
SolutionBase: A look at Windows Server 2003's Active Directory Users And Computers

Here's a guided tour of one of the most commonly used Windows Server 2003 administration tools: Active Directory Users and Computers.


One of the utilities that a Windows Server 2003 network administrator will use most frequently is Active Directory Users And Computers. However, new network administrators and network administrators who've only used Windows NT may find themselves confused by the new utility. Here's a look at Active Directory Users And Computers in W2K3, what it does, how it differs from utilities in Windows NT Server and Windows 2000 Server, how it works, and how to perform common tasks using it.

What it does
Active Directory Users And Computers serves as the main utility for working with user, group, and computer objects in Active Directory. Remember that every item that needs to interface with your network is represented by an object in Active Directory. Each object carries the attributes that describe the item, such as its description, its security identifier (SID), its group memberships, and directory information like location and contact details. File system and application permissions are not stored in the object itself: an NTFS or application ACL references the object's SID, which is why the group memberships you manage in this tool translate into access to file servers and applications.

Active Directory Users And Computers will allow you to create, modify, and delete these objects. Because of the way Active Directory works, you can create container objects that can contain other objects. For example, you can create a container object called Sales that contains all of the users, groups, and computers for people in your company's sales department. This way you can design an Active Directory tree that mirrors your organization and delegate authority to users or other IT people in those areas. For more information about how to design an Active Directory tree, see the article "Design your Active Directory tree with security in mind."

Some of the common tasks you accomplish with Active Directory Users And Computers include:
  • Adding new users to Active Directory
  • Changing passwords
  • Granting rights to resources on your file servers through group membership
  • Allowing remote access to the network
  • Setting login and logout scripts
  • Controlling when users can use the network

Often if you add applications to your network such as Exchange or Terminal Services, these applications will extend what you can do in Active Directory Users And Computers. For example, if you add Terminal Services to your network, you can use Active Directory Users And Computers to control how long a user can stay connected to your Terminal Server.

How things are different in Windows Server 2003
You'll experience the greatest culture shock if you're moving from Windows NT directly to Windows Server 2003. Microsoft has made many changes to its administration utilities over the years. Active Directory Users And Computers does the job of two different Windows NT utilities. For user and group administration, Active Directory Users And Computers replaces User Manager For Domains. When it comes to controlling servers and member workstations, Active Directory Users And Computers replaces Server Manager.

However, to further complicate things, Active Directory Users And Computers doesn't fully replicate every duty these old Windows NT tools did. It handles only the object-management duties of those tools. When it comes to things like administering trusts, rather than using User Manager For Domains, you'll use the Active Directory Domains And Trusts utility, and account policies such as password length and lockout thresholds now live in Group Policy rather than in User Manager. For a complete discussion of how things have changed between Windows NT and Windows Server 2003, see the article "How Windows NT Services map to Windows Server 2003." To sum things up, the tools, the object model, and the permission model differ enough that little of what you learned about administering Windows NT carries over directly to Windows Server 2003.

The change isn't so great when you move from Windows 2000 Server to Windows Server 2003. Active Directory Users And Computers does the same job in both versions, and most of the visible differences are cosmetic. You'll also find a few new objects and properties in W2K3 that weren't available in Windows 2000 Server.

For example, when you start Active Directory Users And Computers, you'll notice a couple of new top-level containers—Program Data and NTDS Quotas. Program Data contains object information pertaining to network applications, specifically data that applications store directly in Active Directory. The NTDS Quotas container stores quota objects. Despite the name, NTDS quotas have nothing to do with the NTFS disk quotas introduced with Windows 2000: they limit the number of directory objects a security principal can own in a directory partition, which stops an account with delegated create rights (or a compromised one) from flooding the directory with objects.

Above the domain information, you'll notice the new Saved Queries container. A saved query is an LDAP filter that the console runs against the domain and displays as a result set; you can build one with the query dialog or type a custom LDAP filter, and queries can be exported to and imported from XML files so they can be shared between consoles. Because you can select all the objects a query returns and act on them at once, saved queries keep you from having to write ADSI scripts or manually select multiple objects when you need to make bulk changes.
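As an added example (not code from the original article), here are the LDAP filters behind some common account-hygiene saved queries, run from Windows PowerShell through the System.DirectoryServices classes that are present on Windows Server 2003 with Windows PowerShell 1.0 (no ActiveDirectory module is needed). The same filter text can be pasted into Saved Queries | New | Query | Define Query | Custom Search | Advanced. The search root, the 90-day staleness threshold, and the query names are assumptions for illustration.

```powershell
# Added example: saved-query style LDAP filters run with DirectorySearcher.
# The OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, which tests
# whether a given bit is set in userAccountControl.

# userAccountControl flags, as documented by Microsoft
$UF_ACCOUNTDISABLE     = 0x0002   # Account Is Disabled
$UF_PASSWD_NOTREQD     = 0x0020   # no password required (not shown in the ADUC UI)
$UF_DONT_EXPIRE_PASSWD = 0x10000  # Password Never Expires

# Search root: the whole domain (assumption). Substitute an OU's DN to scope it.
$domainDn   = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$searchRoot = [ADSI]"LDAP://$domainDn"

# lastLogonTimestamp replicates only at the Windows Server 2003 domain
# functional level and is a FILETIME (100-ns ticks since 1601), so the cut-off
# date is converted to that form before it goes into the filter. Accounts that
# have never logged on since the attribute was introduced have no value and
# therefore do not match the "stale" query.
$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays).ToFileTimeUtc()

# "objectCategory=person" keeps computer accounts (a subclass of user) out.
$queries = @{
  'Password never expires' = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_EXPIRE_PASSWD))"
  'No password required'   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_PASSWD_NOTREQD))"
  'Disabled accounts'      = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE))"
  'Enabled but stale'      = "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE)))"
}

foreach ($name in $queries.Keys) {
  $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, $queries[$name])
  $searcher.PageSize = 1000     # paged results, so more than 1000 matches come back
  $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'distinguishedname'))
  $results = $searcher.FindAll()
  Write-Host ("{0}: {1} object(s)" -f $name, $results.Count)
  foreach ($r in $results) {
    Write-Host ("  {0,-20} {1}" -f $r.Properties['samaccountname'][0], $r.Properties['distinguishedname'][0])
  }
  $results.Dispose()
}
```

The "No password required" query is the one worth running first: the flag is invisible in the Account tab, and an account carrying it can be given an empty password regardless of the domain password policy.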

Finally, Microsoft has made some cosmetic changes to how the Active Directory Users And Computers MMC looks. Rather than having one level of menu choices for Console, Windows, and Help with another level of choices for Action and View, Windows Server 2003 puts all of the pull-down menus on the same line. Most of the choices within the respective menus remain unchanged, however.

Finding your way around
To start Active Directory Users And Computers, log on with an account that holds the rights you need; for day-to-day user work that should be a member of Account Operators or a delegated helpdesk group rather than Domain Admins. Click Start | All Programs | Administrative Tools | Active Directory Users And Computers, or type dsa.msc at Start | Run. When you do, you'll see the screen shown in Figure A.

Figure A
Active Directory Users And Computers under Windows Server 2003


If you've ever worked with an MMC before, you'll be familiar with the layout. Across the top you'll find a set of pull-down menus. Beneath that is a button bar that provides one-click functionality to frequently used procedures. Finally, you'll see two panes. The left pane provides a tree view of your Active Directory configuration. The right pane shows the objects for containers highlighted in the left pane.

Menu choices
Pull-down menus you can access include:
  • File—Here you can access the Options menu, which allows you to clean up console information. You can also quit Active Directory Users And Computers by clicking Exit.
  • Action—This menu allows you to perform different actions depending on which container object you've selected. For example, if you select the Users container, you might see the Delegate Control menu option and options that allow you to create new users and groups, but if you select a particular User object, you'll see actions about what you can do to a user, such as resetting passwords and disabling accounts.
  • View—This menu choice allows you to customize the appearance of Active Directory Users And Computers. You can change how objects appear, how many columns Active Directory Users And Computers displays, and even filter out objects you don't want to appear.
  • Window—This menu choice allows you to display multiple MMC windows and control how those windows appear on your server.
  • Help—Obviously, this choice allows you to access Active Directory Users And Computers Help files.

The button bar
As in most MMCs, the button bar in Active Directory Users And Computers closely resembles a Web browser. Like browser buttons, these buttons are relatively self-explanatory. Left to right, these buttons are:
  • Back
  • Forward
  • Up One Level
  • Show/Hide Console Tree
  • Paste
  • Properties
  • Refresh
  • Export List
  • Help
  • Create New User
  • Create New Group
  • Create New Organizational Unit
  • Set Filter
  • Find Objects
  • Add Objects To Group

You'll notice that as you go from container to container in the left pane, buttons sometimes will become unavailable. For example, if you go to the Computers container, you can't use the Create New Organizational Unit button.

The Console Tree
The left pane is called the Console Tree. This tree displays all of the container objects for Active Directory. Much as you navigate the hives in the Registry Editor, you'll expand the Console Tree to get to Active Directory objects. Some of the containers listed below (LostAndFound, NTDS Quotas, Program Data, and System) are shown only when View | Advanced Features is turned on. Default objects you'll find in Windows Server 2003's Console Tree are:
  • Saved Queries—Allows you to store XML queries that perform actions on groups of objects.
  • Domain—Where Domain is the name of your Active Directory domain. This is the main container for Active Directory and contains all of the other container and organizational unit objects.
  • Builtin—Contains the default built-in local security groups that come with Windows Server 2003, such as Administrators, Account Operators, Backup Operators, Users, and Pre-Windows 2000 Compatible Access. Membership of these groups deserves regular review; Pre-Windows 2000 Compatible Access in particular grants its members read access to user and group information across the domain.
  • Computers—Contains all of the workstations and member servers on your network.
  • Domain Controllers—Contains all of the domain controllers for your Active Directory tree.
  • ForeignSecurityPrincipals—Holds placeholder objects that represent security principals from trusted external domains, as well as well-known SIDs such as Authenticated Users. They're created automatically when such a principal is added to a domain local group in your domain.
  • LostAndFound—Here you'll find orphaned objects. An object ends up here when it was created in, or moved into, a container on one domain controller while that container was deleted on another domain controller before the change replicated. This usually only happens where you have multiple network administrators working in Active Directory at the same time.
  • NTDS Quotas—Stores quota objects, which limit the number of directory objects a security principal can own in a directory partition.
  • Program Data—Contains object information pertaining to network applications, specifically data stored directly into Active Directory.
  • System—Contains additional containers that store system information for Active Directory such as Group Policies, DNS, IPSec, and DFS Configurations.
  • Users—This is the default container for Active Directory users and for the default domain groups such as Domain Admins and Domain Users.

In addition to these default containers, you can create additional containers called Organizational Units. Organizational Units can be structured to reflect your organization or however else you want to organize your Active Directory tree. They can contain other objects such as users, groups, printers, shared folders, or even other Organizational Units.

Common Active Directory objects
Within the containers reside objects, which represent the users, computers, groups, and other resources that can be granted access on your network. As you look through the various containers discussed above, you'll see the objects appear in the right pane.

Microsoft has done a pretty good job of giving the objects meaningful names. You can quickly guess what an object does by its name. For example, the DHCP Users object is a group object containing members that have read-only access to DHCP. Even if you can't discern an object's purpose by its name, Microsoft has included a Description column that tells you what each default object does.

Each object is made up of a group of properties, which describe the object and what it can do on the network. You can view the properties for an object by right-clicking it and selecting Properties. I'll describe the Properties for the following objects:
  • Computer
  • Group
  • User

I'm only going to describe the default tabs for each object. Applications that extend Active Directory's schema, such as Exchange, will add additional tabs to objects. Also note that the Object and Security tabs appear only when View | Advanced Features is turned on.

Computer
The Computer object represents a computer that has joined the domain. It can describe a domain controller, a member server, or a workstation. You'll find domain controllers in the Domain Controllers container. Member servers and workstations appear in the Computers container by default, unless they were created in, or moved to, an organizational unit. When you right-click a Computer object and select Properties, you'll see the screen shown in Figure B.

Figure B
Active Directory's Computer object


As with most Properties pages, you'll find tabs with further information. Tabs on the Computer Properties page include:
  • General—This tab provides basic information about the object, including both its NetBIOS name and its DNS name. The most security-sensitive setting here is Trust Computer For Delegation (in a domain at the Windows Server 2003 functional level it moves to a separate Delegation tab). Selecting it lets services on that computer impersonate any user who authenticates to it when they contact other computers; this is unconstrained Kerberos delegation. A compromised computer trusted for delegation can therefore act as every account that connects to it, administrators included, so enable it only where a multi-tier service genuinely needs it, and where the functional level offers it, prefer the Delegation tab's option that limits delegation to specified services.
  • Operating System—This tab will show you the operating system running on the computer and what Service Packs have been applied to it.
  • Member Of—Here you'll make the computer a member of a group.
  • Location—On this tab you can enter a string describing where the computer is located.
  • Managed By—Here you can enter information about who's in charge of the computer. You can quickly assign someone by selecting their information directly from Active Directory.
  • Object—This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it.
  • Security—This tab controls the Active Directory rights other objects have to this object. The Group Or Users box lists the objects with rights and the Permissions box describes the permissions the selected object has.
  • Dial-in—Here you'll decide whether or not users can remotely access the computer, whether by dial-up or VPN. You can also set callback options for extra security.

Group
If you right-click a Group object and select Properties, you'll see the screen shown in Figure C.

Figure C
A typical Active Directory Group


Tabs on the Group object include:
  • General—This tab displays information about the object. Group Scope and Group Type can be changed only within the conversions the domain functional level allows (for example, a global group can become universal in a Windows 2000 native or later domain, and a security group can be converted to a distribution group and back); the Builtin groups can't be changed at all. Be aware that converting a security group to a distribution group silently stops every ACE that names the group from granting access. You can change all other fields on this page.
  • Members—Here you can add and remove group members. By clicking the Add button, you can add individual objects or select multiple objects.
  • Member Of—This tab lists the groups that the object belongs to. You can add or delete group membership here.
  • Managed By—Here you can enter information about who's in charge of the group. You can quickly assign someone by selecting their information directly from Active Directory. Note the Manager Can Update Membership List check box: it writes an ACE on the group that lets the named manager add and remove members, so leave it clear on any group that grants privileges.
  • Object—This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it.
  • Security—This tab controls the Active Directory rights other objects have to this object. The Group Or Users box lists the objects with rights and the Permissions box describes the permissions the selected object has.

User
When you right-click a User object and select Properties, you'll see the screen shown in Figure D.

Figure D
A typical User object


Tabs on User objects include:
  • General—Displays general descriptive information about the user, including name, e-mail address and Web site address.
  • Address—This tab displays snail mail addresses for the user.
  • Account—Here you'll find detailed account information for the user. You can view and change the logon name for the user, along with controlling when the user can log on to the network. The Account Options on this tab allow you to force users to change their password at next logon, prevent them from changing passwords, require a Smart Card for logon, and set the delegation behaviour of the account. Two of those options matter for security: Account Is Trusted For Delegation is the user-account equivalent of the computer setting and should be rare, while Account Is Sensitive And Cannot Be Delegated should be set on administrative accounts so that a delegating server can't reuse their credentials. You'll also use this page if the account gets locked out due to logon failures.
  • Profile—On this tab you'll specify the user profile path, the logon script name (relative to the domain's NETLOGON share), and the home folder.
  • Telephones—This tab serves as a repository for any telephone numbers you have for the user, including pagers, cell phones, and IP phone numbers.
  • Organization—Don't confuse this tab with Active Directory's Organizational Unit object. Here, you'll place information about the user's company, including job title, department, and company name. You can also import Manager information from Active Directory.
  • Environment—This tab controls the Terminal Services startup environment for the user.
  • Sessions—This tab helps you control how the user interacts with Terminal Services, including how long a session stays connected and what happens if you disconnect from the server.
  • Remote Control—This tab allows you to remotely control a user's Terminal Services session. You can set settings that allow you to only view the session or to work in the session as well.
  • Terminal Services Profile—This tab is similar to the Profile tab, but this only controls profile information for the Terminal Services session.
  • COM+—You can assign the user to be part of a COM+ partition set here.
  • Published Certificates—This tab allows you to associate X.509 security certificates with the user.
  • Member Of—This tab lists the groups that the object belongs to. You can add or delete group membership here.
  • Dial-in—Here you'll decide whether the user can remotely access the network, whether by dial-up or VPN. In a native-mode domain the default, Control Access Through Remote Access Policy, leaves the decision to the remote access policy; Allow Access overrides policy for that user. You can also set callback options for extra security.
  • Object—This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it.
  • Security—This tab controls the Active Directory rights other objects have to this object. The Group Or Users box lists the objects with rights and the Permissions box describes the permissions the selected object has.
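The delegation settings described above, Trust Computer For Delegation on the Computer object and Account Is Sensitive And Cannot Be Delegated on the User object's Account tab, are the ones most worth auditing. The following added example (not code from the original article) enumerates everything in the domain that is trusted for unconstrained delegation and then applies the user-side counter-measure to every direct member of Domain Admins, using System.DirectoryServices on Windows Server 2003 with Windows PowerShell 1.0. The group name Domain Admins and RID 516 are real; the $reportOnly switch and the output wording are assumptions for illustration.

```powershell
# Added example: audit unconstrained delegation, then protect privileged users.
# Set $reportOnly to $false to actually write the NOT_DELEGATED flag.

$UF_TRUSTED_FOR_DELEGATION = 0x80000    # Trust Computer/Account For Delegation
$UF_NOT_DELEGATED          = 0x100000   # Account Is Sensitive And Cannot Be Delegated
$reportOnly = $true

$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# 1. Everything flagged for unconstrained delegation. Because the computer
#    class derives from user, (objectClass=user) covers both kinds of account.
#    Domain controllers (primary group RID 516) carry the flag by design;
#    anything else should have a documented reason.
$filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $filter)
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'primarygroupid'))
$flagged = $searcher.FindAll()
foreach ($f in $flagged) {
  $dn = $f.Properties['distinguishedname'][0]
  if ($f.Properties['primarygroupid'][0] -eq 516) {
    Write-Host "expected (domain controller): $dn"
  } else {
    Write-Warning "REVIEW: $dn is trusted for unconstrained delegation"
  }
}
$flagged.Dispose()

# 2. Privileged users: set NOT_DELEGATED so that a server trusted for
#    delegation cannot reuse their Kerberos credentials against other services.
#    Only direct members are walked here; nested groups are skipped, and the
#    accounts whose primary group is Domain Admins are not in the member list.
$domainAdmins = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$domainDn"
foreach ($memberDn in @($domainAdmins.member)) {
  $acct = [ADSI]"LDAP://$memberDn"
  if ($acct.psbase.SchemaClassName -ne 'user') { continue }   # skip nested groups
  $uac = [int]$acct.userAccountControl.Value
  if (($uac -band $UF_NOT_DELEGATED) -ne 0) {
    Write-Host "already protected: $memberDn"
  } elseif ($reportOnly) {
    Write-Host "would set NOT_DELEGATED on: $memberDn"
  } else {
    $acct.Put('userAccountControl', ($uac -bor $UF_NOT_DELEGATED))
    $acct.SetInfo()
    Write-Host "set NOT_DELEGATED on: $memberDn"
  }
}
```

The computer-side remedy for anything the first loop reports is simply to clear Trust Computer For Delegation (or, at the Windows Server 2003 functional level, to switch the Delegation tab to specified services only); the second loop is the belt-and-braces measure that protects administrators even where a trusted computer remains.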

Accomplishing common tasks with Active Directory Users And Computers
Now that you know your way around Active Directory Users And Computers, it's time to find out how to accomplish common administration tasks. Table A shows you some of the things you can do, and how to get them done.
Table A
Each entry gives what you want to do, followed by how to do it.
  • Create a new user—Right-click the container where you want the new user object to reside. Click New | User. Follow the prompts in the New Object - User screen to add information about the user such as logon name and user name. Click Next to see additional screens, enter a password and the account options, and click Finish.
  • Create a new group—Right-click the container where you want the new group object to reside. Click New | Group. Follow the prompts in the New Object - Group screen to add information about the group such as group name and group type. For most groups you create, you'll create a Global Security group. Click OK to create the group.
  • Create a new container object—Right-click the domain or container where you want the new container object to reside. Click New | Organizational Unit. In the New Object - Organizational Unit screen, enter a unique name for your container. Click OK to create the container.
  • Make a user a member of a group—Right-click the user object. Select Add To A Group. When the Select Group window appears, type the name of the group in the Enter The Object Name To Select box and click Check Names. If you don't know the name, click Advanced. Click Find Now to display all groups. Select the group you want the user to belong to and click OK. Click OK again to close the Select Group window and finish.
  • Change a password—Right-click the user object. Select Reset Password. When the Reset Password screen appears, type the new password in both fields. To force the user to change the password immediately, select User Must Change Password At Next Logon. Click OK. Resetting a password requires the Reset Password right on the object, which is what the Delegation Of Control Wizard's "Reset user passwords" task grants.
  • Unlock an account—Right-click the user object. Select Properties. Click the Account tab. Remove the check from the Account Is Locked Out box. Before unlocking, check the security log on the domain controllers for the source of the failed logons; repeated lockouts can indicate password guessing rather than a forgotten password.
  • Disable an account—Right-click the user object. Select Disable Account. Reenable by right-clicking the user object and selecting Enable Account.
  • Move a user—Drag and drop the user to the target container, or right-click it and select Move. Remember that the Group Policy objects and the delegated permissions that apply to the user change with the container.
  • Restrict logon times—Right-click the user object. Select Properties. Click the Account tab. Click Logon Hours. When the Logon Hours screen appears, select Logon Denied and click the time blocks when you don't want the user to log on. The hours are stored in UTC and displayed in the console's local time.
  • Delete a group—Right-click the group object. Select Delete. Deleting a group also discards its SID; recreating a group with the same name does not restore the access the old SID granted.
  • Delegate authority—Right-click the container object where you want to delegate tasks. Select Delegate Control. The Delegation Of Control Wizard appears. Follow the prompts on screen to add users or groups that you want to give control to and what powers you want to grant to those users or groups. The wizard only adds permissions; review the result on the container's Security tab and remove it there if you delegate too much.
  • Allow users to use VPN—Right-click the user object. Select Properties. Click the Dial-in tab. Select Allow Access. Click OK to close. Allow Access bypasses the remote access policy; where a policy exists, prefer leaving Control Access Through Remote Access Policy selected and putting the user in the policy's group.
How to do common tasks in Active Directory Users And Computers
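Several of the Table A tasks are easier to audit and repeat when scripted. The following added example (not code from the original article) performs creating a user, resetting the password, enabling the account, adding the user to a group, restricting logon hours, and delegating the Reset Password right, all with System.DirectoryServices on Windows Server 2003 with Windows PowerShell 1.0. The OU "OU=Sales", the user "jsmith", the group "Sales Staff", the helpdesk group "Helpdesk", and the password value are assumptions for illustration; the two GUIDs are Microsoft's published identifiers for the Reset Password extended right and the user class.

```powershell
# Added example: the Table A tasks scripted against Active Directory.
# Names below are assumed for illustration; the password is a placeholder
# (in practice, prompt for it with Read-Host -AsSecureString).

$domainDn  = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$dnsDomain = ($domainDn -replace 'DC=', '') -replace ',', '.'   # DC=corp,DC=local -> corp.local
$ou        = [ADSI]"LDAP://OU=Sales,$domainDn"

# --- Create a new user (New | User) -----------------------------------------
$user = $ou.Create('user', 'CN=Jane Smith')
$user.Put('sAMAccountName',    'jsmith')
$user.Put('userPrincipalName', "jsmith@$dnsDomain")
$user.Put('givenName',   'Jane')
$user.Put('sn',          'Smith')
$user.Put('displayName', 'Jane Smith')
$user.SetInfo()            # the object must exist before a password can be set

# --- Change a password (Reset Password), then enable the account ------------
$user.SetPassword('Placeholder-Passw0rd!')   # placeholder value
$user.Put('pwdLastSet', 0)                   # 0 = User Must Change Password At Next Logon
# A freshly created account is disabled and carries PASSWD_NOTREQD (0x222);
# 0x200 (NORMAL_ACCOUNT) clears both, which is what the New User wizard does.
$user.Put('userAccountControl', 0x200)
$user.SetInfo()

# --- Make the user a member of a group (Add To A Group) ---------------------
$group = [ADSI]"LDAP://CN=Sales Staff,OU=Sales,$domainDn"
$group.Add($user.psbase.Path)

# --- Restrict logon times (Account | Logon Hours) ---------------------------
# logonHours is 21 bytes = 168 bits, one per hour of the week, starting with
# Sunday 00:00 UTC, least-significant bit first. ADUC draws the grid in the
# console's local time, so a local Mon-Fri 08:00-18:00 window is converted to
# UTC here using a reference week (Sunday 2 Jan 2005; only weekday and hour matter).
$allowed = New-Object bool[] 168
$sunday  = New-Object DateTime 2005, 1, 2, 0, 0, 0     # Kind Unspecified = local time
for ($day = 1; $day -le 5; $day++) {                   # 1 = Monday ... 5 = Friday
  for ($h = 8; $h -lt 18; $h++) {
    $utc = $sunday.AddDays($day).AddHours($h).ToUniversalTime()
    $allowed[([int]$utc.DayOfWeek * 24) + $utc.Hour] = $true
  }
}
$logonHours = New-Object byte[] 21
for ($i = 0; $i -lt 168; $i++) {
  if ($allowed[$i]) {
    $byteIndex = [int][Math]::Floor($i / 8)
    $logonHours[$byteIndex] = $logonHours[$byteIndex] -bor [int][Math]::Pow(2, $i % 8)
  }
}
$user.Put('logonHours', [byte[]]$logonHours)
$user.SetInfo()

# --- Delegate authority (Delegate Control) ----------------------------------
# The same ACE the wizard's "Reset user passwords" task writes: the Reset
# Password extended right, allowed for Helpdesk, inherited by the user objects
# below the OU. (The wizard additionally grants write access to pwdLastSet.)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"
$userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$helpdesk    = [ADSI]"LDAP://CN=Helpdesk,OU=Sales,$domainDn"
$helpdeskSid = New-Object System.Security.Principal.SecurityIdentifier($helpdesk.objectSid.Value, 0)
$aceArgs = @(
  $helpdeskSid,
  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
  [System.Security.AccessControl.AccessControlType]::Allow,
  $resetPasswordRight,
  [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
  $userClassGuid)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs
$ou.psbase.ObjectSecurity.AddAccessRule($ace)
$ou.psbase.CommitChanges()
```

Scoping the ACE to the user class with the inherited-object GUID is the part the wizard does for you and the part most hand-written delegations get wrong: without it, Helpdesk would receive Reset Password on every object type in the OU, including any computer accounts.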
