Updating User and Group Accounts

Active Directory Users And Computers is the tool to use when you want to update a domain user or group account. If you want to update a local user or group account, you'll need to use Local Users And Groups instead. When you work with Active Directory, you'll often want to get a list of accounts and then do something with those accounts. For example, you might want to list all the user accounts in the organization and then disable the accounts of users who have left the company. One way to perform this task is to follow these steps:
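The same list-then-disable task done from a script rather than the console, as an added example that is not part of the book. It assumes the ActiveDirectory PowerShell module (an RSAT component; against Windows Server 2003 domain controllers it only works once the Active Directory Management Gateway Service is installed on them). The OU, the inactivity threshold and the audit-file path are placeholders chosen for the example.

```powershell
# Added example, not from the book: list domain user accounts that have not logged
# on for a set number of days and disable them, with a dry run and an audit file.
# Assumptions: the RSAT ActiveDirectory module is installed; the OU below is a
# placeholder for this example.
Import-Module ActiveDirectory

function Get-StaleUser {
    param(
        [int]    $InactiveDays = 90,
        [string] $SearchBase   = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
    )
    # lastLogonTimestamp is replicated between DCs (with up to 14 days of lag),
    # so Search-ADAccount gives a domain-wide answer without querying every DC.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                     -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.ObjectGUID -Properties LastLogonDate, Description, whenCreated
        } |
        Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$InactiveDays) }  # new accounts never logged on; skip
}

function Disable-StaleUser {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]    $InactiveDays = 90,
        [string] $AuditFile = "$env:TEMP\disabled-accounts.csv",
        [switch] $Apply    # without -Apply the function only reports what it would do
    )
    process {
        $stamp = (Get-Date).ToString('yyyy-MM-dd')
        $note  = "Disabled $stamp after $InactiveDays days without logon. Was: $($User.Description)"
        # Keep the history on the object itself so the next administrator sees why.
        Disable-ADAccount -Identity $User.DistinguishedName -WhatIf:(-not $Apply)
        Set-ADUser        -Identity $User.DistinguishedName -Description $note -WhatIf:(-not $Apply)
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            LastLogonDate  = $User.LastLogonDate
            Applied        = [bool]$Apply
        } | Export-Csv -Path $AuditFile -Append -NoTypeInformation
    }
}

# Review the list first, then run again with -Apply once it looks right.
Get-StaleUser | Select-Object SamAccountName, Name, LastLogonDate | Format-Table -AutoSize
Get-StaleUser | Disable-StaleUser             # dry run: WhatIf output only
# Get-StaleUser | Disable-StaleUser -Apply   # really disable and write the audit file
```

Disabling rather than deleting keeps the account's SID, so the decision can be reversed; the description stamp and the CSV give you a record to check against before anything is deleted later. The same shape works for stale computer accounts: use -ComputersOnly instead of -UsersOnly and Get-ADComputer instead of Get-ADUser.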
Use this same procedure to get a list of computers, groups, or other Active Directory resources. With computers, use a custom search, click Field, choose Computer, and then select Computer Name (Pre-Windows 2000). With groups, use a custom search, click Field, choose Group, and then select Group Name (Pre-Windows 2000). The sections that follow examine other techniques you can use to update accounts (rename, copy, delete, and enable them) as well as to change and reset passwords. You'll also learn how to troubleshoot account logon problems.

Renaming User and Group Accounts

To rename an account, complete the following steps:
Security Identifiers

When you rename a user account, you give the account a new label. As discussed in Chapter 9, "Creating User and Group Accounts," user names are meant to make managing and using accounts easier. Behind the scenes, Windows Server 2003 uses security identifiers (SIDs) to identify, track, and handle accounts independently from user names. SIDs are unique identifiers that are generated when accounts are created and are never reused. Because SIDs are mapped to account names internally, you don't need to change the privileges or permissions on renamed accounts; Windows Server 2003 simply maps the SIDs to the new account names as necessary. One common reason for changing the name of a user account is that the user gets married and decides to change her last name. For example, if Linda Martin (lindam) gets married, she might want her user name to be changed to Linda Randall (lindar). When you change the user name from lindam to lindar, all associated privileges and permissions reflect the name change. Thus, if you view the permissions on a file that lindam had access to, lindar is now listed (and lindam no longer is).

Changing Other Information

When you change lindam to lindar, the user properties and the names of files and folders associated with the account aren't changed, so you should update the account information yourself. The information you might need to change includes:
Note: Changing directory and file information for an account while the user is logged on can cause problems, because the profile and home folders are in use during the session. Update this information after hours, or ask the user to log off for a few minutes and then log back on. In most cases you can write a simple Windows script that performs the tasks quickly and automatically.

Copying Domain User Accounts

Creating domain user accounts from scratch every time can be tedious. Instead of starting anew each time, you can use an existing account as a starting point. To do this, follow these steps:
As you might expect, when you copy an account, Active Directory Users And Computers doesn't retain all the information from the existing account. Instead, it copies only the information you're likely to need and discards the information you would have to update anyway. The properties that are retained include
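Copying an account from a script, as an added example that is not part of the book. Which attributes carry over here is a choice made for the example (organizational and policy data, never identity data such as name, logon name, SID or home folder); it is not the list that Active Directory Users And Computers retains. It assumes the ActiveDirectory PowerShell module (against Windows Server 2003 domain controllers this needs the Active Directory Management Gateway Service), and the user names are placeholders.

```powershell
# Added example, not from the book: create a new domain user from an existing
# account used as a template. The attributes copied are this example's choice,
# not the set that Active Directory Users And Computers retains.
# Assumptions: the RSAT ActiveDirectory module is installed; names are placeholders.
Import-Module ActiveDirectory

function Copy-DomainUser {
    param(
        [Parameter(Mandatory)] [string]       $TemplateSam,     # existing account to copy
        [Parameter(Mandatory)] [string]       $NewSam,          # logon name of the new account
        [Parameter(Mandatory)] [string]       $GivenName,
        [Parameter(Mandatory)] [string]       $Surname,
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )

    # Organizational and policy data is worth inheriting; identity data never is.
    $copyAttrs = 'Department', 'Title', 'Company', 'Office', 'StreetAddress', 'City',
                 'State', 'PostalCode', 'Country', 'Manager', 'ScriptPath', 'LogonWorkstations'

    $tpl = Get-ADUser -Identity $TemplateSam -Properties ($copyAttrs + 'MemberOf')

    # -Instance copies every attribute that is set on the object passed in, so seed a
    # fresh object with only the attributes chosen above instead of passing $tpl.
    $seed = New-Object Microsoft.ActiveDirectory.Management.ADUser
    foreach ($a in $copyAttrs) {
        if ($null -ne $tpl.$a) { $seed.$a = $tpl.$a }
    }

    # Create the new account in the template's container. Strip the leading RDN with a
    # pattern that honours escaped commas ("CN=Randall\, Linda,OU=..." is a valid DN).
    $container = $tpl.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''
    $domain    = (Get-ADDomain).DNSRoot

    New-ADUser -Instance $seed `
        -Name "$GivenName $Surname" -SamAccountName $NewSam `
        -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" `
        -UserPrincipalName "$NewSam@$domain" `
        -Path $container `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true

    # Group membership lives on the group objects, not the user, so copy it separately.
    # The primary group (Domain Users by default) is implicit and is not in MemberOf.
    foreach ($groupDn in $tpl.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $NewSam
    }

    Get-ADUser -Identity $NewSam -Properties Department, Title, Office, MemberOf
}

# Usage (placeholders): copy an existing engineer's account for a new hire.
# $pw = Read-Host -AsSecureString 'Initial password'
# Copy-DomainUser -TemplateSam lindar -NewSam jsmith -GivenName John -Surname Smith -InitialPassword $pw
```

Review the template's group memberships before copying them: a template that has accumulated privileged groups over the years hands those rights to every account cloned from it, which is the main way template-based provisioning goes wrong.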
Deleting User and Group Accounts

Deleting an account permanently removes it. Once you delete an account, you can't create a new account with the same name to get the same permissions, because the SID of the new account won't match the SID of the old one; permissions granted to the old SID stay in ACLs as entries that no longer resolve to a name. Because deleting built-in accounts can have far-reaching effects on the domain, Windows Server 2003 doesn't let you delete built-in user or group accounts. You can remove other accounts by selecting them and pressing the Delete key or by right-clicking and selecting Delete. When prompted, click OK and then click Yes. With Active Directory Users And Computers, you can select multiple accounts by doing one of the following:
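The rename from the "Security Identifiers" and "Changing Other Information" sections above, and the consequence of deletion described in this section, as one added example that is not part of the book. It renames lindam to lindar while checking that the SID is unchanged, renames the home folder the way the Note recommends (with the user logged off), and then scans a folder tree for ACL entries holding a SID that no longer resolves, which is what a deleted account leaves behind and a renamed one never does. It assumes the ActiveDirectory PowerShell module (with the Active Directory Management Gateway Service on Windows Server 2003 domain controllers); the share path and user names are placeholders.

```powershell
# Added example, not from the book: rename a user and prove the SID survives, then
# find ACL entries orphaned by deleted accounts.
# Assumptions: the RSAT ActiveDirectory module is installed; paths/names are placeholders.
Import-Module ActiveDirectory

function Rename-DomainUser {
    param(
        [Parameter(Mandatory)] [string] $OldSam,      # e.g. lindam
        [Parameter(Mandatory)] [string] $NewSam,      # e.g. lindar
        [Parameter(Mandatory)] [string] $NewSurname   # e.g. Randall
    )
    $u = Get-ADUser -Identity $OldSam -Properties HomeDirectory
    $sidBefore  = $u.SID.Value
    $domain     = (Get-ADDomain).DNSRoot
    $newDisplay = "$($u.GivenName) $NewSurname"

    # The label changes; the object, and therefore its SID, does not.
    Set-ADUser -Identity $u -SamAccountName $NewSam -UserPrincipalName "$NewSam@$domain" `
               -Surname $NewSurname -DisplayName $newDisplay
    # The common name shown in the console tree is a separate rename of the object.
    Rename-ADObject -Identity $u.DistinguishedName -NewName $newDisplay

    # "Changing Other Information": AD does not touch folders named after the old
    # logon name. Do this while the user is logged off, as the Note above says.
    if ($u.HomeDirectory -and (Test-Path -LiteralPath $u.HomeDirectory)) {
        $newHome = Join-Path (Split-Path -Path $u.HomeDirectory -Parent) $NewSam
        Rename-Item -LiteralPath $u.HomeDirectory -NewName $NewSam
        Set-ADUser -Identity $NewSam -HomeDirectory $newHome
    }

    $after = Get-ADUser -Identity $NewSam
    [pscustomobject]@{
        OldLogon     = $OldSam
        NewLogon     = $NewSam
        SidBefore    = $sidBefore
        SidAfter     = $after.SID.Value
        SidPreserved = ($sidBefore -eq $after.SID.Value)   # expected: True
    }
}

function Find-OrphanedAce {
    # Lists explicit ACL entries that hold a bare SID, i.e. one Windows can no longer
    # map to an account name. A deleted account leaves these behind. (A SID from a
    # trusted domain that is unreachable right now looks the same; check before cleaning up.)
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Inherited entries are fixed at their source; report only explicit ones.
            if ($ace.IsInherited) { continue }
            # An unresolvable identity is displayed as S-1-5-21-<domain>-<rid>, not DOMAIN\name.
            if ($ace.IdentityReference.Value -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (placeholders):
# Rename-DomainUser -OldSam lindam -NewSam lindar -NewSurname Randall
# (Get-Acl -LiteralPath '\\fileserver\home\lindar').Access |
#     Where-Object { $_.IdentityReference -like '*\lindar' }   # same ACE, new name
# Find-OrphanedAce -Path '\\fileserver\home'                   # leftovers of deleted accounts
```

After the rename, the ACE that used to display as DOMAIN\lindam displays as DOMAIN\lindar with no change to the ACL itself, because the ACL stores the SID. Orphaned entries found by Find-OrphanedAce are harmless to the deleted user, but they are also the entries a newly created account with a reused SID-free name can never inherit, so recreating "lindam" does not bring the access back.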
Changing and Resetting Passwords

As an administrator, you'll often have to change or reset user passwords. This usually happens when users forget their passwords or their passwords expire. To change or reset a password, complete the following steps:
Enabling User Accounts

A user account can stop working for several reasons. If a user forgets the password and tries to guess it, the user might exceed the account policy's limit on bad logon attempts, which locks the account out. Another administrator might have disabled the account while the user was on vacation. Or the account might have expired. What to do when an account is disabled, locked out, or expired is described in the following sections.

Account Disabled

When an account is disabled, complete the following steps:
Account Locked Out

When an account is locked out, complete the following steps:
Note: If users frequently get locked out of their accounts, consider adjusting the account policy for the domain. You might want to raise the lockout threshold (the number of bad logon attempts allowed) and shorten the window after which the bad-attempt counter is reset. For more information on setting account policy, see the section of Chapter 9 entitled "Configuring Account Policies."

Account Expired

Expiration dates are a domain-account feature; Local Users And Groups doesn't offer one for local accounts. When a domain account is expired, complete the following steps:
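The logon troubleshooting covered by the "Changing and Resetting Passwords" and "Enabling User Accounts" sections (disabled, locked out, expired, and expired password), as one added example that is not part of the book. It diagnoses a single account against the PDC emulator, applies the fix that matches each finding, and reports the lockout policy values the Note above refers to. It assumes the ActiveDirectory PowerShell module (with the Active Directory Management Gateway Service on Windows Server 2003 domain controllers); the user name in the usage lines is a placeholder.

```powershell
# Added example, not from the book: find out why a user cannot log on and fix it.
# Assumptions: the RSAT ActiveDirectory module is installed; user names are placeholders.
Import-Module ActiveDirectory

function Get-LogonBlocker {
    param([Parameter(Mandatory)] [string] $Sam)
    # badPwdCount and lockoutTime are not replicated, but every DC forwards bad
    # passwords to the PDC emulator, so it holds the authoritative picture.
    $pdc   = (Get-ADDomain).PDCEmulator
    $props = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'PasswordExpired',
             'PasswordLastSet', 'badPwdCount', 'lockoutTime'
    $u = Get-ADUser -Identity $Sam -Server $pdc -Properties $props

    $reasons = @()
    if (-not $u.Enabled)    { $reasons += 'Disabled' }
    if ($u.LockedOut)       { $reasons += 'LockedOut' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $reasons += 'Expired' }
    if ($u.PasswordExpired) { $reasons += 'PasswordExpired' }

    $since = $null
    if ($u.lockoutTime) { $since = [DateTime]::FromFileTime($u.lockoutTime) }   # FILETIME, not a DateTime
    [pscustomobject]@{
        User             = $Sam
        Reasons          = $reasons
        BadPasswordCount = $u.badPwdCount
        LockedOutSince   = $since
        Expires          = $u.AccountExpirationDate
        PasswordLastSet  = $u.PasswordLastSet
    }
}

function Repair-LogonBlocker {
    param(
        [Parameter(Mandatory)] [string] $Sam,
        [switch] $ResetPassword,        # force a reset even if the password has not expired
        [int]    $ExtendExpiryDays = 0  # 0 = remove the expiration date entirely
    )
    $needReset = $ResetPassword.IsPresent
    foreach ($r in (Get-LogonBlocker -Sam $Sam).Reasons) {
        switch ($r) {
            'Disabled'  { Enable-ADAccount -Identity $Sam }
            'LockedOut' { Unlock-ADAccount -Identity $Sam }
            'Expired'   {
                if ($ExtendExpiryDays -gt 0) {
                    Set-ADAccountExpiration -Identity $Sam -DateTime (Get-Date).AddDays($ExtendExpiryDays)
                } else {
                    Clear-ADAccountExpiration -Identity $Sam
                }
            }
            'PasswordExpired' { $needReset = $true }
        }
    }
    if ($needReset) {
        # Reset (not change) needs no old password; force the user to pick their own next.
        $pw = Read-Host -AsSecureString "Temporary password for $Sam"
        Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $pw
        Set-ADUser -Identity $Sam -ChangePasswordAtLogon $true
    }
    Get-LogonBlocker -Sam $Sam   # Reasons should now be empty
}

function Get-LogonBlockerSummary {
    # Domain-wide counts of the same four states, for spotting a pattern (see the Note).
    [pscustomobject]@{
        Disabled        = @(Search-ADAccount -AccountDisabled -UsersOnly).Count
        LockedOut       = @(Search-ADAccount -LockedOut -UsersOnly).Count
        Expired         = @(Search-ADAccount -AccountExpired -UsersOnly).Count
        PasswordExpired = @(Search-ADAccount -PasswordExpired -UsersOnly).Count
        Policy          = Get-ADDefaultDomainPasswordPolicy |
                          Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
    }
}

# Usage (placeholders):
# Get-LogonBlocker -Sam lindar
# Repair-LogonBlocker -Sam lindar -ExtendExpiryDays 30
# Get-LogonBlockerSummary
```

Before unlocking or resetting, look at BadPasswordCount and LockedOutSince: a lockout caused by a stale saved credential or a scheduled task will simply recur, and a burst of bad passwords against an account the user was not using at the time is worth treating as a possible attack rather than a forgotten password.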