Microsoft Official Course
Module 3: Managing Active Directory Domain Services Objects
Module Overview
• Managing User Accounts
• Managing Groups
• Managing Computer Accounts
• Delegating Administration
Lesson 1: Managing User Accounts
• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Demonstration: Managing User Accounts
• Demonstration: Using Templates to Manage User Accounts
AD DS Administration Tools
To manage AD DS objects, you can use the following graphical tools:
• Active Directory Administration snap-ins
• Active Directory Administrative Center
You can also use the following command-line tools:
• Active Directory module in Windows PowerShell
• Directory Service commands
Creating User Accounts
The Account section of the Active Directory Administrative Center Create User window
Configuring User Account Attributes
The Log on hours dialog box
Creating User Profiles
The Profile section of the User Properties window
Demonstration: Managing User Accounts
In this demonstration, you will see how to:
• Use the Active Directory Administrative Center to manage user accounts
• Delete a user account
• Create a new user account
• Move the user account
• View the Windows PowerShell History
• Use Windows PowerShell to manage user accounts
• Find inactive user accounts
• Find disabled user accounts
• Delete disabled user accounts
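The last three demonstration steps as a script, added here as an example and not part of the course material. It uses the Active Directory module from RSAT on a domain-joined admin host; the OU, the 90-day inactivity threshold and the 30-day retention before deletion are assumptions for the Adatum lab domain.

```powershell
# Added example (not from the course slides): find stale and disabled user
# accounts and clean them up safely. Run with -WhatIf first; remove it only
# after reviewing the lists it prints.
Import-Module ActiveDirectory

$SearchBase = 'OU=Branch,DC=Adatum,DC=com'   # assumed OU; omit -SearchBase to scan the whole domain
$Inactive   = New-TimeSpan -Days 90           # assumed inactivity threshold

# 1. Find inactive user accounts. Search-ADAccount evaluates the replicated
#    lastLogonTimestamp, which can lag a real logon by up to 14 days, so read
#    the result as "at least this stale", never as an exact date.
$inactiveUsers = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $Inactive -SearchBase $SearchBase |
    Where-Object { $_.Enabled }              # still enabled: these are the risky ones
$inactiveUsers | Select-Object Name, SamAccountName, LastLogonDate | Format-Table -AutoSize

# Disable rather than delete on the first pass. A disabled account keeps its SID,
# so group memberships and ACL entries survive if it has to be revived.
$inactiveUsers | Disable-ADAccount -WhatIf   # drop -WhatIf after reviewing the list

# 2. Find disabled user accounts, excluding built-ins that must never be removed.
$disabledUsers = Search-ADAccount -UsersOnly -AccountDisabled -SearchBase $SearchBase |
    Where-Object { $_.SamAccountName -notin 'Guest', 'krbtgt', 'DefaultAccount' }
$disabledUsers | Select-Object Name, SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Delete disabled user accounts, but only those that have been disabled for a
#    while. AD does not record when an account was disabled, so whenChanged is
#    used as a proxy for "last touched" (assumption: nothing else edits them).
$cutoff = (Get-Date).AddDays(-30)            # assumed retention before deletion
$disabledUsers |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenChanged } |
    Where-Object { $_.whenChanged -lt $cutoff } |
    Remove-ADUser -WhatIf                    # then rerun with -Confirm to approve each deletion
```

Deleting an account destroys its SID; any ACL entry that referenced it becomes an unresolvable SID and cannot be recovered without the AD Recycle Bin, which is why the script disables first and deletes only after a retention period.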
Demonstration: Using Templates to
Manage User Accounts
In this demonstration, you will see how to:
• Create a user template account
• Use Windows PowerShell to create a user from
the user template
• Verify the properties of the new user account
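The template demonstration in Windows PowerShell, added here as an example that is not part of the course material. It relies on New-ADUser -Instance from the Active Directory module; the template account name, the target OU and the sample user are assumptions for the Adatum lab domain.

```powershell
# Added example (not from the course slides): create a user from a template
# account and verify what was actually copied.
Import-Module ActiveDirectory

$TemplateName = '_Template_Sales'            # assumed template account
$TargetOU     = 'OU=Sales,DC=Adatum,DC=com'  # assumed OU

# -Instance copies only the attributes present on the object you pass, so ask
# for the shared ones explicitly. Per-user paths (HomeDirectory, ProfilePath)
# are deliberately left out: copying them would point the new user at the
# template's folders.
$template = Get-ADUser -Identity $TemplateName -Properties Department, Company, Title,
    Office, StreetAddress, City, State, PostalCode, Country, ScriptPath, HomeDrive,
    LogonWorkstations, MemberOf

# A template exists only to be copied. Stop if someone has enabled it for logon.
if ($template.Enabled) {
    throw "Template $TemplateName is enabled. Disable it before using it as a template."
}

$sam = 'Ed'                                  # constructed sample user
New-ADUser -Name 'Ed Meadows' -GivenName 'Ed' -Surname 'Meadows' `
    -SamAccountName $sam -UserPrincipalName "$sam@Adatum.com" -Path $TargetOU `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true -Instance $template
# Explicit parameters win over values carried in -Instance, which is how the
# new account ends up enabled even though the template is disabled.

# memberOf is a back-link and is never copied by -Instance; group membership
# has to be granted in a separate step.
foreach ($groupDn in $template.MemberOf) {
    Add-ADGroupMember -Identity $groupDn -Members $sam
}

# Verify the properties of the new user account.
Get-ADUser -Identity $sam -Properties Department, Title, Company, HomeDrive, MemberOf |
    Select-Object Name, Enabled, Department, Title, Company, HomeDrive,
        @{Name = 'Groups'; Expression = { $_.MemberOf.Count }}
```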
Lesson 2: Managing Groups
• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups
• Special Identities
• Demonstration: Managing Groups
Group Types
• Distribution groups
  • Used only with email applications
  • Not security-enabled: the group is not added to access tokens, so it cannot be assigned permissions
• Security groups
  • Security principal whose SID is added to members' access tokens; can be assigned permissions
  • Can also be email-enabled
Both security groups and distribution groups can be converted to the other type.
Group Scopes

Group scope   | Members from same domain            | Members from domain in same forest | Members from trusted external domain | Can be assigned permissions to resources
--------------|-------------------------------------|------------------------------------|--------------------------------------|------------------------------------------
Local         | U, C, GG, DLG, UG, and local users  | U, C, GG, UG                       | U, C, GG                             | On the local computer only
Domain-local  | U, C, GG, DLG, UG                   | U, C, GG, UG                       | U, C, GG                             | Anywhere in the domain
Universal     | U, C, GG, UG                        | U, C, GG, UG                       | N/A                                  | Anywhere in the forest
Global        | U, C, GG                            | N/A                                | N/A                                  | Anywhere in the domain or a trusted domain

Legend: U = User; C = Computer; GG = Global group; DLG = Domain-local group; UG = Universal group
Implementing Group Management
I  Identities: users or computers, which are members of
G  Global groups, which collect members based on members' roles, which are members of
DL Domain-local groups, which provide management such as resource access, which are
A  Assigned access to a resource

Example: the Sales (Global group) and Auditors (Global group) role groups are members of ACL_Sales_Read (Domain-local group), which is assigned access to the resource.

This best practice for nesting groups is known as IGDLA.
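The IGDLA chain from the slide built with the Active Directory module, added here as an example and not part of the course material. Group names follow the slide; the OU, the folder path, the sample users and the ADATUM NetBIOS name are assumptions. The ACL step runs on the file server that hosts the folder.

```powershell
# Added example (not from the course slides): I -> G -> DL -> A in PowerShell,
# then verify the nesting and the scopes.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=Adatum,DC=com'      # assumed OU for groups
$Folder  = 'D:\Shares\Sales'                 # assumed folder on the file server

# G: role groups. Global scope holds members only from its own domain, which is
# what a role group needs; GroupCategory Security gives it a SID usable in ACLs.
foreach ($role in 'Sales', 'Auditors') {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# DL: the resource-access group, named after the permission it grants.
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU

# I -> G: identities into role groups (constructed sample users, assumed to exist).
Add-ADGroupMember -Identity 'Sales'    -Members 'Ed', 'Ana'
Add-ADGroupMember -Identity 'Auditors' -Members 'Bill'

# G -> DL: role groups into the resource group. Domain-local scope may hold global
# groups from any trusted domain, which is why the ACL group is domain-local.
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales', 'Auditors'

# DL -> A: exactly one ACE on the resource, referencing the DL group, never a user.
$acl  = Get-Acl -Path $Folder
$args = @(
    'ADATUM\ACL_Sales_Read',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: who actually receives the permission? -Recursive expands the nesting.
Get-ADGroupMember -Identity 'ACL_Sales_Read' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# Verify the design rule: every ACL_* group must be a domain-local security group.
# A global ACL group cannot hold role groups from trusted domains, and a
# distribution group cannot be placed in an ACL at all.
Get-ADGroup -Filter "Name -like 'ACL_*'" -SearchBase $GroupOU |
    Where-Object { $_.GroupScope -ne 'DomainLocal' -or $_.GroupCategory -ne 'Security' }
```

The final query should return nothing; any group it lists breaks the chain and is worth fixing before the share is published.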
Special Identities
• Special identities:
• Are groups for which membership is controlled by
the operating system
• Can be used by the Windows Server operating
system to provide access to resources:
• Based on the type of authentication or connection
• Not based on the user account
• Important special identities include:
  • Anonymous Logon
  • Authenticated Users
  • Everyone
  • Interactive
  • Network
  • Creator Owner
Demonstration: Managing Groups
In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
• Modify the group's Managed By property
Lesson 3: Managing Computer Accounts
• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer Accounts
• Performing an Offline Domain Join
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
• Bring Your Own Device
What Is the Computers Container?
Active Directory Administrative Center, opened to the
Adatum (local)\Computers container
Distinguished Name is
cn=Computers,DC=Adatum,DC=com
Controlling Permissions to Create Computer
Accounts
The Delegation of Control Wizard
window
The administrator is creating a custom
delegation for computer objects
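The computer-account controls covered in this lesson as command-line steps, added here as an example and not part of the course material. It uses the Active Directory module plus redircmp.exe and djoin.exe; the Workstations OU, the LON-CL2 machine name and the staging path are assumptions for the Adatum lab domain.

```powershell
# Added example (not from the course slides): where computer accounts land,
# who may create them, offline domain join, and secure channel repair.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Default location. The Computers container is not an OU, so no GPO can be
#    linked to it; new machines sit there ungoverned until someone moves them.
$domain.ComputersContainer                    # CN=Computers,DC=Adatum,DC=com

# Redirect newly joined computers to an OU that carries baseline policy
# (assumed to exist). Run once, as a member of Domain Admins.
redircmp.exe "OU=Workstations,DC=Adatum,DC=com"

# 2. Who may create computer accounts. Delegating "Create Computer objects" on
#    the OU is half of the control; the other half is ms-DS-MachineAccountQuota,
#    which by default lets any authenticated user join 10 machines regardless
#    of delegation. Setting it to 0 leaves only the explicitly delegated path.
$dom = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$dom.'ms-DS-MachineAccountQuota'              # default value is 10
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3. Offline domain join. Provision on a domain member, move the blob to the new
#    machine, consume it before first boot into the domain. The blob carries the
#    new machine account's password (only base64-encoded), so handle the file as
#    a credential and delete it after use.
djoin.exe /provision /domain Adatum.com /machine LON-CL2 `
    /machineou "OU=Workstations,DC=Adatum,DC=com" /savefile C:\ODJ\LON-CL2.txt
# On LON-CL2, not yet joined, then reboot:
djoin.exe /requestODJ /loadfile C:\ODJ\LON-CL2.txt /windowspath $env:SystemRoot /localos

# 4. Secure channel. Test, and repair in place. Deleting and recreating the
#    computer account would give it a new SID and drop its group memberships;
#    a repair resets the machine password against the existing object instead.
if (-not (Test-ComputerSecureChannel -Verbose)) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'ADATUM\Administrator')
}
# Equivalent from the client when the channel is too broken to negotiate:
# Reset-ComputerMachinePassword -Server LON-DC1 -Credential (Get-Credential)
```

Steps 1 and 2 run on a domain controller or admin host; step 3 is split between the provisioning host and the new machine; step 4 runs on the computer whose trust relationship failed.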
Lesson 4: Delegating Administration
• Considerations for Using Organizational Units
• AD DS Permissions
• Effective AD DS Permissions
• Demonstration: Delegating Administrative Permissions
Considerations for Using Organizational
Units
• OUs allow you to
subdivide the domain for
management purposes
• OUs are used for:
• Delegation of control
• Application of GPOs
• The OU structure can be:
• Flat, one to two levels
deep
• Deep, more than 5 levels
deep
• Narrow, anything in
between
AD DS Permissions
Advanced Security Settings for IT
Effective AD DS Permissions
Permissions assigned to users and groups
accumulate
Best practice is to assign permissions to groups, not
to individual users
In the event of conflicts:
• Deny permissions override Allow permissions
• Explicit permissions override Inherited
permissions
• Explicit Allow overrides Inherited Deny
To evaluate effective permissions, you can use:
• The Effective Access tab
• Manual analysis
Demonstration: Delegating Administrative
Permissions
In this demonstration, you will see how to:
• Create an OU
• Move objects into an OU
• Delegate a standard task
• Delegate a custom task
• View AD DS permissions resulting from these
delegations
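A scripted version of the delegation demonstration, added here as an example and not part of the course material. It grants a help desk group the Reset Password control access right on user objects in an OU through the AD: drive of the Active Directory module, then reads the resulting ACEs back in the order the Effective AD DS Permissions slide describes. The OU, the group name and the ADATUM NetBIOS name are assumptions.

```powershell
# Added example (not from the course slides): delegate a custom task with an
# ACE, then view the AD DS permissions that result.
Import-Module ActiveDirectory

$OU    = 'OU=Branch,DC=Adatum,DC=com'          # assumed OU
$Group = 'Branch_HelpDesk'                     # assumed delegate group

# Look the GUIDs up instead of hard-coding them: the schemaIDGUID of the user
# class and the rightsGuid of the "Reset Password" control access right.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$resetPwd  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$userGuid  = New-Object -TypeName Guid -ArgumentList @(, $userClass.schemaIDGUID)
$resetGuid = [guid]$resetPwd.rightsGuid

# Delegate to a group, never to a user (the slide's best practice).
$sid = (Get-ADGroup -Identity $Group).SID
$acl = Get-Acl -Path "AD:\$OU"

# ACE: Allow <group> ExtendedRight(Reset Password), applied to descendant user
# objects only, so the same group gains nothing on computers or nested OUs.
$aceArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# View the result. Sorting puts explicit ACEs before inherited ones and Deny
# before Allow within each, which is the precedence order for effective access.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "ADATUM\$Group" } |
    Sort-Object IsInherited, @{ Expression = 'AccessControlType'; Descending = $true } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ Name = 'Right';     Expression = { if ($_.ObjectType -eq $resetGuid) { 'Reset Password' } else { $_.ObjectType } } },
        @{ Name = 'AppliesTo'; Expression = { if ($_.InheritedObjectType -eq $userGuid) { 'user' } else { $_.InheritedObjectType } } },
        IsInherited, InheritanceType |
    Format-Table -AutoSize

# dsacls prints the whole ACL in the form the Delegation of Control Wizard leaves behind.
dsacls.exe $OU
```

A standard task such as "Reset user passwords and force password change at next logon" is the same kind of ACE plus write access to the pwdLastSet attribute; the wizard simply packages several ACEs under one label.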
Lab: Managing Active Directory Domain Services Objects
• Exercise 1: Delegating Administration for a Branch Office
• Exercise 2: Creating and Configuring User Accounts in AD DS
• Exercise 3: Managing Computer Objects in AD DS
Logon Information
Virtual machines: 20410D-LON-DC1, 20410D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 70 minutes
Lab Scenario
You have been working for A. Datum Corporation as
a desktop support specialist and have visited
desktop computers to troubleshoot app and
network problems. You have recently accepted a
promotion to the server support team. One of your
first assignments is to configure the infrastructure
service for a new branch office.
To begin deployment of the new branch office, you
are preparing AD DS objects. As part of this
preparation, you need to create an OU for the
branch office and delegate permission to manage
it. Then you need to create users and groups for
the new branch office. Finally, you need to reset
the secure channel for a computer account that
has lost connectivity to the domain in the branch
Lab Review
• What are the options for modifying the attributes of new and existing users?
• What types of objects can be members of global groups?
• What types of objects can be members of domain-local groups?
• Which two credentials are necessary for any computer to join a domain?
Module Review and Takeaways
• Review Questions
• Best Practices
• Tools