Module 5: How to Administer Active Directory in Windows Server 2019/2022
Creating and Managing Active Directory Objects in Microsoft Windows Server
Active Directory (AD) objects represent real-world entities such as users, groups, computers, and organizational units (OUs). Effective AD object management is key to maintaining a secure and organized IT environment.
What Are Active Directory Objects?
Each object is a single data unit stored in the AD database. Common types:
User objects – represent individuals who log in
Computer objects – represent domain-joined machines
Group objects – collections of users/computers
Organizational Units (OUs) – containers for grouping objects
Printers, Shared Folders, and Contacts
🛠️ Creating Active Directory Objects
1. Using Active Directory Users and Computers (GUI)
Steps to create a user:
Open Active Directory Users and Computers.
Navigate to the OU where you want to create the object.
Right-click > New > User.
Fill in user details (name, logon, password).
Finish and configure properties.
Similarly, you can create:
Computers: New > Computer
Groups: New > Group
OUs: New > Organizational Unit
- Creating Organizational Units
- Creating User Accounts
- Creating Computer Accounts
- Moving and Locating Objects
- Moving Objects
- Permissions set explicitly on the object move with it
- Permissions inherited from the old parent container do not move; after the move the object inherits the new parent's ACL and falls under the new OU's linked GPOs, so a move can change both who administers the object and which policies apply to it
- You can move multiple objects at once (select them, then Move, or drag them to the target OU)
- Locating Objects
- Administrators can use Find in Active Directory Users and Computers to search for objects
- Users on domain-joined clients can search the directory from File Explorer (Network, then Search Active Directory)
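The same create, move and locate operations done from PowerShell, as an added example that is not part of the original module. It uses the ActiveDirectory module from RSAT; the OU names (Workstations, Staff, Groups), the user jdoe, the computer WS-0042 and the group Helpdesk are assumed names for illustration.

```powershell
# Added example, not part of the original module: PowerShell equivalents of the GUI
# steps, using the ActiveDirectory module (RSAT-AD-PowerShell).
# Assumed names: OUs Workstations, Staff and Groups under the domain root, user jdoe,
# computer WS-0042, group Helpdesk. Change them to fit your domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$wsOU     = "OU=Workstations,$domainDN"

# Organizational unit. ProtectedFromAccidentalDeletion writes a Deny ACE (Delete and
# Delete Subtree, for Everyone); it must be cleared before the OU can be deleted or moved.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Workstations'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# User account. The initial password is prompted for as a SecureString instead of being
# written into the script; ChangePasswordAtLogon forces the user to replace it at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName "jdoe@$((Get-ADDomain).DNSRoot)" `
    -Path "OU=Staff,$domainDN" -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Computer account, pre-staged in the right OU so the machine lands there (and under that
# OU's GPOs) when it is domain-joined, instead of in the default Computers container.
New-ADComputer -Name 'WS-0042' -Path $wsOU -Enabled $true

# Group.
New-ADGroup -Name 'Helpdesk' -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDN"

# Moving objects. Explicit ACEs on each object travel with it; inherited ACEs are recomputed
# from the new parent, so the moved computers also switch to the Workstations OU's GPO links.
Get-ADComputer -Filter "Name -like 'WS-*'" -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath $wsOU

# Locating objects. -Filter is translated to LDAP and evaluated on the DC; -LDAPFilter takes
# raw LDAP syntax for anything the filter language cannot express.
Get-ADUser -Filter "Surname -eq 'Doe'" -Properties Department | Select-Object Name, Department
Get-ADObject -SearchBase $domainDN -Properties operatingSystem `
    -LDAPFilter '(&(objectCategory=computer)(operatingSystem=*Windows 10*))' |
    Select-Object Name, operatingSystem
```

Run it from an elevated PowerShell session on a machine with RSAT installed, under an account that has create rights on the target OUs. Because -Filter and -LDAPFilter are evaluated on the domain controller, the search examples scale to large directories; client-side Where-Object filtering after Get-ADUser -Filter * does not.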
Managing Groups in Active Directory (Microsoft Windows Server)
In Active Directory (AD), groups are essential for organizing users, computers, and other groups to simplify permission management, policy application, and access control.
Types of Active Directory Groups
1. Security Groups
Used to assign permissions to shared resources (files, folders, printers, etc.).
2. Distribution Groups
Used only for email distribution (mainly in Exchange environments); not for access control.
- Group Types
- Purpose of Group Types
- Security groups: use to assign or deny rights and permissions (they can also be mail-enabled)
- Distribution groups: use to send e-mail messages only; they cannot appear in an ACL
- Selecting a Group Type
- Use a security group only when the group will appear in an ACL or carry user rights; use a distribution group for a plain mailing list
- Only security group SIDs are added to the user's access token at logon, so every unnecessary security group enlarges the Kerberos ticket and slows logon (token bloat); a distribution group costs nothing at logon
- Group Scope
- Domain Local Group
- Members: accounts, global groups and universal groups from any domain in the forest (or from a trusted domain), plus domain local groups from the same domain
- Use for access to resources in its own domain only; it cannot be placed in an ACL in another domain
- Global Group
- Members: accounts and other global groups from its own domain only
- Use for access to resources in any domain in the forest or in a trusting domain
- Universal Group
- Members: accounts, global groups and universal groups from any domain in the forest
- Use for access to resources in any domain in the forest; its membership is stored in the Global Catalog, so membership changes replicate forest-wide
- Recommended nesting (AGDLP): put Accounts in Global groups, nest those in a Domain Local group, and grant Permissions to the domain local group
- Creating Groups
- Modifying Groups
- Changing Group Type
- Change security to distribution or distribution to security
- Requires the Windows 2000 native domain functional level or higher, which every Windows Server 2019/2022 domain meets; converting a security group to distribution silently removes it from every access token and every ACL it appears in, so check where it is used first
- Changing Group Scope
- Global or domain local can be changed to universal (global only if it is not a member of another global group; domain local only if it has no domain local group members); universal can be changed to global (if it contains no universal groups) or to domain local; global cannot be changed directly to domain local, so go via universal
- Requires the Windows 2000 native domain functional level or higher (always the case on Windows Server 2019/2022)
- Deleting a Group
- Deletes the group but not the objects that are members
- The group's SID is deleted with it: ACEs on resources that reference the group remain as unresolved SIDs, and a recreated group with the same name receives a new SID, so those permissions are not restored. With the AD Recycle Bin enabled the deleted group can be restored with its SID and membership intact; without it, reanimating the tombstone loses the membership
- Managing Local Groups
- Local groups on member servers and clients live in the machine's SAM database, not in AD; manage them with Computer Management or the LocalAccounts PowerShell module, and populate them with domain groups rather than individual accounts
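The AGDLP pattern, the type and scope conversions, and the delete/restore behaviour described above, carried out with the ActiveDirectory module. This is an added example and not part of the original module; the OU Groups, the file server FS01, the users jdoe and asmith, and the group Role-ServerAdmins are assumed names.

```powershell
# Added example, not part of the original module: creating, nesting, converting,
# deleting and restoring groups with the ActiveDirectory module.
# Assumed names: OU=Groups under the domain root, file server FS01, users jdoe/asmith,
# domain group Role-ServerAdmins. AGDLP: Accounts -> Global -> Domain Local -> Permissions.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Groups,$domainDN"

# Role group (global): may contain accounts from this domain only.
New-ADGroup -Name 'Role-Finance' -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description 'Finance staff (role group)'
Add-ADGroupMember -Identity 'Role-Finance' -Members 'jdoe', 'asmith'

# Resource group (domain local): the only principal that goes into the share/NTFS ACL.
New-ADGroup -Name 'ACL-FS01-Finance-RW' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
    -Description 'Modify on \\FS01\Finance'
Add-ADGroupMember -Identity 'ACL-FS01-Finance-RW' -Members 'Role-Finance'

# Mail-only list: distribution type, cannot be used in an ACL, not added to the logon token.
New-ADGroup -Name 'DL-Finance-News' -GroupScope Universal -GroupCategory Distribution -Path $groupOU

# Changing type and scope. Global -> DomainLocal is refused; the path is via Universal.
Set-ADGroup -Identity 'DL-Finance-News' -GroupCategory Security   # distribution -> security
Set-ADGroup -Identity 'Role-Finance'   -GroupScope Universal       # global -> universal
Set-ADGroup -Identity 'Role-Finance'   -GroupScope Global          # back again: no universal members, so allowed

# Deleting: members survive, but every ACE that references the group's SID becomes orphaned.
$guid = (Get-ADGroup 'DL-Finance-News').ObjectGUID
Remove-ADGroup -Identity 'DL-Finance-News' -Confirm:$false

# Restoring with the original SID and membership works only when the AD Recycle Bin is enabled.
$recycleBin = (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
if ($recycleBin) {
    Get-ADObject -Identity $guid -IncludeDeletedObjects | Restore-ADObject
} else {
    Write-Warning 'AD Recycle Bin is not enabled; recreating the group would produce a new SID.'
}

# Local (SAM) groups on a member server: add a domain group, never individual accounts.
Add-LocalGroupMember -Group 'Administrators' -Member "$((Get-ADDomain).NetBIOSName)\Role-ServerAdmins"
```

The restore branch looks the deleted object up by its objectGUID captured before deletion, which is more reliable than matching on the mangled name that deleted objects receive. The last line runs against the local machine, so execute it on the member server itself (or wrap it in Invoke-Command).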
Controlling Access to Active Directory Objects (Microsoft Windows Server)
Controlling access to Active Directory (AD) objects is essential for maintaining security, delegation, and organizational control in an enterprise environment.
What Are AD Objects?
AD objects include:
Users
Groups
Organizational Units (OUs)
Computers
Printers
GPOs and more…
🔒 How Access Control Works
Access to AD objects is governed by:
✅ Access Control Lists (ACLs)
Each object has a Discretionary Access Control List (DACL) that defines who has access and what type of access they have.
✅ Access Control Entries (ACEs)
Each DACL contains ACEs specifying:
User or group (the trustee, stored as a SID)
Allowed or denied permissions
The permissions themselves: either standard rights (Full Control, Read, Write, Create All Child Objects, Delete All Child Objects) or special permissions scoped by a GUID to one property, one property set, or one extended right such as Reset Password
Inheritance flags: whether the ACE applies to the object itself, to child objects of a given class, or both
- Active Directory Permissions
- Permissions Authorize Access
- Each object has a discretionary access control list
- Object type determines available permissions (a user object exposes different properties and extended rights than an OU or a group)
- Multiple Permissions: effective permissions are the union of every ACE that matches the user's SID or any group SID in the user's token
- Allowing and Denying Permissions: ACEs are evaluated in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), and a Deny that matches a requested right stops the check before any later Allow is reached, so an explicit Allow on the object beats an inherited Deny
- Standard and Special Permissions: standard permissions are shown on the Security tab; special (per-property, property-set and extended-right) permissions are set under Advanced, and delegation almost always uses the special ones
- Using Permissions Inheritance: ACEs flow from an OU down to the objects beneath it unless inheritance is blocked on a child, in which case the inherited ACEs are either copied onto the child as explicit ACEs or removed
- Granting Active Directory Permissions: use the Security tab of the object (visible with View > Advanced Features in Active Directory Users and Computers) or, for OUs, the Delegation of Control Wizard
- Changing Object Ownership
- Owner Controls Permissions for the Object: the owner can always rewrite the DACL, even when no ACE grants the owner any access, which is why ownership of OUs and GPOs is itself a security boundary
- Ownership Changes When:
- Owner or user with Full Control grants the Modify Owner (WRITE_OWNER) permission to a user who then takes ownership
- Member of the Administrators group, or any account holding the Take ownership user right (SeTakeOwnershipPrivilege), takes ownership
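Reading a DACL, showing the canonical evaluation order, and flagging the rights (GenericAll, WriteDacl, WriteOwner) that give a trustee full control of an OU and everything under it. This is an added example and not part of the original module; the OU Staff and the small table of well-known GUIDs are assumptions for illustration, and the script only reads.

```powershell
# Added example, not part of the original module: inspect the DACL of an AD object
# through the AD: PowerShell drive and surface ACEs that amount to control of the OU.
# Assumed: OU=Staff under the domain root. Read-only; nothing is changed.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$target   = "OU=Staff,$domainDN"

# A few well-known schema/extended-right GUIDs (assumed subset; resolve others from
# CN=Extended-Rights,CN=Configuration and the schema's schemaIDGUID attribute).
$rightNames = @{
    '00000000-0000-0000-0000-000000000000' = 'all properties / all rights'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
}

$acl = Get-Acl -Path "AD:\$target"
"Owner of $target : $($acl.Owner)"

# Canonical order used by the access check: explicit Deny, explicit Allow,
# inherited Deny, inherited Allow.
$rank = {
    param($ace)
    if (-not $ace.IsInherited -and $ace.AccessControlType -eq 'Deny')  { 0 }
    elseif (-not $ace.IsInherited)                                    { 1 }
    elseif ($ace.AccessControlType -eq 'Deny')                        { 2 }
    else                                                              { 3 }
}

$acl.Access | Sort-Object { & $rank $_ } | ForEach-Object {
    $g = $_.ObjectType.ToString()
    [pscustomobject]@{
        Trustee   = $_.IdentityReference
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        AppliesTo = if ($rightNames.ContainsKey($g)) { $rightNames[$g] } else { $g }
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# Rights that equal full control of the subtree: GenericAll, or WriteDacl/WriteOwner,
# which let the trustee grant themselves anything. Built-in admin principals are excluded
# from the report so that only unexpected delegations show up.
$expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins))$'
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -and
    $_.IdentityReference.Value -notmatch $expected
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run the second report against the domain root, the AdminSDHolder object and every top-level OU; any trustee outside the expected set holding WriteDacl or WriteOwner can take control of the subtree without any further delegation, exactly the ownership path the section describes.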
Adding Object Attributes to the Global Catalog in Active Directory
In Microsoft Active Directory (AD), the Global Catalog (GC) is a distributed data repository that provides a searchable, partial representation of all objects in every domain within a forest.
Adding specific object attributes to the Global Catalog can improve search performance and application compatibility (such as Exchange).
What Is Stored in the Global Catalog?
By default, the GC holds:
A full replica of all objects in its own domain
A partial replica (certain attributes only) of objects in other domains
✅ Why Add Attributes to the Global Catalog?
You may want to add attributes to the GC when:
Custom applications need to query specific attributes across the forest
Services like Microsoft Exchange require attributes to be in the GC (Exchange setup extends the schema and adds its own attributes to the partial attribute set)
You want forest-wide searches answered by one GC over LDAP port 3268 (3269 for LDAPS) instead of chasing referrals to each domain; a GC search only returns attributes that are in the partial attribute set
⚙️ How to Add Attributes to the Global Catalog
Option 1: Using Active Directory Schema MMC
⚠️ You must be a member of Schema Admins and register the snap-in before using it. Schema changes are forest-wide, and the write is only accepted by the domain controller holding the schema master role (the snap-in connects to it by default). Add yourself to Schema Admins only for the change and remove yourself afterwards.
🧭 Steps:
Run regsvr32 schmmgmt.dll from an elevated prompt to register the schema snap-in
Open MMC → Add Snap-in → Choose Active Directory Schema
In the console:
Expand Attributes
Locate the attribute (e.g., employeeID)
Right-click → Properties
Check the box "Replicate this attribute to the Global Catalog"
Click OK
📝 The setting is written to the schema master and then replicates to every Global Catalog in the forest, so it takes a replication cycle before all GCs answer with the new attribute. Since Windows Server 2003, adding an attribute to the partial attribute set no longer forces a full resynchronization of the Global Catalog.
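The same change made without the snap-in, as an added example that is not part of the original module: the checkbox in the GUI simply sets isMemberOfPartialAttributeSet on the attribute's schema object. The script assumes you are a Schema Admin and uses employeeID as the attribute; it targets the schema master explicitly and then checks each Global Catalog over port 3268.

```powershell
# Added example, not part of the original module: add an attribute to the Global Catalog
# partial attribute set (PAS) by setting isMemberOfPartialAttributeSet on its attributeSchema
# object, then verify which GCs already return it.
# Assumed: run as a member of Schema Admins; attribute employeeID.
Import-Module ActiveDirectory

$ldapName = 'employeeID'
$forest   = Get-ADForest
$schemaDC = $forest.SchemaMaster                     # the only DC that accepts schema writes
$schemaNC = (Get-ADRootDSE -Server $schemaDC).schemaNamingContext

# Look the attribute up by lDAPDisplayName rather than guessing its CN (employeeID's CN is Employee-ID).
$attr = Get-ADObject -Server $schemaDC -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
    -Properties isMemberOfPartialAttributeSet, attributeSyntax, isSingleValued

if (-not $attr) { throw "Attribute $ldapName was not found in the schema" }

if ($attr.isMemberOfPartialAttributeSet) {
    "$ldapName is already in the partial attribute set"
} else {
    # Equivalent of ticking "Replicate this attribute to the Global Catalog".
    Set-ADObject -Server $schemaDC -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    "$ldapName added to the PAS on $schemaDC; every GC will pick it up after replication"
}

# Verification: ask each Global Catalog on the GC port (3268). A GC search returns only
# PAS attributes, so a $null result on a GC that has not replicated yet is expected.
foreach ($gc in $forest.GlobalCatalogs) {
    $hit = Get-ADUser -Server "${gc}:3268" -Filter "$ldapName -like '*'" `
        -Properties $ldapName -ResultSetSize 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ GlobalCatalog = $gc; ReturnsAttribute = [bool]$hit }
}
```

Unticking the box (setting the value back to $false) removes the attribute from the PAS again, but the attribute definition itself can never be deleted from the schema, only made defunct, which is the main reason schema changes deserve a change record.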
Delegating Administrative Control of Active Directory (AD) Objects
Delegation of Control in Active Directory allows you to assign specific administrative tasks over OUs (Organizational Units) or other AD objects to selected users or groups—without granting them full domain admin rights.
Why Delegate Control?
Improve security by applying the principle of least privilege
Distribute workload by giving helpdesk/admins limited rights
Avoid overuse of Domain Admins
🧭 Common Tasks You Can Delegate
Resetting passwords
Creating or managing user/computer accounts
Managing group memberships
Managing Group Policy links on the OU (editing the GPOs themselves is delegated separately in the Group Policy Management Console)
Managing printer or shared-folder objects in AD (via a custom task that targets those object types)
🛠️ How to Delegate Control (Step-by-Step)
📍 Using the Delegation of Control Wizard:
Open Active Directory Users and Computers (dsa.msc)
Right-click the target OU → Select "Delegate Control"
Click Next
Add users or groups to whom you want to delegate rights → Next
Choose common tasks (like Reset passwords)
Or select “Create a custom task to delegate” for advanced options
Click Finish
- Using the Delegation of Control Wizard
- Administrators Can Delegate Control by:
- Granting permissions in a specific OU
- Granting permissions to modify permissions for an object
- Easiest to Track Permissions Delegated at OU Level
- Use Delegation of Control Wizard to Grant Permissions at OU Level
- The wizard only adds ACEs: it cannot list or remove earlier delegations, so review and revoke through the OU's Security tab (Advanced) or with Get-Acl/Set-Acl on the AD: drive, and audit delegated ACEs regularly
- Keep privileged accounts out of delegated OUs: members of protected groups (Domain Admins, Administrators and the like) have their ACL overwritten from AdminSDHolder by the SDProp process every 60 minutes, and delegating password resets or group-membership changes over such accounts is a direct path to domain compromise
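What the wizard writes for the common task "Reset user passwords and force password change at next logon", done with PowerShell so that it can be reviewed and reverted. This is an added example and not part of the original module: the Helpdesk group and the Staff OU are assumed names; the task's two ACEs (the Reset Password extended right and read/write on pwdLastSet) are what the wizard template grants, and write access to lockoutTime is an extra ACE added here, under the assumption that the helpdesk should also unlock accounts.

```powershell
# Added example, not part of the original module: delegate "reset password and force
# change at next logon" on an OU to a group, verify the ACEs, and list accounts in the OU
# that the delegation will NOT cover because AdminSDHolder protects them.
# Assumed names: group Helpdesk, OU=Staff under the domain root. Requires the ActiveDirectory
# module and an account allowed to modify the OU's DACL.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Staff,$domainDN"
$trustee  = (Get-ADGroup 'Helpdesk').SID              # delegate to a group, never to a person

# Well-known schema GUIDs (assumed unmodified; resolve them from the schema if in doubt).
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$lockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute (extra: unlock)

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$rw      = $rights::ReadProperty -bor $rights::WriteProperty
# Descendents + inheritedObjectType = user: the ACEs apply to user objects under the OU,
# not to the OU itself and not to groups or computers in it.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $trustee, $rights::ExtendedRight, 'Allow', $resetPassword, $inherit, $userClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $trustee, $rw, 'Allow', $pwdLastSet, $inherit, $userClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $trustee, $rw, 'Allow', $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify what was written. Reverting is the mirror image: RemoveAccessRule($ace), then Set-Acl.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like '*\Helpdesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Accounts in this OU that SDProp re-stamps from AdminSDHolder (adminCount=1): the delegation
# above is removed from them within the hour, and they should not live in a delegated OU anyway.
Get-ADUser -SearchBase $ou -Filter 'adminCount -eq 1' | Select-Object Name, DistinguishedName
```

Because the ACEs are built from explicit GUIDs, the resulting delegation is exactly scoped: the helpdesk can reset and unlock user accounts in Staff and nothing else, which is what the wizard produces but is easier to audit and to check into change control as a script.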
- Creating Customized Administrative Tools
- Creating Customized Consoles
- Open MMC
- Add snap-ins and extensions
- Save
- Selecting Console Modes: Author mode (the console can be edited) or one of the User modes (full access; limited access with multiple windows; limited access with a single window), which lock the snap-ins, views and windows so that a delegated admin cannot add snap-ins or navigate outside the saved scope
- Creating Taskpads