Active Directory User Management Guide

Overview

Active Directory (AD) is Microsoft's directory service for Windows domain networks. It stores information about network resources and makes this data available to users and administrators. This guide covers the fundamental tasks of managing user accounts in Active Directory, including creating, modifying, and troubleshooting user accounts with a focus on common password-related issues.

Prerequisites

• Domain administrator or delegated user management permissions
• Access to a Windows Server with Active Directory Domain Services
• Remote Server Administration Tools (RSAT) installed if managing remotely
• Understanding of your organization's OU (Organizational Unit) structure
• Knowledge of company naming conventions and password policies

Accessing Active Directory Users and Computers

The Active Directory Users and Computers (ADUC) console is the primary graphical tool for managing user accounts.

1. On a Domain Controller: Click Start → Windows Administrative Tools → Active Directory Users and Computers
2. On a Workstation with RSAT: Click Start → Search for "Active Directory Users and Computers" or run dsa.msc from the Run dialog (Win + R)
3. Verify Connection: Ensure you see your domain name in the left pane and can expand the tree structure

Understanding Organizational Units (OUs)

Before creating users, familiarize yourself with your domain's OU structure:

• OUs are containers that organize users, computers, and groups hierarchically
• They typically mirror your organizational structure (departments, locations, roles)
• Group Policies are often applied at the OU level
• Common OU structures include: Users → Department → Role or Location → Department → Users

Navigate through your domain tree to find the appropriate OU where the new user should be created. If unsure, consult your company's AD documentation or ask a senior administrator.

Creating a New User Account

Follow these steps to create a new user account in Active Directory:

1. In Active Directory Users and Computers, navigate to the appropriate OU
2. Right-click the OU → Select New → User
3. In the "New Object - User" dialog, fill in the following fields:
   • First name: User's first name (e.g., "John")
   • Initials: Middle initial (optional)
   • Last name: User's last name (e.g., "Smith")
   • Full name: Auto-populates, verify it's correct
   • User logon name: Username for logging in (e.g., "jsmith" or "john.smith")
4. Click Next
5. Set the initial password:
   • Password: Enter a temporary password that meets your domain's complexity requirements
   • Confirm password: Re-enter the password
   • User must change password at next logon: Check this box (recommended for security)
   • User cannot change password: Usually unchecked unless it's a service account
   • Password never expires: Only check for service accounts, never for regular users
   • Account is disabled: Check only if you're creating the account in advance
6. Click Next
7. Review the summary information
8. Click Finish

Configuring Additional User Properties

After creating the user, configure additional properties by right-clicking the user and selecting Properties:

General Tab

• Description: Job title or role
• Office: Physical location
• Telephone number: Direct line
• Email: Corporate email address

Account Tab

• User logon name: Verify correct username
• Logon hours: Restrict when user can log in (if needed)
• Log On To: Restrict which computers user can access (if needed)
• Account options: Additional security settings
• Account expires: Set expiration date for temporary employees

Profile Tab

• Profile path: Location of roaming profile (if applicable)
• Logon script: Batch file to run at login (if applicable)
• Home folder: User's network home directory

Member Of Tab

• Add user to security groups based on their role
• Groups control access to resources and applications
• Click Add to search and add groups

Modifying Existing User Accounts

To modify an existing user account:

1. Locate the user in Active Directory Users and Computers
2. Right-click the user → Select Properties
3. Navigate to the appropriate tab and make your changes
4. Click Apply then OK

Common Modifications

• Name Change: General tab → Update first/last name
• Email Change: General tab → Update email field
• Department Change: Organization tab → Update department
• Manager Change: Organization tab → Select new manager
• Group Membership: Member Of tab → Add or remove groups

Password Management

Password management is one of the most common administrative tasks you'll perform in Active Directory.

Resetting a User's Password

1. Locate the user account in ADUC
2. Right-click the user → Select Reset Password
3. Enter the new temporary password (must meet complexity requirements)
4. Confirm the password
5. Check "User must change password at next logon" (highly recommended)
6. Optionally check "Unlock the user's account" if the account is locked
7. Click OK
8. Securely communicate the new password to the user

Forcing a Password Change

To require a user to change their password at next logon:

1. Right-click the user → Properties
2. Go to the Account tab
3. Check "User must change password at next logon"
4. Click Apply then OK

Unlocking a Locked Account

1. Right-click the user → Properties
2. Go to the Account tab
3. Check the box "Unlock account"
4. Click Apply then OK

Password Troubleshooting

This section covers common password-related issues and their solutions—a frequent topic in technical interviews and daily support work.

