Active Directory Objects
The Active Directory data store, also referred to simply as the directory, contains data on users, groups, and computers, and on which resources those users, groups, and computers can access. It holds all Active Directory information. Each domain controller in a domain holds a readable and writable replica of the portion of the data store that pertains to its own domain, so users and computers can keep using the directory when one domain controller is offline: any other domain controller in the domain can answer the request. Every domain controller holds three directory partitions: a domain directory partition, a configuration directory partition, and a schema directory partition. Information on the domain itself lives in the domain directory partition.
The domain partition holds the users, groups, computers, and other network resources of the domain, together with the permissions that govern access to them. The configuration directory partition describes the Active Directory topology: the forest, its domains and domain trees, and the sites and services within it. Domains, trees, and forests are referred to as the logical components of Active Directory. The schema directory partition contains the definitions that control which object classes and attributes can exist in Active Directory. The configuration and schema partitions are forest-wide and are replicated to every domain controller in the forest, whereas a domain partition is replicated only to the domain controllers of that domain.
As mentioned previously, each directory partition on a domain controller contains a different kind of information. Some of it describes network resources: the users, groups, computers, security policies, printers, and so forth stored in Active Directory. Information on the services that make those resources available to network users is also stored in Active Directory. The network resources stored in Active Directory are known as Active Directory objects; in fact, most of the components of Active Directory are objects, so Active Directory is made up of objects of different kinds. The schema partition holds the rules that define which objects and attributes can exist in Active Directory.
Because Active Directory holds information on specific types of objects, such as printer objects, user objects, and computer objects, Active Directory objects are divided into object classes. An object class is a named grouping of attributes. The particular grouping of attributes defines an object and therefore describes its configuration and characteristics. Attributes are also sometimes called properties. Each object class has its own set of attributes, and that set distinguishes the class from other object classes. For instance, a user object has a different set of attributes from a computer object, and both differ from printer and domain controller objects. A user object has attributes such as the logon name, department, and password (the password itself is stored only as hashes in a write-only attribute; it cannot be read back over LDAP), while a printer object has attributes such as make, model, and manufacturer.
Object classes can also inherit attributes from a parent class. An administrator who needs a new class whose attributes largely match an existing class can define it as a child class of that parent and specify only the additional attributes. The new class then consists of the inheritable attributes of the parent class plus the attributes the administrator explicitly defined for it. Schema changes are forest-wide and effectively permanent (a class or attribute can be deactivated but not deleted), which is why the right to modify the schema is restricted to the Schema Admins group.
Because every object in Active Directory stems from a particular object class, each object is an instance of an object class. One instance differs from other instances of the same class because each instance carries its own values for the attributes of that class.
There are three object class types within Active Directory:
- Abstract classes: Active Directory has 14 abstract classes, such as Top, Device, and Security Object. Abstract classes cannot be instantiated; they exist only as templates from which other object classes are derived.
- Structural classes: These are classes such as User and Computer from which objects are actually created in Active Directory.
- Auxiliary classes: These classes cannot be instantiated on their own; they carry a set of attributes that can be added to the definition of a structural or abstract class. Auxiliary classes in Active Directory include Security Principal, SAM Domain, SAM Domain Base, Dynamic Object, MS MMS Object, and Mail Recipient.
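The class types and attribute inheritance described above can be read straight out of the schema partition, because every class is itself an object of class classSchema whose objectClassCategory attribute records whether it is structural, abstract, or auxiliary and whose subClassOf attribute names its parent. The following is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and a reachable domain controller. The class names it queries are the real schema names.

```powershell
# Added example: inspect object class definitions in the schema partition.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# objectClassCategory encodes the class type: 1 structural, 2 abstract, 3 auxiliary
# (0 is the legacy "88-class" category that predates the distinction).
$categoryName = @{ 0 = '88-class'; 1 = 'Structural'; 2 = 'Abstract'; 3 = 'Auxiliary' }

function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, objectClassCategory, subClassOf, auxiliaryClass,
                    systemAuxiliaryClass, mustContain, systemMustContain,
                    mayContain, systemMayContain
}

# Walk the inheritance chain from a class up to 'top', showing what each
# ancestor contributes. This is the attribute inheritance the text describes.
function Show-ClassChain {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $name = $LdapDisplayName
    do {
        $cls = Get-SchemaClass $name
        if (-not $cls) { throw "Class '$name' not found in the schema" }
        # Attributes this class defines itself (mandatory and optional).
        $own = @($cls.mustContain; $cls.systemMustContain;
                 $cls.mayContain;  $cls.systemMayContain) | Where-Object { $_ }
        $aux = @($cls.auxiliaryClass; $cls.systemAuxiliaryClass) | Where-Object { $_ }
        [pscustomobject]@{
            Class      = $cls.lDAPDisplayName
            Category   = $categoryName[[int]$cls.objectClassCategory]
            Parent     = $cls.subClassOf
            Auxiliary  = ($aux -join ',')
            OwnAttribs = @($own).Count
        }
        $done = ($name -eq 'top')      # 'top' is its own parent; stop there
        $name = $cls.subClassOf
    } until ($done)
}

# Count the classes in each category across the whole schema.
function Get-ClassCategoryCounts {
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(objectClass=classSchema)' -Properties objectClassCategory |
      Group-Object { $categoryName[[int]$_.objectClassCategory] } |
      Select-Object Name, Count
}

# user -> organizationalPerson -> person -> top, with the auxiliary classes
# (securityPrincipal, mailRecipient, ...) that are mixed into each level.
Show-ClassChain 'user' | Format-Table -AutoSize
Get-ClassCategoryCounts
```

Running Show-ClassChain against 'computer' shows it as a structural child of 'user', which is why a computer account carries the same logon-related attributes (and the same password semantics) as a user account.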
The common object types within Active Directory are:
- User: A user account is made up of information such as the user logon name, first name, last name, display name, and telephone number. The user account enables a person to log on to a Windows 2000 or Windows Server 2003 domain.
- Contact: This is information on a person who has some connection to the organization, such as a telephone number, e-mail address, and postal address. A contact is not a security principal and cannot log on.
- Group: A group consists of user accounts, other groups, and computers. Groups simplify administration: permissions and rights assigned to a group apply to every member of the group.
- Shared Folder: This is a pointer to a shared folder on the computer. Pointers basically contain the location of the data. The data is not stored in the pointer. When resources are published in Active Directory, an object that holds the pointer to the location of the data or printer is created.
- Printer: This is a pointer to a printer on the computer.
- Computer: The information relates to a computer within a domain.
- Domain Controllers: The information relates to a domain controller within a domain such as its DNS name, description, pre-Windows 2000 name, and its owner.
- OU (Organizational Unit): OUs are logical containers that hold objects such as user accounts, groups, computers, shared resources, and other OUs. OUs are used to organize Active Directory objects; for instance, OUs can be created to mirror the organization's structure. Grouping the directory objects of a domain into OUs makes resources easier to manage. OUs also make it possible to delegate administrative control over one OU in a domain without granting it over another OU in the same domain.
Active Directory objects fall into one of the following categories:
- Container objects: A container object holds other objects. Container objects have a defined location in the directory subtree hierarchy.
- Leaf objects: Unlike container objects, leaf objects do not contain other objects. Leaf objects are located at the end of the subtree hierarchy.
How to create a new user object in Active Directory
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- In the console tree, select the OU wherein the new user object will be created.
- From the Action menu, click New then click User.
- In the New Object – User dialog box, enter information for the fields listed below:
- First name, Initials, Last name, Full name (automatically populated), User logon name, User logon name (pre-Windows 2000). Click Next.
- Enter a password in the Password field and verify the password in the Confirm password field.
- To require the user to set a new password at first logon, leave the User Must Change Password At Next Logon checkbox selected. Click Next.
- Verify the settings entered on the Summary screen.
- Click Finish.
- The new user object is created with the settings specified.
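The same procedure, carried out with the ActiveDirectory PowerShell module and followed by a check of the account flags that matter for security, as an added example that is not code from the original article. The OU, the names, and the UPN suffix are assumed values; the password is prompted for rather than placed in the script so that it does not end up in the script file, the console history, or a log.

```powershell
# Added example: create the user object from the procedure above and verify
# its security-relevant account flags. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ou  = 'OU=Sales,DC=corp,DC=example'   # assumed target OU
$sam = 'jdoe'                           # user logon name (pre-Windows 2000)
$upn = 'jdoe@corp.example'              # user logon name (UPN), assumed suffix

# Read the initial password as a SecureString instead of embedding it.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# -ChangePasswordAtLogon is the "User must change password at next logon" step;
# it sets pwdLastSet to 0 on the new object.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -DisplayName 'Jane Doe' `
    -SamAccountName $sam -UserPrincipalName $upn -Path $ou `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# userAccountControl flag bits worth confirming on any newly created account.
$ACCOUNTDISABLE       = 0x0002
$PASSWD_NOTREQD       = 0x0020    # blank passwords allowed; must be clear
$DONT_EXPIRE_PASSWORD = 0x10000   # password policy bypassed; must be clear

function Test-NewAccountHygiene {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, pwdLastSet
    $uac = [int]$u.userAccountControl
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        DistinguishedName     = $u.DistinguishedName
        Enabled               = -not ($uac -band $ACCOUNTDISABLE)
        MustChangeAtNextLogon = ($u.pwdLastSet -eq 0)                   # expect True
        PasswordNotRequired   = [bool]($uac -band $PASSWD_NOTREQD)       # expect False
        PasswordNeverExpires  = [bool]($uac -band $DONT_EXPIRE_PASSWORD) # expect False
    }
}

Test-NewAccountHygiene -SamAccountName $sam
```

The two "expect False" flags are checked because they can be inherited from a template account or set later by another administrator, and either one silently exempts the account from the domain password policy.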
Locating (Finding) Active Directory Objects
Use the following methods to find Active Directory objects:
- Active Directory Users And Computers console
- Dsquery command
Active Directory Users And Computers console – Find Option
The Active Directory Users and Computers (ADUC) console in the Administrative Tools menu can be used to find Active Directory objects. ADUC contains a Find option that builds a Lightweight Directory Access Protocol (LDAP) query to locate the object(s) requested. Users can build an LDAP query to find the common object types (users, contacts, groups, computers, printers, shared folders, and OUs) and even remote installation servers and clients. When the search scope is set to Entire Directory, the query is sent to a Global Catalog server; because the Global Catalog holds a partial replica of every domain partition in the forest, it can return objects from every domain, but only the subset of attributes that are replicated to the Global Catalog. When the scope is a particular domain, container, or OU, the query is sent to a domain controller for that domain and all attributes are available. The Global Catalog is populated automatically by Active Directory replication. When specifying criteria through the Find option, specify the scope (the entire directory or a particular OU) and then any other search criteria or options.
The different options that can be set on the Find dialog box are outlined below:
- Find: This option selects the object type to search for: users, contacts, groups, computers, printers, shared folders, OUs, or Custom Search. The Custom Search option lets users enter their own LDAP query.
- In: This parameter sets where the search is performed: the entire directory, or a particular domain, container, or OU.
- Browse: Alternatively use the Browse button to specify the search’s path.
- Advanced: Use the Advanced tab to set further search criteria for the objects to be found.
- Field: Field contains those attributes that can be specified for the object type specified for the search.
- Condition: Further define the search criteria for an attribute by setting a condition.
- Value: This parameter is associated with the condition of the attribute that was set in Field. This is where users indicate the value for the condition of the attribute.
- Search Criteria: This box contains the search criteria set for the search. Search criteria are defined through the use of Field, Condition, and Value. Remove search criteria by selecting the criteria to remove, then click the Remove button.
- Find Now: Click this button to start the search for the Active Directory object that the search criteria defined.
- Stop: Click this button to stop the current search being performed. Any items that were found before the Stop button was clicked are displayed in the Search Results pane.
- Clear All: Click this button to clear the search criteria.
- Search Results: This is the pane at the bottom of the dialog box that displays the search results.
The Saved Queries feature is one of the new Windows Server 2003 Active Directory features. Through the saved queries feature, users can create, save, change, export, and even e-mail saved queries. Saved queries are located in the Active Directory Users And Computers console in a container called Saved Queries.
How to find Active Directory objects with ADUC
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- In the console tree, right click the domain, container, or OU to be searched for the particular Active Directory object(s) and click Find on the shortcut menu.
- The Find Dialog box opens.
- In the Find list box, choose the object type that the search should be conducted on.
- In the In list box, select the domain, container, or OU that the search should be performed on.
- Click the Advanced tab.
- In the Field list box, choose the attribute to be searched.
- Use the Conditions drop down box to set more criteria on the search for the attribute.
- Set the value for the condition of the attribute in the Value box.
- Click Add.
- The Advanced search criteria specified is added to the Conditions List box located at the bottom of the Advanced tab.
- Click the Find Now button to search Active Directory for objects that match the search criteria.
- Search results are displayed in the Search Results box.
- Click the Clear All button to clear the current search criteria.
How to create saved queries in ADUC
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- In the console tree, right click the Saved Queries container and choose New, then Query from the shortcut menu. If the Saved Queries container contains subfolders, right click the particular subfolder wherein the new query should be saved.
- The New Query dialog box opens.
- In the Name box, enter a name for the new query.
- In the Description box, enter a description for the new query.
- In the Query Root box, enter the container that should be the starting point when the query executes.
- Alternatively, click the Browse button to find the particular container.
- If the search should be performed on all subfolders associated with the particular container, enable the Include Subcontainers checkbox.
- Click the Define Query button to open the Find dialog box.
- In the Find list box, choose the object type that the search will be performed on.
- Click the Advanced tab.
- In the Field box list, choose the attribute to be searched.
- Use the Conditions drop down box to set more criteria on the search for the attribute.
- Set the value for the condition of the attribute in the Value box.
- Click Add.
- Click OK in the New Query dialog box.
How to Create Subfolders to the Saved Queries Container to Better Organize Saved Queries
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- In the console tree, right click the Saved Queries container and choose New then Folder from the shortcut menu.
The Dsquery Command-line Tool
Use the dsquery command-line tool to locate users, contacts, computers, groups, OUs, sites, subnets, and servers in Active Directory based on the search criteria specified. Dsquery returns the distinguished names of the matching objects, one per line, so its output can be piped into the other ds* tools (dsget to read attributes, dsmod to change them). Windows Server 2003 Help contains the syntax for each dsquery command; run dsquery /? for an overview and dsquery <objecttype> /? for the switches of a particular object type.
Use the dsquery commands listed below to search Active Directory for a particular object:
- Dsquery user – finds a user in the Active Directory data store.
- Dsquery contact – finds a contact in the Active Directory data store.
- Dsquery group – finds a group in the Active Directory data store.
- Dsquery computer – finds a computer in the Active Directory data store.
- Dsquery ou – finds an OU in the Active Directory data store.
- Dsquery site – finds a site in Active Directory.
- Dsquery subnet – finds a subnet in Active Directory.
- Dsquery server – finds a server in Active Directory.
- Dsquery partition – finds partition objects in Active Directory.
- Dsquery quota – finds quota specifications in Active Directory.
- Dsquery * – finds any object using a generic LDAP filter (the same filter syntax the Find dialog's Custom Search accepts).
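The searches below are an added example, not part of the original article, showing the same question asked three ways: through dsquery's built-in switches, through a raw LDAP filter (the syntax both the Find dialog's Custom Search and dsquery * accept), and through the ActiveDirectory PowerShell module. It assumes a domain-joined administrative workstation with dsquery.exe and RSAT installed; the account flag values are the documented userAccountControl bits.

```powershell
# Added example: locate accounts by LDAP filter with dsquery and Get-ADObject.
# Assumes dsquery.exe and the ActiveDirectory module on a domain-joined host.

# 1. dsquery's built-in switches (output is one distinguished name per line).
dsquery user -stalepwd 90 -limit 0                               # password unchanged for 90 days
dsquery computer -inactive 8 -limit 0                            # no logon for 8 weeks
dsquery user -disabled -limit 0 | dsget user -samid -display     # pipe the DNs into dsget

# 2. A generic LDAP filter. The matching rule 1.2.840.113556.1.4.803 is a bitwise
#    AND, applied here to userAccountControl (0x10000 = password never expires).
$neverExpires = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
dsquery * domainroot -scope subtree -filter $neverExpires -attr sAMAccountName userAccountControl -limit 0

# The same filter against a Global Catalog: forest-wide, but only GC attributes come back.
dsquery * forestroot -gc -filter $neverExpires -attr sAMAccountName -limit 0

# 3. The equivalent with Get-ADObject, collected as objects for further processing.
Import-Module ActiveDirectory
$bitAnd   = '1.2.840.113556.1.4.803'
$userBase = '(&(objectCategory=person)(objectClass=user)'
$checks   = [ordered]@{
    'Password never expires'   = "$userBase(userAccountControl:${bitAnd}:=65536))"
    'Password not required'    = "$userBase(userAccountControl:${bitAnd}:=32))"
    'Disabled'                 = "$userBase(userAccountControl:${bitAnd}:=2))"
    'Protected (adminCount=1)' = "$userBase(adminCount=1))"
}

function Find-FlaggedAccounts {
    $domainNC = (Get-ADRootDSE).defaultNamingContext
    foreach ($entry in $checks.GetEnumerator()) {
        Get-ADObject -SearchBase $domainNC -LDAPFilter $entry.Value -Properties sAMAccountName |
            ForEach-Object {
                [pscustomobject]@{
                    Check   = $entry.Key
                    Account = $_.sAMAccountName
                    DN      = $_.DistinguishedName
                }
            }
    }
}

Find-FlaggedAccounts | Sort-Object Check, Account | Format-Table -AutoSize
```

The adminCount=1 filter lists accounts that are or once were members of a protected group; those objects have their ACLs overwritten by the AdminSDHolder template rather than inheriting from their OU, so any delegation set on the OU does not apply to them.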
Managing Access to Active Directory Objects
Access to Active Directory objects is controlled by granting or denying permissions on objects to security principals: users, groups, and computers. Every security principal is identified by a unique security identifier (SID), and it is the SID rather than the name that is recorded in a permission entry, so renaming a principal does not change its access. Permissions can be assigned only to security principals. (The same model governs file permissions, which is why file-level permissions require a volume formatted with NTFS.) Active Directory permissions therefore define who can access a particular object and what kind of access is allowed. For a security principal to access an object, an Administrator must assign it permissions on that object; the object's owner also has sufficient rights to set permissions on the object.
For each Active Directory object, Windows 2000 and Windows Server 2003 store a set of access permissions that define which security principals may access the object and what each of them may do. This is the object's access control list (ACL); it is part of the object's security descriptor, which is held in the object's nTSecurityDescriptor attribute. Every Active Directory object has an ACL. To grant a security principal access to an object, add an entry for that principal to the object's ACL.
The object type determines which permissions can be set; different object types have different permissions. Each permission is set as either Allow or Deny. Among entries at the same level, a Deny takes precedence over an Allow: if a user is denied access to an object but belongs to a group that is allowed access, the user is denied. The one exception is the ordering between explicit and inherited entries: Windows evaluates entries set directly on the object before entries inherited from its parent, so an explicit Allow on an object overrides a Deny inherited from above.
For each object type, both standard permissions and special permissions can be set. Standard permissions are the bundles most commonly assigned to Active Directory objects; each standard permission is made up of a set of special permissions, which can be used to define the access to the object more finely. Special permissions are also called advanced security settings.
The standard object permissions that can be set for Active Directory objects are noted below:
- Full Control: This object permission enables a user to take ownership, change permissions, and to carry out all other tasks that the standard permissions permit for the object type.
- Read: This permission enables a user to view Active Directory permissions, view objects and its attributes, and to view object owner information.
- Write: The Write object permission allows a user to change object attributes.
- Create All Child Objects: This permission allows the user to add child objects to a container, such as an organizational unit.
- Delete All Child Objects: This permission allows the user to remove child objects from a container, such as an organizational unit.
A user who creates an Active Directory object is automatically its owner, and the owner controls who has access to the object. One exception to note: when the creator is a member of the Domain Admins group, the object's owner is recorded as the Domain Admins group rather than the individual account. Because administrators create most Active Directory objects, they (or Domain Admins) own most objects. The same rule applies when a user creates files on a network server: the creator owns those objects.
Ownership of an object can be taken by the following entities:
- Members of the Administrators group
- Users that are assigned the Restore Files And Directories user right
- Users and groups that are assigned the Take Ownership permission for the particular object
Active Directory objects are structured in a parent-child hierarchy: a parent object is the higher-level object and contains child objects beneath it. Because of this structure, child objects can inherit the permissions defined on a parent object. This is known as object inheritance, and it propagates the parent's permissions to the child objects it contains. Permissions defined directly on an object are known as explicit permissions. Inheritance can also be blocked on a particular object so that it no longer receives permissions from its parent; this is known as blocking inheritance, and an object with inheritance blocked keeps only its explicit entries.
A security principal may belong to several groups, each with different permissions on an object. The access the user actually has is the combination of the permissions assigned to the user directly, to each of the user's groups, and those inherited from parent objects, with Deny entries applied as described above. This combination is the user's effective permissions on the object.
Another feature of Active Directory is delegation of administrative control. Delegating control is the process by which a higher-level administrator assigns permissions on an object so that other users or groups can perform specific administrative tasks on it. Delegation works best when objects are grouped into OUs: once the objects are located in an OU, control over all of them can be delegated at the OU. Control of a domain or container can be delegated in the same way. A delegation is simply a set of ACL entries and should be reviewed like any other permission: a delegate who can reset passwords or change group membership in an OU that holds privileged accounts effectively holds those privileges.
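Reviewing an object's ACL is the practical counterpart to the description above: the entries, their inheritance, the owner, and whether inheritance is blocked are all readable through the AD: drive that the ActiveDirectory module provides. The following audit is an added example, not code from the original article. It assumes the ActiveDirectory module; the OU being audited and the list of principals expected to hold control over it are assumed values.

```powershell
# Added example: read an OU's ACL and flag entries that grant control-equivalent
# rights to principals outside an expected set. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$target   = 'OU=Sales,DC=corp,DC=example'    # assumed object to audit
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins',
              'CORP\Enterprise Admins', 'BUILTIN\Administrators')   # assumed

# Build a GUID -> name map from the schema (classes and attributes) and from
# the extended rights in the configuration partition, so ObjectType is readable.
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object {
        $g = New-Object Guid (,$_.schemaIDGUID)      # stored as a byte array
        $guidName[$g.ToString().ToLower()] = $_.lDAPDisplayName
    }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([string]$_.rightsGuid).ToLower()] = $_.displayName }

# Rights that let the holder rewrite the ACL or the object wholesale.
$controlRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-AclFindings {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    Write-Host "Owner: $($acl.Owner); inheritance blocked: $($acl.AreAccessRulesProtected)"

    # The owner can always rewrite the DACL, so an unexpected owner is itself a finding.
    if ($expected -notcontains $acl.Owner) {
        [pscustomobject]@{ Principal = $acl.Owner; Rights = 'Owner'; ObjectType = 'all'
                           Inherited = $false; AppliesTo = 'This object' }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($expected -contains $principal) { continue }
        $rights = $ace.ActiveDirectoryRights
        $hasControl  = (($rights -band $controlRights) -ne 0)
        $hasExtended = (($rights -band $extendedRight) -ne 0)
        if (-not ($hasControl -or $hasExtended)) { continue }
        $key = $ace.ObjectType.ToString().ToLower()
        $objectType = if ($ace.ObjectType -eq [guid]::Empty) { 'all' }
                      elseif ($guidName.ContainsKey($key)) { $guidName[$key] }
                      else { $key }
        [pscustomobject]@{
            Principal  = $principal
            Rights     = "$rights"
            ObjectType = $objectType          # 'all', a class/attribute, or an extended right
            Inherited  = $ace.IsInherited
            AppliesTo  = "$($ace.InheritanceType)"
        }
    }
}

Get-AclFindings -DistinguishedName $target | Format-Table -AutoSize
```

An entry whose ObjectType resolves to "all" with ExtendedRight, or to GenericAll on the OU with inheritance set to descendants, grants far more than a typical delegation and is the first thing to explain or remove.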
How to View the Standard Permissions for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled. Verify this on the View menu.
- In the console tree, find and right click the desired Active Directory object to view its standard permissions and click Properties on the shortcut menu.
- When the Properties dialog box for the object selected opens, click the Security tab.
- In the Group Or User Names box, select the desired security principal in order to view its permission for the object.
- The standard permissions are displayed in the Permissions For box.
How to View the Special Permissions for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled. Verify this on the View menu.
- In the console tree, find and right click the desired Active Directory object in order to view its special permissions and click Properties on the shortcut menu.
- When the selected object’s Properties dialog box opens, click the Security tab.
- Click the Advanced button.
- The Advanced Security Settings dialog box for the object opens.
- Select the desired security principal in order to view its permission in the Permission Entries list. Click Edit.
- The Permission Entry dialog box for the object opens.
- In the Object tab, view the special permissions for the object that is assigned to the particular security principal.
How to View the Effective Permissions Granted to a Security Principal for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled. Verify this on the View menu.
- In the console tree, find and right click the desired Active Directory object in order to view its effective permissions and click Properties on the shortcut menu.
- When the Properties dialog box for the selected object opens, click the Security tab then click the Advanced button.
- When the Advanced Security Settings dialog box for the particular object opens, click the Effective Permissions tab.
- Click the Select button.
- Enter the name of the user/group in the Select User, Computer, or Group dialog box. Click OK.
- The effective permissions of the user/group are displayed.
How to Assign Standard Permissions for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the desired Active Directory object to assign standard permissions for and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab.
- Click the Add button.
- When the Select Users, Computers, Or Groups dialog box opens, type the name of the desired security principal to specify permissions for in the Enter The Object Names To Select box. Click OK.
- In the Permissions For box on the Properties dialog box for the object, use the Allow and Deny checkboxes to set the appropriate permissions.
- Click OK.
How to Remove a Security Principal and its Associated Permissions
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the desired Active Directory object to remove a security principal from and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab.
- Select the security principal in the Group Or User Names list box.
- Click the Remove button.
How to Assign Special Permissions for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the desired Active Directory object in order to assign special permissions to it and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab then the Advanced button.
- When the Advanced Security Settings dialog box for the particular object opens, click Add to set special permissions for a new security principal or to set additional special permissions for an existing security principal.
- Enter the security principal’s name in the Enter The Object Name To Select box. Click OK.
- Set the special permissions in the Permission Entry dialog box’s Object tab and Properties tab.
- Click OK.
How to Remove Special Permission for an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console. The Advanced Features should be enabled. Use the View menu to verify that it is enabled.
- In the console tree, right click the desired Active Directory object in order to remove special permissions and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab.
- Click the Advanced button to open the Advanced Security Settings dialog box.
- Click the appropriate permission in Permission Entries box.
- Click the Remove button.
How to Set Inheritance for a Standard Permission or Special Permission
- Click Start, Administrative Tools, and the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the desired Active Directory object that inheritance will be set for and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab then click the Advanced button to open the Advanced Security Settings dialog box for the particular object.
- The Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here checkbox should be enabled. Clearing the checkbox prevents the object from inheriting permissions from its parent.
- In the Permissions Entries box, choose the permission and click the Edit button.
- When the Permission Entry dialog box for the object opens, set the following:
- Set Apply Onto to the This Object Only option in order to prevent any child objects from inheriting this permission
- Set Apply Onto to This Object And All Child Objects option to allow child objects to inherit this permission.
- Enable the Apply These Permissions To Objects And/Or Containers Within This Container Only checkbox to allow this object’s direct child objects to inherit the particular permission.
- Click OK and click OK again in the object’s Advanced Security Settings dialog box and in the Properties dialog box.
How to Transfer Ownership of an Active Directory Object
- Click Start, Administrative Tools, and the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the particular Active Directory object whose ownership will be transferred and click Properties from the shortcut menu.
- When the Properties dialog box for the object opens, click the Security tab then click the Advanced button.
- When the Advanced Security Settings dialog box for the particular object opens, click the Owner tab.
- Click Other Users Or Groups if the owner to be selected is not listed in the Change Owner To box.
- Select the new owner in the Change Owner To box.
- Click OK.
How to Delegate Administrative Control of Active Directory Objects
- Click Start, Administrative Tools, and the Active Directory Users And Computers console.
- Ensure that Advanced Features is enabled on the View menu.
- In the console tree, right click the desired OU to delegate administrative control to and click Delegate Control from the shortcut menu.
- The Delegation of Control Wizard starts. This is the wizard used to delegate administrative control of Active Directory objects.
- Click Next on the Welcome To The Delegation Of Control Wizard page.
- When the User or Groups page opens, click the Add button.
- In the Enter The Object Names To Select box, enter the name of the user or group identified to receive administrative control. Click OK then click Next.
- When the Tasks to Delegate page opens, specify the tasks to be delegated. Click Next.
- On the Completing Delegation of Control page, verify the settings that were specified.
- Click Finish.
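The wizard's "Reset user passwords and force password change at next logon" task writes two inheritable ACEs on the OU, scoped to descendant user objects; setting them directly makes both the delegation and the inheritance settings from the earlier procedure explicit, and gives a way to verify and revoke them. This is an added example, not code from the original article. It assumes the ActiveDirectory module; the OU and the delegate group are assumed values, and the GUIDs are looked up from the schema and the Extended-Rights container rather than hard-coded.

```powershell
# Added example: delegate password reset on an OU with explicit, inheritable ACEs,
# then verify and (if needed) revoke. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ou    = 'OU=Sales,DC=corp,DC=example'   # assumed OU
$group = 'Helpdesk'                       # assumed delegate group

$rootDse = Get-ADRootDSE

function Get-ExtendedRightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $r) { throw "Extended right '$DisplayName' not found" }
    [guid]$r.rightsGuid
}
function Get-SchemaGuid([string]$LdapDisplayName) {
    $s = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $s) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object Guid (,$s.schemaIDGUID)
}

$resetPassword = Get-ExtendedRightGuid 'Reset Password'   # control access right
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'              # attribute
$userClass     = Get-SchemaGuid 'user'                    # class the ACEs apply to

$sid   = (Get-ADGroup -Identity $group).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
# Apply Onto: descendant user objects only, not the OU itself.
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Extended right "Reset Password" on user objects under the OU.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPassword, $descendants, $userClass)),
    # Read/write pwdLastSet so the delegate can force "change at next logon".
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'), $allow,
        $pwdLastSet, $descendants, $userClass))
)

function Grant-PasswordResetDelegation {
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
}
function Show-Delegation {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$group" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, InheritedObjectType, IsInherited
}
function Revoke-PasswordResetDelegation {
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($r in $rules) { [void]$acl.RemoveAccessRule($r) }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
}

Grant-PasswordResetDelegation
Show-Delegation | Format-Table -AutoSize
```

Because the entries are scoped to the user class, the delegate cannot reset passwords of computer accounts in the same OU; and because they are written on the OU rather than on each user, a user moved out of the OU loses the delegated access automatically, while accounts protected by AdminSDHolder never receive it.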