Lecture Notes: User Creation in Windows Server 2008 R2
IT Department
September 2025
Comprehensive notes for IT students and professionals on creating and managing user
accounts in Active Directory on Windows Server 2008 R2.
Contents
1 Introduction to User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Purpose and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Types of User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3 User Account Creation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.1 Using Active Directory Users and Computers (ADUC) . . . . . . . . . . . . . . . 2
3.2 Using Active Directory Administrative Center (ADAC) . . . . . . . . . . . . . . . 3
3.3 Using PowerShell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4 Configuring User Account Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5 Managing Group Memberships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
6 Security and Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
7 Managed Service Accounts (MSAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
8 Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
9 Best Practices and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
9.1 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
9.2 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1 Introduction to User Accounts
User accounts in Windows Server 2008 R2 are Active Directory (AD) objects that represent
individuals or entities requiring access to network resources. Managed within Active Directory
Domain Services (AD DS), user accounts enable authentication (verifying identity) and
authorization (granting access) using protocols like Kerberos. In Windows Server 2008 R2,
user account management includes advanced features like fine-grained password policies and
Managed Service Accounts (MSAs).
1.1 Purpose and Benefits
• Purpose: Provide secure access to network resources, enforce policies, and track user
activities.
• Benefits:
– Centralized management of user identities.
– Support for Single Sign-On (SSO) across domain resources.
– Customizable attributes for user-specific settings (e.g., logon hours, profile paths).
– Integration with Group Policies for security and configuration.
2 Types of User Accounts
Windows Server 2008 R2 supports several user account types within AD DS:
Account type | Description | Use case in 2008 R2
User | Represents individuals (e.g., employees). | Access to workstations, email, and resources.
Service | Used by applications/services. | Legacy accounts for services; replaced by MSAs.
Managed Service Accounts | Auto-managed accounts for services. | Eliminates manual password updates for services.
Computer | Represents devices in the domain. | Managed similarly to users but for machines.
InetOrgPerson | LDAP-compatible user object. | Used for interoperability with non-Microsoft directories.
Table 1: Types of User Accounts
3 User Account Creation Methods
User accounts can be created using graphical tools or PowerShell in Windows Server 2008 R2.
3.1 Using Active Directory Users and Computers (ADUC)
1. Open ADUC ([Link]) from Administrative Tools.
2. Navigate to the domain or Organizational Unit (OU) (e.g., OU=Users,DC=corp,DC=example,DC=com).
3. Right-click > New > User.
4. Enter Full Name and User Logon Name (e.g., jdoe for John Doe).
5. Set initial password; configure options (e.g., User must change password at next logon).
6. Complete wizard; set additional attributes (e.g., department, phone) in Properties.
3.2 Using Active Directory Administrative Center (ADAC)
1. Open ADAC from Administrative Tools.
2. Navigate to domain or OU in the navigation pane.
3. Click New > User in the Tasks pane.
4. Fill in details: Name, Logon Name, Password, and optional fields (e.g., email, group
membership).
5. Save; verify account in ADAC or ADUC.
3.3 Using PowerShell
PowerShell provides automation for user creation:
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@[Link]" -Path "OU=Users,DC=corp,DC=example,DC=com" `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force) -Enabled $true `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $true
This creates a user with mandatory attributes and enables the account.
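The one-liner above embeds the initial password in clear text, which then survives in the script file and the console history. The following added example (not from the original notes) performs the same creation but reads the password as a SecureString, refuses to create a duplicate logon name, and verifies the attributes that matter for first logon. The OU, the UPN suffix corp.example.com and the logon name jdoe are assumed values taken from the notes' examples.

```powershell
# Added example: create a single AD user on Windows Server 2008 R2 without a clear-text password.
Import-Module ActiveDirectory   # the AD module is not auto-loaded in PowerShell 2.0

$sam    = "jdoe"                                   # assumed logon name
$ou     = "OU=Users,DC=corp,DC=example,DC=com"     # assumed target OU
$domain = "corp.example.com"                       # assumed UPN suffix

# sAMAccountName must be unique in the domain; stop early instead of failing half-way.
if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
    throw "Account '$sam' already exists."
}

# Prompt for the initial password as a SecureString so it never lands in scripts, history or logs.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString

New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName $sam -UserPrincipalName "$sam@$domain" -Path $ou `
    -AccountPassword $initialPassword -Enabled $true `
    -ChangePasswordAtLogon $true -PasswordNeverExpires $false

# Verify: PasswordExpired should be True (forced change at next logon), PasswordNeverExpires False.
Get-ADUser -Identity $sam -Properties PasswordExpired, PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordExpired,
                  PasswordNeverExpires, DistinguishedName
```

If the script must run unattended, the password should come from a protected source (for example a file written with ConvertFrom-SecureString under the service account's profile) rather than from a literal in the script.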
4 Configuring User Account Properties
User accounts have attributes that define their behavior and access:
• Mandatory Attributes:
– cn (Common Name): Full name (e.g., John Doe).
– sAMAccountName: Pre-Windows 2000 logon name (e.g., jdoe).
– userPrincipalName (UPN): Logon name with domain (e.g., jdoe@[Link]).
• Optional Attributes:
– Profile: Home folder, profile path, logon script.
– Account: Logon hours, computer restrictions, account expiration.
– Organization: Department, title, manager.
– Member Of: Group memberships for permissions.
• Configuration Steps:
1. In ADUC, right-click user > Properties.
2. Modify tabs: General (contact info), Account (logon settings), Profile (paths), Member Of (groups).
3. Apply changes; verify with user logon.
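The same optional attributes can be set from PowerShell with Set-ADUser, which is easier to audit and repeat than the Properties dialog. This added example (not from the notes) fills the Organization, Profile and Account tabs for jdoe and then reads the values back; the file server name FS01, the script name logon.bat, the manager jsmith and the workstation names are assumed values.

```powershell
# Added example: configure the optional account properties described in Section 4 and verify them.
Import-Module ActiveDirectory

$sam = "jdoe"   # assumed logon name from the notes

Set-ADUser -Identity $sam `
    -Department "IT" -Title "Systems Administrator" -Manager "jsmith" `       # Organization tab (assumed values)
    -HomeDirectory "\\FS01\home\$sam" -HomeDrive "H:" `                       # Profile tab (assumed server)
    -ProfilePath "\\FS01\profiles\$sam" -ScriptPath "logon.bat" `             # assumed profile share and script
    -LogonWorkstations "WS-IT-01,WS-IT-02" `                                  # Account tab: computer restriction
    -AccountExpirationDate (Get-Date).AddMonths(6)                            # Account tab: expiry for temporary staff

# Read back exactly the attributes that were changed; ADUC tabs are thin views over these properties.
Get-ADUser -Identity $sam -Properties Department, Title, Manager, HomeDirectory, HomeDrive,
        ProfilePath, ScriptPath, LogonWorkstations, AccountExpirationDate |
    Format-List Department, Title, Manager, HomeDirectory, HomeDrive, ProfilePath,
                ScriptPath, LogonWorkstations, AccountExpirationDate
```

Logon hours are stored as a 21-byte bitmap (logonHours) and are simplest to set from the Account tab in ADUC; every other value above maps one-to-one to a Set-ADUser parameter.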
5 Managing Group Memberships
Groups control access and permissions:
• Types: Security (permissions) and Distribution (email lists).
• Scopes: Domain Local, Global, Universal.
• Adding to Groups:
– In ADUC: User Properties > Member Of > Add > Select group (e.g., Domain Users).
– In PowerShell:
Add-ADGroupMember -Identity "CN=IT_Staff,OU=Groups,DC=corp,DC=example,DC=com" -Members "jdoe"
• Best Practice: Use IGDLA model (Identities > Global groups > Domain Local groups >
Access).
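The IGDLA chain (user into a global group, global group into a domain local group, permission on the domain local group) can be built and checked entirely from PowerShell. This added example (not from the notes) nests IT_Staff into an assumed domain local group IT_Share_Modify, adds jdoe to IT_Staff, lists the resulting memberships and warns if the user has ended up in a built-in high-privilege group, which is the least-privilege check an administrator should run after any membership change.

```powershell
# Added example: apply the IGDLA model and verify group membership for one user.
Import-Module ActiveDirectory

$sam         = "jdoe"               # assumed logon name
$globalGroup = "IT_Staff"           # global group from the notes
$localGroup  = "IT_Share_Modify"    # assumed domain local group that carries the NTFS/share permission

# G -> DL: nest the global group into the domain local group (create it first if it does not exist).
if (-not (Get-ADGroup -Filter { SamAccountName -eq $localGroup })) {
    New-ADGroup -Name $localGroup -GroupScope DomainLocal -GroupCategory Security `
        -Path "OU=Groups,DC=corp,DC=example,DC=com"
}
Add-ADGroupMember -Identity $localGroup -Members $globalGroup

# I -> G: add the user to the global group (sAMAccountName, DN or SID are all accepted).
Add-ADGroupMember -Identity $globalGroup -Members $sam

# Direct memberships only; nested access such as IT_Share_Modify is inherited through IT_Staff.
Get-ADPrincipalGroupMembership -Identity $sam |
    Select-Object Name, GroupScope, GroupCategory

# Least-privilege check: flag direct membership in built-in administrative groups.
$privileged = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators")
$memberOf   = Get-ADPrincipalGroupMembership -Identity $sam | ForEach-Object { $_.Name }
foreach ($g in $privileged) {
    if ($memberOf -contains $g) {
        Write-Warning "$sam is a direct member of '$g'; confirm this is intended and documented."
    }
}
```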
6 Security and Password Policies
• Password Policies: Set via Group Policy at domain level (e.g., 8-character minimum,
complexity enabled).
• Fine-Grained Password Policies: Introduced in 2008 R2; apply via Password Settings
Objects (PSOs) to users or groups in OUs.
1. In ADAC: Navigate to Password Settings Container > New > Password Settings.
2. Specify settings (e.g., 14-character minimum, 90-day expiration).
3. Assign to user or group.
• Account Lockout: Configure in Group Policy (e.g., lock after 5 failed attempts, reset after
15 minutes).
• Security Options: Disable accounts when not needed; set expiration for temporary users.
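The fine-grained policy steps above have PowerShell equivalents, which are also the only way to check which policy a user actually receives. This added example (not from the notes) creates a PSO with the 14-character and 90-day values from step 2 plus the lockout values from the Account Lockout bullet, assigns it to the IT_Staff group and reads back the resultant policy for jdoe. The PSO name IT_Staff_PSO and its precedence are assumed.

```powershell
# Added example: create and assign a Password Settings Object, then verify the effective policy.
Import-Module ActiveDirectory

# Lower Precedence wins when more than one PSO applies to the same user.
New-ADFineGrainedPasswordPolicy -Name "IT_Staff_PSO" -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration "00:15:00" -LockoutObservationWindow "00:15:00"

# PSOs are linked to users or global security groups; membership of IT_Staff carries the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity "IT_Staff_PSO" -Subjects "IT_Staff"

# Confirm the link and the settings as stored in the Password Settings Container.
Get-ADFineGrainedPasswordPolicy -Identity "IT_Staff_PSO" -Properties AppliesTo |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo

# The resultant policy is what the domain controller enforces for this user.
# Returns nothing when no PSO applies, meaning the domain default from Group Policy is in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity "jdoe"
if ($effective) { "jdoe is governed by PSO '$($effective.Name)'" } else { "jdoe uses the domain default policy" }
```

LockoutObservationWindow may not exceed LockoutDuration, and MinPasswordAge must be shorter than MaxPasswordAge; the cmdlet rejects a PSO that violates either rule.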
7 Managed Service Accounts (MSAs)
MSAs, introduced in 2008 R2, automate password management for service accounts:
• Creation:
New-ADServiceAccount -Name "MyServiceAccount" -Path "OU=Services,DC=corp,DC=example,DC=com" -Enabled $true
• Installation: Install on server hosting the service:
Install-ADServiceAccount -Identity "MyServiceAccount"
• Use Case: Assign to services like SQL Server or IIS to eliminate manual password updates.
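Creation and installation are two of four steps; the host must also be authorised to use the MSA, and the service must be reconfigured to log on as it. This added example (not from the notes) runs the full sequence on the server that will host the service and checks the result with Test-ADServiceAccount. The service name MyService and the NetBIOS domain CORP are assumed.

```powershell
# Added example: full MSA lifecycle on Windows Server 2008 R2 (run on the service host).
Import-Module ActiveDirectory

$msa = "MyServiceAccount"   # MSA name from the notes

# 1. Create the MSA in the domain (once).
New-ADServiceAccount -Name $msa -Path "OU=Services,DC=corp,DC=example,DC=com" -Enabled $true

# 2. Authorise this computer to use the MSA. A 2008 R2 (standalone) MSA can be bound to one host only.
Add-ADComputerServiceAccount -Identity $env:COMPUTERNAME -ServiceAccount $msa

# 3. Cache the MSA on the host so the local Netlogon service can retrieve its password from AD.
Install-ADServiceAccount -Identity $msa

# 4. Prove the host can authenticate as the MSA before touching any service.
if (-not (Test-ADServiceAccount -Identity $msa)) {
    throw "MSA '$msa' is not usable on $env:COMPUTERNAME; check steps 2 and 3."
}

# 5. Run the service as the MSA. The logon name is DOMAIN\name$ and the password is left blank,
#    because Windows fetches and rotates it automatically. 'MyService' and 'CORP' are assumed.
sc.exe config "MyService" obj= "CORP\$msa`$" password= ""
Restart-Service -Name "MyService"
```

The account name ends in a dollar sign like a computer account; sc.exe requires the space after obj= and password= exactly as written.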
8 Backup and Recovery
• Backup: User accounts are part of AD database; back up System State using Windows
Server Backup.
• Recovery: Use Active Directory Recycle Bin (requires 2008 R2 forest functional level):
Restore-ADObject -Identity "CN=John Doe,OU=Users,DC=corp,DC=example,DC=com"
• Alternative: Authoritative restore with ntdsutil for non-Recycle Bin scenarios.
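Restore-ADObject needs the identity of the deleted (tombstoned) object, which is not the original DN once the object is in the Deleted Objects container. This added example (not from the notes) enables the Recycle Bin, locates deleted user objects including their last known parent and restores John Doe by GUID. The forest name corp.example.com is assumed.

```powershell
# Added example: enable the AD Recycle Bin and recover a deleted user.
Import-Module ActiveDirectory

# One-time and irreversible; requires the 2008 R2 forest functional level. Assumed forest name.
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
    -Scope ForestOrConfigurationSet -Target "corp.example.com"

# Deleted objects keep their attributes (and can be fully restored) only while the Recycle Bin is on.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "user" -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

# Review before restoring: who was deleted, from where, and when.
$deleted | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize

# The deleted object's name is "John Doe\0ADEL:<guid>", so match on the prefix and restore by GUID.
# If the parent OU was deleted as well, restore the OU first, otherwise use -TargetPath.
$john = $deleted | Where-Object { $_.Name -like "John Doe*" }
if ($john) {
    Restore-ADObject -Identity $john.ObjectGUID
    Get-ADUser -Identity "jdoe" | Select-Object Name, Enabled, DistinguishedName
}
```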
9 Best Practices and Troubleshooting
9.1 Best Practices
• Place users in appropriate OUs for policy application.
• Use strong, unique passwords; enforce via GPOs or PSOs.
• Assign minimal group memberships to follow least-privilege principle.
• Enable Recycle Bin for easy recovery of deleted accounts.
• Use PowerShell for bulk user creation (e.g., from CSV):
Import-Csv "[Link]" | ForEach-Object { New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName }
• Document user account details and group assignments.
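A bulk script is only as safe as its input validation: a malformed row should be reported, not half-created. This added example (not from the notes) extends the CSV one-liner with the mandatory attributes from Section 4, a per-row check for missing columns, over-long logon names and duplicates, a generated initial password that meets the default complexity policy, and a results table the administrator can keep as the documentation the last bullet asks for. The CSV rows are constructed inline for the example; the OU and UPN suffix are assumed from the notes.

```powershell
# Added example: validated bulk user creation from CSV data.
Import-Module ActiveDirectory

$ou     = "OU=Users,DC=corp,DC=example,DC=com"   # assumed target OU
$domain = "corp.example.com"                     # assumed UPN suffix

# Constructed sample input. In production replace with: $rows = Import-Csv "users.csv" (same headers).
$rows = @"
Name,GivenName,Surname,SamAccountName,Department
John Doe,John,Doe,jdoe,IT
Jane Roe,Jane,Roe,jroe,Finance
"@ | ConvertFrom-Csv

function New-InitialPassword {
    # 16 characters with at least one upper, lower, digit and symbol (ambiguous glyphs omitted).
    $sets  = @("ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnopqrstuvwxyz", "23456789", "!@#$%^&*")
    $chars = @()
    foreach ($s in $sets) { $chars += $s[(Get-Random -Maximum $s.Length)] }
    $all = $sets -join ""
    while ($chars.Count -lt 16) { $chars += $all[(Get-Random -Maximum $all.Length)] }
    -join ($chars | Get-Random -Count $chars.Count)   # shuffle so the class order is not predictable
}

$results = foreach ($r in $rows) {
    $status = "created"; $plain = $null
    try {
        # Validate before touching AD.
        if (-not ($r.Name -and $r.SamAccountName)) { throw "missing Name or SamAccountName" }
        if ($r.SamAccountName.Length -gt 20)        { throw "sAMAccountName longer than 20 characters" }
        $sam = $r.SamAccountName                     # AD filters need a plain variable, not a property path
        if (Get-ADUser -Filter { SamAccountName -eq $sam }) { throw "logon name already exists" }

        $plain = New-InitialPassword
        New-ADUser -Name $r.Name -GivenName $r.GivenName -Surname $r.Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@$domain" -Path $ou `
            -Department $r.Department `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -Enabled $true -ChangePasswordAtLogon $true -ErrorAction Stop
    } catch {
        $status = "failed: $($_.Exception.Message)"; $plain = $null
    }
    New-Object PSObject -Property @{ SamAccountName = $r.SamAccountName; Status = $status; InitialPassword = $plain }
}

# Initial passwords are one-time (forced change at first logon); hand them over out of band and
# store this report only where other credentials are kept.
$results | Format-Table SamAccountName, Status, InitialPassword -AutoSize
```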
9.2 Troubleshooting
• Logon Failures: Check account status (disabled/locked), password expiration, or logon
restrictions.
• Policy Issues: Verify PSO or GPO application with gpresult /r.
• Deleted Users: Use Recycle Bin or check Event Viewer (Security logs).
• Tools: ADUC, ADAC, PowerShell (Get-ADUser), dcdiag for AD health.
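The logon-failure checks listed above can be gathered in one query instead of clicking through ADUC tabs. This added example (not from the notes) reports every condition that blocks a logon for a given user (disabled, locked, expired password or account, workstation or hour restrictions), names the password policy in force, lists all currently locked accounts in the domain, and pulls the matching lockout events (ID 4740) from the Security log when run on a domain controller. The logon name jdoe is assumed.

```powershell
# Added example: first-line diagnosis of "user cannot log on" from PowerShell.
Import-Module ActiveDirectory

function Get-LogonDiagnosis {
    param([string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired,
            AccountExpirationDate, LogonWorkstations, LogonHours, PasswordLastSet, LastLogonDate

    $issues = @()
    if (-not $u.Enabled)    { $issues += "account disabled (Enable-ADAccount)" }
    if ($u.LockedOut)       { $issues += "account locked out (Unlock-ADAccount)" }
    if ($u.PasswordExpired) { $issues += "password expired; last set $($u.PasswordLastSet)" }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $issues += "account expired on $($u.AccountExpirationDate)"
    }
    if ($u.LogonWorkstations) { $issues += "logon restricted to: $($u.LogonWorkstations)" }
    if ($u.LogonHours)        { $issues += "logon hours restriction set (ADUC > Account > Logon Hours)" }

    # Which password policy applies: a PSO, or the domain default when the cmdlet returns nothing.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $policy = if ($pso) { $pso.Name } else { "domain default (GPO)" }

    New-Object PSObject -Property @{
        User            = $u.SamAccountName
        LastLogonDate   = $u.LastLogonDate
        EffectivePolicy = $policy
        Issues          = if ($issues) { $issues -join "; " } else { "none found in AD attributes" }
    }
}

Get-LogonDiagnosis -SamAccountName "jdoe" | Format-List

# Domain-wide view: every account currently locked out (run before mass-unlocking anything).
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LastLogonDate

# On a domain controller: lockout events from the last 24 hours. The PDC emulator records every
# lockout, and the message names the caller computer, which is where the bad credential comes from.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4740; StartTime = (Get-Date).AddHours(-24) } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "jdoe" } |
    Select-Object TimeCreated, Message | Format-List
```

A repeated 4740 from the same caller computer after an unlock usually points to a stale credential (a mapped drive, scheduled task or service) rather than the user typing the wrong password.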