
Lab A: Implementing an Account Strategy Answer Key

This Answer Key provides the detailed steps for completing Lab A: Implementing an Account Strategy in Module 4, Implementing User, Group, and Computer Accounts.

Exercise 1 Planning an Account and Audit Strategy


In this exercise, you will use the guidelines that the Engineering and Design team gave you to plan an account strategy for Northwind Traders.

Task 1

Plan a user account naming strategy for the nwtraders.msft forest

What will user account names consist of?
Answers will vary. One option is to use the user's first name and the first initial of the user's last name.

What strategy will you use to resolve user account naming conflicts?
Answers will vary. You can add one or more characters from the user's last name to resolve the naming conflict.

What will you use for a UPN suffix for user accounts?
Answers will vary. You can use nwtraders.msft as the UPN suffix. This UPN suffix will allow all users to log on using the same account name they use to receive their e-mail.

Task 2

Plan a computer account naming strategy for the nwtraders.msft forest

What naming convention will you use for server computers?
Answers will vary. You can use the first three letters of the city that the server is located in, followed by a three-character designation for the type of server, such as EXC for an Exchange Server, or SHR for a file server with shared files, followed by a two-digit number to distinguish between multiple servers of the same type in one location. For example, VANSHR01 would be the name of the first file server in Vancouver.

What naming convention will you use for client computers?
Answers will vary. One option is to use the user's user account name, followed by a single-digit number to distinguish between multiple computers assigned to the same user, such as a desktop computer and a portable computer.


Task 3

Plan a password policy for the nwtraders.msft forest

What password policy settings will you apply to the nwtraders.msft domain?
Answers may vary. Policy settings should include at a minimum:

Enforce password history                      24 passwords remembered
Maximum password age                          30 days
Minimum password age                          7 days
Minimum password length                       14 characters
Passwords must meet complexity requirements   Enabled
Store password using reversible encryption    Disabled

What password policy settings will you apply to the corp.nwtraders.msft domain?
Answers may vary. Policy settings should include at a minimum:

Enforce password history                      24 passwords remembered
Maximum password age                          42 days
Minimum password age                          2 days
Minimum password length                       8 characters
Passwords must meet complexity requirements   Enabled
Store password using reversible encryption    Disabled
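An added example, not part of the original lab: one way to compare a domain's exported password policy with the two plans above. It assumes the policy was exported with secedit /export, reads the planned values as thresholds, and uses a constructed sample file; the function and variable names are illustrative.

```python
import configparser
import re

# Planned values from the answer key above, read as thresholds (an assumption):
# INF key -> (comparison, nwtraders.msft value, corp.nwtraders.msft value)
PLAN = {
    "PasswordHistorySize":   (">=", 24, 24),
    "MaximumPasswordAge":    ("<=", 30, 42),
    "MinimumPasswordAge":    (">=", 7, 2),
    "MinimumPasswordLength": (">=", 14, 8),
    "PasswordComplexity":    ("==", 1, 1),  # Enabled
    "ClearTextPassword":     ("==", 0, 0),  # reversible encryption Disabled
}
COLUMN = {"nwtraders.msft": 1, "corp.nwtraders.msft": 2}

# Constructed sample of a "secedit /export" INF file (not real lab output).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
[Version]
Revision=1
"""

def meets(op, actual, required):
    if actual is None:                  # setting missing or not numeric
        return False
    if op == ">=":
        return actual >= required
    if op == "<=":                      # 0 or below is treated here as "never expires"
        return 0 < actual <= required
    return actual == required

def check_policy(inf_text, domain):
    """Return [(setting, actual, planned)] for settings that miss the plan."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str            # INF keys are mixed case; keep them
    parser.read_string(inf_text)
    values = dict(parser["System Access"]) if parser.has_section("System Access") else {}
    findings = []
    for key, rule in PLAN.items():
        raw = values.get(key, "").strip()
        actual = int(raw) if re.fullmatch(r"-?\d+", raw) else None
        if not meets(rule[0], actual, rule[COLUMN[domain]]):
            findings.append((key, actual, rule[COLUMN[domain]]))
    return findings
```

The sample file satisfies the corp.nwtraders.msft plan but is reported against the nwtraders.msft plan for maximum age, minimum age, and minimum length.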

Note: It is not necessary for password restrictions to be as strict for user accounts as they are for Administrative accounts in the root domain of the forest.

Task 4

Plan an audit strategy for the nwtraders.msft forest.


Which success audit settings will you include in your plan?
Answers may vary. The plan should include success auditing of account management, policy change, and system events.

Which failure audit settings will you include in your plan?
Answers may vary. The plan should include failure auditing of account management, policy change, and system events.


Exercise 2 Creating Accounts Using the Csvde Tool


In this exercise, you will use the Csvde command-line tool to import multiple accounts into Active Directory from a .csv import file.

Task 1

Import the .csv file into Active Directory

1. Log on as Nwtradersx\ComputerNameUser with a password of P@ssw0rd
2. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd
3. At the command prompt, type cd C:\MOC\2279\Labfiles\Lab4 and then press ENTER.
4. At the command prompt, type csvde -i -k -f YourDomainName.csv and then press ENTER.
5. At the command prompt, type exit and then press ENTER.

Task 2

Determine which new organizational units, users, and groups were created

1. Start Active Directory Users and Computers.
2. Expand your domain and then examine the contents of the new organizational units.

Which new organizational units were created?
The IT Admin organizational unit was created with two suborganizational units: IT Groups and IT Users. The IT Test organizational unit was created and contains an organizational unit named IT Test Move. Also, the NWTraders Groups organizational unit was created and contains three organizational units named Domain Local, Global, and Universal.

Which of the new organizational units contain user and group accounts?
The IT Groups organizational unit contains 26 domain local administrator groups (one for each city), and 1 global admins group. The IT Users organizational unit contains 26 administrator accounts, one for each city.


Exercise 3 Creating a UPN Suffix


In this exercise, you will create a UPN suffix and then troubleshoot a UPN suffix routing conflict between two forests.

Task 1

Create a new UPN suffix in your forest

1. Log on as Nwtradersx\ComputerNameUser with a password of P@ssw0rd
2. Use Run as to start Active Directory Domains and Trusts as nwtradersx\Administrator with a password of P@ssw0rd
3. Right-click Active Directory Domains and Trusts, and then click Properties.
4. On the UPN Suffixes tab, type a UPN suffix of YourCityName in the Alternative UPN suffixes box, click Add, and then click OK.

Task 2

Enable routing of the new UPN suffix

1. In the console tree, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
2. In the Connect to Domain Controller dialog box, in the Domain text box, type nwtraders.msft, click OK, and then click Yes.
3. In the console tree, right-click nwtraders.msft, and then click Properties.
4. On the Trusts tab, under Domains that trust this domain (incoming trusts), click nwtradersx.msft, click Properties, and then click the Name Suffix Routing tab.
5. In the Active Directory dialog box, type a user name of Administrator and a password of P@ssw0rd and then click OK.
6. On the Name Suffix Routing tab, under Name suffixes in the nwtradersx forest, click YourCityName, and then click Enable.

   What is the status of the YourCityName UPN suffix after you attempt to enable it?
   Routing is still disabled, and the status is listed as Conflict in nwtraders.msft.

   What can you do to resolve this UPN suffix routing conflict?
   Delete the UPN suffix in the nwtraders.msft forest.

7. Close all dialog boxes, and then close Active Directory Domains and Trusts.


Exercise 4 Moving a Group of Users


In this exercise, you will grant global group permissions to a shared folder on your server. You will then move the group and its members to an organizational unit in the other domain in your forest. Finally, you will verify that the moved group still has permissions to the shared folder on your server.

Task 1

Create and share a folder named ITAdmin on your server

1. Log on as nwtradersx\ComputerNameUser with a password of P@ssw0rd
2. Use Run as to start Computer Management as nwtradersx\Administrator with a password of P@ssw0rd
3. In the console tree, expand Shared Folders, right-click Shares, and then click New Share.
4. On the Welcome to the Share a Folder Wizard page, click Next.
5. On the Folder Path page, type C:\ITAdmin
6. Click Next and then click Yes.
7. On the Name, Description, and Settings page, click Next.
8. On the Permissions page, click Use custom share and folder permissions, and then click Customize.
9. In the Customize Permissions dialog box, click Add.
10. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type G IT Admins and then click OK.
11. In the Customize Permissions dialog box, in the Permissions for G IT Admins list, select the Allow Full Control check box, and then on the Security tab, click Add.
12. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type G IT Admins and then click OK.
13. In the Customize Permissions dialog box, in the Permissions for G IT Admins list, select the Allow Full Control check box, and then click OK.
14. On the Permissions page, click Finish.
15. On the Sharing was Successful page, click Close.
16. Close Computer Management.

Task 2

Examine the SID, SID history, and GUID of the G IT Admins global group object

1. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd
2. At the command prompt, type ldp and then press ENTER.
3. In the Ldp dialog box, on the Connection menu, click Connect.
4. In the Connect dialog box, in the Server box, type your server's name, and then click OK.
5. In the Ldp dialog box, on the Connection menu, click Bind.
6. In the Bind dialog box, type a user name of Administrator, a password of P@ssw0rd and the name of the domain hosted by your server, and then click OK.
7. On the View menu, click Tree.
8. In the Tree View dialog box, in the BaseDN list, select your domain, and then click OK.
9. In the console tree, expand your domain, double-click IT Admin, double-click IT Groups, and then double-click G IT Admins.
10. In the details pane, view the properties of G IT Admins.
11. After you answer the question below, on the Connection menu, click Exit.

What is listed for the objectGUID, objectSID, and sIDHistory entries for the G IT Admins global group?
Answers will vary. There will be no entry for SIDHistory.

Task 3

Install the Active Directory Migration Tool from \\London\OS\i386\ADMT\ADMIGRATION.MSI

1. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd
2. At the command prompt, type \\London\OS\i386\ADMT\ADMIGRATION.MSI and then press ENTER.
3. In the File Download dialog box, click Open.
4. On the Welcome to the Active Directory Migration Tool Setup Wizard page, click Next.
5. On the License Agreement page, click I accept the License Agreement, and then click Next.
6. On the Installation Folder page, click Next.
7. On the Start Installation page, click Next.
8. On the Completing the Active Directory Migration Tool Setup Wizard page, click Finish.
9. Close the command prompt.

Task 4

Move the G IT Admins global group and its members into the IT Test\IT Test Move organizational unit in the other domain in your forest

1. Use Run as to open the Active Directory Migration Tool as nwtradersx\Administrator with a password of P@ssw0rd
2. In the console tree, right-click Active Directory Migration Tool, and then click Group Account Migration Wizard.
3. On the Welcome to the Group Account Migration Wizard page, click Next.
4. On the Test or Make Changes page, click Migrate now, and then click Next.
5. On the Domain Selections page, select your domain as the source domain, and your partner's domain as the target domain, and then click Next.
6. On the Group Selection page, click Add.
7. In the Select Groups dialog box, type G IT Admins
8. Click OK, and then click Next.
9. On the Organizational Unit Selection page, click Browse.
10. In the Browse for Container dialog box, select the IT Test\IT Test Move organizational unit from the other domain in your forest, click OK, and then click Next.
11. On the Group Options page, select the Copy group members check box, and then click Next.
12. In the Warning dialog box, click OK.
13. On the Naming Conflicts page, click Rename conflicting accounts by adding the following, click Suffix, type moved and then click Next.
14. Click Finish.
15. When the migration is completed, click Close.
16. On the File menu, click Exit.

Task 5

Examine the SID, SIDHistory, and GUID of the G IT Admins global group object

1. Use Run as to start a command prompt as YourDomain\Administrator with a password of P@ssw0rd
2. At the command prompt, type ldp and then press ENTER.
3. In the Ldp dialog box, on the Connection menu, click Connect.
4. In the Connect dialog box, in the Server box, type the name of the other server in your forest, and then click OK.
5. In the Ldp dialog box, on the Connection menu, click Bind.
6. In the Bind dialog box, type a user name of Administrator, a password of P@ssw0rd, the name of the other domain in your forest, and then click OK.
7. On the View menu, click Tree.
8. In the Tree View dialog box, in the BaseDN list, select the other domain in your forest, and then click OK.
9. In the console tree, expand the domain, double-click IT Test, double-click IT Test Move, and then double-click G IT Admins.

   Important: The G IT Admins group may have been renamed G IT Adminsmoved as a part of the move process.

10. In the details pane, view the properties of the object.
11. After you answer the questions below, on the Connection menu, click Exit.

What is listed for the objectGUID, objectSID, and sIDHistory entries for the G IT Admins global group?
Answers will vary. There will be an entry for sIDHistory.

Did the objectGUID, ObjectSID, or sIDHistory entries change as a result of the move?
The value for the objectGUID entry did not change, but the value for the ObjectSID entry did. The sIDHistory entry now contains the SID value that the object was assigned before the move.

Task 6

View the permissions assigned to the ITAdmin folder that you created and shared in task 1

1. Start Windows Explorer.
2. Right-click C:\ITAdmin, and then click Properties.
3. On the Security tab, view the users and groups that are assigned permissions to this folder.

Does the group to which you assigned permissions for this folder in step 1 still have full control permissions to the folder? Why or why not?
Yes, because when the object was moved, its sIDHistory attribute was populated with the SID that was granted permissions to the folder.
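An added example, not part of the original lab: a small model of the answer to Task 6, showing why the folder's permission entry still matches the group after the move. The SID values, RIDs, and function names are constructed for illustration; the binary SID decoding follows the standard layout of objectSid and sIDHistory values.

```python
import struct

def sid_to_str(raw):
    """Decode a binary SID (objectSid / sIDHistory value) into S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])        # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def make_sid(domain, rid):
    """Build a constructed binary domain SID: S-1-5-21-<domain>-<rid>."""
    subs = (21, *domain, rid)
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def token_sids(obj):
    """SIDs the object contributes to an access token: current SID plus history."""
    return {sid_to_str(s) for s in [obj["objectSid"], *obj.get("sIDHistory", [])]}

def rights_on(acl, obj):
    """Rights from ACEs whose trustee SID matches any SID the object carries."""
    sids = token_sids(obj)
    return {right for trustee, right in acl if trustee in sids}

# Constructed values: two domain identifiers and the group's RID in each domain.
SOURCE = (1111111111, 2222222222, 3333333333)
TARGET = (4000000001, 4000000002, 4000000003)
OLD_SID, NEW_SID = make_sid(SOURCE, 1105), make_sid(TARGET, 1604)

# Permission entry on the ITAdmin folder from Task 1: it names the original SID.
ITADMIN_ACL = [(sid_to_str(OLD_SID), "Full Control")]

def demo():
    before = {"objectSid": OLD_SID}
    moved = {"objectSid": NEW_SID, "sIDHistory": [OLD_SID]}
    moved_no_history = {"objectSid": NEW_SID}            # same move without sIDHistory
    cases = [("before", before), ("moved", moved),
             ("moved_no_history", moved_no_history)]
    return {name: rights_on(ITADMIN_ACL, obj) for name, obj in cases}

if __name__ == "__main__":
    for name, rights in demo().items():
        print(name, sorted(rights))
```

Because every SID in sIDHistory is honored like the object's current SID, the values in that attribute are worth reviewing after a migration.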
