Especially on a large, busy network, managing user accounts is an ongoing process of additions, deletions, and changes. While these tasks aren't difficult, they can be time-consuming and need to be managed carefully.
If you need to deactivate a domain user account for some period of time but not delete it permanently, you can disable it. To disable a user account, follow these steps:
Figure 9-11. Disabling a user account.
To enable a previously disabled account, you perform the same steps, choosing Enable Account from the shortcut menu.
Each user account in the domain has an associated security identifier that is unique and never reused, which means that a deleted account is completely deleted. If you delete Jeremy's account and later change your mind, you will have to re-create not only the account but also the permissions, settings, group memberships, and other properties that the original user account possessed. For that reason, if there's any doubt about whether an account might be needed in the future, it's best to disable it and not perform the deletion until you're sure it won't be needed again.
However, accounts do have to be deleted at regular intervals. To delete a domain user account, follow these steps:
To search for a particular user account, open Active Directory Users and Computers from the Administrative Tools menu and on the toolbar, click the Find icon, shown here:
This opens the Find Users, Contacts, And Groups dialog box. Don't be misled, though. Open the drop-down list in the Find box and you'll see that you can use this tool to search for computers, printers, shared folders, organizational units, and much more.
To find a specific user, select the scope of your search in the In box. Type in a name, part of a name, or some other descriptive element that's part of the user's profile, and click Find Now. As you can see in Figure 9-12, a search for a portion of a name returns all users with that element in their names.
Figure 9-12. Searching for a user by name.
The larger the network, the more specific your search will need to be. In a large network environment, you can narrow your search to a specific organizational unit. Open Active Directory Users and Computers from the Administrative Tools menu, right-click the OU you are interested in, and select Find from the shortcut menu.
To move a user account from one container to another, follow these steps:
On occasion, a user account may need to be renamed. For example, if you have an account configured with an assortment of rights, permissions, and group memberships for a particular position and a new person is taking over that position, you can change the first, last, and user logon names for the new person. To rename an existing user account, follow these steps:
Figure 9-13. Renaming an existing user account.
For passwords to be effective, they must not be obvious or easy to guess. However, when passwords are not obvious or easy to guess, they will inevitably be forgotten. When a user forgets his or her password, you can reset it. The best policy is to reset it to a simple password and require the user to change the password at the next logon to the network.
To reset a password, just open Active Directory Users and Computers from the Administrative Tools menu and find the container for the account whose password you need to reset. Right-click the account name and choose Reset Password from the shortcut menu. In the Reset Password dialog box (Figure 9-14), enter the new password twice, and select the User Must Change Password At Next Logon option.
Figure 9-14. Resetting a user's password.
If a user violates a group policy, such as exceeding the limit for bad logon attempts, Group Policy will lock the account. When an account is locked, it cannot be used to log on to the system. To unlock a user account, follow these steps:
By default, Group Policy does not lock accounts after failed logon attempts. You should configure this setting for security reasons. See the section "Understanding Group Policies," later in this chapter.
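The reset-and-unlock procedure above, as an added example rather than the book's own steps: it uses the ActiveDirectory PowerShell module, which assumes a later Windows Server release than the one this chapter documents, and it also checks whether the domain's lockout threshold is still at the unset default mentioned above. The account name is the chapter's example user, Jeremy, taken here as a placeholder.

```powershell
# Added example: reset a forgotten password the way the chapter recommends
# (temporary password, change required at next logon) and clear any lockout.
# Assumes the ActiveDirectory module (RSAT / domain controller) is installed.
Import-Module ActiveDirectory

function Reset-ForgottenPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Prompt for the temporary password so it never sits in the script or shell history.
    $tempPassword = Read-Host -Prompt "Temporary password for $SamAccountName" -AsSecureString

    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, Enabled

    # Reset rather than change: an administrator reset does not need the old password.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $tempPassword

    # Equivalent of the "User Must Change Password At Next Logon" check box.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Equivalent of the Unlock Account step, only needed if lockout policy tripped.
    if ($user.LockedOut) {
        Unlock-ADAccount -Identity $user
        Write-Host "Unlocked $SamAccountName"
    }

    if (-not $user.Enabled) {
        Write-Warning "$SamAccountName is disabled; reset done but logon will still fail until Enable Account is applied."
    }
}

function Test-LockoutPolicy {
    # The chapter notes the default is no lockout; a threshold of 0 means exactly that.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.LockoutThreshold -eq 0) {
        Write-Warning "Account lockout is not configured (LockoutThreshold = 0); bad logon attempts are unlimited."
    } else {
        Write-Host "Lockout after $($policy.LockoutThreshold) bad attempts for $($policy.LockoutDuration)."
    }
}

Test-LockoutPolicy
Reset-ForgottenPassword -SamAccountName 'jeremy'   # placeholder user from the chapter
```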
Home directories or folders are repositories that you can provide on a network server for users' documents. Placing home folders on a network file server has several advantages:
The contents of home folders are not part of user profiles, so they don't affect network traffic during logon. (A home folder can also be on a client computer, but that defeats much of its purpose.)
To create a home folder on a network file server, follow these steps:
Figure 9-15. Sharing the new Home Folders folder.
NOTE
Home folders should be stored on a partition formatted with NTFS. Home folders on a FAT partition can be secured only by assigning shared folder permissions on a user-by-user basis.
To provide a user with a home folder, you must add the path for the folder to the user account's properties. Follow these steps to give a user access to a home folder:
Figure 9-16. Specifying a home folder.