Adding User Accounts




Each user that wants to access resources on the network must have a user account. The type of account needed depends on your network configuration. With Active Directory domains, you use domain user accounts. With workgroups, you use local user accounts that pertain only to specific machines.

Creating Domain User Accounts

When you create a domain user account, you pass the user’s DN to DSADD USER. The common name component of the DN sets the user’s name. The rest of the DN specifies where in Active Directory the user account is to be located, which includes the container in which the user account is to be created and the related domain. For example, you could create a user account for Mary Baker in the Sales organizational unit of the cpandl.com domain by typing: dsadd user "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com". The account would be created with Mary Baker as the user logon name, but because no other properties would be set, the account would be disabled automatically for security reasons.

User names aren’t case-sensitive and can be as long as 64 characters. Typically, in addition to the user account’s DN, you’ll want to specify the following:

  • First name as set with the –Fn parameter

  • Middle initial as set with the –Mi parameter

  • Last name as set with the –Ln parameter

  • Display name as set with the –Display parameter

    Note

    In most cases, the display name should be set to the same value as the common name of the user account. This ensures that the account is easier to manage, because, if you know the user’s display name, you also know the common name component of the distinguished name.

  • SAM account name (also referred to as the logon name) as set with the –Samid parameter

  • Password as set with the –Pwd parameter. The password must follow the complexity requirements enforced through Group Policy (if any).

The first 20 characters of the common name are used to set the SAM account name of the user account, which is also referred to as the pre–Windows 2000 user logon name. The SAM account name must be unique in the domain, so if there is an overlap you might want the user’s SAM account name to be different from its display name. In this case, you would need to set the SAM account name using the –Samid parameter.

Unlike accounts created in the Active Directory Users And Computers administrative tool, the user’s first name, middle initial, and last name values are not used to set the user’s display name. You must set this value using the –Display parameter. The display name is the name Windows displays in dialogs. The common name component of the user account name and the domain name component of the distinguished name are used to set the user’s fully qualified logon name. The fully qualified logon name is used for logon and authentication. For example, if the user’s logon domain is cpandl and the logon name is marybaker, the fully qualified logon name is cpandl\marybaker.

To create an account for Mary A. Baker that uses these parameters, you can use the following command:

dsadd user "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com" -fn Mary -mi A -ln Baker -samid "marybaker" -display "Mary Baker" -pwd dg56$2#

Note

Note the use of double quotation marks in this example. Whenever a parameter value contains a space, you must enclose it in double quotation marks. I recommend always using double quotation marks with the user DN, samid, and display name values. That way you get used to using double quotation marks and if any of those values contains a space, the command will execute successfully. Otherwise, you might forget to use double quotation marks and, in such a case, account creation will fail.

If there are problems creating the account, you’ll see a warning and you’ll need to check your syntax, ensuring that all the values are set appropriately and that the DN values are valid. Otherwise, DSADD USER should report DSADD SUCCEEDED.

Real World

The most confusing thing about creating accounts at the command line, whether for users or for groups, is that the accounts have so many different name values. To be clear, the common name of the account, also referred to as the relative distinguished name, is the name component you assign using the first CN= component of the DN, such as CN=Mary Baker. User accounts also have a display name. The user display name is the value used in Windows dialog boxes. Typically, the display name is the user’s full name and you may see references to a user’s full name rather than his or her display name. Both user and group accounts also have a pre-Windows 2000 name. For users, this name is used for domain logon and authentication so it is also referred to as the pre–Windows 2000 logon name.

Customizing Domain User Account Attributes and Group Memberships

All new domain users are members of the group Domain Users, and their primary group is specified as Domain Users. You can add group memberships using the –Memberof parameter. Follow the parameter name with the group DNs. If a group DN contains a space, it should be enclosed in quotation marks, such as

dsadd user "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com" -memberof "CN=Backup Operators,CN=Builtin,DC=cpandl,DC=com" "CN=DHCP Administrators,CN=Builtin,DC=cpandl,DC=com"

Note

Pay particular attention to the space used between the group DNs. If you don’t use a space, group membership will not be properly configured and an error will occur.

Here, the user account is created and then added as a member of the Backup Operators and DHCP Administrators groups. This is a two-stage process: account creation happens first and then group memberships are configured. If an error occurs when adding group membership, DSADD USER will specify that the object was created successfully but there was an error after creation occurred. Check the syntax you used when specifying the group DNs, then use DSMOD USER to configure the user’s group membership correctly.

For security reasons, you might want to consider setting these parameters as well when creating user accounts:

  • mustchpwd {yes | no} By default, the user doesn’t have to change his or her password upon first logon, which means –mustchpwd no is assumed. If you set –mustchpwd yes the user must change his or her password upon first logon.

  • canchpwd {yes | no} By default, the user can change his or her password, which means –canchpwd yes is assumed. If you set –canchpwd no, the user can’t change the password.

  • pwdneverexpires {yes | no} By default, –pwdneverexpires no is assumed and the user password expires according to the group policy settings. If you set –pwdneverexpires yes, the password for this account never expires.

    Note

    Using –pwdneverexpires yes overrides the domain account policy. Generally it isn’t a good idea to set a password so that it doesn’t expire. This defeats the purpose of having passwords in the first place.

  • disabled {yes | no} By default, so long as you create an account with a password, the account is created and enabled for use (meaning –disabled no is assumed). If you set –disabled yes, the account is disabled and can’t be used. This temporarily prevents anyone from using the account.

Consider the following examples to learn more about DSADD USER:

Create an account for Scott L. Bishop in the Users container of the cpandl.com domain. Set the password so that it must be changed upon first logon.

dsadd user "CN=Scott L. Bishop,CN=Users,DC=cpandl,DC=com" -fn Scott -mi L -ln Bishop -samid "scottb" -display "Scott L. Bishop" -pwd acornTree -mustchpwd yes

Create an account for Bob Gage in the Engineering OU of the ny.cpandl.com domain. Set the password so that it never expires but disable the account.

dsadd user "CN=Bob Gage,OU=Engineering,DC=ny,DC=cpandl,DC=com" -fn Bob -ln Gage -samid "bgage" -display "Bob Gage" -pwd dazedOne -pwdneverexpires yes -disabled yes

Create an account for Eric F. Lang in the Marketing OU of the cpandl.com domain. Set the password so that it can’t be changed.

dsadd user "CN=Eric F. Lang,OU=Marketing,DC=cpandl,DC=com" -fn Eric -mi F -ln Lang -samid "eflang" -display "Eric F. Lang" -pwd albErt -canchpwd no

Tip

You can create accounts in any domain in the forest for which you have appropriate access permissions. In some cases, you might need to log on directly to a domain controller in the domain you want to work with. Use –S Server to connect to a specific domain controller in any domain in the forest. Use –D Domain to connect to any available domain controller in the specified domain.

Most of the time, the parameters discussed in this section will be the only ones you’ll use when creating accounts. As you’ve seen, based on the DSADD USER syntax, there are many other user account parameters. You can set these properties for user accounts as discussed later in the chapter.
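The naming rules and security parameters described above can be checked before a command ever reaches DSADD. The following Python script is an added example, not code from the book: it derives the default SAM account name from the first 20 characters of the common name, builds the fully qualified domain\logon name from the DN, always double-quotes the DN, samid and display values as the note recommends, and refuses two configurations the text warns about (a SAM account name that already exists in the domain, and –pwdneverexpires yes unless explicitly allowed). The UserSpec record, the function names and the existing_samids list are assumptions of this example.

```python
"""Build and sanity-check DSADD USER command lines from an account record.

Added example, not the book's code. It encodes the naming rules in the text:
the CN component of the DN names the user, its first 20 characters are the
default SAM account name, and domain\\samid is the fully qualified logon name.
"""
from dataclasses import dataclass, field


@dataclass
class UserSpec:                  # hypothetical record type for this example
    dn: str                      # "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com"
    pwd: str                     # password, or "*" to have DSADD prompt for it
    fn: str = ""
    mi: str = ""
    ln: str = ""
    display: str = ""            # defaults to the CN, as the text recommends
    samid: str = ""              # defaults to the first 20 characters of the CN
    memberof: list = field(default_factory=list)
    mustchpwd: bool = False
    canchpwd: bool = True
    pwdneverexpires: bool = False
    disabled: bool = False


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def common_name(dn):
    pairs = parse_dn(dn)
    if pairs[0][0] != "CN":
        raise ValueError("a user DN must begin with its CN= component")
    return pairs[0][1]


def logon_domain(dn):
    """The first DC= component is the logon domain used in domain\\user."""
    for attr, value in parse_dn(dn):
        if attr == "DC":
            return value
    raise ValueError("DN has no DC= component")


def quote(value):
    """Quote values that contain a space; DN, samid and display are always quoted."""
    return f'"{value}"' if " " in value else value


def build_dsadd_user(spec, existing_samids=(), allow_pwd_never_expires=False):
    cn = common_name(spec.dn)
    samid = spec.samid or cn[:20]            # DSADD's own default for the SAM name
    if len(samid) > 20:
        raise ValueError("SAM account names are limited to 20 characters")
    if samid.lower() in {s.lower() for s in existing_samids}:
        raise ValueError(f"SAM account name {samid!r} already exists; pass an explicit samid")
    if spec.pwdneverexpires and not allow_pwd_never_expires:
        raise ValueError("-pwdneverexpires yes overrides the domain password policy")
    if not spec.pwd:
        raise ValueError("supply a password (or '*' to be prompted); without one the account is created disabled")
    args = ["dsadd", "user", f'"{spec.dn}"']
    for flag, value in (("-fn", spec.fn), ("-mi", spec.mi), ("-ln", spec.ln)):
        if value:
            args += [flag, quote(value)]
    args += ["-samid", f'"{samid}"', "-display", f'"{spec.display or cn}"', "-pwd", quote(spec.pwd)]
    if spec.memberof:                          # group DNs are space-separated after -memberof
        args += ["-memberof"] + [f'"{g}"' for g in spec.memberof]
    if spec.mustchpwd:
        args += ["-mustchpwd", "yes"]
    if not spec.canchpwd:
        args += ["-canchpwd", "no"]
    if spec.pwdneverexpires:
        args += ["-pwdneverexpires", "yes"]
    if spec.disabled:
        args += ["-disabled", "yes"]
    return " ".join(args)


def fully_qualified_logon(spec):
    samid = spec.samid or common_name(spec.dn)[:20]
    return f"{logon_domain(spec.dn)}\\{samid}"


if __name__ == "__main__":
    mary = UserSpec(dn="CN=Mary Baker,OU=Sales,DC=cpandl,DC=com", pwd="dg56$2#",
                    fn="Mary", mi="A", ln="Baker", samid="marybaker", display="Mary Baker")
    print(build_dsadd_user(mary))
    print(fully_qualified_logon(mary))
```

Running the script prints the same Mary Baker command line shown earlier in this section; the checks raise ValueError rather than emitting a command that DSADD would either reject or create with a weaker password policy than the domain intends.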

Real World

Users who access Windows Server 2003 through Services for Macintosh use primary groups. When a Macintosh user creates files or directories on a Windows Server 2003 system, the primary group is assigned to these files or directories. By default, all user accounts have their primary group set to Domain Users. In the Active Directory Users And Computers administrative tool, you can change the primary group. You cannot change the primary group through the command line, however.

Creating Local User Accounts

Local machine accounts are created on individual computers. If you want to create a local machine account for a particular computer, you must log on locally or use a remote logon to access a local command prompt. Once you are logged on to the computer you want to work with, you can create the required account using NET USER. In some cases, local computer policy might allow you to create an account using only the name of the account to create and the /Add parameter, such as

net user wrstanek /add

Note

You can’t create local user accounts on domain controllers. Domain controllers do not have local machine accounts.

Here, you create a local account with the logon name wrstanek and use a blank password. Although you might be able to use a blank password, you risk the computer’s and possibly the network’s security by doing so. Therefore, at a minimum, I recommend you provide a user name and password for new local user accounts. The password follows the account name as shown in the following example:

net user wrstanek dg56$2# /add

Here, you create the local machine account for wrstanek and set the password to dg56$2#.

If the account creation is successful, NET USER will state “Command Completed Successfully.” However, if there are problems creating the account, NET USER won’t display an error message per se. Instead, it will display the command syntax. In this case, check your syntax and ensure that all the values are set appropriately.

Other values and parameters you might want to use with local user accounts include

  • /comment:"DescriptionText" Sets a description of the user account. Normally, you would type the user’s job title or department.

  • /fullname:"Name" Sets the full name of the user account. The full name is also referred to as the display name.

  • /passwordchg:{yes | no} By default, users can change their passwords, which means /passwordchg:yes is assumed. If you set /passwordchg:no, users won’t be able to change their passwords.

  • /passwordreq:{yes | no} By default, users are required to have a password for their accounts. This means /passwordreq:yes is assumed, so a user’s account must have a password and that password cannot be blank.

  • /active:{yes | no} By default, user accounts are enabled when they are created, which means /active:yes is assumed. If you set /active:no the account is disabled and can’t be used. Use this parameter to temporarily prevent anyone from using an account.

Consider the following examples to learn more about using NET USER:

Create a local machine account for the Desktop Support team with a full name and description.

net user dsupport squ5 /fullname:"Desktop Support" /comment:"Desktop Support Account" /add

Create a local machine account for Phil Spencer, include a full name and description, and require a password.

net user pspencer magma2 /fullname:"Phil Spencer" /comment:"Offsite Sales Manager" /passwordreq:yes /add

Create a local machine account for Chris Preston, include a full name and description. Set a password but don’t let the user change it.

net user chrisp apples /fullname:"Chris Preston" /comment:"PR Manager" /passwordchg:no /add






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004