MIT 403– Network Administration Lab 6


MIT 403– Network Administration I
User Accounts and Group Policies

Revision Date: 2017-10-21
Lab 6

In this project you will:
This Lab will advance your of Accounts in the context of Groups and Organizational Units. As you have learned, OU’s are often created to reflect the organizational structure of a corporation. In this lab you will create a variety of OU’s, and accounts, then modify the privileges of such accounts using Group Policy.

Before You Begin…
Ensure your Server and Workstation have full connectivity, and that the systems show up in the Active Directory. (Open some shares on the Server, starting from My Network Places on your Workstation).

Step 1 - Check for Proper Connectivity – On Server
1.Open the Active Directory Users and Computers, you can find Active Directory from the Tools menu in Server Manger then click Administrative Tools.

MIT 403课程作业代写、Python,Java编程作业调试、代写c/c++实验作业、代做Network课程作业
2.Expand your Domain to show the subfolders Computers and Controllers.
3.Open the Computers sub-folder and you must see your W1111XXX Workstation listed.
4.Open the Domain Controllers folder and you should see the S1111xxx NetBIOS name of your DC.
5.If you don’t see either your server, or Workstation listed, you need to re-establish you domain membership.
Step 2 - Creating Organizational Units – On Server
1.While still in Active Directory Users and Computers, click on the domain (top) to expand and show the sub-folders, if not at this point already.
2.Right click on the top-level folder (your domain), select New, then Organizational Unit.
a.Notice that the New Object - Organizational Unit dialog appears.
b.Note that the only information required is the name of the OU.
c.The dialog also indicates the domain the OU will be created in
3.Create three new OU’s called; Managers, Sales, Production. Create them using the following nomenclature.
i.Managers
ii.Sales
iii.Production
4.Continue now by creating new user accounts in each of the 3 OU’s (next steps).

Step 3: Create user accounts and OUs by using the GUI and command line – On Server
1.Now still within the Console Tree of Active Directory Users and Computers, right click on the Managers domain and select New then User.
a.Notice that once again the New Object dialog appears, specifically the User dialog.
b.Again note the domain the account is being created in.
2.Create a new account for each member of your group in each of the 3 OU’s (note step 3).
a.Use the first initial of your first name, followed by the first 7 characters of your last name. The same method used for the accounts recently created for the Scripts labs.
b.Please Note: When creating accounts in the Managers OU (and others), prefix each section of each account with the letter “M”. Example; mBill mGates mbgates. In following this format, actual user accounts can be 9 characters in length, or less, depending upon the length of your last name.
c.When creating accounts in the Sales OU, prefix each account with the letter “S”. Follow this method for the other two OU’s just created.
3.When creating the accounts, use 80A$tudent as the password for all accounts.
4.Select the password never expires option.
5.Select finish at the summary dialog.
6.Close all windows and consoles.

7.Open a PowerShell prompt. Type New-ADOrganizationalUnit Advertising and press Enter.

8. Type New-ADUser "Abill Agates1" -SamAccountName "Abgates1" -Path
"ou=Advertising,dc=DomainName,dc=extension" -PasswordNeverExpires $True and press Enter.

(DomainName = Your domain name, dc = the extension on your server .com or .ca etc)

9.Repeat the previous command, replacing the 1 with 2 to create Bill Gates2. These user accounts are disabled because no password is set. For now, you don’t need these accounts to be enabled.

10.Now you create a group and add members to it. You use this group in a later activity
when you work with password settings objects. Type New-ADGroup PSO-Group –Path
"ou=Advertising,dc=DomainName,dc=extension" -GroupScope Global and press Enter.

11.Add members to the group by using dsquery and dsmod in a piped command. Type
dsquery.exe user "ou=Advertising,dc=DomainName,dc=extension" | dsmod group
"cn=pso-group,ou=Advertising,dc=DomainName,dc=extension" -addmbr and press Enter.


Step 3 - Moving Accounts Within Organizational Units – On Server
Members within corporations often change departments and job roles/responsibilities. This would require considerable account modification in any such move, to properly address the users’ new requirements or privileges. With Server 2012 you simply move the account from one OU to the other. Complete the following steps to move accounts within your OU’s
1.Again, open Active Directory Users and Computers.
2.Highlight the Sales OU and maximize it to see the new members. Select one account of choice, right click on it then select Move.
3.In the Move dialog box, expand your domain if necessary, click/select the Managers OU and then click OK.
a.Notice the account no longer appears in the Sales OU.
b.Check the Managers OU and see if the new account now appears here.

