Active Directory is a directory service, and it is the role of a
directory service to maintain information about enterprise resources,
including users, groups, and computers. Resources are divided into OUs
to facilitate manageability and visibility—that is, they can make it
easier to find objects. In this lesson, you learn how to create OUs,
users, groups, and computers. You also learn important skills for
locating objects when you need them.
The practice exercises at the end of this lesson are important for
you to complete, because they create some of the objects that will be
used in future practices.
Organizational units (OUs) are administrative containers within
Active Directory that are used to collect objects that share common
requirements for administration, configuration, or visibility. What
this means will become clearer as you learn more about OU design
and management. For now, just understand that OUs provide an
administrative hierarchy similar to the folder hierarchy of a disk
drive: OUs create collections of objects that
belong together for administration. The term
administration is emphasized here because OUs are
not used to assign permissions to resources—that is what groups are
for. Users are placed into groups that are given permission to
resources. OUs are administrative containers within which those users
and groups can be managed by administrators.
To create an organizational unit:

1. Open the Active Directory Users And Computers snap-in.
2. Right-click the Domain node or the OU node in which you want to add
   the new OU, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit. Be sure to follow the
   naming conventions of your organization.
4. Select Protect Container From Accidental Deletion. You’ll learn more
   about this option later in this section.
5. Click OK.

OUs have other properties that can be useful to configure. These
properties can be set after the object has been created:

1. Right-click the OU and click Properties. Follow the naming
   conventions and other standards and processes of your organization.
   - You can use the Description field to explain the purpose of an OU.
   - If an OU represents a physical location, such as an office, the
     OU’s address properties can be useful.
   - You can use the Managed By tab to link to the user or group that
     is responsible for the OU. Click the Change button under the Name
     box. You’ll learn about the Select Users, Contacts, Or Groups
     dialog box later in this lesson. The remaining contact information
     on the Managed By tab is populated from the account specified in
     the Name box. The Managed By tab is used solely for contact
     information: the specified user or group does not gain any
     permissions or access to the OU.
2. Click OK.
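The same two procedures (create a protected OU, then fill in its description, address and Managed By contact) carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original lesson. The domain contoso.com, the OU name Employees, the address values and the group OU Owners are assumptions made for illustration; the cmdlets and parameters are the module’s own.

```powershell
# Added example, not from the original lesson. Assumes the ActiveDirectory
# module (RSAT) and a domain such as contoso.com; the OU name, the address
# and the managing group are illustrative values.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=com
$ouName   = 'Employees'                           # assumed; follow your naming convention
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU under the domain node. -ProtectedFromAccidentalDeletion is
# $true by default for New-ADOrganizationalUnit, but stating it explicitly
# records the intent in scripts and change tickets.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true `
        -Description 'Standard employee accounts (assumed description)'
}

# The property sheet: description, the address of the office the OU
# represents, and the Managed By contact. ManagedBy is contact data only;
# it grants the named group no rights on the OU (delegation lives in the ACL).
$ouOwners = Get-ADGroup -Filter "name -eq 'OU Owners'"   # assumed group; may not exist
$settings = @{
    Identity      = $ouDN
    Description   = 'Standard employee accounts (assumed description)'
    StreetAddress = '1 Main Street'   # assumed address values
    City          = 'Redmond'
    State         = 'WA'
    PostalCode    = '98052'
    Country       = 'US'              # two-letter country code
}
if ($ouOwners) { $settings['ManagedBy'] = $ouOwners.DistinguishedName }
Set-ADOrganizationalUnit @settings

# Read back what was set, including the safety switch.
Get-ADOrganizationalUnit -Identity $ouDN `
    -Properties Description, StreetAddress, City, ManagedBy, ProtectedFromAccidentalDeletion |
    Select-Object Name, Description, City, ManagedBy, ProtectedFromAccidentalDeletion
```

Splatting the property-sheet values through a hashtable keeps the call readable and lets the ManagedBy entry be added only when the group actually exists, so a typo in the group name fails the lookup rather than silently creating an OU with no contact.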
Windows Server 2008 introduced a new option when creating an OU: Protect Container From Accidental
Deletion. This option adds a safety switch to the OU so that it cannot
be accidentally deleted. Two permissions are added to the OU:
Everyone::Deny::Delete and Everyone::Deny::Delete Subtree. No user,
not even an administrator, will be able to delete the OU and its
contents accidentally. It is highly recommended that you enable this
protection for all new OUs.
If you want to delete the OU, you must first turn off the safety
switch. To delete a protected OU, follow these steps:

1. In the Active Directory Users And Computers snap-in, click the View
   menu and select Advanced Features.
2. Right-click the OU and click Properties.
3. Click the Object tab. If you do not see the Object tab, you did not
   enable Advanced Features in step 1.
4. Clear the check box labeled Protect Object From Accidental Deletion.
5. Click OK.
6. Right-click the OU and click Delete.
7. You are prompted to confirm that you want to delete the OU. Click
   Yes.
8. If the OU contains any other objects, you are prompted by the
   Confirm Subtree Deletion dialog box to confirm that you want to
   delete the OU and all the objects it contains. Click Yes.
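An added example, not from the original lesson, covering both the explanation of the safety switch above and the deletion procedure: it lists the two Everyone Deny ACEs the protection consists of, clears the flag, clears it on any protected children, and then performs the subtree delete. The OU distinguished name is an assumption; the cmdlets, the AD: drive and the ActiveDirectoryRights enumeration are real.

```powershell
# Added example, not from the original lesson. Assumes the ActiveDirectory
# module and an OU at the (illustrative) DN below.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$ouDN = 'OU=Employees,DC=contoso,DC=com'   # assumed

# The safety switch is two ACEs on the OU itself: Everyone is denied Delete
# and DeleteTree (shown as Delete Subtree in the GUI). Because a Deny for
# Everyone also covers administrators, even a Domain Admin gets "Access is
# denied" until the ACEs are gone.
$deny = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
        [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.ActiveDirectoryRights -band $deny) -ne 0)
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# Turn the switch off. This is what clearing Protect Object From Accidental
# Deletion on the Object tab does: the two Deny ACEs are removed.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false

# Protected child objects (nested OUs, or users and groups flagged the same
# way) still make a subtree delete fail with access denied, so clear the
# flag on them as well. The search includes the OU itself, which is harmless.
Get-ADObject -SearchBase $ouDN -SearchScope Subtree -Filter * `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $false

# -Recursive is the scripted equivalent of answering Yes in the Confirm
# Subtree Deletion dialog; without it the cmdlet refuses a non-empty OU.
# Dry-run first, then delete without the interactive confirmation.
Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -WhatIf
Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -Confirm:$false
```

Keeping the ACE listing in the script is deliberate: if the Where-Object returns nothing, the OU was never protected, and the subsequent Set is a no-op; if it returns ACEs for a principal other than Everyone, someone has hand-edited the ACL and the flag alone will not make the delete succeed.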
To create a new user in Active Directory, perform the following steps.
Be certain to follow the naming conventions and processes specified by
your organization.

1. Open the Active Directory Users And Computers snap-in.
2. In the console tree, expand the node that represents your domain
   (for instance, contoso.com) and navigate to the OU or container
   (for example, Users) in which you want to create the user account.
3. Right-click the OU or container, point to New, and then click User.
   The New Object – User dialog box appears, as shown in Figure 1.
4. In First Name, type the user’s first name.
5. In Initials, type the user’s middle initial(s). Note that this
   property is meant for the initials of a user’s middle name, not the
   initials of the user’s first and last name.
6. In Last Name, type the user’s last name.
7. The Full Name field is populated automatically. Make modifications
   to it if necessary. The Full Name field is used to create several
   attributes of a user object, most notably the common name (CN) and
   the display name. The CN of a user is the name displayed in the
   details pane of the snap-in. It must be unique within the container
   or OU. Therefore, if you are creating a user object for a person
   with the same name as an existing user in the same OU or container,
   you must enter a unique name in the Full Name field.
8. In User Logon Name, type the name that the user will log on with
   and, from the drop-down list, select the user principal name (UPN)
   suffix that will be appended to the user logon name following the
   @ symbol.
   User names in Active Directory can contain some special characters
   (including periods, hyphens, and apostrophes), which allows you to
   generate accurate user names such as O’Hara and Smith-Bates.
   However, certain applications can have other restrictions, so it is
   recommended that you use only standard letters and numerals until
   you have fully tested the applications in your enterprise for
   compatibility with special characters in logon names.
   You can manage the list of available UPN suffixes by using the
   Active Directory Domains And Trusts snap-in. Right-click the root of
   the snap-in, Active Directory Domains And Trusts, choose Properties,
   and then use the UPN Suffixes tab to add or remove suffixes. The DNS
   name of your Active Directory domain will always be available as a
   UPN suffix and cannot be removed.
9. In the User Logon Name (Pre–Windows 2000) box, enter the
   pre–Windows 2000 logon name, often called the downlevel logon name.
10. Click Next.
11. Enter an initial password for the user in the Password and Confirm
    Password boxes.
12. Select the User Must Change Password At Next Logon check box. It is
    recommended that you always select this option so that the user
    can create a new password unknown to the IT staff. Appropriate
    support staff members can always reset the user’s password at a
    future date if they need to log on as the user or access the user’s
    resources. However, only users should know their passwords on a
    day-to-day basis.
13. Click Next.
14. Review the summary and click Finish.

The New Object – User interface allows you to configure a limited
number of account-related properties such as name and password
settings. However, a user object in Active Directory supports dozens of
additional properties. These can be configured after the object has
been created:

1. Right-click the user object that you created and click Properties.
2. Configure user properties. Be certain to follow the naming
   conventions and other standards of your organization.
3. Click OK.
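The user-creation procedure above, including the UPN suffix lookup that the Active Directory Domains And Trusts paragraph describes, carried out with the ActiveDirectory PowerShell module as an added example that is not part of the original lesson. The person, OU, logon names and the letters-digits-period pattern for the logon name are assumptions made for illustration; the cmdlets, parameters and attribute names are the module’s own.

```powershell
# Added example, not from the original lesson. Assumes the ActiveDirectory
# module and a domain such as contoso.com; the person, OU and logon names
# are illustrative values.
Import-Module ActiveDirectory
$ouDN      = 'OU=Employees,DC=contoso,DC=com'   # assumed OU or container for the account
$firstName = 'Dan'
$initials  = ''                                  # middle initial(s) only, not first/last
$lastName  = 'Holme'
$logonName = 'dan.holme'                         # the part before the @
$suffix    = 'contoso.com'                       # picked from the forest's UPN suffix list
$sam       = 'dan.holme'                         # pre-Windows 2000 (downlevel) logon name

# The suffix must be one the forest knows: every domain's DNS name (always
# present, cannot be removed) plus any extra suffixes added in Active
# Directory Domains And Trusts, or with Set-ADForest -UPNSuffixes @{Add='...'}.
$forest = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($knownSuffixes -notcontains $suffix) {
    throw "UPN suffix '$suffix' is not defined in forest $($forest.Name)"
}

# Stay with letters, digits and a period (this example's own convention)
# until applications are tested with apostrophes and hyphens. The downlevel
# name is limited to 20 characters and must be unique in the domain.
if ($logonName -notmatch '^[A-Za-z0-9.]+$') { throw "Untested characters in logon name '$logonName'" }
if ($sam.Length -gt 20) { throw "Downlevel name '$sam' exceeds 20 characters" }
if (Get-ADUser -Filter { SamAccountName -eq $sam }) { throw "Downlevel name '$sam' is already in use" }

# Full Name becomes the CN and the display name, so it must be unique in the
# OU. Mirror the wizard's default "First I. Last" form and add a qualifier
# when a namesake already exists in the same OU or container.
$fullName = if ($initials) { "$firstName $initials. $lastName" } else { "$firstName $lastName" }
if (Get-ADUser -Filter { Name -eq $fullName } -SearchBase $ouDN -SearchScope OneLevel) {
    $fullName = "$fullName ($sam)"
}

# Initial password, entered as a SecureString rather than written into the
# script, and a forced change at first logon so only the user knows the
# working password.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString

$user = @{
    Name                  = $fullName
    DisplayName           = $fullName
    GivenName             = $firstName
    Surname               = $lastName
    SamAccountName        = $sam
    UserPrincipalName     = "$logonName@$suffix"
    Path                  = $ouDN
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true   # unlike the wizard, New-ADUser leaves new accounts disabled
}
if ($initials) { $user['Initials'] = $initials }
New-ADUser @user

# Verify. pwdLastSet of 0 is how "must change password at next logon" is stored.
Get-ADUser -Identity $sam -Properties pwdLastSet |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled, pwdLastSet
```

Two points differ from the wizard and are easy to miss when scripting: New-ADUser creates a disabled account unless -Enabled $true is given, and it does not generate the downlevel name or the display name from the other fields, so SamAccountName and DisplayName have to be supplied explicitly. The script-block filters (-Filter { Name -eq $fullName }) are used so that a surname such as O’Hara does not break a string-built filter.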