MCT USE ONLY.

STUDENT USE PROHIBITED

 MCT USE ONLY. STUDENT USE PROHIBITED
2-1

Module 2
Managing objects in AD DS
Contents:
Module Overview 2-1 

Lesson 1: Managing user accounts 2-2 

Lesson 2: Managing groups in AD DS 2-11 

Lesson 3: Managing computer objects in AD DS 2-21 

Lab A: Managing AD DS objects 2-28 

Lesson 4: Using Windows PowerShell for AD DS administration 2-33 

Lesson 5: Implementing and managing OUs 2-48 

Lab B: Administering AD DS 2-56 

Module Review and Takeaways 2-61 

Module Overview
Active Directory Domain Services (AD DS) can help you manage your network more effectively. For
instance, you can use it to manage user and computer accounts in groups instead of managing one
account at a time. It also provides ways to group objects together in containers called organizational units
(OUs) and to delegate administrative tasks to help you distribute workload efficiently.

Managing device identities is becoming increasingly complex as more employees bring their own devices
into the workplace. As Bring Your Own Device (BYOD) programs expand, you will be managing device
identities for many types of personal devices and the various operating systems that they run. AD DS has
many features that can make this easier.
This module describes how to use both graphical tools and Windows PowerShell to manage user and
computer accounts and groups. It covers how to manage an enterprise network by performing bulk
operations to modify object attributes.

Objectives
After completing this module, students will be able to:

 Manage user accounts in AD DS.

 Manage groups in AD DS.

 Manage computer objects in AD DS.

 Use Windows PowerShell for AD DS administration.

 Implement and manage OUs.

 Administer AD DS.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-2 Managing objects in AD DS

Lesson 1
Managing user accounts
A user object in AD DS is far more than just properties related to the user’s security identity or account. It is
the cornerstone of identity and access in AD DS. Therefore, consistent, efficient, and secure processes
regarding the administration of user accounts are integral to enterprise security management.

In this lesson, you will learn about managing users’ accounts, which is more complex than just creating and
deleting them. User accounts have attributes that you can use for purposes such as storing additional user
contact information or application-specific information for Active Directory–aware applications.
Additionally, there are user-specific files and settings that are not stored in AD DS but in the user profile.
Lastly, you will learn about using user templates to help you create user accounts more easily.

Lesson Objectives
After completing this lesson, you will be able to:

 Create user accounts.

 Configure user account attributes.

 Manage user accounts.

 Create user profiles.

 Manage inactive and disabled user accounts.

 Explain user account templates.

 Use user account templates to manage accounts.

Creating user accounts

In AD DS, you must configure all users who require
access to network resources with a user account.
With this user account, users can authenticate to
the AD DS domain and access network resources.

In Windows Server 2016, a user account is an

object that contains all the information that
defines a user. A user account includes the user
name, user password, and group memberships.
A user account also contains many other
settings that you can configure based on your
organizational requirements. With a user account,
you can:

 Allow or deny users permission to sign in to a computer based on their user account identity.

 Grant users access to processes and services for a specific security context.

 Manage users’ access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.

A user account enables a user to sign in to computers and domains with an identity that the domain can
authenticate. When you create a user account, you must provide a user logon name, which must be unique
in the domain and forest in which you create the user account.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-3

To maximize security, you should avoid multiple users sharing a single account and instead ensure that
each user who signs in to the network has a unique user account and password.

Note: This course focuses on AD DS accounts. You can also store user accounts in the local
Security Accounts Manager database of each computer, enabling local sign in and access to
local resources. Local user accounts are, for the most part, beyond the scope of this course.

Creating user accounts

A user account includes the user name and password, which serve as the user’s sign-in credentials. A user
object also includes several other attributes that describe and manage the user. You can use Active
Directory Users and Computers, Active Directory Administrative Center, Windows PowerShell, or the dsadd
command-line tool to create a user object.

Considerations for naming users

Your naming convention is an important consideration. A formalized naming convention will allow you to
deal with duplicate user names and name changes in a standardized way. When you create user accounts,
consider the following elements:

 Full Name attribute. Full Name is used to create several attributes of a user object, most notably, the
common name and display name attributes. The common name of a user is the name displayed in the
details pane of the snap in, and it must be unique within the container or OU. If you create a user
object for a person with the same name as an existing user in the same container or OU, you need to
give the new user object a unique Full Name.

 UPN logon. User principal name (UPN) logons follow the format user logon name@ (UPN suffix). User
names in AD DS can contain special characters, including periods, hyphens, and apostrophes. These
special characters enable you to generate accurate user names such as O’Hare and Smith Bates.
However, certain programs and applications might have other restrictions. Therefore, we recommend
that you use only standard letters and numbers until you test the applications in your enterprise
environment for compatibility with special characters.

You can manage the list of available UPN suffixes by using the Active Directory Domains and Trusts
snap-in. Right-click the root of the snap-in, click Properties, and then use the UPN Suffixes tab to add
or remove suffixes. The Domain Name System (DNS) name of your AD DS domain is always available as
a suffix, and you cannot remove it. In a multidomain environment, you can assign different UPN
suffixes to users for purposes such as email domain suffixes.

Note: It is important that you implement a user account naming strategy, especially in large
networks in which users might have the same full name. A combination of last name and first
name, and where necessary, additional characters, should yield a unique user account name.
Specifically, it is only the UPN name that must be unique within your AD DS forest. The Full Name
attribute needs to be unique only within the OU where it resides. The User SAMAccountName
name must be unique within that domain.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-4 Managing objects in AD DS

Configuring user account attributes

When you create a user account in AD DS, you also
configure all the associated account properties.
You must define the attributes that allow the user
to sign in by using the account, in addition to a few
other attributes. Because you can associate a user
object with many attributes, it is important that
you understand what these attributes are and how
you can use them in your organization.

You can configure user attributes by using Active

Directory Administrative Center, Active Directory
Users and Computers, Windows PowerShell, or the
dsmod tool.

Note: The attributes associated with a user account are defined as part of the AD DS schema,
which members of the Schema Admins security group can modify. The schema does not often
change. However, introducing an enterprise-level program (such as Microsoft Exchange Server)
requires many schema changes. These changes enable objects, including user objects, to have
additional attributes.

Attribute categories
The attributes of a user object fall into several broad categories. These categories appear in the navigation
pane of the User Properties dialog box in Active Directory Administrative Center:

 Account. In addition to the user’s user name properties (First name, Middle initial, Last name, Full
name) and the user’s various logon names (User UPN logon, User SAMAccountName logon), you
can configure the following additional properties:

o Log on hours. This property defines when the user can use the account access domain computers.
You can use the weekly calendar style view to define Logon permitted hours and Logon denied
hours.

o Log on to. Use this property to define which computers a user can use to sign in to the domain.
Specify the computer’s name and add it to a list of allowed computers.
o Account expires. This value is useful when you want to create temporary user accounts. For
example, you might want to create user accounts for interns who will be at your organization for
just one year. You can set the account expiration date in advance. No one can use the account
after the expiration date until an administrator reconfigures it manually.

o User must change password at next log on. This property enables you to force users to reset
their own password the next time they sign in. This is something you might enable after you reset a
user’s password.

o Smart card is required for interactive log on. This value resets the user’s password to a complex,
random sequence of characters and sets a property that requires that the user use a smart card to
authenticate during logon.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-5

o Password never expires. This is a property that you normally use with service accounts; that is,
those accounts that services use, and not regular users. By setting this value, you must remember
to update the password manually on a periodic basis. However, the system does not force you to
do this at a predetermined interval. Consequently, the account can never be locked out due to
password expiration—a feature that is particularly important for service accounts.
o User cannot change password. You use this option generally for service accounts.

o Store password by using reversible encryption. This policy provides support for programs that
use protocols that require knowledge of the user's password for authentication purposes. Storing
passwords by using reversible encryption is essentially the same as storing plain-text versions of
the passwords. For this reason, you should never enable this policy unless program requirements
outweigh the need to protect password information. This policy is mandatory when you use
Challenge Handshake Authentication Protocol (CHAP) authentication through remote access or
Internet Authentication Service (IAS). It is also mandatory when using Digest authentication in
Internet Information Services (IIS).

o Account is trusted for delegation. You can use this property to allow a service account to
impersonate a standard user to access network resources on behalf of a user.

 Organization. This includes properties such as the user’s Display name, Office, Email Address,
various contact telephone numbers, managerial structure, department and organization names,
addresses, and other properties.

 Member of. Use this section to define group memberships for the user.

 Password Settings. This section includes password settings that apply directly to the user.

 Profile. Use this section to configure a location for the user’s personal data and to define a location in
which to save the user’s desktop profile when he or she logs out.
 Policy. Use authentication policies to control Kerberos ticket-granting ticket (TGT) lifetimes and the
authentication access control for a specific account, such as high-level administrative accounts.

 Silo. Authentication policy silos are containers to which you can assign a user account. You can assign
authentication policies to these silos.

 Extensions. This section exposes many additional user properties, most of which do not normally
require manual configuration.

Demonstration: Managing user accounts

In this demonstration, you will see how to use Active Directory Administrative Center to:

 Create a new user account.

 Delete a user account.

 Move a user account.

 Configure user attributes:

o Change department

o Change group membership

 MCT USE ONLY. STUDENT USE PROHIBITED
2-6 Managing objects in AD DS

Demonstration Steps

Create a new user account

 Use Active Directory Administrative Center to create a new user with following settings:

o First name: Sales

o Last name: Manager

o User UPN logon: SalesManager

o Password: Pa55w.rd

Delete a user account

 Delete the Art Odum account.

Move a user account

1. Move the Burton Bartels account from the Managers OU to the Development OU.

2. Open the Development OU to verify that the Burton Bartels account is present.

Configure user attributes

 Modify the Burton Bartels account as follows:

o Change the Department field from Managers to Development.

o Remove the account from the Managers group.

o Add the account to the Development group.

Creating user profiles

When users sign out, their desktop and app
settings are saved to a subfolder that matches their
user name in the C:\Users folder on the local hard
disk. This folder contains their user profile. Within
this folder, subfolders contain documents and
settings that represent the user’s profile, including
Documents, Videos, Pictures Downloads, and
application data. If a user is likely to sign in
interactively at more than one client workstation,
these settings and documents should be available
on those other client workstations. You can ensure
that users can access their profiles from multiple
workstations in several ways.

Configuring user account properties to manage profiles

You can configure the following properties of a user’s desktop profile by using the user account settings in
Active Directory Administrative Center:

 Profile path. This path is either a local or, more commonly, a Universal Naming Convention (UNC)
path. The profile stores the user’s desktop settings. If users’ profiles have a UNC path, then the users will
have access to their desktop settings regardless of the domain computer they use to sign in. We refer
to this as a roaming profile.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-7

 Logon script. This is a batch file that contains commands that execute when the user signs in. Typically,
you use these commands to create drive mappings. If you use a login script, the name of the script
should be a file name (with extension) only. Scripts should be stored in the C:\Windows\SYSVOL
\domain\scripts folder on all domain controllers. Rather than use a logon script batch file, you will
typically implement logon scripts by using Group Policy Objects (GPOs) or Group Policy preferences.

 Home folder. This is a storage area in which users can save their personal documents. You can specify
either a local path or typically a UNC path to the user’s folder. You also must specify a drive letter for
mapping a network drive to the specified UNC path. You can then configure a user’s personal
documents to this redirected home folder.

Note: When you create user accounts to use as templates and use a common location for the
profile path and home folder, you should use the %username% variable in the path. This means
that AD DS can create these folders automatically when the account is used as a template. For
example, you can use the following paths, where the file server is named LON-FS and you have
created shares for the profiles and home folders, profile$ and home$, respectively:

 Profile Path: \\LON-FS\profile$\%username%

 Home folder Connect H: to \\LON-FS\home$\%username%

Using Group Policy to manage profiles

As an alternative to using the individual user account settings, you can use GPOs to manage these settings.
You can configure Folder Redirection settings by using the Group Policy Management Editor to open a
GPO for editing, expand User Configuration, expand Policies, and then expand Windows Settings.
Windows Settings contains the subnodes listed in the following table.

