Finding Objects in Active Directory
You have learned how to create objects in Active Directory, but
as your Active Directory becomes populated with user, group, computer, and other objects, it may become
difficult to find a specific object or objects that you want to
modify. You will need to locate objects in Active Directory on many
occasions:
- Granting permissions: When you configure permissions for a file or folder, you must select the group (or user) to which permissions should be assigned.
- Adding members to groups: A group’s membership can consist of users, computers, groups, or any combination of the three. When you add an object as a member of a group, you must select the object.
- Creating links: Linked properties are properties of one object that refer to another object. Group membership is, in fact, a linked property. Other linked properties, such as the Managed By setting discussed earlier, are also links. When you specify the Managed By name, you must select the appropriate user or group.
- Looking up an object: You can search for any object in your Active Directory domain.
Many other situations involve searching Active Directory, and
you will encounter several user interfaces. In this section, you learn
some techniques for working with each.
Using the Select Users, Contacts, Computers, Or Groups Dialog Box
When you add a member to a group, assign a permission, or
create a linked property, you are presented with the Select Users,
Contacts, Computers, Or Groups dialog box shown in Figure 4. This dialog
box is referred to as the Select dialog box
throughout this training kit. To see an example, open the properties
of a group object, click the Members tab, and then click the Add
button.
If you know the names of the objects you need, you can type
them directly into the Enter The Object Names To Select text box. Multiple
names can be entered, separated by semicolons, as shown in Figure 4. When you
click OK, Windows looks up each item in the list, converts it into a
link to the object, and then closes the dialog box. The Check Names button also converts each name to a link
but leaves the dialog box open, as shown in Figure 5.
You do not need to enter the full name; you can enter either the
user’s first or last name, or even just part of the
first or last name. For example, Figure 4 shows the
names jfine and dan. When you click OK or Check Names, Windows
attempts to convert your partial name to the correct object. If
there is only one matching object, such as the logon name jfine, the
name is resolved as shown in Figure 6. If there are
multiple matches, such as the name Dan, the Multiple Names Found box, shown in Figure 6, appears. Select
the correct name or names and click OK. The selected name appears as
shown in Figure 5.
By default, the Select dialog box searches the entire domain.
If you are getting too many results and want to narrow down the
scope of your search, or if you need to search another domain or the
local users and groups on a domain member, click
Locations.
Additionally, the Select dialog box, despite its full
name—Select Users, Contacts, Computers, Or Groups—rarely
searches all four object types. When you add members to a group, for
example, computers are not searched by default. If you enter a
computer name, it will not be resolved correctly. Click Object
Types, use the Object Types dialog box shown in Figure 7 to select the correct
types, and then click OK.
If you are having trouble locating the objects you want, click Advanced in the Select dialog box. The advanced view, shown in Figure 8, allows you to
search both name and description fields as well as disabled
accounts, non-expiring passwords, and stale accounts that have not
logged on for a specific period of time.
Some of the fields on the Common Queries tab might be
disabled, depending on the object type you are searching. Click
Object Types to specify exactly the type of object you
want.
Controlling the View of Objects in the Active Directory Users And Computers Snap-in
The details pane of the Active Directory Users And Computers
snap-in can be customized to help you work effectively with the
objects in your directory. Use the Add/Remove Columns command on the View menu to add
columns to the details pane. Not every attribute is available to
display as a column, but you are certain to find columns that are
useful to display, such as User Logon Name. You might also find that
some columns are unnecessary. If your OUs have only one type of
object (user or computer, for example), the Type column may not be
helpful.
When a column is visible, you can change the order of columns
by dragging the column headings to the left or right. You can also
sort the view in the details pane by clicking the column: the first
click sorts in ascending order, the second in descending order, just
like Windows Explorer. A common customization is to add the Last
Name column to a view of users so that they can be sorted by last name.
It is generally easier to find users by last name than by the Name
column, which is the common name (CN) and is generally first name -
last name.
To add the Last Name column to the details pane:
- On the View menu, click Add/Remove Columns.
- In the Available Columns list, click Last Name.
- Click Add.
- In the Displayed Columns list, click Last Name and click Move Up twice.
- In the Displayed Columns list, click Type and click Remove.
- Click OK.
- In the details pane, click the Last Name column header to sort alphabetically by last name.
Windows systems also provide the Active Directory query tool,
called the Find box by many administrators. One way to launch the
Find box is to click the Find Objects In Active Directory Domain Services
button on the toolbar in the Active Directory Users And Computers
snap-in. The button and the resulting Find box are shown in Figure 9.
Use the Find drop-down list to specify the types of objects you want to query, or select Common Queries or
Custom Search. The In drop-down list specifies the scope of the
search. It is recommended that, whenever possible, you narrow the
scope of the search to avoid the performance impacts of a large,
domain-wide search. Together, the Find and the In lists define the scope of the
search.
Next, configure the search criteria. Commonly used fields are
available as criteria based on the type of query you are performing.
When you have specified your search scope and criteria, click Find
Now. In the results list, you can right-click any item and choose
administrative commands such as Move, Delete, and Properties.
For the most complete, advanced control over the query, choose
Custom Search in the Find drop-down list. If you
choose Custom Search and then click the Advanced tab, you can build
powerful LDAP queries. For example, the query OU=*main* searches for any OU with a name
that contains main and would return the Domain
Controllers OU. Without the custom search, you can search based on
the text at the beginning of the name only; the
custom search with wildcards enables you to build a “contains”
search.
The Find box also appears in other Windows locations,
including the Add Printer Wizard when locating a network printer.
The Network folder also has a Search Active Directory button. You
can add a custom shortcut, perhaps to your Start menu or desktop, to
make searches even more accessible. The target of the shortcut
should be rundll32 dsquery,OpenQueryWindow.
Determining Where an Object Is Located
Sometimes you locate an object by using the Find command precisely
because you don’t know where in the directory the object is stored.
To determine where an object is located:
- On the View menu, click Advanced Features.
- Click the Find Objects In Active Directory Domain Services toolbar button, and then perform a search for the object.
- Right-click the object, click Properties, and then click the Object tab.
- The Canonical Name Of Object shows you the path to the object, starting at the domain.
Alternately, in the Find dialog box, you can display the
Published At column:
- In the Find dialog box, click View, and then click Choose Columns.
- In the Columns Available list, click Published At, and then click Add.
- Click OK.
Windows Server 2003 introduced the Saved Queries node of the Active Directory Users And
Computers snap-in. This powerful function helps you create
rule-driven views of your domain, displaying objects across one or more OUs.
To create a saved query:
- Open the Active Directory Users And Computers snap-in.
  Saved Queries is not available in the Active Directory Users And Computers snap-in that is part of Server Manager. You must use the Active Directory Users And Computers console or a custom console with the snap-in.
- Right-click Saved Queries, point to New, and then click Query.
- Enter a name for the query.
- Optionally, enter a description.
- Click Browse to locate the root for the query.
  The search is limited to the domain or OU that you select. It is recommended that you narrow your search as much as possible to improve search performance.
- Click Define Query to define your query.
- In the Find dialog box, click the tab for the type of object you want to query.
  The tabs in the dialog box and the input controls on each tab change to provide options that are appropriate for the selected query.
- Configure the criteria for your query.
- Click OK.
After your query is created, it is saved within the instance
of the Active Directory Users And Computers snap-in. So if you create
the query in the Active Directory Users And Computers console (dsa.msc),
it will be available the next time you open that console. If you
created the saved query in a custom console, it will be available in
that custom console. To transfer saved queries to other consoles or
users, you can export the saved query as an XML file and then import
it to the target snap-in.
The view of the saved query in the details pane can be
customized, as described earlier, with specific columns and sorting.
A very important benefit of saved queries is that the customized
view is specific to each saved query. When you add the Last Name
column to the normal view of an OU, the Last Name column is actually
added to the view of every OU, so you see an
empty Last Name column even for an OU of computers or groups. With
saved queries, you can add the Last Name column to a query for user
objects and other columns for other saved
queries.
Saved queries are a powerful way to virtualize the view of
your directory and monitor for issues such as disabled or locked
accounts. Learning to create and manage saved queries is a
worthwhile use of your time.
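As an added example that is not part of the training kit, the following PowerShell performs from the command line the same lookups the text describes in the GUI: the Custom Search "contains" query (OU=*main*), the canonical name shown on the Object tab, and the Common Queries options (disabled accounts, non-expiring passwords, stale accounts) that a saved query would monitor. It assumes the ActiveDirectory module from RSAT on a domain-joined machine; the search base distinguished name is a constructed placeholder.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module
# (part of RSAT) on a domain-joined machine. The search base is a constructed
# placeholder; point it at a real OU to narrow the scope, as the text advises.
Import-Module ActiveDirectory
$SearchBase = 'OU=Staff,DC=contoso,DC=com'   # constructed placeholder DN

# 1. The Custom Search example: a "contains" match on the OU name (OU=*main*).
#    Run against the domain root, this returns the Domain Controllers OU.
Get-ADOrganizationalUnit -LDAPFilter '(ou=*main*)' -Properties canonicalName |
    Select-Object Name, canonicalName

# 2. Where is an object? canonicalName is the value the Object tab shows as
#    Canonical Name Of Object: the path from the domain down to the object.
Get-ADUser -Identity jfine -Properties canonicalName |
    Select-Object SamAccountName, canonicalName

# 3. Saved-query style filters for the Common Queries options. Both settings
#    are bits in userAccountControl, so the bitwise-AND matching rule
#    (OID 1.2.840.113556.1.4.803) is used instead of an equality match.
$disabled = Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'       # ACCOUNTDISABLE
$noExpiry = Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)'   # DONT_EXPIRE_PASSWD

# 4. Stale accounts: no logon for 90 days. lastLogonTimestamp is stored as a
#    FILETIME (100-ns ticks since 1601-01-01 UTC), so convert the cutoff first.
#    Accounts that have never logged on carry no lastLogonTimestamp at all,
#    which is why the second branch of the OR matches a missing attribute.
$cutoff = (Get-Date).AddDays(-90).ToFileTimeUtc()
$stale = Get-ADUser -SearchBase $SearchBase -Properties lastLogonTimestamp `
    -LDAPFilter "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*)))"

"Disabled: $(@($disabled).Count)  Non-expiring: $(@($noExpiry).Count)  Stale: $(@($stale).Count)"
```

lastLogonTimestamp is replicated lazily (by default it is only updated when the previous value is more than about 14 days old), so treat the stale-account list as approximate and compare against lastLogon on each domain controller when an exact answer matters.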