Microsoft® Windows® 2000 Administrator's Pocket Consultant, Second Edition
Author William R. Stanek
Pages 560
Disk N/A
Level All Levels
Published 08/14/2002
ISBN 9780735617926
Price $29.99

Chapter 9: Managing Existing User and Group Accounts continued


Updating User and Group Accounts

Active Directory Users And Computers is the tool to use when you want to update a domain user or group account. If you want to update a local user or group account, you'll need to use Local Users And Groups.

When you work with Active Directory, you'll often want to get a list of accounts and then do something with those accounts. For example, you might want to list all the user accounts in the organization and then disable the accounts of users who have left the company. One way to perform this task is to follow these steps:

  1. In Active Directory Users and Computers, right-click the domain name and then click Find.
  2. In the Find selection list, click Custom Search. This updates the Find dialog box to display a Custom Search tab.
  3. Using the In selection list, select the area you want to search. To search the enterprise, select Entire Directory.
  4. On the Custom Search tab, click Field to display a shortcut menu, point to User, and then select Logon Name (Pre-Windows 2000).
  5. Using the Condition selection list, choose Present and then click Add. If prompted to confirm, click Yes.
  6. Click Find Now. Active Directory Users and Computers will gather a list of all users in the designated area.
  7. You can now work with the accounts one by one or several at a time. To select multiple resources not in sequence, hold down the Ctrl key and then click the left mouse button on each object you want to select. To select a series of resources at once, hold down the Shift key, select the first object, and then click the last object.
  8. Right-click and then select an action from the shortcut menu that's displayed, such as Disable Account.

Use this same procedure to get a list of computers, groups, or other Active Directory resources. With computers, use a custom search, click Field, point to Computer, and then select Computer Name (Pre-Windows 2000). With groups, use a custom search, click Field, point to Group, and then select Group Name (Pre-Windows 2000).
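The Find procedure above, done from the command line as an added example (this is not code from the book; it assumes the ActiveDirectory PowerShell module, a hypothetical OU named OU=Staff,DC=example,DC=com, and a constructed list of leavers). The LDAP filter is the equivalent of the "Logon Name (Pre-Windows 2000) Present" condition, restricted to person objects so that computer accounts, which also have a pre-Windows 2000 name, are not swept up:

```powershell
# Added example (not from the book): list the user accounts under an OU and
# disable those belonging to people who have left. Assumes the ActiveDirectory
# module; the OU and the leaver names below are made up for the example.
Import-Module ActiveDirectory

function Get-DomainUserInventory {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Same query as Find > Custom Search > User > Logon Name (Pre-Windows 2000) > Present,
    # i.e. sAMAccountName=*; objectCategory=person keeps computer accounts out of the list.
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))' `
               -SearchBase $SearchBase -SearchScope Subtree `
               -Properties Enabled, LastLogonDate, Description |
        Select-Object SamAccountName, Name, Enabled, LastLogonDate, DistinguishedName
}

function Disable-LeaverAccounts {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$Commit        # without -Commit this is a dry run (Disable-ADAccount -WhatIf)
    )
    $inventory = Get-DomainUserInventory -SearchBase $SearchBase
    foreach ($sam in $SamAccountNames) {
        $user = $inventory | Where-Object { $_.SamAccountName -eq $sam }
        if (-not $user) { Write-Warning "$sam not found under $SearchBase"; continue }
        if (-not $user.Enabled) { Write-Verbose "$sam is already disabled"; continue }
        if ($Commit) {
            Disable-ADAccount -Identity $user.DistinguishedName
            # Record who disabled it and why; the GUI leaves no such trace.
            Set-ADUser -Identity $user.DistinguishedName `
                       -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME (leaver)"
        } else {
            Disable-ADAccount -Identity $user.DistinguishedName -WhatIf
        }
    }
}

# Constructed input for the example: logon names of people who have left.
$leavers = 'lindam', 'bobt'
Disable-LeaverAccounts -SamAccountNames $leavers -SearchBase 'OU=Staff,DC=example,DC=com' -Verbose
# Re-run with -Commit once the dry-run output lists exactly the accounts you expect.
```

Disabling rather than deleting keeps the SID, so the account can be re-enabled and its permissions still resolve if the person returns or an investigation needs the account intact.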

The sections that follow examine other techniques you can use to update (rename, copy, delete, and enable) accounts as well as to change and reset passwords. You'll also learn how to troubleshoot account logon problems.

Renaming User and Group Accounts

To rename an account, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're renaming.
  2. Right-click the account name and then choose Rename. Type the new account name when prompted.

SIDs

When you rename a user account, you give the account a new label. As discussed in Chapter 7, "Understanding User and Group Accounts," user names are meant to make managing and using accounts easier. Behind the scenes, Windows 2000 uses SIDs (security identifiers) to identify, track, and handle accounts independently from user names. SIDs are unique identifiers that are generated when accounts are created.

Because SIDs are mapped to account names internally, you don't need to change the privileges or permissions on the renamed account. Windows 2000 simply maps the SID to the new account names, as necessary.

One common reason for changing the name of a user account is that the user gets married and decides to change her last name. For example, if Linda Martin (lindam) gets married, she might want her user name to be changed to Linda Randall (lindar). When you change the user name from lindam to lindar, all associated privileges and permissions will reflect the name change. Thus, if you view the permissions on a file that lindam had access to, lindar will now have access (and lindam will no longer be listed).

Changing Other Information

When you change lindam to lindar, the user properties and names of files associated with the account aren't changed. This means you should update the account information. The information you might need to change includes:

  • Display Name  Change the user account's Display Name in Active Directory Users And Computers.
  • User Profile Path  Change the Profile Path in Active Directory Users And Computers and then rename the corresponding directory on disk.
  • Logon Script Name  If you use individual logon scripts for each user, change the Logon Script Name in Active Directory Users And Computers and then rename the logon script on disk.
  • Home Directory  Change the home directory path in Active Directory Users And Computers and then rename the corresponding directory on disk.
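The rename and the follow-up changes listed above, scripted as an added example (not code from the book). It assumes the ActiveDirectory module and hypothetical share names \\fs1\profiles, \\fs1\home and \\dc1\netlogon; the Linda Martin account names are the book's. It records the SID before the rename and checks it afterwards, which is the point of the SIDs discussion:

```powershell
# Added example (not from the book). Renames a domain user, updates the
# name-dependent attributes and directories, and verifies the SID is unchanged.
# Assumes the ActiveDirectory module; the share names are hypothetical.
Import-Module ActiveDirectory

function Rename-DomainUser {
    param(
        [Parameter(Mandatory)][string]$OldSam,          # e.g. lindam
        [Parameter(Mandatory)][string]$NewSam,          # e.g. lindar
        [Parameter(Mandatory)][string]$NewDisplayName,  # e.g. 'Linda Randall'
        [Parameter(Mandatory)][string]$NewSurname,
        [string]$ProfileRoot = '\\fs1\profiles',
        [string]$HomeRoot    = '\\fs1\home',
        [string]$ScriptRoot  = '\\dc1\netlogon'
    )
    $u = Get-ADUser -Identity $OldSam -Properties ProfilePath, HomeDirectory, ScriptPath
    $sidBefore = $u.SID.Value
    $upnSuffix = ($u.UserPrincipalName -split '@')[1]
    # Keep the GUID: Rename-ADObject changes the distinguished name.
    $guid = $u.ObjectGUID

    # The label: object name (CN), pre-Windows 2000 logon name, UPN, display name, surname.
    Rename-ADObject -Identity $guid -NewName $NewDisplayName
    Set-ADUser -Identity $guid -SamAccountName $NewSam -UserPrincipalName "$NewSam@$upnSuffix" `
               -DisplayName $NewDisplayName -Surname $NewSurname

    # Paths that embed the old logon name are not touched by the rename. Change the
    # attribute and the directory on disk together so they stay consistent.
    $changes = @{}
    if ($u.ProfilePath -eq "$ProfileRoot\$OldSam") {
        if (Test-Path -LiteralPath $u.ProfilePath) { Rename-Item -LiteralPath $u.ProfilePath -NewName $NewSam }
        $changes.ProfilePath = "$ProfileRoot\$NewSam"
    }
    if ($u.HomeDirectory -eq "$HomeRoot\$OldSam") {
        if (Test-Path -LiteralPath $u.HomeDirectory) { Rename-Item -LiteralPath $u.HomeDirectory -NewName $NewSam }
        $changes.HomeDirectory = "$HomeRoot\$NewSam"
    }
    if ($u.ScriptPath -eq "$OldSam.bat") {          # per-user logon script, relative to NETLOGON
        $oldScript = Join-Path $ScriptRoot $u.ScriptPath
        if (Test-Path -LiteralPath $oldScript) { Rename-Item -LiteralPath $oldScript -NewName "$NewSam.bat" }
        $changes.ScriptPath = "$NewSam.bat"
    }
    if ($changes.Count -gt 0) { Set-ADUser -Identity $guid @changes }

    # The security identity must not change; every ACL that named lindam is keyed on this SID.
    $after = Get-ADUser -Identity $guid
    if ($after.SID.Value -ne $sidBefore) { throw "SID changed while renaming $OldSam" }
    [pscustomobject]@{ OldLogon = $OldSam; NewLogon = $after.SamAccountName; SID = $sidBefore }
}

Rename-DomainUser -OldSam lindam -NewSam lindar -NewDisplayName 'Linda Randall' -NewSurname Randall
```

The directory renames only run when the stored path matches the old logon name exactly, so an account whose profile or home directory was deliberately placed elsewhere is left alone.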

Copying Domain User Accounts

Creating domain user accounts from scratch every time can be tedious. Instead of starting anew each time, you might want to use an existing account as a starting point. To do this, follow these steps:

  1. Right-click the account you want to copy in Active Directory Users And Computers and then choose Copy. This opens the Copy Object - User dialog box.
  2. Create the account as you would any other domain user account. Then update the properties of the account, as appropriate.

As you might expect, when you create a copy of an account, Active Directory Users And Computers doesn't retain all the information from the existing account. Instead, Active Directory Users And Computers tries to copy only the information you'll need and to discard the information that you'll need to update. The properties that are retained include

  • City, state, zip code, and country values set on the Address tab
  • Department and company set on the Organization tab
  • Account options set using the Account Options fields on the Account tab
  • Logon hours and permitted logon workstations
  • Account expiration date
  • Group account memberships
  • Profile settings
  • Dial-in privileges
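The same copy, done in code so that you can see exactly which properties carry over. This is an added example, not code from the book; it assumes the ActiveDirectory module, and the template and new account names are made up. Dial-in settings are stored in separate attributes and are not copied here:

```powershell
# Added example (not from the book). Creates a user from a template account,
# copying the properties the Copy Object - User dialog keeps: address,
# organization, account options, logon hours and workstations, expiration,
# profile settings and group memberships. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Copy-DomainUser {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$NewSam,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$Password
    )
    $t = Get-ADUser -Identity $TemplateSam -Properties City, State, PostalCode, Country,
        Department, Company, LogonWorkstations, logonHours, AccountExpirationDate,
        PasswordNeverExpires, CannotChangePassword, ProfilePath, HomeDirectory, HomeDrive,
        ScriptPath, MemberOf
    $container = ($t.DistinguishedName -split ',', 2)[1]      # create it next to the template
    $upnSuffix = ($t.UserPrincipalName -split '@')[1]
    # Paths that embed the template's logon name get the new logon name instead.
    $swap = { param($v) if ($v) { $v -replace [regex]::Escape($TemplateSam), $NewSam } }

    $new = @{
        Name = "$GivenName $Surname"; GivenName = $GivenName; Surname = $Surname
        SamAccountName = $NewSam; UserPrincipalName = "$NewSam@$upnSuffix"; Path = $container
        AccountPassword = $Password; Enabled = $true
        # "must change at next logon" cannot be combined with "password never expires"
        ChangePasswordAtLogon = (-not $t.PasswordNeverExpires)
        City = $t.City; State = $t.State; PostalCode = $t.PostalCode; Country = $t.Country
        Department = $t.Department; Company = $t.Company
        LogonWorkstations = $t.LogonWorkstations; AccountExpirationDate = $t.AccountExpirationDate
        PasswordNeverExpires = $t.PasswordNeverExpires; CannotChangePassword = $t.CannotChangePassword
        ProfilePath = (& $swap $t.ProfilePath); HomeDirectory = (& $swap $t.HomeDirectory)
        HomeDrive = $t.HomeDrive; ScriptPath = (& $swap $t.ScriptPath)
    }
    # New-ADUser rejects null or empty values, so pass only what the template actually has.
    foreach ($k in @($new.Keys)) {
        if ($null -eq $new[$k] -or ($new[$k] -is [string] -and $new[$k] -eq '')) { $new.Remove($k) }
    }
    $user = New-ADUser @new -PassThru

    # Memberships live on the group objects, not the user, so copy them separately.
    foreach ($g in $t.MemberOf) { Add-ADGroupMember -Identity $g -Members $user }
    # Logon hours are a 21-byte bitmap; copy it verbatim.
    if ($t.logonHours) { Set-ADUser -Identity $user -Replace @{ logonHours = $t.logonHours } }
    Get-ADUser -Identity $user -Properties MemberOf, LogonWorkstations, ProfilePath, AccountExpirationDate
}

$pw = Read-Host -Prompt 'Initial password' -AsSecureString
Copy-DomainUser -TemplateSam 'tmpl.sales' -NewSam 'janed' -GivenName Jane -Surname Doe -Password $pw
```

Copying group memberships is where the risk is: a template that was ever added to an administrative group silently hands that group to every account cloned from it, so review the template's MemberOf before using it.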

Deleting User and Group Accounts

Deleting an account permanently removes the account. Once you delete an account, you can't create an account with the same name to get the same permissions. That's because the SID for the new account won't match the SID for the old account. Permissions that referred to the deleted account stay behind in ACLs as unresolved SIDs until you remove them.

Because deleting built-in accounts can have far-reaching effects on the domain, Windows 2000 doesn't let you delete built-in user accounts or group accounts. You can remove other types of accounts by selecting them and pressing the Delete key or by right-clicking and selecting Delete. When prompted, click OK and then click Yes.

With Active Directory Users And Computers, you can select multiple accounts by doing one of the following:

  • Select multiple user names for editing by holding down the Ctrl key and clicking the left mouse button on each account you want to select.
  • Select a range of user names by holding down the Shift key, selecting the first account name, and then clicking on the last account in the range.

Enabling User Accounts

User accounts can become unusable for several reasons. If a user forgets the password and tries to guess it, the user might exceed the account lockout threshold set in the account policy, and the account is locked out. Another administrator could have disabled the account while the user was on vacation. Or, the account could have expired. The steps to follow to restore an account that is disabled, locked out, or expired are described below.

Account Disabled

When an account is disabled, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're restoring.
  2. Right-click the user's account name and then select Enable Account.

Account Locked Out

When an account is locked out, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're restoring.
  2. Double-click the user's account name and then clear the Account Is Locked Out check box. In Active Directory Users And Computers, this check box is on the Account tab.

Account Expired

Active Directory Users And Computers exposes an expiration date only for domain accounts; Local Users And Groups has no such setting for local user accounts.

When a domain account has expired, complete the following steps:

  1. Access Active Directory Users And Computers.
  2. Double-click the user's account name and then select the Account tab.
  3. In the Account Expires panel, select End Of and then click the down arrow on the related field. This displays a calendar that you can use to set a new expiration date.

Changing and Resetting Passwords

As an administrator, you'll often have to change or reset user passwords. This usually happens when users forget their passwords or their passwords expire. Because a reset hands control of the account to whoever asked for it, confirm the requester's identity through a channel you trust, such as a callback to a known number or in person, before you reset anything.

To change or reset a password, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate.
  2. Right-click the account name and then choose Reset Password or Set Password, as appropriate.
  3. Type a new password for the user and confirm it. The password should conform to the password policy set for the computer or domain. In Active Directory Users And Computers, also select User Must Change Password At Next Logon so the temporary password is replaced at first use.
  4. Double-click the account name and then clear Account Is Disabled and Account Is Locked Out, whichever is appropriate and necessary. In Active Directory Users And Computers, these check boxes are on the Account tab.
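The enable, unlock, expiration and reset steps of this section combined into one procedure, as an added example (not code from the book). It assumes the ActiveDirectory module; the account name is made up. Note that unlocking and resetting are distinct operations: resetting a password does not clear a lockout.

```powershell
# Added example (not from the book). Restores a user to a working state: enable,
# unlock, fix an expired date, reset the password and require a change at next
# logon. Assumes the ActiveDirectory module; the account name is made up.
Import-Module ActiveDirectory

function Restore-UserAccess {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [securestring]$NewPassword,      # omit to leave the password alone
        [datetime]$NewExpiry             # omit to clear an expired date instead
    )
    $u = Get-ADUser -Identity $Sam -Properties LockedOut, AccountExpirationDate, PasswordExpired
    $actions = @()

    if (-not $u.Enabled) {
        Enable-ADAccount -Identity $u                     # Enable Account in the GUI
        $actions += 'enabled (was disabled)'
    }
    if ($u.LockedOut) {
        Unlock-ADAccount -Identity $u                     # clears Account Is Locked Out
        $actions += 'unlocked (bad-password lockout)'
    }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -le (Get-Date)) {
        if ($PSBoundParameters.ContainsKey('NewExpiry')) {
            Set-ADAccountExpiration -Identity $u -DateTime $NewExpiry
            $actions += "expiration moved to $NewExpiry"
        } else {
            Clear-ADAccountExpiration -Identity $u        # Account Expires: Never
            $actions += 'expiration cleared'
        }
    }
    if ($NewPassword) {
        # -Reset sets a password without knowing the old one (the Reset Password right).
        # Forcing a change at next logon means the administrator never holds a working credential.
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $NewPassword
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        $actions += 'password reset, change required at next logon'
    }
    [pscustomobject]@{ Account = $Sam; PasswordWasExpired = $u.PasswordExpired; Actions = $actions }
}

# Ask for the temporary password interactively so it never lands in the command history.
$tmp = Read-Host -Prompt 'Temporary password' -AsSecureString
Restore-UserAccess -Sam lindar -NewPassword $tmp
```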

Troubleshooting Logon Problems

The previous section listed ways in which accounts can become disabled. Beyond the typical reasons for an account being disabled, some system settings can also cause access problems. Specifically, you should look for the following:

  • User gets a message that says that the user can't log on interactively  The user right to log on locally isn't set for this user, and the user isn't a member of a group that has this right.

    The user might be trying to log on to a server or domain controller. If so, keep in mind that the right to log on locally is set for domain controllers through the Default Domain Controllers Policy, so it applies to all domain controllers in the domain. On any other computer, the right applies only to the single workstation or server on which it's set.

    If the user should have access to the local system, configure the Logon Locally user right as described in the section of Chapter 8 entitled "Configuring User Rights Policies."

  • User gets a message that the system could not log the user on  If you've already checked the password and account name, check the account type. The user might be trying to access the domain with a local account, or the local computer with a domain account. If this isn't the problem, no global catalog server might be reachable. In a native-mode domain the global catalog is needed to evaluate universal group membership at logon, so ordinary domain logons fail while it is unavailable; members of Domain Admins can still log on.
  • User has a mandatory profile and the computer storing the profile is unavailable  When a user has a mandatory profile, the computer storing the profile must be accessible during the logon process. If the computer is shut down or otherwise unavailable, users with mandatory profiles won't be able to log on.
  • User gets a message saying the account has been configured to prevent the user from logging on to the workstation  The user is trying to access a workstation that isn't defined as a permitted logon workstation. If the user should have access to this workstation, change the logon workstation information as described earlier in the section of this chapter entitled "Setting Permitted Logon Workstations."
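A script that checks the four causes above for one user on the computer it runs on, as an added example (not code from the book). It assumes the ActiveDirectory module, the Get-LocalUser cmdlet (Windows 10 and Windows Server 2016 or later) and an elevated prompt, because secedit needs one to export the local policy; the account name is made up:

```powershell
# Added example (not from the book). Checks logon workstation restrictions, a
# mandatory profile's reachability, a clashing local account, and the local
# "log on locally" rights for one user on this computer. Assumes the
# ActiveDirectory module, Get-LocalUser and an elevated prompt.
Import-Module ActiveDirectory

function Test-UserLogonPrerequisites {
    param([Parameter(Mandatory)][string]$Sam, [string]$Computer = $env:COMPUTERNAME)
    $u = Get-ADUser -Identity $Sam -Properties LogonWorkstations, ProfilePath
    $findings = @()

    # "configured to prevent the user from logging on to the workstation"
    if ($u.LogonWorkstations) {
        $allowed = $u.LogonWorkstations -split ','
        if ($allowed -notcontains $Computer) {
            $findings += "LogonWorkstations limits $Sam to $($allowed -join ', '); $Computer is not listed"
        }
    }

    # Mandatory profile: NTUSER.MAN on a server that must be reachable during logon
    if ($u.ProfilePath) {
        if (-not (Test-Path -LiteralPath $u.ProfilePath)) {
            $findings += "profile path $($u.ProfilePath) is unreachable; if it holds NTUSER.MAN the logon is refused"
        } elseif (Test-Path -LiteralPath (Join-Path $u.ProfilePath 'NTUSER.MAN')) {
            $findings += "mandatory profile at $($u.ProfilePath); that server must stay reachable"
        }
    }

    # Local account with the same name: typing .\name or COMPUTER\name targets it, not the domain
    if (Get-LocalUser -Name $Sam -ErrorAction SilentlyContinue) {
        $findings += "a local account named $Sam exists on $Computer; check which account the user is selecting"
    }

    # "can't log on interactively": who holds Allow/Deny log on locally on this computer
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.*)$') {
            # secedit writes SIDs as *S-1-5-32-545; names appear for principals it could not resolve
            $rights[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    # SIDs the user carries from the domain side (direct group memberships only)
    $mine = @($u.SID.Value) + @((Get-ADPrincipalGroupMembership -Identity $u).SID.Value)
    $deny = $rights['SeDenyInteractiveLogonRight'] | Where-Object { $mine -contains $_ }
    if ($deny) { $findings += "explicitly denied local logon via $($deny -join ', ')" }
    $allow = $rights['SeInteractiveLogonRight'] | Where-Object { $mine -contains $_ }
    if (-not $allow) {
        $findings += "no direct grant of log on locally; granted to: $($rights['SeInteractiveLogonRight'] -join ', ') (check local group nesting, e.g. Domain Users in Users)"
    }

    [pscustomobject]@{ User = $Sam; Computer = $Computer; Findings = $findings }
}

Test-UserLogonPrerequisites -Sam lindar
```

The user-rights check only compares the user's domain SIDs with the policy, so a grant that reaches the user through a local group (Users, for example) shows up as "no direct grant" and needs a look at the local group's membership.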

Setting Advanced Active Directory Permissions

As you know from previous discussions, user, group, and computer accounts are represented in Active Directory as objects. Active Directory objects have standard and advanced security permissions. These permissions grant or deny access to the objects. You can view advanced security permissions for objects by completing the following steps:

  1. Start Active Directory Users And Computers and then display advanced options by selecting Advanced Features from the View menu. Next, right-click the user, group, or computer account you want to work with.
  2. Select Properties from the shortcut menu and then click the Security tab in the Properties dialog box.
  3. Select the user, computer, or group whose permissions you want to view in the Name list box. If the permissions are dimmed, it means the permissions are inherited from a parent object.

Understanding Advanced User, Group, and Computer Permissions

Advanced permissions for Active Directory objects aren't as straightforward as other permissions. Each object class has its own set of permissions specific to that class, such as Reset Password on user objects. Objects also carry general permissions that they inherit from the container in which they are defined.

Table 9-2 summarizes the most common object permissions. Keep in mind that some permissions are generalized. With Read Property and Write Property, Property is a placeholder for the actual property name, such as Read General Information or Write General Information. With Create Object and Delete Object, Object is a placeholder for a class of child object, such as Create User Objects or Delete Computer Objects. Keep in mind that Active Directory stores information about many types of objects, including users, groups, computers, and much more.

Table 9-2. Advanced Permissions for Active Directory Objects

Permission                   Description
Full Control                 Permits reading, writing, modifying, and deleting
List Contents                Permits viewing object contents
Read Property                Permits reading a particular property of an object, such as Read Group Membership
Write Property               Permits writing to a particular property of an object, such as Write Group Membership
Read All Properties          Permits reading all object properties
Write All Properties         Permits writing all object properties
Delete                       Permits deletion of the object
Delete Subtree               Permits deletion of the object and its child objects
Modify Owner                 Permits modifying the ownership of the object
Validate Write To ...        Permits a particular type of validated write
Extended Write To ...        Permits a particular type of extended write
All Validated Writes         Permits all types of validated writes
All Extended Writes          Permits all extended writes
Create Object                Permits creation of a specific class of child object, such as Create User Objects
Delete Object                Permits deletion of a specific class of child object, such as Delete Computer Objects
Create All Child Objects     Permits creation of all child objects
Delete All Child Objects     Permits deletion of all child objects
Change Password              Permits changing the object's password when the current password is known
Receive As                   Permits receiving as the object (an extended right used by Exchange)
Reset Password               Permits setting a new password for the object without knowing the current one
Send As                      Permits sending as the object (an extended right used by Exchange)
Add/Remove Self As Member    Permits the trustee to add or remove itself as a member of the group

Setting Advanced User, Group, and Computer Permissions

To set advanced permissions for Active Directory objects, follow these steps:

  1. Start Active Directory Users And Computers and then right-click the user, group, or computer account you want to work with.
  2. Select Properties from the shortcut menu and then click the Security tab in the Properties dialog box as shown in Figure 9-11.
    Figure 9-11. Use the Security tab to configure object permissions.

  3. Users, computers, or groups that already have access to the object are listed in the Name list box. You can change permissions for these entries by doing the following:
    • Select the user or group you want to change.
    • Use the Permissions list box to grant or deny access permissions. Keep in mind that an explicit Deny takes precedence over an Allow.
    • Inherited permissions are dimmed. Override inherited permissions by selecting the opposite permission.

  4. To set access permissions for additional users, computers, or groups, click Add. In the Select Users, Computers, Or Groups dialog box, select the user, computer, or group you want to add, click Add, and then click OK.
  5. Select the newly added entry in the Name list box and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.
  6. Click OK when you're finished.
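Viewing and setting advanced permissions from PowerShell, covering both the viewing steps earlier in this section and the setting steps above, as an added example (not code from the book). It assumes the ActiveDirectory module, which provides the AD: drive, and a hypothetical OU OU=Staff,DC=example,DC=com and group EXAMPLE\HelpDesk. The example delegates the Reset Password extended right from Table 9-2 on user objects under the OU, resolving the right's GUID and the user class GUID from the forest instead of hard-coding them:

```powershell
# Added example (not from the book). Lists the explicit (non-inherited) advanced
# permissions on an object, then delegates the Reset Password extended right on
# user objects under an OU. Assumes the ActiveDirectory module and its AD: drive;
# the OU and group names are made up.
Import-Module ActiveDirectory

function Get-ExplicitADPermissions {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # IsInherited is what the GUI shows dimmed; only explicit entries are returned here.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

function Grant-ResetPasswordOnUsers {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Delegate          # 'DOMAIN\Group' form
    )
    $rootDse = Get-ADRootDSE
    # The extended right is the controlAccessRight whose displayName is "Reset Password";
    # the class GUID comes from the schema. Both are looked up rather than hard-coded.
    $resetRight = Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' -Properties rightsGuid
    $userClass  = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID
    $resetGuid = [guid]$resetRight.rightsGuid
    $userGuid  = New-Object -TypeName Guid -ArgumentList (,$userClass.schemaIDGUID)

    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Delegate
    # ExtendedRight + the right's GUID = "Reset Password"; Descendents + the user class GUID
    # limits inheritance to user objects below the OU, not to every object class.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $who,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid
    )

    $path = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Show the entry that was just written.
    Get-ExplicitADPermissions -DistinguishedName $OuDistinguishedName |
        Where-Object { $_.IdentityReference -eq $Delegate }
}

Grant-ResetPasswordOnUsers -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -Delegate 'EXAMPLE\HelpDesk'
```

Whoever holds Reset Password on an OU can take over every user account in it, so check that the OU contains no administrative accounts before delegating. Accounts protected by AdminSDHolder (adminCount set to 1) periodically have such inherited entries stripped again, which is by design and not a sign that the delegation failed.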


Last Updated: August 26, 2002