6. If desired, check the User Must Change Password at Next Logon option.

If you check this option, the password that you assign will work for only one logon. As soon as the user logs on, he or she will be required to change the password.

7. Click OK.

That’s all there is to it The user’s password is now reset. Deleting a User Deleting a user account is surprisingly easy. Just follow these steps:

1. Log on as an administrator.

You have to have administrator privileges in order to perform this procedure.

2. Choose Start➪Administrative Tools➪Active Directory Users and Computers.

The Active Directory Users and Computer management console appears. 3. Click Users in the console tree. 4. In the details pane, right-click the user that you want to delete and choose Delete. Windows asks whether you really want to delete the user, just in case you’re kidding.

5. Click Yes and poof The user is history.

The account, anyway. Working with groups A group is a special type of account that represents a set of users who have common network access needs. Groups can dramatically simplify the task of assigning network access rights to users. Rather than assigning access rights to each user individually, groups let you assign rights to the group itself. Then those rights automatically extend to any user account that you add to the group. The following sections describe some of the key concepts that you need for using groups effectively — and some of the most common procedures you’ll employ when setting up groups on your server. 260 Part IV: Network Operating Systems Group types Two distinct types of groups exist, and they reflect two different ways of look- ing at what a group is for: ⻬ Security groups: Most groups are security groups, which extend access rights only to members of the group. For example, if you want to allow a group of users to access your high-speed color laser printer, you can create a group called ColorPrintUsers. Then, you can grant permission to use the printer to the ColorPrintUsers group. Finally, you can add individual users to the ColorPrintUsers group. ⻬ Distribution groups: Distribution groups aren’t used as much as secu- rity groups. They are designed as a way to send e-mail to a group of users by specifying the group as the recipient. Group scope Three distinct group scopes exist: ⻬ Domain local: A group with domain local scope can have members from any domain. However, the group can be granted permissions only from the domain in which the group is defined. ⻬ Global: A group with global scope can have members only from the domain in which the group is defined. However, the group can be granted permissions in any domain in the forest. A forest is a high-level grouping of domains. ⻬ Universal scope: Groups with universal scope are available in all domains that belong to the same forest. As you can probably guess, universal scope groups are usually found only on very large networks. One common way to use domain local and global groups is like this: ⻬ Use domain local groups to assign access rights for network resources. For example, to control access to a high-speed color printer, create a domain local group for the printer. Grant the group access to the printer, but don’t add any users to the group. ⻬ Use global groups to associate users with common network access needs. For example, create a global group for users who need to access color printers. Then, add each user who needs access to a color printer mem- bership in the group. ⻬ Finally, add the global group to the domain local group. Doing so extends printer access to all members of the global group. This technique gives you the most flexibility when your network grows. 261

Chapter 19: Windows Server 2003