Managing User Accounts

Especially on a large, busy network, managing user accounts is an ongoing process of additions, deletions, and changes. These tasks aren't difficult, but they can be time-consuming and need to be managed carefully.

Disabling and Enabling a User Account

If you need to deactivate a domain user account for some period of time but not delete it permanently, you can disable it. To disable a user account, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. Open the container that holds the user account.
  3. Right-click the user name and choose Disable Account from the shortcut menu (Figure 9-11). An informational box opens telling you that the object has been disabled, and a red circle with an "X" appears over the user account's icon.

    Figure 9-11. Disabling a user account.

To enable a previously disabled account, you perform the same steps, choosing Enable Account from the shortcut menu.

Double-check that the Guest account is disabled (it is by default). Enabling the Guest account exposes an unnecessary security risk for most companies.
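The disable/enable procedure and the Guest-account check above, scripted as an added example (not code from the book, which covers only the Windows 2000 GUI). It assumes the ActiveDirectory PowerShell module that ships with later Windows Server versions; the account name `jeremy` is hypothetical. The Guest account is located by its well-known RID (501) rather than by name, so the check still works if someone has renamed it.

```powershell
# Added example: disable or enable a domain user account and verify the result,
# then confirm the built-in Guest account is disabled.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

function Set-AccountState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled')] [string] $State
    )
    $user = Get-ADUser -Identity $SamAccountName
    if ($State -eq 'Disabled') {
        Disable-ADAccount -Identity $user
    } else {
        Enable-ADAccount -Identity $user
    }
    # Re-read the object instead of trusting the cmdlet's silence
    $after = Get-ADUser -Identity $SamAccountName -Properties Enabled
    [pscustomobject]@{
        SamAccountName    = $after.SamAccountName
        Enabled           = $after.Enabled
        DistinguishedName = $after.DistinguishedName
    }
}

function Test-GuestDisabled {
    # Guest always has RID 501 in the domain SID; look it up by SID so a rename cannot hide it
    $domainSid = (Get-ADDomain).DomainSID.Value
    $guest = Get-ADUser -Identity "$domainSid-501" -Properties Enabled
    if ($guest.Enabled) {
        Write-Warning "Guest account '$($guest.SamAccountName)' is ENABLED; disable it unless there is a documented need."
    }
    return (-not $guest.Enabled)
}

# Usage (hypothetical account name)
Set-AccountState -SamAccountName 'jeremy' -State Disabled
Test-GuestDisabled
```

Both functions return objects rather than printing, so the output can be logged or fed into a scheduled compliance check.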

Deleting a User Account

Each user account in the domain has an associated security identifier that is unique and never reused, which means that a deleted account is completely deleted. If you delete Jeremy's account and later change your mind, you have to re-create not only the account but also the permissions, settings, group memberships, and other properties that the original user account possessed. For that reason, if there's any doubt about whether an account might be needed in the future, it's best to disable it and not perform the deletion until you're sure it won't be needed again.

However, accounts do have to be deleted at regular intervals. To delete a domain user account, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. Open the container that holds the user account.
  3. Right-click the user name and choose Delete from the shortcut menu.
  4. An Active Directory dialog box opens, asking you to confirm the deletion. Click Yes and the account is deleted.
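Because a deleted account's SID cannot be recovered, a practitioner usually wraps deletion in the "disable first, delete later" rule the text gives. The following added example (not from the book; assumes the ActiveDirectory module, a hypothetical 90-day idle window and the hypothetical account `jeremy`) refuses to delete an account that is still enabled or was used recently, and records the group memberships that would otherwise have to be re-created by hand.

```powershell
# Added example: delete a user only after it has sat disabled and unused,
# keeping a record of what the deletion destroys.
Import-Module ActiveDirectory

function Remove-StaleDisabledUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MinimumIdleDays = 90,     # assumed retention window; adjust to local policy
        [switch] $WhatIf                  # dry run: report, but do not delete
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, LastLogonDate, MemberOf

    if ($user.Enabled) {
        throw "Refusing to delete '$SamAccountName': account is still enabled. Disable it first."
    }
    $cutoff = (Get-Date).AddDays(-$MinimumIdleDays)
    if ($user.LastLogonDate -and $user.LastLogonDate -gt $cutoff) {
        throw "Refusing to delete '$SamAccountName': last logon $($user.LastLogonDate) is within $MinimumIdleDays days."
    }

    # Everything here is lost with the SID: keep it so a re-created account can be rebuilt
    $record = [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        SID               = $user.SID.Value
        DistinguishedName = $user.DistinguishedName
        Groups            = @($user.MemberOf)
        DeletedOn         = Get-Date
    }
    $record | ConvertTo-Json | Out-File -FilePath (Join-Path $env:TEMP "deleted-$($user.SamAccountName).json")

    Remove-ADUser -Identity $user -Confirm:$false -WhatIf:$WhatIf
    return $record
}

# Dry run first, then the real deletion (hypothetical account name)
Remove-StaleDisabledUser -SamAccountName 'jeremy' -WhatIf
Remove-StaleDisabledUser -SamAccountName 'jeremy'
```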

Finding a User Account

To search for a particular user account, launch Active Directory Users and Computers from the Administrative Tools folder and, on the toolbar, click the Find icon.

This opens the Find Users, Contacts, And Groups dialog box. Don't be misled, though. Open the drop-down list in the Find box and you'll see that you can use this tool to search for computers, printers, shared folders, organizational units, and much more.

To find a specific user, select the scope of your search in the In box. Type a name, part of a name, or some other descriptive element that's part of the user's profile, and click Find Now. As you can see in Figure 9-12, a search for a portion of a name returns all users with that element in their names.

The larger the network, the more specific your search needs to be. In a large network environment, you can narrow your search to a specific organizational unit: launch Active Directory Users and Computers from the Administrative Tools folder, right-click the OU you are interested in, and choose Find from the shortcut menu.

Figure 9-12. Searching for a user by name.
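The Find dialog's partial-name search and its OU scoping, expressed as directory queries in an added example (not from the book; assumes the ActiveDirectory module, and the OU `OU=Sales,DC=example,DC=com` is hypothetical). The fragment is escaped before it goes into the LDAP filter, so a search term containing `*` or `(` cannot widen the query beyond what was typed.

```powershell
# Added example: find users whose name contains a fragment, optionally scoped to one OU.
Import-Module ActiveDirectory

function Find-UserByNameFragment {
    param(
        [Parameter(Mandatory)] [string] $Fragment,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,   # pass an OU DN on large domains
        [ValidateSet('Subtree', 'OneLevel')] [string] $Scope = 'Subtree'
    )
    # Escape LDAP filter metacharacters (RFC 4515); backslash must be escaped first
    $escaped = $Fragment -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Same idea as the Find dialog: match the fragment anywhere in the common, logon or display name
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(|(cn=*$escaped*)(sAMAccountName=*$escaped*)(displayName=*$escaped*)))"

    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope $Scope -Properties displayName, Enabled |
        Select-Object SamAccountName, displayName, Enabled, DistinguishedName
}

# Whole domain, then narrowed to one OU (hypothetical names)
Find-UserByNameFragment -Fragment 'jer'
Find-UserByNameFragment -Fragment 'jer' -SearchBase 'OU=Sales,DC=example,DC=com'
```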

Moving a User Account

To move a user account from one container to another, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. In the console tree, click the OU that contains the user account.
  3. Right-click the user account to be moved and choose Move from the shortcut menu.
  4. In the Move dialog box, select the destination container and click OK.

Renaming a User Account

On occasion, a user account might need to be renamed. For example, if you have an account configured with an assortment of rights, permissions, and group memberships for a particular position and a new person is taking over that position, you can change the first, last, and user logon names for the new person. It's a good practice to rename the Administrator account for security reasons.

To rename an existing user account, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. In the console tree, click the OU that contains the account.
  3. Right-click the user name, and choose Rename from the shortcut menu. (You can also slowly click the user name twice.)
  4. Press the Delete key and then the Enter key to open the Rename User dialog box (Figure 9-13).
  5. Enter the changes and click OK. The account is renamed, and all permissions and other settings remain intact. Any other personal data in the account's Properties dialog box has to be changed as well.

    Figure 9-13. Renaming an existing user account.
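The Move and Rename procedures above are both object-level operations that leave the security identifier, and therefore every permission and group membership, untouched. The following added example (not from the book; assumes the ActiveDirectory module, and the OU and person names are hypothetical) performs both in one function and then verifies the property the text relies on: the account after the move and rename is the same principal it was before.

```powershell
# Added example: move a user to another OU and rename it for a new holder of the position,
# then check that SID and group memberships survived.
Import-Module ActiveDirectory

function Move-AndRenameUser {
    param(
        [Parameter(Mandatory)] [string] $CurrentSamAccountName,
        [Parameter(Mandatory)] [string] $TargetOU,        # e.g. 'OU=Sales,DC=example,DC=com' (hypothetical)
        [Parameter(Mandatory)] [string] $NewGivenName,
        [Parameter(Mandatory)] [string] $NewSurname,
        [Parameter(Mandatory)] [string] $NewSamAccountName
    )
    $before       = Get-ADUser -Identity $CurrentSamAccountName -Properties MemberOf
    $sidBefore    = $before.SID.Value
    $groupsBefore = @($before.MemberOf)

    # Move: only the distinguished name changes
    $moved = Move-ADObject -Identity $before.DistinguishedName -TargetPath $TargetOU -PassThru

    # Rename: the object's CN plus first, last and logon names; other personal data is edited separately
    $renamed   = Rename-ADObject -Identity $moved.DistinguishedName -NewName "$NewGivenName $NewSurname" -PassThru
    $upnSuffix = (Get-ADDomain).DNSRoot
    Set-ADUser -Identity $renamed.DistinguishedName `
        -GivenName $NewGivenName -Surname $NewSurname -DisplayName "$NewGivenName $NewSurname" `
        -SamAccountName $NewSamAccountName -UserPrincipalName "$NewSamAccountName@$upnSuffix"

    # Verify what the GUI leaves implicit
    $after = Get-ADUser -Identity $NewSamAccountName -Properties MemberOf
    if ($after.SID.Value -ne $sidBefore) { throw 'SID changed: this is no longer the same security principal' }
    $lost = $groupsBefore | Where-Object { $_ -notin @($after.MemberOf) }
    if ($lost) { Write-Warning "Group memberships lost: $($lost -join ', ')" }
    $after
}

# Hypothetical names: the 'jeremy' account is handed over to Dana
Move-AndRenameUser -CurrentSamAccountName 'jeremy' -TargetOU 'OU=Sales,DC=example,DC=com' `
    -NewGivenName 'Dana' -NewSurname 'Ng' -NewSamAccountName 'dana'
```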

Securing the Administrator Account

The Administrator account is an obvious and highly attractive target to hackers, and thus requires special care to protect. The following tactics are useful for securing the Administrator account:

  • Rename the Administrator account to something that a hacker wouldn't be able to guess (avoid admin, root, boss, and so on). A standard user name is appropriate.
  • Create a decoy Administrator account that has no privileges whatsoever, and then regularly scan the event log to see if anyone has attempted to log on using this account.
  • Set a lockout policy for the real Administrator account (which you've renamed). Use the Passprop utility from the Microsoft Windows 2000 Server Resource Kit to do so.
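Two of the tactics above lend themselves to automation: confirming that the real Administrator account has in fact been renamed, and scanning the event log for attempts against the decoy. The following added example (not from the book; assumes the ActiveDirectory module and a modern Security log, where failed logons are events 4625, 4771 and 4776 rather than the Windows 2000 event IDs) finds the built-in account by its well-known RID (500), which is the identity an attacker would need regardless of its name, and reports logon failures whose target is the decoy name. The decoy name `Administrator` is an assumption: it is the name a decoy typically keeps after the real account has been renamed.

```powershell
# Added example: report the real built-in Administrator by SID, and list failed
# logons against the decoy account name.
Import-Module ActiveDirectory

function Get-BuiltInAdministrator {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, PasswordLastSet
    [pscustomobject]@{
        SamAccountName   = $admin.SamAccountName
        StillDefaultName = ($admin.SamAccountName -eq 'Administrator')   # true means it was never renamed
        Enabled          = $admin.Enabled
        PasswordLastSet  = $admin.PasswordLastSet
    }
}

function Get-DecoyLogonAttempts {
    param(
        [Parameter(Mandatory)] [string] $DecoyName,
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME   # run against each domain controller for full coverage
    )
    # 4625 = logon failure on the local machine, 4771 = Kerberos pre-auth failure, 4776 = NTLM validation failure
    $filter = @{ LogName = 'Security'; Id = @(4625, 4771, 4776); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields from the event XML instead of relying on positional properties
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -eq $DecoyName) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    EventId     = $_.Id
                    Source      = $d['IpAddress']
                    Workstation = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }
                    LogonType   = $d['LogonType']
                    Status      = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
                }
            }
        }
}

Get-BuiltInAdministrator
Get-DecoyLogonAttempts -DecoyName 'Administrator' -Hours 24 | Format-Table -AutoSize
```

Any hit at all against the decoy is worth a look, since no legitimate process should ever use that name; a burst of hits from one source address is the signal the decoy exists to produce.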

Resetting a User's Password

For passwords to be effective, they must not be obvious or easy to guess. However, when passwords are not obvious or easy to guess, they will inevitably be forgotten. When a user forgets his or her password, you can reset it. The best policy is to reset it to a simple password and require the user to change the password at the next logon to the network.

To reset a password, just launch Active Directory Users and Computers from the Administrative Tools folder and find the container for the account whose password you need to reset. Right-click the account name and choose Reset Password from the shortcut menu. In the Reset Password dialog box (Figure 9-14), enter the new password twice, and select the User Must Change Password At Next Logon option.

Figure 9-14. Resetting a user's password.
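The Reset Password dialog, including its User Must Change Password At Next Logon check box, as an added example (not from the book; assumes the ActiveDirectory module). It generates a random temporary value from the system's cryptographic random number generator instead of choosing one by hand, and returns it exactly once so it can be handed to the user out of band; the forced change at next logon means the temporary value never remains the working password.

```powershell
# Added example: reset a user's password to a one-time random value and require a change at next logon.
Import-Module ActiveDirectory

function Reset-UserPasswordOneTime {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Length = 16
    )
    # Unambiguous characters only (no 0/O, 1/l/I), so the value can be read out over the phone
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)     # reject bytes above this to avoid modulo bias
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    $plain  = $sb.ToString()
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # -Reset sets the password administratively, without needing the old one
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The "User Must Change Password At Next Logon" check box
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    # A forgotten password often comes with a lockout from the failed attempts; clear it too
    Unlock-ADAccount -Identity $SamAccountName

    # Return the value once; deliver it out of band and do not write it to a log
    return $plain
}

# Hypothetical account name
Reset-UserPasswordOneTime -SamAccountName 'jeremy'
```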

Windows XP provides the ability to create an encrypted password reset disk, enabling a user to reset his or her password without having to call the Help Desk. (In any organization, the Help Desk personnel spend a large portion of their time resetting passwords.) Just make sure that users know to store these disks in a secure physical location, such as a locked desk drawer.

Unlocking a User Account

If a user violates a group policy, such as exceeding the limit for bad logon attempts, Group Policy locks the account. When an account is locked, it cannot be used to log on to the system. To unlock a user account, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. In the console tree, click the OU that contains the locked account.
  3. Right-click the user account in the details pane and choose Properties from the shortcut menu.
  4. In the Properties dialog box, click the Account tab.
  5. Clear the check box next to Account Is Locked Out. Click OK.

By default, Group Policy does not lock accounts after failed logon attempts. You should configure this setting for security reasons. See the section entitled Understanding Group Policies, later in this chapter.

For instructions on how to delegate the right to unlock locked accounts, see Chapter 10.
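The unlock procedure above, plus the two checks that go with it: which accounts are currently locked out, and whether the domain's lockout threshold has actually been set, since the default described in the text leaves lockout disabled. This is an added example, not from the book, and assumes the ActiveDirectory module; the account name is hypothetical. Before unlocking, it shows the bad-password count and time of the last bad attempt, because a high count immediately before the unlock can mean password guessing rather than a user's typo.

```powershell
# Added example: list locked-out users, unlock one with some context, and check the lockout policy.
Import-Module ActiveDirectory

function Get-LockedOutUsers {
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object SamAccountName, LockedOut, LastLogonDate, DistinguishedName
}

function Unlock-UserWithContext {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    Write-Verbose ("{0}: lockedOut={1} badPwdCount={2} lastBadPasswordAttempt={3}" -f `
        $user.SamAccountName, $user.LockedOut, $user.badPwdCount, $user.LastBadPasswordAttempt) -Verbose
    # Same effect as clearing the Account Is Locked Out check box on the Account tab
    Unlock-ADAccount -Identity $user
    Get-ADUser -Identity $SamAccountName -Properties LockedOut | Select-Object SamAccountName, LockedOut
}

function Test-LockoutPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold  = $p.LockoutThreshold            # 0 means lockout is not enabled
        LockoutDuration   = $p.LockoutDuration
        ObservationWindow = $p.LockoutObservationWindow
        LockoutEnabled    = ($p.LockoutThreshold -gt 0)
    }
}

Get-LockedOutUsers
Unlock-UserWithContext -SamAccountName 'jeremy'   # hypothetical account name
Test-LockoutPolicy
```

`Test-LockoutPolicy` reads the default domain policy; if a fine-grained password policy applies to the user, its settings take precedence and should be checked separately.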

Using Home Folders

Home directories or folders are repositories that you can provide on a network server for users' documents. Placing home folders on a network file server has several advantages:

  • Backup of user documents is centralized.
  • Users can access their home folders from any client computer.
  • Home folders can be accessed from clients running any Microsoft operating system (including MS-DOS and all versions of Windows).

The contents of home folders are not part of user profiles, so they don't affect network traffic during logon. (A home folder can also be on a client computer, but that defeats much of its purpose.)

Creating Home Folders on a Server

To create a home folder on a network file server, follow these steps:

  1. On the server, create a new folder for the home folders. Right-click the new folder, and choose Properties from the shortcut menu.
  2. Click the Sharing tab, and select Share This Folder (Figure 9-15).

    Figure 9-15. Sharing the new Home Folders folder.

  3. Click the Security tab, and remove the default Full Control from the Everyone group and assign Full Control to the Users group. (This setting prevents anyone other than domain user accounts from accessing the folder.)

    Home folders should be stored on a partition formatted with NTFS. Home folders on a FAT partition can be secured only by assigning shared folder permissions on a user-by-user basis.

Providing Home Folders to Users

To provide a user with a home folder, you must add the path for the folder to the user account's properties. Follow these steps to give a user access to a home folder:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. Click the OU containing the user account. Right-click the user name, and choose Properties from the shortcut menu.
  3. Click the Profile tab.
  4. In the Home Folder area, click the Connect option and specify a drive letter to use to connect to the file server.
  5. In the To box, specify the UNC name for the connection—for example, \\server_name\shared_folder\user_logon_name. If you use the variable %username%, as shown in Figure 9-16, a home folder is given the user's logon name, and all user accounts except the designated user and the local Administrator account are blocked access (all permissions are removed).

    Figure 9-16. Specifying a home folder.
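The whole home-folder procedure, from the shared server folder through the per-user folder and the account's Profile tab, as one added example (not from the book; assumes the ActiveDirectory and SmbShare modules of Windows Server 2012 and later, and the server name `FS01`, path `D:\Home` and share `Home` are hypothetical). It follows the text in replacing the default Everyone entry with one for Users, and in restricting each user's folder to that user and administrators, which is what specifying `%username%` in the GUI produces. One deliberate difference: the root folder grants Users Modify rather than Full Control, because Full Control includes the Delete Subfolders and Files right, which would let any user remove another user's folder regardless of that folder's own permissions.

```powershell
# Added example: create the shared home-folder root with NTFS permissions, then a per-user
# folder locked to that user, and point the account at it.
Import-Module ActiveDirectory
Import-Module SmbShare

function New-AccessRule([string] $Principal, [string] $Rights, [string] $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $Rights, $Inherit, 'None', 'Allow')
}

function Set-ExplicitAcl([string] $Path, [System.Security.AccessControl.FileSystemAccessRule[]] $Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)                          # stop inheriting from the volume root
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }     # drop the defaults, Everyone included
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

function New-HomeFolderRoot {
    param([string] $Path = 'D:\Home', [string] $ShareName = 'Home')
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Share permission: domain users get Change; NTFS below does the real restriction
        New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Authenticated Users' | Out-Null
    }
    Set-ExplicitAcl -Path $Path -Rules @(
        (New-AccessRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit'),
        (New-AccessRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit'),
        (New-AccessRule 'BUILTIN\Users'          'Modify'      'None')   # this folder only, not its children
    )
}

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Root = 'D:\Home',
        [string] $Server = 'FS01',      # hypothetical file server
        [string] $ShareName = 'Home',
        [string] $Drive = 'H:'
    )
    $user   = Get-ADUser -Identity $SamAccountName
    $domain = (Get-ADDomain).NetBIOSName
    $local  = Join-Path $Root $user.SamAccountName
    New-Item -ItemType Directory -Path $local -Force | Out-Null

    # Only the designated user and administrators; every other account is blocked
    Set-ExplicitAcl -Path $local -Rules @(
        (New-AccessRule "$domain\$($user.SamAccountName)" 'FullControl' 'ContainerInherit,ObjectInherit'),
        (New-AccessRule 'BUILTIN\Administrators'          'FullControl' 'ContainerInherit,ObjectInherit'),
        (New-AccessRule 'NT AUTHORITY\SYSTEM'             'FullControl' 'ContainerInherit,ObjectInherit')
    )

    # Profile tab: Connect H: To \\FS01\Home\<logon name>. Set-ADUser does not expand %username%,
    # so the UNC path is built explicitly per user.
    $unc = "\\$Server\$ShareName\$($user.SamAccountName)"
    Set-ADUser -Identity $user -HomeDrive $Drive -HomeDirectory $unc
    Get-ADUser -Identity $user -Properties HomeDrive, HomeDirectory |
        Select-Object SamAccountName, HomeDrive, HomeDirectory
}

New-HomeFolderRoot
New-UserHomeFolder -SamAccountName 'jeremy'   # hypothetical account name
```

Run `New-HomeFolderRoot` once on the file server, then `New-UserHomeFolder` for each account; the root must be on an NTFS volume, as the text notes, since the per-folder permissions do not exist on FAT.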



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
