• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Active Directory Articles
• Understanding Active Directory
• Active Directory Management Tools
• Active Directory Objects
• Active Directory replication
• Active Directory Security
• Active Directory Security Principal Accounts
• Active Directory Terminology and Concepts
• Backing Up and Restoring Active Directory
• Configuring and Troubleshooting Active Directory Replication
• Managing Active Directory Performance
• Publishing Resources in Active Directory
• Troubleshooting Active Directory availability
• What is New in Windows Server 2003 Active Directory
• Deploying Software through Group Policy
• Group Policy Terminology and Concepts
• Implementing and Managing Group Policy Objects
• Implementing Folder Redirection using Group Policy
• Planning a Group Policy
• Troubleshooting Group Policy
• Creating and Managing Domain Controllers
• Creating and Managing Forests and Domains
• Forest and Domain Functional Levels
• The Global Catalog Server
• Managing Recipient Objects Address List and Distribution and Administrative Groups
• Operations Master Roles
• Understanding Forests and Domains
• Understanding Group Types and Scopes
• Understanding Organizational Units
• Understanding Trust Relationship
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Active Directory Objects

An Overview of Active Directory Objects

The Active Directory data store, also referred to as directory, contains data on users, groups, computers, as well as information on which resources these users, groups, computers can access. It holds all Active Directory information. Each domain controller within a domain holds a readable/writable replica of the Active Directory data store that consists of information pertaining to the particular domain to which it belongs. Users and computers can continue to access the Active Directory data store when one domain controller in a domain is offline because they can use any other domain controller to do this. Domain controllers also have a domain directory partition, configuration directory partition, and schema directory partition. Information on the domain exists in the domain directory partition. This consists of information on users, groups, and the network resources which they can access within the domain. The configuration directory partition contains information on the Active Directory topology. This consists of configuration information on the forests, domains, and domain trees within the Active Directory environment. Domains, trees and forests are referred to as the logical components of Active Directory. The schema directory partition contains information that controls which objects and attributes can exist in Active Directory.

Now that you have had an extremely brief introduction on Active Directory, lets look at what Active Directory objects are. As mentioned previously, each directory partition on the domain controllers contain various information. Certain information relates to network resources. Network resources stored in Active Directory consist of users, groups, computers, security policies, printers, and so forth. Information on the services that make the information on network resources available to network users also exists in Active Directory. It is the network resources stored in Active Directory that are known as Active Directory objects. In fact, most of the components in Active Directory are objects. Active Directory is therefore made up of different objects. The schema partition contains information that defines what objects and attributes can exist in Active Directory. It is the schema partition that holds the rules that control which objects and attributes can exist in Active Directory.

Because Active Directory contains information on specific types of objects, such as printer objects, user objects, and computer objects, Active Directory objects are divided into object classes. An objects class is a grouping of attributes with an accompanying name. The unique grouping of attributes defines a particular object and therefore contains information on the configuration and characteristics of the object. Attributes are also at times called properties. The attributes differ for each object class, and the attributes associated with one object class distinguishes the particular object class from the other objects classes. For instance, a user object would have a different set of attributes than a computer object, and these two object classes would have different attributes than printer objects and domain controller objects. A user object would have attributes such as user name, department, and password; while a printer object would have make, model, and manufacturer as attributes.

Object classes also inherit attributes from their associated parent objects. What this means is that an Administrator can create a new child class to a parent class if the attributes that are needed for the new child class are similar. The Administrator would then only need to define the additional attributes for the new child class. The new class would be made up of the inheritable attributes of the parent class, and the new attributes that the Administrator explicitly defined for the class.

Because each object in Active Directory stems from a particular object class, you can conclude that each object represents an instance of an object class . An instance of an object class also differs from other instances of the same class because each instance has different values for each set of attributes of that class.

There are three object class types within Active Directory:

• Abstract classes: Active Directory has 14 abstract classes, such as Top, Device and Security Object. These classes merely exist to create other objects classes.
• Structural classes: These are classes such as User, and Computer that have objects within Active Directory.
• Auxiliary classes: These classes are used to customize the definition of an Abstract class. The Auxiliary classes in Active Directory are Security Principal, Sam Domain, Sam Domain Base, Dynamic Object, MS MMS Object, and Mail Recipient.

