Active Directory Tutorial for Beginners

Paul Hill

September 23, 2020

What is Active Directory?

Active Directory is a Microsoft technology for identity management in computer networks. It’s a database that contains user and computer accounts as well as their passwords.

When you install the AD DS server role, you will finish the installation by promoting the server to a domain controller. This will install several tools including:

  • Active Directory Administrative Center
  • Active Directory Domains and Trusts
  • Active Directory Module for Windows PowerShell
  • Active Directory Sites and Services
  • Active Directory Users and Computers

In this tutorial we will be focusing on the tool that you will be using the MOST when it comes to Active Directory, which is Active Directory Users and Computers.

If you’re looking for an IT job or just want to freshen up your IT skills then this tutorial is perfect for you!

Get access to our IT labs

In this lesson we will be using ServerAcademy.com’s IT labs which you can connect to through your web browser. We have this exact IT lab (and many more) available which you get access to when you become a member at ServerAcademy.com.

What I recommend is that you sign up for the free trial here so you can use the IT labs with this tutorial.

You can also download and install VirtualBox which will allow you to run Virtual Machines on your home computer. This works when you have a powerful computer that can run multiple VMs and the time to set them up.

How do I open Active Directory?

Identifying Domain Controllers

To open Active Directory, you will need to identify your Active Directory Domain Controller. Thankfully, you can check to see if you’re logged in to a Domain Controller by opening Server Manager and looking on the left hand side for the AD DS server role.

[Image: AD DS Server Role]

You will also see “Active Directory Users and Computers” listed under tools:

[Image: Open the Active Directory Users and Computers console]

Remotely Open Active Directory with RSAT (Remote Server Administration Toolset)

It’s possible that you either can’t or don’t want to log directly into the Domain Controller. In this case you can download a tool called RSAT to install the Active Directory consoles on your local computer, and then connect to your Active Directory domain controllers from there.

You can install RSAT by downloading and running this script which appears to be a great way to install RSAT on Windows 10 1809, 1903 and 1909.

I saved the script to my C:\Users\*******\Downloads folder, opened PowerShell as an administrator, and changed (cd) to that directory. Then I called the script and answered “R” to run it once:

[Image: Quickly install RSAT]

This will quickly install all the tools you need for your specific version of Windows. Now when I click the start button, I can go to Windows Administrative Tools and start the Active Directory Users and Computers console:

[Image: RSAT Active Directory Consoles]
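
As an added example (not part of the original tutorial or of the linked script): on Windows 10 1809 and later, RSAT is a built-in Feature on Demand, so the Active Directory tools can be installed from an elevated PowerShell prompt without running a downloaded script as administrator. The last command assumes the workstation is joined to the domain.

```powershell
#Requires -RunAsAdministrator
# Added example: install the AD DS RSAT tools from Windows Features on Demand.

# Show every RSAT feature Windows knows about and whether it is installed.
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Select-Object Name, State |
    Sort-Object Name

# The capability that contains Active Directory Users and Computers,
# Active Directory Administrative Center and the ActiveDirectory module.
$adTools = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

$capability = Get-WindowsCapability -Online -Name $adTools
if ($capability.State -ne 'Installed') {
    # Downloads the feature from Windows Update (or the configured update source).
    Add-WindowsCapability -Online -Name $adTools
}

# Confirm the PowerShell module is now available.
Get-Module -ListAvailable -Name ActiveDirectory

# Locate a domain controller for the current domain instead of guessing
# which server holds the AD DS role.
Import-Module ActiveDirectory
Get-ADDomainController -Discover |
    Select-Object HostName, Site, IPv4Address
```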

Organizational Units and Containers

When you first launch Active Directory, you will see a collection of what appears to be folders. These “folders” are comprised of a builtinDomain, Containers and Organizational Units.

[Image: AD Container Types]

In order:

BuiltinDomain

The BuiltinDomain object contains the security groups that are required for your domain to operate. You cannot delete any of these Security Groups as they are all required by the domain.

Containers

Containers are structural objects that are included by default within Active Directory. The most important difference between OUs and containers is that you cannot apply Group Policy Objects (GPOs) to containers. This will make more sense to you when you get to the Group Policy section of this course. You also cannot create a container from the Active Directory Users and Computers console, although you can use ADSI Edit to create containers.

By default, the containers you will immediately see in Active Directory are Computers, ForeignSecurityPrincipals, Managed Service Accounts and Users.

Organizational Units (OUs)

Organizational Units (commonly referred to as OUs) are used to organize and separate objects within Active Directory. The objects could be anything that Active Directory can store, like user accounts, computers, printers, file shares, etc.

If your company had a marketing team, you might create a new OU called “Marketing” and store all your marketing user accounts inside this OU.

So just like it sounds, OUs are used to help you organize your domain within Active Directory. But they are much more important than just having a tidy Active Directory. A lot of times System Administrators will assign specific permissions to OUs. For example, all users inside of the Marketing OU may have a special desktop background, and special permissions to a file share that other users may not have.

This is why it’s important that you insert Active Directory objects into the correct OU, as picking the wrong OU could lead to some users having security privileges they are not supposed to have. This not only applies to user accounts, but to every object that is stored within Active Directory.

Create an Organizational Unit

To create a new Organizational Unit, right-click on the desired location (in my case, ad.serveracademy.com) and select Organizational Unit. I am going to name this “Test OU”.

[Image: Create Organizational Unit]

Notice you have the option of disabling the Protect container from accidental deletion checkbox. For most cases I recommend that you leave this option checked.

Click OK to create the OU. Now you can see that it has been created under the root domain ad.serveracademy.com.

Delete an Organizational Unit

Occasionally you will need to delete an OU, and unfortunately this is not as simple as it sounds. If you right-click on an OU, select Delete and Yes, you will be presented with a message stating “You do not have sufficient privileges to delete [the OU], or this object is protected from accidental deletion”.

[Image: Delete an Organizational Unit in Active Directory]
[Image: Deleting an Organizational Unit]

If you remember, when we created the OU we left the Protect container from accidental deletion checkbox checked. In order to remove the protection, we need to enable the advanced view within Active Directory and turn off the protection in the OU’s properties. Click OK to close the warning message. Select View > Advanced Features.

[Image: Enable Active Directory Advanced Features]

Immediately you will notice that your view will refresh and you will have a lot more items listed under your domain. You can ignore all of this for now, and simply right-click on the Test OU and choose Properties:

[Image: Selecting OU Properties]

Select the Object tab and uncheck the Protect object from accidental deletion checkbox, then click OK.

[Image: Removing OU protection]

Now when we right-click the OU and select Delete we will no longer get the error and the OU has been deleted.

[Image: Deleted Organizational Unit]
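
The same create, protect and delete steps from PowerShell, plus a check for OUs that have lost their deletion protection. This is an added example, not part of the original tutorial; it uses the ActiveDirectory module and the “Test OU” name from the steps above, and reads the domain name from the domain you are logged in to.

```powershell
# Added example: OU lifecycle and a protection audit with the ActiveDirectory module.
Import-Module ActiveDirectory

# Distinguished name of the current domain (ad.serveracademy.com in the lab).
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Test OU,$domainDn"

# Create the OU with the "Protect container from accidental deletion" box ticked.
New-ADOrganizationalUnit -Name 'Test OU' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true

# Audit: list every OU in the domain where that protection is switched off.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Deleting a protected OU fails with an access-denied error, the same
# condition the console reports. Clear the flag first, then remove the OU.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false

# Remove-ADOrganizationalUnit asks for confirmation by default.
# Add -Recursive only if the OU still contains objects you also intend to delete.
Remove-ADOrganizationalUnit -Identity $ouDn
```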

Creating and Managing User Accounts

Creating and managing user accounts within Active Directory is a common task that you will need to fully understand to have a successful career as a Windows Server administrator.

When it comes to creating and managing user accounts you really have two options: the Active Directory Users and Computers console or the PowerShell command line. This tutorial will focus on using the Active Directory GUI.

Create a new AD user

To create a new Active Directory user, right-click your desired location in AD UC (Active Directory Users and Computers), and select New > Users. I’m going to do this inside the Server Academy > Domain Users OUs I created:

[Image: Creating new Active Directory user account]

Now the new user window will appear:

[Image: New User Object window]

You need to type in the desired user account info like the first and last name, full name (which should be auto populated) and the username. I like to use the first.last naming convention, but your place of work will likely differ.

Once you’re done click Next and you will be able to specify the user password as well as deciding the following:

  • User must change password at next logon

Use this when you’re creating a user account and you’re emailing them the password or using the same password for multiple accounts.

  • User cannot change password

You will rarely use this. Possibly useful for service accounts, but again not a common choice.

  • Password never expires

This is a bad security practice – but it can be useful for service accounts if you don’t care about the security issues with using the same password for a very long time (like in a lab environment).

  • Account is disabled

Use this when you are creating the user account for a new hire and they haven’t started the job yet.

[Image: Username and Password Screen]

Now click Next:

[Image: Finish new AD user account creation]

Now inside of Active Directory I can see the new user account:

[Image: New AD User Account]
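
The password options chosen on that screen are stored on the account, so they can be reviewed later across the whole domain. The following audit is an added example, not part of the original tutorial; it uses the ActiveDirectory module and reports enabled accounts that carry any of the three password-related options described above.

```powershell
# Added example: report enabled users with risky or pending password options.
Import-Module ActiveDirectory

$props = 'PasswordNeverExpires', 'CannotChangePassword', 'PasswordLastSet', 'pwdLastSet'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    ForEach-Object {
        $flags = @()

        # "Password never expires" checkbox.
        if ($_.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }

        # "User cannot change password" checkbox.
        if ($_.CannotChangePassword) { $flags += 'CannotChangePassword' }

        # "User must change password at next logon" sets pwdLastSet to 0.
        # An account that stays in this state was handed a temporary
        # password that nobody has replaced yet.
        if ($_.pwdLastSet -eq 0) { $flags += 'MustChangeAtNextLogon' }

        if ($flags.Count -gt 0) {
            # Password age in days; empty when the password must still be changed.
            $age = if ($_.PasswordLastSet) {
                ((Get-Date) - $_.PasswordLastSet).Days
            }

            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Flags           = $flags -join ', '
                PasswordAgeDays = $age
                OU              = ($_.DistinguishedName -split ',', 2)[1]
            }
        }
    } |
    Sort-Object Flags, SamAccountName |
    Format-Table -AutoSize
```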

Resetting User Passwords in Active Directory

To reset a user password, simply right click on the user and select Reset Password as shown in the image below:

[Image: Resetting AD User Password]

If you cannot locate the user account, click the Find objects in Active Directory Services button, type in the name of the user, and change the In dropdown to Entire Directory:

[Image: Search for Active Directory User Accounts]

Once you find your user account you can right-click the user and select Reset Password:

[Image: Reset Password Window]

You can force the user to change their password at the next login. If you enable this option then the user will see this screen the next time they log in:

[Image: The user’s password must be changed before signing in.]

If the user account is locked, you can check the second check box to unlock the account at the same time you reset the user password.

Managing Group Memberships

You can manage a user’s group membership by double-clicking on the user and selecting the Member Of tab:

[Image: Manage User Groups]

You can add or remove groups by clicking either the Add or Remove buttons respectively. You can learn more about the Active Directory groups that are available to you by default by clicking here.

We can open any of the listed Active Directory Groups by double clicking on them. In this example I am going to double-click Domain Users:

[Image: Members of Domain Users Group]

Here you can look at all of the users who are members of the Domain Users Group. You will notice that you can add or remove users from this view as well.

Disabling and Deleting User Accounts in Active Directory

You can disable a user account by right-clicking on the user and selecting Disable Account:

[Image: Disabling Active Directory User Accounts]

The next time the user attempts to log in they will see the following message:

[Image: Your account has been disabled in Active Directory]

Usually you will disable a user account for a period of time (like 90 days) before deleting the user account.

To delete a user account you can simply right-click the user and select Delete:

[Image: Delete an Active Directory User Account]

Once the account has been deleted, it will be gone permanently and can no longer be used.
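
To find the accounts that have reached the end of the disable-then-delete period, the following added example (not part of the original tutorial) lists disabled user accounts that have not been modified for 90 days. It assumes whenChanged is an acceptable stand-in for the date the account was disabled, since Active Directory does not record that date separately.

```powershell
# Added example: find disabled user accounts that are candidates for deletion.
Import-Module ActiveDirectory

# 90-day holding period from the text above.
$cutoff = (Get-Date).AddDays(-90)

$stale = Search-ADAccount -AccountDisabled -UsersOnly |
    Get-ADUser -Properties whenChanged, LastLogonDate, MemberOf, isCriticalSystemObject |
    Where-Object {
        # Skip built-in accounts such as Guest and krbtgt, which are
        # disabled by design and must never be cleaned up.
        -not $_.isCriticalSystemObject -and
        # Assumption: last modification date approximates the disable date.
        $_.whenChanged -lt $cutoff
    }

# Review list: who they are, when they last logged on, and how many
# group memberships are still attached to the disabled account.
$stale |
    Select-Object SamAccountName, whenChanged, LastLogonDate,
        @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } } |
    Sort-Object whenChanged |
    Format-Table -AutoSize

# Dry run: -WhatIf prints what would be deleted without changing anything.
# Remove -WhatIf only after the list above has been reviewed.
$stale | Remove-ADUser -WhatIf
```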

Conclusion

That wraps up this tutorial! Hopefully you enjoyed it. If you are interested in joining our IT training program you can start a free trial by clicking here.
