Maintain Active Directory Accounts

The most important task that network administrators need to perform is the management of Active Directory users, computers, and groups. A properly configured system ensures that only properly authenticated users and computers can logon to the network and access the resource. Windows Server 2008 provides many tools such as Server Manager and Active Directory Users and Computers to manage AD accounts.

The Active Directory Users and Computers snap-in allows you to create, modify, and delete AD objects which are nested inside Organizational Units. The Active Directory should be designed considering the security in mind. You may have separate OUs for each department that has different policies or different department with same kind of policies can be a part of just one OU.

AD objects in Server 2008 have meaningful names and include a Description column that tells you what each default object does. Each object is made up of a group of properties, which describe the object and what it can do. The properties windows of the object can be viewed by right-clicking the object and selecting Properties from the menu that appears. The most important objects of AD are Computers, Users and Groups.

The Computer object allows you to find out the computers on the network and the rights that each computer has on the network. It contains domain controllers, member servers, and workstations. However, the domain controllers are found in the Domain Controllers container. Member servers and workstations appear in the Computers container. Properties window of a computer object allows you to manage the computer object. The User object describes about the users of your organization. The properties window of each user allows you to configure the properties of the user.

There are different types of group objects in the Active Directory. For example, the security distribution group, which allows you to manage access rights for multiple users all at once. The other kind of group is the distribution group that is used solely for email distribution. Most of the maintenance tasks are performed with Active Directory Users and Computers. Some of the common tasks that you can perform with Active Directory Users and Computers include:

• Create a new user: To create a new user, you need to right-click the OU or the container, where you want to add the new user and then click New-> User to start the New Object – User wizard that guides you through the process of creating the new user. Follow the prompts in the screen and provide the information asked.
• Create a new group: To create a new user, you need to right-click the OU or the container, where you want to add the new group and then click New-> Group to start the New Object – Group wizard that guides you through the process of creating the new group. Follow the prompts in the screen and provide the information asked. For most common needs, the Global Security group is created.
• Create an OU: To create a new OU, you need to right-click the OU or the container, where you want to add the new OU and then click New-> Organization Unit to start the New Object – Organization Unit wizard that guides you through the process of creating the new group. Follow the prompts in the screen and provide the information asked.
• Add user to a group: To add user to a group, you need to right-click the user object and then select Add to a group. In the Select Groups window, type the name of the group in the Enter the Object Name to select field and click Check Names, as shown in Figure 5-7. Alternatively, if you don’t know the group name, then click Advanced and then click Find Now to display all groups. From the list of groups, select the group you want the user to belong to and click OK. Click OK again to close the Select Group window and finish.
  

  

• Change a password: To change the password, you need to right-click the user object and then select Reset Password. In the Reset Password window, type the new password in the appropriate fields and then select Users Must Change Password check box to force a user to change a password immediately. Click OK.
• Unlock a user account: To unlock a user, you need to right-click the user object and then select Properties. In the Account tab of the Properties window, deselect the option Account is locked out.
• Disable/Enable a user account: To disable a user account, you need to rightclick the user object and then select Disable Account. You can re-enable the account by right-clicking the user object and selecting Enable Account.
• Move a user: To move a user from one container to another, you need to drag and drop the user to the target container.
• Restrict logon times: To restrict the logon hours of a user, you need to right-click the user object and then select Properties. In the Properties windows click the Account tab and then click Logon hours. In the Logon Hours window, select Logon Denied and click the time blocks when you don’t want the user to log on.
• Delete a group: To delete a group, right-click the group object and then select Delete from the menu that appears.
• Delegate authority: To delegate the authority, you need to right-click the container object where you want to delegate tasks. Select Delegate Control. Follow the The Delegation of Control Wizard prompts on screen to add users or groups that you want to give control to and what powers you want to grant to those users or groups.
• Allow users to use VPN: To allow users to use VPN, you need to right-click the user object and then select Properties. In the Properties windows click the Dialin tab. Select Allow Access. Alternatively, if you have implemented Windows Server 2008’s Network Access Protection, then click Control access through NPS Network Policy. Click OK to close.
• Edit object attribute: To edit the attributes of an object right-click the object and then select Properties. In the Properties window click the Attribute Editor tab. Select the attribute that you want to modify. Click the Edit button. Make your change and click OK.

