What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. However, Active Directory became an umbrella title for a broad range of directory-based identity-related services.
A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network. Assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.Also, it allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.
1. User and Group Management
To ease users management, users are created under Active Directory Organizational Unit (OU) based on their department or location. OU is containers that hold other AD objects. They have three main functions:
- To visually organize objects
- To group objects so Group Policies can be assigned to them
- To group objects so permissions can be delegated to them so they can be managed by a subset of administrators
However, Active Directory OUs are not security principals, you cannot assign a common set of permissions to all the users in an OU. You can only assign permissions to users and groups but it is best to assign permissions to groups rather than to individuals
How to create a new OU in Active Directory?
1. Click Start, point to Server Manager
2. Click Tools, and then click ActiveDirectoryUsersandComputers
3. In the left pane (console tree), right-click the domain name, point to New and click OrganizationalUnit
4. Enter a name for the OU and click OK. This will create a new OU. (in this guidelines the OU is called Accounting)
How to create Group in Active Directory?
1. Open ActiveDirectory Users and Computers
2. Navigate to OU where you wish to locate the group
3. Right-click on OU, point to New, and then click Group. (in this guidelines, new group will be added to OU Accounting)
4. Enter the group name, and then click OK
How to add Users in Active Directory?
1. Open ActiveDirectory Users and Computers
2. Navigate to OU where you wish to locate the user
3. Right-click on OU, point to New, and then click User. (in this guidelines, new user will be added to OU Accounting)
4. Type the first name, last name, and user logon name of the new user, and then click Next.
5. Type a new password, confirm the password, and then click to select one of the following check boxes:
· Users must change password at next logon (recommended for most users)
· User cannot change password
· Password never expires
· Account is disabled
Click Next
6. Review the information that you provided, and if everything is correct, click Finish.
How to edit some of the configuraton for users we added in Active Directory?
1. Open ActiveDirectory Users and Computers
2. Navigate to OU where the user located, double-click or right-click on user and select Properties
3. User properties window will pop up and you can make change to selected user. Click Apply and then OK when you finished.
How to add Users to a Group in Active Directory?
1. Open ActiveDirectory Users and Computers
2. Navigate to OU where the user located, right-click on user and select Add to a group
3. Select Groups window will pop up, click Advanced. On the next window, click Find Now and select the group (in this guidelines, we will add user to Accounting Group)
4. Click OK when you finished
2. Group Policy Management
Group policy is a feature of Microsoft Windows Active Directory that adds additional controls to user and computer accounts. Group policies provide centralized management and operating systems configurations of user’s computing environments.
A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained in a GPO and are evaluated by clients using the hierarchical nature of Active Directory. The GPO can be associated with one or more of the Active Directory containers, such as sites, domains, or organizational units (OUs).
How to setup a new Group Policy Object (GPO) in Active Directory?
1. Click Start, point to Server Manager
2. Click Tools, and then click Group Policy Management
3. In the left pane (console tree), point to Group Poliy Objects and click New
4. Enter the group name, and then click OK
5. Right-click on new created policy and click Edit
6. Group Policy Management Editor window will pop up. (In this guidelines, we will create policy to enforce password setting on user PC)
7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
8. Configure the policy, then close the window when you finished
For reference to what setting you can apply to Group Policy please refer: https://www.microsoft.com/en-us/download/details.aspx?id=25250
How to link Group Policy Object (GPO) to Active Directory Containers?
A GPO can be associated (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it. If multiple GPOs are linked to one container, you can prioritize the order in which GPOs are applied.
Linking GPOs to Active Directory containers enables an administrator to implement Group Policy settings for a broad or narrow portion of the organization, as required.
The following list contains example applications of policy:
· A GPO linked to a site applies to all users and computers in the site.
· A GPO applied to a domain applies to all users and computers in the domain and, by inheritance, to all users and computers in child organizational units. Be aware that policy is not inherited across domains.
· A GPO applied to an OU applies directly to all users and computers in the OU and, by inheritance, to all users and computers in child OUs.
Link GPO to OUs
1. Open Group Policy Management
2. Right-click on OU where you want to link GPO and then click Link an Existing GPO
3. Select the GPO and click OK
Disable (Unlink) GPO to OUs
1. Open Group Policy Management
2. Expand the OU where you want to unlink GPO, right-click the GPO and uncheck Link Enabled
How to exclude a User or Group from Group Policy Object?
1. Open Group Policy Management
2. In the group policy management editor, open the group policy object you want to apply an exception on (Located in Group Policy Objects)
3. Click Delegation tab > Advanced
4. Click Add and choose the user or group whom you want to exclude from group policy enforcement.
5. Choose the user you entered, locate Apply group policy in permissions and check mark deny.
6. Click Apply and then OK
3. Join Computer to Domain
There are two ways to join computer to a domain described in this guidelines.
a) Using windows systems setting
A User Profile is where Windows stores your stuff. It is where your Desktop, Documents, Pictures and Music files are all saved. Your User Profile is also where Windows keeps all the information that makes your computer personal to you, like your desktop wallpaper, Internet favorites and the lists of documents you've recently opened.
After joining the domain, the account on the domain controller is different than user profile on local machine. You will have a completely new profile if you login to domain account after joining. You can copy the personal files to the new profile from the old afterward but the system will see this as a new and different account than what you had.
b) Using Profwiz to transfer your local profile to domain user profile
Profwiz is a migration tool that will migrate original user profile to new logon so that you can carry on using all existing data, and keep the same settings that you’ve always had.
The next step, before join computer to a domain make sure you have done the following:
1. Backup your personal and important data on system hard drive (eg. file on your documents, downloads, pictures, etc).
2. Backup your email on Outlook.
3. You must have the credentials (username and password) of a local administrator and secondly the credentials of a domain user who has the right to join the computer into the domain.
4. In order for a computer or server to join a domain, there must be communication with a DNS server that can locate at least one Domain Controller (DC). Change your network settings by specifying such a DNS Server or adding a new entry to the Windows Hosts file.
How to join a computer to domain using windows system setting?
To join a computer to a domain:
1. On the Start screen, type Control Panel and then press ENTER
2. Navigate to System and Security, and then click System.
3. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. Under Member of, click Domain, type the name of the domain that you wish this computer to join, and then click OK.
6. Click OK, and then restart the computer.
How to join a computer to domain using Profwiz?
To install Profwiz run the setup program by clicking Profwiz.msi. After installation finished click Profwiz.exe.
To join a computer to a domain:
1. When you start User Profile Wizard the first thing you see is the Welcome page. Click Next to continue.
2. The next step is to select the existing profiles that the new user accounts will use. Click Next to continue.
3. Enter the domain name and information about the new user who will be given access to an existing profile. Click Next to continue.
4. Enter your domain administrator credentials
.5. As soon as you click Next, the configuration process begins. Profwiz will update the progress window at each stage.
6. Click Finish to close the wizard and you will be prompted to reboot.