Official Microsoft Learning Product 20742B

This document discusses managing different objects in Active Directory Domain Services, including lessons on managing user accounts, groups, and computer objects, as well as using Windows PowerShell for administration and implementing organizational units; it provides demonstrations and questions and answers on tasks like creating and modifying user accounts, groups, and using templates to simplify account management.

Managing objects in AD DS 2-1

Module 2
Managing objects in AD DS
Contents:
Lesson 1: Managing user accounts 2

Lesson 2: Managing groups in AD DS 6


Lesson 3: Managing computer objects in AD DS 8

Lesson 4: Using Windows PowerShell for AD DS administration 10

Lesson 5: Implementing and managing OUs 13


Module Review and Takeaways 15

Lab Review Questions and Answers 16


2-2 Identity with Windows Server 2016

Lesson 1
Managing user accounts
Contents:
Question and Answers 3
Demonstration: Managing user accounts 3
Demonstration: Using templates to manage accounts 4

Question and Answers


Question: What is the purpose of a roaming profile?

Answer: It stores and synchronizes the user profile to a network share. This allows the user to
roam between computers and still receive the same profile when they sign on to a new
computer.
Question: What is the difference between disabling an account and an account being locked out?

Answer: Disabling an account is an intentional act by an administrator to prevent use of the
account, and the account stays disabled until an administrator re-enables it. An account lockout
is the automatic result of too many bad logon attempts (assuming that the account lockout policy
is configured to enforce a threshold); it clears by itself after the lockout duration or when an
administrator unlocks the account. Lockouts are also worth monitoring: a burst of lockouts across
many accounts in a short time is a common sign of a password-spraying attack.

Demonstration: Managing user accounts


Demonstration Steps
Create a new user account
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, click Adatum (local), and then double-click Managers.
3. In the Tasks pane, click New, and then click User.
4. In the Create User dialog box, in the First name field, type Sales.

5. In the Last name field, type Manager.

6. In the User UPN logon text box, type SalesManager.


7. In the Password and Confirm password fields, type Pa55w.rd, and then click OK.

Delete a user account


1. Click the Art Odum account.
2. In the Tasks pane, under Art Odum, click Delete.

3. In the Delete Confirmation box, click Yes.

Move a user account


1. Click the Burton Bartels account.
2. In the Tasks pane, under Burton Bartels, click Move…

3. Click the Development OU, and then click OK.

4. In the left pane, click Adatum (local).


5. In the right pane, double-click the Development OU, and then ensure that the Burton Bartels
account is present.

Configure user attributes


1. Double-click the Burton Bartels account.

2. In the left pane, click Organization, and then change the Department field from Managers to
Development.
3. In the left pane, click Member Of.

4. In the Member Of section, click Managers, and then click Remove.

5. Click Add. In the Select Groups dialog box, in the Enter the object names to select (example): window,
type Development, and then click OK.

6. Click OK to close the Burton Bartels properties.

7. Close Active Directory Administrative Center. Leave Server Manager open for the next
demonstration.
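The same create, delete, move, and modify steps, written as an added example for the ActiveDirectory PowerShell module (this code is not part of the 20742B courseware). It assumes the Managers and Development OUs and the Managers and Development groups from the demonstration exist in Adatum.com, and that Art Odum and Burton Bartels are the display names of the accounts. The initial password is read from a prompt rather than typed into the script, which is the habit to build before scripts start ending up in file shares and ticket systems.

```powershell
# Added example: the Active Directory Administrative Center steps above, done with the
# ActiveDirectory module. Run on LON-DC1 (or any host with RSAT) as an account that can
# manage the Managers and Development OUs. OU, group and user names are taken from the
# demonstration and are assumed to exist.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$managers = "OU=Managers,$($domain.DistinguishedName)"
$devOu    = "OU=Development,$($domain.DistinguishedName)"

# Create a user. The password is read from a prompt so it never appears in the script,
# the console history, or a transcript; the user must change it at first sign-in.
$initialPw = Read-Host -Prompt 'Initial password for SalesManager' -AsSecureString
New-ADUser -Name 'Sales Manager' -GivenName 'Sales' -Surname 'Manager' `
    -SamAccountName 'SalesManager' -UserPrincipalName "SalesManager@$($domain.DNSRoot)" `
    -Path $managers -AccountPassword $initialPw -Enabled $true -ChangePasswordAtLogon $true

# Delete a user. Deletion is final unless the AD Recycle Bin is enabled, so dry-run first.
$art = Get-ADUser -Filter "Name -eq 'Art Odum'"
Remove-ADUser -Identity $art -WhatIf
Remove-ADUser -Identity $art -Confirm:$false

# Move a user. Move-ADObject needs the object's DN or GUID, not a name.
$burton = Get-ADUser -Filter "Name -eq 'Burton Bartels'"
Move-ADObject -Identity $burton.ObjectGUID -TargetPath $devOu

# Configure attributes and group membership. Re-read the object after the move:
# the DistinguishedName cached in $burton is now stale.
$burton = Get-ADUser -Identity $burton.ObjectGUID -Properties Department, MemberOf
Set-ADUser -Identity $burton -Department 'Development'
Remove-ADGroupMember -Identity 'Managers'    -Members $burton -Confirm:$false
Add-ADGroupMember    -Identity 'Development' -Members $burton

# Verify the result the way the demonstration does, in one query.
Get-ADUser -Identity $burton.ObjectGUID -Properties Department, MemberOf |
    Select-Object DistinguishedName, Department,
        @{ Name = 'Groups'; Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }
```

Looking up users by display name with -Filter is fine for a demonstration; in production scripts key on sAMAccountName or objectGUID, because display names are neither unique nor stable.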

Demonstration: Using templates to manage accounts


Demonstration Steps
Create a user template
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and
Computers.

2. Expand Adatum.com, and then click the Sales OU.


3. Click the new user icon on the toolbar.

4. In the New Object – User dialog box, enter the following information, and then click Next:
o First name: _sales

o Last name: template

o User logon name: salestemplate

5. In the Password and Confirm password fields, type Pa55w.rd.


6. Clear the User must change password at next logon check box, select the Password never
expires check box, select the Account is disabled check box, and then click Next.

7. Click Finish.

Configure template properties


1. Double-click the _sales template account.
2. In the _sales template properties dialog box, click the Member Of tab, and then click Add.

3. In the Select Groups dialog box, type Sales, and then click OK.

4. Click the Organization tab. In the Department field, type Sales.


5. In the Manager section, click Change. In the Select User or Contact dialog box, type Erin, and then
click Check Names. Click OK.

6. Click the Profile tab. In the User profile section, in the Logon script field, type \\lon-
dc1\netlogon\logon.bat, and then click OK.

Create a new user by copying the template


1. Right-click the _sales template account, and then click Copy.

2. In the Copy Object – User dialog box, type Sales in the First name field. Type User in the Last
name field.

3. Type salesuser in the User logon name field, and then click Next.

4. In the Password and Confirm password fields, type Pa55w.rd.


5. Clear the Password never expires check box, clear the Account is disabled check box, select the
User must change password at next logon check box, and then click Next.

6. Click Finish.

7. Double-click the Sales User account, and then click the Member Of tab. Ensure that the user is a
member of the Sales group.

8. Click the Organization tab. Ensure that the Department is Sales and the Manager is Erin Bull.

9. Click the Profile tab. Ensure that the Logon script path is \\lon-dc1\netlogon\logon.bat. Click OK
to close the dialog box.
10. Close Active Directory Users and Computers.
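The template copy done from PowerShell, as an added example that is not part of the courseware. ADUC's Copy command and New-ADUser -Instance are not equivalent: -Instance copies attribute values but not group membership, and the template must be read with a short, explicit property list. The example assumes the _sales template (logon name salestemplate) from the demonstration exists in the Sales OU of Adatum.com.

```powershell
# Added example: copying the _sales template with New-ADUser -Instance instead of ADUC's Copy.
# Assumes the template from the demonstration (logon name salestemplate) exists in the Sales OU.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$salesOu = "OU=Sales,$($domain.DistinguishedName)"

# Retrieve only the attributes that should be copied. Do not use -Properties *: the template
# object then carries read-only and identity attributes that make New-ADUser -Instance fail.
$template       = Get-ADUser -Identity 'salestemplate' -Properties Department, Manager, ScriptPath, Company, Office, Title
$templateGroups = (Get-ADUser -Identity 'salestemplate' -Properties MemberOf).MemberOf

# The template is (and must stay) disabled with a non-expiring password. The new account gets
# its own state: the explicit parameters below take precedence over what -Instance carries.
$initialPw = Read-Host -Prompt 'Initial password for salesuser' -AsSecureString
New-ADUser -Name 'Sales User' -GivenName 'Sales' -Surname 'User' -SamAccountName 'salesuser' `
    -UserPrincipalName "salesuser@$($domain.DNSRoot)" -Path $salesOu -Instance $template `
    -AccountPassword $initialPw -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true

# -Instance copies attribute values, not group membership. ADUC's Copy command copies
# memberOf as well, so do that explicitly here or the user will not be in Sales.
foreach ($groupDn in $templateGroups) {
    Add-ADGroupMember -Identity $groupDn -Members 'salesuser'
}

# Verify the copy (steps 7-9 of the demonstration).
Get-ADUser -Identity 'salesuser' -Properties Department, Manager, ScriptPath, MemberOf, PasswordNeverExpires |
    Format-List SamAccountName, Enabled, PasswordNeverExpires, Department, Manager, ScriptPath, MemberOf

# Hygiene check: a template that someone has enabled is a ready-made account for an attacker.
# Template accounts in this domain are named with a leading underscore, as in the demonstration.
Get-ADUser -Filter "Name -like '_*' -and Enabled -eq 'True'" |
    ForEach-Object { Write-Warning "Template account $($_.SamAccountName) is enabled" }
```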

Lesson 2
Managing groups in AD DS
Contents:
Demonstration: Managing groups in Windows Server 7

Demonstration: Managing groups in Windows Server


Demonstration Steps
Create a new group and add members
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. Expand Adatum (local), and then double-click IT.


3. In the Tasks list, under IT, point to New, and then click Group.

4. In the Create Group dialog box, in the Group name field, type IT Managers. Notice that the default
is a global security group.

5. In the left pane, click Members, and then click Add.

6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in Enter the
object names to select (examples), type Beth; Logan, click Check Names, and then click OK.

7. Click OK to close the Create Group: IT Managers dialog box.

Add a user to the group


1. Right-click the user named Maj Hojski, and then click Add to group.
2. In the Select Groups dialog box, in Enter the object names to select (examples), type IT
Managers.

3. Click Check Names, and then click OK.

Change the group type and scope


1. Double-click the IT Managers group.
2. In the IT Managers window, under Group type, click Distribution. Read the highlighted message.
Under Group scope, click Universal, and then click OK.

Configure a manager for the group


1. Double-click the IT Managers group.
2. In the Managed By section, click Edit.

3. In the Select User, Contact or Groups dialog box, in Enter the object names to select (examples),
type Parsa, click Check Names, and then click OK.
4. Select the Manager can update membership list check box. (This writes a permission entry on the
group that allows the manager to modify its member attribute; recording a manager alone grants no rights.)

5. Click OK to close the IT Managers Properties dialog box.

6. Close Active Directory Administrative Center.
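The group steps above with the ActiveDirectory module, as an added example that is not part of the courseware. It assumes the IT OU exists in Adatum.com, that Beth, Logan and Parsa are sAMAccountNames, and that Maj Hojski is a display name (the demonstration types it as one). It also adds the check that the scope conversion in step "Change the group type and scope" needs.

```powershell
# Added example: the group-management steps above with the ActiveDirectory module.
# Assumes the IT OU and the accounts Beth, Logan, Maj Hojski and Parsa from the demonstration.
Import-Module ActiveDirectory
$itOu = "OU=IT,$((Get-ADDomain).DistinguishedName)"

# New-ADGroup requires -GroupScope; -GroupCategory defaults to Security, matching the ADAC default.
New-ADGroup -Name 'IT Managers' -Path $itOu -GroupScope Global -GroupCategory Security

# Members can be given as sAMAccountNames or as objects. Beth and Logan are assumed to be logon
# names; Maj Hojski is looked up by display name because that is what the demonstration types.
Add-ADGroupMember -Identity 'IT Managers' -Members 'Beth', 'Logan'
Add-ADGroupMember -Identity 'IT Managers' -Members (Get-ADUser -Filter "Name -eq 'Maj Hojski'")

# Change type and scope. Two things the ADAC warning is about:
#  - a distribution group has no security function, so every permission or rights assignment
#    that references this group stops working the moment the category changes;
#  - a global group cannot become universal while it is a member of another global group.
$nestedIn = (Get-ADGroup -Identity 'IT Managers' -Properties MemberOf).MemberOf |
    ForEach-Object { Get-ADGroup -Identity $_ } | Where-Object GroupScope -eq 'Global'
if ($nestedIn) {
    throw "Remove 'IT Managers' from global group(s) $($nestedIn.Name -join ', ') before converting"
}
Set-ADGroup -Identity 'IT Managers' -GroupCategory Distribution -GroupScope Universal

# Record a manager. -ManagedBy only fills the managedBy attribute (who to contact); it grants no
# permission. ADAC's "Manager can update membership list" check box additionally writes an ACE
# on the group allowing the manager to write its member attribute, which Set-ADGroup does not do.
Set-ADGroup -Identity 'IT Managers' -ManagedBy 'Parsa'

# Verify.
Get-ADGroup -Identity 'IT Managers' -Properties GroupCategory, GroupScope, ManagedBy, Members |
    Format-List Name, GroupCategory, GroupScope, ManagedBy, Members
```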



Lesson 3
Managing computer objects in AD DS
Contents:
Question and Answers 9

Question and Answers


Question: What causes a computer to lose its trust relationship with the domain?

Answer: Typically, it is the result of a password mismatch between the computer's local copy of
its account password and the value stored in AD DS. Common causes are restoring the computer from
an image or virtual machine snapshot taken before its last automatic password change (every 30
days by default), or an administrator resetting the computer account in AD DS.
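An added example (not from the courseware) of the check and the repair a practitioner runs for the answer above, followed by the domain-side query that finds the machines most likely to be affected. Test-ComputerSecureChannel and Get-ADComputer are standard cmdlets; the server name LON-DC1.Adatum.com and the 90-day threshold are assumptions.

```powershell
# Added example: confirming and repairing a broken secure channel without rejoining the domain.
# Run in an elevated PowerShell session on the computer that lost trust, signed in with a local account.
if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel is healthy'
} else {
    # -Repair resets the computer account password on the DC and locally in one step. The credential
    # only needs the Reset Password right on this computer object, not Domain Admins membership.
    $cred = Get-Credential -Message 'Account allowed to reset this computer account password'
    Test-ComputerSecureChannel -Repair -Credential $cred -Server 'LON-DC1.Adatum.com'
}

# Domain-side triage (run on LON-DC1 or with RSAT). Computer passwords rotate every 30 days by
# default; a machine restored from an older image or snapshot reappears with the previous password
# and fails exactly as the answer above describes. Accounts whose password is very old are either
# such machines or stale objects that should be disabled, since their credentials are still valid.
Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-90) } |
    Sort-Object PasswordLastSet |
    Format-Table Name, OperatingSystem, PasswordLastSet, LastLogonDate -AutoSize
```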

Lesson 4
Using Windows PowerShell for AD DS administration
Contents:
Question and Answers 11
Resources 11
Demonstration: Using graphical tools to perform bulk operations 11
Demonstration: Performing bulk operations with Windows PowerShell 11

Question and Answers


Question: What is Windows PowerShell Integrated Scripting Environment?

Answer: Windows PowerShell Integrated Scripting Environment provides an environment to


write, run, and test Windows PowerShell scripts. It provides syntax coloring, tab completion, visual
debugging, and context-sensitive Help that is not available in the standard Windows PowerShell
window.

Resources

Querying objects with Windows PowerShell

Additional Reading: For more information, refer to about_ActiveDirectory_Filter:
http://aka.ms/Kv5dy3
Additional Reading: For more information, refer to How to use the UserAccountControl
flags to manipulate user account properties: http://aka.ms/Mxt8a1

Modifying objects with Windows PowerShell

Additional Reading: For more information, refer to Set-ADUser: http://aka.ms/K34c8d
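The two readings above (filters and userAccountControl flags) come together in the most common security query an AD administrator writes: which enabled accounts carry a risky userAccountControl bit. The following is an added example, not courseware code. The flag values are the documented userAccountControl bits; the LDAP matching rule 1.2.840.113556.1.4.803 is the bitwise AND, which -LDAPFilter exposes and the -Filter syntax does not.

```powershell
# Added example: using the userAccountControl flags from the reading above to find risky accounts.
# Runs on LON-DC1 or any host with the ActiveDirectory module; add -SearchBase to narrow the scope.
Import-Module ActiveDirectory

# The userAccountControl bits that matter most in a security review (values from the MS reference).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020   # blank password permitted, bypasses the length policy
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0000080   # password stored with reversible encryption
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition
}

function ConvertFrom-UserAccountControl {
    # Turns the integer into the list of flag names that are set.
    param([Parameter(Mandatory)][int]$Value)
    $uacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object Key
}

# LDAP bitwise AND rule 1.2.840.113556.1.4.803: the entry matches when every bit in the
# operand is set. Each query below asks for one risky bit on accounts that are not disabled.
$review = foreach ($flag in 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD', 'DONT_REQ_PREAUTH',
                            'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION', 'ENCRYPTED_TEXT_PWD_ALLOWED') {
    $bit    = $uacFlags[$flag]
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$bit))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, AdminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Finding        = $flag
                Privileged     = [bool]$_.AdminCount      # adminCount=1 marks AdminSDHolder-protected accounts
                AllFlags       = (ConvertFrom-UserAccountControl $_.userAccountControl) -join ','
            }
        }
}
$review | Sort-Object Privileged, Finding -Descending | Format-Table -AutoSize

# Remediation for the simplest class: clear "password not required". -WhatIf lists the targets first.
$review | Where-Object Finding -eq 'PASSWD_NOTREQD' |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -PasswordNotRequired $false -WhatIf }
```

Set-ADUser exposes the common bits as Boolean parameters (-PasswordNotRequired, -PasswordNeverExpires, -TrustedForDelegation, and so on), so a script never has to write the raw integer back.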

Demonstration: Using graphical tools to perform bulk operations


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and
Computers.

2. Expand Adatum.com, and then click the Research OU.

3. In the details pane, click the top of the Type column to sort the object by type.
4. Click the first user object in the list (this should be Arturs Priede).

5. Scroll to the bottom of the list, hold the Shift key, and then click the last User object in the list (this
should be Vera Pace).

6. Right-click the block of selected objects, and then click Properties.

7. In the Properties for Multiple Items dialog box, select the check box beside Office, type Winnipeg
in the field, and then click OK.

8. Double-click any of the user objects and note that the Office field is now set to Winnipeg.

9. Click Cancel, and then close Active Directory Users and Computers.

Demonstration: Performing bulk operations with Windows PowerShell


Demonstration Steps
Create a new global group in the IT department
1. On LON-DC1, right-click the Start button, click Run, type PowerShell, and then press Enter.

2. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

New-ADGroup -Name Helpdesk -Path "ou=IT,dc=Adatum,dc=com" -GroupScope Global

Add all users in the IT department to the Helpdesk group


• In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

Get-ADUser -Filter "Department -eq 'IT'" | Foreach {Add-ADGroupMember "Helpdesk" -Members $_}

Set the address for all users in the Research department


• In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

Get-ADUser -Filter {Department -eq "Research"} | Set-ADUser -StreetAddress "1530 Nowhere Ave." -City "Winnipeg" -State "Manitoba" -Country "CA"

Note: Notice that this command writes the filter in braces (a script block) rather than as a
quoted string, and pipes the users straight into Set-ADUser rather than into a foreach loop.
Both filter forms are accepted; the quoted-string form is the more predictable choice when the
value comes from a variable.

Create a new OU
• In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

New-ADOrganizationalUnit London -Path "dc=Adatum,dc=com"

Run a script to create new users from a .csv file


1. Open File Explorer, type E:\Labfiles\Mod02 in the address bar, and then press Enter.
2. Right-click DemoUsers.csv, click Open with, and then click Notepad. Explain the structure of the file
to students.

3. Close Notepad.
4. Switch back to the Windows PowerShell window, and then type cd E:\Labfiles\Mod02.

5. To run the script, type .\DemoUsers.ps1, and then press Enter.

Verify that the user accounts were created and that the accounts were modified
1. In Server Manager, click Tools, and then click Active Directory Users and Computers.

2. Ensure that the London OU exists.

3. Click the London OU. See that there are three users as defined in the .csv file. Notice that the users’
accounts are disabled. This is because there were no passwords provided.

4. Click the IT OU. Ensure that the Helpdesk group exists.

5. Double-click the Helpdesk group, and then in Helpdesk Properties, click the Members tab. Ensure
that the members are populated with the IT department users, and then click Cancel.

6. Click the Research OU, and then double-click one of the user accounts.

7. In the user’s properties page, click the Address tab. Ensure that the address fields are populated as
expected, and then click Cancel.
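The courseware does not show DemoUsers.ps1, so the following is an added example of a CSV-driven bulk create, not the lab's script. It creates the London users enabled, with a random initial password each, which is the difference the verification step above is pointing at. The column names (FirstName, LastName, SamAccountName, Department) are assumed, and the rows are constructed sample data standing in for E:\Labfiles\Mod02\DemoUsers.csv.

```powershell
# Added example: a CSV-driven bulk create that produces enabled accounts, in place of DemoUsers.ps1,
# whose contents the courseware does not show. The columns are assumed (FirstName, LastName,
# SamAccountName, Department) and the rows are constructed sample data, not real Adatum users.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$london = "OU=London,$($domain.DistinguishedName)"

function New-RandomPassword {
    # 20 characters from a CSPRNG. The small modulo bias is irrelevant for a one-time initial password.
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Stand-in for Import-Csv E:\Labfiles\Mod02\DemoUsers.csv (constructed rows).
$rows = @'
FirstName,LastName,SamAccountName,Department
Ana,Cantrell,acantrell,Sales
Devon,Moss,dmoss,Research
Priya,Rao,prao,IT
'@ | ConvertFrom-Csv

if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=London)' -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'London' -Path $domain.DistinguishedName
}

$created = foreach ($row in $rows) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "$($row.SamAccountName) already exists, skipping"
        continue
    }
    $plain = New-RandomPassword
    # New-ADUser creates accounts disabled unless -Enabled $true is given together with a password
    # that meets the domain policy. That is why the courseware's script leaves them disabled.
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $row.SamAccountName -UserPrincipalName "$($row.SamAccountName)@$($domain.DNSRoot)" `
        -Department $row.Department -Path $london `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true
    [pscustomobject]@{ SamAccountName = $row.SamAccountName; InitialPassword = $plain }
}

# Hand initial passwords to the users out of band. Never write them back to the CSV or a log share.
$created | Format-Table -AutoSize

# Verify: every row has an enabled account in the London OU with the right department.
Get-ADUser -SearchBase $london -Filter * -Properties Department |
    Format-Table SamAccountName, Enabled, Department -AutoSize
```

Replace the here-string with Import-Csv on the real file to use it in the lab; keep the existence check, because re-running a bulk script against the same CSV is the usual way duplicate or half-created objects appear.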

Lesson 5
Implementing and managing OUs
Contents:
Question and Answers 14
Demonstration: Delegating administrative permissions on an OU 14

Question and Answers


Question: What is the advantage of using the Delegation of Control Wizard?

Answer: The Delegation of Control Wizard can simplify the delegation of administration by
assigning permissions based on the selected task.

Demonstration: Delegating administrative permissions on an OU


Demonstration Steps

Create a new OU
1. On LON-DC1, in Active Directory Users and Computers, click Adatum.com.

2. Click the New OU icon on the toolbar.

3. In the New Object – Organizational Unit dialog box, type Human Resources in the Name field,
and then click OK.

Use the Delegation of Control Wizard to assign a task


1. Right-click the Adatum.com domain object, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, in Enter the object names to select
(examples), type Helpdesk, click Check Names, click OK, and then click Next.
5. On the Tasks to Delegate page, select the check boxes beside Reset user passwords and force
password change at next logon and Join a computer to the domain, and then click Next.
6. Click Finish.

Assign the Research group the right to modify user addresses and job titles in the
Research OU
1. In Active Directory Users and Computers, click View, and then click Advanced Features.
2. Right-click the Research OU, and then click Properties.

3. Click the Security tab, click Advanced, and then click Add.

4. In the Permission Entry for Research window, click Select a principal.


5. In the Select Users, Computers, or Groups dialog box, in Enter the object names to select
(examples), type Research. Click Check Names, and then click OK.

6. In the Applies to drop-down list box, select Descendant User objects. (Hint: it is at the bottom of
the list.)

7. In the Properties section, scroll down, and then select the check box beside Write Home Address.

8. Scroll down further, select the check box beside Write Job Title, and then click OK twice.

9. Click OK to close the Research Properties dialog box.
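The delegations in this lesson, written as explicit ACEs so they can be scripted, reviewed and repeated. This is an added example and not courseware code. It covers both the Research OU permissions and the Helpdesk password-reset task from the demonstration above, and the "Manager can update membership list" check box from Lesson 2, which is the same kind of ACE on a group object. All schema and extended-right GUIDs are resolved from the directory at run time. Assumptions: the Research and Helpdesk groups, the Research OU and the IT Managers group exist in Adatum.com, Parsa is a sAMAccountName, and the Helpdesk delegation is scoped to the Research OU rather than the domain root as the demonstration does.

```powershell
# Added example: the delegations from this lesson expressed as explicit ACEs. Not part of the
# courseware. Assumes the Research and Helpdesk groups, the Research OU and the IT Managers group
# from the demonstrations, and that Parsa is a sAMAccountName.
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$domainDn = (Get-ADDomain).DistinguishedName

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve attribute and class GUIDs from the schema instead of hard-coding them.
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "No schema object named $LdapDisplayName" }
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "No extended right named $DisplayName" }
    [guid]$o.rightsGuid
}
function Add-AdAce {
    # Appends one Allow ACE to an AD object. $Inheritance 'Descendents' plus $InheritedObjectType
    # is what the ACL editor shows as "Applies to: Descendant <class> objects".
    param(
        [string]$TargetDn, [string]$Principal,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType, $Inheritance, $InheritedObjectType)))
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

$userClass  = Get-SchemaGuid 'user'
$researchOu = "OU=Research,$domainDn"

# 1. Research group: write Home Address and Job Title on descendant user objects of the Research OU.
#    The ACL editor's "Home Address" is the homePostalAddress attribute and "Job Title" is title.
foreach ($attr in 'homePostalAddress', 'title') {
    Add-AdAce -TargetDn $researchOu -Principal 'ADATUM\Research' -Rights WriteProperty `
        -ObjectType (Get-SchemaGuid $attr) -Inheritance Descendents -InheritedObjectType $userClass
}

# 2. Helpdesk: the wizard task "Reset user passwords and force password change at next logon" is the
#    Reset Password control access right plus read/write of pwdLastSet, on descendant users.
#    The demonstration delegates this at the domain root; scoping it to an OU keeps Helpdesk away
#    from the privileged and service accounts that live elsewhere in the domain.
$scope = $researchOu   # assumed narrower scope; use $domainDn to mirror the demonstration exactly
Add-AdAce -TargetDn $scope -Principal 'ADATUM\Helpdesk' -Rights ExtendedRight `
    -ObjectType (Get-ExtendedRightGuid 'Reset Password') -Inheritance Descendents -InheritedObjectType $userClass
Add-AdAce -TargetDn $scope -Principal 'ADATUM\Helpdesk' -Rights 'ReadProperty, WriteProperty' `
    -ObjectType (Get-SchemaGuid 'pwdLastSet') -Inheritance Descendents -InheritedObjectType $userClass

# 3. Lesson 2's "Manager can update membership list" check box: write access to the group's
#    member attribute, on the group object itself (no inheritance needed).
Add-AdAce -TargetDn (Get-ADGroup -Identity 'IT Managers').DistinguishedName -Principal 'ADATUM\Parsa' `
    -Rights WriteProperty -ObjectType (Get-SchemaGuid 'member')

# Check: the explicit ACEs on the Research OU. Descendant-user ACEs show InheritanceType=Descendents
# and the user class GUID in InheritedObjectType; ObjectType is the attribute or right delegated.
(Get-Acl -Path "AD:\$researchOu").Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The wizard writes the same ACEs, but it does not show them, and it has no undo: removing a delegation later means finding and deleting these entries on the Security tab, which is why a script that records exactly what was granted is worth keeping.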



Module Review and Takeaways


Best Practices
Consider the following best practices for AD DS administration:

• Avoid using the built-in groups to delegate administrative access unless you understand all the
permissions that the group membership grants.
• Create specialized administrative groups and assign them only the rights and permissions required to
complete the tasks assigned.

• Develop Windows PowerShell scripts to perform repetitive tasks.

• Do not sign in with your administrative account for day-to-day activities. Only use it when you need
to perform an administrative task.

Real-world Issues and Scenarios


Many organizations create some user accounts based on the job role rather than the person filling
it. For example, an organization will always have a receptionist, so the person in that role signs
in with a generic account named reception; when someone new takes over, the only required task is
to change the password, and apps, settings, documents, and email stay consistent. Bear in mind that
a shared account removes individual accountability: every audit event is logged as reception, not
as the person who acted, so such accounts should be limited to low-privilege roles and their
passwords changed at every handover.

Tools
The following table lists the tools that this module references.

Tool: Windows PowerShell
Used for: Command-line and scripting of all administrative tasks.
Where to find it: Native to the operating system.

Tool: Active Directory Administrative Center
Used for: Performing day-to-day administrative tasks in AD DS.
Where to find it: In Server Manager, under the Tools menu, or in Control Panel in Administrative Tools.

Tool: Active Directory Users and Computers
Used for: Performing day-to-day administrative tasks in AD DS.
Where to find it: In Server Manager, under the Tools menu, or in Control Panel in Administrative Tools.

Tool: Delegation of Control Wizard
Used for: Assigning permissions to perform administrative tasks.
Where to find it: Right-click an OU in Active Directory Users and Computers.

Common Issues and Troubleshooting Tips


Common Issue: Users are unable to access network resources.
Troubleshooting Tip: Check group memberships. Look for nested groups that are causing conflicts
(for example, a Deny entry received through one group overriding an Allow received through
another). Remember that group membership is evaluated when the user's token is built at sign-in,
so a membership change takes effect only after the user signs out and back in.

Common Issue: You have assigned a user some administrative rights in AD DS, but he says that he has
no tool to perform the task.
Troubleshooting Tip: Download and install Remote Server Administration Tools for Windows 10 on the
user's workstation to provide the administrative tools that he requires.

Lab Review Questions and Answers


Lab A: Managing AD DS objects
Question and Answers
Question: What types of objects can be members of global groups?

Answer: User accounts, computer accounts, and other global groups from the same domain can be
members of a global group. A global group cannot contain domain local or universal groups, or
accounts from another domain.
Question: What credentials are necessary for any computer to join a domain?

Answer: You must provide the credentials of a user who has permission to join computers to the
domain: typically a domain administrator, or an account that was delegated the Create Computer
objects permission on the target OU. Note that by default any authenticated domain user can also
join up to 10 computers (the domain's ms-DS-MachineAccountQuota attribute), so a hardened domain
commonly sets that quota to 0 and delegates the right explicitly.

Lab B: Administering AD DS

Question and Answers


Question: Why are the users that this script created enabled?

Answer: The script assigns a password to the users when creating them.
Question: What is the status of accounts that the New-ADUser cmdlet creates?

Answer: By default, New-ADUser creates accounts disabled (its Enabled parameter defaults to
$false). You can create them enabled only by passing -Enabled $true together with an
-AccountPassword that meets the domain password policy; if the password is missing or too weak,
the cmdlet reports an error and the account stays disabled.
Advanced AD DS infrastructure management 3-1

Module 3
Advanced AD DS infrastructure management
Contents:
Lesson 1: Overview of advanced AD DS deployments 2

Lesson 2: Deploying a distributed AD DS environment 5


Lesson 3: Configuring AD DS trusts 9

Module Review and Takeaways 13

Lab Review Questions and Answers 15


Implementing Group Policy 5-1

Module 5
Implementing Group Policy
Contents:
Lesson 1: Introducing Group Policy 2

Lesson 2: Implementing and administering GPOs 5


Lesson 3: Group Policy scope and Group Policy processing 9

Lesson 4: Troubleshooting the application of GPOs 14

Module Review and Takeaways 17


Lab Review Questions and Answers 18

Lesson 1
Introducing Group Policy
Contents:
Question and Answers 3
Demonstration: Exploring Group Policy tools and consoles 4

Question and Answers


Categorize Activity

Question: Categorize each item into the appropriate category. Indicate your answer by writing the
category number to the right of each item.

Items

1 Domain

2 User

3 Organizational unit

4 Computer

5 Site

6 Group

7 Users container

8 Computers container

Category 1: Can link GPOs to
Category 2: Cannot link GPOs to

Answer:

Category 1 (Can link GPOs to): Domain, Organizational unit, Site
Category 2 (Cannot link GPOs to): User, Computer, Group, Users container, Computers container

Note that the Users and Computers containers are not OUs, so objects left in them receive only
the GPOs linked at the site and domain levels. Use redirusr.exe and redircmp.exe to redirect newly
created user and computer objects into OUs that you manage.

Demonstration: Exploring Group Policy tools and consoles


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. If necessary, switch to the Group Policy Management window.

3. In Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, and then click Group Policy Objects.

4. Right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, type Disable Control Panel, and then click OK.
6. In the details pane, right-click Disable Control Panel, and then click Edit.

7. In Group Policy Management Editor, in the navigation pane, under User Configuration, expand
Policies, expand Administrative Templates, and then click Control Panel.

8. In the details pane, double-click Prohibit access to Control Panel and PC Settings.
9. In the Prohibit access to Control Panel and PC Settings dialog box, show the three possible values
for a setting in Administrative Templates, show the Supported on text, and then show the Help
text.
10. Click Enabled. In the Comment text box, type Enabled <date> by <your name>, where you replace
<date> with today’s date and <your name> with your name, and then click OK.

11. In the navigation pane, under User Configuration, expand Preferences, and show the different
categories under both Policies and Preferences.

12. Close the Group Policy Management Editor window.


13. In the Group Policy Management window, in the navigation pane, expand Group Policy Objects,
and then click Disable Control Panel.

14. In the details pane, show the Scope, Details, and Settings tabs.
15. In the navigation pane, click and then right-click Adatum.com, and then click Link an Existing GPO.
16. In the Select GPO dialog box, click Disable Control Panel, and then click OK.

17. In the navigation pane, click Adatum.com.

18. In the details pane, show the Linked Group Policy Objects and Group Policy Inheritance tabs.
19. Click Start, and then click Windows PowerShell.

20. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

gpupdate

21. Verify that both the computer and user settings updated successfully.

22. At the Windows PowerShell command prompt, type the following command, and then press Enter:

gpresult /r

23. In the output from the command, in the User Settings section, in the Applied GPOs list, verify that
the Disable Control Panel GPO is listed.

24. Close the Windows PowerShell window.
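The same GPO built, linked and verified with the GroupPolicy module, as an added example that is not part of the courseware. The registry value behind "Prohibit access to Control Panel and PC settings" is NoControlPanel under the Explorer policies key; the domain name Adatum.com and running as Administrator on LON-DC1 are assumptions taken from the demonstration.

```powershell
# Added example: the Group Policy Management steps above with the GroupPolicy module; not part
# of the courseware. Assumes the Adatum.com domain and that the script runs on LON-DC1.
Import-Module GroupPolicy
$domainDn = 'DC=Adatum,DC=com'

# Create the GPO with the same comment convention the demonstration uses (step 10).
$gpo = New-GPO -Name 'Disable Control Panel' `
    -Comment "Enabled $(Get-Date -Format yyyy-MM-dd) by $env:USERDOMAIN\$env:USERNAME"

# "Prohibit access to Control Panel and PC settings" (User Configuration > Administrative
# Templates > Control Panel) is the registry policy NoControlPanel under the Explorer policies key.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link to the domain (steps 15-16).
New-GPLink -Name $gpo.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

# The Settings tab as data: every registry policy the GPO now carries, with its state.
[xml]$report = Get-GPOReport -Name $gpo.DisplayName -ReportType Xml
$report.GPO.User.ExtensionData.Extension.Policy | Select-Object Name, State, Category

# Who the GPO applies to (Scope tab). A new GPO gives Authenticated Users Apply and Read by default.
Get-GPPermission -Name $gpo.DisplayName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission, Inherited

# Refresh and check on the local machine (steps 20-23): the GPO must show under Applied GPOs.
gpupdate /force | Out-Null
$applied = gpresult /r /scope user | Select-String -Pattern 'Disable Control Panel'
if ($applied) { 'Disable Control Panel applied to the current user' }
else { Write-Warning 'GPO not applied; inspect the full gpresult /r output' }

# Full RSoP report for later analysis (the same data as gpresult /h).
Get-GP ResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop-$env:COMPUTERNAME.html" | Out-Null
```

The XML report is the form to keep under version control or feed to a change-detection job: a diff of two Get-GPOReport outputs shows exactly which setting changed, which the GPMC Settings tab does not.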



Lesson 2
Implementing and administering GPOs
Contents:
Question and Answers 6
Demonstration: Delegating administration of Group Policy 6

Question and Answers


Question: Members of which built-in AD DS groups can create GPOs by default? (Select three.)

( ) Domain Admins
( ) Account Operators

( ) Enterprise Admins

( ) GPO Admins
( ) Group Policy Creator Owners

Answer:

(√) Domain Admins


( ) Account Operators

(√) Enterprise Admins

( ) GPO Admins
(√) Group Policy Creator Owners

Feedback:
The GPO Admins group does not exist. The Domain Admins and Enterprise Admins groups can perform
all administrative tasks in the domain, including creating GPOs. Group Policy Creator Owners is
the only group to which you can add users if you want them to be able to create GPOs without
getting administrative rights on the domain or forest; its members can create GPOs and edit the
ones they created, but they cannot link GPOs anywhere. Account Operators have no permissions
regarding Group Policy; they administer only users, computers, and groups in AD DS.

Demonstration: Delegating administration of Group Policy


Demonstration Steps
Make Beth a local administrator on LON-SVR1
1. Switch to LON-DC1.

2. On the taskbar, click the File Explorer icon.


3. In the File Explorer window, in the navigation pane, expand Allfiles (E:), expand Labfiles, and then
click Mod05.

4. In the details pane, right-click the Set-LocalAdmin.ps1 file, and then click Run with Powershell.
Type Y, if prompted, and then press Enter.

Check user permissions before delegation


1. Switch to LON-SVR1.

2. Sign in as Adatum\Beth with the password Pa55w.rd.


3. In Server Manager, click Add roles and features.

4. In Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, click Next.


8. On the Select features page, select the Group Policy Management check box, and then click Next.

9. On the Confirm installation selections page, click Install.

10. When the installation completes, click Close.

11. In Server Manager, click Tools, and then click Group Policy Management.

12. If necessary, switch to the Group Policy Management window.

13. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy Objects.
14. Right-click Group Policy Objects, and then notice that the New item is dimmed because Beth does
not have permissions to create GPOs.

15. In the navigation pane, right-click the Adatum.com domain, and then notice that menu item Link an
Existing GPO is dimmed because Beth does not have permissions to link GPOs to the domain.

16. In the navigation pane, right-click the IT OU, and then notice that menu item Link an Existing GPO
is dimmed because Beth also does not have permissions to link GPOs to the IT OU.
17. Click Start, and then click Windows PowerShell.

18. In the Windows PowerShell window, type the following command, and then press Enter:

GPResult /r

19. In the output from the command, notice that only the User settings are displayed, because Beth
has not been granted permission to read Group Policy results for computer settings.

Delegate permissions
1. On LON-DC1, switch to the Group Policy Management window.
2. In Group Policy Management, in the navigation pane, click the Group Policy Objects container,
and then in the details pane, click the Delegation tab.

3. Click Add. In the Select User, Computer, or Group dialog box, type Beth, click Check Names, and
then click OK.
4. In the navigation pane, click the IT OU, and then in the details pane, click the Delegation tab.

5. In the Permission dropdown list, ensure that Link GPOs is selected, and then click Add.
6. In the Select User, Computer, or Group dialog box, type Beth, click Check Names, and then click
OK.

7. In the Add Group or User dialog box, click OK.

8. In the navigation pane, click the Adatum.com domain, and then in the details pane, click the
Delegation tab.

9. In the Permission drop-down list, select Read Group Policy Results data, and then click Add.
10. In the Select User, Computer, or Group dialog box, type Authenticated Users, click Check Names,
and then click OK.

11. In the Add Group or User dialog box, click OK.

Check permissions after delegation


1. Switch to LON-SVR1.

2. Switch to Group Policy Management.

3. In the Group Policy Management window, click and then right-click the Adatum.com domain, and
then click Refresh.

4. In the navigation pane, right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, in the Name text box, type Beth’s GPO, and then click OK.

6. In the navigation pane, right-click Adatum.com, and then notice that Link an Existing GPO is still
dimmed.

7. In the navigation pane, right-click IT, and then click Link an Existing GPO.

8. In the Select GPO dialog box, click Beth’s GPO, and then click OK.
9. Switch to the Windows PowerShell window.

10. In the Windows PowerShell window, type the following command and then press Enter:

GPResult /r

11. In the output from the command, notice that both the Computer and the User settings are
displayed.
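The three delegations in this demonstration (create GPOs, link GPOs to a container, read RSoP data) are all ACEs in the directory, and the GPMC Delegation tab shows them one container at a time. The following is an added example, not courseware code, that audits them domain-wide in one pass and then shows the per-GPO permission cmdlets. The GUIDs are the well-known schema and extended-right identifiers for gPLink, gPOptions, groupPolicyContainer and the two Generate Resultant Set of Policy rights; the GPO names Beth's GPO and Disable Control Panel are the ones from this module.

```powershell
# Added example: auditing who holds the three delegations from this demonstration, domain-wide.
# Not part of the courseware. Run on LON-DC1 or a host with RSAT, as a user who can read the
# ACLs of the domain, its OUs and CN=Policies.
Import-Module ActiveDirectory, GroupPolicy
$domainDn = (Get-ADDomain).DistinguishedName
$R = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema and extended-right GUIDs behind Group Policy delegation.
$guids = @{
    gpLink    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # attribute gPLink
    gpOptions = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # attribute gPOptions
    gpcClass  = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'   # class groupPolicyContainer
    rsopLog   = [guid]'b7b1b3de-ab09-4242-9e30-9980e5d322f7'   # Generate RSoP (Logging)
    rsopPlan  = [guid]'b7b1b3dd-ab09-4242-9e30-9980e5d322f7'   # Generate RSoP (Planning)
}

function Get-GpDelegation {
    # One row per (container, principal, capability) derived from the container's ACL.
    # Create rights only mean anything on CN=Policies; link and RSoP rights on domain/OU objects.
    param([string]$Dn)
    $isPolicies = $Dn -like 'CN=Policies,CN=System,*'
    foreach ($ace in (Get-Acl -Path "AD:\$Dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r   = $ace.ActiveDirectoryRights
        $any = $ace.ObjectType -eq [guid]::Empty          # ACE is not limited to one attribute/right
        $cap = if ($r.HasFlag($R::GenericAll)) { 'Full control' }
               elseif ($isPolicies) {
                   if ($r.HasFlag($R::CreateChild) -and ($any -or $ace.ObjectType -eq $guids.gpcClass)) { 'Create GPOs' }
               }
               elseif ($r.HasFlag($R::WriteProperty) -and ($any -or $ace.ObjectType -in $guids.gpLink, $guids.gpOptions)) { 'Link GPOs' }
               elseif ($r.HasFlag($R::ExtendedRight) -and ($any -or $ace.ObjectType -eq $guids.rsopLog)) { 'Read RSoP (logging)' }
               elseif ($r.HasFlag($R::ExtendedRight) -and ($any -or $ace.ObjectType -eq $guids.rsopPlan)) { 'Read RSoP (planning)' }
        if ($cap) {
            [pscustomobject]@{ Container = $Dn; Principal = $ace.IdentityReference; Capability = $cap; Inherited = $ace.IsInherited }
        }
    }
}

# Every container that can carry a link, plus the GPO store itself.
$containers = @("CN=Policies,CN=System,$domainDn", $domainDn) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

# Hide the built-in administrators so that delegated principals (such as Beth) stand out.
$containers | ForEach-Object { Get-GpDelegation -Dn $_ } |
    Where-Object { $_.Principal -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|ENTERPRISE DOMAIN CONTROLLERS|Administrators' } |
    Sort-Object Capability, Container | Format-Table -AutoSize

# Per-GPO permissions (the Delegation tab of a GPO): who can edit "Beth's GPO"?
Get-GPPermission -Name "Beth's GPO" -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission, Inherited

# Edit rights on one GPO are a per-GPO ACL change; Set-GPPermission is the cmdlet for that.
Set-GPPermission -Name 'Disable Control Panel' -TargetName 'Beth' -TargetType User -PermissionLevel GpoEdit | Out-Null
```

Run the audit before and after a delegation change and diff the two outputs; the "Full control" rows are the ones to look at hardest, since GenericAll on an OU includes the right to link a GPO to it.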

Lesson 3
Group Policy scope and Group Policy processing
Contents:
Question and Answers 10
Demonstration: Linking GPOs 10
Demonstration: Filtering Group Policy application 12

Question and Answers


Question: It is possible to link more than one WMI filter to a GPO.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback:

Although you cannot link more than one WMI filter to a GPO, you can create advanced WMI
filters that include more than one WMI query.

Question: Which of the following options can you configure in the GPMC to change the default Group
Policy processing order? (Select all that apply.)

( ) WMI filters

( ) Security filtering
( ) Block inheritance
( ) Enforce

( ) Loopback processing
Answer:

(√) WMI filters

(√) Security filtering


(√) Block inheritance
(√) Enforce

(√) Loopback processing

Feedback:

All the options are viable ways to change how Group Policy normally applies. Use them sparingly,
because troubleshooting becomes increasingly difficult when you combine them. One caveat for
security filtering: if you remove Authenticated Users from a GPO's security filtering, the
computer accounts (for example, Domain Computers) must keep Read permission on the GPO. Since
the June 2016 security update MS16-072, user settings are retrieved in the computer's security
context, and a GPO the computer cannot read is not applied to its users either.

Demonstration: Linking GPOs


Demonstration Steps
Create and edit two GPOs
1. On LON-DC1, if necessary, open Server Manager.

2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management window, expand Forest: Adatum.com, Domains, and
Adatum.com, right-click the Group Policy Objects container, and then click New.

4. In the New GPO dialog box, type Remove Run Command in the Name text box, and then click OK.
5. In the Group Policy Management window, right-click the Group Policy Objects container, and
then click New.

6. In the New GPO dialog box, type Do Not Remove Run Command in the Name text box, and then
click OK.

7. Expand Group Policy Objects, right-click the Remove Run Command GPO, and then click Edit.
8. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Administrative Templates, click Start Menu and Taskbar, and then double-click Remove
Run menu from Start Menu.

9. In the Remove Run menu from Start Menu window, click Enabled, and then click OK.

10. Close the Group Policy Management Editor window.

11. In Group Policy Management, right-click the Do Not Remove Run Command GPO, and then click
Edit.
12. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Administrative Templates, click Start Menu and Taskbar, and then double-click Remove
Run menu from Start Menu.

13. In the Remove Run menu from Start Menu window, click Disabled, and then click OK. Close the
Group Policy Management Editor window.

Link the GPOs to different locations


1. In the Group Policy Management window, right-click the Adatum.com domain node in the
navigation pane, and then click Link an Existing GPO.
2. In the Select GPO window, click Remove Run Command, and then click OK. Now the Remove Run
Command GPO is attached to the Adatum.com domain.

3. Click and drag the Do Not Remove Run Command GPO on top of the IT OU.

4. In the Group Policy Management window, click OK to link the GPO.


5. Click the IT OU in the navigation pane, and then click the Group Policy Inheritance tab in the details
pane. The Group Policy Inheritance tab shows the order of precedence for the GPOs.

Disable a GPO link


• In the left pane, right-click the Remove Run Command link that is listed under Adatum.com, and
then click Link Enabled to clear the check mark. Refresh the Group Policy Inheritance pane for the
information technology (IT) OU, and then notice the results in the details pane. The Remove Run
Command GPO is no longer listed.

Delete a GPO link


1. In the left pane, expand the IT OU, right-click the Do Not Remove Run Command link, and then
click Delete. Click OK in the pop-up window.

2. Click the IT OU in the left pane, and then click the Group Policy Inheritance tab in the details pane.
Verify the removal of Do Not Remove Run Command and the absence of the Remove Run
Command GPOs.

3. In the left pane, right-click the Remove Run Command GPO that is listed under Adatum.com, and
then click Link Enabled to re-enable the link. Refresh the Group Policy Inheritance window for the
IT OU, and then notice the results in the right pane.

4. Close Group Policy Management.
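The following Windows PowerShell script is an added example and is not part of the course material. It performs the GPO creation, linking, inheritance check, link disabling and link deletion steps above by using the GroupPolicy module on a domain controller such as LON-DC1. It assumes the Adatum.com domain and an OU named IT directly under the domain root, and that the NoRun registry value is the setting behind Remove Run menu from Start Menu (the Disabled state is approximated here by writing NoRun = 0; the Group Policy Management Editor deletes the value instead).

```powershell
# Added example (not part of the course): GPO link and inheritance steps with the GroupPolicy module.
# Assumes the Adatum.com domain and the IT OU at the paths below.
Import-Module GroupPolicy

$domainDn = 'DC=Adatum,DC=com'
$itOuDn   = "OU=IT,$domainDn"

# "Remove Run menu from Start Menu" is the NoRun value under the Explorer policies key.
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# GPO 1: setting Enabled (NoRun = 1), linked at the domain.
$remove = New-GPO -Name 'Remove Run Command' -Comment 'Hides the Run command for all users'
Set-GPRegistryValue -Name $remove.DisplayName -Key $policyKey -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $remove.DisplayName -Target $domainDn | Out-Null

# GPO 2: setting Disabled (approximated as NoRun = 0), linked at the IT OU.
# The OU link has higher precedence than the domain link, so IT users keep the Run command.
$keep = New-GPO -Name 'Do Not Remove Run Command'
Set-GPRegistryValue -Name $keep.DisplayName -Key $policyKey -ValueName 'NoRun' -Type DWord -Value 0 | Out-Null
New-GPLink -Name $keep.DisplayName -Target $itOuDn | Out-Null

function Show-ItInheritance {
    # Equivalent of the Group Policy Inheritance tab: linked and inherited GPOs in precedence order.
    (Get-GPInheritance -Target $itOuDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}
Show-ItInheritance

# Disable the domain link: the GPO disappears from the IT OU's inheritance list.
Set-GPLink -Name $remove.DisplayName -Target $domainDn -LinkEnabled No | Out-Null
Show-ItInheritance

# Delete the OU link. The GPO object itself stays in the Group Policy Objects container.
Remove-GPLink -Name $keep.DisplayName -Target $itOuDn | Out-Null

# Re-enable the domain link and confirm that only Remove Run Command applies to IT now.
Set-GPLink -Name $remove.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
Show-ItInheritance
```

Get-GPInheritance is the scripted way to answer the question the Group Policy Inheritance tab answers: which GPOs reach this OU, in which order, and whether each link is enabled or enforced.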



Demonstration: Filtering Group Policy application


Demonstration Steps
Create a new GPO and link it to the IT OU
1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click the IT OU.
3. Right-click IT, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO window, type Remove Help menu in the Name text box, and then click OK.

5. In the Group Policy Management window, expand Group Policy Objects, right-click the Remove
Help menu GPO, and then click Edit.

6. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Administrative Templates, click Start Menu and Taskbar, and then double-click Remove
Help menu from Start Menu.

7. In the Remove Help menu from Start menu window, click Enabled, and then click OK.

8. Close the Group Policy Management Editor window.

Filter Group Policy application by using security group filtering


1. Expand IT, and then click the Remove Help menu GPO link.
2. In the GPMC message box, click OK.

3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.

4. In the confirmation dialog box, click OK.


5. In the details pane, under Security Filtering, click Add.

6. In the Select User, Computer, or Group dialog box, in the Enter Object Names to select
(Examples) text box, type Beth Burke, and then click OK.
7. In the details pane, under Security Filtering, click Add.

8. In the Select User, Computer, or Group dialog box, click Object Types.

9. In the Object Types dialog box, select the Computers check box, and then click OK.

10. In the Select User, Computer, or Group dialog box, in the Enter Object Names to select
(Examples) text box, type LON-SVR1, and then click OK.

Note: LON-SVR1 is added to the security-filtering list because the computers where users
sign in also need the Read permission to the GPO.

Filter the Group Policy application by using WMI filtering


1. In the Group Policy Management window, right-click WMI Filters, and then click New.
2. In the New WMI Filter dialog box, in the Name text box, type OS Version Filter.

3. In the Queries pane, click Add.

4. In the WMI Query dialog box, in the Query text box, type the following query, and then click OK:

select * from Win32_OperatingSystem where Version like "10.%"



5. If a Warning dialog box appears, click OK.

6. In the New WMI Filter dialog box, click Save.

7. Right-click the Group Policy Objects folder, and then click New.

8. In the New GPO window, type Software Updates in the Name text box, and then click OK.

9. Expand Group Policy Objects, and then click the Software Updates GPO.

10. In the details pane, on the Scope tab, under WMI Filtering, in the This GPO is linked to the
following WMI filter list, select OS Version Filter.

11. In the confirmation dialog box, click Yes.

12. Close Group Policy Management.
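The following Windows PowerShell script is an added example and is not part of the course material. It applies the security filtering from the demonstration to the Remove Help menu GPO with the GroupPolicy module and tests the WMI filter query locally before relying on it. It assumes the GPO exists, that Beth Burke's user name is Beth (an assumption), that the computer account LON-SVR1 exists, and that the Software Updates GPO has already been linked to the OS Version Filter WMI filter.

```powershell
# Added example (not part of the course): security filtering and a WMI filter check.
# Assumes the GPO 'Remove Help menu', the user 'Beth' and the computer 'LON-SVR1' exist in Adatum.com.
Import-Module GroupPolicy

$gpoName = 'Remove Help menu'

# 1. Remove Authenticated Users from the GPO (this drops both Read and Apply Group Policy).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 2. Grant Read + Apply Group Policy to the intended user ...
Set-GPPermission -Name $gpoName -TargetName 'Beth' -TargetType User -PermissionLevel GpoApply | Out-Null

# ... and to the computer the user signs in on. Since security update MS16-072 the computer account
# retrieves user-side GPOs, so without Read for the computer the user settings never apply.
# Giving Authenticated Users GpoRead (not GpoApply) is an equivalent and more general alternative.
Set-GPPermission -Name $gpoName -TargetName 'LON-SVR1' -TargetType Computer -PermissionLevel GpoApply | Out-Null

# Show the resulting ACL the same way the Delegation/Scope tabs do.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 3. Test the WMI filter's WQL on this host. A filter whose query returns no rows makes the GPO
#    silently not apply, which is the usual cause of "it works on some machines".
$wql = 'select * from Win32_OperatingSystem where Version like "10.%"'
$match = Get-CimInstance -Query $wql
if ($match) {
    "WMI filter matches: $($match.Caption) $($match.Version)"
} else {
    'WMI filter does NOT match this computer; the linked GPO would be skipped here'
}

# Which WMI filter (if any) a GPO is bound to.
(Get-GPO -Name 'Software Updates').WmiFilter | Select-Object Name, Description
```

Running the WQL with Get-CimInstance on a client that is not receiving the policy is a quick way to distinguish a WMI filter mismatch from a security filtering problem.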



Lesson 4
Troubleshooting the application of GPOs
Contents:
Resources 15
Demonstration: Performing a what-if analysis with Group Policy Modeling Wizard 15

Resources

Examining Group Policy event logs

Additional Reading: To download Group Policy Log View, go to: http://aka.ms/E8oi7g

Demonstration: Performing a what-if analysis with Group Policy Modeling Wizard
Demonstration Steps
Use GPResult.exe to create a report
1. On LON-DC1, click Start, type cmd, and then press Enter.

2. In the Administrator: Command Prompt window, type cd \, and then press Enter.
3. Type the following command, and then press Enter:

GPResult /r

4. Review the output in the Command Prompt window.

5. Type the following command, and then press Enter:

GPResult /h results.html

6. Close the Command Prompt window.


7. Click Start, click Windows Accessories, and then click Internet Explorer.

8. In the Internet Explorer window, press the Alt key, click File, and then click Open.

9. In the Open dialog box, in the Open text box, type C:\results.html, and then click OK.
10. In the warning message, click Allow blocked content.

11. View the results of the report.

12. Close Microsoft Internet Explorer.

Use Group Policy Reporting Wizard to create a report


1. Open Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management window, in the navigation pane, right-click Group Policy Results,
and then click Group Policy Results Wizard.

3. In Group Policy Results Wizard, click Next.

4. On the Computer Selection page, click Next.


5. On the User Selection page, click Next.

6. On the Summary of Selections page, click Next.


7. On the Completing the Group Policy Results Wizard page, click Finish.

8. Review the Group Policy results.

9. Expand Group Policy Results, right-click Administrator on LON-DC1, and then click Save Report.
10. In the Save GPO Report dialog box, click Desktop, and then click Save.

Use Group Policy Modeling Wizard to create a report


1. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

2. In Group Policy Modeling Wizard, click Next.


3. On the Domain Controller Selection page, click Next.

4. On the User and Computer Selection page, under User information, click User, and then click
Browse.

5. In the Select User dialog box, in the Enter object names to select (Examples) text box, type Beth,
and then click OK.

6. Under Computer information, verify that the Container option is selected, and then click Browse.

7. In the Choose Computer Container dialog box, expand Adatum, click IT, and then click OK.

8. On the User and Computer Selection page, click Next.

9. On the Advanced Simulation Options page, click Next.

10. On the Alternate Active Directory Paths page, click Next.

11. On the User Security Groups page, click Next.

12. On the Computer Security Groups page, click Next.

13. On the WMI Filters for Users page, click Next.


14. On the WMI Filters for Computers page, click Next.

15. On the Summary of Selections page, click Next.


16. On the Completing Group Policy Modeling Wizard page, click Finish.

17. Review the report.

18. Close all open windows.
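The following Windows PowerShell script is an added example and is not part of the course material. It produces the same Resultant Set of Policy report that GPResult /h and the Group Policy Results Wizard generate, and then reads the Group Policy operational event log for the most recent processing pass, which is the log the Examining Group Policy event logs topic refers to. It assumes it runs in an elevated session on LON-DC1; the output paths and the user and computer names in the commented line are illustrative.

```powershell
# Added example (not part of the course): RSoP reporting and operational-log triage from PowerShell.
# Assumes an elevated session on LON-DC1; paths and names are illustrative.
Import-Module GroupPolicy

# Equivalent of "GPResult /h results.html" for the current user and computer.
Get-GPResultantSetOfPolicy -ReportType Html -Path 'C:\results.html' | Out-Null

# Equivalent of the Group Policy Results Wizard selections for another principal:
# Get-GPResultantSetOfPolicy -User 'Adatum\Beth' -Computer 'LON-SVR1' -ReportType Xml -Path 'C:\beth-lon-svr1.xml'

function Get-LastGpoRefreshEvents {
    # Every Group Policy processing pass shares one ActivityId. Events 4000-4007 mark the start of a
    # pass (computer/user, boot/logon, background, manual, network change), 8000-8007 its end;
    # 5xxx are informational component events, 6xxx warnings and 7xxx errors.
    $log   = 'Microsoft-Windows-GroupPolicy/Operational'
    $start = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4000..4007 } -MaxEvents 1
    Get-WinEvent -FilterHashtable @{ LogName = $log } |
        Where-Object { $_.ActivityId -eq $start.ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$events = Get-LastGpoRefreshEvents
$events | Format-Table -AutoSize -Wrap

# Warnings and errors in that pass are the first thing to look at when a GPO "did not apply":
# a CSE failure, a DNS or SYSVOL access problem, or a slow-link detection all show up here.
$events | Where-Object { $_.LevelDisplayName -in 'Warning', 'Error' }
```

Filtering on ActivityId is what Group Policy Log View automates: it groups the interleaved events of one refresh so that the time each client-side extension took, and where it failed, can be read in order.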



Module Review and Takeaways


Review Questions
Question: You have assigned a logon script to an OU via Group Policy. The script is located in a shared
network folder named Scripts. Some users in the OU receive the script and others do not. What might be
the possible causes?

Answer: Security permissions might be a problem. If some users do not have Read access to the
Scripts folder, they will not be able to apply policy. Also, security filtering on a GPO might be the
cause of this problem.
Question: What GPO settings apply across slow links by default?

Answer: Registry policy processing and security policy apply even when a slow link is detected.
You cannot change this setting.

Question: You must ensure that a domain-level policy is enforced, but the Managers group must be
exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level and use security group filtering to deny
the Apply Group Policy permission to the Managers group.

Common Issues and Troubleshooting Tips


Common Issue: Group Policy settings are not applied to all users or computers in an OU where a GPO is applied.
Troubleshooting Tip:
• Check security filtering on the GPO.
• Check WMI filters on the GPO.

Common Issue: Group Policy settings sometimes require two restarts to apply.
Troubleshooting Tip: Enable the Always Wait For Network At Startup and Logon policy setting.

Lab Review Questions and Answers


Lab A: Implementing a Group Policy infrastructure
Question and Answers
Question: Many organizations rely heavily on security group filtering to scope GPOs, rather than linking
GPOs to specific OUs. In these organizations, GPOs typically are linked very high in the Active Directory
logical structure—to the domain itself or to a first-level OU. What advantages do you gain by using
security group filtering rather than GPO links to manage a GPO’s scope?

Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an
OU is a fixed, inflexible structure within AD DS; a single user or computer can exist within only
one OU. As organizations get larger and more complex, configuration requirements become
difficult to match in a one-to-one relationship with any container structure. With security groups,
a user or computer can exist in as many groups as necessary, and you can add or remove them
easily without impacting the security or management of the user or computer account.
Question: Why might it be useful to create an exemption group—a group that is denied the Apply Group
Policy permission—for every GPO that you create?

Answer: There are very few scenarios in which you can guarantee that all of the settings in a GPO
will always need to apply to all users and computers within its scope. By having an exemption
group, you will always be able to respond to situations in which you must exclude a user or
computer. This also can help in troubleshooting compatibility and functionality problems.
Sometimes, specific GPO settings can interfere with the functionality of an application. To test
whether the application works on a clean installation of the Windows operating system, you
might need to exclude the user or computer temporarily from the scope of GPOs.

Question: Do you use loopback policy processing in your organization? In which scenarios and for which
policy settings can loopback policy processing add value?

Answer: Answers will vary. Scenarios could include: in conference rooms and kiosks, on Virtual
Desktop Infrastructure computers, and in other standard environments.

Lab B: Troubleshooting Group Policy infrastructure

Question and Answers


Question: In what situations have you used RSoP reports to troubleshoot Group Policy application in your
organization?

Answer: Answers will vary based on students’ experiences and situations. Possible answers might
include:

• Solved a Group Policy issue where one GPO did not apply because of security filtering.

• Solved a Group Policy issue where one client-side extension took 20 seconds to apply
because of a Domain Name System (DNS) issue.
• Located a GPO setting that was configured in the wrong GPO.

• Located a Group Policy issue where the incorrect user settings were applied because of
loopback processing.
Question: In what situations have you used Group Policy modeling? If you have not done this yet, in what
situations can you anticipate using Group Policy modeling?

Answer: Answers will vary based on students’ experiences and situations. Possible answers might
include:

• Managed to configure Group Policy correctly based on Group Policy modeling simulations.

• Tested the result of adding a user to a security group.

• Tested the result of moving a user to another OU.

• Tested the result of configuring loopback processing for a computer.


Managing user settings with Group Policy 6-1

Module 6
Managing user settings with Group Policy
Contents:
Lesson 1: Implementing administrative templates 2

Lesson 2: Configuring Folder Redirection, Software Installation, and Scripts 7


Lesson 3: Configuring Group Policy preferences 12

Module Review and Takeaways 16

Lab Review Questions and Answers 17


Deploying and managing certificates 9-1

Module 9
Deploying and managing certificates
Contents:
Lesson 1: Deploying and managing certificate templates 2

Lesson 2: Managing certificate deployment, revocation, and recovery 5


Lesson 3: Using certificates in a business environment 8

Lesson 4: Implementing and managing smart cards 12

Module Review and Takeaways 14


Lab Review Questions and Answers 16

Lesson 1
Deploying and managing certificate templates
Contents:
Question and Answers 3
Demonstration: Modifying and enabling a certificate template 4

Question and Answers


Question: Which of the following statements are true regarding version 2 certificate templates in AD CS?
(Choose all that apply.)

( ) Version 2 templates support autoenrollment.

( ) You can only modify the Security tab on a version 2 template.

( ) You can upgrade to a version 2 template by duplicating a version 1 template.

( ) Only Windows Server 2008, Windows Vista, and later operating systems support version 2 templates.

( ) Only Windows Server 2012, Windows 8, and later operating systems support version 2 templates.

Answer:
(√) Version 2 templates support autoenrollment.

( ) You can only modify the Security tab on a version 2 template.

(√) You can upgrade to a version 2 template by duplicating a version 1 template.


( ) Only Windows Server 2008, Windows Vista, and later operating systems support version 2
templates.
( ) Only Windows Server 2012, Windows 8, and later operating systems support version 2
templates.

Feedback:

One important aspect of version 2 templates is that they support autoenrollment by Active
Directory Domain Services (AD DS) users and computers. Unlike version 1 templates, you can
modify all aspects of a version 2 template. To upgrade to a version 2 template, you can duplicate
a version 1 template. Version 2 templates are supported on Windows Server 2003 Enterprise
Edition, Windows Server 2008 Enterprise, and Windows Server 2008 R2 and later.

Question: You are the AD CS administrator for A. Datum Corporation. Several users in your AD DS
environment have autoenrolled for a user certificate. You want to shorten the validity period of the user
certificate and need to ensure that users get a new certificate immediately without experiencing any break
in validity of the existing certificate. Which of the following actions should you take? (Choose all that
apply.)
( ) Duplicate the existing template and provide a new template name. Modify the validity period of the
new template.
( ) Modify the validity period of the existing template.

( ) Modify the autoenrollment settings of the existing template.

( ) Revoke all user certificates issued from the existing template.

( ) Modify the new template so that it supersedes the existing template. Publish the new template.

Answer:

(√) Duplicate the existing template and provide a new template name. Modify the validity period
of the new template.

( ) Modify the validity period of the existing template.

( ) Modify the autoenrollment settings of the existing template.

(√) Revoke all user certificates issued from the existing template.

(√) Modify the new template so that it supersedes the existing template. Publish the new
template.

Feedback:
In this situation, you should duplicate the existing template, providing a new template name and
validity period. In addition, you should update the new template so that it supersedes the
previous template. After you publish the new template to an enterprise CA, users who had
autoenrolled against the previous template will autoenroll again for the new template. Once new
certificates with the correct validity period have replaced the previously issued certificates, you
should revoke all user certificates from the existing template so users cannot use them.

If you modify the validity period of the existing template, new enrollments against the template
will have the correct settings, but previously issued certificates will still contain the undesired
validity period. Modifying the autoenrollment settings on the existing template is not necessary
and would not achieve the desired effect.

Demonstration: Modifying and enabling a certificate template


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.

2. In the Certification Authority console, expand AdatumCA, right-click Certificate Templates, and
then click Manage.

3. Review the list of default templates. Examine the templates and their properties.

4. In the details pane, double-click IPsec.


5. In the IPsec Properties dialog box, click through the tabs, and then note what you can modify on
each. Notice that on the Security tab, you can define permissions for enrollment. Click Cancel to
close the template.
6. In the Certificate Templates Console, in the details pane, right-click the Exchange User certificate
template, and then click Duplicate Template.

7. In the Properties of New Template dialog box, review options on the Compatibility tab.

8. Click the General tab, and then in the Template display name text box, type Exchange User Test1.
9. Click the Superseded Templates tab, and then click Add.

10. Click the Exchange User template, and then click OK.

11. Click the Security tab, and then click Authenticated Users.
12. Under the Permissions for Authenticated Users node, select the Allow check boxes for both Enroll
and Autoenroll, and then click OK.

13. Close the Certificate Templates Console.

14. In the Certification Authority console, right-click Certificate Templates, point to New, and then
click Certificate Template to Issue.
15. In the Enable Certificate Templates dialog box, select the Exchange User Test1 certificate, and
then click OK.
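The following Windows PowerShell script is an added example and is not part of the course material. After the template has been duplicated in the Certificate Templates Console as in the demonstration, it reads the new template's version, superseded templates and validity period from the Configuration partition, and then enables it on the CA, which is the scripted equivalent of step 14 and step 15. It assumes the new template's common name is ExchangeUserTest1 (the console derives the name from the display name without spaces; this is an assumption) and that the script runs on LON-DC1, which hosts AdatumCA.

```powershell
# Added example (not part of the course): inspect a certificate template in AD DS and enable it on the CA.
# Assumes the template common name 'ExchangeUserTest1' and that this runs on the CA (LON-DC1).
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

function Get-CertTemplateInfo {
    param([string]$Name)
    $props = 'displayName', 'msPKI-Template-Schema-Version', 'msPKI-Supersede-Templates',
             'pKIExpirationPeriod', 'pKIOverlapPeriod'
    $t = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$Name'" -Properties $props
    if (-not $t) { throw "Template '$Name' not found under $templatesDn" }

    # pKIExpirationPeriod and pKIOverlapPeriod are 8-byte little-endian negative durations in
    # 100-nanosecond units, so negate and read them as .NET ticks.
    $toSpan = { param([byte[]]$b) [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($b, 0)) }

    [pscustomobject]@{
        Name          = $t.Name
        DisplayName   = $t.displayName
        # 1 = version 1 (not editable), 2 = version 2 (Server 2003), 3 = version 3 (Server 2008), 4 = Server 2012+
        SchemaVersion = $t.'msPKI-Template-Schema-Version'
        Supersedes    = ($t.'msPKI-Supersede-Templates' -join ', ')
        Validity      = & $toSpan $t.pKIExpirationPeriod
        RenewalPeriod = & $toSpan $t.pKIOverlapPeriod
    }
}

Get-CertTemplateInfo -Name 'ExchangeUserTest1'

# Enable the template on the CA (equivalent of New > Certificate Template to Issue), then list
# everything this CA currently issues. Only templates in this list can be enrolled against.
Add-CATemplate -Name 'ExchangeUserTest1' -Force
Get-CATemplate | Sort-Object Name
```

Reading msPKI-Supersede-Templates is a quick way to confirm that the duplicate really supersedes Exchange User before publishing it: autoenrolled users only replace their existing certificate when that link is present.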

Lesson 2
Managing certificate deployment, revocation, and
recovery
Contents:
Question and Answers 6
Demonstration: Configuring a CA for key archival 7

Question and Answers


Question: When you revoke a certificate, where is the thumbprint of the certificate published?

( ) CRL distribution point (CDP)


( ) Authority information access (AIA)

( ) Certificate revocation list (CRL)

( ) AD DS
( ) The Online Responder service

Answer:

( ) CRL distribution point (CDP)


( ) Authority information access (AIA)

(√) Certificate revocation list (CRL)

( ) AD DS
( ) The Online Responder service

Feedback:
When you revoke a certificate, the thumbprint of the certificate publishes to the certificate
revocation list (CRL). A CRL distribution point (CDP) is the URL location where the CRL is stored.
The authority information access (AIA) is the URL where the CA certificate is located. AD DS is a
valid location for a CDP, but revoked certificates do not publish directly to AD DS. An Online
Responder service validates the status of a specific certificate by using a local copy of the CRL,
but revoked certificates do not publish directly to an Online Responder service.
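The following Windows PowerShell script is an added example and is not part of the course material. It shows the three locations the feedback distinguishes: it prints the CRL distribution point (CDP) and authority information access (AIA) URLs carried in a certificate, and then checks the certificate's revocation status by building its chain with online revocation checking, which fetches the CRL or queries the Online Responder that the CDP and AIA point to. It assumes a certificate file at C:\temp\user.cer exported from the AdatumCA environment; the path is illustrative.

```powershell
# Added example (not part of the course): read CDP/AIA from a certificate and check revocation online.
# Assumes an exported certificate at the path below (illustrative).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'

# CRL Distribution Points (OID 2.5.29.31) say where the CRL is published;
# Authority Information Access (OID 1.3.6.1.5.5.7.1.1) says where the issuing CA certificate and,
# if configured, the OCSP responder are.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true) }
}

function Test-Revocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # download the CRL / ask the OCSP responder
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every certificate in the chain
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $valid
        # 'Revoked' means the serial number is on the CRL or the responder reported it revoked;
        # 'RevocationStatusUnknown' / 'OfflineRevocation' mean the CDP or responder was unreachable,
        # which is a different problem (and one that many applications treat as "not revoked").
        Status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

Test-Revocation -Certificate $cert
```

The equivalent command-line check is certutil -verify -urlfetch on the same file, which additionally lists each CDP and AIA URL it tried and whether the download succeeded.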
Question: Which of the following actions must you take to configure key archival on an AD CS CA?
(Choose all that apply.)

( ) Configure the KRA certificate template.


( ) Enroll a designated user for a KRA certificate.
( ) Publish the KRA public key by using Group Policy.

( ) Configure a recovery agent on the CA.

( ) Configure desired certificate templates for key archival.


Answer:

(√) Configure the KRA certificate template.


(√) Enroll a designated user for a KRA certificate.

( ) Publish the KRA public key by using Group Policy.

(√) Configure a recovery agent on the CA.

(√) Configure desired certificate templates for key archival.

Feedback:

To configure key archival, you should:


1. Configure the KRA certificate so that only trusted users can enroll for a certificate.
2. Enroll a trusted user for the KRA certificate.
3. Configure a recovery agent on the CA by using the KRA certificate.
4. Configure the desired certificate templates for key archival.

You do not need to publish the KRA public key by using Group Policy.

Demonstration: Configuring a CA for key archival


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority. In the
Certification Authority console, expand the AdatumCA node, right-click the Certificate
Templates folder, and then click Manage.

2. In the details pane, right-click the Key Recovery Agent certificate, and then click Properties.

3. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab, clear the
CA certificate manager approval check box, and then click the Security tab. Notice that the
Domain Admins and Enterprise Admins groups are the only groups that have the Enroll permission,
and then click OK.

4. Close the Certificate Templates Console.

5. In the Certification Authority Console, right-click Certificate Templates, point to New, and then
click Certificate Template to Issue.
6. In the Enable Certificate Templates dialog box, click the Key Recovery Agent template, and then
click OK.

7. Click Start, and then click the Windows PowerShell icon.


8. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.
9. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.

10. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
11. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
12. Expand the Certificates - Current User node, right-click Personal, point to All Tasks, and then click
Request New Certificate.
13. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
14. On the Select Certificate Enrollment Policy page, click Next.

15. On the Request Certificates page, select the Key Recovery Agent check box, click Enroll, and then
click Finish.
16. Refresh the console, and then view the KRA in the personal store; that is, scroll across the certificate
properties and verify that the certificate template with the intended purpose Key Recovery Agent is
present.

17. Close Console1 without saving changes.

18. Return to the Certification Authority console, right-click AdatumCA, and then click Properties.

19. In the AdatumCA Properties dialog box, click the Recovery Agents tab, and then select Archive
the key.

20. Under Key recovery agent certificates, click Add.


21. In the Key Recovery Agent Selection dialog box, click More Choices and click the certificate with
the KRA purpose (it most likely will be last on the list issued to Administrator), and then click OK
twice.

22. When prompted to restart the CA, click Yes.
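The following Windows PowerShell script is an added example and is not part of the course material. It verifies each of the four key archival prerequisites from the lesson after the demonstration has been completed: who can enroll for the Key Recovery Agent template, that a KRA certificate is present in the personal store, that the CA has a recovery agent configured, and which templates require private key archival. It assumes it runs on LON-DC1 as the user who enrolled for the KRA certificate.

```powershell
# Added example (not part of the course): verify the key archival configuration end to end.
# Assumes this runs on the CA (LON-DC1) as the user who enrolled for the KRA certificate.
Import-Module ActiveDirectory

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

# 1. Who may enroll for the KRA template (Security tab)? Enroll is the extended right
#    0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object. This list should be short:
#    anyone who can enroll for a KRA certificate can recover archived private keys.
$kraTemplate = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq 'KeyRecoveryAgent'" `
    -Properties nTSecurityDescriptor
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$kraTemplate.nTSecurityDescriptor.Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, AccessControlType

# 2. The KRA certificate in the current user's personal store (KRA EKU OID 1.3.6.1.4.1.311.21.6),
#    which is what step 16 checks in the Certificates snap-in.
$kraCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.21.6' }
if (-not $kraCert) { Write-Warning 'No Key Recovery Agent certificate in the personal store' }
$kraCert | Select-Object Subject, NotAfter, Thumbprint

# 3. The CA side of the Recovery Agents tab: how many KRAs are configured and their hashes.
certutil -getreg ca\KRACertCount
certutil -getreg ca\KRACertHash

# 4. Templates that require archival: bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
#    in msPKI-Private-Key-Flag. Only certificates from these templates have recoverable keys.
Get-ADObject -SearchBase $templatesDn -Filter "objectClass -eq 'pKICertificateTemplate'" `
    -Properties 'msPKI-Private-Key-Flag' |
    Where-Object { ($_.'msPKI-Private-Key-Flag' -band 1) -ne 0 } |
    Select-Object Name
```

Step 1 is the security check that matters most: key archival makes the CA database a store of users' private keys, so the Enroll permission on the KRA template, and the list of KRA certificates on the CA, should be reviewed as carefully as membership of the Domain Admins group.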



Lesson 3
Using certificates in a business environment
Contents:
Question and Answers 9
Demonstration: Signing a document digitally 10
Demonstration: Encrypting a file with EFS 11

Question and Answers


Question: Which of the following are true statements regarding the use of certificates in a business
environment? (Choose all that apply.)

( ) Certificates can be used to encrypt HTTP traffic between a web server and browser.

( ) Users can use certificates to digitally sign documents.

( ) Digitally signed documents are invalid if someone modifies the contents.

( ) To send encrypted email to an external recipient who is not part of your internal PKI, you must use an
encryption certificate that a public CA issued.
( ) Files encrypted by using EFS can only be read by the individual who first encrypted the file.

Answer:

(√) Certificates can be used to encrypt HTTP traffic between a web server and browser.

(√) Users can use certificates to digitally sign documents.

(√) Digitally signed documents are invalid if someone modifies the contents.

( ) To send encrypted email to an external recipient who is not part of your internal PKI, you
must use an encryption certificate that a public CA issued.
( ) Files encrypted by using EFS can only be read by the individual who first encrypted the file.

Feedback:

Certificates can be used for encrypting HTTP traffic, to digitally sign and encrypt documents and
emails, and for client/server authentication. Digitally signed documents are invalid if someone
modifies the contents. To send encrypted email to an external recipient, you can use either an
internal or publicly issued certificate, if you have access to the recipient’s public key. Files
encrypted by using EFS can be read by the individual who encrypted the file and by any users
explicitly designated for EFS sharing. If the private key of the encrypting individual is lost or
deleted, a Data Recovery Agent can access the file or a Key Recovery Agent can retrieve the
private key, if you configured key archival on the EFS certificate template and issuing CA.

Question: You are the AD CS administrator for A. Datum. You want to enable your AD DS users to
perform digital signature and encryption by using certificates from your internal PKI. Which of the
following steps are necessary?

( ) Enable a Key Recovery Agent.


( ) Enable a Data Recovery Agent.

( ) Publish the User certificate template and configure the desired groups of users for autoenrollment.

( ) Enable EFS on AD DS domain computers by using Group Policy.

( ) Upgrade all AD DS domain computers to Windows Server 2016 or Windows 10.

Answer:

( ) Enable a Key Recovery Agent.

( ) Enable a Data Recovery Agent.

(√) Publish the User certificate template and configure the desired groups of users for
autoenrollment.

( ) Enable EFS on AD DS domain computers by using Group Policy.

( ) Upgrade all AD DS domain computers to Windows Server 2016 or Windows 10.



Feedback:

To enable digital signature and encryption, you should only need to publish the User certificate
template and configure it for autoenrollment. Although using a Key Recovery Agent and Data
Recovery Agent are best practices, they are not necessary to enable digital signatures and
encryption. You do not need to enable EFS on AD DS domain computers, nor do you need to
upgrade all AD DS domain computers to Windows Server 2016 or Windows 10.

Demonstration: Signing a document digitally


Demonstration Steps
1. On LON-CL1, open the Windows PowerShell command-line interface.

2. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.

3. In the Console1 – [Console Root] window, click the File menu, and then select Add/Remove Snap-
in.

4. Select Certificates, click Add, select My user account, click Finish, and then click OK.

5. Expand Certificates - Current User, right-click Personal, select All Tasks, and then click Request
New Certificate.
6. In the Certificate Enrollment Wizard, click Next twice.

7. On the Certificate Enrollment page, in the list of available templates, select User, click Enroll, and
then click Finish.

8. Close the Console1 – [Console Root] window without saving changes.

9. Open Word 2016.

Note: If the Microsoft Office Activation Wizard appears, click Close. Click Ask me later,
and then click Accept.

10. In a blank document, type some text, and then save the file to the desktop.
11. On the toolbar, click Insert, and then in the Text pane, in the Signature Line drop-down list, click
Microsoft Office Signature Line.

12. In the Signature Setup window, type your name in the Suggested signer text box, type
Administrator in the Suggested signer’s title text box, type [email protected] in the
Suggested signer’s email address text box, and then click OK.

13. Right-click the signature line in the document, and then click Sign.

14. In the Sign window, click Change.

15. In the Windows Security window under Select a certificate, select the Administrator certificate
with today’s date, and then click OK.

16. In the text box to the right of the X, type your name, click Sign, and then click OK.

Note: Explain to students that you can select an image instead of typing your name. This
image can be your scanned, handwritten signature.

17. Ensure that you cannot edit the document further.

18. Close Word 2016, and then save the changes when prompted.

19. Stay signed in for the next demonstration.

Demonstration: Encrypting a file with EFS


Demonstration Steps
1. On LON-CL1, right-click the Microsoft Word document that you saved to the desktop in the previous
demonstration, and then click Properties.

2. On the General tab of the Properties dialog box, click Advanced, click Encrypt contents to secure
data, and then click OK twice.

3. In the prompt window, select Encrypt the file only, and then click OK.

4. Move the document that you encrypted to the C:\Users\Public\Public Documents folder.

5. Sign out of LON-CL1.

6. Sign in as Adatum\Aidan with the password Pa55w.rd.

7. Open File Explorer, and then go to C:\Users\Public\Public Documents.


8. Try to open the encrypted document.

9. Verify that you cannot open the document.

10. Sign out of LON-CL1.
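The following Windows PowerShell script is an added example and is not part of the course material. It performs the encryption from the demonstration with cipher.exe instead of the Properties dialog box, verifies the Encrypted attribute, and lists which certificates can decrypt the file, which is what determines whether Aidan can open it. It assumes a file named demo.docx in the Public Documents folder (the on-disk path of the folder shown as Public Documents in File Explorer) and that the encrypting user has an EFS certificate or will autoenroll for one on first use.

```powershell
# Added example (not part of the course): EFS with cipher.exe and a check of who can decrypt the file.
# Assumes the file below exists; the path is the on-disk location of "Public Documents".
$file = Join-Path $env:PUBLIC 'Documents\demo.docx'

# Encrypt only this file. /a makes cipher act on files (without it, it operates on directories).
cipher /e /a $file | Out-Null

function Test-EfsEncrypted {
    param([string]$Path)
    ((Get-Item $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
}
Test-EfsEncrypted $file   # True after the command above

# Who holds a key for this file: the encrypting user's EFS certificate and any Data Recovery
# Agents published through Group Policy. A user who is not listed (Aidan, in the demonstration)
# gets "Access is denied" even with full NTFS permissions.
cipher /c $file

# The user's own EFS certificate (EFS EKU OID 1.3.6.1.4.1.311.10.3.4). If this private key is lost
# and no DRA or archived key exists, the file is unrecoverable.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Thumbprint, NotAfter

# To let another domain user open the file, add their EFS certificate (it must be obtainable,
# for example published to their AD DS user object):
# cipher /adduser /user:Adatum\Aidan $file
```

Running cipher /c before moving a file to a shared location is a useful habit: it shows whether a recovery agent is present, which is the only thing standing between a lost EFS key and a permanently unreadable document.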



Lesson 4
Implementing and managing smart cards
Contents:
Question and Answers 13

Question and Answers


Question: Which of the following statements about smart cards are true?

( ) Smart cards provide an option for multifactor authentication.


( ) You cannot use smart cards for interactive sign in.

( ) Smart cards contain a certificate and private key that you can only access by using a PIN.

( ) Smart cards provide enhanced security beyond a password.


( ) You can use smart cards only for digital signature and encryption.

Answer:

(√) Smart cards provide an option for multifactor authentication.


( ) You cannot use smart cards for interactive sign in.

(√) Smart cards contain a certificate and private key that you can only access by using a PIN.

(√) Smart cards provide enhanced security beyond a password.


( ) You can use smart cards only for digital signature and encryption.

Feedback:
Smart cards provide an option for multifactor authentication: users must have the smart card in
their physical possession and must additionally know their PIN. By entering the PIN, certificates
and private keys stored on the smart card become available for authentication, digital signature,
and encryption. Using smart cards for interactive sign in provides enhanced security beyond a
password.

Question: When implementing a smart card infrastructure, which of the following processes should be
part of your certificate management framework?
( ) Issuance

( ) Revocation

( ) Renewal
( ) Blocking and unblocking

( ) Suspension

Answer:

(√) Issuance

(√) Revocation

(√) Renewal
(√) Blocking and unblocking

(√) Suspension
Feedback:

All of the above are correct processes that you should include in your certificate management
plan. You can perform some of the processes with built-in tools. However, because of the
complexity involved, we recommend that you implement a dedicated solution for smart card and
certificate management, such as MIM.

Module Review and Takeaways


Best Practices
• When replacing old certificate templates, use superseding templates.

• Always archive certificates that serve encryption purposes.


• Use autoenrollment for mass deployment of certificates.

• If you are using smart cards, make sure that users change their PINs regularly.

• If you are using smart cards, implement a smart card management solution.

Review Questions
Question: List the requirements to use autoenrollment for certificates.

Answer: To use autoenrollment for certificates, you must have an enterprise CA, because
autoenrollment relies on certificate templates published in AD DS, which a standalone CA does not
use. On each template that should autoenroll, grant the Read, Enroll, and Autoenroll permissions to
the intended users or computers and publish the template on the CA. Finally, enable the Certificate
Services Client - Auto-Enrollment setting in a Group Policy Object that applies to those users or
computers.

Question: How do virtual smart cards work?


Answer: Virtual smart cards emulate the functionality of traditional smart cards, but instead of
requiring the purchase of additional hardware, they use the Trusted Platform Module (TPM) that is
already present in the user's device to store and protect the private key. The TPM plays the role of
the card: the key is non-exportable, it is unlocked with a PIN, and the TPM's anti-hammering
protection limits PIN guessing.

Real-world Issues and Scenarios


Contoso, Ltd. wants to deploy a PKI to support and secure several services. It has decided to use Windows
Server 2016 AD CS as a platform for PKI. Contoso will use certificates primarily for EFS, digital signing, and
web servers. Because encrypted documents are important, it is crucial to have a disaster recovery strategy
in case of key loss. In addition, clients that will access secure parts of the company website must not
receive any warning in their browsers. Consider the following questions:

• What kind of deployment should Contoso choose?

• What kind of certificates should Contoso use for EFS and digital signing?

• What kind of certificates should Contoso use for a website?


• How will Contoso ensure that EFS-encrypted data is not lost if a user loses a certificate?

Tools
• The Certification Authority console

• The Certificate Templates Console

• The Certificates console


• Certutil.exe

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

Common issue: The certificate template is not visible during enrollment.
Troubleshooting tip: Make sure that you configured the Read and Enroll permissions on the template
correctly.

Common issue: Autoenrollment does not work.
Troubleshooting tip: Ensure that you configured the autoenrollment options in Group Policy and that
you assigned the Read, Enroll, and Autoenroll permissions to the appropriate group of users or
computers.

Common issue: The user who encrypted a file cannot decrypt it.
Troubleshooting tip: Ensure that the user possesses the private key from the key pair. Also, ensure
that the certificate has not expired. If a private key is lost or a certificate has expired, use a KRA
or DRA.
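The two autoenrollment problems above (template not visible, autoenrollment not running) come down to the same two prerequisites: the template ACL and the Group Policy setting. The following PowerShell script is an added example, not part of the course manual, that checks both. It assumes the ActiveDirectory module is installed and that it runs as a domain user on a domain-joined computer; the template name ContosoUser and the principal CONTOSO\Domain Users are placeholders.

```powershell
# Added example (not from the course manual): check the prerequisites that
# autoenrollment needs for one certificate template.
# Assumptions: ActiveDirectory module available, domain-joined machine, and the
# template/principal names passed in are placeholders for your own environment.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that the template ACL uses for Enroll/Autoenroll.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Test-TemplateEnrollmentAccess {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # cn of the template, e.g. 'ContosoUser'
        [Parameter(Mandatory)][string]$Principal       # 'DOMAIN\Group' or 'DOMAIN\User'
    )
    # Templates live in the Configuration partition, so they are forest-wide.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    $result = [ordered]@{ Template = $TemplateName; Principal = $Principal
                          Read = $false; Enroll = $false; Autoenroll = $false }
    foreach ($ace in $acl.Access) {
        # Only direct matches are evaluated; nested group membership is not expanded.
        if ($ace.AccessControlType -ne 'Allow')            { continue }
        if ($ace.IdentityReference.Value -ne $Principal)   { continue }

        # The console's "Read" permission is stored as GenericRead.
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)) {
            $result.Read = $true
        }
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ace.ObjectType -eq $EnrollRight)     { $result.Enroll = $true }
            if ($ace.ObjectType -eq $AutoEnrollRight) { $result.Autoenroll = $true }
            # An ExtendedRight ACE with an empty ObjectType grants every extended right.
            if ($ace.ObjectType -eq [guid]::Empty)    { $result.Enroll = $true; $result.Autoenroll = $true }
        }
    }
    [pscustomobject]$result
}

function Get-AutoenrollmentPolicyState {
    # Reads the registry value written by the 'Certificate Services Client -
    # Auto-Enrollment' Group Policy setting, for the computer and the user scope.
    # AEPolicy bit meanings as documented by Microsoft: 0x1 enabled, 0x2 renew
    # expired/update pending, 0x4 update templates (0x7 = all), 0x8000 disabled;
    # a missing value means "Not configured".
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "$hive`:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{
            Scope    = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
            AEPolicy = $value
            Enabled  = ($null -ne $value) -and (($value -band 0x8000) -eq 0) -and (($value -band 0x1) -eq 0x1)
        }
    }
}

# Usage (placeholder names):
Test-TemplateEnrollmentAccess -TemplateName 'ContosoUser' -Principal 'CONTOSO\Domain Users'
Get-AutoenrollmentPolicyState
# After fixing permissions or policy, trigger an autoenrollment pass instead of waiting:
certutil.exe -pulse
```

If Read, Enroll, and Autoenroll all come back True for the group, and the relevant scope reports Enabled, but the client still does not enroll, the remaining usual suspects are the template not being published on the CA (Certificate Templates folder in the Certification Authority console) and the client not being able to reach the CA over DCOM/RPC.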

Lab Review Questions and Answers


Lab: Deploying and using certificates
Question and Answers
Question: What must you do to recover private keys?

Answer: To recover private keys, you must first issue a key recovery agent (KRA) certificate and
register it on the CA, then configure the CA to archive keys, and finally enable key archival on the
specific templates whose keys should be archived. Only keys that were archived at enrollment time can
be recovered.
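The recovery answer above and the EFS disaster-recovery question in the Contoso scenario describe the same workflow, which this added example drives from PowerShell with certutil.exe. It is not part of the course manual. It assumes the CA configuration string CA01.contoso.com\Contoso-CA, a template named ContosoEFS, a user alice@contoso.com who lost her key, and that the KRA certificate and its private key are in the profile of the account that runs Restore-ArchivedKey; all of these names are placeholders.

```powershell
# Added example (not from the course manual): the key archival / recovery flow
# for an EFS template, driven from PowerShell with certutil.exe.
# Assumptions (placeholders): CA config string, template name, user UPN, and
# that the account running Restore-ArchivedKey holds the KRA private key.

$CAConfig = 'CA01.contoso.com\Contoso-CA'

function Test-TemplateRequiresArchival {
    param([Parameter(Mandatory)][string]$TemplateName)
    # The "Archive subject's encryption private key" checkbox on the template's
    # Request Handling tab sets bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
    # of msPKI-Private-Key-Flag. Without it, nothing is archived and nothing can be recovered.
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $flags = (Get-ADObject -Identity $dn -Properties 'msPKI-Private-Key-Flag').'msPKI-Private-Key-Flag'
    ($flags -band 0x1) -eq 0x1
}

function Get-ArchivedKeyBlob {
    # Step performed by a CA officer. Exports the archived key material for the
    # user as a blob that is still encrypted to the KRA certificate(s); the CA
    # officer cannot read the key from it.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$OutFile
    )
    # certutil -getkey accepts a serial number, certificate hash, or UPN as the search token.
    & certutil.exe -config $CAConfig -getkey $UserPrincipalName $OutFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }
    Get-Item -Path $OutFile
}

function Restore-ArchivedKey {
    # Step performed by the KRA holder. Decrypts the blob with the KRA private key
    # and writes a password-protected PFX that the user imports to regain EFS access.
    param(
        [Parameter(Mandatory)][string]$BlobFile,
        [Parameter(Mandatory)][string]$PfxFile,
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword
    )
    # certutil needs the password as plain text on its command line; keep this
    # session short-lived and clear the variable afterwards.
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    try {
        & certutil.exe -p $plain -recoverkey $BlobFile $PfxFile
        if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }
    }
    finally {
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }
    Get-Item -Path $PfxFile
}

# Usage (placeholder names), split across the two roles:
# 1. Confirm the template actually archives keys before relying on recovery.
Test-TemplateRequiresArchival -TemplateName 'ContosoEFS'
# 2. CA officer, on the CA: export the encrypted blob for the user.
Get-ArchivedKeyBlob -UserPrincipalName 'alice@contoso.com' -OutFile 'C:\recovery\alice.key'
# 3. KRA holder: decrypt the blob into a PFX for the user to import.
Restore-ArchivedKey -BlobFile 'C:\recovery\alice.key' -PfxFile 'C:\recovery\alice.pfx' `
                    -PfxPassword (Read-Host -AsSecureString -Prompt 'PFX password')
```

Keeping the two steps on different accounts is the point of the design: the CA officer can export blobs but cannot decrypt them, and the KRA holder can decrypt but only what a CA officer handed over, so no single person can silently recover another user's EFS key. The CA has to have at least one KRA certificate registered (Recovery Agents tab in the Certification Authority console) before it will archive anything.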
Question: What is the benefit of using a restricted Enrollment Agent?

Answer: A restricted Enrollment Agent lets you limit which users or groups a designated Enrollment
Agent can enroll for smart card certificates on behalf of, and which certificate templates the agent
can use for that purpose, instead of allowing the agent to enroll any user for any template that
permits enrollment on behalf of others.

Module 10
Implementing and administering AD FS
Contents:
Lesson 1: Overview of AD FS 2

Lesson 2: AD FS requirements and planning 4


Lesson 3: Deploying and configuring AD FS 7

Lesson 4: Web Application Proxy overview 11

Module Review and Takeaways 15


Lab Review Questions and Answers 16
