User Management


User Management

The Active Directory Users and Computers MMC snap-in is used to manage both users and computers in the domain. Most of the functions that were done using the User Manager for Domains have been moved into this MMC snap-in. The main difference is the interfacethe MMC consoleand the amount of information you can keep track of using the Active Directory as compared to the limited amount of data that could be stored in the old security accounts manager (SAM) database of previous versions of Windows NT.

This chapter first covers the basic functions of this utility: adding users and computers to the domain. Then you'll learn about built-in user groups and how you can create your own user groups to help make administrative duties for large numbers of users an easier task.

Creating a New User Domain in the Active Directory

This common task is simplified by the use of a few dialog boxes to create the account. After the user account has been created, you can go back and use the properties page for the account to add more information.

For Windows domains beginning with Windows 2000 domain controllers, informationfrom user accounts to computer accounts, resource records, and so forthis now stored in the Active Directory. You can learn more about the Active Directory and the objects it stores in Chapter 31, "Using the Active Directory."


To create a new user account in a domain in the Active Directory, follow these steps:

  1. Click Start, Administrative Tools, Active Directory Users and Computers. For Windows 2000, use Server, Start, Administrative Tools, and then Active Directory Users and Computers.

  2. The MMC console pops up. In the left pane there is a domain with a tree of objects under it. In Figure 41.1 you can see the opening screen and the folders you can use to manage users and computers.

    Figure 41.1. The Active Directory Users and Computers MMC snap-in is used to administer users in the domain.

    graphics/41fig01.gif

  3. Click the Users folder in the left pane, and a list of user groups and individual users is displayed as shown in Figure 41.2.

    Figure 41.2. The Users folder contains user groups and users.

    graphics/41fig02.jpg

  4. Right-click on the Users folder and select New and then User. The New Object-User dialog box pops up. Here you can fill in information such as the username; the user's first, last, and full names ; initials ; and other information. Figure 41.3 shows an example, adding a new user named Yoko Ono.

    Figure 41.3. The New Object-User dialog box enables you to input basic information about the new user account.

    graphics/41fig03.gif

  5. The next dialog box (see Figure 41.4) enables you to enter a password for the user and to use one of several password options. For most new users, it's easiest to use the first check box (User Must Change Password at Next Login) so that the user can enter his own unique password, unknown to anyone else, even the administrator who created the account. If you are creating an account to use for running a service or some other similar use, you might want to use the Password Never Expires option so that you don't have to change the password periodically. Finally, you can disable a user account with the Account Is Disabled check box. This is useful when creating new accounts so that they are all initially disabled. When users are contacted about a new account, the administrator can deselect this property and give the user the first password needed to log in to the account.

    Figure 41.4. You can manage password administration using this dialog box.

    graphics/41fig04.gif

  6. Finally, a summary screen pops up showing the data you've entered for the new account. Click the Finish button to complete the process of creating the new account.

After creating a new user account, you might want to log in yourself before informing the user. This way you can avoid mistakes, such as having entered the wrong password for the account. Note that if you elected the option that the user must change the password at the next logon, you will also be forced to do that. An easy method for creating a large number of accounts is to enter a password you can remember and, when you log in to check the account, set the new password to one that matches the password policy for your organization.

Managing Other User Account Information

When you enter a new user account, you are prompted for only the minimal information needed to create the account in the Active Directory. After the account is created, you can use the properties page for the user account to add or modify other information. Simply right-click on the username in the right pane of the MMC console, and select Properties from the menu that appears. In Figure 41.5 you can see that, despite the minimal input used to create the account, there are several tabs that enable you to track all sorts of useful information about the user.

Figure 41.5. The properties page for a user account enables you to administer a lot more information than was input during account creation.

graphics/41fig05.jpg

Rather than try to show all the tabs for this properties page (because there are so many), all the user attributes that are part of the default user object are listed for reference in Table 41.1. This summary listing should make it easy to locate the data you want to look at or modify, and go straight to that properties page tab.

Table 41.1. Attributes of the User Account Object

Attribute

Tab on the Properties Dialog Box

Description

First Name

General

User's first name.

Initials

General

User's initial(s).

Last Name

General

User's last name.

Display Name

General

Defaults to show first three fields, although you can modify it.

Description

General

Text field, anything you want.

Office

General

Office location for this user.

Telephone Number

General

User's telephone number.

Email

General

User's email address.

Web Page

General

User's Web page.

Street

Address

Multiline street address field.

P.O. Box

Address

Post office box.

City

Address

City.

State/ Province

Address

State or province.

Zip/Postal Code

Address

ZIP code or postal code.

Country/Region

Address

Country or region.

User Logon Name

Account

User account logon username.

(Pre-Windows 2000)

Account

Logon for pre-Windows 2000 users.

Logon Hours

Account

Brings up dialog box to enter time restrictions for the account.

Log On To

Account

Brings up dialog box to enter which computers a user can log on to.

Account Options

Account

Options for logons , such as password policies.

Account Expires

Account

Enter Never or set account expiration date.

Profile Path

Profile

Path for user profile.

Logon Script

Profile

Path for logon script.

Home Folder

Profile

Local path or remote file share.

Connect

Profile

Use this to specify a drive letter that contains the user's home folder if it is not on the local computer's hard drive.

Home

Telephones

User's home number. Use the Other button to add additional numbers (this button works for all the phone number fields).

