Alright, in this demonstration, we're going to work with built-in groups, and we'll create a group and show its scope of action in terms of that hierarchy I mentioned a moment ago: global groups, universal groups, domain-local groups, and how that factors into permissions.

So we are on my Windows 11 desktop machine. And I actually want to start by opening the local Computer Management MMC console. And to let you know, hopefully you know this already, but when you domain-join a client box, you'll find that the Users group on that machine is automatically populated with the Domain Users global group in the domain to which this workstation belongs. This is what allows domain users immediately to be able to sign on to any domain-joined workstation by default. Likewise, if we look at this workstation's local Administrators group, we can see that by joining the domain, the domain's Domain Admins group now is in scope. This machine is part of the timw.info forest root domain. That's why it says TIMW\Domain Admins.

But let me bring up Active Directory Users and Computers, and let's take a look here. If we look at the hierarchy, again, I'm on timw.info rootdc1, specifically. Depending upon how you've configured permissions, we can right-click and change to browse to another domain in the hierarchy. In this case, I've got my child.timw.info and my timw.info domains. We see here the built-in Computers and Users containers. Those are good to start you off with, but you're going to want to have organizational units before too long so you can start applying group policies. Notice that your Domain Controllers objects are in an OU out of the box. But in Builtin, we have all our sub-administrative groups and honest-to-goodness administrative groups. Particularly, we have the Administrators domain-local security group that has a default membership, as you can see, of Enterprise Admins and also the Domain Admins. So once again, all of your domain controllers will allow domain admins full privileges on those machines.

Enterprise Admins is, by default, located in the Users container. This, like I had mentioned a few times, is the most important group in your forest. It's a universal security group. And the only account that's going to be in there by default is your original domain administrator from your forest root. And that administrator, in my case, doesn't use the well-known name Administrator for an account name. Mine is Tim instead. That's a good best practice, by the way: rename the built-in administrator so it's not Administrator, because anybody who's leveraging an attack against Active Directory is going to try high-privileged accounts, and you can't get higher than Administrator.

So, I wanted to create an organizational unit here. So let me right-click my domain, come down to New, and let's pretend that we're supporting a data team that will be distributed across our forest. And in our case, remember that we have an acquisition. So we have a bidirectional forest trust with acq.com, and we want all of our data team members to be able to work happily together. So I'm going to call this organizational unit HQ Data Team. And the OU, organizational unit, is simply a container into which user accounts and computer accounts go.

Now to create a user account, I'm going to actually use another tool just to make sure I'm covering all of the different tools to some degree or another. Active Directory Administrative Center never really caught on in my experience the way that Active Directory Users and Computers does. It's going to focus on the local domain here, but if you want to add in references to other domains in the forest, we can go to Manage, Add Navigation Nodes, and I can connect to the child domain and bring in those OUs and containers if I want to. Here we can see our HQ Data Team organizational unit, and I'm going to right-click and create a new user account. Let me stretch this window out so we can see it more. I'm going to populate it, give it an initial pass. Some important points I want you to see here: the User Principal Name is in the format of an SMTP email address, but it's really not. We're going to see in the next lesson that you may have to add an additional UPN suffix when you're doing hybrid identity with Azure AD. The SamAccountName has been that old, old Windows NT format where you have a short 15-character-or-fewer logon name, and then backslash, and then just the NetBIOS portion of the domain. I like UPN, not only because ideally you've structured the UPN to resemble or match the user's SMTP email address, but also because it easily identifies which domain houses that user.

We've got password expiration options over here. Create in: it's giving us the distinguished name syntax that we've got, OU=HQDataTeam,DC=timw,DC=info. That's true. I want to protect this object against accidental deletion, and I'll leave just about everything else at the default. I did populate the email field here, and the job title for Brett is Nashville Data Team Lead. So I've created a new user in the OU. So far, so good.

Well, let's switch back to Users and Computers, and let me refresh my view so we can see Brett. And let's go ahead and build out some groups now. Number one, I'm going to right-click, and in the HQ Data Team OU, I'm going to create a group, and we're going to make it a global security group called Nashville Data Team. And the idea here, again, is that you're aggregating user accounts that are scoped to the domain, and the global group will be accessible across the forest and even across forest trusts. So let's go to Members, and let me look up Brett's identity here. Click OK. So far, so good. Now we can stop there if we want to. We don't necessarily need to create a universal group.

So at this point, we have an OU to contain our relevant team members, we've got an identity for a user, and we also have a Nashville Data Team global group. What if we wanted to create a super group that contains the data teams from all of our domains? Let me do another group, and I'll call this Global Data Team, and make this a universal security group. So this means I can populate this Global Data Team universal group with members, not only from the local domain. First, I'll start with the local domain. Do a search for Nashville, and bring in the Nashville Data Team. And now, in addition to the Nashville Data Team global group, let's add the data team from the child domain, the Memphis Data Team. Let's go to Add. I've already created that group, by the way. So in the selection screen, let's make sure that our Object Types filter includes Groups. Yes, it does. And then for Locations, we're going to search our directory here for child, and we've got Child Data Team. Let's do a search for m, and there we have it, Memphis Data Team. See how that works? So we've organized our site-specific users into global groups.

And now I've created a universal group that I can add to access lists all around the forest and across the forest trusts. You'll use your domain-local groups for permissions. So now what I'll do is I'll create a new group, and this time I'll make a domain-local security group, and I'll call this Data Managers. So presumably, I would give high privilege to anybody on access control lists, maybe for file shares and other assets, and it would just be selected folks. Or actually, let me create one called Data Readers, because that one would presumably be more wide-spectrum. So I've got domain local. And now what I can do, if I want to make the Data Reader security group include as wide a spectrum as possible in terms of our data team, is just simply nest the universal or global group inside. Because I want to reach across domains and potentially even forests, I'm going to add in the universal group right now. I'll do a search in my local directory for global, and there it is. Click OK, and we're good to go.

And just to demonstrate that scope, remember that we have a forest trust going on. Let me go back to our universal group, Global Data Team, and let's say we want to add in the folks in the acq.com domain across the forest trust. I'm imagining they're in Orlando, Florida. We may have global or universal groups defined over there for their data team that want to be data readers, or we want to give them data reader access in our domain environment. So in this domain-local security group, let's go to Members, Add. And if we go to Locations, you see that we can stretch across that forest trust. Remember that resources trust accounts. So in this case, timw.info is the trusting domain, and acq.com is the trusted domain. Let me do a search for Orlando. I didn't find that. Let me think about what that structure is over there. Ah, yes. I called it ACQ Data Team. So let me search the acq directory for acq, and now we can see that in our Data Readers domain-local group, on which I'm going to grant permissions to resources, I'm able to bring in global and universal groups from the local environment and even global or universal groups from across the forest trust, as you can see here.