
Working with Domain User Accounts

Microsoft operating systems, particularly network operating systems, can make user accounts a little confusing, particularly for the novice administrator. Two different types of user accounts exist: local accounts and domain accounts. Two different account types are necessary because two different security systems pervade computers running Microsoft operating systems and network operating systems such as Windows Server 2008: local security and domain-level security.

A local account is used to gain access to the local machine and its resources. Having a local account means that the user can be validated to the local security database on the server (or desktop computer running Windows XP Professional or Windows Vista Business) and gain access to local resources. Local accounts are more of an issue on computers in workgroups or on member servers within your domain. Creating local accounts is discussed in Hour 3, “Configuring Windows Server 2008 Basic Settings.”

A domain account enables a user to log on to a domain and access the resources available on that domain. You add domain users to the Windows Server 2008 network by using the Active Directory Users and Computers snap-in (in the Server Manager or the MMC).

Before adding domain users to the Active Directory, you should determine the set of parameters or rules that you will follow when you create the usernames for your domain (or domains). For example, you might determine that you will use the first initial and then the last name of employees at your company to create each username. Keep the following in mind as you determine your set of rules for naming your users’ accounts:

  • Usernames must be unique. So, the convention of using the first initial followed by the last name will not work when you have users with the same last name and the same first initial. Networks running Windows Server 2008 or Windows 2000 on the domain controllers provide you with 256 characters to create the username, which provides more than enough possibilities.
  • User logon names can be a combination of numeric and alphanumeric characters. You can use names and even floor locations, such as marysmithfloor2, to help define unique and descriptive usernames.
  • You cannot end a username with a period or use the reserved characters *, /, |, :, ;, =, <, and >.

By the Way

Windows Server 2008 (and Windows Server 2003) domain usernames are also referred to as user principal names. These names consist of two parts: the user’s name and the user principal name suffix. You create the username; the suffix consists of the @ sign followed by the domain where the user resides.

Adding Users to the Domain

When you create a new user account in the Active Directory Users and Computers snap-in, a security identifier (SID) is created for the account. Windows actually uses the SID to identify the account (in internal processes) instead of the username. The SID is unique for every user account and includes information on the user’s group memberships and security settings. When a user logs on to the network from a client computer, the username and password are used to validate or authenticate the user to the domain.

You add user accounts to the domain with the Active Directory Users and Computers snap-in. To add a user to your domain, follow these steps:

1. Open the Active Directory Users and Computers snap-in in the Server Manager (expand the AD DS node), or open it via the Start menu: click Start, Administrative Tools, and then Active Directory Users and Computers.

2. Under the Active Directory Users and Computers snap-in, expand the domain node in the Node pane. Then select the Users folder in the tree. A list of the default groups and users in your domain appears in the Details pane.

3. To create a new user, click the Create a New User in the Current Container button on the Active Directory toolbar (or see the following Did You Know? note if you are working in the Server Manager). The New Object–User dialog box opens (see Figure 8.11).

Figure 8.11. The New Object–User dialog box is used to create the new user account.

Did you Know?

If you are using the Users and Computers snap-in in the Server Manager window, you won’t have the Active Directory toolbar at the top of the window as you will when you run the Users and Computers snap-in in the MMC. To add a new user in the Server Manager window, click the More Actions link in the Actions pane, point at New, and then select User.

4. Enter a first name, initials, and a last name for the user (this is actually the name that will appear in the Active Directory).

5. In the User Logon Name box, type the username that the user will use to log on to the domain.

Did you Know?

When you create the domain user account, note that a pre–Windows 2000 version of the user account is also created for the user, truncating the username that you have created at 20 characters.

6. When you have entered the appropriate information (see steps 4 and 5), click Next to continue.

7. On the next screen (see Figure 8.12), you are asked to provide a password for the user (and confirm it) and to set properties related to the user’s password. The password possibilities are as follows:

  • User Must Change Password at Next Logon— If you want to let users control the password they use, check this check box. You can then enter something generic, such as password, as the user’s initial password. At the first logon, the user is required to change the default password.
  • User Cannot Change Password— If you want to assign passwords to your users and not allow them to change passwords, click this check box.
  • Password Never Expires— This makes the password selected by you or the user a lifelong password; it has no expiration time limit. When you do not use this option, passwords are good for a month (31 days), by default.
  • Account Is Disabled— This check box enables you to disable the current account without actually deleting the account.

Figure 8.12. Enter a password for the user and set password properties.

8. After supplying the password and setting password options, click Next. A summary screen for the new user account appears. Click Finish.
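The naming rules and the New Object–User wizard steps above can also be scripted. The following is an added example (PowerShell with the ActiveDirectory module), not code from the book; the OU path, the UPN suffix and the two sample employees are assumed values.

```powershell
# Added example, not from the book: scripting the naming rules and the
# New Object - User wizard with the ActiveDirectory module (PowerShell).
# The OU path, UPN suffix and the two sample employees are assumed values.
Import-Module ActiveDirectory

# Reserved characters the text lists for logon names.
$Reserved = [char[]]'*/|:;=<>'
function New-LogonName {
    param([string]$First, [string]$Last)
    # Convention from the text: first initial followed by the last name.
    $name = ($First.Substring(0, 1) + $Last).ToLower()
    if ($name.EndsWith('.') -or ($name.IndexOfAny($Reserved) -ge 0)) {
        throw "Logon name '$name' ends with a period or contains a reserved character"
    }
    return $name
}

$OU     = 'OU=Staff,DC=corp,DC=example,DC=com'   # assumed container
$Suffix = 'corp.example.com'                      # assumed UPN suffix

$people = @(                                       # constructed sample input
    @{ First = 'Mary'; Last = 'Smith'; Initials = 'A' },
    @{ First = 'Mark'; Last = 'Smith'; Initials = 'B' }   # same initial and surname
)

foreach ($p in $people) {
    $logon = New-LogonName -First $p.First -Last $p.Last
    # Usernames must be unique: both people above map to "msmith", so the
    # second one falls back to a more descriptive name, as the text advises.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$logon@$Suffix'") {
        $logon = New-LogonName -First $p.First -Last ($p.Last + $p.Initials)
    }
    # The pre-Windows 2000 logon name is truncated to 20 characters.
    $sam = $logon.Substring(0, [Math]::Min(20, $logon.Length))
    $params = @{
        Name                  = "$($p.First) $($p.Last)"
        GivenName             = $p.First
        Surname               = $p.Last
        Initials              = $p.Initials
        SamAccountName        = $sam
        UserPrincipalName     = "$logon@$Suffix"
        Path                  = $OU
        AccountPassword       = (Read-Host -AsSecureString "Initial password for $logon")
        ChangePasswordAtLogon = $true    # User Must Change Password at Next Logon
        CannotChangePassword  = $false   # User Cannot Change Password (left clear)
        PasswordNeverExpires  = $false   # Password Never Expires (left clear)
        Enabled               = $true    # Account Is Disabled (left clear)
    }
    New-ADUser @params
}
```

The four switches in the splatted hashtable correspond one to one with the check boxes shown in Figure 8.12.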

Did you Know?

Windows Server 2008 embraces the same strengthened password protection for user accounts introduced in Windows Server 2003. Users are not able to change a user password to a blank password (no password at all). Any user attempting to log on to the domain with a blank password is not given access to resources in the domain and can only log on to the local computer.

The new user account appears in the Details pane of the Active Directory Users and Computers snap-in. You can add additional user accounts as needed.

Setting User Account Properties

After you create a user account, you can access a number of properties related to the account. These properties range from when the user can log on to the domain to the user’s business information, such as phone number and address.

To access a user account’s properties, right-click a user account in the Active Directory Users and Computers snap-in, and select Properties from the shortcut menu. The Properties dialog box for that user account opens (see Figure 8.13).

Figure 8.13. User properties are set in the account’s Properties dialog box.

The various user properties are set in the tabs of the dialog box. The user Properties dialog box includes the following tabs:

As noted in this list, a number of these tabs are discussed in more detail in later hours of this book. Before we end our discussion of user account options, let’s take a look at setting the logon hours for users and the computers that they can log on to and access domain resources.

Setting Logon Hours and Computers

The Account tab of the user’s Properties dialog box is used to set the logon hours for a user and the computers on which that user can log on to the domain. To set the logon hours for the user, follow these steps:

1. Right-click the user’s account in the Active Directory Users and Computers Details pane and select Properties to open the Properties dialog box (if it is not already open).

2. On the Account tab, click the Logon Hours button. The Logon Hours dialog box for the user appears (see Figure 8.14).

Figure 8.14. You can control when a user can log on to the network.


3. All hours are allowed by default (all hours are in blue). To disallow certain hours (such as Saturdays) for logon, click and drag to select the time range. Then click the Logon Denied option button. The timeframe that you selected turns white. This timeframe is no longer allowed for user logon. When you have finished specifying the timeframes for logon (and logon denial), click the OK button. You are returned to the Account tab of the Properties dialog box.

4. You can also specify the computers that a user can use to log on to the network. On the Account tab, select the Log On To button. The Logon Workstations dialog box opens (see Figure 8.15).

Figure 8.15. You can specify the computers that a user can use to log on to the network.

5. Select the The Following Computers option button. To add a computer to the list, type the computer’s NetBIOS name into the Computer name box (the NetBIOS name is the first 15 characters of a computer’s name and does not include the domain name suffix).

6. After typing in the computer name, click the Add button. You can add a number of computers to the list (computers can also be removed from the list with the Remove button). After entering the computers for the user, click OK. You are returned to the Account tab of the Properties dialog box. Click OK to close the dialog box.
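The same Logon Hours and Log On To restrictions can be applied with Set-ADUser. This is an added example, not code from the book; the account msmith and the workstation names are assumed placeholders, and the logonHours layout (168 bits from Sunday 00:00 UTC, least-significant bit first in each byte) is the directory attribute format, not something the book describes.

```powershell
# Added example, not from the book: the Logon Hours and Log On To settings
# of the Account tab, applied with Set-ADUser. The account "msmith" and the
# workstation names are assumed placeholders.
Import-Module ActiveDirectory

function New-LogonHours {
    # Builds the 21-byte logonHours attribute: 168 bits, one per hour of the
    # week starting Sunday 00:00, least-significant bit first within each byte.
    # 1 = logon permitted, 0 = logon denied. The directory stores the hours in
    # UTC; the dialog in Figure 8.14 shows them in local time, so shift the
    # denied range by the site's UTC offset before calling this.
    param([int[]]$DeniedHoursOfWeek)
    $hours = New-Object byte[] 21
    for ($h = 0; $h -lt 168; $h++) {
        if ($DeniedHoursOfWeek -contains $h) { continue }
        $i = [int][Math]::Floor($h / 8)
        $hours[$i] = $hours[$i] -bor (1 -shl ($h % 8))
    }
    return $hours
}

function Test-LogonHour {
    # Reads one hour back out of a logonHours value (useful when auditing
    # which accounts are still permitted to log on at a given time).
    param([byte[]]$Hours, [int]$HourOfWeek)
    $i = [int][Math]::Floor($HourOfWeek / 8)
    return (($Hours[$i] -shr ($HourOfWeek % 8)) -band 1) -eq 1
}

# Deny all of Saturday, as in step 3: day 6, hours 144..167 of the week (UTC).
$logonHours = New-LogonHours -DeniedHoursOfWeek (144..167)
Set-ADUser -Identity 'msmith' -Replace @{ logonHours = $logonHours }

# Log On To -> The Following Computers: NetBIOS names (15 characters max,
# no domain suffix), passed to LogonWorkstations as a comma-separated list.
$workstations = @('WS-ACCT01', 'WS-ACCT02')   # assumed names
foreach ($w in $workstations) {
    if ($w.Length -gt 15 -or $w.Contains('.')) { throw "'$w' is not a NetBIOS name" }
}
Set-ADUser -Identity 'msmith' -LogonWorkstations ($workstations -join ',')

# Read the settings back: Saturday 10:00 UTC should now be denied and
# Monday 10:00 UTC still permitted.
$u = Get-ADUser -Identity 'msmith' -Properties logonHours, LogonWorkstations
Test-LogonHour -Hours ([byte[]]$u.logonHours) -HourOfWeek (144 + 10)
Test-LogonHour -Hours ([byte[]]$u.logonHours) -HourOfWeek (24 + 10)
$u.LogonWorkstations
```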