Subnodes in the Windows Settings node

AppData (Roaming) Pictures Downloads

Desktop Music Links
Start Menu Videos Searches
Document Favorites Saved Games
Contacts

You can use these subnodes to configure all aspects of a user’s desktop profile and app settings. For a given
subnode, such as Documents, you can choose between Basic and Advanced redirection. In Basic
redirection, all users that the GPO affects have their Documents folder redirected to an individually named
subfolder off a common root folder defined by a UNC name, such as \\LON-SVR1\Users\. In Advanced
redirection, you can use security group membership to specify where to store a user’s settings and
documents. For example, you might store a Research and Development user’s documents on a highly
secured server.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-8 Managing objects in AD DS

Managing inactive and disabled user accounts

User accounts can become inactive for different
reasons. Users leave the organization, go on
maternity or paternity leave, and take sabbaticals.
In these cases, if a user does not need access to his
or her account for a period, you should disable the
account rather than deleting it. Even if a user has
left the organization, it is a best practice to disable
the user account until you are sure that no one will
need it. This is particularly true if a user has a
mailbox on your Exchange Server. If you delete the
user from AD DS, then you also delete the user’s
mailbox. You might need to retain the user’s mail,
and restoring a user account and the associated mailbox is time consuming.

To disable a user account, locate and select the account in Active Directory Administrative Center, and then
in the Tasks pane, click Disable. To enable an account, click Enable in the Tasks pane.

User account templates

Creating new users usually involves setting
multiple attributes for the user. This can be time
consuming and tedious, especially if you are
creating multiple users. User templates can reduce
the effort required to create new user accounts.
They also reduce the chance of errors when setting
properties for users.

Most users in a department, business unit, or OU

will share many common attributes, such as group
memberships and home directory locations. In
AD DS, a user template is simply an account that
you configure with all the properties that are
common to that job role or department. For example, you might create a user account named
Sales_Template that has all the attributes that apply to your salespeople. Then, when your organization
hires a new salesperson, you can copy the template to create the new account.

Note: Best practices include disabling the template account so that no one can use it to sign
in, and putting an underscore at the beginning of the name so that the template account is always
at the top of the user list and easy to locate.

Only the most commonly used attributes are copied from the template over to the new user account. These
include:

 Group memberships

 Home directories
 Profile settings

 Logon scripts

 Logon hours
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-9

 Password settings

 Department name

 Manager

When you copy an account, you must provide the following information for the new account:

 First name

 Last name

 Full name

 User logon name

 Password

Attribute fields that are not copied from the template include:

 Office

 Phone numbers

 Street address

 Job title

Demonstration: Using templates to manage accounts

In this demonstration, you will see how to create a template account and create a new user based on that
template account.

Demonstration Steps

Create a user template

1. Use Active Directory Users and Computers to create a new user with the following settings:

o First name: _sales

o Last name: template

o User logon name: salestemplate

o Password: Pa55w.rd

2. Clear the User must change password at next logon check box.

3. Set the password to never expire.

4. Disable the account.

Configure template properties

 Double-click the _sales template account, and then set the following attributes:

o Member Of: Sales

o Department: Sales
o Manager: Erin Bull

o Logon Script: \\lon-dc1\netlogon\logon.bat

 MCT USE ONLY. STUDENT USE PROHIBITED
2-10 Managing objects in AD DS

Create a new user by copying the template

1. Right-click the _sales template account, and then click Copy.

2. Create a new user named Sales User with the password Pa55w.rd.

3. Enable the account and clear the Password never expires attribute.

4. Require the account to change the password the next time the user signs in.

5. View the properties of the newly created Sales User account and ensure that the template properties
are present.

6. Close Active Directory Users and Computers.

Question: What is the purpose of a roaming profile?

Question: What is the difference between disabling an account and an account being
locked out?
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-11

Lesson 2
Managing groups in AD DS
Although it might be practical to assign permissions and abilities to individual user accounts in small
networks, this becomes impractical and inefficient in large enterprise networks. For example, if many users
need the same level of access to a folder, it is more efficient to create a group that contains the required
user accounts and then assign the required permissions to the group. As an added benefit, you can change
users’ file permissions by adding or removing them from groups rather than editing the file permissions
directly. Before you implement groups in your organization, you must understand the scope of various
Windows Server group types. In addition, you must understand how to use group types to manage access
to resources or to assign management rights and abilities.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe group types.

 Describe group scopes.

 Explain how to implement group management.

 Manage group membership by using Group Policy.

 Describe default groups.

 Describe special identities.

 Manage groups in Windows Server.

Group types
In a Windows Server 2016 enterprise network,
there are two types of groups: security and
distribution. When you create a group, you choose
the group type and scope. Group type determines
the capabilities of the group.

Email applications mainly use distribution groups,

which are not security enabled. Security groups are
security enabled and you use them to assign
permissions to various resources. You can use
security groups in permission entries in access
control lists (ACLs) to control security for resource
access. You also can use security groups as a
means of distribution for email applications. If you want to use a group to manage security, it must be a
security group.

Note: The default group type for newly created groups is security.

Because you can use security groups for both resource access and email distribution, many organizations
use only security groups. However, we recommend that if you use a group for email distribution only, you
should create the group as a distribution group. Otherwise, the group is assigned a security identifier (SID),
and the SID is added to the user’s security access token, which can make the token unnecessarily large.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-12 Managing objects in AD DS

You can convert a security group to a distribution group at any time. When you do this, the groupType
attribute changes. A security group that you have converted to a distribution group therefore loses all
permissions assigned to it, even though the ACLs still contain the SID. If you convert a distribution group to
a security group, the reverse occurs—the groupType attribute changes, and you can now assign
permissions to resources to the group.

Note: Consider that when you add a user to a security group, the user’s access token—which
authenticates user processes—updates only when the user signs in. Therefore, if the user is
currently signed in, the user must sign out and sign back in to update his or her access token with
any changed group memberships.

Note: The benefit of using distribution groups becomes more evident in large-scale
Exchange Server deployments, especially when you need to nest these distribution groups across
the enterprise.

Group scopes
Windows Server 2016 supports group scoping. The
scope of a group determines both the range of a
group’s abilities or permissions and the group
membership. There are four group scopes:

 Local. You use this type of group for

standalone servers or workstations, on
domain-member servers that are not domain
controllers, or on domain-member
workstations. Local groups are truly local,
which means that they are available only on
the computer where they exist. The important
characteristics of a local group are:

o You can assign abilities and permissions on local resources only, meaning on the local computer.

o Members can be from anywhere in the AD DS forest, and can include:

 Any security principals from the domain: users, computers, global groups, or domain-local
groups.
 Users, computers, and global groups from any domain in the forest.
 Users, computers, and global groups from any trusted domain.
 Universal groups defined in any domain in the forest.
 Domain-local. You use this type of group primarily to manage access to resources or to assign
management responsibilities (rights). Domain-local groups exist on domain controllers in an AD DS
forest, and consequently, the group’s scope is local to the domain in which they reside. The important
characteristics of domain-local groups are:

o You can assign abilities and permissions on domain-local resources only, which means on all
computers in the local domain.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-13

o Members can be from anywhere in the AD DS forest and can include:

 Any security principals from the domain: users, computers, global groups, or domain-local
groups.
 Users, computers, and global groups from any domain in the forest.
 Users, computers, and global groups from any trusted domain.
 Universal groups defined in any domain in the forest.
 Global. You use this type of group primarily to consolidate users who have similar characteristics. For
example, you might use global groups to consolidate users who are part of a department or
geographic location. The important characteristics of global groups are:

o You can assign abilities and permissions anywhere in the forest.

o Members can be from the local domain only and can include users, computers, and global groups
from the local domain.

 Universal. You use this type of group most often in multidomain networks because it combines the
characteristics of both domain-local groups and global groups. Specifically, the important
characteristics of universal groups are:

o You can assign abilities and permissions anywhere in the forest, as with global groups.

o Members can be from anywhere in the AD DS forest, and can include:

 Users, computers, and global groups from any domain in the forest.
 Universal groups defined in any domain in the forest.
o Properties of universal groups propagate to the global catalog and are available across the
enterprise network on all domain controllers that host the global catalog role. This makes universal
groups’ membership lists more accessible, which is useful in multidomain scenarios. For example, if
you use a universal group for email distribution purposes, you can determine the membership list
more quickly in distributed multidomain networks.
The following table summarizes and compares the basic properties of the four group scopes.

Can be assigned
Group scope Can include members from Can be converted to
permissions to

Local Domain users, domain computers, Local computer N/A

global groups, and universal resources only
groups from any domain in the
forest
Domain-local groups from the
same domain
Local Users from the computer

Domain-local Domain users, domain computers, Local domain Universal groups (if no
global groups, and universal resources only other domain-local
groups from any domain in the groups exist as members)
forest
Domain-local groups from the
same domain

Global Domain users, domain computers, Any domain Universal groups (if it is
and global groups from the same resource in the not a member of any
domain forest other global groups)
 MCT USE ONLY. STUDENT USE PROHIBITED
2-14 Managing objects in AD DS

Can be assigned
Group scope Can include members from Can be converted to
permissions to

Universal Domain users, domain computers, Any domain Domain-local groups and
global groups, and universal resource in the global groups (if no other
groups from any domain in the forest universal groups exist as
forest members)

Implementing group management

Adding groups to other groups is a process called
nesting. Nesting creates a hierarchy of groups that
supports your business roles and management
rules.

A best practice for group nesting is known as

IGDLA, which is an acronym for the following:

 Identities

 Global groups

 Domain-local groups

 Access

The parts of IGDLA are related in the following way:

 Identities (user and computer accounts) are members of global groups, which represent business roles.

 Global groups (also known as role groups) are members of domain-local groups, which represent
management rules; for example, determining who has Read permission to a specific collection of
folders.

 Domain-local groups (also known as rule groups) are granted access to resources. In the case of a
shared folder, you grant access by adding the domain-local group to the folder’s ACL, with a
permission that provides the appropriate level of access.

In a multidomain forest, the best practice for group nesting is known as IGUDLA. The additional letter U
stands for universal groups:
 Identities

 Global groups

 Universal groups
 Domain-local groups

 Access

In this case, global groups from multiple domains are members of a single universal group. That universal
group is a member of domain-local groups in multiple domains.

IGDLA example
The figure on the slide represents a group implementation that reflects the technical view of group
management best practices (IGDLA) and the business view of role-based, rule-based management.
Consider the following scenario.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-15

The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a
folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors
from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit.
You can implement the security for this scenario by following these steps:

1. Assign users with common job responsibilities or other business characteristics to role groups, which
are implemented as global security groups. Do this separately in each domain. Add salespeople at
Contoso Ltd. to a Sales role group; add auditors at Woodgrove Bank to an Auditors role group.

2. Create a group to manage access to the Sales folders with Read permission. You implement this in the
domain that contains the resource that is being managed. In this case, the Sales folder is in the
Contoso domain. Therefore, you create the resource access management rule group as a domain-local
group named ACL_Sales _Read.

3. Add the role groups to the resource access management rule group to represent the management
rule. These groups can come from any domain in the forest or from a trusted domain, such as
Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same
forest, can be members of a domain-local group.

4. Assign the permission that implements the required level of access. In this case, grant the Allow Read
permission to the domain-local group.

This strategy results in two single points of management, thereby reducing the management burden. One
point of management defines who is in Sales, and the other point of management defines who is an
Auditor. Because these roles are likely to have access to a variety of resources beyond the Sales folder, you
have another single point of management to determine who has Read access to the Sales folder.
Furthermore, the Sales folder might not be a single folder on a single server; it could be a collection of
folders across multiple servers, each of which assigns the Allow Read permission to the single domain-local
group.

Configuring a group manager

The properties page of a group has a Managed By tab. Use this to provide information about which
manager is responsible for this group. When you add a user or group to the Name field, AD DS will provide
information about that user, such as office, address, and telephone number. There is also a check box called
Manager can update membership list that allows the manager of the group to manage group
membership. This is useful in distributed administrative environments in which managers are responsible
for controlling their own departmental groups.

Managing group membership by using Group Policy

Managing group membership can be a time-
consuming task, especially if you must modify the
membership of groups on workstations or servers
distributed throughout the enterprise. For
example, you might need to add a user or global
group to the local Administrators group on client
computers, or add a global group to the Backup
Operators group on servers.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-16 Managing objects in AD DS

Group Policy provides a setting called Restricted Groups that enables you to control the membership of
local groups on domain-joined computers. This setting also enables you to control the membership of
AD DS groups by configuring a GPO and assigning that GPO to the OU holding those computer accounts.

You can find the Restricted Groups setting in the Computer Configuration policy under Windows
Settings, and then under Security Settings. It contains no groups by default.

Note: To configure membership in AD DS groups, you must assign the GPO to the OU that
holds the Domain Controllers computer accounts.

