User management is set to a daily frequency because in larger networks, user accounts need to be created or modified on a regular basis. This activity is mostly initiated by request forms that come from your user base, so it is often performed ad hoc during the day, as administrators handle each request when it arrives. If you want to structure your day so that you perform activities in an organized manner, collect all user account creation and modification requests and process them in a set period of each day. To create a new user object:

1. Launch the Global MMC Console (Quick Launch Area | Global MMC Console). The console automatically connects to your default domain. If you need to work with a different forest or domain controller, right-click on Active Directory Users and Computers (Computer Management | Active Directory Users and Computers) and select the appropriate command to change your connection.

2. Navigate to the appropriate organizational unit (OU). If you are using the default Windows structure, this will be the Users container (Computer Management | Active Directory Users and Computers | domainname | Users).

TIP

The default Users container in AD is not an organizational unit, so Group Policy objects cannot be linked to it and it is not intended as a unit for delegating administration. Only GPOs linked at the domain level affect the objects in this container. If you want to link GPOs to user objects below the domain level, or delegate their administration, create a new People OU and place the user objects there.

3. Either right-click in the right window pane and select the New | User command from the context menu, or use the New User icon in the console toolbar. This activates the New Object - User Wizard.


4. This wizard displays two dialog boxes. The first deals with the account names. Here you set the user's full name, the user's display name, their logon name or user principal name (UPN), and their down-level (or pre-Windows 2000) logon name. Click Next.

5. The second screen deals with the password and account restrictions. Type in the password for this user and make sure the User must change password at next logon checkbox is selected. If the user is not ready to take immediate possession of the account, check the Account is disabled option as well. Click Finish when done.

SECURITY SCAN Be careful when you set a password to never expire. If it is for a non-user account such as a service account (an account designed to run services) or for a generic-purpose account, you should also set the User cannot change password option. This way, no one can use the account itself to change its password. Remember that a non-expiring password is exempt from the domain's maximum password age, so rotate it on a schedule you control. You can use much the same procedure to modify existing accounts and perform operations such as disabling, renaming, and reassigning them.
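The wizard steps above and the SECURITY SCAN pattern, scripted with ADSI from PowerShell as an added example (this is not code from the original text). The domain controller name, the People OU, the UPN suffix and the account names are assumptions for illustration; everything else uses documented userAccountControl bits and the User-Change-Password extended right that the console itself denies when you tick User cannot change password.

```powershell
# Added example: create a user object the way the New Object - User wizard does,
# bound to a chosen DC and OU. Names below are assumptions for illustration.
$Dc       = 'dc01.intranet.tandt.net'                 # assumption: DC to bind to
$PeopleOu = 'OU=People,DC=Intranet,DC=TandT,DC=Net'   # assumption: a real OU, not the Users container

# userAccountControl bits used below (documented flag values)
$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_NORMAL_ACCOUNT     = 0x200
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
# "User cannot change password" is not a userAccountControl bit; the console implements it
# by denying this extended right (User-Change-Password) to SELF and Everyone on the object.
$UserChangePasswordRight   = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function New-DirectoryUser {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,   # down-level (pre-Windows 2000) logon name
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [string]$UpnSuffix = 'Intranet.TandT.Net',            # assumption
        [switch]$Disabled,          # "Account is disabled": user not ready to take possession
        [switch]$ServiceAccount     # "Password never expires" + "User cannot change password"
    )
    $ou = [ADSI]"LDAP://$Dc/$PeopleOu"
    # Keep the RDN free of DN special characters so the CN cannot break the DN
    $cn = ('{0} {1}' -f $GivenName, $Surname) -replace '[,+"\\<>;=]', '_'

    # First wizard page: the names
    $user = $ou.Children.Add("CN=$cn", 'user')
    $user.Properties['sAMAccountName'].Value    = $SamAccountName
    $user.Properties['userPrincipalName'].Value = '{0}@{1}' -f $SamAccountName, $UpnSuffix
    $user.Properties['givenName'].Value         = $GivenName
    $user.Properties['sn'].Value                = $Surname
    $user.Properties['displayName'].Value       = $cn
    $user.CommitChanges()    # the object must exist before a password can be set on it

    # Hand the clear text to the DC only for the SetPassword call, then scrub it from memory
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $user.Invoke('SetPassword', [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # Second wizard page: account restrictions
    $uac = $ADS_UF_NORMAL_ACCOUNT
    if ($Disabled)       { $uac = $uac -bor $ADS_UF_ACCOUNTDISABLE }
    if ($ServiceAccount) { $uac = $uac -bor $ADS_UF_DONT_EXPIRE_PASSWD }
    $user.Properties['userAccountControl'].Value = $uac
    if (-not $ServiceAccount) {
        $user.Properties['pwdLastSet'].Value = 0   # "User must change password at next logon"
    }
    $user.CommitChanges()

    if ($ServiceAccount) {
        foreach ($sid in 'S-1-5-10', 'S-1-1-0') {   # NT AUTHORITY\SELF, Everyone
            $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                $identity,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny,
                $UserChangePasswordRight)
            $user.ObjectSecurity.AddAccessRule($rule)
        }
        $user.CommitChanges()
    }
    return $user.Path
}

# Usage: prompt for the initial password instead of typing it on the command line
$pw = Read-Host 'Initial password' -AsSecureString
New-DirectoryUser -SamAccountName jdoe -GivenName Jane -Surname Doe -Password $pw -Disabled
New-DirectoryUser -SamAccountName svc-backup -GivenName Backup -Surname Service -Password $pw -ServiceAccount
```

Run it on a workstation or server with the Active Directory client components, as a user who can create objects in the target OU. The two CommitChanges calls are deliberate: a password cannot be set on an object that does not yet exist, and userAccountControl can only be switched to a normal, enabled account once a password is present.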

TIP

Windows Server 2003 supports two types of logon names: the UPN and the down-level logon name. The latter corresponds to the Windows NT logon name you used to give to your users. If you are migrating from a Windows NT environment, keep the same down-level naming strategy unless there are compelling reasons to change it. Users will be familiar with it and will be able to continue using the logon name they know. A down-level name is unique only within its domain and is used in the DOMAIN\user form, whereas a UPN (user@suffix) is unique across the forest and is the form to use when crossing domain boundaries.

You can also automate the user creation process. The csvde command is designed for bulk creation of directory objects: it can add many objects from a single file, but it cannot modify objects that already exist (use ldifde for modifications). Use the following command to create multiple users at once (the command line is reconstructed here from the switch descriptions that follow):

csvde -i -f filename.csv -v -k > outputfilename.txt

where -i turns on import mode, -f indicates the source file for the import (filename.csv), which must be in comma-separated value (CSV) format, -v puts the command in verbose mode, and -k tells it to ignore errors and continue to the end. Review the outputfilename.txt file for the results of the operation.

TIP

CSV files can easily be created in Microsoft Excel. The first line names the attributes that the following lines supply, and for csvde these must be the LDAP attribute names; an import that creates objects also needs the DN and objectClass columns. For example, a header line of DN,objectClass,sAMAccountName,givenName,sn,description is followed by lines such as "CN=Jane Doe,CN=Users,DC=Intranet,DC=TandT,DC=Net",user,jdoe,Jane,Doe,Manager or "CN=John Apscott,CN=Users,DC=Intranet,DC=TandT,DC=Net",user,japscott,John,Apscott,Technician and so on (the DN is quoted because it contains commas). Once created, use Excel to save the file as a CSV (Comma Delimited) file. Note that csvde cannot import passwords, so the accounts it creates are disabled until you set a password and enable them. If you need to migrate information from one domain to another, use csvde to first export the information, then import it into the other domain. Type csvde -? for more information.
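The csvde import described above, driven from PowerShell as an added example (not code from the original text): it builds the CSV with the correct LDAP attribute headers from request-form data, runs the import with the switches the text explains, and then finishes the accounts that csvde necessarily leaves disabled and without a password. The OU, the UPN suffix and the two request rows are constructed for illustration.

```powershell
# Added example: build a csvde-compatible import file and run the import.
$PeopleOu  = 'OU=People,DC=Intranet,DC=TandT,DC=Net'   # assumption: target OU
$UpnSuffix = 'Intranet.TandT.Net'                       # assumption: UPN suffix

# Constructed sample input: the fields a user account request form typically carries
$requests = @(
    @{ Sam = 'jdoe';     First = 'Jane'; Last = 'Doe';     Description = 'Manager' },
    @{ Sam = 'japscott'; First = 'John'; Last = 'Apscott'; Description = 'Technician' }
)

function ConvertTo-CsvdeRow {
    param([hashtable]$Request)
    # csvde needs LDAP attribute names in the header, and a create needs at least DN and objectClass.
    # Select-Object fixes the column order so the header line matches the data lines.
    $cn  = ('{0} {1}' -f $Request.First, $Request.Last) -replace '[,+"\\<>;=]', '_'   # keep the RDN free of DN specials
    $row = '' | Select-Object DN, objectClass, sAMAccountName, userPrincipalName, givenName, sn, displayName, description
    $row.DN                = "CN=$cn,$PeopleOu"
    $row.objectClass       = 'user'
    $row.sAMAccountName    = $Request.Sam
    $row.userPrincipalName = '{0}@{1}' -f $Request.Sam, $UpnSuffix
    $row.givenName         = $Request.First
    $row.sn                = $Request.Last
    $row.displayName       = $cn
    $row.description       = $Request.Description
    return $row
}

$rows = foreach ($r in $requests) { ConvertTo-CsvdeRow $r }

# -NoTypeInformation: the "#TYPE ..." line Export-Csv otherwise writes is not valid csvde input.
# ASCII matches csvde's default (non -u) mode; for non-ASCII names use -Encoding Unicode and csvde -u.
$rows | Export-Csv -Path .\newusers.csv -NoTypeInformation -Encoding ASCII

# -i import, -f source file, -v verbose, -k keep going past errors such as "object already exists".
# Redirecting the verbose output produces the results file to review afterwards.
& csvde.exe -i -f .\newusers.csv -v -k > .\newusers-import.txt
if ($LASTEXITCODE -ne 0) { Write-Warning "csvde returned $LASTEXITCODE; review .\newusers-import.txt" }

# csvde cannot import passwords, so the new objects are created disabled with no password.
# Finish each one the way the wizard does: set a password, force a change at next logon, enable.
# -pwd * makes dsmod prompt instead of exposing the password on the command line.
foreach ($row in $rows) {
    dsmod user $row.DN -pwd * -mustchpwd yes -disabled no
}
```

Check newusers-import.txt before the dsmod loop: with -k, an object that already existed is reported there but does not stop the import, and you do not want to reset the password of an account that was not created by this run.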

TIP

You can also create two other types of user objects. InetOrgPerson is a user object derived from the User class (it carries the same attributes plus a few defined by RFC 2798) and is used to maintain compatibility with other, non-Microsoft directory services. Contact is a user object that cannot be a security principal: it has no SID, cannot log on and cannot be granted permissions. It is created only to include its information, such as an external e-mail address, in the directory.

DC-02: User Password Reset

Activity Frequency: Daily

The most common activity administrators must perform on user accounts is the password reset. This is the reason why this is set as a daily task. Depending on the size of your network, you may not have to reset passwords daily, but chances are good you have to do it more than once a week.

TIP

In order to avoid replication latency, especially when you reset a password for a regional user, you should always connect to the user's closest domain controller to reset the password. This way, users don't have to wait for the change to be replicated from central DCs to regional DCs before they can use the new password. Password changes are also replicated urgently to the PDC emulator, and a DC that rejects a password retries it against the PDC emulator before failing the logon, so a stale regional DC usually still accepts the new password; connecting to the site DC simply guarantees that the DC the user actually authenticates against holds the new password immediately.

To reset a user’s password:

1. Begin by launching the Active Directory Users and Computers portion of the Global MMC and right-click on it to select Connect to Domain Controller. Select the proper DC and click OK.

2. Once connected, right-click on the domain name and select Find.

3. Type the user's name in the Find dialog box and click Find Now.

4. Once you locate the proper user, right-click on their name and select Reset Password.

5. In the Reset Password dialog box, type the new password, confirm it, and check User must change password at next logon. Click OK when done.

6. Notify the user of the new password.

You can also change passwords through the command line:

dsmod user "UserDN" -pwd a5B4c#D2eI -mustchpwd yes

where UserDN is the user's distinguished name. For example, "CN=Jane Doe,CN=Users,DC=Intranet,DC=TandT,DC=Net" refers to user Jane Doe in the Users container of the Intranet.TandT.Net domain. Use quotes to enclose the entire DN, since it contains spaces. Typing the password on the command line exposes it to anyone who can read the process list or the command history; use -pwd * instead to be prompted for it, and add -s servername to direct the change at the user's site DC.
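The DC-02 procedure scripted with ADSI from PowerShell, as an added example (not code from the original text): it binds to the chosen DC, finds the user by down-level logon name the way the Find dialog does, resets the password without putting it on the command line, forces a change at next logon, and reads the account state back from the same DC. The DC name and the account name are assumptions for illustration; the filter-escaping helper is added here because the logon name usually comes from a request form.

```powershell
# Added example: reset a password on a specific DC and read the account state back from it.

function ConvertTo-LdapFilterLiteral {
    # Escape the characters RFC 4515 reserves in filter values, so a logon name taken
    # from a request form cannot change the meaning of the search filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Reset-UserPasswordOnDc {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,      # down-level logon name, as typed in Find
        [Parameter(Mandatory=$true)][string]$DomainController,    # the user's closest DC
        [Parameter(Mandatory=$true)][System.Security.SecureString]$NewPassword
    )
    # Steps 1-3: connect to that DC and search its domain naming context for the user
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $domainDn = "$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainController/$domainDn"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterLiteral $SamAccountName)
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'pwdLastSet', 'badPwdCount', 'lockoutTime'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user '$SamAccountName' found on $DomainController" }

    # Steps 4-5: Reset Password, then "User must change password at next logon"
    $user = $result.GetDirectoryEntry()      # still bound to $DomainController, so the write lands there
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try     { $user.Invoke('SetPassword', [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }   # scrub the clear text
    $user.Properties['pwdLastSet'].Value = 0
    $user.CommitChanges()

    # Read the account state back from the same DC: the kind of data the Additional Account Info tab shows.
    # Attributes that were never set (lockoutTime on an account never locked out) are absent, so check Count.
    $after   = $searcher.FindOne()
    $lockout = if ($after.Properties['lockouttime'].Count -gt 0) { [int64]$after.Properties['lockouttime'][0] } else { 0 }
    $badPwd  = if ($after.Properties['badpwdcount'].Count -gt 0) { [int]$after.Properties['badpwdcount'][0] } else { 0 }
    New-Object PSObject -Property @{
        DistinguishedName = $after.Properties['distinguishedname'][0]
        DomainController  = $DomainController
        MustChangeAtLogon = ([int64]$after.Properties['pwdlastset'][0] -eq 0)
        BadPasswordCount  = $badPwd
        LockedOut         = ($lockout -gt 0)
    }
}

# Usage: prompt for the password so it never appears on the command line or in shell history
$pw = Read-Host 'New password for jdoe' -AsSecureString
Reset-UserPasswordOnDc -SamAccountName jdoe -DomainController 'dc-paris01.intranet.tandt.net' -NewPassword $pw
```

Because both the search and the write go through the server-bound LDAP path, the reset lands on the site DC the user logs on against, which is what the TIP above asks for; the dsmod equivalent is dsmod user "UserDN" -s dc-paris01 -pwd * -mustchpwd yes. Step 6, notifying the user, stays a manual step: the new password should reach them over a channel other than the one the request came in on.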

The directory also stores a lot of information that is not visible in the standard property pages. One example is account status information, such as when the password was last set. A tool, acctinfo.dll, can be found in the Account Lockout Tools (search for it at www.microsoft.com/download). This DLL must be registered on the server or workstation on which you run the Active Directory Users and Computers console:

regsvr32 acctinfo.dll

Once registered, it adds a new tab to the user object's property page, the Additional Account Info tab. This tab is quite useful because it provides additional information about the status of the account, and it also provides a button for resetting regional user passwords directly on their site DC, avoiding replication delays.

TIP

If you want to use this DLL in the Global MMC, you will need to reopen the console in author mode, remove the Active Directory Users and Computers snap-in and add it anew. Review Procedure GS-17 to see how to perform this operation.

SCRIPT CENTER

The Microsoft TechNet Script Center includes a script that supports changing user passwords. This script can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/user/ScrUG03.asp?frame=true.

DC-03: Directory Service
