Lab 3 – User and Group Management in a Domain

In this lab you will be configuring Domain user and group accounts using the desktop experience and PowerShell. Approximate completion time: 90 minutes. You will need to work on Server1 and Client1 during this lab.

1.0 Creating Organizational Units

  1. On Server1, create the following Organizational Units using Active Directory Users and Computers:
    • Toronto
    • Montreal
    • Vancouver

2.0 Creating Global Groups in the Domain

  1. On Server1, under the Toronto Organizational Unit, create the following Global Security Groups using Active Directory Users and Computers:
    • T_SalesReps
    • T_Marketing
    • T_HRSupport
    • T_Executives
  2. Create similar groups in the Montreal and Vancouver OUs, substituting M for Montreal and V for Vancouver for the T in each name.

3.0 Creating Domain Local Groups

It is challenging to create accounts from the command line, but it is a necessary skill to learn. We will only create a couple of groups using PowerShell and then switch to Remote Administration from our AdminClient. You are going to create Domain Local Groups on your Server1 in Sections 3.1 and 3.2 below using a couple of different methods.

3.1 Using PowerShell on Server1 to create Domain Local Groups

  1. Open PowerShell on Server1.
  2. Use the link HERE to get help about the New-ADGroup cmdlet. Use the examples from the help to determine the command you need to use to create the 2 Marketing Groups (Marketing_Read and Marketing_FC) on your domain using PowerShell.
  3. While the commands and their output are still on the screen, save a screenshot of your PowerShell commands.
Use some of the following options with your PowerShell command:
  • -SamAccountName
  • -GroupCategory
  • -GroupScope
  • -Path
  • -Description
What do you need to add to the command to put the Domain Local Group into an OU when using PowerShell? You can create the Domain Local Groups in the Toronto OU or just in the Domain.

3.2 Using RSAT on AdminClient to Create Domain Local Groups on Server1

Create the following Domain Local groups from your AdminClient computer using the Remote Server Administration Tools:
  • HR_Read
  • HR_FC
  • SalesFiles_FC
You can use Active Directory Users and Computers or PowerShell.

3.3 Using RSAT on AdminClient to Add Global Groups to the Domain Local Groups

  1. Open Windows Administrative Tools on your AdminClient.
  2. Open Active Directory Users and Computers.
  3. Find your SalesFiles_FC Domain Local Group and double-click to open the Properties.
  4. To add a Global Group to the Domain Local group, click Add. Click Advanced on the next screen and then Find Now to see the list of available objects you can add to the group.
  5. Select the Global Groups that you created for the Sales Reps from the Toronto, Montreal and Vancouver OUs, then click OK. Then click OK again on the next screen.
  6. You should now see all of the groups you added to the Local Group displayed under Members. Take a screenshot.
  7. Add T_Marketing, M_Marketing and V_Marketing global groups to the Marketing_FC Domain Local Group.
  8. Add T_Executives, M_Executives and V_Executives global groups to the SalesFiles_FC Domain Local Group.
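
The nesting from steps 5, 7 and 8 can also be applied and checked from PowerShell. The script below is an added example, not part of the original lab; it assumes the ActiveDirectory module from RSAT is installed, that the groups from Sections 2.0 to 3.2 exist, and that the Sales Reps groups are named T_SalesReps, M_SalesReps and V_SalesReps as Section 2.0 implies.

```powershell
# Added example (not from the lab). Assumes RSAT's ActiveDirectory module and
# that the groups from Sections 2.0-3.2 already exist under these names.
Import-Module ActiveDirectory

# Domain Local group -> Global groups to nest in it (steps 5, 7 and 8).
$nesting = @{
    'SalesFiles_FC' = @('T_SalesReps', 'M_SalesReps', 'V_SalesReps',
                        'T_Executives', 'M_Executives', 'V_Executives')
    'Marketing_FC'  = @('T_Marketing', 'M_Marketing', 'V_Marketing')
}

foreach ($dl in $nesting.Keys) {
    $target = Get-ADGroup -Identity $dl -ErrorAction Stop
    if ($target.GroupScope -ne 'DomainLocal') {
        Write-Warning "$dl has scope $($target.GroupScope), expected DomainLocal; skipped."
        continue
    }

    # Only add the Global groups that are not already direct members.
    $current = @(Get-ADGroupMember -Identity $dl | ForEach-Object SamAccountName)
    foreach ($gg in $nesting[$dl]) {
        $source = Get-ADGroup -Identity $gg -ErrorAction Stop
        if ($source.GroupScope -ne 'Global') {
            Write-Warning "$gg has scope $($source.GroupScope), expected Global; skipped."
        }
        elseif ($current -notcontains $gg) {
            Add-ADGroupMember -Identity $dl -Members $gg
        }
    }

    # Re-read the membership and flag anything that is not a planned Global group,
    # such as a user account added directly to the Domain Local group.
    $members = @(Get-ADGroupMember -Identity $dl)
    $members | Sort-Object Name | Format-Table Name, objectClass -AutoSize
    $members |
        Where-Object { $_.objectClass -ne 'group' -or $nesting[$dl] -notcontains $_.SamAccountName } |
        ForEach-Object { Write-Warning "$dl has an unplanned direct member: $($_.Name)" }
}
```

The script is safe to run more than once: existing memberships are left alone and only the warnings change.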

4.0 Creating Domain User Accounts

Decide on a Naming Convention for the user accounts you will create in your domain. Make sure you account for duplicate names. Use the default password for all users and select the "User must change password at next login" option. Create job titles, phone numbers and addresses for all users in the Toronto OU. (Configure at least 2 users so you can see how much work it is to fill in all of the fields manually.)

4.1 One at a Time with Active Directory Users and Computers

  1. Create the following user accounts (and their properties) under the Toronto OU using Active Directory Users and Computers:
    • Fred Flintstone – Member Of: T_SalesReps
    • Barney Rubble – Member Of: T_SalesReps
    • Bamm-Bamm Rubble – Member Of: T_Marketing
    • Wilma Flintstone – Member Of: T_HRSupport
    • Mr. Slate – Member Of: T_SalesReps and T_Executives

4.2 Creating User Accounts with PowerShell

  1. Create the following 2 user accounts in the Toronto OU using PowerShell. Link to PowerShell command and examples HERE. Keep the command simple: you do not have to add all the additional properties to these user accounts, just the user settings.
    • Pebbles Flintstone
    • Great Gazoo
  2. While your PowerShell commands are still on the screen, take a screenshot of the PowerShell window.
  3. To view the properties of your user accounts using PowerShell, use the following command:
PS > Get-ADUser -Identity username

4.3 Creating User Account Templates

  1. On Server1, create a new user account using Active Directory Users and Computers, that will be a template account for the Executives in the Vancouver OU. Name this template _Executives_Template. Set the password field to the default password, and disable the account.
  2. Go into the properties of the template account and configure properties on at least 2 Tabs as well as the Member Of: tab, making the template a member of the V_Executives, and the V_SalesReps Global Groups.
  3. Once the template account has been created, it will show at the top of the OU list because it begins with the underscore character “_”.

4.4 Using Templates to Create User Accounts

  1. Using the template you created in the previous section (copy the template user), create 3 new Executive user accounts in the Vancouver OU. Use the following names:
    • Luke Perry
    • Jason Priestly
    • Shannon Doherty
  2. Verify that the properties you built into the template were copied to the new user accounts.

5.0 Using the Built-In Groups to Assign User Rights

User rights determine what users are allowed to “DO” on a particular computer or domain. By default, regular users can only log in to client computers, not server computers. If you need a regular user to be able to perform some administrative tasks and log in to a server, you will need to give them the rights to do so. The best way to give user rights is to add user accounts to the Built-In Local Groups on a particular server. User Rights are LOCAL to the server they are configured on. There are also built-in Domain Local Groups that give user rights on the domain.
  1. Create the following 5 user accounts on your domain:
    • Joe Admin in the Toronto OU
    • Jane Admin in the Montreal OU
    • Bob Admin in the Vancouver OU
    • Hani Admin in your domain, but not in an OU.
    • Marg Admin in your domain, but not in an OU.
  2. Add Joe, Jane and Bob to the Account Operators group and the Backup Operators group.
  3. Add Hani and Marg to the Domain Admins group.
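
Because these built-in groups grant rights on the server and the domain, it is worth confirming exactly who ends up in them. The report below is an added example, not part of the original lab; it assumes the ActiveDirectory module is available, that each account's Name attribute is the full name used in step 1, and that the built-in Administrator account is still a member of Domain Admins.

```powershell
# Added example (not from the lab). Expected members come from steps 2 and 3;
# matching on the Name attribute is an assumption, since the lab lets you
# choose your own logon-name convention.
Import-Module ActiveDirectory

$expected = @{
    'Account Operators' = @('Joe Admin', 'Jane Admin', 'Bob Admin')
    'Backup Operators'  = @('Joe Admin', 'Jane Admin', 'Bob Admin')
    'Domain Admins'     = @('Administrator', 'Hani Admin', 'Marg Admin')
}

$report = foreach ($group in $expected.Keys) {
    # -Recursive resolves nested groups down to the accounts that really hold the right.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group          = $group
                Name           = $u.Name
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                Expected       = $expected[$group] -contains $u.Name
            }
        }
}

$report | Sort-Object Group, Name | Format-Table -AutoSize

# Accounts holding a privileged membership that the lab did not ask for.
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "$($_.Name) is in '$($_.Group)' but is not on the expected list."
}

# Expected accounts that are missing from a group (step 2 or 3 not completed).
foreach ($group in $expected.Keys) {
    $present = @($report | Where-Object Group -eq $group | ForEach-Object Name)
    $expected[$group] | Where-Object { $present -notcontains $_ } | ForEach-Object {
        Write-Warning "$_ is expected in '$group' but was not found."
    }
}
```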

5.1 Testing User Rights

  1. Test the following and record whether the login worked or did not work and if it works as you expected:
    • Log in to Client1 as Fred Flintstone.
    • Log in to Server1 as Fred Flintstone.
    • Log in to Client1 as Bob Admin.
    • Log in to Server1 as Bob Admin.
    • Log in to Server1 as Hani Admin.
To prove you have completed this lab:
  • Create a Microsoft Word document (or use Google docs), with a name of YourSenecaID-Lab3.docx.
  • Take a screenshot of Server1 Active Directory Users and Computers, showing the Organizational Units created.
  • Open the Toronto OU and take a screenshot showing the objects created.
  • Open the Montreal OU and take a screenshot showing the objects created.
  • Open the Vancouver OU and take a screenshot showing the objects created.
  • Display the Properties of the Mr. Slate user account, showing the Member Of tab, and take a screenshot.
  • From Section 3.3, display the members of the SalesFiles_FC Domain Local Group and take a screenshot.
  • Paste each screenshot from above, plus the 2 PowerShell screenshots, into the document, and label them clearly. You should have 8 images.
  • Save the document as a PDF file using the same name as the document file, and upload it to MySeneca, under Course Documents>Labs>Lab3 before the due date.