If you have a network, the first step to managing users in Windows Server 2012 is to create a new user account. You can do this in Windows Server 2012 R2 Essentials by right-clicking the Users folder and selecting “New User.” After a successful creation of the account, you can modify the account properties and set a complex password. If you aren’t comfortable with password complexity, you can deactivate the account.
If you don’t have organizational units and want to create a user account, you can use the Active Directory Users and Computers management console to do this. Creating individual user accounts is an everyday task for some administrators. The Active Directory Administrative Center (ADAC) is an incredibly powerful and useful console that also contains a Recycle Bin and fine-grained password policies. You can also use the ADAC to create a new user from the ADDS.
In addition to creating new user accounts, you can also set logon hours for all users. The Logon Hours tab displays the days and times when a user can’t log on to the server. You can also lock down the workstations that allow users to access the server, and disable them if necessary. Once you have made changes to user accounts, you can click Finish to create the new user.
One of the most common queries that server administrators receive is about how to manage users. Adding and removing users can be done in the User Management section of Windows Server 2012. Managing user accounts also includes adding, deleting, and changing their password. In this article, we will cover how to add and remove users, as well as manage their account security. Managing users on Windows servers is a key component of maintaining a secure and reliable network.
Adding and deleting users is as easy as following a few simple steps. First, you need to open Computer Management. Click Start and type “System Tools” in the search field. The Computer Management window will appear. Click on System Tools – Local Users and Groups. Now, you can edit the account properties, add groups, and delete users. You should have a strong password, though. If you don’t remember your password, don’t worry – it will be copied into the new account.
How Do I View All Users in Windows Server 2012?
To view all the users in your Windows server, navigate to the Control Panel and click on Users and Computers. Double-click on the user account to open its properties. You can also view user groups and passwords by clicking the Advanced Search button. Alternatively, you can also use the “Net User” command to see all users on your server. To see which user account has the most rights and which is the least, you can try typing the user’s name in the Advanced Search box.
You can also use the local groups and user profiles in Windows Server 2012 to view all users. In addition, you can view all users by group and add new users through this menu. If you are using Windows Server 2012 R2, you can create new groups and users by using the local group and user profiles. However, you should note that the default group that a user has access to must be unique and complex. If you do not want multiple users to access your server, you should create new groups and users.
Where is Users And Groups in Windows Server 2012?
In Windows Server 2012, you can manage user accounts in two different ways: the Local Users and Groups snap-in in MMC or the User Accounts control panel. Both of these interfaces are identical in that changes made in one will be reflected in the other. The Local Users and Groups snap-in in MMC is simpler to use but offers limited access to user accounts. You can create new local user accounts and change their basic attributes, but the Local Users and Groups interface is not ideal if you’re trying to manage groups.
To create a new user account, go to the ‘Members’ page. Click on ‘Add a User Account’. You can either type the name of the user or use the Advanced Search feature to find the person or group. Similarly, you can create a new group and make it a member of another group. Once you’re done, you can apply a security template for the new users in the group.
How Do I Manage Users in Active Directory?
In order to manage users in Active Directory, you must create computer accounts. Large organizations may have thousands of users and several thousand computers. It would be impractical to manually change settings on every single one of those machines. A better solution would be to use group policy, which requires that all computers and servers in the domain are members of the same Active Directory. Moreover, applications like Exchange require that these servers are part of the same domain.
First, launch the Active Directory Administrative Center (ADAC) console. This tool is launched from the Server Manager, by clicking Tools. It has the same tiled interface as Server Manager. It contains various useful information, such as an overview of AD, links to help documentation, and details of Dynamic Access Control (DAC) deployment. The initial ADAC screen will appear, and you can reset the domain administrator password and perform a global search against AD. Once you’ve completed this, you can select the DC and delete the user.
How Do I List All Users in Windows?
To list all users on your Windows Server 2012 server, open the Computer Management program and right-click on the This PC icon. Choose System Tools, Local Users and Groups. Next, double-click on any user account name to see its properties. If the user is disabled or hidden, use the net user command to see its details. You can also use the ‘net user’ command to view the list of all users.
To list all users in Windows Server 2012, you must have access to the system, but there are ways to do so without requiring administrative privileges. For example, using the “Run As” feature to run an application as a local administrator, you can browse the user list by specifying a user name and domain, if applicable. This way, you’ll be logged in locally, and the name and group will match.
Once you’ve done that, you can use the Get-User PowerShell cmdlet to see a list of local users. This command can also be used to get the list of users on Active Directory. However, this command only lists local users on the system where the command is run. You can also use Get-ADUser to view Active Directory users. Both cmdlets are useful, but each has its own set of limitations.
How Do I Add a User in Windows Server 2012?
When creating a new user in Windows Server 2012, it is important to provide the correct information so that the new account will be recognized by the system. If the new user does not have any administrator rights, you can set them to be a member of a group to gain administrative access. This will also allow them to change their password if necessary. To add a user to a group, follow the steps outlined below.
To add a new user, use the Active Directory Users and Computers command in the Windows Administrative Tools. Then, in the context menu, select New > User to invoke the New Object – User wizard. Fill out all of the required information and save the changes. Remember to use a complex password if you want to keep the users’ accounts safe and private. You can also deactivate users if they don’t need administrative access.
What are the Different Types of User Accounts?
The different types of user accounts include standard user accounts, domain users, and administrator users. A standard user account can perform basic computer functions, but it cannot install applications or printers. On the other hand, an administrator account has complete control over Windows and can perform administrative tasks. In some cases, a user may be granted special permissions, such as allowing a user to install applications or install printers. User groups can be created either manually or by using virtualization software.
A local user account is stored on a workstation or server. It is not allowed to change system files or property. It is typically used for temporary tasks. Windows accounts are automatically created, while Linux accounts must be created manually after installation. Local user accounts and administrator accounts are used differently, so be sure to keep these in mind when choosing the type of account you create. This way, you can ensure that your system is secure.
7 ways to see who is working on a terminal server
February 25, 2017
Where does administering users on a terminal server begin?
With viewing the users' "Active" or "Disconnected" sessions, of course.
Without this picture, administering a terminal server is impossible.
In addition to the article, I also recorded a detailed video on how to administer users on a terminal server (a must-watch for beginners!)
Of course, this topic is also covered in the course: 1C Administrator!
So, of course, we need to see in full detail what is happening on our terminal server!
Which processes are running on behalf of which users (including 1C processes), their identifiers, the users' session IDs: this and much more helps the administrator stay aware of what is happening on the server, manage all of it accordingly, and react to various situations in time.
On different versions of Windows Server, administrators solve this in different ways.
Some view users with the plain Task Manager on Windows Server 2012 – 2016. Some use various commands in CMD, and some use PowerShell.
But all administrators want the same things:
1. To quickly see all users working on the server.
2. For it to be as informative as possible.
3. For it to be free.
For this reason I decided to collect all the best, simplest and fastest methods that (in my opinion) are worth using.
I am sure these methods will help many beginning administrators in administering a terminal server.
So, the first and simplest method (on Windows Server 2012 R2)
1. Task Manager.
Task Manager, "Users" tab: lets us see the users who are working on this server.
But by default the standard Task Manager "Users" tab will not show us that a user is working on the server remotely over RDP; fortunately, this is easy to fix.
Right-click the "User" column header and, in the context menu that appears,
tick "Session"; it is also worth ticking "Client name".
This way we will know that this user is working on our server over RDP.
The drawbacks of this method are obvious: to view users we have to be on the terminal server itself, where we launch Task Manager, and there is no way to do any selection, filtering and so on.
2. quser
The next method is to use the quser command in CMD or PowerShell.
quser is the equivalent of QUERY USER (the abbreviation makes the command quicker to type).
It is all simple here: launch CMD or PowerShell and type the command quser
This shows us all users working on this server.
The method is very simple, fast and fairly informative.
It will show you the user, the session, its ID, the state, the session idle time, and the logon time.
If we want to look at only one specific user, we can write, for example:
Example:
Term01 is the user's login.
Most system administrators prefer exactly this method.
And not only because it is fast, simple and so on, but also because you can view all users remotely while sitting at your own PC, anywhere on the local network.
For this it is enough to enter the command with the SERVER parameter
Example:
Right-click My Computer and select Manage, then expand Local Users and Groups. On Windows Server 2012 and Windows Server 2012 R2, this is found within Server Manager: select Tools > Computer Management.
To view, edit, or add new local user accounts, open the local user management snap-in. This can be accessed quickly using the “Run” command (Windows key + R), Start → Run. Then enter lusrmgr.msc.
How do I get to local users and groups in Server 2012?
HOW TO: Add a new user account – Server 2012 From the Server 2012 Start screen, press Windows Key + X. Select Computer Management from the context menu. Select Local Users and Groups from the navigation tree to the left of the Computer Management window.
How do I find users in Windows Server?
Step 1- Open the Command Line Interface by running “cmd” in the run dialog box (Win + R). Step 2- Type query user and press Enter. It will list all users that are currently logged on your computer.
Where is Local Users and Groups in Windows Server?
Use the Local Users and Groups tool for a quick look: hit Windows+R, type “lusrmgr.msc” into the Run box, and then hit Enter. In the “Local Users and Groups” window, select the “Users” folder, and then double-click the user account you want to look at.
How do I find local admin?
Method 1: Check for administrator rights in Control Panel. Open Control Panel, and then go to User Accounts > User Accounts. Now you will see your current logged-on user account displayed on the right side. If your account has administrator rights, you can see the word “Administrator” under your account name.
What is a local admin account?
In Windows, a local administrator account is a user account that can manage a local computer. Generally, a local administrator can do anything to the local computer, but is not able to modify information in active directory for other computers and other users.
How do I add a user to Server 2012?
Go to Start > This PC, and right click on the icon This PC > Properties > Remote setting > choose Allow remote connection to this computer > Select Users > Add > into the column Enter the object names to select add the user name and click on Check names, and if found, click on OK.
How do I give myself admin rights on Server 2012?
Procedure Right-click My Computer on the computer desktop and click Manage. Expand Local Users and Groups. Click Groups. Double-click Administrators to display the Administrators Properties window. Click Add. Select Entire Directory from the Look in list. Select the name of the user that you created and click Add.
How do I give a local admin rights?
Select Start > Settings > Accounts. Under Family & other users, select the account owner name (you should see “Local Account” below the name), then select Change account type. Under Account type, select Administrator, and then select OK. Sign in with the new administrator account.
How do I find server users?
To view a list of user accounts Open the Windows Server Essentials Dashboard. On the main navigation bar, click Users. The Dashboard displays a current list of user accounts.
How do I add users to Windows Server?
To add users to a group: Click on the Server Manager icon ( Select the Tools menu in the upper right, then select Computer Management. Expand Local Users and Groups. Expand Groups. Double-click on the group to which you want to add users. Select Add.
How do I find my username using CMD?
In the box, type cmd and press Enter. The command prompt window will appear. Type whoami and press Enter. Your current username will be displayed.
How do I find user groups?
There are multiple ways to find out the groups a user belongs to. The primary user’s group is stored in the /etc/passwd file and the supplementary groups, if any, are listed in the /etc/group file. One way to find the user’s groups is to list the contents of those files using cat , less or grep .
How do I find my groups in CMD?
To view local groups on your computer: Open an elevated/administrator command prompt. Type net localgroup and press Enter. Observe the list of local groups on your computer.
How do I find out what ad groups I am a member of?
Using the GUI Go to “Active Directory Users and Computers”. Click on “Users” or the folder that contains the user account. Right click on the user account and click “Properties.” Click “Member of” tab.
How do I know if I have admin rights in CMD?
Open the Command Prompt with Administrative Privileges Click the Start icon and click in the Search box. Type cmd into the search box. You will see the cmd (Command Prompt) in the search window. Hover the mouse over the cmd program and right-click. Select “Run as administrator”.
How do I make my domain a local admin?
Right-click on My Computer (if you have privileges). Select Manage. Navigate through System Tools > Local Users and Groups > Groups. On the right side, right-click on Administrators. Select Properties. Click Add. Type the user name of the user you want to add as local admin.
How do I find out my administrator password Windows 10?
Windows 10 and Windows 8.x: Press Win-r. In the dialog box, type compmgmt.msc, and then press Enter. Expand Local Users and Groups and select the Users folder. Right-click the Administrator account and select Password. Follow the on-screen instructions to complete the task.
How do I login as Local Admin?
For example, to log on as local administrator, just type .\Administrator in the User name box. The dot is an alias that Windows recognizes as the local computer. Note: If you want to log on locally on a domain controller, you need to start your computer in Directory Services Restore Mode (DSRM).
Why Local Admin rights are bad?
Attackers thrive on the misuse of administrative privileges. By making too many people local administrators, you run the risk of people being able to download programs on your network without proper permission or vetting. One download of a malicious app could spell disaster.
What are the types of Administrator?
Types of Administrators cybozu.com Store Administrator. An administrator who manages cybozu.com licenses and configures access controls for cybozu.com. Users & System Administrator. An administrator who configures various settings, such as adding users and security settings. Administrator. Department Administrators.
If you’re curious about who is currently connected to a remote desktop connection, you’ve come to the right place. There are numerous methods for determining the number of remotely connected users.
RDP, which stands for Remote Desktop Protocol, is a protocol developed and owned by Microsoft that allows a user to connect to another computer via a network connection using a graphical interface. To connect to the server, the user uses RDP client software, whereas the server uses RDP server software, which is included with the Windows Server operating system. When a client connects to a server, Windows Servers keep track of the logged-in user’s information, which we can view.
So let’s get started.
Using Task Manager
Using Task Manager, we can see a list of active remote desktop users on a Windows server. This method of checking Active User works for every version of Windows Server.
Here are the steps:
- Go to Run, type taskmgr.exe and press the OK button. This will open Task Manager.
- Navigate to the Users tab; there you will see the currently active users.
It will display a list of users currently logged in. Here, only I am logged in, so it is showing one user's information. It also contains information such as what application the user is using, its current status, CPU usage, and memory usage.
Here you will only be able to determine which users are using Remote Connection. If you want to know which types of connections are used to connect to the remote, simply click on any column of the list, say "Status," then right-click on it and select "Session." The list will then show a session column with the types of connections to remote, such as console, terminal, services, or RDP, and so on. As shown below.
Using Query User Command
With the help of the query command, we can find various information about sessionId, the number of users, session state(active/inactive) etc on the Remote Desktop Session Host Server. This command can be used to determine whether a specific user is logged in to a specific Remote Desktop Session Host Server or not.
This command will work on Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, etc. This command will not work for Windows Server 2008.
Syntax:
query user [<username> | <sessionname> | <sessionID>] [/server:<servername>]
Example:
It will return the following information:
- Username: Name of the User.
- sessionname: Name of the session on Remote Desktop Session Host Server. Here, I have rdp-tcp#45
- Id: This is the session ID
- STATE: This is the state of the session either active or disconnected.
- Idle Time: the number of minutes since the session’s last keystroke or mouse movement.
- LOGON Time: This is the login time of the user at the server.
Note: You must have Full Control Authorization or special access permission to use this command.
query session
It displays information about not only active sessions but also other sessions that the server is running.
Using quser command
This is the same as the Query User command. This command will also work only on Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012.
Syntax
quser [<username> | <sessionname> | <sessionID>] [/server:<servername>]
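The quser output described in the quser sections above is plain text, and a disconnected session leaves the SESSIONNAME column empty, which misaligns a naive whitespace split. The PowerShell parser below is an added example, not code from the original articles; the function names, the sample output and the server name SRV01 are constructed for illustration.

```powershell
# Added example: function names and the sample output are constructed.

function ConvertFrom-QuserIdle {
    param([string]$Idle)
    # quser prints '.' or 'none' when there is no idle time, plain minutes ('12'),
    # hours:minutes ('1:22') or days+hours:minutes ('1+02:15').
    switch -Regex ($Idle) {
        '^(\.|none)$'          { return [timespan]::Zero }
        '^(\d+)$'              { return New-TimeSpan -Minutes ([int]$Matches[1]) }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours ([int]$Matches[1]) -Minutes ([int]$Matches[2]) }
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days ([int]$Matches[1]) -Hours ([int]$Matches[2]) -Minutes ([int]$Matches[3]) }
        default                { return $null }
    }
}

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines | Select-Object -Skip 1) {      # skip the header row
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $current = $line.StartsWith('>')                      # '>' marks the caller's own session
        # Columns are separated by two or more spaces; LOGON TIME only contains single spaces.
        $fields = ($line -replace '^[ >]', '').Trim() -split '\s{2,}'
        # A disconnected session has an empty SESSIONNAME, so it yields five fields
        # instead of six. Re-insert the empty value to keep the columns aligned.
        if ($fields.Count -eq 5) {
            $fields = @($fields[0], '') + $fields[1..4]
        }
        if ($fields.Count -ne 6) {
            Write-Warning "Unparsed quser line: $line"
            continue
        }
        [pscustomobject]@{
            UserName    = $fields[0]
            SessionName = $fields[1]
            Id          = [int]$fields[2]
            State       = $fields[3]
            Idle        = ConvertFrom-QuserIdle $fields[4]
            LogonTime   = $fields[5]      # left as text: the date format depends on the server locale
            IsCurrent   = $current
        }
    }
}

# Constructed sample in the layout quser prints (English locale).
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#45          2  Active          .  2/25/2017 9:14 AM
 term01                                    3  Disc         1:22  2/25/2017 8:02 AM
 term02                rdp-tcp#46          4  Active         12  2/25/2017 8:40 AM
'@ -split "`r?`n"

$sessions = ConvertFrom-QuserOutput $sample
# Against a live server (SRV01 is a placeholder name):
#   $sessions = ConvertFrom-QuserOutput (quser /server:SRV01)

# Disconnected sessions that have been idle for more than an hour.
$sessions |
    Where-Object { $_.State -eq 'Disc' -and $_.Idle -gt (New-TimeSpan -Hours 1) } |
    Format-Table UserName, Id, State, Idle, LogonTime -AutoSize
```

On the sample this lists only term01, the disconnected session that has been idle for 1 hour 22 minutes.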
Using qwinsta command
Query WINdows STAtion is abbreviated as qwinsta. It displays information about sessions on a Remote Desktop Session Host server. The list includes information not only about active sessions but also about other sessions that the server runs.
Syntax
qwinsta [<sessionname> | <username> | <sessionID>] [/server:<servername>] [/mode] [/flow] [/connect] [/counter]
Example:
Look at the state column and you will see whether the user is active or not. You can see here User with ID 6 is active
Using Get-RDUserSession cmdlet
The Get-RDUserSession cmdlet returns a list of all user sessions in a collection or in a Remote Desktop deployment. Note that this may not work on some servers, such as Windows Server 2012 R2.
Import-Module RemoteDesktop
Get-RDUserSession
Output:
Using WMI
Windows Management Instrumentation (WMI) is a PowerShell subsystem that provides administrators with powerful system monitoring tools.
By simply typing the following command you will know a lot:
Get-WmiObject Win32_LoggedOnUser
If you just want to know the username just type the below command:
Get-WmiObject Win32_LoggedOnUser | Select Antecedent -Unique | %{"{0}\{1}" -f $_.Antecedent.ToString().Split('"')[1],$_.Antecedent.ToString().Split('"')[3]}
Using PsLoggedOn Tools
PsTools is a small Sysinternals command-line tool that can help in the administration of local and remote systems. It helps determine the currently logged-in users on local as well as remote systems.
Because PsLoggedOn requires a logon to access the Registry of a remote system, it will show you as logged on via resource share to remote computers that you query.
Note that this tool’s command will only work for Windows Server 2008 and above.
Syntax:
psloggedon [- ] [-l] [-x] [\\computername | username]
Here,
Parameter | Description |
- | Displays the supported options as well as the units of measurement for output values. |
-l | Displays only local logins rather than both local and network resource logons. |
-x | Doesn’t show logon times. |
computername | Specifies the name of the computer for which logon information is to be displayed. |
username | PsLoggedOn searches the network for computers where that user is logged in if you specify a user name. This is useful if you don’t want a specific user to be logged in when you’re about to change their user profile configuration. |
Download
Steps to use PsLoggedOn:
- Download PsLoggedOn from the above link
- Extract the files
- Go to the extracted files and open a command prompt in the same location.
- Then use the syntax mentioned above.
PSLoggedOn requires the Remote Registry Service to be running on the target computer. This service is not enabled by default.
Using Remote Event Viewer
Event Viewer is a powerful Windows tool that allows you to obtain log information from both your local and remote computers.
1. Connect successfully to a remote computer.
2. Press Ctrl + R, type eventvwr and press Enter. This will open eventvwr.
3. Click on the 'Create Custom View' label located at the right corner.
4. In the popup, select Security under 'Event Logs', type the IDs 4624, 4647, 4779, 4800 and then press OK.
5. In the next screen, give the log a name such as 'Remote Login History' and click OK.
6. You will get the 'Remote Login History' label under Custom Views. Click on the 'Remote Login History' label and you will get all login, logout, locked and unlocked event information of the remote users.
7. Click on the row of an event and the details related to that event will be displayed just below it.
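The same four event IDs can be read without the GUI. This added PowerShell example (not from the original article; the function names and sample events are constructed) turns Security-log event XML into rows and keeps 4624 logons only when LogonType is 10 (RemoteInteractive), which is the RDP case.

```powershell
# Added example: names and sample events are constructed for illustration.
# The event IDs are the four entered in the custom view.
$EventMeaning = @{
    4624 = 'Logon'
    4647 = 'User-initiated logoff'
    4779 = 'Session disconnected'
    4800 = 'Workstation locked'
}

function ConvertFrom-SessionEventXml {
    param([xml]$EventXml)

    # local-name() sidesteps the default XML namespace of the event schema.
    $id   = [int]$EventXml.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $time = $EventXml.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')

    # Flatten <Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($node in $EventXml.SelectNodes("//*[local-name()='Data']")) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }

    # 4624, 4647 and 4800 name the account in TargetUserName; 4779 uses AccountName.
    $user      = if ($data.ContainsKey('TargetUserName')) { $data['TargetUserName'] } else { $data['AccountName'] }
    # 4624 carries the client address in IpAddress; 4779 carries it in ClientAddress.
    $source    = if ($data.ContainsKey('IpAddress')) { $data['IpAddress'] } else { $data['ClientAddress'] }
    $logonType = if ($data.ContainsKey('LogonType')) { [int]$data['LogonType'] } else { $null }

    [pscustomobject]@{
        Time = $time; EventId = $id; Meaning = $EventMeaning[$id]
        User = $user; LogonType = $logonType; Source = $source
    }
}

# Helper that builds a minimal, constructed event in the Windows event XML layout.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent($Id, $Time, $DataXml) {
    "<Event xmlns='$ns'><System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System><EventData>$DataXml</EventData></Event>"
}

$sampleEvents = @(
    (New-SampleEvent 4624 '2017-02-25T08:02:11Z' '<Data Name="TargetUserName">term01</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">192.0.2.15</Data>'),
    (New-SampleEvent 4624 '2017-02-25T08:03:40Z' '<Data Name="TargetUserName">term02</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.20</Data>'),
    (New-SampleEvent 4779 '2017-02-25T09:24:05Z' '<Data Name="AccountName">term01</Data><Data Name="ClientName">PC-17</Data><Data Name="ClientAddress">192.0.2.15</Data>'),
    (New-SampleEvent 4647 '2017-02-25T17:30:00Z' '<Data Name="TargetUserName">term02</Data>')
)

$rows = $sampleEvents | ForEach-Object { ConvertFrom-SessionEventXml $_ }

# Keep logoff, disconnect and lock events, but only RDP (type 10) logons.
$rows | Where-Object { $_.EventId -ne 4624 -or $_.LogonType -eq 10 } | Format-Table -AutoSize

# Live use on the server (needs rights to read the Security log):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4647, 4779, 4800 } -MaxEvents 200 |
#       ForEach-Object { ConvertFrom-SessionEventXml $_.ToXml() } |
#       Where-Object { $_.EventId -ne 4624 -or $_.LogonType -eq 10 }
```

On the sample, the type 3 network logon for term02 is dropped and the other three events remain.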
How to Enable Remote Registry Service in Remote Server?
Steps for enabling remote registry service in a remote server are as follows:
- Go to the services manager.
- Look for the "Remote Registry" service.
- Double-click on the service.
- Set the "Start Type" to "Automatic," then press the "Start" button.
- Click OK to save your settings.
Or you can simply run the following line by line in PowerShell.
Set-Service RemoteRegistry -startuptype automatic -passthru
Start-Service RemoteRegistry
Set-Service is the cmdlet that can modify the StartupType, Status, Description, and Displayname properties of a service. You can start, stop, and suspend service with the help of the Set-Service cmdlet.
Here, Set-Service is looking for RemoteRegistry Service and set this service to start automatically. And -passthru indicates that if you are already running this service then ignore it else run it automatically.
Powershell Script File which displays a List of all User RDP connection
The below script will list all users’ RDP Connections History.
Steps:
- Open Text File and paste the below code.
- Save the file as .ps1
- Open Powershell and type: Powershell.exe -File file_location_path and press Enter
where file_location_path is the actual location of the file
Scripts:
# Enumerate every user account known to WMI on this machine
$AllUser = Get-WmiObject -Class Win32_UserAccount
foreach($User in $AllUser)
{
    # Outbound RDP history is stored per user under Terminal Server Client\Servers
    $RegPath = "Registry::HKEY_USERS\"+$User.SID+"\Software\Microsoft\Terminal Server Client\Servers\"
    Write-Host "User:"$User.Name
    Write-Host "SID:"$User.SID
    Write-Host "Status:"$User.Status
    # HKEY_USERS\<SID> only exists while that user's hive is loaded (user logged on)
    $QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
    If(!$?)
    {
        Write-Host "[!]Not logged in"
        Write-Host "[*]Try to load Hive"
        # Hive not loaded: mount NTUSER.DAT from the profile folder (requires administrator rights)
        $File = "C:\Documents and Settings\"+$User.Name+"\NTUSER.DAT"
        $Path = "HKEY_USERS\"+$User.SID
        Write-Host "[+]Path:"$Path
        Write-Host "[+]File:"$File
        Reg load $Path $File
        If(!$?)
        {
            Write-Host "[!]Fail to load Hive"
            Write-Host "[!]No RDP Connections History"
        }
        Else
        {
            $QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
            If(!$?)
            {
                Write-Host "[!]No RDP Connections History"
            }
            Else
            {
                foreach($Name in $QueryPath)
                {
                    # Each subkey is a server name; UsernameHint is the account used for it
                    $User = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
                    Write-Host "Server:"$Name
                    Write-Host "User:"$User
                }
            }
            Write-Host "[*]Try to unload Hive"
            # Unload from a separate process so this session holds no handle on the hive
            Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "Reg unload $Path"
        }
    }
    foreach($Name in $QueryPath)
    {
        Try
        {
            $User = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
            Write-Host "Server:"$Name
            Write-Host "User:"$User
        }
        Catch
        {
            Write-Host "[!]No RDP Connections History"
        }
    }
    Write-Host "----------------------------------"
}
Script Credits go to gstudent@3gstudent
What is happening in the above script?
Ans: To begin, use "reg load" to load the hive. Then, from "HKEY_USERS\"+$User.SID+"\Software\Microsoft\Terminal Server Client\Servers\", read the RDP Connections History. Finally, use "reg unload" to unload the hive. To get the history of login users, data are read from the NTUSER.DAT file.
Differentiate between local and remote desktop users in the Task Manager
Here are some differences:
- Remote users require Remote Desktop to log in, while local users are logged in directly on the computer.
- To observe the difference, open the Task Manager and locate the Session ID column.
- When you open the Task Manager for both local and remote users, you will find that local users have a Session ID of 0, whereas remote users have a Session ID greater than 0.
User Account Management
What is a User Account?
An object in AD DS responsible for controlling authentication and validation of access to resources, containing many attributes about a particular user on your network.
Traditional Active Directory Management Tools
At this stage, it is important to get familiar with some of the management tools an administrator is likely to come across in the execution of their daily tasks.
Active Directory Users and Computers – This tool is typically used daily to manage Active Directory objects such as users, groups, computers and OUs. Users with expired passwords or locked accounts are common in network setups, and this tool will help you reset their accounts and get them back up and running.
Active Directory Sites and Services – This tool is used to manage sites, network topology, replication and related services.
Active Directory Domains and Trusts – Useful tool for managing trust relationships and forest functional level.
Active Directory Schema – This tool is not installed by default and is used to manage the schema.
Command Line Tools – A collection of tools used for basic scripting and command line management.
New Active Directory Management Tools
The arrival of Windows Server 2012 R2 saw some additional tools added by Microsoft to further extend the functionality and management of the operating system.
Active Directory Administrative Centre – A GUI built on Windows PowerShell with an enhanced interface to perform object management using task-oriented navigation.
Windows PowerShell – A command line application like CMD, used to create and manage objects, that provides scripting capabilities.
Creating User Accounts
Before we begin to create users on our server, some steps are required, as by default the tools are not readily in view. Click Start to access the menu and right-click on Active Directory Users and Computers. This will become your most frequently used tool, so it is advisable to pin it to your taskbar. Below the menu, options will pull up where you can choose to pin this tool for easy access.
Active Directory Users and Computers
Launching the tool we just pinned above will open a very important administrative section of our Windows Server 2012 operating system.
Here, you would see the domain you created along with a few other tools such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Managed Service Accounts and Users, which are extremely vital to administering resources on your server.
Right-clicking on the Users tab on the left will drop down a menu, from which you can select New > User to display the object screen as above. As you will discover later when we explore servers further, you can copy an existing user account to inherit permissions from the account, such as access to certain security groups.
Click Next to choose a secure password for the user and notice the tick options: ‘User must change password on next logon’, ‘User cannot change password’, ‘Password never expires’ and ‘Account disabled’.
User Account Object Overview
Now that we have a new user created, let’s take a closer look at the user object itself to get familiar with some of the properties. Right-click the user we just created and select Properties as shown below.
1. General Tab: More information about the new user, such as first and last name, contact details and the email address created on your Exchange server, can be found here.
2. Address Tab: Further information about the new user, such as street number, post code and country, can be populated in this tab. Third-party applications like Exclaimer could leverage this for managing company signatures, something we shall learn about in advanced future lessons.
3. Member Of Tab: This tab reveals vital information about the security groups the user belongs to. Notice you have the ability to add and remove groups specific to each user, to control the resources they have access to in your server environment.
4. Organization Tab: You can further define your new user in this tab with job title, department and the company they work for. Click Apply for any changes made to take effect.
5. Account Tab: Administrators will find themselves in this tab a lot. User accounts can be unlocked, and password policy changes and account expiry dates can be set in this interface. User logon domain and names, for when a client forgets their credentials, are also present in this tab.
6. Logon Hours: Administrators may sometimes wish to set up a time frame during the week when users can access the server. In the Account tab, click Logon Hours to display the days and times when a user can be permitted or denied logon for security reasons.
7. Logon To: Another important and useful security feature is the ability to lock down the workstations from which a user is allowed to access the server. Click Logon To in the Account tab to add or remove computers designated for a particular user to log on; an attempt to access resources from an unassigned workstation will see the user's authentication denied.
User Account Administrative Tasks
Server administrators in active environments will frequently get user-related queries when there is a problem accessing an account. Below, we’ll discuss some of the commonly known requests and how to administer those tasks.
1. Copying An Existing User: This feature comes in handy when you have a new employee starting at a department with existing users and resource permissions already assigned. Right-click the user and select Copy from the menu to display the user object as below.
Populate the fields with your new user credentials, including a strong password. Note that all policies from the existing user will be inherited by the new user.
Double-check the summary to ensure the existing user has been copied and click Finish.
You can confirm the new account has been created when you check the Member Of properties.
2. Resetting User Account Password: This will most likely be the task most requested by users of their administrators. Passwords may be set to expire after a period of time, or users may no longer be able to access their emails with the passwords they already have. In Active Directory services, locate the user and right-click on their object > select Reset Password > type in the new password > Apply.
3. Disabling An Active User Account: In the event an employee leaves the company, administrators usually get a request from managers to delete the user account.
Bearing in mind that every Active Directory object carries a unique identifier, it is best practice to disable the account, preventing the user from ever logging on, until you are 100% sure the user's email account, for example, will no longer be needed.
Right-click on the user in question and select Disable Account. You will be prompted to disable the account and proceed with your action. Notice the state of the object when disabled, shown with a downward arrow.
You can always re-enable the account again by right-clicking and selecting Enable Account.
Next Steps
Congratulations for making it this far in the course; hopefully your understanding of managing user accounts on your server has become clearer after practicing these tutorials.
Join us again as we dive deeper into Windows Server 2012 R2 configuration for our next topic in Computer Account Management. Thanks for investing your time with us.
Credits to all organisations and development teams at Microsoft Corporation