Managing Windows Small Business Server 2011 : Using Windows Server 2008 R2 Tools (part 1)

The Active Directory Users And Computers Console is the primary administration tool for AD DS. The console provides access to all the objects in the AD DS hierarchy and most of the attributes in each object. If you want to work with objects or attributes that do not appear in the Windows SBS Console, Active Directory Users and Computers provides a more comprehensive view.

Windows Server 2008 R2 installs the console on all domain controllers automatically; to run it on a computer that is not a domain controller, you can install the console using the Remote Server Administration Tools.

The Active Directory Users And Computers Console displays a hierarchical view of the AD DS domain to which you are currently attached, as shown in Figure 1. You can browse through the organizational units (OUs) in the domain to find and manage existing objects or create new ones. Double-clicking an object opens its Properties sheet, which, depending on the object type, can be simple or quite complex, and which provides access to the object’s attributes.

Figure 1. The Active Directory Users And Computers Console.

To display all the objects and attributes in an AD DS domain, you must select View > Advanced Features in the console to display the interface shown in Figure 2.

Figure 2. The Advanced Features display of the Active Directory User And Computers Console.

Group Policy is one of the most powerful and useful administrative tools provided with Windows SBS 2011 and Windows Server 2008 R2. Group Policy is essentially a method for deploying Windows registry settings to large numbers of users or computers on a network. Windows SBS 2011 uses Group Policy settings to configure several critical functions on your network workstations, including folder redirection, Windows Firewall, and the Windows Update client.

The Group Policy Management Console, shown in Figure 3, enables you to control the links between Group Policy objects (GPOs) and AD DS objects. GPOs contain the actual Group Policy settings, and linking them to AD DS domain, site, or OU objects deploys those settings to all the users and computers contained by those objects.

Figure 3. The Group Policy Management Console.

Windows SBS 2011 creates a number of GPOs for its own use, including the Default Domain Policy and Default Domain Controllers Policy objects. Although you can modify the settings in these GPOs for your own use, the best practice is to create your own GPOs and link them to your domain or OU objects as needed. You can link multiple GPOs to a single AD DS object, and the users and computers receiving the settings apply them in the order you specify.

For example, by default Windows SBS 2011 links six different GPOs to your AD DS domain, which are numbered 1 to 6 in the Group Policy Management Console, as shown in Figure 4. Each user and computer in the domain applies the settings in the number 6 GPO, Update Services Common Settings Policy, followed by the settings in GPO number 5, number 4, and so forth. If two GPOs contain different values for the same settings, the settings applied later overwrite the existing ones. This way, the settings in the number 1 GPO, which the users and computers apply last, always take precedence over those with higher numbers.

Figure 4. The GPOs linked to a Windows SBS 2011 domain.

To modify the settings in a GPO, or to create settings in a new GPO, you use the Group Policy Management Editor Console, as shown in Figure 5. Each GPO has separate settings for computers, which clients apply when the computer starts, and users, which apply when a user logs on to the domain. Each of the hundreds of settings has a dialog box that contains the controls you use to configure its value. In many cases, settings have three possible values: enabled, which explicitly activates the setting; disabled, which explicitly deactivates it; and undefined, which does nothing to modify the setting’s existing value, if any.

Figure 5. The Group Policy Management Editor Console.