Active Directory, Chapter 2 Creating user accounts

Chapter 2 Creating user accounts

The above picture is not owned by us.This belongs to original owner. We have mentioned for knowledge purpose only.

Users are the main reason for your job, you’ll spend a lot of time administering user accounts during your career as an AD administrator.

Everyone logging on to a network requires a user account. These are the objects. You’ll work with the most because user accounts can be quite volatile with leavers,Joiners, changes, and password resets etc.

Also apart from General User’s Accounts you may also have below user accounts.

  1. Group or other specialized mailboxes
  2. Service Accounts

Volatility & Impact

  1. Users and Groups occur frequently but have a low impact.
  2. Modifications to the forest or schema are very infrequent but potentially have a huge impact.
  3. Changing things like the forest, schema, or sites and subnets needs special permission—membership in the Enterprise Admins and Schema Admins groups
  1. Active Directory has a few built-in accounts that are created when you install the first domain controller, but all other accounts have to be created by you, the administrator.
  1. Some specialized accounts and groups may be created by the installation of Microsoft products. The best advice for those accounts is to let the application create them and leave them alone.

User Creation

  • User can be created by Multiple Ways –>  A.GUI, B.PowerShell,  C.User Template.
  •  Managed service accounts ->Introduced in server intended to use for Exchange & SQL Resetting the password for service accounts can cause issues with the services.
  • (ADAC) Active Directory Administrative Centre was 1st introduced in 2008R2
  • The AD module is loaded into Power Shell using this command: Import-Module Active Directory You need to run Power Shell with elevated privileges (Run as Administrator) to gain the maximum benefit from the AD module.
  • The samAccountName must be unique across the forest because it’s used to create the UPN (User PrincipalName, which looks like an email address and can be used for logging in instead of a login ID).

Deletion of Objects

  1. PAD (Protection from Accidental Deletion) setting doesn’t affect an AD attribute. It modifies the permissions on the user account or other objects. The permission to delete the object is denied to the everyone group. Deny permissions take precedence over Allow permissions, meaning that no one can delete the object.
  1. PAD-> can be used on users, groups, computers, ou’s recommended to use.(PAD settings can be removed and object can be deleted)

Standardize the User Creation Process

  1. Always Standardize naming convention for user creation.
  1. Don’t use comma it creates difficulty while scripting. (Commas create separator elements)
  1. Template user creation means copying a user account from existing accounts.

Managed Service Accounts

  1. Managed service accounts were introduced in Windows Server 2008 R2. They’re used to run services such as SQL Server, Exchange, and IIS on systems within your domain.
  1. The Managed Service Accounts container is the default location (CN=Managed Service Accounts) for these objects, but you can create them in any OU or container in your Active Directory.


Please refer below URL for more details on user creation.

Please refer below URL for more details on managed service accounts.