6.1. User management via Univention Management Console module#

Users are managed in the UMC module Users (see Univention Management Console modules).

Fig. 6.1 Creating a user in the UMC module Users#

Clicking Next on Fig. 6.1 opens the second page (Fig. 6.2), where the initial password can be set.

Fig. 6.2 Password setting for a new user#

As an alternative, the user can set the initial password themselves if the Self Service app is installed. For this to work, an external email address must be entered as the contact email address. The user then receives an email at that address containing a web address and a token, which can be used to set the password and unlock the account. See also Password management via Self Service app.
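The token flow described above, as an added example that models it in Python; this is not the Self Service app's own code. The token lifetime, the shape of the link, the in-memory store and the FakeClock helper are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumed lifetime of a reset token and shape of the link; the page states neither.
TOKEN_LIFETIME = timedelta(hours=1)
NEW_PASSWORD_URL = "https://ucs.example.com/univention/self-service/#/newpassword"

# Constructed reference time used by the example and its tests.
EPOCH = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


class FakeClock:
    """Injectable clock so token expiry can be exercised without waiting."""

    def __init__(self, start=EPOCH):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetFlow:
    """Issue a one-time token by email; redeem it to set the password and unlock."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        # username -> (sha256 hex of the token, expiry instant)
        self._pending = {}

    def issue_token(self, username, contact_email):
        """Return the message that would be mailed to the contact address."""
        if not contact_email:
            # The flow needs an external address; without one there is nowhere to send the link.
            raise ValueError("contact email address required")
        token = secrets.token_urlsafe(32)
        # Only a hash is kept server-side, so a copied store cannot be replayed as links.
        self._pending[username] = (_digest(token), self._clock() + TOKEN_LIFETIME)
        query = urlencode({"username": username, "token": token})
        return {"to": contact_email, "url": f"{NEW_PASSWORD_URL}?{query}", "token": token}

    def redeem(self, username, token, new_password, account):
        """Set the password and clear the deactivation flag if the token is valid.

        Returns True on success. A token is consumed on success or on expiry; a
        wrong token leaves the pending entry in place so a typo is not fatal.
        """
        pending = self._pending.get(username)
        if pending is None:
            return False
        expected_digest, expires_at = pending
        # Constant-time comparison so response timing does not leak matching bytes.
        if not hmac.compare_digest(expected_digest, _digest(token)):
            return False
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        del self._pending[username]  # single use
        account["password"] = new_password
        account["disabled"] = False
        return True


if __name__ == "__main__":
    flow = PasswordResetFlow(FakeClock())
    account = {"disabled": True, "password": None}
    mail = flow.issue_token("smith", "smith@example.org")
    print("would send to", mail["to"], "->", mail["url"])
    print("redeemed:", flow.redeem("smith", mail["token"], "N3w-Passw0rd!", account))
```

The two decisions worth copying are visible in the code: only a hash of the token is stored, so a leaked store cannot be turned into valid links, and the comparison is constant-time and single-use. Rate limiting of redeem attempts, which a real deployment also needs, is outside the model.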

Fig. 6.3 Initial user password#

By default a simplified wizard for creating a user is shown, which only requests the most important settings. All attributes can be shown by clicking on Advanced. The simplified wizard can be deactivated by setting the Univention Configuration Registry Variable directory/manager/web/modules/users/user/wizard/disabled to true.

Fig. 6.4 Advanced user settings#

6.1.1. User management module - General tab#

Table 6.1 General tab#

Attribute

Description

Title

The title of the user is to be entered here.

First name

The first name of the user is to be entered here.

Last name

The last name of the user is to be entered here.

Username

This is the name by which the user logs into the system. For the recommended characters in usernames, see Recommendation for username definition.

To ensure compatibility with non-UCS systems, the creation of users whose names differ only in upper and lower case letters is prevented. Thus, if the username smith already exists, the username Smith cannot be created.

By default it is not possible to create a user with the same name as an existing group. If the Univention Configuration Registry Variable directory/manager/user_group/uniqueness is set to false, this check is removed.

Description

Arbitrary descriptions for the user can be entered here.

Password

The user’s password has to be entered here.

Password (retype)

In order to avoid spelling errors, the user’s password has to be entered for a second time.

Override password history

By checking this box, the password history is overridden for this user and for this password change. This means, with this change the user can be assigned a password which is already in use.

Further details on user password management can be found in User password management.

Override password check

By checking this box, the requirements for the length of the password and for password quality checks are overridden for this user and for this password change. This means, the user can e.g. be assigned a shorter password than would be possible according to the defined minimum length.

Further details on the password policies for users can be found in User password management.

Primary email address (mailbox)

The email address of the user is declared here, see Assignment of email addresses to users.

Display name

The display name is automatically composed of the first name and last name. It generally does not need to be changed. The display name is used, among other things, for synchronization with Active Directory and Samba/AD.

Birthday

This field is used to save a user’s birthday.

Organization

The organization is to be entered here.

Employee number

Numbers for staff members can be entered in this field.

Employee type

The category of the staff member can be entered here.

Superior

The superior of the user can be selected here.

Picture of the user (JPEG format)

This field can be used to store a picture of the user in LDAP in JPEG format. By default, the file size is limited to 512 kilobytes.
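The username uniqueness rules and the two password override checkboxes described in this table, as an added example in Python that is not UCS or UDM code. The LDAP filter, the in-memory user and group lists and the policy values (minimum length, history depth) are assumptions made for the example.

```python
import hashlib
import hmac

# RFC 4515 escapes for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a value for an LDAP filter so a username like 'smi*' cannot widen the query."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def uniqueness_filter(username, user_group_uniqueness=True):
    """Build the LDAP filter that finds anything the new username would collide with.

    uid and cn use caseIgnoreMatch in the standard schema, so 'Smith' matches an
    existing 'smith' without extra lower-casing. user_group_uniqueness mirrors
    directory/manager/user_group/uniqueness: when False, group names are not checked.
    """
    u = ldap_escape(username)
    if user_group_uniqueness:
        return f"(|(uid={u})(&(objectClass=posixGroup)(cn={u})))"
    return f"(uid={u})"


def username_conflict(username, existing_users, existing_groups, user_group_uniqueness=True):
    """In-memory equivalent of running uniqueness_filter: returns 'user', 'group' or None."""
    key = username.casefold()
    if any(u.casefold() == key for u in existing_users):
        return "user"
    if user_group_uniqueness and any(g.casefold() == key for g in existing_groups):
        return "group"
    return None


def _digest(password):
    # Unsalted SHA-256 only so history entries can be compared in the example;
    # a real directory stores salted password hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordPolicy:
    """Length and history rules plus the two per-change override checkboxes."""

    def __init__(self, min_length=8, history_length=3):
        self.min_length = min_length          # assumed policy value
        self.history_length = history_length  # assumed policy value

    def check(self, new_password, history, override_history=False, override_check=False):
        """Return the violated rules ('length', 'history'); an empty list means accepted."""
        violations = []
        if not override_check and len(new_password) < self.min_length:
            violations.append("length")
        if not override_history:
            candidate = _digest(new_password)
            recent = history[-self.history_length:]
            if any(hmac.compare_digest(candidate, old) for old in recent):
                violations.append("history")
        return violations

    def record(self, history, password):
        """Append the accepted password's digest, keeping only history_length entries."""
        return (history + [_digest(password)])[-self.history_length:]


if __name__ == "__main__":
    print(uniqueness_filter("smi*"))
    print(username_conflict("Smith", ["smith"], ["sales"]))
    print(PasswordPolicy().check("short", []))
```

The filter function is where the practitioner's care goes: the uniqueness check is a directory search built from user-supplied input, so the value is escaped before it is interpolated, and the case-insensitive match comes from the attribute's matching rule rather than from string munging. Both override flags are per change: record() is still called afterwards, so the next change is again subject to the full policy.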

6.1.2. User management module - Groups tab#

Table 6.2 Groups tab#

Attribute

Description

Primary group

This selection list can be used for specifying the user’s primary group. All the groups registered in the domain are open for selection. By default, the group Domain Users is preset.

Groups

Here it is possible to set further group memberships for the user in addition to the primary group.

6.1.3. User management module - Account tab#

Table 6.3 Account tab#

Attribute

Description

Account is deactivated

The Account is deactivated checkbox can be used to deactivate the user account. If the checkbox is selected, the user cannot log into the system. This affects all authentication methods. This is typically used when a user leaves the company. In a heterogeneous environment, an account deactivation might also be caused by external tools.

Account expiry date

A date is specified in this input field on which the account will automatically be locked. This is practical for user accounts that only need to be active for a certain period of time, e.g., for interns.

If the date is deleted or replaced by a different, future date, the user will regain the right to sign in.

User has to change password on next login

If this checkbox is ticked, then the user has to change their password during the next login procedure.

Password expiry date

If the password is subject to an expiry date, then this date is displayed in this entry field. This entry field cannot be edited directly, see User password management.

If a password expiry interval is defined, the password expiry date is automatically adjusted when passwords are changed.

If no Expiry interval is declared, the old expiry date will be deleted and no new date will be set.

Unlock lockout

If the account has been locked temporarily for security reasons, usually because the user has entered the password incorrectly too often, this checkbox can be used to unlock the account manually before the lockout is lifted automatically at the end of the lockout duration. Such a temporary lockout only occurs if an administrator has defined a corresponding domain-wide policy. Three different mechanisms may trigger a lockout if configured:

  • Failed PAM authentication attempts on a UCS server (see Automatic lockout of users after failed login attempts).

  • Failed LDAP authentication attempts (if the ppolicy overlay has been activated and configured).

  • Failed Samba/AD authentication attempts (if the Samba domain password settings have been configured).

Lockout till

If the account has automatically been locked temporarily for security reasons, usually because the user has entered the password incorrectly too often, this field shows the time when the account automatically gets unlocked.

Activation date

If a user account is only to become usable at a later date, that date can be set here. A cron job periodically checks whether accounts need to be activated; it runs every 15 minutes by default. When the changes are saved, the account is automatically marked as deactivated if a date in the future has been specified.

Windows home drive

If the Windows home directory for this user is to show up on a different Windows drive than that specified by the Samba configuration, then the corresponding drive letter can be entered here, e.g. M:.

Windows home path

The path of the directory which is to be the user's Windows home directory is entered here, e.g. \\ucs-file-server\smith.

Windows logon script

The user-specific logon script relative to the NETLOGON share is entered here, e.g. user.bat.

Windows profile directory

The profile directory for the user can be entered here, e.g. \\ucs-file-server\userprofile.

Relative ID

The relative ID (RID) is the local part of the SID. If a user is to be assigned a specific RID, it can be entered in this field. If no RID is assigned, the next available RID is used automatically. The RID cannot be changed afterwards. Integers from 1000 upwards are permitted; RIDs below 1000 are reserved for standard groups and other special objects.

Samba privilege(s)

This selection list can be used to assign selected Windows system privileges to the user, for example the permission to join a system to the domain.

Permitted times for Windows logins

This input field contains time periods for which this user can sign in to Windows computers.

If no entry is made in this field, the user can sign in at any time of day.

Allow the authentication only on these Microsoft Windows host(s)

This setting specifies the clients where the user may sign in. If no settings are made, the user can sign in to any client.

UNIX home directory

The path of the user’s home directory.

Login shell

The user’s login shell is to be entered in this field. This program is started if the user performs a text-based login. By default, /bin/bash is preset.

User ID

If the user is to be assigned a certain user ID, the ID in question can be entered in this field. If no value is specified, a free user ID is assigned automatically.

The user ID can only be declared when adding the user. When the user data are subsequently edited, the user ID will be represented in gray and barred from change.

Group ID of the primary group

The group ID of the user's primary group is shown here. The primary group can be changed in the Groups tab.

Home share

If a share is selected here, the home directory is stored on the specified server. If no selection is made, the user data are saved on the respective login system.

Home share path

The path of the home directory relative to the Home share is declared here. The username is already preset as a default value when creating a user.
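How the flags on this tab combine, as an added Python model that is not UCS code: deactivation, the account expiry date, temporary lockout, the save-time rule for a future activation date, and the password expiry date after a change. The dates and the helper functions day() and at() are constructed for the example; where the page does not define a detail (whether the expiry day itself is still usable, what exactly the activation job does), the choice made here is labelled as an assumption in the comments.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

ACTIVATION_CRON_INTERVAL = timedelta(minutes=15)  # default period stated on the page


def day(year, month, d):
    """Constructed date helper so callers need no datetime import."""
    return date(year, month, d)


def at(year, month, d, hour=0, minute=0):
    """Constructed UTC instant helper."""
    return datetime(year, month, d, hour, minute, tzinfo=timezone.utc)


@dataclass
class Account:
    disabled: bool = False                       # "Account is deactivated"
    expiry_date: Optional[date] = None           # "Account expiry date"
    activation_date: Optional[date] = None       # "Activation date"
    lockout_till: Optional[datetime] = None      # "Lockout till"
    change_password_next_login: bool = False     # "User has to change password on next login"


def save(account, today):
    """Save-time rule from the page: a future activation date marks the account deactivated."""
    if account.activation_date is not None and account.activation_date > today:
        account.disabled = True
    return account


def activation_cron(account, today):
    """What the periodic activation job is assumed to do once the date is reached:
    clear the deactivation flag and drop the activation date. This reading of the
    job is an assumption; the page only says it activates accounts."""
    if account.activation_date is not None and account.activation_date <= today:
        account.disabled = False
        account.activation_date = None
    return account


def login_allowed(account, now):
    """Combine the Account tab flags into (allowed, reason) at instant `now`.

    Assumption: an expired account is refused from the start of the expiry day.
    The checks are ordered so the strongest, non-time-based refusal wins.
    """
    today = now.date()
    if account.disabled:
        return False, "deactivated"
    if account.expiry_date is not None and today >= account.expiry_date:
        return False, "expired"
    if account.lockout_till is not None and now < account.lockout_till:
        return False, "locked out"
    if account.change_password_next_login:
        return True, "password change required"
    return True, "ok"


def password_expiry(last_change, expiry_interval_days):
    """New password expiry date after a change: last change plus the policy's
    interval, or None when no interval is defined (the old date is cleared)."""
    if expiry_interval_days is None:
        return None
    return last_change + timedelta(days=expiry_interval_days)


if __name__ == "__main__":
    intern = save(Account(activation_date=day(2024, 9, 1)), today=day(2024, 8, 15))
    print(login_allowed(intern, at(2024, 8, 20)))
    activation_cron(intern, day(2024, 9, 1))
    print(login_allowed(intern, at(2024, 9, 1, 0, ACTIVATION_CRON_INTERVAL.seconds // 60)))
    print(password_expiry(day(2024, 1, 1), 90), password_expiry(day(2024, 1, 1), None))
```

Two consequences of the page's rules show up in the model: an account with a future activation date is an ordinary deactivated account until the cron job runs, so it can sit unusable for up to one cron interval after the date is reached, and deleting or postponing the expiry date restores access immediately because nothing else is modified.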

6.1.4. User management module - Contact tab#

Table 6.4 Contact tab#

Attribute

Description

Email address(es)

Additional email addresses can be saved here. These are not evaluated by the mail server.

The values of this attribute are stored in the LDAP attribute mail. Most address book applications using an LDAP search function will search for an email address by this attribute.

Telephone number(s)

This field contains the user’s business phone number.

Room number(s)

The room number of the user.

Department number(s)

The department number of the user can be entered here.

Street

The street and house number of the user’s business address can be entered here.

Postal code

This field contains the postal code of the user’s business address.

City

This field contains the city of the user’s business address.

Private telephone number(s)

The private fixed network phone number can be entered here.

Mobile telephone number(s)

The user’s mobile numbers can be entered here.

Pager telephone number(s)

Pager numbers can be entered here.

Private postal address(es)

One or more of the user’s private postal addresses can be entered in this field.

6.1.5. User management module - Mail tab#

This tab is displayed in the advanced settings.

The settings are described in Assignment of email addresses to users.

6.1.6. User management module - Options tab#

Table 6.5 (Options) tab#

Attribute

Description

Public key infrastructure account

If this checkbox is ticked, the user object is assigned the object class pkiUser; if it is not ticked, the object class is not assigned.