Active Directory Basics

Nishant Patel
19 min read · Apr 3, 2023


A) Introduction:

Microsoft’s Active Directory is a crucial business tool that makes it easier to manage users and devices in a corporate environment. In this room we will look in detail at the core components of Active Directory.

Goals for the room:

To improve our understanding of Active Directory, the following subjects will be covered in this room:

The components of Active Directory

Definition of Active Directory Domain

The different components of an Active Directory domain

Domain Trust and Forests.

And a tonne of other relevant subjects!

Room requirements:

Windows fundamental knowledge is required. See the Windows Basics section for further information.

B) Windows Domain:

Consider yourself the administrator of a small business network with five computers and five employees. In such a small network it would be simple to configure each computer by hand: you would log in to each machine manually and create a user account for each employee. If one of the computers broke down, you would probably walk over to the worker’s office to fix it.

However, if your company were to grow to 157 computers and 320 users spread across four sites, monitoring each computer separately and offering on-site support for everyone would become difficult, if not impossible. A Windows domain is helpful in such a scenario. A Windows domain is basically a group of users and computers under the administration of a single company. The purpose of a domain is to centralise the administration of the common components of a Windows network in a single repository called Active Directory (AD). The server that runs the Active Directory services is called a Domain Controller (DC).

The following are the key advantages of using a set-up Windows domain:

Centralized identity management: With a Windows domain, any user on the network can be administered and modified in one place, using Active Directory.

Managing security policies: Security measures can be easily configured in Active Directory and then implemented as necessary to users and computers throughout the network.

A real-world example:

You probably already encountered the idea of a Windows domain in your school, institution, or place of employment, so don’t worry if it confuses you.

On school or university networks, for illustration, you are typically given a login and password that you can use on any of the available computers on campus. Your user accounts are accepted by all computers because when you input them, a computer will check them by contacting Active Directory. This indicates that your login information is available across the network and does not need to be stored locally on each computer.

Moreover, Active Directory is responsible for preventing you from using specific functions on computers owned by the school or university, such as the Control Panel. Policies are usually applied throughout the network so that you do not have administrator rights over these systems.

C) Active Directory:

The Active Directory Domain Service (AD DS) is the core of a Windows domain. It acts as a catalogue that holds the information about every “object” that exists on your network: users, groups, machines, printers, shares, and many other things. Some examples of these objects follow.

Users:

Users are one of the most common object types in Active Directory and are security principals: once authenticated by the domain, they can be granted access to resources such as files or printers. A security principal is an object that can be authenticated by the domain and can act on network resources.

Users can represent two kinds of entities: people and services. People are, for example, employees who typically need network access. Services such as IIS or MSSQL also need a user to run as, but that user should only have the permissions required to run the service itself; this is different from a regular user, who may have broader permissions on the network.

Machines:

Every computer that joins the domain is represented in Active Directory by an object of type Machine. Since machines are also “security principals”, just like users, they are given accounts with restricted domain permissions. These accounts are generated automatically, consist of 120 random characters, and are normally only accessible to the machine itself. Machine accounts are easy to identify because they follow a specific naming convention: the computer’s name followed by a dollar sign. For instance, the machine account for a device called DC01 would be called DC01$.

Security Groups:

In Windows, groups can be configured to grant access privileges over resources to a collection of users rather than to a single user. This simplifies administration, since a new user can simply be added to an existing group and inherit all of the group’s privileges. Groups are also security principals and can therefore hold privileges over resources on the network.

Both users and computers can be members of groups, and new groups can be created as needed. A few groups are created automatically in every domain to grant specific privileges. The Domain Admins group has administrative control over the whole domain, including every machine in it and the DCs themselves. The Server Operators group can administer DCs but cannot change the membership of administrative groups, whereas the Backup Operators group is used to take backups and can read any file on a computer regardless of its permissions. The Account Operators group can create or modify other accounts in the domain. The Domain Users group contains every user account in the domain, the Domain Computers group contains every machine joined to it, and the Domain Controllers group contains all of the domain’s DCs.
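The machine accounts and built-in groups described above can be inventoried from PowerShell with the ActiveDirectory module (RSAT or a DC session). The following is an added example, not code from the original article; it assumes the thm.local lab domain and a single-domain forest, so that Enterprise Admins lives in this domain.

```powershell
# Added example (not from the original article): inventory the security principals
# described above with the ActiveDirectory module. Assumes the thm.local lab domain.
Import-Module ActiveDirectory

# Machine accounts: every domain-joined computer has a sAMAccountName ending in '$'.
# PasswordLastSet shows when the machine last rotated its own password.
Get-ADComputer -Filter * -Properties OperatingSystem, PasswordLastSet |
    Select-Object Name, SamAccountName, OperatingSystem, PasswordLastSet |
    Format-Table -AutoSize

# Built-in groups that carry domain-wide privileges. Membership should be small and
# reviewed regularly; -Recursive expands nested groups so a user tucked inside a
# member group is still listed.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Server Operators',
                    'Backup Operators', 'Account Operators'

foreach ($group in $privilegedGroups) {
    try {
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        # e.g. Enterprise Admins is absent outside the forest root domain
        $members = @()
    }
    [pscustomobject]@{
        Group       = $group
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object SamAccountName) -join ', '
    }
}
```

Domain Users and Domain Computers are deliberately left out of the loop: their membership is held as each account’s primary group rather than in the group’s member attribute, so Get-ADGroupMember returns nothing useful for them; Get-ADUser and Get-ADComputer with -Filter * give the complete lists instead.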

Active Directory Users and Computers:

On the Domain Controller, open “Active Directory Users and Computers” from the Start menu to configure Active Directory objects such as users, groups, and computers. This tool shows the domain’s users, computers, and groups in a hierarchy. The objects are organised into Organizational Units (OUs), container objects used to classify users and computers. OUs let you group users that should receive the same policies; a user can belong to only one OU at a time. In our lab the THM OU contains child OUs for the IT, Management, Marketing, and Sales departments.

OUs typically mirror the company’s structure so that baseline policies can be applied per department, but you are free to create OUs beneath any other OU as you see fit. Alongside the OUs you will find the default groups already mentioned: Domain Computers holds every machine in the domain, Domain Users holds every registered user, and the Domain Controllers OU holds the domain’s DCs.

You can inspect the users that make up an OU whenever you browse it, and you may perform simple tasks like adding, deleting, or changing user profiles as necessary. Also, you have the option to reset credentials, which is useful for the help desk.

After logging in to the Domain Controller and launching “Active Directory Users and Computers” from the Start menu, a window shows the hierarchy of users, computers, and groups present in the domain.

Besides the THM OU, with its child OUs for the IT, Management, Marketing, and Sales departments, Windows creates several default containers:

The Builtin container holds the default groups that exist on any Windows host.

The Computers container is where every machine that joins the domain is placed initially; you can move it elsewhere if needed.

The Domain Controllers container is the default OU that holds the DCs in your network.

The Users container holds the default users and groups that apply domain-wide.

The Managed Service Accounts container holds the accounts used by services in your domain.

Security Groups and OUs:

OUs and Security Groups serve different purposes:

OUs are used to apply policies to users and computers according to their role in the organisation. Since it would make no sense to apply conflicting policies to the same user, each user can be a member of only one OU at a time.

Security groups, on the other hand, are used to grant permissions over resources. For example, to give some users access to a shared folder or a network printer, you would create a group and grant it the required permissions. A user can belong to many groups in order to access different resources.

D) Managing Users in AD:

Reviewing the present AD OUs and users is your first duty as the new domain administrator because changes to the company have been made. You are required to adjust the AD to conform to the organisational structure you have been given.

Deleting extra OUs and Users:

You will notice that the current AD setup includes an extra department OU that does not appear on the organisational chart. We have been told it was closed because of budget cuts and must be removed from the domain. However, if you right-click the OU and try to delete it, you get an error saying that OUs are protected against accidental deletion by default. To delete the OU you first need to enable Advanced Features in the View menu.

This reveals additional containers and lets you turn off the accidental-deletion protection. To do so, right-click the OU and select Properties; on the Object tab, untick the protection checkbox. Then try deleting the OU again. You will be asked to confirm the deletion, and any users, groups, or sub-OUs inside the OU will be deleted along with it.

After deleting the extra OU, you will also notice that some users in the AD do not match the ones on the organisational chart. Create and delete users as needed to match it.
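The same clean-up can be scripted, which is also how you would see exactly what the protection flag does. The following is an added example, not code from the original article. It assumes the thm.local domain and the THM OU; the obsolete OU name “Obsolete Dept” and the account names jdoe and former.employee are placeholders, since the article does not name them.

```powershell
# Added example (not from the original article): OU clean-up with the ActiveDirectory
# module. Assumes domain thm.local with the THM OU; 'Obsolete Dept', 'jdoe' and
# 'former.employee' are placeholders for the names in your own org chart.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName          # DC=thm,DC=local
$obsoleteOU = "OU=Obsolete Dept,OU=THM,$domainDN"

# Every OU created in the GUI is protected from accidental deletion; the delete
# fails until the flag is cleared, exactly as under View > Advanced Features.
$ou = Get-ADOrganizationalUnit -Identity $obsoleteOU -Properties ProtectedFromAccidentalDeletion
"Protected from accidental deletion: $($ou.ProtectedFromAccidentalDeletion)"

# Clear the flag on the OU and on everything beneath it (child OUs carry their own).
Get-ADObject -SearchBase $obsoleteOU -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object ProtectedFromAccidentalDeletion |
    Set-ADObject -ProtectedFromAccidentalDeletion $false

# -Recursive removes the OU together with the users, groups and child OUs it holds.
Remove-ADOrganizationalUnit -Identity $obsoleteOU -Recursive -Confirm:$false

# Reconcile users with the org chart: create a missing Sales user ...
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@thm.local' `
    -Path "OU=Sales,OU=THM,$domainDN" `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for jdoe') `
    -Enabled $true -ChangePasswordAtLogon $true

# ... and remove one that no longer appears on it.
Remove-ADUser -Identity 'former.employee' -Confirm:$false

# A user sits in exactly one OU (the parent container in its DN) but may be in many groups.
$u = Get-ADUser -Identity 'jdoe'
'Parent OU : ' + ($u.DistinguishedName -replace '^CN=[^,]+,', '')
'Groups    : ' + ((Get-ADPrincipalGroupMembership -Identity 'jdoe' | ForEach-Object Name) -join ', ')
```

The last two lines make the OU-versus-group distinction from the next section concrete: the distinguished name carries a single parent OU, while group membership is a list.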

Delegation:

Delegation in Active Directory gives specific users control over particular OUs, so they can perform routine tasks without needing a Domain Administrator. A common case is granting IT support the right to reset passwords for low-privilege users. According to our organisational chart, Phillip is in charge of IT support, so we want to give him the ability to reset passwords for the Sales, Marketing, and Management OUs. To do so, right-click the Sales OU and select Delegate Control from the context menu.

A new window appears after choosing Delegate Control. It asks for the users to whom you want to delegate control. To avoid typos, type “Phillip” and click Check Names; Windows will then complete the user’s name for you.

After clicking Next through the remaining steps, Phillip should be able to reset passwords for any user in the Sales department. You could repeat the procedure to delegate password resets for the Marketing and Management departments as well, but we will stop here for the purposes of this task; feel free to set up the other OUs if you wish.

When connecting via RDP, log in as Phillip on the THM domain using the username “THM\phillip”. Although Phillip has been delegated the right to reset passwords, he may not have enough privileges to open Active Directory Users and Computers, so the reset has to be done another way. In this case we will use PowerShell.

After resetting a user’s password (Sophie’s, in this exercise), we can issue a command that forces a password change at the next logon, so that Sophie cannot keep using a password that is already known to someone else.
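The reset itself, run from Phillip’s non-administrative PowerShell session, is shown below as an added example (not code from the original article). It assumes the thm.local domain, the Sales user sophie as above, and a placeholder account other.user that lives outside the delegated OU.

```powershell
# Added example (not from the original article): what Phillip can do from PowerShell
# on a domain-joined host after being delegated "Reset user passwords and force
# password change at next logon" over the Sales OU. Assumes domain thm.local and the
# Sales user 'sophie'; 'other.user' is a placeholder account outside the Sales OU.
Import-Module ActiveDirectory

$target = 'sophie'

# Phillip is not an administrator, so ADUC may be unavailable; the delegated ACE is
# enough for these two cmdlets, which only touch the attributes he was granted.
$newPassword = Read-Host -AsSecureString "New temporary password for $target"
Set-ADAccountPassword -Identity $target -Reset -NewPassword $newPassword

# Force a change at next logon, so the temporary password Phillip knows is single-use
# and the help desk never holds a working credential for long.
Set-ADUser -Identity $target -ChangePasswordAtLogon $true

# Verify: pwdLastSet = 0 (and an empty PasswordLastSet) means "must change at next logon".
Get-ADUser -Identity $target -Properties PasswordLastSet, pwdLastSet, PasswordExpired |
    Select-Object SamAccountName, PasswordLastSet, pwdLastSet, PasswordExpired

# The same call against a user outside the delegated OU should fail with
# "Access is denied"; that is the quickest check that the delegation is scoped.
try {
    Set-ADAccountPassword -Identity 'other.user' -Reset -NewPassword $newPassword -ErrorAction Stop
} catch {
    "Expected denial outside the Sales OU: $($_.Exception.Message)"
}
```

The final block is the check worth keeping in a runbook: a delegation that lets the help desk reset passwords for accounts it was never meant to touch (an administrator’s, for instance) is a privilege-escalation path, and it is cheap to test right after the wizard finishes.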

E) Managing Computers in AD:

Except for domain controllers, every machine that joins the domain is placed in the “Computers” container by default. Looking at our network, we see a mix of servers, laptops, and desktops belonging to the people in our organisation. Keeping every device in a single container is not ideal, because the policies for servers will usually differ from those for regular user PCs. Although there is no standard way of doing this, it is advisable to group devices by their intended use. In general there are at least three kinds of devices:

1) Workstations:

Each user often logs into a specific workstation to conduct business or access the internet in Active Directory domains, where workstations are regularly utilised. The use of privileged users on these devices must be avoided at all costs.

2) Servers:

Servers, which are often used to deliver services to other servers or users, are the second most frequently used devices in an Active Directory domain.

3) Domain Controllers:

Since they allow for domain management, domain controllers are crucial components of an Active Directory domain. They are often regarded as the most important network components since they store hashed passwords for each user account in the system.

As we organise our Active Directory, let’s create two separate OUs for Workstations and Servers, directly under the thm.local domain container. The final OU structure should then contain Workstations, Servers, and the already-existing OU for Domain Controllers.

Next, move the servers from the Computers container into the Servers OU, and the personal computers and laptops into the Workstations OU. This will later allow us to configure policies for each OU.
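The OU creation and the moves can be done in one pass from PowerShell, using the computer object’s OperatingSystem attribute to decide where each machine goes. This is an added example, not code from the original article; it assumes the thm.local domain, and the “Server in the OS name” rule is a reasonable default rather than something the article prescribes.

```powershell
# Added example (not from the original article): create the Workstations and Servers
# OUs and move machines out of the default Computers container by operating system.
# Assumes domain thm.local; the OS-name rule is a default, not a standard.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

foreach ($name in 'Workstations', 'Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $name -Path $domainDN }
}

# Only machines still sitting in CN=Computers; DCs already live in OU=Domain Controllers.
$computers = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -Properties OperatingSystem

foreach ($c in $computers) {
    if (-not $c.OperatingSystem) {
        # e.g. a pre-staged account that never joined: leave it for manual review,
        # since a wrong OU means wrong policies once GPOs are linked.
        "$($c.Name): no OperatingSystem attribute, left in Computers"
        continue
    }
    $targetOU = if ($c.OperatingSystem -like '*Server*') { "OU=Servers,$domainDN" }
                else                                     { "OU=Workstations,$domainDN" }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOU
    "{0,-12} {1,-40} -> {2}" -f $c.Name, $c.OperatingSystem, $targetOU
}

# What is left behind is exactly the set that needs a human decision.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" | Select-Object Name
```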

F) Group Policies:

To organise people and computers, we’ve built OUs, but the true goal is to provide each OU its own set of regulations. This gives us the ability to impose various security settings and restrictions on users depending on their department.

Windows employs Group Policy Objects (GPO) as its policy management technology. GPO is a collection of settings that can be used with OUs, which may include policies for users or machines. We can create a baseline of settings for computers and people by utilising GPOs. The Group Policy Management tool, which can be launched from the Start menu, can be used to configure GPOs.

The previously configured OU hierarchy will be visible when you open the Group Policy Management tool. To set up Group Policies, you must first create a GPO in the Group Policy Objects folder and then link it to the OU where you want the policies to be applied. As an illustration, you can see several GPOs that are already present on your PC.

The image above shows three GPOs already created: the Default Domain Policy, the RDP Policy, and the Default Domain Controllers Policy. The Default Domain Controllers Policy is linked only to the Domain Controllers OU, while the RDP Policy and the Default Domain Policy are linked to the whole thm.local domain. Keep in mind that a GPO applies to the OU it is linked to and to every sub-OU beneath it. Let’s examine the Default Domain Policy to see what a GPO contains. The first tab shown when you select a GPO is the scope, i.e. the place in the AD where the GPO is linked; here the policy is linked only to the thm.local domain.

GPOs can also have Security Filtering applied so that they are enforced only on specific users or computers within an OU. By default a GPO applies to the Authenticated Users group, which includes all users and computers.

The Settings tab shows the actual content of the GPO and the configuration it changes. A GPO can contain both Computer Configuration and User Configuration settings; the Default Domain Policy contains only computer settings.

By clicking the “show” links on the right of each section you can browse the GPO’s settings. The Default Domain Policy holds basic settings that are common to most domains, including password and account lockout policies.

Since this GPO is linked to the whole domain, any change to it affects every computer in the domain. Let’s require a minimum of 10 characters for user passwords by changing the minimum password length policy. To do this, right-click the GPO and select Edit; a new window opens in which all the available settings can be viewed and changed. To change the required password length, go to …

It is impossible to cover all the policies that can be set up in a GPO in a single session because there are so many of them. You are urged to learn more about some of the policies on your own because they are simple to understand. You can double-click any of the policies for additional details, and then read the “Explain” page to find out more.
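The scope, security filtering and password-length change described above can all be inspected and made with the GroupPolicy and ActiveDirectory modules. The following is an added example, not code from the original article; it assumes the thm.local domain and the three GPOs the article names.

```powershell
# Added example (not from the original article): inspect GPO scope and filtering,
# then raise the domain's minimum password length. Assumes domain thm.local.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'thm.local'
$domainDN = (Get-ADDomain -Identity $domain).DistinguishedName

# Scope: which GPOs are linked at the domain root and at the Domain Controllers OU.
# A link at the root reaches every child OU unless inheritance is blocked below it.
foreach ($target in $domainDN, "OU=Domain Controllers,$domainDN") {
    "--- links at $target"
    (Get-GPInheritance -Target $target).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
}

# Security filtering: only trustees holding GpoApply actually receive the policy
# (Authenticated Users by default).
Get-GPPermission -Name 'Default Domain Policy' -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Current password/lockout settings carried by the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, PasswordHistoryCount, LockoutThreshold, ComplexityEnabled

# Raise the minimum length to 10, as in the article; this edits the same Account
# Policies section of the Default Domain Policy that the GUI edit changes.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 10

# Human-readable dump of the Settings tab, handy for review or a change ticket.
Get-GPOReport -Name 'Default Domain Policy' -ReportType Html -Path "$env:TEMP\DefaultDomainPolicy.html"
```

The password policy cmdlets are used here because account policies are domain-wide settings held in the Default Domain Policy; they are not ordinary registry-backed GPO settings, so Set-GPRegistryValue would not be the right tool for them.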

GPO Distribution:

A network share called SYSVOL that is housed in the DC is used to spread GPOs throughout the network. All users in a domain should typically have network access to this share to guarantee that GPOs are routinely synced. The C:\Windows\SYSVOL\sysvol directory is the default location for the SYSVOL share on all the network’s DCs.

After changing a GPO, it can take up to two hours for computers to apply the new settings. If you need a specific computer to update its GPOs immediately, run gpupdate /force on it.

Creating some GPOs for THM Inc:

Creating GPOs will enable us to prevent non-IT users from accessing the Control Panel and force workstations and servers to lock their screens after five minutes of inactivity. We must specify the policies and where they should be connected in each GPO to do this.

For the first task, we want to restrict access to the Control Panel to IT staff only. We create and edit a new GPO called “Restrict Control Panel Access”. Since only specific users should be affected by this GPO, the setting is found under User Configuration.

It’s crucial to note that we have enabled the Restrict Access to Control Panel and PC Settings policy.

The GPO must be linked to the OUs that correspond to the users who shouldn’t have a connection to the Control Panel when its setting is complete. By simply dragging and dropping the GPO into each of the Marketing, Management, and Sales OUs, we will specifically connect the GPO with all of them.

We have two possibilities for implementing the second GPO, which automatically locks displays after five minutes of inactivity by the user. Applying the GPO directly to the OUs for Workstations, Servers, and Domain Controllers is one method. If we choose another route, we may apply the GPO to the root domain, which will have an impact on all machines in the domain, including the child OUs. Nevertheless, user-only OUs like Sales or Marketing will not be impacted by any Computer Configuration restrictions in the GPO.

We may give the GPO the name Auto Lock Screen and change it once it is open. The following approach leads to the policy that enables automatic screen locking:

To immediately lock any user’s PC if they leave their session open, we will set the time restriction for inactivity to 5 minutes. After making the required modifications to the GPO, we will drag the GPO to the parent domain and link it to it.

We can confirm that the GPOs were linked to the right OUs and work as intended by logging in via RDP with Mark’s credentials (a user in the Marketing, Sales, or Management departments). When we try to open the Control Panel, a message from the administrator should tell us that this is not allowed. We can also wait five minutes and check that the screen locks on its own.

Users from that department can still log in and use the control panel since the control panel GPO has not been deployed to IT.

Using gpupdate /force will make the GPOs update even if they have already been established and connected but aren’t working.
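Both GPOs from this section, their links, and the forced refresh can be reproduced from PowerShell. This is an added example, not code from the original article. It assumes the thm.local domain with the THM OU and its Marketing, Management and Sales child OUs, and writes the two settings as registry policy: NoControlPanel under the Explorer policy key is the value behind the Control Panel prohibition, and InactivityTimeoutSecs under the System policy key is the value behind the machine inactivity limit.

```powershell
# Added example (not from the original article): create and link the two GPOs above
# with the GroupPolicy module. Assumes domain thm.local with OU=THM and its
# Marketing, Management and Sales child OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1) Restrict Control Panel access - a User Configuration setting (HKCU key), linked
#    to the non-IT department OUs only, so IT keeps the Control Panel.
$cp = New-GPO -Name 'Restrict Control Panel Access' -Comment 'Prohibit Control Panel and PC settings for non-IT staff'
Set-GPRegistryValue -Guid $cp.Id -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

foreach ($dept in 'Marketing', 'Management', 'Sales') {
    New-GPLink -Guid $cp.Id -Target "OU=$dept,OU=THM,$domainDN" -LinkEnabled Yes | Out-Null
}

# 2) Auto Lock Screen - a Computer Configuration setting (HKLM key), linked at the
#    domain root so the Workstations, Servers and Domain Controllers OUs all inherit
#    it. User-only OUs such as Sales are unaffected: they hold no computer objects.
$lock = New-GPO -Name 'Auto Lock Screen' -Comment 'Interactive logon: machine inactivity limit = 5 minutes'
Set-GPRegistryValue -Guid $lock.Id -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 300 | Out-Null
New-GPLink -Guid $lock.Id -Target $domainDN -LinkEnabled Yes | Out-Null

# Confirm the links landed where intended: the lock GPO at the root, the Control
# Panel GPO on the department OUs and not on IT.
foreach ($t in $domainDN, "OU=Sales,OU=THM,$domainDN", "OU=IT,OU=THM,$domainDN") {
    "--- $t"
    (Get-GPInheritance -Target $t).GpoLinks | Select-Object DisplayName, Enabled | Format-Table -AutoSize
}

# On a client (e.g. Mark's RDP session), pull the new policy instead of waiting for
# the refresh interval, then list which GPOs applied to the user and the computer.
gpupdate /force
gpresult /r
```

gpresult /r is the check to run when a GPO “isn’t working”: it shows whether the GPO was applied, filtered out by security filtering, or never reached the object because of where it is linked.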

G) Authentication Methods:

The Domain Controllers of Windows domains house all user credentials. Every time a user attempts to utilise domain credentials to access a service, the service must call the Domain Controller to confirm the credentials. Windows domains utilise Kerberos and NetNTLM as its two network authentication mechanisms.

Current Windows versions use Kerberos as the default protocol, and it is what most domains rely on. NetNTLM, on the other hand, is an older authentication protocol that is kept for backwards compatibility even though it ought to be disabled.

Even though it is no longer recommended, NetNTLM is still enabled alongside Kerberos in most networks. Let’s look at each protocol in more detail.

Kerberos Authentication:

Current versions of Windows use Kerberos as the default authentication protocol. Under Kerberos, a user who logs in is issued tickets that serve as proof of prior authentication; the user can then present a ticket to a service to show that they have already been authenticated to the network.

To begin the Kerberos authentication process, the user sends their username and a timestamp, encrypted with a key derived from their password, to the Key Distribution Center (KDC), a service normally running on the Domain Controller that issues Kerberos tickets on the network. The KDC creates and returns a Session Key and a Ticket Granting Ticket (TGT). The TGT lets the user request further tickets for specific services without having to present their credentials again each time.

When the user wants to connect to a particular service, they use their TGT to request a Ticket Granting Service (TGS) from the KDC. The request contains the username and a timestamp encrypted with the Session Key, the TGT, and a Service Principal Name (SPN) that identifies the service and the server they want to access. The KDC replies with a TGS and a Service Session Key, which the user needs to authenticate to the requested service. The TGS is encrypted with a key derived from the Service Owner Hash, i.e. the password hash of the user or machine account that runs the service, and it carries a copy of the Service Session Key inside its encrypted contents so that the service owner can obtain it by decrypting the TGS.

The user then sends the TGS to the chosen service to complete the connection. The service decrypts the TGS with its own account’s password hash and validates the Service Session Key.

NetNTLM Authentication:

NetNTLM uses a challenge-response mechanism. The client sends an authentication request to the server, and the server replies with a challenge in the form of a random number. The client combines the challenge with its NTLM password hash to produce a response and sends it back to the server for verification. The server forwards the challenge and the response to the Domain Controller, which recomputes the response and compares it with the one the client supplied. If they match, the client is authenticated and the result is returned to both the server and the client. Note that, for security reasons, the user’s password (or its hash) is never sent over the network.
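From the defender’s side, the practical question is how much of each protocol is actually in use. The following is an added example, not code from the original article: it lists the Kerberos tickets of the current session and then summarises successful logon events (ID 4624) by authentication package, which shows where NetNTLM is still being relied on before it is phased out. It assumes an elevated session on a DC or server whose Security log holds recent events.

```powershell
# Added example (not from the original article): a defender's view of Kerberos vs
# NetNTLM usage. Assumes an elevated session with a readable Security log.

# Kerberos: tickets held by the current logon session. Expect the TGT
# (krbtgt/THM.LOCAL) plus one service ticket per SPN contacted so far.
klist

# NetNTLM: summarise successful logons (event 4624) over the last 24 hours by the
# authentication package that handled them.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType                 # 3 = network, 10 = RemoteInteractive (RDP)
        Package   = $d.AuthenticationPackageName # 'Kerberos' or 'NTLM'
        Source    = $d.IpAddress
    }
}

# Overall split between the two protocols.
$rows | Group-Object Package | Select-Object Name, Count | Sort-Object Count -Descending

# NTLM network logons, grouped by source host: these are the clients or services
# that still fall back to NetNTLM and need attention before NTLM is turned off.
$rows | Where-Object { $_.Package -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Group-Object Source | Select-Object Name, Count | Sort-Object Count -Descending
```

A common reason for NTLM showing up is clients addressing a server by IP address rather than by name: no SPN can be built for an IP, so Kerberos cannot be used and the client silently falls back to NetNTLM.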

H) Trees, Forests, and Trusts:

We have already discussed domain management and the function of a domain controller in connecting computers, servers, and users. Use of numerous domains may become necessary when a business expands to meet new demands.

Trees:

A firm’s IT staff in each nation must manage resources without interfering with one another if the company grows to a new country with distinct rules and regulations. A complicated organisational unit (OU) structure may not be the ideal answer since it is difficult to manage and prone to human error. Thankfully, Active Directory allows for the fusion of different domains, enabling the division of networks into separately managed pieces. A tree, consisting of a root domain like thm.local with subdomains for UK and US branches, can be created if two domains have the same namespace.

Given that each branch has its own domain controller (DC) managing its resources, the segmented structure of a tree gives finer control over access to domain resources. Each domain in the tree can have its own policies. While each domain has its own Domain Admins group with administrative rights over that domain only, the Enterprise Admins group can grant a user administrative privileges over every domain in the organisation.

Forests:

The domains you manage can also be configured under different namespaces; several trees with different namespaces can then be joined into a single network. This is called a forest, and it is useful for managing several domain trees belonging to different companies within a single network.

Trusts:

When several domains are organised in trees and forests, trust relationships allow access to resources across domains. A trust relationship lets a user from one domain be granted permission to use resources in another domain. In a one-way trust, users from one domain can access resources in the other; in a two-way trust, users from both domains can authenticate to each other’s domain.

It’s vital to remember that trust connections across domains don’t always give access to all their services. Access to certain resources throughout many domains still needs authorisation.
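The forest, its trees and the direction of each trust can be read from a domain-joined administrative session, and the last point above, that a trust does not by itself grant access, is verified by looking at a resource’s own ACL. This is an added example, not code from the original article; it assumes thm.local is the forest root, and the share path is a placeholder.

```powershell
# Added example (not from the original article): map the forest and its trusts,
# then check what a resource actually grants. Assumes thm.local is the forest root;
# the share path is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root : $($forest.RootDomain)"
"Domains     : $($forest.Domains -join ', ')"   # each distinct namespace is its own tree

# Each trust: Direction tells you who can authenticate where.
#   Outbound      = this domain trusts the other (their users may be granted our resources)
#   Inbound       = the other domain trusts us
#   BiDirectional = both
# SIDFilteringQuarantined shows whether SID history from the other side is filtered,
# which matters for trusts to domains you do not fully control.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined |
    Format-Table -AutoSize

# A trust is not access: each resource still needs explicit permissions. Inspect which
# principals from other domains appear in a share's NTFS ACL.
$share = 'C:\Shares\Finance'   # placeholder path
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -notlike 'BUILTIN\*' -and $_.IdentityReference -notlike 'NT AUTHORITY\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```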

I) Conclusion:

This room summarised the basic components and concepts of Windows domains and Active Directory. Keep in mind that this introduction only scratches the surface, and much more must be learned before building an Active Directory infrastructure for production use.
