You're reading from Mastering Active Directory, Third Edition

Product type: Book
Published in: Nov 2021
Publisher: Packt
ISBN-13: 9781801070393
Edition: 3rd Edition
Author: Dishan Francis

Dishan Francis is an IT professional with over 15 years of experience. He was a six-time Microsoft MVP in enterprise mobility before he joined Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-premises Active Directory services and Azure Active Directory. He has also written for other Microsoft-managed blogs such as canitpro and ITopsTalk. When it comes to managing innovative identity infrastructure solutions to improve system stability, efficiency, and security, his level of knowledge and experience places him among the very best in the field.

Managing Users, Groups, and Devices

In the previous chapter, we learned about Active Directory (AD) object types and how we can add, edit, and remove them. We also learned about the different management tools that help us to do these tasks. Last but not least, we learned how we can locate Active Directory objects or the value of an attribute when required. In this chapter, we are going to further explore Active Directory objects and attributes.

The characteristics of an Active Directory object are described using attributes. Some of these attributes are common across different types of objects and some are unique. If required, we can also add our own attributes to an object. In this chapter, you will learn about object attributes and how we can manage them. You will also learn how to add custom attributes. If an organization is using custom attributes in a hybrid environment, it is possible that custom attributes will also need to sync to Azure AD. In this chapter, I will demonstrate...

Object attributes

My daughter, Selena, loved Julia Donaldson's books. I usually read her a story every night. Some time ago, I was reading her one of the Gruffalo series books called The Gruffalo's Child. In that book, the Gruffalo's child asks about the big bad mouse who lives in the snowy forest. The Gruffalo describes the mouse, saying he is strong, his eyes are big, his tail is very long, and he has got whiskers thicker than wires. Then, the Gruffalo's child goes out to find this mouse on a snowy night.

During his journey, he finds animals that match one or a few of the characteristics that his father had described, but none matches all of them. In the end, only a shadow of a small mouse matches the characteristics of the animal he was looking for, not a real living creature. Transposing this idea to the world of objects, we can say the mouse is an object. The Gruffalo describes it to his kid using characteristics, which are similar to the attributes of...

Custom attributes

The Active Directory schema accepts custom attributes. Based on business requirements, sometimes organizations will have to introduce custom attributes to object classes. Most of the time, it is related to application integration requirements with Active Directory. Some applications have their own way of handling their user accounts and privileges. These applications can also have their own attributes defined by their database systems to store data. Sometimes, these application attributes may not match the attributes on Active Directory.

Some time ago, I was helping a pharmaceutical company on an Active Directory project. The customer already had an Active Directory environment in place. They were also maintaining an HR system that was not integrated with Active Directory. They had a new requirement for an employee collaboration application, which required data to be input in a specific way. It had defined fields in the database and we needed to match the data...

Syncing custom attributes to Azure AD

In the previous section, I explained how we can create custom Active Directory attributes. When we sync users from on-prem Active Directory to Azure AD by using Azure AD Connect, some of the attributes will also sync but not all. The complete list of attributes that will sync with Azure AD Connect is available at https://bit.ly/32lpFNn.

But sometimes, there can be business requirements to sync these custom Active Directory attributes to Azure AD. It could be to use them with cloud applications (SaaS) or to use them with a legacy Line-of-Business (LOB) application that is migrated to Azure. We can sync these custom attributes to Azure AD by using the Azure AD Connect "Directory extension attribute sync" feature.

In my demo environment, I am going to demonstrate how to sync a newly created custom Active Directory attribute (user class) to Azure AD. To simplify the process, I have already installed Azure AD Connect and configured...

User accounts

In an Active Directory environment, what is the most common administrative task? Obviously, it's creating and managing user accounts. A user account does not only hold a username and password; it also holds data such as group memberships, the roaming profile path, the home folder path, login script information, remote dial-in permissions, and much more. Every time we set up a new account, we need to define values for these attributes. When the number of attributes increases, the number of mistakes that can happen during the account creation process also increases. An organization's identity is at stake here; even a small mistake can cost an organization a lot. As an example, if you add a user to the wrong user group accidentally, they will have access to some resources that they are not supposed to have access to.

When I create a Statement of Work (SoW) or an implementation plan for a customer, I always start with a template. This template contains sections...
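The account-template idea from this section, as an added PowerShell example that is not the book's own code: the fixed, role-specific attributes (home folder, profile path, logon script, OU placement) are copied from a pre-created template account with `New-ADUser -Instance`, and group membership, which `-Instance` does not copy, is added only from an allow-list for the role, so the "wrong group" mistake described above is caught rather than silently replicated. The template name `tmpl-sales`, the domain, and the group names are assumed values.

```powershell
# Added example (not from the book). Assumes a template account 'tmpl-sales'
# already exists in the Sales OU and that the role -> groups map below is
# maintained by the identity team.
Import-Module ActiveDirectory

# Groups each job role is allowed to hold (assumed values for the demo).
$RoleGroups = @{
    'Sales' = @('Sales-Users', 'Sales-Share-RW')
}

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $Role,
        [Parameter(Mandatory)] [SecureString] $InitialPassword
    )
    if (-not $RoleGroups.ContainsKey($Role)) { throw "Unknown role '$Role'" }

    # Pull the attributes that are identical for everyone in the role.
    $tmpl = Get-ADUser -Identity $TemplateSam -Properties HomeDirectory, HomeDrive,
        ProfilePath, ScriptPath, Department, MemberOf
    # Place the new account in the same OU as the template.
    $ou = ($tmpl.DistinguishedName -split ',', 2)[1]
    $upn = "$SamAccountName@$((Get-ADDomain).DNSRoot)"

    # Explicit parameters override the values copied from -Instance.
    New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
        -GivenName $GivenName -Surname $Surname -UserPrincipalName $upn `
        -Path $ou -Instance $tmpl -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true

    # MemberOf is a back-link and is never copied, so grant membership
    # deliberately, and only for groups the role's allow-list permits.
    $allowed = $RoleGroups[$Role]
    foreach ($dn in $tmpl.MemberOf) {
        $g = (Get-ADGroup -Identity $dn).SamAccountName
        if ($allowed -contains $g) {
            Add-ADGroupMember -Identity $g -Members $SamAccountName
        } else {
            # Someone added the template to a group the role should not have.
            Write-Warning "Template '$TemplateSam' is in '$g', not allowed for role '$Role'; skipped."
        }
    }
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

$pwd = Read-Host -AsSecureString 'Initial password'
New-UserFromTemplate -TemplateSam 'tmpl-sales' -SamAccountName 'jsmith' `
    -GivenName 'Jane' -Surname 'Smith' -Role 'Sales' -InitialPassword $pwd
```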

Groups

In general, a group is a collection of users or resources that share the same characteristics and responsibilities. In an organization, individual identities are added and deleted frequently, but roles and responsibilities do not change much. Therefore, the best way to manage privileges in an organization is based on roles and responsibilities rather than on individuals. For example, in a sales department, salespersons will change quite often, but their operational requirements will not change frequently. They will all access the same file shares, have the same permissions for the sales application, and have the same privileges to access each other's calendars. Active Directory groups allow you to isolate identities based on privilege requirements.

In an Active Directory environment, there are two categories of groups:

  • Security groups are the type used to assign permissions to the resources. As an example, Rebeladmin Corp. has a team of 10 salespersons. They use a shared...

Devices and other objects

Apart from computers, Active Directory supports a few other devices and object types as well. In this section, we will look into these different object types:

  • Printers: Printers are one of the most commonly shared resources in office networks. We can use several methods to configure shared printers on user computers. We can set them up using the printer setup wizard in Windows and connect to a printer via an IP address. We can also use logon scripts to map and install printers on workstations. If an organization uses printer servers, we can connect to them and install the printers, too. In an Active Directory environment, we can register a printer as an object in Active Directory. This will allow users to browse Active Directory, find the relevant printer, and then install it on the workstation.

    To register a printer with AD, go to Printer properties and then to the Sharing tab. There, you can check the List in the directory checkbox to list the...

Best practices

Here, we will look into some of the best practices that can be used to manage Active Directory objects:

  • Housekeeping: It is important to review the validity of Active Directory objects from time to time. There can be objects that are no longer active in operations. There are several ways to handle these objects:
    • If it can be confirmed that an object is not in use at all, it can be deleted from Active Directory completely.
    • If that cannot be confirmed, the object can be disabled and monitored for events. If no events are generated, the object can then be removed from Active Directory.

    To manage disabled objects, it is advisable to create a separate OU and move the disabled objects into it. This lets you keep track of them and gives easy access when required.

    In Active Directory, there can be objects that are only used for a limited time. As an example, there can be contractors who...
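The housekeeping procedure above (review, disable and monitor, then remove), as an added PowerShell example that is not the book's own code. It finds enabled user accounts with no logon inside an inactivity window, disables them with a dated note and moves them to a dedicated OU, and later reports which parked accounts have sat untouched long enough to be deletion candidates. The OU distinguished name and the 90-day threshold are assumed values; `-WhatIf` is used so the review pass changes nothing.

```powershell
# Added example (not from the book). Assumes a dedicated OU for disabled
# accounts and a 90-day inactivity threshold; adjust both for your environment.
Import-Module ActiveDirectory

$InactiveDays = 90
$DisabledOU   = 'OU=Disabled Accounts,DC=rebeladmin,DC=com'   # assumed OU

# Stage 1: enabled users with no logon in the window. LastLogonDate comes
# from the replicated lastLogonTimestamp, which is only accurate to roughly
# 14 days, so it is suitable for stale-account review, not for forensics.
function Get-StaleUser {
    param([int] $Days = $InactiveDays)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, Description }
}

# Stage 2: disable, record why in the description, and park in the disabled OU.
# Monitoring for events on these accounts happens outside this script.
function Disable-StaleUser {
    param([Parameter(ValueFromPipeline)] $User, [switch] $WhatIf)
    process {
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by housekeeping; last logon $($User.LastLogonDate)"
        Set-ADUser -Identity $User -Description $note -WhatIf:$WhatIf
        Disable-ADAccount -Identity $User -WhatIf:$WhatIf
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $DisabledOU -WhatIf:$WhatIf
    }
}

# Stage 3: parked accounts not modified for another full window are the
# candidates for deletion after the event review.
function Get-DeletionCandidate {
    param([int] $Days = $InactiveDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' -Properties whenChanged, Description |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged, Description
}

# Review first; drop -WhatIf only once the list has been checked by a person.
Get-StaleUser | Select-Object SamAccountName, LastLogonDate | Format-Table
Get-StaleUser | Disable-StaleUser -WhatIf
Get-DeletionCandidate | Format-Table
```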

Summary

In this chapter, we learned about Active Directory objects and attributes, and how they are defined in the Active Directory schema. We also learned how to add custom attributes to the Active Directory schema. After that, we learned how to sync custom attributes to Azure AD. We also looked into creating user account templates and the different types of service accounts. In an Active Directory environment, we sometimes need to manage permissions for groups of users who have similar operational requirements (by department, job role, and so on). This is done using Active Directory groups, and there are different group categories to choose from. In this chapter, we also looked into these group types and learned how to use them appropriately. Finally, we went through object management best practices that help improve our Active Directory object management experience.

In the next chapter, we will be learning about designing and managing the OU.
