Create a Resource Account in the Resource Partner Forest
Applies To: Windows Server 2008
You must use this procedure when you want to use the resource account mapping method so that federated users can access Windows NT token–based applications.
Before you proceed with the steps in this procedure, make sure that you have configured the resource forest for a new user principal name (UPN) suffix according to Checklist: Configuring the Resource Partner Organization. Creating the UPN suffix in the resource partner forest is a precondition for performing this procedure.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To create a resource account in the resource partner forest
- If you are creating a resource account on a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
You can also open Active Directory Users and Computers on a client computer that has the Windows Administration Tools Pack installed.
In the console tree, double-click the domain that you want to add the resource account to, right-click the container or organizational unit (OU) where you want the resource account to reside, point to New, and then click User.
In User logon name, type the user logon name of the federated user that will be impersonated, that is, the exact user name of the user account in the account partner forest. Then, in the drop-down list to the right of User logon name, select the UPN suffix that matches the name of the account partner forest.
For example, say that Darren Parker is an employee of A. Datum Corporation. He regularly logs into the network by using his UPN, DarrenP@Adatum.com. The administrator for Tailspin Toys has been given the task of creating a resource account for the DarrenP account. In this example, Adatum.com is the name of the account partner forest, and Tailspintoys.net is the name of the resource partner forest. After following steps 1 and 2, the administrator of Tailspintoys.net types DarrenP in the User logon name field and then selects **@adatum.com** in the drop-down list. In this example, adatum.com is the only choice in the drop-down list because the administrator added adatum.com as a UPN suffix before completing step 3.
In First name and Last name, type the first name and last name of the resource account. Then, in User logon name (pre–Windows 2000), type any unique name, and then click Next.
Federated applications may require that the resource account name be identical to the name of the federated user's account in the account forest. For this reason, consider typing a user name in this field that is identical to the user name for each account in the account partner.
In Password and Confirm password, type a long, complex password.
Verify that the User must change password at next logon check box is not selected and that the Password never expires check box is selected, and then click Next.
Resource accounts are not intended to be accessed directly by the federated user whose user account is impersonated. Therefore, the federated user does not need to know about the resource account because he or she does not need to log on with this account directly. Also, the password that is used for the resource account does not have to match the password of the impersonated user account.
- If you are prompted to create an Exchange mailbox, do not create one. Mailboxes are not necessary for resource accounts.