Item Details

User UPN logon

The text box on the left provides a space for you to type the account name for this user. This is the name that the user will use to log on to an Active Directory domain.

The drop-down list on the right lists the available user principal name (UPN) suffixes that may be used to create the user logon name. The list contains the full Domain Name System (DNS) name of the current domain, the full DNS name of the root domain of the current forest, and any alternative UPN suffixes that are created with Active Directory Domains and Trusts.

User SamAccountName logon

The read-only text box on the left displays the domain name that is used by computers that are running pre–Windows 2000 operating systems.

The text box on the right provides a space for you to type the user's pre–Windows 2000 logon name.

Protect from accidental deletion check box

Select this option to update the security descriptor of the object—and, potentially, its parent—to deny all administrators or users of this domain and domain controller the ability to delete this object.


This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, we recommend that you enable this setting for all the protected object’s containers, up to the domain naming context head.

Log on Hours

Click to change the hours during which this selected object can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account.

Log On To

Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account.

Account expires

Sets the account expiration policy for this user. You can select between the following options:

  • Use Never to specify that the selected account will never expire. This option is the default for new users.

  • Select End of, and then select a date if you want to have the user's account expire on a specified date.

Password options

The following are the password options for an Active Directory user account:

  • User must change password at next logon—Forces a user to change his or her password the next time that the user logs on to the network. Enable this option when you want to ensure that the user will be the only person that knows the password.

  • Smart card is required for interactive log on—Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart-card reader attached to the computer and a valid personal identification number (PIN) for the smart card.

  • Password never expires—Prevents a user’s password from expiring. We recommend that service accounts have this option enabled and that they use strong passwords.

  • User cannot change password—Prevents a user from changing his or her password. Enable this option when you want to maintain control over a user account, such as a Guest account or a temporary account.

Encryption options

The following are the encryption options for an Active Directory user account:

  • Store password using reversible encryption—Allows a user to log on to a Windows network from Apple computers. If the user is not logging on from an Apple computer, do not enable this option.

  • Use Kerberos DES encryption types for this account—Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPsec) DES (40-bit), IPsec 56-bit DES, and IPsec Triple DES (3DES).

  • This account supports Kerberos AES 128 bit encryption

  • This account supports Kerberos AES 256 bit encryption


The Kerberos Advanced Encryption Standard (AES) encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. AES is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). For more information about Kerberos authentication, see Kerberos Explained.

Other options

The following are additional options for an Active Directory user account:

  • Account is sensitive and cannot be delegated—You can use this option if the account, for example a Guest or temporary account, cannot be assigned for delegation by another account. For more information, see Enabling Delegated Authentication.

  • Do not require Kerberos preauthentication—Provides support for alternative implementations of the Kerberos protocol. However, use caution when you enable this option, because Kerberos preauthentication provides additional security and requires time synchronization between the client and the server. For more information, see Kerberos Explained.
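
Most of the check boxes under Password options, Encryption options and Other options are stored as bits in the account's userAccountControl attribute, with the AES choices kept in msDS-SupportedEncryptionTypes. The following Python is an added example, not part of the original page: it decodes exported attribute values and lists the settings worth reviewing, and the sample accounts and the REVIEW set are assumptions constructed for illustration.

```python
# Added example. Bit values are the documented userAccountControl and
# msDS-SupportedEncryptionTypes flags; the accounts below are constructed.
UAC_FLAGS = {
    0x000080: "Store password using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive log on",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use Kerberos DES encryption types for this account",
    0x400000: "Do not require Kerberos preauthentication",
}
ENC_TYPES = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
             0x08: "AES128", 0x10: "AES256"}
# Assumption for this example: the options an auditor wants listed for review.
REVIEW = {0x000080, 0x010000, 0x200000, 0x400000}

def decode(value, table):
    """Names of every bit in `table` that is set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def audit(account):
    """Findings for one exported account record (dict of attribute values)."""
    uac = int(account["userAccountControl"])
    enc = int(account.get("msDS-SupportedEncryptionTypes") or 0)
    findings = [n for b, n in sorted(UAC_FLAGS.items()) if b in REVIEW and uac & b]
    if enc & 0x03:
        findings.append("DES enabled in msDS-SupportedEncryptionTypes")
    if enc and not enc & 0x18:
        findings.append("No AES encryption type enabled")
    return findings

def report(accounts):
    """Map sAMAccountName -> findings, skipping accounts with none."""
    result = {a["sAMAccountName"]: audit(a) for a in accounts}
    return {name: f for name, f in result.items() if f}

NORMAL = 0x200  # NORMAL_ACCOUNT
SAMPLE = [  # constructed records, shaped like an LDAP export
    {"sAMAccountName": "alice", "userAccountControl": NORMAL,
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL | 0x010000},
    {"sAMAccountName": "legacy-app", "msDS-SupportedEncryptionTypes": 0x03,
     "userAccountControl": NORMAL | 0x000080 | 0x200000 | 0x400000},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

An account listed only for "Password never expires" may be a legitimate service account, so treat that finding as a prompt to confirm the account's purpose and password strength.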
