Step-by-Step Guide to Managing Active Directory

Published: September 17, 2004

This guide introduces you to administration of the Windows Server 2003 Active Directory service
and the Active Directory Users and Computers snap-in.
On This Page
Introduction

Overview

Using Active Directory Domains and Trusts Snap-In

Using the Active Directory Users and Computers Snap-In

Additional Resources

Introduction
Step-by-Step Guides
The Microsoft Windows Server 2003 Deployment step-by-step guides provide hands-on experience
for many common operating system configurations. The guides begin by establishing a common
network infrastructure through the installation of Windows Server 2003, the configuration of Active
Directory, the installation of a Windows XP Professional workstation, and finally the addition of this
workstation to a domain. Subsequent step-by-step guides assume that you have this common
network infrastructure in place. If you do not wish to follow this common network infrastructure,
you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.

• Part I: Installing Windows Server 2003 as a Domain Controller

Part II: Installing a Windows XP Professional Workstation and Connecting It to a
•
Domain
Once the common network infrastructure is configured, any of the additional step-by-step guides
may be employed. Note that some step-by-step guides may have additional prerequisites above and
beyond the common network infrastructure requirements. Any additional requirements will be noted
in the specific step-by-step guide.

Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical
lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft
Virtual Server 2005. Virtual machine technology enables customers to run multiple operating
systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are
designed to increase operational efficiency in software testing and development, legacy application
migration, and server consolidation scenarios.
The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur
within a physical lab environment, although most configurations can be applied to a virtual
environment without modification.
Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the
scope of this document.

Important Notes

1
Step-by-Step Guide to Managing Active Directory
The example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious. No association with any real company,
organization, product, domain name, e-mail address, logo, person, places, or events is intended or
should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name
and Domain Name System (DNS) name used in the common infrastructure are not registered for
use on the Internet. You should not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how
Windows Server 2003 Change and Configuration Management works and functions with Active
Directory. It was not designed as a model for configuring Active Directory for any organization.
Top of page
Overview
This guide introduces you to administration of the Windows Server 2003 Active Directory service.
The Active Directory administrative tools simplify directory service administration. You can use the
standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on
single management tasks. You can combine several tools into one console. You can also assign
custom tools to individual administrators with specific administrative responsibilities.
The Active Directory administrative tools can only be used from a computer with access to a
domain. The following Active Directory administrative tools are available on the Administrative Tools
menu:
Active Directory Users and
•
Computers
• Active Directory Domains and Trusts

• Active Directory Sites and Services

You can also remotely administer Active Directory from a computer that is not a domain controller,
such as a computer running Windows XP Professional. To do this, you must install the Windows
Server 2003 Administration Tools Pack.
The Active Directory Schema snap-in is an Active Directory administrative tool for managing the
schema. It is not available by default on the Administrative Tools menu and must be added
manually.
For advanced administrators and network support specialists, there are many command-line tools
that can be used to configure, manage, and troubleshoot Active Directory. You can also create
scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on
the operating system installation media.

Prerequisites
• Part 1: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a
•
Domain
• Step by Step Guide to Setting up Additional Domain Controllers

Guide Requirements
You must be logged on as a user with administrative privileges to perform the procedures in this
•
document.
If you are working on a domain controller, the Active Directory Schema snap-in might not be
•
installed. To install it:

2
Step-by-Step Guide to Managing Active Directory
At a command-line prompt, type
•
regsvr32 schmmgmt.dll
The Active Directory Schema management snap-in will now be available within MMC.
On Windows Server 2003–based stand-alone servers or Windows XP Professional workstations,
•
Active Directory Administrative Tools are optional. You can install them from Add/Remove
Programs in the Control Panel using the Windows Components wizard or from the ADMINPAK
on the Windows Server 2003 CD.
Top of page
Using Active Directory Domains and Trusts Snap-In
The Active Directory Domains and Trusts snap-in provides a graphical view of all domain trees in
the forest. Using this tool, an administrator can manage each of the domains in the forest, manage
trust relationships between domains, configure the mode of operation for each domain (native or
mixed mode), and configure the alternative User Principal Name (UPN) suffixes for the forest.

