Managing OUs, Groups, and Users in ADAM

Applies To: Windows Server 2003 R2

ADAM is used most often to store information about users and the organizations and other groups they belong to. In these exercises, you create an organizational unit (OU) called “ADAM users” in the o=Microsoft,c=US application directory partition, add a group in ADAM called “ADAM testers,” and create an ADAM user named Mary Baker with one of the user object classes that you imported earlier. Using ADAM ADSI Edit, you:

  • Step 1: Create an OU.

  • Step 2: Create a group in the new OU.

  • Step 3: Create an ADAM user.

  • Step 4: Add an ADAM user to the ADAM users group.

In addition, you learn how to enable and disable ADAM user accounts.

Step 1: Create an OU

In this exercise, you create an OU.

To create an OU

  1. If it is not open already, open ADAM ADSI Edit, and then connect to the o=Microsoft,c=US application directory partition, as described in the procedure “To bind to, view, and browse an ADAM instance using ADAM ADSI Edit” in Using the ADAM Administration Tools.

  2. In the console tree, right-click O=Microsoft,c=US, point to New, and then click Object. The Create Object dialog box looks like the following:

    ADAM create OU

  3. In the Select a class list, click organizationalUnit, and then click Next.

  4. In Value, type ADAM users, and then click Next.

  5. On the next page, you can click More attributes to edit additional attributes on the object that you are creating. For this exercise, simply click Finish.

  6. In the console tree, double-click O=Microsoft,c=US. The ADAM ADSI Edit snap-in looks like the following:

    ADAM, viewing OU

Step 2: Create a group

In this exercise, you create a group in the OU.

To create a group in an OU

  1. In the console tree, right-click OU=ADAM Users, point to New, and then click Object.

  2. In Select a class, click group, and then click Next.

  3. In Value, type ADAM testers, and then click Next.

  4. In Value, type 2147483650 (equivalent to 0x80000002 hexadecimal, which signifies an account group), click Next, and then click Finish.

    Note

    For more information about the groupType attribute, see "Group-Type" on the Microsoft Web site (https://go.microsoft.com/fwlink?linkid=51093).

    The ADAM ADSI Edit snap-in looks like the following:

    ADAM, creating a group

Step 3: Create an ADAM user

In this exercise, you create an ADAM user in the ADAM Users OU, and then you add the user to the ADAM Testers group.

Note

The new user account is disabled by default because it has no associated password.

To create an ADAM user

  1. If it is not already open, open ADAM ADSI Edit.

  2. Connect and bind to your ADAM instance, as described in the procedure “To bind to, view, and browse an ADAM instance using ADAM ADSI Edit” in Using the ADAM Administration Tools. Then, in the console tree, double-click the ADAM instance.

  3. Double-click the O=Microsoft,c=US application directory partition.

  4. Right-click the OU=ADAM Users container that you created previously, point to New, and then click Object.

  5. In Select a class, click user, and then click Next.

    Note

    If you did not close ADAM ADSI Edit before importing the Adamuser.ldf user class object definitions, you may receive the following warning message during this step: “An invalid directory pathname was passed.”

  6. In Value, type Mary Baker as the common name (cn) for the new user, as shown below, and then click Next.

    ADAM, creating a user

  7. Click Finish. The ADAM ADSI Edit snap-in looks like the following:

    ADAM ADSI Edit, viewing a user

Step 4: Add a user to a group

You can add both ADAM users and Windows users to ADAM groups, as described in this exercise. First, you add Mary Baker, the user that you just created, to the ADAM testers group.

To add a user to a group

  1. In the details pane of ADAM ADSI Edit, right-click CN=ADAM testers, and then click Properties. The CN=ADAM testers Properties dialog box looks like the following:

    ADAM, editing group membership

  2. In Attributes, click Member, and then click Edit.

  3. Click Add ADAM Account, type the following as the distinguished name, and then click OK:

    CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US

    The Multi-valued Distinguished Name with Security Principal Editor dialog box looks like the following:

    ADAM ADSI Edit security principal editor

  4. You can also add Windows users to an ADAM group. In the Multi-valued Distinguished Name With Security Principal Editor dialog box, click Add Windows Account. The Select Users, Computers, or Groups dialog box looks like the following:

    ADAM ADSI Edit Select Users or Groups

  5. In the Select Users, Computers, or Groups dialog box, add a Windows user from your computer or domain to the ADAM testers group. In Enter the object names to select (examples), type an account name using the computer\account or domain\account format.

  6. Click OK. The new user name appears in the Multi-valued Distinguished Name With Security Principal Editor dialog box as a member of the group.

  7. Click OK twice to return to ADAM ADSI Edit.

Disabling and Enabling ADAM User Accounts

You can disable and enable ADAM user accounts by using the ADAM ADSI Edit snap-in. In this exercise, you disable the Mary Baker account and then enable it again.

To enable or disable an ADAM user account

  1. In ADAM ADSI Edit, connect and bind to an ADAM instance as described in the procedure “To bind to, view, and browse an ADAM instance using ADAM ADSI Edit” in Using the ADAM Administration Tools.

  2. In the console tree, double-click the O=Microsoft,c=US application directory partition.

  3. In the console tree, click the OU=ADAM Users container.

  4. In the details pane, right-click CN=Mary Baker, and then click Properties.

  5. In Attributes, click msDS-UserAccountDisabled, and then click Edit.

  6. Click True, and then click OK. The Mary Baker account is now disabled.

  7. To enable the Mary Baker account, edit msDS-UserAccountDisabled again, and this time set the attribute to False.
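The objects created in Steps 1 through 4 and the msDS-UserAccountDisabled change above can also be written as LDIF records, which makes them easy to review and keep under change control. The following Python script is an added example, not part of the original Microsoft procedure: it builds those records and decodes the groupType value from Step 2. The function names are hypothetical, and the flag names are the ones documented for the Group-Type attribute.

```python
# Added example: LDIF equivalent of Steps 1-4 and the account toggle.
# Function names are hypothetical; the DNs and values come from the exercises.
BASE = "O=Microsoft,C=US"
OU_DN = "OU=ADAM users," + BASE
GROUP_DN = "CN=ADAM testers," + OU_DN
USER_DN = "CN=Mary Baker," + OU_DN

# Bit flags of the groupType attribute (see the "Group-Type" reference).
GROUP_TYPE_FLAGS = {
    0x00000002: "ACCOUNT_GROUP",
    0x00000004: "RESOURCE_GROUP",
    0x00000008: "UNIVERSAL_GROUP",
    0x80000000: "SECURITY_ENABLED",
}

def to_ldap_int32(value):
    """Return value as the signed 32-bit integer that LDAP uses for groupType."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def decode_group_type(value):
    """Name the flag bits set in a groupType given in signed or unsigned form."""
    bits = value & 0xFFFFFFFF
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit]

def add_record(dn, object_class, **attrs):
    lines = ["dn: " + dn, "changetype: add", "objectClass: " + object_class]
    lines += ["%s: %s" % (k, v) for k, v in attrs.items()]
    return "\n".join(lines) + "\n"

def modify_record(dn, op, attr, value):
    # A modify record names the operation, gives the value, and ends with "-".
    return "\n".join(["dn: " + dn, "changetype: modify",
                      "%s: %s" % (op, attr), "%s: %s" % (attr, value), "-"]) + "\n"

def build_ldif():
    """Steps 1-4: the OU, the group, the user, then the group membership."""
    return "\n".join([
        add_record(OU_DN, "organizationalUnit", ou="ADAM users"),
        add_record(GROUP_DN, "group", cn="ADAM testers",
                   groupType=to_ldap_int32(2147483650)),
        add_record(USER_DN, "user", cn="Mary Baker"),
        modify_record(GROUP_DN, "add", "member", USER_DN),
    ])

def account_toggle_ldif(disabled):
    """The msDS-UserAccountDisabled edit; LDIF booleans are TRUE or FALSE."""
    return modify_record(USER_DN, "replace", "msDS-UserAccountDisabled",
                         "TRUE" if disabled else "FALSE")

if __name__ == "__main__":
    print(decode_group_type(2147483650))  # flags behind the Step 2 value
    print(build_ldif() + "\n" + account_toggle_ldif(disabled=True))
```

LDAP carries groupType as a signed 32-bit integer, so the value 2147483650 typed in ADSI Edit appears as -2147483646 in the generated records and in LDIF exports of the same group.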