70-742 Identity with Windows Server 2016

LAB 2
CREATING AND
MANAGING ACTIVE
DIRECTORY USERS
AND COMPUTERS

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 2.1 Creating a Single User in Active Directory User and Computers

Exercise 2.2 Creating and Using User Templates

Exercise 2.3 Creating Computer Objects

Exercise 2.4 Using Active Directory Administrative Center

Exercise 2.5 Configuring User Rights

Lab Challenge Creating Users with Windows PowerShell

Lab Challenge Creating Multiple Users Using LDIFDE

BEFORE YOU BEGIN

The lab environment consists of student workstations connected to a local area

network, along with a server that functions as the domain controller for a domain
called adatum.com. The computers required for this lab are listed in Table 2-1.
70-742 Identity with Windows Server 2016

Table 2-1
Computers required for Lab 2
Computer Operating System Computer Name
Server (VM 1) Windows Server 2016 LON-DC1

In addition to the computers, you will also require the software listed in Table 2-2 to
complete Lab 2.

Table 2-2
Software required for Lab 2
Software Location
Lab 2 student worksheet Lab02_worksheet.docx (provided by instructor)

Working with Lab Worksheets

Each lab in this manual requires that you answer questions, shoot screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab02_worksheet.docx. You will find these worksheets on the book companion
site. It is recommended that you use a USB flash drive to store your worksheets, so
you can submit them to your instructor for review. As you perform the exercises in
each lab, open the appropriate worksheet file using Word, fill in the required
information, and then save the file to your flash drive.

SCENARIO

After completing this lab, you will be able to:

 Create a single user in Active Directory

 Create and use user templates

 Create computer objects

 Use Active Directory Administrative Center

 Configure user rights

 Create users with Windows PowerShell

 Create multiple users using LDIFDE

Estimated lab time: 120 minutes

70-742 Identity with Windows Server 2016

Creating a Single User in Active Directory User and

Exercise 2.1 Computers
Overview In this exercise, you will use the Active Directory Users and
Computers console to create and manage a domain user account.
Mindset A user account is used by Windows to determine which changes can be
made on the computer, which files and folders you have access to, and
which user preferences you might have (such as your choice of desktop
wallpaper, color schemes, drive mappings, and/or screen savers). There
are standard accounts used to perform daily tasks on the computer that
are limited in what they can do as well as administrative accounts that
provide full control over the computer.
Completion time 20 minutes

1. On LON-DC1, log on to adatum\administrator with the password of Pa$

$w0rd. Server Manager opens.

2. In Server Manager, click Tools > Active Directory Users and Computers.

3. In the Active Directory Users and Computers console, expand the Adatum.com
node and then click the Sales organizational unit, as shown in Figure 2-1.

Figure 2-1
70-742 Identity with Windows Server 2016

The Active Directory Users and Computers showing the Sales organizational unit.

4. Right-click the Sales OU and choose New > User.

5. In the New Object – User Wizard dialog box, in the First name text box, type
Lori. In the Last name text box, type Kane.

6. In the User logon name text box, type [email protected].

What is the user logon name (pre-Windows 2000) value set

Question to?
1
ADATUM\ Lkane

7. In the user logon name (pre-Windows 2000) text box, type adatum\lkane.

8. Click Next.

9. In the Password text box and the Confirm password text box, type Pa$$w0rd.

10. Clear the User must change password at next logon check box and then select
the Password never expires. Click Next.

11. Click Finish.

12. Take a screen shot of the User OU in the Active Directory Users and Computers
console, showing the user object the wizard created, by pressing Alt+PrtScr, and
then paste the resulting image into the Lab02_worksheet file in the page provided
by pressing Ctrl+V.
70-742 Identity with Windows Server 2016

