Microsoft Virtual Labs. Active Directory New User Interface




Table of Contents
Active Directory New User Interface
Exercise 1 User Management and Saved Queries
Exercise 2 Permissions User Interface
Exercise 3 Active Directory Management

Active Directory New User Interface

Objectives
After completing this lab, you will be able to:
- Employ Saved Queries as a tool for managing objects.
- Manage permissions on Active Directory objects.
- Prevent accidental deletion of domain controller computer objects.
- Configure the caching of universal group membership per site so that Global Catalog (GC) servers are not needed when users log on.
- Reset the Directory Services Restore Mode Administrator account password.
- Use new command line tools to query, create, modify and delete users, groups and other objects in Active Directory.

Scenario
Windows Server 2003 Active Directory has improvements in such areas as performance, management and usability. Over the course of the next hour, we will step through some of the improvements to the user interface, both in the graphical user interface and the command line interface. We will see how easy it is to create, manage and manipulate Active Directory objects singly and in groups through Active Directory Users and Computers. We will see how the Saved Queries functionality both finds objects based on LDAP queries and allows us to manage those objects. We will see improvements in permissions management that apply not only to managing Active Directory objects, but also to NTFS file system and Registry permissions. Finally, we will look at the new way to protect domain controller computer objects, how to configure caching for universal group membership, and new command line tools to do everything from querying, creating, modifying and deleting objects to resetting the Directory Services Restore Mode password.

Estimated time to complete this lab: 60 minutes

Computers used in this Lab: Paris

Exercise 1 User Management and Saved Queries

In this exercise, we will examine some of the new user interface improvements in the Active Directory management tools for creating, managing and manipulating Active Directory objects. We will also see how Saved Queries can be a powerful and dynamic tool for managing objects.

Task 1. We will use the enhanced Active Directory Users and Computers snap-in to create an Organizational Unit for our Sales department and a new User for that department. Then we will drag and drop the user into the OU.

Detailed steps
a. Click Start, point to Administrative Tools and click Active Directory Users and Computers.
b. In the Active Directory Users and Computers console, expand contoso.com.
c. Right-click contoso.com, point to New and click Organizational Unit.
d. In the New Object - Organizational Unit dialog box, type Sales OU and click OK.
e. Right-click contoso.com, point to New and click User.
f. In the New Object - User dialog box, type UserA in the First name and User logon name boxes.
g. Click Next.
h. In the next New Object - User dialog box, enter and confirm the password Password1.
i. Click Next.
Info: By default, Windows Server 2003 requires that passwords are complex when created, changed or reset.
j. In the final New Object - User dialog box, click Finish.
k. In the left pane, select contoso.com.
l. In the right pane, drag UserA to the Sales OU.
Info: Active Directory Users and Computers now supports drag-and-drop functionality for objects.

Task 2. Now we will add a new User directly to the Organizational Unit where we want him. Then, using the extended functionality of Active Directory Users and Computers, we will see how certain Active Directory attributes can be modified for multiple objects at the same time. Further, if we accidentally modify attributes so that they conflict with each other, we are warned and can make the corrections right away.

a. Right-click Sales OU, point to New and click User.
b. In the New Object - User dialog box, type UserB in the First name and User logon name boxes.
c. Click Next.
d. In the next New Object - User dialog box, enter and confirm the password Password1.
e. Click to clear the User must change password at next logon check box.
f. Click Next.
g. In the final New Object - User dialog box, click Finish.
h. In the left pane, select Sales OU.
i. In the right pane, select UserA, hold down CTRL and click UserB.
j. Right-click the selected user accounts and click Properties.
Note: Active Directory Users and Computers now supports modifying common attributes of multiple users at one time.
k. In the Properties On Multiple Objects dialog box, click the Profile tab.
l. Click to select the Logon Script check box and type userlogon.vbs.
m. Click the Account tab.
n. In the Account options box, click to select the edit check box (the left-hand check box) for User cannot change password.
o. Click to select the User cannot change password check box (both check boxes next to User cannot change password should be selected).
Note: Only the attributes for which the edit check box is enabled will be updated on the selected user accounts.
p. Click OK to close the Properties On Multiple Objects dialog box.
Note: A dialog box appears, indicating that for UserA two conflicting options are set: User must change password at next logon (left at its default in Task 1) and User cannot change password. The account options for UserB, where the first option was cleared, are already applied.
q. In the Active Directory dialog box, click Properties to change the settings for UserA.
r. In the UserA Properties dialog box, click the Account tab, clear User must change password at next logon, and click OK.
s. Click Close.
t. In the Properties On Multiple Objects dialog box, click OK to continue applying the changes to the selected user accounts.
Note: The Logon Script setting and the User cannot change password setting are applied to both UserA and UserB.

Task 3. Now we will create a new global group in the Sales OU. This group is for our sales managers, and we will examine the behavior of the object picker as we add our users to the group.

a. Right-click Sales OU, point to New, and click Group.
b. In the New Object - Group dialog box, type Sales Managers in the Group name box.
c. Ensure that the Group scope is set to Global and the Group type is set to Security, and click OK.
d. Click Sales Managers to change the selection.
e. Right-click Sales Managers, and then click Properties.
f. In the Sales Managers Properties dialog box, click the Members tab and click Add.
Info: Active Directory Users and Computers has a new dialog box to select objects. The new dialog box is called the object picker.
g. In the Select Users, Contacts, or Computers object picker, type user and click Check Names.
Note: The object picker lists all user accounts whose name starts with "user".
h. In the Multiple Names Found dialog box, select UserA, hold down CTRL, click UserB and click OK.
i. Click OK to close the Select Users, Contacts, or Computers object picker.
j. Click OK to close the Sales Managers Properties dialog box.

Task 4. Using the Saved Queries feature, we will create a way to find and keep up to date a listing of all disabled user accounts. We will also see that administrative tasks can be performed on the objects that we have found through our query.

a. In Active Directory Users and Computers, select Saved Queries.
b. Right-click Saved Queries, point to New, and click Folder.
c. In the New Folder text box, type User Management, and press Enter.
d. In the right pane, right-click User Management, point to New and click Query.
e. In the New Query dialog box, in the Name text box, type Disabled User Accounts, and click Define Query.
f. In the Find Common Queries dialog box, click to select the Disabled accounts check box and click OK.
g. Click OK to close the New Query dialog box.
Note: In the right pane, three disabled user accounts appear (Guest, krbtgt and SUPPORT_388945a0).
h. In the left pane, select Sales OU.
i. In the right pane, right-click UserA and click Disable Account.
j. Click OK to confirm that UserA has been disabled.
k. In the left pane, right-click Disabled User Accounts and click Refresh.
Note: UserA now appears in the disabled user accounts list.
l. In the right pane, right-click UserA and click Enable Account.
m. Click OK to confirm that UserA has been enabled.
n. Right-click Disabled User Accounts and click Refresh.
Note: UserA no longer appears in the disabled user accounts list.
o. In the left pane, right-click Sales OU and click Refresh.
Note: UserA is no longer displayed as disabled in the Sales OU.

Task 5. Now we will modify the query string to manually create a new query that finds objects with the attributes defining them as users who have never been authenticated by this domain controller. We will also see that cut and paste functionality works throughout the interface.

a. In Active Directory Users and Computers, select Disabled User Accounts.
b. Right-click Disabled User Accounts and click Edit.
c. Right-click in the gray Query string text box and click Select All.
d. Right-click the selected query string and click Copy.
e. Click Cancel to close the Edit Query dialog box.
f. Right-click User Management, point to New and click Query.
g. In the New Query dialog box, in the Name text box, type Never Logged On and click Define Query.
h. In the Find Common Queries dialog box, in the Find list box, select Custom Search.
i. In the Find Custom Search dialog box, click the Advanced tab.
j. Right-click in the empty Enter LDAP query text box and click Paste.
k. Change the LDAP query text from:
(&(objectcategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
to:
(&(objectcategory=person)(objectclass=user)(logoncount=0))
Info: The 1.2.840.113556.1.4.803 matching rule in the first query is a bitwise AND. It matches accounts whose userAccountControl attribute has the bit with value 2 (account disabled) set, whatever other bits are set.
l. Click OK.
Info: The logoncount attribute of a user indicates how many times the connected domain controller has authenticated the user's logon to the domain. This number is kept per domain controller and is not replicated, so the query only finds users that the domain controller the console is connected to has never authenticated; another domain controller may have. You can base the definition of a Saved Query on any LDAP query to the Active Directory.
Info: Notice in the gray Query string text box that Saved Queries adds an additional (&...) around the LDAP query text. This does not change the result of the query.
m. Click OK to close the New Query dialog box.
Info: The Saved Queries are stored in a file named dsa in the %userprofile%\Application Data\Microsoft\MMC folder. They are not stored in Active Directory.

Task 6. Now we will see the warning shown by Windows if we accidentally have Caps Lock enabled and try to enter or change a password in the password text box.

a. In Active Directory Users and Computers, select Sales OU, right-click UserA and click Reset Password.
b. In the Reset Password dialog box, press the Caps Lock key.
Info: The same warning message is displayed when users have the Caps Lock key on at the Windows logon dialog box.
c. Click Cancel to close the Reset Password dialog box.
d. Press the Caps Lock key to deactivate Caps Lock.
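The two Saved Query filters from Tasks 4 and 5 can also be run outside the console. The following PowerShell script is an added example and is not part of the lab or of any Microsoft tool. It uses the .NET System.DirectoryServices classes (no Active Directory module needed) and assumes it runs on a domain-joined machine as a user that can read the domain; the two LDAP filters are the lab's own, everything else (the function names, the per-DC aggregation) is added here. It goes one step beyond the lab's Never Logged On query: because logoncount is kept per domain controller, the script queries every domain controller in the domain and sums the counts, so a user is reported only if no domain controller has ever authenticated that user.

```powershell
# Added example: run the Exercise 1 Saved Query filters with System.DirectoryServices.
# Not part of the lab. Assumes a domain-joined machine and read access to the domain.

# The filters from the lab. 1.2.840.113556.1.4.803 is the bitwise-AND matching rule:
# userAccountControl bit 2 (account disabled) must be set.
$DisabledFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$UserFilter     = '(&(objectCategory=person)(objectClass=user))'

function Invoke-DcSearch {
    # Run one LDAP search against a specific domain controller's default naming context.
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,
        [Parameter(Mandatory=$true)][string]$Filter,
        [string[]]$Attributes = @('sAMAccountName')
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000      # paged results, so domains with more than 1000 users work
    foreach ($attr in $Attributes) { [void]$searcher.PropertiesToLoad.Add($attr) }
    $searcher.FindAll()
}

function Get-DisabledUsers {
    # userAccountControl is replicated, so a single domain controller gives the full answer.
    param([Parameter(Mandatory=$true)][string]$DomainController)
    Invoke-DcSearch -DomainController $DomainController -Filter $DisabledFilter |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] } |
        Sort-Object
}

function Get-NeverLoggedOnUsers {
    # logonCount is NOT replicated: each domain controller counts only the logons it handled.
    # The lab's saved query asks one DC; here every DC is asked and the counts are summed,
    # so "never logged on" means no DC in the domain has ever authenticated the user.
    param([Parameter(Mandatory=$true)][string[]]$DomainControllers)
    $total = @{}
    foreach ($dc in $DomainControllers) {
        $results = Invoke-DcSearch -DomainController $dc -Filter $UserFilter `
                                   -Attributes 'sAMAccountName', 'logonCount'
        foreach ($r in $results) {
            $sam = [string]$r.Properties['samaccountname'][0]
            $n = 0   # an absent logonCount means the DC has never authenticated the user
            if ($r.Properties.Contains('logoncount')) { $n = [int]$r.Properties['logoncount'][0] }
            if (-not $total.ContainsKey($sam)) { $total[$sam] = 0 }
            $total[$sam] += $n
        }
    }
    $total.GetEnumerator() | Where-Object { $_.Value -eq 0 } | ForEach-Object { $_.Key } | Sort-Object
}

# Usage: discover the domain controllers of the current domain and run both reports.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })

"Disabled accounts (asked $($dcs[0])):"
Get-DisabledUsers -DomainController $dcs[0]

"Never logged on at any of $($dcs.Count) domain controllers:"
Get-NeverLoggedOnUsers -DomainControllers $dcs
```

A domain controller that is unreachable makes Invoke-DcSearch throw, which is the right outcome here: a partial sum would silently turn "never logged on anywhere" back into "never logged on at the DCs we happened to reach". Expect the built-in disabled accounts from the lab (Guest, krbtgt, SUPPORT_388945a0) to show up in the first list on a default Windows Server 2003 domain.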

Exercise 2 Permissions User Interface

In this exercise, we will examine some of the new user interface improvements to manage permissions on Active Directory objects. Most of these improvements also apply to managing NTFS file system and Registry permissions.

Task 1. By enabling Advanced Features in Active Directory Users and Computers, we are able to view and modify domain permissions.

Detailed steps
a. In Active Directory Users and Computers, click View and then click Advanced Features.
Info: Advanced Features shows additional options in Active Directory Users and Computers, such as the Security tab with object permissions for each object.
b. In the left pane, right-click contoso.com and click Properties.
c. In the contoso.com Properties dialog box, click the Security tab.
Note: Scroll down the permissions list to see the new domain permissions, which can be used to delegate administrative control of the domain. An example is the Reanimate Tombstones permission, which allows delegation of restoring deleted objects. Other new domain permissions for Windows Server 2003 include Create Inbound Forest Trust, Generate Resultant Set of Policy, Migrate SID History and Read/Write Domain Password & Lockout Policies. Delegate these sparingly and review who holds them: Migrate SID History, for example, lets its holder add SIDs to the sIDHistory attribute of an account, and those SIDs are then included in the account's access token.
d. Click Cancel to close the contoso.com Properties dialog box.
Info: All the features of the permissions user interface that are described in the next tasks are applicable not only to Active Directory objects, but also to NTFS files and folders, Registry keys and Registry entries.

Task 2. We will create a new Organizational Unit and examine the default permissions for an object of this type in Active Directory.

a. In Active Directory Users and Computers, right-click contoso.com, point to New and click Organizational Unit.
b. In the New Object - Organizational Unit dialog box, type Perms OU and click OK.
c. Right-click Perms OU and click Properties.
d. In the Perms OU Properties dialog box, click the Security tab.
e. In the Permissions box, scroll to the bottom of the permissions list.
Info: The last entry in any permissions list is Special Permissions. This is not an actual permission. Instead, a check mark in the Allow or Deny column for Special Permissions indicates that the entire Access Control List (ACL) for this object could not be expressed with just the permissions list on the Security tab. You can click the Advanced button to see the entire list of permissions on the ACL of the object.
f. Click Advanced.
g. Scroll down the Permission entries list so that the Administrators group is displayed in the middle of the list box (about 10 entries down).
Info: Notice the new Inherited From column. For each Access Control Entry (ACE) this column indicates whether the permission is applied directly (<not inherited>) or inherited from a higher OU (or NTFS folder, or Registry key). The Default button can be used to reapply the default permissions for this object from the Schema. This is not applicable to NTFS permissions or Registry permissions.

Task 3. Using the built-in graphical user interface, it is easy to change the owner of the Perms OU to the Enterprise Admins group.

a. In the Advanced Security Settings for Perms OU dialog box, click the Owner tab.
Info: Notice that you can take or assign ownership of this object. Although this was also possible in Windows 2000 Server, assigning ownership to other users was highly unusual.
b. Click Other Users or Groups.
c. In the Select User, Computer, or Group object picker, type Enterprise Admins and click OK.
d. In the Change owner to list box, ensure that Enterprise Admins is selected, and click Apply.
Info: You can only assign ownership of an object to someone else if you hold the Restore files and directories user right. Even the Full Control permission on the object is not sufficient.

Task 4. It is also easy to see the effective permissions on Active Directory objects. Here we will examine the effective permissions on the Perms OU for the Account Operators group, the Administrators group and the Administrator account.

a. In the Advanced Security Settings for Perms OU dialog box, click the Effective Permissions tab.
Info: The Effective Permissions for an object can be calculated for any user or group.
b. Click Select.
c. In the Select User, Computer, or Group object picker, type Account Operators and click OK.
Note: Scroll down the Effective permissions list to see that members of the Account Operators group only have create/delete permissions for computer, group, inetOrgPerson and user objects.
d. Click Select.
e. In the Select User, Computer, or Group object picker, type Administrators and click OK.
Note: Members of the Administrators group have almost all the permissions on the Perms OU.
f. Click Select.
g. In the Select User, Computer, or Group object picker, type Administrator and click OK.
h. In the Multiple Names Found dialog box, ensure that Administrator is selected and click OK.
Note: The Administrator has Full Control permission on the Perms OU.
Info: Determining the effective permissions does not take everything into account. Logon-specific information, such as membership in the Interactive, Network or Service group, and the effect of share permissions in the case of effective permissions on files and folders, are not considered. Treat the Effective Permissions tab as an approximation, and verify access decisions that matter by testing as the principal in question.
i. Click Cancel to close the Advanced Security Settings for Perms OU dialog box.
j. Click Cancel to close the Perms OU Properties dialog box.
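The Security tab in Task 1 shows the new domain-level rights one ACE at a time, which makes it easy to miss who actually holds them. The following PowerShell script is an added example, not part of the lab, that walks the DACL of the domain head and lists every principal granted one of those rights. It assumes a domain-joined machine with read access to the domain object and to the configuration partition. The names in $RightsOfInterest are the cn values of the corresponding objects under CN=Extended-Rights as the author of this example knows them (Domain-Password being the property set behind "Read/Write Domain Password & Lockout Policies"); the script resolves them to their rightsGuid at run time rather than hardcoding GUIDs, and warns about any name it cannot find. It also reports blanket ACEs whose object type is empty, because a Full Control or "all extended rights" ACE grants every one of these rights without naming any of them.

```powershell
# Added example: who holds the Windows Server 2003 domain-level rights from Exercise 2
# on the domain head. Not part of the lab. Assumes a domain-joined machine with read
# access to the domain object and to the configuration partition.

# cn values under CN=Extended-Rights (Domain-Password is assumed to be the property set
# shown as "Read/Write Domain Password & Lockout Policies" on the Security tab).
$RightsOfInterest = @(
    'Reanimate-Tombstones',
    'Migrate-SID-History',
    'Create-Inbound-Forest-Trust',
    'Generate-RSoP-Planning',
    'Generate-RSoP-Logging',
    'Domain-Password'
)

function Get-ExtendedRightGuids {
    # Resolve display names to rightsGuid values from the forest's Extended-Rights
    # container, so the script never relies on hardcoded GUIDs.
    param([Parameter(Mandatory=$true)][string[]]$Names)
    $rootDse   = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configDn  = [string]$rootDse.Properties['configurationNamingContext'][0]
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Extended-Rights,$configDn")
    $map = @{}
    foreach ($name in $Names) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $container, "(&(objectClass=controlAccessRight)(cn=$name))")
        [void]$searcher.PropertiesToLoad.Add('rightsGuid')
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            Write-Warning "No object named '$name' in CN=Extended-Rights; skipping it"
            continue
        }
        $map[[guid]$result.Properties['rightsguid'][0]] = $name
    }
    $map
}

function Get-DomainRightHolders {
    # Walk the DACL of the domain head (explicit and inherited ACEs) and report ACEs
    # that name one of the rights of interest, plus blanket ACEs (empty ObjectType)
    # carrying the ExtendedRight bit, which cover every extended right at once.
    param([Parameter(Mandatory=$true)][hashtable]$GuidToName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'][0]
    $domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
    $rules = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($rule in $rules) {
        $name = $null
        if ($GuidToName.ContainsKey($rule.ObjectType)) {
            $name = $GuidToName[$rule.ObjectType]
        } elseif ($rule.ObjectType -eq [guid]::Empty -and
                  (($rule.ActiveDirectoryRights -band $extended) -ne 0)) {
            $name = '<all extended rights>'   # includes Full Control (GenericAll) ACEs
        }
        if ($null -eq $name) { continue }
        New-Object PSObject -Property @{
            Right     = $name
            Identity  = $rule.IdentityReference.Value
            Access    = $rule.AccessControlType   # Allow or Deny
            Rights    = $rule.ActiveDirectoryRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage
$guids = Get-ExtendedRightGuids -Names $RightsOfInterest
Get-DomainRightHolders -GuidToName $guids |
    Sort-Object Right, Identity |
    Format-Table Right, Identity, Access, Rights, Inherited -AutoSize
```

Deny ACEs are listed as well as Allow ACEs, so read the Access column before concluding that an identity can exercise a right. The script only reads the DACL; it changes nothing.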

Exercise 3 Active Directory Management

In this exercise, we will explore several improvements for managing Active Directory. These improvements include:
- The options preventing accidental deletion of domain controller computer objects
- The process for configuring the caching of universal group membership per site so that Global Catalog (GC) servers are not needed when users log on
- The process for resetting the Directory Services Restore Mode Administrator account password
- New command line tools to query, create, modify and delete users, groups and other objects in Active Directory

Task 1. We will create a new domain controller computer object in Active Directory and examine the options for modifying it without deleting it. Then we will look at the actual process for deleting the object.

Detailed steps
a. In Active Directory Users and Computers, right-click Domain Controllers, point to New and click Computer.
b. In the New Object - Computer dialog box, type DALLAS in the Computer name box.
c. Click to select the Assign this computer account as a backup domain controller check box and click Next.
d. In the Managed dialog box, click Next.
e. Click Finish.
f. In the left pane, select Domain Controllers.
g. In the right pane, right-click DALLAS and click Properties.
Note: The role of this computer account is set to Domain controller.
h. Click Cancel.
Note: Although no physical computer is associated with the DALLAS computer account, Active Directory treats the account as a true replica domain controller when you attempt to remove it in the next steps.
i. Right-click DALLAS and click Delete.
j. Click Yes to confirm that you want to delete this object.
Info: The Deleting Domain Controller dialog box appears. You can choose from three possible reasons for deleting the computer account. Only the third option actually deletes the account. The first two options are not valid reasons for deleting the account.
k. In the Deleting Domain Controller dialog box, click to select the I want to restart Active Directory replication for this domain controller radio button and click Delete.
l. Click OK to confirm that deleting the computer account is not required to manage Active Directory replication.
Note: The DALLAS computer account is not deleted.
m. Right-click DALLAS and click Delete.
n. Click Yes to confirm that you want to delete this object.
o. In the Deleting Domain Controller dialog box, click to select the This domain controller is permanently offline radio button and click Delete.
p. Minimize Active Directory Users and Computers.
Info: Normally, you must delete the associated Server object in Active Directory Sites and Services as well.

Task 2. We will create a new site and configure that site to cache universal group membership so that a Global Catalog will not be required for logon in that site.

a. Click Start, point to Administrative Tools and click Active Directory Sites and Services.
b. In Active Directory Sites and Services, expand Sites, right-click Sites and click New Site.
c. In the New Object - Site dialog box, type Office-Houston in the Name text box, select DEFAULTIPSITELINK and click OK.
d. Click OK to confirm the steps needed to finish configuration of the Office-Houston site.
Info: In order to make the site less dependent on the availability of a Global Catalog (GC) server when users log on, you can configure the site to cache the universal group membership data that is normally only kept on the GC.
e. In the left pane, ensure that Office-Houston is selected.
f. In the right pane, right-click NTDS Site Settings and click Properties.
g. In the NTDS Site Settings Properties dialog box, click to select the Enable Universal Group Membership Caching check box.
h. Select Default-First-Site-Name from the Refresh cache from drop-down box and click OK.
Note: The domain controllers in the Office-Houston site will cache the universal group membership data per user account. When users log on to domain controllers in the site, a GC is no longer contacted. The cached data per user account is automatically refreshed every 8 hours, so a change to a user's universal group membership (for example, removal from a group that grants access) can take up to 8 hours to take effect for logons in that site.
i. Close Active Directory Sites and Services.

Task 3. With the powerful Ntdsutil.exe command, we can perform many actions on the Active Directory. Here, we will use it to reset the Directory Services Restore Mode (DSRM) Administrator password on Paris.

a. Click Start and click Command Prompt.
b. Type ntdsutil.exe and press Enter.
c. At the ntdsutil: prompt, type help and press Enter.
Info: Ntdsutil shows the list of available commands.
d. Type set dsrm password and press Enter.
Info: This password is used to log on to the domain controller in Directory Services Restore Mode (DSRM) or to log on when using the Recovery Console. The password is initially set when the Active Directory Installation Wizard (dcpromo.exe) is run. The DSRM account is a local administrator of the domain controller that works while Active Directory is offline, so treat its password like any other domain controller administrator credential: keep it strong, keep it secret, and change it when the people who knew it leave.
e. At the Reset DSRM Administrator Password: prompt, type reset password on server Paris and press Enter.
f. At the Please type password for DS Restore Mode Administrator Account: prompt, type password and press Enter.
g. At the Please confirm new password: prompt, type password and press Enter.
Note: Ntdsutil fails to set the password. The DSRM password must meet complexity requirements.
h. At the Reset DSRM Administrator Password: prompt, type reset password on server Paris again and press Enter.
i. At the Please type password for DS Restore Mode Administrator Account: prompt, type Password1 and press Enter.
j. At the Please confirm new password: prompt, type Password1 and press Enter.
Note: Because this password meets the password complexity requirements, Ntdsutil successfully sets the DSRM password.
k. At the Reset DSRM Administrator Password: prompt, type quit and press Enter.
l. At the ntdsutil: prompt, type quit and press Enter.

Task 4. We will use the dsquery and dsget commands to display information about users and computers in Active Directory.

a. At the Command Prompt, type cd \ and press Enter.
b. Type dsquery user and press Enter.
Info: The dsquery command finds and displays users or other objects in Active Directory.
c. Type (on one line) dsget user cn=administrator,cn=users,dc=contoso,dc=com -memberof and press Enter.
Note: The dsget command displays properties of users or other objects. In this example, it displays the 6 groups that explicitly list the Administrator as a member.
d. Press the Up Arrow key to recall the previous command. At the end of the line, type a space and -expand and press Enter.
Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.
e. Type dsquery user | dsget user -samid -sid and press Enter.
Info: The output of the dsquery command can be used as input for the dsget command by using a pipe (|). In this example, the SAM account name and the security ID (SID) of each user are displayed.
f. Type dsquery server and press Enter.
Info: The dsquery server command displays all domain controllers.
g. Type dsquery server -o rdn -hasfsmo pdc and press Enter.
Info: The command displays the relative distinguished name (RDN) of the domain controller that currently is the PDC operations master. (FSMO is another term for operations master.) Other operations masters can be found by using the parameter schema, name, infr, or rid.
h. Type dsquery server | dsget server -dnsname -site -isgc and press Enter.
Info: The command displays, for each domain controller, the DNS host name, the site name, and whether the server is a Global Catalog (GC) server.

Task 5. Earlier, we used Active Directory Users and Computers to create and modify an OU and user. Here we will use the dsadd and dsmod commands to add and modify an organizational unit and user in Active Directory.

a. At the Command Prompt, type dsadd ou ou=guestou,dc=contoso,dc=com and press Enter.
Info: The dsadd command adds organizational units (OU), users or other objects to Active Directory.
b. Type dsadd user cn=greg,ou=guestou,dc=contoso,dc=com and press Enter.
c. Type dsquery user -name Greg | dsget user -dn -disabled and press Enter.
Note: The new user account is still disabled.
d. Type dsmod user cn=greg,ou=guestou,dc=contoso,dc=com -pwd Password2 and press Enter.
Info: The dsmod command modifies existing objects.

Task 6. We can also set limits on the number of objects a particular user can create in Active Directory. With the dsadd command, we will assign a quota to the user we created above, view that quota and then remove it through Active Directory Users and Computers.

a. At the Command Prompt, type dsadd quota -part dc=contoso,dc=com -acct contoso\greg -qlimit 25 -desc "Max 25" and press Enter.
Info: The dsadd quota command defines the maximum number of objects that a user can create or own in a partition.
b. Type dsget partition dc=contoso,dc=com -dn -qtmbstnwt and press Enter.
Info: The qtmbstnwt value (quota tombstone weight) specifies the percentage weight given to a deleted object (tombstone) for the partition. For example, if the value is set to 50 (or 50%) and Greg owns 10 deleted objects, those count as 5 against his quota, so he can create 20 additional objects to reach his maximum quota of 25. The default value is 100 (or 100%).
c. Restore the minimized Active Directory Users and Computers window.
d. In the left pane, select NTDS Quotas.
Note: In the right pane, the CONTOSO_Greg object represents the quota specification for the user Greg. Note that you cannot change the quota specification through the graphical user interface of the console.
e. Right-click CONTOSO_Greg, and click Delete.
f. Click Yes to confirm that you want to delete the object.
g. Close the Active Directory Users and Computers console.

Task 7. We will now use the dsrm command to remove the newly created organizational unit.

a. At the Command Prompt, type dsrm ou=guestou,dc=contoso,dc=com -subtree and press Enter.
b. At the prompt, type Y to confirm that you wish to delete GuestOU and press Enter.
Info: The dsrm command removes objects from Active Directory. In this example, the -subtree parameter causes all the objects in the container to be deleted as well. The dsrm command is unrelated to Directory Services Restore Mode (DSRM).

Task 8. We will use the dsquery * command, which displays information about objects in Active Directory by using an LDAP query, to display information about the Administrator and then about the isMemberOfPartialAttributeSet attribute, which defines the information that replicates to Global Catalog servers.

a. At the Command Prompt, type dsquery * -filter (cn=administrator) -attr * and press Enter.
Info: The dsquery * command can use any LDAP query to display information about objects in Active Directory. In this example all attributes of the Administrator account are displayed.
b. Type dsquery * -filter (dc=contoso) -attr * and press Enter.
Note: This example displays all attributes of the contoso.com domain object.
c. Type (on one line) dsquery * cn=schema,cn=configuration,dc=contoso,dc=com -filter "(&(objectcategory=attributeschema)(ismemberofpartialattributeset=TRUE))" -limit 0 -attr name and press Enter.
Note: This complex example displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers. (If the command displays no attributes, ensure that you typed TRUE in capital letters.)
d. Close Command Prompt.