When you automate the creation of AD accounts, you need to create a user account template and then each time you need to create a user, you can copy the template and add the user details. The new account will be created will all the template details.

To create a user account template:

1. Create two OUs Staff and Group and create a Marketing group in the Group OU (for this example).
2. Click Start->Settings->Control Panel->Administrative tools->Active Directory Users and Computers.
3. Expand the domain tree and right-click the Staff OU.
4. Select New->User from the menu that appears, as shown in Figure 5-1.
   

   

   The New Object –User dialog box appears, as shown in Figure 5-2.

5. Type the template name prefixed with underscore (“_”) in the First name and then type Template in the Last name field . The underscore ensures that the template appears at the top of the list of users.
6. Provide the user logon name prefixed with underscore and click Next.
   

   

   The second page of the New Object –User wizard appears.

7. Type a password in the Password field and then confirm the password by retyping the password in Confirm password field.
8. Select Account is disabled option and then click Next and on the next page click Finish.

   The template is now ready and you can see the template appearing in the Staff OU. You can now set the other properties in the template that you want to be set in all the users that are created using this template.

9. Double-click the template to open the properties window of the template as shown in Figure.
10. Click Organization tab and then set the Department and the Company fields with desired values. For this example set Marketing in the Department field and Inscription in the Company field, as shown in Figure 5-3.
    

    

11. Click Member Of tab and then add the Marketing group to the list by clicking the Add button, as shown in Figure 5-4.
    

    

12. Click the Profile tab and then type the \\
    \profiles\%username% in the Profile path field, where
    is the name of your server, as shown in Figure 5-5:

    

13. Click OK to save the properties set.

You can now right-click the template and select Copy from the menu that appears to open the Copy Object –User dialog box, as shown in Figure 5-6. The dialog box allows you to create a new user with the same properties that you have set in the template. You just need to follow the initial steps that you follow in the New Object –User wizard to create a user.

Besides creating the multiple users using a template, you can also automate the task of creating users by using command line tools such as the Dsadd command and import the users from a text file using CSVDE and LDIFE commands.

To add user called Jim using Dsadd, you need to type the following command at the command prompt:

dsadd user cn=Jim,cn=users,dc=MyDomain,dc=com -disabled no

CSVDE and LDIFDE commands can be used for the bulk export and import of Active Directory objects. CSVDE allows exporting of virtually any object or attribute from the AD database whereas LDIFDE.exe exports the data into LDIF-based (LDAP Data Interchange Format) files. Another difference is that LDIFDE is primarily used to modify or delete Active Directory Objects.

Type the following command to the command prompt to import directory objects:

csvde -i -f filename -s servername:port -m -a username domain password

Type the following command to the command prompt to export directory objects:

csvde -e -f filename -s servername:port -m a username domain password

You can also use CSVDE to import users from a text file. Consider you have a text file called newusers that has values:

DN,objectClass,sAMAccountName,sn.givenName,userPrincipalName “cn=Michel.Crisp,ou=People,dc=inscription,dc=com”,user,michel.crisp,Michel,Crisp,mi chel.crisp@inscription.com “cn=Ben.Jhonson,ou=People,dc=inscription,dc=com”,user,ben.jhonson,Ben,Jhonson,ben. jhonson@inscription.com

You can now type the following command to import user records from the newuser.txt

Csvde –I –f newusers.txt –k

The LDIFDE.EXE does not want a typical delimited file. To create a .ldf file from which you can import user records, you need to save the text file with .ldf extension. The values in the .ldf files can be written as:

DN cn=ben jhonson, OU=people, dc=inscription,dc=com changeType: add CN: Ben Jhonson objectClass: user sAMAccountName: ben.jhonson userPrincipalName: ben.jhonson&inscription.com givenName: Ben sn: Jhonson displayName:Jhonson, Ben mail: ben.jhonson@inscription.com description: Sales representatives title: Sales representatives department: sales company: inscription, ltd

You can now type the following command to import user records from the newuser.ldf

Ldifde –I –f newusers.ldf -k