1. Managing User Attributes with Active Directory Users And Computers
When you use the New Object–User Wizard in the Active Directory Users And
Computers snap-in to create a user, you are prompted for some common
properties, including logon names, password, and user first and last
names. A user object in Active Directory, however, supports dozens of
additional properties that you can configure at any time with the
Active Directory Users And Computers snap-in.
To read and modify the attributes of a user object, right-click
the user and then click Properties. The user’s Properties dialog box
appears, as shown in Figure 1.
Attributes of a user object fall into several broad categories
that appear on tabs of the dialog box:
- Account attributes: the Account tab. These properties include logon names,
the password, and account flags. Many of these attributes can be configured
when you create a new user with the Active Directory Users And Computers
snap-in. The Account Properties section details account attributes.
- Personal information: the General, Address, Telephones, and Organization
tabs. The General tab exposes the name properties that are configured when
you create a user object, as well as basic description and contact
information. The Address and Telephones tabs provide detailed contact
information. The Telephones tab also contains the Notes field, which maps to
the info attribute and is a very useful general-purpose text field that is
underused by many enterprises. The Organization tab shows job title,
department, company, and organizational relationships.
- User configuration management: the Profile tab. Here you can configure the
user’s profile path, logon script, and home folder.
- Group membership: the Member Of tab. You can add the user to and remove the
user from groups and change the user’s primary group.
- Terminal services: the Terminal Services Profile, Environment, Remote
Control, and Sessions tabs. These four tabs enable you to configure and
manage the user’s experience when the user is connected to a Terminal
Services session.
- Remote access: the Dial-in tab. You can enable and configure remote access
permission for a user on the Dial-in tab.
- Applications: the COM+ tab. This tab enables you to assign users to an
Active Directory COM+ partition set. This feature facilitates the management
of distributed applications and is beyond the scope of the 70-640 exam.
A user object has even more properties than are visible in its
Properties dialog box. Some of the so-called hidden
properties can be quite useful to your enterprise. The
Attribute Editor allows you to view and edit all
attributes of a user object. The Attribute Editor tab is not visible until you enable
Advanced Features from the View menu of the Microsoft Management
Console (MMC). Click the View menu and select the Advanced Features
option. Then open the Properties dialog box of the user to view the
Attribute Editor tab, as shown in Figure 2.
The Attribute Editor displays all the system attributes of the
selected object. The Filter button lets you choose to see even more
attributes, including backlinks and constructed
attributes.
Backlinks are attributes that result from
references to the object from other objects. The easiest way to
understand backlinks is to look at an example: the
memberOf attribute. When a user is added to a group, it is the group’s
member attribute that is changed: The
distinguished name of the user is added to this multivalued
attribute. Therefore, the member attribute of a
group is called a forward link attribute. A
user’s memberOf attribute is updated
automatically by Active Directory when the user is referred to by a
group’s member attribute. You do not ever write
directly to the user’s memberOf attribute; it
is dynamically maintained by Active Directory.
A constructed attribute is one that results from a calculation
performed by Active Directory. An example
is the tokenGroups attribute. This attribute is
a list of the security identifiers (SIDs) of all the groups to which
the user belongs, including nested groups. To determine the value of
tokenGroups, Active Directory must calculate
the effective membership of the user, which takes a few processor
cycles. Therefore, the attribute is not stored as part of the user
object or dynamically maintained. Instead, it is calculated when
needed. Because of the processing required to produce constructed
attributes, the Attribute Editor does not display them by default.
They also cannot be used in LDAP queries.
As you can see in Figure 2,
some attributes of a user object could be quite useful, including
division, employeeID, employeeNumber, and
employeeType. Although the attributes are not
shown on the standard tabs of a user object, they are now available
through the Attribute Editor, and they can be accessed
programmatically with Windows PowerShell.
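The following PowerShell script, added here as an example and not taken from the training kit, reads the hidden attributes named above, contrasts the memberOf backlink with the constructed tokenGroups attribute, and shows which of them may be written. It assumes the ActiveDirectory module from RSAT and a placeholder user named jdoe.

```powershell
# Added example (not from the training kit). Assumes the ActiveDirectory
# module from RSAT and a sample user 'jdoe' (placeholder name).
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder sAMAccountName

# Attributes that are not on the standard tabs, and the memberOf backlink,
# are requested by LDAP display name; Get-ADUser returns only a small
# default set unless you name the extra attributes with -Properties.
$user = Get-ADUser -Identity $sam -Properties division, employeeID, employeeNumber, employeeType, memberOf
$user | Select-Object Name, division, employeeID, employeeNumber, employeeType

# memberOf is a backlink: AD maintains it from each group's member
# attribute, so it lists only direct memberships (no nesting).
$user.memberOf | ForEach-Object { "direct: $_" }

# tokenGroups is constructed: it is computed on request, is absent from the
# default property set and cannot be used in an LDAP filter. Read it from
# the object itself with RefreshCache; the values are the SIDs of every
# group the user belongs to, nested groups included.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.psbase.RefreshCache(@('tokenGroups'))
foreach ($sidBytes in $entry.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved SID)' }
    "effective: $name ($sid)"
}

# Ordinary attributes such as division can be written with -Replace;
# memberOf (backlink) and tokenGroups (constructed) are read-only.
# Remove -WhatIf to apply the change.
Set-ADUser -Identity $sam -Replace @{ division = 'Platform Engineering'; employeeType = 'Contractor' } -WhatIf
```

Comparing the "direct:" and "effective:" lists for a user whose groups are nested is the quickest way to see why tokenGroups has to be calculated rather than stored.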
Managing Attributes of Multiple Users
The Active Directory Users And Computers snap-in enables you
to modify the properties of multiple user objects simultaneously.
To modify attributes of multiple users in the Active Directory
Users And Computers snap-in:
1. Select several user objects by holding the Ctrl key as you click each
user, or by using any other multiselection technique. Be certain that you
select only objects of one class, such as users.
2. After you have multiselected the objects, right-click any one of them and
then click Properties.
When you have multiselected the user objects, a subset of
properties is available for modification:
- General: Description, Office, Telephone Number, Fax, Web Page, E-mail
- Account: UPN Suffix, Logon Hours, Computer Restrictions (logon
workstations), all Account Options, Account Expires
- Address: Street, P.O. Box, City, State/Province, ZIP/Postal Code,
Country/Region
- Profile: Profile Path, Logon Script, and Home Folder
- Organization: Title, Department, Company, Manager
EXAM TIP
Be sure to know which properties can be modified for
multiple users simultaneously. Exam scenarios and
simulations that suggest a need to change
many user object properties as quickly as possible are often
testing your understanding of multiselecting. In the real world,
remember that you can and should use automation tools such as
DSMod, Windows PowerShell, and VBScript.
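As an added example of the automation the tip recommends (not code from the training kit), the following PowerShell script applies the same Organization and Profile values that a multiselect edit would set, but to every enabled user in an OU. The OU, file server and company values are placeholders, and it assumes the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the training kit). Assumes the ActiveDirectory
# module from RSAT; OU, file server and company values are placeholders.
Import-Module ActiveDirectory

$searchBase    = 'OU=Sales,DC=contoso,DC=com'   # placeholder OU
$profileServer = '\\fs01\profiles'              # placeholder file server

# Select the set of users to change. Filtering on one object class is the
# scripted equivalent of the snap-in's rule to multiselect only users.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $searchBase `
                    -Properties department, company, profilePath, division

foreach ($u in $users) {
    # Organization tab values (Department, Company) and a Profile tab value
    # (Profile Path) in one call. Attributes without a dedicated parameter,
    # such as division, go through -Replace with their LDAP display name.
    # -WhatIf reports the change without writing it; remove it to apply.
    Set-ADUser -Identity $u `
               -Department 'Sales' `
               -Company 'Contoso' `
               -ProfilePath "$profileServer\$($u.SamAccountName)" `
               -Replace @{ division = 'Field Sales' } `
               -WhatIf
}

# Review the current values for the selected users before committing.
$users | Select-Object SamAccountName, department, company, division, profilePath |
    Format-Table -AutoSize
```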