This document provides an overview of a Microsoft course module on managing Active Directory Domain Services objects. The module includes lessons on managing user accounts, groups, computer accounts, and delegating administration. It demonstrates how to perform tasks like creating users and groups, managing computer objects, and delegating administrative permissions to organizational units. The goal is to prepare students to configure Active Directory infrastructure for a new branch office by creating and managing required objects and delegating permissions.
Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure.
Active Directory Database.
Flexible Single Master Operations (FSMO)Role
Active Directory Services.
Some useful Tool
In presentation describe the structure of active directory architecture & also several components like object , attribute, Schema, Containers , Object Types, Data Model, Security Model & other components also describe.
How to Bring HCL Nomad Web and Domino Together Without SafeLinxpanagenda
Webinar Recording: https://www.panagenda.com/webinars/how-to-bring-hcl-nomad-and-domino-together-without-safelinx/
HCL Nomad Web is the way forward. It allows users to decide for themselves when and where they want to use the application. Naturally promoting business flexibility and increasing overall employee productivity. Besides, the way forward gets a lot easier if you can bring HCL Nomad Web and Domino together without SafeLinx.
So, you want to start with Nomad Web, the new and shiny client in the browser. But there are so many hurdles in the way. Luckily, with Domino 12.0.2, a big one is gone. The new Nomad Web Server on Domino makes it possible to have Nomad Web talk directly to Domino. You do not have to use SafeLinx unless you really want to!
Join Christoph Adler, HCL Ambassador & panagenda Senior Consultant, on December 13 for this webinar featuring live demos and hands-on examples. Gain the skills you need to run Nomad Web directly with Domino and to use HCL Nomad and Domino without SafeLinx. You will leave with a simple recipe that makes it easy to get going in your environment.
In our webinar, about how to run HCL Nomad Configurations on any device, we showed you that MarvelClient Roaming can help you solve many challenges. It enables you to automatically back up, restore, and share configurations (desktop, recent apps, settings, and more) among devices using Nomad. It uploads configurations to your Domino servers whenever they are changed, and then transparently updates any current and new devices used by the same person, with a tiny network and processing footprint. This time we go a little further.
What you will learn
- How to use HCL Nomad Web and Domino together without SafeLinx
- How to install and configure the Nomad Web Server
- How the Nomad Web Server works from a user’s point of view
- Which scenarios you might want to keep using SafeLinx
Alles was Sie über HCL Notes 14 wissen müssenpanagenda
Webinar Recording: https://www.panagenda.com/webinars/alles-was-sie-uber-hcl-notes-14-wissen-mussen/
Die Release von HCL Notes 14 ist immer noch in aller Munde. Wenn Sie an diesem Webinar teilnehmen, könnte die Version sogar schon verfügbar sein. Aufregend! Es gibt viel zu bestaunen: neue Version der JVM, neue Eclipse-Version, und der Client ist nur noch als 64-Bit-Version verfügbar – um nur einige Highlights zu nennen. Ein guter Zeitpunkt, um darüber nachzudenken, ob, wie und wann der Umstieg auf Notes 14 sinnvoll sein könnte. Seien Sie versichert, dass alle Antworten, die Sie brauchen, in diesem Webinar bekommen werden.
Nehmen Sie an unserem Webinar mit dem HCL-Botschafter und führenden Experten Marc Thomas teil. Sie erhalten einen umfassenden Überblick und können den geschäftlichen Nutzen, aber auch die Kosten einer Umstellung besser einschätzen. Alles, was Sie wissen müssen und tun sollten, egal ob Sie bereits mitten im Upgrade sind oder noch die Vor- und Nachteile abwägen.
Was Sie lernen werden
- Was ist neu in HCL Notes 14?
- Ist HCL Notes 14 die richtige Wahl für Sie oder ist Notes 12 besser?
- Was ist vor einem Upgrade zu beachten?
- Welche Herausforderungen bringen 64-bit Notes Clients mit sich?
- Welche Probleme sind bekannt und welche Lösungen gibt es?
- Tipps und Tricks, um das Meiste aus Notes 14 herauszuholen
Everything You Need to Know About HCL Notes 14panagenda
Webinar Recording: https://www.panagenda.com/webinars/everything-you-need-to-know-about-hcl-notes-14/
The release of Notes 14 is not too far away. By the time you are joining this webinar it might even be out already. An exciting time! And there’s so much to consider: A new JVM, an updated Eclipse version, and the client is now exclusively 64-bit – just for a start. It’s the perfect time to consider if, when, and how you want to upgrade, and we have all the facts you need right here.
Join this webinar with HCL Ambassador and leading expert Christoph Adler to get the complete rundown of everything you need to know and do. Whether you have already started to plan your upgrade or are just considering the pros and cons, this is the session for you.
Get answers on questions like
- What’s new in Notes 14
- Is Notes 14 right for you (yet), or is Notes 12 a better choice
- What do you need to consider before upgrading
- What challenges come with 64-bit clients
- What are the know issues and workarounds
- What are the best tweaks to get the most out of Notes 14
Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure.
Active Directory Database.
Flexible Single Master Operations (FSMO)Role
Active Directory Services.
Some useful Tool
In presentation describe the structure of active directory architecture & also several components like object , attribute, Schema, Containers , Object Types, Data Model, Security Model & other components also describe.
How to Bring HCL Nomad Web and Domino Together Without SafeLinxpanagenda
Webinar Recording: https://www.panagenda.com/webinars/how-to-bring-hcl-nomad-and-domino-together-without-safelinx/
HCL Nomad Web is the way forward. It allows users to decide for themselves when and where they want to use the application. Naturally promoting business flexibility and increasing overall employee productivity. Besides, the way forward gets a lot easier if you can bring HCL Nomad Web and Domino together without SafeLinx.
