Module 2 Creating Active Directory ® Domain Services User and Computer Objects


  • Module 2: Creating Active Directory Domain Services User and Computer Objects

  • Module Overview
    Managing User Accounts
    Creating Computer Accounts
    Automating AD DS Object Management
    Using Queries to Locate Objects in AD DS

  • Lesson 1: Managing User Accounts
    What Is a User Account?
    Names Associated with Domain User Accounts
    User Account Password Options
    Standard User Management
    Tools for Configuring User Accounts
    What Is a User Account Template?

  • What Is a User Account?
    A user account is an object that enables authentication and access to local and network resources. Creating a user account also creates a Security ID (SID).
    A user account can be stored:
      In AD DS (AD DS account): AD DS accounts enable log on to domains and provide access to shared network resources
      On the local computer (local account): local accounts enable log on to a single computer and local resources

  • Names Associated with Domain User Accounts
    Naming options for domain user accounts:
      Object name                                    Example                                     Uniqueness requirement
      User logon name                                Gregory                                     Must be unique within domain
      User logon name (pre-Microsoft Windows 2000)   Woodgrove\Gregory                           Must be unique within domain
      User principal name (UPN)                      [email protected]                           Must be unique within forest
      LDAP distinguished name                        CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com    Globally unique, combining RDN, container name, and domain names
      Relative distinguished name (RDN)              CN=Gregory                                  Must be unique in OU

  • User Account Password Options
    User object passwords are a significant aspect of network security and can have options configured for:
      Password history
      Length
      Complexity
    By default, Windows Server 2008 domain passwords must meet three out of the following four complexity requirements:
      Uppercase
      Lowercase
      Special characters
      Numbers

  • Standard User Management
    Standard user management activities include:
      Updating group membership: provides user group membership and access rights
      Resetting user passwords: resets the security authentication used to access domain computers
      Setting user expiration: sets an expiration date on how long a user can access the domain
      Setting logon hours: sets the hours in which users can log on to the domain
      Assigning profiles and setting home folders: assigns user profiles and home folders to regulate access to resources

  • Tools for Configuring User Accounts
    You use different tools for creating and managing local and domain user accounts:
      Account              Tools
      Local user account   Windows XP and Windows Vista: User Accounts
      Domain account       Windows Server 2003/2008: Active Directory Users and Computers; command-line utilities: dsadd, Windows PowerShell, CSVDE, LDIFDE

  • Demonstration: Configuring User Accounts
    In this demonstration, you will see how to:
      Create a new user account using Active Directory Users and Computers
      Rename user accounts
      View complexity requirements


  • What Is a User Account Template?
    A user account template is an account with common properties already configured. User account templates take advantage of the similarity between user accounts.
    To use user templates:
      Create several typical users reflecting various groups within your organization
      Copy the user account most like the new account you want to create
      Modify the attributes: names, e-mail address, logon name, etc.

  • Demonstration: Creating and Using a User Account Template
    In this demonstration, you will see how to create and use a user account template.


  • Lesson 2: Creating Computer Accounts
    What Is a Computer Account?
    Options for Creating Computer Accounts
    Managing Computer Accounts

  • What Is a Computer Account?
    A computer account is an object in AD DS that identifies a computer in a domain. Computer accounts:
      Are required for authentication and auditing
      Enable managing the computer by using group policies
      Are required for all computers running Windows NT or later

  • Options for Creating Computer Accounts
    Scenario: Adding individual computers to a domain
      Process: Add the computer to the domain through the computer's system properties. The account will be created by default in the Computers container.
    Scenario: Creating multiple computer accounts in preparation for automating an operating system and software deployment
      Process: Create an OU for each department. Pre-stage new computer accounts. Add the computer to the domain.

  • Managing Computer Accounts
    Computer management activities include:
      Adding computer accounts: provides the computer name and specifies the management option
      Disabling computer accounts: maintains the account, but prevents logon from the account
      Resetting the computer account: resets the security association between the domain and the client computer (re-join necessary)
      Deleting computer accounts: removes the computer from all domain services
      Configuring group policies: manages software or computer desktop environments

  • Demonstration: Configuring Computer Accounts
    In this demonstration, you will see how to:
      Pre-stage a computer account
      Configure computer account settings
      Disable and reset a computer account


  • Lesson 3: Automating AD DS Object Management
    Tools for Automating AD DS Object Management
    Configuring AD DS Objects Using Command-Line Tools
    Managing User Objects with LDIFDE
    Managing User Objects with CSVDE
    What Is Windows PowerShell?
    Windows PowerShell Cmdlets

  • Tools for Automating AD DS Object Management
    Active Directory Users and Computers
    Directory Service Tools: Dsadd, Dsmod, Dsrm
    Csvde and Ldifde tools
    Windows PowerShell

  • Configuring AD DS Objects Using Command-Line Tools
    Command-line tools:
      Dsadd - Add objects to AD DS
      Dsmod - Modify objects in AD DS
      Dsrm - Remove objects from AD DS
      Dsget - Locate objects in AD DS
      net user - Add or modify user accounts
      net group - Add or modify group access
      net computer - Add or remove computer objects from AD DS

  • Managing User Objects with CSVDE
    [Figure: an HR application produces filename.csv; CSVDE.exe imports the file into Active Directory and exports Active Directory objects to it]

  • Managing User Objects with LDIFDE
    [Figure: LDIFDE.exe exports Active Directory objects to filename.ldf and imports objects from it]

  • What Is Windows PowerShell?
    Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components. Windows PowerShell features include:
      Powerful single-line cmdlets
      Aliases
      Variables
      Pipelining
      Scripting support
      Access to all cmd.exe commands

  • Windows PowerShell Cmdlets
    Windows PowerShell cmdlets all use the same syntax. Results from one cmdlet can be pipelined to another.

  • Demonstration: Configuring Active Directory Objects Using Windows PowerShell
    In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell.


  • Lesson 4: Using Queries to Locate Objects in AD DS
    Options for Locating Objects in AD DS
    What Is a Saved Query?

  • Options for Locating Objects in AD DS
    Sorting: use the column headings in Active Directory Users and Computers to find objects based on the columns

  • Demonstration: Searching AD DS
    In this demonstration, you will see how to search AD DS for user accounts.

  • What Is a Saved Query?
    A saved query is a way to save search criteria. Saved queries provide:
      A quick and consistent way to access a common set of directory objects to monitor or to perform specific tasks
      Options for searching attributes (e.g. last logon date)
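The "last logon date" criterion above is, behind the saved-query dialog, an LDAP filter. The following PowerShell function is an added example, not part of the course material: it builds the filter string for user accounts that have not logged on for a given number of days, optionally limited to enabled accounts. It runs offline and only produces the string; the 90-day threshold and the switch names are assumptions made for the example.

```powershell
# Added example (not part of the course material): build the LDAP filter an
# Active Directory Users and Computers saved query uses to find user accounts
# that have not logged on for a given number of days. Runs offline; it only
# returns the filter string. The defaults and switch names are assumptions.

function New-StaleUserLdapFilter {
    param(
        [int]$InactiveDays = 90,
        [switch]$EnabledOnly,          # leave out accounts that are already disabled
        [switch]$IncludeNeverLoggedOn  # also match accounts that have no lastLogonTimestamp at all
    )
    # lastLogonTimestamp is stored as a Windows FILETIME (100-nanosecond intervals
    # since 1601-01-01 UTC), so the cut-off date must be converted to that integer.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays).ToFileTimeUtc()

    $logonClause = "(lastLogonTimestamp<=$cutoff)"
    if ($IncludeNeverLoggedOn) {
        # An account that never logged on anywhere has no lastLogonTimestamp attribute.
        $logonClause = "(|$logonClause(!(lastLogonTimestamp=*)))"
    }

    $clauses = @('(objectCategory=person)', '(objectClass=user)', $logonClause)
    if ($EnabledOnly) {
        # userAccountControl bit 0x2 is ACCOUNTDISABLE. The matching rule OID
        # 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests that bit; "!" negates it.
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    return '(&' + ($clauses -join '') + ')'
}

# Filter for enabled user accounts with no recorded logon in the last 90 days:
New-StaleUserLdapFilter -InactiveDays 90 -EnabledOnly
```

Paste the returned string into the Advanced tab of the saved query's Custom Search dialog. Two caveats a practitioner should keep in mind: lastLogonTimestamp is the replicated attribute, but by default it is only refreshed when the stored value is older than about 14 days, so treat results as accurate to roughly two weeks; and an account that has never logged on has no value at all, which is why the -IncludeNeverLoggedOn switch adds the `(!(lastLogonTimestamp=*))` clause rather than relying on a comparison.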

  • Demonstration: Using a Saved Query
    In this demonstration, you will see how to create a saved query.

  • Lab: Creating AD DS User and Computer Accounts
    Exercise 1: Creating and Configuring User Accounts
    Exercise 2: Creating and Configuring Computer Accounts
    Exercise 3: Automating the Management of AD DS Objects
    Logon information
      Virtual computers: 6419A-NYC-DC1, 6419A-NYC-CL1
      User name: Administrator
      Password: Pa$$w0rd
    Estimated time: 45 minutes

  • Lab Scenario
    Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.

  • Lab Review
    In order for searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts?
    Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required?

  • Module Review and Takeaways
    Review Questions
    Considerations for Managing AD DS User and Computer Accounts

  • Module Review and Takeaways - Notes
    Review Questions
    Considerations for Managing AD DS User and Computer Accounts

    Module 2: Creating Active Directory Domain Services User and Computer Objects
    Course 6419A
    Presentation: 60 minutes
    Lab: 45 minutes

    After completing this module, students will be able to configure AD DS user accounts, configure AD DS computer accounts, and use queries to search AD DS.
    Required materials
    To teach this module, you need the Microsoft Office PowerPoint file 6419A_02.ppt.

    Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

    Preparation tasks
    To prepare for this module:
      • Read all of the materials for this module.
      • Practice performing the demonstrations and the lab exercises.
      • Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
      • Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.

    Review the concept of directory services, as needed. Define Security ID (SID), which is a unique number that identifies user, group, and computer accounts. Note that internal processes in Microsoft Windows refer to an account's SID rather than the user or group name.
    Use the following to describe some comparisons between a local account and an AD DS account. Distinguish between standard user accounts and service accounts; service accounts also need to be managed in the same way as standard user accounts.

    Local user accounts:
      • Access to a single My Documents folder
      • Attached printers
      • File sharing with other workgroup members
      • Access to shared Internet

    AD DS user accounts:
      • Log in from any workstation in the forest, with access to shared network resources
      • Printing on any network printer
      • Access to all network resources, centrally administered
    Mention the tools for creating user accounts: the Users and Groups control panel (local) and Active Directory Users and Computers (domain user accounts).

    Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts.
    Answer: Answers may vary. An example of a possible answer is: Advantages of local accounts include no requirement for a network and no requirement for a domain controller. Advantages of domain accounts include centralized administration of the network.

    Mention how a UPN is derived, and explain how it differs from the user logon name. Explain how the LDAP distinguished name becomes globally unique by using the relative distinguished name for the object, plus the names of the container objects and domains that contain the object. The distinguished name identifies the object and its location in a tree. Discuss appropriate naming conventions and suggestions on how to name temporary employees or users with the same name.

    Question: Provide at least one example of a good, scalable, unique domain user name.
    Answer: Answers may vary. Possible answers include: jsmith, smithj, joe.smith.
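The naming table on the slide and the notes above describe five names and three uniqueness scopes (OU, domain, forest). The PowerShell function below is an added example and not part of the course material: it derives all five names from a given name and surname using the "first initial + surname" convention from the answer key, escapes the RDN per RFC 4514, and enforces the uniqueness rules against a constructed list of existing accounts. The OU, domain names and existing accounts are assumptions made for this example.

```powershell
# Added example (not part of the course material): derive the RDN, LDAP
# distinguished name, user logon name, pre-Windows 2000 logon name and UPN for a
# new domain user, and apply the module's uniqueness rules. The container,
# domain names and the list of existing accounts are assumptions.

function New-DomainUserNames {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$ContainerDn   = 'OU=IT,DC=WoodgroveBank,DC=com',  # assumed OU
        [string]$DnsDomain     = 'WoodgroveBank.com',              # assumed DNS domain name
        [string]$NetbiosDomain = 'WOODGROVE',                      # assumed pre-Windows 2000 domain name
        [string[]]$ExistingSamAccountNames = @(),                  # logon names already used in the domain
        [string[]]$ExistingUpns = @()                              # UPNs already used anywhere in the forest
    )
    $cn = "$GivenName $Surname"
    # RFC 4514: backslash-escape characters that are special inside a DN component,
    # so a surname written "Smith, Jr." yields CN=Ann Smith\, Jr. instead of two components.
    $rdn = 'CN=' + ($cn -replace '([\\,+"<>;])', '\$1')

    # Logon name convention: first initial + surname, lower case, letters and digits only.
    $base = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z0-9]', ''
    # The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
    $sam = $base.Substring(0, [Math]::Min(20, $base.Length))
    $n = 2
    # Must be unique within the domain: append a counter until it is (jsmith, jsmith2, ...).
    # -contains compares case-insensitively, as AD DS does for logon names.
    while ($ExistingSamAccountNames -contains $sam) {
        $suffix = [string]$n
        $sam = $base.Substring(0, [Math]::Min(20 - $suffix.Length, $base.Length)) + $suffix
        $n++
    }
    $upn = "$sam@$DnsDomain"
    # The UPN must be unique across the whole forest, not only within this domain.
    if ($ExistingUpns -contains $upn) { throw "UPN '$upn' is already in use in the forest" }

    [pscustomobject]@{
        RelativeDistinguishedName = $rdn
        DistinguishedName         = "$rdn,$ContainerDn"
        UserLogonName             = $sam
        PreWindows2000LogonName   = "$NetbiosDomain\$sam"
        UserPrincipalName         = $upn
    }
}

# Constructed sample: jsmith already exists, so a second Joe Smith becomes jsmith2.
$existing = @('jsmith', 'gregory')
New-DomainUserNames -GivenName 'Joe' -Surname 'Smith' -ExistingSamAccountNames $existing
New-DomainUserNames -GivenName 'Ann' -Surname 'Smith, Jr.' -ExistingSamAccountNames $existing
```

In production the two "existing" lists would come from a directory search rather than a literal array, but the point the function makes is the one the slide's table makes: the logon name is checked against the domain, the UPN against the forest, and the RDN only has to be unique inside its container, which is why the DN carries the container path.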

    References
      Object Names: http://go.microsoft.com/fwlink/?LinkID=139916

    Mention how password security is protected by each of these options: password history, password reuse, maximum age, and minimum age, and note the reasons for minimum length considerations. Explore password complexity, as this is an area which will impact all users when trying to create passwords, especially for Windows Server 2008 (default complexity settings). Give an example of a weak password, and then show how it could be hardened by adding additional characters from three of the four categories. Highlight that users can use spaces in their passwords, thus creating pass phrases.

    Question: Provide at least one example of a strong password.
    Answer: Answers may vary. Possible answers include: P@ssw0rd, PassWord!!, PaSsWord! Additionally, any combination of eight or more upper and lower case along with alphanumeric characters constitutes a strong password.
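The complexity rule on the "User Account Password Options" slide and in the notes above is mechanical enough to check in code. The following PowerShell function is an added example, not part of the course material: it applies the default Windows Server 2008 domain rules (minimum length, at least three of the four character categories, and the built-in filter's rule that the password may not contain the account name or a part of the full name three or more characters long) and reports every reason a candidate fails. The minimum length of 7 and the sample passwords are assumptions made for the example.

```powershell
# Added example (not part of the course material): check a candidate password
# against the default domain password complexity rules the module describes and
# report why it fails. The minimum length and sample passwords are assumptions.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 7,          # assumed; the policy's "Minimum password length" setting
        [string]$SamAccountName = '',     # optional: the account's logon name
        [string]$DisplayName = ''         # optional: the account's full name
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # The four categories from the slide. -cmatch is used because PowerShell's
    # plain -match is case-insensitive and would let [A-Z] match lower-case letters.
    $categories = [ordered]@{
        'uppercase'          = '[A-Z]'
        'lowercase'          = '[a-z]'
        'numbers'            = '[0-9]'
        'special characters' = '[^A-Za-z0-9]'   # includes the space, so pass phrases count
    }
    $met = @($categories.Keys | Where-Object { $Password -cmatch $categories[$_] })
    if ($met.Count -lt 3) {
        $reasons += "uses only $($met.Count) of the 4 character categories ($($met -join ', '))"
    }

    # The built-in complexity filter also rejects a password that contains the account
    # name (when it is at least three characters long) or any part of the full name
    # that is three or more characters long; the comparison is case-insensitive.
    if ($SamAccountName.Length -ge 3 -and $Password -imatch [regex]::Escape($SamAccountName)) {
        $reasons += "contains the account name '$SamAccountName'"
    }
    foreach ($part in ($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -imatch [regex]::Escape($part)) { $reasons += "contains name part '$part'" }
    }

    [pscustomobject]@{
        Password = $Password
        Complies = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample passwords, checked for the account 'gregory' (display name 'Gregory'):
'password', 'Gregory2008!', 'Pa$$w0rd', 'Correct horse battery' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'gregory' -DisplayName 'Gregory'
}
```

Two things the run shows that the slide alone does not: 'Correct horse battery' complies because the space is a non-alphanumeric character, which is the pass-phrase point from the notes, while 'Gregory2008!' fails despite using all four categories because it contains the user's name. The filter checks composition only; it does not reject predictable substitutions of common words, so length, history and age settings still carry most of the weight.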

    References
      Microsoft Windows Server 2008 Help

    Mention how administrators also manage standard user activities such as updating group membership, resetting user passwords, user expiration, and setting logon hours as basic user tasks required when a new user is added into Active Directory. Also discuss the importance of assigning profiles and setting home folders to restrict access to computer resources and control user environments.

    Follow these steps to assign a home directory to a user account:
      • On the server, open Active Directory Users and Computers.
      • Locate the user account for which you want to add a home directory, right-click the account, and choose Properties.
      • In the Properties dialog box, click the Profile tab.
      • Using the Home Folder section of the dialog page, specify whether the user's home directory should be a local folder on their computer (this can be useful for laptop users), or connect a network drive and use it as the home directory, for example:
        \\192.168.1.2\Data\%username%

    A custom default user profile is useful if several people use the same computer but each user wants both a separate profile and access to shared resources. When multiple users log on locally to the same computer, Windows uses the built-in default user profile as a template to assign a profile to each new user. You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile. Because this change is permanent, Microsoft recommends that you create a backup copy of the default user profile, in case you ever want to use it again. The default user profile is located in the drive:\Documents and Settings\Default User folder, where drive is the drive on which Windows is installed.

    Question: How many times can users attempt to log on before they are locked out (by default)?
    Answer: By default, they can attempt as many times as they want. Administrators must change the account lockout threshold in the Local Security Policy.

    References
      User Management: http://go.microsoft.com/fwlink/?LinkID=139924

    Administration of user accounts under either local or domain settings has graphical user interface (GUI) tools that allow the application of permission levels from guest to administrator. Describe some of the things administrators could expect to do in Active Directory Users and Computers, and some of the additional tasks that could be delegated to individuals. Describe bulk tools like Windows PowerShell, CSVDE, and LDIFDE as they relate to creating, editing or deleting domain objects.

    Question: List at least two criteria required when selecting from among the available methods for automating user creation.
    Answer: Answers may vary. Student answers should demonstrate an understanding of the relative benefits of each automation method and an ability to map those benefits to the students' particular needs.

    References
      Local accounts: http://go.microsoft.com/fwlink/?LinkID=139921
      Dsadd: http://go.microsoft.com/fwlink/?LinkID=139920

    The following steps require NYC-DC1 to be running.
    Add a user in Active Directory Users and Computers
      • Start NYC-DC1 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
      • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
      • In the console pane, expand Woodgrovebank.com.
      • Right-click ITAdmins, point to New, and then click User.
      • In the New Object - User dialog box, in the First Name field, type Robert. In the Last Name field, type Miller. In the User logon name field, type rmiller and then click Next.
      • In the Password and Confirm Password fields, type Pa$$w0rd, and then click Next. Click Finish.
    Add a user through dsadd
      • Click Start and then click Command Prompt.
      • In the Administrator: Command Prompt window, type the following and then press ENTER:
        dsadd user "cn=Keith Harris,cn=users,dc=WoodgroveBank,dc=com" -samid Keith -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd
    Review the user account and its properties
      • In the Active Directory Users and Computers window, click Users. Double-click Keith Harris.
      • In the Description field, type Standard User. In the Office field, type Main. Click OK.
    Rename the account in Active Directory Users and Computers
      • Right-click Keith Harris and then click Rename. In the Name field, type Jeff Harris and then press ENTER.
      • In the First Name field, type Jeff. In the User logon name field, type jharris. In the User logon name list, click @WoodgroveBank.com. Click OK.

    Rename the account using dsmod
      • From the Command Prompt, type the following and then press ENTER:
        dsmod user "cn=Jeff Harris, cn=users, dc=WoodgroveBank, dc=com" -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd
    Review the password complexity settings
      • Click Start, point to Administrative Tools, and then click Group Policy Management.
      • Expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Group Policy Objects.
      • Right-click Default Domain Policy and then click Edit.
      • In the Group Policy Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
      • In the details pane, review the password complexity settings.

    Question: How would you create several user objects with the same settings for attributes, such as department and office location?
    Answer: Create a user template with the appropriate attributes, and then copy the template to create the new user account.

    Question: Under what circumstances would you disable a user account rather than delete it?
    Answer: If a user is on temporary leave, but will be returning, you would disable the account. Also, many organizations have a policy of disabling user accounts when users leave the organization, and then deleting the account at a later date.

    Question: Why are you prompted to change the additional names when you change the user name?
    Answer: Answers may vary. Possible answers might include: the additional names are typically associated with the user name.

    Question: Why would you rename a user name in AD DS when a user changes their name, rather than deleting the account and creating a new account with the new name?
    Answer: Answers may vary. Possible answers might include: It's easier to modify an account than to re-create an account including all the user information and group memberships.

    References
      DSMOD: http://go.microsoft.com/fwlink/?LinkID=139914

    Draw attention to the similarities that the user accounts of people working in similar parts of an organization might have: group memberships, department attributes, or the URL for a home page. Making representative user accounts for various departments, and then copying them and modifying the necessary attributes, can save time later and help avoid errors. Copying a user account is a commonly delegated permission for department leaders to have. This aids in streamlining domain administration.
    Highlight the user account template settings that are not copied when you create a user account using a template. Any attributes which are expected to be unique, or security settings such as passwords, are not copied. Information such as logon hours and group memberships is retained when a new user is created from a template, but the Description and Office attributes are not replicated.
    To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
    To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting them. By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.

    Question: List at least one example of how your company uses account templates.
    Answer: Answers may vary. Possible answers might include: Replicate logon hours for users in a department.

    References
      Copying User Accounts: http://go.microsoft.com/fwlink/?LinkID=139923

    The following steps require NYC-DC1 to be running.
    Create a user account template
      • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
      • Right-click Users, point to New, and then click User.
      • In the New Object - User dialog box, in the First name field, type Sales. In the Last name field, type Template. In the User logon name field, type stemplate and then click Next.
      • In the Password and Confirm Password fields, type Pa$$w0rd. Select Account is disabled. Click Next and then click Finish.
      • In the Users OU, double-click Sales Template. In the Sales Template Properties dialog box, in the Description field, type Sales and Marketing Team. In the Office field, type Main Sales. Click OK.
    Copy the Sales Template
      • In the Users details pane, right-click Sales Template and then click Copy.
      • In the Copy Object - User dialog box, in the First name field, type Michael. In the Last name field, type Miller. In the User logon name field, type mmiller.
      • In the Password and Confirm Password fields, type Pa$$w0rd. Click Next. Clear the Account is disabled check box. Click Next and then Finish.
      • In the Active Directory Users and Computers window, double-click Michael Miller. Review the Description and Office fields.


    Question: What are some fields not populated when you create a new user from a template?
    Answer: Answers may vary. Possible answers include Office and Description.

    Question: How could you make a template account easy to find in AD DS?
    Answer: Answers may vary. Possible answers may include: Giving it a name that ends with _Template.

    References
      Copying User Accounts: http://go.microsoft.com/fwlink/?LinkID=139923

    Mention that workstation computer accounts typically do not require much ongoing administrative attention. Domain controllers, on the other hand, should be monitored regularly. Mention the types of tasks that group policies can be used to do with groups of workstations, such as software installations and updates, and securing desktops.

    Question: List at least one way your company manages their computer accounts.
    Answer: Answers may vary. Possible answers include: Using Group Policies to restrict access for users. Allow users to gain access to network resources or domain access.

    References
      Manage computers: http://go.microsoft.com/fwlink/?LinkID=139918

    Computer accounts can be pre-created using Active Directory Users and Computers or created by adding a computer to the domain. Reasons for pre-creating computer accounts include software or operating-system deployment. Accounts can also be added using command-line tools: dsadd computer. Mention that by default, computer accounts are created in the Computers container for security purposes. Those accounts can be moved manually to other OUs that have special Group Policies attached. Department-specific OUs for computers would allow specific software and operating-system configurations to be applied. A computer account allows the workstation to be authenticated for various network activities.
    Pre-staging the account is simply creating the computer account in AD before joining the computer to the domain. Mention that if you need to secure the pre-staged account, then you can provide a staging GUID that will then be used only by the computer that matches the GUID.

    Question: List at least one advantage of pre-staging when deploying.
    Answer: Answers may vary. Possible answers include: automate the creation of new users in an organizational unit. Reduce minor deployment issues thereby reducing live account changes.

    References
      Join a computer to a domain: http://go.microsoft.com/fwlink/?LinkID=139917
      Manage computers: http://go.microsoft.com/fwlink/?LinkID=139918

    Mention configuration options for computer accounts. Reasons to disable or delete a computer account include: the machine is no longer in use or has been disposed of. A reset may be necessary for a computer account if a valid user account cannot log on at that computer. Give several examples of policies that might be applied to computer-account OUs, such as security settings and software restrictions.

    Question: How can the Location and Managed by properties be used to automate computer account management?
    Answer: Answers may vary. Possible answers include: Using the Location property can help administrators find the physical location of a computer and the Managed by property can help determine which user handles the machine. These two properties help administrators manage computers much more easily.

    References
      Manage computers: http://go.microsoft.com/fwlink/?LinkID=139918
      Computer Policies: http://go.microsoft.com/fwlink/?LinkID=139922

    The following steps require NYC-DC1 to be running.
    Create a normal user account in Active Directory Users and Computers
      • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
      • Right-click the Users OU, point to New, and then click User.
      • In the New Object - User dialog box, in the First name field, type Standard. In the Last name field, type User. In the User logon name field, type suser and then click Next.
      • In the Password and Confirm password fields, type Pa$$w0rd and then click Next. Click Finish.
    Configure the computer account settings
      • In the Active Directory Users and Computers window, double-click Standard User.
      • In the Standard User Properties dialog box, click the Account tab. Click Logon Hours.
      • Click Sunday and then click Logon denied. Click OK.
    Disable and reset an account
      • In the Active Directory Users and Computers window, right-click Standard User and then click Disable Account. In the Active Directory Domain Services dialog box, click OK. Note the icon next to the Standard User account.
      • Right-click Standard User and then click Enable Account. In the Active Directory Domain Services dialog box, click OK.
      • Right-click Standard User and then click Reset Password. Review the settings and then click Cancel.

    Question: A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account?
    Answer: Answers may vary. Possible answers include: Administrators might disable an account for when an employee is terminated or no longer associated with the company. Accounts are also disabled for temporary or contract workers that are only part of the organization for a defined period of time. Administrators might also disable an account for a user that takes an extended leave of absence.

    Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do?
    Answer: Answers may vary. Possible answers include: Administrators might want to configure the desktop support team to a group that allows them to add computers to the domain if they are within their organizational unit.


    Briefly describe the concept of automating AD DS object management. The goal of automating object management is to be able to perform repetitive management tasks, like creating and managing user accounts, more quickly. Automating object management also decreases the chances of making mistakes. Provide examples of how you can use each of the tools on the slide to automate object management. Mention that, with Active Directory Users and Computers, you can select a large number of users and modify some attributes for all of those users. Demonstrate the settings that you can configure. Mention that administrators can still use Microsoft Visual Basic Scripting Edition (VBScript) to manage Active Directory objects. If students already have VB scripts developed, they should be able to reuse those scripts with very little modification.

    Question: List at least one way your organization has employed these tools to automate AD DS objects.
    Answer: Answers may vary. Possible answers include: PowerShell can automate listing and modifying users. CSVDE and LDIFDE can also create and modify accounts. AD Users and Computers is the GUI to create and modify users. DS Tools can also automate user creation and modification.

    References
      Command-line help: type the command name followed by /?
      LDIFDE: http://go.microsoft.com/fwlink/?LinkId=99439
      Csvde: http://go.microsoft.com/fwlink/?LinkId=99440
      Windows PowerShell 1.0 Documentation Pack: http://go.microsoft.com/fwlink/?LinkId=99441

C:\Users\Administrator>dsadd user "cn=Hoang Vo Minh,ou=users,ou=it,ou=hn,dc=bkacad,dc=com" -upn hoang.vm@bkacad.com -samid hoang.vm -pwd P@ssw0rd -fn Hoang -ln "Vo Minh" -display "Vo Minh Hoang"
dsadd succeeded:cn=Hoang Vo Minh,ou=users,ou=it,ou=hn,dc=bkacad,dc=com

C:\Users\Administrator>dsmod user "cn=Hoang Vo Minh,ou=users,ou=it,ou=hn,dc=bkacad,dc=com" -email [email protected]
dsmod succeeded:cn=Hoang Vo Minh,ou=users,ou=it,ou=hn,dc=bkacad,dc=com

C:\Users\Administrator>dsget user "CN=Huy Le Quang,OU=Users,OU=IT,OU=HN,DC=bkacad,DC=com"

C:\Users\Administrator>dsquery user -name H*
"CN=Huy Le Quang,OU=Users,OU=IT,OU=HN,DC=bkacad,DC=com"
"CN=Hung Bui Viet,OU=Users,OU=IT,OU=HN,DC=bkacad,DC=com"
"CN=Hoang Vo Minh,OU=Users,OU=IT,OU=HN,DC=bkacad,DC=com"

C:\Users\Administrator>net user test P@ssw0rd /add /domain
The command completed successfully.

C:\Users\Administrator>net group bkacad /add
The command completed successfully.

C:\Users\Administrator>net computer \\bkacad /add
The command completed successfully.

Mention that if the dsadd or net user command does not specify a password, and the domain policy requires a password, the account will be created but will be disabled until the password requirements are met. Also point out that a password typed as an argument (as in the examples above) is visible in the console history and to anyone who can list running processes; dsadd user ... -pwd * prompts for the password instead of taking it on the command line.

Demonstrate how to get detailed help on each of the commands by typing the command followed by /?

Discuss scenarios where these commands can be used to automate Active Directory tasks. Typing these individual commands may be more cumbersome than using Active Directory Users and Computers for some people, but they can be combined into batch files or scripts to complete complex tasks in a single run.
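As an added example (not part of the course notes or the trainer's command transcript), the script below combines the dsquery, dsadd and dsmod commands from this slide into one run that creates several users. It assumes the bkacad.com domain and the OU path used in the transcript exist, that it runs as an account allowed to create users there, and that the DS tools are on the path; the user records are constructed for the example.

```powershell
# Added example (not from the course notes): dsquery/dsadd/dsmod combined into one script.
# Assumptions: the OU path and domain from the notes (bkacad.com) exist, the script runs as an
# account allowed to create users there, and the DS tools are on the path.
$ouPath    = "ou=users,ou=it,ou=hn,dc=bkacad,dc=com"
$upnSuffix = "bkacad.com"

# Constructed input. In practice read it from a file with Import-Csv.
$newUsers = @(
    @{ First = "Thanh"; Last = "Nguyen Van"; Sam = "thanh.nv"; Mail = "thanh.nv@bkacad.com" },
    @{ First = "Lan";   Last = "Tran Thi";   Sam = "lan.tt";   Mail = "lan.tt@bkacad.com"   }
)

function New-InitialPassword {
    # Random one-time password from a CSPRNG. Characters are drawn from all four classes in turn,
    # so the result meets the default complexity rule (three of upper, lower, digit, symbol).
    $sets  = @("ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnpqrstuvwxyz", "23456789", "!@#$%^&*")
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    $result = ""
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $set     = $sets[$i % $sets.Count]
        $result += $set[$bytes[$i] % $set.Length]
    }
    return $result
}

function Test-SamAccountNameInUse([string]$sam) {
    # dsquery prints the DN of every match and nothing at all when there is no match.
    $found = dsquery user -samid $sam
    return ($found -ne $null)
}

function New-DomainUser($u) {
    if (Test-SamAccountNameInUse $u.Sam) {
        Write-Warning "$($u.Sam) already exists; skipping"
        return $null
    }
    $dn      = "cn=$($u.First) $($u.Last),$ouPath"
    $initial = New-InitialPassword
    # -mustchpwd yes makes the generated value one-time only. -pwd still places it on the
    # process command line; for a single interactive add, dsadd user ... -pwd * prompts instead.
    dsadd user $dn -samid $u.Sam -upn "$($u.Sam)@$upnSuffix" -fn $u.First -ln $u.Last `
        -display "$($u.Last) $($u.First)" -pwd $initial -mustchpwd yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $($u.Sam)" }
    dsmod user $dn -email $u.Mail | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsmod failed for $($u.Sam)" }
    # Hand the one-time password back for out-of-band delivery; do not write it to a log file.
    return @{ Sam = $u.Sam; Dn = $dn; InitialPassword = $initial }
}

$created = @()
foreach ($u in $newUsers) {
    $r = New-DomainUser $u
    if ($r -ne $null) { $created += $r }
}
Write-Host ("Created {0} account(s)." -f $created.Count)
```

The collision check runs before dsadd because a duplicate sAMAccountName makes dsadd fail with a constraint violation; checking first lets the script report the clash and continue with the remaining users.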

    Question: List at least one example of why an administrator would want to use command line tools.Answer: Answers may vary. Possible answers include batch files.

Reference
Command-line help: type the command name followed by /?

Export all users in the bkacad.com domain (without the -r filter csvde exports every object in the domain, not only users):
csvde -d "dc=bkacad,dc=com" -r "(&(objectCategory=person)(objectClass=user))" -f C:\Data\acc.csv

Comma Separated Value Directory Exchange (CSVDE) uses a Comma Separated Value (CSV) file as input to make changes to the directory. CSV files are plain text and can be edited with any text editor; for the most convenient viewing and editing, use Microsoft Office Excel. On import, CSVDE can only create objects; it cannot modify or delete existing ones, and it cannot set passwords, so imported user accounts normally arrive disabled until a password is set.

Mention that one of the best ways to learn the file format for CSVDE and LDIFDE is to export data from AD DS with these tools. Because of the large amount of data that a full export produces, suggest that students start by exporting an OU with only a few users.

    Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects.Answer: Answers may vary. CSVDE takes advantage of using CSV files which is a common file format and can be read and updated using applications such as Microsoft Excel.

    ReferenceCsvde: http://go.microsoft.com/fwlink/?LinkId=99440

Using LDIFDE is very similar to using CSVDE. However, LDIFDE can add, delete and modify objects, whereas CSVDE can only add them.

Export the IT OU with the command:
ldifde -d "OU=IT,dc=bkacad,dc=com" -f C:\Data\account.ldf -l "objectClass,sAMAccountName,userPrincipalName"

Import the file with the command (-i import, -k ignore "object already exists" and constraint errors and continue, -v verbose):
ldifde -i -k -v -f C:\Data\account.ldf

The second of the two import/export tools is LDAP Data Interchange Format Directory Exchange (LDIFDE). It uses an LDAP Data Interchange Format (LDIF) file as input to make changes to the directory. LDIF files are plain text, and you can edit them with any text editor; each record starts with a dn: line and carries a changetype (add, modify or delete), which is what lets LDIFDE do more than create objects.

Consider opening the files provided for the student on the student CD, and describing the format of each.
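As an added example covering both the CSVDE and the LDIFDE notes above (it is not one of the course's sample files), the script below generates a CSVDE import file and an LDIFDE change file from the same constructed user list, so the two formats can be compared side by side. The OU and domain names follow the notes and are assumed to exist; the user records and the retired test account are made up.

```powershell
# Added example (not the course's sample files): build a CSVDE import file and an LDIFDE change
# file from the same constructed user list. The OU and domain names follow the notes above and
# are assumed to exist; the user records themselves are made up.
$ou    = "OU=Users,OU=IT,OU=HN,DC=bkacad,DC=com"
$users = @(
    @{ Cn = "Thanh Nguyen Van"; Sam = "thanh.nv"; Mail = "thanh.nv@bkacad.com" },
    @{ Cn = "Lan Tran Thi";     Sam = "lan.tt";   Mail = "lan.tt@bkacad.com"   }
)

function New-CsvdeImport($users) {
    # CSVDE import can only create objects. Neither tool can set a clear-text password, so
    # userAccountControl 514 (NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2) imports the accounts disabled;
    # set a password and enable them afterwards (for example: dsmod user <DN> -pwd * -disabled no).
    $lines = @("DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl")
    foreach ($u in $users) {
        # The DN contains commas, so that field is quoted.
        $lines += ('"CN={0},{1}",user,{2},{2}@bkacad.com,{0},514' -f $u.Cn, $ou, $u.Sam)
    }
    return $lines
}

function New-LdifdeChanges($users) {
    # Every LDIF record carries a changetype, which is what lets LDIFDE modify and delete
    # (a "changetype: add" record would create an object just as the CSV rows do).
    $lines = @()
    foreach ($u in $users) {
        $lines += "dn: CN=$($u.Cn),$ou"
        $lines += "changetype: modify"
        $lines += "replace: mail"
        $lines += "mail: $($u.Mail)"
        $lines += "-"
        $lines += ""
    }
    # Retire a constructed test account in the same run.
    $lines += "dn: CN=Test Account,$ou"
    $lines += "changetype: delete"
    $lines += ""
    return $lines
}

$csvPath = Join-Path $env:TEMP "newusers.csv"
$ldfPath = Join-Path $env:TEMP "changes.ldf"
New-CsvdeImport   $users | Out-File -Encoding ASCII $csvPath
New-LdifdeChanges $users | Out-File -Encoding ASCII $ldfPath

# Then, on a domain-joined machine as an account that can create and modify users:
#   csvde  -i -k -f <path to newusers.csv>
#   ldifde -i -k -v -f <path to changes.ldf>
Write-Host "Wrote $csvPath and $ldfPath"
```

The modify record uses replace: so it is safe to run more than once; an add: on the mail attribute would fail the second time because the attribute is single-valued.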

    Question: List at least one way that LDIFDE makes user management more scalable and reliable.Answer: Answers may vary. Possible answers include: User information can be easily imported creating new users, groups and organizational units including all the appropriate properties without having to configure each account individually.

Reference
LDIFDE: http://go.microsoft.com/fwlink/?LinkId=99439

PS C:\Users\Administrator> New-Item test.txt
Type: file
PS C:\Users\Administrator> ls
PS C:\Users\Administrator> echo hehe > test.txt
PS C:\Users\Administrator> more test.txt
PS C:\Users\Administrator> alias

A cmdlet is a lightweight command that is used in the Windows PowerShell environment. The Windows PowerShell runtime invokes these cmdlets both interactively at the command line and from within automation scripts.

Output redirection (this is not a pipeline; > writes the text rendering of the output to a file):
PS C:\Users\Administrator> ls > list.txt
PS C:\Users\Administrator> more list.txt
A pipeline, by contrast, passes the output objects themselves from one cmdlet to the next with the | operator, as the Get-Service examples later in this lesson show.

    Stress that Windows PowerShell is the new command-line technology for administering Windows servers and workstations. Windows PowerShell is designed to replace both the commands and batch files that use the cmd.exe program, and VBScript scripts.

Question: What is the difference between the command prompt and Windows PowerShell?
Answer: Answers may vary. Possible answers include: Windows PowerShell commands are cmdlets (built-in, custom and third-party), and its pipeline passes .NET objects between cmdlets rather than lines of text.

    ReferenceWindows PowerShell 1.0 Documentation Pack: http://go.microsoft.com/fwlink/?LinkId=99441


Get-Command (alias gcm) lists the cmdlets available in the session.

Stress that Windows PowerShell is quite easy to learn because the syntax for all cmdlets is consistent. Every cmdlet name is a verb and a noun separated by a dash (-).

Mention that one of the powerful features of Windows PowerShell is the option to pipeline the output of one cmdlet into another. The examples on the slide show how to format the output of one command, but you can just as easily use a cmdlet to sort objects and then pipeline the result to another cmdlet that changes the sorted objects.

Get-Service W3SVC
   Displays the properties of the Web service (W3SVC).
Get-Service W3SVC | Format-List
   Shows all properties of that service as a list.
Get-Service | Sort-Object Name
   Lists all services on the computer, sorted alphabetically by service name.
Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object Name
   Lists only the running services, sorted by service name. (Note the comparison operator -eq and the quoted value; the filter block must be a valid expression.)

Question: List at least one important management cmdlet.
Answer: Answers may vary. Possible answers include: Get-QADUser, Disable-QADUser, Get-QADComputer. (These come from the Quest ActiveRoles Management Shell snap-in; Windows PowerShell 1.0 on Windows Server 2008 ships no Active Directory cmdlets of its own.)

    ReferenceWindows PowerShell 1.0 Documentation Pack: http://go.microsoft.com/fwlink/?LinkId=99441

To complete this demonstration, you must have the 6419A-NYC-DC1 virtual machine running.

Examine built-in cmdlets
1. Click Start, point to All Programs, point to Windows PowerShell 1.0 and then click Windows PowerShell.
2. In the Windows PowerShell window, type Get-Command and then press ENTER. Review the results.

Build complex commands using pipelines and auto-complete
1. Type Get-Command | Get-Help and then press ENTER. Review the results.
2. Type Get- and then press TAB two times. Press ENTER. Review the results.

Examine and run a pre-existing script
1. Browse to E:\Mod02\Democode. Right-click CreateUser.ps1 and then click Edit. Review the script and then close Notepad.
2. Type Set-ExecutionPolicy AllSigned and then press ENTER.
3. Type E:\Mod02\Democode\CreateUser.ps1 and then press ENTER. When the untrusted-publisher prompt appears, press R (run once) and then press ENTER.
4. Click Start, point to Administrative Tools and then click Active Directory Users and Computers. Click ITAdmins and note that Jesper is there.
5. Close all windows.
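The demonstration sets the execution policy to AllSigned before running the script, which only works because CreateUser.ps1 carries a signature. As an added example that is not part of the course demo, the script below signs a script with a code-signing certificate and checks the signature before running it. It assumes a code-signing certificate is already present in the current user's Personal store (for example one issued by an enterprise CA) and that the script path from the demo exists.

```powershell
# Added example (not part of the course demo): sign a script so it runs under AllSigned, then
# verify the signature before executing it. Assumes a code-signing certificate is already in
# Cert:\CurrentUser\My and that the demo script path exists.
$scriptPath = "E:\Mod02\Democode\CreateUser.ps1"

# -CodeSigningCert filters the Personal store down to certificates with the code-signing EKU.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if ($cert -eq $null) { throw "No code-signing certificate found in Cert:\CurrentUser\My" }

# Embed an Authenticode signature block at the end of the .ps1 file.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# Read the signature back. Status is Valid only if the signer chains to a trusted root and the
# file has not been modified since signing; any later edit flips it to HashMismatch.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
$sig | Format-List Status, SignerCertificate

if ($sig.Status -ne "Valid") {
    throw "Refusing to run $scriptPath - signature status is $($sig.Status)"
}
& $scriptPath
```

Under AllSigned the host itself makes the same check and, for a valid signature from a publisher not yet in the Trusted Publishers store, shows the prompt where the demo presses R. The execution policy guards against accidentally running unsigned scripts; it is not an access-control boundary, so the delegated permissions the script runs with still decide what it can change in AD DS.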

Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages?
Answer: The biggest advantage is that you can apply changes to multiple accounts at one time. By running a script that uses a file for input, you can easily create or modify the attributes for thousands of users. The biggest disadvantage is that it can take a significant amount of time to create the scripts, and even longer to create the input files that provide the script data. One way to minimize the time needed to create the input files is to export the data from existing applications, or to use tools like Microsoft Office Excel to edit the files.

    ReferencesWindows PowerShell Blog: http://go.microsoft.com/fwlink/?LinkId=99442Scripting with Windows PowerShell: http://go.microsoft.com/fwlink/?LinkId=99443

dsquery user -name Huy*

Mention various uses for sorting column views. For example, you can sort by user name or last name. Mention that you also can add additional attributes to the default list of columns, and then sort those columns as well.

To locate objects that meet specified criteria in AD DS, the best option is to use a search. When using a search, you can locate AD DS objects based on any attribute across multiple OUs. Note the searchable attributes available in Advanced Search. Note the command-line tools, such as dsquery contact /?.

    Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphic user interface or the command-line tool?Answer: Answers may vary.

References
Search Active Directory: http://go.microsoft.com/fwlink/?LinkID=139918

Create a saved query
1. Click Start, point to Administrative Tools and then click Active Directory Users And Computers.
2. Right-click Saved Queries, point to New and then click Query.
3. In the Name field, type Saved Query 1. Click Define Query.
4. In the Find Common Queries dialog box, in the Find field, click Users, Contacts, And Groups.
5. Click the Advanced tab. Click Field, point to User, and then click Last Name.
6. In the Condition field, click Starts with. In the Value field, type C and click Add.
7. Click OK twice.
8. Expand Saved Queries and then review Saved Query 1.

Export a query to an .xml file
1. Right-click Saved Query 1, point to All Tasks, and then click Export Query Definition.
2. In the Save As dialog box, notice the Save as type option. Click Cancel.

Question: You need to update the phone number for a user. You have only been given the user's first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account?
Answer: Answers may vary. Possible answers include using the Find Users, Contacts, and Groups dialog box, which searches the whole domain regardless of OU.

Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this?
Answer: Answers may vary. Possible answers include using the Find Users, Contacts, and Groups dialog box, or dsquery user -samid with the proposed logon name.

References
Search Active Directory: http://go.microsoft.com/fwlink/?LinkID=139915
DSquery: http://go.microsoft.com/fwlink/?LinkID=139919

Mention various types of saved queries that might be useful, such as queries based on location, operating system, software version, or printer brand. Mention administrative tasks that might require frequent searches. Note saved query features that are not available in other searches.

    Question: List at least one way saved queries help with the long term maintainability of your organization.Answer: Answers may vary. Possible answers include: Administrators can easily search for users again based on the same search criteria as the organization grows.

    ReferencesActive Directory Users and Computers Help


Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this?
Answer: Answers may vary. Possible answers include: creating a saved query that searches for all disabled accounts.

In this lab, students will create AD DS user and computer accounts.

Exercise 1
The student will receive a document that describes the user accounts that they need to create in the organization. Students will create the user accounts using Active Directory Users and Computers and DSAdd. Students will also configure password settings, rename existing accounts, and use a template to create user accounts. Students will verify that at least one of the newly created user accounts can log on to Active Directory.

Exercise 2
The student will receive a document that describes the computer accounts that need to be created. The students will pre-create the computer accounts and also will add a computer account by joining a computer to the WoodgroveBank.com domain.

Exercise 3
The student will use the Windows Server 2008 tools to automate the AD DS object management tasks. These tools include CSVDE to create new user accounts, LDIFDE to modify existing user accounts, and Windows PowerShell. The students will modify files or scripts that the enterprise administrator provides to perform the bulk administration tasks.
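The saved query built in the demonstration and the questions in this lesson (is a user name already taken, which accounts are disabled, which users have a given last name) are all LDAP searches under the hood. As an added example that is not course code, the script below runs the same searches from Windows PowerShell with the System.DirectoryServices classes, which are available in PowerShell 1.0 without any extra snap-in. It assumes it runs on a domain member as a user who can read the domain partition; nothing else is taken from the page.

```powershell
# Added example (not course code): the Find-dialog and saved-query searches as LDAP queries
# through System.DirectoryServices. Assumes a domain-joined machine and read access to the domain.
function Get-DomainSearcher([string]$ldapFilter, [string[]]$properties) {
    # A DirectoryEntry with no path binds to the domain of the current computer.
    $root     = New-Object System.DirectoryServices.DirectoryEntry
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $ldapFilter)
    $searcher.PageSize = 1000   # page the results; without it the server stops at 1000 matches
    foreach ($p in $properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

function ConvertTo-LdapLiteral([string]$value) {
    # Escape the LDAP filter metacharacters so user-supplied text like "*" or ")" cannot
    # widen or break the filter (the same class of problem as SQL injection).
    return ($value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

function Test-SamAccountNameInUse([string]$sam) {
    # The "is this user name already in use" check. No object-class clause on purpose:
    # sAMAccountName must be unique across users, groups and computers in the domain.
    $s = Get-DomainSearcher "(sAMAccountName=$(ConvertTo-LdapLiteral $sam))" @("distinguishedName")
    return ($s.FindOne() -ne $null)
}

function Get-DisabledUsers {
    # Same filter a saved query for disabled accounts uses: the bitwise-AND matching rule
    # 1.2.840.113556.1.4.803 tests the ACCOUNTDISABLE bit (2) of userAccountControl.
    $filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    $s = Get-DomainSearcher $filter @("sAMAccountName", "distinguishedName", "whenChanged")
    foreach ($r in $s.FindAll()) {
        $o = New-Object PSObject
        $o | Add-Member NoteProperty SamAccountName     ([string]$r.Properties["samaccountname"][0])
        $o | Add-Member NoteProperty DistinguishedName  ([string]$r.Properties["distinguishedname"][0])
        $o | Add-Member NoteProperty WhenChanged        ($r.Properties["whenchanged"][0])
        $o
    }
}

function Get-UsersByLastNamePrefix([string]$prefix) {
    # Equivalent of the saved query "Last Name starts with C" from the demonstration.
    $safe = ConvertTo-LdapLiteral $prefix
    $s = Get-DomainSearcher "(&(objectCategory=person)(objectClass=user)(sn=$safe*))" @("sn", "givenName", "telephoneNumber", "distinguishedName")
    foreach ($r in $s.FindAll()) {
        $o = New-Object PSObject
        $o | Add-Member NoteProperty LastName          ([string]$r.Properties["sn"][0])
        $o | Add-Member NoteProperty FirstName         ([string]$r.Properties["givenname"][0])
        $o | Add-Member NoteProperty Phone             ([string]$r.Properties["telephonenumber"][0])
        $o | Add-Member NoteProperty DistinguishedName ([string]$r.Properties["distinguishedname"][0])
        $o
    }
}

# Usage:
Test-SamAccountNameInUse "hoang.vm"
Get-DisabledUsers | Sort-Object WhenChanged | Format-Table SamAccountName, WhenChanged, DistinguishedName
Get-UsersByLastNamePrefix "C" | Sort-Object LastName
```

The escaping helper matters as soon as the prefix or name comes from a help-desk form or a ticket rather than from the administrator's own keyboard: an unescaped "*" in the sAMAccountName check would report every name as taken, and an unescaped ")" breaks the filter.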

    Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.Note: The lab exercise answer keys are provided on the Course Companion CD. To access the answer key, click the link located at the bottom of the relevant lab exercise page.

Use the questions on the slide to guide the debriefing after students have completed the lab exercises.

    Question: In order for the searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts? Answer: You have to make sure that all user account properties that you will need to perform the search are filled in and that the values are formatted consistently. For example, if the company attribute is filled in as WoodgroveBank for some users and Woodgrove Bank for other users, you will get inconsistent results if you search for the exact name.

Question: Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required?
Answer: By default an authenticated user can join only 10 computers to the domain (the ms-DS-MachineAccountQuota limit), which is where the number in the question comes from. The best way to configure this level of permission is to grant the desktop technicians' group the permission to create computer objects in the OU where the computers belong. If they have been granted this permission explicitly, the quota does not apply and they can add as many computer accounts as required. Alternatively, a domain administrator can pre-stage the computer accounts and grant the desktop support technicians' group the permission to join each pre-staged account to the domain.

    Module 2: Creating Active Directory Domain Services User and Computer ObjectsCourse 6419A*Review QuestionsPoint the students to the appropriate section in the course so that they are able to answer the questions presented in this section.

Question: You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account?
Answer: The best solution is to delete the old user account, and create a new account for the new user. For security purposes, you always should create a new account for each new user rather than hand over an existing one.

    Question: A user in your group must create a test lab with 24 computers that will be joined to the domain, but the account must be created in a separate OU. What is the best way to do this? Answer: Have a domain administrator pre-stage the computer accounts in the AD DS OU.

    Question: You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this? Answer: Modify the Location property for the computer account of each server to display the servers address information.

Question: To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the non-manager account templates has been accessing files that are restricted to the Managers group. What should you do?
Answer: Check the group memberships of the template and of each account created from it. Accounts copied from a template inherit its group memberships, so a template that is a member of Managers gives that access to every account created from it; correct the template and remove the unintended membership from the affected accounts.

    Question: You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do? Answer: You should reset the computer account for the computer and then rejoin the computer to the domain.

Question: You have determined the best ways to search for Active Directory objects and documented your recommended search criteria. However, the administrators tell you that it is taking too long to create and then run the search. After further research, you determine that most of the systems administrators are searching for the same information. What can you do to accelerate the search process?
Answer: Create saved queries for the common searches performed by the systems administrators.

Real-World Issues and Scenarios
When managing AD DS user and computer accounts, consider the following:
- If your organization typically creates large numbers of user accounts at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate the process of creating the accounts. These tools can save a great deal of time when you are adding or modifying multiple accounts.
- Consider delegating permissions to create and manage user accounts in your AD DS domain. You can delegate permissions at the domain or OU level.
- At a minimum, you should retain the password complexity requirements in a Windows Server 2008 domain. Complex passwords are more difficult for users to remember, but they are also the most important first step in maintaining AD DS security.