6425c_02.ppt

Upload: ravichandranpc1851

Post on 30-Oct-2015

DESCRIPTION

MOC 6425 c

TRANSCRIPT

  • Module 2: Administering Active Directory Securely and Efficiently

  • Module Overview
      - Work with Active Directory Administration Tools
      - Custom Consoles and Least Privilege
      - Find Objects in Active Directory
      - Use Windows PowerShell to Administer Active Directory

  • Lesson 1: Work with Active Directory Administration Tools
      - Active Directory Administration Snap-Ins
      - What Is the Active Directory Administrative Center?
      - Find Active Directory Administration Tools
      - Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools

  • Active Directory Administration Snap-Ins
      - Active Directory Users and Computers: Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders
      - Active Directory Sites and Services: Manage replication, network topology, and related services
      - Active Directory Domains and Trusts: Configure and maintain trust relationships and the domain and forest functional level
      - Active Directory Schema: Administer the Schema

  • What Is the Active Directory Administrative Center?
      - Task-oriented tool based upon Windows PowerShell

  • Find Active Directory Administration Tools
      - Active Directory snap-ins are installed on a domain controller
          - Server Manager: Users and Computers, Sites and Services
          - Administrative Tools folder
      - Install the RSAT on a member client or server
          - Windows Server 2008: Server Manager > Features > Add Feature > Remote Server Administration Tools
          - Windows Vista SP1, Windows 7:
              - Download RSAT from www.microsoft.com/downloads
              - Double-click the file, then follow the instructions in the Setup Wizard
              - Control Panel > Programs And Features > Turn Windows Features On Or Off > Remote Server Administration Tools

  • Demonstration: Perform Administrative Tasks by Using Active Directory Administration Tools
    In this demonstration, you will see:
      - How to perform administrative tasks by using Active Directory Users and Computers
      - How to perform administrative tasks by using Active Directory Administrative Center

  • Lesson 2: Custom Consoles and Least Privilege
      - Demonstration: Create a Custom MMC Console for Administering Active Directory
      - Secure Administration with Least Privilege, Run As Administrator, and User Account Control
      - Demonstration: Secure Administration with User Account Control and Run As Administrator

  • Demonstration: Create a Custom MMC Console for Administering Active Directory
    In this demonstration, you will see:
      - How to create a custom MMC console with multiple snap-ins
      - How to register the Active Directory Schema snap-in
      - Where to save a custom console

  • Secure Administration with Least Privilege, Run As Administrator, and User Account Control
      - Maintain at least two accounts
          - A standard user account
          - An account with administrative privileges
      - Log on to your computer as a standard user
          - Do not log on to your computer with administrative credentials
      - Start administrative consoles with Run As Administrator
          - Right-click the console and click Run As Administrator
          - Click Use another account
          - Enter the user name and password for your administrative account

  • Demonstration: Secure Administration with User Account Control and Run As Administrator
    In this demonstration, you will see:
      - How to run a custom console as an administrator
      - Why it is important to save a custom console to a shared location

  • Lab A: Administer Active Directory by Using Administrative Tools
      - Exercise 1: Perform Basic Administrative Tasks by Using Administrative Tools
      - Exercise 2: Create a Custom Active Directory Administrative Console
      - Exercise 3: Perform Administrative Tasks with Least Privilege, Run As Administrator, and User Account Control

    Logon information
    Estimated time: 30 minutes

  • Lab Scenario: In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with non-privileged credentials.

  • Lab Review
      - Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
      - When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?

  • Lesson 3: Find Objects in Active Directory
      - Scenarios for Finding Objects in Active Directory
      - Demonstration: Use the Select Users, Contacts, Computers, or Groups Dialog Box
      - Options for Locating Objects in Active Directory Users and Computers
      - Demonstration: Control the View of Objects in Active Directory Users and Computers
      - Demonstration: Use the Find Command
      - Determine Where an Object Is Located
      - Demonstration: Use Saved Queries
      - Demonstration: Find Objects by Using Active Directory Administrative Center

  • Scenarios for Finding Objects in Active Directory
      - When you assign permissions to a folder or file
          - Select the group or user to which permissions are assigned
      - When you add members to a group
          - Select the user or group that will be added as a member
      - When you configure a linked attribute such as Managed By
          - Select the user or group that will be displayed on the Managed By tab
      - When you need to administer a user, group, or computer
          - Perform a search to locate the object in Active Directory, instead of browsing for the object

  • Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box
    In this demonstration, you will see:
      - How to select users with the Select dialog box

  • Options for Locating Objects
      - Sorting: Use column headings to find the objects based on the columns

  • Demonstration: Control the View of Objects in Active Directory Administrative Tools
    In this demonstration, you will see:
      - How to add or remove columns in the details pane
      - How to sort objects based on columns in the details pane

  • Demonstration: Use the Find Command
    In this demonstration, you will see:
      - How to search for objects in Active Directory by using the Find command

  • Determine Where an Object Is Located
      - Ensure that Advanced Features is enabled
      - Find the object
      - Open its Properties dialog box
      - Click the Object tab
      - View the Canonical name of object
    or
      - In the Find dialog box, click View, click Choose Columns, and then add the Published At column

  • Demonstration: Use Saved Queries
    In this demonstration, you will see:
      - How to create a saved query
      - How to distribute a saved query
      - Why saved queries are an efficient and effective tool for administration

  • Demonstration: Find Objects by Using Active Directory Administrative Center
    In this demonstration, you will see:
      - How to find objects by using the Active Directory Administrative Center
      - How to save queries by using the Active Directory Administrative Center

  • Lab B: Find Objects in Active Directory
      - Exercise 1: Find Objects in Active Directory
      - Exercise 2: Use Saved Queries

    Logon information
    Estimated time: 15 minutes

  • Lab Scenario: Contoso now spans five geographic sites around the world, with over 1,000 employees. As your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.

  • Lab Review
      - In your work, what scenarios require you to search Active Directory?
      - What types of saved queries could you create to help you perform your administrative tasks more efficiently?

  • Lesson 4: Use Windows PowerShell to Administer Active Directory
      - What Is Windows PowerShell?
      - Installation Requirements for Windows PowerShell 2.0
      - Overview of the Windows PowerShell Syntax
      - Windows PowerShell Cmdlets for Active Directory
      - Demonstration: Manage Users and Groups by Using PowerShell

  • What Is Windows PowerShell?
      - Windows PowerShell is not a scripting language
          - At least, it is not only a scripting language
      - PowerShell is an engine designed to run commands that perform administrative tasks, for example:
          - Creating user accounts
          - Configuring services
          - Deleting mailboxes
      - PowerShell provides a foundation that Microsoft GUI-based administrative tools can build upon
          - Actions can be accomplished in the command-line console
          - Actions can also be invoked within GUIs by running PowerShell commands in the background

  • Installation Requirements for Windows PowerShell 2.0
      - Windows PowerShell is pre-installed by default in Windows Server 2008 R2 and Windows 7
      - Windows PowerShell is a web download for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
      - Windows PowerShell requires Microsoft .NET Framework 2.0 with Service Pack 1
      - Active Directory Module for Windows PowerShell is included with Windows Server 2008 R2
      - Active Directory Module for Windows PowerShell is installed with AD DS or AD LDS

  • Overview of the Windows PowerShell Syntax
      - All Windows PowerShell cmdlets use the same syntax
      - Cmdlets can be pipelined to other cmdlets: Get-ADUser Don | Set-ADUser -Department Marketing

    Verb   Noun     Parameters   Example
    Get    ADUser                Get-ADUser Don
    Set    ADUser                Set-ADUser -Department Marketing
    Get    ADUser   -Filter      Get-ADUser -Filter 'Name -like "*"'

  • Windows PowerShell Cmdlets for Active Directory
    PowerShell provides cmdlets to assist in the following:
      - User, Computer, and Group Management
      - Organizational Unit Management
      - Password Policy Management
      - Search and Modify Objects
      - Forest and Domain Management
      - Domain Controller and Operations Master Management
      - Managed Service Account Management

  • Demonstration: Manage Users and Groups by Using Windows PowerShell
    In this demonstration, you will see how to:
      - Create a new OU
      - Create a new user
      - Move a user to a new OU
      - View group membership
      - Add members to a group
      - Set the password on a new user and enable the user account
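
    The six demonstration tasks above, as an added example that is not taken from the course files. It uses cmdlets from the Active Directory module; the domain DN, the OU name and the user name are constructed for illustration, and the Instructors group is assumed to exist as it does in the course lab.

```powershell
# Added example (not from the course files). Assumes the ActiveDirectory module
# is available and the session runs under an account allowed to create objects.
# Domain DN, OU name and user name are constructed values for illustration.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$domainDn = 'DC=contoso,DC=com'     # assumed DN of the lab domain
$ouName   = 'Contractors'           # hypothetical OU
$ouDn     = "OU=$ouName,$domainDn"
$sam      = 'Sample.User'           # hypothetical account
$group    = 'Instructors'           # group used in the course demonstrations

# 1. Create a new OU, unless it already exists directly under the domain root.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Create a new user. No password is supplied, so the account is created
#    disabled in the domain's default user container.
New-ADUser -Name 'Sample User' -SamAccountName $sam `
    -GivenName 'Sample' -Surname 'User' -Department 'Marketing'

# 3. Move the user to the new OU by piping the object to Move-ADObject.
Get-ADUser -Identity $sam | Move-ADObject -TargetPath $ouDn

# 4. View group membership from both directions:
#    members of the group, then groups the user belongs to.
Get-ADGroupMember -Identity $group |
    Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity $sam |
    Select-Object Name, GroupScope

# 5. Add the user to the group.
Add-ADGroupMember -Identity $group -Members $sam

# 6. Set the password and enable the account. The password is read as a
#    SecureString so it never appears in the script or the command history.
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $password
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
Enable-ADAccount -Identity $sam

# Confirm the result. -Filter limits which objects are returned;
# -Properties requests attributes beyond the default set.
Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $ouDn `
        -Properties Department, MemberOf, PasswordLastSet |
    Select-Object Name, Enabled, Department, PasswordLastSet, MemberOf
```

    The account stays disabled until step 6 has set a password, so it cannot be used between creation and enablement.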

  • Lab C: Use Windows PowerShell to Administer Active Directory
      - Exercise: Use PowerShell Commands to Administer Active Directory

    Logon information
    Estimated time: 15 minutes

  • Lab Scenario: Contoso is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.

  • Lab Review
      - Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
      - Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
      - How can you see a list of all attributes that are available for an Active Directory object?

  • Module Review and Takeaways
      - Review Questions
      - Tools
      - Windows Server 2008 R2 Features Introduced in this Module

    Presentation: 65 minutes
    Lab: 60 minutes

    Objectives
    After completing this module, you will be able to:
      - Describe and work with Active Directory administration tools.
      - Describe the purpose and functionality of custom consoles and least privilege.
      - Locate objects in Active Directory.
      - Administer Active Directory by using Windows PowerShell.

    About This Module
    Whereas Module 1 covered the fundamental concepts related to Active Directory and AD DS, Module 2 covers the fundamental concepts and skills related to administering AD DS. In this module, you will introduce the concepts and tools used to administer Active Directory objects in a secure and efficient (best practice) manner. Less experienced students will gain the skills to perform basic administration tasks. All students will learn to administer AD DS with best practice skills, including Run As Administrator with secondary credentials (for secure administration), custom MMC consoles, Saved Queries, and the DS commands.

    The instructional design goal of this module is to ensure that when students are asked to perform specific administrative tasks in later modules, they have an understanding of:
      - The AD DS snap-ins and the Active Directory Administrative Center.
      - Common user interface components such as Select dialog boxes.
      - Best practices like Run As Administrator.
      - Tools for navigating and finding objects in Active Directory, such as Saved Queries.
      - PowerShell commands.

    Do not make the mistake of diving into discussions of particular object classes (users, groups, and computers) or of specific administrative tasks in this module. Stay focused on the tools, skills, and concepts related to administration at a high level.

    See the instructor notes regarding the delegation content in Module 8. You may, optionally, deliver Lesson 1 of Module 8 (Delegation) after Lesson 4 of this module.

    Module 2: Administering Active Directory Securely and Efficiently (Course 6425C)

    Preparing for the demos in this module
      - Start 6425C-NYC-DC1.
      - Log on as Pat.Coleman_Admin, with the password, Pa$$w0rd.
      - After NYC-DC1 has started, start 6425C-NYC-SVR1 and 6425C-NYC-CL1.

    Preparation for Labs
    There are three labs in this module. The labs have dependencies between each other so students should not shut down the virtual machines after each lab. If you wish to prepare for them now and save time taken for startup, you should ask students to start the virtual machine now. The virtual machine used in all labs is 6425C-NYC-DC1.

    Discuss the objectives of the module listed on this slide from the higher-level perspective of the two main goals of this module, which are to:
      - Establish methods for working securely when administering Active Directory, which will be carried forward for all remaining modules. This is not a course where students will log on as Administrator to their computers. Rather, they log on with a standard user account, following best practices of least privilege.
      - Share some of the most valuable secrets of efficient administration that are often learned only after months or years of experience, including:
          - Working with customized MMC consoles.
          - Controlling the view of objects in Active Directory.
          - Mastering the many interfaces with which to search Active Directory.
          - Administering from the command line.

    Objective: List the four major Active Directory administrative snap-ins.
    The course will be spending time with each of them, so do not cover these too deeply at this point. This is simply a list of the four most common snap-ins used to administer AD DS.

    References
      - Active Directory Domain Services: http://go.microsoft.com/fwlink/?LinkId=168715
      - Managing Active Directory from MMC: http://go.microsoft.com/fwlink/?LinkId=168716
      - Install the Active Directory Schema snap-in: http://go.microsoft.com/fwlink/?LinkId=168717

    Objective: Describe the Active Directory Administrative Center.
    Point out that this is a task-oriented tool based upon Windows PowerShell. Also point out the installation requirements for this tool.

    Reference
      - Active Directory Administrative Center: Getting Started: http://go.microsoft.com/fwlink/?LinkID=214182

    Objective: Ensure that students can find the AD DS administrative tools.
      - Point out that adding the AD DS role installs the Active Directory snap-ins automatically.
      - The snap-ins in Server Manager are in the Administrative Tools folder.
      - Emphasize that RSAT must be installed and enabled to administer Active Directory from a machine other than a domain controller.
      - On Windows Server 2008 machines, the RSAT can be added as a feature.
      - On Windows Vista SP1 (and newer versions) and Windows 7 clients, you must download the RSAT, install the RSAT, and then turn the RSAT feature on.

    Ask students if anyone has ever installed the RSAT and then wondered why the tools did not appear.

    Point out this common problem: The RSAT is installed but no administrative tools appear. It is important to remember that you must also turn on the RSAT feature; installing the RSAT is not enough. This is done in Control Panel, Programs and Features, by choosing Turn Windows Features On Or Off.

    A tip to share with students: Add the administrative tools to your Start menu. By default, administrative tools are not added to the Start menu on Windows Vista clients. You can make the administrative tools easier to access by adding them to your Start menu.
      - Right-click the Start button and click Properties.
      - Click Customize.
      - If you are using the default Start menu, scroll to System Administrative Tools, and click Display on the All Programs menu and the Start menu or Display on the All Programs menu. If you are using the Classic Start menu, click Display Administrative Tools.
      - Click OK.

    Reference
      - Remote Server Administration Tools Pack: http://go.microsoft.com/fwlink/?LinkId=168718

    Objective: Demonstrate basic administrative tasks with Active Directory Users and Computers. See tasks in instructor notes.

    If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open Active Directory Users and Computers from the Administrative Tools folder.

    Viewing objects
    Select several containers, starting with the domain, some organizational units, and the Users container. Show that the details pane displays the objects in the container.

    Refreshing the view
    Emphasize that you must select a container (domain, organizational unit, or container) in the console tree and then click Refresh or press F5. If an item in the details pane is selected, the Refresh command does not refresh the view of all objects in the container.

    Creating objects
    Create a simple sample user account in the User Accounts\Marketing organizational unit to demonstrate that:
      - You right-click a container, click New, and then click object.
      - The New Object - objectType Wizard steps you through creating the object.
      - Only a subset of available properties is presented during object creation, including, of course, those that are required.

    Configuring object attributes
    Open the Properties dialog box for the user object you just created, to demonstrate that:
      - You right-click an object and then click Properties to configure the attributes of an object.
      - There are many attributes that were not presented during object creation.
      - Attributes are organized on tabs.
      - You can make changes on different tabs and those changes will persist until you click OK or Apply. You don't have to apply changes before navigating to another tab.
      - Clicking OK or Apply are both valid ways of saving your changes. The only difference is that OK closes the dialog box, whereas Apply leaves the dialog box open and with focus.

    Viewing all object attributes
    Demonstrate the Attribute Editor tab.
      - Open the Properties of the user object and point out that there is no tab called Attribute Editor.
      - Close the Properties box, and then click the View menu and select Advanced Features.
      - Open the Properties of the user again and show that the Attribute Editor tab has appeared.
      - Mention that when Advanced Features is viewed, the Security, Object, and other tabs appear, as do containers in the console tree that were previously hidden. Active Directory administrators often find it helpful to work with Advanced Features turned on, even though it adds a little clutter to the interface.
      - Scroll quickly through the list of attributes to demonstrate that there are dozens of attributes.
      - Highlight several attributes that are both understandable and potentially useful, such as carLicense, division, employeeID, employeeNumber, and employeeType.
      - Double-click division to edit the value.
      - Do not go into detail about any specific attribute or about whether or how to use these hidden attributes. Just point out that the attributes exist, and that the Attribute Editor exposes them.
      - Draw a comparison to ADSI Edit for students that know of that snap-in.

    Using Active Directory Administrative Center
      - Open Active Directory Administrative Center from the Administrative Tools folder.
      - Point out the Navigation pane and how you can change from List to Tree View. Change back to List View.
      - Show how to Reset a Password for Contoso\Alan.brewer. Reset the password to Pa$$w0rd.
      - Perform a Global Search for Don Roessler. Show how to perform tasks such as Add to group, Disable, and Locate.
      - Show the Properties of Don Roessler.

    Start 6425C-NYC-DC1. Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open the Run box and run the following command with administrative credentials: D:\Labfiles\Lab02a\Lab02a_Setup.bat. This command unregisters the schema mmc snap-in.

    In this demonstration, create a custom MMC console with all four of the Active Directory management snap-ins. This demonstration is a preview of an upcoming lab.
      - Click the Start button. In the Search programs and files box, type mmc.exe, and then press ENTER. Click Yes in the User Account Control dialog box.
      - An empty MMC console appears. Maximize it.
      - Click File, and then click Add/Remove Snap-in. If snap-ins are missing, install RSAT and turn on the snap-ins.
      - In the Add Or Remove Snap-ins dialog box, click Active Directory Users and Computers from the Available Snap-ins list, and then click the Add button to add it to the Selected Snap-ins list.
      - Repeat for Active Directory Sites and Services and Active Directory Domains and Trusts. Notice that the Active Directory Schema snap-in is not available to add.
      - Click OK to close the Add or Remove Snap-ins dialog box.
      - Register the Schema management snap-in: Open a command prompt as administrator, type regsvr32.exe schmmgmt.dll, and then press Enter. Click OK. Close the command prompt.
      - Return to the MMC console and click File, and then click Add/Remove Snap-in. Add the Active Directory Schema snap-in. Click OK to close the Add Or Remove Snap-ins dialog box.
      - Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the console to a new folder. In the next demo, you will open the console with a different user account that will not have access to your Desktop or Document folders.
      - Close MMC.

    Questions
      - Have you built a custom MMC console?
      - What snap-ins have you found useful?
      - Why did you build your own console?
    If a student suggests an answer related to least privilege and running the console as an administrator, use that answer as a transition to the next topic.

    Reference
      - Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0: http://go.microsoft.com/fwlink/?LinkId=168724

    Objective: Understand the importance of User Account Control and secondary logon.

    Discuss the reasons behind non-administrative logon. Report the fact that many organizations do not allow administrators to log on directly with their administrative credentials.
      - Ask students: Why is it risky to log on with administrative credentials? The privileges of the credentials could be used, accidentally or intentionally, to harm the environment.
      - Ask students: What is the disadvantage of logging on with standard-user, non-administrative credentials? It is difficult to perform administrative tasks if you have to repeatedly enter administrative credentials.

    Describe the concept of using Run As Administrator to run processes that require elevation. The processes you start run with an elevated credential, but the Explorer shell, and all processes that it spawns, run with standard user privileges.

    You will be demonstrating Run As Administrator next, so you do not have to detail the steps shown on this slide; it can be a reference for students as you perform the demonstration.

    Reference
      - Using Run as: http://go.microsoft.com/fwlink/?LinkId=168725

    Objective: Demonstrate Run As Administrator.
      1. Log off from NYC-DC1.
      2. Log on with user-level credentials: CONTOSO\Pat.Coleman, with the password, Pa$$w0rd.
      3. Open the C:\AdminTools folder you created in the previous demonstration.
      4. Right-click the ADConsole.msc console and click Run as administrator.
      5. Enter the credentials of your administrative account, CONTOSO\Pat.Coleman_Admin, with the password, Pa$$w0rd.
      6. Click Yes.

    Optionally, open Task Manager and click Show processes from all users. Enter the same credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd. Point out that explorer.exe is running as Pat.Coleman, while mmc.exe is running with the credentials, Pat.Coleman_Admin.

    Point out why it's important that users save custom consoles to a location that is accessible to both their user and administrative accounts. The administrator account (Pat.Coleman_Admin) may not have immediate access to the Desktop, Documents, or other folders that the user account (Pat.Coleman) has access to. If Pat.Coleman (user) saves the console to a location accessible only to that account, and runs it from there, the moment the process is elevated to the administrator (Pat.Coleman_Admin) account, it can no longer access the console.

      7. At the end of the demo, log off from NYC-DC1 and log back on as Contoso\Pat.Coleman_Admin, with the password, Pa$$w0rd.
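
    A scripted version of the Task Manager check described above, as an added example that is not part of the course files. It reports whether the current session is elevated, which account owns explorer.exe and mmc.exe, and who can read or write the saved console file. The function names are hypothetical, the default path is the one used in the demonstration, and Windows PowerShell 3.0 or later is assumed for Get-CimInstance.

```powershell
# Added example (not from the course files). Function names are hypothetical.
# Assumes Windows PowerShell 3.0 or later (Get-CimInstance, [pscustomobject]).

# True when the current token holds the local Administrators group enabled,
# i.e. the session is elevated rather than a standard-user session.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Lists the owning account of each named process. In the demonstration the
# expected result is explorer.exe owned by Pat.Coleman and mmc.exe owned by
# Pat.Coleman_Admin. Owners of other users' processes may not be readable
# from a standard-user session.
function Get-ProcessOwner {
    param([string[]]$Name = @('explorer.exe', 'mmc.exe'))

    $filter = ($Name | ForEach-Object { "Name='$_'" }) -join ' OR '
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Owner     = if ($owner.ReturnValue -eq 0) {
                            "$($owner.Domain)\$($owner.User)"
                        } else {
                            '(owner not readable from this session)'
                        }
        }
    }
}

# Shows every access rule on the console file. Two things are worth checking:
#  - the file is outside the standard user's profile, so the administrative
#    account can open it;
#  - only administrative identities have write access, because the file is
#    opened by an elevated process.
function Get-ConsoleFileAccess {
    param([string]$Path = 'C:\AdminTools\ADConsole.msc')

    $inProfile = $Path.StartsWith($env:USERPROFILE,
                                  [StringComparison]::OrdinalIgnoreCase)
    $write = [Security.AccessControl.FileSystemRights]::WriteData

    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity      = $_.IdentityReference.Value
            Type          = $_.AccessControlType
            Rights        = $_.FileSystemRights
            CanWrite      = ($_.AccessControlType -eq 'Allow') -and
                            (($_.FileSystemRights -band $write) -ne 0)
            InUserProfile = $inProfile
        }
    }
}

"Elevated session: $(Test-IsElevated)"
Get-ProcessOwner      | Format-Table -AutoSize
Get-ConsoleFileAccess | Format-Table -AutoSize
```

    Run it from the standard-user logon after starting the console with Run as administrator; an elevated PowerShell session is needed to read the owner of mmc.exe.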

    Reference
      - Using Run as: http://go.microsoft.com/fwlink/?LinkId=168725

    In this lab, students will create a custom Active Directory administrative console, then run the console and other administrative tools as an administrator.

    Lab Objectives
      - Perform basic administrative tasks by using administrative tools.
      - Create a custom console with the snap-ins required to perform typical AD DS administrative tasks.
      - Perform administrative tasks while logged on with non-privileged credentials.

    Scenario
    In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all of the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with non-privileged credentials.

    Exercise 1
    In this exercise, students experience basic administrative tasks in the Active Directory Users and Computers snap-in and the Active Directory Administrative Center.

    Exercise 2
    In this exercise, students create a custom console with the snap-ins required to perform typical AD DS administrative tasks.

    Exercise 3
    In this exercise, students perform administrative tasks while logged on with standard user credentials.

    NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.

    Lab Review
    Use the questions on the slide to guide the discussion after students have completed the lab exercises.

    Question: Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
    Answer: Answers will vary. Most students will use Active Directory Users and Computers regularly, to administer users, computers, and groups.
    Note: If a student suggests a different snap-in, ask the student to explain and justify his or her choice.

    Question: When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?
    Answer: Answers will vary. The answer will depend on students' job responsibilities and experience level.
    Note: Get students to think about what tools they can and should add to a custom console, with the goal of having one console with every tool needed to do their jobs.

    Objective: Think about all the times you need to select a user, group, or computer, and the tools you use to search for or specify that object.
    Discuss the scenarios in which you must search for or select an object from Active Directory. Involve the students: what scenarios require searching or selecting? What tools and user interfaces are applied?

    Objective: This is UI training. Make sure everyone knows all the ins-and-outs of the Select dialog box, and the variety of ways it can be used.

    The first scenarios mentioned on the previous slide (selecting users or groups to assign permissions, and adding members to a group) each involve using the Select dialog boxes. Step users through examples of using the Select dialog boxes.

    If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password, Pa$$w0rd.

    Add users to the Instructors group (in the Groups\Role OU) by using the Members tab of the group.
      - Open Active Directory Users and Computers and then browse to the Groups\Role OU. Open the Properties of the Instructors security group and perform the following steps:
      - On the Members tab, click Add.
      - Type linda;joan and click Check Names. This demonstrates a full first name and partial first name, and that semicolons delimit multiple users.
      - Type carole and click OK. This demonstrates that OK will also check names.
      - Click Add. Type tony;jeff and click OK. Pick Tony Krijnen and Jeff Ford. This demonstrates the Multiple Names Found box, and shows that it works with semicolons also.

    Add a user to the Instructors group by using the Add To Group command of the user.
      - Browse to the User Accounts\Employees OU.
      - Right-click Pat Coleman and click Add to a group.
      - Type Instr and click Check Names. This demonstrates the resolution of a group. Point out that Computers are not included by default.
      - Click OK.

    Set up the scenario: You want to deploy Microsoft Office Visio to NYC-CL1. It is licensed per computer, not per user, so the deployment of Visio should be targeted to a computer object (like most software). You have a group that represents the computers that should have Visio.
      - Open the APP_Visio group from the Groups\Application OU.
      - On the Members tab, try to add NYC-CL1. Point out that it fails.
      - Try again. This time, click the Object Types button and select Computers.

    Objective: This is an overview slide. Both Sorting and Searching are demonstrated in the next slides.
    Point out that navigating, browsing, or hunting through Active Directory is usually not the most efficient way to locate an object. Both Active Directory Users and Computers and the Active Directory Administrative Center allow you to sort and search, each of which can help you locate an object more quickly. Use this slide to set up the concepts of sorting and searching, then move on quickly to demonstrations.

    Reference
      - Search Active Directory: http://go.microsoft.com/fwlink/?LinkId=168729

    Objective: Demonstrate the use of sorting and column-choosing to facilitate locating objects in AD.

    In the User Accounts OU, add the Last Name column and arrange it so that it is the second column.

    A common complaint is that it is difficult to locate users in Active Directory Users and Computers because the Name column, which displays the common name (CN) attribute, is displayed as FirstName LastName by default. That makes finding "Bill Malone" difficult: is he listed as Bill or William? The solution is to add the Last Name column. Then you can sort by last name.

    While you are arranging columns, you can point out that the Type column is not necessary, because all objects in the OU are users. You can remove that column.

    Sort by the Last Name column. Point out that this solves the problem. It is not necessary (in fact, it is not recommended) to configure the Name of users (the cn attribute) in the LastName, FirstName format.

    Advanced technical note and tip
    Unfortunately, some organizations resolve this problem of finding users in Active Directory Users and Computers by configuring the CN as LastName, FirstName. This is not recommended! Instead, use the Last Name column to solve the problem. Sharing this tip is a good setup for one of the advantages of Saved Queries.

    To add the Last Name column to the details pane in the Active Directory Users and Computers console:
      1. Click the View menu, and then click Add/Remove Columns.
      2. In the Available columns list, click Last Name.
      3. Click the Add button.
      4. In the Displayed columns list, click Last Name, and then click Move Up two times.
      5. In the Displayed columns list, click Type, and then click Remove.
      6. Click OK.
      7. In the details pane, click the Last Name column header to sort alphabetically by last name.

    To add the Last Name column to the details pane in the Active Directory Administrative Center:
      1. In the details pane, right-click a column heading, and then click Select Columns.
      2. In the Available Columns list, click Last Name.
      3. Click the >> button.
      4. In the Selected columns list, click Last Name, and then click Move Up two times.
      5. In the Selected columns list, click Type, and then click