Chapter 13: Managing Active Directory Users and Groups




The heart of an administrator’s job is creating and managing user and group accounts. In this chapter, you’ll first learn how to create and manage user accounts from the command line. You’ll then see how to create and manage groups from the command line. The focus of this chapter is on working with Active Directory directory service users and groups.

Overview of Managing User Accounts from the Command Line

In Microsoft Windows Server 2003, two types of user accounts are defined:

  • Domain user accounts: Defined in Active Directory, these accounts can access resources throughout the domain. You create and manage domain user accounts using the directory services commands.

  • Local user accounts: Defined on a local computer, these accounts must authenticate themselves before they can access network resources. You create and manage local user accounts with the network services commands.

Note

Local machine accounts are used primarily in workgroup configurations rather than in Windows domains. Still, every computer on the network has one or more local machine accounts. The only exceptions are domain controllers, which do not have local machine accounts. When you want to work with local machine accounts, you use the network services commands.

The directory services commands that are used to manage domain user accounts include:

  • DSADD USER: Creates a user account in Active Directory. The syntax is

    dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName]
    [-mi Initial] [-ln LastName] [-display DisplayName] [-empid EmployeeID]
    [-pwd {Password | *}] [-desc Description] [-memberof Group ...]
    [-office Office] [-tel PhoneNumber] [-email EmailAddress]
    [-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber]
    [-fax FaxNumber] [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title]
    [-dept Department] [-company Company] [-mgr Manager] [-hmdir HomeDirectory]
    [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
    [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
    [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays]
    [-disabled {yes | no}] [{-s Server | -d Domain}] [-u UserName]
    [-p {Password | *}] [-q] [{-uc | -uco | -uci}]

  • DSGET USER: Displays the properties of user accounts using one of two syntaxes. The syntax for viewing the properties of one or more users is

    dsget user UserDN ... [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]
    [-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]
    [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg] [-title]
    [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr]
    [-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled]
    [-acctexpires] [-reversiblepwd] [{-uc | -uco | -uci}]
    [-part PartitionDN [-qlimit] [-qused]] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-c] [-q] [-l]

    The syntax for viewing the group membership of a user is

    dsget user UserDN [-memberof [-expand]] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

  • DSMOD USER: Modifies attributes of one or more user accounts in the directory. The syntax is

    dsmod user UserDN ... [-upn UPN] [-fn FirstName] [-mi Initial]
    [-ln LastName] [-display DisplayName] [-empid EmployeeID]
    [-pwd {Password | *}] [-desc Description] [-office Office]
    [-tel PhoneNumber] [-email EmailAddress] [-hometel HomePhoneNumber]
    [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber]
    [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title] [-dept Department]
    [-company Company] [-mgr Manager] [-hmdir HomeDirectory]
    [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
    [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
    [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays]
    [-disabled {yes | no}] [{-s Server | -d Domain}] [-u UserName]
    [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]

Tip

These user commands accept input from DSQUERY USER to set the distinguished name (DN) for the user or users you want to work with. You can also type the DNs for each user you want to work with. When you do this, make sure to separate each DN with a space.

At first glance, the user commands seem extraordinarily complex. Actually, they aren’t complex so much as versatile: they let you add, view, or modify user accounts and expose an extensive set of account properties. The parameter for a particular property is the same whether you are adding, viewing, or modifying an account. For example, when you create an account, you set the user’s office telephone number with the -tel parameter of DSADD USER; to display a user’s telephone number, use the -tel parameter of DSGET USER; and to change it, use the -tel parameter of DSMOD USER.
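The following batch script is an added example, not code from the book: it provisions one domain user with DSADD USER, checks the security-relevant attributes with DSGET USER, and then feeds DSQUERY USER output into DSGET USER and DSMOD USER to audit and clean up an OU. The domain, OU, user and group names are constructed for illustration.

```batch
@echo off
setlocal
rem Added example. The domain, OU, user and group names below are made up.
set "OU=OU=Sales,DC=corp,DC=example,DC=com"
set "USERDN=CN=Jane Doe,%OU%"
set "GROUPDN=CN=Sales Staff,OU=Groups,DC=corp,DC=example,DC=com"

rem -pwd * prompts for the password so it never appears on the command line,
rem in the process list or in the command history. The account is created
rem disabled and must change its password at first logon.
dsadd user "%USERDN%" -samid jdoe -upn jdoe@corp.example.com ^
    -fn Jane -ln Doe -display "Jane Doe" -pwd * ^
    -mustchpwd yes -pwdneverexpires no -disabled yes ^
    -memberof "%GROUPDN%"
if errorlevel 1 (
    echo DSADD USER failed
    exit /b 1
)

rem Confirm the settings that matter for security before the account is enabled.
dsget user "%USERDN%" -samid -upn -mustchpwd -pwdneverexpires -disabled

rem Enable the account once onboarding has been confirmed.
dsmod user "%USERDN%" -disabled no

rem Audit: show the password-never-expires and disabled flags for every user
rem in the OU. DSQUERY USER writes one DN per line, which DSGET USER reads
rem from standard input; -limit 0 returns all matches instead of the first 100.
dsquery user "%OU%" -limit 0 | dsget user -samid -pwdneverexpires -disabled

rem Remediate: disable accounts in the OU with no logon in the last 8 weeks.
rem -inactive relies on the lastLogonTimestamp attribute, so this assumes a
rem Windows Server 2003 domain functional level.
dsquery user "%OU%" -inactive 8 | dsmod user -disabled yes
endlocal
```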

To manage local machine user accounts, use the NET USER command, which is one of several network services commands. NET USER has several syntaxes, and the syntax you use depends on what you want to do, as follows:

Display local user accounts:

net user [UserName [Password | *] [/active:{no | yes}] [/comment:"DescriptionText"]
[/countrycode:NNN] [/expires:{{MM/DD/YYYY | DD/MM/YYYY | mmm,dd,YYYY} | never}]
[/fullname:"Name"] [/homedir:Path] [/passwordchg:{yes | no}]
[/passwordreq:{yes | no}] [/profilepath:[Path]] [/scriptpath:Path]
[/times:{Day[-Day][,Day[-Day]],Time[-Time][,Time[-Time]][;...] | all}]
[/usercomment:"Text"] [/workstations:{ComputerName[,...] | *}]]

Create or modify local user accounts:

net user [UserName {Password | *} /add [/active:{no | yes}] [/comment:"DescriptionText"]
[/countrycode:NNN] [/expires:{{MM/DD/YYYY | DD/MM/YYYY | mmm,dd,YYYY} | never}]
[/fullname:"Name"] [/homedir:Path] [/passwordchg:{yes | no}]
[/passwordreq:{yes | no}] [/profilepath:[Path]] [/scriptpath:Path]
[/times:{Day[-Day][,Day[-Day]],Time[-Time][,Time[-Time]][;...] | all}]
[/usercomment:"Text"] [/workstations:{ComputerName[,...] | *}]]

Delete local user accounts:

net user UserName /delete

As you can see, NET USER lets you work with a fairly narrow set of user account properties. These account properties are best suited for working with local user accounts.
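As an added example (not from the book), this batch script creates a local account with NET USER that is restricted to working hours, requires a password, and stays disabled until its settings have been reviewed with the display syntax. The account name and descriptive text are constructed for illustration.

```batch
@echo off
setlocal
rem Added example. The account name and comment text below are made up.
set "ACCT=lbackup"

rem The asterisk makes NET USER prompt for the password instead of taking it
rem from the command line, where other processes could read it.
rem /passwordreq:yes refuses a blank password, /passwordchg:no keeps the
rem password under administrator control, /times limits logon to working
rem hours and /active:no keeps the account disabled until it is reviewed.
net user %ACCT% * /add ^
    /fullname:"Local Backup Operator" ^
    /comment:"Local account for the nightly backup job" ^
    /passwordreq:yes /passwordchg:no ^
    /times:M-F,8:00-18:00 ^
    /active:no
if errorlevel 1 (
    echo NET USER /add failed
    exit /b 1
)

rem Display the account as stored and check the Account active, Password
rem required and Logon hours allowed lines before enabling it.
net user %ACCT%

rem Enable the account after review.
net user %ACCT% /active:yes

rem When the account is no longer needed, delete it rather than leaving it
rem disabled indefinitely:
rem net user %ACCT% /delete
endlocal
```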

Note

NET USER can also be used to work with domain accounts in your logon domain. Beyond the logon domain, however, it gives you no access, in contrast to the directory services commands, which let you create and manage domain user accounts in any domain in the Active Directory forest.






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
