
A closer look at Windows Server 2008's Active Directory Users and Computers

When administering Windows Server 2008, one of the tools you'll use most often is Active Directory Users And Computers. Here's a quick guided tour of the tool and some of the changes that have occurred since Windows Server 2003.

Of the administrative tools used by Windows administrators, Active Directory Users and Computers is very likely to be near the top of the management arsenal. Present in Windows and Active Directory since the birth of Windows 2000, which jettisoned the old NT-style directory, Active Directory Users and Computers has made an unscathed transition to Windows Server 2008. Let's look at the Active Directory Users and Computers tool in Windows Server 2008 and outline what it does, how it works, and how to perform common tasks in the tool.

What it does

Active Directory Users and Computers serves as the primary entry point for management of user, group, and computer objects in Active Directory. Active Directory objects contain the information necessary for the item including descriptions, file system rights, security identifiers, application rights, and directory information.

Active Directory Users and Computers allows you to create, modify, and delete objects in the directory. Objects in Active Directory need not be, and usually are not, all thrown into one huge group. Instead, objects are nested inside containers called Organizational Units which, in turn, can house additional organizational units. As such, the directory really becomes a tree of sorts, with the organizational units as the limbs and the individual objects as leaves.

Often, organizations create Active Directory structures that mirror their organization structures. For example, an organization might have separate organization units for Sales and Engineering, with different policies for each and with structures that make the most sense for the department and for the security needs for each group. This allows you to design an Active Directory tree that mirrors an organization and to delegate authority to users or to other IT people in appropriate areas. For more information about how to design an Active Directory tree, see the article, Design your Active Directory tree with security in mind.

Some of the common tasks accomplished with Active Directory Users and Computers include:

  • Adding new users to Active Directory
  • Changing passwords
  • Granting rights to file servers
  • Allowing remote access to the network
  • Setting login and logout scripts
  • Controlling when users can use the network
  • Creating security groups - with either static or dynamic membership

Many applications, including Exchange Server, Terminal Services and System Center add capability to Active Directory. Sometimes, these applications add extensions to Active Directory Users and Computers to allow management of objects related to the new product. For example, if you add Terminal Services to your network, you can use Active Directory Users and Computers to control how long a user can stay connected to your Terminal Server.

With Exchange 2003 and below, Microsoft provided extensions for Active Directory Users and Computers that allowed some Exchange object management. With Exchange 2007, Microsoft has moved away from this management paradigm, but many products still work in this fashion.

How things are different in Windows Server 2008

You'll experience the greatest culture shock if you're moving from Windows NT directly to Windows Server 2008. Microsoft has made many changes to its administration utilities over the years. Active Directory Users and Computers does the job of two different Windows NT utilities. For user and group administration, Active Directory Users and Computers replaces User Manager For Domains. When it comes to controlling servers and member workstations, Active Directory Users and Computers replaces Server Manager.

The change isn't so great when you move from Windows 2000 Server or Windows Server 2003 to Windows Server 2008. Active Directory Users and Computers does the same thing in all versions, but has undergone some enhancement over time. In addition, you'll find a few new objects and properties available in Windows Server 2008 that weren't available in earlier versions of Windows Server.

Most notably, Microsoft has added an Attribute Editor tab to every object, which gives administrators an easy way to quickly change the value of any Active Directory object's attributes. This is long overdue!

Finding your way around

There are a couple of ways to use Active Directory Users and Computers in Windows Server 2008. Regardless of the method you use to start the tool, you should log in to the server as an administrative user.

First, you can use the new Server Manager tool and browse to Roles | Active Directory Domain Services | Active Directory Users and Computers. Figure A below shows you this tool in the context of Server Manager.

Figure A

Active Directory Users and Computers through Server Manager

The second method is to start Active Directory Users and Computers directly, which is how the tool was used in previous versions of Windows. To do so, click Start | All Programs | Administrative Tools | Active Directory Users and Computers. When you do, you'll see the screen shown in Figure B. This article uses this method to manage Active Directory Users and Computers.

Figure B

Active Directory Users and Computers

If you've ever worked with Microsoft Management Console (MMC) before, the layout should be familiar. Across the top notice the set of pull-down menus. Beneath the menu bar is a button bar that provides quick access to frequently used procedures. Finally, you'll see two panes. The left pane provides a tree view of your Active Directory structure. The right pane shows the objects for containers highlighted in the left pane.

Menu choices

Pull-down menus you can access include:

  • File: In the File menu lies the Options menu, which allows you to clean up console information. You can also quit Active Directory Users and Computers by clicking Exit.
  • Action: This menu allows you to perform different actions depending on which container object you've selected. For example, if you select the Users container, you might see the Delegate Control menu option and options that allow you to create new users and groups, but if you select a particular User object, you'll see actions about what you can do to a user, such as resetting passwords and disabling accounts. When the domain object is selected, this menu contains options to raise the domain functional level and to modify the servers that are considered operations masters, such as the PDC emulator and the schema master.
  • View: This menu choice allows you to customize the appearance of Active Directory Users and Computers. You can change how objects appear, how many columns Active Directory Users and Computers displays, and filter out objects you don't want to appear.
  • Window: This menu choice allows you to display multiple MMC windows and control how those windows appear on your server.
  • Help: As would be expected, this choice allows you to access Active Directory Users and Computers Help files.

The button bar

As in most MMCs, the button bar in Active Directory Users and Computers closely resembles a Web browser. Like browser buttons, these buttons are relatively self explanatory. Left to right, these buttons are:

  • Back to previous selection
  • Forward to next selection (if you previously used Back)
  • Move up one level in the Active Directory hierarchy
  • Show/Hide console tree
  • Paste
  • Get properties for current object
  • Refresh
  • Export List
  • Help
  • Show/Hide action pane
  • Create a new user object in the current container
  • Create a new group in the current container
  • Create a new organizational unit in the current container
  • Create a filter to see only specific types of objects
  • Find objects
  • Add selected objects to a group

You'll notice that as you go from container to container in the left pane, buttons sometimes will become unavailable. For example, if you go to the Computers container, you can't use the Create New Organizational Unit button.

Take special note of the Show/Hide action pane button. In most of their new products, Microsoft has moved to a screen layout that includes what they call an action pane. The action pane provides quick access to all of the functions available with regard to a particular object.

In Figure C below, note that the user object named Administrator is selected. In the Action pane on the right, there are two More Actions options. One is below the Users heading and provides shortcut access to the same options that would be available if you right-clicked Users container. Likewise, underneath the Administrator heading, the More Actions button provides quick access to the options that would be available if you were to right-click the Administrator user.

Figure C

The Action Pane provides quick access to the functions available to an object.

Before you proceed through the rest of this article, make sure you are looking at the Advanced view, which gives you a look at many more objects and containers. Of course, the more access you have, the easier it is to make a mistake, so be careful, too. Figure C above was taken when the Advanced view was active. To enable Advanced mode, choose View | Advanced Features.

The Console Tree

The left pane is called the Console Tree. This tree displays all of the container objects for Active Directory. Navigate through the Console Tree by clicking the plus signs to expand the various options/containers. As you expand the tree, you'll start to get to Active Directory objects. The default objects you'll find in Windows Server 2008's Console Tree are:

  • Saved Queries: Allows you to store queries that perform actions on groups of objects. Saved queries give you a way to quickly access objects that you need to manage on a relatively regular basis.
  • Domain: In your own environment, the name of your Active Directory domain is listed here. This object is the main container for your Active Directory environment and contains all of the other container and organizational unit objects.
  • Builtin: Contains all of the default security groups that come with Windows Server 2008, which are listed below. The descriptions of what each group allows or denies are taken directly from Active Directory Users and Computers:
    • Account Operators: Members can administer domain user and group accounts
    • Administrators: Administrators have complete and unrestricted access to the computer/domain
    • Backup Operators: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
    • Certificate Service DCOM Access: Members of this group are allowed to connect to Certification Authorities in the enterprise
    • Cryptographic Operators: Members are authorized to perform cryptographic operations.
    • Distributed COM Users: Members are allowed to launch, activate and use Distributed COM objects on this machine.
    • Event Log Readers: Members of this group can read event logs from local machine
    • Guests: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
    • IIS_IUSRS: Built-in group used by Internet Information Services.
    • Incoming Forest Trust Builders: Members of this group can create incoming one-way trusts to this forest
    • Network Configuration Operators: Members in this group can have some administrative privileges to manage configuration of networking features
    • Performance Log Users: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
    • Performance Monitor Users: Members of this group can access performance counter data locally and remotely
    • Pre-Windows 2000 Compatible Access: A backward compatibility group which allows read access on all users and groups in the domain
    • Print Operators: Members can administer domain printers
    • Remote Desktop Users: Members in this group are granted the right to logon remotely
    • Replicator: Supports file replication in a domain
    • Server Operators: Members can administer domain servers
    • Terminal Server License Servers: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
    • Users: Users are prevented from making accidental or intentional system-wide changes and can run most applications
    • Windows Authorization Access Group: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
  • Computers: Contains all of the workstations and member server objects in your Active Directory.
  • Domain Controllers: Contains all of the domain controllers used in your Active Directory domain.
  • ForeignSecurityPrincipals: The container holds security identifiers associated with objects from external, trusted domains.
  • LostAndFound: Here you'll find the objects that were supposed to replicate across the directory but couldn't for some reason. Objects will appear here if they were created at the same time the container that holds them was deleted. This will probably only happen where you have multiple network administrators working in Active Directory.
  • Program Data: Contains object information pertaining to network applications, specifically data stored directly into Active Directory.
  • System: Contains additional containers that store system information for Active Directory such as Group Policies, DNS, IPSec, and DFS Configurations.
  • Users: This is the default container for Active Directory users.
  • NTDS Quotas: Stores quota objects, which restrict the number of objects a user can create in a container.
  • Additional organizational units: Your Active Directory hierarchy can be structured to reflect your organizational structure. You're not limited to placing every single user object into the Users container, for example. You can create additional containers as necessary to meet your goals. Additional containers can contain objects beyond users, such as groups, printers, shared folders, or even other Organizational Units.
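Several of the Builtin groups listed above (Administrators, Account Operators, Server Operators, Backup Operators, Print Operators) carry rights that amount to administrative control, and Pre-Windows 2000 Compatible Access grants read access to every user and group in the domain. The following script is an added example, not code from the article: it lists the members of those groups and checks whether the Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) well-known SIDs, which appear as entries under the ForeignSecurityPrincipals container, are members of Pre-Windows 2000 Compatible Access. It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and RSAT rather than with Windows Server 2008 itself.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT); it is not available on Windows Server 2008 RTM.
Import-Module ActiveDirectory

# Builtin groups whose membership should stay small and be reviewed regularly.
# The comments repeat the descriptions ADUC shows for each group.
$privilegedBuiltin = @(
    'Administrators',      # complete and unrestricted access to the computer/domain
    'Account Operators',   # can administer domain user and group accounts
    'Server Operators',    # can administer domain servers
    'Backup Operators',    # can override security restrictions to back up or restore files
    'Print Operators'      # can administer domain printers
)

function Get-PrivilegedBuiltinMembers {
    foreach ($groupName in $privilegedBuiltin) {
        # -Recursive expands nested groups so indirect members are reported too
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            New-Object PSObject -Property @{
                Group  = $groupName
                Member = $m.SamAccountName
                Class  = $m.objectClass
                DN     = $m.distinguishedName
            }
        }
    }
}

function Test-PreWindows2000Access {
    # Members of Pre-Windows 2000 Compatible Access can read all users and groups.
    # Well-known SIDs are stored as foreign security principals, so they show up
    # in the member attribute as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
    $anonymous = @($members | Where-Object { $_ -match '^CN=S-1-1-0,' -or $_ -match '^CN=S-1-5-7,' })
    New-Object PSObject -Property @{
        Members       = @($members)
        AnonymousRead = ($anonymous.Count -gt 0)
    }
}

Get-PrivilegedBuiltinMembers | Sort-Object Group, Member | Format-Table Group, Member, Class -AutoSize

$pre2k = Test-PreWindows2000Access
if ($pre2k.AnonymousRead) {
    Write-Warning 'Pre-Windows 2000 Compatible Access includes Everyone or Anonymous Logon; confirm that this is still required.'
}
```

Comparing the output of Get-PrivilegedBuiltinMembers against a saved baseline on a schedule is an easy way to notice membership changes that nobody intended; ADUC shows the same membership on each group's Members tab, one group at a time.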

Common Active Directory objects

Within each container reside Active Directory objects, which represent every resource that has been added to your Active Directory hierarchy. As you look through the various containers discussed above, you'll see the objects appear in the right pane.

Microsoft has done a pretty good job of giving the objects meaningful names. You can usually quickly guess what an object does by its name. For example, the DHCP Users object is a group object containing members that have read-only access to DHCP. Even if you can't discern an object's purpose by its name, Microsoft has included a Description column that tells you what each default object does. And, if worst comes to worst, there's always Google!

Each object is made up of a group of properties, which describe the object and what it can do. View the properties for an object by right-clicking the object and, from the resulting shortcut menu, selecting Properties. In this article, you will learn about the properties for the following kinds of objects:

  • Computers
  • Groups
  • Users

Only the default tabs for each object will be discussed here. If you have added applications that extend Active Directory's schema, such as Exchange, there may be additional tabs on some kinds of objects.

Computer Objects

The Computer object describes computers that have rights on the network. It can describe domain controllers, member servers, or workstations. You'll find domain controllers in the Domain Controllers container. Member servers and workstations will appear in the Computers container. When you right-click a Computer object and select Properties, you'll see the screen shown in Figure D.

Figure D

The Properties page for the computer named VISTA32.

As with most Properties pages, you'll find tabs with further information. Tabs on the Computer Properties page include:

  • General: This tab provides basic information about the object, including both its NetBIOS name, its DNS name, type, Active Directory site and description.
  • Operating System: This tab will show you the operating system running on the computer and what service packs, if any, have been applied to it.
  • Member Of: Here, you can view the computer's group memberships and make any necessary adjustments. By default, all new computers are added to the group named Domain Computers.
  • Delegation: In older versions of Windows Server, this information was located on the General tab. Select one of the 'trust' options if you want the computer to be able to request services from another computer.
  • Password Replication: The Password Replication tab holds a list of the Read-Only Domain Controllers that store cached versions of the directory.
  • Location: Enter details describing the computer's physical location.
  • Managed By: Provide information regarding the staff person responsible for the computer. You can quickly assign someone by selecting their information directly from Active Directory.
  • Object: This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it. Update Sequence Numbers are critical components when it comes to handling Active Directory updates and keep things in check. On this tab, you can also indicate that the object should be protected from accidental deletion.
  • Security: This tab controls the Active Directory rights other objects have to this object. The Group or user names box lists the objects with rights and the Permissions box describes the permissions the selected user or group has been granted or denied.
  • Dial-in: Decide whether or not users can remotely access the computer, whether by dial-up or VPN. You can also set callback options for extra security.
  • Attribute Editor (new tab in Windows Server 2008): In Windows Server 2008, Microsoft has borrowed from the ADSI Edit utility and added this tab, which allows you to directly manipulate all of the attributes associated with the selected object.

Group Objects

There are a couple of kinds of group objects that can be created in Active Directory. The first kind, the security group, provides a way to manage access rights for multiple users (or other objects) all at once. Rather than assign individual permissions to a file share, for example, you can give rights to the security group and then add and remove group members as needed. Security groups can also be used as email distribution groups. The second kind of group, called a distribution group, is used solely as an email distribution list. This article focuses on security groups.

If you right-click a Group object and select Properties, you'll see the screen shown in Figure E.

Figure E

The Properties page for the Domain Admins group object.

Tabs on the Group object include:

  • General: This tab displays information about the object. You can view, but not change Group Scope and Group Type for Groups. You can change all other fields on this page.
  • Members: Here you can add and remove group members. By clicking the Add button, you can add individual objects or select multiple objects.
  • Member Of: This tab lists the groups that the object belongs to. You can add or delete group membership here.
  • Managed By: Here you can enter information about who's in charge of the group. You can quickly assign someone by selecting their information directly from Active Directory.
  • Object: This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it. On this tab, you can also indicate that the object should be protected from accidental deletion.
  • Security: This tab controls the Active Directory rights other objects have to this object. The Group or users box lists the objects with rights and the Permissions box describes the permissions the selected object has.
  • Attribute Editor (new tab in Windows Server 2008): In Windows Server 2008, Microsoft has borrowed from the ADSI Edit utility and added this tab, which allows you to directly manipulate all of the attributes associated with the selected object.

User Objects

User objects are, well, users! Users, after all, are the foundation of your organization.

When you right-click a User object and select Properties, you'll see the screen shown in Figure F.

Figure F

The Properties page for a user object.

Tabs on User objects include:

  • General: Displays general descriptive information about the user, including name, email address and primary telephone number.
  • Address: This tab displays postal addresses for the selected user.
  • Account: The Account tab holds detailed account information for the user, including the logon name for the user and, via the Logon Hours button on this tab, account restrictions. The Account options section gives you a way to force users to change their password at next logon, prevent them from changing passwords, require a Smart Card for logon, and enable delegation for the account. You'll also use this page if the account gets locked out due to logon failures. Microsoft has made it easy to unlock accounts by adding an "Unlock account" option to this tab.
  • Profile: The Profile tab holds fields that specify the paths to any logon scripts the user needs to access. You can also specify a path to the user's profile and home folder here.
  • Telephones: This tab serves as a repository for any telephone numbers you have for the user, including pagers, cell phones, and IP telephone numbers.
  • Organization: Don't confuse this tab with Active Directory's Organizational Unit object. Here, you'll place information about the user's company, including job title, department, and company name. You can also link the user to his or her manager's Active Directory object.
  • Terminal Services Profile: This tab is similar to the Profile tab, but this only controls profile information for the Terminal Services session, including home folder location.
  • COM+: You can assign the user to be part of a COM+ partition set here. COM+ partition sets allow users in a domain to access COM+ applications throughout the domain.
  • Attribute Editor (new tab in Windows Server 2008): In Windows Server 2008, Microsoft has borrowed from the ADSI Edit utility and added this tab, which allows you to directly manipulate all of the attributes associated with the selected object.
  • Security: This tab controls the Active Directory rights other objects have to this object. The Group or users box lists the objects with rights and the Permissions box describes the permissions of the selected object.
  • Environment: This tab controls the Terminal Services startup environment for the user.
  • Sessions: The information on the Sessions tab helps you control how the user interacts with Terminal Services, including how long a session stays connected and what happens if the user disconnects from the server.
  • Remote Control: This tab indicates whether a user's Terminal Server session can be remotely controlled. You can set options that allow you to establish view-only sessions or that allow interaction.
  • Published Certificates: This tab allows you to associate X.509 security certificates with the user.
  • Member Of: This tab lists the groups to which the user belongs. You can add or delete group membership here.
  • Password Replication (new tab in Windows Server 2008): The Password Replication tab holds a list of the Read-Only Domain Controllers that store cached versions of the user directory.
  • Dial-in: On the Dial-in tab, you'll decide whether or not users can remotely access the network, whether by dial-up or VPN. You can also set callback options for extra security.
  • Object: This tab displays information about the object including its name, when it was created, when it was last updated, and the Update Sequence Numbers for it. On this tab, you can also indicate that the object should be protected from accidental deletion.
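The Computer and User property tabs described above each surface a handful of settings that matter for security: the Delegation tab's trust options, the Account tab's password and lockout options, the Dial-in tab's access setting, the Operating System tab's version and service pack, and the Object tab's protection from accidental deletion. Reviewing them one object at a time in the GUI does not scale, so the following added example (not code from the article) queries the same settings for the whole domain. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT); the attribute names it uses are the ones the module exposes for these tabs.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). Each function covers one ADUC properties tab.
Import-Module ActiveDirectory

function Get-DelegationTrustReport {
    # Delegation tab: TrustedForDelegation is 'Trust this computer/user for delegation
    # to any service' (unconstrained); TrustedToAuthForDelegation is 'Use any
    # authentication protocol'. Domain controllers carry the first by design, so
    # the report marks them and lets you focus on everything else.
    $filter = 'TrustedForDelegation -eq $true -or TrustedToAuthForDelegation -eq $true'
    $computers = Get-ADComputer -Filter $filter -Properties TrustedForDelegation, TrustedToAuthForDelegation, OperatingSystem
    $users     = Get-ADUser     -Filter $filter -Properties TrustedForDelegation, TrustedToAuthForDelegation
    $all = @($computers) + @($users) | Where-Object { $_ -ne $null }
    foreach ($obj in $all) {
        New-Object PSObject -Property @{
            Name               = $obj.Name
            Class              = $obj.ObjectClass
            IsDomainController = ($obj.DistinguishedName -like '*,OU=Domain Controllers,*')
            Unconstrained      = [bool]$obj.TrustedForDelegation
            AnyProtocol        = [bool]$obj.TrustedToAuthForDelegation
        }
    }
}

function Get-AccountOptionReport {
    # Account tab: password options and lockout state for enabled users.
    $neverExpires  = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires
    $noPwdRequired = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNotRequired -eq $true'  -Properties PasswordNotRequired
    $lockedOut     = Search-ADAccount -LockedOut
    New-Object PSObject -Property @{
        PasswordNeverExpires = @($neverExpires  | Select-Object -ExpandProperty SamAccountName)
        PasswordNotRequired  = @($noPwdRequired | Select-Object -ExpandProperty SamAccountName)
        LockedOut            = @($lockedOut     | Select-Object -ExpandProperty SamAccountName)
    }
}

function Get-DialinAllowedUsers {
    # Dial-in tab: 'Allow access' stores msNPAllowDialin = TRUE on the user.
    # 'Control access through NPS Network Policy' leaves the attribute unset.
    Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
        Select-Object -ExpandProperty SamAccountName
}

function Get-OperatingSystemSummary {
    # Operating System tab: count computers per OS and service pack level.
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack |
        Group-Object OperatingSystem, OperatingSystemServicePack |
        Select-Object Count, Name | Sort-Object Count -Descending
}

function Get-UnprotectedOUs {
    # Object tab: 'Protect object from accidental deletion'. ADUC sets it when you
    # create an OU; OUs created by scripts or migration tools often lack it.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object -ExpandProperty DistinguishedName
}

'== Delegation settings (non-DC entries deserve a second look) =='
Get-DelegationTrustReport | Where-Object { -not $_.IsDomainController } |
    Format-Table Name, Class, Unconstrained, AnyProtocol -AutoSize
'== Account options =='
Get-AccountOptionReport | Format-List
'== Users with Dial-in set to Allow access =='
Get-DialinAllowedUsers
'== Operating systems =='
Get-OperatingSystemSummary | Format-Table -AutoSize
'== OUs not protected from accidental deletion =='
Get-UnprotectedOUs
```

The report is read-only. Any OU it lists can be fixed with Set-ADObject -ProtectedFromAccidentalDeletion $true, which is the same setting the Object tab's check box writes.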

Accomplishing common tasks with Active Directory Users and Computers

Now that you know your way around Active Directory Users and Computers, it's time to find out how to accomplish common administration tasks.

Create a new user

Right-click the container where you want the new user object to reside. Click New | User. Follow the prompts in the New Object - User screen to add information about the user such as logon name and user name. Click Next to see additional screens and enter appropriate information.

Create a new group

Right-click the container where you want the new group object to reside. Click New | Group. Follow the prompts in the New Object - Group screen to add information about the group such as group name and group type. For most groups you create, you'll create a Global Security group. Click OK to create the group.

Create a new container object

Right-click the domain or container where you want the new container object to reside. Click New | Organizational Unit. In the New Object - Organizational Unit screen, enter a unique name for your container. Click OK to create the container.

Make a user a member of a group

Right-click the user object. Select Add To A Group. When the Select Group window appears, type the name of the group in the Enter The Object Name To Select box and click Check Names. If you don't know the name, click Advanced. Click Find Now to display all groups. Select the group you want the user to belong to and click OK. Click OK again to close the Select Group window and finish.

Change a password

Right-click the user object. Select Reset Password. When the Reset Password screen appears, type the new password in the appropriate fields. To force a user to change a password immediately, select Users Must Change Password. Click OK.

Unlock an account

Right-click the user object. Select Properties. Click the Account tab. Remove the check from the Account Is Locked Out box.

Disable an account

Right-click the user object. Select Disable Account. Re-enable by right-clicking the user object and selecting Enable Account.

Move a user

Drag and drop the user to the target container.

Restrict logon times

Right-click the user object. Select Properties. Click the Account tab. Click Logon Hours. When the Logon Hours screen appears, select Logon Denied and click the time blocks when you don't want the user to log on.

Delete a group

Right-click the group object. Select Delete.

Delegate authority

Right-click the container object where you want to delegate tasks. Select Delegate Control. The Delegation Of Control Wizard appears. Follow the prompts on screen to add users or groups that you want to give control to and what powers you want to grant to those users or groups.

Allow users to use VPN

Right-click the user object. Select Properties. Click the Dial-in tab. Select Allow Access (or, if you have implemented Windows Server 2008's Network Access Protection, click Control access through NPS Network Policy). Click OK to close.

Make a change to a specific attribute for an object

Right-click the object. Select Properties. Click the Attribute Editor tab. Select the attribute that you want to modify. Click the Edit button. Make your change and click OK.
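Every one of the common tasks above, from creating a user through editing an attribute directly, can also be scripted. The following added example is not code from the article; it walks the same tasks in the same order with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT, not Windows Server 2008 RTM). The domain, the Sales and Engineering OUs, the SalesStaff group and the user jdoe are placeholders; the logonHours helper and its bit layout are the one place the script goes beyond the Logon Hours dialog, since the dialog hides the attribute's encoding.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). OU, group and user names are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName              # e.g. DC=corp,DC=example
$salesOu  = "OU=Sales,$domainDn"
$engOu    = "OU=Engineering,$domainDn"

# Create new container objects (Organizational Units), protected from accidental deletion
New-ADOrganizationalUnit -Name 'Sales'       -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Engineering' -Path $domainDn -ProtectedFromAccidentalDeletion $true

# Create a new group: Global scope, Security type, as the article recommends for most groups
New-ADGroup -Name 'Sales Staff' -SamAccountName 'SalesStaff' -GroupScope Global -GroupCategory Security -Path $salesOu

# Create a new user. The initial password is prompted for, so it never lives in the script.
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$($domain.DNSRoot)" -Path $salesOu `
    -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true

# Make a user a member of a group
Add-ADGroupMember -Identity 'SalesStaff' -Members 'jdoe'

# Change a password (Reset Password dialog) and require a change at next logon
$newPassword = Read-Host -Prompt 'New password for jdoe' -AsSecureString
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $newPassword
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Unlock an account (Account tab, 'Unlock account')
Unlock-ADAccount -Identity 'jdoe'

# Disable an account, then re-enable it
Disable-ADAccount -Identity 'jdoe'
Enable-ADAccount  -Identity 'jdoe'

# Move a user to another container (drag and drop in ADUC)
Move-ADObject -Identity (Get-ADUser -Identity 'jdoe').DistinguishedName -TargetPath $engOu

# Restrict logon times. logonHours is a 21-byte bitmask: 168 bits, one per hour,
# starting at Sunday 00:00, least significant bit first, expressed in UTC.
# The Logon Hours dialog displays the same mask shifted into the local time zone.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0 = Sunday .. 6 = Saturday
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour
            $index = [int][math]::Floor($bit / 8)
            $mask[$index] = [byte]($mask[$index] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    return ,$mask
}
# Permit Monday to Friday, 08:00 to 18:00 UTC; every other hour is 'Logon Denied'
$allowedHours = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 8 -EndHour 18
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $allowedHours }

# Make a change to a specific attribute (Attribute Editor tab), then read it back
Set-ADUser -Identity 'jdoe' -Replace @{ description = 'Sales analyst, moved to Engineering' }
Get-ADUser -Identity 'jdoe' -Properties description | Select-Object SamAccountName, description

# Delegate authority: the Delegation of Control Wizard writes access control entries
# on the container. Listing the non-inherited entries on the OU shows what has been
# delegated there, which is the check to run after the wizard and during audits.
Get-Acl -Path "AD:\$salesOu" | Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType

# Delete a group
Remove-ADGroup -Identity 'SalesStaff' -Confirm:$false
```

The cmdlets that create, move or delete objects all accept -WhatIf, which is the convenient way to rehearse the script before running it for real. The ACL listing at the end is deliberately read-only: writing delegation ACEs by hand is easy to get wrong, so the wizard remains the better tool for granting, and the script for verifying.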

Summary

Overall, Active Directory Users and Computers has made it to Windows Server 2008 with its feature set intact and with some new features to make life a bit easier for the harried network admin. In particular, the Attribute Editor tab is an extremely welcome addition to this most-used tool.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

1 comment

streetglow

How can I get a step-by-step tutorial on setting up a network?
