
Module 2

Creating Active Directory Domain Services User and Computer Objects
Module Overview
Managing User Accounts
Creating Computer Accounts
Automating AD DS Object Management
Using Queries to Locate Objects in AD DS
Lesson 1: Managing User Accounts
What Is a User Account?
Names Associated with Domain User Accounts
User Account Password Options
Standard User Management
Tools for Configuring User Accounts
What Is a User Account Template?
What Is a User Account?
A user account is an object that enables authentication and access to local and network resources
Creating a user account also creates a Security ID (SID)
A user account can be stored:
In AD DS (AD DS account)
AD DS accounts enable log on to domains and provide access to shared network resources
On the local computer (local account)
Local accounts enable log on to a single computer and local resources
Names Associated with Domain User Accounts
Naming options for domain user accounts:
Object Names | Example | Uniqueness requirement
User logon name | Gregory | Must be unique within domain
User logon name (pre-Microsoft Windows 2000) | Woodgrove\Gregory | Must be unique within domain
User principal name (UPN) | Gregory@WoodgroveBank.com | Must be unique within forest
LDAP distinguished name | CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com | Will be globally unique, combining RDN, container name, and domain names
Relative distinguished name (RDN) | CN=Gregory | Must be unique in OU
User Account Password Options
User object passwords are a significant aspect of network
security and can have options configured for:
Password history
Length
Complexity
By default, Windows Server 2008 domain passwords must
meet three out of the following four complexity
requirements:
Uppercase
Lowercase
Special characters
Numbers
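Added example, not part of the course material: a PowerShell check of the three-of-four rule above. Test-PasswordCategories and its parameters are hypothetical names, and treating every non-alphanumeric character as a special character is an assumption.

```powershell
# Added example: hypothetical helper, not part of the course material.
function Test-PasswordCategories {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [int]$Required = 3
    )
    # -cmatch is case-sensitive; -match would treat [A-Z] and [a-z] alike.
    $checks = [ordered]@{
        Uppercase = $Password -cmatch '[A-Z]'
        Lowercase = $Password -cmatch '[a-z]'
        Numbers   = $Password -cmatch '[0-9]'
        # Assumption: anything that is not a letter or digit is "special".
        Special   = $Password -cmatch '[^A-Za-z0-9]'
    }
    # Names of the categories this password satisfies.
    $met = @($checks.Keys | Where-Object { $checks[$_] })
    [pscustomobject]@{
        Length     = $Password.Length
        Categories = $met -join ', '
        Count      = $met.Count
        Compliant  = ($met.Count -ge $Required)
    }
}

# Constructed sample passwords; 'Pa$$w0rd' is the lab password from this module.
# Single quotes stop PowerShell from expanding $$ and $w0rd as variables.
'password', 'password1', 'Password1', 'Pa$$w0rd' |
    ForEach-Object { Test-PasswordCategories -Password $_ } |
    Format-Table -AutoSize
```

Password1 satisfies the rule with three categories, which is why length and history are configured alongside complexity.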
Standard User Management
Standard user management activities include:
Updating group membership: provides user group membership and access rights
Resetting user passwords: resets security authentication used to access domain computers
Setting user expiration: sets an expiration date on how long the user can access the domain
Setting logon hours: sets the hours in which users can log on to the domain
Assigning profiles and setting home folders: assigns user profiles and home folders to regulate access to resources

Tools for Configuring User Accounts
You use different tools for creating and managing local and domain user accounts:
Account | Tools
Local user account | Windows XP and Windows Vista: User Accounts
Domain account | Windows Server 2003/2008: Active Directory Users and Computers; Command-line utilities: dsadd, Windows PowerShell, CSVDE, LDIFDE
Demonstration: Configuring User Accounts
In this demonstration, you will see how to:
Create a new user account using Active Directory Users
and Computers
Rename user accounts
View complexity requirements
What Is a User Account Template?
A user account template is an account with common properties already configured
User account templates take advantage of similarity between user accounts
To use user templates:
Create several typical users reflecting various groups within your organization
Copy the user account most like the new account you want to create
Modify the attributes: names, e-mail address, logon name, etc.
Demonstration: Creating and Using a User Account Template
In this demonstration, you will see how to:
Create and use a User Account Template
Lesson 2: Creating Computer Accounts
What Is a Computer Account?
Options for Creating Computer Accounts
Managing Computer Accounts
What Is a Computer Account?
A computer account is an object in AD DS that identifies a computer in a domain
Computer accounts:
Are required for authentication and auditing
Enable managing computers by using group policies
Are required for all computers running Windows NT or later
Options for Creating Computer Accounts
Scenario: Adding individual computers to a domain
Process:
Add the computer to the domain through computer system properties
Account will be created by default in Computers container
Scenario: Creating multiple computer accounts in preparation for automating an operating system and software deployment
Process:
1. Create an OU for each department
2. Pre-stage new computer accounts
3. Add the computer to the domain
Managing Computer Accounts
Computer management activities include:
Adding computer accounts: provides computer name and specifies management option
Disabling computer accounts: maintains account, but prevents log on from the account
Resetting the computer account: resets the security association between the domain and the client computer (re-join necessary)
Deleting computer accounts: removes computer from all domain services
Configuring group policies: manages software or computer desktop environments

Demonstration: Configuring Computer Accounts
In this demonstration, you will see how to:
Pre-stage a computer account
Configure computer account settings
Disable and reset a computer account
Lesson 3: Automating AD DS Object Management
Tools for Automating AD DS Object Management
Configuring AD DS Objects Using Command-Line Tools
Managing User Objects with LDIFDE
Managing User Objects with CSVDE
What Is Windows PowerShell?
Windows PowerShell Cmdlets
Tools for Automating AD DS Object Management
Active Directory Users and Computers
Directory Service Tools: Dsadd, Dsmod, Dsrm
Csvde and Ldifde Tools
Windows PowerShell
Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
Dsadd - Add objects to AD DS
Dsmod - Modify objects in AD DS
Dsrm - Remove objects from AD DS
Dsget - Locate objects in AD DS
Net user - Add or modify user accounts
Net group - Add or modify group access
Net computer - Add or remove computer objects from AD DS
Managing User Objects with CSVDE
[Diagram: filename.csv, CSVDE.exe, Active Directory, with import and export arrows; HR Application]
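Added example, not part of the course material: one way to script the step from an HR export to a CSVDE import file, building the names from the naming table in Lesson 1 (relative distinguished name, distinguished name, pre-Windows 2000 logon name, UPN). The function names, HR field names and sample people are constructed for illustration; the columns are standard AD DS user attributes.

```powershell
# Added example; function names and the HR records are hypothetical/constructed.
function ConvertTo-RdnValue([string]$Value) {
    # Escape DN special characters so a comma in a name cannot split the DN.
    $Value -replace '([,+"\\<>;=])', '\$1'
}

function New-CsvdeImportLines {
    param($Records, [string]$DomainDns = 'WoodgroveBank.com')

    $domainDn = ($DomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $rows = @(foreach ($r in $Records) {
        $display = "$($r.First) $($r.Last)"
        # Pre-Windows 2000 logon name: letters and digits, at most 20 characters.
        $sam = ($r.First.Substring(0, 1) + $r.Last).ToLower() -replace '[^a-z0-9]', ''
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
        $rdn = 'CN=' + (ConvertTo-RdnValue $display)
        $ou  = 'OU=' + (ConvertTo-RdnValue $r.Department)
        [pscustomobject]@{
            DN                 = "$rdn,$ou,$domainDn"
            objectClass        = 'user'
            sAMAccountName     = $sam
            userPrincipalName  = '{0}@{1}' -f $sam, $DomainDns
            displayName        = $display
            # CSVDE cannot set passwords, so import the accounts disabled:
            # 514 = normal account (512) + account disabled (2).
            userAccountControl = 514
        }
    })
    # Logon names must be unique within the domain and DNs globally; this
    # only checks the file itself, not what already exists in AD DS.
    foreach ($key in 'sAMAccountName', 'DN') {
        $dupes = @($rows | Group-Object $key | Where-Object { $_.Count -gt 1 })
        if ($dupes.Count) { throw "Duplicate $key values: $($dupes.Name -join '; ')" }
    }
    $cols = $rows[0].PSObject.Properties.Name
    $cols -join ','
    foreach ($row in $rows) {
        # Quote every field: DNs always contain commas.
        ($cols | ForEach-Object { '"' + ("$($row.$_)" -replace '"', '""') + '"' }) -join ','
    }
}

$hr = @(
    [pscustomobject]@{ First = 'Gregory'; Last = 'Weber, Jr.'; Department = 'IT' }
    [pscustomobject]@{ First = 'Anna';    Last = 'Lidman';     Department = 'IT' }
)
New-CsvdeImportLines -Records $hr | Set-Content -Path .\filename.csv
# Import with: csvde -i -f filename.csv
```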







Managing User Objects with LDIFDE
[Diagram: filename.ldf, LDIFDE.exe, Active Directory, with import and export arrows]
What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components
Windows PowerShell features include:
Powerful single line cmdlets
Aliases
Variables
Pipelining
Scripting support
Access to all cmd.exe commands
Results from one cmdlet can be pipelined to another
Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same syntax
Verb    Noun     Parameters  Example
Get     Date                 Get-Date
Start   Service  W3SVC       Start-Service W3SVC
Get-Service W3svc | format-list
Get-Service | sort-object name
Get-Service | where-object {$_.status -eq "running"} | sort-object name
Demonstration: Configuring Active Directory
Objects Using Windows PowerShell
In this demonstration, you will see how to:
Configure Active Directory Objects using Windows
PowerShell
Lesson 4: Using Queries to Locate Objects in AD DS
Options for Locating Objects in AD DS
What Is a Saved Query?
Options for Locating Objects in AD DS
Sorting: use column headings in Active Directory Users and Computers to find the objects based on the columns
Searching: provide the criteria for which you want to search
Command-line: dsquery parameter
Demonstration: Searching AD DS
In this demonstration, you will see how to:
Search AD DS for user accounts
What Is a Saved Query?
A saved query is a way to save search criteria
Saved queries provide:
A quick and consistent way to access a common set of directory objects to monitor or to perform specific tasks
Options for searching attributes (e.g. last logon date)
Demonstration: Using a Saved Query
In this demonstration, you will see how to:
Create a saved query
Lab: Creating AD DS User and Computer Accounts
Exercise 1: Creating and Configuring User Accounts
Exercise 2: Creating and Configuring Computer Accounts
Exercise 3: Automating the Management of AD DS Objects

Logon information
Virtual computers: 6419A-NYC-DC1, 6419A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes
Lab Scenario
Woodgrove Bank is an enterprise that has offices located in
several cities throughout the world. Woodgrove Bank has
deployed AD DS for Windows Server 2008. As one of the
network administrators, one of your primary tasks will be to
create and manage user and computer accounts.
Lab Review
In order for the searches like the ones used in this lab to
return accurate results, what do you have to do when
creating the user accounts?
Your organization has a group of desktop support
technicians who need to be able to add all computers to
the AD DS domain. How can you ensure that these
technicians can add more than 10 computers to the
domain without granting them more permissions than
required?
Module Review and Takeaways
Review Questions
Considerations for Managing AD DS User and Computer
Accounts