You can also configure group nesting by using the Restricted Groups setting. For example, you could use
Restricted Groups to nest global groups into universal groups. All the rules governing group nesting still
apply when using Restricted Groups.

Note: The Restricted Groups setting is only available in domain-level group policies. It does
not exist in local group policies on Windows client and server operating systems.

Removal of nondesignated members

One of the benefits of Restricted Groups is that it will also remove any user (or group) from the targeted
group if they are not on the list of users or groups that the setting assigns. This is useful for controlling the
membership of high-level administrative groups, such as Enterprise Admins, Domain Admins, and local
Administrators groups on servers and client computers. If you manually add users to a controlled group,
the Restricted Groups setting will remove them the next time Group Policy refreshes.

Note: The only exception to this rule is that the local default Administrator account can
never be removed from the local Administrators group.

Policy removal
If the group policy object that you used to configure the restricted group membership is unlinked from the
container holding the computer accounts, or if you delete the restricted group entry from the GPO, then
the group memberships that it assigned are not removed. You must modify those group memberships
manually.

Default groups
Windows Server 2016 creates several groups
automatically. These are called default local groups,
and they include well-known groups such as
Administrators, Backup Operators, and Remote
Desktop Users. Windows Servers 2016 creates
additional groups automatically in a domain, both
in the Built-in container and the Users container,
including Domain Admins, Enterprise Admins,
and Schema Admins.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-17

Default groups that provide administrative privileges

A subset of default groups has significant permissions and user rights related to the management of AD DS.
Because of their rights, they are protected groups. Protected groups are described later in this topic. The
following list summarizes the capabilities of these groups:

 Enterprise Admins (in the Users container of the forest root domain). This group is a member of the
Administrators group in every domain in the forest, which gives it complete access to the
configuration of all domain controllers. It also owns the Configuration partition of the directory and
has full control of the domain-naming context in all forest domains.
 Schema Admins (Users container of the forest root domain). This group owns and has full control of
the Active Directory schema.

 Administrators (Built-in container of each domain). Members of this group have complete control
over all domain controllers and data in the domain-naming context. They can change the membership
of all other administrative groups in the domain, and the Administrators group in the forest root
domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins.
The Administrators group in the forest root domain is the most powerful service administration group
in the forest.

 Domain Admins (Users container of each domain). This group is added to the Administrators group
of its domain. It therefore inherits all the capabilities of the Administrators group. It is also, by default,
added to the local Administrators group of each domain member computer, thus giving Domain
Admins ownership of all domain computers.

 Server Operators (Built-in container of each domain). Members of this group can perform
maintenance tasks on domain controllers. They have the right to sign in locally, start and stop services,
perform backup and restore operations, format disks, create or delete shares, and shut down domain
controllers. By default, this group has no members.

 Account Operators (Built-in container of each domain). Members of this group can create, modify,
and delete accounts for users, groups, and computers located in any OU in the domain (except the
Domain Controllers OU) and in the Users and Computers containers. Account Operators group
members cannot modify accounts that are members of the Administrators or Domain Admins
groups, nor can they modify those groups. Account Operators group members also can sign in locally
to domain controllers. By default, this group has no members.

 Backup Operators (Built-in container of each domain). Members of this group can perform backup
and restore operations on domain controllers and can sign in locally and shut down domain
controllers. By default, this group has no members.

 Print Operators (Built-in container of each domain). Members of this group can maintain print queues
on domain controllers. They also can sign in locally and shut down domain controllers. By default, this
group has no members.

 Cert Publishers (Users container of each domain). Members of this group can publish certificates to
the directory. By default, this group has no members.

Managing groups that provide administrative privileges

You need to carefully manage the default groups that provide administrative privileges, because they
typically have broader privileges than are necessary for most delegated environments, and because they
often apply protection to their members.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-18 Managing objects in AD DS

The Account Operators group is a good example of this. If you examine the capabilities of the Account
Operators group in the preceding list, you can see that members of this group have very broad rights—
they can even sign in locally to a domain controller. In very small networks, you might assign such rights to
one or two individuals who are typically domain administrators anyway. However, in large enterprises, the
rights and permissions granted to Account Operators are usually far too broad. Additionally, the Account
Operators group is, like the other administrative groups, a protected group.

Protected groups
The operating system defines protected groups, which cannot be unprotected. Members of a protected
group become protected by association and no longer inherit permissions (ACLs) from their OU, but
instead receive a copy of an ACL from the protected group. This protected group ACL offers considerable
protection to the members. For example, if you add Jeff Ford to the Account Operators group, his account
becomes protected. The help desk, which has rights to reset all other user passwords in the Employees OU,
cannot reset Jeff Ford’s password. Protected groups include:

 Account Operators
 Administrators

 Backup Operators

 Cert Publishers

 Domain Admins

 Enterprise Admins

 Krbtgt
 Print Operators

 Read-only Domain Controllers

 Replicator

 Server Operators

Custom groups
You should avoid adding users to the groups that do not have members by default (Account Operators,
Backup Operators, Server Operators, and Print Operators). Instead, create custom groups to which you
assign permissions and user rights that achieve your business and administrative requirements.

For example, Scott Mitchell should be able to perform backup operations on a domain controller but
should not be able to perform restore operations that could lead to database rollback or corruption. In
addition, Scott should not be able to shut down a domain controller, so do not put Scott in the Backup
Operators group. Instead, create a local group and assign it only the Back up files and directories user
right, and then create a global group and add Scott as a member. Then add that global group to the local
group.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-19

Special identities
Windows and AD DS also support special
identities, which are groups in which the operating
system controls membership. You cannot view the
groups in any list (in Active Directory Users and
Computers, for example), view or modify the
membership of these special identities, and or add
them to other groups. You can, however, use these
groups to assign rights and permissions.

The following list describes the most important

special identities—often called groups (for
convenience):

 Anonymous Logon. This identity represents

connections to a computer and its resources that do not require a user name and password. Before
Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows
Server 2003, this group is no longer a default member of the Everyone group.

 Authenticated Users. This identity represents authenticated identities. This group does not include the
Guest account, even if it has a password.

 Everyone. This identity includes Authenticated Users and the Guest account.
 Interactive. This identity represents users who access a resource while signed in locally to the computer
that is hosting the resource, as opposed to accessing the resource over the network. When a user
accesses any resource on a computer on which the user has signed in locally, the user is added
automatically to the Interactive group for that resource. The Interactive identity also includes users who
sign in through a Remote Desktop Connection (RDC).

 Network. This identity represents users who access a resource over the network, as opposed to users
who sign in locally at the computer that is hosting the resource. When a user accesses any resource
over the network, the user is added automatically to the Network group for that resource.

 Creator Owner. This identity represents the security principal that created an object. The Creator
Owner automatically has full control permission on the object by virtue of being the entity that created
the object.

The importance of these special identities is that you can use them to provide access to resources based on
the type of authentication or connection, rather than the user account. For example, you could create a
folder on a system that allows users to view its contents when they sign in locally to the system but that
does not allow the same users to view the contents from a mapped drive over the network. You could
achieve this by assigning permissions to the Interactive special identity.

A common scenario for the Creator Owner group is when you set NTFS permissions on a root folder to
allow users to create subfolders, such as home directories. The Creator Owner group grants users full
control permission on those home directories because the user created the subfolder.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-20 Managing objects in AD DS

Demonstration: Managing groups in Windows Server

In this demonstration, you will see how to create a new group and add members to a group. In addition,
you will learn to add users to the group, change the group type and scope, and configure a manager for
the group.

Demonstration Steps

Create a new group and add members

1. Use Active Directory Administrative Center to create a new global security group named IT
Managers in the IT OU of Adatum.com.

2. Add the following members to the group:

o Beth Burke

o Logan Boyle

Add a user to the group

 Locate the user Maj Hojski and then add the user to the IT Managers group.

Change the group type and scope

 Access the IT Managers group properties, change the Group type to Distribution, and then change
the Group scope to Universal.

Configure a manager for the group

1. Edit the Managed By section to add Parsa Schoonen as a manager of the group.

2. Allow Parsa to update the group membership list.

3. Close the IT Managers Properties dialog box.

4. Close Active Directory Administrative Center.

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-21

Lesson 3
Managing computer objects in AD DS
Computers, like users, are security principals, in that:

 They have an account with a logon name and password that Windows Server changes automatically on
a periodic basis.

 They authenticate with the domain.

 They can belong to groups and have access to resources, and you can configure them by using Group
Policy.

A computer account begins its lifecycle when you create it and join it to your domain. Thereafter,
day-to-day administrative tasks include:

 Configuring computer properties.

 Moving the computer between OUs.

 Managing the computer itself.

 Renaming, resetting, disabling, enabling, and eventually deleting the computer object.

If you know how to perform these computer-management tasks, then you can configure and maintain the
computer objects within your organization.

Lesson Objectives
After completing this lesson, you will be able to:

 Explain the purpose of the Computers container.

 Describe how to configure the location of computer accounts.

 Explain how to control who has permission to create computer accounts.

 Explain how to join a computer to a domain.

 Describe computer accounts and secure channels.

 Explain how to reset the secure channel.

 Explain how to perform an offline domain join.

What is the Computers container?

Before you create a computer object in AD DS, you
must have a place to put it. When you create a
domain, the Computers container is created by
default. This container is the default location for
the computer accounts when a computer joins the
domain.
This container is not an OU; instead, it is an object
of the container class. Its common name is
CN=Computers. There are subtle but important
differences between a container and an OU. You
cannot create an OU within a container, so you
cannot subdivide the Computers container. You
 MCT USE ONLY. STUDENT USE PROHIBITED
2-22 Managing objects in AD DS

also cannot link a GPO to a container. Therefore, we recommend that you create custom OUs to host
computer objects, instead of using the Computers container.

Specifying the location of computer accounts

Most organizations create at least two OUs for
computer objects: one for servers and another to
host computer accounts for client computers, such
as desktops, laptops, and other user devices. These
two OUs are in addition to the domain controllers
OU that is created by default during the AD DS
installation.

You can create computer objects in any OU in your

domain. There is no technical difference between a
computer object in a client OU, a computer object
in a server OU, a computer object in the domain
controllers OU, and even a computer object in an
OU intended for users. However, administrators typically create separate OUs to provide unique scopes of
management, so that they can delegate management of client objects to one team and management of
server objects to another.

Your administrative model might require you to divide your client and server OUs into smaller groups.
Many organizations create sub-OUs beneath a server OU to classify and manage specific types of servers.
For example, you might create an OU for file and print servers, an OU for database servers, or any number
of OUs that categorize the server types in your organization. By doing so, you can delegate permissions to
manage computer objects in the appropriate OU to the team of administrators for each type of server.
Similarly, geographically distributed organizations with local desktop support teams often divide a parent
OU for clients into sub-OUs for each site. This approach enables each site’s support team to create
computer objects in the site for client computers and then use those computer objects to join computers to
the domain. Your OU structure should reflect your administrative model, so that your OUs can provide
single points of management for delegating administration.

Additionally, by using separate OUs, you can create various baseline configurations by using different GPOs
that are linked to the client and the server OUs. With Group Policy, you can specify configuration for
collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for
organizations to separate clients into desktop and laptop OUs. You then can link GPOs that specify desktop
or laptop configuration to the appropriate OUs.

Note: You can use the redircmp command-line tool to reconfigure the default container for
computers. For example, if you want to change the default container for computers to an OU
called mycomputers, use the following syntax:
redircmp ou=mycomputers,DC=contoso,dc=com
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-23

Controlling permissions to create computer accounts

Before you join a computer to a domain, you
should first create a computer object in the
appropriate OU. To join a computer to an AD DS
domain, you must meet three conditions:

 You must have appropriate permissions on

the computer object that allow you to join a
physical computer with the same name to the
domain.

 You must be a member of the local

Administrators group on the computer. This
allows you to change the computer’s domain
or workgroup membership.

 You must not have exceeded the maximum number of computer accounts that you can add to the
domain. By default, users can add a maximum of 10 computers to the domain; this value is known as
the machine account quota and is controlled by the MS DS MachineQuota value. You can modify this
value by using the Active Directory Services Interfaces Editor (ADSI Edit) snap-in.

Note: We recommend that you pre-create the computer account in the correct OU prior to
joining the computer to the domain. This allows the computer to receive the appropriate group
policies immediately. If you do not pre-create the computer account, the computer account will be
created in the Computers container.

