The ADS (Active Directory Service) in a Win2000 domain is a centralized database that contains all the information of an organization, such as users, groups and organizational units. If any of this information changes (for example, a user's designation, phone number or department), the entry has to be modified in the ADS accordingly. This is generally done at the server. But Win2000 Server has a tool called LDP (Lightweight Directory Protocol) that allows you to modify ADS entries remotely. We'll see how you can use LDP to modify user details remotely.
STEP ONE
On any Windows client, insert the Win2000 installation CD and run setup.exe from the \support\tools folder. This will install the required administrative tools on your client machine.
STEP TWO
Run Active Directory Administration from Start>Programs>Windows 2000 Support Tools>Tools. This will open an LDP window, which is divided into two sections: on the left is the ADS database tree and on the right are the detailed entries with their attributes. You now need to connect LDP to the Win2000 server where the ADS is located. For this, click 'Connection' on the menu bar. A small dialog box will open, where you give the IP address of the Win2000 server that holds the ADS. Click OK to connect. Then click 'Connection' on the menu bar again and choose 'Bind' from the drop-down menu. Here you will be asked for an administrative username and password, along with the domain name of the ADS server.
STEP THREE
After connecting to the server, click 'View' on the menu bar and select 'Tree'. This will open a Tree View dialog box; leave the BaseDN: text box blank and click OK. The left panel will now show the entire directory. Clicking the plus sign next to the directory in the left panel expands your entire organization structure and shows the attributes of the selected entry in the right panel.
STEP FOUR
Now you need to search the ADS to find the entry that you want to modify. For example, if you need to modify a user's telephone number, click Browse>Search on the menu bar. A dialog box will appear; in its BaseDN text box give CN=Users,DC=Domain Name, replacing Domain Name with the name of your own domain.
In the same dialog box, go to the Filter text box and give displayname=username, replacing username with the name of the user you want to find in the ADS.
Then click the Run button to search for the entry. After a few seconds you will get all the attributes of the user you searched for in the right panel.
STEP FIVE
The next step is to modify the ADS entry of the user we searched for in Step 4. To modify the entry, click Browse>Modify on the menu bar. This will open a Modify dialog box; in its DN text box you need to fill in the full path of the object you are modifying. In our case it is a user object and we are modifying its telephone attribute. From the right panel, find the DN: entry in the result of the search we made in Step 4. Select and copy this entire string (except the DN: prefix) from the right panel and paste it into the DN text box. Next, in the same dialog box, you will find the Attribute and Value text boxes under Edit Entry. Fill the Attribute field with the attribute that you want to modify, and the Value field with the new value that should replace the old one. For example, to change the phone number, you would give the attribute name 'telephonenumber' and the value nnnnnnnn (where nnnnnnnn is the number we want to put in its place).
Description in ADS

Attribute | Description
CN - Common Name | CN=Anindya Roy. This LDAP attribute is actually made up from givenName joined to SN
displayName | displayName=Anindya Roy. Avoid this attribute if possible; it can be confused with CN or Description
DN - also distinguishedName | DN is simply the most important LDAP attribute. Example: CN=Anindya Roy,OU=PCQURST,DC=CMIL,DC=com
name | name=Anindya Roy. Same as CN
objectClass | objectClass=User. Also used for Computer, organizationalUnit, even container. Important top-level container
samAccountName | samAccountName=Anindya. Old NT 4.0 logon name, must be unique in the forest
SN | SN=Roy. This would be referred to as last name or surname
userAccountControl | Used to disable an account. A value of 514 disables the account, while 512 makes the account ready for logon
userPrincipalName | userPrincipalName=anindyar.pcquest@cmil.com. Often abbreviated to UPN*, and looks like an e-mail address. Very useful for logging on, especially in a large forest

*Note: UPN must be unique in the forest

Other LDAP attributes

Attribute | Description
Department | Name of the department the user belongs to
 | The user's e-mail address
msExchHomeServerName | Exchange server name, if one exists
Location | Location where the user sits
Ou | User's organizational unit
streetAddress | Address of the user's office
telephoneNumber, extensionName | User telephone numbers
After filling in the fields, select the 'Replace' radio button and click the 'Enter' button below the Value text field. This will bring up an entry like this '
To cross-check the modification, you can go to the server and verify that the value has been replaced by LDP.
Once you have tried the above procedure a few times you will find it makes your job much easier.
The table shows a few attributes and their descriptions in ADS. In the same way you can add, modify and delete the attributes of any other ADS entry. If the administrator learns to use LDP, he can manage multiple ADS servers off-site with it.
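The search of Step 4 and the Replace of Step 5 are ordinary LDAP operations, so the same change can be expressed without the LDP dialogs. The following added example (not code from the article or from the LDP tool) builds the Step 4 base DN and filter with proper filter escaping, writes the Step 5 replace as an LDIF change record, and decodes the userAccountControl values 512 and 514 from the table; the domain, user and phone number are constructed sample values, and the flag names are the standard AD flag constants.

```python
import base64

# Flags of the userAccountControl bit field (standard AD constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515) so that
    '*', '(', ')' or '\\' in a typed-in name cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)

def build_search(domain_dn: str, display_name: str):
    """Step 4 as LDAP parameters: base DN under CN=Users plus the
    displayName filter that LDP runs."""
    return "CN=Users," + domain_dn, "(displayName=%s)" % escape_filter_value(display_name)

def describe_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value:
    512 -> NORMAL_ACCOUNT, 514 -> ACCOUNTDISABLE and NORMAL_ACCOUNT."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def _ldif_line(name: str, value: str) -> str:
    # LDIF (RFC 2849) requires base64 ("::") for values that are not printable
    # ASCII or that start with a space, ':' or '<'.
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))

def ldif_replace(dn: str, attribute: str, value: str) -> str:
    """Step 5 with the 'Replace' radio button, as an LDIF change record:
    the DN copied from the search result, the attribute and its new value."""
    return "\n".join([_ldif_line("dn", dn), "changetype: modify",
                      "replace: " + attribute, _ldif_line(attribute, value), "-"]) + "\n"

if __name__ == "__main__":
    base, filt = build_search("DC=CMIL,DC=com", "Anindya Roy")   # constructed sample
    print(base, filt)
    print(ldif_replace("CN=Anindya Roy,OU=PCQURST,DC=CMIL,DC=com",
                       "telephoneNumber", "12345678"))         # constructed number
    print(describe_uac(514))
```

The LDIF text is what a command-line client such as ldifde or ldapmodify would take as input for the same change; it is also a convenient record of exactly what was modified, which is useful when reviewing changes to the directory.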
Sanjay Majumder