13. Right-click the Lori Kane user account and choose Properties.

14. In the Lori Kane Properties dialog box, on the General tab, in the Telephone
number text box, type 123-123-1234.

15. Click the Address tab.

16. In the Street Address text box, type 1234 Main St

17. In the City text box, type London.

18. In the State/province text box, type CA.

19. For the Zip/Postal Code, type 44234.

20. For the Country/region, select United States.

21. Click the Organization tab.

22. In the Job Title, type Sales Assistant. In the Department, type Sales. In the
Company Name, type Adatum Corporation.

23. Click the Change button.

24. In the Select User or Contact dialog box, in the enter the object name to select
text box, type Lakisha Dennis, and then click OK.
70-742 Identity with Windows Server 2016

25. Take a screen shot of the Lori Kane Properties dialog box by pressing
Alt+PrtScr and then paste the resulting image into the Lab02_worksheet file in
the page provided by pressing Ctrl+V.

26. Click OK to close the Lori Kane Properties dialog box, then right-click the Lori
Kane user account and choose Reset Password.

27. In the Reset Password dialog box, in the New password text box and the Confirm
password text box, type Password01 and then click OK.

28. When the password has been changed, click OK.

Leave Active Directory Users and Computers open for the next exercise.

Exercise 2.2 Creating and Using User Templates

Overview In this exercise, you will create a user template from an existing user
account. You will then use the user template to create an additional
user account.
Mindset In some cases, you need to create single users on a regular basis, but the
user accounts contain so many attributes that creating them individually
becomes time-consuming. To speed up the process of creating complex
user objects, you can use templates.
Completion time 15 minutes

1. On LON-DC1, in Active Directory Users and Computers, right-click the Lori Kane
user account and choose Copy.
70-742 Identity with Windows Server 2016

2. In the Copy Object – User dialog box, in the First name text box type Sales. In the Last
Name text box, type Template.

3. In the User login name text box, type SalesTemplate. Click Next.

4. In the Password text box and the Confirm password text box, type Pa$$w0rd.

5. Deselect the Password never expires option and then select the User must change
password at next logon option. Click Next.

6. Click Finish.

7. Double-click the Sales Template user account and then click the Account tab.

8. Under account options, scroll down and select the Account is disabled option, as shown
in Figure 2-2.

Figure 2-2
Disabling an account

9. Click the Member Of tab.

10. Click the Add button.

70-742 Identity with Windows Server 2016

11. In the Select Groups dialog box, in the Enter the object names to select text box, type
Sales and then click OK.

12. Close the Sales Template Properties dialog box by clicking OK.

13. Right-click the Sales Template user account and choose Copy.

14. In the Copy Object – User dialog box, type the following information and then click
Next:

First name: James

Last Name: Tomas

User logon name: [email protected]

User logon name (pre-Windows 2000): JTomas

15. In the Password text box and the Confirm password text box, type Pa$$w0rd.

16. Deselect the Account is disabled option and then click Next.

17. Take a screen shot of the Active Directory Users and Computers console with the Copy
Object – User dialog box by pressing Alt+PrtScr and then paste the resulting image into
the Lab02_worksheet file in the page provided by pressing Ctrl+V.
70-742 Identity with Windows Server 2016

18. Click Finish.

19. Double-click the James Tomas account and then click the Member Of tab.

Which group is James Tomas a member of?

Question
2
Domain users and sales

20. Close the James Tomas Properties dialog box by clicking OK.

Leave Active Directory Users and Computers open for the next exercise.

Exercise 2.3 Creating Computer Objects

Overview In this exercise, you will use the Active Directory Users and
Computers console to create a computer object.

Mindset Like user accounts, Windows computer accounts provide a means for
authenticating and auditing the computer’s access to a Windows network
and its access to domain resources. Each Windows computer to which
you want to grant access to resources must have a unique computer
account. It can also be used for auditing purposes, specifying which
system was used when something was accessed.
Completion time 10 minutes

1. On LON-DC1, in Active Directory Users and Computers, click the Computers OU.

2. Double-click LON-CL1.

3. Click the Operating System tab.

Which operating system and version does LON-CL1 have?

