Lesson 2: Creating User and Computer Accounts

You use objects, user accounts, and computer accounts to represent users and computers so that you can control network access and manage the use of network resources. To add a user or a computer account to an OU, you must have the permission to add new objects to the OU. By default, members of the Administrators group have permission to add objects anywhere in the domain.

Creating User Accounts

User accounts are employed to authenticate the user, as well as to assign permissions to gain access to network resources. You can use the Active Directory Users and Computers administrative tool on any available domain controller to create a new user account. After you create the account, it is replicated to all other domain controllers in the domain.

When you create the user account, you must first select the container in which to create it. You can create user accounts at the domain level, but doing so limits your delegation options and increases the complexity of managing your network. To create a domain user account, you would do the following:

  1. Open the Active Directory Users and Computers administrative tool.
  2. Right-click the OU in which you want to create the user account, point to New, and then click User. Figure 5.1 shows the New Object - User dialog box. The fields in Figure 5.1 are explained in Table 5.1.

Table 5.1 describes the domain user account options that you can configure.

Table 5.1 Configurable Domain User Account Options

Option -- Description
First Name -- The user's first name. This field or the Last Name field is required.
Initials -- The user's initials. This field or the First Name or the Last Name field is required.
Last Name -- The user's last name. This field or the First Name or the Initials field is required.
Full Name -- The user's complete name. This name must be unique within the OU or container where you create the user account. Active Directory directory services display this name in the OU or container where the user account is located.
User Logon Name -- The user's unique logon name based on your naming conventions. This is required and must be unique within the enterprise.
User Logon Name (Pre-Windows 2000) -- The user's unique logon name that is used to log on from computers running earlier versions of Windows, such as Windows NT 4.0 or 3.51. This is required and must be unique within the domain.


Figure 5.1 The New Object - User dialog box

NOTE
The user logon name, combined with the domain name in the box that appears to the right of the User Logon Name box, is the User Principal Name (UPN). The UPN uniquely identifies the user throughout the entire enterprise. An example of a UPN would be user5@domain1.domain.com.

After you enter the information about the user, you can set the password requirements for the user account by clicking the Next button to display the password options shown in Figure 5.2.


Figure 5.2 The New Object - User dialog box's password settings

Table 5.2 describes the password options that you can configure.

Table 5.2 Configurable Password Options

Option -- Description
Password -- Enter the password that is used to authenticate the user. For greater security, you should always assign a password.
Confirm Password -- Confirm the password by typing it a second time to make sure that you typed it correctly.
User Must Change Password At Next Logon -- Select this check box if you want the user to change his or her password the first time that he or she logs on. This ensures that the user is the only person who knows the password.
User Cannot Change Password -- Select this check box if you have more than one person using the same domain user account (such as Guest), or to maintain control over user account passwords. This allows only administrators to control passwords.
Password Never Expires -- Select this check box if you want the password to never change.
Account Disabled -- Select this check box to prevent the use of this account, for example, on an account for a new employee who has not yet started.

Each user account that you create is associated with a set of default attributes. You can use the attributes that you define for a domain user account to search for users in Active Directory directory services. For this reason, you should provide detailed attribute definitions for each domain user account that you create.

After you create a domain user account, you can configure personal and account attributes, logon options, and dial-in settings.
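The options in Tables 5.1 and 5.2 map directly onto parameters of the ActiveDirectory PowerShell module. The following is an added example, not code from the book (which works only in the Active Directory Users and Computers GUI); it assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later, not available on Windows 2000) and the names used in this chapter's practice, domain.com and the Production OU, which are assumptions here. It creates the four practice users with the password options from the Exercise 1 table.

```powershell
# Added example: creating the four practice users with the Table 5.1 / 5.2 options.
# Assumptions (not from the book): the ActiveDirectory module is loaded, and the
# domain is domain.com with a Production OU.
Import-Module ActiveDirectory

$ouPath = 'OU=Production,DC=domain,DC=com'   # assumed DN of the Production OU

# One entry per row of the Exercise 1 table: a blank password with "User Must Change
# Password At Next Logon", or a set password with "User Cannot Change Password".
$users = @(
    @{ First = 'User'; Last = 'One';   Logon = 'User1'; Password = $null;   MustChange = $true  },
    @{ First = 'User'; Last = 'Two';   Logon = 'User2'; Password = $null;   MustChange = $true  },
    @{ First = 'User'; Last = 'Three'; Logon = 'User3'; Password = 'User3'; MustChange = $true  },
    @{ First = 'User'; Last = 'Four';  Logon = 'User4'; Password = 'User4'; MustChange = $false }
)

foreach ($u in $users) {
    # The User Logon Name must be unique in the enterprise: refuse to create a duplicate.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Logon)'") {
        Write-Warning "$($u.Logon) already exists; skipping"
        continue
    }

    $params = @{
        Name                  = "$($u.First) $($u.Last)"      # Full Name, unique within the OU
        GivenName             = $u.First                      # First Name
        Surname               = $u.Last                       # Last Name
        SamAccountName        = $u.Logon                      # User Logon Name (Pre-Windows 2000)
        UserPrincipalName     = "$($u.Logon)@domain.com"      # UPN = logon name + domain
        Path                  = $ouPath
        ChangePasswordAtLogon = $u.MustChange                 # User Must Change Password At Next Logon
        CannotChangePassword  = -not $u.MustChange            # User Cannot Change Password
        PasswordNeverExpires  = $false                        # Password Never Expires
        Enabled               = $false                        # Account Disabled until a password exists
    }
    if ($u.Password) {
        $params['AccountPassword'] = ConvertTo-SecureString $u.Password -AsPlainText -Force
        $params['Enabled'] = $true   # an account can only be enabled once it has a password
    }
    New-ADUser @params
}
```

Two things differ from the GUI walk-through: an account created without a password stays disabled until one is set, and the blank and five-character passwords used in the practice do not satisfy the default domain password policy of a current domain, so on a real domain New-ADUser will reject them unless the policy is relaxed for the lab.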

The tabs in the Properties dialog box for a user contain information about each user account. When the Advanced Features for the Active Directory Users and Computers snap-in are active, the tabs are General, Address, Account, Profile, Telephones, Organization, Published Certificates, Member Of, Dial-In, Object, Security, Environment, Sessions, Remote Control, and Terminal Services Profile.

Right-click the user account, and then click Properties to open the Properties dialog box for a user account.

NOTE
To create a local user account on a computer, open Computer Management and select the Local Users And Groups tool in the System Tools group.

Moving Objects

In Active Directory directory services, you can easily move objects between OUs within your domain structure. Active Directory directory services simplify your job as an administrator by allowing you to move objects whenever organizational or administrative functions change. For example, when an employee moves from one department to another, it is much easier to move the user account than to delete it, re-create it, and make sure that all rights and permissions are correctly re-established.

When you move objects between OUs:

  • Permissions that are assigned directly to objects remain the same.
  • The objects inherit permissions from the new OU. Any permissions inherited from the previous OU will no longer affect the objects.
  • You can move multiple objects at the same time.

As with user accounts, you use the Active Directory Users and Computers tool to move any object. In the Active Directory Users And Computers window, right-click the object you want to move, and then click Move. In the Move dialog box, click the container that you want the object moved to, and then click OK.
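The three bullets above can be checked rather than taken on faith. The following is an added example, not the book's own procedure; it assumes the ActiveDirectory module (whose AD: drive lets Get-Acl read object security descriptors) and the practice names User1, domain.com and the Administration OU. It records the ACEs on a user before and after Move-ADObject and separates those inherited from the parent OU from those assigned directly to the object.

```powershell
# Added example: moving a user between OUs and observing what happens to its permissions.
# Assumptions (not from the book): ActiveDirectory module, user User1, target OU Administration.
Import-Module ActiveDirectory

function Get-ObjectAces {
    # Returns the ACEs on an AD object, split into those inherited from the parent
    # container and those assigned directly to the object.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [pscustomobject]@{
        Inherited = @($acl.Access | Where-Object { $_.IsInherited })
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    }
}

$user   = Get-ADUser -Identity 'User1'
$before = Get-ObjectAces -DistinguishedName $user.DistinguishedName

Move-ADObject -Identity $user.DistinguishedName -TargetPath 'OU=Administration,DC=domain,DC=com'

# Same object (same objectGUID and SID), new distinguished name.
$moved = Get-ADUser -Identity 'User1'
$after = Get-ObjectAces -DistinguishedName $moved.DistinguishedName

# Directly assigned ACEs travel with the object; inherited ACEs now come from Administration.
"Explicit ACEs before/after:  $($before.Explicit.Count) / $($after.Explicit.Count)"
"Inherited ACEs before/after: $($before.Inherited.Count) / $($after.Inherited.Count)"
Compare-Object -ReferenceObject $before.Inherited -DifferenceObject $after.Inherited `
    -Property IdentityReference, ActiveDirectoryRights
```

The Compare-Object output lists only the inherited entries that changed; the explicit list is expected to be identical before and after. This holds for moves within a domain, which is what the section describes; moving an object to another domain is a different operation that creates a new object.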

Locating Objects

In Active Directory directory services, you can also easily locate resources throughout the network, regardless of the physical location of the object. Use the Active Directory Users and Computers tool to locate groups in Active Directory directory services. Click Find on the Action menu in the Active Directory Users And Computers window to open the Find dialog box. The Find dialog box, shown in Figure 5.3, allows you to search Active Directory directory services to locate different types of objects. The search criteria that are available vary (as does the dialog box's title bar) depending on the type of object you selected in the Find list.


Figure 5.3 The Find dialog box

After a search successfully completes, the search results are displayed. You can then perform administrative functions on the objects that are listed. The functions that are available depend on the type of object you located. For example, if you searched for computer accounts, you can delete the computer account, disable or reset the computer account, move the computer account to another OU, or adjust the computer account's attributes.
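The Find dialog builds an LDAP query from the object type you pick and the criteria you enter. The following is an added example, not the book's, of the same searches issued from PowerShell; it assumes the ActiveDirectory module and the practice OU names. The filters use objectCategory rather than objectClass for the type, because in the schema a computer is also an objectClass=user, so a plain objectClass=user search would return computers as well.

```powershell
# Added example: Find-dialog style searches as LDAP filters, plus the follow-up actions
# the text lists for computer accounts. Assumes the ActiveDirectory module (not from the book).
Import-Module ActiveDirectory

# objectCategory is single-valued and indexed, and it keeps computer accounts out of
# a "user" search (computer objects are also objectClass=user in the schema).
$categoryFilters = @{
    user               = '(&(objectCategory=person)(objectClass=user))'
    computer           = '(objectCategory=computer)'
    group              = '(objectCategory=group)'
    organizationalUnit = '(objectCategory=organizationalUnit)'
}

function Find-DirectoryObjects {
    # Search a subtree for one type of object, like choosing a type in the Find list
    # and adding criteria on the Advanced tab.
    param(
        [ValidateSet('user', 'computer', 'group', 'organizationalUnit')][string]$ObjectType,
        [string]$Criteria = '',                                     # extra LDAP terms, e.g. '(description=*Production*)'
        [string]$SearchBase = (Get-ADDomain).DistinguishedName      # whole domain by default
    )
    $filter = "(&$($categoryFilters[$ObjectType])$Criteria)"
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties description, userAccountControl
}

# Users found by an attribute value (the reason the text asks for detailed attributes).
Find-DirectoryObjects -ObjectType user -Criteria '(description=*Production*)' |
    Select-Object Name, DistinguishedName

# Disabled computer accounts: bitwise AND on userAccountControl against ACCOUNTDISABLE (0x2).
$disabled = Find-DirectoryObjects -ObjectType computer -Criteria '(userAccountControl:1.2.840.113556.1.4.803:=2)'

# The operations the Find results offer for computers; -WhatIf reports the effect without applying it.
foreach ($c in $disabled) {
    Enable-ADAccount -Identity $c.DistinguishedName -WhatIf
    Move-ADObject -Identity $c.DistinguishedName -TargetPath 'OU=Administration,DC=domain,DC=com' -WhatIf
}
```

Remove -WhatIf once the result set is what you expect; the same pattern with Disable-ADAccount or Remove-ADComputer covers the other actions the text mentions.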

NOTE
Users can use Search, available on the Start menu, to find objects in Active Directory directory services. The Search commands in Windows Explorer and My Network Places can also be used to locate objects in Active Directory directory services.

Practice: Creating and Managing Domain User Accounts

In this practice, you will create user accounts based on information given in Exercise 1. After creating the user accounts you will modify the user account properties, specifically the logon hours properties, for one of the user accounts. You will test the user account you modified to verify that the logon restrictions you set up are working, and finally, you will move two of the user accounts from the OU in which they were created to another OU.

Exercise 1: Creating User Accounts

In this exercise, you will create four user accounts.

  • To create a domain user account
    1. In the console tree, right-click Production, point to New, and then click User.
    2. Notice that the New Object - User dialog box shows that the new user account is being created in the location domain.com/Production.

    3. Create the user account by typing User in the First Name box, One in the Last Name box, and User1 in the User Logon Name box.
    4. If you are on a network where there are multiple domains, in the box to the right of the User Logon Name box, select @domain.com.

    NOTE
    If you did not follow the naming convention suggested in this kit, select the appropriate domain name.

    1. Click Next to continue.
    2. In the Password and Confirm Password boxes, use the information in the following table to determine the password to type or whether you should leave these boxes blank (you are not assigning a password). Use the information in the table to determine how to set the password options as well.
    3. First name  Last name  User logon name  Password  Change password
       User        One        User1            Blank     Must
       User        Two        User2            Blank     Must
       User        Three      User3            User3     Must
       User        Four       User4            User4     Cannot

    4. After you have assigned the appropriate password options, click Next.
    5. Verify that the user account options are correct, and then click Finish.
    6. Notice that the user account that you just created now appears in the details pane of the Active Directory Users And Computers window.

    7. Repeat steps 1-7 to create User Two, User Three, and User Four in the Production OU. Add all four of these new user accounts to the Print Operators group.

    NOTE
    As you continue with the exercises in this chapter, you will be asked to log on to the domain controller as a user other than Administrator. To be able to log on to a domain controller, you will need to make the user account a member of a group that has a right to log on to domain controllers (for example, the Print Operators group). To add a user to the Print Operators group, click the Builtin node in the console pane, right-click Print Operators in the details pane, and click Properties. In the user's Properties dialog box, click the Members tab, click Add, select the user you want to add to the group, click Add, and then click OK twice.

Exercise 2: Modifying User Account Properties

In this exercise, you will configure the Logon Hours properties for one of the user accounts that you created in Exercise 1.

  • To modify user account properties
    1. In the Production OU, right-click User2, and then click Properties.
    2. Click the Account tab, and then click Logon Hours.

    NOTE
    A blue block indicates that the user is allowed to log on during that hour. A white block indicates that the user cannot log on.

      By default, when can a user log on?


    1. Restrict User2's logon hours, so that User2 can only log on from 6:00 PM until 6:00 AM.

    NOTE
    To restrict the user's logon hours, click the start time of the first period during which you want to prevent the user from logging on, and then drag the pointer to the end time for the period. A frame will outline the blocks for all of the selected hours. Click Logon Denied. The outlined area is now a white block, indicating that the user will not be permitted to log on during those hours.

    1. Click OK to close the Logon Hours For User Two dialog box.
    2. Click OK to close the User Two Properties dialog box, and then close the Active Directory Users And Computers window.
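What the Logon Hours grid edits is the logonHours attribute of the user object: 21 bytes, one bit per hour of the week, a set bit meaning logon is allowed, bit 0 of byte 0 being Sunday 00:00, and all hours expressed in UTC. The grid converts your local time to UTC for you; when the attribute is written directly, that conversion is your job, which is the usual source of "the restriction is off by a few hours" surprises. The following is an added example, not from the book, that builds the Exercise 2 restriction (6:00 PM to 6:00 AM) as a mask, writes it, and reads it back; it assumes the ActiveDirectory module, the practice user User2, and a UTC offset of -5 hours, all of which are assumptions.

```powershell
# Added example: encoding and decoding the logonHours attribute behind the Logon Hours grid.
# Assumptions (not from the book): ActiveDirectory module, user User2, local time = UTC-5.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Returns the 21-byte logonHours value that allows logon only from $StartHour
    # (inclusive) to $EndHour (exclusive) local time, every day of the week.
    # Layout: one bit per hour, bit set = allowed, bit 0 of byte 0 = Sunday 00:00 UTC.
    param(
        [int]$StartHour,            # e.g. 18 for 6:00 PM
        [int]$EndHour,              # e.g. 6 for 6:00 AM (window wraps past midnight)
        [int]$UtcOffsetHours = 0    # local offset from UTC, e.g. -5 for US Eastern standard time
    )
    $mask = New-Object byte[] 21
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = 0; $hour -lt 24; $hour++) {
            # Is this local day/hour inside the allowed window?
            $allowed = if ($StartHour -lt $EndHour) {
                ($hour -ge $StartHour) -and ($hour -lt $EndHour)
            } else {
                ($hour -ge $StartHour) -or ($hour -lt $EndHour)
            }
            if (-not $allowed) { continue }
            # Shift the local slot to the UTC slot (0..167) the attribute stores, wrapping the week.
            $slot = (($day * 24 + $hour - $UtcOffsetHours) % 168 + 168) % 168
            $byte = [int][math]::Floor($slot / 8)
            $mask[$byte] = $mask[$byte] -bor (1 -shl ($slot % 8))
        }
    }
    return ,$mask
}

function Test-LogonHourAllowed {
    # Decodes a logonHours value: is logon permitted at the given UTC day and hour?
    param([byte[]]$Mask, [int]$DayOfWeek, [int]$HourUtc)   # DayOfWeek: 0 = Sunday
    $slot = $DayOfWeek * 24 + $HourUtc
    $byte = [int][math]::Floor($slot / 8)
    return (($Mask[$byte] -shr ($slot % 8)) -band 1) -eq 1
}

# Exercise 2 restriction: allow 6:00 PM to 6:00 AM local time.
$mask = New-LogonHoursMask -StartHour 18 -EndHour 6 -UtcOffsetHours -5
Set-ADUser -Identity 'User2' -Replace @{ logonHours = $mask }

# Read the value back and spot-check two hours.
$stored = (Get-ADUser -Identity 'User2' -Properties logonHours).logonHours
Test-LogonHourAllowed -Mask $stored -DayOfWeek 1 -HourUtc 6    # Monday 06:00 UTC = 1:00 AM local: True
Test-LogonHourAllowed -Mask $stored -DayOfWeek 1 -HourUtc 18   # Monday 18:00 UTC = 1:00 PM local: False
```

Before relying on a mask written this way, open the Logon Hours grid for the user and confirm it shows the hours you intended; that confirms both the bit layout and the offset you assumed. Daylight saving time changes the offset, so a fixed value is only correct for part of the year, which is another reason to verify against the grid.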

Exercise 3: Testing the User Account

In this exercise, you will log on using User One, for which you will need to change the password, and then you will log on using User Two, for which you modified the logon hours in Exercise 2, to test the effects of the account settings.

  • To test changing a password at logon
    1. Log off the Administrator account by clicking Start, clicking Shut Down, and selecting Log Off Administrator in the drop-down list. Then click OK.
    2. When the Welcome To Windows box appears, press CTRL+ALT+DELETE.
    3. Select the contents in the User Name box, and attempt to log on as User1 with no password.
    4. Windows 2000 displays a Logon Message message box, indicating that you must change your password.

    NOTE
    If Windows 2000 displays a message that the local policy of your system does not permit you to interactively log on User1 to your server, log on as Administrator, add your User1 account to the Print Operators group, log off as Administrator, and then log on as User1 again.

    1. Click OK.
    2. The Change Password dialog box appears.

    3. In the Change Password dialog box, in the New Password and Confirm New Password boxes, type User1 and then click OK.
    4. Windows 2000 displays the Change Password message box indicating that your password was changed.

    5. Click OK to close the Change Password message box.
    6. Were you able to successfully log on as User1? Why or why not?

    7. Log off the User One account, and repeat steps 2 - 6 for User Two; use User2 as the new password.

    NOTE
    If Windows 2000 displays a message that the local policy of your system does not permit you to interactively log on User2 to your server, log on as Administrator, add your User2 account to the Print Operators group, log off as Administrator, and then log on as User2 again.

      Were you able to successfully log on as User Two? Why or why not?

    NOTE
    If you are doing the lab between the hours of 6:00 AM and 6:00 PM, you can use the Date/Time icon in Control Panel to change your system clock to verify that the logon settings are working. If you do change your system time, remember to set the correct time after you complete your test.


Exercise 4: Moving a User Account from One OU to Another OU

User One and User Three have been transferred from Production to Administration. In this exercise, you will move the user objects for User One and User Three to reflect the transfer.

  • To move a user account
    1. Log on as Administrator, and open Active Directory Users And Computers from the Start menu.
    2. In the Production OU, select both User One and User Three, right-click, and then click Move.
    3. In the Move dialog box, expand your domain, click Administration, and then click OK.
    4. Notice that the user accounts that you moved no longer appear in the Production OU.

    5. To verify that the user accounts were moved to the correct location, in the console tree, click Administration.
    6. Notice that the user objects for User One and User Three are now located in the Administration OU.

    7. Close the Active Directory Users And Computers window.
    8. Log off.

Creating Computer Accounts

Computer accounts are similar to user accounts in that they can be used to authenticate and audit the computer, as well as to assign permissions to gain access to network resources.

Since all domain controllers in a Windows 2000 domain are peers, you can use the Active Directory Users and Computers tool on any available domain controller to create a new computer account. After you create the account, Active Directory directory services replicate it to all other domain controllers in the domain.

When you create the computer account, select the container in which to create it. You can create computer accounts at the domain level, but doing so limits your delegation options and increases the complexity of managing your network. To create a computer account, you also use the Active Directory Users and Computers tool. Right-click the container in which you want to create the computer account, point to New, and then click Computer. Type in the name of the computer.

NOTE
The computer name must be unique within the enterprise.

For added security, you might want to change the selection in the User Or Group box. You can enter any user or group to join a computer to a domain. During the process of joining the computer to the domain, a dialog box appears that prompts you for an account that has the right to join the computer to the domain. The person who joins the computer to the domain must enter a user name and password that matches the value you designate in this box. As with user accounts, each computer account that you create is associated with a set of default attributes. You can use the attributes that you define for a computer account to search for a computer in Active Directory directory services. For this reason, you should provide detailed attribute definitions for each computer account that you create.

Lesson Summary

You use objects, user accounts, and computer accounts to represent users and computers so that you can control network access and manage the use of network resources. To add a user or a computer account to an OU, you must have the permission to add new objects to the OU. By default, members of the Administrators group have permission to add objects anywhere in the domain. User accounts are employed to authenticate the user, as well as to assign permissions to gain access to network resources. You can use the Active Directory Users and Computers tool on any available domain controller to create a new user account. After you create the account, it is replicated to all other domain controllers in the domain.
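The note above says the computer name must be unique in the enterprise, not just in the domain, so a check against the domain alone is not enough in a multi-domain forest. The following is an added example, not the book's procedure, that pre-stages a computer account in an OU after checking the name against a global catalog, which holds every domain in the forest; it assumes the ActiveDirectory module, the practice OU Production, and a constructed computer name WKS-PRD-01, all assumptions.

```powershell
# Added example: pre-staging a computer account with a forest-wide name check.
# Assumptions (not from the book): ActiveDirectory module, OU=Production in domain.com,
# and the constructed computer name WKS-PRD-01.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [string]$Name,            # computer name; the NOTE requires it to be unique in the enterprise
        [string]$OUPath,          # DN of the container, e.g. OU=Production,DC=domain,DC=com
        [string]$Description = ''
    )
    # Query a global catalog (port 3268) so the search covers every domain in the forest,
    # not only the domain this session is connected to.
    $gc = "$((Get-ADForest).RootDomain):3268"
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -Server $gc
    if ($existing) {
        throw "A computer named $Name already exists at $($existing.DistinguishedName)"
    }

    # New-ADComputer sets the pre-Windows 2000 name to NAME$ itself; the description
    # is one of the attributes you can later search on.
    New-ADComputer -Name $Name -Path $OUPath -Description $Description -Enabled $true -PassThru
}

$pc = New-PrestagedComputer -Name 'WKS-PRD-01' -OUPath 'OU=Production,DC=domain,DC=com' `
                            -Description 'Production floor workstation (constructed example)'
Get-ADComputer -Identity $pc -Properties Description |
    Format-List Name, SamAccountName, DNSHostName, Description
```

The account created this way can be joined by any principal that holds the join right on the OU; the User Or Group selection the text describes corresponds to granting that specific principal rights on the computer object, which is done through the object's security settings rather than through New-ADComputer.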