Networking: A Beginner's Guide
restriction. (Note that the Log On To feature works only if the network uses the NetBIOS
or NetBEUI protocols; it will not work with TCP/IP-only networks unless the Windows
Internet Naming Service is set up on the network.)
NOTE
Allowing a user to log on to another user's computer does not mean that user can log
on with the other user's permissions or access anything that only the other user can access. This
simply means the user can use the listed physical computer to log on to his own account from that
computer.
The Account Options section of the Account tab enables you to select various
binary (on/off) account options. You set some of the options, such as requiring a user
to change the password at the next logon, as you add the account. Some options
listed are unique to the user's Properties dialog box. The two most important of these
additional options are Account Is Disabled and Account Is Trusted for Delegation.
Account Is Disabled, if selected, disables the user account while leaving it set up
within Active Directory. This option is useful if you need to deny this user account
access to the network, but might need to reenable the account in the future. (Account
Is Disabled is handled as a high-priority change within the domain, and it takes effect
immediately, even across large numbers of domain controllers.) Because deleting an
account also deletes any permissions the user might have, you should always disable
an account instead if you might need to grant access to the network again to that user.
For example, if someone is on vacation, you could disable the user's account while she
is gone, and then clear the Account Is Disabled checkbox when she returns.
You must select the Account Is Trusted for Delegation option if you want to designate
the user account to administer some part of the domain. Windows Server 2008 enables
you to grant administrative rights to portions of the Active Directory tree without
needing to give administrative rights to the entire domain.
The last option on the Account tab of the user Properties dialog box is the expiration
date setting, Account Expires. By default, it is set to Never. If you wish to define an
expiration date, you may do so in the End Of field. When the date indicated is reached,
the account is automatically disabled (but not deleted, so you can reenable it if you
wish).
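The Account tab options described above are stored in Active Directory as bits of the userAccountControl attribute, and the Account Expires date as the accountExpires attribute. The following is an added example, not taken from the book, that decodes both so exported account records can be reviewed for disabled, delegation-trusted, or expired accounts; the sample records and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values),
# labelled with the checkbox names shown on the Account tab.
UAC_FLAGS = {
    0x00000002: "Account Is Disabled",
    0x00010000: "Password Never Expires",
    0x00080000: "Account Is Trusted for Delegation",
    0x00100000: "Account Is Sensitive and Cannot Be Delegated",
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # either value means Account Expires: Never
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def account_options(uac):
    """Return the Account tab options switched on in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]

def expiry(account_expires):
    """Convert accountExpires (100 ns ticks since 1601-01-01 UTC) to a datetime, or None for Never."""
    if account_expires in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)

def to_filetime(dt):
    """Inverse of expiry(); used here only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def review(user, now):
    """List what an administrator should notice about one account record."""
    findings = account_options(user["userAccountControl"])
    when = expiry(user["accountExpires"])
    # The expiration date lives in its own attribute, so it is checked separately.
    if when is not None and when <= now:
        findings.append("Account expired " + when.strftime("%Y-%m-%d"))
    return findings

# Constructed sample records (hypothetical users); 0x200 marks a normal user account.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"name": "asmith", "userAccountControl": 0x202, "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"name": "helpdesk1", "userAccountControl": 0x80200, "accountExpires": 0},
    {"name": "temp1", "userAccountControl": 0x200,
     "accountExpires": to_filetime(datetime(2024, 1, 31, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["name"], review(user, NOW) or ["no findings"])
```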
Another tab that you will use often in the user's Properties dialog box is the Member
Of tab, in which you define the security groups for a user, as shown in Figure 17-8.
Security groups are discussed after the description of deleting or disabling a user account.
Deleting or Disabling a User Account
Deleting a user account is easy using the Active Directory Users and Groups console.
In the left pane, select the Users folder, and then select the user in the right pane. Either
right-click the user and choose Delete or open the Action pull-down menu and choose
Delete.
Disabling an account is just as easy. Select the user account, right-click it, and
choose Disable Account (or open the Action pull-down menu and choose Disable
Account).