AD Overview
Windows Domain
A Windows Domain is a group of users and computers under the administration of a business.
Centralizes the administration of common windows components
Stores it all in a centralized repo called Active Directory
The server that runs AD is called a Domain Controller
Advantages to Domains
Centralized Identity Management - All users across the network can be configured from AD with minimum effort
Managing Security Policies - You can configure security policies from AD and apply them to users and computers across the network
AD DS
Active Directory Domain Service (AD DS) is at the core of every domain
This service is a catalogue that holds all the information of the "objects" that exist in your network
In terms of objects there are users, groups, machines, printers, shares, etc, etc
Users
Users are one of the objects known as security principals
Means they can be authenticated by the domain and can be assigned privileges over a resource like a file or printer
Security principals can act upon a resource in a network
People vs Services
Users can represent two types of entities
People: users will generally represent people that need to access a network
Services: you can define users to be used by services such as IIS or MSSQL
Every service requires a user to run, but service users differ from regular users as they should only have the privileges needed to run their specific service
Machines
Machines are another type of object in a domain.
For every computer that joins AD a machine object will be created
Machines are considered security principals
They are assigned an account just like a user
This account has limited rights within the domain itself
The machine accounts themselves are local administrators on the assigned computer
They are generally not supposed to be accessed by anyone except the computer itself
But if you have the password you can use them
Machine account passwords are automatically rotated out and are generally comprised of 120 random chars
Identify Machine Accounts
They are easy to identify
They follow a specific naming scheme
Machine account name is the computer name followed by a $
e.g. if the computer name is SRV01, the machine account is SRV01$
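As an added example (not part of the original notes), this PowerShell snippet lists the machine accounts in the domain so the `$`-suffixed naming scheme is visible, and flags enabled computers whose machine-account password has not rotated recently, which usually means a stale or offline host. It assumes the ActiveDirectory RSAT module is installed and the session can read the domain; the 60-day review window is an arbitrary value chosen for the example.

```powershell
# Added example: enumerate machine accounts and check password rotation.
# Assumes the ActiveDirectory module (RSAT) is installed and the session has read access to the domain.
Import-Module ActiveDirectory

# Every computer object has a SamAccountName ending in '$' (e.g. SRV01 -> SRV01$).
$computers = Get-ADComputer -Filter * -Properties SamAccountName, PasswordLastSet, Enabled

$computers |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Machine-account passwords rotate automatically, so an enabled computer whose password
# has not changed for a long time is worth reviewing (stale object, offline host, or
# rotation disabled on that machine). 60 days is an arbitrary window for this example.
$threshold = (Get-Date).AddDays(-60)
$stale = $computers | Where-Object {
    $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $threshold)
}

Write-Host "Enabled computers with a machine-account password older than 60 days (or never set):"
$stale | Select-Object Name, SamAccountName, PasswordLastSet | Format-Table -AutoSize
```

Run it from a domain-joined machine with RSAT; a computer that appears in the stale list but is known to be online is the one to investigate first, since its password should have rotated.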
Security Groups
You can define user groups to assign access rights to files and other resources to a group rather than to individual users
Security groups are also considered security principals and can have privileges over resources on a network
Default Domain Groups
| Security Group | Description |
|---|---|
| Domain Admins | Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs. |
| Server Operators | Users in this group can administer Domain Controllers. They cannot change any administrative group memberships. |
| Backup Operators | Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers. |
| Account Operators | Users in this group can create or modify other accounts in the domain. |
| Domain Users | Includes all existing user accounts in the domain. |
| Domain Computers | Includes all existing computers in the domain. |
| Domain Controllers | Includes all existing DCs on the domain. |
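Because the first four groups in the table confer broad control over the domain, their membership is something to review regularly. The following PowerShell snippet is an added example (not from the original notes) that lists the effective members of each of those groups, expanding nested groups, and writes a dated CSV snapshot so membership changes can be diffed over time. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example: audit membership of the privileged default groups listed above.
# Assumes the ActiveDirectory module (RSAT) is installed and the session has read access to the domain.
Import-Module ActiveDirectory

# Groups from the table that grant wide-reaching rights in the domain.
$privilegedGroups = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'

$snapshot = foreach ($groupName in $privilegedGroups) {
    # -Recursive flattens nested groups so the users and computers inside them are listed too.
    $members = @(Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} effective member(s)" -f $groupName, $members.Count)

    foreach ($m in $members) {
        # objectClass shows whether the member is a user or a computer account.
        Write-Host ("  {0,-10} {1}" -f $m.objectClass, $m.SamAccountName)
        [pscustomobject]@{
            Group          = $groupName
            ObjectClass    = $m.objectClass
            SamAccountName = $m.SamAccountName
            Checked        = Get-Date
        }
    }
}

# Dated snapshot; compare against the previous run to spot additions that nobody requested.
$snapshot | Export-Csv -Path ("privileged-members-{0}.csv" -f (Get-Date -Format 'yyyyMMdd')) -NoTypeInformation
```

Computer accounts showing up in Domain Admins, or a member count that grew since the last snapshot, are the findings to chase.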
AD Users and Computers
To configure users, groups or machines in AD we need to log into the DC and run
Active Directory Users and Computers
This is located on the start menu
Will open a hierarchy of users, computers and groups that exist in a domain
They are all organized in Organizational Units
OUs
These are container objects that allow you to classify users and machines
OUs are mainly used to define sets of users with similar policy requirements
Users can be a part of a single OU at a time
If you open any of the OUs you can see the users they contain
This is where you can create, delete or modify them as needed
Can also reset passwords here
Default Containers
There are default containers in domains
Created by Windows automatically
Builtin: Contains default groups available to any Windows host.
Computers: Any machine joining the network will be put here by default. You can move them if needed.
Domain Controllers: Default OU that contains the DCs in your network.
Users: Default users and groups that apply to a domain-wide context.
Managed Service Accounts: Holds accounts used by services in your Windows domain.
Security Groups vs OUs
OUs - handy for applying policies to users and computers
Include specific configs that pertain to sets of users depending on their particular role
Users can only be a member of a single OU at a time
Can't apply two different policies to the same user
Security Groups
Used to grant permissions over resources
If you use groups and want to allow some users to have access over a shared folder
Users can be in many groups at the same time
Deleting extra OUs and users
OUs are protected against accidental deletion
To delete them enable Advanced Features in the View menu
This will show you some more containers and enable you to toggle the accidental deletion protection on or off.
Delegation
You can and should give specific users some control over some OUs
This is known as delegation and it allows specific privileges to perform advanced tasks on OUs without needing a DA to step in
One common example is granting IT staff the ability to reset other low privilege users' passwords
How to Delegate
To delegate control over an OU right click and select Delegate Control
This should open a new window where you should input the users name that you want to delegate to
Use the Check Names box to avoid a mistyped name
Now you can see a new window that allows more granular delegation controls
AD Password Resets PowerShell
Now make sure to force the user to update their password on next login so they don't keep using a password that we know!
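The original notes do not include the actual commands, so here is an added PowerShell example (not from the original) of the reset flow described above: set a temporary password, force a change at next logon, clear any lockout, and verify. It assumes the ActiveDirectory RSAT module, a delegated account with reset-password rights on the target, and a hypothetical user named `jdoe`.

```powershell
# Added example: reset a user's password and force a change at next logon.
# Assumes the ActiveDirectory module (RSAT) and a delegated account with reset-password rights.
Import-Module ActiveDirectory

$user = 'jdoe'   # hypothetical user for this example

# Prompt for the temporary password so it never lands in shell history or a script file.
$newPassword = Read-Host -AsSecureString -Prompt "Temporary password for $user"

# -Reset sets the password without needing the old one (this is the delegated reset right).
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# Force a change at next logon so the temporary password we know stops being usable after first use.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Clear any lockout caused by failed attempts before the reset.
Unlock-ADAccount -Identity $user

# Verify: AD records "must change password at next logon" as pwdLastSet = 0.
Get-ADUser -Identity $user -Properties PasswordLastSet, pwdLastSet, LockedOut |
    Select-Object SamAccountName, PasswordLastSet, pwdLastSet, LockedOut
```

One caveat: `-ChangePasswordAtLogon $true` cannot be applied to an account that has "Password never expires" set, so check that flag first if the cmdlet errors.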
Managing Computers in AD
All machines that join the domain (minus DCs) will be put in a container called Computers
You will want to group the different machine types to be able to apply different policies to them
You do not want to have the same policies for your end user workstations as your servers
At minimum it pays off to have these three groups
1. Workstations
Workstations are one of the most common devices within an Active Directory domain. Each user in the domain will likely be logging into a workstation. This is the device they will use to do their work or normal browsing activities. These devices should never have a privileged user signed into them.
2. Servers
Servers are the second most common device within an Active Directory domain. Servers are generally used to provide services to users or other servers.
3. Domain Controllers
Domain Controllers are the third most common device within an Active Directory domain. Domain Controllers allow you to manage the Active Directory Domain. These devices are often deemed the most sensitive devices within the network as they contain hashed passwords for all user accounts within the environment.
Group Policies
Windows applies policies to OUs with Group Policy Objects (GPOs)
GPOs are simply a collection of settings that can be applied to OUs
GPOs can contain policies aimed at either users or computers, allowing you to set a baseline
To configure GPOs, you can use the Group Policy Management tool, available from the start menu:
GPO Hierarchy
You will notice a GPO hierarchy when you open GPO Management tool
To configure GPOs you first create a GPO under Group Policy Objects and then link it to the OU where you want the policies to apply
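This added PowerShell example (not from the original notes) ties together the two procedures above: it creates the Workstations and Servers OUs recommended under Managing Computers in AD, sorts computers out of the default Computers container, and then creates a GPO and links it to the Workstations OU as described in this section. It assumes the ActiveDirectory and GroupPolicy RSAT modules; the OU names, the GPO name and the classification-by-OS rule are assumptions for the example, and `Move-ADObject` runs with `-WhatIf` so nothing moves until you remove that switch.

```powershell
# Added example: create machine-type OUs, sort computers into them, then create and link a GPO.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and rights to create OUs and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Create the OUs described under "Managing Computers in AD" (names are assumptions).
foreach ($ouName in 'Workstations', 'Servers') {
    $ouDN = "OU=$ouName,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Computers land in the default Computers container; sort them by operating system.
#    Classifying on the OS name is an assumption for this example; use your own rule if needed.
$defaultContainer = "CN=Computers,$domainDN"
Get-ADComputer -SearchBase $defaultContainer -Filter * -Properties OperatingSystem | ForEach-Object {
    $target = if ($_.OperatingSystem -like '*Server*') { "OU=Servers,$domainDN" } else { "OU=Workstations,$domainDN" }
    # -WhatIf makes this a dry run; remove it once the plan looks right.
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $target -WhatIf
}

# 3. Create a GPO under "Group Policy Objects" and link it to the Workstations OU.
$gpoName = 'Workstation Baseline'   # hypothetical GPO name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline settings for end-user workstations'
}
# New-GPLink fails if the link already exists, which is a safe place to stop.
New-GPLink -Name $gpoName -Target "OU=Workstations,$domainDN" -LinkEnabled Yes

# Confirm the link is present on the OU.
(Get-GPInheritance -Target "OU=Workstations,$domainDN").GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

Linking an empty GPO changes nothing until settings are added to it, so the link step is safe to run before the policy content is decided.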