Phase 2

Active Directory
OU, Users, Groups
& Delegation

Build a real-world AD structure with proper roles, groups, and least-privilege delegation.

CF
IT
HT
Finance
TH
Sales
JD
HR
TM
HR

Domain: TeamD.hello  |  Server: DC-TeamD

Press or click Next

Your Team — The Big Picture

Each person gets 2 accounts, 1 department, 1 role, and group memberships

CF
Cory Farris
IT
Domain Admin
Employee: cfarrisD
Admin: cfarrisD.admin
Group: IT-Users-D
Admin Group: Domain Admins
HT
Hak Tang
Finance
Helpdesk Admin
Employee: htangD
Admin: htangD.admin
Group: Finance-Users-D
Admin Group: IT-Helpdesk-D
TH
Tony Hall
Sales
Standard User
Employee: thallD
Admin: thallD.admin
Group: Sales-Users-D
Admin Group:
JD
Johny D
HR
Standard User
Employee: jdD
Admin: jdD.admin
Group: HR-Users-D
Admin Group:
TM
Tiffany M
HR
Standard User
Employee: tmD
Admin: tmD.admin
Group: HR-Users-D
Admin Group:

Visual Map — Where Everything Goes

Every object has a specific home in the OU tree

TeamD Corp
Finance htangD
Sales thallD
HR jdD, tmD
IT cfarrisD
Admin Accounts cfarrisD.admin, htangD.admin, thallD.admin, jdD.admin, tmD.admin
Groups Finance-Users-D, Sales-Users-D, HR-Users-D, IT-Users-D, IT-Helpdesk-D
Computers D-PC-Fin01, etc.
Service Accounts svc-backup, etc.

NEVER place users at the domain root. Employee accounts go in department OUs. Admin accounts go in Admin Accounts OU.

Part 1

Create the OU Structure

# Create parent OU New-ADOrganizationalUnit -Name "TeamD Corp" -Path "DC=TeamD,DC=hello" # Create all 8 child OUs $p = "OU=TeamD Corp,DC=TeamD,DC=hello" New-ADOrganizationalUnit -Name "Finance" -Path $p New-ADOrganizationalUnit -Name "Sales" -Path $p New-ADOrganizationalUnit -Name "HR" -Path $p New-ADOrganizationalUnit -Name "IT" -Path $p New-ADOrganizationalUnit -Name "Admin Accounts" -Path $p New-ADOrganizationalUnit -Name "Groups" -Path $p New-ADOrganizationalUnit -Name "Computers" -Path $p New-ADOrganizationalUnit -Name "Service Accounts" -Path $p
1

Press Win+R → type dsa.msc → Enter

2

Right-click TeamD.hello → New → Organizational Unit → name: TeamD Corp → OK

3

Expand TeamD.hello so you see TeamD Corp

4

Right-click TeamD Corp → New → Organizational Unit → name: Finance → OK

5

Repeat step 4 seven more times for:
Sales • HR • IT • Admin Accounts • Groups • Computers • Service Accounts

6

Verify: Click + next to TeamD Corp — all 8 OUs should appear.

Part 2

Naming Convention

Copy this into your report

Employee Usernames

cfarrisD

first initial + lastname + D

Admin Usernames

cfarrisD.admin

employee username + .admin

Group Names

Finance-Users-D

Department-Users-D

Computer Names

D-PC-Fin01

D-PC-DeptCode##

Part 3 — Employee Accounts

Create Employee Accounts

Each person goes into their department OU

CF
Cory Farris
cfarrisD
OU=IT
HT
Hak Tang
htangD
OU=Finance
TH
Tony Hall
thallD
OU=Sales
JD
Johny D
jdD
OU=HR
TM
Tiffany M
tmD
OU=HR
$empPass = ConvertTo-SecureString "TempPass123!" -AsPlainText -Force $p = "OU=TeamD Corp,DC=TeamD,DC=hello" # Cory Farris → IT New-ADUser -Name "Cory Farris" -GivenName "Cory" -Surname "Farris" -SamAccountName "cfarrisD" -UserPrincipalName "cfarrisD@TeamD.hello" -Path "OU=IT,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true # Hak Tang → Finance New-ADUser -Name "Hak Tang" -GivenName "Hak" -Surname "Tang" -SamAccountName "htangD" -UserPrincipalName "htangD@TeamD.hello" -Path "OU=Finance,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true # Tony Hall → Sales New-ADUser -Name "Tony Hall" -GivenName "Tony" -Surname "Hall" -SamAccountName "thallD" -UserPrincipalName "thallD@TeamD.hello" -Path "OU=Sales,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true # Johny D → HR New-ADUser -Name "Johny D" -GivenName "Johny" -Surname "D" -SamAccountName "jdD" -UserPrincipalName "jdD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true # Tiffany M → HR New-ADUser -Name "Tiffany M" -GivenName "Tiffany" -Surname "M" -SamAccountName "tmD" -UserPrincipalName "tmD@TeamD.hello" -Path "OU=HR,$p" -AccountPassword $empPass -ChangePasswordAtLogon $true -Enabled $true
1

