4. Manage Users and Groups in Active Directory
To manage users and groups, you can use a number of tools built in to Windows Server 2008 R2. Three tools allow you to work with Active Directory users and groups:
- Server Manager
- Active Directory Users And Computers
- Active Directory Administrator Center, a new tool in Windows Server 2008 R2
Using Server Manager or Active Directory Users And Computers will take you to the same set of tools. Server Manager, introduced in Windows Server 2008, is a consolidated console that hosts several management tools, including Active Directory Users And Computers. The Active Directory Users And Computers tool found in Administrative Tools is a dedicated tool just for managing users and groups.
You can find both tools in the Administrative Tools group on the Start menu, as shown in Figure 1.
When you want to work with AD users and groups, load either tool. If you open AD Users and Computers, you are taken directly to your AD objects. If you load Server Manager instead, you have to navigate to the AD users and groups:
1. Click the + next to Roles.
2. Click the + next to Active Directory Domain Services.
3. Click the + next to Active Directory Users And Computers.
4. Click the + next to your domain name.
5. Click Users to begin managing your AD users and groups, and your screen should look like Figure 2.
Once you have opened your chosen administrative console, it is a matter of creating the groups and other objects you need.
4.1. Create Organizational Units
Once you have loaded the console, you can start creating AD objects. OUs are one of the first objects you may create. To create an OU, follow these steps:
1. Right-click the level of domain where you want to create the OU.
2. Select Organizational Unit.
3. Type a name for your OU. You will also notice a default check mark for Protect Container From Accidental Deletion. This will prevent administrators from accidentally deleting the object.
4.2. Create Users
Creating users is similar to creating local users in a nondomain environment. To create a user, follow these steps:
1. Right-click the container of the domain where you want to create the user.
2. Select User, and you will see a screen similar to Figure 3.
3. Fill out the form, assign a logon name to the new user, and click Next.
4. Set the default password information for the user, and click Next.
5. Review the summary, and click Finish to create the user.
Just like users on a local machine, after you create the user, you can right-click the user and view all of its properties. You will notice there are several more properties for AD users. After you create the user, you can later move the user by simply dragging and dropping the user into the appropriate OU.
4.3. Create Groups
To create groups, follow these steps:
1. Right-click the container of the domain where you want to create the group.
2. Select Group, and you will see a screen similar to Figure 4.
3. Fill out the form, and make the appropriate selections for the group type and scope.
4. Click OK to finish creating the group.
When you first view the default containers and properties of objects inside AD, you are not seeing the whole picture. There are several other AD objects, and the properties of the various AD objects have an additional Security tab. To see these additional objects and tabs, you need to view the advanced features: when you're managing your AD users and groups, go to the View menu and select Advanced Features. If you do not want to see the advanced features anymore, simply go back to the View menu and deselect the Advanced Features option.
After you create the group,
you can add members to the group by right-clicking the group, selecting
Properties, and clicking the Members tab. You can then simply click Add,
and the Find Users dialog box will function similarly to the one for
local users. Also while in the Properties window, you can change the
group's existing group type and scope.
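The OU, user and group steps from sections 4.1 to 4.3 can also be scripted. The PowerShell below is an added example, not part of the original text; it assumes the ActiveDirectory module included with Windows Server 2008 R2 is available, and the domain example.test, the OU Staff, the user jdoe and the group Staff-Readers are placeholder names. It finishes by listing any OUs that lack the accidental-deletion protection described in 4.1.

```powershell
# Added example: scripted equivalent of sections 4.1-4.3.
# Assumptions: the ActiveDirectory module is installed; the domain DN and
# every object name below are placeholders, not values from the text.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=test'   # placeholder domain
$ouName   = 'Staff'                # placeholder OU
$ouDn     = "OU=$ouName,$domainDn"

# 4.1: create the OU with "Protect Container From Accidental Deletion" set,
# skipping creation if an OU of that name already exists at this level.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}

# 4.2: create the user directly in the OU. The initial password is read
# interactively so it never appears in the script or in command history,
# and the user must replace it at first logon.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@example.test' `
    -Path $ouDn -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# 4.3: create the group with an explicit type (category) and scope,
# then add the new user as a member.
New-ADGroup -Name 'Staff-Readers' -SamAccountName 'Staff-Readers' `
    -GroupCategory Security -GroupScope Global -Path $ouDn
Add-ADGroupMember -Identity 'Staff-Readers' -Members 'jdoe'

# Check: list OUs that are NOT protected from accidental deletion.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Check: confirm the group membership that was just added.
Get-ADGroupMember -Identity 'Staff-Readers' |
    Select-Object Name, SamAccountName
```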
4.4. Active Directory Administrator Center
One of the new tools in
Windows Server 2008 R2 to make your life easier when working with
objects inside AD is the Active Directory Administrator Center (ADAC).
This tool makes it easy to search and reset passwords and perform other
administrative tasks. You can also create users and groups with this
tool. To load the tool, select Start => Administrative Tools => Active Directory Administrator Center, as shown in Figure 5.
The tool is intuitive; it's task based, and it can be quite easy to use. The ADAC consists of customizable panels that represent the most common tasks you can perform. You can add and remove panels and customize the overview page so that you can quickly get to the tasks you perform most often.
A good use for the ADAC is searching your AD for various objects. Similar to saved queries in AD Users And Computers, it is a quick way to find objects you're interested in. In the overview pane on the right side, you'll see Global Search. Type in your search parameter, and click the magnifying glass icon. Your results will look similar to Figure 6.
Fundamentally, creating new users and groups follows the same guidance mentioned in the previous sections. However, the ADAC provides a much more detailed interface that lets you create users and groups more easily. To create a user, you navigate to the container or OU as you may have done in the past, right-click the container, and select New User. You will see that the new user screen is a form that allows you to populate all the needed properties for a user and much more. The interface highlights required fields with a red asterisk (*). Figure 7 shows the new user screen.
Creating groups follows the same form-based interface as the users. Figure 8 shows the new group interface.
The viewing of properties
also takes on the new enhanced interface of the tool. When you view the
properties of a user in ADAC, you will see a screen similar to Figure 9.
It is up to you whether you use the standard tools or the new ADAC. Both will take you to the same management place. With Windows Server 2008 R2, you should get to know the ADAC, because it may provide you with a more intuitive interface for working with AD.