Exam 70-410 Objective 5.2 – Create and Manage AD Users and Computers


What’s up, fellow system admin?

It’s been a while since I blogged about this topic, as I was busy with a few things. Nevertheless, let’s continue from where we left off in the last article -- Exam 70-410 Objective 5.1 -- Install Domain Controllers.

By now we understand what an Active Directory Domain is, the terminology that is used, and the roles and functions of a Domain Controller.

Next up, we will look at the objects that can be part of the Domain, like Users and Computers.

In today’s objective, we will be looking at:

Create, Copy, Configure and Delete Users and Computers

Users and Computers are among the most important objects of an Active Directory Domain.

In this section, we will see the various ways available to create them.

Using Active Directory Users and Computers

To launch ADUC on your Domain Controller, go to Server Manager > Tools > Active Directory Users and Computers.

You can also go to Run and type dsa.msc to launch ADUC.

Right-click on any OU > New > User.


Provide the basic details like the First Name, Last Name, and the User logon name to create the user account.

Similarly, you can create a Computer account by right-clicking on an OU > New > Computer.


You just have to provide the computer name to add the object to the domain.

Using Active Directory Administrative Center

When using Windows Server 2003 and Windows Server 2008, administrators had only ADUC for managing objects in the AD domain.

From Windows Server 2008 R2 onwards, Microsoft introduced the Active Directory Administrative Center, which is another way of managing the Domain and is built entirely on PowerShell.

I really like this tool as it is very modern and has some really cool features.


As you can see, the design is very modern and it is a little more intuitive than the ADUC.

Similarly, you can create both Users and Computers using this tool.

Using dsadd

dsadd is a command-line utility available from Windows Server 2008. It is only available when the AD DS server role is installed.

For more information on dsadd, click here.

dsadd user OU=NewUsers... wait

This will create a user called AdilArif in the NewUsers OU with the above password.

By default, the user is created and disabled, hence we are providing the parameter as NO.

Similarly, you can create computer account as well.

dsadd computer CN=Server1,CN=NewComputers,DC=enterprisedaddy,DC=com

Using PowerShell

Microsoft has made it very easy to administer most of the services of Windows Server using PowerShell.

The cmdlet that you would use is New-ADuser

Here is an article that will show you how to add users using PowerShell.

Create Users in Active Directory using PowerShell

Configure Templates

In some cases, you are asked to create single user accounts, but they contain so many attributes, that it can be a time-consuming process.

We saw above that we can speed this up using various methods like dsadd.exe and New-ADUser cmdlet.

But there is another method in which you can create a user template.

A user template is a standard user account containing the most common attributes within the organization. You would usually start the name of the with the underscore.

Now if you have to create a user based on the template, you simply have  to right click on the template from ADUC and click on Copy.

Exam 70-410 Objective 5.2 - Create and Manage AD Users and Computers

Now you can enter the required information and enable the account.

Configure User Rights

To configure User Rights on a single machine, from Server Manager > Tools > Local Security Policies > User Rights management.

Exam 70-410 Objective 5.2 - Create and Manage AD Users and Computers

As mentioned before, the above mentioned is used for a single computer.

To configure for a whole of computers, we need to use Group Policy, which we will be discussing in the upcoming articles.

Automate the creation of AD Accounts

Some of the old ways of doing this are:

Using csvde.exe

A command line utility that can create new AD DS objects by importing from a CSV file.

The i parameter specifies import mode; without it, the default mode of CSVDE is export. The ‑f parameter identifies the file name to import from or export to. The ‑k parameter is useful during import operations because it instructs CSVDE to ignore errors.

The syntax is as below:

csvde.exe -i -f <filename.csv> [-k]

Using ldif.exe 

Like csvde.exe but with more functionality, LDIFDE is a utility that can import ADDS information and use it to add, delete or modify objects.

Exam 70-410 Objective 5.2 - Create and Manage AD Users and Computers

Using PowerShell

For computer accounts, you can use cmdlets like Get-ADComputer, New-ADComputer, and Remove-ADComputer.

For user accounts, you can use cmdlets like Get-ADUser, New-ADuser, and Remove-ADUser.

You can see how to automate the user account in the article that I had written before.

Create AD Users using PowerShell

Manage InActive and Disabled Accounts

For inactive accounts, the old way of doing it was to check the last logon date. This is when the user would have accessed the domain.

You can use PowerShell to achieve this.

Get-ADUser -Filter * -Properties lastLogonDate | Format-Table Name, lastLogonDate

Exam 70-410 Objective 5.2 - Create and Manage AD Users and Computers

To check disabled account, the old way is to check the account was enabled using the Get-ADuser cmdlet.

Get-ADUser -Filter {enabled -ne $true}

Exam 70-410 Objective 5.2 - Create and Manage AD Users and Computers

In the new OS, we have a new cmdlet to easily find inactive and disabled accounts.

Search-ADAccount -AccountDisabled

The above will list both the Users and Computer objects that are disabled within the domain.

Search-ADAccount -AccountDisabled -UsersOnly

Only Disabled user accounts will be displayed.

Similarly for Inactive accounts, you can check as below.

Search-ADAccount -AccountInActive

For Password related issues.

Search-ADAccoun t -PasswordExpired

Search-ADAccount -PasswordNeverExpires

Search-ADAccount -LockedOut

Perform Bulk AD Operations

As discussed in the above section, csvde.exe, ldif.exe, and PowerSehll were a few ways wherein one can automate the process of AD object creation, deletion and modification.

Offline Domain Join

During an offline domain join, a computer is configured to join a domain without contacting a domain controller.

This makes it easy to join the computers to the domain where there is no network connectivity.

I have written a complete guide on how to perform this procedure which you can find below.

Perform Offline Domain Join

Well, that completed the objectives for today. I hope that this has been informative and thank you for reading!


About Author

I am Adil Arif, working as a Senior Technical Support Engineer at Rubrik as well as an independent blogger and founder of Enterprise Daddy. In my current role, I am supporting infrastructure related to Windows and VMware datacenters.

Leave A Reply