Welcome to the final part of our three part series on Understanding Active Directory in Windows Server 2012 R2.
I gave you the theory behind Active Directory in my first post.
In the second post, I showed you step-by-step how to set up Active Directory in Windows Server 2012 R2.
In this post, you’re going to learn:
- How to create an Organizational Unit (OU)
- How to create your first User
- How to join a Windows 8.1 Pro workstation to your new Active Directory Domain.
Let’s go! You’re becoming an Active Directory maestro.
Creating an Organizational Unit
Alright now let’s have some fun. Crank up Spotify, throw on some DeadMau5 and jam out. We’re about to create our OUs.
Go back to the Server Manager and click AD DS in the left pane.
Right-clicky the server name in the right pane and choose Active Directory Users and Computers.
We’re going to create two Organizational Units (OUs). We’ll set one up for your New York office and the other for the Atlanta branch. Then we’ll add our new hire, Elmo Street, to one of them.
Right-click our domain name in the left pane, mouse over New and select Organizational Unit from the flyout menu.
Name it New York. Then create your other OU and name it Atlanta.
Incidentally, did you notice the little checkbox that says Protect container from accidental deletion?
This is on by default and I’m so glad it is!
As we populate our Active Directory database with additional objects, we’ll eventually reach a day when we want to clean things up. Since accidental deletion protection is on, Active Directory will refuse to delete the OU, even for an administrator. You’ll have to clear that checkbox in the OU’s properties first before trying to remove it.
Microsoft is protecting us from ourselves. Thanks Microsoft!
Great.
Adding a User to the OU
Now that we have our Organizational Units, let’s create our user.
I created an OU named “Production” inside the New York OU because our new user is the EVP of Production for our company. It makes sense to place him here.
Right-click the OU, go to New and choose User.
Fill out the user information and click Next.
It’s pretty standard to set the user logon name to first initial plus last name, so I’m following that convention here.
After we join his Windows 8.1 PC to the domain, he’ll press Ctrl + Alt + Del and log in as SMOCKSOCKS\estreet.
Now we can create a password for the user and a few other things.
Your user is going to need a password to access the domain, but you can’t just type any old password. Windows Server 2012 enforces password complexity requirements by default to make sure the password isn’t too easy to guess.
I like to use “Password-123”, but then I put a check in User must change password at next logon.
This is pretty important – don’t skip this step. Microsoft is trying to give you plausible deniability in the event that Elmo commits unscrupulous acts on your network and then tries to blame you for his illicit actions. Requiring the user to reset his password forces the password responsibility on the user. That’s where you want it. Don’t shoulder that burden my friend.
Alright, cool, so what about these other options?
- User cannot change password
- Password never expires
Here’s a secret: I never use these for User accounts. In fact, they weren’t designed for people. Users can also be system services! And that’s what these are for.
Every system service needs an associated account. By stopping those accounts from changing their own passwords you add a little protection against any malware that might try to hijack a service. You’re saying the service account user cannot change its password.
Similarly, the Password never expires option is also perfect for service accounts because you don’t want a service account to stop working after 30 days because its password expired! I wish Microsoft included a little parenthetical mark next to these two options that said “Ideal for Service Accounts”. That would alleviate some confusion.
Finally, the last option, Account is disabled, is good for new hires that haven’t officially started with the company yet. You can leave the account disabled until they start, or disable it when you fire them for watching Gangnam Style on YouTube.
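The OU and user steps above, done from PowerShell on the domain controller instead of the Active Directory Users and Computers GUI. This is an added example, not code from the original post; it assumes the ActiveDirectory module that ships with AD DS, derives the domain’s distinguished name from Get-ADDomain rather than hard-coding it (the post only gives the NetBIOS name SMOCKSOCKS), and uses “svc-backup” and “Future Hire” as illustrative names for the service-account and not-yet-started-hire cases.

```powershell
# Added example (not from the original post). Run on the domain controller.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName   # derived at run time, not hard-coded
$dnsRoot  = $domain.DNSRoot             # used as the UPN suffix below

# 1. Organizational Units. ProtectedFromAccidentalDeletion is the checkbox the
#    post mentions; the cmdlet already defaults it to $true, stated here explicitly.
foreach ($ou in 'New York', 'Atlanta') {
    New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
$nyOU = "OU=New York,$domainDN"
New-ADOrganizationalUnit -Name 'Production' -Path $nyOU -ProtectedFromAccidentalDeletion $true
$prodOU = "OU=Production,$nyOU"

# What the protection buys you: a delete is refused until the flag is cleared.
try {
    Remove-ADOrganizationalUnit -Identity "OU=Atlanta,$domainDN" -Confirm:$false -ErrorAction Stop
} catch {
    Write-Host "Delete refused as expected: $($_.Exception.Message)"
}
# To really remove an OU, clear the flag first, then delete (left commented on purpose):
# Set-ADOrganizationalUnit -Identity "OU=Atlanta,$domainDN" -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity "OU=Atlanta,$domainDN" -Confirm:$false

# 2. The new hire. Logon name is first initial + last name (estreet). The initial
#    password is read interactively instead of being typed into the script, and
#    ChangePasswordAtLogon makes him replace it at his first sign-in.
$initialPassword = Read-Host -AsSecureString 'Initial password for estreet'
New-ADUser -Name 'Elmo Street' -GivenName 'Elmo' -Surname 'Street' `
           -SamAccountName 'estreet' -UserPrincipalName "estreet@$dnsRoot" `
           -Path $prodOU -AccountPassword $initialPassword `
           -ChangePasswordAtLogon $true -Enabled $true `
           -Description 'EVP of Production'

# 3. A service account is where the other two options belong: the password never
#    expires and the account cannot change it itself. Name is illustrative.
$svcPassword = Read-Host -AsSecureString 'Password for svc-backup'
New-ADUser -Name 'svc-backup' -SamAccountName 'svc-backup' `
           -UserPrincipalName "svc-backup@$dnsRoot" -Path $prodOU `
           -AccountPassword $svcPassword -Enabled $true `
           -PasswordNeverExpires $true -CannotChangePassword $true `
           -Description 'Service account: password managed by IT, not by the service'

# 4. A hire who has not started yet: create the account disabled, enable it on day one.
New-ADUser -Name 'Future Hire' -SamAccountName 'fhire' -Path $prodOU -Enabled $false
# Set-ADUser -Identity 'fhire' -Enabled $true   # when they start

# Verify that each flag landed on the account it was meant for.
Get-ADUser -SearchBase $prodOU -Filter * `
           -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword |
    Format-Table -AutoSize
```

The final Get-ADUser listing is the check worth keeping: estreet should show PasswordNeverExpires and CannotChangePassword both False, svc-backup both True, and fhire Enabled False. Note that ChangePasswordAtLogon and PasswordNeverExpires cannot both be set on the same account, which is one more reason the two pairs of options belong to different kinds of user.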
Joining a PC to the Domain
Alright, we have our Active Directory Domain Controller setup and we have our test user ready to go.
Let’s join our Windows 8.1 Pro machine to the domain.
Log in to the end user’s workstation as the local administrator.
Press the Windows Key + X, choose System from the context menu and click Change Settings in the bottom right corner of the System dialog window.
In the Member of section at the bottom of the Computer Name/Domain Changes dialog box, select the Domain radio button and enter your domain name:
SMOCKSOCKS
After a few moments you should be prompted to enter your domain administrator credentials, and then Microsoft will cordially welcome you to your new domain.
Reboot and sign in with your new account to make sure it works.
Notice how it says Sign in to: SMOCKSOCKS under the password box. You can also click the little “eyecon” in the right corner of the password box to peek at your password behind the dots.
And that’s it.
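The same join done from an elevated PowerShell session on the Windows 8.1 Pro workstation, followed by the checks that confirm it actually worked. This is an added example, not code from the original post; the only value taken from the post is the NetBIOS domain name SMOCKSOCKS, and the account name offered in the credential prompt is just a default you can overtype.

```powershell
# Added example (not from the original post). Part 1 runs while signed in as the
# local administrator; part 2 runs after the reboot, in an elevated session.

# ---- Part 1: the join ------------------------------------------------------
# You are prompted for a domain account allowed to join computers, exactly as
# the Computer Name/Domain Changes dialog prompts you. -Restart does the reboot.
$joinCred = Get-Credential -Message 'Domain account allowed to join computers' `
                           -UserName 'SMOCKSOCKS\Administrator'
Add-Computer -DomainName 'SMOCKSOCKS' -Credential $joinCred -Force -Restart

# ---- Part 2: after the reboot, signed in as SMOCKSOCKS\estreet --------------
# Is the machine a domain member, and does its secure channel to a domain
# controller work? Test-ComputerSecureChannel returns $true when it does.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"PartOfDomain      : $($cs.PartOfDomain)"      # expect True
"Domain            : $($cs.Domain)"            # the domain's DNS name
"Secure channel OK : $(Test-ComputerSecureChannel)"

# Is this session a domain logon rather than a local one?
whoami /upn                              # estreet@<domain DNS name>
"Logon server      : $env:LOGONSERVER"   # should name your domain controller
```

The credential you supply to Add-Computer does not have to be the domain administrator: any account that has been delegated the right to create computer objects in the target OU can join machines, which is the better habit once the lab turns into a real network.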
Now you have a fully managed Windows 8.1 Pro machine joined to a Windows Server 2012 R2 domain controller. You can push group policies, establish permissions and really have a lot of fun. I may publish tutorials about how to do that later, but for now I just hope you can see how easy it is to set up Active Directory in Windows Server 2012.
Bottom Line
In the first guide of this three part series on Active Directory, I showed you the advantages of using Active Directory. You learned that the biggest advantage is the removal of duplicate accounts and passwords on your network.
You also learned about how Active Directory is structured. We touched on Domains, Trees and Forests. We also very quickly talked about Federations and Trusts.
Finally, we wrapped up the first part with the User, Group and Computer objects. And I explained what Site and Site Link objects are used for.
In part two, we leaped over the theory and got our hands dirty installing Active Directory in Windows Server 2012 R2. You learned how to add the Active Directory Domain Service option, how to promote our server to a domain controller and when to enable specific features.
In the last part of the series, we wrapped up by creating organizational units, our first user and then joining our Windows 8.1 Pro machine to our domain.
I sincerely hope you enjoyed this series. Please leave a comment if you have questions or suggestions.