Creating Active Directory Accounts


Creating accounts in Active Directory for users to log on to the domain and forest to access resources is a common and simple task. You use the Active Directory Users and Computers console (see Figure 15-1) in Windows Server 2003 to create and manage domain user accounts and domain groups.

Figure 15-1: The Active Directory Users and Computers console is the primary tool that administrators use to create domain user accounts and groups.

Creating user accounts isn't difficult, but you need to pay attention to lots of details. First, we walk you through creating a quick-and-dirty user account. Then, we talk about all the fine-tuning you can perform on this account:

  1. To get to Active Directory Users and Computers, choose Start → All Programs → Administrative Tools → Active Directory Users and Computers.

  2. Double-click the domain or organizational unit to which you want to assign this new account.

    You see all the default settings for this domain or organizational unit, including user accounts. If you're assigning the user account to the Users container, when you initially click it, you see the Administrator and Guest accounts, plus other accounts that Windows Server 2003 set up, depending on the services you installed.

    Remember: An organizational unit is an Active Directory container that holds other organizational units, computers, user accounts, and groups. For more information on organizational units, see Chapter 11.

  3. You can create a new user account from scratch by highlighting the container in which you want to place it, and then choosing Action → New → User from the toolbar.

    (You can also right-click the container and choose New → User from the pop-up menu.) This reveals the Create New Object - User Wizard shown in Figure 15-2. When you create a user object from scratch, you should pay attention to every detail of that account.

    Figure 15-2: Use the New Object - User Wizard to create a user object.

  4. Fill in the following information:

    • First name; last name; initial: Type the user's first name, last name, and middle initial, if applicable.

    • Full name: This is how the name will be displayed on the system. Notice that the Setup wizard has entered the name for you. You can replace what's filled in for you and arrange the display of the full name any way you like. Usually, the first name is displayed, then the last name.

    • User logon name: Type the information you want the user to use to validate himself or herself to the network. You should create a company standard such as last name, first initial or something similar. (See the "What's in a name?" sidebar later in this chapter.)

      User logon name (pre-Windows 2000): The logon name used on pre-Windows 2000 systems. Notice that the wizard fills in this information for you. You won't need to change this unless you're a tech head.

  5. Click the Next button to continue setting up this new user account object.

    In the next screen, you will enter information about the password.

  6. Type a password for this account, and then confirm that password to the system by retyping it.

  7. Configure the password settings using the options described in the following list:

    • User Must Change Password at Next Logon check box: Forces users to change their passwords.

    • User Cannot Change Password check box: Prevents users from changing their passwords.

    • Password Never Expires check box: Exempts this account from the policy that can require a password change after a specified time period.

    • Account is Disabled check box: Ensures that this account can't be used to gain access to the system. Chances are, if you're creating a new user, you don't want to select this option because you want the user to be able to access the system.

  8. Click the Next button when you're finished marking your selections.

    You're presented with a confirmation screen about the choices you've made.

  9. Click the Finish button if everything is correct. If you think of something else that needs to be added, press the Back button to add it now. If you need to add data later, you can edit the properties of the account as well.

Sidebar: What's in a name?

Windows Server 2003 doesn't actually use or even care about the human-friendly name assigned to a user account. Instead, Windows Server 2003 uses a SID, or Security Identifier, to recognize and track user accounts. But, because you're human, you should employ human-friendly names whenever possible. This reduces stress and makes user management easier.

What we're trying to say is that you should employ a naming convention. A naming convention is just a predetermined method for creating names for users, computers, resources, and other objects. The two key features of a naming convention are the capability to always create new names and the assurance that the names created provide descriptive information about the named object.

Small networks rarely need complex or even predefined naming conventions. However, when the number of named items on your network exceeds about 100 or so, you may find it increasingly difficult to remember who or what jackal, herbie, and 8675309 actually are. Therefore, starting a small network with a naming convention can ease the growth process later.

Windows Server 2003 doesn't impose or suggest a naming scheme. It just lets you define names as you please. If you decide to use a naming convention, you need to be diligent in enforcing and employing that scheme.

The naming convention you choose or create doesn't matter, as long as it always provides new names and those names indicate information about the objects they label. Here are some general naming-convention rules:

  • The names need to be consistent across all element types (user names, computer names, share names, directory names, and so on).

  • The names should be easy to understand. (If they're too complex or difficult, they won't be used.)

  • The name should somehow identify the type of object.

You can create new names by mimicking the structure of existing names. Here are some examples of partial naming conventions that you can customize for your network:

  • Create user names by combining the first and last name of a user (for example, JohnSmith or JSmith).

  • Create user names by combining the last name of a user and a department code (for example, SmithAcct and SmithSales5). With Active Directory, this type of design is less needed because, in many cases, the layout of your OU structure reflects the organizational areas of your company.

  • Create computer names by combining the user name, a computer type code, and room number (for example, SmithW98 and JS102).

  • Create group names by combining resource descriptor, location, project, or department names (for example, Tower12, Planning2, and Conference12).

  • Create share or directory names by combining the content or purpose descriptor with a group or project name (for example, Documents, SalesDocs, and AcctSheets).

  • Create printer names by combining the model type, location, department, and group names (for example, HP5Sales, CLJRm202, and HP4Acct).

As you can see, each of these suggested partial naming schemes always creates new names and provides enough information about the named object to determine where it is and whether it's a user account, computer, share, or printer.


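The wizard steps above (steps 2 through 9) and the sidebar's first-initial-plus-last-name convention, scripted as an added PowerShell example that is not from the book. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT; on Windows Server 2003 itself the command-line equivalent was dsadd user), and the OU, UPN suffix and user below are made-up values.

```powershell
# Added example, not from the book: the New Object - User wizard (steps 2-9) done in
# PowerShell, with the logon name built from the sidebar's "first initial + last name"
# convention. Assumptions: ActiveDirectory module present; OU and UPN suffix are made up.
Import-Module ActiveDirectory

function New-LogonName {
    # Builds JSmith from John Smith; appends 2, 3, ... if that name is already taken,
    # and keeps the result within the 20-character sAMAccountName limit.
    param([string]$First, [string]$Last)
    $base = ($First.Substring(0, 1) + $Last) -replace '[^A-Za-z0-9]', ''
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $n++
        $candidate = "$base$n"
    }
    return $candidate
}

$first = 'John'; $last = 'Smith'; $initial = 'Q'
$sam   = New-LogonName -First $first -Last $last
$ou    = 'OU=Sales,DC=example,DC=com'        # assumed container chosen in step 2
# Step 6: prompt for the initial password rather than embedding it in the script.
$password = Read-Host -AsSecureString "Initial password for $sam"

# Steps 4 and 7, one wizard field per line.
$params = @{
    Name                  = "$first $last"
    GivenName             = $first
    Surname               = $last
    Initials              = $initial
    DisplayName           = "$first $last"      # Full name: first name, then last name
    UserPrincipalName     = "$sam@example.com"  # User logon name (UPN suffix assumed)
    SamAccountName        = $sam                # User logon name (pre-Windows 2000)
    Path                  = $ou
    AccountPassword       = $password
    ChangePasswordAtLogon = $true               # User Must Change Password at Next Logon
    CannotChangePassword  = $false              # User Cannot Change Password
    PasswordNeverExpires  = $false              # Password Never Expires
    Enabled               = $true               # Account is Disabled: left unchecked
}
New-ADUser @params

# Steps 8-9: read the object back as a confirmation screen.
Get-ADUser -Identity $sam -Properties PasswordNeverExpires, CannotChangePassword, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires,
                  CannotChangePassword, PasswordExpired
```
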
You've just created a new domain user account object, and you'll see that object in the Active Directory Users and Computers console window. In Step 1, we mention the way the name is displayed, and that's how you should see the object's name listed.

If you right-click the new object and then click Properties, you'll see several tabs, including General, Address, Account, Profile, and many more.

You can use these tabs to enter more information about the new user account object, such as the groups to which it belongs. You may see other tabs, depending on the services installed on your Windows Server 2003 system and whether the server is a stand-alone server, a member of a domain, or a domain controller.

In the following sections, we go through some of the default tabs of a member server individually, so that you'll know what to fill in and why.

General tab

When you click the General tab, you can type more information about the account, such as a description (additional location information, what the account is used for, or whatever you want), office address, telephone number, Web page address, and e-mail address. The more information you provide now, the less you'll have to hunt for it later when you need it. The description information shows up in the Active Directory Users and Computers console if you have the detail view selected (View → Detail).

Address tab

Click the Address tab to type information about the user's physical mailing address. Although this information is not required, it's good to have handy.

Account tab

Click the Account tab to reveal the logon name, logon name for pre-Windows 2000 systems, logon hours, workstation restrictions (which can be set with the Log On To button), and account expiration information. Most of the options in this tab are self-explanatory, except for the logon hours and expiration information, which are described as follows:

  • Logon hours: Click the Logon Hours button to reveal the Logon Hours dialog box (see Figure 15-3). In this dialog box, you can define the hours during which a user can gain entry to the system. If this user account attempts to log on during off hours, the logon fails. If the user is already online when the hours expire, the user remains online but can't establish any new network connections (that is, the user can't send a document to a printer or open a new file). You define hours by selecting the day and hour sections and selecting the Logon Permitted or Logon Denied option. This option is mostly used for contractors who are allowed to use the system only during regular working hours.

    Figure 15-3: Access can be set by time of day and day of week.

  • Account expiration: Mark the Account Expires End Of option to define when (if ever) the account expires. This is useful for contract or temporary employees who have been granted access to the system for a specified period of time.
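
The Logon Hours and Account Expires settings just described, scripted as an added PowerShell example that is not from the book. It assumes the ActiveDirectory module and a user named JSmith (both assumptions), and relies on the logonHours attribute being a 21-byte bitmap with one bit per hour of the week, bit 0 being Sunday 00:00 UTC and the least-significant bit coming first within each byte; the dialog box shows local time, so check one window against it once.

```powershell
# Added example, not from the book: the Account tab's Logon Hours and Account Expires
# settings in PowerShell. Assumptions: ActiveDirectory module present; user JSmith exists.
# logonHours: 21 bytes = 168 bits, bit 0 = Sunday 00:00 UTC, least-significant bit first.
Import-Module ActiveDirectory

function New-LogonHoursBitmap {
    # $Days: 0 = Sunday .. 6 = Saturday. Hours are UTC; $EndHour is exclusive.
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = $bit -shr 3
            $bytes[$idx] = [byte]($bytes[$idx] -bor (1 -shl ($bit -band 7)))
        }
    }
    return ,$bytes    # the leading comma keeps the byte[] from being unrolled
}

function Test-LogonHour {
    # Decodes a bitmap: is logon permitted on $Day (0 = Sunday) at $Hour UTC?
    param([byte[]]$Bitmap, [int]$Day, [int]$Hour)
    $bit = $Day * 24 + $Hour
    return (($Bitmap[$bit -shr 3] -shr ($bit -band 7)) -band 1) -eq 1
}

$sam = 'JSmith'
# Contractor window, as in the text: regular working hours only, here Mon-Fri 08:00-18:00 UTC.
$hours = New-LogonHoursBitmap -Days 1,2,3,4,5 -StartHour 8 -EndHour 18
Set-ADUser -Identity $sam -Replace @{ logonHours = $hours }

# "Account Expires: End Of <date>" is stored as the following midnight, so the account
# stays usable through the whole last day. Here: a 90-day engagement starting today.
$lastDay = (Get-Date).Date.AddDays(90)
Set-ADUser -Identity $sam -AccountExpirationDate $lastDay.AddDays(1)

# Read back and verify what the Account tab would show.
$u = Get-ADUser -Identity $sam -Properties logonHours, AccountExpirationDate
"Tuesday 09:00 UTC permitted: $(Test-LogonHour ([byte[]]$u.logonHours) 2 9)"
"Sunday  09:00 UTC permitted: $(Test-LogonHour ([byte[]]$u.logonHours) 0 9)"
"Expires: $($u.AccountExpirationDate)"

# Periodic check: temporary accounts about to lapse, and ones already past their date.
Search-ADAccount -AccountExpiring -TimeSpan 30.00:00:00 | Select-Object SamAccountName, AccountExpirationDate
Search-ADAccount -AccountExpired | Select-Object SamAccountName, AccountExpirationDate
```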

Profile tab

Click the Profile tab in the Properties dialog box to reveal current information about the user account's profile (see Figure 15-4). In this dialog box, you can define the following:

  • User profile path: The location where the roaming profile for this user is stored. The roaming profile makes a user's working environment available to them on any workstation on the network. (See the "Give Your Users Nice Profiles" section later in this chapter.)

  • Logon script name: The file name of the script file to be executed at logon. Logon scripts are usually batch files that define paths, set environment variables, map drives, or execute applications. You typically use logon scripts in Windows Server 2003 only for compatibility with older servers or DOS applications, or to automatically configure settings for NetWare server access.

  • Home directory: The default storage location for this profile as a local path or as a mapped drive letter to a network drive.

Figure 15-4: Examples of a User Profile and its profile path, logon script location, and Home Folder designation.

Telephones tab

Click the Telephones tab in the Properties dialog box to enter every imaginable phone number a person can have these days, such as pager, fax, and mobile. There's even a Comments section where you can add whatever you want.

Organization tab

Click the Organization tab in the Properties dialog box to enter information about the user's title in the organization and the names of the people to whom the person reports directly. If your organization is prone to restructuring, you may opt to leave this tab blank.

Member Of tab

Clicking the Member Of tab in the Properties dialog box reveals information about the account's group membership status. This is where you can add a user account object to a group or remove a user account object from a group (see Figure 15-5). If you want to add this object to another group, click the Add button and select the group. As we discuss later in this chapter, group membership determines the resources to which you grant a user account access.

Figure 15-5: Group memberships are defined here.

Dial-in tab

Click the Dial-in tab in the Properties dialog box to enable or disable the account from dialing into the network. This is also where you can set any callback options. Callback means that, as users dial into the network, the server dials back a preset telephone number to verify that the users are in fact who they say they are. This number can be preset or set by the user. Callback is often used as a security measure, but it doesn't work particularly well when a user is on the road and staying in different hotels, which all have different telephone numbers. Use this option with caution.



Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195