Creating and managing user accounts
Each user object in AD DS has more than a few attributes that can be configured. We can't cover all user object attributes here, but the most important attributes related to identity will be covered in this section.
All user accounts can be created using a few different GUI or command-line tools. For administrators who like to use GUI tools, there are two different MMC Snap-ins: Active Directory Administrative Center and Active Directory Users and Computers.
The Active Directory Administrative Center is important for this certification. It has a lot of improvements compared to Active Directory Users and Computers, and exam questions are focused on this MMC Snap-in.
For command-line-oriented administrators, the PowerShell and Dsadd command-line tools are valuable options.
To prepare for the exam, your focus needs to be on PowerShell, but some questions might be related to the Dsadd command-line tool. All examples in this section will present PowerShell commands.
Creating a user using GUI tools is a straightforward process, but it's different depending on which MMC Snap-in you decide to use. With Active Directory Users and Computers, creating a user requires only the most important attributes that need to be configured:
- First name
- Last name
- User login name
- Password
With this information in the user account, the user will be able to log in to the domain-joined machine. All other attributes, such as group membership, company name, and phone number, must be configured later if you use Active Directory Users and Computers. However, if you decide to use the Active Directory Administrative Center for user creation, the process will be a little bit different. You need to add all the attributes that were necessary when using Active Directory Users and Computers, but all other attributes can be added at the same time during the creation process.
The creation process using PowerShell can include several commands in a row. Depending on which switches are used in the PowerShell cmdlet, different attributes can be included. The following example shows you the command for user creation using PowerShell with the same parameters used in previous examples for GUI MMC Snap-ins:
New-ADUser -GivenName Vladimir -Surname Stefanovic -Name "Vladimir Stefanovic" -UserPrincipalName vladimir.stefanovic@mcsacertguide.local -SamAccountName vladimir.stefanovic -AccountPassword (Read-Host -AsSecureString "Enter password") -Enabled $true
Once a user account is created with PowerShell, it will not be enabled unless you include the -Enabled $true switch. If you forget to add that switch to the command, you can enable the account later using the PowerShell Enable-ADAccount cmdlet.
If, for any reason, you want to copy a user account, only Active Directory Users and Computers can offer this; the Active Directory Administrative Center doesn't have this option. With PowerShell, you can do this by creating scripts or creating a user from a template:
Only the most commonly used attributes are copied to the new user account:
- Group memberships
- Home directories
- Profile settings
- Logon scripts
- Logon hours
- Password settings
- Department name
- Manager
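The following script is an added example, not part of the original text, of creating a user from a template with PowerShell. It assumes the ActiveDirectory module, the domain and OU path used elsewhere in this section, and a template account named template.user, which is a constructed name. The -Instance parameter copies the writable attributes carried by the template object; identity attributes (name, login names, password) must always be supplied fresh, and group membership is a back-link that -Instance does not copy, so it is added separately.

```powershell
# Added example (not from the original text): create a user from a template account.
# Assumptions: ActiveDirectory module present, domain mcsacertguide.local,
# template account 'template.user' (constructed name for this example).
Import-Module ActiveDirectory

$templateSam = 'template.user'
$newSam      = 'vladimir.stefanovic'

# Read only the writable attributes we want carried over; -Instance copies
# whatever properties the object holds, so keep the list deliberate.
$template = Get-ADUser -Identity $templateSam -Properties `
    Department, Manager, Company, HomeDrive, HomeDirectory, ProfilePath, ScriptPath, LogonHours

# Identity attributes are never taken from the template. Paths that embed the
# user name (home directory, profile) are copied verbatim, so override them here.
New-ADUser -Instance $template `
    -Name 'Vladimir Stefanovic' `
    -GivenName 'Vladimir' -Surname 'Stefanovic' `
    -SamAccountName $newSam `
    -UserPrincipalName "$newSam@mcsacertguide.local" `
    -Path 'OU=Users,OU=Packt,DC=mcsacertguide,DC=local' `
    -HomeDirectory "\\fileserver\home\$newSam" `
    -AccountPassword (Read-Host -AsSecureString 'Enter password') `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Group membership is not part of the object instance; copy it explicitly.
# The primary group (Domain Users by default) is skipped because the new user
# already belongs to it through its primary group ID.
$groups = Get-ADPrincipalGroupMembership -Identity $templateSam |
    Where-Object { $_.SamAccountName -ne 'Domain Users' }

foreach ($group in $groups) {
    Add-ADGroupMember -Identity $group -Members $newSam
}

# Show what the new account ended up with.
Get-ADUser -Identity $newSam -Properties Department, Manager, MemberOf |
    Select-Object SamAccountName, Department, Manager, MemberOf
```

Forcing a password change at first logon (-ChangePasswordAtLogon) keeps the password typed by the administrator from becoming the user's long-term credential; review the copied group list before running this against a template that carries privileged memberships.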
Once you create a user account using any of the provided methods, the account will be fully operational and the user will be able to log on with it. If you want to change some of the attributes, which is one of the most common tasks for user accounts, this can also be done using the same MMC Snap-ins or PowerShell. If you want to use the GUI MMC Snap-in, you just need to go to the properties for the selected account and change the value of the specific attributes. The Set-ADUser PowerShell cmdlet needs to be used if you want to change the attributes, and you can add more than one switch in a PowerShell command:
Set-ADUser -Identity vladimir.stefanovic -Company "Packt" -Department "IT"
Deleting a user account can also be done using management tools, MMC Snap-ins, or PowerShell. In both MMC Snap-ins, you just need to right-click on the user account and select Delete. PowerShell for AD DS has the Remove-ADUser cmdlet. The following command will delete the user account without any additional questions:
Remove-ADUser -Identity vladimir.stefanovic -Confirm:$false
If you don't use -Confirm:$False, you'll be asked to confirm the deletion of the user account.
By default, the user account isn't protected from accidental deletion. That attribute is unchecked by design, and if you want to enable it, you need to make some changes to the user account. Protecting the user account from accidental deletion is very important, because a deleted account prevents the user from logging on to the system and accessing corporate resources. The easiest way to do this using a GUI MMC Snap-in is to use the Active Directory Administrative Center. You just need to check the Protect from accidental deletion checkbox. Using this MMC Snap-in, you can configure this protection during the creation of your user account:
If you want to use the MMC Snap-in Active Directory Users and Computers, you need to edit the properties of the user account on the Object Tab, and check the Protect object from accidental deletion checkbox:
The PowerShell cmdlet for this task is Set-ADObject. This needs to be started once the user account is created:
Set-ADObject -Identity:"CN=Vladimir Stefanovic,OU=Users,OU=Packt,DC=mcsacertguide,DC=local" -ProtectedFromAccidentalDeletion:$true
In this cmdlet, the parameter for the -Identity switch is the object's Distinguished Name.
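The following script is an added example, not part of the original text, that turns the accidental-deletion setting into a routine check rather than a one-off command: it lists every user in an OU that lacks the protection, enables it in bulk, and then shows how a protected account resists Remove-ADUser. It assumes the ActiveDirectory module and the OU path used in this section; the -WhatIf switch on the first run is a safety habit, not a requirement.

```powershell
# Added example (not from the original text): audit and enforce
# ProtectedFromAccidentalDeletion on all user accounts in an OU.
# Assumptions: ActiveDirectory module present, OU path from this section.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Packt,DC=mcsacertguide,DC=local'

# Step 1: find unprotected users. ProtectedFromAccidentalDeletion is an
# extended property, so it must be requested explicitly with -Properties.
$unprotected = Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

"{0} unprotected user account(s) under {1}:" -f $unprotected.Count, $searchBase
$unprotected | Select-Object SamAccountName, DistinguishedName

# Step 2: enable the protection for all of them. Set-ADObject accepts the
# user objects from the pipeline, so no Distinguished Name has to be typed.
# Run with -WhatIf first to preview, then without it to apply.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true

# Step 3: verify, and demonstrate what the flag does. Under the hood the
# setting is a Deny "Delete" and "Delete subtree" ACE for Everyone, so a
# plain Remove-ADUser fails with an access-denied error until it is cleared.
$user = Get-ADUser -Identity 'vladimir.stefanovic' -Properties ProtectedFromAccidentalDeletion
"Protected: {0}" -f $user.ProtectedFromAccidentalDeletion

try {
    Remove-ADUser -Identity $user -Confirm:$false -ErrorAction Stop
    'Unexpected: account was deleted.'
}
catch {
    "Deletion blocked as expected: {0}" -f $_.Exception.Message
}

# Deliberate removal therefore takes two explicit steps, which is the point:
# Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $false
# Remove-ADUser -Identity $user -Confirm:$false
```

Because the protection is only a deny ACE, an administrator who genuinely intends to remove an account must first clear the flag; scheduling the audit in step 1 catches accounts created by tools or scripts that never set it.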