Windows 7 / Security and Privacy

Maintaining User Accounts

User accounts are fairly easy to maintain after they've been configured. Most of the maintenance tasks you need to perform involve user profiles and group membership, which are covered in separate sections of this tutorial. Other than these areas, you might also need to perform the following tasks:

  • Delete user accounts
  • Disable, enable, or unlock user accounts
  • Move user accounts
  • Rename user accounts
  • Reset a user's domain password
  • Set logon scripts and home folders
  • Create a local user account password backup

Each of these tasks is examined in the sections that follow.

Deleting User Accounts

Each user account created in the domain has a unique security identifier (SID), and that SID is never reused. If you delete an account, you cannot create an account with the same name and regain all the same permissions and settings of the previously deleted account. The SID for the new account will be different from the old one, and you will have to redefine all the necessary permissions and settings. Because of this, you should delete accounts only when you know they are not going to be used again. If you are unsure, disable the account rather than deleting it.

To delete an account, select the account in Active Directory Users And Computers and press Delete. When prompted to confirm the deletion, click Yes and the account is permanently deleted. Deleting a user account doesn't delete a user's on-disk data. It only deletes the user account from Active Directory. This means the user's profile and other personal data will still be available on disk until you manually delete them.

CAUTION: Within Active Directory, the permissions on a user are tied to the unique SID that is allocated when the user is created. If you delete a user account and then re-create it, the new account will have a new SID and therefore will not have the permissions of the deleted account.

Disabling and Enabling User Accounts

If you need to deactivate a user account temporarily so that it cannot be used for logon or authentication, you can do this by disabling the account. Although disabling an account makes it unusable, you can later enable the account so that it can be used again. To disable an account, right-click the account in Active Directory Users And Computers, and then select Disable Account.

When prompted that the account has been disabled, click OK. A white circle with a down arrow is added to the account's icon to show that it is disabled. If you later need to enable the account, you can do so by right-clicking the account in Active Directory Users And Computers and then selecting Enable Account.
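
The disable-rather-than-delete approach described above can also be scripted. The following is an added example, not part of the original tutorial: it assumes the ActiveDirectory PowerShell module (RSAT) and Windows PowerShell 3.0 or later, and the function name Disable-AccountWithRecord, the account name jdoe, and the CSV path are hypothetical.

```powershell
# Added example, not from the original tutorial.
# Assumes the ActiveDirectory module (RSAT) and Windows PowerShell 3.0 or later.
Import-Module ActiveDirectory

function Disable-AccountWithRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        # Hypothetical record file; choose a location only administrators can write to.
        [string] $RecordPath = '.\disabled-accounts.csv'
    )

    # Read the account and its group membership before changing anything.
    $before = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # Record the SID and groups so the account's access is documented
    # if it is later deleted and has to be rebuilt under a new SID.
    [pscustomobject]@{
        SamAccountName    = $before.SamAccountName
        SID               = $before.SID.Value
        DistinguishedName = $before.DistinguishedName
        MemberOf          = ($before.MemberOf -join ';')
        DisabledOn        = (Get-Date).ToString('s')
    } | Export-Csv -Path $RecordPath -Append -NoTypeInformation

    # Disable instead of delete: the object, its SID and its permissions remain.
    Disable-ADAccount -Identity $before.SID.Value

    # Look the account up again by name and confirm it is the same object,
    # now disabled, with the SID it had before.
    $after = Get-ADUser -Identity $SamAccountName
    [pscustomobject]@{
        SamAccountName = $after.SamAccountName
        Enabled        = $after.Enabled
        SidUnchanged   = ($after.SID.Value -eq $before.SID.Value)
    }
}

# Usage (constructed sample account name 'jdoe'):
#   Disable-AccountWithRecord -SamAccountName 'jdoe'
# To put the same account, with the same SID, back into service later:
#   Enable-ADAccount -Identity 'jdoe'
```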
