70-240 in 15 minutes a week: AD User and Group Administration

by Dan DiNicolo

Welcome to article number 15 in my 70-240 in 15 minutes a week series. This week's article covers Active Directory User and Group Administration, as well as publishing resources in Active Directory. This includes a look at user logon names, bulk account processing utilities, account maintenance, group types and strategies, and publishing printers and folders to the directory. Again, this topic falls into the Active Directory portion of the 70-240 exam. I anticipate another 3 to 4 articles relating to Active Directory, before moving into articles relating to the final major area, networking services.

The material covered in this article includes:

- Introduction to user accounts and logon names
- Creating and managing user accounts
- Active Directory group concepts
- Active Directory group strategies
- Publishing resources in Active Directory

Introduction to User Accounts and Logon Names

Since the basics of this topic have already been covered in previous articles, I will keep this part short. Just as a review, remember that 3 main types of user accounts exist in a Windows 2000 Active Directory environment:

Local User Accounts: These accounts exist in the local Security Accounts Manager (SAM) database on each Windows 2000 system (with the exception of domain controllers). These accounts are created using the Local Users and Groups tool in Computer Management. Note that in order to log on with a local account, the account must exist in the SAM database of the system you are logging in from. This makes local accounts impractical for large environments, due to the administrative overhead involved. 

Domain User Accounts: These accounts are stored in Active Directory, and can be used to log on to systems and access resources throughout an AD forest. Accounts are configured centrally using Active Directory Users and Computers. 

Built-in Accounts: These accounts are created by the system and cannot be deleted. By default, both standalone systems and domains will have two accounts, Administrator and Guest. The guest account will be disabled by default.

Since this portion of the series covers Active Directory, we will concentrate on domain user accounts. These accounts are stored on domain controllers, which carry a copy of the Active Directory database. You will need to be familiar with the different formats in which user logon names exist, because there are differences to allow for backwards compatibility with 'downlevel' clients (such as Windows 95, 98, NT). The two main types of names are the User Principal Name (referred to as the user logon name in the interface) and user logon name (pre-Windows 2000). Both are seen in the screen shot below:
Welcome to Article 15 in Dan DiNicolo's 70-240 in 15 minutes a week series. This week's article covers Active Directory User and Group Administration, as well as publishing resources in Active Directory. This includes a look at user logon names, bulk account processing utilities, account maintenance, group types and strategies, and publishing printers and folders to the directory.

A User Principal Name (UPN) is formatted much like an email address. It lists a logon name followed by the '@' sign and domain name. By default, the domain name of the root domain will appear selected in the dropdown box, regardless of the domain in which the account is being created (the drop down list with also contain the domain name of the domain in which you are creating the account). It is also possible to create additional domain suffixes that can appear in the dropdown box and be used in the UPN if you so choose (this is done using Active Directory Domains and Trusts). The only requirement is that all UPNs in the forest be unique. When a user logs on to a Windows 2000 system using a UPN, they need only specify the UPN and the password - there is no longer a need to input or remember the domain name. Another benefit would be having UPNs map to user email addresses, again simplifying the amount of information users need to remember.

The User logon name (pre-Windows 2000) is provided for backwards compatibility with Microsoft systems not running Windows 2000. These systems still rely on traditional Netbios-based authentication, where a username, password, and domain name (in Netbios format) need to be provided. These downlevel logon user names must be unique within a domain. Note that the username portion of both the downlevel logon name and UPN need not be identical.

Creating User Accounts

Creating user accounts in Active Directory is simply enough, seeing as a wizard walks you through the process. Simply right-click in Active Directory User and Computers, choose New - User, and you're off to the races. The wizard only sets up basic account properties, such as names, logon names, passwords, and so forth. To get at the majority of the settings (such as group membership, home directory info, etc), you must access the properties of the user after creating it. In smaller environments, creating all user accounts one at a time may be reasonable. In larger environments, you might create a template account, and then copy that account (and common settings) in order to more quickly create new accounts. However, you should also be aware that Windows 2000 includes 2 utilities that exist for the purpose of bulk-import of user accounts and associated properties: 

Csvde: This tool does bulk import to AD of comma-separated source files. Note that Csvde can only be used to import accounts - it cannot be used to delete or change information. The file used in a simply text file, with values separated by commas. The first line of the file defines the structure. For example, if I wanted to create a .csv text file to be imported that would import 2 user accounts, it might look like the one below:

dn, displayname, objectClass, sAMAccountName, userPrincipalName, telephoneNumber
"cn=dan dinicolo, cn=users, dc=win2000trainer, dc=com", Dan DiNicolo, user, dinicolo, dinicolo@win2000trainer.com, 416-555-5555
"cn=john doe, cn=users, dc=win2000trainer, dc=com", John Doe, user, doe, doe@win2000trainer.com, 416-555-5556

Note that basically any user settings can be imported, as long as the file is structured correctly and the attribute names are properly defined. For a list of available attributes, click here. http://support.microsoft.com/support/kb/articles/q257/2/18.asp

Ldifde: this tool does bulk-import to AD using LDIF, the LDAP Interchange Format. It can be used to add, delete, or modify objects in Active Directory. LDIF files use a line-separated format, meaning that each attribute has its own line, and records are separated by a blank line. For example, if I wanted to create the users from the previous example using ldifde, I would create a text file with the entries shown below:

Dn: cn= dan dinicolo, cn=users, dc=win2000trainer, dc=com
DisplayName: Dan DiNicolo
ObjectClass: user 
SAMAccountName: dinicolo
UserPrincipalName: dinicolo@win2000trainer.com
TelephoneNumber: 416-555-5555

Dn: cn= john doe, cn=users, dc=win2000trainer, dc=com
DisplayName: John Doe
ObjectClass: user 
SAMAccountName: doe
UserPrincipalName: doe@win2000trainer.com
TelephoneNumber: 416-555-5556

Note that all accounts created with these utilities are disabled by default, and that you cannot include passwords in the bulk-import process (they are left blank be default). For a more detailed overview of csvde and ldifde, click here 

This article was originally published on Jun 5, 2001
Page 1 of 3

Thanks for your registration, follow us on our social networks to keep up-to-date