Module 2: Managing User and Computer Accounts

Overview Creating User Accounts Creating Computer Accounts Modifying User and Computer Account Properties Creating a User Account Template Managing User and Computer Accounts Using Queries to Locate User and Computer Accounts in Active Directory

Lesson: Creating User Accounts What Is a User Account? Names Associated with Domain User Accounts Guidelines for Creating a User Account Naming Convention User Account Placement in a Hierarchy User Account Password Options When to Require or Restrict Password Changes Tools to Create User Accounts Practice: Creating User Accounts Best Practices for Creating User Accounts

What Is a User Account? Multimedia: Types of User Accounts Domain user accounts (stored in Active Directory) Local user accounts (stored on local computer) Windows Server 2003 Domain

Names Associated with Domain User Accounts Name Example User logon name Tadams Pre—Windows 2000 logon name contoso\Tadams User principal logon name LDAP distinguished name CN=terry adams,ou=sales,dc=contoso,dc=msft LDAP relative distinguished name CN=terry adams

Guidelines for Creating a User Account Naming Convention A convention for naming user accounts should accommodate: Employees with identical names Different types of employees, such as temporary or contract employees

User Account Placement in a Hierarchy Geopolitical Design Users North America Users South America Business Design Users Accounting Users Sales

User Account Password Options Account options Description User must change password at next logon Users must change their passwords the next time they log on to the network User cannot change password Users do not have the permissions to change their own password Password never expires Users’ passwords will not expire and do not need to be changed Account is disabled Users cannot log on by using the selected account

When to Require or Restrict Password Changes Option Use this option when you: Require password changes Create new domain accounts Reset passwords Restrict password changes Create local and domain service accounts

Tools to Create User Accounts Tools available to create user accounts Active Directory Users and Computers Command-line utilities Dsadd Net user Batch utilities CSVDE LDIFDE Computer Management MMC to create local users Active Directory Users and Computers Command-line utilities Dsadd Net user Batch utilities CSVDE LDIFDE Computer Management MMC to create local users

Practice: Creating User Accounts In this practice, you will: Create a local user account by using Computer Management Create a domain account by using Active Directory Users and Computers Create a domain user account by using dsadd

Best Practices for Creating User Accounts Best practices for creating local user accounts Limit the number of people who can log on locally Best practices for creating domain user accounts Disable any account that will not be used immediately Require users to change their passwords the first time that they log on Do not use the Users container for ordinary user accounts Rename the Administrator account Use strong passwords

Lesson: Creating Computer Accounts What Is a Computer Account? Why Create a Computer Account? Where Computer Accounts Are Created in a Domain Computer Account Options Practice: Creating a Computer Account

What Is a Computer Account? Identifies a computer in a domain Provides a means for authenticating and auditing computer access to the network and to domain resources Is required for every computer running:  Windows Server 2003  Windows XP Professional  Windows 2000  Windows NT

Why Create a Computer Account? Security  Authentication  Auditing Management  Software deployment  Desktop management  Hardware and software inventory through Systems Management Server

Where Computer Accounts Are Created in a Domain Computers that join a domain are created in the Computers container Computer accounts can be moved to or created in other organizational units Computer accounts can be moved to or created in other organizational units

Computer Account Options

Practice: Creating a Computer Account In this practice, you will: Create a computer account by using Active Directory Users and Computers Create a computer account by using dsadd

Lesson: Modifying User and Computer Account Properties When to Modify User and Computer Account Properties Properties Associated with User Accounts Renaming a User Account Properties Associated with Computer Accounts Practice: Modifying User and Computer Account Properties

When to Modify User and Computer Account Properties Modify user account properties to: Make it easier to use search capabilities to find users Match a company’s organizational hierarchy Determine the group membership of a user account Make it easier to use search capabilities to find users Match a company’s organizational hierarchy Determine the group membership of a user account Modify computer account properties to: Assist in asset tracking (Location property) Document who manages a computer (Managed By property) Assist in asset tracking (Location property) Document who manages a computer (Managed By property)

Properties Associated with User Accounts The Properties dialog box for a user account contains:

Renaming a User Account The Rename User dialog box

Properties Associated with Computer Accounts The Properties dialog box for a computer account contains:

Practice: Modifying User and Computer Account Properties In this practice, you will modify user and computer account properties

Lesson: Creating a User Account Template What Is a User Account Template? What Properties Are in a Template? Guidelines for Creating User Account Templates Practice: Creating a User Account Template

What Is a User Account Template? Employs a user account with properties meeting common user requirements Makes creating user accounts with standardized configurations more efficient User Account Template

What Properties Are in a Template? TabProperties copied Address All properties except Street Address Account All properties except Logon Name Profile All properties except Profile path and Home folder reflect new user’s logon name Organization All properties except Title Member Of All properties

Guidelines for Creating User Account Templates Create a separate classification for each department Create a separate group for short-term and temporary employees Set user account expiration dates for short-term and temporary employees Disable the account template Identify the account template

Practice: Creating a User Account Template In this practice, you will create a user account template

Lesson: Managing User and Computer Accounts Why Enable or Disable User and Computer Accounts? What Are Locked-Out User Accounts? When to Reset User Passwords When to Reset Computer Accounts Practice: Resetting and Disabling a User Account

Why Enable or Disable User and Computer Accounts? Scenarios for disabling accounts User takes a leave of absence Creating accounts that will not be used immediately User takes a leave of absence Creating accounts that will not be used immediately Tools available for disabling or enabling accounts Active Directory Users and Computers Dsmod command Active Directory Users and Computers Dsmod command

What Are Locked-Out User Accounts? Account lockout thresholds:  Define the number of failed logon attempts  Prevent hackers from guessing user passwords Logon failures can occur:  At the logon screen  At a screen saver protected by a password  When accessing network resources

When to Reset User Passwords Reset a password when a user forgets his or her password After the local user’s password has been reset, the user can no longer access some types of information

When to Reset Computer Accounts Reset computer accounts when: Computers fail to authenticate to the domain Passwords need to be synchronized

Practice: Resetting and Disabling a User Account In this practice, you will: Reset a user account password Disable user accounts

Lesson: Using Queries to Locate User and Computer Accounts in Active Directory Multimedia: Introduction to Locating User and Computer Accounts in Active Directory Search Types What Is a Saved Query? Importing and Exporting Saved Queries Practice: Using Saved Queries to Locate Users and Computers in Active Directory

Multimedia: Introduction to Locating User and Computer Accounts in Active Directory This presentation will explain how to locate objects in Active Directory

Search Types Basic query criteria include: Object type Location General values associated with the object, such as name and description

What Is a Saved Query?

Importing and Exporting Saved Queries

Practice: Using Queries to Locate Users and Computers in Active Directory In this practice, you will: Create a query to find computer accounts in the sales department Export the query as an XML file in the Admin_tools shared folder

Lab: Managing User and Computer Accounts In this lab, you will: Create user accounts Create computer accounts Use queries to locate objects Modify user and computer properties