Exercise 1: Delegating Control of AD DS Objects
Task 1: Start the virtual machine, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
3. Minimize the Lab Launcher window.
Task 2: Assign full control of users and groups in the Toronto OU
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console pane, right-click Toronto, and then click Delegate Control.
3. In the Delegation of Control Wizard, click Next.
4. On the Users or Groups page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type TOR_BranchManagersGG, and then click OK.
6. Click Next.
7. On the Tasks to Delegate page, select the Create, delete, and manage user accounts and the Create, delete and manage groups check boxes.
8. Click Next, and then click Finish.
MCT USE ONLY. STUDENT USE PROHIBITED
L5-40 Module 5: Configuring Active Directory Objects and Trusts
Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU
1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.
5. Click Next.
6. On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box.
7. Click Next, and then click Finish.
8. Right-click Toronto, and then click Delegate Control.
9. In the Delegation of Control Wizard, click Next.
10. On the Users or Groups page, click Add.
11. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.
12. Click Next.
13. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
14. On the Active Directory Object Type page, click Only the following objects in the folder, and then select the User objects check box.
15. Click Next.
16. On the Permissions page, ensure that the General check box is selected.
17. Under Permissions, select the Read and write personal information check box, and then click Next.
18. Click Finish.
Lab A: Configuring Active Directory Delegation L5-41
Task 4: Verify the effective permissions assigned for the Toronto OU
1. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.
2. In the console pane, right-click the Toronto OU, and then click Properties.
3. In the Toronto Properties dialog box, on the Security tab, click Advanced.
4. In the Advanced Security Settings for Toronto dialog box, on the Effective Permissions tab, click Select.
5. In the Select User, Computer, and Group dialog box, type Sven, and then click OK. Sven Buck is a member of the TOR_BranchManagersGG group.
6. Review Sven’s effective permissions. Verify that Sven has permissions to create and delete user and group objects.
7. Click Cancel twice.
8. Expand the Toronto OU, and then click the Customer Service OU.
9. In the details pane, right-click Matt Berg, and then click Properties.
10. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.
11. In the Advanced Security Settings for Matt Berg dialog box, on the Effective Permissions tab, click Select.
12. In the Select User, Computer, and Group dialog box, type Helge, and then click OK. Helge Hoeing is a member of the TOR_CustomerServiceGG group.
13. Review Helge’s effective permissions. Verify that Helge has permissions to reset passwords and to write personal information.
14. Click Cancel twice.
15. Close Active Directory Users and Computers.
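The access control entries that Tasks 2 and 3 write on the Toronto OU can also be read back directly, which is useful when auditing what a delegation actually granted. The following PowerShell is an added example, not part of the original lab; it assumes the ActiveDirectory module is installed and that the OU's distinguished name is OU=Toronto,DC=WoodgroveBank,DC=com (inferred from the domain name shown in the lab). The "broad ACE" check at the end is a heuristic chosen for this example.

```powershell
# Added example: list the explicit (non-inherited) ACEs held by the two
# delegated groups on the Toronto OU and translate the common GUIDs.
Import-Module ActiveDirectory

$ouDn   = 'OU=Toronto,DC=WoodgroveBank,DC=com'   # assumed DN, see lead-in
$groups = 'TOR_BranchManagersGG', 'TOR_CustomerServiceGG'

# Well-known schema class, property set and extended-right GUIDs that the
# delegated tasks in this lab refer to.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal Information (property set)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
}

function Resolve-GuidName([guid]$Guid) {
    $key = $Guid.ToString().ToLower()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

# Read the OU's security descriptor through the AD: drive.
$acl = Get-Acl -Path "AD:\$ouDn"

# Keep only ACEs set directly on this OU for the delegated groups.
$delegated = $acl.Access | Where-Object {
    (-not $_.IsInherited) -and
    ($groups -contains ($_.IdentityReference.Value -replace '^.*\\', ''))
}

$delegated | Select-Object @{n='Trustee';   e={ $_.IdentityReference.Value }},
    @{n='Type';      e={ $_.AccessControlType }},
    @{n='Rights';    e={ $_.ActiveDirectoryRights }},
    @{n='AppliesTo'; e={ Resolve-GuidName $_.InheritedObjectType }},
    @{n='Object';    e={ Resolve-GuidName $_.ObjectType }},
    @{n='Scope';     e={ $_.InheritanceType }} |
    Sort-Object Trustee, AppliesTo | Format-Table -AutoSize

# Heuristic: GenericAll that is not limited to one object class is broader
# than the per-class tasks selected in the wizard and deserves a second look.
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$delegated | Where-Object {
    (($_.ActiveDirectoryRights -band $ga) -eq $ga) -and
    ($_.InheritedObjectType -eq [guid]::Empty)
} | ForEach-Object {
    Write-Warning "Broad ACE: $($_.IdentityReference) has GenericAll on all object types"
}
```

GUIDs that are not in the table are printed as-is, so an unexpected attribute or extended right stands out in the output.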
Task 5: Test the delegated permissions for the Toronto OU
1. Log on to NYC-DC1 as WOODGROVEBANK\Sven with the password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and then point to New, and then click User.
5. Create a new user with the following properties:
a. First name: Test1
b. User logon name: Test1
c. Password: Pa$$w0rd
6. This task will succeed because Sven Buck was delegated the authority to perform that task.
7. Right-click the Toronto OU, and then point to New, and then click Group.
8. Create a new global security group named Group1. This task will succeed because Sven Buck was delegated the authority to perform that task.
9. Right-click the ITAdmins OU, and review the menu options. Verify that Sven does not have permissions to create any new objects in the ITAdmins OU.
10. Log off and then log on to NYC-DC1 as WOODGROVEBANK\Helge with the password of Pa$$w0rd.
11. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
12. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
13. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and review the menu options. Verify that Helge does not have permissions to create any new objects in the Toronto OU.
14. Expand Toronto, click CustomerService, right-click Matt Berg, and then click Reset Password.
15. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd, and then click OK twice.
16. Right-click Matt Berg, and then click Properties.
17. In the Matt Berg Properties dialog box, verify that Helge has permission to set some user properties such as Office and Telephone number, but not settings such as Description and E-mail.
18. Click Cancel.
19. Close Active Directory Users and Computers, and then log off.
Result: At the end of this exercise you will have delegated the administrative tasks for the Toronto office.