Delegating permissions
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups
have permission to create computer objects in any new OU. However, as discussed earlier, we recommend
that you tightly restrict membership in the first three groups. In addition, we recommend that you not add
users who are members of the Enterprise Admins, Domain Admins, or Administrators groups to the
Account Operators group. Instead, you should delegate the permission to create computer objects to
appropriate administrators or support personnel. This permission, which you assign to the group to which
you are delegating administration, allows group members to create computer objects in a specified OU. For
example, you might allow your desktop support team to create computer objects in the clients OU and
allow your file server administrators to create computer objects in the file servers OU.

To delegate permissions to create computer accounts, you can use the Delegation of Control Wizard to
choose a custom task to delegate. When you delegate permissions to manage computer accounts, you
might consider granting additional permissions beyond those required to create computer accounts. For
example, you might decide to allow a delegated administrator to manage the properties of existing
computer accounts, to delete the computer account, or to move the computer account.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-24 Managing objects in AD DS

Joining a computer to a domain

When you join a computer to a domain, you do so
on the client computer. In Windows operating
systems, you use the Computer Name tab of
Advanced system settings in the System applet
in Control Panel.

Any user can access the Computer Name tab.

However, to join the domain, you must know
the name of the domain and provide the
credentials of a domain user who has the required
permissions to join a computer to the domain.

Leaving a domain is a similar process. Enter the

name of the workgroup or other domain that you
wish to join, and provide the proper credentials.

Note: If you move a computer from the domain to a workgroup, ensure that you know the
credentials of a local account that has admin rights on the local computer.

The computer requires a restart when joining or leaving a domain.

Computer accounts and secure channels

Every member computer in an AD DS domain
maintains a computer account with a user name
(SAMAccountName) and password, just like a user
account does. The computer stores its password in
the form of a local security authority (LSA) secret
and changes its password with the domain
approximately every 30 days. The Net Logon
service uses the credentials to sign in to the
domain, which establishes the secure channel with
a domain controller.

Computer accounts, and the relationships between

computers and their domain, are generally robust.
Nevertheless, there are certain scenarios in which a computer cannot authenticate with the domain. When
this happens, users are unable to sign in and the computer cannot access resources, such as Group Policy.
Examples of scenarios where this can happen include:

 After reinstalling the operating system on a workstation, the workstation cannot authenticate, even
though the technician used the same computer name used in the previous installation. Because the
new installation generated a new SID, and because the new computer does not know the original
computer account password in the domain, it does not belong to the domain and cannot authenticate
to the domain.
 A computer has not been in use for an extended period, perhaps because the user was working away
from the office or the computer was prebuilt as a spare. During this period, an administrator might
have reset or deleted the computer account.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-25

 A computer’s LSA secret gets out of synchronization with the password that the domain knows. You
can think of this as the computer forgetting its password. The computer and the domain do not agree
on the correct password. When this happens, the computer cannot authenticate and the secure
channel cannot be created.

The next topic discusses the steps that you should take in these scenarios.

Resetting the secure channel

Occasionally, the security relationship between a
computer account and its domain is broken. This
results in numerous potential symptoms and
errors. The most common signs of computer
account problems are:

 Messages at sign in indicate that a domain

controller cannot be contacted, that the
computer account might be missing, that the
password on the computer account is
incorrect, or that the trust relationship (also
called the secure relationship) between the
computer and the domain has been lost.

 Error messages or events in the event log indicate similar problems or suggest that passwords, trusts,
secure channels, or relationships with the domain or a domain controller have failed. One such error is
NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer’s event log.

When the secure channel fails, you must reset it. Many administrators do this by removing the computer
from the domain, putting it in a workgroup, and then rejoining the computer to the domain. Removing the
computer from the domain disables the computer account in AD DS. When you rejoin the computer to the
domain, it reuses the same computer account, but loses its group memberships. Do not rename the
computer when you rejoin it to the domain.

You also can reset the secure channel between a domain member and the domain by using:

 Active Directory Users and Computers

 Active Directory Administrative Center

 The dsmod command-line tool

 The netdom command-line tool

 The nltest command-line tool

If you reset the account, the computer’s SID remains the same, and the computer maintains its group
memberships.
To reset the secure channel by using Active Directory Users and Computers or Active Directory
Administrative Center, follow this procedure:

1. Right-click the computer, and then click Reset Account.

2. Click Yes to confirm your choice.

3. Rejoin the computer to the domain, and then restart the computer.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-26 Managing objects in AD DS

To reset the secure channel by using dsmod, follow this procedure:

1. At a command prompt, type the following command:

dsmod computer “ComputerDN” ‐reset

2. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using netdom, type the following command at a command prompt, where
the credentials belong to the local Administrators group of the computer:

netdom reset <MachineName> /domain <DomainName> /UserO UserName /PasswordO {Password | *}

This command resets the secure channel by attempting to reset the password on both the computer and
the domain, so it does not require rejoining or rebooting.

To reset the secure channel by using nltest, on the computer that has lost its trust, type the following
command at a command prompt:

nltest /server:<servername> /sc_reset:<domain\domaincontroller>

You also can use the Active Directory module for Windows PowerShell to reset a computer account. To
reset the secure channel between the local computer and its domain, run this command on the local
computer:

Test‐ComputerSecureChannel ‐Repair

You can use this command also:

invoke‐command ‐computername <MachineName> ‐scriptblock {reset‐computermachinepassword}

Performing an offline domain join

Typically, when you want to join a computer to a
domain, the computer must be able to
communicate with an online domain controller.
Beginning with the Windows Server 2008 R2
operating system, Microsoft introduced offline
domain join, a feature that allows you to join a
computer to a domain without communicating
directly with an online domain controller. Offline
domain join works with client computers that run
Windows 7 and later and Windows Server 2008 R2
and later. This feature is useful in situations when
connectivity is intermittent, such as when you are
deploying a server to a remote site that is connected via satellite uplink.

Use the command-line tool djoin to perform an offline domain join. This generates a domain-join file and
then imports it to the client computer. When you perform an offline domain join, you need to specify the
following information:

 The domain to which you are joining the computer.

 The name of the computer that you are joining to the domain.

 The name of the savefile that you are transferring to the target of the offline domain join.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-27

To perform an offline domain join, follow this procedure:

1. To provision a computer account in the domain and create the domain-join file, open an elevated
command prompt and use the djoin command with the /provision option. The format for this
command is:

djoin.exe /Provision /Domain <DomainName> /Machine <MachineName> /SaveFile <filepath>

For example, to join the computer Canberra to the domain adatum.com by using the savefile
Canberra‐join.txt, type the following command:

djoin.exe /provision /domain adatum.com /machine canberra /savefile

c:\canberra‐join.txt

If the computer account is not prestaged, it will be created in the Computers container. If the computer
account is prestaged, then you must include the /reuse option in the djoin command.

2. To transfer the savefile to the provisioned computer, use the djoin command with the /requestODJ
option. The format for this command is:

djoin.exe /requestODJ /LoadFile <filepath> /WindowsPath <path to the Windows

directory of the offline image>

Optionally, you can perform the import on an online operating system by using the /localOS option. If
you are using the /localOS option, then set the /WindowsPath option to %systemroot% or
%windir%. For example, to transfer the savefile Canberra-join.txt to the computer Canberra, type
the following command on Canberra:

djoin.exe /requestODJ /loadfile canberra‐join.txt /windowspath %systemroot% /localos

3. Start or restart the computer to complete the domain-join operation.

Question: What causes a computer to lose its trust relationship with the domain?
 MCT USE ONLY. STUDENT USE PROHIBITED
2-28 Managing objects in AD DS

Lab A: Managing AD DS objects

Scenario
You have been working for A. Datum Corporation as a desktop support specialist and have visited desktop
computers to troubleshoot app and network problems. You recently accepted a promotion to the server
support team. One of your first assignments is to configure the infrastructure service for a new branch
office.

To begin deployment of the new branch office, you are preparing AD DS objects. As part of this
preparation, you need to create users and groups for the new branch office that will house the Research
department. Finally, you need to reset the secure channel for a computer account that has lost connectivity
to the domain in the branch office.

Objectives
After completing this lab, you will have:

 Created and configured groups in AD DS.

 Created and configured user accounts in AD DS.

 Managed computer objects in AD DS.

Lab Setup
Estimated Time: 45 minutes

Virtual machines: 20742B-LON-DC1 and 20742B-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you need to use the available VM environment. Before you begin the lab, you must complete
the following steps:
1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20742B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the VM starts.

4. Sign in by using the following credentials:

o User name: Administrator

o Password: Pa55w.rd

o Domain: Adatum

5. Repeat steps 1 through 3 for 20742B-LON-CL1. Do not sign in to LON-CL1 until instructed to do so in
the lab steps.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-29

Exercise 1: Creating and managing groups in AD DS

Scenario
You need to create groups for the Research department. You require a distribution global group to
facilitate email delivery to the Research users. Cai Chu will manage this group. You will also create a
Research Managers group and add Cai Chu and Vera Pace as members of the group. You also need to
create a universal group in the Managers OU that will contain all the departmental managers’ global
groups. After creating the research distribution group, you realize that the group needs access to network
resources, so you must convert the group to a security group.

The main tasks for this exercise are as follows:

1. Create groups and add members.

2. Configure group nesting.

3. Convert a group type from distribution to security.

 Task 1: Create groups and add members

1. On LON-DC1, use Active Directory Administrative Center to create the following groups:
o In the Managers OU, create a universal group named Enterprise Managers.

o In the Research OU, create a global distribution group named Research Mail.

2. Configure the email address of the Research Mail group to be [email protected].

3. Configure Cai Chu as the manager of the Research Mail group.

4. Provide Cai Chu with the right to update the group membership list.

5. In the Research OU, create a new global security group named Research Managers.

6. Add Cai Chu and Vera Pace as members.

 Task 2: Configure group nesting

 Browse to the Managers OU, and then add the Managers global group and the Research Managers
global group as members of the Enterprise Managers universal group.

 Task 3: Convert a group type from distribution to security

 In the Research OU, change the group type of the Research Mail group to be a Security group.

Results: After completing this exercise, you will have:

 Created groups and added members.

 Configured group nesting.

 Converted a group type.

 MCT USE ONLY. STUDENT USE PROHIBITED
2-30 Managing objects in AD DS

Exercise 2: Creating and configuring user accounts in AD DS

Scenario
You have a list of new users that you must create for the branch office. You have decided to create a
template to facilitate the quick creation of users for the branch. You will validate that template by creating a
new test user and checking the properties.

The main tasks for this exercise are as follows:

1. Create and configure a user template for the Research department.

2. Create new users for the Research branch office based on the template.

3. Validate the template.

 Task 1: Create and configure a user template for the Research department
1. Create a new user in the Research OU with the following properties:
o Name: _Research Template

o User UPN Logon: ResearchTemplate

o Password: Pa55w.rd
o Department: Research

o Company: Adatum

o Manager: Cai Chu

o Member of: Research

o Logon script: \\LON-DC1\Netlogon\Logon.bat

2. Disable the account.

3. Close Active Directory Administrative Center.

 Task 2: Create new users for the Research branch office based on the template
1. Use Active Directory Users and Computers to copy the _Research Template account.

2. Create the new user from the template with the following properties:

o First name: Research

o Last name: User

o Password: Pa55w.rd
o Account status: Enabled

 Task 3: Validate the template

 Inspect the properties of the Research User and ensure that the properties are:

o Logon script: \\LON-DC1\Netlogon\Logon.bat

o Department: Research

o Company: Adatum

o Member Of: Research

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-31

Results: After completing this exercise, you will have:

 Created and configured a user template for Research users.

 Created three new users based on the template.

 Signed in to test that the accounts are functioning as expected.

Exercise 3: Managing computer objects in AD DS

Scenario
A user is unable to sign in, and a workstation has lost its connectivity to the domain and cannot
authenticate users properly. When users attempt to access resources from this workstation, access is denied.
You need to repair the trust relationship between the computer and the domain.

The main tasks for this exercise are as follows:

1. Reset a computer account.

2. Observe the behavior when a client attempts to sign in.

3. Resolve the computer issue.

 Task 1: Reset a computer account

 Right-click LON-CL1 in the computers container and reset the account.

 Task 2: Observe the behavior when a client attempts to sign in

 Restart LON-CL1, and then attempt to sign in as Adatum\Adam with the password Pa55w.rd.

Question: What is the message displayed?

Answer: The trust relationship between this workstation and the primary domain failed.

 Task 3: Resolve the computer issue

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa55w.rd.

