WSA Module 02: Active Directory & Identity


Active Directory & Identity

The foundation of enterprise identity management in Windows environments.

What You'll Learn

  • AD DS Architecture - Forests, domains, trees, and trust relationships
  • Organizational Units - Structuring your directory for management
  • User & Group Management - Creating and managing identity objects
  • Group Policy Basics - Centralized configuration management
  • PowerShell AD Cmdlets - Automating identity management
AZ-800 Exam Weight: This module covers 30-35% of the exam - the largest domain! Master AD DS concepts thoroughly.
[Figure: Active Directory as the central identity store. A corp.local AD DS directory database serves users, PCs and groups.]

Domain vs Workgroup

Before diving into Active Directory, understand the two network models for Windows computers.

Workgroup

  • Peer-to-peer networking
  • Each computer manages its own accounts
  • No central authentication
  • Limited to ~20 computers (practical)
  • No Group Policy
  • Best for: Home networks, small offices

Domain

  • Centralized management
  • Single sign-on across all resources
  • Central authentication via AD DS
  • Scales to thousands of computers
  • Group Policy for configuration
  • Best for: Enterprise environments
Key Concept: In a domain, users log on with domain credentials and can access any resource they're authorized for across the entire network - no separate accounts needed per machine.
[Figure: Two ways to network Windows machines. Workgroup: a peer-to-peer mesh of PC1 to PC4, each PC with its own users. Domain: centralized AD DS on DC01, single sign-on across all PCs.]

AD DS Architecture

Active Directory Domain Services uses a hierarchical structure to organize objects.

Forest - Security boundary, schema container
Domain - Administrative boundary (e.g., hexworth.local)
Organizational Unit (OU) - Container for objects
Objects - Users, Groups, Computers
Component | Description                                                   | Boundary Type
Forest    | Top-level container; shares common schema and global catalog  | Security boundary
Domain    | Logical grouping with own database; replication boundary      | Administrative boundary
OU        | Container within domain for organizing objects                | Group Policy boundary
[Figure: AD DS hierarchy, forest → tree → domain → OU. Forest contoso.com holds the tree contoso.com with child domains us.contoso and eu.contoso (Sales OU and IT OU, each with users + groups), plus a second tree acquired.com joined by a trust to contoso.com. The forest is the security boundary and contains one or more trees of domains.]

Domain Controllers

A Domain Controller (DC) is a server running AD DS that authenticates users and stores the AD database.

Domain Controller Functions

  • Authentication - Validates user credentials (Kerberos)
  • Directory Services - Stores and retrieves AD objects
  • Replication - Syncs changes with other DCs
  • DNS Integration - Usually hosts AD-integrated DNS zones
  • Group Policy - Distributes policy settings to clients
Best Practice: Always deploy at least 2 domain controllers for redundancy. If your only DC fails, no one can log on!

FSMO Roles

Five special operations roles distributed among DCs:

  • Schema Master - Controls schema modifications (1 per forest)
  • Domain Naming Master - Manages domain additions/removals (1 per forest)
  • RID Master - Allocates SID pools (1 per domain)
  • PDC Emulator - Time sync, password changes, legacy (1 per domain)
  • Infrastructure Master - Cross-domain object references (1 per domain)
[Figure: Domain Controllers use multi-master replication. DC01 and DC02 each hold a writable copy; change A and change B are accepted on either DC and synced to the others. Best practice: 2+ DCs per domain for redundancy.]

Organizational Units (OUs)

OUs are containers that help organize objects within a domain. They're the primary targets for Group Policy.

OU Design Principles

  • Delegation - Assign admin rights to specific OUs
  • Group Policy - Link GPOs to OUs for targeted settings
  • Organization - Mirror your company structure or function
# Example OU Structure
hexworth.local
├── Domain Controllers      # Built-in OU for DCs
├── Workstations
│   ├── IT Department
│   ├── Finance
│   └── HR
├── Servers
│   ├── Web Servers
│   ├── Database Servers
│   └── File Servers
└── Users
    ├── Employees
    ├── Contractors
    └── Service Accounts
Pro Tip: Keep OU depth to 5 levels or less. Deep nesting slows Group Policy processing and makes management complex.
[Figure: OUs nest, inherit and delegate. In corp.local the Sales OU is delegated to sales-admins, the IT OU has the SecureBaseline GPO linked, the HR OU has the KioskLockdown GPO linked, and Helpdesk and Servers are child OUs of IT. GPO settings inherit to child OUs, so SecureBaseline applies to the IT OU AND the Servers OU.]

User Accounts

User accounts are the primary identity objects in AD DS, representing people or services that need authentication.

User Account Types

Type                    | Purpose                            | Example
Domain User             | Standard employee accounts         | jsmith@hexworth.local
Service Account         | Run applications/services          | svc_sqlserver
Managed Service Account | Auto-managed passwords for services | MSA_WebApp$
Admin Account           | Elevated privileges for IT staff   | admin_jsmith

Key User Attributes

  • sAMAccountName - Legacy logon name (pre-Windows 2000)
  • userPrincipalName (UPN) - Modern logon (user@domain.com)
  • distinguishedName - Full LDAP path to object
  • objectSID - Unique security identifier
# Distinguished Name Example
CN=John Smith,OU=Employees,OU=Users,DC=hexworth,DC=local
[Figure: A user account is a directory object. jdoe@corp.local, John Doe, Sales department: sAMAccountName jdoe, userPrincipalName jdoe@corp, displayName John Doe, memberOf Sales and AllUsers, passwordLastSet 14 days ago, accountEnabled True. What it can do: log on to any domain PC, access shared resources, inherit Group Policy, receive email + Teams, be a group member, have audit history.]

Groups in Active Directory

Groups simplify permission management by allowing you to assign access to multiple users at once.

Group Types

Security Groups

  • Assign NTFS/share permissions
  • Control resource access
  • Used in ACLs
  • Can also receive email (if mail-enabled)

Distribution Groups

  • Email distribution only
  • No security permissions
  • Used with Exchange/M365
  • Can be converted to security

Group Scopes

Scope        | Members Can Be                          | Can Access Resources In
Domain Local | Any domain in forest + trusted forests  | Same domain only
Global       | Same domain only                        | Any domain in forest
Universal    | Any domain in forest                    | Any domain in forest
AGDLP Strategy: Accounts → Global groups → Domain Local groups → Permissions. This is the Microsoft-recommended nesting strategy.
[Figure: Group scopes, AGDLP order of operations. A = Accounts: user accounts from this domain. Global → DL: add Global groups to Domain Local groups (G = Global, DL = Domain Local). P = Permission: give the DL group access to the resource. AGDLP: Accounts → Global → Domain Local → Permission. Universal groups span multiple domains in the forest.]
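The AGDLP chain above carried out end to end with the ActiveDirectory module, as an added example that is not part of the course slides. It assumes the hexworth.local domain, an OU=Groups container, users jsmith and jdoe, and a folder D:\Shares\Finance on the server where it runs; the Get-OrCreateGroup helper is defined here, not an AD cmdlet.

```powershell
# Added example (not from the course slides): provision AGDLP for a Finance file share.
# Assumptions: ActiveDirectory module available, domain hexworth.local with an OU=Groups
# container, users jsmith and jdoe, and the folder D:\Shares\Finance on this server.
Import-Module ActiveDirectory

$groupsOU  = "OU=Groups,DC=hexworth,DC=local"
$sharePath = "D:\Shares\Finance"

function Get-OrCreateGroup {
    # Idempotent helper (defined here, not an AD cmdlet): return the group or create it.
    param([string]$Name, [string]$Scope, [string]$Description)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                -Path $groupsOU -Description $Description -PassThru
    }
    return $g
}

# A -> G: accounts join a role-based Global group that says WHO they are.
$roleGroup = Get-OrCreateGroup -Name "Finance-Users" -Scope Global -Description "Finance department staff"
Add-ADGroupMember -Identity $roleGroup -Members "jsmith", "jdoe"

# G -> DL: the Global group is nested into a resource-based Domain Local group
# that says WHAT may be done to one resource (Modify on the Finance share).
$resGroup = Get-OrCreateGroup -Name "FS-Finance-Modify" -Scope DomainLocal -Description "Modify on $sharePath"
Add-ADGroupMember -Identity $resGroup -Members $roleGroup

# DL -> P: only the Domain Local group is placed in the ACL. Users and Global groups
# never appear there, so a role change later is a group edit, not an ACL edit.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList "HEXWORTH\FS-Finance-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the chain: jsmith and jdoe resolve through Finance-Users into FS-Finance-Modify,
# and the ACL carries exactly one Domain Local principal for this share.
Get-ADGroupMember -Identity $resGroup -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $sharePath).Access | Where-Object { $_.IdentityReference -like "*FS-Finance-Modify" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```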

Group Policy Basics

Group Policy Objects (GPOs) allow centralized management of user and computer settings across the domain.

Group Policy Processing Order

LSDOU (Local → Site → Domain → OU)

1. Local - Local Group Policy on each computer
2. Site - GPOs linked to AD sites
3. Domain - GPOs linked to the domain
4. OU - GPOs linked to OUs (nested: parent → child)
Key Concept: Later-applied policies override earlier ones. OU policies "win" over domain policies for conflicting settings.

Common GPO Settings

  • Password Policy - Complexity, length, expiration
  • Account Lockout - Failed attempts, lockout duration
  • Software Deployment - Install/remove applications
  • Security Settings - Firewall, audit policies
  • Drive Mappings - Network drive connections
[Figure: GPO link → OU → users + computers. The SecureBaseline GPO (password length 14, lockout after 5 tries) is linked to the IT OU, the target container in corp.local; password rules apply to the user at logon, firewall rules apply to the PC at boot.]

Installing AD DS

Installing Active Directory Domain Services is a two-step process: install the role, then promote to DC.

Step 1: Install AD DS Role

First, install the AD DS server role and its management tools using PowerShell.

# Install the Active Directory Domain Services role
PS C:\> Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Expected output:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, ...}

Step 2: Promote to Domain Controller

To create the very first domain controller, you install a new AD forest. This establishes the root domain.

# Create a brand-new forest and root domain
PS C:\> Install-ADDSForest -DomainName "hexworth.local" -DomainNetBIOSName "HEXWORTH"

# Expected output:
The server will be configured as the first domain controller in a new forest.
DomainName        : hexworth.local
DomainNetBIOSName : HEXWORTH
ForestMode        : WinThreshold
DomainMode        : WinThreshold
WARNING: The server will be restarted automatically.

To add a second DC for redundancy, promote an additional server into the existing domain.

# Join an existing domain as an additional domain controller
PS C:\> Install-ADDSDomainController -DomainName "hexworth.local"

# Expected output:
DomainName        : hexworth.local
SiteName          : Default-First-Site-Name
ReplicationSource : DC01.hexworth.local
WARNING: The server will be restarted automatically.
Prerequisites:
  • Static IP address configured
  • DNS pointing to itself (or existing DC)
  • Strong DSRM password (Directory Services Restore Mode)
  • Appropriate Windows Server edition
[Figure: Promoting a server to Domain Controller. 1: Install the AD DS role (Install-WindowsFeature AD-Domain-Services -IncludeManagementTools). 2: Promote to Domain Controller (Install-ADDSForest -DomainName "corp.local" -InstallDns). 3: Set the DSRM password and reboot (Directory Services Restore Mode credentials for safe boot). Then verify replication + functional level (Get-ADDomainController; Get-ADForest). The first DC creates the forest; subsequent DCs join an existing one.]
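The two-step procedure above, with the listed prerequisites checked first and the ADDSDeployment pre-flight test run before the promotion commits, as an added example that is not from the course slides. It assumes the hexworth.local forest, an adapter named "Ethernet", and that the test result exposes a Status property as the promotion result object does.

```powershell
# Added example (not from the course slides): verify prerequisites, install the role,
# run the pre-flight test, then promote. Assumptions: adapter alias "Ethernet",
# forest hexworth.local / HEXWORTH, and a Status property on the test result.
$domainName  = "hexworth.local"
$netbiosName = "HEXWORTH"
$adapter     = "Ethernet"          # assumed adapter name; adjust for your server

# 1. Static IP: a DC must not depend on a DHCP lease for its address.
$ip = Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 | Select-Object -First 1
if ($ip.PrefixOrigin -ne "Manual") {
    throw "Configure a static IPv4 address on '$adapter' before promotion (found $($ip.PrefixOrigin))."
}

# 2. DNS: the first DC points at itself; an additional DC points at an existing DC.
$dns = (Get-DnsClientServerAddress -InterfaceAlias $adapter -AddressFamily IPv4).ServerAddresses
if (-not $dns) { throw "No DNS server configured on '$adapter'." }
Write-Host "Static IP $($ip.IPAddress), DNS servers: $($dns -join ', ')"

# 3. DSRM password: prompt for it as a SecureString instead of hard-coding it in the script.
$dsrm = Read-Host -Prompt "DSRM (Directory Services Restore Mode) password" -AsSecureString

# Step 1: install the role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# Step 2: dry-run the forest creation with the same parameters before committing.
Import-Module ADDSDeployment
$test = Test-ADDSForestInstallation -DomainName $domainName -DomainNetBIOSName $netbiosName `
            -SafeModeAdministratorPassword $dsrm -InstallDns
$test | Format-List

if ($test.Status -eq "Success") {
    # -Force skips the confirmation prompt; the server reboots automatically afterwards.
    Install-ADDSForest -DomainName $domainName -DomainNetBIOSName $netbiosName `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force
} else {
    Write-Warning "Pre-flight test did not succeed; fix the reported issues before promoting."
}
```

After the reboot, Get-ADDomainController and Get-ADForest (shown in the figure above) confirm the new DC and the forest functional level.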

AD Management Tools

Several tools are available for managing Active Directory objects and settings.

Tool                                          | Purpose                                | Best For
Active Directory Users and Computers (ADUC)   | Manage users, groups, computers, OUs   | Daily administration tasks
Active Directory Administrative Center (ADAC) | Modern GUI with PowerShell history     | Learning PowerShell, complex tasks
Group Policy Management Console (GPMC)        | Create, edit, link GPOs                | Policy management
Active Directory Sites and Services           | Configure replication topology         | Multi-site environments
PowerShell (ActiveDirectory module)           | Scripting and automation               | Bulk operations, automation
Pro Tip: ADAC shows the PowerShell equivalent of every GUI action. Use it to learn AD cmdlets as you work!
[Figure: Three primary AD management consoles. ADUC, Users and Computers (dsa.msc): tree of corp.local with Builtin, Computers, Sales OU (John Doe, Jane Smith) and Users; day-to-day user/group ops. ADAC, Admin Center (dsac.exe): Overview, PS History, Recycle Bin (restore deleted users), fine-grained password policies (PSO); modern admin + PS history. Sites & Services (dssite.msc): replication topology, US and EU sites joined by a site link, DC01 and DC02; replication + subnets.]

Essential AD PowerShell

The ActiveDirectory module provides cmdlets for managing all AD objects. Import it first with Import-Module ActiveDirectory.

User Management

Retrieve all properties for a user account to inspect their attributes.

# Query a user and return all AD attributes
PS C:\> Get-ADUser -Identity jsmith -Properties *

# Expected output:
DistinguishedName : CN=John Smith,OU=Employees,DC=hexworth,DC=local
Enabled           : True
GivenName         : John
Name              : John Smith
SamAccountName    : jsmith
UserPrincipalName : jsmith@hexworth.local

Create a new domain user in a specific OU with an initial password and enable the account immediately.

# Provision a new user account in the Employees OU
PS C:\> New-ADUser -Name "Jane Doe" -SamAccountName "jdoe" `
>>          -UserPrincipalName "jdoe@hexworth.local" `
>>          -Path "OU=Employees,DC=hexworth,DC=local" `
>>          -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) `
>>          -Enabled $true

Reset a password when a user is locked out or has forgotten their credentials.

# Force-reset a user's password to a new value
PS C:\> Set-ADAccountPassword -Identity jdoe -Reset `
>>          -NewPassword (ConvertTo-SecureString "NewP@ss1" -AsPlainText -Force)

Group Management

List the current members of a security group to audit who has access.

# Retrieve all members of a security group
PS C:\> Get-ADGroupMember -Identity "IT Admins"

# Expected output:
distinguishedName : CN=John Smith,OU=Employees,DC=hexworth,DC=local
name              : John Smith
objectClass       : user
SamAccountName    : jsmith

Grant a user membership in a group so they inherit its permissions.

# Add a user to the IT Admins security group
PS C:\> Add-ADGroupMember -Identity "IT Admins" -Members jdoe

Create a new Global security group for project-based access control.

# Create a new Global security group in the Groups OU
PS C:\> New-ADGroup -Name "ProjectX" -GroupScope Global -GroupCategory Security `
>>          -Path "OU=Groups,DC=hexworth,DC=local"
[Figure: Essential ActiveDirectory module cmdlets (Windows PowerShell, Import-Module ActiveDirectory):
PS> New-ADUser -Name "John Doe" -SamAccountName jdoe -Path "OU=Sales,DC=corp,DC=local" -Enabled $true
PS> Add-ADGroupMember -Identity Sales -Members jdoe
PS> Get-ADUser -Identity jdoe -Properties memberOf
PS> Set-ADAccountPassword -Identity jdoe -Reset
PS> Enable-ADAccount -Identity jdoe
PS> New-ADGroup -Name "Sales-RW" -GroupScope DomainLocal
PS> _ ]

Searching Active Directory

Efficiently searching AD is critical for administration. Use filters to find exactly what you need.

Filter Examples

Search for all user objects within a specific Organizational Unit.

# List every user in the Employees OU
PS C:\> Get-ADUser -Filter * -SearchBase "OU=Employees,DC=hexworth,DC=local"

# Expected output:
DistinguishedName : CN=John Smith,OU=Employees,DC=hexworth,DC=local
Enabled           : True
Name              : John Smith
SamAccountName    : jsmith

DistinguishedName : CN=Jane Doe,OU=Employees,DC=hexworth,DC=local
Enabled           : True
Name              : Jane Doe
SamAccountName    : jdoe

Locate disabled accounts that may need cleanup or re-enabling.

# Find all disabled user accounts in the domain
PS C:\> Get-ADUser -Filter {Enabled -eq $false}

Identify stale accounts by checking last logon dates against a threshold.

# Find users inactive for 90+ days
PS C:\> $date = (Get-Date).AddDays(-90)
PS C:\> Get-ADUser -Filter {LastLogonDate -lt $date} -Properties LastLogonDate

Use wildcard patterns to find computers matching a naming convention.

# Search for workstations starting with "WKS-"
PS C:\> Get-ADComputer -Filter {Name -like "WKS-*"}

# Expected output:
DistinguishedName : CN=WKS-001,OU=Workstations,DC=hexworth,DC=local
DNSHostName       : WKS-001.hexworth.local
Enabled           : True
Name              : WKS-001

Recursively enumerate group membership to see every user, including those in nested groups.

# List all Domain Admins, including nested group members
PS C:\> Get-ADGroupMember -Identity "Domain Admins" -Recursive
Performance Tip: Always use -Filter at the server instead of Where-Object client-side. Server-side filtering is much faster for large directories.
[Figure: Get-ADUser -Filter narrows down to what you need. All users: 847 accounts in corp.local; filter Department -eq "Sales" leaves 42 users in the Sales department, ready to act on.
PS> Get-ADUser -Filter {Department -eq 'Sales'} -Properties Department, Office
PS> Get-ADUser -LDAPFilter "(department=Sales)"        (for power-users: native LDAP query syntax)]
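The stale-account search and the server-side filtering tip above, turned into a review-then-disable audit, as an added example that is not from the course slides. It assumes the ActiveDirectory module, the OU=Employees,OU=Users,DC=hexworth,DC=local tree from the OU example, a holding OU named OU=Disabled (assumed) and the report path shown.

```powershell
# Added example (not from the course slides): audit stale but still-enabled users with
# server-side filters, export a review list, and stage disablement with -WhatIf.
# Assumptions: ActiveDirectory module, OU=Disabled holding OU, report path below.
Import-Module ActiveDirectory

$threshold  = (Get-Date).AddDays(-90)
$searchBase = "OU=Employees,OU=Users,DC=hexworth,DC=local"
$disabledOU = "OU=Disabled,DC=hexworth,DC=local"          # assumed holding OU
$reportCsv  = "C:\Reports\stale-users.csv"               # assumed path

# -Filter is evaluated on the domain controller, so only matches cross the network;
# Where-Object would first pull every user to the client. LastLogonDate is the
# replicated lastLogonTimestamp, which can lag a real logon by up to ~14 days, so the
# 90-day threshold already has margin. Scoping to Employees keeps service accounts out.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $threshold } `
            -SearchBase $searchBase -Properties LastLogonDate, PasswordLastSet

# "-lt" never matches an attribute that is not set, so accounts that have never logged
# on need their own query: no logon stamp at all, and created before the threshold.
$neverUsed = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -notlike "*" -and whenCreated -lt $threshold } `
            -SearchBase $searchBase -Properties whenCreated, PasswordLastSet

$candidates = @($stale) + @($neverUsed)
$candidates | Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet, DistinguishedName |
    Sort-Object LastLogonDate | Export-Csv -Path $reportCsv -NoTypeInformation

# Stage the change: annotate, disable, move to the holding OU. Every step runs with
# -WhatIf; remove it only after the CSV has been reviewed with the account owners.
foreach ($u in $candidates) {
    $last = if ($u.LastLogonDate) { $u.LastLogonDate.ToString("yyyy-MM-dd") } else { "never" }
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account audit; last logon $last"
    Set-ADUser -Identity $u -Description $note -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
    Move-ADObject -Identity $u -TargetPath $disabledOU -WhatIf
}
"{0} stale enabled account(s) written to {1}" -f $candidates.Count, $reportCsv
```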

Common Admin Tasks

These are everyday tasks you'll perform as an AD administrator.

Account Unlock

Unlock a user who has been locked out after too many failed password attempts.

# Unlock a locked-out user account
PS C:\> Unlock-ADAccount -Identity jsmith

Move Object to Different OU

Transfer a user from one OU to another when their role changes within the organization.

# Move a user from the Contractors OU to Employees
PS C:\> Move-ADObject -Identity "CN=John Smith,OU=Contractors,DC=hexworth,DC=local" `
>>          -TargetPath "OU=Employees,DC=hexworth,DC=local"

Bulk Operations

Import multiple users at once from a CSV file to avoid creating accounts one by one.

# Create user accounts from each row in a CSV file
PS C:\> Import-Csv "C:\newusers.csv" | ForEach-Object {
>>          New-ADUser -Name $_.Name -SamAccountName $_.Username -Path "OU=Employees,DC=hexworth,DC=local"
>>      }

Use pipeline chaining to query a set of users and add them all to a group in one step.

# Pipe all users from the IT OU directly into a group.
# Add-ADPrincipalGroupMembership takes the piped user objects as -Identity;
# Add-ADGroupMember's -Members parameter does not accept pipeline input.
PS C:\> Get-ADUser -Filter * -SearchBase "OU=IT,DC=hexworth,DC=local" | Add-ADPrincipalGroupMembership -MemberOf "IT Staff"
Always Test First! For bulk operations, use the -WhatIf parameter to preview changes before executing.
[Figure: A day in the life of an AD admin. Onboard new hires (user + groups), reset locked-out passwords, add/remove group memberships, disable accounts (offboarding), audit stale accounts (90+ days), verify DC replication health. Automate the repeating tasks: CSV onboarding with Import-Csv hires.csv | ForEach { New-ADUser ... }; find stale users with Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00; replication report with repadmin /replsummary.]
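The CSV onboarding and "test first" advice above, as an added example that is not from the course slides: each row is validated, previewed with -WhatIf by default, and only created (with a per-user initial password that must be changed at first logon) when -Commit is passed. It assumes Windows PowerShell 5.1 for System.Web, the hexworth.local domain, and a CSV with the columns Name, Username, Department and Groups (semicolon-separated), all of which are assumptions.

```powershell
# Added example (not from the course slides): validated, -WhatIf-first CSV onboarding.
# Assumptions: Windows PowerShell 5.1 (System.Web available), domain hexworth.local,
# CSV columns Name,Username,Department,Groups where Groups is ';'-separated.
param([string]$CsvPath = "C:\newusers.csv", [switch]$Commit)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web        # for the initial-password generator below

$employeesOU = "OU=Employees,DC=hexworth,DC=local"
$preview     = -not $Commit               # -WhatIf everywhere unless -Commit was given

foreach ($row in Import-Csv -Path $CsvPath) {
    # Validate before touching the directory: sAMAccountName is limited to 20 characters
    # and must be unique; a bad row is skipped, not partially created.
    if ([string]::IsNullOrWhiteSpace($row.Username) -or $row.Username.Length -gt 20) {
        Write-Warning "Skipping '$($row.Name)': invalid Username '$($row.Username)'"; continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.Username)'") {
        Write-Warning "Skipping '$($row.Username)': account already exists"; continue
    }

    # One random initial password per user (never a shared value from the CSV),
    # and the account must change it at first logon.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $params = @{
        Name                  = $row.Name
        SamAccountName        = $row.Username
        UserPrincipalName     = "$($row.Username)@hexworth.local"
        Department            = $row.Department
        Path                  = $employeesOU
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
        WhatIf                = $preview
    }
    New-ADUser @params

    # Role groups come from the CSV; AGDLP means these are Global groups, not ACL entries.
    foreach ($g in ($row.Groups -split ';' | Where-Object { $_.Trim() })) {
        Add-ADGroupMember -Identity $g.Trim() -Members $row.Username -WhatIf:$preview
    }

    # Return the initial password only on a real run, for out-of-band handover; do not
    # write it to a file or log.
    if ($Commit) { [pscustomobject]@{ Username = $row.Username; InitialPassword = $initial } }
}
```

Run it once without -Commit to read the -WhatIf lines for every row, then again with -Commit.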

Module Summary

Key Takeaways

  • AD Architecture: Forest → Domain → OU → Objects
  • Domain Controllers: Always deploy 2+ for redundancy
  • OUs: Organize objects and target Group Policy
  • Groups: Use AGDLP strategy (Accounts → Global → Domain Local → Permissions)
  • Group Policy: Processes in LSDOU order (Local → Site → Domain → OU)
  • PowerShell: ActiveDirectory module for automation and bulk tasks
Ready for Practice! Complete the GUI Lab to manage AD objects visually, then master the PowerShell Lab to automate identity tasks.
[Figure: Module 2 takeaways. Hierarchy: Forest → Domain → OU. Multi-master: 2+ DCs replicate. Users/Groups: AGDLP pattern. Group Policy: GPO → OU → object. Tools: ADUC, ADAC, Sites. PowerShell: New/Get/Set-ADUser. Search: Filter / LDAPFilter. Ready for AD-related Labs and Quiz.]