Active Directory 2008 : Supporting User Objects and Accounts (part 3) - Administering User Accounts

8/7/2013 6:26:51 PM

5. Administering User Accounts

The primary purpose of user objects in Active Directory is to support authentication of a human being or a service. Accounts are provisioned, administered, and, eventually, deprovisioned. The most common administrative tasks related to existing user accounts are resetting a password; unlocking an account; and disabling, enabling, deleting, moving, and renaming user objects.

The following sections examine each of these tasks and how they can be performed using the Windows interface, Windows PowerShell, or Command Prompt. Each of these tasks requires you to have appropriate permissions to the user objects. 

Resetting a User’s Password

If the user forgets his or her password and attempts to log on, he or she will receive a logon message, as shown in Figure 4.

Figure 4. A logon message notifying a user that the user name or password is invalid

Before the user can log on successfully, you will have to reset that password. You do not need to know the user’s old password to do so.

To reset a user’s password in the Active Directory Users And Computers snap-in:

  1. Right-click the user object, and then click Reset Password.

  2. In the Reset Password dialog box, shown in Figure 5, enter the new password in both the New Password and Confirm Password boxes.

    It is a best practice to assign a temporary, unique, strong password for the user.

    Figure 5. The Reset Password dialog box

  3. Select the User Must Change Password At Next Logon check box.

    It is a best practice to force the user to change the password at the next logon, so that the user ends up with a password known only by the user.

  4. Click OK.

  5. Communicate the temporary password to the user in a secure manner.

You can also use the DSMod command to reset a user’s password and, optionally, force the user to change that password at the next logon. Type the following command:

dsmod user UserDN -pwd NewPassword -mustchpwd yes

where UserDN is the distinguished name (DN) of the user object and NewPassword is the new password. The -mustchpwd yes parameter forces the user to change the password at the next logon.


Unlocking an Account

An Active Directory domain supports account lockout policies. A lockout policy is designed to prevent an intruder from attempting to penetrate the enterprise network by logging on repeatedly with various passwords until he or she finds a correct password. When a user attempts to log on with an incorrect password, a logon failure is generated. When too many logon failures occur within a specified period of time, defined by the lockout policy, the account is locked out. The next time the user attempts to log on, a notification clearly states the account lockout. 

Note

WATCH FOR DRIVES MAPPED WITH ALTERNATE CREDENTIALS

A common cause of account lockout is a drive mapped with alternate credentials. If the alternate credentials’ password is changed, and the Windows client attempts repeatedly to connect to the drive, the account whose credentials were used to map the drive will be locked out.

Your lockout policy can define a period of time after which a locked-out account is automatically unlocked. But when a user is trying to log on and discovers that he or she is locked out, it is likely he or she will contact the help desk for support.

To unlock a user account in the Active Directory Users And Computers snap-in:

  1. Right-click the user object, and then click Properties.

  2. Click the Account tab.

  3. Select the Unlock Account check box.

Windows Server 2008 R2 also includes the option to unlock a user’s account when you choose the Reset Password command.

To unlock a user account while resetting the user’s password:

  • In the Reset Password dialog box, select the Unlock The User’s Account check box.

This method is particularly handy when a user’s account has become locked out because the user did, in fact, forget the password. You can now assign a new password, specify that the user must change the password at next logon, and unlock the user’s account in one dialog box.

Use the Unlock-ADAccount cmdlet to unlock an account by using Windows PowerShell. The DS commands do not provide a method to unlock an account.
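The password reset and the unlock described in the two sections above can be done together from Windows PowerShell. The following is an added example, not code from the original text; it assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2), and the function names and the 16-character temporary password are choices made here.

```powershell
# Added example (not from the original text): reset a password, force a change at next logon
# and unlock the account in one operation, then read the account back to verify the result.
# Assumes the Active Directory module for Windows PowerShell; function names are hypothetical.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # One character from each class satisfies a typical complexity policy; the rest is drawn
    # from the full set. Ambiguous characters (0/O, 1/l/I) are left out to ease phone handover.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghjkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $all     = -join $classes
    $chars   = foreach ($c in $classes) { $c[(Get-Random -Maximum $c.Length)] }
    $chars  += 1..($Length - $classes.Count) | ForEach-Object { $all[(Get-Random -Maximum $all.Length)] }
    -join ($chars | Sort-Object { Get-Random })   # shuffle so the class order is not predictable
}

function Reset-UserPasswordAndUnlock {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,   # sAMAccountName, DN, GUID or SID
        [string]$NewPassword = (New-TemporaryPassword)
    )
    $secure = ConvertTo-SecureString $NewPassword -AsPlainText -Force

    # -Reset is the equivalent of the Reset Password command: the old password is not needed.
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    # Equivalent of the User Must Change Password At Next Logon check box (sets pwdLastSet to 0).
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    # Equivalent of the Unlock The User's Account check box; the DS commands cannot do this.
    Unlock-ADAccount -Identity $Identity

    # Read the account back so the help-desk record reflects what actually happened.
    $u = Get-ADUser -Identity $Identity -Properties LockedOut, PasswordLastSet, Enabled
    New-Object PSObject -Property @{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        LockedOut         = $u.LockedOut         # $false once the unlock has taken effect
        PasswordLastSet   = $u.PasswordLastSet   # $null while a change at next logon is pending
        TemporaryPassword = $NewPassword         # communicate out of band; do not log or e-mail it
    }
}

# Usage (hypothetical account name):
# Reset-UserPasswordAndUnlock -Identity 'tony.krijnen'
```

The returned object carries the temporary password, so display it to the help-desk operator rather than piping it to a log file.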

Disabling and Enabling a User Account

User accounts are security principals—identities that can be given access to network resources. Because each user is a member of Domain Users and of the Authenticated Users special identity, each user account has at least read access to a vast amount of information in Active Directory and on your file systems unless you have been unusually rigorous and successful at locking down access control lists (ACLs).

Therefore, it is important not to leave user accounts open. You should configure password policies and auditing, and establish procedures to ensure that accounts are being used appropriately. If a user account is provisioned before it is needed, or if an employee will be absent for an extended period of time, disable the account.

To disable an account in the Active Directory Users And Computers snap-in, right-click a user and choose Disable. If an account is already disabled, the Enable Account command will appear when you right-click the user.

From the command line, you can use the DSMod command, as in the following example:

dsmod user UserDN -disabled yes

Enabling an account is just a matter of changing yes to no for the DSMod command:

dsmod user UserDN -disabled no

In each command, UserDN is the distinguished name (DN) of the user object, and the -disabled {yes|no} parameter disables or enables the account.


Deleting a User Account

When an account is no longer necessary, you can delete it from your directory.

To delete a user account in Active Directory Users And Computers, perform the following steps:

  1. Select the user and press Delete, or right-click the user and then choose Delete.

    You are prompted to confirm your choice because of the significant implications of deleting a security principal.

  2. Confirm the prompt.

You can delete objects from Active Directory by using the DSRm command, another of the DS commands. DSRm uses a simple syntax:

dsrm UserDN

where UserDN is the distinguished name (DN) of the user object. Notice that, unlike other DS commands, DSRm is not followed by the User object class keyword.

Use the Remove-ADUser cmdlet to delete a user in Windows PowerShell.

It is critical to consider that once the account has been deleted, it is eventually purged entirely from the directory. You cannot simply re-create a new account with the same name as a deleted account and hope it has the same group memberships and access to resources; it will not. The loss of the user’s SID and group memberships can cause significant problems if you later realize you need the account.

Therefore, many organizations choose to decommission a user account in stages. First, the account is disabled. After a period of time, it is deleted. Active Directory actually maintains a subset of the account’s properties—most notably its SID—for a period of time called the tombstone lifetime, which is 180 days by default. After that time, the account’s record is removed from the directory. 

You can also consider recycling a user account. If a user leaves your organization, you may eventually hire a replacement who will need very similar resource access, group memberships, and user rights as the previous user. You can disable the account until a replacement is found, then rename the account to match the new user’s name. The previous user’s SID, group memberships, and resource access are thereby transferred to the replacement. Alternately, you can use the previous user’s account as a template and create a copy of the account for the new user. 

Moving a User Account

To move a user object in the Active Directory Users And Computers snap-in:

  1. Right-click the user, and then click Move.

  2. Click the folder to which you want to move the user account, and then click OK.

Alternately, you can:

  • Drag the user object and drop it onto the destination OU.

To move a user with a command-line tool, use DSMove. DSMove uses the following syntax:

dsmove UserDN -newparent TargetOUDN

DSMove does not specify the User object class keyword. Instead, it simply indicates the DN of the user to move and, in the TargetOUDN placeholder, the distinguished name of the OU to which the user will be moved.

Consider that when you move a user, you might change the Group Policy objects (GPOs) that apply to that user. GPOs .

You can use the DSMove command with the -newname parameter to change the common name (CN) of the object.

In Windows PowerShell, you can use the Move-ADObject or Move-Item cmdlets to move a user to another OU.
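The staged decommissioning recommended in the Deleting a User Account section, together with the move described above, can be scripted as follows. This is an added example, not code from the original text; it assumes the Active Directory module for Windows PowerShell, and the holding OU, record directory, 90-day retention period and description tag are choices made here.

```powershell
# Added example (not from the original text): decommission a user in stages. Stage 1 disables
# the account, records its SID and group memberships, and moves it to a holding OU; stage 2
# deletes only accounts that have waited out the retention period.
# Assumes the Active Directory module; OU, path, tag and retention are hypothetical choices.
Import-Module ActiveDirectory

$HoldingOU = 'OU=Disabled Users,DC=contoso,DC=com'   # hypothetical holding OU
$RecordDir = 'C:\DecommissionRecords'                # hypothetical record location
$Tag       = 'DECOMMISSIONED:'                       # marker written into the description

function Start-UserDecommission {
    param([Parameter(Mandatory=$true)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties Description, MemberOf

    # Stage 1a: disable, so the account can no longer authenticate.
    Disable-ADAccount -Identity $u

    # Stage 1b: keep the SID and memberships on file. A recreated account with the same name
    # gets a new SID and none of this access, so this record is what lets you rebuild it.
    $record = New-Object PSObject -Property @{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        SID               = $u.SID.Value
        MemberOf          = @($u.MemberOf)
        DisabledOn        = (Get-Date).ToString('s')
    }
    if (-not (Test-Path $RecordDir)) { New-Item -ItemType Directory -Path $RecordDir | Out-Null }
    $record | Export-Clixml -Path (Join-Path $RecordDir "$($u.SamAccountName).xml")

    # Stage 1c: stamp the date into the description and move the object out of the production OU.
    # Moving changes which GPOs apply, which is acceptable for an account nobody can use.
    Set-ADUser -Identity $u -Description "$Tag $((Get-Date).ToString('yyyy-MM-dd')) $($u.Description)"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $HoldingOU
}

function Complete-UserDecommission {
    # SupportsShouldProcess lets -WhatIf flow through to Remove-ADUser for a dry run.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([int]$RetentionDays = 90)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -Filter { Enabled -eq $false } -SearchBase $HoldingOU -Properties Description |
        ForEach-Object {
            if ($_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})") {
                $disabledOn = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $cutoff) {
                    # Stage 2: past retention, delete. AD keeps the tombstone (SID included)
                    # only for the tombstone lifetime, so the XML record is the durable copy.
                    Remove-ADUser -Identity $_ -Confirm:$false
                }
            }
        }
}

# Usage (hypothetical account): Start-UserDecommission -Identity 'jeff.ford'
# Later, review first with: Complete-UserDecommission -RetentionDays 90 -WhatIf
```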

Practice Supporting User Objects and Accounts

In this practice, you perform procedures that reflect common tasks required to support users in an enterprise environment. To perform the exercises in this practice, you should have performed the practices in Lessons 1 and 2 so that the following user objects exist in the User Accounts OU:

  • April Stewart

  • Jeff Ford

  • Mike Fitzmaurice

  • Tony Krijnen

EXERCISE 1 View All Attributes of a User

In this exercise, you explore the Attribute Editor and use it to reveal and modify user attributes that are not visible in the Active Directory Users And Computers snap-in.

  1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

  2. In the User Accounts OU, right-click Tony Krijnen and choose Properties.

  3. Examine the tabs of the Properties dialog box.

    What attributes are visible? Do you see any that you have not seen before? Do you see any attributes that, if configured, can provide useful information to your enterprise?

  4. Click the Telephones tab and enter information into the Notes field. Click OK.

  5. Click the View menu and select Advanced Features.

  6. Open the properties of Tony Krijnen again and click the Attribute Editor tab.

  7. Scroll to locate the info attribute.

    What do you see there?

  8. Locate the division attribute, double-click it, type Subsidiary, and then click OK.

  9. Locate the employeeID attribute, double-click it, type 104839, and then click OK.

  10. Examine other attributes that are visible in the Attribute Editor.

    What attributes do you see that are not visible in the Active Directory Users And Computers snap-in? Can any of the hidden attributes, if configured, provide useful information to your enterprise?

  11. Click OK to close the Properties dialog box.

EXERCISE 2 Manage Attributes of Multiple Objects

In this exercise, you select multiple objects and configure properties of the objects.

  1. In the User Accounts OU, select April Stewart.

  2. Hold the Ctrl key and select Jeff Ford and Mike Fitzmaurice.

    You should have three users selected now.

  3. Right-click any of the selected users and choose Properties.

    A Properties dialog box appears with a subset of user properties that can be applied to multiple users simultaneously.

  4. On the General tab, select the Office check box and type Miami in the Office text box.

  5. Select the Description check box and type Salesperson in Miami in the Description text box.

  6. Click the Account tab.

    In this scenario, these three users work on weekdays. They are not allowed to log on during the weekend.

  7. Select the Logon Hours check box, and then click the Logon Hours button.

  8. Click Sunday and click the Logon Denied button.

  9. Click Saturday and click the Logon Denied button. Then click OK.

  10. On the Address tab, select the Street, City, State/Province, and ZIP/Postal Code check boxes. Enter fictitious address information in these boxes.

  11. Click the Organization tab and configure the company name, Contoso, Ltd.

  12. Click OK.

  13. Open the user objects to confirm that the changes were applied.

EXERCISE 3 Manage User Attributes with DS Commands

In this scenario, three users are relocating from Miami to Sydney. They will be taking several weeks to perform the relocation. You will manage their accounts through the process.

  1. Open Active Directory Module For Windows PowerShell from the Administrative Tools program group.

    Windows PowerShell can launch executables just like Command Prompt.

  2. Spend some time considering how you could, with a single command, change the office attribute of the three users to Sydney and disable the accounts so that they cannot be used while the employees are away. In addition, you want to change the description attribute of the users to Salesperson in Sydney. What DS commands would you use?

  3. Type the following command as one line, and then press Enter:

    dsquery user -desc "*Miami*" | dsmod user -office "Sydney" -desc "Salesperson in Sydney" -disabled yes

    You might think that it would be more efficient to query for users in the Miami office, and then change the office to Sydney. Unfortunately, the DSQuery command does not support the office attribute. Therefore, you must use another attribute as the criterion for the query. In this scenario, the description attribute of a user includes an indication of the office in which the user works.

  4. In the Active Directory Users And Computers snap-in, open the user accounts to confirm that the changes were made.

  5. You need to make a record of the pre–Windows 2000 logon names and user principal names of the salespeople in Sydney. What DS commands could you enter to show you that information?

  6. Type the following command and press Enter:

    dsquery user -desc "*Sydney*" | dsget user -samid -upn

    The salespeople have arrived in Sydney. It is now time to enable their accounts.

  7. You want to use Windows PowerShell cmdlets to enable the accounts of users in the Sydney office. Use the Get-Help cmdlet to learn about the -Filter parameter of the Get-ADUser cmdlet. Review the material in Lesson 2 about how to use Set-ADUser to enable a user account. Try to identify the command needed to achieve the task. Then continue to the next step, which presents the solution.

  8. Type the following command and press Enter:

    Get-ADUser -Filter {office -eq "Sydney"} | Set-ADUser -enabled $true

  9. In the Active Directory Users And Computers snap-in, confirm that the three users’ accounts are once again enabled.

EXERCISE 4 Reset a Password and Unlock a User Account

While he was relocating from Miami to Sydney, David Jones forgot his password. After you enabled his account, he attempted to log on several times with an incorrect password, and then his account was locked. In this exercise, you reset David’s password and unlock his account.

  1. In the Active Directory Users And Computers snap-in, select the User Accounts OU.

  2. In the details pane, right-click David Jones’ account and choose Reset Password.

  3. Enter a new password for David in the New Password and Confirm Password boxes.

  4. Ensure that the User Must Change Password At Next Logon check box is selected.

  5. Select the Unlock The User’s Account check box, and then click OK.
