
Windows Server 2003 management
Administering accounts & Services

Managing Accounts
Active Directory in Windows Server
2003 provides three types of
accounts:
User accounts
Groups
Computer accounts

User accounts, Groups & Computer accounts
A user account is a record consisting of information that defines a user as a member of a network.
A group is a collection of users and computers that have similar rights and permissions to access network resources.
A computer account is an account that is automatically created when you join a computer running Windows NT, Windows 2000, Windows XP, or Windows Server 2003 to a domain.

Active directory users & computers

Managing user Accounts
A user account is a record that authenticates the identity of a user when the user logs on to the network.
Identifying Types of User Accounts
You can use different types of user
accounts based on the resources you want
to access. The various types of user
accounts in Windows Server 2003 are:
Local User Account
Domain User Account
Built-in User Account

Creating Local User Accounts

Creating Domain User Accounts

Creating Domain User Accounts using templates
First, create a user template with common properties. The account should be disabled.
Right-click the user account, and select the Copy option from the pop-up menu to display the Copy Object - User dialog box.

Creating User Accounts from the command line
The command-line tool LDIF Directory Exchange (Ldifde) enables you to create and modify user accounts in Windows Server 2003. In addition, it also allows you to import or export user and group information with other directory services.
You can write the entries for the Ldifde tool in a Notepad file and save the file with the .LDF extension. The syntax of the Ldifde command for importing the file is:
C:\>ldifde -i -f <filename>
The -i switch selects import mode (Ldifde exports by default), and -f names the file.

Creating User Accounts
The syntax for specifying parameters in the .LDF file is:
dn: cn=container name,ou=organizational unit,dc=root domain
changetype: add
objectClass: user
sAMAccountName: username
userPrincipalName: username including the path of users container
displayName: username
userAccountControl: value

In the above syntax:
dn: Specifies the path to an object's container.
cn: Refers to the name of the container used to store the newly created user account.
ou: Refers to the name of the OU in which the user account is to be created.
dc: Refers to the name of the root domain.
changetype: Specifies adding of a new user account in the Users container.
objectClass: Specifies the type of object to be created.
sAMAccountName: Specifies the Security Accounts Manager (SAM) name for the newly created user. SAM is a Microsoft Windows service, which maintains the account information of users.
userPrincipalName: Specifies the username along with the location of the account.
displayName: Refers to the login name of the user.
userAccountControl: Specifies the value as 514 to disable the user account, or as 512 to enable the user account.

For example, you need to create a user account named David Johnson in the Manufacturing OU of the Atlanta.BlueValley.com domain. The .LDF file for creating this user account is:

# Create David Johnson
# Lines that start with the # symbol are comments in the file
# and are not executed while running the file from the command prompt.
dn: cn=David Johnson,ou=Manufacturing,dc=Atlanta,dc=NorthAm,dc=BlueValley,dc=com
changetype: add
objectClass: user
sAMAccountName: David Johnson
userPrincipalName: David@Atlanta.NorthAm.BlueValley.com
displayName: David
userAccountControl: 514
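
Added example (not part of the original slides): a Python check to run over an .LDF file before importing it, which unfolds wrapped lines, decodes userAccountControl and reports user entries that would be created enabled or with weak password flags. The flag names and bit values are the documented Active Directory ones (512 = NORMAL_ACCOUNT, 514 = 512 + ACCOUNTDISABLE); the "Temp User" entry with value 544 is constructed for illustration, and the parser assumes single-valued attributes.

```python
import re

UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: value} dicts."""
    text = re.sub(r"\r?\n ", "", text)        # unfold: newline + space continues a line
    records = []
    for block in re.split(r"\n\s*\n", text):  # blank lines separate records
        # keep attribute lines only; lines starting with # are comments
        pairs = [l.partition(":") for l in block.splitlines() if l.strip() and not l.startswith("#")]
        rec = {attr.strip().lower(): value.strip() for attr, _, value in pairs}
        if rec:
            records.append(rec)
    return records

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit(text):
    """Return (dn, finding) pairs for user entries the file would add."""
    findings = []
    for rec in parse_ldif(text):
        kind = (rec.get("changetype", "").lower(), rec.get("objectclass", "").lower())
        uac = rec.get("useraccountcontrol", "")
        if kind != ("add", "user") or not uac.isdigit():
            continue
        dn, flags = rec.get("dn", "<no dn>"), decode_uac(int(uac))
        if "ACCOUNTDISABLE" not in flags:
            findings.append((dn, "created enabled"))
        findings += [(dn, f) for f in flags if f in ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD")]
    return findings

SAMPLE = """# Constructed sample input: the page's entry (folded dn) and a hypothetical one
dn: cn=David Johnson,ou=Manufacturing,
 dc=Atlanta,dc=NorthAm,dc=BlueValley,dc=com
changetype: add
objectClass: user
userAccountControl: 514

dn: cn=Temp User,ou=Manufacturing,dc=Atlanta,dc=NorthAm,dc=BlueValley,dc=com
changetype: add
objectClass: user
userAccountControl: 544
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```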

Modifying User accounts
Resetting a User Password
Disabling and Enabling a User Account
Renaming a User Account
Setting Logon Hours (User Account properties)
Setting Account Expiration Date (User Account properties)

Managing User Profiles


A user profile is a personalized setting of the
Windows Server 2003 environment for a specific
user.
It contains information about all elements of the
desktop of a user, such as the Internet Explorer
Favorites, shortcuts in the Start menu and
desktop.
It also includes desktop display settings, such as
wallpaper and screensaver.
A user profile does not include the configuration
of a computer, such as hardware settings. It
includes the personal preferences of a user only.

User profile folder and Contents
User profiles are stored in the User Profile folder.

Types of User Profiles
Local user profile
Roaming user profile
Mandatory user profile
Temporary user profile
Managing Groups
A group is defined as a set of user accounts,
computer accounts, and groups.
A group is a collection of users, computers,
or resources that belong to various domains
in an organization.
You can simplify the task of administration
by assigning permissions to a group of
users rather than assigning permissions to
each individual user account.

The various tasks that can be performed using groups are:
Assign permissions to the entire group to access the network resource.
Assign rights to users and then add members with the same rights to the group.
Create e-mail distribution lists.

Identifying Types of Groups


Windows Server 2003 provides two types
of groups for assigning different types of
rights and permissions to users and
computers or sending e-mail messages.
You can use any type of group anywhere
on the network. These groups are stored in
the Active Directory database. The two
types of groups are:
Security groups
Distribution groups

Security groups--A security group is a group that you can use to assign rights and permissions to gain access to network resources. Rights determine the operations that the members of a security group can perform in a domain or a forest. Permissions determine the resources that can be accessed by the members of a security group.
Distribution groups--A distribution group is a group that enables you to create a distribution list for directory-enabled e-mail applications, such as Microsoft Exchange Server. You cannot use distribution groups for security-related features, such as assigning permissions.

Exploring Group Scope


The level at which a group is created in a domain tree or a
forest is called the scope of a group.
The group scope determines whether a group is applicable
to a single domain in a forest or multiple domains.
The scope of the group is related to the membership and
resource access. It helps in deciding about the domains
from which members can be added to a group.
The various aspects that a group scope can determine
are:
The domains from which you can add members to a group.
The domains in which you can use the group to grant
permissions.
The domains in which a group can be a member of another
group.

Group scopes
Security and distribution groups can be further subdivided according to the group scope. The various types of group scopes are:
Local group: Grants permissions to resources that are available on a local computer. Local groups cannot be made members of any other type of group.
Domain local group: Assigns rights and permissions to resources that belong to the domain local group. A domain local group can contain global groups, universal groups, and other domain local groups from its own domain. You should use the domain local group when you want to control users' access to resources present within a domain.
Global group: You can use a global group to organize users from within a domain who need to perform similar operations and have similar network access requirements. Provides access to resources from any domain of a tree or a forest.
Universal group: Useful in multidomain forests. Used to define roles or to manage resources from more than one domain.

Group Management Implementation

Modifying Groups
Windows Server 2003 enables you to
manage and maintain groups using
Active Directory
Modify group properties
Add members to a group
Move groups
Delete groups

Changing group scopes


Global to Universal: Only if the group whose
scope is being changed is not a member of
another global group.
Domain Local to Universal: Only if the group
whose scope you want to change does not
contain any domain local group as its member.
Universal to Global: Only if the group whose
scope you want to change does not contain any
universal group as its member.
Universal to Domain Local: Does not have any restrictions.

Default groups created in Windows Server 2003
When you install Active Directory on a member server that is promoted as a domain controller of the network, Windows Server 2003 creates several security groups by default. These groups are called default groups.

Managing computer accounts


A computer account is an object that stores information such as the computer ID in a domain.
The computer needs to be a member of a domain and have a valid computer account to enable a user to log on to a network.
Once joined to a domain, computer accounts are created in Active Directory to authenticate user accounts and audit access to the network.
Pre-staging -- A system administrator can also create a computer account in a domain before joining the computer to the domain.
