Applies To: Windows Server 2008 R2, Windows Server 2012
User UPN logon
The text box on the left provides a space for you to type the account name for this user. This is the name that the user will use to log on to an Active Directory domain.
The drop-down list on the right lists the available user principal name (UPN) suffixes that may be used to create the user logon name. The list contains the full Domain Name System (DNS) name of the current domain, the full DNS name of the root domain of the current forest, and any alternative UPN suffixes that are created with Active Directory Domains and Trusts.
User SamAccountName logon
The read-only text box on the left displays the domain name that is used by computers that are running pre–Windows 2000 operating systems.
The text box on the right provides a space for you to type the user's pre–Windows 2000 logon name.
Protect from accidental deletion
Select this option to update the security descriptor of the object—and, potentially, its parent—to deny all administrators or users of this domain and domain controller the ability to delete this object.
This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, we recommend that you enable this setting for all the protected object’s containers, up to the domain naming context head.
Log on Hours
Click to change the hours during which this selected object can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account.
Log On To
Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account.
Sets the account expiration policy for this user. You can select between the following options:
to specify that the selected account will never expire. This option is the default for new users.
, and then select a date if you want to have the user's account expire on a specified date.
The following are the password options for an Active Directory user account:
User must change password at next logon
—Forces a user to change his or her password the next time that the user logs on to the network. Enable this option when you want to ensure that the user will be the only person that knows the password.
Smart card is required for interactive log on
—Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart-card reader attached to the computer and a valid personal identification number (PIN) for the smart card.
Password never expires
—Prevents a user’s password from expiring. We recommend that service accounts have this option enabled and that they use strong passwords.
User cannot change password
—Prevents a user from changing his or her password. Enable this option when you want to maintain control over a user account, such as a Guest account or a temporary account.
The following are the encryption options for an Active Directory user account:
Store password using reversible encryption
—Provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is the same as storing plaintext versions of the passwords. This policy should never be enabled unless application requirements outweigh the need to protect password information.
User Kerberos DES encryption types for this account
—Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPsec) DES (40-bit), IPsec 56-bit DES, and IPsec Triple DES (3DES).
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
The Kerberos Advanced Encryption Standard (AES) encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. AES is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). For more information about Kerberos authentication, see Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=85494).
The following are additional options for an Active Directory user account:
Account is sensitive and cannot be delegated
—You can use this option if the account, for example a Guest or temporary account, cannot be assigned for delegation by another account. For more information, see Enabling Delegated Authentication (http://go.microsoft.com/fwlink/?LinkId=143007).
Do not require Kerberos preauthentication
—Provides support for alternative implementations of the Kerberos protocol. However, use caution when you enable this option, because Kerberos preauthentication provides additional security and requires time synchronization between the client and the server. For more information, see Kerberos Explained (http://go.microsoft.com/fwlink/?LinkID=120374).