2. Start an elevated session of Windows PowerShell, and then run the following command:

Test-ComputerSecureChannel –Repair

3. Sign out of LON-CL1, and then attempt to sign in as Adatum\Adam. The sign in will succeed now.

4. Sign out of LON-CL1.

5. Leave the VMs running for the next lab.

 MCT USE ONLY. STUDENT USE PROHIBITED
2-32 Managing objects in AD DS

Results: After completing this exercise, you will have:

 Reset a computer account.

 Observed the behavior when a client signs in.

 Resolved the computer issue.

Question: What types of objects can be members of global groups?

Question: What credentials are necessary for any computer to join a domain?
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-33

Lesson 4
Using Windows PowerShell for AD DS administration
You can use Windows PowerShell to automate AD DS administration. Automating administration speeds
up processes that you might otherwise perform manually. Windows PowerShell includes cmdlets for
performing AD DS administration and for performing bulk operations. You can use bulk operations to
change many AD DS objects in a single step, rather than updating each object manually.

Lesson Objectives
After completing this lesson, you will be able to:

 Use Windows PowerShell to manage user accounts.

 Use Windows PowerShell to manage groups.

 Use Windows PowerShell to manage computer accounts.

 Use Windows PowerShell to manage OUs.

 Describe bulk operations.

 Use graphical tools to perform bulk operations.

 Use Windows PowerShell to query objects.

 Use Windows PowerShell to modify objects.

 Work with comma-separated value files (.csv files).

 Use Windows PowerShell to perform bulk operations.

Using Windows PowerShell cmdlets to manage user accounts

You can use Windows PowerShell cmdlets to
create, modify, and delete user accounts. You can
use these cmdlets for individual operations or as
part of a script to perform bulk operations. The
following table lists some of the commonly used
cmdlets for managing user accounts.

Cmdlet Description

New-ADUser Creates user accounts.

Set-ADUser Modifies properties of user accounts.

Remove-ADUser Deletes user accounts.

Set-ADAccountPassword Resets the password of a user account.

 MCT USE ONLY. STUDENT USE PROHIBITED
2-34 Managing objects in AD DS

Cmdlet Description

Set-ADAccountExpiration Modifies the expiration date of a user account.

Unlock-ADAccount Unlocks a user account when it is locked after exceeding the

accepted number of incorrect sign-in attempts.

Enable-ADAccount Enables a user account.

Disable-ADAccount Disables a user account.

Create new user accounts

When you use the New-ADUser cmdlet to create new user accounts, you can set most user properties,
including a password. For example:

 If you do not use the -AccountPassword parameter, then no password is set and the user account is
disabled. You cannot set the Enabled parameter as $true when no password is set.

 If you use the -AccountPassword parameter to specify a password, then you must specify a variable
that contains the password as a secure string or choose to receive a prompt for the password. A secure
string is encrypted in memory. If you set a password, then you can enable the user account by setting
the -Enabled parameter as $true.

The following table lists commonly used parameters for the New ADUser cmdlet.

Parameter Description

AccountExpirationDate Defines the expiration date for the user account.

AccountPassword Defines the password for the user account.

ChangePasswordAtLogon Requires the user account to change passwords at the next

sign in.

Department Defines the department for the user account.

HomeDirectory Defines the location of the home directory for a user account.

HomeDrive Defines the drive letters that map to the home directory for a user
account.

GivenName Defines the first name for a user.

Surname Defines the last name for a user.

Path Defines the OU or container where the user account is created.

The following command is an example of a command that you could use to create a user account with a
prompt for a password:

New‐ADUser "Sten Faerch" ‐AccountPassword (Read‐Host ‐AsSecureString "Enter password")

‐Department IT
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-35

Using Windows PowerShell cmdlets to manage groups

You can use Windows PowerShell to create,
modify, and delete groups in much the same way
that you do for users. You can use these cmdlets
for individual operations or as part of a script to
perform bulk operations. The following table lists
some of the cmdlets for managing groups.

Cmdlet Description

New-ADGroup Creates new groups.

Set-ADGroup Modifies properties of groups.

Get-ADGroup Displays properties of groups.

Remove-ADGroup Deletes groups.

Add-ADGroupMember Adds members to groups.

Get-ADGroupMember Displays members of groups.

Remove-ADGroupMember Removes members from a group.

Add-ADPrincipalGroupMembership Adds group membership to objects.

Get-ADPrincipalGroupMembership Displays group membership of objects.

Remove-ADPrincipalGroupMembership Removes group membership from an object.

Create new groups

You can use the New-ADGroup cmdlet to create groups. However, when you create groups by using the
New-ADGroup cmdlet, you must use the GroupScope parameter in addition to the group name. This is
the only required parameter. The following table lists commonly used parameters for New-ADGroup.

Parameter Description

Name Defines the name of the group.

GroupScope Defines the scope of the group as DomainLocal, Global, or Universal. You
must provide this parameter.

DisplayName Defines the Lightweight Directory Access Protocol (LDAP) display name for
the object.

GroupCategory Defines whether it is a security group or a distribution group. If you do not

specify either, a security group is created.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-36 Managing objects in AD DS

Parameter Description

ManagedBy Defines a user or group that can manage the group.

Path Defines the OU or container in which the group is created.

SamAccountName Defines a name that is backward-compatible with older operating systems.

The following command is an example of what you could type at a Windows PowerShell prompt to create a
new group:

New‐ADGroup ‐Name "CustomerManagement" ‐Path "ou=managers,dc=adatum,dc=com" ‐GroupScope

Global ‐GroupCategory Security

Manage group membership

There are two sets of cmdlets that you can use to manage group membership: *-ADGroupMember and *-
ADPrincipalGroupMembership. The distinction between these two sets of cmdlets is the perspective used
when modifying group membership:

 The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or
remove members of a group.

o You cannot pipe a list of members to these cmdlets.

o You can pass a list of groups to these cmdlets.

 The *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such as a

user. For example, you can modify a user account to add it as a member of a group.

o You can pipe a list of members to these cmdlets.

o You cannot provide a list of groups to these cmdlets.

Note: Piping is a common process in scripting languages that allows you to use the output of
one cmdlet as input for the next cmdlet in the command. For example, this command creates a
user account and then enables the account:

New‐ADUser –Name "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter

password") | Enable-Account
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-37

Using Windows PowerShell cmdlets to manage computer accounts

You can use Windows PowerShell to create,
modify, and delete computer accounts. You can
use these cmdlets for individual operations or as
part of a script to perform bulk operations. The
following table lists cmdlets that you can use to
manage computer accounts.

Cmdlet Description

New-ADComputer Creates a new computer account.

Set-ADComputer Modifies properties of a computer account.

Get-ADComputer Displays properties of a computer account.

Remove-ADComputer Deletes a computer account.

Test-ComputerSecureChannel Verifies or repairs the trust relationship between a

computer and the domain.

Reset-ComputerMachinePassword Resets the password for a computer account.

Create new computer accounts

You can use the New-ADComputer cmdlet to create a new computer account before you join the
computer to the domain. You do this so that you can create the computer account in the correct OU before
deploying the computer.
The following table lists commonly used parameters for New-ADComputer.

Parameter Description

Name Defines the name of the computer account.

Path Defines the OU or container where the computer account is created.

Enabled Defines whether the computer account is enabled or disabled. By default, the
computer account is enabled and a random password is generated.

The following is an example of a command that you can use to create a computer account:

New‐ADComputer ‐Name LON‐SVR8 ‐Path "ou=marketing,dc=adatum,dc=com" ‐Enabled $true

Repair the trust relationship for a computer account

You can use the Test-ComputerSecureChannel cmdlet with the -Repair parameter to repair a lost trust
relationship between a computer and the domain. You must run the cmdlet on the computer with the lost
trust relationship.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-38 Managing objects in AD DS

Using Windows PowerShell cmdlets to manage OUs

You can use Windows PowerShell cmdlets to
create, modify, and delete OUs. You can use these
cmdlets for individual operations or as part of a
script to perform bulk operations. The following
table lists cmdlets that you can use to manage
OUs.

Cmdlet Description

New-ADOrganizationalUnit Creates OUs.

Set-ADOrganizationalUnit Modifies properties of OUs.

Get-ADOrganizationalUnit Displays properties of OUs.

Remove-ADOrganizationalUnit Deletes OUs.

Create new OUs

You can use New-ADOrganizationalUnit cmdlet to create a new OU to represent departments or physical
locations within in your organization. The following table shows commonly used parameters for the
New-ADOrganizationalUnit cmdlet.

Parameters Description

Name Defines the name of the new OU.

Path Defines the location of the new OU.

ProtectedFromAccidentalDeletion Prevents anyone from accidentally deleting the OU. The

default value is $true.

The following is an example of a command that you can use when you want to create a new OU:

New‐ADOrganizationalUnit ‐Name Sales ‐Path "ou=marketing,dc=adatum,dc=com"

‐ProtectedFromAccidentalDeletion $true
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-39

What are bulk operations?

A bulk operation is a single action that changes
multiple objects. Performing a bulk operation is
much faster than changing many objects
individually. It might also be more accurate,
because performing many individual actions
increases the likelihood of making a typographical
mistake. However, due to the nature of bulk
operations, if you introduce a mistake, it will apply
to every single object that you are changing.
Therefore, ensure that you test your bulk
operation on a smaller object set before executing
it on all the elements that you want to modify.
Common bulk operations in a Windows Server environment include:

 Create new user accounts based on information from a spreadsheet.

 Disable all user accounts that no one has used in the past six months.
 Change the department name for all users belonging to a given department.

You can perform bulk operations with graphical tools, at a command prompt, or by using scripts. Each
method for performing bulk operations has different capabilities. Consider that:

 There are limits to the properties that graphical tools can modify.

 Command-line tools are more flexible than graphical tools when defining queries, and they have more
options for modifying object properties.

 Scripts can combine multiple command-line actions for the most complexity and flexibility.

Demonstration: Using graphical tools to perform bulk operations

In this demonstration, you will see how to use Active Directory Users and Computers to change the Office
attribute for users in the Research OU as a bulk operation.

Demonstration Steps
1. Open Active Directory Users and Computers, and then select the Research OU.

2. Sort the object by Type, and then select all the User objects.

3. Modify the properties to set the Office attribute to Winnipeg.

4. Check the General tab in the properties of one of the users to ensure the update has occurred.

5. Close Active Directory Users and Computers.

 MCT USE ONLY. STUDENT USE PROHIBITED
2-40 Managing objects in AD DS

Querying objects with Windows PowerShell

In Windows PowerShell, you use the Get-* cmdlets
to obtain lists of objects, such as user accounts.
You can also use these cmdlets to generate queries
for objects on which you can perform bulk
operations. The following table lists parameters
that are commonly used with the Get-AD*
cmdlets.

Parameter Description

SearchBase Defines the AD DS path to begin searching; for example, the domain or an
OU.

SearchScope Defines at what level below SearchBase to perform the search. You can
choose to search in the base only, one level down, or in the entire subtree.

ResultSetSize Defines how many objects to return in response to a query. To ensure that
all objects are returned, set this to $null.

Properties Defines which object properties to return and display. To return all
properties, type an asterisk (*). You do not need to use this parameter to
use a property for filtering.

Create a query
You can use the Filter parameter or the LDAPFilter parameter to create queries for objects with the
Get-AD* cmdlets. Use the Filter parameter for queries that you write in Windows PowerShell, and use the
LDAPFilter parameter for queries that you write as LDAP query strings.
Windows PowerShell is preferable because:

 It is easier to write queries in Windows PowerShell.

 You can use variables inside the queries.

 There is automatic conversion of variable types when required.

The following table lists commonly used operators in Windows PowerShell.

