Basics

PRACTICE ! PRACTICE ! PRACTICE !

Windows Domain

5 computers and 5 employees => easily configured and managed by hand, whereas

500 computers and 500 employees across 4 different sites => most likely not. To overcome this we use something called a Windows Domain

  • It is a group of users and computers under the administration of a given business

  • The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD)

  • The server that runs the Active Directory services is known as a Domain Controller (DC)

The advantages of having a Windows Domain are

  • All users across the network can be configured from Active Directory

  • We can configure security policies directly from Active Directory and apply them to users and computers across the network as needed

Active Directory is usually implemented in our Universities, where every computer has a different name but accepts the same credentials. Whenever we log in to a computer, it forwards the authentication request to Active Directory, where our credentials are checked; thanks to Active Directory, our credentials don't need to exist on each machine and are available throughout the network

Active Directory is also the component that allows our University to restrict us from accessing the control panel on our University machines => Firewall Blocks !

  • Security Policies will usually be deployed throughout the network so that you don't have administrative privileges over those computers

Active Directory

The core of any Windows Domain is the Active Directory Domain Service

This service acts as a catalogue that holds the information of all of the Objects that exist on your network - Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others

Users

  • Users are one of the most common object types in Active Directory

  • Users are one of the objects known as security principals, which means that they can be authenticated by the domain and can be assigned privileges over resources like files or printers

What is a security principal then? - A security principal is an object that can act upon resources in the network

Users can be used to represent two types of entities

  • Users will generally represent persons in your organisation that need to access the network, like employees

  • We can also define users to be used by services like IIS or MSSQL

  • Every single service requires a user to run, but service users differ from regular users: they have only the privileges needed to run their specific service and cannot act upon other resources in the network the way regular users can

Machines

Machines are another type of object within Active Directory

  • For every computer that joins the Active Directory domain, a machine object will be created

  • Machines are also considered as security principals and are assigned an account just as any regular user

  • This account has somewhat limited rights within the domain itself

The machine accounts themselves are local administrators on the assigned computer. They are generally not supposed to be accessed by anyone except the computer itself, but as with any other account, if you have the password, you can use it to log in

Machine account passwords are automatically rotated and are generally comprised of 120 random characters

Identifying machine accounts is relatively easy, as their computer's name is followed by a $ sign

  • A machine named DC01 will have the machine account DC01$
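As an added example (not part of the original notes), this PowerShell script lists every machine account by its $-suffixed name and flags the ones whose password has not rotated on schedule, which is how a defender spots hosts that have gone offline, been decommissioned, or stopped talking to the domain. It assumes the RSAT ActiveDirectory module on a domain-joined session; the 30-day threshold is the Windows default rotation window.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MachineAccountReport {
    param(
        # Windows rotates machine account passwords every 30 days by default
        [int]$MaxAgeDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Every computer object has a SamAccountName ending in '$', e.g. DC01$
    Get-ADComputer -Filter * -Properties PasswordLastSet, OperatingSystem |
        ForEach-Object {
            [PSCustomObject]@{
                Name            = $_.Name
                MachineAccount  = $_.SamAccountName
                IsMachineName   = $_.SamAccountName.EndsWith('$')
                OperatingSystem = $_.OperatingSystem
                PasswordLastSet = $_.PasswordLastSet
                # Older than the rotation window (or never set) means the host has not
                # renewed its secret: offline, decommissioned, or worth a closer look
                Stale           = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            }
        }
}

# Show only the accounts whose passwords did not rotate on schedule
Get-MachineAccountReport -MaxAgeDays 30 |
    Where-Object Stale |
    Sort-Object PasswordLastSet |
    Format-Table Name, MachineAccount, OperatingSystem, PasswordLastSet -AutoSize
```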

Security Groups

Just like Linux permissions, in Windows we can define user groups to assign access rights to files or other resources to entire groups instead of single users - we can add users to an existing group, and they will automatically inherit all of the group's privileges

  • Security groups are also considered security principals and, therefore, can have privileges over resources on the network

Security Groups can have both users and machines as members - If needed, groups can include other groups as well

Active Directory Users and Computers

To configure users, groups or machines in Active Directory, we need to log in to the Domain Controller and run the Active Directory Users and Computers application

  • This will open up a window where you can see the list of users, computers and groups that exist in the domain

  • These objects are organised in Organizational Units (OUs), which are container objects that allow you to classify users and machines - OUs are mainly used to define sets of users with similar policy requirements

The people in the Sales department of the organisation are likely to have a different set of policies applied than the people in IT - Keep in mind that a user can only be a part of a single OU at a time

We can see that there is already an OU called THM with four child OUs for the IT, Management, Marketing and Sales departments - To create a new child OU we can simply right-click the THM OU and create one - For example, a Students one !

  • If we open any OUs, we can see the users they contain and perform simple tasks like creating, deleting or modifying them as needed - We can also reset passwords if needed [ Pretty useful for the helpdesk / IT support Team ]

We can see that there are already other default containers apart from the THM OU - These containers are created by Windows automatically and contain the following !

  • Builtin: Contains default groups available to any Windows host user

  • Computers: Any machine joining the network will be put here by default, we can move them if needed

  • Domain Controllers: Default OU that contains the DCs in your network

  • Users: Default users and groups that apply to a domain-wide context

  • Managed Service Accounts: Holds accounts used by services in your Windows domain

Security Groups Vs Organizational Units

  • Organizational Units are helpful when applying policies to users and computers; these include specific configurations that pertain to sets of users depending on their particular role in the enterprise [The Sales department has a different set of policies compared to the IT department]

Remember, a user can only be a member of a single OU at a time, as it wouldn't make sense to try to apply two different sets of policies to a single user

  • Security Groups, on the other hand, are used to grant permissions over resources - We use groups when we want to allow some users to access a shared folder or network printer

A user can be a part of many groups, which is needed to grant access to multiple resources
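The following PowerShell script is an added example (not from the original notes) that carries out the ADUC procedure above from the shell: it creates the Students child OU under THM, places a user in it, and puts that user in two security groups, then verifies that the user sits in exactly one OU while belonging to several groups. It assumes the ActiveDirectory module; the domain thm.local, the user and the group names are placeholders, not values from the notes.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN  = 'DC=thm,DC=local'            # assumed domain name, not from the notes
$thmOU     = "OU=THM,$domainDN"           # the THM OU described in the notes
$studentOU = "OU=Students,$thmOU"

# 1. New child OU under THM (the right-click step in ADUC, done from the shell)
New-ADOrganizationalUnit -Name 'Students' -Path $thmOU -ProtectedFromAccidentalDeletion $true

# 2. A user object placed in that single OU (placeholder account)
$password = Read-Host -AsSecureString 'Initial password for student1'
New-ADUser -Name 'Student One' -SamAccountName 'student1' `
    -UserPrincipalName 'student1@thm.local' -Path $studentOU `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true

# 3. Two security groups that grant access to resources (a share and a printer)
New-ADGroup -Name 'Lab Share Users' -GroupScope Global -GroupCategory Security -Path $thmOU
New-ADGroup -Name 'Library Printer Users' -GroupScope Global -GroupCategory Security -Path $thmOU
Add-ADGroupMember -Identity 'Lab Share Users' -Members 'student1'
Add-ADGroupMember -Identity 'Library Printer Users' -Members 'student1'

# 4. Verify: exactly one OU (the parent of the DN) but many group memberships
$user     = Get-ADUser -Identity 'student1'
$parentOU = ($user.DistinguishedName -split ',', 2)[1]
"OU of student1: $parentOU"                 # OU=Students,OU=THM,DC=thm,DC=local
"Groups of student1:"
Get-ADPrincipalGroupMembership -Identity 'student1' | Select-Object -ExpandProperty Name
# Domain Users, Lab Share Users, Library Printer Users
```

Moving the user to a different OU later (Move-ADObject) changes which policies apply, while the group memberships, and therefore the resource permissions, stay the same.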
