Windows Server 2012 R2 User Account Management

User Account Management

What is a User Account?

A user account is an object in AD DS that controls authentication and validates access to resources. It contains many attributes about a particular user on your network.

Traditional Active Directory Management Tools

 At this stage, it is important to get familiar with some of the management tools an administrator is likely to come across in the execution of their daily tasks.

Active Directory Users and Computers – This tool is typically used daily to manage Active Directory objects such as users, groups, computers and OUs. Users with expired passwords or locked accounts are common in network setups, and this tool will help you reset their accounts and get them back up and running.

Active Directory Sites and Services – This tool is used to manage sites, network topology, replication and related services.

Active Directory Domains and Trusts – Useful tool for managing trust relationships and forest functional level.

Active Directory Schema – This tool is used to manage the schema and is not installed by default.

Command Line Tools – A collection of tools used for basic scripting and command line management. 

New Active Directory Management Tools

The arrival of Windows Server 2012 R2 saw some additional tools added by Microsoft to further extend the functionality and management of the operating system.

Active Directory Administrative Centre – A GUI built on Windows PowerShell with an enhanced interface to perform object management using task-oriented navigation.

Windows PowerShell – A command line application, like CMD, that is used to create and manage objects and provides scripting capabilities.

Creating User Accounts

Before we begin to create users on our server, some steps are required because the tools are not readily in view by default. Click Start to open the menu and right-click Active Directory Users and Computers. This will become your most frequently used tool, so it is advisable to pin it to your taskbar. Options appear along the bottom of the menu, where you can choose to pin the tool for easy access.

                               Active Directory Users and Computers 

Launching the tool we just pinned above will open a very important administrative section of our Windows Server 2012 operating system.

Here, you will see the domain you created along with a few default containers such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Managed Service Accounts and Users, which are vital to administering resources on your server.

Right-clicking the Users container on the left opens a menu from which you can select New > User to display the new user object screen. As we explore servers further, you will see that you can also copy an existing user account so that the new account inherits its permissions, such as access to certain security groups.

Click Next to choose a secure password for the user, and notice the tick options: ‘User must change password on next logon’, ‘User cannot change password’, ‘Password never expires’ and ‘Account disabled’.
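The same account can be created from Windows PowerShell. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory module is installed, and the domain corp.example, the user details and the function name New-TutorialUser are hypothetical placeholders.

```powershell
# Added example: create a user the way the New > User wizard does.
# Hypothetical: function name, domain corp.example, and the sample user below.
Import-Module ActiveDirectory

function New-TutorialUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $UpnSuffix = 'corp.example',                # placeholder domain
        [string] $Path      = 'CN=Users,DC=corp,DC=example'  # default Users container
    )

    # Prompt for the password so it never appears in the script or command history.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"

    $params = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "${SamAccountName}@${UpnSuffix}"
        Path                  = $Path
        AccountPassword       = $password
        ChangePasswordAtLogon = $true    # 'User must change password on next logon'
        CannotChangePassword  = $false   # 'User cannot change password'
        PasswordNeverExpires  = $false   # 'Password never expires'
        Enabled               = $true    # opposite of 'Account disabled'
        PassThru              = $true    # return the new user object
    }
    # ChangePasswordAtLogon cannot be $true together with PasswordNeverExpires.
    New-ADUser @params
}

# Usage (sample values):
# New-TutorialUser -GivenName Jane -Surname Doe -SamAccountName jdoe
```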

                                      User Account Object Overview 

Now that we have a new user created, let’s take a closer look at the user object itself to get familiar with some of the properties. Right Click the user we just created, and select Properties as shown below. 

1. General Tab: More information about the new user such as first and last name, contact details and email address created on your Exchange server can be found here. 

2. Address Tab: Further information about the new user such as street number, post code and country can be populated in this tab. Third party applications like Exclaimer could leverage this for managing company signatures, something we shall learn about in advanced future lessons.

3. Member Of Tab: This tab reveals vital information about the security groups the user belongs to. Notice you have the ability to add and remove groups specific to each user, to control the resources they have access to in your server environment. 

4. Organization Tab: You can further define your new user in this tab with job title, department and company they work for. Click Apply for any changes made to take effect.

5. Account Tab: Administrators will find themselves in this tab a lot. Here user accounts can be unlocked, password policy changes made and account expiry dates set. The user's logon name and domain, useful when a client forgets their credentials, are also shown in this tab.

6. Logon Hours: Administrators may sometimes wish to set up a time frame during the week when users can access the server. In the Account tab, click Logon Hours to display the days and times when a user can be permitted or denied logon for security reasons.

7. Logon To: Another important and useful security feature is the ability to lock down the workstations from which a user is allowed to access the server. Click Logon To in the Account tab to add or remove the computers designated for a particular user to log on. A user trying to access resources from an unassigned workstation will have authentication denied.
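The Logon To and account expiry settings from the Account tab can also be set and then reviewed from PowerShell. This is an added example, not part of the original tutorial; the function names, the user jdoe and the workstation names are hypothetical.

```powershell
# Added example: apply the 'Logon To' and expiry restrictions, then review them.
# Hypothetical: function names, user 'jdoe', workstations 'WS-FIN-01'/'WS-FIN-02'.
Import-Module ActiveDirectory

function Set-TutorialLogonRestriction {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Workstations,
        [datetime] $Expires
    )
    # 'Logon To': LogonWorkstations takes one comma-separated string of computer names.
    Set-ADUser -Identity $Identity -LogonWorkstations ($Workstations -join ',')

    # Account expiry date, only when one was supplied.
    if ($PSBoundParameters.ContainsKey('Expires')) {
        Set-ADAccountExpiration -Identity $Identity -DateTime $Expires
    }
}

function Get-TutorialAccountReview {
    param([Parameter(Mandatory)] [string] $Identity)

    $props = 'LogonWorkstations', 'AccountExpirationDate', 'LockedOut',
             'PasswordNeverExpires', 'PasswordLastSet'
    $u = Get-ADUser -Identity $Identity -Properties $props

    # One row per account with the settings an administrator checks on the
    # Account and Member Of tabs.
    [pscustomobject]@{
        User                 = $u.SamAccountName
        Enabled              = $u.Enabled
        LockedOut            = $u.LockedOut
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        AccountExpires       = $u.AccountExpirationDate
        LogonTo              = $u.LogonWorkstations
        Groups               = (Get-ADPrincipalGroupMembership -Identity $Identity).Name -join '; '
    }
}

# Usage (sample values):
# Set-TutorialLogonRestriction -Identity jdoe -Workstations 'WS-FIN-01','WS-FIN-02' -Expires '2025-12-31'
# Get-TutorialAccountReview -Identity jdoe
```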

                                User Account Administrative Tasks
Server administrators in active environments will frequently get user related queries when there is a problem accessing an account. Below, we’ll discuss some of the commonly known requests and how to administer those tasks. 


1. Copying An Existing User: This feature comes in handy when you have a new employee starting at a department with existing users and resource permissions already assigned. Right Click the user and select Copy from the menu to display the user object as below.

Populate the fields with your new user credentials including a strong password. Note that all policies from the existing user will be inherited by the new user. 

Double check the summary to ensure the existing user has been copied and click Finish.

You can confirm the new account has been created when you check the Member Of properties.

2. Resetting User Account Password: This task will most likely be the most requested task from users to their administrators. Passwords may be set to expire after a period of time or users may no longer be able to access their emails with the passwords they already have. In Active Directory services, locate the user and Right Click on their object > Select Reset Password > Type in new password > Apply. 

3. Disabling An Active User Account: In the event an employee leaves the company, administrators usually get a request from managers to delete the user account. 

Bearing in mind that every Active Directory object carries a unique identifier, it is best practice to disable the account, preventing the user from ever logging on, until you are 100% sure that the user's email account, for example, will no longer be needed.

Right-click the user in question and select Disable Account. You will be prompted to confirm that you want to disable the account before the action proceeds. Notice that a disabled object is marked with a downward arrow.

You can always re-enable the account by right-clicking it and selecting Enable Account.
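The three tasks above can be scripted as follows. This is an added example, not part of the original tutorial; all function names and account names are hypothetical, and the copy function carries over only the Organization fields and the group memberships of the template user.

```powershell
# Added example: copy, reset and disable tasks as PowerShell functions.
# All function names and account names are hypothetical.
Import-Module ActiveDirectory

function Copy-TutorialUser {
    param(
        [Parameter(Mandatory)] [string] $TemplateUser,
        [Parameter(Mandatory)] [string] $NewSam,
        [Parameter(Mandatory)] [string] $NewName
    )
    $src = Get-ADUser -Identity $TemplateUser -Properties Department, Title, Company, MemberOf
    $new = @{
        Name                  = $NewName
        SamAccountName        = $NewSam
        # Same OU/container as the template: drop the first RDN of its DN.
        Path                  = $src.DistinguishedName -replace '^.+?(?<!\\),', ''
        AccountPassword       = Read-Host -AsSecureString -Prompt "Initial password for $NewSam"
        ChangePasswordAtLogon = $true
        Enabled               = $true
        PassThru              = $true
    }
    foreach ($attr in 'Department', 'Title', 'Company') {
        if ($src.$attr) { $new[$attr] = $src.$attr }   # copy only populated fields
    }
    $user = New-ADUser @new
    # Group membership is what grants access, so copy it explicitly and return
    # the list for review rather than cloning it silently.
    foreach ($groupDn in $src.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    $src.MemberOf
}

function Reset-TutorialPassword {
    param([Parameter(Mandatory)] [string] $Identity)
    $pass = Read-Host -AsSecureString -Prompt "New password for $Identity"
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $pass
    Unlock-ADAccount -Identity $Identity                         # clear any lockout
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true  # user sets their own next
}

function Disable-TutorialUser {
    param([Parameter(Mandatory)] [string] $Identity)
    Disable-ADAccount -Identity $Identity
    # The object and its SID are kept, so Enable-ADAccount restores it unchanged.
    Get-ADUser -Identity $Identity | Select-Object SamAccountName, Enabled, SID
}
```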

                                                 Next Steps

Congratulations for making it this far in the course, hopefully your understanding of managing user accounts on your server has become clearer after practicing these tutorials.

Join us again as we dive deeper into Windows Server 2012 R2 configuration for our next topic in Computer Account Management. Thanks for investing your time with us.


Written   Twitter: @ixploitsecurity   Facebook:

                  Credits to all organisations and development teams at Microsoft Corporation 

