Administrivia Anyone? (Controlling Domains and Directories)


If you don't have sufficient tools available to manipulate and manage Active Directory, its power won't do you much good. Fortunately, not only does Windows Server 2003 come with a complete set of ready-made tools, but you can also write your own tools and scripts using the Active Directory Scripting Interface (ADSI).

The directory management console

As with everything else in Windows 2003, management of Active Directory is accomplished using a Microsoft Management Console (MMC) snap-in. The snap-in you'll use most often is the Active Directory Users and Computers snap-in (shown in Figure 12-2), which is what you use to create, manage, and delete everything from users to computers. It includes some of the features of the old User and Server Manager from Windows NT.

Figure 12-2: The Active Directory Users and Computers MMC snap-in.

To access the Active Directory Users and Computers snap-in, choose Start > Administrative Tools > Active Directory Users and Computers. When you first start the snap-in, you see your domain name (represented as a DNS domain name) at the top of the directory. You'll also notice several containers (known more commonly as folders). Some of these containers are built-in organizational units (OUs), which contain objects in a domain that are organized into logical containers, thus allowing finer segregation and control in a domain. Certain container objects appear in all typical Active Directory installations:

  • Builtin: By default, the details of the old Windows NT 4.0 groups, such as Administrators and Backup Operators.

  • Computers: The computer accounts that were managed using Windows NT's Server Manager. Computer objects in other organizational units are not listed in this container.

  • Domain controllers: A built-in organizational unit that contains all domain controllers.

  • Users: The default store for all domain users. Again, users in other organizational units are not listed.

In a fully functional domain, you'll find various organizational units, depending on the services you have installed and the organizational units you create.

Tip 

Everything is context driven in Windows Server 2003. This means that if you right-click an object or container, a menu specific to that object or container is displayed. This is much better than hunting through huge standard menus for options relevant to the chosen object.

Creating directory objects

Windows Server 2003 has tons of objects, such as computer, user, group, and shared folder objects. In this section, we concentrate on the creation of only the first two (computer and user objects) because the others are fairly intuitive and don't support many configuration options.

In a Windows NT 4.0 domain, it never took too much planning to create new user or computer objects. You just did it. In Windows Server 2003, however, you can't be quite so spontaneous. You first need to think about where you want to create such an object. Placement is important because, although you can still move objects around, it's much easier in the long run if you create an object in the correct location from the get-go. However, because you may not always have the time to plan and do it right the first time, you can always move the object later if you have to (just don't say we didn't warn you).

Tip 

Use OUs to help you organize your data into logical containers. First you create an OU for the various departments in your organization (for example, one for accounting, one for engineering, one for personnel, and so on). Then you can put all user and computer objects in a particular department in its OU. In addition, you can lighten your administrative load by assigning a person in each department the rights necessary to manage his or her OU and that OU only. Pretty nifty, huh?

You can create a user object in one of two places: in the default User/Computer container or in some organizational unit you or someone else has already created. If you delegate the ability to create objects, you can set it up so that the delegated users will be able to create objects in only one location or certain selected locations.

To create a user object, perform the following steps:

  1. Start Active Directory Users and Computers (Start > Administrative Tools > Active Directory Users and Computers).

  2. In Active Directory Users and Computers, right-click the container (such as Users) in which you want to create the user object and then choose New > User.

    The first page of the User Creation Wizard (the New Object - User dialog box) is displayed, as shown in Figure 12-3.

    Figure 12-3: The first page of the User Creation Wizard.

  3. Type the user's name and a logon name, and then click Next.

    The next page of the Wizard allows you to set the new password and the following options:

    • User must change password at next logon

    • User cannot change password

    • Password never expires

    • Account is disabled

  4. Make the appropriate selections, and then click Next.

    A summary of the proposed addition is displayed.

  5. Click Finish.

That's it; you've created a new user. You're probably thinking, "What about all the other user attributes, such as security features?" Well, you no longer define those settings during the creation of the user. After you create the user object, you right-click it and select Properties. The Properties dialog box for the user appears (as shown in Figure 12-4).

Figure 12-4: The Elvis A. Presley user object.

Each tab pertains to various aspects of the selected user object. These tabs vary depending on the Windows Server 2003 subsystems in use, on other back office applications such as Exchange Server or SQL Server, and even on what third-party software you might have installed.

Computer account creation is much simpler and doesn't bombard you with quite so many tabs. Again, in Active Directory Users and Computers, right-click the container in which you want to create the new computer object (such as Computers) and choose New > Computer. The New Object - Computer dialog box appears, as shown in Figure 12-5. You only have to type a computer name and select who can add the computer to the domain.

Figure 12-5: We're creating a new computer object named Fried-Banana-Sandwich.

Finding directory objects

Finding objects is one of Active Directory's greatest pluses. Using the Global Catalog, you can find an object anywhere in an enterprise forest by querying Active Directory.

You can search for anything - a user, a computer, even a printer - and you can search for many attributes. (The attributes presented vary depending on the type of object you're searching for.) For example, you can ask Active Directory to find the closest color-capable, double-sided printer at your site. You don't even have to tell Active Directory where you are. It figures that out automatically.

On a Windows Server 2003 system, there's a Search component that you can access from the Start menu (Start > Search). Under this menu, a number of options can be used to search for users, folders, and printers. The available options are as follows:

  • For Files or Folders

  • On the Internet

  • Find Printers

  • For People

For example, if you want to search for a color printer, you would choose Start > Search > Find Printers. There are three available tabs: Printers, Features, and Advanced. You would choose the Advanced tab because it allows you to specify that you're searching for a color printer. After you enter all your details, click Find Now and your results appear. In a large enterprise, many listings that meet your requirements may appear, so always try to be as specific and detailed as possible when performing a search.

A word on ADSI

Active Directory Scripting Interface (ADSI for short) allows you to manipulate the directory service from a script. You can use Java, Visual Basic, C, or C++ scripts. With ADSI, you can write scripts that automatically create users, including their setup scripts, profiles, and details.

If you need to manage a medium or large domain, you should learn ADSI. In the long run, it will save you a great deal of time and aggravation.

Search the Microsoft Web site at http://www.microsoft.com/windows/ for ADSI, and you'll find loads of great information (more than you would want!). Also check the Windows Server 2003 Resource Kit for details.
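
The user-creation steps from earlier in this section, scripted through ADSI, as an added example that is not from the book. It assumes Windows PowerShell is installed on a domain-joined machine; the function names, the OU path, and the example.com domain are hypothetical. The account is created disabled with "User must change password at next logon" set, so it can be enabled only when it is handed over.

```powershell
# Added example, not from the book. New-InitialPassword, New-DeptUser, the OU
# path and the example.com domain are assumed names for illustration.
$ADS_UF_ACCOUNTDISABLE = 0x0002   # wizard option "Account is disabled"
$ADS_UF_NORMAL_ACCOUNT = 0x0200   # ordinary user account

function New-InitialPassword {
    # 18 random bytes become 24 Base64 characters; the fixed suffix guarantees
    # a digit and a symbol for the password complexity policy.
    $bytes = New-Object byte[] 18
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes) + '-7'
}

function New-DeptUser {
    param(
        [Parameter(Mandatory=$true)][string]$OuPath,     # LDAP://OU=...,DC=...
        [Parameter(Mandatory=$true)][string]$FullName,
        [Parameter(Mandatory=$true)][string]$LogonName,
        [string]$UpnSuffix = 'example.com'
    )
    # Reject logon names that are too long or carry unexpected characters.
    if ($LogonName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Logon name '$LogonName' is not acceptable as a sAMAccountName"
    }
    # Escape characters that have a special meaning inside a distinguished name.
    $rdn = 'CN=' + ($FullName -replace '([,\\#+<>;"=])', '\$1')

    $ou   = [ADSI]$OuPath
    $user = $ou.Create('user', $rdn)
    $user.Put('sAMAccountName', $LogonName)
    $user.Put('userPrincipalName', "${LogonName}@${UpnSuffix}")
    $user.Put('displayName', $FullName)
    $user.SetInfo()                      # the object must exist before SetPassword

    $password = New-InitialPassword
    $user.SetPassword($password)
    $user.Put('pwdLastSet', 0)           # "User must change password at next logon"
    # Writing the full value keeps the account disabled and clears any
    # PASSWD_NOTREQD bit left on the freshly created object.
    $user.Put('userAccountControl', $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE)
    $user.SetInfo()

    return New-Object PSObject -Property @{ Path = $user.psbase.Path; InitialPassword = $password }
}

# Usage (constructed values):
# New-DeptUser -OuPath 'LDAP://OU=Accounting,DC=example,DC=com' -FullName 'Elvis A. Presley' -LogonName 'epresley'
```

Run it under an account that has been delegated create rights on that OU only, which matches the per-department delegation described in the Tip above.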



Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195
