Creating Objects in Active Directory

Active Directory is the Windows directory service, and its role is to maintain information about enterprise resources, including users, groups, and computers. Resources can be divided into Organizational Units (OUs) to facilitate manageability and visibility—that is, they can make it easier to find objects. In this lesson, you will learn how to create OUs, users, groups, and computers.

Select Start > Administrative Tools > Active Directory Users and Computers. Right-click the domain and select New > Organizational Unit. Assign a descriptive name.

The Windows Server 2008 administrative tools add a new option: Protect Container From Accidental Deletion. This option adds a safety switch to the OU so that it cannot be accidentally deleted. Two permissions are added to the OU:

and Everyone::Deny::Delete Subtree.
No user, not even an administrator, will be able to delete the OU and its contents accidentally. It is highly recommended that you enable this protection for all new OUs.

Click OK.

The Managers OU has been created. OUs can contain other OUs; to create a sub-OU, right-click the OU.

Select New > Organizational Unit. Assign a descriptive name, and then click OK. The Sales Managers OU has been created.


Right-click the container and select New > User. Fill in the user's details and click Next. Assign a temporary password and ensure User must change password at next logon is selected. Then click Next. Click Finish. User Geoff Prior has been created.


There are three group scopes in Active Directory: Universal, Global, and Domain Local.

There are two main functions of groups in Active Directory:

Gathering together objects for ease of administration.
Assigning permissions to objects or resources within the Directory.

Group Scopes will be covered in detail later in the course.

There are two types of groups in Active Directory: Security and Distribution.

Security groups are used for assigning permissions and are the most commonly used.

Distribution groups are used solely for grouping users together for administrative purposes, for example e-mail and messaging. You cannot assign permissions to distribution groups.

Right-click the container and select New > Group. Assign a descriptive name, a group scope, and a group type. Click OK to create the group. The Store Managers group has been created.


Right-click the container and select New > Computer. Assign a computer name. Specify the user or group that has permission to join the computer to the domain; the default is Domain Admins.

Do not select the check box labeled Assign This Computer Account As A Pre-Windows 2000 Computer unless the account is for a computer running Microsoft Windows NT 4.0.

Click Next.

The This is a managed computer option will be discussed later in the course; leave it unchecked.

Click Next. Click Finish. The computer object has been created.
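
The same steps scripted in PowerShell, as an added example that is not part of the original lesson. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), a placeholder domain DC=example,DC=com, a hypothetical logon name gprior and computer name PC-001, and that the user, group and computer all go in the Sales Managers OU; the last command lists any OU that lacks the accidental-deletion protection.

```powershell
# Added example, not from the original lesson.
# Requires the ActiveDirectory module and rights to create objects in the domain.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # stop at the first failed step

# Assumption: placeholder domain; replace with your own distinguished name.
$domainDN = 'DC=example,DC=com'
$managers = "OU=Managers,$domainDN"
$salesOU  = "OU=Sales Managers,$managers"

# Create the OU and the sub-OU with Protect Container From Accidental Deletion set.
New-ADOrganizationalUnit -Name 'Managers' -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Sales Managers' -Path $managers `
    -ProtectedFromAccidentalDeletion $true

# Create the user with a temporary password that must be changed at next logon.
# The password is prompted for so it never appears in the script or its history.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for Geoff Prior'
New-ADUser -Name 'Geoff Prior' -GivenName 'Geoff' -Surname 'Prior' `
    -SamAccountName 'gprior' -Path $salesOU `
    -AccountPassword $tempPassword -ChangePasswordAtLogon $true -Enabled $true

# Create the group. Assumption: Global scope and Security type; the lesson
# does not say which scope and type were chosen for Store Managers.
New-ADGroup -Name 'Store Managers' -GroupScope Global -GroupCategory Security `
    -Path $salesOU

# Create the computer object. Assumption: hypothetical computer name.
New-ADComputer -Name 'PC-001' -Path $salesOU

# Audit: report every OU under the domain that is NOT protected from
# accidental deletion, so the protection can be enabled on it.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```

An empty result from the final command means every OU in the domain has the protection enabled.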