8/8/2019 38720906 Step by Step Guide to Managing Active Directory
Step-by-Step Guide to Managing Active Directory
Published: September 17, 2004
This guide introduces you to administration of the Windows Server 2003 Active Directory service
and the Active Directory Users and Computers snap-in.
On This Page
Introduction
Overview
Using Active Directory Domains and Trusts Snap-In
Using the Active Directory Users and Computers Snap-In
Additional Resources
Introduction
Step-by-Step Guides
The Microsoft Windows Server 2003 Deployment step-by-step guides provide hands-on experience
for many common operating system configurations. The guides begin by establishing a common
network infrastructure through the installation of Windows Server 2003, the configuration of Active
Directory, the installation of a Windows XP Professional workstation, and finally the addition of this
workstation to a domain. Subsequent step-by-step guides assume that you have this common
network infrastructure in place. If you do not wish to follow this common network infrastructure,
you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.
Part I: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
Once the common network infrastructure is configured, any of the additional step-by-step guides
may be employed. Note that some step-by-step guides may have additional prerequisites above and
beyond the common network infrastructure requirements. Any additional requirements will be noted
in the specific step-by-step guide.
Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical
lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft
Virtual Server 2005. Virtual machine technology enables customers to run multiple operating
systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are
designed to increase operational efficiency in software testing and development, legacy application
migration, and server consolidation scenarios.
The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur
within a physical lab environment, although most configurations can be applied to a virtual
environment without modification.
Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the
scope of this document.
Important Notes
The example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious. No association with any real company,
organization, product, domain name, e-mail address, logo, person, places, or events is intended or
should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name
and Domain Name System (DNS) name used in the common infrastructure are not registered for
use on the Internet. You should not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how
Windows Server 2003 Change and Configuration Management works and functions with Active
Directory. It was not designed as a model for configuring Active Directory for any organization.
Overview
This guide introduces you to administration of the Windows Server 2003 Active Directory service.
The Active Directory administrative tools simplify directory service administration. You can use the
standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on
single management tasks. You can combine several tools into one console. You can also assign
custom tools to individual administrators with specific administrative responsibilities.
The Active Directory administrative tools can only be used from a computer with access to a
domain. The following Active Directory administrative tools are available on the Administrative Tools
menu:
Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services
You can also remotely administer Active Directory from a computer that is not a domain controller,
such as a computer running Windows XP Professional. To do this, you must install the Windows
Server 2003 Administration Tools Pack.
The Active Directory Schema snap-in is an Active Directory administrative tool for managing the
schema. It is not available by default on the Administrative Tools menu and must be added
manually.
For advanced administrators and network support specialists, there are many command-line tools
that can be used to configure, manage, and troubleshoot Active Directory. You can also create
scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on
the operating system installation media.
Prerequisites
Part 1: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
Step by Step Guide to Setting up Additional Domain Controllers
Guide Requirements
You must be logged on as a user with administrative privileges to perform the procedures in this
document.
If you are working on a domain controller, the Active Directory Schema snap-in might not be
installed. To install it:
At a command-line prompt, type regsvr32 schmmgmt.dll
The Active Directory Schema management snap-in will now be available within MMC.
On Windows Server 2003-based stand-alone servers or Windows XP Professional workstations,
Active Directory Administrative Tools are optional. You can install them from Add/Remove
Programs in the Control Panel using the Windows Components wizard or from the ADMINPAK
on the Windows Server 2003 CD.
Using Active Directory Domains and Trusts Snap-In
The Active Directory Domains and Trusts snap-in provides a graphical view of all domain trees in
the forest. Using this tool, an administrator can manage each of the domains in the forest, manage
trust relationships between domains, configure the mode of operation for each domain (native or
mixed mode), and configure the alternative User Principal Name (UPN) suffixes for the forest.
Starting the Active Directory Domains and Trusts Snap-In
To start the snap-in
1. On HQ-CON-DC-01, click the Start button, point to All Programs, point to
Administrative Tools, and then click Active Directory Domains and Trusts. The Active
Directory Domains and Trusts snap-in appears as in Figure 1.
Figure 1. Active Directory Domains and Trust Snap-In
The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active
Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred
to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the
first domain in the first tree of the forest. In this guide and the other step-by-step guides in this
series, the default UPN suffix is contoso.com.
You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon
names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows
Server 2003 domain and is not required to be a valid DNS domain name.
To add additional UPN suffixes
1. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then
click Properties.
2. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.
3. Click OK to close the window.
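The same change made from a script rather than the Properties dialog, as an added example that is not part of the original guide. The Properties dialog edits the multi-valued uPNSuffixes attribute of the Partitions container in the configuration partition; the script below writes that attribute through the ADSI adapter built into Windows PowerShell (the guide mentions ADSI scripting in the Overview). It assumes the contoso.com forest from the guides and an account allowed to write to the configuration partition; the suffix corp.example is a placeholder chosen for this example.

```powershell
# Added example, not from the original guide. Alternate UPN suffixes live in the
# uPNSuffixes attribute of CN=Partitions in the configuration partition; this
# function adds one if it is not already present and returns the resulting list.
# Assumes write access to the configuration partition (for example Enterprise Admins).

function Add-UpnSuffix {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Suffix)

    $rootDse    = [ADSI]'LDAP://RootDSE'
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"

    # Suffixes already defined for the forest (empty until the first one is added).
    $current = @($partitions.Properties['uPNSuffixes'] | ForEach-Object { [string]$_ })
    if ($current -contains $Suffix) {
        Write-Verbose "UPN suffix '$Suffix' is already defined"
        return $current
    }

    [void]$partitions.Properties['uPNSuffixes'].Add($Suffix)
    $partitions.SetInfo()
    $partitions.RefreshCache()
    return @($partitions.Properties['uPNSuffixes'] | ForEach-Object { [string]$_ })
}

# 'corp.example' is a placeholder. As the guide notes, the suffix is only used inside the
# forest and need not be a registered DNS name; it does have to be unique in the forest.
Add-UpnSuffix -Suffix 'corp.example' -Verbose
```

Once the suffix is stored, it appears in the logon-name suffix drop-down of the New Object - User dialog exactly as a suffix added through the snap-in would.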
Changing Domain and Forest Functionality
Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a
way to enable domain or forest-wide Active Directory features within your network environment.
Different levels of domain functionality and forest functionality are available depending on your
environment.
If all domain controllers in your domain or forest are running Windows Server 2003 and the
functional level is set to Windows Server 2003, all domain and forest-wide features are available.
When Windows NT 4.0 or Windows 2000 domain controllers are included in your domain or forest
with domain controllers running Windows Server 2003, only a subset of Active Directory domain
and forest-wide features are available.
The concept of enabling additional functionality in Active Directory exists in Windows 2000 with
mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain
controllers and cannot use Universal security groups, group nesting, and security ID (SID) history
capabilities. When the domain is set to native mode, Universal security groups, group nesting, and
SID history capabilities are available. Domain controllers running Windows 2000 Server are not
aware of domain and forest functionality.
Warning: Once the domain functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot
be added to that domain.
Domain functionality enables features that will affect the entire domain and that domain only. Four
domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native,
Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the
Windows 2000 mixed functional level.
To raise domain functionality
1. Right-click the domain object (in the example, contoso.com), and then click Raise Domain
Functional Level.
2. From the Select an available domain functional level drop-down list, select Windows
Server 2003, and then click Raise.
3. Click OK on the warning message to raise domain functionality. Click OK again to complete the
process.
4. Close the Active Directory Domains and Trusts window.
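A pre-raise check, as an added example that is not part of the original guide. Because the warning above is one-way (a domain controller running an earlier operating system can never be added back once the level is raised), a practitioner wants an inventory of every domain controller's operating system and the levels the directory currently reports before clicking Raise. The script uses the ADSI adapter in Windows PowerShell, reads msDS-Behavior-Version from the domain object and the Partitions container, and assumes the contoso.com domain from the guides with read access to the domain and configuration partitions.

```powershell
# Added example, not from the original guide. Reports the domain and forest functional
# levels and lists the domain controllers whose operating system would block a raise
# to Windows Server 2003. Assumes read access to the domain and configuration partitions.

# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003; higher values belong to later releases.
$levelNames = @{ 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
function Get-LevelName([int]$Level) {
    if ($levelNames.ContainsKey($Level)) { return $levelNames[$Level] }
    if ($Level -eq 0) { return 'Windows 2000' }
    return "level $Level (later than Windows Server 2003)"
}

# First value of a loaded attribute from a search result, or '' when it is absent.
function Get-Attr($Result, [string]$Name) {
    [string]($Result.Properties[$Name] | Select-Object -First 1)
}

function Get-FunctionalLevelReport {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainDn   = [string]$rootDse.defaultNamingContext
    $domain     = [ADSI]"LDAP://$domainDn"
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"

    $domainLevel = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $forestLevel = [int]$partitions.Properties['msDS-Behavior-Version'].Value
    # Within level 0, ntMixedDomain = 1 means Windows 2000 mixed, 0 means native.
    $mixed = ([int]$domain.Properties['ntMixedDomain'].Value) -eq 1
    $domainName = Get-LevelName $domainLevel
    if ($domainLevel -eq 0) {
        $mode = if ($mixed) { ' mixed' } else { ' native' }
        $domainName = "$domainName$mode"
    }

    # Domain controllers carry SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'operatingSystem', 'operatingSystemVersion'))

    $dcs = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name            = Get-Attr $r 'name'
            OperatingSystem = Get-Attr $r 'operatingsystem'
            Version         = Get-Attr $r 'operatingsystemversion'
        }
    }

    # Any DC not running Windows Server 2003 blocks the raise, and after the raise no
    # such DC can be introduced again (the warning in the guide).
    $blocking = @($dcs | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2003*' })

    [pscustomobject]@{
        Domain            = $domainDn
        DomainLevel       = $domainName
        ForestLevel       = Get-LevelName $forestLevel
        DomainControllers = @($dcs)
        BlockingRaise     = $blocking
    }
}

$report = Get-FunctionalLevelReport
$report | Format-List Domain, DomainLevel, ForestLevel
$report.DomainControllers | Format-Table Name, OperatingSystem, Version -AutoSize
if ($report.BlockingRaise.Count -gt 0) {
    Write-Warning "Raise to Windows Server 2003 would be blocked by: $($report.BlockingRaise.Name -join ', ')"
}
```

Run it on HQ-CON-DC-01 before step 1 of the procedure; an empty BlockingRaise list and a DomainLevel of Windows 2000 mixed is the state the guide expects to start from.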
Using the Active Directory Users and Computers Snap-In
To start the Active Directory Users and Computers snap-in
1. Click the Start button, point to All Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Expand Contoso.com by clicking +.
Figure 2 displays the key components of the Active Directory Users and Computers snap-in.
Figure 2. Active Directory Users and Computers Snap-In
Recognizing Active Directory Objects
The objects described in the following table are created during the installation of Active Directory.
Folder: Description
Domain: The root node of the snap-in represents the domain being administered.
Computers: Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003-based computers that join a domain. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. You can move these objects.
System: Contains Active Directory systems and services information.
Users: Contains all the users in the domain. In an upgrade, all users from the previous domain will be migrated. Like computers, the user objects can be moved.
You can use Active Directory to create the following objects.
Object: Description
User: A user object is an object that is a security principal in the directory. A user can log on to the network with these credentials, and access permissions can be granted to users.
Contact: A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail.
Computer: An object that represents a computer on the network. For Windows NT-based workstations and servers, this is the machine account.
Organizational Unit: Organizational units (OUs) are used as containers to logically organize directory objects such as users, groups, and computers in much the same way that folders are used to organize files on your hard disk.
Group: Groups can have users, computers, and other groups. Groups simplify the management of large numbers of objects.
Shared Folder: A shared folder is a network share that has been published in the directory.
Shared Printer: A shared printer is a network printer that has been published in the directory.
Adding an Organizational Unit
This procedure creates an additional OU in the Contoso domain. Note that you can create nested
OUs, and there is no limit to the nesting levels.
These steps follow the Active Directory structure established in the common infrastructure step-by-
step guides. If you did not create that structure, add the OUs and users directly under
Contoso.com; that is, where Accounts is referred to in the procedure, substitute Contoso.com.
To add an OU
1. Click the + next to Accounts to expand it.
2. Right-click Accounts.
3. Point to New and click Organizational Unit. Type Construction as the name of your new
organizational unit, and then click OK.
Repeat the previous steps to create additional OUs as follows:
Organizational unit Engineering under Accounts.
Organizational unit Manufacturing under Accounts.
Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-click Manufacturing, point to New, and then click Organizational Unit.)
Organizational units Corporate and Government under the Manufacturing organizational unit.
Click Manufacturing so that its contents will display in the right pane.
When you are finished, you should have the following hierarchy as shown in Figure 3.
Figure 3. New OUs
Creating a User Account
The following procedure creates the user account John Smith in the Construction OU.
To create a user account
1. Right-click the Construction organizational unit, point to New, and then click User, or click
New User on the snap-in toolbar.
2. Type user information as shown in Figure 4.
Figure 4. New User Dialog Box
3. Click Next to continue.
4. Type pass#word1 in both the Password and Confirm password boxes, and then
click Next.
Note: The role that passwords play in securing an organization's network is often
underestimated and overlooked. Passwords provide the first line of defense against
unauthorized access to your organization. The Windows Server 2003 family has a new feature
that requires complex passwords for all newly established user accounts. For information about
this feature, see the Setting Password Policy step-by-step guide.
5. Click Finish to accept the confirmation in the next dialog box.
You have now created an account for John Smith in the Construction OU.
To add additional information about this user
1. Select Construction in the left pane, right-click John Smith in the right pane, and then click
Properties.
2. Add more information about the user in the Properties dialog box on the General tab as
shown in Figure 5, and then click OK. Click each available tab and review the optional user
information that may be defined.
Figure 5. Additional User Information
Moving a User Account
Users can be moved from one OU to another within the same domain or a different domain. For
example, in this procedure, John Smith moves from the Construction division to the Engineering
division.
To move a user from one OU to another
1. Click the John Smith user account in the right pane, right-click it, and then click Move.
2. On the Move screen, click + next to Accounts to expand it as shown in Figure 6.
Figure 6. List of Available OUs
3. Click the Engineering OU, and then click OK.
Creating a Group
To create a group
1. Right-click the Engineering OU, click New, and then click Group.
2. In the New Object - Group dialog box, type Tools for Name.
3. Review the type and scope of groups available in Windows Server 2003 as shown in the
following table. Leave the default settings, and then click OK to create the Tools group.
The Group type indicates whether the group can be used to assign permissions to other
network resources, such as files and printers. Both security and distribution groups can be
used for e-mail distribution lists.
The Group scope determines the visibility of the group and what type of objects can be
contained within the group.
Scope         Visibility   May Contain
Domain Local  Domain       Users, Domain Local, Global, or Universal Groups
Global        Forest       Users or Global Groups
Universal     Forest       Users, Global, or Universal Groups
Adding a User to a Group
To add a user to a group
1. Click the Engineering OU in the left pane.
2. Right-click the Tools group in the right pane, and then click Properties.
3. Click the Members tab, and then click Add.
4. In the Enter the object names to select text box, type John, and then click OK.
Figure 7. Add John Smith to the Tools Security Group
5. On the Tools Properties screen, verify John Smith is now a member of the Tools Security
Group, and then click OK.
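The procedures from Adding an Organizational Unit through Adding a User to a Group, carried out with a script instead of the snap-in, as an added example that is not part of the original guide. It builds the same OU hierarchy, creates John Smith in Construction, moves the account to Engineering, creates the Tools group with the dialog's default type and scope (security, global), adds the user, and reads the membership back. It uses the ADSI adapter in Windows PowerShell and assumes the Accounts OU from the common infrastructure guides under contoso.com; the logon name jsmith and UPN jsmith@contoso.com are chosen for this example, and the password is the guide's sample value, which must be replaced by one that satisfies your password policy.

```powershell
# Added example, not from the original guide. Creates the OUs, user and group that the
# snap-in procedures create, using the ADSI adapter. Assumes OU=Accounts exists under
# contoso.com; jsmith is an assumed logon name; the password is the guide's sample.

$accounts = [ADSI]'LDAP://OU=Accounts,DC=contoso,DC=com'

function New-AdsiOu {
    param([System.DirectoryServices.DirectoryEntry]$Parent, [string]$Name)
    $ou = $Parent.Children.Add("OU=$Name", 'organizationalUnit')
    $ou.SetInfo()
    return $ou
}

$construction  = New-AdsiOu -Parent $accounts -Name 'Construction'
$engineering   = New-AdsiOu -Parent $accounts -Name 'Engineering'
$manufacturing = New-AdsiOu -Parent $accounts -Name 'Manufacturing'
foreach ($name in 'Consumer', 'Corporate', 'Government') {
    [void](New-AdsiOu -Parent $manufacturing -Name $name)
}

# Create John Smith in Construction. A new user is stored disabled by default; the
# password is set and only then is the account enabled, so an enabled account never
# exists without a password.
$user = $construction.Children.Add('CN=John Smith', 'user')
$user.Put('sAMAccountName',    'jsmith')               # assumed logon name
$user.Put('userPrincipalName', 'jsmith@contoso.com')   # default UPN suffix from the guide
$user.Put('givenName',         'John')
$user.Put('sn',                'Smith')
$user.Put('displayName',       'John Smith')
$user.SetInfo()
$user.Invoke('SetPassword', 'pass#word1')   # guide's sample password; replace it
$user.Put('userAccountControl', 512)        # NORMAL_ACCOUNT, ACCOUNTDISABLE cleared
$user.SetInfo()

# Move the account from Construction to Engineering (the Move command in the snap-in).
$user.MoveTo($engineering)
$user.RefreshCache()
$userDn = [string]$user.Properties['distinguishedName'].Value

# Create the Tools group with the dialog's defaults: security group, global scope.
# groupType -2147483646 = 0x80000002 = ADS_GROUP_TYPE_GLOBAL_GROUP | SECURITY_ENABLED.
$group = $engineering.Children.Add('CN=Tools', 'group')
$group.Put('sAMAccountName', 'Tools')
$group.Put('groupType', -2147483646)
$group.SetInfo()

# Add the user by distinguished name, then read the membership back to verify it,
# which is what step 5 of "To add a user to a group" does by eye.
[void]$group.Properties['member'].Add($userDn)
$group.SetInfo()
$group.RefreshCache()
$members  = @($group.Properties['member'] | ForEach-Object { [string]$_ })
$isMember = $members -contains $userDn
"John Smith ($userDn) is a member of Tools: $isMember"
```

The order of the user-creation steps matters more than it looks: committing sAMAccountName first, then setting the password, then clearing the disabled bit mirrors what the New Object - User wizard does behind the Finish button.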
Publishing a Shared Folder
To help users find shared folders more easily, you can publish information about shared folders in
Active Directory. Any shared network folder, including a Distributed File System (Dfs) folder, can be
published in Active Directory. Creating a Shared folder object in the directory does not automatically
share the folder. This is a two-step process: you must first share the folder, and then publish it in
Active Directory.
To share a folder
1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk
volumes.
2. In Windows Explorer, right-click the Engineering Specs folder, and then click Properties.
Click Sharing, and then click Share this folder.
3. On the Engineering Specs Properties screen, type ES in the Share name box, and then click
OK. Close Windows Explorer once complete.
Note: By default, the built-in Everyone group has permissions to this shared folder. You can
change the default permission by clicking the Permissions button.
Publishing the Shared Folder in the Directory
To publish the shared folder in the directory
1. In the Active Directory Users and Computers snap-in, right-click the Engineering OU, point
to New, and then click Shared Folder.
2. On the New Object - Shared Folder screen, type Engineering Specs in the Name box.
3. In the Network Path name box, type \\hq-con-dc-01.contoso.com\ES, and click OK.
4. Right-click Engineering Specs, and then click Properties.
5. Click Keywords. For New Value, type specifications, and then click Add to continue. Click
OK twice to finish.
Users may now search Active Directory by share name or keyword to locate this shared resource.
Searching for a Shared Folder
To find a shared folder
1. In the Active Directory Users and Computers MMC, right-click Contoso, and then click
Find.
2. In the Find drop-down list, click Shared Folders. Type specifications in the Keywords text box, and then click Find Now.
3. In Search results, right-click Engineering Specs, and then click Open.
Figure 8. Searching for Shared Folders in Active Directory
Note: When populated, the ES shared folder contents will be available to end users through
directory searches. Users may also map this shared resource as a network drive.
4. Close the Find Shared Folders dialog box.
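Publishing the Shared Folder in the Directory and Searching for a Shared Folder, done with a script, as an added example that is not part of the original guide. It creates the volume object with the UNC path and keyword from the procedure and then runs the same keyword query that Find Shared Folders issues. The search function escapes the keyword before placing it in the LDAP filter, which is the check a practitioner wants whenever a search term comes from user input. It uses the ADSI adapter and System.DirectoryServices in Windows PowerShell and assumes the Engineering OU under Accounts in contoso.com and the share path from the guide.

```powershell
# Added example, not from the original guide. Publishes the ES share as a volume
# object and searches for it by keyword. Assumes OU=Engineering,OU=Accounts under
# contoso.com and the UNC path \\hq-con-dc-01.contoso.com\ES from the guide.

function Publish-SharedFolder {
    param(
        [string]$ParentPath = 'LDAP://OU=Engineering,OU=Accounts,DC=contoso,DC=com',
        [string]$Name       = 'Engineering Specs',
        [string]$UncPath    = '\\hq-con-dc-01.contoso.com\ES',
        [string[]]$Keywords = @('specifications')
    )
    $parent = [ADSI]$ParentPath
    # A volume object only points at the share: it neither creates the share nor grants
    # access to it, which is why the guide describes publishing as a two-step process.
    $volume = $parent.Children.Add("CN=$Name", 'volume')
    $volume.Put('uNCName', $UncPath)
    foreach ($k in $Keywords) { [void]$volume.Properties['keywords'].Add($k) }
    $volume.SetInfo()
    return $volume
}

# Escape a value for use inside an LDAP filter (RFC 4515) so that a keyword containing
# '*', parentheses or a backslash cannot change the shape of the query.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-PublishedShare {
    param([string]$Keyword, [string]$SearchBase = 'LDAP://DC=contoso,DC=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = "(&(objectClass=volume)(keywords=$(ConvertTo-LdapFilterValue $Keyword)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'uNCName', 'keywords'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name     = [string]($r.Properties['name'] | Select-Object -First 1)
            UncPath  = [string]($r.Properties['uncname'] | Select-Object -First 1)
            Keywords = @($r.Properties['keywords'] | ForEach-Object { [string]$_ })
        }
    }
}

[void](Publish-SharedFolder)
Find-PublishedShare -Keyword 'specifications' | Format-Table -AutoSize
```

Find-PublishedShare returns the same Engineering Specs entry the Find dialog shows in Figure 8; passing a keyword such as `*` returns nothing rather than every published share, because the escaping turns the wildcard into a literal.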
Publishing a Printer
You can also publish information about shared printers in Active Directory. Information about
printers shared from Windows NT must be published manually. Information about printers shared
from the Windows Server 2003 family or the Windows 2000 Server family is published to the
directory automatically when you create a shared printer. Use Active Directory Users and Computers
to manually publish shared printer information.
The print subsystem will automatically propagate changes to the printer attributes (location,
description, loaded paper, and so on) to the directory.
Note: This section details the steps to configure and publish a printer, which prints directly to a
file. If you want to use an IP, LPT, or USB-based printer, you must modify the steps in these
procedures.
Adding a New Printer
To add a new printer
1. Click the Start button, click Printers and Faxes, and then double-click Add Printer. The Add
Printer Wizard appears. Click Next.
2. Click Local printer attached to this computer, clear the Automatically detect and install
my Plug and Play printer check box, and then click Next.
3. In the Use the following port drop-down list, click the FILE: (Print to File) option, and then
click Next.
4. In the Manufacturer results pane, click Generic. In the Printers results pane, click Generic /
Text Only. Click Next to continue.
5. On the Name Your Printer page, change the Printer name to Print to File, and then click Next.
6. On the Printer Sharing page, change the Share name to FilePrinter, and then click Next.
7. For Location on the Location and Comment page, type Headquarters Bldg 4 Room
2200. Click Next to continue.
8. Click Next to print a test page, and then click Finish to complete the installation.
9. When prompted, type TestPrint as the file name for the printer test page. Click OK once
complete.
The printer is automatically published in Active Directory.
Locating a Printer in Active Directory
To find a printer in Active Directory
1. On the Printers and Faxes screen, double-click the Add Printer icon.
2. The Add Printer Wizard dialog box appears. Click Next to continue.
3. Click A network printer, and then click Next.
4. Click Find a printer in the Directory (default), and then click Next.
5. The Find Printers dialog box appears. Click Find Now to search for all printers published in
Active Directory. Setting additional search options can limit results by available features or
printer location.
Printer Location Tracking: Use printer location tracking to streamline printer searches. When
printer location tracking is enabled and the user clicks Find Now, Active Directory lists all
printers matching the user's query that are in the user location. Users can change the location
field by clicking Browse to search for printers in other locations. For more information about
configuring printer location tracking, see the Windows Server 2003 Help and Support Center.
6. In the Search results on the Find Printers page, double-click Print to File to install the
printer. Click Yes (default) to set this printer as the default printer for your system, and then
click Next.
Figure 9. Searching for Shared Printers in Active Directory
7. Click Finish to complete the printer installation.
8. Close the Printers and Faxes window.
You can publish printers shared by operating systems other than Windows Server 2003, Windows
2000, or Windows XP in Active Directory. The simplest way to do this is to use the pubprn.vbs
script, although the Active Directory Users and Computers snap-in can be used. This script will
publish all the shared printers on a given server. It is located in the \winnt\system32 directory.
Publishing a Printer Manually Using the pubprn.vbs Script
To publish a printer manually using the pubprn.vbs script
1. Click the Start button, and then click Run. Type cmd in the text box, and then click OK.
2. Type cd \windows\system32, and then press Enter.
3. Type cscript pubprn.vbs prserv1 "LDAP://ou=accounts,dc=contoso,dc=com", and then
press Enter.
Note: This example publishes all the printers on the Prserv1 server to the Accounts OU. The
script copies only the following subset of the printer attributes: Location, Model, Comment,
and UNCPath. This script will not work on Windows Server 2003; it is provided as a manual
tool for publishing printers to Active Directory from down-level print servers only.
4. Close the window.
Publishing a Printer Manually Using the Active Directory Users and Computers Snap-In
1. Right-click the Marketing OU, click New, and then click Printer.
2. The New Object - Printer dialog box appears. In the text box, type the path to the printer, such
as \\server\share name, and then click OK.
End users experience seamless operations from printers being published in the directory since they
can browse for printers, submit jobs to those printers, and install the printer drivers directly from
the server.
Creating a Computer Object
A computer object is created automatically when a computer joins a domain. If you do not want to
give all users the ability to add computers to the domain, computer objects may also be created
before the computer joins a domain manually or via scripts.
To manually add a computer to the domain
1. Right-click the Engineering OU, point to New, and then click Computer.
2. For the computer name, type Legacy, and then click Next.
3. If the computer is a managed system, you can enter the system GUID. In this example, leave
the system GUID blank, click Next, and then click Finish.
4. To manage this computer from the Active Directory Users and Computers snap-in, right-
click the computer object, and then click Manage.
Optionally, you can select which users are permitted to join a computer to the domain. This allows
the administrator to create the computer account and someone with lesser permissions to install the
computer and join it to the domain.
Renaming, Moving, and Deleting Objects
Every object in the directory can be renamed and deleted, and most objects can be moved to
different containers. The following procedure expands the example for creating a computer object.
To move the Legacy computer object to a different container
1. In the Accounts OU, click the Engineering OU.
2. Right-click the Legacy computer object, and then click Move.
3. Expand the Resources OU, and then click to highlight Servers as shown in Figure 10.
Figure 10. Moving a Computer Object
4. Click OK to move the computer to the Servers OU within the Resources OU.
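The two procedures above, pre-creating the Legacy computer object and moving it to Resources\Servers, carried out with a script, as an added example that is not part of the original guide. It also reads ms-DS-MachineAccountQuota, the domain attribute behind the sentence "If you do not want to give all users the ability to add computers to the domain": with its default value of 10, any authenticated user can join up to ten computers without an administrator creating the account first, so a site that relies on pre-created accounts wants to know that value. It uses the ADSI adapter in Windows PowerShell and assumes the OU layout from the guides under contoso.com.

```powershell
# Added example, not from the original guide. Pre-creates the Legacy computer object in
# Engineering, moves it to Resources\Servers, and reports ms-DS-MachineAccountQuota.
# Assumes OU=Engineering,OU=Accounts and OU=Servers,OU=Resources exist under contoso.com.

$domainDn    = 'DC=contoso,DC=com'
$engineering = [ADSI]"LDAP://OU=Engineering,OU=Accounts,$domainDn"
$servers     = [ADSI]"LDAP://OU=Servers,OU=Resources,$domainDn"

function New-PrestagedComputer {
    param([System.DirectoryServices.DirectoryEntry]$Parent, [string]$Name)
    $computer = $Parent.Children.Add("CN=$Name", 'computer')
    # Machine accounts are named with a trailing dollar sign.
    $computer.Put('sAMAccountName', "$($Name.ToUpper())`$")
    # 0x1020 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD: the state the snap-in gives a
    # pre-staged account. The computer sets its own password when it joins the domain.
    $computer.Put('userAccountControl', 4128)
    $computer.SetInfo()
    return $computer
}

function Get-MachineAccountQuota {
    param([string]$DomainDn)
    $domain = [ADSI]"LDAP://$DomainDn"
    # Default 10: each authenticated user may join that many computers, and the objects
    # land in the Computers container. A value of 0 requires pre-created accounts,
    # which is the approach this procedure demonstrates.
    return [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value
}

$legacy = New-PrestagedComputer -Parent $engineering -Name 'Legacy'

# The Move command: relocate the object to Resources\Servers and confirm its new DN.
$legacy.MoveTo($servers)
$legacy.RefreshCache()
"Legacy now at: $([string]$legacy.Properties['distinguishedName'].Value)"
"ms-DS-MachineAccountQuota for ${domainDn}: $(Get-MachineAccountQuota -DomainDn $domainDn)"
```

Restricting which user may join the pre-created account (the optional step the guide mentions) is an ACL on the computer object; the snap-in's "User or group" button on the New Object - Computer page writes it, and the script above leaves that setting at the default.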
Managing Computer Objects
Computer objects in Active Directory can be managed directly from the Active Directory Users and
Computers snap-in. Computer Management is a component you can use to view and control many
aspects of the computer configuration. Computer Management combines several administration
utilities into a single console tree, providing easy access to a local or remote computer's
administrative properties and tools.
Note: The following example assumes that you are working from the HQ-CON-DC-01 console and
that HQ-CON-DC-02 is currently running.
Managing a Remote Computer
To manage a remote computer
1. In the Active Directory Users and Computers snap-in, right-click contoso.com, and then
click Connect to Domain.
2. Click Browse, and then click the + next to contoso.com. Double-click
vancouver.contoso.com, and then click OK.
3. Expand vancouver.contoso.com by clicking the +, and then click Domain Controllers.
4. Right-click HQ-CON-DC-02, and then click Manage. The system may now be remotely
managed as shown in Figure 11.
Figure 11. Remotely Managing a Computer
5. Close the Computer Management window.
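The same remote-management steps from PowerShell, as an added example that is not part of the original guide: it binds to the child domain, confirms that HQ-CON-DC-02 really is one of its domain controllers and is reachable, and only then launches Computer Management against it. It assumes the RSAT ActiveDirectory module and that the console host can reach the target over RPC/SMB, which is what Computer Management uses.

```powershell
# Added example, not the guide's own steps: open Computer Management against a domain
# controller in the child domain from the HQ-CON-DC-01 console.
Import-Module ActiveDirectory

$childDomain = 'vancouver.contoso.com'
$target      = 'HQ-CON-DC-02'

# Steps 1-3: bind to the child domain and look the target up in its Domain Controllers
# container, so a mistyped or stale name fails here rather than landing on another host.
$dc = Get-ADDomainController -Server $childDomain -Filter "Name -eq '$target'"
if (-not $dc) {
    throw "$target is not a domain controller in $childDomain"
}

# Computer Management needs the remote host up and answering; check before launching
# so a failed connection is reported with the name actually used.
if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
    throw "$($dc.HostName) is not reachable from this console"
}

# Step 4: the snap-in's Manage command opens the Computer Management console
# (compmgmt.msc) targeted at the remote machine.
Start-Process -FilePath 'mmc.exe' -ArgumentList "compmgmt.msc /computer=$($dc.HostName)"
```

Resolving the host through Get-ADDomainController rather than typing the name directly also returns the fully qualified HostName, which avoids relying on NetBIOS name resolution across the parent and child domains.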
Nested Groups
Nested groups allow you to provide company-wide or department-wide access to resources with
minimum maintenance. Placing every team account group into a single company-wide resource
group is not an effective solution because it requires the creation and maintenance of a large
number of membership links. To use nested groups, administrators create a series of account
groups that represent the managerial divisions of the company.
For example, the top account group might be called "All Employees," and would be attached to a
resource group that gives access to resources and shared directories. The next level might contain
account groups that represent major divisions of the company. Each group at this level is a member
of All Employees, and is attached to a resource group giving access to shares and other resources
appropriate to the division it represents.
Within a division, the next level of account groups might represent departments. Shared resources
for the department might include project schedules, meeting schedules, vacation schedules, or any
network information appropriate to the whole department. The department account groups are all
members of the division account group.
Within a department, the management structure can be organized into security groups to any
required level of specificity. These might be team account groups and might represent leaf nodes in
the organization's hierarchical tree.
With this group hierarchy in place, you can give a new employee instant access to the resources of
the team, the department, the division, and the company as a whole by placing the employee in a
team account group. This system supports the principle of least access because the new employee
cannot view the resources of adjacent teams, other departments, or other divisions.
Creating Nested Groups
To create a nested group
1. In the Active Directory Users and Computers snap-in, right-click vancouver.contoso.com,
and then click Connect to Domain.
2. Click Browse, and then click contoso.com. Click OK twice to finish.
3. Expand contoso.com, and then expand the Accounts OU.
4. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group.
Type All Engineering, and then click OK.
5. Right-click the All Engineering group, and then click Properties.
6. Click the Members tab, and then click Add.
7. In the Enter the object names to select box, type Tools, and then click OK.
8. Click OK again. A nested group has been created.
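The hierarchy described in the Nested Groups section (company, division, department, team account groups feeding Domain Local resource groups) together with the All Engineering/Tools nesting from the procedure above, scripted as an added example that is not part of the original guide. It assumes the RSAT ActiveDirectory module and the guide's Accounts\Engineering OU; the group names other than All Engineering and Tools, the resource group RES-Tools-Share-Modify and the user jsmith are hypothetical. Global account groups can only contain accounts and Global groups from their own domain, so this layout is for a single domain; in the guide's two-domain forest a Universal group would be needed to span contoso.com and vancouver.contoso.com.

```powershell
# Added example, not the guide's own steps: create a nested account-group hierarchy,
# attach a resource group, add one employee at the leaf and report effective membership.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouPath   = "OU=Engineering,OU=Accounts,$domainDn"

function Get-OrCreateGroup {
    # Returns the security group of that name in the OU, creating it if absent.
    param([string]$Name, [string]$Path, [string]$Scope = 'Global')
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                             -Path $Path -PassThru
    }
    return $group
}

function Add-MemberIfMissing {
    # Add-ADGroupMember errors on a duplicate, so check direct membership first.
    param($Group, $Member)
    $memberDn = (Get-ADObject -Identity $Member).DistinguishedName
    $already  = Get-ADGroupMember -Identity $Group |
                Where-Object { $_.DistinguishedName -eq $memberDn }
    if (-not $already) { Add-ADGroupMember -Identity $Group -Members $Member }
}

# Account groups, top to bottom: company, division (All Engineering), department (Tools),
# team. Each group is made a member of the one above it, the direction the text describes.
$levels = @('All Employees', 'All Engineering', 'Tools', 'Tools Build Team')   # names beyond the page are hypothetical
$groups = @{}
for ($i = 0; $i -lt $levels.Count; $i++) {
    $groups[$levels[$i]] = Get-OrCreateGroup -Name $levels[$i] -Path $ouPath
    if ($i -gt 0) {
        Add-MemberIfMissing -Group $groups[$levels[$i - 1]] -Member $groups[$levels[$i]]
    }
}

# Resource groups are Domain Local and are what appears in share and NTFS ACLs; nesting
# the department account group into one grants the department and all its teams at once.
$toolsShare = Get-OrCreateGroup -Name 'RES-Tools-Share-Modify' -Path $ouPath -Scope DomainLocal
Add-MemberIfMissing -Group $toolsShare -Member $groups['Tools']

# A new employee goes into the leaf team group only.
Add-MemberIfMissing -Group $groups['Tools Build Team'] -Member (Get-ADUser -Identity 'jsmith')

function Get-EffectiveGroupMembership {
    # Every group the user reaches through nesting, resolved server-side by the
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) instead of
    # recursing group by group from the client. A DN containing ( ) * or \ would
    # need RFC 4515 escaping before being placed in the filter.
    param([string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, GroupScope, DistinguishedName
}

# Expected: Tools Build Team, Tools, All Engineering, All Employees and
# RES-Tools-Share-Modify; nothing from an adjacent team or another division.
Get-EffectiveGroupMembership -SamAccountName 'jsmith'
```

Get-EffectiveGroupMembership is the check to run after any change to the hierarchy: it shows what a single placement in a team group actually grants, which is how an over-broad nesting (a department group accidentally made a member of another division's resource group) is caught.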
Finding Specific Objects
In a large directory deployment, it may be unreasonable to browse a comprehensive list of objects
in search of a unique object. Often, it is more efficient to find specific objects that meet certain
criteria. In the following example, you will find all users who have a logon name starting with J in
the Contoso domain.
To find users with a logon name starting with J
1. Click to select contoso.com. Right-click contoso.com, and then click Find.
2. Click the Advanced tab. In the Field drop-down list, select User, and then click Logon Name.
3. Type J for Value, and then click Add. Click Find Now. Your results should be similar to those
shown in Figure 12.
Figure 12. Employing Advanced Directory Search Techniques
4. Close the Find Users, Contacts, and Groups window.
Filtering a List of Objects
Filtering the list of objects returned from the directory can allow you to manage the directory more
efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in. For
example, you can choose to view only users and groups, or you may want to create a more complex
filter. The Filter function also lets you limit the number of objects displayed in the results pane
when an OU contains more than a specified number of objects.
To create a filter designed to display users only
1. In the Active Directory Users and Computers snap-in, click Engineering under the
Accounts OU.
2. Click the View menu, and then click Filter Options.
3. Click the radio button for Show only the following types of objects, select Users, and then
click OK.
4. Expand Accounts, and then click Engineering to verify the filtering results.
5. Remove the filter.
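The Find operation (users whose logon name starts with J) and the Filter Options operation (show only users in an OU, capped at a maximum number of objects) are both LDAP queries underneath; here they are as an added example that is not part of the original guide, assuming the RSAT ActiveDirectory module and the guide's OU names. The Find dialog's Logon Name field corresponds to userPrincipalName and its pre-Windows 2000 logon name to sAMAccountName, so the search covers both attributes.

```powershell
# Added example, not the guide's own steps: the snap-in's Find and Filter Options
# as LDAP queries against the domain.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

function ConvertTo-LdapFilterValue {
    # Escapes the characters RFC 4515 reserves in filter values (\ * ( ) NUL) as \HH,
    # so a prefix typed by an operator cannot change the shape of the query.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            $null = $sb.Append('\' + ('{0:x2}' -f [int]$ch))
        } else {
            $null = $sb.Append($ch)
        }
    }
    return $sb.ToString()
}

function Find-UsersByLogonPrefix {
    # Find > Advanced > User > Logon Name "Starts with" <prefix>. The wildcard sits only
    # at the end so the domain controller can use the attribute index.
    param([string]$Prefix, [string]$SearchBase = $domainDn)
    $safe   = ConvertTo-LdapFilterValue -Value $Prefix
    $filter = "(|(userPrincipalName=$safe*)(sAMAccountName=$safe*))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase |
        Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName
}

function Get-OuUsersOnly {
    # View > Filter Options > "Show only the following types of objects: Users", limited
    # to the OU itself (OneLevel, like the results pane) and capped at $MaxObjects.
    # objectCategory=person excludes computer objects, which are also objectClass=user.
    param([string]$OuDn, [int]$MaxObjects = 2000)
    Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
                 -SearchBase $OuDn -SearchScope OneLevel -ResultSetSize $MaxObjects |
        Select-Object Name, DistinguishedName
}

# Usage: the guide's two searches.
Find-UsersByLogonPrefix -Prefix 'J'
Get-OuUsersOnly -OuDn "OU=Engineering,OU=Accounts,$domainDn"
```

The escaping step is the part worth keeping even when the prefix comes from a trusted operator: a value such as "J)(objectClass=*" would otherwise be spliced into the filter and widen the result set, and the same function serves any script that builds LDAP filters from user input.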