38720906 Step by Step Guide to Managing Active Directory


8/8/2019 38720906 Step by Step Guide to Managing Active Directory

Step-by-Step Guide to Managing Active Directory
Published: September 17, 2004

This guide introduces you to administration of the Windows Server 2003 Active Directory service and the Active Directory Users and Computers snap-in.

On This Page
Introduction
Overview
Using Active Directory Domains and Trusts Snap-In
Using the Active Directory Users and Computers Snap-In
Additional Resources

Introduction

Step-by-Step Guides

The Microsoft Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory, the installation of a Windows XP Professional workstation, and finally the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not wish to follow this common network infrastructure, you will need to make appropriate modifications while using these guides.

The common network infrastructure requires the completion of the following guides.

Part I: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.

Microsoft Virtual PC

The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios.

The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification.


Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.

Important Notes

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.


Overview

This guide introduces you to administration of the Windows Server 2003 Active Directory service. The Active Directory administrative tools simplify directory service administration. You can use the standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on single management tasks. You can combine several tools into one console. You can also assign custom tools to individual administrators with specific administrative responsibilities.

The Active Directory administrative tools can only be used from a computer with access to a domain. The following Active Directory administrative tools are available on the Administrative Tools menu:

Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services

You can also remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. To do this, you must install the Windows Server 2003 Administration Tools Pack.

The Active Directory Schema snap-in is an Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu and must be added manually.

For advanced administrators and network support specialists, there are many command-line tools that can be used to configure, manage, and troubleshoot Active Directory. You can also create scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on the operating system installation media.

Prerequisites

Part I: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
Step by Step Guide to Setting up Additional Domain Controllers

Guide Requirements

You must be logged on as a user with administrative privileges to perform the procedures in this document.

If you are working on a domain controller, the Active Directory Schema snap-in might not be installed. To install it:

At a command-line prompt, type regsvr32 schmmgmt.dll

The Active Directory Schema management snap-in will now be available within MMC.

On Windows Server 2003-based stand-alone servers or Windows XP Professional workstations, Active Directory Administrative Tools are optional. You can install them from Add/Remove Programs in the Control Panel using the Windows Components wizard or from the ADMINPAK on the Windows Server 2003 CD.


Using Active Directory Domains and Trusts Snap-In

The Active Directory Domains and Trusts snap-in provides a graphical view of all domain trees in the forest. Using this tool, an administrator can manage each of the domains in the forest, manage trust relationships between domains, configure the mode of operation for each domain (native or mixed mode), and configure the alternative User Principal Name (UPN) suffixes for the forest.

Starting the Active Directory Domains and Trusts Snap-In

To start the snap-in

1. On HQ-CON-DC-01, click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts snap-in appears as in Figure 1.

Figure 1. Active Directory Domains and Trust Snap-In

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of the forest. In this guide and the other step-by-step guides in this series, the default UPN suffix is contoso.com.

You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows Server 2003 domain and is not required to be a valid DNS domain name.

To add additional UPN suffixes

1. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties.
2. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.
3. Click OK to close the window.
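The same change made from a script, using the ADSI interfaces the Overview mentions rather than the dialog. This is an added example, not part of the guide: it assumes a forest whose configuration partition is reachable through RootDSE, a session running as an Enterprise Admin (the attribute is forest-wide), and the suffix value corp.contoso.local is constructed for illustration.

```powershell
# Added example (not from the guide): read and append alternate UPN suffixes with ADSI.
# The forest-wide list lives in the uPNSuffixes attribute of the Partitions container
# in the configuration partition, which is what the Domains and Trusts Properties dialog edits.

$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.Get("configurationNamingContext")
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# List what is already defined. The forest root DNS name (contoso.com here) is always
# implied and is not stored in this attribute.
Write-Host "Existing alternate UPN suffixes:"
foreach ($s in $partitions.uPNSuffixes) { Write-Host "  $s" }

# Append a new suffix only if it is absent; appending a duplicate value fails with an LDAP error.
$newSuffix = 'corp.contoso.local'   # constructed example value
if ($partitions.uPNSuffixes -notcontains $newSuffix) {
    $partitions.PutEx(3, 'uPNSuffixes', @($newSuffix))   # 3 = ADS_PROPERTY_APPEND
    $partitions.SetInfo()
    Write-Host "Added $newSuffix"
} else {
    Write-Host "$newSuffix is already defined"
}
```

An alternate suffix changes how a logon name looks; it does not add a credential or an extra check, so treat the list as naming policy rather than a security control, keep it short, and review it, since any suffix defined here can be assigned to any user in the forest.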

    Changing Domain and Forest Functionality


Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.

If all domain controllers in your domain or forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain and forest-wide features are available. When Windows NT 4.0 or Windows 2000 domain controllers are included in your domain or forest with domain controllers running Windows Server 2003, only a subset of Active Directory domain and forest-wide features are available.

The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security ID (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows 2000 Server are not aware of domain and forest functionality.

Warning: Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.

Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.

To raise domain functionality

1. Right-click the domain object (in the example, contoso.com), and then click Raise Domain Functional Level.
2. From the Select an available domain functional level drop-down list, select Windows Server 2003, and then click Raise.
3. Click OK on the warning message to raise domain functionality. Click OK again to complete the process.
4. Close the Active Directory Domains and Trusts window.
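Because the raise is one-way (see the warning above), a pre-flight check is worth running before step 1: read the current level and confirm that no earlier-OS domain controllers remain. The script below is an added example, not from the guide; it uses ADSI and System.DirectoryServices, assumes the contoso.com domain from the guide, and assumes a Windows Server 2003 schema (the msDS-Behavior-Version attribute does not exist on a pure Windows 2000 schema).

```powershell
# Added example (not from the guide): check the domain functional level and the OS of every DC
# before raising the level, since the raise cannot be undone.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Get("defaultNamingContext")      # DC=contoso,DC=com in the guide's lab
$domain   = [ADSI]"LDAP://$domainDn"

# msDS-Behavior-Version holds the functional level; ntMixedDomain is 1 in mixed mode, 0 in native.
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
$level = [int]$domain.Get("msDS-Behavior-Version")
$mode  = if ([int]$domain.Get("ntMixedDomain") -eq 1) { 'mixed' } else { 'native' }
Write-Host ("Current domain functional level: {0} ({1}), {2} mode" -f $level, $levelNames[$level], $mode)

# Every DC has the SERVER_TRUST_ACCOUNT bit (0x2000) set in userAccountControl; the
# 1.2.840.113556.1.4.803 matching rule is a bitwise AND, so this finds DCs in any OU.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "operatingSystem", "operatingSystemVersion"))

$downLevel = @()
foreach ($dc in $searcher.FindAll()) {
    $name = [string]$dc.Properties["cn"][0]
    $os   = [string]$dc.Properties["operatingsystem"][0]
    Write-Host ("  {0,-20} {1}" -f $name, $os)
    # Windows NT 4.0 and Windows 2000 DCs block a raise to the Windows Server 2003 level.
    if ($os -match 'Windows NT|Windows 2000') { $downLevel += $name }
}

if ($downLevel.Count -gt 0) {
    Write-Warning ("Do not raise the level yet; down-level DCs remain: " + ($downLevel -join ', '))
} elseif ($level -ge 2) {
    Write-Host "Domain is already at the Windows Server 2003 level."
} else {
    Write-Host "All DCs report Windows Server 2003 or later; the Raise Domain Functional Level dialog can be used."
}
```

The operatingSystem attribute is written by each DC about itself, so a DC that has been offline for a long time still shows up with whatever it last reported; confirm against replication and inventory records rather than this listing alone before raising.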


Using the Active Directory Users and Computers Snap-In

To start the Active Directory Users and Computers snap-in

1. Click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Contoso.com by clicking +.

Figure 2 displays the key components of the Active Directory Users and Computers snap-in.


Figure 2. Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

Folder: Description
Domain: The root node of the snap-in represents the domain being administered.
Computers: Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003-based computers that join a domain. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. You can move these objects.
System: Contains Active Directory systems and services information.
Users: Contains all the users in the domain. In an upgrade, all users from the previous domain will be migrated. Like computers, the user objects can be moved.

You can use Active Directory to create the following objects.

Object: Description
User: A user object is an object that is a security principal in the directory. A user can log on to the network with these credentials, and access permissions can be granted to users.
Contact: A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail.
Computer: An object that represents a computer on the network. For Windows NT-based workstations and servers, this is the machine account.
Organizational Unit: Organizational units (OUs) are used as containers to logically organize directory objects such as users, groups, and computers in much the same way that folders are used to organize files on your hard disk.
Group: Groups can have users, computers, and other groups. Groups simplify the management of large numbers of objects.
Shared Folder: A shared folder is a network share that has been published in the directory.
Shared printer: A shared printer is a network printer that has been published in the directory.


Adding an Organizational Unit

This procedure creates an additional OU in the Contoso domain. Note that you can create nested OUs, and there is no limit to the nesting levels.

These steps follow the Active Directory structure established in the common infrastructure step-by-step guides. If you did not create that structure, add the OUs and users directly under Contoso.com; that is, where Accounts is referred to in the procedure, substitute Contoso.com.

To add an OU

1. Click the + next to Accounts to expand it.
2. Right-click Accounts.
3. Point to New and click Organizational Unit. Type Construction as the name of your new organizational unit, and then click OK.

Repeat the previous steps to create additional OUs as follows:

Organizational unit Engineering under Accounts.
Organizational unit Manufacturing under Accounts.
Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-click Manufacturing, point to New, and then click Organizational Unit.)
Organizational units Corporate and Government under the Manufacturing organizational unit.

Click Manufacturing so that its contents will display in the right pane. When you are finished, you should have the hierarchy shown in Figure 3.

Figure 3. New OUs

Creating a User Account

The following procedure creates the user account John Smith in the Construction OU.

To create a user account

1. Right-click the Construction organizational unit, point to New, and then click User, or click New User on the snap-in toolbar.
2. Type user information as shown in Figure 4.


Figure 4. New User Dialog Box

3. Click Next to continue.
4. Type pass#word1 in both the Password and Confirm password boxes, and then click Next.

Note: The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Windows Server 2003 family has a new feature that requires complex passwords for all newly established user accounts. For information about this feature, see the Setting Password Policy step-by-step guide.

5. Click Finish to accept the confirmation in the next dialog box.

You have now created an account for John Smith in the Construction OU.

To add additional information about this user

1. Select Construction in the left pane, right-click John Smith in the right pane, and then click Properties.
2. Add more information about the user in the Properties dialog box on the General tab as shown in Figure 5, and then click OK. Click each available tab and review the optional user information that may be defined.


Figure 5. Additional User Information

Moving a User Account

Users can be moved from one OU to another within the same domain or a different domain. For example, in this procedure, John Smith moves from the Construction division to the Engineering division.

To move a user from one OU to another

1. Click the John Smith user account in the right pane, right-click it, and then click Move.
2. On the Move screen, click + next to Accounts to expand it as shown in Figure 6.

Figure 6. List of Available OUs


3. Click the Engineering OU, and then click OK.

Creating a Group

To create a group

1. Right-click the Engineering OU, click New, and then click Group.
2. In the New Object - Group dialog box, type Tools for Name.
3. Review the type and scope of groups available in Windows Server 2003 as shown in the following table. Leave the default settings, and then click OK to create the Tools group.

The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers. Both security and distribution groups can be used for e-mail distribution lists.

The Group scope determines the visibility of the group and what type of objects can be contained within the group.

Scope         Visibility   May Contain
Domain Local  Domain       Users, Domain Local, Global, or Universal Groups
Global        Forest       Users or Global Groups
Universal     Forest       Users, Global, or Universal Groups

Adding a User to a Group

To add a user to a group

1. Click the Engineering OU in the left pane.
2. Right-click the Tools group in the right pane, and then click Properties.
3. Click the Members tab, and then click Add.
4. In the Enter the object names to select text box, type John, and then click OK.

Figure 7. Add John Smith to the Tools Security Group

5. On the Tools Properties screen, verify John Smith is now a member of the Tools Security Group, and then click OK.
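The OU, user, move, group and membership procedures above, carried out as one ADSI script from a domain-joined session. This is an added example, not from the guide; it assumes the common-infrastructure container OU=Accounts,DC=contoso,DC=com exists, and the logon name jsmith and its UPN are constructed for the example. It also decodes the groupType bit field back into the scope and type names used in the table above.

```powershell
# Added example (not from the guide): script the Construction/Engineering procedures with ADSI.
$accounts = [ADSI]"LDAP://OU=Accounts,DC=contoso,DC=com"

# "To add an OU": create a child OU and return it so nesting is just another call.
function New-ChildOU($parent, [string]$name) {
    $ou = $parent.Create("organizationalUnit", "OU=$name")
    $ou.SetInfo()
    return $ou
}
$construction  = New-ChildOU $accounts 'Construction'
$engineering   = New-ChildOU $accounts 'Engineering'
$manufacturing = New-ChildOU $accounts 'Manufacturing'
foreach ($child in 'Consumer', 'Corporate', 'Government') {
    [void](New-ChildOU $manufacturing $child)
}

# "To create a user account": the object is committed disabled first (a new user defaults to
# userAccountControl 546 = NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD), the password is
# set, and only then is the account enabled, so it is never usable without a password.
$user = $construction.Create("user", "CN=John Smith")
$user.Put("sAMAccountName",    "jsmith")               # constructed logon name
$user.Put("userPrincipalName", "jsmith@contoso.com")   # constructed UPN, default suffix
$user.Put("givenName",   "John")
$user.Put("sn",          "Smith")
$user.Put("displayName", "John Smith")
$user.SetInfo()
$user.SetPassword("pass#word1")        # the guide's sample password; domain policy still applies
$user.Put("userAccountControl", 512)   # NORMAL_ACCOUNT only: enabled, password required
$user.SetInfo()

# "To move a user from one OU to another": move, then re-bind at the new location.
$user.psbase.MoveTo($engineering)
$user = [ADSI]"LDAP://CN=John Smith,OU=Engineering,OU=Accounts,DC=contoso,DC=com"

# "To create a group" with the dialog's defaults (Global scope, Security type).
# groupType is a bit field: 2 = global, 4 = domain local, 8 = universal, 0x80000000 = security-enabled.
# 0x80000002 stored as a signed 32-bit value is -2147483646.
$group = $engineering.Create("group", "CN=Tools")
$group.Put("sAMAccountName", "Tools")
$group.Put("groupType", -2147483646)
$group.SetInfo()

# "To add a user to a group": IADsGroup::Add commits the membership change immediately.
$group.Add($user.psbase.Path)

# Decode a groupType value into the type/scope names from the table above.
function Get-GroupKind([int]$groupType) {
    $type  = if ($groupType -lt 0) { 'Security' } else { 'Distribution' }   # sign bit is 0x80000000
    $scope = switch ($groupType -band 0xE) { 2 { 'Global' } 4 { 'Domain Local' } 8 { 'Universal' } default { 'Unknown' } }
    return "$type / $scope"
}
$group.psbase.RefreshCache()
$kind    = Get-GroupKind ([int]$group.psbase.Properties["groupType"].Value)
$members = @($group.psbase.Properties["member"].Value) -join '; '
Write-Host ("Tools is a {0} group; members: {1}" -f $kind, $members)
```

The order in the user section is the point worth keeping when scripting account creation: commit, set the password, then enable, so that an enabled account with no password never exists even for a moment between steps.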

Publishing a Shared Folder

To help users find shared folders more easily, you can publish information about shared folders in Active Directory. Any shared network folder, including a Distributed File System (Dfs) folder, can be published in Active Directory. Creating a Shared folder object in the directory does not automatically share the folder. This is a two-step process: you must first share the folder, and then publish it in Active Directory.

To share a folder

1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk volumes.
2. In Windows Explorer, right-click the Engineering Specs folder, and then click Properties. Click Sharing, and then click Share this folder.


3. On the Engineering Specs Properties screen, type ES in the Share name box, and then click OK. Close Windows Explorer once complete.

Note: By default, the built-in Everyone group has permissions to this shared folder. You can change the default permission by clicking the Permissions button.

Publishing the Shared Folder in the Directory

To publish the shared folder in the directory

1. In the Active Directory Users and Computers snap-in, right-click the Engineering OU, point to New, and then click Shared Folder.
2. On the New Object - Shared Folder screen, type Engineering Specs in the Name box.
3. In the Network Path name box, type \\hq-con-dc-01.contoso.com\ES, and click OK.
4. Right-click Engineering Specs, and then click Properties.
5. Click Keywords. For New Value, type specifications, and then click Add to continue. Click OK twice to finish.

Users may now search Active Directory by share name or keyword to locate this shared resource.

Searching for a Shared Folder

To find a shared folder

1. In the Active Directory Users and Computers MMC, right-click Contoso, and then click Find.
2. In the Find drop-down list, click Shared Folders. Type specifications in the Keywords text box, and then click Find Now.
3. In Search results, right-click Engineering Specs, and then click Open.

Figure 8. Searching for Shared Folders in Active Directory

Note: When populated, the ES shared folder contents will be available to end users through directory searches. Users may also map this shared resource as a network drive.

4. Close the Find Shared Folders dialog box.
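The publish and search steps above, done with ADSI and System.DirectoryServices instead of the dialogs. This is an added example, not from the guide; it assumes the share \\hq-con-dc-01.contoso.com\ES already exists (publishing never creates or shares a folder, as the text says) and that the Engineering OU from the guide is present. The search function escapes the keyword before building the LDAP filter, which the Find dialog does for you but a script must do itself.

```powershell
# Added example (not from the guide): publish the ES share as a "volume" object, then find it by keyword.
$engineering = [ADSI]"LDAP://OU=Engineering,OU=Accounts,DC=contoso,DC=com"

# A published shared folder is an object of class volume: uNCName holds the share path and
# keywords is the multi-valued attribute searched by Find > Shared Folders > Keywords.
$vol = $engineering.Create("volume", "CN=Engineering Specs")
$vol.Put("uNCName", "\\hq-con-dc-01.contoso.com\ES")
$vol.PutEx(3, "keywords", @("specifications"))    # 3 = ADS_PROPERTY_APPEND
$vol.SetInfo()

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first, then the
# metacharacters, so a keyword taken from user input cannot change the query.
function ConvertTo-LdapFilterValue([string]$value) {
    return $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Equivalent of the Find dialog scoped to the whole domain.
function Find-PublishedShare([string]$keyword) {
    $root = [ADSI]"LDAP://DC=contoso,DC=com"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=volume)(keywords=$(ConvertTo-LdapFilterValue $keyword)))"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "uNCName", "keywords"))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name     = [string]$r.Properties["cn"][0]
            Path     = [string]$r.Properties["uncname"][0]
            Keywords = @($r.Properties["keywords"]) -join ', '
        }
    }
}

Find-PublishedShare 'specifications' | Format-Table -AutoSize
```

Publishing only advertises the share in the directory; who can open it is decided by the share and NTFS permissions, which is why the Everyone default mentioned in the note above matters more than the directory object. The same search with objectClass=printQueue lists printers published in the directory, which the printer section below describes.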

Publishing a Printer

You can also publish information about shared printers in Active Directory. Information about printers shared from Windows NT must be published manually. Information about printers shared from the Windows Server 2003 family or the Windows 2000 Server family is published to the directory automatically when you create a shared printer. Use Active Directory Users and Computers to manually publish shared printer information.

The print subsystem will automatically propagate changes to the printer attributes (location, description, loaded paper, and so on) to the directory.

Note: This section details the steps to configure and publish a printer, which prints directly to a file. If you want to use an IP, LPT, or USB-based printer, you must modify the steps in these procedures.

Adding a New Printer

To add a new printer

1. Click the Start button, click Printers and Faxes, and then double-click Add Printer. The Add Printer Wizard appears. Click Next.
2. Click Local printer attached to this computer, clear the Automatically detect and install my Plug and Play printer check box, and then click Next.
3. In the Use the following port drop-down list, click the FILE: (Print to File) option, and then click Next.
4. In the Manufacturer results pane, click Generic. In the Printers results pane, click Generic / Text Only. Click Next to continue.
5. On the Name Your Printer page, change the Printer name to Print to File, and then click Next.
6. On the Printer Sharing page, change the Share name to FilePrinter, and then click Next.
7. For Location on the Location and Comment page, type Headquarters Bldg 4 Room 2200. Click Next to continue.
8. Click Next to print a test page, and then click Finish to complete the installation.
9. When prompted, type TestPrint as the file name for the printer test page. Click OK once complete.

The printer is automatically published in Active Directory.

Locating a Printer in Active Directory

To find a printer in Active Directory

1. On the Printers and Faxes screen, double-click the Add Printer icon.
2. The Add Printer Wizard dialog box appears. Click Next to continue.
3. Click A network printer, and then click Next.
4. Click Find a printer in the Directory (default), and then click Next.
5. The Find Printers dialog box appears. Click Find Now to search for all printers published in Active Directory. Setting additional search options can limit results by available features or printer location.

Printer Location Tracking: Use printer location tracking to streamline printer searches. When printer location tracking is enabled and the user clicks Find Now, Active Directory lists all printers matching the user's query that are in the user location. Users can change the location field by clicking Browse to search for printers in other locations. For more information about configuring printer location tracking, see the Windows Server 2003 Help and Support Center.

6. In the Search results on the Find Printers page, double-click Print to File to install the printer. Click Yes (default) to set this printer as the default printer for your system, and then click Next.


Figure 9. Searching for Shared Printers in Active Directory

7. Click Finish to complete the printer installation.
8. Close the Printers and Faxes window.

You can publish printers shared by operating systems other than Windows Server 2003, Windows 2000, or Windows XP in Active Directory. The simplest way to do this is to use the pubprn.vbs script, although the Active Directory Users and Computers snap-in can be used. This script will publish all the shared printers on a given server. It is located in the \winnt\system32 directory.

Publishing a Printer Manually Using the pubprn.vbs Script

To publish a printer manually using the pubprn.vbs script

1. Click the Start button, and then click Run. Type cmd in the text box, and then click OK.
2. Type cd \windows\system32, and then press Enter.
3. Type cscript pubprn.vbs prserv1 "LDAP://ou=accounts,dc=contoso,dc=com", and then press Enter.

Note: This example publishes all the printers on the Prserv1 server to the Accounts OU. The script copies only the following subset of the printer attributes: Location, Model, Comment, and UNCPath. This script will not work on Windows Server 2003; it is provided as a manual tool for publishing printers to Active Directory from down-level print servers only.

4. Close the window.

Publishing a Printer Manually Using the Active Directory Users and Computers Snap-In

1. Right-click the Marketing OU, click New, and then click Printer.
2. The New Object - Printer dialog box appears. In the text box, type the path to the printer, such as \\server\share name, and then click OK.

End users experience seamless operations from printers being published in the directory since they can browse for printers, submit jobs to those printers, and install the printer drivers directly from the server.

Creating a Computer Object

A computer object is created automatically when a computer joins a domain. If you do not want to give all users the ability to add computers to the domain, computer objects may also be created before the computer joins a domain, manually or via scripts.

To manually add a computer to the domain


1. Right-click the Engineering OU, point to New, and then click Computer.
2. For the computer name, type Legacy, and then click Next.
3. If the computer is a managed system, you can enter the system GUID. In this example, leave the system GUID blank, click Next, and then click Finish.
4. To manage this computer from the Active Directory Users and Computers snap-in, right-click the computer object, and then click Manage.

Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.

    Renaming, Moving, and Deleting Objects

    Every object in the directory can be renamed and deleted, and most objects can be moved to different containers. The following procedure expands the example for creating a computer object.

    To move the Legacy computer object to a different container

    1. In the Accounts OU, click the Engineering OU.
    2. Right-click the Legacy computer object, and then click Move.
    3. Expand the Resources OU, and then click to highlight Servers as shown in Figure 10.

    Figure 10. Moving a Computer Object

    4. Click OK to move the computer to the Servers OU within the Resources OU.
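    The pre-staging procedure above and this move procedure, as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2 or later, reaching the domain controller through Active Directory Web Services, or the Active Directory Management Gateway Service on Windows Server 2003 domain controllers) and the guide's OU layout under contoso.com; the description text is an assumption.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module and
# the guide's OU layout under contoso.com; the description text is an assumption.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName          # DC=contoso,DC=com
$engineeringOU = "OU=Engineering,OU=Accounts,$domainDN"
$serversOU     = "OU=Servers,OU=Resources,$domainDN"

# "All users can add computers" is governed by ms-DS-MachineAccountQuota on the domain
# object (10 by default). Read it first; setting it to 0 means only pre-staged accounts,
# or principals you explicitly delegate, can be joined.
$quota = (Get-ADObject -Identity $domainDN -Properties "ms-DS-MachineAccountQuota")."ms-DS-MachineAccountQuota"
Write-Host "ms-DS-MachineAccountQuota is currently $quota"
# Set-ADDomain -Identity $domainDN -Replace @{ "ms-DS-MachineAccountQuota" = 0 }   # enable deliberately

# Pre-stage the Legacy account in the Engineering OU (the guide's steps 1 to 3). The
# system GUID is left unset, exactly as in the guide.
New-ADComputer -Name "Legacy" -SamAccountName 'LEGACY$' -Path $engineeringOU `
    -Enabled $true -Description "Pre-staged by IT; joined later by desktop support"

# Verify what was created and where before doing anything else with it.
$computer = Get-ADComputer -Identity "Legacy" -Properties Description, whenCreated
$computer | Select-Object Name, SamAccountName, Enabled, whenCreated, DistinguishedName

# Move it to Resources\Servers, the "Renaming, Moving, and Deleting Objects" procedure.
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $serversOU
(Get-ADComputer -Identity "Legacy").DistinguishedName   # now ends in $serversOU

# Rename-ADObject changes only the object's CN. sAMAccountName and dNSHostName stay as
# they were, so rename the machine itself (Rename-Computer on the host) when the
# hostname must change, and reserve Rename-ADObject for tidying the directory entry.
# Deletion prompts for confirmation by default; -WhatIf previews without removing.
Remove-ADComputer -Identity "Legacy" -WhatIf
```

    The quota check is the scripted form of the guide's "if you do not want to give all users the ability to add computers" remark: with the quota at its default, any authenticated user can join up to ten machines without a pre-staged account, which is why the account is created in the intended OU first and the quota line is left for you to enable on purpose.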

    Managing Computer Objects

    Computer objects in Active Directory can be managed directly from the Active Directory Users and

    Computers snap-in. Computer Management is a component you can use to view and control many

    aspects of the computer configuration. Computer Management combines several administration

    utilities into a single console tree, providing easy access to a local or remote computer's

    administrative properties and tools.

    Note: The following example assumes that you are working from the HQ-CON-DC-01 console and that HQ-CON-DC-02 is currently running.

    Managing a Remote Computer

    To manage a remote computer

    1. In the Active Directory Users and Computers snap-in, right-click contoso.com, and then click Connect to Domain.
    2. Click Browse, and then click the + next to contoso.com. Double-click vancouver.contoso.com, and then click OK.
    3. Expand vancouver.contoso.com by clicking the +, and then click Domain Controllers.


    4. Right-click HQ-CON-DC-02, and then click Manage. The system may now be remotely managed as shown in Figure 11.

    Figure 11. Remotely Managing a Computer


    5. Close the Computer Management window.

    Nested Groups

    Nested groups allow you to provide company-wide or department-wide access to resources with

    minimum maintenance. Placing every team account group into a single company-wide resource

    group is not an effective solution because it requires the creation and maintenance of a large

    number of membership links. To use nested groups, administrators create a series of account

    groups that represent the managerial divisions of the company.

    For example, the top account group might be called "All Employees," and would be attached to a

    resource group that gives access to resources and shared directories. The next level might contain

    account groups that represent major divisions of the company. Each group at this level is a member

    of All Employees, and is attached to a resource group giving access to shares and other resources

    appropriate to the division it represents.

    Within a division, the next level of account groups might represent departments. Shared resources

    for the department might include project schedules, meeting schedules, vacation schedules, or any

    network information appropriate to the whole department. The department account groups are all

    members of the division account group.

    Within a department, the management structure can be organized into security groups to any

    required level of specificity. These might be team account groups and might represent leaf nodes in

    the organization's hierarchical tree.

    With this group hierarchy in place, you can give a new employee instant access to the resources of the team, the department, the division, and the company as a whole by placing the employee in a team account group. This system supports the principle of least access because the new employee cannot view the resources of adjacent teams, other departments, or other divisions.

    Creating Nested Groups

    To create a nested group

    1. In the Active Directory Users and Computers snap-in, right-click vancouver.contoso.com, and then click Connect to Domain.
    2. Click Browse, and then click contoso.com. Click OK twice to finish.
    3. Expand contoso.com, and then expand the Accounts OU.
    4. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group. Type All Engineering, and then click OK.
    5. Right-click the All Engineering group, and then click Properties.
    6. Click the Members tab, and then click Add.
    7. In the Enter the object names to select box, type Tools, and then click OK.
    8. Click OK again. A nested group has been created.
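    The account-group / resource-group hierarchy described in the Nested Groups section, and the procedure just above, as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory module, that the Tools group and the Accounts\Engineering OU exist as in the guide's lab, and that a user account named jsmith is a member of Tools; the "Engineering Share Read" resource group and its location under the Resources OU are assumptions made for illustration.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module, the
# guide's Tools group and Accounts\Engineering OU, and an assumed user jsmith in Tools.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$engineeringOU = "OU=Engineering,OU=Accounts,$domainDN"

# Account groups (who) are Global; resource groups (what they may reach) are Domain
# Local. Nesting the team group into the division group is what gives a new engineer
# the division's access with a single membership change.
New-ADGroup -Name "All Engineering" -GroupScope Global -GroupCategory Security -Path $engineeringOU `
    -Description "Division account group; contains every engineering team group"
Add-ADGroupMember -Identity "All Engineering" -Members "Tools"

# A resource group that a file-server ACL would reference (assumed name and location).
New-ADGroup -Name "Engineering Share Read" -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Resources,$domainDN" -Description "Read access to the engineering share"
Add-ADGroupMember -Identity "Engineering Share Read" -Members "All Engineering"

# Audit the result. -Recursive flattens the nesting, so you see every user or computer
# that ends up with access through the chain, not just the directly listed member groups.
Get-ADGroupMember -Identity "Engineering Share Read" -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName

# The reverse question, "which groups does this user get through nesting?", is answered
# server-side by the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941).
# The DN is inserted verbatim here; escape it first if a CN contains ( ) * or \.
$user = Get-ADUser -Identity "jsmith"   # assumed account; any member of Tools works
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object Name, GroupScope, DistinguishedName
```

    The two queries at the end are the checks worth keeping: the first shows who actually reaches a resource once nesting is taken into account, and the second shows everything a given account inherits, which is how you confirm the "least access" claim in the text rather than assume it.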

    Finding Specific Objects

    In a large directory deployment, it may be unreasonable to browse a comprehensive list of objects in search of a unique object. Often, it is more efficient to find specific objects that meet certain criteria. In the following example, you will find all users who have a logon name starting with J in the Contoso domain.

    To find users with a logon name starting with J

    1. Click to select contoso.com. Right-click contoso.com, and then click Find.
    2. Click the Advanced tab. In the Field drop-down list, select User, and then click Logon Name.
    3. Type J for Value, and then click Add. Click Find Now. Your results should be similar to those shown in Figure 12.

    Figure 12. Employing Advanced Directory Search Techniques

    4. Close the Find Users, Contacts, and Groups window.

    Filtering a List of Objects


    Filtering the list of returned objects from the directory can allow you to manage the directory more

    efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in. For

    example, you can choose to view only users and groups, or you may want to create a more complex

    filter. If an OU has more than a specified number of objects, the Filter function allows you to restrict

    the number of objects displayed in the results pane. You can use the Filter function to configure this

    option.

    To create a filter designed to display users only

    1. In the Active Directory Users and Computers snap-in, click Engineering under the Accounts OU.
    2. Click the View menu, and then click Filter Options.
    3. Click the radio button for Show only the following types of objects, select Users, and then click OK.
    4. Expand Accounts, and then click Engineering to verify the filtering results.
    5. Remove the filter.
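    The Find dialog search from the previous section and the view filter from this one, as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory module and the guide's contoso.com layout; the function names are mine, and the escaping helper is the check a script needs once the search prefix comes from a parameter instead of the dialog.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module and
# the guide's contoso.com OU layout; function names are the author's own.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$engineeringOU = "OU=Engineering,OU=Accounts,$domainDN"

# Escape a value before placing it inside an LDAP filter (RFC 4515). The Find dialog
# does this for you; a script that takes the prefix from a parameter or a ticket must
# do it itself, otherwise "*" or ")" in the input changes the meaning of the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added below are not escaped a second time.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# "Logon Name starts with J" from the Find dialog. objectCategory=person is required
# because computer objects are also objectClass=user and would otherwise be listed.
function Find-UserByLogonPrefix {
    param([Parameter(Mandatory)][string]$Prefix, [string]$SearchBase = $domainDN)
    $p = ConvertTo-LdapFilterValue -Value $Prefix
    Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=${p}*))" `
        -SearchBase $SearchBase |
        Select-Object SamAccountName, Name, Enabled, DistinguishedName
}

Find-UserByLogonPrefix -Prefix "J"

# View > Filter Options limits what the results pane shows; the scripted equivalent is
# a SearchBase plus an object-class filter. OneLevel mirrors clicking the Engineering
# OU itself rather than searching its child OUs as well.
Get-ADObject -SearchBase $engineeringOU -SearchScope OneLevel `
    -LDAPFilter "(&(objectCategory=person)(objectClass=user))" |
    Select-Object Name, ObjectClass

# Users and groups together, the "only users and groups" case mentioned in the text.
Get-ADObject -SearchBase $engineeringOU -SearchScope OneLevel `
    -LDAPFilter "(|(&(objectCategory=person)(objectClass=user))(objectClass=group))" |
    Select-Object Name, ObjectClass
```

    Passing a prefix such as "J*" or "J)" through Find-UserByLogonPrefix returns nothing unexpected, because the helper turns those characters into their escaped forms before the filter is built; without it the first input would match every logon name.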