{"id":1391,"date":"2018-05-05T18:53:47","date_gmt":"2018-05-05T18:53:47","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1391"},"modified":"2018-05-06T19:16:57","modified_gmt":"2018-05-06T19:16:57","slug":"active-directory-users-and-computers","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1391","title":{"rendered":"Active Directory Users and Computers"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/04\/18\/microsoft-windows-server-2016\/\">Main Menu<\/a><\/p>\n<h1>What is Active Directory Users and Computers<\/h1>\n<p>28: <a href=\"https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6537816?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6537816?start=0<\/a><\/p>\n<h2>Active Directory Users and Computers<\/h2>\n<ul>\n<li>Also known as Active Directory, or AD<\/li>\n<li>Is a tool that is installed on any Windows Server that has the AD DS role installed.\n<ul>\n<li>May also be installed if DS is NOT installed, but mostly with it.<\/li>\n<\/ul>\n<\/li>\n<li>Is a live directory (Database) that stores:\n<ul>\n<li>User accounts and their passwords<\/li>\n<li>Computers<\/li>\n<li>Printers<\/li>\n<li>File Shares<\/li>\n<li>Security Groups<\/li>\n<li>Etc.<\/li>\n<li>Permissions for all of the above.<\/li>\n<li>Each of these is considered its own &#8216;Object&#8217;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Security Groups<\/h2>\n<ul>\n<li>Groups only contain other objects (see above)<\/li>\n<li>Groups of\n<ul>\n<li>Users<\/li>\n<li>Computers<\/li>\n<li>File Shares, etc.<\/li>\n<li>Other Groups!<\/li>\n<\/ul>\n<\/li>\n<li>Permissions can then be assigned to a &#8216;Group&#8217; vs. 
against each object by itself.<\/li>\n<\/ul>\n<h2>Purpose of Active Directory<\/h2>\n<ul>\n<li>Security Authentication\n<ul>\n<li>Only allow authorized users to login to network computers<\/li>\n<\/ul>\n<\/li>\n<li>Centralized security management of network resources\n<ul>\n<li>User accounts are stored in one place (AD) instead of each individual computer.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Most common task for AD<\/h2>\n<ul>\n<li>Reset passwords<\/li>\n<li>Create \/ Delete user accounts<\/li>\n<\/ul>\n<h2>Life without Active Directory<\/h2>\n<ul>\n<li>Create user account for John<\/li>\n<\/ul>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1395\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad01.png\" alt=\"\" width=\"440\" height=\"148\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad01.png 440w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad01-300x101.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad01-150x50.png 150w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/><\/a><\/p>\n<ul>\n<li>Every time you need to reset John&#8217;s password or Delete John&#8217;s acct:\n<ul>\n<li>change on every computer!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Life with Active Directory<\/h2>\n<ul>\n<li>Central management<\/li>\n<li>Reset password in one location<\/li>\n<li>Same principle applies to all objects\n<ul>\n<li>printers, file shares, groups, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1396\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02.png\" alt=\"\" width=\"386\" height=\"314\" 
srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02.png 386w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02-300x244.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02-150x122.png 150w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2018\/05\/ad-02-220x180.png 220w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/a><\/p>\n<h2>The Active Directory Interface<\/h2>\n<ul>\n<li>Server Manager &gt; Tools &gt; Active Directory Users and Computers<\/li>\n<li>Action tab &gt; Same as Rclick<\/li>\n<li>View &gt; Good for filtering results<\/li>\n<li>Help &gt; Versions<\/li>\n<li>Domain (the domain you&#8217;ve chosen)\n<ul>\n<li>Delegate Control\n<ul>\n<li>Allow other users to manage AD<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Lots more here, but none make sense ATM<\/li>\n<\/ul>\n<h1>Understanding Organizational Units and Containers<\/h1>\n<p>29: <a href=\"https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6637808?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6637808?start=0<\/a><\/p>\n<h2>Containers<\/h2>\n<ul>\n<li>A Container is a structural Object included by default with AD<\/li>\n<li>YOU CANNOT apply Group Policy Objects directly to Containers\n<ul>\n<li>This will make sense later<\/li>\n<li>You can apply GPOs to the Domain that will then affect the containers, but you cannot apply them directly.<\/li>\n<li>You cannot create Containers in AD\n<ul>\n<li>There are back doors to this.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>YOU CANNOT create OUs in a Container\n<ul>\n<li>Not mentioned in the class, just an observation.<\/li>\n<\/ul>\n<\/li>\n<li>Default Containers\n<ul>\n<li>Builtin\n<ul>\n<li>Groups that are required by AD to operate<\/li>\n<li>Cannot be deleted<\/li>\n<\/ul>\n<\/li>\n<li>Computers\n<ul>\n<li>Default container for new computers that join the domain<\/li>\n<li>Best 
