User Accounts

On This Page

Creating user accounts
Deleting a user account
Resetting a user password
Modifying account properties
Configuring Logon Hours
Automatically log off users when logon time expires
Set an account expiration date
Disabling and enabling user accounts

Creating user accounts

Add a user account as follows:

  1. Click on Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. In the details pane, right-click the organizational unit where the user is to be added, point to New, and then click User.

  4. Type first name, initials, and last name.

  5. In User logon name, type the name that the user will log on with and, from the drop-down list, click the User Principal Name (UPN) suffix that must be appended to the user logon name (following the @ symbol). Click Next.

  6. In Password and Confirm password, type the user's password and select the appropriate password options. Click Next.

  7. Review the user object settings. If everything is correct, click Finish.

  8. Assign logon rights and privileges to the new user as explained in subsection "Configuring User Rights" of this document. These procedures may be used by authorized administrators to modify user logon rights and privileges at any time by adding or deleting logon rights and privileges as required.

Deleting a user account

Each user account that is created has a unique, nonreusable SID. Windows 2000 uses the SID to identify the user and the permissions that are assigned to that user. When a user account is deleted, Windows 2000 does not use the SID again, even if a new user is created with the same name as the one that was deleted. Therefore, simply re-creating a deleted user account cannot restore access to resources.

User accounts can be deleted as follows:

  1. Click on Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users. Or, click the folder that contains the user account.

  3. Right-click the user account, and then click Delete.

  4. A confirmation window will appear. Click Yes to delete the account.

    Note: If a user is logged on to the network when that user's account is deleted, the user retains access to the network until logged off.
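The SID behaviour described above can be demonstrated from a shell. This is an added example, not part of the original guide: it assumes the ActiveDirectory PowerShell module (RSAT) on a current domain, and the OU, account name and domain suffix are placeholders.

```powershell
# Added example (not from the original guide). Requires the ActiveDirectory
# module; the OU, names and UPN suffix below are placeholders.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$sam      = 'jdoe'                          # placeholder logon name
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# Shell equivalent of the "New > User" wizard: name, UPN suffix, password,
# and the "User must change password at next logon" option.
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@example.com" `
    -Path $ou -AccountPassword $password `
    -ChangePasswordAtLogon $true -Enabled $true

$sidBefore = (Get-ADUser $sam).SID.Value
Write-Host "SID of original account  : $sidBefore"

# Delete the object, then re-create it with the identical name: the new
# object receives a fresh SID, so ACL entries granted to the old SID are
# orphaned rather than restored.
Remove-ADUser -Identity $sam -Confirm:$false
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@example.com" `
    -Path $ou -AccountPassword $password -Enabled $true

$sidAfter = (Get-ADUser $sam).SID.Value
Write-Host "SID of re-created account: $sidAfter"
if ($sidBefore -ne $sidAfter) {
    Write-Host 'Different SIDs: access granted to the deleted account is not restored.'
}

# Disabling keeps the object and therefore its SID, which is why disabling a
# leaver's account first, and deleting later, preserves resource permissions.
Disable-ADAccount -Identity $sam
(Get-ADUser $sam).SID.Value -eq $sidAfter   # True: same object, same SID
```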

Resetting a user password

Users have the ability to change their own password if allowed to do so by the administrators. This requires that the user enter the old password for verification prior to being allowed to make the password change. However, in cases where the user does not remember the old password it will be necessary for the administrator to reset the password. Resetting a user password through an authorized administrator account does not require knowledge of the old password.

To reset a user password:

  1. Click on Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users. Or, click the folder that contains the desired user account.

  3. In the details pane, right-click the user whose password needs to be reset, and then click Reset Password. There will be an additional dialog box stating that this change is irreversible and that the user can no longer log in using his or her known password. Note: This is intended as an emergency tool and not as a routine password change tool.

  4. Type and confirm the password.

  5. To require the user to change this password at the next logon process, select the User must change password at next logon check box.

Modifying account properties

The properties dialog box for each account contains a set of tabs that allows administrators to configure various properties for a specific user. A set of default properties is associated with each domain user account and local user account created. Domain user accounts contain more properties than local user accounts. Local user account properties represent a very small subset of domain user account properties.

Domain user accounts can be modified by:

  1. Opening the Active Directory Users and Computers snap-in.

  2. Selecting the folder containing the account to be modified.

  3. In the details pane, double-clicking on the user object whose properties are to be modified (or right-clicking on the user object and selecting Properties). The following type of properties window will appear for domain user accounts:

Properties that are defined for a domain user account can be used to search for users in the Active Directory store. For example, if a user knows a person's first name and telephone number and wants to find the person's last name, the user can enter the telephone number to search for the last name.

Local user accounts can be modified by:

  1. Opening the Computer Management snap-in on Windows 2000 Professional or on stand-alone servers.

  2. Expanding the Local Users and Groups folder.

  3. Selecting the Users folder, and double-clicking on the user object whose properties are to be modified (or right-clicking on the user object and selecting Properties). The following type of properties window will appear for local user accounts:

The Properties dialog box

This subsection describes each of the properties tabs that can be modified. All the tabs described below apply to domain user accounts. Only the General, Dial-in (on stand-alone servers), Member of, and Profiles tabs apply to local user accounts.

  • Personal Properties Tabs. The personal properties tabs include the General, Address, Telephones, and Organization tabs. Completing the attributes of each of these tabs enables users and organizations to locate other users in Active Directory. The following table describes the personal properties tabs.

    General: Use this tab to document the user's name, description, office location, telephone, e-mail, and home page information.

    Address: Use this tab to document the user's street address, post office box, city, state or province, zip code, and country.

    Telephones: Use this tab to document the user's home, pager, mobile, fax, and IP telephone numbers, and to add comments.

    Organization: Use this tab to document the user's title, department, company, manager, and direct reports.

  • Account Tab. The Account tab allows setting a user's logon name and other account options for the user account. Some of these options were set as default when the user account was created in Active Directory. The defaults can be modified and additional settings can be configured.

  • Profile Tab. User profiles automatically create and maintain the desktop settings for each user's work environment on the local computer. The Profile tab allows setting a path where the user profiles are to be stored. In addition, the user account can be assigned a logon script and home folder.

  • Published Certificates Tab. A certificate is a collection of data used for authentication and secure exchanges of information on nonsecured networks, such as the Internet. A certificate securely binds a public encryption key to the entity that holds the corresponding private key. The Published Certificates tab allows the creation of a list of X.509 certificates for the user account.

  • Member of Tab. The Member of tab allows modification of group membership for users.

  • Dial-in Tab. The Dial-in tab allows for controlling how a user can make a dial-in connection to the network from a remote location.

  • Object Tab. The Object tab provides the fully qualified domain name of the object. It also provides additional information, such as the object class, the create and modified dates, the original Unique Sequence Number (USN), and the current USN. The USNs are used to track changes to objects in Active Directory.

  • Security Tab. The Security tab is used to set permissions on the user object in Active Directory. It can be used to allow or deny specific permissions to groups or users within the domain. Advanced permissions can also be configured, and the inheritance of permissions from the parent object to the user object in the Active Directory can be allowed or prevented.

  • Terminal Services Tabs. The Terminal Services tabs are the Environment, Sessions, Remote Control, and Terminal Services Profile tabs. The Terminal Services tabs contain information about the user that is specific to Terminal Services. Terminal Services allows users to log on from a computer terminal and run Windows 2000 sessions on the terminal. The information on the Terminal Services tabs includes when users can log on, under what conditions, and how specific desktop settings are stored.

Configuring Logon Hours

To configure the logon hours, follow these steps:

  1. Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Account tab.

  2. Click the Logon Hours button. Set the valid and invalid logon hours using the Logon Hours dialog box shown. In this dialog box each hour of the day or night is a field that can be turned on and off. To change the setting for an hour, click it. Then select either the Logon Permitted or Logon Denied option button.

    • Hours that are allowed are filled in with a dark bar.

    • Hours that are disallowed are blank.

  3. To ensure that logon restrictions are verified prior to allowing a user to log on, review the Enforce user logon restrictions setting of the Kerberos Policy to verify that it is enabled as described in the "Configuring Kerberos Policies" subsection.
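The grid edited in the Logon Hours dialog is stored in the user's logonHours attribute as a 21-byte bitmask (7 days x 24 hours, one bit per hour). The following is an added example, not code from the original guide: it builds and decodes that attribute in PowerShell, assuming the ActiveDirectory module, a placeholder user 'jdoe', and the documented bit layout (bit 0 of byte 0 is Sunday 00:00 UTC). The attribute is held in UTC, while the dialog displays it shifted to the local time zone, so the hours here are given in UTC.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# module and a placeholder user 'jdoe'. logonHours is stored in UTC with
# bit 0 of byte 0 = Sunday 00:00 UTC; confirm against the dialog before use.
Import-Module ActiveDirectory

function New-LogonHours {
    param(
        [int[]]$Days,     # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,  # first permitted hour (UTC, inclusive)
        [int]$EndHour     # hour at which logon becomes denied (UTC, exclusive)
    )
    $bytes = New-Object byte[] 21           # 7 days x 24 hours = 168 bits
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h           # hour index within the week
            $bytes[$bit -shr 3] = $bytes[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$bytes                          # keep the byte[] type intact
}

function Show-LogonHours {
    param([byte[]]$Bytes)
    $names = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    for ($day = 0; $day -lt 7; $day++) {
        $row = ''
        for ($h = 0; $h -lt 24; $h++) {
            $bit = $day * 24 + $h
            $row += $(if ($Bytes[$bit -shr 3] -band (1 -shl ($bit -band 7))) { '#' } else { '.' })
        }
        '{0} {1}' -f $names[$day], $row     # '#' = permitted, '.' = denied
    }
}

# Permit logon Monday to Friday, 08:00-18:00 UTC only, and apply it.
$hours = New-LogonHours -Days 1,2,3,4,5 -StartHour 8 -EndHour 18
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = [byte[]]$hours }

# Read the attribute back and render it; compare the rows with the dialog
# to confirm the time-zone shift before applying the schedule more widely.
$stored = (Get-ADUser 'jdoe' -Properties logonHours).logonHours
Show-LogonHours -Bytes $stored
```

Restricting hours alone only controls new logons; the next subsection covers disconnecting sessions that are already open when the permitted window ends.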

Automatically log off users when logon time expires

To forcibly disconnect users when their logon time has expired, as set in the previous subsection, follow these steps:

  1. To forcibly disconnect users who are members of a domain, access the Domain Security Policy interface and follow the procedures in the "Configuring Security Options" subsection to expand Local Policies and access the Security Options.

  2. Double-click on the Automatically log off users when logon time expires option, or right-click on it and select Security. This opens a Security Policy Setting dialog box for the selected option.

  3. Check Define this policy setting and select the Enabled radio button.

  4. Click OK to configure the selected option.

    Note: The Automatically log off users when logon time expires option is only available on domain controllers for application to members of the domain. To set a policy locally for a single computer, use the Automatically log off users when logon time expires (local) option on the specific computer.

Set an account expiration date

To configure an account expiration date for a user account, follow these steps:

  1. Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Account tab.

  2. Under Account expires, select the End of: radio button.

  3. In the date drop-down box, click the drop-down arrow. A calendar window will appear showing the current date. Use the calendar to select the date the account is to expire on, using the forward arrow (right side arrow) to select a future month and then clicking on the desired day within the calendar.

  4. Click the Apply button and click OK to close the user's Properties dialog box.
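The same setting can be applied and audited from a shell. This is an added example, not part of the original guide: it assumes the ActiveDirectory module and a placeholder user 'jdoe', and reproduces the dialog's "End of: <date>" semantics, where the account stops working at the start of the day after the one selected.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# module and a placeholder user 'jdoe'; the date is a placeholder as well.
Import-Module ActiveDirectory

$user    = 'jdoe'
$lastDay = Get-Date '2025-12-31'   # placeholder: last day the account may be used

# "End of" a date means the account stops working at midnight at the start of
# the following day, so pass the next day, not the selected day itself.
Set-ADUser -Identity $user -AccountExpirationDate $lastDay.AddDays(1)

# Read back the raw attribute. accountExpires is a FILETIME (100 ns intervals
# since 1601-01-01 UTC); 0 or Int64.MaxValue means the account never expires.
$raw = (Get-ADUser $user -Properties accountExpires).accountExpires
if ($raw -eq 0 -or $raw -eq [long]::MaxValue) {
    "$user : never expires"
} else {
    "$user : expires " + [DateTime]::FromFileTimeUtc($raw).ToLocalTime()
}

# Audit: accounts already past their expiry, and those expiring within 30 days.
Search-ADAccount -AccountExpired -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# Enabled accounts with no expiry at all, which are candidates for review.
Get-ADUser -Filter { Enabled -eq $true } -Properties accountExpires |
    Where-Object { $_.accountExpires -eq 0 -or $_.accountExpires -eq [long]::MaxValue } |
    Select-Object SamAccountName
```

Note that AccountExpirationDate as shown by Get-ADUser is the exact expiry instant, so it reads one day later than the date selected in the dialog's "End of" control.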

Disabling and enabling user accounts

To disable a user account, follow these steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users or the folder that contains the desired user account.

  3. In the details pane, right-click the user.

  4. Click Disable Account.

To enable a user account:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users or the folder that contains the desired user account.

  3. In the details pane, right-click the user.

  4. Click Enable Account.