5.2. Performing common administrative tasks
You can accomplish a couple of neat tricks using ADUC on multiple accounts at once, reducing some of the tedium involved in making repetitive changes. For one, you can select multiple accounts within ADUC by clicking one account and doing one of the following:
Holding down the Shift key and selecting another account to select the entire range of accounts between your two selections
Holding down the Ctrl key and clicking individual accounts to select them independently
Then you can right-click the group of accounts and perform actions such as changing common properties or sending email. When you right-click multiple accounts and select Properties, the screen in Figure 37 appears.
On this screen, you can make changes to multiple accounts at the same time. Only a subset of the options available on individual accounts is accessible, but such common tasks as changing the UPN suffix of an account, specifying that a user must change his or her password, or requiring a smart card for logon are easy to perform from this screen.
5.3. Using LDAP to create users
LDAP is the foundation protocol for accessing and modifying the contents of Active Directory. You can use LDAP-style strings in conjunction with a couple of command-line tools to automate the creation of users and groups.
First let's look at what makes an LDAP identifier. For instance, let's say my full name is Jonathan Hassell, and I'm in the container SBSUsers within the hasselltech.local domain. My LDAP name, therefore, is:
cn="Jonathan Hassell",cn=SBSUsers,dc=hasselltech,dc=local
The abbreviation CN (common name) refers to the container, and DC (domain component) refers to the components of a domain name. Likewise, Lisa Johnson in the Marketing container within the Charlotte container of enterprise.com would have an LDAP name of:
cn="Lisa Johnson",cn=Marketing,cn=Charlotte,dc=enterprise,dc=com
Usernames in the directory are represented by a user principal name, or UPN. UPNs look like email addresses, and in some cases actually can be email addresses, but within the context of LDAP they serve to identify and select a specific user in the directory. So, if my username were jhassell, my UPN would be:
jhassell@hasselltech.local
And if Lisa Johnson's username were ljohnson, her UPN would be:
ljohnson@hasselltech.local
Now that we know how to specify some properties in LDAP, we can use the DSADD utility to create users from the command line. The advantage of using DSADD is that you can script these commands to automate the creation and provisioning of user accounts.
DSADD adds objects such as users, computers, and OUs to Active Directory. For example, to add a computer named JH-WXP-DSK to the Admin OU while authenticating as the domain administrator account, enter the following (the * after -p tells DSADD to prompt for the password rather than take it from the command line):
dsadd computer CN=JH-WXP-DSK,OU=Admin,DC=hasselltech,DC=local -u administrator -p *
You will be prompted for a password.
Here's another example: to add user sjohnson (for Scott Johnson, email address sjohnson@hasselltech.local with initial password "changeme") to the Sales OU and make him a member of the Presales group, use the following command (DSADD's switch for the user's own password is -pwd):
dsadd user cn=sjohnson,ou=sales,dc=hasselltech,dc=local -upn sjohnson@hasselltech.local -fn Scott -ln Johnson -display "Scott Johnson" -pwd changeme -email sjohnson@hasselltech.local -memberof cn=presales,ou=sales,dc=hasselltech,dc=local
Again, you will be prompted for a password.
You're getting the picture now. You also can add OUs with DSADD. To add an OU called support, use this command (note that an OU's own name in the distinguished name is written with ou=, not cn=):
dsadd ou ou=support,dc=hasselltech,dc=local
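The scripting advantage mentioned above, as an added example that is not from the book: a PowerShell script that reads constructed CSV rows and issues one dsadd user command per row, escaping the name used in the distinguished name, generating a random initial password instead of a shared "changeme", and forcing a change at first logon. It assumes a domain-joined host with the AD DS command-line tools, an account permitted to create users in the target OU, and hypothetical OU and group names.

```powershell
# Added example (not from the book): bulk-create users with dsadd from CSV data.
# Assumptions: domain-joined host with the AD DS command-line tools, run by an account
# allowed to create users in the target OU; OU/group DNs and the CSV rows are constructed.
function ConvertTo-DnValue([string]$Value) {
    # Escape characters that are special in an LDAP DN value (RFC 4514):
    # , + " \ < > ; anywhere, plus a leading '#' or space and a trailing space.
    $e = $Value -replace '([,+"\\<>;])', '\$1'
    if ($e -match '^[# ]') { $e = '\' + $e }
    if ($e -match ' $')    { $e = $e.Substring(0, $e.Length - 1) + '\ ' }
    return $e
}

function New-InitialPassword([int]$Length = 16) {
    # Random alphanumeric value; it only has to survive until the first logon.
    $chars = [char[]]((48..57) + (65..90) + (97..122))
    -join (1..$Length | ForEach-Object { Get-Random -InputObject $chars })
}

$targetOu  = 'ou=Sales,dc=hasselltech,dc=local'   # hypothetical
$upnSuffix = 'hasselltech.local'
$users = @'
SamAccountName,FirstName,LastName,Group
sjohnson,Scott,Johnson,"cn=Presales,ou=Sales,dc=hasselltech,dc=local"
ljohnson,Lisa,Johnson,"cn=Presales,ou=Sales,dc=hasselltech,dc=local"
'@ | ConvertFrom-Csv

foreach ($u in $users) {
    $display = "$($u.FirstName) $($u.LastName)"
    # The RDN is built from the display name, so it must be escaped for the DN.
    $dn         = "cn=$(ConvertTo-DnValue $display),$targetOu"
    $initialPwd = New-InitialPassword
    $dsaddArgs  = @(
        'user', $dn,
        '-samid',    $u.SamAccountName,
        '-upn',      "$($u.SamAccountName)@$upnSuffix",
        '-fn',       $u.FirstName,
        '-ln',       $u.LastName,
        '-display',  $display,
        '-email',    "$($u.SamAccountName)@$upnSuffix",
        '-memberof', $u.Group,
        '-pwd',      $initialPwd,
        '-mustchpwd', 'yes'          # user must change the password at first logon
    )
    & dsadd @dsaddArgs
    if ($LASTEXITCODE -eq 0) { "Created $dn; initial password (hand over out of band): $initialPwd" }
    else { Write-Warning "dsadd failed for $($u.SamAccountName) (exit code $LASTEXITCODE)" }
}
```

Because dsadd receives the password as a command-line argument, it is visible to anyone who can read the process's command line while dsadd runs; the forced change at first logon limits how long that value matters.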
5.4. Delegation
One of the absolute best features within Active Directory is the ability to allow other users to take partial administrative control over a subset of your directory—a process known as delegation. By delegating administrative authority, you can take some of the IT person's burden and place it elsewhere. For example, you might want to give one person in your department the power to reset passwords for other employees in a department. Or you might want to employ some part-time college students to staff a helpdesk and you want to give them the ability to create new users and to help other employees with lost passwords. You can accomplish this easily through Active Directory delegation.
And there's even a wizard to help you do it, too. The entire process works something like this:
You choose an Active Directory container over which you want to delegate administrative authority.
You create a group of users (or identify an already existing one) that will have those new, delegated administrative powers.
You use the Delegation of Control Wizard to actually grant the powers.
Let's get started. Within ADUC, select the organizational unit over which you want to delegate powers to others. Right-click it, and select Delegate Control from the pop-up context menu. The Delegation of Control Wizard appears. Click Next off the introductory screen, and the Users or Groups screen appears, as shown in Figure 38.
On this screen, click Add and identify the users or groups to which you want to have the powers assigned. Click Next when you've added the users, and the Tasks to Delegate screen appears, as shown in Figure 39.
This screen lists the most common tasks you want to delegate, including such options as managing user accounts, resetting passwords, managing groups, and administering Group Policy (GP). For our example, let's select the second option (to reset user passwords), and click Next.
On the final screen of the wizard, you're asked to confirm your choices. Click Finish to do so, and the delegation is complete.
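Once the wizard finishes, the delegation exists only as permission entries on the OU, so it is worth checking (and periodically auditing) who actually holds the Reset Password right there. The following is an added example, not from the book, that lists those entries; it assumes the ActiveDirectory PowerShell module (which provides the AD: drive) and a hypothetical OU name.

```powershell
# Added example (not from the book): list who holds the "Reset Password" right on an OU.
# Assumptions: ActiveDirectory PowerShell module present (AD: drive); the OU DN is constructed.
Import-Module ActiveDirectory

$ouDn = 'ou=Sales,dc=hasselltech,dc=local'   # hypothetical OU that was delegated

# Well-known rightsGuid of the User-Force-Change-Password ("Reset Password") extended right,
# and the schemaIDGUID of the user class, which the wizard uses to scope the ACE to user objects.
$resetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-ResetPasswordGrants([string]$Dn) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        $isExtended = ($ace.ActiveDirectoryRights -band
                       [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        # An empty ObjectType means "all extended rights", which includes Reset Password.
        $coversRight = ($ace.ObjectType -eq $resetPwdRight) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($ace.AccessControlType -ne 'Allow' -or -not $isExtended -or -not $coversRight) { continue }

        if ($ace.InheritedObjectType -eq $userClass)       { $scope = 'user objects' }
        elseif ($ace.InheritedObjectType -eq [guid]::Empty) { $scope = 'all object types' }
        else                                                { $scope = "$($ace.InheritedObjectType)" }

        [pscustomobject]@{
            Principal         = $ace.IdentityReference.Value
            AppliesTo         = $scope
            Inheritance       = $ace.InheritanceType
            AllExtendedRights = ($ace.ObjectType -eq [guid]::Empty)  # broader than the wizard grants
            InheritedFromAbove = $ace.IsInherited
        }
    }
}

Get-ResetPasswordGrants $ouDn | Format-Table -AutoSize
```

A delegation made with the wizard shows up as a non-inherited entry for the chosen group, scoped to user objects; entries marked AllExtendedRights or inherited from a parent container indicate broader grants than the wizard's "reset user passwords" task and deserve a second look.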