
The very basics of Active Directory?

TxdoHawk Registered User regular
edited February 2008 in Help / Advice Forum
One thing I've noticed, applying to a lot of entry-level desktop support / IT jobs, is that companies expect even junior-level associates to be able to set up a new user account in Microsoft Active Directory. I worked on a college campus however, where the low-end workers were very restricted in their authority, so I never got my hands dirty with this. A quick Google search revealed the following:
Add an Active Directory User to Windows Server 2003

* Click the <Start> button
* Click the <Control Panel> menu item
* If you are in the Classic View, click "Switch to Category View"
* Double-click the <Performance and Maintenance> icon
* Click the "Administrative Tools" icon
* Click the "Active Directory Users and Computers" icon
* In the left window pane, click "Users"
* Right-click once in the right window pane to bring up a menu
* Click the "New" menu option
* Click the "User" menu option
* Enter the First name for the new account
* Enter the Initials for the new account
* Enter the Last name for the new account
* Edit the Full name for the new account (if necessary)
* Enter a User logon name for the new account
* Enter the domain for the new account or select it from the drop-down list
* Click the <Next> button
* Enter a password for the new account
* Re-enter the same password to confirm
* Choose the appropriate options for the new account:
  o User must change password at next login (Recommended)
  o User cannot change password
  o Password never expires
  o Account is disabled
* Click the <Next> button
* Click the <Finish> button

Which seems pretty easy and understandable. I know the basic concepts of domains, and how most company policies will expect a new or reset account to be flagged with a password of my or the company's choosing + the option to have it immediately changed on next logon, I just want to make sure I am not missing any important information or common twists on the formula that an employer would expect me to know. Anything?


Posts

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2008
    Do you have a spare computer lying around?

    If so, you can download a trial version of Windows Server 2003 and play around with Active Directory to your heart's content.

    As for twists, I'll tell you that companies of any reasonable size are not going to be creating their user accounts in "Users" but in subfolders (called Organizational Units) organized by department, employee level, and/or region.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • TxdoHawk Registered User regular
    edited February 2008
    Feral wrote: »
    Do you have a spare computer lying around?

    If so, you can download a trial version of Windows Server 2003 and play around with Active Directory to your heart's content.

    As for twists, I'll tell you that companies of any reasonable size are not going to be creating their user accounts in "Users" but in subfolders (called Organizational Units) organized by department, employee level, and/or region.

    Thanks for the link, I don't have a spare computer for the moment but I'll look into slapping together a VM. So will the Organizational Units show up as subfolders of Users in the left pane?

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2008
    TxdoHawk wrote: »
    Feral wrote: »
    Do you have a spare computer lying around?

    If so, you can download a trial version of Windows Server 2003 and play around with Active Directory to your heart's content.

    As for twists, I'll tell you that companies of any reasonable size are not going to be creating their user accounts in "Users" but in subfolders (called Organizational Units) organized by department, employee level, and/or region.

    Thanks for the link, I don't have a spare computer for the moment but I'll look into slapping together a VM. So will the Organizational Units show up as subfolders of Users in the left pane?

    They don't necessarily have to be subfolders of Users, but yeah, they show up on the left. It looks like a file directory structure with the organizational units as subfolders of Users, root subfolders, or any other organizational tree you can imagine.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2008
    One example might be:
    company.local
    - North America
    - US
    - West
    - California
    - San Francisco
    - Users
    - Computers
    - Workstations
    - Servers
    - Kiosks
    - Los Angeles
    - Users
    - Computers
    - Workstations
    - Servers
    - Kiosks

    ... etc. repeat for every combination of continent, country, state, and city the company has an office in.

    OR!
    company.local
    - Marketing and Sales
    - Advertising
    - Executives
    - Directors
    - Managers
    - Agents
    - Sales
    - Executives
    - Directors
    - Managers
    - Representatives
    - Research and Development

    etc... repeat for every department and level.

    I'm making these up off the top of my head based on stuff I've seen, but I think you're getting the general gist of it.

    You might want to read up on stuff like account security policies, password strength policies, password expiration, etc.

    Edit: I forgot that BBCode takes out extra spaces. Hmmm. Okay, well, that's supposed to look like an outline signifying subfolders. Use your imagination. ;)

  • amateurhour One day I'll be professionalhour The woods somewhere in Tennessee Registered User regular
    edited February 2008
    Yeah, the directions you got were pretty on the money, but I would set up a VM asap and get some serious practice. Once you do this, set up a few different subgroups within your "company" and practice assigning the computer to the user, and practice implementing group policy. Make seven or eight user accounts (user1, user2, etc) and set each one to have different permissions on the network by using "member of" settings.

    You can print off this setup through an infrastructure model, display it in chart or form, and use it on your resume.

    are YOU on the beer list?
  • embrik Registered User regular
    edited February 2008
    Yeah, get that VM going. Once you get into AD Users and Computers, you'll be able to create users quickly, learn to copy existing users, etc. Pull up properties on a user and ask us questions about any/all of the tabs (there are a lot, and there's a bunch of really handy things you can do with accounts).
    If you really want to impress folks, and you can add a workstation to your domain, start working with Group Policy, which is really important stuff to learn.

    (AD & Group Policy Management are things I really enjoy working with, so if you want help, just ask)

    "Damn you and your Daily Doubles, you brigand!"

    I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
  • HadjiQuest Registered User regular
    edited February 2008
    I took the lowest level class for the first MCSA/MCSE test a year ago, and then started studying for the exams.

    My parents made me get a job, and I haven't studied at all since September. I'm completely fucked; I've forgotten all of it.

  • Djeet Registered User regular
    edited February 2008
    When creating user accounts on an AD domain, if Exchange is integrated then during user creation, "Create an Exchange Mailbox" will already be checked (this dialog comes up after the screen where you specify a password). But the mailbox isn't really created until a message is sent to it. So include sending a test email to the user in your user-creation procedure.

    It's picking nits but: I think you can only create OUs (Organizational Units) within root, or inside another OU.

  • HadjiQuest Registered User regular
    edited February 2008
    How would I get back into this?

    I'd need to set up a PC with Server 2003 and then create a domain with that and this PC, correct?

    Sounds like a summer project for when I quit my job and get back on track.

  • chamberlain Registered User regular
    edited February 2008
    Once you get into it, AD is much, much less complicated than DHCP, which is in turn much less complicated than DNS (in my opinion).

    Creating different OU's for different group policies should be enough to show you know where to start. But remember, the only password policy that matters is the local password policy of the domain controller. Found that one out the hard way...

  • embrik Registered User regular
    edited February 2008
    HadjiQuest wrote: »
    How would I get back into this?

    I'd need to set up a PC with Server 2003 and then create a domain with that and this PC, correct?

    Sounds like a summer project for when I quit my job and get back on track.

    Set up the Server 2003 box, run dcpromo on it to promote it to a Domain Controller. Then you can add workstations to the new domain.

  • Erandus Registered User regular
    edited February 2008
    A lot of companies may also not simply "create new" user accounts. A solid practice many people use is to have "template" accounts that have basic security rights and restrictions set for several different levels, departments, etc, and are set inactive to keep anyone from logging in with them.

    Instead of creating a new user from scratch, you can simply copy the existing user "template" account, and rename it. Then you don't miss any settings you might forget to configure during setup of an entirely new account.

    You'll want to get comfortable with copying user accounts, as well as making sure you know how to move them between OU's as well as change their security group membership.

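The template-account practice described in the post above, combined with the OU placement and "must change password at next login" option from earlier in the thread, sketched as a script. This is an added example, not part of any post; it assumes the ActiveDirectory PowerShell module (RSAT, which is newer than the Server 2003 tooling discussed here), and the domain, OU path, template name and user details are all hypothetical.

```powershell
# Added example: provision a user by copying a disabled template account.
# Assumes the ActiveDirectory module (RSAT) and a lab domain. Every name
# below (company.local, the OU path, tmpl-sales-rep, jdoe) is hypothetical.
Import-Module ActiveDirectory

$templateSam = 'tmpl-sales-rep'
$targetOU    = 'OU=Representatives,OU=Sales,OU=Marketing and Sales,DC=company,DC=local'
$newSam      = 'jdoe'

# MemberOf lists the template's direct groups (the primary group is not included).
$template = Get-ADUser -Identity $templateSam -Properties MemberOf, Department, Title

# Guard: a template that can log on is a standing shared credential.
if ($template.Enabled) {
    throw "Template account '$templateSam' is enabled; disable it before using it."
}

# Guard: never hand out privileged groups through a copy.
# Checks direct membership only; nested groups need a separate review.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$groups = @($template.MemberOf | Get-ADGroup)
$risky  = @($groups | Where-Object { $privileged -contains $_.Name })
if ($risky.Count -gt 0) {
    throw "Template is in privileged group(s): $($risky.Name -join ', ')"
}

# Prompt for the initial password so it never lands in the script or history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $newSam"

# Create the account directly in the target OU, not the default Users container,
# and force a password change at first logon.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $newSam -UserPrincipalName "$newSam@company.local" `
    -Department $template.Department -Title $template.Title `
    -Path $targetOU -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Copy the template's group memberships to the new account.
foreach ($group in $groups) {
    Add-ADGroupMember -Identity $group -Members $newSam
}
```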
  • Mustang Arbiter of Unpopular Opinions Registered User regular
    edited February 2008
    I do this stuff for a living and have done for near on 8 years and to be perfectly honest any half baked Help Desk jockey could learn how to create a new user in AD in minutes, so I wouldn't stress about it.

    However if you must know the steps.

    1. Open AD in Control Panel/Admin Tools
    2. Right click on the Organisational Unit where the users are stored New->User
    3. Fill in the details, you'll need to know the company domain name and user naming convention.
    4. Click Next
    5. Add password and edit password properties according to company policy
    6. Click Next and Finish

    That's it for user creation, of course there are other steps for adding them to groups and login scripts and the like, but it's all pretty easy stuff and you'll pick it up without too much brain strain. Honestly AD is a piece of piss.