Operator Description

-eq Equal to

-ne Not equal to

-lt Less than

-le Less than or equal to

-gt Greater than

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-41

Operator Description

-ge Greater than or equal to

-like Uses wildcards and pattern matches

Filter
As previously mentioned, you can use the Filter parameter to filter data that a Get-* cmdlet retrieves. The
Filter parameter uses the same syntax as the Where-Object cmdlet in Windows PowerShell. As an
example, the following is a command that retrieves all user accounts with Smith as their last name, followed
by the output of the command:

Get-ADUser -Filter {sn -eq "Smith"}

DistinguishedName : CN=Denise Smith,OU=Marketing,DC=Adatum,DC=com
Enabled : True
GivenName : Denise
Name : Denise Smith
ObjectClass : user
ObjectGUID : 1ff1b2cb-38c1-4bc7-bda7-511e19744d2a
SamAccountName : Denise
SID : S-1-5-21-322346712-1256085132-1900709958-1407
Surname : Smith
UserPrincipalName : [email protected]
DistinguishedName : CN=Tony Smith,OU=IT,DC=Adatum,DC=com
Enabled : True
GivenName : Tony
Name : Tony Smith
ObjectClass : user
ObjectGUID : ac7eb8db-3cf1-4e6d-91d3-7527e540c284
SamAccountName : Tony
SID : S-1-5-21-322346712-1256085132-1900709958-1408
Surname : Smith
UserPrincipalName : [email protected]

The Get-* cmdlets that you use to retrieve data from AD DS do not always return all properties for the
objects that they retrieve. For instance, looking at the output above you see only some of the properties
that a user account has in AD DS. You do not see the mail property, for instance. You can use the
-Properties parameters to retrieve properties not returned by default when you run Get-* cmdlets. For
example, the code below returns the same list of users, but with the mail and PasswordLastSet properties:

Get-ADUser -Filter {sn -eq "Smith"} -Properties mail,passwordlastset

DistinguishedName : CN=Denise Smith,OU=Marketing,DC=Adatum,DC=com
Enabled : True
GivenName : Denise
Name : Denise Smith
ObjectClass : user
ObjectGUID : 1ff1b2cb-38c1-4bc7-bda7-511e19744d2a
PasswordLastSet : 7/9/201612:51:30 PM
SamAccountName : Denise
SID : S-1-5-21-322346712-1256085132-1900709958-1407
Surname : Smith
UserPrincipalName : [email protected]
DistinguishedName : CN=Tony Smith,OU=IT,DC=Adatum,DC=com
Enabled : True
GivenName : Tony
Name : Tony Smith
ObjectClass : user
ObjectGUID : ac7eb8db-3cf1-4e6d-91d3-7527e540c284
PasswordLastSet : 7/9/2016 12:51:30 PM
SamAccountName : Tony
 MCT USE ONLY. STUDENT USE PROHIBITED
2-42 Managing objects in AD DS

SID : S-1-5-21-322346712-1256085132-1900709958-1408
Surname : Smith
UserPrincipalName : [email protected]

Use the following command to display all the properties for a user account:

Get‐ADUser ‐Name “Administrator” ‐Properties *

Use the following command to return all the user accounts in the Marketing OU and all its child OUs:

Get‐ADUser ‐Filter * ‐SearchBase "ou=Marketing,dc=adatum,dc=com" ‐SearchScope subtree

Use the following command to show all the user accounts with a last sign-in date before a specific date:

Get‐ADUser ‐Filter {lastlogondate ‐lt "January 1, 2016"}

Use the following command to show all the user accounts in the Marketing department that have a last
sign-in date before a specific date:

Get‐ADUser ‐Filter {(lastlogondate ‐lt "January 1, 2016") ‐and (department ‐eq "Marketing")}

Additional Reading: For more information, refer to: “about_ActiveDirectory_Filter” at:

http://aka.ms/Kv5dy3

LDAPFilter
You can also use the LDAPFilter parameter to filter data that a Get-* cmdlet retrieves. The LDAPFilter
parameter takes a string value that uses the same syntax that you use to build an LDAP query. For example,
this command retrieves all users whose last name is Smith:

Get-ADUser -LDAPFilter "(sn=Smith)"

Search-ADAccount
One of the disadvantages of the Get-AD* cmdlets is how they deal with the UserAccountControl
property. This property is a 4-byte bitmap, where each bit corresponds to a different property linked to an
Active Directory account. The table below shows some of the bits in the bit map.

Hexadecimal value Decimal value Identifier Description

0x00000001 1 ADS_UF_SCRIPT Logon script is executed.

0x00000002 2 ADS_UF_ACCOUNTDISABLE User account is disabled.

0x00000008 8 ADS_UF_HOMEDIR_REQUIRED A home folder is

required.

0x00000010 16 ADS_UF_LOCKOUT User account is locked

out.

Additional Reading: For more information, refer to: “How to use the UserAccountControl
flags to manipulate user account properties” at: http://aka.ms/Mxt8a1
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-43

When you read the UserAccountControl property, you receive a numerical value, not a group of true/false
values per individual flag. For example, the following code shows the UserAccountControl property for all
users whose last name begins with Sm:

Get-ADUser -Filter {sn -like "Sm*"} -Properties userAccountControl|Select Name,

userAccountControl|FT –AutoSize
Name userAccountControl
---- ------------------
Denise Smith 66048
Tony Smith 66048

Imagine that you need to retrieve a list of all disabled accounts in AD DS. To do that, you need to retrieve all
accounts in which the UserAccountControl property has the second-to-last bit enabled. You can do this
by using this code:

Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"|Select Name

Memorizing, or even looking up, flags in the UserAccountControl property is a time-consuming job. Of
course, you can create scripts that already have the code built in and just reuse them. However, it would be
better to have a command that abstracts all that work for you, which is what the Search-ADAccount
cmdlet does. You can retrieve a list of disabled accounts by using the Search-ADAccount cmdlet as
follows:

Search-ADAccount -AccountDisabled | Select name

That is much easier than using Get-ADUser. The following table lists the parameters that the
Search-ADAccount cmdlet uses.

Parameter Description

AccountDisabled Retrieves a list of disabled accounts.

AuthType Specifies the authentication type used when running this command.

AccountExpired Retrieves a list of accounts that have expired.

AccountExpiring Retrieves a list of accounts that expire within a given time span.

AccountInactive Retrieves a list of accounts that will become inactive within a given
time span.

LockedOut Retrieves a list of accounts that are locked out.

PasswordExpired Retrieves a list of accounts that have expired passwords.

PasswordExpiring Retrieves a list of accounts that have passwords that will expire within
a period.

PasswordNeverExpires Retrieves a list of accounts that have passwords that never expire.

ComputersOnly Retrieves computer accounts.

UsersOnly Retrieves user accounts.

TimeSpan Used in conjunction with PasswordExpiring, AccountExpiring, and

AccountInactive to specify the time span for those parameters.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-44 Managing objects in AD DS

Parameter Description

DateTime Used in conjunction with PasswordExpiring, AccountExpiring, and

AccountInactive to specify the expiration date for those
parameters.

SearchBase Specifies the base LDAP container for the search.

SearchScope Specifies the scope for the search.

Server Specifies the server to which to connect.

Here are some examples of the Search-ADAccount cmdlet:

# Retrieve all disabled user accounts

Search-ADAccount -AccountDisabled -UsersOnly
# Retrieve all user accounts inactive for the last 5 days
Search-ADAccount -AccountInactive -TimeSpan -5 -UsersOnly
# Retrieve all user accounts whose password will expire on 7/4/2016
Search-ADAccount -AccountExpiring -DateTime "4/7/2016" -UsersOnly
# Retrieve all computer accounts that are locked out
Search-ADAccount -ComputersOnly -LockedOut

Modifying objects with Windows PowerShell

To perform a bulk operation, you need to pass the
list of objects that you have queried to another
cmdlet to modify the objects. In most cases, you
use the Set-AD* cmdlets to modify the objects.

To pass the list of queried objects to another

cmdlet for further processing, you use the pipe ( | )
character. The pipe character passes each object
from the query to a second cmdlet, which then
performs a specified operation on each object.

You can use the following command for those

accounts that do not have the Company attribute
set. It generates a list of user accounts and sets the
Company attribute to A. Datum.

Get‐ADUser ‐Filter {company ‐notlike "*"} | Set‐ADUser ‐Company "A. Datum"

Additional Reading: For more information, refer to: “Set-ADUser” at: http://aka.ms/K34c8d

As another example, to generate a list of user accounts that have not signed in since a specific date, and
then disable those accounts, you could use the following command:

Get‐ADUser ‐Filter {lastlogondate ‑lt "January 1, 2012"} | Disable‑ADAccount

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-45

Use objects from a text file

Instead of using a list of objects from a query to perform a bulk operation, you can use a list of objects in a
text file. This is useful when you have a list of objects to modify or remove, and it is not possible to generate
that list by using a query. For example, the Human Resources department might generate a list of user
accounts to disable. There is no query that can identify a list of users that have left the organization.
When you use a text file to specify a list of objects, the text file needs to have the name of each object on a
single line.

This is a possible command that you could use to disable the user accounts listed in a text file:

Get‐Content C:\users.txt | Disable‐ADAccount

Working with CSV files

A .csv file can contain much more information than
a simple list. Similar to a spreadsheet, a .csv file can
have multiple rows and columns of information.
Each row in the .csv file represents a single object,
and each column in the .csv file represents a
property of the object. This is useful for bulk
operations, such as creating user accounts, which
require multiple pieces of information.

You can use the Import-Csv cmdlet to read the

contents of a .csv file into a variable and then work
with the data. After importing the data into the
variable, you can refer to each individual row and
column of data. Each column of data has a name that is based on the header row (the first row) of the .csv
file, and you can refer to each column by its name.

Here is an example of a .csv file with a header row:

FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing

In many cases, you will create scripts that you will reuse for multiple .csv files, and you will not know how
many rows there are in each .csv file. In these cases, you can use a foreach loop to process each row in a
.csv file. You do not need to know how many rows there are. During each iteration of the foreach loop, a
row from the .csv is imported into a variable that is then processed.
Use this command to import a .csv file into a variable, and use a foreach loop to display the first name from
each row in a .csv file:

$users=Import-CSV –LiteralPath “C:\users.csv”

foreach ($user in $users)
{
Write-Host "The first name is:" $user.FirstName"
}
 MCT USE ONLY. STUDENT USE PROHIBITED
2-46 Managing objects in AD DS

Demonstration: Performing bulk operations with Windows PowerShell

You can use a script to combine multiple Windows PowerShell commands to perform more complex tasks.
Within a script, you often use variables and loops to process data. Windows PowerShell scripts have a .ps1
extension.

The execution policy on a server determines whether scripts can run. The default execution policy on
Windows Server 2016 is RemoteSigned. This means that local scripts can run without being signed
digitally. You can control the execution policy by using the Set-ExecutionPolicy cmdlet.

Demonstration Steps

Create a new global group in the IT department

1. On LON-DC1, start a Windows PowerShell session with elevated permissions.
2. Run the following command:

New-ADGroup -Name Helpdesk -Path "ou=IT,dc=Adatum,dc=com" –GroupScope Global

Add all users in the IT department to the Helpdesk group

 In the Administrator: Windows PowerShell window, run the following command:

Get-ADUser -Filter "Department -eq 'IT'" | foreach {Add-ADGroupMember "Helpdesk" -

members $_}

Set the address for all users in the Research department

 In the Administrator: Windows PowerShell window, run the following command:

Get-ADuser -Filter {Department -eq "Research"} | Set-ADuser -StreetAddress "1530

Nowhere Ave." -City "Winnipeg" -State "Manitoba" -Country "CA"

Note: Notice that this command filters by using brackets rather than quotes and uses the
Set-ADUser cmdlet rather than a foreach loop.

Create a new OU
 In the Administrator: Windows PowerShell window, run the following command:

New-ADOrganizationalUnit London -Path "dc=Adatum,dc=com”

Run a script to create new users from a .csv file

1. Open E:\Labfiles\Mod02, and then use Notepad to open DemoUsers.csv. Describe the makeup of
the .csv file.
2. Close the file.

3. In Windows PowerShell, change to the root directory E:\Labfiles\Mod02.

4. Run the DemoUsers.ps1 script.

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-47

Verify that the user accounts were created and that the accounts were modified
 In Active Directory Users and Computers, confirm that:

o The London OU exists.

o There are three users in the London OU.

o The Helpdesk group exists in the IT OU and it is populated with IT users.

o The users in the Research OU have their address fields populated.

Question: What is Windows PowerShell Integrated Scripting Environment?

 MCT USE ONLY. STUDENT USE PROHIBITED
2-48 Managing objects in AD DS

Lesson 5
Implementing and managing OUs
When you design your OU structure, planning the Active Directory administrative tasks delegation model is
essential. Although you can use OUs to apply group policies, partition objects, or represent your
organization’s business structure, this model is the most important design consideration for the OU
structure. The administrative tasks delegation model depends on the processes and administrative
requirements in your organization. In this lesson, you will learn about planning and considerations for OU
structure, how permissions work for OUs, and how to delegate permissions for administrative tasks.

Lesson Objectives
After completing this lesson, you will be able to:

 Plan OUs.

 Describe OU hierarchy considerations.

 Describe considerations for using OUs.

 Explain AD DS permissions.

 Delegate AD DS permissions.

 Delegate administrative permissions on an OU.

