Uploaded by Parav Gagneja

Lab 3 - User and Group Management

LAB 3
Lab 3 – User and Group Management in a Domain
In this lab you will be configuring Domain user and group accounts using the desktop experience and
PowerShell.
Approximate completion time: 90 minutes.
You will need to work on Server1, AdminClient and Client1 during this lab.
1.0 Creating Organizational Units
1. On Server1, create the following Organizational Units using Active Directory Users and
Computers:
• Toronto
• Montreal
• Vancouver
2.0 Creating Global Groups in the Domain
2. On Server1, under the Toronto Organizational Unit, create the following Global Security Groups
using Active Directory Users and Computers:
• T_SalesReps
• T_Marketing
• T_HRSupport
• T_Executives
3. Create similar groups in the Montreal and Vancouver OUs, substituting M for Montreal and V
for Vancouver for the T in each name.
3.0 Creating Domain Local Groups
It is challenging to create accounts from the command line, but it is a necessary skill to learn. We will
only create a couple of groups using PowerShell and then switch to Remote Administration from our
AdminClient.
You are going to create Domain Local Groups on your Server1 in Sections 3.1 and 3.2 below using a
couple of different methods.
3.1 Using PowerShell on Server1 to create Domain Local Groups
1. Open PowerShell on Server1.
2. Use the link HERE to get help about the New-ADGroup cmdlet. Use the examples from the help
to determine the command you need to use to create the 2 Marketing Groups (Marketing_Read
and Marketing_FC) on your domain using PowerShell.
SENECA COLLEGE
Use some of the following options with your PowerShell command:
• -SamAccountName
• -GroupCategory
• -GroupScope
• -Path
• -Description
• What do you need to add to the command to put the Domain Local Group into an OU
when using PowerShell? _______________
You can create the Domain Local Groups in the Toronto OU or just in the Domain. If you do not specify
a path, the group will go into the Users container.
3. While the PowerShell commands and their output are still on the screen, save a screenshot.
3.2 Using RSAT on AdminClient to Create Domain Local Groups on Server1
4. Create the following Domain Local groups from your AdminClient computer using the Remote
Server Administration Tools:
• HR_Read
• HR_FC
• SalesFiles_FC
You can use Active Directory Users and Computers or PowerShell.
3.3 Using RSAT on AdminClient to Add Global Groups to the Domain Local Groups
1. Open Windows Administrative Tools on your AdminClient.
2. Open Active Directory Users and Computers.
3. Find your SalesFiles_FC Domain Local Group and double-click to open the Properties.
4. To add a Global Group to the Domain Local group, click Add. Click Advanced on the next screen
and then Find Now to see the list of available objects you can add to the group.
5. Select the Global Groups that you created for the Sales Reps from the Toronto, Montreal and
Vancouver OUs, then click OK. Then click OK again on the next screen.
6. You should now see all the groups you added to the Local Group displayed under Members.
Take a Screenshot of this screen.
7. Add T_Marketing, M_Marketing and V_Marketing global groups to the Marketing_FC Domain
Local Group.
8. Add T_Executives, M_Executives and V_Executives global groups to the SalesFiles_FC Domain
Local Group.
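The nesting from Section 3.3 can also be done and verified in PowerShell. The script below is an added example, not part of the original lab handout; it assumes the ActiveDirectory module (RSAT) is installed and that the groups were created with the names used in this lab. It checks each group's scope before nesting, so a group created with the wrong scope is reported instead of silently added.

```powershell
# Added example: assumes the ActiveDirectory module and the group names from this lab.
Import-Module ActiveDirectory

# Domain Local group -> Global groups that should be nested in it (Section 3.3)
$nesting = @{
    'SalesFiles_FC' = 'T_SalesReps','M_SalesReps','V_SalesReps',
                      'T_Executives','M_Executives','V_Executives'
    'Marketing_FC'  = 'T_Marketing','M_Marketing','V_Marketing'
}

foreach ($dlName in $nesting.Keys) {
    $dl = Get-ADGroup -Identity $dlName -ErrorAction Stop
    if ($dl.GroupScope -ne 'DomainLocal') {
        Write-Warning "$dlName is $($dl.GroupScope), expected DomainLocal; skipping"
        continue
    }

    # Current direct members, so the script can be re-run without errors
    $current = @(Get-ADGroupMember -Identity $dl |
                 Select-Object -ExpandProperty SamAccountName)

    foreach ($ggName in $nesting[$dlName]) {
        try   { $gg = Get-ADGroup -Identity $ggName -ErrorAction Stop }
        catch { Write-Warning "Global group $ggName not found"; continue }

        if ($gg.GroupScope -ne 'Global') {
            Write-Warning "$ggName is $($gg.GroupScope), expected Global; skipping"
            continue
        }
        if ($current -notcontains $gg.SamAccountName) {
            Add-ADGroupMember -Identity $dl -Members $gg
        }
    }

    # Show the result: the same list the Members tab displays
    Get-ADGroupMember -Identity $dl |
        Select-Object @{n='DomainLocal';e={$dlName}}, Name, objectClass
}
```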
4.0 Creating Domain User Accounts
Decide on a Naming Convention for the user accounts you will create in your domain. Make sure you
account for duplicate names.
• What is the naming convention you decided on? ______________________________
4.1 Create Users One at a Time with Active Directory Users and Computers
1. Create the following user accounts (and their properties) under the Toronto OU using Active
Directory Users and Computers:
• Fred Flintstone – Member Of: T_SalesReps
• Barney Rubble – Member Of: T_SalesReps
• Bam-Bam Rubble – Member Of: T_Marketing
• Wilma Flintstone – Member Of: T_HRSupport
• Mr. Slate – Member Of: T_SalesReps and T_Executives
Use the default password for all users and select the User must change password at next login:
option.
Create job titles, phone numbers and addresses for all users in the Toronto OU.
(Configure at least 2 users so you can see how much work it is to fill in all the fields manually.)
4.2 Creating User Accounts with PowerShell
1. Create the following 2 user accounts in the Toronto OU using PowerShell. Link to PowerShell
command and examples HERE. Keep the command simple. You do not have to add all the
additional properties to these user accounts. Just user settings.
• Pebbles Flintstone
• Great Gazoo
2. While your PowerShell commands are still on the screen, take a screenshot of the PowerShell
window.
3. To view the properties of your user accounts using PowerShell, use the following command:
PS > Get-ADUser -Identity username
4.3 Creating User Account Templates
1. On Server1, create a new user account using Active Directory Users and Computers, that will be
a template account for the Executives in the Vancouver OU. Name this template
_Executives_Template. Set the password field to the default password and disable the account.
2. Go into the properties of the template account and configure properties on at least 2 Tabs as
well as the Member Of: tab, making the template a member of the V_Executives, and the
V_SalesReps Global Groups.
3. Once the template account has been created, it will show at the top of the OU list because it
begins with the underscore character “_”.
4.4 Using Templates to Create User Accounts
1. Using the template you created in the previous section (copy the template user), create 3 new
Executive user accounts in the Vancouver OU. Use the following names:
• Luke Perry
• Jason Priestly
• Shannon Doherty
2. Verify that the properties you built into the template were copied to the new user accounts.
5.0 Using the Built-In Groups to Assign User Rights
User rights determine what users can “DO” on a particular computer/domain. By default, regular users
can only login to client computers, not server computers. If you need a regular user to be able to
perform some administrative tasks, and login to a server, you will need to give them the rights to do so.
The best way to give user rights is to add user accounts to the Built-In Local Groups on a particular
server. User Rights are LOCAL to the server they are configured on. There are built-in Domain Local
Groups that give user rights on the domain also.
1. Create the following 5 user accounts on your domain:
• Joe Admin in the Toronto OU
• Jane Admin in the Montreal OU
• Bob Admin in the Vancouver OU
• Hani Admin in your domain, but not in an OU.
• Marg Admin in your domain, but not in an OU.
2. Add Joe, Jane and Bob to the Account Operators group and the Backup Operators group.
3. Add Hani and Marg to the Domain Admins group.
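Because membership in these built-in groups grants rights on the servers and the domain, it is worth reviewing who actually holds them. The script below is an added example, not part of the original lab handout; it assumes the ActiveDirectory module is available and uses the three group names from this section. It expands nested groups and lists any user who appears in more than one privileged group (in this lab, Joe, Jane and Bob are in two).

```powershell
# Added example: audit effective membership of the privileged groups used in Section 5.0.
Import-Module ActiveDirectory

$privileged = 'Account Operators','Backup Operators','Domain Admins'

$report = foreach ($groupName in $privileged) {
    # -Recursive expands nested groups to the users who effectively hold the rights
    Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group     = $groupName
                User      = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                # Parent container: everything after the first RDN
                # (simplification: assumes no escaped comma in the user's CN)
                Container = ($u.DistinguishedName -split ',', 2)[1]
            }
        }
}

# Full listing, one row per user per privileged group
$report | Sort-Object Group, User | Format-Table -AutoSize

# Users that hold more than one privileged membership
$report | Group-Object User | Where-Object Count -gt 1 |
    Select-Object Name, @{n='Groups';e={$_.Group.Group -join ', '}}
```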
5.1 Testing User Rights
1. Test the following and record whether the login worked or did not work and if it works as you
expected:
Task                                 | Successful or Unsuccessful? | Works as expected or not? Notes.
Login to Client1 as Fred Flintstone. |                             |
Login to Server1 as Fred Flintstone. |                             |
Login to Client1 as Bob Admin.       |                             |
Login to Server1 as Bob Admin.       |                             |
Login to Server1 as Hani Admin.      |                             |
To prove you have completed this lab:
• Create a Microsoft Word document (or use Google docs), with a name of YourSenecaIDLab3.docx.
• Take a screenshot of Server1 Active Directory Users and Computers, showing the
Organizational Units created.
• Open the Toronto OU and take a screenshot showing the objects created.
• Open the Montreal OU and take a screenshot showing the objects created.
• Open the Vancouver OU and take a screenshot showing the objects created.
• Display the Properties of the Mr. Slate user account, showing the Member Of tab and take a
screenshot.
• From Section 3.3, display the members of the SalesFiles_FC Domain Local Group and take a
screenshot.
• Paste each screenshot from above, plus the 2 PowerShell screenshots (3.1 #3 and 4.2 #2) into
the document, and label them clearly. You should have 8 images.
• Save the document as a PDF file using the same name as the document file, and upload it to
Learn@Seneca, under Graded Items>Labs>Lab3 before the due date.