Pager

Telephones

User's pager number.

Mobile

Telephones

User's mobile phone number.

Fax

Telephones

User's fax number.

IP Phone

Telephones

User's IP telephone number.

Notes

Telephones

Add notes here, such as a PIN number for the user's pager.

Title

Organization

User's job title.

Department

Organization

Business department for this user.

Company

Organization

Use this to record a company name. This can be useful when using a single network for multiple corporate entities, or when creating accounts for outside vendors .

Manager

Organization

The user's supervisor.

Direct Reports

Organization

Multiline text field.

Member Of

Member Of

List of user groups a user is a member of. Use the Add and Remove buttons to change group memberships for the user.

Primary Group

Member Of

Use this button to specify the user's primary group. This is used by Macintosh users, or users running Posix applications. You should not change this field otherwise .

Remote Access Permission

Dial-in

Allow or deny dial-in access here.

Verify Caller-ID

Dial-in

Use to verify caller ID for incoming calls.

Callback Options

Dial-in

Set to No Callback, Set by Caller, or Always Callback To if you want to supply a telephone number for Callback.

Assign a Static IP Address

Dial-in

Use the same address each dial-in. Not available in a mixed-mode network.

Apply Static Routes

Dial-in

You can define static routes for this client's dial-in session.

Starting Program

Environment

Used to specify a program to run at logon for Terminal Services clients .

Client Devices

Environment

Check boxes allow you to connect drives , printers, and a default printer at logon time.

End a Disconnection Session

Sessions

Set time (or never) to end Terminal Services idle session.

Active Session Limit

Sessions

The maximum amount of time before an active Terminal Services session is disconnected (or never).

Idle Session Limit

Sessions

The maximum time before an idle Terminal Services client is disconnected (or never).

Session Limits

Sessions

You can specify that a session be ended or disconnected when a timer expires.

Allow Reconnection

Sessions

Permit disconnected client to reconnect .

In addition to these fields, there are two other tabs (for Windows 2000). The Remote Control tab enables you to remotely control or view a user's session when using Terminal Services. The Terminal Services Profile tab enables you to set a path for a home directory and user profile for Terminal Services users. This also is where you use a check box (Allow Logon to Terminal Server) to enable the user account for Terminal Services. Generally, terminal services are not heavily deployed in most networking environments and are not detailed any further here.

For Windows Server 2003, there is an additional tab labeled COM+. This tab can be used to designate the partition set for the user. Partition sets are made up of one or more COM+ partitions to enable users to access COM+ applications.

As you can see, you can keep a lot more information about a user on your network than was possible under Windows NT 4.0 Server's simple User Manager for Domains and the Security Accounts Manager (SAM) database. And if that isn't enough data to keep about a user, you can always extend the schema , which is the definition of all the classes of objects (and attributes) in the Active Directory. You can add new attributes and then add them to this user class of objects. You can also create a new user object (with a different name) if your business has a need to create objects for users who differ radically in the attributes associated with them. For example, in a factory environment you might want to use attributes that define the method used to pay the employee, or perhaps an attribute to store the skills the employee possesses. Although extending the schema should be done only when absolutely necessary, there are times when it is a good idea.

Caution

Never extend the schema unless you are absolutely certain of your decision. You cannot roll back an extension to the schemayour changes will be permanent! Always keep this in mind when evaluating third-party software that requires extending the AD schema.

Note

For more information about the Active Directory and the schema, see Chapter 31. As indicated in that chapter, the kinds of objects and attributes that can be stored in the directory database are extensible. That is, you can create new attributes and objects. If you've installed Microsoft Exchange Server, for example, or a third-party product that is integrated with the Active Directory, you might find additional tabs or fields in the properties sheets for a particular object.

Using the Action Menu

In the preceding section you brought up the properties page by right-clicking on the user account and selecting Properties from the menu that popped up. You also can reach this menu, called the Action menu, by highlighting a user or group and then clicking on the Action menu at the top of the MMC console. Use this menu to do the following:

  • Delegate Control Brings up a wizard that enables you to delegate control of folders and objects by groups or by users.

  • Find Brings up a search dialog box you can use to search the directory.

  • New Brings up a submenu you can use to add a new computer, contact, group, InetOrgPerson, MSMQ Queue Alias, printer, user, or shared folder.

  • All Tasks Enables you to delegate control or use the Find search function. The Find Users, Contacts, and Groups dialog box is shown in Figure 41.6. Click on the Advanced tab if you want to refine your search more precisely.

    Figure 41.6. Use the Find dialog box to locate information in the Active Directory.

    graphics/41fig06.gif

  • Refresh Refreshes the display with current information.

  • Export list Enables you to export a list of users and groups to various file types, such as comma-delimited or tab-delimited ASCII and Unicode files. You can use this to import listings into other applications, such as Microsoft Excel.

  • Properties Accesses all those user attributes covered in the preceding section. This is an alternative way to bring up the user's properties page.

  • Help Provides help for using this utility.

There are many useful items on this Action menu. The Export List capability is especially useful in large environments where it is necessary to produce reports on users or the user database. The New menu item enables you to manage not just users, but also other objects, such as computers, which is the topic of the next section, and user groups, which is discussed later in this chapter.



Upgrading and Repairing Networks
Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2003
Pages: 434

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net