Domain User Accounts

By Author: fiona
Total Articles: 191
Comment this article

Domain user accounts allow users to log on to a 70-680 Exam domain and gain access to resources anywhere on the network. The user provides his or her user name and password during the logon process. By using this information, Windows Server 2003 authenticates the user and then builds an access token that contains information about the user and security settings. The access token identifies the user to computers running Windows Server 2003 and computers running preWindows Server 2003 operating systems on which the user tries to gain access to resources. Windows Server 2003 provides the access token for the duration of the logon session.
You create a domain user account in a container or an OU in the copy of the Active Directory database (called the directory) on a domain controller, as shown in MCITP. The domain controller replicates the new user account information to all domain controllers in the domain.
After Windows Server 2003 replicates the new user account information, all of the domain controllers in the domain tree can authenticate ...
... the user during the logon process.

Note It can take a few minutes to replicate the domain user account information to all domain controllers. This delay might prevent a user from immediately logging on using the newly created domain user account. By default, replication of directory information within a site occurs every five minutes.
The primary reason for defining an OU is to delegate administration. Delegating administration is the assignment of IT management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users.
You should design OUs for simplicity. It is likely that your domains will require a number of OUs to meet administrative requirements. The best practice is to begin with one OU and then add only those OUs that you can justify. Define OUs with administration, not users, in mind.
By linking GPOs to OUs, GPOs can be applied to either users or computers in the OU. Because there is only one way to delegate administration and there are multiple ways to administer Group Policy, you must define OU structures to delegate administration first. After an OU structure is defined to handle delegation of administration, you can define additional OUs to administer Group Policy.
You cannot assign access permissions based on a user's membership in an OU.OUs are not security principals. Access control is the responsibility of global,
domain local, or universal groups.
You move objects within an a+ certification hierarchy by using drag and drop, the Move option on the Active Directory Users And Computers console, or the Dsmove command.