
Creating and Maintaining Active Directory Objects - user accounts

Exam: Microsoft 70-640 - Windows Server 2008 Active Directory, Configuring

Automate Creation of Active Directory Accounts

Getting to know User Accounts

The user account is the primary means by which people using an Active Directory network access resources. Resource access for individuals takes place through their individual user accounts. To obtain permission and access the network, the user must prove who they are with their specific account. This is known as authentication, and means confirming one's identity with a password, token, or PIN. In cases of biometric authentication, fingerprints or handprints are most commonly used. When a username and password are used, authentication is accomplished by validating the username and password supplied in the logon dialog box against information stored within the Active Directory database. (Authentication should not be confused with authorization, which means confirming the permissions to access network resources that have been granted to an authenticated user.)

Three types of user accounts can be created and configured in Windows Server 2008:

  • Local accounts. These accounts are used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts have domain access. This means that a local account configured on one server cannot be used to access resources on a second server; you would need to configure a second local account in that case.
  • Domain accounts. These accounts are used to access Active Directory or network-based resources, such as shared folders or printers. Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
  • Built-in user accounts. These accounts are automatically created when Microsoft Windows Server 2008 is installed. Built-in user accounts are created on a member server or a standalone server. However, when you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled. By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account. Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller. In the case of a standalone server, the built-in accounts are local accounts on the server itself. On a domain controller, the built-in accounts are domain accounts that are replicated to each domain controller.

On a member server or standalone server, the built-in local Administrator account has full control of all files as well as complete management permissions for the local computer. On a domain controller, the built-in Administrator account created in Active Directory has full control of the domain in which it was created. By default, there is only one built-in Administrator account per domain. Neither the local Administrator account on a member server or standalone server nor a domain Administrator account can be deleted; however, they can be renamed.
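Because the built-in Administrator and Guest accounts can be renamed but never deleted, an audit should locate them by their well-known relative identifiers (RID 500 and 501) rather than by name. The following PowerShell is an added example, not part of this study guide; it assumes the ActiveDirectory module (RSAT, available from Windows Server 2008 R2 onward) and a session with rights to read the domain.

```powershell
# Added example: audit the two built-in domain accounts by RID, not by name.
# Assumes the ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-BuiltinDomainAccount {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Administrator', 'Guest')]
        [string]$Which
    )
    # RID 500 is always the built-in Administrator and RID 501 the built-in Guest,
    # whatever SamAccountName they currently carry.
    $rid = if ($Which -eq 'Administrator') { 500 } else { 501 }
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Get-ADUser -Identity accepts a SID string, so the account is found even after a rename.
    Get-ADUser -Identity "$domainSid-$rid" -Properties Enabled, PasswordLastSet, LastLogonDate
}

function Get-BuiltinAccountReport {
    foreach ($name in 'Administrator', 'Guest') {
        $acct = Get-BuiltinDomainAccount -Which $name
        [pscustomobject]@{
            BuiltIn         = $name
            CurrentName     = $acct.SamAccountName
            Renamed         = ($acct.SamAccountName -ne $name)
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            LastLogonDate   = $acct.LastLogonDate
            # The Guest account is disabled by default; an enabled Guest is worth a second look.
            Finding         = if ($name -eq 'Guest' -and $acct.Enabled) { 'Guest account is enabled' } else { '' }
        }
    }
}

Get-BuiltinAccountReport | Format-Table -AutoSize
```

The same RID rule applies to the local SAM accounts on a member or standalone server, where the prefix is the machine SID instead of the domain SID.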