
Remotely Manage Active Directory

PCQ Bureau

The ADS (Active Directory Service) in a Win2000 domain is a centralized database that contains all the information about an organization, such as users, groups and organizational units. If any of this information changes (for example, the designation, phone number or department of a user), the entry has to be modified in the ADS accordingly. This is generally done at the server level. But Win2000 Server has a tool called LDP (Lightweight Directory Protocol) that allows you to remotely modify ADS entries. We’ll see how you can use LDP to modify user details remotely.


      

STEP ONE



On any Windows client, first insert a Win2000 installation CD and run setup.exe from the \support\tools folder. This will install the required administrative tools on your client machine.

     

STEP TWO



Run Active Directory Administration from Start>Programs>Windows2000 support tools>Tools. This will open an LDP window, which is divided into two sections. On the left side is the ADS database and on the right are the detailed entries with their attributes. You need to connect LDP to the Win2000 server where the ADS is located. For this, click on ‘Connection’ from the menu bar. A small dialog box will open, where you give the IP address of the Win2000 server where the ADS is located. Click on OK to connect. Then click on ‘Connection’ from the menu bar again and then on ‘Bind’ from the drop-down menu. Here, you will be asked to give the administrative username and password with the domain name of the ADS server.

Searching of users in ADS, using LDP tool

     

STEP THREE



After connecting to the server, click on ‘View’ from the menu bar and select ‘Tree’. This will open a Tree View dialog box, where you leave the BaseDN text box blank and click on OK. The left window panel will now show the entire directory. If you click on the plus sign next to the directory in the left window, it will expand your entire organization structure and show you the attributes in the right window panel.

     

STEP FOUR



Now you need to search the ADS to find the entry that you want to modify. For example, if you need to modify a user’s telephone number, click on Browse>Search from the menu bar. A dialog box will appear, where in the BaseDN text box you give the attribute CN=Users, DC=Domain Name. Make sure the Domain Name entry is replaced by the name of your domain controller.

In the same dialog box, go to the filter text box and give the attribute displayname=username. Replace username with the name of the user that you want to search for in the ADS.


Then click on the Run button to search for the entry. After a few seconds you will get all the attributes of the searched user in the right window panel.

      

STEP FIVE



The next step is to modify the ADS entries for the user that we searched for in Step 4. To modify the entry, click on Browse>Modify from the menu bar. This will open a Modify dialog box, where in the DN text box you need to fill in the full path of the object that you are modifying. In our case, it’s a user object and we are modifying its telephone attribute. Now, from the right window panel, find the DN: entry for the search we made in Step 4. Then select and copy this entire string (except DN:) from the right window and paste it into the DN text box. Next, in the same dialog box, you will find the attribute and value text boxes under Edit entry. Fill the attribute text box with the attribute that you want to modify, and the value text box with the new value for that attribute. For example, to change the phone number, give the attribute name ‘telephonenumber’ and the value nnnnnnnn (nnnn is a number that we will replace).

Description in ADS

| Attribute | Description |
|---|---|
| CN - Common Name | CN=Anindya Roy. Actually this LDAP attribute is made up from givenName joined to SN |
| displayName | displayName=Anindya Roy. Avoid this attribute if possible, can be confused with CN or Description |
| DN - also distinguishedName | DN is simply the most important LDAP attribute. CN=Anindya Roy, OU=PCQURST,DC=CMIL,DC=com |
| name | name=Anindya Roy. Same as CN |
| objectClass | objectClass=User. Also used for Computer, organizationalUnit, even container. Important top level container |
| samAccountName | samAccountName=Anindya. Old NT 4.0 logon name, must be unique in the forest |
| SN | SN=Roy. This would be referred to as last name or surname |
| userAccountControl | Used to disable an account. A value of 514 disables the account, while 512 makes the account ready for logon |
| userPrincipalName | userPrincipalName=anindyar.pcquest@cmil.com. Often abbreviated to UPN*, and looks like an e-mail address. Very useful for logging on, especially in a large forest. *Note: UPN must be unique in the forest |

Other LDAP attributes

| Attribute | Description |
|---|---|
| Department | Name of the department the user belongs to |
| Mail | His e-mail address |
| msExchHomeServerName | Exchange server name, if one exists |
| Location | Location where the user sits |
| Ou | User organization unit |
| streetAddress | Address of the user's office |
| telephoneNumber, extensionName | User telephone numbers |

After filling the blanks, select the ‘Replace’ radio button and click on the ‘Enter’ button below the value text field. This will bring up an entry like this ‘telephonenumber:nnnnnnn’. Finally, click Run to execute the modification in ADS. If the ADS entry has been successfully modified, then the success result will be shown in the right window.

To cross check the modification process, you can go to the server and check that the value has been replaced from LDP.
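Steps two to five can also be scripted. The following is an added example, not part of the original article: the function names are hypothetical, `replace_attribute()` assumes the third-party ldap3 package and an NTLM bind, and the name typed into the filter is escaped so that characters such as `*` or `(` cannot change what the search matches.

```python
# Added example (not from the article). Function names are hypothetical;
# replace_attribute() assumes the third-party ldap3 package is installed.

def escape_filter_value(value):
    """Escape the characters that are special in an LDAP filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def users_base_dn(dns_domain):
    """Step four BaseDN: 'cmil.com' -> 'CN=Users,DC=cmil,DC=com'."""
    return 'CN=Users,' + ','.join('DC=' + part for part in dns_domain.split('.'))

def display_name_filter(display_name):
    """Step four filter, with the user-supplied name escaped."""
    return '(displayName=%s)' % escape_filter_value(display_name)

def replace_attribute(host, bind_user, password, dns_domain,
                      display_name, attribute, new_value):
    """Connect, bind, search, replace one attribute, then read it back."""
    from ldap3 import BASE, MODIFY_REPLACE, NTLM, Connection, Server
    # Step two: connect and bind; bind_user is 'DOMAIN\\username' for NTLM.
    conn = Connection(Server(host), user=bind_user, password=password,
                      authentication=NTLM, auto_bind=True)
    try:
        # Step four: find the entry; refuse to continue on zero or many hits.
        conn.search(users_base_dn(dns_domain),
                    display_name_filter(display_name), attributes=[attribute])
        if len(conn.entries) != 1:
            raise LookupError('expected 1 entry, found %d' % len(conn.entries))
        dn = conn.entries[0].entry_dn
        # Step five: the 'Replace' operation on a single attribute.
        if not conn.modify(dn, {attribute: [(MODIFY_REPLACE, [new_value])]}):
            raise RuntimeError('modify failed: %s' % conn.result['description'])
        # Cross-check: read the value back from the directory.
        conn.search(dn, '(objectClass=*)', search_scope=BASE,
                    attributes=[attribute])
        return dn, conn.entries[0][attribute].value
    finally:
        conn.unbind()
```

`Server(host)` connects on port 389 without TLS; where the domain controller has a certificate, `Server(host, use_ssl=True)` keeps the session encrypted.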



Once you’ve tried the above procedure a few times you’ll find it makes your job much easier.

The table shows a few attributes and their descriptions in ADS. In the same way, you can add, modify and delete the attributes of any other ADS entries. An administrator who learns to use LDP can manage multiple ADS servers off site.
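The userAccountControl values in the table (512 and 514) are sums of bit flags, so a ‘Replace’ with the literal 514 also clears any other flag the account carried. The following added example, which is not part of the original article, decodes the value and changes only the disable bit; the function names are hypothetical, the flag values are the ones Microsoft documents for this attribute, and 66048 is a constructed sample value.

```python
# Added example (not from the article). userAccountControl is a bit field;
# only a subset of the documented flags is listed here.
UAC_FLAGS = {
    0x0002: 'ACCOUNTDISABLE',
    0x0010: 'LOCKOUT',
    0x0020: 'PASSWD_NOTREQD',
    0x0200: 'NORMAL_ACCOUNT',
    0x1000: 'WORKSTATION_TRUST_ACCOUNT',
    0x2000: 'SERVER_TRUST_ACCOUNT',
    0x10000: 'DONT_EXPIRE_PASSWORD',
    0x40000: 'SMARTCARD_REQUIRED',
    0x80000: 'TRUSTED_FOR_DELEGATION',
    0x400000: 'DONT_REQ_PREAUTH',
}
ACCOUNTDISABLE = 0x0002

def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits not in the table above
    if unknown:
        names.append('UNKNOWN_0x%x' % unknown)
    return names

def disable(value):
    """Value to write to disable the account while keeping its other flags."""
    return value | ACCOUNTDISABLE

def enable(value):
    """Value to write to re-enable the account while keeping its other flags."""
    return value & ~ACCOUNTDISABLE

def lost_flags(current, replacement):
    """Flags that would be dropped by replacing `current` with `replacement`."""
    return decode_uac(current & ~replacement)

if __name__ == '__main__':
    current = 66048  # constructed sample: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    print(decode_uac(current))
    print('writing 514 would drop:', lost_flags(current, 514))
    print('write this instead:', disable(current), decode_uac(disable(current)))
```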

Sanjay Majumder
