|
|
< Day Day Up > |
|
The heart of an administrator’s job is creating and managing user and group accounts. In this chapter, you’ll first learn how to create and manager user accounts from the command line. You’ll then see how to create and manage groups from the command line. The focus of this chapter is on working with Active Directory directory service users and groups.
In Microsoft Windows Server 2003, two types of user accounts are defined:
Domain user accounts User accounts are defined in Active Directory and can access resources throughout the domain. You create and manage domain user accounts using the directory services commands.
Local user accounts User accounts are defined on a local computer and must authenticate themselves before they can access network resources. You create and manage local user accounts with the network services commands.
| Note |
Local machine accounts are used primarily in workgroup configurations rather than in Windows domains. Still, every computer on the network has one or more local machine accounts. The only exceptions are domain controllers, which do not have local machine accounts. When you want to work with local machine accounts, you use the network services commands. |
The directory services commands that are used to manage domain user accounts include:
DSADD USER Creates a user account in Active Directory. The syntax is
dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName] [-display DisplayName] [-empid EmployeeID]
[-pwd {Password | *}] [-desc Description] [-memberof Group ...]
[-office Office] [-tel PhoneNumber] [-email EmailAddress]
[-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber]
[-webpg WebPage] [-title Title] [-dept Department] [-company Company] [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
[-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd
{yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
DSGET USER Displays the properties of user accounts using one of two syntaxes. The syntax for viewing the properties of multiple users is
dsget user UserDN ... [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]
[-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]
[-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg] [-title]
[-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr]
[-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled]
[-acctexpires] [-reversiblepwd] [{-uc | -uco | -uci}]
[-part PartitionDN [-qlimit] [-qused]] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-c] [-q] [-l]
The syntax for viewing the group membership for users is:
dsget user UserDN [-memberof [-expand]] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco |
-uci}]
DSMOD USER Modifies attributes of one or more user accounts in the directory.
dsmod user UserDN ... [-upn UPN] [-fn FirstName] [-mi Initial] [-ln
LastName] [-display DisplayName] [-empid EmployeeID] [-pwd {Password
| *}] [-desc Description] [-office Office] [- tel PhoneNumber]
[-email EmailAddress] [-hometel HomePhoneNumber] [-pager
PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel
IPPhoneNumber] [- webpg WebPage] [-title Title] [-dept Department]
[-company Company] [-mgr Manager] [- hmdir HomeDirectory] [-hmdrv
DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
[-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd
{yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires
NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]
At first glance, the user commands seem extraordinarily complex. Actually, the user commands aren’t complex so much as they are versatile. They allow you to add, view, or modify user accounts and include an extensive set of user account properties that you can work with. The parameter for working with a particular property is the same whether you are adding, viewing, or modifying an account. For example, when you create an account, you can set the user’s office telephone number with the –Tel parameter. To determine a user’s telephone number, use the –Tel parameter of DSGET USER and if you need to modify a user’s telephone number, you use the –Tel parameter of DSMOD USER.
To manage local machine user accounts, use the NET USER command, which is one of several network services commands. NET USER has several syntaxes, and the syntax you use depends on what you want to do, as follows:
Display local user accounts:
net user [UserName [Password | *] [/active:{no | yes}] [/comment:
"DescriptionText"] [/countrycode: NNN] [/expires:{{MM/DD/YYYY |
DD/MM/YYYY | mmm,dd,YYYY} | never}] [/fullname:"Name"]
[/homedir:Path] [/passwordchg:{yes | no}] [/passwordreq:{yes |
no}] [/profilepath:[Path]] [/scriptpath:Path] [/times:{Day[-Day]
[,Day[-Day]] ,Time[-Time] [,Time[-Time]] [;...] | all}]
[/usercomment:"Text"] [/workstations:{ComputerName[,...] | *}]
Create or modify local user accounts:
net user [UserName {Password | *} /add [/active:{no | yes}]
[/comment:"DescriptionText"] [/countrycode:NNN] [/expires:
{{MM/DD/YYYY | DD/MM/YYYY | mmm,dd,YYYY} | never}] [/fullname:"Name"]
[/homedir:Path] [/passwordchg:{yes | no}] [/passwordreq:{yes | no}]
[/profilepath:[Path]] [/scriptpath:Path] [/times:{Day[-Day]
[,Day[-Day]] ,Time[-Time] [,Time[-Time]] [;...] | all}]
[/usercomment:"Text"] [/workstations:{ComputerName[,...] | *}]]
Delete local user accounts:
net user UserName /delete
As you can see, NET USER lets you work with a fairly narrow set of user account properties. These account properties are best suited for working with local user accounts.
| Note |
NET USER can also be used to work with domain accounts in your logon domain. Beyond the current (logon) domain, you have no access, however, in contrast to the directory services commands, which let you create and manage domain user accounts in any domain in the Active Directory forest. |
|
|
< Day Day Up > |
|