17. Administering Accounts
Account templates can be created for groups of people such as Sales or Managers. To create a new
user account you just copy the template and assign a new name and password. If the template
name begins with an underscore (_) then it will always be at the top of the account list
in User Manager. Rights and permissions are NOT copied.
Account policies determine how passwords must be used and cover password age, minimum length, uniqueness
and lockout options. The policy comes into effect the next time the user makes a change to the password
or the next time they log in.
Pointers for a good Account Policy:
- No blank passwords
- Have a minimum password length (up to 14 characters)
- Change passwords often
- Users must use different passwords (up to 24 different passwords)
- Lock out accounts if there are multiple failures on login. Deleting the old password, adding a new
one and then unlocking the account are common events that occur together, and they are done from the user's
account in User Manager for Domains.
- Only an administrator can unlock accounts
- Users working outside restricted hours must be disconnected automatically.
All these things can be set up in the Policies menu of User Manager for Domains.
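An added example, not part of the original notes: a Python check that reads account-policy text laid out like `net accounts` output and flags the settings the pointers above warn about. The sample text, its field layout and the function names are assumptions constructed for illustration, and the "only an administrator can unlock" pointer is not checked.

```python
import re

# Constructed sample modelled on `net accounts` output (assumed layout).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

# (field label, values meaning "not enforced", resulting weakness)
CHECKS = [
    ("Minimum password length", {"0"}, "blank passwords allowed"),
    ("Maximum password age (days)", {"unlimited"}, "passwords never expire"),
    ("Length of password history maintained", {"none", "0"}, "passwords can be reused"),
    ("Lockout threshold", {"never", "0"}, "no lockout after failed logons"),
    ("Force user logoff how long after time expires?", {"never"}, "no forced disconnect"),
]

def parse_policy(text):
    """Turn 'label:   value' lines into a dict; lines without that shape are skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*\S):\s+(\S.*)$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy

def audit(policy):
    """Return one finding per checked setting that is missing or not enforced."""
    findings = []
    for field, weak_values, problem in CHECKS:
        value = policy.get(field)
        if value is None:
            findings.append(f"{field}: not reported")
        elif value.lower() in weak_values:
            findings.append(f"{field} = {value}: {problem}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE)):
        print(finding)
```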
A BDC allows people to log on, but you cannot do any account administration on it. If you need to take the PDC
offline, follow these steps:
- In Administrative Tools click Server Manager.
- In the Computer list select the BDC.
- Click Promote to PDC.
- All users will be disconnected from both the PDC and the BDC.
- The BDC becomes a PDC and the PDC is automatically demoted to a BDC.
When the original PDC is brought back online and connected, promoting it back up
to a PDC will automatically demote the temporary PDC back to a BDC.
If a PDC goes offline unexpectedly, promote a BDC to a PDC. Bring the original PDC back online, demote it
using Server Manager on the temporary PDC, then log on to the original PDC and promote it again.
The directory databases are automatically synchronised so that any changes made are saved.
In a large domain, password changes take some time to filter through to all the BDCs, so you may wish
to manually synchronise the databases. This is achieved by using Server Manager on the PDC
to pick one or all of the domain's BDCs and selecting Synchronize with PDC.