Managing Active Directory Objects

The administration of Active Directory involves managing domain objects and their associated properties. The objects managed within a domain are primarily user accounts, group accounts, computer accounts, and organizational units (OUs). Unlike NT 4, where one tool was used to manage users and groups (User Manager for Domains) and another to manage computer accounts (Server Manager), in a Windows 2000 domain all of these objects are managed through a single tool called Active Directory Users and Computers, an MMC snap-in. Note that this tool can be opened quickly from the Run command by running dsa.msc.

When opened, Active Directory Users and Computers is focused on a particular domain controller, which is the domain controller to which updates and additions will be written. This can be changed by right-clicking the domain object and choosing to connect to a different domain controller. This is quite useful: because replication between sites can follow a schedule, you might choose to change a user's properties on their local domain controller rather than on a remote one, so that you do not have to wait for the change to replicate. Once connected, the AD Users and Computers program displays the domain object followed by a series of containers.

First and foremost, the folders that appear beneath the domain object are actually containers. Two types of containers exist: built-in containers and OUs. A built-in container appears as a plain folder, while an OU appears as a folder with a book icon on it. Note that group policies can be applied to OUs but not to built-in containers; both types of container, however, allow you to delegate administrative control. The containers that are created automatically are described below:

  • Built-in: This container houses all built-in user and group accounts created when Active Directory is installed.
  • Computers: This container houses any upgraded computer accounts, or any new accounts added as part of joining a domain from a client system.
  • Domain Controllers: This OU contains all domain controllers for the domain.
  • ForeignSecurityPrincipals: This container holds objects representing the SIDs of user accounts from external trusted domains.
  • Users: This container is where upgraded user accounts are stored. You will also find the domain Administrator and Guest accounts here.

These are not the only built-in containers that exist, however. If you choose Advanced Features from the View menu, you will also find the following containers:

  • LostAndFound: This container houses orphaned objects. For example, imagine if an OU was deleted on one domain controller, and before replication had completed, a user was created in that OU on another domain controller. This user would be placed into the LostAndFound container, since its container object no longer exists.
  • System: This container holds settings relating to domain operational information, including AD-integrated DNS, domain DFS configuration, and so forth.

Within these containers (or the root of the domain) other objects can be created, such as users, computers, groups and so forth. Note that there is no requirement to create users in the Users container or computer accounts in the Computers container. You can use these, or create additional OUs according to your organizational needs and place accounts there instead. You can also easily move objects between containers by right-clicking the object and choosing Move. To create a new object within a container, right-click the container, choose New, and then choose the type of object you wish to create.
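The same operations described above (targeting a specific domain controller, creating an OU and a user in it rather than in the built-in containers, and moving an object) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the account running it may create OUs and users, and that the site name, OU name, user and computer names are placeholders to be replaced.

```powershell
# Added example (not from the original article): the ADUC operations described
# above, performed with the ActiveDirectory PowerShell module.
# Assumptions: RSAT ActiveDirectory module installed; the running account has
# rights to create OUs/users; site, OU, user and computer names are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName           # e.g. DC=example,DC=com
$siteName = 'HeadOffice'                                # placeholder site name

# Equivalent of "connect to another domain controller" in ADUC: pick a writable
# DC in the user's own site so the change is visible locally without waiting
# for inter-site replication, then pass it to every cmdlet via -Server.
$dc = (Get-ADDomainController -Discover -SiteName $siteName -Writable).HostName[0]

# Create an OU rather than using the built-in Users container, because Group
# Policy can be linked to an OU but not to a built-in container.
$ouPath = "OU=Staff,$domainDn"                          # placeholder OU
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$ouPath)" -Server $dc)) {
    New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn -Server $dc
}

# "New > User" in ADUC, created directly in the OU. The initial password is
# prompted for rather than embedded in the script.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path $ouPath -Server $dc `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

# "Move" in ADUC: relocate a computer account that landed in the default
# Computers container when it joined the domain.
$computer = Get-ADComputer -Identity 'WKSTN01' -Server $dc   # placeholder name
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouPath -Server $dc

# Housekeeping check: list accounts still sitting in the default Users and
# Computers containers, where no OU-linked Group Policy will ever apply to them.
foreach ($cn in 'Users', 'Computers') {
    Get-ADObject -SearchBase "CN=$cn,$domainDn" -SearchScope OneLevel -Server $dc `
        -Filter { objectClass -eq 'user' -or objectClass -eq 'computer' } |
        Select-Object Name, ObjectClass, DistinguishedName
}
```

Because every cmdlet is given the same -Server value, all of the writes land on one domain controller, exactly as they would after changing the focused domain controller in ADUC.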

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.