Windows Server – Complete Beginner to Advanced Guide
CHAPTER 05 Intermediate

User and Group Management

Updated: May 16, 2026
30 min read

1. Introduction

An empty Active Directory database is useless. The primary daily responsibility of an IT Helpdesk Engineer is the lifecycle management of human identities: creating accounts for new hires, unlocking accounts and resetting passwords for forgetful employees, and disabling accounts the exact moment an employee is terminated. However, granting access to corporate data must be handled methodically. If you grant permissions to individual users one by one, your network will quickly descend into an unmanageable administrative nightmare. In this chapter, we will master the Active Directory Users and Computers (ADUC) console. We will learn to create user objects, enforce password security policies, and implement the enterprise gold-standard methodology of Role-Based Access Control (RBAC) using Security Groups.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Navigate the Active Directory Users and Computers (ADUC) MMC snap-in.
  • Create, modify, disable, and delete Active Directory User accounts.
  • Understand and enforce Active Directory password complexity policies.
  • Differentiate between Security Groups and Distribution Groups.
  • Implement Role-Based Access Control (RBAC) to manage permissions efficiently.

3. Active Directory Users and Computers (ADUC)

Once a Windows Server is promoted to a Domain Controller, a new tool appears in the Administrative Tools menu: Active Directory Users and Computers (ADUC). This is the graphical interface used to manage the AD database. Inside ADUC, you will see your Domain name at the top (e.g., corp.local), and beneath it, a folder structure representing your Organizational Units (OUs).

4. User Account Lifecycle

A User Object in AD represents a human being. It contains their login name, password, email, and metadata (like their manager's name or office number).

1. Creating a User: When creating a user, you must define the User Principal Name (UPN). This looks like an email address (e.g., jsmith@corp.local) and is what the user actually types into the Windows login screen. *Best Practice:* Always check the box: User must change password at next logon. This ensures the IT administrator never knows the user's permanent password.

2. Disabling a User: When an employee leaves the company, NEVER delete their account immediately. Deleting an account destroys its unique Security Identifier (SID); every file owner or ACL entry that referenced that SID then shows only an unresolvable, orphaned SID, so the historical ownership of files they created is permanently lost. Always right-click and select Disable Account. The user can no longer log in, but their historical data remains intact for auditing.
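The offboarding step above, done the way a helpdesk script would do it. This is an added example, not code from the chapter; it assumes the ActiveDirectory module is available (a Domain Controller or RSAT), a holding OU named "OU=Disabled Users,DC=corp,DC=local" exists, and that stripping group memberships on disable is your team's policy.

```powershell
# Offboarding: disable rather than delete, so the SID referenced by file ACLs stays resolvable.
# Assumptions (not from the chapter): the ActiveDirectory module is loaded and the
# holding OU below exists.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = "OU=Disabled Users,DC=corp,DC=local"   # assumed holding OU
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description

    # 1. Block logon immediately. The object, and therefore its SID, stays in the database.
    Disable-ADAccount -Identity $user

    # 2. Leave an audit trail in the Description field (who/when is visible in ADUC).
    $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') - employee left"
    Set-ADUser -Identity $user -Description $stamp

    # 3. Strip group memberships so a later re-enable does not silently restore old access.
    #    (Policy assumption: the primary group, Domain Users, is not in MemberOf and stays.)
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Park the object in the holding OU for the retention period.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    # The SID is unchanged, so Owner/ACL entries on the file server still resolve to a name.
    return (Get-ADUser -Identity $user.SID).SID.Value
}

# Contrast: Remove-ADUser would destroy the SID and leave orphaned S-1-5-21-... entries in ACLs.
Disable-LeaverAccount -SamAccountName "jsmith"
```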

5. Group Management and RBAC

Imagine a company with 50 HR employees. If a new HR folder is created on the file server, adding all 50 names manually to the permissions list takes an hour. If a user transfers to another department, you have to hunt down and remove their individual name.

The Solution: Security Groups. Instead of assigning permissions to *people*, you assign permissions to *groups*. This is known as Role-Based Access Control (RBAC).

  1. You create a Security Group named SG-HR-Department.
  2. You grant that Group access to the HR folder.
  3. You add the 50 employees into the Group.
When a new employee is hired, you simply drop them into the group, and they instantly inherit access to the folder.

6. Security vs. Distribution Groups

When creating a group in ADUC, you must select a Group Type:
  • Security Group: Used to assign permissions to network resources (files, printers, VPNs). *This is what you will use 99% of the time.*
  • Distribution Group: Used exclusively by Microsoft Exchange for email distribution lists (e.g., sending an email to all-staff@corp.com). You cannot assign file permissions to a Distribution Group.
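The three RBAC steps from section 5, plus the Security-versus-Distribution distinction from section 6, as one added PowerShell example (not the chapter's own code). It assumes it runs on the file server that hosts D:\Shares\HR, that the domain's NetBIOS name is CORP, that "OU=Groups,DC=corp,DC=local" exists, and that the Department attribute is populated on HR users.

```powershell
# RBAC in practice: permissions go to the GROUP, people go INTO the group.
# Assumptions (not from the chapter): folder D:\Shares\HR exists locally, NetBIOS domain CORP,
# the Groups OU exists, and the ActiveDirectory module is available.
Import-Module ActiveDirectory

$groupName = "SG-HR-Department"
$folder    = "D:\Shares\HR"

# Step 1: create the Security Group. -GroupCategory Security is what makes the group usable
# in an ACL; a Distribution group (-GroupCategory Distribution) is not security-enabled and
# the file system will refuse it as an ACL principal.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Global `
        -Path "OU=Groups,DC=corp,DC=local" `
        -Description "Modify access to the HR share"
}

# Step 2: grant the GROUP (never an individual) Modify on the folder, inherited by children.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$groupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: add the HR employees. Pull them from the directory instead of typing 50 names:
# every enabled user whose Department attribute is "HR".
$hrUsers = Get-ADUser -Filter { Department -eq 'HR' -and Enabled -eq $true }
if ($hrUsers) { Add-ADGroupMember -Identity $groupName -Members $hrUsers }

# A transfer out of HR is one Remove-ADGroupMember call; the folder ACL never changes:
# Remove-ADGroupMember -Identity $groupName -Members "jsmith" -Confirm:$false

# Verify: the ACL should carry exactly one HR entry, and it should be the group.
(Get-Acl -Path $folder).Access |
    Where-Object IdentityReference -like "*$groupName*" |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```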

7. Diagrams/Visual Suggestions

*Visual Concept: Role-Based Access Control (RBAC)* Draw a diagram with three columns.
  • Left Column (Users): Icons of three employees (Alice, Bob, Charlie).
  • Middle Column (Group): A large shield icon labeled SG-Accounting-Read.
  • Right Column (Resource): A folder icon labeled Finance Spreadsheets.
Draw arrows showing the three Users flowing INTO the Group, and a single thick arrow flowing from the Group INTO the Folder. This explicitly illustrates that permissions are mapped to the Group, which acts as the single, centralized administrative control point.

8. Best Practices

  • Standardized Naming Conventions: A massive domain will have thousands of groups. If you name a group "Marketing," no one knows what it does. Always use a strict naming convention. For example: SG-Marketing-ReadOnly. (SG = Security Group, Marketing = Department, ReadOnly = The exact permission level). This makes auditing infinitely easier.

9. Common Mistakes

  • Unlocking instead of Resetting: If a user types their password wrong 5 times, AD will automatically lock their account. An IT admin can right-click the user and select "Unlock". However, if the user actually *forgot* their password, unlocking it does no good; they will just lock it again. You must right-click and select Reset Password.
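A helpdesk triage function that picks Unlock or Reset from the account's actual state rather than guessing. This is an added example, not code from the chapter; it assumes the ActiveDirectory module is available and the helpdesk account has unlock and reset rights in the user's OU.

```powershell
# Unlock vs. Reset: inspect the account, then apply the fix the symptom actually needs.
# Assumptions (not from the chapter): ActiveDirectory module loaded; caller has rights.
Import-Module ActiveDirectory

function Repair-UserLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Set only when the caller confirms they do not remember their password.
        [switch] $PasswordForgotten
    )
    $props = 'LockedOut', 'BadLogonCount', 'LastBadPasswordAttempt',
             'PasswordLastSet', 'PasswordExpired', 'Enabled'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    if (-not $u.Enabled) { return "Account is disabled; unlocking would not help." }

    if ($PasswordForgotten -or $u.PasswordExpired) {
        # Reset is the fix: new temporary password, forced change at logon, and clear the
        # lockout that the wrong guesses caused. Unlock alone would just lock again.
        $temp = Read-Host -AsSecureString "Temporary password for $SamAccountName"
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $temp
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        Unlock-ADAccount -Identity $u
        return "Password reset and account unlocked; user must change it at next logon."
    }

    if ($u.LockedOut) {
        # User knows the password but tripped the lockout threshold, typically a device
        # still holding an old saved credential. Unlock is enough; report the evidence.
        Unlock-ADAccount -Identity $u
        return ("Unlocked. {0} bad attempts, last at {1}; check for a device using the old password." -f
                $u.BadLogonCount, $u.LastBadPasswordAttempt)
    }

    return "Account is not locked out; password last set $($u.PasswordLastSet)."
}

Repair-UserLogon -SamAccountName "jsmith"                      # unlock only
Repair-UserLogon -SamAccountName "jsmith" -PasswordForgotten   # reset + unlock
```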

10. Mini Project: Automating User Creation with PowerShell

Using the GUI to create 100 users takes hours. Let's do it in 2 seconds using PowerShell.
  1. Open PowerShell as Administrator on your Domain Controller.
  2. We will use the New-ADUser cmdlet:

```powershell
# Create a new user named John Doe
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@corp.local" `
    -Path "OU=Users,OU=Sales,DC=corp,DC=local" `
    -AccountPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force) `
    -ChangePasswordAtLogon $true -Enabled $true
```

  3. Open ADUC and verify the user was instantly generated in the Sales OU!
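Scaling the single New-ADUser call above to the 100 users the mini project talks about, with a per-user random temporary password that respects the domain's password policy. This is an added example, not the chapter's code; it assumes a file C:\Onboarding\newhires.csv with the columns GivenName, Surname, Department and OU (the OU column holds the target OU's distinguished name), and the ActiveDirectory module on the Domain Controller.

```powershell
# Bulk onboarding from CSV. Assumptions (not from the chapter): the CSV path and columns
# described above, and the ActiveDirectory module available.
Import-Module ActiveDirectory

$domainDns = "corp.local"
$policy    = Get-ADDefaultDomainPasswordPolicy   # temp passwords must satisfy the domain policy

function New-TempPassword {
    # One character from each of four classes, padded to max(16, policy minimum), shuffled.
    param([int] $Length = [Math]::Max(16, $policy.MinPasswordLength))
    $sets  = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghjkmnpqrstuvwxyz', '23456789', '!@#$%&*?')
    $chars = foreach ($s in $sets) { $s[(Get-Random -Maximum $s.Length)] }
    $all   = -join $sets
    while ($chars.Count -lt $Length) { $chars += $all[(Get-Random -Maximum $all.Length)] }
    return -join ($chars | Sort-Object { Get-Random })
}

$results = foreach ($row in Import-Csv -Path "C:\Onboarding\newhires.csv") {
    # SamAccountName = first initial + surname, lower-case, numeric suffix on collision.
    $base = ($row.GivenName.Substring(0, 1) + $row.Surname).ToLower() -replace '[^a-z0-9]', ''
    $sam = $base; $i = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$sam'") { $sam = "$base$i"; $i++ }

    $temp = New-TempPassword
    try {
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" -GivenName $row.GivenName `
            -Surname $row.Surname -SamAccountName $sam -UserPrincipalName "$sam@$domainDns" `
            -Department $row.Department -Path $row.OU `
            -AccountPassword (ConvertTo-SecureString $temp -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true
        [pscustomobject]@{ Sam = $sam; Status = 'Created'; TempPassword = $temp }
    } catch {
        # A policy rejection ("password does not meet requirements") lands here, per user.
        [pscustomobject]@{ Sam = $sam; Status = "Failed: $($_.Exception.Message)"; TempPassword = '' }
    }
}

# Hand temporary passwords over out-of-band; the forced change at logon retires them anyway.
$results | Format-Table -AutoSize
```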

11. Practice Exercises

  1. Explain the architectural principle of Role-Based Access Control (RBAC). Why is it considered an industry standard over explicitly assigning permissions to individual user accounts?
  2. Contrast the functional difference between a Security Group and a Distribution Group in Active Directory.

12. MCQs with Answers

Question 1

When an employee abruptly resigns from a corporation, what is the mandatory immediate action an IT administrator should perform regarding the employee's Active Directory user account to maintain forensic data integrity?

Question 2

During the creation of a new user account via ADUC, an administrator checks the box labeled "User must change password at next logon." What specific security vulnerability does this action mitigate?

13. Interview Questions

  • Q: A department manager asks you to grant a newly hired employee access to five different highly secure financial folders on the network. Walk me through the exact, best-practice methodology you would utilize in Active Directory to grant this access efficiently and sustainably.
  • Q: Explain the catastrophic loss of metadata that occurs if a systems administrator decides to physically "Delete" an Active Directory user account the moment an employee leaves the company, rather than disabling it.
  • Q: You are utilizing PowerShell to automate bulk user creation. You attempt to execute New-ADUser, but the command immediately fails, stating that the password does not meet the domain requirements. Explain what the Active Directory password complexity requirements are by default in Windows Server.

14. FAQs

Q: Can a user belong to more than one group at the same time? A: Yes! A user can (and usually does) belong to dozens of groups simultaneously. A user named Sarah might belong to SG-All-Employees, SG-HR-Dept, and SG-VPN-Access all at the exact same time, inheriting the cumulative permissions of all those groups combined.

15. Summary

In Chapter 5, we mastered the human element of Windows Server infrastructure. We navigated the Active Directory Users and Computers (ADUC) console, establishing strict lifecycle management protocols by emphasizing account disablement over deletion to preserve forensic integrity. We abandoned the chaotic methodology of individual permission assignment, wholeheartedly adopting the enterprise standard of Role-Based Access Control (RBAC). By leveraging Security Groups, we created scalable, highly organized administrative control points, allowing us to grant and revoke access to hundreds of employees with a single click.

16. Next Chapter Recommendation

You can now manage who the users are. Now, we must manage what their computers are allowed to do. Proceed to Chapter 6: Group Policy Management.
