In this video I’m going to continue discussing Active Directory, specifically Managing Accounts, and also make clear what an account really is. Afterwards we will discuss how to copy accounts and use templates. After that we will go through User Rights, then move on to Computer Accounts, and end with Disabling and Enabling accounts.
So first of all let’s define what an account actually is, particularly its security identity. It is a security identifier, commonly abbreviated as SID. There is a common mistake that people new to Active Directory sometimes make: say I go to the user accounts, choose Staff1, right click on it and accidentally delete that account, which happens to be a very important account. You’d probably create another user identical to the one you accidentally deleted. But that’s not really a good idea, because even though you created an account with the same name and the same information as the one you deleted, it actually has a different SID. A security identifier is a unique, variable-length value used to identify a security principal or security group in Windows operating systems. Think of it as the fingerprint of a computer object.
Let me show you an example. Try to:
- Run PowerShell as an Administrator.
- Then run the utility called adsiedit.
- If you are not able to connect to your domain, just click on ADSI Edit and then choose Connect to.
- Then look for a user under your domain. In my case, I’ll just use Staff1 under hoit users, then look at its properties.
- Observe the last three numbers of the ObjectSid and try to remember them.
- Then delete the user account that you chose.
- After that, recreate a user account identical to the one that you deleted. Then take a look at the properties of the user that you created.
- You should notice that the ObjectSid is different. The computer, permissions and so on really look at the SID, and even if the new user looks exactly the same as the one you deleted, the SID is different, so the system will see it as a completely different user.
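The same demonstration scripted with the ActiveDirectory PowerShell module, as an added example that is not from the video: it creates a lab user, records its SID, deletes it, recreates an identical-looking account and compares the two SIDs. The user name LabStaff1 and the OU path are placeholders, and the script assumes RSAT is installed on a domain-joined admin host.

```powershell
# Added example, not from the video: show that deleting and recreating an identical account
# produces a new SID. Assumes the ActiveDirectory module (RSAT) on a domain-joined admin host.
# 'LabStaff1' and the OU path are placeholders for a lab user and a lab OU.
Import-Module ActiveDirectory

$name = 'LabStaff1'
$ou   = 'OU=hoit users,DC=example,DC=com'   # placeholder, adjust to your lab domain

function Get-UserSid([string]$SamAccountName) {
    # Get-ADUser exposes the objectSid attribute as a SecurityIdentifier object
    (Get-ADUser -Identity $SamAccountName).SID.Value
}

# Create the lab user (disabled, so no password is needed) and record its SID
New-ADUser -Name $name -SamAccountName $name -Path $ou -Enabled $false
$before = Get-UserSid $name

# Delete it, then recreate an account that looks exactly the same
Remove-ADUser -Identity $name -Confirm:$false
New-ADUser -Name $name -SamAccountName $name -Path $ou -Enabled $false
$after = Get-UserSid $name

# The domain part (S-1-5-21-...) is shared by every principal in the domain; only the
# relative identifier (RID), the last block, distinguishes them, and RIDs are never reused
$domainSid = ([System.Security.Principal.SecurityIdentifier]$before).AccountDomainSid.Value
"Domain SID : $domainSid"
"RID before : $($before.Split('-')[-1])"
"RID after  : $($after.Split('-')[-1])"
if ($before -ne $after) {
    "Same name, different SID: permissions granted to the old account do not apply to the new one"
}
```

The RID is the part you were asked to memorise in ADSI Edit. Because the directory never hands out a RID twice, any ACL entry or group membership that referenced the old SID now points at nothing, which is why a deleted account should be restored (or, better, disabled in the first place) rather than recreated.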
After that, go back to your Server Manager, select “Tools” and then choose “Active Directory Administrative Center”.
So now let’s move on to creating accounts manually. You can create an account using Active Directory Administrative Center, which you can find under:
- “Tools” in your Server Manager.
- Right click on your Domain.
- Choose “New”.
- Then choose “User”.
- Then fill out all the necessary information and click OK.
You can also create a user account using Active Directory Users and Computers, which can be found under:
- “Tools” in the Server Manager.
- Right click on the domain or the Organizational Unit that you want to put the user account in.
- Choose “New”, then “User”.
- Then fill in all the necessary information and click OK.
Now let’s move on to “Copying Accounts and Creating Templates”, which is very important for a productive administrator. I have here three users that I have put in a group named “hoit users”, and I’m going to show you the convenience of copying an account. So I’m just going to:
- Right click on staff1 and then select “Copy”.
- Then fill in the necessary information.
- Then add a password and click Finish.
Now if you look at the properties of the account that we’ve just created, you’ll notice that it’s already part of the hoit users group. It even copies the department that staff1 is in. The reason we copy an account is to take the exact properties of one account and use them for other accounts, which is simpler than creating an account from scratch; in other words, you can use staff1 as a template for creating new accounts.
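Both procedures above, creating an account manually and creating one by copying a template, scripted with the ActiveDirectory module as an added example that is not from the video. The new user names, the UPN suffix and the OU path are placeholders; staff1 is the template user from the video.

```powershell
# Added example, not from the video: create a user from scratch, then create another user by
# copying attributes and group memberships from an existing "template" user, mirroring the
# "Copy..." action in Active Directory Users and Computers. Names, the UPN suffix and the OU
# path are placeholders; staff1 is the template user.
Import-Module ActiveDirectory

$ou = 'OU=hoit users,DC=example,DC=com'   # placeholder

# 1. Create an account manually: the PowerShell equivalent of New > User in the console.
#    The password is prompted for rather than written into the script.
New-ADUser -Name 'Staff4' -SamAccountName 'Staff4' -UserPrincipalName 'Staff4@example.com' `
    -Path $ou -Department 'Sales' -Title 'Clerk' `
    -AccountPassword (Read-Host -AsSecureString 'Password for Staff4') `
    -Enabled $true -ChangePasswordAtLogon $true

# 2. Copy an account: staff1 acts as the template. Only the attributes requested here are
#    carried over by -Instance, so list the ones the template is meant to provide.
$template = Get-ADUser -Identity 'staff1' -Properties Department, Title, Company, Office

# -Instance copies the template's attribute values; identity attributes are given explicitly
New-ADUser -Name 'Staff5' -SamAccountName 'Staff5' -UserPrincipalName 'Staff5@example.com' `
    -Path $ou -Instance $template `
    -AccountPassword (Read-Host -AsSecureString 'Password for Staff5') `
    -Enabled $true -ChangePasswordAtLogon $true

# Group memberships are not attributes of the user object, so copy them separately.
# 'Domain Users' is the primary group and every user already belongs to it; adjust the
# filter if the template's primary group is different.
Get-ADPrincipalGroupMembership -Identity $template |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'Staff5' }

# 3. Verify that the copy carries the template's department and group memberships
Get-ADUser -Identity 'Staff5' -Properties Department, Title, MemberOf |
    Select-Object SamAccountName, Department, Title,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ', ' } }
```

The split between attributes and memberships is the point to remember: a template user carries rights through its groups, so every copy inherits those rights. Keep template accounts disabled and review their memberships before cloning them, because whatever staff1 can reach, Staff5 can reach too.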
Now let’s move on to User Rights. You can grant them based on the group membership of a certain account; the membership may give that account additional user rights. To do that you need to:
- Go to “Active Directory Users and Computers”.
- Choose a specific user, right click and choose “Properties”.
- Then click on “Member Of”. Click Add.
- Then choose what group you want that user to be a member of. Then click OK.
But if you just want to apply User Rights to a local setting, you can just:
- Run “PowerShell” as an “Administrator”.
- Then enter “gpedit.msc”.
- Then, inside Computer Configuration, click on “Windows Settings”, “Security Settings” and then “Local Policies”.
- Then click on “User Rights Assignment”.
- Then choose the local policy that you want to add the user to. Then click “Add additional user”.
- Enter the necessary information and then click OK.
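Reviewing what the User Rights Assignment node actually contains is easier from a script than by clicking through each policy. The following is an added example, not from the video, that exports the local security policy with the built-in secedit tool and resolves the SIDs it lists to account names. The set of rights queried by default is my own choice; run it from an elevated PowerShell, since secedit needs administrator rights to export.

```powershell
# Added example, not from the video: audit the local User Rights Assignment without opening
# gpedit.msc. Uses secedit.exe (built into Windows) to export the effective local policy and
# resolves the SIDs it lists. Run elevated. The default list of rights is an arbitrary choice.
function Get-LocalUserRights {
    param(
        [string[]]$Right = @('SeRemoteInteractiveLogonRight', 'SeDebugPrivilege', 'SeBackupPrivilege')
    )

    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes an INI-style file; the [Privilege Rights] section holds the assignments
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    foreach ($line in $lines) {
        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Right -contains $Matches[1]) {
            $holders = $Matches[2] -split ',' | ForEach-Object {
                $entry = $_.Trim().TrimStart('*')   # SIDs are written with a leading *
                try {
                    ([System.Security.Principal.SecurityIdentifier]$entry).Translate(
                        [System.Security.Principal.NTAccount]).Value
                }
                catch {
                    # Not a SID (already a name) or a SID that no longer resolves: keep it as-is
                    $entry
                }
            }
            [pscustomobject]@{ Right = $Matches[1]; Holders = ($holders -join '; ') }
        }
    }
}

Get-LocalUserRights | Format-Table -AutoSize
```

A holder that comes back as a raw S-1-5-21-... string is a SID that no longer resolves to any account, which is exactly the leftover described in the SID discussion above: the account was deleted, but the right assigned to it was not.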
Now let’s go to “Creating Computer Accounts”, also called “Pre-staging”, particularly when you place a computer in a specific OU (Organizational Unit). For example:
- Say you have a Windows 8 client that is a standalone computer.
- Choose an Organizational Unit or create a new one, and create the account in advance, before the computer joins the domain.
- Right click on the selected Organizational Unit and then choose New.
- Then select Computer. Type the name of the computer, then click OK.
- The next thing to do is go back to the client and join it to the domain.
- Go to the Control Panel, then go to System and Security.
- Choose “See the name of this computer”, then click on “Change settings”.
- Click on “Change”.
- Then type in the name of your domain, then click OK.
- Then enter the administrator credentials.
- It will then prompt you to restart your computer.
- Click on “Restart Now”.
Now, to join a domain offline, you’re going to need to prepare a provisioning text file by running this command in your command prompt.
- Type “djoin /provision /domain <name of the domain> /machine <name of your machine> /savefile <path to the file>”. By the way, the name of my file is “File.txt”, which makes it easy to find. Then press Enter.
- After that, copy the output file to the client computer and run this command in CMD on the client: “djoin /requestODJ /loadfile <path to the file> /windowspath %systemroot% /localos”.
- Restart the computer, then reconnect it to the network, and you’ll see that it is joined to the domain.
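The pre-staging and offline-join steps above, combined in one script as an added example that is not from the video. The domain name, OU path and computer name are placeholders. It pre-stages the computer account with the ActiveDirectory module and then provisions the djoin file for that same account; the /reuse switch is what tells djoin to use the pre-staged account instead of creating a new one. The online join from the video is shown as a comment using Add-Computer, which exists in Windows PowerShell 5.1.

```powershell
# Added example, not from the video: pre-stage a computer account in a chosen OU, then provision
# an offline domain join file for it with djoin.exe. Domain, OU and computer name are placeholders.
Import-Module ActiveDirectory

$domain   = 'corp.example.com'
$ou       = 'OU=Workstations,DC=corp,DC=example,DC=com'
$computer = 'CLIENT01'
$blob     = Join-Path $env:USERPROFILE "$computer-odj.txt"

# 1. Pre-stage: the account exists in the right OU before the client ever joins,
#    so Group Policy linked to that OU applies from the first logon
New-ADComputer -Name $computer -Path $ou -Enabled $true

# 2. Provision the offline-join file for the pre-staged account.
#    /reuse is required because the account already exists; without it djoin reports a conflict.
djoin.exe /provision /domain $domain /machine $computer /reuse /savefile $blob

# 3. Show where the account landed and that the provisioning file was written
Get-ADComputer -Identity $computer | Select-Object Name, DistinguishedName, Enabled
Get-Item -Path $blob | Select-Object FullName, Length

# On the client, from an elevated prompt, after copying the file over:
#   djoin.exe /requestODJ /loadfile C:\Path\CLIENT01-odj.txt /windowspath %SystemRoot% /localos
# then restart the client and reconnect it to the network.
#
# Online alternative (Windows PowerShell 5.1 on the client), the equivalent of the
# System Properties dialog used in the video:
#   Add-Computer -DomainName $domain -OUPath $ou -Credential (Get-Credential) -Restart
```

The provisioning file contains the new machine account's password, so treat it like a credential: copy it over a protected channel and delete it from both machines once the join has completed.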
Then finally we’re going to Disabling and Enabling accounts, and how to easily find accounts such as inactive and disabled accounts. You’re going to need to:
- Go to Active Directory Administrative Center.
- Then select the Organizational Unit that you want to filter or search in.
- Then click on “Search under this node” on the right side of the screen, then add the criteria for your filter using the expand button on top.
- Then click “Criteria”. Then choose from the criteria, for example users that haven’t logged on for a certain number of days.
- Then select the number of days and click Search.
- After that, you’ll be shown the users that haven’t logged on for the number of days that you specified.
- Then you can select the users that you want to disable, delete, move, etc.
And that ends our discussion about Managing Accounts. I hope you learned a lot from this video.
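The same inactive-account search scripted with Search-ADAccount, as an added example that is not from the video. The OU path and the 90-day threshold are placeholders. The script reports first and only disables with -WhatIf, so nothing changes until the list has been reviewed and the switch is removed.

```powershell
# Added example, not from the video: find enabled users in an OU that have not logged on for
# N days, then disable them. OU path and day count are placeholders.
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param([string]$SearchBase, [int]$Days = 90)

    # Search-ADAccount evaluates lastLogonTimestamp, which is only replicated when it is more
    # than about 14 days stale, so results for short windows are approximate
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |     # already-disabled accounts are handled separately below
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate } |
        Select-Object SamAccountName, LastLogonDate, Enabled, DistinguishedName
}

$ou    = 'OU=hoit users,DC=example,DC=com'   # placeholder
$stale = Get-InactiveUsers -SearchBase $ou -Days 90
$stale | Format-Table -AutoSize

# Disable rather than delete: the SID, and with it group memberships and ACL entries, is kept,
# and Enable-ADAccount restores the account. Remove -WhatIf once the list has been reviewed.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }

# Review what is currently disabled in the same OU, the other filter from the video
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

Disabling is the safe first step for exactly the SID reason covered at the start: a disabled account can be re-enabled with all its rights intact, whereas a deleted and recreated one cannot.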