
User Accounts

Module 3 Managing Users and Service Accounts


Module Overview
Create and Administer User Accounts
Configure User Object Attributes
Automate User Account Creation
Create and Configure Managed Service Accounts

Create and Administer User Accounts


User Account
Create Users with Windows PowerShell
Name Attributes
Account Attributes
User Account Management

User Account
A user account:
    Enables authentication of a user with attributes, including a user logon name and password
    Is a security principal with a security identifier (SID) that can be assigned permissions to resources

A user account can be stored:

    In Active Directory, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain
        Domain user accounts are administered with Active Directory snap-ins and commands

    In the local SAM database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources
        Local user accounts are administered with the Local Users and Groups snap-in

Create Users with PowerShell


    New-ADUser -Name <string> [Parameters]

-Name: Name of user to create. If no other parameters are provided, this will also be the SAM Account name.
[Parameters]: Parameters may include:
    -SAMAccountName: The name with which the user logs on.
    -AccountPassword: Used to set the account password. If this is not provided, the password is null and the account disabled.
    -Enabled: Used to enable the account. If this is not provided, the account is disabled by default.
    -Path: Used to specify the location where the object should be created. By default, it will be created in the Users container.

Get-Help New-ADUser -detailed: Use to get full explanations of the parameters that can be used.

Name Attributes
User logon name (pre-Windows 2000): sAMAccountName
    Technocorp\Amit.Lomte
    Unique in domain
    20-character limit

User logon name: userPrincipalName (UPN)
    Amit.Lomte@technocorp.com
    Name + @ + UPN suffix
    Unique in forest

Name or Full Name: cn (common name)
    Amit Lomte
    Unique in OU so that the relative distinguished name (RDN) is unique in the OU, so that, in turn, the object's distinguished name (distinguishedName attribute) is unique in the forest

Display name: displayName
    Lomte, Amit
    Exchange global address list (GAL)
    Best if unique, but not technically required to be unique

Account Attributes
Logon Hours
Log On To
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Store password by using reversible encryption
Smart Card is required for interactive logon
Account is trusted for delegation
Account expires

User Account Management


Account Management involves the following tasks:
    Renaming a user account
    Resetting a user password
    Unlocking a user account
    Disabling or enabling a user account
    Moving a user account
    Deleting a user account

Configure User Object Attributes


A Tour of User Attributes
View All Attributes
Modify Attributes of Multiple Users
Modify User Attributes by Using Windows PowerShell
Demonstration: Create Users with Templates
Create Users with Templates

A Tour of User Attributes

In this demonstration, you will learn:
    How to access the properties of a user
    The role of each tab in the user Properties dialog box

View All Attributes

The Attribute Editor tab
    In Active Directory Users and Computers, click the View menu, and then select Advanced Features

Modify Attributes of Multiple Users

Procedure for modifying attributes
    Select multiple users (for example, by using CTRL+click)
    Right-click any one of the selected users, and then click Properties

Attributes that can be modified
    General: Description, Office, Telephone Number, Fax, Web page, E-mail
    Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, Account expires
    Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, Country/region
    Profile: Profile path, Logon script, Home folder
    Organization: Job Title, Department, Company, Manager

Modify User Attributes by Using PowerShell

Get-ADUser returns attributes of objects

    Get-ADUser UserDN [-parameter value]

    UserDN: distinguishedName of the user
    Parameter: Name of attribute
    value: Value for attribute (or use * for all attributes)

Set-ADUser modifies specified attributes

    Set-ADUser UserDN [-parameter value]

    UserDN: distinguishedName of the user
    Parameter value: Attribute and value to be modified

Example using both cmdlets together

    Get-ADUser Tony.Krijnen | Set-ADUser -office "Stockholm"
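
An added example (not from the original deck) that uses both cmdlets on the account options listed under Account Attributes: Get-ADUser reports enabled users that have password-never-expires, reversible encryption or delegation trust set, and Set-ADUser clears reversible encryption. It assumes the ActiveDirectory module is available; -WhatIf keeps the change a dry run.

```powershell
# Added example, not from the original deck. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Account options from the Account tab that weaken an account when set
$options = 'PasswordNeverExpires',
           'AllowReversiblePasswordEncryption',
           'TrustedForDelegation'

# Get-ADUser returns only a default attribute set, so request the extra ones
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $options

# Report each enabled user together with the options that are switched on
$findings = foreach ($u in $users) {
    $set = $options | Where-Object { $u.$_ }
    if ($set) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Options        = $set -join ', '
        }
    }
}
$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# Both cmdlets together: clear reversible encryption where it is set.
# -WhatIf only prints what would change; remove it to apply.
$users | Where-Object AllowReversiblePasswordEncryption |
    Set-ADUser -AllowReversiblePasswordEncryption $false -WhatIf
```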

Demonstration: Create Users with Templates

In this demonstration, you will learn:
    What a template user account is, and why it is useful
    How to create a template user account
    How to copy a template user account

Create Users with Templates

General tab: No properties are copied
Address tab: P.O. box, city, state or province, ZIP or postal code, and country or region are copied
    Note that the street address itself is not copied
Account tab: Logon hours, logon workstations, account options, and account expiration
Profile tab: Profile path, logon script, home drive, and home folder path
Organization tab: Department, company, and manager
Member Of tab: Group membership and primary group

Automate User Account Creation

Export Users with CSVDE
Import Users with CSVDE
Import Users with LDIFDE
Import Users with Windows PowerShell

Export Users with CSVDE

CSV (comma-separated value, or comma-delimited text)
    Can be edited with simple text editors such as Notepad or Microsoft Office Excel

CSVDE.exe

    csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes

    RootDN: Start of export (default = domain)
    SearchScope: Scope of export (Base,OneLevel,Subtree)
    Filter: Filter within the scope (LDAP query language)
    ListOfAttributes: Use the LDAP name

[Diagram: Active Directory <-> CSVDE.exe <-> filename.ldf, with Export and Import arrows]

Import Users with CSVDE

CSVDE.exe

    csvde -i -f filename [-k]

    -i: Import (default mode is export)
    -k: Continue past errors (such as Object Already Exists)

Cannot import passwords, so users are created as disabled
Cannot modify existing users

[Diagram: Active Directory <-> CSVDE.exe <-> filename.ldf, with Export and Import arrows]

Import Users with LDIFDE

LDAP Data Interchange Format (LDIF)
LDIFDE.exe

    ldifde [-i] [-f filename] [-k]

    -i: Import (default mode is export)
    -k: Continue past errors (such as Object Already Exists)

Cannot import passwords, so users are created as disabled
Can modify or remove existing users

[Diagram: Active Directory <-> LDIFDE.exe <-> filename.ldf, with Export and Import arrows]

Import Users with Windows PowerShell

Import-CSV
New-ADUser

    Import-CSV Users.csv | foreach {
        # The initial password of each account is set to its own SamAccountName
        New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name `
            -Surname $_.Surname -GivenName $_.GivenName `
            -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) `
            -Enabled $true
    }

[Diagram: Active Directory <-> Windows PowerShell <-> filename.csv, with Export and Import arrows]