practice not to leave computers here, but to move them to an OU (Organizational Unit)\n<ul>\n<li>Place GPOs against the OU<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Domain Controllers<\/li>\n<li>ForeignSecurityPrincipals\n<ul>\n<li>Only used when a trust is created between your domain and another.<\/li>\n<\/ul>\n<\/li>\n<li>Managed Service Accounts (MSAs)\n<ul>\n<li>for software?\n<ul>\n<li>Virus scanners &#8211; users for these programs<\/li>\n<\/ul>\n<\/li>\n<li>No passwords for these<\/li>\n<li>Requires PowerShell to create these<\/li>\n<\/ul>\n<\/li>\n<li>Users\n<ul>\n<li>Administrator, Guest and Default Security Groups<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Organizational Units (OUs)<\/h2>\n<ul>\n<li>Used to organize and separate Objects within AD\n<ul>\n<li>Objects can be anything AD can store<\/li>\n<li>Example: If your company has a Marketing team, you can create an OU for marketing users and computers.<\/li>\n<\/ul>\n<\/li>\n<li>Can assign specific permissions to OUs\n<ul>\n<li>All users in Marketing OU have a special desktop background, or access to a specific file share.<\/li>\n<\/ul>\n<\/li>\n<li>Creating an OU\n<ul>\n<li>Rclick the domain &gt; New &gt; Organizational Unit<\/li>\n<li>Protect container from accidental deletion\n<ul>\n<li>To Delete &#8211; View &gt; Advanced Features\n<ul>\n<li>Rclick the OU &gt; Properties<\/li>\n<li>Object tab &gt; Uncheck &#8216;Protect object&#8230;&#8217;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>OUs can be created within other OUs<\/li>\n<\/ul>\n<h1>Creating and Managing User Accounts<\/h1>\n<p>30: <a href=\"https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6733684?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6733684?start=0<\/a><\/p>\n<p><span style=\"color: #ff0000;\"><strong>You must know how to do this!<\/strong><\/span><\/p>\n<p>This is mostly a lab&#8230;\u00a0 Will create a master OU for all 
of our users, and 2 sub OUs to segregate their permissions<\/p>\n<ul>\n<li>Tools &gt; Active Directory Users and Computers<\/li>\n<li>Create an OU for your organization\n<ul>\n<li>Thomas Co<\/li>\n<\/ul>\n<\/li>\n<li>Create the Sub OUs\n<ul>\n<li>Administrators<\/li>\n<li>Domain Users<\/li>\n<\/ul>\n<\/li>\n<li>Create an Administrator\n<ul>\n<li>Rclick Administrators &gt; New &gt; User<\/li>\n<li>Enter user info &gt; Next<\/li>\n<li>Enter Password &gt; Next &gt; Finish<\/li>\n<li>Dclick the username for Properties (or Rclick &gt; Properties)<\/li>\n<li>[Add&#8230;] &gt; Enter &#8216;Domain admins&#8217; &gt; [Check name]\n<ul>\n<li>When Domain Admins is underlined, you know the system found that group.<\/li>\n<\/ul>\n<\/li>\n<li>[OK]\n<ul>\n<li>You will now see Domain Admins has been added to the user<\/li>\n<\/ul>\n<\/li>\n<li>[OK]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Resetting Passwords<\/h2>\n<ul>\n<li>Locate the user (possibly using the hint provided below)<\/li>\n<li>Rclick &gt; Reset Password&#8230;<\/li>\n<li>Enter and confirm the new password\n<ul>\n<li>This is the exact same window used to create a password!<\/li>\n<li>If selecting &#8216;Password must be changed at login&#8217;, you cannot use the temp. 
password as the new one.<\/li>\n<\/ul>\n<\/li>\n<li>If the account is locked, unlock it.<\/li>\n<li><span style=\"color: #ff0000;\">** Make sure the user is using the correct login name!<\/span><\/li>\n<\/ul>\n<h3>Hint &#8211; Finding Users<\/h3>\n<ul>\n<li>To Find a user:\n<ul>\n<li>Find icon (Second from right)<\/li>\n<li>Find: Users, Contacts and Groups<\/li>\n<li>In: Entire Directory<\/li>\n<li>Type in part of the name &gt; [Find Now]<\/li>\n<\/ul>\n<\/li>\n<li>To search by email address:\n<ul>\n<li>Click Advanced tab &gt; Select &#8216;Email Address&#8217; under &#8216;Field&#8217;<\/li>\n<li>Starts with: username<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Groups and Memberships<\/h1>\n<p>31: <a href=\"https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/7105578?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/7105578?start=0<\/a><\/p>\n<p>Lab &#8211; Log into your AD Users and Computers Console<\/p>\n<h2>Create a users Security Group<\/h2>\n<ul>\n<li>Domain &gt; Domain OU &gt; Rclick &#8216;Domain Users&#8217; &gt; New &gt; Group<\/li>\n<li>Group name: Sales<\/li>\n<li>Group scope (Least accessible to most accessible)\n<ul>\n<li>Domain local\n<ul>\n<li>Only accessible from the local domain<\/li>\n<li>Cannot be accessed by other domains, even if a trust is established<\/li>\n<\/ul>\n<\/li>\n<li>Global\n<ul>\n<li>Same as Domain, but CAN be accessed by other domains if a trust is established.<\/li>\n<\/ul>\n<\/li>\n<li>Universal\n<ul>\n<li>Same as Global, but can be accessed by other Forests if a trust is established<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Group type\n<ul>\n<li>Security\n<ul>\n<li>Authentication &amp; access permissions<\/li>\n<\/ul>\n<\/li>\n<li>Distribution\n<ul>\n<li>Email lists<\/li>\n<li>Requires an Exchange server<\/li>\n<li>If the Group name is it-support and an email is sent to it-support, that email will be distributed among all members of that 
