A primary task of an Active Directory domain administrator is managing
user, group, and computer accounts. Users are hired, leave the company, change departments,
and change their names. Passwords are forgotten and must be reset. New resources become
available to which users or, more likely, groups of users must be given access. New computers
are installed on the network and must be added to the domain. All these tasks, particularly in
large networks, keep administrators busy.
This chapter discusses GUI and command-line tools for creating and managing all aspects
of Active Directory accounts. You examine user account properties and user profiles, including
roaming and mandatory profiles. Finally, you learn about group account types and group
scopes, including how to use groups to maintain secure access to resources in a multidomain
environment.
Managing User Accounts
Working with user accounts is one of the most important Active Directory administrative tasks.
User accounts are the main link between real people and network resources, so user account
management requires not only technical expertise, but also people skills. When users can't log
on or access a needed resource, they often turn to the administrator to solve the problem.
Fortunately, an administrator who understands how user accounts work and how best to
configure them can reduce the need to exercise those people skills on frustrated users.
User accounts have two main functions in Active Directory:
Provide a method for user authentication to the network: The user logon name and password
are the credentials a user presents to log on to the network and reach its resources. A
user account can also carry account restrictions, such as the hours during which and the
workstations from which a user can log on, or an account expiration date.
Provide detailed information about a user: For use in a company directory, user accounts
can hold department, office location, address, and telephone information. You can extend
the Active Directory schema to hold just about any user information a company wants
to keep.
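Both functions, and the account restrictions the first one mentions, can be set from the command line. The following is an added example, not code from the chapter; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses a hypothetical domain corp.example, an OU named Sales, and a user jsmith. It creates the account with an expiration date, limits where and when it can log on, and fills in the directory attributes.

```powershell
# Added example (not from the original chapter). Assumes the ActiveDirectory
# PowerShell module and a hypothetical domain "corp.example", OU "Sales", and
# user "jsmith"; adjust all three to your environment.
Import-Module ActiveDirectory

$sam = 'jsmith'
$ou  = 'OU=Sales,DC=corp,DC=example'

# Function 1, authentication: initial password, forced change at first logon,
# and an expiration date (the account stops working at 00:00 on that date).
# Function 2, directory data: Department, Office, and OfficePhone attributes.
$initialPassword = Read-Host -AsSecureString 'Initial password for jsmith'
New-ADUser -Name 'Jane Smith' -SamAccountName $sam -UserPrincipalName "$sam@corp.example" `
    -GivenName 'Jane' -Surname 'Smith' -Path $ou `
    -AccountPassword $initialPassword -ChangePasswordAtLogon $true `
    -AccountExpirationDate (Get-Date '2025-12-31') -Enabled $true `
    -Department 'Sales' -Office 'Building 2, Room 210' -OfficePhone '555-0142'

# Where the user may log on: a comma-separated list of computer names.
Set-ADUser -Identity $sam -LogonWorkstations 'SALES-WS01,SALES-WS02'

# When the user may log on: logonHours is a 21-byte bitmap, one bit per hour,
# starting Sunday 00:00 in UTC (the GUI shows it converted to the admin's local
# time, so build it in UTC). Byte index = day*3 + hour/8, bit index = hour % 8.
# This allows Monday to Friday, 08:00 to 17:59 UTC.
$hours = New-Object byte[] 21
foreach ($day in 1..5) {                 # 0 = Sunday, 1 = Monday ... 6 = Saturday
    foreach ($h in 8..17) {
        $i = $day * 3 + [math]::Floor($h / 8)
        $hours[$i] = $hours[$i] -bor [byte][math]::Pow(2, $h % 8)
    }
}
Set-ADUser -Identity $sam -Replace @{ logonHours = $hours }

# Read back what was written, including the bitmap in hex for inspection.
Get-ADUser -Identity $sam -Properties AccountExpirationDate, LogonWorkstations, logonHours, Department, Office |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, LogonWorkstations, Department, Office,
        @{ n = 'LogonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' ' } }
```

The logonHours bitmap is the one restriction that is easy to get wrong from a script: a mask built in local time is shifted by the time-zone offset once the domain controller applies it, and ADUC silently displays the shifted hours, so verify the hex bytes rather than the GUI grid.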
As you learned in Chapter 3, Windows OSs have three categories of user accounts: local,
domain, and built-in. Local user accounts are found in Windows client OSs, such as Windows
XP and Vista, as well as in Windows Server OSs on systems that aren't configured as domain
controllers. These accounts are stored in the Security Account Manager (SAM) database of the
local computer, so a user can log on with one and access resources only on the computer where
the account resides; the account has no standing in the domain. A network running Active
Directory should therefore limit the use of local user accounts on client computers, as they
can't be used to access domain resources. Local user accounts are mainly used in a peer-to-peer
network where Active Directory isn't running. Administrators also log on with a computer's
local Administrator account to join the computer to a domain or to troubleshoot access to the
domain when domain logon fails. Local user accounts are usually created in Control Panel's User
Accounts applet or the Computer Management MMC's Local Users and Groups snap-in. Because these
accounts don't participate in Active Directory, they can't be managed from Active Directory, and
user Group Policy settings can't be targeted at them (computer-side settings delivered to a domain
member, such as the password and account lockout policies, still govern its local SAM). The number
of attributes in a local user account pales in comparison to those in an Active Directory user
account, as shown in Figure 5-1.
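Because local accounts are invisible to Active Directory, the only way to find out whether a domain member still carries any is to ask the member itself. The following added example (not code from the chapter) inventories the SAM of the computer it runs on, tells built-in accounts apart from locally created ones by the well-known RID at the end of the SID, and flags the enabled, non-built-in ones that the text says an Active Directory network should avoid. It assumes Windows PowerShell 5.1 or later for Get-LocalUser; on older systems "net user" lists the same accounts.

```powershell
# Added example (not from the original chapter). Runs on the local computer;
# Get-LocalUser needs Windows PowerShell 5.1 or later (Windows 10 / Server 2016+).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is not domain-joined; local accounts are the only accounts here."
}

# Built-in local accounts have well-known relative IDs (RIDs) as the last SID
# component: 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount.
# Matching on the RID rather than the name survives a renamed Administrator account.
$builtInRids = 500, 501, 503, 504

Get-LocalUser | ForEach-Object {
    $rid = [int]($_.SID.Value -split '-')[-1]
    $isBuiltIn = $builtInRids -contains $rid
    [pscustomobject]@{
        Computer        = $cs.Name
        Domain          = $cs.Domain
        Name            = $_.Name
        RID             = $rid
        Enabled         = $_.Enabled
        BuiltIn         = $isBuiltIn
        LastLogon       = $_.LastLogon
        PasswordExpires = $_.PasswordExpires
        # An enabled, locally created account on a domain member is what the
        # text says to limit: AD can't see it and user Group Policy can't reach it.
        Review          = $_.Enabled -and -not $isBuiltIn
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it through a remoting session or a startup script to cover every member computer; an account with Review set to True and a recent LastLogon is a standing credential that password resets in Active Directory will never touch.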