The common object types within Active Directory are:

• User: A user account is made up of information such as user logon name, first name, last name, display name, and telephone number. The user account information enables a user to log on to Windows 2000 or Windows Server 2003.
• Contact: This is information on a person which has some connection to the organization such as telephone number, e-mail, and address.
• Group: A group consists of user accounts, other groups, and computers. Groups enable policy based administration within Active Directory.
• Shared Folder: This is a pointer to a shared folder on the computer. Pointers basically contain the location of the data. The data is not stored in the pointer. When you publish resources in Active Directory, an object that holds the pointer to the location of the data or printer is created.
• Printer: This is a pointer to a printer on the computer.
• Computer: The information relates to a computer within a domain.
• Domain Controllers: The information relates to a domain controller within a domain such as its DNS name, description, pre-Windows 2000 name, and its owner.
• OU (Organizational Unit): Organizational Units (OUs) are logical containers that can contain objects such as user accounts, groups, computers, shared resources, and other OUs. You can use OUs to organize Active Directory objects. For instance, you can create OUs to mirror the structure of the organization. By grouping directory objects in a domain into OUs, you are better able to manage resources. OUs also enable you to delegate administrative control for one OU in a domain, and not for another OU in the same domain.

Active Directory objects fall into one the following categories:

• Container objects: A container object holds other objects. Container objects also have a defined location in the directory subtree hierarchy.
• Leaf Objects: Unlike container object, leaf objects do not contain other objects. Leaf objects are located at the end of the subtree hierarchy.

How to create a new user object in Active Directory

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. In the console tree, select the OU wherein you want to create the new user object
3. From the Action menu, click New, and then click User
4. In the New Object - User dialog box, enter information for the fields listed below:
• First name, Initials, Last name, Full name (automatically populated), User logon name, User logon name (pre-Windows 2000).
Click Next
5. Enter a password in the Password field, and verify the password in the Confirm password field.
6. If you leave the User must change password at next logon checkbox enabled, the user has to specify a new password at next logon. Click Next
7. Verify the settings that you entered on the Summary screen.
8. Click Finish
9. The new user object is created using the settings that you specified.

Locating (Finding) Active Directory Objects

You can use the following methods to find Active Directory objects:

• Active Directory Users And Computers console
• Dsquery command

Active Directory Users And Computers console - Find Option

The Active Directory Users and Computers (ADUC) console in the Administrative Tools Menu can be used to find Active Directory objects. Active Directory Users and Computers contain a Find Option that you can use to create a Lightweight Directory Access Protocol (LDAP) query to find the particular object(s). You can create a LDAP query to find common Active Directory objects such as users, contacts, groups, computers, printers, shared folders, and OUs. You can even create a LDAP query to find common remote installation servers and clients. The LDAP query searches the Global Catalog to find Active Directory objects. Because the Global Catalog holds a partial copy of the entire Active Directory directory, it stores information on all objects in all domains in the forest. The contents of the Global Catalog are created by Active Directory. When specifying criteria through the Find Option to locate objects, you can specify that the search should be performed on the Active Directory directory, or on a particular OU; and you can specify various other search criteria or options.

The different options that can be set on the Find dialog box are outlined below:

• Find: This option contains the objects types that you want to search. This includes users, contacts, and groups; computers; printers; shared folders; OUs; and custom search. The Custom search option enables you to create custom LDAP queries.
• In: This is the parameter used to set where you want the search performed. You can search the Active Directory directory, or a particular OU or domain.
• Browse: You can use alternatively use the Browse button to specify the path of the search
• Advanced: You can use the Advanced tab to set further search criteria for the objects you want to find.
• Field: Field contains those attributes that can be specified for the object type specified for the search.
• Condition: You can further define the search criteria for an attribute by setting a condition.
• Value: This parameter is associated with the condition of the attribute that was set in Field. This is where you indicate the value for the condition of the attribute.
• Search Criteria: This box contains the search criteria that you set for the search. Search criteria are defined through the use of Field, Condition, and Value. You can remove search criteria by selecting the criteria that you want to remove, and then clicking the Remove button.
• Find Now: Click this button to start the search for the Active Directory object that is defined by your search criteria.
• Stop: Click this button to stop the current search being performed. Any items that were found before the Stop button was clicked, is displayed in the Search Results pane.
• Clear All: Click this button to clear the search criteria
• Search Results: This is the pane at the bottom of dialog box that displays the results of the search.