Step 4 – Creating a Password Settings Object – On Server
You have a group of users who would benefit from a less stringent password policy than what’s defined for the domain. You create a PSO, define the settings, and link it to the group. Last, you test the settings.
1.Open Active Directory Administrative Center from the Tools menu in Server Manager
2.Click YourDomainName.local to see the folders and OUs in the middle pane. Double-click System and then Password Settings Container. In the Tasks pane, click New, and then click Password Settings.
3. In the Create Password Settings dialog box, type PSO1 in the Name text box and 5 in the Precedence text box. The Precedence value doesn’t mean much until you have more than one PSO defined.
4.In the “Minimum password length (characters)” text box, type 4, and in the “Number of passwords remembered” text box, type 5. Click to clear the Password must meet complexity requirements, Enforce minimum password age, and Enforce maximum password age check boxes. Leave the Enforce account lockout policy at the default so that accounts are never locked out. Leave the Protect from accidental deletion.
5.Click the Add button, and type pso-group. Click Check Names and then OK. The settings should look like the figure below. Click OK.

6. In Active Directory Administrative Center, expand the Advertising OU, and then click one of the users. In the Tasks pane, click Reset password. Type pass1 in the Password and Confirm password text boxes, and then click OK. The new password is accepted.

Step 5 - Modifying OU Properties – On Server
1.In Server Manager Go to Tools-> Group Policy Management
2.Expand the Forest: then expand Domains and finally expand your DomainName.
3.Right click on the Managers OU, then select Create a GPO in this domain and Link it here….
4.Notice the default name of New Group Policy Object is highlighted ready to be named.
5.Name it Managers Group Policy and then press enter.
6.Select the Managers Group Policy console which was created which opens the MMC and shows the contents of the Managers Group Policy.
7.Right click the Managers Group Policy then select Edit…
8.Select the Standard display tab on the bottom of the contents pane.
9.Carefully open the Computer Configuration Templates. Note their hierarchical (and you thought it was bad trying to say it), structure and contents.
10.Expand the Policies->Administrative Templates->System templates.
11.Select Disk Quotas. Notice the available policy features, (may have to re-select standard view).
12.Double click Disk Quotas and then double click on Enable Disk Quotas. The Enable disk quotas Properties dialog appears.
13.Notice the three configuration Radio Buttons. Do Not Modify any settings… just take note.
14.Click on the Next Setting button just above the OK button and see how the properties dialog reflects/illustrates the available policy options. Click through all Quotas, noting the options.
15.Select cancel to close the properties dialog, and minimize “-“ the 3 Computer Configuration templates.
16.Now under the User Configuration->Policy, (expand if necessary), note the same three Configuration Templates, (by name).
17.Expand Administrative Templates.
18.Double click on the Start Menu & Taskbar selection.
19.Scroll down to the Remove frequent programs list from the Start Menu, double click, then select the Enable Radio button.
20.Click the Next Setting button until the Change Start Menu power button appears. Enable it and select Log off.
21.Find and enable Prevent changes to Taskbar and Start Menu Settings option (what a surprise eh!).
22.Open the Personalization subfolder found under Control Panel, (need to “+” expand both, and double click display).
23.Note the Prevent changing desktop background and Prevent Changing screen saver policy option. Open and enable both.
24.Note: At any time, you can select a Setting a Description appears at the side of a specific configuration feature for information about what exactly it does.
25.Before exiting the Group Policy console, explore the remaining configuration options. This is simply for your own good, as Group Policies are often set in corporations of any size.
26.Now close all dialogs but leave the Group Policy Management console still open, your Policy will automatically be saved, but needs to be activated. As usual, from the Run command line, type in GPUPDATE and hit enter, (Group Policy Update)

Step 6 - Delegating Control of OU – On Server
For this step you will simply add groups or individuals to this Active Directory object (OU), in such a way and reason, so that you are specifying who you wish to have administrative privileges, or the ability to manage this OU. If you are the loan administrator of a decent sized company, you don’t want to be playing with many different Group Policies throughout the day/week/whatever. Instead, you allow an individual or two from the department in question to manage their own OU…… makes sense also…
1.In Server Manager go to Tools->Group Policy Management
2.Click on the Managers OU.
3.Select the Delegation tab, (the groups and users who have permission now appears).
4.Now select Add.
5.Like adding accounts to shares or file security settings, add the name of one group member and give them Edit settings permissions.
6.Now select OK and you should notice your name in the selected users and groups list. .
7.You have now specified which user(s) can control/administer that OU.

Step 7 – Testing Group Policy –On Workstation Windows 10
Let’s see if it works….

1.Test your screen saver option modification by logging on to the Workstation, using one of the recently created user accounts that reside in the Managers OU. Check the display properties to see if the background option is available by right clicking the desktop and selecting personalize. If so, log off then log on again and re-test.

Make sure I check your work and your mark sheet is completed and handed in.

St Clair College of Applied Arts & Technology
MIT 403 – Network Administration I
User Accounts and Group Policies

因为专业,所以值得信赖。如有需要,请加QQ:99515681 或邮箱:99515681@qq.com

微信:codehelp

上一篇:leetcode181 超过经理收入的员工 Employees Earning More Than Their Managers


下一篇:(十九)设计模式-原型模式