1. Home
  2. Server Administration
  3. Active Directory. Windows server 2003 Windows 2000

Introduction

User accounts are one of the most frequently used types of objects in Active Directory. Because Windows 2000 and Windows 2003 systems manage users through Active Directory, many key issues that system administrators have to deal with are covered in this chapter. In particular, Active Directory manages all the information regarding passwords, group membership, the disabling or expiration of accounts, and when users have logged in.

The Anatomy of a User

The default location for user objects in a domain is the cn=Users container directly off the domain root. You can, of course, create user objects in other containers and organizational units in a domain. Table 6-1 contains a list of some of the interesting attributes that are available on user objects. This is by no means a complete list. There are many other informational attributes that I haven't included.

Table 6-1. Attributes of user objects

Attribute

Description

accountExpires

Large integer representing when the user's account is going to expire. See Recipe 6.25 for more information.

cn

Relative distinguished name of user objects. This is commonly the username of the user.

displayName

Typically the full name of a user. This attribute is used in administrative tools to display a user's descriptive "name."

givenName

First name of the user.

homeDirectory

Local or UNC path of user's home directory. See Recipe 6.29 for more information.

homeDrive

Defines the drive letter to map the user's home directory to. See Recipe 6.29 for more information.

lastLogon

Last logon timestamp, which is not replicated among domain controllers.

lastLogonTimestamp

Approximate last logon timestamp, which is replicated among domain controllers. This attribute is new in Windows Server 2003. See Recipe 6.27 for more information.

managedObjects

Multivalued linked attribute (with managedBy) that contains a list of DNs of objects the user manages.

lockoutTime

Large integer representation of the timestamp for when a user was locked out. See Recipe 6.9 for more information.

memberOf

List of DNs of the groups the user is a member of. See Recipe 6.14 for more information.

objectSID

Octet string representing the SID of the user.

primaryGroupID

ID of the primary group for the user. See Recipe 6.15 for more information.

profilePath

UNC path to profile directory. See Recipe 6.29 for more information.

pwdLastSet

Large integer that can be translated into the last time the user's password was set. See Recipe 6.23 for more information.

sAMAccountName

NetBIOS style name of the user.

sidHistory

Multivalued attribute that contains a list of SIDs that is associated with the user.

scriptPath

Path to logon script. See Recipe 6.29 for more information.

sn

Last name of user.

tokenGroups

List of SIDs for the groups in the domain the user is a member of (both directly and via nesting).

unicodePwd

Octet string that contains the password for the user. This attribute cannot be directly queried.

userAccountControl

Account flags that define such things as account status and password change status.

userPrincipalName

Email-style account name for user, which a user can use to logon to a computer.

userWorkstations

Multivalued list of computers a user can logon to.



    		Chapter 1. Getting Started
    		Chapter 2. Forests, Domains, and Trusts
    		Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    		Chapter 4. Searching and Manipulating Objects
    		Chapter 5. Organizational Units
    		Chapter 6. Users
    		Introduction
    		Recipe 6.1 Creating a User
    		Recipe 6.2 Creating a Large Number of Users
    		Recipe 6.3 Creating an inetOrgPerson User
    		Recipe 6.4 Modifying an Attribute for Several Users at Once
    		Recipe 6.5 Moving a User
    		Recipe 6.6 Renaming a User
    		Recipe 6.7 Copying a User
    		Recipe 6.8 Unlocking a User
    		Recipe 6.9 Finding Locked Out Users
    		Recipe 6.10 Troubleshooting Account Lockout Problems
    		Recipe 6.11 Viewing the Account Lockout and Password Policies
    		Recipe 6.12 Enabling and Disabling a User
    		Recipe 6.13 Finding Disabled Users
    		Recipe 6.14 Viewing a User's Group Membership
    		Recipe 6.15 Changing a User's Primary Group
    		Recipe 6.16 Transferring a User's Group Membership to Another User
    		Recipe 6.17 Setting a User's Password
    		Recipe 6.18 Setting a User's Password via LDAP
    		Recipe 6.19 Setting a User's Password via Kerberos
    		Recipe 6.20 Preventing a User from Changing His Password
    		Recipe 6.21 Requiring a User to Change Her Password at Next Logon
    		Recipe 6.22 Preventing a User's Password from Expiring
    		Recipe 6.23 Finding Users Whose Passwords Are About to Expire
    		Recipe 6.24 Setting a User's Account Options (userAccountControl)
    		Recipe 6.25 Setting a User's Account to Expire in the Future
    		Recipe 6.26 Finding Users Whose AccountsAre About to Expire
    		Recipe 6.27 Determining a User's Last Logon Time
    		Recipe 6.28 Finding Users Who Have Not Logged On Recently
    		Recipe 6.29 Setting a User's Profile Attributes
    		Recipe 6.30 Viewing a User's Managed Objects
    		Recipe 6.31 Modifying the Default Display Name Used When Creating Users in ADUC
    		Recipe 6.32 Creating a UPN Suffix for a Forest
    		Chapter 7. Groups
    		Chapter 8. Computers
    		Chapter 9. Group Policy Objects (GPOs)
    		Chapter 10. Schema
    		Chapter 11. Site Topology
    		Chapter 12. Replication
    		Chapter 13. Domain Name System (DNS)
    		Chapter 14. Security and Authentication
    		Chapter 15. Logging, Monitoring, and Quotas
    		Chapter 16. Backup, Recovery, DIT Maintenance, and Deleted Objects
    		Chapter 17. Application Partitions
    		Chapter 18. Interoperability and Integration
    		Appendix A. Tool List