The Saved Queries feature is one of the new Windows Server 2003 Active Directory features. Through the saved queries feature, you can create, save, change, export, and even e-mail saved queries. Saved queries are located in the Active Directory Users And Computers console, in a container called Saved Queries.

How to find Active Directory objects using ADUC

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. In the console tree, proceed to right-click the domain, container, or OU that you want to search for the particular Active Directory object(s), and click Find on the shortcut menu.
3. The Find Dialog box opens.
4. In the Find list box, choose the object type that you want the search conducted on.
5. Using the In list box; enter the domain, container, or OU that the search should be performed on.
6. Click the Advanced tab.
7. In the Field list box, choose the attribute that you want to search.
8. Use the Conditions drop down box to set more criteria on the search for the attribute.
9. Set the value for the condition of the attribute in the Value box.
10. Click Add.
11. The Advanced search criteria that you specified is added to the Conditions List box located at the bottom of the Advanced tab.
12. Click the Find Now button to search Active Directory for objects that match the search criteria.
13. The results of the search are displayed in the Search Results box.
14. Click the Clear All button to clear the current search criteria.

How to create saved queries in ADUC

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. In the console tree, right-click the Saved Queries container and choose New, and then Query from the shortcut menu. If the Saved Queries container contains subfolders, you can right-click the particular subfolder wherein the new query should be saved.
3. The New Query dialog box open.
4. In the Name box, enter a name for the new query.
5. In the Description box, enter a description for the new query.
6. In the Query Root box, enter the container that should be the starting point when the query executes.
7. You can alternatively click the Browse button to find the particular container. v
8. If the search should be performed on all subfolders associated to the particular container, enable the Include Subcontainers checkbox.
9. Click the Define Query button to open the Find dialog box.
10. In the Find list box, choose the object type that you want to perform the search on.
11. Click the Advanced tab.
12. In the Field box list, choose the attribute that you want to search.
13. Use the Conditions drop down box to set more criteria on the search for the attribute.
14. Set the value for the condition of the attribute in the Value box.
15. Click Add.
16. Click OK in the New Query dialog box.

How to create subfolders to the Saved Queries container to better organize your saved queries

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. In the console tree, right-click the Saved Queries container and choose New, and then Folder from the shortcut menu.

The Dsquery Command-line Tool

You can use the Dsquery command-line tool to locate users, contacts, computers, groups, OUs, sites, subnets, and servers in Active Directory based on the search criteria that you specified. The Windows Server 2003 Help feature contains the syntax for each Dsquery command. Execute dsquery /? to view further information on using the dsquery command.

Use the dsquery commands listed below to search Active Directory for a particular object:

• Dsquery user, for finding a user in the Active Directory data store.
• Dsquery contact, for finding a contact in the Active Directory data store.
• Dsquery group, for finding a group in the Active Directory data store.
• Dsquery computer, for finding a computer in the Active Directory data store.
• Dsquery ou, for finding an OU in the Active Directory data store.
• Dsquery site, for finding a site in Active Directory.
• Dsquery subnet, for finding a subnet in Active Directory.
• Dsquery server, for finding a server in Active Directory.
• Dsquery partition, for finding partition objects in Active Directory.
• Dsquery quota, for finding quota specifications in Active Directory.
• Dsquery*, for finding any object using a generic LDAP query

Managing Access to Active Directory Objects

Access control to Active Directory objects is implemented by either granting or denying permissions to security principals such as users, groups, and computers for resources/objects. A security principal has a unique security identifier (SID) that identifies it. You can only specify access permissions for security principals, and for drives that are formatted to use NTFS. The Active Directory permissions therefore define who has permission to access a particular Active Directory object, and it also defines what access is allowed. In order for a security principal to access an Active Directory object, an Administrator must assign permissions to the object. The owner of the object also has sufficient rights to set permissions for an object. For each Active Directory object, Windows 2000 and Windows Server stores a set of user access permissions that define those users that are allowed to access the object, as well as the actions that each particular user can perform. This is called the access control list (ACL) of the object. Each Active Directory object has an ACL. If you want to assign access to an object for a security principal, you have to include the particular security principal in the ACL of the object.