So, you want to start with Nomad Web, the new and shiny client in the browser. But there are so many hurdles in the way. Luckily, with Domino 12.0.2, a big one is gone. The new Nomad Web Server on Domino makes it possible to have Nomad Web talk directly to Domino. You do not have to use SafeLinx unless you really want to!
Join Christoph Adler, HCL Ambassador & panagenda Senior Consultant, on December 13 for this webinar featuring live demos and hands-on examples. Gain the skills you need to run Nomad Web directly with Domino and to use HCL Nomad and Domino without SafeLinx. You will leave with a simple recipe that makes it easy to get going in your environment.
In our webinar, about how to run HCL Nomad Configurations on any device, we showed you that MarvelClient Roaming can help you solve many challenges. It enables you to automatically back up, restore, and share configurations (desktop, recent apps, settings, and more) among devices using Nomad. It uploads configurations to your Domino servers whenever they are changed, and then transparently updates any current and new devices used by the same person, with a tiny network and processing footprint. This time we go a little further.
What you will learn
- How to use HCL Nomad Web and Domino together without SafeLinx
- How to install and configure the Nomad Web Server
- How the Nomad Web Server works from a user’s point of view
- Which scenarios you might want to keep using SafeLinx
Alles was Sie über HCL Notes 14 wissen müssenpanagenda
Webinar Recording: https://www.panagenda.com/webinars/alles-was-sie-uber-hcl-notes-14-wissen-mussen/
Die Release von HCL Notes 14 ist immer noch in aller Munde. Wenn Sie an diesem Webinar teilnehmen, könnte die Version sogar schon verfügbar sein. Aufregend! Es gibt viel zu bestaunen: neue Version der JVM, neue Eclipse-Version, und der Client ist nur noch als 64-Bit-Version verfügbar – um nur einige Highlights zu nennen. Ein guter Zeitpunkt, um darüber nachzudenken, ob, wie und wann der Umstieg auf Notes 14 sinnvoll sein könnte. Seien Sie versichert, dass alle Antworten, die Sie brauchen, in diesem Webinar bekommen werden.
Nehmen Sie an unserem Webinar mit dem HCL-Botschafter und führenden Experten Marc Thomas teil. Sie erhalten einen umfassenden Überblick und können den geschäftlichen Nutzen, aber auch die Kosten einer Umstellung besser einschätzen. Alles, was Sie wissen müssen und tun sollten, egal ob Sie bereits mitten im Upgrade sind oder noch die Vor- und Nachteile abwägen.
Was Sie lernen werden
- Was ist neu in HCL Notes 14?
- Ist HCL Notes 14 die richtige Wahl für Sie oder ist Notes 12 besser?
- Was ist vor einem Upgrade zu beachten?
- Welche Herausforderungen bringen 64-bit Notes Clients mit sich?
- Welche Probleme sind bekannt und welche Lösungen gibt es?
- Tipps und Tricks, um das Meiste aus Notes 14 herauszuholen
Everything You Need to Know About HCL Notes 14panagenda
Webinar Recording: https://www.panagenda.com/webinars/everything-you-need-to-know-about-hcl-notes-14/
The release of Notes 14 is not too far away. By the time you are joining this webinar it might even be out already. An exciting time! And there’s so much to consider: A new JVM, an updated Eclipse version, and the client is now exclusively 64-bit – just for a start. It’s the perfect time to consider if, when, and how you want to upgrade, and we have all the facts you need right here.
Join this webinar with HCL Ambassador and leading expert Christoph Adler to get the complete rundown of everything you need to know and do. Whether you have already started to plan your upgrade or are just considering the pros and cons, this is the session for you.
Get answers on questions like
- What’s new in Notes 14
- Is Notes 14 right for you (yet), or is Notes 12 a better choice
- What do you need to consider before upgrading
- What challenges come with 64-bit clients
- What are the know issues and workarounds
- What are the best tweaks to get the most out of Notes 14
Active Directory Domain Services Installation & Configuration - Windows Ser...Adel Alghamdi
- Windows Server 2012
Active Directory Domain Services Installation & Configuration
this is my first time making guide it hope it help someone
feel free to share and like :)
Governance in the Modern Workplace: SharePoint, OneDrive, Groups, Teams, Flow...Toni Frankola
The number of services end-users have under their fingertips in Office 365 has been dramatically growing, and there are just a minimum number of hurdles stopping end-users to go completely wild with all these options.
This means the amount of digital data that is being stored in Office 365 and company processes that touch Office 365, has been ever-increasing and organizations and IT professionals are struggling to keep up to govern the data.
In this session, we are going to dig deep in order to discuss best practices for governing such a system, what are some of the typical use cases and scenarios and typical pitfalls with governance. We are going to review what kind of reports and tools are available at our disposal as part of the built-in Office 365 offering, and when to use the programmable approach to automate governance.
Working with user accounts,modification,deletion and creating a group its policies and share and printer sharing over a network and windows server backup 2008
ADManager Plus Active Directory Management & ReportingPhuongTam6
ADManager Plus is a simple, easy-to-use Windows Active Directory Management and Reporting Solution that helps AD Administrators and Help Desk Technicians with their day-to-day activities. With a centralized and Intuitive web-based UI, the software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects, Delegate Role based access to Help Desk Technicians, and generates an exhaustive list of AD Reports, some of which are an essential requirement to satisfy Compliance Audits.
What problems does it solve?
Eliminates repetitive, mundane and complex tasks associated with AD Management.
