Introduction

User accounts are one of the most frequently used types of objects in Active Directory. Because Windows 2000 and Windows 2003 systems manage users through Active Directory, many key issues that system administrators have to deal with are covered in this chapter. In particular, Active Directory manages all the information regarding passwords, group membership, the disabling or expiration of accounts, and when users have logged in.

The Anatomy of a User

The default location for user objects in a domain is the cn=Users container directly off the domain root. You can, of course, create user objects in other containers and organizational units in a domain. Table 6-1 contains a list of some of the interesting attributes that are available on user objects. This is by no means a complete list. There are many other informational attributes that I haven't included.

Table 6-1. Attributes of user objects

Attribute            Description
-------------------  ------------------------------------------------------------
accountExpires       Large integer representing when the user's account is going to expire. See Recipe 6.25 for more information.
cn                   Relative distinguished name of user objects. This is commonly the username of the user.
displayName          Typically the full name of a user. This attribute is used in administrative tools to display a user's descriptive "name."
givenName            First name of the user.
homeDirectory        Local or UNC path of the user's home directory. See Recipe 6.29 for more information.
homeDrive            Defines the drive letter to map the user's home directory to. See Recipe 6.29 for more information.
lastLogon            Last logon timestamp, which is not replicated among domain controllers.
lastLogonTimestamp   Approximate last logon timestamp, which is replicated among domain controllers. This attribute is new in Windows Server 2003. See Recipe 6.27 for more information.
managedObjects       Multivalued linked attribute (with managedBy) that contains a list of DNs of objects the user manages.
lockoutTime          Large integer representation of the timestamp for when a user was locked out. See Recipe 6.9 for more information.
memberOf             List of DNs of the groups the user is a member of. See Recipe 6.14 for more information.
objectSID            Octet string representing the SID of the user.
primaryGroupID       ID of the primary group for the user. See Recipe 6.15 for more information.
profilePath          UNC path to the profile directory. See Recipe 6.29 for more information.
pwdLastSet           Large integer that can be translated into the last time the user's password was set. See Recipe 6.23 for more information.
sAMAccountName       NetBIOS-style name of the user.
sidHistory           Multivalued attribute that contains a list of SIDs that are associated with the user.
scriptPath           Path to the logon script. See Recipe 6.29 for more information.
sn                   Last name of the user.
tokenGroups          List of SIDs for the groups in the domain the user is a member of (both directly and via nesting).
unicodePwd           Octet string that contains the password for the user. This attribute cannot be directly queried.
userAccountControl   Account flags that define such things as account status and password change status.
userPrincipalName    Email-style account name for the user, which a user can use to log on to a computer.
userWorkstations     Multivalued list of computers a user can log on to.
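Several of the attributes in Table 6-1 are stored in forms that are not readable as returned by an LDAP query: accountExpires, pwdLastSet, lastLogon, lastLogonTimestamp and lockoutTime are 64-bit counts of 100-nanosecond intervals since 1601-01-01 (the Windows FILETIME format), objectSID is a binary octet string, and userAccountControl is a bit mask. The following Python example is added here and is not code from the book; it decodes those three forms and builds a short audit summary of a user. The user record and every value in it are constructed sample data, and the attribute dictionary is assumed to be shaped the way an LDAP client would return a user's attributes.

```python
"""Decode raw Active Directory user attributes (added example, not from the book).

Assumes a dict of attribute values as an LDAP client would return them for one
user object. All sample values below are constructed for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch used by accountExpires, pwdLastSet, lastLogon,
# lastLogonTimestamp and lockoutTime: 100-ns ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses 0 or the maximum positive 64-bit value to mean "never".
_NEVER = {0, 0x7FFFFFFFFFFFFFFF}

# Documented userAccountControl flag bits (subset of ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
}


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp to a UTC datetime; None for never/unset."""
    value = int(value)
    if value in _NEVER:
        return None
    # 10 ticks of 100 ns make one microsecond.
    return _EPOCH_1601 + timedelta(microseconds=value // 10)


def decode_uac(value):
    """Return the sorted names of the flags set in a userAccountControl value."""
    value = int(value)
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def sid_to_string(raw):
    """Convert a binary objectSid octet string to its S-1-5-... text form."""
    revision = raw[0]
    sub_count = raw[1]
    # The 48-bit identifier authority is stored big-endian; the
    # sub-authorities that follow are little-endian 32-bit integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def summarize_user(attrs):
    """Build a readable audit summary from raw user attributes."""
    flags = decode_uac(attrs["userAccountControl"])
    return {
        "sAMAccountName": attrs["sAMAccountName"],
        "sid": sid_to_string(attrs["objectSid"]),
        "disabled": "ACCOUNTDISABLE" in flags,
        "password_never_expires": "DONT_EXPIRE_PASSWORD" in flags,
        "locked_out": int(attrs.get("lockoutTime", 0)) != 0,
        "account_expires": filetime_to_datetime(attrs.get("accountExpires", 0)),
        "pwd_last_set": filetime_to_datetime(attrs["pwdLastSet"]),
        "flags": flags,
    }


# Constructed sample user: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (0x10200),
# password set 2020-01-01 UTC, account never expires, not locked out.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "userAccountControl": 0x10200,
    "pwdLastSet": 132223104000000000,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
    "lockoutTime": 0,
    # objectSid bytes for the constructed SID S-1-5-21-1004336348-1177238915-682003330-512
    "objectSid": struct.pack("<BB6s", 1, 5, b"\x00\x00\x00\x00\x00\x05")
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 512),
}

if __name__ == "__main__":
    for key, val in summarize_user(SAMPLE_USER).items():
        print("%-22s %s" % (key, val))
```

The summary makes the security-relevant state of an account visible at a glance: whether it is disabled or locked out, when the password was last set, and which userAccountControl flags are set. Run over a whole container, the same functions give a quick inventory of accounts whose flags (for example DONT_EXPIRE_PASSWORD or PASSWD_NOTREQD) deserve review.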
