Active Directory (AD) is the backbone of Windows enterprise networks. It's the directory service that stores information about all network objects—users, computers, printers, groups, and resources—and enables centralized management, authentication, and access control across your entire organization.
Understanding Active Directory
Active Directory is a hierarchical database designed to manage network resources efficiently. When you implement AD, you create a domain—a logical grouping of network objects that share the same AD database and security policies. All computers and users in a domain trust the Domain Controller (DC) to authenticate credentials and enforce policies.
🔑 Why Active Directory Matters
Without AD, managing 100 users and 100 computers means 10,000 individual configurations. With AD, you configure once and apply to all. This centralization saves time, reduces errors, and improves security.
AD Core Components
1. Users
User accounts represent people in your organization. Each user has:
- Username: Unique identifier (sAMAccountName)
- Email: For communication and authentication
- Password: Never stored in plain text; AD keeps password hashes (and the derived Kerberos keys), which are themselves encrypted inside the AD database
- Profile: Home directory, logon scripts, preferences
- Group Memberships: Determines resource access
- Attributes: Title, department, manager, phone, location
Creating a User in Active Directory
- Open Active Directory Users and Computers
- Navigate to the appropriate Organizational Unit
- Right-click and select New → User
- Enter first name, last name, and username
- Set password and configure password policy
- Add user to appropriate groups
- Click Finish to create the user
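The same user creation done with the ActiveDirectory PowerShell module, as an added example that is not part of the original article; the OU path, domain name, user and group name are assumed sample values.

```powershell
# Added example: create a user, force a first-logon password change, add to a group.
# The OU, UPN suffix and group are assumptions for this illustration.
Import-Module ActiveDirectory

$ou        = "OU=Sales,OU=Users,DC=corp,DC=example"   # assumed target OU
$groupName = "GRP_Sales_FolderAccess"                  # assumed existing security group

# Prompt for the initial password rather than embedding it in the script.
$initialPassword = Read-Host -Prompt "Initial password for jsmith" -AsSecureString

New-ADUser -Name "John Smith" `
    -GivenName "John" -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@corp.example" `
    -Path $ou `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Grant resource access through group membership, never per-user ACL entries.
Add-ADGroupMember -Identity $groupName -Members "jsmith"

# Verify what was created (enabled state, password timestamp, memberships).
Get-ADUser -Identity "jsmith" -Properties MemberOf, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, MemberOf
```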
2. Groups
Groups are collections of users, computers, and other groups. Instead of assigning permissions to individual users, you assign them to groups, making management scalable.
Group Types:
- Security Groups: Control access to resources (files, printers, applications)
- Distribution Groups: Send emails to multiple people
Group Scopes:
- Global: Members from same domain, can be used in any domain
- Domain Local: Control access to resources in same domain
- Universal: Can be used in any domain in the forest and contain members from any domain in the forest
Recommended Group Strategy (AGDLP): place Accounts in Global groups, nest those in Domain Local groups, and grant the resource Permissions to the Domain Local group only
3. Organizational Units (OUs)
OUs are containers within a domain that organize objects into a logical hierarchy. They're primarily used for:
- Organizing users and computers logically
- Applying Group Policies to specific collections
- Delegating administrative control
- Managing access permissions
4. Computers
Computer objects represent devices joined to the domain. They contain:
- Computer name and DNS name
- Operating system information
- Last logon timestamp
- Hardware configuration
- Security policies and GPO applications
Authentication Process
How Kerberos Authentication Works (5 Steps):
- User Logon: User enters credentials (username and password)
- Authentication Service (AS): Domain Controller validates credentials and issues Ticket-Granting Ticket (TGT)
- Request Service Ticket: User presents TGT to request access to a resource
- Grant Service Ticket: Domain Controller issues service ticket for requested resource
- Access Resource: User presents service ticket to resource and gains access
Permissions and Access Control
Access Control Lists (ACLs) determine who can access resources and what they can do with them. Each file or network resource has a list of users/groups with specific permissions.
| Permission | Effect | Applied To |
|---|---|---|
| Read | View file/folder content | Files & Folders |
| Write | Modify file/folder content | Files & Folders |
| Execute | Run executable files | Files |
| Modify | Change files and properties | Files & Folders |
| Full Control | Complete access including deletion and permission changes | Files & Folders |
| Traverse Folder | Move through folder structure | Folders |
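The AGDLP group strategy and the NTFS permission table above, carried through end to end as an added example (not code from the original article): an account goes into a Global group, the Global group is nested in a Domain Local group, and only the Domain Local group receives Modify on the folder. The OU, domain, folder path and group names are assumed; the ACL part runs on the file server that holds the folder.

```powershell
# Added example: AGDLP in practice. OU, domain, folder and group names are assumptions.
Import-Module ActiveDirectory

$ou     = "OU=Groups,DC=corp,DC=example"   # assumed OU that holds security groups
$folder = "D:\Shares\Sales"                 # assumed local path on the file server
$domain = "CORP"                            # assumed NetBIOS domain name

# A -> G: accounts are members of a Global group that describes a role.
New-ADGroup -Name "GRP_Sales_Users" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "GRP_Sales_Users" -Members "jsmith"

# G -> DL: the Domain Local group names one permission on one resource.
New-ADGroup -Name "ACL_SalesFolder_Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "ACL_SalesFolder_Modify" -Members "GRP_Sales_Users"

# DL -> P: only the Domain Local group appears in the folder's ACL.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\ACL_SalesFolder_Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Audit step: list every principal on the folder and whether the entry is inherited.
# Individual user accounts showing up here indicate a drift from AGDLP.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```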
Group Policy Objects (GPOs)
GPOs are collections of policy settings that control the appearance and behavior of Windows systems and AD objects. They enable mass deployment of configurations without touching individual machines.
Common GPO Applications:
- Enforce password complexity requirements
- Configure security settings and firewall rules
- Deploy software to specific users or computers
- Configure desktop backgrounds and screensavers
- Control access to Windows features
- Configure printer and network drive mappings
- Enable auditing and logging
Applying a Group Policy to an OU
- Open Group Policy Management console
- Navigate to the OU where you want to apply policy
- Right-click and select Create a GPO in this domain, and Link it here
- Name the GPO descriptively
- Right-click the new GPO and select Edit
- Navigate to Computer or User Configuration
- Apply desired policy settings
- Wait for the refresh or force it: clients refresh Group Policy every 90 minutes (plus a random offset of up to 30 minutes); gpupdate /force applies it immediately
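The GPO procedure above scripted with the GroupPolicy module, as an added example that is not from the original article. The GPO name, target OU and test computer are assumed; the one setting it configures, the NoLMHash registry value, is a real Computer Configuration security setting that stops the weak LM hash from being stored.

```powershell
# Added example: create, link and populate a GPO, then verify and refresh it.
# GPO name, OU and computer name are assumptions.
Import-Module GroupPolicy

$gpoName  = "SEC-Workstations-Baseline"                 # assumed, descriptive name
$targetOU = "OU=Workstations,DC=corp,DC=example"         # assumed OU to link to
$lsaKey   = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"  # real key for the setting below

# Step 3 and 4: create the GPO and link it to the OU in one go.
New-GPO -Name $gpoName -Comment "Baseline security settings for workstations" | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# Step 5 to 7: configure a Computer Configuration setting (registry-backed).
# NoLMHash = 1 prevents Windows from storing the LM hash of passwords.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName "NoLMHash" -Type DWord -Value 1 | Out-Null

# Verify the link on the OU and the value stored in the GPO.
(Get-GPInheritance -Target $targetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
Get-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName "NoLMHash" |
    Select-Object ValueName, Type, Value

# Step 8: instead of waiting up to 90 (+30) minutes, refresh one test machine now.
Invoke-Command -ComputerName "W10-SALES-01" -ScriptBlock { gpupdate /force }
```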
AD Replication and Sites
In large organizations, you deploy multiple Domain Controllers across different physical locations. AD replication keeps all DCs synchronized.
Replication Topology:
- Intra-site replication: Between DCs in same location (frequent, full updates)
- Inter-site replication: Between DCs in different locations (less frequent, bandwidth-aware)
- Replication delay: Typically 15 minutes within sites, depends on links between sites
Common AD Problems and Solutions
Problem: Users Cannot Logon to Domain
Causes: DC unreachable, incorrect credentials, account disabled, account locked out, password expired
Solutions:
- Verify network connectivity to DC
- Check if user account is enabled in AD
- Verify the account is not locked out (and check the lockout duration policy)
- Reset user password through AD Users and Computers
- Check if password expired (requires change on next logon)
- Verify user's computer is joined to domain
Problem: Computer Cannot Join Domain
Causes: DC unreachable, network issues, DNS not resolving DC, insufficient permissions
Solutions:
- Ping the domain controller: `ping DC_NAME`
- Verify DNS resolution: `nslookup DC_NAME`
- Check network connectivity and firewall rules
- Ensure computer name doesn't already exist in AD
- Verify user account has permissions to add computers to domain
- Restart the computer and try joining again
Problem: User Cannot Access Resource
Causes: User not in correct group, permissions misconfigured, NTFS and share permissions conflict
Solutions:
- Verify the user, or a group the user belongs to, is listed in the resource's access control list
- Check NTFS permissions (must have Read or Modify)
- Verify shared folder permissions
- Check inheritance settings (may override parent permissions)
- Test access from different computer to isolate user vs. computer issue
- Refresh policy and have the user log off and on again (group membership changes only take effect with a new logon token): `gpupdate /force`
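The logon and domain-join checks from the two troubleshooting lists above, collected into one diagnostic script as an added example (not from the original article). The domain name and user are assumed; it runs from any domain-joined machine with the ActiveDirectory module installed.

```powershell
# Added example: diagnostics for "cannot log on" / "cannot join". Domain and user are assumptions.
Import-Module ActiveDirectory

$domain = "corp.example"   # assumed DNS domain name
$user   = "jsmith"         # assumed account being investigated

# 1. DNS: domain joins and logons locate DCs through the SRV records, not just an A record.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object Name, NameTarget, Port

# 2. Reachability: pick a DC and test the ports authentication depends on.
$dc = (Get-ADDomainController -Discover -DomainName $domain).HostName | Select-Object -First 1
foreach ($port in 53, 88, 389, 445) {   # DNS, Kerberos, LDAP, SMB
    Test-NetConnection -ComputerName $dc -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Account state: disabled, locked out, expired password, recent bad attempts.
Get-ADUser -Identity $user -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet, BadLogonCount |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, PasswordLastSet, BadLogonCount

# Every locked-out account in the domain, useful when several users report the same symptom.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# Unlock only after the cause (typo, stale cached password, or something suspicious) is understood:
# Unlock-ADAccount -Identity $user

# 4. The computer's own machine-account trust with the domain; a broken channel blocks all logons.
Test-ComputerSecureChannel -Verbose
# Repair it with domain-admin-level credentials if the check returns False:
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```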
Best Practices for Active Directory
- Plan OU structure carefully: Design should reflect your organization and support Group Policy application
- Use meaningful naming conventions: Users (jsmith), computers (W10-SALES-01), groups (GRP_Sales_FolderAccess)
- Implement strong password policies: Minimum length 12 characters, complexity requirements, history
- Regularly audit permissions: Identify unnecessary access and reduce attack surface
- Document your infrastructure: Maintain current documentation of OUs, groups, and policies
- Implement least privilege: Users should have minimum permissions necessary for their role
- Regular backups: Back up AD database regularly and test recovery procedures
- Monitor logons: Enable audit logon events to detect suspicious activity
- Delegate administration: Use OUs to delegate management tasks to department administrators
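The "Monitor logons" practice turned into a concrete check, as an added example that is not part of the original article. It assumes it runs on a domain controller where logon and account-lockout auditing are enabled, and reads three Security-log events: 4625 (failed NTLM/interactive logon), 4771 (Kerberos pre-authentication failed, how a wrong password shows up on a DC) and 4740 (account locked out).

```powershell
# Added example: summarize failed logons and lockouts from the last 24 hours.
# Assumes a DC with "Audit Logon" and "Audit Account Lockout" enabled; the 20-failure threshold is arbitrary.
$since     = (Get-Date).AddHours(-24)
$threshold = 20

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4740; StartTime = $since }

# Flatten each event's EventData into name/value pairs so fields can be read by name.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $d['TargetUserName']
        # 4625/4771 carry the client IP; 4740 carries the caller computer name instead.
        Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
        Status  = $d['Status']
    }
}

# Accounts with the most failures: a handful is normal, a spike on one account is not.
$records | Where-Object EventId -ne 4740 |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 @{n='Account';e={$_.Name}}, Count

# One source hitting many different accounts is the pattern to look at first.
$records | Where-Object EventId -ne 4740 |
    Group-Object Source |
    Where-Object { ($_.Group.Account | Select-Object -Unique).Count -ge 5 } |
    Select-Object @{n='Source';e={$_.Name}}, Count

# Lockouts, with the machine that triggered them (often a device with a stale saved password).
$records | Where-Object EventId -eq 4740 | Select-Object Time, Account, Source

# Accounts over the threshold, ready to hand to the on-call analyst.
$records | Where-Object EventId -ne 4740 |
    Group-Object Account | Where-Object Count -ge $threshold |
    Select-Object @{n='Account';e={$_.Name}}, Count
```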
Key Takeaways
- Active Directory centralizes management of users, computers, and resources
- Users and groups form the foundation of access control
- Kerberos provides secure mutual authentication
- Group Policies enable mass configuration deployment
- OUs organize objects and support policy application
- Proper design prevents security issues and simplifies administration