
Configuring, Managing and Maintaining Windows Server 2008-Based Servers

Brillo, Julius Rafael L. Bautista, Raphael Binuya, Kim Paulo Borja, Kevin Calivara, Jerico ACT2C

10/3/2011

Table of Contents
Module 1: Creating AD DS User and Computer Accounts
Module 2: Creating AD DS Groups and Organizational Units
Module 3: Implementing a Shared Folder Implementation
Module 5: Configuring Active Directory Objects and Trusts
Module 6: Creating and Configuring GPOs
Module 7: Configure User and Computer Environment by Using Group Policy
Module 8: Implementing Security Using Group Policy

MODULE 1 Lab: Creating AD DS User and Computer Accounts

Exercise 1: Creating and Configuring User Accounts

Task 2: Create a new user account

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console pane, ensure WoodgroveBank.com is expanded, right-click the ITAdmins OU, point to New, and then click User.
3. In the New Object - User dialog box, enter the following information:
   First name: YOUR FIRST NAME (e.g. Kevin Dave)
   Last name: YOUR LAST NAME (e.g. Borja)
   Full name: (e.g. Kevin Dave Borja)
   User logon name: kdborja
   Password: Pa$$w0rd
4. Click Next.
5. Verify that the User must change password at next log on check box is selected. Click Next, and then click Finish.
6. On NYC-CL1, test the user account that you just created by logging on to NYC-CL1 as WOODGROVEBANK\kdborja with the password of Pa$$w0rd.
7. When prompted, click OK, type Pa$$w0rd1 as the new password, type Pa$$w0rd1 in the Confirm password field, click the right arrow button, and then click OK.
8. Log off from NYC-CL1.

Task 3: Modify Kevin Dave Borja's user account properties

1. On NYC-DC1, in Active Directory Users and Computers, in the details pane, right-click Kevin Dave Borja, and then click Properties.
2. Modify the user properties as follows:
   a. On the General tab, enter the following information:
      Telephone number: 63-927-3333331
      Office: Manila
      E-mail: Borja@WoodgroveBank.com
   b. On the Dial-in tab, under Network Access Permission, click Allow access.
   c. On the Account tab, click Logon Hours. Configure logon hours to be permitted Monday through Saturday between 8:00 A.M. and 5:00 P.M., and then click OK.
   d. On the Member Of tab, click Add. In the Select Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK twice.

Task 4: Create a template for the New York Customer Service department

1. On NYC-DC1, in Active Directory Users and Computers, click the NYC OU, and then expand the Customer Service OU. Click the Customer Service OU.
2. Right-click the Customer Service OU, click New, and then click User.
3. In the New Object - User dialog box, enter the following information:
   First name: Customer Service
   Last name: Template
   Full name: CustomerService Template
   User logon name: _CustomerServiceTemplate
4. Click Next, enter the following details, and then click Finish:
   Password: Pa$$w0rd
   Confirm Password: Pa$$w0rd
   Account is disabled: Selected
   User must change password at next log on: Selected
5. In the details pane, right-click _CustomerServiceTemplate, click Properties, and then enter the following details on the General tab:
   Office: New York Main Office
6. On the Member Of tab, enter the following details:
   Member of: NYC_CustomerServiceGG
7. On the Organization tab, enter the following details:
   Department: Customer Service
8. On the Account tab, enter the following details, and then click OK:
   Logon Hours: 6:00 A.M. to 6:00 P.M., Monday to Friday
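Task 4 creates the template with Account is disabled selected, and the template already carries a group membership and a known lab password. The following added example (not part of the lab manual) checks that template accounts are still disabled. It assumes Windows PowerShell 2.0 or later on a domain member, the domain DN from the Dsadd command in Module 2, and the lab's convention that template logon names start with an underscore; the function name is hypothetical.

```powershell
# Added example: report template accounts that are enabled.
# Assumption: templates follow the lab's naming, a logon name starting with "_".
function Find-EnabledTemplateAccount([string]$DomainDn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDn")
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of
    # userAccountControl is ACCOUNTDISABLE, so the negation keeps enabled accounts only.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=_*)' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    foreach ($attr in 'sAMAccountName', 'distinguishedName', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $columns = @{n='Account';  e={ $_.Properties['samaccountname'][0] }},
               @{n='DN';       e={ $_.Properties['distinguishedname'][0] }},
               @{n='MemberOf'; e={ @($_.Properties['memberof']) -join '; ' }}

    $results = $searcher.FindAll()
    try {
        # Result property names are returned in lower case.
        $results | Select-Object -Property $columns
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Any row printed here is a template account that someone has enabled.
Find-EnabledTemplateAccount 'DC=WoodgroveBank,DC=com' | Format-List
```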

Task 6: Modify the user account properties for all customer service representatives in New York

1. Select the top user in the details pane, hold SHIFT, and then click the last user in the details pane.
2. Hold CTRL, and then click NYC_CustomerServiceGG.
3. Right-click the highlighted user accounts, and then click Properties.
4. On the General tab, select the appropriate check boxes, and enter the following information:
   Description: Customer Service Representative
   Office: New York Main Office
5. On the Organization tab, select the Department check box, enter CustomerService, and then click OK.
6. Double-click Eli Bowen, and verify that the Description, Office, and Department attributes have been updated. Click OK.

Task 7: Modify the user account properties for all Branch Managers

1. On NYC-DC1, in Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.
2. In the Find Users, Contacts and Groups dialog box, click the Advanced tab.
3. Click Field, point to User, and then click Job Title.
4. In the Condition list, click Is (exactly), and in the Value field, type Branch Manager.
5. Click Add, and then click Find Now.
6. Select all of the user accounts in the Search Results, right-click the highlighted user accounts, and then click Add to a group.
7. In the Select Groups dialog box, type BranchManagersGG, and then click OK twice.
8. Close the Find Users, Contacts, and Groups dialog box.

Task 8: Create a saved query to find all investment users

1. In Active Directory Users and Computers, right-click the Saved Queries folder, point to New, and then click Query.
2. In the New Query dialog box, in the Name field, type Find Investment Users.
3. Click Define Query.
4. In the Find list, click Users, Contacts and Groups.
5. Click the Advanced tab.
6. Click Field, point to User, and then click Department.
7. In the Condition list, verify that Starts with is selected, and in the Value field, type Investments.
8. Click Add, and then click OK twice.
9. Under Saved Queries, click Find Investment Users.
10. The query should display all the users in the Investment departments in each city.

Exercise 2: Creating and Configuring Computer Accounts

In this exercise, you will create and configure computer accounts, delete a computer account and join a computer to an AD DS domain. The main tasks are as follows:

1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and Computers

1. On NYC-DC1, in Active Directory Users and Computers, right-click Computers, point to New, and then click Computer.
2. In the New Object - Computer dialog box, in the Computer Name field, type Windows Vista1.
3. Click Change.
4. In the Select User or Group dialog box, type Doris, click Check Names, and then click OK twice.

Task 2: Delete a computer account in AD DS

1. On NYC-DC1, in Active Directory Users and Computers, click Computers.
2. Right-click NYC-CL1, and then click Delete.
3. In the Active Directory Domain Services dialog box, click Yes.
4. On NYC-CL1, press the right ALT key and DELETE. Click Switch User.
5. Click Other User, then log on as Axel with the password of Pa$$w0rd.
6. Press ENTER, read the error message, and then click OK.

Task 3: Join a computer to an AD DS domain

1. Log in as NYC-CL1\LocalAdmin with a password of Pa$$w0rd.
2. Click Start, right-click Computer, and then click Properties.
3. In the System control panel, click Change settings. In the User Account Control dialog box, click Continue.
4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, for Computer name, type NYC-CL5.
6. Under Member Of, click Workgroup, and then type WORKGROUP. Click OK.
7. In the Windows Security dialog box, in the Username field, type Administrator and in the Password field, type Pa$$w0rd.
8. Click OK twice.
9. In Computer Name/Domain Changes dialog box, click OK twice, and then click Close.
10. Click Restart Now.
11. After the computer restarts, log in as LocalAdmin with a password of Pa$$w0rd.
12. Click Start, right-click Computer, and then click Properties.
13. In the System control panel, click Change settings.
14. In the User Account Control dialog box, click Continue.
15. On the Computer Name tab, click Change.
16. In the Computer Name/Domain Changes dialog box, under Member Of, click Domain, and then type Woodgrovebank.com. Click OK.
17. In the Windows Security dialog box, in the User name field, type Administrator and in the Password field, type Pa$$w0rd.
18. Click OK twice.
19. In the Computer Name/Domain Changes dialog box, click OK twice, and then click Close.
20. Click Restart Now.
21. On NYC-DC1, in Active Directory Users and Computers, click Computers or press F5 to refresh the view. Verify that the NYC-CL5 account has been added to the container object.
22. After NYC-CL3 restarts, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd.

Module 2 Creating AD DS Groups and Organizational Units

Exercise 1: Creating AD DS Groups

In this exercise, you will create three new groups by using Active Directory Users and Computers. You will create one group by using Dsadd. You will add users to the groups and inspect the results.

Task 1: Start the virtual machines, and then log on

1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A NYC-SVR1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers

1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group in the Users container using the following parameters:
   Group Name: VAN_BranchManagersGG
   Scope: Global
   Type: Security
3. Repeat step 2 to create two more groups that have the same scope and type. The two group names are as follows:
   VAN_CustomerServiceGG
   VAN_InvestmentGG

Task 3: Create a group using the Dsadd command-line tool

1. At a command prompt, enter the following command:
   dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g
2. Press ENTER.
3. Use the Find command to locate the new group in the WoodgroveBank.com OU.

Task 4: Add members to the new groups

1. In Active Directory Users and Computers, search the WoodgroveBank.com domain by using the standard Find box to find each of the user accounts listed in the table in Step 2.
2. Add each worker to the groups indicated in the following table:

Task 5: Create a new user account based on the customer service template

1. In Active Directory Users and Computers, click the Users container in WoodgroveBank.com. In the contents view area, right-click VAN_BranchManagersGG, and view its properties.
2. Open the Members tab and observe that Neville Burdan and Suchitra Mohan are now members.

Result: At the end of this exercise, you will have created three new groups by using Active Directory Users and Computers, and one new group by using Dsadd. You also will have added users to the groups and inspected the results.

Module 3 Implementing a Shared Folder Implementation

Exercise 2: Implementing a Shared Folder Implementation

Task 2: Create four new folders by using Windows Explorer

1. On NYC-DC1, open Windows Explorer.
2. On drive C, create folders named:
   Marketing
   Managers
   Investments
   CustomerService

Task 3: Set share properties for the folder

1. Right-click the Marketing folder, and then click Share.
2. In the File Sharing dialog box, type TOR_MarketingGG, and then click Add.
3. Change the permission level to Contributor, and then click Share.
4. Repeat creating shares for each of the remaining folders, assigning the groups and permissions:
   TOR_BranchManagersGG (Managers Folder)
   TOR_InvestmentsGG (Investments Folder)
   TOR_CustomerServiceGG (CustomerService Folder)

Task 4: Create another shared folder by using Share and Storage Management MMC

1. On the Start menu, in Administrative Tools, click Share and Storage Management.
2. Start Provision Share Wizard.
3. Click the Browse button. In the Browse Folder window, create a new folder named CompanyNews on the C drive.
4. Do not change any other settings, but click Next all the way through to the Create button. Click Create, and then click Close.
5. In the Shares list of the Share and Storage Management MMC, right-click CompanyNews, and then click Properties.
6. In the Permissions tab, click Share Permissions. Add the Domain Users group, and notice that their permission is set as Read.
7. Add the TOR_BranchManagersGG group, and give them Full Control permissions.
8. Finish the Permissions settings, and exit Share and Storage Management MMC.

Task 5: Create a new group and shared folder for an interdepartmental project

1. Open Active Directory Users and Computers MMC.
2. Click the Toronto OU, and add a new global security group named TOR_SpecialProjectGG.
3. Expand the following Toronto OUs, and use the Add to group command to add the users listed in the table:

   Toronto OU          Name
   Investment          Aaron Con
   Marketing           Aidan Delaney
   Branch Managers     Sven Buck
   Customer Service    Dorena Pashke

4. Close Active Directory Users and Computers.
5. Create a new folder in drive C, and name it SpecialProjects.
6. Share the folder, adding the TOR_SpecialProjectGG group with the Contributor permission level.
7. Click Share.

Task 6: Block inheritance of a folder in a shared folder

1. Open the SpecialProjects folder.
2. Create a new folder called Unshared.
3. Change Unshared Properties by removing the inheritable permissions.
4. Give permissions back to the Administrator.

Exercise 2: Evaluating the Shared Folder Implementation

Task 2: Check the permissions for Company News

1. After you are logged on as Sven, open the Company News folder and create a text file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Close the Company News window and log off.

Task 3: Check permissions of interdepartmental share Special Project

1. Log on as Dorena with the password Pa$$w0rd.
2. Open the Special Project volume and create a text document.
3. Try to open Company News. Open the News.txt file inside the News folder.
4. Log off as Dorena.

Module 5 Configuring Active Directory Objects and Trusts

Lab A: Configuring Active Directory Delegation

Exercise 1: Delegating Control of AD DS Objects

Task 1: Start each virtual machine and log on

1. In the lab launcher, next to 6419A NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console pane, right-click Toronto, and then click Delegate Control.
3. In the Delegation of Control Wizard, click Next.
4. On the Users or Groups page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type TOR_BranchManagersGG, and then click OK.
6. Click Next.
7. On the Tasks to Delegate page, select the Create, delete, and manage user accounts and the Create, delete and manage groups check boxes.
8. Click Next, and then click Finish.

Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users and Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.
5. Click Next.
6. On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box.
7. Click Next, and then click Finish.
8. Right-click Toronto, and then click Delegate Control.
9. In the Delegation of Control Wizard, click Next.
10. On the Users or Groups page, click Add.
11. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.
12. Click Next.
13. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
14. On the Active Directory Object Type page, click Only the following objects in the folder, and then select the User objects check box.
15. Click Next.
16. On the Permissions page, ensure that the General check box is selected.
17. Under Permissions, select the Read and Write personal information check box, and then click Next.
18. Click Finish.

Task 4: Verify the effective permissions assigned for the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.
2. In the console pane, right-click the Toronto OU, and then click Properties.
3. In the Toronto Properties dialog box, on the Security tab, click Advanced.
4. In the Advanced Security Settings for Toronto dialog box, on the Effective Permissions tab, click Select.
5. In the Select Users, Computers, or Group dialog box, type Sven, and then click OK. Sven Buck is a member of the TOR_BranchManagersGG group.
6. Review Sven's effective permissions. Verify that Sven has permissions to create and delete user and group objects.
7. Click Cancel twice.
8. Expand the Toronto OU, and then click the Customer Service OU.
9. In the details pane, right-click Matt Berg, and then click Properties.
10. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.
11. In the Advanced Security Settings for Matt Berg dialog box, on the Effective Permissions tab, click Select.
12. In the Select Users, Computers, or Groups dialog box, type Helge, and then click OK. Helge Hoeing is a member of the TOR_CustomerServiceGG group.
13. Review Helge's effective permissions. Verify that Helge has permissions to reset passwords and to write personal information.
14. Click Cancel twice.
15. Close Active Directory Users and Computers.

Task 5: Test the delegated permissions for the Toronto OU

1. Log on to NYC-DC1 as WOODGROVEBANK\Sven with the password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and then point to New, and then click User.
5. Create a new user with the following properties:
   a. First name: Test1
   b. User logon name: Test1
   c. Password: Pa$$w0rd
6. Click Next. This task will succeed because Sven Buck was delegated the authority to perform that task.
7. Right-click the Toronto OU, and then point to New, and then click Group.
8. Create a new global security group named Group1. This task will succeed because Sven Buck was delegated the authority to perform that task.
9. Right-click the ITAdmins OU, and review the menu options. Verify that Sven does not have permissions to create any new objects in the ITAdmins OU. Close Active Directory Users and Computers.
10. Log off and then log on to NYC-DC1 as WOODGROVEBANK\Helge with the password of Pa$$w0rd.
11. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
12. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
13. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and review the menu options. Verify that Helge does not have permissions to create any new objects in the Toronto OU.
14. Expand Toronto, click CustomerService, right-click Matt Berg, and then click Reset Password.
15. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd, and then click OK twice.
16. Right-click Matt Berg, and then click Properties.
17. In the Matt Berg Properties dialog box, verify that Helge has permission to set some user properties such as Office and Telephone number, but not settings such as Description and E-mail.
18. Click Cancel.
19. Close Active Directory Users and Computers, and then log off.
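The Effective Permissions tab in Task 4 checks one user at a time. The following added example (not part of the lab manual) lists the explicit access control entries that the Delegation of Control Wizard wrote on the Toronto OU, so the result of Tasks 2 and 3 can be reviewed in one pass. It assumes Windows PowerShell 2.0 or later on NYC-DC1 and that the Toronto OU sits directly under the domain root; the function names and the GUID lookup table are introduced here for illustration.

```powershell
# Added example: audit explicit (non-inherited) ACEs on the Toronto OU.
# Assumption: the OU is directly under the domain root, as the lab console tree shows.
$ouDn = 'OU=Toronto,DC=WoodgroveBank,DC=com'

# Schema and extended-right GUIDs behind the wizard tasks used in Tasks 2 and 3.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(any)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal Information'
}

function Resolve-GuidName([Guid]$Guid) {
    $key = $Guid.ToString()   # lower-case format, matches the table keys
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

function Resolve-Trustee($Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }      # orphaned SID: keep the raw SID so the ACE is still reported
}

function Get-ExplicitAce([string]$DistinguishedName) {
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, identity type)
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $columns = @{n='Trustee';   e={ Resolve-Trustee $_.IdentityReference }},
               @{n='Type';      e={ $_.AccessControlType }},
               @{n='Rights';    e={ $_.ActiveDirectoryRights }},
               @{n='On';        e={ Resolve-GuidName $_.ObjectType }},
               @{n='AppliesTo'; e={ Resolve-GuidName $_.InheritedObjectType }},
               @{n='Inherit';   e={ $_.InheritanceType }}
    $rules | Select-Object -Property $columns
}

# Show only the ACEs granted to the Toronto delegation groups named in the lab.
Get-ExplicitAce $ouDn |
    Where-Object { $_.Trustee -like '*\TOR_*' } |
    Sort-Object Trustee, Rights |
    Format-Table -AutoSize -Wrap
```

Compare the rows for TOR_BranchManagersGG and TOR_CustomerServiceGG with the wizard selections in Tasks 2 and 3; an entry for either group that does not correspond to a selected task is a delegation to investigate.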
