Creating a Domain User (Active Directory)
This page covers the process of locating a domain controller and using Active Directory Users & Computers to create a new user. We'll also show how to add a user to a group, set other profile values, and explain RSAT. You can also add users via PowerShell, but that's not covered in this guide; for now, refer to Microsoft's documentation for the New-ADUser cmdlet: New-ADUser (ActiveDirectory) | Microsoft Docs.
Getting Started
Locating a Domain Controller/Active Directory
Most domain controllers run Active Directory, the service that keeps the records for all of your network's domain users. There are several ways to locate a domain controller.
Finding a Domain Controller
- Use an RMM - Your RMM (Kaseya, Datto RMM, ConnectWise, SolarWinds, etc.) will generally show you somewhere which servers are domain controllers.
- Run a command on a server or workstation joined to the same domain. Each of the following shows the logon server (a domain controller):
  - set L (Command Prompt)
  - echo %logonserver% (Command Prompt)
  - $env:logonserver (PowerShell)
  - systeminfo (Command Prompt or PowerShell)
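The commands above show only the one domain controller that authenticated your session. The following added example (not part of the original guide) lists every domain controller in the domain the machine is joined to. The first two parts use .NET DirectoryServices and need no RSAT; the last part uses the ActiveDirectory module and runs only if it is installed. It assumes you run it on a domain-joined Windows machine.

```powershell
# Added example (not from the original guide): list the domain controllers of the
# domain this machine is joined to. Requires a domain-joined machine.

# The DC that authenticated this session (same value as: echo %logonserver%)
$logonDc = $env:LOGONSERVER -replace '^\\\\', ''
Write-Host "Logon server for this session: $logonDc"

# Every DC registered for the domain, via .NET DirectoryServices (no RSAT needed)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host "Domain: $($domain.Name)   PDC emulator: $($domain.PdcRoleOwner.Name)"
$domain.DomainControllers |
    Select-Object Name, IPAddress, SiteName, OSVersion |
    Format-Table -AutoSize

# With RSAT installed, the same list (plus the global catalog role) from the AD cmdlets
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADDomainController -Filter * |
        Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
        Format-Table -AutoSize
}
```

Knowing all of the domain controllers (rather than just your logon server) matters when you later need to check where a change has replicated to, or which DC a logon event was recorded on. The built-in nltest /dsgetdc:<domain> command returns similar information from a command prompt.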
Using RSAT (Remote Server Administration Tools)
As long as the device you're on can reach the Active Directory domain in which you want to create the user, you can install RSAT and use it to manage your domain and users. RSAT installs server tools such as Active Directory Users & Computers onto another Windows device. However, the tools only work if you're on the same network as the domain you're trying to manage.
Open Active Directory Users & Computers
Locate Primary OU (Organizational Unit)
In this step you'll want to find the OU (Organizational Unit) where your users are kept. Best practice (usually) is to have an OU named after the company. You may have to do a little digging to find where all the users are kept. In this example the only two that really stand out are LAB and Users. Users is a default container (not an OU) that is created automatically when setting up AD. LAB is an OU, and it is where all my users are.
Inside LAB, there are several OUs that organize things further. Here you might see OUs for department, team, building, etc. This varies between domains and is generally organized however the IT administrator who set up the domain/AD decided to structure it. OU structure is important because Windows allows you to apply certain permissions or policies to an OU. For example, maybe everyone in the IT Admins OU has more freedom to change Windows settings than users in the Accounting OU. Without separate OUs it would be harder to target the right users/computers when making the policies.
OUs might contain more than just users: they can also contain groups, computers, and more!
Creating the User
Right click on the OU where you want the user to be created, go to New and pick User.
Fill out the appropriate information. Be sure to take note that the User logon name is the actual username the user will log in with.
Be sure to follow the same naming convention used for other accounts in AD. It's not required, but it is important for keeping things clean and organized. This example uses first initial + last name.
Set a password for the user. If this is a service account (an account used for integrating devices or software into your domain), you may want to consider setting the password to never expire.
For security, it's recommended to leave the first checkbox selected, which forces the user to change their password when they first log in. This ensures only the end user knows their password.
Review information and click finish.
That's it! You've created a user!
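The same wizard steps can be scripted. The following is an added example (not from the original guide and not Microsoft's sample code) that creates a user with New-ADUser following the first initial + last name convention, generates a random one-time password, and applies either the "change password at next logon" setting for a person or the "password never expires" setting for a service account. It assumes the RSAT ActiveDirectory module is installed; the OU path, the UPN suffix and the function names are placeholders.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module
# (RSAT) is installed; $ouPath and $upnSuffix are placeholders to replace.
Import-Module ActiveDirectory

$ouPath    = 'OU=Users,OU=LAB,DC=example,DC=local'   # placeholder: OU that holds users
$upnSuffix = 'example.local'                         # placeholder: domain / UPN suffix

function New-RandomPassword([int]$Length = 20) {
    # 64 characters (ambiguous ones removed), so byte % 64 is unbiased
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-LabDomainUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [switch] $ServiceAccount   # integration account rather than a person
    )
    # Naming convention used in this guide: first initial + last name
    $sam = ($GivenName.Substring(0, 1) + $Surname).ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "An account named '$sam' already exists; choose another name."
    }

    $initial = New-RandomPassword
    $params = @{
        Name              = "$GivenName $Surname"
        GivenName         = $GivenName
        Surname           = $Surname
        DisplayName       = "$GivenName $Surname"
        SamAccountName    = $sam
        UserPrincipalName = "$sam@$upnSuffix"
        Path              = $ouPath
        AccountPassword   = (ConvertTo-SecureString $initial -AsPlainText -Force)
        Enabled           = $true
    }
    if ($ServiceAccount) {
        # Equivalent of ticking "Password never expires" for a service account.
        # Because it never rotates, keep it long and random and store it in a vault.
        $params.PasswordNeverExpires  = $true
        $params.ChangePasswordAtLogon = $false
    }
    else {
        # Equivalent of the first checkbox in the wizard: the person sets their
        # own password at first logon, so only they ever know it.
        $params.ChangePasswordAtLogon = $true
    }
    New-ADUser @params

    # Hand the one-time password over out of band; it is not written to any log here
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }
}

# Usage:
# New-LabDomainUser -GivenName 'Jane' -Surname 'Doe'                    # creates jdoe
# New-LabDomainUser -GivenName 'Backup' -Surname 'Service' -ServiceAccount
```

The two password switches are mutually exclusive in AD (a never-expiring password cannot also be flagged for change at next logon), which is why the function sets them in separate branches. The duplicate-name check mirrors the error the wizard would show when a logon name is already taken.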
Setting User Properties
Double clicking the user in AD will open a window where you can see and change many properties for the user.
General
Here you can change their name, set an office, telephone number, email, etc...
Address
Here you can set their address information.
Account
Here you can change their username, set logon hours, limit which computers they can log on to, set an account expiration date, and set certain password options. Here you can also unlock their account if they've tried to log in too many times with the wrong password.
Changing their username can generally cause issues if they've already been using the account.
Profile
Here you can set a profile path, logon script or home folder.
Telephones
Here you can set the user's phone numbers.
Organization
Here you can set their Job Title, Department, Company, Manager, etc...
Member Of
Here you can add the user to groups.
These are the most commonly edited properties; there are others, but they won't be covered at this time.
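Every field on the tabs above maps to a Set-ADUser parameter. The following added example (not from the original guide) sets values for the General, Address, Telephones, Organization, Profile and Account tabs in one call and then performs the Account tab's unlock only if the account is actually locked out. It assumes RSAT is installed; the account name, manager, paths and values are placeholders. Logon hours are stored as a 21-byte bitmask and are left out here.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module
# is installed; 'jdoe', 'asmith' and the paths below are placeholders.
Import-Module ActiveDirectory
$user = 'jdoe'   # placeholder: sAMAccountName of the account to edit

$props = @{
    # General tab
    Office        = 'Building 2, Room 14'
    OfficePhone   = '555-0100'
    EmailAddress  = 'jdoe@example.local'
    # Address tab
    StreetAddress = '1 Main St'
    City          = 'Springfield'
    State         = 'WA'
    PostalCode    = '98000'
    Country       = 'US'                 # two-letter ISO country code
    # Telephones tab
    MobilePhone   = '555-0101'
    # Organization tab
    Title         = 'Analyst'
    Department    = 'IT'
    Company       = 'Example Corp'
    Manager       = 'asmith'             # placeholder: the manager's sAMAccountName
    # Profile tab
    HomeDirectory = '\\fs01\home\jdoe'   # placeholder UNC path
    HomeDrive     = 'H:'
    ScriptPath    = 'logon.bat'
    # Account tab
    LogonWorkstations     = 'WS01,WS02'  # only these computers may log this user on
    AccountExpirationDate = (Get-Date).AddMonths(6)
}
Set-ADUser -Identity $user @props

# Account tab: unlock only when the lockout flag is actually set, so the action
# is visible in your change log as a deliberate step rather than a no-op
$state = Get-ADUser -Identity $user -Properties LockedOut
if ($state.LockedOut) {
    Unlock-ADAccount -Identity $user
    Write-Host "$user was locked out and has been unlocked"
}

# Review the result, as the Properties window would show it
$show = 'Office', 'City', 'Title', 'Department', 'Manager', 'HomeDirectory',
        'LogonWorkstations', 'AccountExpirationDate', 'LockedOut'
Get-ADUser -Identity $user -Properties $show | Format-List $show
```

The username itself is changed with the SamAccountName and UserPrincipalName parameters of the same cmdlet, but, as the Account section notes, renaming an account that is already in use tends to break things that reference the old name.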
Adding a User to a Group
In the Properties of the user, go to Member Of.
Click Add
Click Advanced, enter the name of the group, hit Find Now, and select the group from the results, then press OK.
Instead of clicking Advanced, you could enter the group name in the "Enter object names to select" box and then hit Check Names. I found hitting Advanced and being sure you have the right group is the best/easiest way.
Press OK again.
Lastly, Press OK/Apply once the Group is shown in the Member Of list.
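The "Advanced, Find Now" approach exists to make sure you pick the right group when several have similar names. The following added example (not from the original guide) does the same from PowerShell: it searches for the group by name, refuses to continue unless exactly one group matches, warns when the target is a built-in privileged group, adds the user only if they are not already a member, and then lists the resulting Member Of entries. It assumes RSAT is installed; the user, group name and function name are placeholders.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module
# is installed; 'jdoe' and 'IT Admins' are placeholders.
Import-Module ActiveDirectory

function Add-UserToGroupChecked {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Equivalent of Advanced -> Find Now: search, then insist on a single match
    $found = @(Get-ADGroup -Filter "Name -like '*$GroupName*'" -Properties Description)
    if ($found.Count -ne 1) {
        Write-Warning "Expected exactly one group matching '$GroupName', found $($found.Count):"
        $found | Select-Object Name, GroupScope, GroupCategory, Description | Format-Table -AutoSize
        return
    }
    $group = $found[0]

    # Built-in groups that grant broad control over the domain; membership changes
    # to these deserve a second look (and normally a change ticket)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Backup Operators'
    if ($privileged -contains $group.Name) {
        Write-Warning "'$($group.Name)' is a privileged group; confirm this is approved."
    }

    # Idempotent: skip if the user is already a direct member
    $already = Get-ADGroupMember -Identity $group |
        Where-Object SamAccountName -eq $SamAccountName
    if ($already) {
        Write-Host "$SamAccountName is already a member of $($group.Name)"
    }
    else {
        Add-ADGroupMember -Identity $group -Members $SamAccountName
        Write-Host "Added $SamAccountName to $($group.Name)"
    }

    # Equivalent of the Member Of tab after pressing OK/Apply
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object Name, GroupScope, GroupCategory |
        Sort-Object Name
}

# Usage:
# Add-UserToGroupChecked -SamAccountName 'jdoe' -GroupName 'IT Admins'
```

The exact-match rule is the scripted form of "being sure you have the right group": a wildcard search that returns two groups stops the function instead of silently adding the user to the first one.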
Copying an Existing User
If you have a user that already has all the groups you want another user to have, right-click that user and choose Copy. It will let you create a new user with the same groups.
Moving a User
If you need to move a user, you can right-click the user and choose Move, or drag and drop it into the correct OU/location.
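The Copy and Move actions above can also be done from PowerShell. The following added example (not from the original guide) covers both sections: it reads a template user's group memberships and a handful of organizational attributes, creates a new user in the template's OU with the same groups (what the Copy dialog does), and then moves the new user to another OU with Move-ADObject (what drag-and-drop does). It assumes RSAT is installed; the template user, new user, UPN suffix and target OU are placeholders.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module
# is installed; 'jdoe', 'asmith', the UPN suffix and the OU path are placeholders.
Import-Module ActiveDirectory

$template  = 'jdoe'      # placeholder: existing user whose groups we copy
$newSam    = 'asmith'    # placeholder: logon name for the copied user
$upnSuffix = 'example.local'
$targetOu  = 'OU=Accounting,OU=LAB,DC=example,DC=local'   # placeholder: OU to move to

# --- Copying an existing user ---
# Attributes the Copy dialog carries over (groups are handled separately below)
$copyAttrs = 'Department', 'Company', 'Title', 'Manager', 'HomeDrive', 'ScriptPath', 'Description'
$src = Get-ADUser -Identity $template -Properties (@('MemberOf') + $copyAttrs)

# Parent OU of the template = everything after the first RDN of its distinguished name
$parentOu = ($src.DistinguishedName -split ',(?=OU=|CN=|DC=)', 2)[1]

$params = @{
    Name                  = 'Alex Smith'          # placeholder display name
    GivenName             = 'Alex'
    Surname               = 'Smith'
    SamAccountName        = $newSam
    UserPrincipalName     = "$newSam@$upnSuffix"
    Path                  = $parentOu
    AccountPassword       = (Read-Host -Prompt "Initial password for $newSam" -AsSecureString)
    ChangePasswordAtLogon = $true                 # new person must set their own password
    Enabled               = $true
}
foreach ($attr in $copyAttrs) {
    if ($src.$attr) { $params[$attr] = $src.$attr }
}
New-ADUser @params

# Same group memberships as the template (MemberOf holds group distinguished names;
# the primary group, normally Domain Users, is implicit and not listed there)
foreach ($groupDn in $src.MemberOf) {
    Add-ADGroupMember -Identity $groupDn -Members $newSam
}
Write-Host "Created $newSam in $parentOu with $(@($src.MemberOf).Count) copied group(s)"

# --- Moving a user ---
$new = Get-ADUser -Identity $newSam
Move-ADObject -Identity $new.DistinguishedName -TargetPath $targetOu

# Confirm the new location; policies linked to the target OU now apply to this user
Get-ADUser -Identity $newSam | Select-Object Name, SamAccountName, DistinguishedName
```

Copying groups from a template is convenient, but it also copies any over-broad access the template has accumulated, so it is worth reviewing the copied list (the Member Of tab, or Get-ADPrincipalGroupMembership) before handing the account over. Moving a user changes which OU-linked Group Policy objects apply to them at their next logon.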