
Windows Server 2008 : Create Active Directory Objects

10/29/2010 7:26:10 PM
The creation of objects (computer, contact, group, OU, printer, user, and so on) can all be handled with the Active Directory Users and Computers tool. To open this tool, select Start, Administrative Tools, Active Directory Users and Computers. You then see a hierarchy of items under your domain.

Note that there are automatic containers in place (such as Computers and Users). You also see objects that were created automatically for you when you created the first DC. The computer that is the first DC becomes an object (for example, in the DCs built-in OU). As you add new DCs, they are automatically added. Computers you join to the domain go in the Computers container automatically. Users and groups—such as the Administrator account and various groups, such as the Enterprise Admins and Domain Admins security groups—already exist in the Users container.

Before you begin inadvertently creating new objects, it’s a good idea to consider an OU structure to put in place.

Design and Create an OU Structure

Creating an OU design is important when you first establish your Active Directory domain. Over time, your OUs may grow beyond your initial plan, but you should start things off right. Now, the matter of “right” is a matter of opinion. For example, you might create an OU structure based on location. Or perhaps on department. Or perhaps a combination of both. Each environment is a little different, so this requires some thought.

Let’s consider an example. Primatech is a company that has a main headquarters with four branch offices. Let’s say the offices are all under a single domain structure. In this case, you might create an OU based on each branch office location. However, if each branch has its own child domain, you might create departmental OUs within each domain.

In keeping with the first scenario, you could create OUs that relate to locations and then sub-OUs for individual departments. If it seems like a lot of planning and work, well...planning takes the majority of the time. Actually creating an OU once you have the design in place takes seconds.

To create an OU in Active Directory, perform the following steps:

1. Select Start, Administrative Tools, Active Directory Users and Computers.

2. Your first OU is at the domain level, so begin by right-clicking the domain name and then choosing New, Organizational Unit (as shown in Figure 1).

Figure 1. Creating an OU.

3. When you are asked for a name, provide the name and click OK.

You should see your OU in the hierarchy now, and it will stand out as being different from containers because the folder will have a little graphic inside.

Note

When creating an OU, you see the Protect Container from Accidental Deletion checkbox, which is enabled by default. Enabling this checkbox denies all administrators or users of the domain and DC the ability to delete this object.


Note

To create OUs within OUs, you simply right-click the OU you want to nest within and then select New, Organizational Unit. The console knows you are attempting to create the OU within that particular OU.
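The location-then-department design described above can also be scripted. The following is an added example, not part of the original article: it builds the tree with accidental-deletion protection turned on and then lists any OU where that protection is off. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); the domain DN, branch names and department names are constructed placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (Windows Server 2008 R2+ or RSAT).
Import-Module ActiveDirectory

# Constructed placeholders: replace with your own domain DN and OU names.
$domainDN    = 'DC=primatech,DC=example'
$locations   = 'Headquarters', 'Branch1', 'Branch2', 'Branch3', 'Branch4'
$departments = 'Sales', 'Engineering', 'Finance'

# Hypothetical helper: create an OU only if it is not already present directly
# under $Path, so the script can be re-run safely. Returns the OU's DN.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Same effect as leaving "Protect container from accidental deletion" ticked.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$Path"
}

# One OU per location at the domain level, one sub-OU per department inside it.
foreach ($loc in $locations) {
    $locDN = New-OUIfMissing -Name $loc -Path $domainDN
    foreach ($dept in $departments) {
        New-OUIfMissing -Name $dept -Path $locDN | Out-Null
    }
}

# Review: any OU without deletion protection (for example, one created by a
# script that did not set the flag).
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```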


Create Computer Objects

Typically, a computer object is created automatically if you add that computer to the domain manually at the workstation level. At that time, you are asked for the credentials necessary to accomplish the addition, and the computer is added to the Computers container. You can choose to move it from there to an OU at a later time.

However, you can also add computers to Active Directory ahead of time, but you need to be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group (or have been assigned the correct permissions). Adding computer objects prior to their deployment may facilitate the process when you are deploying many systems through an automated deployment across your organization.

Note

The concept of linking physical computers to computer account objects is called prestaging. (Prestaged clients are also referred to as known computers.) The benefits of prestaging include added security and greater flexibility.


To add a computer object, perform the following steps:

1. Select the domain or OU you want to add the computer to.

2. Right-click the domain/OU and then select New, Computer.

3. Provide a computer name (for peer connections) and a computer name (for legacy pre-Windows 2000).

4. Select a user or group. The default is Domain Admins.

5. Select the Pre-Windows 2000 Computer checkbox if applicable.

6. Click OK.

After the computer account is created, you can right-click the account and select Properties. You then see seven tabs you can work with to include further details regarding that account:

  • General: This tab provides mostly preset information regarding the name, DNS name, DC type, site, and a configurable description. (On DCs there is a button for NTDS options.)

  • Operating System: This is another tab that shows the OS name, version, and service pack.

  • Member Of: This tab indicates the groups or built-in security principals the computer belongs to.

  • Delegation: Delegation is a security-sensitive operation that allows services to act on behalf of another user. Options include trusting or not trusting the computer for delegation and combinations of trust for Kerberos only or specified services.

  • Location: On this tab, you can indicate the location of the system.

  • Managed By: Here you can configure the user or built-in security principal that manages this computer. If attributes are configured for the user (for example, office, street, city), those options are automatically displayed on this tab.

  • Dial-in: This tab offers a variety of important settings, as you can see in Figure 2. You can allow or deny or control network access permission. You can verify caller ID, set callback options, and assign static IP addresses and static routes.

Figure 2. Configuring computer dial-in properties.
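Prestaging and the Delegation tab can both be handled from PowerShell. The following is an added example, not part of the original article: it prestages one computer account in an OU and then reports which computer accounts carry any of the delegation settings described above, so they can be reviewed. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the computer name, OU path and the `Get-DelegationReport` helper are constructed for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (Windows Server 2008 R2+ or RSAT).
Import-Module ActiveDirectory

# Constructed placeholders: computer name and target OU.
$name = 'HQ-WKS-001'
$ou   = 'OU=Sales,OU=Headquarters,DC=primatech,DC=example'

# Prestage the account directly in its OU instead of the default Computers container.
if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
    New-ADComputer -Name $name -SamAccountName $name -Path $ou `
        -Description 'Prestaged for automated deployment'
}

# Hypothetical helper: map the attributes behind the Delegation tab to readable
# labels and return only computers that are trusted for some form of delegation.
function Get-DelegationReport {
    Get-ADComputer -Filter * -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', PrimaryGroupID |
    ForEach-Object {
        $targets = $_.'msDS-AllowedToDelegateTo'
        $mode = $null
        if ($_.TrustedForDelegation) {
            $mode = 'Any service (Kerberos only)'
        } elseif ($targets -and $_.TrustedToAuthForDelegation) {
            $mode = 'Specified services (any authentication protocol)'
        } elseif ($targets) {
            $mode = 'Specified services (Kerberos only)'
        }
        if ($mode) {
            New-Object PSObject -Property @{
                Name     = $_.Name
                Mode     = $mode
                Services = ($targets -join '; ')
                # Primary group 516 = Domain Controllers, 521 = Read-only DCs.
                # DCs are trusted for delegation by default, so flag them.
                IsDC     = (516, 521) -contains $_.PrimaryGroupID
            }
        }
    }
}

# Non-DC entries are the ones to justify or remove.
Get-DelegationReport | Sort-Object IsDC, Name |
    Format-Table Name, IsDC, Mode, Services -AutoSize
```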


Create User Objects

Ultimately, it all comes down to the user, doesn’t it? What is the point of setting up a directory service if a user cannot sit down at his system, type in a user name and password, and access the network? From the administrator’s perspective, it’s the fact that you can track, control, and enforce policy over users that gives Active Directory its true value. In either case, however, the user object must be created first.

To create a new user, you perform the following steps:

1. Select the domain, built-in users container, or specific OU and then right-click that element. Choose New, User.

2. In the New Object – User dialog shown in Figure 3, provide basic information such as first name, initials, last name, and full name. Also provide the user logon name and the domain it belongs to. The pre-Windows 2000 portion fills itself in when you put in the logon name. Make alterations to these items, if needed, and then click Next.

Figure 3. Creating a new user.

3. Create a password and confirm that password. Also choose any of the following four checkboxes, as necessary:

  • User Must Change Password at Next Logon

  • User Cannot Change Password

  • Password Never Expires

  • Account Is Disabled

After you’ve selected your options, click Next.

4. Review your options and create the user by clicking Finish.

After the new user is created, you can right-click the user and click Properties to see the many tabs with available properties to configure regarding a user. These are the tabs:

  • General: This tab allows you to include quite a bit of personal information regarding the person: name, description, office, telephone, e-mail address, and more.

  • Address: This tab allows you to provide the full address of the person, including city, state, zip, and country.

  • Account: This tab is an important one for administrators because you can configure items such as logon hours (to determine a set time when a person can log in), logon options (to establish which machines the individual can log on to), account options, and expiration date settings.

  • Profile: This tab allows you to configure the location of a computer profile (which includes items such as your wallpaper and personal settings that make up your unique profile) and logon script. It also allows you to determine the location of a home folder.

  • Telephones: This tab allows you to configure all the possible phone numbers a person might use (home, pager, mobile, fax, and IP phone) and also has a Notes section.

  • Organization: This tab contains the person’s job title, department, company, manager name, and a Direct Reports section.

  • Remote Control: This tab allows you to manually configure Terminal Services remote control settings. You can enable/disable, require the user’s permission, and specify a level of control.

  • Terminal Services Profile: You use this tab to configure the Terminal Services user profile, such as the profile path and home folder.

  • COM+: This tab allows you to configure a COM+ partition set for the user.

    Note

    COM+ partitions are a very specific set of COM components that are developed to work together for services such as queuing, role-based security, and so forth. Unless you have a need to configure multiple COM+ partitions, such as when you need to make two or more versions of an application available to users within your domain, you don’t typically need to worry about this feature.


  • Member Of: This tab indicates the groups a person belongs to or is a member of.

  • Dial-in: Much like this identical tab for computer properties, this tab allows you to configure a variety of settings, such as allow/deny or control network access permission. You can verify caller ID, set callback options, and assign static IP addresses and static routes.

  • Environment: You use this tab to configure the Terminal Services startup environment. You can configure a starting program and whether you want certain devices to be connected (drives, client/main printers).

  • Sessions: You use this tab to set Terminal Services timeout and reconnection settings.

Note

In the event that a user leaves the company and you aren’t certain about deleting the account right away, you can right-click the account and choose Disable Account (and, conversely, if the person returns, you choose Enable Account). You can also right-click an account and choose Reset Password if a user has lost her password. And if a user account has property settings you need to duplicate for other users you need to create, you can right-click the account and choose Copy. Finally, if you need to move a user or computer account from one container or OU to another, you can right-click the object(s) and choose Move.
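The New User wizard's checkboxes and the Disable Account and Move actions from the note above have direct PowerShell equivalents. The following is an added example, not part of the original article: it creates a user who must change the password at first logon, disables and moves a departed user's account, and lists accounts whose settings deserve periodic review. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the user details, OU paths (the parking OU must already exist) and the `Disable-DepartedUser` helper are constructed for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (Windows Server 2008 R2+ or RSAT).
Import-Module ActiveDirectory

# Constructed placeholders: OUs and user details.
$userOU    = 'OU=Sales,OU=Headquarters,DC=primatech,DC=example'
$parkingOU = 'OU=Disabled Users,DC=primatech,DC=example'

# Wizard steps 1-4: prompt for the password so it never appears in the script.
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@primatech.example' `
    -Path $userOU -AccountPassword $pw `
    -ChangePasswordAtLogon $true `
    -CannotChangePassword $false `
    -PasswordNeverExpires $false `
    -Enabled $true

# Hypothetical helper for the "user leaves the company" case: disable rather
# than delete, record when, and move the account out of the working OU.
function Disable-DepartedUser {
    param([string]$SamAccountName, [string]$TargetOU)
    $user = Get-ADUser -Identity $SamAccountName
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user `
        -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd')"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
}

# Example call (uncomment to use):
# Disable-DepartedUser -SamAccountName 'jdoe' -TargetOU $parkingOU

# Review 1: enabled users with Password Never Expires set.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate

# Review 2: disabled users still sitting outside the parking OU.
Search-ADAccount -AccountDisabled -UsersOnly |
    Where-Object { $_.DistinguishedName -notlike "*,$parkingOU" } |
    Select-Object Name, SamAccountName, DistinguishedName
```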
