Module 3: Managing User

Accounts

Creating User Accounts

What Is a User Account?
Names Associated with Domain User Accounts

Guidelines for Creating a User Account

Naming Convention
User Account Placement in a Hierarchy
User Account Password Options
When to Require or Restrict Password Changes
Tools to Create User Accounts
Best Practices for Creating User Accounts

What Is a User Account?

Local user accounts

(stored on local computer)

Domain user accounts

(stored in Active Directory)
Windows Server 2003 Domain

Multimedia: Types of User Accounts

Names Associated with Domain User Accounts

Name

Example

User logon name

Tadams

Pre-Windows 2000
logon name

contoso\Tadams

User principal logon

name

Tadams@contoso.msft

LDAP distinguished
name

CN=terry
adams,ou=sales,dc=contoso,dc=msft

LDAP relative
distinguished name

CN=terry adams

Guidelines for Creating a User Account

Naming Convention
A convention for naming user accounts
should accommodate:
Employees with identical names
Different types of employees, such as temporary or
contract employees

User Account Placement in a Hierarchy

Geopolitical Design

Business Design

North America

Accounting

Users

South America
Users

Users

Sales
Users

User Account Password Options

Account options

Description

User must change

Users must change their passwords the next
password at next
time they log on to the network
logon
User cannot
change password

Users do not have the permissions to

change their own password

Password never
expires

Users passwords will not expire and do not

need to be changed

Account is
disabled

Users cannot log on by using the

selected account

When to Require or Restrict Password Changes

Option
Require
password
changes
Restrict
password
changes

Use this option when you:

Create new domain accounts
Reset passwords

Create local and domain service accounts

Tools to Create User Accounts

Tools available to create user accounts

Active Directory Users and Computers
Command-line utilities

Dsadd
Net user
Batch utilities
CSVDE
LDIFDE
Computer Management MMC to create local users

Best Practices for Creating User Accounts

Best practices for creating local user accounts
Limit the number of people who can log on locally
Rename the Administrator account

Use strong passwords

Best practices for creating domain user accounts

Do not use the Users container for ordinary
user accounts

Disable any account that will not be used immediately

Require users to change their passwords the first time
that they log on

When to Modify User Account Properties

Modify user account properties to:

Make it easier to use search capabilities
to find users

Match a companys organizational hierarchy

Determine the group membership of a user account

Properties Associated with User Accounts

The Properties dialog box for a user account contains:

Renaming a User Account

The Rename User dialog box

Creating a User Account Template

What Is a User Account Template?
What Properties Are in a Template?

Guidelines for Creating User Account Templates

Practice: Creating a User Account Template

What Is a User Account Template?

Employs a user account with properties meeting
common user requirements
Makes creating user accounts with standardized
configurations more efficient

User Account
Template

What Properties Are in a Template?

Tab

Properties copied

Address

All properties except Street Address

Account

All properties except Logon Name

Profile

All properties except Profile path and Home folder

reflect new users logon name

Organization

All properties except Title

Member Of

All properties

Guidelines for Creating User Account Templates

Create a separate classification for each department

Create a separate group for short-term and temporary
employees
Set user account expiration dates for short-term and
temporary employees

Disable the account template

Identify the account template

Why Enable or Disable User Accounts?

Scenarios for disabling accounts

User takes a leave of absence
Creating accounts that will not be used immediately

Tools available for disabling or enabling accounts

Active Directory Users and Computers
Dsmod command

What Are Locked-Out User Accounts?

Account lockout
thresholds:
Define the number of
failed logon attempts
Prevent hackers from
guessing user passwords
Logon failures can occur:
At the logon screen
At a screen saver
protected by a password

When accessing network

resources

When to Reset User Passwords

Reset a password when a user forgets his
or her password
After the local users password has been reset, the user
can no longer access some types of information