Question
3 Windows Server 2016 Standard Evaluation. Version 10.0
(14393)

4. Click the Member Of tab.

Which group is LON-CL1 a member of?

Question
4
Domain computers
70-742 Identity with Windows Server 2016

5. Close the LON-CL1 Properties dialog box by clicking OK.

6. Right-click the Computers OU and choose New > Computer.

7. In the New Object – Computer dialog box, in the Computer name text box, type
Wkstn1.

8. Under User or group, click Change. The Select User or Group dialog box
appears.

9. In the Enter the object name to select text box, type Domain Computers and
then click OK. The group appears in the User or group text box.

10. Close the New Object – Computer dialog box by clicking OK.

11. Take a screen shot of the Computers container in the Active Directory Users and
Computers console, showing the computer object the wizard created, by pressing
Alt+PrtScr and then paste the resulting image into the Lab02_worksheet file in
the page provided by pressing Ctrl+V.

Close Active Directory Users and Computers.

Exercise 2.4 Using Active Directory Administrative Center

Overview In this exercise, you will use the Active Directory Administrative
70-742 Identity with Windows Server 2016

Center console to create user and computer objects.

Mindset Beginning with Windows Server 2008 R2, in addition to using Active
Directory Users and Computers, administrators can manage their
directory service objects by using the new Active Directory
Administrative Center. The Active Directory Administrative Center has a
built-in Windows PowerShell command-line interface and a rich
graphical user interface.
Completion time 15 minutes

1. On LON-DC1, in Server Manager, click Tools > Active Directory Administrative

Center.

2. In the Active Directory Administrative Center console (as shown in Figure 2-3), in the
left pane, select the Adatum (local) node and, in the center pane, double-click the
Computers OU.

Figure 2-3
The Active Directory Administrative Center

Question How many computer accounts are shown?

70-742 Identity with Windows Server 2016

5 3 computers

3. Right-click Wkstn1 and choose Delete. When you are prompted to confirm you want to
perform this action, click Yes.

4. Right-click the white area of the Computers pane and choose New > Computer.

5. In the Create Computer dialog box, in the Computer name text box, type Wkstn10 and
then OK.

6. Take a screen shot of the Computers container by pressing Alt+PrtScr and then paste
the resulting image into the Lab02_worksheet file in the page provided by pressing
Ctrl+V.

7. In the left pane, select Adatum (local). Then in the right pane, double-click the Sales
OU.

8. In the Tasks pane, under Sales, select New > User. The Create User dialog box
appears (see Figure 2-4).
70-742 Identity with Windows Server 2016

Figure 2-4
The Create User dialog box

9. In the First name text box, type Monica, and in the Last name text box, type
Brink.

10. In the User UPN logon text box, specify [email protected].

11. In the User SamAccountName Logon text box, type mbrink. In the Password
and Confirm password fields, type Pa$$w0rd.

12. Scroll down and, in the Member Of section, click Add. The Select Groups dialog
box appears.

13. In the Enter the object names to select text box, type Sales and then click OK.
The group appears in the Member Of text box.

14. Click OK. The new user object appears in the Sales OU.

15. Double-click the Monica Brink user account. In the Monica Brink dialog box,
and scroll down to the Member Of section.

16. Take a screen shot of the Active Directory Administrative Center showing
Monica Brink Member Of section by pressing Alt+PrtScr and then paste the
70-742 Identity with Windows Server 2016

resulting image into the Lab02_worksheet file in the page provided by pressing
Ctrl+V.

Besides the Sales group, which other group was the user
Question added to?
6
Domain users

17. Close the Monica Brink dialog box by clicking Cancel.

Close any open windows before you begin the next exercise.

