Learn how to create user accounts in Active Directory.
- In Active Directory Domain Services, there are many different types of objects that you'll be responsible for managing. One of those objects is something known as a user account object. Now this user account object is basically an interface between an actual human user in your company and the Active Directory Domain Services enterprise. So if you think about it you have the actual people in your company. And when they're on the network they need to be able to access resources.
Well you manage their ability to access or even restrict their access to resources through the user account that you create to represent those people. So to demonstrate the creation of one of these user accounts, I'm going to connect to DC1. Here in the Server Manager, I am going to go up to the tools menu, and select Active Directory Users and Computers. Here in Active Directory Users and Computers, you will see we have our domain, landonhotel.local, and if I expand that there's a number of folders or containers.
And when I want to create a user account object, I just need to select the container that I want to create the object in. So, how about we take this one right at the bottom that says users. Right, that seems like a good container for a user. So I'm going to click on it and then I'm going to actually right-click using the right mouse button, and in this menu I'm just going to hover my mouse over the word new, and you'll see it pops out a secondary menu, and down near the bottom we see user. So I'm going to click that.
Here, I have the new object user wizard. So, we're going to say that we have a new user in our company named Kathy Lopez. So we're just going to simply fill in the form here. First name is Kathy. I'm not going to worry about a middle initial, but if we go to the last name, last name is Lopez. And you'll notice that as I typed in the first name and the last name, the full name field auto-populated. So it's already saying that we have Kathy Lopez.
Next, we have to assign a user login name, and this is something you should put a little bit of thought into for your organization, you should have some kind of a consistent naming convention, and use one that would work no matter how large your enterprise is. Now a very typical naming convention would be first initial and last name, so that would just simply be klopez. But you want to be careful because what happens if I hire Kathy's brother Kevin, and so now I have Kevin Lopez which would also be klopez, so you have to have some kind of alternative backup to what happens when you have a duplicate, 'cause you're not allowed to have duplicate user account names on your network.
So here we'll see that we have email@example.com. The pre-Windows 2000 name is LANDONHOTEL\klopez. Okay, it's just a matter of how it's looked at by the system. I'm going to click on next, and then we get to the password screen. Now I'm going to go ahead and type in a password that I like to use here. And you have to type it in twice, make sure it matches. But then we have four options when it comes to the password. The default is that the user must change password at next logon. And that is a recommended way to go.
What this means is the password I've typed in might be something simple like temp123. And that won't necessarily work if you have certain password restriction policies that you have to be more complex, but the idea is that you're using a very basic password, you give it to the user, the user logs on using the password you assigned, and then they are prompted to change to a password that only they know. That is the recommended strategy. You could, however, click the second box that says, "user cannot change password," which means that you, the administrator, actually will be assigning passwords and have full control over the users' passwords.
This is not a good idea, but it is an option that's available. The third checkbox is password never expires. This is if you want to override any password policies that you have forcing an account to have to reset their password every X number of days. You typically do not want to do this on any of your strong security accounts, okay, even though it used to be a common thing that IT administrators because they knew about this, they would check the box so that they never had to reset their passwords, but that's the exact opposite of what you should do.
Administrators that have power should regularly be changing passwords so that you don't have a security vulnerability. Whereas if you have, let's say, like a kiosk account that has no privileges whatsoever, maybe you never have to change that password just for simplicity. And the last checkbox is that the account could be disabled. And that means that you're creating the account, it will be established in your Active Directory database, but the user account can't be used yet, it can't be logged in. This would be done if you were going to forecast a future hiring.
Maybe somebody's been hired but they haven't hit their start date yet. You want to create the account, get the work done, have it in Active Directory, only to then be enabled at a future date once the employee has been hired. So at this point we would make whatever selections are appropriate, and like I said, the default is the one it really should be. Okay, so I'm going to put it back to that. And I'll click next, and finish. And just like that, you can see that we now have a user account named Kathy Lopez. And that's all there is to creating a user account in Active Directory.
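The same account creation done from PowerShell, as an added example that is not part of the original video: it resolves a duplicate logon name before creating the user, forces a password change at first logon, and then lists enabled accounts that have "password never expires" set so they can be reviewed. The helper `Get-FreeLogonName` and its numeric-suffix rule (klopez, klopez2, ...) are assumptions made for illustration; the domain name and Users container are read from the directory rather than hard-coded.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to create users.
Import-Module ActiveDirectory

function Get-FreeLogonName {
    # Hypothetical helper: first initial + last name, with a numeric suffix on
    # collision (klopez, klopez2, klopez3, ...). The suffix rule is an assumed
    # convention; substitute your organization's own.
    param([string]$GivenName, [string]$Surname)
    # Keep only letters and digits so names like O'Brien cannot break the filter string.
    $base = (($GivenName.Substring(0, 1) + $Surname).ToLower()) -replace '[^a-z0-9]', ''
    $candidate = $base
    $n = 1
    # Get-ADUser -Filter returns nothing (no error) when no account matches.
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $n++
        $candidate = "$base$n"
    }
    return $candidate
}

$domain = Get-ADDomain
$sam    = Get-FreeLogonName -GivenName 'Kathy' -Surname 'Lopez'

# Prompt for the temporary password so it never appears in the script or history.
$tempPassword = Read-Host -AsSecureString "Temporary password for $sam"

# -ChangePasswordAtLogon $true matches the wizard's default checkbox.
# For a hire who has not started yet, use -Enabled $false and enable the account later.
New-ADUser -Name 'Kathy Lopez' -GivenName 'Kathy' -Surname 'Lopez' `
    -SamAccountName $sam `
    -UserPrincipalName "$sam@$($domain.DNSRoot)" `
    -Path $domain.UsersContainer `
    -AccountPassword $tempPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Review step: enabled accounts that override the password-expiry policy.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, CannotChangePassword |
    Sort-Object PasswordLastSet
```

If the temporary password does not satisfy the domain password policy, `New-ADUser` creates the account but leaves it disabled, so check the result with `Get-ADUser $sam` afterwards.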
- Installing domain controllers, including the AD DS role
- Managing AD DS with AD Administrative Center and the command line
- Transferring and seizing FSMO roles
- Adjusting permissions
- Creating users and groups
- Managing computer accounts
- Creating organizational units (OUs)