domain: managed group of usrs/computers, active directory (ad) - win mgmt system, domain controller (dc) - ad server

benefits: centralized id mgmt (manage all usrs), managing sec policies: apply to all usrs/machines

ad domain service (ad ds) - db of network objects:

  1. users: primary object type
    1. security principals: authenticated usrs with assigned privs
    2. 2 user types:
      - people: employee accts
      - services: accts for services, with limited privs
  2. machines: computer objects in domain, have their own sec principal accts with limited rights (local admin only on the machine itself), naming convention: machine name + $
  3. sec groups: control resource access - can contain usrs/machines
  4. several default domain groups:
	security group     description
	==============     ===========
	domain admins      full domain admin access, including all computers/dcs
	server operators   can manage dcs but not change admin groups
	backup operators   can access any file regardless of perms for backup purposes
	account operators  can create/modify domain accounts
	
	domain users       all user accounts in domain
	domain computers   all computers in domain
	domain controllers all dcs in domain

how to access/manage usrs in ad: sign in to dc (main server) > ad users/computers

========================
default containers in ad
========================
built-in                  default groups for any windows host
computers                 default location for new machines
domain controllers        ou containing network dcs
users                     default domain-wide users/groups
managed service accounts  service accounts for domain

organizational units (OUs): allow admins to apply policies to usr/computer groups (users can belong to only 1 OU)

security groups: control resource access (example: managing folder perms)


delegation: grants specific users ad group mgmt capabilities w/out full admin access

# reset sophie's password; the new value is prompted for as a SecureString so it never sits in plain text in the command line/history
Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
# force sophie to pick her own password at next logon so the delegated admin doesn't keep knowing it
Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
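added example (not from the original notes): audit who sits in the privileged default groups from the table above, since delegation and group membership are what grant admin-level rights. assumes the ActiveDirectory RSAT module is installed and you're signed in with read access to the domain.

```powershell
# Audit membership of the privileged default domain groups.
# Assumption: ActiveDirectory module available (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins',
    'Server Operators',
    'Backup Operators',
    'Account Operators'
)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are reported too
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    foreach ($m in $members) {
        [PSCustomObject]@{
            Group             = $group
            Member            = $m.SamAccountName   # machine accounts end in $
            ObjectClass       = $m.objectClass      # 'user' or 'computer'
            DistinguishedName = $m.DistinguishedName
        }
    }
}

# Full listing, one line per (group, member) pair
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Flag computer objects in admin groups (unusual) and groups that have grown
# beyond the handful of accounts you expect to find there.
$report | Where-Object { $_.ObjectClass -eq 'computer' } |
    ForEach-Object { Write-Warning "computer account $($_.Member) is in $($_.Group)" }

$report | Group-Object Group | Where-Object { $_.Count -gt 5 } |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) members - review" }
```

the threshold of 5 is a constructed starting point; set it to whatever your domain's expected membership actually is and re-run on a schedule so drift shows up.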

3 main types of computers in ad:

  1. workstations: employee computers for daily tasks, not admin use
  2. servers: computers providing network services, support infra ops