Open dsa.msc → expand TeamD Corp → click IT

2

Right-click IT → New → User

New Object - User (in IT OU)
First name:Cory
Last name:Farris
User logon name:cfarrisD@TeamD.hello
3

Click Next → password: TempPass123!

☑️ User must change password at next logon
4

NextFinish

5

Repeat for each person — right-click their department OU:

Hak TanghtangDRight-click Finance
Tony HallthallDRight-click Sales
Johny DjdDRight-click HR
Tiffany MtmDRight-click HR

Part 3 — Admin Accounts

Create Admin Accounts

ALL admin accounts go into Admin Accounts OU

CF
Cory Farris
cfarrisD.admin
OU=Admin Accounts
HT
Hak Tang
htangD.admin
OU=Admin Accounts
TH
Tony Hall
thallD.admin
OU=Admin Accounts
JD
Johny D
jdD.admin
OU=Admin Accounts
TM
Tiffany M
tmD.admin
OU=Admin Accounts
$admPass = ConvertTo-SecureString "AdminPass456!" -AsPlainText -Force $a = "OU=Admin Accounts,OU=TeamD Corp,DC=TeamD,DC=hello" New-ADUser -Name "Cory Farris (Admin)" -GivenName "Cory" -Surname "Farris" -SamAccountName "cfarrisD.admin" -UserPrincipalName "cfarrisD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Hak Tang (Admin)" -GivenName "Hak" -Surname "Tang" -SamAccountName "htangD.admin" -UserPrincipalName "htangD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Tony Hall (Admin)" -GivenName "Tony" -Surname "Hall" -SamAccountName "thallD.admin" -UserPrincipalName "thallD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Johny D (Admin)" -GivenName "Johny" -Surname "D" -SamAccountName "jdD.admin" -UserPrincipalName "jdD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Tiffany M (Admin)" -GivenName "Tiffany" -Surname "M" -SamAccountName "tmD.admin" -UserPrincipalName "tmD.admin@TeamD.hello" -Path $a -AccountPassword $admPass -ChangePasswordAtLogon $false -Enabled $true
1

In ADUC, click on Admin Accounts OU (inside TeamD Corp)

2

Right-click Admin Accounts → New → User

New Object - User (in Admin Accounts OU)
First name:Cory
Last name:Farris
Full name:Cory Farris (Admin)
User logon name:cfarrisD.admin@TeamD.hello
3

Click Next → password: AdminPass456! (DIFFERENT from employee)

☐ User must change password (leave UNCHECKED)
4

Next → Finish. Repeat for: htangD.admin, thallD.admin, jdD.admin, tmD.admin

Parts 4 & 5

Roles, Groups & Membership

Who belongs to what — the complete picture

Department Groups (in Groups OU)

Finance-Users-D
htangD
Sales-Users-D
thallD
HR-Users-D
jdD tmD
IT-Users-D
cfarrisD

Admin Groups

Domain Admins (built-in)
cfarrisD.admin
IT-Helpdesk-D
htangD.admin
# Create groups $g = "OU=Groups,OU=TeamD Corp,DC=TeamD,DC=hello" New-ADGroup -Name "Finance-Users-D" -GroupScope Global -GroupCategory Security -Path $g New-ADGroup -Name "Sales-Users-D" -GroupScope Global -GroupCategory Security -Path $g New-ADGroup -Name "HR-Users-D" -GroupScope Global -GroupCategory Security -Path $g New-ADGroup -Name "IT-Users-D" -GroupScope Global -GroupCategory Security -Path $g New-ADGroup -Name "IT-Helpdesk-D" -GroupScope Global -GroupCategory Security -Path $g # Add employees to department groups Add-ADGroupMember -Identity "Finance-Users-D" -Members "htangD" Add-ADGroupMember -Identity "Sales-Users-D" -Members "thallD" Add-ADGroupMember -Identity "HR-Users-D" -Members "jdD","tmD" Add-ADGroupMember -Identity "IT-Users-D" -Members "cfarrisD" # Add admins to admin groups Add-ADGroupMember -Identity "Domain Admins" -Members "cfarrisD.admin" Add-ADGroupMember -Identity "IT-Helpdesk-D" -Members "htangD.admin"

