
Basics of Active Directory

Active Directory (AD) is a Windows server service used to manage users and devices within a corporate network, allowing for the organization of user accounts and devices into domains and groups for easier administration. Users can be assigned to security or distribution groups, and organizational units (OUs) help apply policies and delegate control. Additionally, local and group policies can enforce security measures, such as password requirements and user permissions, to enhance workstation security in a corporate environment.

Basic Active Directory Functions

Technicians sometimes have to use a Windows server, and specifically the Active Directory (AD) service on the server, to manage users and devices on the network as part of security best practices in the corporate environment. You can use Active Directory to define domains. Remember that a domain makes it possible to organize user accounts and devices such as computers and printers.

Within Active Directory, users can be placed in groups so that administration (for example, assigning security rights) is easier. Figure 18.17 shows a corporate structure in which one group of users is the Information Technology Services group. By expanding the group, you can see the users listed there.
Figure 18.17: Active Directory Groups
Groups can further be combined into a domain group for even more centralized administration. When you create a domain group, you must choose one of two types: security or distribution. A security group makes it possible to apply group policy settings or permissions to any shared resource. Distribution groups are merely email distribution lists. Organizational units (OUs) are useful when you apply policies, such as security policies or other corporate Windows rules, to a part of an organization. OUs can contain groups, users, computer accounts, and even other OUs. OUs are also useful when you want to delegate control, letting one or more administrators manage a specific set of users, computers, and groups.
To create a user account in AD (and place it in a particular group), open the Active Directory Users and Computers console by going to the Start button > Programs > Administrative Tools > Active Directory Users and Computers. Expand the domain (the section that starts with “ad.xxx”) until you see the group you want; click on that group. From the menu bar, select Action > New > User. In the dialog box shown in Figure 18.18, enter the user information and click Next. Enter the password and select any appropriate security settings, such as User must change password at next logon, as shown in Figure 18.19. Figure 18.20 shows the user account properties screen, where you click OK.

Figure 18.18: Active Directory > creating a new user


Figure 18.19: Active Directory > setting a new user password
Figure 18.20: Active Directory > viewing properties of a new user
Users are commonly placed in groups so that they can be managed
more easily. To place a user in a group, expand the particular group the
user is currently in or just select the Users folder > locate the user that
has been added previously and right-click on the name > Add to a
group. Note that you can also add a user to a group from the
user’s Properties window (refer to Figure 18.20) and select the Member
Of tab > Add button. Either way, you are presented with the Select
Groups window, as shown in Figure 18.21.
Figure 18.21: Active Directory > adding a user to a group
At the bottom of the textbox, type the name of the group you want the
user to be in. Look at the groups within the domain shown to the left of
this window (refer to Figure 18.17), such as HR or Information
Technology Services. A user can be a member of multiple groups, and
those groups are shown on the Member Of tab.

Other functions within the user account properties that might need to
be set by a technician are the logon script, home folder, and folder
redirection. A logon script (sometimes referred to as a login script) is a
set of tasks configured in one file that run when a user logs in, such as
running a specific application, performing an operating system function
on the local computer, or setting system environment variables. The
logon script can be defined as part of a group policy (covered in the
next section) or through the Properties window > Profile tab, as shown
in Figure 18.22.
Figure 18.22: Active Directory > using the Profile tab
Notice in Figure 18.22 the Home Folder section. A home folder is a network folder that allows users to store their files and have access to them from any device that they log onto within the same domain. Commonly the Connect radio button is used to assign a drive letter in the first drop-down menu, and then the network path where the files are stored is provided (for example, \\ServerName\FolderName\%username%).

Another technique used for user data storage is folder redirection. Folder redirection involves mapping a folder on the local machine to a network location such as a server. The user then has access to the files within that folder from any device on the network domain.

To delete an account, right-click on someone’s name (see Figure 18.23) and select the Delete option. Some companies have a policy of not deleting user accounts in case users come back or in case you might for some other reason need to access accounts. Instead, some managers disable an account and put that disabled account into a group with all the other disabled accounts. To manually disable an account, locate and right-click on the user account and select Disable Account.
Figure 18.23: Active Directory > right-clicking on user account
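The same account lifecycle (create, set an initial password that must be changed at first logon, add to a group, set the Profile tab values, then disable rather than delete), done with the ActiveDirectory PowerShell module from RSAT. This is an added example, not code from the text; the domain ad.example.com, the OU and group names, the user jdoe and the server/share names are constructed.

```powershell
# Added example (not from the text): GUI steps from Figures 18.18-18.23 as PowerShell.
# Assumed values: domain ad.example.com, OU/group 'Information Technology Services',
# a 'Disabled Accounts' group, sample user jdoe, and share \\ServerName\FolderName.
Import-Module ActiveDirectory

$domainDn  = 'DC=ad,DC=example,DC=com'
$ou        = "OU=Information Technology Services,$domainDn"
$groupName = 'Information Technology Services'          # group shown in Figure 18.17
$sam       = 'jdoe'                                     # constructed sample user

# Prompt for the initial password instead of hard-coding it in the script.
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# Figures 18.18/18.19: create the user; -ChangePasswordAtLogon is the
# "User must change password at next logon" checkbox.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@ad.example.com" `
    -Path $ou -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Figure 18.21: add the user to a group (what the Member Of tab > Add button does).
Add-ADGroupMember -Identity $groupName -Members $sam

# Figure 18.22 (Profile tab): logon script and home folder mapped to H:.
# Unlike the GUI with %username%, this does not create the folder; the share
# and per-user folder must already exist with the user granted rights.
Set-ADUser -Identity $sam -ScriptPath 'logon.bat' `
    -HomeDrive 'H:' -HomeDirectory "\\ServerName\FolderName\$sam"

# Check the memberships shown on the Member Of tab.
Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name

# Retention practice from the text: disable the account and put it with the
# other disabled accounts instead of deleting it.
Disable-ADAccount -Identity $sam
Add-ADGroupMember -Identity 'Disabled Accounts' -Members $sam
```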
Local and Group Policies

Another method of controlling login passwords is through a local- or domain-based group account policy. Policies do more than just define password requirements. They can define the desktop, what applications are available to users, what options are available through the Start menu, whether users are allowed to save files to external media, and so on. A domain policy, or group policy, can be created, updated, and applied to every computer on the domain. This practice is common in Microsoft Active Directory (AD) domain networks.
A local security policy is created on a computer, and it could be used to
disable auto-playing of media such as USB thumb drives and optical
discs, prevent users from shutting down or restarting a computer, turn
off personalized menus, or prevent someone from changing the
Internet Explorer or Microsoft Edge home page. A local security policy
might be implemented in a workgroup setting. A group policy is more
common in a corporate environment, and a group policy can override
a local policy. If any computer settings on a networked computer in a
corporate environment are grayed out, the settings are probably
locked out due to the policy deployed throughout the domain.

Tech Tip
Accessing the local security policy and group policy
Access the Local Group Policy Editor window by typing gpedit.msc at a
command prompt or in the Search textbox. Use the gpresult command
to display the group policy settings in effect for a user or computer. Use
the gpupdate command to make a computer refresh its Group Policy
settings so a newly deployed group policy takes effect without waiting
for the next scheduled refresh. Use the secedit command to configure
or analyze a security policy.

The following list describes some best practices for securing a workstation in a corporate environment:

• Restrict login times. If someone works during the daytime Monday through Friday, then restrict Saturday and Sunday or evenings.
• Set expiration requirements. Require the user to change their password after 60 or 90 days unless a long, complex passphrase is required. Then, only require changing the password if a security breach is suspected.
• Disable guest account. Use the Computer Management Console > expand System Tools > expand Local Users and Groups > double-click on the Guest account > select the Account is disabled checkbox.
• Enable the failed attempts lockout feature to lock out users after a specific number of failed login attempts. In the group policy editor, expand Security Settings > Account Lockout Policy to access how long someone is locked out and how many failed attempts are allowed.
• Configure a timeout/screen lock for when users are away from their workstations to automatically lock their screens after a period of nonuse.
• Restrict user permissions and apply the principle of least privilege (which is covered later in this lesson).
Through the defined policy, criteria for auditing can also be set.
Auditing, sometimes called event logging or just logging, is the process
of tracking events that occur on the network, such as someone logging
in to the network. In a business environment, a server with special
auditing software is sometimes devoted to this task because it is very
important to security. Figure 18.24 shows the Local Group Policy Editor
window.
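The checklist above and the auditing paragraph, applied from PowerShell instead of the policy editor dialogs. This is an added example, not code from the text; it assumes the ActiveDirectory and GroupPolicy RSAT modules, domain ad.example.com, a GPO named 'Workstation Baseline' and a sample user jdoe, all constructed values.

```powershell
# Added example (not from the text): the workstation-hardening checklist in PowerShell.
# Assumed: domain ad.example.com, GPO 'Workstation Baseline', sample user jdoe (all constructed).
Import-Module ActiveDirectory, GroupPolicy

# 1. Restrict login times. The logonHours attribute is 21 bytes = 168 one-hour bits,
#    bit 0 of byte 0 being Sunday 00:00 UTC (ADUC shows it in local time).
#    Default below allows Monday-Friday 07:00-19:00 UTC; weekends and evenings are denied.
function New-LogonHours {
    param([int[]]$Days = 1..5, [int]$StartHour = 7, [int]$EndHour = 19)
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h                              # hour index within the week
            $idx = [math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $bytes
}
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = (New-LogonHours) }

# 2. Expiration and 4. lockout: the domain defaults behind Security Settings >
#    Account Policies. (If long passphrases are required, drop -MaxPasswordAge as the text suggests.)
Set-ADDefaultDomainPasswordPolicy -Identity 'ad.example.com' `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. Disable the Guest account (domain Guest here; on a standalone PC: Disable-LocalUser -Name Guest).
Disable-ADAccount -Identity 'Guest'

# 5. Screen lock after 10 minutes of nonuse, delivered by GPO to every domain workstation.
$gpo = 'Workstation Baseline'
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null

# Auditing: log successful and failed logons and lockouts so off-hours or brute-force
# attempts appear in the Security event log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# Verify the domain policy, then pull the new GPO down now (gpresult/gpupdate from the Tech Tip).
Get-ADDefaultDomainPasswordPolicy -Identity 'ad.example.com'
gpupdate /force
```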

Figure 18.24: Local Group Policy Editor window


Tech Tip
Requiring password protection
You can enable or disable password protection through the Network
and Sharing Center on a workgroup computer. If password protection is
enabled, a person accessing a shared folder from a remote location
must have a user account and password on the computer that holds
the network share.
