Overview
- AD DS acts as a catalog for all objects in a network (users, groups, machines, printers, etc.).
- Some objects, such as users and machines, are security principals, meaning they can be authenticated and assigned privileges.
Users
- Represent people (employees) or services (e.g., IIS, MSSQL).
- Can be authenticated and assigned permissions over resources.
Machines
- Each computer that joins the domain has a machine account (e.g., DC01$).
- Machine accounts are local administrators on their own devices.
- Passwords for machine accounts are auto-rotated and are 120 characters long.
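Because machine account passwords rotate on their own, a computer object whose password has not changed for a long time usually means the host is offline, decommissioned, or has had rotation disabled. The following audit script is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read computer objects in the domain. The 90-day threshold is an assumed review value, not a figure from the notes.

```powershell
# Added example (not from the original notes). Assumes the RSAT ActiveDirectory
# module and read access to computer objects in the domain.
Import-Module ActiveDirectory

# List machine accounts whose automatically rotated password is older than the
# threshold. Such accounts belong to hosts that are stale or have rotation
# disabled, and both cases deserve a look from whoever owns the domain.
function Get-StaleMachineAccount {
    param(
        [int]$MaxPasswordAgeDays = 90,                              # assumed review threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName      # whole domain by default
    )
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties PasswordLastSet, OperatingSystem, Enabled |
        # PasswordLastSet can be empty for an account that never authenticated;
        # skip those so the date comparison is meaningful.
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name,
            SamAccountName,          # machine accounts end in '$', e.g. DC01$
            OperatingSystem,
            Enabled,
            @{ Name = 'PasswordAgeDays';
               Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending
}

# Usage: print the report as a table.
Get-StaleMachineAccount -MaxPasswordAgeDays 90 | Format-Table -AutoSize
```

Disabled accounts still appear in the output on purpose: a disabled but never-deleted computer object is exactly the kind of leftover a periodic review is meant to catch, and the Enabled column makes the two cases easy to tell apart.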
Security Groups
- Used to assign access rights efficiently to multiple users/machines.
- Groups can contain users, machines, or other groups.
- Default security groups:
| Security Group | Description |
|---|---|
| Domain Admins | Full control over the domain. |
| Server Operators | Can manage Domain Controllers but not admin groups. |
| Backup Operators | Can access any file for backup purposes. |
| Account Operators | Can create/modify user accounts. |
| Domain Users | Includes all user accounts. |
| Domain Computers | Includes all machines in the domain. |
| Domain Controllers | Includes all DCs in the domain. |
- Full list available in Microsoft documentation.
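Since the first four groups in the table are effectively domain-wide control, their membership is worth reviewing regularly, and nested groups make that harder to see in ADUC alone. The script below is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module and read access to group objects, and the group list is taken from the table above.

```powershell
# Added example (not from the original notes). Assumes the RSAT ActiveDirectory
# module and read access to group objects in the domain.
Import-Module ActiveDirectory

# Groups from the table above whose members can control the domain or the DCs.
$PrivilegedGroups = @(
    'Domain Admins',
    'Server Operators',
    'Backup Operators',
    'Account Operators'
)

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($group in $Groups) {
        # Direct members may include other groups; -Recursive expands that
        # nesting and returns the leaf users and computers underneath it.
        $direct  = Get-ADGroupMember -Identity $group
        $members = Get-ADGroupMember -Identity $group -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass       # 'user' or 'computer'
                # False means the member got in only through a nested group.
                Direct      = ($direct.distinguishedName -contains $m.distinguishedName)
            }
        }
    }
}

$report = Get-PrivilegedGroupReport
$report | Format-Table -AutoSize

# Two findings a reviewer normally wants surfaced separately:
#   * machine accounts in an admin group (compromising that host yields the group's rights)
#   * members reachable only through nesting (easy to miss in the ADUC member list)
$report | Where-Object { $_.ObjectClass -eq 'computer' -or -not $_.Direct } |
    Format-Table -AutoSize
```

Get-ADGroupMember -Recursive does not return the intermediate groups themselves, only the users and computers at the bottom of the nesting, which is why the Direct column is computed by comparing against the non-recursive member list.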
Active Directory Users and Computers (ADUC)
- Used to manage users, groups, and machines in AD.
- Objects are organized in Organizational Units (OUs), which:
  - Classify users and machines.
  - Apply policies to users with similar roles (e.g., Sales vs. IT).
  - Users can only be in one OU at a time.
Default AD Containers
- Builtin – Default Windows groups.
- Computers – Default container for new machines joining the network.
- Domain Controllers – Contains all DCs.
- Users – Holds default domain-wide users and groups.
- Managed Service Accounts – Accounts for Windows services.
Security Groups vs. OUs
| Feature | Security Groups | Organizational Units (OUs) |
|---|---|---|
| Purpose | Grant permissions to resources | Apply policies to users/machines |
| Membership | Users can be in multiple groups | A user can be in only one OU |
| Example | Access to a shared folder | Enforcing password policies |
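The one-OU, many-groups distinction is visible on the user object itself: the OU is simply the parent of the object's distinguished name, while every group appears as a separate entry in MemberOf. The walkthrough below is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module, a placeholder domain corp.local, rights to create objects under it, and constructed OU, group and user names.

```powershell
# Added example (not from the original notes). Assumes the RSAT ActiveDirectory
# module, a placeholder domain 'corp.local', and rights to create objects in it.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=local'   # placeholder domain, not from the notes

# 1. One OU: the container the objects live in. Policies are linked to OUs.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true

# 2. Several security groups: what a member is allowed to access.
New-ADGroup -Name 'Sales Share Access' -GroupScope Global -GroupCategory Security -Path "OU=Sales,$domainDn"
New-ADGroup -Name 'VPN Users'          -GroupScope Global -GroupCategory Security -Path "OU=Sales,$domainDn"

# 3. A constructed user placed in the Sales OU and added to both groups.
$password = Read-Host -AsSecureString -Prompt 'Initial password for alice'
New-ADUser -Name 'Alice Example' -SamAccountName 'alice' -UserPrincipalName 'alice@corp.local' `
    -Path "OU=Sales,$domainDn" -AccountPassword $password -Enabled $true
Add-ADGroupMember -Identity 'Sales Share Access' -Members 'alice'
Add-ADGroupMember -Identity 'VPN Users'          -Members 'alice'

# 4. Read both facts back from the object. DN parsing assumes no escaped commas
#    in names (a hypothetical simplification for this demo).
function Get-UserPlacement {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    [pscustomobject]@{
        User   = $u.SamAccountName
        # Exactly one OU: everything after the first RDN of the distinguished name.
        OU     = ($u.DistinguishedName -split ',', 2)[1]
        # Any number of groups: one DN per entry in MemberOf; keep just the CN.
        Groups = @($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    }
}

Get-UserPlacement -SamAccountName 'alice'
```

One detail to keep in mind when reading MemberOf: the user's primary group (Domain Users by default) is stored in a separate attribute and is not listed there, so a user with an empty MemberOf is still a member of Domain Users.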