In this lesson, you will learn about managing users’ accounts with Windows Server 2019 Active directory.
Creating user accounts
In Active Directory Domain Service (AD DS), you must configure all users who require access to network resources with a user account.
With this user account, users can authenticate to the AD DS domain and access network resources.
In Windows Server 2019, a user account is an object that contains all the information that defines a user.
A user account includes the user name, user password, and group memberships.
A user account also contains many other settings that you can configure based on your organizational requirements.
With an ADDS user account, you can do these things:
- Allow or deny users permission to sign in to a computer-based on their user account identity.
- Grant users access to processes and services for a specific security context.
- Manage users’ access to resources such as AD DS objects and their properties, shared folders, files, Directories, and printer queues.
A user account enables a user to sign in to computers and domains with an identity that the domain can Authenticate.
When you create a user account, you must provide a user logon name, which must be unique in the domain and forest in which you create the user account.
To maximize security, you should avoid multiple users sharing a single account and instead ensure that each user who signs in to the network has a unique user account and password. That is the best practice when we creating ADDS users in Domain environment.
Creating user accounts and Configuring user account attributes
A user account includes the user name and password, which serve as the user’s sign-in credentials.
A user Object also includes several other attributes that describe and manage the user.
You can create user accounts with different ways with windows server 2019,
You can use Active Directory Users and Computers, Active Directory Administrative Center, Windows PowerShell, or the dsadd Command-line tool to create a user object.
1.Creating User account with Active Directory Users and Computers snap-in
2. Creating User account with Active Directory Users Administrative Center
3. Creating User account with Windows PowerShell
New-ADUser -Name “Milan Maduranga” -GivenName “Milan” -Surname “Maduranga” -SamAccountName “m.milan” -UserPrincipalName “firstname.lastname@example.org” -Path ” OU=cisco_users,OU=cisco,OU=netlab,DC=netlab,DC=lk ” -AccountPassword(Read-Host -AsSecureString “Input Password”) -Enabled $true
4. Creating User account with Windows PowerShell dsadd Command-line tool
dsadd user cn=Milan,OU=cisco_users,OU=cisco,OU=netlab,DC=netlab,DC=lk -disabled no -fn Milan -ln Maduranga -mustchpwd yes -canchpwd yes -pwd *
When you create a user account in AD DS, you also configure all the associated account properties. You must define the attributes that allow the user to sign in by using the account, in addition to a few other attributes. Because you can associate a user object with many attributes, it is important that you understand what these attributes are and how you can use them in your organization.
You can configure user attributes by using Active Directory Administrative Center, Active Directory Users and Computers, Windows PowerShell, or the dsmod tool.
The attributes of a user object fall into several broad categories. These categories appear in the navigation
pane of the User Properties dialog box in Active Directory Administrative Center:
Account. In addition to the user’s user name properties (First name, Middle initial, Last name, Full name) and the user’s various logon names (User UPN logon, User SAMAccountName logon), youcan configure the following additional properties:
Log on hours. This property defines when the user can use the account access domain computers. You can use the weekly calendar style view to define Logon permitted hours and Logon denied hours.
Log on to. This property to define which computers a user can use to sign in to the domain. Specify the computer’s name and add it to a list of allowed computers.
Account expires. This is very useful when you want to create temporary user accounts. For example, you might want to create user accounts for interns who will be at your organization for just one year. You can set the account expiration date in advance. No one can use the account after the expiration date until an administrator reconfigures it manually.
User must change password at next log on. This attribute enables you to force users to reset their own password the next time they sign in. This is something you might enable after you reset a user’s password.
Smart card is required for interactive log on. This value resets the user’s password to a complex, random sequence of characters and sets a property that requires that the user use a smart card to authenticate during logon.
Password never expires. This is a property that you normally use with service accounts; that is, those accounts that services use, and not regular users. By setting this value, you must remember to update the password manually on a periodic basis. However, the system does not force you to do this at a predetermined interval. Consequently, the account can never be locked out due to password expiration—a feature that is particularly important for service accounts.
User cannot change password. You use this option generally for service accounts.
Store password by using reversible encryption. This policy provides support for programs that use protocols that require knowledge of the user’s password for authentication purposes. Storing passwords by using reversible encryption is essentially the same as storing plain-text versions of the passwords.
Account is trusted for delegation. You can use this property to allow a service account to impersonate a standard user to access network resources on behalf of a user.
Organization. This includes properties such as the user’s Display name, Office, Email Address, various contact telephone numbers, managerial structure, department and organization names, addresses, and other properties.
Member of. Use this section to define group memberships for the user.
Password Settings. This section includes password settings that apply directly to the user.
Profile. Use this section to configure a location for the user’s personal data and to define a location in which to save the user’s desktop profile when he or she logs out.
Policy. Use authentication policies to control Kerberos ticket-granting ticket (TGT) lifetimes and the authentication access control for a specific account, such as high-level administrative accounts.
Silo. Authentication policy silos are containers to which you can assign a user account. You can assign
authentication policies to these silos.Extensions. This section exposes many additional user properties, most of which do not normally require manual configuration.