This video looks at how to create a new user in Active Directory and the properties that can be configured for that user. Once a user is created in Active Directory, this user can be used as a template for other users on the system. This video covers how to create a template and use it later on to create additional users.
Demonstration 0:19
UPN Suffix
Each user that is created has a UPN suffix assigned to them. The UPN suffix by default will be the DNS domain name. It is possible to have more than one UPN suffix defined. If multiple UPN suffixes are defined when the user is created, a UPN suffix can be chosen that is different from the domain. For example, if the domain is ITFreeTraining.local, another UPN suffix may be created called IFTraining.com. This allows the internal domain to be referenced via a DNS name that is not discoverable on the internet. This method also provides a friendlier DNS name for staff when they login.
User properties
For the properties of each user, there are a number of settings that can be configured. Listed below are the settings for a user account in Active Directory organized by the tab the setting can be found on.
General Tab
This tab contains a number of fields for the user name, office location, telephone number, etc. Filling in these fields helps a user when performing searches on the network. For example, if they wanted to search for all staff in a certain office they could search based on the office field. All the fields are informational only and do not affect how the account operates.
Address Tab
The address tab has details about the physical location of the user. These include the street number, city, etc. All the fields are informational only and do not affect how the account operates.
Account Tab
User Logon Name: This is the name that the user will use to login, e.g., DoeJ. Next to this is the UPN suffix that is associated with the user, e.g., ITFreeTraining.local. These put together can be used to login into the network, e.g. DoeJ@ITFreeTraining.local. The user can also use the NetBios domain name to login rather than the UPN suffix, e.g. ITFreeTraining\DoeJ
User Logon Name (Pre Windows 2000): This is the user name that will be used by old clients like Windows NT and some old non Microsoft systems. When possible you should keep this the same as the User Logon Name to prevent confusion. The pre Windows 2000 logon name is limited to 20 characters.
Logon Hours: The Logon Hours button allows the administrator to set when the user can be authenticated on the network. By default, if the user is logged in past the hours configured here, they will not be able to open any new connections; however, any existing connections will still be able to be used.
Log On To: The Log On To button allows you to configure which computers the user can logon to. If you have configured a kiosk account, you may want to add the kiosk computers in here to prevent that user from being used on another computer.
Unlock Account: If the user has too many wrong login attempts due to incorrect passwords, the account will be locked. To enable the account again, clear this tick box.
User Must Change Password at Next Login: When this tickbox is ticked, the user will be forced to change their password the next time they login. This should not be used for a service account as this will prevent the account from working until the password has been changed.
User Cannot Change Password: This tickbox prevents the user from changing their password. This setting is usually used for shared logins, for example, a login that was used for an internet kiosk.
Password Never Expires: This tick box prevents the password from expiring as set in the domain password policy. The domain password policy will define how long a user can have the same password before it has to be changed. This option is normally used for service accounts. A service account is often used for software like Exchange. If the password on the account were to expire, this would stop the software from working.
Store Password Using Reversible Encryption: This stores a copy of the user’s password in an attribute in the user account that can be decrypted. The encryption used and password used for encryption is widely known so it is quite easy to decrypt the password assuming that the person doing so has enough access to read the attribute in the user’s account. Some old clients may require this option but it is best not to enable it if you don’t have to do so. This option is sometimes used to migrate users from one system to another. Since the password can be decrypted, another system can use this attribute to transfer the password. It should be remembered that the password will not be stored in this attribute after this option has been ticked until the password has been changed.
Account Is Disabled: This tick box will disable the account. The account can’t be used until it is enabled again.
Smartcard Is Required for Interactive Login: This option will not allow a user to log into a computer unless a Smartcard is used.
Account Is Sensitive and Cannot Be Delegated: By default delegation is disabled in Active Directory. If it is enabled and this tick box is ticked, this user account will not b0e able to be used for delegation.
Use Kerberos DES Encryption Types for This Account: Enables DES encryption for the account. This is weaker than Kerberos but may be required for older operating systems or non Microsoft systems.
This Account Supports Kerberos AES 128bit Encryption: Allows 128bit AES encryption to be used. This requires the client and server both to support it. This does not mean that 128bit encryption will be used; it simply means that it is available to be used if required.
This Account Supports Kerberos AES 256bit Encryption: Same as above but for 256bit AES encryption.
Do Not Require Kerberos Pre-authentication: This option will remove the timestamp from the Kerberos ticket. This may be required to allow the user account to work with some non Microsoft systems. Since there is no time stamp in the Kerberos ticket, the Kerberos ticket may be able to be used in a replay attack. A replay attack is when the communication is captured and replayed again at a later date.
Account Expires: This allows you to set a date and time when the account will no longer be able to be used. If you have staff that are on short term contracts, you may want to configure this option so they cannot use the account after their contract expires. The account expires on midnight of that day. If the user is still logged in at that time, they will still be able to use the account but they will not be able to make any new connections.
Profile tab
Profile Path: This is the location where the user profile can be stored. This option allows the profile to become roaming. This means the profile specified will be used when the user logins to another system. This allows the user to have the same user experience when they use multiple computers. When specifying the path for the profile, %username% can be used and Windows will substitute this string for the username. Using this string allows the user account to be easily copied to another account without having to change the profile setting for each user.
Logon Script: This is the name of a script that will be run each time the user logs in. The script is stored in the NetLogon share on a Domain Controller.
Home Folder: This allows you configure a location for the user to store their documents. The location can be a share location or you can also map a drive to a share for the user.
This tab has a number of fields that can be configured for the user’s telephone numbers. These include home, pager, mobile, fax, and IP phone. There is also a notes section that can be used to put in additional information about the user. Fields on this screen are for information purposes only and do not affect how the account operates.
