Step-by-Step Guide to Managing the Active Directory


Document Change Control Table

Version Number / Date of Issue / Author(s) / Brief Description of Change(s)
1.00 / 2/10/04 / D. Aragon / Initial Version
1.01 / 5/12/04 / D. Aragon / Added section on user profiles.
1.02 / 5/21/04 / D. Aragon / Added Document Control Table and Table of Contents.
1.03 / 7/26/04 / D. Aragon / Added security warning and corrected several typos.
1.04 / 3/15/07 / D. Aragon / Updated guide to reflect procedures for Windows Server 2003 Active Directory FFL.

Table of Contents

Introduction

Prerequisites

In this Step-by-Step Guide

Using the Active Directory Users and Computers Snap-in tool

Recognizing Active Directory Objects

Adding an Organizational Unit

Creating a Computer Object

Adding a Computer to the Domain

Managing Computer Objects

Managing a Remote Computer

Creating a Group

Adding a User to a Group

Nested Groups

Creating Nested Groups

Finding Specific Objects

Filtering a List of Objects

Writing a Group Policy Object

Create a Group Policy Object

Edit a Group Policy Object

Use an ADM file to create a GPO

Publishing a Shared Folder

To publish the shared folder in the directory

To browse the directory

Publishing a Printer

Windows 2000 Printers

To add a new printer

To locate a printer

Adding Non-Windows 2000 Printers

To use the Active Directory Users and Computers snap-in to publish printers

Folder Redirection

Let the system create folders for each user

Use offline folder settings on the server share where the user's info is stored

Policy removal considerations

Offline Folders Tips and Tricks

User profiles overview

Advantages of using user profiles

User profile types

Contents of a user profile

NTuser.dat file

All Users folder

To copy a user profile

To create a preconfigured user profile

User Profiles and Roaming User Profiles Tips and Tricks

Attachments:

Creating a Local User Account

To create a new local user account



Introduction

ITR, in conjunction with TSAG members, has been tasked with implementing the policies and managing the top level (root) organizational unit (OU), along with implementing TSAG-approved changes to the schema and to the top level (root) Group Policy Object (GPO). Because local autonomy of the individual colleges and organizations represented at the first level OU is desired, local administration of these OUs will fall on TSAG members or their appointed representatives. This guide is provided to TSAG members as an introduction to the administration of the Active Directory service and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and alter the properties of objects such as users, contacts, groups, servers, printers, and shared folders. It is available for download as part of the Active Directory administrative tools from the Active Directory web site ( The Active Directory administrative tools can only be used from a computer with access to a domain.

Prerequisites

This document is based on the following documents and web pages:

Step-by-Step How-To-Guide to the Common Infrastructure for Windows 2000 Server Deployment,

Part One:

Part Two: and

This document assumes you are familiar with Windows 2003 or Windows XP and that you have Administrative authority for your OU (i.e. you have an “a under-bar” account).

In this Step-by-Step Guide

Common Administrative Tasks

  • Adding an Organizational Unit
  • Creating a Computer Object
  • Adding a Computer to the Domain
  • Creating Groups and Adding Members to Groups
  • Creating or Editing a Group Policy Object

Advanced Administrative Tasks

  • Publishing shared network resources, such as shared folders and printers
  • Renaming, Moving, and Deleting Objects
  • Creating Nested Groups
  • Using Filters and Searches to retrieve objects
  • Folder Redirection

Additional Useful Information

  • Policy Removal Considerations
  • Offline Folder Tips and Tricks
  • User Profile Overview
  • User Profiles and Roaming User Profiles Tips and Tricks

Attachments

  • Creating a User Account
  • Group Policy Object Settings Explanation
  • Root Group Policy Object settings
  • Blank Group Policy Object Worksheet

Using the Active Directory Users and Computers Snap-in tool

Note: / For security reasons, direct access to the Domain Controllers is prohibited. Maintenance of objects can only be performed through the Users and Computers snap-in.
Note: / If you have not done so already, install the Administrative Package found on the Active Directory Administration Web Site ( Download and install the correct administrative package for your operating system (admin2k.exe for Windows 2000 or adminxp.exe for Windows XP or Windows Server 2003). This will install the proper snap-in referenced in this section.
  1. To start the Active Directory Users and Computers snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand csun.edu by clicking the +.
  3. Figure 1 below displays the key components of the Active Directory Users and Computers snap-in for csun.edu.

Figure 1 The Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

Icon / Folder / Description
/ Domain / The root node of the snap-in represents the domain being administered.
/ Default Computers / Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003–based computers that join our domain incorrectly. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. Computers in this folder will display a message to the user at logon, warning them the computer is in the wrong location, and to notify their IT Tech to move it. You must get an Active Directory Enterprise Administrator to move these objects.
/ System / Contains Active Directory systems and services information.
/ Auth/People / Contains all the users in the domain. Like computer objects, user objects can be moved; however, this causes them to become out of sync with the enterprise, and therefore moving a user object is not allowed.
/ Users / Contains all the user types in the domain.

You can use Active Directory to create the following objects.

Icon / Object / Description
/ User / A user object is an object that is a security principal in the directory. A user can log on to the network with these credentials and access permissions can be granted to users.
/ Contact / A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail.
/ Computer / An object that represents a computer on the network. For Windows NT-based workstations and servers, this is the machine account.
/ Organizational Unit / Organizational units are used as containers to logically organize directory objects such as users, groups, and computers in much the same way that folders are used to organize files on your hard disk.
/ Group / Groups can have users, computers, and other groups. Groups simplify the management of large numbers of objects.
/ Shared Folder / A shared Folder is a network share that has been published in the directory.
/ Shared printer / A shared printer is a network printer that has been published in the directory.

Adding an Organizational Unit

This procedure creates an organizational unit (OU) in the CSUN domain.

Note: / You can create nested organizational units and there is no limit to the nesting levels, though Microsoft suggests that nesting more than five levels deep might slow the logon process.

These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment". For your own organization, add the OUs under your organizational OU contained within the csun.edu Active Directory forest.

Note: / You are not allowed to add a first level OU. Unauthorized first level OUs will be deleted without warning.
  1. Click the + next to your OU to expand it.
  2. Right-click the location you wish to insert the new OU under.
  3. Point to New and click Organizational Unit. Type the name of your new organizational unit. Click OK.
  4. Repeat steps 2 and 3 above to create additional organizational units, as needed.

For example, the screen shot in Figure 2 shows:

Organizational unit ITR under csun.edu.

Organizational unit Network Engineering & Operations under the ITR organizational unit.

Organizational units Computers and Groups Network Administration and Operations under the Network Engineering & Operations organizational unit. (To do this, right-click Network Engineering & Operations, point to New, and then click Organizational Unit.)

Click Network Engineering & Operations so that its contents display in the right pane.

When you are finished, you should have a hierarchy similar to Figure 2 below:

Figure 2 New OUs
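The same hierarchy can be built from a script instead of by right-clicking in the snap-in. The following is an added example, not part of the original guide, using the ActiveDirectory PowerShell module (RSAT). It assumes you run it with your a_account, that your organizational OU is ITR (substitute your own first level OU), and that OU names contain no commas other than those the helper escapes.

```powershell
# Added example (not part of the original guide): build the OU hierarchy shown in
# Figure 2 with the ActiveDirectory PowerShell module.
# Assumptions: RSAT is installed, you are running as your a_account, and
# "OU=ITR,DC=csun,DC=edu" already exists (first level OUs are created by ITR only).
Import-Module ActiveDirectory

$parent = "OU=ITR,DC=csun,DC=edu"   # your organizational OU (assumed)

# Child OUs to create, written as paths relative to $parent, parents before children.
$ouPaths = @(
    "Network Engineering & Operations",
    "Network Engineering & Operations/Computers",
    "Network Engineering & Operations/Groups Network Administration and Operations"
)

function Get-OuDistinguishedName {
    param([string]$RelativePath, [string]$Root)
    # "A/B/C" -> "OU=C,OU=B,OU=A,<Root>"; a comma inside an OU name is escaped as "\,"
    $parts = $RelativePath -split '/'
    [array]::Reverse($parts)
    $rdns = $parts | ForEach-Object { "OU=" + ($_ -replace ',', '\,') }
    return ($rdns -join ',') + ',' + $Root
}

foreach ($path in $ouPaths) {
    $segments = $path -split '/'
    $name     = $segments[-1]
    $parentDn = if ($segments.Count -gt 1) {
        Get-OuDistinguishedName -RelativePath ($segments[0..($segments.Count - 2)] -join '/') -Root $parent
    } else {
        $parent
    }
    $dn = "OU=" + ($name -replace ',', '\,') + "," + $parentDn

    # Idempotent: an OU that already exists is reported and skipped, not recreated.
    try {
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
        Write-Host "Exists:  $dn"
        continue
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Protecting the container keeps a stray right-click Delete from removing it
        # together with every computer and group object underneath it.
        New-ADOrganizationalUnit -Name $name -Path $parentDn -ProtectedFromAccidentalDeletion $true
        Write-Host "Created: $dn"
    }
}
```

Run it once to create the structure and again to confirm it reports every OU as existing; because it never creates at the first level, it respects the rule above that first level OUs are reserved for ITR.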

Creating a Computer Object

A computer object is created automatically when a computer joins a domain; however, this places the computer object in the (first level) OU = Default Computers. Additionally, a warning pops up on the computer whenever someone logs into the machine, stating that the system is in the wrong location and to contact his or her local IT Tech staff or UHD to have it moved. To get it out of this OU and into your OU requires an Active Directory Enterprise Administrator to move it for you. A better method is for you to create the computer object before the computer joins the domain, so that it joins in the correct OU.

Note: / There are no unified object naming conventions employed at CSUN; however, object naming should be standardized within your OU to enable the rapid and correct identification of each object within your organization.
Note: / Each object name must be unique within the entire Active Directory.
Note: / To view the name of the computer you plan to add to Active Directory:

To view the computer's name in Windows 2000
  1. Right-click My Computer.
  2. Click Properties.
  3. In the panel on the left side, click the Network Identification link.
  4. The computer name is shown as Full Computer Name (use the portion preceding .csun.edu if it is present). For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.

To view the computer's name in Windows XP
  1. Right-click My Computer.
  2. Click Properties.
  3. Click the Computer Name tab.
  4. The computer name is shown as Full Computer Name (use the portion preceding .csun.edu if it is present). For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.

Figure 3 Computer Name

Using the previous structure as an example, if we wanted to add a computer named GDUHON to the Computers OU under the Network Engineering & Operations OU, we would complete the following tasks:

Note: / Naming a computer with the name of its primary user may present an unnecessary security risk: it alerts anyone snooping on the network to the identity of the user of a particular machine, which can make that machine the target of a directed attack. From a security standpoint, it is better to give the computers in your OU less identifying names.
  1. Right-click the Computers organizational unit under the Network Engineering & Operations OU, point to New, and then click Computer.
  2. Type in the computer name: GDUHON.
  3. You can manage this computer in the Active Directory Users and Computers snap-in, by right clicking the computer object, and then clicking Manage.
  4. Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.
  5. Once the object is created, right-click it and select the Security tab. Ensure that your a_account is not present; if it is, remove it. Also ensure that your administrative group is listed; if it isn't, add it. Not doing this could restrict your administrative control of this object.

Note: / If you cannot see the Security tab, from the top line menu select View and select Advanced Features.

Figure 4 Adding a New Computer
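Steps 1, 2 and 5 above can also be performed, and the ACL check made repeatable, with the ActiveDirectory PowerShell module. This is an added example, not the guide's own procedure: it pre-stages GDUHON in the Computers OU from the ITR example, then inspects the object's security descriptor for the two conditions step 5 describes. The group name ITR-Admin and the a_account name are assumptions; substitute your own. The full control granted to the administrative group is also an assumption about what "administrative control" should mean in your OU.

```powershell
# Added example (not from the original guide): pre-stage a computer object in your
# Computers OU and then check its ACL as step 5 of the guide instructs.
# Assumptions: ActiveDirectory module, an account with rights on the OU, and the
# OU, group and account names below (ITR example from the guide; adjust to your OU).
Import-Module ActiveDirectory

$computerName = "GDUHON"                  # name used in the guide's example
$ouDn         = "OU=Computers,OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu"
$adminGroup   = "CSUN\ITR-Admin"          # assumed: your OU's administrative group
$myAccount    = "CSUN\a_jdoe"             # placeholder for your own a_account

# Create the object in the correct OU so the later domain join lands here rather
# than in Default Computers.
New-ADComputer -Name $computerName -Path $ouDn
$computer = Get-ADComputer -Identity $computerName
$aclPath  = "AD:\" + $computer.DistinguishedName

$acl = Get-Acl -Path $aclPath

# Condition 1: no explicit entry for your personal a_account. The creator of an
# object is often granted rights on it, which ties the object to one person.
$mine = $acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $myAccount
}
foreach ($ace in $mine) {
    [void]$acl.RemoveAccessRule($ace)
    Write-Host "Removed explicit ACE for $myAccount ($($ace.ActiveDirectoryRights))"
}

# Condition 2: your administrative group is listed. If not, add it (full control is
# an assumption; narrow it if your OU uses a more specific delegation).
$hasAdmin = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $adminGroup }
if (-not $hasAdmin) {
    $sid  = (New-Object System.Security.Principal.NTAccount($adminGroup)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Write-Host "Added full-control ACE for $adminGroup"
}

Set-Acl -Path $aclPath -AclObject $acl

# Show the resulting explicit (non-inherited) entries for the record.
(Get-Acl -Path $aclPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

Because the script reads the ACL back after writing it, you can run it against an existing computer object (skip the New-ADComputer line) to audit objects created earlier through the snap-in; the View > Advanced Features setting that hides the Security tab in the GUI has no effect on Get-Acl.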

Adding a Computer to the Domain

After creating a computer object, but prior to first use, a computer must be physically joined to the domain. This process ensures that the appropriate policies are applied. The first step in this process is to ensure that the local computer's clock is synchronized with the network.

Note: / It is important to create the computer object in Active Directory prior to joining the computer to the domain. If there is no object in Active Directory for the computer to join to, an object will be created automatically and placed in OU = computers. You must then contact one of the e_account holders or a member of the ITR-Admin group to move it to its correct location.
  1. Open up a command window (Select Start, select Run and type cmd in the text box)
  2. At the prompt, type: net time /setsntp:ntp.csun.edu
  3. You should get a response that states: The command completed successfully.
  4. Type: net stop w32time
  5. You should get a response that states: The Windows Time service was stopped successfully.
  6. Type: net start w32time
  7. You should get a response that states: The Windows Time service was started successfully.
  8. Close the command window.

Now join the computer to the domain

  1. Right-click My Computer and select Properties.
  2. In Windows 2000, select Network Identification followed by Properties; in Windows XP, select Computer Name followed by Change.
  3. Select Member of Domain and enter csun.edu or just csun.
  4. You will be prompted to enter your username and password; use your a_account name and password to authenticate your authority to perform this action.
  5. If successful, you will receive a notice welcoming you to the domain and informing you to reboot the system.
  6. Reboot the system.
  7. Users may now log on to the csun domain.
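The two procedures above (clock synchronization, then the join) can be run as one script from an elevated PowerShell session on the workstation. This is an added example, not the guide's commands: the guide's net time /setsntp switch no longer exists on current Windows versions, so the script uses w32tm, the supported tool for configuring the Windows Time service, to point at ntp.csun.edu (the server named in the guide). It assumes the computer object was pre-staged in your OU as described in the previous section, so no OU path is passed to the join.

```powershell
# Added example (not from the original guide): synchronize the clock and join
# csun.edu from an elevated PowerShell session on the workstation being joined.
# Assumptions: ntp.csun.edu (from the guide) is reachable, the computer object was
# pre-staged in your OU, and you authenticate with your a_account.
$ntpServer = "ntp.csun.edu"
$domain    = "csun.edu"

# The guide's "net time /setsntp:ntp.csun.edu" is replaced here by w32tm, which
# configures the same Windows Time service peer on current Windows versions.
& w32tm /config /manualpeerlist:$ntpServer /syncfromflags:manual /update | Out-Null

# Same effect as "net stop w32time" followed by "net start w32time".
Restart-Service -Name w32time
& w32tm /resync /nowait | Out-Null

# Confirm the clock actually synchronized before joining: Kerberos authentication
# fails when the workstation and domain controller clocks differ by more than the
# domain's allowed skew (five minutes by default), and a join needs Kerberos.
$status = & w32tm /query /status
$status | Where-Object { $_ -match '^(Source|Last Successful Sync Time)' }

# Join with your a_account. The credential prompt stands in for the dialog in
# step 4 of the guide; because the object exists in your OU already, the join
# attaches to it there instead of creating one in Default Computers.
$cred = Get-Credential -Message "Enter your a_account (CSUN\a_...)"
Add-Computer -DomainName $domain -Credential $cred -Restart
```

The -Restart switch performs step 6 immediately after the join succeeds; omit it if you want to inspect the output first and reboot by hand.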

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory Users and Computers snap-in. Computer Management is a component you can use to view and control many aspects of the computer configuration. Computer Management combines several administration utilities into a single console tree, providing easy access to a local or remote computer's administrative properties and tools.

Note: / The following example assumes that you are working from a system and with an account that has management privileges on the system being managed and that the system being managed is currently running.

Managing a Remote Computer

To manage a remote computer

  1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
  2. Select the appropriate OU and expand it by clicking the +. Repeat this process until you get down to the level of the computer you wish to remotely manage.
  3. Right-click the computer object and then click Manage.
  4. If you are authorized to do so, a management window will open as shown in Figure 5. If the system cannot be remotely managed, a warning will be issued (Figure 6) and a management window will open as shown in Figure 7. If you are not authorized, a management window will open as shown in Figure 8.

Figure 5 Remotely Managing a Computer

Figure 6 Remote Computer not Found Warning

Figure 7 Remote Computer not Found

Figure 8 Remote Computer Management not Authorized

Creating a Group

A group is a container for people who have something in common and who need to be managed in a similar fashion. For example, a group might consist of the students in a specific class who are the only ones authorized to use the resources of a particular computer lab, or of the administrative staff. However, a group could just as easily be those people with birthdays in August.

For example, to create a group called Comp100Users in the ECS OU:

  1. Right-click the ECS OU, click New, and then click Group.
  2. In the Name of New Group text box, type: Comp100Users
  3. Select the appropriate Group type and Group scope and then click OK.
  • The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers.
  • The Group scope determines the visibility of the group and what type of objects can be contained within the group.

Scope / Visibility / May contain
Domain Local / Domain / Users, Domain Local, Global, or Universal Groups
Global / Forest / Users or Global groups
Universal / Forest / Users, Global, or Universal Groups

Adding a User to a Group

For example, to add users to the Comp100Users group created above:

  1. Click ECS in the left pane.
  2. Right-click the Comp100Users group in the right pane, and click Properties.
  3. Click the Members Tab and click Add.
  4. Enter their user identification (UID). If you are adding multiple users, separate them with a semicolon (;). When you have finished adding names, click the Check Names button, as in Figure 9 below; this checks the entered names against the list of current users. Any discrepancies are identified, and you are asked to correct or remove the UID from the list (Figure 10).
  5. If you do not know the UID, click the Advanced button and follow the instructions in the section called Finding Specific Objects below.

Figure 9 Add User to the Comp100Users Group
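The group creation and membership steps from the two sections above, as an added example that is not part of the original guide. It uses the ActiveDirectory PowerShell module, assumes the ECS OU exists directly under csun.edu, and uses constructed sample UIDs; the name-checking function does what the Check Names button does, rejecting UIDs that do not resolve instead of silently skipping them.

```powershell
# Added example (not from the original guide): create Comp100Users in the ECS OU and
# add members, validating each UID first as the snap-in's Check Names button does.
# Assumptions: ActiveDirectory module, "OU=ECS,DC=csun,DC=edu" exists, and the UIDs
# in $uids are constructed sample values, not real accounts.
Import-Module ActiveDirectory

$groupName = "Comp100Users"
$ouDn      = "OU=ECS,DC=csun,DC=edu"
$uids      = "jdoe", "asmith", "nosuchuser"   # constructed sample UIDs (sAMAccountNames)

# Security type + Global scope, per the table in "Creating a Group": the group can be
# placed on ACLs (lab computers, files, printers), is visible forest-wide, and may
# contain only users and other Global groups from this domain.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" -SearchBase $ouDn)) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -Path $ouDn `
        -GroupCategory Security -GroupScope Global `
        -Description "Students authorized to use the Comp 100 lab"
}

function Resolve-Uid {
    param([string[]]$Uid)
    # Returns the user objects for UIDs that exist and warns about each one that does
    # not, so a typo is caught here rather than surfacing later as a missing permission.
    $resolved = @()
    foreach ($u in $Uid) {
        # Only plain account-name characters reach the LDAP filter; anything else is
        # treated as a typo rather than interpolated into the query.
        if ($u -notmatch '^[A-Za-z0-9._-]+$') {
            Write-Warning "Invalid UID syntax: '$u' (correct or remove it)"
            continue
        }
        $user = Get-ADUser -LDAPFilter "(sAMAccountName=$u)"
        if ($user) {
            $resolved += $user
        } else {
            Write-Warning "Name not found: $u (correct or remove it, as in Figure 10)"
        }
    }
    return $resolved
}

$members = Resolve-Uid -Uid $uids
if ($members) {
    Add-ADGroupMember -Identity $groupName -Members $members
}

# Show the resulting membership for the record.
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
```

With the constructed list above, jdoe and asmith would be added only if those accounts exist in csun.edu, and nosuchuser produces a warning and is left out, which mirrors the correct-or-remove prompt shown in Figure 10.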