Friday, 15 June 2012

Managing Organizational Units, Users and Groups using AD commands


Introduction

What is a Domain?
Domains are the main logical structure in Active Directory because they contain Active Directory objects. Network objects such as users, printers, shared resources, and more are all stored in domains. Domains are also security boundaries.

What is an Organizational Unit?
An Organizational Unit (OU) is a container that enables users to organize objects such as users, computers, and even other OUs in a domain to form a logical administrative group. An OU is the smallest Active Directory component to which users can delegate administrative authority.

Why use an OU?
Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.


As shown in the figure, organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.

You can use organizational units to create an administrative model that can be scaled to any size. A user can have administrative authority for all organizational units in a domain or for a single organizational unit.

Practical

Once you have worked through the exercise below, you will be familiar with how the various AD command-line tools work.

Organizational Units

Designing the organizational structure with Organizational Units (OUs) is easy if you use the GUI. Let's do the same thing with commands. This is useful when you are working on Windows Server 2008 Server Core, where only a command prompt and Notepad are available.

We are going to design the following structure.


We are working with the domain mcitp.com.

We will use the dsadd command to create the OU CIOTS and, inside it, the OUs Sales, Marketing and HR.

dsadd OU "ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=Sales, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=Marketing, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com"


Oh, by mistake I created the OU as HumanResource instead of HR. There are two ways to correct this.

Way 1 - Remove the OU HumanResource with dsrm and create a new OU HR with dsadd. Note that this produces a brand-new object: any Group Policy links or delegated permissions set on the old OU are lost and must be set again.

dsrm "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=HR, ou=CIOTS, DC=mcitp, DC=com"

Way 2 - Rename the OU HumanResource to HR using dsmove. The object itself is kept, so its Group Policy links and delegated permissions survive the rename.

dsmove "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com" -newname "HR"

Now run the dsquery command to check that all the OUs were created properly.

dsquery ou "dc=mcitp, dc=com"


You can also verify it in the Active Directory Users and Computers snap-in.


Users & Groups

Each OU will hold some users and groups. Users who perform the same task can be added to a group, and any permissions or changes applied to the group apply to all of its members.

Let's learn how to create a user first. We have to create the users S1, S2 and S3 in the OU Sales. We will use the dsadd user command.

Dsadd user "CN=S1, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -pwd admin@123 -mustchpwd yes

This creates the user S1 in the OU Sales with the initial password admin@123, and the user will be asked to change the password at first logon.

We will use the following command to create user S2.

Dsadd user "CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -pwd * -mustchpwd yes

This is the same as the previous command, except that -pwd * makes dsadd prompt for the password while the command runs, as shown in the following figure, so the password never appears on the command line.


If I do not want user S3 to be forced to change the password at first logon, I use the following command.

Dsadd user "CN=S3, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -pwd admin@123

Now query the OU Sales and check that all the users were created there using the following command.

Dsquery user "ou=Sales, ou=CIOTS, dc=mcitp, dc=com"


Note: When you create a user and do not provide a password, the account is created disabled.

Next we create a group Managers and add S2 and S3 to it. This takes two commands. The first command creates the group Managers:

Dsadd group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com"

and the second command adds S2 and S3 to the group using dsmod group:

Dsmod group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -addmbr "CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" "CN=S3, ou=Sales, ou=CIOTS, dc=mcitp, dc=com"

Now, to check that the users were added to the group, run the following dsget command.

Dsget group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -members

You can also verify it in Active Directory Users and Computers Snap-in.


When a user leaves our organization, we do not delete the account. Instead we disable it as follows; the account keeps its SID, group memberships and history, so nothing that references it breaks and it can still be audited.

Dsmod user "CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -disabled yes

S1 has changed department and is now in Marketing. To move the user from the OU Sales to the OU Marketing, use the following dsmove command.

Dsmove "CN=S1, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -newparent "ou=Marketing, ou=CIOTS, dc=mcitp, dc=com"

And finally, if you want to delete the entire OU structure, use the dsrm command as follows. Here -subtree deletes every object beneath the OU, -noprompt suppresses the confirmation and -c continues past errors, so list the contents with dsquery first and be sure the DN is the one you mean.


dsrm -subtree -noprompt -c "OU=CIOTS,DC=mcitp,DC=com"
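The whole procedure above as one re-runnable batch file, using only the command prompt the post mentions. This is an added example, not code from the original post; it assumes it runs on a domain controller for mcitp.com with the ds* tools on the PATH, that dsquery returns a non-zero errorlevel when the start node does not exist, prompts for each password with -pwd * so no secret is stored in the file, and only previews what dsrm -subtree would delete rather than running it.

```batch
@echo off
setlocal
rem Added example (not from the original post): builds the CIOTS structure
rem from this tutorial so that it can be re-run safely, then audits it.
rem Assumed: run on a domain controller for mcitp.com with ds* tools on PATH.
set "ROOT=OU=CIOTS,DC=mcitp,DC=com"

rem 1. OUs: assumed that dsquery * -scope base sets errorlevel 1 when the
rem    object is absent, so each OU is only created once
for %%O in ("%ROOT%" "OU=Sales,%ROOT%" "OU=Marketing,%ROOT%" "OU=HR,%ROOT%") do (
    dsquery * %%O -scope base >nul 2>&1
    if errorlevel 1 dsadd ou %%O
)

rem 2. Users in Sales: -pwd * prompts for each password so no secret is stored
rem    in this file or the command history; -mustchpwd forces a change at logon
for %%U in (S1 S2 S3) do (
    dsquery * "CN=%%U,OU=Sales,%ROOT%" -scope base >nul 2>&1
    if errorlevel 1 (
        echo Creating user %%U
        dsadd user "CN=%%U,OU=Sales,%ROOT%" -pwd * -mustchpwd yes
    )
)

rem 3. Group Managers with S2 and S3, adding only members not already present
set "GRP=CN=Managers,OU=Sales,%ROOT%"
dsquery * "%GRP%" -scope base >nul 2>&1
if errorlevel 1 dsadd group "%GRP%"
for %%U in (S2 S3) do (
    dsget group "%GRP%" -members | findstr /i /c:"CN=%%U," >nul
    if errorlevel 1 dsmod group "%GRP%" -addmbr "CN=%%U,OU=Sales,%ROOT%"
)

rem 4. Audit: every user below CIOTS, then the ones that are disabled
echo.
echo Users under %ROOT%:
dsquery user "%ROOT%" -scope subtree
echo Disabled accounts (leavers should appear here rather than be deleted):
dsquery user "%ROOT%" -scope subtree -disabled
echo Members of Managers:
dsget group "%GRP%" -members

rem 5. Preview only: show what dsrm -subtree would delete; dsrm is never run here
echo.
echo Objects that dsrm -subtree "%ROOT%" would remove:
dsquery * "%ROOT%" -scope subtree
endlocal
```

Run it again after the move and disable steps above and section 4 shows S1 under Marketing and S2 in the disabled list, which is the quick check to do before ever pointing dsrm at the OU.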
