2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Anyone who knows a little about computers knows Administrator. It is the default system administrator account and the most powerful default user in the system. When Active Directory is installed on the system, the system becomes a domain controller, and the Administrator account rises with it and becomes the domain administrator account.
Windows is a multi-user operating system. Besides the Administrator account, we can create more user accounts and set user rights and permissions as needed to meet the needs of various types of users. (Precisely because Administrator is all-powerful and universally known, it also brings a security problem: everyone knows this account is an administrator account, so whoever cracks its password gains control of the entire system. It is therefore necessary to rename the Administrator account in practice.)
A user account is an object that contains all the information about the user. Accounts can be either local accounts or domain accounts. A user account includes the user name and password used to log on, the groups to which the account belongs, and the user's access to computer and network resources.
Local users and groups are managed under Start → Administrative Tools → Computer Management → Local Users and Groups.
They are saved in the local SAM database under \WINDOWS\system32\config on the system drive. The registry files are also saved in this directory, so backing up this directory is equivalent to backing up local users, groups, and registry information.
Domain user accounts are managed in Active Directory Users and Computers.
They are not stored in the local SAM database but in the Active Directory database, centrally on the domain controller.
There are four name types for domain user accounts.
1. User logon name
The user logon name entered by the administrator when creating the user account, such as the One user created in the previous lesson or the heyijie user in the figure above. The user logon name must be unique in the container in which the user resides.
2. User logon name (pre-Windows 2000)
The NetBIOS name of the domain (NetBIOS is the Network Basic Input/Output System; for a domain such as Nwtraders.msft the NetBIOS name is usually the Nwtraders part before .msft) followed by the user logon name, such as NWTRADERS\heyijie in the figure above. The pre-Windows 2000 user logon name must be unique in the domain.
3. User principal name (UPN, User Principal Name)
It consists of the user logon name and the user principal name suffix (that is, the domain name), joined by the @ character. For example, the user principal name in the figure above is heyijie@nwtraders.msft. The user principal name must be unique in the forest.
4. LDAP relative distinguished name
The LDAP relative distinguished name uniquely identifies the object within its parent container. Ordinary users do not use it; administrators use it in scripts or on the command line to add users to the network. For example, for the One user in the second picture in this chapter, the parent container is Users and the LDAP relative distinguished name is:
CN=one,CN=users,dc=nwtraders,dc=msft
The network environment for this chapter is as follows; the domain name is nwtraders.msft:
Example: as administrator on the domain controller, create a domain user Kaka in the production department OU so that Kaka can log on at Glasgow. The password must be changed at first logon, and the user is to have administrator rights on Glasgow.
1. Log on to London as Administrator, open Active Directory Users and Computers, and create a new user Kaka in the production department OU.
(The last name and first name make users easy to manage and identify in Active Directory Users and Computers. They may be in Chinese or English, but cannot be used to log on. The "user logon name" and the "user logon name (pre-Windows 2000)" can differ, but that makes them harder to remember later; they can also be in Chinese.) Fill in the fields as shown below and click Next.
The options are shown in the table below. The first option means that the user must change the password at first logon and need not change it again until the password expires; by default a password is valid for 42 days. Then click Next.
2. Log on at Glasgow as the newly created user kaka, and change the password at first logon.
3. After Kaka logs on, there is no shutdown option under Start → Shut Down, only Log Off.
This is because the Domain Users group and the Authenticated Users group are members of the local Users group on Glasgow, which does not have the right to shut down the system. To solve this, either give the local Users group the shutdown right or add the Kaka user to the local Administrators group on Glasgow. According to the requirements of this example, the latter method is used here.
This can be done in either of the following ways:
(1) The first way is to log off and log on to the local computer as the local Administrator of Glasgow.
Then right-click "My Computer" and select "Manage". In Computer Management, go to Computer Management (Local) → System Tools → Local Users and Groups → Groups, and double-click the Administrators group to open its properties.
In its properties you can see that the domain's Domain Admins group is already a member, so all members of Domain Admins have administrative rights over all computers in the domain, and Administrator is a default member of the Domain Admins group. Next, click the Add button to add the Kaka user.
Click Advanced (2), and in the dialog box that appears enter a domain user name that has read access to Active Directory (all domain users have read access to Active Directory by default); here, enter the account name and password for Kaka.
Add the user Zhao Kaka in the order 1, 2, 3 shown below.
(2) The second way is to log on to London as the domain administrator Administrator and manage the computer remotely from Active Directory Users and Computers.
Locate the computer Glasgow, right-click it and select "Manage".
Click the Add button to add the Kaka user.
Once Kaka is in the local Administrators group, Kaka is not only a domain user but also an administrator of the Glasgow computer, and so has the right to shut it down.
Copying users from a template
To create a small batch of users within one department, a user account template is the most suitable method.
Example: turn the Kaka user of the production department into an account template, then use it as the template to create the Feifei and Lili users of the production department.
Not all attributes of the template account are copied to the new user. The following table lists the attributes that can be copied.
1. Turn the Kaka user into an account template: in the Kaka user's properties, fill in the attributes that can be copied and that are common to the members of the production department.
2. After completing the properties of the template, right-click it and select "Copy".
3. When the copy is finished, check the new user's properties.
4. The contents of the template have been copied in.
Copy Kaka to the other user in the same way.
Use commands to create users in bulk
For large numbers of users, copying from a template is relatively slow; the best way is to use the dsadd command to create users in bulk.
Example: use the dsadd command to create users Worker1, Worker2, ..., Worker10, a total of 10 employees, for the production department, with these common settings: the user must change the password at next logon, the password is p@ssw0rd, the department is production, and the company is 51CTO.
1. Copy the content between the [] signs below into a text file on London, paste it 10 times, change Worker1 to Worker1, Worker2, ..., Worker10 in turn, and save the file as a batch file with the .bat extension.
[dsadd user "cn=Worker1,ou=production,dc=nwtraders,dc=msft" -samid Worker1 -upn Worker1@nwtraders.msft -pwd p@ssw0rd -dept production -company 51CTO -mustchpwd yes]
The dsadd command adds objects such as users to the directory. Enter dsadd user /? at the CMD command line to see how to add users. Several common parameters are as follows:
"cn=Worker1,ou=production,dc=nwtraders,dc=msft": the distinguished name (DN) of the user to be added. ou=production indicates that the user is created in the production OU.
-samid sets the SAM account name of the user. If not specified, dsadd uses the first 20 characters of the common name (CN) to create the SAM account name.
-upn sets the user's UPN (user logon name).
-fn sets the user's first name.
-mi sets the user's middle initial.
-ln sets the user's last name.
-display sets the user's display name.
-pwd {password | *} sets the user's password. If * is given, you are prompted for the password.
-dept sets the user's department.
-company sets the user's company.
-mustchpwd {yes | no} whether the user must change the password at next logon. Default value: no.
-canchpwd {yes | no} whether the user can change the password. If -mustchpwd is "yes", this should be "yes". Default value: yes.
Double-click the batch file to run it and create the 10 users.
The department and company in their properties are also set.
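The same ten accounts can be created with one loop instead of ten pasted lines, followed by a check that the settings took effect. This batch file is an added example, not part of the original article; it reuses the article's OU, domain, password and attribute values, and the variable names OU and DOMAIN are chosen here for illustration.

```bat
@echo off
rem Added example: create Worker1..Worker10 in the production OU with one loop.
setlocal
set "OU=ou=production,dc=nwtraders,dc=msft"
set "DOMAIN=nwtraders.msft"

rem for /L counts from 1 to 10 in steps of 1; %%i is the worker number.
for /L %%i in (1,1,10) do (
    dsadd user "cn=Worker%%i,%OU%" -samid Worker%%i -upn Worker%%i@%DOMAIN% -pwd p@ssw0rd -dept production -company 51CTO -mustchpwd yes
    if errorlevel 1 echo Failed to create Worker%%i
)

rem Verify: list the new accounts and confirm that each one
rem must change its password at next logon.
dsquery user "%OU%" -name Worker* | dsget user -samid -upn -dept -company -mustchpwd
endlocal
```

The shared initial password sits in this file in clear text, so delete the file once the accounts exist; with -pwd * dsadd prompts for the password instead of reading it from the command line.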
Management of domain users
1. Disable the user account: when a user is away on a business trip, temporarily disable that user's account.
2. Enable the user account: when the user comes back from the business trip, re-enable the account.
3. Reset password: if the user forgets the password after returning from a business trip, or is locked out by the system after several unsuccessful logon attempts, the administrator can reset the password for the user.
4. Move users: when users transfer from one department to another.
5. Delete users: delete the user after the employee resigns.
It is worth mentioning that if you delete a user (such as Worker10) and then recreate a user with the same name (such as Worker10), the new user does not inherit the original rights and permissions. This is because rights and permissions in Windows are tied to the user's SID, which is assigned when the user is first created. When the user is deleted and a user with the same name is created again, the new user gets a new SID that differs from the original, so it cannot inherit the original rights and permissions.