Lesson 6: Maintaining User Accounts
The needs of your organization may require you to modify user accounts. Other modifications are based on personnel changes or personal information. These include disabling, enabling, and deleting a user account. You may also need to unlock a user account or reset a user's password. This lesson takes you step-by-step through disabling, enabling, deleting, and unlocking user accounts and resetting user passwords.
NOTE
To modify a user account, you make changes to the user account object in Active Directory. To successfully complete the tasks for modifying user accounts, you must have permission to administer the object in which the user accounts reside.
After this lesson, you will be able to
Disable, enable, rename, and delete user accounts
Reset user passwords
Unlock user accounts
Estimated lesson time: 30 minutes
Disabling, Enabling, Renaming, and Deleting User Accounts
Modifications that you make to user accounts that affect the functionality of the user accounts include the following:
Disabling and enabling a user account. You disable a user account when a user does not need an account for an extended period, but will need it again. For example, if John takes a two-month leave of absence, you would disable his user account when he leaves. When he returns, you would enable his user account so that he could log on to the network again.
Renaming a user account. You rename a user account when you want to retain all rights, permissions, and group memberships for the user account and reassign it to a different user. For example, if there is a new company accountant replacing an accountant who has left the company, rename the account by changing the first, last, and user logon names to those of the new accountant.
Deleting a user account. Delete a user account when an employee leaves the company and you are not going to rename the user account. By deleting these user accounts, you do not have unused accounts in Active Directory.
The procedures for disabling, enabling, renaming, and deleting user accounts are very similar.
To disable, enable, rename, and delete user accounts
1. In the Active Directory Users and Computers console, expand the console tree until the appropriate user account is visible, and then select the user account.
2. On the Action menu, click the command for the type of modification that you want to make (see Figure 7.13).
Figure 7.13 Disabling, enabling, deleting, or renaming user accounts
NOTE
If a user account is enabled, the Action menu displays the Disable Account command. If a user account is disabled, the Action menu displays the Enable Account command.
Resetting Passwords and Unlocking User Accounts
If a user cannot log on to the domain or to a local computer because of a password problem, you might need to reset the user's password or unlock the user's account. To perform these tasks, you must have administrative privileges for the object in which the user account resides.
Resetting Passwords
If a user's password expires before he or she can change it, or if a user forgets his or her password, you need to reset the password. You do not need to know the old password to reset a password.
After the password has been set for a user account, either by the administrator or by the user, the password is not visible to any user, including the administrator. This improves security by preventing users, including the administrator, from learning another user's password. If passwords were readable, an administrator could look up a user's password, reset the password, and then log on as that user. After the administrator was through impersonating the user, the administrator could log back on and change the user's password back to what it was.
To reset user passwords
1. In the Active Directory Users and Computers console, expand the console tree until the appropriate user account is visible, and then select the user account.
2. On the Action menu, click Reset Password.
   The Reset Password dialog box appears.
3. Enter a new password for the user, confirm the password, and click OK.
In the Reset Password dialog box, you should always select User Must Change Password At Next Logon to force the user to change his or her password the next time he or she logs on.
NOTE
If a user logs on through the Internet only, do not select the User Must Change Password At Next Logon option.
Unlocking User Accounts
A Windows 2000 group policy locks out a user account when the user violates the policy—for example, if the user exceeds the limit that a group policy allows for bad logon attempts. When a user account is locked out, Windows 2000 displays an error message. For further information on using group policy, see Chapter 12, "Administering Group Policy."
To unlock a user's account
1. In the Active Directory Users and Computers console, expand the console tree until the appropriate user account is visible, and then select the user account, designated with a red "X."
2. On the Action menu, click Properties, and then in the Properties dialog box, click the Account tab.
   Notice that the Account Lock Out check box is selected.
3. Clear the check box and click OK.
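How the states this lesson changes through the console (disabled, must change password at next logon, locked out) are stored on the user object, as an added example that is not part of the original lesson. The attribute names userAccountControl, pwdLastSet and lockoutTime are Active Directory's own; the function name, the sample accounts and the 30-minute lockout duration are constructed for illustration.

```powershell
# Added example: decode account state from raw user-object attributes.
# Input objects stand in for directory reads, for example:
#   Get-ADUser -Filter * -Properties userAccountControl,pwdLastSet,lockoutTime
function Get-AccountState {
    param(
        [Parameter(Mandatory)] $User,
        # Assumed lockout duration; zero means "locked until an administrator unlocks".
        [timespan] $LockoutDuration = (New-TimeSpan -Minutes 30),
        [datetime] $Now = [datetime]::UtcNow
    )
    $UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit set by Disable Account

    $disabled = ($User.userAccountControl -band $UF_ACCOUNTDISABLE) -ne 0

    # "User Must Change Password At Next Logon" is stored as pwdLastSet = 0.
    $mustChange = ($User.pwdLastSet -eq 0)

    # lockoutTime is a FILETIME; 0 means not locked (unlocking writes 0).
    $locked = $false
    if ($User.lockoutTime -gt 0) {
        if ($LockoutDuration -eq [timespan]::Zero) {
            $locked = $true
        } else {
            $lockedAt = [datetime]::FromFileTimeUtc($User.lockoutTime)
            $locked = ($lockedAt + $LockoutDuration) -gt $Now.ToUniversalTime()
        }
    }

    [pscustomobject]@{
        Name               = $User.sAMAccountName
        Disabled           = $disabled
        MustChangePassword = $mustChange
        LockedOut          = $locked
    }
}

# Constructed sample accounts (not real directory data).
$now = [datetime]::UtcNow
$sample = @(
    # Disabled account whose password was reset with "must change" selected.
    [pscustomobject]@{ sAMAccountName = 'puser'; userAccountControl = 0x0202
                       pwdLastSet = 0; lockoutTime = 0 },
    # Enabled account locked out five minutes ago.
    [pscustomobject]@{ sAMAccountName = 'jdoe'; userAccountControl = 0x0200
                       pwdLastSet = $now.AddDays(-10).ToFileTimeUtc()
                       lockoutTime = $now.AddMinutes(-5).ToFileTimeUtc() }
)
$sample | ForEach-Object { Get-AccountState -User $_ -Now $now } | Format-Table
```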
Practice: Administering User Accounts
In this practice you work with disabling and enabling a user account and learn how to reset the password for a user account.
Exercise 1: Enabling a User Account
In this exercise you disable a user account so that it can no longer be used to log on to the domain. You then enable the same account.
To disable a user account
1. Log on to your domain as Administrator.
2. Start the Active Directory Users and Computers console.
3. Expand Microsoft.com domain and click Users.
4. In the details pane, right-click the Profile User account you created in Lesson 5, then click Disable Account.
   The Active Directory message box appears, stating that the account has been disabled. The account is also marked with a red "X."
5. Click OK to return to the Active Directory Users and Computers console.
6. In the details pane of the Active Directory Users and Computers console, right-click the user account that you just disabled to display the shortcut menu.
   How can you tell that the user account is disabled?
7. Log off Windows 2000.
8. Attempt to log on as puser.
   Were you successful? Why or why not?
Answers
To enable a user account
1. Log on to your domain as Administrator.
2. Start the Active Directory Users and Computers console.
3. Expand Microsoft.com domain and click Users.
4. In the details pane, right-click the Profile User account you created, and then click Enable Account.
   The Active Directory message box appears, confirming that the account has been enabled.
5. Click OK to return to the Active Directory Users and Computers console.
6. In the details pane of the Active Directory Users and Computers console, right-click the user account that you just enabled to display the shortcut menu.
   How can you tell that the user account is enabled?
7. Log off Windows 2000.
Answers
To test account enabling and to change the password for a user account
1. Log on as puser.
   Were you successful? Why or why not?
2. Change your password to student.
3. Log off Windows 2000.
Answers
Exercise 2: Resetting the Password for a User Account
In this exercise you reset the password for a user account.
To reset the password for a user account
1. Log on to your domain as Administrator.
2. Start the Active Directory Users and Computers console.
3. Expand Microsoft.com domain and click Users.
4. In the details pane, right-click the Profile User account, then click Reset Password.
   The Reset Password dialog box appears, prompting you for the new password for this account. Notice that the Administrator account is not able to view the current password.
5. In the New Password box and the Confirm Password box, type password and check the box labeled User Must Change Password At Next Logon.
6. Click OK.
   Windows 2000 displays the Active Directory message confirming that the password has been changed.
7. Click OK to return to the Active Directory Users and Computers console.
8. Log off Windows 2000.
To test password resetting
1. Log on as puser and type password as the password.
   Were you successful? Why or why not?
2. Log off Windows 2000.
Answers
Lesson Summary
In this lesson you learned about disabling and enabling user accounts. You disable a user account when a user does not need a user account for an extended period, but will need it again. You enable the account when it is needed again.
You also learned about renaming user accounts and deleting user accounts. You rename a user account when you want to retain all rights, permissions, and group memberships for the user account and reassign it to a different user. You delete a user account when it is no longer needed.
Finally, in this lesson you learned about resetting the password for a user account and enabling a user account that is locked. If a user's password expires before he or she can change it, or if a user forgets his or her password, you need to reset the password so that the user can log on to the domain. You also learned that if a user forgets his or her password and gets locked out of the system, you can log on as Administrator and unlock the account.
In the practice portion of this lesson, you disabled and enabled a user account and reset the password for a user account.