
Active Directory - Dedicated User Account

In this guide, we will create a dedicated user account for administering Active Directory. The idea is separation at the account level: you keep using your everyday account for ordinary work, and sign in with this second, privileged account only when you need to perform administrative tasks. That way the administrative rights live in one purpose-built account rather than being granted to everyday accounts that do not need them.

Create a Dedicated User Account

Step 1: Open Active Directory Users and Computers

  1. Click the Start button and select Windows Administrative Tools (or press Win + R and run dsa.msc).

  2. Select Active Directory Users and Computers from the list of administrative tools.

  3. The Active Directory Users and Computers console will open - this is where you can manage user accounts, groups, and other Active Directory objects. It looks like this:

    [Screenshot: Active Directory Users and Computers console]

You'll notice that the domain we created when we promoted the Domain Controller, mydomain.com, is listed here.

Step 2: Creating Our First Organizational Unit (OU)

  1. Right-click on the mydomain.com domain and select New > Organizational Unit.

  2. Enter a name for the new OU - we'll call it _ADMINS for our administrative users.

  3. Click to expand the mydomain.com domain and you'll see the new _ADMINS OU listed.

    [Screenshot: the new _ADMINS Organizational Unit under mydomain.com]

Step 3: Create the Dedicated User Account

  1. Right-click on the _ADMINS OU and select New > User.

  2. Fill in the fields with a fake name, your own name, or whatever you'd like. For the 'User logon name', there are a few conventions you can follow. Here I'll use a-bgoertz, where the a- prefix signals that this is an administrative account and bgoertz is my name. Use whatever you like, but it's a good idea to have a naming convention in place so that privileged accounts are easy to tell apart from regular ones when you review logs or group membership later. The password is set on the next page of the wizard.

    [Screenshot: New Object - User dialog with the logon name a-bgoertz]

  3. Click Next and then add a password. For this guide I'll simply use Password1 - it satisfies the default domain complexity policy, but it is trivially guessable and only acceptable on an isolated lab. I will also uncheck the box that says User must change password at next logon, as I am creating a simple demonstration account; when creating accounts for users in an organization, it is a security best practice to have users change their password on first logon.

  4. Also, check the box that says Password never expires, as we are in a lab environment and don't want to reset the password every 42 days (the default maximum password age in the Default Domain Policy). Do not check this box in a production environment, least of all on a privileged account.

  5. Click Next and then Finish. You'll see a new user account listed in the _ADMINS OU.

    [Screenshot: the new user account listed in the _ADMINS OU]

Step 4: Add the User to the Domain Admins Group

  1. Right-click on the user account you just created and select Properties.

  2. Click on the Member Of tab and then click Add.

  3. In the Enter the object names to select field, type domain admins and click Check Names. The name should resolve to Domain Admins (it becomes underlined). Then click OK.

warning

Ensure there is no whitespace before or after the name domain admins when you type it in. If there is, the name will not resolve correctly.

    [Screenshot: Select Groups dialog before Check Names]

Once resolved (after clicking Check Names), it will look like this:

    [Screenshot: Select Groups dialog with the name resolved to Domain Admins]

  4. Click OK and then Apply and OK again to close the properties window.

Step 5: Test the Account

  1. Log out of your current account

  2. When you press Ctrl + Alt + Del you'll see the option Other user. Click on this.

  3. You'll now see the login fields ask for Username and Password. Enter the username you created in the down-level format mydomain\a-bgoertz (or as the UPN a-bgoertz@mydomain.com) and the password you set for the account.

  4. Click Sign in and you should be logged in with the new account.
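The whole procedure from Step 2 through the check in Step 5, as an added PowerShell example (this is not code from the original guide, which does everything in the GUI). It assumes the domain is mydomain.com, the OU is _ADMINS and the account is a-bgoertz as above, and must be run from an elevated PowerShell prompt on the domain controller, where the ActiveDirectory module is installed with the AD DS role.

```powershell
# Added example, not part of the original guide: Steps 2 to 5 from an elevated
# PowerShell session on the domain controller instead of the ADUC console.
# Assumptions (change for your lab): domain mydomain.com, OU _ADMINS, user a-bgoertz.
Import-Module ActiveDirectory

$Domain         = Get-ADDomain
$OuName         = '_ADMINS'
$OuDn           = "OU=$OuName,$($Domain.DistinguishedName)"   # OU=_ADMINS,DC=mydomain,DC=com
$SamAccountName = 'a-bgoertz'
$Upn            = "$SamAccountName@$($Domain.DNSRoot)"        # a-bgoertz@mydomain.com

# Step 2: create the OU directly under the domain, but only if it is not there yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $Domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain.DistinguishedName
}

# Step 3: create the user. Prompting keeps the password off the command line and
# out of the PowerShell history file. For a throwaway lab you could use
# ConvertTo-SecureString 'Password1' -AsPlainText -Force instead, never in production.
$Password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString

$userParams = @{
    Name                  = $SamAccountName
    SamAccountName        = $SamAccountName
    UserPrincipalName     = $Upn
    Path                  = $OuDn
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $false   # lab setting from the guide; use $true for real users
    PasswordNeverExpires  = $true    # lab setting from the guide; leave $false in production
}
New-ADUser @userParams

# Step 4: the GUI 'Member Of' step. Domain Admins is resolved by name, so there is
# no whitespace pitfall here.
Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName

# Step 5: verify without logging out. Expect 'Domain Admins' in the group list and
# Enabled / PasswordNeverExpires to match what we set above.
Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires

# After signing in as mydomain\a-bgoertz (or a-bgoertz@mydomain.com), confirm the
# logon token actually carries the group:
#   whoami /groups | findstr /i /C:"Domain Admins"
```

The splatted New-ADUser call mirrors the wizard page by page: Path is the OU from Step 2, AccountPassword is the SecureString from the prompt, and the two lab-only switches are the checkboxes from Step 3, so flipping them for production is a one-line change.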

Conclusion

Great. We have ourselves a shiny new admin account separated into a dedicated OU. This account is a member of the Domain Admins group, which gives it full control of the domain, so treat it accordingly: use it only for administration, never for day-to-day work such as browsing or email, and keep your everyday account out of Domain Admins entirely. In production you would also ask whether a task really needs Domain Admins or can be delegated more narrowly, but for this lab the account gives us everything we need to manage Active Directory.

Next up we will work on RAS and NAT - Remote Access Services and Network Address Translation. See you there!