The creation of objects (computer, contact, group, OU, printer, user, and so on) can all be handled with the tool Active Directory Users and Computers. To open this tool, select Start, Administrative Tools, Active Directory Users and Computers. You then see a hierarchy of items under your domain.
Note
Note that there are automatic containers in place (such as Computers and Users). You also see objects that were created automatically for you when you created the first DC. The computer that is the first DC becomes an object in the built-in Domain Controllers OU, and as you add new DCs, they are automatically placed there too. Computers you join to the domain go in the Computers container automatically. Users and groups, such as the Administrator account and the Enterprise Admins and Domain Admins security groups, already exist in the Users container.
Before you begin creating new objects, it's a good idea to consider an OU structure to put in place.
Design and Create an OU Structure
Creating an OU design is important when you first establish your Active Directory domain. Over time, your OUs may grow beyond your initial plan, but you should start things off right. Now, the matter of "right" is a matter of opinion. For example, you might create an OU structure based on location, or perhaps on department, or perhaps a combination of both. Each environment is a little different, so this requires some thought.
Let's consider an example. Primatech is a company that has a main headquarters with four branch offices. Let's say the offices are all under a single domain structure. In this case, you might create an OU based on each branch office location. However, if each branch has its own child domain, you might create departmental OUs within each domain.
In keeping with the first scenario, you could create OUs that relate to locations and then sub-OUs for individual departments. If it seems like a lot of planning and work, well...planning takes the majority of the time. Actually creating an OU once you have the design in place takes seconds.
To create an OU in Active Directory, perform the following steps:
1. Select Start, Administrative Tools, Active Directory Users and Computers.
2. Your first OU is at the domain level, so begin by right-clicking the domain name and then choosing New, Organizational Unit (as shown in Figure 1).
3. When you are asked for a name, provide the name and click OK.
You should see your OU in the hierarchy now, and it will stand out as being different from containers because the folder will have a little graphic inside.
Note
When creating an OU, you see the Protect Container from Accidental Deletion checkbox, which is enabled by default. Enabling this checkbox denies all users of the domain, administrators included, the ability to delete this object. The protection is a Deny permission on the object, so an administrator can still remove it by clearing the checkbox; it guards against accidents, not against a deliberate deletion.
Note
To create OUs within OUs, you simply right-click the OU you want to nest within and then select New, Organizational Unit. The console knows you are attempting to create the OU within that particular OU.
Create Computer Objects
Typically, a computer object is created automatically if you add that computer to the domain manually at the workstation level. At that time, you are asked for the credentials necessary to accomplish the addition, and the computer is added to the Computers container. You can choose to move it from there to an OU at a later time.
However, you can also add computers to Active Directory ahead of time, but you need to be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group (or have been assigned the correct permissions). Adding computer objects prior to their deployment may facilitate the process when you are deploying many systems through an automated deployment across your organization.
Note
The concept of linking physical computers to computer account objects is called prestaging. (Prestaged clients are also referred to as known computers.) The benefits of prestaging include added security and greater flexibility.
To add a computer object, perform the following steps:
1. Select the domain or OU you want to add the computer to.
2. Right-click the domain/OU and then select New, Computer.
3. Provide a computer name and the pre-Windows 2000 (legacy) computer name.
4. Select the user or group that can join this computer to the domain. The default is Domain Admins.
5. Select the Pre-Windows 2000 Computer checkbox if applicable.
6. Click OK.
After the computer account is created, you can right-click the account and select Properties. You then see seven tabs you can work with to include further details regarding that account:
General: This tab provides mostly preset information regarding the name, DNS name, DC type, site, and a configurable description. (On DCs there is a button for NTDS options.)
Operating System: This tab shows the OS name, version, and service pack.
Member Of: This tab indicates the groups or built-in security principals the computer belongs to.
Delegation: Delegation is a security-sensitive operation that allows services to act on behalf of another user. Options include trusting or not trusting the computer for delegation and combinations of trust for Kerberos only or for specified services. A computer trusted for delegation to any service can act as any user who authenticates to it, so this setting should be granted sparingly and reviewed regularly.
Location: On this tab, you can indicate the location of the system.
Managed By: Here you can configure the user or built-in security principal that manages this computer. If attributes are configured for the user (for example, office, street, city), those options are automatically displayed on this tab.
Dial-in: This tab offers a variety of important settings, as you can see in Figure 2. You can allow, deny, or control network access permission. You can verify caller ID, set callback options, and assign static IP addresses and static routes.
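Prestaging a computer account and reviewing the Delegation tab settings from the command line. This is an added example, not code from the original text; it assumes the ActiveDirectory module and Account Operators or Domain Admins rights, and the OU path and computer name are constructed sample values.

```powershell
# Added example: prestage a computer object, then audit delegation settings.
# Assumes the ActiveDirectory module; OU and computer names are constructed samples.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$targetOU = "OU=Engineering,OU=Branch-North,$domainDN"

# Prestage (a "known computer"): the object exists before the machine is built,
# so an automated deployment joins the machine to this account and OU.
New-ADComputer -Name 'BN-ENG-WS042' -SamAccountName 'BN-ENG-WS042$' -Path $targetOU `
               -Description 'Prestaged for automated deployment' -Enabled $true

# Delegation audit. The Delegation tab options map to these attributes:
#   any service (Kerberos only)                 -> TrustedForDelegation
#   specified services, any protocol            -> TrustedToAuthForDelegation
#   specified services, Kerberos only           -> msDS-AllowedToDelegateTo populated
$filter = "TrustedForDelegation -eq 'True' -or TrustedToAuthForDelegation -eq 'True' " +
          "-or msDS-AllowedToDelegateTo -like '*'"
$props  = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
          'msDS-AllowedToDelegateTo', 'PrimaryGroupID'

Get-ADComputer -Filter $filter -Properties $props | ForEach-Object {
    $mode = if ($_.TrustedForDelegation)           { 'Any service (unconstrained)' }
            elseif ($_.TrustedToAuthForDelegation) { 'Specified services, any protocol' }
            else                                   { 'Specified services, Kerberos only' }
    [pscustomobject]@{
        Name       = $_.Name
        # Domain controllers (primary group RID 516) are trusted for delegation by design
        IsDC       = ($_.PrimaryGroupID -eq 516)
        Delegation = $mode
        Services   = ($_.'msDS-AllowedToDelegateTo' -join '; ')
    }
} | Sort-Object IsDC, Name | Format-Table -AutoSize
```

Any non-DC entry reported as unconstrained is worth confirming with the system's owner, since that setting is rarely required for ordinary member computers.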
Create User Objects
Ultimately, it all comes down to the user, doesn't it? What is the point of setting up a directory service if a user cannot sit down at his system, type in a user name and password, and access the network? From the administrator's perspective, it's the fact that you can track, control, and enforce policy over users that gives Active Directory its true value. In either case, however, the user object must be created first.
To create a new user, you perform the following steps:
1. Select the domain, built-in Users container, or specific OU and then right-click that element. Choose New, User.
2. In the New Object - User dialog shown in Figure 3, provide basic information such as first name, initials, last name, and full name. Also provide the user logon name and the domain it belongs to. The pre-Windows 2000 portion fills itself in when you put in the logon name. Make alterations to these items, if needed, and then click Next.
3. Create a password and confirm that password. Also select any of the four checkboxes in the dialog, as necessary. After you've selected your options, click Next.
4. Review your options and create the user by clicking Finish.
After the new user is created, you can right-click the user and click Properties to see the many tabs with available properties to configure regarding a user. These are the tabs:
General: This tab allows you to include quite a bit of personal information regarding the person: name, description, office, telephone, e-mail address, and more.
Address: This tab allows you to provide the full address of the person, including city, state, zip, and country.
Account: This tab is an important one for administrators because you can configure items such as logon hours (to determine a set time when a person can log in), logon options (to establish which machines the individual can log on to), account options, and expiration date settings.
Profile: This tab allows you to configure the location of a computer profile (which includes items such as your wallpaper and personal settings that make up your unique profile) and logon script. It also allows you to determine the location of a home folder.
Telephones: This tab allows you to configure all the possible phone numbers a person might use (home, pager, mobile, fax, and IP phone) and also has a Notes section.
Organization: This tab contains the person's job title, department, company, manager name, and a Direct Reports section.
Remote Control: This tab allows you to manually configure Terminal Services remote control settings. You can enable/disable, require the user's permission, and specify a level of control.
Terminal Services Profile: You use this tab to configure the Terminal Services user profile, such as the profile path and home folder.
COM+: This tab allows you to configure a COM+ partition set for the user.
Note
COM+ partitions are a very specific set of COM components that are developed to work together for services such as queuing, role-based security, and so forth. Unless you have a need to configure multiple COM+ partitions, such as when you need to make two or more versions of an application available to users within your domain, you don't typically need to worry about this feature.
Member Of: This tab indicates the groups a person belongs to.
Dial-in: Much like the identical tab for computer properties, this tab allows you to configure a variety of settings, such as allow/deny or control network access permission. You can verify caller ID, set callback options, and assign static IP addresses and static routes.
Environment: You use this tab to configure the Terminal Services startup environment. You can configure a starting program and whether you want certain devices to be connected (drives, client/main printers).
Sessions: You use this tab to set Terminal Services timeout and reconnection settings.
Note
In the event that a user leaves the company and you aren't certain about deleting the account right away, you can right-click the account and choose Disable Account (and, conversely, if the person returns, you choose Enable Account). You can also right-click an account and choose Reset Password if a user has lost her password. And if a user account has property settings you need to duplicate for other users you need to create, you can right-click the account and choose Copy. Finally, if you need to move a user or computer account from one container or OU to another, you can right-click the object(s) and choose Move.
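The user creation steps and the Account tab options above, followed by the Disable, Reset Password, Copy, and Move operations from the Note, as PowerShell. This is an added example, not code from the original text; it assumes the ActiveDirectory module and account-management rights, and the OU paths, names, and UPN suffix are constructed sample values.

```powershell
# Added example: create a user with Account-tab settings, then perform the
# lifecycle operations the Note describes. OU paths and names are constructed samples.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Finance,OU=Headquarters,$domainDN"

# Prompt for the initial password instead of embedding it in the script
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

$newUser = @{
    Name                  = 'Jane Doe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = 'jdoe@primatech.local'
    Path                  = $ou
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true                     # "User must change password at next logon"
    AccountExpirationDate = (Get-Date).AddMonths(6)   # Account tab: account expires
    Enabled               = $true
}
New-ADUser @newUser

# Right-click, Copy: use an existing account's organizational attributes as a template
$template = Get-ADUser -Identity 'jdoe' -Properties Department, Title, Company
New-ADUser -Name 'John Roe' -GivenName 'John' -Surname 'Roe' -SamAccountName 'jroe' `
           -UserPrincipalName 'jroe@primatech.local' -Path $ou -Instance $template `
           -AccountPassword (Read-Host -Prompt 'Initial password for jroe' -AsSecureString) `
           -ChangePasswordAtLogon $true -Enabled $true

# Right-click, Disable Account / Enable Account: keep the object, block logons
Disable-ADAccount -Identity 'jdoe'
Enable-ADAccount  -Identity 'jdoe'

# Right-click, Reset Password: set a new password and force a change at next logon
Set-ADAccountPassword -Identity 'jdoe' -Reset `
    -NewPassword (Read-Host -Prompt 'New password for jdoe' -AsSecureString)
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Right-click, Move: relocate the account to another OU
Move-ADObject -Identity (Get-ADUser -Identity 'jdoe').DistinguishedName `
              -TargetPath "OU=Sales,OU=Branch-East,$domainDN"
```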