Starting the Active Directory Domains and Trusts Snap-In

To start the snap-in
1. On HQ-CON-DC-01, click the Start button, point to All Programs, point to
Administrative Tools, and then click Active Directory Domains and Trusts. The Active
Directory Domains and Trusts snap-in appears as in Figure 1.

Figure 1. Active Directory Domains and Trust Snap-In

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active
Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred
to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the
first domain in the first tree of the forest. In this guide and the other step-by-step guides in this
series, the default UPN suffix is contoso.com.
You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon
names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows
Server 2003 domain and is not required to be a valid DNS domain name.
To add additional UPN suffixes
1. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then
click Properties.
2. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.
3. Click OK to close the window.

Changing Domain and Forest Functionality

Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a
way to enable domain– or forest-wide Active Directory features within your network environment.
Different levels of domain functionality and forest functionality are available depending on your
environment.

3
Step-by-Step Guide to Managing Active Directory
If all domain controllers in your domain or forest are running Windows Server 2003 and the
functional level is set to Windows Server 2003, all domain– and forest-wide features are available.
When Windows NT® 4.0 or Windows 2000 domain controllers are included in your domain or forest
with domain controllers running Windows Server 2003, only a subset of Active Directory domain–
and forest-wide features are available.
The concept of enabling additional functionality in Active Directory exists in Windows 2000 with
mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain
controllers and cannot use Universal security groups, group nesting, and security ID (SID) history
capabilities. When the domain is set to native mode, Universal security groups, group nesting, and
SID history capabilities are available. Domain controllers running Windows 2000 Server are not
aware of domain and forest functionality.
Warning: Once the domain functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot
be added to that domain.
Domain functionality enables features that will affect the entire domain and that domain only. Four
domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native,
Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the
Windows 2000 mixed functional level.
To raise domain functionality
1. Right-click the domain object (in the example, contoso.com), and then click Raise Domain
Functional Level.
2. From the Select an available domain functional level drop-down list, select Windows
Server 2003, and then click Raise.
3. Click OK on the warning message to raise domain functionality. Click OK again to complete the
process.
4. Close the Active Directory Domains and Trusts window.
Top of page

4
Step-by-Step Guide to Managing Active Directory

Using the Active Directory Users and Computers Snap-In

To start the Active Directory Users and Computers snap-in
1. Click the Start button, point to All Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Expand Contoso.com by clicking +.
Figure 2 displays the key components of the Active Directory Users and Computers snap-in.

Figure 2. Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

Icon Folder Description

Domain The root node of the snap-in represents the domain being administered.

Computers Contains all Windows NT, Windows 2000, Windows XP, and Windows Server
2003–based computers that join a domain. This includes computers running
Windows NT versions 3.51 and 4.0. If you upgrade from a previous version,
Active Directory migrates the machine account to this folder. You can move these
objects.

System Contains Active Directory systems and services information.

Users Contains all the users in the domain. In an upgrade, all users from the previous
domain will be migrated. Like computers, the user objects can be moved.
You can use Active Directory to create the following objects.

Icon Object Description

User A user object is an object that is a security principal in the directory. A user
can log on to the network with these credentials, and access permissions can
be granted to users.

Contact A contact object is an account that does not have any security permissions.
You cannot log on to the network as a contact. Contacts are typically used to
represent external users for the purpose of e-mail.

5
Step-by-Step Guide to Managing Active Directory
Icon Object Description

Computer An object that represents a computer on the network. For Windows NT–based
workstations and servers, this is the machine account.

Organizational Organizational units (OUs) are used as containers to logically organize

Unit directory objects such as users, groups, and computers in much the same way
that folders are used to organize files on your hard disk.

Group Groups can have users, computers, and other groups. Groups simplify the
management of large numbers of objects.

Shared Folder A shared Folder is a network share that has been published in the directory.

