Module 2: Creating Active Directory® Domain Services User and Computer Objects

Module Overview
• Managing User Accounts
• Creating Computer Accounts
• Automating AD DS Object Management
• Using Queries to Locate Objects in AD DS

Lesson 1: Managing User Accounts
• What Is a User Account?
• Names Associated with Domain User Accounts
• User Account Password Options
• Standard User Management
• Tools for Configuring User Accounts
• What Is a User Account Template?

What Is a User Account?
A user account is an object that enables authentication and access to local and network resources.
A user account can be stored:
• In AD DS (AD DS account)
• On the local computer (local account)
AD DS accounts enable logon to domains and provide access to shared network resources.
Local accounts enable logon to a single computer and local resources.
Creating a user account also creates a Security ID (SID).

Names Associated with Domain User Accounts
Naming options for domain user accounts:

| Object Names | Example | Uniqueness requirement |
|---|---|---|
| User logon name | Gregory | Must be unique within domain |
| User logon name (pre-Microsoft® Windows® 2000) | Woodgrove\Gregory | Must be unique within domain |
| User principal name (UPN) | m | Must be unique within forest |
| LDAP distinguished name | CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com | Will be globally unique, combining RDN, container name, and domain names |
| Relative distinguished name (RDN) | CN=Gregory | Must be unique in OU |

User Account Password Options
User object passwords are a significant aspect of network security and can have options configured for:
• Password history
• Length
• Complexity
By default, Windows Server® 2008 domain passwords must meet three out of the following four complexity requirements:
• Uppercase
• Lowercase
• Special characters
• Numbers
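
The three-of-four rule as a check, added here as an example that is not part of the original slides. The function name Test-PasswordCategories and the sample passwords are constructed for illustration.

```powershell
# Added example, not from the original slides. It models only the slide's
# "three out of four" character-category rule; length and history are
# separate policy settings and are not checked here.
function Test-PasswordCategories {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Required = 3
    )
    # -cmatch is case-sensitive; plain -match would let [A-Z] match lowercase.
    $present = @()
    if ($Password -cmatch '[A-Z]')        { $present += 'Uppercase' }
    if ($Password -cmatch '[a-z]')        { $present += 'Lowercase' }
    if ($Password -cmatch '[0-9]')        { $present += 'Numbers' }
    if ($Password -cmatch '[^A-Za-z0-9]') { $present += 'Special characters' }

    [pscustomobject]@{
        Password   = $Password
        Categories = $present -join ', '
        Count      = $present.Count
        Compliant  = $present.Count -ge $Required
    }
}

# Constructed sample passwords.
'Password1', 'password', 'P@ss', 'correct horse battery staple' |
    ForEach-Object { Test-PasswordCategories -Password $_ } |
    Format-Table -AutoSize
```

Password1 and P@ss satisfy the category count while the long passphrase does not, which is why complexity is configured together with the length and history options listed above.
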
Standard User Management
Standard user management activities include:
• Updating group membership: provides user group membership and access rights
• Resetting user passwords: resets the security authentication used to access domain computers
• Setting user expiration: sets an expiration date on how long the user can access the domain
• Setting logon hours: sets the hours in which users can log on to the domain
• Assigning profiles and setting home folders: assigns user profiles and home folders to regulate access to resources

Tools for Configuring User Accounts
You use different tools for creating and managing local and domain user accounts:

| Account | Tools |
|---|---|
| Local computer account | Windows XP and Windows Vista®: User Accounts |
| Domain account | Windows Server 2003/2008: Active Directory Users and Computers. Command-line utilities: dsadd, Windows PowerShell™, CSVDE, LDIFDE |

Demonstration: Configuring User Accounts
In this demonstration, you will see how to:
• Create a new user account using Active Directory Users and Computers
• Rename user accounts
• View complexity requirements

What Is a User Account Template?
A user account template is an account with common properties already configured.
User account templates take advantage of similarity between user accounts.
To use user templates:
• Create several typical users reflecting various groups within your organization
• Copy the user account most like the new account you want to create
• Modify the attributes: names, e-mail address, logon name, etc.

Demonstration: Creating and Using a User Account Template
In this demonstration, you will see how to:
• Create and use a User Account Template

Lesson 2: Creating Computer Accounts
• What Is a Computer Account?
• Options for Creating Computer Accounts
• Managing Computer Accounts

What Is a Computer Account?
A computer account is an object in AD DS that identifies a computer in a domain.
Computer accounts:
• Are required for authentication and auditing
• Enable managing computers by using group policies
• Are required for all computers running Windows NT or later

Options for Creating Computer Accounts

Scenario: Adding individual computers to a domain
Process:
• Add the computer to the domain through computer system properties
• Account will be created by default in Computers container

Scenario: Creating multiple computer accounts in preparation for automating an operating system and software deployment
Process:
1. Create an OU for each department
2. Pre-stage new computer accounts
3. Add the computer to the domain
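
The three pre-staging steps scripted with dsadd, added here as an example that is not part of the original slides. The function name New-PrestagedComputer and the department and computer names are constructed; the domain DN is the one from the naming table.

```powershell
# Added example, not from the original slides. Department and computer names
# are constructed; the domain DN is the one shown on the naming slide.
function New-PrestagedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Plan,   # department -> computer names
        [string]$DomainDn = 'DC=WoodgroveBank,DC=com'
    )
    foreach ($dept in $Plan.Keys) {
        $ouDn = "OU=$dept,$DomainDn"
        # Step 1: one OU per department (dsadd reports an error if it already exists).
        if ($PSCmdlet.ShouldProcess($ouDn, 'dsadd ou')) {
            dsadd ou $ouDn -desc "$dept computers"
        }
        foreach ($name in $Plan[$dept]) {
            if ($name.Length -gt 15) {            # NetBIOS computer-name limit
                Write-Warning "Skipping '$name': longer than 15 characters"
                continue
            }
            # Step 2: pre-stage the account inside the department OU.
            $dn = "CN=$name,$ouDn"
            if ($PSCmdlet.ShouldProcess($dn, 'dsadd computer')) {
                dsadd computer $dn -desc "Pre-staged for $dept deployment"
            }
        }
    }
}

# Dry run: -WhatIf lists the objects without contacting a domain controller.
$plan = @{ IT = 'IT-PC01', 'IT-PC02'; Sales = 'SALES-PC01', 'SALES-LAPTOP-FRONTDESK' }
New-PrestagedComputer -Plan $plan -WhatIf
# Step 3 happens on each client: join it to the domain under the same name
# and it takes over the pre-staged account in its department OU.
```

Because the account already exists in the department OU, the computer does not land in the default Computers container when it joins.
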
Managing Computer Accounts
Computer management activities include:
• Adding computer accounts: provides computer name and specifies management option
• Disabling computer accounts: maintains account, but prevents log on from the account
• Resetting the computer account: resets the security association between the domain and the client computer (re-join necessary)
• Deleting computer accounts: removes computer from all domain services
• Configuring group policies: manages software or computer desktop environments

Demonstration: Configuring Computer Accounts
In this demonstration, you will see how to:
• Pre-stage a computer account
• Configure computer account settings
• Disable and reset a computer account

Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management
• Configuring AD DS Objects Using Command-Line Tools
• Managing User Objects with LDIFDE
• Managing User Objects with CSVDE
• What Is Windows PowerShell?
• Windows PowerShell Cmdlets

Tools for Automating AD DS Object Management
• Active Directory Users and Computers
• Directory Service Tools: Dsadd, Dsmod, Dsrm
• Csvde and Ldifde Tools
• Windows PowerShell

Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
• Dsadd - Add objects to AD DS
• Dsmod - Modify objects in AD DS
• Dsrm - Remove objects from AD DS
• Dsget - Locate objects in AD DS
• Net user - Add or modify user accounts
• Net group - Add or modify group access
• Net computer - Add or remove computer objects from AD DS

Managing User Objects with LDIFDE
[Diagram: LDIFDE.exe imports from and exports to Active Directory using filename.ldf]

Managing User Objects with CSVDE
[Diagram: CSVDE.exe imports from and exports to Active Directory using filename.csv; an HR Application is also shown]
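
Turning an HR export into a CSVDE import file while applying the uniqueness rule from the naming table, added here as an example that is not part of the original slides. The HR rows, the surnames, the first-initial-plus-surname logon convention and the file name newusers.csv are constructed; the OU and domain come from the DN shown in the naming table.

```powershell
# Added example, not from the original slides. HR rows and the logon-name
# convention are constructed sample values.
$hrExport = @'
GivenName,Surname,Department
Gregory,Weber,IT
Greta,Weber,IT
Anna,Lidman,IT
'@ | ConvertFrom-Csv

function ConvertTo-CsvdeRow {
    param([Parameter(Mandatory)]$Person, [string]$DomainDn = 'DC=WoodgroveBank,DC=com')
    $dnsDomain = ($DomainDn -split ',' | ForEach-Object { $_ -replace '^DC=' }) -join '.'
    $sam = ($Person.GivenName.Substring(0, 1) + $Person.Surname).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }  # sAMAccountName limit for users
    $display = "$($Person.GivenName) $($Person.Surname)"
    $cn = $display -replace '([,+"\\<>;])', '\$1'              # escape DN special characters
    [pscustomobject]@{
        DN                 = "CN=$cn,OU=$($Person.Department),$DomainDn"
        objectClass        = 'user'
        sAMAccountName     = $sam
        userPrincipalName  = "$sam@$dnsDomain"
        displayName        = $display
        userAccountControl = 514   # created disabled: CSVDE cannot import passwords
    }
}

$rows = @($hrExport | ForEach-Object { ConvertTo-CsvdeRow -Person $_ })

# Logon names must be unique within the domain, so hold back every colliding row.
# This only catches collisions inside the file; existing accounts are not checked.
$collisions = @($rows | Group-Object sAMAccountName | Where-Object { $_.Count -gt 1 })
foreach ($c in $collisions) {
    Write-Warning "Logon name '$($c.Name)' collides: $($c.Group.displayName -join '; ')"
}
$ready = @($rows | Where-Object { $collisions.Name -notcontains $_.sAMAccountName })

# CSVDE's own exports leave the attribute-name header unquoted, so match that.
$csv = @($ready | ConvertTo-Csv -NoTypeInformation)
if ($csv.Count -gt 1) {
    $csv[0] = $csv[0] -replace '"'
    Set-Content -Path .\newusers.csv -Value $csv -Encoding ASCII
}
# Import from an administrative workstation in the domain:
#   csvde -i -f newusers.csv
```

With the sample rows, both Weber entries map to the same logon name and are held back with a warning, so only the remaining account is written to the import file.
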
What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components.
Windows PowerShell features include:
• Powerful single-line cmdlets
• Aliases
• Variables
• Pipelining
• Scripting support
• Access to all cmd.exe commands
Results from one cmdlet can be pipelined to another.

Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same syntax:

| Verb | Noun | Parameters | Example |
|---|---|---|---|
| Get | Date | | Get-Date |
| Start | Service | W3SVC | Start-Service W3SVC |

• Get-Service W3svc | format-list
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name

Demonstration: Configuring Active Directory Objects Using Windows PowerShell
In this demonstration, you will see how to:
• Configure Active Directory Objects using Windows PowerShell

Lesson 4: Using Queries to Locate Objects in AD DS
• Options for Locating Objects in AD DS
• What Is a Saved Query?
