# Organizational Units, users, groups

Goal: build the AD tree (OUs), populate it with users and groups, and apply the AGDLP nesting recommended by Microsoft.

## What is an OU

An Organizational Unit is a logical container for AD objects (users, computers, groups). OUs are used to link Group Policy, delegate administration, or simply structure the directory. An OU grants no permission by itself: it is purely a structuring tool. Permissions come from group membership and ACLs; GPO links and delegation are scoped to an OU, they are not something an object gains by sitting in it.

## Proposed tree

```
corp.lab
└── CORP
    ├── Users
    │   ├── Direction
    │   ├── Teaching
    │   ├── IT
    │   ├── Admin
    │   └── Students
    ├── Computers
    │   └── (same sub-OUs)
    ├── Groups
    └── Services
```

Mirror it or adapt it to your context.

## Creating OUs

### GUI

1. Open `Active Directory Users and Computers` (`dsa.msc`)
2. Right-click the domain > `New > Organizational Unit`
3. Name it `CORP`
4. Inside it, create `Users`, `Computers`, `Groups`, `Services`
5. Create the department sub-OUs under `Users` and `Computers`

### PowerShell

Key cmdlet: `New-ADOrganizationalUnit`. By default it sets `ProtectedFromAccidentalDeletion` to `$true`, so an OU created this way cannot be deleted until that flag is cleared.

```
New-ADOrganizationalUnit -Name "CORP" -Path "DC=corp,DC=lab"
New-ADOrganizationalUnit -Name "Users" -Path "OU=CORP,DC=corp,DC=lab"
```

Loop for the departments:

```
$deps = @("Direction","Teaching","IT","Admin","Students")
foreach ($d in $deps) {
    New-ADOrganizationalUnit -Name $d -Path "OU=Users,OU=CORP,DC=corp,DC=lab"
}
```

## Creating users

### GUI

1. Right-click a department OU > `New > User`
2. Fill in the fields (first name, last name, SamAccountName, UPN)
3. Set an initial password and tick `User must change password at next logon`

### PowerShell

Key cmdlet: `New-ADUser`. The initial password is written in clear here only because this is a lab; in a script you keep, read it with `Read-Host -AsSecureString` or generate one per user rather than committing a plaintext secret.

```
New-ADUser `
    -Name "Paul Martin" `
    -GivenName "Paul" `
    -Surname "Martin" `
    -SamAccountName "pmartin" `
    -UserPrincipalName "pmartin@corp.lab" `
    -Path "OU=Teaching,OU=Users,OU=CORP,DC=corp,DC=lab" `
    -AccountPassword (ConvertTo-SecureString "UserP@ss!2026" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true
```

## Creating groups

Two group scopes are used, both of type `Security`:

- **Global groups (GG)**: group users by department/role. `GG_Teaching`, `GG_Students`.
- **Domain local groups (DL)**: hold permissions on resources. `DL_Share_Common_R`, `DL_Share_Teaching_RW`.

### GUI

1. Right-click `OU=Groups` > `New > Group`
2. Scope: `Global` or `Domain local` as needed
3. Type: `Security`

### PowerShell

Key cmdlet: `New-ADGroup`.

```
New-ADGroup -Name "GG_Teaching" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
New-ADGroup -Name "DL_Share_Common_R" -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
```

## Apply AGDLP nesting

AGDLP is a Microsoft convention:

- **A**ccount in
- **G**lobal group (department), member of
- **D**omain **L**ocal group (resource), holding the
- **P**ermission

Concretely:

1. Add users to the matching global groups
2. Add the global groups to the matching domain local groups
3. Put NTFS/share permissions on the domain local groups, never directly on users or global groups

Key cmdlet: `Add-ADGroupMember`.

```
Add-ADGroupMember -Identity "GG_Teaching" -Members "pmartin"
Add-ADGroupMember -Identity "DL_Share_Common_R" -Members "GG_Teaching","GG_Students"
```

## Validation

```
Get-ADUser -Filter * -SearchBase "OU=CORP,DC=corp,DC=lab" | Select Name, SamAccountName
Get-ADGroup -Filter * -SearchBase "OU=Groups,OU=CORP,DC=corp,DC=lab" | Select Name, GroupScope
Get-ADGroupMember -Identity "GG_Teaching"
```

`Get-ADGroupMember` lists direct members only; add `-Recursive` to expand the nesting and see which users actually reach a domain local group through their global group.

`dsa.msc` should show your hierarchy, users in their OUs, and groups with their members.

## Next

`04-gpo.md` for Group Policy.
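## Full worked script

As an added example that is not part of the original page, the whole procedure above (OUs, users, groups, AGDLP nesting and the final permission) as one script that can be re-run without errors. It assumes the `ActiveDirectory` module (RSAT) on a machine joined to `corp.lab`, a NetBIOS domain name of `CORP`, and a share folder path `D:\Shares\Common` that only exists if you created it; the `Ensure-OU` and `Ensure-Group` helpers and the sample users other than `pmartin` are constructed for the example.

```powershell
# Added example, not from the original page. Builds the page's tree idempotently.
# Assumptions: ActiveDirectory module available, domain corp.lab / NetBIOS CORP,
# optional share folder D:\Shares\Common. Sample users below are constructed.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$domainDN = "DC=corp,DC=lab"
$corpOU   = "OU=CORP,$domainDN"
$deps     = @("Direction","Teaching","IT","Admin","Students")

# Helper (constructed): create an OU only if it is missing, return its DN.
# New-ADOrganizationalUnit errors on duplicates and protects the OU from
# accidental deletion by default, so check before creating.
function Ensure-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path | Out-Null
    }
    return $dn
}

# Helper (constructed): create a security group in OU=Groups only if missing.
function Ensure-Group {
    param([string]$Name, [string]$Scope, [string]$Path)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path)) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path | Out-Null
    }
}

# 1. OU tree: CORP, then Users/Computers/Groups/Services, then departments.
Ensure-OU -Name "CORP" -Path $domainDN | Out-Null
$usersOU     = Ensure-OU -Name "Users"     -Path $corpOU
$computersOU = Ensure-OU -Name "Computers" -Path $corpOU
$groupsOU    = Ensure-OU -Name "Groups"    -Path $corpOU
Ensure-OU -Name "Services" -Path $corpOU | Out-Null
foreach ($d in $deps) {
    Ensure-OU -Name $d -Path $usersOU     | Out-Null
    Ensure-OU -Name $d -Path $computersOU | Out-Null
}

# 2. Users. One initial password is read at the prompt instead of being written
#    in the script; every account must change it at first logon anyway.
$initial = Read-Host "Initial password for new lab users" -AsSecureString
$users = @(   # constructed sample data
    @{ Given = "Paul";  Surname = "Martin";  Sam = "pmartin";  Dep = "Teaching" },
    @{ Given = "Anna";  Surname = "Roux";    Sam = "aroux";    Dep = "Teaching" },
    @{ Given = "Lucas"; Surname = "Bernard"; Sam = "lbernard"; Dep = "Students" }
)
foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { continue }
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@corp.lab" `
        -Path "OU=$($u.Dep),$usersOU" -AccountPassword $initial `
        -Enabled $true -ChangePasswordAtLogon $true
}

# 3. Groups: one global group per department, domain local groups per resource.
foreach ($d in $deps) { Ensure-Group -Name "GG_$d" -Scope Global -Path $groupsOU }
Ensure-Group -Name "DL_Share_Common_R"    -Scope DomainLocal -Path $groupsOU
Ensure-Group -Name "DL_Share_Teaching_RW" -Scope DomainLocal -Path $groupsOU

# 4. AGDLP. A -> G: each account joins its department's global group.
#    G -> DL: departments reach resources only through the domain local groups.
#    Re-running is safe: adding an existing member is not an error.
foreach ($u in $users) { Add-ADGroupMember -Identity "GG_$($u.Dep)" -Members $u.Sam }
Add-ADGroupMember -Identity "DL_Share_Common_R"    -Members ($deps | ForEach-Object { "GG_$_" })
Add-ADGroupMember -Identity "DL_Share_Teaching_RW" -Members "GG_Teaching"

# 5. P: the ACE goes on the domain local group, never on users or global groups.
#    Only applied if the (assumed) share folder exists on this host.
if (Test-Path "D:\Shares\Common") {
    icacls "D:\Shares\Common" /grant "CORP\DL_Share_Common_R:(OI)(CI)RX"
}

# Validation: effective members of the resource group, expanded through nesting,
# and the reverse view for one user (direct memberships only).
Get-ADGroupMember -Identity "DL_Share_Common_R" -Recursive |
    Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity "pmartin" | Select-Object Name, GroupScope
```

The `-Recursive` listing is the check that matters: if `pmartin` does not appear under `DL_Share_Common_R`, the G-to-DL link is missing and the NTFS ACE on the share will never apply to him, even though `GG_Teaching` looks correct on its own.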