Active Directory Tutorial for Beginners

Paul Hill

September 23, 2020 • 10 min read

    What is Active Directory?

    Active Directory is a Microsoft technology for identity management in computer networks. It’s a database that contains user and computer accounts as well as their passwords.

    When you install the AD DS server role, you will finish the installation by promoting the server to a domain controller. This will install several tools including:

    • Active Directory Administrative Center
    • Active Directory Domains and Trusts
    • Active Directory Module for Windows PowerShell
    • Active Directory Sites and Services
    • Active Directory Users and Computers

    In this tutorial we will focus on the tool that you will use the most when it comes to Active Directory, which is Active Directory Users and Computers.

    If you’re looking for an IT job or just want to freshen up your IT skills then this tutorial is perfect for you!

    Get access to our IT labs

    In this lesson we will be using ServerAcademy.com’s IT labs which you can connect to through your web browser. We have this exact IT lab (and many more) available which you get access to when you become a member at ServerAcademy.com.

    What I recommend is that you sign up for the free trial here so you can use the IT labs with this tutorial.

    You can also download and install VirtualBox which will allow you to run Virtual Machines on your home computer. This works when you have a powerful computer that can run multiple VMs and the time to set them up.

    How do I open Active Directory?

    Identifying Domain Controllers

    To open Active Directory, you will need to identify your Active Directory Domain Controller. Thankfully, you can check whether you’re logged in to a Domain Controller by opening Server Manager and looking on the left-hand side for the AD DS server role.

    [Image: AD DS Server Role]

    You will also see “Active Directory Users and Computers” listed under tools:

    [Image: Open the Active Directory Users and Computers console]

    Remotely Open Active Directory with RSAT (Remote Server Administration Tools)

    It’s possible that you either can’t or don’t want to log directly into the Domain Controller. In this case you can download a tool called RSAT to install the Active Directory consoles on your local computer, and then connect to your Active Directory domain controllers.

    You can install RSAT by downloading and running this script which appears to be a great way to install RSAT on Windows 10 1809, 1903 and 1909.

    I saved the script to my C:\Users\*******\Downloads folder, opened PowerShell as an administrator, and changed (cd) to that directory. Then I called the script and answered “R” to run it once:

    [Image: Quickly install RSAT]

    This will quickly install all the tools you need for your specific version of Windows. Now when I click the start button, I can go to Windows Administrative Tools and start the Active Directory Users and Computers console:

    [Image: RSAT Active Directory Consoles]
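
    An added example, not part of the original tutorial or its linked script: on Windows 10 1809 and later the Active Directory part of RSAT can also be installed through the Features on Demand capability built into Windows, after which the same session can list the domain controllers. It assumes an elevated PowerShell session on a domain-joined machine.

```powershell
# Added example: run in an elevated PowerShell session on Windows 10 1809 or later.
# Look up only the Active Directory part of RSAT instead of every RSAT tool.
$cap = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*'
if (-not $cap) { throw 'RSAT Active Directory capability is not offered on this Windows build.' }

if ($cap.State -ne 'Installed') {
    # Features on Demand are fetched from Windows Update by default.
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# The capability ships the ActiveDirectory module alongside the consoles.
Import-Module ActiveDirectory -ErrorAction Stop

# List every domain controller in the current domain: the same machines
# that show the AD DS role in Server Manager.
Get-ADDomainController -Filter * |
    Sort-Object HostName |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem
```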

    Organizational Units and Containers

    When you first launch Active Directory, you will see a collection of what appear to be folders. These “folders” comprise a BuiltinDomain object, containers and Organizational Units.

    [Image: AD Container Types]

    In order:

    BuiltinDomain

    The BuiltinDomain object contains the security groups that are required for your domain to operate. You cannot delete any of these Security Groups as they are all required by the domain.

    Containers

    Containers are structural objects that are included by default within Active Directory. The most important difference between OUs and containers is that you cannot apply Group Policy Objects (GPOs) to containers. This will make more sense to you when you get to the Group Policy section of this course. You also cannot create a container in Active Directory although you can use ADSI Edit to create containers.

    By default, the containers you will immediately see in Active Directory are Computers, ForeignSecurityPrincipals, Managed Service Accounts and Users.

    Organizational Units (OUs)

    Organizational Units (commonly referred to as OUs) are used to organize and separate objects within Active Directory. The objects could be anything that Active Directory can store, like user accounts, computers, printers, file shares, etc.

    If your company had a marketing team, you might create a new OU called “Marketing” and store all your marketing user accounts inside this OU.

    So just like it sounds, OUs are used to help you organize your domain within Active Directory. But this is much more important than just having a tidy Active Directory. System administrators will often assign specific permissions to OUs. For example, all users inside the Marketing OU may have a special desktop background, and special permissions to a file share that other users may not have.

    This is why it’s important that you insert Active Directory objects into the correct OU, as picking the wrong OU could lead to some users having security privileges they are not supposed to have. This applies not only to user accounts, but to every object that is stored within Active Directory.

    Create an Organizational Unit

    To create a new Organizational Unit, right-click on the desired location (in my case, ad.serveracademy.com) and select Organizational Unit. I am going to name this “Test OU”.

    [Image: Create Organizational Unit]

    Notice you have the option of disabling the Protect container from accidental deletion checkbox. For most cases I recommend that you leave this option checked.

    Click OK to create the OU. Now you can see that it has been created under the root domain ad.serveracademy.com.

    Delete an Organizational Unit

    Occasionally you will need to delete an OU, and unfortunately this is not as simple as it sounds. If you right-click on an OU, select Delete and Yes, you will be presented with a message stating “You do not have sufficient privileges to delete [the OU], or this object is protected from accidental deletion”.

    [Image: Delete an Organizational Unit in Active Directory]
    [Image: Deleting an Organizational Unit]

    If you remember, when we created the OU we checked the Protect this OU from accidental deletion checkbox. To remove the protection, we need to enable the advanced view within Active Directory and turn off the protection in the OU’s properties. Click OK to close the warning message, then select View > Advanced Features.

    [Image: Enable Active Directory Advanced Features]

    Immediately you will notice that your view will refresh and you will have a lot more items listed under your domain. You can ignore all of this for now, and simply right-click on the Test OU and choose Properties:

    [Image: Selecting OU Properties]

    Select the Object tab and uncheck the Protect object from accidental deletion checkbox, then click OK.

    [Image: Removing OU protection]

    Now when we right-click the OU and select Delete we will no longer get the error and the OU has been deleted.

    [Image: Deleted Organizational Unit]
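
    The create and delete steps above, as an added PowerShell example that is not part of the original tutorial. It assumes the ActiveDirectory module is installed and that the tutorial's ad.serveracademy.com domain has the distinguished name DC=ad,DC=serveracademy,DC=com; it ends with a review of which OUs lack the protection flag.

```powershell
Import-Module ActiveDirectory

# Assumed: DN form of the tutorial's ad.serveracademy.com domain.
$domainDN = 'DC=ad,DC=serveracademy,DC=com'
$ouDN     = "OU=Test OU,$domainDN"

# Create the OU with the "Protect container from accidental deletion" box ticked.
New-ADOrganizationalUnit -Name 'Test OU' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# While protection is on, the delete is refused and the OU survives.
try {
    Remove-ADOrganizationalUnit -Identity $ouDN -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused: $($_.Exception.Message)"
}

# Before lifting protection, make sure nothing still lives in the OU.
$children = @(Get-ADObject -SearchBase $ouDN -SearchScope OneLevel -Filter *)
if ($children.Count -gt 0) {
    throw "OU still holds $($children.Count) object(s); move them out first."
}

# Same as unchecking the box on the Object tab, then choosing Delete.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDN -Confirm:$false

# Review: OUs anywhere in the domain that currently lack the protection flag.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```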

    Creating and Managing User Accounts

    Creating and managing user accounts within Active Directory is a common task that you will need to fully understand to have a successful career as a Windows Server administrator.

    When it comes to creating and managing user accounts, you really have two options: the Active Directory Users and Computers console or the PowerShell command line. This tutorial will focus on using the Active Directory GUI.

    Create a new AD user

    To create a new Active Directory user, right-click your desired location in ADUC (Active Directory Users and Computers) and select New > Users. I’m going to do this inside the Server Academy > Domain Users OU I created:

    [Image: Creating new Active Directory user account]

    Now the new user window will appear:

    [Image: New User Object window]

    You need to type in the desired user account info, like the first and last name, full name (which should be auto-populated) and the username. I like to use the first.last naming convention, but your place of work will likely differ.

    Once you’re done click Next and you will be able to specify the user password as well as deciding the following:

    • User must change password at next logon

    Use this when you’re creating a user account and you’re emailing them the password or using the same password for multiple accounts.

    • User cannot change password

    You will rarely use this. Possibly useful for service accounts, but again not a common choice.

    • Password never expires

    This is a bad security practice – but it can be useful for service accounts if you don’t care about the security issues with using the same password for a very long time (like in a lab environment).

    • Account is disabled

    Use this when you are creating the user account for a new hire and they haven’t started the job yet.

    [Image: Username and Password Screen]

    Now click next:

    [Image: Finish new AD user account creation]

    Now inside of Active Directory I can see the new user account:

    [Image: New AD User Account]
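
    The same wizard expressed with New-ADUser, as an added example that is not part of the original tutorial: each of the four checkboxes maps to a parameter, and contradictory combinations are rejected before anything is written. The function name New-TutorialUser, the sample person, the UPN suffix, the OU path and the character policy for logon names are assumptions.

```powershell
Import-Module ActiveDirectory

function New-TutorialUser {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]       $GivenName,
        [Parameter(Mandatory)][string]       $Surname,
        [Parameter(Mandatory)][string]       $Path,       # DN of the target OU
        [Parameter(Mandatory)][securestring] $Password,
        [bool] $ChangePasswordAtLogon = $true,   # User must change password at next logon
        [bool] $CannotChangePassword  = $false,  # User cannot change password
        [bool] $PasswordNeverExpires  = $false,  # Password never expires
        [bool] $Disabled              = $false   # Account is disabled
    )

    # "Must change at next logon" contradicts the other two password options.
    if ($ChangePasswordAtLogon -and ($CannotChangePassword -or $PasswordNeverExpires)) {
        throw 'ChangePasswordAtLogon cannot be combined with CannotChangePassword or PasswordNeverExpires.'
    }

    # first.last convention from the tutorial; sAMAccountName allows at most 20 characters.
    $sam = ('{0}.{1}' -f $GivenName, $Surname).ToLower()
    if ($sam -notmatch '^[a-z0-9.\-]+$') { throw "Logon name '$sam' is outside the assumed character policy." }
    if ($sam.Length -gt 20)              { throw "Logon name '$sam' is longer than 20 characters." }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "Logon name '$sam' is already taken." }

    $params = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@ad.serveracademy.com"   # assumed UPN suffix
        Path                  = $Path
        AccountPassword       = $Password
        ChangePasswordAtLogon = $ChangePasswordAtLogon
        CannotChangePassword  = $CannotChangePassword
        PasswordNeverExpires  = $PasswordNeverExpires
        Enabled               = -not $Disabled
    }
    New-ADUser @params -PassThru
}

# New hire who has not started yet: created disabled, must change password at first logon.
$pw = Read-Host -AsSecureString 'Initial password'
New-TutorialUser -GivenName 'Jane' -Surname 'Doe' -Password $pw -Disabled $true `
    -Path 'OU=Domain Users,OU=Server Academy,DC=ad,DC=serveracademy,DC=com'   # assumed OU path
```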

    Resetting User Passwords in Active Directory

    To reset a user password, simply right click on the user and select Reset Password as shown in the image below:

    [Image: Resetting AD User Password]

    If you cannot locate the user account, click the Find objects in Active Directory Services button, type in the name of the user, and change the In dropdown to Entire Directory:

    [Image: Search for Active Directory User Accounts]

    Once you find your user account, you can right-click the user and select Reset Password:

    [Image: Reset Password Window]

    You can force the user to change their password at the next login. If you enable this option then the user will see this screen the next time they log in:

    [Image: The user’s password must be changed before signing in.]

    If the user account is locked, you can check the second check box to unlock the account at the same time you reset the user password.
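
    The find, reset, force-change and unlock steps as an added PowerShell example, not part of the original tutorial. The function name Reset-TutorialPassword and the sample account test.user are assumptions; the search refuses to act unless exactly one user matches.

```powershell
Import-Module ActiveDirectory

function Reset-TutorialPassword {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]       $Name,         # what you would type into Find
        [Parameter(Mandatory)][securestring] $NewPassword,
        [switch] $Unlock                                     # the dialog's second check box
    )

    # Escape LDAP filter metacharacters so the typed name cannot alter the query.
    $safe = [regex]::Replace($Name, '[\\*()\0]', { param($m) '\{0:x2}' -f [int][char]$m.Value })

    # Ambiguous name resolution across the whole domain, like a directory-wide Find.
    $hits = @(Get-ADUser -LDAPFilter "(anr=$safe)" -Properties LockedOut, PasswordNeverExpires)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one user for '$Name', found $($hits.Count)."
    }
    $user = $hits[0]

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword

    # Forcing a change conflicts with "Password never expires", so skip it for those accounts.
    if ($user.PasswordNeverExpires) {
        Write-Warning "$($user.SamAccountName) has 'Password never expires' set; not forcing a change."
    } else {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    if ($Unlock -and $user.LockedOut) {
        Unlock-ADAccount -Identity $user
    }

    # PasswordLastSet reads empty once a change at next logon is forced.
    Get-ADUser -Identity $user -Properties LockedOut, PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, LockedOut, PasswordLastSet, PasswordExpired
}

$pw = Read-Host -AsSecureString 'Temporary password'
Reset-TutorialPassword -Name 'test.user' -NewPassword $pw -Unlock   # constructed account name
```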

    Managing Group Memberships

    You can manage a user’s group membership by double-clicking on the user and selecting the Member Of tab:

    [Image: Manage User Groups]

    You can add or remove groups by clicking either the Add or Remove buttons respectively. You can learn more about the Active Directory groups that are available to you by default by clicking here.

    We can open any of the listed Active Directory Groups by double clicking on them. In this example I am going to double-click Domain Users:

    [Image: Members of Domain Users Group]

    Here you can look at all of the users who are members of the Domain Users Group. You will notice that you can also add or remove users from this view as well.
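
    An added example, not part of the original tutorial: the Member Of tab lists only the groups a user belongs to directly, so this function also follows nested groups and reports which privileged default groups the account reaches and how. The function name, the list of groups treated as privileged and the account test.user are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-PrivilegedMembership {   # hypothetical helper name
    param([Parameter(Mandatory)][string] $Identity)

    # Default groups treated as privileged here (assumed list; extend for your domain).
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Backup Operators', 'Server Operators'

    $user = Get-ADUser -Identity $Identity -Properties MemberOf

    # Escape the DN for use inside an LDAP filter.
    $dn = [regex]::Replace($user.DistinguishedName, '[\\*()\0]',
                           { param($m) '\{0:x2}' -f [int][char]$m.Value })

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership on the server side.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"

    foreach ($g in $groups | Where-Object { $privileged -contains $_.Name }) {
        [pscustomobject]@{
            User  = $user.SamAccountName
            Group = $g.Name
            # 'direct' appears on the Member Of tab; 'nested' arrives through another group.
            Via   = if ($user.MemberOf -contains $g.DistinguishedName) { 'direct' } else { 'nested' }
        }
    }
}

Get-PrivilegedMembership -Identity 'test.user'   # constructed account name
```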

    Disabling and Deleting User Accounts in Active Directory

    You can disable a user account by right-clicking on the user and selecting Disable Account:

    [Image: Disabling Active Directory User Accounts]

    The next time the user attempts to log in they will see the following message:

    [Image: Your account has been disabled in Active Directory]

    Usually you will disable a user account for a period of time (like 90 days) before deleting the user account.

    To delete a user account you can simply right-click the user and select Delete:

    [Image: Delete an Active Directory User Account]

    Once the account has been deleted obviously it will be gone permanently and can no longer be used.
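
    An added account-hygiene report, not part of the original tutorial, built on two points made above: the "Password never expires" option and the 90-day disable-before-delete window. It assumes the ActiveDirectory module; whenChanged is used as an approximation of the disable date, and nothing is deleted.

```powershell
Import-Module ActiveDirectory

$holdDays = 90                                  # disable-then-delete window from the tutorial
$cutoff   = (Get-Date).AddDays(-$holdDays)
# Built-in accounts that are disabled by design: Guest (501), krbtgt (502), DefaultAccount (503).
$builtinRid = '-(501|502|503)$'

# 1. Enabled users carrying the "Password never expires" flag.
$neverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet } |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName

# 2. Disabled users whose object has not changed since the cutoff.
#    whenChanged moves on any attribute change and is tracked per domain controller,
#    so treat it as an approximation of when the account was disabled.
$pastHold = Search-ADAccount -AccountDisabled -UsersOnly |
    Where-Object { $_.SID.Value -notmatch $builtinRid } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenChanged } |
    Where-Object { $_.whenChanged -lt $cutoff } |
    Select-Object SamAccountName, whenChanged, DistinguishedName

'Enabled accounts with a non-expiring password:'
$neverExpires | Format-Table -AutoSize

"Disabled accounts unchanged for more than $holdDays days:"
$pastHold | Format-Table -AutoSize

# Preview the deletions; nothing is removed while -WhatIf is present.
$pastHold | ForEach-Object { Remove-ADUser -Identity $_.DistinguishedName -WhatIf }
```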

    Conclusion

    That wraps up this tutorial! Hopefully you enjoyed it. If you are interested in joining our IT training program you can start a free trial by clicking here.
