Expertise in .NET Technologies


Step-by-Step Guide to Managing Active Directory

Posted by Ravi Varma Thumati on October 16, 2009

This guide introduces you to administration of the Windows Server 2003 Active Directory service and the Active Directory Users and Computers snap-in.

On This Page
  • Introduction
  • Overview
  • Using Active Directory Domains and Trusts Snap-In
  • Using the Active Directory Users and Computers Snap-In
  • Additional Resources


Step-by-Step Guides

The Microsoft Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory, the installation of a Windows XP Professional workstation, and finally the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not wish to follow this common network infrastructure, you will need to make appropriate modifications while using these guides.

The common network infrastructure requires the completion of the following guides.

  • Part I: Installing Windows Server 2003 as a Domain Controller
  • Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.

Microsoft Virtual PC

The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios.

The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification.

Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.

Important Notes

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.


This guide introduces you to administration of the Windows Server 2003 Active Directory service. The Active Directory administrative tools simplify directory service administration. You can use the standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on single management tasks. You can combine several tools into one console. You can also assign custom tools to individual administrators with specific administrative responsibilities.

The Active Directory administrative tools can only be used from a computer with access to a domain. The following Active Directory administrative tools are available on the Administrative Tools menu:

  • Active Directory Users and Computers
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services

You can also remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. To do this, you must install the Windows Server 2003 Administration Tools Pack.

The Active Directory Schema snap-in is an Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu and must be added manually.

For advanced administrators and network support specialists, there are many command-line tools that can be used to configure, manage, and troubleshoot Active Directory. You can also create scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on the operating system installation media.


Guide Requirements

This guide assumes that you have completed the following guides in this series:

  • Part I: Installing Windows Server 2003 as a Domain Controller
  • Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
  • Step-by-Step Guide to Setting up Additional Domain Controllers

You must be logged on as a user with administrative privileges to perform the procedures in this document.

If you are working on a domain controller, the Active Directory Schema snap-in might not be installed. To install it, at a command prompt, type:

    regsvr32 schmmgmt.dll

The Active Directory Schema management snap-in will now be available within MMC.

On Windows Server 2003–based stand-alone servers or Windows XP Professional workstations, the Active Directory Administrative Tools are optional. You can install them from Add/Remove Programs in Control Panel using the Windows Components wizard, or from the ADMINPAK on the Windows Server 2003 CD.

Using Active Directory Domains and Trusts Snap-In

The Active Directory Domains and Trusts snap-in provides a graphical view of all domain trees in the forest. Using this tool, an administrator can manage each of the domains in the forest, manage trust relationships between domains, configure the mode of operation for each domain (native or mixed mode), and configure the alternative User Principal Name (UPN) suffixes for the forest.

Starting the Active Directory Domains and Trusts Snap-In

To start the snap-in

  1. On HQ-CON-DC-01, click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts snap-in appears as in Figure 1.


Figure 1.  Active Directory Domains and Trusts Snap-In

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of the forest. In this guide and the other step-by-step guides in this series, the default UPN suffix is

You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows Server 2003 domain and is not required to be a valid DNS domain name.

To add additional UPN suffixes

  1. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties.
  2. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.
  3. Click OK to close the window.
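The same configuration can be read and changed from a script. The following PowerShell is an added example, not code from the original guide: it lists the alternate UPN suffixes of the forest and optionally adds one. Alternate suffixes are stored in the multi-valued uPNSuffixes attribute of CN=Partitions in the configuration naming context, so writing them requires Enterprise Admins rights. It assumes PowerShell 2.0 or later on a domain-joined machine; corp.example is a constructed sample suffix.

```powershell
# Added example (not part of the original guide): list alternate UPN suffixes and
# optionally add new ones. Without -Commit the script only reports what it would do.
param(
    [string[]]$SuffixesToAdd = @("corp.example"),   # constructed sample suffix
    [switch]$Commit
)

$rootDse    = [ADSI]"LDAP://RootDSE"
$configDn   = [string]$rootDse.configurationNamingContext
$rootDomain = [string]$rootDse.rootDomainNamingContext
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

# The implicit default suffix is the forest root DNS name, derived here from its DN.
$defaultSuffix = ($rootDomain -split "," | ForEach-Object { $_ -replace "^DC=", "" }) -join "."
Write-Host "Default UPN suffix: $defaultSuffix"

$existing = @($partitions.psbase.Properties["uPNSuffixes"] | ForEach-Object { [string]$_ })
Write-Host "Alternate UPN suffixes: $(if ($existing) { $existing -join ', ' } else { '(none)' })"

foreach ($suffix in $SuffixesToAdd) {
    # -contains is case-insensitive, matching how the directory treats suffixes
    if ($existing -contains $suffix) {
        Write-Host "Skipping '$suffix': already present"
        continue
    }
    if (-not $Commit) {
        Write-Host "Would add '$suffix' (re-run with -Commit to apply)"
        continue
    }
    $null = $partitions.psbase.Properties["uPNSuffixes"].Add($suffix)
    $partitions.psbase.CommitChanges()
    Write-Host "Added '$suffix'"
}
```

Run it once without -Commit to confirm the suffix is not already defined; the suffix does not have to resolve in DNS, as the text above notes, but it should not collide with a DNS name in use by another forest you trust.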

Changing Domain and Forest Functionality

Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain-wide or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.

If all domain controllers in your domain or forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain-wide and forest-wide features are available. When Windows NT® 4.0 or Windows 2000 domain controllers are included in your domain or forest with domain controllers running Windows Server 2003, only a subset of Active Directory domain-wide and forest-wide features are available.

The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security ID (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows 2000 Server are not aware of domain and forest functionality.

Warning:  Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.

Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.

To raise domain functionality

  1. Right-click the domain object (in the example,, and then click Raise Domain Functional Level.
  2. From the Select an available domain functional level drop-down list, select Windows Server 2003, and then click Raise.
  3. Click OK on the warning message to raise domain functionality. Click OK again to complete the process.
  4. Close the Active Directory Domains and Trusts window.
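Because the raise cannot be undone, it is worth checking the current level and every domain controller's operating system first. The following PowerShell is an added example, not code from the guide: it reads the domain's msDS-Behavior-Version and ntMixedDomain attributes and enumerates domain controllers by the SERVER_TRUST_ACCOUNT bit in userAccountControl. It only reads; it assumes PowerShell 2.0 or later and read access to the domain.

```powershell
# Added example (not the guide's own code): report the domain functional level and
# the operating system of each DC before raising the level in Domains and Trusts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

function Get-FirstValue($searchResult, [string]$attribute) {
    $values = $searchResult.Properties[$attribute]
    if ($values.Count -gt 0) { [string]$values[0] } else { "" }
}

# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003. ntMixedDomain: 1 = mixed mode, 0 = native mode.
$behavior = [int]$domain.psbase.Properties["msDS-Behavior-Version"].Value
$mixed    = [int]$domain.psbase.Properties["ntMixedDomain"].Value
$level = switch ($behavior) {
    0       { if ($mixed -eq 1) { "Windows 2000 mixed" } else { "Windows 2000 native" } }
    1       { "Windows Server 2003 interim" }
    2       { "Windows Server 2003" }
    default { "unknown (msDS-Behavior-Version=$behavior)" }
}
Write-Host "Domain $domainDn is at functional level: $level"

# Domain controllers are the computer objects with SERVER_TRUST_ACCOUNT (0x2000 = 8192)
# set in userAccountControl; the OID is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$null = $searcher.PropertiesToLoad.AddRange(@("name", "operatingSystem", "operatingSystemVersion"))

$olderDcs = @()
foreach ($result in $searcher.FindAll()) {
    $name = Get-FirstValue $result "name"
    $os   = Get-FirstValue $result "operatingsystem"
    $ver  = Get-FirstValue $result "operatingsystemversion"
    Write-Host ("  {0,-18} {1} {2}" -f $name, $os, $ver)
    if ($os -notmatch "Windows Server 2003") { $olderDcs += $name }
}

if ($olderDcs.Count -gt 0) {
    Write-Warning "DCs not running Windows Server 2003: $($olderDcs -join ', '). Upgrade or demote them before raising the level."
} else {
    Write-Host "All DCs run Windows Server 2003; the level can be raised from Domains and Trusts."
}
```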

Using the Active Directory Users and Computers Snap-In

To start the Active Directory Users and Computers snap-in

  1. Click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand by clicking +.

Figure 2 displays the key components of the Active Directory Users and Computers snap-in.


Figure 2.  Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

  • Domain: The root node of the snap-in represents the domain being administered.
  • Computers: Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003–based computers that join a domain. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. You can move these objects.
  • System: Contains Active Directory systems and services information.
  • Users: Contains all the users in the domain. In an upgrade, all users from the previous domain will be migrated. Like computers, the user objects can be moved.

You can use Active Directory to create the following objects.

  • User: A user object is a security principal in the directory. A user can log on to the network with these credentials, and access permissions can be granted to users.
  • Contact: A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail.
  • Computer: An object that represents a computer on the network. For Windows NT–based workstations and servers, this is the machine account.
  • Organizational Unit: Organizational units (OUs) are used as containers to logically organize directory objects such as users, groups, and computers, in much the same way that folders are used to organize files on your hard disk.
  • Group: Groups can contain users, computers, and other groups. Groups simplify the management of large numbers of objects.
  • Shared Folder: A shared folder is a network share that has been published in the directory.
  • Shared Printer: A shared printer is a network printer that has been published in the directory.

Adding an Organizational Unit

This procedure creates an additional OU in the Contoso domain. Note that you can create nested OUs, and there is no limit to the nesting levels.

These steps follow the Active Directory structure established in the common infrastructure step-by-step guides. If you did not create that structure, add the OUs and users directly under; that is, where Accounts is referred to in the procedure, substitute

To add an OU

  1. Click the + next to Accounts to expand it.
  2. Right-click Accounts.
  3. Point to New and click Organizational Unit. Type Construction as the name of your new organizational unit, and then click OK.

Repeat the previous steps to create additional OUs as follows:

  1. Organizational unit Engineering under Accounts.
  2. Organizational unit Manufacturing under Accounts.
  3. Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-click Manufacturing, point to New, and then click Organizational Unit.)
  4. Organizational units Corporate and Government under the Manufacturing organizational unit. Click Manufacturing so that its contents will display in the right pane.

When you are finished, you should have the following hierarchy as shown in Figure 3.


Figure 3.  New OUs

Creating a User Account

The following procedure creates the user account John Smith in the Construction OU.

To create a user account

  1. Right-click the Construction organizational unit, point to New, and then click User, or click New User on the snap-in toolbar.
  2. Type user information as shown in Figure 4.


Figure 4.  New User Dialog Box

  3. Click Next to continue.
  4. Type pass#word1 in both the Password and Confirm password boxes, and then click Next.

Note:  The role that passwords play in securing an organization’s network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Windows Server 2003 family has a new feature that requires complex passwords for all newly established user accounts.

  5. Click Finish to accept the confirmation in the next dialog box.

You have now created an account for John Smith in the Construction OU.

To add additional information about this user

  1. Select Construction in the left pane, right-click John Smith in the right pane, and then click Properties.
  2. Add more information about the user in the Properties dialog box on the General tab as shown in Figure 5, and then click OK. Click each available tab and review the optional user information that may be defined.


Figure 5.  Additional User Information

Moving a User Account

Users can be moved from one OU to another within the same domain or a different domain. For example, in this procedure, John Smith moves from the Construction division to the Engineering division.

To move a user from one OU to another

  1. Click the John Smith user account in the right pane, right-click it, and then click Move.
  2. On the Move screen, click + next to Accounts to expand it as shown in Figure 6.


Figure 6.  List of Available OUs

  3. Click the Engineering OU, and then click OK.

Creating a Group: To create a group

  1. Right-click the Engineering OU, point to New, and then click Group.
  2. In the New Object – Group dialog box, type Tools for Name.
  3. Review the type and scope of groups available in Windows Server 2003 as shown in the following table. Leave the default settings, and then click OK to create the Tools group.

  • The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers. Both security and distribution groups can be used for e-mail distribution lists.
  • The Group scope determines the visibility of the group and what type of objects can be contained within the group.

Scope          Visibility   May Contain
Domain Local   Domain       Users, Domain Local, Global, or Universal Groups
Global         Forest       Users or Global Groups
Universal      Forest       Users, Global, or Universal Groups

Adding a User to a Group: To add a user to a group

  1. Click the Engineering OU in the left pane.
  2. Right-click the Tools group in the right pane, and then click Properties.
  3. Click the Members tab, and then click Add.
  4. In the Enter the object names to select text box, type John, and then click OK.


Figure 7.  Add John Smith to the Tools Security Group

  5. On the Tools Properties screen, verify that John Smith is now a member of the Tools security group, and then click OK.
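The OU, user, group and membership steps above can also be done through Active Directory Service Interfaces, which the guide mentions for scripting. The following PowerShell is an added example and not code from the original guide: it creates the Construction and Engineering OUs under Accounts, the user John Smith, the global security group Tools, and adds John to Tools, using System.DirectoryServices. It assumes PowerShell 2.0 or later, that the Accounts OU from the common infrastructure exists and the caller can create objects in it; the logon name jsmith is a constructed sample, and the initial password is prompted for rather than written into the script.

```powershell
# Added example (not part of the original guide): OU, user and group creation
# through System.DirectoryServices. Safe to re-run: existing objects are reused.
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDn   = [string]$rootDse.defaultNamingContext
$dnsDomain  = ($domainDn -split "," | ForEach-Object { $_ -replace "^DC=", "" }) -join "."
$accountsDn = "OU=Accounts,$domainDn"

# Create a child object if it is missing and return it either way.
function Get-OrCreateEntry([string]$ParentDn, [string]$Rdn, [string]$Class) {
    $path = "LDAP://$Rdn,$ParentDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $parent = [ADSI]"LDAP://$ParentDn"
        $new = $parent.psbase.Children.Add($Rdn, $Class)
        $new.psbase.CommitChanges()
        Write-Host "Created $Rdn,$ParentDn"
    }
    return [ADSI]$path
}

$null = Get-OrCreateEntry $accountsDn "OU=Construction" "organizationalUnit"
$null = Get-OrCreateEntry $accountsDn "OU=Engineering"  "organizationalUnit"

# User: sAMAccountName is the pre-Windows 2000 logon name, userPrincipalName the
# RFC 822 style logon name (default suffix = the domain's DNS name).
$user = Get-OrCreateEntry "OU=Construction,$accountsDn" "CN=John Smith" "user"
$user.psbase.Properties["sAMAccountName"].Value    = "jsmith"          # constructed sample
$user.psbase.Properties["userPrincipalName"].Value = "jsmith@$dnsDomain"
$user.psbase.Properties["givenName"].Value         = "John"
$user.psbase.Properties["sn"].Value                = "Smith"
$user.psbase.Properties["displayName"].Value       = "John Smith"
$user.psbase.CommitChanges()

# A user created this way starts disabled (userAccountControl 0x202). Set a password
# that meets the domain policy first, then clear ACCOUNTDISABLE by writing 0x200.
$secure = Read-Host "Initial password for jsmith" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $user.psbase.Invoke("SetPassword", [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
$user.psbase.Properties["userAccountControl"].Value = 0x200
$user.psbase.CommitChanges()

# Group: groupType combines a scope bit (0x2 global, 0x4 domain local, 0x8 universal)
# with 0x80000000 for security-enabled; without that bit it is a distribution group.
# 0x80000002 (global security, the snap-in default) is stored as signed Int32 -2147483646.
$group = Get-OrCreateEntry "OU=Engineering,$accountsDn" "CN=Tools" "group"
$group.psbase.Properties["sAMAccountName"].Value = "Tools"
$group.psbase.Properties["groupType"].Value      = -2147483646

# Membership is the multi-valued member attribute, holding distinguished names.
$userDn = "CN=John Smith,OU=Construction,$accountsDn"
if (@($group.psbase.Properties["member"]) -notcontains $userDn) {
    $null = $group.psbase.Properties["member"].Add($userDn)
}
$group.psbase.CommitChanges()
Write-Host "Tools members: $(@($group.psbase.Properties['member']) -join '; ')"
```

SetPassword needs a protected connection to the domain controller; from a domain member bound with an LDAP:// path it is carried over Kerberos, which is why the example does not pass credentials on the command line.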

Publishing a Shared Folder

To help users find shared folders more easily, you can publish information about shared folders in Active Directory. Any shared network folder, including a Distributed File System (Dfs) folder, can be published in Active Directory. Creating a Shared folder object in the directory does not automatically share the folder. This is a two-step process: you must first share the folder, and then publish it in Active Directory.

To share a folder

  1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk volumes.
  2. In Windows Explorer, right-click the Engineering Specs folder, and then click Properties. Click Sharing, and then click Share this folder.
  3. On the Engineering Specs Properties screen, type ES in the Share name box, and then click OK. Close Windows Explorer once complete.

Note:  By default, the built-in Everyone group has permissions to this shared folder. You can change the default permission by clicking the Permissions button.

Publishing the Shared Folder in the Directory

To publish the shared folder in the directory

  • In the Active Directory Users and Computers snap-in, right-click the Engineering OU, point to New, and then click Shared Folder.
  • On the New Object – Shared Folder screen, type Engineering Specs in the Name box.
  • In the Network Path name box, type \\\ES, and click OK.  
  • Right-click Engineering Specs, and then click Properties.
  • Click Keywords. For New Value, type specifications, and then click Add to continue. Click OK twice to finish.

Users may now search Active Directory by share name or keyword to locate this shared resource.

Searching for a Shared Folder

To find a shared folder

  • In the Active Directory Users and Computers MMC, right-click Contoso, and then click Find.
  • In the Find drop-down list, click Shared Folders. Type specifications in the Keywords text box, and then click Find Now.  
  • In Search results, right-click Engineering Specs, and then click Open.


Figure 8.  Searching for Shared Folders in Active Directory

Note:  When populated, the ES shared folder contents will be available to end users through directory searches. Users may also map this shared resource as a network drive.

  • Close the Find Shared Folders dialog box.
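The publish-and-search procedure above corresponds to a volume object in the directory. The following PowerShell is an added example, not code from the original guide: it publishes the ES share in the Engineering OU with the keyword specifications and then searches the domain by keyword as the Find dialog does. Publishing only records the UNC path; the share must already exist on the server. It assumes PowerShell 2.0 or later, that the Engineering OU exists, and SERVERNAME is a placeholder for the host that shares the folder.

```powershell
# Added example (not the guide's own code): publish a shared folder as a volume
# object and find published shares by keyword.
$rootDse       = [ADSI]"LDAP://RootDSE"
$domainDn      = [string]$rootDse.defaultNamingContext
$engineeringDn = "OU=Engineering,OU=Accounts,$domainDn"
$uncPath       = "\\SERVERNAME\ES"       # placeholder server name
$keyword       = "specifications"

$volumePath = "LDAP://CN=Engineering Specs,$engineeringDn"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($volumePath)) {
    $ou     = [ADSI]"LDAP://$engineeringDn"
    $volume = $ou.psbase.Children.Add("CN=Engineering Specs", "volume")
    $volume.psbase.Properties["uNCName"].Value = $uncPath   # mandatory attribute of volume
    $volume.psbase.CommitChanges()
    Write-Host "Published $uncPath as Engineering Specs"
}
$volume = [ADSI]$volumePath
if (@($volume.psbase.Properties["keywords"]) -notcontains $keyword) {
    $null = $volume.psbase.Properties["keywords"].Add($keyword)   # multi-valued
    $volume.psbase.CommitChanges()
}

function Get-FirstValue($searchResult, [string]$attribute) {
    $values = $searchResult.Properties[$attribute]
    if ($values.Count -gt 0) { [string]$values[0] } else { "" }
}

# Search the whole domain for published shares carrying the keyword. $keyword is a
# fixed literal here; a value taken from a user must be escaped per RFC 4515 before
# it is placed inside an LDAP filter.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter = "(&(objectClass=volume)(keywords=$keyword))"
$null = $searcher.PropertiesToLoad.AddRange(@("cn", "uNCName", "distinguishedName"))
$searcher.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        Name = Get-FirstValue $_ "cn"
        Path = Get-FirstValue $_ "uncname"
        DN   = Get-FirstValue $_ "distinguishedname"
    }
} | Format-Table Name, Path, DN -AutoSize
```

The directory entry tells users where the share is; it grants nothing. Access is still decided by the share and NTFS permissions on the server, which is why the note above about the Everyone group matters.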

Publishing a Printer

You can also publish information about shared printers in Active Directory. Information about printers shared from Windows NT must be published manually. Information about printers shared from the Windows Server 2003 family or the Windows 2000 Server family is published to the directory automatically when you create a shared printer. Use Active Directory Users and Computers to manually publish shared printer information.

The print subsystem will automatically propagate changes to the printer attributes (location, description, loaded paper, and so on) to the directory.

Note:  This section details the steps to configure and publish a printer that prints directly to a file. If you want to use an IP-, LPT-, or USB-based printer, you must modify the steps in these procedures.

Adding a New Printer: To add a new printer

  1. Click the Start button, click Printers and Faxes, and then double-click Add Printer. The Add Printer Wizard appears. Click Next.
  2. Click Local printer attached to this computer, clear the Automatically detect and install my Plug and Play printer check box, and then click Next.
  3. In the Use the following port drop-down list, click the FILE: (Print to File) option, and then click Next.
  4. In the Manufacturer results pane, click Generic. In the Printers results pane, click Generic / Text Only. Click Next to continue.
  5. On the Name Your Printer page, change the Printer name to Print to File, and then click Next.
  6. On the Printer Sharing page, change the Share name to FilePrinter, and then click Next.
  7. For Location on the Location and Comment page, type Headquarters – Bldg 4 – Room 2200. Click Next to continue.
  8. Click Next to print a test page, and then click Finish to complete the installation.
  9. When prompted, type Test Print as the file name for the printer test page. Click OK once complete.

The printer is automatically published in Active Directory.

Locating a Printer in Active Directory: To find a printer in Active Directory

  1. On the Printers and Faxes screen, double-click the Add Printer icon.
  2. The Add Printer Wizard dialog box appears. Click Next to continue.
  3. Click A network printer, and then click Next.
  4. Click Find a printer in the Directory (default), and then click Next.
  5. The Find Printers dialog box appears. Click Find Now to search for all printers published in Active Directory. Setting additional search options can limit results by available features or printer location.

Printer Location Tracking:  Use printer location tracking to streamline printer searches. When printer location tracking is enabled and the user clicks Find Now, Active Directory lists all printers matching the user’s query that are in the user location. Users can change the location field by clicking Browse to search for printers in other locations. For more information about configuring printer location tracking, see the Windows Server 2003 Help and Support Center.

  6. In the Search results on the Find Printers page, double-click Print to File to install the printer. Click Yes (default) to set this printer as the default printer for your system, and then click Next.


Figure 9.  Searching for Shared Printers in Active Directory

  7. Click Finish to complete the printer installation.
  8. Close the Printers and Faxes window.

You can publish printers shared by operating systems other than Windows Server 2003, Windows 2000, or Windows XP in Active Directory. The simplest way to do this is to use the pubprn.vbs script, although the Active Directory Users and Computers snap-in can be used. This script will publish all the shared printers on a given server. It is located in the \winnt\system32 directory.

Publishing a Printer Manually Using the pubprn.vbs Script

To publish a printer manually using the pubprn.vbs script

  • Click the Start button, and then click Run. Type cmd in the text box, and then click OK.
  • Type cd \windows\system32, and then press Enter.
  • Type cscript pubprn.vbs prserv1 "LDAP://ou=accounts,dc=contoso,dc=com", and then press Enter.
  • Note:  This example publishes all the printers on the Prserv1 server to the Accounts OU. The script copies only a subset of the printer attributes: Location, Model, Comment, and UNCPath. The script does not apply to printers shared from Windows Server 2003, which are published automatically; it is provided as a manual tool for publishing printers from down-level print servers only.
  • Close the window.

Publishing a Printer Manually Using the Active Directory Users and Computers Snap-In

  1. Right-click the Marketing OU, click New, and then click Printer.
  2. The New Object – Printer dialog box appears. In the text box, type the path to the printer, such as \\server\share name, and then click OK.

End users experience seamless operations from printers being published in the directory since they can browse for printers, submit jobs to those printers, and install the printer drivers directly from the server.

Creating a Computer Object

A computer object is created automatically when a computer joins a domain. If you do not want to give all users the ability to add computers to the domain, you can instead create the computer objects in advance, manually or by script, before the computers join the domain.

To manually add a computer to the domain

  1. Right-click the Engineering OU, point to New, and then click Computer.
  2. For the computer name, type Legacy, and then click Next.
  3. If the computer is a managed system, you can enter the system GUID. In this example, leave the system GUID blank, click Next, and then click Finish.
  4. To manage this computer from the Active Directory Users and Computers snap-in, right-click the computer object, and then click Manage.

Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.

Renaming, Moving, and Deleting Objects

Every object in the directory can be renamed and deleted, and most objects can be moved to different containers. The following procedure expands the example for creating a computer object.

To move the Legacy computer object to a different container

  1. In the Accounts OU, click the Engineering OU.
  2. Right-click the Legacy computer object, and then click Move.
  3. Expand the Resources OU, and then click to highlight Servers as shown in Figure 10.


Figure 10.  Moving a Computer Object

  4. Click OK to move the computer to the Servers OU within the Resources OU.
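Both the pre-creation of the Legacy computer object and the move above can be scripted. The following PowerShell is an added example, not code from the original guide: it pre-creates the account in Engineering the way the snap-in does and then moves it to Resources\Servers with DirectoryEntry.MoveTo. It assumes PowerShell 2.0 or later and that the Engineering and Resources\Servers OUs exist as in the common infrastructure.

```powershell
# Added example (not part of the original guide): pre-create a computer account,
# then move it between OUs.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$sourceDn = "OU=Engineering,OU=Accounts,$domainDn"
$targetDn = "OU=Servers,OU=Resources,$domainDn"

$computerPath = "LDAP://CN=Legacy,$sourceDn"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($computerPath)) {
    $ou = [ADSI]"LDAP://$sourceDn"
    $computer = $ou.psbase.Children.Add("CN=Legacy", "computer")
    $computer.psbase.Properties["sAMAccountName"].Value = 'LEGACY$'   # machine accounts end in $
    # The snap-in pre-stages accounts as WORKSTATION_TRUST_ACCOUNT (0x1000) plus
    # PASSWD_NOTREQD (0x20) = 4128. The join sets a real machine password and clears
    # 0x20; accounts that never join keep it, which is worth auditing periodically.
    $computer.psbase.Properties["userAccountControl"].Value = 4128
    $computer.psbase.CommitChanges()
    Write-Host "Pre-created CN=Legacy in $sourceDn"
}
$computer = [ADSI]$computerPath

# Move: the distinguished name changes, objectGUID and objectSid do not, so group
# memberships and ACL entries that refer to the object stay valid. Renaming works
# the same way via $computer.psbase.Rename("CN=NewName"), but renaming the directory
# object does not rename the machine itself.
$target = [ADSI]"LDAP://$targetDn"
$computer.psbase.MoveTo($target)
Write-Host "Moved to $($computer.psbase.Path)"
```

Who may complete the join with a pre-created account is controlled by the permissions on that computer object, which is the mechanism the sentence above refers to when it says someone with lesser rights can install the computer.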

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory Users and Computers snap-in. Computer Management is a component you can use to view and control many aspects of the computer configuration. Computer Management combines several administration utilities into a single console tree, providing easy access to a local or remote computer’s administrative properties and tools.

Note:  The following example assumes that you are working from the HQ-CON-DC-01 console and that HQ-CON-DC-02 is currently running.

Managing a Remote Computer: To manage a remote computer

  1. In the Active Directory Users and Computers snap-in, right-click, and then click Connect to Domain.
  2. Click Browse, and then click the + next to Double-click, and then click OK.
  3. Expand by clicking the +, and then click Domain Controllers.
  4. Right-click HQ-CON-DC-02, and then click Manage. The system may now be remotely managed as shown in Figure 11.


Figure 11.  Remotely Managing a Computer

  5. Close the Computer Management window.

Nested Groups

Nested groups allow you to provide company-wide or department-wide access to resources with minimum maintenance. Placing every team account group into a single company-wide resource group is not an effective solution because it requires the creation and maintenance of a large number of membership links. To use nested groups, administrators create a series of account groups that represent the managerial divisions of the company.

For example, the top account group might be called “All Employees,” and would be attached to a resource group that gives access to resources and shared directories. The next level might contain account groups that represent major divisions of the company. Each group at this level is a member of All Employees, and is attached to a resource group giving access to shares and other resources appropriate to the division it represents.

Within a division, the next level of account groups might represent departments. Shared resources for the department might include project schedules, meeting schedules, vacation schedules, or any network information appropriate to the whole department. The department account groups are all members of the division account group.

Within a department, the management structure can be organized into security groups to any required level of specificity. These might be team account groups and might represent leaf nodes in the organization’s hierarchical tree.

With this group hierarchy in place, you can give a new employee instant access to the resources of the team, the department, the division, and the company as a whole by placing the employee in a team account group. This system supports the principle of least access because the new employee cannot view the resources of adjacent teams, other departments, or other divisions.

Creating Nested Groups: To create a nested group

  1. In the Active Directory Users and Computers snap-in, right-click, and then click Connect to Domain.
  2. Click Browse, and then click Click OK twice to finish.
  3. Expand, and then expand the Accounts OU.
  4. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group. Type All Engineering, and then click OK. 
  5. Right-click the All Engineering Group, and then click Properties.
  6. Click the Members tab, and then click Add.
  7. In the Enter the object names to select box, type Tools, and then click OK.
  8. Click OK again. A nested group has been created.
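Once groups are nested, the effective membership of a group is no longer visible on one Members tab. The following PowerShell is an added example, not code from the original guide: it creates All Engineering, nests Tools inside it, and then expands membership recursively with loop protection so an administrator can see who actually holds a group's access. It assumes PowerShell 2.0 or later and that the Tools group exists in OU=Engineering,OU=Accounts as created earlier.

```powershell
# Added example (not the guide's own code): build a nested group and expand its
# effective membership.
$rootDse       = [ADSI]"LDAP://RootDSE"
$domainDn      = [string]$rootDse.defaultNamingContext
$engineeringDn = "OU=Engineering,OU=Accounts,$domainDn"

$allPath = "LDAP://CN=All Engineering,$engineeringDn"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($allPath)) {
    $ou  = [ADSI]"LDAP://$engineeringDn"
    $all = $ou.psbase.Children.Add("CN=All Engineering", "group")   # default: global security
    $all.psbase.Properties["sAMAccountName"].Value = "All Engineering"
    $all.psbase.CommitChanges()
}
$all     = [ADSI]$allPath
$toolsDn = "CN=Tools,$engineeringDn"
if (@($all.psbase.Properties["member"]) -notcontains $toolsDn) {
    $null = $all.psbase.Properties["member"].Add($toolsDn)     # group as a member = nesting
    $all.psbase.CommitChanges()
}

# Walk member -> member recursively. $Seen stops infinite loops: the directory allows
# A to contain B while B contains A. For groups above 1500 members the member
# attribute is returned in ranges and would need ranged retrieval.
function Expand-GroupMembers([string]$GroupDn, [hashtable]$Seen = @{}, [int]$Depth = 0) {
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in $group.psbase.Properties["member"]) {
        $member = [ADSI]"LDAP://$memberDn"
        $class  = [string]$member.psbase.SchemaClassName
        New-Object PSObject -Property @{
            Depth = $Depth; Class = $class; DistinguishedName = [string]$memberDn
        }
        if ($class -eq "group") {
            Expand-GroupMembers -GroupDn $memberDn -Seen $Seen -Depth ($Depth + 1)
        }
    }
}

Expand-GroupMembers -GroupDn "CN=All Engineering,$engineeringDn" |
    Sort-Object Depth | Format-Table Depth, Class, DistinguishedName -AutoSize
```

Run against All Engineering after the steps above, the listing shows Tools at depth 0 and John Smith at depth 1, which is the access the text describes: a user placed in a team group inherits everything granted to the groups above it.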

Finding Specific Objects

In a large directory deployment, it may be unreasonable to browse a comprehensive list of objects in search of a unique object. Often, it is more efficient to find specific objects that meet a certain criteria. In the following example, you will find all users who have a logon name starting with “J” in the Contoso domain.

To find users with a logon name starting with J

  1. Click to select Right-click, and then click Find.
  2. Click the Advanced tab. In the Field drop-down list, select User, and then click Logon Name.
  3. Type J for Value, and then click Add. Click Find Now. Your results should be similar to those shown in Figure 12.


Figure 12.  Employing Advanced Directory Search Techniques

  4. Close the Find Users, Contacts, and Groups window.
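The Find dialog builds an LDAP filter from the field, condition and value you enter. The following PowerShell is an added example, not code from the original guide: it runs the same search with DirectorySearcher, and escapes the caller-supplied prefix per RFC 4515 first so that filter metacharacters in the value cannot change the meaning of the filter. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to the domain.

```powershell
# Added example (not part of the original guide): find users whose logon name
# starts with a given prefix, with the prefix escaped before it enters the filter.
function ConvertTo-LdapFilterLiteral([string]$Value) {
    # Backslash first, so the escapes added afterwards are not escaped again
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Get-FirstValue($searchResult, [string]$attribute) {
    $values = $searchResult.Properties[$attribute]
    if ($values.Count -gt 0) { [string]$values[0] } else { "" }
}

function Find-UsersByLogonPrefix([string]$Prefix, [string]$SearchBaseDn) {
    $literal  = ConvertTo-LdapFilterLiteral $Prefix
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBaseDn")
    # objectCategory=person with objectClass=user excludes computer accounts, which are
    # also of class user; the trailing * is the only wildcard the search intends.
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$literal*))"
    $searcher.PageSize = 500      # paged results, so the server's 1000-entry limit does not truncate
    $null = $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "displayName", "distinguishedName"))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                LogonName   = Get-FirstValue $r "samaccountname"
                DisplayName = Get-FirstValue $r "displayname"
                DN          = Get-FirstValue $r "distinguishedname"
            }
        }
    } finally {
        $results.Dispose()        # releases the server-side search handle
    }
}

$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
Find-UsersByLogonPrefix -Prefix "J" -SearchBaseDn $domainDn |
    Format-Table LogonName, DisplayName, DN -AutoSize
```

With the prefix J this returns John Smith's jsmith account together with any other logon names beginning with J, the same result set as Figure 12.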

Filtering a List of Objects

Filtering the list of returned objects from the directory can allow you to manage the directory more efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in. For example, you can choose to view only users and groups, or you may want to create a more complex filter. If an OU has more than a specified number of objects, the Filter function allows you to restrict the number of objects displayed in the results pane. You can use the Filter function to configure this option.

To create a filter designed to display users only

  1. In the Active Directory Users and Computers snap-in, click Engineering under the Accounts OU.
  2. Click the View menu, and then click Filter Options.
  3. Click the radio button for Show only the following types of objects, select Users, and then click OK.
  4. Expand Accounts, and then click Engineering to verify the filtering results.
  5. Remove the filter.
