| Item | Details |
|---|---|
| User UPN logon | The text box on the left provides a space for you to type the account name for this user. This is the name that the user will use to log on to an Active Directory domain.<br><br>The drop-down list on the right lists the available user principal name (UPN) suffixes that may be used to create the user logon name. The list contains the full Domain Name System (DNS) name of the current domain, the full DNS name of the root domain of the current forest, and any alternative UPN suffixes that are created with Active Directory Domains and Trusts. |
| User SamAccountName logon | The read-only text box on the left displays the domain name that is used by computers that are running pre-Windows 2000 operating systems.<br><br>The text box on the right provides a space for you to type the user's pre-Windows 2000 logon name. |
| Protect from accidental deletion check box | Select this option to update the security descriptor of the object (and, potentially, its parent) to deny all administrators or users of this domain and domain controller the ability to delete this object.<br><br>**Note:** This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, we recommend that you enable this setting for all the protected object's containers, up to the domain naming context head. |
| Log on Hours | Click to change the hours during which this selected object can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account. |
| Log On To | Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user's ability to log on locally to a computer by using a local computer account instead of a domain account. |
| Account expires | Sets the account expiration policy for this user. You can select between the following options:<br>- Use **Never** to specify that the selected account will never expire. This option is the default for new users.<br>- Select **End of**, and then select a date if you want to have the user's account expire on a specified date. |
| Password options | The following are the password options for an Active Directory user account:<br>- **User must change password at next logon**: Forces a user to change his or her password the next time that the user logs on to the network. Enable this option when you want to ensure that the user will be the only person that knows the password.<br>- **Smart card is required for interactive log on**: Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart-card reader attached to the computer and a valid personal identification number (PIN) for the smart card.<br>- **Password never expires**: Prevents a user's password from expiring. We recommend that service accounts have this option enabled and that they use strong passwords.<br>- **User cannot change password**: Prevents a user from changing his or her password. Enable this option when you want to maintain control over a user account, such as a Guest account or a temporary account. |
| Encryption options | The following are the encryption options for an Active Directory user account:<br>- **Store password using reversible encryption**: Allows a user to log on to a Windows network from Apple computers. If the user is not logging on from an Apple computer, do not enable this option.<br>- **Use Kerberos DES encryption types for this account**: Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPsec) DES (40-bit), IPsec 56-bit DES, and IPsec Triple DES (3DES).<br>- **This account supports Kerberos AES 128 bit encryption**<br>- **This account supports Kerberos AES 256 bit encryption**<br><br>**Note:** The Kerberos Advanced Encryption Standard (AES) encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. AES is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). For more information about Kerberos authentication, see Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=85494). |
| Other options | The following are additional options for an Active Directory user account:<br>- **Account is sensitive and cannot be delegated**: Use this option when the account (for example, a Guest or temporary account) must not be assigned for delegation by another account. For more information, see Enabling Delegated Authentication (http://go.microsoft.com/fwlink/?LinkId=143007).<br>- **Do not require Kerberos preauthentication**: Provides support for alternative implementations of the Kerberos protocol. However, use caution when you enable this option, because Kerberos preauthentication provides additional security and requires time synchronization between the client and the server. For more information, see Kerberos Explained (http://go.microsoft.com/fwlink/?LinkID=120374). |
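The note on the Protect from accidental deletion check box recommends enabling the flag on every container up to the domain naming context head. The following PowerShell, added here and not part of the original page, walks a user's parent chain with the ActiveDirectory module and reports which containers still lack the flag; the distinguished name in $UserDn is a placeholder.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module (RSAT). Walks from a user object up through its parent containers and
# reports the ProtectedFromAccidentalDeletion state of each one, stopping at
# the domain naming context head (the DN that consists only of DC= components).
Import-Module ActiveDirectory

function Get-ContainerProtectionChain {
    param([Parameter(Mandatory)][string]$UserDn)

    $chain   = @()
    $current = $UserDn
    while ($true) {
        # Parent DN = everything after the first comma that is not escaped with "\".
        $parts = $current -split '(?<!\\),', 2
        if ($parts.Count -lt 2) { break }
        $parent = $parts[1]
        # Only DC= components left: this is the domain head, which cannot carry the flag.
        if ($parent -match '^DC=') { break }

        $obj = Get-ADObject -Identity $parent -Properties ProtectedFromAccidentalDeletion
        $chain += [pscustomobject]@{
            Container = $obj.DistinguishedName
            Class     = $obj.ObjectClass
            Protected = [bool]$obj.ProtectedFromAccidentalDeletion
        }
        $current = $parent
    }
    return $chain
}

# Placeholder DN; replace with the distinguishedName of a real user.
$UserDn = 'CN=Example User,OU=Staff,OU=Corp,DC=contoso,DC=com'
$chain  = Get-ContainerProtectionChain -UserDn $UserDn
$chain | Format-Table -AutoSize

# Each unprotected container is a point where the whole subtree, including the
# protected user, could still be deleted by a single mistaken operation.
$chain | Where-Object { -not $_.Protected } | ForEach-Object {
    Write-Warning "Not protected from accidental deletion: $($_.Container)"
}
```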
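As an added example (not from the original page), the following PowerShell uses Get-ADUser from the ActiveDirectory module to report enabled accounts whose password, encryption or other options described above are set to the weaker values (reversible encryption, DES-only keys, no AES types, no Kerberos preauthentication, password never expires, or not protected from accidental deletion); the search base is a placeholder.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module (RSAT). Lists enabled user accounts whose account options deviate from
# the safer settings described in the table above.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{ 'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }

function Get-EncTypeNames {
    param($Value)
    if (-not $Value) { return 'not set (domain defaults apply)' }
    $names = foreach ($k in $EncTypes.Keys) { if ($Value -band $EncTypes[$k]) { $k } }
    return ($names -join ',')
}

$props = 'AllowReversiblePasswordEncryption', 'DoesNotRequirePreAuth', 'UseDESKeyOnly',
         'PasswordNeverExpires', 'AccountNotDelegated', 'SmartcardLogonRequired',
         'ProtectedFromAccidentalDeletion', 'msDS-SupportedEncryptionTypes'

function Get-AccountOptionFindings {
    param([string]$SearchBase = 'DC=contoso,DC=com')   # placeholder search base

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
    ForEach-Object {
        $enc      = $_.'msDS-SupportedEncryptionTypes'
        $findings = @()
        if ($_.AllowReversiblePasswordEncryption)    { $findings += 'password stored with reversible encryption' }
        if ($_.UseDESKeyOnly)                        { $findings += 'Kerberos DES keys only' }
        if ($enc -and -not ($enc -band 0x18))        { $findings += 'no AES 128/256 Kerberos types' }
        if ($_.DoesNotRequirePreAuth)                { $findings += 'Kerberos preauthentication not required' }
        if ($_.PasswordNeverExpires)                 { $findings += 'password never expires' }
        if (-not $_.ProtectedFromAccidentalDeletion) { $findings += 'not protected from accidental deletion' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $_.UserPrincipalName
                EncTypes       = Get-EncTypeNames $enc
                NotDelegated   = [bool]$_.AccountNotDelegated
                SmartcardOnly  = [bool]$_.SmartcardLogonRequired
                Findings       = $findings -join '; '
            }
        }
    }
}

Get-AccountOptionFindings | Sort-Object SamAccountName | Format-Table -AutoSize
```

The report is read-only; review each finding against the account's purpose (for example, a service account with a strong password may legitimately have a non-expiring password) before changing any setting.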