Maintaining User Accounts

User accounts are fairly easy to maintain once they've been configured. Most of the maintenance tasks you need to perform involve user profiles and group membership, which are covered in separate sections of this chapter. Other than these areas, you may also need to perform the following tasks:

  • Delete user accounts

  • Disable, enable, or unlock user accounts

  • Move user accounts

  • Rename user accounts

  • Reset a user's domain password

  • Set logon scripts and home folders

  • Create a local user account password backup

Each of these tasks is examined in the sections that follow.

Deleting User Accounts

Each user account created in the domain has a unique security identifier (SID), and that SID is never reused. If you delete an account, you cannot create an account with the same name and regain the same permissions and settings: the SID of the new account will be different from the old one, and every permission and setting will have to be redefined. Because of this, you should delete accounts only when you know they are not going to be used again. If you are unsure, disable the account rather than deleting it.

To delete an account, select the account in Active Directory Users And Computers and press Delete. When prompted to confirm the deletion, click Yes and the account is permanently deleted. Deleting a user account doesn't delete a user's on-disk data. It only deletes the user account from Active Directory. This means the user's profile and other personal data will still be available on disk until you manually delete them.

Caution

Access control entries in Active Directory and on NTFS volumes refer to users by SID, not by name, and the SID is assigned once, when the account is created. If you delete a user account and then recreate it with the same name, the new account has a new SID and therefore none of the old account's permissions; the old SID remains in ACLs as an unresolvable entry until you clean it up.

Disabling and Enabling User Accounts

If you need to deactivate a user account temporarily so that it cannot be used for logon or authentication, you can do this by disabling the account. While disabling an account makes it unusable, you can later enable the account so that it can be used again. To disable an account, right-click the account in Active Directory Users And Computers, and then select Disable Account.

When prompted that the account has been disabled, click OK. A red circle with an X is added to the account's icon to show that it is disabled. If you later need to enable the account, you can do so by right-clicking the account in Active Directory Users And Computers and then selecting Enable Account.

Moving User Accounts

When there is a reorganization or a user otherwise changes departments, you may need to move the user account to a new container in Active Directory Users And Computers. Moving an account changes only its location (its distinguished name); the SID, group memberships and permissions are unaffected. To move a user account, right-click the account, and then select Move. The Move dialog box appears, allowing you to select the container to which you want to move the user account. Alternatively, you can drag the user account into a new container. You can also select several users to move at once by holding Ctrl while clicking each user, or by clicking the first user and then Shift+clicking the last.
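The delete-versus-disable advice, the disable step and the move, as one added PowerShell example (this is not code from the book; it assumes the ActiveDirectory module from RSAT on a current domain, and the OU, share and account names are made up for illustration). It disables the account, records the SID it keeps, parks the object in a holding OU, and, before a later permanent delete, reports ACEs that still carry a domain SID Windows can no longer resolve to a name.

```powershell
# Added example, not from the book: disable-don't-delete offboarding plus a
# pre-delete check for ACEs that still point at an account's SID.
# Assumes the ActiveDirectory PowerShell module (RSAT); the OU, share and
# account names below are made up for illustration.
Import-Module ActiveDirectory

function Disable-OffboardedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $HoldingOU = 'OU=Disabled Users,DC=corp,DC=example'   # assumed OU
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    # Record date, operator and SID in the description: the object keeps its
    # SID, so it can be re-enabled later with every permission intact.
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME; SID $($user.SID.Value)"
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description $note
    # Moving changes only the distinguished name; SID and objectGUID survive,
    # so bind by GUID rather than by the soon-to-be-stale DN.
    Move-ADObject -Identity $user.ObjectGUID -TargetPath $HoldingOU
    return $user.SID.Value
}

function Find-OrphanedSidAces {
    # Walk a tree and report ACEs whose identity is a raw domain SID
    # (S-1-5-21-...) that Windows could not translate back to DOMAIN\name.
    # After a permanent delete, the dead account's ACEs look exactly like this.
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
                    [pscustomobject]@{
                        Path   = $dir
                        Sid    = $ace.IdentityReference.Value
                        Rights = $ace.FileSystemRights
                    }
                }
            }
        }
}

# Usage (assumed names):
#   Disable-OffboardedUser -SamAccountName 'jsmith'
#   Find-OrphanedSidAces -Path '\\fs01\home' | Format-Table -AutoSize
```

Run Find-OrphanedSidAces against home and profile shares before you delete the object for good; anything it reports for the SID returned by Disable-OffboardedUser is a permission you will otherwise lose track of once the name no longer resolves.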

Renaming User Accounts

Active Directory tracks objects by their SID. This allows you to safely rename user, computer, and group accounts without worrying about having to change access permissions as well. That said, however, the process of renaming a user account is not as easy as renaming other types of accounts. The reason is that users have several name components that are all related to a user's last name, including a full name, display name and user logon name. So when a person's last name changes as the result of a marriage, adoption or divorce, you not only need to update the user's account name in Active Directory but the rest of the related name components as well. To simplify the process of renaming user accounts, Active Directory Users And Computers provides a new dialog box (shown in the following screen) that you can use to rename a user's account and all the related name components.

[Screen: the Rename User dialog box]

With the addition of the Rename User dialog box, the process for renaming user accounts is as follows:

  1. Find the user account that you want to rename in Active Directory Users And Computers.

  2. Right-click the user account and then select Rename. Active Directory Users And Computers then highlights the account name for editing. Press Backspace or Delete to erase the existing name and then press Enter to open the Rename User dialog box.

  3. Make the necessary changes to the user's name information and then click OK. If the user is logged on, you'll see a warning prompt telling you that the user should log off and then log back on using the new account logon name.

  4. The account is renamed and the SID for access permissions remains the same. You may still need to modify other data for the user in the account properties dialog box, including the following:

    • User Profile Path—As necessary change the Profile Path on the Profile tab, and then rename the corresponding directory on disk.

    • Logon Script Name—If you use individual logon scripts for each user, change the Logon Script Name on the Profile tab, and then rename the logon script on disk (logon script names are relative to the NETLOGON share on the domain controllers).

    • Home Folder—As necessary change the home folder path on the Profile tab, and then rename the corresponding directory on disk.
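The whole rename procedure above, including the follow-up edits to the profile path, logon script and home folder, as an added PowerShell example (not code from the book; it assumes the ActiveDirectory module, and the account and path names are made up). It binds to the object by GUID because the distinguished name changes in the first step, and it rewrites the on-disk items only where the old logon name actually appears in the path.

```powershell
# Added example, not from the book: rename every name component the Rename
# User dialog touches, then the paths that embed the old logon name.
# Assumes the ActiveDirectory module; account and path names are made up.
Import-Module ActiveDirectory

function Rename-DomainUser {
    param(
        [Parameter(Mandatory)] [string] $OldSam,
        [Parameter(Mandatory)] [string] $NewSam,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname
    )
    $user = Get-ADUser -Identity $OldSam `
        -Properties UserPrincipalName, ProfilePath, HomeDirectory, ScriptPath
    $guid      = $user.ObjectGUID             # stable handle; the DN is about to change
    $upnSuffix = ($user.UserPrincipalName -split '@')[1]
    $fullName  = "$GivenName $Surname"
    # Logon script names are stored relative to the NETLOGON share.
    $netlogon  = "\\$((Get-ADDomain).DNSRoot)\NETLOGON"

    # 1. The object's name (cn=) is its RDN, so this is a rename of the object.
    #    The SID is untouched; existing ACLs keep working.
    Rename-ADObject -Identity $guid -NewName $fullName

    # 2. Every other name component is a separate attribute.
    $changes = @{
        SamAccountName    = $NewSam
        UserPrincipalName = "$NewSam@$upnSuffix"
        GivenName         = $GivenName
        Surname           = $Surname
        DisplayName       = $fullName
    }

    # 3. Profile path, home folder and logon script that embed the old logon
    #    name: rewrite the attribute and rename the matching item on disk.
    foreach ($attr in 'ProfilePath', 'HomeDirectory', 'ScriptPath') {
        $old = $user.$attr
        if (-not $old -or $old -notmatch [regex]::Escape($OldSam)) { continue }
        $new = $old -replace [regex]::Escape($OldSam), $NewSam
        $changes[$attr] = $new
        $oldOnDisk = if ($attr -eq 'ScriptPath') { Join-Path $netlogon $old } else { $old }
        if (Test-Path -LiteralPath $oldOnDisk) {
            Rename-Item -LiteralPath $oldOnDisk -NewName (Split-Path -Leaf $new)
        }
    }
    Set-ADUser -Identity $guid @changes

    # The user keeps working under the old logon name until they log off and
    # back on, which is the same warning the dialog box gives.
    Get-ADUser -Identity $guid -Properties DisplayName, UserPrincipalName,
        HomeDirectory, ProfilePath, ScriptPath
}

# Usage (assumed names):
#   Rename-DomainUser -OldSam 'jsmith' -NewSam 'jjones' -GivenName 'Jane' -Surname 'Jones'
```

The returned object shows the attributes as they are after the change; compare it with the directory names on the file server if the rename of an on-disk item was skipped because the path did not contain the old logon name.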

Resetting a User's Domain Password

Requiring users to change their passwords periodically through domain policy limits how long a stolen or guessed password remains useful. The downside of frequent changes is that users occasionally forget their new password. If this happens, it is easy to fix by doing the following:

  1. Find the user account whose password you want to reset in Active Directory Users And Computers.

  2. Right-click the user account and then select Reset Password.

  3. In the Reset Password dialog box shown in the following screen, type and then confirm the new password for the user.

    [Screen: the Reset Password dialog box]

  4. Select the User Must Change Password At Next Logon option so that the temporary password you just typed (and now know) is good for only one logon, and then click OK.

Note

The password change is replicated immediately (by urgent replication) to the PDC emulator, as discussed in the section entitled "Using, Locating, and Transferring the PDC Emulator Role", and a domain controller that has not yet received the change forwards a logon it would otherwise reject to the PDC emulator before failing it. Together these make the new password usable anywhere in the domain right away.
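The reset procedure, as an added PowerShell example (not code from the book; it assumes the ActiveDirectory module, and the account name is made up). It performs the reset directly on the PDC emulator for the reason given in the Note, generates the temporary password from a cryptographic random source instead of letting the help desk pick one, and sets the must-change flag so that the password is good for a single logon.

```powershell
# Added example, not from the book: reset a domain password on the PDC
# emulator with a random, single-use temporary password.
# Assumes the ActiveDirectory module; the account name is made up.
Import-Module ActiveDirectory

# 64-symbol alphabet (no 0/O, 1/l/I look-alikes). 256 mod 64 == 0, so mapping
# random bytes onto it with modulo introduces no bias.
$Alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?'

function New-TemporaryPassword {
    param([int] $Length = 16)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
}

function Reset-DomainUserPassword {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Do the reset on the PDC emulator itself: other DCs forward logons they
    # would fail to it before rejecting them, so the new password works
    # domain-wide at once, ahead of normal replication.
    $pdc    = (Get-ADDomain).PDCEmulator
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $pdc -Reset -NewPassword $secure
    # Same effect as ticking "User Must Change Password At Next Logon": the
    # temporary password the help desk saw is good for exactly one logon.
    Set-ADUser -Identity $SamAccountName -Server $pdc -ChangePasswordAtLogon $true
    $after = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties PasswordExpired
    [pscustomobject]@{
        SamAccountName    = $after.SamAccountName
        TemporaryPassword = $plain        # hand over out of band; never log it
        MustChange        = $after.PasswordExpired
        ResetOn           = $pdc
    }
}

# Usage (assumed account): Reset-DomainUserPassword -SamAccountName 'jsmith'
```

Read the temporary password to the user over a channel that verifies who they are; it is the one value in the returned object that must not end up in a ticket or log.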

Unlocking User Accounts

Active Directory locks an account when the number of failed logon attempts exceeds the account lockout threshold set in the domain's Group Policy. An expired password is a different condition: the user is forced to change it at the next logon, but the account is not locked. Once an account is locked, the user cannot log on until the lockout duration set in policy elapses (if one is set) or an administrator unlocks the account. Because lockouts are also the visible symptom of someone guessing passwords against the account, and very often of a stale password cached by a service, scheduled task, mapped drive or mobile device, you shouldn't unlock accounts automatically. Find out what triggered the lockout (it is recorded on the PDC emulator as event ID 644 on Windows Server 2003 domain controllers, and as event ID 4740 on later versions) and speak to the user before unlocking the account.

You can unlock accounts by completing the following steps:

  1. In Active Directory Users And Computers, right-click the locked account and then select Properties.

  2. In the Properties dialog box, select the Account tab.

  3. Clear the Account Is Locked Out check box and then click OK.
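The "don't unlock blindly" advice and the unlock step, as an added PowerShell example (not code from the book; it assumes the ActiveDirectory module and domain controllers that log event ID 4740, that is, Windows Server 2008 or later rather than the 2003-era event 644, and the account name is made up). It lists current lockouts with their counters, reads the lockout events from the PDC emulator to find the calling computer, and unlocks only when the lockout came from a single source.

```powershell
# Added example, not from the book: find out *why* an account is locked
# before unlocking it. Assumes the ActiveDirectory module and DCs that log
# event ID 4740 (Windows Server 2003 DCs log event 644 instead).
# Account names are made up.
Import-Module ActiveDirectory

function Get-LockedOutUsers {
    # Current lockouts with the counters behind them.
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName `
            -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
            Select-Object SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
    }
}

function Get-LockoutSource {
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $Hours = 24)
    # Every lockout is recorded on the PDC emulator as Security event 4740,
    # whichever DC actually counted the bad passwords. In 4740's EventData,
    # Properties[0] is TargetUserName and Properties[1] is the calling
    # computer ("Caller Computer Name" in the rendered message).
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | Where-Object { $_.Properties[0].Value -eq $SamAccountName } | ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    }
}

function Unlock-AfterReview {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $events  = @(Get-LockoutSource -SamAccountName $SamAccountName)
    $callers = @($events | Select-Object -ExpandProperty CallerComputer | Sort-Object -Unique)
    # One known workstation: typically a stale cached credential, safe to
    # unlock once the user has been told. Several callers, or no event at
    # all to explain the lockout, is the case to investigate first.
    if ($callers.Count -ne 1) {
        Write-Warning ("{0}: {1} lockout source(s) ({2}); review before unlocking" -f
            $SamAccountName, $callers.Count, ($callers -join ', '))
        return $events
    }
    Unlock-ADAccount -Identity $SamAccountName
    Write-Verbose "Unlocked $SamAccountName (lockout came from $($callers[0]))"
    return $events
}

# Usage (assumed account):
#   Get-LockedOutUsers
#   Unlock-AfterReview -SamAccountName 'jsmith' -Verbose
```

The returned events are the evidence to keep with the ticket; the calling computer name is what you ask the user about, since a machine they do not recognise means the password, not the account, is the problem.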

Creating a Local User Account Password Backup

Sometimes a user (or even an administrator) forgets the local Administrator password, or the password of another local account, on a server. If you reset a local account's password administratively (as opposed to the user changing it with the old password in hand), Windows cannot re-key the DPAPI master key that protects the user's secrets, so EFS-encrypted files, encrypted e-mail keys and saved Internet passwords become inaccessible under the new password. With Windows Server 2003 you can reset a local user's password without losing access to that data, provided a Reset Disk was created beforehand. You can think of this as backing up the local user's password.

Be careful of the following when creating a Reset Disk:

  • You are not allowed to create a Reset Disk and change your password from the Logon screen simultaneously.

  • Reset Disks can only be used for local accounts, not for domain accounts.

  • You do not have to create a new Reset Disk each time you change a local user's password; you only need to create the Reset Disk once for an account.

  • Users should create their own Reset Disk for each local account they use.

You can make a reset disk for a Windows Server 2003 server that is a member of a domain or is a stand-alone server in a workgroup. You can also make a reset disk for a Windows XP Professional system that is a member of a domain or is a stand-alone workstation in a workgroup. You cannot, however, make a reset disk for a domain controller. Domain controllers do not have local accounts.

Follow these steps to make a password reset disk for a local account:

  1. Log on to the computer using the local user account whose password you want to backup.

  2. Press Ctrl+Alt+Delete, and then click Change Password.

  3. In the Change Password dialog box, type the local account's user name in User Name and, in Log On To, type or select the name of the local computer (not the domain).

  4. Click the Backup button. This starts the Forgotten Password Wizard.

  5. Put a blank formatted 1.4 MB floppy disk into the A: drive.

  6. The wizard asks for your current password, then a progress meter will display. When the process is complete, click Finish, and then click Cancel to get back to the desktop.

Store the floppy disk in a secure place: anyone who has it can set a new password for that account and log on as that user, exactly as you would. If you lose your local user password and need to gain access as a local administrator on your server, you can use the Reset Disk. Here's how to use the Reset Disk to get into a local user account:

  1. Try to log on and fail. When the Logon Failed dialog box appears, select Reset to run the Forgotten Password Wizard.

  2. Put the Reset Disk created earlier into the A: drive.

  3. Type a new password and confirm. Then type a password hint and click OK.

  4. The password should be changed and you should be able to log on using that password.
