The Protected Users security group was introduced with Windows Server 2012 R2 domain controllers and is designed to help protect against credential theft attacks. Membership applies a fixed set of restrictions: members cannot authenticate with NTLM, cannot use DES or RC4 for Kerberos, cannot be delegated (constrained or unconstrained), and receive Kerberos TGTs with a shorter lifetime (four hours by default). By default, these protections are nonconfigurable, and the only way to modify the protections for an account is to remove the account from the security group. You should never add accounts for services and computers to the Protected Users group; if you do, authentication for those accounts will fail and you will receive the error “The user name or password is incorrect.”
To add users to the Protected Users group, you can use Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), or Windows PowerShell. In Active Directory, this group is located in the default Users container. Using PowerShell, you can review the Protected Users security group with the cmdlet Get-ADGroup -Identity "Protected Users". To add members, use the Add-ADGroupMember cmdlet.
It’s important to note that if members of the Enterprise Admins group or the Domain Admins group are added to the Protected Users group, it is possible for those accounts to be locked out of the domain entirely, because the group removes the NTLM, RC4 and delegation fallbacks those accounts may still depend on. You should never add all highly privileged accounts to the Protected Users group; keep at least one emergency administrator account outside it.
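The membership changes described above, as an added PowerShell example that is not code from the book. It adds only user objects to Protected Users, skips computer and service accounts (objects that are not users, or users carrying service principal names), and then warns if every member of Domain Admins or Enterprise Admins has been protected. It needs the ActiveDirectory RSAT module and rights to modify group membership; the account names jsmith and svc-sql are hypothetical.

```powershell
# Added example, not code from the book. 'jsmith' and 'svc-sql' are hypothetical accounts.
Import-Module ActiveDirectory

function Add-ProtectedUser {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    $group = Get-ADGroup -Identity 'Protected Users'   # lives in the default Users container
    foreach ($name in $SamAccountName) {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectClass, servicePrincipalName
        if (-not $obj) { Write-Warning "$name not found"; continue }

        # Computers and service accounts (including gMSAs) must never be protected: the group
        # refuses NTLM, RC4/DES Kerberos and delegation, so their logons fail with
        # "The user name or password is incorrect".
        if ($obj.objectClass -ne 'user') {
            Write-Warning "$name is a $($obj.objectClass) object; skipping"
            continue
        }
        if ($obj.servicePrincipalName) {
            Write-Warning "$name has SPNs registered and looks like a service account; skipping"
            continue
        }
        Add-ADGroupMember -Identity $group -Members $obj
        Write-Verbose "Added $name to Protected Users"
    }
}

# Warn when every member of a highly privileged group is protected; keep at least one
# emergency admin account outside the group.
function Test-ProtectedAdminCoverage {
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName
    foreach ($adminGroup in 'Domain Admins', 'Enterprise Admins') {
        # Enterprise Admins exists only in the forest root domain
        $members = @(Get-ADGroupMember -Identity $adminGroup -Recursive -ErrorAction SilentlyContinue |
                     Where-Object objectClass -eq 'user')
        if ($members.Count -eq 0) { continue }
        $outside = @($members | Where-Object { $_.distinguishedName -notin $protected })
        if ($outside.Count -eq 0) {
            Write-Warning "All members of '$adminGroup' are in Protected Users; none can fall back to NTLM/RC4 if AES Kerberos fails"
        }
    }
}

Add-ProtectedUser -SamAccountName 'jsmith', 'svc-sql'   # svc-sql is skipped because it carries SPNs
Test-ProtectedAdminCoverage
Get-ADGroupMember -Identity 'Protected Users' | Select-Object name, objectClass
```

The SPN check is a heuristic: an ordinary user with an SPN registered is treated as a service account and skipped, which is the safer failure mode given that a wrongly protected service account stops authenticating immediately.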
Publishing Active Directory Objects
One of the main goals of Active Directory is to make resources easy to find. Two of the most commonly used resources in a networked environment are server file shares and printers. These are so common, in fact, that most organizations have dedicated file and print servers. When it comes to managing these types of resources, Active Directory makes it easy to determine which files and printers are available to users.
With that being said, let’s take a look at how Active Directory manages to publish shared folders and printers.
Making Active Directory Objects Available to Users
An important aspect of managing Active Directory objects is that a system administrator can control which objects users can see. The act of making an Active Directory object available is known as publishing. The two main types of publishable objects are Printer objects and Shared Folder objects.
The general process for creating server shares and shared printers has remained unchanged from previous versions of Windows: you create the various objects (a printer or a filesystem folder) and then enable them for sharing. To make these resources available via Active Directory, however, there’s an additional step: you must publish the resources. Once an object has been published in Active Directory, clients can locate it by searching the directory instead of needing to know which server it lives on.
When you publish objects in Active Directory, you should know the server name and share name of the resource. When you use Active Directory objects, you can change the resource to which the object points, without having to reconfigure or even notify clients. For example, if you move a share from one server to another, all you need to do is to update the Shared Folder object’s properties to point to the new location. Active Directory clients still refer to the resource with the same path and name that they used before.
Publishing Printers
Printers can be published easily within Active Directory. This makes them available to users in your domain.
Exercise 7.17 walks you through the steps you need to take to share and publish a Printer object by having you create and share a printer. To complete the printer installation, you need access to the Windows Server 2022 installation media (via the hard disk, a network share, or the CD-ROM drive).
EXERCISE 7.17
Creating and Publishing a Printer
- Click the Windows Key on the keyboard and select Control Panel.
- Click Devices And Printers ➢ Add A Printer. This starts the Add Printer Wizard. Then click the Next button.
- On the Choose A Local Or Network Printer page, select Add A Local Printer. This should automatically take you to the next page. If it doesn’t, click Next.
- On the Choose A Printer Port page, select Use An Existing Port. From the drop-down list beside that option, make sure LPT1: (Printer Port) is selected. Click Next.
- On the Install The Printer Driver page, select Generic for the manufacturer. For the printer, highlight Generic/Text Only. Click Next.
- On the Type A Printer Name page, type Text Printer. Deselect the Set As The Default Printer option and then click Next.
EXERCISE 7.17 (continued)
- The Installing Printer screen appears. After the system is finished, the Printer Sharing page appears. Make sure the option “Share this printer so that others on your network can find and use it” is selected, and accept the default share name of Text Printer.
- In the Location section, type Building 203, and in the Comment section, add the following comment: This is a text-only Printer. Click Next.
- On the You’ve Successfully Added Text Printer page, click Finish.
- Next you need to verify that the printer will be listed in Active Directory. Right-click the Text Printer icon and select Printer Properties.
- Select the Sharing tab and make sure that the List In The Directory option is selected. Note that you can also add additional printer drivers for other operating systems using this tab. Click OK to accept the settings.
Note that when you create and share a printer this way, the Active Directory Printer object (a printQueue object) is not displayed in the default view of the Active Directory Users and Computers tool. The printer is actually associated with the Computer object of the print server to which it is connected; to see it, choose View ➢ Users, Contacts, Groups, And Computers As Containers and expand that server’s Computer object.
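The same printer installation, sharing and publishing as Exercise 7.17, as an added PowerShell example that is not code from the book. It uses the PrintManagement module on the print server; “Generic / Text Only” is the name of the in-box driver, and the final query shows the printQueue object that publishing creates under the print server’s Computer object. Run it as an administrator on the print server.

```powershell
# Added example, not code from the book: Exercise 7.17 with the PrintManagement module.
Import-Module PrintManagement
Import-Module ActiveDirectory

$printerName = 'Text Printer'

# The Generic / Text Only driver ships in-box, so no installation media is needed here.
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -Name $printerName -DriverName 'Generic / Text Only' -PortName 'LPT1:' `
            -Shared -ShareName $printerName `
            -Location 'Building 203' -Comment 'This is a text-only Printer'

# -Published is the "List In The Directory" check box on the Sharing tab. The spooler
# creates a printQueue object beneath the print server's own Computer object.
Set-Printer -Name $printerName -Published $true

# Verify what was written to the directory, which is what clients search for.
$serverDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -SearchBase $serverDn -Filter 'objectClass -eq "printQueue"' `
             -Properties printerName, uNCName, location, printShareName |
    Select-Object printerName, uNCName, location

# To remove the printer from the directory without unsharing it:
# Set-Printer -Name $printerName -Published $false
```

Because the printQueue object is a child of the Computer object, deleting or moving the print server’s Computer object takes the published printers with it; republishing from the spooler recreates them.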
Publishing Shared Folders
Now that you’ve created and published a printer, you’ll see how the same thing can be done to shared folders.
Exercise 7.18 walks through the steps required to create a folder, share it, and then publish it in Active Directory. This exercise assumes you are using the C: partition; however, you may want to change this based on your server configuration. This exercise assumes you have completed Exercise 7.12.
EXERCISE 7.18
Creating and Publishing a Shared Folder
- Create a new folder in the root directory of your C: partition and name it Test Share. To do this, click the File Explorer link on the toolbar.
- Right-click the Test Share folder. Choose Share With ➢ Specific People.
- In the File Sharing dialog box, enter the names of users with whom you want to share this folder. In the upper box, enter Everyone and then click Add. Note that Everyone appears in the lower box. Click in the Permission Level column next to Everyone and choose Read/Write from the pop-up menu. Then click Share.
- You’ll see a message that your folder has been shared. Click Done.
- Click the Windows Key on the keyboard and choose Administrative Tools.
- Open the Active Directory Users and Computers tool. Expand the current domain and right-click the RD OU. Select New ➢ Shared Folder.
- In the New Object – Shared Folder dialog box, type Shared Folder Test for the name of the folder. Then type the UNC path to the share (for example, \\server1\Test Share). Click OK to create the Shared Folder object.
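Exercise 7.18 in PowerShell, together with the repointing of a Shared Folder object described earlier under Making Active Directory Objects Available to Users, as an added example that is not code from the book. The published share is a volume object whose uNCName attribute holds the path; Move-PublishedShare rewrites that attribute when the data moves to another server, so clients keep using the same directory name. The group CONTOSO\RD Users, the RD OU distinguished name and server2 are hypothetical; the exercise grants Everyone Read/Write, whereas the example scopes Change access to a named group, which is the tighter choice.

```powershell
# Added example, not code from the book. CONTOSO\RD Users, the OU DN and server2 are hypothetical.
Import-Module ActiveDirectory
Import-Module SmbShare

$shareName = 'Test Share'
$localPath = 'C:\Test Share'
$ouDn      = 'OU=RD,DC=contoso,DC=com'

New-Item -Path $localPath -ItemType Directory -Force | Out-Null

# The exercise uses Everyone with Read/Write; a named group with Change access is narrower.
New-SmbShare -Name $shareName -Path $localPath -ChangeAccess 'CONTOSO\RD Users' | Out-Null

# A published share is a 'volume' object. uNCName is what the "Network path" box in the
# New Object - Shared Folder dialog fills in; keywords are what users search on.
$unc = "\\$env:COMPUTERNAME\$shareName"
New-ADObject -Name 'Shared Folder Test' -Type volume -Path $ouDn `
             -OtherAttributes @{ uNCName = $unc; keywords = @('test', 'rd') }

# When the data moves, repoint the object; the name clients look up in the directory does not change.
function Move-PublishedShare {
    param(
        [Parameter(Mandatory)][string]$ObjectName,
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$NewUnc
    )
    # Refuse anything that is not \\server\share, so a typo cannot publish a local path.
    if ($NewUnc -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $NewUnc" }
    $obj = Get-ADObject -Filter "objectClass -eq 'volume' -and name -eq '$ObjectName'" -SearchBase $SearchBase
    if (-not $obj) { throw "Published share '$ObjectName' not found under $SearchBase" }
    Set-ADObject -Identity $obj -Replace @{ uNCName = $NewUnc }
}

# Example of the move described in the chapter (server2 is hypothetical):
# Move-PublishedShare -ObjectName 'Shared Folder Test' -SearchBase $ouDn -NewUnc '\\server2\Test Share'

Get-ADObject -Filter 'objectClass -eq "volume"' -SearchBase $ouDn -Properties uNCName |
    Select-Object Name, uNCName
```

Publishing does not grant access: the share permissions set by New-SmbShare and the NTFS permissions on the folder still decide who can read or write, and the volume object only tells clients where to look.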