
Lab: Creating an Organizational Unit Infrastructure

Exercise 1: Creating AD DS Groups

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, expand WoodgroveBank.com, right-click Users, point to New, and then click Group.

3. In the New Object – Group dialog box, add the following information into the appropriate fields:

• Group name: VAN_BranchManagersGG

• Scope: Global

• Type: Security

4. Click OK.

5. Repeat the previous two steps to create two more groups that have the same scope and type named:

• VAN_CustomerServiceGG

• VAN_InvestmentsGG

MCT USE ONLY. STUDENT USE PROHIBITED

L3-20 Module 3: Creating Groups and Organizational Units

Task 3: Create a group using the Dsadd command-line tool

1. On NYC-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g and then press ENTER.

3. The command line will display either of the following messages:

a. “dsadd failed…” :

If you receive this error, carefully type the command again.

b. “dsadd succeeded…”:

If you receive this message, type exit, and then press ENTER to close the command line window.

4. Click the Users OU.

5. In Active Directory Users and Computers, under WoodgroveBank.com, right-click Users, and then right-click Refresh.

6. Note the presence of the VAN_MarketingGG group, as well as the other Vancouver groups, inside the Users container.

Task 4: Add members to the new groups

1. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

2. In the Find Users, Contacts, and Groups dialog box, type Neville and then click Find Now.

3. In the Search results pane, right-click Neville Burdan, and then click Add to a group.

4. In the Select Groups dialog box, type VAN_BranchManagersGG, and then click OK twice.


5. Repeat the previous three steps, adding the users found in the following table to their corresponding groups:

Find               Add to group
Suchitra Mohan     VAN_BranchManagersGG
Anton Kirilov      VAN_CustomerServiceGG
Shelley Dyck       VAN_CustomerServiceGG
Barbara Moreland   VAN_InvestmentsGG
Nate Sun           VAN_InvestmentsGG
Yvonne McKay       VAN_MarketingGG
Monika Buschmann   VAN_MarketingGG
Bernard Duerr      VAN_MarketingGG

Task 5: Inspect the contents of the Vancouver groups

1. In Active Directory Users and Computers, in the Users container, right-click VAN_BranchManagersGG, and then click Properties.

2. In the VAN_BranchManagersGG Properties dialog box, click the Members tab, and verify that Neville Burdan and Suchitra Mohan are now members.

3. Click Cancel, and then close Active Directory Users and Computers.

Results: At the end of this exercise you will have created three new groups by using Active Directory Users and Computers and you will have created one group by using Dsadd. You also will have added users to the groups and inspected the results.


Exercise 2: Planning an OU Hierarchy (Discussion)

Here are possible answers for the discussion questions.

Scenario

A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have the following departments:

• Management

• Customer Service

• Marketing

• Investments

The organizational unit (OU) hierarchy has to support delegation of administrative tasks to users within that organizational unit.

Discussion questions:

1. Which approach to extending the organizational hierarchy of WoodgroveBank.com is most likely to be applied in creating the new subsidiary’s resources: Geographic, Organizational, or Functional? Why?

Answer: The Geographical approach to naming top level OUs (those that already exist within the domain hierarchy) should be extended in order to keep that logic. Geographic naming and organization is permanent, allows for future expansion, and its name easily identifies its functionality.

2. What would be the most logical way to further subdivide the subsidiary’s organizational unit: Geographic, Organizational, or Functional?

Answer: Four new OUs inside the Vancouver OU that are based on the organization’s departments would best support the operations of the new subsidiary. Organizations can use these OUs to handle groupings of similar user, computer, and other AD DS resources, according to their similarities.

This also supports the need to delegate administrative roles over those resources, as somebody within each group will be able to respond to most needs in a timely manner.


3. What does the pattern of naming second level OUs in other centers suggest for the new Vancouver OU?

Answer: The naming convention being applied consistently to upper level OUs across the AD DS recognizes the company’s geographic divisions. Second level OUs at each location match the organizational divisions in those locations. Therefore, the new subsidiary should name its second level OUs as: Managers, Customer Support, Marketing, and Investment.

4. What would be a simple but effective way of delegating administrative tasks (including adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

Answer: You can use the “Delegation of control” wizard to delegate administrative rights at the OU level. Both users and groups can be added to the delegation list. Additionally, you can use a list of rights to customize administrative capabilities.

Results: At the end of this exercise you will have discussed and determined how to plan an OU hierarchy.


Exercise 3: Creating an OU Hierarchy

Task 1: Create OUs using Active Directory Users and Computers

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, right-click WoodgroveBank.com, point to New, and then click Organizational Unit.

3. In the New Object – Organizational Unit dialog box, type Vancouver.

4. Verify that the Protect container from accidental deletion check box is selected, and then click OK.

5. Right-click Vancouver OU, point to New, and then click Organizational Unit.

6. In the New Object – Organizational Unit dialog box, type BranchManagers, and then click OK.

7. Repeat the previous two steps to create two more OUs named:

• CustomerService

• Marketing

Task 2: Create an OU using Dsadd

1. On NYC-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd and then press ENTER.

3. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Refresh.

4. Note the presence of the new Investments OU.

Task 3: Nest an OU inside another OU

1. In Active Directory Users and Computers, right-click Investments, and then click Move.

2. In the Move dialog box, click Vancouver, and then click OK.


Task 4: Move groups that you created in Exercise 1 into the appropriate OUs

1. In Active Directory Users and Computers, click Users, and note the groups that you created in Exercise 1.

2. Move the following groups into the following Vancouver OUs (see methods later in this section):

• VAN_BranchManagersGG group to Vancouver\BranchManagers OU

• VAN_CustomerServiceGG group to Vancouver\CustomerService OU

• VAN_InvestmentsGG group to Vancouver\Investments OU

• VAN_MarketingGG group to Vancouver\Marketing OU

You may select any of the following methods to move these groups:

a. Drag the group into the appropriate Vancouver OU object. When the AD DS warning appears, click Yes.

b. Use Cut and Paste to move the group into the appropriate Vancouver OU:

i. Right-click the group, and then click Cut.

ii. Locate and expand the Vancouver OU.

iii. Right-click the appropriate subordinate OU, and then click Paste.

iv. When the AD DS warning appears, click Yes.

c. Use the Move command to move the group into the appropriate Vancouver OU:

i. Right-click the group, and then click Move.

ii. In the Move object into container dialog box, expand the Vancouver OU.

iii. Click the appropriate subordinate OU, and then click OK.


Task 5: Find and move users into Vancouver OUs

Use Active Directory Users and Computers to find and move the following users into the OUs noted next to their names:

Find               Move to Vancouver OU
Neville Burdan     BranchManagers
Suchitra Mohan     BranchManagers
Anton Kirilov      CustomerService
Shelley Dyck       CustomerService
Barbara Moreland   Investments
Nate Sun           Investments
Yvonne McKay       Marketing
Monika Buschmann   Marketing
Bernard Duerr      Marketing

1. Right-click WoodgroveBank domain, and then click Find.

2. In the Find Users, Contacts, and Groups dialog box, type Neville, and then click Find Now.

3. In the Search results pane, right-click Neville Burdan, and then click Move.

4. In the Move dialog box, expand Vancouver, click BranchManagers, and then click OK.

5. Repeat the previous three steps for each name in the chart and then close the Find Users, Contacts, and Groups dialog box.
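The OU, group and user layout built by hand in Exercise 1 and in Tasks 1 to 5 of this exercise can also be expressed as one repeatable script. The following is an added example, not part of the original lab: it assumes the ActiveDirectory PowerShell module (RSAT) is available, that each user's object name matches the name in the tables, and it creates each group directly in its OU instead of creating it in Users and moving it; the function name New-OUIfMissing is made up for this example.

```powershell
# Added example (not from the lab). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domainDn = 'DC=WoodgroveBank,DC=com'
$siteDn   = "OU=Vancouver,$domainDn"

# Department OU -> group -> members, copied from the lab's two tables.
$plan = @(
    @{ OU = 'BranchManagers';  Group = 'VAN_BranchManagersGG';  Users = 'Neville Burdan', 'Suchitra Mohan' }
    @{ OU = 'CustomerService'; Group = 'VAN_CustomerServiceGG'; Users = 'Anton Kirilov', 'Shelley Dyck' }
    @{ OU = 'Investments';     Group = 'VAN_InvestmentsGG';     Users = 'Barbara Moreland', 'Nate Sun' }
    @{ OU = 'Marketing';       Group = 'VAN_MarketingGG';       Users = 'Yvonne McKay', 'Monika Buschmann', 'Bernard Duerr' }
)

function New-OUIfMissing([string]$Name, [string]$ParentDn) {
    # Create the OU only when absent; keep accidental-deletion protection on.
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    $dn   # return the OU's distinguished name
}

$null = New-OUIfMissing 'Vancouver' $domainDn
foreach ($dept in $plan) {
    $ouDn = New-OUIfMissing $dept.OU $siteDn

    # Global security group: create it in its OU, or move an existing one there.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$($dept.Group)'"
    if (-not $group) {
        New-ADGroup -Name $dept.Group -SamAccountName $dept.Group `
            -GroupScope Global -GroupCategory Security -Path $ouDn
    } elseif ($group.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $group -TargetPath $ouDn
    }
    $members = @(Get-ADGroupMember -Identity $dept.Group | ForEach-Object { $_.SamAccountName })

    foreach ($name in $dept.Users) {
        # Require exactly one match so a duplicate name is never moved by mistake.
        $found = @(Get-ADUser -Filter "Name -eq '$name'")
        if ($found.Count -ne 1) { Write-Warning "Skipped '$name': $($found.Count) matches"; continue }
        $user = $found[0]
        if ($user.DistinguishedName -notlike "*,$ouDn") { Move-ADObject -Identity $user -TargetPath $ouDn }
        if ($members -notcontains $user.SamAccountName) {
            Add-ADGroupMember -Identity $dept.Group -Members $user.SamAccountName
        }
    }
}
```

Because every step checks the current state first, the script can be re-run after a partial failure without producing duplicate-object or already-a-member errors.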


Task 6: Delegate control over an OU

1. In Active Directory Users and Computers, in the Vancouver OU, right-click Marketing, and then click Delegate control.

2. In the Delegation of Control Wizard, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, type Yvonne, and then click OK.

5. Click Next.

6. On the Tasks to Delegate page, select the check boxes next to the following common tasks:

• Create, delete, and manage user accounts

• Reset user passwords and force password change at next logon

• Create, delete and manage groups

• Modify the membership of a group

7. Click Next.

8. On the Completing the Delegation of Control Wizard page, click Finish.

Task 7: Test delegated user rights

1. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password Pa$$w0rd.

2. Click Start, right-click Server Manager, and then click Run as administrator.

3. In the User Account Control dialog box, in the User name field, type Administrator, and in the Password field, type Pa$$w0rd, and then click OK.

4. In the console tree, right-click Features, and then click Add Features.

5. In the Add Features Wizard, expand Remote Server Administration Tools, expand Role Administration Tools, and then select the Active Directory Domain Services Tools check box.


6. Click Next, and then click Install.

7. When the installation is complete, click Close, and then click Yes to restart the computer.

8. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password Pa$$w0rd.

9. Click Start, right-click Server Manager and then click Run as administrator.

10. In the User Account Control dialog box, in the User name field, type Administrator, and in the Password field, type Pa$$w0rd, and then click OK.

11. Wait for the installation to finish, and then click Close.

12. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

13. In the console pane, right-click WoodgroveBank.com, and then click Find.

14. In the Find Users, Contacts, and Groups dialog box, type Monika, and then click Find Now.

15. In the Search results pane, right-click Monika Buschmann, and then click Reset Password.

16. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd and then click OK.

17. In the Active Directory Domain Services dialog box, click OK.

Note: This message indicates that Yvonne McKay’s account has the authorization to reset passwords of fellow users in the Marketing OU.

18. Close the Find Users, Contacts, and Groups dialog box.

19. In the console pane, expand WoodgroveBank.com, expand Miami, and then click BranchManagers.


20. In the details pane, right-click William Vong, and then click Move.

21. In the Move dialog box, expand Vancouver.

22. Click Marketing, and then click OK.

23. In the Active Directory Domain Services dialog box, click OK.

Note: This warning appears because user Yvonne McKay does not have delegated control over the Miami OU.
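Task 7 tests the delegation from the delegate's side; the same result can be checked from the directory by reading the access control list that the Delegation of Control Wizard wrote on the Marketing OU in Task 6. The following is an added example, not part of the original lab: it assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3.0 or later, and the function name Get-TrusteeClass is made up for this example.

```powershell
# Added example (not from the lab). Assumes the ActiveDirectory module (RSAT),
# which provides the AD: drive, and PowerShell 3.0 or later.
Import-Module ActiveDirectory

$ouDn = 'OU=Marketing,OU=Vancouver,DC=WoodgroveBank,DC=com'
$root = Get-ADRootDSE

# Map schema and extended-right GUIDs to names so ObjectType values are readable.
$names = @{}
$names[[guid]::Empty] = '(all)'
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.Name }

function Get-TrusteeClass($Identity) {
    # Object class of the trustee; empty when the SID has no directory object.
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        (Get-ADObject -Filter "objectSid -eq '$sid'").ObjectClass
    } catch { '' }
}

# Explicit (non-inherited) ACEs only: the OU's defaults plus what was delegated.
$report = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee      = $_.IdentityReference.Value
            TrusteeClass = Get-TrusteeClass $_.IdentityReference
            Type         = $_.AccessControlType
            Rights       = $_.ActiveDirectoryRights
            Target       = $names[$_.ObjectType]           # class, attribute or extended right
            AppliesTo    = $names[$_.InheritedObjectType]  # object class the ACE is scoped to
        }
    }

# Entries granted to individual user accounts sort first for review.
$report | Sort-Object { $_.TrusteeClass -ne 'user' }, Trustee | Format-Table -AutoSize -Wrap
```

In this lab the rows with TrusteeClass "user" are the ones created for the account selected in Task 6, which makes it easy to compare what was actually granted against the four tasks ticked in the wizard.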

Task 8: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6419A Lab Launcher.

Results: At the end of this exercise you will have created OUs by using Active Directory Users and Computers and Dsadd. You also will have delegated and tested administrative permissions.
