Understanding Active Directory and Group Policy

Jun 07, 2021
Welcome to the Active Directory Domain Services overview. I'm Kevin Brown and I'll be your trainer for this lesson. The topics that will be covered include answering the question: exactly what is Active Directory? I will also talk about why a company really needs Active Directory. I'm going to demonstrate the complete installation of Active Directory, and I'm also going to demonstrate how you can create user accounts, groups, computer accounts, and other objects, and how you can manage them through group policy. Be sure to check out our other courses at rtsnetworking.com/demo.
There are two types of logical network designs: one is called workgroup and the other is called domain. A workgroup is synonymous with a home network, as in a very small network; there are usually less than 20 devices. Now, the easiest way to think about this is to think of it as your home network. Let's say I have four computers in my house. I'm going to say this one belongs to Bob. Bob's password is Happy Trees, so Bob logs into the PC with that account. PC Four belongs to Sally; Sally's password is Blue Goose. Bob can log in to PC One, but only to PC One. If Bob sits at PC Two, Three, or Four and types the username Bob and the password Happy Trees, it doesn't work; he doesn't have a user account on those computers. In the same way, Sally does not have a user account on any computer other than PC Four. Now, where are these accounts stored? When you are in a workgroup, like your home network, each computer has something called the SAM, which stands for Security Account Manager. This SAM is actually a database containing the local user accounts, so the SAM database only resides on the computer you created your user account on and is not shared or replicated between other computers. Now, on a home network, this is probably exactly what I want. If Bob is the dad, he has his PC; if Sally is the mom, Sally has her PC; if you have kids, they have PCs Two and Three. Each person logs on to their own PC. The only thing these computers have in common in a workgroup environment is that they all connect to the same network; that is the only common point between them. Everything configured on a computer will be unique to that computer. So, as we said, that is probably exactly what you want at home. But now think of this as a work environment. Let's say you have 3,000 computers at work, let's say 3,000 units. Imagine if you were to go to each computer and you had to create a user account for that user on that computer; if the user ever forgot their password, you would have to go back to that computer and reset the password on that computer. That is a non-viable solution, so what all companies will run is a domain-based environment.
A domain-based environment builds on this picture by adding a domain controller, so we have a Windows server that functions as a domain controller. Now, that is always called a DC. This domain controller is actually nothing more than a Windows server. I mean, this could be Windows Server 2019, 2016, 2012, 2008; any Windows operating system has the ability to be a domain controller, or should I say any Windows Server operating system has the ability to be a domain controller. A domain controller is nothing more than a server on which you install this software called Active Directory. Now, everyone calls it Active Directory; the full name is Active Directory Domain Services, or AD DS, but it's almost always just called Active Directory, and whoever you're talking to is clear about what you mean.
When you install Active Directory, this is the software that allows me to create user accounts and computer accounts. So let's say we have three thousand computers and I have three thousand users. I now go to Active Directory and I create the user account for Bob. I define his password, so now when Bob sits down at PC One and logs in, he types Bob, types his password, and that sends a request over the network to a domain controller. The domain controller authenticates those credentials and says yes, that's the correct username, that's the correct password, and Bob can log in to PC One. But his account does not reside in the SAM database, the Security Account Manager; it now lives on the domain controller in this Active Directory software, and it will be managed from this Active Directory software. If Bob left and I needed to disable his user account, I would do it from the domain controller; if he forgets his password, I would reset it from the domain controller. Everything about your user account is now managed in the Active Directory software on the domain controller, not on the local machine. So what we need to do is install this Active Directory, and we need to see how to join this computer to the domain so it knows that it is supposed to communicate with Active Directory, and how we can create these user accounts.
Before installing Active Directory, there are just a few things you need to make sure you do. You need to name the computer. When you install the operating system, Windows generates a default name; it is always WIN- followed by random letters and numbers, so you want to rename it before installing Active Directory to whatever name it should really be. In my case I will name mine RTS-DC1. You also want to set the IP settings. The only thing to keep in mind when you set the IP settings is to choose the IP address and the appropriate subnet mask, which will be dictated by the environment you are in, or just click in the box and it will automatically populate. The default gateway you need if you want to connect to the internet or other networks; that is not of interest to us right now, so I'm not even going to define a default gateway. The important setting is the DNS server.
I am building the first domain controller in my entire Active Directory domain, so the DNS server has to point to the local machine. Here I could set the DNS to be the loopback address, which is 127.0.0.1, or you can use the exact IP address of the domain controller you are on, so you could set it to 172.16.0.10. Both are pretty common. I prefer to use 127.0.0.1; it's a preference, there is no reason for it. When we install Active Directory, it has to write many records on this DNS server. Now, the main purpose of DNS is to take a name and resolve the name to an IP address, like when you surf the internet and go to google.com: that name doesn't mean anything to your computer. Your computer has to take the name Google and it has to consult these DNS services to determine what Google's IP address actually is.
When you install Active Directory, many records must be created on the first domain controller. It looks at this preferred DNS setting here and it creates all the records on that machine, so I want them to be created on the machine that I'm using. So you always set your first domain controller to point towards itself for DNS so that it will have all those records generated. Now, we will see in the interface, when you go to configure your client computer on the IP configuration side, you will give your client an IP address, and the preferred DNS on your client will always be the IP address of your domain controller, your DNS server. Microsoft recommends as a best practice that your domain controllers also run this DNS service, so every time my computer resolves something by name, it will go out over the network and query this machine to look up the name to IP address; whether it is a website, a file server, or a print server, it will pass all queries to that machine. So those are the only prerequisites we need, but before you install, make sure you name the computer and set the IP settings.
Now I am in my virtual machine. I want to install Active Directory. All I've actually done is install the operating system, define the name, and define the IP address. So I'm going to log in to this machine. Here, Server Manager will open by default every time you log in to the server OS. If it is not open for you when you log in, you can go to Start and you will see Server Manager in the Start menu; click on that if it didn't open by default. What I can do in Server Manager is name the computer. Now you see, just for the sake of time, my computer already has the name RTS-DC1, but if I wanted to change that, I could just click on that link, go to Change, and in my System Properties here just type the name that I really want.
Also notice that this computer is actually in a workgroup called WORKGROUP, so it is not domain joined; Active Directory has not been installed yet. I also defined the IP settings. Here it says Ethernet, and I can see my IP address; if you click on it, it will open the network connections. If I double-click my network connection and go to Properties, you can see TCP/IPv4 in the list. If I double-click that, you can see the IP address I defined, 172.16.0.10, and the subnet mask I'm using. I'm not using a default gateway, and my preferred DNS server is that loopback address, 127.0.0.1, or you could have 172.16.0.10; same end result, both would be acceptable. So I already meet all the prerequisites to install Active Directory.
I'm just going to click on Manage, and there's an option to Add Roles and Features. On this Before You Begin page, I'm just going to click Next; you can read it, but it's just generic information. We're choosing a role-based or feature-based installation for Active Directory, so we'll choose Next. This is the machine I'm installing on, so it shows the name of my computer and its IP address, so I'll click Next. I'm just selecting Active Directory Domain Services. When I check it, it shows me this little popup that basically says these other components will be installed as well, so I need to add them. I'll click Add Features; these components are actually management tools, like the AD DS tools, so we'll add features for that. We'll click Next. On the Features page we're not selecting anything, so we'll just click Next.
On this Active Directory Domain Services page, this is just information to help you configure this according to best practices. It says things to keep in mind: you should have a minimum of two domain controllers so you don't have a single point of failure. It also says Active Directory Domain Services requires the installation of a DNS server; if you do not have one, you will be prompted to install one on this machine. That's just informational, so we'll click Next there and click Install. What's happening now is the first part of a two-step process: it installs the feature, but then we have to go back and configure Active Directory the way we want. So we'll let it install and then walk through the Active Directory promotion wizard.
Well, that install has completed. For step 2, I can click on Promote this server to a domain controller, or if you actually close this window, which I do all the time, you can go to these notifications here, this little yellow triangle; if you click on it, you have the same option to promote the server to a domain controller. I'll select that and we'll walk through this wizard. Now, I'm creating a new Active Directory structure, so let's assume I'm like a startup: I do not have a domain present in the environment or anything like that. So what we will do is create a new forest.
An Active Directory forest can really just be a collection of domains if you're in a larger environment, but the first domain controller you build will always be the first domain controller in your entire Active Directory forest. Now, the other two options, which we will not select: one of the notes we saw earlier said that, at a minimum, you should have two domain controllers. If you've already created Active Directory and already installed it, and now you just want it to be fault tolerant, I would choose option 1, adding a domain controller to an existing domain, so it would be like a second domain controller.
If I'm in a fairly large company, or maybe geographically separated, say you have an office in the UK and an office in Canada, you can create separate domains, one for Canada and one for the UK; if you have an office in the US, that can be a separate domain. If that is the case, you will have this parent-child relationship, which is this option to add a new domain to an existing forest. We're not worried about any of those details because, again, we're creating a new forest from scratch. So: add a new forest, and it asks what you want to name it. I'll name it RTS.local.
I'll just click Next. It verifies that the name is not already in use in the environment, so it only takes a second, and now it asks what domain controller options you want. You can configure these functional levels, 2008-2012. The functional level does nothing more than enable newer features of the operating systems, so if all your domain controllers are running Windows Server 2016, you can configure your functional level to be Server 2016 and any new features associated with Active Directory in Server 2016 will be enabled. I can tell you for sure that there are very few improvements in the functional levels. The only major functional level was actually Server 2008 R2: if you chose that functional level, then all your domain controllers had to run 2008 R2 or newer, and if you did that, you could enable this Recycle Bin for Active Directory, so if you deleted a user you could go to this Recycle Bin and restore the user directly from there. Other than that, the changes are actually pretty small changes.
I'm going to leave those at the default. I don't have a DNS server, so I'm going to leave DNS checked, and the last thing we're going to do here is set this Directory Services Restore Mode password. If I ever have to restore this from a backup, I would need to use the password that I define here. It just requires you to type a password, so I'll enter it and we'll click Next. It says that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found. All it means is that a DNS server could not be found, so it will install DNS for us and configure it completely. I always see this when I build a new forest; it just looks alarming because it has that warning triangle on it, but it isn't, so I'm going to choose Next. It will take just a moment, and it will tell me my NetBIOS domain name, which is always the name of your domain without the extension. As I named it RTS.local, the NetBIOS name will just be RTS, so I'll click Next for that and we're almost done. Active Directory is actually a database; it's really a database that contains the user accounts, the computer accounts, and all these other objects. These paths are just the location. Now, I'm going to leave all of this in the default location, but Windows\NTDS will contain my Active Directory database, which is actually a twenty-meg database file by default, so it's very small, and we also have all these transaction logs going to the same location, C:\Windows\NTDS. It also creates this SYSVOL folder.
This will actually be a shared folder containing policies and a handful of other settings. We'll leave them at the default location, so I'm not changing anything here; I'm just going to click Next. These are all the options that we defined. I'm going to click Next to make sure we meet the prerequisites, and as soon as that's done, we'll click Install and this machine will become a domain controller in our new RTS.local forest. It says we passed all the prerequisite checks here, so we'll just click Install. That's all there is to do to create a new domain and build the new Active Directory forest. It will take maybe five minutes to install, and the machine has to reboot, but every domain in the world started exactly that way, with someone installing Active Directory on a single server. Our installation is complete. It says I'm about to be logged out and it will reboot automatically, and this machine will now be running Active Directory and will be a domain controller.
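A scripted equivalent of the prerequisite checks and the two-step install walked through above, as an added PowerShell example that is not part of the video. The adapter alias `Ethernet` and the helper name `Test-FirstDcPrerequisites` are assumptions; the domain name and NetBIOS name are the ones used in the demonstration.

```powershell
# Added example (not from the video): pre-flight check for the prerequisites
# named in the lesson, then the same role install and forest promotion the
# wizard performs. Run elevated on the server that will become the first DC.

$Alias      = 'Ethernet'      # assumed adapter alias
$DomainName = 'rts.local'     # forest root domain used in the lesson
$NetBios    = 'RTS'           # domain name without the extension

# Hypothetical helper: returns a list of unmet prerequisites (empty if none).
function Test-FirstDcPrerequisites {
    param([string]$InterfaceAlias)

    $problems = @()

    # 1. The setup-generated name (WIN-<random>) should be replaced first.
    if ($env:COMPUTERNAME -like 'WIN-*') {
        $problems += "Computer still has the default name $env:COMPUTERNAME"
    }

    # 2. A domain controller needs a static IPv4 address, not a DHCP lease.
    $ipIf = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    if ($ipIf.Dhcp -eq 'Enabled') {
        $problems += "Interface $InterfaceAlias is still using DHCP"
    }

    # 3. Preferred DNS must point at this machine: loopback or its own address,
    #    so the records written during promotion land on this server.
    $own = @((Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).IPAddress)
    $dns = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    $preferred = $dns | Select-Object -First 1
    if (-not $preferred -or ($preferred -ne '127.0.0.1' -and $preferred -notin $own)) {
        $problems += "Preferred DNS is '$preferred', expected 127.0.0.1 or $($own -join ', ')"
    }

    return $problems
}

$problems = Test-FirstDcPrerequisites -InterfaceAlias $Alias
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the prerequisites above before installing Active Directory.'
}

# Step 1 of 2: install the role together with the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The Directory Services Restore Mode password is prompted for,
# never written into the script.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forest = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetBios
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
}

# Same role as the wizard's prerequisites check; review the output first.
Test-ADDSForestInstallation @forest | Format-List

# Step 2 of 2: promote to the first domain controller of a new forest.
# Default database, log and SYSVOL paths are used; the server reboots when done.
Install-ADDSForest @forest
```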
The install of Active Directory is complete. My server restarted. Now I'm going to log in as my RTS domain administrator. The username I am using is administrator. I'm going to type my password; now we're authenticating with our Active Directory account. Some things are noticeably different. If I click on this Local Server, you can see that the domain now says RTS.local, and here on the left I also have this AD DS entry, for Active Directory Domain Services. This is actually called the role of the server, and this will give you a list of all the domain controllers that you have in your environment. I also have this DNS that was installed.
It appears here; you will always see these on all your domain controllers. If I go to Tools, I see several options for Active Directory. The only one we care about in this lesson is Active Directory Users and Computers, so I'll open it. This is my domain, RTS.local; that's the name I selected when I installed Active Directory. I have some objects listed here. These are containers and organizational units. I'm just going to slide this over a little bit. If I go to this Users container, these are the default accounts that exist. This is my administrator user account; the ones with like two heads would be groups. So there are a few user accounts and a handful of groups that exist by default.
I can also create new users here. An example would be if my company hired a new user named Bob. I just click on this new user icon here, or if you cancel that, you can right-click on this container and there's a New option, and you get options for Computer, Group, User, and various other objects. So, the new user here: my person's name is Bob. I'm going to say the last name is Ross. Now for Bob, I'm going to say the user logon name is bross, so first initial, last name, and we'll choose Next.
I'm going to set Bob's password. I'm going to leave selected "User must change password at next logon". It would violate every security principle we have if I could know my users' passwords, so when Bob logs in for the first time it will force him to change that password. I'm going to click Next and Finish. I now have my user Bob Ross. Bob can log in to other computers in the environment; he is a fully functioning user. Now, another common object that we have in Active Directory is a group. Let's say Bob works in the sales department.
I'm going to right-click on Users again and create a new group this time. For the group name, I'm just going to call it Sales and click OK, and now a Sales group appears in the list here. I'm going to open up that Sales group, so I'm going to double-click to get the properties. There is a Members tab here. If I select Members, I have the option to add a user to this group, so at the bottom I'll click Add. Now, you could just type Bob, but I'll click Advanced and Find Now; instead of just doing a search by name, this gives me a list of all the users and groups I have.
I'm going to just select Bob Ross from that list and click OK and OK. Now you can see that Bob Ross is included in this Members section here, so I'm going to click OK; Bob is now a member of this group. For the purpose of this, I'm going to get back to the desktop of this machine. Here on my desktop, I'm going to create a new folder and I'm going to name it Sales Data. I want Bob Ross to have access to this, and all other users in sales need to be able to read what's in this folder. This is where the concept of Active Directory groups comes into play.
If I right-click this folder and go to Properties, I'll do two things. I'll click on this Sharing tab, and in this Advanced Sharing I'll just click Share this folder and click OK. Now, to take a look at it, I'm going to right-click on Start and go to Run, and in Run I'm going to type backslash backslash and the name of my local machine, \\RTS-DC1. What this does is initiate a network connection, but it will connect to my own machine, so I can see the shares I have from my machine's point of view.
When I click OK, you'll see that Sales Data appears as a shared folder, so we know it's accessible over the network. Now this is where Active Directory groups come into play: I can limit what you can do with this. When I click on the Security tab, I'm going to click Edit and Add, and I'm just going to type the start of the name and click Check Names. It will search, and the only user or group I have in Active Directory that starts with that is this Sales one, so I'll accept that to be my Sales group. Now I can configure the level of permissions that I want them to have, whether I want them to only have read access, read and write, or full control, whatever your needs are. That would be the purpose of a group: if I have multiple users who need access to the same shared folder or the same application, it is too tedious to have permissions assigned individually to the users, which is never recommended.
Instead, you would always create a group, add the users as members of that group, and then simply assign permissions to the group, so that would be the purpose of our group. If we go back to Active Directory: that is a brief overview of the user account itself and the group. The other thing we want to touch on is the computer account. If I go to Computers, I don't have any computers joined to my domain right now. The typical way you add a computer to the domain is from the computer itself: we will go to our client machine and join that client machine to the domain.
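The user, group and folder-permission steps above, scripted with the ActiveDirectory module, followed by a check that lists any permission granted to an individual user account instead of a group. This is an added example, not part of the video; the logon name spelling `bross`, the read-only access level and the helper name `Get-DirectUserAce` are assumptions.

```powershell
# Added example (not from the video). Run elevated on the domain controller.
Import-Module ActiveDirectory

$Domain = 'RTS'     # NetBIOS name of rts.local
$Folder = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sales Data'

# User: the administrator types a throwaway password and never learns the real
# one, because the account must change it at first logon.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for bross'
New-ADUser -Name 'Bob Ross' -GivenName 'Bob' -Surname 'Ross' `
    -SamAccountName 'bross' -UserPrincipalName 'bross@rts.local' `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Group: Global scope and Security type are the defaults of the New Group dialog.
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Sales' -Members 'bross'

# Folder and share. Share permissions are left at their default, as in the
# lesson; access is limited through the NTFS permissions below.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
New-SmbShare -Name 'Sales Data' -Path $Folder | Out-Null

# NTFS permission goes to the group, never to Bob directly (assumed: read-only).
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$Domain\Sales", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check: list access entries on a folder that name an individual user account.
function Get-DirectUserAce {
    param([string]$Path)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue    # identity that cannot be resolved to a SID
        }

        # Well-known local identities (for example SYSTEM) are not AD objects
        # and return nothing here; computers have objectClass 'computer'.
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($obj -and $obj.ObjectClass -eq 'user') {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-DirectUserAce -Path $Folder
```

Because the folder sits on the administrator's desktop, the check is expected to list the inherited profile entry for the logged-on administrator; an entry for `bross` would mean the permission was assigned to the user rather than to Sales.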
When we do that, it will automatically create a computer object, what's called a computer object, which by default goes under this Computers container. So let's take a look at that from the client's point of view and see if we can join a computer to our RTS.local domain. Be sure to check out my other courses that I've hosted on the Udemy website. I have around 30,000 students and courses ranging from Azure administration to Azure fundamentals, PowerShell courses, Hyper-V, and security. I also have courses on server management and Active Directory Group Policy. These courses are some of the best sellers on the Udemy website, so be sure to check them out.
The link is in the description below. So now I'm on a different machine, and I want to take this computer and join it to the RTS.local Active Directory domain. There are things we must verify. I'm going to go to Start and open Control Panel, and in Control Panel I'm going to go to System. The reason I use Control Panel and System is that it is consistent across all Microsoft operating systems. You could be on Windows Vista, which no one would use, or Windows 8, 8.1, 10, or running the server operating systems; if you go to Control Panel you will always see this computer name, domain, and workgroup section here. You can see my computer is currently called RTS-CL1, that's what I want, and right now it's in a workgroup, so that's what we want to change. I'll also check the network settings, so I'll right-click on my little network icon here, open the Network and Sharing Center, click on Ethernet, and go to the properties of TCP/IP version 4. You can see that my IP address is already defined, 172.16.0.11; that is the configuration that I want on this machine. And if you remember, 172.16.0.10 is the IP address of my domain controller, RTS-DC1, which is also a DNS server, so that's already correct.
So all I'm going to do is join this to the domain. In this Change settings, I'm going to click Change, select Member of Domain, and just type the name of the domain, which is RTS.local. That will ask me for credentials for the RTS.local domain, so I will use my administrator and the password for that account and just click OK. It says welcome to the domain, so I'm going to click OK, and this machine will reboot and is now a member of the domain, so we'll say close and restart now. While this restarts, we'll go back to our domain controller. While the other machine restarts, here is the Computers container we were looking at a moment ago.
It was blank here; if I click refresh, I can see that RTS-CL1 is now listed as a member of the domain. So I've made my computer join the domain, so it can now be managed via Active Directory. I have my user Bob Ross, so the user account can be managed through Active Directory. If you are in an environment with thousands of users, all your users have been added to Active Directory in a similar way, and all the computers your users actually use have been added to Active Directory in a similar fashion. It is quite fascinating and very simple. Now, the other thing we want to touch on is how this is organized.
I'll click on my domain, RTS.local. Notice, when you look at this, if I slide some of these over a little bit to make it easier to read, under Type some of these say Container and only one of them says OU. And if you look at the icon, notice the ones that say Container have this blank folder icon; the only OU, which is Domain Controllers, has this little icon in the center of the folder. It's supposed to be a book in the center of the folder. The difference between a container and an organizational unit, the main difference: an organizational unit allows you to apply group policies to it. Group Policy gives me over 3,000 settings that I can use to manage computer accounts and user accounts.
Containers are created by default. The Users container is present and has some default accounts. The Computers container is always present, and by default, when you join a computer to the domain, that is where in Active Directory it appears. But what we do to structure this is create organizational units. An example: I'm going to right-click on my domain and go to New, Organizational Unit. Now, how these OUs are structured is different from business to business, so there is no right or wrong way; it would be very specific to exactly your organization's needs. But the common ways you see this are based on location and on department. For example, let's say I have a location in Atlanta.
I'm going to create an OU called Atlanta, so I'll click OK for that, and I also have a location in Boston. I'm going to right-click on my domain again, New, Organizational Unit, and I'm going to call this one Boston. So if I have offices in each location, you could create an OU to represent those locations and organize these objects. Under Atlanta, I'm going to create an OU, like a child OU, sometimes known as a sub-OU, and I'm going to name it Users. If he is a user and is in Atlanta, his account goes in this location.
I'm going to create another one for computer accounts, so New, OU, Computers. Again, how you structure this depends on what your needs are. Very often you'll see, under Atlanta, a Sales OU, a Marketing OU, so it depends on what your needs are for these OUs, which are almost always referred to as OUs because it just takes too long to say organizational unit. But the easiest way to think about this, and you will never be confused: think of it as a folder. If you create a folder on your desktop and call it My Personal Finances, why would you do that?
Two reasons. One, you want to take all your personal financial documentation and place it in a single folder so it's organized for you; that's the organization of similar items or similar objects. The other reason is that you essentially want to manage it: you put all your financial documents in the folder, and then you can apply permissions to the folder to say I'm the only one who can access this folder. It determines permissions and organizes similar objects together. Everywhere in Microsoft that you see a folder icon, it has the same purpose: it groups similar objects together, and then you can manage those objects centrally. What do I mean by that? I'll click this Users container and I'm going to find Bob Ross.
Now I can right-click, and Move is an option, and I can select my Atlanta Users, but I'll click Cancel. Usually what I do is just click and drag, so I can drag Bob to those Users. Now when I click on this Users OU, Bob Ross appears there. I could go to the Computers container for my RTS-CL1 and drag it to the Atlanta Computers. You'll see some environments where you have a Computers OU like this and underneath they will have a child OU for desktops and another for laptops, so how it's structured really depends on the environment you're in. But like I said before, one of the key considerations is how to apply Group Policy Objects.
Group Policy is how we manage all of these settings. So, an example of this: right now, as you know, I have Domain Controllers, I have an Atlanta OU with Users and Computers OUs underneath, and a Boston OU; all the others are containers, like this Users container and Computers container. What I'm going to do is go back to my Server Manager, and in Server Manager I will go to Tools, and in Tools I will click on Group Policy Management. In this Group Policy Management, I'll expand my forest, I will expand my domains, and expand RTS.local.
I'm also going to make this full screen so it's easier to see, but notice that you don't see the Users container or the Computers container appear here. What we get is the OUs: I have Atlanta with the Computers and Users OUs below it, and I have Boston and Domain Controllers. None of the containers appear here. So what does that mean? It means that you cannot directly create a policy and apply it to that location. Now, to see some interesting settings in a policy, I'm going to configure the wallpaper and I want to define some power settings, but before we do that we want to check what our other system looks like right now, so I'm going to go back to that RTS-CL1. On my RTS-CL1, I'm going to log in as Bob Ross, bross was the username, and I'm going to enter the password.
It says that the user's password must be changed before logging in, because we left that checkbox set, you'll remember. I'm going to say OK because I have to reset it, and I'm going to type in a new password and we'll just log in. The password has now actually been changed in Active Directory. Now Bob Ross is logged in. There are two things I want to show you, and the reason I'm going to show you this is to make it clear that we have managed some of these settings with the new policy. Notice the background of the screen is the default Windows wallpaper. I will also right-click on Start and choose Power Options from the menu, and in Power Options I have this Balanced and High performance; those are my power plans, and if I click this down arrow to show additional plans, only this Power saver appears.
I actually need to click on this Change settings that are currently unavailable to make them a little bit easier to see; they're not hidden, but I only have three. I'm going to change that through Group Policy, so I'll go back to our other machine, the domain controller. I'm back on my domain controller. What I actually did was copy over a wallpaper that I just downloaded from the Internet, and I'm also going to set the power options. So the first thing I'm going to do on my desktop here, just for demonstration purposes, is create a new folder and give it the name Wallpaper. I'll right-click on the folder, go to Properties, and in this Sharing tab I'll just click on Advanced Sharing and select Share this folder and OK. I'm not going to change the permissions or anything like that in the Sharing tab. In the Security tab I'm just going to click on Edit and Add, and I'm going to put Authenticated Users in, so I'll type authenticated and click Check Names. That does a quick search, and I'll see that Authenticated Users is here in the list, so I'm going to choose Authenticated Users and OK and OK. You'll see that it has Read & execute and List folder contents; that's fine. So Authenticated Users, anyone who logs in, will have read access to this. That's what we want, so I'm going to accept that and Close, and I'm going to take this orange wallpaper and drag it into that shared folder.
Now that that folder is network accessible, I'm going to go back to my Group Policy Management Console and do two things. Under this Atlanta OU, I have this Users OU that I created. I'm going to right-click on that OU, and there's an option to "Create a GPO in this domain, and Link it here"; GPO stands for Group Policy Object. I'm going to choose that and name this GPO wallpaper. It looks good, and now if I expand Users, this wallpaper GPO appears. I'll dismiss some of these pop-ups here. I'm going to right-click on that wallpaper GPO and edit it.
Now there are over 3000 settings in Group Policy, so I have a dedicated course that only covers Group Policy and a separate dedicated course that only covers Active Directory, but the wallpaper is a basic setting that we can define under User Configuration. I'm going to click Policies, Administrative Templates, I'm going to expand Desktop, and there's this Desktop folder underneath, and there's Desktop Wallpaper. All I need to do is specify the path for that wallpaper, so I'm going to click Enabled and type the share path, or UNC path as it is known, but most people call it the share path: \\RTS-DC1\wallpaper\orange.jpg. Now I don't want this to be centered, so I'm going to set this to Fill, so that it takes up the entire desktop, and I'm going to drag this up so I can click the OK button. So the wallpaper is set under this GPO, and that GPO is linked to the Atlanta users. If there are a thousand users under this OU, a thousand users will now have that wallpaper set.
Now I'll go to the computers OU in Atlanta and create another GPO and name it power settings. I'll right-click on that GPO and edit it. For this one I'm going to expand Computer Configuration, Preferences, Control Panel Settings. You'll see that under Control Panel Settings there is Power Options, so I'll right-click and create a new power plan. It says "At least Windows 7", so that is for Windows 7 and newer versions; this is the power plan you would create. Under Action I'm going to choose Create and name this power plan Green, with exclamation marks. Now I don't want this to be the active power plan on my system, so I won't click "Set as the active power plan".
I'm going to leave it unselected, but remember the name of this one, the green plan, and I'm going to click OK and close the GPO. If there are a thousand computers under this computers OU, then a thousand computers now have this power plan. Now let's take a look to see if that has actually had an effect. I'm back on my RTS-CL1 machine, so I have the wallpaper we started with and I don't have the new power option. Now, what you can do a lot of times is type gpupdate and a lot of things will take effect.
Maybe you want to do it right now. Well, I'll show you something before I do it. I want to click on Power Options and I'll choose "Change settings that are currently unavailable" to make it easier to see, but notice that I only have the three options, because we still haven't updated policy. What I'm going to do is right-click Start and go to Run, and in Run I'm going to type gpupdate. gpupdate just tells my computer to go back to the domain controller and check for policy updates, so I'm going to click OK for that. It says it is updating policy, and in a moment it's going to say the computer settings are up to date, and then the user settings, so I can see the computer side is already done, and then the user side.
If we refresh this view now, it's like magic: my green power plan appears in the list. Now the interesting thing is that the wallpaper is not changing. Some settings can be updated in the background; some settings require you to restart the machine if it is a computer setting; some user settings require you to simply log out and log in again. The desktop background doesn't refresh in the background; it requires you to log out and log back in, so we'll do that, but we see that the power settings have already taken effect via policy. So on the system here I'll just log out and log in again.
I'll go in and log in again as Ross with my same password. We love the wallpaper; okay, maybe it's not lovely, but we know our policy worked, because my wallpaper is now a bunch of oranges. Very similar to how you manage your own local machine, I can go to Group Policy and manage over three thousand settings on all the computers in my entire domain, which could be tens of thousands of computers. I can dictate the wallpaper, or block USB drives if I want to. There are numerous settings; if you can think of it, you can manage it or restrict it through policy. So we know that our client machine is joined to the domain.
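Added example, not part of the video: the wallpaper GPO from the walkthrough built with the GroupPolicy PowerShell module instead of the console, with a check that the share does not grant write access before the policy points every user at it. The OU distinguished name is a placeholder (the domain name is not given here), and the script assumes it runs on the domain controller that hosts the share.

```powershell
# Added example. Assumptions: GroupPolicy and SmbShare modules are available,
# and $TargetOu is a placeholder DN to be replaced with the real Users OU.
Import-Module GroupPolicy

$GpoName   = 'wallpaper'
$ShareName = 'wallpaper'
$UncPath   = '\\RTS-DC1\wallpaper\orange.jpg'
$TargetOu  = 'OU=Users,OU=Atlanta,DC=example,DC=com'   # placeholder
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. A file every user loads at logon should not be replaceable by those users.
#    Fail if the share grants Change or Full to anyone other than Administrators.
$writable = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -match '^Allow$' -and
    $_.AccessRight       -match '^(Full|Change)$' -and
    $_.AccountName       -notmatch 'Administrators$'
}
if ($writable) {
    throw "Share '$ShareName' is writable by: $($writable.AccountName -join ', ')"
}

# 2. Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 3. Registry values written by the Desktop Wallpaper administrative template
#    (User Configuration). WallpaperStyle 4 is Fill.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Wallpaper' `
    -Type String -Value $UncPath | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'WallpaperStyle' `
    -Type String -Value '4' | Out-Null

# 4. Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 5. Read the settings back from the GPO.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Value

# On the client: run "gpupdate /force", log out and back in (the wallpaper does
# not refresh in the background), then "gpresult /r /scope user" lists applied GPOs.
```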
Everything is working now. Earlier I also said that Active Directory is a database. I'm going to look at it on my domain controller. I'm going to go into File Explorer, and in File Explorer I'm going to navigate through This PC to the C: drive, the Windows folder. There is a folder called NTDS in that list. If we click on it, we see ntds.dit, about 20 MB in size, which is the Active Directory database file. You'll see some log files here as well, but every user account you create, every computer account, the groups, the OUs, everything resides in the ntds.dit database file. Long story short, Active Directory is a feature we install on Windows Server; once you install it, the machine on which it is installed is known as a domain controller.
The benefits of Active Directory are, first, centralized administration: I create policies that allow me to manage all my users and all my computers. The other is centralized authentication: I no longer have to go to individual computers and create user accounts or reset passwords; everything is done in Active Directory on the domain controller. Now, as we saw earlier, you must have at least two domain controllers. What's very interesting about Active Directory is that it replicates all of its objects, so if I have two domain controllers, I could create my user, like I did with Bob, on one domain controller, and that user is then replicated to the other, so you never duplicate your work. If I disable the user account on one, the fact that it is disabled is replicated to the other domain controllers, so no matter where you make a change, it is replicated to your other domain controllers.
Now this is intended to serve as an overview, just to give you an understanding of Active Directory. If you want to check out additional courses, look at the links below, and you can go deeper into some of these topics. If you want to learn more, visit us on the web at RTS networking.com slash demo, where we have free demo videos, and I also have courses for sale for as little as $9.99 covering various Microsoft topics. Be sure to check out my other courses that I have hosted on the Udemy website, with around 30,000 students. I have courses ranging from Azure administration to Azure fundamentals, PowerShell courses, Hyper-V, and security. I also have courses on server administration, Group Policy, and Active Directory. These courses are some of the best sellers on the Udemy website, so be sure to check them out. The link is in the description below.
