Active Directory User properties – General tab

Introduction: 

An object is the fundamental component of Active Directory. A user object represents a user who is a member of an organization’s network; the user could be a company employee such as a manager, human resources representative, or IT administrator. In AD, a user object contains properties that hold personal, security and other information defining the user. A user object is a security principal, which means that it has a security identifier (SID) in addition to a globally unique identifier (GUID), that it can be authenticated by the system, and that it can be used to control access to network resources by assigning permissions and group memberships. A user object cannot contain any other Active Directory object, so it is classified as a leaf object.

Managing User Objects: 

User objects can be managed in the ADUC console by defining the properties. Right-click on the user object and select Properties from the context menu. A dialog box with a variety of tabs will appear, allowing you to set preferences and enter information about the user object. The tabs are as follows:

  • General: This tab offers a number of fields for configuring basic user information. The values for the name fields are critical since they comprise the value for the mandatory attribute ‘cn’. The fields are:
    • First name: the given name of the user
    • Initials: the middle initial(s) of the user
    • Last name: the user’s surname
    • Display name: the full name of the user
    • Description: a description of the user object
    • Office: the office in which the user works
    • Telephone number: the user’s telephone number
    • Email: the e-mail address of the user
    • Web page: the Web page belonging to the user

Note: There is an ‘Other’ button next to the Telephone and Web page fields. When you click this button, a dialog box will open that allows you to provide additional entries for Webpage and Telephone number.

  • Address: It allows you to configure attributes that describe the user’s physical location. This tab contains the following details:
    • Street: the full street address of the user
    • P.O. Box: the Post Office Box number
    • City: the city of the user
    • State/province: the state or province of the user
    • Zip/Postal Code: the zip code or postal code of the user
    • Country/region: the country of the user
  • Telephones: This tab includes contact information for different modes of verbal or digital communication, such as:
    • Home: the home telephone number of the user.
    • Pager: the pager number of the user.
    • Mobile: the cellular phone number of the user.
    • Fax: the fax number of the user.
    • Notes: any additional notes pertaining to the user.
    • IP phone: the IP phone number of the user.

Note: Except for Notes, each of these fields has an ‘Other’ button that allows you to enter and view extra entries for that field.

  • Organization: It helps in the configuration of information pertaining to the organization in which the user works, such as:
    • Title: the title of the user.
    • Department: the department in which the user works.
    • Company: the name of the company the user works for.
    • Manager: the user’s manager or supervisor within the company.

Note: Use the Change button to change the manager’s user object, Properties to view that object’s properties, and Clear to erase the entry pointing to the manager’s user object.

    • Direct reports: any other user accounts that have this user’s account specified as their manager.
  • Account: This tab is used to configure domain user account information. The account tab’s name fields are critical because they comprise the user credentials. Account settings are also vital to protect the network resources as well as the account. The fields include:
    • User logon name: the UPN (User Principal Name) that the user will use when logging on to the domain.
    • User logon name (pre-Windows 2000): the logon name that is used when logging on from pre-Windows 2000 computers.
    • Account is locked out: indicates that the account is locked out, which prevents the user from logging on.
    • User must change password at next logon: the user must change the password during the next logon.
    • User cannot change password: prevents the user from changing the password.
    • Password never expires: prevents the password from expiring after a specific time.
    • Store password using reversible encryption: stores the user’s password in a reversibly encrypted form, which some legacy authentication protocols require.
    • Account is disabled: prevents anyone from logging on with this account.
    • Smart card is required for interactive logon: requires the user to present a smart card for interactive logon.
    • Account is trusted for delegation: allows a service running as this account to act on behalf of the identities of users who authenticate to it.
    • Account is sensitive and cannot be delegated: marks the account as sensitive so that its credentials cannot be delegated by any service, even one that is trusted for delegation.
    • Use DES encryption types for this account: requires Data Encryption Standard (DES) encryption to be used with the account.
    • Do not require Kerberos pre-authentication: removes the need for Kerberos pre-authentication for the account.
    • Account expires: the expiration date of the account.

Note: The tab contains a ‘Logon Hours’ button, which allows you to determine when this user can log on or remain signed on to the network. There is also a ‘Log On To’ button, which allows you to decide which machines the user can use while logging on to the domain.

  • Profile: It helps in configuring the user profile, logon routines, and home folder settings of the user object. It is used to provide users with access to the same environment and data regardless of the system from which they log in. Let’s have a look at some of its fields:
    • Profile path: the path to the user’s profile.
    • Logon script: the path of the logon script, which contains the settings that will be applied every time the user logs on to the network.
    • Local path: the path to the home folder on the local system.
    • Connect: the drive letter to which the home folder path will be mapped.
    • To: the UNC (Universal Naming Convention) path to the home folder.
  • Remote Control: This tab helps in configuring Terminal Services remote control settings for the user, allowing others to take over a session. After taking over the session, the other user can perform actions and demonstrate how to carry out specific activities on the remote computer to the user. The following fields are available for configuring these settings:
    • Enable remote control: enable others to control or view a session belonging to the user.
    • Require user’s permission: enables the user to give permission to allow another user to control or view a session.
    • Level of control: the permission level granted to someone who interacts with the user’s session through remote control, such as View the user’s session and Interact with the session.
  • Terminal Services Profile: It’s similar to the Profile tab, however the settings on this tab are only for a user’s Terminal Services session. The fields are:
    • Profile Path: the path to the user’s profile that should be used with Terminal Services. If no path is specified, the setting from the Profile tab is used.
    • Local path: the local path to a location on the Terminal Services computer.
    • Connect: drive letter for a mapped drive that will be available within the session
    • To: UNC path to the network location of the home directory.
    • Allow logon to terminal server: enable users to establish a Terminal Services session.

Note: If no Profile path or Home folder path is specified, the settings from the Profile tab are used.

  • Environment: This tab allows you to configure the startup environment for Terminal Services, using the following fields:
    • Start the following program at logon: starts a program instead of a desktop when the user connects to Terminal Services; you enter the program’s path and executable name.
    • Connect client drives at logon: maps drive letters to local client drives so that the local drives can be accessed from the session.
    • Connect client printers at logon: makes printers configured on the client computer available in the Terminal Services session.
    • Default to main client printer: makes the default printer on the client computer the default printer in the Terminal Services session.
  • Sessions: This tab helps in configuring the timeout and reconnection settings of a user’s Terminal Services sessions. The fields are as follows:
    • End a disconnected session: lets you choose how long a disconnected session should remain on the server.
    • Active session limit: specifies how long a user’s session may remain active.
    • Idle session limit: controls how long a user can remain connected without any activity.
    • When a session limit is reached or connection is broken: sets what happens when a session limit is reached or the connection is broken.
    • Allow reconnection: controls how a user can reconnect to a disconnected session.

Note: Logging off and disconnecting are the two methods for ending a Terminal Services session. Logging off completely terminates the session on the server and frees up the resources it was using. In contrast, disconnecting simply interrupts communication between the client and the Terminal Services server while the session continues to use server resources.
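As an added example (not code from the original article), the following PowerShell script reads the Account-tab settings described above in bulk by decoding the userAccountControl attribute, where ADUC stores most of those checkboxes, and reports accounts whose flags weaken authentication. It assumes the RSAT ActiveDirectory module is available and that the placeholder OU distinguished name is replaced with a real one; the flag table and the list of risky flags are the script's own, not part of the article.

```powershell
# Added example, not from the original article: audit the Account-tab security
# flags of every user in an OU by decoding the userAccountControl attribute.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session with
# read access; the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

# userAccountControl bit values as documented for AD; each maps to a checkbox
# on the Account tab of the user Properties dialog. 'User cannot change
# password' is not a bit here: it is enforced through the object's DACL.
$UacFlags = @{
    ACCOUNTDISABLE             = 0x0000002   # 'Account is disabled'
    PASSWD_NOTREQD             = 0x0000020   # no password required; not in the dialog, audit it anyway
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0000080   # 'Store password using reversible encryption'
    DONT_EXPIRE_PASSWORD       = 0x0010000   # 'Password never expires'
    SMARTCARD_REQUIRED         = 0x0040000   # 'Smart card is required for interactive logon'
    TRUSTED_FOR_DELEGATION     = 0x0080000   # 'Account is trusted for delegation'
    NOT_DELEGATED              = 0x0100000   # 'Account is sensitive and cannot be delegated'
    USE_DES_KEY_ONLY           = 0x0200000   # 'Use DES encryption types for this account'
    DONT_REQ_PREAUTH           = 0x0400000   # 'Do not require Kerberos pre-authentication'
}

# Settings that weaken the account's protection and normally deserve a ticket.
$RiskyFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
              'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function Get-UacFlagNames {
    param([Parameter(Mandatory)][int]$Uac)
    # Return the names of all known flags set in the value, lowest bit first.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Uac -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

$searchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: replace with your OU
Get-ADUser -Filter * -SearchBase $searchBase -Properties userAccountControl |
    ForEach-Object {
        $set   = @(Get-UacFlagNames -Uac $_.userAccountControl)
        $risky = @($set | Where-Object { $RiskyFlags -contains $_ })
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            RiskyFlags     = ($risky -join ',')
            AllFlags       = ($set -join ',')
        }
    } |
    Where-Object { $_.RiskyFlags -ne '' } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Review the resulting list against the business reason for each setting; a service account that is trusted for delegation or exempt from pre-authentication should be documented, and any enabled account with reversible encryption or DES-only keys is a candidate for clean-up.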

  • Published Certificates: The tab shows a list of certificates that have been published for the user object, together with information such as who it was issued to, who issued it, the certificate’s intended purpose, and its expiration date. The certificates can be configured using the following:
    • Add from Store: to add additional certificates to the listing from the computer’s local certificate store
    • Add from File: to add a certificate from a file
    • Remove: to remove the certificate
    • Copy to File: to export the certificate that is selected in the list to a file.
  • Dial-in: It is helpful for configuring settings that are utilized when a user attempts to join the network remotely through dial-up or VPN. The settings are configured using the following:
    • Allow access: enables dial-in or VPN remote access
    • Deny access: prohibits dial-in or VPN remote access
    • Control access through a Remote Access Policy: specify that a remote access policy is used to control permission for remote access.
    • Verify Caller-ID: specify the telephone number that the user must be calling from in order to establish a successful connection.
    • No Callback: enables users to connect remotely and without the use of callback.
    • Set by Caller (Routing and Remote Access Service Only): specify a telephone number that the server will call back when a remote connection is authenticated.
    • Always Callback To: forces the server to call the user back at a preconfigured telephone number, reducing the risk of connections by unauthorized users.
    • Assign a Static IP Address: define a specific IP address to the user when the user connects remotely.
    • Apply Static Routes: places additional routes in the routing table upon connection.
    • Static Routes: define the additional routes that will be placed in the routing table upon connection.
  • Security: It helps to configure the permissions that other groups and users have on the user object, using the following:
    • Group or user names: lists the users and groups that have been added to the Discretionary Access Control List (DACL) for the account
    • Add: add users and groups to the DACL
    • Remove: Remove users and groups from the DACL
    • Permissions: allows or denies permissions for a selected user or group
    • Advanced: provides additional permissions to the selected user or group
  • Member Of: The tab helps in configuring the user’s membership in groups, using the following:
    • Add button: add the user to a group by selecting from a list of available groups.
    • Remove button: remove the user’s membership from the group.
    • Set Primary Group: change Primary Group

Note: Changing primary group applies to specific users who use Macintosh computers and users who are running POSIX-compliant applications.

  • COM+: It is capable of configuring the COM+ partition set to which the user belongs.

When creating a user in the ADUC console, you can only configure basic properties such as logon names, passwords, and first and last names. After creating the user object, you can define additional properties using the ADUC console to gain more control over it. From this article, you have learned how to manage user objects using properties in order to improve the security and performance of Active Directory.
