Chapter Three
User Management
User Account
A user account is an object in AD DS which controls authentication and access to resources, and contains many attributes about a user on your network.
In other words, a user account in AD represents an actual user or person who is going to access resources on the network.
Local user and Domain User
Local user
• A user account created in the local database of a computer.
• Local users are generally used in the WORKGROUP model.
• A local user can log in only on the respective computer (the one that holds the account).
Domain user
• A user account created in the ACTIVE DIRECTORY database.
• Domain users are used in the domain model.
• A domain user can log on to any computer in the DOMAIN.
Traditional AD Management Tools
New Active Directory Management Tools
Creating User Accounts on a DC
Go to Server Manager, click on the Tools menu (right side), and click on Active Directory Users and Computers.
In the window that opens, in the left column under Active Directory Users and Computers, you see Saved Queries and the domain name you created earlier (in this case au.local).
Expand the domain name (click on the small triangle before the name).
Creating User Accounts on a DC
There you see the default containers:
Builtin
Computers
Domain Controllers
ForeignSecurityPrincipals
Managed Service Accounts
Users
Click on each of these to see what they contain.
The Domain Controllers container, for example, shows you the DC servers you set up.
Creating User Accounts on a DC
Click on Users (the last one), and you see many security groups and 2 or 3 users (including Administrator and Guest, which is disabled by default).
Disabled accounts show a small down-arrow symbol, as on the Guest account.
To create a user account, right click on Users, go to New, and click on User.
This takes you to the New Object – User wizard.
Creating User Accounts on a DC
Then fill in the fields like First name, Last name, etc.
Assume you have a user named John Doe; to create a user account for this person, type John as First name and Doe as Last name, and you see his Full name is filled in automatically.
For User logon name, you first have to plan what format user logon names should have.
In this case for user logon name we will follow First
name and the first letter of last name, with no spaces
• E.g. JohnD
Creating User Accounts on a DC
Then click Next.
Here you type the password for this user.
You see the options “User must change password at next logon”, “User cannot change password”, “Password never expires” and “Account is disabled”.
For this case, select “Password never expires”, since this is a test environment.
Click Next, and then Finish.
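The same John Doe account created with PowerShell instead of the wizard, following the "first name + first letter of last name" logon convention. This is an added example, not code from the slides; it assumes the ActiveDirectory (RSAT) module, the au.local domain and its default Users container.

```powershell
# Added example, not from the slides: create the John Doe account with
# PowerShell instead of the New Object - User wizard.
# Assumes the ActiveDirectory (RSAT) module and the au.local domain used here.
Import-Module ActiveDirectory

function New-LabUser {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [string] $Domain = 'au.local',
        [string] $Path   = 'CN=Users,DC=au,DC=local'   # the Users container
    )
    # Logon name convention from the slide: JohnD, no spaces
    $logon = ($FirstName + $LastName.Substring(0, 1)) -replace '\s', ''

    # sAMAccountName must be unique in the domain; check before creating
    if (Get-ADUser -Filter "SamAccountName -eq '$logon'") {
        throw "Logon name '$logon' is already taken; choose another name."
    }

    # Prompt for the password so it never appears in the script or shell history
    $password = Read-Host -Prompt "Initial password for $logon" -AsSecureString

    # -PasswordNeverExpires is the slide's test-lab choice; in production use
    # -ChangePasswordAtLogon $true instead (the two settings are mutually exclusive)
    New-ADUser -Name "$FirstName $LastName" `
               -GivenName $FirstName -Surname $LastName `
               -DisplayName "$FirstName $LastName" `
               -SamAccountName $logon `
               -UserPrincipalName "$logon@$Domain" `
               -Path $Path `
               -AccountPassword $password `
               -Enabled $true `
               -PasswordNeverExpires $true

    # Read the object back, as the GUI shows it in the Users container
    Get-ADUser -Identity $logon -Properties PasswordNeverExpires |
        Select-Object Name, SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires
}

New-LabUser -FirstName 'John' -LastName 'Doe'   # creates logon name JohnD
```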
User Properties
After creating the user, you see the new user in
the list of users
Right click on the newly created user, and click on
Properties
There you see many tabs, including the General
tab, Account tab, etc.
Click on the Account tab; here you see options like setting the logon hours for the user, the computers he is allowed to log on to, etc.
For temporary users, we can also set the account expiry date.
User Template
User templates are used to create other users with the same properties in the future.
To create a user template, right click on Users, then New > User.
User templates are still real user accounts, but let us give first name: _Sales_User, last name: _Template.
Give a sample user logon name, like _sales_user_template.
• Assuming we are creating user account template for future sales
department staff members
• We use the underscore (_) just to make the template appear first
alphabetically (not a must)
Click Next, give an appropriate password, and select password never expires (the other options are also possible).
Select “Account is disabled”, click Next and Finish.
User Template
To create users based on the template, right click on the user template account and click “Copy”.
Then enter the real user's name and logon name, click Next, give a password, and de-select “Account is disabled”.
The advantage of using a template instead of directly creating the user is that it copies all the properties from the template, like the logon hours, Member Of (the groups this user belongs to), the privileges, etc.
This saves time and effort if we have many users.
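The "Copy" action done with PowerShell: the new user is seeded from the _Sales_User _Template account and its group memberships are copied across. This is an added example, not code from the slides; it assumes the ActiveDirectory module, the au.local domain and its Users container, and JaneS is a constructed example user.

```powershell
# Added example, not from the slides: create a sales user from the
# _sales_user_template account, as the GUI's "Copy" action does.
# Assumes the ActiveDirectory module, domain au.local and the Users container.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [string] $TemplateSam = '_sales_user_template',
        [string] $Domain      = 'au.local',
        [string] $Path        = 'CN=Users,DC=au,DC=local'
    )
    # Fetch the attributes to copy (logon hours, allowed workstations, department...)
    $template = Get-ADUser -Identity $TemplateSam `
        -Properties LogonHours, LogonWorkstations, Department, Description

    $logon    = $FirstName + $LastName.Substring(0, 1)   # same naming convention as before
    $password = Read-Host -Prompt "Initial password for $logon" -AsSecureString

    # -Instance seeds the new object from the template; the explicit parameters
    # override the copied values (name, logon names, password, enabled state).
    New-ADUser -Instance $template `
               -Name "$FirstName $LastName" `
               -GivenName $FirstName -Surname $LastName `
               -DisplayName "$FirstName $LastName" `
               -SamAccountName $logon `
               -UserPrincipalName "$logon@$Domain" `
               -Path $Path `
               -AccountPassword $password `
               -Enabled $true                    # the template itself stays disabled

    # Group membership ("Member Of" tab) is a back-link and is not copied by
    # -Instance, so add the new user to each of the template's groups explicitly.
    # Domain Users is the primary group every new user already has.
    $groups = Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object Name -ne 'Domain Users'
    if ($groups) {
        Add-ADPrincipalGroupMembership -Identity $logon -MemberOf $groups
    }
    Get-ADPrincipalGroupMembership -Identity $logon | Select-Object Name, GroupScope
}

New-UserFromTemplate -FirstName 'Jane' -LastName 'Smith'   # creates JaneS
```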
Common Administrative Processes
You can reset the password of users.
Right click on the user, click on Reset Password.
There you can type in the new password, and also unlock the account (if it is locked out after too many attempts with the wrong username or password).
You can also unlock an account (without resetting the password) by right clicking on the user account name > Properties > Account tab, then ticking the Unlock account checkbox.
To disable an account (e.g. if the user leaves the organization), right click on the account, then click on Disable Account.
We can also delete an account by right clicking on it.
Common Administrative Processes
We can also rename user accounts, e.g. when you want to change the full name or logon name.
To do so, right click on the user account and click Rename.
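The Reset Password, Unlock account, Disable account and Rename actions of the last two slides, as PowerShell. This is an added example, not code from the slides; it assumes the ActiveDirectory module, the au.local domain and an existing user JohnD.

```powershell
# Added example, not from the slides: reset, unlock, disable and rename actions.
# Assumes the ActiveDirectory module, domain au.local and an existing user JohnD.
Import-Module ActiveDirectory

# Reset Password dialog. "Password never expires" and "must change at next logon"
# are mutually exclusive, so clear the first before setting the second; the
# helpdesk then never knows the password the user ends up with.
function Reset-LabUserPassword {
    param([Parameter(Mandatory)] [string] $Sam)
    $new = Read-Host -Prompt "Temporary password for $Sam" -AsSecureString
    Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $new
    Set-ADUser -Identity $Sam -PasswordNeverExpires $false
    Set-ADUser -Identity $Sam -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $Sam          # the dialog's "Unlock" checkbox
}

# Account tab > Unlock account, without touching the password. List lockouts
# first: a wave of them usually means wrong passwords being tried, not a typo.
function Get-LockedOutUsers {
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object Name, SamAccountName, LastLogonDate, LockedOut
}

# Disable account (user leaves). Preferred over delete: the account's SID and
# the permissions tied to it survive until you are sure nothing depends on them.
function Disable-LeaverAccount {
    param([Parameter(Mandatory)] [string] $Sam, [string] $Reason = 'left the organisation')
    Disable-ADAccount -Identity $Sam
    Set-ADUser -Identity $Sam -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $Reason"
}

# Rename. The object name (CN) and the logon names are separate attributes;
# the GUI's Rename dialog changes all of them, so do the same here.
function Rename-LabUser {
    param(
        [Parameter(Mandatory)] [string] $Sam,
        [Parameter(Mandatory)] [string] $NewFullName,
        [Parameter(Mandatory)] [string] $NewSam,
        [string] $Domain = 'au.local'
    )
    $user = Get-ADUser -Identity $Sam
    Rename-ADObject -Identity $user.DistinguishedName -NewName $NewFullName
    # the DN changed with the rename, so address the object by its GUID
    Set-ADUser -Identity $user.ObjectGUID -SamAccountName $NewSam `
               -UserPrincipalName "$NewSam@$Domain" -DisplayName $NewFullName
}

Reset-LabUserPassword -Sam 'JohnD'
Get-LockedOutUsers
```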
Group Account Management
Group Account
A Group Account is an object in AD DS which is used to
help manage the permissions assigned to the users on
your network.
Instead of individually granting or denying privileges to individual users, we assign them to groups and manage the group.
It simplifies the management of permissions assigned to the users in the network.
Assume we have several users who all work for the same department; if they should have the same access to the same resources on the network, then group account management becomes important.
Group Account
It enables us to give permissions to a group,
and every user account which is a member of
that group will inherit those permissions.
Types of Groups
There are two types of groups:
Security groups
• Used for the management of permissions
• We will see this in this course
Distribution group
• Used for activities like email distribution lists and the like
• In an Exchange environment, for example, we set up distribution groups and email the group instead of typing all the individual users
Group Scopes
On a domain-based network, we have 3 types of group scopes:
Domain local
Global
Universal
Domain Local Groups:
Used for the direct assignment of access
permissions on files, printer queues, and other
such resources.
Group Scopes
Global groups
Provide domain-centric membership; place all user accounts into Global groups.
Specific to one domain in the forest
Universal groups
Used for the gathering of users and groups from
multiple domains throughout the forest
Typically, organizations using WANs should use
Universal groups only for relatively static groups in
which memberships change rarely.
In reality, what we mostly deal with is the global group; the rest are rarely used in practice.
Creating Group Accounts
To create a group, open Active Directory Users and Computers; in the containers list, right click on Users, then New, then select Group.
You get the New Object – Group wizard.
Enter the group name (e.g. Sales Users).
The group scope is Global.
Group type is Security.
• Just the defaults
Then click OK. The security group is created.
Make Users Member of a Group
There is more than one way to make users of a domain members of a group.
One way is: right click on the group name, select Properties, then click on the Members tab.
There, click the Add button, type the user name, and click on the Check Names button.
From the populated list, select the right one and click OK.
Make Users Member of a Group
The other way to make a user a member of a group is to go to the user in Active Directory Users and Computers, right click on it > Properties > click on the Member Of tab, then click on the Add button.
Then type the group name and click on Check Names, then click OK (with the correct group name populated).
Make Users Member of a Group
To add multiple users as members of a group, go to Active Directory Users and Computers, click on the Users container, then hold the Control (Ctrl) key and click on the multiple user accounts.
Then right click on the selected users and select Add to a group.
Then type the group name and click on the Check Names button.
Then, with the appropriate group populated, click OK.
Remove Users from a Group Membership
To remove a user's membership of a group, one way is to right click on the group > Properties, then click on the Members tab.
Select the member, click on the Remove button, and click OK.
This does not delete the user account; it only removes its membership of that group.
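The group tasks of the last slides (create the Sales Users group, add members from the group side and from the user side, remove a member) done with PowerShell, plus a membership review. This is an added example, not code from the slides; it assumes the ActiveDirectory module, the au.local domain and existing users JohnD and JaneS.

```powershell
# Added example, not from the slides: create the "Sales Users" global security
# group and manage its membership, covering the GUI routes on the slides
# (Members tab, Member Of tab, multi-select Add to a group) and Remove.
# Assumes the ActiveDirectory module, domain au.local and users JohnD and JaneS.
Import-Module ActiveDirectory

$groupName = 'Sales Users'
$path      = 'CN=Users,DC=au,DC=local'

# New Object - Group with the wizard's defaults: scope Global, type Security
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'SalesUsers' `
                -GroupScope Global -GroupCategory Security -Path $path `
                -Description 'Sales department staff'
}

# Members tab, or the Ctrl-click "Add to a group" route: -Members takes a list
Add-ADGroupMember -Identity $groupName -Members 'JohnD'

# Member Of tab: the same link written from the user's side
Add-ADPrincipalGroupMembership -Identity 'JaneS' -MemberOf $groupName

# Remove a membership; the user account itself is untouched
Remove-ADGroupMember -Identity $groupName -Members 'JaneS' -Confirm:$false

# Both views, as the Members and Member Of tabs show them
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity 'JohnD' | Select-Object Name, GroupScope, GroupCategory

# Because permissions follow the group, review who is in it periodically:
# disabled or long-idle accounts that are still members are stale access
function Get-GroupMembershipReport {
    param([string] $Group = $groupName)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate |
        Sort-Object LastLogonDate
}
Get-GroupMembershipReport
```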
Group Account
Using Active Directory Users and Computers (the GUI), there is not much more to do with managing groups.
But we can use PowerShell to manage our groups using scripts, or at a more enterprise level we use the AD Administrative Center.
Computer Account Management
So far, we saw other AD DS objects, specifically user accounts and group accounts.
Computer accounts are another type of AD DS object.
First, go to Active Directory Users and Computers and click on the Computers container.
Because we have not added any computer object so far, the container is empty.
Computer Account Management
First, have a client computer.
In a VMware environment, install a client operating system (like Windows 7).
In a physical environment, have a PC and connect it physically to the network.
On the client computer, give it an appropriate name (e.g. WIN8-client1), give it an IP address from the same address pool, and for the DNS server of the client computer fill in the IP address of one of the Domain Controllers.
Joining a Computer to a Domain
Usually, a computer account is created when a client computer joins a domain.
To make a computer join a domain, as an example on a Windows 8.1 PC, after giving the appropriate IP address as stated on the previous slide, right click on My Computer; in the system properties, click on Change Settings; under Member of, click on Domain, type the domain name (in our case au.local), and click OK.
Joining a Computer to a Domain
On the screen that follows, enter either the AD Administrator credentials or those of any user account created in AD as user name and password.
It should then welcome you to the domain; allow it to restart.
Joining a Computer to a Domain
On the Domain controller, go to the Active Directory
Users and Computers, and if you click on the
Computers container, you see the newly joined
computer name listed.
That is typically how computer accounts are created.
You can also create a computer account before the computer actually joins the domain.
This is called pre-staging, or manually creating a computer account.
To do so, right click on the Computers container > New > Computer … (try this by yourself).
This is usually used when you want to mass-create computer accounts in advance.
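Pre-staging computer accounts in bulk with PowerShell, with a check for pre-staged accounts that no machine has claimed yet. This is an added example, not code from the slides; it assumes the ActiveDirectory module, the au.local domain and its default Computers container, and the client names are a constructed list.

```powershell
# Added example, not from the slides: pre-stage computer accounts in bulk
# (the "create the account before the computer joins" case) and list the ones
# that have not joined yet. Assumes the ActiveDirectory module, domain au.local
# and the default Computers container; the client names are constructed.
Import-Module ActiveDirectory

$domain  = 'au.local'
$path    = 'CN=Computers,DC=au,DC=local'
$clients = 'WIN8-CLIENT1', 'WIN8-CLIENT2', 'WIN7-CLIENT1'   # constructed list

foreach ($name in $clients) {
    if (Get-ADComputer -Filter "Name -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }
    # DNSHostName is the full name the client will show: name + domain suffix
    New-ADComputer -Name $name `
                   -DNSHostName "$name.$domain" `
                   -Path $path `
                   -Enabled $true `
                   -Description "Pre-staged $(Get-Date -Format yyyy-MM-dd)"
}

# A pre-staged account that has never logged on has not been claimed by a
# machine yet. Review these regularly and remove the ones that are no longer
# planned, so that only real machines keep an enabled computer account.
function Get-UnclaimedComputers {
    param([string] $SearchBase = $path)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate, whenCreated |
        Where-Object { -not $_.LastLogonDate } |
        Select-Object Name, DNSHostName, Enabled, whenCreated
}
Get-UnclaimedComputers
```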
Computer Account Management
Computer accounts are important for auditing, i.e. to know who did what from which computer.
If you go to the client computer and look at its full computer name, the domain name is appended as a suffix to the computer name.
E.g. WIN7-Client1.au.local
• If the computer name is WIN7-Client1