Win2008s-creating objects in AD.doc

To create an organizational unit

1. Open the Active Directory Users And Computers snap-in.

2. Right-click the Domain node or the OU node in which you want to add the new OU, choose New, and then select Organizational Unit.

3. Type the name of the organizational unit.

Be sure to follow the naming conventions of your organization.

4. Select Protect Container From Accidental Deletion.

You’ll learn more about this option later in this section.

5. Click OK.

OUs have other properties that can be useful to configure. These properties can be set after the object has been created.

6. Right-click the OU and choose Properties.

Follow the naming conventions and other standards and processes of your organization.

You can use the Description field to explain the purpose of an OU.

If an OU represents a physical location, such as an office, the OU’s address properties can be useful.

The Managed By tab can be used to link to the user or group that is responsible for the OU. Click the Change button underneath the Name box. By default, the Select User, Contact, Or Group dialog box that appears does not, despite its name, search for groups; to search for groups, you must first click the Object Types button and select Groups.

You’ll learn about the Select Users, Contacts, Or Groups dialog box later in this lesson.

The remaining contact information on the Managed By tab is populated from the account specified in the Name box. For an OU, the Managed By tab is used solely for contact information: the specified user or group gains no permissions on the OU or its contents. (This differs from groups, where the Manager Can Update Membership List option does write a permission; see "Creating a Group Object" later in this lesson.)

7. Click OK.

If you want to delete the OU, you must first turn off the safety switch. To delete a protected OU, follow these steps:

1. In the Active Directory Users And Computers snap-in, click the View menu and select Advanced Features.

2. Right-click the OU and choose Properties.

3. Click the Object tab.

If you do not see the Object tab, you did not enable Advanced Features in step 1.

4. Clear the check box labeled Protect Object From Accidental Deletion.

5. Click OK.

6. Right-click the OU and choose Delete.

7. You will be prompted to confirm that you want to delete the OU. Click Yes.

8. If the OU contains any other objects, you will be prompted by the Confirm Subtree Deletion dialog box to conf irm that you want to delete the OU and all the objects it contains. Click Yes.
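The two procedures above (create and configure an OU, then clear the safety switch and delete one) as a PowerShell script. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the contoso.com domain used in this chapter, and an existing Help Desk group; the Scratch OU is a throwaway created only so the deletion steps can be shown without deleting People.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # DC=contoso,DC=com

# Steps 2-5: create the OU, protected from accidental deletion. The Description
# from step 6 can be supplied at creation time instead of afterwards.
New-ADOrganizationalUnit -Name 'People' -Path $domainDN `
    -Description 'Non-administrative user identities' `
    -ProtectedFromAccidentalDeletion $true

# Step 6, Managed By: contact information only; nothing in the OU's ACL changes.
# ('Help Desk' is assumed to exist already.)
$people = Get-ADOrganizationalUnit -Identity "OU=People,$domainDN"
Set-ADOrganizationalUnit -Identity $people -ManagedBy (Get-ADGroup -Identity 'Help Desk')

# What the Protect checkbox actually does: it writes Deny ACEs for Everyone
# (Delete and Delete Subtree) on the object. Inspect them on the AD: drive.
function Get-DeletionProtectionAces {
    param([string]$DistinguishedName)
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.ActiveDirectoryRights -band $deleteRights)
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}
Get-DeletionProtectionAces -DistinguishedName $people.DistinguishedName

# Deleting a protected OU: create a throwaway OU, watch the delete fail, then
# clear the switch and delete. -Recursive is the "Yes" to Confirm Subtree Deletion.
New-ADOrganizationalUnit -Name 'Scratch' -Path $domainDN -ProtectedFromAccidentalDeletion $true
$scratch = "OU=Scratch,$domainDN"
try {
    Remove-ADOrganizationalUnit -Identity $scratch -Recursive -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused while protected: $($_.Exception.Message)"
}
Set-ADOrganizationalUnit -Identity $scratch -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $scratch -Recursive -Confirm:$false
```

Run this as a domain administrator on a member server or domain controller with the RSAT tools installed. The Deny ACEs are worth knowing about because they also explain why a protected OU cannot be moved: a move is a delete plus a create.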

Creating a User Object

To create a new user in Active Directory, perform the following steps. Be certain to follow the naming conventions and processes specified by your organization.

1. Open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the node that represents your domain (for instance, contoso.com) and navigate to the OU or container (for example, Users) in which you want to create the user account.

3. Right-click the OU or container, choose New, and then select User.

The New Object – User dialog box appears, as shown in Figure 2-5.

4. In First Name, type the user’s first name.

5. In Initials, type the user’s middle initial(s).

Note that this property is, in fact, meant for the initials of a user’s middle name, not the initials of the user’s first and last name.

6. In Last Name, type the user’s last name.

7. The Full Name field is populated automatically. Make modifications to it if necessary.

The Full Name field is used to populate several attributes of the user object, most notably the common name (CN) and the display name. The CN of a user is the name displayed in the details pane of the snap-in. It must be unique within the container or OU. Therefore, if you are creating a user object for a person with the same name as an existing user in the same OU or container, you must enter a unique name in the Full Name field.

Figure 2-5 New Object – User dialog box

8. In User Logon Name, type the name that the user will log on with and, from the drop-down list, select the user principal name (UPN) suffix that will be appended to the user logon name following the @ symbol.

User names in Active Directory can contain some special characters (including periods, hyphens, and apostrophes), which enable you to generate accurate user names such as O’Hara and Smith-Bates. However, certain applications can have other restrictions, so it is recommended to use only standard letters and numerals until you have fully tested the applications in your enterprise for compatibility with special characters in logon names.

The list of available UPN suffixes can be managed using the Active Directory Domains And Trusts snap-in. Right-click the root of the snap-in, Active Directory Domains And Trusts, choose Properties, and then use the UPN Suffixes tab to add or remove suffixes.

The DNS name of your Active Directory domain will always be available as a suffix and cannot be removed.

9. In the User logon name (Pre-Windows 2000) box of the Active Directory Users And Computers snap-in, enter the pre-Windows 2000 logon name, often called the down-level logon name. This is stored in the sAMAccountName attribute, which is limited to 20 characters and must be unique within the domain.

10. Click Next.

11. Enter an initial password for the user in the Password and Confirm Password boxes.

12. Select User Must Change Password At Next Logon.

It is recommended that you always select this option so that the user can create a new password unknown to the IT staff. Appropriate support staff members can always reset the user’s password at a future date if they need to log on as the user or access the user’s resources. However, only users should know their passwords on a day-to-day basis.

13. Click Next.

14. Review the summary and click Finish.

The New Object – User interface enables you to configure a limited number of account-related properties such as name and password settings. However, a user object in Active Directory supports dozens of additional properties. These can be configured after the object has been created.

15. Right-click the user object you created and choose Properties.

16. Configure user properties.

Be certain to follow the naming conventions and other standards of your organization.

You will learn more about many of the user properties in Chapter 3 and Chapter 8, “Authentication.”

17. Click OK.
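The user-creation procedure above with New-ADUser. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the contoso.com domain and the People OU used in this chapter; the user Dan Holme / dholme is the one created in the exercises later.

```powershell
Import-Module ActiveDirectory

$peopleOU = 'OU=People,DC=contoso,DC=com'
$domain   = Get-ADDomain
$forest   = Get-ADForest

# Step 8: the UPN suffix list is the domain's own DNS name (always available)
# plus any suffixes added in Active Directory Domains And Trusts.
$upnSuffixes = @($domain.DNSRoot) + @($forest.UPNSuffixes)
"Available UPN suffixes: $($upnSuffixes -join ', ')"

# Step 11: prompt for the initial password so it never sits in a script file
# or in the shell history.
$initialPassword = Read-Host -Prompt 'Initial password for dholme' -AsSecureString

# Step 7: the CN (Name) must be unique within the OU. Check first so the failure
# is a clear message rather than a generic "object already exists" error.
$fullName = 'Dan Holme'
if (Get-ADUser -Filter "Name -eq '$fullName'" -SearchBase $peopleOU -SearchScope OneLevel) {
    throw "A user with CN '$fullName' already exists in $peopleOU; choose a unique Full Name."
}

$newUser = @{
    Name                  = $fullName              # CN, shown in the details pane
    DisplayName           = $fullName
    GivenName             = 'Dan'
    Surname               = 'Holme'
    SamAccountName        = 'dholme'               # pre-Windows 2000 logon name, 20 chars max
    UserPrincipalName     = "dholme@$($domain.DNSRoot)"
    Path                  = $peopleOU
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true                  # User Must Change Password At Next Logon
    Enabled               = $true                  # New-ADUser leaves accounts disabled unless told otherwise
}
New-ADUser @newUser

# Steps 14-16: verify. pwdLastSet = 0 is how "must change password at next
# logon" is stored in the directory; PasswordExpired reflects it.
Get-ADUser -Identity 'dholme' -Properties pwdLastSet, PasswordExpired, whenCreated |
    Select-Object SamAccountName, UserPrincipalName, Enabled, pwdLastSet, PasswordExpired, whenCreated
```

If the supplied password does not satisfy the domain password policy, New-ADUser fails when it tries to enable the account, which is the same check the wizard performs at Finish.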

Creating a Group Object

Groups are an important class of object because they are used to collect users, computers, and other groups to create a single point of management. The most straightforward and common use of a group is to grant permissions to a shared folder. If a group has been given read access to a folder, for example, then any of the group’s members will be able to read the folder. You do not have to grant read access directly to each individual member; you can manage access to the folder simply by adding and removing members of the group.

To create a group:

1. Open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the node that represents your domain (for instance, contoso.com) and navigate to the OU or container (such as Users) in which you want to create the group.

3. Right-click the OU or container, choose New, and then select Group.

The New Object – Group dialog box appears, as shown in Figure 2-6.

4. Type the name of the new group in the Group Name box.

Most organizations have naming conventions that specify how group names should be created. Be sure to follow the guidelines of your organization.

By default, the name you type is also entered as the pre-Windows 2000 name of the new group. It is strongly recommended that you keep the two names the same.

5. Do not change the name in the Group Name (Pre-Windows 2000) box.

6. Choose the Group type.

■ A Security group can be given permissions to resources. It can also be configured as an e-mail distribution list.

■ A Distribution group is an e-mail–enabled group that cannot be given permissions to resources and is, therefore, used only when a group is an e-mail distribution list that has no possible requirement for access to resources.

Figure 2-6 The New Object – Group dialog box

7. Select the Group Scope.

■ A Global group is used to identify users based on criteria such as job function, location, and so on.

■ A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report.

■ A Universal group is used to collect users and groups from multiple domains.

Group scope will be discussed in more detail in Chapter 4, “Groups.”

Note that if the domain in which you are creating the group object is at a mixed or interim domain functional level, you can select only Domain Local or Global scopes for security groups. Domain functional levels will be discussed in Chapter 13, “Domains and Forests.”

8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

9. Right-click the group and choose Properties.

10. Enter the properties for the group.

Be sure to follow the naming conventions and other standards of your organization.

The group’s Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to.

The group’s Description field, because it is easily visible in the details pane of the Active Directory Users And Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group.

The group’s Notes field can be used to provide more detail about the group.

The Managed By tab can be used to link to the user or group that is responsible for the group. Click the Change button underneath the Name box. To search for a group, you must first click the Object Types button and select Groups. The Select User, Contact, Or Group dialog box will be discussed later in this lesson.

The remaining contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is typically used for contact information so that, if a user wants to join the group, you can see who in the business should be contacted to authorize the new member. However, if you select the Manager Can Update Membership List option, the account specified in the Name box is granted permission to add and remove members of the group: the snap-in writes an access control entry (ACE) on the group object that allows that account to write the group's Members attribute. This is one method to delegate administrative control over the group. Because the permission is recorded on the group's Security tab (visible with Advanced Features) rather than on the Managed By tab, review it as you would any other delegation.

11. Click OK.
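The group procedure above in PowerShell, including what the Manager Can Update Membership List check box does underneath and how to audit it. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the contoso.com domain, the Groups OU and the user bmayer from this chapter's exercises. The GUID used is the schemaIDGUID of the member attribute in the default AD schema.

```powershell
Import-Module ActiveDirectory
$groupsOU = 'OU=Groups,DC=contoso,DC=com'

# Steps 3-8: a global security group. Name and SamAccountName (the pre-Windows
# 2000 name) are kept identical, as the text recommends.
New-ADGroup -Name 'Finance' -SamAccountName 'Finance' -Path $groupsOU `
    -GroupCategory Security -GroupScope Global `
    -Description 'Finance staff. Membership approved by Barbara Mayer (bmayer).'

# Step 10, Managed By: on its own this is contact information only.
$manager = Get-ADUser -Identity 'bmayer'
Set-ADGroup -Identity 'Finance' -ManagedBy $manager

# 'Manager Can Update Membership List' is the part that delegates. The snap-in
# implements it as an Allow ACE granting WriteProperty on the group's 'member'
# attribute to the manager; this writes the same ACE by hand.
$memberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$group   = Get-ADGroup -Identity 'Finance'
$aclPath = "AD:\$($group.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttributeGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# The delegation lives on the Security tab, not on Members, so audit it: list
# every principal allowed to write 'member' (or all properties) on each group
# under the OU. GenericWrite and GenericAll both include the WriteProperty bit.
function Get-GroupMembershipWriters {
    param([string]$SearchBase)
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
        $groupName = $_.Name
        $groupAcl  = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        foreach ($rule in $groupAcl.Access) {
            $coversMember = ($rule.ObjectType -eq $memberGuid) -or ($rule.ObjectType -eq [guid]::Empty)
            if ($rule.AccessControlType -eq 'Allow' -and
                ($rule.ActiveDirectoryRights -band $writeProp) -and $coversMember) {
                New-Object PSObject -Property @{
                    Group     = $groupName
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.ActiveDirectoryRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}
Get-GroupMembershipWriters -SearchBase $groupsOU |
    Select-Object Group, Identity, Rights, Inherited | Format-Table -AutoSize
```

Expect the audit to list the built-in administrative principals that inherit rights from the domain (Domain Admins, Enterprise Admins, SYSTEM, Account Operators) alongside bmayer on Finance; anything else is a delegation someone should be able to explain.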

Creating a Computer Object

Computers are represented as accounts and objects in Active Directory, just as users are. In fact, behind the scenes, a computer logs on to the domain just as a user does. The computer has a user name (the computer’s name with a dollar sign appended, for instance, DESKTOP101$) and a password that is established when you join the computer to the domain and that the computer itself changes automatically thereafter, by default every 30 days. To create a computer object in Active Directory:

1. Open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the node that represents your domain (such as contoso.com) and navigate to the OU or container (for instance, Computers) in which you want to create the computer.

3. Right-click the OU or container, choose New, and then select Computer.

The New Object – Computer dialog box appears, as seen in Figure 2-7.

4. In the Computer Name box, type the computer’s name.

Your entry will automatically populate the Computer Name (Pre-Windows 2000) box.

5. Do not change the name in the Computer Name (Pre-Windows 2000) box.

6. The account specified in the User Or Group field will be able to join the computer to the domain. The default value is Domain Admins. Click Change to select another group or user.

Generally, you will select a group that represents your deployment, desktop support, or help desk team. You can also select the user to whom the computer is assigned. You will explore the issues related to joining the computer to the domain in Chapter 5, “Computers.”

7. Do not select the check box labeled Assign This Computer Account As A Pre-Windows 2000 Computer unless the account is for a computer running Microsoft Windows NT 4.0.

Figure 2-7 The New Object – Computer dialog box

8. Click OK.

Computer objects have a number of properties that are useful to configure. These can be specified after the object has been created.

9. Right-click the computer and choose Properties.

10. Enter the properties for the computer.

Be sure to follow the naming conventions and other standards of your organization.

The computer’s Description field can be used to indicate who the computer is assigned to, its role (for instance, a training-room computer), or other descriptive information.

Because Description is visible in the details pane of the Active Directory Users And Computers snap-in, it is a good place to store the information you find most useful to know about a computer.

There are several properties that describe the computer, including DNS Name, DC Type, Site, Operating System Name, Version, and Service Pack. These properties will be populated automatically when the computer joins the domain.

The Managed By tab can be used to link to the user or group responsible for the computer. Click the Change button underneath the Name box. To search for groups, you must first click the Object Types button and select Groups. The Select Users, Contacts, Or Groups dialog box is discussed later in this lesson. The remaining contact information on the Managed By tab is populated from the account specified in the Name box.

The Managed By tab is typically used for contact information. Some organizations use the tab to indicate the support team (group) responsible for the computer. Others use the information to track the user to whom the computer is assigned.

11. Click OK.
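Pre-staging a computer object as in the procedure above, plus two checks that explain why it is worth doing. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the contoso.com domain and the Servers OU from this chapter's exercises. The User Or Group field of the dialog (who may join the machine) is implemented as permissions on the computer object and is not reproduced here.

```powershell
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$serversOU = "OU=Servers,$($domain.DistinguishedName)"

# Steps 3-8: pre-stage the account. New-ADComputer appends the '$' to build the
# sAMAccountName (FILESERVER01$) for you.
New-ADComputer -Name 'FILESERVER01' -Path $serversOU `
    -Description 'File server; owner: Windows Administrators'
Get-ADComputer -Identity 'FILESERVER01' | Select-Object Name, SamAccountName, DistinguishedName

# Why pre-staging is worth the effort: ms-DS-MachineAccountQuota (default 10)
# lets every authenticated user join that many machines to the domain, and those
# accounts land in the default Computers container, outside your OU structure
# and the Group Policy linked to it. Read the value; setting it to 0 forces
# pre-staging or an explicit delegation on the target OU.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
# Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# The computer rotates its own password, by default every 30 days. An account
# whose password is much older than that is either a stale machine or a
# pre-staged account that was never joined; either way it should be reviewed
# rather than left in the directory.
function Get-StaleComputerAccounts {
    param(
        [string]$SearchBase,
        [int]$Days = 30
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties PasswordLastSet, OperatingSystem, whenCreated |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, Enabled, PasswordLastSet, whenCreated, OperatingSystem
}
Get-StaleComputerAccounts -SearchBase $serversOU -Days 45 | Format-Table -AutoSize
```

The 45-day threshold leaves room for a machine that was switched off over a password-change boundary; tighten or loosen it to match how long your systems are normally offline.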

Using Saved Queries

Windows Server 2003 introduced the Saved Queries node of the Active Directory Users and Computers snap-in. This powerful function enables you to create rule-driven views of your domain, displaying objects across one or more OUs. To create a saved query:

1. Open the Active Directory Users And Computers snap-in.

Saved Queries is not available in the Active Directory Users And Computers snap-in that is part of Server Manager. You must use the Active Directory Users And Computers console or a custom console with the snap-in.

2. Right-click Saved Queries, choose New, and then select Query.

3. Type a name for the query.

4. Optionally, enter a description.

5. Click Browse to locate the root for the query.

The search will be limited to the domain or OU you select. It is recommended to narrow your search as much as possible to improve search performance.

6. Click Define Query to define your query.

7. In the Find Common Queries dialog box, select the type of object you want to query.

The tabs in the dialog box and the input controls on each tab change to provide options that are appropriate for the selected query.

8. Click OK.

After your query is created, it is saved within the instance of the Active Directory Users And Computers snap-in, so if you open the Active Directory Users And Computers console (dsa.msc), your query will be available the next time you open the console. If you created the saved query in a custom console, it will be available in that custom console. To transfer saved queries to other consoles or users, you can export the saved query as an XML file and then import it to the target snap-in.

Creating and Locating Objects in Active Directory

In this practice, you will create and then locate objects in Active Directory. You will create OUs, users, groups, and computers. You will then create a saved query and customize the view of that saved query.

Exercise 1 Create Organizational Units

The default Users and Computers containers are provided to facilitate the setup of and migration to an Active Directory domain. It is recommended that you create OUs that reflect your administrative model and that you use these OUs to create and manage objects in your directory service. In this exercise, you will create OUs for the example domain, contoso.com. These OUs will be used in practices and exercises later in this training kit.

1. Log on to SERVER01 as Administrator.

2. Open the Active Directory Users And Computers snap-in.

3. Expand the Domain node.

4. Right-click the Domain node, choose New, and then select Organizational Unit.

5. Type the name of the organizational unit: People.

6. Select Protect Container From Accidental Deletion.

7. Click OK.

8. Right-click the OU and choose Properties.

9. In the Description field, type Non-administrative user identities.

10. Click OK.

11. Repeat steps 2–10 to create the remaining OUs used in the exercises that follow: Admins, Groups, Clients, and Servers. Give each a Description that states its purpose.

Exercise 2 Create Users

Now that you have created OUs in the contoso.com domain, you are ready to populate the directory service with objects. In this exercise, you will create several users in two of the OUs you created in Exercise 1, “Create Organizational Units.” These user objects will be used in practices and exercises later in this training kit.

1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

2. Follow the procedure in the “Creating a User Object” section earlier in the chapter and create the following users in the People OU. For each user, create a complex, secure password. Remember the passwords you assign—you will be logging on as these user accounts in other exercises and practices in this training kit.

3. In the console tree, expand the Domain node, contoso.com, and select the People OU.

4. Right-click the People OU, choose New, and then select User.

The New Object – User dialog box appears.

5. In First Name, type the user’s first name: Dan.

6. In Last Name, type the user’s last name: Holme.

7. In User Logon Name, type the user’s logon name: dholme.

8. In the User Logon Name (Pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: dholme.

9. Click Next.

10. Enter an initial password for the user in the Password and Confirm Password boxes.

The default domain password policy for an Active Directory domain requires a password of at least seven characters that contains characters from at least three of the following categories: uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and nonalphanumeric characters (for example, ! @ # $ %); Windows also counts other Unicode alphabetic characters as a further category. The password cannot contain the user’s logon name (sAMAccountName) or any part of the user’s full name longer than two characters. Note that a password can satisfy every one of these rules and still be weak: the policy enforces complexity, not strength.

Remember the password you assign to this user; you will be logging on as this user

account in other exercises and practices in this training kit.

Many training resources suggest using a generic password such as P@ssword. You may use a generic password for the practices in this training kit; however, it is recommended that you create unique passwords, even in a practice, so that you are using best practices even in a lab environment.

11. Select User Must Change Password At Next Logon.

12. Click Next.

13. Review the summary and click Finish.

14. Right-click the user object you created and choose Properties.

15. Examine the attributes that can be configured in the Properties dialog box. Do not change any of the user’s properties at this time.

16. Click OK.

17. Repeat steps 3–12 and create the following users in the People OU.

■ James Fine

● First name: James

● Last name: Fine

● Full name: James Fine

● User logon name: jfine

● Pre-Windows 2000 logon name: jfine

■ Barbara Mayer

● First name: Barbara

● Last name: Mayer

● Full name: Barbara Mayer

● User logon name: bmayer

● Pre-Windows 2000 logon name: bmayer

■ Barbara Moreland

● First name: Barbara

● Last name: Moreland

● Full name: Barbara Moreland

● User logon name: bmoreland

● Pre-Windows 2000 logon name: bmoreland

18. Repeat steps 3–12 and create a user account for yourself in the People OU. For the user logon name, use your first initial and last name, for example, dholme for Dan Holme.

Create a complex, secure password and remember it because you will be logging on as this account in other exercises and practices in this training kit.

19. Repeat steps 3–12 and create an administrative account for yourself in the Admins OU.

This account will be given administrative privileges. Create the user object in the Admins OU rather than in the People OU. For the user logon name, use your first initial and last name, followed by _admin, for instance, dholme_admin for Dan Holme’s administrative account. Create a complex, secure password and remember it because you will be logging on as this account in other exercises and practices in this training kit.
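A checker for the default domain password policy described in step 10 of this exercise, run against a few constructed passwords. This is an added example, not code from the training kit; it needs no domain connection and encodes the rules as the text states them (the Unicode alphabetic category is folded into the nonalphanumeric one). The test passwords are made up for the demonstration, and the name-token delimiters are an assumption about how the full name is split.

```powershell
function Test-DefaultDomainPasswordPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $reasons = @()

    # Minimum length: 7 characters.
    if ($Password.Length -lt 7) { $reasons += 'shorter than 7 characters' }

    # Complexity: at least three character categories. -cmatch is case-sensitive,
    # so the upper- and lower-case classes are counted separately.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # symbols and other Unicode letters
    if ($categories -lt 3) { $reasons += "only $categories of the required 3 character categories" }

    # Name rule: the logon name, or any piece of the full name longer than two
    # characters, may not appear in the password (case-insensitive).
    if ($Password -imatch [regex]::Escape($SamAccountName)) {
        $reasons += 'contains the logon name'
    }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -gt 2 -and $Password -imatch [regex]::Escape($token)) {
            $reasons += "contains part of the full name ('$token')"
        }
    }

    New-Object PSObject -Property @{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed test cases: example strings, not real credentials.
$cases = @(
    @{ Password = 'P@ssword';   SamAccountName = 'dholme'; DisplayName = 'Dan Holme' }   # passes, yet trivially guessable
    @{ Password = 'Holme2008!'; SamAccountName = 'dholme'; DisplayName = 'Dan Holme' }   # rejected: contains 'Holme'
    @{ Password = 'abcdefgh';   SamAccountName = 'dholme'; DisplayName = 'Dan Holme' }   # rejected: one category
    @{ Password = 'Tq8#x';      SamAccountName = 'dholme'; DisplayName = 'Dan Holme' }   # rejected: too short
)
$cases | ForEach-Object {
    Test-DefaultDomainPasswordPolicy -Password $_.Password -SamAccountName $_.SamAccountName -DisplayName $_.DisplayName
} | Select-Object Password, Passes, Reasons | Format-Table -AutoSize
```

The first case is the point of the exercise's warning about generic passwords: P@ssword clears every rule the domain enforces, which is exactly why the policy check must not be mistaken for a strength check.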

Exercise 3 Create Computers

Computer accounts should be created before joining machines to the domain. In this exercise, you will create several computers in two of the OUs you created in Exercise 1. These computer objects will be used in practices and exercises later in this training kit.

1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the Domain node, contoso.com, and select the Servers OU.

3. Right-click the Servers OU, choose New, and then select Computer.

The New Object – Computer dialog box appears.

4. In the Computer Name box, type the computer’s name: FILESERVER01.

Your entry will automatically populate the Computer Name (Pre-Windows 2000) box.

5. Do not change the name in the Computer Name (Pre-Windows 2000) box.

6. Take note of the account specified in the User Or Group Field text box. Do not change the value at this time.

7. Do not select the check box labeled Assign This Computer Account As A Pre-Windows 2000 Computer.

8. Click OK.

9. Right-click the computer and choose Properties.

10. Examine the properties that are available for a computer. Do not change any attributes at this time.

11. Click OK.

12. Repeat steps 3–8 to create computer objects for the following computers:

■ SHAREPOINT02

■ EXCHANGE03

13. Repeat steps 3–8 and create the following computers in the Clients OU rather than in the Servers OU.

■ DESKTOP101

■ DESKTOP102

■ LAPTOP103

Exercise 4 Create Groups

It is a best practice to manage objects in groups rather than to manage each object individually.

In this exercise, you will create several groups in two of the OUs you created in Exercise 1.

These groups will be used in practices and exercises later in this training kit.

1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

2. In the console tree, expand the Domain node, contoso.com, and select the Groups OU.

3. Right-click the Groups OU, choose New, and then select Group.

The New Object – Group dialog box appears.

4. Type the name of the new group in the Group Name text box: Finance.

5. Do not change the name in the Group Name (Pre-Windows 2000) box.

6. Select the Group Type: Security.

7. Select the Group Scope: Global.

8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

9. Right-click the group and choose Properties.

10. Examine the properties available for the group. Do not change any attributes at this time.

11. Click OK.

12. Repeat steps 3–8 to create the following global security groups in the Groups OU:

■ Finance Managers

■ Sales

■ APP_Office 2007

13. Repeat steps 3–8 to create the following global security groups in the Admins OU rather than in the Groups OU.

■ Help Desk

■ Windows Administrators

Exercise 5 Add Users and Computers to Groups

Now that you have created groups, you can add objects as members of the groups. In this exercise, you will add users and computers to groups. Along the way, you will gain experience with the Select dialog box that is used in some procedures to locate objects in Active Directory.

1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

2. Open the properties of your administrative account in the Admins OU.

3. Click the Member Of tab.

4. Click the Add button.

5. In the Select Groups dialog box, type the name Domain Admins.

6. Click OK.

7. Click OK again to close the account properties.

8. Open the properties of the Help Desk group in the Admins OU.

9. Click the Members tab.

10. Click the Add button.

11. In the Select dialog box, type Barb.

12. Click Check Names.

The Multiple Names Found box appears.

13. Select Barbara Mayer and click OK.

14. Click OK to close the Select dialog box.

15. Click OK again to close the group properties.

16. Open the properties of the APP_Office 2007 group in the Groups OU.

17. Click the Members tab.

18. Click the Add button.

19. In the Select dialog box, type DESKTOP101.

20. Click Check Names.

A Name Not Found dialog box appears, indicating that the object you specified could not be resolved.

21. Click Cancel to close the Name Not Found box.

22. In the Select box, click Object Types.

23. Select Computers as an object type and click OK.

24. Click Check Names. The name will resolve now that the Select box is including computers in its resolution.

25. Click OK.
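The membership changes of this exercise in PowerShell, showing what the Select dialog's two stumbling points (an ambiguous name, and a computer that will not resolve) look like underneath. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the contoso.com domain, and the accounts, groups and computers created in Exercises 2 through 4.

```powershell
Import-Module ActiveDirectory
$peopleOU = 'OU=People,DC=contoso,DC=com'

# Steps 2-7: put your administrative account in Domain Admins.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'dholme_admin'

# Steps 11-13: 'Barb' matches two users. The Select dialog resolves names with
# ambiguous name resolution (ANR); run the same query and choose explicitly
# instead of picking from the Multiple Names Found box.
$barbs = Get-ADUser -LDAPFilter '(anr=Barb)' -SearchBase $peopleOU
$barbs | Select-Object Name, SamAccountName            # Barbara Mayer, Barbara Moreland
$mayer = $barbs | Where-Object { $_.SamAccountName -eq 'bmayer' }
Add-ADGroupMember -Identity 'Help Desk' -Members $mayer

# Steps 19-25: the dialog cannot resolve DESKTOP101 until Computers is enabled
# as an object type. The underlying principal is DESKTOP101$ (the
# sAMAccountName); pass the computer object, or that name with its trailing '$'.
Add-ADGroupMember -Identity 'APP_Office 2007' -Members (Get-ADComputer -Identity 'DESKTOP101')
# equivalent: Add-ADGroupMember -Identity 'APP_Office 2007' -Members 'DESKTOP101$'

# The membership of a privileged group just changed, so list who is in it now,
# expanding nested groups, which the Members tab does not do.
function Get-EffectiveGroupMembers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object @{ n = 'Group'; e = { $Group } }, Name, SamAccountName, objectClass
}
Get-EffectiveGroupMembers -Group 'Domain Admins' | Format-Table -AutoSize
```

The recursive listing is the one to keep: a user added to a group that is itself a member of Domain Admins never appears on the Domain Admins Members tab.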

Exercise 6 Find Objects in Active Directory

When you need to find an object in your domain’s directory service, it is sometimes more efficient to use search functionality than to click through your OU structure to browse for the object. In this exercise, you will use three interfaces for locating objects in Active Directory.

1. Log on to SERVER01 and open the Active Directory Users And Computers snap-in.

2. Click the Find Objects In Active Directory Domain Services button.

3. Make sure the In drop-down list is set to contoso.com (the domain name).

4. In the Name box, type Barb.

5. Click Find Now.

6. The two users named Barbara should appear in the Search results.

7. Close the Find box.

8. Open Network from the Start menu.

9. Click Search Active Directory.

10. Repeat steps 3–7.

11. In the Active Directory Users And Computers snap-in, right-click the Saved Queries node, choose New, and then choose Query.

If Saved Queries is not visible, close the console and open the Active Directory Users And Computers console from the Administrative Tools folder of Control Panel.

12. In the Name box, type All Users.

13. In the Description box, type Users for the entire domain.

14. Click Define Query.

15. On the Users tab, in the Name box, choose Has A Value.

16. Click OK twice to close the dialog boxes.

The results of the saved query appear. Note that it shows the users from both the People OU and the Admins OU.

17. Choose View, and then click Add/Remove Columns.

18. In the Available columns list, select Last Name and click the Add button.

19. In the Displayed columns list, select Type and click the Remove button.

20. Click OK.

21. Drag the Last Name column heading so that it is between Name and Description.

22. Click the Last Name column heading so that users are sorted alphabetically by last name.
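The three searches of this exercise, and the saved query from "Using Saved Queries" earlier in the lesson, expressed as the LDAP filters the snap-in builds for them. This is an added example, not code from the training kit. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and the contoso.com domain and OUs from this chapter; the last function goes beyond the exercise and uses the Non expiring passwords option that the Find Common Queries dialog also offers.

```powershell
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Steps 2-6: the Find dialog's Name box uses ambiguous name resolution (ANR),
# which matches the start of several name attributes at once, so 'Barb' returns
# both Barbara Mayer and Barbara Moreland.
Get-ADObject -LDAPFilter '(anr=Barb)' -SearchBase $domainDN |
    Select-Object Name, ObjectClass, DistinguishedName

# Steps 11-16: the 'All Users' saved query (Users tab, Name: Has A Value).
# (objectCategory=person)(objectClass=user) is the pair the snap-in builds for
# user objects: computers are objectClass=user but objectCategory=computer, and
# contacts are objectCategory=person but not objectClass=user, so both drop out.
$allUsers = '(&(objectCategory=person)(objectClass=user)(name=*))'
# Steps 18-22: add the Last Name column and sort on it.
Get-ADObject -LDAPFilter $allUsers -SearchBase $domainDN -Properties sn, description |
    Sort-Object sn |
    Select-Object Name, @{ n = 'Last Name'; e = { $_.sn } }, description

# Narrowing the query root (step 5 of the saved-query procedure) limits both
# the work the domain controller does and what the query can return.
Get-ADObject -LDAPFilter $allUsers -SearchBase "OU=Admins,$domainDN" -SearchScope Subtree |
    Select-Object Name, DistinguishedName

# The same mechanism is what makes the Common Queries option "Non expiring
# passwords" useful in a security review. userAccountControl is a bit field;
# the 1.2.840.113556.1.4.803 matching rule is LDAP's bitwise AND, and 65536 is
# the DONT_EXPIRE_PASSWD flag.
function Get-UsersWithNonExpiringPasswords {
    param([string]$SearchBase)
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
}
Get-UsersWithNonExpiringPasswords -SearchBase $domainDN | Format-Table -AutoSize
```

A saved query is just a filter and a root stored in the console's XML, so any filter you settle on here can be pasted into the Custom Search tab of Define Query and kept for the next review.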