Creating Organizational Units, Accounts, and Groups - Tom Brett - PDF document (slide deck)

SLIDE 1 (21/05/2013)

Creating Organizational Units, Accounts, and Groups

Tom Brett

Active Directory Users and Computers (ADUC)

  • After installing AD DS, the next task is to create your Organizational Units, users, groups, etc.
    – The primary tool you'll use is Active Directory Users and Computers (ADUC). This is a GUI application with a point-and-click interface.
    – You can also complete the same tasks from the command line (dsadd, dsmod and so on) or from PowerShell.
  • If you're running Server Core, you won't have access to ADUC locally: you either use the command-line tools on the server itself, or run ADUC from another machine that has the Remote Server Administration Tools (RSAT) installed.
  • Anything that can be entered from the command line can be scripted.

SLIDE 2

LAB : NAVIGATING ACTIVE DIRECTORY USERS AND COMPUTERS (ADUC)

  • Launch Active Directory Users and Computers by selecting Start - Administrative Tools - Active Directory Users and Computers.
  • Active Directory Users and Computers opens.
SLIDE 3

  • Expand your domain.
    – This exposes the containers for the different objects.
  • Select Builtin.
    – This shows you the predefined security groups within AD DS (for example Administrators, Account Operators and Backup Operators, which carry rights on the domain controllers themselves).
  • Click Computers.
    – You will notice that there are presently no computers set up. This container is where computer accounts are placed by default when a machine joins the domain.

SLIDE 4

  • Click Domain Controllers. In ADUC you will now see that there are two domain controllers there (in the lab environment); domain controller computer accounts live in this OU rather than in Computers.
  • Click Foreign Security Principals.
    – No security principals exist yet (this will be explained later). This container holds placeholder objects for accounts from trusted external domains once they are added to groups in this domain.
  • Click Managed Service Accounts.
    – Again, this is currently blank.
SLIDE 5

  • Select Users.
    – This displays the prebuilt users and security groups (Administrator, Guest, Domain Admins, Domain Users and so on).

ORGANIZATIONAL UNITS

  • Organizational units are used to organize objects within Active Directory.
  • Any objects (such as users, computers, groups, and so on) can be placed within an OU to make them easier to administer.

SLIDE 6

  • The two primary technical reasons why you'll create an OU:
    – Management through Group Policy
    – Administrative delegation
  • It's common for administrators to create OUs to match each department in their organization, or to create OUs to group users with similar responsibilities.

OU Management Through Group Policy

  • Group Policy objects (GPOs) can be created and linked to sites, domains, and OUs.
  • If you want some users to have a specific Group Policy applied to them, you can create an OU, place the accounts within the OU, and link the GPO to the OU.

OU Administrative Delegation

  • The second technical reason to create an OU is delegation: permissions on the OU (for example the right to reset passwords or create user objects) can be granted to a group such as a departmental helpdesk without giving that group any rights over the rest of the domain.

SLIDE 7

LAB : CREATING OUs WITH ADUC

  • Launch Active Directory Users and Computers by selecting Start - Administrative Tools - Active Directory Users and Computers.
  • Right-click the domain, and select New - Organizational Unit.

SLIDE 8

  • Enter Sales as the name of the OU in the text box.
  • Ensure the check box "Protect container from accidental deletion" is selected.
  • Click OK.
  • Note:
    – "Protect container from accidental deletion" is a neat feature that prevents anyone (even administrators) from accidentally deleting an object. Under the hood it adds Deny entries for Everyone for Delete and Delete Subtree on the object, which is why a delete attempt fails with an access-denied error even for a Domain Admin.
    – If you really want to delete an object, you still can.
  • Modify this setting by selecting View - Advanced Features in ADUC, opening the properties of the object, selecting the Object tab, and deselecting the "Protect object from accidental deletion" option.
  • Then you can delete the object.
  • The new Organizational Unit is created.
SLIDE 9

  • It's also possible to create child OUs.
  • Right-click the Sales OU you just created, and select New - Organizational Unit.
  • Type in Users for the name, and click OK.
  • The nested Organizational Unit appears within Sales.

SLIDE 10

  • You now have two Users objects within Active Directory.
  • They are very different from each other:
    – The Users OU within the Sales OU is an OU (objectClass organizationalUnit) and can have GPOs linked to it.
    – The Users container under the domain is only a container (objectClass container, not an OU) and cannot have GPOs linked to it; accounts left in it only receive the GPOs linked at the domain and site level.
  • OUs have a slightly different icon to identify them: it's not just a folder but a folder with a small icon embedded on the front, reminding you it's something more.

ACTIVE DIRECTORY NAMING STANDARDS

SLIDE 11

  • Active Directory uses the Lightweight Directory Access Protocol (LDAP) for communication.
  • LDAP uses a distinguished name (DN) to uniquely identify each object within the directory.
  • Since its introduction, LDAP has become a de facto standard which enables data exchange between directory services and applications.
  • LDAP defines the naming of all objects in the Active Directory database.
  • It therefore provides a directory that can be integrated with other directory services and with directory-aware applications.
    – For example Novell eDirectory, and Active Directory applications like Exchange.

SLIDE 12

  • LDAP refers to an object using its Distinguished Name (DN).
  • The DN references each object in the Active Directory database using its entire hierarchical path, starting with the object itself and going up to the root of the domain.
  • LDAP defines the naming attributes that identify each part of the object's name:

    Object Class             | LDAP Naming Attribute | Definition of Naming Attribute
    User or any leaf object  | CN                    | Common Name
    Organizational Unit      | OU                    | Organizational Unit Name
    Domain                   | DC                    | Domain Component. One for each part of the DNS name

  • The format of a DN uses objectType=objectName, with several object types separated by commas.
    – It is best not to use spaces in the Distinguished Name: spaces between the components are not needed, and any space forces you to quote the DN on the command line (see the next slide).
    – LDAP is not case sensitive: CN, cn and Cn are the same attribute type, and Active Directory also matches the values of a DN without regard to case.
  • If we have a user jsmith, their distinguished name could be
    – cn=jsmith,ou=sales,dc=ipa,dc=com

SLIDE 13

  • An account with a name of Sally.Smith located in the Sales OU would have this DN:
    – cn=Sally.Smith,ou=Sales,dc=bigfirm,dc=com
  • An account with a name of Joe.Johnson located in the Users container would have this DN:
    – cn=Joe.Johnson,cn=Users,dc=bigfirm,dc=com
  • If OUs are nested, or have OUs within them, the lowest-level OU comes first in the DN.
    – For example, if the Sales OU had a child OU named Users and then had a user named Maria within it, the DN would be as follows:
      • cn=Maria,ou=Users,ou=Sales,dc=bigfirm,dc=com

The use of spaces in LDAP Distinguished Names

  • If the DN includes any spaces, it needs to be enclosed in quotes so that the command shell passes it as a single argument and it is interpreted correctly. This applies both to spaces after the commas and to spaces inside a value (for example cn=Joe Bloggs).
    – For example, this doesn't require quotes because there are no spaces:
      • cn=Maria,ou=Users,ou=Sales,dc=bigfirm,dc=com
    – However, the same DN with spaces must include quotes:
      • "cn=Maria, ou=Users, ou=Sales, dc=bigfirm, dc=com"
  • Quoting is a shell concern and is separate from LDAP escaping. A value that itself contains a comma, plus sign, double quote, backslash, semicolon or angle bracket, or that starts with # or starts or ends with a space, must have that character escaped with a backslash inside the DN (cn=Smith\, John), whether or not the whole DN is quoted.
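As an added example (not part of the original slides), the PowerShell below builds a DN from its parts the way the two slides above describe: the leaf first, the nested OUs lowest-level first, then one DC= component per DNS label, with the RFC 4514 escaping applied to each value. It needs no Active Directory module, so it runs on any machine; the function names are illustrative.

```powershell
# Escape one RDN value (the part after CN=, OU= or DC=) per RFC 4514.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash-escape the characters that are special inside a value:
    # , + " \ < > ;  and then a leading '#' and a leading or trailing space.
    $escaped = $Value -replace '([\\,+"<>;])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) {
        $escaped = '\' + $escaped
    }
    if ($escaped.EndsWith(' ')) {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

# Assemble a DN for a leaf object. Illustrative function; not an AD cmdlet.
function New-ExampleDistinguishedName {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$OrganizationalUnitPath = @(),   # top-down, e.g. 'Sales','Users'
        [string]$Container,                         # e.g. 'Users' for the built-in container
        [Parameter(Mandatory)][string]$DnsDomain    # e.g. 'bigfirm.com'
    )
    $rdns = New-Object System.Collections.Generic.List[string]
    $rdns.Add('CN=' + (ConvertTo-EscapedRdnValue $CommonName))
    # A container (not an OU) is addressed with CN=, exactly like the Users container.
    if ($Container) { $rdns.Add('CN=' + (ConvertTo-EscapedRdnValue $Container)) }
    # The lowest-level OU comes first in the DN, so walk the top-down list backwards.
    for ($i = $OrganizationalUnitPath.Count - 1; $i -ge 0; $i--) {
        $rdns.Add('OU=' + (ConvertTo-EscapedRdnValue $OrganizationalUnitPath[$i]))
    }
    # One DC= component for each part of the DNS name.
    foreach ($label in $DnsDomain.Split('.')) {
        $rdns.Add('DC=' + (ConvertTo-EscapedRdnValue $label))
    }
    return ($rdns -join ',')
}

# The three cases from the slides, plus a value that needs escaping.
New-ExampleDistinguishedName -CommonName 'Sally.Smith' -OrganizationalUnitPath 'Sales' -DnsDomain 'bigfirm.com'
New-ExampleDistinguishedName -CommonName 'Joe.Johnson' -Container 'Users' -DnsDomain 'bigfirm.com'
New-ExampleDistinguishedName -CommonName 'Maria' -OrganizationalUnitPath 'Sales','Users' -DnsDomain 'bigfirm.com'
New-ExampleDistinguishedName -CommonName 'Smith, John' -OrganizationalUnitPath 'Sales' -DnsDomain 'bigfirm.com'
```

The first three calls reproduce the DNs on the slides. The last one shows why escaping matters: without the backslash, the comma in "Smith, John" would be read as a component separator and the DN would be parsed as an extra, meaningless RDN. The string still has to be quoted when it is handed to dsadd, because of the space.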

SLIDE 14

CREATING OUs WITH DSADD

  • You can use dsadd to create a variety of different Active Directory objects.
    – You need to execute the dsadd command from the command line.
    – Although it's easiest to run the command on a domain controller, you can also run it from other locations (a machine with the AD DS administration tools installed) by specifying the -s (server) or -d (domain) parameter.
  • In the command prompt you can enter dsadd /? to view the help on dsadd.

SLIDE 15

  • Imagine you had a bunch of clowns in your organization that you wanted to manage using Group Policy.
  • The following command can be entered from the command line to create an OU named Clowns in the bigfirm.com domain.
  • Notice the DN is ou=Clowns,dc=bigfirm,dc=com.
    – dsadd ou "ou=Clowns,dc=bigfirm,dc=com"

LAB : USING DSADD TO CREATE AN ORGANIZATIONAL UNIT

  • Here we wish to add an OU called Service in Active Directory.
  • Open the command prompt on the DC and enter the following:
    – dsadd ou "ou=Service,dc=tombrett,dc=local"
  • Obviously, replace the DC components to match your infrastructure.

SLIDE 16

  • When you press Enter the OU is added (dsadd reports success followed by the DN).
  • If you receive an error, check the syntax and the structure: the parent named in the DN must already exist, and the DN must be quoted if it contains spaces.
  • Review Active Directory Users and Computers to see if it was successful.
  • Active Directory objects can also be created using PowerShell (the ActiveDirectory module, shipped with Windows Server 2008 R2) and Windows Script Host (VBScript).
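As an added example (not part of the original slides), the same Sales and Sales\Users OUs from the ADUC lab created with the ActiveDirectory PowerShell module, with the accidental-deletion protection set and then checked. It runs on a domain controller or on a machine with RSAT; the domain DN is read from the machine's own membership rather than hard-coded, and the OU names are the lab's.

```powershell
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=tombrett,DC=local
$salesDn  = "OU=Sales,$domainDn"

# Parent OU, protected from accidental deletion (the ADUC check box).
# -Filter returns nothing (rather than an error) when the OU does not exist.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$salesDn'")) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Nested child OU: -Path is the parent OU's DN, so the result is OU=Users,OU=Sales,...
$usersOuDn = "OU=Users,$salesDn"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$usersOuDn'")) {
    New-ADOrganizationalUnit -Name 'Users' -Path $salesDn -ProtectedFromAccidentalDeletion $true
}

# Confirm the protection flag took on the new child OU.
Get-ADOrganizationalUnit -Identity $usersOuDn -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# The two "Users" objects are different classes; only the organizationalUnit
# can have a GPO linked to it.
Get-ADObject -Identity "CN=Users,$domainDn" | Select-Object Name, ObjectClass
Get-ADObject -Identity $usersOuDn           | Select-Object Name, ObjectClass

# Deleting a protected OU is deliberately a two-step job: clear the flag on the
# OU and on every protected child, then delete. -Recursive is needed because
# Sales still contains the Users OU. Left commented out so the lab OUs survive.
# Set-ADOrganizationalUnit -Identity $usersOuDn -ProtectedFromAccidentalDeletion $false
# Set-ADOrganizationalUnit -Identity $salesDn   -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $salesDn -Recursive -Confirm:$false
```

The Get-ADObject calls print organizationalUnit for the new OU and container for the built-in Users container, which is the distinction slide 10 makes about where GPOs can be linked.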

SLIDE 17

USER ACCOUNTS

  • With a user account, you can:
    – Allow or deny users to log on based on their identity
    – Grant users access to processes and services
    – Manage users' access to resources
  • A user account is an object that contains all of the information that defines a user in Windows Server 2008 R2.

CREATING ACCOUNTS

SLIDE 18

  • Both users and computers need accounts in order to access the domain.
  • Just as with OUs, you can use either Active Directory Users and Computers or dsadd to create the accounts.
  • Some accounts are created automatically.
    – For example, when you join a computer to the domain, its (computer) account is automatically created in Active Directory.

CREATING ACCOUNTS WITH ADUC

  • To create a user account using Active Directory Users and Computers, follow these steps.

SLIDE 19

  • Launch Active Directory Users and Computers by selecting Start - Administrative Tools - Active Directory Users and Computers.
  • Right-click the Users OU within the Sales OU you created earlier, and select New - User.
  • The New Object - User dialog box appears.
SLIDE 20

  • Enter the first name, last name, and user logon name for the user.
  • Click Next.
  • Enter a password for the user in the Password and Confirm Password text boxes.
  • Ensure the check box is selected for "User must change password at next logon."
  • Review the information on the Summary page, and click Finish.

SLIDE 21

CREATING ACCOUNTS BY USING DSADD

  • You can use the same dsadd command-line tool to create user accounts.
  • The basic syntax is as follows:
    – dsadd user <UserDN> [parameters]
  • Although most parameters are optional, you'll find that the default domain password policy prevents you from creating an enabled account with a blank password.
  • Not only will it be disabled, but you won't be able to enable it until you set a password that satisfies the policy.
  • You will also probably want to add information such as first name, last name, and display name.

SLIDE 22

  • The dsadd user command includes the following parameters for each of the following options:
    – -pwd: Password (-pwd * prompts for the password instead of taking it from the command line)
    – -fn: First name
    – -ln: Last name
    – -display: Display name
    – -samid: SAM account name (the pre-Windows 2000 logon name)
    – -upn: User principal name
  • The equivalent fields in ADUC:
    – The full name in ADUC is the display name. When using ADUC this is built automatically from the first and last name, but with dsadd it needs to be specified (-display) or else it's left blank.
    – The user logon name is taken from the UPN (-upn), and the SAMID (-samid) is the legacy logon name, the same text as the "User logon name (pre-Windows 2000)" box.
  • If you're creating the account with a password, you want to ensure the user changes the password as soon as they log on.
  • The dsadd command includes the -mustchpwd parameter.
    – When set to yes, it will force the user to change their password at next logon.

SLIDE 23

  • So, to create an enabled user named JoeBloggs in the Users OU under the Sales OU, with a password of Pa$$w0rd, who must change the password at next logon, you could use the following command:

    dsadd user "CN=JoeBloggs,OU=Users,OU=Sales,DC=tombrett,DC=local" -disabled no -pwd Pa$$w0rd -mustchpwd yes

  • Press Enter to run the dsadd command.
  • After running, check ADUC to see if the user is there. You may need to refresh the container (right-click - Refresh).
  • Two cautions about putting the password on the command line:
    – A password typed as an argument is visible on screen and in anything that records command lines (console history, process-creation auditing with command-line logging). Use -pwd * to be prompted for it instead, and never hard-code it in a script.
    – If you run this from PowerShell rather than cmd.exe, put the password in single quotes: in an unquoted or double-quoted argument PowerShell expands $$ as a variable, and the account ends up with a different password from the one you intended.
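As an added example (not part of the original slides), the same JoeBloggs account created with New-ADUser. Each parameter is annotated with the dsadd switch it corresponds to, the password is read from a prompt into a SecureString so it never appears on a command line, and the result is checked the way you would check it in ADUC. OU and domain follow the lab; the logon name jbloggs is an assumption.

```powershell
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$usersOuDn = "OU=Users,OU=Sales,$($domain.DistinguishedName)"
$sam       = 'jbloggs'   # assumed pre-Windows 2000 logon name / UPN prefix

# Know the policy before you pick an initial password: one that does not satisfy
# it makes New-ADUser fail (with dsadd the account is created but stays disabled).
$policy = Get-ADDefaultDomainPasswordPolicy
'Minimum length {0}, complexity {1}, history {2}' -f $policy.MinPasswordLength,
    $policy.ComplexityEnabled, $policy.PasswordHistoryCount

# Prompt rather than pass the password as an argument (dsadd's -pwd * equivalent).
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for JoeBloggs'

$params = @{
    Name                  = 'JoeBloggs'                 # the CN, shown as "Full name"
    GivenName             = 'Joe'                       # dsadd -fn
    Surname               = 'Bloggs'                    # dsadd -ln
    DisplayName           = 'Joe Bloggs'                # dsadd -display; not derived for you
    SamAccountName        = $sam                        # dsadd -samid
    UserPrincipalName     = "$sam@$($domain.DNSRoot)"   # dsadd -upn
    Path                  = $usersOuDn                  # the OU part of the DN
    AccountPassword       = $initialPassword
    Enabled               = $true                       # dsadd -disabled no
    ChangePasswordAtLogon = $true                       # dsadd -mustchpwd yes
}
New-ADUser @params

# Verify: enabled, in the right OU, and flagged to change password at logon.
# The directory stores "must change at next logon" as pwdLastSet = 0.
Get-ADUser -Identity $sam -Properties pwdLastSet, DisplayName |
    Select-Object DistinguishedName, Enabled, DisplayName, UserPrincipalName,
                  @{ n = 'MustChangePassword'; e = { $_.pwdLastSet -eq 0 } }
```

Splatting the parameters through a hashtable is what lets each one carry a comment; the same call written on one line with backticks would not tolerate comments after the continuation character.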

SLIDE 24

  • For further details on dsadd:
    – http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx

SETTING DOMAIN-BASED USER ACCOUNT PROPERTIES

  • In AD DS there are a lot more tabs, with many more settings available to you, in a domain-based user account than there are in a local user account.
    – This gives administrators much more control over their users.
    – It also allows you to store more information with each user account.
  • This information can be used by users or by applications.

SLIDE 25

Local / Domain User Comparison

[Figure: side-by-side screenshots of the Local User Account Properties and Domain User Account Properties dialogs]

General Tab

  • You'll see the usual first name and last name.
  • You also have the ability to store some other information about the user in the user's account object in Active Directory, such as their office, telephone number, email address, and web page.
  • You can make use of any defined email address or web page settings for this user by right-clicking the account object in Active Directory Users and Computers (Send Mail, Open Home Page).

SLIDE 26

Address Tab

  • This allows you to define a postal address for the user in question.

Account Tab

  • You can see the user logon name, the UPN suffix, and the pre-Windows 2000 user logon name that you defined while creating the user.
  • You can use these controls to modify those usernames.
  • Clicking the Logon Hours button will open the dialog box below.
  • This allows you to control when a user can log on to the network to access resources.
    – It does not forcibly log the user off if they are already logged on when the permitted hours end; new logons outside the hours are refused. The security option "Network security: Force logoff when logon hours expire" can additionally be enabled to drop the user's network (SMB) sessions when the hours end.

SLIDE 27

  • The Log On To dialog box allows you to control which computers this user can use to log on to Active Directory (stored in the account's userWorkstations attribute).

Telephones Tab

  • You can store telecommunications contact information for the user in their user account object.

Organization Tab

  • The Organization tab is another information tab.
  • This tab allows you to describe the role of the user within the organization (job title, department, company, manager and direct reports).

SLIDE 28

Personal Virtual Desktop Tab

  • Personal virtual desktops are a form of VDI where a virtual machine with a copy of Windows Vista or Windows 7 runs on a server in the computer room.
  • The user will log into it using Remote Desktop via a Remote Desktop Connection Broker.
  • This broker is required to use the functionality in this tab.

COM+ Tab

  • This is more to do with development.
  • A partition is an application configuration.
  • This is beyond the scope of this course.

Member Of Tab

  • The Member Of tab allows you to control the group membership of this user account.
  • You can also control the primary group of the user (Domain Users by default).
    – This is required only by POSIX applications or Macintosh client computers.

SLIDE 29

  • More tabs will be available if you choose the advanced view (View - Advanced Features), for example Object, Security and Attribute Editor.

EDITING MANY USER ACCOUNTS AT ONCE

  • If you want to modify the same properties of multiple user accounts:
  • Simply select all of the accounts, then right-click one of them and choose Properties.
  • You will only see a subset of the options.

SLIDE 30

ACTIVE DIRECTORY GROUPS

  • The basic concept of Active Directory or domain-based groups does not differ from that of local groups.
  • You use them to collectively treat a number of objects in an identical manner.
  • The most common reason to create groups is to organize users.
  • More specifically, global security groups are created to organize users, and permissions are then assigned to the groups.
  • A single group can contain many domain-based security principals, such as users and computers, and can be used on all computers within the domain in which the group resides.
    – You can also use groups outside of their native domain, and there is even a category (universal groups) that can contain members from any domain in a forest.

SLIDE 31

  • Whenever possible, you should assign permissions to groups rather than users.

Default Built-In Groups

  • You can use the built-in groups to simplify administration.
  • You can have several users in the sales department.
  • Instead of assigning permissions to each individual in the sales department, you could create a single global security group named G_Sales.
  • You can then make all the users in the sales department members of the G_Sales group, and assign permissions to the G_Sales group.
    – If a user leaves, take them out of the G_Sales group, and they will no longer have the permissions of the group.
    – If a user joins the Sales team, put them into the G_Sales group, and they will have the permissions of everyone else in the group.
  • Note that group membership is evaluated at logon, when the group SIDs are placed in the user's access token: a user added to or removed from a group keeps their old token (and old permissions) until they log off and on again.

SLIDE 32

  • There are two types of groups:
    – distribution and security.
  • Distribution groups are used for email.
  • Security groups are used to assign permissions.
    – Security groups can also be used for email.

Distribution Group

  • A distribution group is used to group a number of objects together that will be addressed collectively.
  • A mail server, such as Microsoft Exchange, can present the distribution group to users as a destination address.
  • The user can choose to send a mail to the distribution group, and the mail server will attempt to send the mail to all members of the group, assuming that they have email addresses configured.
  • A distribution group is not security-enabled: its SID is never added to a member's access token at logon, so granting it permissions has no effect.

Security Group

  • A security group can also perform the mail distribution function.
  • You can use a security group to assign permissions or rights to an object or a set of objects, such as an organizational unit, a folder, or a component of an application.
  • This allows Active Directory to become not only your single authentication mechanism for your network but also your authorization mechanism.
  • An end user can use a single user account to gain authorization to secured resources across the entire Active Directory forest, not just a domain or a single computer.

SLIDE 33

  • There are three group scopes:
  • Global
    – Global groups are used to organize users. This is the most commonly used group scope. A global group can only contain accounts (and other global groups) from its own domain, but it can be granted permissions in any domain in the forest.
  • Domain Local
    – Domain local groups are domain-level groups that can be used to set up permissions on resources in the domain in which they exist. They can contain accounts and global groups from any domain in the forest.
  • Universal
    – Universal groups can contain members from any domain in the forest, and their membership is replicated to the global catalog, so they are mainly useful in multi-domain forests.
  • Groups can also contain other groups, commonly referred to as group nesting.
    – This may be used to simplify resource allocation. The usual pattern is to put users in global groups, nest the global groups in a domain local group, and grant the permissions on the resource to the domain local group (users, global group, domain local group, permissions).
  • The most common way to create these groups is with Active Directory Users and Computers.
  • You can use the following steps to create a global security group.

SLIDE 34

  • Launch Active Directory Users and Computers by selecting Start - Administrative Tools - Active Directory Users and Computers.
  • Right-click the Sales OU, and select New - Group.
  • Enter G_Sales in the "Group name" box, leave the group scope as Global and the group type as Security (the defaults), and click OK.
SLIDE 35

  • Right-click the Sales OU, and select New - Group. Enter G_SalesAdmins in the "Group name" box.
    – This group will be granted the permissions needed to administer the Sales OU (through the OU's Delegation of Control wizard).
    – Click OK.
  • View the Sales Organizational Unit.

EDITING GROUP PROPERTIES

SLIDE 36

  • To modify properties for a group, right-click the group and choose Properties.
  • The number of tabs available will depend on whether View - Advanced Features is selected from the ADUC menu.
  • The General tab allows you to modify the scope or group type. It also allows you to specify a group email address and description.
  • Changing a group from being a security group to a distribution group means that it cannot be used for assigning permissions any more.
  • You are warned that any permission assigned using this group may fail to function any more.
  • This is especially important if you are denying access to critical resources using this group: the Deny entries stop applying, so the users the group was meant to keep out are no longer blocked.
    – Worse still, the group still appears in the ACLs, so it looks as though the rights (or denials) are in place, but they are not effective because the group's SID is no longer placed in its members' access tokens.

SLIDE 37

  • You cannot directly change a group from being a domain local group to a global group, or vice versa.
  • You can change either scope to being a universal group.
  • From there, you can change it back to either a domain local or a global group.
    – Each conversion is refused if it would break the membership rules: a global group that is a member of another global group cannot become universal, and a domain local group that contains another domain local group cannot become universal.
  • The member functionality for domain-based groups works just like that of local groups.
  • You can add and remove members using the Add and Remove buttons.
  • Domain-based groups are capable of containing more types of objects than local groups can, such as the following:
    – Other objects: this flexible solution allows you to add members that are created by applications, that is, not the usual users, computers, or groups.
    – Contacts: these objects are created in Active Directory to store contact information about people or organizations. This could be used for distribution groups.
    – Service accounts: this is a new feature of Windows Server 2008 R2 (managed service accounts) where you can set up dedicated service accounts instead of creating user accounts and assigning them to services.

SLIDE 38

  • You cannot add security principals that are local machine based, that is, local users or local groups.
  • These security principals exist only on their computer, so it makes no sense to add them to a domain-wide or forest-wide group.
  • Domain-based groups can be nested; that is, a group can be a member of another group.
  • The Member Of tab in the group's properties allows you to manage what groups this group is a member of.
  • The Managed By tab allows you to select a user or a group to be the owner (manager) of this group.
    – The group can be assigned rights to resources.
  • The selected owner can be given rights to manage the membership of the group by selecting the "Manager can update membership list" box. This writes an access control entry for the manager on the group's member attribute, so whoever you pick there can add anyone (themselves included) to the group: treat it as a delegation decision, especially for groups that carry permissions.
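As an added example (not part of the original slides), the G_Sales and G_SalesAdmins groups from the lab created with the ActiveDirectory module and wired up the way the nesting slide describes: users in a global group, the global group nested in a domain local group, and the domain local group the one that would be granted the permission on the resource. It also exercises the scope-change rules from slide 37. The domain local group DL_SalesShare_Modify and the member jbloggs are assumptions.

```powershell
Import-Module ActiveDirectory

$salesOuDn = "OU=Sales,$((Get-ADDomain).DistinguishedName)"

# Global security groups hold people. Global/Security are the ADUC defaults;
# they are spelled out here so the intent is explicit.
foreach ($name in 'G_Sales', 'G_SalesAdmins') {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $salesOuDn -Description "Sales department ($name)"
    }
}

# The domain local group carries the permission on the resource; the global
# group is nested into it, so staffing changes only ever touch G_Sales.
$dl = 'DL_SalesShare_Modify'   # assumed name
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$dl'")) {
    New-ADGroup -Name $dl -SamAccountName $dl -GroupScope DomainLocal `
        -GroupCategory Security -Path $salesOuDn -Description 'Modify on the Sales share'
}
Add-ADGroupMember -Identity $dl       -Members 'G_Sales'
Add-ADGroupMember -Identity 'G_Sales' -Members 'jbloggs'   # assumed existing user

# The Managed By tab: G_SalesAdmins becomes the manager of G_Sales. This sets
# only the managedBy attribute; the "Manager can update membership list" box is
# a separate ACE on the group and is deliberately not granted here.
Set-ADGroup -Identity 'G_Sales' -ManagedBy 'G_SalesAdmins'

# Nested membership is what reaches the user's token, so check it recursively:
# jbloggs is listed as an (indirect) member of the domain local group.
Get-ADGroupMember -Identity $dl -Recursive | Select-Object Name, ObjectClass

# Scope changes: DomainLocal to Global directly is refused; the supported route
# is via Universal, and each hop is refused if it would break the membership
# rules (for example a domain local group that contains another domain local group).
try {
    Set-ADGroup -Identity $dl -GroupScope Global -ErrorAction Stop
} catch {
    "Direct change refused: $($_.Exception.Message)"
}
Set-ADGroup -Identity $dl -GroupScope Universal
Set-ADGroup -Identity $dl -GroupScope DomainLocal   # and back, leaving the lab as it was
```

Granting the NTFS permission itself to DL_SalesShare_Modify is done on the file server, not in AD; the point of the pattern is that the ACL on the share never has to change again when people join or leave Sales.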

SLIDE 39

Common Administrative Tasks

FORGOTTEN PASSWORDS

  • If you are using the GUI, then you need to navigate to the user account in question in Active Directory Users and Computers.
  • Then right-click the user and select Reset Password to open the Reset Password dialog box.
  • You can now enter a new password for the user.
    – See that the check box to force the user to change their password after logon is selected?
    – This is the default. This is very convenient because, as you can see, the password that you gave to this user is probably the same one
    – Whoever performs the reset knows the new password, so the user should replace it at first logon, and it should be handed over by a route you would be happy to see audited, not pasted into an email.

SLIDE 40

  • You can change a user's password using the dsmod user command:
  • Example:

    dsmod user "CN=Joe Bloggs,OU=Users,DC=bigfirm,DC=com" -pwd Password12345678 -mustchpwd yes

    – The quotes are required here because the CN contains a space. As with dsadd, -pwd * prompts for the password rather than leaving it in the console history.

LOCKED-OUT USERS

  • Account lockouts are disabled by default in the Default Domain Policy (Account lockout threshold = 0).
  • When enabled, after x incorrect logon attempts AD will lock the account for the configured lockout duration (30 minutes is the value Windows suggests when you set the threshold).
    – To unlock the account before that time expires, an administrator needs to clear the "Unlock account" check box on the Account tab of the user's properties. This is separate from resetting the password, which is only needed if the user has also forgotten it.

SLIDE 41

  • One of the bad possible outcomes here is a denial-of-service attack, where an attacker runs a script that deliberately attempts to log on with wrong passwords as every user (the usernames are easy to enumerate), thereby locking them all out.
    – A very low threshold makes this worse; a higher threshold with a short observation window still stops online password guessing while making the lockout much harder to trigger. Either way, watch for lockout events (Security event ID 4740, recorded on the PDC emulator) coming from a single source against many accounts.
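As an added example (not part of the original slides), the two helpdesk tasks on this page done with the ActiveDirectory module, followed by a check for the lockout-based denial of service described above. The user jbloggs and the one-hour window are assumptions; the field names used when reading the events are those of Security event 4740, whose TargetDomainName carries the caller computer name. Reading the PDC emulator's Security log remotely requires the appropriate rights on that server.

```powershell
Import-Module ActiveDirectory

$user = 'jbloggs'   # assumed account

# Forgotten password: -Reset sets a new password without knowing the old one
# (this needs the Reset Password right on the account). Forcing a change at
# next logon means the helpdesk never keeps a working credential.
Set-ADAccountPassword -Identity $user -Reset `
    -NewPassword (Read-Host -AsSecureString -Prompt "New password for $user")
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Locked-out user: first see what the domain policy actually does.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    'Lockout is disabled in the default domain policy (threshold 0).'
} else {
    'Lockout after {0} failures; duration {1}; failure counter resets after {2}' -f
        $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow
}
# Unlocking is separate from resetting the password.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
Unlock-ADAccount -Identity $user

# Who locked whom: every lockout is recorded as event 4740 on the PDC emulator,
# naming the account and the computer the bad passwords came from. Many different
# accounts locked from one caller inside a short window is the signature of a
# script walking the user list.
$pdc    = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'   # caller computer
    }
} | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{ n = 'Caller'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

A normal helpdesk day produces callers with a count of one, each for a single account. A single caller with a high count spread across many distinct accounts is the case to investigate before unlocking anything in bulk, because the attacker only needs to run the script again.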

LAB : SET UP AN ACTIVE DIRECTORY SYSTEM TO MIMIC AN ORGANIZATION'S STRUCTURE

  • Think of an organization, maybe a college, and mimic its organization chart using AD.