Windows Active Directory, how it works? Users, Permissions, Policies

Captions
Hey everybody, this is Christian, and today I want to go back to the Windows Server from one of my recent videos. Remember, that's what I've installed in a virtual machine and promoted as an Active Directory domain controller in my home lab. Today we will expand on that: I show you some of the incredible things you can do with the Microsoft Active Directory, such as centralized user and group management, how to configure file permissions, or enforce policies that can control particular settings on all your Windows clients in the network. It's really cool and it will give you a much better understanding of how the Active Directory works and what's the whole point of running a Windows Server in your network.

By the way, if you haven't watched the first part of my Windows video where I've installed and configured the Active Directory on this virtual server, I will leave you a link in the description down below so you can check it out. But if you're familiar with the basics, you should be ready to just follow along, because we're going step by step over how to add new Windows PCs to an Active Directory and how to create users and groups and policies. I hope you will enjoy that.

But first a few words about today's sponsor of this video, Teleport, which is a free and open source access proxy you can use to securely access all your IT infrastructure like Linux servers, databases, Kubernetes clusters, web applications and also remote desktop. And the best: it's completely free in the community version, so you can just download and run it in your entire home lab. Or if you would like to use it in your company, Teleport also offers many professional features like auditing, single sign-on and many more, so just reach out to their team. I will leave you a link to their website in the description of this video. And let's now start with this video tutorial.

But before we jump right into the Active Directory functions and create our users and policies, let's first recap and check what you need to have ready in place. So first, you should have a functional Active Directory running on a Windows Server. This can be a virtual machine or a bare metal installation, it doesn't really matter. I'm using the existing one from my last video that I've installed on my Proxmox server as a virtual machine. And second, you also need a Windows PC to connect to your Active Directory, so we can test the centralized user login, the policies and so on. Again, you can also do this in a virtual machine or just run a regular Windows 10 or Windows 11 PC. Just keep one thing in mind: you can only control a Windows PC with Active Directory if it is running the Professional, Enterprise or Education version of Windows. So if you're running Windows Home, I'm sorry, that's not going to work. But to do a short test you can also just download the Enterprise version of Windows 11 as an official evaluation, that's going to work for 90 days. In my case I've just installed another virtual machine on Proxmox besides my Windows domain controller and called it win prod 1, which just runs a regular Windows 11 operating system I've installed in the Professional version. I hope I don't need to walk you step by step through the Windows installation, so I've just skipped it for this video. Just make sure that you have a Windows PC ready somewhere.

What's also pretty important before you can join an Active Directory with this PC is that it has a working network connection and it needs to be able to resolve your Active Directory domain via DNS, otherwise the Windows PC will not find your domain controller in the network. I've already explained this in my last video where I have covered the Active Directory installation on the Windows Server, but just to recap it, there are two possible ways to achieve this. The first is pretty easy: your Windows Server just becomes the primary DNS server in your entire network. You can configure this on your router as a DHCP option, or of course you can configure the DNS server manually in your Windows PC's static IP address configuration. But keep in mind that when you do it this way and set the Windows Server as the primary DNS server, that also means that every DNS query from that client will be sent to it, and if there is a problem with your Windows Server, maybe it's offline or it's doing updates, your clients are not able to connect to the internet anymore, because they are always asking the Windows Server to resolve everything. So the second and, in my opinion, the better way is to just keep your primary DNS server, which is usually your router or firewall, and configure it to only forward specific requests to your Active Directory domain. That's also called conditional forwarding or request routes, depending on what system you're using. With that configuration, your DNS queries for websites will still go to your router, but DNS queries to the Active Directory domain will be going to the domain controller. So it's now depending on your router or DNS server how you're setting this up. On my home lab firewall, the Sophos XG for example, this can be configured very easily: there is a setting in the DNS menu which is called DNS request route, and here I've just added a new one that forwards all the requests to my Active Directory domain ad.cocreative.home to the IP address of the domain controller. By the way, if you're interested in this firewall system, you can protect your entire home lab network with that completely for free. I've already made a video about this Sophos XG firewall, I will also link you that in the description down below, and that's very useful for testing Active Directory authentication or configuring DNS settings like this. But you can use any of these two ways, so configure your domain controller as the primary DNS or just create a forwarding or conditional forwarding to your AD domain. You can test if this is working with a simple nslookup in the terminal of your Windows PC. If you can resolve the name of your domain and you get a response, everything should be ready to go and you should be able to join your Active Directory domain on this PC.

Okay, so that's everything you should have configured before adding a Windows PC to an Active Directory domain. And now we need to join our Active Directory domain to make this Windows 11 PC part of it. To do that, just simply open the computer settings on Windows and go to the System and About section. Here you will find a link that says Domain or workgroup, and just click on Change. This is where you can change the computer's name and make it a member of a domain instead of a usual workgroup. Just enter the domain name of your Active Directory, and when you click on OK it will try to connect to it via DNS. If that is successful, you also need to confirm this with your domain administrator credentials, and then you can see a welcome screen: this PC is now part of your Active Directory. So these are all the steps. The way how you get to the System menu has obviously changed a bit in the recent Windows versions, so Windows 7, 8, 10 or 11 might now have some different ways how you get to this computer name menu, but as you can see this is still the old menu from like Windows XP. Also Microsoft hasn't changed much there, so you should be able to do this on any Windows version, but just the way how you get to this menu might be different. And once we join the Active Directory domain, what do you believe comes now? Yes, a restart of course.

When a Windows PC becomes part of an Active Directory, you can usually see in the login screen, where you select Other user, there is a text under the login prompt that shows we are not signing in with a local user account anymore but instead with the domain account. And AD is, by the way, the NetBIOS name of my Active Directory domain. Just to let you know, you can still log in with your old user account, or to a different domain of course, you just need to type in the NetBIOS name in front of your username: so your local PC name when you want to log in with a local user account, or the other Active Directory name. However, you might want to have this just as a backup method going forward and maybe disable this old user account, because usually we want users in an Active Directory to log in with our Active Directory user, not the local user. Because the domain users, they have by default limited permissions on this PC now, so it can change a couple of personal things like the desktop screen and so on, but you can't install or remove applications for instance; that might be a task only for a system administrator. Though not to say it isn't all configurable, of course, depending on your organization's requirements you can very specifically decide what a user can do on a Windows domain PC and what not. It's much more granular than on a Windows PC that's just part of a workgroup.

And let's now have a closer look at that. Let's create a new user in this Active Directory so that we can use it to log into this Windows PC. I'm switching now to my Windows Server and log in with the domain administrator account, and in the start menu under the Administrative Tools we need to open the Active Directory Users and Computers program. This is where you, just like the name suggests, can manage users, groups and computers. Under Computers you will find this new Windows PC here, for instance the win prod 1 in my example, and you can also inspect details about these objects here, like at a computer object the operating system, the location and so on. By the way, if you're missing the domain controller in here, the WDC prod 1, that's because here are only PCs or servers which are clients in this Active Directory. The controlling servers are in a different section, in the Domain Controllers unit, which you might notice has a special icon, but we will talk about what that means in a few minutes. First let's inspect the Users folder as well, where you can find users but also groups, and here we can just create a new user. I'll just enter some details like my name and a user login name, that's what you need to enter at the login screen of Windows, and give it a strong password. By the way, you can also type in a temporary password in here, because by default Windows requires the user to set up a new password at the first login. That's pretty useful if you want to create users for your employees with an initial password, because you as an admin, you shouldn't actually know the real one. But in a test scenario I'm going to disable this checkbox and also enable the "password does not expire" one, otherwise you would need to change this password after some time and that's a bit annoying, and it's even questionable if this is a secure thing.

I know this is completely off topic, but I would not recommend doing this, at least with the default time frame. I've seen some companies, they try to harden their user accounts by adding a policy that every user needs to reset their password to a different one every month or even every week, because they want to be secure, right? But what do you think will happen? The users tend to write down their password somewhere, maybe on a post-it right under the keyboard, because they can't remember these passwords anymore when they need to change it every week, which is a much bigger problem than just having them choose one password forever. So perhaps just add a policy to let the users update their passwords maybe in two or three years, or just don't do it at all. In my opinion that's much better and much more secure.

Anyway, this is how you add users to an Active Directory, and here is our new user who is ready to log into our Windows PC. We can now switch back to it and log in with these credentials. You can see that this always creates a new and fresh user profile on this PC, because every domain user has a separate profile, just like a local user, with a personal directory to store documents and user settings. This might take a while, and when the PC is ready we are now logged in with our domain user account. You can see the personal home folder with the user's login name, here all the documents and user settings and config are stored. So this centralized login management is one of these core features you can do very easily with an Active Directory. It allows you to remotely create, update or delete users. That's an important topic, because when you are in an organization you need to somehow control who has access to which company resources.

What you can also do is you can configure file permissions for these domain users, and you can also add them to groups to control, based on user and group level, who has access to which files in the company. That works, by the way, on any PC, any server, all devices that have joined this Active Directory. Let me give you a demonstration of that. Let's create a new folder on this PC which I call "shared folder content", and let's assume I have a group of people in my organization, the content creators, who should have access to this folder but no other users, just this one group. How do you do this? Well, first you need to create a new group, so let's switch back to my domain controller. Here, when I inspect my user account, you can see which groups this user is a member of. Usually every new user is a member of the Domain Users group, but you can add as many group memberships as you want. So let's create a new group which I will call content creators, open the properties of this group, and here I can add my user account as a member. And then we can modify the permissions of this shared folder so only that content creators group and all users within that group have access to it. One thing that I sometimes forget: if you are changing the group memberships of a user in the AD, the affected users need to log off and log in again to make these changes active, so the membership in the content creators group is only updated with the next login of my user account.

To change the permissions of files or directories, just select them and open the properties. The NTFS permissions are configured in the Security menu, and as you can see, by default there are four groups that currently have access to this folder: the Authenticated Users, which can modify, execute, read and write, the SYSTEM group, the Administrators group and the Users group. However, if you select these groups you can see that a user, for example, only has read access, not write access. But because our current user and all other domain users are part of both groups, so they are a user of course but also an authenticated user, it always matches the highest privileges. So currently my user and any other domain user has access to this directory and can read, write, change or execute files. But that's not what we want, so let's click on Edit, and I want to add our content creators group in here first, the one that we've just created, and let's give this group full access to this directory, which means all privileges below: read, write, execute, everything. And I also need to remove these other entries here that are matching for other users; they shouldn't have any permissions at all. And this is where you usually get a warning, because some permissions on this directory are inherited from parent folders. In this case the parent folder is the C drive, which all users have access to, and to remove these entries in here we first need to disable the inherited permissions. So let's apply this for now and go to Advanced. Here you can get a more detailed view of the file permissions, and you can also see the inherited entries and where they originate from. And let's disable this inheritance, which will ask you if you want to convert the inherited permissions to explicit permissions, or if we want to remove them completely and start from scratch. Be careful when you're doing this, because sometimes if you miss adding some important permissions that were inherited, for example the SYSTEM group, it could be that some programs will also lose access to this folder, and if you don't pay attention you can also lock out yourself. So that's why it's always safe to convert the inherited permissions and then just remove the entries you don't need, like in my case the groups Users and also Authenticated Users can be removed. So only the content creators group now has full control, the administrators of this PC have access to it, and the SYSTEM account as well. And that's it.

One thing I'm just noticing right now, this is where you need to be accurate and really pay attention: the group Administrators here, for example, you can see this is not the domain administrator group, it is the Administrators group on this PC. And that's an important difference, because if you have a local user account which is not part of the domain but still active and it is an administrator account on this PC, this one has also access to this folder. So you can see it's not always as simple as you might think. Sometimes it takes some time to think through, especially if you have many subfolders where all these folders have different permissions, some are inherited, some are explicit. I've seen pretty confusing setups on customer sites, which can get you in real trouble if you're messing up permissions. So therefore, just as a side note and a quick tip: don't make it too complex, and take a look in the Windows system settings which users are actually part of which groups, because Windows has many default settings, like the domain administrators are also part of the local Administrators group, and so that's what takes some time to figure out. And you should also disable any local user accounts that are not protected with a password, and maybe don't store critical company files on a client PC. Again, this is just a demo setup, but usually in the real world you would store files for a group of users not on a single PC but somewhere out on a storage server or on a NAS that's also joined to the Active Directory, and then you would configure the permissions there. Possibly that's something I could show you in another video, but that would go too far for this one.

Anyway, that's how you use a centralized authentication Active Directory to manage permissions on all your PCs and servers. There's another important concept that you might have already seen in the Active Directory Users and Computers tool if you paid attention, and that's often confused with groups or folders: the organizational units. Remember when I showed you the Domain Controllers, this has a different icon and I said this is a unit. So we can create these organizational units by just adding them in the left menu, and let's create a new one, an organizational unit that's called content creators, and let's move my user account from the usual Users folder to this organizational unit here. This warning message should already tell you this is not a simple folder or something like a group, it's something special, and moving objects between organizational units can have an impact on these objects. Don't worry, I will show you in a minute what that exactly means, but let's first move another user here to this unit, and also a computer or Windows PC, because you can move any type of resources and objects to an organizational unit. Now some people are confused by this concept of user groups and organizational units: when do you use what? Well, I always try to remember it like this: if you are managing file permissions, because you want to give a group of users access to certain files or resources, you should use a group. But if you would like to organize your Active Directory, maybe you have a large company and you need to structure it in different sections like departments or buildings, whatsoever, then use an organizational unit.

The organizational units are also a great way to create and assign group policies, and this is absolutely one of my most favorite features in an Active Directory, because group policies, they are so powerful. They can control nearly all settings on the Windows PCs remotely and specify very explicitly what a user is allowed to configure on a PC, or how specific settings are configured: things like Windows Update settings, energy settings, password policies, screen savers, even packages that should be installed, and that's just a fraction of what you can define in policies. You can create and edit these policies in the Windows Administrative Tools, and then open the Group Policy Management. This will show your current Active Directory forest, and in this forest my domain ad.cocreative.home, and here we have one policy, for example the Default Domain Policy, which is applied to the entire Active Directory and all authenticated users on all PCs. But you can also see the organizational unit content creators we've just created in the Users and Computers tool. So let's create a new policy here for this organizational unit and click on "Create a GPO in this domain, and Link it here". Give it a name, for example let's configure the Windows Update settings here with this policy, and then save it. You can see this policy is now automatically active on all authenticated users within that organizational unit content creators. However, you can also change these settings and add other objects as well in the security filtering, which computers, users or groups it should be applied to, but again, same as for the file permissions, don't make it too complex in here. To edit what this policy is actually doing, make a right click on it and click on Edit. This will launch a new window where you can see nearly all settings of computer configuration or user configuration that you can imagine, and this is really a lot. Yeah, for example let's go in the Administrative Templates for the computer config. Here you can see things like Control Panel, Network, Printers, Start Menu, System. Let's just open the Windows Components here, and you can see another long, long list with all the different subcategories. Let's go to the Windows Update here, and these are all settings for Windows Update we can configure remotely. And let's configure the automatic updates for instance.

So that's what I would always configure on all your Windows PCs in an organization, no matter how big it is: they should do automatic updates, and maybe not just randomly but in a maintenance window on specific dates or times, so that the Windows update doesn't interrupt the work of your users. Because that's what most people hate about the Windows updates: they are when the system restarts exactly when you're working on an important document or whatever. And just like that example, you can configure many of these useful settings for the group policy and just push it automatically to all your Windows PCs. Honestly, I guess that's where a big difference is between a new Windows admin like me, who just knows how it generally works and can show you simple examples, or an expert Windows admin who is actually deep inside these GPOs and knows every single bit and where to find that particular policy that you're looking for. But I guess you get the idea of this, right? The GPOs are a very powerful control mechanism for your entire Active Directory, because it doesn't just configure the default settings, enabling these policies also removes the user's ability to change them manually on their PC. For example, let's enable another one, let's remove the access to the pause updates feature, so that users can't pause updates. That's something I really hate when users are doing this, by the way, so when they delay their PC updates while you as an admin at the same time try to keep them all updated and secure. So that's how you do it. It probably takes a lot of time to go through this, just like I said, there are many, many different policies and settings, but yeah, just have a look. Microsoft has done a great documentation with great explanations directly in this tool what these policies mean and how you configure them.

If you have done all of this, and once you changed a policy on an organizational unit, the affected PCs will pull these settings after some time; it doesn't become immediately active. I don't know the exact timeout value for this, but it can be a few hours, I believe. So if you want to test that, we need to force the update of all the GPOs on a single client with a command. So let's switch back to my PC, open the terminal and type in the command gpupdate /force. You can see this just takes a few seconds, but it updates all the policy settings for this PC and user. And because we have modified the Windows Update settings, let's have a look and let's try to open the settings on this PC, and you can see the setting for the pause updates feature, for example, is now grayed out, the user can't modify it anymore. In some menus you can also see this message here: this setting isn't available due to your organization's policy.

And this is basically how companies are using the Active Directory. It's an amazing product, yeah, to maintain a centralized login and authentication process for all the users in your company, control all the Windows client settings fully remotely, and it's well integrated in Windows, in the NTFS file system. And I guess there are so many more things I could show you about the Active Directory, also some new things that I am currently learning, because I'm just using this in my home lab for testing and stuff. So please tell me, do you like this series so far, and what are the things that you would like to see in an upcoming episode? And if you enjoyed it, don't forget to give this one a thumbs up and subscribe to my channel if you want to see more. And as always, many thanks everybody, a special thanks goes out to my supporters on Patreon, you're always motivating me to make more free content available for everyone, and of course I will catch you in the next episode. Take care everyone, bye bye.
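The NTFS permission steps from the video (break inheritance by converting, remove Users and Authenticated Users, grant the group Full Control), as an added PowerShell example that is not from the video, run from an elevated prompt on the domain-joined PC. It assumes the values the video uses: NetBIOS domain AD, group "content creators" and the folder "shared folder content" on C:\; it ends with the check the video recommends on who is really in the local Administrators group.

```powershell
# Added example (not from the video): NTFS permissions on the shared folder, done the
# same way as in the tutorial but with PowerShell. Run elevated on the domain-joined PC.
# Assumed values, taken from the video: domain "AD", group "content creators",
# folder "shared folder content" on C:\.
$Folder = 'C:\shared folder content'
$Group  = 'AD\content creators'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Step 1: break inheritance from C:\ but CONVERT the inherited entries to explicit
# ones ($true, $true). Passing $false as the second argument removes them instead,
# which can take SYSTEM's access away and lock you out, as the video warns.
# Like "Apply" in the GUI, this has to be written before the entries can be edited.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# Step 2: re-read the now explicit ACL and drop the entries every domain user
# matches through (Users, Authenticated Users). SYSTEM and Administrators stay.
$acl = Get-Acl -Path $Folder
foreach ($name in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}

# Step 3: Full Control for the content creators group, inherited by everything below.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the same view as the Security tab. Expected identities: AD\content creators,
# NT AUTHORITY\SYSTEM and BUILTIN\Administrators, all with IsInherited = False.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize

# The caveat from the video: BUILTIN\Administrators is the LOCAL group, so any enabled
# local administrator account also has access, not only domain administrators. List
# who is in it and which local accounts are still enabled, possibly without a password.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
Get-LocalUser | Where-Object Enabled | Select-Object Name, PasswordRequired, PasswordLastSet
```

Membership changes made on the domain controller only reach this ACL check after the affected user logs off and on again, as the video notes.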
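The domain-controller side of the tutorial (the user, the group, the organizational unit, the Windows Update GPO linked to that unit), as an added example that is not from the video, done with the ActiveDirectory and GroupPolicy PowerShell modules instead of the GUI. It assumes the video's domain ad.cocreative.home, the OU and group name "content creators" and the PC "win prod 1" (its account name WIN-PROD-1 is assumed); the user name is constructed, and the registry values behind the two Windows Update policies are given as my assumption to verify in the GPO editor.

```powershell
# Added example (not from the video): users, groups, OU and GPO from the tutorial,
# scripted with RSAT PowerShell modules. Run as a domain admin on the domain controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=ad,DC=cocreative,DC=home'   # video's domain ad.cocreative.home
$OuName   = 'content creators'
$OuDN     = "OU=$OuName,$DomainDN"

# 1. Organizational unit: for structure and for linking group policies, not for permissions.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# 2. Security group: this is what file permissions are granted to. Global scope, inside the OU.
New-ADGroup -Name $OuName -SamAccountName 'content-creators' -GroupScope Global `
            -GroupCategory Security -Path $OuDN

# 3. User with a temporary password that must be changed at first logon (the Windows
#    default the video mentions). Constructed sample user; no "password never expires".
$TempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for the new user'
New-ADUser -Name 'Jane Example' -SamAccountName 'jexample' `
           -UserPrincipalName 'jexample@ad.cocreative.home' `
           -Path $OuDN -AccountPassword $TempPassword `
           -Enabled $true -ChangePasswordAtLogon $true

# 4. Group membership; it becomes effective for the user at the next logon.
Add-ADGroupMember -Identity 'content-creators' -Members 'jexample'
Get-ADPrincipalGroupMembership -Identity 'jexample' | Select-Object Name

# 5. Move the test PC into the OU so computer policies linked there apply to it
#    (computer account name WIN-PROD-1 is an assumption for the video's "win prod 1").
Get-ADComputer -Identity 'WIN-PROD-1' | Move-ADObject -TargetPath $OuDN

# 6. GPO linked to the OU. Registry values for the two settings from the video are my
#    assumption from the Windows Update policy definitions; verify in the GPO editor:
#    - Configure Automatic Updates: enabled, option 4 = auto download and schedule the
#      install, every Sunday (day 1) at 03:00, i.e. a maintenance window
#    - Remove access to "Pause updates" feature: enabled
$Gpo = New-GPO -Name 'Windows Update settings' -Comment 'Automatic updates in a maintenance window'
New-GPLink -Name $Gpo.DisplayName -Target $OuDN -LinkEnabled Yes | Out-Null

$AuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                    -ValueName 'SetDisablePauseUXAccess' -Type DWord -Value 1 | Out-Null

# 7. Review what the GPO contains before forcing it onto a client with gpupdate /force.
Get-GPOReport -Name $Gpo.DisplayName -ReportType Html -Path "$env:TEMP\windows-update-gpo.html"
```

On the client, `gpupdate /force` followed by `gpresult /r` shows whether the new GPO was applied and from which OU link it came.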
Info
Channel: Christian Lempa
Views: 43,471
Id: ehKkPRR6PmI
Length: 24min 1sec (1441 seconds)
Published: Wed Oct 19 2022