In this lesson, I'll discuss managing enterprise users. In the last few lessons, we've talked about the tools necessary to start managing users, but we haven't discussed in much detail why we want to manage users. In this video, I hope to show you why. Managing users is much easier from an enterprise perspective if we use the tools that are built into the domain. If we allow ACLs and role-based access control to go unchecked, we're going to have a security disaster at one point or another.

Let's go into Active Directory Users and Computers. I've added a few different accounts: Curly, Larry and Moe. Let's add these users to a group. To do this, we'll right-click, go up to New, and go to Group. For the group name, we'll call it Stooges. The group scope of Global and the group type of Security are the defaults, and that's what we want to select. Press OK and now we have our Stooges group. Let's add the three users, Curly; Larry; and Moe, all separated with semicolons. Press Check Names so they auto-populate and press OK. Now they're there and we can press OK.

Let's look at some information on our hard drive. Let's say these two folders were shared out, Secured Documents and Poorly Secured Documents. Let's add our security group to them. To do this, I'm going to right-click on the folder, click Properties and go to Security. I'm going to press Edit and Add, then add the Stooges group and press OK. By default, they get Read & Execute, List Folder Contents, and Read. Now press Apply and OK. Let's do the same thing to Poorly Secured Documents: go to Edit, Add, and this time I'm going to add Curly plus Stooges. So now I have two new accounts there. Both of them have Read & Execute, List Folder Contents, and Read permissions. Now press OK.

Now here's what happens in an enterprise. Let's say that Curly leaves. I go back to my Active Directory Users and Computers, I go into members, and let's remove Curly.
"Do I want to remove the selected members from the group?" Yes. Press OK. Curly no longer has access to the folders underneath the Stooges security group. However, if I go back into Poorly Secured Documents, and I go to Properties, and Security, notice that Curly is still there because I added him separately.

If we manage enterprise users with groups in mind and with role-based access control in mind, we can not only remove access more easily but also add access more easily. Imagine if this folder, the Poorly Secured folder or Secured Documents folder, were multiplied by hundreds or thousands. Maybe there's financial data for years of a company that a new employee needed access to. What if we had to add individual users, the Curly user here, to every single folder? That would be a lot of work. However, if we just add them to the Stooges group, then with one click and one add into the Stooges group, we've given the user access to all the financial data that they need. So it's not only a benefit when users come on board but it's also a benefit when they leave. If we remove them or we remove their group access from the groups that they're a part of, we can now manage the users much, much more easily.

Additionally, if we add users into certain groups, then we can apply different permissions on them with Group Policy. Again, let's say that users need printer permissions, for example, or they need their firewall changed. We can add them to a group that allows them access into whatever they need instead of adding individual users. This is done again through Active Directory. In here we can add organizational units that allow us to manage users differently. This means that we can apply different policies on those users instead of individually or with role-based access. To do this, we would right-click on the domain, go to New, and go to Organizational Unit.
This is a way that we separate users and apply different policies or group policies to a set of users so that they are treated differently than the whole group.

So in conclusion, using the tools that we have inside of our domain allows us to streamline the on-boarding process and streamline off-boarding as well.
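
The Curly entry left behind on Poorly Secured Documents can be found with a script. This is an added example, not part of the lesson: it lists every explicit folder permission granted to an individual user account instead of a group. It assumes the RSAT ActiveDirectory module is installed, and `D:\Shares` and the function name `Get-DirectUserAce` are hypothetical.

```powershell
# Assumptions (not from the lesson): the RSAT ActiveDirectory module is installed,
# and D:\Shares is a hypothetical root that holds the shared folders.
Import-Module ActiveDirectory

function Get-DirectUserAce {
    param(
        [Parameter(Mandatory)] [string] $Root
    )

    # Cache SID -> objectClass lookups so each principal is resolved in AD only once.
    $classBySid = @{}

    # Check the root folder itself plus every folder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName

        # Only explicit ACEs: inherited ones are reported at the folder where they were set.
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # Name cannot be resolved to a SID; skip it in this pass.
            }

            if (-not $classBySid.ContainsKey($sid)) {
                # Built-in and local principals are not found in AD and are stored as $null.
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
                $classBySid[$sid] = if ($obj) { $obj.objectClass } else { $null }
            }

            # A 'user' object on an ACL is access that group removal will not revoke.
            if ($classBySid[$sid] -eq 'user') {
                [pscustomobject]@{
                    Folder = $folder.FullName
                    User   = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

Get-DirectUserAce -Root 'D:\Shares' | Format-Table -AutoSize
```

Each row it returns is access that survives removing the user from a group, like Curly's entry on Poorly Secured Documents.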