Active Directory For Beginners

Dante Falls
11 min read · Nov 7, 2023


A User Is Devastated After They Are Denied Access To A System

Do you remember being in school and trying to play games on the computer? Access to those games was sometimes denied by the administrator, and you weren’t able to play your precious “Pinball” game. Some computers even blocked access to Solitaire. Not a problem, nobody actually enjoys playing Solitaire. But did you ever wonder what was actually blocking you from accessing those computer resources? It may have been a service called “Active Directory”.

Figure 1: Active Directory Administrative Center (ADAC)

Active Directory is a commonly-used, directory service that connects users with network resources. If you want to add a printer to the network, you would add it in Active Directory. If you want to add a user to your network, you would create a user account for them in Active Directory. Active Directory can even let you block certain users from accessing a computer’s control panel. Lucky for you, I am going to show you how to do some basic administration in an Active Directory environment.

In this post, we’ll explore some responsibilities that an entry-level, IT Support Specialist might have in a modern work environment. I am assuming you already have some basic IT knowledge and a general understanding of directory services.

  1. We will cover User Management, like creating user accounts and resetting user passwords.
  2. Lastly, we will cover Group Policy Objects and the useful things we can do when applying them to groups of users.

Managing Users In Active Directory

In Active Directory, all data, including user accounts and computers, is stored as objects. One way to organize these objects is with Organizational Units. An Organizational Unit is exactly what it sounds like: a way to organize and manage network resources in your organization. Organizational Units can group network resources together. For example, user accounts might be saved under an organizational unit called “Users”, while computers might be saved under an organizational unit called “Domain Computers”.

How To Add Users In Active Directory

The first thing you need to do is open up the “Active Directory Users and Computers” tool. Like the name suggests, Active Directory Users and Computers (ADUC) is where we add users to a domain. You can see the ADUC interface in the picture below.

Active Directory Users and Computers Interface

Imagine you are part of a company that needs you to add the following employees to the company domain:

Sara Goldsmith (IT — Systems Administrator)

Mike Jones (IT — Help Desk)

John Cena (Management — Project Manager)

Suzy Collins (Marketing — Intern)

Michael Meyers (Marketing — Head Of Marketing)

Elon Musk (Sales — Sales Associate)

To add these employees to the domain, we will create four different organizational units: IT, Marketing, Management and Sales.

Right click the “mydomain” organizational unit and then click “New” and then “Organizational Unit”. You will then be prompted to name your new organizational unit. Do this four times, once for each of the above work departments. Reference Figures 2 and 3, the images below.

Figure 2 and 3: Creating Organizational Units That Represent Different Work Departments

Now that we have organizational units representing the four work departments in the company, we need to add each user into their respective departments. Simply right click the organizational unit/department you want to add a user into, then click “New” then click “User”. This will bring up an interface where you can create a user account. Refer to Figures 4 and 5, the images below.

Figures 4 and 5: Adding A New User To Active Directory

After entering the name and login credentials for the new user, you will be prompted on what to do with the user’s password. You can give them a temporary password, and then click the option to make the user change their password when they log on (Refer to Figure 6, the image below). It is imperative that the user understands the importance of password security. Make sure you tell the user that they need to create a strong password, and to include special characters when they make their password. Your workplace might have its own password policy, so ensure you follow your workplace standards and procedures.

Figure 6: Password Management When Creating New Users

If you’re following along in your own lab environment, make sure you add all the previously mentioned employees to their respective work departments. Now that you know how to add users to an Active Directory environment, another common task is to reset those users’ passwords. Let’s learn how to reset user passwords in Active Directory.

How To Reset User Passwords and Unlock Accounts in Active Directory

Resetting user passwords is fairly easy. You just right click the user you want to manage, and then click the “Reset Password” option. Notice you can also unlock and disable accounts in this interface. Refer to Figures 7 and 8, the images below.

Figures 7 and 8: Resetting a User’s Password in Active Directory

What Is A Security Group?

A Security Group is an object in Active Directory that makes it easier to apply policies and restrictions to a group of employees. For example, the IT employees should always have access to a computer’s control panel, no matter what computer they log onto within the company domain. Sales employees, however, may not need access to the computer’s control panel. By applying a Group Policy Object to a Security Group, you can deny control panel access to every Sales employee in the domain, all at once.

Active Directory has built-in security groups, such as the Administrators security group, or the “Users” security group. You can find these built-in security groups in a folder called “Builtin” in the Active Directory Users and Computers tool.

Let’s look at the security group called Domain Admins. You can find this security group in the “Users” folder under “mydomain”. Right click it and you can see some information about the security group. Notice that you can see which users are members of this security group. I have three domain administrators in my Active Directory environment. Reference Figure 9, the image below.

Figure 9: Examining The Domain Admins Security Group In Active Directory

Let’s create two security groups for practice: one group called IT Employees, and the other called Non-IT Employees.

To create a security group, right click the “Users” folder and click “New” and then “Group”. You’ll then be prompted to name your new group and to choose its Group Scope and Group Type. Reference Figures 10 and 11, the images below.

Figures 10 and 11: Creating A Security Group In Active Directory

Adding Users To A Security Group

After you create your security groups, you will want to add users into them so that you can manage them. For example, we need to add all employees under the IT department into the IT Employees security group we just made.

To add users into a security group, you need to make them members of the security group. You can make each individual user a member of the security group, which is what we will do next.

I am going to individually add each member of the IT department into the IT Employees group. I will just open the properties of the IT Employees group and add the IT employees as members. Reference Figures 12 and 13, the images below.

Figures 12 and 13: Adding Users Into A Security Group

You can now see that Mike and Sara, the IT employees I created earlier, are both members of the IT Employees security group. To see this, reference Figure 14, the image below.

Figure 14: Checking A User’s Group Membership

Now, go back and add all the other employees we created into the Non-IT Employees security group. We will later add a Group Policy Object to restrict Non-IT Employee access on company computers.
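The same OUs, users and security groups can be built from the ActiveDirectory PowerShell module instead of clicking through ADUC. This is an added example, not code from the original post; the distinguished name DC=mydomain,DC=com, the UPN suffix and the “first initial plus surname” logon names are assumptions that match the post’s lab domain.

```powershell
# Added example (not code from the original post): the post's OUs, users and
# security groups built with the ActiveDirectory module. The DN DC=mydomain,DC=com,
# the UPN suffix and the "first initial + surname" logon names are assumptions.
Import-Module ActiveDirectory
$domainDN = "DC=mydomain,DC=com"

# Figures 2 and 3: one OU per department, skipping any that already exist.
foreach ($ou in "IT", "Marketing", "Management", "Sales") {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# The six fictional employees from the post, each with their department OU.
$employees = @(
    @{ First = "Sara";    Last = "Goldsmith"; OU = "IT";         Title = "Systems Administrator" },
    @{ First = "Mike";    Last = "Jones";     OU = "IT";         Title = "Help Desk" },
    @{ First = "John";    Last = "Cena";      OU = "Management"; Title = "Project Manager" },
    @{ First = "Suzy";    Last = "Collins";   OU = "Marketing";  Title = "Intern" },
    @{ First = "Michael"; Last = "Meyers";    OU = "Marketing";  Title = "Head Of Marketing" },
    @{ First = "Elon";    Last = "Musk";      OU = "Sales";      Title = "Sales Associate" }
)

# Figures 4 to 6: create each account with a temporary password that must be
# changed at first logon. The password is prompted for, never hard-coded.
foreach ($e in $employees) {
    $e.Sam = ($e.First.Substring(0, 1) + $e.Last).ToLower()      # e.g. sgoldsmith
    $tempPassword = Read-Host -AsSecureString "Temporary password for $($e.Sam)"
    New-ADUser -Name "$($e.First) $($e.Last)" -GivenName $e.First -Surname $e.Last `
        -SamAccountName $e.Sam -UserPrincipalName "$($e.Sam)@mydomain.com" `
        -Title $e.Title -Path "OU=$($e.OU),$domainDN" `
        -AccountPassword $tempPassword -ChangePasswordAtLogon $true -Enabled $true
}

# Figures 10 and 11: two global security groups in the Users container.
foreach ($g in "IT Employees", "Non-IT Employees") {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
}

# Figures 12 and 13: IT staff go into IT Employees, everyone else into Non-IT Employees.
$itSams    = $employees | Where-Object { $_.OU -eq "IT" } | ForEach-Object { $_.Sam }
$nonItSams = $employees | Where-Object { $_.OU -ne "IT" } | ForEach-Object { $_.Sam }
Add-ADGroupMember -Identity "IT Employees"     -Members $itSams
Add-ADGroupMember -Identity "Non-IT Employees" -Members $nonItSams

# Figure 14: confirm the memberships before any GPO depends on them.
Get-ADGroupMember -Identity "Non-IT Employees" | Select-Object Name, SamAccountName
```

Run it on the domain controller (or a machine with RSAT) as a domain admin; the final Get-ADGroupMember call should list the four non-IT employees.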

What Is A Group Policy Object?

A Group Policy Object allows you to apply specific restrictions on Users and Computers. If we want to restrict large groups of users, we can apply restrictions onto security groups themselves. For example, earlier we talked about Sales employees not needing access to the control panel. We can create a Group Policy Object that denies access to the computer control panel and apply it to the Sales Employees group. This will deny all employees within the Sales Employees group access to their control panel.

To practice using Group Policy Objects, we will create a Group Policy Object that prevents all Non-IT employees from opening their computer’s control panel. Since we already created a security group that contains all the Non-IT employees, we simply need to create a Group Policy Object and configure it to only affect the Non-IT Employees security group.

To create a Group Policy Object, open up the Group Policy Management Tool. The interface for the Group Policy Manager looks like Figure 15, the image below.

Figure 15: The Group Policy Management Tool

If you look under the container that says “Group Policy Objects” you can see there are already two group policy objects created on this domain: Default Domain Controllers Policy and the Default Domain Policy.

Right click the “Group Policy Objects” and click “New”. This will bring up a prompt that asks you to name your new group policy object. Name the policy “Control Panel — DENY Access” so you can clearly understand the purpose of the group policy object. Reference Figures 16 and 17, the images below.

Figures 16 and 17: Creating a New Group Policy Object

Now that we have created our group policy object, we need to edit it so that it does what we want. To edit a group policy object, right click the object and click “Edit”.

This will open the Group Policy Management Editor for that specific policy object. Here you can manage the group policy object’s configuration. The Group Policy Management Editor looks like Figure 18, the image below.

Figure 18: The Group Policy Management Editor Tool

In the Group Policy Management Editor, you can specify two types of configuration settings: User Configuration and Computer Configuration. Since we want to make sure certain users can’t access the computer control panel, we need to edit the User Configuration settings.

It can be a bit difficult finding specific settings, so to find the Control Panel Settings, follow this path:

User Configuration > Administrative Templates > Control Panel

From there, you will see the setting “Prohibit access to Control Panel and PC settings”. Click on this setting, enable it, and then click Apply. Notice that you can see a description of the setting and what enabling the setting will do. Reference Figures 19 and 20, the images below.

Figures 19 and 20: Enabling A Group Policy Setting

You will also want to ensure that the settings of this group policy object only apply to Non-IT Employees. Click on the “Control Panel — DENY Access” group policy object and under the “Security Filtering” section, add the Non-IT Employees group. You also want to remove the default “Authenticated Users” entry from the security filtering, or else all authenticated users will be affected, not just Non-IT Employees. Reference Figure 21, the image below.

Figure 21: Adding A Security Filter To A Group Policy Object

Now that we have successfully created a group policy object, we need to link it to an object in our domain so it can take effect.

In order to link our group policy object to our domain, right click on “mydomain.com” (the entire domain) and then click on “Link an Existing GPO”. From here, you need to click on the “Control Panel — DENY Access” policy. This will link the group policy object, and because we filtered the group policy object, it will only affect the Non-IT Employees even though it is linked to the entire domain. Reference Figures 22 and 23, the images below.

Figures 22 and 23: Linking an Existing GPO to the Domain

We have now successfully created and linked a group policy object to our domain. We know this group policy object should only affect the Non-IT Employees security group, so let’s try and log into a Sales employee account and see if we can access our control panel.

Let’s try logging into Elon Musk’s account. Elon is a sales associate in our fictional domain, so they should not have access to their control panel.

Once you are logged into the Sales employee’s account, try and access the control panel. You should be denied and get a pop-up prompt like in Figure 24, the image below.

Figure 24: User Elon Musk is denied access to a computer resource.

Now that we have verified that Non-IT employees cannot access their computer control panel, let’s make sure that all other employees can. We are verifying that the Security Filtering on our group policy object works correctly.

Let’s try to log into a known IT employee account and see if they can access their computer control panel. We will access the Mike Jones user account to verify this. Reference Figure 25, the image below.

Figure 25: The Mike Jones User Account Can Access The Control Panel

It looks like our security filtering and group policy object both work, as configured. Great job!
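The whole GPO procedure above (create, enable the setting, filter, link, check) can also be scripted with the GroupPolicy module. This is an added example, not code from the original post; it assumes the lab domain mydomain.com and the Non-IT Employees group created earlier, and it uses a plain hyphen in the GPO name instead of the post’s long dash.

```powershell
# Added example (not code from the original post): the Control Panel GPO built,
# filtered and linked with the GroupPolicy module. Assumes the lab domain
# mydomain.com and the "Non-IT Employees" group created earlier.
Import-Module GroupPolicy

$gpoName  = "Control Panel - DENY Access"
$domainDN = "DC=mydomain,DC=com"

# Figures 16 and 17: create the empty GPO.
New-GPO -Name $gpoName -Comment "Denies Control Panel and PC settings to Non-IT Employees" | Out-Null

# Figures 19 and 20: "Prohibit access to Control Panel and PC settings" is the
# Administrative Template behind this user-side registry policy value, so setting
# the value in the GPO is the same as choosing Enabled in the editor.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# Figure 21: security filtering. Non-IT Employees get Read + Apply. Authenticated
# Users are reduced to Read only rather than removed outright: since a 2016
# Windows update, clients retrieve user policy with the computer account and
# skip any GPO the computer cannot read, so Read must stay in place.
Set-GPPermission -Name $gpoName -TargetName "Non-IT Employees" -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Figures 22 and 23: link to the whole domain; the filter limits who it affects.
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null

# Check the effective filtering before testing with a user logon (Figures 24 and 25).
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission
```

On the client, after logging on as a Non-IT user, running gpupdate /force and then gpresult /r should list the GPO under the applied user GPOs, while for Mike Jones the same command should show it as filtered out for security reasons.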

Wrapping It Up

Active Directory is a commonly-used, directory service that connects users with network resources. Adding users, computers, servers, etc. can all be done from within Active Directory. If you are trying to work in the IT industry, you will definitely want to know about Active Directory. If you have a virtual domain controller and a virtual computer, you can follow along with this exercise. I used a virtual image of Windows Server 2019 for the domain controller, and a virtual image of Windows 10 for my client computer.

I appreciate all of you who read this post and learned some basic Active Directory management. If you want to learn how to set up this Active Directory environment, you can look up Josh Madakor on YouTube and follow along with his lab setup. Or, since you’re here, you can click on my profile here on Medium; I have another post which will take you through the steps I took to set up this lab. From there, you have your own Active Directory lab environment, and you can play around as much as you want.

I wish you all good luck, and follow me on YouTube (youtube.com/@dantesderivatives) if you want to learn more IT and Cybersecurity topics. Feel free to connect with me on LinkedIn (linkedin.com/in/dantefalls). Thank you for learning and don’t ever be afraid to ask for help!

The Pokemon Guy

ALL USER DATA IN THIS POST IS FICTIONAL
