Active Directory users
In order to identify the people who log on to your system, you need to create a user account for each of them. Over time, as their role and the resources they require access to changes, you will have to modify the account, and eventually, when they no longer work for the company, to delete the account. In Active Directory, an individual needs a user account to verify their identity before they can access network resources. This is known as authentication.
The cornerstone of authentication is the user account, with its user logon name, password and unique security identifier (SID). When a user logs on, Active Directory authenticates them by using the user name and password provided. Once successful authentication occurs, the Windows Server security subsystem creates the security access token that represents that user on the network. The access token contains the user account SID, as well as the SIDs of groups to which the user belongs. (This is because membership of groups can give the user additional permissions. In fact permissions should be assigned to groups not directly to users).
This access token is then used to verify user rights and to authorise access to resources secured by access control lists (ACLs). A user is represented in Active Directory by a user object. A user object includes not just a user’s name, password, and SID, but also personal information such telephone number and address. You can also add extra fields if you want to keep information such as emergency contacts here as well.
Creating user accounts/objects
The main tool used to create user accounts/objects is Active Directory Users and Computers. Although user accounts can be created in the root of a domain or in any of the default containers, it is usually best to locate users in organisational units (OUs) so that you can delegate administrative authority and utilise group policy settings based on the OUs. So if your company had an administration department, a sales department, a purchasing department and a manufacturing department, you could create four OUs, one for each department, and they could be administered independently.
To access Active Directory Users and Computers, go to Start, select Programs and then Administrative Tools. As long as your server is a Domain Controller you should see it here. If not, go back and promote your server to a Domain Controller.
This can be down by following the steps below:
Installing Active Directory Domain Services (AD-DS)
In Windows Server 2008, unlike previous server operating Systems, there is an additional step that needs to be taken before running DCPROMO to promote the server to Domain Controller and installing Active Directory on it. This step is the installation of Active Directory Domain Services (AD-DS) role on the server. In fact, the AD-DS role is what enables the server to act as a Domain Controller, but you will still need to run DCPROMO the regular way.
AD-DS can be installed as follows:
Server Manager/Initial Configuration Tasks
Roles can and should be added from Server Manager (but they can also be initiated from the Initial Configuration Tasks wizard that auto-opens the first time you log on to the server).
Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
Wait till it finishes loading, then click on Roles > Add Roles link.
In the Before you begin window, click Next.
In the Select Server Roles window, click to select Active Directory Domain Services, and then click Next.
In the Active Directory Domain Services window read the provided information if you want to, and then click Next.
In the Confirm Installation Selections, read the provided information if you want to, and then click Next.
Wait till the process completes.
When it ends, click Close.
Going back to Server Manager, click on the Active Directory Domain Services link, and note that there’s no information linked to it, because the DCPROMO command has not been run yet.
Now you can click on the DCPROMO link,
To run DCPROMO, enter the command in the Run command, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.
Depending upon the question if AD-DS was previously installed or not, the Active Directory Domain Services Installation Wizard will appear immediately or after a short while. Click Next.
Creating a domain user
To create a user, right-click the container in which you want to create the user, select New, and then click User. The New Object-User dialog box appears. The first screen of the New Object-User dialog box asks for the user name.
Note: To create a new user object, you must be a member of the Enterprise Admins, Domain Admins, or Account Operators group, or you must have been given the necessary permissions for the container in which the account will be created.
Alternatively, you could click Action from Active Directory Users and Computers, which brings up the drop-down menus shown below. If you then click New, you are given a choice of new directory objects, one of which is User.
When you complete the user details remember the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object. You could have a Sales organisational unit (OU) and a Marketing OU and within each have a John Smith. This is OK as they are objects in different containers.
The user principal name (UPN) consists of a logon name and a UPN suffix, which is, by default, the DNS name of the domain in which you create the object. This property is required, as well as the entire UPN, in the format:
This must be unique within the Active Directory forest. For example, JohnSmith@CiscoServer.com.
The UPN can be used to log on from any Microsoft Windows system running Windows 2000 onwards
This logon name is used to log on from down-level clients, such as (pre–Windows 2000) Microsoft Windows 95, Windows 98, Windows ME, Windows NT 4.0, or Windows NT 3.51. This field is required and must be unique within the domain.
When you create a new user, you are initially prompted to configure the most common properties for the user object, including logon names and a password. The next screen prompts you for the password options. Be aware that there are password complexity checks, and if you set a password that fails the complexity it will not let you configure the user. You have two options. One is to loosen the password complexity policy (this could be a security violation) or ensure your password complies with it. The default is as shown in below.
The password complexity and other settings shown above are configured in the Default Domain Policy. To access them, click Start, select Administrative Tools, click Default Domain Policy, click Settings and then click Password Policy. Password complexity, if enabled, requires the following:
- Not contain all or part of the user’s account name.
- Be at least six characters in length.
- Contain characters from three of the following four categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base 10 digits (0 through 9)
o Non-alphabetic characters (e.g. $, #, %).
Complexity requirements are enforced when passwords are changed or created. If the password fails the complexity test, the user account is not created or the password is not changed.
There are numerous additional properties that you can configure at any time with Active Directory Users and Computers. These properties help you to administer your users and you have the ability to search for objects by using LDAP (lightweight directory access protocol) queries. To configure the properties of a user, right-click on the user and choose Properties. The user’s Properties dialog box appears, see picture below
From this you can modify all the properties on the tabs.
There is a very useful new tool, which was released just after Windows 2003, called Group Policy Management Console. You can download it from:
When it is installed you will have an interface like that shown below. This tells you at a glance the effective settings and which security policy they are taken from.
Creating a computer account
When you join a computer to a domain, Active Directory automatically creates a computer account for it in Active Directory Users and Computers in the Computers container. But if you have a network of several hundred computers, it might make administration easier if you split them up into more manageable chunks. This can be done in two ways. In both cases you split your computers into OUs either by department or location, whichever is easiest for you. Then you can:
- let Active Directory create the computer account automatically, then move it into the appropriate OU (Organisational Unit); or
- pre-stage that computer account, which means that you create the computer account where you want it to go first before the computer joins the domain.
You can assign rights to computer accounts as well as users but it tends to make troubleshooting quite complex. If possible, it is easier to manage if you grant all rights and permissions via user accounts. Although there will be exceptions such as kiosks with anonymous logons, you want to minimise their rights in order to minimise your security exposure and, if possible, have them standalone.