Shared printer A shared printer is a network printer that has been published in the directory.

Adding an Organizational Unit

This procedure creates an additional OU in the Contoso domain. Note that you can create nested
OUs, and there is no limit to the nesting levels.
These steps follow the Active Directory structure established in the common infrastructure step-by-
step guides. If you did not create that structure, add the OUs and users directly under
Contoso.com; that is, where Accounts is referred to in the procedure, substitute Contoso.com.
To add an OU
1. Click the + next to Accounts to expand it.
2. Right-click Accounts.
3. Point to New and click Organizational Unit. Type Construction as the name of your new
organizational unit, and then click OK.
Repeat the previous steps to create additional OUs as follows:

• Organizational unit Engineering under Accounts.

• Organizational unit Manufacturing under Accounts.

Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-
•
click Manufacturing, point to New, and then click Organizational Unit.)
Organizational units Corporate and Government under the Manufacturing organizational unit.
•
Click Manufacturing so that its contents will display in the right pane.
When you are finished, you should have the following hierarchy as shown in Figure 3.

6
Step-by-Step Guide to Managing Active Directory

Figure 3. New OUs

Creating a User Account

The following procedure creates the user account John Smith in the Construction OU.
To create a user account
1. Right-click the Construction organizational unit, point to New, and then click User, or click
New User on the snap-in toolbar.
2. Type user information as shown in Figure 4.

Figure 4. New User Dialog Box

3. Click Next to continue.
4. Type pass#word1 in both the Password and Confirm password boxes, and then
click Next.
Note: The role that passwords play in securing an organization's network is often
underestimated and overlooked. Passwords provide the first line of defense against
unauthorized access to your organization. The Windows Server 2003 family has a new feature

7
Step-by-Step Guide to Managing Active Directory
that requires complex passwords for all newly established user accounts. For information about
this feature, see the Setting Password Policy step-by-step guide.
5. Click Finish to accept the confirmation in the next dialog box.
You have now created an account for James Smith in the Construction OU.
To add additional information about this user
1. Select Construction in the left pane, right-click John Smith in the right pane, and then click
Properties.
2. Add more information about the user in the Properties dialog box on the General tab as
shown in Figure 5, and then click OK. Click each available tab and review the optional user
information that may be defined.

Figure 5. Additional User Information

Moving a User Account

Users can be moved from one OU to another within the same domain or a different domain. For
example, in this procedure, John Smith moves from the Construction division to the Engineering
division.
To move a user from one OU to another
1. Click the John Smith user account in the right pane, right-click it, and then click Move.
2. On the Move screen, click + next to Accounts to expand it as shown in Figure 6.

8
Step-by-Step Guide to Managing Active Directory

Figure 6. List of Available OUs

3. Click the Engineering OU, and then click OK.

Creating a Group
To create a group
1. Right-click the Engineering OU, click New, and then click Group.
2. In the New Object – Group dialog box, type Tools for Name.
3. Review the type and scope of groups available in Windows Server 2003 as shown in the
following table. Leave the default settings, and then click OK to create the Tools group.
The Group type indicates whether the group can be used to assign permissions to other
•
network resources, such as files and printers. Both security and distribution groups can be
used for e-mail distribution lists.
The Group scope determines the visibility of the group and what type of objects can be
•
contained within the group.

Scope Visibility May Contain

Domain Local Domain Users, Domain Local, Global, or Universal Groups

Global Forest Users or Global Groups

Universal Forest Users, Global, or Universal Groups

Adding a User to a Group

To add a user to a group
1. Click the Engineering OUin the left pane.
2. Right-click the Tools group in the right pane, and then click Properties.
3. Click the Members tab, and then click Add.
4. In the Enter the object names to select text box, type John, and then click OK.

