User Account Management Tasks
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
| Task | Permissions Required to Perform Task | ||
|---|---|---|---|
Create a user account in disabled state |
CC on parent object (to create objects of class User) |
||
Create a user account |
CC on parent object (to create objects of class User) WP on the user object to modify User-Account-Control attribute Extended Right “Reset Password” required on user account |
||
Delete a user account |
SD on the user object itself OR DC on parent object (to delete objects of class User)
|
||
Rename a user account |
WP on the user object to modify Common-Name attribute WP on the user object to modify RDN attribute WP on the user object to modify Obj-Dist-Name attribute |
||
Move a user account |
SD on the user object itself OR DC on parent object (to delete objects of class User) CC on target parent (to create objects of class User) WP on the user object to modify Common-Name attribute WP on the user object to modify RDN attribute |
||
Disable a user account |
WP on the user object to modify User-Account-Control attribute |
||
Unlock a user account |
WP on the user object to modify the Lockout-Time attribute |
||
Enable a disabled user account |
WP on the user object to modify User-Account-Control attribute |
||
Reset a user account’s password |
The User-Change-Password extended right is required on the user object |
||
Force a user account to change the password at the next logon |
WP on the user object to modify User-Password attribute AND The User-Force-Change-Password extended right is required on the User object. ALTERNATIVELY, WP on the user object to modify Pwd-Last-Set attribute also works |
||
Modify a user’s first name |
WP on the user object to modify Given-Name attribute |
||
Modify a user’s initials |
WP on the user object to modify Initials attribute |
||
Modify a user’s last name |
WP on the user object to modify Surname attribute |
||
Modify a user’s display name |
WP on the user object to modify Admin-Display-Name attribute |
||
Modify a user account’s description |
WP on the user object to modify Description attribute |
||
Modify a user’s office location |
WP on the user object to modify Physical-Delivery-Office-Name attribute |
||
Modify a user’s telephone number |
WP on the user object to modify Telephone-Number attribute |
||
Modify the location of a user’s primary web page |
WP on the user object to modify WWW-Home-Page attribute |
||
Modify a user’s e-mail address |
WP on the ser object to modify E-Mail-Address attribute |
||
Modify a user’s street address |
WP on the user object to modify Street-Address attribute |
||
Modify a user’s P.O box |
WP on the user object to modify Post-Office-Box attribute |
||
Modify a user’s city/province |
WP on the user object to modify Locality-Name attribute |
||
Modify a user’s state |
WP on the user object to modify State-Or-Province-Name attribute |
||
Modify a user’s zip/postal code |
WP on the user object to modify Postal-Code attribute |
||
Modify a user’s country/region |
WP on the user object to modify Country-Name attribute |
||
Modify a user’s UPN |
WP on the user object to modify User-Principal-Name attribute |
||
Modify a user’s Pre-Windows 2000 user logon name |
WP on the user object to modify SAM-Account-Name attribute |
||
Modify the hours during which a user can log on |
WP on the user object to modify Logon-Hours attribute |
||
Specify the computers from which a user can log on |
WP on the user object to modify User-Workstations attribute |
||
Set User cannot change password for a user account |
WD on the user object OTE: Granting WD is equivalent of granting Full-Control Note The Active Directory Users and Computers Snap-In does not allow this operation to be performed from UI. Use dsacls.exe to perform operation. |
||
Set Password Never Expires for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Set Store Password Using Reversible Encryption for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Disable a user account |
WP on the user object to modify User-Account-Control attribute |
||
Set Smart card is required for interactive logon for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Set Account is sensitive and cannot be delegated for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Set Use DES encryption types for this account for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Set Do not require Kerberos pre-authentication for a user account |
WP on the user object to modify User-Account-Control attribute |
||
Specify the date when a user account expires |
WP on the user object to modify Account-Expires attribute |
||
Specify a profile path for a user |
WP on the user object to modify Profile-Path attribute |
||
Specify a logon script for a user |
WP on the user object to modify Script-Path attribute |
||
Specify the drive letter to which to map the UNC path specified by the home directory for a user account |
WP on the user object to modify Home-Drive attribute WP on the user object to modify Home-Directory attribute (This is not changed, but is needed to enable editing in the ADU&C UI) |
||
Specify a user’s home folder local path |
WP on the user object to modify Home-Directory attribute WP on the user object to modify Home-Drive attribute (This is not changed, but is needed to enable editing in the ADU&C UI) |
||
Specify the home folder to connect to for a user account |
WP on the user object to modify Home-Drive attribute WP on the user object to modify Home-Directory attribute |
||
Specify a user’s home telephone number |
WP on the user object to modify Phone-Home-Primary attribute |
||
