3 Introduction to Active Directory Users & Computers

11: What is Active Directory Users & Computers?

https://www.udemy.com/active-directory-group-policy-2012/learn/v4/t/lecture/8276670?start=0

Active Directory

Active Directory (AD) is a database (a directory, much like a phone directory) of the following objects and their respective permissions:

  • User Accounts & Passwords
  • Computers
  • Printers
  • File Shares
  • Security Groups

Security Groups

Security groups are used together with AD and Group Policy to assign specific permissions to objects within AD:

  • User Accounts
  • Computers
  • Printers
  • File Shares
  • Other Groups…

The purpose of Active Directory

  • Handle security authentication across a domain
  • Only allow authorized users to log on to network computers
  • Centralized security management of network resources
    • Stores things like user names and passwords in one location instead of on each individual computer.

Most common tasks with AD

  • Reset passwords
  • Create/delete user accounts
    • Every time a new employee is hired, they will need login credentials

Life without AD

  • User “John” requires access to several computers in the office.
  • You would need to create his login on each one.
  • If John lost his password, you would also need to reset it on each one.

With AD

  • Set up the login once
  • Reset the password in one location

Active Directory is a Multi-Master Database

  • Several computers (domain controllers) can make changes to the database

Getting Started

  • Server Manager > Tools > Active Directory Users and Computers
  • Nav pane > [RtClk] domain > New to add users and computers

The rest of the lecture walks through all the options in the Users and Computers admin window.

12: Understanding Organizational Units and Containers

https://www.udemy.com/active-directory-group-policy-2012/learn/v4/t/lecture/8276672?start=0

Active Directory Users and Computers > domain.tld

What are Containers?

  • Containers are structural objects that are included by default within Active Directory.
  • You cannot apply Group Policy Objects (aka GPOs) to Containers *IMPORTANT
  • You cannot create a Container from AD Users and Computers
    • (you can with adsiedit, but this is likely never required)

Think of Containers as Organizers

Computers Container

  • Serves as a default location for new computers that join your domain.
  • When joined, a new AD Computer Account Object will be created inside this container.
  • To apply GPOs to a computer, you’ll need to move that computer out of the container and into an Organizational Unit (then you can apply security policies such as custom wallpapers, etc.)
    • You can leave them in the Computers container, but this is generally not best practice.

ForeignSecurityPrincipals Container

  • Contains Proxy Objects for Security Principals for other trusted domains.
    • Could be a user account or security group that resides inside of another domain.
  • If you do not establish a trust between this domain and another, you will not be using this container at all.

Managed Service Accounts (MSAs) Container

  • Holds the accounts that are used to run the applications or services on your servers or workstations.
    • Linux analogues: apache2, www-data
  • Administrators never set or type passwords for these accounts; the password is managed automatically.
  • To create an MSA, you need to use the PowerShell command line. There is no GUI.

Users Container

  • Do not delete any of the default users and security groups!

builtinDomain

  • Contains a number of Security Groups required for the domain to operate
  • Unlike Users, these cannot be deleted

Organizational Units (OUs)

  • Used to organize and separate objects within AD.
  • Objects can be anything that AD can store
    • User accounts
    • Computers, printers, and so on
  • If you have a Marketing team, you can create an OU called Marketing and store all those users there.
  • You can assign specific permissions (and GPOs) to OUs, which then automatically apply to all objects within that OU.

Domain Controllers OU

  • The only OU that exists by default. It cannot be deleted.
  • Domain Controllers must be placed inside this OU because specific policies need to be applied to Domain Controllers for them to operate.

Creating a new OU

  • domain.tld [RtClk] > New > Organizational Unit
    • Name: Test OU > [ Save ]
    • Test OU [RtClk]
      • Delegate Control…
        • Give control of this OU to another person

Exporting a List

  • Right-click on an OU to export a list of its contents.
  • These lists are not recursive, so the list will only be one level deep if you have nested OUs.

Deleting an OU

  • If you cannot delete an OU, it is probably protected. To turn off the accidental-deletion protection:
    • View > Advanced Features
    • Target OU [RtClk] > Properties
    • Click the Object tab, then deselect “Protect against accidental deletion”

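The points above about containers and deletion protection can be audited from PowerShell. This is an added example, not course material; it assumes the ActiveDirectory module on a domain-joined admin host and an OU layout of OU=Domain Computers,OU=tas under the domain (the layout the course builds later).

```powershell
# Added example, not from the course: audit what still sits in the default containers
# (where no GPO can be linked) and which OUs lack accidental-deletion protection.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=tas,DC=local

# 1. Computers that joined the domain and were never moved out of CN=Computers.
#    They only ever receive GPOs linked at the domain or site level.
$strayComputers = @(Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" `
    -SearchScope OneLevel -Properties OperatingSystem, whenCreated)
"Computers still in the default container: $($strayComputers.Count)"
$strayComputers | Select-Object Name, OperatingSystem, whenCreated | Format-Table -AutoSize

# 2. Same check for CN=Users: anything beyond the built-in accounts was created
#    without choosing an OU and cannot be targeted by an OU-linked GPO either.
Get-ADUser -Filter * -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel |
    Select-Object SamAccountName, Enabled | Format-Table -AutoSize

# 3. OUs that a single mis-click can delete. The GUI step in the notes
#    (Object tab > "Protect against accidental deletion") maps to this attribute.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Re-enable protection on an OU that lost it (the reverse of the GUI recipe above).
# Set-ADOrganizationalUnit -Identity "OU=Test OU,$domainDN" -ProtectedFromAccidentalDeletion $true

# 4. Move stray computers into an OU so workstation policies reach them.
#    $targetOU is an assumption; adjust it to your own OU layout.
$targetOU = "OU=Domain Computers,OU=tas,$domainDN"
foreach ($c in $strayComputers) {
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOU -WhatIf   # drop -WhatIf to apply
}
```
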
Additional Notes here: https://wiki.thomasandsofia.com/active-directory-users-and-computers/

13: Creating User Accounts with AD

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8287548#content

Create the OUs for your users and computers

  • [RtClk] AD domain name (domain.tld) > New > Organizational Unit
  • Name: domain.tld
    • Standard practice is to name this OU the same as the domain to prevent misinterpretation.
    • Do not use the existing ‘Users’ container, because you CANNOT apply group policies to containers!
  • Within this OU, create 2 sub OUs
    • ‘Domain Users’
    • ‘Domain Computers’

Create a user

  • [RtClk] Domain Users > New > User
  • Enter
    • First/last names
    • Login name: first.last or however you wish
    • Select the domain from the drop-down (there should only be one for now)
    • Because of the character limit on the pre-Windows 2000 logon name, you can use an alternative login name there
    • Next >
    • Create / confirm password
    • Select password options
      • In production you would probably leave ‘User must change password at next logon’ enabled.
      • This is also where you disable an Active Directory user account.
    • Next > Finish
  • Attempt to sign in with your new user.
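
The same OU tree and first user, built with the ActiveDirectory module instead of the wizard. This is an added example, not course material; the domain tas.local, the root OU name ‘tas’ and the user Thomas Roberts are taken from the canonical name shown in the search lecture below.

```powershell
# Added example, not from the course: lecture 13's OU tree and first user via the
# ActiveDirectory module. Domain tas.local and root OU 'tas' are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # DC=tas,DC=local
$rootOU   = "OU=tas,$domainDN"

# Build the tree only where it is missing. New OUs are protected from accidental
# deletion by default, which is why the GUI later refuses to delete them.
foreach ($ou in @(
        @{ Name = 'tas';              Parent = $domainDN },
        @{ Name = 'Domain Users';     Parent = $rootOU },
        @{ Name = 'Domain Computers'; Parent = $rootOU })) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" `
                  -SearchBase $ou.Parent -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Parent }
}

# Never embed the initial password in a script; prompt for it as a SecureString.
$initialPwd = Read-Host -AsSecureString -Prompt 'Initial password for thomas.roberts'

$newUser = @{
    GivenName             = 'Thomas'
    Surname               = 'Roberts'
    Name                  = 'Thomas Roberts'
    SamAccountName        = 'thomas.roberts'           # pre-Windows 2000 logon name (max 20 chars)
    UserPrincipalName     = 'thomas.roberts@tas.local' # the first.last@domain logon name
    Path                  = "OU=Domain Users,$rootOU"  # not CN=Users: containers take no GPO links
    AccountPassword       = $initialPwd
    ChangePasswordAtLogon = $true                      # 'User must change password at next logon'
    Enabled               = $true                      # New-ADUser creates accounts disabled otherwise
}
New-ADUser @newUser

# Confirm where the account landed and that the first logon will force a new password.
Get-ADUser -Identity 'thomas.roberts' -Properties CanonicalName, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordExpired, CanonicalName
```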

14: Searching for Objects in AD

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8300688#content

Purpose:

  • Finding objects when you have thousands of users or computers

How to find objects and users

  • Use the ‘Find’ icon
  • [RtClk] the domain > Find
  • Select the type of object you are looking for
    • Users, Contacts, and Groups
    • Computers
    • Printers
    • Shared Folders
    • Organizational Units
    • Custom Search
    • Common Queries
  • Select the domain to search
    • You can use ‘Entire Directory’, but if you have trusted domains this search could take a very long time to complete.
  • Click [ Find Now ]
  • When the object has been located, [RtClk] it to perform common tasks
    • Rename
    • Delete
    • Add to group
    • Reset password
    • Disable account
  • Nothing in this view will show you “where” the located object is.

To find where an Object is:

  • View > Advanced Features > Enable
  • Repeat the ‘Find’ steps above > Properties
  • Click the ‘Object’ tab
    • Canonical name of object: “tas.local/tas/Domain Users/Thomas Roberts”
    • i.e. domain/domain OU/user OU/user

Advanced Search

  • Accepts RegEx

15: Resetting User Passwords in AD Users and Computers

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8300702#content

How to reset a user’s password

  • Find the user by first and last name
  • Double-click > Account tab, or [RtClk] > Properties > Account tab
    • Make sure you ask the user for their login name
    • This helps prevent accidentally resetting the WRONG user
  • [RtClk] user > Reset Password…

Unlocking an account

  • Unlock from the Account tab.
    • You can also unlock from the Reset Password screen, but that requires a password change.
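
The find, verify and reset steps of the last two lectures as one script. This is an added example, not course material; it assumes the ActiveDirectory module, and the function names and the user Thomas Roberts / thomas.roberts are illustrative.

```powershell
# Added example, not from the course: locate a user by name and show where it lives
# (lecture 14), then reset or unlock it only after the caller-supplied logon name
# matches, so a namesake in another OU is never reset by mistake (lecture 15).
Import-Module ActiveDirectory

function Find-TasUser {
    param([string]$First, [string]$Last)
    # CanonicalName is domain/OU path/object, the same value the Object tab shows.
    Get-ADUser -Filter "GivenName -eq '$First' -and Surname -eq '$Last'" `
        -Properties CanonicalName, LockedOut, PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet, CanonicalName
}

function Reset-TasUserPassword {
    param(
        [string]$First, [string]$Last,
        [string]$LoginNameFromCaller,   # ask the caller for it; do not look it up for them
        [switch]$UnlockOnly
    )
    $candidates = @(Find-TasUser -First $First -Last $Last)
    $target = $candidates | Where-Object { $_.SamAccountName -eq $LoginNameFromCaller }
    if (-not $target) {
        throw "No account named $First $Last has logon name '$LoginNameFromCaller'. " +
              "Candidates: $($candidates.SamAccountName -join ', ')"
    }
    if ($UnlockOnly) {
        # Account-tab unlock: clears the lockout without forcing a new password.
        Unlock-ADAccount -Identity $target.SamAccountName
        return
    }
    $newPwd = Read-Host -AsSecureString -Prompt "Temporary password for $($target.SamAccountName)"
    Set-ADAccountPassword -Identity $target.SamAccountName -Reset -NewPassword $newPwd
    Unlock-ADAccount -Identity $target.SamAccountName              # the reset screen unlocks too
    Set-ADUser -Identity $target.SamAccountName -ChangePasswordAtLogon $true
    Write-Host "Reset $($target.CanonicalName) at $(Get-Date -Format s) by $env:USERNAME"
}

Find-TasUser -First 'Thomas' -Last 'Roberts'
Reset-TasUserPassword -First 'Thomas' -Last 'Roberts' -LoginNameFromCaller 'thomas.roberts'
```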

16: Understanding Groups and Memberships

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8351366#content

IMPORTANT to know how groups work!

Create a Group

  • Domain (tas.local) > Domain OU (tas) > Users OU (Domain Users) > [RtClk] New > Group
    • Group: Sales
    • Select scope (least to most accessible)
      • Domain Local: ONLY the local domain (tas.local)
      • Global: Includes trusted domains
      • Universal: Can be accessed from other forests that trust your domain
    • Group types
      • Security: Used to specify permissions
        • printers
        • file shares
      • Distribution
        • Only used as an email distribution list.

Example Group: Sales

  • Create the group
    • Name: Sales
    • Scope: Global
    • Type: Security
    • [ OK ]
  • [RtClk] Sales > Properties
    • Members tab: Add users to the group
      • [Add]
      • Find user
        • Start typing > Check Names
        • [ OK ]
    • Member Of tab: Add the group to another group
      • Example: Sales can be added to the Administrators group
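
Creating the Sales group from PowerShell, then checking who effectively ends up in a privileged group through nesting. This is an added example, not course material; the OU path and the member thomas.roberts are assumptions, and the helper function name is illustrative.

```powershell
# Added example, not from the course: create the Sales group (Global / Security) and
# then expand nested membership of Administrators, because nesting Sales into it
# makes every Sales member an administrator on every domain controller.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=Domain Users,OU=tas,$domainDN"      # layout assumed from lecture 13

if (-not (Get-ADGroup -LDAPFilter '(sAMAccountName=Sales)')) {
    New-ADGroup -Name 'Sales' -SamAccountName 'Sales' -Path $usersOU `
        -GroupScope Global -GroupCategory Security `
        -Description 'Sales team: access to sales file shares and printers'
}
Add-ADGroupMember -Identity 'Sales' -Members 'thomas.roberts'

# Direct members, as the Members tab lists them.
Get-ADGroupMember -Identity 'Sales' | Select-Object SamAccountName, objectClass

# The Member Of tab only shows one level of nesting. -Recursive walks the whole
# chain, so a user who is in Sales, with Sales in Administrators, shows up here.
function Get-EffectiveUserMembers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate, DistinguishedName
}

# Review this list whenever a group is nested into a privileged one.
Get-EffectiveUserMembers -Group 'Administrators' | Format-Table -AutoSize
```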

17: Disabling and Deleting User Accounts with AD

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8351662#content

Disabling a user account

Often a user should not be deleted until a certain amount of time has expired.

  • Create an OU called ‘Disabled Users’
    • Domain (tas.local) > Domain OU (tas) > [RtClk] New > Organizational Unit > Disabled Users
  • Disable the account:
    • Select the account, [RtClk] > Disable User
  • Move the account to the ‘Disabled Users’ OU
    • Select the account, [RtClk] > Move
    • Select the OU to move it to
    • * I tried dragging and dropping the user, but it barked at me…

Deleting a user account

  • Select the account, [RtClk] > Delete
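
The disable, stamp, move and later-delete flow as a script. This is an added example, not course material; the OU path, the 90-day retention period, the ticket reference and the function names are assumptions.

```powershell
# Added example, not from the course: offboarding from lecture 17 in PowerShell, plus
# the retention query that decides when a disabled account may finally be deleted.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$disabledOU = "OU=Disabled Users,OU=tas,$domainDN"     # created by the GUI steps above; path assumed

function Disable-TasUser {
    param([string]$SamAccountName, [string]$Ticket)
    $u = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf
    # Record why and when in the description, so a reviewer sees it in the GUI.
    $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME ($Ticket); was: $($u.Description)"
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description $stamp
    # Strip group memberships now, so a re-enabled account does not silently regain access.
    foreach ($g in $u.MemberOf) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }
    # Move last: Move-ADObject needs the DN, and the DN changes with the move.
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $disabledOU
}

# Disabled accounts in the holding OU untouched for at least $RetentionDays.
# whenChanged is updated by the move, so the clock starts when the account enters the OU.
function Get-TasUsersReadyForDeletion {
    param([int]$RetentionDays = 90)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $disabledOU |
        Get-ADUser -Properties Description, whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged, Description
}

Disable-TasUser -SamAccountName 'thomas.roberts' -Ticket 'HR-1234'
Get-TasUsersReadyForDeletion | Format-Table -AutoSize
# Remove-ADUser -Identity <SamAccountName>   # the actual delete, once the list has been reviewed
```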

Quiz 1: AD Quiz

https://www.udemy.com/course/active-directory-group-policy-2012/learn/quiz/425420#content

4/27/2020