Automates routine AD Management and Reporting activities for AD Administrators.
Facilitates Creation, Management and deletion of AD objects in Bulk.
Acts as an essential resource during Compliance Audits like SOX, HIPAA, etc
What features does it offer?
Single and Bulk User Management
Computer Management
Group Management
OU-based Administration
Contact Management
Help Desk Delegation
AD reports (Schedulable/Compliance Oriented)
What platforms/vendors/technologies does it support?
Platforms: Windows (32-bit/64-bit support).
Technology: Windows Active Directory.
Vendor: Microsoft.
Secure active directory in one day without spending a single dollarDavid Rowe
You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system. Learn how: - An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information. - Having your administrators make a few minor changes, can increase your security footprint and lower your attack surface. Session Outcomes: - Learn 5 free methods to secure your Active Directory. - Deploy validated and tested policies that enhance your security footprint. - Identify and define privileged groups in your organization.
Many Microsoft partners have found success driving revenue and delivering solutions with Office 365. Partners have built profitable service portfolios by selling, implementing, and creating value-added services for Office 365.
But there are many additional opportunities from Microsoft which enable Office 365 partners to elevate productivity for their customers. Microsoft Dynamics CRM Online is such an opportunity.
Dynamics CRM Online is a customer relationship management solution which allows your customers to track relationships and interactions, automate business processes and gain valuable insights into their own customers. Capabilities include Sales Force Automation, Marketing Automation, Customer Service and Social Media Insight.
O365 and CRM Online give customers an incredible solution and partners a fantastic new offering. Adding CRM Online to O365 lets customers cut through the clutter—to zero in and easily identify what they need to do next. It lets them find a relevant way to connect with their customer so they can win faster. And lets them collaborate with people, find, and access the information they need to ultimately sell more and grow their business.
By adding CRM Online, you elevate the discussion to business solutions. Plus, in addition to sales, Dynamics CRM has great solutions across marketing, customer service, and social listening & engagement.
xRM extends this to industry-specific solutions.
In this technical training we introduce Dicker Data reseller partners to Managing and deploying customizations; Configuring role-based security; Customizing entities, adding fields and relationships; Building forms for users to input and retrieve data; Presenting clear information in views and charts; Combining data sources on a dashboard; Going beyond role-based record-level security and assisting users through their business processes.
Similar to Microsoft Offical Course 20410C_03 (20)
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
What is the purpose of the Sabbath Law in the Torah. It is interesting to compare how the context of the law shifts from Exodus to Deuteronomy. Who gets to rest, and why?
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
Andreas Schleicher presents at the OECD webinar ‘Digital devices in schools: detrimental distraction or secret to success?’ on 27 May 2024. The presentation was based on findings from PISA 2022 results and the webinar helped launch the PISA in Focus ‘Managing screen time: How to protect and equip students against distraction’ https://www.oecd-ilibrary.org/education/managing-screen-time_7c225af4-en and the OECD Education Policy Perspective ‘Students, digital devices and success’ can be found here - https://oe.cd/il/5yV
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
2. Module Overview
• Managing User Accounts
• Managing Groups
• Managing Computer Accounts
• Delegating Administration
3. Lesson 1: Managing User Accounts
• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Demonstration: Managing User Accounts
• Demonstration: Using Templates to Manage User
Accounts
4. AD DS Administration Tools
To manage AD DS objects, you can use the
following graphical tools:
• Active Directory Administration snap-ins
• Active Directory Administrative Center
You can also use the following command-
line tools:
• Active Directory module in Windows
PowerShell
• Directory Service commands
C:/
8. Demonstration: Managing User Accounts
In this demonstration, you will see how to:
• Use the Active Directory Administrative Center to
manage user accounts
• Delete a user account
• Create a new user account
• Move the user account
• Use Windows PowerShell to manage user accounts
• Find inactive user accounts
• Find disabled user accounts
• Delete disabled user accounts
9. Demonstration: Using Templates to Manage
User Accounts
In this demonstration, you will see how to:
• Create a user template account
• Use Windows PowerShell to create a user from the
user template
• Verify the properties of the new user account
10. Lesson 2: Managing Groups
• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups
• Special Identities
• Demonstration: Managing Groups
11. Group Types
• Distribution groups
• Used only with email applications
• Not security-enabled (no SID);
cannot be given permissions
• Security groups
• Security principal with an SID;
can be given permissions
• Can also be email-enabled
Both security groups and distribution
groups can be converted to the other
type of group.
12. Group Scopes
U User
C Computer
GG Global Group
DLG Domain Local Group
UG Universal Group
Group
scope
Members from
same domain
Members
from domain
in same
forest
Members from
trusted
external
domain
Can be
assigned
permissions to
resources
Local
U, C,
GG, DLG, UG
and local users
U, C,
GG, UG
U, C,
GG
On the local
computer only
Domain
Local
U, C,
GG, DLG, UG
U, C,
GG, UG
U, C,
GG
Anywhere in the
domain
Universal
U, C,
GG, UG
U, C,
GG, UG
N/A
Anywhere in the
forest
Global
U, C,
GG
N/A N/A
Anywhere in the
domain or a
trusted domain
13. Implementing Group Management
ACL_Sales_Read
(Domain local group)
Sales
(Global group) Auditors
(Global group)
Domain local groups
Which provide management
such as resource access,
which are
DL
Global groups
Which collect members
based on members’ roles,
which are members of
G
Identities
Users or computers,
which are members of
I
Assigned access to a resourceA
This best practice for nesting
groups is known as IGDLA.
