So first up on our list is the remarkably uninteresting task of dealing with users and computers inside the graphical tools that ship with Windows Server. In a production environment you are probably not going to perform these tasks on the domain controller itself. You will usually have a dedicated management machine for this, or, if you are a PowerShell person, you can open a new PSSession to a domain controller and import the Active Directory module from it. That way you do not need to install the RSAT tools on every machine you work from. I will show you later how this can be done.
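The implicit-remoting approach mentioned above, as an added example that is not part of the original post. It assumes a domain controller named DC01 with PowerShell Remoting enabled and that you run it under a dedicated admin account; nothing is installed on the workstation.

```powershell
# Added example (not from the original post): implicit remoting of the
# ActiveDirectory module from a domain controller, so the admin workstation
# needs neither RSAT nor the AD module installed locally.
# Assumptions: the DC is named DC01 and WinRM (PowerShell Remoting) is
# enabled on it; you are running under a dedicated admin account.

$dc = 'DC01'

# A domain-joined client talking to a domain member by hostname uses
# Kerberos by default: no CredSSP, no stored credentials.
$session = New-PSSession -ComputerName $dc

# Load the module inside the remote session ...
Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory }

# ... and project its cmdlets into the local session. The -Prefix keeps the
# proxied commands distinguishable from a locally installed module, e.g.
# Get-RemoteADUser instead of Get-ADUser.
Import-PSSession -Session $session -Module ActiveDirectory -Prefix Remote | Out-Null

# Quick check that the proxy works and which DC answered.
Get-RemoteADDomain | Select-Object DNSRoot, PDCEmulator

# Every proxied call runs on DC01 under your identity, so only do this from
# a machine you would trust with your admin credentials anyway.

# Clean up when finished; the proxy functions stop working once the session is gone.
Remove-PSSession -Session $session
```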

There are actually a pair of different tools you can use for managing users and computers in the operating system. The first is the old tool, Active Directory Users and Computers (ADUC).


The second, which I will just open up here so we can see it, is the newer tool called Active Directory Administrative Center (ADAC). These two tools perform many of the same functions, but the biggest difference is that ADAC, unlike ADUC, runs on top of Windows PowerShell: every action you take in it is translated into Active Directory module cmdlets, and the Windows PowerShell History pane at the bottom of the ADAC window shows you the exact commands it ran, which is a handy way to learn the cmdlets.


Now I am going to use the old tool, because I am old school, and old habits die hard. I will also show you how you can use PowerShell to accomplish the same tasks much faster. If you need to create only one user you can use ADUC, but if you need to create many users from a CSV file, or copy many members from one AD group to another, then performing those operations by hand takes a lot of time.

Here on the left you can see the long list of organizational units and other containers that exist in our domain nm.com. Over on the right, because we have selected the Users container, are the users and the groups that exist right out of the box.


To create a new user, right-click on the Users container, or on any other OU you want to use (I will create the new one in Test Users), and select New –> User.


Then provide the first name, last name and a user logon name for the person. Next to the User logon name field you can see what we call the UPN suffix (@nm.com). The user will be able to log on in either of two ways: the pre-Windows 2000 way, which many of us still type today, in the form DOMAIN\username (NM\username), or the newer way, the user principal name (UPN) in the form username@nm.com. Both identify the same account, and the pre-Windows 2000 name (sAMAccountName) has to be unique in the domain and at most 20 characters. Click Next.


For any user we enter we have to provide a password that meets whatever password restrictions apply, that is, the rules we have set in the domain password policy. I will choose Password never expires here, but you can choose any of these options. In production you will normally leave Password never expires unchecked and keep User must change password at next logon checked, so that the initial password you typed (and possibly e-mailed or spoke out loud) is only good for the first logon. Next and Finish.


Once I have created the user there are a large number of different fields that we could potentially fill in for the account: a description of the user, their office, telephone number, e-mail, physical address information and so on. Keep in mind that most of these attributes are readable by every authenticated user in the domain, so they are a reconnaissance source as much as a directory.


ACCOUNT TAB

1. Unlock account –> If the account gets locked out for one reason or another, most often because the user entered the password incorrectly too many times (the threshold comes from the account lockout policy), I can unlock it with this checkbox. Before you do, have a quick look at where the bad passwords came from: a lockout is also what a password-spraying attempt looks like.

2. Account expires –> I can set an expiry date on the account at the bottom. This is used most often for temporary accounts, consultants and other external users, so that when I create the account I make sure it does not inadvertently stick around past the point where that person should no longer be part of the organization. An expired account is not a deleted or disabled one: the object stays, only logons are refused, and nothing cleans it up for you.

3. Log On To –> This is very useful because we can restrict from which computers the user can log on, by NetBIOS computer name (stored in the logonWorkstations attribute). It controls where the user can log on from, not which resources they can reach over the network once logged on, so it is a good fit for accounts that should only ever be used on a handful of machines.

4. Logon Hours –> This opens a grid where you can restrict the days and hours the user is allowed to log on, by highlighting the appropriate area and clicking Logon Denied. The hours are stored in UTC in the logonHours attribute and ADUC shows them converted to the time zone of the machine you run it on. Note that outside the allowed hours new logons are refused; sessions that are already open are not ended unless you also enable the corresponding "disconnect clients when logon hours expire" security option.


One more tab to mention before we move forward is Member Of (we will look at a few more later in this series). Any new user is created with Domain Users as its primary group; that membership is what lets the account authenticate to and read the objects that make up the domain, so do not remove it. To grant additional access I click Add... and add the user to further AD groups, which is what gives that user access to resources beyond the defaults.

Set Primary Group –> Not needed for everyday Active Directory usage; it only matters for POSIX-style clients (for example Macs) that read the primary group, and it can safely be ignored by almost everyone.
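The same Account tab settings (expiry, Log On To, Logon Hours, unlock) from PowerShell, as an added example that is not part of the original post. It assumes the domain nm.com and the user nedimm used later in the post; the computer names HBG-WS01 and HBG-WS02 are made up, and the logonHours bit layout is documented in the comment so you can verify it against the ADUC grid.

```powershell
# Added example (not from the original post): setting the Account tab
# restrictions with Set-ADUser instead of ADUC. Assumptions: domain nm.com,
# user nedimm; the computer names HBG-WS01/HBG-WS02 are illustrative.

Import-Module ActiveDirectory

$user = 'nedimm'

# logonHours is a 21-byte value: 168 bits, one per hour of the week,
# starting Sunday 00:00 UTC; within each byte the least significant bit is
# the earliest hour. ADUC displays it converted to the local time zone of
# the machine running ADUC, so compare against the grid after writing it.
function New-LogonHours {
    param(
        [int[]]$Days,      # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,   # first permitted hour (UTC), inclusive
        [int]$EndHour      # last permitted hour (UTC), exclusive
    )
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = $bit -shr 3
            $bytes[$idx] = [byte]($bytes[$idx] -bor (1 -shl ($bit -band 7)))
        }
    }
    return $bytes
}

# Monday to Friday, 06:00-18:00 UTC
$hours = New-LogonHours -Days 1, 2, 3, 4, 5 -StartHour 6 -EndHour 18

# Account expires in 90 days (consultant), Log On To limited to two
# workstations, logon hours as built above.
Set-ADUser -Identity $user `
    -AccountExpirationDate (Get-Date).AddDays(90) `
    -LogonWorkstations 'HBG-WS01,HBG-WS02' `
    -Replace @{ logonHours = $hours }

# Verify what was written.
Get-ADUser -Identity $user -Properties AccountExpirationDate, LogonWorkstations, LockedOut |
    Select-Object SamAccountName, AccountExpirationDate, LogonWorkstations, LockedOut

# "Unlock account" is Unlock-ADAccount. List locked accounts first rather
# than unlocking blindly: a burst of lockouts is what password spraying
# looks like, and clearing them silently hides it.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Unlock-ADAccount -Identity $user

# Temporary accounts whose expiry is due within 30 days.
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) |
    Select-Object SamAccountName, AccountExpirationDate
```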


 

COPY USER 

There are always situations where we need to create a new user with a similar set of privileges. This can be done very easily by copying an existing user account and creating the new one from it. To copy a user account, right-click on it and select Copy. Be aware of what Copy carries over: group memberships, logon hours, Log On To restrictions, account expiry and the account options, plus organizational attributes such as department, company and manager; description, phone numbers and e-mail are not copied. Because the memberships come along, a copy reproduces every privilege the source user has, including the ones nobody remembers granting, so glance at the Member Of tab of the source before you copy it.


Give it a name and a logon name, and on the next page give it a new password.


And that is it.


To delete a user account, right-click on it and select Delete. Remember that deleting destroys the account's SID: a new account with the same name is a different security principal and inherits none of the old permissions. The usual practice is to disable first and delete later, and to have the Active Directory Recycle Bin enabled so that a mistaken deletion can be restored with memberships intact.


Now this is the user side of the equation. We also have the computer side as well. We can right-click to create a new computer object, but you will not find yourself doing that all too often, because joining a computer to the domain automatically creates the computer account as part of that process. Reasons for pre-creating computer accounts are an offline domain join, or placing the object in a specific OU ahead of the join so that it lands there instead of in the default Computers container.
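Both reasons for pre-creating a computer object, as an added example that is not part of the original post. It assumes the Helsingborg OU layout used later in the post; the computer names are illustrative.

```powershell
# Added example (not from the original post): pre-staging computer objects.
# Assumptions: OU names as used later in the post; computer names are illustrative.

Import-Module ActiveDirectory

$computerOU = 'OU=Helsingborg Computers,OU=Helsingborg,DC=nm,DC=com'

# 1. Pre-stage the account in the right OU so the join lands there instead of
#    the default Computers container, and the machine gets that OU's GPOs on
#    its first boot rather than after someone remembers to move it.
New-ADComputer -Name 'HBG-WS03' -Path $computerOU -Enabled $true

# 2. Offline domain join: the provisioning blob contains the machine account
#    secret until the machine first talks to a DC. Treat the file as a
#    credential: move it over a secure channel and delete it after use.
djoin.exe /provision /domain nm.com /machine HBG-WS04 /machineou $computerOU /savefile C:\Temp\HBG-WS04.djoin

# On the target machine (offline, before its first domain boot):
# djoin.exe /requestodj /loadfile C:\Temp\HBG-WS04.djoin /windowspath %SystemRoot% /localos

# Check: pre-created objects have never set a password or logged on, which
# is also how you spot stale pre-staged accounts that were never used.
Get-ADComputer -Filter * -SearchBase $computerOU -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
```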


 

USER ACCOUNT TEMPLATES

We went through a very short explanation of the process to copy an account: we took the Nedim Mehic account and copied it to a new user. In a world where another person is coming in to work in the same group as Nedim, it makes sense to copy the account so that you can very easily replicate all of the configuration the new user will need. But there also comes a time when every new account you create needs a certain minimum baseline of settings, for example a set of baseline security groups every user has to be in. In that case we can create a user template. A template user account is essentially a non-functioning user account that you create in ADUC and use as the container for all of those baseline configurations.

To create a user template, right-click on the Users container and select New –> User. In the New User window, start the name with an underscore, for the only reason that when ADUC sorts its list the underscore forces the template account to the top. Do the same for the user logon name and call it _template. Click Next.


I am going to leave the password blank. Here is a really useful trick you can use when creating these template accounts. If I leave the password blank I am normally not able to create the user, because a blank password does not meet the password complexity requirements of my domain; you cannot actually create a user with a blank password. But if I leave it blank and also tick User cannot change password, Password never expires and Account is disabled, I am allowed to create the object (the password is simply never set). The neat part about this template user is that it cannot be enabled as it is: if you try, Windows refuses because the blank password does not meet the policy. So this creates, as I said, a kind of non-functioning account. Click Next and Finish.

Two caveats a security person will want here. First, "cannot be enabled" only holds until someone with reset-password rights on the template resets its password and enables it; the template is a normal object with normal ACLs, so keep it in an OU where only the provisioning staff have rights to it. Second, every group you put the template in is inherited by every copy, so review the template's Member Of list regularly and never make it a member of a privileged group, or a disabled template quietly becomes the easiest privilege escalation in the domain.



Now what you can do is edit that template and configure it: group memberships, logon hours, Log On To, organizational attributes. When you need to create a new user, just copy the template and create the new account from it.
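The PowerShell equivalent of copying the template, as an added example that is not part of the original post. It assumes a template named _template, the Helsingborg Users OU used later in the post, and an illustrative list of attributes to carry over; it also refuses to copy a template that sits in a protected group, which is the caveat above turned into a check.

```powershell
# Added example (not from the original post): copying a template account with
# New-ADUser -Instance, the PowerShell counterpart of the ADUC Copy wizard.
# Assumptions: template "_template", target OU "Helsingborg Users" in domain
# nm.com; the copied attribute list is illustrative.

Import-Module ActiveDirectory

$templateName = '_template'
$targetOU     = 'OU=Helsingborg Users,OU=Helsingborg,DC=nm,DC=com'

# Only the properties fetched here are carried over by -Instance. memberOf is
# a back-link and is never copied by -Instance, so we add the groups ourselves.
$template = Get-ADUser -Identity $templateName -Properties Department, Company, Title, Manager,
    StreetAddress, City, PostalCode, Country, ScriptPath, LogonWorkstations, MemberOf

# Refuse to clone a template that sits in a protected group: every copy would
# silently become privileged. adminCount=1 marks groups covered by AdminSDHolder.
$protected = $template.MemberOf | Where-Object {
    (Get-ADGroup -Identity $_ -Properties adminCount).adminCount -eq 1
}
if ($protected) { throw "Template is a member of protected groups: $($protected -join '; ')" }

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$AccountPassword
    )
    $new = New-ADUser -Instance $template `
        -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@nm.com" `
        -Path $targetOU `
        -AccountPassword $AccountPassword -ChangePasswordAtLogon $true `
        -Enabled $true -PassThru

    # Copy the template's direct group memberships to the new user.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $new
    }
    return $new
}

# Usage: prompt for the initial password instead of typing it on the command
# line, where it would end up in the PowerShell history file.
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
New-UserFromTemplate -GivenName 'Nedim' -Surname 'Mehic' -SamAccountName 'nedimm' -AccountPassword $pw |
    Get-ADUser -Properties MemberOf, Department, Company |
    Select-Object SamAccountName, Enabled, Department, Company, @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```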

 

ACTIVE DIRECTORY GROUPS

As you may know, the reason we have groups is to ensure that the right people have access to the right resources and, conversely, that the wrong people do not have access to resources they should not have access to. Dealing with your groups therefore requires a bit of strategy to make sure you create and manage them correctly.

Managing your AD groups can at first blush seem like a really simple thing to do, but the sheer number of groups you will end up with, and the nesting of one group into another, can very quickly turn what looks like a simple Active Directory infrastructure into one far more complicated than you would ever expect. We will not just talk about how to put users in groups, but more specifically about the other things you have to deal with when managing the groups themselves. Let us get started.

Groups have two types and three scopes, so you will be creating different kinds of groups depending on what you actually need the group for. First up are the two types of groups in Active Directory: security groups on one side and distribution groups on the other.


SECURITY –> Whenever you use a group to apply permissions to a folder or any other securable object, you use a security group. A security group is a security principal: its SID is added to the access token of its members at logon, which is what makes an ACL entry for it work. A security group can additionally be mail-enabled.

DISTRIBUTION –> The only case where you find yourself using distribution groups is e-mail, when you need to send mail to a set of users for one reason or another. A distribution group is not a security principal: it is never added to anyone's token, so putting it in a folder's permissions grants nothing, and a careless "convert to security group" later can grant far more than intended.

When it comes to scopes, this is where things get a little more challenging, because the scopes can be confusing when you first start out.


DOMAIN LOCAL –> can include users, computers, global groups and universal groups from any domain in the forest or from trusted domains, plus other domain local groups from the same domain. These groups are most often used to grant permissions on resources in the domain where they live, that is, the same domain in which you create the domain local group; they cannot be used in ACLs in other domains.

GLOBAL –> can include users, computers and other global groups, but only from the same domain. Most often you use global groups to organize users who share a function, so your finance group, your IT group and so on, because those users will have similar access requirements on the network. Global groups are visible throughout the forest and to trusting domains, but, as I said, they can only contain accounts and global groups from their own domain. Best practice is not to assign permissions directly to global groups.

UNIVERSAL –> these are a special kind of group that you have to pay careful attention to, because the membership of universal groups is stored on every domain controller that is also a global catalog. Any change to the membership of a universal group therefore has to be replicated to every global catalog server in your forest (since forest functional level Windows Server 2003 only the changed members are replicated, not the whole list, but it is still forest-wide traffic). They can contain accounts, global groups and other universal groups from any domain in the forest; they cannot contain domain local groups. Universal groups should be used to nest global groups from several domains, so that one group can be granted permissions on resources in multiple domains. I would recommend using them only in multi-domain environments. We also use them for distribution lists.

So one more time: GLOBAL GROUPS are generally for people and DOMAIN LOCAL GROUPS are for the resources.

 

Configure Group Nesting

Best practice for group nesting is what Microsoft calls AGDLP: you add Accounts to Global groups, you add the global groups to Domain Local groups, and you apply Permissions to the domain local groups only. A user's access is then answered by two questions, "which role does this person have" (global group) and "which roles may touch this resource" (domain local group), and neither the ACL on the resource nor the role group ever needs editing when someone joins or leaves. In a single-forest, single-domain environment you may not need to follow this, and you will notice that not many companies follow it in real-world scenarios, but it is the pattern that keeps permissions auditable once the number of groups grows.

To create a new group, right-click on the OU and select New –> Group.


Give it a name, select the scope and the type, and click OK.


DOMAIN ADMINS VS ENTERPRISE ADMINS VS BUILTIN/ADMINISTRATORS GROUP

I have seen many times that the Enterprise Admins and Domain Admins groups have far too many members, and that organizations simply add every administrator and help desk technician to Enterprise Admins to make it easy for them to fix and configure the computers they administer. The big problem is that those employees then use their Enterprise Admin accounts to manage the network as well as to pick up e-mail and surf the web, so a single phishing mail or drive-by download hands an attacker the whole forest. Enterprise Admins should be empty and used only when configuring things that actually need enterprise admin permissions. Domain Admins should not have many members either; we should configure delegation instead of giving domain admin rights to every help desk member. Let us look at the difference between these groups.

DOMAIN ADMINS –> This group has complete and unrestricted access to the entire domain, including its DCs, and its members are able to log on to any PC or server that is a member of the domain, because the group is placed in the local Administrators group of every domain member when it joins. Keep in mind that Domain Admins is a global group and is limited to the domain it resides in; every domain in the forest has its own Domain Admins group. In the forest root domain its members can add themselves to Enterprise Admins and Schema Admins. Domain Admins in a child domain cannot edit those groups directly, but since domains within one forest are not a security boundary, compromising Domain Admins anywhere should still be treated as a forest-level incident.

With domain admin rights you can, for example, administer domain and DC group policy, manage domain users and computers, delegate rights within the domain, seize the domain-level FSMO roles (RID, PDC, Infrastructure), promote domain controllers (DCPROMO) and so on.

ENTERPRISE ADMINS –> This group exists only in the forest root domain and has full AD rights in every domain in the forest. It is a universal group, which means its members can come from any domain and it can be granted permissions in any domain. This group should contain no permanent members; add someone only for the duration of a task that needs it, and remove them afterwards.

With enterprise admin rights you can, for example: administer the AD schema (together with Schema Admins), install an enterprise certificate authority and manage certificate templates, authorize DHCP servers, create forest trust relationships, run forest preparation and manage the forest functional level, manage sites and services for all domains (creation of sites, site links and IP subnets), activate Terminal Services licensing, create and remove domains, seize the forest-level FSMO roles (Domain Naming, Schema), take ownership of any forest or domain resource, and so on.

BUILTIN ADMINISTRATORS –> Members of this group have full control of the domain and of all domain controllers in the domain. By default the Domain Admins and Enterprise Admins groups are members of Administrators, and the built-in Administrator account is a member as well. The Domain Admins group and the AD BUILTIN\Administrators group (not the local Administrators group on clients) effectively grant their members the same rights on the domain itself; the difference is that BUILTIN\Administrators is a domain local group, so it exists only on the DCs and cannot be used on member servers, while Domain Admins is a global group that is pushed into the local Administrators group of every domain-joined machine.
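An audit of who is really in these groups, nesting included, and which of those accounts look like daily-driver accounts (mailbox plus recent use), as an added example that is not part of the original post. It assumes the default group names in domain nm.com and uses the well-known RIDs so it works whatever the groups were renamed to; the "suspicious" heuristic and the 30-day threshold are illustrative choices, not a standard.

```powershell
# Added example (not from the original post): list the effective members of the
# privileged groups and flag accounts that look like they are also used for
# mail and browsing. Assumptions: domain nm.com; the heuristic thresholds are
# illustrative.

Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# Well-known RIDs: 512 Domain Admins, 519 Enterprise Admins (forest root only),
# 518 Schema Admins; S-1-5-32-544 is BUILTIN\Administrators.
$groups = @("$domainSid-512", "$domainSid-519", "$domainSid-518", 'S-1-5-32-544')

function Get-PrivilegedAccountReport {
    param([string[]]$GroupSids = $groups, [int]$DaysSinceLogon = 30)
    foreach ($sid in $GroupSids) {
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # e.g. EA/Schema Admins queried from a child domain
        # -Recursive flattens nested groups down to the actual principals.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties mail, LastLogonDate, PasswordLastSet, Enabled |
            ForEach-Object {
                [pscustomobject]@{
                    Group           = $group.Name
                    Account         = $_.SamAccountName
                    Enabled         = $_.Enabled
                    HasMailbox      = [bool]$_.mail
                    LastLogonDate   = $_.LastLogonDate
                    PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                    # Heuristic: a mail-enabled admin account used within the
                    # last month is very likely also used for mail and browsing.
                    Suspicious      = [bool]$_.mail -and ($_.LastLogonDate -gt (Get-Date).AddDays(-$DaysSinceLogon))
                }
            }
    }
}

$report = Get-PrivilegedAccountReport
$report | Sort-Object Group, Account | Format-Table -AutoSize

# Enterprise Admins should be empty; anything listed here is a finding.
$report | Where-Object { $_.Group -eq 'Enterprise Admins' }
```

Run it from a management machine with an account that can read the groups (any domain user can, by default), and keep the output: comparing this week's report with last week's is the cheapest privileged-group change detection you will get.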

 

ORGANIZATIONAL UNITS vs CONTAINERS

There is still a lot of misunderstanding when it comes to OUs and containers. They look almost the same, but they are not. A generic Active Directory container is identifiable by its plain folder icon. The most common containers that appear in ADUC by default are the Computers and Users containers. By default, any workstation or server that is joined to the domain is placed in the Computers container. The problem with a container is that you cannot link a Group Policy Object to it. You can of course link a GPO to the domain root and reach the container that way, but then every object in the domain, including all of your servers and domain controllers, gets that GPO applied too.

OUs –> are here to make our job as IT admins easier. The icon for an organizational unit is similar, except that a small book is superimposed on the folder. An OU behaves like a container, but it is the unit IT administrators work with: you can link GPOs to it, set permissions on it, delegate control of it and nest child OUs under it. OUs are used to segregate users, groups and computers by region, department or type of object, and that structure is what makes delegation and group policy targeting precise.

You can create a new OU by right-clicking on the domain name or on another OU. In this case I will create the new OU in the root of the domain and call it Helsingborg.


When I create that OU I have the option to protect it from accidental deletion. Under the hood this adds two Deny entries for Everyone (Delete and Delete Subtree) to the OU's ACL, which removes the ability to accidentally click and delete the entire organizational unit, with everything in it, at once. The checkbox in ADUC simply reflects whether those entries are present.


Notice how this OU now has the little box next to it. What you can do now is create additional sub-OUs and move computers and servers into them. You can create one for users, one for computers, one for groups and so on under the Helsingborg OU.


Change the default container for new computers joining our Active Directory domain.

As I said, any server or computer joined to our domain is automatically placed in the Computers container. There is a way to change this: get the distinguished name of the OU you want to be the new default and use the redircmp command (redirusr does the same for the Users container). It has to run as a Domain Admin and requires the domain functional level to be Windows Server 2003 or higher. Run an elevated PowerShell or command prompt and run

redircmp "OU=Helsingborg,DC=nm,DC=com"

This becomes particularly handy when I start applying group policy to that Helsingborg OU, because it ensures that every new computer ends up getting the group policy I have linked there. You can confirm the change with Get-ADDomain, whose ComputersContainer property now points at the OU.
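The OU section end to end in PowerShell, as an added example that is not part of the original post: creating a protected OU tree, showing the Deny entries that the "Protect from accidental deletion" checkbox actually writes, and redirecting the Computers container. It assumes the domain nm.com and the OU name Helsingborg from the post; the child OU names are illustrative.

```powershell
# Added example (not from the original post): protected OU tree, the ACL
# behind "Protect from accidental deletion", and redircmp.
# Assumptions: domain nm.com, OU Helsingborg as in the post; child OU names
# are illustrative.

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$siteOu   = "OU=Helsingborg,$domainDn"

# Protection is on by default for New-ADOrganizationalUnit; stating it keeps
# the intent visible when someone reads the script later.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Helsingborg)' -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Helsingborg' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($child in 'Users', 'Computers', 'Servers', 'Groups') {
    $name = "Helsingborg $child"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $siteOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $siteOu -ProtectedFromAccidentalDeletion $true
    }
}

# The checkbox is two Deny ACEs for Everyone (Delete, DeleteTree) on the
# object. Reading them back from the ACL is the real check.
function Get-DeletionProtectionAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference -eq 'Everyone' -and
            ($_.ActiveDirectoryRights -match 'Delete')
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}
Get-DeletionProtectionAces -DistinguishedName $siteOu

# Redirect the default Computers container to the computers sub-OU.
# Requires Domain Admins and domain functional level Windows Server 2003+.
redircmp "OU=Helsingborg Computers,$siteOu"

# Verify: the domain's wellKnownObjects pointer now names the new OU.
Get-ADDomain | Select-Object ComputersContainer, UsersContainer
```

Redirecting to an OU that already has GPOs linked means every newly joined machine receives them on first boot; make sure those GPOs are the baseline you want applied before the machine has even been looked at.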

 

USERS, GROUPS, OU WITH POWERSHELL

USERS

If you need to create only one user it does not matter which tool you use, but what if you get a CSV file with 1000 users? Creating those by hand would take days. I have a sample CSV with AD users that I downloaded from the internet.


We can import that CSV file and see what it looks like. The command to import a CSV is

Import-CSV <path>

If you take a look at the CSV file you will notice that it has FirstName and LastName columns, but if you run Get-ADUser you will notice that the PowerShell parameters are called GivenName and Surname. New-ADUser binds pipeline input by property name, so if you pipe this file in as-is you get user accounts without a first and last name.

HINT!!! This CSV file has Name and samAccountName columns; if you get a file without those fields you will need to add them or derive them. Name is mandatory for New-ADUser, and you should always set samAccountName explicitly, because it is what the user types as logon name, it must be unique in the domain and it cannot be longer than 20 characters.


Let us run this and see what it looks like in ADUC.


ADUC –> we can see our users, but as I said without first and last name. It is important to understand that you will not always be able, or have the time, to edit the CSV file, so you need to rename those fields on the fly.


One example would be

    # Map the CSV's FirstName/LastName columns onto the GivenName/Surname
    # parameter names that New-ADUser binds by property name.
    Import-Csv C:\Users\Administrator\Desktop\ADusers.csv |
        Select-Object *, @{n='GivenName'; e={ $_.FirstName }}, @{n='Surname'; e={ $_.LastName }} |
        New-ADUser -AccountPassword (ConvertTo-SecureString 'P@ssword10' -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true `
            -Path 'OU=Helsingborg Users,OU=Helsingborg,DC=NM,DC=COM'

In the second line we use calculated properties, written as hash tables with a name (n) and an expression (e). Our CSV file does not have GivenName and Surname columns, but we can add them on the fly from FirstName and LastName, and because New-ADUser takes those parameters from the pipeline by property name the users now get their proper names. Note two things about the password. Every user in the file gets the same initial password, which is why -ChangePasswordAtLogon $true is there: the shared value is only good for the first logon. And the password is sitting in clear text in the command, so it ends up in your PowerShell history file; clear that, or better, generate a unique password per user. This is just one way to fix the problem. It can be made more advanced and complex, but let us leave that for another day.

Let us say that we need to add a company name to all users in the Helsingborg OU. Doing this manually is not an option if we need to change it on many users, but PowerShell makes it fast: Get-ADUser with -SearchBase scoped to the OU, piped into Set-ADUser -Company. We can apply the same strategy to edit any attribute; Company is just the example.
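A bulk import that fixes the two weaknesses of the one-liner above (one shared initial password, and no handling of rows that are malformed or already exist), followed by the Company bulk edit just described, as an added example that is not part of the original post. It goes beyond the post by generating a unique random password per user and writing a result file for the onboarding handover. It assumes the CSV columns FirstName, LastName, Name and samAccountName from the post's sample file; paths and the company value are illustrative.

```powershell
# Added example (not from the original post): robust CSV import with a unique
# initial password per user, plus the bulk attribute edit.
# Assumptions: CSV columns FirstName, LastName, Name, samAccountName; target OU
# and company name are illustrative.

Import-Module ActiveDirectory

$csvPath   = 'C:\Users\Administrator\Desktop\ADusers.csv'
$outPath   = 'C:\Users\Administrator\Desktop\ADusers-result.csv'
$targetOU  = 'OU=Helsingborg Users,OU=Helsingborg,DC=nm,DC=com'
$upnSuffix = 'nm.com'

# Random initial password from a CSPRNG. One character from each class is
# guaranteed so the domain complexity policy is always met; the rest come
# from the combined alphabet and the result is shuffled.
function New-InitialPassword {
    param([int]$Length = 16)
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%&*+-=?@')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $pick = {
        param([string]$alphabet)
        $rng.GetBytes($buf)
        $alphabet[[int]([BitConverter]::ToUInt32($buf, 0) % $alphabet.Length)]
    }
    $chars = foreach ($s in $sets) { & $pick $s }
    $all = -join $sets
    $chars += for ($i = $chars.Count; $i -lt $Length; $i++) { & $pick $all }
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })
}

function Import-UsersFromCsv {
    param([string]$Path, [string]$OU)
    foreach ($row in Import-Csv -Path $Path) {
        $sam = "$($row.samAccountName)".Trim()
        $result = [ordered]@{ SamAccountName = $sam; Status = ''; InitialPassword = '' }
        if ([string]::IsNullOrWhiteSpace($sam) -or $sam.Length -gt 20) {
            $result.Status = 'skipped: invalid samAccountName'
        }
        elseif (Get-ADUser -Filter { sAMAccountName -eq $sam }) {
            $result.Status = 'skipped: already exists'
        }
        else {
            try {
                $plain = New-InitialPassword
                New-ADUser -Name $row.Name -SamAccountName $sam `
                    -UserPrincipalName "$sam@$upnSuffix" `
                    -GivenName $row.FirstName -Surname $row.LastName `
                    -Path $OU -Company 'NM AB' `
                    -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
                    -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
                $result.Status = 'created'
                $result.InitialPassword = $plain
            }
            catch {
                $result.Status = "failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$result
    }
}

$results = Import-UsersFromCsv -Path $csvPath -OU $targetOU
$results | Select-Object SamAccountName, Status | Format-Table -AutoSize

# The result file contains initial passwords: hand it over through a secure
# channel and delete it afterwards.
$results | Export-Csv -Path $outPath -NoTypeInformation

# Bulk attribute edit for everyone already in the OU (the Company example).
Get-ADUser -Filter * -SearchBase $targetOU | Set-ADUser -Company 'NM AB'
```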


If you are not familiar with PowerShell, be sure to learn these three commands first:

Get-Help

Get-Member

Get-command

 

AD GROUPS 

When it comes to groups we can use New-ADGroup to create new groups. We have options to specify the scope, the path, the category and so on. Example:

    New-ADGroup "Test Group" -GroupScope Global -GroupCategory Security `
        -Path "OU=Helsingborg Users,OU=Helsingborg,DC=NM,DC=COM"

To add group members you can use the Add-ADGroupMember cmdlet:

    Add-ADGroupMember -Identity "Test Group" -Members nedimm

Now what if you have 100 users in one group and you need all of those users in another group as well? The clean way is group nesting (passing the group object itself to -Members adds the group as a member). If you do not want nesting and really want a flat copy of the members, use Get-ADGroupMember for the source group, which returns the members rather than the group:

    # Flat copy: the members of "Office Users" become direct members of "Test Group".
    Add-ADGroupMember -Identity "Test Group" -Members (Get-ADGroupMember -Identity "Office Users")

    # Nesting instead: "Office Users" itself becomes a member of "Test Group".
    Add-ADGroupMember -Identity "Test Group" -Members (Get-ADGroup -Identity "Office Users")

The difference matters later: with nesting, people added to Office Users next month automatically get Test Group's access; with the flat copy they do not, and nothing will tell you the two groups have drifted apart.

These are only examples of how PowerShell can help us and why we need to know it.
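The AGDLP pattern from the group nesting section, done end to end with the cmdlets just shown, as an added example that is not part of the original post: accounts into a global group, the global group into a domain local group, and the NTFS permission granted to the domain local group only. It assumes the NetBIOS domain name NM, that the folder path exists on the machine where it runs, and illustrative group names.

```powershell
# Added example (not from the original post): AGDLP with PowerShell.
# Assumptions: NetBIOS domain NM, the Helsingborg Users OU from the post,
# illustrative group and folder names; D:\Shares\Finance exists locally.

Import-Module ActiveDirectory

$groupOU   = 'OU=Helsingborg Users,OU=Helsingborg,DC=nm,DC=com'
$roleGroup = 'HBG-Finance'               # global:       "who"  (people)
$aclGroup  = 'ACL-FinanceShare-Modify'   # domain local: "what" (one permission on one resource)
$folder    = 'D:\Shares\Finance'

function New-AdGroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
    }
    $g
}

$global = New-AdGroupIfMissing -Name $roleGroup -Scope Global      -Path $groupOU
$local  = New-AdGroupIfMissing -Name $aclGroup  -Scope DomainLocal -Path $groupOU

# A -> G: accounts go into the role (global) group
Add-ADGroupMember -Identity $global -Members 'nedimm'
# G -> DL: the role group is nested in the resource (domain local) group
Add-ADGroupMember -Identity $local -Members $global

# DL -> P: the NTFS ACE names the domain local group only, never a user
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "NM\$aclGroup", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: effective membership resolves through the nesting.
Get-ADGroupMember -Identity $local -Recursive | Select-Object Name, objectClass

# Check 2: no individual user principal is granted directly on the folder.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -notlike 'BUILTIN\*' -and $_.IdentityReference -notlike 'NT AUTHORITY\*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

A user who is added to HBG-Finance next month gets Modify on the share without anyone touching the ACL, and removing the person from that one group removes it again; a quarterly review only needs to read group memberships, not walk file systems.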

That is it. I hope this has been informative for you. The next part will focus on Operations Master roles (FSMO) and domain and forest functional levels.

Stay Tuned!

Cheers,

Nedim