Managing Users, Computers, and Groups
This chapter covers the following Microsoft-specified objectives for the "Managing Users, Computers, and Groups" section of the Managing and Maintaining a Microsoft Windows Server 2003 Environment exam:
Create and manage user accounts.
- Create and modify user accounts by using the Active Directory Users and Computers console.
- Create and modify user accounts by using automation.
- Import user accounts.
A primary function of a network administrator is to create and manage user accounts because user accounts are needed for users to authenticate to the network and to determine what resources the user can access.
For a small network, creating and modifying the user accounts one at a time with a management tool is not too time consuming. But on a network with hundreds or thousands of users, it makes sense to use tools that automate the process. If the data about the users exists in some other form, such as a new-hire database, you can create the user accounts by importing them from a compatible file.
Create and manage groups.
- Create and modify groups by using the Active Directory Users and Computers console.
- Identify and modify the scope of a group.
- Manage group membership.
- Find domain groups in which a user is a member.
- Create and modify groups by using automation.
For simplicity of network administration, we can create group objects and allocate resource access rights to these objects. Then by making user accounts members of the group, we can grant them the access that the group objects have been assigned.
Manage local, roaming, and mandatory user profiles.
- Create and modify local user profiles.
- Create and modify roaming user profiles.
- Create and enforce mandatory user profiles.
The settings for a user's work environment are stored in the user's profile. Any changes the user makes to the environment (Favorites, Start menu items, icons, colors, My Documents, Desktop, local settings, application-specific settings) are saved when the user logs off. The profile is reloaded when the user logs on again.
It is important for administrators to know how to manage user profiles so that the users' settings are saved from session to session. If managed properly, this also ensures the users see the same desktop no matter where they log on.
Create and manage computer accounts in an Active Directory environment.
Every computer running Windows NT, Windows 2000/2003, or Windows XP that is a member of a domain has a computer account in that domain. The computer account is a security principal, and it can be authenticated and granted permissions to access resources. A computer account is automatically created for each computer running the listed operating systems when the computer joins the domain.
Troubleshoot user accounts.
- Troubleshoot account lockouts.
- Troubleshoot issues related to user account properties.
With a large group of users, there are sure to be trouble calls every day from users having difficulties with their accounts. One system setting that often results in trouble calls is Account Lockout: a user cannot log in because the account has been disabled after too many incorrect passwords were entered. Other problems can arise due to inappropriate settings in the user accounts.
Troubleshoot user-authentication issues.
Sometimes a user will not be able to log on to the network. This can be caused by simple factors, such as a user error when entering a user ID and password, or by more complex issues such as the computer account being unusable. The network administrator must be able to determine what is causing the problem and to promptly correct the situation.
Troubleshoot computer accounts.
- Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in.
- Reset computer accounts.
When a computer account is operating incorrectly, it may be impossible to log on to the domain from the computer. In this case it is necessary to reset the computer's account and rejoin the computer to the domain. This process reestablishes the secure relationship between the computer and the domain it is a member of.
- Creating and Managing User Accounts
- Creating and Modifying User Accounts Using Active Directory Users and Computers
- Adding Users to Groups
- Saving Time with User Templates
- Creating Accounts Using Automation
- Creating and Modifying User Accounts with Command-line Tools
- Importing and Exporting User Accounts
- Troubleshooting User Accounts
- Troubleshooting Account Lockouts
- Troubleshooting Issues Related to User Account Properties
- Managing Local, Roaming, and Mandatory User Profiles
- Creating and Modifying Local User Profiles
- Creating and Modifying Roaming User Profiles
- Creating and Enforcing Mandatory User Profiles
Creating and Managing Groups
- The Four Domain Functional Levels
- Group Type
- Group Scope
- Domain Local Groups
- Global Groups
- Universal Groups
- Recommended Sequence of Groups
- Creating and Modifying Groups by Using the Active Directory Users and
- Identifying and Modifying the Scope of a Group
- Managing Group Membership
- Adding Accounts to Groups with Command-line Tools
- Finding Domain Groups in Which a User Is a Member
- Creating and Modifying Groups by Using Automation
Creating and Managing Computer Accounts in an Active Directory Environment
- Creating Computer Accounts Using the Active Directory Users and Computers
- Creating Computer Accounts by Joining the Domain
- Troubleshooting Computer Accounts
- Troubleshooting Issues Related to Computer Accounts by Using the Active Directory Users and Computers Console
Apply Your Knowledge
In studying this section, be sure to practice all the activities described. Become very familiar with Active Directory Users and Computers, creating users and groups, resetting user and computer accounts, and defining roaming profiles and mandatory profiles. Microsoft is proud of the new command-line directory-management tools (dsquery, dsadd, dsmod, and dsget), so be sure you know what each one is for as well as how to use it. Also be sure to understand piping, that is, sending the output from one command as the input to another.
Use both ldifde and csvde, but don't spend hours making them work. Understand what they are for, and get to know the command structure. Work through the exercises until you can explain ldifde and csvde authoritatively to a colleague.
You will need access to a Windows Server 2003 domain controller. Many of the tools are new or differ from those available in Windows 2000, so don't try to get by with a Windows 2000 domain controller.
You don't have to buy Windows Server 2003 to try it out. You can download a free evaluation version (which expires in 180 days) from http://www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx.
Starting with this chapter, you're going to learn about some of the common daily duties of a Windows Server 2003 administrator. You can rest assured that you will be performing the tasks you learn in this chapter very often. This chapter discusses creating and managing user accounts, group accounts, and computer accounts, and setting up roaming profiles. Troubleshooting is a big part of the job, too. Troubleshooting entails helping users understand why they cannot connect to the network, whether it's because of locked-out user accounts, inoperative computer accounts, or other reasons. We'll be starting with user accounts. Let's get to it!