4.1 Managing User Accounts

Microsoft Windows uses the user account type to determine where an account can be granted access permissions. A user account can be global or local. DRA also supports InetOrgPerson objects, but manages them as normal user accounts.

Global user account

A user account that can be used in any domain that trusts the domain in which the user account was created. You can grant specific permissions to a user account. You can also make a user account a member of a group and then assign permissions to that group. Grouping user accounts helps simplify the process of managing network permissions for many user accounts.

Local user account

A local user account exists only in the security database of a single computer, such as the account you use to log on to a standalone Windows system. It grants access to that computer's resources only and cannot be granted permissions in a domain.

To learn more about managing user accounts, see the following topics:

4.1.1 User Accounts in Trusted Domains

Active Directory stores user account and group definitions in the directory of the domain in which they were created. Therefore, an Administration server cannot modify objects that belong to a trusted domain unless DRA also manages that domain.

For example, in Account and Resource Management, you may see user accounts and groups that you cannot modify. These user accounts and groups are defined in domains trusted by one of the managed domains. However, you can add accounts and groups from a trusted domain to other groups in the managed domain.

4.1.2 User Account Management Tasks

This section guides you through administering user accounts in the Account and Resource Management node of the Delegation and Configuration Console and in the Web Console. With the appropriate powers, you can perform various user account management tasks, such as creating and deleting accounts. If you select multiple user accounts, you can perform selected tasks in one operation, such as deleting, moving, or adding users to a group. For more information about your assigned powers, see Viewing Your Assigned Powers and Roles.

User Account Tasks in Account and Resource Management

You can execute all applicable tasks below from the Tasks menu or from the right-click menu. Generally, you select the All My Managed Objects node and execute a Find Now operation to locate and select the desired user object. In the case of creating a new user, you must select the domain or OU where you want to create the user. The Tasks menu indicates which tasks you can perform when you select single or multiple user accounts.

Manage your own account

You can manage your own account by modifying general properties, such as your telephone number. Before you manage your account, ensure you have the appropriate power.

Copy a user account to another ActiveView

You can copy a user account to another ActiveView. This action is called transferring a user account. To copy a user account to another ActiveView, you need the Copy User to Another ActiveView power in both the source and target ActiveViews. Transferring a user account to another ActiveView does not remove the user account from the source ActiveView.

NOTE: Copying a user account to another ActiveView can only be done from the Delegation and Configuration Console via the Account and Resource Management node.

Rename a user account

You can rename user accounts in the managed domain or managed subtree. Changing the user logon name also changes the name of the mailbox associated with the user account.

User Account Tasks in the Web Console

You can execute most of the tasks below from the Management > Search tab in the Web Console. Execute a search operation to locate and select the required user object. After you select one or more objects in the list, the taskbar becomes active with options such as create, account, and exchange. Click the options to display their functions.

Create a user account

You can create user accounts in the managed domain or managed subtree. You can also modify properties, create a mailbox, enable email, and specify group memberships for the new account.

NOTE:

  • Your company may have a naming convention enforced through policy that determines the name you can assign to the new user account.

  • By default, DRA places the new user account in the Users OU of the managed domain.

  • You cannot create InetOrgPerson objects in DRA.

Clone a user account

When you clone a user account, every group of which the source user is a member is automatically added to the new user account, saving you time in configuring the new account. You can add or remove groups from the new account, enable email, and make any other property configurations as you would with any new account.

NOTE: When you clone an InetOrgPerson object, you create a user account.

Modify user account properties

You can manage the properties of user accounts in the managed domain or managed subtree. The powers you have determine which properties you can modify for a user account. If you installed Exchange and enabled Microsoft Exchange support, you can modify the associated mailbox properties while managing user accounts.

NOTE: If home directory policies are enabled, DRA automatically modifies the home directory of a user account when you manage that account. For example, when you change the home directory location, DRA attempts to create the specified home directory and move the contents of the previous home directory to the new location. DRA also applies the assigned ACLs from the previous directory to the new directory.

Exporting results: DRA enables you to export the Member Of results as a CSV file. To export the Member Of results from the Web Console, go to Management > Search and click Properties. Navigate to the Member Of tab and click the Download icon.

NOTE: Unsaved changes are not exported. Save any recent changes before exporting so that they appear in the exported file.

Enable a user account

You can enable a user account in the managed domain or managed subtree. If you are managing a Microsoft Windows account, you can specify the domain controller at which DRA applies this change.

When you apply this change to a specific domain controller, DRA also applies this change to the default domain controller for this managed domain. To verify which default domain controller DRA is using, view the domain properties.

Disable a user account

You can disable a user account in the managed domain. If you are managing a Microsoft Windows account, you can specify the domain controller at which DRA applies this change.

When you apply this change to a specific domain controller, DRA also applies this change to the default domain controller for this managed domain. To verify which default domain controller DRA is using, view the domain properties.

Unlock a user account

You can unlock a user account in the managed domain or managed subtree.

Because DRA reads the account status from its accounts cache, the user interface may show the selected account as unlocked when it is actually locked on the domain controller. DRA therefore lets you unlock a user account even when the displayed status is unlocked. When unlocking from the DRA console you can also specify the domain controller at which the change is applied, and you do not have to reset the user's password.

Reset a user account password

You can reset the password for an account in the managed domain or managed subtree. The powers you have determine the fields you can change for that user account.

When you reset the password for a user account, DRA automatically unlocks the account. You can choose whether DRA generates a new password for the user account, and you can modify several password-related options for the account. If you are managing a Microsoft Windows account, you can specify the domain controller at which DRA applies these changes.

NOTE: When you apply this change to a specific domain controller, DRA also applies this change to the default domain controller for this managed domain. To verify which default domain controller DRA is using, view the domain properties.

Move a user account to another container

You can move a user account to another container, such as an OU, in the managed domain or managed subtree.

Delete a user account

You can delete a user account in the managed domain or managed subtree. If the Recycle Bin is disabled for that domain, deleting a user account permanently removes the user account from Active Directory. If the Recycle Bin is enabled for that domain, deleting a user account moves the user account to the Recycle Bin.

WARNING: When you create a user account, Microsoft Windows assigns it a Security Identifier (SID). The SID is not derived from the account name, and Windows records permissions in access control lists (ACLs) by SID, not by name. If you delete a user account and later create a new account with the same name, the new account receives a different SID, so none of the ACL entries that referred to the deleted account apply to it; those entries remain in the ACLs as unresolvable SIDs.
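The practical consequence of the warning above is that a deleted account leaves "orphaned" entries in every ACL it appeared in. The following is an added example, not code from the DRA documentation, showing how to find such entries on a folder with Windows PowerShell 5.1. The folder, the Get-OrphanedAce function and the SID value are constructed for the demonstration; the SID is fabricated and does not belong to any real account.

```powershell
# Added example, not DRA's own code: audit a folder's ACL for entries whose
# SID no longer resolves to an account, which is what a deleted user leaves
# behind. Assumes Windows PowerShell 5.1 on Windows; the folder, the
# Get-OrphanedAce function and the SID value below are constructed.

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Get-Acl already tried to translate every SID to DOMAIN\Name; an
        # entry still expressed as a raw SID is one Windows could not resolve.
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier] -or
            $id.Value -match '^S-1-\d+(-\d+)+$') {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $id.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# --- demonstration on a throw-away folder ---
$demo = Join-Path $env:TEMP ('dra-sid-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

# A fabricated domain SID with a RID that was never issued stands in for the
# SID of a deleted user. Windows stores it in the ACL without resolving it.
$deadSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-4321'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($deadSid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $demo
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

# Reports one orphaned Allow/Modify entry for S-1-5-21-...-4321.
Get-OrphanedAce -Path $demo | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse -Force
```

Run the function against file shares and home directories after account deletions to find entries that should be cleaned up; an orphaned ACE is harmless by itself, but it is the reason that recreating an account with the same name does not restore its access. Because the Recycle Bin moves the account object rather than deleting it, a restored account keeps its original SID and its ACL entries remain valid, which is the safer path when a deletion turns out to be premature.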

Specify group membership for user accounts

You can add or remove user accounts from a specific group in the managed domain or managed subtree. You can also view or modify properties of existing groups to which this account belongs.

4.1.3 Transforming User Accounts

DRA offers you the ability to quickly and efficiently transform user accounts. When the individual associated with a user account transitions to new job responsibilities, you can use the transform capabilities of DRA. Taking advantage of job role templates, you can quickly add, remove, or update the group memberships associated with an account. Whether an individual is promoted, changes departments, or leaves the company, the ability to transform a user account will save you time, money, and guesswork.

Understanding the Transformation Process

You can use the transform user account capabilities to fulfill any of the following needs:

  • Remove group memberships from a user account

  • Add group memberships to a user account

  • Change user properties

  • Remove particular group memberships while adding other group memberships to a user account

Consider the following process before attempting to transform a user account:

  1. Decide whether you need to add, remove, or both add and remove group memberships.

  2. Review your current subtractive and additive templates to ensure you have the necessary template user accounts.

  3. If necessary, create any required template accounts.

  4. Complete the Transform User wizard.

As DRA transforms a user, the group memberships designated by the subtractive template are removed from the user account, while those memberships designated by the additive template are assigned to the user account. DRA leaves any memberships outside of the subtractive or additive templates intact.

For example, an individual in your outside sales department is transferred from US sales to European sales. Within your organization, you have both distribution groups and security groups that are unique for these sales teams and a number that are shared across all sales teams. The US sales team has the US Hotspots DL and the US Sales Mgmt DL distribution groups while the European sales team has Euro Hotspots and Euro Sales Mgmt distribution groups. Both teams are members of the Global Sales Sec security group, but also have individual site‑specific security groups.

Your subtractive template, named US Sales Template, would be assigned the following group memberships:

  • US Hotspots DL

  • US Sales Mgmt DL

  • Global Sales Sec

  • US Sec

Your additive template, named Euro Sales Template, would be assigned the following group memberships:

  • Euro Hotspots DL

  • Euro Sales Mgmt DL

  • Global Sales Sec

  • Euro Sec

During the transformation process, the user account of the transferred sales person is first removed from all the group memberships designated by the US Sales Template, and then added to all the group memberships designated by the Euro Sales Template. If this individual was also a member of the Poker Players distribution group, this group membership remains untouched.

The following powers allow an Assistant Administrator to further modify a user account during the transformation process:

  • Modify Address Properties while Transforming a User Account

  • Modify Description while Transforming a User Account

  • Modify Office while Transforming a User Account

  • Modify Telephone Properties while Transforming a User Account

You can also restrict the ability to add or remove group memberships by giving an Assistant Administrator only one of the following powers:

  • Add a user to groups found in a template

  • Remove a user from groups found in a template

You can use either of these power-based restrictions to enforce a separation of duties within your organization. By giving certain Assistant Administrators only the power to remove groups found in a template, you create interim user accounts that hold no role-specific memberships. A different Assistant Administrator can then review these interim accounts before using an additive template account to grant the new group memberships.
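The membership arithmetic described in Understanding the Transformation Process, and the two-stage interim-account workflow described just above, can be shown together on an in-memory model of the directory. The following is an added example and is not DRA's own code: the Invoke-UserTransform function and the user name jdoe are assumptions, the hashtable stands in for Active Directory so the script runs without a domain, and the template and group names are the ones used in the sales example in the text.

```powershell
# Added example, not DRA's own code: the membership arithmetic that the
# Transform User wizard performs, modelled on an in-memory directory
# (a hashtable of account -> group list) so it runs without Active Directory.
# Template, group and user names follow the sales example in the text; the
# user name 'jdoe' and the Invoke-UserTransform function are assumptions.

function Invoke-UserTransform {
    param(
        [Parameter(Mandatory)][hashtable]$Directory,
        [Parameter(Mandatory)][string]$User,
        [string]$SubtractiveTemplate,   # omit for an add-only transform
        [string]$AdditiveTemplate       # omit for a remove-only transform
    )
    $current = [System.Collections.Generic.List[string]]::new()
    $current.AddRange([string[]]$Directory[$User])

    # Step 1: drop every group named by the subtractive template.
    if ($SubtractiveTemplate) {
        foreach ($g in $Directory[$SubtractiveTemplate]) { [void]$current.Remove($g) }
    }
    # Step 2: add every group named by the additive template, without duplicates.
    if ($AdditiveTemplate) {
        foreach ($g in $Directory[$AdditiveTemplate]) {
            if (-not $current.Contains($g)) { $current.Add($g) }
        }
    }
    # Memberships outside both templates (here 'Poker Players') are never touched.
    $Directory[$User] = @($current)
    return ,$Directory[$User]
}

# Constructed directory: two role templates and the transferred sales person.
$dir = @{
    'US Sales Template'   = @('US Hotspots DL', 'US Sales Mgmt DL', 'Global Sales Sec', 'US Sec')
    'Euro Sales Template' = @('Euro Hotspots DL', 'Euro Sales Mgmt DL', 'Global Sales Sec', 'Euro Sec')
    'jdoe'                = @('US Hotspots DL', 'US Sales Mgmt DL', 'Global Sales Sec', 'US Sec', 'Poker Players')
}

# Remove-only stage, as performed by an Assistant Administrator who holds only
# "Remove a user from groups found in a template". The interim account keeps
# just 'Poker Players'; note that it has also lost 'Global Sales Sec', which
# only comes back when the additive stage runs.
Invoke-UserTransform -Directory $dir -User 'jdoe' -SubtractiveTemplate 'US Sales Template' | Out-Null
"Interim memberships: $($dir['jdoe'] -join ', ')"

# Additive stage, performed after review by a second Assistant Administrator.
Invoke-UserTransform -Directory $dir -User 'jdoe' -AdditiveTemplate 'Euro Sales Template' | Out-Null
"Final memberships:   $($dir['jdoe'] -join ', ')"
```

The script prints "Interim memberships: Poker Players" and then "Final memberships: Poker Players, Euro Hotspots DL, Euro Sales Mgmt DL, Global Sales Sec, Euro Sec". The point worth noticing is the shared group: because the subtractive step runs before the additive step, a group that appears in both templates (Global Sales Sec) is genuinely removed and then re-added rather than left alone, so an interim account, or a transform that is interrupted between the two steps, is temporarily outside the shared group. Reviewers of interim accounts should expect that state, and templates should list a shared group in both roles if the user must end up in it.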

Creating User Transformation Templates

Transformation of user accounts is directly tied to the roles and job ladders of your organization. Consider creating a template for each role or job within your company. DRA makes no distinction between a user account template used as subtractive versus additive. Create a single template user account for each role within your organization. During the transformation, you select the template as subtractive or additive. Selecting a template as subtractive does not stop the same template from being used as additive in a future transformation.

To create a user transformation template, you must have the powers to create a user account and assign that user account to the appropriate groups. These powers can be obtained through associating your account with the Create and Delete User Accounts and the Group Administration roles in the appropriate ActiveViews or through the assigning of individual powers.

Transforming User Accounts

Transforming a user account enables you to add, remove, or both add and remove user account group memberships. Use this workflow to help you when individuals transition from one job responsibility to another within your organization. You must have the Transform a User role or a role that contains the appropriate powers to transform user accounts. This function can only be performed from the Delegation and Configuration Console via the Account and Resource Management node.

To transform a user account:

  1. In the left pane, expand All My Managed Objects.

  2. To specify the user account you want to manage, execute a Find Now operation to locate and then select the user object.

  3. Click Tasks > Transform.

  4. Review the Welcome window, and then click Next.

  5. On the Select User Template window, use Browse to select the appropriate subtractive template user.

  6. If you want to review the properties of the subtractive template user account, click View.

  7. Use Browse to select the appropriate additive template user.

  8. If you want to review the properties of the additive template user account, click View.

  9. If you have the appropriate powers, you can check Change other properties of the user and select properties to modify. Click Next to navigate through the properties available.

  10. Click Next.

  11. Review the Summary window, and then click Finish.