9
Step-by-Step Guide to Managing Active Directory

Figure 7. Add John Smith to the Tools Security Group

5. On the Tools Properties screen, verify John Smith is now a member of the Tools Security
Group, and then click OK.

Publishing a Shared Folder

To help users find shared folders more easily, you can publish information about shared folders in
Active Directory. Any shared network folder, including a Distributed File System (Dfs) folder, can be
published in Active Directory. Creating a Shared folder object in the directory does not automatically
share the folder. This is a two-step process: you must first share the folder, and then publish it in
Active Directory.
To share a folder
1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk
volumes.
2. In Windows Explorer, right-click the Engineering Specs folder, and then click Properties.
Click Sharing, and then click Share this folder.
3. On the Engineering Specs Properties screen, type ES in the Share name box, and then click
OK. Close Windows Explorer once complete.
Note: By default, the built-in Everyone group has permissions to this shared folder. You can
change the default permission by clicking the Permissions button.
Publishing the Shared Folder in the Directory
To publish the shared folder in the directory
1. In the Active Directory Users and Computers snap-in, right-click the Engineering OU, point
to New, and then click Shared Folder.
2. On the New Object – Shared Folder screen, type Engineering Specs in the Name box.
3. In the Network Path name box, type \\hq-con-dc-01.contoso.com\ES, and click OK.
4. Right-click Engineering Specs, and then click Properties.
5. Click Keywords. For New Value, type specifications, and then click Add to continue. Click
OK twice to finish.
Users may now search Active Directory by share name or keyword to locate this shared resource.
Searching for a Shared Folder
To find a shared folder
1. In the Active Directory Users and Computers MMC, right-click Contoso, and then click
Find.
2. In the Find drop-down list, click Shared Folders. Type specifications in the Keywords text
box, and then click Find Now.
3. In Search results, right-click Engineering Specs, and then click Open.

10
Step-by-Step Guide to Managing Active Directory

Figure 8. Searching for Shared Folders in Active Directory

Note: When populated, the ES shared folder contents will be available to end users through
directory searches. Users may also map this shared resource as a network drive.
4. Close the Find Shared Folders dialog box.

Publishing a Printer
You can also publish information about shared printers in Active Directory. Information about
printers shared from Windows NT must be published manually. Information about printers shared
from the Windows Server 2003 family or the Windows 2000 Server family is published to the
directory automatically when you create a shared printer. Use Active Directory Users and Computers
to manually publish shared printer information.
The print subsystem will automatically propagate changes to the printer attributes (location,
description, loaded paper, and so on) to the directory.
Note: This section details the steps to configure and publish a printer, which prints directly to a
file. If you want to use an IP, LPT, or USB–based printer, you must modify the steps in these
procedures.
Adding a New Printer
To add a new printer
1. Click the Start button, click Printers and Faxes, and then double-click Add Printer. The Add
Printer Wizard appears. Click Next.
2. Click Local printer attached to this computer, clear the Automatically detect and install
my Plug and Play printer check box, and then click Next.
3. In the Use the following port drop-down list, click the FILE: (Print to File) option, and then
click Next.
4. In the Manufacturer results pane, click Generic. In the Printers results pane, click Generic /
Text Only. Click Next to continue.
5. On the Name Your Printer page, change the Printer name to Print to File, and then click
Next.
6. On the Printer Sharing page, change the Share name to FilePrinter, and then click Next.
7. For Location on the Location and Comment page, type Headquarters – Bldg 4 – Room

11
Step-by-Step Guide to Managing Active Directory
2200. Click Next to continue.
8. Click Next to print a test page, and then click Finish to complete the installation.
9. When prompted, type Test Print as the file name for the printer test page. Click OK once
complete.
The printer is automatically published in Active Directory.
Locating a Printer in Active Directory
To find a printer in Active Directory
1. On the Printers and Faxes screen, double-click the Add Printer icon.
2. The Add Printer Wizard dialog box appears. Click Next to continue.
3. Click A network printer, and then click Next.
4. Click Find a printer in the Directory (default), and then click Next.
5. The Find Printers dialog box appears. Click Find Now to search for all printers published in
Active Directory. Setting additional search options can limit results by available features or
printer location.
Printer Location Tracking: Use printer location tracking to streamline printer searches. When
printer location tracking is enabled and the user clicks Find Now, Active Directory lists all
printers matching the user's query that are in the user location. Users can change the location
field by clicking Browse to search for printers in other locations. For more information about
configuring printer location tracking, see the Windows Server 2003 Help and Support Center.
6. In the Search results on the Find Printers page, double-click Print to File to install the
printer. Click Yes (default) to set this printer as the default printer for your system, and then
click Next.

