4. Click File, Save As from the menu. In the Save as type list box, click All Files (*.*). In the File name text box, type C:\ldfusers.ldf, and then click Save. Exit Notepad.
5. Open a command prompt window. Type cd \ and press Enter. Type ldifde -i -f ldfusers.ldf and press Enter.
6. Close the command prompt window, and open Active Directory Users and Computers, if necessary. Click the TestOU OU and verify that the user was created. If necessary, refresh the view so that you can see this user.
7. Close all open windows.
Chapter Summary
User accounts provide a way for users to authenticate to the network and contain user information
that can be used in a company directory. There are three categories of users in
Windows: local, domain, and built-in. The two built-in accounts are Administrator and Guest.
Active Directory Users and Computers is the main tool for creating and maintaining user
accounts. User account names must be unique in a domain, aren't case sensitive, and must be
20 or fewer characters. A complex password is required by default. A naming standard should
be devised before creating user accounts. At the very least, the user's full name, logon name,
and password are required to create a user account in Active Directory Users and Computers.
User templates facilitate creating users who have some attributes in common, such as
group memberships. Administrators can use the multiple edit feature of Active Directory
Users and Computers to edit certain fields for several users at once.
The most important user account properties are in the General, Account, Profile, Member
Of, and Terminal Services tabs. The Account tab contains information that controls many
aspects of logging on to the domain, such as logon name, logon hours, logon locations,
account lockout, and account expiration. The Profile tab contains information about
where a user's profile data is stored and can specify a logon script.
A user profile contains personal files and settings that define the user's environment. By
default, the profile is local and stored as a subdirectory of the %SYSTEMDRIVE%\Users
folder. A profile stored on a network share is called a roaming profile and is configured in
the Profile tab of a user account's Properties dialog box. Profiles can be made mandatory
by renaming the Ntuser.dat file as Ntuser.man in the user's profile directory.
Groups are the primary security principal used to grant rights and permissions. The two
group types are security and distribution, but only security groups are used to assign permissions
and rights. The group type can be converted from security to distribution and vice versa.
There are three group scopes in Active Directory: domain local, global, and universal.
(Local groups are found on domain member computers and stand-alone computers.) The
recommended use of groups can be summarized with the acronyms AGDLP and AGGUDLP.
Groups can be nested, as long as the rules for group membership are followed. Group
scope can be converted, with some restrictions. There are default groups in the Builtin and
Users folders, and there are special identity groups with dynamic membership that can't
be managed.
Computers that are domain members have computer accounts in Active Directory. Domain
users logging on to member computers can use single sign-on forestwide and perform Active
Directory searches. Computers can be managed by using group policies and remote MMCs.
Computer accounts are created automatically when a computer joins a domain or manually
by an administrator. By default, computer accounts are created in the Computers folder, but
to use group policies, they must be moved to an OU that has a group policy linked to it.
You can automate account management by using command-line tools, such as DSADD
and DSMOD, and bulk import/export programs, such as CSVDE and LDIFDE. Command-line
tools can be simplified by using batch files and piping.
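
A pre-import check for a bulk LDIFDE file, applying the naming rules from this summary (logon names unique in the domain, not case sensitive, 20 or fewer characters). This is an added example, not part of the original text; the example.local domain and the user entries are constructed, and the parser assumes plain single-line "attribute: value" lines (no base64 or folded values).

```python
import re

# Constructed sample LDIF (not from the original activity); example.local is a placeholder.
SAMPLE_LDIF = """\
dn: CN=LDF User1,OU=TestOU,DC=example,DC=local
changetype: add
objectClass: user
sAMAccountName: ldfuser1

dn: CN=LDF User2,OU=TestOU,DC=example,DC=local
changetype: add
objectClass: user
sAMAccountName: LDFUSER1

dn: CN=Long Name,OU=TestOU,DC=example,DC=local
changetype: add
objectClass: user
sAMAccountName: averyveryverylongname1
"""

def parse_ldif(text):
    """Split LDIF text into records: dicts of lower-cased attribute -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):  # skip comments and malformed lines
                rec.setdefault(key.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def lint_users(text, max_len=20):
    """Return (dn, problem) pairs for user records that break the naming rules."""
    problems, seen = [], {}
    for rec in parse_ldif(text):
        if "user" not in [v.lower() for v in rec.get("objectclass", [])]:
            continue
        dn = rec.get("dn", ["<no dn>"])[0]
        name = rec.get("samaccountname", [""])[0]
        if not name:
            problems.append((dn, "missing sAMAccountName"))
            continue
        if len(name) > max_len:
            problems.append((dn, f"logon name longer than {max_len} characters"))
        if name.lower() in seen:  # names aren't case sensitive, so compare folded
            problems.append((dn, "duplicate of " + seen[name.lower()]))
        seen.setdefault(name.lower(), dn)
    return problems
```

Running lint_users on the file before ldifde -i catches entries that would otherwise fail or collide partway through the import.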
 