15. Implementing Group Management
Sales
(Global group) Auditors
(Global group)
Global groups
Which collect members
based on members’ roles,
which are members of
G
Identities
Users or computers,
which are members of
I
16. Implementing Group Management
ACL_Sales_Read
(Domain local group)
Sales
(Global group) Auditors
(gGlobal group)
Domain local groups
Which provide management
such as resource access,
which are
DL
Global groups
Which collect members
based on members’ roles,
which are members of
G
Identities
Users or computers,
which are members of
I
17. Implementing Group Management
ACL_Sales_Read
(Domain local group)
Sales
(Global group) Auditors
(Global group)
Domain local groups
Which provide management
such as resource access,
which are
DL
Global groups
Which collect members
based on members’ roles,
which are members of
G
Identities
Users or computers,
which are members of
I
Assigned access to a resourceA
18. Implementing Group Management
ACL_Sales_Read
(Domain local group)
Sales
(Global group) Auditors
(Global group)
Domain local groups
Which provide management
such as resource access,
which are
DL
Global groups
Which collect members
based on members’ roles,
which are members of
G
Identities
Users or computers,
which are members of
I
Assigned access to a resourceA
This best practice for nesting
groups is known as IGDLA.
19. Default Groups
• Carefully manage the default groups that provide administrative
privileges, because these groups:
• Typically have broader privileges than are necessary for most
delegated environments
• Often apply protection to their members
Group Location
Enterprise Admins Users container of the forest root domain
Schema Admins Users container of the forest root domain
Administrators Built-in container of each domain
Domain Admins Users container of each domain
Server Operators Built-in container of each domain
Account Operators Built-in container of each domain
Backup Operators Built-in container of each domain
Print Operators Built-in container of each domain
Cert Publishers Users container of each domain
20. Special Identities
• Special identities:
• Are groups for which membership is controlled by the
operating system
• Can be used by the Windows Server operating system to
provide access to resources:
• Based on the type of authentication or connection
• Not based on the user account
• Important special identities include:
• Anonymous Logon
• Authenticated Users
• Everyone
• Interactive
• Network
• Creator Owner
21. Demonstration: Managing Groups
In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
• Modifying the group’s Managed By property
22. Lesson 3: Managing Computer Accounts
• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer
Accounts
• Performing an Offline Domain Join
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
• Bring Your Own Device
24. Specifying the Location of Computer Accounts
• Best practice is to create
Organizational Units (OUs) for
computer objects
• Servers
• Typically subdivided by server role
• Client computers
• Typically subdivided by region
• Divide OUs:
• By administration
• To facilitate configuration with Group
Policy
26. Performing an Offline Domain Join
Offline Domain join can is used to join computers
to a Domain when they cannot contact a domain
controller.
• Create a domain join file using:
• Import the domain join file using:
djoin.exe /requestODJ /LoadFile <filepath>
/WindowsPath <path to the Windows directory of
the offline image>
djoin.exe /requestODJ /LoadFile <filepath>
/WindowsPath <path to the Windows directory of
the offline image>
27. Computer Accounts and Secure Channels
• Computers have accounts
• sAMAccountName and password
• Used to create a secure channel between the computer
and a domain controller
• Scenarios where a secure channel can be broken
• Reinstalling a computer, even with same name,
generates a new SID and password
• Restoring a computer from an old backup, or rolling
back a computer to an old snapshot
• Computer and domain disagree about what the
password is
28. Resetting the Secure Channel
• Do not delete a computer from the domain and
rejoin
• This process creates a new account, resulting in new SID
and lost group memberships
• Options for resetting the secure channel
• Active Directory Users and Computers
• DSMod.exe
• NetDom.exe
• NLTest.exe
• Windows PowerShell
29. Bring Your Own Device
AD FS has been enhanced to support bring your
own device programs
• Workplace Join – Creates an AD DS object for
consumer devices
• Multi-Factor Access Control – Increases security by
using claims-based authorization rules
• Multi-Factor Authentication – Increases security by
requiring more than one form of authentication
• Web Application Proxy – Allows apps to be
securely publish to the Internet
30. Lesson 4: Delegating Administration
• Considerations for Using Organizational Units
• AD DS Permissions
• Effective AD DS Permissions
• Demonstration: Delegating Administrative
Permissions
31. Considerations for Using Organizational Units
• OUs allow you to subdivide
the Domain for management
purposes
• OUs are used for:
• Delegation of control
• Application of GPOs
• The OU structure can be:
• Flat, one to two levels deep
• Deep, more than 5 levels deep
• Narrow, anything in between
33. Effective AD DS Permissions
Permissions assigned to users and groups accumulate
Best practice is to assign permissions to groups, not to
individual users
In the event of conflicts:
To evaluate effective permissions, you can use:
• Deny permissions override Allow permissions
• Explicit permissions override Inherited permissions
• Explicit Allow overrides Inherited Deny
• The Effective Access tab
• Manual analysis
34. Demonstration: Delegating Administrative
Permissions
In this demonstration, you will see how to:
• Create an OU
• Move objects into an OU
• Delegate a standard task
• Delegate a custom task
• View AD DS permissions resulting from these
delegations
35. Lab: Managing Active Directory Domain Services
Objects
• Exercise 1: Delegating Administration for a Branch
Office
• Exercise 2: Creating and Configuring User Accounts
in AD DS
• Exercise 3: Managing Computer Objects in AD DS
Logon Information
Virtual machines 20410C-LON-DC1
20410C-LON-CL1
User name AdatumAdministrator
Password Pa$$w0rd
Estimated Time: 60 minutes
36. Lab Scenario
You have been working for A. Datum as a desktop
support specialist and have visited desktop
computers to troubleshoot app and network
problems. You have recently accepted a
promotion to the server support team. One of
your first assignments is configuring the
infrastructure service for a new branch office.
