Windows Active Directory, how it works? Users, Permissions, Policies

42,097 views

Christian Lempa

A day ago

How does the Microsoft Active Directory work? This is Part 2 of my Windows Server Tutorial, where I explain how to join an Active Directory with a Windows 11 Professional PC, and how to centralize the user authentication, file permissions and group policies. #Windows #ActiveDirectory #HomeLab
Teleport-*: goteleport.com/thedigitallife
Windows Server (Part 1): • Installing a Windows S...
Sophos XG Video: • Protect your home netw...
Follow me:
TWITTER: / christianlempa
INSTAGRAM: / christianlempa
DISCORD: / discord
GITHUB: github.com/christianlempa
PATREON: / christianlempa
MY EQUIPMENT: kit.co/christianlempa
Timestamps:
00:00 - Introduction
01:02 - Advertisement-*
01:35 - What you need (Pre-requisites)
05:29 - Join the Active Directory
06:47 - Centralized User Authentication
11:31 - File Permissions
16:56 - Organizational Units
18:21 - Group Policies
________________
All links with "*" are affiliate links.

Comments: 126
@bradleydiggs a year ago
I've gone headfirst into Linux, DevOps, Docker, Cloud, and am learning Kubernetes and Python. My networking is still sharp but my AD skills that I started out with 20 years ago were getting rusty. And of course I find that Christian, whom is one of the ones I follow for the other things, has an entire series on this too! Gold.
@Xl4t3 a year ago
It's a great guide, easy to understand and has interesting examples. Keep up the good work Chris! Love your videos!
@ragequilt_ a year ago
The quality of practical content on your channel is priceless! Looking forward to a video on Hashicorp Nomad and Waypoint.
@christianlempa a year ago
Thank you! :)
@Alex-zd3sz a year ago
This is an awesome series. Windows AD servers and domain controllers are always complicated, so this is awesome to watch!
@christianlempa a year ago
Thank you! I’m glad you’re enjoying it :)
@Steve3dot1416 a year ago
By the way, fantastic video. Excellent level of detail and well explained. Good video content. You won me: subscribed!
@christianlempa a year ago
Thank you so much :)
@crzr5 a year ago
Great Video!!! I like the way you explain about AD with simplicity, please keep this series, I am looking forward to the next video about granular setup of an AD, especially about GPO to enhance security policies!
@christianlempa a year ago
Thank you so much! :)
@drbyte2009 a year ago
Another great video Christian. I really like the series. Can't wait to see the next one 🙂
@christianlempa a year ago
Thank you 🙏
A year ago
Great job! Please continue this series.
@christianlempa a year ago
Thank you! And sure, I will :)
@Sevbh12 7 months ago
As usual, brilliant video. Thank you
@christianlempa 7 months ago
Thanks!
@xcaptz a year ago
Nice to see you man! ❤
@christianlempa a year ago
Thanks! You too ;)
@abdulr4279 a year ago
Nice video Christian!
@persellmach a year ago
Thank you for your videos, they are always so informative and helpful for a sysadmin like me :)
@christianlempa a year ago
Thank you! :)
@r3m0dul8 a year ago
Love this video walk-through playlist type, just getting into ADDC myself so following along since your install. Love to know more about GP in a home-lab env
@core-computinglab a year ago
Great videos I always check out the channel when you upload.
@christianlempa a year ago
Awesome! Thank you! :)
@rachitjain5489 a year ago
good work king, love you
@christianlempa a year ago
Appreciate it!
@eduardo13355 a year ago
Still working as of today! Thank you!
@christianlempa a year ago
You're welcome ;)
@daniellejacoba.domingo8809 a year ago
thanks, it actually let me through so i could download it.
@vellingirigiri1632 a year ago
This was so helpful!! Thank you
@christianlempa a year ago
I'm so glad!
@ThePoorInvestor a year ago
You've taught me so much about AD. I'd love to learn how to connect it to TrueNAS as well as allowing users to save/share/admin folder files to/from TrueNAS. Again thanks for another great video!
@christianlempa a year ago
You’re welcome! Yeah the idea with truenas is great :)
@techripper703 a year ago
Great video I enjoyed it please keep this series up maybe do another video on shared drives and folders. Thank you for your great work :)
@christianlempa a year ago
Thanks! I’ll do :)
@danielmuthini7347 a year ago
This is the best free software I've seen. Respect.
@narutoghoul9672 a year ago
BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY MUCH!
@christianlempa a year ago
haha thx :D
@stupidhead7881 a year ago
I like the series. Thank you
@christianlempa a year ago
Amazing! Thank you :)
@ra7en250 a year ago
So informative, thanks a lot!
@christianlempa a year ago
You're welcome
@ChethanNN-fl9qc a year ago
OMG THANKS SO SO MUCH THIS HELPED!!!
@christianlempa a year ago
Glad it helped!
@bennettste 10 months ago
Little trick when logging in as a local User, you can type .\ instead of the pc name in front of the local user account.
@user-rl3du7gt2g a year ago
Very helpful
@christianlempa a year ago
Glad you think so!
@sialeehwi6211 a year ago
Works well!! THANKS
@christianlempa a year ago
You're welcome ;)
@mjenkins74 5 months ago
Hi Christian. I really love your videos and your channel. I was wondering are you thinking of doing a windows deployment services tutorial at some stage? This would be a great addition to these active directory videos
@christianlempa 5 months ago
Thank you so much :) I'm still trying to figure out how I can make more Windows videos, maybe an Azure AD / Entra ID video at some point would be great
@musicworld8652 a year ago
it work on my pc thx bro very much
@cybergreenlab1738 a year ago
Great video. Do more of AD use case in a professional environment. Well done
@christianlempa a year ago
Thx :)
@mariamtsitsagi6655 a year ago
thanks helpful vid
@christianlempa a year ago
Tx!
@ariannemaeo.moratalla8062 a year ago
U BEST!!!
@bennettste 10 months ago
Also always set up a local user for yourself as the admin. This gives you a backdoor into a PC if you have a domain trust issue.
@berndeckenfels a year ago
On deeper folder hierarchies it’s very painful to make ACL changes like adding groups or worse users. It is much better to have a type specific group assigned to files and folders and then only change its membership (as soon as you want to add more than one security group to it)
@leerussell6536 a year ago
I would like to see a video about integrating Active Directory users into other pieces of software like MediaWiki or SnipeIT. Keep up the great work.
@christianlempa a year ago
Oh that seems like a great suggestion, however you will need to wait until second half of the year until I come back to that :(
@oklang3537 a year ago
GOD!!!My broo
@HetKaasKanaal a year ago
I also have an Active Directory server in my homelab. I have an LDAP connection with Nextcloud to authenticate with my AD accounts. Also I have a free Azure Tenant and it supports SSO. So some of my applications use Azure SSO. It's very nice :)
@christianlempa a year ago
Sounds like a great set up! I haven’t looked into Azure AD but I will :)
@iOXiNG a year ago
I wonder if the windows updates gets downloaded ONCE to the server then gets pushed locally to the client computers instead of each PC downloading it on its own, because that would consume a lot of data and slow down the internet especially if the company has a low speed or metered internet connection.
@Lauch-Melder a year ago
I'm running Windows Server 2019 as my main DC in my homelab. Got the free key for education at my school a few years ago. But for now I'll add some Zentyal DCs to switch completely to Linux because I don't want to pay for the licenses in a few years when Win2k19 is eol. Still some problems with the DNS replication with samba but pretty stable at the moment. :D
@posalab a year ago
Great video for introduction on GCP and AD. Maybe I can ask you to go in deep about integration also of OsX client to AD. It will be interesting in my opinion. Bye.
@christianlempa a year ago
Thank you! Yeah maybe... I'm thinking about it ;)
@Ata5ll 10 months ago
You remind me of someone I once knew on Quakenet...
@tariktahaozdogan7459 3 months ago
Great explanation! Is there anyone who can recommend a video that also tells how to control authorizations for applications from a DC?
@christianlempa 3 months ago
Thanks! I've not done a video on this topic yet unfortunately
@officialszcz a year ago
🔥🔥🔥🔥
@christianlempa a year ago
:D
A year ago
Computer settings are updated on a reboot, user settings are updated at login or after a gpupdate.
@christianlempa a year ago
Yep, that's right! In addition to the background update
@DJRhinofart a year ago
Just to let you know that when you log into the system if you put a .\LOCALUSERNAME for instance .\Mark in the username, it will log you in as an existing local user whose login is Mark with Mark's password.
@core-computinglab a year ago
Have you tried Zentel server, the Linux Alternative? Just wanted to let you know about it.
@christianlempa a year ago
I haven't, yet. But I guess I won't, because I'm fine with running Windows for that.
@piotr5256 a year ago
About GPO auto update by computer - It can be set also via GPO, by default it is 90min for computers and servers, and 5min for Domain Controllers - This setting u can find in GPO path: Computer Configuration > Administrative Templates > System > Group Policy > Set Group Policy refresh interval for computer. Ofc there are dependencies with example GPO which is applicable for AD group, so if u will add user or computer asset to AD group then u need to relog after this, to let computer/user see that he have now new membership. Ofc u can avoid situation that restart is required when u will play with klist.
@christianlempa a year ago
Thx for letting me know!
@Vera150607 a year ago
With more than 20 years, AD DS still being the angular stone for so many corporations, Open LDAP and similar doesn’t come even close of it. Sure, nowadays with Azure AD connect and Azure AD you can free yourself from AD FS and AD CS in order to integrate your users to authentication with 3rd party app using always their same credentials adding features as MFA to it.
@LampJustin a year ago
It's true FreeIPA and such are good options but nothing can beat the behemoth that's MS Active Directory... The only thing that comes close is Samba AD.... That works surprisingly well for smaller tenants that don't require the really advanced features. You can even do a secondary domain controller with replication and all. The only thing that kinda sucks is that it's limited to a forest lvl of 2008R2. But since not a lot changed to 2016 it's mostly fine...
@PlaidMagic a year ago
Same here, 19 years in IT, I desperately wish there was an open source parallel to MS AD, but nothing comes close
@LampJustin a year ago
@PlaidMagic have you tried Samba AD? ;)
@christianlempa a year ago
💯
@donalddrunk9882 25 days ago
Do all corporations use VMs to run both Windows and Windows servers for their employees?
@ThePoorInvestor a year ago
Hi friend. Would you know how I’d go about setting what you did with Sophos for DNS request route but in a Pihole? I kinda got it to work by using cname and and DNS records. I got the pc to join the domain but it won’t fully work as GP aren’t fully transferred. So then I just put the dns of the active directory in the network adapter settings and it works. But I lose the advantage of a pihole. What do you suggest for pihole?
@christianlempa a year ago
I haven't done it for pihole, I'm not sure if pihole does provide a DNS setup like that. If not you might just continue running the windows as primary DNS and set up a forwarding to pihole on the windows DNS server config.
@berndeckenfels a year ago
Using a procedure which does not require domain admin credentials on the new clients should be preferred or at least a limited join user
@homemedia4325 a year ago
Roaming Profiles!!! ... haha... I have done various setups... I am unsure how the newer replacement works!!
@christianlempa a year ago
?
@surisurendrababu a year ago
do you have any video sync users between azure ad and Sophos xg firewall?
@christianlempa a year ago
Not yet, maybe I’ll do that somewhere next year
@surisurendrababu a year ago
@christianlempa Thanks for the reply Christian if possible can you make in this week ?
@adfjasjhf a year ago
While I do agree with the point that having password expiration creates another way to reveal the password however even if the password would be leaked, the attacker wouldn't have access to the account any amount of time but only for let's say 2 months as the password would have to be reset (Yes, it's still a lot but better than having unlimited access, right?) In our work I personally use password manager. I only know 2 passwords. My main account and my password manager password. All passwords have 3 months of expiry date but I still only need to remember 2 passwords instead of let's say 10.
@christianlempa a year ago
While this might be true for an individual, you need to have a look at the bigger picture here. We’re talking about normal users who don’t understand IT, who aren’t in security, do you really trust all your users to use a password manager and follow company guidelines? I don’t xD
@bytecorner123 a year ago
Maybe you could do azure Active Directory. You can get a free e5 developer account to do it.
@christianlempa a year ago
I like the idea!
@treslobos5164 a year ago
thx for soft mate
@streamx2 a year ago
Do you mean both the domain controller and the others needs to be pro versions
@christianlempa a year ago
The Domain Controller needs to be a Windows Server, Essentials, Standard and Datacenter will work fine.
@DJRhinofart a year ago
The client OSs can be Pro, Ultimate, or Enterprise in order to join the actual Domain.
@Thomate1375 a year ago
Nice video :D Would be nice if you can show us how to do this with a linux server^^
@christianlempa a year ago
Thx ;) Well about the Linux Server, I'm not sure if I'm going to do that.
@Lauch-Melder a year ago
Would be a great tutorial. I'm switching completely to Linux at the moment. Zentyal seems to be a great solution. Joined a Zentyal DC to my Windows DC using samba. The only problem I'm struggling with at the moment is that I can't access my forward zone in the Windows RSAT DNS settings on my secondary DC running zentyal-samba.
@ronald0122 a year ago
what do you think about the best naming convention for a domain? tld or subdomain of tld or non tld?
@christianlempa a year ago
Either subdomain of tld or non routable tld
@obsolete21 a year ago
IIRC, GP is updated every 15 minutes.
@senx3824 12 days ago
At home, disable the change password is fine. In a business, this will lock out anybody with access they shouldn't have... Sticky note is safer than allowing improper access indefinitely.
@Steve3dot1416 a year ago
The problem is: if you join a domain with an existing PC, you should reinstall all your applications that are not installed "for all users". Many applications don't give this option. Also, you must move your profile files. This is, I think, a crucial piece that is missing in Windows: a way to easily migrate an account from a workgroup to a domain or vice versa... Anyone have an easy tool/way to do this?
@christianlempa a year ago
In the past, we've used the tool "profwiz", but I'm not sure if it's still a viable option. My days being a win admin are long ago :D
@niklasandersson7594 a year ago
@christianlempa profwiz is still a useful tool to migrate profiles between AD and Workgroup :)
@jeanfiedler7374 a year ago
You don't need /force in 99.9 percent of cases. The time until a gpupdate happens is configurable via GPO. 😉 I wouldn't put computers and users in the same OU.
@christianlempa a year ago
Thanks ;)
@matthijsleenhouts4827 a year ago
Active Directory is only needed if you have more than 1 user and more PCs and servers; if you're the only user then Active Directory is overkill
@berndeckenfels a year ago
You normally use it in a home lab to learn the technology since it’s an asset in the work place (at least it was, I guess nowadays starting with AzureAD is better)
@ariahoogame269 a year ago
hahsdhahah good
@Steve3dot1416 a year ago
You should be careful when you give the "Full Control" permission. This gives the users the permission to change the security access for everyone. Personally, I give it only to domain admins.
@christianlempa a year ago
Thanks for sharing! Yeah you need to be careful in production with these settings
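
An added example, not from the video or from the commenters above: a PowerShell audit that lists every folder ACE granting Full Control to a principal outside an allow-list, which is the condition the comment above warns about. The share path, the `EXAMPLE` domain name and the allow-list contents are assumptions to adjust for your own domain.

```powershell
# Added example: report "Allow Full Control" entries on a folder tree that
# belong to principals outside an allow-list. Read-only; changes nothing.
param(
    [string]$Path = 'C:\Shares',                 # assumption: root of the shared folders
    [string[]]$AllowedPrincipals = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'CREATOR OWNER',
        'EXAMPLE\Domain Admins'                  # placeholder domain name
    )
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000   # GENERIC_ALL, shown by Get-Acl as 268435456

# Audit the root folder and every subfolder below it.
$folders = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # FullControl is a composite mask: every bit must be set to count.
        # Some ACEs carry the generic right instead of the expanded mask.
        $hasFull    = ($ace.FileSystemRights -band $fullControl) -eq $fullControl
        $hasGeneric = ([int]$ace.FileSystemRights -band $genericAll) -ne 0
        if (-not ($hasFull -or $hasGeneric)) { continue }

        $principal = $ace.IdentityReference.Value
        if ($AllowedPrincipals -notcontains $principal) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $principal
                Inherited = $ace.IsInherited     # $false = set directly on this folder
            }
        }
    }
}

# Entries with Inherited = $false are where the grant was actually made.
$findings | Sort-Object Folder, Principal | Format-Table -AutoSize
```

Granting Modify instead of Full Control to a flagged group keeps read and write access while withholding the right to change permissions or take ownership.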
@chris23tr a year ago
Channel name changed
@cindyayuamelita868 a year ago
Dude, looks like the channel got hacked
@josephballos8053 a year ago
This is the best free software I've seen. Respect.
@abdulrahmanayman5221 a year ago
Very helpful
@christianlempa a year ago
Ty!
@emadnaser3501 a year ago
Very helpful
@christianlempa a year ago
Glad you think so!