User Account Management Summary

Action: Create/manage user accounts
Description: Use Active Directory Users and Computers (on a domain controller, or on a workstation with the Administrative Tools/RSAT installed) to configure domain accounts:

  • When creating a new user account:
    • Configure an expiration date for temporary user accounts. Once the account has expired, it cannot be used for logon (it is not deleted; it can be re-enabled by setting a new expiration date or clearing it).
    • Disable an account if the user will be gone for an extended period of time. Disabling prevents the account from being used during the user’s absence. Enable the account when the user returns.
    • Configure the logon hours for a user account to allow the account to be used only between specific hours.
      • Logon attempts outside of the specified hours are rejected.
      • By default, users who are already logged on when the permitted hours end are allowed to continue working.
      • To end a user’s sessions when the permitted logon time expires, configure Group Policy to enforce the restriction (for example, the Security Options setting Network security: Force logoff when logon hours expire disconnects the user’s server sessions).
    • Configure a list of workstations that a user is allowed to log on to (the Log On To button on the Account tab; computers are listed by their pre-Windows 2000/NetBIOS names). This restricts the user to only the workstations specified.
  • Copy an existing user account to create a similar user account. When you copy an account:
    • You will be prompted for a new name and password.
    • Existing account settings and group memberships will be copied to the new account.
    • Permissions will not be copied to the new account, because permissions are granted to the original account’s SID and the new account has a different SID.
  • Add a User Principal Name (UPN) suffix to a forest (in Active Directory Domains and Trusts) so that users in the forest can use a friendly user-logon name that does not match the domain name.
  • Authenticate a user who logs on with a certificate by mapping the certificate to the user account (Name Mappings on the user object).
  • Restore an accidentally deleted user account from backup (or from the Active Directory Recycle Bin, if that optional feature is enabled) rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID that will not automatically assume the permissions and memberships of the previously deleted account.
  • Use the Shift or Ctrl key to select multiple users when modifying properties on multiple user accounts at once. Properties such as the logon name or password cannot be modified in this way.
  • Move user accounts into the appropriate OUs. Grouping users within OUs allows you to apply Group Policy settings to multiple users.
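The same account restrictions can be applied from PowerShell with the ActiveDirectory module, which is useful when the settings must be applied consistently to many accounts. The following is an added example, not code from the original page; it assumes a domain named contoso.local, an OU named Contractors, and workstations WS01 and WS02. The helper that builds the logonHours value treats the attribute as 168 bits starting at Sunday 00:00 UTC, stored LSB-first within each byte; that bit layout is an assumption of this example, so verify the result in the Logon Hours dialog of Active Directory Users and Computers after applying it.

```powershell
# Added example (not from the original page): create a temporary domain user
# with an expiration date, restricted logon hours and an allowed-workstation
# list, then show disabling/enabling the account and moving it into an OU.
# Assumptions: domain contoso.local, OU "Contractors", workstations WS01/WS02.
Import-Module ActiveDirectory

$sam     = 'jdoe'
$ou      = 'OU=Contractors,DC=contoso,DC=local'
$expires = (Get-Date).AddDays(30)        # temporary account: 30 days

# Build the 21-byte logonHours value: one bit per hour of the week, starting
# Sunday 00:00. AD stores the value in UTC; this helper assumes bits are read
# LSB-first within each byte (verify in ADUC after applying).
function New-LogonHours {
    param([int[]]$Days = 1..5, [int]$StartHour = 8, [int]$EndHour = 18)
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h                         # 0..167
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $bytes
}

# Never put the initial password in the script; prompt for it instead.
$password = Read-Host -AsSecureString 'Initial password'

New-ADUser -Name 'Jane Doe' -SamAccountName $sam `
    -UserPrincipalName "$sam@contoso.local" -Path $ou `
    -AccountPassword $password -ChangePasswordAtLogon $true `
    -AccountExpirationDate $expires `
    -LogonWorkstations 'WS01,WS02' `
    -Enabled $true

# Logon hours: Monday to Friday 08:00-18:00 (UTC, see helper above)
Set-ADUser -Identity $sam -Replace @{ logonHours = [byte[]](New-LogonHours) }

# Extended absence: disable now, enable again when the user returns
Disable-ADAccount -Identity $sam
Enable-ADAccount  -Identity $sam

# Move the object into the OU whose Group Policy should apply to it
$dn = (Get-ADUser -Identity $sam).DistinguishedName
Move-ADObject -Identity $dn -TargetPath $ou

# Verify that the restrictions were written
Get-ADUser -Identity $sam -Properties AccountExpirationDate, LogonWorkstations, logonHours |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, LogonWorkstations,
        @{ n = 'LogonHoursRestricted'; e = { ($_.logonHours | Where-Object { $_ -ne 255 }).Count -gt 0 } }
```

The expiration date, workstation list and logon hours are all enforced by the domain controller at authentication time, so they also apply to logons that bypass the GUI; the verification query at the end is the check to run after any bulk change.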
Action: Use templates
Description: If you regularly create user accounts with the same settings, you can create a template account. The template account is a normal user account with the settings you need for subsequent accounts.

  • Copy the template account whenever you need to create a new one.
  • Keep the template account disabled so that it can never be used for logon, and make sure the copy you create is enabled.

    New accounts retain the template’s group memberships but not its direct permission assignments, which are tied to the template’s SID.
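Copying from a template in PowerShell makes the membership-versus-permission distinction visible: New-ADUser -Instance clones attribute values, but group membership is a back-link and must be re-added explicitly, and ACL entries that name the template’s SID are never transferred. The following is an added example, not code from the original page or from Microsoft; it assumes a disabled template account named _tpl_sales in domain contoso.local, and that the extended attributes fetched with -Properties are among those -Instance clones.

```powershell
# Added example (not from the original page): create a user by copying a
# disabled template account, then replicate the template's group memberships.
# Assumptions: template "_tpl_sales" exists and is disabled; domain contoso.local.
Import-Module ActiveDirectory

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Fetch the attributes worth cloning. -Instance copies attribute values;
    # it does not copy group membership (a back-link) or ACL entries that
    # reference the template's SID.
    $tpl = Get-ADUser -Identity $Template -Properties Department, Title, Company, Office,
        ScriptPath, HomeDrive, LogonWorkstations, logonHours, MemberOf

    $parentOu = ($tpl.DistinguishedName -split ',', 2)[1]   # same OU as the template
    $name     = "$GivenName $Surname"

    New-ADUser -Instance $tpl -Name $name -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@contoso.local" `
        -GivenName $GivenName -Surname $Surname -DisplayName $name `
        -Path $parentOu -AccountPassword $Password `
        -ChangePasswordAtLogon $true -Enabled $true    # template stays disabled

    # Re-create the memberships explicitly
    foreach ($groupDn in $tpl.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $SamAccountName
    }

    # Return the new object with its memberships so the caller can verify
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

$pw  = Read-Host -AsSecureString 'Initial password'
$new = Copy-ADUserFromTemplate -Template '_tpl_sales' -SamAccountName 'jdoe' `
           -GivenName 'Jane' -Surname 'Doe' -Password $pw
$new | Select-Object SamAccountName, Enabled, @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```

Because the template itself is disabled, a compromise of the template’s credentials gains nothing; the only thing that should ever be enabled is the copy.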

Action: Manage passwords
Description: Keep in mind the following about user passwords:

  • When creating a new user account or resetting a forgotten password, set a temporary password and then select User must change password at next logon. This forces the user to choose a new password immediately after logging on, so that the user is the only person who knows it.
  • The User cannot change password option lets you keep control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks:
    • The application must be configured with the service account name and password.
    • If the service account password could be changed by the account itself, you would have to update the password in every application that uses that account (for service accounts, a group Managed Service Account avoids this problem entirely by letting the domain rotate the password).
  • To reset a user account password, right-click the user object and select Reset Password.
  • An account that has been locked out due to too many incorrect password attempts must be unlocked. Resetting the password does not by itself unlock the account. To unlock an account:
    • Go to the Account tab in the account object’s Properties dialog box and select the Unlock account box, or
    • Select the unlock option in the Reset Password dialog.
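The reset, the forced change at next logon, the service-account flags and the unlock are each separate operations, which the PowerShell equivalents make explicit. The following is an added example, not code from the original page; it assumes a user jdoe and a service account svc_backup, and it queries the PDC emulator because lockout and bad-password counters are tracked per domain controller and the PDC emulator holds the authoritative view.

```powershell
# Added example (not from the original page): reset a forgotten password with
# a random one-time value, force a change at next logon, unlock the account,
# lock down a service account's password, and inspect lockout state.
# Assumptions: user "jdoe" and service account "svc_backup" exist.
Import-Module ActiveDirectory

function Reset-UserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # A random one-time password instead of a shared default such as "Welcome1"
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $oneTime = [Convert]::ToBase64String($bytes)      # 24 chars, mixed case + digits
    $secure  = ConvertTo-SecureString $oneTime -AsPlainText -Force

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser  -Identity $SamAccountName -ChangePasswordAtLogon $true
    # A password reset does not clear a lockout; do that explicitly
    Unlock-ADAccount -Identity $SamAccountName
    return $oneTime                                   # hand to the user out of band
}

# Service account: the application owns the secret, so the account itself must
# not be able to change it, and a scheduled expiry would break the application.
# Prefer a group Managed Service Account where the application supports it.
Set-ADUser -Identity 'svc_backup' -CannotChangePassword $true -PasswordNeverExpires $true

# Who is locked out right now? Ask the PDC emulator, which holds the
# authoritative lockout and bad-password counters for the domain.
$pdc = (Get-ADDomain).PDCEmulator
Search-ADAccount -Server $pdc -LockedOut |
    Get-ADUser -Server $pdc -Properties LockedOut, badPwdCount, lockoutTime, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt

# Unlock a single account only after the cause of the lockout is understood
$temp = Reset-UserPassword -SamAccountName 'jdoe'
Write-Host "Temporary password for jdoe (deliver out of band): $temp"
```

Repeated lockouts of the same account are an indicator worth investigating (a stale credential in a scheduled task, or a password-spraying attempt) before the account is simply unlocked again.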
Action: Create a user profile
Description: The user profile holds the user’s environment settings, such as program-specific settings, user security settings, and desktop settings (including the files, folders, and shortcuts on the desktop).

  • By default, the profile is stored on the local computer. A profile is created on each computer when a user logs on.
  • A roaming user profile makes profile settings consistent across computers by saving the profile to a network share.
    • To use a roaming profile, edit the user account properties and specify the profile path.
      • To simplify administration, use the %username% variable in the Profile Path.
      • Active Directory Users and Computers replaces %username% with the user’s logon name when the properties are saved; the stored attribute contains the expanded path.
    • When the user logs on, profile settings are copied from the network share to the local computer.
    • When the user logs off, changes made on the local computer are saved back to the network share.
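When profile paths are set from PowerShell rather than the GUI, %username% is not expanded, and the profile share needs permissions that let each user create only their own folder. The following is an added example, not code from the original page or from Microsoft; it assumes a share \\FS01\Profiles$ mapped to a local root D:\Profiles on the file server, an OU named Sales in contoso.local, and a group named Roaming Profile Users.

```powershell
# Added example (not from the original page): set roaming profile paths for an
# OU and configure the share root so each user can create only their own
# profile folder. Assumptions: share \\FS01\Profiles$ backed by D:\Profiles on
# FS01 (run the ACL part on FS01), OU "Sales", group "Roaming Profile Users".
Import-Module ActiveDirectory

$share  = '\\FS01\Profiles$'
$domain = (Get-ADDomain).NetBIOSName

# 1. Profile path per user. ADUC expands %username% when you click OK; Set-ADUser
#    stores the string literally, so substitute the logon name here.
foreach ($u in Get-ADUser -Filter * -SearchBase 'OU=Sales,DC=contoso,DC=local') {
    $path = Join-Path $share $u.SamAccountName        # e.g. \\FS01\Profiles$\jdoe
    Set-ADUser -Identity $u -ProfilePath $path
}

# 2. Share root ACL (run on the file server): users may list the root and create
#    a folder, CREATOR OWNER gets full control of what they create, and nobody
#    else can read another user's profile folder.
function Set-ProfileRootAcl {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$UsersGroup)
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
    $rules = @(
        New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'
        New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $UsersGroup, 'ListDirectory, CreateDirectories, ReadAttributes', 'None', 'None', 'Allow'
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Root -AclObject $acl
    Get-Acl -Path $Root | Select-Object -ExpandProperty Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

Set-ProfileRootAcl -Root 'D:\Profiles' -UsersGroup "$domain\Roaming Profile Users"
```

Windows appends a version suffix (for example .V6) to the folder name it actually creates under the profile path, so do not pre-create the per-user folder; let the first logon create it so that CREATOR OWNER resolves to the right user.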
Action: Deprovision a user
Description: Deprovisioning is the process of removing access rights from a user account when the user leaves the organization.

  • If the user will be replaced by another user, disable the existing account. When the new user starts, rename the account, reset the password, and enable it. Because the account object (and therefore its SID) is reused, all of the permissions and other settings associated with the account are preserved.
  • If the user will not be replaced, you can delete the account.
    • First reassign any permissions to other users, reassign ownership of files, and delete unnecessary files such as the user profile.
    • After a user account has been deleted, all permissions and memberships associated with that account are permanently lost.
    • All permissions and memberships must be recreated manually if you want to duplicate a deleted user account.
  • Many third-party tools exist that can simplify the deprovisioning process. For example, you can delete the user account and automatically reassign permissions or file ownership in a single step. You can also build your own deprovisioning solution in a programming language to synchronize accounts between databases or applications.
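The two deprovisioning paths above (reuse the object for a replacement, or strip and delete) can be scripted so that nothing is forgotten. The following is an added example, not code from the original page or from any third-party tool; it assumes domain contoso.local, a quarantine OU named Disabled Users, and users jdoe (leaver) and asmith (replacement). It records group memberships to a file before touching them, since they cannot be recovered once the object is deleted.

```powershell
# Added example (not from the original page): deprovisioning in three steps.
# Disable-LeaverAccount  - day of departure: disable, scramble the password, park in a quarantine OU
# Grant-LeaverAccountToReplacement - replacement starts: rename/reset/enable, keeping the SID
# Remove-LeaverAccount   - no replacement: record and strip memberships, then delete
# Assumptions: domain contoso.local, OU "Disabled Users", users jdoe and asmith.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$QuarantineOu = 'OU=Disabled Users,DC=contoso,DC=local')
    $u = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Scramble the password so cached credentials and stored secrets stop working
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $scrambled = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u.ObjectGUID -Reset -NewPassword $scrambled
    Disable-ADAccount -Identity $u.ObjectGUID
    Set-ADUser -Identity $u.ObjectGUID -Description "Disabled $(Get-Date -Format yyyy-MM-dd): leaver"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOu
}

function Grant-LeaverAccountToReplacement {
    param([Parameter(Mandatory)][string]$OldSam, [Parameter(Mandatory)][string]$NewSam,
          [Parameter(Mandatory)][string]$GivenName, [Parameter(Mandatory)][string]$Surname,
          [Parameter(Mandatory)][securestring]$Password)
    $guid = (Get-ADUser -Identity $OldSam).ObjectGUID   # GUID survives the rename; the DN does not
    Rename-ADObject -Identity (Get-ADUser -Identity $guid).DistinguishedName -NewName "$GivenName $Surname"
    Set-ADUser -Identity $guid -SamAccountName $NewSam -UserPrincipalName "$NewSam@contoso.local" `
        -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" -Description $null
    Set-ADAccountPassword -Identity $guid -Reset -NewPassword $Password
    Set-ADUser -Identity $guid -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $guid
    Get-ADUser -Identity $guid -Properties SID, MemberOf   # same SID as before: ACLs still apply
}

function Remove-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$RecordDir = "$env:ProgramData\Deprovision")
    $u = Get-ADUser -Identity $SamAccountName -Properties MemberOf, SID
    $null = New-Item -ItemType Directory -Path $RecordDir -Force
    # Memberships and SID are gone for good after deletion; keep a record for audit
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; SID = $u.SID.Value; MemberOf = @($u.MemberOf) } |
        ConvertTo-Json | Out-File -FilePath (Join-Path $RecordDir "$SamAccountName.json")
    foreach ($g in $u.MemberOf) { Remove-ADGroupMember -Identity $g -Members $u.ObjectGUID -Confirm:$false }
    Remove-ADUser -Identity $u.ObjectGUID -Confirm:$false
}

# Day of departure
Disable-LeaverAccount -SamAccountName 'jdoe'
# Either the replacement takes over the object ...
$pw = Read-Host -AsSecureString 'Initial password for asmith'
Grant-LeaverAccountToReplacement -OldSam 'jdoe' -NewSam 'asmith' -GivenName 'Alex' -Surname 'Smith' -Password $pw
# ... or, if nobody replaces the leaver, strip and delete after the retention period
# Remove-LeaverAccount -SamAccountName 'jdoe'
```

The quarantine step is deliberate: disabling first and deleting later gives time to discover file ownership, mailbox access and scheduled tasks that still depend on the account, which is exactly what is lost irrecoverably once the object and its SID are deleted.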
© Data Coincide, LLC 2010-2019