Planning OUs
As an important administrative component in your
Active Directory domain, OUs enable you to
partition and organize domain objects into a
hierarchical structure. OUs can help you to:

 Delegate rights to administrative groups,

enabling them to administer certain objects or
attributes of objects below that OU.

 Apply group policies to users and computer

objects below that OU.

 Create a hierarchy that enables you to

administer the objects in the domain quickly.

There are several strategies for designing OU structures. The following OU design strategies are the most
common.

Location-based strategy
This strategy uses locations for each top-level OU in the root of the domain. These location-based OUs are
the main organizational element of the OU structure. For example, A. Datum Corporation might use a
location-based strategy to create OUs for each of its physical locations—in London, Toronto, and Sydney—
and then create additional OUs for their branch distribution centers. Each AD DS resource (such as users,
groups, and computers) is located in the OU that corresponds to the location where the resource resides.

The location-based strategy is common when each location operates relatively independently or when
many tasks are delegated to decentralized administrators. For example, the administrative staff in London
can perform the main administrative duties. Administrators in Sydney or Toronto who have some delegated
rights can access their users, groups, and computers quickly. It is advantageous for the local staff to fulfill
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-49

some administrative duties across different types of objects in the same branch. In addition, you do not
have to move objects frequently between the top-level OUs, unless the objects move to another physical
location. Moving objects to another physical location likely requires moving home folders or Microsoft
Exchange Server mailboxes. The location-based strategy also works well for organizations that expect to
expand into new locations, because you can add new locations easily to the OU structure.

Resource-based strategy
This strategy relates to the functions of resources that are in the OU structure. Typically, you separate
resources by function (or objects by type), and you create OUs to represent these functions. For example,
some common top-level OUs are Servers, Workstations, Groups, and Users. The resource-based strategy is
common in smaller organizations, in organizations that administrative staff maintain centrally, and where
administrative delegation is based on the object type, rather than on the location or department. Examples
of these administrative groups include User Helpdesk, Client Support, Virtualization Administration,
and Application-Specific Support. In large organizations, it is likely that those top-level OUs are more
defined in the next subordinate level. For example, the Servers OU might contain child OUs named after
their applications, such as Microsoft Exchange Server or Microsoft SQL Server.

Organization-based strategy
This strategy reflects the structure of an organization’s business logic. Top-level OUs represent departments
within the organization, such as Sales, Research, or Finance. This strategy works well if resources move
frequently or if they are not affiliated with a physical location, and if there are few employee changes
between departments. You should consider this strategy when administrative tasks are delegated on a per-
department basis rather than a per-location basis. For example, an organization with traveling sales teams
and other units that are not location-bound would benefit from an organization-based strategy. However,
this strategy is not a good choice for organizations that frequently realign their business model or that
encourage employees to shift between roles.

Multitenancy-based strategy
This strategy is suitable for organizations that provide the Active Directory infrastructure as a service (IaaS)
to other organizations. This might be a group of affiliated organizations that share the same domain, a
hosted environment, an outsourced environment, or even a private or public cloud provider. This strategy is
appropriate when one organization maintains the Active Directory infrastructure while another
organization manages certain Active Directory objects, or if the first organization relies completely on the
administration of the hosting organization. For example, A. Datum might maintain AD DS for Trey Research
and Contoso, Ltd. Trey Research might want to administer their Users, Groups, and Computers OUs
independently, but might not want to manage Active Directory replication and DNS. Contoso, Ltd. relies
fully on the IT staff from A. Datum for all these tasks. In this scenario, A. Datum would create a top-level OU
for ITServices, where they maintain all administrative accounts and groups, and top-level OUs named
ADatum, Contoso, Ltd., and TreyResearch for each of the managed organizations. Under these OUs, regular
user, group, workstations, and perhaps server accounts are represented as deeper levels. The IT staff of Trey
Research would maintain their own accounts as designed. In the multitenancy-based strategy, it is possible
to allow different tenants to work together or to create privacy settings so that each organization sees its
own resources only. In this strategy, including or separating new organizations can be a straightforward
process.

Hybrid strategy
This strategy uses a combination of OUs based on location, organization, and resources. The multitenancy-
based strategy is also a hybrid strategy. Other hybrid strategies might assign the location at the top level
and separate object types on the next level. The structure of the hybrid strategy depends on the
organizational requirements. For example, the Servers OU could contain OUs for FileServers, IIS, SQL Server,
Exchange Server, and other application servers. The Users OU might contain location or departmental OUs,
 MCT USE ONLY. STUDENT USE PROHIBITED
2-50 Managing objects in AD DS

the Workstations OU might distinguish between Desktops and Laptops, and the Groups OU could
incorporate departmental, location, project, or application-specific groups.
Regardless of which strategy you use to design your OU structure, always remember that the main purpose
is to enable the implementation of an Active Directory administrative tasks model. A second priority might
be Group Policy. We also recommend separating administrative accounts and groups from regular user
accounts and groups that delegated administrators might administer.

OU hierarchy considerations
When planning Active Directory functionality, you
should consider the following high-level aspects of
OU design:

 Administrative purpose. The OU structure

should align primarily to administrative
purposes, such as your Active Directory tasks
delegation model and your GPOs. Avoid
mimicking your organizational chart, unless it
benefits the administrative model.
Organization charts change frequently, and it
is not practical to change your OU structure
that often. If you have requests for
department-specific GPOs, it might be preferable to reflect those departments in a lower level of the
OU structure. However, it is also likely that you have a security and distribution group to reflect the
users in this department, and you can instead use security filtering for that purpose. Users and
managers usually do not see the OU structure, so there is no benefit in listing corporate hierarchies
there. If you want to enable users to browse the organizational structure, ensure that you fill in the
Manager attribute of the user objects. This enables users to use current and previous versions of
Microsoft Outlook in combination with an Exchange Server messaging infrastructure, Microsoft Office
365, or Microsoft SharePoint Server to navigate through the organizational structure. The OU is for
administrative purposes only.

 Inheritance. Inheritance is an important aspect of OU functionality, both for delegation of control and
GPO application. You should design the OU structure to include objects that require the same
administrative control or Group Policy settings within the same OU structure. This way, you can assign
the delegation of control or the GPO setting only once at a higher level in the OU structure, rather than
individually at each child level. Remember that you can block inheritance for certain child OUs if you
do not want AD DS to apply the settings for a higher OU level to certain child OUs.

 Change. Design your OU structure to accommodate change. After you implement an OU structure, it
can be difficult to change, especially if you also change design strategies, such as changing from an
organization-based strategy to a resource-based strategy. Ensure that your OU structure leaves room
for organizational growth and a reasonable level of structural change.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-51

Considerations for using OUs

When you first implement AD DS, there is only one
OU: the Domain Controllers OU. You must create
any other OUs.

OU creation
You can create OUs by using graphical tools such
as Active Directory Users and Computers or Active
Directory Administrative Center. You can also
create OUs by using command-line tools such as
Windows PowerShell.

Note: You must create all new OUs by using

an administrative tool. There is no mechanism to copy existing OUs to create new ones.

Preventing accidental deletion

Accidental deletion is one of the major causes of Active Directory recoveries. Therefore, Windows Server
2016 supports the Protect OUs from Accidental Deletion feature of AD DS. OUs that have protection
from accidental deletion share the following benefits:

 Administrators cannot accidentally delete OUs. If they want to delete an OU intentionally, they must
remove the protection prior to deleting the OU.

 Administrators cannot accidentally move OUs.

 OUs that you have newly created by using Active Directory Administrative Center or Active Directory
Users and Computers in Windows Server 2008 or newer have automatic protection against accidental
deletion.

You can enable or disable the protection from accidental deletion in the Active Directory Administrative
Center in the properties dialog box of the OU. You can also use Active Directory Users and Computers
to enable or disable the protection from accidental deletion on the Object tab in the OU Properties
dialog box.

Note: You must enable the advanced view in Active Directory Users and Computers before
you can see the Object tab in the OU properties dialog box.

You can also use Windows PowerShell to enable or disable protection. For example, you can search for OUs
that are not protected and enable protection with the following command:

Get-ADOrganizationalUnit –filter * -properties ProtectedFromAccidentalDeletion | where

{$_.ProtectedFromAccidentalDeletion –eq $false} | Set-ADOrganizationalUnit –
protectedFromAccidentalDeletion $true
 MCT USE ONLY. STUDENT USE PROHIBITED
2-52 Managing objects in AD DS

Moving objects between OUs

As job roles change or computers are reassigned, you will need to move objects in AD DS to different OUs.
Moving objects between OUs in the same domain is a simple task. You can right-click the object and select
Move and then select the new location, or you can click and drag the object to the new OU. Moving
objects has the following effects on the objects’ permissions:
 Permissions assigned directly to the object remain in place after the object moves.

 The object will inherit new permissions from its new OU and will lose any inherited permissions from
the previous OU.

Permissions required to move objects

The following permissions are required to move AD DS objects:

 Delete_Child permission on the source OU (or Delete permission on the object that you are moving).
 Write_Prop permission on the object for the relative distinguished name (RDN), distinguished name
(DN), and common name (CN) properties.

 Create_child permission on the target OU.

AD DS permissions
You implement the Active Directory administrative
delegation model by merging the OU design with
the permissions on the OUs. This enables
delegated administrators to fulfil administrative
tasks. To create the administrative task model and
design the OU structure to support it, you must
understand how Active Directory administrative
delegation works. You must also understand the
options for delegating administrative control.

How do users get permissions?

When users sign in to an Active Directory domain,
they receive a token. A token is a list of the SIDs of
their individual account, historical accounts (if they have been migrated), and every group they belong to
(even recursively). If any group was migrated from another domain, it is likely that they also received the
historical SIDs of those groups in the former domain.

In Windows operating systems, many objects (such as files, folders, registry keys, processes, and Active
Directory objects) contain a security descriptor. Based on the SID, the security descriptor defines which
rights are granted or denied and to whom.

When a user browses files and folders or registry keys, or navigates through the Active Directory domain
structure, the system compares the list of SIDs in the token with the list of SIDs in the security descriptor. If
there are any matching SIDs, the system validates the type of access and allows or prohibits the current
operation.

Active Directory OU permissions

In Active Directory, the permission model is more complex than in most other Windows operating system
services. Security settings on the Active Directory domain are inherited hierarchically in the OU structure of
that domain. At any point in the structure, you can configure additional security settings that could be
inherited throughout the hierarchy—depending on the scope of inheritance that the security setting
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-53

defines and whether inheritance is blocked at a lower level. New objects obtain default security settings
(which the schema class defines) and inherit security settings from their parents. For example, in the OU
schema definition, Account Operators has full rights to create and delete objects for computer accounts,
user accounts, group objects, and inetOrgPerson objects. Therefore, if you remove the default Account
Operators group from the security permissions of an OU, and then create a child OU, the child OU retains
the explicit security settings of the Account Operators.

Active Directory object security descriptors

A security descriptor of an Active Directory object contains the following parts:
 The owner of the object. The owner can reset security settings even when he or she accidentally
configured them to have no permissions on the object.

 The primary group of the owner.

 A control field that specifies whether the discretionary access control list (DACL) or system access
control list (SACL) is present or is blocking inheritance.

 An optional DACL. The optional DACL contains permissions for granting or denying access.

 An optional SACL. The optional SACL contains the auditing permissions when you have enabled
Success or Failure auditing.

The DACL and SACL are containers that contain one or more access control entries (ACEs). An ACE stores
the following information:

 Who (which security principal, such as a user or group) is allowed or denied access.

 What permissions are granted to the security principal— Read, Write, Create, or Delete.

 On which objects, or object attributes, can an action be performed.

 At what sublevels can an action be performed (on the OU level only, on objects only in the OU, or
objects in any sub-OU).

In the OU properties dialog box, you use the Security tab—in particular, the Advanced Security dialog
box—to verify or adjust security settings. The Security Delegation Wizard assists with some common
tasks, but you cannot use it to review the security settings.

Delegating AD DS permissions
Domain administrators have full rights to all
objects in the domain. Other default built-in
groups have limited rights to objects in the
domain. For example, the Account Operators
group has full rights over Users, Computers, and
Group objects, but not other types of objects. If
you want certain users or groups to have
permission to perform only specific tasks in
specific areas of the directory, then you must
delegate those tasks.

