Active Directory Tutorial for Beginners

What is Active Directory?

Active Directory is a Microsoft technology for identity management in computer networks. It’s a database that contains user and computer accounts as well as their passwords.

When you install the AD DS server role, you will finish the installation by promoting the server to a domain controller. This will install several tools including:

  • Active Directory Administrative Center
  • Active Directory Domains and Trusts
  • Active Directory Module for Windows PowerShell
  • Active Directory Sites and Services
  • Active Directory Users and Computers

In this tutorial we will be focusing on the tool that you will be using the MOST when it comes to Active Directory, which is Active Directory Users and Computers.

If you’re looking for an IT job or just want to freshen up your IT skills then this tutorial is perfect for you!

Get access to our IT labs

In this lesson we will be using ServerAcademy.com’s IT labs which you can connect to through your web browser. We have this exact IT lab (and many more) available which you get access to when you become a member at ServerAcademy.com.

What I recommend is that you sign up for the free trial here so you can use the IT labs with this tutorial.

You can also download and install VirtualBox which will allow you to run Virtual Machines on your home computer. This works when you have a powerful computer that can run multiple VMs and the time to set them up.

How do I open Active Directory?

Identifying Domain Controllers

To open Active Directory, you will need to identify your Active Directory Domain Controller. Thankfully, you can check whether you’re logged in to a Domain Controller by opening Server Manager and looking on the left-hand side for the AD DS server role.

Image
AD DS Server Role

You will also see “Active Directory Users and Computers” listed under tools:

Image 1
Open the Active Directory Users and Computers console

Remotely Open Active Directory with RSAT (Remote Server Administration Toolset)

It’s possible that you either can’t or don’t want to log directly into the Domain Controller. In this case you can download a tool called RSAT to install the Active Directory consoles on your local computer, and then connect to your Active Directory domain controllers from there.

You can install RSAT by downloading and running this script which appears to be a great way to install RSAT on Windows 10 1809, 1903 and 1909.

I saved the script to my C:\Users\*******\Downloads folder, opened PowerShell as an administrator, and changed (cd) to that directory. Then I called the script and answered “R” to run once:

Image 7
Quickly install RSAT

This will quickly install all the tools you need for your specific version of Windows. Now when I click the start button, I can go to Windows Administrative Tools and start the Active Directory Users and Computers console:

Image 11
RSAT Active Directory Consoles
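
Because the downloaded script runs in an elevated PowerShell session, it is worth inspecting before you answer the run prompt. The following is an added example, not part of the original tutorial or the script it links to; the file name in `$ScriptPath` is a placeholder, since the page does not give it. The last command shows the built-in route for the Active Directory tools, which needs no downloaded script.

```powershell
# Added example. $ScriptPath is a placeholder: the page does not name the script file.
$ScriptPath = Join-Path $env:USERPROFILE 'Downloads\rsat-install-PLACEHOLDER.ps1'
if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

# 1. Hash the file so it can be compared with a value the publisher lists, and
#    so you can tell later whether the copy you reviewed is the copy you ran.
Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256 | Format-List Algorithm, Hash

# 2. Authenticode status. 'NotSigned' means no publisher vouches for the content.
Get-AuthenticodeSignature -FilePath $ScriptPath |
    Format-List Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 3. Mark of the Web: the Zone.Identifier stream a browser attaches to downloads.
#    PowerShell uses it to decide whether to warn about or block the script.
Get-Content -LiteralPath $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue

# 4. The execution policy in effect at each scope.
Get-ExecutionPolicy -List

# 5. Surface the lines that download, execute or reconfigure, then read them in context.
$risky = 'Invoke-WebRequest|Invoke-Expression|\biex\b|Start-Process|DownloadString|' +
         'Set-ItemProperty|New-Service|Add-WindowsCapability'
Select-String -LiteralPath $ScriptPath -Pattern $risky |
    Select-Object LineNumber, Line

# Alternative with no third-party script (run elevated): on Windows 10 1809 and
# later, RSAT ships as Windows capabilities that can be listed and added directly.
Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*' |
    Where-Object State -ne 'Installed' |
    Add-WindowsCapability -Online
```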

Organizational Units and Containers

When you first launch Active Directory, you will see a collection of what appears to be folders. These “folders” are comprised of a builtinDomain, Containers and Organizational Units.

Image 12
AD Container Types

In order:

BuiltinDomain

The BuiltinDomain object contains the security groups that are required for your domain to operate. You cannot delete any of these Security Groups as they are all required by the domain.

Containers

Containers are structural objects that are included by default within Active Directory. The most important difference between OUs and containers is that you cannot apply Group Policy Objects (GPOs) to containers. This will make more sense to you when you get to the Group Policy section of this course. You also cannot create a container from within Active Directory Users and Computers, although you can use ADSI Edit to create containers.

By default, the containers you will immediately see in Active Directory are Computers, ForeignSecurityPrincipals, Managed Service Accounts and Users.

Organizational Units (OUs)

Organizational Units (commonly referred to as OUs) are used to organize and separate objects within Active Directory. The objects could be anything that Active Directory can store, like user accounts, computers, printers, file shares, etc.

If your company had a marketing team, you might create a new OU called “Marketing” and store all your marketing users accounts inside this OU.

So just like it sounds, OUs are used to help you organize your domain within Active Directory. But this matters for much more than having a tidy Active Directory. A lot of times System Administrators will assign specific permissions to OUs. For example, all users inside of the Marketing OU may have a special desktop background, and special permissions to a file share that other users may not have.

This is why it’s important that you insert Active Directory objects into the correct OU, as picking the wrong OU could lead to some users having security privileges they are not supposed to have. This not only applies to user accounts, but to every object that is stored within Active Directory.

Create an Organizational Unit

To create a new Organizational Unit, right-click on the desired location (in my case, ad.serveracademy.com) and select Organizational Unit. I am going to name this “Test OU”.

Image 13
Create Organizational Unit

Notice you have the option of disabling the Protect container from accidental deletion checkbox. For most cases I recommend that you leave this option checked.

Click OK to create the OU. Now you can see that it has been created under the root domain ad.serveracademy.com.

Delete an Organizational Unit

Occasionally you will need to delete an OU, and unfortunately this is not as simple as it sounds. If you right-click on an OU, select Delete and Yes, you will be presented with a message stating “You do not have sufficient privileges to delete [the OU], or this object is protected from accidental deletion”.

Image 21
Delete an Organizational Unit in Active Directory
Image 14
Deleting an Organizational Unit

If you remember, when we created the OU the Protect container from accidental deletion checkbox was checked. To remove the protection, we need to enable the advanced view within Active Directory and turn off the protection in the OU’s properties. Click OK to close the warning message, then select View > Advanced Features.

Image 15
Enable Active Directory Advanced Features

Immediately you will notice that your view will refresh and you will have a lot more items listed under your domain. You can ignore all of this for now, and simply right-click on the Test OU and choose Properties:

Image 16
Selecting OU Properties

Select the Object tab and uncheck the Protect object from accidental deletion checkbox, then click OK.

Image 20
Removing OU protection

Now when we right-click the OU and select Delete we will no longer get the error and the OU has been deleted.

Image 22
Deleted Organizational Unit
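
The same create, protect and delete sequence can be run with the Active Directory Module for Windows PowerShell, which also makes it visible what the protection checkbox does: it places Deny entries on the OU's access control list. This is an added example, not part of the original tutorial; it assumes a lab domain, an account allowed to manage OUs, and the "Test OU" name used above.

```powershell
# Added example: run in a lab domain from an elevated session with the AD module.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # root of the current domain
$OuName   = 'Test OU'                          # name used in the tutorial
$OuDN     = "OU=$OuName,$DomainDN"

# Create the OU with accidental-deletion protection switched on.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# The protection is implemented as Deny entries on the object's ACL.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object AccessControlType -eq 'Deny' |
    Select-Object IdentityReference, ActiveDirectoryRights

# A delete attempt is refused while the protection is in place.
try {
    Remove-ADOrganizationalUnit -Identity $OuDN -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete blocked: $($_.Exception.Message)"
}

# Audit: list every OU in the domain that is NOT protected.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Clear the protection on the test OU only, then delete it.
Set-ADOrganizationalUnit -Identity $OuDN -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $OuDN -Confirm:$false
```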

Creating and Managing User Accounts

Creating and managing user accounts within Active Directory is a common task that you will need to fully understand to have a successful career as a Windows Server administrator.

When it comes to creating and managing user accounts you really have two options: the Active Directory Users and Computers console or the PowerShell command line. This tutorial will focus on using the Active Directory GUI.

Create a new AD user

To create a new Active Directory user, right-click your desired location in ADUC (Active Directory Users and Computers), and select New > User. I’m going to do this inside of the Server Academy > Domain Users OUs I created:

Image 23
Creating new Active Directory user account

Now the new user window will appear:

Image 24
New User Object window

You need to type in the desired user account info like the first and last name, full name (which should be auto populated) and the username. I like to use the first.last naming convention, but your place of work will likely differ.

Once you’re done, click Next. You will then be able to specify the user password and decide on the following options:

  • User must change password at next logon

Use this when you’re creating a user account and you’re emailing them the password or using the same password for multiple accounts.

  • User cannot change password

You will rarely use this. Possibly useful for service accounts, but again not a common choice.

  • Password never expires

This is a bad security practice – but it can be useful for service accounts if you don’t care about the security issues with using the same password for a very long time (like in a lab environment).

  • Account is disabled

Use this when you are creating the user account for a new hire and they haven’t started the job yet.

Image 25
Username and Password Screen

Now click next:

Image 26
Finish new AD user account creation

Now inside of Active Directory I can see the new user account:

Image 27
New AD User Account

Resetting User Passwords in Active Directory

To reset a user password, simply right-click on the user and select Reset Password as shown in the image below:

Image 37
Resetting AD User Password

If you cannot locate the user account, click the Find objects in Active Directory Services button, type in the name of the user, and change the In dropdown to Entire Directory:

Image 38
Search for Active Directory User Accounts

Once you find your user account you can right-click the user and select Reset Password:

Image 39
Reset Password Window

You can force the user to change their password at the next login. If you enable this option then the user will see this screen the next time they log in:

Image 40
The user’s password must be changed before signing in.

If the user account is locked, you can check the second check box to unlock the account at the same time you reset the user password.

Managing Group Memberships

You can manage a user’s group membership by double-clicking on the user and selecting the Member Of tab:

Image 41
Manage User Groups

You can add or remove groups by clicking either the Add or Remove buttons respectively. You can learn more about the Active Directory groups that are available to you by default by clicking here.

We can open any of the listed Active Directory Groups by double clicking on them. In this example I am going to double-click Domain Users:

Image 43
Members of Domain Users Group

Here you can look at all of the users who are members of the Domain Users Group. You will notice that you can also add or remove users from this view as well.

Disabling and Deleting User Accounts in Active Directory

You can disable a user account by right-clicking on the user and selecting Disable Account:

Image 44
Disabling Active Directory User Accounts

The next time the user attempts to log in they will see the following message:

Image 45
Your account has been disabled in Active Directory

Usually you will disable a user account for a period of time (like 90 days) before deleting the user account.

To delete a user account you can simply right-click the user and select Delete:

Image 46
Delete an Active Directory User Account

Once the account has been deleted obviously it will be gone permanently and can no longer be used.
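
The account options chosen at creation time and the disable-then-delete routine described above can be reviewed across the whole domain with the Active Directory Module for Windows PowerShell. This is an added example, not part of the original tutorial; it is read-only, uses the 90-day figure from the text, and treats `whenChanged` as an approximation of the disable date, since any later change to the account also updates it.

```powershell
# Added example: read-only audit of the account options discussed in this tutorial.
Import-Module ActiveDirectory

$RetentionDays = 90                               # example period from the tutorial
$Cutoff        = (Get-Date).AddDays(-$RetentionDays)
# Built-in accounts that are disabled by design and must not be cleaned up.
$BuiltIn       = 'Guest', 'krbtgt', 'DefaultAccount'

# 1. Enabled accounts flagged "Password never expires", oldest password first.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled |
    Get-ADUser -Properties PasswordLastSet |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName

# 2. Accounts flagged "User cannot change password".
Get-ADUser -Filter * -Properties CannotChangePassword |
    Where-Object CannotChangePassword |
    Select-Object SamAccountName, Enabled, DistinguishedName

# 3. Disabled accounts untouched for longer than the retention period:
#    candidates for the delete step, after a human has checked each one.
Search-ADAccount -AccountDisabled -UsersOnly |
    Where-Object { $BuiltIn -notcontains $_.SamAccountName } |
    Get-ADUser -Properties whenChanged |
    Where-Object { $_.whenChanged -lt $Cutoff } |
    Select-Object SamAccountName, whenChanged, DistinguishedName
```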

Conclusion

That wraps up this tutorial! Hopefully you enjoyed it. If you are interested in joining our IT training program you can start a free trial by clicking here.
