Section 8.3: Creating User Accounts

You can use User Accounts in Control Panel to create local user accounts on a Windows 2000, Windows XP Professional or Windows Server 2003 computer. To create local user accounts, do the following:

• Click on the START button to display the Start Menu

• Open CONTROL PANEL

• Then open USER ACCOUNTS

• Click on the CREATE A NEW USER ACCOUNT link

• In the TYPE A NAME for the new user account text box, enter the new User Account Name

• Then click NEXT

• Set the appropriate Account Type

• Then click CREATE ACCOUNT

You can also use Computer Management to create local user accounts on a Windows XP Professional or Windows Server 2003 computer. To do so, do the following:

• Click on the START button

• Point to ALL PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Click on COMPUTER MANAGEMENT

• Expand the Local Users and Groups node

• Right-click the Users folder

• On the pop-up menu, click NEW USER

• Provide the User Name and a Password for the new user account

• Set the appropriate Account Setting

• Then click CREATE

When you copy an existing domain user account, the password settings, description, groups, profile, and dial-in information attributes are copied, but the password, full name, and username are not, because these attributes are unique to each user and must be configured for each individual account.

You can use this method to create a user account template: create a user account that is configured according to the requirements of your company. Then, when you need to create a new user account, right-click the template user account in Active Directory Users and Computers, select COPY, and then configure the password, full name, and username for the new user account.

8.3.4: Modifying User Accounts and Computer Accounts

As the nature of your network changes, you may need to modify user accounts and computer accounts. This may entail changing the account policies, or moving the accounts to another domain. You can use Active Directory Users and Computers in Administrative Tools to modify user accounts and computer accounts. To accomplish this, do the following:

• Click on the START button

• Point to ALL PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Open ACTIVE DIRECTORY USERS AND COMPUTERS

• Open the organizational container that contains the user account or computer account that you want to modify

• In the Details pane, right-click the user account or computer account that you want to modify

• On the pop-up menu, click PROPERTIES to display the Properties dialog box

• In the Properties dialog box, modify the properties of the account as required

Using the command line

You can also use the dsmod command-line utility to modify the properties of one or more existing user accounts or computer accounts in Active Directory. The dsmod command supports a number of parameters, which allow you to modify any of the properties associated with the user account or the computer account. The properties associated with user accounts correspond to the various tabs on the User Account Properties dialog box and are listed in Table 8.2. The properties associated with computer accounts correspond to the various tabs on the Computer Account Properties dialog box and are listed in Table 8.3.

The syntax for modifying a user account with the dsmod command-line utility is:

dsmod user <user_DN ...> [-upn <upn>] [-fn <first_name>] [-mi <initial>]
    [-ln <last_name>] [-display <display_name>] [-empid <employee_ID>]
    [-pwd {<password> | *}] [-desc <description>] [-office <office>]
    [-tel <phone_number>] [-email <e-mail_address>]
    [-hometel <home_phone_number>] [-pager <pager_number>]
    [-mobile <cell_phone_number>] [-fax <fax_number>]
    [-iptel <IP_phone_number>] [-webpg <web_page>] [-title <title>]
    [-dept <department>] [-company <company>] [-mgr <manager>]
    [-hmdir <home_directory>] [-hmdrv <drive_letter>:]
    [-profile <profile_path>] [-loscr <script_path>]
    [-mustchpwd {yes | no}] [-canchpwd {yes | no}]
    [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
    [-acctexpires <number_of_days>] [-disabled {yes | no}]
    [{-s <server> | -d <domain>}] [-u <user_name>]
    [-p {<password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

The syntax for modifying a computer account with the dsmod command-line utility is:

dsmod computer <computer_DN ...> [-desc <description>] [-loc <location>]
    [-disabled {yes | no}] [-reset] [{-s <server> | -d <domain>}]
    [-u <user_name>] [-p {<password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

The parameters for the dsmod command-line utility are discussed in Table 8.4.

Table 8.2: The User Account Properties

Tab Properties
General The name, description, display name, office location, telephone number, e-mail address, and web page of the user.
Address The street address, post office box, city, state/province, zip/postal code, and country of the user.
Account The logon name, account options, unlock account, and account expiration for the user account.
Profile The profile path and home folder for the user account.
Telephone The home telephone number, pager, mobile phone number, fax number, and Internet Protocol (IP) phone number of the user.
Organization The title of the user, department to which the user is attached, the manager, and direct reports for the user.
Member Of The groups to which the user belongs.
Dial-in The remote access permissions, callback options, and static IP address and routes for the user account.
Environment Specifies the starting applications and the client devices to connect to when the user account is used to logon to Terminal Services.
Sessions Terminal Services settings for the user account.
Remote control Terminal Services remote control settings for the user account.
Terminal Services Profile The Terminal Services profile path and the Terminal Services home folder for the user account.
COM+ The COM+ partition set to which the user has membership.

Table 8.3: The Computer Account Properties

Tab Properties
General The pre-Windows 2000 computer name, DNS name, role, and description of the computer.
Operating System The name, version, and service pack installed on the computer.
Member Of The groups to which the computer belongs.
Location The physical location of the computer.
Managed By The name, office, street address, city, state/province, country/region, telephone number and fax number of the administrator responsible for managing the computer.
Dial-in The remote access permissions, callback options, and static IP address and routes for the computer account.

Table 8.4: The Dsmod Command-line Parameters

Parameter Description
user <user_DN ...> Specifies the distinguished names (DNs) of one or more user accounts to modify.
computer <computer_DN ...> Specifies the distinguished names (DNs) of one or more computers to modify.
-upn <upn> Sets the user's User Principal Name to the value specified in <upn>.
-fn <first_name> Sets the user's first name to the value specified in <first_name>.
-mi <initial> Sets the user's initials to the value specified in <initial>.
-ln <last_name> Sets the user's surname to the value specified in <last_name>.
-display <display_name> Sets the user account's display name to the value specified in <display_name>.
-empid <employee_ID> Sets the user's Employee ID to the value specified in <employee_ID>.
-pwd {<password> | *} Resets the password for the user account to the value specified in <password>. If * is specified, the user must specify a password when he or she next logs on.
-desc <description> Sets the computer or user account description to <description>.
-office <office> Sets the user's office location to the value specified in <office>.
-tel <phone_number> Sets the user's telephone number to the value specified in <phone_number>.
-email <e-mail_address> Sets the user's e-mail address to the value specified in <e-mail_address>.
-hometel <home_phone_number> Sets the user's home telephone number to the value specified in <home_phone_number>.
-pager <pager_number> Sets the user's pager number to the value specified in <pager_number>.
-mobile <cell_phone_number> Sets the user's cell phone number to the value specified in <cell_phone_number>.
-fax <fax_number> Sets the user's fax number to the value specified in <fax_number>.
-iptel <IP_phone_number> Sets the user's IP phone number to the value specified in <IP_phone_number>.
-webpg <web_page> Sets the user's web page to the value specified in <web_page>.
-title <title> Sets the user's title to the value specified in <title>.
-dept <department> Sets the user's department to the value specified in <department>.
-company <company> Sets the user's company to the value specified in <company>.
-mgr <manager> Sets the user's manager to the value specified in <manager>.
-hmdir <home_directory> Sets the user's home directory to the value specified in <home_directory>.
-hmdrv <drive_letter>: Sets the user's home drive letter to the value specified in <drive_letter>:.
-profile <profile_path> Sets the user's profile path to the value specified in <profile_path>.
-loscr <script_path> Sets the user's logon script path to the value specified in <script_path>.
-mustchpwd {yes | no} If set to yes, specifies that the user must change his or her password at the next logon. If -mustchpwd is set to yes, then -canchpwd must also be set to yes.
-canchpwd {yes | no} If set to yes, specifies that the user can change his or her password. -canchpwd must also be set to yes if -mustchpwd is set to yes.
-reversiblepwd {yes | no} If set to yes, specifies that the user's password must be stored using reversible encryption.
-pwdneverexpires {yes | no} If set to yes, specifies that the user's password never expires.
-acctexpires <number_of_days> Sets the user account to expire in the specified <number_of_days>. If <number_of_days> is 0, the account expires at the end of the day; if <number_of_days> is a positive integer, the account expires after <number_of_days> days; if <number_of_days> is a negative integer, the account expires in the past; and if <number_of_days> is "never", the account never expires.
-disabled {yes | no} Sets the computer account or user account to disabled if the yes switch is specified or enabled if the no switch is specified.
-s <server> | -d <domain> -s <server> connects to the domain controller with the specified <server> name, while -d <domain> connects to a domain controller in the specified <domain>.
-u <user_name> Specifies the user account to use when connecting.
-p {<password> | *} -p <password> specifies the password to use with the user account when connecting, while -p * specifies that the command prompts the user for a password when connecting.
-c Sets the command to run in continuous mode. In this mode, the command reports errors but continues with the next computer or user account in the argument list when multiple computer objects are specified in <computer_DN ...> or <user_DN ...>.
-q Sets the command to run in quiet mode. In this mode, all command output to the standard output is suppressed.
-uc Specifies that the input from or output to pipe is formatted in Unicode.
-uco Specifies that the output to pipe or file is formatted in Unicode.
-uci Specifies that the input from pipe or file is formatted in Unicode.
-loc <location> Used with dsmod computer only to set the computer location to <location>.
-reset Used with dsmod computer only to reset the computer account.
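
The following is an added example, not part of the original guide: a small Python check that parses a dsmod user command line (for instance, one found in an administration script) and reports the security-relevant switches from Table 8.4, including the -mustchpwd/-canchpwd rule and passwords typed literally after -pwd or -p. The function names, finding labels, DN and password in the sample are constructed for illustration.

```python
import shlex

FLAGS = {"-c", "-q", "-uc", "-uco", "-uci"}  # switches that take no value (Table 8.4)

def parse_dsmod_user(cmdline):
    """Return (list_of_DNs, {switch: value}) for a 'dsmod user' command line."""
    # posix=False keeps backslashes in UNC paths intact; quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if [t.lower() for t in tokens[:2]] != ["dsmod", "user"]:
        raise ValueError("not a 'dsmod user' command")
    i, dns, opts = 2, [], {}
    while i < len(tokens) and not tokens[i].startswith("-"):
        dns.append(tokens[i])          # one or more <user_DN> arguments
        i += 1
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in FLAGS:
            opts[switch] = "yes"
            i += 1
        elif i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"{switch} is missing its value")
    return dns, opts

def audit(cmdline):
    """Return finding names for the security-relevant switches in the command."""
    _, opts = parse_dsmod_user(cmdline)
    is_yes = lambda sw: opts.get(sw, "").lower() == "yes"
    findings = []
    if is_yes("-reversiblepwd"):
        findings.append("reversible-password-storage")
    if is_yes("-pwdneverexpires"):
        findings.append("password-never-expires")
    if is_yes("-mustchpwd") and not is_yes("-canchpwd"):
        findings.append("mustchpwd-without-canchpwd")  # rule stated in Table 8.4
    for sw in ("-pwd", "-p"):          # a literal secret typed on the command line
        if sw in opts and opts[sw] != "*":
            findings.append(f"plaintext{sw}-on-command-line")
    return findings

# Constructed sample input (placeholder DN, server and password, not from the guide).
SAMPLE = ('dsmod user "CN=Jane Doe,OU=Staff,DC=example,DC=com" -pwd Welc0me! '
          '-mustchpwd yes -reversiblepwd yes -hmdir \\\\fs01\\home\\jdoe -u admin -p *')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A password written after -pwd or -p is visible to anyone who can read the script or the process command line, which is why the check treats only * as acceptable there.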