Organizational units (OUs) are the usual way to classify AD users. Before getting started, we introduce the concept of the Organizational Unit (OU).
Organizational Unit: an OU is an Active Directory container in which users, groups, computers and other OUs can be placed. An OU cannot contain objects from other domains. The OU is the smallest scope to which you can link Group Policy settings or delegate administrative authority. OUs let you build a container hierarchy inside the domain that mirrors the logical structure of the organization, so that the configuration and use of accounts and resources can be managed according to the organizational model.
Note: an OU is not a security principal. It cannot be placed in an ACL to grant permissions on resources (use groups for that); an OU only scopes Group Policy and delegated administration over the objects inside it.
Alongside OUs, a number of default containers are created when AD DS is installed. In Active Directory Users and Computers the two are drawn with different icons: an OU has its own icon, while a default container such as Users or Computers shows the plain folder icon. [Figures in the original: the OU icon and the default container icon.] By default a Group Policy Object cannot be linked to a default container; it can only be linked to an OU (or to the domain and to sites). This is why OUs are the recommended place to manage user and computer accounts, and why you should not leave user and computer accounts in the default Users and Computers containers.
I. OU design and delegate control
1. Create OU based on different account types.
2. Under the user-account OU you can create a child OU for each department. This makes it easier to apply Group Policy later, because different departments may need different policies.
3. OU delegation of control.
Delegation of control on an OU is common in enterprises. For example, it would be inappropriate to make a department manager, or the Helpdesk, a domain administrator just so they can maintain the accounts of their own department: that grants far too much permission. Delegation of control on the OU solves this. The delegated account can be an ordinary Domain User who manages the accounts in that OU with the Remote Server Administration Tools (RSAT). Delegate only on OUs that hold ordinary accounts: a right such as Reset Password over an OU that also contains administrative accounts lets the delegate take over those accounts.
RSAT for Windows 7 SP1: http://www.microsoft.com/zh-cn/download/details.aspx?id=7887
RSAT for Windows 8: http://www.microsoft.com/zh-cn/download/details.aspx?id=28972
To remove a delegation, enable View > Advanced Features in Active Directory Users and Computers, right-click the OU whose delegation you want to remove, select Properties, and remove the delegated user's entries on the Security tab. The Delegation of Control wizard only adds access control entries to the OU and keeps no record of its own, so the Security tab (or the ACL read by a script) is the only place where the delegation can be seen and revoked.
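Reviewing and revoking a delegation is easier from a script than from the Security tab, because the wizard leaves nothing but access control entries behind. The following PowerShell is an added example (it is not from the original post). It assumes the ActiveDirectory module from RSAT is installed, which provides the AD: drive that Get-Acl and Set-Acl use; the OU DN and the account LAB\helpdesk-it are placeholders. The script resolves the GUIDs in each ACE against the schema and the Extended-Rights container so the report reads "User-Force-Change-Password on user objects" rather than raw GUIDs, and it lists only explicit (non-inherited) entries, since those are what the wizard writes.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed; the OU DN and account name below are placeholders.
Import-Module ActiveDirectory

# Build a GUID -> name map from the schema (classes and attributes) and from the
# Extended-Rights container (control access rights such as Reset Password).
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.name }
    return $map
}

# List the explicit (non-inherited) ACEs on an OU. The Delegation of Control
# wizard writes explicit ACEs, so this is exactly what it granted.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn)
    $guidMap = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Principal   = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $guidMap[$ace.ObjectType.ToString()]          # right, attribute or property set
            AppliesTo   = $guidMap[$ace.InheritedObjectType.ToString()] # object class the ACE applies to
            Inheritance = $ace.InheritanceType
        }
    }
}

# Revoke every explicit ACE a principal holds on the OU. Inherited ACEs cannot be
# removed here; they have to be changed on the parent where they are defined.
function Remove-OuDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'LAB\helpdesk-it' (placeholder)
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal })
    if ($toRemove.Count -eq 0) { Write-Warning "No explicit ACEs for $Principal on $OuDn"; return }
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    if ($PSCmdlet.ShouldProcess($OuDn, "remove $($toRemove.Count) ACE(s) for $Principal")) {
        Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    }
}

# Usage with placeholder values: review first, then revoke with -WhatIf before doing it for real.
$ou = 'OU=IT,OU=Users,OU=long,DC=lab,DC=com'
Get-OuDelegation -OuDn $ou | Format-Table -AutoSize
Remove-OuDelegation -OuDn $ou -Principal 'LAB\helpdesk-it' -WhatIf
```

Run Get-OuDelegation periodically against every OU on which control has been delegated: a Reset Password or Write member entry that nobody remembers granting is a privilege escalation path, and the Security tab does not show who added it or when.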
II. User Management
Use CSVDE to import users
The command-line tool CSVDE imports (and exports) AD objects in batches from and to CSV files.
Basic syntax of the CSVDE command:
csvde -i -f c:\filename.csv -k
Run csvde /? to see all parameters.
-i selects import mode; without it csvde runs in its default export mode. -f specifies the path and file name to import from or export to. -k makes csvde continue past errors such as "Object Already Exists" and "Constraint Violation" instead of stopping at the first failed record.
First, enter the user information in an Excel sheet and save it as a .csv file. The first row holds the LDAP attribute names (csvde requires at least DN and objectClass; typically you also supply sAMAccountName, userPrincipalName, givenName, sn and displayName), and each following row is one user.
Run csvde -i -f D:\users.csv -k at the command prompt; the output shows that the import succeeded.
CSVDE cannot import passwords, so the imported accounts are created disabled. To give all of them an initial password, force a password change at first logon and enable them in one step, run:
dsquery user "ou=users,ou=long,dc=lab,dc=com" | dsmod user -pwd P@ssw0rd -mustchpwd yes -disabled no
Note that this gives every new account the same initial password. It is visible to anyone who can read the command history or the process-creation audit log (event 4688 when command-line logging is enabled), and anyone who knows it can log on as a new user before that user does. Prefer a unique initial password per account, handed over out of band.
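The three CSVDE steps above (build the CSV, import it, enable the accounts with dsmod) as one runnable PowerShell script. This is an added example, not code from the original post: the OU, UPN suffix and the two sample users are constructed placeholders. The script supplies the CSV layout csvde expects, checks the exit code of each tool, and reads the initial password from the console instead of hard-coding it in the script; dsmod still receives it in clear text on its command line, which the comment points out.

```powershell
# Added example, not code from the original post. Builds the CSV that csvde
# expects, imports it, then enables the accounts with dsmod. The OU, domain and
# user data are constructed placeholders.
$csvPath   = 'D:\users.csv'
$targetOu  = 'OU=IT,OU=Users,OU=long,DC=lab,DC=com'
$upnSuffix = 'lab.com'

# Constructed sample data (not real people).
$people = @(
    [pscustomobject]@{ GivenName = 'Ray'; Surname = 'Wang'; Sam = 'ray.wang' }
    [pscustomobject]@{ GivenName = 'Mei'; Surname = 'Li';   Sam = 'mei.li'   }
)

# csvde needs at least DN and objectClass; the header row carries the LDAP
# attribute names and each following row is one user.
$rows = foreach ($p in $people) {
    $cn = "$($p.GivenName) $($p.Surname)"
    [pscustomobject]@{
        DN                = "CN=$cn,$targetOu"
        objectClass       = 'user'
        sAMAccountName    = $p.Sam
        userPrincipalName = "$($p.Sam)@$upnSuffix"
        givenName         = $p.GivenName
        sn                = $p.Surname
        displayName       = $cn
    }
}
# ASCII matches csvde's default (non-Unicode) parser; for non-ASCII names use
# -Encoding Unicode here and add -u to the csvde call.
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# -i import, -f file, -k keep going past "already exists" / constraint errors
csvde -i -f $csvPath -k
if ($LASTEXITCODE -ne 0) { throw "csvde failed with exit code $LASTEXITCODE" }

# csvde cannot set passwords, so the new accounts are disabled. Prompt for the
# initial password rather than hard-coding it; dsmod still needs it in clear
# text, so it is visible in the process command line while dsmod runs.
$secure  = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString
$initial = (New-Object System.Net.NetworkCredential('', $secure)).Password

# dsquery prints one quoted DN per line; dsmod reads the DNs from the pipeline.
dsquery user $targetOu -limit 0 | dsmod user -pwd $initial -mustchpwd yes -disabled no
if ($LASTEXITCODE -ne 0) { throw "dsmod failed with exit code $LASTEXITCODE" }

# Should print nothing: -disabled lists the accounts that are still disabled.
dsquery user $targetOu -limit 0 -disabled
```

Because dsmod sets one password per invocation, every account created this way shares the same initial password until its owner changes it at first logon; that is a limitation of the dsquery/dsmod approach, not of the script.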
CSVDE can also export user information; this is not demonstrated here, try it yourself if you are interested. Exporting is easier with PowerShell than with CSVDE.
Use LDIFDE to import users
The ldifde.exe tool can also import AD objects. Its input file format is LDIF, saved with the .ldf extension. Like csvde, ldifde cannot import user passwords, but unlike csvde it can modify the attributes of existing objects.
Basic syntax of the LDIFDE command:
ldifde -i -f c:\filename.ldf
For the full parameter list, run ldifde /?.
LDIF file format:
dn: CN=RayWang,OU=long,DC=lab,DC=com
changetype: add
objectClass: user
sAMAccountName: ray.wang
userPrincipalName: ray.wang@lab.com
givenName: Ray
sn: Wang
Save the above as a .ldf file and import it with ldifde -i; this is not demonstrated here.
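The text says ldifde can modify existing objects but only shows an add. The following PowerShell is an added example, not code from the original post: it writes an LDIF "modify" entry for the user created above, imports it with ldifde, and then exports the users under the OU with ldifde to confirm the change. The DN, attribute values and file paths are placeholders.

```powershell
# Added example, not code from the original post. Demonstrates an LDIF modify
# (changetype: modify) and an LDIF export with ldifde. DNs, attribute values and
# paths are placeholders.
$ldfPath = 'D:\modify.ldf'
$userDn  = 'CN=RayWang,OU=long,DC=lab,DC=com'

# changetype: modify changes attributes on an existing object, which csvde cannot
# do. Each attribute change is one "replace:/add:/delete:" block closed by a line
# holding only "-", and the entry ends with a blank line.
$ldif = @"
dn: $userDn
changetype: modify
replace: description
description: IT department account (imported via LDIF)
-
replace: department
department: IT
-

"@
# ASCII is what ldifde expects by default; use -Encoding Unicode here and
# ldifde -u for non-ASCII values.
Set-Content -Path $ldfPath -Value $ldif -Encoding Ascii

# -i import, -f file, -k skip "already exists" / constraint errors, -j log directory
ldifde -i -f $ldfPath -k -j D:\
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Export the users under the OU, limited to a few attributes, to confirm the change:
# -d search base, -r LDAP filter, -p scope, -l comma-separated attribute list.
ldifde -f D:\export.ldf -d 'OU=long,DC=lab,DC=com' -r '(objectClass=user)' -p subtree `
       -l 'sAMAccountName,description,department'
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }
Get-Content D:\export.ldf
```

The exported .ldf can be edited and fed back with ldifde -i, which is the classic way to bulk-change an attribute across an OU before PowerShell made Set-ADUser the simpler option.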
Use PowerShell to import and export users
I. Import users
PowerShell manages AD objects far more flexibly than csvde and ldifde, and it can set a user's password at creation time.
To create an AD user using Powershell, you can use New-ADUser. The syntax is as follows:
New-ADUser [-Name] <string> [-WhatIf] [-Confirm] [-AccountExpirationDate <datetime>] [-AccountNotDelegated <bool>]
[-AccountPassword <securestring>] [-AllowReversiblePasswordEncryption <bool>] [-AuthType <ADAuthType> {Negotiate | Basic}]
[-CannotChangePassword <bool>] [-Certificates <X509Certificate[]>] [-ChangePasswordAtLogon <bool>] [-City <string>]
[-Company <string>] [-CompoundIdentitySupported <bool>] [-Country <string>] [-Credential <pscredential>]
[-Department <string>] [-Description <string>] [-DisplayName <string>] [-Division <string>] [-EmailAddress <string>]
[-EmployeeID <string>] [-EmployeeNumber <string>] [-Enabled <bool>] [-Fax <string>] [-GivenName <string>]
[-HomeDirectory <string>] [-HomeDrive <string>] [-HomePage <string>] [-HomePhone <string>] [-Initials <string>]
[-Instance <ADUser>] [-KerberosEncryptionType <ADKerberosEncryptionType> {None | DES | RC4 | AES128 | AES256}]
[-LogonWorkstations <string>] [-Manager <ADUser>] [-MobilePhone <string>] [-Office <string>] [-OfficePhone <string>]
[-Organization <string>] [-OtherAttributes <hashtable>] [-OtherName <string>] [-PassThru] [-PasswordNeverExpires <bool>]
[-PasswordNotRequired <bool>] [-Path <string>] [-POBox <string>] [-PostalCode <string>]
[-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>] [-ProfilePath <string>] [-SamAccountName <string>]
[-ScriptPath <string>] [-Server <string>] [-ServicePrincipalNames <string[]>] [-SmartcardLogonRequired <bool>]
[-State <string>] [-StreetAddress <string>] [-Surname <string>] [-Title <string>] [-TrustedForDelegation <bool>]
[-Type <string>] [-UserPrincipalName <string>] [<CommonParameters>]
Example of creating a single user. Note the format of the password argument (highlighted in red in the original): New-ADUser expects a SecureString, so the plaintext is wrapped with ConvertTo-SecureString. -AsPlainText -Force only wraps the string; the password still sits in clear text in the script and in the console history, so in scripts prefer Read-Host -AsSecureString or a generated password.
New-ADUser -Name "RayWang" -SamAccountName ray.wang -UserPrincipalName ray.wang@lab.com -GivenName Ray -Surname Wang -DisplayName "RayWang" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -ChangePasswordAtLogon $true -Path "ou=it,ou=long,dc=lab,dc=com" -Enabled $true
Note: to set further attributes, use the parameters listed in the syntax above. On Windows Server 2008 R2 the Active Directory module must be loaded first with Import-Module ActiveDirectory; Windows Server 2012 loads it automatically the first time one of its cmdlets is used.
The following describes how to create users in batches using powershell.
1. First create the user information table in .csv format. The columns used below are name, samaccountname, userprincipalname, givenname, surname, displayname and path (the DN of the OU the user is created in).
2. Use PowerShell to import the user information from the CSV:
Import-Csv d:\adduser.csv | ForEach-Object { New-ADUser -Name $_.name -SamAccountName $_.samaccountname -UserPrincipalName $_.userprincipalname -GivenName $_.givenname -Surname $_.surname -DisplayName $_.displayname -Path $_.path -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true }
3. The users have now been created in both the IT and HR OUs.
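The one-liner above works, but it gives every account the same initial password, fails every row if an OU DN is mistyped, and errors on accounts that already exist. The following PowerShell is an added example, not code from the original post: a hardened version of the same batch import that generates a cryptographically random initial password per account, validates each target OU once, skips duplicates, reports the outcome per user, and supports -WhatIf. It assumes the ActiveDirectory module is installed and a CSV with the same columns the post uses (name, samaccountname, userprincipalname, givenname, surname, displayname, path); the file path is a placeholder.

```powershell
# Added example, not code from the original post. Hardened batch import: one
# random initial password per account, OU validation, duplicate check, -WhatIf.
# Assumes the ActiveDirectory module; the CSV path is a placeholder.
Import-Module ActiveDirectory

# Cryptographically random initial password. Rejection sampling keeps every
# character equally likely; ambiguous glyphs (0/O, 1/l/I) are left out.
function New-InitialPassword {
    param([int]$Length = 16)
    $chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($chars[$byte[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Import-AdUsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $ouCache = @{}   # OU DN -> exists?  One lookup per distinct OU, not per user.
    foreach ($row in Import-Csv -Path $Path) {
        if (-not $ouCache.ContainsKey($row.path)) {
            try   { $null = Get-ADOrganizationalUnit -Identity $row.path -ErrorAction Stop; $ouCache[$row.path] = $true }
            catch { $ouCache[$row.path] = $false }
        }
        if (-not $ouCache[$row.path]) {
            [pscustomobject]@{ User = $row.samaccountname; InitialPassword = $null; Status = "Skipped: OU not found ($($row.path))" }
            continue
        }
        # -Filter returns nothing (no error) when the account does not exist.
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.samaccountname)'") {
            [pscustomobject]@{ User = $row.samaccountname; InitialPassword = $null; Status = 'Skipped: already exists' }
            continue
        }

        $initial = New-InitialPassword
        $params = @{
            Name                  = $row.name
            SamAccountName        = $row.samaccountname
            UserPrincipalName     = $row.userprincipalname
            GivenName             = $row.givenname
            Surname               = $row.surname
            DisplayName           = $row.displayname
            Path                  = $row.path
            AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
            ChangePasswordAtLogon = $true
            Enabled               = $true
        }
        if ($PSCmdlet.ShouldProcess($row.userprincipalname, "create in $($row.path)")) {
            try {
                New-ADUser @params -ErrorAction Stop
                # The initial password is returned once so it can be handed over out of
                # band; do not redirect this output into a log file or a file share.
                [pscustomobject]@{ User = $row.samaccountname; InitialPassword = $initial; Status = 'Created' }
            } catch {
                [pscustomobject]@{ User = $row.samaccountname; InitialPassword = $null; Status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Dry run first, then the real import (placeholder path).
Import-AdUsersFromCsv -Path 'D:\adduser.csv' -WhatIf
Import-AdUsersFromCsv -Path 'D:\adduser.csv' | Format-Table -AutoSize
```

New-ADUser enforces the domain password policy, so a generated password that happens to miss a required character class is reported under Status as a failure for that row rather than aborting the whole import.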
II. Export user information
PowerShell can also read account information such as the last logon time, the time of the last password change and the logon workstations.
The Get-ADUser cmdlet queries AD user information.
Example: export the name, last password change, logon workstations and last logon date of the users in a given OU:
Get-ADUser -Filter * -Properties PasswordLastSet, LogonWorkstations, LastLogonDate -SearchBase "ou=it,ou=users,ou=long,dc=lab,dc=com" | Select-Object Name, PasswordLastSet, LogonWorkstations, LastLogonDate | Export-Csv -NoTypeInformation -Encoding UTF8 -Path "d:\userinfo.csv"
Requesting only the attributes you need, instead of -Properties *, avoids pulling every attribute of every user across the network. Note that LastLogonDate is derived from lastLogonTimestamp, which is replicated between domain controllers but only updated when the stored value is more than about 9 to 14 days old; it is suitable for finding stale accounts, not for pinpointing the most recent logon. The lastLogon attribute is exact but is held per domain controller and never replicated.
The fields are blank because these users have not logged on yet and have not changed their passwords.
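The export above becomes useful once you read the blank and old values as findings. The following PowerShell is an added example, not code from the original post: it queries the same attributes for an OU and flags enabled accounts that have never logged on, have not logged on for a configurable number of days, carry a password older than the maximum age, or have the password set to never expire. The OU DN, thresholds and output path are placeholders.

```powershell
# Added example, not code from the original post. Account hygiene report built
# on the same attributes the export above uses. OU DN, thresholds and output
# path are placeholders.
Import-Module ActiveDirectory

function Get-UserHygieneReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$StaleDays = 90,          # no logon for this long counts as stale
        [int]$MaxPasswordAgeDays = 90
    )
    $now = Get-Date
    # Ask for the handful of attributes we need rather than -Properties *.
    $props = 'PasswordLastSet', 'LastLogonDate', 'PasswordNeverExpires', 'Enabled', 'WhenCreated', 'LogonWorkstations'
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $findings = @()
        if ($_.Enabled) {
            if (-not $_.LastLogonDate) {
                # LastLogonDate comes from lastLogonTimestamp, which replicates but is only
                # refreshed when older than roughly 9 to 14 days, so a logon in the last two
                # weeks may not be visible yet. Only flag accounts old enough for that to matter.
                if (($now - $_.WhenCreated).TotalDays -gt $StaleDays) { $findings += 'never logged on' }
            } elseif (($now - $_.LastLogonDate).TotalDays -gt $StaleDays) {
                $findings += "no logon for $StaleDays+ days"
            }
            if (-not $_.PasswordLastSet) {
                # PasswordLastSet is empty when pwdLastSet is 0, i.e. change at next logon.
                $findings += 'password must be set at next logon'
            } elseif (($now - $_.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
                $findings += "password older than $MaxPasswordAgeDays days"
            }
            if ($_.PasswordNeverExpires) { $findings += 'password never expires' }
        }
        [pscustomobject]@{
            Name                 = $_.Name
            Enabled              = $_.Enabled
            PasswordLastSet      = $_.PasswordLastSet
            LastLogonDate        = $_.LastLogonDate
            LogonWorkstations    = $_.LogonWorkstations
            PasswordNeverExpires = $_.PasswordNeverExpires
            Findings             = ($findings -join '; ')
        }
    }
}

# Placeholders: OU from the post's layout; report written next to the export.
$report = Get-UserHygieneReport -SearchBase 'OU=IT,OU=Users,OU=long,DC=lab,DC=com'
$report | Where-Object Findings | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Encoding UTF8 -Path 'D:\userhygiene.csv'
```

For the freshly imported users in this article the report shows "never logged on" only once the accounts are older than the stale threshold, and "password must be set at next logon" immediately, which is the expected state after ChangePasswordAtLogon $true.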
This completes the creation and management of AD users. Compared with csvde and ldifde, PowerShell greatly simplifies day-to-day operations and offers far more functionality. We recommend learning some basic PowerShell commands as part of everyday practice.
This article is from the "crayon mavericks" (labixiaoniu) blog; please keep this source when reproducing it: http://labixiaoniu.blog.51cto.com/695063/1259605