!!! Overview
The [{$pagename}] is used to manage accounts in [Microsoft Active Directory].

[{Image src='MMC Account Tab/MAD-user-Account-LDAP.jpg' caption='Account Tab' style='font-size: 120%; color: blue;'}]

!! [userPrincipalName] (User logon name:)
When using the [MMC], the "New Object – user" dialog also requires you to specify a "User logon name", which, in combination with the DNS domain name, becomes the "[userPrincipalName]".

The [userPrincipalName] typically appears as jim@mad.willeke.com, which is made up of the [MMC] interface value "User logon name:" and a drop-down in which the [MMC] only allows the "@" and the domain name (mad.willeke.com). However, this is neither enforced nor required. The [userPrincipalName] has no enforcement within [Microsoft Active Directory] other than the [MMC] interface.

The [userPrincipalName] is one of the "logon" attributes permitted by [Microsoft Active Directory]. Often, this value is populated with the user's email address.

The "[userPrincipalName]" is an alternative name for the user to log on with. This attribute is not always assigned a value in Active Directory.

!! [SamAccountName] (User login name (pre-Windows 2000)):
When you key in "User logon name", the field "pre-Windows 2000 logon name" is filled in for you with the first 20 characters of "User logon name". This becomes the "[SamAccountName]" attribute.

[{Image src='MMC Account Tab/MAD-user-Account-LDAP-annotated.jpg' caption='Account Tab' style='font-size: 120%; color: blue;'}]

!! Domain NetBios Name
The Domain NetBios Name is not stored on the user but is shown as read-only in the [MMC Account Tab]. This implies the user can log on as MAD\jim.

!! "User must change password"
The [Microsoft Active Directory] LDAP attribute [pwdLastSet|pwd-Last-Set attribute] determines whether the user is prompted to change their password on the next login.

!! "User cannot change password"
Sets the [PASSWD_CANT_CHANGE] bit of the [user-Account-Control Attribute].

!! "Password never expires"
Checking this value actually sets the [user-Account-Control Attribute] bit value [DONT_EXPIRE_PASSWORD] to indicate the password never expires.

!! [Account Expires]
When "Never" is checked, the [Microsoft Active Directory] LDAP attribute [accountExpires] is set to 0, which implies the account never expires. We have also seen this value in transactions in [DirXML] as "[9223372036854775807|9,223,372,036,854,775,807]".

!! "Store password using reversible encryption"
Sets the [USE_DES_KEY_ONLY] bit of the [user-Account-Control Attribute].

! "End of:"
When selecting a date, the value is set on the [Microsoft Active Directory] LDAP attribute [accountExpires].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
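
The attribute mappings described on this page can be read back from an LDAP entry to see what the Account tab would display. The Python below is an added example, not part of the original page: decode_account_tab, filetime_to_utc and the sample entries are hypothetical and constructed for illustration. The bit values and the reading of accountExpires as 100-nanosecond intervals since 1601-01-01 UTC are taken from Microsoft's documentation, not from this page.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits named on the page; values per Microsoft's documentation.
UAC_FLAGS = {
    "PASSWD_CANT_CHANGE": 0x0040,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "USE_DES_KEY_ONLY": 0x200000,
}
NORMAL_ACCOUNT = 0x0200  # ordinary user account, used in the samples below
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "Never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(value):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def decode_account_tab(entry):
    """Map raw LDAP attribute strings to the state shown on the Account tab."""
    uac = int(entry.get("userAccountControl", "0"))
    expires = int(entry.get("accountExpires", "0"))
    return {
        "upn": entry.get("userPrincipalName"),  # not always assigned a value
        "sam": entry["sAMAccountName"],
        "must_change_password": entry.get("pwdLastSet") == "0",
        "uac_flags": sorted(n for n, bit in UAC_FLAGS.items() if uac & bit),
        "account_expires": None if expires in NEVER else filetime_to_utc(expires),
    }


# Constructed sample entries (not taken from a real directory).
SAMPLES = [
    {"sAMAccountName": "jim", "userPrincipalName": "jim@mad.willeke.com",
     "userAccountControl": str(NORMAL_ACCOUNT), "pwdLastSet": "0",
     "accountExpires": "9223372036854775807"},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": str(NORMAL_ACCOUNT | 0x0040 | 0x10000),
     "pwdLastSet": "133000000000000000",
     "accountExpires": "133485408000000000"},  # 2024-01-01 00:00:00 UTC
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_account_tab(sample))
```

Running the same decoder over every user entry returned by an LDAP search gives a quick inventory of accounts whose passwords never expire or that have no expiry date set.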