1
00:00:01,040 --> 00:00:02,140
In this demonstration,

2
00:00:02,140 --> 00:00:06,240
I'm going to start by showing you some of the built‑in Active

3
00:00:06,240 --> 00:00:09,810
Directory groups stuff that we talked about earlier.

4
00:00:09,810 --> 00:00:12,840
We'll look at the Delegation of Control Wizard,

5
00:00:12,840 --> 00:00:17,740
CredSSP Delegation, and Microsoft Defender for Identity.

6
00:00:17,740 --> 00:00:21,920
You're looking at a Windows 10 domain-joined workstation I have here,

7
00:00:21,920 --> 00:00:25,440
and let me start by opening up Computer Management,

8
00:00:25,440 --> 00:00:27,830
and just to illustrate what I was talking about is that

9
00:00:27,830 --> 00:00:29,730
once you've domain joined a machine,

10
00:00:29,730 --> 00:00:34,110
and we can verify that join by opening the System Control Panel,

11
00:00:34,110 --> 00:00:40,310
I like to do the file name sysdm.cpl to open the Control Panel item directly.

12
00:00:40,310 --> 00:00:43,070
So we can see the fully qualified domain name for

13
00:00:43,070 --> 00:00:46,940
this machine is client1.timw.info.

14
00:00:46,940 --> 00:00:49,520
So the local built‑in administrators group here,

15
00:00:49,520 --> 00:00:50,230
as you can see,

16
00:00:50,230 --> 00:00:56,140
contains the TIMW Domain Admins global group. That happened automagically.

17
00:00:56,140 --> 00:01:00,480
Now, do I have Active Directory users and computers on this machine?

18
00:01:00,480 --> 00:01:02,250
I typed dsa.msc.

19
00:01:02,250 --> 00:01:05,040
As it turns out, I do.

20
00:01:05,040 --> 00:01:07,610
As a reminder or if you don't know this,

21
00:01:07,610 --> 00:01:13,540
this is new, nowadays with Windows 10, as well as Windows 11,

22
00:01:13,540 --> 00:01:16,800
you can install the Remote Server Administration Tools by

23
00:01:16,800 --> 00:01:20,140
opening up the Optional features here.

24
00:01:20,140 --> 00:01:21,960
And I don't think we can,

25
00:01:21,960 --> 00:01:24,530
can we get to it from the settings or do we have to go

26
00:01:24,530 --> 00:01:26,350
to the old school Control Panel?

27
00:01:26,350 --> 00:01:29,040
I think we can stay in settings, yes.

28
00:01:29,040 --> 00:01:34,530
So we go to Add a feature and you can type rsat and that will filter the

29
00:01:34,530 --> 00:01:37,540
list for all of the Remote Server Administration Tools.

30
00:01:37,540 --> 00:01:39,910
Now I've already installed them as you can see here.

31
00:01:39,910 --> 00:01:40,810
In particular,

32
00:01:40,810 --> 00:01:44,800
I installed the Active Directory tools which gives the

33
00:01:44,800 --> 00:01:47,490
Active Directory Administrative Center,

34
00:01:47,490 --> 00:01:51,250
the Active Directory Users and Computers console as you see here.

35
00:01:51,250 --> 00:01:55,010
Okay, not a separate download anymore, although technically,

36
00:01:55,010 --> 00:01:56,790
the Settings app does download them.

37
00:01:56,790 --> 00:01:59,040
It just automates it for you.

38
00:01:59,040 --> 00:02:01,300
So here we have in Users and Computers.

39
00:02:01,300 --> 00:02:05,140
Again, we've got those built‑in groups like I've mentioned before,

40
00:02:05,140 --> 00:02:07,280
specifically in the built‑in container,

41
00:02:07,280 --> 00:02:12,320
these are our Active Directory domain local built‑in security groups.

42
00:02:12,320 --> 00:02:15,710
There is Administrators, and if we look at the membership of it,

43
00:02:15,710 --> 00:02:20,430
we've got Domain Admins and Enterprise Admins in there by default.

44
00:02:20,430 --> 00:02:22,740
If we go to the Users container,

45
00:02:22,740 --> 00:02:27,540
we have our Enterprise Admins universal group that has only the

46
00:02:27,540 --> 00:02:30,560
forest root domain Administrator account

47
00:02:30,560 --> 00:02:32,910
in it. Notice that I've changed the default name.

48
00:02:32,910 --> 00:02:34,750
I hope that you've already done the same,

49
00:02:34,750 --> 00:02:37,380
that you've renamed the default administrator account.

50
00:02:37,380 --> 00:02:41,840
You can do that across your entire domain by using Group Policy.

51
00:02:41,840 --> 00:02:44,870
Now, in terms of delegated administration,

52
00:02:44,870 --> 00:02:48,610
you've seen thus far about the read‑only domain controller.

53
00:02:48,610 --> 00:02:50,120
Here, I have an RODC1.

54
00:02:50,120 --> 00:02:55,880
Let's assume that this staff organizational unit contains the accounts used,

55
00:02:55,880 --> 00:02:59,140
both computer and user and group accounts,

56
00:02:59,140 --> 00:03:01,540
that are going to be in that remote office.

57
00:03:01,540 --> 00:03:04,630
And so how could we give this Pat user, for example,

58
00:03:04,630 --> 00:03:08,110
the ability to do password resets at the OU level?

59
00:03:08,110 --> 00:03:09,770
Well, that's delegated control,

60
00:03:09,770 --> 00:03:14,240
so let's right‑click Staff and start the Delegate Control Wizard.

61
00:03:14,240 --> 00:03:18,140
Again, this is nothing new in Windows Server 2022.

62
00:03:18,140 --> 00:03:19,730
Selected users and groups.

63
00:03:19,730 --> 00:03:23,130
Well, I have this user named, I already forgot the user's name,

64
00:03:23,130 --> 00:03:25,020
Pat, so let me try that again.

65
00:03:25,020 --> 00:03:30,240
Delegate Control, Next, let's do Add, and look for Pat.

66
00:03:30,240 --> 00:03:34,160
So Pat Colleague is going to be the designated password resetter,

67
00:03:34,160 --> 00:03:37,420
and Microsoft has created a number of common tasks here,

68
00:03:37,420 --> 00:03:41,500
or you can go right down to the schema and determine

69
00:03:41,500 --> 00:03:43,990
individual tasks that you want to delegate.

70
00:03:43,990 --> 00:03:46,040
For something like passwords,

71
00:03:46,040 --> 00:03:50,350
it's easily enough accomplished just by selecting Reset user

72
00:03:50,350 --> 00:03:59,000
passwords and force password change at next logon.
Delegated administration, nice feature of Active Directory.