In this video we’ll further discuss Active Directory Groups, Organizational Units and then move on to Delegation of Control.
Let’s go back to group memberships again, so that I can show you how to force a user to be a member of a specific group on every computer, especially when it’s a local group. For example, I could add a user to a domain local group, and they would be a member of that domain local group anywhere in the domain, no matter which computer they log on to. Say you want that user to admin an organizational unit, but you don’t want to give them too many access permissions, and it is too much of a hassle to go through every computer in the domain and make the user an admin on each one of them. So you’re gonna need to make a Group Policy.
Let me show you how to make a Group Policy:
- Open Group Policy Management, it’s under Tools in the Server Manager.
- Right click on the Organizational Unit that you want to set up a Group Policy for.
- Click on “Create a GPO in this domain, and Link it here…”
- Enter a name and press OK.
- Then right click on the GPO and click Edit.
- Then go to Computer Configuration > Policies > Windows Settings > Security Settings, and right click on Restricted Groups.
- Click Add Group.
- Type Administrators and click OK.
- Click on Add, browse for the user that you want to add, then click OK.
- Click Browse again and add Domain Admins, along with the other accounts that should have access to this specific Organizational Unit.
(Adding Domain Admins is very important, because it makes sure they still have access to the computers after the new account is added. Otherwise the only one who could access this OU is the user we just added.)
- Then restart the computer to see the changes.
Here’s another way to adjust the Group Membership:
- Open Group Policy Management again.
- Here, I’ve prepared a policy called hoitUsersAdministrator.
- Open and edit hoitUsersAdministrator. You can do this under either Computer Configuration or User Configuration, depending on what the Organizational Unit contains. Because this one is linked to a user container, I’m gonna go through User Configuration.
- So my goal here is to control the membership of this group, or any other group. Keeping the Administrators group, I would create a new local group for the computers where this applies. You may also just update an existing group if you already have one, or delete it and replace it with a new one.
- So I’m gonna select a group name or type in a new one. Again, do not click on Browse, because that will look up Administrators in the domain, which is not what we want here: we just want to adjust the membership of the local Administrators group, not a domain-wide one. We also don’t want to use the built-in group templates under the drop-down arrow right here.
Note: Here, “Add the current user” doesn’t mean the user currently logged on to the computer, but the users we specify right here below.
- I’m gonna use HoitUser01, add it to the group, then click Apply and OK.
All that’s left is to test whether the user has access to the computers. Since the group policy we’ve made applies to the OU this user is in, it should also apply to this user.
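One way to check the result of either method on every computer in the OU, as an added example that is not from the video: it reads the local Administrators group on each machine, confirms the intended user got in, and warns if Domain Admins was pushed out. The OU DN and domain name are placeholders, and it assumes the ActiveDirectory module (RSAT) and WinRM access to the targets.

```powershell
# Added example, not part of the video: verify local Administrators membership
# after the Restricted Groups / local-group policy has applied.
Import-Module ActiveDirectory

$ouDn     = 'OU=hoit,DC=example,DC=local'      # placeholder OU
$domain   = (Get-ADDomain).NetBIOSName
$expected = "$domain\HoitUser01"                # user the policy should add
$mustKeep = "$domain\Domain Admins"             # must never be pushed out

$computers = Get-ADComputer -Filter * -SearchBase $ouDn |
             Select-Object -ExpandProperty Name

# Get-LocalGroupMember exists on Windows 10 / Server 2016 and later.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

foreach ($pc in $computers) {
    $here = $members | Where-Object { $_.PSComputerName -eq $pc }
    if (-not $here) {
        Write-Warning "$pc : unreachable, policy state unknown"
        continue
    }
    $names    = @($here.Name)
    $hasUser  = $names -contains $expected
    $hasAdmin = $names -contains $mustKeep
    # Restricted Groups "Members of this group" replaces the whole membership,
    # so anything beyond the expected set (and the built-in local Administrator)
    # means the policy did not apply or another policy is overriding it.
    $extra = $names | Where-Object {
        $_ -notin @($expected, $mustKeep) -and $_ -notmatch '\\Administrator$'
    }
    '{0,-20} user={1} domainAdmins={2} extra=[{3}]' -f $pc, $hasUser, $hasAdmin, ($extra -join ', ')
    if (-not $hasAdmin) { Write-Warning "$pc : Domain Admins is NOT in local Administrators" }
}
```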
Now let’s move on to Organizational Units
The main point of Organizational Units is to simplify the administration of objects. So there’s no point in making one if there are no:
- computers or
- groups inside the OU.
They cannot act as permissions, meaning you cannot just right click on a folder and share it to an Organizational Unit. But they are very powerful when it comes to GPOs (Group Policy Objects): you can easily create a group policy for hundreds of accounts, or just as easily misconfigure a group policy and do a lot of damage to the domain in a few clicks. OUs are commonly divided by:
- departments or
- job roles.
Note: The default containers, like “Users” and “Computers”, are not Organizational Units. Also, if you use scripts or batch files to create user accounts, they are automatically placed in the Users container, and you cannot link a Group Policy Object to that container because it’s not an OU.
Redirect User and Redirect Computer
- If you create a batch file or script to create your user accounts and you don’t specify a path for the users or computers, it automatically dumps the users into the Users container and the computers into the Computers container.
- Redirecting them to an OU gives you a lot more control.
For example, I could create an OU named Blocked Users that strips the privileges of every account inside it, so that we won’t accidentally give a new account a lot of privileges. When it’s time for an account to be unblocked and start working, you can just drag it into the OU you want it in.
To do this:
- Run cmd as Administrator
- Enter redirusr followed by the path, that is, the distinguished name of the destination OU.
- To see if it works, let’s try creating a new user without specifying a path. Type in: net user <username> * /add
- Enter the password when prompted.
- Then hit refresh.
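The same redirection and test done from PowerShell, as an added example that is not from the video: it shows where new users go before and after redirusr, then creates a throwaway account without a path and checks where it landed. The OU DN is a placeholder, and it assumes you run it on a domain controller as a Domain Admin with the ActiveDirectory module.

```powershell
# Added example, not part of the video: redirect the default user container
# and confirm that a user created without -Path lands in the new OU.
Import-Module ActiveDirectory

$target = 'OU=Blocked Users,DC=example,DC=local'   # placeholder; the OU must already exist

# Where do new users go right now? The default is CN=Users,<domain>.
$before = (Get-ADDomain).UsersContainer
"Current default user container: $before"

# redirusr.exe ships with Windows Server and takes the destination DN.
# (redircmp.exe does the same for the Computers container.)
& "$env:SystemRoot\System32\redirusr.exe" $target

$after = (Get-ADDomain).UsersContainer
"New default user container:     $after"
if ($after -ne $target) { throw "Redirection did not take effect: $after" }

# Same test as 'net user <username> * /add' in the video, with a disabled
# throwaway account so nothing usable is left behind if the check fails.
$name = 'redirtest01'
New-ADUser -Name $name -SamAccountName $name -Enabled $false
$dn = (Get-ADUser -Identity $name).DistinguishedName

if ($dn -like "*,$target") {
    "OK: $name was created in $target"
} else {
    Write-Warning "FAIL: $name landed in $dn"
}

# Clean up the test account.
Remove-ADUser -Identity $name -Confirm:$false
```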
Creating and Deleting Organizational Units
Protect container from accidental deletion: this is a new level of protection for organizational units that is not present in older versions of Windows Server. It protects your directory from unwanted data loss.
Now, to get rid of the Organizational unit:
- Go to View then click on Advanced Features
- Then right click on the OU that you want to delete, choose Properties
- Go to the Object Tab
- Deselect “Protect object from accidental deletion”.
- Now you can delete the Organizational Unit. It still gives you a warning before deleting if there are other objects inside the organizational unit.
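An added example, not from the video, that does the same from PowerShell and adds the check a domain admin wants first: list every OU that has lost the protection flag, then remove one OU only after confirming it is empty. The OU DN is a placeholder and the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the video: audit the accidental-deletion flag,
# then delete one OU the controlled way (empty check, clear flag, remove).
Import-Module ActiveDirectory

# 1) Audit: every OU should normally be protected. Show the ones that are not.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# 2) Controlled deletion of a single OU.
$ouDn = 'OU=Old Department,DC=example,DC=local'   # placeholder

# Same warning ADUC gives: refuse if anything still lives inside the OU.
$children = @(Get-ADObject -Filter * -SearchBase $ouDn -SearchScope OneLevel)
if ($children.Count -gt 0) {
    Write-Warning "$ouDn still contains $($children.Count) object(s); move them first:"
    $children | Select-Object Name, ObjectClass
    return
}

# Equivalent of unticking "Protect object from accidental deletion" on the Object tab.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false
"Removed $ouDn"
```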
Delegation of Control
This allows certain users or groups to have a certain level of administrative privileges over an Organizational Unit, which is very useful if you want a user to admin an organizational unit without giving them the privileges of a Domain Administrator.
Now to set these permissions:
- Right click on the OU that you want to edit.
- Choose Delegate Control.
- Select the users or groups you want to have a higher level of access to this OU. (Normally this is done with groups.)
- Click on Next.
- Then choose the tasks that you want to give to this user. I’ll just go with this for now; you can experiment with the other tasks if you want.
- Click on Next, then Finish. (It’s probably best to restart your computer, even if it doesn’t say you have to.)
You can also create a custom task to delegate, which is useful when you want to delegate access to specific child objects.
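What the wizard actually writes is a set of explicit ACEs on the OU, so the way to see (or audit) what has been delegated is to read them back. The following is an added example, not from the video: it lists the non-inherited ACEs on an OU and resolves the object-type GUIDs to attribute, class and extended-right names. The OU DN is a placeholder; it assumes the ActiveDirectory module, which provides the AD: drive.

```powershell
# Added example, not part of the video: show what has been delegated on an OU.
Import-Module ActiveDirectory

$ouDn = 'OU=hoit,DC=example,DC=local'   # placeholder

# Map GUIDs to names so ObjectType becomes readable: schema classes/attributes
# plus extended rights such as "Reset Password".
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object { -not $_.IsInherited } |   # only ACEs set on this OU itself
    ForEach-Object {
        $on  = if ($_.ObjectType -eq [guid]::Empty) { 'All' } else { $guidMap[$_.ObjectType] }
        $to  = if ($_.InheritedObjectType -eq [guid]::Empty) { 'All' } else { $guidMap[$_.InheritedObjectType] }
        [pscustomobject]@{
            Principal   = $_.IdentityReference
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            On          = $on    # attribute, class or extended right
            AppliesTo   = $to    # child object class the ACE is scoped to
            Inheritance = $_.InheritanceType
        }
    } | Sort-Object Principal | Format-Table -AutoSize
```

Anything listed here that is not a built-in principal (SYSTEM, Domain Admins, Enterprise Admins) is a delegation someone made, which is exactly what a periodic review of OU permissions should be looking at.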
And now we’re done with Organizational Units and Delegation.
Thanks for watching and I hope you learned much in this video.