Windows 7 / Security and Privacy

Creating and Configuring Domain User Accounts

As a member of the Account Operators, Enterprise Admins, or Domain Admins group, you can use Active Directory Users And Computers to create user accounts. Follow these steps:

  1. Click Start, Administrative Tools, and Active Directory Users And Computers. This starts Active Directory Users And Computers.
  2. By default, you are connected to your logon domain. If you want to create user accounts in a different domain, right-click the Active Directory Users And Computers node in the console tree, and then select Change Domain. In the Change Domain dialog box, type the name of the domain to which you want to connect, and then click OK. Alternatively, you can click Browse to find the domain to which you want to connect in the Browse For Domain dialog box.
  3. You can now create the user account. Right-click the container in which you want to create the user, point to New, and then select User. This will start the New Object-User Wizard.
    When you create a new user, you're prompted for the first name, initials, last name, full name, and logon name. The pre-Windows 2000 logon name (the account's sAMAccountName) is filled in automatically from the logon name. This is the name used when a user logs on from Windows NT, Microsoft Windows 95, or Microsoft Windows 98 clients, and it is also the name that appears in the DOMAIN\user form of a logon.
  4. When you click Next, you can set the user's password and account options. The password must meet the complexity requirements set in the group policy. These options are as follows:
    • User Must Change Password At Next Logon
    • User Cannot Change Password
    • Password Never Expires
    • Account Is Disabled
  5. Click Next, and then click Finish. If you use a password that doesn't meet the complexity requirements of group policy, you'll see an error and you'll have to click Back to change the user's password before you can continue. Unless there is a documented reason otherwise, leave User Must Change Password At Next Logon selected and leave Password Never Expires cleared, so the initial password set by the administrator is replaced at first use and the domain's password-age policy continues to apply.
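The same five steps, performed with the ActiveDirectory PowerShell module instead of the wizard. This is an added example, not code from the original page; it assumes the module (part of the Remote Server Administration Tools) is installed, that you hold Account Operators or Domain Admins rights, and that the domain name, OU path, and account names below are placeholders for your own environment.

```powershell
# Added example (not part of the original page). Creates a domain user with the
# options the New Object-User wizard offers. Assumed: ActiveDirectory module is
# installed; $domain, $ouPath and the user names are placeholders.
Import-Module ActiveDirectory

$domain = 'corp.example.com'                       # assumed; step 2 (Change Domain) is -Server
$ouPath = 'OU=Staff,DC=corp,DC=example,DC=com'     # assumed; step 3, the container to create in
$first  = 'Jane'
$last   = 'Doe'
$sam    = 'jdoe'                                   # pre-Windows 2000 logon name (sAMAccountName)

# Prompt for the initial password so it never appears in a script, history file or log.
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# Steps 3 and 4: create the user with the four account options set explicitly.
# Only "User Must Change Password At Next Logon" is turned on; the other three
# are left off, which is the safer default for an ordinary user account.
New-ADUser -Server $domain `
           -Path $ouPath `
           -Name "$first $last" `
           -GivenName $first `
           -Surname $last `
           -DisplayName "$first $last" `
           -SamAccountName $sam `
           -UserPrincipalName "$sam@$domain" `
           -AccountPassword $password `
           -ChangePasswordAtLogon $true `
           -CannotChangePassword $false `
           -PasswordNeverExpires $false `
           -Enabled $true

# Step 5: where the wizard shows an error for a password that fails the domain
# policy, New-ADUser throws a terminating error instead. Confirm the account was
# created as intended before handing it over; if the password was rejected, check
# whether a disabled account object was left behind before retrying.
Get-ADUser -Server $domain -Identity $sam `
    -Properties PasswordLastSet, PasswordNeverExpires, CannotChangePassword, Enabled |
    Format-List Name, SamAccountName, UserPrincipalName, Enabled,
                PasswordLastSet, PasswordNeverExpires, CannotChangePassword
```

Run it from an elevated PowerShell session on a domain-joined administrative workstation. The `-Server` parameter plays the role of step 2 (Change Domain); without it the cmdlet uses the logon domain, exactly as the console does.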

Viewing and Setting User Account Properties

If you double-click a user account in Active Directory Users And Computers, a Properties dialog box appears, with tabs allowing you to configure the user's settings. Table-3 lists the tabs you see in the Properties dialog box.

Table-3 User Account Properties
Tab | Description
Account | Used to manage the logon name, account options, logon hours, and account lockout
Address | Used to manage geographical address information
Attribute Editor | Used to edit the attributes of the related user object directly
COM+ | Used to select the user's COM+ partition set
Dial-in | Used to set the user's dial-in or virtual private network (VPN) access controls as well as callback, IP address, and routing options for dial-in or VPN
Environment | Used to manage the Terminal Services startup environment
General | Used to manage the account name, display name, e-mail address, telephone number, and Web page
Member Of | Used to add the user to or remove the user from selected groups
Object | Displays the canonical name of the user object with its creation and modification dates and Update Sequence Numbers
Organization | Used to manage the user's title and corporate information (department, manager, direct reports)
Profile | Used to manage the user profile configuration (profile path, logon script) and home folder
Published Certificates | Used to view, add, or remove the user's published X.509 certificates
Remote Control | Used to manage remote control settings for Terminal Services
Security | Used to configure advanced permissions for the users and groups that can access this user object in Active Directory
Sessions | Used to manage Terminal Services timeout and reconnection settings
Telephones | Used to manage home phone, pager, fax, IP phone, and cell phone numbers
Terminal Services Profile | Used to manage the user profile for Terminal Services
Note:
The number of tabs in a user's Properties dialog box will vary depending upon the software installed. For example, adding Exchange mail services adds several property sheets (tabs) to each user's Active Directory account. Also, to view the Published Certificates, Object, Security, or Attribute Editor property sheets, you must be in Advanced view. To access Advanced view, select Advanced Features from the View menu in Active Directory Users And Computers.

Most of the time, as the administrator, you will use a handful of these settings regularly. The General tab has the name and e-mail address for the user. The Account tab has the logon name and lets you configure logon hours and the account options listed earlier. The Account tab also has the Unlock Account check box. This is a quick way to clear a lockout, but note what it does and does not do: an account is locked out because the number of failed logon attempts exceeded the threshold in the domain's account lockout policy, so a user who has forgotten a password is locked out only by the failed attempts that produced. Unlocking restores the ability to log on with the existing password; a forgotten password is fixed separately with Reset Password on the user's shortcut menu. Before unlocking, it is worth checking where the failed attempts came from, because a burst of lockouts is also what a password-guessing attack against the domain looks like. The Profile tab lets you set a user profile, logon script, and home folder. The Member Of tab lets you add the user to groups. The Security tab lets you set the permissions that users and groups have on this user object and provides access to the Effective Permissions tool via the Advanced button.
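The day-to-day Account, Profile, and Member Of tasks described above, done from PowerShell. This is an added example, not code from the original page; it assumes the ActiveDirectory module, rights to modify user accounts, and that the domain, account, group, and path names are placeholders. It also adds a review of accounts with Password Never Expires set, which the text mentions as an option but which is worth auditing rather than leaving to accumulate.

```powershell
# Added example (not part of the original page). Account-tab, Profile-tab and
# Member Of-tab tasks from PowerShell. Assumed: ActiveDirectory module installed;
# domain, user, group and share names below are placeholders.
Import-Module ActiveDirectory
$domain = 'corp.example.com'   # assumed

# Account tab: which accounts are locked out right now, and what locked them.
# Lockout comes from failed logon attempts, so look at the pattern before
# unlocking; many accounts locking out together points at password guessing,
# not at many users forgetting passwords at once.
$locked = Search-ADAccount -Server $domain -LockedOut -UsersOnly |
          Get-ADUser -Server $domain -Properties LastBadPasswordAttempt, BadLogonCount, LockedOut
$locked | Sort-Object LastBadPasswordAttempt -Descending |
          Format-Table SamAccountName, LastBadPasswordAttempt, BadLogonCount -AutoSize

# Account tab, Unlock Account: clear the lockout on one account once the cause
# is understood. This does not change the password; that is Set-ADAccountPassword.
Unlock-ADAccount -Server $domain -Identity 'jdoe'

# Account tab, Reset Password: for a genuinely forgotten password, set a new one
# and force a change at next logon so the helpdesk-chosen value is short-lived.
$newPassword = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
Set-ADAccountPassword -Server $domain -Identity 'jdoe' -Reset -NewPassword $newPassword
Set-ADUser -Server $domain -Identity 'jdoe' -ChangePasswordAtLogon $true

# Profile tab: profile path, logon script and home folder.
Set-ADUser -Server $domain -Identity 'jdoe' `
           -ProfilePath   '\\fileserver\profiles$\jdoe' `
           -ScriptPath    'logon.bat' `
           -HomeDrive     'H:' `
           -HomeDirectory '\\fileserver\home$\jdoe'

# Member Of tab: add the user to a group.
Add-ADGroupMember -Server $domain -Identity 'Helpdesk' -Members 'jdoe'

# Audit: enabled accounts with "Password Never Expires" set. This option removes
# the domain policy's maximum password age for that account, so each one should
# be a documented exception. Oldest passwords are listed first.
Get-ADUser -Server $domain -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
           -Properties PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table SamAccountName, PasswordLastSet -AutoSize
```

The audit at the end is the kind of check a practitioner runs periodically: the GUI shows the Password Never Expires flag one account at a time, while the filtered query shows every account that carries it.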

Obtaining Effective Permissions

In Active Directory, user accounts are defined as objects, as are group and computer accounts. This means that each user account has a security descriptor: it records the owner of the object and carries a discretionary access control list (DACL) of the users and groups that are granted or denied access, together with the permissions each has on the object.

Individual entries in the DACL are referred to as access control entries (ACEs). Active Directory objects can inherit ACEs from their parent containers, so permissions set on a parent object (typically an OU) are applied to the objects beneath it. For example, if the Account Operators group is granted a permission on an OU with inheritance enabled, every user object in that OU carries an inherited ACE granting that permission to Account Operators. Group membership is a separate mechanism: a user holds the permissions granted to a group because the group's SID is in the user's token, not because of ACE inheritance.

Because of inheritance, nested group membership, and the combination of allow and deny entries, it often isn't obvious whether a particular user, group, or computer has permission to work with another object in Active Directory. This is where the Effective Permissions tool comes in handy. It examines the permissions that a user, group, or computer has with respect to another object. For example, if you wanted to determine what permissions, if any, a user who has received delegated control has over another user or group, you could use Effective Permissions to do this.

The Effective Permissions tool is available in Active Directory Users And Computers, but only if you are in the Advanced Features view. Select Advanced Features from the View menu if necessary, and then double-click the user, group, or computer for which you are trying to determine the effective permissions of another user or group. In the Properties dialog box, click the Advanced button on the Security tab to open the Advanced Security Settings dialog box, and then click the Effective Permissions tab. Next, click Select, type the name of the user or group whose effective permissions on the previously selected object you want to see, and then click OK.

The effective permissions for the selected user or group in relation to the previously selected object appear. The Effective Permissions box shows check marks for the permissions that are in effect. If there are no effective permissions, none of the check boxes is selected. Treat the result as a calculation from the DACL and the principal's group memberships as the tool can see them, not as a record of what the directory actually allowed at some past moment; when an access you did not expect shows up, the Permissions tab of the same dialog box lists the individual ACEs, including where each inherited one came from.
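The calculation the Effective Permissions tab performs, reproduced in PowerShell so the individual ACEs behind the check marks are visible: read the DACL of one user object, keep the entries whose trustee is in another principal's token (the principal's own SID plus its transitive group memberships), and fold the object-wide allow and deny entries into one rights mask. This is an added example, not code from the original page; it assumes the ActiveDirectory module (which provides the AD: drive) and uses placeholder account names. It is an approximation in the same sense the GUI tool is: property-specific and extended-right ACEs are listed but not folded into the generic mask.

```powershell
# Added example (not part of the original page). Lists the ACEs on one user
# object that apply to another principal and computes the resulting generic
# rights. Assumed: ActiveDirectory module installed; 'jdoe' and 'helpdesk1' are
# placeholder accounts.
Import-Module ActiveDirectory

$target    = Get-ADUser -Identity 'jdoe'        # object whose DACL is examined
$principal = Get-ADUser -Identity 'helpdesk1'   # whose access we want to know

# The object's security descriptor, read through the AD: drive. $acl.Access holds
# ActiveDirectoryAccessRule entries, inherited ones included.
$acl = Get-Acl -Path "AD:\$($target.DistinguishedName)"

# SIDs in the principal's token: its own SID plus tokenGroups, which the domain
# controller computes with nested (transitive) group membership expanded.
$sidSet = @{}
$sidSet[$principal.SID.Value] = $true
foreach ($g in (Get-ADUser -Identity $principal -Properties tokenGroups).tokenGroups) {
    $sidSet[$g.Value] = $true
}
$sidSet['S-1-1-0']  = $true   # Everyone
$sidSet['S-1-5-11'] = $true   # Authenticated Users

# Keep ACEs whose trustee is in that set and that apply to the object itself
# (InheritOnly entries exist only to propagate to children).
$relevant = foreach ($ace in $acl.Access) {
    $sid = try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
           catch { $null }
    if (-not $sid -or -not $sidSet.ContainsKey($sid)) { continue }
    if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    $ace
}

# Show every applicable entry, with whether it was inherited from a parent OU.
$relevant | Format-Table `
    @{ n = 'Trustee';  e = { $_.IdentityReference } },
    @{ n = 'Type';     e = { $_.AccessControlType } },
    @{ n = 'Rights';   e = { $_.ActiveDirectoryRights } },
    @{ n = 'ObjectType (property/right GUID, empty = whole object)'; e = { $_.ObjectType } },
    @{ n = 'Inherited'; e = { $_.IsInherited } } -AutoSize

# Fold object-wide entries into one mask: deny wins over allow, as in the
# access check itself. Entries with a non-empty ObjectType are per-property
# or extended rights and are deliberately left out of the generic mask.
$allow = 0; $deny = 0
foreach ($ace in $relevant) {
    if ($ace.ObjectType -ne [guid]::Empty) { continue }
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
    else                                    { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
}
$effective = [System.DirectoryServices.ActiveDirectoryRights]($allow -band (-bnot $deny))
"Effective generic rights of $($principal.SamAccountName) on $($target.SamAccountName): $effective"
```

When a right you did not intend to delegate appears, the Inherited column tells you whether to look at this object's own DACL or at the OU above it, which is the same question the GUI answers on the Permissions tab of Advanced Security Settings.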
