AD Overview

Windows Domain

A Windows Domain is a group of user and computers under the administration of a business.
Centralizes the administration of common windows components
Stores it all in a centralized repo called Active Directory
The server that runs AD is called a Domain Controller

Advantages to Domains

Centralized Identity Management - All users across the network can be configured from AD with minimum effort
Managing Security Policies - You can configure security policies from AD and apply them to users and computers across the network

AD DS

Active Directory Domain Service (AD DS) is at the core of every domain
This service is a catalogue that holds all the information of the "objects" that exist in your network
In terms of objects there are users, groups, machines, printers, shares, etc, etc

Users

Users are one of the objects known as security principles
Means they can be authenticated by the domain and can be assigned privileges over a resource like a file or printer
Security Principles can act upon a resource in a network

People vs Services

Users can represent two types of entities
- People: users will generally represent peoples that need to access a network
- Services: you can difine users to be used by services i.e. IIS, MSSQL
Every service requires a user to run but services differ from regular users as they will only have the privileges needed to run their specific service

Machines

Machines are another type of object in a domain.
For every computer that joins AD a machine object will be recreated
Machines are considered Security Principles
They are assigned an account just like a user
This account has limited rights within the domain itself
The machine accounts themselves are local administrators on the assigned computer
They are generally not supposed to be accessed by anyone except the computer itself
But if you have the password you can use them
Machine account passwords are automatically rotated out and are generally comprised of 120 random chars

Identify Machine Accounts

They are easy to identify
They follow a specific naming scheme
Machine account name is the computer name followed by a $
i.e. if the computer name is SRV01 the machine account is SRV01$

Security Groups

You can define user groups to assign access rights to files and other resources to a group vice a user
Security groups are also considered security principals and can have privileges over resources on a network

Default Domain Groups

Security Group

Description

Domain Admins

Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.

Server Operators

Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.

Backup Operators

Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.

Account Operators

Users in this group can create or modify other accounts in the domain.

Domain Users

Includes all existing user accounts in the domain.

Domain Computers

Includes all existing computers in the domain.

Domain Controllers

Includes all existing DCs on the domain.

AD Users and Computers

To config users or groups or machines in AD we need to log into the DC and run Active Directory Users and Computers
This is located on the start menu

Will open a hierarchy of users, computers and groups that exist in a domain
They are all organized in Organizational Units OUs
These are contain objects that allow you to classify users and machines
OUs are mainly used to define sets of users with similar policing requirements
Users can be a part of a single OU at a time

If you open any of the OUs you can see the users they contain
This is where you can create, delete or modify them as needed
Can also reset passwords here

Default Containers

There are default containers in domains
Created by windows automatically
- Builtin: Contains default groups available to any Windows host.
- Computers: Any machine joining the network will be put here by default. You can move them if needed.
- Domain Controllers: Default OU that contains the DCs in your network.
- Users: Default users and groups that apply to a domain-wide context.
- Managed Service Accounts: Holds accounts used by services in your Windows domain.

Security Groups vs OUs

OUs - handy for applying policies to users and computers
- Include specific configs that pertain to sets of users depending on their particular role
- Users can only be a member of a single OU at a time
- Cant apply two different policies to the same user
Security Groups
- Used to grant permissions over resources
- If you use groups and want to allow some users to have access over a shared folder
- Users can be in many groups at the same time

Deleting extra OUs and users

OUs are protected against accidential deletion
To delete them enable Advanced Features in the View menu
This will show you some more containers and enable you to toggle the accidental deletion protection on or off.

Delegation

You can and should give specific users some control over some OUs
This is known as delegation and it allows specific privileges to perform advanced tasks on OUs without needing a DA to step in
One common example is granting IT Staff the ability to reset other low privilege users passwords

How to Delegate

To delegate control over an OU right click and select Delegate Control

This should open a new window where you should input the users name that you want to delegate to
Use the check names box to avoid a miss type
Now you can see a new window that allows more granular delegation controls

AD Password Resets Powershell

PS C:\Users\phillip> Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

New Password: *********

VERBOSE: Performing the operation "Set-ADAccountPassword" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".

Now make sure to force the user to update their password on next login so they dont keep using a password that we know!

PS C:\Users\phillip> Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose

VERBOSE: Performing the operation "Set" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".

Managing Computers in AD

All machines that join the domain (minus DC) will be put in a container called Computers
You will want to group the different machine types to be able to apply different policies to them
You do not want to have the same policies for your end user workstations as your servers
At minimum it pays off to have these three groups
- 1. Workstations
  Workstations are one of the most common devices within an Active Directory domain. Each user in the domain will likely be logging into a workstation. This is the device they will use to do their work or normal browsing activities. These devices should never have a privileged user signed into them.
- 2. Servers
  Servers are the second most common device within an Active Directory domain. Servers are generally used to provide services to users or other servers.
- 3. Domain Controllers
  Domain Controllers are the third most common device within an Active Directory domain. Domain Controllers allow you to manage the Active Directory Domain. These devices are often deemed the most sensitive devices within the network as they contain hashed passwords for all user accounts within the environment.

Group Policies

Windows manages policies to OUs with Group Policy Objects (GPO)
GPOs are simply a collection of setting that can be applied to OUs
GPOs can contain policies aimed at either users or computers, allowing you to set a baseline
To configure GPOs, you can use the Group Policy Management tool, available from the start menu:

GPO Hierarchy

You will notice a GPO hierarchy when you open GPO Management tool
To configure GPOs you first create a GPO under Group Policy Objects and then link it to the GPO where you want the policies to apply

PreviousDonPapi NextEnumerating Forests

Last updated 1 year ago

Was this helpful?