Computer Objects
Objects are software constructs that represent the physical computers, and all computers have a computer object associated with them.
A computer object is used by Active Directory to:
- Identify that system when it is authenticated on the network
- Determine for auditing purposes whether it is a client computer, a member server, or a domain controller
Domain controllers use the server object to identify the domain controller in the replication process.
User, Group, Computer objects
User, group, and computer objects are actually containers, as they can contain other objects such as printers. However, they are not normally drawn as containers in domain diagrams such as this.
Icons
When you look at a container of objects in ADUC, it shows you an icon for each object that is appropriate to the specific object class for that object. The icons for organizational units look different than those for containers, users, and printers, for example. The icon can actually be used to represent different states of that object. For example, if you disable a user or computer object, the icon is changed to indicate that the object is disabled. All in all, 16 different state icons can be defined for any object class. The first three represent the states closed (the default state), open, and disabled; the last 13 are currently undefined and left for your own use. To modify the icon for an object class, simply use the iconPath attribute to store multivalued data of the following form:
Mastering Active Directory
0, c:\windows\system32\myicon.ico
1, c:\windows\system32\myicons.dll, 0
2, c:\windows\system32\myicons.dll, 2
3, c:\windows\system32\myicons.dll, 7
This sets the first four icon values. Remember that 0 is closed, 1 is open, and 2 is disabled; 3 through 15 are undefined. The first line uses a proper icon file with an ICO extension and so does not need a third parameter. The last three use the first (0), third (2), and eighth (7) icons from myicons.dll, using an index for the set of icons held in the DLL,
starting at 0. The icon path has to exist on the local machine for any client to properly display the icon. Remember to take that into account, since you may need to deploy the icon files to all clients in an enterprise if they are to display the icons properly.
What is ADUC?
ADUC is an MMC snap-in that enables administrators to manage Active Directory objects, including
- users,
- computers,
- groups,
- organizational units (OUs), and
- attributes.
While the features of ADUC and many other features have been added to a new tool named Active Directory Administrative Center, ADUC remains a popular tool that administrator's use to manage their environment. In addition to managing objects, ADUC can also manage domain operations. For example, you can raise the domain functional level from ADUC. You can also transfer the RID, PDC Emulator, and Infrastructure FSMO roles to a different domain controller by using ADUC. Managing an object consists of some of the more obvious tasks such as resetting a user's password (Netwrix has a freeware for bulk password reset), adding users to security groups, and moving computer objects. However, the Advanced Features setting within ADUC can also allow you to manage the LostAndFound container, NTDS Quotas, Program Data, and System information. This view is not enabled by default but you can enable through the View menu.
The Advanced Features option adds many tabs to the properties page of an object, including Published Certificates, Attribute Editor, Password Replication, and others. The View menu also allows you to filter the view based on the object type, such as user, computer, printer and more. Individual columns can also be added or removed, to customize the view to include other attributes that have been assigned to the object, for example the last modify date, city, country, email address, and more.