Delegation control methods

When you delegate control of objects in your
Active Directory OU, you must consider two factors: to whom and where in the directory hierarchy you are
granting permissions. In AD DS, you can grant specific rights on resources. You can allow the creation or
deletion of only certain object types, or you can select the individuals who have rights on a particular
 MCT USE ONLY. STUDENT USE PROHIBITED
2-54 Managing objects in AD DS

attribute of a specific object type, such as group account descriptions or their members. Except in rare cases
(such as service accounts), you should always grant administrative control to groups rather than users. Even
if the group contains only one user, this individual might leave the organization, and determining where
that individual had permissions is harder than changing the appropriate group memberships.

There are two methods for delegating administrative control over Active Directory domain resources:

 Object-type delegation. In this delegation model, you can delegate various levels of control to groups
based on the objects that the groups control. An example of an object-type delegation would be if you
delegated control to the Toronto Admins group for objects within the Toronto OU. In this case, the
Toronto Admins group is likely responsible for most administrative tasks within the Toronto OU.

You typically use object-type delegation if there are only a few administrators or if minor delegation is
required. This type of delegation also works well if many administrators require the same level of
control, typically over most of the domain structure.

We do not recommend object-type delegation in an environment where different users require various
levels of control over different objects, because it can be difficult to determine which level of control to
grant to which users for a specific object.

 Role-based delegation. This delegation model involves creating several specific groups to which you
delegate administrative control. These groups usually relate to a specific resource (or resources), and
you can name groups for the level of control that you assign to them. Unlike object-based delegation,
role-based delegation involves granting permissions to modify only some of the attributes of an
object. For example, you could create the role-based group Change Finance User Password, and
then assign permissions to that group to change passwords for any users in the Finance OU.

To ensure that your role-based delegation is effective, all functions or roles within the Active Directory
domain structure should have an associated group. This level of specificity can help you to determine
which level of control you have assigned to an individual user, because you simply examine the role-
based groups to which the user belongs.

Role-based delegation can take longer to implement than object-type delegation. However, if you
design the OU and group structure properly, role-based delegation saves administrative effort and
frustration, especially for larger organizations.

The Delegation of Control Wizard

This tool can be very useful in delegating administrative rights to objects in AD DS to groups or individuals.
It helps to simplify what permissions are required to perform everyday administrative tasks such as resetting
passwords or modifying group memberships. The wizard provides a list of common tasks that you can
assign or allows you to create a custom task based on the type of object you want to delegate control of.

To start the Delegation of Control Wizard, right-click the container, and then click Delegate Control.
Select the user or group that you wish to assign rights to, and then select the tasks that you want them to
perform.

Note: Running the Delegation of Control Wizard at the domain level provides a common
task to Join a computer to the domain. This task only appears when the wizard runs at the
domain level.

Assigning permissions manually

The advanced security properties of an OU allow you to be very granular about what permissions you grant
to users and groups. For example, you might wish to grant the ability to modify only certain user attributes,
such as home address and job title, to Human Resources employees.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-55

Demonstration: Delegating administrative permissions on an OU

In this demonstration, you will see how to create a new OU, use the Delegation of Control Wizard to
assign a task, and use advanced OU security to assign granular permissions to the Research group.

Demonstration Steps

Create a new OU
 Use Active Directory Users and Computers to create a new OU named Human Resources in
Adatum.com.

Use the Delegation of Control Wizard to assign a task

1. Start the Delegation of Control Wizard at the Adatum.com level.

2. Select the Helpdesk group, and then assign the following tasks:

o Reset user passwords and force password change at next logon

o Join a computer to the domain

Assign the Research group the right to modify user addresses and job titles in the
Research OU
1. Turn on Advanced Features.

2. Open the Research OU properties.

3. In the advanced security section, select the Research group, and then assign the following permissions
on the Descendant User objects:

o Write Home Address

o Write Job Title

Question: What is the advantage of using the Delegation of Control Wizard?

 MCT USE ONLY. STUDENT USE PROHIBITED
2-56 Managing objects in AD DS

Lab B: Administering AD DS
Scenario
You have been working for the A. Datum Corporation as a desktop support specialist and have performed
troubleshooting tasks on desktop computers to resolve application and network problems. You recently
accepted a promotion to the server support team. One of your first assignments is to configure the
infrastructure service for a new branch office.

To begin the deployment of the new branch office, you are preparing AD DS objects. As part of this
preparation, you need to create an OU for the branch office and delegate permission to manage it. Also,
you need to evaluate Windows PowerShell to manage AD DS more efficiently.

Objectives
After completing this lab, you will have:

 Delegated administration for OUs.

 Used Windows PowerShell to manage AD DS objects.

Lab Setup
Estimated Time: 45 minutes

Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you need to use the available VM environment. Before you begin the lab, you must complete
the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20742B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the VM starts.

4. Sign in by using the following credentials:

o User name: Administrator

o Password: Pa55w.rd

o Domain: Adatum

5. Repeat steps 1 through 4 for 20742B-LON-SVR1.

6. Repeat steps 1 through 3 for 20742B-LON-CL1. Do not sign in to LON-CL1 until instructed to do so in
the lab steps.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-57

Exercise 1: Delegating administration for OUs

Scenario
A. Datum Corporation delegates management of each branch office to a specific group. This allows IT
employees who work onsite to be administrators for the branch. Each branch office has a branch
administrators group that can perform full administration within the branch office OU. There is also a
branch office helpdesk group that can manage users in the branch office OU, but not other objects. You
need to create the OU and these groups for the new branch office and delegate permissions to the groups.
You will also validate the permissions.

The main tasks for this exercise are as follows:

1. Create a new OU for the branch office.

2. Create groups for branch administrators and branch help-desk personnel.

3. Add members to the group.

4. Delegate permissions to the group.

5. Test permissions.

 Task 1: Create a new OU for the branch office

 On LON-DC1, use Active Directory Users and Computers to create a new OU named London.

 Task 2: Create groups for branch administrators and branch help-desk personnel
 In the London OU, create the following global security groups:
o London Admins

o London Helpdesk

 Task 3: Add members to the group

1. Select the IT OU.
2. Add Beth Burke to the London Admins group.

3. Add Dante Dabney to the London Helpdesk group.

 Task 4: Delegate permissions to the group

1. In Active Directory Users and Computers, enable the Advanced Features view.

2. Set permissions on the Security tab of the London OU properties to give the London Admins group
Full Control.

3. Use the Delegation of Control Wizard to grant Full Control over User objects in the London OU to
the London Helpdesk group.

 Task 5: Test permissions

 On LON-SVR1, use the Add Roles and Features Wizard in Server Manager to install the AD DS
Tools feature. When this task is complete, sign out of LON-SVR1.

Test permissions for London Admins

1. Sign in to LON-SVR1 as Beth with the password Pa55w.rd.

2. Open Active Directory Users and Computers.

3. Click the Research OU. Notice that the icons on the toolbar for creating users, groups, or OUs are
dimmed.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-58 Managing objects in AD DS

4. Click the London OU, and then notice that those icons are available now.

5. Create a sub-OU in the London OU named Laptops.

6. Sign out of LON-SVR1.

Test permissions for London Helpdesk

1. Sign in to LON-SVR1 as Dante with the password Pa55w.rd.

2. Open Active Directory Users and Computers.

3. Select the London OU. Notice that the only available icon is the create user icon.

Results: After completing this exercise, you will have:

 Created a new OU for the branch office.

 Created groups for branch administrators and branch help-desk personnel.

 Added members to the group.

 Delegated permission to the groups.

 Installed Active Directory Domain Services (AD DS) tools and tested permissions.

Exercise 2: Creating and modifying AD DS objects with Windows PowerShell

Scenario
A. Datum Corporation has several scripts that administrators have used in the past to create user accounts
by using command-line tools. However, an enterprise-wide mandate specifies that administrators will use
Windows PowerShell to perform all future scripting. As the first step in creating scripts, you need to identify
the syntax required to manage AD DS objects in Windows PowerShell.
You have a .csv file that contains a large list of new users for the branch office. It is inefficient to create these
users individually with graphical tools, so you will use a Windows PowerShell script instead. A colleague
who has experience with scripting has given you a script that she created. You need to sign in as branch
administrator and modify the script to match the format of your .csv file.

The main tasks for this exercise are as follows:

1. Create a user account by using Windows PowerShell.

2. Create a new group by using Windows PowerShell.

3. Add a member to the group by using Windows PowerShell.

4. Modify the .csv file.

5. Modify the script.

6. Run the script.

7. Prepare for the next module.

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-59

 Task 1: Create a user account by using Windows PowerShell

1. Switch to LON-DC1.

2. Start an elevated session of Windows PowerShell.

3. Create a user account for Ty Carlson in the London OU by running the following command:

New‐ADUser ‐Name Ty ‐DisplayName "Ty Carlson" ‐GivenName Ty ‐Surname Carlson ‐Path

"ou=London,dc=adatum,dc=com"

4. Run the following command to set the password as Pa55w.rd:

Set-ADAccountPassword Ty

The current password is blank.

5. Run the following command to enable the account:

Enable-ADAccount Ty

6. Test the account by switching to LON-CL1, and then sign in as Ty with the password Pa55w.rd.

 Task 2: Create a new group by using Windows PowerShell

 On LON-DC1, in the Administrator: Windows PowerShell window, run the following command:

New‐ADGroup LondonBranchUsers ‐Path "ou=London,dc=adatum,dc=com" ‐GroupScope Global

‐GroupCategory Security

 Task 3: Add a member to the group by using Windows PowerShell

1. In the Administrator: Windows PowerShell window, run the following command:

Add‐ADGroupMember LondonBranchUsers ‐Members Ty

2. Confirm that the user is in the group by running the following command:

Get‐ADGroupMember LondonBranchUsers

 Task 4: Modify the .csv file

1. Use Notepad to modify the .csv file by adding the following header:

FirstName,LastName,Department,DefaultPassword

2. Save and close the file.

 Task 5: Modify the script

1. In the Administrator: Windows PowerShell (ISE) window, replace these variables:

C:\path\file.csv with E:\Labfiles\Mod02\LabUsers.csv

"ou=orgunit,dc=domain,dc=com" with "ou=London,dc=adatum,dc=com"

2. Save the file, and then close the Administrator: Windows PowerShell (ISE) window.
 MCT USE ONLY. STUDENT USE PROHIBITED
2-60 Managing objects in AD DS

 Task 6: Run the script

1. Switch to the Administrator: Windows PowerShell window.

2. Change the root directory to E:\Labfiles\Mod02.

3. Type .\LabUsers.ps1 to run the script.

4. Run the following command to ensure that you created the users:

Get‐ADUser ‐Filter * ‐SearchBase "ou=London,dc=adatum,dc=com"

 Task 7: Prepare for the next module

When you are finished with the lab, revert all VMs to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1 and 20742B-LON-CL1.

Results: After completing this lab, you will have:

 Created a user account by using Windows PowerShell.

 Created a group by using Windows PowerShell.

 Added a user to a group by using Windows PowerShell.

 Modified the .csv file.

 Modified the script.

 Run the script.

Question: Why are the users that this script created enabled?
Question: What is the status of accounts that the New-ADUser cmdlet creates?
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 2-61

Module Review and Takeaways

Real-world Issues and Scenarios
Many organizations will create some user accounts based on job role rather than the user filling the role.
For example, the organization will always have a receptionist. To provide continuity, the person filling that
role uses a generic account named reception. That way, when a new person fills the position, the only
required task is to change the password of the reception user. Apps, settings, documents, and emails will
stay consistent.

Tools
The following table lists the tools that this module references.

Tool Used for Where to find it

Windows PowerShell Command-line and scripting of Native to the operating

all administrative tasks. system.

Active Directory Administrative Performing day-to-day In Server Manager, under the

Center administrative tasks in AD DS. Tools menu, or in Control
Panel in Administrative
Tools.

Active Directory Users and Performing day-to-day In Server Manager, under the
Computers administrative tasks in AD DS. Tools menu, or in Control
Panel in Administrative
Tools.

Delegation of Control Wizard Assigning permissions to Right-click on an OU in Active

perform administrative tasks. Directory Users and
Computers.

Best Practice
Consider the following best practices for AD DS administration:
 Avoid using the built-in groups to delegate administrative access unless you understand all the
permissions that the group membership grants.

 Create specialized administrative groups and assign them only the rights and permissions required to
complete the tasks assigned.

 Develop Windows PowerShell scripts to perform repetitive tasks.

 Do not sign in with your administrative account for day-to-day activities. Only use it when you need to
perform an administrative task.

Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip

Users are unable to access network resources.

You have assigned a user some administrative

rights in AD DS, but he says that he has no tool to
perform the task.
MCT USE ONLY. STUDENT USE PROHIBITED