Previous Page | Next Page

  1. Introduction
  2. Windows 2000 Professional
  3. Windows 2000 Server
  4. Windows 2000 Advanced Server
  5. Windows 2000 Datacenter Server
  6. Application Support
  7. System Operation
  8. Disks and Volumes
  9. Filesystems
  10. Configuration Files
  11. Security
  12. Network Support
  13. Access Management
  14. Processes
  15. AD Structure
  16. AD Objects
  17. AD Object Naming
  18. AD Schema
  19. AD Sites
  20. Domains
  21. AD Functions
  22. AD Replication
  23. DNS
  24. AD Security
  25. AD Installation
  26. AD Configuration
  27. AD Performance
  28. Installation
  29. Installation Options
  30. Unattended Installation
  31. Software Distribution
  32. Remote Installation Service
  33. Language
  34. Accessibility
  35. File Attributes
  36. Shares
  37. Distributed File System
  38. Control Panel
  39. Active Directory Tools
  40. Computer Management Console Tools
  41. MMC Tools
  42. Network Tools
  43. Network Monitor
  44. System Performance Monitoring
  45. Tools
  46. Managing Services
  47. Connections
  48. TCP/IP
  49. DHCP
  50. Printing
  51. Routing
  52. IPSec
  53. ICS
  54. Fault Tolerance
  55. Backup
  56. System Failure
  57. Services
  58. Remote Access
  59. WINS
  60. IIS
  61. Certificate Server
  62. Terminal Services
  63. Web Services
  64. Authentication
  65. Accounts
  66. Permissions
  67. Groups
  68. User Rights and Auditing
  69. Auditing
  70. User Profiles
  71. Policies
  72. Group Policies
  73. Miscellaneous
  74. Terms
  75. Credits

Windows 2000 Active Directory Configuration

Active Directory Users and Computers

Active Directory Users and Computers is a Microsoft Management Console snap-in. It is started by selecting "Start", "Programs", "Administrative Tools", and "Active Directory Users and Computers". Only members of the Domain Admins or Enterprise Admins group can use this tool. This tool is used to create, configure, locate, move, and delete objects including:

  • User (automatically published)
  • Group (automatically published)
  • Computer (Those in the domain are automatically published)
  • Contact (automatically published)
  • Domain
  • Organizational Unit (automatically published)
  • Shared folder
  • Printer (Most are automatically published) - Windows NT shared printers are not published automatically.

It is also used to publish resources, control security and access to objects, and set up administrative control of objects to users. Published resources allow users to find and use them without knowing what server they reside on. Most browse lists do not cross subnet boundaries, but published resources are seen across subnets. These published resources may be browsed from "My Network Places". The "Computer Management" administrative tool or "Active Directory Users and Computers" is used to publish resources in Active Directory.


Active Directory Administration

Active Directory is normally administered from domain controllers but can be administered from a Windows 2000 Professional workstation by using the ADMINPAK tool. It is on the Windows 2000 CDROM in the directory /i386/Adminpak.msi.

Action Items that can be selected from the domain:

  • New
    • Shared Folder
    • Printer
  • Find

View Menu items:

  • Advanced Features - Used to set object permissions.

When using Active Directory Users and Computers, once the domain is highlighted, the following options are available by selecting the menu item, "Action", and "New".

  • Organizational Unit

To configure an object, click the + next to the domain name, and highlight the object. The following selections are available by selecting "Action":

  • Properties

Searching With Windows Explorer

Windows Explorer can be used to search for Active Directory objects. This is done by selecting "View", Explorer Bar", and "Search".

Publishing Resources

Publishing is the act of making an object publically browseable and accessible using Active directory. Most objects are automatically listed in Active Directory when they are created, but some objects must be published to be made available. Things that are not automatically published:

  • Windows NT shared printers
  • Computers outside the domain.
Moving AD Objects

From Active Directory Users and Computers click the + next to the domain name, and highlight the object. Right click on the object in the right pane to be moved, and select Move. Expand any container objects required, and highlight the container to move the object to, then click "OK".

To move an object to another directory, use the command line program called MoveTree.exe. This program is part of the "Windows 2000 Support Tools "on the Windows 2000 Server or above CD in \Support\Tools.

Changes

When a user is moved from one OU to another the following is true:

  • The user inherits permissions from the new OU.
  • The user loses permissions from the original OU.
  • The users and groups that could manage the user still can manage the user.

The MoveTree.exe tool is used to move an OU from one domain to another.

The "Delegation of Control Wizard" or "Active Directory Users and Computers" can be used to delegate OU administrative control to a specific user.