Exercise 2.5 Configuring User Rights

Overview In this exercise, you will use the Group Policy Editor to manage user
right assignments for the Default Domain Controller policy.
Mindset A user right authorizes a user to perform certain actions on a computer,
such as logging on to a system interactively or backing up files and
directories on a system. User rights are assigned through local policies or
Active Directory group policies.
Completion time 15 minutes

1. On LON-DC1, in Server Manager, click Tools > Group Policy Management.

70-742 Identity with Windows Server 2016

2. In the Group Policy Management console, expand Forest: Adatum.com, expand

Domains, expand Adatum.com, and expand Group Policy Objects. Right-click Default
Domain Controllers Policy and choose Edit.

3. In the Group Policy Management Editor, under Computer Configuration, expand

Policies, expand Windows Settings, expand Security Settings, expand Local Policies,
and then click User Rights Management. Click User Rights Assignment (see Figure 2-
5).

Figure 2-5
Managing user rights

4. Scroll down through the list and view how many user rights are assigned to the
administrators group (as shown in the Policy Setting column).

5. Double-click Allow log on locally.

Which groups are assigned the Allow log on locally user

right?
Question
7 Account operators, administrators, backup operators,
ENTERPRIES DOMAIN CONTROLLERS, print operators,
and server operators
70-742 Identity with Windows Server 2016

6. Click Cancel to close the Allow log on locally Properties dialog box.

Which user or groups have the Deny log on locally right?

Question
8
none

Which user or groups have the Force shutdown from a

Question remote system right?
9
Administrators and server operators

7. Double-click the Back up files and directories right.

Which user or groups have the Back up files and directories

Question right?
10
Administrators, backup operators, server operators.

8. Click Add User or Group.

9. In the Add User or Group dialog box, type Key Admins and then click OK.

10. Take a screen shot of the Back up files and directories Properties dialog box by pressing
Alt+PrtScr, and then paste the resulting image into the Lab02_worksheet file in the page
provided by pressing Ctrl+V.
70-742 Identity with Windows Server 2016

11. Close the Back up files and directories Properties dialog box by clicking OK.

Which user or groups have the Restore files and directories

Question right?
12
Administrators, server operators, backup operators,

12. Double-click Shut down the system right.

Which user or groups have the Shut down the system right?
Question
13 Administrators, backup operators, print operators and server
operators.

13. Close the Shut down the system Properties dialog box by clicking OK.

Close all windows.

Lab
Challenge Creating Users with Windows PowerShell
Overview In this lab challenge, you will create Active Directory user objects
on a domain controller using Windows PowerShell commands.
Mindset Microsoft places emphasis on Windows PowerShell as a server
management tool and provides a cmdlet called New-ADUser, which you
can use to create a user account and configure any or all of the attributes
associated with it. New-ADUser provides several parameters that enable
you to access to all the user object’s attributes.
Completion time 30 minutes

To complete this challenge, you must use Windows PowerShell only, on LON-
DC1, to create user objects in the adatum.com domain, in the Sales container, for
the following users:

 Syed Abbas

 Brenda Diaz

 Steve Masters
70-742 Identity with Windows Server 2016

For each user, form the user logon name with the user's first initial and surname.
Disable the User must change password at next logon option and enable the
Password never expires option. Type Pa$$w0rd whenever prompted by
AccountPassword and then press Enter.

Close any open windows before you begin the next exercise.

Lab
Challenge Creating Multiple Users Using LDIFDE
Overview In this lab challenge, you will create batches of users in one
operation by using the LDIFDE.exe program from the command
prompt.
Mindset LDIFDE.exe is a utility that provides the same basic functionality as
CSVDE.exe and provides you with the capability of modifying existing
records in Active Directory. For this reason, LDIFDE.exe is a more
flexible option.
Completion time 15 minutes

To complete this challenge, you will create a correctly formatted LDIF input data
file to create the following domain user accounts in the Sales OU of the
adatum.com domain. For each user, form the user logon name with the user's first
initial and surname. For the user principal name, use an email address formed
from the user logon name and the domain name.

 Oliver Kiel

 Marie Dubois

 Maurice Taylor

 Esther Valle

 Raffaella Bonaldi

End of lab.