Active Directory is the central identity database for a Windows network — every user, computer, and group lives in it.
Before diving into Active Directory, understand the two network models for Windows computers.
AD DS hierarchy. Each level enforces a different kind of separation — right panel shows the visual nesting.
| Level | Boundary type |
|---|---|
| Forest — top container, shared schema | Security |
| Domain — own database, replication scope | Administrative |
| OU — container for organizing objects | Group Policy |
| Object — users, groups, computers | (leaf) |
A Domain Controller (DC) runs AD DS, authenticates users (Kerberos), and replicates with other DCs.
Most AD is multi-master; these 5 need ONE authoritative DC to avoid conflicts:
OUs are containers that organize objects within a domain. Three reasons they exist: delegation (assign admin rights to specific OUs), Group Policy (link GPOs to OUs for targeted settings), organization (mirror company structure).
User accounts are the primary identity objects in AD DS — people or services that need authentication.
| Type | Purpose | Example |
|---|---|---|
| Domain User | Standard employee | jsmith@hexworth.local |
| Service | Run an app/service | svc_sqlserver |
| Managed Service (MSA) | Auto-managed password | MSA_WebApp$ |
| Admin | Elevated IT privileges | admin_jsmith |
sAMAccountName = legacy short logon · userPrincipalName (UPN) = modern email-style logon · distinguishedName (DN) = full LDAP path (e.g. CN=John,OU=Employees,DC=hexworth,DC=local) · objectSID = unique security ID.
Groups simplify permission management — assign access to many users at once. Two types, three scopes.
Security groups grant resource permissions (via ACLs). Distribution groups are email-only.
| Scope | Members | Resources |
|---|---|---|
| Domain Local | Any domain | Same domain |
| Global | Same domain | Any in forest |
| Universal | Any in forest | Any in forest |
GPOs deliver centralized settings across the domain — passwords, firewall, drive mappings, software install. Right panel shows a GPO linking to an OU.
Local → Site → Domain → OU (parent then child).
Once your GPOs are placed correctly (slide 8), here is what you typically PUT in them. Five of the most common settings categories you will configure.
Two-step install: install the role, then promote to DC. -IncludeManagementTools installs the GUI consoles + ActiveDirectory PowerShell module.
Your first DC creates the forest. Subsequent DCs join the existing domain for redundancy and load distribution. Best practice: always run at least two DCs.
Five tools for managing AD objects + settings.
| Tool | Best for |
|---|---|
| ADUC — Users and Computers | Daily admin |
| ADAC — Admin Center (modern) | Learning PowerShell |
| GPMC — Group Policy console | Policy management |
| Sites & Services | Multi-site replication |
| PowerShell ActiveDirectory module | Bulk + automation |
Load: Import-Module ActiveDirectory. Three cmdlets cover the user lifecycle:
Params: -SamAccountName = legacy logon. -Path = OU DN. -AccountPassword needs a SecureString.
Group management uses the same Verb-Noun pattern. List members, add members, create new groups — all standard cmdlets from the ActiveDirectory module.
Filters at the server (-Filter) are much faster than client-side Where-Object. Four common patterns:
Beyond exact matches: wildcards for naming conventions, recursive enumeration for nested groups, and native LDAP syntax for advanced queries.
-Filter vs -LDAPFilter: same speed. -Filter {Dept -eq 'Sales'} = PowerShell-style (default). -LDAPFilter "(department=Sales)" = native LDAP, for docs queries.
Four everyday admin tasks. Each uses cmdlets you already know.
Two patterns scale admin work from one-at-a-time to one-command-for-many: CSV-driven user creation and pipeline-chained group operations.
-WhatIf to any bulk command to preview the changes without applying them.
Get/New/Set-ADUser · Add-ADGroupMemberInstall-ADDSForest · Install-ADDSDomainController