Microsoft Azure AZ-800 — Section 5: Create and manage AD DS security principals
37. Visualizing AD DS users and organizational units
Now, if you’re working with AD DS, Active Directory Domain Services, something that’s very important for you to understand is the concept of user accounts as well as OUs, also known as organizational units.
User accounts are the identities your people use to log on, authenticate and get access to the resources they need. OUs are there to help you containerize things: they separate these objects from other objects so the directory is visually easy to navigate and you can locate the objects, the user accounts, that you need.
OK, so this is a very important concept, and I want to spend a couple of moments drawing a few things out for you.
We start with user accounts, and we’ll use a little smiley face as our user account symbol, my usual goofy-looking smile. Now, I might have lots and lots of users, and those users may be in different departments, different locations and different job roles.
So you want to be thinking about that. Maybe we’ve got a user who is located in, let’s say, the New York site. I might have another user located in Dallas, and another user located in Birmingham.
So you start thinking in terms of sites.
That’s one way you can manage your users: base it on their location, where they work. So we’ll say New York users, Dallas users and Birmingham users. And that’s where OUs come into play.
These objects are called OUs, and the symbol for an OU is a little folder with what looks like a small book inside it.
One of the things you do inside Active Directory is create your organizational units, and one strategy is to base them on your sites.
It’s a very similar concept to Active Directory sites, which are your locations, and you name your OUs after them.
So I might have an OU called New York, an OU called Dallas and an OU called Birmingham. You can configure those however you want, and then you put your users inside these containers: the New York users go in the New York OU, the Dallas users in the Dallas OU and the Birmingham users in the Birmingham OU.
From there you can go further. You can base your OUs on job role if you want, or on the type of object. For example, underneath the New York OU I could have another OU called Users and another called Computers, and the same under each of the other locations; that’s basing it on object type.
We’ll draw little lines to connect them, because that’s how you’re going to see them in Active Directory, which we’ll look at shortly. Then your New York users go in the New York Users container, your Dallas users in the Dallas Users container and your Birmingham users in the Birmingham Users container, and your computer objects go inside the Computers containers.
That’s one strategy. Another strategy is to simply use the departments themselves; the departmental strategy is a pretty common one. A lot of companies will have a root OU for each of their departments: a Sales OU, a Finance OU for the finance department, an HR OU for the HR department, and of course other departments, but I’ll put these three up here. You could then go the same route underneath those with Users and Computers OUs. You can also do a hybrid, meaning you mix all of this together: maybe your main sales team is in the New York office and your main finance team is in Dallas, so you have a New York OU with Sales underneath it and a Dallas OU with Finance underneath it. Or maybe you’ve got salespeople at every location, so you have a Sales OU under New York, a Sales OU under Dallas and a Sales OU under Birmingham. My point is that you can mix and match OUs any way you want. But here are a couple of considerations. A user account can only have one OU as its parent.
So this user right here would never be underneath New York and Dallas at the same time, and this is where things are different with groups than with OUs: a user can be a member of more than one group at a time, but a user is only ever in a single OU at a time.
That’s something to think about. Your user is going to live under a certain OU, and if you want to move that user, you can.
Now here’s the other thing to understand about OUs: OUs can be used to handle what are known as Group Policy Objects.
I can create this thing called a GPO, a Group Policy Object, and GPOs can be used to push out settings, enable things, disable features and so on across my environment. I can link a GPO to an OU, and when you link it to an OU, it filters down to all the OUs below it.
So if I have a GPO that forces every employee to have a certain wallpaper on their screen and I link it to Sales, it’s not just going to apply to Sales; it’s going to apply to the objects below that.
It’s going to go to the Sales Users container and the Sales Computers container; it filters down. It’s not going to affect the Finance people, and it’s not going to affect the HR people.
So one of the reasons people break their objects up into OUs is so they can use these GPOs to control settings on people’s devices, for both the users and the computers.
Another reason for using OUs is that you can delegate control over an organizational unit. For example, let’s say we have an administrator in New York, an IT person who is just over the New York branch of our company, not Dallas, not Birmingham.
Instead of making this person a domain administrator and giving them power over the entire domain, we can make them an admin over New York only. The way you do that is you delegate control to this admin over the parent New York OU, and that also gives them admin rights over the child OUs. The interesting thing is that the admin’s account doesn’t even have to be in that OU: the admin can be over in Dallas and be given control over New York. So where the admin’s user account is located really doesn’t matter.
The account is simply given the access. In fact, maybe this admin is the admin over both New York and Dallas, and you could delegate control over both of those OUs if you want.
So the fundamental principles we want to understand are that OUs are helpful because they help us visually separate objects from other objects, and an object can only be part of a single OU. Again, the user that’s in the New York Users OU cannot also be located over in Dallas, but that user can be given rights to things in other places.
The other thing is that an OU is a container: if you delete it, it deletes all the child objects as well. If I delete this New York OU, it’s going to delete everything below it, just like folders do on our file system.
Now the good news is that Microsoft has added some protection for that: when you create an OU, by default it’s going to be protected from accidental deletion.
So you can’t just delete it, because in the early days of Active Directory people made the mistake of accidentally deleting entire trees of OUs, a whole hierarchy of OUs, and that was obviously not a good thing.
So now they’ve added protection for that, and you’ll see it when you create an OU.
Ultimately, though, the other reason OUs are beneficial is GPOs. We can link these GPOs, which deploy settings and features out to our objects, at a parent OU or at a child OU. If I link this GPO at the Sales OU, it’s going to affect everything below it. If I link the GPO at the Users OU underneath Sales, it’s only going to affect that one OU.
But ultimately, OUs help us visually separate things and help us plan how we want everything laid out.
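The inheritance described above, linking a GPO at a parent OU and seeing it flow to the child OUs but not to a sibling department, can be checked from PowerShell. This is an added example, not code from the course; it assumes the GroupPolicy and ActiveDirectory modules on a domain controller for examlabpractice.com and the Sales and Finance OU tree from the drawing, with Users and Computers child OUs under Sales. The GPO name "Sales Wallpaper" is made up for the example.

```powershell
# Added example (not from the course): link one GPO at the Sales OU and show
# that the Users and Computers child OUs inherit it while Finance does not.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName      # e.g. DC=examlabpractice,DC=com
$salesOU   = "OU=Sales,$domainDN"
$financeOU = "OU=Finance,$domainDN"

# Create the wallpaper GPO and link it at the Sales OU only. New-GPO's output
# pipes straight into New-GPLink; the link is enabled as it is created.
$gpo = New-GPO -Name "Sales Wallpaper" -Comment "Added example: corporate wallpaper for Sales"
$gpo | New-GPLink -Target $salesOU -LinkEnabled Yes | Out-Null

# Get-GPInheritance returns the links set directly on an OU (GpoLinks) and the
# effective ordered list that includes what flows down from its parents
# (InheritedGpoLinks), which is what a client under that OU will process.
function Show-EffectiveGpoLinks {
    param([Parameter(Mandatory)][string]$TargetDN)
    $inh = Get-GPInheritance -Target $TargetDN
    [pscustomobject]@{
        OU        = $TargetDN
        Direct    = ($inh.GpoLinks          | ForEach-Object DisplayName) -join ', '
        Effective = ($inh.InheritedGpoLinks | ForEach-Object DisplayName) -join ', '
    }
}

# Sales shows the link directly; Sales\Users and Sales\Computers show it only in
# the effective list; Finance sees just what is linked at the domain level.
foreach ($ou in $salesOU, "OU=Users,$salesOU", "OU=Computers,$salesOU", $financeOU) {
    Show-EffectiveGpoLinks -TargetDN $ou
}
```

Running this on the drawing’s OU tree makes the two rules of the lecture visible in one table: the link exists on Sales alone, yet both child OUs list "Sales Wallpaper" in their effective set, while Finance never does.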
38. Create and manage AD DS users and organizational units
I’m now going to walk through the process of creating some organizational units as well as users and give you some visualization on that.
So here we are on NYC-DC1. I’m going to click Start and go to Server Manager. We’ll let Server Manager load up, and when it’s done we’re going to open Active Directory Users and Computers. I’d also like to point out there are various ways you can do this: you can use Active Directory Users and Computers, and there is another tool called Active Directory Administrative Center.
A lot of people refer to Active Directory Users and Computers as ADUC, and to Active Directory Administrative Center as ADAC.
We’re going to jump right into Active Directory Users and Computers and load that up. This is the traditional tool; I would say it has been around since the very beginning of Active Directory.
When I get into Active Directory Users and Computers, I can expand my domain, and from there I’ve got these different folders. First off, you’ll notice two little folders with the little book symbol inside them; those are actually OUs. The rest are called system containers, created by Active Directory for its own specific needs. The ones with the little book symbol are the actual organizational units.
If I switch the view to large icons, you can see the little book in them; those are OUs. This Archive one I created myself, but this one called Domain Controllers is the only OU you’ll have when you first install Active Directory, and it’s the organizational unit where your domain controller objects go. As you can see, NYC-DC1 and NYC-Server1 are both inside the Domain Controllers OU. The rest are system containers: computers that are not domain controllers go into the Computers container, and users and groups all go into the Users container.
So that is the idea there.
Now there are also some groups in what is called Builtin, which holds the built-in system groups, but for the most part that’s how everything is laid out.
Now, if you want to create organizational units, you right-click your domain, in my case examlabpractice.com, click New and then click Organizational Unit. I’m going to create an organizational unit called Sales, and as you can see it says “Protect container from accidental deletion”.
This is the deletion protection that they’ve put on OUs (it is not copy protection or a read-only flag), and it’s there to prevent somebody from accidentally deleting the OU. In the early days of Active Directory, people would mean to delete a single user and accidentally delete the entire OU, and when they did that, it deleted all the objects inside the OU, because again, it’s like a folder.
So that’s what that is.
You can remove it through the security settings of the OU if you ever decide you do want to delete it, but by default it is going to be turned on.
So, I’m going to right-click and create a couple more OUs: one called Finance, so you can see I’m going with the departmental method of creating my organizational units, and one called HR. Then underneath each of these, starting with Sales, we’re going to create another OU called Users and another OU called Computers.
That’s just to replicate my drawing. As you can see, it’s very easy to create organizational units; it’s not something that takes a lot of time. It does help if you spell things correctly. We’ll just finish this last one. And again, if I wanted to, I could create organizational units based on my locations, my sites, as well, but in this case I’m going to use departments.
So, very easy to create organizational units.
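The same departmental tree, including the accidental-deletion protection from the earlier discussion, can be built and verified with PowerShell. This is an added example, not the course’s own steps; it assumes the ActiveDirectory module on a domain controller for examlabpractice.com and uses the course’s OU names (Sales, Finance, HR, each with Users and Computers). It also shows the only orderly way to remove a protected OU, which the GUI otherwise refuses with an "insufficient privileges" style error.

```powershell
# Added example (not from the course): build the departmental OU tree, keep
# accidental-deletion protection on, and remove a protected OU safely.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=examlabpractice,DC=com

function New-DepartmentOU {
    param(
        [Parameter(Mandatory)][string]$Department,
        [string]$ParentDN = $domainDN
    )
    # Top-level departmental OU. New-ADOrganizationalUnit protects new OUs by
    # default; stating the flag explicitly documents the intent in the script.
    New-ADOrganizationalUnit -Name $Department -Path $ParentDN `
        -ProtectedFromAccidentalDeletion $true
    $deptDN = "OU=$Department,$ParentDN"
    # Object-type children exactly as in the drawing: Users and Computers.
    foreach ($child in 'Users', 'Computers') {
        New-ADOrganizationalUnit -Name $child -Path $deptDN `
            -ProtectedFromAccidentalDeletion $true
    }
    return $deptDN
}

foreach ($dept in 'Sales', 'Finance', 'HR') { New-DepartmentOU -Department $dept }

# Verify: every OU in the domain now reports ProtectedFromAccidentalDeletion = True.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# Removing a protected OU: Remove-ADOrganizationalUnit fails while the flag is
# set on the OU or on any protected OU beneath it. Clear the flag on the whole
# subtree first (the SearchBase itself is included in a subtree search), then
# delete recursively. -WhatIf on the last line previews the deletion.
function Remove-ProtectedOU {
    param([Parameter(Mandatory)][string]$OUDN, [switch]$WhatIf)
    Get-ADOrganizationalUnit -Filter * -SearchBase $OUDN |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $OUDN -Recursive -Confirm:$false -WhatIf:$WhatIf
}

# Path assumed for the example: an OU created in the wrong place under Archive.
Remove-ProtectedOU -OUDN "OU=IT,OU=Archive,$domainDN" -WhatIf
```

Note the order in `Remove-ProtectedOU`: clearing the flag only on the parent is not enough, because a protected child OU blocks the recursive delete just as the parent did, which is exactly the safety net the lecture describes.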
Now, if I want to create a user, I can create a user inside any of these containers. I’m going to go over to Sales, right-click and say New, User. I’m going to create a user account called Lee Jones and give it a user logon name. It’s very easy to create a user: you just fill this little template out with the user logon name, and then you’ve got the domain name over here, in my case examlabpractice.com, which is the domain the account is associated with. If you had Microsoft Exchange, this could also go through the process of creating an email address and all of that here as well. This name you see here is actually called a UPN, a user principal name. That’s an acronym I recommend you be aware of: UPN, user principal name.
It’s basically an email-address-style name, and the user logon name below it is what they call the pre-Windows 2000 name.
So under where it says user logon name, you’ve got your regular user logon name and your pre-Windows 2000 logon name. The pre-Windows 2000 logon name is limited to 20 characters, because prior to the year 2000 we had Windows 9x, which limited usernames to 20 characters. If you just keep adding characters to the user logon name, you’ll see that it stops at 20 with the pre-Windows 2000 name.
OK, so that’s how that works. Even though we probably don’t have a lot of Windows 95 or Windows 98 out there these days, they still keep that pre-Windows 2000 name just in case.
So, we’re going to click Next and give it a password. From there you have four little checkboxes. “User must change password at next logon” is turned on by default; that means when the user logs on for the first time, they’re going to be forced to change their password to something they know. “User cannot change password” you would use for an account you didn’t want the user to change the password on, like a guest account or a temp account. “Password never expires” makes it so the user never has to change their password based on the password policy.
In your Microsoft domain, you have a password policy that can require users to change their passwords every, let’s say, 43 days, 45 days, 30 days, whatever; you can force everybody to change their password. If you check that box, this user would not have to change the password when the password policy expiration kicks in. And lastly, you have “Account is disabled”. That would be used for an account that you create now, disable, and maybe enable later down the road. Or you could always come back in and disable the account later if the employee no longer works there, something like that.
So, we’re going to click Next and Finish, and there’s the account. I’m going to switch back to the detail view. Speaking of disabling an account, I can right-click the account and disable it, and you’ll notice, though you can barely see it, a little black arrow pointing down that indicates the account is disabled, so currently Lee Jones could not log on. It’s a good idea, and a best practice you’re going to want to remember, that when an employee leaves the company, you disable their account. Don’t just delete it, because you never know if you’ll need to get into that account. You can imagine how bad it would be if you deleted an account with all this information associated with it, and later down the road we needed to get into it for some reason and couldn’t. Microsoft recommends that you disable accounts and then, maybe within a year or two, if you’re sure you don’t need it, delete the account. That’s typically the rule of thumb.
So that’s how you do that, and you can always enable the account the same way. You’ve also got the ability to reset the person’s password if you need to.
If a user ever gets locked out of their account, you’ll also notice the “account is locked out” option, which lets you unlock somebody’s account. That would happen if they put their password in wrong too many times, based on the lockout settings in your password policy.
OK, so that’s how that’s done.
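The account creation and the disable, reset and unlock operations just described map directly onto the ActiveDirectory cmdlets. This is an added example, not part of the course; it assumes a domain controller for examlabpractice.com with the Sales\Users OU from the walkthrough, and the logon name ljones is an assumption since the video does not show it. The 20-character rule for the pre-Windows 2000 name (the sAMAccountName attribute) is enforced in the script, because unlike the GUI a script does not stop typing for you.

```powershell
# Added example (not from the course): create the Lee Jones account, then run
# the leaver / helpdesk operations shown in ADUC from PowerShell.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOU = "OU=Users,OU=Sales,$($domain.DistinguishedName)"

# The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters
# for users. The GUI stops accepting input at 20; New-ADUser rejects a longer
# value, so truncate here. Truncation can produce duplicates, hence the check.
function ConvertTo-SamAccountName {
    param([Parameter(Mandatory)][string]$LogonName)
    $sam = if ($LogonName.Length -gt 20) { $LogonName.Substring(0, 20) } else { $LogonName }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "sAMAccountName '$sam' already exists (possibly after truncation)"
    }
    return $sam
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$LogonName,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $params = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = ConvertTo-SamAccountName -LogonName $LogonName
        UserPrincipalName     = "$LogonName@$($domain.DNSRoot)"   # the UPN, email-style
        Path                  = $targetOU
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true    # "User must change password at next logon"
        PasswordNeverExpires  = $false   # leave the domain password policy in force
        Enabled               = $true
        PassThru              = $true
    }
    New-ADUser @params
}

# Prompt rather than embedding a password in the script.
$pw   = Read-Host -AsSecureString -Prompt 'Initial password for Lee Jones'
$user = New-StandardUser -GivenName Lee -Surname Jones -LogonName ljones -InitialPassword $pw

# Leaver process from the lesson: disable, do not delete. The account keeps its
# SID, group memberships and attributes for the retention period.
Disable-ADAccount -Identity $user
Get-ADUser -Identity $user -Properties Enabled | Select-Object SamAccountName, Enabled

# Helpdesk operations: reset the password (forcing a change at next logon) and
# clear a lockout caused by too many bad attempts, then re-enable.
$temp = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $user
Enable-ADAccount  -Identity $user
```

The `-Reset` switch on `Set-ADAccountPassword` is the scripted form of the right-click "Reset Password" action (an administrative reset, no old password required); re-setting `ChangePasswordAtLogon` afterwards reproduces the "user must change password at next logon" tick that helpdesk staff normally leave on.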
Ultimately, though, you can also double-click the account, and you’ve got all this information you can configure across all these tabs. This is all information that gets stored in Active Directory, as well as on the global catalog servers.
You have the Address tab, the Account tab, Profile, Telephones and Organization; on the Organization tab you can specify job title, department, all these different fields that information can be plugged into. You can also go right here on the Account tab and adjust the logon hours of the account.
So, for example, if I did not want Lee Jones to be able to log on during the weekend, I could click Sun and say Logon Denied, and Saturday, Logon Denied. Then maybe I don’t want to allow Lee Jones to log on earlier than, let’s say, 9:00 a.m., and we’ll make it so Lee Jones cannot log on after 6:00 p.m.
I’ll shave off a little bit more here, and then when you highlight it, it should say nine to six. So right now, Lee Jones cannot log on before 9 a.m. and cannot log on after 6 p.m. Keep in mind, if Lee Jones logs on at 5:59 p.m., the user can stay signed in even after six o’clock; it just means the user cannot sign back in.
So, if the user signs out after 6 p.m. and tries to log back on, they will not be able to, but once they’re logged on, they’re on. If you want a way to kick somebody off at a certain time, you’re going to use what are known as group policies for that, not this setting. Also, you can control which computers the user can log on to.
So, if you click Log On To, you can see right now the user can log on to all computers. In practice that means all computers that are not servers, because you have to be an admin to log on to a server, but this user can log on to pretty much any workstation in your domain right now. If you want, you can limit the user to specific computers.
So, for example, if I had computers called Client1, Client2 and Client3, maybe those are the only three computers you would allow Lee Jones to log on to.
That’s how you limit which computers the user can log on to. You can go up to Member Of to see what groups the user is a member of; right now the user is only a member of the Domain Users group. You have the Dial-in tab, which involves remote access. The Environment tab involves somebody connecting in through Remote Desktop, which we’re not getting into right now; that would involve a Remote Desktop logon script. Sessions also involves Remote Desktop, and we’re not talking about that right now.
COM+ is also something we’re not getting into; that tab deals with COM+ partition sets. But anyway, you have quite a few different tabs where you can store information about your user.
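Both restrictions just shown in the GUI, logon hours and the Log On To workstation list, are stored as plain attributes, and the logon hours one has a trap a practitioner should know: it is a 21-byte bitmap stored in UTC, while ADUC displays it in the administrator’s local time zone. This is an added example, not from the course; it assumes the ActiveDirectory module, the ljones account (logon name assumed) and computers Client1 to Client3, and it assumes a New York UTC offset of -5 for the conversion.

```powershell
# Added example (not from the course): set Mon-Fri 09:00-18:00 logon hours and
# the allowed-workstation list for a user, then decode the attribute to verify.
Import-Module ActiveDirectory

# logonHours: 21 bytes = 168 bits, one per hour of the week starting Sunday
# 00:00 UTC; bit 0 of byte 0 is the earliest hour. The GUI converts to local
# time for display, so a script has to apply the offset itself. The attribute
# has no daylight-saving awareness: one static offset applies all year.
function New-LogonHoursMask {
    param(
        [int[]]$Days,          # 0 = Sunday ... 6 = Saturday, in local time
        [int]$StartHour,       # first permitted hour, inclusive (local)
        [int]$EndHour,         # first denied hour, exclusive (local)
        [int]$UtcOffsetHours   # local = UTC + offset; -5 for New York standard time
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour slot to UTC, wrapping around the week.
            $slot      = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $byteIndex = [int][math]::Floor($slot / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($slot % 8))
        }
    }
    return ,$mask   # leading comma keeps the array intact through the pipeline
}

# Decode a mask back into local-time ranges so the result can be checked
# without opening the GUI. Emits one line per permitted day, e.g. "Mon 09-18".
function ConvertFrom-LogonHoursMask {
    param([byte[]]$Mask, [int]$UtcOffsetHours)
    $names = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    $allowedLocal = foreach ($local in 0..167) {
        $utc = (($local - $UtcOffsetHours) % 168 + 168) % 168
        if ($Mask[[int][math]::Floor($utc / 8)] -band (1 -shl ($utc % 8))) { $local }
    }
    foreach ($day in 0..6) {
        $hours = @($allowedLocal | Where-Object { [int][math]::Floor($_ / 24) -eq $day } | ForEach-Object { $_ % 24 })
        if ($hours.Count) {
            $first = [int]($hours | Measure-Object -Minimum).Minimum
            $last  = [int]($hours | Measure-Object -Maximum).Maximum + 1
            '{0} {1:D2}-{2:D2}' -f $names[$day], $first, $last
        }
    }
}

$offset = -5   # assumption: New York, standard time
$mask   = New-LogonHoursMask -Days (1..5) -StartHour 9 -EndHour 18 -UtcOffsetHours $offset

# Write the bitmap and the "Log On To" list (userWorkstations attribute) in one call.
Set-ADUser -Identity ljones -Replace @{ logonHours = $mask } -LogonWorkstations 'Client1,Client2,Client3'

# Read both back and decode the hours with the same offset.
$u = Get-ADUser -Identity ljones -Properties logonHours, LogonWorkstations
ConvertFrom-LogonHoursMask -Mask $u.logonHours -UtcOffsetHours $offset
$u.LogonWorkstations
```

As the lecture notes, neither attribute ends an existing session: logon hours and the workstation list are checked at authentication time only, so enforcing a disconnect at 6 p.m. still needs a Group Policy setting.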
So, I’m going to click OK and close out of this, and now we’re going to go into the Active Directory Administrative Center and look at how we would do this through ADAC. This tool is a little bit newer; it came out around the Server 2008 and 2008 R2 period.
You just click on the domain here, and as you can see, things look a little different, but it’s all still there.
For example, if I scroll down, I can see the Sales OU; I can go into it and see Users and Computers. If I wanted to create another user, I could. Let’s go into Finance this time, go to Users, and create a user in Finance: click New, then User. You’ll see the template looks different; it’s got the same information, but it definitely looks different.
OK, so I’m going to create a user this time named Sarah Smith. That’s the full name, and the UPN, in my case, ends in @examlabpractice.com, and I must set the password.
Down here you’ll see it says “Create in: OU=Users,OU=Finance,DC=examlabpractice,DC=com”. That is called the distinguished name in Active Directory.
Active Directory stores every object inside the Active Directory database, in the domain partition, and inside that database it uses what are called distinguished names to identify every object. The distinguished name is the name of the object, which is the common name (CN), which would be the user’s name here, followed by OU=Users, OU=Finance, DC=examlabpractice, DC=com. You can’t write DC=examlabpractice.com, because distinguished names don’t represent the domain with dots; each label of the DNS name becomes its own DC component.
OK, but that’s just the name of the object as it’s stored inside the database.
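A small parser makes the structure of that distinguished name concrete: the nearest container comes first, the OU components read upward to the domain, and the DC components are the DNS labels with the dots removed. This is an added example, not from the course; it is pure string handling with constructed sample DNs, so it runs without a domain connection. The escaped-comma case matters in practice because a common name such as "Smith, Sarah" is stored as `Smith\, Sarah`, and a naive split on commas breaks it.

```powershell
# Added example (not from the course): split a distinguished name into its
# parts and rebuild a domain DN from a DNS name.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split on commas that are not escaped with a backslash.
    $rdns  = [regex]::Split($DN, '(?<!\\),')
    $parts = foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{
            Type  = $type.Trim().ToUpper()
            Value = ($value -replace '\\(.)', '$1')   # unescape "\," and "\="
        }
    }
    $ous = @($parts | Where-Object Type -eq 'OU' | ForEach-Object Value)
    [array]::Reverse($ous)   # DN lists the nearest OU first; show root first like the ADUC tree
    [pscustomobject]@{
        CommonName = ($parts | Where-Object Type -eq 'CN' | Select-Object -First 1).Value
        OUPath     = $ous -join '\'
        Domain     = ($parts | Where-Object Type -eq 'DC' | ForEach-Object Value) -join '.'
        ParentDN   = ($rdns | Select-Object -Skip 1) -join ','   # where "Create in" points
    }
}

function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$DnsName)
    # Each dotted label becomes its own DC component; the dots never appear in the DN.
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Constructed sample DNs matching the lesson's Finance\Users OU.
Split-DistinguishedName 'CN=Sarah Smith,OU=Users,OU=Finance,DC=examlabpractice,DC=com'
Split-DistinguishedName 'CN=Smith\, Sarah,OU=Users,OU=Finance,DC=examlabpractice,DC=com'
ConvertTo-DomainDN 'examlabpractice.com'
```

For the first sample the OU path comes out as Finance\Users and the domain as examlabpractice.com; for the second, the common name is returned whole as "Smith, Sarah" with the same OU path, which is the case a split on every comma would get wrong. `ConvertTo-DomainDN` is the inverse of the Domain field and is what `Get-ADDomain` reports as DistinguishedName.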
Then you’ve got the same things: the account expiration settings over here, and you can fill out this other information. This tool is also friendly with web services; you can enable something called Active Directory Web Services and connect in through the web services and create users that way.
So that’s kind of the reason they built it to look like a web page. It’s the same thing: Member Of for your groups, password settings, profile settings, policies associated with the user, which we’re not getting into right now. But once I’ve got my account the way I want it and I’ve specified everything, I’m going to click OK, and I’ve now created a user called Sarah Smith.
Now, as far as creating OUs goes, you can do the same thing: click over here on the domain and say New, Organizational Unit. For example, if I wanted to create an OU called IT, I could, and now I have an OU called IT.
So let’s jump back over real quick and look at what this looks like on the ADUC side.
I’ll go back to Server Manager, Tools, Active Directory Users and Computers, let that load up, and you should notice that you’ve pretty much got a reflection of how things look over here.
OK, so I’ll refresh my screen. We’ve got our HR, Finance, and there is Sarah Smith. And when I created the IT OU, where did I put that? I might have actually created it in the wrong place. Let me just try this again: New, Organizational Unit, IT. Oh, I know what I’m doing; I was creating it inside the Archive OU rather than in the root.
So this time I want to make sure it’s in the root.
OK, so now there we go, and when we refresh up here, there’s our IT OU. I was accidentally creating it inside Archive, which is where the first one ended up, so I’m just going to delete that one. Now notice that it won’t let me delete it: it says you do not have sufficient privileges to delete it, or the object is protected from accidental deletion. If we go to the properties of that OU, you’ll see there’s no checkbox anywhere here for changing this.
So what I’m going to do is go to View and turn on Advanced Features.
Now I’m going to right-click the OU, go to Properties, and you’ll notice I now have some additional tabs, namely the Object tab. It has “Protect object from accidental deletion”, and I turn that off. Now we should be able to delete it, and there you go. Next, I’m going to create one more user, in the IT department.
This user will be called Joe Franson, and this is going to be an IT person. What I want to show you real quick is how we can delegate control to this user over an OU.
Joe Franson is not going to be a full-blown domain admin; we just want to give Joe Franson control over, let’s say, Sales.
So Joe Franson is going to be an admin just over the Sales OU.
We’ll go right here, right-click Sales and say Delegate Control. From there, click Next, select the user, Joe Franson, click OK, then Next, and then you can give Joe all these rights if you want. There are lots and lots of rights: create, delete and manage user accounts, reset user passwords, read all user information, create, delete and manage groups, and even rights over inetOrgPerson accounts, which you might use if you’re working with web services. Maybe I don’t want Joe to be able to control Group Policy links, so I’m going to turn that off and give him access to do everything else, but nothing involving policy.
So we’ll turn off the three policy-related ones, click Next and then Finish. At that point, Joe now has admin rights over Sales and the child objects below Sales, but not over these other areas.
Now, if you ever want to see what rights Joe has, you’ve got to make sure you’ve turned on Advanced Features, then right-click Sales, go to Properties, and you look at the permissions through the Security tab. If you want to add permissions for Joe, you can just run Delegate Control again, add Joe back in, and re-delegate whatever rights you want to give him. But to see what rights Joe has, you right-click, go to Properties, then the Security tab, and then Advanced.
So you click on Joe, go to Advanced, and from there you can view and edit the full set of rights that Joe has.
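What the Delegation of Control wizard writes, and what the Security tab’s Advanced view shows, is a set of access control entries on the OU. The scripted form below grants a subset of the wizard’s user-management tasks to Joe and then reads the ACL back the way the Advanced dialog does. This is an added example, not the course’s own steps, and it is not the wizard’s exact permission set; it assumes the ActiveDirectory module on a domain controller, the Sales OU, and an account with logon name jfranson (assumed). Schema and extended-right GUIDs are looked up from the directory rather than hard-coded.

```powershell
# Added example (not from the course): delegate user management on the Sales
# OU to one account with explicit ACEs, then list that account's ACEs.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$salesOU = "OU=Sales,$($domain.DistinguishedName)"
$joe     = Get-ADUser -Identity jfranson
$sid     = [System.Security.Principal.SecurityIdentifier]$joe.SID

# GUIDs for the 'user' object class and the 'Reset Password' control access
# right, read from the schema and the Extended-Rights container.
$rootDSE   = Get-ADRootDSE
$userClass = [guid](Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$salesOU"

# ACE 1: create and delete child objects of class user, on Sales and every OU below it.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', 'Allow', $userClass, 'All')))

# ACE 2: the Reset Password extended right, applied only to descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPwd, 'Descendents', $userClass)))

# ACE 3: full control over descendant user objects (the wizard's "manage user
# accounts"). Nothing here touches gPLink, so Group Policy stays out of scope.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'GenericAll', 'Allow', 'Descendents', $userClass)))

Set-Acl -Path "AD:\$salesOU" -AclObject $acl

# Review, as on Security > Advanced: only the ACEs that name this account.
# Run this against every OU during an audit to find delegations you did not expect.
function Get-DelegatedRights {
    param([Parameter(Mandatory)][string]$OUDN, [Parameter(Mandatory)][string]$SamAccountName)
    (Get-Acl -Path "AD:\$OUDN").Access |
        Where-Object { $_.IdentityReference -like "*\$SamAccountName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedRights -OUDN $salesOU -SamAccountName jfranson
```

Scoping ACE 2 and ACE 3 to descendant objects of class user is what keeps Joe from gaining rights over computer objects, groups or the OU itself, which is the same distinction the Advanced dialog shows in its "Applies to" column; a delegation that reads "This object and all descendant objects" with GenericAll would be an OU-level administrator, not a user-account administrator.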
Now, obviously there are lots of permissions here. If you don’t know what a specific permission is, Microsoft’s support documentation lists out each individual permission.
That’s there if you’re interested in digging deeper into what all these different rights are, because there are a lot of permissions in Active Directory that can be set. But hopefully that gives you a good understanding of creating OUs and users and some of the management involved in dealing with them.