Windows Domains & Active Directory: A Simplified Overview

This note summarizes key concepts of Windows domains and Active Directory (AD), focusing on practical application.

1. Why Domains?

Managing a small network is easy (manual user accounts, individual settings). But scaling up is difficult:

  • Overwhelming workload: Manual configuration becomes time-consuming and error-prone.
  • Inconsistent settings: Maintaining uniformity across many computers is challenging.
  • Security risks: Individual policy management is less secure.
  • Inefficient support: On-site support across multiple locations is impractical.

Solution: Windows Domains and Active Directory (AD) centralize management.

graph LR
    A[Small Network] --> B(Manual Management);
    C[Large Network] --> D(Windows Domain & AD);
    D --> E{Centralized Management};
    D --> F{Improved Security};
    D --> G{Simplified Administration};

2. Active Directory (AD)

AD is the central database of a Windows domain, storing information about users, computers, groups, printers, and other objects. Key AD objects:

  • Users: Represent people (employees) or services (e.g., IIS, SQL Server). They are security principals (can access resources).
  • Computers: Each domain-joined computer has a machine account (e.g., PC-Name$). The machine account is a local administrator on that machine.
  • Security Groups: Combine users/computers to manage permissions easily. (e.g., “Domain Admins,” “Sales Team”).
  • Organizational Units (OUs): Containers for organizing users and computers. Used to apply policies to groups of users or computers. A user belongs to only one OU.

graph LR
    A[Active Directory] --> B(Users);
    A --> C(Computers);
    A --> D(Security Groups);
    A --> E(Organizational Units);
    B --> F{Security Principal};
    C --> F;
    D --> F;

OUs vs. Security Groups: OUs manage policies, security groups manage permissions. A user can be in multiple security groups.

3. Managing Users & Computers in AD

  • Managing Users: Create, delete, modify user accounts in Active Directory Users and Computers (ADUC).
  • Delegation: Grant specific users limited AD control (e.g., allowing the IT Help Desk to reset passwords).
  • Managing Computers: Organize computers into OUs (e.g., “Workstations,” “Servers”) for easier policy management.

4. Group Policy Objects (GPOs)

GPOs are collections of settings applied to OUs. They can target users or computers.

  • Creating GPOs: Create a GPO, configure settings (e.g., password policy, control panel access), and link it to the desired OU(s).
  • GPO Distribution: GPOs are distributed via the SYSVOL share on the Domain Controller. Clients pick them up on their refresh interval; run gpupdate /force on a client to pull the latest policies immediately.
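The steps in sections 2 to 4 (OU and security group, user creation, help-desk delegation, GPO creation and linking, forced refresh) carried out with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original note. The domain corp.example, the OU, group, user, GPO and workstation names, and the pre-existing "Help Desk" group are all assumptions.

```powershell
# Added example, not from the original note. Assumes RSAT modules, a domain
# "corp.example" (placeholder) and that it is run by a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'   # placeholder domain

# OUs hold objects so policies can be scoped to them; a user sits in exactly one OU.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
$salesOU = "OU=Sales,$domainDN"

# A security group grants permissions; a user may belong to many groups.
New-ADGroup -Name 'Sales Team' -GroupScope Global -GroupCategory Security -Path $salesOU

# People and service accounts are both security principals; this one is a person.
$password = Read-Host -AsSecureString 'Initial password for j.doe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'j.doe' -Path $salesOU `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Sales Team' -Members 'j.doe'

# Delegation: let the help desk reset passwords for users in the Sales OU only
# (the "Reset Password" extended right), instead of making them domain admins.
$helpDesk      = Get-ADGroup 'Help Desk'                             # assumed to exist
$resetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'        # User-Force-Change-Password right
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'        # schema GUID of the user class
$acl = Get-Acl -Path "AD:\$salesOU"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpDesk.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClassGuid))
Set-Acl -Path "AD:\$salesOU" -AclObject $acl

# GPO: create it, configure a user-side setting, then link it to the OU.
$gpo = New-GPO -Name 'Sales - Lock Down Control Panel' -Comment 'Prohibit Control Panel access'
# NoControlPanel = 1 is the registry form of "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $salesOU -LinkEnabled Yes | Out-Null

# Verify the link, then trigger an immediate refresh on a workstation in the OU
# (the remote equivalent of running gpupdate /force on that client).
(Get-GPInheritance -Target $salesOU).GpoLinks | Select-Object DisplayName, Enabled, Order
Invoke-GPUpdate -Computer 'SALES-PC01' -Force   # placeholder workstation name
```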

5. Authentication

  • Kerberos: The default and most secure authentication protocol in modern Windows domains.
  • NetNTLM: An older protocol, maintained for backward compatibility.

6. Trees, Forests, and Trusts (brief)

  • Tree: A single AD database.
  • Forest: Multiple trees, allowing for organizational separation.
  • Trusts: Relationships between domains or forests, enabling access across different organizational structures.

This simplified overview provides a foundational understanding of Windows domains and AD for managing networks of all sizes. For detailed information, refer to the official Microsoft documentation.