(Continued on next slide)
37. Lab Scenario
(Continued)
To begin deployment of the new branch office,
you are preparing AD DS objects. As part of this
preparation, you need to create an OU for the
branch office and delegate permission to manage
it. Then you need to create users and groups for
the new branch office. Finally, you need to reset the
secure channel for a computer account that has lost
connectivity to the domain in the branch office.
38. Lab Review
• What are the options for modifying the attributes
of new and existing users?
• What types of objects can be members of global
groups?
• What types of objects can be members of domain
local groups?
• What are the two credentials that are necessary
for any computer to join a domain?
39. Module Review and Takeaways
• Review Questions
• Best Practices
• Tools
Editor's Notes
Presentation: 90 minutes
Lab: 60 minutes
After completing this module, students will be able to:
Manage user accounts with graphical tools.
Manage groups with graphical tools.
Manage computer accounts.
Delegate permission to perform Active Directory® Domain Services (AD DS) administration.
Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20410C_03.pptx.
Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not be displayed correctly.
Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on‑the‑job performance.
Emphasize that managing users and computers has gotten so much more complex with the proliferation of consumer devices in the workplace. Instead of just managing a relatively simple system of users and workstations, students may be managing multiple device types, operating systems, locations, multiple devices per user, various levels of access requirements, various level of security depending on access level required, and many other factors.
One way to approach this lesson’s content is to make the demonstrations your focus. Start the demonstrations, and then discuss the content in the topics as you proceed. This might take a couple of practices before you can perform the demonstrations without reference to the notes pages, but it makes the lesson a more engaging experience for the students.
Consider demonstrating each tool as you discuss it.
Consider performing a demonstration of creating a user account, by using the steps that the student handbook provides.
Discussion Prompt
Ask your students about their user account naming strategies.
Consider opening users’ accounts and viewing their account properties as you discuss this content with your students.
Consider demonstrating this procedure while you discuss the content with your students.
Discussion Prompt
When discussing the content that precedes the demonstration steps, students might be interested in discussing how to communicate a password change to users. Ask your students how they currently do this, and have them think about other methods. Possible solutions include sending a text to their cell phones, sending an email to an alternate address such as a Microsoft Live account, making a telephone call, and so on.
Windows PowerShell
If appropriate, mention to your students that they can also use Windows PowerShell® commands to perform common user administration task, such as resetting a user’s password by using the Set‑ADAccountPassword command.
For example, the following command resets Amy‘s password:
Set ADAccountPassword ‑identity ‘cn=amy, ou=IT, dc=contoso, dc=com’ ‑Reset ‑NewPassword (ConvertTo SecureString ‑AsPlainText “Pa$$w0rd2” ‑Force)
To unlock a user account by using Windows PowerShell, you can use the following command:
Unlock ADAccount ‑identity ‘cn=amy strand, ou=IT, dc=contoso, dc=com’
To disable or enable a user account with Windows PowerShell, type the following cmdlets at a Windows PowerShell prompt:
Enable ADAccount ‑identity <name>
Disable ADAccount ‑identity <name>
Preparation Steps
Start the required virtual machine, 20410C‑LON‑DC1.
Demonstration Steps
Delete a user account
Sign in to LON‑DC1 as Adatum\Administrator with the password Pa$$w0rd.
On LON‑DC1, in Server Manager, click Tools.
Click Active Directory Administrative Center.
In the Active Directory Administrative Center, click Adatum (local), and then double‑click Managers.
In Managers, right‑click Ed Meadows, and then click Delete.
In the Delete Confirmation dialog box, click Yes.
(Continued)
Create a new user account
In the Action pane, click New, and then click User.
In the Create User dialog box, in Full name, type Ed Meadows.
In User UPN logon, type Ed.
In Password and Confirm password, type Pa$$w0rd, and then click OK.
Move the user account
Right‑click Ed Meadows, and then click Move.
Click the IT organizational unit (OU), and then click OK.
In the navigation pane, click Adatum (local).
In the results pane, double‑click IT.
Verify that Ed Meadow’s account is listed.
Find users that have not signed in during the last 30 days
On the taskbar, click the Windows PowerShell icon.
To create a variable to specify the past 30 days, type the following command, and then press Enter:
$logonDate = (get‑date).AddDays(‑30)
To find all the user accounts that have not signed in during the past 30 days, type the following command, and then press Enter:
Get‑ADUser ‑Filter{lastLogon ‑le $logonDate}
The results include nearly every account in the domain because most of the accounts have never signed in.
(Continued)
Find and delete all disabled user accounts
To find all the disabled user accounts, type the following command, and then press Enter:
Get-ADUser ‑Filter{enabled ‑ne $True}
The results should list four accounts in the Sales OU and 2 system accounts in the Users container, Guest and krbtgt.
To delete the disabled user accounts in the Sales OU without being prompted for confirmation, type the following command, and then press Enter:
Get-ADUser ‑SearchBase "OU=Sales,DC=Adatum,DC=com" ‑Filter{enabled ‑ne $true} | Remove‑adobject ‑Confirm:$False
If this command runs successfully there is no output.
To verify the disabled accounts have been deleted, type the following command, and then press Enter:
Get-ADUser ‑Filter{enabled ‑ne $True}
The results should list the two system accounts in the Users container, Guest and krbtgt.
Leave the virtual machine running for the next demonstration.
