Administering User Accounts

The primary purpose of user objects in Active Directory is to support authentication of a User or a service. Accounts are created, administered, and, eventually, deleted.

The most common administrative tasks related to user accounts are resetting a password, unlocking an account, disabling, enabling, deleting, moving, and renaming user objects.

In the following sections we will examine each of these tasks and how they can be performed using the Windows interface, Windows PowerShell, VBScript, or the command prompt. Each of these tasks requires you to have appropriate permissions to the user objects.



Resetting a User’s Password
If a user forgets his or her password, the logon attempt fails with an error message, and the user cannot log on again until you reset the password. You do not need to know the user's old password to do so. Simply right-click the user's object in Active Directory and choose Reset Password. The Reset Password dialog appears. Enter the new password in both the New Password and Confirm Password boxes. It is a best practice to select the User Must Change Password At Next Logon option so that the temporary password you set is valid for a single logon and the user's permanent password is known only to the user.

You can also use a DS command to reset a user's password and, optionally, to force the user to change that password at the next logon. Type the following command:
dsmod user UserDN -pwd NewPassword -mustchpwd yes
If you supply an asterisk (*) in place of NewPassword, Dsmod prompts for the password instead, so that it does not appear on the command line or in the shell history.
Using Windows PowerShell, type the following commands:
$objUser=[ADSI]"LDAP://UserDN"
$objUser.SetPassword("NewPassword")
Note that, unlike other attributes, you do not use SetInfo after using SetPassword to configure the user's password.
However, if you want to force the user to change passwords at the next logon, you do as follows:
$objUser.Put("pwdLastSet",0)
$objUser.SetInfo()
In VBScript, the code is very similar:
Set objUser=GetObject("LDAP://UserDN")
objUser.SetPassword "NewPassword"
objUser.Put "pwdLastSet",0
objUser.SetInfo
It is even possible to import passwords, using LDIFDE, a command introduced in earlier lessons. Note that the directory accepts a password written this way only over an encrypted (SSL/TLS) LDAP connection.
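The following PowerShell function is an added example that is not part of the original lesson. It performs the same reset as the ADSI commands above but reads the password as a SecureString rather than putting it on the command line, unwraps it only for the SetPassword call, forces a change at next logon, and then reads pwdLastSet back to confirm that the flag stuck. The distinguished name in the usage line is a placeholder; the helper name is my own.

```powershell
# Added example (not from the lesson): reset a user's password over ADSI without
# placing the password on the command line, then force a change at next logon.
function Reset-AdsiUserPassword {
    param(
        [Parameter(Mandatory)][string]$UserDN,             # e.g. "CN=Mary North,OU=People,DC=contoso,DC=com" (placeholder)
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $user = [ADSI]"LDAP://$UserDN"

    # SetPassword needs the clear-text value. Unwrap the SecureString only for the
    # duration of the call and zero the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $user.SetPassword($plain)        # takes effect immediately; no SetInfo needed
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }

    # pwdLastSet = 0 is what "User must change password at next logon" writes;
    # unlike SetPassword, this attribute change does need SetInfo.
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()

    # Verify: a base-scope search rooted at the user returns pwdLastSet as an Int64.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($user)
    $searcher.SearchScope = "Base"
    $searcher.Filter = "(objectClass=user)"
    [void]$searcher.PropertiesToLoad.Add("pwdLastSet")
    $pwdLastSet = [int64]$searcher.FindOne().Properties["pwdlastset"][0]
    return ($pwdLastSet -eq 0)
}

# Usage: the password is typed at a prompt, so it never appears in the shell history.
$pw = Read-Host -AsSecureString "New temporary password"
Reset-AdsiUserPassword -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -NewPassword $pw
```

The function returns $true when the read-back confirms pwdLastSet is 0. The managed copy of the password ($plain) cannot be zeroed, so the function keeps it scoped as narrowly as possible; the ADSI LDAP provider itself chooses a protected channel (LDAPS or Kerberos) for SetPassword.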

Unlocking a User Account
When a user attempts to log on with an incorrect password, a logon failure is generated. When too many logon failures occur within a specified period of time defined by the lockout policy, the account is locked out. The next time the user attempts to log on, a notification clearly states the account lockout.

You can unlock a user account by right-clicking the account, choosing Properties, clicking the Account tab, and selecting the Unlock Account check box.

Neither Dsmod nor the other DS commands can unlock an account. In Windows PowerShell you can clear the same IsAccountLocked property that VBScript uses below by means of the psbase.InvokeSet method, the technique this lesson shows later for disabling accounts. To unlock a user with VBScript, use the following code:
Set objUser = GetObject("LDAP://UserDN")
objUser.IsAccountLocked = False
objUser.SetInfo
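The following PowerShell is an added example, not code from the lesson. It reports the lockout state and the bad-password count before unlocking, because an account that is simply unlocked will lock again if a stale credential (a mapped drive, a scheduled task, a service) keeps presenting the old password. The function and parameter names are my own; the server and DN values are placeholders.

```powershell
# Added example (not from the lesson): inspect and clear an account lockout over ADSI.
function Get-AdsiLockoutState {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [string]$Server            # optional DC to bind to (placeholder); see note below
    )
    $path = if ($Server) { "LDAP://$Server/$UserDN" } else { "LDAP://$UserDN" }
    $user = [ADSI]$path
    [pscustomobject]@{
        DN          = $UserDN
        Server      = $Server
        # IADsUser.IsAccountLocked: computed from lockoutTime and the domain lockout duration
        IsLocked    = [bool]$user.psbase.InvokeGet("IsAccountLocked")
        # badPwdCount is not replicated; each DC holds its own value. Failures are
        # forwarded to the PDC emulator, so its copy reflects attempts seen domain-wide.
        BadPwdCount = $user.Properties["badPwdCount"].Value
    }
}

function Unlock-AdsiUser {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [string]$Server
    )
    $path = if ($Server) { "LDAP://$Server/$UserDN" } else { "LDAP://$UserDN" }
    $user = [ADSI]$path
    if (-not [bool]$user.psbase.InvokeGet("IsAccountLocked")) {
        Write-Verbose "$UserDN is not locked on this DC"
        return $false
    }
    # Same property the VBScript sets to False; in PowerShell it is reached through InvokeSet.
    $user.psbase.InvokeSet("IsAccountLocked", $false)
    $user.SetInfo()
    # Confirm by asking the DC again rather than trusting the local cache.
    $user.psbase.RefreshCache()
    return (-not [bool]$user.psbase.InvokeGet("IsAccountLocked"))
}

# Usage (placeholder names): look first, then unlock.
Get-AdsiLockoutState -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -Server "pdc01.contoso.com"
Unlock-AdsiUser -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -Server "pdc01.contoso.com"
```

Unlock-AdsiUser returns $true only when the directory reports the account unlocked afterwards. Binding to the PDC emulator is a convenience for reading a complete bad-password count; the unlock itself replicates from whichever DC you write it on.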

Disabling and Enabling a User Account
User accounts are security principals—identities that can be given access to network resources. Because each user is a member of Domain Users and of the Authenticated Users special identity, each user account has at least read access to a vast amount of information in Active Directory and on your file system.

Therefore, it is important not to leave unneeded accounts enabled. Configure password policies and auditing procedures to ensure that accounts are being used appropriately, and if a user account is provisioned before it is needed, or if a user will be absent for an extended period of time, disable the account.

To disable an account in the Active Directory Users And Computers snap-in, right-click a user and choose Disable. From the command line, you can use Dsmod.exe, as in the following example:
dsmod user UserDN -disabled yes
With Windows PowerShell you must use a roundabout method to set the flag, invoking the AccountDisabled property of the underlying ADSI object:
$objUser=[ADSI]"LDAP://UserDN"
$objUser.psbase.InvokeSet("AccountDisabled",$true)
$objUser.SetInfo()

VBScript is more straightforward, although the change is not written to the directory until you call SetInfo:
Set objUser = GetObject("LDAP://UserDN")
objUser.AccountDisabled=TRUE
objUser.SetInfo
Enabling an account is just a matter of yes to no for the Dsmod.exe command:
dsmod user UserDN -disabled no
In the Windows PowerShell commands shown earlier, change $true to $false and, in VBScript, change TRUE to FALSE.
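What Dsmod, the AccountDisabled property, and the Disable command all change is a single bit (ACCOUNTDISABLE, 0x0002) in the user's userAccountControl attribute. The PowerShell below is an added example, not code from the lesson, that sets or clears that bit directly while preserving the other flags stored in the same attribute (for example DONT_EXPIRE_PASSWD or SMARTCARD_REQUIRED), which a careless whole-value overwrite would silently discard. The function name and the DN in the usage line are placeholders of my own.

```powershell
# Added example (not from the lesson): toggle ACCOUNTDISABLE in userAccountControl
# without disturbing the other flags packed into the same attribute.
$ACCOUNTDISABLE = 0x0002     # flag value documented for userAccountControl

function Set-AdsiAccountDisabled {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][bool]$Disabled    # $true = disable, $false = enable
    )
    $user = [ADSI]"LDAP://$UserDN"
    $uac  = [int]$user.Properties["userAccountControl"].Value

    # Bitwise set or clear; never assign a literal such as 514 or 512, which would
    # erase every other flag the account carries.
    $new = if ($Disabled) { $uac -bor $ACCOUNTDISABLE } else { $uac -band (-bnot $ACCOUNTDISABLE) }

    if ($new -ne $uac) {
        $user.Put("userAccountControl", $new)
        $user.SetInfo()
    }

    # Re-read from the directory and report whether the account is now disabled.
    $user.psbase.RefreshCache()
    $current = [int]$user.Properties["userAccountControl"].Value
    return (($current -band $ACCOUNTDISABLE) -ne 0)
}

# Usage (placeholder DN): disable, then enable again.
Set-AdsiAccountDisabled -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -Disabled $true    # returns True
Set-AdsiAccountDisabled -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -Disabled $false   # returns False
```

The return value reflects the attribute as stored on the DC after the write, so a caller can assert on it in a provisioning script rather than assume the change took effect.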

Deleting a User Account
When an account is no longer necessary, it can be deleted from Active Directory. However, it is critical to consider that after the account has been deleted, it is eventually purged entirely from the directory. You cannot simply re-create a new account with the same name as a deleted account and hope it has the same group memberships and access to resources; it will not. The loss of the user’s SID and of its group memberships can cause significant problems if, later, you realize you need the account.

You can also consider recycling a user account. If a user leaves your organization, it's possible you will eventually hire a replacement who will need very similar resource access, group memberships, and user rights as the previous user. You can disable the account until a replacement is found and then rename the account to match the new user's name. The previous user's SID, group memberships, and resource access are thereby transferred to the replacement. Because the SID is unchanged, every existing ACL entry and audit record that refers to the old user now applies to the new one, so review the memberships and any direct permissions before handing the account over.

To delete a user account in Active Directory, select the user and press Delete or right-click the user and choose Delete. You will be prompted to confirm your choice because of the significant implications of deleting a security principal.
You can delete objects from Active Directory by using the Dsrm command, another of the DS commands. Dsrm uses a simple syntax:
dsrm UserDN
Notice that Dsrm is not followed by the user object class as are the other DS commands.

To delete a user from Active Directory, using Windows PowerShell, you connect to the parent container (the OU) and use the container's Delete method. This might seem slightly strange, but it parallels the fact that you use the container's Create method to create a user. The following two Windows PowerShell commands will delete a user:
$objOU = [ADSI]"LDAP://OUDN"
$objOU.Delete("user","CN=UserCN")
VBScript uses the same approach, with its unique syntax:
Set objOU = GetObject("LDAP://OUDN")
objOU.Delete "user","CN=UserCN"
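Because deletion discards the SID and the group memberships, as the section above stresses, a practitioner usually records both before removing the object. The PowerShell below is an added example, not code from the lesson: it saves the SID, sAMAccountName and memberOf list to a JSON file and only then deletes the user through its parent container, exactly as the two-line example does. The function name, the record path and the DN are placeholders.

```powershell
# Added example (not from the lesson): keep a record of what deletion destroys,
# then delete the user through its parent container.
function Remove-AdsiUserWithRecord {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$RecordPath    # e.g. C:\Records\mnorth.json (placeholder)
    )
    $user = [ADSI]"LDAP://$UserDN"

    # objectSid is stored as a byte array; SecurityIdentifier renders it as S-1-5-21-...
    $sidBytes = $user.Properties["objectSid"].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    $record = [pscustomobject]@{
        DistinguishedName = $user.Properties["distinguishedName"].Value
        SamAccountName    = $user.Properties["sAMAccountName"].Value
        Sid               = $sid.Value
        # memberOf lists explicit group memberships; the primary group (normally Domain Users)
        # is held in primaryGroupID and does not appear here.
        MemberOf          = @($user.Properties["memberOf"] | ForEach-Object { $_ })
        PrimaryGroupId    = $user.Properties["primaryGroupID"].Value
        DeletedAt         = (Get-Date).ToString("o")
    }
    $record | ConvertTo-Json | Set-Content -Path $RecordPath

    # Delete via the container, as the lesson shows. Parent is the OU's DirectoryEntry
    # and Name is the user's RDN in "CN=..." form, so no DN string surgery is needed.
    $parent = $user.psbase.Parent
    $parent.Delete("user", $user.psbase.Name)

    return $record
}

# Usage (placeholder values)
Remove-AdsiUserWithRecord -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" -RecordPath "C:\Records\mnorth.json"
```

The record does not let you resurrect the SID, which is gone once the tombstone expires, but it tells you which groups a replacement account must be added to and which ACL entries will now show an orphaned SID.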

Moving a User Account
If you need to move a user object in Active Directory, you can drag and drop it in the Active Directory Users and Computers snap-in. However, it is easy to drop an object on the wrong container by mistake, so it is more accurate to right-click the user and choose the Move command, which lets you pick the target OU explicitly.

To move a user with a command-line tool, use Dsmove. Dsmove uses the following syntax:
dsmove UserDN -newparent TargetOUDN
Dsmove does not specify a user object class. Instead, it simply indicates the DN of the user to move and, in the TargetOUDN placeholder, the distinguished name of the OU to which the user will be moved. To move a user in Windows PowerShell, you must use the psbase.MoveTo method. The following two lines of code will move a user:
$objUser=[ADSI]"LDAP://UserDN"
$objUser.psbase.MoveTo("LDAP://TargetOUDN")
In VBScript, you use an approach that seems a bit backward. You connect to the target container and then you grab the user object and move it to the container. The following two lines of code do the trick:
Set objOU = GetObject("LDAP://TargetOUDN")
objOU.MoveHere "LDAP://UserDN", vbNullString
The intrinsic constant vbNullString passes Null to the MoveHere method, instructing it that you want the object to keep its current CN.

Renaming a User Account
When a user account needs to be renamed, there can be one or more attributes you must change. To rename a user in Active Directory, right-click the user and choose Rename. Type the new common name (CN) for the user and press Enter. The Rename User dialog box appears and prompts you to enter the Full Name (which maps to the cn and name attributes), First Name, Last Name, Display Name, User Logon Name, and User Logon Name (Pre-Windows 2000).

From a command prompt, you can use Dsmod.exe with the following syntax:
dsmod user UserDN [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName] [-dn DisplayName] [-email EmailAddress]
You cannot change the samAccountName attribute by using Dsmod.exe, and you cannot change the CN of the object by using Dsmod.exe.
To change the CN of an object from a command shell, you must use Windows PowerShell or VBScript. In Windows PowerShell, two lines of code work:
$objUser=[ADSI]"LDAP://UserDN"
$objUser.psbase.Rename("CN=New CN")
You can also change other name attributes, using the Put method of the user object.

To rename a user with VBScript, use a variation of the MoveHere method shown in the previous section:
Set objOU = GetObject("LDAP://CurrentOUDN")
objOU.MoveHere "LDAP://UserDN", "CN=New CN"
In these two lines, you connect to the user’s current OU and use the MoveHere method of the OU to apply a new CN to the user.
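The two preceding sections (moving and renaming) together describe everything the Rename User dialog does, plus a change of container. The PowerShell below is an added example, not code from the lesson, that performs both in one function: it uses the MoveTo overload that takes a new parent and a new name, which is the PowerShell counterpart of VBScript's MoveHere, and then sets the remaining name attributes with Put, including the two that Dsmod cannot change (sAMAccountName and the CN). It also escapes the characters that are special in an RDN so that a name such as "North, Mary" does not produce a malformed DN. The function name and all values in the usage line are placeholders.

```powershell
# Added example (not from the lesson): move and rename a user in one pass, then update
# the name attributes that the GUI's Rename User dialog edits.
function Move-AndRenameAdsiUser {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$TargetOUDN,
        [Parameter(Mandatory)][string]$NewCN,          # plain name; escaping is done here
        [string]$FirstName,
        [string]$LastName,
        [string]$DisplayName,
        [string]$SamAccountName,                       # pre-Windows 2000 logon name
        [string]$UPN                                   # userPrincipalName, e.g. user@contoso.com
    )
    $user   = [ADSI]"LDAP://$UserDN"
    $target = [ADSI]"LDAP://$TargetOUDN"

    # Characters with meaning inside an RDN must be backslash-escaped (RFC 4514).
    $rdn = "CN=" + ($NewCN -replace '([,+"\\<>;=])', '\$1')

    # DirectoryEntry.MoveTo(newParent, newName) moves and renames in a single operation,
    # which is what objOU.MoveHere does in VBScript. Rename() alone keeps the container.
    $user.psbase.MoveTo($target, $rdn)

    # The other name fields are ordinary attributes; Rename/MoveTo do not touch them.
    $attrs = @{
        givenName         = $FirstName
        sn                = $LastName
        displayName       = $DisplayName
        sAMAccountName    = $SamAccountName
        userPrincipalName = $UPN
    }
    foreach ($kv in $attrs.GetEnumerator()) {
        if ($kv.Value) { $user.Put($kv.Key, $kv.Value) }   # only set what the caller supplied
    }
    $user.SetInfo()

    # Return the DN as the directory now reports it.
    $user.psbase.RefreshCache()
    return $user.Properties["distinguishedName"].Value
}

# Usage (placeholder values): a surname change that also moves the user to another OU.
Move-AndRenameAdsiUser -UserDN "CN=Mary North,OU=People,DC=contoso,DC=com" `
    -TargetOUDN "OU=Sales,DC=contoso,DC=com" -NewCN "Mary North-Smith" `
    -LastName "North-Smith" -DisplayName "Mary North-Smith" `
    -SamAccountName "mnorthsmith" -UPN "mnorthsmith@contoso.com"
```

Changing sAMAccountName or the UPN changes what the user types at logon, so tell the user before running this; the SID, group memberships and resource access are unaffected by any of these operations, which is why renaming (rather than deleting and re-creating) is the safe way to reflect a name change.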