Creating a User Account Management Plan
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you deploy Windows Server 2003 and establish the appropriate user accounts in Active Directory, you need to create a plan for user account management. Creating a user account management plan involves deciding which individuals in your organization have the right to create new user accounts, establishing a procedure for disabling user accounts that are no longer used, and establishing a procedure for resetting the passwords of user accounts.
Assign the User Account Creation Right
Assigning the right to create new user accounts involves balancing strong security against a timely response to requests for new accounts.
Because misuse of the user account creation right presents a security risk to your organization, assign this right to trusted administrators only. For many organizations, it is sufficient to limit the ability to create new user accounts to the members of the Domain Admins group. In large organizations, or where administrators need to delegate tasks, you might need to assign the right to create new user accounts to another group, such as the IT staff or the Human Resources group. Do this by delegating control of the organizational units (OUs) that hold the user accounts to that group, not by adding the group to Domain Admins; the delegated group then gets only the right to create user objects in those OUs, not the domain-wide privileges of an administrator.
Whichever individuals you designate to create user accounts, a general guideline is to grant the right to one individual for every 100 employees. You might need to adjust this number based on the expected growth of your organization. For example, if your organization regularly adds new divisions, acquires companies, or expands into other markets, plan for the creation of new user accounts by assigning the right to enough individuals to meet the requirements of your anticipated growth.
Establish a Plan for the Disabling of User Accounts
Because user accounts that are no longer used but are still enabled are a common target for attackers (nobody notices a password-guessing attempt or a successful logon on an account whose owner has left), you must establish a clear, consistent policy for disabling such accounts. Disable accounts rather than deleting them immediately: a disabled account keeps its security identifier (SID), group memberships, and audit trail, so it can be reinstated if the decision was wrong or examined during an investigation, and it can be deleted later once a retention period has passed.
Use one or both of the following approaches for disabling active but unused user accounts in your organization:
Include disabling user accounts as part of the employee departure procedure. Establish a policy by which a user account is disabled in Active Directory on the day the employee leaves your organization, and deleted only after your retention period.
Create scripts that search for user accounts that have not been logged on to for a period of time, or whose password has not been changed for a period of time, and disable the accounts that the script identifies. For example, you might create a script that identifies accounts that have not been logged on to for six weeks, or whose password has not been changed for twice the maximum password age set in the domain password policy, and disables those accounts. Note that the lastLogon attribute is not replicated between domain controllers, so a query against a single domain controller misses logons that were authenticated elsewhere; the replicated lastLogonTimestamp attribute, which is available once the domain is at the Windows Server 2003 functional level, is the value to query, with the caveat that it is updated lazily (by default only when the stored value is more than 14 days old) and can therefore trail the real last logon by up to that interval.
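The following script is an added example, not part of the original page and not a Microsoft tool. It implements the stale-account selection logic described above in Python over a constructed export of the relevant attributes (sAMAccountName, userAccountControl, whenCreated, lastLogonTimestamp, pwdLastSet) so that it runs offline; on a Windows Server 2003 domain controller you would obtain those attributes through ADSI, dsquery, or a csvde export, and disable the selected accounts with ADSI or dsmod user. The account names, dates and thresholds are all made up. The example goes a little beyond the page's two rules: it converts the Integer8 (FILETIME) timestamps Active Directory actually stores, treats never-logged-on accounts and accounts with pwdLastSet of 0 by falling back to the creation date, skips accounts that are already disabled, excludes password-never-expires accounts from the password-age test, and widens the logon cutoff by the lastLogonTimestamp replication lag so that a recently active user is never disabled by mistake.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. Active Directory
# stores lastLogonTimestamp and pwdLastSet in this form (Integer8).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits used below.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def filetime_to_datetime(ft):
    """Convert an Integer8 timestamp to an aware UTC datetime; 0 means 'never set'."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build the constructed sample)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_stale_accounts(accounts, now, stale_days=42, max_pwd_age_days=42,
                        replication_lag_days=14):
    """Return [(sAMAccountName, [reasons])] for enabled accounts that look unused.

    stale_days: the page's six weeks without a logon.
    max_pwd_age_days: the domain's maximum password age; a password older than
        twice this is flagged, as the page suggests.
    replication_lag_days: lastLogonTimestamp is refreshed only when the stored
        value is more than 14 days old (the default), so it can trail the real
        last logon by that much. The logon cutoff is widened by this amount so
        that a recently active user is never flagged.
    """
    logon_cutoff = now - timedelta(days=stale_days + replication_lag_days)
    pwd_cutoff = now - timedelta(days=2 * max_pwd_age_days)
    stale = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue  # already disabled: nothing to do
        reasons = []
        # An account that has never logged on has no lastLogonTimestamp at all;
        # fall back to whenCreated so an unused new account still ages out.
        last_logon = (filetime_to_datetime(acct.get("lastLogonTimestamp", 0))
                      or acct["whenCreated"])
        if last_logon < logon_cutoff:
            reasons.append("no logon since %s" % last_logon.date())
        # pwdLastSet of 0 means "user must change password at next logon"; use
        # whenCreated as the reference point in that case too. Accounts whose
        # password never expires (typically service accounts) are excluded from
        # the password-age test but remain subject to the logon test.
        pwd_set = (filetime_to_datetime(acct.get("pwdLastSet", 0))
                   or acct["whenCreated"])
        if not (uac & UAC_DONT_EXPIRE_PASSWORD) and pwd_set < pwd_cutoff:
            reasons.append("password unchanged since %s" % pwd_set.date())
        if reasons:
            stale.append((acct["sAMAccountName"], reasons))
    return stale


def _account(name, created, last_logon=None, pwd_last_set=None, uac=UAC_NORMAL_ACCOUNT):
    """Build one constructed account record in the shape find_stale_accounts expects."""
    return {
        "sAMAccountName": name,
        "userAccountControl": uac,
        "whenCreated": created,
        "lastLogonTimestamp": datetime_to_filetime(last_logon) if last_logon else 0,
        "pwdLastSet": datetime_to_filetime(pwd_last_set) if pwd_last_set else 0,
    }


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample, not real directory data. NOW matches the page's date.
NOW = _utc(2003, 3, 28)
SAMPLE_ACCOUNTS = [
    _account("alice", _utc(2001, 1, 1), _utc(2003, 3, 20), _utc(2003, 2, 1)),  # active
    _account("bob", _utc(2001, 1, 1), _utc(2002, 12, 1), _utc(2002, 11, 15)),  # stale on both counts
    _account("carol", _utc(2003, 3, 1)),                                       # new, never logged on
    _account("dave", _utc(2002, 1, 1)),                                        # old, never logged on
    _account("erin", _utc(2001, 1, 1), _utc(2003, 2, 5), _utc(2003, 2, 15)),   # 51 days: inside the lag window
    _account("svc_backup", _utc(2001, 1, 1), _utc(2003, 3, 25), _utc(2001, 1, 1),
             uac=UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD),               # service account
    _account("frank", _utc(2001, 1, 1), _utc(2001, 1, 1), _utc(2001, 1, 1),
             uac=UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),                     # already disabled
]

if __name__ == "__main__":
    for name, reasons in find_stale_accounts(SAMPLE_ACCOUNTS, NOW):
        print(name, "->", "; ".join(reasons))
```

With the constructed data only bob and dave are selected; erin, whose last recorded logon is 51 days old, is left alone because the stored timestamp may be up to 14 days behind the real one, and becomes a candidate only if replication_lag_days is set to 0. Run the script in report-only mode first and review the list before wiring the output to the command that actually disables accounts.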
Establish a Plan for Resetting User Accounts
When a user forgets his or her password, the password must be reset before the account can be used again. An effective way to handle password resets in your organization is to delegate the Reset Password right to help desk staff, so that members of the Domain Admins group are not required to reset user passwords. Delegate the right on the OUs that contain ordinary user accounts rather than at the domain level, and note that accounts belonging to members of protected groups such as Domain Admins are re-protected by the AdminSDHolder mechanism and will not inherit the delegated permission, which is the intended outcome. Pair the delegation with a procedure: the help desk verifies the caller's identity before resetting, sets the option that requires the user to change the password at next logon, and the reset is recorded so that repeated resets on one account can be investigated.