User Flashcards
A user account identifies a single user, such as an employee.
Local
A local user account is created and stored on a local system and is not distributed to any other system.
Local user accounts are created with the Computer Management console.
The local Security Accounts Manager (SAM) manages the user account information.
Only local resources are accessible with local user accounts.
Domain
A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain.
Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.
Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
Domain user accounts have a variety of properties, such as user information, group membership, user profiles, and dial-in settings.
External Users
External users who need an e-mail account can be represented through a contact object. A contact object is an account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as an e-mail address or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects.
User or Logon Name
The user or logon name is the name of the user account. It is typically a combination of the given name (first name) and surname (last name) of the user. For example, Andy Waters might have the logon name awaters.
The User Principal Name (UPN)
The User Principal Name (UPN) combines the user account name with the DNS domain name. For example, the account awaters in the westsim.com domain would have awaters@westsim.com as its UPN.
The UPN format is also known as the SMTP address format.
The DNS domain name in the UPN is known as the UPN suffix.
By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
The LDAP Name
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)
An example LDAP Distinguished Name (DN) is:
CN=awaters, OU=sales, DC=westsim, DC=com
The Relative Distinguished Name (RDN)
The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container. In the example above, the RDN is CN=awaters.
User Account Management Facts
Use Active Directory Users and Computers from a domain controller or workstation with Administrative Tools installed to configure domain accounts.
To modify properties on multiple user accounts at once, use the Shift or Ctrl keys to select all users, then edit the necessary properties. Properties such as the logon name or password cannot be modified in this way.
You can move user accounts to add them to the appropriate OUs. Grouping users within OUs allows you to apply Group Policy settings to groups of users.
When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password, then select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring that the user will be the only person who knows the password.
Enable the User cannot change password option when you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.
To reset the user account password, right-click the user object and select Reset Password.
An account which has been locked out because too many incorrect passwords have been entered must be unlocked. To unlock an account, go to the Account tab in the account object’s Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.
You can configure an expiration date for temporary user accounts. Once the account is expired, it cannot be used for logon.
If a user will be gone for an extended period of time, disable the account. This prevents the account from being used during the user’s absence. Enable the account when the user returns.
Configure the logon hours for a user account to allow the account to only be used between specific hours.
Logon attempts outside of the specified hours will not be allowed.
Users who are currently logged on will be allowed to continue working when the logon hours expire.
To log a user off when the logon hours pass, configure Group Policy settings to log the user off automatically.
You can configure a list of workstations that a user is allowed to log on to. When configured, logon from other workstations will not be allowed.
The user profile tracks user environment settings, such as program-specific settings, user security settings and desktop settings (including the files, folders, and shortcuts on the desktop).
By default, the profile is stored on the local computer. A profile will be created on each computer when a user logs on.
To make profile settings consistent across computers, use a roaming user profile (where the profile is saved on a network share). When the user logs on, profile settings are copied from the network to the local computer. Changes made on the local computer are saved back to the network share.
To use a roaming profile, edit the user account properties and specify the profile path. To simplify administration, use the %username% variable in the Profile Path. Active Directory replaces %username% with the user logon name.
If you accidentally delete a user account, restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.
Deprovisioning is the process of removing access rights for users when they leave your organization.
If the user will be replaced by another user, disable the existing account. When the new user starts, rename the account, reset the password, and enable the account. This process preserves all of the permissions and other settings associated with the user.
If the user will not be replaced, you can delete the account. Be sure to reassign any permissions to other users, reassign ownership over files, or delete unnecessary files such as the user profile. After a user account has been deleted, all permissions and memberships that are associated with that user account are permanently deleted. All permissions and memberships must be recreated manually if you want to duplicate a deleted user account.
Many third-party tools exist that can simplify the deprovisioning process. For example, you can delete the user account and automatically reassign permissions or file ownership with a single step. You can also create your own deprovisioning solution through a programming language to synchronize accounts between databases or applications.
To create another user account similar to an existing user, copy the existing user account. You will be prompted for a new name and password. Existing account settings and group memberships will be copied to the new account. Permissions will not be copied to the new account.
If you regularly create user accounts with the same settings, you can create a template account. The template account is a normal user account with the settings you need for subsequent accounts.
Copy the account whenever you need to create a new one.
New accounts retain group memberships but not direct permission assignments.
Disable the template account itself to prevent it from being used for logon.
Adding a User Principal Name (UPN) suffix to a forest allows the users who join the forest to use a friendly user-logon name that does not match the domain name. To add a UPN suffix to a forest:
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
Click Add.
Click OK.