Specify the user’s other Home Telephone numbers |
WP on the user object to modify Phone-Home-Other attribute |
||
Specify a user’s pager number |
WP on the user object to modify Phone-Pager-Primary attribute |
||
Specify other pager numbers for a user |
WP on the user object to modify Phone-Pager-Other attribute |
||
Specify a user’s mobile number |
WP on the user object to modify Phone-Mobile-Primary attribute |
||
Specify other mobile numbers for a user |
WP on the user object to modify Phone-Mobile-Other attribute |
||
Specify a user’s facsimile number |
WP on the user object to modify Facsimile-Telephone-Number attribute |
||
Specify other facsimile numbers for a user |
WP on the user object to modify Phone-Fax-Other attribute |
||
Specify a user’s IP phone number |
WP on the user object to modify Phone-IP-Primary attribute |
||
Specify other IP phone numbers for a user |
WP on the user object to modify Phone-IP-Other attribute |
||
Modify notes for a user account |
WP on the user object to modify Comment attribute |
||
Specify a user’s title |
WP on the user object to modify Title attribute |
||
Specify a user’s department |
WP on the user object to modify Department attribute |
||
Specify a user’s manager |
WP on the user object to modify Manager attribute |
||
View certificates issued to a user |
WP on the user object to modify X-509 Cert attribute |
||
Add certificates from store for a user |
WP on the user object to modify X-509 Cert attribute |
||
Add certificates from file for a user |
WP on the user object to modify X-509 Cert attribute |
||
Remove a certificate for a user |
WP on the user object to modify X-509 Cert attribute |
||
Copy a user’s certificate to a file |
Create File/Write Data permissions on target parent folder on file-system RP on the user object to modify X-509 Cert attribute WP on the user object to modify X-509 Cert attribute |
||
Add a user account to a group |
WP on the target Group object to modify Member attribute |
||
Remove the user from a group |
WP on the target Group object to modify Member attribute |
||
Set the Primary Group (used for POSIX Compliance) for a user |
WP on the target user object to modify Primary-Group-ID attribute |
||
Create a user account in disabled state |
CC on parent object (to create objects of class User) |
||
Create a user account |
CC on parent object (to create objects of class User) WP on the user object to modify User-Account-Control attribute Extended Right “Reset Password” required on user account |
||
Delete a user account |
SD on the user object itself OR DC on parent object (to delete objects of class User) Note DC on parent will grant permission to delete all objects under the parent (and if class is specified, then only all objects of specified class). |
||
Rename a user account |
WP on the user object to modify Common-Name attribute WP on the user object to modify RDN attribute WP on the user object to modify Obj-Dist-Name attribute |
||
Move a user account |
SD on the user object itself OR DC on parent object (to delete objects of class User) CC on target parent (to create objects of class User) WP on the user object to modify Common-Name attribute WP on the user object to modify RDN attribute |
||
Disable a user account |
WP on the user object to modify User-Account-Control attribute |
||
Unlock a user account |
WP on the user object to modify the Lockout-Time attribute |
||
Enable a disabled user account |
WP on the user object to modify User-Account-Control attribute |
||
Reset a user account’s password |
The User-Change-Password extended right is required on the user object |
||
Force a user account to change the password at the next logon |
WP on the user object to modify User-Password attribute ALTERNATIVELY, WP on the user object to modify Pwd-Last-Set attribute also works |
||
Modify a user’s first name |
WP on the user object to modify Given-Name attribute |
||
Modify a user’s initials |
WP on the user object to modify Initials attribute |
||
Modify a user’s last name |
WP on the user object to modify Surname attribute |
||
Modify a user’s display name |
WP on the user object to modify Admin-Display-Name attribute |
||
Modify a user account’s description |
WP on the user object to modify Description attribute |
||
Modify a user’s office location |
WP on the user object to modify Physical-Delivery-Office-Name attribute |
||
Modify a user’s telephone number |
WP on the user object to modify Telephone-Number attribute |
||
Modify the location of a user’s primary web page |
WP on the user object to modify WWW-Home-Page attribute |
||
Modify a user’s e-mail address |
WP on the ser object to modify E-Mail-Address attribute |
||
Modify a user’s street address |
WP on the user object to modify Street-Address attribute |
||
Modify a user’s P.O box |
WP on the user object to modify Post-Office-Box attribute |
||
Modify a user’s city/province |
WP on the user object to modify Locality-Name attribute |
||
Modify a user’s state |
WP on the user object to modify State-Or-Province-Name attribute |
||
Modify a user’s zip/postal code |
WP on the user object to modify Postal-Code attribute |
||
Modify a user’s country/region |
WP on the user object to modify Country-Name attribute |
||
Modify a user’s UPN |
WP on the user object to modify User-Principal-Name attribute |
||
Modify a user’s Pre-Windows 2000 user logon name |
WP on the user object to modify SAM-Account-Name attribute |
||
Modify the hours during which a user can log on |
WP on the user object to modify Logon-Hours attribute |
||
Specify the computers from which a user can log on |
WP on the user object to modify User-Workstations attribute |
.gif "note")
Note