Create Groups:

1

Click Groups OU → Right-click → New → Group

New Object - Group
Group name:Finance-Users-D
Group scope:Global
Group type:Security
2

Repeat for: Sales-Users-D, HR-Users-D, IT-Users-D, IT-Helpdesk-D

Add Members:

3

Double-click Finance-Users-DMembers tab → Add... → type htangD → Check Names → OK → Apply

4

Repeat for each group:

Sales-Users-DAdd thallD
HR-Users-DAdd jdD and tmD
IT-Users-DAdd cfarrisD
Domain AdminsAdd cfarrisD.admin (find in Users container)
IT-Helpdesk-DAdd htangD.admin

Part 6

Delegation of Control

Give IT-Helpdesk-D (Hak's admin account) specific powers (GUI wizard only)

Helpdesk CAN do:

✅ Reset user passwords
✅ Unlock locked accounts
✅ Read user information

Helpdesk CANNOT do:

❌ Create users
❌ Delete users
❌ Modify groups
❌ Change GPO

Step A — Delegate Password Reset

1

Right-click "TeamD Corp"Delegate Control... → Next

2

Click Add... → type IT-Helpdesk-D → Check Names → OK → Next

3

Check: ☑ Reset user passwords and force password change at next logon

4

Next → Finish

Step B — Delegate Unlock Accounts

5

Right-click "TeamD Corp" again → Delegate Control... → Next

6

Add IT-Helpdesk-D → Next

7

Select "Create a custom task to delegate" → Next

8

Select "Only the following objects..." → check User objects → Next

9

Check Property-specific → find and check: ☑ Read lockoutTime and ☑ Write lockoutTime

10

Next → Finish

📸

Screenshot the wizard summary before clicking Finish — required for your report!

Part 7

Verification & Testing

Prove each role works correctly — screenshot everything

TestLog in asWhat to doExpected
1TeamD\cfarrisDLog into Win10 VM✅ Success (change password prompt)
2TeamD\cfarrisD.adminLog into Win10 VM✅ Success
3TeamD\htangD.adminReset thallD's password✅ Success (Helpdesk perm)
4TeamD\htangD.adminUnlock thallD's account✅ Success (Helpdesk perm)
5TeamD\cfarrisDTry to reset a password❌ Access Denied (correct!)
6TeamD\htangD.adminTry to create a new user❌ Access Denied (correct!)
# Run as htangD.admin (Helpdesk) # Should SUCCEED — reset password Set-ADAccountPassword -Identity "thallD" -Reset -NewPassword (ConvertTo-SecureString "NewTemp789!" -AsPlainText -Force) # Should SUCCEED — unlock account Unlock-ADAccount -Identity "thallD" # Should FAIL — create user (Access Denied = correct!) New-ADUser -Name "Test" -Path "OU=IT,OU=TeamD Corp,DC=TeamD,DC=hello"

Test 3 — Reset Password:

1

Log into Win10 as TeamD\htangD.admin

2

Open dsa.msc → find Tony Hall in Sales OU

3

Right-click Tony HallReset Password... → enter new password → OK

Test 4 — Unlock Account:

1

On a Win10 VM, try logging as thallD with WRONG password 5+ times to lock it

2

Back as htangD.admin in ADUC, double-click Tony HallAccount tab

3

Check ☑ Unlock account → Apply → OK

Test 5 — Verify Least Privilege:

1

Log into Win10 as TeamD\cfarrisD (regular employee)

2

Open dsa.msc → try to reset someone's password → should get Access Denied

Part 8

Report Submission

What your team must submit

1. OU Diagram

Draw.io / PowerPoint / Visio showing your full tree

2. Naming Convention

Your 5-10 line standard (see slide 5)

3. Screenshots

  • OU structure in ADUC
  • All employee accounts
  • All admin accounts
  • Groups OU
  • Delegation wizard summary
  • Successful login

4. Summary Paragraph

  • Why OU structure matters
  • Why separate admin accounts
  • Why least privilege is critical

Sample Summary (rewrite in your own words)

OU structure organizes users, computers, and resources logically — making it easy to apply Group Policies and manage permissions as the network grows.

