Lesson 3: Creating User Accounts
Local user accounts are created using the Local Users and Groups snap-in within the Computer Management console. Domain user accounts are created using the Active Directory Users and Computers console. To use either tool, you must have administrator privileges. This lesson takes you step-by-step through creating user accounts and setting user account properties.
After this lesson, you will be able to
Create local user accounts
Create domain user accounts
Set user account properties
Estimated lesson time: 45 minutes
Creating Local User Accounts
Using the Local Users and Groups snap-in (illustrated in Figure 7.3), you create, delete, or disable local user accounts on the local computer in a workgroup. You cannot create local user accounts on a domain controller.
Figure 7.3 Local Users and Groups snap-in and the New User dialog box
To create local user accounts
Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
Expand the Local Users and Groups snap-in, right-click Users, and select New User.
In the New User dialog box (see Figure 7.3), set the local user account options described in Table 7.6.
Table 7.6 Local User Account Options
Option | Description |
---|---|
User Name | A unique name based on your naming convention. An entry in this box is required. |
Full Name | The complete name of the user, to determine which person belongs to an account. An entry in this box is optional. |
Description | A description that is useful for identifying users—for example, a department or an office location. An entry in this box is optional. |
User Must Change Password At Next Logon | Requires the user to change his or her password the first time that he or she logs on. |
User Cannot Change Password | Only administrators are allowed to control passwords. |
Password Never Expires | Password will never change. The User Must Change Password at Next Logon option overrides the Password Never Expires option. |
Account Is Disabled | Prevents use of the user's account—for example, for a new employee who has not yet started. |
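The same options as a script, as an added example that is not part of the lesson: the local account is created with the LocalAccounts PowerShell module (Windows 10 and Windows Server 2016 or later; the lesson's own tool is the Local Users and Groups snap-in). The account name, full name and description are constructed sample values, and the initial password is read from the console so it never sits in the script.

```powershell
# Added example, not from the lesson. Maps each Table 7.6 option to a parameter of
# New-LocalUser; "jdoe", "Jane Doe" and the description are constructed values.
Import-Module Microsoft.PowerShell.LocalAccounts

# Initial password typed at the prompt (the lesson's TIP: make it unrelated and random).
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

$params = @{
    Name                     = 'jdoe'                     # User Name (required)
    FullName                 = 'Jane Doe'                 # Full Name (optional)
    Description              = 'Accounting, Building 2'   # Description (optional)
    Password                 = $initialPassword
    UserMayNotChangePassword = $false                     # "User Cannot Change Password" left clear
    PasswordNeverExpires     = $false                     # "Password Never Expires" left clear
    Disabled                 = $false                     # "Account Is Disabled" left clear
}
$user = New-LocalUser @params

# "User Must Change Password At Next Logon" has no New-LocalUser parameter; the
# WinNT ADSI provider exposes the same flag as PasswordExpired on the user object.
$adsiUser = [ADSI]"WinNT://$env:COMPUTERNAME/$($user.Name),user"
$adsiUser.PasswordExpired = 1
$adsiUser.SetInfo()

# Read the result back: the password is now single-use, so only the user will
# know the password after the first logon.
Get-LocalUser -Name $user.Name |
    Select-Object Name, FullName, Enabled, UserMayChangePassword, PasswordExpires
```

Forcing the change at first logon is what makes a hand-delivered initial password safe: once the user has replaced it, the administrator who created the account no longer knows a working credential for it.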
Creating Domain User Accounts
Using the Active Directory Users and Computers console (illustrated in Figure 7.4), you create, delete, or disable domain user accounts on the domain controller, or local user accounts on any computer in the domain.
When you create the domain user account, the user logon name defaults to the domain in which you are creating the domain user account. However, you can select any domain in which you have permissions to create domain user accounts. You must select the container in which to create the new account. You can create the domain user account in the default Users container or in a container that you create to hold domain user accounts.
To create domain user accounts
Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.
Click the domain, right-click the Users container, point to New, and click User.
NOTE
In a live system environment, the Users container is merely a default container. Actual users should be added to a custom OU rather than the Users container.
Figure 7.4 Active Directory Users and Computers console and the New Object User dialog box
In the New Object-User dialog box (see Figure 7.4), set the domain user name options described in Table 7.7.
Table 7.7 User Name Options on the New Object-User Dialog Box
Option | Description |
---|---|
First Name | The user's first name. An entry in the First Name, the Last Name, or the Full Name box is required. |
Initials | The user's initials. An entry in this, the First Name, the Last Name, or the Full Name box is required. |
Last Name | The user's last name. An entry in the First Name, the Last Name, or the Full Name box is required. |
Full Name | The user's complete name. The name must be unique within the container where you create the user account. Windows 2000 completes this option if you enter information in the First Name, Initials, or Last Name boxes. The Create-In field displays this name in the DN path of the container where the user account is located in the directory. |
User Logon Name | The User Logon Name contains a box and a list that uniquely identify the user throughout the entire network. The box (on the left) is the user's unique logon name, based on your naming conventions. An entry is required and must be unique within the domain. The list (on the right) is the domain name. |
User Logon Name (Pre-Windows 2000) | The user's unique logon name that is used to log on from earlier versions of Windows, such as Windows NT 4.0 or Windows NT 3.51. An entry is required and must be unique within the domain. |
Setting Password Options
In the New Object-User dialog box, shown in Figure 7.4, click Next to open a second New Object-User dialog box, shown in Figure 7.5, which contains password settings. In this dialog box, you set the password requirements for the domain user account.
Figure 7.5 New Object-User dialog box
Table 7.8 describes the password options in the New Object-User dialog box.
Table 7.8 Password Options on the New Object-User Dialog Box
Option | Description |
---|---|
Password | The password that is used to authenticate the user. For greater security, you should always assign a password. |
Confirm Password | Confirm the password by typing it a second time to make sure that you typed the password correctly. An entry is required if you assign a password. |
User Must Change Password At Next Logon | Requires the user to change his or her password the first time that he or she logs on. This ensures that the user is the only person who knows the password. |
User Cannot Change Password | Only administrators are allowed to control passwords. Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. |
Password Never Expires | Password will never change. Possible use: for a domain user account that will be used by a program or a Windows 2000 service. The User Must Change Password At Next Logon option overrides the Password Never Expires option. |
Account Is Disabled | Prevents use of the user's account—for example, for a new employee who has not yet started. |
NOTE
Always require new users to change their passwords the first time that they log on. This prevents a user account from existing without a password, and once the user logs on and changes his or her password, only the user knows the password.
TIP
For added security on networks, create unrelated initial passwords for all new user accounts by using a random combination of letters and numbers. Creating an unrelated initial password will help keep the user account secure.
Practice: Creating Domain User Accounts
In this practice, you create the domain user accounts shown in Table 7.9.
Table 7.9 Domain User Accounts for Practice
First Name | Last Name | User Logon Name | Password | Change Password |
---|---|---|---|---|
User | One | User1 | (blank) | Must |
User | Three | User3 | (blank) | Must |
User | Five | User5 | User5 | Must |
User | Seven | User7 | User7 | Must |
User | Nine | User9 | User9 | Cannot |
The following procedure outlines the steps that are required to create the first user account using the Active Directory Users and Computers console. After you have created the first user account, follow the same steps to create the remaining user accounts.
To create a domain user account
Log on as Administrator.
Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.
Windows 2000 displays the Active Directory Users and Computers console.
Expand microsoft.com (if you did not use Microsoft as your domain name, expand your domain), and then double-click Users.
In the details pane, notice the default user accounts.
Which user accounts does the Active Directory Installation Wizard create by default?
Right-click Users, point to New, then click User.
Windows 2000 displays the New Object-User dialog box.
Where in the Active Directory will the new user account be created?
Type User in the First Name box.
Type One in the Last Name box.
Notice that Windows 2000 completes the Full Name box for you.
Type user1 in the User Logon Name box.
In the list to the right of the User Logon Name box, select @microsoft.com. (The domain name will vary if you did not use microsoft.com as your DNS domain name.)
The user logon name, combined with the domain name in the box that appears to the right of the User Logon Name box, is the user's full Internet logon name. This name uniquely identifies the user throughout the directory (for example, user1@microsoft.com).
Notice that Windows 2000 completes the pre-Windows 2000 logon name box for you.
When is the pre-Windows 2000 logon name used?
Click Next to continue.
Windows 2000 displays the New Object-User dialog box, prompting you to supply password options and restrictions.
In the Password box and the Confirm Password box, type the password or leave these boxes blank if you are not assigning a password.
If you enter a password, notice that the password is displayed as asterisks as you type. This prevents onlookers from viewing the password as it is entered.
Specify whether or not the user can change his or her password.
What are the results of selecting both the User Must Change Password At Next Logon check box and the User Cannot Change Password check box? Explain.
Under what circumstances would you select the Account Is Disabled check box when creating a new user account?
After you have selected the appropriate password options, click Next.
Windows 2000 displays the New Object-User dialog box, displaying the options and restrictions that you have configured for this user account.
Verify that the user account options are correct, then click Finish.
NOTE
If the user account options are incorrect, click Back to modify the user account options.
In the details pane of the Active Directory Users and Computers console, notice that the user account that you just created now appears.
Complete Steps 4-13 for the remaining user accounts.
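The practice accounts of Table 7.9 created from a script rather than the New Object-User dialog box, as an added example that is not part of the lesson. It uses the ActiveDirectory PowerShell module (installed with RSAT, not a Windows 2000 tool) and assumes the session runs as a domain administrator; the hashtable keys are matched to the dialog box fields of Tables 7.7 and 7.8.

```powershell
# Added example, not from the lesson: create the Table 7.9 accounts with the
# ActiveDirectory module. Assumes RSAT is installed and a domain administrator session.
Import-Module ActiveDirectory

$adDomain  = Get-ADDomain
$upnSuffix = $adDomain.DNSRoot                          # the "@microsoft.com" list entry
$container = 'CN=Users,' + $adDomain.DistinguishedName  # the lesson's Create-In container

# Rows of Table 7.9; $null password = the "(blank)" rows.
$rows = @(
    @{ First = 'User'; Last = 'One';   Logon = 'User1'; Password = $null;   Change = 'Must'   },
    @{ First = 'User'; Last = 'Three'; Logon = 'User3'; Password = $null;   Change = 'Must'   },
    @{ First = 'User'; Last = 'Five';  Logon = 'User5'; Password = 'User5'; Change = 'Must'   },
    @{ First = 'User'; Last = 'Seven'; Logon = 'User7'; Password = 'User7'; Change = 'Must'   },
    @{ First = 'User'; Last = 'Nine';  Logon = 'User9'; Password = 'User9'; Change = 'Cannot' }
)

foreach ($row in $rows) {
    # A blank password is accepted only when the domain password policy allows a
    # zero-length password (the Windows 2000 default); otherwise New-ADUser reports
    # an error for that row and the account is not created.
    if ($row.Password) {
        $secret = ConvertTo-SecureString $row.Password -AsPlainText -Force
    } else {
        $secret = New-Object System.Security.SecureString
    }

    $params = @{
        Name                  = "$($row.First) $($row.Last)"   # Full Name, unique in the container
        GivenName             = $row.First                     # First Name
        Surname               = $row.Last                      # Last Name
        SamAccountName        = $row.Logon                     # User Logon Name (Pre-Windows 2000)
        UserPrincipalName     = "$($row.Logon)@$upnSuffix"     # User Logon Name + domain list
        Path                  = $container                     # Create-In container
        AccountPassword       = $secret                        # Password / Confirm Password
        ChangePasswordAtLogon = ($row.Change -eq 'Must')       # User Must Change Password At Next Logon
        CannotChangePassword  = ($row.Change -eq 'Cannot')     # User Cannot Change Password
        Enabled               = $true                          # Account Is Disabled left clear
    }
    New-ADUser @params
}

# Confirm the five objects and the password flags that were set. PasswordExpired is
# True for the "Must" rows because the change-at-next-logon flag expires the password.
Get-ADUser -Filter 'SamAccountName -like "User*"' -SearchBase $container `
    -Properties CannotChangePassword, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, Enabled, CannotChangePassword, PasswordExpired |
    Format-Table -AutoSize
```

The script sets either the must-change or the cannot-change option for each row, never both, which sidesteps the interaction between the two check boxes that the practice asks you to explain.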
User Account Properties
A set of default properties is associated with each user account that you create. After you create a user account you can configure personal and account properties, logon options, and dial-in settings. For domain users, these account properties equate to object attributes.
You can use the properties that you define for a domain user account to search for users in the directory or for use in other applications as objects' attributes. For this reason, you should provide detailed definitions for each domain user account that you create.
The tabs in the Properties dialog box (see Figure 7.6) contain information about each user account. Table 7.10 describes the tabs in the Properties dialog box.
Table 7.10 Tabs in the Properties Dialog Box
Tab | Description |
---|---|
General | Documents the user's first name, last name, display name, description, office location, telephone number(s), e-mail address, home page, and additional Web pages |
Address | Documents the user's street address, post office box, city, state or province, zip or postal code, and country or region |
Account | Documents the user's account properties, including the following: user logon name, logon hours, computers permitted to log on to, account options, account expiration |
Profile | Sets a profile path, logon script path, home directory, and shared document folder |
Telephones | Documents the user's home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and contains space for comments |
Organization | Documents the user''s title, department, company, manager, and direct reports |
Remote Control | Configures Terminal Services remote control settings |
Terminal Services Profile | Configures the Terminal Services user profile |
Member Of | Documents the groups to which the user belongs |
Dial-In | Documents the dial-in properties for the user |
Environment | Configures the Terminal Services startup environment |
Sessions | Sets the Terminal Services timeout and reconnection settings |
NOTE
For a local user account, the Properties dialog box contains only the General, Member Of, and Profile tabs, as local users are not user objects in Active Directory.
Setting Personal Properties
Four of the tabs in the Properties dialog box contain personal information about each user account. These tabs are General, Address, Telephones, and Organization. Completing the properties of each of these tabs allows you to locate domain user accounts in the directory. For example, if all of the properties on the Address tab are complete, as shown in Figure 7.6, you can locate that person by using the street address or another field.
Figure 7.6 Address tab of the Properties dialog box
To set personal properties
On the Administrative Tools menu, click Active Directory Users And Computers, then click the domain.
Click the appropriate container to view available domain user accounts.
Right-click the appropriate domain user account and click Properties.
Click the appropriate tab for the personal properties that you want to enter or change and then enter values for each property.
Click OK.
Setting Account Properties
Use the Account tab in the Properties dialog box (see Figure 7.7) to set options for a domain user account.
Some of the domain user account options are the same for both the Account tab and the New Object-User dialog box. Table 7.11 describes the additional account properties that are not available when you create a domain user account.
Figure 7.7 Account tab of the Properties dialog box
Table 7.11 Additional Account Options
Option | Description |
---|---|
Store Password Using Reversible Encryption | Enables Macintosh users to log on. Macintosh computers only send this type of command. |
Smart Card Is Required For Interactive Logon | Allows a user to log on with a smart card. Additional hardware is required. |
Account Is Trusted For Delegation | Allows a user to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization. |
Account Is Sensitive And Cannot Be Delegated | Prevents the account from being assigned for delegation by another account. |
Use DES Encryption Types For This Account | Provides the Data Encryption Standard (DES). |
Do Not Require Kerberos Preauthentication | Removes Kerberos preauthentication for accounts using another implementation of Kerberos. Not all implementations or deployments of Kerberos use the preauthentication feature. |
Account Expires | Sets account expiration dates. Select Never if you do not want the account to expire. Select End Of and then enter a date in the adjoining text box if you want Windows 2000 to automatically disable the user account on the date you specify. |
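Several Table 7.11 options change how an account authenticates rather than who may use it, so an administrator usually wants to know which accounts carry them. The following report is an added example, not part of the lesson: it uses the ActiveDirectory PowerShell module (RSAT) and read access to the domain, and lists enabled accounts that have reversible password storage, DES-only keys, no Kerberos preauthentication, or delegation trust set, together with their expiration date. Each check box corresponds to one bit of the userAccountControl attribute; the bit values in the comments are the documented flag constants.

```powershell
# Added example, not from the lesson: report accounts with Table 7.11 options set.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Table 7.11 check box -> userAccountControl bit (documented flag constants).
$uacFlags = @{
    AllowReversiblePasswordEncryption = 0x000080   # Store Password Using Reversible Encryption
    SmartcardLogonRequired            = 0x040000   # Smart Card Is Required For Interactive Logon
    TrustedForDelegation              = 0x080000   # Account Is Trusted For Delegation
    AccountNotDelegated               = 0x100000   # Account Is Sensitive And Cannot Be Delegated
    UseDESKeyOnly                     = 0x200000   # Use DES Encryption Types For This Account
    DoesNotRequirePreAuth             = 0x400000   # Do Not Require Kerberos Preauthentication
}

# The module exposes the same bits as boolean properties; ask for them explicitly.
$reportProps = 'AllowReversiblePasswordEncryption', 'TrustedForDelegation',
               'UseDESKeyOnly', 'DoesNotRequirePreAuth', 'AccountExpirationDate'

function Get-RelaxedAuthAccounts {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties $reportProps |
        Where-Object {
            $_.AllowReversiblePasswordEncryption -or
            $_.TrustedForDelegation -or
            $_.UseDESKeyOnly -or
            $_.DoesNotRequirePreAuth
        } |
        Select-Object SamAccountName, AllowReversiblePasswordEncryption,
            TrustedForDelegation, UseDESKeyOnly, DoesNotRequirePreAuth,
            AccountExpirationDate
}

Get-RelaxedAuthAccounts | Format-Table -AutoSize

# The same selection as a raw LDAP query, for tools that lack the friendly
# properties: 1.2.840.113556.1.4.804 is the bitwise-OR matching rule (any bit set);
# 1.2.840.113556.1.4.803 would require all of the bits.
$anyRelaxedBit = $uacFlags.AllowReversiblePasswordEncryption -bor
                 $uacFlags.TrustedForDelegation -bor
                 $uacFlags.UseDESKeyOnly -bor
                 $uacFlags.DoesNotRequirePreAuth
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.804:=$anyRelaxedBit))"
Get-ADUser -LDAPFilter $ldapFilter | Select-Object SamAccountName, DistinguishedName
```

Accounts that legitimately need one of these options (the lesson's Macintosh and non-Windows Kerberos cases) should appear in this report with a documented reason; anything else is a candidate for clearing the check box, and the Account Expires column shows which of them will disable themselves anyway.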
Setting Logon Hours
Set logon hours to control when a user can log on to the domain. Restricting logon hours limits the hours that users can explore the network. By default, Windows 2000 permits access for all hours on all days. You might want to allow users to log on only during working hours. Setting logon hours reduces the amount of time that the account is open to unauthorized access.
To set logon hours
In the Properties dialog box, on the Account tab, click Logon Hours.
On the Logon Hours dialog box for the user, a blue box indicates that the user can log on during the hour. A white box indicates that the user cannot log on (see Figure 7.8).
To allow or deny access, do one of the following:
Select the rectangles on the days and hours for which you want to allow access, click the start time, drag to the end time, and then click Logon Permitted.
Select the rectangles on the days and hours for which you want to deny access, click the start time, drag to the end time, and then click Logon Denied.
NOTE
The days and hours for which you have allowed access are now shown in blue.
Click OK.
It is important that you remember that any connections to network resources on the domain are not disconnected when the user's logon hours run out. However, the user will not be able to make any new connections.
Figure 7.8 Logon Hours dialog box
Setting the Computers from Which Users Can Log On
Setting logon options for a domain user account allows you to control the computers from which a user can log on to the domain. By default, each user can log on from all computers in the domain. Setting the computers from which a user can log on prevents users from accessing another user's data that is stored on that user's computer.
NOTE
To control the computers from which a user can log on to a domain, NetBIOS must be enabled over TCP/IP.
To set logon workstations
In the Properties dialog box, on the Account tab, click Log On To.
On the Logon Workstations dialog box (see Figure 7.9), select the option that specifies from which computers a user can log on.
Add the computers from which a user can log on.
Use the computer name that you specified when you installed Windows 2000, which is the name of the computer account in the directory.
If necessary, delete or edit the name of a computer from which the user can log on.
Click OK.
Figure 7.9 Logon Workstations dialog box
Configuring Dial-In Settings
Configuring dial-in settings for a user account permits you to control how a user can make a dial-in connection to the network from a remote location. To gain access to the network, the user dials in to a computer running the Windows 2000 Remote Access Server (RAS).
NOTE
In addition to configuring dial-in settings and having RAS on the server to which the user is dialing in, you must also set up a dial-up connection for the server on the client computer. Set up a dial-up connection by using the Network Connection Wizard, which you can access from Network Connections in My Computer.
Configure dial-in settings on the Dial-In tab of the Properties dialog box. Table 7.12 describes the required options for setting up security for a dial-up connection.
Table 7.12 Options on the Dial-In Tab in the Properties Dialog Box
Option | Description |
---|---|
Allow Access | Turns on dial-in or virtual private network (VPN) remote access for the user. |
Deny Access | Turns off dial-in or VPN remote access for the user. |
Control Access Through Remote Access Policy | Specifies that remote access permission for this user is controlled through a remote access policy. |
Verify Caller-ID | Indicates the telephone number that the user must use to dial in. |
Callback Options | The callback methods, including: No Callback. The RAS server will not call the user back and the user pays the telephone charges. This is the default. Set By Caller (Routing and Remote Access Service Only). The user provides the telephone number for the RAS server to call back. The company pays the telephone charges for the session. Always Callback To. The RAS server uses the specified telephone number to call back the user. The user must be at the specified telephone number to make a connection to the server. This reduces the risk of an unauthorized person dialing in because the number is preconfigured. Use this option in a high-security environment. |
Assign A Static IP Address | Specifies whether to disregard group dial-in profile settings and assign a static TCP/IP address to this user. |
Apply Static Routes | Specifies whether to configure predefined routes for one-way initiated demand-dial routed connections. |
Static Routes | Allows the definition of static routes. |
Practice: Modifying User Account Properties
In this practice, you modify user account properties. You configure the logon hours and account expiration settings for several of the user accounts that you created in the previous practice. You add these user accounts to the Print Operators group so that the accounts can log on to the domain controller. Then you test the logon hours restrictions, the password restrictions that you set up when you created the accounts, and the account expiration settings.
Exercise 1: Configuring Logon Hours and Account Expiration
In this exercise you configure the hours during which User3 and User5 can log on to the computer, and for User5 you also set a date for the account to expire.
Scenario
Modify the following user accounts with the properties specified in Table 7.13.
Table 7.13 User Account Properties for Exercise 1
User Account | Logon Hours | Account Expires |
---|---|---|
User3 | 6 PM-6AM, Monday-Friday | |
User5 | | Today |
IMPORTANT
Complete the following procedure while you are logged on as Administrator with the Active Directory Users and Computers console running and your domain expanded in the console tree.
To specify logon hours
In the console tree of the Active Directory Users and Computers console, expand Users.
In the details pane, right-click User Three, then click Properties.
Windows 2000 displays the User Three Properties dialog box with the General tab active.
In the General tab, what information can you specify for the user account in addition to the first and last name? How would this information be useful?
Click the Account tab, and then click Logon Hours.
Windows 2000 displays the Logon Hours For User Three dialog box.
Currently, when can User Three log on?
To restrict the user's logon hours, click the start time of the first period during which you want to prevent the user from logging on and then drag the pointer to the end time for the period.
A frame outlines the blocks for all of the selected hours.
NOTE
To select the same block of time for all days in the week, above the Sunday row, click the gray block that represents the start time, and then drag the pointer to the end time. To select an entire day, click the gray block that is labeled with the name of the day.
Click Logon Denied.
The outlined area is now a white block, indicating that the user will not be permitted to log on during those hours.
Repeat Steps 4 and 5 as necessary until only the correct logon hours are allowed.
Click OK to close the Logon Hours For User Three dialog box.
In the User Three Properties dialog box, click OK to apply your settings and return to the Active Directory Users and Computers console.
To set account expiration for a user account
In the console tree of the Active Directory Users and Computers console, click Users.
In the details pane, right-click User Five and click Properties.
Windows 2000 displays the User Five Properties dialog box with the General tab active.
Click the Account tab.
When will the account expire?
Click End Of and then set the date to today's date.
Click OK to apply your changes and return to the Active Directory Users and Computers console.
Close the Active Directory Users and Computers console and log off Windows 2000.
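The Exercise 1 settings of Table 7.13, the Logon Hours procedure and the Log On To procedure applied from a script, as an added example that is not part of the lesson. It uses the ActiveDirectory PowerShell module (RSAT) and assumes a domain administrator session; the workstation names WS-01 and WS-02 are constructed, since the lesson restricts no particular account to particular computers. The Logon Hours grid is stored in the logonHours attribute as a 21-byte mask (168 bits, one per hour of the week, bit 0 of byte 0 being Sunday 00:00 to 01:00 UTC and the least-significant bit of each byte coming first); the console displays it shifted into the local time zone, so the helper shifts local hours to UTC before clearing bits.

```powershell
# Added example, not from the lesson: Exercise 1 (Table 7.13) plus a Log On To
# restriction, applied with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Build a logonHours value that permits every hour except the given local block on
# the given days. A set bit means "Logon Permitted" (the console's blue square).
function New-LogonHoursMask {
    param(
        [int[]] $DenyDays,       # 0 = Sunday ... 6 = Saturday (local time)
        [int]   $DenyFromHour,   # first denied local hour, inclusive (0-23)
        [int]   $DenyToHour      # end of the denied block, exclusive (1-24)
    )
    [byte[]] $mask = @(0xFF) * 21                    # start from "always permitted"
    # Current local offset from UTC in whole hours (the console applies the same bias).
    $bias = [int][Math]::Round([TimeZoneInfo]::Local.GetUtcOffset([DateTime]::Now).TotalHours)
    foreach ($day in $DenyDays) {
        for ($hour = $DenyFromHour; $hour -lt $DenyToHour; $hour++) {
            $utcHourOfWeek = (($day * 24 + $hour - $bias) % 168 + 168) % 168   # wrap around the week
            $byteIndex = [int][Math]::Floor($utcHourOfWeek / 8)
            $bitIndex  = $utcHourOfWeek % 8
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -band (0xFF -bxor (1 -shl $bitIndex)))
        }
    }
    return ,$mask
}

# User3 (Table 7.13): permitted 6 PM-6 AM Monday-Friday, i.e. deny 06:00-18:00 on days 1-5.
$user3Hours = New-LogonHoursMask -DenyDays 1,2,3,4,5 -DenyFromHour 6 -DenyToHour 18
Set-ADUser -Identity 'User3' -Replace @{ logonHours = $user3Hours }

# User5 (Table 7.13): Account Expires "End Of" today. The attribute stores the instant
# the account stops working, so "End Of today" is written as the start of tomorrow.
Set-ADAccountExpiration -Identity 'User5' -DateTime ([DateTime]::Today.AddDays(1))

# Log On To (Figure 7.9): a comma-separated list of NetBIOS computer names, which is
# why the lesson's NOTE requires NetBIOS over TCP/IP. WS-01 and WS-02 are constructed.
Set-ADUser -Identity 'User7' -LogonWorkstations 'WS-01,WS-02'

# Read back what was written; logonHours is shown as 21 hex bytes.
foreach ($id in 'User3', 'User5', 'User7') {
    Get-ADUser -Identity $id -Properties logonHours, AccountExpirationDate, LogonWorkstations |
        Select-Object SamAccountName, AccountExpirationDate, LogonWorkstations,
            @{ Name = 'logonHoursHex'
               Expression = { ($_.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' ' } }
}
```

Two points from the lesson carry over unchanged: an expired account or an ended logon window blocks new logons but does not drop sessions that are already open, and the logon hours you write here are what the Logon Hours dialog box will show after the time zone shift, so check the readback in the console before relying on it.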
Exercise 2: Testing User Accounts
In this exercise you log on each of the user accounts that you created in the previous exercises and then test the effects of the account settings.
To test logon capabilities of user accounts
Attempt to log on as User1 with no password.
Windows 2000 displays the Logon Message message box, indicating that you must change your password.
Click OK to close the Logon Message message box.
In the Change Password dialog box, leave the Old Password box blank, type student in the New Password box and the Confirm New Password box, and click OK.
Windows 2000 displays the Change Password message box indicating that your password was changed.
Click OK to close the Change Password message box.
Were you able to successfully log on? Why or why not?
There are several ways to allow regular users to log on at a domain controller. In the next procedure you add the users to the Print Operators group, because this group has the right to log on to a domain controller. Only users belonging to certain administrative groups may log on interactively to a domain controller. A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions to a group of users rather than having to assign permissions to each individual user account. For more information on groups, see Chapter 8, "Group Account Administration."
To add users to the Print Operators group
Log on as Administrator.
In the console tree of the Active Directory Users and Computers console, expand Users.
In the details pane, right-click User One, then click Properties.
Windows 2000 displays the User One Properties dialog box with the General tab active.
Click the Member Of tab.
Click Add.
Windows 2000 displays the Select Groups dialog box.
Select Print Operators, click Add, then click OK.
Click OK to close the User One Properties window.
Repeat Steps 3-7 for User3, User5, User7, and User9.
Close the Active Directory Users and Computers console and log off Windows 2000.
To test restrictions on logon hours
Attempt to log on as User1 with a password of student.
Were you able to successfully log on? Why or why not?
Log off Windows 2000 and attempt to log on as User3 with no password.
When prompted, change the password to student.
Were you able to successfully log on? Why or why not?
To test password restrictions
Attempt to log on as User7 with no password.
Were you able to successfully log on? Why or why not?
Attempt to log on as User7 with a password of User7.
When prompted, change the password to student.
Were you able to log on? Why or why not?
Log off Windows 2000.
Attempt to log on as User9 with a password of User9.
Were you able to successfully log on? Why or why not?
To test password restrictions by attempting to change a password
Press Ctrl+Alt+Delete.
Windows 2000 displays the Windows Security dialog box.
Click Change Password.
Windows 2000 displays the Change Password dialog box.
In the Old Password box, type the password for the User9 user account; in the New Password and Confirm New Password boxes, type student, then click OK.
Were you able to change the password? Why or why not?
Click OK to close the Change Password message box, then click Cancel to return to the Windows Security dialog box.
Click Log Off.
Windows 2000 displays the Log Off Windows dialog box, prompting you to verify that you want to log off.
Click Yes to log off.
To test account expiration
Attempt to log on as User5.
When prompted, change your password to student.
Were you successful? Why or why not?
Log off Windows 2000.
To change the system time
Log on to your domain as Administrator, click Start, point to Settings, then click Control Panel.
In Control Panel, double-click Date/Time.
Windows 2000 displays the Date/Time Properties dialog box.
Under Date, enter tomorrow's date, then click OK to apply your changes and return to Control Panel.
Close Control Panel and log off Windows 2000.
To test account expiration
Attempt to log on as User5 with a password of student.
Were you successful? Why or why not?
To change the system time
Log on to your domain as Administrator, click Start, point to Settings, then click Control Panel.
In Control Panel, double-click Date/Time.
Windows 2000 displays the Date/Time Properties dialog box.
Under Date, enter today's date, then click OK to apply your changes and return to Control Panel.
Close Control Panel and log off Windows 2000.
Lesson Summary
In this lesson you learned that local user accounts are created using the Local Users and Groups snap-in built into the Computer Management console, and domain user accounts are created using the Active Directory Users and Computers console. When you create a domain user account, it is always created on the first available domain controller that is contacted by Microsoft Management Console (MMC), and then the account is replicated to all domain controllers.
You also learned that there is a set of default properties associated with each user account that you create. You learned that for domain user accounts, these properties equate to object attributes, so you can use these properties to search for domain users in the directory.
In the practice portion of this lesson, you created five domain user accounts. You then configured account properties including modifying the logon hours, setting account expiration, and determining when and if a user can change his or her password. Finally, you tested these properties to verify that they worked as expected.