Learning Active Directory From Scratch

Active directory makes managing a lot of users and machines a doable task. It
organizes all of your resources and users. 

 


 

Creating Accounts

Users must be granted access to resources before they can use them, and to access
anything at all they must first be authenticated. Authentication is proving who
you are, and it can happen in many ways. The most common is logging on to your
computer at the beginning of the day, but your company could also use smart
cards or fingerprint readers. Often, large companies use more than one option.

When you log on in the morning, you are logging on to the domain and not just
the local computer. The domain uses the Kerberos protocol to authenticate a
user. The local computer must have accurate time, or Kerberos authentication
will fail.

Once a user has been authenticated, they must still be authorized to access any
particular resource. Resources are things like file shares and email. This is
done with an access token that is created on your computer at logon. The token
carries your identity and group memberships and is presented to the resource
you are trying to access; the resource compares it against its permissions and
decides whether to allow you in. Tokens are created locally and are not
supposed to travel across the network.

You decide whether you need Active Directory by considering whether you want to
do all of this manually for every user. A few users is no problem, but with
10,000 users that would be impossible.

You will encounter a lot of terminology. One of the first is called a forest.
This is your Active Directory. It can contain one or more domains. The first
domain is called the root domain. All the domains you create share a common
configuration that you set up. 

A domain is a container. It includes users, machines, groups, and other things.
Administrators of one domain will not have access to other domains. It is the
same with permissions. Objects inside one domain cannot affect objects outside
the domain. Policies work the same way. They should only be applied to their one
domain. 

An organizational unit is another type of container. It exists within a domain.
It holds user, computer, and other object data. These units exist to split up
the duties of administrators and to dictate how group policies get applied.

Creating users and managing their accounts makes up a lot of an administrator's
work. There is work to do whenever a user leaves, joins, changes groups, or
needs a password reset. Many times users are put into groups because they have
similar needs. An example is the users from a certain department, because they
all need similar permissions to resources. User accounts change the most because
of this.

When creating new accounts, it is often best to base them on a template. Then
you are duplicating something that works instead of trying to remember every
setting. User accounts are created with the Active Directory graphical tools or
with Powershell. Run Powershell commands as an administrator.

You will first need to import the Active Directory module into Powershell (it is
installed with the Remote Server Administration Tools).

import-module ActiveDirectory

It will probably be easier to use the graphical tools for most people. Just open
one of the graphical tools and click new user from the menu. Give the
information that is asked of you. In fact, the best practice for this sort of
thing is to use a template that you know works correctly. Then just duplicate
that for each new user. It is something like this:

 

  • open ADUC
  • choose account to use as template
  • right click and choose copy
  • give the correct name for new user
  • enter logon name then click next
  • enter password and click next
  • click finish


When you have to create many new users at once, it is much better to use
Powershell for this. You know it works and it is much faster. Here is an
example:

$newpass = read-host "password" -assecurestring
new-aduser -name "moore jason" -samaccountname jmoore `
-userprincipalname "[email protected]" -accountpassword $newpass `
-path "cn=users,dc=aindien,dc=com" -enabled:$true

Modify this as needed. There are a lot more options you can use to script new
user creation. Powershell documentation for the Active Directory module will
show you these details.
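Bulk creation from a CSV file, as an added example that is not from the original article: it copies attributes from a template account with New-ADUser -Instance, which is how the "duplicate a template" approach described above translates to Powershell. The template account name template_standard, the CSV path C:\newusers.csv and its column names are assumptions; the cn=users,dc=aindien,dc=com container is taken from the article's own example.

```powershell
# Added example: create many users from a CSV, copying a template account.
# Assumptions: a template account "template_standard" exists, C:\newusers.csv
# has the columns GivenName,Surname,SamAccountName, and new accounts go into
# the article's cn=users,dc=aindien,dc=com container.
Import-Module ActiveDirectory

function New-InitialPassword {
    # Random one-time password; the user is forced to change it at first logon.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*'
    -join (1..$Length | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

# -Instance copies the attributes fetched here (description, office, department).
# Group memberships are not copied by -Instance, so they are collected separately.
$template = Get-ADUser -Identity 'template_standard' -Properties Description, Office, Department
$templateGroups = Get-ADPrincipalGroupMembership -Identity $template |
    Where-Object { $_.Name -ne 'Domain Users' }

$domain = (Get-ADDomain).DNSRoot          # aindien.com in the article
$path   = 'cn=users,dc=aindien,dc=com'

foreach ($row in Import-Csv -Path 'C:\newusers.csv') {
    $sam = $row.SamAccountName
    # Skip accounts that already exist instead of failing part way through the file.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    $plain    = New-InitialPassword
    $password = ConvertTo-SecureString $plain -AsPlainText -Force

    $user = New-ADUser -Instance $template `
        -Name "$($row.Surname) $($row.GivenName)" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
        -AccountPassword $password -Path $path `
        -Enabled $true -ChangePasswordAtLogon $true -PassThru

    foreach ($group in $templateGroups) {
        Add-ADGroupMember -Identity $group -Members $user
    }

    # The one-time password is handed to the user out of band; it is only valid
    # until their first logon because ChangePasswordAtLogon is set.
    [pscustomobject]@{
        SamAccountName  = $sam
        InitialPassword = $plain
        DistinguishedName = $user.DistinguishedName
    }
}
```

The existence check at the top of the loop is what makes the script safe to rerun on the same file after a partial failure; without it the second run stops at the first duplicate.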


Updating Accounts

Part of account management includes updating and deleting accounts. We update
accounts because phone numbers and addresses can change. We can also disable or
enable accounts as needed. 

Delete accounts when those users have left the company. Otherwise they are a
security risk. Active Directory has to be kept up to date to stay useful.

To modify a user account, use one of the graphical tools:

  • search for the account you want to modify
  • right click that account and choose properties
  • choose the field you need to modify


When changing a field, clear it first and then type in the correct value. We can
also do it using Powershell.

set-aduser -identity "cn=Moore Jason,cn=users,dc=aindien,dc=com" `
-officephone "345 6789"

If a user is going to be gone for a while but is still with the company, then
disabling the account should be considered. An account that nobody is using is a
standing security risk. It can simply be re-enabled when the user gets back. It
is easy to disable an account:

  • search for the account
  • right click it
  • choose disable

Using Powershell it's easy too.

disable-adaccount -identity jmoore

You do the exact same process to enable accounts. Right click the account and
choose enable. 

enable-adaccount -identity jmoore

If a user leaves the company then it is time to delete the account. To do so:

  • search for the account in question
  • remove protection against deletion, if enabled
  • right click and choose delete
  • confirm that is what you want to do in pop-up box

 

Groups

Groups are another way to organize your users and data. You definitely want to
use them too. You put the users from some department into the same group and
give the group certain permissions. All the users in that group now have the
same permissions. Groups make you more efficient.

Groups are just containers. They can hold users, computers, and other groups
too. There are several kinds of groups, and each has advantages. The main
actions you take on groups are adding and removing users.

There are two types of groups, security and distribution. Security groups help
you handle permissions for your users. Distribution groups are used in Exchange
to send messages to a set of recipients. A group can contain user accounts,
computer accounts, and other groups. User accounts or computers belong to a
global group, global groups belong to domain local groups, and domain local
groups are placed on access control lists. The access control lists control
access to your resources. These resources can be shares, folders, files, and
printers.

Creating groups is a straightforward process. You can do it with either the
graphical tools or with Powershell. You have to know what container to create it
in, a group name, and the group samaccountname. 

  • open the graphical tool you prefer
  • go to the container you want to create it in
  • right click the container
  • choose new group
  • click ok to finish


Your new group is created. It can be modified as well in the future. We can
create a group using Powershell as well:

new-adgroup -name testgroup -path "cn=users,dc=aindien,dc=com" `
-groupcategory security -groupscope global `
-description "test group"

Deleting a group can be done when necessary. Make sure it is no longer needed
before you do. In your graphical tools just right click the group and click
delete. In Powershell we can do:

remove-adgroup -identity testgroup -confirm:$false

Managing groups boils down to viewing members, adding new members, and removing
members from the group. In the graphical tools, right click and select
properties. Once you have your list of members, select a user and click the
remove button. To add a user to a group using Powershell use:

add-adgroupmember -identity testgroup -members "cn=moore jason,cn=users,dc=aindien,dc=com"

Removing a group member using Powershell is:

remove-adgroupmember -identity testgroup -members jmoore -confirm:$false
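The user, global group, domain local group and access control list chain described in this section, as an added example that is not from the original article. The group names Finance Staff and Finance Share RW, the folder D:\Shares\Finance and the idempotency checks are my own; jmoore and the cn=users container come from the article's examples.

```powershell
# Added example: account -> global group -> domain local group -> ACL.
# Assumptions: the groups and folder below do not exist yet, and the ACL part
# is run on the file server that holds D:\Shares\Finance.
Import-Module ActiveDirectory

$path = 'cn=users,dc=aindien,dc=com'

# Global group: holds people by role.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'FinanceStaff'")) {
    New-ADGroup -Name 'Finance Staff' -SamAccountName FinanceStaff -Path $path `
        -GroupCategory Security -GroupScope Global `
        -Description 'Finance department users'
}

# Domain local group: holds one permission on one resource and nothing else.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'FinanceShareRW'")) {
    New-ADGroup -Name 'Finance Share RW' -SamAccountName FinanceShareRW -Path $path `
        -GroupCategory Security -GroupScope DomainLocal `
        -Description 'Modify rights on D:\Shares\Finance'
}

# Users go in the global group; the global group goes in the domain local group.
Add-ADGroupMember -Identity FinanceStaff   -Members jmoore
Add-ADGroupMember -Identity FinanceShareRW -Members FinanceStaff

# Only the domain local group ever appears in the ACL.
$netbios = (Get-ADDomain).NetBIOSName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$netbios\FinanceShareRW", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path 'D:\Shares\Finance'
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shares\Finance' -AclObject $acl

# Verify the chain: -Recursive expands the nested global group, so jmoore
# should appear even though only FinanceStaff is a direct member.
Get-ADGroupMember -Identity FinanceShareRW -Recursive | Select-Object SamAccountName
```

Keeping permissions on the domain local group means a department change is handled by moving the user between global groups; the ACL on the folder never has to be touched again.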

Troubleshooting Issues

Sometimes problems occur. It is just a fact of life. It is usually when someone
can't log on or access some resource they need to. The most common issues are
expired password, forgotten their password, locked their account from too many
password guesses, or they are not in the correct group in order to access those
resources. Most problems are password related, as you can see. 

When you have an issue with a user, check whether the account is disabled, then
whether it has expired, then whether it is locked out. So the first thing to do
is pull up the account and look at those three things first.

If it is not one of the previous issues then the problem is probably password
related. Active Directory passwords expire every few weeks by default so you
need to be on top of this. Passwords will cause a lot of issues. You can see
what accounts have expired with a little Powershell:

search-adaccount -passwordexpired

If the account in question shows up in the list, you just reset the password.
Better still, have the user set their own new password: tick the "User must
change password at next logon" option when you reset it.

Locked accounts are another issue. They happen because users forget their
password and try too many times incorrectly in a time period. You will be able
to see when a particular account is locked when you open the account up in the
graphical tools. You can do the same thing with Powershell.

search-adaccount -lockedout

You can unlock just as easily.

search-adaccount -lockedout | unlock-adaccount

Group membership is the last main cause of problems. When a user cannot access
the resource they need, this is often the issue. You will have to find which
group grants access to the resource so you can add the user to that group. This
comes up when a user is new or when they change positions.
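The checks this section walks through (disabled, expired, locked out, password expired, missing group membership), as an added example that is not from the original article. Both function names, the -ResourceGroup parameter and the group FinanceShareRW are my own; jmoore is the article's sample user.

```powershell
# Added example: check the common logon-failure causes for one user in a single
# call, then fix the account-side ones. Function and parameter names are mine.
Import-Module ActiveDirectory

function Get-LogonProblem {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$ResourceGroup      # group that grants access to the resource in question
    )
    $u = Get-ADUser -Identity $Identity -Properties Enabled, LockedOut, PasswordExpired, `
        AccountExpirationDate, PasswordLastSet, LastBadPasswordAttempt, BadLogonCount
    $problems = @()

    # Same order as the text: disabled, expired, locked out, then password.
    if (-not $u.Enabled) { $problems += 'account is disabled' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $problems += "account expired on $($u.AccountExpirationDate)"
    }
    if ($u.LockedOut) {
        $problems += "locked out: $($u.BadLogonCount) bad attempts, last at $($u.LastBadPasswordAttempt)"
    }
    if ($u.PasswordExpired) {
        $problems += "password expired (last set $($u.PasswordLastSet))"
    }
    if ($ResourceGroup) {
        # -Recursive follows nested groups, so membership through a global group counts.
        $members = Get-ADGroupMember -Identity $ResourceGroup -Recursive
        if ($members.SamAccountName -notcontains $u.SamAccountName) {
            $problems += "not a member of $ResourceGroup"
        }
    }
    [pscustomobject]@{ User = $u.SamAccountName; Problems = $problems }
}

function Repair-LogonProblem {
    # Unlocks the account and, if the password has expired, sets a temporary one
    # that the user must replace at next logon.
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties LockedOut, PasswordExpired
    if ($u.LockedOut) { Unlock-ADAccount -Identity $u }
    if ($u.PasswordExpired) {
        $temp = Read-Host 'temporary password' -AsSecureString
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $temp
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}

Get-LogonProblem -Identity jmoore -ResourceGroup FinanceShareRW
```

Reporting the bad-attempt count and time alongside the lockout is worth the extra properties: a lockout with many attempts at 03:00 when the user was asleep is a different conversation from a forgotten password.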

Machine Accounts

Most of the data in Active Directory is users, groups, and machine accounts. The
machine accounts have to be managed too. We do this by taking advantage of group
policy. Don't worry, it won't mind. Your workstations and servers should be in
here so everything is much easier to manage.

The workstation will join the domain just like a user does. This is often when
the workstation account gets created too. This machine authenticates to the
domain controller as well. Someday, when this machine gets replaced, this
account will get deleted like everything in Active Directory. 

You can create machine accounts in the graphical tools and Powershell. You
should do so in your machine container or OU. You can put them elsewhere if and
when you need to after you are very familiar with the process. It is a good idea
to just keep them here and separate from your user accounts. 

  • open ADAC
  • choose machine container
  • choose task menu then new
  • choose computer
  • type computer name
  • check protect from accidental deletion
  • add the computer to any groups it needs
  • choose ok to create the account

Powershell can do this just as easily.

new-adcomputer -enabled $true -name finance3 -path "cn=computers,dc=aindien,dc=com" `
-samaccountname FINANCE3

Joining a computer to the domain is usually the next step. This should be
limited to some type of administrator. The machine needs to have DNS set up and
local administrator permissions. You will need an account name and password that
can join the domain. Lastly, you should rename it to its final form and restart. 

  • open control panel and choose system
  • select advanced system settings
  • select computer name
  • choose domain and provide a domain name
  • select ok


Give your admin credentials. Select okay and then restart. 

Issues can occur between a machine and the domain controller. Most often you
will see a message stating that there are no logon servers available. There are
other messages, but they mean mostly the same thing. The usual cause is that
the machine's secure channel with the domain has broken because the machine has
not been turned on and authenticated to a domain controller in a long time. The
time can vary, but something like 30 days is usually the culprit. The easiest
solution is to rejoin the machine to the domain and restart. You can also reset
the account in the graphical tools, but I prefer the first way.

Deleting a machine account is the last thing you will do with it. You will
usually do this when the machine has been replaced through a hardware upgrade.
Then the machine account process is restarted. Delete them through the graphical
tools or Powershell. Be careful not to delete a domain controller if it shows
up.
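Finding machine accounts that have gone quiet, as an added example that is not from the original article. It implements the two cautions above: replaced hardware leaves accounts behind, and domain controllers must never be touched. The 90-day window, the function name and the -Commit switch are my choices; without -Commit it only reports.

```powershell
# Added example: list machine accounts that have not authenticated for a while,
# skipping domain controllers, and optionally disable them. Deleting is left as
# a later, deliberate step once nobody has missed the machine.
Import-Module ActiveDirectory

function Find-StaleComputer {
    param([int]$Days = 90, [switch]$Commit)

    # Never touch domain controllers, as the text warns.
    $dcs = (Get-ADDomainController -Filter *).Name

    $stale = Search-ADAccount -AccountInactive -ComputersOnly `
                -TimeSpan ([timespan]::FromDays($Days)) |
             Where-Object { $_.Enabled -and $dcs -notcontains $_.Name }

    foreach ($c in $stale) {
        $obj = Get-ADComputer -Identity $c.DistinguishedName -Properties LastLogonDate, OperatingSystem
        [pscustomobject]@{
            Name      = $obj.Name
            OS        = $obj.OperatingSystem
            LastLogon = $obj.LastLogonDate
        }
        if ($Commit) {
            # Record why it was disabled so the next admin does not have to guess.
            Set-ADComputer -Identity $obj `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive for $Days days"
            Disable-ADAccount -Identity $obj
        }
    }
}

Find-StaleComputer               # report only
# Find-StaleComputer -Commit     # disable the reported accounts
```

LastLogonDate is replicated only roughly (it is derived from lastLogonTimestamp), so treat the window as "at least this long", not as an exact date.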

Organizational Units

Organizational units help separate all your different objects into something
manageable. They make it easier to delegate permissions and set group policy. An
OU is just a container. There won't be much to do with it after it's created and
you have objects in it, apart from moving objects from one OU to another.

An OU is a container inside a domain. It can hold machines, users, and groups.
You create one when you want a certain few admins to be responsible for it, or
to help with group policy. OUs are mainly used to divide departments, locations,
users and machines, and possibly servers if you have a lot. You can create OUs
within other OUs, but you shouldn't do this too much. Only nest when needed,
because deep nesting can hurt performance.

Organizational units can be created with graphical tools or Powershell. Try to
make your names consistent. Everything does not have to be perfect but the more
you try the fewer problems and conflicts you will have later. 

To create an OU with ADAC:

  • choose OU or the domain to create it in
  • choose new, then organizational unit from the menu
  • give it a name
  • give any information that is helpful to you
  • click ok


You can also create OUs with Powershell. There are several commands for working
with OUs.

  • new-adorganizationalunit
  • get-adorganizationalunit
  • set-adorganizationalunit
  • remove-adorganizationalunit


Here is a short example:

new-adorganizationalunit -name Hillsboro -path "dc=aindien,dc=com" `
-protectedfromaccidentaldeletion:$true -passthru

There is not a lot to do to manage an OU. Typically, it involves renaming,
setting the description, changing the manager, and deleting it when necessary.
To rename an OU, select, right click and choose properties, then you should see
an option to rename.

Giving an OU a description can be useful. To do so, right click it, choose
properties, and enter the description.

Changing who manages an OU is really just a reminder. You still have to give
that user the permissions to do his job. 

Eventually you might have to delete an OU. To do so, right click the OU, choose
delete, remove the protection, then do it again, lastly select yes to delete the
OU. 

Moving objects between OUs will happen occasionally. You do this when objects
were created in default containers but belong elsewhere, or when a user has
changed roles and needs different permissions.

Creating Group Policies

Group policy is how we manage security and configuration of all your machines.
Group policy can be applied to the domain or a certain organizational unit. A
group policy object defines a bunch of settings. You can fine tune a lot of
these settings in Windows. These settings can be applied to users by
organizational unit or domain. A group policy object can contain thousands of
settings. It depends on how much you want to fine tune things in your
environment. 

You should keep user and machine settings separate. Do as little as possible with
group policy objects to fix the issue you need fixed. Use templates when
possible as these are pre-configured. 

You create group policy objects in the group policy management console. Create
your objects in the group policy object container. You cannot add a description
to the object when using the management console. We can use Powershell to create
an object too.

First, import the group policy module.

import-module grouppolicy

As with other modules, check out all the commands that come with this module.

get-command -module grouppolicy

To create a group policy object, we use:

new-gpo -name labpcs -comment "settings for all lab pc's"

There are a bunch of other settings you can add like display name, domain name,
ID, description, and many others. You will see those options in the help for the
commands. 

After you have created a group policy object, you will need to modify it to put
in your settings and decide who it will affect. It is a good idea to configure a
group policy object with either user or machine settings, not both. A computer
configuration applies to a machine no matter which user is on it. A user
configuration applies to the user no matter which computer they are on. You can
use the group policy management console to designate whether you will use user
or machine settings.

When configuring your settings in the management console, try to use as few as
possible to get the job done. You do not want to duplicate a lot of settings
across the containers you have or other group policy objects. When a group
policy object is created you will have a lot of settings to look at and
configure. Go through them and double click them to change or set up for the
first time. 

Managing Group Policies

This chapter is about linking the group policy objects you have created to your
domains and organizational units. Group policy objects will need to be removed
once they are no longer needed.

Applying a group policy object is known as linking. Linking can be done at an AD
site, a domain, or an organizational unit. I wouldn't link a group policy
object to a site. The reason is that anything you do later in a domain or
organizational unit can override the site settings, so the effort spent on the
site link is wasted. You can link a group policy object as it is created, or
link an existing one to a domain or organizational unit. It is very easy to end
up with conflicting policies, so be careful and apply them as sparingly as
possible.

You use the group policy management console to set group policy objects. 

  • open the management console
  • go to where the group policy object is to be linked
  • right click and choose link existing gpo
  • select it and hit ok


The management console will show you what linked policies you have. They will be
in the right window pane. You can create a link using Powershell also:

get-gpo -name lab_machines | new-gplink -target "ou=lab_machines,dc=aindien,dc=com"

One part of managing an environment is knowing how group policy objects affect
your users and machines. The main way of doing this is looking through the
management console. It shows you organization units and what group policy
objects are linked to it. You can see the reverse view as well, what links a
group policy object has. 

Links can be removed too. You can delete the group policy object, which removes
all of its links, or you can unlink the object from the organizational unit it
is applied to.

  • open the management console
  • choose the group policy objects container
  • right click the group policy object and select delete
  • Confirm your action in the pop up box and choose yes


We can delete a group policy object using Powershell:

remove-gpo -name lab_machines

If you just want to unlink the group policy from a container then open up the
management console:

  • open management console
  • go to where the group policy is linked, like an OU or domain
  • right click the group policy and choose delete
  • confirm your action and choose ok


We can unlink a group policy using Powershell as well:

remove-gplink -name lab_machines -target "ou=lab_machines, dc=aindien, dc=com"

Group policy objects are applied in a set order when a user logs on or when the
machine is turned on: local policies on the machine first, then group policies
linked to the site, then the domain, and finally the OU. Later ones win when
settings conflict.
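Listing which group policy objects reach a container and in which order they are processed, as an added example that is not from the original article. It uses Get-GPInheritance, which reports the site, domain and OU links but not the machine's local policy. The OU ou=lab_machines,dc=aindien,dc=com is the article's own; the function name is mine.

```powershell
# Added example: show the GPOs that apply to an OU (or domain) in processing
# order, so the last row is the one that wins a conflict. Local policy on the
# client is processed before all of these and is not shown here.
Import-Module GroupPolicy

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][string]$Target)   # distinguished name of an OU or domain

    $inh = Get-GPInheritance -Target $Target

    # InheritedGpoLinks is sorted by precedence, highest first. Reversing it gives
    # the order in which the client processes the links.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $step = 0
    foreach ($l in $links) {
        $step++
        [pscustomobject]@{
            Step     = $step
            Gpo      = $l.DisplayName
            LinkedAt = $l.Target        # site, domain or OU the link sits on
            Enabled  = $l.Enabled
            Enforced = $l.Enforced      # enforced links cannot be overridden lower down
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $Target; only enforced parent links apply"
    }
}

Get-GpoApplyOrder -Target 'ou=lab_machines,dc=aindien,dc=com' | Format-Table -AutoSize
```

When a setting is not behaving as expected, this table plus the Enforced column usually explains it faster than clicking through the console: an enforced link further up keeps its precedence regardless of what the OU's own links say.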

Managing Passwords

Customizing password requirements is an important part of managing Active
Directory. The requirements live in password settings objects, or PSOs. Password
settings objects let you have multiple password policies in the same domain.

You can have settings for admins and users. You can have several if you want and
they are tied to the groups you have created. This gives you a lot of
flexibility. You can manage password settings through a graphical tool and
Powershell. 

Password settings can be set to groups or users. However, it is best to just use
groups for your settings. This will be a lot easier in the long run. 

You can create password settings in ADAC or Powershell. ADAC is probably the
easiest to begin with but Powershell lets you automate things if you want to
script something for your environment. To create password settings:

  • open ADAC
  • choose system folder
  • select password settings and then choose new
  • select password setting
  • complete all the questions in the box
  • choose ok


There will be some mandatory fields and default values. Choose what makes sense
for your environment. 

If this is not the first policy you have created, you may want to see what
settings are already there. Open ADAC, choose system folder, then choose
password settings. The current password objects will appear. You can click any
password policy listed there and modify if you need to. 

You can see the same thing using Powershell:

get-adfinegrainedpasswordpolicy -filter *

It will show you everything it has. 
You can see any particular policy using its name:

get-adfinegrainedpasswordpolicy -identity admins

When applying password settings, set them at the group level. In ADAC, after you
have created the policy, just apply them at the same time. You do this by using
the Directly Applies To box. Just choose the group. You can remove a policy by
doing the same thing, just open the drop down box and choose. 
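Creating a stricter password settings object for administrators and applying it to a group, as an added example that is not from the original article. The policy name admins is reused from the get-adfinegrainedpasswordpolicy example above; the individual values, the Domain Admins target and the check that the policy does not already exist are my own choices.

```powershell
# Added example: a fine-grained password policy for administrators, applied to a
# group rather than to users. Values below are mine, not the article's.
Import-Module ActiveDirectory

$adminPolicy = @{
    Name                            = 'admins'
    Precedence                      = 10      # lowest number wins when a user matches several PSOs
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false  # never store reversible passwords
    MinPasswordAge                  = '1.00:00:00'
    MaxPasswordAge                  = '60.00:00:00'
    LockoutThreshold                = 5
    LockoutDuration                 = '00:30:00'
    LockoutObservationWindow        = '00:30:00'
    ProtectedFromAccidentalDeletion = $true
}

# Create the policy once; rerunning the script must not create duplicates.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'admins'")) {
    New-ADFineGrainedPasswordPolicy @adminPolicy
}

# Apply it to a group, as the text recommends, never to individual users.
Add-ADFineGrainedPasswordPolicySubject -Identity 'admins' -Subjects 'Domain Admins'

# Confirm what a given user actually gets after precedence is resolved.
# Returns nothing if only the default domain policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity jmoore |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy check at the end is the part to keep handy: when two PSOs apply to overlapping groups, precedence decides, and the only reliable way to know which one a user ended up with is to ask.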

Domain Controllers

Domain controllers control your Active Directory. If you have a new setup of
Active Directory then you need a new domain controller as well. A domain
controller is a server running Active Directory Domain Services, and it works
within a domain. It holds the Active Directory database, along with the logon
scripts and the group policy files, and it handles authentication for users and
computers.

Domain controllers are created when you have a new location, some hardware has failed, or you
are creating a first domain controller in your new setup. You will need to
install AD domain services from the graphical tools. Just follow the prompts.
You get there by choosing it from Add Roles and Features.

We can install it with Powershell too.

install-windowsfeature -name ad-domain-services -confirm:$false

We now have to promote the domain controller. This has been done differently in
the past. From your server manager window, choose Promote This Server To A
Domain Controller. There are several prompts to follow. After everything is done
you will need to restart. When it comes back up you will have a domain
controller.

The next thing to think about is finding your domain controllers if you are new
to an environment. There is an easy way of discovering your domain controllers.
First, open ADAC and go to the domain controllers OU. You should always
leave your domain controller in this OU. It makes it easier. Some people do not
and that is why we have the issue of finding our domain controllers at times. 

A domain controller can exist but not be available to take authentication
requests. The simplest check is to ping it from a terminal. You also need to
check that the services are running. They should be if you can ping it, but it
is good to check anyway.

get-service -computername domaincontroller1 -name adws, netlogon, dfsr, ntfrs, dns, kdc, w32time

Domain controllers can offer a lot for your environment. A domain controller is
part of your domain and can only authenticate users from that domain. The global
catalog contains a subset of the attributes of every object in your forest.
Global catalog servers are domain controllers with this extra role. You can
modify which attributes the global catalog holds if you need to. The first
domain controller in a forest is a global catalog by default.

Securing Your Data 

The data in Active Directory is what lets users log on and access resources.
Securing it is a top priority. Do as much as is practical because more is
better. 

The basic way of securing your data is to enable Protection From Accidental
Deletion on anything that has it. It has already been mentioned several times
before and that is because it is a good thing to have. For any object just look
at the properties tab of that object. It cannot protect you if you forget to
turn it on so always try to check its box on an object.
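Finding objects that do not have Protection From Accidental Deletion set and turning it on, as an added example that is not from the original article. It uses the ProtectedFromAccidentalDeletion property on Get-ADObject and Set-ADObject; the function name, the default object classes and the -Commit switch are mine, and without -Commit it only reports.

```powershell
# Added example: report (and optionally fix) objects missing accidental-deletion
# protection. Defaults to OUs, groups and computers; pass -Classes to change that.
Import-Module ActiveDirectory

function Protect-ADObjects {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string[]]$Classes  = @('organizationalUnit', 'group', 'computer'),
        [switch]$Commit
    )

    # Build "objectClass -eq 'a' -or objectClass -eq 'b' ..." for the AD filter.
    $filter = ($Classes | ForEach-Object { "objectClass -eq '$_'" }) -join ' -or '

    $unprotected = Get-ADObject -Filter $filter -SearchBase $SearchBase `
                       -Properties ProtectedFromAccidentalDeletion |
                   Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($o in $unprotected) {
        [pscustomobject]@{ Class = $o.ObjectClass; DistinguishedName = $o.DistinguishedName }
        if ($Commit) {
            Set-ADObject -Identity $o -ProtectedFromAccidentalDeletion $true
        }
    }
}

Protect-ADObjects                       # report only
# Protect-ADObjects -Commit             # set the flag on everything reported
# Protect-ADObjects -Classes user -SearchBase 'ou=servers,dc=aindien,dc=com'
```

Running the report form on a schedule catches objects created by scripts or other admins who forgot the checkbox, which is exactly the gap the text warns about.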

Snapshots are another way to secure your data. If you work with backup tools
then this concept will be very familiar. It is the same thing. You are capturing
a moment in time that describes your system. I would do this regularly. How much
you do it will depend on the size of your system and complexity. Snapshots are
created through the ntdsutil tool but can be run using Powershell. 

ntdsutil snapshot "activate instance ntds" create quit quit

The first snapshot will take a while. Later snapshots will be much quicker
because it only captures what has changed. Snapshots are taken from whatever
domain controller you are on so be aware of that. You can see a list of existing
snapshots:

ntdsutil snapshot "list all" quit quit

You will get a list of your snapshots with information about when they were
taken and their ID's. You can restore users and even OU's from here.

Another way to secure your data is by using the backup and restore tool. This
tool is for restoring large amounts of data in case something goes horribly
wrong. You will want to restore domain controllers that do not have specialized
roles. To use backup and restore you have to install the tools. These are
accessed from server manager.