
Creating objects in Active Directory

What are Active Directory Objects?   

Active Directory (AD), Microsoft’s proprietary directory service for Windows Server, allows administrators to control permissions and network resource access. In AD, data is stored as objects. An object is the fundamental unit of data and typically represents either a resource, such as a printer or a computer, or a security principal, such as a person or a group. The properties of an AD object are defined by a set of data items known as AD object attributes. A user object has attributes such as first name, middle name, and password, whereas a computer object has attributes such as computer name and DNS name. The AD schema defines the attributes an AD object can contain. The schema includes object classes that specify the different types of AD objects and the mandatory attributes each must have.

What are object categories in AD?   

AD objects are classified as follows:

  • Container objects: Objects that contain other objects and have a specific location in the directory subtree structure. Groups and Organizational Units are examples of container objects.
  • Leaf objects: Objects that do not hold any other objects and are found at the bottom of the subtree hierarchy. Users and computers are examples of leaf objects.

How many object class types are there in AD?    

AD has three types of object classes:

  • Abstract class: This class exists solely to construct other object classes. There are 14 abstract classes in AD, including Device, Top, and Security Object.
  • Auxiliary class: It is used to modify an Abstract class’s definition. Security Principal, Sam Domain Base, Sam Domain, Dynamic Object, MS MMS Object, and Mail Recipient are the Auxiliary classes in AD.
  • Structural class: This class defines the primary type of object that an entry represents, such as a user, a group, or a computer. They can inherit from an abstract or structural object class, but not from an auxiliary class.

What are the common types of objects in AD? 

The following are the most common object types in Active Directory:

  • User: A user object in AD represents a user who is a member of the AD network of an organization. The user can be an employee of the organization, such as a manager, IT administrator, or Human Resource representative. A user object has attributes that contain information such as first name, middle name, last name, login credentials, phone number and so on.
  • Group: In AD, a group object is a container for other AD objects such as users, other groups, and computers. It is used to distribute permissions to group members and enable policy-based management. The attributes of a group object include information like the group name, group member objects, and more.
  • Computer: A computer object in AD represents a computer that is part of the AD network of an organization. It has attributes that contain information such as the computer name, its unique ID, OS version, DNS name, description, location, who manages the computer, and so on.
  • Contact: In AD, a contact object denotes a real contact person who is not a member of the organization but is related to it. They often do not require network access and are just used to refer to the contact person’s information. For example, a vendor of an organization is not a member of the organization but serves as a point of contact. A contact object has attributes that include information such as their name, email address, phone number, and more.
  • Printer: A printer object in AD is a pointer to the location of a physical printer in the AD network. It has properties that include information such as the printer’s name, driver name, color mode, port number, and so on.
  • Shared Folder: A shared folder is shared across AD network members, and only those members have access to the folder’s contents. In AD, a shared folder object is a pointer to the location of data in the shared folder on the computer. It has properties that include information such as the name of the folder, its location, access privileges, and so on.
  • Organizational Unit: An organizational unit (OU) in AD is an object that can contain other AD objects like users, groups, computers, shared resources, and other OUs. It is used to delegate administrative roles over the member objects it contains and to help administrators manage resources by organizing the directory objects of a domain into OUs. An OU in AD has attributes that contain information like the OU name, the member objects in the OU, and more.
  • Domain: In AD, a domain is a major component of the network. Domains contain AD objects like users, computers, printers, and contacts, which can be arranged into OUs and groups. A domain has its own database and own set of established policies that apply to all AD objects inside the domain.
  • Domain Controller: In AD, a domain controller (DC) object refers to a server that functions as the domain controller for the domain in which it is located. The DC is in charge of maintaining rules, authenticating AD users, and performing responsibilities that all DCs in a domain should perform. 

Can the objects be identified by name?   

Yes. You can identify objects by using the following names:

  • Distinguished names: An object’s distinguished name contains information about the object’s location within AD, including the name of the object, the domain name, and the names of the OUs to which it belongs. It is the current name of the object, stored in the distinguishedName attribute, and changes only when the object is moved or renamed. It is similar to the absolute path of an object within a file system.
  • Relative distinguished names: The relative distinguished name is the name defined by an object’s naming attribute, which the schema records in rDNAttID. It is the portion of the distinguished name that is unique to the object, and any two objects in the same OU must have distinct relative distinguished names. It is similar to the relative path of an object in the current directory of a file system.
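As an added example (not part of the original article), the following PowerShell function splits a distinguished name into its relative distinguished name, its naming attribute, its parent container and its domain part. It honours the backslash escape that LDAP uses when a value itself contains a comma (for example a display name written as "Doe, John"), which is the detail that naive string splitting on commas gets wrong when matching DNs from audit logs or building LDAP filters. The sample DNs are constructed, and the example runs without a connection to AD.

```powershell
# Added example, not from the original article.
# Split a distinguished name into RDN, naming attribute, parent path and domain.
# A backslash escapes the following character, so "CN=Doe\, John" is one RDN.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $parts   = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped) {
            # Character after a backslash is literal, keep it as part of the value.
            [void]$current.Append($ch); $escaped = $false
        }
        elseif ($ch -eq '\') {
            [void]$current.Append($ch); $escaped = $true
        }
        elseif ($ch -eq ',') {
            # Unescaped comma ends the current RDN.
            $parts.Add($current.ToString()); [void]$current.Clear()
        }
        else {
            [void]$current.Append($ch)
        }
    }
    $parts.Add($current.ToString())

    $rdn = $parts[0]
    [pscustomobject]@{
        Rdn             = $rdn
        NamingAttribute = ($rdn -split '=', 2)[0]   # the attribute named by rDNAttID
        RdnValue        = ($rdn -split '=', 2)[1]
        Parent          = (($parts | Select-Object -Skip 1) -join ',')
        Domain          = (($parts | Where-Object { $_ -like 'DC=*' }) -join ',')
    }
}

# Constructed sample DNs (placeholder domain example.local).
$samples = @(
    'CN=John Doe,OU=Sales,OU=Users,DC=example,DC=local',
    'CN=Doe\, John,OU=Sales,DC=example,DC=local',      # escaped comma inside the RDN value
    'CN=LAB-WS01,CN=Computers,DC=example,DC=local'
)
$samples | ForEach-Object { Split-DistinguishedName -DistinguishedName $_ } | Format-Table -AutoSize
```

The second sample shows why the escape handling matters: the RDN is the whole of CN=Doe\, John and the parent is OU=Sales,DC=example,DC=local, whereas splitting on every comma would report a parent of " John,OU=Sales,...".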

How to create objects in AD?   

Let’s look at how to create objects in AD by using the Active Directory Users and Computers (ADUC) console and PowerShell.

  1. Using the ADUC console:
  • Go to Start -> Administrative Tools -> Active Directory Users and Computers.
  • In the ADUC console, right-click the container object within which you would like to create the object.
  • A submenu pops out; from it, choose New.
  • On choosing New, another submenu pops out with a list of object types; choose the type of object you intend to create.
  • After you choose an object type, the corresponding dialog boxes appear, in which you enter the attribute values for the object. When you complete these, the object is created.
  2. Using PowerShell:
  • Create user objects:

Active Directory user objects can be created using the New-ADUser cmdlet as follows:

New-ADUser -Name "Full Name" -GivenName "First Name" -Surname "Surname" -SamAccountName "User Name" -UserPrincipalName "UPN for the user account" -Path "OU path" -AccountPassword (Read-Host -AsSecureString "Type Password for User") -Enabled $true

A user account can be created with only the minimum information, such as Name and UPN; however, this produces a disabled user account. A password is required before the account can be enabled. Use the Set-ADAccountPassword -Identity cmdlet to set a password, and the Enable-ADAccount -Identity cmdlet to enable the account.

  • Create computer objects:

You can create computer objects using the New-ADComputer cmdlet.

The New-ADComputer cmdlet is part of the Active Directory module for Windows PowerShell. It creates the computer account in the directory only; the computer objects it creates are not joined to the domain until the physical computer is actually joined.

New-ADComputer -Name <computer name> -Path <distinguished name>

Most of the time, only the cn (common name) and objectClass attributes are necessary to create an object. However, simply creating an object does not guarantee that it will be functional. To be functional, additional attributes, such as those that users and groups carry, are required.
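The following script is an added example, not code from the original article, that carries the PowerShell procedure above through end to end with the ActiveDirectory module: it creates an OU, a user created in one step with a password and enabled, a second user created with minimal attributes and then given a password and enabled, and a computer object, and finally it verifies what was created. The OU name "Lab", the account names, and the domain returned by Get-ADDomain are assumptions; the script has to run on a domain-joined machine under an account that has been delegated create-child rights on the parent container.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module
# (RSAT) and an account with rights to create objects under the parent container.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName      # e.g. DC=example,DC=local (assumption)
$upnSuffix = $domain.DNSRoot                # e.g. example.local
$ouPath    = "OU=Lab,$domainDn"             # "Lab" is an assumed OU name

# 1. Container first: the user and computer objects are created beneath this OU.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouPath'")) {
    New-ADOrganizationalUnit -Name "Lab" -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2a. User created in one step: password supplied, account enabled, user must
#     change the password at first logon so the creator never keeps a usable secret.
$sam = "jdoe"                               # assumed account name
$pwd = Read-Host -AsSecureString "Password for $sam"   # keeps the value out of the script and history
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
    -Path $ouPath -AccountPassword $pwd -Enabled $true -ChangePasswordAtLogon $true

# 2b. Minimal creation: without -AccountPassword and -Enabled the account is created
#     disabled, so set a password and then enable it as separate steps.
$svc = "svc-backup"                         # assumed account name
New-ADUser -Name "Backup Service" -SamAccountName $svc -UserPrincipalName "$svc@$upnSuffix" -Path $ouPath
Set-ADAccountPassword -Identity $svc -Reset -NewPassword (Read-Host -AsSecureString "Password for $svc")
Enable-ADAccount -Identity $svc

# 3. Computer object: the directory account only; the machine is not domain-joined by this.
New-ADComputer -Name "LAB-WS01" -Path $ouPath -Description "Lab workstation (object only, not joined)"

# 4. Verify: list everything under the OU, then confirm the two users are enabled
#    and have a password set (a user left disabled or without PasswordLastSet is
#    the state the article warns about).
Get-ADObject -SearchBase $ouPath -Filter * -Properties objectClass, whenCreated |
    Select-Object Name, ObjectClass, DistinguishedName, whenCreated

Get-ADUser -SearchBase $ouPath -Filter * -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```

All of the New-AD* cmdlets accept -WhatIf, so appending it to each creation line previews the changes without writing to the directory; that is the usual way to dry-run a script like this before running it against a production domain.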

