What is Active Directory?
Active Directory is a Microsoft technology for identity management in computer networks. It is a database that holds user and computer accounts along with their passwords.
When you install the AD DS server role, you finish the installation by promoting the server to a domain controller. This installs several tools, including:
- Active Directory Administrative Center
- Active Directory Domains and Trusts
- Active Directory Module for Windows PowerShell
- Active Directory Sites and Services
- Active Directory Users and Computers
In this tutorial we will focus on the tool you will use the most when working with Active Directory: Active Directory Users and Computers.
If you’re looking for an IT job or just want to freshen up your IT skills then this tutorial is perfect for you!
Get access to our IT labs
In this lesson we will be using ServerAcademy.com’s IT labs which you can connect to through your web browser. We have this exact IT lab (and many more) available which you get access to when you become a member at ServerAcademy.com.
What I recommend is that you sign up for the free trial here so you can use the IT labs with this tutorial.
You can also download and install VirtualBox which will allow you to run Virtual Machines on your home computer. This works when you have a powerful computer that can run multiple VMs and the time to set them up.
How do I open Active Directory?
Identifying Domain Controllers
To open Active Directory, you first need to identify an Active Directory Domain Controller. You can check whether you are logged on to a Domain Controller by opening Server Manager and looking on the left-hand side for the AD DS server role.
You will also see “Active Directory Users and Computers” listed under tools:
Remotely Open Active Directory with RSAT (Remote Server Administration Tools)
It is possible that you either cannot or do not want to log on directly to the Domain Controller. In that case you can download RSAT, which installs the Active Directory consoles on your local computer, and then connect to your Active Directory domain controllers from there.
You can install RSAT by downloading and running this script which appears to be a great way to install RSAT on Windows 10 1809, 1903 and 1909.
I saved the script to my C:\Users\*******\Downloads folder. So I opened PowerShell as an administrator and changed directory (cd) to that folder. Then I called the script and answered “R” to run it once:
This will quickly install all the tools you need for your specific version of Windows. Now when I click the start button, I can go to Windows Administrative Tools and start the Active Directory Users and Computers console:
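As an added example (not the script the tutorial links to, nor code from ServerAcademy.com), the same result can be reached on Windows 10 1809 and later with the built-in Features on Demand cmdlets, which need no third-party download. It assumes an elevated PowerShell prompt and that the machine can reach Windows Update (or a configured FoD source) to fetch the package; the capability name below is the real name of the AD DS/LDS tools package, which contains Active Directory Users and Computers and the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original tutorial): install the RSAT Active Directory
# tools on Windows 10 1809+ as a Feature on Demand. Run from an elevated prompt.
# Assumption: Windows Update (or a configured FoD source) is reachable, because
# that is where Add-WindowsCapability downloads the package from.

# Capability that holds Active Directory Users and Computers + the AD PowerShell module.
$aducCapability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

# Show every RSAT capability and whether it is already installed.
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Select-Object Name, State |
    Format-Table -AutoSize

# Install only the AD tools if they are missing. Pulling in every RSAT component
# gives an admin workstation consoles (DNS, DHCP, GPMC, ...) it may never need.
$state = (Get-WindowsCapability -Online -Name $aducCapability).State
if ($state -ne 'Installed') {
    Add-WindowsCapability -Online -Name $aducCapability
}

# Confirm the package is present and the module loads before trying to reach a DC.
Get-WindowsCapability -Online -Name $aducCapability | Select-Object Name, State
Get-Command -Module ActiveDirectory -Name Get-ADDomain -ErrorAction Stop
```

Once the capability reports `Installed`, Active Directory Users and Computers appears under Windows Administrative Tools exactly as in the walkthrough; on a workstation that is not joined to the domain, use the console's Change Domain Controller option to point it at a DC.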
Organizational Units and Containers
When you first launch Active Directory Users and Computers, you will see a collection of what look like folders. These “folders” are made up of a builtinDomain object, containers and Organizational Units.
In order:
BuiltinDomain
The BuiltinDomain object contains the security groups that are required for your domain to operate. You cannot delete any of these Security Groups as they are all required by the domain.
Containers
Containers are structural objects that are included by default within Active Directory. The most important difference between OUs and containers is that you cannot link Group Policy Objects (GPOs) to containers. This will make more sense when you get to the Group Policy section of this course. You also cannot create a container from Active Directory Users and Computers, although you can create one with ADSI Edit.
By default, the containers you will immediately see in Active Directory are Computers, ForeignSecurityPrincipals, Managed Service Accounts and Users.
Organizational Units (OUs)
Organizational Units (commonly referred to as OUs) are used to organize and separate objects within Active Directory. The objects can be anything Active Directory stores, such as user accounts, computers, printers and file shares.
If your company had a marketing team, you might create a new OU called “Marketing” and store all your marketing users accounts inside this OU.
So, just as it sounds, OUs help you organize your domain within Active Directory. But they matter for more than a tidy directory: system administrators often assign specific settings and permissions to OUs. For example, all users inside the Marketing OU might get a special desktop background and permissions to a file share that other users do not have.
This is why it's important to place Active Directory objects in the correct OU: picking the wrong OU can leave some users with security privileges they are not supposed to have. This applies not only to user accounts but to every object stored within Active Directory.
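The container-versus-OU distinction is easy to check from the command line. The following is an added example (not part of the tutorial and not ServerAcademy.com code): it lists the containers under the domain root, lists every OU with the GPOs linked to it, and flags user accounts still sitting in the default Users container, where no OU-linked GPO or OU-scoped delegation can reach them. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the caller can read the directory and GPO links.

```powershell
# Added example (not from the original tutorial): inventory containers vs. OUs,
# show GPO links per OU, and find users never moved out of CN=Users.
# Assumptions: ActiveDirectory + GroupPolicy modules present; read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Containers (objectClass=container) directly under the domain root. GPOs cannot be
# linked here. Computers, ForeignSecurityPrincipals, Managed Service Accounts and
# Users are the visible defaults; system containers appear only with Advanced Features.
Write-Host "Containers under $domainDN (no GPO links possible):"
Get-ADObject -Filter 'ObjectClass -eq "container"' -SearchBase $domainDN -SearchScope OneLevel |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize

# Every OU, its deletion protection flag, and the GPOs linked directly to it.
# The links are what give an OU its "special background / special permissions" effect.
Write-Host 'Organizational Units and their enabled GPO links:'
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        $links = (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks
        [pscustomobject]@{
            OU        = $_.DistinguishedName
            Protected = $_.ProtectedFromAccidentalDeletion
            GpoLinks  = ($links | Where-Object Enabled | ForEach-Object DisplayName) -join '; '
        }
    } | Format-Table -AutoSize -Wrap

# Users that were never moved into an OU. They receive only domain-level GPOs, so any
# per-OU policy or delegation you rely on is silently not applied to them.
Write-Host 'Users still in the default Users container:'
Get-ADUser -Filter * -SearchBase $domain.UsersContainer -SearchScope OneLevel |
    Select-Object SamAccountName, Enabled, DistinguishedName |
    Format-Table -AutoSize
```

Running this periodically catches the "wrong OU" problem the paragraph above warns about: an account that should inherit the Marketing OU's settings but was created in the Users container shows up in the last list with no OU links at all.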
Create an Organizational Unit
To create a new Organizational Unit, right-click on the desired location (in my case, ad.serveracademy.com) and select Organizational Unit. I am going to name this “Test OU”.
Notice you have the option of disabling the Protect container from accidental deletion checkbox, for most cases I recommend that you leave this option checked.
Click OK to create the OU. Now you can see that it has been created under the root domain ad.serveracademy.com.
Delete an Organizational Unit
Occasionally you will need to delete an OU, and unfortunately this is not as simple as it sounds. If you right-click on an OU, select Delete and Yes, you will be presented with a message stating “You do not have sufficient privileges to delete [the OU], or this object is protected from accidental deletion”.
If you remember, when we created the OU we left the Protect container from accidental deletion checkbox checked. To remove the protection, we need to enable the advanced view within Active Directory and turn the protection off in the OU's properties. Click OK to close the warning message, then select View > Advanced Features.
Immediately you will notice that your view will refresh and you will have a lot more items listed under your domain. You can ignore all of this for now, and simply right-click on the Test OU and choose Properties:
Select the Object tab and uncheck the Protect object from accidental deletion checkbox, then click OK.
Now when we right-click the OU and select Delete, we no longer get the error and the OU is deleted.
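The create, refused delete, unprotect and delete sequence above maps directly onto the ActiveDirectory module. This is an added example, not the tutorial's own material: it assumes the caller can create and delete OUs at the domain root, and reuses the OU name “Test OU” from the walkthrough.

```powershell
# Added example (not from the original tutorial): the GUI sequence create -> delete
# refused -> clear protection -> delete, using the ActiveDirectory module.
# Assumption: the running account may create/delete OUs under the domain root.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Test OU'
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU with protection on, which is the GUI default.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true

Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion

# A protected OU refuses deletion. The GUI shows the "insufficient privileges ... or
# this object is protected" dialog; PowerShell throws, so catch it to see the reason.
try {
    Remove-ADOrganizationalUnit -Identity $ouDN -Confirm:$false -ErrorAction Stop
    Write-Host 'Unexpected: the protected OU was deleted'
} catch {
    Write-Host "Delete refused while protected: $($_.Exception.Message)"
}

# Equivalent of View > Advanced Features > Properties > Object tab > clear the checkbox.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false

# Now the delete succeeds. -Recursive is left out on purpose: if someone moved objects
# into the OU in the meantime, the delete fails instead of silently removing them.
Remove-ADOrganizationalUnit -Identity $ouDN -Confirm:$false

# Confirm it is gone (returns nothing).
Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
```

The protection flag is only a guard against accidents, not a permission: anyone who can clear it can delete the OU, so the practical defence is to keep it on everywhere and treat a cleared flag as a deliberate, reviewable action.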
Creating and Managing User Accounts
Creating and managing user accounts within Active Directory is a common task that you will need to fully understand to have a successful career as a Windows Server administrator.
When it comes to creating and managing user accounts you really have two options: the Active Directory Users and Computers console or the PowerShell command line. This tutorial will focus on the Active Directory Users and Computers GUI.
Create a new AD user
To create a new Active Directory user, right-click your desired location in AD UC (Active Directory Users and Computers) and select New > User. I'm going to do this inside a Server Academy > Domain Users OU that I created:
Now the new user window will appear:
Type in the desired user account information: first and last name, full name (which should be auto-populated) and the username. I like to use the first.last naming convention, but your place of work will likely differ.
Once you're done, click Next and you will be able to specify the user's password as well as the following options:
- User must change password at next logon
Use this when you’re creating a user account and you’re emailing them the password or using the same password for multiple accounts.
- User cannot change password
You will rarely use this. Possibly useful for service accounts, but again not a common choice.
- Password never expires
This is a bad security practice – but it can be useful for service accounts if you don’t care about the security issues with using the same password for a very long time (like in a lab environment).
- Account is disabled
Use this when you are creating the user account for a new hire and they haven’t started the job yet.
Now click Next:
Now inside of Active Directory I can see the new user account:
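For the PowerShell route the tutorial mentions, here is an added example (not the tutorial's code) that creates a user with the same four options the New Object wizard offers and then audits the two that weaken security. The OU path, the name “John Smith” and the account john.smith are placeholders; the domain is read from Get-ADDomain rather than hard-coded, and the initial password is prompted for rather than written in the script.

```powershell
# Added example (not from the original tutorial): create a user with the wizard's
# options, then audit "password never expires" and "cannot change password".
# Assumptions: the OU path and the account john.smith are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouDN   = "OU=Domain Users,OU=Server Academy,$($domain.DistinguishedName)"   # assumed OU path

# Never keep an initial password in a script file; prompt for it.
$initialPassword = Read-Host -Prompt 'Initial password' -AsSecureString

# The first.last convention from the tutorial, as a small helper.
function New-SamAccountName([string]$First, [string]$Last) {
    return ("$First.$Last").ToLowerInvariant()
}

$sam = New-SamAccountName -First 'John' -Last 'Smith'

$userParams = @{
    Name                  = 'John Smith'
    GivenName             = 'John'
    Surname               = 'Smith'
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@$($domain.DNSRoot)"
    Path                  = $ouDN
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true    # "User must change password at next logon"
    Enabled               = $false   # "Account is disabled": the new hire has not started yet
    # CannotChangePassword and PasswordNeverExpires are deliberately left at $false.
    # Note: ChangePasswordAtLogon $true cannot be combined with PasswordNeverExpires $true.
}
New-ADUser @userParams

# On the start date: Enable-ADAccount -Identity $sam

# Audit: which enabled accounts carry the two weak settings?
Write-Host 'Enabled accounts whose password never expires:'
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

Write-Host 'Enabled accounts that cannot change their own password:'
Get-ADUser -Filter 'Enabled -eq $true' -Properties CannotChangePassword |
    Where-Object CannotChangePassword |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

The audit at the end is the part worth scheduling: a “password never expires” account that was meant for a lab or a service account tends to outlive its purpose, and this list is how you find it again.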
Resetting User Passwords in Active Directory
To reset a user password, simply right click on the user and select Reset Password as shown in the image below:
If you cannot locate the user account, click the Find objects in Active Directory Domain Services button, type in the name of the user, and change the In dropdown to Entire Directory:
Once you find the user account, right-click the user and select Reset Password.
You can force the user to change their password at the next login. If you enable this option then the user will see this screen the next time they log in:
If the user account is locked, you can check the second check box to unlock the account at the same time you reset the user password.
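The Reset Password dialog, including its two checkboxes, as an added PowerShell example (not from the tutorial). It assumes john.smith is a placeholder account and that the caller has been delegated the right to reset passwords on that OU; the new password is prompted for.

```powershell
# Added example (not from the original tutorial): reset a password, force a change at
# next logon, unlock if needed, and list currently locked-out accounts.
# Assumption: john.smith is a placeholder account name.
Import-Module ActiveDirectory

$sam         = 'john.smith'
$newPassword = Read-Host -Prompt "New password for $sam" -AsSecureString

# -Reset sets the password without the old one (the administrator path); without
# -Reset the cmdlet expects -OldPassword as well, which is the self-service path.
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $newPassword

# Verify the reset took: PasswordLastSet is now. Check this BEFORE forcing a change at
# next logon, because that flag zeroes pwdLastSet and the value then reads as empty.
Get-ADUser -Identity $sam -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

# First checkbox: "User must change password at next logon".
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true

# Second checkbox: "Unlock the user's account". Only act if it really is locked out.
$account = Get-ADUser -Identity $sam -Properties LockedOut
if ($account.LockedOut) {
    Unlock-ADAccount -Identity $sam
    Write-Host "$sam was locked out and has been unlocked"
}

# Defender check: who is locked out right now? An account that keeps locking out is
# worth a look at its logon failures before you simply unlock it again.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize
```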
Managing Group Memberships
You can manage a user's group membership by double-clicking the user and selecting the Member Of tab:
You can add or remove groups by clicking either the Add or Remove buttons respectively. You can learn more about the Active Directory groups that are available to you by default by clicking here.
We can open any of the listed Active Directory Groups by double clicking on them. In this example I am going to double-click Domain Users:
Here you can see all of the users who are members of the Domain Users group, and you can add or remove users from this view as well.
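The Member Of tab and the group's Members tab as cmdlets, in an added example that is not part of the tutorial. It assumes john.smith and a group named “Marketing” are placeholders that exist in your domain; the privileged-group review at the end goes a step beyond the page by resolving nested groups, since the Members tab only shows direct members.

```powershell
# Added example (not from the original tutorial): add/remove a user's group
# membership, list a group's members, and review the highest-privilege groups.
# Assumptions: john.smith and "Marketing" are placeholders present in the domain.
Import-Module ActiveDirectory

$sam   = 'john.smith'
$group = 'Marketing'

# Member Of tab: Add and Remove buttons, with a listing in between.
Add-ADGroupMember -Identity $group -Members $sam
Get-ADPrincipalGroupMembership -Identity $sam | Select-Object Name, GroupScope, GroupCategory
Remove-ADGroupMember -Identity $group -Members $sam -Confirm:$false

# The group's Members tab (Domain Users in the walkthrough), limited to the first 10.
Get-ADGroupMember -Identity 'Domain Users' | Select-Object -First 10 Name, ObjectClass

# Privileged groups: -Recursive expands nested groups so you see the actual people.
# Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$report = foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object ObjectClass -eq 'user'
    [pscustomobject]@{
        Group   = $g
        Count   = @($members).Count
        Members = ($members | ForEach-Object SamAccountName | Sort-Object) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Membership changes to these groups are the ones to watch: keep the expected list somewhere outside the directory and diff this report against it, rather than trusting what the Members tab shows on the day you happen to look.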
Disabling and Deleting User Accounts in Active Directory
You can disable a user account by right-clicking on the user and selecting Disable Account:
The next time the user attempts to log in they will see the following message:
Usually you will disable a user account for a period of time (like 90 days) before deleting the user account.
To delete a user account you can simply right-click the user and select Delete:
Once the account has been deleted it is gone permanently and can no longer be used.
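The disable-first, delete-later lifecycle described above, as an added example that is not part of the tutorial. The 90-day retention value comes from the text; the “Disabled YYYY-MM-DD” description stamp and the -WhatIf preview are this example's own conventions. It assumes the caller can disable and delete users in the relevant OUs.

```powershell
# Added example (not from the original tutorial): disable with a dated stamp, then
# delete only accounts that have been disabled longer than the retention window.
# Assumptions: the "Disabled yyyy-MM-dd" stamp format is this example's convention.
Import-Module ActiveDirectory

$retentionDays = 90

function Disable-LeaverAccount([string]$SamAccountName) {
    # Disable Account in the GUI, plus a dated stamp so the cleanup pass knows how
    # long the account has been disabled without guessing from whenChanged.
    Disable-ADAccount -Identity $SamAccountName
    $stamp = 'Disabled {0:yyyy-MM-dd}' -f (Get-Date)
    Set-ADUser -Identity $SamAccountName -Description $stamp
}

function Get-ExpiredDisabledAccount([int]$Days) {
    # Disabled accounts whose stamp is older than the retention window. Accounts that
    # are disabled but carry no stamp are left alone: they were not disabled by this process.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})$' -and
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
        }
}

# Disable-LeaverAccount -SamAccountName 'john.smith'   # placeholder account

# Preview first: -WhatIf prints what would be removed and changes nothing.
Get-ExpiredDisabledAccount -Days $retentionDays | Remove-ADUser -WhatIf

# After reviewing the preview, run the same pipeline for real:
# Get-ExpiredDisabledAccount -Days $retentionDays | Remove-ADUser -Confirm:$false
```

Keeping the disabled period is what makes the delete safe: a disabled account can still be re-enabled if a leaver comes back or an owner for a shared mailbox turns up, whereas the deletion in the tutorial's last step cannot be undone from this console.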
Conclusion
That wraps up this tutorial! Hopefully you enjoyed it. If you are interested in joining our IT training program you can start a free trial by clicking here.