Active Directory Domain Services (AD DS) is the directory service that underpins authentication, authorisation, and policy management in Windows environments. If you work in a Microsoft shop, understanding AD is not optional — it controls who can log in, what they can access, and what their machines can do.
Domain, Tree, and Forest — The Hierarchy
AD is organised in a logical hierarchy. A domain is the basic administrative unit — think corp.local or sysroot.internal. Multiple domains with a trust relationship form a tree. Multiple trees form a forest. For most organisations, a single domain is all that's needed. The forest is the security boundary; domains within the same forest trust each other by default.
Organisational Units
Organisational Units (OUs) are containers within a domain. You use them to organise objects (users, computers, groups) and, critically, to apply Group Policy selectively. A common OU structure looks like this:
- corp.local
  - Users
    - IT
    - Finance
    - HR
  - Computers
    - Workstations
    - Servers
  - Groups
  - Service Accounts
    - Users
Create OUs in Active Directory Users and Computers (ADUC) — accessible from Server Manager under Tools, or by running dsa.msc. Right-click your domain and choose New > Organizational Unit.
Creating User Accounts
In ADUC, navigate to the appropriate OU, right-click and choose New > User. Fill in the first name, last name, and logon name (UPN). Set a temporary password and tick User must change password at next logon.
PowerShell is faster when creating multiple accounts:
# The temporary password is typed in plaintext here, so it lands in the PowerShell
# history and in any saved copy of the script; acceptable for a one-off at the console,
# not for a script you keep.
New-ADUser `
-Name "Jane Smith" `
-GivenName "Jane" `
-Surname "Smith" `
-SamAccountName "jsmith" `
-UserPrincipalName "jsmith@corp.local" `
-Path "OU=IT,OU=Users,DC=corp,DC=local" `
-AccountPassword (ConvertTo-SecureString "TempP@ss1!" -AsPlainText -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true
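The one-user command above scales to many accounts by reading them from a CSV. The script below is an added example, not code from the original article: it assumes the ActiveDirectory module, the domain corp.local, the OU paths from the structure above, and a CSV at C:\Temp\new-users.csv with the columns GivenName, Surname, SamAccountName and OU (a constructed sample is written to that path so the script runs as-is). It generates a random temporary password per account instead of reusing one fixed string, skips accounts that already exist, and keeps the User must change password at next logon flag.

```powershell
# Added example: bulk user creation from a CSV (assumed path and columns, see lead-in).
Import-Module ActiveDirectory

$domainDns = "corp.local"
$csvPath   = "C:\Temp\new-users.csv"   # assumed location

# Constructed sample input so the script is self-contained; replace with your own file.
@"
GivenName,Surname,SamAccountName,OU
Jane,Smith,jsmith,"OU=IT,OU=Users,DC=corp,DC=local"
Ravi,Patel,rpatel,"OU=Finance,OU=Users,DC=corp,DC=local"
"@ | Set-Content -Path $csvPath -Encoding UTF8

# Random temporary password from the OS CSPRNG; it is never written to disk by this script.
function New-TempPassword {
    param([int]$Length = 16)
    $alphabet = ([char[]](33..126)) -join ''          # printable ASCII
    $bytes    = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($row in Import-Csv -Path $csvPath) {
    $sam = $row.SamAccountName

    # Do not fail halfway through the file because one account already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping"
        continue
    }

    $plain = New-TempPassword
    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -GivenName $row.GivenName `
        -Surname $row.Surname `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$domainDns" `
        -Path $row.OU `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Emit the pair once so it can be handed to the user out of band; nothing is logged.
    [pscustomobject]@{ User = $sam; TempPassword = $plain }
}
```

The password is forced to change at first logon, so the value printed here is only useful until the user signs in once; hand it over in person or through your existing secret-delivery channel rather than by email.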
Groups: Security vs Distribution
AD has two group types. Security groups control access to resources — you add users to a security group and assign permissions to the group, never to individual users. Distribution groups are for email distribution lists and have no security function.
Groups also have a scope:
- Domain Local — used to assign permissions to resources in the same domain; can contain users from any domain
- Global — used to organise users from the same domain; can be assigned permissions across domains
- Universal — spans the entire forest; useful in multi-domain environments
The recommended best practice is the AGDLP model: Accounts go into Global groups, Global groups go into Domain Local groups, and Domain Local groups get Permissions assigned.
# Create a security group
New-ADGroup -Name "Finance-ReadOnly" -GroupScope DomainLocal -GroupCategory Security -Path "OU=Groups,DC=corp,DC=local"
# Add a user to the group
Add-ADGroupMember -Identity "Finance-ReadOnly" -Members "jsmith"
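AGDLP is easier to see end to end than to describe. The script below is an added example, not the article's own code: it assumes the ActiveDirectory module, the NetBIOS domain name CORP, the Groups OU from the structure above, and a constructed share path \\fs01\Finance\Reports. It puts the account in a Global role group, nests that group in a Domain Local resource group, and grants the NTFS permission to the Domain Local group only, then expands the nesting to verify that jsmith ends up with Modify on the folder.

```powershell
# Added example: the AGDLP chain (Accounts -> Global -> Domain Local -> Permissions).
Import-Module ActiveDirectory

$groupOu = "OU=Groups,DC=corp,DC=local"
$netbios = "CORP"                          # assumed NetBIOS domain name
$folder  = "\\fs01\Finance\Reports"        # assumed resource

# A -> G: the Global group names a role ("people in Finance"), not a resource.
$roleGroup = "Finance-Users"
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $groupOu
}
Add-ADGroupMember -Identity $roleGroup -Members "jsmith"

# DL: the Domain Local group names a resource plus an access level.
$resourceGroup = "Finance-Reports-Modify"
if (-not (Get-ADGroup -Filter "Name -eq '$resourceGroup'")) {
    New-ADGroup -Name $resourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
}

# G -> DL: nest the role group in the resource group; users are never added here directly.
Add-ADGroupMember -Identity $resourceGroup -Members $roleGroup

# P: the ACL entry references the Domain Local group, so offboarding a user only
# touches the role group and no ACL on any server has to change.
$acl  = Get-Acl -Path $folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$netbios\$resourceGroup", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: recursive membership of the resource group should list jsmith,
# and the folder's ACL should contain the group, not any individual user.
Get-ADGroupMember -Identity $resourceGroup -Recursive | Select-Object SamAccountName
(Get-Acl -Path $folder).Access | Where-Object IdentityReference -like "$netbios\*" |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The Get-ADGroupMember -Recursive check is the one to keep in your runbook: it catches the case where someone later adds a user straight to the Domain Local group, which defeats the model and is invisible in the ACL.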
Understanding Group Policy Basics
Group Policy Objects (GPOs) are linked to sites, domains, or OUs to push settings to users and computers. GPOs are processed in order: Local > Site > Domain > OU (LSDOU), with later policies overriding earlier ones. Two things change that order: an OU can have Block Inheritance set, which stops policies linked above it from applying, and a link can be marked Enforced, which makes it apply regardless of blocking and win over any conflicting policy linked lower down.
Open Group Policy Management Console (GPMC) from Server Manager > Tools. Right-click an OU and choose Create a GPO in this domain and link it here. Name it descriptively — IT-PasswordPolicy or Workstations-ScreenLock.
Edit your GPO and navigate the settings tree: Computer Configuration applies to the machine regardless of who logs in; User Configuration follows the user account. A common first GPO sets the account lockout policy under:
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
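Both first GPOs from this section can be built from PowerShell, and the link order and the effective lockout policy can be checked the same way. The script below is an added example, not code from the original article: it assumes the GroupPolicy and ActiveDirectory modules (installed with GPMC), the domain corp.local, and the OU names from the structure above. The screen-lock settings are User Configuration registry policies, so the GPO is linked to the Users OU rather than to Workstations; a User Configuration GPO linked only to a computer OU does nothing unless loopback processing is enabled. Account lockout is domain-wide, so the script reads the effective policy rather than editing a GPO.

```powershell
# Added example: create and link a screen-lock GPO, then audit link order and lockout.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = "Workstations-ScreenLock"
$usersOu = "OU=Users,DC=corp,DC=local"

# Create the GPO only once; Get-GPO returns nothing (no error) when it does not exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Lock idle interactive sessions after 15 minutes"
}

# Link it to the OU that holds the user accounts: User Configuration follows the user.
$linked = (Get-GPInheritance -Target $usersOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null
}

# Registry-backed policy values behind
# User Configuration > Policies > Administrative Templates > Control Panel > Personalization.
# All three are REG_SZ; timeout is in seconds (900 = 15 minutes).
$key = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ScreenSaveActive    -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ScreenSaverIsSecure -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ScreenSaveTimeOut   -Type String -Value "900" | Out-Null

# LSDOU in practice: the inherited list shows every GPO that reaches this OU, in the
# order it is applied, and whether a link is Enforced (which wins over Block Inheritance).
(Get-GPInheritance -Target $usersOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Account lockout is read from the domain, not from a GPO name: this is what DCs enforce.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning "LockoutThreshold is 0: repeated bad-password attempts are never throttled"
}
```

Get-ADDefaultDomainPasswordPolicy reflects what the domain controllers actually enforce, so it is the right thing to check after editing the Default Domain Policy GPO or any lockout GPO linked at the domain level; a lockout GPO linked to an OU below the domain has no effect on domain accounts.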
Verifying Replication and Health
In multi-DC environments, replication issues cause authentication failures. Check replication status regularly:
# Check replication status
repadmin /replsummary
# Force replication
repadmin /syncall /AdeP
# Test DC health
dcdiag /test:replications /v
These three commands should be part of every AD admin's weekly health check routine.
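The three commands above are interactive; for the weekly routine it is more useful to have a script that exits non-zero when something is wrong so it can run from a scheduled task and raise an alert. The script below is an added example, not code from the original article: it assumes the ActiveDirectory module (for Get-ADReplicationFailure and Get-ADReplicationPartnerMetadata), the domain corp.local, a one-hour staleness threshold (an assumption, tune it to your replication schedule), and that repadmin and dcdiag are on the path as on any DC or RSAT host.

```powershell
# Added example: scheduled replication health check that fails loudly.
Import-Module ActiveDirectory

$domain   = "corp.local"
$maxLag   = [TimeSpan]::FromHours(1)    # assumed: how stale a partner link may be
$problems = New-Object System.Collections.Generic.List[string]

# 1. Failures each DC has recorded for its inbound partners (same data as repadmin /replsummary).
Get-ADReplicationFailure -Target $domain -Scope Domain | ForEach-Object {
    $problems.Add(("{0} <- {1}: {2} failures since {3} (error {4})" -f
        $_.Server, $_.Partner, $_.FailureCount, $_.FirstFailureTime, $_.LastError))
}

# 2. Partner links that have not replicated successfully within the threshold, even
#    if no failure was recorded (a DC that is simply silent still breaks authentication).
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (((Get-Date) - $_.LastReplicationSuccess) -gt $maxLag) {
                $problems.Add(("{0} <- {1}: last success {2}" -f
                    $_.Server, $_.Partner, $_.LastReplicationSuccess))
            }
        }
}

# 3. dcdiag's own verdict; only the "failed test" lines are worth alerting on.
$dcdiagOutput = & dcdiag /test:replications 2>&1
foreach ($match in ($dcdiagOutput | Select-String -Pattern 'failed test')) {
    $problems.Add("dcdiag: $($match.Line.Trim())")
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    # Non-zero exit makes a scheduled task or monitoring wrapper treat this as a failure.
    exit 1
}
"Replication healthy across $domain"
exit 0
```

Run it with a service account that can read replication metadata (any authenticated user can by default) rather than a Domain Admin, since a scheduled task's credentials are an attractive thing to leave lying on a server. The forced sync from the article (repadmin /syncall /AdeP) is deliberately left out: forcing replication from a health check hides the problem you are trying to measure.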