Create Group Using PowerShell, ADUC, dsadd or admod

Posted on March 23rd, 2009 in Active Directory, Microsoft, Scripts, Server 2003, Server 2008 by Gil Kreslavsky

Creating a Group Using a graphical user interface

  1. Open Active Directory Users and Computers.
  2. In the left pane, browse to the parent container of the new group, right-click it, and select New > Group.
  3. Enter the name of the group, then select the group scope (global, domain local, or universal) and the group type (security or distribution).
  4. Click OK.

Using dsadd in command-line interface

dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

Where <GroupDN> is the distinguished name of the new group (dsadd creates the object in the container named in the DN, so the parent OU must already exist).

Where <GroupScope> is one of the following:

  • l – domain local
  • g – global
  • u – universal

Where -secgrp is:

  • yes if the group is a security group
  • no for a distribution group

Where -desc is the (optional) group description.

Using admod in command-line interface

> admod -b "<GroupDN>" objectClass::group groupType::<GroupType> sAMAccountName::"<Pre-Windows2000Name>" -add

With -add, AdMod needs the objectClass to know what kind of object to create; the attribute::value pairs that follow are written on the new object.

Example: we will create a global security group called "Accounting" in the Accounting OU in testdomain.com

> dsadd group "cn=Accounting,ou=Accounting,dc=testdomain,dc=com" -scope g -secgrp yes
> admod -b "cn=Accounting,ou=Accounting,dc=testdomain,dc=com" objectClass::group groupType::-2147483646 sAMAccountName::Accounting -add

When using AdMod you must specify the numeric value of the group type. groupType is a bit field: 2 = global, 4 = domain local, 8 = universal, and 0x80000000 marks the group as security-enabled. Because Active Directory stores the attribute as a signed 32-bit integer, every security group value is negative:

  • Universal Distribution Group Value – 8
  • Universal Security Group Value – -2147483640
  • Domain Local Distribution Group Value – 4
  • Domain Local Security Group Value – -2147483644
  • Global Distribution Group Value – 2
  • Global Security Group Value – -2147483646
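To see where those six values come from, here is an added Python example (not code from the original post) that packs the scope and category bits into a groupType value, decodes a value read back from AD, and builds the AdMod arguments used above. The function names are this example's own.

```python
# Added example, not part of the original post: how the groupType values above are
# built. The attribute is a flag word (2 = global, 4 = domain local, 8 = universal,
# 0x80000000 = security-enabled) stored as a signed 32-bit integer, which is why every
# security group value is negative. Names such as group_type() are this example's own.

SCOPE_BITS = {"global": 0x2, "domainlocal": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000
# Other bits exist (0x1 = built-in local, 0x10 = APP_BASIC, 0x20 = APP_QUERY) but are
# not set on groups you create yourself.


def to_signed32(value):
    """Reinterpret a 32-bit pattern as the signed integer AD stores and dsadd/admod expect."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type(scope, security):
    """groupType value for a scope ('global', 'domain local', 'universal') and category."""
    key = scope.lower().replace(" ", "")
    if key not in SCOPE_BITS:
        raise ValueError(f"unknown scope {scope!r}")
    bits = SCOPE_BITS[key] | (SECURITY_ENABLED if security else 0)
    return to_signed32(bits)


def describe_group_type(value):
    """Decode a groupType read from AD into (scope, 'security' | 'distribution')."""
    pattern = value & 0xFFFFFFFF
    category = "security" if pattern & SECURITY_ENABLED else "distribution"
    scope_bits = pattern & 0xE                      # exactly one of 2, 4, 8 must be set
    scopes = [name for name, bit in SCOPE_BITS.items() if bit == scope_bits]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} has an invalid scope mask {scope_bits:#x}")
    return scopes[0], category


def admod_command(group_dn, scope, security, sam_account_name):
    """Build the AdMod command line for the group, as used in the example above."""
    return (f'admod -b "{group_dn}" objectClass::group '
            f'groupType::{group_type(scope, security)} '
            f'sAMAccountName::"{sam_account_name}" -add')


if __name__ == "__main__":
    for scope in ("global", "domain local", "universal"):
        for security in (False, True):
            value = group_type(scope, security)
            print(f"{scope:13s} {'security' if security else 'distribution':13s} "
                  f"{value:>12d}  ({value & 0xFFFFFFFF:#010x})")
    print(admod_command("cn=Accounting,ou=Accounting,dc=testdomain,dc=com",
                        "global", True, "Accounting"))
```

Running the block prints the same table as the list above, with the hex pattern beside each signed value, followed by the AdMod line for the Accounting example.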

Create Group Using VBScript

The example below shows how to create a global security group: the scope constant is combined (Or) with the security-enabled flag to produce the groupType value.
' ------  CONFIGURATION ------
strGroupParentDN = "<GroupParentDN>" ' e.g. ou=Groups,dc=testdomain,dc=com
strGroupName     = "<GroupName>"     ' e.g. Accounting
strGroupDescr    = "<GroupDesc>"     ' e.g. Accounting group
' ------ END CONFIGURATION ---------
' Constants taken from ADS_GROUP_TYPE_ENUM
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
set objOU = GetObject("LDAP://" & strGroupParentDN)
set objGroup = objOU.Create("group","cn=" & strGroupName)
' 2 Or -2147483648 = -2147483646, the global security group value from the table above
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                         Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "sAMAccountName", strGroupName
objGroup.Put "description", strGroupDescr
objGroup.SetInfo   ' nothing is written to the directory until SetInfo is called

Create Group Using PowerShell

To create a group using the Quest cmdlets, use the following syntax (this call creates the same global security group as the examples above):

new-QADGroup -ParentContainer '<Parent OU DN>' -Name '<GroupName>' -SamAccountName '<GroupName>' -GroupType 'Security' -GroupScope 'Global'
Where <Parent OU DN> – fill in the OU DN
Where <GroupName> – fill in the group name
After -GroupType – set the group type (Security or Distribution)
After -GroupScope – set the scope (Global, DomainLocal or Universal)

With the ActiveDirectory module that ships with Server 2008 R2 the equivalent is New-ADGroup -Name '<GroupName>' -SamAccountName '<GroupName>' -GroupCategory Security -GroupScope Global -Path '<Parent OU DN>'.

How to delete a protected OU in ADUC Windows 2008

Posted on March 15th, 2009 in Other by Gil Kreslavsky

In Windows Server 2008 Active Directory Users and Computers, Microsoft added the option "Protect container from accidental deletion".
During OU creation you can mark the OU as protected, and if you then try to delete it you receive the error "You do not have sufficient privileges to delete <OU Name>, or this object is protected from accidental deletion".
The checkbox is not a separate attribute: ticking it adds a Deny ACE for Everyone (Delete and Delete Subtree) on the OU itself and a Deny Everyone Delete All Child Objects ACE on its parent, and clearing it removes those ACEs again. This is why even a Domain Admin gets the error: the Deny entries apply to Everyone.

To remove the accidental-deletion protection from an OU do the following:

  • Open Active Directory Users and Computers
  • Go to View
  • Tick "Advanced Features"
  • Right-click the protected OU
  • Go to Properties
  • Navigate to the "Object" tab
  • Clear "Protect object from accidental deletion"

With the Server 2008 R2 ActiveDirectory module the same change is Set-ADObject -Identity '<OU DN>' -ProtectedFromAccidentalDeletion $false.

(Screenshot: Protect OU from accidental deletion)

Add custom field to ADUC- Employee ID

Posted on November 23rd, 2008 in Active Directory, Microsoft by Gil Kreslavsky

How to add Employee ID to Active Directory Users and Computers

1. Open ADSI Edit and connect to the Configuration naming context.
2. Expand the CN=Configuration node and go to CN=DisplaySpecifiers, CN=409 (409 is the US English locale; other UI languages use their own locale container). Select the 409 node in the left-hand pane.
3. In the right-hand pane, select the CN=user-Display object. Right-click and select Properties.
4. Select the adminContextMenu attribute and click Edit.
5. We now need to add the value that creates the additional menu item and points it to the employeeID.vbs script. The syntax is important: each adminContextMenu value has the form <position>,<menu text>,<command>, so be sure to include the comma at the beginning (empty position) and the comma after the menu name (Employee-ID). Add the following to the "Value to add" line:
,&Employee-ID,\\servername\sharename\employeeID.vbs
The script must be on a share that every machine where ADUC is run can reach, because ADUC launches it on the administrator's own workstation, under the administrator's account. Anyone who can write to that file (or edit the display specifier itself) therefore gets code execution as each administrator who clicks the menu item: keep the share read-only for everyone except the people who maintain the script, and review the adminContextMenu values of your display specifiers periodically. Editing display specifiers requires write access to the Configuration partition (Enterprise Admins by default).
6. Change servername and sharename to reflect your environment and then click Add.
7. Click OK to accept the changes and close ADSI Edit.
8. Allow some time for replication to populate the change throughout the forest (the Configuration partition replicates to every DC).
9. Open ADUC and select a user. Right-click the user and notice the new menu item.
10. Select Employee-ID to launch the script from within ADUC. From here you can either enter a new value for the employeeID attribute or hit Cancel to leave the current value intact. (Note: if no value is shown in the prompt, the attribute is empty for that user.)

VBScript – copy and paste the following into Notepad, save it as employeeID.vbs and copy it to the shared folder.

' ADUC passes the ADsPath of the selected object as the first argument (and its class as
' the second); the script runs on the administrator's machine under the administrator's account.
Dim objEmployeeID
Dim objSelectedUser
Dim strCurrentEmployeeID
Dim strNewEmployeeID
Set objEmployeeID = WScript.Arguments
Set objSelectedUser = GetObject(objEmployeeID(0))
' Reading an attribute that has never been set raises an ADSI error, so guard the read
On Error Resume Next
strCurrentEmployeeID = objSelectedUser.Get("employeeID")
If Err.Number <> 0 Then strCurrentEmployeeID = ""
On Error GoTo 0
strNewEmployeeID = InputBox("Employee ID: " & strCurrentEmployeeID & vbCRLF _
    & vbCRLF _
    & "To enter a new Employee ID number," _
    & " type it into the text box" _
    & " below and click OK.")
' Cancel (or an empty box) leaves the current value intact; the script cannot clear the attribute
If strNewEmployeeID <> "" Then
    objSelectedUser.Put "employeeID", strNewEmployeeID
    objSelectedUser.SetInfo
End If
WScript.Quit
When you right-click a user in ADUC you will see the new menu item (Employee-ID).

Active Directory Saved Queries Templates

Posted on August 21st, 2008 in Active Directory, Microsoft by Gil Kreslavsky

In order to configure and use a saved query do the following.
Go to Active Directory Users and Computers:

  1. Right-click the Saved Queries folder and select New, Query.
  2. Enter an appropriate Name and Description.
  3. Make sure the query root is set to the domain (or OU) you want the query to pertain to.
  4. Select the Include subcontainers check box if you want the query to search all subcontainers.
  5. Click Define Query.
  6. In the Find dialog box, click the Find drop-down arrow and select Custom Search.
  7. On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
  8. Click OK twice.

Active Directory Saved Queries Templates

Each template below is written as a single well-formed LDAP filter: conditions are combined with (&...) (all must match), (|...) (any may match) and (!...) (negation). The matching rule 1.2.840.113556.1.4.803 tests that all bits of the value are set in the attribute, while 1.2.840.113556.1.4.804 tests that any bit is set. Note that objectCategory=person also matches contact objects, which is why the user templates add objectClass=user.

Find groups that contain the word admin
(&(objectCategory=group)(sAMAccountName=*admin*))

Find users who have admin in the description field
(&(objectCategory=person)(objectClass=user)(description=*admin*))

Find all universal groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8))

Empty groups with no members
(&(objectCategory=group)(!(member=*)))
Note: membership held through primaryGroupID (for example Domain Users) is not stored in the member attribute, so such groups look empty to this query.

Find all groups defined as a global group, a domain local group, or a universal group (the 804 rule is a bitwise OR, so any of the bits 2, 4 or 8 qualifies)
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14))

Find all users with the name Bob
(&(objectCategory=person)(objectClass=user)(sAMAccountName=*Bob*))

Find user accounts with passwords set to never expire (DONT_EXPIRE_PASSWD, bit 65536)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Find all users that never logged on to the domain
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))
Note: lastLogon is not replicated; every DC keeps its own value, so run this against each DC, or use lastLogonTimestamp (replicated at Windows 2003 functional level, but up to 14 days stale) instead.

Find user accounts with no logon script
(&(objectCategory=person)(objectClass=user)(!(scriptPath=*)))

Find user accounts with no profile path
(&(objectCategory=person)(objectClass=user)(!(profilePath=*)))

Find enabled accounts that must change their password at next logon
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Find all disabled accounts in Active Directory (ACCOUNTDISABLE, bit 2, set; the original template negated the test and therefore returned the enabled accounts)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Find all locked out accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
Note: the LOCKOUT bit (16) of userAccountControl is never stored in AD, so a filter on it returns nothing; lockoutTime is what the DC writes. It is not cleared when the lockout duration expires, only at the next successful logon or an administrative unlock, so compare it with your lockout duration to find accounts that are still locked.

Find domain local groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4))

Find all users with an email address set
(&(objectCategory=person)(objectClass=user)(mail=*))

Find all users with no email address
(&(objectCategory=person)(objectClass=user)(!(mail=*)))

Find all users, groups or contacts where company or description starts with Contractors
(&(|(objectCategory=user)(objectCategory=group)(objectCategory=contact))(|(description=Contractors*)(company=Contractors*)))

Find all users with mobile numbers starting with 712 or 155
(&(objectCategory=user)(|(mobile=712*)(mobile=155*)))

Find all users with dial-in permission
(&(objectCategory=user)(msNPAllowDialin=TRUE))

Find all printers with colour printing capability
Note: the server name must be changed
(&(objectCategory=printQueue)(uncName=*Servername*)(printColor=TRUE))

Find user mailboxes overriding the Exchange size limit policies
(&(objectCategory=user)(mDBUseDefaults=FALSE))

Find all users that must change their password at next logon (disabled accounts included; see the enabled-only template above)
(&(objectCategory=user)(pwdLastSet=0))

Find all users that are almost locked out
Notice the ">=", which means "greater than or equal to".
(&(objectCategory=user)(badPwdCount>=2))
Note: badPwdCount is not replicated, but every failed attempt is forwarded to the PDC emulator, so run this query against the PDC emulator to get the complete picture.

Find all computers that do not have a description
(&(objectCategory=computer)(!(description=*)))

Find all users with hidden mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

Find all Windows 2000 SP4 computers
(&(objectCategory=computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))

Find all Windows XP SP2 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))

Find all Windows XP SP3 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Find all Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all computer accounts (sAMAccountType 805306369 is SAM_MACHINE_ACCOUNT, so this returns servers and domain controllers as well as workstations; add an operatingSystem condition to narrow it down)
(sAMAccountType=805306369)

Find all 2003 servers that are not DCs
(&(objectCategory=computer)(operatingSystem=Windows Server 2003*)(!(primaryGroupID=516)))

Find all 2003 servers that are DCs (primaryGroupID 516 is the Domain Controllers group)
(&(objectCategory=computer)(operatingSystem=Windows Server 2003*)(primaryGroupID=516))

Find all Server 2008 servers that are not DCs (read-only DCs carry primaryGroupID 521 and are excluded as well)
(&(objectCategory=computer)(operatingSystem=Windows Server 2008*)(!(primaryGroupID=516))(!(primaryGroupID=521)))
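The templates are easy to get wrong: a misplaced ! turns "disabled accounts" into "enabled accounts", and the bitwise matching rules behave differently from equality. The following added Python example, not from the original post, is a small evaluator for this filter syntax that runs the templates against a handful of constructed objects, so a filter can be sanity-checked offline before it goes into a saved query. The sample accounts, group names and DNs are constructed.

```python
"""Added example, not part of the original post: an offline evaluator for the LDAP filter
syntax used by ADUC saved queries. It supports &, |, !, equality, presence (attr=*),
substring wildcards, >=, <= and the two AD bitwise rules (1.2.840.113556.1.4.803 = all
bits of the value set, 1.2.840.113556.1.4.804 = any bit set). Escaped values and ')'
inside values are not supported. Sample objects below are constructed; real objectCategory
values are schema DNs, which AD resolves from the short class names used in filters."""
import fnmatch

RULES = {"1.2.840.113556.1.4.803": "and", "1.2.840.113556.1.4.804": "or"}


def parse(text):
    """Parse an RFC 4515 style filter into ('&'|'|'|'!', children) nodes and leaves."""
    text = text.strip()
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after the filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' expression near offset {i}")
        return i + 1, (op, children)
    end = s.index(")", i)                      # values may not contain ')' (no escapes here)
    body = s[i:end]
    for token, kind in ((":=", "ext"), (">=", "ge"), ("<=", "le"), ("=", "eq")):
        if token in body:
            attr, value = body.split(token, 1)
            break
    else:
        raise ValueError(f"no operator in '{body}'")
    if kind == "ext":                          # extensible match: attr:OID:=value
        attr, rule = attr.split(":", 1)
        kind = RULES[rule]                     # KeyError for rules this evaluator lacks
    return end + 1, ("leaf", attr.strip(), kind, value.strip())


def _values(obj, attr):
    """Case-insensitive attribute lookup; always a list, empty when the attribute is absent."""
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []


def matches(node, obj):
    op = node[0]
    if op == "&":
        return all(matches(c, obj) for c in node[1])
    if op == "|":
        return any(matches(c, obj) for c in node[1])
    if op == "!":
        return not matches(node[1][0], obj)
    _, attr, kind, value = node
    vals = _values(obj, attr)
    if kind == "eq":
        if value == "*":                       # presence test
            return bool(vals)
        if "*" in value:                       # substring test; AD compares case-insensitively
            return any(fnmatch.fnmatchcase(str(v).lower(), value.lower()) for v in vals)
        return any(str(v).lower() == value.lower() for v in vals)
    if kind == "ge":
        return any(int(v) >= int(value) for v in vals)
    if kind == "le":
        return any(int(v) <= int(value) for v in vals)
    mask = int(value) & 0xFFFFFFFF             # bitwise rules work on the 32-bit pattern,
    if kind == "and":                          # so negative groupType values behave as in AD
        return any(((int(v) & 0xFFFFFFFF) & mask) == mask for v in vals)
    return any((int(v) & 0xFFFFFFFF) & mask for v in vals)


def search(filter_text, objects):
    """Return the sAMAccountNames of the objects matching the filter, in directory order."""
    tree = parse(filter_text)
    return [o["sAMAccountName"] for o in objects if matches(tree, o)]


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_OBJECTS = [   # constructed sample data
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "bsmith",
     "userAccountControl": 512, "pwdLastSet": 0, "lastLogon": 0},          # new, never logged on
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "svc-backup",
     "userAccountControl": 66048, "pwdLastSet": 132000000000000000,        # 512 + 65536: never expires
     "lastLogon": 132100000000000000, "description": "Backup admin service account"},
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "olduser",
     "userAccountControl": 514, "pwdLastSet": 0, "lockoutTime": 132200000000000000},  # disabled, locked
    {"objectCategory": "group", "objectClass": ["top", "group"], "sAMAccountName": "Domain Admins",
     "groupType": -2147483646, "member": ["CN=svc-backup,OU=Staff,DC=testdomain,DC=com"]},
    {"objectCategory": "group", "objectClass": ["top", "group"], "sAMAccountName": "legacy-dl",
     "groupType": 8},                                                        # empty universal DL
]
```

search() takes the filter text exactly as you would paste it into the saved query, so you can paste a template, run it over SAMPLE_OBJECTS and compare the result with what you expect; the "disabled accounts" filter with and without the negation is a useful first check.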


How to clean duplicate mailboxes with red X ( Error ID no. c1034ad6)

Posted on June 19th, 2008 in Exchange 2003, Microsoft by Gil Kreslavsky

First let's understand when it happens. After moving mailboxes between two Exchange stores, duplicate mailboxes sometimes remain. When you try to delete them you receive the error "The operation cannot be performed because this mailbox was already reconnected to an existing user." ID no. c1034ad6.
To delete the stray mailbox, go to Active Directory Users and Computers, select the user that holds both mailboxes, run "Exchange Tasks" and select "Remove Exchange Attributes". Then go to the duplicate mailbox with the red X and reconnect it to the user. Once the duplicate mailbox is connected you can delete it. After a successful delete, purge the red X mailbox and reconnect the original mailbox to the user.

I also found a Microsoft article related to this issue; it seems the problem is related to the Exchange 2003 SP2 installation and you need to obtain a hotfix to resolve it: http://support.microsoft.com/kb/940012

Delegate a user to edit custom fields in user properties (phone numbers, street etc.)

Posted on January 27th, 2008 in Active Directory, Microsoft by Gil Kreslavsky

1. Run Active Directory Users and Computers.
2. Right-click the container holding the users (or the domain name if you want to delegate all) and hit Delegate Control.
3. Welcome Screen – hit Next.
4. Users or Groups screen – click Add and select the person or group to delegate this control to. Click Next.
5. Tasks to Delegate screen – select “Create a custom task to delegate”. Click Next.
6. Active Directory Object Type screen – Select “Only the following objects in the folder:”. Check “User objects”. Click Next.
7. Permissions screen – uncheck "General" and check "Property-specific". Check the Read and Write boxes for the specific attributes you want the user or group to be able to edit (this per-attribute selection is the least-privilege option). Click Next.
8. Completing screen – click Finish.

The same delegation can also be done by script. Change the OU distinguished name and the trustee (the placeholders in the script below) to match your environment. Note that the script grants read and write on the whole Personal-Information property set (several dozen attributes: addresses, telephone numbers and more) rather than on individual attributes as the wizard does; to delegate a single attribute, use that attribute's schemaIDGUID as the ObjectType instead.

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8

' OU whose user objects the delegation applies to (placeholder)
Set objSdUtil = GetObject("LDAP://OU=OU Name,DC=example,DC=com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = "DomainName.com\Example_secretary"   ' placeholder: the delegated user or group
' Inherit to child objects; Or in ADS_ACEFLAG_INHERIT_ONLY_ACE to keep the ACE off the OU itself, as the wizard does
objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT Or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"          ' rightsGuid of the Personal-Information property set
objAce.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"  ' schemaIDGUID of the user class: only user objects inherit the ACE
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl

objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
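To verify what the script wrote, and to spot delegations that are broader than intended, the following added Python example (not from the original post) decodes an OU's DACL from its SDDL form and lists every ACE that grants a write right, resolving the two GUIDs the script uses. It assumes the descriptor was exported as SDDL, for example with (Get-Acl 'AD:\OU=OU Name,DC=example,DC=com').Sddl from the Server 2008 R2 ActiveDirectory module; SAMPLE_SDDL and the SIDs in it are constructed.

```python
"""Added example, not part of the original post: decode the DACL of an OU from its SDDL
string and list which trustees were delegated a write right, so the ACE the script above
adds can be verified and over-broad delegations spotted. SAMPLE_SDDL and its SIDs are
constructed; the GUID table holds only the two GUIDs the script uses."""
import re

ACE_TYPES = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny", "AU": "audit", "OU": "audit"}
ACE_FLAGS = {"CI": "container_inherit", "OI": "object_inherit", "NP": "no_propagate",
             "IO": "inherit_only", "ID": "inherited", "SA": "success_audit", "FA": "failure_audit"}
RIGHTS = {"CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
          "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
          "CR": "ExtendedRight", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDacl",
          "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
          "GX": "GenericExecute"}
# GUIDs used by the delegation script above; extend this table from the schema as needed.
KNOWN_GUIDS = {"77b5b886-944a-11d1-aebd-0000f80367c1": "Personal-Information",  # property set
               "bf967aba-0de6-11d0-a285-00aa003049e2": "user"}                  # user class
WRITE_RIGHTS = {"WriteProperty", "GenericWrite", "GenericAll"}


def _codes(field):
    """Split a run of two-letter SDDL codes ('CIIO' -> ['CI', 'IO'])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts with decoded fields."""
    match = re.search(r"D:([^:]*?)(?=S:|$)", sddl)    # DACL section runs until the SACL
    if not match:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE format: ({body})")
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        if rights.lower().startswith("0x"):             # raw access mask: keep it undecoded
            right_names = {f"mask:{rights}"}
        else:
            right_names = {RIGHTS.get(r, r) for r in _codes(rights)}
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": {ACE_FLAGS.get(f, f) for f in _codes(flags)},
            "rights": right_names,
            # empty object GUID = every property; empty inherited GUID = every object class
            "property": KNOWN_GUIDS.get(obj_guid.lower(), obj_guid) if obj_guid else "(all properties)",
            "applies_to": KNOWN_GUIDS.get(inh_guid.lower(), inh_guid) if inh_guid else "(all object classes)",
            "trustee": trustee,
        })
    return aces


def write_property_grants(sddl):
    """The allow ACEs that convey a write right: these are the delegations to review."""
    return [a for a in parse_dacl(sddl) if a["type"] == "allow" and a["rights"] & WRITE_RIGHTS]


SAMPLE_SDDL = (  # constructed: an OU after the delegation script ran
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                  # Domain Admins: full control
    "(OA;CI;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;"    # the ACE the script adds
    "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CIIO;WP;;bf967aba-0de6-11d0-a285-00aa003049e2;"   # over-broad: write ANY user property
    "S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "(D;;SDDT;;;WD)"                                        # Everyone denied Delete/Delete Subtree
)

if __name__ == "__main__":
    for ace in write_property_grants(SAMPLE_SDDL):
        print(f"{ace['trustee']:55s} {ace['property']:22s} on {ace['applies_to']}"
              f"{' (inherit only)' if 'inherit_only' in ace['flags'] else ''}")
```

Any entry whose property column reads "(all properties)" for a trustee other than your admin groups deserves a look: it means the ACE was created without an object type and grants write on every attribute of the inheriting class, which is far more than the Personal-Information set the script intends.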

Disable File And Folder Sharing, via GPO

Posted on January 21st, 2007 in Active Directory, Microsoft, Server 2003 by Gil Kreslavsky

To remove the Security and Sharing tabs from Windows 2000/XP Professional workstations that are members of a Windows 2000/2003 domain:

  1. Start Active Directory Users and Computers.
  2. Right-click the domain, and then click Properties.
  3. Click the Group Policy tab on the domain properties dialog box to view the default domain policy.
  4. Click New. A new Group Policy Object appears in the list of objects. Rename this policy to Remove Security Tab. Make sure this policy is positioned directly under the default domain policy.
  5. Click Remove Security Tab, and then click Edit to start the Group Policy Editor.
  6. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
  7. Right-click in the left pane, and then click Add Key.
  8. Paste the following key in the text box, and then click OK (this is the CLSID of the Security shell extension, rshx32.dll):
    CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
    Note that there may be a delay before you can proceed to the next step; this is normal.
  9. The Database Security Editor appears. Add the user or group that you want the Security tab to be removed from.
  10. Change the permission on this key for the users and/or groups that you added in the previous step to "Deny Read". This prevents the user from instantiating the component that displays the Security tab. Click OK twice to complete the settings and exit the Group Policy Editor.
  11. Click New. A new Group Policy Object appears in the list of objects. Rename this policy to Remove Sharing Tab. Make sure this policy is positioned directly under the default domain policy.
  12. Click Remove Sharing Tab, and then click Edit to start the Group Policy Editor.
  13. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
  14. Right-click in the left pane, and then click Add Key.
  15. Paste the following key in the text box, and then click OK (this is the CLSID of the Sharing shell extension, ntshrui.dll):
    CLASSES_ROOT\CLSID\{40dd6e20-7c17-11ce-a804-00aa003ca9f6}
    Note that there may be a delay before you can proceed to the next step; this is normal.
  16. The Database Security Editor appears. Add the user or group that you want the Sharing tab to be removed from.
  17. Change the permission on this key for the users and/or groups that you added in the previous step to "Deny Read". This prevents the user from instantiating the component that displays the Sharing tab. Click OK twice to complete the settings and exit the Group Policy Editor.

Two caveats. A Deny ACE wins over any Allow, so do not add a group that contains your administrators (Domain Users or Authenticated Users would hide the tabs for admins as well); target a dedicated users group. And hiding the tabs is a usability measure, not a security boundary: a user who has the underlying rights can still change permissions with cacls.exe and create shares with net share, so if the goal is to stop users from sharing folders, also keep them out of the local Administrators and Power Users groups, which are required to create shares.