Administration
User Creation & Maintenance
Contents
Creating a User Account with AD Users and Computers
To create a new user account
User Logon Name (user principal name)
Pre-Windows 2000 logon name (samaccountname)
Account Password
Password never expires
User Properties or Attributes
General Tab
Display Name
Description
Office
Telephone Number
E-mail
Web Page
Address Tab
Account Tab
Profile & Member Of Tabs
Telephone Tab
Organization Tab
Company
GroupCompany
EmployeeID
Terminal Services Profile Tab
Environment Tab
Sessions & Remote Control Tab
COM+, Security, Published Certificates, Password Replication, Dial-In, Object & Attribute Editor Tab
2.
The First and Last name fields should correspond to the user's official business
identity. Only the ASCII Standard Character set can be used. Characters
containing accents cannot be used. The names used here must be consistent
through the e-mail address and logon names. Note that the Full name is
automatically filled in after you enter the First and Last names. The Initial field
should only be filled in if the user's email address includes the initial. If the
user's Initial field is filled in, the email address should be
firstname.middleinitial.lastname@company.com, for example
john.f.kennedy@wppgts.com.
Compound Names
If the user has multiple first names or multiple last names, and they are part of the
email address, then they should be included in the appropriate field. For example,
Billy Bob Thornton would have "Billy Bob" in the firstname field (notice the space).
Ernest van den Haag would have "Ernest" in the firstname field, and "van den
Haag" in the lastname field. This is very important. For the E-mail Address, User
Principal Name, and pre-Windows 2000 logon name, a space is not allowed for
compound names. Remove the space in this situation. So Billy Bob Thornton's
email address would be billybob.thornton@media.com, his user principal name
would be the same, and the pre-Windows 2000 logon name would be billybob.thornton.
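The naming rules above, worked through as an added PowerShell example (not part of the original guide). The function name New-LogonIdentifier, the example.com domain and the lowercasing (inferred from the guide's sample addresses) are assumptions.

```powershell
# Added example: derive logon identifiers from the name fields per the rules above.
# New-LogonIdentifier is a hypothetical helper, not part of the guide or of AD.
function New-LogonIdentifier {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [string]$Initial = '',
        [Parameter(Mandatory)][string]$Domain
    )
    # Only the standard ASCII set is allowed; accented characters are rejected.
    foreach ($part in $FirstName, $LastName, $Initial) {
        if ($part -match '[^\x20-\x7E]') {
            throw "Non-ASCII character in '$part'"
        }
    }
    # Compound names keep their space in the name fields but lose it in identifiers.
    # Assumption: identifiers are lowercased, as in the guide's sample addresses.
    $segments = @($FirstName, $Initial, $LastName) |
        Where-Object { $_ } |
        ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }
    $logon = $segments -join '.'
    $warnings = @()
    # sAMAccountName on user objects is limited to 20 characters.
    if ($logon.Length -gt 20) {
        $warnings += "sAMAccountName '$logon' exceeds 20 characters"
    }
    [pscustomobject]@{
        DisplayName       = "$FirstName $LastName"
        UserPrincipalName = '{0}@{1}' -f $logon, $Domain
        Mail              = '{0}@{1}' -f $logon, $Domain
        SamAccountName    = $logon
        Warnings          = $warnings -join '; '
    }
}

# The guide's own examples, plus one constructed domain (example.com).
New-LogonIdentifier -FirstName 'Billy Bob' -LastName 'Thornton' -Domain 'media.com'
New-LogonIdentifier -FirstName 'John' -Initial 'F' -LastName 'Kennedy' -Domain 'wppgts.com'
New-LogonIdentifier -FirstName 'Ernest' -LastName 'van den Haag' -Domain 'example.com'
```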
Account Password
Type a password in both the Password and Confirm password boxes and click
Next. It must meet the Password Complexity requirements. NEVER use "Password
never expires"! This is against our security and compliance policies and we do run
audits for this condition.
Now you can input a password for the new user. It must meet the password
complexity requirements set up for the domain.
The Password must be at least 8 characters long and meet 3 out of the following 4
requirements:
Uppercase letter
Lowercase letter
Number
Special characters
4. Add more information about the user in the Properties dialog box on the
General tab as shown in Figure 5 below, and click OK. You are provided with this
selection of optional entries. Click each tab you want to go to and enter the
appropriate info.
6.
General Tab
Display Name
On the General tab you see many of the fields you just entered, such as the names.
You will also notice the Display Name. This is generated initially by taking the
contents of the First name field, adding a space, and then adding the Last name
field. If there are any changes to the first or last names later, make sure you
change the Display Name as well. Just like the First and Last Name fields, only the
ASCII Standard Character set can be used. Characters containing accents
cannot be used.
Description
This field is free to be updated as you like. However, it is used for essential system
processes as well. SecureClient VPN Groups are automatically created by adding
any user that has |SecureClient| in this field. We also have an automated process
that cleans up AD as shown below.
Any user account that has not had its password changed within 90 days (39 days past our
requirement) will be disabled.
Any computer account that has not contacted the domain in over 120 days will be disabled.
Any user account that has not had its password changed within 120 days will be
deleted.
Any computer account that has not contacted the domain in over 150 days will be deleted.
Exceptions
It is possible to circumvent this process. However, if you choose to circumvent this process,
please understand you may be required to explain or provide documentation for why you are
circumventing a security process that your company is depending on for regulatory
purposes. Circumventing the process would be understandable if the user is on extended
leave for maternity, sabbatical, etc.
Here is how you prevent the process from disabling or deleting a user or computer account:
Modify the description field of the user or computer account in AD to contain this term
EXACTLY - "|nodisable|", additionally please include your reason for not disabling or deleting
the user.
Note:
Once a computer account is disabled, users on that computer can no longer log into AD, and
the computer will no longer process GPOs. But since this computer has not contacted AD,
this should not matter.
Any account disabled by this process will have its description updated to denote it was
disabled by the automatic process.
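A report-only preview of the cleanup thresholds and the |nodisable| exemption described above, as an added example (this is not the automated process itself, whose implementation the guide does not show). Get-CleanupAction, the LastActivity property, the sample accounts and the case-sensitive marker match are assumptions.

```powershell
# Added example: Get-CleanupAction is a hypothetical helper and changes nothing in AD.
function Get-CleanupAction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidateSet('user', 'computer')][string]$ObjectClass,
        [Parameter(ValueFromPipelineByPropertyName)][string]$Description,
        # Users: when the password was last changed. Computers: last domain contact.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][datetime]$LastActivity,
        [datetime]$Now = (Get-Date)
    )
    begin {
        # Day thresholds from the text: users 90/120, computers 120/150.
        $limits = @{
            user     = @{ Disable = 90;  Delete = 120 }
            computer = @{ Disable = 120; Delete = 150 }
        }
    }
    process {
        $age = [int][math]::Floor(($Now - $LastActivity).TotalDays)
        if     ($age -gt $limits[$ObjectClass].Delete)  { $action = 'Delete' }
        elseif ($age -gt $limits[$ObjectClass].Disable) { $action = 'Disable' }
        else                                            { $action = 'None' }
        # Assumption: the marker is matched case-sensitively, pipes included.
        $exempt = $Description.Contains('|nodisable|')
        $reason = ($Description -creplace '\|nodisable\|', '').Trim()
        [pscustomobject]@{
            Name          = $Name
            AgeDays       = $age
            PendingAction = if ($exempt) { 'None (exempt)' } else { $action }
            # The guide asks for a reason next to the marker; flag exemptions without one.
            MissingReason = $exempt -and -not $reason
        }
    }
}

# Constructed sample accounts, evaluated against a fixed date.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'a.user';  ObjectClass = 'user';     Description = 'Sales';                       LastActivity = $now.AddDays(-95) }
    [pscustomobject]@{ Name = 'b.user';  ObjectClass = 'user';     Description = '|nodisable| maternity leave'; LastActivity = $now.AddDays(-130) }
    [pscustomobject]@{ Name = 'c.user';  ObjectClass = 'user';     Description = '|nodisable|';                 LastActivity = $now.AddDays(-130) }
    [pscustomobject]@{ Name = 'PC-0042'; ObjectClass = 'computer'; Description = '';                            LastActivity = $now.AddDays(-151) }
)
$sample | Get-CleanupAction -Now $now | Format-Table -AutoSize
```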
Office
The Office field is important for the Office Directory and our Software Licensing
procedures. Only specific values should be entered here and no typos are allowed.
Those values are visible in AD U&C under the Offices OU. This value must be added
by Local IT to the user account or the software reporting functions will fail and the
user will not show up in the office directory.
Telephone Number
The telephone number field is crucial for GroupM's Global Directory. If it has the
wrong value, the user's phone system will not work properly! The value in this field
must be the user's direct office telephone number. The number format used by this
field is the E.164 telephone number standard. This means it must begin with the +
sign, followed by the 1-, 2- or 3-digit country code, followed by the phone number.
Any international phone should be able to dial this number. Even if you are not on
the Cisco IPT solution, it is essential for your number to follow this format so that you
can be dialed by users who are. It will also be used by other systems such as
SharePoint, Jive and Unified Communications. The number must not contain spaces,
brackets or hyphens. A valid number would be +442079693400.
+44 20 7969-3400 or +44 (0) 20 7969 3400 are not valid values.
E-mail
This field is also important. This MUST match the user's current e-mail address and
UPN. It will be used by many applications and Exchange. When the UPN or E-mail is
changed, this field must be updated as well.
Web Page
Leave this field alone; SharePoint will use it for mySites.
Address Tab
The Street, P.O. Box and State/province values should be (but do not have to be)
filled out to the correct values. Some of these values are managed by the
Whitepages process.
City
This field is mandatory. The City names are predefined and must be entered exactly
as defined in this SharePoint List. Any other value will result in problems with Jive.
Email archiving and message cleansing will not function correctly for the user. The
Country field must also be filled out.
Country
This field is mandatory. This field is also used for Jive, Email archiving and
automating functions within Exchange and AD. This is a drop-down list on the
Address Tab.
Account Tab
This tab is used for general administration. Please see the Password Not Expires
section above.
Telephone Tab
The telephone tab can be edited at the discretion of the local administrator;
however, please keep in mind two issues. The phone numbers must all follow the
E.164 format. Be sensitive to our employees' privacy concerns and the local
government and work council requirements.
The Notes field is for the user, not for IT.
Organization Tab
The Department and Company attributes should be managed by the Local
Administrator. The company value is critical to security and proper operations. If
this is improperly set, you will be providing this user access to the wrong company's
resources!
Company
The proper values for this field are saved in this SharePoint List. Any other value
will result in problems with the mail and application systems.
GroupCompany
If this user is a member of a smaller company that is not on the Approved
Company Values SharePoint List above, then you must determine whether that
user's company is closely associated with one of the brands in the Approved
Company Values list. If they are close enough so that this sub company should be
allowed access to all the broadcast emails, the intranet and even file security for the
entire top level company, then you should obtain approval from local business
management and the global communication director of that brand. Once that
approval is obtained, record it in this list. The Approved Group Company Values
list can be used for sub brands, affiliates and JVs after following this process. But
these values cannot go in the Company attribute. They can be used in the
groupmcompany attribute.
Unfortunately, the groupmcompany attribute is not usually available via the Active Directory
Users and Computers tool. It is not on the Organization tab. To access it in
ADUC, you must turn on advanced features by clicking on the View menu and then
selecting Advanced Features.
This will add additional tabs to the properties view of the user object. Select the
Attribute Editor Tab.
Under the Attribute Editor tab, scroll down until you can find the GroupMcompany
attribute.
Select it and click Edit.
Do not use this feature on other values. You risk destroying the user account.
If you are confused or the user is a member of an affiliate or JV, contact the Global
Infrastructure and Operations Team.
EmployeeID
Certain countries are using the EmployeeID for use with applications. To do this,
please register this application with Global IT so we can avoid conflicts and ensure
performance. For example, the US uses this with Concur for authentication, GTS
uses it for Timesheets, and Russia is using it as well. This field is hidden and has no
interface for editing. So you can use the attribute editor as shown above, or we
have built a small applet to manage this for you on a user-by-user basis. Contact
Global IT to request it.
We do have a standard for using this field. The EmployeeID should be the HR
number assigned to the user. Do NOT use this field if the HR number cannot be
publicly known, because this value will be available to anyone with access to AD.
However, because we typically have different HR systems in each country, we would
face conflicts eventually. To avoid this, we reserve the first two characters for the
country. We use the ISO-3166-1 codes for the country. In the instance where there
is more than one HR system in a country, the 2nd HR system would use a 0 in the
third character, the third would use a 1, and so on. So my employeeID field should
be US for United States and then my HR number, for example US00001.
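The attribute rules from the Telephone Number, E-mail, Account Password and EmployeeID sections, combined into one audit check as an added example (not the guide's own audit tooling). Test-UserAttribute and the sample objects are assumptions, and the EmployeeID check covers only the two-letter country prefix.

```powershell
# Added example, not the guide's own tooling. Test-UserAttribute is hypothetical.
function Test-UserAttribute {
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $issues = @()
        # Names and display name: standard ASCII only, no accented characters.
        foreach ($p in 'GivenName', 'Surname', 'DisplayName') {
            if ($User.$p -match '[^\x20-\x7E]') { $issues += "$p contains non-ASCII characters" }
        }
        # Logon names must not contain the space kept in compound name fields.
        if ($User.SamAccountName -match '\s' -or $User.UserPrincipalName -match '\s') {
            $issues += 'Logon name contains a space'
        }
        # E.164: '+', then country code and number as digits only (15 digits at most).
        if ($User.telephoneNumber -notmatch '^\+[1-9]\d{1,14}$') {
            $issues += 'telephoneNumber is not E.164'
        }
        # E-mail must match the UPN (-ne compares strings case-insensitively).
        if ($User.mail -ne $User.UserPrincipalName) { $issues += 'mail differs from UPN' }
        # EmployeeID is optional; when set it must start with a two-letter country code.
        if ($User.EmployeeID -and $User.EmployeeID -cnotmatch '^[A-Z]{2}\S+$') {
            $issues += 'EmployeeID lacks country prefix'
        }
        if ($User.PasswordNeverExpires) { $issues += 'Password never expires is set' }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Issues = $issues -join '; ' }
    }
}

# Constructed sample objects; the phone numbers are the guide's own examples.
$sample = @(
    [pscustomobject]@{
        GivenName = 'Billy Bob'; Surname = 'Thornton'; DisplayName = 'Billy Bob Thornton'
        SamAccountName = 'billybob.thornton'; UserPrincipalName = 'billybob.thornton@media.com'
        mail = 'billybob.thornton@media.com'; telephoneNumber = '+442079693400'
        EmployeeID = 'US00001'; PasswordNeverExpires = $false
    }
    [pscustomobject]@{
        GivenName = "Ren$([char]0xE9)e"; Surname = 'Dupont'; DisplayName = 'Renee Dupont'
        SamAccountName = 'renee dupont'; UserPrincipalName = 'renee.dupont@example.com'
        mail = 'r.dupont@example.com'; telephoneNumber = '+44 20 7969-3400'
        EmployeeID = '00017'; PasswordNeverExpires = $true
    }
)
$sample | Test-UserAttribute | Format-Table -AutoSize -Wrap

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties DisplayName, mail, telephoneNumber, EmployeeID, PasswordNeverExpires | Test-UserAttribute
```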
Environment Tab
This tab can be edited at the discretion of local IT, but in general should not be
used.