5. Understanding Logon Names and Passwords
Before you create a domain user account, you should think for a moment about
the new account's logon name and password. You identify all domain user
accounts with a logon name. This logon name can be (but doesn't have to
be) the same as the user's e-mail address. In Windows domains, logon
names have two parts:
For the user Williams whose account is created in adatum.com, the full logon name for Windows is [email protected].
User accounts can also have passwords and public certificates associated with them. Passwords are authentication strings for an account. Public certificates
combine a public and private key to identify a user. You log on with a
password by typing the password. You log on with a public certificate
by using a smart card and a smart card reader.
Although Windows displays user names to describe privileges and permissions, the key identifiers for accounts are security identifiers (SIDs). SIDs
are unique identifiers that Windows generates when you create accounts.
SIDs consist of the domain's security ID prefix and a unique relative
ID. Windows uses these identifiers to track accounts independently from
user names. SIDs serve many purposes; the two most important are to
allow you to easily change user names and to allow you to delete
accounts without worrying that someone could gain access to resources
simply by re-creating an account with the same user name.
When you change a user name, you tell Windows to map a particular
SID to a new name. When you delete an account, you tell Windows that a
particular SID is no longer valid. Afterward, even if you create an
account with the same user name, the new account won't have the same
privileges and permissions as the previous one because the new account
will have a new SID.
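The SID behaviour described above is easy to confirm and to audit from the Exchange Management Shell or any Windows PowerShell prompt. The following script is an added example, not code from the book: it resolves an account name to its SID, reports access control entries on a folder whose SID no longer maps to any account (the residue of a deleted account), and compares current SIDs against a baseline so that an account that was deleted and re-created under the same name shows up as a changed SID. The domain, account names, folder path and baseline values are assumptions.

```powershell
# Added example (not from the book). Names, paths and SIDs below are constructed
# placeholders; replace them with values from your own domain.

function Get-AccountSid {
    # Resolve "DOMAIN\name" to its SID. Translate() throws
    # IdentityNotMappedException when no such account exists.
    param([Parameter(Mandatory)][string]$AccountName)
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Find-OrphanedAce {
    # List ACEs on a folder whose principal Windows can no longer map to a name.
    # Get-Acl returns unmappable principals as raw SecurityIdentifier objects
    # (displayed as S-1-5-21-...), which is what an ACE left behind by a deleted
    # account looks like. Note: a temporarily unreachable domain controller
    # produces the same symptom, so confirm before cleaning up.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            try {
                $null = $id.Translate([System.Security.Principal.NTAccount])
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path   = $Path
                    Sid    = $id.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

function Test-SidDrift {
    # Compare a previously recorded name -> SID map with what the domain
    # resolves now. A different SID for the same name means the original
    # account was deleted and a new one created with the same user name.
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        try   { $current = Get-AccountSid -AccountName $name }
        catch { $current = '(account not found)' }
        if ($current -ne $Baseline[$name]) {
            [pscustomobject]@{ Account = $name; Expected = $Baseline[$name]; Actual = $current }
        }
    }
}

# Usage (constructed placeholder values):
# Get-AccountSid -AccountName 'ADATUM\williams'
# Find-OrphanedAce -Path 'C:\Shares\Marketing' | Format-Table -AutoSize
# $baseline = @{ 'ADATUM\williams' = 'S-1-5-21-PLACEHOLDER-1104' }
# Test-SidDrift -Baseline $baseline
```

Recording the SIDs of privileged accounts once and re-running Test-SidDrift on a schedule is a cheap way to notice that an account was recreated rather than renamed; Find-OrphanedAce finds the permission entries that a deleted account leaves behind and that no new account can inherit.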
5.1 Creating Mail-Enabled User Accounts
Mail-enabled users are defined as custom recipients in Exchange
Server. They have an Exchange alias and an external e-mail address, but
they do not have an Exchange mailbox. All e-mail messages sent to a
mail-enabled user are forwarded to the remote e-mail address associated
with the account.
In the Exchange Management Console, mail-enabled users are listed as
such in the Recipient Configuration node and in the Mail Contact node.
You can manage mail-enabled users through the Exchange Management
Console and the Exchange Management Shell.
In the Exchange Management Console, you can create a new mail-enabled user by completing the following steps:
- In the Exchange Management Console, expand and then select the Recipient Configuration node.
  Note
  If you want to create the user account in a domain other than the current one, you first need to set the scope for the Recipient Configuration node.
- Right-click the Recipient Configuration node, and then select New Mail User. This starts the New Mail User Wizard.
- Click Next to accept the default selections on the Introduction page (to create a mail user).
- On the User Information page, shown in Figure 5, the Organizational Unit text box shows where in Active Directory the user account will be created. By default, this is the Users container in the current domain. Because you'll usually need to create new user accounts in a specific organizational unit rather than in the Users container, select the Specify The Organizational Unit check box, and then click Browse. In the Select Organizational Unit dialog box, choose the location in which to store the account and then click OK.
- Type the user's first name, middle initial, and last name in the text boxes provided. These values are used to create the Name entry, which is the user's display name.
- As necessary, make changes to the Name text box. For example, you might want to type the name in LastName FirstName MiddleInitial format or in FirstName MiddleInitial LastName format. The name must be no more than 64 characters in length.
- In the User Logon Name text box, type the user's logon name. Use the drop-down list to select the domain with which you want to associate the account. This sets the fully qualified logon name.
- The first 20 characters of the logon name are used to set the pre–Windows 2000 logon name, which must be unique in the domain. If necessary, change the pre–Windows 2000 logon name.
- Type and then confirm the password for the account. This password must follow the conventions of your organization's password policy. Typically, this means that the password must be at least six characters in length and must use three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
- If you want to ensure that the user changes the password at next logon, select the User Must Change Password At Next Logon check box. Click Next. As shown in Figure 6, the Exchange alias is set to the user's logon name by default. You can change this value by entering a new alias. The Exchange Management Console uses the alias to set the user's e-mail address.
- To the right of the External E-Mail Address text box is an Edit button. Click the down arrow next to the Edit button to display two options:
  - SMTP Address: Select SMTP Address to associate a standard SMTP e-mail address with the user. Enter the e-mail address, and then click OK.
  - Custom Address: Click Custom Address to associate a custom e-mail address with the user. Enter the e-mail address, and then enter the e-mail address type. Click OK.
- Click Next, and then click New. The Exchange Management Console creates the new user and mail-enables it. If an error occurs, the user will not be created. You will need to correct the problem and repeat this procedure. Click Finish.
You can list all mail-enabled users by typing get-mailuser
at the Exchange Management Shell prompt. Example 1 provides the full syntax and usage for Get-MailUser.
Example 1. Get-MailUser cmdlet syntax and usage
Syntax
Get-MailUser [-Identity Identifier | -Anr Name] [-Credential Credential]
[-DomainController FullyQualifiedName] [-Filter FilterString]
[-IgnoreDefaultScope {$true | $false}] [-Organization OrgName]
[-OrganizationalUnit OUName] [-ReadFromDomainController {$true | $false}]
[-ResultSize Size] [-SortBy Value]
Usage
Get-MailUser -Identity "aaronl" | fl
Get-MailUser -OrganizationalUnit "marketing" | fl
Note
By default, Get-MailUser
lists the name and recipient type for matches. In the example, fl is an
alias for Format-List and is used to get detailed information about
matching entries.
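Because every message sent to a mail-enabled user is forwarded to the external address on the account, the set of external addresses is worth reviewing periodically. The following script is an added example, not code from the book: it uses Get-MailUser to list every mail-enabled user whose external address is outside an approved set of domains, and flags addresses of a custom (non-SMTP) type separately. The approved domain list and the organizational unit name are assumptions.

```powershell
# Added example (not from the book). The approved domains are constructed
# placeholders; replace them with the partner domains your organization expects.

function Get-UnapprovedMailUser {
    param(
        [string[]]$ApprovedDomains = @('adatum.com', 'contoso.com'),  # assumed list
        [string]$OrganizationalUnit                                     # optional scope
    )

    # -ResultSize Unlimited overrides the default cap on returned objects.
    $params = @{ ResultSize = 'Unlimited' }
    if ($OrganizationalUnit) { $params['OrganizationalUnit'] = $OrganizationalUnit }

    Get-MailUser @params | ForEach-Object {
        # ExternalEmailAddress is a proxy address such as "SMTP:user@example.com";
        # strip the type prefix before looking at the domain part.
        $raw     = $_.ExternalEmailAddress.ToString()
        $address = $raw -replace '^[^:]+:', ''

        if ($address -notmatch '@') {
            # Custom address types (see the Custom Address option above) carry no
            # '@' domain; report them for manual review rather than guessing.
            $domain = '(non-SMTP address)'
        }
        else {
            $domain = ($address -split '@')[-1].ToLowerInvariant()
        }

        if ($ApprovedDomains -notcontains $domain) {
            [pscustomobject]@{
                Name     = $_.Name
                Alias    = $_.Alias
                External = $raw
                Domain   = $domain
            }
        }
    }
}

# Usage:
# Get-UnapprovedMailUser | Format-Table -AutoSize
# Get-UnapprovedMailUser -OrganizationalUnit 'marketing' |
#     Export-Csv -Path .\mailuser-review.csv -NoTypeInformation
```

Exporting the result to CSV gives a record that can be compared with the previous run, so that a newly added external address stands out rather than being lost in the full list.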
You can create a new mail-enabled user account using the New-MailUser cmdlet. Example 2 shows the syntax and usage. When prompted, provide a secure password for the user account.
Note
The syntax and usage are entered on multiple lines for ease of
reference. You must enter the command-line values for a cmdlet on a
single line.
Example 2. New-MailUser cmdlet syntax and usage
Syntax
New-MailUser -Name DisplayName -ExternalEmailAddress EmailAddress {AddtlParams1}
New-MailUser -Name DisplayName -ExternalEmailAddress EmailAddress -Password Password
-UserPrincipalName UserNameAndSuffix {AddtlParams1}
New-MailUser -Name DisplayName -FederatedIdentity FederatedId -WindowsLiveID WindowsLiveId
{AddtlParams2}
New-MailUser -Name DisplayName -Password Password -WindowsLiveID WindowsLiveId
[-EvictLiveId {$true | $false}] {AddtlParams2}
New-MailUser -Name DisplayName -WindowsLiveID WindowsLiveId -UseExistingLiveId {$true | $false}
{AddtlParams2}
{AddtlParams1}
[-Alias ExchangeAlias] [-ArbitrationMailbox ModeratorMailbox] [-DisplayName Name]
[-DomainController FullyQualifiedName] [-FirstName FirstName] [-Initials Initials]
[-LastName LastName] [-MacAttachmentFormat <BinHex | UuEncode | AppleSingle | AppleDouble>]
[-MessageBodyFormat <Text | Html | TextAndHtml>] [-MessageFormat <Text | Mime>]
[-ModeratedBy Moderators] [-ModerationEnabled <$true | $false>] [-Organization OrgName]
[-OrganizationalUnit OUName] [-PrimarySmtpAddress SmtpAddress]
[-ResetPasswordOnNextLogon <$true | $false>] [-SamAccountName PreWin2000Name]
[-SendModerationNotifications <Never | Internal | Always>]
[-UsePreferMessageFormat <$true | $false>]
{AddtlParams2}
[-Alias ExchangeAlias] [-ArbitrationMailbox ModeratorMailbox] [-DisplayName Name]
[-DomainController FullyQualifiedName] [-FirstName FirstName] [-Initials Initials]
[-LastName LastName] [-ModeratedBy Moderators] [-ModerationEnabled <$true | $false>]
[-Organization OrgName] [-OrganizationalUnit OUName] [-PrimarySmtpAddress SmtpAddress]
[-RemotePowerShellEnabled <$true | $false>] [-ResetPasswordOnNextLogon <$true | $false>]
[-SamAccountName PreWin2000Name] [-SendModerationNotifications <Never | Internal | Always>]
Usage
New-MailUser -Name "Frank Miller" -Alias "Frankm"
-OrganizationalUnit "cpandl.com/Technology"
-UserPrincipalName "[email protected]" -SamAccountName "Frankm"
-FirstName "Frank" -Initials "" -LastName "Miller"
-ResetPasswordOnNextLogon $false
-ExternalEmailAddress "SMTP:[email protected]"
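The wizard steps and Example 2 together fix several limits that are easy to violate from a script: the display name may be at most 64 characters, the pre–Windows 2000 logon name (SamAccountName) at most 20, and the initial password must satisfy the organization's policy. The following script is an added example, not code from the book or the Exchange product: it wraps New-MailUser with those checks, reads the password as a SecureString so it never appears on the command line or in shell history, and forces a password change at first logon. The UPN suffix, organizational unit path and the six-characters/three-classes policy threshold are assumptions taken from the chapter's description of a typical policy; adjust them to your own policy.

```powershell
# Added example (not from the book). The UPN suffix and OU are constructed
# placeholders; the complexity rule mirrors the typical policy described above.

function Test-PasswordComplexity {
    # Typical policy from the chapter: at least six characters and three of the
    # four classes (lowercase, uppercase, digit, symbol). -cmatch is case-sensitive.
    param([Parameter(Mandatory)][string]$Plain)
    if ($Plain.Length -lt 6) { return $false }
    $classes = 0
    if ($Plain -cmatch '[a-z]')        { $classes++ }
    if ($Plain -cmatch '[A-Z]')        { $classes++ }
    if ($Plain -match  '\d')           { $classes++ }
    if ($Plain -match  '[^a-zA-Z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function New-CheckedMailUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$LogonName,            # used as alias, SamAccountName and UPN prefix
        [Parameter(Mandatory)][string]$ExternalEmailAddress, # plain SMTP address, e.g. user@partner.example
        [string]$UpnSuffix          = 'cpandl.com',            # assumed
        [string]$OrganizationalUnit = 'cpandl.com/Technology'  # assumed
    )

    $name = "$FirstName $LastName"
    if ($name.Length -gt 64) {
        throw "Display name exceeds 64 characters: '$name'"
    }
    if ($LogonName.Length -gt 20) {
        throw "Logon name '$LogonName' exceeds the 20-character pre-Windows 2000 limit"
    }
    if ($ExternalEmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "External address '$ExternalEmailAddress' is not a plain SMTP address"
    }

    # Read the password as a SecureString, then briefly decode it only to check
    # the policy, zeroing the unmanaged copy afterwards.
    $secure = Read-Host -Prompt "Initial password for $LogonName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        if (-not (Test-PasswordComplexity -Plain $plain)) {
            throw "Password does not meet the complexity policy"
        }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    New-MailUser -Name $name -Alias $LogonName -SamAccountName $LogonName `
        -FirstName $FirstName -LastName $LastName `
        -OrganizationalUnit $OrganizationalUnit `
        -UserPrincipalName "$LogonName@$UpnSuffix" `
        -ExternalEmailAddress "SMTP:$ExternalEmailAddress" `
        -Password $secure -ResetPasswordOnNextLogon $true

    # Confirm the recipient exists and show what was recorded.
    Get-MailUser -Identity $LogonName | Format-List Name, Alias, SamAccountName, ExternalEmailAddress
}

# Usage (constructed placeholder values):
# New-CheckedMailUser -FirstName 'Frank' -LastName 'Miller' -LogonName 'Frankm' `
#     -ExternalEmailAddress 'frankm@partner.example'
```

New-MailUser prompts for the password itself when -Password is omitted, as the usage in Example 2 relies on; prompting explicitly here is what allows the policy check to run before the account is created rather than after a failed attempt. The usage example in the book sets -ResetPasswordOnNextLogon $false; this script sets it to $true so that the administrator who typed the initial password never retains a working credential for the account.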