Creating Organizational Units, Accounts, and Groups
Tom Brett

Active Directory Users and Computers (ADUC)
After installing AD DS, the next task is to create your Organizational Units, users, groups and so on.
The primary tool you'll use is Active Directory Users and Computers (ADUC). This is a GUI application with a point-and-click interface.
You can also complete the tasks from the command line. If you're running Server Core, you won't have access to ADUC locally.
Anything that can be entered from the command line can be scripted.
LAB : NAVIGATING ACTIVE DIRECTORY USERS AND COMPUTERS (ADUC)
Launch Active Directory Users and Computers by selecting Start > Administrative Tools > Active Directory Users and Computers.
Active Directory Users and Computers opens.
Expand your domain. This exposes the containers for the different objects.
Select Builtin. This shows you the predefined security groups within AD DS.
Click Computers. You will notice that there are presently no computers set up.
If you view ADUC you will now see that there are two domain controllers there.
Click ForeignSecurityPrincipals. No security principals exist (this will be explained later).
Click Managed Service Accounts. Again, this is currently blank.
Select Users. This displays the prebuilt users and security groups.

ORGANIZATIONAL UNITS
Organizational units are used to organize objects within Active Directory. Any objects (such as users, computers, groups, and so on) can be placed within an OU to make them easier to administer.
The two primary technical reasons why you'll create an OU:
Management through Group Policy
Administrative delegation
It's common for administrators to create OUs to match each department in their organization, or to create OUs to group users with similar responsibilities.

OU Management Through Group Policy
Group Policy objects (GPOs) can be created and linked to sites, domains, and OUs. If you want some users to have a specific Group Policy assigned to them, you can create an OU, place the accounts within the OU, and link the GPO to the OU.

OU Administrative Delegation
The second technical reason to create an OU is related to delegation.
LAB : CREATING OUs WITH ADUC
Launch Active Directory Users and Computers by selecting Start > Administrative Tools > Active Directory Users and Computers.
Right click the domain, and select New > Organizational Unit.
Enter Sales as the name of the OU in the text box.
Ensure the check box Protect container from accidental deletion is selected.
Click OK.
Note: Protect container from accidental deletion is a neat feature that prevents anyone (even administrators) from accidentally deleting an object. If you really want to delete an object, you still can. Modify this setting by selecting View > Advanced Features in ADUC, opening the properties of the object, selecting the Object tab, and deselecting the Protect object from accidental deletion option. Then you can delete the object.
The new Organizational Unit is created.
It's also possible to create child OUs. Right click the Sales OU you just created, and select New > Organizational Unit. Type in Users for the name, and click OK. The nested Organizational Unit appears within Sales.
You now have two Users objects within Active Directory. They are very different from each other:
The Users OU within the Sales OU is an OU and can have GPOs linked to it.
The Users container under the domain is only a container (not an OU) and cannot have GPOs linked to it.
OUs have a slightly different icon to identify them: it's not just a folder but a folder with an icon embedded on the front, reminding you it's something more.

ACTIVE DIRECTORY NAMING STANDARDS
Active Directory uses the Lightweight Directory Access Protocol (LDAP) for communication. LDAP uses a distinguished name (DN) to uniquely identify each object within the directory.
Since its introduction, LDAP has become a de facto standard that enables data exchange between directory services and applications.
LDAP defines the naming of all objects in the Active Directory database. It therefore provides a directory that can be integrated with other directory services (for example Novell eDirectory) and with Active Directory applications such as Exchange.
LDAP refers to an object using its Distinguished Name (DN). This DN references each object in the Active Directory database using its entire hierarchical path, starting with the object itself and going up to the root of the domain.
LDAP defines the naming of attributes that identify each part of the object's name:

Object Class              LDAP Naming Attribute   Definition of Naming Attribute
User or any leaf object   CN                      Common Name
Organizational Unit       OU                      Organizational Unit Name
Domain                    DC                      Domain Component. One for each part of the DNS name

The format of a DN uses objecttype=objectname, with several object types separated by commas. It is best not to use spaces in the Distinguished Name. LDAP is not case sensitive.
If we have a user Jsmith, their distinguished name could be cn=jsmith,ou=sales,dc=ipa,dc=com
An account with a name of Sally.Smith located in the Sales OU would have this DN:
cn=sally.smith,ou=sales,dc=bigfirm,dc=com
An account with a name of Joe.Johnson located in the Users container would have this DN:
cn=joe.johnson,cn=users,dc=bigfirm,dc=com
If OUs are nested (have OUs within them), the lowest-level OU comes first in the DN. For example, if the Sales OU had a child OU named Users and then had a user named Maria within it, the DN would be as follows:
cn=maria,ou=users,ou=sales,dc=bigfirm,dc=com

The use of spaces in LDAP Distinguished Names
If the DN includes any spaces, it needs to be enclosed in quotes to ensure it is interpreted correctly. For example, this doesn't require quotes because there are no spaces:
cn=maria,ou=users,ou=sales,dc=bigfirm,dc=com
However, the same DN with spaces must include quotes:
"cn=maria, ou=users, ou=sales, dc=bigfirm, dc=com"
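The DN rules above (cn= for the leaf, lowest-level ou= first, one dc= per DNS label, quotes when the DN contains a space) as a small PowerShell helper. This is an added example, not part of the original slides; it is plain string handling and needs no ActiveDirectory module, and it uses the slides' own sample names and the bigfirm.com domain. The helper assumes the object sits under OUs (it does not produce the cn=users container form) and does not handle backslash escapes for special characters, which the slides advise avoiding anyway.

```powershell
# Added example: build and take apart LDAP distinguished names.

function New-ObjectDN {
    param(
        [Parameter(Mandatory)] [string] $Name,        # leaf object name
        [string[]] $OUPath = @(),                     # OUs top-down, e.g. 'Sales','Users'
        [Parameter(Mandatory)] [string] $DnsDomain,   # e.g. bigfirm.com
        [switch] $LeafIsOU                            # leaf is itself an OU (ou=) rather than cn=
    )
    $leafType = if ($LeafIsOU) { 'ou' } else { 'cn' }
    $parts = @("$leafType=$Name")

    # Nested OUs: the lowest-level OU comes first, so walk the path bottom-up.
    for ($i = $OUPath.Count - 1; $i -ge 0; $i--) {
        $parts += "ou=$($OUPath[$i])"
    }

    # One dc= component for each label of the DNS domain name.
    foreach ($label in $DnsDomain.Split('.')) {
        $parts += "dc=$label"
    }

    $dn = $parts -join ','
    # A DN containing a space must be quoted when used on a command line.
    if ($dn -match ' ') { $dn = "`"$dn`"" }
    return $dn
}

function ConvertFrom-DN {
    param([Parameter(Mandatory)] [string] $DN)
    # Strip surrounding quotes and any space after a comma, then split
    # each RDN into its naming attribute and value. (No RFC 4514 escape
    # handling: a literal comma in a name is not supported here.)
    $rdns = $DN.Trim('"') -split ',\s*'
    foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{ Type = $type.ToLower(); Value = $value }
    }
}

# The users from the slides
New-ObjectDN -Name 'sally.smith' -OUPath 'sales' -DnsDomain 'bigfirm.com'
New-ObjectDN -Name 'maria' -OUPath 'sales', 'users' -DnsDomain 'bigfirm.com'
# An OU as the leaf object
New-ObjectDN -Name 'Clowns' -DnsDomain 'bigfirm.com' -LeafIsOU
# A name containing a space gives a quoted DN
New-ObjectDN -Name 'Joe Bloggs' -OUPath 'sales', 'users' -DnsDomain 'bigfirm.com'
# Reverse direction: the quoted, spaced DN from the slides back into its parts
ConvertFrom-DN '"cn=maria, ou=users, ou=sales, dc=bigfirm, dc=com"' | Format-Table
```

Because LDAP is not case sensitive, the case of the attribute names and values returned by either function does not matter to the directory; ConvertFrom-DN lowercases the attribute type only so that comparisons in your own scripts are consistent.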
CREATING OUs WITH DSADD
You can use DSAdd to create a variety of different Active Directory objects. You need to execute the DSAdd command from the command line. Although it's easier to run the command from a domain controller, you can also run it from other locations by specifying the server and domain parameters.
In the command prompt you can enter DSAdd /? to view the help on DSAdd.
Imagine you had a bunch of clowns in your organization that you wanted to manage using Group Policy. The following command can be entered from the command line to create an OU named Clowns in the Bigfirm.com domain. Notice the DN is ou=clowns,dc=bigfirm,dc=com.
DSAdd ou ou=clowns,dc=bigfirm,dc=com

LAB : USING DSADD TO CREATE AN ORGANIZATIONAL UNIT
Here we wish to add an OU called Service in Active Directory. Open the command prompt on the DC and enter the following:
DSAdd ou ou=service,dc=tombrett,dc=local
Obviously, replace the DC parameters to match your infrastructure.
When you press Enter the OU is added. If you receive an error, check the syntax and the structure. Review Active Directory Users and Computers to see if it was successful.
Active Directory objects can also be created using PowerShell and Windows Script Host (using VBScript).
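The PowerShell route mentioned above, as an added example that is not part of the original slides: it creates the Service OU from the lab and the nested Sales\Users structure with the ActiveDirectory module (RSAT / Windows Server 2008 R2), switching on the same accidental-deletion protection as the ADUC check box. It assumes the tombrett.local domain and a session that can reach a domain controller; the helper name New-OUIfMissing is the example's own.

```powershell
# Added example: PowerShell equivalent of "DSAdd ou ou=service,dc=tombrett,dc=local".
Import-Module ActiveDirectory

function New-OUIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDN   # e.g. DC=tombrett,DC=local
    )
    $dn = "OU=$Name,$ParentDN"
    # DSAdd errors out on a duplicate; probing first makes this safe to re-run.
    $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'"
    if ($existing) {
        Write-Verbose "OU $dn already exists"
        return $existing
    }
    # ProtectedFromAccidentalDeletion mirrors the ADUC check box. It is on by
    # default for New-ADOrganizationalUnit but is set explicitly here.
    New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
        -ProtectedFromAccidentalDeletion $true -PassThru
}

# Domain root DN, so the script does not hard-code the dc= components
$domainDN = (Get-ADDomain).DistinguishedName

# The lab's Service OU
New-OUIfMissing -Name 'Service' -ParentDN $domainDN

# Nested OUs: Sales, then Users inside it
$sales = New-OUIfMissing -Name 'Sales' -ParentDN $domainDN
New-OUIfMissing -Name 'Users' -ParentDN $sales.DistinguishedName

# Confirm the result, as you would by reviewing ADUC
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion
```

Run with -Verbose to see which OUs were skipped because they already existed.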
USER ACCOUNTS
A user account is an object that contains all of the information that defines a user in Windows Server 2008 R2. With a user account, you can:
Allow or deny users to log on based on their identity
Grant users access to processes and services
Manage users' access to resources

CREATING ACCOUNTS
Both users and computers need accounts in order to access the domain. Just as with OUs, you can use either Active Directory Users and Computers or DSAdd to create the accounts.
Some accounts are created automatically. For example, when you join a computer to the domain, its computer account is automatically created in Active Directory.

CREATING ACCOUNTS WITH ADUC
To create a user account using Active Directory Users and Computers, follow these steps:
Launch Active Directory Users and Computers by selecting Start > Administrative Tools > Active Directory Users and Computers.
Right click the Users OU within the Sales OU you created earlier, and select New > User. The new user object dialog box appears.
Enter the first name, last name, and user logon name for the user. Click Next.
Enter a password for the user in the Password and Confirm Password text boxes. Ensure the check box User must change password at next logon is selected.
Review the information on the summary page, and click Finish.
CREATING ACCOUNTS BY USING DSADD
You can use the same DSAdd command line tool to create user accounts. The basic syntax is as follows:
DSAdd user DN
Although most parameters are optional, you'll find that the default domain policy will prevent you from creating an enabled account with a blank password. Not only will the account be disabled, but you won't be able to enable it until you set a password. You will also probably want to add information such as first name, last name, and display name.
The DSAdd user command includes the following parameters for each of these options:
-pwd: Password
-fn: First name
-ln: Last name
-display: Display name
-samid: SAMID (pre-Windows 2000 logon name)
-upn: User principal name
The equivalent fields in ADUC are as follows. The full name in ADUC is the display name. When using ADUC, this is automatically created, but it needs to be specified with DSAdd or else it's left blank. The user logon name is developed from the UPN name, and the SAMID identifies the legacy logon name and is the same as the text in the user logon name text box.
If you're creating the account with a password, you want to ensure the user changes the password as soon as they log on. The DSAdd command includes the -mustchpwd parameter. When set to yes, it will force the user to change their password.
So, to create an enabled user named JoeBloggs in the Sales\Users OU with a password of Pa$$w0rd, who must change the password at next logon, you could use the following command:
DSAdd user CN=JoeBloggs,OU=Users,OU=Sales,DC=tombrett,DC=local -disabled no -pwd Pa$$w0rd -mustchpwd yes
Press Enter to run the dsadd command. After running it, check ADUC to see if the user is there. You may need to refresh the container (right click > Refresh).
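The same account created with the ActiveDirectory module, as an added example that is not part of the original slides. Each New-ADUser parameter is mapped to the DSAdd switch it replaces, and the display name that ADUC would fill in for you is set explicitly, as the slides note DSAdd requires. The password is prompted for rather than typed on the command line, where it would remain in the shell history. The tombrett.local domain, the Sales\Users OU path and the helper name New-LabUser are assumptions of the example.

```powershell
# Added example: PowerShell equivalent of the DSAdd user command above.
Import-Module ActiveDirectory

function New-LabUser {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $OUPath,          # e.g. OU=Users,OU=Sales,DC=tombrett,DC=local
        [Parameter(Mandatory)] [securestring] $Password
    )
    $sam = "$FirstName$LastName"              # JoeBloggs
    $domainDns = (Get-ADDomain).DNSRoot       # tombrett.local

    $params = @{
        Name                  = $sam                      # the CN= part of the DN
        SamAccountName        = $sam                      # -samid (pre-Windows 2000 logon name)
        UserPrincipalName     = "$sam@$domainDns"         # -upn (user logon name)
        GivenName             = $FirstName                # -fn
        Surname               = $LastName                 # -ln
        DisplayName           = "$FirstName $LastName"    # -display (ADUC fills this in, DSAdd does not)
        Path                  = $OUPath
        AccountPassword       = $Password                 # -pwd
        ChangePasswordAtLogon = $true                     # -mustchpwd yes
        Enabled               = $true                     # -disabled no: only allowed because a password is set
    }
    New-ADUser @params -PassThru
}

$initialPassword = Read-Host -Prompt 'Initial password for JoeBloggs' -AsSecureString
$user = New-LabUser -FirstName 'Joe' -LastName 'Bloggs' `
    -OUPath 'OU=Users,OU=Sales,DC=tombrett,DC=local' -Password $initialPassword

# Verify, as you would by refreshing the container in ADUC. PasswordExpired
# is true because the user must change the password at next logon.
Get-ADUser -Identity $user.SamAccountName -Properties DisplayName, PasswordExpired |
    Select-Object Name, Enabled, DisplayName, UserPrincipalName, PasswordExpired
```

Leaving out AccountPassword reproduces the behaviour described above for a blank password: the account is created disabled and cannot be enabled until a password that meets the domain policy is set.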
For further details on dsadd see http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx

SETTING DOMAIN BASED USER ACCOUNT PROPERTIES
In AD DS, there are a lot more tabs, with many more settings available to you, in a domain-based user account than there are in a local user account. This gives administrators much more control over their users. It also allows you to store more information with each user account. This information can be used by users or by applications.
Local / Domain User Comparison (screenshots: Local User Account Properties alongside Domain User Account Properties)

General Tab
You'll see the usual first name and last name. You also have the ability to store some other information about the user in the user's account object in Active Directory, such as their office, telephone number, email address, and web page. You can make use of any defined email address or web page settings for this user by right clicking the account object in Active Directory Users and Computers.
Address Tab
This allows you to define a postal address for the user in question.

Account Tab
You can see the user logon name, the UPN, and the pre-Windows 2000 user logon name that you defined while creating the user. You can use these controls to modify those usernames.
Clicking the Logon Hours button opens the Logon Hours dialog box. This allows you to control when a user can log on to the network to access resources. It does not forcibly log the user off if they are already logged in.
The Log On To dialog box allows you to control which computers this user can use to log in to Active Directory.

Telephones Tab
You can store telecommunications contact information for the user in their user account object.

Organization Tab
The Organization tab is another information tab. It allows you to describe the role of the user within the organization.
Personal Virtual Desktop Tab
Personal virtual desktops are a form of VDI where a virtual machine with a copy of Windows Vista or Windows 7 runs on a server in the computer room. The user will log into it using Remote Desktop via a Remote Desktop Connection Broker. This broker is required to use the functionality in this tab.

COM+ Tab
This is more to do with development. A partition is an application configuration. This is beyond the scope of this course.

Member Of Tab
The Member Of tab allows you to control group membership of this user account. You can also control the primary group of the user. This is required only for POSIX applications or Macintosh client computers.
More tabs will be available if you choose the advanced view.

EDITING MANY USER ACCOUNTS AT ONCE
If you want to modify the same properties of multiple user accounts, simply select all of the accounts, then right click one and choose Properties. You will only see a subset of the options.
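The General, Address, Account and Organization tab fields above, and the multi-account edit, done from PowerShell as an added example that is not part of the original slides. It assumes the JoeBloggs account and the Sales\Users OU from the lab in the tombrett.local domain; every address, phone number, workstation name and the JaneDoe manager account are constructed values.

```powershell
# Added example: setting user account properties, singly and in bulk.
Import-Module ActiveDirectory

$salesUsersOU = 'OU=Users,OU=Sales,DC=tombrett,DC=local'

# General tab: office, telephone, email, web page
Set-ADUser -Identity 'JoeBloggs' `
    -Office 'Galway' -OfficePhone '+353 91 000000' `
    -EmailAddress 'joe.bloggs@tombrett.local' -HomePage 'http://intranet.tombrett.local/sales'

# Address tab
Set-ADUser -Identity 'JoeBloggs' `
    -StreetAddress '1 Main Street' -City 'Galway' -PostalCode 'H91 XXXX' -Country 'IE'

# Organization tab: job title, department, company and manager
# (the manager is another account; JaneDoe is assumed to exist)
Set-ADUser -Identity 'JoeBloggs' `
    -Title 'Sales Executive' -Department 'Sales' -Company 'Big Firm' -Manager 'JaneDoe'

# Account tab, Log On To button: limit the workstations this user may log on from
Set-ADUser -Identity 'JoeBloggs' -LogonWorkstations 'SALES-PC01,SALES-PC02'

# Editing many accounts at once: the same Department and Office for everyone
# in the OU, the equivalent of multi-selecting the accounts in ADUC.
$salesUsers = Get-ADUser -Filter * -SearchBase $salesUsersOU -SearchScope OneLevel
$salesUsers | Set-ADUser -Department 'Sales' -Office 'Galway' -WhatIf   # preview first
$salesUsers | Set-ADUser -Department 'Sales' -Office 'Galway'

# Read back what was written; these attributes are not returned by default
Get-ADUser -Identity 'JoeBloggs' -Properties Office, EmailAddress, Department, Title, Manager, LogonWorkstations |
    Format-List Name, Office, EmailAddress, Department, Title, Manager, LogonWorkstations
```

The -WhatIf pass prints one line per account that would be changed, which is the command-line counterpart of checking which accounts you have selected before clicking OK in ADUC.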
ACTIVE DIRECTORY GROUPS
The basic concept of Active Directory or domain-based groups does not differ from that of local groups. You use them to treat a number of objects collectively in an identical manner. The most common reason to create groups is to organize users. More specifically, global security groups are created to organize users, and permissions are then assigned to the groups.
A single group can contain many domain-based security principals, such as users and computers, and can be used across all computers within the domain in which the group resides. You can also use groups outside of their native domain, and there is even a category that can contain members from any domain in a forest.
Whenever possible, you should assign permissions to groups rather than users.

Default Built-In Groups
You can use the built-in groups to simplify administration.

You can have several users in the sales department. Instead of assigning permissions to each individual in the sales department, you could create a single global security group named G_Sales. You can then make all the users in the sales department members of the G_Sales group, and assign permissions to the G_Sales group. If a user leaves, take them out of the G_Sales group, and they will no longer have the permissions of the group. If a user joins the sales team, put them into the G_Sales group, and they will have the permissions of everyone else in the group.
There are two types of groups: distribution and security. Distribution groups are used for email; security groups are used to assign permissions. Security groups can also be used for email.

Distribution Group
A distribution group is used to group a number of objects together that will be addressed collectively. A mail server, such as Microsoft Exchange, can present the distribution group to users as a destination address. The user can choose to send a mail to the distribution group, and the mail server will attempt to send the mail to all members of the group, assuming that they have email addresses configured.

Security Group
A security group can also perform the mail distribution function. You can use a security group to assign permissions or rights to an object or a set of objects, such as an organizational unit, a folder, or a component of an application. This allows Active Directory to become not only your single authentication mechanism for your network but also your authorization mechanism. An end user can use a single user account to gain authorization to secured resources across the entire Active Directory forest, not just a domain or a single computer.
There are three group scopes:
Global: Global groups are used to organize users. This is the most commonly used group scope.
Domain Local: Domain local groups are domain-level groups that can be used to set up permissions on resources in the domain in which they exist.
Universal: Universal groups are used only in multiple-domain environments.
Groups can also contain other groups, commonly referred to as group nesting. This may be used to simplify resource allocation.
The most common way to create these groups is with Active Directory Users and Computers. You can use the following steps to create a global security group.
Launch Active Directory Users and Computers by selecting Start > Administrative Tools > Active Directory Users and Computers.
Right click the Sales OU, and select New > Group. Enter G_Sales in the Group name box.
Right click the Sales OU, and select New > Group. Enter G_SalesAdmins in the Group name box. This group will be granted the permissions needed to administer the Sales OU. Click OK.
View the Sales Organizational Unit.

EDITING GROUP PROPERTIES
To modify properties for a group, right click the group and choose Properties. The number of tabs available will depend on whether View > Advanced Features is selected from the ADUC menu.
The General tab allows you to modify the scope or the group type (security or distribution). It also allows you to specify a group email address and description.
Changing a group from a security group to a distribution group means that it cannot be used for assigning permissions anymore. You are warned that any permission assigned using this group may fail to function. This is especially important if you are denying access to critical resources using this group. Worse still, the group still appears to have (or to be denied) rights, but those rights are no longer effective.
You cannot directly change a group from a domain local group to a global group, or vice versa. You can change either scope to universal. From there, you can change it back to either domain local or global.
The member functionality for domain-based groups works just like that of local groups. You can add and remove members using the Add and Remove buttons. Domain-based groups are capable of containing more types of objects than local groups can, such as the following:
Other objects: This flexible solution allows you to add members that are created by applications, that is, not the usual users, computers, or groups.
Contacts: These objects are created in Active Directory to store contact information about people or organizations. This could be used for distribution groups.
Service accounts: This is a new feature of Windows Server 2008 R2 where you can set up dedicated service accounts instead of creating user accounts and assigning them to services.
You cannot add security principals that are local machine based, that is, local users or local groups. These security principals exist only on their computer, so it makes no sense to add them to a domain-wide or forest-wide group.
Domain-based groups can be nested; that is, a group can be a member of another group. The Member Of tab in the group's properties allows you to manage which groups this group is a member of.
The Managed By tab allows you to select a user or a group to be the owner of this group. The group can be assigned rights to resources. The selected owner can be given rights to manage the membership of the group by selecting the Manager can update membership list check box.
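Group creation from the lab steps, group nesting, the Managed By owner, and the scope change that has to go through Universal, all in PowerShell as an added example that is not part of the original slides. It serves both the creation steps (G_Sales and G_SalesAdmins in the Sales OU) and the editing section above. It assumes the Sales OU and the Sales\Users accounts exist in the tombrett.local domain; the DL_SalesShare_Modify resource group, the JoeBloggs owner and the helper name Convert-GroupScope are the example's own.

```powershell
# Added example: creating, nesting and re-scoping domain-based groups.
Import-Module ActiveDirectory

$salesOU = 'OU=Sales,DC=tombrett,DC=local'

# The two global security groups from the lab (Security is the default category)
foreach ($name in 'G_Sales', 'G_SalesAdmins') {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
        -GroupCategory Security -Path $salesOU -Description "Sales department: $name"
}

# Membership: every user account in Sales\Users goes into G_Sales
$salesUsers = Get-ADUser -Filter * -SearchBase "OU=Users,$salesOU"
Add-ADGroupMember -Identity 'G_Sales' -Members $salesUsers

# Nesting: a domain local group holds the permissions on a resource, and the
# global group is its member, so the resource ACL never names individual users.
New-ADGroup -Name 'DL_SalesShare_Modify' -SamAccountName 'DL_SalesShare_Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $salesOU
Add-ADGroupMember -Identity 'DL_SalesShare_Modify' -Members 'G_Sales'

# Managed By tab. Note: -ManagedBy only records the owner in the managedBy
# attribute; the "Manager can update membership list" check box additionally
# writes a permission on the group, which this cmdlet does not do.
Set-ADGroup -Identity 'G_SalesAdmins' -ManagedBy 'JoeBloggs'

function Convert-GroupScope {
    # Domain Local <-> Global is refused directly; Universal is the bridge.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $TargetScope
    )
    $current = (Get-ADGroup -Identity $Identity).GroupScope
    if ($current -eq $TargetScope) { return }
    if ($current -ne 'Universal' -and $TargetScope -ne 'Universal') {
        Set-ADGroup -Identity $Identity -GroupScope Universal
    }
    Set-ADGroup -Identity $Identity -GroupScope $TargetScope
}

# The direct change is refused by the directory...
try {
    Set-ADGroup -Identity 'G_Sales' -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Warning "Direct Global -> DomainLocal refused: $($_.Exception.Message)"
}
# ...so go via Universal, then round-trip back to Global for the lab
Convert-GroupScope -Identity 'G_Sales' -TargetScope DomainLocal
Convert-GroupScope -Identity 'G_Sales' -TargetScope Global

# Effective membership of the resource group, nested groups expanded
Get-ADGroupMember -Identity 'DL_SalesShare_Modify' -Recursive | Select-Object Name, objectClass
```

The scope change to Universal itself has preconditions (for instance, a global group cannot become universal while it is a member of another global group), so Convert-GroupScope still fails in those cases; the error message from Set-ADGroup says which rule was hit.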
Common Administrative Tasks

FORGOTTEN PASSWORDS
If you are using the GUI, then you need to navigate to the user account in question in Active Directory Users and Computers. Then right click the user and select Reset Password to open the Reset Password dialog box. You can now enter a new password for the user.
See that the check box to force the user to change their password after logon is selected? This is the default. This is very convenient because, as you can see, the password that you gave to this user is probably the same one
You can change a user's password using the dsmod user command. Example:
dsmod user "CN=Joe Bloggs,OU=Users,DC=bigfirm,DC=com" -pwd Password12345678 -mustchpwd yes
(The DN contains a space, so it is quoted.)

LOCKED OUT USERS
Account lockouts are disabled by default in the Default Domain Policy. When enabled, after x incorrect login attempts AD will lock the account for 30 minutes. To unlock the account prior to that, an administrator will need to log in and reset the account.
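The password reset and the lockout handling above as an added PowerShell example, not part of the original slides. It resets a password the way the dsmod command does (with the must-change-at-next-logon flag, the GUI default), reads the lockout settings the Default Domain Policy is applying, lists locked-out accounts and unlocks one early. It assumes the JoeBloggs account from the lab in the tombrett.local domain; the helper name Reset-LabPassword and the warning threshold of ten locked accounts are the example's own choices.

```powershell
# Added example: password reset, lockout policy and locked-out accounts.
Import-Module ActiveDirectory

function Reset-LabPassword {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Prompt instead of passing the password as an argument (dsmod leaves it in
    # the command history).
    $newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString
    # -Reset is the administrative reset; without it the old password is required
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
    # Same as the "User must change password at next logon" check box
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

Reset-LabPassword -SamAccountName 'JoeBloggs'

# Lockout settings in force. LockoutThreshold 0 means lockouts are disabled,
# which is the Default Domain Policy default.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# State of one account. badPwdCount is kept per domain controller and is not
# replicated, so query the DC the user authenticates against for an exact figure.
Get-ADUser -Identity 'JoeBloggs' -Properties LockedOut, badPwdCount, LockoutTime |
    Select-Object SamAccountName, LockedOut, badPwdCount, LockoutTime

# All currently locked-out accounts. A sudden large number is the signature of
# a mass-lockout denial of service rather than a few forgotten passwords.
$locked = @(Search-ADAccount -LockedOut)
$locked | Select-Object SamAccountName, LastLogonDate
if ($locked.Count -gt 10) {
    Write-Warning "$($locked.Count) accounts locked out at once: investigate the source of the failed logons before unlocking"
}

# Release a single account before LockoutDuration expires
Unlock-ADAccount -Identity 'JoeBloggs'
```

Unlock-ADAccount accepts the Search-ADAccount output on the pipeline, so a blanket unlock is a one-liner; during a lockout storm that only buys a few minutes until the failed logons lock the accounts again, which is why the example warns instead.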
One of the bad possible outcomes here is a denial of service attack, where a user would run a script to incorrectly log in as all the users, therefore locking them all.

LAB : SET UP AN ACTIVE DIRECTORY SYSTEM TO MIMIC AN ORGANIZATION'S STRUCTURE
Think of an organization, maybe a college, and mimic its organization chart using AD.