SAAM
Organizational Units (OU)
Used to group users, computers, and other resources for easier management.
Is a fundamental container within Active Directory (AD) that organizes and holds objects such as user accounts, computers, groups, and other OUs. Acting like a folder within the directory, OUs help administrators logically structure and manage resources in a scalable and hierarchical way.
Management of OUs is restricted to domain administrators or users who have been granted delegated permissions for specific OUs, ensuring controlled and secure administration.
Active Directory
Has two common forms of security principals: user accounts and computer accounts.
These accounts represent a physical entity that is either a person or a computer. A user account also can be used as a dedicated service account for some applications.
Security Groups
Are a way to collect user accounts, computer accounts, and other groups into manageable units.
Two Types of Administrator in Active Directory
Service administrators
Data administrators
Service Administrators
Responsible for maintaining and delivering Active Directory Domain Services (AD DS), including managing domain controllers and configuring AD DS.
Data Administrators
Responsible for maintaining the data that's stored in AD DS and on domain member servers and workstations.
How Active Directory Security Groups Work
Use groups to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps you simplify network maintenance and administration.
Two Types of Groups in Active Directory
Security Groups
Distribution Groups
Security Groups
Used to assign permissions to shared resources.
Assign user rights to a security group - to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person's administrative role in the domain.
Assign permissions to security groups for resources
Distribution Groups
Used to create email distribution lists.
You can use this only to send email to collections of users by using an email application like Exchange Server. Distribution groups aren't security enabled, so you can't include them in DACLs.
Scope: universal, global, or domain local.
Delegation of Control
Means you can assign a range of administrative tasks to different users and groups. You can assign basic administrative tasks to regular users or groups, and leave domain-wide and forest-wide administration to members of the Domain Admins and Enterprise Admins groups.
By delegating administration, you can allow groups within your organization to take more control of their local resources.
You can use the Delegation of Control Wizard to delegate the following tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Modify the membership of a group
Join a computer to a domain
Manage Group Policy links
Generate Resultant Set of Policy (Planning)
Generate Resultant Set of Policy (Logging)
Create, delete, and manage inetOrgPerson accounts
Reset inetOrgPerson passwords and force password change at next sign-in
Read all inetOrgPerson information
Delegation of Control Prerequisites
You must be a member of the Domain Admins group or have been delegated the necessary permissions to perform the tasks you want to delegate.
On the computer where you'll delegate control, you must have the AD DS Remote Server Administration Tools (RSAT) installed.
Steps to Use Delegation of Control Wizard
In Active Directory Users and Computers, select the parent container. For example, select the domain or organizational unit over which you want to delegate control.
On the Action menu, select Delegate control. This action starts the Delegation of Control Wizard.
On the Users or Groups page, select the users or groups to which you're delegating privileges.
On the Tasks to Delegate page, select the task that you want to delegate from the list of common tasks (listed above).
Select Finish to complete the delegation process.
Common Methods in Managing Active Directory Objects
Active Directory Users and Computers (ADUC)
PowerShell
Active Directory Administrative Center (ADAC)
Active Directory Users and Computers (ADUC)
is a Microsoft Management Console (MMC) snap-in that administrators use to manage objects (users, computers, groups, and OUs) in Active Directory.
Capabilities:
Create, delete, and manage users, groups, and computers
Organize objects into OUs
Delegate administrative tasks
Reset passwords and unlock accounts
Example: A system admin creates a new user account for a new employee in the “HR” OU and assigns them to the “HR_Staff” security group using ADUC’s graphical interface.
PowerShell
provides cmdlets for managing Active Directory domains, domain controllers, users, and computers.
Capabilities:
Automates bulk operations (e.g., creating hundreds of users)
Provides scripting and repeatability for administrative tasks
Enables advanced searches and modifications of AD objects
Example: When onboarding 50 new interns, an admin runs a PowerShell script to create all accounts automatically instead of using the GUI.
Active Directory Administrative Center (ADAC)
is an enhanced management console that provides a task-oriented user interface for managing Active Directory, including the AD Recycle Bin and fine-grained password policies.
Capabilities:
Modern GUI with PowerShell history viewer (shows the cmdlets run in the background)
Manage OUs, users, groups, and computers
Recover accidentally deleted objects using the Recycle Bin
Apply fine-grained password policies
Example: An admin uses ADAC to restore a deleted user account from the AD Recycle Bin without needing to re-create it manually.