Managing User Attributes

Active Directory Users and Computers

When you create a user with the Active Directory Users and Computers snap-in New Object– User Wizard, you are prompted for some common properties, including logon names, password, and user first and last names. A user object in Active Directory, however, supports dozens of additional properties that you can configure at any time with the Active Directory Users and Computers snap-in.

Use the buttons below to navigate through the lesson

When you create a user with the Active Directory Users and Computers snap-in New Object– User Wizard, you are prompted for some common properties, including logon names, password, and user first and last names. A user object in Active Directory, however, supports dozens of additional properties that you can configure at any time with the Active Directory Users and Computers snap-in. To read and modify the attributes of a user object, right-click the user,and choose Properties.

Account attributes: the Account tab These properties include logon names, password, and account flags. Many of these attributes can be configured when you create a new user with the Active Directory Users and Computers snap-in. The “Account Properties” section details account attributes.

Personal information: the General, Address, Telephones, and Organization tabs The General tab exposes the name properties that are configured when you create a user object, as well as basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab is also where Microsoft chose to put the Notes field, which maps to the info attribute and is a very useful general-purpose text field that is underused by many enterprises. The Organization tab shows job title, department, company, and organizational relationships.

User configuration management: the Profile tab Here you can configure the user’s profile path, logon script, and home folder. Group membership: the Member Of tab. You can add the user to, and remove the user from, groups and change the user’s primary group. Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs.  These four tabs enable you to configure and manage the user’s experience when the user is connected to a Terminal Services session.

Remote access: the Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.
Applications: the COM+ tab.  This tab enables you to assign the users to an Active Directory COM+ partition set.

A user object has even more properties than are visible in its Properties dialog box. Some of the so-called hidden properties can be quite useful to your enterprise. To uncover hidden user attributes, you must turn on the Attribute Editor, a new feature in Windows Server 2008. Click the View menu and select the Advanced Features option. Then open the Properties dialog box of the user, and the Attribute Editor tab will be visible.

The Attribute Editor displays all the system attributes of the selected object. The Filter button enables you to choose to see even more attributes, including backlinks and constructed attributes. Backlinks are attributes that result from references to the object from other objects.  A user’s memberOf attribute is updated automatically by Active Directory when the user is referred to by a group’s member attribute. You do not ever write directly to the user’s memberOf attribute; it is dynamically maintained by Active Directory.

A constructed attribute is one of the results from a calculation performed by Active Directory. An example is the tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which the user belongs, including nested groups. To determine the value of tokenGroups, Active Directory must calculate the effective membership of the user, which takes a few processor cycles. Therefore, the attribute is not stored as part of the user object or dynamically maintained. Instead, it is calculated when needed. Because of the processing required to produce constructed attributes, the Attribute Editor does not display them by default. They also cannot be used in LDAP queries.

The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user objects simultaneously. Select several user objects by holding the Ctrl key as you click each user or using any other multiselection technique. Be certain that you select only objects of one class, such as users. After you have multiselected the objects, right-click any one of them and choose Properties.

When you have multiselected the user objects, a subset of properties is available for modification.

  • General: Description, Office, Telephone Number, Fax, Web Page,
  • Account: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
  • Address: Street, P.O. Box, City, State/Province, Postal Code, Country/Region
  • Profile: Profile Path, Logon Script, and Home Folder
  • Organization: Title, Department, Company, Manager

Some attributes of a user object could be quite useful, including division, employeeID, employeeNumber, and employeeType. Although the attributes are not shown on the standard tabs of a user object, they are now available through the Attribute Editor, and they can be accessed programmatically with Windows PowerShell or VBScript.

Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios and simulations that suggest a need to change many user object properties as quickly as possible are often testing your understanding of multiselecting.

Two sets of attributes tend to appear on the certification exams and also present challenges to Windows administrators: name attributes and account attributes. Several attributes are related to the name of a user object and an account. It is important to understand the distinctions between them.

A user’s sAMAccountName attribute (the pre-Windows 2000 logon name) must be unique for the entire domain. Many organizations use initials or some combination of first and last name to generate the sAMAccountName. That approach can be problematic because an organization of any size is likely to have users with names similar enough that the rules for generating the sAMAccountName would generate a duplicate name. This problem is solved if the employee number or some other unique attribute of the users is used for the sAMAccountName.

The userPrincipalName (UPN) attribute consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object. The UPN must be unique for the entire forest. E-mail addresses, which must be unique for the whole world, certainly meet that requirement. Consider using e-mail addresses as UPNs.

If your Active Directory domain name is not the same as your e-mail domain name, you must add the e-mail domain name as an available UPN suffix. To do this, open the Active Directory Domains And Trusts snap-in, right-click the root of the snap-in, and choose Properties.

The RDN must be unique within an OU. For users, this means the cn attribute must be unique within the OU. This can be a tricky one. If you have a single, flat OU for users that already contains a user named Tom Smith, and you hire a second Tom Smith, his user object cannot have the same common name as the first. Unfortunately, there’s no perfect answer to this problem for all organizations.
One solution is to design a naming standard that applies a single rule for all CNs. Perhaps the CN should include an employee’s number— for example, Tom Smith (645928). If your OU structure for user accounts is flat, be prepared to address this challenge.

On the Account tab of a user’s Properties dialog box, shown opposite, are the attributes
directly related to the fact that a user is a security principal, meaning that it is an identity to which permissions and rights can be assigned. Other security principals include computers, groups, and the inetOrgPerson object class.

Logon Hours. Click Logon Hours to configure the hours during which a user is allowed to log on to the network.

Log On To. Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface, and maps to the userWorkstations attribute. You must have NetBIOS over TCP/IP enabled for this feature to restrict users, because it uses the computer name rather than the Media Access Control (MAC) address of its network card to restrict logon.

User Must Change Password At Next Logon.  Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.

User Cannot Change Password. Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.

Password Never Expires. Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting because they are mutually exclusive. This option is commonly used to manage service account passwords.

Account Is Disabled. Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.

Store Password Using Reversible Encryption. This option, which stores the password in Active Directory without using Active Directory’s powerful, nonreversible encryption hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored using reversible encryption are similar to those stored as plaintext. Macintosh clients using the AppleTalk protocol require knowledge of the user password. If a user logs on using a Macintosh client, you will need to select this option.

Smart Card Is Required For Interactive Logon. Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.

Account Is Trusted For Delegation. This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multitier) application infrastructures.

Account Expires. Use the Account Expires controls to specify when an account expires.