Using the Active Directory Users And Computers Tool


Active Directory Users And Computers is the primary administration tool you'll use to manage Active Directory. You use this utility to handle all user, group, and computer-related tasks and to manage organizational units.

Starting Active Directory Users And Computers

You can start Active Directory Users And Computers by selecting its related option on the Administrative Tools menu (or by running dsa.msc). You can also add Active Directory Users And Computers as a snap-in to any console you're allowed to modify. To do that, follow these steps:

  1. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/Remove Snap-In dialog box.

  2. In the Standalone tab, click Add.

  3. In the Add Snap-In dialog box, click Active Directory Users And Computers, and then click Add. Then click Close and then OK.

Getting Started with Active Directory Users And Computers

By default, Active Directory Users And Computers works with the domain your computer is currently connected to. You can access computer and user objects in this domain through the console tree, as shown in Figure 7-1. However, if you can't find a domain controller or if the domain you want to work with isn't shown, you might need to connect to a domain controller in the current domain or a domain controller in a different domain. Other high-level tasks you might want to perform with Active Directory Users And Computers are viewing advanced options or searching for objects.

When you access a domain in Active Directory Users And Computers, you'll note that a standard set of folders is available. These folders are:

  • Saved Queries

    Contains saved search criteria so that you can quickly perform previously run Active Directory searches.

  • Builtin

    The built-in groups that ship with every domain, such as Administrators, Account Operators, and Backup Operators. (The built-in user accounts Administrator and Guest live in the Users container, not here.)

  • Computers

    The default container for computer accounts.

  • Domain Controllers

    The default container for domain controllers.

  • ForeignSecurityPrincipals

    Contains information on objects from a trusted external domain. Normally, these objects are created when an object from an external domain is added to a group in the current domain.

  • Users

    The default container for users.

Active Directory Users And Computers has advanced options that aren't displayed by default. To access these options, click View and then select Advanced Features. You now see additional folders:

  • LostAndFound

    Contains objects that have been orphaned, typically because they were created or moved into a container on one domain controller while that container was being deleted on another, so that after replication they have no parent. You can delete or recover them.

  • NTDS Quotas

    Contains directory service quota data.

  • Program Data

    Contains stored Active Directory data for Microsoft applications.

  • System

    Contains built-in system settings.

Organizational units that you create also appear as folders. In Figure 7-1, there are four organizational units in the domain.local domain: Customer Support, Engineering, Marketing, and Sales.

Figure 7-1. When you're working with Active Directory Users And Computers, you can access computer and user objects through the console tree.


Connecting to a Domain Controller

Connecting to a domain controller serves several purposes. If you start Active Directory Users And Computers and no objects are available, you can connect to a domain controller to access user, group, and computer objects in the current domain. You might also want to connect to a domain controller when you suspect replication isn't working properly and want to inspect the objects on a specific controller. Once you're connected, you'd look for discrepancies in recently updated objects.

To connect to a domain controller, complete the following steps:

  1. In the console tree, right-click Active Directory Users And Computers. Then select Connect To Domain Controller.

  2. You'll see the current domain and domain controller you're working with in the Connect To Domain Controller dialog box shown in Figure 7-2.

    Figure 7-2. Select a new domain controller to work with using the Connect To Domain Controller dialog box.


  3. The Available Controllers list box lists the available controllers in the domain. The default selection is Any Writable Domain Controller. If you select this option, you'll connect to the domain controller that responds to your request first. Otherwise, choose a specific domain controller to connect to. Click OK.

Connecting to a Domain

In Active Directory Users And Computers, you can work with any domain in the forest, provided you have the proper access permissions. You connect to a domain by completing the following steps:

  1. In the console tree, right-click Active Directory Users And Computers. Then select Connect To Domain.

  2. The Connect To Domain dialog box displays the current (or default) domain. Type a new domain name and then click OK. Or click Browse, and then select a domain in the Browse For Domain dialog box.
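The two connection dialog boxes above map directly onto the -Server parameter of the ActiveDirectory module cmdlets. The following is an added example, not code from the book, that does what the "Connecting to a Domain Controller" section suggests: it reads one object from every domain controller in the domain and flags a replication discrepancy. The domain name domain.local (from Figure 7-1) and the user name jsmith are assumptions.

```powershell
# Added example (not from the book): compare one object across all DCs.
Import-Module ActiveDirectory

$domain = 'domain.local'   # assumed, as in Figure 7-1
$sam    = 'jsmith'         # assumed account to compare

# Equivalent of Connect To Domain: -Server with a domain name lets any writable
# DC in that domain answer, exactly like "Any Writable Domain Controller".
$dcs = Get-ADDomainController -Filter * -Server $domain |
       Select-Object -ExpandProperty HostName

# Equivalent of Connect To Domain Controller: -Server with a host name pins
# every query to that one DC, so you see its copy of the object, not a merged view.
$views = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $sam -Server $dc -Properties Description, whenChanged
    [pscustomobject]@{
        DC          = $dc
        Description = $u.Description     # replicated attribute: must converge
        WhenChanged = $u.whenChanged     # maintained per DC: differs normally
    }
}
$views | Format-Table -AutoSize

# Compare only replicated attributes. whenChanged and uSNChanged are kept
# locally by each DC and will differ even when replication is healthy.
$distinct = @($views | ForEach-Object { [string]$_.Description } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "'$sam' differs across DCs: $($distinct -join ' | ')"
    # repadmin /showrepl gives the partner-by-partner replication status to chase next.
}
```

A disagreement that persists longer than the replication interval between the sites involved is the discrepancy the section describes; a difference seen seconds after a change is just replication latency.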

Searching for Accounts and Shared Resources

Active Directory Users And Computers has a built-in search feature that allows you to find accounts, shared resources, and other directory objects. You can easily search the current domain, a specific domain, or the entire directory.

You search for directory objects by completing the following steps:

  1. In the console tree, right-click the current domain or a specific container that you want to search. Then select Find. This opens a Find dialog box similar to the one shown in Figure 7-3.

    Figure 7-3. Use the Find dialog box to find resources in Active Directory.


  2. Use the Find selection list to choose the type of search. The options include:

    • Users, Contacts, And Groups: Search for user and group accounts, as well as contacts listed in the directory service

    • Computers: Search for computer accounts by type, name, and owner

    • Printers: Search for printers by name, model, and features

    • Shared Folders: Search for shared folders by name or keyword

    • Organizational Units: Search for organizational units by name

    • Custom Search: Perform an advanced search or LDAP query

    • Common Queries: Quickly search for account names, account descriptions, disabled accounts, nonexpiring passwords, and days since last logon

  3. Use the In selection list to choose the location to search. If you right-clicked a container, such as Computers, this container is selected by default. To search all objects in the directory, select Entire Directory.

  4. After you've typed your search parameters, click Find Now. As shown in Figure 7-4, any matching entries are displayed in the Find view. Double-click an object to view or modify its property settings. Right-click the object to display a shortcut menu that you can use to manage the object.

    Figure 7-4. Matching objects are displayed in the Find view, and you can manage them by right-clicking their entries.


Note

The search type determines which fields and tabs are available in the Find dialog box. In most cases you'll simply want to type the name of the object you're looking for in the Name field. But other search options are available. For example, with printers, you can search for a color printer, a printer that can print on both sides of the paper, a printer that can staple, and more.
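The Common Queries and Custom Search types above are the ones security reviewers use most, so here is an added example (not code from the book) that runs the same queries from the ActiveDirectory module, including the raw LDAP filter that a Custom Search would take. The search base DC=domain,DC=local and the 90-day inactivity threshold are assumptions.

```powershell
# Added example (not from the book): the Find dialog's Common Queries, scripted.
Import-Module ActiveDirectory
$searchBase = 'DC=domain,DC=local'   # assumed

# Common Queries > Disabled accounts
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $searchBase |
    Select-Object SamAccountName, DistinguishedName

# Common Queries > Non expiring passwords
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase $searchBase |
    Select-Object SamAccountName, DistinguishedName

# Common Queries > Days since last logon (90 here). This relies on
# lastLogonTimestamp, which replicates with a lag of up to 14 days; for an
# exact answer query lastLogon on every DC with -Server as in the earlier example.
Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly -SearchBase $searchBase |
    Select-Object SamAccountName, LastLogonDate

# Custom Search > Advanced: the LDAP filter behind the first two queries.
# userAccountControl is a bit field, so the bitwise-AND matching rule
# (OID 1.2.840.113556.1.4.803) is required; a plain equality test would not match.
# 0x2 = ACCOUNTDISABLE, 0x10000 (65536) = DONT_EXPIRE_PASSWD
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(|(userAccountControl:1.2.840.113556.1.4.803:=2)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl
```

Choosing Entire Directory in the In list corresponds to querying the global catalog (port 3268) rather than a single domain; the equivalent here is -Server with the :3268 suffix on a global catalog server and a search base of the forest root.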


Managing Computer Accounts

Computer accounts are stored in Active Directory as objects. You use them to control access to the network and its resources. You can add computer accounts to any container displayed in Active Directory Users And Computers. The best containers to use are Computers, Domain Controllers, and any organizational units that you've created.

Note

Microsoft Windows 95 and Microsoft Windows 98 computers access the network as Active Directory clients but don't have computer accounts. To learn more about accessing Active Directory domains, see the section entitled "Working with Active Directory Domains" in Chapter 6 , "Using Active Directory."


Creating Computer Accounts on a Workstation or Server

The easiest way to create a computer account is to log on to the computer you want to configure and join a domain as described in the section of this chapter entitled "Joining a Computer to a Domain or Workgroup." When you do this, the necessary computer account is created automatically and placed in the Computers folder or the Domain Controllers folder, as appropriate. You can also create computer accounts in Active Directory Users And Computers before you try to install the computer.

Creating Computer Accounts in Active Directory Users And Computers

Using Active Directory Users And Computers, you can create computer accounts by following these steps:

  1. In the Active Directory Users And Computers console tree, right-click the container into which you want to place the computer account.

  2. Click New and then click Computer. This starts the New Object - Computer Wizard shown in Figure 7-5. Type the client computer name.

    Figure 7-5. Create new computer accounts using the New Object - Computer Wizard.


  3. The wizard shows which user or group can join this computer to the domain using this account; by default, only members of Domain Admins can. To allow a different user or group to join the computer, click Change, and then use the Select User Or Group dialog box to select a user or group account. The wizard grants that account only the permissions it needs on this one computer object, not the ability to create other computer accounts.

    Note

    You can select any existing user or group account. This allows you to delegate the authority to join this computer account to the domain.


  4. Select Assign This Computer Account As A Pre-Windows 2000 Computer only if Windows NT systems must use this account. This option sets the account's initial password to a well-known value (the computer name in lowercase), which anyone who learns the name can use until the computer actually joins and changes the password, so leave it cleared otherwise.

  5. Click Next twice and then click Finish.
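The same precreation, done from PowerShell, makes the two security-relevant choices in the wizard explicit: the initial password and the delegation of who may join. The following is an added example, not code from the book. The computer name, the Engineering OU's distinguished name, and the group name are assumptions, and the four object-type GUIDs are the schema identifiers I know the wizard's Change button grants (Reset Password, the Account Restrictions property set, and the validated writes to DNS host name and service principal name); verify them against your schema if in doubt.

```powershell
# Added example (not from the book): precreate a computer account and delegate
# the join to one group, without the pre-Windows 2000 well-known password.
Import-Module ActiveDirectory

$computerName = 'WS-ENG-042'                          # assumed
$ouPath       = 'OU=Engineering,DC=domain,DC=local'   # assumed DN of the OU in Figure 7-1
$joinGroup    = 'Engineering Desktop Techs'           # assumed group

# Give the account a long random initial password instead of the well-known one.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADComputer -Name $computerName -SamAccountName ($computerName + '$') `
               -Path $ouPath -AccountPassword $password -Enabled $true

# Delegate the join on this object only (what the wizard's Change button does).
$computer = Get-ADComputer -Identity $computerName
$sid      = (Get-ADGroup -Identity $joinGroup).SID
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath

$rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'ExtendedRight'   # Reset Password
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'WriteProperty'   # Account Restrictions set
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Self'            # Validated write: DNS host name
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Self'            # Validated write: SPN
}
foreach ($guid in $rights.Keys) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$rights[$guid],
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $aclPath -AclObject $acl
```

Because the permissions land on the single computer object, the delegated group can finish the join for that machine but can't create or take over any other computer account, which is the property you want when handing desktop technicians a batch of precreated accounts.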

Viewing and Editing Computer Account Properties

You can view and edit computer account properties by completing the following steps:

  1. Start Active Directory Users And Computers. In the console tree, expand the domain node by clicking the plus sign (+) next to the domain name.

  2. Access the container or organizational unit in which the computer account is located.

  3. Right-click the account you want to work with, and then select Properties. This displays a properties dialog box that allows you to view and edit settings.

Deleting, Disabling, and Enabling Computer Accounts

If you no longer need a computer account, you can delete it permanently from Active Directory. Or you can temporarily disable the account and later enable it to be used again.

To delete, disable, or enable computer accounts, complete the following steps:

  1. On the Administrative Tools menu, start Active Directory Users And Computers by selecting it.

  2. In the console tree, click the container in which the computer account is located. Then right-click the computer.

  3. Select Delete to delete the account permanently; then confirm the deletion by clicking Yes.

  4. Select Disable Account to temporarily disable the account, and then confirm the action by clicking Yes. A red circle with an X on the account's icon indicates that the account is disabled.

  5. Select Enable Account to enable the account so that it can be used again.

    Tip

    If an account is currently in use, you might not be able to disable it. Try shutting down the computer or disconnecting the computer session in the Sessions folder of Computer Management.


Resetting Locked Computer Accounts

Computer accounts have passwords, just like user accounts. Unlike user account passwords, however, computer account passwords are managed and maintained automatically. The computer keeps its copy of the password locally (as an LSA secret) and uses it to establish a secure channel with a domain controller; the domain controller holds the matching value on the computer object in Active Directory. By default the computer changes this password every 30 days, updating its local copy and the directory copy together. If the two copies get out of sync, the secure channel fails, the computer won't be allowed to log on to the domain, and a domain authentication error is logged for the Netlogon service: event ID 3210 on the computer itself and event ID 5722 on the domain controller that rejected it.

If this happens, you'll need to reset the account by completing the following steps:

  1. On the Administrative Tools menu, start Active Directory Users And Computers by selecting it.

  2. In the console tree, click the container in which the computer account is located. Then right-click the computer account.

  3. Select Reset Account. If the account was reset successfully, you should see a confirmation dialog box. Click OK. Resetting from the console replaces the password stored in Active Directory with a default value that the computer doesn't know, so you must then rejoin the computer to the domain (see "Joining a Computer to a Domain or Workgroup" later in this chapter) before it can log on again.
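A console reset forces a rejoin because only the directory side is changed. On Windows 7 / Windows Server 2008 R2 and later, the secure channel can instead be checked and repaired from the affected computer, which resets both copies at once. The following is an added example, not code from the book; the domain controller name dc01.domain.local is an assumption, and it runs in an elevated session on the member computer.

```powershell
# Added example (not from the book): find the Netlogon events the text mentions,
# test the secure channel, and repair it without a rejoin.
$since = (Get-Date).AddDays(-7)

# Event 3210 is logged on the member; event 5722 on the domain controller.
$local = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210; StartTime = $since
} -ErrorAction SilentlyContinue
$onDc  = Get-WinEvent -ComputerName 'dc01.domain.local' -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722; StartTime = $since
} -ErrorAction SilentlyContinue
$local + $onDc | Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, Id, Message | Format-List

# $false means the locally stored machine password no longer matches the
# directory copy, the condition the section describes.
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $ok"

# Repair sets a fresh password on both sides. The credential must be allowed to
# reset this computer object's password (Domain Admins, or a principal delegated
# Reset Password on the object, as in the precreation example earlier).
if (-not $ok) {
    $cred = Get-Credential -Message 'Account permitted to reset this computer account'
    $repaired = Test-ComputerSecureChannel -Repair -Server 'dc01.domain.local' -Credential $cred
    "Repair result: $repaired"
}
```

The repair path is preferable whenever the computer is still reachable, because it never leaves the account with a known default password and doesn't require a reboot; reserve the console's Reset Account for machines you're going to rebuild or rejoin anyway.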

Moving Computer Accounts

Computer accounts are normally placed in the Computers container, the Domain Controllers container, or an organizational unit you've created. You can move an account to a different container by dragging it in Active Directory Users And Computers: select the computer account, hold down the left mouse button, drag the account to the new location, and then release the button.

The following steps list another technique you can use to move computer accounts:

  1. On the Administrative Tools menu, start Active Directory Users And Computers by selecting it.

  2. In the console tree, click the container in which the computer account is located.

  3. Right-click the computer account you want to move, and then select Move. This displays the Move dialog box shown in Figure 7-6.

  4. In the Move dialog box, click the domain node and then click the container to which you want to move the computer. Click OK.

    Figure 7-6. Move computer accounts to different containers using the Move dialog box.


Managing Computers

As the name indicates, you use Computer Management to manage computers. When you're working with Active Directory Users And Computers, you can open Computer Management and connect to a specific computer directly by right-clicking the computer entry and selecting Manage on the shortcut menu. This launches Computer Management and automatically connects to the selected computer.

Joining a Computer to a Domain or Workgroup

Joining a computer to a domain or workgroup allows a Windows NT, Windows 2000, Microsoft Windows XP, or Windows Server 2003 computer to log on and access the network. Windows 95 and Windows 98 computers don't need computer accounts and don't join the network using this technique. With Windows 95 and Windows 98, you must configure the computer as an Active Directory client. For details, see the section of Chapter 6 entitled "Installing Active Directory Clients."

Before you get started, make sure that networking components are properly installed on the computer. These should have been installed during the setup of the operating system. You might also want to refer to Chapter 16 , "Managing TCP/IP Networking," for details on configuring Transmission Control Protocol/Internet Protocol (TCP/IP) connections. TCP/IP settings must be correct and permit communications between the computer you're configuring and a controller in the domain. If Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), and DNS are properly installed on the network, workstations don't need to be assigned a static IP address or have a special configuration. The only requirements are a computer name and a domain name, which you can specify when joining the domain.

Real World

Windows Server 2003 automatically grants the Add Workstations To The Domain user right to the implicit group Authenticated Users. This means that any user who has authenticated to the domain can add workstations to it without needing administrative privileges. However, as a security precaution, the number of workstations any such user can add to the domain is limited to 10. If an Authenticated User exceeds this limit, an error message is displayed. For Windows NT workstations this message states The Machine Account For This Computer Either Does Not Exist Or Is Unavailable. For Windows 2000 and Windows XP workstations, this message states Your Computer Could Not Be Joined To The Domain; You Have Exceeded The Maximum Number Of Computer Accounts You Are Allowed To Create In This Domain. Although you can use the Ldp.exe tool from the Windows Server 2003 Support Tools to raise the limit (the ms-DS-MachineAccountQuota attribute on the domain object), this isn't a good security practice: it widens the number of computer objects an ordinary user can create. A better technique, and the appropriate one where security is a concern, is to precreate the necessary computer account or to grant the user the Create Computer Objects permission on the organizational unit where the accounts belong.
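The quota the sidebar describes can be audited rather than just tolerated. The following is an added example, not code from the book: it reads the quota, lists the computer objects that were created through it (Active Directory records the creator's SID in mS-DS-CreatorSID only when an account is created under the quota rather than by a principal that holds Create Computer Objects), and then sets the quota to zero so that only the precreation and delegation paths the sidebar prefers remain. The domain name is an assumption, and the final step is a policy change that should go through your change process.

```powershell
# Added example (not from the book): audit and close the machine-account quota.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain -Server 'domain.local').DistinguishedName   # domain assumed

# 1. Current quota (10 by default).
$dom   = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $dom.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Computer objects created under the quota carry the creator's SID.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }   # creator may since have been deleted
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# 3. Remove the implicit grant so only precreated accounts or explicit
#    Create Computer Objects delegation can add machines.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

A non-empty list from step 2 is worth reviewing one entry at a time: each is a machine account whose creator, an ordinary user, still controls its password until the computer was actually joined.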

During installation of the operating system, a network connection was probably configured for the computer. Or you might have previously joined the computer to a domain or workgroup. If so, you can join the computer to a new domain or workgroup by completing the following steps. (The steps for configuring Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows Server 2003 are nearly identical.)

  1. Log on to the workstation or server you want to configure.

  2. Access Control Panel and then double-click System. In the System Properties dialog box, select the Computer Name tab as shown in Figure 7-7.

    Figure 7-7. Use the Computer Name tab to change properties or reconfigure the network ID.


  3. Click Change.

  4. To rename the computer, type a new name in the Computer Name field, such as Zeta.

  5. To join a new domain, in the Member Of panel select Domain and then type the domain name, either the NetBIOS name, such as SEATTLE, or the DNS name, such as seattle.microsoft.com.

  6. To join a new workgroup, in the Member Of panel select Workgroup and then type the workgroup name, such as TestDevGroup.

  7. If you made changes, click OK. When prompted, type the name and password of a user account that's permitted to join computers to the domain: a member of Domain Admins, a user delegated Create Computer Objects on the target organizational unit, or, within the limit described in the preceding Real World sidebar, any authenticated domain user. Click OK again.

  8. The changes are made and a new computer account is created, as necessary. If the changes are successful, you'll see a confirmation dialog box to this effect. Click OK to reboot the computer.

  9. If the changes are unsuccessful, you'll see either a message informing you that they're unsuccessful or a message telling you that an account with that name already exists. This problem can occur when you're renaming a computer that's already joined to a domain and has active sessions in that domain. Close applications that might be connecting to the domain, such as Windows Explorer accessing a shared folder over the network. Then repeat this process.

    Tip

    If you have problems joining a domain, ensure that the computer you're configuring has the proper networking configuration. Client For Microsoft Networks and TCP/IP must be installed, and the TCP/IP properties must point at a DNS server that can resolve the domain's locator records (the _ldap._tcp.dc._msdcs SRV records); the join finds a domain controller through those records, so a wrong DNS server setting is the most common cause of a failed join.
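Steps 1 through 8, together with the checks this tip calls for, can be run from an elevated PowerShell session on the computer being joined. The following is an added example, not code from the book; the domain name reuses seattle.microsoft.com from step 5 and Zeta from step 4, while the domain controller name it discovers and the target organizational unit are assumptions.

```powershell
# Added example (not from the book): preflight the DNS and port requirements,
# then join, rename, and place the account in one step.
$domain  = 'seattle.microsoft.com'                            # DNS name, as in step 5
$newName = 'Zeta'                                             # as in step 4
$ou      = 'OU=Engineering,DC=seattle,DC=microsoft,DC=com'    # assumed

# The join locates a DC through this SRV record; if the lookup fails the
# DNS client settings are wrong and the join will fail the same way.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
"Locator record points at $dc"

# Kerberos, LDAP and SMB must all be reachable on that DC for the join to complete.
foreach ($port in 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $dc, $port, $t.TcpTestSucceeded
}

# Steps 3 through 8: prompt for the credential rather than embedding it, rename,
# join, put the account in the chosen OU instead of the default Computers
# container, and reboot (-Restart) as the confirmation dialog box would.
$cred = Get-Credential -Message "Account permitted to join computers to $domain"
Add-Computer -DomainName $domain -NewName $newName -OUPath $ou -Credential $cred -Restart

# Step 6, joining a workgroup instead, is the same cmdlet:
# Add-Computer -WorkgroupName 'TestDevGroup' -Restart
```

If -OUPath is given, the credential must be allowed to create computer objects in that OU (or the account must already be precreated there); the Authenticated Users quota only covers creation in the default Computers container.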




Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
Year: 2003
Pages: 141