Windows Server 2003 : Building an Active Directory Structure (part 4) - Managing Users and Groups - Using LDAP to create users, Delegation

9/14/2012 1:03:45 AM
5.2. Performing common administrative tasks

You can accomplish a couple of neat tricks using ADUC on multiple accounts at once, reducing some of the tedium involved in making repetitive changes. For one, you can select multiple accounts within ADUC by clicking one account and doing one of the following:

  • Holding down the Shift key and selecting another account to completely select the range of accounts within your two initial selections

  • Holding down the Ctrl key and clicking individual accounts to select them independently

Figure 33. The Sessions tab

Then you can right-click the group of accounts and perform actions such as changing common properties or sending email. When you right-click multiple accounts and select Properties, the screen in Figure 37 appears.

On this screen, you can make changes to multiple accounts at the same time. A subset of the options available on individual accounts is accessible, but such common tasks as changing the UPN suffix of an account, specifying that a user must change his or her password, or requiring a smart card for logon are easy to make with this screen.

5.3. Using LDAP to create users

LDAP is the foundation protocol for accessing and modifying the contents of Active Directory. You can use LDAP-style strings in conjunction with a couple of command-line tools to automate the creation of users and groups.

First let's look at what makes an LDAP identifier. For instance, let's say my full name is Jonathan Hassell, and I'm in the container SBSUsers within the hasselltech.local domain. My LDAP name, therefore, is:

    CN=Jonathan Hassell,CN=SBSUsers,DC=hasselltech,DC=local

Figure 34. The General tab

Figure 35. The Members tab

Figure 36. The Member Of tab

Figure 37. Changing the properties of multiple accounts

The abbreviation CN (common name) refers to the object or container, and DC (domain component) refers to the components of a domain name. Likewise, Lisa Johnson in the Marketing container within the Charlotte container of the enterprise.com domain would have an LDAP name of:

    CN=Lisa Johnson,CN=Marketing,CN=Charlotte,DC=enterprise,DC=com

Usernames in the directory are represented by a user principal name, or UPN. UPNs look like email addresses, and in some cases actually can be email addresses, but within the context of LDAP they serve to identify and select a specific user in the directory. So, if my username were jhassell, my UPN would be:


And if Lisa Johnson's username were ljohnson, her UPN would be:


Now that we know how to specify some properties in LDAP, we can use the DSADD utility to create users from the command line. The advantage of using DSADD is that you can script these commands to automate the creation and provisioning of user accounts.

DSADD adds objects such as users, computers, groups, and OUs to Active Directory. For example, to add a computer named JH-WXP-DSK to the Admin OU while authenticating as the domain administrator account, enter the following (the asterisk after -p tells DSADD to prompt for the password rather than take it from the command line):

    dsadd computer CN=JH-WXP-DSK,OU=Admin,DC=hasselltech,DC=local -u administrator -p *

You will be prompted for a password.

Here's another example: to add user sjohnson (for Scott Johnson, email address sjohnson@hasselltech.local with initial password "changeme") to the Sales OU and make him a member of the Presales group, use the following command:

    dsadd user CN=sjohnson,OU=Sales,DC=hasselltech,DC=local ^
      -upn sjohnson@hasselltech.local ^
      -fn Scott -ln Johnson -display "Scott Johnson" ^
      -password changeme -email sjohnson@hasselltech.local ^
      -memberof CN=Presales,OU=Sales,DC=hasselltech,DC=local

Again, you will be prompted for a password.

You're getting the picture now. You also can add OUs with DSADD. Note that an organizational unit is named with OU= rather than CN= in its distinguished name. To add an OU called support, use this command:

    dsadd ou OU=support,DC=hasselltech,DC=local
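The two things this section relies on, building a correct LDAP distinguished name and turning a list of people into DSADD commands, are easy to get subtly wrong once names come from a spreadsheet rather than being typed by hand. The following Python script is an added example, not code from the original article: it escapes DN attribute values per RFC 4514 (so a common name such as "Johnson, Lisa" cannot split the DN and land the object in a different container), parses a DN back into its parts, derives the UPN from the username and domain, and renders one dsadd user argument list per CSV record using the same switches shown above. The domain hasselltech.local, the OU and group names, and the CSV rows are constructed sample data; the account password is passed as * so DSADD prompts for it instead of leaving it in scripts and shell history.

```python
"""Compose LDAP distinguished names safely and render DSADD provisioning commands.

Added example, not code from the original article. The domain hasselltech.local,
the OU/group names and the CSV records are constructed sample data; the dsadd
switches (-upn, -fn, -ln, -display, -email, -memberof, -password) are the ones
the article itself uses.
"""
import csv
import io
import subprocess

# RFC 4514: these characters must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape a DN attribute value so free-text input cannot add or alter RDNs."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                    # leading '#' is reserved
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdn_attr, rdn_value, *containers, domain):
    """Return 'ATTR=value,<containers leaf-first>,DC=label,...' for a DNS domain."""
    parts = [f"{rdn_attr}={escape_rdn_value(rdn_value)}"]
    parts += [f"{attr}={escape_rdn_value(val)}" for attr, val in containers]
    parts += [f"DC={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(parts)


def split_dn(dn):
    """Parse a DN into (ATTR, value) pairs, honouring backslash escapes."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def upn_for(sam, domain):
    """A UPN is username@suffix; here the suffix is the DNS domain name."""
    return f"{sam}@{domain}"


def dsadd_user_args(rec, domain):
    """Build the argv for one 'dsadd user' call as a list (no shell quoting needed).

    The new account's password is given as '*' so dsadd prompts for it rather
    than leaving it in the command line, scripts or shell history.
    """
    ou_path = [("OU", rec["ou"])]
    args = ["dsadd", "user", build_dn("CN", rec["cn"], *ou_path, domain=domain),
            "-upn", upn_for(rec["sam"], domain),
            "-fn", rec["first"], "-ln", rec["last"],
            "-display", f'{rec["first"]} {rec["last"]}',
            "-email", rec["email"],
            "-password", "*"]
    if rec["group"]:
        args += ["-memberof", build_dn("CN", rec["group"], *ou_path, domain=domain)]
    return args


def provisioning_plan(csv_text, domain):
    """Turn a CSV of user records into a list of dsadd argv lists."""
    return [dsadd_user_args(r, domain) for r in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample input; the second record has a CN that needs escaping.
SAMPLE_CSV = """cn,sam,first,last,email,ou,group
sjohnson,sjohnson,Scott,Johnson,sjohnson@hasselltech.local,Sales,Presales
"Johnson, Lisa",ljohnson,Lisa,Johnson,ljohnson@hasselltech.local,Marketing,
"""

if __name__ == "__main__":
    for argv in provisioning_plan(SAMPLE_CSV, "hasselltech.local"):
        # list2cmdline applies Windows command-line quoting rules, for display only;
        # subprocess.run(argv) on a domain member would pass the list without a shell.
        print(subprocess.list2cmdline(argv))
```

Running the script prints one ready-to-review dsadd line per record; on a domain member you would replace the print with subprocess.run(argv), which passes the argument list directly and avoids any cmd.exe quoting problems with names that contain spaces or commas.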

5.4. Delegation

One of the absolute best features within Active Directory is the ability to allow other users to take partial administrative control over a subset of your directory—a process known as delegation. By delegating administrative authority, you can take some of the IT person's burden and place it elsewhere. For example, you might want to give one person in your department the power to reset passwords for other employees in a department. Or you might want to employ some part-time college students to staff a helpdesk and you want to give them the ability to create new users and to help other employees with lost passwords. You can accomplish this easily through Active Directory delegation.

And there's even a wizard to help you do it, too. The entire process works something like this:

  1. You choose an Active Directory container over which you want to delegate administrative authority.

  2. You create a group of users (or identify an already existing one) that will have those new, delegated administrative powers.

  3. You use the Delegation of Control Wizard to actually grant the powers.

Let's get started. Within ADUC, select the organizational unit over which you want to delegate powers to others. Right-click it, and select Delegate Control from the pop-up context menu. The Delegation of Control Wizard appears. Click Next off the introductory screen, and the Users or Groups screen appears, as shown in Figure 38.

Figure 38. The Users or Groups screen

On this screen, click Add and identify the users or groups to which you want to have the powers assigned. Click Next when you've added the users, and the Tasks to Delegate screen appears, as shown in Figure 39.

This screen lists the most common tasks you want to delegate, including such options as managing user accounts, resetting passwords, managing groups, and administering Group Policy. For our example, let's select the second option (to reset user passwords), and click Next.

Figure 39. The Tasks to Delegate screen

On the final screen of the wizard, you're asked to confirm your choices. Click Finish to do so, and the delegation is complete.