Scenario 1: User Forgot Their Password

Symptoms: User cannot log in, states they forgot password

Solution:

1. Verify the user's identity (following your company's security policy)
2. Reset the password using the steps in Step 6
3. Ensure "User must change password at next logon" is checked
4. Provide the temporary password securely
5. Have the user test logging in and changing the password

Scenario 2: Account is Locked Out

Symptoms: User receives "Account is locked out" or similar error message

Solution:

1. Verify the account is indeed locked:
   • Open user properties → Account tab
   • Look for "Unlock account" checkbox (if grayed out with no checkmark, account isn't locked)
2. Investigate the cause of lockout:
   • Multiple failed login attempts
   • Old saved credentials on another device
   • Mobile device with cached old password
   • Mapped drives using old credentials
   • Scheduled tasks running with old credentials
3. Unlock the account (Account tab → Check "Unlock account")
4. Ask user to clear cached credentials on all devices
5. If lockouts persist, review Event Logs to find the source

Scenario 3: Password Expired

Symptoms: User receives "Your password has expired" message

Solution:

1. Verify password expiration in user properties → Account tab
2. If expired, reset password or have user change it:
   • At domain computer: User can press Ctrl+Alt+Del → Change Password
   • Remotely: Admin resets via ADUC
3. For service accounts, consider setting "Password never expires"

Scenario 4: "Your Password is Incorrect" Errors

Symptoms: User is certain they're using correct password but receives incorrect password error

Troubleshooting Steps:

1. Verify Caps Lock is off: Most common cause of this issue
2. Check username: Ensure user is entering correct username format (DOMAIN\username or username@domain.com)
3. Test on different computer: Isolates if issue is machine-specific
4. Check account status: Verify account is not disabled or locked
5. Verify password requirements: Ensure password meets complexity requirements if recently changed
6. Check replication: Password changes may not have replicated to all domain controllers yet (wait 15 minutes)
7. Review Group Policy: Check if any policies are affecting authentication
8. Last resort: Reset the password and have user set a new one

Scenario 5: Cannot Reset Password (Insufficient Permissions)

Symptoms: Admin receives error when attempting to reset password

Solution:

1. Verify you have necessary permissions to reset passwords in that OU
2. Cannot reset passwords for users in higher-privileged groups (e.g., Domain Admins)
3. Contact a higher-level administrator or domain admin
4. Check if the user object has "Deny" permissions that override your rights

Disabling and Enabling User Accounts

When employees leave or take extended leave, disable (don't delete) their accounts:

Disabling an Account

1. Right-click the user account
2. Select Disable Account
3. Confirm the action
4. A red "X" icon will appear on the user object

Enabling an Account

1. Right-click the disabled user account
2. Select Enable Account
3. The red "X" icon will disappear
4. You may need to reset the password if it has expired

Deleting User Accounts

Deleting accounts should be done carefully as it's usually not reversible from the Recycle Bin unless AD Recycle Bin is enabled.

Before Deleting

• Verify the account has been disabled for the required period
• Ensure all data has been backed up or transferred
• Document the deletion in your ticketing system
• Get approval if required by company policy

Deletion Process

1. Right-click the user account
2. Select Delete
3. Confirm the deletion warning
4. The account is moved to the Deleted Objects container

Best Practices and Security Considerations

Account Creation Best Practices

• Follow consistent naming conventions across the organization
• Always use "User must change password at next logon" for new accounts
• Never set "Password never expires" for regular user accounts
• Document account creation in your ticketing system
• Create accounts in the appropriate OU for proper Group Policy application
• Assign only the minimum necessary groups and permissions

Password Security

• Never share passwords via email, chat, or text message
• Use complex temporary passwords that meet domain requirements
• Communicate passwords through secure, approved channels only
• Regularly audit accounts with "Password never expires" enabled
• Implement Multi-Factor Authentication (MFA) where possible

Account Lifecycle Management

• Disable accounts immediately when employees leave
• Set account expiration dates for contractors and temporary staff
• Regularly audit disabled accounts for potential deletion
• Review and remove unnecessary group memberships during offboarding
• Maintain documentation of all account changes

Troubleshooting Tips

• Always verify identity before resetting passwords
• Check Event Logs for detailed information about lockouts and failures
• Consider replication delays when password changes don't seem to work
• Use "Find" (binoculars icon) to quickly locate users in large directories
• Enable "Advanced Features" (View menu) to access additional properties

Quick Reference: Common Tasks

Create User

Right-click OU → New → User → Fill in details → Set temporary password → Check "User must change password at next logon" → Finish

Reset Password

Right-click user → Reset Password → Enter new password → Check "User must change password at next logon" → OK

Unlock Account

Right-click user → Properties → Account tab → Check "Unlock account" → Apply → OK

Disable Account

Right-click user → Disable Account → Confirm

Add to Group

Right-click user → Properties → Member Of tab → Add → Search for group → OK → Apply