Updating User and Group Accounts


Active Directory Users And Computers is the tool to use when you want to update a domain user or group account. If you want to update a local user or group account, you'll need to use Local Users And Groups.

When you work with Active Directory, you'll often want to get a list of accounts and then do something with those accounts. For example, you might want to list all the user accounts in the organization and then disable the accounts of users who have left the company. One way to perform this task is to follow these steps:

  1. In Active Directory Users and Computers, right-click the domain name and then click Find.

  2. In the Find selection list, click Custom Search. This updates the Find dialog box to display a Custom Search tab.

  3. Using the In selection list, select the area you want to search. To search the enterprise, select Entire Directory.

  4. On the Custom Search tab, click Field to display a shortcut menu, choose User, and then select Logon Name (Pre-Windows 2000).

    Tip

    Be sure to select Logon Name (Pre-Windows 2000). Don't use Logon Name: user accounts aren't required to have a Windows Server 2003 logon name (the user principal name), but they're required to have a pre-Windows 2000 logon name (the sAMAccountName attribute), so a search on that field finds every user.


  5. Using the Condition selection list, choose Present and then click Add. If prompted to confirm, click Yes.

  6. Click Find Now. Active Directory Users and Computers gathers a list of all users in the designated area.

  7. You can now work with the accounts one by one or several at a time. To select multiple resources not in sequence, hold down the Ctrl key and then click the left mouse button on each object you want to select. To select a series of resources at once, hold down the Shift key, select the first object, and then click the last object.

  8. Right-click and then select an action from the shortcut menu that's displayed, such as Disable Account.

    Tip

    The actions you can perform on multiple accounts include: Add Member To Group (used to add the selected accounts to a designated group), Enable Account, Disable Account, Delete, and Move. Although Properties is listed as a possible action on the right-click shortcut menu, you can't edit the properties of multiple accounts in Windows 2000. This feature is only in Windows Server 2003.


Use this same procedure to get a list of computers, groups, or other Active Directory resources. With computers, use a custom search, click Field, choose Computer, and then select Computer Name (Pre-Windows 2000). With groups, use a custom search, click Field, choose Group, and then select Group Name (Pre-Windows 2000).
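The same search, written as the LDAP filter that the Custom Search tab builds behind the scenes, followed by the disable step. This is an added PowerShell example, not code from the book: it uses ADSI (present on any domain-joined Windows machine with PowerShell installed) and assumes a domain named contoso.com, the function name Find-AdAccounts, and a constructed list of leavers.

```powershell
# Added example (not from the book). Enumerates accounts the way the Custom
# Search does, with the pre-Windows 2000 logon name (sAMAccountName) as the
# attribute that must be present, then disables the users in a constructed
# leaver list. Assumptions: domain contoso.com, write access to the user objects.

$ACCOUNTDISABLE = 0x2   # userAccountControl bit behind "Account is disabled"

# Filters for the three object types the text covers. sAMAccountName is the
# "(Pre-Windows 2000)" name in all three cases; computer names end in "$".
$filters = @{
    user     = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
    computer = "(&(objectCategory=computer)(sAMAccountName=*))"
    group    = "(&(objectCategory=group)(sAMAccountName=*))"
}

function Find-AdAccounts {
    param(
        [ValidateSet("user", "computer", "group")] [string]$Kind,
        [string]$SearchRoot = "LDAP://DC=contoso,DC=com"   # "Entire Directory" in the dialog; assumed domain
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter     = $filters[$Kind]
    $searcher.PageSize   = 1000   # paged results; without this a domain with more than 1000 users is truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "userAccountControl"))
    $searcher.FindAll()
}

# Constructed list of people who have left; in practice this comes from HR.
$leavers = @("lindam", "jsmith")

foreach ($result in Find-AdAccounts -Kind user) {
    $sam = [string]$result.Properties["samaccountname"][0]
    if ($leavers -notcontains $sam) { continue }

    $entry = $result.GetDirectoryEntry()
    $uac   = [int]$entry.Properties["userAccountControl"].Value
    if ($uac -band $ACCOUNTDISABLE) {
        Write-Output "$sam is already disabled"
        continue
    }
    $entry.Properties["userAccountControl"].Value = $uac -bor $ACCOUNTDISABLE
    $entry.CommitChanges()
    Write-Output "Disabled $sam"
}
```

Find-AdAccounts -Kind computer and -Kind group return the other two object types the paragraph above covers; computer names come back with the trailing $ that the pre-Windows 2000 name carries. Setting the bit rather than assigning a fixed value keeps whatever other account options the user already had.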

The sections that follow examine other techniques you can use to update (rename, copy, delete, and enable) accounts as well as to change and reset passwords. You'll also learn how to troubleshoot account logon problems.

Renaming User and Group Accounts

To rename an account, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're renaming.

  2. Right-click the account name, and then choose Rename. Type the new account name when prompted.

Security Identifiers

When you rename a user account, you give the account a new label. As discussed in Chapter 9, "Creating User and Group Accounts," user names are meant to make managing and using accounts easier. Behind the scenes, Windows Server 2003 uses security identifiers (SIDs) to identify, track, and handle accounts independently from user names. SIDs are unique identifiers that are generated when accounts are created and are never reused, even after the account is deleted.

Because SIDs are mapped to account names internally, you don't need to change the privileges or permissions on renamed accounts. Windows Server 2003 simply maps the SIDs to the new account names as necessary.

One common reason for changing the name of a user account is that the user gets married and decides to change her last name. For example, if Linda Martin (lindam) gets married, she might want her user name to be changed to Linda Randall (lindar). When you change the user name from lindam to lindar, all associated privileges and permissions will reflect the name change. Thus, if you view the permissions on a file that lindam had access to, lindar will now have access (and lindam will no longer be listed).

Changing Other Information

When you change lindam to lindar, the user properties and names of files associated with the account aren't changed. This means you should update the account information. The information you might need to change includes:

  • Display Name

    Change the user account's Display Name in Active Directory Users And Computers.

  • User Profile Path

    Change the Profile Path in Active Directory Users And Computers, and then rename the corresponding directory on disk.

  • Logon Script Name

    If you use individual logon scripts for each user, change the Logon Script Name in Active Directory Users And Computers, and then rename the logon script on disk.

  • Home Directory

    Change the home directory path in Active Directory Users And Computers, and then rename the corresponding directory on disk.

Note

Changing directory and file information for an account when a user is logged on might cause problems. So you might want to update this information after hours or ask the user to log off for a few minutes and then log back on. In most cases you can write a simple Windows script that will perform the tasks for you quickly and automatically.
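The rename plus the four follow-up changes, with a check that the SID the previous section describes really does survive the rename, as an added PowerShell example (not code from the book). It assumes a domain contoso.com, per-user folders on \\fs1\profiles$ and \\fs1\home$ named after the logon name, logon scripts named <logon name>.bat in NETLOGON, a UPN suffix of contoso.com, and that the caller can write to all of them.

```powershell
# Added example (not from the book). Renames lindam to lindar and then updates
# the items the rename leaves untouched: display name, profile path, logon
# script, home directory, and the matching directories on disk. The SID is read
# before and after to show that permissions follow the account, not the name.
# Assumptions: domain contoso.com, share paths and script location below.

$oldSam   = "lindam"
$newSam   = "lindar"
$newCn    = "Linda Randall"
$roots    = '\\fs1\profiles$', '\\fs1\home$'   # assumed; one folder per user, named after the logon name
$netlogon = '\\contoso.com\netlogon'           # assumed; scripts are <logon name>.bat

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://DC=contoso,DC=com")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$oldSam))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No user with pre-Windows 2000 logon name $oldSam" }
$user = $hit.GetDirectoryEntry()

# ACLs reference the SID, not the name; keep it to verify after the rename.
$sidBefore = New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"].Value, 0)

# 1. Rename on disk first. If the user is logged on, a folder is usually in use
#    and Rename-Item fails; -ErrorAction Stop aborts before AD and disk disagree.
foreach ($root in $roots) {
    $old = Join-Path $root $oldSam
    if (Test-Path $old) { Rename-Item -Path $old -NewName $newSam -ErrorAction Stop }
}
$oldScript = Join-Path $netlogon "$oldSam.bat"
if (Test-Path $oldScript) { Rename-Item -Path $oldScript -NewName "$newSam.bat" -ErrorAction Stop }

# 2. Update the attributes behind the Account and Profile tabs. Values written
#    with %username% are left alone: they already resolve to the new name.
$user.Properties["sAMAccountName"].Value    = $newSam
$user.Properties["userPrincipalName"].Value = "$newSam@contoso.com"   # assumed UPN suffix
$user.Properties["displayName"].Value       = $newCn
foreach ($attr in "profilePath", "scriptPath", "homeDirectory") {
    $v = [string]$user.Properties[$attr].Value
    if ($v -and $v -notmatch '%username%') {
        $user.Properties[$attr].Value = $v -replace [regex]::Escape($oldSam), $newSam
    }
}
$user.CommitChanges()

# 3. Rename the object itself (the name shown in the console). Rename() commits on its own.
$user.Rename("CN=$newCn")

# 4. Verify: same SID, new name.
$searcher.Filter = "(sAMAccountName=$newSam)"
$after    = $searcher.FindOne().GetDirectoryEntry()
$sidAfter = New-Object System.Security.Principal.SecurityIdentifier($after.Properties["objectSid"].Value, 0)
if ($sidBefore.Value -ne $sidAfter.Value) { throw "SID changed during rename; investigate before continuing" }
Write-Output "Renamed $oldSam to $newSam; SID $($sidAfter.Value) unchanged"
```

Run it while the user is logged off, for the reason the note gives: the folder renames are the step most likely to fail, and doing them first means a failure leaves the directory entry untouched.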


Copying Domain User Accounts

Creating domain user accounts from scratch every time can be tedious. Instead of starting anew each time, you might want to use an existing account as a starting point. To do this, follow these steps:

  1. Right-click the account you want to copy in Active Directory Users And Computers, and then choose Copy. This opens the Copy Object - User dialog box.

  2. Create the account as you would any other domain user account. Then update the properties of the account, as appropriate.

As you might expect, when you create a copy of an account, Active Directory Users And Computers doesn't retain all the information from the existing account. Instead, Active Directory Users And Computers tries to copy only the information you'll need and to discard the information that you'll need to update. The properties that are retained include

  • City, state, ZIP code, and country values set in the Address tab

  • Department and company set in the Organization tab

  • Account options set using the Account Options fields on the Account tab

  • Logon hours and permitted logon workstations

  • Account expiration date

  • Group account memberships

  • Profile settings

  • Dial-in privileges

    Note

    If you used environment variables to specify the profile settings in the original account, the environment variables are used for the copy of the account as well. For example, if the original account used the %UserName% variable, the copy of the account will also use this variable.
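The retained-properties list above, applied by script: an added PowerShell example (not code from the book) that creates a new user from a template the way the Copy command does, carrying over only the attributes listed and leaving everything else empty. It assumes a domain contoso.com, a template user named Sales Template in OU=Sales, a UPN suffix of contoso.com, and create rights in that OU.

```powershell
# Added example (not from the book). Creates a domain user from an existing one
# the way the Copy command does: only the attributes the text lists as retained
# are carried over. Assumptions: domain contoso.com, template and OU below.

$ou       = [ADSI]"LDAP://OU=Sales,DC=contoso,DC=com"
$template = [ADSI]"LDAP://CN=Sales Template,OU=Sales,DC=contoso,DC=com"
$newSam   = "lindar"
$newCn    = "Linda Randall"
$ACCOUNTDISABLE = 0x2

# Attributes behind the tabs the text names.
$retained = "l", "st", "postalCode", "c", "co", "countryCode",           # Address tab
            "department", "company",                                     # Organization tab
            "logonHours", "userWorkstations", "accountExpires",          # Account tab
            "profilePath", "scriptPath", "homeDirectory", "homeDrive",   # Profile tab
            "msNPAllowDialin"                                            # Dial-in tab

$new = $ou.Create("user", "CN=$newCn")
$new.Put("sAMAccountName", $newSam)
$new.Put("userPrincipalName", "$newSam@contoso.com")   # assumed UPN suffix
$new.SetInfo()   # the object must exist before the remaining attributes can be written

foreach ($attr in $retained) {
    $value = $template.Properties[$attr].Value
    # A %username% in a path is copied verbatim, as the note describes.
    if ($value -ne $null) { $new.Properties[$attr].Value = $value }
}

# Account options live in userAccountControl. A password must exist before the
# disable bit may be cleared under a normal password policy, so set it first.
$secure = Read-Host "Initial password for $newSam" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $new.Invoke("SetPassword", [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$uac = [int]$template.Properties["userAccountControl"].Value
$new.Properties["userAccountControl"].Value = $uac -band (-bnot $ACCOUNTDISABLE)
$new.Put("pwdLastSet", 0)   # user must change the initial password at next logon
$new.SetInfo()

# Group memberships: add the copy to every group the template belongs to.
# The primary group (Domain Users by default) is not in memberOf and needs no copying.
foreach ($groupDn in $template.Properties["memberOf"]) {
    ([ADSI]"LDAP://$groupDn").Add($new.Path)
}
Write-Output "Created $newSam from $($template.Properties['sAMAccountName'].Value)"
```

Keep the template account itself disabled and without a password; it exists only to be copied, and the group memberships it carries are the ones every copy inherits.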


Deleting User and Group Accounts

Deleting an account permanently removes the account. Once you delete an account, you can't get its permissions back by creating a new account with the same name. That's because the new account gets a new SID, and it's the old SID, not the name, that's recorded in permission entries. Those entries stay behind as unresolvable SIDs until you remove them.

Because deleting built-in accounts can have far-reaching effects on the domain, Windows Server 2003 doesn't let you delete built-in user accounts or group accounts. You can remove other accounts by selecting them and pressing the Delete key or by right-clicking and selecting Delete. When prompted, click OK and then click Yes.

With Active Directory Users And Computers, you can select multiple accounts by doing one of the following:

  • Select multiple user names for editing by holding down the Ctrl key and clicking the left mouse button on each account you want to select.

  • Select a range of user names by holding down the Shift key, selecting the first account name, and then clicking the last account in the range.

    Note

    When you delete a user account, Windows Server 2003 doesn't delete the user's profile, personal files, or home directory. If you want to delete these files and directories, you'll have to do it manually. If this is a task you perform routinely, you might want to create a Windows script that performs the necessary procedures for you. However, don't forget to back up files or data that might be needed before you do this.
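The cleanup the note describes, and the SID side effect described at the start of this section, as an added PowerShell example (not code from the book): it archives the user's folders, deletes the account, and then lists the permission entries on those folders that now point at a SID with no account behind it. It assumes a domain contoso.com, per-user folders on \\fs1\home$ and \\fs1\profiles$ named after the logon name, an archive share \\fs1\leavers$, and the function name Get-OrphanedAces.

```powershell
# Added example (not from the book). Backs up the home directory and profile,
# deletes the user object, reports ACEs that still name the deleted SID, and
# only then removes the original folders. Assumptions: domain contoso.com and
# the share paths below.

$sam     = "jsmith"
$roots   = '\\fs1\home$', '\\fs1\profiles$'   # assumed; per-user folders named after the logon name
$archive = Join-Path '\\fs1\leavers$' ("{0:yyyyMMdd}-{1}" -f (Get-Date), $sam)

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://DC=contoso,DC=com")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No user with pre-Windows 2000 logon name $sam" }
$user = $hit.GetDirectoryEntry()
$sid  = New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"].Value, 0)

# 1. Back up before anything is removed. Recreating the account later does not
#    restore access, because the new account gets a different SID.
New-Item -ItemType Directory -Path $archive -Force | Out-Null
foreach ($root in $roots) {
    $src = Join-Path $root $sam
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination (Join-Path $archive (Split-Path $root -Leaf)) -Recurse -ErrorAction Stop
    }
}

# 2. Delete the account. Built-in accounts are protected; this call fails for them.
$user.DeleteTree()

# 3. The folders still carry ACEs for the old SID. Get-Acl hands back an identity
#    it cannot resolve as a raw SecurityIdentifier instead of DOMAIN\name, which
#    is how orphans are spotted. (The local LSA cache can keep resolving a SID
#    for a short while after deletion; rerun later if nothing shows up.)
function Get-OrphanedAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
    }
}
foreach ($root in $roots) {
    $src = Join-Path $root $sam
    if (-not (Test-Path $src)) { continue }
    Get-OrphanedAces -Path $src | ForEach-Object {
        $tag = if ($_.IdentityReference.Value -eq $sid.Value) { "(deleted $sam)" } else { "" }
        Write-Output "Orphaned ACE on ${src}: $($_.IdentityReference) $($_.FileSystemRights) $tag"
    }
    Remove-Item -Path $src -Recurse -Force
}
Write-Output "Deleted $sam (SID $($sid.Value)); files archived under $archive"
```

Get-OrphanedAces is worth running over shared folders as well, not just the user's own: any ACE that still names a deleted SID is dead weight that hides who actually has access.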


Changing and Resetting Passwords

As an administrator, you'll often have to change or reset user passwords. This usually happens when users forget their passwords or their passwords expire.

To change or reset a password, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account whose password you're changing.

  2. Right-click the account name, and then choose Reset Password or Set Password, as appropriate.

  3. Type a new password for the user and confirm it. The password must conform to the password policy (length, complexity, and history) set for the computer or domain, or the reset is refused. Treat it as a temporary password: give it to the user out of band and require a change at next logon.

  4. Double-click the account name and then clear Account Is Disabled and Account Is Locked Out, whichever is appropriate and necessary. In Active Directory Users And Computers, these check boxes are on the Account tab.

Enabling User Accounts

User accounts can become unusable for several reasons. If a user forgets the password and tries to guess it, the user might exceed the lockout threshold set in account policy, and the account is locked out. Or another administrator could have disabled the account while the user was on vacation. Or the account could have expired. What to do when an account is disabled, locked out, or expired is described in the following sections.

Account Disabled

When an account is disabled, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're restoring.

  2. Double-click the user's account name and then clear the Account Is Disabled check box. In Active Directory Users And Computers, this check box is in the Account tab.

Account Locked Out

When an account is locked out, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're restoring.

  2. Double-click the user's account name, and then clear the Account Is Locked Out check box. In Active Directory Users And Computers, this check box is in the Account tab.

Note

If users frequently get locked out of their accounts, consider adjusting the account policy for the domain. Here, you might want to increase the value for acceptable bad logon attempts and reduce the duration for the associated counter. Raise the threshold with care, though: it's the setting that limits online password guessing against every account in the domain, and repeated lockouts on one account are worth checking in the security log first, since a stale saved password on a mapped drive or service and an actual guessing attempt produce the same symptom. For more information on setting account policy, see the section of Chapter 9 entitled "Configuring Account Policies."


Account Expired

Only domain accounts expose an expiration date in the management tools. Local Users And Groups has no expiration field for local accounts (the attribute exists and can be set from the command line with net user /expires, but the snap-in doesn't show it).

When a domain account is expired, complete the following steps:

  1. Access Active Directory Users And Computers.

  2. Double-click the user's account name, and then select the Account tab.

  3. In the Account Expires panel, select Never to remove the expiration, or select End Of and then click the down arrow on the related field. This displays a calendar that you can use to set a new expiration date.
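The password reset, unlock, enable, and un-expire steps of the last four sections in one pass, as an added PowerShell example (not code from the book). It assumes a domain contoso.com and that the caller holds Reset Password rights on the user object; the attribute writes are the same ones the check boxes in the Account tab make.

```powershell
# Added example (not from the book). Restores access for one user: resets the
# password, clears the lockout, clears the disable bit, and removes the expiry.
# Assumptions: domain contoso.com, Reset Password rights on the object.

$sam = "lindar"
$ACCOUNTDISABLE = 0x2

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://DC=contoso,DC=com")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No user with pre-Windows 2000 logon name $sam" }
$user = $hit.GetDirectoryEntry()

# Reset Password: SetPassword overwrites without knowing the old one (ChangePassword
# would need it). The domain controller enforces length, complexity and history;
# a rejected password surfaces here as an exception, not a silent no-op.
$secure = Read-Host "Temporary password for $sam" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $user.Invoke("SetPassword", [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$user.Put("pwdLastSet", 0)      # user must change it at next logon

# Account Is Locked Out: lockoutTime is a timestamp; writing 0 clears the lock.
$user.Put("lockoutTime", 0)

# Account Is Disabled: bit 0x2 of userAccountControl.
$uac = [int]$user.Properties["userAccountControl"].Value
$user.Properties["userAccountControl"].Value = $uac -band (-bnot $ACCOUNTDISABLE)

# Account Expires: 0 means Never. "End Of <date>" is the FILETIME of midnight
# after that date, written as a large integer instead of 0.
$user.Put("accountExpires", 0)

$user.CommitChanges()
Write-Output "${sam}: password reset, unlocked, enabled, no expiry"
```

Clearing the lockout by hand is the part to do sparingly: if the lock keeps coming back for the same account, the note in the previous section applies and the source of the bad logons should be found before the account is unlocked again.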



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
Year: 2003
Pages: 141