Functions of user accounts in Active Directory

  • Provide a method for user authentication to the network
  • Provide detailed information about a user

Built-in user accounts

  • Administrator and Guest: for local accounts they are stored in the SAM database; for domain accounts they are stored in Active Directory.
  • They cannot be deleted.

Guidelines to the built-in administrator account:

  • The local Administrator account has full access to all aspects of a computer; the domain Administrator account has full access to all aspects of the domain.
  • They should be renamed and given a very strong password to increase security.
  • The admin account should be used to log on to a computer or domain only when performing administrative operations is necessary. Network administrators should use a regular user account for nonadministrative tasks.
  • It can be renamed or disabled but cannot be deleted.

Guidelines to the guest account:

  • It is disabled by default.
  • It has a blank password by default, so assign a password as soon as it has been enabled.
  • It should be renamed.
  • It has limited access to a computer or domain.


Creating and modifying user accounts

Accounts can be created from the command line with the DSADD command.

Account name is not case sensitive, password is case sensitive.

Basic attributes that must be entered when creating an account:

  • Full name
  • User logon name: referred to as the UPN. The format is username@domain; the "@domain" part is called the UPN suffix.
  • User logon name (pre-Windows 2000): the format is domain\username.
  • Password and confirm password.

Templates: used to create users with similar group memberships, account options, and descriptive fields.

Create a generic account and set it up as required, making sure it is disabled; then copy it when creating a new user and change the basic attributes.
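The template procedure above, as an added example (not from the page): a PowerShell function that refuses to copy a template that is still enabled, copies its descriptive and account attributes with New-ADUser -Instance, and then copies its group memberships separately, because -Instance does not carry those over. The template name 'tpl_sales', the UPN suffix 'corp.example' and the sample user are assumptions.

```powershell
# Added example: create a user by copying a disabled template account (ADUC "Copy").
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string]$TemplateSam,     # assumed template, e.g. 'tpl_sales'
        [Parameter(Mandatory)] [string]$Sam,             # pre-Windows 2000 logon name (not case sensitive)
        [Parameter(Mandatory)] [string]$GivenName,
        [Parameter(Mandatory)] [string]$Surname,
        [Parameter(Mandatory)] [securestring]$Password,  # the password IS case sensitive
        [string]$UpnSuffix = 'corp.example'              # assumed UPN suffix
    )

    # Settable attributes that make a template worth having: descriptive fields,
    # logon script, home folder and profile path. Group membership is read separately.
    $tpl = Get-ADUser -Identity $TemplateSam -Properties Description, Department, Company,
        ScriptPath, HomeDrive, HomeDirectory, ProfilePath
    $groups = (Get-ADUser -Identity $TemplateSam -Properties MemberOf).MemberOf

    # Guard: a template must never be a usable logon account.
    if ($tpl.Enabled) { throw "Template '$TemplateSam' is enabled; disable it before copying." }

    # Create the copy in the template's own OU (simple split; assumes no escaped comma in the CN).
    $ou = ($tpl.DistinguishedName -split ',', 2)[1]

    New-ADUser -Name "$GivenName $Surname" `
               -DisplayName "$GivenName $Surname" `
               -GivenName $GivenName -Surname $Surname `
               -SamAccountName $Sam `
               -UserPrincipalName "$Sam@$UpnSuffix" `
               -AccountPassword $Password `
               -Path $ou `
               -Instance $tpl `
               -Enabled $true `
               -ChangePasswordAtLogon $true

    # Copy the template's group memberships, the part ADUC "Copy" carries over for you.
    if ($groups) {
        Add-ADPrincipalGroupMembership -Identity $Sam -MemberOf $groups
    }
    Get-ADUser -Identity $Sam -Properties MemberOf, Department, ScriptPath
}

# Usage: prompt for the password so it never lands in the shell history or a script file.
New-UserFromTemplate -TemplateSam 'tpl_sales' -Sam 'jsmith' -GivenName 'Jane' -Surname 'Smith' `
    -Password (Read-Host -AsSecureString 'Initial password')
```

The enabled check is the point of the function: a template that can log on is just another account with whatever permissions its group memberships grant, so the script fails closed rather than copying it.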


A user profile is a collection of a user's personal files and settings that define his or her working environment.

The user profile is created as a subfolder of the Users folder on the system drive. The subfolder is named after the user's name.

Key files and folders in the user's profile:

  • AppData (N/A): a hidden folder that is the default location for user application data.
  • Desktop: contains desktop items.
  • Documents (My Documents): the default location applications use to store saved documents.
  • Downloads (N/A): the default location for downloaded files.
  • Favorites: bookmarks from IE.
  • Music (My Music): the default location for saved music files.
  • Pictures (My Pictures): the default location for saved picture files.
  • Ntuser.dat: a hidden system file containing the user's preferences for Windows and application settings; it is merged into the registry when the user logs on to Windows.

Types of profile:

  • Default local profile: %SYSTEMDRIVE%\Users\Default, assigned to a new user if no modified profile has been assigned to him or her.
  • Roaming profile
    It is stored on a network share, so a user gets a copy of it no matter which computer he or she logs on to. Any changes the user makes to the profile are replicated from the locally cached copy to the profile on the network share when the user logs off.
    A roaming profile is created by:

     1. Create a folder on the server for storing roaming profiles; the server should have the File Services role installed.
     2. Share this folder and give the Domain Users group the Full Control share permission.
     3. Edit the Profile path text box in the Profile tab of the user account's properties dialog box. The path should be similar to \\server\profiles\%username%.

Because of the security change in MS16-072 (14 June 2016), roaming profiles need some extra setup; the detailed steps are on a separate page:

You can keep %username% in the path so that you can edit multiple accounts at once or create a user template.
The next time the user logs on to a computer, the default or existing local profile is copied to the roaming profile location.
A folder named after the user's logon name with .V2 appended is created automatically with the appropriate permissions. The .V2 suffix distinguishes a roaming profile from a pre-Vista roaming profile.

Note: if computers running different Windows versions share one roaming profile, the profile may be destroyed.

For more about roaming profiles, see here.

  • Mandatory user profile: a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With a mandatory user profile, a user can modify his or her desktop, but the changes are not saved when the user logs off; the next time the user logs on, the mandatory profile created by the administrator is downloaded again. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.
    Configure: a user profile becomes mandatory when the administrator renames the NTuser.dat file (the registry hive) on the server so that it carries the .man extension; the .man extension makes the user profile read-only. A user profile becomes super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\\.
    Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile. Only system administrators can make changes to mandatory user profiles.
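The three roaming-profile steps above, as an added example (not from the page) run on the file server. The folder D:\Profiles, the share name 'profiles', the NetBIOS domain 'CORP' and the sample users are assumptions. The page only specifies the share permission; the NTFS rules below are my addition, so that each user can create and own his or her own .V2 folder without being able to read anyone else's.

```powershell
# Added example: create the roaming-profile share and point accounts at it.
Import-Module ActiveDirectory

$Root   = 'D:\Profiles'          # assumed local folder on the file server
$Share  = 'profiles'
$Server = $env:COMPUTERNAME
$Users  = 'CORP\Domain Users'    # assumed NetBIOS domain name

# Step 1: a folder on a server that has the File Services role.
if (-not (Get-WindowsFeature -Name FS-FileServer).Installed) {
    Install-WindowsFeature -Name FS-FileServer
}
New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Step 2: share it with Full Control for Domain Users at the share level (as on the page).
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -FullAccess $Users | Out-Null
}

# Addition (assumption, not from the page): NTFS rules that limit users to their own folder.
function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}
$acl = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited rules
@(
    # this folder only: list it and create a subfolder (the user's own <logon name>.V2)
    New-Rule $Users 'ListDirectory, CreateDirectories, ReadAttributes' 'None' 'None'
    # whoever creates a subfolder owns it and gets full control of its contents only
    New-Rule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'
    New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
    New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
) | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Root -AclObject $acl

# Step 3: the Profile path. ADUC lets you type \\server\profiles\%username%; Set-ADUser
# stores whatever string it is given, so this function expands the name per user instead.
function Set-RoamingProfilePath {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        Set-ADUser -Identity $sam -ProfilePath "\\$Server\$Share\$sam"
        Get-ADUser -Identity $sam -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
    }
}

Set-RoamingProfilePath -SamAccountName 'jsmith', 'alee'
# The "<logon name>.V2" folder appears under the share at each user's next logon.
```

The CREATOR OWNER rule is what makes the share usable without giving Domain Users rights over the whole tree: the profile service creates the .V2 folder in the user's context, so only that user (plus Administrators and SYSTEM) ends up with access to it.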

The system chooses the profile in this order:

  • A profile created manually by the administrator on the network share; if there is none,
  • The NETLOGON share: this system folder is shared by default and is located at %SYSTEMDRIVE%\Windows\SYSVOL\sysvol\domain\Scripts, where domain is the name of the domain the server is in; or
  • The default profile on the local system.
  • Mandatory profile
  • Super-mandatory profile


Profile tab in ADUC:

User profile:

Profile path: the path of the roaming profile, discussed in the roaming profile part above.

Logon script: the script is read from \\domain_name\NETLOGON, so copy the script file to that location; then you only need to type the name of the script file, such as logonScript.bat.

This is especially useful when you have older clients such as Windows 95/98 or Windows NT, because those operating systems do not use Group Policy. If a logon script is assigned both here and in a GPO and the user logs on to a computer running Windows 2000 or later, both logon scripts run.

Permission: the Domain Users group should be given read/write access to the logon script file or the folder where it is located.

Home folder:

Local path: specifies that the home folder is on a local path on the computer the user has logged on to. If the user logs on to another computer, the files and folders are not there. To make them available everywhere, use the Connect option just below Local path, which takes a server path; the user then gets the same folder and files even when hopping from one computer to another.

Connect: home folders are similar to profiles in that their data can be accessed from anywhere; the difference is that they do not carry the working environment or customizations, they are just shares that can be accessed from anywhere. They are usually used when there is not enough disk space available on the local machine.


If you are logged on as a standard user and need to do an administrator's job, such as running MMC, click Start and type
runas /user:administrator mmc

then press Enter and provide the admin password.

The most confusing part is the difference between the profile path and the home folder:

By default they are the same location; you can verify both locations for the current user with the commands "set HOME" and "set userprofile".

The profile path is where your environment is stored: background image, color preferences, personalization, customizations, and other settings related to your user profile.
Your profile can be stored within your home folder, but does not have to be, and this is where the roaming profile path comes in.

Your profile is located by default under C:\Documents and Settings on Windows XP or earlier, and under C:\Users\your_username on Windows 7 or later.

You can easily alter this in a domain environment.

Typically home folders point to a user name variable instead of a specific location (otherwise you would have to hard-code everybody's home folder).
So the home folder could be \\server1\%username%, where a shared folder can be
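The Profile tab fields (logon script and home folder) and the profile path versus home folder comparison above, as one added example that is not from the page. The first part is run by an administrator to fill the fields for an account; the second part is run on a client as that user to see where the profile and the home folder actually landed. The domain 'corp.example' (NetBIOS 'CORP'), the server 'server1', the share 'home' and the sample user are assumptions.

```powershell
# Added example: set Logon script and Home folder (Connect) for a user, then compare
# profile location and home folder from the user's own session.
Import-Module ActiveDirectory

$Domain     = 'corp.example'   # assumed DNS domain name
$Netbios    = 'CORP'           # assumed NetBIOS domain name
$HomeServer = 'server1'        # assumed file server
$Script     = 'logonScript.bat'

# Logon script: the file must live in NETLOGON; the attribute holds only the file name.
Copy-Item -Path ".\$Script" -Destination "\\$Domain\NETLOGON\$Script"

function Set-ProfileTab {
    param([Parameter(Mandatory)][string]$Sam)
    # Home folder via "Connect": a drive letter plus a UNC path. As ADUC does, expand
    # %username% per user and create the folder so the first logon finds it.
    $homeDir = "\\$HomeServer\home\$Sam"
    if (-not (Test-Path $homeDir)) { New-Item -Path $homeDir -ItemType Directory | Out-Null }

    # Give only this user Modify on his or her folder (assumption: the share root grants nothing).
    $acl  = Get-Acl $homeDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Netbios\$Sam", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $homeDir -AclObject $acl

    Set-ADUser -Identity $Sam -ScriptPath $Script -HomeDrive 'H:' -HomeDirectory $homeDir
    Get-ADUser -Identity $Sam -Properties ScriptPath, HomeDrive, HomeDirectory, ProfilePath |
        Select-Object SamAccountName, ScriptPath, HomeDrive, HomeDirectory, ProfilePath
}
Set-ProfileTab -Sam 'jsmith'

# On a client, logged on as that user: profile path and home folder side by side.
# USERPROFILE is where the environment (NTUSER.DAT, Desktop, AppData) lives;
# HOMESHARE/HOMEDRIVE/HOMEPATH come from the Home folder fields and can be elsewhere.
function Show-ProfileVsHome {
    [pscustomobject]@{
        UserProfile = $env:USERPROFILE
        NtUserDat   = Join-Path $env:USERPROFILE 'NTUSER.DAT'
        HomeDrive   = $env:HOMEDRIVE
        HomePath    = $env:HOMEPATH
        HomeShare   = $env:HOMESHARE   # empty when the home folder is a local path
    }
}
Show-ProfileVsHome
```

If the two locations are the same, USERPROFILE and HOMEDRIVE+HOMEPATH resolve to one folder; after the Connect fields are set, HOMESHARE shows the UNC path while USERPROFILE still points at the local (or roaming) profile, which is the distinction the paragraph above is making.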

Distribution group

Used to group users together, mainly for sending email to several people at once with an Active Directory-integrated email application such as Microsoft Exchange.
Distribution groups are not security principals and cannot be used to assign rights and permissions to their members.

Microsoft Exchange Server 2007: Implementation and Administration, by Jim McBee and Benjamin Craig, page 248:
Only universal groups should be used as mail-enabled groups.

Security group

The main Active Directory object administrators use to manage network resource access and grant rights to users. It can also be used as a distribution group. Only security groups can be added to a resource's DACL.

A group can be converted from security to distribution and vice versa. If a security group is an entry in the DACL of a shared folder and is then changed to a distribution group, the group remains in the DACL but has no effect on access to the resource for any of its members.

Group Scope

Group scope determines the reach of a group's application in a domain or a forest.

There are four group scopes:

1. Local: applies only to groups created in the SAM database.

2. Domain local: the main security principal recommended for assigning rights and permissions to domain resources. Global and universal groups should be added as members of domain local groups, which are then added to the resource's DACL.
The "local" refers to where the resources this group scope can be assigned to may be located. You cannot, for example, add a domain local group from Domain A to the DACL of a resource in Domain B.

3. Global: used mainly to group users from the same domain with similar access or rights requirements.
A common use of global groups is creating one for each department, location, or both.

4. Universal:

Group membership information is stored only on global catalog (GC) servers.
Linked value replication allows replicating only group membership changes instead of the entire membership list.

Group scope summary (members allowed, where permissions can be assigned, where rights apply, allowed conversions):

Universal
  • Can include as members: accounts, global groups and universal groups from any domain within the forest in which the universal group resides.
  • Permissions can be assigned in: any domain or forest.
  • Permissions and rights assignments: resources on any DC or member computer in any domain, including domains in another forest.
  • Can be converted to: domain local; global (as long as no other universal groups exist as members).

Global
  • Can include as members: accounts and global groups from the same domain as the parent global group.
  • Permissions can be assigned in: any domain.
  • Permissions and rights assignments: resources on any DC or member computer in any domain in the forest or in trusted domains in another forest.
  • Can be converted to: universal (as long as it is not a member of any other global group).

Domain local
  • Can include as members: accounts, global groups and universal groups from any domain; domain local groups only from the same domain as the parent domain local group.
  • Permissions can be assigned in: only the same domain as the parent domain local group.
  • Permissions and rights assignments: resources on any DC or member computer in the domain. Domain local groups in the Builtin folder can be added to DACLs only on DCs, not on member computers.
  • Can be converted to: universal (as long as no other domain local groups exist as members).


In a single-domain environment, use AGDLP:

Accounts are made members of
Global groups, which are made members of
Domain Local groups, which are assigned
Permissions to resources

In a multi-domain environment, use AGGUDLP:

Accounts are made members of
Global groups, which when necessary are nested in other
Global groups, which are made members of
Universal groups, which are then made members of
Domain Local groups, which are assigned
Permissions to resources
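AGDLP carried out end to end, as an added example that is not from the page: accounts go into a global group, the global group into a domain local group, and only the domain local group appears on the resource's DACL. The OU, group names, NetBIOS domain 'CORP', the D:\Shares\Sales folder and the sample users are assumptions; the folder is created locally so the script can be run on a file server as is.

```powershell
# Added example: A -> G -> DL -> P for one shared folder.
Import-Module ActiveDirectory

$OU        = 'OU=Groups,DC=corp,DC=example'   # assumed
$Netbios   = 'CORP'                           # assumed NetBIOS domain name
$Resource  = 'D:\Shares\Sales'                # assumed resource on the file server
$Global    = 'G_Sales_Users'                  # who: accounts grouped by role or department
$DomainLoc = 'DL_Sales_Modify'                # what: one group per resource and access level

# A -> G: same-domain users with the same access needs.
if (-not (Get-ADGroup -Filter "Name -eq '$Global'")) {
    New-ADGroup -Name $Global -GroupScope Global -GroupCategory Security -Path $OU
}
Add-ADGroupMember -Identity $Global -Members 'jsmith', 'alee'

# G -> DL: the domain local group is the only principal that will go on the DACL.
if (-not (Get-ADGroup -Filter "Name -eq '$DomainLoc'")) {
    New-ADGroup -Name $DomainLoc -GroupScope DomainLocal -GroupCategory Security -Path $OU
}
Add-ADGroupMember -Identity $DomainLoc -Members $Global

# DL -> P: the permission on the resource (a security group, so it is valid on a DACL).
New-Item -Path $Resource -ItemType Directory -Force | Out-Null
$acl  = Get-Acl $Resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Netbios\$DomainLoc", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Resource -AclObject $acl

# Check: the DACL entry names the domain local group, that group holds only the global
# group, and the users reach the resource through the nesting chain.
function Test-Agdlp {
    $entry  = (Get-Acl $Resource).Access | Where-Object { $_.IdentityReference -like "*\$DomainLoc" }
    $nested = Get-ADGroupMember -Identity $DomainLoc | Where-Object { $_.objectClass -eq 'group' }
    $users  = Get-ADGroupMember -Identity $Global -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        DaclRights     = $entry.FileSystemRights
        NestedGlobal   = $nested.Name
        EffectiveUsers = $users
    }
}
Test-Agdlp
```

Keeping the DACL limited to domain local groups is what makes access reviews tractable: to see who can modify the Sales folder you expand one group, and to revoke a department's access you remove one global group from it without touching the file system.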

Group nesting

Making one group a member of another group. It is often used to group users who have similar roles but work in different departments.

Converting group scope

The following are the only one-step conversions available. You cannot convert from domain local to global directly: do domain local > universal, then universal > global.

  • Global to universal. This conversion is allowed only if the group you want to change is not a member of another global group.
  • Domain local to universal. This conversion is allowed only if the group you want to change does not have another domain local group as a member.
  • Universal to global. This conversion is allowed only if the group you want to change does not have another universal group as a member.
  • Universal to domain local. There are no restrictions for this operation.
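The conversion rules above as a checked wrapper around Set-ADGroup, an added example that is not from the page. It tests the membership condition for each one-step conversion before changing anything, and performs the two-hop conversions through universal scope; the domain local to global case is the one the page describes, and global to domain local is handled the same way since both hops are in the list. The group name in the usage line is an assumption.

```powershell
# Added example: scope conversion with the one-step restrictions enforced up front.
Import-Module ActiveDirectory

function Convert-GroupScope {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$To
    )
    $g    = Get-ADGroup -Identity $Name -Properties MemberOf
    $from = $g.GroupScope.ToString()
    if ($from -eq $To) { return $g }

    # Scopes of the groups this group belongs to, and of the groups it contains.
    $parentScopes = @($g.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })
    $childScopes  = @(Get-ADGroupMember -Identity $Name |
                      Where-Object { $_.objectClass -eq 'group' } |
                      ForEach-Object { (Get-ADGroup -Identity $_.DistinguishedName).GroupScope.ToString() })

    switch ("${from}->${To}") {
        'Global->Universal' {
            if ($parentScopes -contains 'Global') { throw "$Name is a member of another global group" }
        }
        'DomainLocal->Universal' {
            if ($childScopes -contains 'DomainLocal') { throw "$Name has a domain local group as a member" }
        }
        'Universal->Global' {
            if ($childScopes -contains 'Universal') { throw "$Name has a universal group as a member" }
        }
        'Universal->DomainLocal' { }   # no restrictions
        'DomainLocal->Global' {        # not a one-step conversion: go through universal
            Convert-GroupScope -Name $Name -To Universal | Out-Null
            return Convert-GroupScope -Name $Name -To Global
        }
        'Global->DomainLocal' {        # same idea in the other direction
            Convert-GroupScope -Name $Name -To Universal | Out-Null
            return Convert-GroupScope -Name $Name -To DomainLocal
        }
    }
    Set-ADGroup -Identity $Name -GroupScope $To
    Get-ADGroup -Identity $Name
}

# Usage (assumed group name): the two-hop domain local -> universal -> global conversion.
Convert-GroupScope -Name 'DL_Sales_Modify' -To Global
```

Because each hop re-reads the group and re-applies the checks, the second hop fails cleanly if the intermediate universal group violates the universal-to-global rule, leaving the group at universal scope rather than in an undefined state.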


Special group:

Interactive user: members of the Interactive group gain access to resources on the computer at which they are physically located or logged on. This group includes all users who log on to a computer locally. Users who are connected across a network are not members of this group (with the exception of the Remote Desktop Users group). Remote Desktop Users, as the name implies, connect to computers via RDP; they are also granted interactive logon rights during their RDP sessions even though they are logging on remotely.

12:51:07 01/24/2019