
Managing objects in Active Directory

When you deploy Active Directory and Windows 2000 or Windows 2003, you must learn a new set of administration utilities and new ways of doing things. In this article, I'll show you how to manage objects using the Active Directory Users And Computers utility.

Active Directory (AD) presents fresh challenges to new Windows 2000 administrators. If you've administered Windows NT before, you can forget much of what you knew and begin learning new ways of doing things. One of the new things you must learn to do is create and manage objects in Active Directory.

You manage these objects in the AD through the Active Directory Users And Computers console, just as you do for shared folders, printers, and other objects. In this article, I'll show you how to manage common objects in Active Directory.

Working with User objects

As mentioned previously, Windows 2000 creates a Users container when it sets up the directory. This container stores users and groups. By default, it contains the Administrator and Guest accounts, as well as several default groups such as Domain Users and Domain Guests. You'll also see other accounts - such as the IUSR_machine account used by IIS for anonymous authentication - depending on the server's configuration.

While the Users container is the default location for accounts, you're not limited to storing accounts in it. OUs are another option for storing users and groups. They give you the added ability to organize the directory along logical administrative lines for several purposes. For example, organizing users and groups through OUs helps you as an administrator to locate users and groups more easily, particularly in domains with a large number of accounts. You also can apply a group policy at the OU, domain, and site levels, giving you considerable flexibility for selectively applying policies.

Managing accounts is a relatively straightforward process. To create a new account, right-click the container in which you want the account created and choose New | User. This starts a wizard that prompts you for the following information:

  • User's first name, middle initial, and last name - The console builds the Full Name field from this data, but you can change the Full Name field as needed. The Full Name field is the name that appears for the account in the directory.
  • User logon name - This is the user's account name. Windows 2000 automatically postfixes the name in the account properties with the domain name, resulting in a logon name similar to This is not an e-mail address even though it will likely coincide with the user's e-mail address.
  • Pre-Windows 2000 logon name - This logon name can be used when logging on from non-Windows 2000 clients as well as Windows 2000 clients.

The wizard also prompts you for the account password and general password properties. You also have the option of disabling the account when you create it. If you have Exchange Server installed, the wizard also prompts you for mailbox information and gives you the option of creating the account without a mailbox.
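As an added example (not from the article, which covers only the console), the same fields the New User wizard collects, supplied through the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 and later. The OU path, group name and user values are constructed placeholders.

```powershell
# Added example, not from the article: creating a user with the fields the
# ADUC New User wizard collects, via the ActiveDirectory PowerShell module.
# OU path, group and user values below are constructed placeholders.
Import-Module ActiveDirectory

function New-WizardStyleUser {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [string] $Initial,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $LogonName,      # "User logon name" in the wizard
        [Parameter(Mandatory)] [string] $OUPath,         # container the wizard was started from
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $Disabled                               # "Account is disabled" check box
    )

    # The console builds Full Name as "First I. Last"; mirror that here.
    $fullName = if ($Initial) { "$FirstName $Initial. $LastName" } else { "$FirstName $LastName" }

    $params = @{
        Name                  = $fullName
        GivenName             = $FirstName
        Surname               = $LastName
        # The wizard appends the domain suffix to build the UPN.
        UserPrincipalName     = "$LogonName@$((Get-ADDomain).DNSRoot)"
        # Pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
        SamAccountName        = $LogonName.Substring(0, [Math]::Min(20, $LogonName.Length))
        Path                  = $OUPath
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true
        Enabled               = -not $Disabled.IsPresent
        PassThru              = $true
    }
    if ($Initial) { $params.Initials = $Initial }

    New-ADUser @params
}

# Prompt for the initial password so no secret is embedded in the script.
$pw = Read-Host -AsSecureString -Prompt "Initial password"
$user = New-WizardStyleUser -FirstName Jane -Initial M -LastName Doe -LogonName jdoe `
    -OUPath "OU=Sales,DC=example,DC=com" -Password $pw -Disabled

# Member Of tab: add the new account to a group, then show the SID that
# permissions are actually bound to (a recreated account gets a new one).
Add-ADGroupMember -Identity "Sales Staff" -Members $user
Get-ADUser -Identity $user -Properties MemberOf |
    Select-Object Name, SamAccountName, UserPrincipalName, SID, Enabled, MemberOf
```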

After you create the account, you can modify other properties for the account. Just double-click the account to open its property sheet. You'll see quite a few other properties besides what you entered in the wizard. The property pages include the following tabs:

  • General - This tab lists the user's name, e-mail address, Web page address, and other common properties.
  • Address - This tab lists the user's physical address (street, city, etc.).
  • Account - The Account tab lists the user's account name and lets you configure account options such as logon hours, to which computers the user can log on, account expiration, and a handful of additional account options.
  • Profile - Use this tab to configure the user's profile path, logon script, and home folder.
  • Telephones - You can use this tab to list several phone numbers for the user.
  • Organization - This tab lists the user's company, department, title, manager, and to whom the user reports.
  • Environment - This tab lets you configure the Terminal Services startup environment for the user.
  • Sessions - Use the Sessions tab to configure Terminal Services timeout and reconnection settings.
  • Remote Control - Use this tab to enable remote control and/or observation of the user's Terminal Services session.
  • Terminal Services Profile - This tab allows you to specify a mandatory or roaming user profile for the user's Terminal Services sessions and a home directory for sessions.
  • Published Certificates - Use this tab to view and manage the user's certificates.
  • Member Of - Use this tab to configure the user's group membership.
  • Dial-In - With this tab, you can allow or deny dial-in access for the user and set callback and other RRAS options.
  • Object - This tab lists read-only information about the user object, including the Update Sequence Numbers (USNs), which are used to track the object in the directory.
  • Security - Use the Security tab to define the permissions that users and groups have over the account.

You can move users to other containers through the Active Directory Users And Computers console. You also can delete and rename the account. Renaming an account changes the way it is displayed in the console but does not affect its logon name or its SID. Deleting an account removes it from the directory. If you create a new account with the same properties, keep in mind that the new account will not have the same SID as the old account and will require that you reapply permissions to resources to allow the user to access them - but only if you applied permissions through the account rather than through group membership.

You can perform a handful of other actions on the account, as well. Right-click the account and choose the action from the context menu. For example, you can send an e-mail to the user, disable the account, open the user's home page, and add the user to groups.

Working with Group objects

You also use the Active Directory Users And Computers console to create and manage groups. You can create domain local and global security groups, and create domain local, global, and universal distribution groups. You can use security groups as distribution groups under Exchange 2000 Server, but distribution groups cannot be used as security principals. If Exchange 2000 Server is installed, you also can assign a mailbox and create an e-mail address for the group through the wizard.

The properties for a group enable you to change group membership, delegate control of the group, and perform additional management tasks. Simply double-click a group to open its property sheet, which includes the following pages:

  • General - This page lists the group's pre-Windows 2000 group name, e-mail address, group type, and optional administrative notes.
  • Members - Use the Members page to view current members and add/remove members to the group.
  • Member Of - This page lets you view and manage the group's membership within other groups in the domain or other universal groups from other domains in the forest.
  • Managed By - Use this page to specify the information for the person who's responsible for managing the group and to view that user's account properties.
  • Object - This page lists read-only information about the group object, including its USNs.
  • Security - Use the Security page to define the permissions that users and groups have over the group.

As with user accounts, you can right-click a group and perform tasks from the group's context menu, such as renaming the group or moving it to another container.

Controlling access to AD objects

An important aspect of managing objects in the Active Directory is ensuring that they are secure. For example, you want to ensure that only the appropriate users have the ability to change membership for a group, add new users to a particular OU, remove or modify user accounts, and so on.

You control access to objects in the Active Directory by setting Access Control Lists (ACLs) on the object, just as you would for, say, a shared NTFS folder. While the actual permissions are different, the concept is the same. The permissions you assign determine the control that users can exercise over the object. You can change permissions on essentially any object in the AD, although you should modify permissions with some discretion. For example, you should not change the permissions for the many default objects (such as the System container) unless you fully understand the implications of the change and have a specific reason for making modifications.

You configure permissions on AD objects through the Active Directory Users And Computers console. Locate the object in the directory, right-click it, and choose Properties. Select the Security page to view and modify the permissions for the object. Existing users and groups for which the permissions apply appear in the top half of the property sheet, and the most common applicable permissions appear in the bottom half. Select a user or group to view and manage its permissions. Click Advanced to configure advanced permissions, enable auditing, and set ownership of the object.

You also can configure inheritable permissions for the object through the Security page. By default, all objects inherit permissions from their parent objects. For example, an OU that you create in a container inherits permissions from the container. The option Allow Inheritable Permissions From Parent To Propagate To This Object, if selected, enables inheritance. Deselect this option if you need to apply permissions to a child object that differ from its parent's permissions.

Delegating administrative control

Another important aspect of managing objects in the Active Directory is delegating administration of those objects to others. For example, assume you work in a large organization with many OUs, each for a different department or division. You could spend your entire day doing nothing but managing users for all of those departments. To keep this from happening, delegate administrative control of each OU to a power user or administrator in each department.

To delegate an object, open the Active Directory Users And Computers console, locate and right-click the object, and choose Delegate Control from the context menu to start the Delegation Of Control wizard. After you select the users or groups to which you want to delegate administrative control, the wizard displays a list of common tasks that you can delegate. The tasks vary according to the object's type, but for the purpose of this explanation, I'll assume you're delegating control of an OU. The common tasks for an OU include:

  • Creating, deleting, and managing user accounts
  • Resetting passwords on user accounts
  • Reading all user information
  • Creating, deleting, and managing groups
  • Modifying the membership of a group
  • Managing group policy links

You can enable delegation for each of these tasks individually. For example, you can grant a user the ability to create, delete, and manage user accounts but not create, delete, or manage groups. You also can define custom tasks for delegation through the wizard.

If you select the option to create a custom task, the wizard presents a list of all object types for the folder (an extensive list). You can select multiple object types and then set general and property-specific permissions, as well as permissions to control the creation and deletion of specific child objects. In short, you can create essentially any combination of tasks and permissions through this method. Doing so requires an in-depth understanding of Active Directory and the objects in the container. In the majority of cases, the common tasks presented by the wizard enable you to adequately delegate administrative control in a secure fashion.
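Both the Security page settings described earlier and the ACEs the Delegation Of Control wizard writes end up in the OU's ACL, so the natural follow-up check is to read that ACL back. This added example (not from the article) does so with the ActiveDirectory module's AD: drive, resolving the property and extended-right GUIDs to names and reporting whether inheritance from the parent has been blocked; the OU distinguished name is a constructed placeholder.

```powershell
# Added example, not from the article: reads back what the Security page and
# the Delegation Of Control wizard put on an OU. OU DN is a placeholder.
Import-Module ActiveDirectory

function Get-OUDelegationReport {
    param([Parameter(Mandatory)] [string] $OUDistinguishedName)

    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"

    # GUID -> name table from the schema (attributes/classes) and the
    # Extended-Rights container (e.g. "Reset Password") so ACEs are readable.
    $rootDse = Get-ADRootDSE
    $names = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }

    function Resolve-AceGuid([guid] $g, [string] $ifEmpty) {
        if ($g -eq [guid]::Empty) { $ifEmpty } elseif ($names.ContainsKey($g)) { $names[$g] } else { $g.ToString() }
    }

    # Explicit (non-inherited) ACEs are the ones the wizard or a manual edit
    # placed on this OU; inherited ones come from the parent container.
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Property  = Resolve-AceGuid $_.ObjectType '(all)'
            AppliesTo = Resolve-AceGuid $_.InheritedObjectType '(any object class)'
            Inherit   = $_.InheritanceType
        }
    }

    [pscustomobject]@{
        OU                 = $OUDistinguishedName
        Owner              = $acl.Owner
        # True when "Allow Inheritable Permissions From Parent..." is cleared.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitAces       = @($explicit)
    }
}

$report = Get-OUDelegationReport -OUDistinguishedName 'OU=Sales,DC=example,DC=com'
$report | Select-Object OU, Owner, InheritanceBlocked
$report.ExplicitAces | Format-Table -AutoSize
```

Run it before and after using the wizard to see exactly which ACEs a delegated task added, and periodically to catch rights that were never meant to be delegated.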


Copyright ©2007