Creating user and group accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Creating user and group accounts

User accounts are used to authenticate, authorize or deny access to resources for, and audit the activity of individual users on your network. A group account is a collection of user accounts that you can use to assign a set of permissions and rights to multiple users simultaneously. A group can also contain contacts, computers, and other groups. You can create user accounts and group accounts in Active Directory to manage domain users. You can also create user accounts and group accounts on a local computer to manage users specific to that computer.

Some of the most common tasks are creating user accounts in Active Directory, creating group accounts in Active Directory, creating user accounts on a local computer, and creating groups on a local computer. You can also use the command line to create user and group accounts in Managing Active Directory from the command line or on a Managing local groups from the command line. For more information about other tasks for managing Active Directory user accounts and groups, see Manage Users, Groups, and Computers. For information about other tasks for managing user accounts and groups on a local computer, see Local Users and Groups How To....

To create a user account in Active Directory

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the folder in which you want to add a user account.

    Where?

    • Active Directory Users and Computers/domain node/folder
  3. Point to New, and then click User.

  4. In First name, type the user's first name.

  5. In Initials, type the user's initials.

  6. In Last name, type the user's last name.

  7. Modify Full name to add initials or reverse order of first and last names.

  8. In User logon name, type the user logon name, click the UPN suffix in the drop-down list, and then click Next.

    If the user will use a different name to log on to computers running Windows 95, Windows 98, or Windows NT, then you can change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name.

  9. In Password and Confirm password, type the user's password, and then select the appropriate password options.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • To add a user, you can also click

    Create a new user in the current container on the toolbar.

  • To add a user, you can also copy any previously created user account.

  • A new user account with the same name as a previously deleted user account does not automatically assume the permissions and group memberships of the previously deleted account because the security ID (SID) for each account is unique. To duplicate a deleted user account, all permissions and memberships must be manually recreated.

  • When a user account is created with the new user wizard from within the details pane, you can quickly edit the user properties by closing the wizard, clicking the new account, and then pressing ENTER. To open the new user wizard from within the details pane, right-click in the details pane, click New, and then click User.

  • For interoperability with other directory services, you can create an InetOrgPerson user object. To create a new inetOrgPerson, in step three, click InetOrgPerson instead of User.

  • When creating a new user, the full name attribute is created in the FirstNameLastName format by default. The full name attribute also governs the display name format is shown in the global address list. You can change the display name format by using ADSI Edit. If you do so, this will also change the full name format. For more information, see article Q250455, "How to Change Display Names of Active Directory Users" in the Microsoft Knowledge Base.

To create a group account in Active Directory

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the folder in which you want to add a new group.

    Where?

    • Active Directory Users and Computers/domain node/folder
  3. Point to New, and then click Group.

  4. Type the name of the new group.

    By default, the name you type is also entered as the pre–Windows 2000 name of the new group.

  5. In Group scope, click one of the options.

  6. In Group type, click one of the options.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • To add a group, you can also click the folder in which you want to add the group, and then click

    Create a new group in the current container on the toolbar.

  • If the domain in which you are creating the group is set to the domain functional level of Windows 2000 mixed, you can select only security groups with Domain local or Global scopes. For more information, see Group scope.

  • When a group account is created with the new group wizard from within the details pane, you can quickly edit the group account properties by closing the wizard, clicking the new account, and then pressing ENTER. To open the new group wizard from within the details pane, right-click in the details pane, click New, and then click Group.

  • A group name cannot be identical to any other group name in the domain.

  • A group name (pre–Windows 2000) (samAccountName object attribute) can contain up to 63 uppercase or lowercase characters.

  • A group name (pre–Windows 2000) (samAccountName object attribute) cannot consist solely of periods or spaces.

  • In Active Directory Users and Computers, by default, the name that you type is also entered as the pre–Windows 2000 name of the new group.

  • A group name (CN) can contain up to 256 uppercase or lowercase characters, except for the following:

    " / \ [ ] : ; | = , + * ? <>

  • A group name (CN) cannot consist solely of spaces.

  • When you use the net group command to create a new group account (net group <group_name> /add /domain, for example, net group Group1 /add /domain), if you specify a group name that is longer than 64 characters, the directory service sets the group’s CN to the automatically generated objectSID of the newly created group account and the samAccountName object attribute assumes the name that you specify in the net group command. For more information about net group name restrictions, see NetGroupAdd (https://go.microsoft.com/fwlink/?LinkId=159751).

To create a user account on a local computer

  1. Open Computer Management.

  2. In the console tree, click Users.

    Where?

    • Computer Management/System Tools/Local Users and Groups/Users
  3. On the Action menu, click New User.

  4. Type the appropriate information in the dialog box.

  5. Select or clear the check boxes for:

    • User must change password at next logon

    • User cannot change password

    • Password never expires

    • Account is disabled

  6. Click Create, and then click Close.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  • A user name cannot be identical to any other user or group name on the computer being administered. It can contain up to 20 uppercase or lowercase characters, except for the following:

    " / \ [ ] : ; | = , + * ? < >

    A user name cannot consist solely of periods (.) or spaces.

  • In Password and Confirm password, you can type a password containing up to 127 characters. However, if the network consists of computers running Windows 95 or Windows 98, consider using passwords no longer than 14 characters. If your password is longer, you may not be able to log on to the network from those computers.

  • You should not add a new local user to the local Administrators group unless the user will perform only administrative tasks. For more information, see Why you should not run your computer as an administrator.

To create a group on a local computer

  1. Open Computer Management.

  2. In the console tree, click Groups.

    Where?

    • Computer Management/System Tools/Local Users and Groups/Groups
  3. On the Action menu, click New Group.

  4. In Group name, type a name for the new group.

  5. In Description, type a description of the new group.

  6. To add one or more users to a new group, click Add.

  7. In the Select Users, Computers, or Groups dialog box, do the following:

    • To add a user or group account to this group, under Enter the object names to select, type the name of the user account or group account that you want to add, and then click OK.

    • To add a computer account to this group, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the name of the computer account that you want to add, and then click OK.

  8. In the New Group dialog box, click Create, and then click Close.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  • A local group name cannot be identical to any other group or user name on the local computer being administered. It can contain up to 256 uppercase or lowercase characters, except for the following:

    " / \ [ ] : ; | = , + * ? < >

    A group name cannot consist solely of periods (.) or spaces.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

Change History

Date Revision

March 25, 2011

Corrected the description of the maximum length of the CN and sAMAccountName attributes for a group object.