Paul Hill: Creating An Organizational Unit

Paul Hill | itFlee.com

In this lecture, you are going to learn how you can create and manage user accounts within Active Directory. Creating
and managing user accounts within Active Directory is a common task that you will need to fully understand to have a
successful career as a Windows Server administrator.

When it comes to creating and managing user accounts, you really have two options: the Active Directory Users and
Computers console, or the PowerShell command line. In this lecture, you are going to learn how to use the Active
Directory Users and Computers GUI.

You can access the Active Directory console from Server Manager by selecting Tools > Active Directory Users and
Computers.

Creating an Organizational Unit


The first thing we are going to do is learn how to create a user account. Before creating it, you need to decide where to
locate the new user account. Most companies will already have their organizational units created, but in our case we
have not done this yet. There is a default container called Users, but I do not recommend that you place new users
into this container, because you cannot easily manage them with Group Policy (Group Policy Objects link to OUs, not to
the built-in Users container). Instead, let’s create a new organizational unit and call it “Managed Users” (although you
can use whatever name you want).

Right-click on this new OU and, in the same way, create sub-OUs called “Administrators” and “Users”.
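The same OU layout built with the ActiveDirectory PowerShell module, as an added example that is not part of the lecture handout. It assumes the domain is itflee.com (so the domain DN resolves to DC=itflee,DC=com) and that the module is installed on the machine you run it from; the helper name New-OUIfMissing is my own.

```powershell
# Added example, not from the lecture: create "Managed Users" and its two
# sub-OUs with the ActiveDirectory module instead of the ADUC console.
# Assumes the domain from the handout (itflee.com); $domainDN is read from AD.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=itflee,DC=com
$topOU    = "Managed Users"
$subOUs   = @("Administrators", "Users")

function New-OUIfMissing {
    # Hypothetical helper: create the OU only if it is not already there.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = $null
    try {
        # Get-ADOrganizationalUnit throws when the identity does not exist.
        $existing = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop
    } catch { }
    if ($null -eq $existing) {
        # Protecting from accidental deletion matches the ADUC default checkbox.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    } else {
        Write-Host "Already exists: $dn"
    }
    return $dn
}

$topDN = New-OUIfMissing -Name $topOU -ParentDN $domainDN
foreach ($ou in $subOUs) {
    New-OUIfMissing -Name $ou -ParentDN $topDN | Out-Null
}

# Verify the result: list every OU under "Managed Users".
Get-ADOrganizationalUnit -Filter * -SearchBase $topDN |
    Select-Object Name, DistinguishedName
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed; rerunning it is safe because the helper skips OUs that already exist.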

Paul Hill | PaulH@itflee.com | itFlee.com



Creating a user account within Active Directory


Now we have some structure within our domain. Of course, this design is entirely up to you and how you want to
organize your Active Directory objects. You might decide to put both admins and regular users in the same OU, you
might decide to create an OU for each division of the company, or you may decide to put each team inside its own OU.

Let’s create a new user account under the Administrators OU. Right-click the OU and select New > User.

So far we have been using the Administrator account that was set up by default on Windows Server. This practice is
generally frowned upon in the security world, since shared user accounts are considered bad practice. I am going to
create a user account for myself by entering my first and last name. I am going to use the user logon name format of
first name dot last name.

You will notice that there is a separate logon name for pre-Windows 2000. This field adapts your User Logon Name to a
format that is acceptable to older operating systems (before Windows 2000, as the name implies). For example, if your
User Logon Name is longer than 20 characters, it will be truncated in the pre-Windows 2000 logon name. Click Next.

On the next screen, you need to set up your user’s password. I am going to enter the password I want to use for my
account, and I am going to uncheck the checkbox that reads User must change password at next logon.


Generally, how a new account creation works is that you will create their account within Active Directory using a
temporary password (like “Password1” or hopefully something a little more complex). Once you create the account you
will provide them with the username and temporary password. When they log into a domain computer they will be
asked to create a new password that they will hopefully be able to remember.

Since we are creating the user account for ourselves, we do not need to use a temporary password and will not want to
change it once we log in. I have had people come by my desk while I am creating their account; in that case I simply
have them enter their desired password straight into Active Directory and uncheck this checkbox, so they will not be
asked to change it when they first log in.

Check the User cannot change password option if you do not want the user to be able to set their password to
something else. This can be useful for service accounts or if you have a particular need to prevent people from
changing their passwords. This option obviously makes the account less secure, so if security is a concern at all, do not
check this checkbox.

The Password never expires option is also useful for service accounts or any account whose password you do not want
to have to reset. Again, this introduces another security weakness: if someone obtains the password, it will keep
working indefinitely.

The Account is disabled checkbox is useful if you are creating a user account ahead of time and it is not yet ready to
be used. Of course, while an account is disabled, it cannot be used to log on at all.

Click Next and Finish to create the user account.
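The whole New Object - User wizard, including the four password checkboxes just described, as an added PowerShell example that is not part of the handout. It assumes the OU path created earlier in the lecture (OU=Administrators,OU=Managed Users,DC=itflee,DC=com), the UPN suffix itflee.com, and the sample name Paul Hill; the pre-Windows 2000 length check is my own addition and is stricter than the console, which silently truncates.

```powershell
# Added example, not from the lecture: create the user with New-ADUser.
# Assumed values: the OU path from the handout, domain itflee.com, sample name.
Import-Module ActiveDirectory

$firstName = "Paul"
$lastName  = "Hill"
$ouPath    = "OU=Administrators,OU=Managed Users,DC=itflee,DC=com"
$upnSuffix = "itflee.com"

# User logon name in the "first.last" format used in the lecture.
$logonName = ("$firstName.$lastName").ToLower()

# The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
# ADUC truncates it silently; here we stop so the two names never diverge.
if ($logonName.Length -gt 20) {
    throw "Logon name '$logonName' exceeds 20 characters; choose a shorter format."
}

# Never put a password literal in a script: prompt for it as a SecureString.
$password = Read-Host -AsSecureString -Prompt "Initial password for $logonName"

# Each checkbox from the wizard maps to one parameter (splatted so each
# line can carry its own comment).
$params = @{
    Name                  = "$firstName $lastName"
    GivenName             = $firstName
    Surname               = $lastName
    DisplayName           = "$firstName $lastName"
    SamAccountName        = $logonName                 # pre-Windows 2000 name
    UserPrincipalName     = "$logonName@$upnSuffix"    # User Logon Name
    Path                  = $ouPath
    AccountPassword       = $password
    ChangePasswordAtLogon = $false   # own account; set $true for a new hire
    CannotChangePassword  = $false   # only for service accounts, if at all
    PasswordNeverExpires  = $false   # expiry on: a leaked password stops working
    Enabled               = $true    # "Account is disabled" left unchecked
}
New-ADUser @params

# Verify what was written, as you would on the Account tab afterwards.
Get-ADUser -Identity $logonName `
    -Properties PasswordNeverExpires, CannotChangePassword, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, Enabled,
                  PasswordNeverExpires, CannotChangePassword, PasswordExpired
```

For a new hire created with a temporary password, flip ChangePasswordAtLogon to $true; that is the scripted equivalent of leaving the first checkbox ticked.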


Memberships

Now we have the user account created. Right now, the account is sitting inside of the Administrators OU, but that does
not make the account an administrator account. What determines the permissions and roles of a user account is its
memberships. To manage the memberships of a user account, right-click on the user and choose Properties. Go to the
Member Of tab.

To make this user account a domain administrator, we need to add the Domain Admins membership. Click the Add
button, and when the Select Groups dialog appears, search for Domain Admins and click Check Names.


Once the name becomes underlined, you know that the group was found within Active Directory. Click OK.

Now we can see that the user has been added to the Domain Admins group. Click OK to close the dialog box.
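The Member Of step done from PowerShell, as an added example that is not part of the handout. It assumes the sample logon name paul.hill from the user created above; Get-ADGroup plays the role of the Check Names button, since it fails outright when the group name does not resolve.

```powershell
# Added example, not from the lecture: add the user to Domain Admins and verify.
# Assumes the sample account paul.hill created earlier.
Import-Module ActiveDirectory

$user  = "paul.hill"
$group = "Domain Admins"

# Equivalent of "Check Names": resolve the group first; this throws if it
# does not exist, so a typo never silently creates a wrong membership.
$grp = Get-ADGroup -Identity $group

Add-ADGroupMember -Identity $grp -Members $user

# Verify from both directions, as the Member Of tab and the group's
# Members tab would show.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name
Get-ADGroupMember -Identity $grp | Select-Object Name, SamAccountName

# Membership, not OU placement, grants the rights, so review this group
# regularly: -Recursive also expands nested groups.
$admins = Get-ADGroupMember -Identity $grp -Recursive
Write-Host "$group currently has $($admins.Count) effective member(s)"
```

Because the account's rights come from the group rather than from the Administrators OU, the recursive member listing at the end is the one to audit when checking who actually holds domain-wide administrative rights.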

Searching for Objects (User Accounts) within Active Directory


In our case, if you needed to reset the password for Paul Hill it would be very simple because we currently only have one
user account created. What if you have thousands of user accounts and hundreds of OUs? The user account could be
located in any one of them. Thankfully, Active Directory has a search feature that allows you to find any object quickly
and easily. At the top of the Active Directory console, select the notebook and magnifying glass button at the top right of
the menu (if you hover over the button, it will read “Find objects in Active Directory Domain Services”).

Once the window appears, you first need to decide what type of object you are searching for. You can click the Find
dropdown list and view the available options. Since we are going to look for user accounts, leave the default option of
Users, Contacts and Groups selected. The In dropdown list allows you to choose which OU you want to search. Most of
the time, it is best to simply select Entire Directory so that the search is as broad as it can be. In some cases where
you have several large domains joined together, it may be better to select the domain you want to search in (in our
case, itflee.com). Type in the name of the user account that you created and click Find Now.

In the search results, you can see that our user account was found. We can now right-click on the user and do whatever
we need to do (reset the password, disable or delete the account, and so on). Here is a useful tip: if you need to find
the location of the user within Active Directory, enable the Advanced Features view before searching for the user. Once
you find the user in your search, right-click and choose Properties. Next, navigate to the Object tab. You will see the
exact location of the user listed under Canonical name of object.


Click OK to close the properties Window.

Resetting User Passwords and Unlocking Accounts


One of the most common tasks you will need to complete within Active Directory is resetting user passwords.
Thankfully, this is very easy to do: right-click on the user account and select Reset Password.

This dialog works the same way as the password screen when creating a new user account. You can require the user to
reset their password at the next login, or unlock their account if it is locked out. Accounts get locked out after multiple
failed login attempts. Administrators control whether accounts lock out, and how many failed attempts are allowed
before an account is locked, using Group Policy. If a person locks out their account, you will need to check Unlock the
user’s account. I am not going to change the password for this account, so I am going to hit Cancel to close the window.

Of course, in some scenarios you may not be asked to reset a user’s password but simply to unlock the account. To do
this, right-click on the user account and choose Properties. Navigate to the Account tab, select the Unlock account
checkbox, then click Apply or OK.
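The search, reset and unlock tasks from the last two sections, done from PowerShell as an added example that is not part of the handout. It assumes the sample account paul.hill from earlier; the helper names Find-DomainUser, Reset-UserPassword and Unlock-UserOnly are my own. The CanonicalName property it requests is the same "Canonical name of object" value the Object tab shows, and Get-ADDefaultDomainPasswordPolicy reads the lockout settings that Group Policy applies to the domain.

```powershell
# Added example, not from the lecture: find a user anywhere in the directory,
# then reset the password or only unlock the account.
# Assumes the sample account paul.hill created earlier.
Import-Module ActiveDirectory

function Find-DomainUser {
    # Hypothetical helper: "Entire Directory" search by display name.
    # CanonicalName is the location ADUC shows on the Object tab;
    # LockedOut and BadLogonCount tell you whether an unlock is needed.
    param([string]$NamePattern)
    Get-ADUser -Filter "Name -like '$NamePattern'" `
        -Properties CanonicalName, LockedOut, BadLogonCount |
        Select-Object Name, SamAccountName, CanonicalName, LockedOut, BadLogonCount
}

function Reset-UserPassword {
    # Hypothetical helper: the Reset Password dialog with both boxes ticked
    # (change at next logon, unlock the account).
    param([string]$Identity)
    $new = Read-Host -AsSecureString -Prompt "Temporary password for $Identity"
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $Identity
}

function Unlock-UserOnly {
    # Hypothetical helper: the Unlock account checkbox on the Account tab,
    # leaving the password untouched.
    param([string]$Identity)
    Unlock-ADAccount -Identity $Identity
}

# 1. Locate the account, wherever its OU is.
Find-DomainUser -NamePattern "Paul*"

# 2. Show the lockout policy Group Policy has applied to the domain.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Lockout after {0} failed attempts; duration {1}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration)

# 3. List every account that is locked out right now.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName

# 4. Act on the account: unlock only, or reset with a temporary password.
Unlock-UserOnly -Identity "paul.hill"
# Reset-UserPassword -Identity "paul.hill"
```

Prompting for the temporary password rather than passing it as a parameter keeps it out of the PowerShell history and out of any script that gets checked into source control.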
