
Step-by-Step Guide to Managing the Active Directory

©2008 Microsoft Corporation. All rights reserved.



Abstract

This guide introduces you to administration of the Windows® 2000 Active Directory™ service. The
procedures in this document demonstrate how to use the Active Directory Users and Computers snap-in to
add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers,
and shared folders.

On This Page

Introduction
Using Active Directory Domains and Trusts Snap-in
Using the Active Directory Users and Computers Snap-in
Publishing a Shared Folder
Finding Specific Objects
Filtering a List of Objects

Introduction

This guide introduces you to administration of the Microsoft® Windows® 2000 Active Directory™ service
and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and
alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders.

Prerequisites

This document is based on the Step-by-Step Guide to the Common Infrastructure for Windows 2000
Server Deployment, http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp.

Before beginning this guide, please build the common infrastructure, which specifies a particular hardware
and software configuration. If you are not using the common infrastructure, you need to make the
appropriate changes to this instruction set.

You can run the Administrative Tools from the server, or you can run the tools from a computer running
Windows 2000 Professional. The Administrative Tools are installed by default on all Windows 2000 domain
controllers.

You must be logged on as a user with administrative privileges to run through the procedures in this
document.

If you are working on a domain controller, the Active Directory Schema snap-in might not be installed. To
install it:

1. Click Start, point to Settings, click Control Panel, and then click Change or Remove Programs.

file:///C|/Documents%20and%20Settings/pci45.BKTPP/Desktop/bb742437(printer).aspx.htm (1 of 16)4/1/2008 12:00:19 PM

2. When prompted, reinstall all the Administrative Tools.

On Windows 2000-based stand-alone servers or workstations, Active Directory Administrative Tools are
optional. You can install them from Add/Remove Programs in Control Panel, using the Windows
Components wizard, or from the ADMINPAK on the Windows 2000 Server or Professional CD.

In this Step-by-Step Guide:

Common Administrative Tasks
· Creating Organizational Units
· Creating Users and Contacts
· Creating Groups and adding members to Groups

Advanced Administrative Tasks
· Publishing shared network resources, such as shared folders and printers
· Moving Users, Groups, and Organizational Units
· Using Filters and Searches to retrieve objects


Using Active Directory Domains and Trusts Snap-in

The Active Directory Domains and Trusts snap-in provides a graphical view of all domain trees in the
forest. Using this tool, an administrator can manage each of the domains in the forest, manage trust
relationships between domains, configure the mode of operation for each domain (native or mixed mode),
and configure the alternative User Principal Name (UPN) suffixes for the forest.

Starting the Active Directory Domains and Trusts Snap-in

1. Click Start , point to Programs, point to Administrative Tools, and then click Active Directory
Domains and Trusts. The Active Directory Domains and Trusts snap-in appears as in Figure 1
below.

[ http://technet.microsoft.com/en-gb/library/Bb742437.managa01_big(en-us,TechNet.10).gif ]

Figure 1: Active Directory Domains and Trusts snap-in

2. The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active
Directory. The style of the UPN (user@suffix) follows Internet standard RFC 822, the format of an
e-mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first
domain in the first tree of the forest. In this and the other step-by-step guides on this site, the
default UPN suffix is reskit.com.

3. You can add alternate UPN suffixes. A single suffix for all users in the forest simplifies logon
names and keeps the internal domain structure out of the names users see. Treat this as a naming
convenience, not a security control: the suffix changes how an account is named, not how it is
authenticated. The UPN suffix is only used within the Windows 2000 forest and is not required to be a
valid DNS domain name, but each UPN must be unique within the forest.

4. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click
Properties.

5. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.

6. Click OK to close the window.
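The procedure above is what the snap-in does when you add a suffix in the Alternate UPN Suffixes box. The following PowerShell script is an added example, not part of the original guide: it registers a suffix with the same ADSI calls the snap-in makes (so it works against a Windows 2000 forest as well as a current one) and then assigns it to a user. The suffix "reskit-corp" and the user's distinguished name are assumptions; run it from a domain-joined computer as a member of Enterprise Admins, because the Partitions container is in the Configuration partition.

```powershell
# Added example, not part of the original guide: register an alternate UPN suffix for the
# forest and assign it to one user with ADSI. Assumptions: forest root reskit.com, the
# suffix "reskit-corp", and the user DN below are illustrative.

$suffix = "reskit-corp"

# Forest-wide UPN suffixes are stored in the multi-valued uPNSuffixes attribute of
# CN=Partitions in the Configuration naming context.
$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.Get("configurationNamingContext")
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

$existing = @($partitions.uPNSuffixes)
if ($existing -contains $suffix) {
    "Suffix '$suffix' is already registered"
} else {
    # ADS_PROPERTY_APPEND (3) adds a value to a multi-valued attribute without
    # clearing the suffixes that are already there.
    $partitions.PutEx(3, "uPNSuffixes", @($suffix))
    $partitions.SetInfo()
    "Registered suffix '$suffix'"
}

# Give one user the new suffix. The suffix must be one the forest knows about, and the
# resulting UPN must be unique in the forest, or logon with the UPN fails.
# (Assumed DN; James Smith is created later in this guide.)
$user = [ADSI]"LDAP://CN=James Smith,OU=Construction,OU=Accounts,DC=reskit,DC=com"
$user.Put("userPrincipalName", "jsmith@$suffix")
$user.SetInfo()

# Verify from the directory rather than the local property cache.
$partitions.psbase.RefreshCache()
"Forest UPN suffixes : " + (@($partitions.uPNSuffixes) -join ", ")
"User UPN            : " + ([ADSI]$user.Path).userPrincipalName
```

The check for an existing value matters: writing uPNSuffixes with Put instead of PutEx(3, ...) replaces the whole list, which would silently break logon for every user whose UPN uses one of the dropped suffixes.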

Changing the Domain Mode

Windows 2000 domains operate in one of two modes:

● Mixed Mode. Allows domain controllers running both Windows 2000 and earlier versions of
Windows NT® Server to co-exist in the domain. In mixed mode, the domain features from previous
versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled.

● Native Mode. Requires all the domain controllers in a domain to run Windows 2000 Server. In
native mode, you can take advantages of new features such as Universal groups, nested group
membership, and inter-domain user move. (A Universal group is a collection of user accounts that
can contain members from any Active Directory domain in the forest, and permissions can be
assigned to a universal group to resources on any member computer in the forest. Universal groups
are available only in native mode.)

When a domain is first installed, it is in mixed mode. The mode of operation can be changed from mixed
mode to native, but this is not reversible. In native mode, Windows NT 4.0 Domain Controllers cannot
participate in the domain.

You can change to native mode after making sure all domain controllers in your domain are running
Windows 2000 Server.

To switch to native mode

1. Right-click the domain object (in our example, reskit.com), and then click Properties.

2. Click Change Mode.

3. You receive a message asking you to confirm the change. Click Yes to switch the domain to native
mode, or No to stop. The change cannot be undone: if you plan to add Windows NT 4.0 domain
controllers to this domain, do not proceed.
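Because the switch is irreversible, the check the dialog does not do for you (are all domain controllers really Windows 2000?) is worth scripting. The following PowerShell is an added example, not part of the original guide. The Change Mode button sets the ntMixedDomain attribute of the domain object to 0; this script reads that attribute, lists every domain controller account in the domain with its reported operating system, and only writes the attribute when every one of them is Windows 2000 and you have explicitly opted in. The domain name is the guide's reskit.com; run it as a Domain Admin.

```powershell
# Added example, not part of the original guide: pre-flight check before switching a
# Windows 2000 domain from mixed to native mode, then the (irreversible) switch itself.
# Assumptions: domain reskit.com; run as Domain Admin. Set $DoIt to $true to change the mode.

$DoIt     = $false
$domainDn = "DC=reskit,DC=com"
$domain   = [ADSI]"LDAP://$domainDn"

# ntMixedDomain: 1 = mixed mode, 0 = native mode.
$mode = [int]$domain.Get("ntMixedDomain")
"Current mode: " + $(if ($mode -eq 1) { "mixed" } else { "native" })
if ($mode -eq 0) { return }

# Every domain controller account, Windows 2000 DC or NT 4.0 BDC, carries the
# SERVER_TRUST_ACCOUNT flag (0x2000 = 8192) in userAccountControl, wherever it sits.
# The :1.2.840.113556.1.4.803: rule is a bitwise AND, supported by Windows 2000 AD.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.AddRange(@("name", "operatingSystem"))

$blockers = @()
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties["name"][0]
    # NT 4.0 BDCs never write operatingSystem, so an empty value is treated as a blocker too.
    $os = ""
    if ($r.Properties["operatingsystem"].Count -gt 0) { $os = [string]$r.Properties["operatingsystem"][0] }
    "{0,-20} {1}" -f $name, $(if ($os) { $os } else { "(no operatingSystem attribute)" })
    if ($os -notlike "Windows 2000*") { $blockers += $name }
}

if ($blockers.Count -gt 0) {
    Write-Warning ("Not switching: these domain controllers are not Windows 2000: " + ($blockers -join ", "))
    return
}

if (-not $DoIt) {
    "All domain controllers run Windows 2000. Set `$DoIt = `$true to switch to native mode (cannot be undone)."
    return
}

$domain.Put("ntMixedDomain", 0)
$domain.SetInfo()
"Domain $domainDn is now in native mode."
```

A stale account for a decommissioned BDC will show up as a blocker; remove it before switching rather than ignoring the warning, since the switch cannot be reversed if the machine turns out to still be in service.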


Using the Active Directory Users and Computers Snap-in

1. To start the Active Directory Users and Computers snap-in, click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users and Computers.


2. Expand Reskit.com by clicking +.

Figure 2 below displays the key components of the Active Directory Users and Computers snap-in.

[ http://technet.microsoft.com/en-gb/library/Bb742437.managa02_big(en-us,TechNet.10).gif ]

Figure 2: The Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The containers described in the following table are created during the installation of Active Directory.

Folder      Description

Domain      The root node of the snap-in represents the domain being administered.

Computers   Default container for Windows NT® and Windows 2000-based computers that join the
            domain. This includes computers running Windows NT versions 3.51 and 4.0, as well as
            those running Windows 2000. If you upgrade from a previous version, Active Directory
            migrates the machine accounts to this container. You can move these objects.

System      Contains Active Directory system and service information.

Users       Default container for the users in the domain. In an upgrade, all users from the previous
            domain are migrated here. Like computers, the user objects can be moved.

You can use Active Directory to create the following objects.

Object               Description

User                 A user object is a security principal in the directory. A user can log on to the
                     network with these credentials, and access permissions can be granted to users.

Contact              A contact object is an account that does not have any security permissions. You
                     cannot log on to the network as a contact. Contacts are typically used to
                     represent external users for the purpose of e-mail.

Computer             An object that represents a computer on the network. For Windows NT-based
                     workstations and servers, this is the machine account. Like a user, a computer
                     is a security principal.

Organizational Unit  Organizational units are containers used to logically organize directory objects
                     such as users, groups, and computers, in much the same way that folders are
                     used to organize files on your hard disk. They are also the level at which
                     administrative control is delegated.

Group                Groups can contain users, computers, and other groups as members. Groups
                     simplify the management of large numbers of objects.

Shared Folder        A shared folder is a network share that has been published in the directory.

Shared printer       A shared printer is a network printer that has been published in the directory.

Adding an Organizational Unit

This procedure creates an organizational unit (OU) in the Reskit domain. You can nest organizational
units; there is no fixed limit to the nesting depth, although deep hierarchies are harder to administer.

These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a Common
Infrastructure for Windows 2000 Server Deployment",
http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp. If you did not create
that structure, add the OUs and users directly under Reskit.com; that is, where Accounts is referred to
below, substitute Reskit.com.

1. Click the + next to Accounts to expand it.

2. Right-click Accounts.

3. Point to New and click Organizational Unit. Type Construction as the name of your new
organizational unit. Click OK.

For the rest of the exercises in this guide, repeat steps 2 and 3 above to create additional organizational
units, as follows:

● Organizational unit Engineering under Reskit.com.


● Organizational unit Manufacturing under Reskit.com.

● Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-click
Manufacturing, point to New, and then click Organizational Unit.)

● Organizational units Corporate and Government under the Manufacturing organizational unit.
Click Manufacturing so that its contents will display in the right pane.

When you are finished, you should have the following hierarchy as in Figure 3 below:

[ http://technet.microsoft.com/en-gb/library/Bb742437.managa11_big(en-us,TechNet.10).gif ]

Figure 3: New OUs

Creating a User Account

The following procedure creates the user account James Smith in the Construction OU.

To create a new user account

1. Right-click the Construction organizational unit, point to New, and then click User, or click New
User on the snap-in toolbar.

2. Type user information as in Figure 4 below:


[ http://technet.microsoft.com/en-gb/library/Bb742437.managa12_big(en-us,TechNet.10).gif ]

Figure 4: New User dialog

Note that the Full name is automatically filled in after you enter the First and Last names. Click Next
to proceed.

3. Type a password in both the Password and Confirm password boxes and click Next.

4. Accept the confirmation in the next dialog box by clicking Finish.

You have now created an account for James Smith in the Construction OU. To add additional
information about this user:

5. Select Construction in the left pane, right-click James Smith in the right pane, and then click
Properties.

6. Add more information about the user on the General tab of the Properties dialog box, as shown in
Figure 5 below, and click OK. The other tabs hold optional entries; click a tab to view it.


[ http://technet.microsoft.com/en-gb/library/Bb742437.managa13_big(en-us,TechNet.10).gif ]

Figure 5: Additional User Information

Moving a User Account

With the snap-in, users can be moved from one organizational unit to another within the same domain.
(Moving a user to a different domain requires native mode and a separate tool, MoveTree from the
Windows 2000 Support Tools.) For example, in this procedure, James Smith moves from the
Construction division to the Engineering division.

1. Right-click the James Smith user account in the right pane, and then click Move.

2. Click the + next to Accounts to expand it as in Figure 6 below.


Figure 6: List of available OUs

3. Click the Engineering OU, and click OK.

If you upgrade from an earlier version of Windows NT Server, you might want to move existing users from
the Users folder to some of the OUs that you create.

Creating a Group

1. Right-click the Engineering OU, click New, and then click Group.

2. In the Name of New Group text box, type: Tools

Select the appropriate Group type and Group scope and then click OK.

❍ The Group type indicates whether the group can be used to assign permissions to network
resources, such as files and printers (a security group), or only for e-mail distribution (a
distribution group). Both security and distribution groups can be used as e-mail distribution lists.

❍ The Group scope determines where the group is visible and what it may contain:

Scope          Visibility   May contain

Domain Local   Domain       Users, Domain Local, Global, or Universal groups

Global         Forest       Users or Global groups

Universal      Forest       Users, Global, or Universal groups

Nesting a group in another group of the same scope (Domain Local in Domain Local, Global in Global)
and Universal groups require native mode; in mixed mode a Domain Local group can contain only users
and Global groups, and a Global group only users.

Adding a User to a Group

1. Click Engineering in the left pane.

2. Right-click the Tools group in the right pane, and click Properties.

3. Click the Members Tab and click Add.

4. Scroll to James Smith, select his name, click Add, then click OK as in Figure 7 below.

[ http://technet.microsoft.com/en-gb/library/Bb742437.managa15_big(en-us,TechNet.10).gif ]

Figure 7: Add James Smith to the Tools Group

Note: You can select multiple users or groups in this dialog by pressing the CTRL key as you click them.
You can also type the name directly. If the name is ambiguous, a further list is displayed to confirm your
selection.

Alternatively, you can select the users from the results pane, right click then click Add members to a
Group. Or you can click Add the selected objects to a group you specify on the snap-in toolbar. This
may be more efficient for adding large numbers of members to a group.
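The three procedures above (create an OU, create a user, create a group and add a member) are the same four ADSI operations whether you drive them from the snap-in or from a script. The following PowerShell is an added example, not part of the original guide: it creates the Construction OU, the user James Smith, and the global security group Tools, and makes James a member, with the account-state details the wizard hides (a new ADSI user starts disabled with "password not required", and must be given a password before it is enabled). The Accounts OU, the logon name jsmith, and the prompt for the initial password are assumptions; run it as a user with rights on the Accounts and Engineering OUs.

```powershell
# Added example, not part of the original guide: the objects this guide creates in the snap-in
# (Construction OU, user James Smith, group Tools, membership), created with ADSI.
# Assumptions: the Accounts OU exists under reskit.com; the logon name jsmith is illustrative.

$accounts = [ADSI]"LDAP://OU=Accounts,DC=reskit,DC=com"

# 1. Organizational unit.
$ou = $accounts.Create("organizationalUnit", "OU=Construction")
$ou.SetInfo()

# 2. User. ADSI creates users disabled with PASSWD_NOTREQD set (userAccountControl 546),
#    so set a password first, then flip the flags to a plain enabled account (512).
$user = $ou.Create("user", "CN=James Smith")
$user.Put("sAMAccountName",    "jsmith")            # pre-Windows 2000 logon name, required on 2000
$user.Put("userPrincipalName", "jsmith@reskit.com")
$user.Put("givenName",   "James")
$user.Put("sn",          "Smith")
$user.Put("displayName", "James Smith")
$user.SetInfo()

# Prompt for the initial password instead of hard-coding it; SetPassword needs the plain text,
# so unwrap the SecureString only for the duration of the call and zero it afterwards.
$secure = Read-Host "Initial password for jsmith" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$user.Put("userAccountControl", 512)   # NORMAL_ACCOUNT, enabled, password required
$user.Put("pwdLastSet", 0)             # force a password change at first logon
$user.SetInfo()

# 3. Global security group Tools in the Engineering OU. groupType is a bit mask:
#    0x80000002 = security-enabled (0x80000000) + global scope (0x2), written as a signed Int32.
$eng = [ADSI]"LDAP://OU=Engineering,DC=reskit,DC=com"
$grp = $eng.Create("group", "CN=Tools")
$grp.Put("sAMAccountName", "Tools")
$grp.Put("groupType", -2147483646)
$grp.SetInfo()

# 4. Membership: IADsGroup.Add takes the member's ADsPath.
$grp.Add($user.Path)

# Verify from a fresh bind.
$check = [ADSI]$grp.Path
"Members of Tools: " + (@($check.member) -join "; ")
```

The order in step 2 is deliberate: enabling the account before a password is set would leave a window in which the account has no password, and setting userAccountControl to 512 with no password fails the domain's password policy anyway.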


Publishing a Shared Folder

Any shared network folder, including a Distributed File System (Dfs) folder, can be published in Active
Directory. Creating a Shared folder object in the directory does not automatically share the folder. This is
a two-step process: you must first share the folder, and then publish it in Active Directory.


1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk
volumes.

2. In Windows Explorer, right-click the folder name, and then click Properties. Click the Sharing tab,
and then click Share this folder.

3. In the Share name box, type ES and click OK. By default, a new Windows 2000 share grants the
Everyone group Full Control; click Permissions and restrict the share to the users or groups who
need it before you publish it.

4. Populate the folder with files, such as documents, spreadsheets, or presentations.

To publish the shared folder in the directory

1. In the Active Directory Users and Computers snap-in, right-click the Engineering OU, point to New,
and click Shared Folder.

2. In the Name box, type Engineering Specs.

3. In the Network path box, type \\hq-res-dc-01.reskit.com\ES and click OK.

The Engineering organizational unit appears as shown in Figure 8 below:

[ http://technet.microsoft.com/en-gb/library/Bb742437.managa16_big(en-us,TechNet.10).gif ]

Figure 8: Engineering OU contents

Users can now see this volume while browsing in the directory.
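The two-step process above (share, then publish) is easy to get half right: a volume object whose uNCName points at a share that does not exist, or at the wrong host, is still found by every user who browses the directory. The following PowerShell is an added example, not part of the original guide: it creates the share, publishes it as a volume object in the Engineering OU, and then checks that the published path really resolves. It also tightens the folder's NTFS permissions before sharing, which this guide leaves to the Permissions button. It assumes it runs as an administrator on hq-res-dc-01 and uses the folder, share name, and Tools group from this guide.

```powershell
# Added example, not part of the original guide: share the Engineering Specs folder, publish it
# as a volume object in the Engineering OU, and verify that the published UNC path resolves.
# Assumptions: run as an administrator on hq-res-dc-01; the RESKIT\Tools group exists.

$folder    = "C:\Engineering Specs"
$shareName = "ES"
$uncPath   = "\\hq-res-dc-01.reskit.com\$shareName"

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# NTFS permissions bound effective access even if the share ACL stays at its default, so set
# them first: stop inheriting from the volume root, then allow Administrators and SYSTEM full
# control and the Tools group Modify. Nothing else can read the folder.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
foreach ($grant in @(
        @{ Id = "BUILTIN\Administrators"; Rights = "FullControl" },
        @{ Id = "NT AUTHORITY\SYSTEM";    Rights = "FullControl" },
        @{ Id = "RESKIT\Tools";           Rights = "Modify" })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant.Id, $grant.Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Create the share. On Windows 2000 the share permissions default to Everyone: Full Control;
# the NTFS ACL above is what actually limits access.
net share "$shareName=$folder"
if ($LASTEXITCODE -ne 0) { throw "net share failed" }

# Publish: a volume object whose uNCName attribute points at the share.
$eng = [ADSI]"LDAP://OU=Engineering,DC=reskit,DC=com"
$vol = $eng.Create("volume", "CN=Engineering Specs")
$vol.Put("uNCName", $uncPath)
$vol.Put("description", "Engineering specifications")
$vol.SetInfo()

# Verify: the directory entry points where we expect, and the share answers.
$published = ([ADSI]$vol.Path).uNCName
if ($published -ne $uncPath) { throw "Published path '$published' does not match '$uncPath'" }
if (-not (Test-Path -Path $uncPath)) { throw "Published share $uncPath is not reachable" }
"Published $uncPath as 'Engineering Specs' in the Engineering OU"
```

The final Test-Path is the check to keep when you later move or retire a share: a volume object outlives the share it describes, and nothing in the directory notices when the path goes dead.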

To browse the directory


1. Double-click My Network Places on the desktop.

2. Double-click Entire Network, and then click Entire contents of the network.

3. Double-click the Directory.

4. Double-click the domain name, Reskit, and then double-click Engineering.

5. To view the files in the volume, either right-click the Engineering Specs volume, and click Open, or
double-click Engineering Specs.

Publishing a Printer

This section describes the processes for publishing printers in a Windows 2000 Active Directory-based
network.

Windows 2000 Printers

You can publish a printer shared by a computer running Windows 2000 by using the Sharing tab of the
printer Properties dialog box. By default, Listed in the directory is enabled. The directory is the Active
Directory data store. (This means that Windows 2000 Server publishes the shared printer by default.) The
print subsystem will automatically propagate changes made to the printer attributes (location, description,
loaded paper, and so forth) to the directory.

Note: For this section of this guide, you must have a printer available and know its IP address. If you do
not have an IP printer, you can still run through these procedures, substituting the correct port for
Standard TCP/IP Port.

To add a new printer

1. Click Start, point to Settings, click Printers, and then double-click Add Printer. The Add Printer
Wizard appears. Click Next.

2. Click Local Printer, clear the Automatically detect and install my Plug and Play printer
checkbox, and click Next.

3. Click the Create a new port option, then scroll to Standard TCP/IP Port, and click Next.

4. The Add Standard TCP/IP Printer Port Wizard appears. Click Next.

5. On the Add Port page, type the IP address of the printer in the Printer Name or IP Address box,
type the port name in the Port name box, and click Next. Click Finish.

6. Select your printer's manufacturer and model in the Printers list box, and then click Next.

7. In the Printer name text box, type the name of your printer.

8. On the Printer Sharing page, type a name for the shared printer. Choose a name no more than
eight characters long so computers running earlier versions of the operating system display it
correctly.

9. Type in the Location and Comment in those text boxes.


10. Print a test page. Click Finish.

After you create the printer, the printer is automatically published in Active Directory and the Listed in
the Directory check box is selected.

You might also need to find the server from which a printer is shared out before adding it to the machine
you're working on.

To locate a printer

1. Click Start, point to Settings, and then click on Printers.

2. Double-click the Add Printer icon.

3. In the Add Printer Wizard dialog box, click the Next button.

4. Select the Network printer button, and then click Next.

5. Select the Find a printer in the Directory button, and then click Next.

6. The Find Printers dialog box displays. If you know which domain your printer resides in, click the
Browse button and choose that domain to narrow your search. Then, on the Printer tab, add the
printer Name, Location, or Model to those text boxes, and click the Find Now button.

Note: If you don't know the name, location, or model of the printer, you can simply click the Find Now
button, and all the printers in the domain you selected will be listed in the list box.

Adding Non-Windows 2000 Printers

You can publish printers shared by operating systems other than Windows 2000 in the directory. The
simplest way to do this is to use the pubprn.vbs script, which publishes all the shared printers on a
given server. It is located in the \winnt\system32 directory.

To publish the printers shared from a non-Windows 2000 server using the pubprn.vbs script

1. Click Start, click Run, and type cmd in the text box. Click OK.

2. Type cd \winnt\system32 and press Enter.

3. Type cscript pubprn.vbs server "LDAP://ou=marketing,dc=reskit,dc=com", where server is the name
of the print server and the quoted LDAP path is the container that will receive the printer objects,
and press Enter. This publishes every shared printer on that server to the specified OU.

This script copies only the following subset of the printer attributes:

● Location

● Model

● Comment

● UNCPath


You can add other attributes by using the Active Directory Users and Computers snap-in. Note that
you can rerun pubprn and it will update rather than overwrite existing printers.

Alternatively, you can use the Active Directory Users and Computers snap-in to publish printers on
non-Windows 2000 servers.

To use the Active Directory Users and Computers snap-in to publish printers

1. Right-click the organizational unit that should hold the printer object (for example, Marketing),
point to New, and click Printer.

2. The New Object-Printer dialog box appears. In the text box, type the UNC path to the printer, in the
form \\server\sharename. Click OK.

Users benefit from printers being published in the directory because they can browse for printers,
submit jobs to them, and install the printer drivers directly from the print server.

To browse and use printers in the directory

1. On the Desktop, click Start, click Search, and click For Printers.

2. In the Find Printers dialog, select the subdirectory in which you'd like to search for printers. Then
type information into the Name, Location, or Model text boxes. Click the Find Now button to get a
list of published printers.

Creating a Computer Object

A computer object can be created automatically when a computer joins a domain. You can also create
the computer object before the computer joins the domain, which lets you choose its container and
who is allowed to perform the join.

1. Right-click the Engineering organizational unit, point to New, and then click Computer.

2. For the computer name, type Vancouver.

3. You can manage this computer in the Active Directory Users and Computers snap-in by right-
clicking the computer object, and then clicking Manage.

Optionally, you can select which user or group is permitted to join this computer to the domain. This
allows the administrator to create the computer account and someone with lesser permissions to
install the computer and join it to the domain, without that person being granted any broader rights.
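The "user or group can join this computer to a domain" option is a least-privilege delegation: instead of giving the installer an administrative group, the snap-in grants that one principal a handful of rights on that one computer object. The following PowerShell is an added example, not part of the original guide: it pre-creates the VANCOUVER object in the Engineering OU and adds the access control entries a join needs. The delegate RESKIT\jsmith is an assumption, and the set of four rights (Reset Password, write to the Account Restrictions property set, and the validated writes to DNS host name and service principal name) is the set I would grant; the GUIDs are the schema's well-known rightsGuid values, which you should confirm against your own schema before relying on them.

```powershell
# Added example, not part of the original guide: pre-create the computer object VANCOUVER in
# the Engineering OU and delegate the right to join that one machine to a non-administrator.
# Assumptions: the delegate RESKIT\jsmith is illustrative; the rights GUIDs below are the
# schema's well-known values (verify them against the rightsGuid attribute in your schema).

$eng  = [ADSI]"LDAP://OU=Engineering,DC=reskit,DC=com"
$comp = $eng.Create("computer", "CN=VANCOUVER")
$comp.Put("sAMAccountName", 'VANCOUVER$')
# WORKSTATION_TRUST_ACCOUNT (0x1000) + PASSWD_NOTREQD (0x20): the joining machine sets its own
# password when it joins, so the pre-staged object carries none.
$comp.Put("userAccountControl", 0x1020)
$comp.SetInfo()

# Resolve the delegate to a SID once; ACEs are stored by SID, not by name.
$delegate = New-Object System.Security.Principal.NTAccount("RESKIT", "jsmith")
$sid = $delegate.Translate([System.Security.Principal.SecurityIdentifier])

# Rights a domain join needs on the computer object, and nothing more.
$rights = @(
    @{ Guid = "00299570-246d-11d0-a768-00aa006e0529"; Type = "ExtendedRight"; Name = "Reset Password" },
    @{ Guid = "4c164200-20c0-11d0-a768-00aa006e0529"; Type = "WriteProperty"; Name = "Account Restrictions (property set)" },
    @{ Guid = "72e39547-7b18-11d1-adef-00c04fd8d5cd"; Type = "Self";          Name = "Validated write to DNS host name" },
    @{ Guid = "f3a64788-5306-11d1-a9c5-0000f80367c1"; Type = "Self";          Name = "Validated write to service principal name" }
)

# ObjectSecurity is the object's nTSecurityDescriptor as a System.DirectoryServices.ActiveDirectorySecurity.
$sec = $comp.psbase.ObjectSecurity
foreach ($r in $rights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$r.Guid)
    $sec.AddAccessRule($ace)
    "Granted {0} to {1}" -f $r.Name, $delegate.Value
}
$comp.psbase.CommitChanges()

# Verify: list the explicit ACEs for the delegate on the new object.
([ADSI]$comp.Path).psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

The two "Self" entries are validated writes: the delegate can set dNSHostName and servicePrincipalName, but only to values that match the computer's own name, which is why the ACE type is Self rather than WriteProperty.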

Renaming, Moving, and Deleting Objects

Most objects in the directory can be renamed and deleted, and most can be moved to a different
container. (The built-in containers and the system objects created during installation are the
exception.)

To move an object:

1. Right-click the object, and then click Move.

2. Click Browse. The Directory Browser appears, enabling you to select the destination container
for the object that you are moving.


Creating Nested Groups

You can use nested groups providing that you are running the Active Directory in Native Mode. Nested
groups are easier to manage, and thus reduce administrative overhead.

1. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group. Type
All Engineering and then click OK.

2. Right-click the All Engineering Group, and click Properties.

3. Click the Members tab and click Add.

4. In the list box, select Tools, click Add, and then click OK.

5. Click Apply, and then click OK. You've now created a nested group.

To check the nested groups

1. Right-click All Engineering, click Properties, and then click the Members tab. You will see Tools
listed as a member of All Engineering.

2. Right-click Tools, click Properties, and then click the Member Of tab. You will see All Engineering
listed as a group that Tools belongs to.


Finding Specific Objects

Rather than browsing the list of objects in the results pane, it is often more efficient to find specific
objects that meet certain criteria. In this example you will find all users who have the surname "Smith"
and are in the Engineering organizational unit (where James Smith was moved earlier).

1. Select the Engineering OU. Right-click Engineering, and then click Find.

2. In the Name box, type Smith.

3. Click Find Now.


Filtering a List of Objects

Filtering the list of objects returned from the directory lets you manage the directory more
efficiently. The filter option restricts the types of objects shown in the snap-in: for example, you can
choose to view only users and groups, or you can build a more complex filter.

The same Filter Options dialog also sets the maximum number of objects the results pane displays
for a container, which keeps a very large OU from being retrieved in full every time you click it.

In this example, you create a filter that retrieves users and groups only.


1. In the Active Directory Users and Computers snap-in, click the View menu, click Filter Options.

2. Click the radio button for Show only the following types of objects, and then select Users and
Groups.

3. Click OK.

After you click OK, whenever you view a container, it retrieves user and group objects only. For example,
if you now view the Engineering OU, the shared folder Engineering Specs will no longer be displayed. The
description bar above the contents of the right pane will show that the list is filtered.
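Every search and filter in the last two sections, and the Find Printers dialog earlier, is an LDAP search with a filter string. The following PowerShell is an added example, not part of the original guide: it reproduces those three searches with System.DirectoryServices.DirectorySearcher, which works against Windows 2000 and current domain controllers alike, and shows the one thing the dialogs do for you silently: the value typed by the user is escaped (RFC 4515) before it goes into the filter, so that a surname like *)(objectClass=* searches for that literal text instead of turning the query into "every object in the OU". The search bases are the OUs from this guide.

```powershell
# Added example, not part of the original guide: the searches this guide performs in the
# snap-in (users named Smith under an OU, published printers, a view limited to users and
# groups) done with DirectorySearcher, with user-supplied text escaped per RFC 4515.
# Assumptions: domain reskit.com and the Engineering OU from this guide.

function ConvertTo-LdapFilterValue {
    # Escape the characters that have meaning inside an LDAP filter value.
    param([Parameter(Mandatory=$true)][string]$Value)
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; ([string][char]0) = '\00' }
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { [void]$sb.Append($map[$s]) } else { [void]$sb.Append($s) }
    }
    $sb.ToString()
}

function Find-DirectoryObjects {
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,     # e.g. OU=Engineering,DC=reskit,DC=com
        [Parameter(Mandatory=$true)][string]$Filter,
        [string[]]$Properties = @("name", "distinguishedName"),
        [System.DirectoryServices.SearchScope]$Scope = "Subtree"
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 500          # page results instead of hitting the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $searcher.FindAll()) {
        $o = New-Object PSObject
        foreach ($p in $Properties) {
            $v = $null
            if ($r.Properties[$p].Count -gt 0) { $v = $r.Properties[$p][0] }
            $o | Add-Member NoteProperty $p $v
        }
        $o
    }
}

# Finding Specific Objects: users with a given surname in the Engineering OU. The typed value
# is escaped, so "*)(objectClass=*" is searched for literally rather than widening the query.
$surname = Read-Host "Surname to search for (e.g. Smith)"
$filter  = "(&(objectCategory=person)(objectClass=user)(sn={0}))" -f (ConvertTo-LdapFilterValue $surname)
"Filter sent to the server: $filter"
Find-DirectoryObjects -SearchBase "OU=Engineering,DC=reskit,DC=com" -Filter $filter `
    -Properties @("name", "sAMAccountName", "distinguishedName") | Format-Table -AutoSize

# Find Printers: every printQueue object published anywhere in the domain.
Find-DirectoryObjects -SearchBase "DC=reskit,DC=com" -Filter "(objectCategory=printQueue)" `
    -Properties @("printerName", "serverName", "uNCName", "location") | Format-Table -AutoSize

# Filtering a List of Objects: the snap-in's "users and groups only" view of one container,
# which is a one-level search; the Engineering Specs volume and any printers drop out.
Find-DirectoryObjects -SearchBase "OU=Engineering,DC=reskit,DC=com" -Scope OneLevel `
    -Filter "(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))" |
    Format-Table -AutoSize
```

The user filter uses objectCategory=person together with objectClass=user because computer objects are also of class user; the category distinguishes them. PageSize matters on Windows 2000 in particular, whose default server-side limit returns at most 1000 entries for an unpaged search.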

Important Notes

The example company, organization, products, people, and events depicted in this step-by-step guide are
fictitious. No association with any real company, organization, product, person, or event is intended or
should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and
DNS name used in the common infrastructure are not registered for use on the Internet. Please do not
use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows
2000 features work and function with the Active Directory. It was not designed as a model for configuring
an Active Directory for any organization—for such information see the Active Directory documentation.

