Chapter 7. Groups

Introduction

A group is a simple concept that has been used in many different types of standalone and networked systems over the years. In generic terms, a group is just a collection of objects. Groups are often used to apply security in an efficient manner, where you create a collection of users and assign certain permissions or rights to that group, rather than to each individual user within the group. When applying security settings, it’s much easier to use a group than to use individual users, because you only need to apply the security setting once per group instead of once per user. In addition, groups are also frequently used to send email messages to an entire group of users at once rather than requiring the sender to address each person individually.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member, although they’ll generally contain only users, inetOrgPersons, computers, and other groups. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and serving as an email distribution list.

The ways in which a group can be used in an Active Directory forest are defined by the group’s scope and type. The type of a group can be either security or distribution. Security groups can be used to grant or restrict access to Windows resources, whereas distribution groups can be used only as a simple grouping mechanism for sending email messages or for some other non-Windows security-related function. Both security and distribution groups can be used as email lists, but only security groups can be used to assign access to resources.

The scope of a group determines where members of the group can be located within the forest and where in the forest you can use the group in an ACL. The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the same forest (or, in the case of domain local groups, a separate forest if a cross-forest trust exists), whereas global groups can only have members that are part of the same domain that the group is contained in. When assigning permissions to group objects, universal and global groups can be assigned permissions to resources anywhere in the forest (or any trusted forest), whereas domain local groups can only be assigned permissions to resources in the same domain. (In this way, domain local and global groups are functional opposites of each other.)

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

Attribute          Description
cn                 Relative distinguished name of group objects.
whenCreated        Timestamp of when the group was created.
description        Text description of the group.
groupType          Flag containing the group scope and type. See Changing the Scope or Type of a Group for more information.
info               Additional notes about a group.
primaryGroupToken  Local RID for the group. This matches the primaryGroupID attribute that is set on user objects.
managedBy          DN of a user or group that is the owner of the group.
managedObjects     List of DNs of objects for which this group is listed in the managedBy attribute.
member             List of DNs of members of the group.
memberOf           List of DNs of the groups this group is a member of.
whenChanged        Timestamp of when the group was last modified.
sAMAccountName     Down-level account name for the group. Typically this is the same as the cn attribute.
wWWHomePage        URL of the home page for the group.
sAMAccountType     Describes the type of account that was created for an object, such as a domain object, a group object, a normal user account, and so on.

Creating a Group

Problem

You want to create a group.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the left pane, click to highlight the desired domain.

  3. In the right pane, click New and then click Group.

  4. Enter the name of the group, enter the sAMAccountName, select the group scope (Domain local, Global, or Universal), and select the group type (Security or Distribution).

  5. Enter any other desired information into the optional fields and then click OK.

Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgrp should be set to yes if the group is a security group or no otherwise. Another recommended option is -desc, which specifies a group description:

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

You can also create a group object with admod, using the following syntax:

> admod -b "<GroupDN>" objectClass::group groupType::"<GroupType>" sAMAccountName::"<Pre-Windows2000Name>" -add

For example, to create a global security group called “Finance Users” in the Finance OU of the adatum.com domain, you can use either of the following commands:

> dsadd group "cn=Finance Users,ou=Finance,dc=adatum,dc=com" -scope g -secgrp yes

> admod -b "cn=Finance Users,ou=Finance,dc=adatum,dc=com" objectClass::group groupType::-2147483646 sAMAccountName::"Finance Users" -add

In the case of AdMod, you must specify the numeric value for the group type, which can be any one of those listed in Table 7-2.

Table 7-2. Numeric values for group types

Group type                       Numeric value
Universal Distribution Group     8
Universal Security Group         -2147483640
Domain Local Distribution Group  4
Domain Local Security Group      -2147483644
Global Distribution Group        2
Global Security Group            -2147483646

These values are defined in the ADS_GROUP_TYPE_ENUM enumeration; see Changing the Scope or Type of a Group for more information.

Note

If you omit the sAMAccountName attribute when creating the group, it will be automatically populated with a random string.

Using PowerShell

To create a group using PowerShell, run the following command:

New-ADGroup -Name "Finance Users" -SamAccountName FinanceUsers -GroupCategory Security -GroupScope Global -DisplayName "Finance Users" -Path "ou=Finance,dc=adatum,dc=com" -Description "Finance Department Users"

Discussion

In each solution, a group was created with no members. For more information on how to add and remove members, see Adding and Removing Members of a Group.

The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Changing the Scope or Type of a Group contains more information on setting the group scopes and types.

Using a graphical user interface

The Active Directory Administrative Center is used to perform this solution. This allows you to completely configure the group during the creation process (whereas, if you used ADUC to create the group, you would have had to create the group and then go back into the properties to completely configure it).

See Also

Adding and Removing Members of a Group for adding and removing group members; “Understanding Group Accounts”; MSDN: ADS_GROUP_TYPE_ENUM

Viewing the Permissions of a Group

Problem

You want to list the AD object permissions that have been assigned to a group object.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in (dsa.msc). Click on View and ensure that there is a checkmark next to Advanced Features.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click on the Security tab. The users and groups that have been assigned permissions to the object are listed in the bottom pane; select each entry to view the permissions that have been assigned to it.

  7. Click on Advanced to view the owner of the group, as well as any auditing that has been configured.

Using a command-line interface

> dsacls "<GroupDN>"

You can also obtain this information using AdFind, as follows:

> adfind -gcb -f name=<Group Name> ntsecuritydescriptor -sddl++ -resolvesids

Using PowerShell

If you have Exchange 2007 or later management tools installed on your workstation, you can retrieve DACL and SACL information using the following Exchange cmdlet:

Get-ADPermission -Identity <Group Name>

Discussion

In an Active Directory environment, you can set permissions on an object within the directory in much the same way that you can set NTFS permissions on files and folders. Each AD object has a Security Descriptor (SD) associated with it that is made up of a Discretionary Access Control List (DACL) that dictates which users and groups can access an object, and a System Access Control List (SACL) that controls which users’ or groups’ activities should be audited. The DACL and SACL are each made up of one or more Access Control Entries (ACEs), one for each user or group and its associated permission.

See Also

MSDN: Creating a DACL [Security]; MSDN: Order of ACEs in a DACL [Security]; MSDN: SACL Access Right [Security]; MSDN: Retrieving an Object’s SACL [Security]

Viewing the Direct Members of a Group

Problem

You want to view the direct members of a group.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, double-click the name of the group to open the group properties.

  4. Scroll down to the Members area to view the members.

Using a command-line interface

You can enumerate the direct members of a group using the built-in DSGet utility, or AdFind. Use the following DSGet syntax to view the members:

> dsget group "<GroupDN>" -members

To list group members with AdFind, use the following syntax:

> adfind -b "<GroupDN>" member

Using PowerShell

To enumerate the direct group membership of the Domain Admins group, run the following PowerShell command:

Get-ADGroupMember -Identity "Domain Admins" | Select Name

Discussion

The member attribute of a group object contains the distinguished names of the direct members of the group. By direct members, we mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. See Viewing the Nested Members of a Group for how to find the nested membership of a group.

The memberOf attribute is a backlink to member. This means that, for each group membership listed in a group’s member attribute, the DN of the group itself appears in that user/computer/group’s memberOf attribute. Think of it this way: if the FinanceUsers group has Jane as a member, then Jane is a member of the FinanceUsers group. In this way, Active Directory uses forward links and backlinks to maintain consistency between groups and their membership.

See Also

Viewing the Nested Members of a Group for viewing nested group membership

Viewing the Nested Members of a Group

Problem

You want to view the nested membership of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. Double-click on each group member to view its membership.

Using a command-line interface

> dsget group "<GroupDN>" -members -expand

You can also obtain this information using the joeware MemberOf utility:

> memberof -group <GroupDN>

Using PowerShell

The simplest method of listing nested group membership in PowerShell is to use the -Recursive switch, as shown in the following command:

Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name

Discussion

As described in Viewing the Direct Members of a Group, group membership is stored in the multivalued member attribute on group objects. But the member attribute will not show the complete picture because of group nesting. To view the complete group membership, you have to recursively search through the group membership of each group. (The exception to this is the memberof command-line utility, which correctly displays primary group memberships.)
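The following Python script is an added example, not code from the book: it expands nested membership over a constructed, offline snapshot of the directory (a dictionary keyed by DN instead of a live LDAP search). It follows member links transitively, keeps a visited set so that a nesting loop terminates, and also picks up users whose primaryGroupID equals the group's primaryGroupToken, which the member attribute never lists. The DNs and attribute values are constructed sample data.

```python
# Added example (not from the book): expand nested group membership offline.
# Each entry is keyed by DN and carries only the attributes the chapter
# discusses: member (forward link), primaryGroupToken and primaryGroupID.

DIRECTORY = {  # constructed sample data
    "cn=Domain Admins,cn=Users,dc=adatum,dc=com": {
        "objectClass": "group",
        "primaryGroupToken": 512,
        "member": [
            "cn=Administrator,cn=Users,dc=adatum,dc=com",
            "cn=Finance Admins,ou=Finance,dc=adatum,dc=com",
        ],
    },
    "cn=Finance Admins,ou=Finance,dc=adatum,dc=com": {
        "objectClass": "group",
        "primaryGroupToken": 1105,
        "member": [
            "cn=Jane,ou=Finance,dc=adatum,dc=com",
            "cn=Finance Users,ou=Finance,dc=adatum,dc=com",
        ],
    },
    "cn=Finance Users,ou=Finance,dc=adatum,dc=com": {
        "objectClass": "group",
        "primaryGroupToken": 1106,
        # nests Finance Admins back again: a naive recursion never returns
        "member": [
            "cn=Bob,ou=Finance,dc=adatum,dc=com",
            "cn=Finance Admins,ou=Finance,dc=adatum,dc=com",
        ],
    },
    "cn=Domain Users,cn=Users,dc=adatum,dc=com": {
        "objectClass": "group", "primaryGroupToken": 513, "member": [],
    },
    "cn=Administrator,cn=Users,dc=adatum,dc=com": {
        "objectClass": "user", "primaryGroupID": 513},
    "cn=Jane,ou=Finance,dc=adatum,dc=com": {
        "objectClass": "user", "primaryGroupID": 513},
    "cn=Bob,ou=Finance,dc=adatum,dc=com": {
        "objectClass": "user", "primaryGroupID": 513},
    # member of Domain Admins only through its primary group
    "cn=svc-backup,cn=Users,dc=adatum,dc=com": {
        "objectClass": "user", "primaryGroupID": 512},
}


def direct_members(group_dn, directory=DIRECTORY):
    """The member attribute plus users whose primaryGroupID equals this
    group's primaryGroupToken; the latter appear in neither member nor
    memberOf, so a tool that reads only member misses them."""
    entry = directory[group_dn]
    members = list(entry.get("member", []))
    token = entry.get("primaryGroupToken")
    for dn, obj in directory.items():
        if obj.get("objectClass") == "user" and obj.get("primaryGroupID") == token:
            if dn not in members:
                members.append(dn)
    return members


def nested_members(group_dn, directory=DIRECTORY):
    """Transitive membership: returns (sorted user DNs, sorted DNs of the
    groups traversed). A visited set makes nesting loops terminate."""
    seen_groups = set()
    users = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen_groups:
            continue  # already expanded (or a loop back to an ancestor)
        seen_groups.add(current)
        for dn in direct_members(current, directory):
            if directory.get(dn, {}).get("objectClass") == "group":
                stack.append(dn)
            else:
                users.add(dn)
    seen_groups.discard(group_dn)
    return sorted(users), sorted(seen_groups)


if __name__ == "__main__":
    users, groups = nested_members("cn=Domain Admins,cn=Users,dc=adatum,dc=com")
    print("nested groups:", *groups, sep="\n  ")
    print("effective users:", *users, sep="\n  ")
```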

See Also

Viewing the Direct Members of a Group for viewing group membership; MSDN: IADsMember

Adding and Removing Members of a Group

Problem

You want to add or remove members of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. To remove a member, click on the member name, click the Remove button, click Yes, and click OK.

  8. To add a member, click on the Add button, enter the name of the member, and click OK twice.

Using a command-line interface

The -addmbr option in dsmod adds a member to a group:

> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with admod, use the following syntax:

> admod -b "<GroupDN>" member:+:"<MemberDN>"

The -rmmbr option in dsmod removes a member from a group:

> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with admod, use the following syntax:

> admod -b "<GroupDN>" member:-:"<MemberDN>"

The -chmbr option in dsmod replaces the complete membership list:

> dsmod group "<GroupDN>" -chmbr "<Member1DN>" "<Member2DN>" ...

To replace the membership of a group with admod, use the following command:

> admod -b "<GroupDN>" member:+-:"<Member1DN>;<Member2DN>;<Member3DN>"

Using PowerShell

To add and remove users from groups using PowerShell, use the following syntax:

Add-ADGroupMember -Identity "<GroupDN>" -Members "<UserDN>"
Remove-ADGroupMember -Identity "<GroupDN>" -Members "<UserDN>" -Confirm:$False

Discussion

Since there are no restrictions on what distinguished names you can put in the member attribute, you can essentially have any type of object as a member of a group. Although OUs are typically used to structure objects that share certain criteria, group objects can be used to create loose collections of objects.

The benefit of using group objects as a collection mechanism is that the same object can be a member of multiple groups, whereas an object can only be a part of a single OU. Another key difference is that you can assign permissions on resources to groups because they are considered security principals in Active Directory, whereas OUs are not.

See Also

Viewing the Direct Members of a Group for viewing group membership; MSDN: IADsGroup::Add; MSDN: IADsGroup::Remove

Moving a Group Within a Domain

Problem

You want to move a group to a different OU or container within the same domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, right-click the name of the group and then click Move.

  4. In the Move dialog box, browse to the desired destination container, click to highlight it, and then click OK to complete the move.

Using a command-line interface

To move an object to a new parent container within the same domain, you can use either DSMove or AdMod, as follows:

> dsmove "<GroupDN>" -newparent "<NewParentDN>"

or:

> admod -b "<GroupDN>" -move "<NewParentDN>"

Using PowerShell

To move a group with PowerShell, use the following syntax:

Move-ADObject -Identity "<GroupDN>" -TargetPath "<New OU DN>"

Discussion

Using a command-line interface

The DSMove utility can work against any type of object, including groups. The first parameter is the DN of the group that you want to move. The second parameter is the new parent container of the group. The -s parameter can additionally be used to designate a specific server to work against.

See Also

Moving an Object to a Different OU or Container for moving an object to a different OU; Moving an Object to a Different Domain for moving an object to a different domain; Changing the Scope or Type of a Group for changing group scope and type; “Understanding Group Accounts”; MSDN: IADsContainer::MoveHere

Moving a Group to Another Domain

Problem

You want to move a group to a different domain in the same forest.

Solution

Using a graphical user interface

To migrate user, computer, group, or OU objects between domains in the same forest, use the following steps:

  1. Open the ADMT MMC snap-in (migrator.msc).

  2. Right-click on the Active Directory Migration Tool folder and select the Group Account Migration Wizard.

  3. Click Next on the welcome screen.

  4. On the Domain Selection screen, enter the DNS or NetBIOS name of the source and target domains and click Next.

  5. On the Group Select Option screen, select the option to select the group from the domain and click Next.

  6. On the Group Selection screen, add the group objects that you wish to migrate and click Next. (You cannot migrate built-in or well-known groups such as Domain Users or Domain Admins using this process.)

  7. On the Organizational Unit Selection screen, enter the name of the target OU or select Browse to open an object picker in the target domain. Click Next to continue.

  8. On the Group Options screen, select one or more of the following and click Next:

    “Update user rights”

    Copies any user rights that are assigned in the source domain to the target domain.

    “Copy group members”

    Specifies whether the user objects that belong to the group should be migrated along with the group. If you don’t select this option, the group will be created in the target domain with no members.

    “Update previously migrated objects”

    Supports migrations that take place over time by comparing the source and target groups and migrating any changes that have taken place.

    “Fix membership of group”

    Adds any migrated user accounts to groups in the target domain if the user accounts were members of the source groups in the source domain.

    “Migrate group SIDs to target domain”

    Adds the security identifiers (SIDs) of the migrated group accounts in the source domain to the SID history of the new group in the target domain.

  9. On the Naming Conflicts screen, select whether you want to migrate group objects that conflict with objects in the target domain and click Next.

  10. Click Finish to complete the migration.

Using a command-line interface

To migrate a group from the command line using the ADMT utility, use the following syntax:

> ADMT GROUP /N "<GroupName>" /IF:YES /SD:"<SourceDomainDN>" /TD:"<TargetDomainDN>" /TO:"<TargetOUName>"

Using PowerShell

To migrate a group by using PowerShell, use the following syntax:

Move-ADObject -Identity "<GroupDN>" -TargetPath "<TargetOUDN>" -TargetServer "<TargetServerFQDN>"

Discussion

The only type of group that can be moved between domains using the built-in operating system tools is universal groups; additionally, the RID Master for both the source and the target domains needs to be available in order to complete the move. If you want to move a global or domain local group to a different domain, first convert it to a universal group, move the group, and then convert it back to a global or domain local group.

When you convert a group between types, you may encounter problems because different groups have different membership restrictions. See the Introduction section of this chapter for more information on group type membership restrictions.

Another way to accomplish interdomain (intraforest or interforest) group moves is by using ADMT, which might be quite useful if you need to move a large number of groups. With ADMT, you can move and restructure groups without needing to go to all the trouble of converting the group to a universal group and then modifying the group membership. For more on the latest version of ADMT, see “Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains”.

Changing the Scope or Type of a Group

Problem

You want to change the scope or type of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group you want to modify and click Find Now.

  5. Double-click on the group in the results pane.

  6. In the group properties dialog box, select the new scope or type, and click OK.

Using a command-line interface

The following example changes the group scope for <GroupDN> to <NewScope>, which should be l for domain local group, g for global group, or u for universal group:

> dsmod group "<GroupDN>" -scope <NewScope>

The following example changes the group type for <GroupDN>. For the -secgrp switch, specify yes to change to a security group or no to make the group a distribution group:

> dsmod group "<GroupDN>" -secgrp yes|no

To change the scope and/or type of a group using AdMod, use the following syntax:

> admod -b "<GroupDN>" groupType::<GroupType>

Just as when you created a group using AdMod, you must specify the numeric value for the group type. Refer to Creating a Group for more information.

Using PowerShell

To modify a group’s type or scope with PowerShell, use the following syntax. Use 'Security' or 'Distribution' as the group category, and 'Global', 'Universal', or 'DomainLocal' as the group scope:

Set-ADGroup "<Group Name>" -GroupCategory <GroupCategory> -GroupScope <GroupScope>

Discussion

Group scope and type are stored as a flag in the groupType attribute on group objects. To directly update groupType, you must logically OR the values associated with each type and scope, as shown in the API solution, or use the raw numeric values listed in Creating a Group when using AdMod. Note that there is no specific value for the distribution list type. If you want to create a distribution list, just do not include the ADS_GROUP_TYPE_SECURITY_ENABLED flag when setting groupType. Additional group types also are available through Authorization Manager.
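The following Python script is an added example, not code from the book: it builds groupType values by OR-ing the ADS_GROUP_TYPE_ENUM scope flags with ADS_GROUP_TYPE_SECURITY_ENABLED (leaving that flag out for a distribution group), decodes raw values back into scope and category, and reproduces the numbers in Table 7-2 of Creating a Group, including why the security-enabled values come out negative: the flag is the high bit of a 32-bit integer that AD stores as signed. The dsadd_to_admod helper and its scope-letter mapping are this example's own additions.

```python
# Added example (not from the book): build and decode groupType values.
# The flag constants are the ADS_GROUP_TYPE_ENUM values; the results
# reproduce Table 7-2 from the "Creating a Group" recipe.

GLOBAL_GROUP = 0x00000002
DOMAIN_LOCAL_GROUP = 0x00000004
UNIVERSAL_GROUP = 0x00000008
SECURITY_ENABLED = 0x80000000  # high bit of a 32-bit value

SCOPE_FLAGS = {
    "global": GLOBAL_GROUP,
    "domainlocal": DOMAIN_LOCAL_GROUP,
    "universal": UNIVERSAL_GROUP,
}
# dsadd/dsmod -scope letters mapped onto the same scope names
SCOPE_LETTERS = {"g": "global", "l": "domainlocal", "u": "universal"}


def to_signed32(value):
    """AD stores groupType as a signed 32-bit integer, so 0x80000002
    (global + security enabled) reads back as -2147483646."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def build_group_type(scope, security):
    """OR the scope flag with SECURITY_ENABLED; leave the flag out for a
    distribution group, which has no flag value of its own."""
    flags = SCOPE_FLAGS[scope]
    if security:
        flags |= SECURITY_ENABLED
    return to_signed32(flags)


def decode_group_type(group_type):
    """Return (scope, category) for a raw groupType value such as -2147483640."""
    flags = group_type & 0xFFFFFFFF  # back to the unsigned bit pattern
    category = "Security" if flags & SECURITY_ENABLED else "Distribution"
    scope_bits = flags & (GLOBAL_GROUP | DOMAIN_LOCAL_GROUP | UNIVERSAL_GROUP)
    scopes = [name for name, bit in SCOPE_FLAGS.items() if bit == scope_bits]
    if len(scopes) != 1:
        raise ValueError(f"groupType {group_type} does not carry exactly one scope flag")
    return scopes[0], category


def dsadd_to_admod(scope_letter, secgrp):
    """Translate 'dsadd group -scope g -secgrp yes' into the numeric value
    that 'admod ... groupType::<n>' expects."""
    return build_group_type(SCOPE_LETTERS[scope_letter], secgrp.lower() == "yes")


def table_7_2():
    """The six combinations from Table 7-2, computed rather than typed in."""
    rows = {}
    for scope in ("universal", "domainlocal", "global"):
        for security in (False, True):
            rows[(scope, security)] = build_group_type(scope, security)
    return rows


if __name__ == "__main__":
    for (scope, security), value in table_7_2().items():
        category = "Security" if security else "Distribution"
        print(f"{scope:12} {category:13} {value}")
    print(decode_group_type(-2147483646))  # ('global', 'Security')
```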

Note

For a good description of the usage scenarios for each group type, see Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

See Also

Creating a Group; “Understanding Group Accounts”; MSDN: ADS_GROUP_TYPE_ENUM; MSDN: What Type of Group to Use

Modifying Group Attributes

Problem

You want to modify one or more attributes of an object.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the group in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results pane, double-click the group to display the group properties.

  4. Scroll down to the Extensions section and then click the Attribute Editor tab.

  5. Find the attribute that you want to modify, click to highlight the attribute, and then click Edit.

  6. Enter the new value for the attribute and then click OK.

  7. Click OK in the group properties window to complete the modification.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:

dn: cn=Finance Users,cn=users,dc=adatum,dc=com
changetype: modify
add: description
description: Members of the Finance Department
-

Then run the following command:

> ldifde -v -i -f modify_object.ldf

To modify a group using AdMod, you’ll use the following general syntax:

> admod -b "<GroupDN>" <attribute>:<operation>:<value>

For example, you can add a description to a group object using the following syntax:

> admod -b "cn=Finance Users,cn=Users,dc=adatum,dc=com" description::"Members of the Finance Department"

You can also modify group objects with the dsmod group command using the following syntax:

> dsmod group "<GroupDN>" <options>

The available options for dsmod include the following:

-samid <NewSAMName>

Updates the sAMAccountName attribute of the group object

-desc <NewDescription>

Updates the description attribute of the group object

-secgrp {yes | no}

Configures the group object as a security group (yes) or a distribution group (no)

-scope {l | g | u}

Configures the group scope as domain local (l), global (g), or universal (u)

{-addmbr | -rmmbr | -chmbr} <MemberDN1> <MemberDN2>

Adds the specified objects to the group (addmbr), removes the specified objects (rmmbr), or replaces the membership list wholesale with only the specified objects (chmbr)

Using PowerShell

You can modify a group’s properties by using the Set-ADGroup cmdlet, as shown in the following example:

Set-ADGroup -Identity "<GroupDN>" -GroupCategory "<GroupCategory>" -GroupScope "<GroupScope>" -Description "<Description>"

Discussion

Using a graphical user interface

If the parent container of the object you want to modify has a lot of objects in it, you may want to add a new connection entry for the DN of the target object. This will be easier than trying to hunt through a container full of objects. You can do this by right-clicking ADSI Edit and selecting “Connect to” under Connection Point, then selecting Distinguished Name and entering the DN of the object.

Using a command-line interface

For more on ldifde, see Exporting Objects to an LDIF File.

Using PowerShell

The Set-ADGroup cmdlet has the following parameters that allow you to modify specific attributes of a group object:

  • -ManagedBy

  • -Notes

  • -Email

  • -GroupCategory

  • -GroupScope

  • -SamAccountName

  • -Description

  • -DisplayName

  • -HomePage

Delegating Control for Managing Membership of a Group

Problem

You want to delegate the ability to manage the membership of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the results pane.

  6. Select the Managed By tab.

  7. Click the Change button.

  8. Locate the group or user to delegate control to and click OK.

  9. Check the box beside “Manager can update membership list.”

  10. Click OK.

Using a command-line interface

> dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;

In the following example, the SalesAdmin group will be given rights to modify membership of the PreSales group:

> dsacls cn=presales,ou=sales,dc=adatum,dc=com /G SalesAdmin@adatum.com:WP;member;

Using PowerShell

In PowerShell, you can change the person or group who is listed as the manager of a group. However, note that the following example does not set the permissions for the manager to manage the group’s membership:

Set-ADGroup <Group Name> -ManagedBy "<GroupDN>"

You can use a PowerShell console on a computer where the Exchange Server 2007 or later management tools have been installed to grant the right to manage group membership:

Add-ADPermission -Identity <Group Name> -User <User or Group Name> -AccessRights WriteProperty -Properties "members"

Discussion

To grant a user or group the ability to manage group membership, you have to grant the write property (WP) permission on the member attribute of the target group. You can add this ACE directly using dsacls, or more indirectly with ADUC. ADUC also has a feature that allows you to simply check a box to grant the ability to modify group membership to the object represented by the managedBy attribute.

If you want to configure additional permissions, such as the ability to modify the description attribute for the group, you will need to go to the Security tab in ADUC or specify the appropriate attribute with the /G switch with dsacls. For example, this will grant the write property on the description attribute:

/G <GroupName>@DomainDNSName:WP;description;

See Also

Using the Delegation of Control Wizard for delegating control in Active Directory

Resolving a Primary Group ID

Problem

You want to find the name of a user’s primary group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Type the name of the user and click Find Now.

  5. In the Search Results window, double-click on the user.

  6. Click the Member Of tab.

  7. The Primary Group name is shown on the bottom half of the dialog box.

Using PowerShell

To find the primary group for a user with PowerShell, use the following syntax:

Get-ADUser -Identity "<UserDN>" -Properties PrimaryGroup | Select PrimaryGroup

Discussion

In the past, when trying to determine a user’s group membership you had to look at the user’s memberOf attribute, which contains a list of DNs for each group the user is a member of, as well as the user’s primary group. By default, all users are assigned Domain Users as their primary group. Therefore, by default all users in a domain are implicitly members of the Domain Users group. Unfortunately, a user’s primary group does not show up in the memberOf attribute.

Note

Services for Macintosh and POSIX-based applications are the main users of primary groups. If you don’t use either of those, you usually don’t need to worry about changing a user’s primary group.

The primary group is stored in the primaryGroupID attribute on user objects. Unfortunately, the information that’s stored in that attribute is the relative identifier (RID) of the group, not the DN or even sAMAccountName as you might expect. Group objects have a primaryGroupToken attribute, which contains the same value but is a constructed attribute. Because Active Directory dynamically constructs it, you cannot utilize it in search filters. So even if you have the primaryGroupID of a user (e.g., 513), you cannot do a simple query to find out which group it is associated with. However, with PowerShell and Active Directory Users and Computers, this task is very straightforward.

Using PowerShell

The PowerShell solution uses the calculated property named PrimaryGroup, which allows the solution to be straightforward and similar to querying for typical user attributes.
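The following Python script is an added example, not code from the book: it resolves a primaryGroupID without the PrimaryGroup calculated property, using the fact that a group's primaryGroupToken is the RID portion of its stored (and searchable) objectSid. Appending the user's primaryGroupID to the domain SID gives the group's SID, which a real lookup would pass to an objectSid filter; here the search is replaced by a constructed dictionary of sample objects with made-up SIDs.

```python
# Added example (not from the book): resolve primaryGroupID offline.
# primaryGroupToken is constructed and cannot be used in an LDAP filter, but
# it is simply the RID (last subauthority) of the group's objectSid, which is
# stored. So: domain SID + "-" + primaryGroupID == the primary group's SID.

import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID such as S-1-5-21-...-513."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def primary_group_sid(domain_sid, primary_group_id):
    """The SID that the user's primary group must have."""
    return f"{domain_sid}-{int(primary_group_id)}"


# constructed sample objects keyed by DN; the domain SID and RIDs are made up
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
GROUPS = {
    "cn=Domain Users,cn=Users,dc=adatum,dc=com": DOMAIN_SID + "-513",
    "cn=Domain Admins,cn=Users,dc=adatum,dc=com": DOMAIN_SID + "-512",
    "cn=Finance Users,ou=Finance,dc=adatum,dc=com": DOMAIN_SID + "-1106",
}
USERS = {
    "cn=Jane,ou=Finance,dc=adatum,dc=com": {
        "objectSid": DOMAIN_SID + "-1104", "primaryGroupID": 513},
    "cn=svc-backup,cn=Users,dc=adatum,dc=com": {
        "objectSid": DOMAIN_SID + "-1107", "primaryGroupID": 512},
}


def primary_group_token(group_dn, groups=GROUPS):
    """What AD constructs as primaryGroupToken: the RID of the group's SID."""
    return split_sid(groups[group_dn])[1]


def resolve_primary_group(user_dn, users=USERS, groups=GROUPS):
    """Return the DN of the user's primary group, or None if no group in the
    domain carries the expected SID."""
    user = users[user_dn]
    # the user and its primary group share the domain SID, so take it from the user
    domain_sid, _ = split_sid(user["objectSid"])
    wanted = primary_group_sid(domain_sid, user["primaryGroupID"])
    for group_dn, sid in groups.items():  # stands in for an (objectSid=...) search
        if sid == wanted:
            return group_dn
    return None


if __name__ == "__main__":
    for dn in USERS:
        print(dn, "->", resolve_primary_group(dn))
```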

See Also

MS KB 297951 (How to Use the PrimaryGroupID Attribute to Find the Primary Group for a User)

Enabling Universal Group Membership Caching

Problem

You want to enable universal group membership caching so that a global catalog server is not needed during most user logins.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, browse to the site you want to enable group caching for and click on it.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Membership Caching.

  5. If you want to force the cache refresh from a particular site, select a site or else leave the default set to <Default>.

  6. Click OK.

Using a command-line interface

You can use a combination of the dsquery site and dsget site commands to determine whether a site has group caching enabled:

> dsquery site -name <SiteName> | dsget site -dn -cachegroups -prefGCSite

You can use ldifde to enable group caching. Create a file called enable_univ_cache.ldf with the following contents, but change <SiteName> to the name of the site you want to enable and <ForestRootDN> to the distinguished name of the forest root domain:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32
-

Then use the following command to import the change:

> ldifde -i -f enable_univ_cache.ldf

You can also perform this change in the adatum.com domain by using AdMod with the following syntax:

> admod -b "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,dc=adatum,dc=com" options::32

Using PowerShell

You can use the following PowerShell syntax to find out whether a site has universal group membership caching enabled:

Get-ADReplicationSite "<Site Name>" -Properties UniversalGroupCachingEnabled | FL UniversalGroupCachingEnabled

To enable universal group membership caching on a site by using PowerShell, use the following syntax:

Set-ADReplicationSite "<Site Name>" -UniversalGroupCachingEnabled $True

Discussion

When a client logs on, the domain controller that authenticates the user needs to contact a global catalog server in order to fully authenticate the client (however, if the DC that authenticates the user is itself a GC, then it does not need to contact any other servers to complete the authentication process). This is necessary because global catalogs are the only servers that store universal group information, which is needed to completely determine a user’s group memberships upon logon.

Universal groups can be created and used anywhere in a forest. Objects located anywhere in a forest can be added as members of a universal group. Since a universal group could be created in a domain other than where the user object resides, it is necessary to store universal group membership in the global catalog. That way, during logon, domain controllers can query a global catalog to determine all universal groups a user is a member of. Microsoft’s primary reason for making this a requirement during logon is that a user could be part of a universal group that has been explicitly denied access to certain resources. If universal groups aren’t evaluated, a user could gain access to resources that are supposed to be restricted.

To remove this limitation, Microsoft introduced universal group caching. Universal group caching can be enabled on a per-site basis and allows domain controllers to cache universal group information locally, thus removing the need to query the global catalog during client logon.

You can enable universal group caching manually by enabling the 100000 bit (32 in decimal) on the options attribute of the NTDS Site Settings object. See Modifying a Bit-Flag Attribute for more information on properly setting a bit-flag attribute. The Sites and Services snap-in just requires you to check a box. Another setting can also be configured that relates to universal group caching. By default, domain controllers will use the site topology to determine the optimal site to use to query a global catalog server for universal group information. You can override this behavior and explicitly set which site domain controllers should use by selecting the site in the Sites and Services snap-in or by setting the attribute msDS-Preferred-GC-Site on the NTDS Site Settings object to the DN of the target site.
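The following is an added example, not code from the book, showing the bit-flag handling the discussion refers to: it reads the options attribute of a site's NTDS Site Settings object, sets the 32 bit with a bitwise OR so any other bits already present survive (the ldifde "replace: options" approach overwrites them), and optionally pins msDS-Preferred-GC-Site. Site names in the usage comment are hypothetical.

```powershell
# Added example, not from the book. Sets the universal group membership caching bit (32)
# on a site's NTDS Site Settings object with a bitwise OR, so any other bits already set
# in the options attribute are preserved (ldifde's "replace: options" overwrites them).
Import-Module ActiveDirectory

function Get-NtdsSiteSettingsDN {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
}

function Test-UniversalGroupCachingBit {
    param([Parameter(Mandatory)][string]$SiteName)
    $obj = Get-ADObject -Identity (Get-NtdsSiteSettingsDN -SiteName $SiteName) -Properties options
    $current = [int]$obj.options        # absent attribute -> $null -> 0
    ($current -band 32) -ne 0
}

function Enable-UniversalGroupCachingBit {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$PreferredGCSite            # optional: site whose GCs should be queried
    )
    $dn = Get-NtdsSiteSettingsDN -SiteName $SiteName
    $obj = Get-ADObject -Identity $dn -Properties options
    $current = [int]$obj.options
    $new = $current -bor 32             # keep every other bit, only add 32
    $changes = @{ options = $new }
    if ($PreferredGCSite) {
        $configNC = (Get-ADRootDSE).configurationNamingContext
        $changes['msDS-Preferred-GC-Site'] = "CN=$PreferredGCSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $dn -Replace $changes
    $new
}

# Usage (site names are hypothetical):
# Enable-UniversalGroupCachingBit -SiteName 'Branch01' -PreferredGCSite 'HQ'
# Test-UniversalGroupCachingBit -SiteName 'Branch01'
```

Set-ADReplicationSite -UniversalGroupCachingEnabled does the same bit manipulation for you; the explicit version is useful when you need to script the change against a forest where the ADReplication cmdlets are not available, or when you want to audit the raw options value.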

Restoring a Deleted Group

Problem

You want to restore a group object that has been inadvertently deleted, as well as restore its members.

Note

These solutions assume that the Active Directory Recycle Bin was enabled prior to the deletion. If you have not enabled the AD Recycle Bin, you can do so from the Tasks pane in the Active Directory Administrative Center.

Solution

Using a graphical user interface (steps specific to Windows Server 2012)

  1. Launch the Active Directory Administrative Center.

  2. Select the domain and navigate to the Deleted Objects container.

  3. Locate the deleted group in the container.

  4. Right-click the group and select Restore.

Using PowerShell

To restore the group object and membership, use the following PowerShell command syntax:

Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -match "<GroupName>"} | Restore-ADObject

Discussion

Prior to the introduction of the Active Directory Recycle Bin, the most common way to restore a deleted object was to perform an authoritative restore by using ntdsutil. However, the Active Directory Recycle Bin and PowerShell have greatly simplified the process. While legacy restore methods are still valid and occasionally necessary, many restores can use the newer and more efficient methods.

Note that in both the GUI solution and the PowerShell solution, the group membership is restored along with the group object. In situations where you have deleted user objects and a deleted group object that contained some of the deleted user objects as members, restore the user objects first before restoring the group object. This will ensure that an accurate group membership is maintained after the group restore.
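The following is an added example, not code from the book. It locates a deleted group by its msDS-LastKnownRDN instead of a loose -match on the mangled DN (which can catch unrelated deleted objects whose DN happens to contain the string), restores any listed deleted member accounts first as the discussion advises, and only then restores the group. The names in the usage comment are hypothetical.

```powershell
# Added example, not from the book. Finds a deleted group precisely by its last known name,
# restores listed deleted member accounts first, then restores the group so that the
# restored membership links point at live objects.
Import-Module ActiveDirectory

function Get-DeletedObjectByName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('group','user')][string]$ObjectClass
    )
    # msDS-LastKnownRDN holds the original RDN; the DN inside Deleted Objects is mangled
    # (CN=<name>\0ADEL:<guid>) and is awkward to match on reliably.
    Get-ADObject -LDAPFilter "(&(objectClass=$ObjectClass)(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
                 -IncludeDeletedObjects `
                 -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged
}

function Restore-DeletedGroupWithMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string[]]$DeletedMemberNames = @()
    )
    # Members first, so the group's member links resolve to live objects after its restore.
    foreach ($memberName in $DeletedMemberNames) {
        Get-DeletedObjectByName -Name $memberName -ObjectClass user | Restore-ADObject
    }
    $groups = @(Get-DeletedObjectByName -Name $GroupName -ObjectClass group)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one deleted group named '$GroupName', found $($groups.Count)"
    }
    $groups[0] | Restore-ADObject
    # The objectGUID survives deletion and restore, so use it to read back the membership.
    Get-ADGroup -Identity $groups[0].ObjectGUID | Get-ADGroupMember
}

# Usage (names are hypothetical):
# Get-DeletedObjectByName -Name 'Marketing' -ObjectClass group | Format-List Name, lastKnownParent, whenChanged
# Restore-DeletedGroupWithMembers -GroupName 'Marketing' -DeletedMemberNames 'jdoe','asmith'
```

Listing the candidate first and checking lastKnownParent and whenChanged before restoring avoids bringing back an older object of the same name that was deleted deliberately.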

See Also

MS KB 216993 (Useful Shelf Life of a System-State Backup of Active Directory); “Rebooting Windows Server 2012-based Domain Controllers into Directory Services Restore Mode”; Chapter 16 for more on recovering and restoring Active Directory

Protecting a Group Against Accidental Deletion

Problem

You want to prevent a group object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Solution

Using a graphical user interface

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.

  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click “Change domain”; select the appropriate domain and then drill down to it.

  3. Right-click on the group that you want to modify and click Properties.

  4. Click on the Object tab.

  5. Place a checkmark next to “Protect object from accidental deletion.”

  6. Click OK.

Using a command-line interface (all versions)

dsacls "<GroupDN>" /d EVERYONE:SDDT

Using PowerShell (all versions)

Set-ADObject "<GroupDN>" -ProtectedFromAccidentalDeletion $True

If you have Exchange 2007 or later installed in your environment, you can also use the following Exchange cmdlet to modify this information:

Add-ADPermission -Identity <Group Name> -User <User or Group Name> -AccessRights Delete,DeleteTree -Deny $true

Discussion

By default, all new OUs that are created in Windows Server 2008 or later will have this protection enabled; however, no other object types are configured with this default protection. If you attempt to delete a group that is protected using this option, even when signed on as a Domain Admin or other similarly elevated account, you will receive an “Access Denied” message until you manually remove the checkbox or manually remove the deny ACE associated with it.

By using the command-line or PowerShell method, you can apply this protection to group objects in all versions of Windows Server, even though the GUI checkbox is available only in Windows Server 2008 or later.
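The following is an added example, not code from the book. It lists the groups in a search base that do not yet carry the protection and applies it through a pipeline that honors -WhatIf, which is the natural way to roll the setting out across an OU rather than one group at a time.

```powershell
# Added example, not from the book. Audits which groups lack accidental-deletion
# protection and applies it, optionally limited to a search base. Supports -WhatIf.
Import-Module ActiveDirectory

function Get-UnprotectedGroup {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-Group {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Group)
    process {
        if ($PSCmdlet.ShouldProcess($Group.DistinguishedName, 'Protect from accidental deletion')) {
            # Same effect as the checkbox or "dsacls <DN> /d EVERYONE:SDDT": a Deny ACE for
            # Everyone on Delete and Delete Subtree.
            Set-ADObject -Identity $Group.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Usage (OU path is hypothetical):
# Get-UnprotectedGroup -SearchBase 'OU=Groups,DC=adatum,DC=com' | Format-Table Name, GroupScope, GroupCategory
# Get-UnprotectedGroup -SearchBase 'OU=Groups,DC=adatum,DC=com' | Protect-Group -WhatIf
# Get-UnprotectedGroup -SearchBase 'OU=Groups,DC=adatum,DC=com' | Protect-Group
```

Because the protection is just a deny ACE, an account that can edit the group's security descriptor can still clear it; treat the flag as a guard against slips, not as an access control.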

Applying a Fine-Grained Password Policy to a Group Object

Problem

You want to apply a Fine-Grained Password Policy to a group object in a domain.

Solution

Using a graphical user interface

  1. Open Active Directory Administrative Center.

  2. In the top-left pane, click the tree view icon.

  3. Expand the System container.

  4. Scroll down and right-click Password Settings Container, expand the New menu, and then click Password Settings.

  5. Fill in the desired password settings in the top pane. Note that the fields with a red asterisk are required fields.

  6. In the Directly Applies To section, click the Add button to add a security group that will be the target of the FGPP.

  7. Click OK to create the FGPP.

Using a command-line interface

The following will add the Marketing group to the list of groups that a PSO will apply to:

psomgr -applyto cn=Marketing,cn=Users,dc=ADATUM,dc=COM -pso TestPSO -forreal

Using PowerShell

To add a group to the list of groups that a FGPP will apply to, use the following syntax:

Add-ADFineGrainedPasswordPolicySubject -Identity "<Name of FGPP>" -Subjects "<Security Group sAMAccountName>"

Discussion

Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the PasswordSettingsObject is an Active Directory object class, these modifications can be made using any interface that can modify objects. When working from the command line, the psomgr tool allows you to modify one or multiple PSOs at a time, and can also create “starter” PSOs using the -quickstart command-line switch. The full syntax for psomgr.exe can be obtained by typing psomgr.exe /? at a command prompt or by visiting the joeware website.
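The following is an added example, not code from the book. It creates a PSO that takes priority over any existing PSO (lowest precedence value wins), applies it to a group, and then reads back the resultant policy for a member with Get-ADUserResultantPasswordPolicy, which is the check that confirms the policy actually reached the user. The PSO, group and user names in the usage comment are hypothetical, and the settings shown are illustrative values.

```powershell
# Added example, not from the book. Creates a PSO with a precedence below every existing
# PSO, applies it to a global security group, and verifies the resultant policy for a user.
Import-Module ActiveDirectory

function New-GroupPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupSam,
        [int]$MinLength = 14,
        [timespan]$MaxAge = (New-TimeSpan -Days 90)
    )
    # When a user is covered by several PSOs, the one with the lowest Precedence applies.
    $existing = Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object -ExpandProperty Precedence
    $precedence = if ($existing) { ($existing | Measure-Object -Minimum).Minimum - 1 } else { 10 }
    if ($precedence -lt 1) { throw 'No free precedence value below the existing PSOs; renumber them first' }

    # PSOs can only be applied to user objects and global security groups.
    $group = Get-ADGroup -Identity $GroupSam
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupSam must be a global security group for a PSO to take effect"
    }

    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $precedence `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength $MinLength -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge $MaxAge `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)

    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupSam
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$UserSam)
    # Returns nothing when no PSO applies, meaning the Default Domain Policy is in effect.
    Get-ADUserResultantPasswordPolicy -Identity $UserSam |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}

# Usage (names are hypothetical):
# New-GroupPasswordPolicy -Name 'PSO-Marketing' -GroupSam 'Marketing'
# Get-EffectivePasswordPolicy -UserSam 'jdoe'
```

Checking the resultant policy matters because membership in the target group is evaluated through nested groups too, and a user who is also in a group covered by a lower-numbered PSO will get that policy instead of the one you just created.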
