This Answer Key provides the detailed steps for completing Lab A: Implementing an Account Strategy in Module 4, Implementing User, Group, and Computer Accounts.
Task 2
Task 3
What password policy settings will you apply to the corp.nwtraders.msft domain? Answers may vary. Policy settings should include at a minimum: Enforce password history remembered Maximum password age Minimum password age Minimum password length Passwords must meet complexity requirements Store password using reversible encryption 24 passwords 42 days 2 days 8 characters Enabled Disabled
Note: It is not necessary for password restrictions to be as strict for user accounts as they are for Administrative accounts in the root domain of the forest. Task 4
Task 2
Task 2
Task 2
! Examine the SID, SID history, and GUID of the G IT Admins global
group object 1. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd 2. At the command prompt, type ldp and then press ENTER. 3. In Ldp dialog box, on the Connection menu, click Connect. 4. In the Connect dialog box, in the Server box, type your servers name, and then click OK. 5. In the Ldp dialog box, on the Connection menu, click Bind.
6. In the Bind dialog box, type a user name of Administrator, a password of P@ssw0rd and the name of the domain hosted by your server, and then click OK. 7. On the View menu, click Tree. 8. In the Tree View dialog box, in the BaseDN list, select your domain, and then click OK. 9. In the console tree, expand your domain, double-click IT Admin, doubleclick IT Groups, and then double-click G IT Admins. 10. In the details pane, view the properties of G IT Admins. 11. After you answer the question below, on the Connection menu, click Exit. What is listed for the objectGUID, objectSID, and sIDHistory entries for the G IT Admins global group? Answers will vary. There will be no entry for SIDHistory. Task 3
\\London\OS\i386\ADMT\ADMIGRATION.MSI
1. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd 2. At the command prompt, type \\London\OS\i386\ADMT\ADMIGRATION.MSI and then press ENTER. 3. In the File Download dialog box, click Open. 4. On the Welcome to the Active Directory Migration Tool Setup Wizard page, click Next. 5. On the License Agreement page, click I accept the License Agreement, and then click Next. 6. On the Installation Folder page, click Next. 7. On the Start Installation page, click Next. 8. On the Completing the Active Directory Migration Tool Setup Wizard page, click Finish. 9. Close the command prompt. Task 4
! Move the G IT Admins global group and its members into the IT
1. Use Run as to open the Active Directory Migration Tool as nwtradersx\Administrator with a password of P@ssw0rd
Test\IT Test Move organizational unit in the other domain in your forest
2. In the console tree, right-click Active Directory Migration Tool, and then click Group Account Migration Wizard. 3. On the Welcome to the Group Account Migration Wizard page, click Next. 4. On the Test or Make Changes page, click Migrate now, and then click Next. 5. On the Domain Selections page, select your domain as the source domain, and your partners domain as the target domain, and then click Next. 6. On the Group Selection page, click Add.
7. In the Select Groups dialog box, type G IT Admins 8. Click OK, and then click Next. 9. On the Organizational Unit Selection page, click Browse. 10. In the Browse for Container dialog box, select the IT Test\IT Test Move organizational unit from the other domain in your forest, click OK, and then click Next. 11. On the Group Options page, select the Copy group members check box, and then click Next. 12. In the Warning dialog box, click OK. 13. On the Naming Conflicts page, click Rename conflicting accounts by adding the following, click Suffix, type moved and then click Next. 14. Click Finish. 15. When the migration is completed, click Close. 16. On the File menu, click Exit. Task 5
10. In the details pane, view the properties of the object. 11. After you answer the questions below, on the Connection menu, click Exit. What is listed for the objectGUID, objectSID, and sIDHistory entries for the G IT Admins global group? Answers will vary. There will be an entry for sIDHistory. Did the objectGUID, ObjectSID, or sIDHistory entries change as a result of the move? The value for the objectGUID entry did not change, but the value for the ObjectSID entry did. The sIDHistory entry now contains the SID value that the object was assigned before the move. Task 6
! View the permissions assigned to the ITAdmin folder that you created
and shared in task 1 1. Start Windows Explorer. 2. Right-click C:\ITAdmin, and then click Properties. 3. On the Security tab, view the users and groups that are assigned permissions to this folder. Does the group to which you assigned permissions for this folder in step 1 still have full control permissions to the folder? Why or why not? Yes, because when the object was moved, its sIDHistory attribute was populated with the SID that was granted permissions to the folder.