The main point of Active Directory is to make managing large numbers of users and computers much easier. If you had 5,000 computers and users in a company, having a local account on every single computer for each user simply wouldn’t be manageable. If someone joined or left the company, or got a promotion/demotion and needed different permissions/restrictions, it would be infeasible to go to every single computer and make the necessary changes. Active Directory solves this by keeping a central database of users and computers and letting you manage them through Groups and Organizational Units.
In this article I’ll cover creating User Accounts, adding Computers to the domain and managing both with Groups.
Creating User Accounts
To begin with, open Server Manager, go to Tools in the top right and open Active Directory Users and Computers. Expand your domain name and there will be a folder called Users. Right-click on Users and go to New > User.
In the window that comes up, fill out the details as needed and click Next.
Finally, fill in a password. If you’re in a lab environment for learning, you may want to uncheck User must change password at next logon. In a real environment, however, you’ll generally never want to know anyone’s password. In that case, you’ll enter a temporary password and they can change it when they log on.
Click Finish and you’ll have a new user created.
Adding Computers to the Domain
To add a computer to the domain you’ll need to be on the client computer (not the server). If you’re on a physical machine, press the Windows Key + Pause/Break to open System Properties. In a VM, go to Control Panel > View by Small Icons > System. Under Computer name, domain and workgroup settings, click Change settings.
Click on Network ID….
The Join a Domain or Workgroup window will pop up and we can start adding the computer to the domain.
After these two pages, make sure you have your Administrator Password for your Windows Server and click Next.
Enter the administrator details for your Server and the Domain name here.
Pick a name for the computer and enter your domain name again.
Now we need an account with permission to add computers to the Domain Controller. We can use the administrator account for this again. After this, click Finish, OK and Restart Now. Upon rebooting you’ll be able to click Other user and log on with a domain account.
Creating Groups and Adding Users/Computers
Often you’ll have large groups of users who need exactly the same permissions; in that case you’ll use groups to manage them. In fact, it’s best practice even if you only have 1 user in a role to place them in a group and manage permissions through the group. As the company scales, more people will often join them and want access to the same resources.
You can also place groups into other groups, and computers into groups. If you have a more accessible area with computers located there, you may not want those computers to have access to shares with sensitive data, even if someone logs in who would normally have access.
Let’s get to creating our first group. Bring up the Active Directory Users and Computers MMC. Under the domain, right-click on Users and go to New > Group.
Name your group and leave the bottom options on the default settings. Click OK and your group will be made.
Adding Users or Computers to the Group
Groups wouldn’t be very useful on their own, now would they? Let’s add a user and a computer to the group just to get the concept down.
Right-click the group you just created and go to Properties.
Go to the Members tab and click Add….
Type the name of the user you want to add into this box and click Check Names, then OK. You can add other groups in exactly the same way; however, if you want to add a computer you’ll have to go into Object Types… and tick the Computers box first.
That’s it. As always, playing with users and groups will be the best way to learn.
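The same user, group and membership steps can be scripted, which is what makes thousands of accounts manageable in practice. The following is an added PowerShell example, not part of the original walkthrough. It assumes the ActiveDirectory module (RSAT) is installed and that it runs under an account allowed to create objects; the group Lab-Finance, the computer LAB-PC01 and the two sample users are made-up placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and rights to create objects.
Import-Module ActiveDirectory

# Constructed sample data: the users, group and computer names are placeholders.
$people = @'
GivenName,Surname,SamAccountName
Alice,Example,aexample
Bob,Sample,bsample
'@ | ConvertFrom-Csv
$groupName    = 'Lab-Finance'
$computerName = 'LAB-PC01'    # must already be joined to the domain
$domain       = Get-ADDomain
$container    = $domain.UsersContainer    # the default "Users" folder

function New-TempPassword {
    # 16 random characters; retry until lower, upper and digit are all present
    $chars = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 16
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    $pw
}

# New > Group with the default options: Global scope, Security type
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -Path $container `
        -GroupScope Global -GroupCategory Security
}

foreach ($p in $people) {
    $temp = New-TempPassword
    # New > User with "User must change password at next logon" left ticked
    New-ADUser -Name "$($p.GivenName) $($p.Surname)" -GivenName $p.GivenName `
        -Surname $p.Surname -SamAccountName $p.SamAccountName `
        -UserPrincipalName "$($p.SamAccountName)@$($domain.DNSRoot)" -Path $container `
        -AccountPassword (ConvertTo-SecureString $temp -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $groupName -Members $p.SamAccountName
    # Hand the one-time password to the user out of band; do not store it
    [pscustomobject]@{ User = $p.SamAccountName; TempPassword = $temp }
}

# Computers are members too; the GUI needs Object Types > Computers ticked first
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $computerName)
```

Each account gets its own random temporary password with the change-at-logon flag set, so the administrator never knows the password the user ends up with.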