Types of User Objects
Users and computers are the primary objects in Active Directory.
In the previous article we learned how to join a computer to Active Directory.
Creating and managing user objects are everyday tasks for most AD DS administrators.
There are two types of user accounts in any operating system [Windows, Linux, Novell]:
Local Users:
- These accounts can only access resources on the local computer.
- They are stored in the local Security Account Manager (SAM) registry hive [C:\Windows\System32\config\SAM].
- Local accounts are never replicated to other computers.
- They do not provide domain access: a local account configured on one computer cannot be used to access resources on a second server, so you would need to configure a second local account on that server.
- In the picture above, the user Donald is a local user and can access ONLY the computer HR121.
- In a workgroup [Active Directory is NOT implemented] this means we have to create the same user account on ALL computers in the network [which becomes unmanageable beyond a handful of machines].
Domain Users:
- These accounts can access AD DS or network-based resources, such as shared folders and printers.
- Account information for these users is stored in the AD DS database [C:\Windows\NTDS\NTDS.dit] and replicated to all domain controllers within the same domain.
- In the picture above, ALL other users [Jack, John, Suzan, Lara, Sami] are domain users and can access ALL network resources [unless we apply a restriction policy].
- AD provides a mechanism to centrally create, manage and control user accounts in the directory service through the [Active Directory Users and Computers] console, the [Active Directory Administrative Center] console, or the ActiveDirectory PowerShell module.
- Before we create user accounts we need to clarify the difference between [authentication and authorization]:
- Authentication is the process of confirming a user's identity. When a user supplies a username and password, the domain controller validates those credentials against the account data stored in the AD DS database [NTDS.dit]. In a domain this happens over Kerberos or NTLM; the clear-text password is never sent to or stored on the domain controller, only a hash of it.
- Authorization is the process of confirming that an authenticated user has the correct permissions to access network resources. Permissions are evaluated against the SIDs in the user's access token (the user's own SID and the SIDs of its groups), not against the username.
Creating User Objects in AD
To create a domain user account:
- Open either [Active Directory Users and Computers] or [Active Directory Administrative Center].
- Select the [Users] container or the organizational unit [OU] in which you would like to create the user.
- Right-click, then select New > User.
- Provide the user's full name and logon name, then provide a password and select [User must change password at next logon] so that the user chooses a password of their own and the administrator never knows it.
- Press Finish to create the user.
Set User Properties
From the user account properties, insert user information such as:
- Contact info: address, telephone number
- Group membership
- Account status: locked out, disabled, enabled
- Logon hours
- Which computers this user can log on to: by default a user can log on to any computer in the domain
- Organizational information such as job title, direct manager, department
- Email address: it is recommended to leave this field empty, since it will be filled in by Exchange Server
- Any other user information that you feel could help with this account
- Note: adding a photo to the user account will be done later using Exchange Server
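The same procedure (create the user, then fill in the property tabs) scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. The domain contoso.com, the OU "OU=HR,DC=contoso,DC=com", the manager account jsmith and the group HR-Staff are assumed names; replace them with your own.

```powershell
# Added example (not from the original article): create a domain user and set the
# same properties the GUI tabs expose, using the ActiveDirectory RSAT module.
# Assumed: domain contoso.com, OU "OU=HR,DC=contoso,DC=com", manager "jsmith",
# group "HR-Staff". Run as an account that may create users in that OU.
Import-Module ActiveDirectory

# Prompt for the initial password so it never sits in a script file or shell history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for dduck"

# Splatting lets each property carry a comment mapping it to the GUI tab.
$newUser = @{
    Name                  = "Donald Duck"                # CN / display name
    GivenName             = "Donald"
    Surname               = "Duck"
    SamAccountName        = "dduck"                      # pre-Windows 2000 logon name
    UserPrincipalName     = "dduck@contoso.com"          # logon name (assumed UPN suffix)
    Path                  = "OU=HR,DC=contoso,DC=com"    # target OU (assumed)
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true                        # "User must change password at next logon"
    Enabled               = $true
    Title                 = "HR Specialist"              # Organization tab
    Department            = "HR"
    Manager               = "jsmith"                     # direct manager (assumed account)
    OfficePhone           = "+1 555 0100"                # Telephones tab
    StreetAddress         = "1 Main Street"              # Address tab
    # EmailAddress is deliberately omitted: Exchange will populate the mail attribute.
}
New-ADUser @newUser

# Account tab, "Log On To...": restrict the account to named workstations.
# The attribute is empty by default, which means "all computers in the domain".
Set-ADUser -Identity dduck -LogonWorkstations "HR121,HR122"

# Member Of tab: add the user to a group (assumed to exist).
Add-ADGroupMember -Identity "HR-Staff" -Members dduck

# Verify what was written, including the SID that ACLs will reference from now on.
Get-ADUser -Identity dduck -Properties Title, Department, Manager, LogonWorkstations, MemberOf, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, SID, Enabled, PasswordExpired,
                  Title, Department, Manager, LogonWorkstations, MemberOf
```

Scripting the creation this way makes the account settings reviewable and repeatable, and the final Get-ADUser shows the SID that every permission assigned to this user will be tied to.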
Deleting User Objects
- Deleting a user account is an easy process, but be careful: each user account has a security identifier (SID), and permissions (ACLs, group memberships) reference that SID, not the name. If you delete a user account and then re-create a user with identical information, it is NOT the same account: the new object receives a new SID and therefore has none of the old permissions.
- If a user account is deleted accidentally, it can be retrieved from the Active Directory Recycle Bin, provided that optional feature was enabled beforehand (it is off by default). The Recycle Bin was introduced with Windows Server 2008 R2 (forest functional level 2008 R2 or higher); Windows Server 2012 added a graphical interface for it in Active Directory Administrative Center. Earlier editions [2000, 2003, 2008] only offered tombstone reanimation, which keeps the SID but loses most attributes and all group memberships, or an authoritative restore from backup.
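The SID problem and the Recycle Bin recovery described above, as an added example that is not part of the original article. It assumes the ActiveDirectory module, the domain contoso.com, and the account dduck in "OU=HR,DC=contoso,DC=com" (assumed names); the restore step only works if the Recycle Bin was enabled before the deletion.

```powershell
# Added example (not from the original article): delete a user, show that a
# re-created user gets a different SID, then restore the original object from the
# AD Recycle Bin. Assumed: domain contoso.com, user "dduck" in OU=HR,DC=contoso,DC=com.
Import-Module ActiveDirectory

# 1. Check the Recycle Bin BEFORE you need it. EnabledScopes is empty when the
#    optional feature was never enabled (the default).
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes
# To enable it (irreversible, forest-wide, forest functional level 2008 R2 or higher):
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
#     -Scope ForestOrConfigurationSet -Target 'contoso.com'

# 2. Record the SID and memberships; the SID is what every ACL actually references.
$original    = Get-ADUser -Identity dduck -Properties MemberOf
$originalSid = $original.SID.Value

# 3. Delete the account (simulating the accident).
Remove-ADUser -Identity dduck -Confirm:$false

# 4. Wrong recovery: re-create the user "with the same information".
#    The new object gets a new SID and none of the old group memberships.
New-ADUser -Name "Donald Duck" -SamAccountName dduck -UserPrincipalName dduck@contoso.com `
    -Path "OU=HR,DC=contoso,DC=com" -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Temporary password")
$recreated = Get-ADUser -Identity dduck -Properties MemberOf
"Same SID after re-creating:       " + ($recreated.SID.Value -eq $originalSid)   # False
"Group memberships after re-creating: " + $recreated.MemberOf.Count              # 0

# Remove the duplicate again; rename its logon name first so the deleted copy cannot
# collide with the restored original on sAMAccountName.
Set-ADUser -Identity $recreated.ObjectGUID -SamAccountName "dduck.duplicate"
Remove-ADUser -Identity $recreated.ObjectGUID -Confirm:$false

# 5. Right recovery: list what is in the Recycle Bin and restore the original by GUID.
Get-ADObject -Filter 'isDeleted -eq $true -and SamAccountName -eq "dduck"' `
    -IncludeDeletedObjects -Properties LastKnownParent |
    Select-Object Name, ObjectGUID, LastKnownParent
Restore-ADObject -Identity $original.ObjectGUID

$restored = Get-ADUser -Identity dduck -Properties MemberOf
"Same SID after restore:           " + ($restored.SID.Value -eq $originalSid)    # True
"Group memberships after restore:  " + $restored.MemberOf.Count
```

Restoring by ObjectGUID rather than by name avoids picking the wrong object when several deleted users share a name. Run this in a lab first: enabling the Recycle Bin cannot be undone, and the script really deletes and re-creates the account.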