
Organizing Active Directory objects

You're probably familiar with objects in Windows NT. But have you worked with Active Directory objects? You may not know what objects exist or how to move them around your tree. In this Daily Feature, Jim Boyce shows you how.


Few would argue that the Active Directory (AD) is one of the most significant changes from Windows NT to Windows 2000. It’s also the one technology that will cause the most work for administrators in terms of the learning curve and implementation. Once you understand AD and become comfortable deploying and managing it, however, you’ll soon realize why it is one of the most compelling features in Windows 2000. You will also soon realize that once deployed and configured, AD will actually simplify day-to-day management.

Of course, if you organize things properly, you make your management chores that much easier. In this Daily Feature, I’ll show you some of the components of AD and how you can organize and move them around.

Objects and containers
When you install a domain controller, Windows 2000 creates a default set of objects in AD along with the Active Directory structure. These objects include a handful of containers:
  • Users—This is where all new users and groups are created by default.
  • Computers—This is where all new computers are added to the domain.
  • Builtin—This container holds the built-in security groups that are created when you create the domain.
  • Domain Controllers—This is where domain controllers appear.

In addition, Windows 2000 creates a System container that stores AD systems and services information. The System container appears only if you choose Advanced Features from the View menu in the Active Directory Users And Computers console.

You also can create several other types of objects in AD:
  • User
  • Contact
  • Computer
  • Organizational Unit
  • Group
  • Shared Folder
  • Shared Printer

When you create new users through the Active Directory Users And Computers console, those users are placed in the current container. For example, right-click the Users folder and choose New | User, and the resulting user will be placed in the general Users container. Right-click an organizational unit (OU) and create a new user, and the user is placed in that OU. Using OUs to structure users can be extremely useful for simplifying administration. For example, you can apply group policy at the OU level, giving you an easy means of applying policies that differ from site or domain policies to groups of users.

Moving objects
In a perfect world, you would set up your domain structure, populate AD, and be done with it. Everything would be where it needs to be, and you wouldn’t have to worry about moving things around. Unfortunately, that just doesn’t happen. You might need to restructure the domain, move domains to other trees or forests, move users from one OU to another, move OUs to other domains, and so on. Windows 2000 gives you a handful of tools for moving objects to suit specific needs.

You can easily move a user from one container to another, such as from one OU to another within the domain or even to a different domain. The Active Directory Users And Computers console doesn’t let you drag users to move them, but you can right-click a user and choose Move to open a Move dialog box. This dialog box enables you to select a container within the domain or another domain. Just select the desired location and click OK to move the user.

You can use the same method to move groups, computers, shared folders, printers, and other objects. Each object has a Globally Unique Identifier (GUID), which doesn’t change during the move, so moving objects generally has no effect on their behavior.
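The two points above (a new user lands in the current container, and an intra-domain move keeps the object's identity) can be verified from the command line. This is an added example, not code from the article; it assumes the ActiveDirectory RSAT module on a supported Windows Server version, and the account and OU names are constructed placeholders.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory RSAT
# module and a test domain; the account and OU names are constructed.
Import-Module ActiveDirectory

# Creating a user without -Path puts it in the default Users container,
# just as New | User on the Users folder does in the console.
$user = New-ADUser -Name 'Test Mover' -SamAccountName 'tmover' -PassThru
$user.DistinguishedName          # e.g. CN=Test Mover,CN=Users,DC=software,DC=example

# Snapshot the identifiers that should survive an intra-domain move.
$before = Get-ADUser -Identity $user.ObjectGUID

# Equivalent of right-click | Move in the console: the target is the OU's DN.
$targetOu = 'OU=Support,DC=software,DC=example'
Move-ADObject -Identity $before.ObjectGUID -TargetPath $targetOu

# Re-read by GUID (the stable key) rather than by the old DN, which no longer exists.
$after = Get-ADUser -Identity $before.ObjectGUID

if ($after.DistinguishedName -notlike "*,$targetOu") { throw 'Move did not land in the target OU' }
if ($after.ObjectGUID.ToString() -ne $before.ObjectGUID.ToString()) { throw 'GUID changed' }  # never within a domain
if ($after.SID.Value -ne $before.SID.Value) { throw 'SID changed' }  # only happens on cross-domain moves

"$($before.DistinguishedName) -> $($after.DistinguishedName) (GUID and SID unchanged)"
```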

In some cases, however, there are implications for moving objects. If you move a user who is a member of the global group Support in the Software domain to the Hardware domain, that user’s account takes on a new Security ID (SID) in the Hardware domain, the user’s new home. Resources that were previously available to the user through that group membership are no longer available because of the SID change.

There are several ways to remedy the situation, including adding the new SID to the resource access control lists (ACLs), moving the group, and creating a parallel group in the new domain, among others. The implications of moving users and groups between domains are beyond the scope of this article, but keep in mind that moving security principals between domains often has consequences that must be handled in order for the affected users to continue using their resources.
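Before a cross-domain move, it helps to know which ACLs reference the user's current SID, or the SIDs of groups the user will drop out of, so the new SID can be added where needed. The following inventory script is an added example, not code from the article; it assumes the ActiveDirectory RSAT module and readable NTFS ACLs on the shares, and every account, domain and path name is a constructed placeholder.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory RSAT
# module and shares whose NTFS ACLs are readable; all names are constructed.
Import-Module ActiveDirectory

function Get-PreMoveSidInventory {
    param([string]$SamAccountName, [string]$SourceDomain, [string[]]$Paths)

    $u = Get-ADUser -Identity $SamAccountName -Server $SourceDomain -Properties MemberOf
    # SIDs an ACL may reference: the account itself and the groups it belongs to.
    $groups = $u.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ -Server $SourceDomain }
    $watch  = @{ $u.SID.Value = "user $($u.SamAccountName)" }
    foreach ($g in $groups) { $watch[$g.SID.Value] = "$($g.GroupScope) group $($g.Name)" }

    # Walk each ACL and report every ACE whose trustee resolves to one of those SIDs.
    foreach ($p in $Paths) {
        foreach ($ace in (Get-Acl -Path $p).Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable trustee, e.g. an already-orphaned SID
            if ($watch.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path    = $p
                    Trustee = $watch[$sid]
                    Sid     = $sid
                    Rights  = $ace.FileSystemRights
                    Type    = $ace.AccessControlType
                }
            }
        }
    }
}

# Before moving 'jdoe' out of the Software domain, list the ACEs that will stop matching:
Get-PreMoveSidInventory -SamAccountName 'jdoe' -SourceDomain 'software.example' `
    -Paths '\\fileserver\support$', '\\fileserver\tools' | Format-Table -AutoSize
```

Run it again after the move with the new SID to confirm which entries still need to be added to the target ACLs.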

Making things easier with MoveTree
If you need to move several objects, you might prefer to use the MoveTree utility, a Windows 2000 Resource Kit tool. MoveTree lets you move users, groups, and OUs from one Windows 2000 domain to another in the same forest. You can use MoveTree to move objects between child domains as well as between two domain trees in a forest. The source domain can be either a Mixed mode or Native mode domain, but the target domain must be Native mode. MoveTree copies the objects to the Lost And Found container in the source domain and then moves them to the destination domain. It does not move local or domain global groups, but it does retain group membership for accounts during the move.

MoveTree isn’t a complete solution for moving users and groups between domains, however, because it does nothing to move the user’s resources—profile, scripts, data, and so on—to the new domain. For that reason, you’ll need to move these items separately, either manually or through a script.

In addition, moving security principals between domains typically has consequences for group policy application. Windows 2000 maintains the group policy links, which means that group policy for the relocated users is applied from the source domain, rather than from the target domain. This usually has performance implications, because the policies are then applied across the network from the source domain. Therefore, you should re-create the group policies in the target domain and link them to the affected users, and then remove the links to the group policies in the source domain.
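The re-create, relink and unlink sequence just described can be driven from the moved OU's gPLink attribute, which records each link as an "[LDAP://<GPO DN>;<flags>]" entry. This is an added example, not code from the article; it assumes the ActiveDirectory and GroupPolicy RSAT modules, an OU already moved (for instance with MoveTree) into the target domain, and constructed domain and OU names.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and an OU already moved into the target domain;
# domain and OU names are constructed placeholders.
Import-Module ActiveDirectory, GroupPolicy

$sourceDomain = 'software.example'
$targetDomain = 'hardware.example'
$movedOu      = 'OU=Support,DC=hardware,DC=example'
$sourceSuffix = 'DC=' + ($sourceDomain -replace '\.', ',DC=')   # DC=software,DC=example

# Parse gPLink: "[LDAP://<GPO DN>;<flags>]..." where bit 0 of flags means the link is disabled.
function Get-GpLinks([string]$OuDn, [string]$Domain) {
    $ou = Get-ADOrganizationalUnit -Identity $OuDn -Server $Domain -Properties gPLink
    foreach ($m in [regex]::Matches([string]$ou.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        [pscustomobject]@{
            GpoDn   = $m.Groups[1].Value
            Guid    = [regex]::Match($m.Groups[1].Value, '\{[0-9A-Fa-f-]+\}').Value
            Enabled = ([int]$m.Groups[2].Value -band 1) -eq 0
            Raw     = $m.Value
        }
    }
}

# Links whose GPO still lives in the source domain are the ones to replace.
$stale = Get-GpLinks -OuDn $movedOu -Domain $targetDomain |
         Where-Object { $_.GpoDn -like "*$sourceSuffix" }

foreach ($link in $stale) {
    $src = Get-GPO -Guid $link.Guid -Domain $sourceDomain
    Write-Host "Relinking '$($src.DisplayName)': link still points at $sourceDomain"

    # 1. Re-create the policy in the target domain and link the copy to the moved OU.
    $copy = Copy-GPO -SourceGuid $link.Guid -SourceDomain $sourceDomain `
                     -TargetName $src.DisplayName -TargetDomain $targetDomain
    New-GPLink -Guid $copy.Id -Domain $targetDomain -Target $movedOu `
               -LinkEnabled $(if ($link.Enabled) { 'Yes' } else { 'No' }) | Out-Null
}

# 2. Remove the source-domain links by rewriting gPLink with only the target-domain entries.
if ($stale) {
    $keep = (Get-GpLinks -OuDn $movedOu -Domain $targetDomain |
             Where-Object { $_.GpoDn -notlike "*$sourceSuffix" }).Raw -join ''
    if ($keep) { Set-ADOrganizationalUnit -Identity $movedOu -Server $targetDomain -Replace @{ gPLink = $keep } }
    else       { Set-ADOrganizationalUnit -Identity $movedOu -Server $targetDomain -Clear gPLink }
}
```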

Conclusion
Windows 2000’s Active Directory presents a whole new ball game for Windows NT administrators. To be successful in implementing AD, you must know what objects you can work with and how to organize and move objects around. In this Daily Feature, I’ve introduced you to AD containers and objects and explained how to move objects around.