Chapter 12

Managing Windows User Accounts

IN THIS CHAPTER

Understanding user accounts

Creating user accounts

Setting account options

Working with groups

Creating a login script

Every user who accesses a network must have a user account. User accounts allow you — as network administrator — to control who can access the network and who can’t. In addition, user accounts let you specify what network resources each user can use. Without user accounts, all your resources would be open to anyone who casually dropped by your network.

Understanding Windows User Accounts

User accounts are among the basic tools for managing a Windows server. As a network administrator, you’ll spend a large percentage of your time dealing with user accounts — creating new ones, deleting expired ones, resetting passwords for forgetful users, granting new access rights, and so on. Before I get into the specific procedures of creating and managing user accounts, this section presents an overview of user accounts and how they work.

Local accounts versus domain accounts

A local account is a user account stored on a particular computer, applicable to that computer only. Typically, each computer on your network has a local account for each person who uses that computer.

By contrast, a domain account is a user account that’s stored by Active Directory (AD) and can be accessed from any computer that’s a part of the domain. Domain accounts are centrally managed. This chapter deals primarily with setting up and maintaining domain accounts.

User account properties

Every user account has several important account properties that specify the characteristics of the account. The three most important account properties are

  • Username: A unique name that identifies the account. The user must enter the username when logging on to the network. The username is public information. In other words, other network users can (and often should) find out your username.
  • Password: A secret word that must be entered to gain access to the account. You can set up Windows so that it enforces password policies, such as the minimum length of the password, whether the password must contain a mixture of letters and numerals, and how long the password remains current before the user must change it.
  • Group membership: The group(s) to which the user account belongs. Group memberships are the key to granting access rights to users so that they can access various network resources (such as file shares or printers) or perform certain network tasks (such as creating new user accounts or backing up the server).

Many other account properties record information about the user, such as the user’s contact information, whether the user is allowed to access the system only at certain times or from certain computers, and so on.

Creating a New User

To create a new domain user account in Windows Server 2016, follow these steps:

  1. Choose Start ⇒ Administrative Tools ⇒ Active Directory Users and Computers.

    This command fires up the Active Directory Users and Computers management console, as shown in Figure 12-1.

  2. Right-click the domain that you want to add the user to and then choose New ⇒ User from the contextual menu.

    This command summons the New Object – User Wizard, as shown in Figure 12-2.

  3. Enter the user’s first name, middle initial, and last name.

    As you fill in these fields, the New Object Wizard automatically fills in the Full Name field.

  4. Change the Full Name field if you want it to appear different from what the wizard proposes.

    You may want to reverse the first and last names so the last name appears first, for example.

  5. Enter the user logon name.

    This name must be unique within the domain. (Don’t worry; if you try to use a name that isn’t unique, you get an error message.)

    tip Pick a naming scheme to follow when creating user logon names. You can use the first letter of the first name followed by the complete last name, the complete first name followed by the first letter of the last name, or any other scheme that suits your fancy.

  6. Click Next.

    The second page of the New Object – User Wizard appears, as shown in Figure 12-3.

  7. Enter the password twice.

    You’re asked to enter the password and then confirm it, so type it correctly. If you don’t enter it identically in both boxes, you’re asked to correct your mistake.

  8. Specify the password options that you want to apply.

    The following password options are available:

    • User Must Change Password at Next Logon
    • User Cannot Change Password
    • Password Never Expires
    • Account Is Disabled

    For more information about these options, see the section “Setting account options,” later in this chapter.

  9. Click Next.

    You’re taken to the final page of the New Object – User Wizard, as shown in Figure 12-4.

  10. Verify that the information is correct and then click Finish to create the account.

    If the account information isn’t correct, click the Back button, and correct the error.

FIGURE 12-1: The Active Directory Users and Computers management console.

FIGURE 12-2: Use the wizard to create a new user.

FIGURE 12-3: Set the user’s password.

FIGURE 12-4: Verifying the user account information.

You’re done! Now you can customize the user’s account settings. At minimum, you’ll probably want to add the user to one or more groups. You may also want to add contact information for the user or set up other account options.

tip An alternative way to create a new user is simply to copy an existing user. When you copy an existing user, you provide a new username and password and Windows copies all the other property settings from the existing user to the new user.
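As an added example (not from the chapter), here is the same wizard walk-through done from PowerShell with the ActiveDirectory module’s New-ADUser cmdlet. The OU named Staff, the group named Marketing and the sample user Doug J. Lowe are assumed values.

```powershell
# Added example: Steps 3-8 of the New Object - User wizard as a script.
# Assumed: an OU named Staff and a group named Marketing already exist.
Import-Module ActiveDirectory

# Naming scheme from the Step 5 tip: first initial followed by the last name.
function New-LogonName {
    param([string]$First, [string]$Last)
    return ($First.Substring(0, 1) + $Last).ToLower()
}

$first  = 'Doug'; $initial = 'J'; $last = 'Lowe'     # constructed sample user
$logon  = New-LogonName -First $first -Last $last    # dlowe
$domain = Get-ADDomain

# Step 5: the logon name must be unique in the domain, so check before creating.
if (Get-ADUser -Filter "SamAccountName -eq '$logon'") {
    throw "Logon name '$logon' is already in use in $($domain.DNSRoot)"
}

# Step 7: read the initial password as a SecureString rather than embedding it.
$password = Read-Host -Prompt "Initial password for $logon" -AsSecureString

# Steps 3, 4 and 8: names, logon names, target container and password options.
$newUser = @{
    Name                  = "$last, $first"                  # Full Name, last name first (Step 4)
    GivenName             = $first
    Initials              = $initial
    Surname               = $last
    SamAccountName        = $logon                           # pre-Windows 2000 logon name
    UserPrincipalName     = "$logon@$($domain.DNSRoot)"      # user logon name
    Path                  = "OU=Staff,$($domain.DistinguishedName)"
    AccountPassword       = $password
    ChangePasswordAtLogon = $true                            # User Must Change Password at Next Logon
    PasswordNeverExpires  = $false                           # leave Password Never Expires clear
    Enabled               = $true                            # leave Account Is Disabled clear
}
New-ADUser @newUser

# The minimum follow-up the text recommends: put the user in a group.
Add-ADGroupMember -Identity 'Marketing' -Members $logon

# Read the account back, the script's equivalent of the Step 10 verification page.
Get-ADUser -Identity $logon -Properties MemberOf, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordExpired, MemberOf
```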

Setting User Properties

After you create a user account, you can set additional properties for the user by right-clicking the new user and choosing Properties from the contextual menu. This command brings up the User Properties dialog box, which has about a million tabs that you can use to set various properties for the user. Figure 12-5 shows the General tab, which lists basic information about the user, such as the user’s name, office location, and phone number.

FIGURE 12-5: The General tab.

The following sections describe some of the administrative tasks that you can perform via the various tabs of the User Properties dialog box.

Changing the user’s contact information

Several tabs of the User Properties dialog box contain contact information for the user, such as

  • Address: Change the user’s street address, post office box, city, state, zip code, and so on.
  • Telephones: Specify the user’s phone numbers.
  • Organization: Record the user’s job title and the name of his boss.

Setting account options

The Account tab of the User Properties dialog box, shown in Figure 12-6, features a variety of interesting options that you can set for the user. You can change the user’s logon name, change the password options that you set when you created the account, and set an expiration date for the account.

FIGURE 12-6: Set user account info here.

The following account options are available in the Account Options list box:

  • User Must Change Password at Next Logon: This default option allows you to create a one-time-only password that can get the user started with the network. The first time the user logs on to the network, he is asked to change the password.
  • User Cannot Change Password: Use this option if you don’t want to allow users to change their passwords. (Obviously, you can’t use this option and the preceding one at the same time.)
  • Password Never Expires: Use this option to bypass the password-expiration policy for this user so that the user will never have to change her password.
  • Store Password Using Reversible Encryption: This option stores the password in a form from which the plaintext can be recovered by anyone who obtains the directory data, so you should avoid it like the plague.
  • Account Is Disabled: This option allows you to create an account that you don’t yet need. As long as the account remains disabled, the user won’t be able to log on. See the upcoming section, “Disabling and Enabling User Accounts,” to find out how to enable a disabled account.
  • Smart Card Is Required for Interactive Logon: If the user’s computer has a smart card reader to read security cards automatically, select this option to require the user to use it.
  • Account Is Trusted for Delegation: This option marks the account as trusted to impersonate users when it contacts other network services on their behalf (delegation). This advanced feature usually is reserved for Administrator accounts.
  • Account Is Sensitive and Cannot Be Delegated: This option prevents services that are trusted for delegation from impersonating this account.
  • Use DES Encryption Types for This Account: This option beefs up the encryption for applications that require extra security.
  • Do Not Require Kerberos Preauthentication: Kerberos is the authentication protocol that Active Directory uses by default to authenticate users. Select this option only if you are using a different type of security.
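The checkboxes above are stored as flags on each account, so you can audit them across the domain. This added example (not from the chapter) reports enabled accounts that carry the options that weaken security; the property names are the ones the ActiveDirectory module exposes for the Account tab checkboxes.

```powershell
# Added example: list enabled domain accounts whose Account Options weaken security.
Import-Module ActiveDirectory

function Get-RiskyAccountOptions {
    # Checkbox label on the Account tab  ->  ADUser property the module exposes.
    # DES is a legacy Kerberos encryption type, so UseDESKeyOnly is reported too.
    $risky = [ordered]@{
        'Password Never Expires'                     = 'PasswordNeverExpires'
        'Store Password Using Reversible Encryption' = 'AllowReversiblePasswordEncryption'
        'Account Is Trusted for Delegation'          = 'TrustedForDelegation'
        'Use DES Encryption Types for This Account'  = 'UseDESKeyOnly'
        'Do Not Require Kerberos Preauthentication'  = 'DoesNotRequirePreAuth'
    }
    $props = @($risky.Values) + 'AccountNotDelegated', 'AdminCount'

    # userAccountControl bit 2 is "Account Is Disabled"; the LDAP matching rule
    # 1.2.840.113556.1.4.803 is a bitwise AND, so this keeps only enabled accounts.
    $users = Get-ADUser -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' `
                        -Properties $props

    foreach ($u in $users) {
        $issues = @(foreach ($label in $risky.Keys) {
            if ($u.($risky[$label])) { $label }
        })
        # Privileged accounts (adminCount=1) should carry "Account Is Sensitive
        # and Cannot Be Delegated"; report the ones that do not.
        if ($u.AdminCount -eq 1 -and -not $u.AccountNotDelegated) {
            $issues += 'Privileged account not marked sensitive'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                User   = $u.SamAccountName
                Issues = $issues -join '; '
            }
        }
    }
}

Get-RiskyAccountOptions | Sort-Object User | Format-Table -AutoSize -Wrap
```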

Specifying logon hours

You can restrict the hours during which the user is allowed to log on to the system. Click the Logon Hours button on the Account tab of the User Properties dialog box to open the Logon Hours for [User] dialog box, as shown in Figure 12-7.

FIGURE 12-7: Restrict a user’s logon hours.

Initially, the Logon Hours dialog box is set to allow the user to log on at any time of day or night. To change the hours that you want the user to have access, click a day and time or a range of days and times, select Logon Permitted or Logon Denied, and then click OK.

Restricting access to certain computers

Typically, a user can use his user account to log on to any computer that’s part of the user’s domain. You can restrict a user to certain computers, however, by clicking the Log On To button on the Account tab of the User Properties dialog box. This button brings up the Logon Workstations dialog box, as shown in Figure 12-8.

FIGURE 12-8: Restricting the user to certain computers.

To restrict the user to certain computers, select the The Following Computers radio button. Then, for each computer you want to allow the user to log on from, enter the computer’s name in the text box and click Add.

tip If you make a mistake, you can select the incorrect computer name and then click Edit to change the name, or click Remove to delete the name.

Setting the user’s profile information

From the Profile tab, as shown in Figure 12-9, you can configure three bits of information about the user’s profile information:

  • Profile Path: This field specifies the location of the user’s roaming profile.
  • Logon Script: This field is the name of the user’s logon script. A logon script is a batch file that’s run whenever the user logs on. The main purpose of the logon script is to map the network shares that the user requires access to. Logon scripts are carryovers from early versions of Windows NT Server. In Windows Server 2012, profiles are the preferred way to configure the user’s computer when the user logs on, including setting up network shares. Many administrators still like the simplicity of logon scripts, however. For more information, see the section “Creating a Logon Script,” later in this chapter.
  • Home Folder: This section is where you specify the default storage location for the user.

FIGURE 12-9: The Profile tab.

tip From the Profile tab, you can specify the location of an existing profile for the user, but it doesn’t actually let you set up the profile.

Resetting User Passwords

By some estimates, the single most time-consuming task of most network administrators is resetting user passwords. Lest you assume that all users are forgetful idiots, put yourself in their shoes: they’re made to set their passwords to something incomprehensible (94kD82leL384K), have to change it a week later to something even less memorable (dJUQ63DWd8331), and aren’t supposed to write it down. Then network admins get mad when they forget their passwords.

Sooo, when a user calls and says that she forgot her password, the least you can do is (appear to) be cheerful when you reset it. After all, the user probably spent 15 minutes trying to remember it before finally giving up and admitting failure.

Here’s the procedure to reset the password for a user domain account:

  1. Log on as an administrator.

    remember You must have administrator privileges to perform this procedure.

  2. Choose Start ⇒ Administrative Tools ⇒ Active Directory Users and Computers.

    The Active Directory Users and Computers management console appears.

  3. In the Active Directory Users and Computers management console, click Users in the console tree.

    Refer to Figure 12-1.

  4. In the Details pane, right-click the user who forgot her password and then choose Reset Password from the contextual menu.

    A dialog box appears allowing you to change the password.

  5. Enter the new password in both password boxes.

    tip Enter the password twice to ensure that you input it correctly.

  6. (Optional) Select the User Must Change Password at Next Logon option.

    If you select this option, the password that you assign will work for only one logon. As soon as the user logs on, she will be required to change the password.

  7. Click OK.

    That’s all there is to it! The user’s password is reset.

Disabling and Enabling User Accounts

To temporarily prevent a user from accessing the network, you can disable his account. You can always enable the account later, when you’re ready to restore the user to full access. Here’s the procedure:

  1. Log on as an administrator.

    You must have administrator privileges to perform this procedure.

  2. From Server Manager, choose Tools ⇒ Active Directory Users and Computers.
  3. In the Active Directory Users and Computers management console that appears, click Users in the console tree.
  4. In the Details pane, right-click the user that you want to enable or disable; then choose either Enable Account or Disable Account from the contextual menu to enable or disable the user, respectively.

Deleting a User

People come, and people go. And when they go, so should their user account. Deleting a user account is surprisingly easy. Just follow these steps:

  1. Log on as an administrator.

    You must have administrator privileges to perform this procedure.

  2. Choose Start ⇒ Administrative Tools ⇒ Active Directory Users and Computers.
  3. In the Active Directory Users and Computers management console that appears, click Users in the console tree.
  4. In the Details pane, right-click the user that you want to delete and then choose Delete from the contextual menu.

    Windows asks whether you really want to delete the user, just in case you’re kidding.

  5. Click Yes.

    Poof! The user account is deleted.

warning Deleting a user account is a permanent, nonreversible action. Do it only if you’re absolutely sure that you never ever want to restore the user’s account. If there’s any possibility of restoring the account later, disable the account instead of deleting it. (See the preceding section.)

Working with Groups

A group is a special type of account that represents a set of users who have common network access needs. Groups can dramatically simplify the task of assigning network access rights to users. Rather than assign access rights to each user individually, you can assign rights to the group itself. Then those rights automatically extend to any user you add to the group.

The following sections describe some of the key concepts that you need to understand to use groups, along with some of the most common procedures you’ll employ when setting up groups for your server.

Creating a group

Here’s how to create a group:

  1. Log on as an administrator.

    You must have administrator privileges to perform this procedure.

  2. From Server Manager, choose Tools ⇒ Active Directory Users and Computers.

    The Active Directory Users and Computers management console appears.

  3. Right-click the domain to which you want to add the group and then choose New ⇒ Group from the contextual menu.
  4. In the New Object – Group dialog box that appears, as shown in Figure 12-10, enter the name for the new group.

    Enter the name in both text boxes.

  5. Choose the group scope.

    The choices are

    • Domain Local: For groups that will be granted access rights to network resources
    • Global: For groups to which you’ll add users and Domain Local groups
    • Universal: If you have a large network with multiple domains

  6. Choose the group type.

    The choices are Security and Distribution. In most cases, choose Security.

  7. Click OK.

    The group is created. However, at this point, it has no members. To remedy that, keep reading.

FIGURE 12-10: Create a new group.

Adding a member to a group

Groups are collections of objects called members. The members of a group can be user accounts or other groups. A newly created group (see the preceding section) has no members. As you can see, a group isn’t useful until you add at least one member.

Follow these steps to add a member to a group:

  1. Log on as an administrator.

    You must have administrator privileges to perform this procedure.

  2. Choose Start ⇒ Administrative Tools ⇒ Active Directory Users and Computers.

    The Active Directory Users and Computers management console appears.

  3. Open the folder that contains the group to which you want to add members and then double-click the group.

    The Group Properties dialog box appears.

  4. Click the Members tab.

    The members of the group are displayed, as shown in Figure 12-11.

  5. Click Add, type the name of a user or other group that you want to add to this group, and then click OK.

    The member is added to the list.

  6. Repeat Step 5 for each user that you want to add.

    Keep going until you add everyone!

  7. Click OK.

FIGURE 12-11: Adding members to a group.

That’s all there is to it.

tip On the Member Of tab of the Group Properties dialog box, you can see a list of each group that the current group is a member of.
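This added example (not from the chapter) scripts the group procedures above with New-ADGroup and Add-ADGroupMember, following the scope guidance from Step 5: users go into a Global group, the Global group goes into a Domain Local group, and the Domain Local group is what gets rights on the share. The group names Mktg-Users and Mktg-Share-RW, the OU named Groups and the user dlowe are assumed.

```powershell
# Added example: "Creating a group" Steps 3-7 and "Adding a member to a group"
# from the shell, arranged as user -> Global group -> Domain Local group -> resource.
Import-Module ActiveDirectory

$groupsOu = "OU=Groups,$((Get-ADDomain).DistinguishedName)"   # assumed OU

# Steps 4-6: the name (both text boxes), the scope and the type (Security).
New-ADGroup -Name 'Mktg-Users' -SamAccountName 'Mktg-Users' `
    -GroupScope Global -GroupCategory Security -Path $groupsOu `
    -Description 'Marketing staff: add user accounts here'

New-ADGroup -Name 'Mktg-Share-RW' -SamAccountName 'Mktg-Share-RW' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu `
    -Description 'Read/write on \\server1\shares\mktg: grant the share rights to this group'

# Adding members: a user into the Global group, then the Global group itself
# into the Domain Local group (members can be users or other groups).
Add-ADGroupMember -Identity 'Mktg-Users'    -Members 'dlowe'
Add-ADGroupMember -Identity 'Mktg-Share-RW' -Members 'Mktg-Users'

# What the Member Of tab shows for Mktg-Users ...
Get-ADPrincipalGroupMembership -Identity 'Mktg-Users' |
    Select-Object Name, GroupScope

# ... and what the Members tab shows for Mktg-Share-RW, with nesting resolved,
# so you can see which user accounts end up with rights on the share.
Get-ADGroupMember -Identity 'Mktg-Share-RW' -Recursive |
    Select-Object SamAccountName, objectClass
```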

Creating a Logon Script

A logon script is a batch file that’s run automatically whenever a user logs on. The most common reason for using a logon script is to map the network shares that the user needs access to. Here’s a simple logon script that maps three network shares:

@echo off
rem Map two shares on server1 and one share on server2 for this logon session.
net use m: \\server1\shares\admin
net use n: \\server1\shares\mktg
net use o: \\server2\archives

Here, two shares on server1 are mapped to drives M: and N:, and a share on server2 is mapped as drive O:.

If you want, you can use the special variable %username% to get the user’s username. This variable is useful if you created a folder for each user, and you want to map a drive to each user’s folder, as follows:

net use u: \\server1\users\%username%

If a user logs on with the username dlowe, for example, drive U: is mapped to \\server1\users\dlowe.

tip Scripts should be saved in the Scripts folder, which is buried deep in the bowels of the SYSVOL folder — typically, here:

c:\Windows\SYSVOL\Sysvol\domainname\Scripts

where domainname is your domain name. Because you need to access this folder frequently, I suggest creating a shortcut to it on your desktop.

After you create a logon script, you can assign it to a user by using the Profile tab of the User Properties dialog box. For more information, see the section “Setting the user’s profile information,” earlier in this chapter.
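This added example (not from the chapter) publishes a logon script to the Scripts folder described in the tip and assigns it, together with the per-user home folder that the %username% mapping points at, to every user in an assumed group named Mktg-Users. The file name mktg-logon.bat is assumed to exist in the current directory; the Scripts folder is shared from every domain controller as NETLOGON, which is why the script uses that share rather than the local SYSVOL path.

```powershell
# Added example: copy a logon script into the Scripts folder and set the
# Profile tab fields (Logon Script, Home Folder) for a group of users.
Import-Module ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot
$scriptName = 'mktg-logon.bat'                 # assumed file in the current directory
$netlogon   = "\\$domain\NETLOGON"             # the ...\SYSVOL\sysvol\<domain>\scripts folder on each DC

if (-not (Test-Path $netlogon)) { throw "Cannot reach $netlogon" }
Copy-Item -Path ".\$scriptName" -Destination $netlogon

# The Logon Script field (ScriptPath) takes a name relative to the Scripts folder,
# not a full path. Home Folder is HomeDrive plus HomeDirectory; Set-ADUser only
# records the path, so the per-user folder under \\server1\users must already exist.
Get-ADGroupMember -Identity 'Mktg-Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    ForEach-Object {
        Set-ADUser -Identity $_ -ScriptPath $scriptName `
            -HomeDrive 'U:' -HomeDirectory "\\server1\users\$($_.SamAccountName)"
    }

# Check what the Profile tab now shows for those users.
Get-ADGroupMember -Identity 'Mktg-Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ScriptPath, HomeDrive, HomeDirectory |
    Format-Table SamAccountName, ScriptPath, HomeDrive, HomeDirectory -AutoSize
```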