Understanding Active Directory in Windows Server 2012 R2 (Part 3 of 3)

Welcome to the final part of our three part series on Understanding Active Directory in Windows Server 2012 R2.

I gave you the theory behind Active Directory in my first post.

In the second post, I showed you step-by-step how to set up Active Directory in Windows Server 2012 R2.

In this post, you’re going to learn:

  • How to create an Organizational Unit (OU)
  • How to create your first User
  • How to join a Windows 8.1 Pro workstation to your new Active Directory Domain.

Let’s go!  You’re becoming an Active Directory maestro.

Creating an Organizational Unit

Alright, now let’s have some fun.  Crank up Spotify, throw on some DeadMau5 and jam out.  We’re about to create our OUs.

Go back to the Server Manager and click AD DS in the left pane.

Right-click the server name in the right pane and choose Active Directory Users and Computers.

Opening Active Directory Users and Computers in Windows Server 2012

We’re going to create two Organizational Units (OUs).  We’ll set one up for your New York office and the other for the Atlanta branch.  Then we’ll add our new hire, Elmo Street, to one of them.

Right-click our domain name in the left pane, mouse over New and select Organizational Unit from the flyout menu.

Creating an Organizational Unit in Windows Server 2012

Name it New York.  Then create your other OU and name it Atlanta.

Creating the Organizational Unit

Incidentally, did you notice the little checkbox that says Protect container from accidental deletion?

This is on by default and I’m so glad it is!

As we populate our Active Directory database with additional objects, we’ll eventually reach a day when we want to clean things up.  Since accidental deletion protection is on, Active Directory will refuse to delete the OU.  You’ll have to clear that setting in the OU’s properties before you can remove it.

Microsoft is protecting us from ourselves.  Thanks Microsoft!

Great.
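The same OU work, as an added example in PowerShell rather than code from the original post: it uses the ActiveDirectory module that the AD DS role installs on the domain controller to create the two site OUs plus the Production sub-OU, checks the deletion-protection flag the post talks about, and shows the two commands you would need to remove a protected OU. The domain DN is read from the domain with Get-ADDomain rather than assumed.

```powershell
# Added example, not from the original post. Run on the DC where the AD DS role
# (and with it the ActiveDirectory module) is installed.
Import-Module ActiveDirectory

# Read the domain's distinguished name (e.g. DC=smocksocks,DC=local) instead of
# hard-coding it, so the script works whatever DNS suffix you chose.
$domainDN = (Get-ADDomain).DistinguishedName

# The two site OUs from the post. New-ADOrganizationalUnit turns on
# "Protect container from accidental deletion" by default; it is set
# explicitly here so the intent is visible.
foreach ($site in 'New York', 'Atlanta') {
    New-ADOrganizationalUnit -Name $site -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true
}

# The Production OU the post nests inside New York for the EVP's account.
New-ADOrganizationalUnit -Name 'Production' -Path "OU=New York,$domainDN" `
    -ProtectedFromAccidentalDeletion $true

# Confirm every OU under the domain carries the protection flag.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion

# Deleting a protected OU fails with "Access is denied". To clean one up you
# must first clear the flag (the equivalent of editing the OU properties in
# the GUI), then remove it. Both lines are commented out so the example is
# non-destructive.
# Set-ADOrganizationalUnit -Identity "OU=Atlanta,$domainDN" -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity "OU=Atlanta,$domainDN" -Recursive -Confirm:$false
```

The protection flag is implemented as a Deny ACE on the object, which is why the failure shows up as an access-denied error rather than a friendlier message; clearing the flag removes that ACE.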

Adding a User to the OU

Now that we have our Organizational Unit, let’s create our user.

I created an OU named “Production” inside the New York OU because our new user is the EVP of Production for our company.  It makes sense to place him here.

Right-click the OU, go to New and choose User.

Creating a new user in Windows Server 2012

Fill out the user information and click Next.

It’s pretty standard to set the user logon name to first initial followed by last name, so I’m following that convention here.

After we join his Windows 8.1 PC to the domain, he’ll press Ctrl + Alt + Del and log in as SMOCKSOCKS\estreet.

Creating a New User Object in Windows Server 2012

Now we can create a password for the user and a few other things.

Creating the password for the New User Object in Windows Server 2012

Your user is going to need a password to access the domain but you can’t just type any old password.  Windows Server 2012 has password complexity requirements in place to make sure the password isn’t too easy to guess.

I like to use “Password-123” but then I put a check in User must change password at next login.

This is pretty important – don’t skip this step.  Microsoft is trying to give you plausible deniability in the event that Elmo commits unscrupulous acts on your network and then tries to blame you for his illicit actions.  Requiring the user to reset his password forces the password responsibility on the user.  That’s where you want it.  Don’t shoulder that burden my friend.

Alright, cool, so what about these other options?

  • User cannot change password
  • Password never expires

Here’s a secret: I never use these for User accounts.  In fact, they weren’t designed for people.  Users can also be system services!  And that’s what these are for.

Every system service needs an associated account.  By stopping those services from changing their passwords, you add a little protection against any malware that might try to hijack a service.  You’re saying the service account user cannot change its password.

Similarly, the Password never expires option is also perfect for service accounts because you don’t want a service account to stop working after 30 days because its password expired!  I wish Microsoft included a little parenthetical mark next to these two options that said “Ideal for Service Accounts”.  That would alleviate some confusion.

Finally, the last option, Account is disabled, is good for new hires that haven’t officially started with the company yet.  You can leave the account disabled until they start, or disable it when you fire them for watching Gangnam Style on YouTube.
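The wizard choices above, as an added example in PowerShell (not the post’s own code): Elmo’s account with “User must change password at next logon”, a service account (svc-backup is a hypothetical name) carrying the two options the post reserves for services, and a not-yet-started hire (fhire, also hypothetical) left disabled. It assumes the OUs from the previous section exist and that the ActiveDirectory module is loaded on the DC; passwords are read with Read-Host so none are written into the script.

```powershell
# Added example, not from the original post. Run on the DC with the
# ActiveDirectory module available.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dnsRoot  = $domain.DNSRoot                      # e.g. smocksocks.local
$prodOU   = "OU=Production,OU=New York,$domainDN"

# The complexity rules the post mentions come from the default domain password
# policy; New-ADUser rejects an initial password that does not meet them.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge

# Elmo Street, EVP of Production. The password is typed at the prompt rather
# than written into the script, and he must change it at first logon.
$initialPwd = Read-Host -AsSecureString 'Initial password for estreet'
$elmo = @{
    Name                  = 'Elmo Street'
    GivenName             = 'Elmo'
    Surname               = 'Street'
    SamAccountName        = 'estreet'            # logs in as SMOCKSOCKS\estreet
    UserPrincipalName     = "estreet@$dnsRoot"
    Path                  = $prodOU
    AccountPassword       = $initialPwd
    ChangePasswordAtLogon = $true                # "User must change password at next logon"
    Enabled               = $true
}
New-ADUser @elmo

# A service account (svc-backup is a hypothetical name) gets the two options
# the post describes as being for services, so neither a password change nor
# password expiry can stop the service.
$svcPwd = Read-Host -AsSecureString 'Password for svc-backup'
$svc = @{
    Name                 = 'svc-backup'
    SamAccountName       = 'svc-backup'
    Path                 = "OU=Atlanta,$domainDN"
    AccountPassword      = $svcPwd
    CannotChangePassword = $true                 # "User cannot change password"
    PasswordNeverExpires = $true                 # "Password never expires"
    Enabled              = $true
}
New-ADUser @svc

# A hire who has not started yet: create the account now but leave it disabled
# ("Account is disabled") and enable it on their first day.
$hirePwd = Read-Host -AsSecureString 'Initial password for fhire'
New-ADUser -Name 'Future Hire' -SamAccountName 'fhire' -Path $prodOU `
    -AccountPassword $hirePwd -ChangePasswordAtLogon $true -Enabled $false
# Enable-ADAccount -Identity fhire               # run on the start date

# Check the result: PasswordExpired is True for estreet because of the
# change-at-next-logon flag, and the two service-account flags show on svc-backup.
'estreet', 'svc-backup', 'fhire' | Get-ADUser `
    -Properties PasswordExpired, PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordExpired, PasswordNeverExpires, CannotChangePassword
```

ChangePasswordAtLogon and PasswordNeverExpires cannot both be set on the same account (New-ADUser rejects the combination), which is one more hint that the second option belongs on service accounts rather than on people.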

Joining a PC to the Domain

Alright, we have our Active Directory Domain Controller setup and we have our test user ready to go.

Let’s join our Windows 8.1 Pro machine to the domain.

Log in to the end user’s workstation as the local administrator.

Press the Windows key + X, choose System from the context menu and click Change Settings in the bottom right corner of the System dialog window.

Windows 8.1 Change System Settings

In the Member of section at the bottom of the Computer Name/Domain Changes dialog box, select the Domain radio button and enter your domain name:

SMOCKSOCKS

After a few moments you should be prompted to enter your administrator credentials and then Microsoft will cordially welcome you to your new domain.

Join PC to Domain

Reboot and sign in with your new account to make sure it works.

Notice how it says Sign in to: SMOCKSOCKS under the password box.  You can also click the little “eyecon” in the right corner of the password box to peek at your password behind the dots.

Sign in to Windows 8.1 Domain Controller

And that’s it.

Now you have a fully managed Windows 8.1 Pro machine joined to a Windows Server 2012 R2 domain controller.  You can push group policies, establish permissions and really have a lot of fun.  I may publish tutorials about how to do that later, but for now I just hope you can see how easy it is to set up Active Directory in Windows Server 2012.
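The join itself, as an added example (not the post’s own instructions) done from an elevated PowerShell prompt on the Windows 8.1 Pro workstation while logged in as the local administrator, as the post describes. The domain name is the post’s SMOCKSOCKS; the OU path for the computer object, including the DC=smocksocks,DC=local suffix inside it, is an assumption (leave OUPath out and the computer lands in the default Computers container, which is what the dialog-box join does).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window on the Windows 8.1 Pro workstation, logged in as the local administrator.
$domain = 'SMOCKSOCKS'      # the domain name the post types into the dialog

# Before joining, make sure the workstation can locate a domain controller.
# The usual cause of a failed join is a DNS client that does not point at the DC.
nltest "/dsgetdc:$domain"

# Prompt for the domain account that is allowed to join computers (the post's
# "administrator credentials" prompt), so no password sits in the script.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"

$join = @{
    DomainName = $domain
    Credential = $cred
    # Assumed DN: drops the computer object straight into the New York OU.
    # Remove this line to use the default Computers container, as the GUI join does.
    OUPath     = 'OU=New York,DC=smocksocks,DC=local'
    Restart    = $true      # the post reboots right after the join
    Force      = $true      # skip the confirmation prompt
}
Add-Computer @join

# After the reboot, from any PowerShell prompt on the workstation:
# (Get-CimInstance Win32_ComputerSystem).Domain   # shows the domain instead of WORKGROUP
# Test-ComputerSecureChannel                      # True when the machine's trust with the DC is intact
```

Test-ComputerSecureChannel is the quickest way to confirm that the machine account password the join created is still in sync with the DC; if it ever returns False, the same cmdlet with -Repair and a domain credential resets it without a second full join.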

Windows 8.1 Logged in

Bottom Line

In the first guide of this three part series on Active Directory, I showed you the advantages of using Active Directory.  You learned that the biggest advantage is the removal of duplicate accounts and passwords on your network.

You also learned about how Active Directory is structured.  We touched on Domains, Trees and Forests.  We also very quickly talked about Federations and Trusts.

Finally, we wrapped up the first part with the User, Group and Computer objects, and I explained what Site and Site Link objects are used for.

In part two, we leaped over the theory and got our hands dirty installing Active Directory in Windows Server 2012 R2.  You learned how to add the Active Directory Domain Services role, how to promote the server to a domain controller and when to enable specific features.

In this final part of the series, we wrapped up by creating organizational units and our first user, and then joining our Windows 8.1 Pro machine to our domain.

I sincerely hope you enjoyed this series.  Please leave a comment if you have questions or suggestions.

Connect with Vonnie on Twitter

  • Deep Bhatia

    Hello. I need your help with Windows Server 2012 R2, which I run on a VPS. I am using an application on the VPS which requires a continuous internet connection. When I end the remote desktop connection using the cross on the blue bar, the remote Windows logs off, thus interrupting my application activity.
    So I found one solution online which worked for me. After connecting to the VPS through a remote desktop connection, I created a new user with a password and administrator rights. I then opened Remote Desktop Connection on the remote Windows and used the IP 127.0.0.1 and the same username and password as created above. Now this is how the connection is: my local PC - VPS main user, and VPS second user - VPS main user. I then terminate the connection between my local PC and the VPS main user, but since the VPS second user is still connected to the main user, Windows doesn’t log off and the application continues running smoothly.
    After this, whenever I want to connect to the VPS I use the main user credentials, and when I am done I again terminate the connection between local and main user.
    Problem: when I use the Microsoft Remote Desktop client app for Android to connect to the VPS using the main user credentials, it doesn’t work. However, when I use the second user credentials it does connect, but when I terminate the connection by closing the app, the remote Windows logs off. I need a solution to connect to the main user from the Android app.

  • Brianna Milot

    Active Directory is incredibly helpful when it comes to Microsoft Exchange. Some of the advantages can be found at: http://vocalipnetworx.co/activedirectory

    • James Haynes

      Umm, Active Directory is a requirement of Exchange. It’s not helpful, it’s the backbone of the entire system. You cannot run Exchange without it. The reason all those features are so ‘helpful’ is because it was designed to work together…