
Active Directory User Object: An Introduction

What you will learn from this article:

Active Directory is a directory service that organizations can use to organize their resources. The Active Directory network is comprised of elements called Active Directory objects. These objects represent resources that are a part of the network. There are several types of objects such as a user, computer, printer, and more. In this article, we will take a look at what an Active Directory user object is, what are its properties, and how you can create, modify, and delete a user object.

What is an Active Directory User object?

An Active Directory user object, or AD user object, represents a real user who is part of an organization's Active Directory (AD) network. It is a leaf object, which means it cannot contain other AD objects within itself. The user may be an employee of the organization such as a manager, an HR person, or an IT administrator who generally has elevated permissions over other users. A user object is a security principal, which means it has a security identifier (SID) in addition to a globally unique identifier (GUID). A user object in AD has attributes that contain information such as the canonical name, first name, middle name, last name, login credentials, telephone number, the manager he or she reports to, address, who their subordinates are, and more.

Adding a user to the network can be done using the Active Directory Users and Computers (ADUC) console. For example, Joshua is a new employee in an organization, and the administrator needs to provide him access to various resources of the organization. All the administrator has to do is create a user object through the Active Directory Users and Computers console, and then assign access permissions to the user object representing Joshua. Depending on the permissions the administrator assigns to the user object, Joshua gets access to the resources that are necessary for him.

Mandatory AD user object attributes

Every object has a set of mandatory and optional attributes. The values for the mandatory attributes are required for the successful creation of the object, and cannot be empty. For example, the mandatory attributes for a user object are:

  • cn: The distinguished name of the user object that is used to uniquely identify this object in the AD network
  • objectCategory: This is a single-valued property that contains the distinguished name of either the object class this user object belongs to, or the distinguished name of one of its superclasses.
  • objectClass: The distinguished name of the object class that this user object belongs to.
  • sAMAccountName: The pre-Windows 2000 logon name of the object. This is a naming attribute that is also used to identify this user object in the network uniquely.

These attributes are unique across a domain, and they are used to identify the objects across the domain uniquely.

How to view the mandatory attributes of the user object?

  • Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open.
  • Expand the console tree, and right-click on the user object whose mandatory properties you wish to see.
  • From the menu that pops up, click Properties.
  • A dialogue box will appear that shows the user object’s properties. Select the Attribute Editor tab.
  • In the Attribute Editor tab, click the Filter button. A submenu with a list of attribute types will pop up.
  • From the menu, choose Mandatory.
  • The mandatory attributes of the user object will be shown.
[Figure: The Attribute Editor tab displaying the mandatory attributes of a user object in Active Directory]

There are also other attributes that are optional such as telephoneNumber, Manager, and more. An AD user object can be created without these attributes. These optional attributes are used to provide additional information about the user that the user object references.

How to create an AD user object?

  • Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open.
  • Right-click on the console tree.
  • From the menu that pops up, choose the option New.
  • From the list of objects that appear in the menu, select User. An object creation wizard will appear.
  • In the wizard window, enter the value for various attributes of the user object, and then click Next.
  • In the next page of the creation Wizard, enter the password for the user account. In this section, you will also be given the provision to configure the password policies for the user object.
  • After you have set the password and configured the password policies, click Finish.
[Figure: The New Object - User dialog box in Active Directory, creating a new AD user object]

A new AD user object will be created, and it can be located on the ADUC console tree in its respective container.

How to modify an AD user object?

To modify a user object in AD, you can perform the following steps:

  • Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open.
  • Expand the console tree, and right-click on the user object you wish to modify.
  • From the menu that pops up, click Properties.
  • A dialogue box will appear that shows the various properties of the object.
  • Navigate through the various available tabs, and make the necessary changes.
  • Once done, click Apply, and then click OK.
  • The modifications are then reflected in the object's Properties dialogue box.

How to delete an AD user object?

To delete a user object in AD, you can perform the following steps:

  • Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open.
  • Expand the console tree, and right-click on the user object you wish to delete.
  • From the submenu that pops up, click Delete.
  • Click Yes to confirm the deletion.
  • The AD user object will be deleted from the network, and it will not be shown on the console tree.
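The create, view, modify and delete procedures above, carried out with the ActiveDirectory PowerShell module instead of the ADUC console. This is an added example, not code from the original article; it assumes a domain named example.local with an OU named Staff, an assumed manager account adv.user1, and an account allowed to manage users in that OU.

```powershell
# Added example (not from the original article). Assumed: domain example.local,
# OU "Staff", manager account adv.user1, and rights to manage users in that OU.
Import-Module ActiveDirectory

$ou = 'OU=Staff,DC=example,DC=local'   # assumed container for the new object

# Create: -Name becomes cn; sAMAccountName and userPrincipalName are the two logon
# names from the Account tab. objectClass and objectCategory are set by AD itself.
New-ADUser -Name 'Joshua Miller' -GivenName 'Joshua' -Surname 'Miller' `
    -SamAccountName 'jmiller' -UserPrincipalName 'jmiller@example.local' `
    -Path $ou -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true

# View the mandatory attributes, i.e. what the Attribute Editor's "Mandatory" filter shows.
Get-ADUser -Identity 'jmiller' -Properties cn, objectClass, objectCategory, sAMAccountName, objectSid |
    Select-Object DistinguishedName, cn, objectClass, objectCategory, sAMAccountName, objectSid

# Modify: optional attributes from the General and Organization tabs.
# -OfficePhone writes telephoneNumber; -Manager accepts a sAMAccountName, DN, SID or GUID.
Set-ADUser -Identity 'jmiller' -Title 'Business analyst' -Department 'Finance' `
    -OfficePhone '555-0100' -Manager 'adv.user1'

# Delete, with the same Yes/No confirmation ADUC asks for.
Remove-ADUser -Identity 'jmiller' -Confirm:$true
```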

Properties of an AD user object

To understand the AD user object and its various attributes better, you can explore the user object’s properties dialogue box. To open the user object properties dialogue box, follow the below given steps:

  • Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open.
  • Expand the console tree, and right-click on the user object you wish to modify.
  • From the menu that pops up, click Properties.
[Figure: User Object Properties dialog box]

The various attributes are categorized under different tabs based on their commonalities. Let’s take a look at some of the tabs.

General tab

The General tab of the user properties window allows you to configure basic details such as the name and contact details for a user. The values for the name fields are very important because they make up the value of the mandatory attribute cn: the combination of the values in the three name fields forms the value of cn.

Label                               LDAP name                     Example
First name                          givenName                     Isabella
Last name                           Surname                       Swan
Display name                        displayName                   Isabella.e.swan
Initials                            initials                      E
Description                         description                   Temporary
Office                              physicalDeliveryOfficeName    Symantec
Telephone number                    telephoneNumber               9159917893
Others (other telephone numbers)    otherTelephone                9994327893
E-mail                              mail                          Bella
Web page                            wWWHomePage                   Bellabingo.com
Others (other web pages)            url                           Bellaeswanblog.com

Address tab

The address tab of the user properties window allows you to configure a set of attributes that describe the user’s physical location for contact purposes.

Label              LDAP name        Example
Street             streetAddress    Park street
P.O. box           postOfficeBox    1234
City               l                Louisville
State/province     st               Kentucky
Zip/Postal code    postalCode       1240
Country/region     co               India
Country/region     c                United states

Organization tab

The Organization tab of the user properties window allows you to add organization-specific user details such as his company, department, designation, manager, direct reports, and so on.

Label             LDAP name        Example
Title             title            Business analyst
Department        department       departmentX
Company           company          companyY
Manager (name)    manager          AdvUser-1
Direct reports    directReports    Leena

Profile tab

The Profile tab of the user properties window allows you to configure the user profile, logon scripts, and home folder details for the user object. It is useful when a user must have the same environment and data regardless of the machine he logs in from. Let's take a look at some of its attributes.

User Profile: A user profile carries environment settings, documents, music, and other data that are specific to the user. The profile is stored in the server and can be accessed by the user from anywhere.

Logon scripts: Using these scripts, you can configure which tasks are executed when the user logs on. With these scripts, you can perform tasks such as mapping network drives, installing and setting a user's default printer, updating virus signatures, updating software, and more.

Home folder: Home folders are similar to profiles in that the data in them can be accessed from anywhere. The difference is that they do not carry the working environment or customizations; they are simply shares that can be accessed from anywhere. A home folder is usually used when there is not enough disk space available on the local machine.

Label                          LDAP name        Example
Profile path (user profile)    profilePath      \\sushma-root.com\roamingProfiles\roaminguser2
Logon script (user profile)    scriptPath       Eb.bat
Local path (home folder)       homeDirectory    sushma-temp\Homefolder\Roaminguser2
Connect (home folder)          homeDrive        Z:
To (home folder)               homeDirectory    \\sushma-temp\Homefolder\Roaminguser2

Sessions tab

The sessions tab of the user properties window allows you to configure the timeout and reconnection settings for a user.

End a disconnected session – Allows you to configure the duration after which a disconnected session should end.

Active session limit – Allows you to configure the duration after which an active session should end.

Idle session limit – Allows you to configure the duration after which an idle session should end.

Disconnect from session – if you choose this option the session will be disconnected once the session limit is reached.

End session – if you choose this option the session will be ended once the session limit is reached.

Allow reconnection – This section allows you to configure the reconnection settings for a user's session.

From any client – Choosing this option allows the user to reconnect to his session from any client.

From originating client only – Choosing this option allows the user to reconnect to his session only from the client the session was started on.

Note: Disconnecting from a session means dropping the connection with the server without logging off whereas ending a session means disconnecting and logging off.

The values related to this tab are stored in an LDAP attribute called userParameters.

Accounts tab

The Account tab of the user properties window allows you to configure account-specific details such as the name with which the user can log on, the machines in the network he can log on to, the account access duration in weekdays or hours, password configuration, account expiry dates, and more.

The name fields in the Account tab (User logon name and pre-Windows 2000 logon name) are very important because they make up the user's credentials. The account options also have to be configured carefully to ensure the security of the network resources and of the account itself.

Label                                LDAP name             Example
User logon name                      userPrincipalName     Bella
User logon name (pre-Windows 2000)   sAMAccountName        Bella
Logon hours                          logonHours            9 am to 5 pm, from Monday to Friday
Log on to                            logonWorkStation      All computers
Unlock account                       lockoutTime           unchecked (lockoutTime indicates when the account was locked)
Account options                      userAccountControl    User must change password at next logon
Account expires                      accountExpires        Never
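A way to review the Account tab settings of every enabled user at once, decoding the bit flags stored in userAccountControl and the FILETIME stored in accountExpires. This is an added example, not code from the original article; it assumes the ActiveDirectory module and read access to the domain. The flag values and the pwdLastSet = 0 convention are documented Active Directory behaviour, not taken from the article.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module
# and read access to the domain's user objects.
Import-Module ActiveDirectory

# Bit values of the userAccountControl flags behind the Account tab's check boxes.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0002    # "Account is disabled"
    PASSWD_NOTREQD             = 0x0020    # no password required (not exposed in ADUC)
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # "Store password using reversible encryption"
    DONT_EXPIRE_PASSWORD       = 0x10000   # "Password never expires"
    SMARTCARD_REQUIRED         = 0x40000   # "Smart card is required for interactive logon"
    NOT_DELEGATED              = 0x100000  # "Account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH           = 0x400000  # "Do not require Kerberos preauthentication"
}

function Get-AccountOptionReport {
    # Returns one row per enabled user with its decoded account options.
    Get-ADUser -Filter 'enabled -eq $true' -Properties userAccountControl, accountExpires, pwdLastSet |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            $set = foreach ($f in $uacFlags.GetEnumerator()) {
                if (($uac -band $f.Value) -ne 0) { $f.Key }
            }
            # accountExpires is a FILETIME; 0 and Int64.MaxValue both mean "Never".
            $expires = if ($_.accountExpires -eq 0 -or $_.accountExpires -eq [long]::MaxValue) {
                'Never'
            } else {
                [DateTime]::FromFileTimeUtc($_.accountExpires)
            }
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                AccountOptions     = ($set -join ', ')
                MustChangePassword = ($_.pwdLastSet -eq 0)   # "User must change password at next logon"
                AccountExpires     = $expires
            }
        }
}

# Rows whose options weaken the account; reviewing these is a routine hygiene check.
Get-AccountOptionReport |
    Where-Object { $_.AccountOptions -match 'PASSWD_NOTREQD|ENCRYPTED_TEXT|DONT_EXPIRE|DONT_REQ_PREAUTH' } |
    Format-Table -AutoSize
```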

Member Of tab

The names of the groups to which a user belongs can be seen in the Member Of tab of the user properties window (The user can also be added to new groups or removed from the ones he belongs to by using this tab).

The values (the group names) are stored in a multivalued LDAP attribute called memberOf.

Note: When required the primary group of a user can also be changed using this tab. The name of the primary group does not appear in the memberOf attribute. The SID of the primary group is displayed separately in an attribute called primaryGroupID.
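Because the primary group is absent from memberOf, a membership audit that reads only that attribute misses it. The function below, an added example and not code from the original article, builds the complete list by resolving primaryGroupID (a RID) against the domain SID; it assumes the ActiveDirectory module and an assumed account jmiller.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module;
# the account name jmiller is an assumption.
Import-Module ActiveDirectory

function Get-CompleteGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user      = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Direct memberships recorded in memberOf (distinguished names of the groups).
    $direct = foreach ($dn in $user.memberOf) { Get-ADGroup -Identity $dn }

    # The primary group's SID is the domain SID plus '-' plus primaryGroupID
    # (513, Domain Users, unless it has been changed on the Member Of tab).
    $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    [pscustomobject]@{
        User         = $user.SamAccountName
        PrimaryGroup = $primary.Name
        MemberOf     = @($direct | ForEach-Object Name)
    }
}

Get-CompleteGroupMembership -SamAccountName 'jmiller'
```

Get-ADPrincipalGroupMembership returns the same combined list in one call; the function above shows where each part comes from.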

Security tab

The Security tab of the user properties window allows you to configure access permissions on the user object. It allows you to grant or deny other groups and users permissions over the user object.

  • In the “group or user names” section you can choose the group or the user to whom you would like to deny or allow permission.
  • You can use the check boxes available in the “permissions” section to configure (allow or deny) the permissions the other users and groups will have over the user object.

Advanced button

Clicking the Advanced button opens another window with the following tabs:

  • Permissions – Using this tab, you can view the other permissions that were assigned to the user by inheritance and also which of the object’s permissions are inheritable. This tab also allows you to add permissions or edit existing permissions.
  • Auditing – Using this tab, you can view and configure the types of object accesses to be audited.
  • Owner – Using this tab, you can view and configure ownership rights over the user object.
  • Effective permissions – This tab displays a list of permissions. Each permission has a check box to its left indicating whether it is effective or not.
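The same information the Security tab and its Advanced window present can be read from PowerShell through the AD: drive that the ActiveDirectory module provides. This is an added example, not code from the original article; the account name jmiller is an assumption.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module
# is loaded (it creates the AD: drive); the account name jmiller is an assumption.
Import-Module ActiveDirectory

$dn  = (Get-ADUser -Identity 'jmiller').DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Owner, as shown on the Advanced > Owner tab.
$acl.Owner

# Access entries, as shown on the Advanced > Permissions tab. IsInherited tells
# explicit entries apart from those inherited from the container; ObjectType is
# the GUID of the property set or extended right an entry is scoped to.
$acl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited, ObjectType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# Entries that allow writing to the object or its security descriptor: these
# should belong only to the expected administrative groups.
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```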

Active Directory User Objects Best Practices

  • When you use Active Directory Users and Computers to view the property sheet for an object, the Security tab, which displays the Active Directory permissions assigned to that object, is usually not visible. Choose Advanced Features from the View menu to make this tab visible.
  • If you have resources such as shared folders or printers on computers that are not running Windows 2000, you must manually publish information about these resources in Active Directory if you want users to be able to locate and access them through Active Directory. You do this by adding the appropriate type of object for that resource to Active Directory and having it point to where the resource is located on the network.
  • When you create a new Active Directory object, you usually use a wizard to specify values for the important attributes of the object. You can specify other attributes after the object is created by opening the property sheet for that object.