The Active Directory object type defines what permissions you can set. There are different permissions for the different object types. When setting permissions to Active Directory objects, you can set either Allow or Deny permissions. Any Deny permission takes precedence over any Allow permissions for users and groups. For instance, if you deny a user access to an Active Directory object, and the user is included in a group that has the Allow permission to the object, the user is denied access to the object.

For each Active Directory object type, you can set standard permissions and special permissions. Standard permissions can be defined as those permissions that are most commonly assigned for Active Directory objects. Standard permissions contain special permissions that you can use to further define the access that is allowed to the object. Special permissions are also called advanced security settings.

The standard object permissions that can be set for Active Directory objects are noted below.

• Full Control: This object permission enables a user to take ownership, change permissions, and to carry out all other tasks permitted by the standard permissions for the object type
• Read: This permission enables a user to view Active Directory permissions, view objects and its attributes, and to view object owner information.
• Write: The Write object permission allows a user to change object attributes.
• Create All Child Objects: This permission allows the user to add a child object to an organizational unit.
• Delete All Child Objects: This permission allows the user to remove a child object from an organizational unit.

A user that creates an Active Directory object is automatically the owner of that particular object. The owner of an Active Directory object determines who has access to the particular object. Because Administrators typically create the majority of Active Directory objects, they are automatically the owners of these objects. In other instances, where a user creates files on your network servers, they own those objects.

Ownership of an object can be taken by the following entities:

• Members of the Administrators group.
• Users that are assigned the Restore Files And Directories user right
• Users and groups that are assigned the Take Ownership permission for the particular object.

Active Directory objects are structured in parent-child hierarchy. This means that a parent object is the top-level object, and it contains child objects beneath it. Because of this structure, child objects can inherit the permissions you define for a parent object. This is known as object inheritance. Object inheritance enables the permissions of the parent object to be propagated to any child objects that it contains. Permissions that are explicitly defined for an object by its owner, are known as explicitly set permissions. You can also prevent permissions from being inherited by child objects of a particular parent object. This is known as blocking inheritance.

Security principals can be members of different groups that each defines different permissions to an object. In this case, the permissions that a user has are a combination of the user permission and group permissions, and any inherited permissions from parent objects. This is known as the effective permissions of the user for an Active Directory object.

Another feature of Active Directory is that you can delegate administrative control of Active Directory objects . Delegating administrative control of Active Directory objects is the process by which a higher-level Administrator assigns permissions to the object that enables other users or groups to perform administrative tasks on that particular object. The feature can be used if you are using OUs to logically group Active Directory objects. After your Active Directory objects are located in OUs, you are able to delegate administrative control of those Active Directory objects. You can also delegate administrative control of a domain or container.

How to view the standard permissions for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled. You can verify this on the View menu.
3. In the console tree, find and right-click the particular Active Directory object whose standard permissions you want to view, and click Properties on the shortcut menu.
4. When the Properties dialog box for the object you selected opens, click the Security tab.
5. In the Group Or User Names box, select the security principal whose permission you want to view for the object
6. The standard permissions are displayed in the Permissions For box.

How to view the special permissions for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled. You can verify this on the View menu.
3. In the console tree, find and right-click the particular Active Directory object whose special permissions you want to view, and click Properties on the shortcut menu.
4. When the Properties dialog box for the object you selected opens, click the Security tab.
5. Click the Advanced button.
6. The Advanced Security Settings dialog box for the object opens.
7. Select the security principal whose permission you want to view in the Permission Entries list. Click Edit
8. The Permission Entry dialog box for the object opens.
9. In the Object tab, you can view the special permissions for the object that is assigned to the particular security principal.

How to view the effective permissions granted to a security principal for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled. You can verify this on the View menu.
3. In the console tree, find and right-click the particular Active Directory object whose effective permissions you want to view, and click Properties on the shortcut menu.
4. When the Properties dialog box for the object you selected opens, click the Security tab, and then click the Advanced button.
5. When the Advanced Security Settings dialog box for the particular object opens, click the Effective Permissions tab.
6. Click the Select button
7. Enter the name of the user/group in the Select User, Computer, Or Group dialog box. Click OK
8. The effective permissions of the user/group are displayed.

