Manage Active Directory Domain Services Users and Groups.

The user account refers to a human being in our organization within our Active Directory domain. We can use graphical tools like Windows Admin Center or Active Directory Users and Computers or Active Directory Administrative Center to create accounts. But in the name of DevOps and automation practices, we should take a look now at using the Active Directory PowerShell module. For example, we use the New‑ADUser cmdlet here to define a new domain user. Now if you look in the docs, I give you links in the exercise files where you can see, or you could just do a Google search for New‑ADUser to visit the official docs page where there's lots of examples. There are some properties that are required. Of course, you're going to need name, data, SamAccountName, or the short name, the AccountPassword. You see the ChangePasswordAtLogon $true is critical because the user is not going to keep their starter password permanently, and we want to make sure that the account is enabled. There's a whole bunch of optional properties that you can add to your New‑ADUser definition. It depends on how granular you want to be at the outset.
Now our individual users who represent our human beings in our organization are all well and good. But when it comes time to giving those folks authorization to domain resources, we're going to organize those users into groups and then put groups into groups, as the case may be. Active Directory has two group types. One is called the security group. This is what we're concerned with in this course. This is about assigning permissions and user rights. Then we have distribution groups. These are used strictly for email, where you can have an email recipient mapped to a user account and an associated email address. Active Directory groups operate on four different scopes. We have the local group that you'll find on standalone workgroup servers and workstations. These groups have visibility only within that local machine. Once you have an Active Directory domain up and your domain controllers are running, there are built‑in domain local groups, and you, of course, can create your own that exist on the domain controllers across the domain and have scope or visibility. You can use them throughout the domain. The main tool for organizing your end users would be the global group, which has forest scope.
I'm going to give you some additional info on that. Specifically, we use the global group to consolidate users who have similar properties. It could be part of geolocation or job role. You can assign permissions to a global group anywhere in your forest. If you're a multi‑domain forest or single domain, it doesn't matter, and also across forest trusts. However, it's important to know that the membership of global groups is limited only to the local domain. Global groups can contain user groups, computer groups, and other global groups from the local domain. Lastly, we have the universal group. This is used chiefly with multi‑domain networks, and there are implications to universal group membership, particularly as you get sprawl of multiple domains, multiple domain trees, and multiple forests that we don't need to get into at this point. But a couple of things, actually, to keep in mind with universal groups is that the membership can be anywhere in the forest, including across forest trusts, and we can assign user rights and permissions anywhere in the forest, similarly to how we can assign them to global groups. Let's sort out the built‑in administrator groups.
The local Administrators group appears on non‑domain servers and workstations, in other words, those that are in a workgroup environment. In an Active Directory Domain Services domain, each domain controller has its own domain local group. Again, these are shared across all DCs. The Domain Admins global group is going to be, again, domain‑specific. This is the easiest way to delegate administrative privileges in your domain. In the forest root domain, you have the Enterprise Admins global group. This is the most critical administrator group in your forest because all of your top‑level privileges require membership in the Enterprise Admins group. The Enterprise Admins group is automatically made a member of the Administrators domain local group in every forest domain across your enterprise. When you're doing very high value operations like extending the Active Directory schema, that's going to require Enterprise Admins. You're working with sites and services and trusts. These require highest privileges. So from a security perspective, you want to control the membership of Enterprise Admins, above all else.
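As an added example that is not part of the course transcript, here is the New‑ADUser call with the required properties discussed above (SamAccountName, AccountPassword, ChangePasswordAtLogon $true, Enabled), followed by placing the new user into a global security group as described in the group scope discussion. The OU path, user, group name and domain are constructed placeholders for a lab domain; the script assumes the ActiveDirectory module and rights to create objects in that OU.

```powershell
# Added example (not from the course): create a domain user with the required
# New-ADUser properties, then add the user to a global security group.
# OU path, names and domain below are placeholders for a lab domain.
Import-Module ActiveDirectory

$ouPath    = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$samName   = 'jdoe'                         # placeholder SamAccountName
$groupName = 'GG-Sales-Users'               # placeholder global group name

# Prompt for the starter password instead of hard-coding it in the script.
$starterPassword = Read-Host -Prompt "Starter password for $samName" -AsSecureString

# Stop early if the account already exists rather than failing half-way through.
if (Get-ADUser -Filter "SamAccountName -eq '$samName'") {
    throw "User '$samName' already exists"
}

# Splatting keeps the required properties readable; ChangePasswordAtLogon forces
# the user to replace the starter password at first logon, Enabled activates it.
$userParams = @{
    Name                  = 'Jane Doe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = $samName
    UserPrincipalName     = "$samName@example.com"
    Path                  = $ouPath
    AccountPassword       = $starterPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true
    ErrorAction           = 'Stop'
}
New-ADUser @userParams

# Global scope: members come from this domain, permissions can be granted
# anywhere in the forest. Create the group only if it is not already there.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
                -GroupScope Global -GroupCategory Security `
                -Path $ouPath -ErrorAction Stop
}
Add-ADGroupMember -Identity $groupName -Members $samName -ErrorAction Stop

# Verify: account enabled, password flagged for change (PasswordExpired is True
# when pwdLastSet is 0), and the new group membership is present.
Get-ADUser -Identity $samName -Properties Enabled, PasswordExpired, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordExpired,
        @{ Name = 'Groups'; Expression = { $_.MemberOf -replace '^CN=([^,]+),.*', '$1' } }
```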