Configuring Windows Server 2008 Active Directory : Creating Objects in Active Directory (part 3) - Finding Objects in Active Directory

When you add a member to a group, assign a permission, or create a linked property, you are presented with the Select Users, Contacts, Computers, Or Groups dialog box shown in Figure 4. This dialog box is referred to as the Select dialog box throughout this training kit. To see an example, open the properties of a group object, click the Members tab, and then click the Add button.

If you know the names of the objects you need, you can type them directly into the Enter The Object Names To Select text box. Multiple names can be entered, separated by semicolons, as shown in Figure 4. When you click OK, Windows looks up each item in the list, converts it into a link to the object, and then closes the dialog box. The Check Names button also converts each name to a link but leaves the dialog box open, as shown in Figure 5.

You do not need to enter the full name; you can enter either the user’s first or last name, or even just part of the first or last name. For example, Figure 4 shows the names jfine and dan. When you click OK or Check Names, Windows attempts to convert your partial name to the correct object. If there is only one matching object, such as the logon name jfine, the name is resolved as shown in Figure 6. If there are multiple matches, such as the name Dan, the Multiple Names Found box, shown in Figure 6, appears. Select the correct name or names and click OK. The selected name appears as shown in Figure 5.

By default, the Select dialog box searches the entire domain. If you are getting too many results and want to narrow down the scope of your search, or if you need to search another domain or the local users and groups on a domain member, click Locations.

Additionally, the Select dialog box, despite its full name—Select Users, Contacts, Computers, Or Groups—rarely searches all four object types. When you add members to a group, for example, computers are not searched by default. If you enter a computer name, it will not be resolved correctly. Click Object Types, use the Object Types dialog box shown in Figure 7 to select the correct types, and then click OK.

If you are having trouble locating the objects you want, click Advanced in the Select dialog box. The advanced view, shown in Figure 8, allows you to search both name and description fields as well as disabled accounts, non-expiring passwords, and stale accounts that have not logged on for a specific period of time.

Some of the fields on the Common Queries tab might be disabled, depending on the object type you are searching. Click Object Types to specify exactly the type of object you want.

The details pane of the Active Directory Users And Computers snap-in can be customized to help you work effectively with the objects in your directory. Use the Add/Remove Columns command on the View menu to add columns to the details pane. Not every attribute is available to display as a column, but you are certain to find columns that are useful to display, such as User Logon Name. You might also find that some columns are unnecessary. If your OUs have only one type of object (user or computer, for example), the Type column may not be helpful.

When a column is visible, you can change the order of columns by dragging the column headings to the left or right. You can also sort the view in the details pane by clicking the column: the first click sorts in ascending order, the second in descending order, just like Windows Explorer. A common customization is to add the Last Name column to a view of users so that they can be sorted by last name. It is generally easier to find users by last name than by the Name column, which is the common name (CN) and is generally first name - last name.

To add the Last Name column to the details pane:

Windows systems also provide the Active Directory query tool, called the Find box by many administrators. One way to launch the Find box is to click the Find Objects In Active Directory Domain Services button on the toolbar in the Active Directory Users And Computers snap-in. The button and the resulting Find box are shown in Figure 9.

Use the Find drop-down list to specify the types of objects you want to query, or select Common Queries or Custom Search. The In drop-down list specifies the scope of the search. It is recommended that, whenever possible, you narrow the scope of the search to avoid the performance impacts of a large, domain-wide search. Together, the Find and the In lists define the scope of the search.

Next, configure the search criteri. Commonly used fields are available as criteria based on the type of query you are performing. When you have specified your search scope and criteria, click Find Now. In the results list, you can right-click any item and choose administrative commands such as Move, Delete, and Properties.

For the most complete, advanced control over the query, choose Custom Search in the Find drop-down list. If you choose Custom Search and then click the Advanced tab, you can build powerful LDAP queries. For example, the query OU=*main* searches for any OU with a name that contains main and would return the Domain Controllers OU. Without the custom search, you can search based on the text at the beginning of the name only; the custom search with wildcards enables you to build a “contains” search.

The Find box also appears in other Windows locations, including the Add Printer Wizard when locating a network printer. The Network folder also has a Search Active Directory button. You can add a custom shortcut, perhaps to your Start menu or desktop, to make searches even more accessible. The target of the shortcut should be rundll32 dsquery,OpenQueryWindow.

Sometimes you want to find an object by using the Find command, because you don’t actually know where the object is.

To determine where an object is located:

Alternately, in the Find dialog box, you can display the Published At column:

Windows Server 2003 introduced the Saved Queries node of the Active Directory Users And Computers snap-in. This powerful function helps you create rule-driven views of your domain, displaying objects across one or more OUs.

To create a saved query:

After your query is created, it is saved within the instance of the Active Directory Users And Computers snap-in. So if you open the Active Directory Users And Computers console (dsa.msc), your query will be available the next time you open the console. If you created the saved query in a custom console, it will be available in that custom console. To transfer saved queries to other consoles or users, you can export the saved query as an XML file and then import it to the target snap-in.

The view of the saved query in the details pane can be customized, as described earlier, with specific columns and sorting. A very important benefit of saved queries is that the customized view is specific to each saved query. When you add the Last Name column to the normal view of an OU, the Last Name column is actually added to the view of every OU, so you see an empty Last Name column even for an OU of computers or groups. With saved queries, you can add the Last Name column to a query for user objects and other columns for other saved queries.

Saved queries are a powerful way to virtualize the view of your directory and monitor for issues such as disabled or locked accounts. Learning to create and manage saved queries is a worthwhile use of your time.