Welcome to Our Comprehensive Active Directory Guide, which is specifically created for beginners. In this Guide, we will look at the fundamental ideas of Active Directory, with a focus on Active Directory Domain Services (AD DS). AD DS enables you to efficiently manage people and machines in your organization from a centralized repository.
In this Guide, we will use Active Directory Domain Services (AD DS), an Active Directory service that allows you to manage multiple users and computers from a single repository. We'll go over a variety of use scenarios, including object creation, control delegation, and security group creation. This guide covers the most important commands for creating and managing objects, as well as how to write a PowerShell script that creates users. The purpose of this article is to explain the benefits of Active Directory and how to use it in an IT environment. Whether you're new to IT or looking to improve your skills, this tutorial will give you the knowledge you need to manage Active Directory successfully.
Contents
- Important Definitions
- Installing Active Directory Domain Services (AD DS)
- Understanding Structure
- Creating OUs
- Creating Users
- Adding Computers
- Delegating Controls
- Creating Groups
- Deleting OUs
- Basic PowerShell Commands
- Creating Basic Accounts
- See The Properties Of A User
- Adding Information
- Locked Out Accounts
- Unlocking Accounts
- Simple User Creation PowerShell Script
Important Definitions
Windows domain: A domain is a collection of devices and users that are managed by a particular business.
Active Directory (AD): Domain administrators tend to centralize the domain into a single repository to make administration much easier. This is called Active Directory. Active Directory is useful when an organization has potentially hundreds of users and computers to manage.
Domain controller: The server that runs Active Directory and authenticates user credentials when a user attempts to log in.
Object: Any element that represents a resource. This can be a user, computer, printer, or group.
Installing Active Directory Domain Services (AD DS)
Note: If you are using VirtualBox, change the network from NAT to a bridged adapter, or to a NAT network if you are only using VMs.
Step 1: Download Windows Server — https://www.microsoft.com/en-ca/windows-server. Be sure to download the GUI version during installation.
Step 2: Follow these Steps — “Server Manager” > Select “Manage” > “Add Roles and Features” > “Next” > “Role-Based or Feature-based Installation” > “Next” > Select the Server (We Only Have One For Now) > “Next” > Checkbox “Active Directory Domain Services” > “Next” > Finish Up The Installation.
Step 3: Click on the flag with the yellow triangle at the top and select “Promote this server to a domain controller”.
Step 4: Click “Add a New Forest” > Name Your Root Domain. I will Name It “educate.com” > “Next” > Type The Password for DSRM (Directory Services Restore Mode; This is Used for Repairing and Recovery) > “Next” > Name Your NetBIOS Name (Typically the First Part of the DNS Domain Name). I’ll Name It “EDUCATE” > “Next” > Finish up the Installation > Restart Your Computer.
Step 5: From the Server Manager, go onto: “Tools” > “Active Directory Users and Computers”. You Can also Search it up from the Windows Taskbar.
Understanding Structure
On the left, you'll see organized folders for users, computers, and domain groups. These folders containing objects are known as Organizational Units (OUs). OUs are used to organize things with comparable responsibilities. For example, you may have one OU for the sales department and another for the IT department. Remember that objects (users, computers, and groups) can only belong to one OU at a time in a domain. You may also move things by right-clicking and selecting "move" or by pressing Ctrl + x, Ctrl + v.
You can also make an OU inside of another OU. This is called a child OU and is used to structure it into a neat format.
Creating OUs
Step 1: Right Click on “educate.com” (the domain) > “New” > “Organizational Unit”. We’ll call it “educate”.
Step 2: Right Click on “educate” and Create 3 Child OUs. Name them “IT support”, “Sales”, and “Marketing”. These will be our Departments to which We Will Assign Users.
Creating Users
To Manage Users, We First Need to Make the User.
Step 1: Right click on the Sales Department OU > “New” > “User”.
Step 2: I'm Naming My User “Batman Night”. The User Logon Name Will be “Batman.Night” (Firstname.Lastname Naming Convention).
Step 3: Create a password for your user and require them to change it at the next logon. Repeat steps 1, 2, and 3 for the IT support and Marketing departments. IT support’s user will be called “Spider Man” and Marketing’s user will be called “Wonder Woman”.
Congratulations, You’ve Created Users! Let's go over what you can do with them.
Here are some of the Useful Settings:
Account: Logon hour management, account expiration, force password change, change username, disable and enable accounts, reset accounts.
Remote control: Control or observe a user’s session.
Sessions: Manage Sessions.
Adding Computers
When a Computer Connects to a Domain, it should Automatically be added to Active Directory.
Step 1: Go to the client computer you want to join > “Control Panel” > “Network and Internet” > “Network Connections”
Step 2: Right Click on Your Connection > “Properties”
Step 3: Double click on “Internet Protocol Version 4 (TCP/IPv4)” > Click on “Use the following DNS server addresses:”.
Step 4: Type in Your Domain Controller’s IP Address (Note: To find the IP address, go onto Command Prompt in the Domain Controller and Type in “Ipconfig” and Locate the IPv4 Address) > Click “OK”.
Now to Connect to the Domain:
Step 5: Go to Your “Settings” > Select “System” > “About” > “Advanced System Settings” > “Computer Name” > “Change” > “Domain”. Type in educate.com (or Whatever You Named Your Domain). You May Also Change the Computer Name (I’ll name it “Knight”) > “OK” > Type in the Domain Admin’s Username and Password > Restart Your Computer. (Note: if you are having trouble connecting, disable “Internet Protocol Version 6 (TCP/IPv6)”.)
Step 6: Go back to “Active Directory Users and Computers” and click on the “Computers” OU.
You Should See that Your Computer has been Connected.
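The same client-side steps, done from an elevated PowerShell prompt on the client, as an added example that is not part of the original guide. It also checks the one thing that most often breaks a domain join before attempting it: whether the client can resolve the domain controller locator record through the DNS server it was just given. The domain and computer names are the ones used in this guide; the adapter name and domain controller address are placeholders.

```powershell
# Added example (not from the guide): client-side DNS setup, a pre-join DNS check, and the join itself.
$domain  = 'educate.com'
$newName = 'Knight'
$adapter = 'Ethernet'      # placeholder: run Get-NetAdapter on the client to find the real name
$dcIp    = '192.0.2.10'    # placeholder: the domain controller's IPv4 address from ipconfig on the DC

# Steps 1-4: point the client's DNS at the domain controller
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dcIp

# Check: a domain join locates a DC through this SRV record, which only the DC's own DNS zone serves.
# If this fails, the join will fail too, whatever the IPv6 setting is.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "Cannot resolve the domain controller SRV record for $domain; fix the DNS server setting before joining."
}
$dcs = ($srv | Where-Object NameTarget | Select-Object -ExpandProperty NameTarget) -join ', '
"Domain controller(s) advertised in DNS for ${domain}: $dcs"

# Step 5: join the domain, rename the computer and reboot. The credential is prompted for, never stored in the script.
$cred = Get-Credential -Message "Enter a domain account that is allowed to join computers to $domain"
Add-Computer -DomainName $domain -NewName $newName -Credential $cred -Restart

# After the reboot, on the client (logged on as a domain user):
#   Test-ComputerSecureChannel -Verbose    # confirms the machine account's trust with the domain
# And on the domain controller (Step 6, without opening the console):
#   Get-ADComputer -Identity 'Knight' -Properties OperatingSystem, Created
```

The SRV check is worth keeping even outside a lab: when a workstation's DNS points at a public resolver instead of the domain controller, the join error message is about the domain "not being found", and this query shows the real cause in one line.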
Delegating Controls
The delegate control option allows users to handle certain OUs with precise permissions without the need for an administrator to be present. For example, a user from IT support may have delegation rights over the sales department to reset passwords.
Step 1: To Set it up, Right Click on the “Sales” OU and Click on Delegate Control > Click “Add” and Type in “Spider Man” > Click the “Check Names” and it Should Auto Fill the Account > Click “OK” > Select “Reset User Passwords and Force Password Change at Next Login”. Spider Man Can Now Change Passwords for the Sales Department Users.
Let’s Change Batman Night’s Password.
Step 2: Log into Spider Man’s Account (Username: Spider.Man) on the Domain Controller. We Will be Using PowerShell since Spider Man Doesn't Have Access to AD DS. Type in the Following Command:
Set-ADAccountPassword Batman.Night -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Log into Batman to Confirm.
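Delegations granted through the wizard are easy to forget and hard to see in the console, so here is an added example (not from the original guide) that reads the Sales OU's access control list and shows exactly what the delegated account can do. The ACL stores attributes and extended rights as GUIDs; the function resolves them to names from the schema and configuration partitions. It assumes the ActiveDirectory module, the OU path and the “EDUCATE\Spider.Man” account from this guide.

```powershell
# Added example (not from the guide): audit what a delegated account holds on an OU.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,      # distinguished name of the OU
        [Parameter(Mandatory)] [string] $Identity   # "DOMAIN\logon name" of the delegated account
    )

    # Build a GUID -> name table: attributes and classes come from the schema partition,
    # extended rights such as "Reset Password" from the configuration partition.
    $root  = Get-ADRootDSE
    $names = @{}
    Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase $root.ConfigurationNamingContext -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties rightsGuid, displayName |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }

    # The ActiveDirectory module exposes the directory as the AD: drive, so Get-Acl reads the OU's DACL.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            # An empty GUID means the ACE is not scoped to one attribute/right or one object class.
            $on = if ($_.ObjectType -eq [guid]::Empty) { '(all attributes/rights)' } else { $names[$_.ObjectType] }
            $to = if ($_.InheritedObjectType -eq [guid]::Empty) { '(this OU and all child objects)' } else { $names[$_.InheritedObjectType] }
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                On        = $on
                AppliesTo = $to
                Inherited = $_.IsInherited
            }
        }
}

Get-OuDelegation -OuDn 'OU=Sales,OU=educate,DC=educate,DC=com' -Identity 'EDUCATE\Spider.Man' |
    Format-Table -AutoSize
```

For the delegation from Step 1 you should see two entries scoped to user objects: an ExtendedRight on “Reset Password” and a WriteProperty on “pwdLastSet” (the attribute behind “force password change at next logon”). Anything beyond that means the account has picked up more than intended and is worth reviewing.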
Creating Groups
Groups collect users so that access to a resource can be granted once to the group instead of to each user individually. The difference between groups and GPOs is that groups give users access to resources, whereas GPOs apply policies to objects.
Step 1: Add Another User to the Marketing OU. I’ll Name it “Hulk Smash”.
Step 2: Left Click on the OU > “New” > “Group”.
We can see three possibilities in the Group scope: Domain Local, Global, and Universal. "Domain local" indicates that the group will only contain users from the domain. "Global" allows us to add users from any domain across the entire forest. "Universal" allows you to pick users from multiple forests that have established a trust with one another, for example after acquiring another company.
The Group Type menu contains two options: Security and Distribution. Security groups are used to grant objects access to resources such as shared files. Distribution groups are used as email distribution lists when you have an email server.
Step 3: Create a Global Security Group in the Marketing OU. I’ll Name it “heroes”.
Step 4: Double Click “heroes” > “Members” > “Add” > Add Hulk Smash and Check the Name > Click “OK” (Note: You can also Add a Group to a Group in the “member of” tab). Repeat the Same for Wonder Woman.
Step 5: Go to Your “file explorer” > “documents” > Create a File Named “Villains” > Create a Text File Named “test.txt”.
Step 6: “Properties” of the File > “Security” > “Edit” > “Add” > Add “heroes” > “Check name” > “OK” > Checkbox “Full Control” > Click “Apply”.
Step 7: “Properties” of the File > “Sharing”> “Advanced Sharing” > Make Sure to Remember Your Network Path (mine is \\WIN\villains) > “Permissions” > “Add” > Type in “heroes” > “Check name” > “OK” > Checkbox “Full Control” > Click “Apply”.
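Steps 1 through 7 as PowerShell, added here as an example and not part of the original guide, so the group, its members, the NTFS permission and the share can be set up and then verified in one pass. It assumes the ActiveDirectory module on the server, the Marketing OU path and NetBIOS name from this guide, and logon names following the guide's Firstname.Lastname convention; the folder path is an assumption.

```powershell
# Added example (not from the guide): group, membership, NTFS permission and SMB share for "heroes".
Import-Module ActiveDirectory

$groupName = 'heroes'
$groupOu   = 'OU=Marketing,OU=educate,DC=educate,DC=com'
$members   = 'Hulk.Smash', 'Wonder.Woman'   # assumed logon names (Firstname.Lastname convention)
$folder    = 'C:\Shares\Villains'           # assumed path; the guide uses a Villains folder under Documents
$shareName = 'villains'                     # share name from the guide's \\WIN\villains
$domainNb  = 'EDUCATE'                      # NetBIOS name chosen when the forest was created

# Step 3: global security group in the Marketing OU (only if it does not exist yet)
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupOu)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
}

# Step 4: add the members; Add-ADGroupMember skips members that are already present
Add-ADGroupMember -Identity $groupName -Members $members

# Steps 5-6: create the folder and grant the group an NTFS right that inherits to everything inside it.
# The guide grants Full Control; Modify lets members read, create, edit and delete files but, unlike
# Full Control, does not let them change permissions or take ownership of the folder.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domainNb\$groupName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 7: share the folder. Share and NTFS permissions combine and the more restrictive one wins,
# so "Change" at the share level pairs with "Modify" on NTFS.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $folder -ChangeAccess "$domainNb\$groupName" | Out-Null
}

# Check the result: who is in the group, and what both permission layers say
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName, objectClass
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
Get-SmbShareAccess -Name $shareName
# From the client, a member of "heroes" can now open \\<server>\villains in File Explorer.
```

Granting to the group rather than to Hulk Smash and Wonder Woman directly is the point of the exercise: when someone joins or leaves Marketing, only the group membership changes and the folder and share permissions stay as they are.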
Go Onto Your Client Host > “files” > “network” > Type in Your Network Path into the Location.
Deleting OUs
Step 1: Create An OU called “deleteme” Under “educate”.
Step 2: Click “View” at the top > “Advanced Features” > Right Click on “deleteme” > “Properties” > “objects” > Uncheck “Protect object from accidental deletion” > Click “Apply”.
Step 3: Delete the “deleteme” OU.
Basic PowerShell Commands
See the Available Commands Related to Active Directory and Their Syntax:
Get-Command *aduser
Get-Command *adcomputer
Get-Command *-AD*
Creating Basic Accounts
New-ADUser -SamAccountName Mini.Mouse -GivenName Mini -Surname Mouse -UserPrincipalName Mini.Mouse@educate.com -AccountPassword (Read-Host -AsSecureString "Type in password") -Enabled $true
See The Properties Of A User
Get-ADUser Mini.Mouse -Properties *
Adding Information
Set-ADUser Mini.Mouse -Country CA
Get-ADUser Mini.Mouse -Properties Country
Locked Out Accounts
None Are Locked Out So It Should Return Nothing.
Search-ADAccount -LockedOut
Unlocking Accounts
It’s Already Unlocked So Nothing Will Happen.
Unlock-ADAccount Mini.Mouse
Use this link from Microsoft to learn the syntax. For example, you can force a password change at the next logon with the parameter:
-ChangePasswordAtLogon $true
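Unlocking an account without knowing why it locked usually means it locks again a few minutes later. The following added example (not from the original guide) builds on Search-ADAccount and Unlock-ADAccount from the two sections above: it lists locked-out users with their lockout details and, from the security log, the computer the failed logons came from. It assumes the ActiveDirectory module and a domain controller you can read the Security event log from.

```powershell
# Added example (not from the guide): lockout triage before unlocking.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([string]$SamAccountName, [string]$Pdc)
    # Event 4740 ("A user account was locked out") records the caller computer. It requires
    # "Audit User Account Management" success auditing, which domain controllers have on by default.
    $events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                           -MaxEvents 200 -ErrorAction SilentlyContinue
    $hit = $events | Where-Object { $_.Properties[0].Value -eq $SamAccountName } | Select-Object -First 1
    if ($hit -and $hit.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }
}

function Get-LockoutReport {
    # badPwdCount and lockoutTime are not replicated between domain controllers, but every
    # failed logon is forwarded to the PDC emulator, so query that DC rather than a random one.
    $pdc    = (Get-ADDomain).PDCEmulator
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc

    Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
        Get-ADUser -Server $pdc -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
        ForEach-Object {
            # A LockoutDuration of 0 in the policy means "locked until an administrator unlocks it"
            $unlockAt = if ($policy.LockoutDuration -eq [TimeSpan]::Zero) { 'manual unlock required' }
                        else { $_.AccountLockoutTime + $policy.LockoutDuration }
            [pscustomobject]@{
                User         = $_.SamAccountName
                LockedAt     = $_.AccountLockoutTime
                LastBadLogon = $_.LastBadPasswordAttempt
                BadAttempts  = $_.BadLogonCount
                AutoUnlockAt = $unlockAt
                Source       = Get-LockoutSource -SamAccountName $_.SamAccountName -Pdc $pdc
            }
        }
}

# Review first; the "Source" column is what needs fixing (a saved old password, a scheduled task,
# a mapped drive), otherwise the account will simply lock again.
Get-LockoutReport | Format-Table -AutoSize

# Then unlock the accounts you have explained, against the same DC the report came from:
# Unlock-ADAccount -Identity 'Mini.Mouse' -Server (Get-ADDomain).PDCEmulator
```

In the lab from this guide the report is empty, as the section above says. On a real domain a single user locking out repeatedly from one workstation is a stale credential; many users locking out at once from one source is something to escalate rather than unlock.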
Simple User Creation PowerShell Script
Open PowerShell ISE:
# Load the Active Directory cmdlets (New-ADUser etc.)
Import-Module ActiveDirectory

# Read the details for the new user; the password is read as a SecureString, never as plain text
$firstname = Read-Host -Prompt "Please enter your first name"
$lastname  = Read-Host -Prompt "Please enter your last name"
$password  = Read-Host -AsSecureString -Prompt "Please enter your password"
$email     = Read-Host -Prompt "Please enter your email"
$country   = Read-Host -Prompt "Please enter your country's ISO code"

# Create the user in the Sales OU; the backtick continues the command on the next line
New-ADUser `
    -Name "$firstname $lastname" `
    -GivenName $firstname `
    -Surname $lastname `
    -UserPrincipalName "$firstname.$lastname@educate.com" `
    -SamAccountName "$firstname.$lastname" `
    -EmailAddress $email `
    -Country $country `
    -AccountPassword $password `
    -Path "OU=Sales,OU=educate,DC=educate,DC=com" `
    -ChangePasswordAtLogon $True `
    -Enabled $True
Refer to the above code: we begin by importing the Active Directory module and defining variables that read the input. The password must be read with the -AsSecureString option.
We next create a new Active Directory user and use the various parameters to add information, passing the variable associated with each parameter. Keep in mind that quote marks are required when there is a space in a string, but not otherwise.
To avoid one long line, we can use the grave accent key (`) at the end of a line to continue the command on the following line.
In Order to Get the Path, go to: “Active Directory Users and Computers” > “View” > “Advanced Features” > “Properties” of the desired OU > “Attribute Editor” > “Distinguished Name”.
Feel Free to Add More Information to the Code Such as the Employee ID, Telephone, or Postal Code.
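The script above creates one user interactively. As an added example that is not part of the original guide, here is the same New-ADUser call driven from a CSV, which is how it is usually done once there is more than a handful of accounts. It goes beyond the guide's script in three ways a practitioner wants before running it against a real domain: it checks that the logon name is within the 20-character limit and not already taken, checks that the target OU exists, and generates a random one-time initial password instead of typing one. It assumes the ActiveDirectory module and the OU layout from this guide; the CSV rows are constructed sample data and the Department column picks the child OU.

```powershell
# Added example (not from the guide): bulk user creation with validation.
Import-Module ActiveDirectory

$domainDns = 'educate.com'
$baseOu    = 'OU=educate,DC=educate,DC=com'

function New-InitialPassword {
    param([int]$Length = 16)
    # 64 characters, so byte % 64 is unbiased; ambiguous l/I/O/0/1 left out to ease typing
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%&*+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # keep only passwords that meet the default domain complexity rule (3 of 4 character classes)
        $classes = [int]($pw -cmatch '[a-z]') + [int]($pw -cmatch '[A-Z]') +
                   [int]($pw -match '[0-9]')  + [int]($pw -match '[^a-zA-Z0-9]')
    } while ($classes -lt 3)
    $pw
}

# Constructed sample input; in practice use: $users = Import-Csv -Path .\users.csv
$users = @'
FirstName,LastName,Department,Email,Country
Clark,Kent,Sales,clark.kent@educate.com,US
Diana,Prince,Marketing,diana.prince@educate.com,CA
'@ | ConvertFrom-Csv

foreach ($u in $users) {
    $sam  = "$($u.FirstName).$($u.LastName)"
    $ouDn = "OU=$($u.Department),$baseOu"

    # sAMAccountName is limited to 20 characters and must be unique in the domain
    if ($sam.Length -gt 20) { Write-Warning "$sam is longer than 20 characters; skipping"; continue }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { Write-Warning "$sam already exists; skipping"; continue }

    # New-ADUser fails if -Path points at an OU that does not exist, so check it first
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
        Write-Warning "OU $ouDn does not exist; skipping $sam"; continue
    }

    $initial = New-InitialPassword
    $params  = @{
        Name                  = "$($u.FirstName) $($u.LastName)"
        GivenName             = $u.FirstName
        Surname               = $u.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$domainDns"
        EmailAddress          = $u.Email
        Country               = $u.Country
        Path                  = $ouDn
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true      # the initial password works exactly once
        Enabled               = $true
    }
    New-ADUser @params

    # Returned so the operator can hand the one-time password over through a secure channel
    [pscustomobject]@{ SamAccountName = $sam; OU = $ouDn; InitialPassword = $initial }
}
```

Splatting (`@params`) replaces the backtick continuations of the script above with a hashtable, which is easier to extend with the employee ID, telephone or postal code fields mentioned in this section: add a column to the CSV and a matching key to the hashtable.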
Congratulations! You've learnt the fundamentals of Active Directory. To summarize, this beginner's guide to Active Directory has provided a solid grasp of this critical technology in the realms of IT and cybersecurity. Learning about its fundamental ideas, such as domains, forests, organizational units, and group policy, is the first step toward efficiently managing and securing your organization's resources. As you continue to investigate the complexities of Active Directory, remember that practice and hands-on experience are essential for learning this powerful tool. Whether you are a cybersecurity enthusiast, an IT professional, or a student pursuing a career in technology, understanding Active Directory can help you navigate today's complicated digital landscape. So, keep researching, learning, and using the potential of Active Directory to shape the future of your organization's IT infrastructure.
Stay Informed, Stay Safe!