Phase 2

Active Directory
OU, Users, Groups
& Delegation

Build a real-world AD structure with proper roles, groups, and least-privilege delegation.

Team: CF (IT) • HT (Finance) • TH (Sales) • JD (HR) • TM (HR)

Domain: TeamD.hello  |  Server: DC-TeamD


Your Team — The Big Picture

Each person gets 2 accounts, 1 department, 1 role, and group memberships

Cory Farris (CF) | IT | Domain Admin
  Employee: cfarrisD | Admin: cfarrisD.admin | Group: IT-Users-D | Admin Group: Domain Admins

Hak Tang (HT) | Finance | Helpdesk Admin
  Employee: htangD | Admin: htangD.admin | Group: Finance-Users-D | Admin Group: IT-Helpdesk-D

Tony Hall (TH) | Sales | Standard User
  Employee: thallD | Admin: thallD.admin | Group: Sales-Users-D | Admin Group: none

Johny D (JD) | HR | Standard User
  Employee: jdD | Admin: jdD.admin | Group: HR-Users-D | Admin Group: none

Tiffany M (TM) | HR | Standard User
  Employee: tmD | Admin: tmD.admin | Group: HR-Users-D | Admin Group: none

Visual Map — Where Everything Goes

Every object has a specific home in the OU tree

TeamD Corp
├── Finance: htangD
├── Sales: thallD
├── HR: jdD, tmD
├── IT: cfarrisD
├── Admin Accounts: cfarrisD.admin, htangD.admin, thallD.admin, jdD.admin, tmD.admin
├── Groups: Finance-Users-D, Sales-Users-D, HR-Users-D, IT-Users-D, IT-Helpdesk-D
├── Computers: D-PC-Fin01, etc.
└── Service Accounts: svc-backup, etc.

NEVER place users at the domain root. Employee accounts go in department OUs. Admin accounts go in Admin Accounts OU.

Part 1

Create the OU Structure

# Create parent OU
New-ADOrganizationalUnit -Name "TeamD Corp" -Path "DC=TeamD,DC=hello"

# Create all 8 child OUs under it
$p = "OU=TeamD Corp,DC=TeamD,DC=hello"
New-ADOrganizationalUnit -Name "Finance" -Path $p
New-ADOrganizationalUnit -Name "Sales" -Path $p
New-ADOrganizationalUnit -Name "HR" -Path $p
New-ADOrganizationalUnit -Name "IT" -Path $p
New-ADOrganizationalUnit -Name "Admin Accounts" -Path $p
New-ADOrganizationalUnit -Name "Groups" -Path $p
New-ADOrganizationalUnit -Name "Computers" -Path $p
New-ADOrganizationalUnit -Name "Service Accounts" -Path $p
GUI steps (ADUC):

1. Press Win+R → type dsa.msc → Enter
2. Right-click TeamD.hello → New → Organizational Unit → name: TeamD Corp → OK
3. Expand TeamD.hello so you see TeamD Corp
4. Right-click TeamD Corp → New → Organizational Unit → name: Finance → OK
5. Repeat step 4 seven more times for: Sales • HR • IT • Admin Accounts • Groups • Computers • Service Accounts
6. Verify: click + next to TeamD Corp — all 8 OUs should appear.

Part 2

Naming Convention

Copy this into your report

Employee Usernames: cfarrisD (first initial + lastname + D)
Admin Usernames: cfarrisD.admin (employee username + .admin)
Group Names: Finance-Users-D (Department-Users-D)
Computer Names: D-PC-Fin01 (D-PC-DeptCode##)

Part 3 — Employee Accounts

Create Employee Accounts

Each person goes into their department OU

Cory Farris (CF): cfarrisD → OU=IT
Hak Tang (HT): htangD → OU=Finance
Tony Hall (TH): thallD → OU=Sales
Johny D (JD): jdD → OU=HR
Tiffany M (TM): tmD → OU=HR
$empPass = ConvertTo-SecureString "TempPass123!" -AsPlainText -Force
$p = "OU=TeamD Corp,DC=TeamD,DC=hello"
# UPN follows the naming convention: employee username @ TeamD.hello

# Cory Farris → IT
New-ADUser -Name "Cory Farris" -GivenName "Cory" -Surname "Farris" -SamAccountName "cfarrisD" -UserPrincipalName "cfarrisD@TeamD.hello" -Path "OU=IT,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true

# Hak Tang → Finance
New-ADUser -Name "Hak Tang" -GivenName "Hak" -Surname "Tang" -SamAccountName "htangD" -UserPrincipalName "htangD@TeamD.hello" -Path "OU=Finance,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true

# Tony Hall → Sales
New-ADUser -Name "Tony Hall" -GivenName "Tony" -Surname "Hall" -SamAccountName "thallD" -UserPrincipalName "thallD@TeamD.hello" -Path "OU=Sales,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true

# Johny D → HR
New-ADUser -Name "Johny D" -GivenName "Johny" -Surname "D" -SamAccountName "jdD" -UserPrincipalName "jdD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true

# Tiffany M → HR
New-ADUser -Name "Tiffany M" -GivenName "Tiffany" -Surname "M" -SamAccountName "tmD" -UserPrincipalName "tmD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true
GUI steps (ADUC):

1. Open dsa.msc → expand TeamD Corp → click IT
2. Right-click IT → New → User
   New Object - User (in IT OU)
     First name: Cory
     Last name: Farris
     User logon name: cfarrisD@TeamD.hello
3. Click Next → password: TempPass123!
   ☑️ User must change password at next logon
4. Next → Finish
5. Repeat for each person, right-clicking their department OU:
   Hak Tang → htangD → right-click Finance
   Tony Hall → thallD → right-click Sales
   Johny D → jdD → right-click HR
   Tiffany M → tmD → right-click HR

Part 3 — Admin Accounts

Create Admin Accounts

ALL admin accounts go into Admin Accounts OU

Cory Farris (CF): cfarrisD.admin → OU=Admin Accounts
Hak Tang (HT): htangD.admin → OU=Admin Accounts
Tony Hall (TH): thallD.admin → OU=Admin Accounts
Johny D (JD): jdD.admin → OU=Admin Accounts
Tiffany M (TM): tmD.admin → OU=Admin Accounts
$admPass = ConvertTo-SecureString "AdminPass456!" -AsPlainText -Force
$a = "OU=Admin Accounts,OU=TeamD Corp,DC=TeamD,DC=hello"
# Admin accounts: no forced password change at first logon; UPN = admin username @ TeamD.hello

New-ADUser -Name "Cory Farris (Admin)" -GivenName "Cory" -Surname "Farris" -SamAccountName "cfarrisD.admin" -UserPrincipalName "cfarrisD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Hak Tang (Admin)" -GivenName "Hak" -Surname "Tang" -SamAccountName "htangD.admin" -UserPrincipalName "htangD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Tony Hall (Admin)" -GivenName "Tony" -Surname "Hall" -SamAccountName "thallD.admin" -UserPrincipalName "thallD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Johny D (Admin)" -GivenName "Johny" -Surname "D" -SamAccountName "jdD.admin" -UserPrincipalName "jdD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Tiffany M (Admin)" -GivenName "Tiffany" -Surname "M" -SamAccountName "tmD.admin" -UserPrincipalName "tmD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
GUI steps (ADUC):

1. In ADUC, click the Admin Accounts OU (inside TeamD Corp)
2. Right-click Admin Accounts → New → User
   New Object - User (in Admin Accounts OU)
     First name: Cory
     Last name: Farris
     Full name: Cory Farris (Admin)
     User logon name: cfarrisD.admin@TeamD.hello
3. Click Next → password: AdminPass456! (DIFFERENT from the employee password)
   ☐ User must change password (leave UNCHECKED)
4. Next → Finish. Repeat for: htangD.admin, thallD.admin, jdD.admin, tmD.admin

Parts 4 & 5

Roles, Groups & Membership

Who belongs to what — the complete picture

Department Groups (in Groups OU)

Finance-Users-D: htangD
Sales-Users-D: thallD
HR-Users-D: jdD, tmD
IT-Users-D: cfarrisD

Admin Groups

Domain Admins (built-in): cfarrisD.admin
IT-Helpdesk-D: htangD.admin

# Create groups
$g = "OU=Groups,OU=TeamD Corp,DC=TeamD,DC=hello"
New-ADGroup -Name "Finance-Users-D" -GroupScope Global -GroupCategory Security -Path $g
New-ADGroup -Name "Sales-Users-D" -GroupScope Global -GroupCategory Security -Path $g
New-ADGroup -Name "HR-Users-D" -GroupScope Global -GroupCategory Security -Path $g
New-ADGroup -Name "IT-Users-D" -GroupScope Global -GroupCategory Security -Path $g
New-ADGroup -Name "IT-Helpdesk-D" -GroupScope Global -GroupCategory Security -Path $g

# Add employees to department groups
Add-ADGroupMember -Identity "Finance-Users-D" -Members "htangD"
Add-ADGroupMember -Identity "Sales-Users-D" -Members "thallD"
Add-ADGroupMember -Identity "HR-Users-D" -Members "jdD","tmD"
Add-ADGroupMember -Identity "IT-Users-D" -Members "cfarrisD"

# Add admins to admin groups
Add-ADGroupMember -Identity "Domain Admins" -Members "cfarrisD.admin"
Add-ADGroupMember -Identity "IT-Helpdesk-D" -Members "htangD.admin"

Create Groups:

1. Click Groups OU → right-click → New → Group
   New Object - Group
     Group name: Finance-Users-D
     Group scope: Global
     Group type: Security
2. Repeat for: Sales-Users-D, HR-Users-D, IT-Users-D, IT-Helpdesk-D

Add Members:

3. Double-click Finance-Users-D → Members tab → Add... → type htangD → Check Names → OK → Apply
4. Repeat for each group:
   Sales-Users-D → add thallD
   HR-Users-D → add jdD and tmD
   IT-Users-D → add cfarrisD
   Domain Admins → add cfarrisD.admin (find the group in the Users container)
   IT-Helpdesk-D → add htangD.admin
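Before moving on to delegation, it is worth reading the structure back from the directory instead of trusting the GUI. The script below is an added check, not part of the lab handout: it takes the OU and group assignments from the tables in Parts 3 to 5 and reports every account that is in the wrong OU, missing from its group, holding a group it should not, or sitting outside TeamD Corp at all. It assumes you run it on DC-TeamD with Domain Admin rights and the ActiveDirectory module installed.

```powershell
# Added check (not part of the lab handout): confirm that every Phase 2 account sits in the
# OU and group the tables prescribe, and that no user object lives outside TeamD Corp.
# Expected values are copied from the handout's tables; run on DC-TeamD as a Domain Admin.
Import-Module ActiveDirectory
$domain = "DC=TeamD,DC=hello"
$p = "OU=TeamD Corp,$domain"
$expected = @(
    @{ Sam = "cfarrisD";       OU = "OU=IT,$p";             Group = "IT-Users-D" }
    @{ Sam = "htangD";         OU = "OU=Finance,$p";        Group = "Finance-Users-D" }
    @{ Sam = "thallD";         OU = "OU=Sales,$p";          Group = "Sales-Users-D" }
    @{ Sam = "jdD";            OU = "OU=HR,$p";             Group = "HR-Users-D" }
    @{ Sam = "tmD";            OU = "OU=HR,$p";             Group = "HR-Users-D" }
    @{ Sam = "cfarrisD.admin"; OU = "OU=Admin Accounts,$p"; Group = "Domain Admins" }
    @{ Sam = "htangD.admin";   OU = "OU=Admin Accounts,$p"; Group = "IT-Helpdesk-D" }
    @{ Sam = "thallD.admin";   OU = "OU=Admin Accounts,$p"; Group = $null }   # standard users' admin
    @{ Sam = "jdD.admin";      OU = "OU=Admin Accounts,$p"; Group = $null }   # accounts hold no
    @{ Sam = "tmD.admin";      OU = "OU=Admin Accounts,$p"; Group = $null }   # admin group at all
)
$problems = 0
foreach ($e in $expected) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$($e.Sam)'" -Properties MemberOf
    if (-not $u) { Write-Warning "$($e.Sam): account does not exist"; $problems++; continue }
    # Parent container = the DN minus its leading RDN (split on the first unescaped comma)
    $parent = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
    if ($parent -ne $e.OU) { Write-Warning "$($e.Sam): found in $parent, expected $($e.OU)"; $problems++ }
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    if ($e.Group -and $groups -notcontains $e.Group) {
        Write-Warning "$($e.Sam): missing from $($e.Group)"; $problems++
    } elseif (-not $e.Group -and $groups.Count -gt 0) {
        Write-Warning "$($e.Sam): unexpected membership: $($groups -join ', ')"; $problems++
    }
}
# "NEVER place users at the domain root": any user outside TeamD Corp, other than the
# domain's built-in accounts, is a finding
$builtins = "Administrator", "Guest", "krbtgt"
$outside = Get-ADUser -Filter * -SearchBase $domain |
    Where-Object { $_.DistinguishedName -notlike "*,$p" -and $builtins -notcontains $_.SamAccountName }
foreach ($o in $outside) {
    Write-Warning "$($o.SamAccountName) is outside TeamD Corp: $($o.DistinguishedName)"; $problems++
}
if ($problems -eq 0) { "Structure matches the Phase 2 tables." }
else { "$problems problem(s) found - see the warnings above." }
```

A clean run with no warnings is a good screenshot for the report's "OU structure" and "Groups OU" items; each warning points at exactly which step to redo.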

Part 6

Delegation of Control

Give IT-Helpdesk-D (Hak's admin account) specific powers (GUI wizard only)

Helpdesk CAN do:

✅ Reset user passwords
✅ Unlock locked accounts
✅ Read user information

Helpdesk CANNOT do:

❌ Create users
❌ Delete users
❌ Modify groups
❌ Change GPO

Step A — Delegate Password Reset

1. Right-click "TeamD Corp" → Delegate Control... → Next
2. Click Add... → type IT-Helpdesk-D → Check Names → OK → Next
3. Check: ☑ Reset user passwords and force password change at next logon
4. Next → Finish

Step B — Delegate Unlock Accounts

5. Right-click "TeamD Corp" again → Delegate Control... → Next
6. Add IT-Helpdesk-D → Next
7. Select "Create a custom task to delegate" → Next
8. Select "Only the following objects..." → check User objects → Next
9. Check Property-specific → find and check: ☑ Read lockoutTime and ☑ Write lockoutTime
10. Next → Finish

📸 Screenshot the wizard summary before clicking Finish — required for your report!
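The wizard summary shows what you asked for; the OU's security descriptor shows what was actually written. The script below is an added check, not part of the lab handout: it reads the ACL of the TeamD Corp OU, resolves the GUIDs in each ACE granted to IT-Helpdesk-D to readable names, and flags any right beyond the helpdesk scope defined above (reset password, read/write lockoutTime). It assumes DC-TeamD, Domain Admin rights and the ActiveDirectory module; the pwdLastSet entry it treats as expected is the one the "force password change at next logon" task writes alongside the reset-password right.

```powershell
# Added check (not part of the lab handout): read back what the two Delegate Control wizard
# runs actually granted IT-Helpdesk-D on the TeamD Corp OU, and flag anything outside scope.
# Run on DC-TeamD as a Domain Admin after Step B.
Import-Module ActiveDirectory
$ou    = "OU=TeamD Corp,DC=TeamD,DC=hello"
$group = "IT-Helpdesk-D"
$root  = Get-ADRootDSE
# The ACL stores GUIDs; map them to names (extended rights such as "Reset Password",
# attributes such as lockoutTime, classes such as user) so the output is readable
$names = @{}
Get-ADObject -SearchBase $root.ConfigurationNamingContext -LDAPFilter "(objectClass=controlAccessRight)" `
    -Properties rightsGuid, displayName | ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties schemaIDGUID, lDAPDisplayName | ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { "(any)" } elseif ($names.ContainsKey($g)) { $names[$g] } else { $g.ToString() }
}
# What the handout allows: reset password plus read/write of lockoutTime. The wizard's
# "force password change at next logon" task also writes pwdLastSet, so that is expected too.
$allowed = "Reset Password", "lockoutTime", "pwdLastSet"
$acl  = Get-Acl -Path "AD:\$ou"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$group" }
if (-not $aces) { Write-Warning "No ACEs for $group on $ou - the delegation was not applied here" }
foreach ($ace in $aces) {
    $target = Resolve-Guid $ace.ObjectType
    # Anything that is not an Allow on an expected target, or that carries a broad right
    # (full control, create/delete objects, change permissions/owner), needs a second look
    $ok = ($ace.AccessControlType -eq 'Allow') -and ($allowed -contains $target) -and
          ($ace.ActiveDirectoryRights.ToString() -notmatch 'GenericAll|GenericWrite|CreateChild|DeleteChild|Delete|WriteDacl|WriteOwner')
    [pscustomobject]@{
        Rights    = $ace.ActiveDirectoryRights
        Target    = $target
        AppliesTo = Resolve-Guid $ace.InheritedObjectType
        Verdict   = if ($ok) { "expected for helpdesk" } else { "REVIEW: outside the helpdesk scope" }
    }
}
```

After Steps A and B you should see only ExtendedRight on "Reset Password", ReadProperty/WriteProperty on pwdLastSet, and ReadProperty/WriteProperty on lockoutTime, each applying to user objects; any other row means a wizard run granted more than intended.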

Part 7

Verification & Testing

Prove each role works correctly — screenshot everything

Test | Log in as            | What to do                   | Expected
1    | TeamD\cfarrisD       | Log into Win10 VM            | ✅ Success (change password prompt)
2    | TeamD\cfarrisD.admin | Log into Win10 VM            | ✅ Success
3    | TeamD\htangD.admin   | Reset thallD's password      | ✅ Success (Helpdesk perm)
4    | TeamD\htangD.admin   | Unlock thallD's account      | ✅ Success (Helpdesk perm)
5    | TeamD\cfarrisD       | Try to reset a password      | ❌ Access Denied (correct!)
6    | TeamD\htangD.admin   | Try to create a new user     | ❌ Access Denied (correct!)

# Run as htangD.admin (Helpdesk)

# Should SUCCEED — reset password
Set-ADAccountPassword -Identity "thallD" -Reset -NewPassword (ConvertTo-SecureString "NewTemp789!" -AsPlainText -Force)

# Should SUCCEED — unlock account
Unlock-ADAccount -Identity "thallD"

# Should FAIL — create user (Access Denied = correct!)
New-ADUser -Name "Test" -Path "OU=IT,OU=TeamD Corp,DC=TeamD,DC=hello"

Test 3 — Reset Password:

1. Log into Win10 as TeamD\htangD.admin
2. Open dsa.msc → find Tony Hall in the Sales OU
3. Right-click Tony Hall → Reset Password... → enter new password → OK

Test 4 — Unlock Account:

1. On a Win10 VM, try logging in as thallD with the WRONG password 5+ times to lock the account
2. Back as htangD.admin in ADUC, double-click Tony Hall → Account tab
3. Check ☑ Unlock account → Apply → OK

Test 5 — Verify Least Privilege:

1. Log into Win10 as TeamD\cfarrisD (regular employee)
2. Open dsa.msc → try to reset someone's password → should get Access Denied

Part 8

Report Submission

What your team must submit

1. OU Diagram

Draw.io / PowerPoint / Visio showing your full tree

2. Naming Convention

Your 5-10 line standard (see slide 5)

3. Screenshots

  • OU structure in ADUC
  • All employee accounts
  • All admin accounts
  • Groups OU
  • Delegation wizard summary
  • Successful login

4. Summary Paragraph

  • Why OU structure matters
  • Why separate admin accounts
  • Why least privilege is critical

Sample Summary (rewrite in your own words)

OU structure organizes users, computers, and resources logically — making it easy to apply Group Policies and manage permissions as the network grows.

Separating admin and employee accounts limits damage if a daily-use account is compromised — attackers only get standard access, not domain control.

Least privilege gives users only the minimum permissions for their role. A helpdesk tech can reset passwords but not create users — limiting risk from mistakes or compromised accounts.

Full PowerShell Cheat Sheet

Everything in one copy-paste block

# ======= PHASE 2 COMPLETE SCRIPT — DC-TeamD =======

# PART 1: OUs
New-ADOrganizationalUnit -Name "TeamD Corp" -Path "DC=TeamD,DC=hello"
$p = "OU=TeamD Corp,DC=TeamD,DC=hello"
"Finance","Sales","HR","IT","Admin Accounts","Groups","Computers","Service Accounts" |
    ForEach-Object { New-ADOrganizationalUnit -Name $_ -Path $p }

# PART 3: Employee Accounts (UPN = username@TeamD.hello)
$e = ConvertTo-SecureString "TempPass123!" -AsPlainText -Force
New-ADUser -Name "Cory Farris" -GivenName Cory -Surname Farris -SamAccountName cfarrisD -UserPrincipalName "cfarrisD@TeamD.hello" -Path "OU=IT,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true
New-ADUser -Name "Hak Tang" -GivenName Hak -Surname Tang -SamAccountName htangD -UserPrincipalName "htangD@TeamD.hello" -Path "OU=Finance,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true
New-ADUser -Name "Tony Hall" -GivenName Tony -Surname Hall -SamAccountName thallD -UserPrincipalName "thallD@TeamD.hello" -Path "OU=Sales,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true
New-ADUser -Name "Johny D" -GivenName Johny -Surname D -SamAccountName jdD -UserPrincipalName "jdD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true
New-ADUser -Name "Tiffany M" -GivenName Tiffany -Surname M -SamAccountName tmD -UserPrincipalName "tmD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true

# PART 3: Admin Accounts (separate password, no forced change at logon)
$a = ConvertTo-SecureString "AdminPass456!" -AsPlainText -Force
$ao = "OU=Admin Accounts,$p"
New-ADUser -Name "Cory Farris (Admin)" -GivenName Cory -Surname Farris -SamAccountName cfarrisD.admin -UserPrincipalName "cfarrisD.admin@TeamD.hello" -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Hak Tang (Admin)" -GivenName Hak -Surname Tang -SamAccountName htangD.admin -UserPrincipalName "htangD.admin@TeamD.hello" -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Tony Hall (Admin)" -GivenName Tony -Surname Hall -SamAccountName thallD.admin -UserPrincipalName "thallD.admin@TeamD.hello" -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Johny D (Admin)" -GivenName Johny -Surname D -SamAccountName jdD.admin -UserPrincipalName "jdD.admin@TeamD.hello" -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name "Tiffany M (Admin)" -GivenName Tiffany -Surname M -SamAccountName tmD.admin -UserPrincipalName "tmD.admin@TeamD.hello" -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true

# PART 5: Groups
$g = "OU=Groups,$p"
"Finance-Users-D","Sales-Users-D","HR-Users-D","IT-Users-D","IT-Helpdesk-D" |
    ForEach-Object { New-ADGroup -Name $_ -GroupScope Global -GroupCategory Security -Path $g }

# PART 5: Memberships
Add-ADGroupMember -Identity "Finance-Users-D" -Members "htangD"
Add-ADGroupMember -Identity "Sales-Users-D" -Members "thallD"
Add-ADGroupMember -Identity "HR-Users-D" -Members "jdD","tmD"
Add-ADGroupMember -Identity "IT-Users-D" -Members "cfarrisD"
Add-ADGroupMember -Identity "Domain Admins" -Members "cfarrisD.admin"
Add-ADGroupMember -Identity "IT-Helpdesk-D" -Members "htangD.admin"

# PART 6: Delegation = GUI wizard (see slides)
🎉 Phase 2 Complete!

Your domain has a real-world AD structure with proper roles, groups, and least-privilege delegation.

Cory Farris (CF): IT, Domain Admin
Hak Tang (HT): Finance, Helpdesk
Tony Hall (TH): Sales, Standard
Johny D (JD): HR, Standard
Tiffany M (TM): HR, Standard