group!\u00a0 Boom!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Adding users to a group<\/h2>\n<ul>\n<li>Rclick the group name &gt; Properties &gt; Members tab &gt; [Add]<\/li>\n<li>Add a user same as if you were searching for one<\/li>\n<\/ul>\n<h2>Adding a group to another group<\/h2>\n<ul>\n<li>Rclick the group name &gt; Properties &gt; Member Of tab &gt; [Add]<\/li>\n<li>Add the group same as if you were searching for one<\/li>\n<li><span style=\"color: #ff0000;\">Caution! Any group or user added to another group inherits all of the permissions assigned to that group.<\/span><\/li>\n<\/ul>\n<h1>Saved Queries<\/h1>\n<p>32: <a href=\"https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6837032?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6837032?start=0<\/a><\/p>\n<p>Saved Queries are used to make redundant tasks much easier.<\/p>\n<h2>Lab 1: Create a query for all users that have not logged in within the last 30 days.<\/h2>\n<ul>\n<li>Active Directory Users and Computers &gt; Rclick Saved Queries &gt; New &gt; Query\n<ul>\n<li>Name: 30 Days Since Last Logon<\/li>\n<li>Description: List of users that have not logged in within the last 30 days<\/li>\n<li>Query Root:\n<ul>\n<li>Default should be OK since we only have one domain<\/li>\n<\/ul>\n<\/li>\n<li>[ X ] Include sub folders.\n<ul>\n<li>Leave this enabled.\u00a0 Allows recursive scans into sub folders.<\/li>\n<li>Ok to disable if you&#8217;re sure your data is in a specific OU<\/li>\n<\/ul>\n<\/li>\n<li>Query String &gt; [Define Query]\n<ul>\n<li>Users, contacts&#8230;, Computers, Printers, Shared Folders, Organiz\n<ul>\n<li>These are the same as the &#8216;find&#8217; search<\/li>\n<\/ul>\n<\/li>\n<li>Custom Search\n<ul>\n<li>Allows searches based on an Object&#8217;s properties\n<ul>\n<li>Specific Fields &#8211; Email, Employee ID, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Common Queries\n<ul>\n<li>Most common 
queries for Users, Computers, or Groups<\/li>\n<li>Select &#8217;30&#8217; from the drop down box next to &#8216;Days since last logon&#8217; &gt; [ OK ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>The Query String will now display\n<ul>\n<li>&#8220;The query is valid but will not be shown here because it contains values that must be computed when the query is run&#8221;<\/li>\n<li>This is because it will use variable values, such as the current date, to create the query string.<\/li>\n<\/ul>\n<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<li>To run the query\n<ul>\n<li>Saved Queries &gt; Rclick the Query name &gt; Export list to file<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Lab 2: Create a query for all users that are locked out.<\/h2>\n<p>This lab will require some LDAP, so don&#8217;t expect to understand everything yet.<\/p>\n<p>If a password is entered wrong 3 times, the account will lock.<\/p>\n<ul>\n<li>Active Directory Users and Computers &gt; Rclick Saved Queries &gt; New &gt; Query\n<ul>\n<li>Name: Locked User Accounts<\/li>\n<li>Description: Optional<\/li>\n<li>Query Root: Default<\/li>\n<li>[Define Query]\n<ul>\n<li>Find: Custom Search &gt; Advanced Tab<\/li>\n<li>Enter the LDAP query:\n<ul>\n<li>(objectCategory=Person)(objectClass=User)(lockoutTime&gt;=1)<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<li>The Query String will display the actual query required\n<ul>\n<li>(&amp;(&amp;(objectCategory=Person)(objectClass=User)(lockoutTime&gt;=1)))<\/li>\n<\/ul>\n<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Test the Query<\/p>\n<ul>\n<li>Create a new user with a new password.<\/li>\n<li>Set a Security rule to lock users after 3 attempts (not explained in class)<\/li>\n<li>Now attempt to log into the other computer (ws-01) with the new user and an incorrect password.<\/li>\n<li>After 3 attempts the account should lock.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu What is Active Directory Users and Computers 28: 
https:\/\/www.udemy.com\/windows-server-2016\/learn\/v4\/t\/lecture\/6537816?start=0 Active Directory Users and Computer Also known as Active Directory, or AD Is a tool that is installed on any Windows Server that has the AD DS role installed. May also be installed if DS is NOT installed, but mostly with it. Is a ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1391\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":["post-1391","post","type-post","status-publish","format-standard","hentry","category-microsoft-windows-server-2016"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1391"}],"version-history":[{"count":4,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1391\/revisions"}],"predecessor-version":[{"id":1398,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1391\/revisions\/1398"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php
?rest_route=%2Fwp%2Fv2%2Ftags&post=1391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}