User Management Resource Administrator



Online Manual: "User Management Resource Administrator"

Script Action: Edit user (AD)

Function

Edit an existing user account in Active Directory. The account is identified by a variable containing the User Object. Use the action Get user (AD) to find the user first. For the user account, all regular attributes can be changed and/or reset.

Deployment

This action is typically used as one of the main actions to manage existing user accounts in Active Directory. You can use this action for a single change, for instance resetting the password of an account, or for multiple changes such as home directory, profile directory and Active Directory attributes. You cannot use this action to change the common name (full name) of a user account; use the action Script Action: Move - rename user (AD) instead.

For this action, the user account is identified by a variable (default: %UserObject%). To execute this action successfully, the variable must have a valid value. The variable is an output variable of the action Script Action: Get user (AD). The Get User action supports several ways to find the user and fill the variable.

The Edit user action contains a large number of properties. As described above, the User Object property is used to identify the user account. All other properties are initially not specified, which means that the corresponding Active Directory attributes of the user account are not changed when the action is executed. An attribute is updated in Active Directory only when its property is specified.

Properties

Property Name

Description

Typical setting

Remarks

User Object

A data structure representing the user account. Use the action 'Get user (AD)' to find the user account in Active Directory and set up the variable that contains the 'User Object'.

%UserObject%

See Deployment section.

SAM-Account-Name

The user logon name (pre-Windows 2000) without the (NETBIOS) domain name. In most cases the SAM-Account-Name is equal to the prefix of the User-Principal-Name and specified by the general %UserName% name variable. The name must be unique within the domain.

 

 

Specify the path of the organizational unit (OU) or container relative to the domain. To specify OU's in OU's, use the full path relative to the domain, separated by slashes: OU/ChildOU/GrandChildOU. Examples: students or students/group1. For more information on how to specify the domain/OU/container in which the user account is created, see the Remarks section below.

User-Principal-Name

The User-Principal-Name (UPN) is an Internet-style login name for the user. The UPN is the preferred logon name for Active Directory users. Users should be using their UPNs to log on to the domain. The UPN has the format 'account_name@domain.com', where 'account_name' is the UPN-prefix and 'domain.com' is the UPN-suffix. In most cases the User-Principal-Name prefix is specified by the general user name variable.

 

The UPN is the preferred logon name for Active Directory users. Users should be using their UPN to log on to the domain. The UPN has the format account_name@domain.com, where account_name is the UPN prefix and domain.com is the UPN suffix.

The UPN Prefix is usually chosen to be the same as the SAM-Account-Name. Typically the name contained in %UserName% is generated by the name generation algorithm.

DisplayName

This is the Display name attribute of the account. It usually contains the full name of the user.

 

 

Given-Name

The Given-name corresponds with the first name of the user account. The Given-name is an optional attribute of Active Directory user accounts.

 

 

Initials

The 'Initials'-field name corresponds with the middle name of the user account. The 'Initials'-field is an optional attribute of Active Directory user accounts.

 

 

SurName

The 'Surname' corresponds with the last name of the user account. The 'Surname' is an optional attribute of Active Directory user accounts.

 

 

 

Password generator

The specification how to generate passwords for the user account

 

 

Specifies the method used to generate a password for the user account. These methods vary from simple (easy to remember) passwords to strong passwords. There are several predefined settings available.

The resulting password will be stored in a variable. By default it is stored in the variable %Password%. This variable must be specified as the value for the Password property.

Password

The password of the user account.

 

Typically the name contained in the variable %Password% is generated by the Password generator. To create the same password for all users you can specify the password here directly. For example "test1234". You can also read the password from the input file.

Description

A user comment. The field can contain a text of any length.

 

 

Home directory

The path of the home directory of the user account. Note that the home directory is not moved or created by this action. Instead, the home directory specification in the Active Directory is updated. You can move the home directory by adding the actions 'Copy directory' and 'Delete directory' to the script.

 

The value can be specified either in the form \\<server name>\<share name>\<rest of path>, or as a local path, e.g. G:\UserData\<user name>.

Note: this specification does not create the home directory itself if it does not exist. In order to create the home directory, specify the action Create Directory in the User Management Resource Administrator script after this action.

Home directory drive

The drive letter to which the home directory is connected. Specify only the drive letter itself, without a colon or backslash.

 

 

If the drive letter is specified, the Home directory must be specified in the form \\<server name>\<share name>\<rest of path>, and not as a local path.

 

User profile

A path to the user's profile. Note that this specification does not create the profile directory. Instead, it specifies the profile's path in the SAM user account database. You can create the profile directory by adding the action 'Create Directory' to the script.

 

The value must have the form \\<server name>\<share name>\<rest of path>.

Logon script

The path for the user's logon script file. The script file can be a .CMD file, an .EXE file, or a .BAT file.

 

 

User must change password at next logon

The password is expired. Use this property to force the user to change the password at the next logon. Note that the user can log on using the current password.

 

When set to Yes, the User cannot change password property must be set to No.

User cannot change password

The user cannot change password. When the user cannot change the password, only the administrator can change the password.

 

Valid specifications are Yes and No. This setting has no effect on members of the administrators group. When set to Yes, the User must change password at next logon property must be set to No.

Password never expires

The password should never expire on the account.

 

Valid specifications are Yes and No. The default value is No. This setting overrides the Maximum Password Age setting in the password policy for the domain/computer.

Store password using reversible encryption

A password-specific option. If you have users logging on to your Windows 2000 network from Apple computers, select this option for those user accounts.

 

Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not be used.

Account disabled

The user's account is disabled. If a user account is disabled, the account does exist but cannot be used to log on to the network.

 

 

Smart card is required for interactive logon

Specifies whether a smart card is required

 

Requires that the user possesses a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is automatically set to a random and complex value and the Password never expires account option is set.

Account is trusted for delegation

Specifies whether the account is trusted for delegation

 

Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer.

Account is sensitive and cannot be delegated

Specifies that the account cannot be delegated.

 

Allows control over a user account, such as a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account.

Use DES encryption types for this account

Provides support for Data Encryption Standard (DES)

 

 

Do not require Kerberos preauthentication

Provides support for alternative implementations of the Kerberos protocol

 

 

Account expiration

Specifies the date after which the account is expired

 

 

Logon hours

The hours the user account can log on to the domain. By default, domain logon is allowed 24 hours a day, 7 days a week.

 

The value is specified as a text of 42 hexadecimal characters, representing all the hours of a week. The hours of each day are represented by 6 characters.

Workstations

A list of workstation names, separated by ",", on which the user is allowed to log on.

 

If specified, the user is only allowed to log on when seated at one of the computers (workstation or server) listed. A maximum of 8 computer (workstation or server) names can be specified.

If not specified, such an explicit restriction does not apply.

General - Office

The user's office location. This is the person's office location, including the building and office address or number.

 

 

General - TelephoneNumber

The user's phone number

 

 

General - E-mail

The user's e-mail address. The e-mail address appears with the universal principal name suffix (for example, someone@microsoft.com).

 

 

 

General - Web-Page

The user's home page URL, either on the Internet or in the local intranet site.

 

 

 

Address - Street

The user's street address

 

 

Address - P.O. Box

The user's post office box number

 

 

Address - City

The city where the user is located

 

 

Address - State/province

The state or province where the user is located

 

 

Address - Zip/Postal Code

The zip or postal code applicable for the user

 

 

Address - Country/region

The user's country or region

 

The country can be either explicitly chosen from a drop down list, or be specified as text. In the latter case it can also be read from a variable, for instance created by a column from the list of users.

Telephones - Home

The user's home telephone number

 

 

Telephones - Pager

The user's pager number

 

 

Telephones - Mobil

The user's mobile telephone number

 

 

Telephones - Fax

The user's fax number

 

 

Telephones - IP phone

The user's IP telephone number

 

 

Telephones - Notes

Descriptive information and any comments for this user.

 

 

Organization - Title

The user's title

 

 

Organization - Department

The user's department

 

 

Organization - Company

The user's company
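
The account options in the table above, from Account disabled through Do not require Kerberos preauthentication, are stored by Active Directory as bits of the userAccountControl attribute. The following added example, which is not part of the original manual or of the product, decodes such a value into this page's property names and lists the options worth reviewing after a bulk edit. The sample accounts and the review policy are constructed assumptions.

```python
# Added example (not UMRA code): map userAccountControl bits to the account
# options of the Edit user (AD) action and list the settings to review.

# Documented Active Directory userAccountControl bit values.
UAC_FLAGS = {
    0x000002: "Account disabled",
    0x000080: "Store password using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x080000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos preauthentication",
}

# Assumed review policy for this example: options that relax password or
# Kerberos protection and should only be set deliberately.
REVIEW = {
    "Store password using reversible encryption",
    "Password never expires",
    "Account is trusted for delegation",
    "Use DES encryption types for this account",
    "Do not require Kerberos preauthentication",
}
SMART_CARD = "Smart card is required for interactive logon"


def decode_uac(value):
    """Return the option names whose bit is set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def audit(accounts):
    """accounts: iterable of (sam_account_name, uac). Returns {name: [options]}."""
    report = {}
    for name, uac in accounts:
        options = decode_uac(uac)
        findings = [o for o in options if o in REVIEW]
        # The smart card option sets "Password never expires" automatically
        # (see the table), so that combination is expected, not a finding.
        if SMART_CARD in options and "Password never expires" in findings:
            findings.remove("Password never expires")
        if findings:
            report[name] = findings
    return report


# Constructed sample values (0x200 marks a normal user account).
SAMPLE = [("jdoe", 0x200), ("svc_backup", 0x10200),
          ("card_user", 0x50200), ("legacy_app", 0x600280)]
```

Calling audit(SAMPLE) reports only svc_backup and legacy_app; card_user is not reported because its non-expiring password follows from the smart card option.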
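
The Logon hours property above takes 42 hexadecimal characters, 6 per day. The following added example, which is not from the original manual, parses and builds such a value so that a restriction can be checked before it is written. It assumes the text is the hexadecimal form of the Active Directory logonHours attribute (21 bytes, one bit per hour, starting Sunday 00:00 UTC, lowest bit first); that byte and bit order is an assumption about this product's text format.

```python
# Added example (not UMRA code): read and write the 42-character
# Logon hours value. Byte and bit order are assumptions, see the lead-in.

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def parse_logon_hours(text):
    """Return {day: [allowed UTC hours]} for a 42-hex-character value."""
    if len(text) != 42:
        raise ValueError("expected 42 hexadecimal characters, got %d" % len(text))
    raw = bytes.fromhex(text)  # raises ValueError on non-hex input
    if len(raw) != 21:
        raise ValueError("value must contain hexadecimal digits only")
    week = {}
    for index, day in enumerate(DAYS):
        # 3 bytes (6 hex characters) per day; bit h set means hour h is allowed.
        bits = int.from_bytes(raw[3 * index:3 * index + 3], "little")
        week[day] = [h for h in range(24) if (bits >> h) & 1]
    return week


def build_logon_hours(allowed):
    """Build the 42-character value from {day: iterable of allowed UTC hours}."""
    out = bytearray()
    for day in DAYS:
        bits = 0
        for hour in allowed.get(day, ()):
            if not 0 <= hour < 24:
                raise ValueError("hour out of range: %r" % (hour,))
            bits |= 1 << hour
        out += bits.to_bytes(3, "little")
    return out.hex().upper()


def is_unrestricted(text):
    """True when every hour of the week is allowed (the default described above)."""
    return all(len(hours) == 24 for hours in parse_logon_hours(text).values())


# Constructed sample: weekdays only, 08:00 up to 18:00 UTC.
OFFICE_HOURS = build_logon_hours(
    {day: range(8, 18) for day in ["Mon", "Tue", "Wed", "Thu", "Fri"]})
```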

 

 

 

 

 

 

Related topics

Help on help
Principle of operation

Project operations - Manage script action properties

Script Action: Move - rename user (AD)



