
Active Directory Management

What is Active Directory?


Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management; it has since become an umbrella title for a broad range of directory-based, identity-related services.


A server running the Active Directory Domain Services (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also manages and stores information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.


1. User and Group Management


To simplify user management, users are created under Active Directory Organizational Units (OUs) based on their department or location. An OU is a container that holds other AD objects. OUs have three main functions:


- To visually organize objects

- To group objects so Group Policies can be assigned to them

- To group objects so permissions can be delegated to them so they can be managed by a subset of administrators


However, Active Directory OUs are not security principals: you cannot assign a common set of permissions to all the users in an OU. Permissions can only be assigned to users and groups, and it is best to assign them to groups rather than to individual users.


How to create a new OU in Active Directory?


1. Click Start, point to Server Manager

2. Click Tools, and then click Active Directory Users and Computers

3. In the left pane (console tree), right-click the domain name, point to New and click Organizational Unit

4. Enter a name for the OU and click OK. This will create a new OU. (In this guide the OU is called Accounting.)


How to create Group in Active Directory?


1. Open Active Directory Users and Computers

2. Navigate to the OU where you wish to place the group

3. Right-click the OU, point to New, and then click Group. (In this guide, the new group is added to the Accounting OU.)

4. Enter the group name, and then click OK


How to add Users in Active Directory?


1. Open Active Directory Users and Computers

2. Navigate to the OU where you wish to place the user

3. Right-click the OU, point to New, and then click User. (In this guide, the new user is added to the Accounting OU.)

4. Type the first name, last name, and user logon name of the new user, and then click Next.

5. Type a new password, confirm the password, and then click to select one of the following check boxes:

· Users must change password at next logon (recommended for most users)

· User cannot change password

· Password never expires

· Account is disabled

Click Next.

6. Review the information that you provided, and if everything is correct, click Finish.


How to edit some of the configuration for users we added in Active Directory?


1. Open Active Directory Users and Computers

2. Navigate to the OU where the user is located, then double-click the user (or right-click it and select Properties)

3. The user properties window will pop up and you can make changes to the selected user. Click Apply and then OK when you have finished.


How to add Users to a Group in Active Directory?


1. Open Active Directory Users and Computers

2. Navigate to the OU where the user is located, right-click the user and select Add to a group

3. The Select Groups window will pop up; click Advanced. In the next window, click Find Now and select the group. (In this guide, we add the user to the Accounting group.)

4. Click OK when you have finished
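The four console procedures above (create the OU, create the group, create the user, add the user to the group, and edit the user's properties) can be scripted with the ActiveDirectory PowerShell module that ships with RSAT and with Windows Server. The block below is an added example, not part of the original guide: it assumes the guide's Accounting OU and Accounting group, a domain read from Get-ADDomain, an account allowed to create objects under the domain root, and a constructed sample user (jdoe / John Doe) that is not on the page. The checks at the end show why the guide says to assign permissions to groups: the group has an objectSid, the OU does not.

```powershell
# Added example (not from the original guide): the OU / group / user workflow
# from the steps above, done with the ActiveDirectory PowerShell module.
# Assumptions: run as an account that can create objects under the domain root;
# the user 'jdoe' is a constructed sample, the OU and group names are the guide's.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName          # e.g. DC=example,DC=com (constructed)
$ouName    = 'Accounting'
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'Accounting'
$userSam   = 'jdoe'                             # constructed sample logon name
$userUpn   = "$userSam@$($domain.DNSRoot)"

# 1. Create the OU (the container). The console also sets
#    ProtectedFromAccidentalDeletion by default; keep that behaviour here.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Create the group inside the OU. A global security group is a security
#    principal, so permissions and GPO filtering can target it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDN)) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Global -Path $ouDN
}

# 3. Create the user with "User must change password at next logon" set,
#    the option the guide recommends for most users. The initial password is
#    prompted for rather than written into the script.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $userSam"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userSam'")) {
    New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
        -SamAccountName $userSam -UserPrincipalName $userUpn -Path $ouDN `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}

# 4. Add the user to the group (what "Add to a group" does in the console).
Add-ADGroupMember -Identity $groupName -Members $userSam

# 5. Edit properties afterwards (the Properties dialog step).
Set-ADUser -Identity $userSam -Department 'Accounting' -Description 'Accounting staff'

# Checks: the user's resulting group memberships, and the reason permissions go
# to groups rather than OUs: the group has a SID, the OU has none.
Get-ADPrincipalGroupMembership -Identity $userSam | Select-Object Name, GroupScope
Get-ADGroup -Identity $groupName -Properties objectSid | Select-Object Name, objectSid
Get-ADOrganizationalUnit -Identity $ouDN -Properties objectSid | Select-Object Name, objectSid
```

Each creation step is guarded by a lookup, so the script can be re-run without errors once the objects exist; New-ADUser will fail if the prompted password does not meet the domain's password policy, which is the same check the console performs in step 5.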


2. Group Policy Management


Group Policy is a feature of Microsoft Windows Active Directory that adds additional controls to user and computer accounts. Group policies provide centralized management and configuration of operating systems and of users' computing environments.


A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained in a GPO and are evaluated by clients using the hierarchical nature of Active Directory. The GPO can be associated with one or more of the Active Directory containers, such as sites, domains, or organizational units (OUs).


How to setup a new Group Policy Object (GPO) in Active Directory?


1. Click Start, point to Server Manager

2. Click Tools, and then click Group Policy Management

3. In the left pane (console tree), right-click Group Policy Objects and click New

4. Enter a name for the new GPO, and then click OK

5. Right-click the newly created policy and click Edit

6. The Group Policy Management Editor window will pop up. (In this guide, we create a policy to enforce password settings on user PCs.)

7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

8. Configure the policy, then close the window when you have finished


For a reference of the settings you can apply through Group Policy, see: https://www.microsoft.com/en-us/download/details.aspx?id=25250


How to link Group Policy Object (GPO) to Active Directory Containers?


A GPO can be associated (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it. If multiple GPOs are linked to one container, you can prioritize the order in which GPOs are applied.


Linking GPOs to Active Directory containers enables an administrator to implement Group Policy settings for a broad or narrow portion of the organization, as required.


The following list contains example applications of policy:

· A GPO linked to a site applies to all users and computers in the site.

· A GPO applied to a domain applies to all users and computers in the domain and, by inheritance, to all users and computers in child organizational units. Be aware that policy is not inherited across domains.

· A GPO applied to an OU applies directly to all users and computers in the OU and, by inheritance, to all users and computers in child OUs.


Link GPO to OUs


1. Open Group Policy Management

2. Right-click the OU where you want to link the GPO and then click Link an Existing GPO

3. Select the GPO and click OK

Disable (Unlink) a GPO from OUs


1. Open Group Policy Management

2. Expand the OU where you want to unlink the GPO, right-click the GPO and uncheck Link Enabled
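The GPO lifecycle described in the steps above (create the GPO, link it to the Accounting OU, order the links, read what the OU inherits, and disable the link) can be driven with the GroupPolicy PowerShell module. The block below is an added example and not the guide's own material; it assumes the guide's Accounting OU, a domain read from Get-ADDomain, and a constructed GPO name, 'Accounting Password Policy'. Two practitioner caveats it encodes: the Password Policy settings of step 7 are security settings with no GroupPolicy-module cmdlet, so they are still set in the editor as the guide shows; and domain accounts take their password policy from GPOs linked at the domain root, so a password policy GPO linked to an OU only governs the local accounts on that OU's computers. The last command reads the policy that actually applies to domain users.

```powershell
# Added example (not from the original guide): create, link, inspect and
# disable the password-policy GPO from the steps above with the GroupPolicy
# module. Assumptions: run on a DC or RSAT host with rights to create and link
# GPOs; 'Accounting Password Policy' is a constructed name for this example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$ouDN    = "OU=Accounting,$($domain.DistinguishedName)"
$gpoName = 'Accounting Password Policy'         # constructed GPO name

# Steps 1-4: create the GPO (the console's New under Group Policy Objects).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Password settings for Accounting computers'
}
# Steps 5-8 (Security Settings > Account Policies > Password Policy) are edited
# in the Group Policy Management Editor; the module has no cmdlet for them.

# "Link an Existing GPO": link to the OU, enabled, first in precedence order.
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Order 1 | Out-Null
}

# What the OU receives: its own links in precedence order plus links inherited
# from the domain and site (inheritance does not cross domain boundaries).
$inh = Get-GPInheritance -Target $ouDN
$inh.GpoLinks          | Format-Table DisplayName, Enabled, Enforced, Order
$inh.InheritedGpoLinks | Format-Table DisplayName, Enabled, Enforced, Target

# Record the GPO's settings for review before and after changes.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$($gpoName -replace ' ','_').html"

# "Uncheck Link Enabled": disable the link without deleting the GPO.
Set-GPLink -Name $gpoName -Target $ouDN -LinkEnabled No | Out-Null

# Caveat check: the password policy domain users are actually subject to comes
# from the domain root (Default Domain Policy by default), not from this OU link.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
```

Keeping the GPO and only toggling the link matches the guide's "Disable (Unlink)" step: the settings are preserved and can be re-enabled with Set-GPLink -LinkEnabled Yes, while Remove-GPLink would drop the link and Remove-GPO would delete the object itself.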


How to exclude a User or Group from a Group Policy Object?


1. Open Group Policy Management

2. In the Group Policy Management console, open the Group Policy Object you want to apply an exception to (located under Group Policy Objects)

3. Click the Delegation tab > Advanced