Discussion Prompt
Discuss the reasons for using template accounts. Typically, template accounts are used to save the time needed to fill out the properties on the user accounts. Explain that using Windows PowerShell to create users from a template only copies the properties that are specified. The properties that cannot be copied include the Member Of property. If you want to include the group memberships from a template then you need to use either Active Directory Users and Computers or the Active Directory Administrative Center.
Reference:
For a full list of the properties that can be copied from a template for a new user see the article "Copy a User's Properties" at: http://go.microsoft.com/fwlink/?LinkID=331092
Preparation Steps
Ensure the required virtual machine, 20410C‑LON‑DC1, is running.
Demonstration Steps
Create a template account
On LON‑DC1, on the taskbar, click the Active Directory Administrative Center icon.
In the Active Directory Administrative Center, click Adatum (local), and then double‑click Sales.
In the Action pane, click New, and then click User.
In the Create User dialog box, in First name, type _LondonSales, in Last name, type Template.
In User UPN logon, type _LondonSales.
Select Protect from accidental deletion.
Under Organization, in Department, type Sales.
In Company, type A. Datum.
In City, type London.
In Description, type London Sales users.
In the Member of section, click Add.
In Enter the object names to select, type Sales and then click OK.
In the Create User _LondonSales Template dialog box, click OK.
(Continued)
Create a user from the _LondonSales template
In the Windows PowerShell window, create a variable ($LondonSales) to hold the _LondonSales properties, type the following command, and then press Enter:
$LondonSales = Get‑ADUser ‑Identity "_LondonSales" ‑Properties Department,Company,City
To create a new Sales user in the Sales OU, type the following command, and then press Enter:
New‑ADUser ‑Name "Dan Park" ‑SamAccountName "Dan" ‑Path "OU=Sales,DC=Adatum,DC=com" ‑AccountPassword (ConvertTo‑SecureString ‑AsPlaintext "Pa$$w0rd" ‑Force) ‑GivenName "Dan" ‑Surname "Park" ‑DisplayName "Dan Park" ‑Enabled $True ‑UserPrincipalName "Dan@Adatum.com" ‑ChangePasswordAtLogon $true ‑Instance $LondonSales
Verify the User Properties
In the Windows PowerShell window, type the following command, and then press Enter:
Get-ADUser –Identity “Dan” –Properties *
Verify the properties that you defined in the template were copied to the new user.
Leave the virtual machine running for the next demonstration.
Some students who are inexperienced with Windows Server often have difficulty grasping the concept of groups within groups. Consider using your whiteboard to go through the following example:
Draw three domains as triangles and add a file resource to each domain.
Ask your students how many file permissions are required if each domain hosts 100 users that each need access to the three file resources in your three domains.
Group the three sets of 100 users and repeat the question.
Group the groups and repeat the question.
This elegantly demonstrates the benefit of nesting groups.
Now all you need to do is to explain the particulars of the types and scopes in Windows Server. As with lesson 1, consider making the demonstration the focus of this lesson.
Explain to students that they can use distribution groups to send email messages to collections of users, but only with messaging programs such as Microsoft Exchange Server. Stress that distribution lists are not security-enabled, so they cannot be listed in discretionary access control lists (DACLs).
Also explain to students that they can use security groups to assign rights and permissions to groups of users and groups of computers. A security group is security-enabled, and can be used to assign permissions to local and network resources.
Use the table to describe group scopes. Consider drawing a diagram with several domains that shows where you can create groups, and the implications of each group scope.
This slide and the next five explain the example in the student notes. This slide summarizes the example and the next five slides build up the example frame by frame. The five frames are:
Identities
Global groups
Domain local groups
Assigned resource access
A copy of the summary, as shown in the first slide above
Alternatively, draw an illustration on the whiteboard by using the following guidelines to illustrate the advantage of group nesting:
Draw three domain objects, each containing five users. Draw a file object in one of the three domains.
Question: How many file permissions do you need to create to assign permissions on this file for each user?
Answer: You need to create fifteen file permissions.
Draw a circle around the five users in each domain, explaining that the circles represent global groups.
Question: How many permissions on the file do you need to assign at the global group level?
Answer: You need to assign three permissions.
Draw a circle adjacent to the file. Draw arrows from your global groups to this circle, indicating that you have added these groups to a local group in the resource holding domain.
Question: How many permissions must you assign to the local group?
Answer: You must assign one permission to the local group.
This is the first of five frames.
Identities are assigned to users or groups.
This is the second of five frames.
The users and computers have been collected into two separate groups, the Sales (global group) and the Auditors (global group).
This is the third of five frames.
The two global groups have been combined into one domain local group which is called ACL_Sales_Read.
This is the fourth of five frames.
The domain local group has been given access to a resource.
This is the fifth of five frames.
This is a summary of the example. It is the same as the slide in the Student Manual.
Show your students the groups mentioned on the slide as you discuss them.
Show your students the identities that are mentioned on the slide, as you discuss them.
Preparation Steps
The required virtual machine, 20410C‑LON‑DC1 should already be running after the preceding demonstration.
Demonstration Steps
Create a new group
On LON‑DC1, switch to Active Directory Administrative Center.
Expand Adatum (Local), and then click IT.
In the Tasks list, under IT, point to New, and then click Group.
In the Create Group dialog box, in Group name, type IT Managers.
Add members to the group
Scroll down, and under Members, click Add.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select (examples), type April; Don.
Click Check Names, and then click OK.
In the Create Group IT Managers dialog box, click OK.
Add a user to the group
In the details pane, right‑click Ed Meadows.
Click Add to group.
In the Select Groups dialog box, in Enter the object names to select (examples), type IT Managers.
Click Check Names, and then click OK.
(Continued)
Change the group type and scope
In the details pane, double‑click IT Managers.
