Active Directory & User Management Guide

Master Active Directory administration, user account management, group policies, and domain configuration for enterprise IT environments.

Project Type

IT administration and domain management documentation for enterprise environments.

Target Audience

Systems administrators, IT support staff, and network professionals.

Coverage

Active Directory, User Mgmt, GPO

Complete Active Directory Guide

📋 Topics Covered

AD Infrastructure Basics
Creating User Accounts
Group Management
NTFS Permissions
Group Policy Objects (GPO)
Password Policies

1. Active Directory Infrastructure Basics

What is Active Directory?

Active Directory is a centralized directory service that manages users, computers, and resources on a Windows domain. It authenticates and authorizes users and computers in a network.

Key Components

  • Domain Controller (DC): Server running Active Directory
  • Forest: Top-level container (usually one per organization)
  • Domain: Collection of computers sharing security policies
  • Organizational Units (OUs): Containers for organizing users/computers
  • Domain Users: User accounts with network access

AD Architecture

Forest (contoso.com)
├── Domain (corp.contoso.com)
│ ├── OU: Sales
│ │ ├── User: john.smith
│ │ └── Computer: SALES-PC01
│ ├── OU: IT
│ │ ├── User: admin
│ │ └── Computer: IT-SVR01

2. Creating & Managing User Accounts

STEP 1 Open Active Directory Users and Computers

  1. Press Windows + R
  2. Type: dsa.msc
  3. Press Enter
  4. Navigate to your domain and desired OU

STEP 2 Create New User

  1. Right-click OU → New → User
  2. Fill in user information:
    • First Name, Last Name
    • User logon name (e.g., john.smith)
    • UPN (User Principal Name): john.smith@contoso.com
  3. Click Next
  4. Set password and select appropriate options:
    • ✓ User must change password at next logon
    • ✓ Password never expires (optional)
    • ✓ Account is disabled (enable when ready)
  5. Click Next → Finish

BEST PRACTICE User Naming Convention

Recommended format: firstname.lastname

  • Examples: john.smith, maria.garcia, robert.johnson
  • Keep consistent and lowercase
  • Avoid special characters except periods and hyphens
  • Maximum 20 characters for compatibility
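Steps 1 and 2 and the naming convention above can also be scripted with the PowerShell Active Directory module. This is an added example, not part of the original guide; the function names, the OU path and the `contoso.com` UPN suffix default are assumptions for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to create users.
Import-Module ActiveDirectory

function Test-LogonName {
    param([Parameter(Mandatory)][string]$Name)
    # Convention from this guide: firstname.lastname, lowercase, only periods
    # and hyphens as special characters, at most 20 characters.
    ($Name.Length -le 20) -and ($Name -cmatch '^[a-z]+(-[a-z]+)*\.[a-z]+(-[a-z]+)*$')
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$OuPath,     # assumed, e.g. 'OU=Sales,DC=corp,DC=contoso,DC=com'
        [string]$UpnSuffix = 'contoso.com'         # assumed UPN suffix
    )
    $logon = ('{0}.{1}' -f $GivenName, $Surname).ToLowerInvariant()
    if (-not (Test-LogonName -Name $logon)) {
        throw "Logon name '$logon' does not follow the firstname.lastname convention."
    }
    # The name passed the regex above, so it is safe to embed in the filter string.
    if (Get-ADUser -Filter "SamAccountName -eq '$logon'") {
        throw "An account named '$logon' already exists."
    }

    # Prompt for the initial password so it never appears in the script or history.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $logon"

    # Created disabled and forced to change the password at first logon.
    # -PasswordNeverExpires is not set, so the domain password policy applies.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $logon -UserPrincipalName "$logon@$UpnSuffix" -Path $OuPath `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $false -PassThru
}

# Usage (constructed values):
# New-StandardUser -GivenName John -Surname Smith -OuPath 'OU=Sales,DC=corp,DC=contoso,DC=com'
# Enable-ADAccount -Identity john.smith   # once the account is ready for use
```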

3. Group Management

Group Types

Security Groups

Used for permissions and access control. Can contain users and computers.

Distribution Groups

Used for email distribution lists. Cannot be used for permissions.

CREATE New Group

  1. Open Active Directory Users and Computers
  2. Navigate to desired OU
  3. Right-click → New → Group
  4. Enter group name (e.g., "Sales_Dept")
  5. Select Group type: Security or Distribution
  6. Select Group scope:
    • Global: For users within domain
    • Domain Local: For local permissions
    • Universal: For cross-domain access
  7. Click OK

ADD Users to Group

  1. Find and right-click group
  2. Click Properties
  3. Go to Members tab
  4. Click Add
  5. Type user names separated by semicolons
  6. Click Check Names → OK

4. NTFS Permissions Management

Common NTFS Permissions

  • Full Control: Complete access (read, write, modify, delete)
  • Modify: Read and write, but cannot delete
  • Read & Execute: View and run files, cannot modify
  • Read: View files only
  • Write: Create and modify files

SET Folder Permissions

  1. Right-click folder → Properties
  2. Go to Security tab
  3. Click Edit
  4. Click Add to add user/group
  5. Type user/group name → Check Names
  6. Select user/group, then set permissions:
    • Check Allow boxes for permissions
    • Uncheck Deny boxes to block
  7. Click Apply → OK
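The group creation, membership and folder permission steps from sections 3 and 4 can be combined into one PowerShell function. This is an added example, not from the original guide; the function name, the OU path and the sample values are assumptions.

```powershell
# Added example. Requires the ActiveDirectory module and write access to the folder's ACL.
Import-Module ActiveDirectory

function Grant-GroupFolderAccess {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w .-]+$')][string]$GroupName,  # e.g. 'Sales_Dept'
        [Parameter(Mandatory)][string]$OuPath,       # assumed OU distinguished name
        [Parameter(Mandatory)][string[]]$Members,    # logon names, e.g. 'john.smith'
        [Parameter(Mandatory)][string]$Folder,
        # Least privilege: default to read-only access, widen only when required.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    # Security group with Global scope, created only if it does not exist yet.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -SamAccountName $GroupName `
            -GroupCategory Security -GroupScope Global -Path $OuPath
    }
    # Add only accounts that are not members already (re-adding raises an error).
    $current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName)
    $toAdd   = @($Members | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

    # Allow rule for the group, inherited by subfolders and files.
    $account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # Return the resulting entries for the group so the change can be documented.
    (Get-Acl -LiteralPath $Folder).Access | Where-Object { $_.IdentityReference.Value -eq $account }
}

# Usage (constructed values):
# Grant-GroupFolderAccess -GroupName Sales_Dept -OuPath 'OU=Sales,DC=corp,DC=contoso,DC=com' `
#     -Members john.smith -Folder 'D:\Shares\Sales'
```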

⚠️ Permission Best Practices

  • Always use groups, not individual users
  • Follow least privilege principle
  • Document all permission changes
  • Review permissions quarterly
  • Use inheritance wisely
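A periodic review can check the first practice directly by listing explicit (non-inherited) permission entries that were granted to individual user accounts instead of groups. This is an added example, not part of the original guide; the function name and the share path are assumptions, and it looks accounts up in the current domain only.

```powershell
# Added example. Requires the ActiveDirectory module and read access to the folder tree.
Import-Module ActiveDirectory

function Get-DirectUserAce {
    param([Parameter(Mandatory)][string]$Path)

    # The folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        # Inherited entries are reported once, on the folder where they were set.
        $explicit = (Get-Acl -LiteralPath $folder.FullName).Access |
            Where-Object { -not $_.IsInherited }

        foreach ($ace in $explicit) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # name that no longer resolves to a SID; skip it
            }
            # Groups, computers and well-known principals are ignored; only
            # entries whose SID belongs to a user object are reported.
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
            if ($obj -and $obj.ObjectClass -eq 'user') {
                [pscustomobject]@{
                    Folder  = $folder.FullName
                    Account = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                    Type    = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (constructed path):
# Get-DirectUserAce -Path 'D:\Shares\Sales' | Export-Csv .\direct-user-permissions.csv -NoTypeInformation
```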

5. Group Policy Objects (GPO)

What is Group Policy?

A Group Policy Object (GPO) is a set of rules that controls how computers and users function. It provides centralized settings for security, software, and system configuration.

OPEN Group Policy Editor

  1. Press Windows + R
  2. Type: gpmc.msc (for domain GPO management)
  3. Or type: gpedit.msc (for local policy)
  4. Press Enter

Common GPO Configurations

  • Password Policies: Length, complexity, expiration
  • Account Lockout: Failed login attempts
  • Software Installation: Deploy apps to users/computers
  • Security Settings: Firewall, UAC, encryption
  • Desktop/Start Menu: Restrict user options
  • Windows Updates: Schedule and enforce

💡 Active Directory Pro Tips

  • Always use descriptive group names (e.g., "Sales_Dept_ReadOnly")
  • Enable "User must change password at next logon" for new accounts
  • Regularly audit group membership and permissions
  • Use OUs to organize users logically by department
  • Test GPO changes on test OUs before domain-wide deployment
  • Document all custom GPOs and their purposes
  • Enable AD Recycle Bin for accidental deletion recovery
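The two GPO tips above (test on a test OU first, document every custom GPO) can be supported with the GroupPolicy PowerShell module. This is an added example, not part of the original guide; the function names and the test OU path are assumptions.

```powershell
# Added example. Requires the GroupPolicy module (installed with Group Policy Management).
Import-Module GroupPolicy

# Create (or reuse) a GPO with its purpose recorded, and link it to a test OU only.
function Publish-PilotGpo {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Purpose,   # stored as the GPO comment
        [Parameter(Mandatory)][string]$TestOu     # assumed, e.g. 'OU=GPO-Test,DC=corp,DC=contoso,DC=com'
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment $Purpose }

    # Link once; an existing link to the test OU is left as it is.
    $linked = @((Get-GPInheritance -Target $TestOu).GpoLinks | ForEach-Object DisplayName)
    if ($GpoName -notin $linked) {
        New-GPLink -Guid $gpo.Id -Target $TestOu -LinkEnabled Yes | Out-Null
    }
    $gpo
}

# Inventory every GPO: recorded purpose, last change, and where it is linked.
function Get-GpoInventory {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Purpose      = $gpo.Description
            Modified     = $gpo.ModificationTime
            LinkedTo     = $links -join '; '
            Undocumented = [string]::IsNullOrWhiteSpace($gpo.Description)
            Unlinked     = ($links.Count -eq 0)
        }
    }
}

# Usage (constructed values):
# Publish-PilotGpo -GpoName 'Workstation-Lockout' -Purpose 'Account lockout pilot' `
#     -TestOu 'OU=GPO-Test,DC=corp,DC=contoso,DC=com'
# Get-GpoInventory | Where-Object { $_.Undocumented -or $_.Unlinked } | Format-Table -AutoSize
```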

🛠️ Useful Tools & References

  • Active Directory Users and Computers (dsa.msc)
  • Group Policy Management (gpmc.msc)
  • Active Directory Administrative Center (dsac.exe)
  • PowerShell Active Directory Module