Apply Your Knowledge
Exercises
3.1 Creating User Accounts via Automation
Imagine that our fictional company, Lantrainers, has a class starting next week, and the students registered for the class will need user accounts. Each account will need to be a member of the Students group, and we'll need the student's title, company name, and business phone number in the user account information.
We will use dsadd, csvde, and dsmod to make an OU called LanStudents, create user accounts, set passwords, and make the user accounts members of the Students global group.
Here is the data we'll be using:

Last Name | First Name | Title | Phone | Company
Amell | Bernie | Trainer | 555-7179 | Prairie Sky Consulting
Blanchard | Verna | Systems Analyst | 555-4296 | Housing Associates
Bond | Dorothy | Trainer | 555-7096 | Prairie Sky Consulting
Clark | Cathie | Trainer | 555-7028 | Prairie Sky Consulting
Ducharme | Lydia | Network Administrator | 555-7220 | Goldenrod Developments
Emmett | Matt | Network Administrator | 555-6057 | Goldenrod Developments
Guyn | Karen | Network Administrator | 555-1544 | Goldenrod Developments
Guyn | Pat | Systems Analyst | 555-6669 | Goldenrod Developments
James | Robert | Systems Analyst | 555-8729 | Housing Associates
Jensen | Nicole | Systems Analyst | 555-8849 | Goldenrod Developments
Kyle | Ann | Trainer | 555-8849 | Prairie Sky Consulting
Magnus | Holly | Trainer | 555-5295 | Prairie Sky Consulting
Michell | Christine | Network Administrator | 555-4755 | Prairie Sky Consulting
Myers | Leslie | Network Administrator | 555-1479 | Goldenrod
Nowlin | Patty | Systems Analyst | 555-4296 | Housing Associates
Poulin | Paule | Systems Analyst | 555-8606 | Housing Associates
Rutherford | Donna | Trainer | 555-7612 | Prairie Sky Consulting
Ryan | Kathleen | Network Administrator | 555-5467 | Goldenrod Developments
Sept | Rick | Systems Analyst | 555-6057 | Housing Associates
Stratton | Susan | Systems Analyst | 555-6669 | Housing Associates
Swenson | Kathi | Network Administrator | 555-5487 | Goldenrod Developments
Estimated Time: 45 minutes
1. Open a command prompt and change to the root directory of the C: drive.
2. Use dsadd to create an OU called "OU=LanStudents,OU=Vancouver,OU=LTI, DC=lantrainers,DC=local".
3. Type a csvde command to create a list of the user accounts in the OU=Users,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local OU. Use the parameter -l l,company,objectclass,name,title,company,l,telephoneNumber,userAccountControl,samaccountname to limit the number of fields displayed. Send the output to csvde-out.txt. Copy the file to csvde-in.txt.
4. Use a spreadsheet program, a database program, or Notepad to modify csvde-in.txt. Retain the first record (it has the field names we'll need), but replace the data lines with data from the preceding table. Ensure that the fields are in the proper columns.
5. Use csvde to input the data in csvde-in.txt into Active Directory (csvde -i -f csvde-in.txt -j c:\). Confirm that the records were created with Active Directory Users and Computers.
6. Use dsquery to display all the users in the LanStudents OU, and pipe the result as input to a dsmod command that sets the password for all users to Secur1ty and enables the account (dsquery user "OU=LanStudents,OU=Vancouver, OU=LTI,DC=lantrainers,DC=local" | dsmod user -pwd Secur1ty -mustchpwd yes -disabled no).
7. Open Active Directory Users and Computers and navigate to the LanStudents OU to see the user accounts.
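The import file in steps 3 through 5 is the error-prone part of the exercise, so here is a script (an added example, not from the book) that builds csvde-in.txt from the roster. It assumes the OU distinguished name from step 2 and a first-initial-plus-surname naming convention for sAMAccountName; note that csvde cannot set passwords, which is why the accounts import disabled (userAccountControl 514) and step 6 is still needed.

```python
import csv
import io

# Constructed roster rows (last name, first name, title, phone, company), a
# subset of the exercise table; the full table can be pasted in the same way.
ROSTER = [
    ("Amell", "Bernie", "Trainer", "555-7179", "Prairie Sky Consulting"),
    ("Guyn", "Karen", "Network Administrator", "555-1544", "Goldenrod Developments"),
    ("Guyn", "Pat", "Systems Analyst", "555-6669", "Goldenrod Developments"),
]
OU_DN = "OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local"
FIELDS = ["DN", "objectClass", "name", "title", "company",
          "telephoneNumber", "userAccountControl", "sAMAccountName"]
# 514 = NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2). csvde cannot set a
# password, so the accounts import disabled until dsmod sets one and enables them.
UAC_DISABLED_NORMAL = 0x200 | 0x2


def escape_rdn(value):
    """Escape RFC 2253 special characters so a name cannot alter the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def make_sam(first, last, taken):
    """First initial + surname, lowercase, numbered on collision, max 20 chars."""
    base = (first[:1] + last).lower()[:20]
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = base[:20 - len(str(n))] + str(n)
    taken.add(candidate)
    return candidate


def build_import(roster, ou_dn=OU_DN):
    """Return (rows, csv_text) in the layout csvde -i expects (header first)."""
    rows, taken = [], set()
    for last, first, title, phone, company in roster:
        name = f"{first} {last}"
        rows.append({"DN": f"CN={escape_rdn(name)},{ou_dn}", "objectClass": "user",
                     "name": name, "title": title, "company": company,
                     "telephoneNumber": phone,
                     "userAccountControl": str(UAC_DISABLED_NORMAL),
                     "sAMAccountName": make_sam(first, last, taken)})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return rows, buf.getvalue()
```

Write the returned text to csvde-in.txt and run the csvde import from step 5; the DN escaping matters because an unescaped comma in a name would silently change which container the object is created in.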
3.2 Creating Users and Groups
In this exercise we will create three groups and add members to them. Then we will make the three groups members of a universal group. Because there aren't many groups to work with, we'll use Active Directory Users and Computers.
Estimated Time: 5 minutes
1. Open Active Directory Users and Computers, and navigate to the LanStudents OU.
2. Create a global security group object called AdminStudents. Add the user accounts for those users whose title is Network Administrator to the member list of the group.
3. Create a global security group object called AnalystStudents. Add the user accounts for those users whose title is Systems Analyst to the member list of the group.
4. Create a global security group object called TrainerStudents. Add the user accounts for those users whose title is Trainer to the member list of the group.
5. Create a universal security group object called AllStudents. Add the three group accounts we just created to the member list of the group.
Review Questions
1. Because you can do everything you need to do, in terms of creating and managing accounts, with Active Directory Users and Computers, why is it worthwhile to learn the command-line and automation methods?
2. What are the similarities and differences between csvde and ldifde?
3. What would be the impact of using groups of Universal scope exclusively, rather than using groups of Domain Local, Global, and Universal scope?
4. You are planning to implement Remote Installation Services. How can you ensure that the computer accounts the users create go in the right Organizational Units?
5. You are setting up instructions for help desk analysts, and you're writing a list of items for them to check when users cannot log on. What should go on that list?
6. Your manager has asked you to investigate Terminal Services and report on how you can control the Terminal Services sessions. What do you report?
7. Every month your manager wants you to produce a list of all accounts that have passwords that do not expire and all accounts that are disabled. How will you do this?
8. Explain how to ensure that the order-entry clerks will all see the same desktop environment each time they log on.
Exam Questions
1. You want to create a user account for Joan Myles using a command from the command prompt. The account is to be a member of the Engineers group in the Vancouver container, disabled when created, have Secur1ty as its password, and be placed in the "ou=Users,ou=Vancouver,ou=LTI, dc=Lantrainers,dc=local" container. Which of the following tools or combination of tools can do the job?
   A. Net User followed by dsmove
   B. ldifde followed by dsmod
   C. dsadd
   D. csvde followed by dsmove
   E. dsquery followed by dsmod
2. A manager tells you one of his staff has taken a job in another company. The manager wants to ensure that the user cannot access his computer or his files on the network file server. What is your best course of action?
   A. Delete the user account.
   B. Rename the user account to "Departed User."
   C. Select the Account Is Disabled check box.
   D. Change the value in the Account Expires field.
3. You are planning for resource access in a multidomain forest. Some users from all domains will need access to three continental headquarters domains. What is the recommended strategy for providing access to these resources?
   A. Users -> universal groups -> global groups -> domain local groups -> permissions to resources
   B. Users -> global groups -> universal groups -> domain local groups -> permissions to resources
   C. Users -> domain local groups -> universal groups -> global groups -> permissions to resources
   D. Users -> universal groups -> permissions to resources
4. You need to explain profiles to your management, and you realize that you need to start your presentation with definitions of the three profile types. Choose the three profile types.
   A. Active Directory user profile
   B. Local user profile
   C. Group profile
   D. Group policy user profile
   E. Roaming user profile
   F. Mandatory user profile
5. You are the network administrator for a small company that provides customer service operators for other companies. One of your users calls to complain that the photograph of her grandson that she added to her desktop yesterday wasn't there when she logged on this morning. What is the most likely cause of her problem?
   A. Her user profile is corrupted.
   B. She logged in to a different computer.
   C. She is logged on locally.
   D. She was assigned a mandatory profile.
6. Due to economic circumstances, your company had to lay off 200 people. The Human Resources department has provided you with a list of names in a text file. Which command can be used to delete these user accounts?
   A. dsmod
   B. dsadd delete
   C. csvde
   D. dsrm
7. Your company has recently purchased a small company. The other company runs Unix with an LDAP-compatible directory. Your job is to create user accounts in Active Directory for the employees from this company. What is the best tool to use for this task?
   A. dsadd
   B. ldifde
   C. csvde
   D. dsrm
8. You are the administrator for a small university. As usual for this type of environment, bored students try to hack into the university billing system every night between 10 p.m. and 2 a.m. What two steps can you take to ensure that a dictionary attack will fail, while still allowing your user to log on at 8 a.m.?
   A. Set Account Lockout Threshold to 0.
   B. Set Account Lockout Duration to 60.
   C. Set Account Lockout Duration to 0.
   D. Set Account Lockout Threshold to 3.
9. You are the network administrator for a small company that provides customer service operators for other companies. One of your users calls to complain that she can't see any files in her My Documents folder. She was able to get to them with no problem yesterday. Group Policy is not in use. What is the most likely cause of her problem?
   A. Her user profile is corrupted.
   B. She logged in to a different computer.
   C. She is logged on locally.
   D. She was assigned a mandatory profile.
10. You are the junior administrator for a large engineering firm with several locations. You read in a magazine that the best way to assign resources in a multidomain environment is to assign permissions to a Domain Local group, then add the Global groups to the Domain Local group, and then add the Global groups to a Universal group. However, the server won't let you create a Universal group. What is the most likely problem?
   A. You don't have the proper authority.
   B. The domain functional level is at Windows 2000 mixed.
   C. The domain functional level is at Windows 2000 native.
   D. The domain functional level is not at Windows 2003 native.
11. You are the administrator for a small, family-owned firm. Because of the firm's size and informality, it has been tough to get users to understand the need for security. You want to change the password policy so that the users will be required to change their passwords every 30 days and can't reuse a password more than every 2 years. Which of the following choices will accomplish this?
   A. Set the password history to 730 and the maximum password age to 30.
   B. Set the password history to 365 and the maximum password age to 30.
   C. Set the password history to 25 and the maximum password age to 28.
   D. Set the password history to 24 and the maximum password age to 30.
12. A manager tells you that his administrative assistant has left the company. The manager wants to ensure that her replacement has access to her computer and her files on the network file server. What is your best course of action?
   A. Create a new user account for the replacement and grant the replacement access to the necessary files.
   B. Rename the old user account for the new user.
   C. Create a new user account for the replacement and copy the necessary files to her home directory.
   D. Give the new user the user ID and password of the departed administrative assistant.
Answers to Review Questions
1. Using Active Directory Users and Computers for creating and managing accounts is fine if you're dealing with just a few accounts. But it's time consuming and error prone if you are dealing with dozens or hundreds of accounts. The command-line and automation tools are much more efficient for dealing with large numbers of users. See "Creating and Modifying User Accounts with Command-line Tools."
2. csvde and ldifde can both be used to import or export large numbers of accounts. csvde uses CSV-formatted files for input and output, whereas ldifde uses files in the LDAP Directory Interchange Format (LDIF). Only ldifde can be used to modify or delete existing accounts. See "Importing and Exporting User Accounts."
3. If you used universal groups exclusively, you would lose the structure and manageability of domain local and global groups. Also, you would increase the replication traffic on your network, as the member lists of universal groups are stored in the global catalog. See "Universal Groups."
4. In the properties of Remote Installation Services (accessible on a tab of the properties of the computer running Windows Server 2003 where RIS is installed), create a default naming policy with the desired location defined. See "Creating and Managing Computer Accounts in an Active Directory Environment."
5. Here are the items to check if users cannot log on:
   - Is the account locked out due to too many logon failures?
   - Is the account disabled?
   - If the user is trying to connect via VPN or dial-up, is Remote Access Permission set to Deny Access, or is access controlled through a Remote Access Policy that denies access?
   - Has the account expired?
   See "Troubleshooting Issues Related to User Account Properties."
6. First, a Terminal Services session can be controlled. An administrator can view a user's session and control it if necessary. Second, you can specify a profile and home folder location that are different from the values set up in the user's normal profile. Third, you can configure a program to start automatically at logon and for the session to end when the program is exited. Also, you can control whether drives and printers on the client computer are available from the session.
7. You will define a saved query with the required fields selected. When the report is due, you return to Active Directory Users and Computers, select Saved Queries, and select the query you need.
8. Set up a mandatory user profile by creating a user profile with the desired desktop environment, converting it to a roaming user profile stored on a server, and then renaming the profile to NTUser.man. See "Creating and Enforcing Mandatory User Profiles."
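Both report conditions in review question 7 are single bits of the userAccountControl attribute, so the same check can be scripted instead of run from a saved query. This added example (not from the book) builds the bitwise-AND LDAP filter a saved query or dsquery uses and classifies a constructed column listing of the form that dsquery * -attr sAMAccountName userAccountControl prints; the account names and values are made up.

```python
# Bit values of the userAccountControl attribute that the monthly report needs.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
# OID of the LDAP bitwise-AND matching rule; a filter using it tests one
# userAccountControl bit without depending on the other flags' values.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def uac_filter(flag):
    """LDAP filter for user objects that have the given userAccountControl bit set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={flag}))")


def parse_attr_output(text):
    """Parse whitespace-separated 'sAMAccountName userAccountControl' rows
    (header line first, as dsquery * -attr prints them) into a dict."""
    accounts = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            accounts[parts[0]] = int(parts[1])
    return accounts


def classify(accounts):
    """Return (disabled, never_expires) lists of account names, sorted."""
    disabled = sorted(n for n, uac in accounts.items() if uac & ACCOUNTDISABLE)
    never = sorted(n for n, uac in accounts.items() if uac & DONT_EXPIRE_PASSWORD)
    return disabled, never


# Constructed sample listing, not real dsquery output from any domain.
# 512 = normal; 514 = normal + disabled; 66048 = normal + password never
# expires; 66050 = both flags set.
SAMPLE_OUTPUT = """\
  sAMAccountName  userAccountControl
  bamell          512
  kguyn           514
  svc-backup      66048
  old-admin       66050
"""

if __name__ == "__main__":
    disabled, never = classify(parse_attr_output(SAMPLE_OUTPUT))
    print("Disabled:", disabled)
    print("Password never expires:", never)
    print(uac_filter(DONT_EXPIRE_PASSWORD))
```

Accounts that turn up on the never-expires list month after month (typically service accounts) are the ones worth a second look, since they fall outside the rotation the password policy enforces.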
Answers to Exam Questions
1. B, C. ldifde (with the appropriate data file as input) followed by dsmod (to change the password) does the job, as does dsadd by itself. Net User cannot create a group membership. csvde cannot create group memberships, and dsmove is unnecessary because csvde can create the user account in any container. dsquery cannot create a user account.
2. C. It is best to disable the account immediately and then reset the password and enable the account again when someone is ready to review the files held by the account. Deleting the user account makes the review of files very difficult. Renaming the account without changing the logon name or password does not stop the user from accessing the account. Changing the value in the Account Expires field would work, but it is inappropriate to the situation and hence would confuse other administrators.
3. B. This is the recommended method for providing access to resources through group membership.
4. B, E, F. These are the profile types.
5. D. Although all the other choices are possibilities, in a customer service environment, it's most likely that mandatory profiles are in use. A mandatory profile allows you to make changes; however, those changes are not saved when you log off.
6. D. The dsrm command can be used to delete Active Directory objects, using a text file as input. The csvde command can only be used to import or export accounts, the dsmod command can be used only to change the properties of accounts, and the dsadd command doesn't have a delete option.
7. B. ldifde is the best tool to use for this task. It allows you to extract the user list from the LDAP-compatible directory on the Unix server. Next, it allows you to change the distinguished name in the exported file to match your AD structure. Then it imports the new users into AD.
8. B, D. Setting the lockout threshold to 3 locks the account after three failed attempts to log on. Setting the lockout duration to 60 reenables the account after 60 minutes. Setting the lockout threshold to 0 allows an indefinite number of logon attempts, definitely not what you want. Setting the lockout duration to 0 will keep the account locked until the administrator manually reenables it.
9. B. The most likely problem is that she logged on to a different computer, and roaming profiles are not in use.
10. B. Universal groups are available only at the Windows 2000 native and Windows Server 2003 functional levels. The Windows 2000 mixed and Windows Server 2003 interim levels are used to support Windows NT 4.0 domain controllers, so Global group nesting and Universal groups cannot be used.
11. D. With the maximum age set to 30 days, users are prompted to change their passwords every 30 days. The history setting will retain 24 passwords, approximately 2 years' worth.
12. B. The easiest way to give the new user the proper access is to just rename the old account with the new user's name because they will be performing the same duties and need access to the same files.
Suggested Readings and Resources
- For information about LDAP, see RFCs 2251 through 2256. For information on LDIF, see RFC 2849.
- Windows Server 2003 Deployment Guide (not yet published). Microsoft Corporation.
- Windows Server 2003 Resource Kit (not yet published). Microsoft Corporation.
- Boswell, William. Inside Windows Server 2003. New Riders, 2003. ISBN 0735711585.
- Matthews, Marty. Windows Server 2003: A Beginner's Guide. McGraw-Hill, 2003. ISBN 0072193093.
- Minasi, Mark, et al. Mark Minasi's Windows XP and Server 2003 Resource Kit. Sybex, 2003. ISBN 0782140807.
- Minasi, Mark, et al. Mastering Windows Server 2003. Sybex, 2003. ISBN 0782141307.
- Shapiro, Jeffrey, et al. Windows Server 2003 Bible. John Wiley & Sons, 2003. ISBN 0764549375.