Table Of Contents
- Organizational Units (OUs)
- Step by step guide to create Organizational Units (OUs)
- Nested OUs
- Create Users
- Account Expiration
- Create the User Admins group
- Configure a user as a Protected User
- Delegate Security Permissions
- Configure City Attribute for a User
- Configure Domain Password Policy
- Configure Fine-Grained Password Policy
- Enable Active Directory Recycle Bin
- Configure security settings
- Audit User Account Management in USA
- Deny Log On As a Service
Organizational Units (OUs)
Organizational units are containers within a domain that are used to organize and manage objects like users, groups, computers, and other OUs. They are important in structuring and managing an Active Directory environment by allowing administrators to apply specific policies, delegate administrative tasks, and logically group objects.
Step by step guide to create Organizational Units (OUs)
On the top right side, locate Tools and click on it; on the drop-down, click on Active Directory Users and Computers.
Once you open Active Directory Users and Computers you will see your domain. If you click on it, you will see a drop-down with some default OUs like Builtin, Computers, Users, etc.
Now let's create our own OUs.
There are two ways you can create an OU.
First, you can create it by right-clicking your domain name, selecting New, then Organizational Unit, providing a name for your OU, and clicking OK.
The second way is to highlight your domain, go to the toolbar at the top, and click "Create a new organizational unit in the current container." In the pop-up, provide your OU name and click OK.
Nested OUs
The next thing we will do is create three (3) nested OUs inside USA: Computer, Users, and Server.
I will use the same steps above to create two more OUs, which are the UK and France.
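The same OU tree built from PowerShell, as an added example that is not part of the original post. It assumes the domain Demom.local used throughout the walkthrough, the ActiveDirectory module, and an account allowed to create OUs; the OU names are the ones the post uses.

```powershell
# Added example (not from the original post): build the OU tree from the
# walkthrough with the ActiveDirectory module. Assumes domain Demom.local.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain -Identity 'Demom.local').DistinguishedName   # DC=Demom,DC=local

# Top-level OUs from the post, each with the three nested OUs.
$countries = 'USA', 'UK', 'France'
$children  = 'Computer', 'Users', 'Server'

foreach ($country in $countries) {
    $countryDN = "OU=$country,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$country'" -SearchBase $domainDN -SearchScope OneLevel)) {
        # ProtectedFromAccidentalDeletion is on by default for New-ADOrganizationalUnit;
        # it is set explicitly so the intent is visible in the script.
        New-ADOrganizationalUnit -Name $country -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($child in $children) {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$child'" -SearchBase $countryDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $countryDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Verify: list every OU under the three country OUs.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
    Where-Object { $_.DistinguishedName -match "OU=(USA|UK|France),$domainDN$" } |
    Select-Object Name, DistinguishedName
```

The existence checks make the script safe to re-run, and keeping accidental-deletion protection on every OU means a mis-click in the console cannot remove a whole branch together with the policies linked to it.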
Create Users
To create a user, right-click Users, go to New, select User, provide the user's first name, last name, and user logon name, click Next, provide a password, and click Finish.
I will use the same steps above to create two more users, one in the UK (Oliver Smith) and the other in France (Sophie Martin).
Account Expiration Date
You can set an expiration date for a user account. If you are creating an account for a user who has a contract with an end date, it is best to set the expiration date to the contract end date.
What Happens When a User Account Expires?
- Authentication fails: The user will not be able to log in to any domain-joined computer, and cannot access domain resources like shared folders, printers, or applications requiring domain authentication.
- Mail access (if using Exchange): If the user has an Exchange mailbox, they won't be able to send or receive emails unless the mailbox is reconnected to another active account or accessed via delegation.
- Access revoked: Any permissions or group memberships associated with the account are still present in AD, but the user can't use them until the account is re-enabled or the expiration date is updated.
To set account expiration, select the Users OU. In the Users OU, double-click the John White user account. In the Account tab, in the Account expires section, select End of: and set the date to Jan 1, 2030. Click OK.
Note: To log on as a user, you have to provide your user logon name and password; at the first logon you will be asked to change the password.
Both ways of creating OUs, users, groups, etc. work, and you can use either of them to create nested OUs as well, but I recommend the first method if you are a beginner. For instance, to delegate control with the second method you highlight the object and then open the Action menu at the top before you see Delegate Control, whereas with the first you just right-click and select Delegate Control.
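Creating John White with the same expiration date from PowerShell, and checking which accounts are expired or about to expire, as an added example that is not from the original post. It assumes Demom.local, the OU OU=Users,OU=USA,DC=Demom,DC=local from the earlier steps, and the logon name jwhite (the post only gives the display name).

```powershell
# Added example (not part of the original post): create John White with an
# account expiration date and review expiring accounts. Assumes Demom.local,
# the USA\Users OU and the logon name jwhite (an assumption).
Import-Module ActiveDirectory

$usersOU = 'OU=Users,OU=USA,DC=Demom,DC=local'

# Read the initial password interactively so it never sits in the script.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for jwhite'

New-ADUser -Name 'John White' `
    -GivenName 'John' -Surname 'White' `
    -SamAccountName 'jwhite' `
    -UserPrincipalName 'jwhite@Demom.local' `
    -Path $usersOU `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Same expiration date the walkthrough sets in the Account tab.
Set-ADAccountExpiration -Identity 'jwhite' -DateTime (Get-Date '2030-01-01')

# Verify the attribute took effect.
Get-ADUser -Identity 'jwhite' -Properties AccountExpirationDate |
    Select-Object SamAccountName, Enabled, AccountExpirationDate

# Routine check: accounts that expire within 30 days, and accounts that have
# already expired but are still enabled (their group memberships still exist
# and nobody may have reviewed them).
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

Search-ADAccount -AccountExpired -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, AccountExpirationDate, DistinguishedName
```

One caveat: the console's "End of: Jan 1, 2030" stores the end of that day, while Set-ADAccountExpiration uses the exact timestamp you pass, so pass the following midnight if the account must stay usable through the whole of Jan 1.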
Create the User Admins group
Groups
There are three (3) group scopes, but we will focus on two: universal and global.
- Universal groups: A universal group covers accounts from any domain in the same forest, including global groups from that forest. For example, if you have two, three, or more domains in the same forest and you create an IT group with universal scope, it can be used to manage all of those domains.
- Global groups: When you create a group with global scope, it only applies to the domain in which you created it within that forest.
Group Types
There are two types of groups, which are security groups and distribution groups.
Distribution groups: Used to create email distribution lists, so that an email can be sent to a collection of users through an email application like Exchange Server.
To create this group, right-click Users, go to New, select Group, provide the group name, ensure Distribution is selected, and click OK.
Security groups: This type of group is used to assign permissions.
To create this group, right-click Users, go to New, select Group, provide the group name (IT Admin), select Universal as the group scope, ensure Security is selected, and click OK.
In the Users OU, double-click the John White user account. In the Member Of tab, click Add, type IT Admin, click Check Names, and click OK.
Configure a user as a Protected User
In this task, you configure the John White user account as a protected user.
Steps:
In Demom.local, open Active Directory Users and Computers (or the Active Directory Administrative Center).
Navigate to the USA OU, select Users, and double-click the John White user account. In the Member Of tab, click Add.
Type Protected Users, click Check Names, and click OK.
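The group creation and the two memberships above, done from PowerShell with a membership check at the end; this is an added example, not code from the original post. It assumes Demom.local, the USA\Users OU and the user jwhite from the earlier steps; the distribution group name USA-Staff is made up here because the post does not name one.

```powershell
# Added example (not part of the original post): create the IT Admin universal
# security group, add John White to it and to Protected Users, then check the
# resulting memberships. Assumes Demom.local and the user jwhite.
Import-Module ActiveDirectory

$usersOU = 'OU=Users,OU=USA,DC=Demom,DC=local'

# Security group (used for permissions) with Universal scope, as in the post.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'IT Admin'")) {
    New-ADGroup -Name 'IT Admin' -SamAccountName 'IT Admin' `
        -GroupScope Universal -GroupCategory Security -Path $usersOU `
        -Description 'Delegated helpdesk rights over the USA OU'
}

# Distribution group for contrast (name is an assumption): mail only, it
# cannot be placed on an ACL.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'USA-Staff'")) {
    New-ADGroup -Name 'USA-Staff' -SamAccountName 'USA-Staff' `
        -GroupScope Universal -GroupCategory Distribution -Path $usersOU
}

Add-ADGroupMember -Identity 'IT Admin' -Members 'jwhite'

# Protected Users is a built-in group. Members can no longer authenticate with
# NTLM, cannot use DES or RC4 Kerberos keys, cannot be delegated, and get no
# cached logon, so test with one account before adding many.
Add-ADGroupMember -Identity 'Protected Users' -Members 'jwhite'

# Verify: the user's group memberships.
Get-ADPrincipalGroupMembership -Identity 'jwhite' |
    Select-Object Name, GroupScope, GroupCategory

# Defender's view: who is in Protected Users across the domain?
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The Protected Users group exists only once the PDC emulator runs Windows Server 2012 R2 or later, and the restrictions are enforced by domain controllers at that level, so check the group is present before scripting against it.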
Delegate Security Permissions to an OU to a security group
In this task, I will delegate the ability to reset passwords and force password change to the IT Admin group over accounts in the USA OU.
Steps:
Open Active Directory Users and Computers in Demom.local.
Right-click the USA OU and click Delegate Control.
On the Welcome page of the Delegation of Control Wizard, click Next.
Click Add, type IT Admin, click Check Names, click OK, and then click Next.
On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon option. Click Next.
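What the wizard actually writes is two access control entries on the OU: the Reset Password extended right and read/write on the pwdLastSet attribute, both inherited by user objects. The following added example (not from the original post) grants the same two entries with Get-Acl/Set-Acl and then reads the OU's ACL back so you can confirm nothing broader was granted. It assumes Demom.local, the USA OU and the IT Admin group from the earlier steps; the schema GUIDs are the standard ones for the user class, the User-Force-Change-Password right and the pwdLastSet attribute.

```powershell
# Added example (not from the original post): grant IT Admin the two rights
# behind "Reset user passwords and force password change at next logon" and
# review the ACL. Assumes Demom.local, OU=USA and the IT Admin group.
Import-Module ActiveDirectory

$ouDN  = 'OU=USA,DC=Demom,DC=local'
$group = Get-ADGroup -Identity 'IT Admin'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs (not lab specific).
$userClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPwdRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password (Reset Password)
$pwdLastSetAttr = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# 1) Extended right "Reset Password", inherited by user objects under the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

# 2) Read + write pwdLastSet; "force change at next logon" sets it to 0.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review: every ACE on the OU that names IT Admin. Anything beyond these two
# entries (for example GenericAll or WriteDacl) is more than the task asked for.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*IT Admin' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Reviewing the OU ACL this way after every delegation is a cheap habit: delegated password-reset rights over an OU that also contains administrative accounts are a common way for a helpdesk group to end up with more power than intended.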
Configure City Attribute for a User
In this task, I will configure a city attribute for a user account and then use the Find attribute to verify that the user is present.
Open Active Directory Users and Computers in Demom.local.
Select the USA OU, select Users and right-click the John White user account, and click Properties.
In the Address tab of the John White properties, set the City field to USA and click OK.
In Active Directory Users and Computers, right-click Demom.local and click Find.
In the Advanced tab of the Find Users, Contacts, and Groups dialog box, select Field, then User, then City. Set Condition to Is (exactly). Set Value to USA. Click Find Now.
Click Yes on the Find in the Directory pop-up.
Verify that user John White is listed in the Search results.
Close the Find Users, Contacts, and Groups dialog box.
Disable the Oliver Smith User
In this task, I will disable the Oliver Smith user.
Open Active Directory Users and Computers in Demom.local, and then open the UK OU.
In the UK OU, select Users, right-click Oliver Smith, and click Disable Account.
Click OK.
Reset the password of the Sophie Martin User
In this task, you reset the password of the Sophie Martin user.
Open Active Directory Users and Computers in Demom.local, open the France OU, select Users, right-click the Sophie Martin user, and select Reset Password.
On the Reset Password dialog box, type the password Pa66w.rdPa66w.rd twice and select OK.
Click OK again in the dialog that notifies you that the password has been changed.
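The three user maintenance tasks above (set and search the City attribute, disable Oliver Smith, reset Sophie Martin's password), as one added PowerShell example that is not from the original post, each followed by the check that confirms the change. It assumes Demom.local and the logon names jwhite, osmith and smartin, which are assumptions since the post only gives display names.

```powershell
# Added example (not part of the original post): City attribute + Find,
# disable an account, and a helpdesk password reset, each with a check.
# Assumes Demom.local and the logon names jwhite, osmith, smartin.
Import-Module ActiveDirectory

# --- Configure City attribute and find users by it ---
Set-ADUser -Identity 'jwhite' -City 'USA'

# Equivalent of the Find dialog: Field=City, Condition=Is (exactly), Value=USA.
Get-ADUser -Filter "City -eq 'USA'" -SearchBase 'DC=Demom,DC=local' -Properties City |
    Select-Object Name, SamAccountName, City

# --- Disable the Oliver Smith user ---
Disable-ADAccount -Identity 'osmith'

# Check: Enabled is now False and the account shows up in a disabled sweep of the UK OU.
Get-ADUser -Identity 'osmith' | Select-Object Name, Enabled
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase 'OU=UK,DC=Demom,DC=local' |
    Select-Object Name, SamAccountName, LastLogonDate

# --- Reset the password of the Sophie Martin user ---
# Prompt for the value instead of embedding it in the script.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for smartin'
Set-ADAccountPassword -Identity 'smartin' -Reset -NewPassword $newPassword
# A helpdesk reset is normally paired with forcing a change at next logon,
# so the person who did the reset does not keep a usable password.
Set-ADUser -Identity 'smartin' -ChangePasswordAtLogon $true

# Check: pwdLastSet is 0 (must change at next logon); PasswordLastSet shows empty.
Get-ADUser -Identity 'smartin' -Properties PasswordLastSet, pwdLastSet |
    Select-Object Name, PasswordLastSet, pwdLastSet
```

Disable-ADAccount only flips the userAccountControl flag; the account's group memberships and any active sessions are untouched, so a disable is the start of an offboarding, not the end of it.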
Configure Domain Password Policy
In this task, I will configure the domain password policy.
In the search bar of your Windows Server, type Group Policy Management. You will see a pop-up; click on Group Policy Management.
In the Group Policy Management console, expand the Demom.local forest, the Domains folder, and the Demom.local domain, then right-click Default Domain Policy and click Edit.
In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy. Double-click the Minimum password length policy item, change the minimum number of characters to 14, click Ok, and then close the Group Policy Management Editor window.
Configure Fine-Grained Password Policy
In this task, I will configure a fine-grained password policy and apply it to the Domain Admins group.
In the search bar of your Windows Server, type Active Directory Administrative Center. You will see a pop-up; click on Active Directory Administrative Center.
Under Overview, click Demom (local).
In the Demom (local) pane, open the System container.
In the System container, open the Password Settings Container.
Right-click the Password Settings Container, click New, and then click Password Settings.
In the Name field, type Domain Admin Password Policy. Set the Precedence field to 1.
Set minimum password length to 16.
Click OK.
Open the new policy Domain Admin Password Policy.
In the Directly Applies to section, click Add, then type Domain Admins. Click Check Names and click OK.
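Both password policy tasks (the 14-character domain default and the 16-character fine-grained policy for Domain Admins) from PowerShell, as an added example that is not from the original post, ending with the check that matters: which policy a given account actually gets. It assumes Demom.local and the user jwhite from earlier; the lockout, history and age values in the fine-grained policy are choices made for this example, not values from the post.

```powershell
# Added example (not from the original post): domain default password policy,
# fine-grained policy for Domain Admins, and resultant-policy checks.
# Assumes Demom.local; lockout/history/age values are this example's choices.
Import-Module ActiveDirectory

$domain = 'Demom.local'

# Default Domain Policy value from the walkthrough.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 14
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# Fine-grained policy (PSO). Precedence 1 wins over any higher number when a
# user is covered by several PSOs.
$psoName = 'Domain Admin Password Policy'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -ReversibleEncryptionEnabled $false
}

# "Directly Applies to" -> Domain Admins. PSOs can target users and global
# security groups only, which Domain Admins is.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verification: a Domain Admins member should resolve to the PSO, while an
# ordinary user returns nothing (meaning only the domain default applies).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength
Get-ADUserResultantPasswordPolicy -Identity 'jwhite'
```

Because the PSO is applied by group membership, anyone added to Domain Admins later is covered automatically, but their existing password is not rechecked until it is next changed; MaxPasswordAge in the PSO is what forces that to happen.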
Enable Active Directory Recycle Bin
In this task, I will enable the Active Directory Recycle Bin.
In the search bar of your Windows Server, type Active Directory Administrative Center. You will see a pop-up; click on Active Directory Administrative Center.
Click Demom (local) in the left pane.
In the right pane, select Enable Recycle Bin.
Click OK to dismiss the warning.
Click OK to dismiss the warning about replication latency.
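Enabling the Recycle Bin from PowerShell, confirming it is on, and the part the console steps do not show: finding and restoring a deleted user. This is an added example, not code from the original post; it assumes Demom.local and a forest functional level of Windows Server 2008 R2 or higher, and it is irreversible once enabled.

```powershell
# Added example (not part of the original post): enable the AD Recycle Bin,
# confirm it, list deleted users, and restore one. Assumes Demom.local.
Import-Module ActiveDirectory

$forest = 'Demom.local'

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# Check: EnabledScopes is non-empty once the feature is on (after replication).
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes

# With the Recycle Bin on, deleted objects keep their attributes and links for
# the deleted-object lifetime (msDS-DeletedObjectLifetime, normally 180 days).
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties whenChanged, LastKnownParent |
    Select-Object Name, LastKnownParent, whenChanged

# Restore a specific user by its last known name. -TargetPath would only be
# needed if the original parent OU had been deleted as well.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "John White*"' -IncludeDeletedObjects
if ($deleted) { Restore-ADObject -Identity $deleted.ObjectGUID }
```

The whenChanged column of the deleted-objects listing is a useful incident-response signal on its own: a burst of deletions at an unusual time is worth explaining before anything is restored.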
Configure security settings
In this exercise, I will configure settings related to security, including disabling NTLM authentication for domain accounts, auditing account management activity, and denying log on as a service for members of a security group.
Restrict NTLM Authentication
In this task, I will restrict NTLM authentication.
In the search bar of your Windows Server, type Group Policy Management. You will see a pop-up; click on Group Policy Management.
In the Group Policy Management console, expand the Demom.local forest, the Domains folder, and the Demom.local domain, then right-click Default Domain Policy and click Edit.
Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
Select and double-click Network security: Restrict NTLM: NTLM authentication in this domain.
Click the Define this policy setting check box.
Select the value Deny all and click OK.
Click Yes in the Confirm Setting Change dialog box.
Close the Group Policy Management Editor.
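Denying NTLM domain-wide is the right end state, but doing it blind breaks whatever still depends on NTLM. The following added example (not from the original post) shows the audit-first path with the GroupPolicy module: turn on the companion "Audit NTLM authentication in this domain" setting, read the resulting events on a domain controller, and only then apply Deny all. It assumes Demom.local. The registry values are the ones these two Security Options policies set under the MSV1_0 key, and the event field names are given from memory; compare them against one real event before relying on the parsing.

```powershell
# Added example (not from the original post): audit NTLM use before denying it.
# Assumes Demom.local. Registry value names/values are the ones written by the
# "Restrict NTLM" Security Options policies (author's understanding).
Import-Module GroupPolicy

$gpo = 'Default Domain Policy'
$key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: audit only. AuditNTLMInDomain = 7 corresponds to "Enable all" and
# logs NTLM requests without blocking any of them.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AuditNTLMInDomain' -Type DWord -Value 7

# Step 2 (on a DC, after some days of normal use): event 8004 in the
# Microsoft-Windows-NTLM/Operational log is an NTLM request that the domain
# restriction would block. Group by user and workstation to see who still needs it.
# Field names (UserName, WorkstationName, SChannelName) are as recalled; verify once.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = ($x.Event.EventData.Data | Where-Object Name -eq 'UserName').'#text'
            Workstation = ($x.Event.EventData.Data | Where-Object Name -eq 'WorkstationName').'#text'
            Server      = ($x.Event.EventData.Data | Where-Object Name -eq 'SChannelName').'#text'
        }
    } | Group-Object User, Workstation | Sort-Object Count -Descending | Select-Object Count, Name

# Step 3: once the audit log is clean, apply the walkthrough's setting.
# RestrictNTLMInDomain = 7 corresponds to "Deny all".
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'RestrictNTLMInDomain' -Type DWord -Value 7

# Verify what the GPO now carries.
Get-GPRegistryValue -Name $gpo -Key $key
```

One caveat about this route: Set-GPRegistryValue stores the value as a registry policy (registry.pol), not in the security template that the Security Options node of the editor displays, so the setting applies to clients but will not appear under Security Options in the editor; if you need it visible there, use the console steps above instead.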
Audit User Account Management in USA
In this task, I will enable auditing of User Account Management in the USA OU.
In the search bar of your Windows Server, type Group Policy Management. You will see a pop-up; click on Group Policy Management.
Navigate to the USA OU, right-click it, and select Create a GPO in this domain, and Link it here….
Name the new GPO UsaOUPolicy.
Click OK.
Right-click UsaOUPolicy and select Edit.
Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management.
Select and double-click Audit User account management.
Click the Configure the following audit events check box.
Select the Success and Failure values and click OK.
Close the Group Policy Management Editor.
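Creating and linking UsaOUPolicy from PowerShell, and then reading the events that the "Audit User account management" subcategory produces, as an added example that is not from the original post. It assumes Demom.local and the USA OU. The GroupPolicy module has no cmdlet for advanced audit subcategories, so the subcategory itself is shown applied locally with auditpol (the GPO setting is done with the editor steps above); the event IDs are the standard ones for this subcategory.

```powershell
# Added example (not from the original post): create/link UsaOUPolicy, enable
# the audit subcategory locally for testing, and read the account-management
# events it generates. Assumes Demom.local and OU=USA.
Import-Module GroupPolicy

$ouDN = 'OU=USA,DC=Demom,DC=local'
if (-not (Get-GPO -Name 'UsaOUPolicy' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'UsaOUPolicy' -Comment 'Security settings for the USA OU' |
        New-GPLink -Target $ouDN -LinkEnabled Yes | Out-Null
}

# Local equivalent of the subcategory setting (Success and Failure), useful on
# a test machine before the GPO has applied.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /get /subcategory:"User Account Management"

# Security log events written by this subcategory.
$accountMgmtIds = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
}

# Who changed which account: SubjectUserName is the actor, TargetUserName the account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$accountMgmtIds.Keys } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            What   = $accountMgmtIds[[int]$_.Id]
            Target = $d['TargetUserName']
            Actor  = $d['SubjectUserName']
        }
    } | Format-Table -AutoSize
```

The Actor column is the reason this audit setting pays for itself: combined with the delegation configured earlier, it lets you confirm that password resets on USA accounts are performed only by members of IT Admin.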
Deny Log On As a Service
In this task, I will configure the Deny Log On As A Service security option.
In the search bar of your Windows Server, Type Group Policy management. You will see a pop-up; click on Group Policy management.
Browse to the USA OU and right-click UsaOUPolicy. Select Edit.
Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Select and double-click the Deny Log on as a service policy.
Select the Define this policy setting.
Click Add User or Group.
Click Browse, click Advanced, and then click Find Now.
Select the IT Admin group.
Click OK.
Keep clicking OK until the dialog boxes are closed (it may require four or five acknowledgements).
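A check that the deny right actually landed on a computer in the USA OU, as an added example that is not from the original post. User rights are applied through the local security database, so the script exports the effective policy with secedit, resolves the SIDs listed for SeDenyServiceLogonRight (the internal name of "Deny log on as a service") back to account names, and then lists services running under domain accounts, since any service running as an IT Admin member would stop starting. It assumes Demom.local with NetBIOS name DEMOM.

```powershell
# Added example (not from the original post): confirm "Deny log on as a
# service" lists IT Admin on this computer, and look for services that the
# deny would break. Assumes domain Demom.local (NetBIOS DEMOM).
gpupdate /target:computer /force | Out-Null

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -like 'SeDenyServiceLogonRight*' }
Remove-Item $cfg

if (-not $line) {
    'SeDenyServiceLogonRight is not defined on this computer.'
} else {
    # Line format: SeDenyServiceLogonRight = *S-1-5-21-...,*S-1-5-32-544
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }   # unresolvable SID: orphaned entry worth investigating
        [pscustomobject]@{ SID = $sid; Account = $name }
    }
}

# Expected row after the GPO applies: DEMOM\IT Admin. Then check that no
# service on this computer runs as a domain account that is in that group.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like 'DEMOM\*' } |
    Select-Object Name, StartName, State
```

An unresolvable SID in the output usually means a group that was deleted after being added to the right; clean those up, because they make the policy harder to review and hide what was originally intended.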
Thanks for reading till the end