Lab_AD_Complet/docs/etudiant/en/03-ou-users-groups.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


# Organizational Units, users, groups
Goal: build the AD tree (OUs), populate it with users and groups, apply the
AGDLP nesting recommended by Microsoft.
## What is an OU
An Organizational Unit is a logical container for AD objects (users,
computers, groups). OUs are used to apply policies, delegate admin, or just
structure the directory.
An OU grants no permission by itself. It is purely a structuring tool.
## Proposed tree
```
corp.lab
└── CORP
    ├── Users
    │   ├── Direction
    │   ├── Teaching
    │   ├── IT
    │   ├── Admin
    │   └── Students
    ├── Computers
    │   └── (same sub-OUs)
    ├── Groups
    └── Services
```
Mirror or adapt to your context.
## Creating OUs
### GUI
1. Open `Active Directory Users and Computers` (`dsa.msc`)
2. Right-click domain > `New > Organizational Unit`
3. Name it `CORP`
4. Inside, create `Users`, `Computers`, `Groups`, `Services`
5. Create department sub-OUs under `Users` and `Computers`
### PowerShell
Key cmdlet: `New-ADOrganizationalUnit`.
```
New-ADOrganizationalUnit -Name "CORP" -Path "DC=corp,DC=lab"
New-ADOrganizationalUnit -Name "Users" -Path "OU=CORP,DC=corp,DC=lab"
```
Loop for departments:
```
$deps = @("Direction","Teaching","IT","Admin","Students")
foreach ($d in $deps) {
New-ADOrganizationalUnit -Name $d -Path "OU=Users,OU=CORP,DC=corp,DC=lab"
}
```
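The two snippets above create one OU each. As an added example (not one of the lab's reference scripts), the script below builds the whole proposed tree in one run and is safe to re-run: each OU is looked up one level below its parent before creation, so a second execution skips what already exists instead of erroring. It assumes the `corp.lab` domain from this lab, the `ActiveDirectory` module, and a session allowed to create OUs; the `New-LabOU` helper and the department list are this example's own.

```powershell
# Added example: build the proposed OU tree idempotently (not the lab's own script).
# Assumes the ActiveDirectory module and rights to create OUs in corp.lab.
Import-Module ActiveDirectory

$DomainDN    = "DC=corp,DC=lab"                         # adapt to your domain
$Departments = @("Direction", "Teaching", "IT", "Admin", "Students")

function New-LabOU {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    # Search only one level below $Path so a same-named OU elsewhere does not match
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $Path -SearchScope OneLevel
    if ($existing) {
        Write-Host "OU '$Name' already exists under $Path, skipping"
        return $existing.DistinguishedName
    }
    # ProtectedFromAccidentalDeletion is the default; stated explicitly so that a
    # stray Remove-ADOrganizationalUnit on a populated OU fails instead of succeeding
    New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    Write-Host "Created OU=$Name,$Path"
    return "OU=$Name,$Path"
}

$corp = New-LabOU -Name "CORP" -Path $DomainDN
foreach ($top in @("Users", "Computers", "Groups", "Services")) {
    $topDN = New-LabOU -Name $top -Path $corp
    # Department sub-OUs live under Users and Computers only (see the tree above)
    if ($top -in @("Users", "Computers")) {
        foreach ($d in $Departments) { New-LabOU -Name $d -Path $topDN | Out-Null }
    }
}

# Print the result as an indented tree for a quick check against the diagram.
# Sorting on the reversed DN puts every parent before its children.
Get-ADOrganizationalUnit -Filter * -SearchBase $corp |
    Sort-Object { $parts = $_.DistinguishedName -split ','; [array]::Reverse($parts); $parts -join ',' } |
    ForEach-Object {
        $depth = ($_.DistinguishedName -split ',OU=').Count - 1
        ('  ' * $depth) + $_.Name
    }
```

Run it on the domain controller as a domain admin. The deletion protection flag matters in a teaching lab: students who later want to remove an OU must clear it deliberately, which is the behaviour you want for a container that holds user objects.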
## Creating users
### GUI
1. Right-click a department OU > `New > User`
2. Fill in the fields (First, Last, SamAccountName, UPN)
3. Initial password, tick `User must change password at next logon`
### PowerShell
Key cmdlet: `New-ADUser`.
```
New-ADUser `
-Name "Paul Martin" `
-GivenName "Paul" `
-Surname "Martin" `
-SamAccountName "pmartin" `
-UserPrincipalName "pmartin@corp.lab" `
-Path "OU=Teaching,OU=Users,OU=CORP,DC=corp,DC=lab" `
-AccountPassword (ConvertTo-SecureString "UserP@ss!2026" -AsPlainText -Force) `
-Enabled $true `
-ChangePasswordAtLogon $true
```
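One `New-ADUser` call per person does not scale past a handful of accounts. As an added example (not one of the lab's reference scripts), the script below creates users from a CSV-shaped list, derives the SamAccountName and UPN, drops each account into its department OU, and gives every account its own random initial password that must be changed at first logon. The three people in the list are constructed for the example; `New-InitialPassword` and `Get-RandomIndex` are helpers written here, and the script assumes the OU tree from the previous section already exists in `corp.lab`.

```powershell
# Added example: bulk user creation with per-user initial passwords (not the lab's own script).
# Assumes the CORP/Users/<Department> OUs exist and the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

$DomainDN  = "DC=corp,DC=lab"
$UpnSuffix = "corp.lab"

# Constructed sample input; in a real run replace with: $people = Import-Csv .\users.csv
$people = @"
GivenName,Surname,Department
Paul,Martin,Teaching
Alice,Dupont,IT
Karim,Benali,Students
"@ | ConvertFrom-Csv

# Cryptographic RNG rather than Get-Random, which is not a CSPRNG
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function Get-RandomIndex {
    param([int]$Max)
    # Rejection sampling on one byte keeps the pick uniform (Max is far below 256 here)
    $b = [byte[]]::new(1)
    do { $rng.GetBytes($b); $v = [int]$b[0] } while ($v -ge 256 - (256 % $Max))
    return $v % $Max
}

function New-InitialPassword {
    param([int]$Length = 16)
    # One character from each class satisfies the default domain complexity rule;
    # look-alike glyphs (O/0, l/1) are left out to ease first-logon typing
    $sets  = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!?#%*-_')
    $all   = -join $sets
    $chars = @(foreach ($s in $sets) { $s[(Get-RandomIndex $s.Length)] })
    $chars += @(1..($Length - $sets.Count) | ForEach-Object { $all[(Get-RandomIndex $all.Length)] })
    # Shuffle so the class-guaranteed characters do not always come first
    return -join ($chars | Sort-Object { Get-RandomIndex 1000 })
}

foreach ($p in $people) {
    # Naming rule used here: first initial + surname, lowercase ASCII, max 20 chars (SAM limit)
    $sam = (($p.GivenName.Substring(0, 1) + $p.Surname).ToLower() -replace '[^a-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    $path    = "OU=$($p.Department),OU=Users,OU=CORP,$DomainDN"
    $initial = New-InitialPassword
    New-ADUser -Name "$($p.GivenName) $($p.Surname)" `
        -GivenName $p.GivenName -Surname $p.Surname -Department $p.Department `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
        -Path $path `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true

    # The initial password is handed over out of band; do not redirect this into the repo
    [pscustomobject]@{ SamAccountName = $sam; OU = $path; InitialPassword = $initial }
}
```

The existence check makes the script re-runnable after a partial failure, and `-ChangePasswordAtLogon $true` means the one-time password only ever grants a single logon before the user picks their own.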
## Creating groups
Two group scopes are used (both of type `Security`):
- **Global groups (GG)**: group users by department/role, e.g. `GG_Teaching`, `GG_Students`.
- **Domain local groups (DL)**: hold permissions on resources, e.g. `DL_Share_Common_R`, `DL_Share_Teaching_RW`.
### GUI
1. Right-click `OU=Groups` > `New > Group`
2. Scope: `Global` or `Domain local` as needed
3. Type: `Security`
### PowerShell
Key cmdlet: `New-ADGroup`.
```
New-ADGroup -Name "GG_Teaching" -GroupScope Global -GroupCategory Security `
-Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
New-ADGroup -Name "DL_Share_Common_R" -GroupScope DomainLocal -GroupCategory Security `
-Path "OU=Groups,OU=CORP,DC=corp,DC=lab"
```
## Apply AGDLP nesting
AGDLP is a Microsoft convention:
- **A**ccount in
- **G**lobal group (department) member of
- **D**omain **L**ocal group (resource) holding the
- **P**ermission
Concretely:
1. Add users to matching global groups
2. Add global groups to matching domain local groups
3. Put NTFS/share permissions on domain local groups
Key cmdlet: `Add-ADGroupMember`.
```
Add-ADGroupMember -Identity "GG_Teaching" -Members "pmartin"
Add-ADGroupMember -Identity "DL_Share_Common_R" -Members "GG_Teaching","GG_Students"
```
## Validation
```
Get-ADUser -Filter * -SearchBase "OU=CORP,DC=corp,DC=lab" | Select Name, SamAccountName
Get-ADGroup -Filter * -SearchBase "OU=Groups,OU=CORP,DC=corp,DC=lab" | Select Name, GroupScope
Get-ADGroupMember -Identity "GG_Teaching"
```
`dsa.msc` should show your hierarchy, users in their OUs, groups with members.
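The validation commands above list objects but do not tell you whether the AGDLP chain is actually respected. As an added example serving both the "Apply AGDLP nesting" and "Validation" sections (not one of the lab's reference scripts), the script below applies the nesting from a small mapping table, then audits every `DL_` group: a user placed directly in a resource group, or a nested group that is not Global scope, is reported as a finding. The mapping tables and the `Confirm-LabGroup`, `Add-MissingMember` and `Test-Agdlp` helpers are this example's own; it assumes the OUs and the `pmartin` account from the earlier sections exist in `corp.lab`.

```powershell
# Added example: apply and audit AGDLP nesting (not the lab's own script).
# Assumes OU=Groups,OU=CORP exists, users exist, and the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

$GroupsOU = "OU=Groups,OU=CORP,DC=corp,DC=lab"

# Constructed mapping: resource (DL) group -> global groups allowed to reach it.
# DL names encode the share and the access level (R / RW).
$Nesting = @{
    "DL_Share_Common_R"    = @("GG_Teaching", "GG_Students")
    "DL_Share_Teaching_RW" = @("GG_Teaching")
}
# Constructed mapping: global group -> SamAccountNames (pmartin is from the users section)
$Members = @{ "GG_Teaching" = @("pmartin"); "GG_Students" = @() }

function Confirm-LabGroup {
    # Returns the group, creating it if missing; refuses to continue if it exists with the wrong scope
    param([string]$Name, [ValidateSet('Global', 'DomainLocal')][string]$Scope)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupsOU
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $GroupsOU -PassThru
    } elseif ($g.GroupScope -ne $Scope) {
        throw "$Name exists with scope $($g.GroupScope), expected $Scope"
    }
    return $g
}

function Add-MissingMember {
    # Adds only the members not already present, so re-runs are no-ops
    param([string]$Group, [string[]]$Wanted)
    $have = (Get-ADGroupMember -Identity $Group).SamAccountName
    $new  = @($Wanted | Where-Object { $_ -notin $have })
    if ($new.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $new }
}

# A -> G : accounts into their global groups
foreach ($gg in $Members.Keys) {
    Confirm-LabGroup -Name $gg -Scope Global | Out-Null
    Add-MissingMember -Group $gg -Wanted $Members[$gg]
}
# G -> DL : global groups into the resource groups
foreach ($dl in $Nesting.Keys) {
    Confirm-LabGroup -Name $dl -Scope DomainLocal | Out-Null
    foreach ($gg in $Nesting[$dl]) { Confirm-LabGroup -Name $gg -Scope Global | Out-Null }
    Add-MissingMember -Group $dl -Wanted $Nesting[$dl]
}
# DL -> P : the NTFS/share ACL is granted to the DL_ groups when the share is created

function Test-Agdlp {
    # One object per violation; an empty result means the chain is clean
    $findings = @()
    foreach ($dl in Get-ADGroup -Filter "Name -like 'DL_*'" -SearchBase $GroupsOU) {
        foreach ($m in Get-ADGroupMember -Identity $dl) {
            if ($m.objectClass -ne 'group') {
                $findings += [pscustomobject]@{ Group = $dl.Name; Member = $m.SamAccountName
                    Issue = "direct $($m.objectClass) member; should be reached through a GG" }
            } elseif ((Get-ADGroup -Identity $m.DistinguishedName).GroupScope -ne 'Global') {
                $findings += [pscustomobject]@{ Group = $dl.Name; Member = $m.SamAccountName
                    Issue = "nested group is not Global scope" }
            }
        }
    }
    return $findings
}

$result = Test-Agdlp
if ($result) { $result | Format-Table -AutoSize } else { Write-Host "AGDLP chain is clean" }

# Which resource groups reach one user through the nesting? The LDAP_MATCHING_RULE_IN_CHAIN
# rule (OID 1.2.840.113556.1.4.1941) resolves transitive membership server-side.
$userDN = (Get-ADUser -Identity pmartin).DistinguishedName
Get-ADGroup -LDAPFilter "(&(name=DL_*)(member:1.2.840.113556.1.4.1941:=$userDN))" | Select-Object Name
```

The audit is worth keeping around after the lab: a user dropped straight into a `DL_` group still gets the share permission, so nothing breaks visibly, but the department group no longer tells you who can reach that resource. Running `Test-Agdlp` after each change catches that drift before the permissions chapter builds on it.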
## Next
`04-gpo.md` for Group Policy.