Separating admin and employee accounts limits damage if a daily-use account is compromised — attackers only get standard access, not domain control.

Least privilege gives users only the minimum permissions for their role. A helpdesk tech can reset passwords but not create users — limiting risk from mistakes or compromised accounts.

Full PowerShell Cheat Sheet

Everything in one copy-paste block

# ======= PHASE 2 COMPLETE SCRIPT — DC-TeamD ======= # PART 1: OUs New-ADOrganizationalUnit -Name "TeamD Corp" -Path "DC=TeamD,DC=hello" $p = "OU=TeamD Corp,DC=TeamD,DC=hello" "Finance","Sales","HR","IT","Admin Accounts","Groups","Computers","Service Accounts" | % { New-ADOrganizationalUnit -Name $_ -Path $p } # PART 3: Employee Accounts $e = ConvertTo-SecureString "TempPass123!" -AsPlainText -Force New-ADUser -Name "Cory Farris" -GivenName Cory -Surname Farris -SamAccountName cfarrisD -UserPrincipalName cfarrisD@TeamD.hello -Path "OU=IT,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true New-ADUser -Name "Hak Tang" -GivenName Hak -Surname Tang -SamAccountName htangD -UserPrincipalName htangD@TeamD.hello -Path "OU=Finance,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true New-ADUser -Name "Tony Hall" -GivenName Tony -Surname Hall -SamAccountName thallD -UserPrincipalName thallD@TeamD.hello -Path "OU=Sales,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true New-ADUser -Name "Johny D" -GivenName Johny -Surname D -SamAccountName jdD -UserPrincipalName jdD@TeamD.hello -Path "OU=HR,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true New-ADUser -Name "Tiffany M" -GivenName Tiffany -Surname M -SamAccountName tmD -UserPrincipalName tmD@TeamD.hello -Path "OU=HR,$p" -AccountPassword $e -ChangePasswordAtLogon $true -Enabled $true # PART 3: Admin Accounts $a = ConvertTo-SecureString "AdminPass456!" -AsPlainText -Force $ao = "OU=Admin Accounts,$p" New-ADUser -Name "Cory Farris (Admin)" -GivenName Cory -Surname Farris -SamAccountName cfarrisD.admin -UserPrincipalName cfarrisD.admin@TeamD.hello -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Hak Tang (Admin)" -GivenName Hak -Surname Tang -SamAccountName htangD.admin -UserPrincipalName htangD.admin@TeamD.hello -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Tony Hall (Admin)" -GivenName Tony -Surname Hall -SamAccountName thallD.admin -UserPrincipalName thallD.admin@TeamD.hello -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Johny D (Admin)" -GivenName Johny -Surname D -SamAccountName jdD.admin -UserPrincipalName jdD.admin@TeamD.hello -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true New-ADUser -Name "Tiffany M (Admin)" -GivenName Tiffany -Surname M -SamAccountName tmD.admin -UserPrincipalName tmD.admin@TeamD.hello -Path $ao -AccountPassword $a -ChangePasswordAtLogon $false -Enabled $true # PART 5: Groups $g = "OU=Groups,$p" "Finance-Users-D","Sales-Users-D","HR-Users-D","IT-Users-D","IT-Helpdesk-D" | % { New-ADGroup -Name $_ -GroupScope Global -GroupCategory Security -Path $g } # PART 5: Memberships Add-ADGroupMember -Identity "Finance-Users-D" -Members "htangD" Add-ADGroupMember -Identity "Sales-Users-D" -Members "thallD" Add-ADGroupMember -Identity "HR-Users-D" -Members "jdD","tmD" Add-ADGroupMember -Identity "IT-Users-D" -Members "cfarrisD" Add-ADGroupMember -Identity "Domain Admins" -Members "cfarrisD.admin" Add-ADGroupMember -Identity "IT-Helpdesk-D" -Members "htangD.admin" # PART 6: Delegation = GUI wizard (see slides)
🎉

Phase 2 Complete!

Your domain has a real-world AD structure with proper roles, groups, and least-privilege delegation.

CF
Cory Farris
IT
Domain Admin
HT
Hak Tang
Finance
Helpdesk
TH
Tony Hall
Sales
Standard
JD
Johny D
HR
Standard
TM
Tiffany M
HR
Standard