In the IT Managers dialog box, under Group scope, click Universal.
Under Group type, click Distribution, and then click OK.
Modify the group’s Managed By property
In the details pane, double‑click IT Managers.
In the details pane under Managed By, click Edit.
In the Select User, Contact or Groups dialog box, in Enter the object names to select (examples), type Ed Meadows, click Check Names, and then click OK.
Select Manager can update membership list, and then click OK.
Leave the virtual machine running for the next demonstration.
There are no demonstrations within this lesson. As you work your way through the content, consider performing small, impromptu demonstrations to help reinforce the content.
Consider opening Active Directory Users and Computers or Active Directory Administrative Center and demonstrating the default location for computer objects.
Emphasize the best practice of creating custom OUs for computer objects, rather than relying on the default Computers container.
Help students understand just enough about delegation (assigning permissions to OUs) and about configuration (linking GPOs to OUs) to understand how they might choose to design OU branches for clients and servers. Later modules go into more detail about Group Policy and delegation, and their impact on OU design. Do not go into too much detail here, but rather use the opportunity to introduce students to these concepts.
Consider demonstrating the process of delegating control over computer creation and deletion.
Explain that offline domain join was introduced to help with joining computers to the domain over unreliable connections. In Windows 8 and Windows Server 2012 domain join was expanded to include DirectAccess. That way computers can join the domain without communicating with a domain controller and once the DirectAccess settings are applied the computers can interact with the domain through any internet connection.
Explain to students that the secure channel between a computer and a domain controller is used for all communication with the domain, including authentication of a user sign in to the computer. The secure channel is established when the computer authenticates to the domain by using its user name and password. Like users, computers have sign in names and passwords. If the computer is unable to sign in successfully, the secure channel is not established. The effect is similar to when a user enters the wrong user name or password. In both circumstances, the user is not able to authenticate to the domain.
There are several scenarios during which the secure channel can be broken. Three of them are listed on the slide.
What is not listed on the slide is Administrator errors in AD DS. These can include dangerous Active Directory actions, such as rolling back a domain controller that is running a snapshot. You should mention that there are several ways for an administrator to damage AD DS (manually, automatically, intentionally, or accidentally), and damage might become apparent when broken secure channels appear.
Discussion Prompt
Ask students:
What scenarios have you encountered in which you identified that the secure channel was broken?
How did you know the secure channel was broken?
After students have shared their experiences, ask the question a slightly different way:
What scenarios have caused you to remove a computer from the domain, and then rejoin it to the domain?
This is a very common technique that administrators use to reset a secure channel. They often do not realize what they are actually doing when they remove the computer and then rejoin the domain.
If students have not already mentioned the sign in message that states, “The trust relationship between the workstation and the primary domain failed,” ask the students the following question:
Have you ever tried to sign in to the domain and received a message telling you that the computer could not talk to the domain? What messages did you receive?
Help students delineate messages such as “A domain controller is not available,” which is typically the result of networking connectivity problems, from messages that mention trust with the domain or otherwise indicate problems with the secure channel.
The following topic discusses the steps to take when one of these scenarios happens.
A broken computer account manifests itself with a variety of symptoms, error messages, and event‑log entries.
Mention that a user might be able to sign in to a machine with a broken secure channel using cached credentials, but they will experience other strange behavior, because authentication cannot use Kerberos version 5 (V5) protocol without a functioning secure channel.
Because nltest and netdom reset the secure channel without requiring a reboot, you should try those commands first. Only if you are not successful should you use the Reset Account command or DSMod.exe to reset the computer account.
Resetting the secure channel requires the Reset Password permission on the computer object.
This topic is just a high level overview of the new features in Windows Server 2012 R2 that help support consumer devices in a bring your own device scenario.
Consider starting the demonstration topic, and then discussing the content in the other three topics. Start the lesson by asking your students to consider at what point a single administrator is unable to manage a network by themselves, and how best to consider allocating administrative tasks to other administrators.
Discuss the design of an organizational unit (OU) hierarchy. Discuss your experience with OU design and the students’ environments and the reasons they have created OUs. Explain that OUs should be created with a specific management goal in mind with ease of management as a goal.
Consider demonstrating the process of viewing permissions.
Consider demonstrating the process of viewing effective permissions.
Discussion Prompt
Delegation of control in Active Directory Domain Services (AD DS) can be done manually or by using the Delegation of Control Wizard. Typically it is easier to assign permissions in AD DS by using the Delegation of Control Wizard, however if you have a complex permission scenario you may need to manually configure the permissions.
Preparation Steps
The required virtual machine, 20410C‑LON‑DC1, should be running after the preceding demonstration.
Demonstration Steps
Create an OU
On LON‑DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
Expand the Adatum.com domain.
Right click Adatum.com, point to New, and then click Organizational Unit.
In the New Object – Organizational Unit dialog box, in Name, type Executives.
Note: Discuss the purpose of the Protect Container From Accidental Deletion setting.
In the New Object – Organizational Unit dialog box, click OK.
Move users into the Executives OU
Click the Managers OU.
Click Carol Troup and then hold down Shift while clicking Euan Garden.
Right click Euan Garden and then click Move.
In the Move dialog box, click Executives, and then click OK.
(Continued)
Delegate a standard task
In the navigation pane, right‑click Executives, and then click Delegate Control.
In the Delegation of Control Wizard, click Next.
On the Users or Groups page, click Add.
In the Select Users, Computers, or Groups dialog box, in Enter the object names to select (examples), type IT, and then click OK.
On the Users or Groups page, click Next.
