user management

Module 3: Managing User Accounts

Creating User Accounts

What Is a User Account?

Names Associated with Domain User Accounts

Guidelines for Creating a User Account Naming Convention

User Account Placement in a Hierarchy

User Account Password Options

When to Require or Restrict Password Changes

Tools to Create User Accounts

Best Practices for Creating User Accounts

What Is a User Account?

Multimedia: Types of User Accounts

Domain user accounts (stored in Active Directory)

Local user accounts (stored on local computer)

Windows Server 2003 Domain

Names Associated with Domain User Accounts

Name Example

User logon name Tadams

Pre-Windows 2000 logon name

contoso\Tadams

User principal logon name

Tadams@contoso.msft

LDAP distinguished name

CN=terry adams,ou=sales,dc=contoso,dc=msft

LDAP relative distinguished name

CN=terry adams

Guidelines for Creating a User Account Naming Convention

A convention for naming user accounts should accommodate:

Employees with identical names

Different types of employees, such as temporary or contract employees

User Account Placement in a Hierarchy

Geopolitical Design

Users

North America

Users

South America

Business Design

Users

Accounting

Users

Sales

User Account Password Options

Account options Description

User must change password at next logon

Users must change their passwords the next time they log on to the network

User cannot change password

Users do not have the permissions to change their own password

Password never expires

Users’ passwords will not expire and do not need to be changed

Account is disabled

Users cannot log on by using the selected account

When to Require or Restrict Password Changes

Option Use this option when you:

Require

password

changes

Create new domain accounts

Reset passwords

Restrict password changes

Create local and domain service accounts

Tools to Create User Accounts

Tools available to create user accounts

Active Directory Users and Computers

Command-line utilities

Dsadd

Net user

Batch utilities

CSVDE

LDIFDE

Computer Management MMC to create local users

Best Practices for Creating User Accounts

Best practices for creating local user accounts

Limit the number of people who can log on locally

Best practices for creating domain user accounts

Disable any account that will not be used immediately

Require users to change their passwords the first time that they log on

Do not use the Users container for ordinary user accounts

Rename the Administrator account

Use strong passwords

When to Modify User Account Properties

Modify user account properties to:

Make it easier to use search capabilities to find users

Match a company’s organizational hierarchy

Determine the group membership of a user account

Properties Associated with User Accounts

The Properties dialog box for a user account contains:

Renaming a User Account

The Rename User dialog box

Creating a User Account Template

What Is a User Account Template?

What Properties Are in a Template?

Guidelines for Creating User Account Templates

Practice: Creating a User Account Template

What Is a User Account Template?

Employs a user account with properties meeting common user requirements

Makes creating user accounts with standardized configurations more efficient

User Account

Template

What Properties Are in a Template?

Tab Properties copied

Address All properties except Street Address

Account All properties except Logon Name

ProfileAll properties except Profile path and Home folderreflect new user’s logon name

Organization All properties except Title

Member Of All properties

Guidelines for Creating User Account Templates

Create a separate classification for each department

Create a separate group for short-term and temporary employees

Set user account expiration dates for short-term and temporary employees

Disable the account template

Identify the account template

Why Enable or Disable User Accounts?

Scenarios for disabling accounts

User takes a leave of absence

Creating accounts that will not be used immediately

Tools available for disabling or enabling accounts

Active Directory Users and Computers

Dsmod command

What Are Locked-Out User Accounts?

Account lockout thresholds:

Define the number of failed logon attempts

Prevent hackers from guessing user passwords

Logon failures can occur:

At the logon screen

At a screen saver protected by a password

When accessing network resources

When to Reset User Passwords

Reset a password when a user forgets his or her password

After the local user’s password has been reset, the user can no longer access some types of information