Active Directory and Azure Active Directory

Active Directory Directory Services (AD DS) is a role of Windows Server that was first released with Windows Server 2000. AD is the heart of a network and a core service: a hierarchical database of users, groups and other objects that provides authentication, authorization and security services within the organization. Since its inception in Windows Server 2000, AD has evolved tremendously in terms of reliability, architecture, robustness, features, etc., and Microsoft Active Directory has become almost the default product for directory services in enterprises around the globe. Since Windows Server 2000 there have been many AD versions, each with massive improvements in line with the technology of its release period.

With the introduction of cloud computing and Office 365, Microsoft required a cloud-based authentication and authorization service. Hence, Azure Active Directory was born. An Azure Active Directory is included with every Office 365 tenant, and all the Office 365 user objects are created and stored in it. But Azure AD and Active Directory Directory Services are not the same and have many differences, starting with the protocols: AD DS uses Kerberos and NTLM, whereas Azure AD uses SAML 2.0, OAuth 2.0, OpenID Connect and WS-Federation. These protocols enable not only Microsoft cloud applications but also many other SaaS applications to use Azure AD for Single Sign-On, so users truly enjoy one identity to access services across the organization.

As mentioned earlier, when you enroll for a cloud product such as Office 365, Exchange Online, SharePoint Online, etc., a free Azure AD is assigned to the tenant. The free Azure AD has the basic features; if you need additional features, the add-on licenses Azure AD Premium P1 and Premium P2 can be purchased. Below is the list of licenses and their differences (source: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis).

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Office 365, and many popular SaaS apps.

  • Azure Active Directory Premium P1. In addition to the Free and Basic features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

  • Azure Active Directory Premium P2. In addition to the Free, Basic, and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

  • “Pay as you go” feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.

Active Directory: Groups

It’s been a while since I wrote my last post, and before I start my next post I would like to wish everyone a happy new year (I know it’s late)!

Groups in Active Directory are very useful to us administrators. First of all, why do we need groups in Active Directory? If you think about it, it’s just to manage your entire Active Directory environment more easily and to make your life easier.

To see how groups make your life easier, imagine this: you have a network resource to which you need to restrict or grant access for everyone in the Sales Organizational Unit (OU). If you don’t use groups, you add the users one by one to the resource’s Discretionary Access Control List (DACL). Let’s say another sales person is hired; you will have to add him manually to the DACL. Instead, you create a group in your AD, make all the sales users members of that group and assign the permission to that group. That’s more effective, and when a new sales person joins you just make him a member of that group.

So what are these groups we are talking about? Groups are also objects in Active Directory, like user accounts, computer accounts, Organizational Units, etc.; they are similar objects which sometimes carry a Security Identifier (SID) and sometimes do not.

You can create groups in two ways:

  • by using the Active Directory users and computers snap-in
  • by using the DSadd command line tool

To create a group using Active Directory Users and Computers, open the snap-in, right-click inside an Organizational Unit and select New and then Group.

To create a group named “sales” inside the default “users” container under a domain named “cloud.com” using DSadd, run:

  dsadd group cn=sales,cn=users,dc=cloud,dc=com

Either way you select, it works like a charm.

While creating a group you have to consider two main points:

  • Group Type
  • Group Scope

There are two Group Types:

Security Group: You create a Security Group to assign permissions to files and folders. Security is the default selection when you create a new group. A Security Group is a Security Principal and is assigned a Security Identifier (SID). It is this SID that is checked for the access level whenever a user who is a member of the security group tries to access a network resource (using the user’s access token; I will explain this in another post).

Distribution Group: This type of group cannot be called a Security Principal, as it is not assigned a SID; hence a distribution group is used only to send email messages to a group or collection of users. To be more specific, it’s a distribution list that mail servers such as Exchange use to send email to a particular address such as everyone@test.com, which in turn is delivered to every single mail-enabled user in that domain (who is a member of the everyone distribution group). It is not possible to list a Distribution Group in an ACL and assign permissions to it.

This does not mean that a Security Group cannot be mail-enabled.

When you look at Group Scopes:

Local Groups: These are the groups that reside in the Security Accounts Manager (SAM) of a local computer, such as the built-in groups Administrators, Backup Operators, Power Users, etc.

Domain Local Groups: Can be created in a domain environment, and these groups can be used anywhere in the DOMAIN.

Universal Groups: Can be created in a domain environment, and these groups can be used anywhere in the FOREST.

Global Groups: Can be created in a domain environment, and these groups can be used anywhere in the DOMAIN or in TRUSTED DOMAINS.

Well, I hope the above information was useful to you. Do leave your comments.

Installing Active Directory on a Windows Server 2008R2

After my previous post on the introduction and the new features of Active Directory in Windows Server 2008 R2, I thought of posting a step-by-step procedure on how to install Active Directory on Windows Server 2008 R2.

The following post comprises the steps to install the first domain controller of a new forest.

Here we go!

First of all you will have to plan out your IP addressing scheme, domain names, computer names, DNS infrastructure, DHCP scopes, forest name, number of domain controllers, user account naming conventions, site links, group policies, etc. Once you have the above planned out according to your requirements, you can go ahead with the Windows Server 2008 R2 installation on the first server in your forest. The installation of Windows Server 2008 R2 is very simple and straightforward. When the installation is done and you log on to your server, the Initial Configuration Tasks (ICT) window opens automatically for certain configurations of your server.

You can initiate the installation of the Active Directory Domain Services (AD DS) role from the ICT window, or you can start Server Manager and install the AD DS role from there.

From Server Manager click on Add Roles.

On the Add Roles “Before you begin” page click Next (after you read it).

Select the Active Directory Domain Services role.

You will be prompted to install the .NET Framework 3.5.1 features: click Add Required Features and then Next.

This page gives an introduction to Active Directory Domain Services and some points to note; read them and click Next.

Next comes the confirmation and summary page of the role installation. Click Install.

When the role installation finishes, the results page shows a hyperlink that says “Close this wizard and launch DCPROMO.EXE”. Click it and you will be taken through the following DCPROMO screens.

On the DCPROMO welcome screen click Next.

On the Operating System Compatibility screen click Next.

On the Deployment Configuration page select the “Create a new domain in a new forest” option (our initial requirement).

Provide the Fully Qualified Domain Name (FQDN) of the forest root domain; here it is TEST.COM. Click Next.

On the Forest Functional Level page select the appropriate level.

Since there is no DNS server installed, you will be prompted to install the DNS server here.

On that prompt click “Yes and Continue”.

On the Location for Database, Log Files and SYSVOL page either browse and change the paths or leave the defaults, then click Next.

On the Directory Services Restore Mode Administrator Password page assign a password; you will need this password when you start the domain controller in Directory Services Restore Mode.

Review the Summary page and click Next.

The installation starts.

After the installation click Finish and the server reboots.

And that’s about it on how to install Active Directory on a Windows Server 2008R2.
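The same new-forest promotion the wizard walks through above, run unattended from an answer file. This is an added example and not code from the original post; it assumes Windows Server 2008 R2 with the AD DS role already installed, the forest root TEST.COM from the walkthrough, the wizard's default database, log and SYSVOL paths, a chosen answer-file path, and a placeholder DSRM password that you replace before running.

```powershell
# Added example (not from the original post): the "new domain in a new
# forest" promotion performed by the DCPROMO wizard above, run unattended.
# Assumptions: Windows Server 2008 R2, AD DS role already added, forest
# root TEST.COM, default paths, placeholder DSRM password to be replaced.
$answerFile = "C:\dcpromo-newforest.txt"   # path chosen for this example

# [DCINSTALL] keys correspond to the wizard pages in the walkthrough:
#   ReplicaOrNewDomain / NewDomain      -> Deployment Configuration page
#   NewDomainDNSName / DomainNetbiosName -> FQDN of the forest root domain
#   ForestLevel / DomainLevel           -> Forest Functional Level page
#                                          (0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2)
#   InstallDNS                          -> the "Yes and Continue" DNS prompt
#   DatabasePath / LogPath / SYSVOLPath -> Location for Database, Log Files and SYSVOL
#   SafeModeAdminPassword               -> Directory Services Restore Mode password
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=TEST.COM
DomainNetbiosName=TEST
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=REPLACE_WITH_STRONG_DSRM_PASSWORD
RebootOnCompletion=No
"@
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# dcpromo reads the answer file and performs the same steps as the wizard,
# including installing the DNS server on this computer.
dcpromo /unattend:$answerFile

# The answer file held the DSRM password in clear text: remove it as soon
# as dcpromo has run, then reboot (the wizard's final step).
Remove-Item -Path $answerFile -Force
Restart-Computer
```

The DSRM password written here is the one the later post on Directory Services Restore Mode password recovery resets with ntdsutil, so record it somewhere safe rather than leaving it in a script.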

Active Directory in Windows Server 2008

It has been a while since I wrote a post in my blog and this will be my first post for the year 2010.

I was thinking about what I should write about, and suddenly Active Directory came into my head. Most of you who read this particular post will have heard about Active Directory, but what really is this so-called Active Directory? Well, here goes; I will try my level best to explain what an Active Directory is 🙂

Active Directory is a database and is the base of your network. It contains various sorts of objects (such as user accounts, computer accounts and group policies) relating to your infrastructure, and it functions as an authentication server when a user logs on to your Windows network, as all the user accounts are stored in it.

Microsoft Active Directory was first introduced with Windows 2000 Server and has been gaining new features ever since. Previously known as Active Directory Directory Services, it was renamed Active Directory Domain Services (AD DS) in Windows Server 2008.

Active Directory in Windows Server 2008 R2 has some interesting new features in it; to name a few:

  • Active Directory Domain Service is now a restartable service
  • Directory Service Auditing
  • Read Only Domain Controllers (RODC)
  • Active Directory Recycle Bin
  • Powershell Module
  • Offline Domain Join
  • Active Directory Best Practices Analyzer

The above are some of the new features found in the Active Directory that comes with Windows Server 2008 R2.

Well, that’s it for now. Stay tuned, as the next posts will be on how to install Active Directory and explanations of some of the above-mentioned features.

Windows Server 2000/2003 Active Directory Directory Services Restore Mode Password Recovery

Recently, on a Sunday evening, I got a call from one of my friends who has a Windows Server 2003 Active Directory (AD) in his organization. He called me up and said that there was something wrong with his AD and he wanted to restore a recent backup of his AD. The backup he had included the system state backup of his AD.

My friend was asking me how to restore the system state backup of the Active Directory. So I instructed him to restart his Domain Controller in Directory Services Restore Mode by pressing F8 while the server is restarting. Once in Directory Services Restore Mode, enter Administrator as the user name, and the password should be the one you assigned as the Directory Services Restore Mode Administrator password while installing Active Directory.

Unfortunately, he had forgotten the DSRM administrator password, and he called me again asking whether there is any way to reset it 😦 HMMMMM!!!

Well, the following are the steps to reset the Directory Services Restore Mode Administrator account password in case you forget it 🙂

Log in to your Domain Controller with administrative privileges.

  1. Run => ntdsutil
  2. At the ntdsutil prompt, type set dsrm password
  3. At the DSRM prompt, type reset password on server null
  4. Type the new password and confirm it
  5. Type q at the prompts to quit, and exit the command prompt

Now log in using the new password in Directory Services Restore Mode.

Phew…

Creating users and Assigning Folder level permissions on a Windows Server 2003 Domain

After my previous post, which was on how to install Active Directory on Windows Server 2003, I thought that creating user accounts in Active Directory and assigning permissions to folders would be a suitable follow-up.

First, let’s look at how we can create user accounts in a domain (after installing Active Directory):

  • Log in to your domain controller with an administrative privileged account.
  • Click on Start -> All programs -> Administrative tools -> Active Directory Users and computers
  • Expand the domain -> Right-click on the Users container and select New -> Select User
  • You will be prompted with the New Object – User Window
  • Fill in the necessary details and click Next
  • Assign and confirm the password -> click Next
  • On the summary screen verify your details and click Finish.

The user account is created, and you can create any number of users here to meet your requirements.

I have created two user accounts namely, User A and User B. By default when you create a new user account it will be a member of the Users group. You can go into the properties of the user object and make the user a member of any other group if necessary.

Now let’s look at how to assign permissions to a shared folder:

  • Create a folder and share it by right-clicking on the folder and selecting Sharing and Security
  • You will be prompted with the folder properties window, where you will have two options (Do not share this folder, and Share this folder)
  • Select the Share this folder option
  • Click on Permissions and you will be prompted with the Permissions window, which shows who can access this shared folder over the network. By default “Everyone” can access the folder.
  • I am going to make this folder accessible only to User A. To achieve this, I am going to remove all other users’ permissions and add only User A.
  • On the Share Permissions for Folder window click on “Everyone” and click on Remove.
  • After removing the Everyone group from the permissions window, click on Add, add User A and grant him Full Control permission
  • Click Apply and OK.
  • Now click on the Security tab; here you will be able to see the permissions given to each user or group on this folder.
  • Remove all users and groups and then add User A; if you want, you can add the Administrator account so that only User A and the Administrator will have access to the folder and no one else.
  • After you add User A, give User A Full Control permission over his folder and click Apply and OK.

After you perform these tasks, only User A will be able to access the shared folder.

Screenshots attached below 🙂
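The user, share and NTFS steps above, done from PowerShell and following the advice in the "Active Directory: Groups" post: the permission goes to a security group and the users go into the group. This is an added example, not code from the original posts; it assumes Windows Server 2008 or later with the ActiveDirectory (RSAT) module, the domain cloud.com / NetBIOS name CLOUD from the groups post, the users UserA and UserB from this post, and a folder path D:\Shares\Sales chosen for the example.

```powershell
# Added example (not from the original posts): create the users, a "sales"
# security group, and a shared folder whose share and NTFS permissions
# admit only that group plus Administrators.
# Assumptions: Windows Server 2008+ with the ActiveDirectory module,
# domain cloud.com (NetBIOS CLOUD), users UserA/UserB, path D:\Shares\Sales.
Import-Module ActiveDirectory

$usersContainer = "CN=Users,DC=cloud,DC=com"
$folder         = "D:\Shares\Sales"

# 1. Create the two user accounts (the "New Object - User" wizard above).
#    The initial password is prompted for rather than written in the script.
foreach ($name in "UserA", "UserB") {
    New-ADUser -Name $name -SamAccountName $name -Path $usersContainer `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $name") `
        -Enabled $true -ChangePasswordAtLogon $true
}

# 2. Create a global security group (the same object that
#    "dsadd group cn=sales,cn=users,dc=cloud,dc=com" creates) and put
#    UserA in it. Only group members will be able to reach the share.
New-ADGroup -Name "sales" -SamAccountName "sales" -Path $usersContainer `
    -GroupCategory Security -GroupScope Global
Add-ADGroupMember -Identity "sales" -Members "UserA"

# 3. Create the folder and share it. Instead of the default "Everyone"
#    share permission, grant only the group and Administrators.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
net share "Sales=$folder" "/GRANT:CLOUD\sales,FULL" "/GRANT:Administrators,FULL"

# 4. NTFS permissions (the Security tab): stop inheriting from the parent,
#    drop the inherited entries, and grant only the group and Administrators.
#    (OI)(CI) makes the entry apply to files and subfolders created later.
icacls $folder /inheritance:r
icacls $folder /grant "CLOUD\sales:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"

# 5. Verify the result: exactly two principals on the ACL, and UserA
#    (but not UserB) in the group.
icacls $folder
Get-ADGroupMember -Identity "sales" | Select-Object -ExpandProperty SamAccountName

# Giving UserB access later is one line, with no change to the ACLs:
#   Add-ADGroupMember -Identity "sales" -Members "UserB"
```

Compare the `icacls` output before and after step 4: the inherited entries (typically including Users) are what would otherwise let every domain user read the folder despite the share permission.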

How to install Active Directory on a Windows Server 2003

I was thinking of writing something on Windows Server 2008 until a friend of mine called me and asked how to install Active Directory on Windows Server 2003.

Well, before I begin, let’s make a list of what you should have before you start installing Active Directory on a Windows Server 2003 computer.

  • You should have installed Windows Server 2003 or Windows Server 2003 R2 on an NTFS partition, and of course the partition should have enough free space.
  • The computer should be connected to a network
  • You should have an idea about the domain name you are going to assign
  • The Windows Server 2003 CD or media kit

Once you finish installing the Windows Server 2003 operating system on your server (a default installation), configure the computer with the necessary IP settings and assign that computer’s own IP address as its DNS server address, as we will be installing the DNS server on the same computer.

Once you have all these things set up, you can start installing Active Directory to promote the computer to a domain controller.

Installing Active Directory

  • Run -> dcpromo.exe
  • Welcome screen -> Click Next
  • Operating System Compatibility screen -> Click Next
  • Domain Controller Type screen -> Select Domain controller for a new domain (first option) -> Next
  • Type of domain to be created -> Select the first option, Domain in a new forest -> Next
  • New Domain Name -> type the domain name (we will be using DEMO.LOCAL) -> Next
  • NetBIOS Domain Name -> it will have a name by default, or you can type a name (maximum 15 characters); here I will take DEMO as the name -> Next
  • Location for the Active Directory database and log files -> browse and change, or keep the default (here it’s the default) -> Next
  • Shared System Volume location -> browse and change, or keep the default (here it’s the default) -> Next
  • The wizard will try to find a DNS server, display a failure screen (since no DNS is available) and give you three options. Select the second option, Install and configure DNS on this computer (the default) -> Next
  • Permissions screen -> two options (select the second option, which is the default, or select according to your requirement) -> Next
  • Directory Services Restore Mode Administrator Password -> type a password and confirm it -> Next
  • Summary screen -> verify -> Next
  • Active Directory installation starts
  • In the midst of the Active Directory installation the DNS installation will start automatically, and if your server is on a dynamic IP it will prompt you to assign a static IP.
  • And finally, when it’s done, you will get the Finish screen; upon clicking Finish you will have to restart the computer.

Note

Remember, if you have an existing forest with a Windows Server 2000 or 2003 root domain controller and you try to promote a Windows Server 2003 R2 server as a child domain controller, it will give you an error asking you to run the Adprep.exe command-line tool on the parent domain and modify the schema. For more information regarding this error please visit http://support.microsoft.com/kb/917385

The screenshots are below 🙂

Domain Admins vs. Enterprise Admins

Many people have asked me this question: “What is the difference between the Enterprise Admins and the Domain Admins group in an Active Directory environment?” For example, the Enterprise Admins group has complete control of the entire forest (all the domains in the forest), whereas the Domain Admins have access only to their specific domain.

The following table is an extract from TechNet

Group: Domain Admins

Description: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Group: Enterprise Admins (only appears in the forest root domain)

Description: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.

Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Most IT guys misunderstand the roles of these groups and their user rights in a domain environment versus a forest environment. Now I hope you have a pretty clear picture of what members of these two groups can do.
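Because both groups carry the "add users with caution" warning above, the membership is worth checking rather than assuming. The following is an added example, not from the original post: it lists who effectively belongs to Domain Admins and Enterprise Admins, expanding nested groups. It assumes the ActiveDirectory (RSAT) module, that you run it from a domain in the forest, and that your account can read group membership in each domain the members come from; the function name Get-DomainFromDN is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the original post): report the effective members
# of Domain Admins (this domain) and Enterprise Admins (forest root),
# including members reached through nested groups.
# Assumptions: ActiveDirectory module available; rights to read membership
# in every domain that contributes members. Get-DomainFromDN is a helper
# written for this example.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # "CN=Bob,OU=IT,DC=child,DC=corp,DC=com" -> "child.corp.com", so that a
    # member from another domain in the forest is looked up at its own DC.
    param([string]$DistinguishedName)
    $parts = $DistinguishedName -split "," | Where-Object { $_ -like "DC=*" }
    ($parts | ForEach-Object { $_.Substring(3) }) -join "."
}

$forestRoot = (Get-ADForest).RootDomain
$thisDomain = (Get-ADDomain).DNSRoot

# Domain Admins exists in every domain; Enterprise Admins only in the root.
$targets = @(
    @{ Group = "Domain Admins";     Domain = $thisDomain }
    @{ Group = "Enterprise Admins"; Domain = $forestRoot }
)

$report = foreach ($t in $targets) {
    # -Recursive flattens nested groups down to the user/computer objects.
    Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive |
        ForEach-Object {
            $enabled = $null; $lastLogon = $null
            if ($_.objectClass -eq "user") {
                $u = Get-ADUser -Identity $_.distinguishedName `
                        -Server (Get-DomainFromDN $_.distinguishedName) `
                        -Properties LastLogonDate
                $enabled   = $u.Enabled
                $lastLogon = $u.LastLogonDate
            }
            New-Object PSObject -Property @{
                Group     = $t.Group
                Member    = $_.SamAccountName
                Class     = $_.objectClass
                Enabled   = $enabled
                LastLogon = $lastLogon
            }
        }
}

$report | Select-Object Group, Member, Class, Enabled, LastLogon |
    Sort-Object Group, Member | Format-Table -AutoSize

# Read the output against the TechNet descriptions above: apart from the
# built-in Administrator, every row should be a named, current admin.
# Disabled or long-idle users, service accounts and computer objects in
# either group are findings to remove, not to keep "for convenience".
```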