Finding Objects in Active Directory

You have learned how to create objects in Active Directory, but what good is information in a directory service if you can’t get it out of the directory as well?


You will need to locate objects in Active Directory on many occasions:

Granting permissions: When you configure permissions for a file or folder, you must select the group (or user) to which permissions should be assigned.

Adding members to groups: A group’s membership can consist of users, computers, groups, or any combination of the three. When you add an object as a member of a group, you must select the object.

Creating links: Linked properties are properties of one object that refer to another object. Group membership is, in fact, a linked property. Other linked properties, such as the Managed By attribute, are also links. When you specify the Managed By name, you must select the appropriate user or group.

Looking up an object: You can search for any object in your Active Directory domain.

There are many other situations that will entail searching Active Directory, and you will encounter several user interfaces. In this section, you’ll learn some techniques for working with each.

The details pane of the Active Directory Users and Computers snap-in can be customized to help you work effectively with the objects in your directory. Use the Add/Remove Columns command on the View menu to add columns to the details pane.

Select View and then Add/Remove Columns. Highlight an Available Column and select Add. Click OK after adding all necessary columns. The details pane now displays the new columns.

Windows Server 2003 introduced the Saved Queries node of the Active Directory Users and Computers snap-in.
This powerful function enables you to create rule-driven views of your domain, displaying objects across one or more OUs.
In this tutorial we will create a Saved Query that will display all computers within the domain. To create a saved query:

Right-click Saved Queries and select New > Query. Type in a name; the description is optional. The query root is the entire domain by default; use the Browse button to narrow the scope of the query. Select Define Query. Select Computers from the Find drop-down list, then click OK. Click OK again to save the query.

The query has run and the results are displayed in the details pane. The list of computers has been drawn from the entire domain. You can have saved queries for many object types within Active Directory, which lets you quickly search for computers, users, printers, and so on.

After your query is created, it is saved with the Active Directory Users And Computers console (dsa.msc), so it will be available the next time you open the console.

When you add a member to a group, assign a permission, or create a linked property, you are presented with the Select Users, Contacts, Computers, Or Groups dialog box. This dialog box is referred to as the Select dialog box.
If you’d like to see an example, open the properties of a group object, click the Members tab, and then click the Add button.

Select the Members tab. Click Add. Type in part or all of the user’s name and select Check Names. Click OK to add the user. The user has now been added to the group; click OK to complete.

Windows provides command-line utilities that perform functionality similar to that of user interface tools such as the Active Directory Users and Computers snap-in. Many of those commands begin with the letters DS, so they are often referred to as the DS commands. Dsquery can locate objects in Active Directory. Dsquery, like other DS commands, is well documented: type dsquery /? to learn its syntax and usage. For example, the command dsquery user -name geoff* searches Active Directory for all users whose name matches geoff*. The output shows one user that meets the search criteria.

Understanding DNs, RDNs, and CNs

Distinguished names (DNs) are a kind of path to an object in Active Directory. Each object in Active Directory has a completely unique DN. Our user, Geoff Prior, has the DN CN=Geoff Prior,OU=Managers,DC=es-net,DC=co,DC=uk.

The DN is a path starting at the object and working up to the top-level domain in the es-net.co.uk DNS namespace. CN stands for common name, and when you create a user, the Full Name box is used to create the CN of the user object. OU means organizational unit. And DC means domain component.

The portion of the DN prior to the first OU or container is called the relative distinguished name, or RDN. In the case of Geoff Prior, the RDN of the object is CN=Geoff Prior. Not every RDN is a CN. The DN of the Managers OU is OU=Managers,DC=es-net,DC=co,DC=uk. The RDN of the Managers OU is, therefore, OU=Managers.

Because the DN of an object must be unique within the directory service, the RDN of an object must be unique within its container. So if you hired a second user named Geoff Prior, and both user objects were in the same OU, you would have to give the second user a different CN. The same logic applies to files in a folder: you cannot have two files with identical names in a single folder.

You will encounter DNs regularly as you work with Active Directory, just as you encounter file paths regularly if you work with files and folders. It’s very important to be able to read and interpret them.
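The DN, RDN and uniqueness rules above can be worked through in code. The following Python script is an added example written for this lesson; it is not part of the original page and uses no Windows or Active Directory API, only the string rules for DNs from RFC 4514. It splits a DN into its components while honouring escaping (an escaped comma inside a CN, such as CN=Prior\, Geoff, or the hex form \2C, must not end the RDN), returns the RDN and the parent container, and checks a list of DNs for the kind of RDN collision described above. The DNs for Geoff Prior and the Managers OU come from the lesson; the Sales OU and the second, lower-case "geoff prior" entry are constructed for the demonstration.

```python
"""Parse and compare Active Directory DNs (added example; not from the original page)."""
from collections import defaultdict

# Characters that RFC 4514 requires to be backslash-escaped inside a value.
_SPECIAL = set(',+"\\<>;=')
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Split a DN into ordered (attribute, value) pairs, leftmost RDN first.

    A backslash escapes the next character or starts a hex pair (\\2C is a comma),
    so an escaped comma inside a CN does not end the RDN.  Unescaped whitespace
    after a comma is ignored; multi-valued RDNs joined with '+' are out of scope.
    """
    parts, buf, attr, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # hex escape, e.g. \2C -> ','
                i += 3
                continue
            if i + 1 >= len(dn):
                raise ValueError("DN ends with a dangling backslash")
            buf.append(dn[i + 1])  # literal escaped character such as \,
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            if not attr:
                raise ValueError(f"empty attribute type at offset {i}")
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' at offset {i}")
            parts.append((attr, "".join(buf)))
            attr, buf = None, []
        elif ch == " " and not buf:
            pass  # drop unescaped leading whitespace of an attribute or value
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("DN does not end with a complete RDN")
    parts.append((attr, "".join(buf)))
    return parts

def escape_value(value):
    """Escape a value so it can be placed back into a DN string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out and out[0] in " #":  # a leading space or '#' must be escaped too
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # and so must a trailing space
        out = out[:-1] + "\\ "
    return out

def format_dn(parts):
    return ",".join(f"{a}={escape_value(v)}" for a, v in parts)

def rdn(dn):
    """The relative distinguished name: the leftmost component of the DN."""
    return format_dn(parse_dn(dn)[:1])

def parent_dn(dn):
    """The DN of the container holding the object (everything after the RDN)."""
    return format_dn(parse_dn(dn)[1:])

def canonical(parts):
    """Comparison form of parsed components: AD matches names case-insensitively."""
    return ",".join(f"{a.lower()}={escape_value(v).lower()}" for a, v in parts)

def is_valid_dn(dn):
    try:
        parse_dn(dn)
    except ValueError:
        return False
    return True

def find_rdn_collisions(dns):
    """Sorted (parent, rdn) pairs that occur more than once in `dns`: names that
    could not coexist, because an RDN must be unique within its container."""
    seen = defaultdict(int)
    for dn in dns:
        parts = parse_dn(dn)
        seen[(canonical(parts[1:]), canonical(parts[:1]))] += 1
    return sorted(key for key, count in seen.items() if count > 1)

if __name__ == "__main__":
    geoff = "CN=Geoff Prior,OU=Managers,DC=es-net,DC=co,DC=uk"  # DN from the lesson
    print("RDN:", rdn(geoff), "| parent:", parent_dn(geoff))
    print("Escaped comma:", parse_dn("CN=Prior\\, Geoff,OU=Managers,DC=es-net,DC=co,DC=uk")[0])
    print("Collisions:", find_rdn_collisions([geoff,
        "cn=geoff prior,ou=managers,dc=es-net,dc=co,dc=uk",  # constructed duplicate
        "CN=Geoff Prior,OU=Sales,DC=es-net,DC=co,DC=uk"]))   # constructed, other OU
```

Running the script prints the RDN CN=Geoff Prior and the parent OU=Managers,DC=es-net,DC=co,DC=uk, shows that an escaped comma stays inside the CN value, and reports the Managers OU entry as the one name that could not be reused; the Sales OU copy is not a collision because it sits in a different container. Comparing through canonical() rather than raw strings matters because Active Directory treats CN=Geoff Prior and cn=geoff prior as the same name.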