2. Managing Object Properties
Once you've created the necessary Active Directory objects, you'll probably need to make changes to their default properties. In addition to the settings you made when you were creating Active Directory objects, you can configure several more properties. You can access object properties by right-clicking any object and selecting Properties from the pop-up menu.
Each object type contains a unique set of properties.
2.1. User Object Properties
The following list describes some of the properties of a user object.
General: General account information about this user
Address: Physical location information about this user
Account: User logon name and other account restrictions, such as workstation restrictions and logon hours
Profile: Information about the user's roaming profile settings
Telephones: Telephone contact information for the user
Organization: The user's title, department, and company information
Member Of: Group membership information for the user
Dial-In: Remote Access Service (RAS) permissions for the user
Environment: Logon and other network settings for the user
Sessions: Session limits, including maximum session time and idle session settings
Remote Control: Remote control options for this user's session
Terminal Services Profile: Information about the user's profile for use with Terminal Services
COM+: Specifies a COM+ partition set for the user
2.2. Computer Object Properties
Computer objects have different properties than user objects. Computer objects refer to the systems that clients operate as part of a domain. The following list describes some computer object properties.
General: Information about the name of the computer, the role of the computer, and its description. You can enable an option to allow the Local System Account of this machine to request services from other servers. This is useful if the machine is a trusted and secure computer.
Operating System: The name, version, and service pack information for the operating system running on the computer
Member Of: Active Directory groups that this Computer object is a member of
Location: A description of the computer's physical location
Managed By: Information about the User or Contact object that is responsible for managing this computer
Dial-in: Sets dial-in options for the computer
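The option on the General tab that lets the machine's Local System Account request services from other servers is worth reviewing periodically, because it should be enabled only on machines that really are trusted. The following read-only report is an added example, not part of the original text; it assumes the ActiveDirectory PowerShell module is available and that the option corresponds to the TrustedForDelegation property, and the function name is hypothetical.

```powershell
# Added example (read-only). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DelegationTrustedComputer {
    param(
        # Where to search; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Assumption: the General-tab option maps to TrustedForDelegation.
    Get-ADComputer -SearchBase $SearchBase -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, OperatingSystem, Location, ManagedBy, PrimaryGroupID |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                OperatingSystem    = $_.OperatingSystem
                Location           = $_.Location
                ManagedBy          = $_.ManagedBy
                # Primary group RID 516 is Domain Controllers, which carry
                # this trust by default and are expected in the output.
                IsDomainController = ($_.PrimaryGroupID -eq 516)
                # An empty Managed By means there is no recorded owner to
                # confirm why the trust was granted.
                MissingOwner       = [string]::IsNullOrEmpty($_.ManagedBy)
            }
        }
}

# List non-DC machines first; these are the ones to justify or clear.
Get-DelegationTrustedComputer |
    Sort-Object IsDomainController, Name |
    Format-Table -AutoSize
```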
2.3. Setting Properties for Active Directory Objects
Now that you have seen the various properties that can be set for the Active Directory objects, let's go through an exercise on how to configure some of these properties. Exercise 2 walks you through how to set various properties for Active Directory objects. In order to complete the steps in this exercise, you must have first completed Exercise 1.
Although it may seem somewhat tedious, it's always a
good idea to enter as much information as you know about Active
Directory objects when you create them. Although the name Printer1 may
be meaningful to you, users will appreciate the additional information
when they are searching for objects.
1. Open the Active Directory Users And Computers tool.
2. Expand the name of the domain, and select the RD container. Right-click the John Q. Admin user account, and select Properties.
3. Here, you will see the various Properties tabs for the User account. Make some configuration changes based on your personal preferences. Click OK to continue.
4. Select the HR OU. Right-click the All Users group, and click Properties. In the All Users Properties dialog box, you will be able to modify the membership of the group. Click the Members tab, and then click Add. Add the Maria D. President and John Q. Admin User accounts to the Group. Click OK to save the settings and then OK to accept the group modifications.
5. Select the Sales OU. Right-click the Workstation1 Computer object. Notice that you can choose to disable the account or reset it (to allow another computer to join the domain under that same name). From the right-click menu, choose Properties. You'll see the properties for the Computer object. Examine the various options and make changes based on your personal preference. After you have examined the available options, click OK to continue.
6. Select the Corporate OU. Right-click the Maria D. President User account, and choose Reset Password. You will be prompted to enter a new password and then you'll be asked to confirm it. Note that you can also force the user to change this password upon the next logon and you can also unlock the user's account from here. For this exercise, do not enter a new password; just choose Cancel.
7. Close the Active Directory Users And Computers tool.
By now, you have probably noticed that Active
Directory objects have a lot of common options. For example, Group and
Computer objects both have a Managed By tab.
Windows Server 2008 allows you to manage many user
objects at once. For instance, you can select several user objects by
holding down the Shift or Ctrl key while selecting. You can then
right-click any one of the selected objects and select Properties to
display the properties that are available for multiple users. Notice
that not every user property is available, because some properties are
unique to each user. You can configure the description field for
multiple object selections that include both users and non-users, such
as computers and groups.
NOTE
A very important thing to think about when it comes to accounts is the difference between disabling an account and deleting an account. When you delete an account, the Security ID (SID) gets deleted. Even if you later create an account with the same username, it will have a different SID and therefore, it will be a different account.
It is sometimes better to disable an account and place it into a non-active OU called Disabled. This way if you ever need to re-access the account, you can do so.
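The disable-and-park approach from the note can be scripted so that the SID, and everything that references it, survives. This is an added example, not part of the original text; it assumes the ActiveDirectory PowerShell module is available, and the function name, account name and domain in the OU path are hypothetical.

```powershell
# Added example: disable and park an account instead of deleting it.
# Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Disable-ParkedAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Distinguished name of the non-active OU the note calls "Disabled".
        [Parameter(Mandatory = $true)][string]$DisabledOU
    )

    # Read the account before changing anything.
    $user = Get-ADUser -Identity $SamAccountName -Properties Description

    # Parent container = DN with the leading RDN removed
    # (split on the first comma that is not backslash-escaped).
    $oldParent = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
    $stamp = 'Disabled {0:yyyy-MM-dd}; previously in {1}' -f (Get-Date), $oldParent

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $stamp
        # Move last: the distinguished name changes after this call.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    # Look the account up by SID. Disabling and moving do not change it,
    # so permissions and group memberships that reference the SID still
    # resolve if the account is re-enabled later.
    Get-ADUser -Identity $user.SID.Value -Properties Description |
        Select-Object SamAccountName, Enabled, SID, DistinguishedName, Description
}

# Constructed usage: preview with -WhatIf, then rerun without it.
Disable-ParkedAccount -SamAccountName 'jqadmin' `
    -DisabledOU 'OU=Disabled,DC=example,DC=com' -WhatIf
```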
Another object management task is the process of deprovisioning. Deprovisioning is managing Active Directory objects in the connector space. To learn more about deprovisioning, visit Microsoft's website.
As was mentioned earlier, it's always a good idea to
enter in as much information as possible about an object. This allows
systems administrators and users alike to get the most out of Active
Directory and its properties.