NIM

Microsoft Active Directory

Abstract

Overview of Microsoft Active Directory, a directory service for Windows domains, including its features and configuration steps.

Microsoft Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It ships with most Windows Server operating systems as a set of processes and services. Initially Active Directory was responsible only for centralized domain management, but it has since grown into a broad set of directory-based identity services. An AD domain controller authenticates and authorizes every user and computer in a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software. For example, when a user logs on to a domain-joined computer, Active Directory verifies the submitted password and determines whether the user is an administrator or a standard user. It also stores and manages directory information, provides authentication and authorization, and is the foundation for related services: Certificate Services, Federation Services, Lightweight Directory Services, and Rights Management Services.

About

Vendor: Microsoft
Product: Active Directory (On-Premise)
Integration Type: PowerShell


Supported tables and operations

Table                | Key        | Read | Create | Update | Delete
---------------------|------------|------|--------|--------|-------
Computers            | objectGUID | Yes  | Yes    | Yes    | Yes
Users                | objectGUID | Yes  | Yes    | Yes    | Yes
Groups               | objectGUID | Yes  | Yes    | Yes    | Yes
Memberships          | ---        | Yes  | Yes    | No     | Yes
OrganizationalUnits  | objectGUID | Yes  | Yes    | Yes    | Yes

The Key column is the attribute NIM uses to identify a row. objectGUID is used because it survives renames and moves between OUs, unlike distinguishedName or sAMAccountName. Memberships have no key of their own and cannot be updated in place; a membership is changed by deleting it and creating the new one.

Relationships

Referencing Table | Foreign Key | Parent Table | Primary Key
------------------|-------------|--------------|------------
Memberships       | group       | Groups       | objectGUID
Memberships       | member      | Users        | objectGUID

Configuration

  1. Create a group managed service account (gMSA) for the NIM service and allow the NIM server to retrieve its password.

  2. On the NIM server, click Start > Run and enter Services.msc.

  3. Find the NIM service and double-click it.

  4. Go to the Log On tab.

  5. Select This account: and click Browse.

  6. Click Locations and select Entire Directory.

  7. Type the name of the gMSA you created and click OK. The account name carries a trailing $ (for example DOMAIN\svc-nim$).

  8. Clear the Password and Confirm Password fields and click OK. A gMSA has no password to enter; the server retrieves it from Active Directory when the service starts, and Services.msc grants the account the Log on as a service right when you save the tab.
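The gMSA side of the procedure above, as an added PowerShell example that is not part of the NIM documentation or NIM's own tooling. The domain name corp.example, the gMSA name svc-nim and the NIM server name NIM01 are assumptions; replace them with your own.

```powershell
# Added example, not NIM's own tooling: create the gMSA the NIM service runs as
# and bind it to the NIM host. Assumed names: domain corp.example, gMSA svc-nim,
# NIM server NIM01. Run steps 1 and 2 on a host with the ActiveDirectory module
# and rights to create service accounts; run step 3 on NIM01 itself.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which gMSA passwords are derived.
#    A new key is usable only after it has replicated (Microsoft documents a
#    10-hour wait). Back-dating EffectiveTime skips that wait and is for labs only;
#    in production use Add-KdsRootKey -EffectiveImmediately and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the account. Only NIM01 may retrieve the managed password, so a
#    compromise of some other server does not yield the NIM identity.
$gmsaName = 'svc-nim'
$nimHost  = Get-ADComputer -Identity 'NIM01'

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $nimHost `
    -Description 'NIM identity management service' `
    -Enabled $true

# 3. On NIM01 (after a reboot, or 'klist -li 0x3e7 purge' so the computer's
#    Kerberos ticket reflects the new permission): link the account and prove
#    the host can fetch its password. Test-ADServiceAccount returns True on success.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName

# The value to type in the Services.msc Log On tab (note the trailing $).
'CORP\{0}$' -f $gmsaName
```

The gMSA still needs rights over the objects NIM manages. Grant them by delegating control on the OUs that hold the users, groups, computers and OUs NIM is responsible for, rather than by adding the account to Domain Admins; the account's password is retrievable by every host listed in PrincipalsAllowedToRetrieveManagedPassword, so its rights should be no wider than NIM's scope.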

Troubleshooting

ACCESS DENIED Errors

If Active Directory objects that NIM attempts to modify return an ACCESS DENIED error, first verify that the NIM service is not running as "Local Service" or "Local System" on the server. Those built-in identities reach the domain as the computer account (Local System) or as anonymous (Local Service), neither of which has rights over directory objects. NIM must run as a domain account, preferably a group managed service account, and that account must hold the rights to manage users, groups, computers and OUs within the scope NIM manages.

If the NIM service is running as a domain account with proper privileges, the next step is to check that account's effective permissions, as there may be an explicit denial somewhere in the access control list.

  1. Launch Active Directory Users and Computers.

  2. Ensure that advanced features are turned on by enabling View > Advanced Features.

  3. Find the target object that is returning the ACCESS DENIED error. Right click on it and select Properties.

  4. Go to the Security tab and click Advanced.

  5. Go to the Effective Access tab.

  6. Click Select a user and find the NIM service account.

  7. Click View Effective Access.

If the resulting list shows a red X next to the operation being attempted (for example Delete or Write all properties), examine the access control lists on that object and on the containers above it. There may be an explicit Deny entry somewhere in the hierarchy that applies to the service account or one of its groups, or the Allow entry the account needs may simply be missing.
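The same check from PowerShell, as an added example that is not part of the NIM documentation or NIM's own tooling: starting at the object that returns ACCESS DENIED, it walks up to the domain root and reports every Deny entry that applies to the service account directly, through one of its groups, or through Everyone / Authenticated Users. The gMSA name svc-nim and the target distinguished name are assumptions.

```powershell
# Added example, not NIM's own tooling: list Deny ACEs on a target object and on
# every container above it that apply to the NIM service account.
# Assumed names: gMSA svc-nim and the target DN below.
Import-Module ActiveDirectory

$gmsa     = Get-ADServiceAccount -Identity 'svc-nim'
$targetDn = 'CN=jdoe,OU=Staff,DC=corp,DC=example'

# SIDs the account presents in an access check: its own SID, its group SIDs and
# the well-known Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) identities.
$sids = @($gmsa.SID.Value, 'S-1-1-0', 'S-1-5-11') +
        @(Get-ADPrincipalGroupMembership -Identity $gmsa.DistinguishedName |
          ForEach-Object { $_.SID.Value })

$dn = $targetDn
do {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # Compare on SID so renamed principals and nested groups still match.
        try {
            $aceSid = $ace.IdentityReference.Translate(
                          [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID or unresolvable name
        if ($sids -contains $aceSid) {
            [pscustomobject]@{
                Object     = $dn
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType   # attribute / extended-right GUID; all zeros = whole object
                Inherited  = $ace.IsInherited
            }
        }
    }
    # Stop once the domain root has been examined; otherwise strip one RDN
    # (the regex keeps escaped commas inside an RDN intact).
    $atRoot = $dn -match '^DC='
    $dn     = ($dn -split '(?<!\\),', 2)[1]
} until ($atRoot -or -not $dn)
```

An empty result means no Deny entry applies and the failure is a missing Allow: compare the Effective Access output with the rights delegated on the OU. Deny entries are evaluated before Allow entries, so a Deny anywhere in the output overrides full control granted further down.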

Cannot change password flags

If the NIM service account has full control over an object but still cannot change password flags on accounts, the cause may be the user right Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege). This right is assigned through Group Policy under User Rights Assignment and is checked on the domain controllers, where by default only Administrators hold it. If a policy assigns this right in your domain, make sure the NIM service account (or a group it belongs to) is included. If no policy assigns it, the problem lies elsewhere.

This right lets its holder mark accounts as trusted for delegation, which is itself a well-known privilege-escalation path. Grant it to the NIM service account only, keep the policy scoped to the Domain Controllers OU, and review the other holders while you are there.

To add the NIM service account to this group policy setting, follow these steps:

  1. Open Group Policy Management.

  2. Edit the group policy object that assigns this setting (on a default installation, the Default Domain Controllers Policy linked to the Domain Controllers OU).

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  4. Double-click Enable computer and user accounts to be trusted for delegation.

  5. Add the NIM service account (or one of its group memberships) to the list of accounts in this setting.

  6. Click OK to apply your changes.

  7. Run gpupdate /force on the domain controllers, or wait for the next policy refresh, before retrying the operation from NIM.
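To confirm that the right actually reached the domain controller, the following added PowerShell example (not part of the NIM documentation or NIM's own tooling) exports the effective user-rights policy with secedit and checks whether the NIM service account, directly or through a group, appears among the holders of SeEnableDelegationPrivilege. The gMSA name svc-nim is an assumption.

```powershell
# Added example, not NIM's own tooling: on a domain controller, report whether
# the NIM service account holds SeEnableDelegationPrivilege, the right behind
# "Enable computer and user accounts to be trusted for delegation".
# Assumed gMSA: svc-nim. Run elevated, after 'gpupdate /force'.
Import-Module ActiveDirectory

$gmsa = Get-ADServiceAccount -Identity 'svc-nim'
$sids = @($gmsa.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $gmsa.DistinguishedName |
          ForEach-Object { $_.SID.Value })

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit writes the line as: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...
$line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
Remove-Item $inf -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        if ($entry -like 'S-1-*') {
            $entry
        } else {
            # A name rather than a SID: resolve it so the comparison stays SID-based.
            (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

$matched = $holders | Where-Object { $sids -contains $_ }
if ($matched) {
    'svc-nim holds SeEnableDelegationPrivilege on this DC via: ' + ($matched -join ', ')
} else {
    'svc-nim does NOT hold SeEnableDelegationPrivilege on this DC'
}
```

Run it on each domain controller NIM may talk to; the right is evaluated by whichever DC receives the write, so a GPO that has not yet replicated to one DC produces intermittent failures. The full list in $holders is also worth reading: any account there can set delegation on other accounts, so it should contain only Administrators and the NIM service account.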