Control Details

User logon name

The text box on the left provides a space for you to type the account name for this user. This is the name that the user will use to log on to an Active Directory domain.

The drop-down list on the right lists the available user principal name (UPN) suffixes that may be used to create the user logon name. The list contains the full Domain Name System (DNS) name of the current domain, the full DNS name of the root domain of the current forest, and any alternative UPN suffixes that are created with Active Directory Domains and Trusts.

User logon name (pre–Windows 2000)

The read-only text box on the left displays the domain name that is used by computers running pre–Windows 2000 operating systems. This name will also be used in the pre–Windows 2000 syntax for domainname\username user logon.

The text box on the right provides a space for you to type the user's pre–Windows 2000 logon name. This user name is in the pre–Windows 2000 format, which is domainname\username.

Logon Hours

Click to change the hours during which the selected object can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week. Note that this control does not affect the user's ability to log on locally to a computer using a local computer account instead of a domain account.

Log On To

Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user's ability to log on locally to a computer using a local computer account instead of a domain account.

Unlock account

Allows you to unlock user accounts that become locked because of too many failed logon attempts.

Notes
  • When the current domain controller indicates the selected user account as "not locked," this control is enabled only if the domain functional level is set to Windows Server 2008 or Windows Server 2008 R2. In other words, only Windows Server 2008 and Windows Server 2008 R2 domain controllers allow you to "force unlock" user accounts. This feature is particularly useful when user accounts get locked on Read Only Domain Controllers (RODCs) and the lockout information is not replicating to other domain controllers. Note, however, that the unlock operation can be performed only on a writable domain controller.
  • When the current domain controller indicates the selected user account as "locked," the check box text reads "Unlock account. This account is currently locked out on this Active Directory Domain Controller."

Account options

The following are the Active Directory user account options:

  • User must change password at next logon

  • User cannot change password

  • Password never expires

  • Store password using reversible encryption

  • Account is disabled

  • Smart card is required for interactive logon

  • Account is sensitive and cannot be delegated

  • Use Kerberos DES encryption types for this account

  • This account supports Kerberos AES 128 bit encryption

  • This account supports Kerberos AES 256 bit encryption

  • Do not require Kerberos preauthentication

Note

The Kerberos AES encryption options (both the 128-bit option and the 256-bit option) are available only when the domain functional level is set to Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Advanced Encryption Standard (AES) is a new encryption algorithm that has been standardized by the National Institute of Standards and Technology (NIST). It is expected to be widely used in the next several years. For more information about Kerberos authentication, see Kerberos Explained (https://go.microsoft.com/fwlink/?LinkId=85494).

Account expires

Sets the account expiration policy for this user. You can select between the following options:

  • Use Never to specify that the selected account will never expire. This option is the default for new users.

  • Select End of, and then select a date if you want to have the user's account expire on a specified date.
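
The account options and the Account expires setting above are stored as raw attribute values on the user object. The following is an added example, not part of the original page and not Microsoft's code, that decodes those values for an account audit. The function names, the constructed sample values, and the choice of which options to list for review are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits behind the check boxes (Microsoft's documented UF_* values).
UAC_OPTIONS = {
    0x000002: "Account is disabled",
    0x000080: "Store password using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use Kerberos DES encryption types for this account",
    0x400000: "Do not require Kerberos preauthentication",
}
# Reviewer's choice (an assumption of this example): options that weaken an account.
REVIEW_MASK = 0x000080 | 0x010000 | 0x200000 | 0x400000
# msDS-SupportedEncryptionTypes bits behind the two AES check boxes.
AES_OPTIONS = {
    0x08: "This account supports Kerberos AES 128 bit encryption",
    0x10: "This account supports Kerberos AES 256 bit encryption",
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "Never"
# "User cannot change password" is not decoded here: it is stored as an ACL
# entry on the user object, not as a writable userAccountControl bit.


def expiry(account_expires):
    """accountExpires (100 ns ticks since 1601-01-01 UTC) -> datetime, None = Never."""
    if account_expires in NEVER:
        return None
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=account_expires // 10)


def audit(uac, enc_types=0, pwd_last_set=1, account_expires=0):
    """Decode one account's raw attribute values into the dialog's options."""
    options = [name for bit, name in UAC_OPTIONS.items() if uac & bit]
    options += [name for bit, name in AES_OPTIONS.items() if enc_types & bit]
    if pwd_last_set == 0:  # pwdLastSet = 0 forces a change at next logon
        options.append("User must change password at next logon")
    review = [name for bit, name in UAC_OPTIONS.items() if uac & REVIEW_MASK & bit]
    return {"options": options, "review": review, "expires": expiry(account_expires)}


# Constructed sample: normal account (0x200), password never expires, no preauth.
SAMPLE = audit(0x410200, enc_types=0x18, account_expires=135379296000000000)
```

The attribute values can be exported from the directory with any LDAP query tool and passed to `audit` one account at a time.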
