OUs, GP, Join a PC to a Domain, Pinging IP Address

Fourth Installment
Fourth Installment

Introduction



Today, I will be demonstrating how to create Organizational Units (OUs) and then create users within those OUs. I also plan to log into the new user account I created and run some command-line (CMD) commands on that PC. Additionally, I will explore Group Policy and review its various settings.



Creating a new Organization Unit(OU)



Organizational Units (OUs) are directories (folders) within Active Directory designed to keep it organized. For example, you can create an IT OU or an HR OU to group related resources.



  1. To create a new OU, right-click on your domain controller, then click New > Organizational Unit.




  1. Fill out the "Name:" text field with the desired name for the OU.






Creating user accounts to put into OUs



  1. Right-click on the directory you want to create the user in, thenn click "New".




  1. Fill the text fields with the appropriate information




  1. Give the user a password




  1. Click "Finish".




  1. Drag the user in the OU that you created.




  1. An error message will pop up. In this case, it is fine. Just click "Yes".




  1. I will drag my helpdesk user account in the "IT" OU.




Seeing a user's information through CMD



To view a user's information, such as their user account details, group memberships, password expiration date, and more, you can use the command net user [domain name] /domain. For example, let's check the account information for the user "maddy" that we just created.





Seeing user information through Active Directory Users and Computers



To find Maddy's information using an alternative method, we can locate her profile through Active Directory Users and Computers. To view the full details of the account, we need to access the "Attribute Editor" settings. To do this, you must navigate to the Organizational Unit (OU) that the user belongs to.



  1. Click on "View" in the navbar and click on "Advanced settings".




  1. If you're unsure which OU a user is located in, right-click on the domain controller and select "Find."




  1. Type in the user you want to find in the text field and search "Entire Directory".




  1. Double-click on the user you found in the search results.




  1. Click on the "Object" tab.




  1. Here you will see the organizational unit the User is a part of. In my case, the user Maddy is in the HR OU.




  1. Navigate to the OU where the user is located, and double-click on their name.




  1. The "Attribute Editor" tab will now be visible in the user properties. Click on it to proceed.




  1. In the Attribute Editor, you can view additional information about the user. For example, it shows that Maddy's password was set on January 12, 2025.




Group Policy



  1. The Group Policy can be accessed in Server Manager through the "Tools" menu in the navigation bar.




  1. Next, navigate to the domain controller and double-click on the "Default Domain Policy." Within this policy, you can modify various Windows settings, such as the duration before a user's password expires, the number of login attempts allowed, and more.




  1. Click on the "Settings" tab.




  1. This section provides information about the Domain Policy of your domain controller. Under "Account Policies/Account Lockout Policy," I noticed that the account lockout threshold is set to 0 invalid logon attempts. I will change this setting in the following steps.




Setting account lockout threshold



  1. Right-click on "Default Domain" and click on "Edit".




  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings, and then double-click on Account Policies.




  1. Double-click on "Account Lockout Policy".




  1. Double-click on "Account Lockout Duration." By default, it is set to "Not Defined." We need to change this setting in order to modify any other options.




  1. Click the checkbox labeled "Define this policy setting." This will set the value for "Account is locked out for:" to 30 minutes. I chose to leave it at 30 minutes. After setting your desired values, click "Apply" and then "OK."




  1. When setting the "account lockout threshold," suggested value changes will be provided.



  1. I will change my account lockout threshold setting from 5 invalid login attempts. To do this, double-click on "Account lockout threshold."




  1. Set the number of invalid logon attempts to your desired value.



  1. By navigating to Security Settings > Account Policies > Password Policy, you can view and modify the settings under "Policy."



  1. I decided to change my maximum password age to 90 days.




  1. Once you have finished changing the settings in the Domain Policy, right-click on "Default Domain Policy" and select "Enforced."




  1. Navigate to "Account Policies" > "Password Policy" under the "Settings" tab in the Default Domain Policy, and you should see the changes you made.




Summary



In this lab, I explored how Organizational Units (OUs) are used to organize directories within Active Directory. I created some OUs and added users to them. I logged into one of the newly created user accounts, '"Maddy", and used command-line tools like net user maddy /domain to view her information. Additionally, I reviewed the Group Policy, including how to access it and set an account lockout threshold. The account lockout threshold specifies the number of failed login attempts allowed before an account is locked. This process also allowed me to modify several Group Policy settings, such as password expiration policies, minimum password length, and more.