On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following options, and then click Next
Create, delete, and manage user accounts,
Reset user passwords and force password change at next logon,
Read all user information
On the Completing the Delegation of Control Wizard page, click Finish.
Delegate a custom task
In the navigation pane, right‑click Executives, and then click Delegate Control.
In the Delegation of Control Wizard, click Next.
On the Users or Groups page, click Add.
In the Select Users, Computers, or Groups dialog box, in Enter the object names to select (examples), type IT, and then click OK.
On the Users or Groups page, click Next.
On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
On the Active Directory Object Type page, click Only the following objects in the folder.
In the list, select Computer objects.
Select Create selected objects in this folder and Delete selected objects in this folder, and then click Next.
On the Permissions page, in the Permissions list, select Full Control, and then click Next.
On the Completing the Delegation of Control Wizard page, click Finish.
(Continued)
View AD DS permissions resulting from these delegations
On the View menu, click Advanced Features.
In the navigation pane, right‑click Executives, and then click Properties.
In the Executives Properties dialog box, on the Security tab, click Advanced.
In the Advanced Security Settings for Executives dialog box, notice the Allow permissions that are assigned to IT (ADATUM\IT). These were created during the delegation process.
Click Cancel twice, and then close all open windows except Server Manager.
After you complete the demonstration, revert all the virtual machines.
Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind the students to complete the discussion questions after the last lab exercise.
Exercise 1: Delegating Administration for a Branch Office
A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office OU. There is also a branch office help desk group that is able to manage users in the branch office OU, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups.
Exercise 2: Creating and Configuring User Accounts in AD DS
You have been a given a list of new users for the branch office, and you need to begin creating user accounts for them.
Exercise 3: Managing Computer Objects in AD DS
A workstation has lost its connectivity to the domain and cannot authenticate users properly. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.
Lab Review Questions
Question
What are the options for modifying the attributes of new and existing users?
Answer
To modify attributes of new and existing users, you can select multiple users and then open the Properties dialog box, you can use the dsmod command, or you can create a user account based on a user account template. Alternatively, you can use the set‑ADUser Windows PowerShell command.
Question
What types of objects can be members of global groups?
Answer
Global groups can include as members users and other roles (global groups) from the same domain.
Question
What types of objects can be members of domain local groups?
Answer
Domain local groups can contain roles (global groups) and individual users from any trusted domain in the same forest or an external forest, and other domain local groups in the same domain. Finally, domain local groups can contain universal groups from anywhere in the forest.
Question
What are the two credentials that are necessary for any computer to join a domain?
Answer
The necessary credentials are the local credentials that are in the local Administrators group of the computer, and domain credentials that have permissions to join a computer to the computer account.
Module Review Questions
Point students to the appropriate section in the course so that they are able to answer the questions that this section presents.
Question
A company with branches in multiple cities has members of a sales team that travel frequently between domains. Each of these domains has their own printers that are managed by using domain local groups. How can you provide these members with access to the various domains printers?
Answer
You can create a group with domain local scope, and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope receive access to the new printer automatically.
Question
You are responsible for managing accounts and access to resources for your group members. A user in your group transfers to another department within the company. What should you do with the user’s account?
Answer
Although your company might have a Human Resources representative with AD DS permissions to move user accounts, the best solution is to move the user account into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department are enforced. If applying the correct Group Policies is important, the user’s account should be disabled until somebody with appropriate security permissions can move it into the new OU.
Question
What is the main difference between the Computers container and an OU?
Answer
You cannot create an OU within a Computers container, so you cannot subdivide the Computers container. In addition, you cannot link a GPO to a container. Because of this, as a best practice you should move newly created computer accounts from the Computers container to an OU.
Module Review Questions (continued)
Question
When should you reset a computer account? Why is it better to reset the computer account rather than to disjoin and then rejoin it to the domain?
Answer
You should reset a computer account when the computer is no longer able to authenticate to the domain. That can happen if the operating system is reinstalled, if the computer is restored from backup, or if the password is out of the synchronization interval.
It is better to reset the computer account because if you disjoin the computer from a domain and then rejoin it, you risk losing the computer account completely, which results in the computer’s SID being lost, and more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated.
Question
A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS; however, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?
Answer
The best way to do this is to create a new global security group and then add the project members to the group. Create a new OU outside your department’s OU, and then assign full control of the OU to the project manager. Add the global group to the new OU, and then add resources to the OU such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it; however, you should delete it if there is no immediate need for it.
Question
You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server–based infrastructure. You have to find a method for joining new Windows 8.1‑based computers to a domain during the installation process, without intervention of a user or an administrator. What is the best way to do this?
Answer
The best way to do this is to provision the computer accounts to AD DS by using the Djoin.exe command‑line tool with the /provision switch, and then use an unattended setup to perform the installation. By using a tool such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information in an Unattend.xml file that is relevant to the domain join.
Best Practices
Best Practices for User Account Management
Do not let users share user accounts. Always create a user account for each individual, even if that person will not be with your organization for long.
Educate users about the importance of password security.
Ensure that you choose a naming strategy for user accounts that enables you to identify the user to whom the account relates. Also ensure that your naming strategy uses unique names within your domain.
Best Practices for Group Management
When managing access to resources, try to use both domain local group and role groups.
Use universal groups only when necessary because they add weight to replication traffic.
Use Windows PowerShell with Active Directory Module for batch jobs on groups.
Avoid adding users to built‑in and default groups.
Best Practices Related to Computer Account Management
Always provision a computer account before joining computers to a domain, and then place them in appropriate OU.
Redirect the default Computers container to another location.
Reset the computer account, instead of disjoining and rejoining.
Integrate the offline domain join functionality with unattended installations