Figure 9. Searching for Shared Printers in Active Directory

7. Click Finish to complete the printer installation.
8. Close the Printers and Faxes window.
You can publish printers shared by operating systems other than Windows Server 2003, Windows
2000, or Windows XP in Active Directory. The simplest way to do this is to use the pubprn.vbs
script, although the Active Directory Users and Computers snap-in can be used. This script will
publish all the shared printers on a given server. It is located in the \winnt\system32 directory.
Publishing a Printer Manually Using the pubprn.vbs Script
To publish a printer manually using the pubprn.vbs script
1. Click the Start button, and then click Run. Type cmd in the text box, and then click OK.
2. Type cd \ windows\ system32,and then press Enter.
3. Type cscript pubprn.vbs prserv1 "LDAP://ou=accounts,dc=contoso,dc=com", and then

12
Step-by-Step Guide to Managing Active Directory
press Enter.
Note: This example publishes all the printers on the Prserv1 server to the Accounts OU. The
script copies only the following subset of the printer attributes including Location, Model,
Comment, and UNCPath. This script will not work on Windows Server 2003, it is
provided as a manual tool for publishing printers to Active Directory from down-level
print servers only.
4. Close the window.
Publishing a Printer Manually Using the Active Directory Users and Computers Snap-
In
1. Right-click the Marketing OU, click New, and then click Printer.
2. The New Object-Printer dialog box appears. In the text box, type the path to the printer, such
as \\server\share name, and then click OK.
End users experience seamless operations from printers being published in the directory since they
can browse for printers, submit jobs to those printers, and install the printer drivers directly from
the server.

Creating a Computer Object

A computer object is created automatically when a computer joins a domain. If you do not want to
give all users the ability to add computers to the domain, computer objects may also be created
before the computer joins a domain manually or via scripts.
To manually add a computer to the domain
1. Right-click the Engineering OU, point to New, and then click Computer.
2. For the computer name, type Legacy, and then click Next.
3. If the computer is a managed system, you can enter the system GUID. In this example, leave
the system GUID blank, click Next, and then click Finish.
4. To manage this computer from the Active Directory Users and Computers snap-in, right-
click the computer object, and then click Manage.
Optionally, you can select which users are permitted to join a computer to the domain. This allows
the administrator to create the computer account and someone with lesser permissions to install the
computer and join it to the domain.

Renaming, Moving, and Deleting Objects

Every object in the directory can be renamed and deleted, and most objects can be moved to
different containers. The following procedure expands the example for creating a computer object.
To move the Legacy computer object to different container
1. In the Accounts OU, click the Engineering OU.
2. Right-click the Legacy computer object, and then click Move.
3. Expand the Resources OU, and then click to highlight Servers as shown in Figure
10.

13
Step-by-Step Guide to Managing Active Directory

Figure 10. Moving a Computer Object

4. Click OK to move the computer to the Server OU within the Resources OU.

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory Users and
Computers snap-in. Computer Management is a component you can use to view and control many
aspects of the computer configuration. Computer Management combines several administration
utilities into a single console tree, providing easy access to a local or remote computer's
administrative properties and tools.
Note: The following example assumes that you are working from the HQ-CON-DC-01 console and
that HQ-CON-DC-02 is currently running.
Managing a Remote Computer
To manage a remote computer
1. In the Active Directory Users and Computers snap-in, right-click contoso.com, and then
click Connect to Domain.
2. Click Browse, and then click the + next to contoso.com. Double-click
vancouver.contoso.com, and then click OK.
3. Expand vancouver.contoso.com by clicking the +, and then click Domain Controllers.
4. Right-click HQ-CON-DC-02, and then click Manage. The system may now be remotely
managed as shown in Figure 11.

