Overview#

The MMC Account Tab is used to manage accounts in Microsoft Active Directory.

Account Tab

userPrincipalName (User logon name:)#

When using the MMC, in the "New Object – user" dialog you are also required to specify a "User logon name", which, in combination with the DNS domain name, becomes the "userPrincipalName".

The userPrincipalName typically appears as jim@mad.willeke.com. It is made up of the MMC "User logon name:" value and the adjacent drop-down, which in the MMC only offers "@" followed by the domain name (mad.willeke.com).

However, this format is neither enforced nor required. Nothing in Microsoft Active Directory other than the MMC interface enforces the userPrincipalName.

The userPrincipalName is one of the "logon" attributes permitted by Microsoft Active Directory.

Often, this value is populated with the user email address.

The "userPrincipalName" is an alternative name for the user to log on with. This attribute is not always assigned a value in Active Directory.

SamAccountName (User login name (pre-Windows 2000)):#

When you key in "User logon name", the field "pre-Windows 2000 logon name" is filled in for you with the first 20 characters of "User logon name". This becomes the "SamAccountName" attribute.

Domain NetBios Name#

The Domain NetBios Name is not stored on the user but is shown as read-only in the MMC Account Tab.

This implies the user can log on as MAD\jim.

"User must change password"#

The Microsoft Active Directory LDAP attribute pwdLastSet determines whether the user is prompted to change their password on the next login.

"User cannot change password"#

Sets the PASSWD_CANT_CHANGE bit of the user-Account-Control Attribute.

"Password never expires"#

Checking this box sets the DONT_EXPIRE_PASSWORD bit of the user-Account-Control Attribute to indicate the password never expires.

Account Expires#

When "Never" is checked, the Microsoft Active Directory LDAP attribute accountExpires is set to 0, which implies the account never expires. We have also seen this value in transactions in DirXML as "9223372036854775807".

"Store password using reversible encryption"#

Sets the USE_DES_KEY_ONLY bit of the user-Account-Control Attribute.

"End of:"#

When a date is selected, the value is set on the Microsoft Active Directory LDAP attribute accountExpires.
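
Decoding these values when auditing accounts over LDAP, as an added example that is not part of the original page. It assumes entries arrive as dicts of attribute strings; the function names and sample entries are constructed, and it relies on pwdLastSet being 0 when a password change is forced and on DONT_EXPIRE_PASSWORD being bit 0x10000.

```python
from datetime import datetime, timedelta, timezone

# accountExpires values that mean "Never": 0 and the 2^63-1 value noted above.
NEVER_EXPIRES = {0, 9223372036854775807}
# userAccountControl bit behind the "Password never expires" checkbox.
DONT_EXPIRE_PASSWORD = 0x10000
# accountExpires and pwdLastSet count 100-nanosecond intervals from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert 100-ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def account_tab_state(entry, now=None):
    """Summarise the Account Tab settings encoded in one LDAP entry (a dict)."""
    now = now or datetime.now(timezone.utc)
    expires_raw = int(entry.get("accountExpires", 0))
    # Treat both sentinels as "Never"; converting 2^63-1 would overflow datetime.
    expires_at = None if expires_raw in NEVER_EXPIRES else filetime_to_datetime(expires_raw)
    uac = int(entry.get("userAccountControl", 0))
    return {
        "account_expires": expires_at,
        "account_expired": expires_at is not None and expires_at <= now,
        "must_change_password": int(entry.get("pwdLastSet", 0)) == 0,
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
    }


# Constructed sample entries (not taken from a real directory).
SAMPLE_ENTRIES = {
    "jim": {"accountExpires": "0", "pwdLastSet": "0", "userAccountControl": "512"},
    "svc": {"accountExpires": "9223372036854775807",
            "pwdLastSet": "133000000000000000", "userAccountControl": "66048"},
    "temp": {"accountExpires": "135379296000000000",  # 2030-01-01 00:00 UTC
             "pwdLastSet": "133000000000000000", "userAccountControl": "512"},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, account_tab_state(entry))
```
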

This page (revision-26) was last changed on 24-Aug-2014 19:49 by jim