Whether you are new to Active Directory or a seasoned professional, you need to access advanced settings that are available within the enterprise. These advanced settings allow you to view in depth objects, containers, and settings that are available, but not by default. The Active Directory Users and Computers (ADUC) interface does not show these settings by default, but you need to know how to access the settings, as well as know what you are looking at with the advanced settings.
Viewing Advanced Settings
When you open up the ADUC in a default installation of Active Directory, you are only presented with the basic containers. These basic containers include the only organizational unit (OU), which is the Domain Controllers OU, as well as the other containers such as Users and Computers. To see more in-depth containers, you need to configure the ADUC by going to the View option on the toolbar, then selecting Advanced Features. This will refresh the view within the ADUC and add some new containers. There are no hidden (or Advanced) OUs that will show up when you configure the ADUC in this way.
Additional Advanced Settings
When you configure the Advanced Features, you now see additional containers within the ADUC. These containers include the following containers, which provide the described functions:
- LostandFound - This container is used to house Active Directory objects that are orphaned with the directory. This might occur by an administrator deleting a container or OU, while another administrator is attempting to move an object to that same container or OU. This is a way to protect and store objects that don't have an existing container within the Active Directory anymore.
- NTDS Quotas - This container is responsible for storing objects which are used to assign ownership quotas for users, groups, computers, or services. The ownership quotas limit the number of Active Directory objects that can be owned by any other object within Active Directory. This is not used very often, which is one reason it is hidden by this feature.
- Program Data - This is used by directory related applications to store information within the Active Directory database.
- System - The largest and most useful of the hidden containers, this is used to store a variety of system services and objects. This includes the Group Policy Containers, DFS configurations, IPSec settings, WinSock configurations, and WMI Policies, just to name a few.
By the way, after you enable the Advanced Features within the Active Directory, you will also be able to see the Security tab when looking at the properties of any of the Active Directory objects.
The additional containers that are available by configuring the Advanced Features within the ADUC don't seem that useful, but are essential for advanced configurations and troubleshooting of Active Directory. By far, the LostandFound and System containers are the most useful containers in the event that you need to troubleshoot Active Directory. By knowing that these containers are available, you will be able to support your Active Directory enterprise more efficiently.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for
DesktopStandard Corp. He has written the only books on auditing Windows security available at The
Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press
-- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
This was first published in January 2006