14
Step-by-Step Guide to Managing Active Directory

Figure 11. Remotely Managing a Computer

See full-sized image
5. Close the Computer Management window.

Nested Groups
Nested groups allow you to provide company-wide or department-wide access to resources with
minimum maintenance. Placing every team account group into a single company-wide resource
group is not an effective solution because it requires the creation and maintenance of a large
number of membership links. To use nested groups, administrators create a series of account
groups that represent the managerial divisions of the company.
For example, the top account group might be called "All Employees," and would be attached to a
resource group that gives access to resources and shared directories. The next level might contain
account groups that represent major divisions of the company. Each group at this level is a member
of All Employees, and is attached to a resource group giving access to shares and other resources
appropriate to the division it represents.
Within a division, the next level of account groups might represent departments. Shared resources
for the department might include project schedules, meeting schedules, vacation schedules, or any
network information appropriate to the whole department. The department account groups are all
members of the division account group.
Within a department, the management structure can be organized into security groups to any
required level of specificity. These might be team account groups and might represent leaf nodes in
the organization’s hierarchical tree.
With this group hierarchy in place, you can give a new employee instant access to the resources of
the team, the department, the division, and the company as a whole by placing the employee in a
team account group. This system supports the principle of least access because the new employee
cannot view the resources of adjacent teams, other departments, or other divisions.
Creating Nested Groups
To create a nested group

15
Step-by-Step Guide to Managing Active Directory
1. In the Active Directory Users and Computers snap-in, right-click vancouver.contoso.com,
and then click Connect to Domain.
2. Click Browse, and then click contoso.com. Click OK twice to finish.
3. Expand contoso.com, and then expand the Accounts OU.
4. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group.
Type All Engineering, and then click OK.
5. Right-click the All Engineering Group, and then click Properties.
6. Click the Members tab, and then click Add.
7. In the Enter the objects name to select box, type Tools, and then click OK.
8. Click OK again. A nested group has been created.

Finding Specific Objects

In a large directory deployment, it may be unreasonable to browse a comprehensive list of objects
in search of a unique object. Often, it is more efficient to find specific objects that meet a certain
criteria. In the following example, you will find all users who have a logon name starting with “J” in
the Contoso domain.
To find users with a logon name starting with J
1. Click to select contoso.com. Right-click contoso.com, and then click Find.
2. Click the Advanced tab. In the Field drop-down list, select User, and then click Logon Name.
3. Type J for Value, and then click Add. Click Find Now. Your results should be similar to those
shown in Figure 12.

Figure 12. Employing Advanced Directory Search Techniques

4. Close the Find User, Contacts, and Groups window.

Filtering a List of Objects

Filtering the list of returned objects from the directory can allow you to manage the directory more
efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in. For
example, you can choose to view only users and groups, or you may want to create a more complex
filter. If an OU has more than a specified number of objects, the Filter function allows you to restrict
the number of objects displayed in the results pane. You can use the Filter function to configure this
option.

16
Step-by-Step Guide to Managing Active Directory
To create a filter designed to display users only
1. In the Active Directory Users and Computers snap-in, click Engineering under the
Accounts OU.
2. Click the View menu, and then click Filter Options.
3. Click the radio button for Show only the following types of objects, select Users, and then
click OK.
4. Expand Accounts, and then click Engineering to verify the filtering results.
5. Remove the filter.
Top of page
Additional Resources
For more information, see the following resources.
Active Directory Design Concepts at
•
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/D2FF1315-
1712-48E4-ACDC-8CAE1B593EB1.mspx
Microsoft Solutions for Management: Managing the Windows Server Platform Active Directory
•
Directory Service Product Operations Guide at
http://www.microsoft.com/downloads/details.aspx?familyid=84dfe61e-fb7b-4673-89b8-
55bcc801b431&displaylang=en
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at
•
http://www.microsoft.com/windowsserver2003

17