Organization Tab
This tab allows more information about the user’s job title, department, and company to be added. Additional details about who they report to can be added here. The information in this tab does not affect how the account operates.
Member Of Tab
This tab lists all the groups that the user is a member of. At the bottom is an option, set primary group. When the user is a member of more than one group you can set the primary group using this option. The primary group is only used with Macintosh and UNIX based systems. Generally this option is used when creating files. Macintosh and UNIX based systems will use the primary group listed here when creating files or folders.
Remote Desktop Services Profile Tab
This tab allows the administrator to set up a profile to be used when using remote desktop servers. Using a remote desktop profile like this allows the same profile to be used regardless of which remote desktop server the user connects to. If a profile location is specified in here, it will override the settings in the profile tab when the user connects to a remote desktop server.
Deny This User Permissions to Log On to Remote Desktop Session Host Server: If this option is ticked this will deny the user the ability to connect to a Remote Desktop server using Remote Desktop. If the user is an administrator and this option is ticked, it will still deny them. Windows Servers can be configured for Remote Desktop access only for server administration. When the server is in this mode, 2 administrators can connect to the server at once. If this is the case and this option is ticked, the user’s account will still be able to use Remote Desktop to access the server for administration reasons.
Remote Virtual Desktop Tab
This allows the administrator to assign a virtual Hyper-V computer to the user.
Com+ Tab
This is used with COM+. COM+ is an application framework provided by Microsoft. This setting allows you to configure a different COM+ partition to be configured for that user. This means different users can have different COM+ partitions, thus separating their data.
Dial-in Tab
Network Access Permission: This setting determines if the user can use dial in or use a VPN to access the network. The default option is to use a Network Policy Server or NPS. This is the preferred option because it allows centralised control and the use of groups. The other two options are allow and deny which must be set for each user and offer no centralized management.
Verify Called ID: When the user connects to the network using a modem, this setting can hold the telephone number of the user, allowing Windows to check which phone number that user is using to dial in.
Callback Options: These options determine if Windows is allowed to call the user back when they connect to the network. Using call back allows the company to pay for the call charge rather than the user. By default the option is no callback. This can be configured to set by caller or always call back.
Assign Static IP Address: This allows a static IP address to be configured for that user so when they connect they will always get the same IP address.
Apply Static Routes: This option allows routes to be configured that will be added to the user’s routing table when they connect up.
Environment Tab
These settings are used when connecting up using Remote Desktop to a Remote Desktop Server.
Starting Program: Allows a program to be configured to run when the user logs in, for example, a menu program that allows the user to launch other applications.
Connect Client Drives at Logon: This option will connect all the local drives on the client’s computer as mapped drives inside the Remote Desktop session.
Connect Client Printers at Logon: This will create copies of the client’s local printers in the Remote Desktop session for them to use.
Default to Main Client Printer: This will make the Remote Desktop session default printer the same as the client’s local computer.
Sessions Tab
This tab allows you to configure a number of options that will be used for the user in Remote Desktop.
End a Disconnected Session: This is the time taken for a disconnected session on the Remote Desktop Server to be ended. Until it is ended, the user will be able to reconnect to the Remote Desktop Server and access the session.
Active Session Limit: This sets a limit on how long a session can stay open on a Remote Desktop Server. This stops a user from connecting up to the server and staying logged in indefinitely.
Idle Session Limit: This setting determines how long a user setting can stay idle for.
When a Session Limit Is Reached or Connection Is Broken: This setting will determine what will happen if either of the above two options occur, that is, the session is idle for too long or the session is open too long. The session will either be disconnected or ended.
Allow Reconnection: This setting determines, once a user is disconnected, if they have to connect again from the same computer or if they are allowed to reconnect using a different computer.
Remote Control Tab
This tab refers to the remote control options used when connecting to a Remote Desktop Server.
Enable Remote Control: If ticked, allows an administrator to remote control a user’s session.
Require User’s Permission: Will determine if the user’s permission is required before remote controlling a session or not.
Published Certificates Tab
This tab will show any certificates that are associated with that user. Additional certificates can be added to the user from here as well.
Password Replication Tab
Read only Domain Controllers have the option to cache the user’s password on the Read Only Domain Controller. This tab will show any read only Domain Controllers that have this user’s password cached on that server.
Attribute Editor Tab
This tab allows the administrator to manually edit any of the attributes that are associated with that user. It is recommended that you always use the tools provided by Microsoft rather than modifying the attributes directly.
Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest.
Demonstration creating a new user
To create a new user in Active Directory, open Active Directory Users and Computers from administrative tools under the start menu. To create a new user, right click users and select new user. This will launch the wizard in which you can enter in the basic details for the users. In the properties for the user, there are a lot of settings that can be configured. Details about these properties are listed above.
A lot of common administration tasks are available by right clicking the user. These include copy, add to group, disable account, reset password, move, delete, and properties.
When you copy a user, a wizard will appear asking for the settings for some of the fields that will be used with the new user. The rest of the settings will be set to the same settings as the user from which you are copying.
If you need to delete a user, it is recommended that you disable the account first. When you are sure the account is no longer required, you should delete the account then.
To show advanced options, select the view menu and then select the option advanced features.
If you need to make changes to multiple users at once, select the users and open the properties. The properties that are common to all those users will be shown.
References
“Logon hours and other user settings” http://technet.microsoft.com/en-us/library/bb726988.aspx
“preauthentication” http://technet.microsoft.com/en-us/library/bb742516.aspx
“Primary group” http://technet.microsoft.com/en-us/library/bb726986.aspx
Credits
