Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
# Organizational Units, users, groups

Goal: build the AD tree (OUs), populate it with users and groups, and apply the AGDLP nesting recommended by Microsoft.

## What is an OU
An Organizational Unit is a logical container for AD objects (users, computers, groups). OUs are used to apply policies, delegate admin, or just structure the directory.
An OU grants no permission by itself; it is purely a structuring tool (permissions come from groups and ACLs, policies from GPOs linked to the OU).

## Proposed tree

```text
corp.lab
└── CORP
    ├── Users
    │   ├── Direction
    │   ├── Teaching
    │   ├── IT
    │   ├── Admin
    │   └── Students
    ├── Computers
    │   └── (same sub-OUs)
    ├── Groups
    └── Services
```
Mirror or adapt to your context.
## Creating OUs

### GUI

- Open `Active Directory Users and Computers` (dsa.msc)
- Right-click the domain > New > Organizational Unit
- Name it `CORP`
- Inside it, create `Users`, `Computers`, `Groups`, `Services`
- Create the department sub-OUs under `Users` and `Computers`

### PowerShell

Key cmdlet: `New-ADOrganizationalUnit`.

```powershell
New-ADOrganizationalUnit -Name "CORP" -Path "DC=corp,DC=lab"
New-ADOrganizationalUnit -Name "Users" -Path "OU=CORP,DC=corp,DC=lab"
```

Loop for the departments:

```powershell
$deps = @("Direction","Teaching","IT","Admin","Students")
foreach ($d in $deps) {
    New-ADOrganizationalUnit -Name $d -Path "OU=Users,OU=CORP,DC=corp,DC=lab"
}
```
## Creating users

### GUI

- Right-click a department OU > New > User
- Fill in the fields (First, Last, SamAccountName, UPN)
- Set an initial password and tick `User must change password at next logon`

### PowerShell

Key cmdlet: `New-ADUser`.

```powershell
New-ADUser `
    -Name "Paul Martin" `
    -GivenName "Paul" `
    -Surname "Martin" `
    -SamAccountName "pmartin" `
    -UserPrincipalName "pmartin@corp.lab" `
    -Path "OU=Teaching,OU=Users,OU=CORP,DC=corp,DC=lab" `
    -AccountPassword (ConvertTo-SecureString "UserP@ss!2026" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true   # forces a password change at first logon, as in the GUI procedure
```
## Creating groups

Two group types:

- Global groups (GG): group users by department/role. Examples: `GG_Teaching`, `GG_Students`.
- Domain local groups (DL): hold permissions on resources. Examples: `DL_Share_Common_R`, `DL_Share_Teaching_RW`.

### GUI

- Right-click `OU=Groups` > New > Group
- Scope: `Global` or `Domain local` as needed
- Type: `Security`

### PowerShell

Key cmdlet: `New-ADGroup`.

```powershell
New-ADGroup -Name "GG_Teaching" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
New-ADGroup -Name "DL_Share_Common_R" -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
```
## Apply AGDLP nesting

AGDLP is a Microsoft convention (Account, Global group, Domain Local group, Permission):
- Account in
- Global group (department) member of
- Domain Local group (resource) holding the
- Permission
Concretely:
- Add users to matching global groups
- Add global groups to matching domain local groups
- Put NTFS/share permissions on domain local groups
Key cmdlet: `Add-ADGroupMember`.

```powershell
Add-ADGroupMember -Identity "GG_Teaching" -Members "pmartin"
Add-ADGroupMember -Identity "DL_Share_Common_R" -Members "GG_Teaching","GG_Students"
```
## Validation

```powershell
Get-ADUser -Filter * -SearchBase "OU=CORP,DC=corp,DC=lab" | Select-Object Name, SamAccountName
Get-ADGroup -Filter * -SearchBase "OU=Groups,OU=CORP,DC=corp,DC=lab" | Select-Object Name, GroupScope
Get-ADGroupMember -Identity "GG_Teaching"
```

dsa.msc should show your hierarchy, users in their OUs, and groups with their members.

## Next

`04-gpo.md` for Group Policy.
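The listings above show what exists, but not whether the nesting actually follows AGDLP. The following audit is an added example, not one of the course's reference scripts; it assumes the RSAT `ActiveDirectory` module and the `OU=Groups` path used on this page, and flags users placed directly in a domain local group, domain local groups nested inside global groups, and `GG_`/`DL_` names that do not match the group's scope.

```powershell
# Added AGDLP audit for the lab domain (not part of the course scripts).
# Assumes the RSAT ActiveDirectory module and the OU=Groups path from this page.
Import-Module ActiveDirectory

function Test-AgdlpNesting {
    param(
        [string]$SearchBase = "OU=Groups,OU=CORP,DC=corp,DC=lab"
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase

    foreach ($g in $groups) {
        # Naming convention: the prefix must match the scope (GG_ = Global, DL_ = DomainLocal)
        $prefix = switch ($g.GroupScope) { 'Global' { 'GG_' } 'DomainLocal' { 'DL_' } default { $null } }
        if ($prefix -and -not $g.Name.StartsWith($prefix)) {
            $findings.Add([pscustomobject]@{ Group = $g.Name; Member = ''; Issue = "Name should start with $prefix for scope $($g.GroupScope)" })
        }

        foreach ($m in Get-ADGroupMember -Identity $g.DistinguishedName) {
            $issue = $null
            if ($g.GroupScope -eq 'DomainLocal') {
                # DL groups hold permissions: they should contain only global groups.
                # A user placed here directly bypasses the department layer and is easy to forget.
                if ($m.objectClass -ne 'group') {
                    $issue = 'Account placed directly in a domain local group'
                } elseif ((Get-ADGroup -Identity $m.DistinguishedName).GroupScope -ne 'Global') {
                    $issue = 'Nested group is not a global group'
                }
            } elseif ($g.GroupScope -eq 'Global') {
                # Global groups collect accounts; a DL group inside one inverts AGDLP.
                if ($m.objectClass -eq 'group' -and (Get-ADGroup -Identity $m.DistinguishedName).GroupScope -eq 'DomainLocal') {
                    $issue = 'Domain local group nested inside a global group'
                }
            }
            if ($issue) {
                $findings.Add([pscustomobject]@{ Group = $g.Name; Member = $m.SamAccountName; Issue = $issue })
            }
        }
    }
    return $findings
}

# Usage: print every deviation, or confirm the tree is consistent
$result = Test-AgdlpNesting
if ($result.Count -eq 0) { "AGDLP nesting is consistent under OU=Groups" }
else { $result | Format-Table -AutoSize }
```

Run it after the `Add-ADGroupMember` step; on the tree built in this chapter it should report no findings, and it is a quick check to repeat after students have been editing group membership in the GUI.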