How to assign standard permissions for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled on the View menu.
3. In the console tree, right-click the particular Active Directory object which you want to assign standard permissions for, and click Properties from the shortcut menu.
4. When the Properties dialog box for the object opens, click the Security tab.
5. Click the Add button.
6. When the Select Users, Computers, Or Groups dialog box opens, type the name of the security principal that you want to specify permissions for in the Enter The Object Names To Select box. Click OK.
7. In the Permissions For box on the Properties dialog box for the object, use the Allow and Deny checkboxes to set the appropriate permissions.
8. Click OK.

How to remove a security principal and its associated permissions

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled on the View menu.
3. In the console tree, right-click the particular Active Directory object which you want to remove a security principal from, and click Properties from the shortcut menu.
4. When the Properties dialog box for the object opens, click the Security tab
5. Select the security principal in the Group Or User Names list box.
6. Click the Remove button.

How to assign special permissions for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
2. In the console tree, right-click the particular Active Directory object for which you want to assign special permissions, and click Properties from the shortcut menu.
3. When the Properties dialog box for the object opens, click the Security tab, and then click the Advanced button.
4. When the Advanced Security Settings dialog box for the particular object opens, click Add to set special permissions for a new security principal, or to set additional special permissions for an existing security principal.
5. Enter the name of the security principal in the Enter The Object Name To Select box. Click OK.
6. Set the special permissions in the Permission Entry dialog box's Object tab, and Properties tab.
7. Click OK

How to remove special permission for an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console. The Advanced Features should be enabled. Use the View menu to verify that it is enabled.
2. In the console tree, right-click the particular Active Directory object from which you want to remove special permissions, and click Properties from the shortcut menu.
3. When the Properties dialog box for the object opens, click the Security tab
4. Click the Advanced button to open the Advanced Security Settings dialog box
5. Click the appropriate permission in Permission Entries box.
6. Click the Remove button

How to set inheritance for a standard permission or special permission

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
2. In the console tree, right-click the particular Active Directory object which you want to set inheritance for, and click Properties from the shortcut menu.
3. When the Properties dialog box for the object opens, click the Security tab, and then click the Advanced button to open the Advanced Security Settings dialog box for the particular object.
4. The Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here checkbox should be enabled. Clearing the checkbox would prevent the object from inheriting permissions from its parent.
5. In the Permissions Entries box, choose the permission and click the Edit button.
6. When the Permission Entry dialog box for the object opens, you can set the following:
• Set Apply Onto to the This Object Only option if you do not want any child objects to inherit this permission
• Set Apply Onto to This Object And All Child Objects option if you want child objects to inherit this permission.
7. Enable the Apply These Permissions To Objects And/Or Containers Within This Container Only checkbox if you only want direct child objects of this object to inherit the particular permission.
8. Click OK, and click OK again in the object's Advanced Security Settings dialog box, and in the Properties dialog box

How to transfer ownership of an Active Directory object

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console. Ensure that Advanced Features is enabled on the View menu.
2. In the console tree, right-click the particular Active Directory object which you want to transfer ownership for, and click Properties from the shortcut menu.
3. When the Properties dialog box for the object opens, click the Security tab, and then click the Advanced button.
4. When the Advanced Security Settings dialog box for the particular object opens, click the Owner tab.
5. Click Other Users Or Groups if the owner you want to select is not listed in the Change Owner To box
6. Select the new owner in the Change Owner To box
7. Click OK

How to delegate administrative control of Active Directory objects

1. Click Start, Administrative Tools, and click the Active Directory Users And Computers console.
2. Ensure that Advanced Features is enabled on the View menu.
3. In the console tree, right-click the particular OU for which you want to delegate administrative control, and click Delegate Control from the shortcut menu.
4. The Delegation of Control Wizard starts. This is the wizard used to delegate administrative control of Active Directory objects.
5. Click Next on the Welcome To The Delegation Of Control Wizard page
6. When the User or Groups page opens, click the Add button
7. In the Enter The Object Names To Select box, enter the name of the user or group whom you have identified to receive administrative control. Click OK, and then click Next.
8. When the Tasks to Delegate page opens, specify the tasks that you want to delegate. Click Next.
9. On the Completing Delegation of Control page, verify the settings that you have specified.
10. Click Finish.

Bookmark Active Directory Objects

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum