OFFICIAL MICROSOFT LEARNING PRODUCT

6425C
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveX, Convergence, Excel, Forefront, Hyper-V,
Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, Segoe, SharePoint, SQL Server, Visio,
Visual Basic, Visual Studio, Windows, Windows Live, Windows Mobile, Windows NT, Windows
PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.




Product Number: 6425C
Part Number:
Released:



MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.

i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2010 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks, do not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use
of this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may
benefit from additional rights under local consumer protection law, which this agreement cannot
change. Where permitted by local law, the implied warranties of merchantability, fitness for a
particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and
its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any
compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change the rights granted to you by the laws of your
country if those laws do not permit it to do so.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a student preparing
for a career in IT.

Microsoft Certified Trainers and Instructors: Your instructor is a technical and instructional
expert who meets ongoing certification requirements. And, if instructors are delivering training
at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the
year by students and by Microsoft.

Certification Exam Benefits: After training, consider taking a Microsoft Certification exam.
Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate
you when finding a job or boosting your career. In fact, independent research by IDC concluded
that 75% of managers believe certifications are important to team performance [1]. Ask your
instructor about Microsoft Certification exam promotions and discounts that may be available
to you.

Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer a
satisfaction guarantee and we hold them accountable for it. At the end of class, please complete
an evaluation of today's experience. We value your feedback!
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning
[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006

BETA COURSEWARE EXPIRES 4/18/2011
x Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their contribution
towards developing this title. Their effort at various stages in the development has ensured that
you have a good classroom experience.

Damir Dizdarevic, Subject Matter Expert
Damir Dizdarevic, an MCT, MCSE, MCTS, and MCITP, is a manager of the Learning Center at
Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir specializes in Windows Server and
Exchange Server. He has worked as a subject matter expert and technical reviewer on several
Microsoft Official Curriculum (MOC) courses, and has published more than 350 articles in various
Information Technology (IT) magazines, including Windows ITPro. Additionally, he is a Microsoft
Most Valuable Professional for Windows Server Infrastructure Management.

Conan Kezema, Subject Matter Expert
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and
author who specializes in Microsoft technologies. As an associate of S.R. Technical Services, Conan
has been a subject matter expert, instructional designer, and author on numerous Microsoft
courseware development projects.

Nelson Ruest, Technical Reviewer
Nelson Ruest is an IT expert focused on virtualization, continuous service availability and
infrastructure optimization. As an enterprise architect, he has designed and implemented Active
Directory structures that manage over one million users. He is the co-author of multiple books,
including Virtualization: A Beginner's Guide for McGraw-Hill Osborne, MCTS Self-Paced Training Kit
(Exam 70-652): Configuring Windows Server Virtualization with Hyper-V, and the best-selling MCTS
Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory for
Microsoft Press.


Contents
Module 1: Introducing Active Directory Domain Services (AD DS)
Lesson 1: Overview of Active Directory, Identity, and Access 1-4
Lesson 2: Active Directory Components and Concepts 1-21
Lesson 3: Install Active Directory Domain Services 1-46
Lab: Install an AD DS DC to Create a Single Domain Forest 1-56

Module 2: Administering Active Directory Securely and Efficiently
Lesson 1: Work with Active Directory Administration Tools 2-4
Lesson 2: Custom Consoles and Least Privilege 2-14
Lab A: Administering Active Directory Using Administrative Tools 2-25
Lesson 3: Find Objects in Active Directory 2-36
Lab B: Find Objects in Active Directory 2-53
Lesson 4: Use Windows PowerShell to Administer Active Directory 2-62
Lab C: Use Windows PowerShell to Administer Active Directory 2-81
Module 3: Managing Users
Lesson 1: Create and Administer User Accounts 3-4
Lab A: Create and Administer User Accounts 3-29
Lesson 2: Configure User Object Attributes 3-35
Lab B: Configure User Object Attributes 3-51
Lesson 3: Automate User Account Creation 3-61
Lab C: Automate User Account Creation 3-70
Lesson 4: Create and Configure Managed Service Accounts 3-61
Lab D: Create and Configure Managed Service Accounts 3-70
Module 4: Managing Groups
Lesson 1: Overview of Groups 4-4
Lesson 2: Administer Groups 4-45
Lab A: Administer Groups 4-66
Lesson 3: Best Practices for Group Management 4-74
Lab B: Best Practices for Group Management 4-88
Module 5: Managing Computer Accounts
Lesson 1: Create Computers and Join the Domain 5-4
Lab A: Create Computers and Join the Domain 5-34
Lesson 2: Administer Computer Objects and Accounts 5-42
Lab B: Administer Computer Objects and Accounts 5-62
Lesson 3: Offline Domain Join 5-71
Lab C: Offline Domain Join 5-78
Module 6: Implementing a Group Policy Infrastructure
Lesson 1: Understand Group Policy 6-4
Lesson 2: Implement Group Policy Objects 6-21
Lab A: Implement Group Policy 6-38
Lesson 3: A Deeper Look at Settings and GPOs 6-42
Lab B: Manage Settings and GPOs 6-64
Lesson 4: Group Policy Preferences 6-71
Lab C: Manage Group Policy Preferences 6-79
Lesson 5: Manage Group Policy Scope 6-85
Lab D: Manage Group Policy Scope 6-111
Lesson 6: Group Policy Processing 6-120
Lesson 7: Troubleshoot Policy Application 6-131
Lab E: Troubleshoot Policy Application 6-145
Module 7: Managing Enterprise Security and Configuration with Group Policy
Settings
Lesson 1: Delegate the Support of Computers 7-4
Lab A: Delegate the Support of Computers 7-16
Lesson 2: Manage Security Settings 7-20
Lab B: Manage Security Settings 7-48
Lesson 3: Manage Software with GPSI 7-61
Lab C: Manage Software with GPSI 7-80
Lesson 4: Auditing 7-88
Lab D: Audit File System Access 7-101
Lesson 5: Software Restriction Policy and AppLocker 7-107
Lab E: Configure Application Control Policies 7-121
Module 8: Securing Administration
Lesson 1: Delegate Administrative Permissions 8-4
Lab A: Delegate Administration 8-25
Lesson 2: Audit Active Directory Changes 8-33
Lab B: Audit Active Directory Changes 8-39
Module 9: Improving the Security of Authentication in an AD DS Domain
Lesson 1: Configure Password and Lockout Policies 9-4
Lab A: Configure Password and Account Lockout Policies 9-24
Lesson 2: Audit Authentication 9-30
Lab B: Audit Authentication 9-39
Lesson 3: Configure Read-Only Domain Controllers 9-43
Lab C: Configure Read-Only Domain Controllers 9-63
Module 10: Configuring Domain Name System
Lesson 1: Review of DNS Concepts, Components, and Processes 10-4
Lesson 2: Install and Configure DNS Server in an AD DS Domain 10-25
Lab A: Install the DNS Service 10-38
Lesson 3: AD DS, DNS, and Windows 10-43
Lesson 4: Advanced DNS Configuration and Administration 10-68
Lab B: Advanced Configuration of DNS 10-81
Module 11: Administering AD DS Domain Controllers
Lesson 1: Domain Controller Installation Options 11-4
Lab A: Install Domain Controllers 11-31
Lesson 2: Install a Server Core Domain Controller 11-39
Lab B: Install a Server Core Domain Controller 11-47
Lesson 3: Manage Operations Masters 11-52
Lab C: Transfer Operations Master Roles 11-71
Lesson 4: Configure DFS-R Replication of SYSVOL 11-76
Lab D: Configure DFS-R Replication of SYSVOL 11-84
Module 12: Managing Sites and Active Directory Replication
Lesson 1: Configure Sites and Subnets 12-4
Lab A: Configure Sites and Subnets 12-22
Lesson 2: Configure the Global Catalog and Application Partitions 12-26
Lab B: Configure the Global Catalog and Application Partitions 12-41
Lesson 3: Configure Replication 12-46
Lab C: Configure Replication 12-73
Module 13: Directory Service Continuity
Lesson 1: Monitor Active Directory 13-4
Lab A: Monitor Active Directory Events and Performance 13-35
Lesson 2: Manage the Active Directory Database 13-51
Lab B: Manage the Active Directory Database 13-64
Lesson 3: Active Directory Recycle Bin 13-77
Lab C: Using Active Directory Recycle Bin 13-81
Lesson 4: Back Up and Restore AD DS and Domain Controllers 13-84
Lab D: Back Up and Restore Active Directory 13-97
Module 14: Managing Multiple Domains and Forests
Lesson 1: Configure Domain and Forest Functional Levels 14-3
Lesson 2: Manage Multiple Domains and Trust Relationships 14-15
Lab: Administer a Trust Relationship 14-54
Lesson 3: Move Objects Between Domains and Forests 14-60

Lab Answer Keys




About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
The purpose of this 5-day course is to teach Active Directory Technology
Specialists how to configure Active Directory Domain Services (AD DS) in a
distributed environment, implement Group Policy, perform backup and restore,
and monitor and troubleshoot Active Directory-related issues. After completing
this course, students will be able to implement and configure Active Directory
Domain Services in their enterprise environment.
Audience
The primary audience for this course includes Active Directory Technology
Specialists, Server Administrators, and Enterprise Administrators who want to
learn how to implement Active Directory in a distributed environment; secure
domains using Group Policy; perform backup and restore; and monitor and
troubleshoot Active Directory configuration to ensure trouble-free operation.
Student Prerequisites
This course requires that you meet the following prerequisites:
Basic understanding of networking. You should understand how TCP/IP
functions and have a basic understanding of addressing, name resolution
(Domain Name System [DNS]/Windows Internet Name Service [WINS]),
connection methods (wired, wireless, virtual private network [VPN]), and
NET+ or equivalent knowledge.
Intermediate understanding of network operating systems. You should
have an intermediate understanding of operating systems such as Windows
2000, Windows XP, or Windows Server 2003. An understanding of the
Windows Vista operating system client is nice to have.
An awareness of security best practices. You should understand file system
permissions, authentication methods, workstation and server hardening
methods, and so forth.
Basic knowledge of server hardware. You should have an A+ or equivalent
knowledge.
Some experience creating objects in Active Directory.
Basic concepts of backup and recovery in a Windows Server
environment. You should have basic knowledge of backup types, backup
methods, backup topologies, and so forth.

Course Objectives
After completing this course, students will be able to:
Describe the features and functionality of Active Directory Domain Services.
Perform secure and efficient administration of Active Directory.
Manage users and service accounts.
Manage groups.
Manage computer accounts.
Implement a Group Policy infrastructure.
Manage enterprise security and configuration by using Group Policy settings.
Secure administration.
Improve the security of authentication in an AD DS Domain.
Configure Domain Name System.
Administer AD DS domain controllers.
Manage sites and Active Directory.
Monitor, maintain, and back up directory Service to ensure continuity.
Manage multiple domains and forests.
Course Outline
This section provides an outline of the course:
Module 1: This module explains how to install and configure Active Directory
Domain Services and install and configure a read-only domain controller.
Module 2: This module explains how to work securely and efficiently in Active
Directory.
Module 3: This module explains how to manage and support user accounts in
Active Directory.
Module 4: This module explains how to create, modify, delete, and support group
objects in Active Directory.
Module 5: This module explains how to create and configure computer accounts.
Module 6: This module explains what Group Policy is, how it works, and how best
to implement Group Policy in your organization.
Module 7: This module explains how to manage security and software installation
and how to audit files and folders.
Module 8: This module explains how to administer Active Directory Domain
Services securely.
Module 9: This module explains the domain-side components of authentication,
including the policies that specify password requirements and the auditing of
authentication-related activities.
Module 10: This module explains how to implement DNS to support name
resolution both within your AD DS domain and outside your domain and your
intranet.
Module 11: This module explains how to administer domain controllers in a
forest.
Module 12: This module explains how to create a distributed directory service that
supports domain controllers in portions of your network that are separated by
expensive, slow, or unreliable links.
Module 13: This module explains the technologies and tools that are
available to help ensure the health and longevity of the directory service. You will
explore tools that help you monitor performance in real time, and you will learn to
log performance over time so that you can keep an eye on performance trends in
order to spot potential problems.
Module 14: This module explains how to raise the domain and forest functional
levels within your environment, how to design the optimal AD DS infrastructure
for your enterprise, how to migrate objects between domains and forests, and how
to enable authentication and resource access across multiple domains and forests.
Course Materials
The following materials are included with your kit:
Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course Companion CD.
Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic page, full lab exercises and
answer keys, and topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.
Note: To access the full course content, insert the Course Companion CD into the CD-ROM
drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Hyper-V deployed on Windows Server 2008 to perform
the labs.
The following table shows the role of each virtual machine that this course uses:
Virtual machine      Role
6425C-NYC-DC1        Windows Server 2008 DC in Contoso domain
6425C-NYC-DC2        Windows Server 2008 DC in Contoso domain
6425C-NYC-CL1        Windows 7 client in Contoso domain
6425C-NYC-CL2        Windows 7 client in Contoso domain
6425C-BRANCHDC01     Windows Server 2008 workgroup member
6425C-BRANCHDC02     Windows Server 2008 Server Core DC in Contoso domain
6425C-NYC-SVR1       Windows Server 2008 workgroup member
6425C-NYC-SVR2       Windows Server 2008 workgroup member
6425C-NYC-SVR-D      Windows Server 2008 workgroup member
6425C-TST-DC1        Windows Server 2008 DC in Tailspintoys domain

Software Configuration
The following software is installed on the virtual machines:
Windows Server 2008 R2 Enterprise
Windows 7 Enterprise

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way. To log on to a virtual machine as a different user while performing the
labs in this course, perform the following steps.
Run an application with administrative credentials.
1. Right-click the application, and then click Run as administrator.
A User Account Control (UAC) dialog box appears.
2. The User Account Control dialog box will display one of three options. Do
the steps based on the option you see:
If the User Account Control dialog box prompts you to continue or cancel:
Click Continue.
If the User Account Control dialog box gives you the option to Use another
account:
1. Click Use another account.
2. In the User Name box, type the user name.
3. In the Password box, type the password.
4. Press Enter or click OK.
If the User Account Control dialog box does not give you the option to use
another account, and prompts you for a user name and password:
1. In the User Name box, type the user name.
2. In the Password box, type the password.
3. Press Enter or click OK.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware are taught.
Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V)
processor
Dual 120 GB hard disks, 7200 RPM SATA or better*
4 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped
Module 1
Introducing Active Directory Domain Services
Contents:
Lesson 1: Overview of Active Directory, Identity, and Access 1-4
Lesson 2: Active Directory Components and Concepts 1-21
Lesson 3: Install Active Directory Domain Services 1-46
Lab: Install an AD DS DC to Create a Single Domain Forest 1-56
Module Overview
Active Directory and its related services form the foundation for enterprise
networks running Windows as they store information on user identity,
computers, and services; authenticate a user or a computer; and provide a
mechanism for the user or the computer to access resources from the enterprise. In
this module, you will explore Windows Server 2008 R2 Active Directory by
installing the Active Directory Domain Services role and creating a domain
controller in a new Active Directory forest. You will find that Windows Server 2008
R2 continues the evolution of Active Directory by enhancing many of the concepts
and features with which you are already familiar.
This module focuses on the creation of a new Active Directory forest with a single
domain in a single DC. The lab in this module will guide you through the creation
of a domain named contoso.com that you will use for all other labs in this course. In
later modules, you will learn to implement AD DS in other scenarios, including
multidomain forests, upgrades of existing forests to Windows Server 2008 R2, and
advanced installation options.
Most importantly, this module sets the stage for the entire course by presenting a
big-picture view of Active Directory. You will review key concepts of
authentication, authorization, and directory services, and you will take a high-level
look at the major components of Active Directory and how they fit together.
Whether you are highly experienced with Active Directory or new to the platform,
this module will help you understand where you are heading in this course.
Objectives
After completing this module, you will be able to:
Describe the functionality of AD DS in an enterprise in relation to identity and
access.
Describe the major components of AD DS.
Install AD DS and configure a server as a domain controller.
Lesson 1
Overview of Active Directory, Identity, and Access
AD DS provides the functionality of an identity and access (IDA) solution for
enterprise networks. The lesson reviews key concepts of IDA and Active Directory.
Objectives
After completing this lesson, you will be able to:
Explain authentication and authorization concepts, terminologies, processes,
and technologies.
Position the strategic role of a directory service in an enterprise in relation to
identity and access.

Information Protection
Key Points
If you boil it all down, the job of an information technology professional (IT pro) is
to connect users with the information they require to get their jobs done. That
would be pretty easy, if we didn't have to worry about a little thing called "security."
Because users require different levels of access to different classes of information,
we need to associate the correct users with the correct levels of access: information
protection.
The industry defines several approaches to achieving information protection. Each
of these "alphabet soup" frameworks is simply a different perspective on the same
problem:
Identity and Access (IDA). Users and other security principals, which may
include computers, services, and groups, are named as identities (also called
"accounts") that are given access (permissions) to information, resources, or
systems.
Authentication, Authorization, and Accounting (AAA). Users provide a user
name and password that are authenticated when their credentials are
validated. Users are given permissions to resources (access control) that are
used to authorize access requests. Access is monitored, providing accounting
and auditing. In some documentation, auditing is split out as a separate "A"
from accounting, leading to the acronym "AAAA."
Confidentiality, Integrity, and Availability (CIA). Information is protected to
ensure that it is not disclosed to unauthorized individuals (confidentiality), is
not modified incorrectly (integrity) intentionally or accidentally, and is
available when needed (availability).
Identity and Access
Key Points
At the core of information protection are two critical concepts: identity and access.
Let's spend a few minutes reviewing the fundamentals, components, processes,
and technologies involved with identity and access on Windows systems. Although
most of this information should be familiar to you, it is important to set the stage
for the role of Active Directory and to clarify the terminology, components, and
processes associated with IDA.
In a secured system, each user is represented by an identity. In Windows systems,
the identity is the user account. The accounts for one or more users are maintained
in an identity store, which is also known as a directory database. An identity is
called a security principal in Windows systems. Security principals are uniquely
identified by an attribute called the security identifier (SID).
On the other end of the system is the resource to which the user requires access.
The resource is secured with permissions, and each permission specifies a pairing
of a specific level of access with an identity. Many Windows resources, including
significant files and folders on NTFS volumes, are secured by a security descriptor
that contains a discretionary access control list (DACL) in which each permission
takes the form of an access control entry (ACE).
Authentication and Authorization
Key Points
There are a few concepts and processes that you must understand about users and
resource access. When a user tries to access a resource on a local or a remote
system, several procedures are initiated. As discussed earlier, it's all about mapping
a user SID to the appropriate ACE on a resource.
The next four slides will detail this process.
Authentication
Key Points
Authentication is the process of verifying a user's identity. The user provides
credentials that contain at least two components: a logon name and a secret known
only to the user and the system, such as a password. The system validates the
accuracy of the credentials against those stored as part of the identity.
There are two types of authentication: local and remote. Local, or interactive, logon
occurs when a user logs on to a computer directly, such as when you log on to
your laptop in the morning. Remote, or network, logon occurs when you connect
to another computer, such as a file server or mail server, to get files or other types of
resources.
Access Tokens
Key Points
After user authentication, the Local Security Authority (LSA) generates a security
access token (also called a security token or an access token) that represents the user
to the system by collecting the user's SID and the SIDs of all groups to which the
user belongs. The access token also represents privileges (also called user rights)
held by the user on the system, such as the right to shut down the system or to log
on to the system interactively (locally).
It is important to remember that the access token is generated and held locally on
the computer that authenticated the user. When a user logs on to his or her
desktop (local or interactive logon), the desktop creates a security token and, if the
user has the right to log on to the system interactively, proceeds to invoke the
Windows Explorer process, which creates the desktop.
When the user connects to a server to access a shared file (remote or network
logon), the server authenticates the user and generates an access token on the
server that represents the user with the user's SID and the SIDs of all groups to
which that user belongs. The access token on the server is distinct from the access
token on the user's desktop. An access token is never transmitted over the
network, and the LSA of a Windows system would never accept the access token
generated by another LSA.
Of course, this should be the case because a user probably belongs to different
local groups on the server than on the user's desktop, and almost certainly holds
different privileges (user rights) on the server than on the desktop.

Security Descriptors, ACLs, and ACEs
Key Points
The security descriptor of a secured resource, such as a file or folder on an NTFS
volume, fully describes the security characteristics of the resource. The security
descriptor contains the DACL, which contains ACEs or "permissions." Each
permission is made up of a flag that indicates whether the ACE is an Allow or Deny
ACE; a trustee (the SID of a user or a group); and an access mask specifying a level
of access. Therefore, the ACE defines who (the trustee represented by the SID) can
or can't do what (represented by the access mask).
The security descriptor also contains the system access control list (SACL), which
holds the auditing settings, and attributes such as the object's owner. Because the
DACL is the focus of most day-to-day security management activities for a resource,
the name and acronym is often shortened. Therefore, the shortened access control
list (ACL), while technically inaccurate, is used by many administrators and much
documentation (including this course) to refer to the DACL.
Authorization
Key Points
Authorization is the process that determines whether to grant or deny a user a
requested level of access to a resource. An access request that indicates the
resource, the level of access, and the security token representing the user is made.
Then, the security subsystem examines the ACL of the resource, comparing the
SIDs in the ACEs with the SIDs in the security token. The first ACE that matches
both a SID in the token and the desired type of access determines whether the user
is allowed (if the ACE is an Allow ACE) or denied (if the ACE is a Deny ACE)
access to the resource. If no match is found, access is denied.
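The access token, security descriptor, and authorization topics above describe one mechanism. The following Python model is an added example, not code from this course or from Windows: it builds tokens and DACLs as plain objects and implements the ordered DACL walk in full, including cases the lesson text leaves out (an Allow ACE that grants only part of a request, a NULL DACL versus an empty DACL, and a non-canonical DACL in which an Allow precedes a Deny). The access-mask bit values and the S-1-5-21-... SIDs are constructed for illustration; only S-1-1-0 (Everyone) and S-1-5-32-544 (BUILTIN\Administrators) are real well-known SIDs.

```python
"""Toy model of the Windows access check this lesson describes.

Added example, not course code: access tokens, security descriptors, DACLs
and ACEs are plain Python objects, and access_check() walks the DACL the way
the Windows security reference monitor does. Mask bits and the S-1-5-21-...
SIDs are constructed; only Everyone and Administrators are real SIDs.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed access-mask bits (not the real FILE_* constants).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

EVERYONE = "S-1-1-0"                         # real well-known SID
ADMINS = "S-1-5-32-544"                      # real well-known SID
FINANCE = "S-1-5-21-1111-2222-3333-1105"     # constructed domain group SID


@dataclass(frozen=True)
class ACE:
    """Access control entry: Allow/Deny flag, trustee SID, access mask."""
    allow: bool
    trustee: str
    mask: int


@dataclass
class SecurityDescriptor:
    """Owner SID plus DACL. dacl=None models a NULL DACL (no protection at
    all); dacl=[] models an empty DACL (nobody gets access)."""
    owner: str
    dacl: Optional[List[ACE]]


@dataclass(frozen=True)
class AccessToken:
    """What the LSA builds at logon: the user SID plus the SIDs of every group
    the user belongs to on this machine. It is never sent over the network."""
    user_sid: str
    group_sids: FrozenSet[str]

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: AccessToken, sd: SecurityDescriptor, requested: int) -> bool:
    """Ordered DACL walk, generalising the lesson's 'first matching ACE decides':
    Allow ACEs accumulate rights until every requested bit is granted; a Deny ACE
    covering a still-ungranted requested bit denies at once; running out of ACEs
    denies (default deny). Owner-implied rights and generic mapping are omitted."""
    if sd.dacl is None:            # NULL DACL: everyone gets everything
        return True
    remaining = requested
    if remaining == 0:
        return False
    for ace in sd.dacl:
        if not token.holds(ace.trustee):
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: Alice is in Everyone and Finance, Bob only in
    Everyone, and the built-in Administrator holds the Administrators SID."""
    alice = AccessToken("S-1-5-21-1111-2222-3333-1001", frozenset({EVERYONE, FINANCE}))
    bob = AccessToken("S-1-5-21-1111-2222-3333-1002", frozenset({EVERYONE}))
    admin = AccessToken("S-1-5-21-1111-2222-3333-500", frozenset({EVERYONE, ADMINS}))
    folder = SecurityDescriptor(owner=ADMINS, dacl=[
        ACE(False, bob.user_sid, FULL),      # explicit Deny first (canonical order)
        ACE(True, ADMINS, FULL),
        ACE(True, FINANCE, READ | WRITE),
        ACE(True, EVERYONE, READ),
    ])
    # Non-canonical DACL: the Allow for Everyone precedes Bob's Deny, so the
    # walk is satisfied before the Deny is ever reached.
    misordered = SecurityDescriptor(owner=ADMINS, dacl=[
        ACE(True, EVERYONE, READ),
        ACE(False, bob.user_sid, FULL),
    ])
    return {
        "alice_read_write": access_check(alice, folder, READ | WRITE),
        "alice_delete": access_check(alice, folder, DELETE),
        "bob_read": access_check(bob, folder, READ),    # Deny beats Everyone:Read
        "admin_full": access_check(admin, folder, FULL),
        "bob_read_misordered": access_check(bob, misordered, READ),
        "null_dacl": access_check(bob, SecurityDescriptor(ADMINS, None), FULL),
        "empty_dacl": access_check(admin, SecurityDescriptor(ADMINS, []), READ),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:22s} {'ALLOW' if granted else 'DENY'}")
```

The misordered case is the practical caveat behind the lesson's rule: "first matching ACE decides" is only safe because Windows keeps DACLs in canonical order (explicit Deny before explicit Allow). A DACL written by a tool that ignores canonical order can let an Allow for Everyone shadow an explicit Deny, and a NULL DACL, unlike an empty one, protects nothing.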
Stand-Alone (Workgroup) Authentication
Key Points
In a stand-alone configuration of Windows systems, also called a workgroup, each
computer maintains one and only one trusted identity store: a local list of users
and groups stored in the registry called the Security Accounts Manager (SAM)
database. Unlike authentication in a domain, which is centralized, in a workgroup
there is a distributed authentication system because each computer has its own
SAM.
Because Windows systems are secure, a user cannot even log on to a computer
without a user account. The user must present credentials that are validated
against the identities in the SAM. After a user has been authenticated and
authorized for local logon, the Windows Explorer process is launched, which
generates the familiar Windows desktop.
If the user wishes to access a shared folder on a server, there is an immediate
problem: the server does not trust an identity presented to it, because the identity
has been authenticated by an unknown and untrusted system. The server trusts
only its own identity store: its own SAM. Therefore, for the user to remotely log on
to the server, the server must have an identity (user account) for the user in its
SAM. If the logon name and password for the identity are identical to the
credentials of the identity on the workstation, the authentication process that
occurs is transparent to the user. This type of authentication is called pass-through
authentication. If, however, the logon names or passwords do not match, the user
will be prompted to enter credentials that are valid for the server when the user
attempts to connect to a shared resource.
The ACL on a secured resource on the server cannot contain permissions that refer
to untrusted identities. Therefore, all users who require access to the resource must
have accounts on the server.
This presents obvious management challenges. If the user changes his or her
password on the desktop, the two accounts are no longer in sync, and the user will
be prompted for credentials when connecting to the server. The problem only gets
worse as you add more users, resources, and Windows systems to the
environment. The management challenges of maintaining multiple identities for
each user become quickly untenable.

Active Directory Domains: Trusted Identity Store
Key Points
The management and security challenges of a workgroup are solved by
centralizing the identity store so that there is only one identity (user account)
required for any one user: an identity store that is trusted by all computers. This
unit of trusted identity is created by the introduction of an Active Directory domain
and forest infrastructure.
An Active Directory domain provides a centralized identity store trusted by all
domain members: all computers that have accounts in the domain. A domain also
provides a centralized authentication service. Both the identity store (the Active
Directory database) and the authentication service, along with a number of other
components and services, are hosted on a server performing the role of a domain
controller.
Active Directory, Identity, and Access
Key Points
As mentioned in the introductions to the module and this lesson, Active Directory
provides the IDA solution for enterprise networks running Windows. IDA is
necessary to maintain the security of enterprise resources such as files, email,
applications, and databases.
An IDA infrastructure should do the following:
Store information about users, groups, computers and other identities. An
identity is, as you've learned, a representation of an entity that will perform
actions on the enterprise network. For example, a user will open documents
from a shared folder on a server. You know that the document will be secured
with permissions on an ACL. Access to the document is managed by the
security subsystem of the server, which compares the identity of the user with
the identities on ACL to determine whether the user's request for access will be
granted or denied. Computers, groups, services, and other objects also
perform actions on the network; they must be represented by identities.
Among the information stored about an identity are properties that uniquely
identify the object, such as a user name or an SID, and the password for the
identity. The identity store is therefore one component of an IDA
infrastructure. The Active Directory data store, also known as the directory, is
an identity store. The directory itself is hosted on and managed by a domain
controller, a server performing the AD DS role.
Authenticate an identity. The server will not grant access to the user unless the
server verifies that the identity presented in the access request is valid. To
validate the identity, the user provides secrets known only to the user and the
IDA infrastructure. Those secrets are compared with the information in the
identity store in a process called authentication.
In an Active Directory domain, a protocol called Kerberos is used to
authenticate identities. When a user or a computer logs on to the domain,
Kerberos authenticates the credentials and issues an information package
called a ticket granting ticket (TGT). Before the user connects to the server to
request the document, a Kerberos request is sent to a domain controller along
with the TGT that serves to identify the authenticated user. The domain
controller issues the user another information package called a service ticket
that identifies the authenticated user to the server. The user presents the
service ticket to the server, which accepts the service ticket as proof that the
user has been authenticated.
These Kerberos transactions result in a single network logon or single sign-on.
After the user or computer has initially logged on and has been granted a TGT,
the user is authenticated within the entire domain and can be granted service
tickets that identify the user to any service. All of this ticket activity is managed
by the Kerberos clients and services built into Windows, and is transparent to
the user.
Control access. The IDA infrastructure is responsible for protecting
confidential information such as the information stored in the document.
Access to confidential information must be managed according to the
enterprise policies. The ACL on the document reflects a security policy that
contains permissions that specify access levels for particular identities. The
security subsystem of the server in this example is performing the access
control functionality in the IDA infrastructure.
Provide an audit trail. An enterprise may want to monitor changes to and
activities within the IDA infrastructure, so it must provide a mechanism to
manage auditing.
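The ticket exchange described above can be watched from any domain-joined Windows 7 or Windows Server 2008 R2 client with the built-in klist.exe. The following is an added example, not code from the course; it assumes you are logged on with a domain account and that NYC-DC1.contoso.com (the course's demonstration domain controller) hosts a file service, so that the SPN cifs/NYC-DC1.contoso.com exists. Any other registered SPN in your domain works the same way.

```powershell
# Added example (not from the course): observe the Kerberos TGT / service
# ticket flow from a client by using klist.exe only.
# Assumption: cifs/NYC-DC1.contoso.com is a registered SPN in your domain.
$Spn = 'cifs/NYC-DC1.contoso.com'

function Get-KerberosTicket {
    # Parse the 'klist' listing into one object per cached ticket.
    $tickets = @()
    $current = $null
    foreach ($line in (& klist.exe 2>&1)) {
        if ($line -match '^#\d+>\s+Client:\s+(?<client>.+)$') {
            if ($current) { $tickets += $current }
            $current = New-Object PSObject -Property @{
                Client = $Matches.client.Trim(); Server = $null; Realm = $null; Flags = $null
            }
        }
        elseif ($current -and $line -match '^\s+Server:\s+(?<server>.+?)\s*@\s*(?<realm>\S+)') {
            $current.Server = $Matches.server
            $current.Realm  = $Matches.realm
        }
        elseif ($current -and $line -match '^\s+Ticket Flags\s+(?<flags>0x[0-9A-Fa-f]+)') {
            $current.Flags = $Matches.flags
        }
    }
    if ($current) { $tickets += $current }
    return $tickets
}

function Show-KerberosFlow {
    param([string]$ServicePrincipalName = $Spn)

    # 1. Empty the ticket cache of this logon session so every step is visible.
    & klist.exe purge | Out-Null
    $before = @(Get-KerberosTicket)
    Write-Host ("After purge: {0} cached ticket(s)" -f $before.Count)

    # 2. Ask for a service ticket. With no TGT cached, the Kerberos client first
    #    runs the AS exchange with a domain controller (credentials -> TGT), then
    #    the TGS exchange (TGT -> service ticket): the two steps in the text.
    & klist.exe get $ServicePrincipalName | Out-Null

    # 3. The cache now holds a krbtgt/REALM entry (the TGT) and one entry for the
    #    service. No password prompt occurred at either step: single sign-on.
    $after = @(Get-KerberosTicket)
    $tgt = $after | Where-Object { $_.Server -like 'krbtgt/*' }
    $svc = $after | Where-Object { $_.Server -eq $ServicePrincipalName }

    if (-not $tgt) { throw 'No TGT in the cache: the AS exchange with a domain controller failed.' }
    if (-not $svc) { throw "No service ticket for $ServicePrincipalName: check that the SPN is registered." }

    $after | Format-Table Client, Server, Realm, Flags -AutoSize
}

Show-KerberosFlow
```

If the second check fails, the client obtained a TGT but the domain controller could not find an account holding that SPN; that is the most common reason a service falls back to NTLM rather than Kerberos.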



Active Directory IDA Services
Key Points
AD DS is the most prominent component of an IDA infrastructure, but it is not the only component of IDA that is supported by Windows Server 2008 R2. With the release of Windows Server 2008, Microsoft consolidated a number of previously separate components into an integrated IDA platform. These services are:
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)
Each of these services plays a role in extending IDA to support more complex configurations and scenarios.
AD LDS
AD LDS is essentially a stand-alone version of Active Directory that applications
access by using Lightweight Directory Access Protocol (LDAP).
AD LDS is the replacement for Active Directory Application Mode (ADAM). The
name of the previous version of the tool indicates its purpose: AD LDS is designed
to provide support for directory-enabled applications. It can be used for
applications that require a directory store, but do not require the type of
infrastructure provided by an Active Directory domain.
Each instance of AD LDS can have its own schema, configuration, and application
partitions. This allows you to create a highly customized directory store without
affecting your production IDA infrastructure, based on AD DS. Although AD LDS is
not dependent on AD DS, in a domain environment, AD LDS can use AD DS
authentication of Windows security principals, such as users, computers, and
groups.
AD LDS can be configured in a domain or non-domain environment, and it is even
possible to run multiple instances on a single system, each with its own unique
LDAP and Secure Sockets Layer (SSL) ports to ensure secure connection with each
instance.
AD CS
AD CS extends the concept of trust so that a user, computer, organization, or
service can prove its identity outside or inside the border of your Active Directory
forest.
Certificates are issued from a certificate authority (CA). When a user, computer, or
service uses a certificate to prove its identity, the client in the transaction must trust
the issuing CA. A list of trusted root CAs, which includes VeriSign and Thawte, is
maintained by Windows and updated as part of Windows Update.
The certificates can be used for numerous purposes in an enterprise network,
including the creation of secure channels such as the SSL example mentioned in
the AD LDS section. Additionally, the certificates can be used for virtual private
networks (VPNs), wireless security, and authentication, such as smart card logon.
AD CS provides technologies and tools that help create and manage a public key
infrastructure (PKI). Although AD CS can be run on a stand-alone server, it is much
more common and much more powerful to run AD CS integrated with AD DS,
which can act as a certificate store and provide a framework to manage the lifetime
of certificates: how they are obtained, renewed, and revoked.
AD RMS
AD RMS creates a framework with which you can ensure the integrity of
information, both within and outside your organization.
In a traditional model of information protection, ACLs are used to define how
information can be accessed. For example, a user may be given the Read
permission to a document. However, there is nothing to prevent that user from
performing any number of actions after that document is opened. The user can
make changes to the document and save it in any location, print the document, or
forward the document by email to a user who otherwise does not have Read
permission to the document.
AD RMS addresses these and other such scenarios by enforcing information use
policies. AD RMS accomplishes this by using licenses and encryption to protect
information and by having rights management-enabled applications that can
consume the licenses, create usage policies, open protected content, and enforce
usage policies.
AD FS
AD FS allows an organization to extend the authority of the directory service for
authenticating users across multiple organizations, platforms, and network
environments.
A traditional Windows domain trust creates a relationship in which the
trusting domain allows the trusted domain to authenticate users, but the result is
that all users in the trusted domain are trusted. Moreover, maintaining a trust
requires several firewall exceptions (RPC, LDAP, Kerberos, and SMB traffic) that
many organizations are unwilling to open and that are certainly not suitable for
supporting Web-facing applications. To overcome this problem, AD FS can be
configured to maintain federated trusts by using common ports such as 80 and 443.
AD FS is extremely useful for extending a directory's authority in business-to-
business and partnership scenarios, as well as for supporting single sign-on web
applications.
Lesson 2
Active Directory Components and Concepts
Modules 2 to 14 of this course describe the installation, configuration, management, and troubleshooting of AD DS. It is worthwhile to first gain an overview of the components, technologies, and concepts related to Active Directory.
Objectives
After completing this lesson, you will be able to:
Identify the major components of AD DS.
Active Directory as a Database
Key Points
Active Directory is ultimately a database of enterprise resources and configuration. A suite of services supports the database and uses the information in it to provide enterprise identity and access. In database terminology, each record in the Active Directory database is an Active Directory object, such as a user, group, or computer. Each field is an attribute, also called a property, of an object. Attributes include the object's name, password, description, membership, or SID.
Security principals, also called accounts, are specific types of objects in AD DS. Security principals have several unique attributes, the most important of which is the SID. The SID is used, as you learned in the previous lesson, to assign resource access to the account.
In the previous lesson, you focused on only one security principal: users. However,
it is easier to manage resource access when you assign permissions to a group.
There is a class of group object called a security group, which is also a security
principal. Computers in a domain are also security principals. In fact, the computer
object is very similar to a user object: it has a logon name and password that the
computer uses to authenticate with the domain at startup.
Finally, there is a class of objects called inetOrgPerson. This object class is used in
very specific situations to support interoperability with a handful of third-party
directory services. inetOrgPerson is also a security principal and is similar to a
user account.
The Active Directory database is supported and used by a number of services,
including Kerberos (responsible for authentication), DNS (responsible for name
resolution), and the directory replication agent (DRA), which is responsible for
replicating the database between domain controllers.
The Active Directory database can be accessed in a number of ways. To do this, you
can use various Windows components, tools, and interfaces; application
programming interfaces (APIs); or LDAP.
Demonstration: Active Directory Schema
Key Points
In this demonstration, your instructor will introduce you to the role and structure of the schema by giving you a tour of the Active Directory schema.
The schema is often compared with a blueprint for Active Directory. It defines the attributes and types of objects that can be stored in the directory. For example, the schema determines the fact that Active Directory can have user objects, and that user objects are required to have a logon name and optionally an email address. If you need to create some additional attributes or properties for the user object, you must extend the schema. However, you should not extend the schema without a good reason because this operation is not reversible. Also, we highly recommend that you do not edit the schema manually, but edit it only through automated procedures initiated by applications that need schema extension, such as Exchange Server.
The schema has two primary containers. The Attributes container holds the definitions of every attribute supported by Active Directory. You can open the attributes for properties with which you are already familiar:
objectSID: Security identifier.
sAMAccountName: The pre-Windows 2000 Server logon name, which most
administrators refer to as the "user name."
unicodePwd: This attribute stores the password as a hash that results from a
one-way function, not as the password itself. The attribute cannot be read over
LDAP, even by an administrator; it can only be written, to set or change a
password. The hash cannot be turned back into the password, but because it is
not salted, anyone who obtains a copy of the directory database can run offline
brute-force or dictionary attacks against it, which is one reason domain
controllers must be physically secured.
member: The attribute that stores the membership list for a group object.

The Classes container defines the types of objects that can be instantiated
(created) in the directory, including user and group. Object classes are associated
with attributes defined in the Attributes container. These associations determine
what object classes have which attributes and which of those attributes are
mandatory for a particular object class.
Demonstration Steps
1. On the virtual machine 6425C-NYC-DC1, open
D:\AdminTools\ADConsole.msc. Expand the Active Directory node, and
then expand the Active Directory Schema [NYC-DC1.contoso.com] node.
2. Look at the Attributes container. Open the Properties of the following.
objectSID
sAMAccountName (what most admins call the user name)
unicodePwd
member
description
3. Open the Classes container. While scrolling through, notice familiar object
classes, including user, computer, and group.
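The same facts the demonstration shows in the Schema snap-in can be read with the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 (or RSAT). The following is an added example, not part of the course demonstration; it assumes you run it as a domain user on NYC-DC1 or another domain-joined machine with the module installed. It only reads the schema partition and one user object, so it changes nothing.

```powershell
# Added example (not from the course): inspect attribute and class definitions
# in the schema partition, including inherited mandatory attributes.
Import-Module ActiveDirectory

$SchemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

function Get-SchemaAttributeDefinition {
    # One attribute definition, as shown under the Attributes container.
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    Get-ADObject -SearchBase $SchemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, systemOnly, searchFlags |
        Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, systemOnly, searchFlags
}

function Get-EffectiveClassAttributes {
    # Mandatory and optional attributes of a class, including those inherited
    # from parent classes (subClassOf) and auxiliary classes. This is why
    # objectSid and sAMAccountName are mandatory for 'user': they come from
    # the securityPrincipal auxiliary class, not from the user class itself.
    param([Parameter(Mandatory=$true)][string]$ClassName)
    $mandatory = @{}; $optional = @{}; $seen = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $true
        $cls = Get-ADObject -SearchBase $SchemaNC -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" `
            -Properties mustContain, systemMustContain, mayContain, systemMayContain, `
                        subClassOf, auxiliaryClass, systemAuxiliaryClass
        if (-not $cls) { throw "Class '$name' is not defined in the schema." }
        foreach ($a in @($cls.mustContain) + @($cls.systemMustContain)) { if ($a) { $mandatory[$a] = $true } }
        foreach ($a in @($cls.mayContain)  + @($cls.systemMayContain))  { if ($a) { $optional[$a]  = $true } }
        foreach ($p in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($p -and $p -ne $name) { $queue.Enqueue($p) }   # 'top' is its own parent; stop there
        }
    }
    New-Object PSObject -Property @{
        Class     = $ClassName
        Mandatory = @($mandatory.Keys | Sort-Object)
        Optional  = @($optional.Keys  | Sort-Object)
    }
}

# The five attributes opened in the demonstration.
'objectSid', 'sAMAccountName', 'unicodePwd', 'member', 'description' |
    ForEach-Object { Get-SchemaAttributeDefinition $_ } | Format-Table -AutoSize

$user = Get-EffectiveClassAttributes -ClassName user
"user: {0} mandatory, {1} optional attributes" -f $user.Mandatory.Count, $user.Optional.Count
"objectSid mandatory for user? {0}" -f ($user.Mandatory -contains 'objectSid')
"unicodePwd allowed on user?   {0}" -f ($user.Optional  -contains 'unicodePwd')

# unicodePwd is defined on the class, but a directory read never returns it,
# not even to an administrator: the attribute is write-only over LDAP.
$admin = Get-ADUser -Identity Administrator -Properties unicodePwd, objectSid, sAMAccountName
"unicodePwd returned for Administrator: {0}" -f ($admin.unicodePwd -ne $null)
```

The recursive walk is what the Schema snap-in does implicitly when it shows a class's mandatory attributes; reading only the class's own mustContain would miss everything inherited.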



Organizational Units
Key Points
Active Directory is a hierarchical database. Objects in the data store can be grouped in containers. One type of container is the object class called Container. Other types of containers include forests, domains, sites, and so on. You have seen the default containers, including Users, Computers, and Builtin, when you open the Active Directory Users and Computers snap-in. Another type of container is the organizational unit (OU).
An OU is an AD DS object that is contained in a domain. You can use OUs to organize hundreds of thousands of directory objects into manageable units. OUs are useful for grouping and organizing objects for administrative purposes, such as delegating administrative rights and assigning Group Policy settings to a collection of objects as a single unit.
You can use OUs to perform the following tasks:
Organize objects in a domain. OUs can contain domain objects, such as user and computer accounts and groups. File and printer shares that are published to AD DS also are found in OUs.
Delegate administrative control. You can assign either complete administrative
control, such as the Full Control permission, over all objects in the OU or
limited administrative control, such as the ability to modify email information,
over user objects in the OU. To delegate administrative control, you assign
specific permissions on the OU and the objects that the OU contains for one
or more users and groups.
Simplify the management of commonly grouped resources. Using OUs, you
can create containers in a domain that represent the hierarchical or logical
structures in your organization. Then, you can use Group Policy settings to
manage the configuration of user and computer settings based on your
organizational model.
An organizational hierarchy should represent an organizational structure logically.
The organization could be based on geographic, functional, resource, or user
classifications. Whatever the order, the hierarchy should make it possible to
administer AD DS resources as effectively and with as much flexibility as possible.
For example, if all computers that IT administrators use must be configured in a
certain way, you can group all computers in an OU and assign a policy to manage
its computers.
You also can create OUs inside other OUs to simplify administration. For example,
your organization may have multiple offices, and each office might have a set of
administrators responsible for managing user and computer accounts in the office.
Also, each office may have different departments with different computer
configuration requirements. In this situation, you could create an OU for that office
that is used to delegate administration and a department OU inside the office OU
to assign desktop configurations.
Although there is no technical limit to the number of levels in your OU structure,
for manageability limit the structure to a depth of no more than 10 levels; most
organizations use 5 or fewer levels to keep administration simple. Note that
Active Directory-enabled applications might have restrictions on the number of
characters in the distinguished name (the full LDAP path to the object in the
directory) or on the OU depth within the hierarchy.
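The office and department OUs described above, with a limited delegation rather than Full Control, look like this in PowerShell. This is an added example, not code from the course. It assumes the ActiveDirectory module, a Domain Admins account in the demonstration domain (contoso.com), and hypothetical names: the OUs NYC (office) and Sales (department) and the group NYC-HelpDesk, all of which the script creates if they do not exist.

```powershell
# Added example (not from the course): create a nested OU hierarchy, measure
# its depth, and delegate only 'Reset Password' on user objects to a group.
# Assumptions: OU names NYC/Sales and group NYC-HelpDesk are hypothetical.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName          # DC=contoso,DC=com

function New-OuPath {
    # Create nested OUs top-down: New-OuPath 'NYC','Sales' -> OU=Sales,OU=NYC,DC=...
    param([Parameter(Mandatory=$true)][string[]]$Names)
    $parent = $DomainDN
    foreach ($name in $Names) {
        $existing = Get-ADOrganizationalUnit -SearchBase $parent -SearchScope OneLevel -LDAPFilter "(ou=$name)"
        if (-not $existing) {
            New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
        }
        $parent = "OU=$name,$parent"
    }
    return $parent
}

function Get-OuDepth {
    # Number of OU levels in a DN; the text recommends at most 10, usually 5 or fewer.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    return ([regex]::Matches($DistinguishedName, '(?i)(?:^|,)OU=')).Count
}

$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of 'Reset Password'
$UserClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'

function Grant-ResetPasswordRight {
    # Limited delegation: the group may reset passwords of user objects below
    # the OU, and nothing else. Compare with granting Full Control on the OU.
    param([Parameter(Mandatory=$true)][string]$OuDN,
          [Parameter(Mandatory=$true)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-ResetPasswordRight {
    # Read the OU's ACL back and confirm the group holds exactly that extended right.
    param([string]$OuDN, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $hits = (Get-Acl -Path "AD:\$OuDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.ObjectType -eq $ResetPasswordRight
    }
    return [bool]$hits
}

# Office OU for delegation, department OU inside it for Group Policy scoping.
$officeOU = New-OuPath -Names 'NYC'
$deptOU   = New-OuPath -Names 'NYC', 'Sales'
"Depth of {0}: {1}" -f $deptOU, (Get-OuDepth $deptOU)

if (-not (Get-ADGroup -LDAPFilter '(sAMAccountName=NYC-HelpDesk)')) {
    New-ADGroup -Name 'NYC-HelpDesk' -GroupScope Global -GroupCategory Security -Path $officeOU
}
Grant-ResetPasswordRight -OuDN $officeOU -GroupName 'NYC-HelpDesk'
"NYC-HelpDesk can reset passwords under {0}: {1}" -f $officeOU, (Test-ResetPasswordRight $officeOU 'NYC-HelpDesk')
```

Because the ACE is scoped to the user object class and inherits only to descendants, the help desk group gains nothing on the OU object itself or on computers and groups inside it; that is the difference between "limited administrative control" and Full Control in the text.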

Policy-Based Management
Key Points
Policy-based administration eases the management burden of even the largest, most complex networks by providing a single point to configure settings that are then deployed to multiple systems.
Group Policy allows you to define security settings as well as thousands of configuration settings for one or more users or computers in your enterprise. For example, it is Group Policy that defines the password and lockout policies for a domain, which specify the minimum password length and password expiration policy. Group Policy can specify auditing settings, such as to monitor access to folders on the server or to watch for changes to security-sensitive groups in Active Directory, such as Domain Admins. Group Policy can also manage configuration, such as specifying a Microsoft Internet Explorer home page for a group of users or preventing users from accessing registry editing tools.
The important concept of Group Policy to understand at this point in the course is that Group Policy allows you to define configuration in an object called a Group Policy object (GPO). A GPO can then be scoped (applied) to one or more users or computers.
Another example of policy-based management is fine-grained password and
lockout policies, a new feature of Windows Server 2008 that requires the
Windows Server 2008 domain functional level. You can now specify different
password and lockout policies for different groups of users in your environment.
For example, you can configure a longer minimum password length and a more
frequent password change policy for members of Domain Admins than for normal
users.
It is important to note that these technologies enable Active Directory to go beyond
simple identity and access management and to make a significant contribution to
the broader management of your enterprise network.
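The Domain Admins policy just described, created and then verified from PowerShell, as an added example that is not part of the course. It assumes the ActiveDirectory module, a domain functional level of Windows Server 2008 or higher (which the script checks first), and two hypothetical names: PSO-DomainAdmins for the policy object and jdoe for an ordinary user to compare against.

```powershell
# Added example (not from the course): a stricter fine-grained password policy
# for Domain Admins, and the resultant policy for an admin vs. a normal user.
# Assumptions: policy name 'PSO-DomainAdmins' and user 'jdoe' are hypothetical.
Import-Module ActiveDirectory

function Assert-FgppSupported {
    # Password Settings Objects need the Windows Server 2008 domain functional level.
    $mode = (Get-ADDomain).DomainMode
    if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
        throw "Domain functional level is $mode; fine-grained password policies need Windows2008Domain or higher."
    }
}

function New-StricterAdminPasswordPolicy {
    param([string]$Name = 'PSO-DomainAdmins', [string]$AppliesTo = 'Domain Admins')
    Assert-FgppSupported
    $pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'"
    if (-not $pso) {
        # Longer minimum length, shorter maximum age and a tighter lockout than
        # the default domain policy. If several PSOs apply, the lowest
        # Precedence value wins.
        $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 -PassThru `
            -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
            -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    }
    # A PSO can be linked only to users and to global security groups; Domain Admins is global.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $AppliesTo
    return $pso
}

function Get-EffectivePasswordPolicy {
    # The resultant PSO for a user, or the default domain policy when no PSO applies.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($resultant) {
        $source = $resultant.Name
    } else {
        $source = 'Default Domain Policy'
        $resultant = Get-ADDefaultDomainPasswordPolicy
    }
    New-Object PSObject -Property @{
        User              = $SamAccountName
        Source            = $source
        MinPasswordLength = $resultant.MinPasswordLength
        MaxPasswordAge    = $resultant.MaxPasswordAge
        LockoutThreshold  = $resultant.LockoutThreshold
    }
}

New-StricterAdminPasswordPolicy | Out-Null
'Administrator', 'jdoe' | ForEach-Object { Get-EffectivePasswordPolicy $_ } |
    Format-Table User, Source, MinPasswordLength, MaxPasswordAge, LockoutThreshold -AutoSize
```

Always confirm with the resultant policy rather than with the PSO itself: a user who is a member of several groups with PSOs, or who has a PSO linked directly, may be governed by a different object than you expect.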

Active Directory Data Store
Key Points
As mentioned in the previous lesson, AD DS stores its identities in the directory, a data store hosted on domain controllers. The directory is a single file named ntds.dit, and it is located by default in the %systemroot%\ntds folder on a domain controller.
The database is divided into several partitions, which will be detailed in later modules. The partitions include:
Schema: Defines the attributes and types of objects that can be stored in the directory.
Domain naming context (Domain NC): An important partition for day-to-day administration, because it contains the data about objects within a domain: the users, groups, and computers. When you make changes to Active Directory by using the Active Directory Users and Computers snap-in, you are modifying the contents of the Domain NC.
Configuration: Contains information about domains, services, and topology.
DNS: If you use Active Directory-integrated DNS, the DNS zones and resource
records are stored in a partition.
Partial Attribute Set (PAS): This partition is used by the Global Catalog,
which is detailed in a later topic in this lesson, and in Module 12.

Active Directory also stores information in a folder structure called SYSVOL. By
default, this folder is located in the %systemroot% folder (c:\windows). SYSVOL
contains items such as logon scripts and files related to GPOs.
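The partitions and files listed above can be enumerated on a domain controller as follows. This is an added example, not code from the course; it assumes the ActiveDirectory module and that you run it locally on a domain controller (the registry reads and the AC L check are local), for example on the course's NYC-DC1.

```powershell
# Added example (not from the course): list the partitions this DC holds and
# locate ntds.dit, its logs and SYSVOL on disk, then run two sanity checks.
# Assumption: executed locally on a domain controller.
Import-Module ActiveDirectory

function Get-DirectoryPartitions {
    # The naming contexts on this DC map to the partitions described in the text.
    $root   = Get-ADRootDSE
    $forest = Get-ADForest
    New-Object PSObject -Property @{
        Schema          = $root.schemaNamingContext
        Configuration   = $root.configurationNamingContext
        Domain          = $root.defaultNamingContext
        Application     = @($forest.ApplicationPartitions)  # e.g. DC=DomainDnsZones,... for AD-integrated DNS
        AllOnThisDC     = @($root.namingContexts)
        IsGlobalCatalog = ("$($root.isGlobalCatalogReady)" -eq 'TRUE')   # rootDSE returns the string TRUE/FALSE
    }
}

function Get-DataStorePaths {
    # Where ntds.dit, its transaction logs and SYSVOL live, from the DC's registry.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-Object PSObject -Property @{
        Database = $ntds.'DSA Database file'          # %systemroot%\ntds\ntds.dit by default
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}

function Test-DataStoreProtection {
    # Two checks a practitioner wants: no non-administrative principal has an
    # ACE on the database folder (offline copies of ntds.dit expose password
    # hashes), and SYSVOL is shared as clients expect for scripts and GPOs.
    $paths = Get-DataStorePaths
    $dbDir = Split-Path -Parent $paths.Database
    $weakAces = (Get-Acl -Path $dbDir).Access | Where-Object {
        "$($_.IdentityReference)" -eq 'Everyone' -or "$($_.IdentityReference)" -like '*\Users' -or
        "$($_.IdentityReference)" -like '*\Authenticated Users'
    }
    $sysvolShare = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'"
    New-Object PSObject -Property @{
        DatabaseDir           = $dbDir
        NonAdminAccessOnDbDir = [bool]$weakAces
        SysvolShared          = [bool]$sysvolShare
        SysvolPath            = $paths.Sysvol
    }
}

Get-DirectoryPartitions  | Format-List
Get-DataStorePaths       | Format-List
Test-DataStoreProtection | Format-List
```

NonAdminAccessOnDbDir should be False on every domain controller; if it is not, the database folder has been given permissions it does not need, and anyone with those permissions can copy ntds.dit for offline attacks on the password hashes it contains.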

Domain Controllers
Key Points
Domain controllers, also referred to as DCs, are servers that perform the AD DS role. As part of that role, they host and replicate the Active Directory database (NTDS.DIT) and SYSVOL.
DCs also run the Kerberos Key Distribution Center (KDC) service, which performs authentication and other Active Directory services.
Because authentication is critical to an enterprise, the best practice is to have at least two available domain controllers so that if clients are unable to access one, they have access to another.
In addition to availability, you must ensure that domain controllers are secure. In addition to physical security (such as placing domain controllers in secure datacenters), there are two options to improve security:
Server Core: You can install Windows Server 2008 R2 by using the Server Core installation option. This installs a minimal configuration of Windows Server 2008 R2 that features a Command Prompt user interface, rather than
Windows Explorer. You will install a Server Core DC in the Lab for Module
11.
Read-Only Domain Controllers (RODCs): RODCs facilitate user
authentication in less secure environments, such as branch offices, by caching
credentials only for the users you explicitly allow through the RODC's password
replication policy. Passwords for other users are not replicated to the RODC.
Additionally, the RODC does not allow changes to be made to Active Directory,
reducing the vulnerability of the AD DS domain to accidental or intentional
damage at a less secure site. RODCs are detailed in Module 9.


Domain
Key Points
One or more domain controllers are required to create an Active Directory domain. A domain is an administrative unit within which certain capabilities and characteristics are shared. First, all domain controllers replicate the domain's partition of the data store, which contains, among other things, the identity data for the domain's users, groups, and computers. Because all DCs maintain the same identity store, any DC can authenticate any identity in a domain.
In addition, a domain is a scope of administrative policies such as password complexity and account lockout policies. Such policies that are configured in one domain affect all accounts in the domain and do not affect accounts in other domains.
Changes can be made to objects in the Active Directory database by any domain controller, and that will be replicated to all other domain controllers. Therefore, in networks where replication of all data between domain controllers cannot be supported, it may be necessary to implement more than one domain to manage the replication of subsets of identities.

Replication
Key Points
Replication services distribute directory data across a network. This includes both the data store as well as data required to implement policies and configuration, including logon scripts. As you will learn in Module 12, Active Directory replication is both efficient and robust.
Active Directory maintains a separate partition of the data store named Configuration, which maintains information about network configuration, topology, and services.
Sites
Key Points
When you consider the network topology of a distributed enterprise, you will certainly discuss the network's sites. Sites in Active Directory, however, have a very specific meaning because there is a specific object class called site.
An Active Directory site is an object that represents a portion of the enterprise within which network connectivity is good. A site creates a boundary of replication and service utilization. You can also treat a site as a logical interpretation of your physical network.
Domain controllers within a site replicate changes within seconds. Changes are replicated between sites on a controlled basis with the assumption that intersite connections are slower, more expensive, or less reliable than the connections within a site.
By defining sites, you are telling Active Directory that you have domain controllers in various physical locations, and that replication between these locations is performed over slower links.
In addition, clients will prefer to use distributed services from servers in their site or the closest site. For example, when a user logs on to the domain, the Windows
client first attempts to authenticate with a domain controller in its site. Only if no
domain controller is available in the site will the client attempt to authenticate with
a DC in another site.

Forest
Key Points
A forest is a collection of one or more Active Directory domains. The first domain installed in a forest is called the forest root domain. A forest contains a single definition of network configuration and a single instance of the directory schema. In other words, each domain controller in a forest replicates the Configuration and Schema partitions, and these two partitions are the same for each domain in the forest. In other words, you cannot have more than one schema or configuration in a forest. The forest root domain also contains the forest-wide administrative groups Enterprise Admins and Schema Admins. Enterprise Admins has administrative privileges in every domain in the forest, and can also edit the forest structure, such as adding or removing domains, extending the schema, and so on.
A forest is a single instance of the directory; no data is replicated by Active Directory outside the boundaries of the forest. Therefore, the forest defines both a replication and a security boundary.

Tree
Key Points
The Domain Name System namespaces of the domains in a forest create trees within the forest. If a domain is a subdomain of another domain, the two domains are considered a tree. For example, if the treyresearch.net forest contains two domains, treyresearch.net and antarctica.treyresearch.net, the domains constitute a contiguous portion of the DNS namespace, so they are a single tree. If, on the other hand, the two domains are treyresearch.net and proseware.com, which are not contiguous in the DNS namespace, the forest is considered to have two trees. Trees are the direct result of the DNS names chosen for domains in the forest.
The slide illustrates an Active Directory forest for Trey Research, which maintains a small operation at a field station in Antarctica. Because the link from Antarctica to the headquarters is expensive, slow, and unreliable, Antarctica is configured as a separate domain. The DNS name of the forest is treyresearch.net. The Antarctica domain is a child domain in the DNS namespace, antarctica.treyresearch.net, so it is considered a child domain in the domain tree.
The proseware.com domain, because it does not share a contiguous DNS namespace, is another tree in the same forest.
Global Catalog
Key Points
Several components and technologies enable you to query Active Directory and locate objects in the data store. A partition of the data store called the Global Catalog, which is also known as the PAS, contains information about every object in the directory. It is a type of index that can be used to locate objects in the directory.
The Global Catalog is the set of all objects in an AD DS forest. A Global Catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. The partial, read-only copies of objects that make up the global catalog are described as "partial" because they include a limited set of attributes that are required by the schema in addition to the attributes that are most commonly used in user search operations. This is particularly important if you are searching for objects in another domain within a forest. Because the domain controllers in your domain will not contain information about objects in other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all objects in other domains.


Functional Levels
Key Points
The functionality available in an Active Directory domain or forest depends on its functional level. The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features. There are four domain functional levels: Windows 2000 native, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, and three forest functional levels: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. As you raise the functional level of a domain or forest, features provided by that version of Windows (and Active Directory) become available to AD DS. For example, when the domain functional level is raised to Windows Server 2008, a new attribute becomes available that reveals the last time a user successfully logged on to a computer, the computer to which the user last logged on, and the number of failed logon attempts since the last logon. If you raise the forest functional level to Windows Server 2008 R2, you will get the Active Directory Recycle Bin feature, which provides the ability to restore deleted objects from AD DS. The important thing to know about functional levels is that they determine the versions of
1-46 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Windows permitted on domain controllers. Before you raise the domain functional
level to Windows Server 2008 R2, all domain controllers must be running
Windows Server 2008 R2. Also, to raise forest functional level to Windows Server
2008 R2, all domains in a forest must be in the Windows Server 2008 R2
functional level.

DNS and Application Partitions
Key Points
Active Directory and DNS are closely integrated. First, there is a one-to-one relationship between a DNS name and an Active Directory domain. Second, there is a complete reliance on DNS to locate computers and services within the domain. Third, it is very common to configure domain controllers to also serve as DNS servers. When you do this, you have the option to store DNS data, called a zone, in Active Directory itself.

The Active Directory data store can also be used to support applications and services not directly related to AD DS. Within the database, application partitions can store data to support applications that require replicated data. The DNS service on a Windows Server 2008 server can store its information in a database called an Active Directory integrated zone, which is maintained as an application partition in AD DS and replicated by using Active Directory replication services.

Trust Relationships
Key Points
At the beginning of this module, you considered the default, stand-alone, workgroup configuration of Windows Server. You then learned that, when a computer joins a domain, the LSA of the system begins to trust the identity store and authentication services provided by the domain. That allows a user account stored in the domain to be authenticated by the computer. This also provides the user account access to resources on the computers joined to the domain. Joining computers to a domain is the simplest way of establishing a trust relationship.

The same concept can be extended to other domains. A domain can authenticate users from another domain and can allow those users to be assigned access to resources in the domain. This is done by establishing a domain trust relationship. In a trust relationship, the trusting domain extends its realm of trust so that it trusts the identity store and authentication services of the trusted domain. User accounts in the trusted domain can be authenticated, and the SIDs of user accounts in the trusted domain can be added to ACLs in the trusting domain.

Within a forest, each domain trusts every other domain. You must manually establish trust relationships between the domains that are in different forests and between forests themselves.

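The three preceding topics (Global Catalog, DNS and Application Partitions, Trust Relationships) can be inspected read-only in an existing forest with the Active Directory module for Windows PowerShell. The script below is an added example, not course material; it assumes the module is available (Windows Server 2008 R2 RSAT or a domain controller, which needs ADWS running on a DC), the lab names HQDC01.contoso.com and contoso.com, and a user account filter that is purely illustrative.

```powershell
# Added example (not from the course): read-only inspection of global catalog placement,
# directory partitions and trusts. Assumes the ActiveDirectory module and the lab names
# HQDC01 / contoso.com; the "a*" account filter is a constructed sample.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Global catalog placement. The course's best practice is that every DC is a GC, so
#    surface any DC that is not before it shows up as slow cross-domain logons or searches.
Write-Host "Global catalog servers: $($forest.GlobalCatalogs -join ', ')"
Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsGlobalCatalog } |
    ForEach-Object { Write-Warning "DC $($_.HostName) is not a global catalog server" }

# 2. Partitions. Every naming context is registered as a crossRef object in the Partitions
#    container. systemFlags 0x2 = domain partition, 0x4 = not replicated to the GC, which is
#    how application partitions such as DomainDnsZones / ForestDnsZones (the AD-integrated
#    DNS zones from the DNS topic) are marked. Schema and configuration carry neither bit.
$crossRefs = Get-ADObject -SearchBase $forest.PartitionsContainer `
    -Filter 'objectClass -eq "crossRef"' -Properties nCName, systemFlags
foreach ($cr in $crossRefs) {
    if ($cr.systemFlags -band 0x2)     { $kind = 'domain' }
    elseif ($cr.systemFlags -band 0x4) { $kind = 'application (not in GC)' }
    else                               { $kind = 'schema/configuration' }
    Write-Host ("{0,-24} {1}" -f $kind, $cr.nCName)
}

# 3. A forest-wide search through the GC port (3268). An empty SearchBase against a GC
#    covers every partition the GC holds, but only PAS attributes are available, so ask
#    for nothing outside the partial attribute set.
Get-ADObject -Server 'HQDC01.contoso.com:3268' -SearchBase '' -SearchScope Subtree `
    -Filter 'objectClass -eq "user" -and sAMAccountName -like "a*"' -Properties sAMAccountName |
    Select-Object sAMAccountName, DistinguishedName

# 4. Trusts. Each trust this domain participates in is a trustedDomain object in the System
#    container. trustDirection 1 = inbound, 2 = outbound, 3 = two-way; trustAttributes 0x4
#    marks a quarantined (SID-filtered) external trust. Parent/child trusts inside the
#    forest appear here as well.
$dirName = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'two-way' }
Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" `
    -Filter 'objectClass -eq "trustedDomain"' -Properties trustPartner, trustDirection, trustAttributes |
    ForEach-Object {
        $quarantined = if ($_.trustAttributes -band 0x4) { 'SID filtering on' } else { '' }
        Write-Host ("{0,-30} {1,-9} {2}" -f $_.trustPartner, $dirName[[int]$_.trustDirection], $quarantined)
    }
```

The same trust list is available without the module from nltest /domain_trusts /all_trusts.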
Lesson 3
Install Active Directory Domain Services
This lesson discusses how to install AD DS and how to configure a domain controller.
Objectives
After completing this lesson, you will be able to:
Understand the requirements for installing a domain controller to create a new forest.
Configure a domain controller with the AD DS role by using the Windows interface.

Install Windows Server 2008 R2
Key Points
Installing Windows Server 2008 R2 is a straightforward process. It consists of the following steps:
1. Turn on the system.
2. Insert the Windows Server 2008 R2 installation DVD.
If the system's hard disk is empty, the system should boot from the DVD. If there is information on the disk, you may be prompted to press a key to boot from the DVD.
If the system does not boot from the DVD or offer you a boot menu, go to the BIOS settings of the machine and configure the boot order to ensure that the system boots from the DVD.
The Install Windows wizard appears, as shown in the following screen shot:

3. Select the language, regional setting, and keyboard layout that are correct for
your system, and then click Next.
4. Click Install Now.
You are presented with a list of versions to install, as shown in the following
screen shot.

5. Select the appropriate operating system, and then click Next.
6. Click I Accept The License Terms, and then click Next.
7. Click Custom (Advanced).
8. On the Where Do You Want to Install Windows? page, select the disk on
which you want to install Windows Server 2008 R2.
If you need to create, delete, extend, or format partitions, or if you need to load
a custom mass storage driver to access the disk subsystem, click Drive options
(advanced).
9. Click Next.
The Installing Windows dialog box appears, as shown in the following screen
shot. The window keeps you apprised of the progress of Windows installation.

Installation of Windows Server 2008 R2, like Windows Vista or Windows 7,
is image-based. Therefore, the installation is significantly faster than for the
earlier versions of Windows even though the operating systems are much
larger than the earlier versions. The computer will reboot one or more times
during installation.
When the installation has completed, you will be informed that the user's
password must be changed before logging on the first time.
10. Click OK.
11. Type a password for the Administrator account in both the New Password
and Confirm Password boxes, and then press ENTER.
The password must be at least seven characters long and must include characters
from at least three of the following four character types:
Uppercase: A-Z
Lowercase: a-z
Numeric: 0-9
Nonalphanumeric: symbols such as $, #, @, and !
12. Click OK.

If you selected the Full Installation option, the desktop for the Administrator
account appears. If you installed Server Core, a command prompt appears.

Server Manager and Role-Based Configuration of Windows Server 2008 R2
Key Points
To reduce management costs and to reduce exposure to security vulnerabilities, Windows Server 2008 R2 setup installs only the core operating system components. Unlike previous versions of Windows, however, the result is the minimal installation rather than an all-in-one server. Therefore, after installation of the operating system, you must add the components required for the server based on the role it will play in your enterprise. Windows Server 2008 R2 functionality is added as roles and features. The Server Manager console gives you the ability to add and remove roles. It also exposes the most common administrative snap-ins based on the server's role.

Prepare to Create a New Forest with Windows Server 2008 R2
Key Points
Before you install the AD DS role on a server and promote it to act as a domain controller, you should plan your Active Directory infrastructure. You will need the following information to create a domain controller:
The domain name and the DNS name. A domain must have a unique DNS name, such as contoso.com, as well as a short name, such as CONTOSO, which is also called a NetBIOS name. NetBIOS is a network protocol that has been in use since the first versions of Windows NT. It is still used by some legacy applications.
Whether the domain will need to support domain controllers running previous versions of Windows. When you create a new Active Directory forest, you will configure the functional level. If the domain will include only Windows Server 2008 R2 domain controllers, you can set the functional level accordingly to benefit from the enhanced features introduced by this version of Windows.
Details for how DNS will be implemented to support Active Directory. It is a best practice to implement DNS for your Windows domain zones by using Windows DNS Service, as you will learn in Module 9. However, it is possible to support a Windows domain on a third-party DNS service.
IP configuration for the domain controller. Domain controllers require static IP addresses and subnet mask values. Additionally, the domain controller must be configured with a DNS server address to perform name resolution. If you create a new forest and run Windows DNS Service on the domain controller, you can configure the DNS address to point to the server's own IP address. After DNS is installed, the server can check within itself to resolve DNS names.
The user name and password of an account in the server's administrator group. The account must have a password; the password cannot be blank.
The location in which the data store (including ntds.dit) and system volume (SYSVOL) should be installed. By default, these stores are created in %systemroot%, such as c:\windows, in the NTDS and SYSVOL folders, respectively. When creating a domain controller, you can redirect these stores to other drives.


Install and Configure a Domain Controller
Key Points
To install and configure a Windows Server 2008 R2 domain controller, you must first install the AD DS role by using Server Manager. This adds the files and registry components necessary for the server to later become a domain controller. But, adding the role does not actually configure and enable the server as a domain controller. That step is performed by running the Active Directory Domain Services Installation Wizard, which is also known as DCPromo, because the wizard can be launched by using the dcpromo.exe command. The Active Directory Domain Services Installation Wizard takes you through the process of selecting the deployment configuration, adding additional domain controller features, such as the DNS role, specifying the location for Active Directory files, and configuring the Directory Services Restore Mode Administrator Password, which is used when restoring Active Directory from a backup, as you'll learn in Module 13.

Lab: Install an AD DS Domain Controller to Create a Single Domain Forest
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-SVR-D, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd

Lab Scenario
You have been hired to improve identity and access at Contoso, Ltd. The company
currently has one server in a workgroup configuration. Employees connect to the
server from their personal client computers. In anticipation of near-term growth,
you need to improve the manageability and security of the company's resources.
You decide to implement an AD DS domain and forest by promoting the server to
a domain controller. You have just finished installing Windows Server 2008 R2
from the installation DVD.

Exercise 1: Perform Post-Installation Configuration Tasks
In this exercise, you will prepare the server by performing post-installation
configuration tasks.
The main tasks for this exercise are as follows:
1. Configure the time zone.
2. Change the IP configuration.
3. Rename the server HQDC01.
4. Restart the server.



Task 1: Configure the time zone
In the Initial Configuration Tasks window, change the time zone so that it is
appropriate for your location.

Task 2: Change the IP configuration
In the Initial Configuration Tasks window, change the IP (IPv4) configuration
to the following:
IP address: 10.0.0.11
Subnet mask: 255.255.255.0
Default gateway: 10.0.0.1
Preferred DNS server: 10.0.0.11

Task 3: Rename the server to HQDC01
In the Initial Configuration Tasks window, rename the server to HQDC01. Do
not restart the server now.

Task 4: Restart the server
1. In the Initial Configuration Tasks window, review the Add roles and Add
features links.
In the next exercise, you will use Server Manager to add roles and features to
HQDC01. These links help you perform the same tasks. By default, the Initial
Configuration Tasks window will appear each time you log on to the server.
2. To prevent the window from appearing, select the Do not show this window
at logon check box. Note that if you need to open the Initial Configuration
Tasks window in the future, run the Oobe.exe command.
3. Click the Close button.
Server Manager appears.
Server Manager enables you to configure and administer the roles and features
of a server running Windows Server 2008. You will use Server Manager in the
next exercise.
At the lower part of the Server Manager window, the following status message
is displayed:
Console cannot refresh until computer is restarted.
4. Click the Restart link.
Now, you are prompted with the following message:
Do you want to restart now?
5. Click Yes.
The computer restarts.

Results: In this exercise, you configured a server named HQDC01 in the correct time
zone, and with the IP configuration specified in Task 4.
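The four tasks of Exercise 1, performed from the command line instead of the Initial Configuration Tasks window, with a read-back of the result before the restart. This is an added example, not course material; it assumes an elevated PowerShell 2.0 prompt on the freshly installed Windows Server 2008 R2 system, an adapter named Local Area Connection (the default name on that release), and a placeholder time zone.

```powershell
# Added example (not course material): Exercise 1 post-installation tasks for HQDC01 on
# Windows Server 2008 R2. PowerShell 2.0 on that release has no Set-TimeZone,
# New-NetIPAddress or Rename-Computer cmdlets, so tzutil, netsh and WMI are used.
$Nic        = 'Local Area Connection'   # assumption: default adapter name in the lab VM
$IpAddress  = '10.0.0.11'
$SubnetMask = '255.255.255.0'
$Gateway    = '10.0.0.1'
$DnsServer  = '10.0.0.11'               # the future DC resolves names through itself
$NewName    = 'HQDC01'

# Task 1: time zone. Kerberos tolerates only a small clock skew, so settle this before
# the server becomes a DC. The zone below is a placeholder; use the one for your site.
tzutil /s 'Pacific Standard Time'

# Task 2: static IPv4 configuration (positional netsh syntax). A DC must not use DHCP,
# and its preferred DNS server is its own address once DNS is installed with AD DS.
netsh interface ipv4 set address "$Nic" static $IpAddress $SubnetMask $Gateway
netsh interface ipv4 set dnsservers "$Nic" static $DnsServer primary

# Task 3: rename the server. Win32_ComputerSystem.Rename returns 0 on success; the new
# name takes effect only after the restart in Task 4.
$rename = (Get-WmiObject Win32_ComputerSystem).Rename($NewName)
if ($rename.ReturnValue -ne 0) { throw "Rename failed with code $($rename.ReturnValue)" }

# Verification before rebooting: the adapter must hold the static address, DHCP must be
# off, and the preferred DNS server must be the server itself (Prepare topic, IP item).
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
       Where-Object { $_.IPAddress -contains $IpAddress }
if ($cfg -eq $null)                               { throw "Address $IpAddress is not bound to any adapter" }
if ($cfg.DHCPEnabled)                             { throw 'Adapter is still configured for DHCP' }
if ($cfg.DNSServerSearchOrder[0] -ne $DnsServer)  { throw 'Preferred DNS server is not the local address' }
Write-Host "Static IP $IpAddress, gateway $($cfg.DefaultIPGateway), DNS $($cfg.DNSServerSearchOrder -join ', ')"

# Task 4: restart so that the new computer name is applied.
Restart-Computer -Force
```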
Exercise 2: Install a New Windows Server 2008 R2 Forest
with the Windows Interface
Now that you have prepared the server with an appropriate name and IP
configuration, you are ready to configure HQDC01 as a domain controller. In this
exercise, you will add the AD DS role and create the forest and domain by
promoting HQDC01 to be the first domain controller in the contoso.com forest.
The main tasks for this exercise are as follows:
1. Add the Active Directory Domain Services role to HQDC01.
2. Configure a new Windows Server 2008 forest named contoso.com with
HQDC01 as the first domain controller.
3. Examine the default configuration of the contoso.com forest and domain.
(Optional)


Task 1: Add the Active Directory Domain Services role to HQDC01
1. Log on to HQDC01 as Administrator with the password Pa$$w0rd.
2. Using Server Manager, add the Active Directory Domain Services role, and
then accept all defaults.

Task 2: Configure a new Windows Server 2008 R2 forest named
contoso.com with HQDC01 as the first domain controller
1. In Server Manager, expand the Roles node in the tree pane, and then select
Active Directory Domain Services.
2. Click the Run the Active Directory Domain Services Installation Wizard
(dcpromo.exe) link.
The Active Directory Domain Services Installation Wizard appears.
3. On the Welcome page, click Next.
4. On the Operating System Compatibility page, review the warning about the
default security settings for Windows Server 2008 domain controllers, and
then click Next.
5. On the Choose a Deployment Configuration page, select Create a new
domain in a new forest, and then click Next.
6. On the Name the Forest Root Domain page, type contoso.com, and then
click Next.
The system checks to ensure that the DNS and NetBIOS names are not already
in use on the network.
7. On the Set Forest Functional Level page, click Windows Server 2008, and
then click Next.
Each of the functional levels is described in the Details box. Choosing
Windows Server 2008 forest functional level ensures that all domains in the
forest operate at the Windows Server 2008 domain functional level, which
enables several new features provided by Windows Server 2008.
In a production environment, you would choose Windows Server 2008 R2
forest functional level, if you require the features of the Windows Server 2008
R2 functional level and if you do not add any domain controllers running
operating systems prior to Windows Server 2008 R2.
8. On the Set Domain Functional Level page, click Windows Server 2008, and
then click Next. The Additional Domain Controller Options page appears.
9. DNS Server is selected by default. The Active Directory Domain Services
Installation Wizard will create a DNS infrastructure during the AD DS
installation.
The first domain controller in a forest must be a global catalog server and
cannot be a read-only domain controller (RODC). Click Next.
A warning message states that a delegation for the DNS server cannot be
created.
In this exercise, you can ignore the error. Delegations of DNS domains will be
discussed later in this course. Click Yes to close the Active Directory Domain
Services Installation Wizard warning message.
10. On the Location for Database, Log Files, and SYSVOL page, accept the
default locations for the database file, the directory service log files, and the
SYSVOL files, and then click Next.
The best practice in a production environment is to store these files on three
separate volumes that do not contain applications or other files not related to
AD DS. This best-practice design improves performance and increases the
efficiency of backup and restore.
11. On the Directory Services Restore Mode Administrator Password page, type
Pa$$w0rd in both Password and Confirm Password boxes. Click Next.
In a production environment, you should use a strong password for the
Directory Services Restore Mode Administrator Password. Do not forget the
password you assign to the Directory Services Restore Mode Administrator.
12. On the Summary page, review your selections.
If any settings are incorrect, click Back to make modifications.
13. Click Next.
Configuration of AD DS begins. After several minutes of configuration, the
Completing the Active Directory Domain Services Installation Wizard page
appears.
14. Click Finish.
15. Click Restart Now.
The computer restarts.
16. Continue with Task 3 (Optional) or skip to Task 4.

Task 3: Examine the default configuration of the contoso.com forest
and domain (Optional)
1. Log on to HQDC01 as Contoso\Administrator with the password Pa$$w0rd.
The Windows desktop appears and, after a moment, Server Manager opens.
2. Expand the Roles node in the tree pane, and expand the Active Directory
Domain Services node.
3. Expand Active Directory Users and Computers and the contoso.com
domain node.
4. Click the Users container.
The users and groups you see are available to any computer in the domain. For
example, the domain's Administrator account can be used to log on to any
computer in the domain, by default, and the Domain Users group is a member
of the local Users group on each computer in the domain.
5. Click the Builtin container.
The groups you see are shared by and available to domain controllers, but not
to member servers or workstations. For example, members of the Backup
Operators group can perform backup and restore tasks on domain controllers
only, and the Administrators group in the Builtin container represents the
administrators of all domain controllers.
6. Click the Computers container.
Notice that it is empty. This is the default container for member servers and
workstations.
7. Click the Domain Controllers organizational unit (OU).
This is the OU into which domain controllers are placed. The computer object
for HQDC01 appears in this OU.


Results: In this exercise, you configured a single-domain forest named contoso.com
with a single domain controller named HQDC01.
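The promotion that Exercise 2 performs through the wizard, driven by dcpromo.exe's unattend mode (the Install and Configure a Domain Controller topic notes that the wizard and dcpromo.exe are the same tool), followed by the checks Task 3 makes by hand in the console. This is an added example, not course material; it assumes an elevated PowerShell prompt on HQDC01 after Exercise 1, the default paths under C:\Windows that the lab accepts, the [DCInstall] answer-file keys documented for dcpromo on Windows Server 2008 R2, and a constructed answer-file path.

```powershell
# Added example (not course material): unattended equivalent of Exercise 2, Tasks 1-3.
# Run as the local Administrator on HQDC01 after the Exercise 1 restart.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services      # Task 1: installs the role only; nothing is promoted yet

# Task 2: the wizard's answers as a dcpromo answer file. A single-quoted here-string keeps
# PowerShell from expanding the $$ in the lab password. Level 3 = Windows Server 2008,
# 4 = Windows Server 2008 R2 (only if no DC running an earlier release will ever join).
$AnswerFile = 'C:\dcpromo-contoso.txt'    # constructed path; removed right after use
@'
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetbiosName=CONTOSO
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=No
'@ | Set-Content -Path $AnswerFile -Encoding ASCII

dcpromo.exe /unattend:$AnswerFile
$rc = $LASTEXITCODE
Remove-Item $AnswerFile -Force            # the DSRM password must not stay on disk in clear text
# dcpromo returns 1-4 for success (with or without non-critical warnings / pending reboot)
# and higher values for failure; the detail is in %SystemRoot%\debug\dcpromo.log.
if ($rc -lt 1 -or $rc -gt 4) { throw "dcpromo failed with return code $rc; see $env:SystemRoot\debug\dcpromo.log" }
Restart-Computer -Force

# ---- After the reboot, as CONTOSO\Administrator: what Task 3 inspects in the console ----
Import-Module ActiveDirectory
$dc = Get-ADDomainController -Identity 'HQDC01'
if (-not $dc.IsGlobalCatalog) { Write-Warning 'The first DC of a forest must be a global catalog server' }
if ($dc.IsReadOnly)           { Write-Warning 'The first DC of a forest cannot be an RODC' }
Get-ADForest | Select-Object Name, ForestMode, RootDomain, GlobalCatalogs
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, DomainControllersContainer
# HQDC01's computer object should sit in the Domain Controllers OU, and the Computers
# container should still be empty.
Get-ADComputer -Filter * -SearchBase (Get-ADDomain).DomainControllersContainer | Select-Object Name
Get-ADComputer -Filter * -SearchBase (Get-ADDomain).ComputersContainer | Measure-Object | Select-Object Count
# Services a new DC must be running; ADWS is also what the Administrative Center needs.
Get-Service NTDS, DNS, Netlogon, Kdc, ADWS | Select-Object Name, Status
```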

Exercise 3: Raise Domain and Forest Functional Levels
In this exercise, you will raise the domain functional level to Windows Server 2008
R2 level.
The main tasks for this exercise are as follows:
1. Raise the domain functional level to Windows Server 2008 R2.
2. Raise the forest functional level to Windows Server 2008 R2.

Task 1: Raise the domain functional level to Windows Server 2008 R2
1. If necessary, log on to HQDC01 as Contoso\Administrator with the
password of Pa$$w0rd.
2. Open the Active Directory Domains and Trusts console.
3. Confirm that the current domain functional level is Windows Server 2008.
4. Raise the domain functional level to Windows Server 2008 R2.
Task 2: Raise the forest functional level to Windows Server 2008 R2
1. In the Active Directory Domains and Trusts console, raise the forest
functional level to Windows Server 2008 R2.
2. Close Active Directory Domains and Trusts.


Results: In this exercise, you raised the domain and forest functional levels to Windows
Server 2008 R2.
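Exercise 3 from PowerShell, with the preconditions that the Functional Levels topic states checked first: every domain controller must run Windows Server 2008 R2 before the domain level is raised, and every domain must be at that level before the forest level is raised. This is an added example, not course material; it assumes the Active Directory module on HQDC01 and an account in Domain Admins (domain mode) and Enterprise Admins (forest mode).

```powershell
# Added example (not course material): Exercise 3 with the pre-raise checks the Functional
# Levels topic describes. Raising a level cannot be undone, so the script fails closed.
Import-Module ActiveDirectory

function Assert-DomainReadyForLevel {
    param([string]$DomainName, [string]$RequiredOs = 'Windows Server 2008 R2')
    # Every DC must run the target release. OperatingSystem is the string each DC publishes
    # on its computer object, e.g. "Windows Server 2008 R2 Enterprise".
    $tooOld = Get-ADDomainController -Filter * -Server $DomainName |
              Where-Object { $_.OperatingSystem -notlike "$RequiredOs*" }
    if ($tooOld) {
        $tooOld | ForEach-Object { Write-Warning "$($_.HostName): $($_.OperatingSystem)" }
        throw "Domain $DomainName still has domain controllers below $RequiredOs"
    }
}

$domain = Get-ADDomain
$forest = Get-ADForest

# Task 1: domain functional level
Write-Host "Current domain mode: $($domain.DomainMode)"
Assert-DomainReadyForLevel -DomainName $domain.DNSRoot
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $domain.DistinguishedName -DomainMode Windows2008R2Domain -Confirm:$false
}

# Task 2: forest functional level. Every domain in the forest must already be at the
# Windows Server 2008 R2 domain level; in the lab there is only contoso.com.
foreach ($d in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $d).DomainMode
    if ($mode -ne 'Windows2008R2Domain') { throw "Domain $d is at $mode; raise it before the forest" }
}
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest -Confirm:$false
}

# Read back. Both levels are stored as msDS-Behavior-Version (4 = Windows Server 2008 R2):
# the domain level on the domain naming context, the forest level on the Partitions container.
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode
Get-ADObject $forest.PartitionsContainer -Properties 'msDS-Behavior-Version' |
    Select-Object -ExpandProperty 'msDS-Behavior-Version'
```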

To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-SVR-D in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lab Review
Question: What can you do with the Initial Configuration Tasks console?
Question: What must you do before starting the dcpromo wizard?
Question: Which tool is used to raise the domain functional level?


Module Review and Takeaways
Review Questions
1. What is the main difference between authentication and authorization?
2. Why is global catalog important in a multidomain environment?
3. Which tools can you use to install AD DS?
Common Issues Related to AD DS Installation
Issue                                                                   Troubleshooting Tip
Dcpromo wizard cannot perform installation of AD DS
You cannot start dcpromo.exe
You cannot raise forest to the Windows Server 2008 R2 functional level


Best Practices Related to AD DS
Use a strong password for Directory Service Restore Mode.
Make all domain controllers Global Catalog servers.
Use static IP addresses for domain controllers.

Tools
Tool: Server Manager
Use for: Add AD DS role
Where to find it: Administrative Tools

Tool: Initial Configuration Tasks
Use for: Perform post-installation tasks on Windows Server 2008 R2
Where to find it: Type Oobe.exe in the Run window

Tool: Dcpromo.exe
Use for: Installation of Active Directory Domain Services and making the server a domain controller
Where to find it: Type dcpromo.exe in the Run window, or use Server Manager to run the tool

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Administering Active Directory Securely and Efficiently 2-1
Module 2
Administering Active Directory Securely and
Efficiently
Contents:
Lesson 1: Work with Active Directory Administration Tools 2-4
Lesson 2: Custom Consoles and Least Privilege 2-14
Lab A: Administering Active Directory Using Administrative Tools 2-25
Lesson 3: Find Objects in Active Directory 2-36
Lab B: Find Objects in Active Directory 2-53
Lesson 4: Use Windows PowerShell to Administer Active Directory 2-62
Lab C: Use Windows PowerShell to Administer Active Directory 2-81

Module Overview
Most administrators first experience Active Directory by opening Active Directory Users and Computers and creating user, computer, or group objects within the organizational units (OUs) of a domain. Unfortunately, many administrators never take the time to elevate their skill sets with the Active Directory administrative tools. Whether you are a new administrator or a seasoned veteran, you need to work securely and efficiently. Therefore, this module will share the secrets of effective administration that are often learned only after months or years of experience.

Objectives
After completing this module, you will be able to:
Describe and work with Active Directory administration tools.
Describe the purpose and functionality of custom consoles and least privilege.
Locate objects in Active Directory.
Administer Active Directory by using Windows PowerShell.

Lesson 1
Work with Active Directory Administration Tools
Active Directory administrative tools expose the functionality you require to support the directory service. In this lesson, you will identify and locate the most important Active Directory tools.
Objectives
After completing this lesson, you will be able to:
Identify the snap-ins within Server Manager and the native consoles used to administer Active Directory Domain Services (AD DS).
Perform administrative tasks by using the Active Directory Administrative Center.
Install the Remote Server Administration Tools (RSAT).
Perform administrative tasks by using Active Directory administrative tools.

MMC Console
Key Points
Many of the traditional Windows administrative tools share a common framework called Microsoft Management Console (MMC). MMC displays administrative tools, called snap-ins, in a customizable window with a left pane that displays the console tree (similar to the Windows Explorer tree) and a center pane that displays details. An Actions pane on the right exposes commands, called actions by the MMC.
The slide above shows the major components of MMC:
The console tree. The left pane that displays the console tree; also called the scope pane
The Show/Hide Console Tree button. Turns the console tree pane on and off
Snap-ins. Tools that provide administrative functionality
The details pane. Displays the details of the scope selected in the console tree
The Actions pane. Displays commands that can be performed on the scope selected in the console tree, or the item(s) selected in the details pane
The Action menu. Also displays commands that can be performed on the selected scope or items
The context menu (not shown). Appears when you right-click an item in the scope or details pane; a third location from which actions can be initiated
The Show/Hide Action Pane button. Turns the actions pane on and off

Question: What administrative consoles have you used that have one snap-in?
Question: What administrative consoles have you used that feature more than one
snap-in?

Active Directory Administration Snap-ins
Key Points
Most Active Directory administration is performed with the following snap-ins and consoles:
Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, computers, printers, and shared folders. This is likely to be the most heavily used snap-in for an Active Directory administrator.
Active Directory Sites and Services. This manages replication, network topology, and related services.
Active Directory Domains and Trusts. This configures and maintains trust relationships and the domain and forest functional level.
Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. It is the blueprint for Active Directory. It is rarely viewed and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.

2-8 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
What Is the Active Directory Administrative Center?
Key Points
Note: The content in this topic only applies to Windows Server 2008 R2.
Windows Server 2008 R2 provides another option for managing Active Directory
Domain Services (AD DS) objects. The Active Directory Administrative Center
provides a graphical user interface (GUI) built upon Windows PowerShell. This
enhanced interface allows you to perform Active Directory object management by
using task-oriented navigation. Tasks that can be performed by using the Active
Directory Administrative Center include:
Create and manage user, computer, and group accounts.
Create and manage organizational units.
Administering Active Directory Securely and Efficiently 2-9
Connect to and manage multiple domains within a single instance of the
Active Directory Administrative Center.
Search and filter Active Directory data by building queries.

Installation Requirements
The Active Directory Administrative Center can only be installed on computers
running Windows Server 2008 R2 and Windows 7. You can install the Active
Directory Administrative Center by using the following methods:
Install the Active Directory Domain Services (AD DS) server role through
Server Manager.
Promote a server to a domain controller by using Dcpromo.exe.
Install the Remote Server Administration Tools (RSAT) on a Windows Server
2008 R2 server or Windows 7.

Note: The Active Directory Administrative Center relies on the Active Directory Web Services
(ADWS) service, which must be installed on at least one domain controller in the domain.
The service also requires port 9389 to be open on the domain controller where ADWS is
running.
2-10 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Find Active Directory Administration Tools
Key Points
Active Directory snap-ins and consoles are installed when you add the AD DS role
to a server. Two commonly used Active Directory administrative tools are added to
Server Manager when you install the AD DS role: the Active Directory Users and
Computers snap-in and the Active Directory Sites and Services snap-in.
To administer Active Directory from a system that is not a domain controller, you
must install RSAT. RSAT is a feature that can be installed from the Features node of
Server Manager on Windows Server 2008.
RSAT can also be installed on Windows clients, including Windows Vista Service
Pack 1 (or later) and Windows 7. Simply download the RSAT installation files from
www.microsoft.com/downloads. The Setup Wizard will step you through the
installation. After you have installed RSAT, you must also turn on the tool or tools
you wish to have visible. To do this, use the Turn Windows Features On or Off
command in the Programs And Features application in Control Panel.
Administering Active Directory Securely and Efficiently 2-11
After it is installed and turned on, all Active Directory administrative consoles can
be found in the Administrative Tools folder, which itself is found in Control Panel.
In the classic view of Control Panel, you will see the Administrative Tools folder. In
the Control Panel Home view, administrative tools are found in System and
Maintenance.
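The topics above name three things an Active Directory Administrative Center or RSAT installation depends on: the RSAT Active Directory features being installed and turned on, the ADWS service running on at least one domain controller, and TCP port 9389 being reachable from the administering machine. The following script is an added example, not part of the course materials, that checks each of these. It assumes a Windows Server 2008 R2 machine with the ServerManager module, that the lab domain controller is NYC-DC1, and that the account running it may query services on that server; the feature names are whatever Get-WindowsFeature reports under RSAT-AD*.

```powershell
# Added example (not course code): check the prerequisites for the Active
# Directory Administrative Center and the ActiveDirectory PowerShell module.
# Assumptions: Windows Server 2008 R2 (ServerManager module), lab domain
# controller NYC-DC1, and rights to query services on it remotely.
param(
    [string]$DomainController = 'NYC-DC1'
)

# 1. Which RSAT Active Directory features are present on this server?
#    (Same information as the Features node of Server Manager; on Windows 7
#    use Turn Windows Features On or Off in Control Panel instead.)
Import-Module ServerManager
Get-WindowsFeature -Name 'RSAT-AD*' |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize

# 2. Is Active Directory Web Services running on the domain controller?
#    ADAC and the ActiveDirectory module talk to ADWS, not to LDAP directly.
#    ADWS ships with Windows Server 2008 R2 domain controllers; older
#    domain controllers need the separately downloaded Active Directory
#    Management Gateway Service to offer the same endpoint.
$adws = Get-Service -Name ADWS -ComputerName $DomainController -ErrorAction SilentlyContinue
if ($adws -eq $null) {
    Write-Warning "ADWS is not installed on $DomainController (or the server could not be queried)."
} elseif ($adws.Status -ne 'Running') {
    Write-Warning "ADWS is installed on $DomainController but its status is $($adws.Status)."
} else {
    Write-Host "ADWS is running on $DomainController."
}

# 3. Is TCP 9389 reachable from here? A host firewall rule or a network ACL
#    between the administrative workstation and the domain controller is the
#    usual reason ADAC cannot connect even though ADWS is running.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, 9389)
    Write-Host "TCP 9389 on $DomainController is reachable."
} catch {
    Write-Warning "Cannot reach TCP 9389 on $DomainController: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Run it from the machine where you intend to use the Administrative Center; the third check is the one that matters when the console is used from a workstation rather than on the domain controller itself.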

2-12 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Demonstration: Perform Administrative Tasks by Using
Active Directory Administration Tools
Key Points
Active Directory Users and Computers and the Active Directory Administrative
Center can both be used to perform administrative tasks. The following sections
provide information on performing tasks by using each tool.
Active Directory Users and Computers
Viewing Objects
The Active Directory Users and Computers snap-in displays the objects in the
container (domain, OU, or container) selected in the console tree.
Refreshing the View
The view is not refreshed automatically. If you want to see the latest changes to the
view of objects, select the container in the console tree and then either click the
Refresh button on the snap-in toolbar or press F5.
Administering Active Directory Securely and Efficiently 2-13
You must select the container in the console tree before clicking Refresh (or
pressing F5); clicking in an empty area of the details pane is not sufficient. This is a
quirk of the Active Directory Users and Computers snap-in.
Creating Objects
To create an object in Active Directory Users and Computers, right-click either the
domain, a container (such as Users or Computers), or an OU. Then, point to New
and click the type of object you want to create.
When you create an object, you are prompted to configure a few of the most basic
properties of the object, including the properties that are required for that type of
object.
Configuring Object Attributes
After an object has been created, you can access its properties. Right-click the
object, and then click Properties.
The Properties dialog that appears displays many of the most common properties
of the object. Properties are grouped on tabs, to make it easier to locate a specific
property.
You can configure as many properties as you want, on as many tabs as you want,
then click Apply or OK once to save all the changes. The difference between Apply
and OK is that the OK button closes the Properties dialog box, whereas Apply
saves the changes and keeps the dialog box open so that you can make additional
changes.
Viewing All Object Attributes
A user object has even more properties than are visible in its Properties dialog box.
Some of the so-called hidden properties can be quite useful to your enterprise. To
view these hidden user attributes, you must turn on the Attribute Editor, a new
feature in Windows Server 2008.
To turn on the Attribute Editor in the Active Directory Users and Computers snap-
in, click the View menu, and then select the Advanced Features option.

To open the Attribute Editor for a specific Active Directory object:
1. Right-click the object, and then click Properties.
2. Click the Attribute Editor tab.
The Attribute Editor tab of the Properties dialog box appears.
2-14 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
As you can see in the screen shot above, some attributes of a user object can be
quite useful, including division, employeeID, employeeNumber, and
employeeType. Although the attributes are not shown on the standard tabs of a
user object, they are now available through the Attribute Editor.
To change the value of an attribute, double-click the value.
The attributes can also be accessed programmatically with Windows PowerShell,
Windows Visual Basic Scripting Edition, or Microsoft .NET Framework.
Active Directory Administrative Center
Navigation
The Active Directory Administrative Center provides a navigation pane that can be
set as a List View and a Tree View. The List View displays three main nodes: an
Overview node, a domain node, and a Global Search node. The Tree View changes
the domain node to provide a view of the entire domain structure.
Performing Administrative Tasks
Administering Active Directory Securely and Efficiently 2-15
When the Overview node is selected, you can perform specific tasks such as Reset
Password, and Global Search. Reset Password provides the ability to enter a known
user name and reset the password, unlock the account, and configure the user to
change the password at the next logon. Global Search provides the ability to search
for objects based upon a domain scope or a Global Catalog scope.
Depending upon the object selected, you will be able to perform many related
tasks. For example, if a user object is selected, you can perform tasks such as reset
the password, add to a group, disable the account, move the account, delete the
account, locate the account, or open the Properties dialog box of the account.
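The hidden attributes that the Attribute Editor exposes, and the Reset Password, Global Search and object tasks that the Administrative Center offers, can all be driven from the ActiveDirectory module that the Administrative Center itself is built on. The following is an added example, not code from the course, of those operations in Windows PowerShell. It assumes the lab domain's DNS name is contoso.com (the course only says "Contoso"), that the logon names Pat.Coleman, Adam.Carter and Aaron.Con follow the display names used in the labs, that NYC-DC1 is a global catalog server, and that the OU distinguished names are as written; all of these are assumptions, not values from the course.

```powershell
# Added example (not course code): Attribute Editor and Administrative Center
# tasks performed with the ActiveDirectory module (RSAT on 2008 R2 / Windows 7).
# Assumed values: domain contoso.com, logon names derived from display names,
# OU paths, and NYC-DC1 acting as a global catalog.
Import-Module ActiveDirectory

$user = 'Pat.Coleman'

# --- Viewing hidden attributes (Attribute Editor equivalent) ------------------
# Get-ADUser returns only a default property set; extended attributes such as
# division or employeeID must be requested by name.
Get-ADUser -Identity $user -Properties division, employeeID, employeeNumber, employeeType |
    Select-Object SamAccountName, division, employeeID, employeeNumber, employeeType

# --- Changing an attribute value (the double-click in the Attribute Editor) --
# Run once with -WhatIf to see the intended change without writing it:
#   Set-ADUser -Identity $user -Replace @{ division = '6425C' } -WhatIf
Set-ADUser -Identity $user -Replace @{ division = '6425C' }

# --- Reset Password task (Overview node) -------------------------------------
# Prompt for the password so it never appears in a script file or history.
$newPassword = Read-Host -Prompt "New password for $user" -AsSecureString
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
Unlock-ADAccount -Identity $user
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# --- Object tasks: move, set a property, disable -----------------------------
$employeesOU = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumed DN
Get-ADUser -Identity 'Adam.Carter' | Move-ADObject -TargetPath $employeesOU
Set-ADUser -Identity 'Adam.Carter' -Title 'Manager'
Disable-ADAccount -Identity 'Aaron.Con'

# --- Global Search: domain scope versus Global Catalog scope -----------------
# The domain-scoped query reads one domain partition. Pointing at port 3268
# on a global catalog server searches the partial attribute set of the whole
# forest, which is what the Global Catalog scope in the Administrative Center does.
$filter = "givenName -like 'Ada*' -or sn -like 'Ada*'"
Get-ADObject -Filter $filter -SearchBase 'DC=contoso,DC=com'          # domain scope
Get-ADObject -Filter $filter -Server 'NYC-DC1.contoso.com:3268'       # GC scope
```

Each cmdlet supports -WhatIf, so a task can be rehearsed before it is written to the directory; the module needs ADWS on a reachable domain controller, the same dependency the Administrative Center has.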
2-16 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lesson 2
Custom Consoles and Least Privilege
In this lesson, you will go beyond the Administrative Tools folder to work more
securely and efficiently. You will learn how to build customized administrative
consoles and how to work in a least privilege environment, in which you are
logged on as a non-administrative user, but perform administrative tasks as an
administrator.
Objectives
After completing this lesson, you will be able to:
Create a custom MMC console for administration.
Perform administrative tasks while logged on as a user.

Administering Active Directory Securely and Efficiently 2-17
Demonstration: Create a Custom MMC Console for
Administering Active Directory
Key Points
It's easier to administer Windows when the tools you need are in one place and
can be customized to meet your needs. This is achieved by creating a customized
MMC administrative console that contains the snap-ins you need to perform your
administrative tasks. When you create a customized MMC console, you can:
Add multiple snap-ins so that you do not have to switch between consoles to
perform your job tasks, and you only have to run one console to perform any
of your administrative tasks.
Save the console so it can be used regularly.
Distribute the console to other administrators.
Save the console, and other consoles, to a shared location for unified,
customized administration.

2-18 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
To create a customized MMC console:
1. Click Start. Then, in the Start Search box, type mmc.exe, and then press
ENTER.
2. Click the File menu, and then click Add/Remove Snap-ins.

The Add/Remove Snap-ins dialog box allows you to add, remove, reorder, and
manage the console's snap-ins.
After you have installed RSAT, all four Active Directory management snap-ins are
installed; however, the Active Directory Schema snap-in will not appear in the
Add/Remove Snap-ins dialog box until after you have registered the snap-in.
To register Active Directory Schema:
1. Open a command prompt by clicking Start, typing cmd.exe, and pressing
ENTER.
2. Type regsvr32.exe schmmgmt.dll, and then press ENTER.

Question: Have you built a custom MMC console?
Question: What snap-ins have you found useful?
Question: Why did you build your own console?



Administering Active Directory Securely and Efficiently 2-19
Secure Administration with Least Privilege,
Run As Administrator, and User Account Control
Key Points
Many administrators log on to their computer by using their administrative
accounts. This practice is dangerous because an administrative account has more
privileges and access to more of the network than a standard user account.
Therefore, malware that is run with administrative credentials can cause significant
damage.
To avoid this problem, do not log on as an administrator. Instead, log on as a
standard user and use the Run As Administrator feature to start administrative
tools in the security context of an administrative account.
1. Right-click the shortcut for an executable, Control Panel applet, or MMC
console that you want to run, and then click Run as administrator. If you do
not see the command, try holding down the SHIFT key and right-clicking.
The User Account Control (UAC) dialog box appears, prompting for
administrative credentials.
2-20 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
2. Click Use another account.
3. Enter the user name and password of your administrative account.
4. Click OK.

Tip: If you will be running an application regularly as an administrator, you should create a new
shortcut that preconfigures Run As Administrator. Create a shortcut and open the
Properties dialog box for the shortcut. Click the Advanced button and select Run As
Administrator. When you run the shortcut, the User Account Control dialog box will
appear.

Administering Active Directory Securely and Efficiently 2-21
Demonstration: Secure Administration with User Account
Control and Run As Administrator
Key Points
When you run a process as an administrator, the administrative account may not
have access to the same locations that your user account does. Therefore, we
recommend that you save custom consoles in a location that is accessible to both
your user and your administrative accounts.
To run as an administrator:
1. Right-click the shortcut for an executable, Control Panel applet, or MMC
console that you want to run, and then click Run as administrator. If you do
not see the command, try holding down the SHIFT key and right-clicking.
The User Account Control dialog box appears, prompting for administrative
credentials.
2. Click Use another account.
3. Enter the user name and password of your administrative account.
4. Click Yes.
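The recommendation above, that a custom console live where both the everyday account and the administrative account can reach it, is easy to get wrong in the other direction: if the standard user can modify the .msc file, anything running as that user can change which snap-ins the elevated session opens. The script below is an added example, not course code, that creates the console folder used in Lab A, grants the standard account read access and the administrative account modify access, and then launches the console through the same UAC prompt as the Run as administrator command. It assumes the lab accounts CONTOSO\Pat.Coleman and CONTOSO\Pat.Coleman_Admin and the path C:\AdminTools\MyConsole.msc; the NetBIOS domain name CONTOSO is taken from the lab logon instructions.

```powershell
# Added example (not course code): a console location readable by the standard
# account, writable only by the administrative account, then an elevated launch.
# Assumed: CONTOSO\Pat.Coleman, CONTOSO\Pat.Coleman_Admin, C:\AdminTools\MyConsole.msc.
$folder       = 'C:\AdminTools'
$console      = Join-Path $folder 'MyConsole.msc'
$userAccount  = 'CONTOSO\Pat.Coleman'
$adminAccount = 'CONTOSO\Pat.Coleman_Admin'

if (-not (Test-Path $folder)) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# Build an explicit ACL: stop inheriting from C:\ so the folder does not pick up
# broad Users permissions, then grant exactly what each principal needs.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # protected, inherited ACEs dropped
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Id = $userAccount;             Rights = 'ReadAndExecute' },  # open and launch only
    @{ Id = $adminAccount;            Rights = 'Modify' },          # edit and save the console
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, $inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Show the result, the same information as the folder's Security tab.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Launch the console elevated. -Verb RunAs raises the UAC prompt; when the
# current logon is the standard user, the prompt asks for the administrative
# account's credentials, exactly as the Run as administrator shortcut command does.
if (Test-Path $console) {
    Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$console`"" -Verb RunAs
} else {
    Write-Warning "Save the console as $console first (Lab A, Exercise 2)."
}
```

Run the ACL part once as the administrative account; afterwards the standard account can launch the console but cannot alter it.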
2-22 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lab A: Administering Active Directory Using
Administrative Tools
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Administering Active Directory Securely and Efficiently 2-23
Domain: Contoso
5. Open Windows Explorer and browse to D:\Labfiles\Lab02a.
6. Right-click Lab02a_Setup.bat, and then click Run as administrator.
A User Account Control dialog box appears.
7. Click Yes.
8. The lab setup script runs. When it is complete, press any key to continue.
9. Close the Windows Explorer window.

Lab Scenario
In this lab, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd.
You are responsible for a variety of Active Directory support tasks, and you have
found yourself constantly opening multiple consoles from the Administrative Tools
folder in Control Panel. You have decided to build a single console that contains all
the snap-ins you require to do your work. Additionally, the Contoso, Ltd. IT
security policy is changing, and you will no longer be permitted to log on to a
system with credentials that have administrative privileges, unless there is an
emergency. Instead, you are required to log on with nonprivileged credentials.

2-24 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 1: Perform Basic Administrative Tasks Using
Administrative Tools
In this exercise, you will perform basic administrative tasks in the Active Directory
Users and Computers snap-in.
The main tasks for this exercise are as follows:
1. View and create objects by using Active Directory Users and Computers.
2. Perform tasks by using Active Directory Administrative Center.

Task 1: View and create objects by using Active Directory Users and
Computers.
1. Open Active Directory Users and Computers from the Administrative Tools
folder.
2. Look at the objects in the User Accounts\Employees OU.
3. Create a new OU in the Employees OU called FullTime.
5. Select the Employees OU and then open the properties of Pat Coleman.
6. Configure the Office attribute on the General tab to Redmond.
7. Confirm that the Attribute Editor tab is not visible in the Properties dialog
box of Pat Coleman, and that there is no input control for the division
property on any of the tabs.
8. Turn on the view of Advanced Features for the Active Directory Users and
Computers snap-in.
9. View the Attribute Editor for Pat Coleman.
10. Change Pat Coleman's division attribute to 6425C.
11. Close Active Directory Users and Computers.

Task 2: Perform tasks by using Active Directory Administrative Center.
1. Open the Active Directory Administrative Center from the Administrative
Tools folder.
2. Navigate to the User Accounts\Contractors OU and move Adam Carter to
the User Accounts\Employees OU.
3. In the Contractors OU, disable the Aaron Con user account.
Administering Active Directory Securely and Efficiently 2-25
4. In the User Accounts\Employees OU, open the Properties of Adam Carter
and configure Job Title to be Manager.
5. Close the Active Directory Administrative Center.

Results: After completing this exercise, you will have experienced the fundamentals of
administration by using the Active Directory Users and Computers snap-in and the
Active Directory Administrative Center.
2-26 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 2: Create a Custom Active Directory Administrative
Console
In this exercise, you will create a single, custom administrative console that
contains all the snap-ins you need to do your work.
The main tasks for this exercise are as follows:
1. Create a custom MMC console with the Active Directory Users and Computers
snap-in.
2. Add other Active Directory snap-ins to the console.
3. Add the Active Directory Schema snap-in to a custom MMC console.
4. Manage snap-ins in a custom MMC console (optional).

Task 1: Create a custom MMC console with the Active Directory Users
and Computers snap-in.
1. On NYC-DC1, open an empty MMC console and maximize it.
2. Add the Active Directory Users and Computers snap-in.
3. Save the console. Create a new folder called C:\AdminTools and save the
console in that folder as MyConsole.msc.

Task 2: Add other Active Directory snap-ins to the console.
1. Add the Active Directory Sites and Services and Active Directory Domains
and Trusts snap-ins list to your console.
2. Rename the console root Active Directory Administrative Tools.
3. Save the console.

Administering Active Directory Securely and Efficiently 2-27
Task 3: Add the Active Directory Schema snap-in to a custom MMC
console.
1. Confirm that Active Directory Schema is not listed as an available snap-in in
the Add or Remove Snap-ins dialog box.
The Active Directory Schema snap-in is installed with the Active Directory
Domain Services role, and with the RSAT, but it is not registered, so it does not
appear.
2. In the Start menu, browse to the Accessories group, right-click Command
Prompt, and then click Run as administrator.
3. In the command prompt, type the command, regsvr32.exe schmmgmt.dll.
This command registers the dynamic link library (DLL) for the Active
Directory Schema snap-in. You must perform this step at least once on a
system before you can add the snap-in to a console.
4. Close the Command Prompt window.
5. Add the Active Directory Schema snap-in to the console.
6. Save the console.

Results: After completing this exercise, you will have a custom MMC console with the
Active Directory Users and Computers, Active Directory Sites and Services, Active
Directory Domains and Trusts, and Active Directory Schema snap-ins.
2-28 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 3: Perform Administrative Tasks with Least
Privilege, Run As Administrator, and User Account Control
In this exercise, you will perform administrative tasks while logged on with
standard user credentials.
The main tasks for this exercise are as follows:
1. Log on with credentials that do not have administrative privileges.
2. Run Server Manager as an administrator.
3. Examine the credentials used by running processes.
4. Run the command prompt as an administrator.
5. Run Administrative Tools as an administrator.
6. Run a custom administrative console as an administrator.

Task 1: Log on with credentials that do not have administrative
privileges.
1. Log off from NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman, with the password, Pa$$w0rd.
Pat.Coleman is a member of Domain Users and has no administrative
privileges.
Administering Active Directory Securely and Efficiently 2-29
Task 2: Run Server Manager as an administrator.
1. Click the Server Manager icon in the Quick Launch, next to the Start button.
A User Account Control dialog box appears.
Because your user account is not a member of Administrators, the dialog box
requires you to enter administrative credentials: a user name and a password.
If you do not see the User Name and Password boxes, make sure that you are
logged on as Pat.Coleman, and not as Pat.Coleman_Admin.
2. Click Use another account, and then, in the User name box, type
Pat.Coleman_Admin.
3. In the Password box, type Pa$$w0rd, and then press ENTER.
Server Manager opens.

Task 3: Examine the credentials used by running processes.
1. Right-click the taskbar and click Start Task Manager.
2. Click the Processes tab.
3. Click Show processes from all users. Then, in the User Account Control
dialog box, authenticate as Pat.Coleman_Admin, with the password,
Pa$$w0rd.
Task Manager can run without administrative credentials, but it will show only
those processes running under the current user account. Therefore, the User
Account Control dialog box includes an option to authenticate by using the
same credentials with which you are logged on: Pat.Coleman.
4. Click the Processes tab and sort by User Name.
5. Locate the processes being run as Pat.Coleman and Pat.Coleman_Admin.

Question: Which processes are running as Pat.Coleman_Admin? What
applications do the processes represent?
2-30 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Task 4: Run the command prompt as an administrator.
1. Click Start, click All Programs, click Accessories, right-click Command
Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, authenticate as
Pat.Coleman_Admin, with the password, Pa$$w0rd.
The Administrator: Command Prompt window appears.
3. Close the Command Prompt window.
4. Click Start, and in the Start Search box, type cmd.exe, and then press
CTRL+SHIFT+ENTER.
In the Start Search box, the keyboard shortcut CTRL+SHIFT+ENTER runs the
specified command as an administrator.
5. In the User Account Control dialog box, authenticate as
Pat.Coleman_Admin, with the password, Pa$$w0rd.
The Administrator: Command Prompt window appears.

Task 5: Run administrative tools as an administrator.
1. Click the Show desktop icon in the notification area.
2. Click Start, point to Administrative Tools, right-click Active Directory
Administrative Center, and then click Run as administrator.
3. In the User Account Control dialog box, authenticate as
Pat.Coleman_Admin, with the password, Pa$$w0rd.

Administering Active Directory Securely and Efficiently 2-31
Task 6: Run a custom administrative console as an administrator.
You are beginning to see that it can become tedious to run as an administrator
each and every administrative tool that you require. One advantage of a custom
administrative console is that you can run the console, containing multiple snap-
ins, with a single Run As Administrator command.
1. Close all open windows on your desktop.
2. Run C:\AdminTools\MyConsole with administrative credentials. In the User
Account Control dialog box, authenticate as Pat.Coleman_Admin, with the
password, Pa$$w0rd.
3. Log off from NYC-DC1. Do not shut down or reset the virtual machine.

Results: After completing this exercise, you will have learned that by having a single,
custom administrative console, you make it easier for yourself to work securely. You
can log on to your computer with user (nonadministrative) credentials and run that
single console as an administrator.
Note: Do not shut down the virtual machines after you are finished with this lab
because the settings you have configured here will be used in Lab B.
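Two of the checks in this exercise, confirming whether a tool really runs elevated and seeing which account each process runs as (Task 3), can be made repeatable from a script rather than read off Task Manager. The following is an added example, not course code, that does both; it assumes the lab accounts Pat.Coleman (standard user) and Pat.Coleman_Admin (administrative account) and must itself be started with Run as administrator to see other users' processes.

```powershell
# Added example (not course code): verify elevation and list process owners.
# Assumed accounts: Pat.Coleman (standard user), Pat.Coleman_Admin (administrator).

function Test-IsElevated {
    # True when the current process token has the Administrators group enabled,
    # which is the case only after a Run as administrator launch that passed UAC.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProcessOwnerSummary {
    # Equivalent of Task Manager with 'Show processes from all users' sorted by
    # User Name. Win32_Process.GetOwner() reports the account of each process;
    # without an elevated token it fails for processes of other users.
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $owner = $_.GetOwner()
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(access denied)' }
        New-Object PSObject -Property @{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Account   = $account
        }
    } | Sort-Object Account, Name
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Running as $me; elevated: $(Test-IsElevated)"

# Only tools you started through Run as administrator should appear under the
# administrative account; everything else belongs to the standard logon. A process
# running as Pat.Coleman_Admin that you did not launch deliberately is worth a look.
Get-ProcessOwnerSummary |
    Where-Object { $_.Account -like '*Pat.Coleman*' } |
    Format-Table ProcessId, Name, Account -AutoSize
```

Run it twice, once from a normal PowerShell window and once from one opened with Run as administrator, to see the elevation flag change and the list of visible processes grow.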

2-32 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lab Review Questions
Question: Which snap-in are you most likely to use on a day-to-day basis to
administer Active Directory?
Question: When you build a custom MMC console for administration in your
enterprise, what snap-ins will you add?

Administering Active Directory Securely and Efficiently 2-33
Lesson 3
Find Objects in Active Directory
As the Active Directory database becomes populated with user, group, computer,
and other objects, it may become difficult to find a specific object or objects that
you want to modify. In this lesson, you will learn several ways to locate objects in
Active Directory.
Objectives
After completing this lesson, you will be able to:
Control the view of objects in the Active Directory Users and Computers snap-
in.
Locate objects in Active Directory.
Work with saved queries.

2-34 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Scenarios for Finding Objects in Active Directory
You have learned how to create objects in Active Directory. However, what good is
information in a directory service if you can't get it out of the directory? There are
many occasions on which you will need to locate objects in Active Directory:
Granting permissions. When you configure permissions for a file or folder, you
must select the group (or user) to which permissions should be assigned.
Adding members to groups. A group's membership can consist of users,
computers, groups, or any combination of the three. When you add an object
as a member of a group, you must select the object.
Creating links. Linked properties are properties of one object that refer to
another object. Group membership is, in fact, a linked property. There are
other linked properties, such as the Managed By attribute, that are also links.
When you specify the Managed By name, you must select the appropriate user
or group.
Looking up an object. You can search for any object in your Active Directory
domain.
Administering Active Directory Securely and Efficiently 2-35
There are many other situations that will require searching Active Directory. There
are several user interfaces that you will encounter. In this lesson, you'll learn some
tricks for working with each.
2-36 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Demonstration: Use the Select Users, Contacts, Computers,
Service Accounts, or Groups Dialog Box
When you add a member to a group, assign a permission, or create a linked
property, you are presented with the Select Users, Contacts, Computers, Service
Accounts, or Groups dialog box shown here.

Administering Active Directory Securely and Efficiently 2-37
If you know the names of the objects you need, you can type them directly into the
large text box. Multiple names can be entered, separated by semicolons, as shown
above.
When you click OK, Windows looks up each item in the list and converts it into a
link to the object, then closes the dialog box. The Check Names button also
converts each name to a link, but leaves the dialog box open.
You do not need to enter the full name; you can enter either the user's first name
or last name, or even just part of the first or last name. When you click OK or
Check Names, Windows will attempt to convert your partial name to the correct
object. If there is only one matching object, the names will be resolved.
If there are multiple matches, such as the name, Tony, you will be presented with
the Multiple Names Found box shown below. Select the correct name(s) and click
OK.
2-38 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
By default, the Select dialog box searches the entire domain. If you are getting too
many results and wish to narrow down the scope of your search, or if you need to
search another domain or the local users and groups on a domain member, click
Locations.
Additionally, the Select dialog box, despite its full name (Select Users, Contacts,
Computers, Services, or Groups), rarely searches all object types. For example,
when you add members to a group, computers are not searched by default. If you
enter a computer name, it will not be resolved correctly. When you specify the
name on the Managed By tab, groups are not searched by default. You must
ensure that the Select dialog box is scoped to resolve the types of objects you want
to select. Click the Object Types button and use the Object Types dialog box
shown below to select the correct types, and then click OK.

Administering Active Directory Securely and Efficiently 2-39
If you are having trouble locating the objects you want, click the Advanced button
on the Select dialog box. The advanced view, shown below, allows you to search
both name and description fields, and disabled accounts, non-expiring passwords,
and stale accounts that have not logged on for a specific period of time.
Some of the fields on the Common Queries tab may be disabled, depending on
the object type you are searching for. Click the Object Types button to specify
exactly the type of object you want.
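The searches the Select dialog box performs (partial-name resolution with its Multiple Names Found case, the Object Types and Locations scoping, and the Advanced view's disabled, non-expiring and stale account queries) map onto a handful of ActiveDirectory module cmdlets, which is useful when the same lookup has to be repeated or its results kept. The following is an added example, not course code, of each of them. It assumes the domain contoso.com (the course only names "Contoso"), the partial name Tony used on page 2-37, an OU path from the labs, and a 90-day threshold for stale accounts; the other-domain name is a placeholder.

```powershell
# Added example (not course code): the Select dialog box's searches as
# ActiveDirectory module queries. Assumed: domain contoso.com, OU paths from the
# labs, a 90-day inactivity threshold; 'other.example.com' is a placeholder.
Import-Module ActiveDirectory
$domainDN = 'DC=contoso,DC=com'

function Resolve-ADName {
    # Partial-name resolution the way Check Names does it: match the start of the
    # first name, last name or logon name. Several hits are the 'Multiple Names
    # Found' case, so the caller gets the candidates rather than an arbitrary pick.
    param([Parameter(Mandatory = $true)][string]$Partial)
    # The text is interpolated into a filter string, so allow only name characters.
    if ($Partial -notmatch '^[\w\.\- ]+$') { throw "Unsupported characters in '$Partial'" }
    $hits = @(Get-ADUser -Filter "givenName -like '$Partial*' -or sn -like '$Partial*' -or sAMAccountName -like '$Partial*'")
    switch ($hits.Count) {
        0       { Write-Warning "No object matches '$Partial'" }
        1       { $hits[0] }
        default { Write-Warning "Multiple names found for '$Partial':"
                  $hits | Select-Object Name, SamAccountName, DistinguishedName }
    }
}
Resolve-ADName -Partial 'Tony'

# Object Types: the group-membership dialog does not search computers by default,
# and the Managed By tab does not search groups. Query the class you mean.
Get-ADComputer -Filter "name -like 'NYC-*'" | Select-Object Name, DNSHostName
Get-ADGroup    -Filter "name -like 'Help*'" | Select-Object Name, GroupScope

# Locations: restrict the search to one OU, or direct it at another domain.
Get-ADUser -Filter * -SearchBase "OU=Contractors,OU=User Accounts,$domainDN" |
    Select-Object Name, SamAccountName
# Get-ADUser -Filter * -Server 'other.example.com'    # another domain (placeholder)

# Advanced view: disabled accounts, non-expiring passwords, stale accounts.
# These are the lists worth reviewing on a schedule; accounts that are unused
# or exempt from password expiry should be disabled or brought back into policy.
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object Name, SamAccountName
Get-ADUser -Filter { PasswordNeverExpires -eq $true } | Select-Object Name, SamAccountName
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Select-Object Name, SamAccountName, LastLogonDate
```

Search-ADAccount reads the lastLogonDate value that the Active Directory Administrative Center also shows, so the stale-account query agrees with what the Advanced view's "days since last logon" field returns for the same threshold.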

2-40 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Options for Locating Objects
Key Points
Although you can navigate through Active Directory and browse for an object, you
will often locate the object you need more quickly by sorting or searching. You can
use both the Active Directory Users and Computers and the Active Directory
Administrative Center to sort and search. Each of these options can help you locate
an object more quickly.


Demonstration: Control the View of Objects in Active Directory
Administrative Tools
Key Points
The details pane of the Active Directory Users and Computers snap-in and the
Active Directory Administrative Center can be customized to help you work
effectively with the objects in your directory. Use the Add/Remove Columns
command on the View menu (in Active Directory Users and Computers) or the
Select Columns command (in Active Directory Administrative Center) to add
columns to the details pane. Not every attribute is available to be displayed as a
column, but you are certain to find columns that will be useful to display. You
might also find columns that are unnecessary. If your OUs have only one type of
object (for example, user or computer), the Type column may not be helpful.
When a column is visible, you can change the order of columns by dragging the
column headings to the left or right. You can also sort the view in the details pane
by clicking the column heading: the first click will sort in ascending order, the
second in descending order, just like in Windows Explorer.
A common customization is to add the Last Name column to a view of users, so
that they can be sorted by last name. It is generally easier to find users by last name
than by the Name column, which is the common name (CN) and usually takes the
form first name followed by last name.
To add the Last Name column to the details pane in the Active Directory Users and
Computers console:
1. Click the View menu, and then click Add/Remove Columns.
2. In the Available columns list, click Last Name.
3. Click the Add button.
4. In the Displayed columns list, click Last Name, and then click Move Up two
times.
5. In the Displayed columns list, click Type, and then click Remove.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically
by last name.

To add the Last Name column to the details pane in the Active Directory
Administrative Center:
1. In the details pane, right-click a column heading, and then click Select
Columns.
2. In the Available Columns list, click Last Name.
3. Click the >> button.
4. In the Selected columns list, click Last Name, and then click Move Up two
times.
5. In the Selected columns list, click Type, and then click <<.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically
by last name.


Demonstration: Use the Find Command
Windows systems also provide the Active Directory query tool, which is known as
the Find box. One way to start the Find box is to click the Find Objects In Active
Directory Domain Services button in the Active Directory Users and Computers
snap-in. The button and the resulting Find box are shown in the following image.

Use the Find drop-down list to specify the type(s) of objects you want to query, or
select Common Queries or Custom Search. The In drop-down list specifies the
scope of the search. We recommend that whenever possible, you narrow the scope
of the search to avoid the performance impacts of a large, domain-wide search.
Together, the Find and the In lists define the scope of the search.
Next, configure the search criteria. Commonly used fields are available as criteria
based on the type of query you are performing. When you have specified your
search scope and criteria, click Find Now. The results will appear.
You can then right-click any item in the results list and choose administrative
commands such as Move, Delete, and Properties.

Determine Where an Object Is Located
Key Points
Sometimes, you may want to find an object by using the Find command, because
you don't actually know where the object is.
To determine where an object is located:
1. In Active Directory Users and Computers, click the View menu, and then select
Advanced Features.
2. Click the Find button, and then perform a search for the object.
3. Right-click the object, click Properties, and then click the Object tab.
4. The Canonical name of object shows you the path to the object, starting at
the domain.

Alternatively, in the Find dialog box, you can display the Published At column.
1. In the Find dialog box, click the View menu, and then click Choose Columns.
2. In the Columns Available list, click Published At, and then click Add.
3. Click OK.
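The Find dialog box's two scope controls and the location lookup above map directly onto parameters of the Active Directory module. The following block is an added example and is not part of the course: a PowerShell function, named by me, that searches for users by name prefix within a chosen container and scope and prints the container path taken from the canonical name, which is the same path the Object tab and the Published At column show. The OU path and the user names assume the Contoso lab domain; the empty search base for the global catalog search is how the module expresses a forest-wide query and is stated here as an assumption about that behavior.

```powershell
# Added example: a scoped Find with the container path of each hit.
Import-Module ActiveDirectory

function Find-ADUserScoped {
    param(
        [Parameter(Mandatory=$true)][string]$NameStartsWith,
        # Mirrors the "In" list. Default: the whole domain (a domain-wide Subtree search).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # OneLevel = this container only; Subtree = this container and everything below it.
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope = 'Subtree',
        # "Entire Directory" in the Find dialog is a global catalog search; reach it on port 3268.
        [switch]$EntireForest
    )
    # Double any single quote in the input so it cannot terminate the filter string.
    $prefix = $NameStartsWith -replace "'", "''"
    # A trailing wildcard stays index-friendly; a leading wildcard forces a full scan.
    $params = @{
        Filter      = "Name -like '$prefix*'"
        SearchBase  = $SearchBase
        SearchScope = $SearchScope
        Properties  = 'CanonicalName'
    }
    if ($EntireForest) {
        $params.Server     = "$((Get-ADForest).Name):3268"
        $params.SearchBase = ''   # assumed: empty base = every domain the GC holds
    }
    Get-ADUser @params | Select-Object Name, SamAccountName,
        @{ n = 'Location'; e = { $_.CanonicalName -replace '/[^/]+$', '' } },
        DistinguishedName
}

$employees = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumed lab OU

# Lab B, Task 3: the same name at three scopes; compare the counts.
# @() is required on PowerShell 2.0, where a single object has no Count property.
@(Find-ADUserScoped -NameStartsWith 'Dan' -SearchBase $employees -SearchScope OneLevel).Count
@(Find-ADUserScoped -NameStartsWith 'Dan').Count
@(Find-ADUserScoped -NameStartsWith 'Dan' -EntireForest).Count

# Lab B, Task 4: where do the two Pat Coleman accounts live?
Find-ADUserScoped -NameStartsWith 'Pat Coleman' | Format-Table Name, Location -AutoSize
```

Narrowing the search base is the scripted equivalent of the recommendation in the text: a Subtree search rooted at the domain touches every container, while a OneLevel search of one OU is answered from that container alone.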


Demonstration: Use Saved Queries
Key Points
Windows Server 2003 introduced the Saved Queries node of the Active Directory
Users and Computers snap-in. This powerful function allows you to create
rule-driven views of your domain, displaying objects across one or more OUs.
To create a saved query:
1. Open the Active Directory Users and Computers snap-in.
Saved queries are not available in the Active Directory Users and Computers
snap-in that is part of Server Manager. You must use the Active Directory Users
and Computers console or a custom console with the snap-in.
2. Right-click Saved Queries, point to New, and then click Query.
3. Enter a name for the query.
4. Optionally, enter a description.
5. Click Browse to locate the root for the query.
The search will be limited to the domain or OU you select. We recommend
that you narrow your search as much as possible, to improve search
performance.
6. Click Define Query to define your query.
7. In the Find dialog box, select the type of object you want to query.
The tabs in the dialog box and the input controls on each tab change to
provide options that are appropriate for the selected query.
8. Configure the criteria for your query.
9. Click OK.



After your query is created, it is saved within the instance of the Active Directory
Users and Computers snap-in. So, if you opened the Active Directory Users and
Computers console (dsa.msc), your query will be available the next time you open
the console. If you created the saved query in a custom console, it will be available
in that custom console. To transfer saved queries to other consoles or users, you
can export the saved query as an XML file, and then import it to the target snap-in.
The view of the saved query in the details pane can be customized as described
earlier, with specific columns and sorting. A very important benefit of saved
queries is that the customized view is specific to each saved query. When you add
the Last Name column to the normal view of an OU, the Last Name column is
actually added to the view of every OU, so you will see an empty Last Name
column even for an OU of computers or groups. With saved queries, you can add
the Last Name column to a query for user objects, and other columns for other
saved queries.
Saved queries are a powerful way to virtualize the view of your directory and to
monitor for issues such as disabled or locked accounts. Learning to create and
manage saved queries is a worthwhile use of your time.
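A saved query is stored as an LDAP filter evaluated under the query root you choose, and the same filters can be run from the Active Directory module, which is how you would turn the monitoring described above into a scheduled job. The following block is an added example and is not part of the course. It runs the filters behind the queries this module asks for: All User Objects and Non-Expiring Passwords from Lab B, Exercise 2, plus the disabled and locked account checks mentioned in the text. The bitwise matching-rule OID and the userAccountControl flag values are standard; the function and variable names are mine, and the lockout handling assumes the default domain policy rather than a fine-grained password policy.

```powershell
# Added example: the LDAP filters behind common saved queries, run from PowerShell.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND: "attribute:OID:=value" is true when every bit in value is set.
$BitAnd = '1.2.840.113556.1.4.803'
$UAC_ACCOUNTDISABLE     = 0x0002
$UAC_DONT_EXPIRE_PASSWD = 0x10000

# objectCategory=person excludes computer accounts, which are also objectClass=user.
$UserClass = '(&(objectCategory=person)(objectClass=user))'

$SavedQueries = @{
    'All User Objects'       = $UserClass
    'Disabled Accounts'      = "(&$UserClass(userAccountControl:$BitAnd:=$UAC_ACCOUNTDISABLE))"
    'Non-Expiring Passwords' = "(&$UserClass(userAccountControl:$BitAnd:=$UAC_DONT_EXPIRE_PASSWD))"
    'Locked Accounts'        = "(&$UserClass(lockoutTime>=1))"
}

function Test-StillLockedOut {
    param([long]$LockoutTime, [TimeSpan]$LockoutDuration)
    # lockoutTime is set when the account locks and is not cleared when the lockout
    # expires, so (lockoutTime>=1) also returns accounts that unlocked themselves.
    if ($LockoutTime -le 0) { return $false }
    $lockedAt = [DateTime]::FromFileTime($LockoutTime)
    # A zero, negative, or overlong duration means "until an administrator unlocks".
    if ($LockoutDuration.Ticks -le 0 -or $LockoutDuration -gt ([DateTime]::MaxValue - $lockedAt)) {
        return $true
    }
    return ($lockedAt + $LockoutDuration) -gt (Get-Date)
}

function Invoke-SavedQuery {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        # The query root from the Browse button: narrow it to an OU whenever you can.
        [string]$QueryRoot = (Get-ADDomain).DistinguishedName
    )
    $results = Get-ADObject -LDAPFilter $SavedQueries[$Name] -SearchBase $QueryRoot `
                            -Properties sAMAccountName, userAccountControl, lockoutTime
    if ($Name -eq 'Locked Accounts') {
        $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
        $results = $results | Where-Object {
            Test-StillLockedOut -LockoutTime $_.lockoutTime -LockoutDuration $duration
        }
    }
    $results | Select-Object @{ n = 'Query'; e = { $Name } }, Name, sAMAccountName, DistinguishedName
}

# The two queries Lab B, Exercise 2 asks for, plus the health checks the text mentions.
foreach ($q in 'All User Objects', 'Non-Expiring Passwords', 'Disabled Accounts', 'Locked Accounts') {
    $hits = @(Invoke-SavedQuery -Name $q)
    '{0,-24} {1,5}' -f $q, $hits.Count
}
Invoke-SavedQuery -Name 'Non-Expiring Passwords' | Format-Table Name, sAMAccountName -AutoSize
```

The Non-Expiring Passwords result deserves a regular review in production: every enabled account on that list is exempt from the domain password policy, so each one should be a documented service account or an exception with an owner.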

Demonstration: Find Objects by Using Active Directory
Administrative Center
Key Points
The Active Directory Administrative Center provides enhanced features for
performing searches throughout the infrastructure.
To perform a search by using the Active Directory Administrative Center:
1. Open the Active Directory Administrative Center.
2. In the navigation pane, click Global Search.
3. Enter the search criteria and scope.
4. Click Search.
You may also choose to save your query, which allows you to quickly reevaluate
your search criteria at any time.
Detailed Demonstration Steps
If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as
Pat.Coleman_Admin, with the password, Pa$$w0rd.
Create a saved query called Global Catalog servers that returns all Global
Catalog Servers in the domain.
1. In Active Directory Administrative Center, in the left-hand pane, click Global
Search.
2. In the Global Search pane, click Add criteria.
3. Select the check box next to Computers running as a given domain controller
type.
4. Click Add.
5. Click the Any domain controllers link and then choose Global catalogs.
6. Click Search.
Note that NYC-DC1 and BRANCHDC01 are the only Global Catalogs in the
Contoso domain.
7. Click the Save button.
8. In the text box, type Global Catalog Servers, and then click OK.
9. Click the Queries button to view the saved query.
10. Log off of NYC-DC1 when you are finished the demonstration.


Lab B: Find Objects in Active Directory
Lab Setup
The virtual machine should already be started and available after completing Lab
A. However, if it is not, you should start the virtual machine, complete the exercises
in Lab A, and then start Lab B.
Log on to NYC-DC1 as Pat.Coleman, with the password, Pa$$w0rd.
Lab Scenario
Contoso, Ltd. now spans five geographic sites around the world, with over 1,000
employees. Because your domain has become populated with so many objects, it
has become more difficult to locate objects by browsing. You are tasked with
defining the best practices for locating objects in Active Directory for the rest of the
team of administrators. You are also asked to monitor the health of certain types of
accounts.
Exercise 1: Find Objects in Active Directory
In this exercise, you will use several tools and interfaces that make it easier for you
to find an object in Active Directory.
The main tasks for this exercise are as follows:
1. Explore the behavior of the Select dialog box.
2. Control the view of objects in the Active Directory Users and Computers snap-
in.
3. Use the Find command.
4. Determine where an object is located.

Task 1: Explore the behavior of the Select dialog box.
The virtual machine should already be started and available after completing Lab
A. However, if it is not, you should start the virtual machine, complete the exercises
in Lab A, and then start Lab B.
1. On NYC-DC1, run your custom console, C:\AdminTools\MyConsole.msc as
an administrator with user name, Pat.Coleman_Admin, and the password,
Pa$$w0rd.
2. In the console tree, expand the Active Directory Users and Computers snap-
in, the Contoso.com domain, and the User Accounts OU, and then click the
Employees OU.
3. Right-click Pat Coleman, and then click Properties.
4. Click the Member Of tab.
5. Click Add.
6. In the Select Groups dialog box, type the name, Special.
7. Click OK. The name is resolved to Special Project.
8. Click OK again to close the Properties dialog box.
9. In the console tree, expand the Groups OU, and then click the Role OU.
10. In the details pane, right-click the Special Project group, and then click
Properties.
11. Click the Members tab.
12. Click Add.
The Select Users, Contacts, Computers, Service Accounts, or Groups dialog
box appears.
13. Type linda;joan, and then click the Check Names button.
The Select dialog box resolves the names to Linda Mitchell and Joanna Rybka,
and underlines the names to indicate visually that the names are resolved.
14. Click OK.
15. Click Add.
16. Type carole, and then click OK.
The Select dialog box resolves the name to Carole Poland and closes. You see
Carole Poland on the Members list.
When you click the OK button, a Check Names operation is performed prior
to closing the dialog box. It is not necessary to click the Check Names button
unless you want to check names and remain in the Select dialog box.
17. Click Add.
18. Type tony;jeff, and then click OK.
Because there are multiple users matching tony, the Multiple Names Found
box appears.
19. Click Tony Krijnen, and then click OK.
Because there are multiple users matching jeff, the Multiple Names Found
box appears.
20. Click Jeff Ford, and then click OK. Click OK to close the Special Project
Properties dialog box.
Whenever there is more than one object that matches the information you
enter, the check names operation will give you the opportunity to choose the
correct object.
21. In the console tree, click the Application OU under the Groups OU.
22. In the details pane, right-click the APP_Office group, and then click
Properties.
23. Click the Members tab.
24. Click Add.
25. In the Select dialog box, type NYC-CL1.
26. Click Check Names.
A Name Not Found dialog box appears, indicating that the object you
specified could not be resolved.
27. Click Cancel to close the Name Not Found box.
28. In the Select box, click Object Types.
29. Select the check box next to Computers, and then click OK.
30. Click Check Names.
The name will resolve now that the Select box is including computers in its
resolution.
31. Click OK.
32. Click OK to close the APP_Office Properties dialog box.

Task 2: Control the view of objects in the Active Directory Users and
Computers snap-in.
1. In the console tree, expand the contoso.com domain and the User Accounts
OU, and then click the Employees OU.
2. Click the View menu, and then click Add/Remove Columns.
3. In the Available Columns list, click Last Name.
4. Click the Add button.
5. In the Displayed columns list, click Last Name and click Move Up two times.
6. In the Displayed columns list, click Type, and then click Remove.
7. Click OK.
8. In the console tree, expand the contoso.com domain and the User Accounts
OU, and then click the Employees OU.
9. In the details pane, click the Last Name column header to sort alphabetically
by last name.
10. Click the View menu, and then click Add/Remove Columns.
11. In the Available Columns list, click Pre-Windows 2000 Logon.
12. Click the Add button.
13. In the Displayed columns list, click Pre-Windows 2000 Logon, and then click
Move Up.
14. Click OK.
15. In the console tree, expand the contoso.com domain and the User Accounts
OU, and then click the Employees OU.

Task 3: Use the Find command.
1. In the console tree, expand the contoso.com domain and the User Accounts
OU, and then click the Employees OU.
2. Click the Find button in the toolbar.
3. In the Name box, type Dan, and then click Find Now.
4. How many items were found? Look at the status bar, at the lower part of the
Find Users, Contacts, and Groups window.
5. Click the In drop-down list, and then click Entire Directory.
6. Click Find Now.
7. How many items were found? Look at the status bar, at the lower part of the
Find Users, Contacts, and Groups window.
8. Close the Find Users, Contacts, and Groups dialog box.

Task 4: Determine where an object is located.
1. Turn on the view of Advanced Features for the Active Directory Users and
Computers snap-in.
2. Use the Find command to locate users in the domain whose names begin with
Pat.Coleman. You should see two results.
3. Use the properties of Pat Coleman (Admin) to determine where the user is
located in Active Directory.

Results: After completing this exercise, you will have learned that there are several
interfaces with which you perform searches against Active Directory, and you know
how to control the view in the Active Directory Users and Computers snap-in.

Exercise 2: Use Saved Queries
In this exercise, you will create saved queries with which administrative tasks can
be more efficiently performed.
The main tasks for this exercise are as follows:
1. Create a saved query that displays all domain user accounts.
2. Create a saved query that shows all user accounts with non-expiring
passwords.
3. Transfer a query to another computer.

Task 1: Create a saved query that displays all domain user accounts.
Create a saved query called All User Objects that shows all users in the
domain.

Task 2: Create a saved query that shows all user accounts with non-
expiring passwords.
Create a saved query called Non-Expiring Passwords that shows all users in
the domain whose passwords do not expire.
Note that for the purposes of maintaining a simple, single password for all
users in this course, all user accounts are configured so that passwords do not
expire. In a production environment, user accounts should not be configured
with non-expiring passwords.

Task 3: Transfer a query to another computer.
1. Export the Non-Expiring Passwords query to
C:\AdminTools\Query_NonExpPW.xml.
2. Delete the Non-Expiring Passwords query.
3. Import the C:\AdminTools\Query_NonExpPW.xml query.
4. Log off from NYC-DC1.

Results: After completing this exercise, you will have two saved queries. The first
query, All User Objects, demonstrates that a saved query can create a virtualized view
of your domain, allowing you to see objects that meet a set of criteria, regardless of
which OU those objects are in. The second query, Non-Expiring Passwords,
demonstrates that you can use saved queries to monitor the health of your
environment.

Note: Do not shut down the virtual machine after you are finished with this lab because the
settings you have configured here will be used in Lab C.

Lab Review Questions
Question: In your work, what scenarios require you to search Active Directory?

Question: What types of saved queries can you create to help you perform your
administrative tasks more efficiently?

Lesson 4
Use Windows PowerShell to Administer Active Directory
Windows PowerShell is quickly becoming the primary foundation for
administering a number of Microsoft server products. For example, products such
as Microsoft Exchange 2010 and Microsoft SQL Server 2008 use Windows
PowerShell for most, if not all, of the configuration and management tasks.
Windows Server 2008 R2 provides a number of enhancements to how PowerShell
can administer Active Directory.
After completing this lesson, you will be able to:
Describe Windows PowerShell.
Describe the requirements for using Windows PowerShell.
Describe how Windows PowerShell syntax works.
Describe Active Directory PowerShell cmdlets.
Use PowerShell cmdlets to perform administrative tasks in Active Directory.
What Is Windows PowerShell?
Key Points
Windows PowerShell is not just a scripting language. Windows PowerShell is an
engine designed to run commands that perform administrative tasks, such as
creating new user accounts, configuring services, deleting mailboxes, and so on.
Windows PowerShell provides many ways in which you can specify which
commands to run. You can, for example, manually type command names in a
command-line console window. You can also type commands in an integrated
scripting environment (ISE) that offers a more graphically rich command-line
environment. Windows PowerShell can also be integrated within an application,
allowing commands to run in response to user actions such as clicking buttons or
icons. You can also type a series of commands into a text file, and instruct the shell
to run the commands in that file.
In an ideal world, Windows PowerShell is a single, central source for
administrative functionality. Ideally, you may use a graphical user interface (GUI)
with buttons, icons, dialog boxes, and other elements that run Windows
PowerShell commands in the background. If the GUI does not allow you to
accomplish a task in exactly the way you want, you may choose to run those same
commands in the order and way you prefer, directly in the command-line console,
bypassing the GUI. Many Microsoft products are built in that exact way, including
Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. The Active
Directory Administrative Center in Windows Server 2008 R2 is also built in this
ideal way. Thus, you can choose to use a GUI that runs Windows PowerShell
commands in the background, or you can choose to run the commands directly in
the Windows PowerShell console or ISE.
This choice, to use commands directly or to have commands run for you as part of
a GUI, is part of what makes Windows PowerShell so compelling. With this shell,
Microsoft recognizes and acknowledges that some tasks are easier to do in a GUI,
especially tasks that you don't perform very often. A GUI can guide you through
complex operations, and can help you understand your choices and options more
easily. However, Microsoft also recognizes that a GUI can be inefficient for tasks
that you need to perform repeatedly, such as creating new user accounts. By
building as much administrative functionality as possible in the form of Windows
PowerShell commands, you can choose what's right for any given task: the ease of
use of a GUI, or the power and customization of a command-line shell.
Over time, Windows PowerShell may replace other low-level administrative tools
that you may have used. For example, Windows PowerShell can already supplant
Visual Basic Script Edition (VBScript), because the shell has access to the same
features that VBScript does, although, in many cases, the shell provides easier ways
to accomplish the same tasks. Windows PowerShell may also replace your use of
Windows Management Instrumentation (WMI). Although WMI remains very
useful, it can also be complex to use. Windows PowerShell can wrap task-specific
commands around underlying WMI functionality. You are technically still using
WMI, but doing so becomes easier because you can run an easier-to-use, task-based
command.
Installation Requirements for Windows PowerShell 2.0
Key Points
Windows PowerShell 2.0 is pre-installed by default in Windows Server 2008 R2
and Windows 7. In Windows Server 2008 R2, you can optionally install the
Windows PowerShell ISE, a graphically oriented shell environment.
Windows PowerShell 2.0 is also available as a Web download for Windows XP,
Windows Server 2003, Windows Vista, and Windows Server 2008. Windows
PowerShell v2 is included in the Windows Management Framework Core, which
also includes other related management technologies. The download can be found
at http://go.microsoft.com/fwlink/?LinkId=193574, and separate versions are
available for different operating systems and architectures (32-bit and 64-bit). The
download includes the Windows PowerShell ISE and the more traditional
command-line console.
Windows PowerShell v2 can be installed on the following operating systems:
Windows Server 2008 with Service Pack 1
Windows Server 2008 with Service Pack 2
Windows Server 2003 with Service Pack 2
Windows Vista with Service Pack 2
Windows Vista with Service Pack 1
Windows XP with Service Pack 3
Windows Embedded POSReady 2009
Windows Embedded for Point of Service 1.1
Windows PowerShell 2.0 requires Microsoft .NET Framework 2.0 with Service
Pack 1; and Windows PowerShell ISE requires Microsoft .NET Framework 3.5 with
Service Pack 1.
Note: The content in the following section only applies to Windows Server 2008 R2.
Active Directory Module for Windows PowerShell
Windows Server 2008 R2 includes the Active Directory Module for Windows
PowerShell. This module consolidates a group of cmdlets that are used to manage
AD DS domains, Active Directory Lightweight Directory Services (AD LDS)
configuration sets, and the Active Directory Database Mounting Tool.
The Active Directory module is installed when:
You install the AD DS or AD LDS server roles.
You run Dcpromo.exe.
You install Remote Server Administration Tools (RSAT) on Windows Server
2008 R2 or Windows 7.
Note: To use the Active Directory module to manage AD DS, the Windows Server 2008 R2
Active Directory Web Services (ADWS) service must be installed on at least one domain
controller in the domain.
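The ADWS requirement in the note is the most common reason the module fails on an otherwise healthy domain, and it is worth checking before anything else. The following block is an added example, not part of the course, that verifies the module is installed, asks the domain controller locator for a DC that advertises ADWS, confirms that the ADWS port (TCP 9389) is actually reachable through any host firewall, and then, as a first real query, lists the global catalog servers, which is the result the Active Directory Administrative Center demonstration earlier in this module produced by hand. The function name and output fields are mine; the domain defaults to the one the current session is logged on to.

```powershell
# Added example: confirm the module's prerequisites before troubleshooting an
# "Unable to find a default server with Active Directory Web Services running" error.
function Test-ADModulePrerequisites {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $moduleOk = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    if ($moduleOk) { Import-Module ActiveDirectory }

    # The module talks to a DC over Active Directory Web Services (TCP 9389), not LDAP.
    # -Discover with -Service ADWS asks the DC locator for a DC that advertises ADWS.
    $adwsDc = $null
    if ($moduleOk) {
        $adwsDc = Get-ADDomainController -Discover -DomainName $Domain -Service ADWS `
                                         -ErrorAction SilentlyContinue
    }
    $dcName = if ($adwsDc) { [string]($adwsDc.HostName | Select-Object -First 1) } else { $null }

    # Even when a DC advertises ADWS, a host firewall may still block 9389.
    $portOpen = $false
    if ($dcName) {
        $client = New-Object System.Net.Sockets.TcpClient
        try   { $client.Connect($dcName, 9389); $portOpen = $client.Connected }
        catch { $portOpen = $false }
        finally { $client.Close() }
    }

    # First real query: which DCs are global catalogs (the ADAC demonstration's result).
    $gcs = @()
    if ($portOpen) {
        $gcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $dcName |
                 ForEach-Object { $_.HostName })
    }

    New-Object PSObject -Property @{
        ModuleInstalled = $moduleOk
        AdwsServer      = $dcName
        AdwsPortOpen    = $portOpen
        GlobalCatalogs  = ($gcs -join ', ')
    } | Select-Object ModuleInstalled, AdwsServer, AdwsPortOpen, GlobalCatalogs
}

Test-ADModulePrerequisites | Format-List
```

If AdwsServer is empty, no Windows Server 2008 R2 domain controller is advertising ADWS, or the ADWS service is stopped on the ones that exist. If AdwsServer is set but AdwsPortOpen is false, the service is running and the DC locator found it, but something between you and that DC is dropping TCP 9389.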

Overview of the Windows PowerShell Syntax
Key Points
All Windows PowerShell cmdlets are used as verb-noun pairs. A hyphen (-)
without spaces separates the verb-noun pair, and the cmdlet nouns are always
singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the object
on which the cmdlet takes action. For example, in the Get-ADUser cmdlet, the
verb is Get, and the noun is ADUser. All cmdlets that manage a particular feature
share the same noun.
Using Cmdlets
Cmdlets also have named, positional, and switch parameters that you specify with
the cmdlet to modify its behavior or to provide additional information to control it.
You specify named parameters with additional information, such as the value you
want to set, and you define these values by using a specific name. You can use
positional parameters to supply values to the cmdlet based on the value's location,
rather than on a parameter name.
Most of the Active Directory cmdlets that retrieve objects (those that use Get as the
verb component of the cmdlet name) have defined a mandatory filter parameter.
You can specify * for this parameter, but you should generally specify more precise
criteria so that you are querying only those objects that you absolutely need.
The filter parameter of the Active Directory cmdlets accepts Windows
PowerShell-style criteria.
Get-ADUser -Filter 'Name -like "*SvcAccount"'
Get-ADUser -Filter {Name -eq "Adam Carter"}
Using Cmdlets Together
Pipelining is the process of chaining cmdlets so that the objects one cmdlet
outputs become the input of the next, which can filter, transform, or act on them.
To pipeline information from one cmdlet to another, specify the pipe character, a
vertical bar (|), between the cmdlets. You can pipeline more than two cmdlets; in
fact, you can chain as many as necessary to achieve the results you desire.
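The filter parameter and the pipeline are the two ideas this section introduces, and the safest way to learn them is a pipeline that retrieves, refines, and then acts with the change held back. The following block is an added example and is not part of the course. It wraps a server-side filter in a function (name mine) and then chains it into a modification that runs with -WhatIf. The department, office, and OU values are assumed for the Contoso lab domain; Lab C, Exercise 1 asks for the same department-and-office retrieval.

```powershell
# Added example: a pipeline that retrieves, refines, and acts, with the change held back by -WhatIf.
Import-Module ActiveDirectory

function Get-UsersByDepartmentAndOffice {
    param(
        [Parameter(Mandatory=$true)][string]$Department,
        [Parameter(Mandatory=$true)][string]$Office,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Double embedded single quotes so a value like O'Brien cannot break out of the filter.
    $dept = $Department -replace "'", "''"
    $off  = $Office -replace "'", "''"
    # Server-side filtering: the -Filter expression is translated to LDAP and evaluated by
    # the DC, so only matching objects cross the wire. Compare Get-ADUser -Filter * |
    # Where-Object ..., which pulls every user and filters on the client.
    Get-ADUser -Filter "Department -eq '$dept' -and Office -eq '$off' -and Enabled -eq `$true" `
               -SearchBase $SearchBase -Properties Department, Office, Description
}

# Stage 1: retrieve (department, office, and OU are assumed values for the Contoso lab).
$users = Get-UsersByDepartmentAndOffice -Department 'Research' -Office 'Seattle' `
             -SearchBase 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'

# Stage 2: refine on the client only for criteria the server cannot evaluate.
$missingDescription = $users | Where-Object { [string]::IsNullOrEmpty($_.Description) }

# Stage 3: act. Each object flows from the previous cmdlet into Set-ADUser's -Identity.
# -WhatIf prints what would change without committing it; drop it only after reviewing the list.
$missingDescription | Set-ADUser -Description 'Research, Seattle' -WhatIf

# Stage 4: the same idea as one interactive statement, here to summarize rather than modify.
Get-ADUser -Filter "Department -eq 'Research'" -Properties Office |
    Group-Object Office |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

The habit to take from this is the order of the stages: narrow on the server, refine on the client only when you must, and let -WhatIf show you the blast radius of a bulk change before you remove it.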

Windows PowerShell Cmdlets for Active Directory
Key Points
The following table lists various tasks that can be performed by using the Active
Directory module for Windows PowerShell.
Management Category: Task
User Management
    Creating a user
    Modifying an attribute for multiple users
    Setting profile attributes
    Renaming a user
    Finding and unlocking user accounts
    Enabling or disabling user accounts
Computer Management
    Joining a computer to a domain
    Adding or removing a computer account
    Resetting a computer account
    Modifying attributes of computer accounts
Group Management
    Creating a group
    Adding and removing members of a group
    Viewing the members of a group
    Changing the group scope or type
Organizational Unit Management
    Creating or deleting an OU
    Listing objects in an OU
    Assigning or removing a manager of an OU
    Moving the objects in an OU
Password Policy Management
    Creating and managing fine-grained password policies
    Modifying the default domain password policy
    Getting the resultant password policy for a user
Searching and Modifying Objects
    Searching the global catalog
    Importing objects by using a CSV file
    Exporting objects to a CSV file
    Searching for and restoring deleted objects
Forest and Domain Management
    Finding the domains in a forest
    Raising the functional level of the domain or forest
    Viewing the trusts for a domain
Domain Controller and Operations Master Management
    Finding the domain controllers for a domain
    Moving a domain controller to a different site
    Enabling and disabling the global catalog
    Managing operations master roles
Managed Service Account Management
    Creating or removing a managed service account
    Associating a managed service account with a computer
    Resetting the password of a managed service account

Note: The preceding table is only a subset of the full functionality that can be performed with
Windows PowerShell. For a full list, see http://technet.microsoft.com/en-
us/library/dd378937(WS.10).aspx
Demonstration: Manage Users and Groups by Using Windows PowerShell
Key Points
In this demonstration, your instructor will show you various tasks that can be
performed by using Windows PowerShell.
Demonstration Steps
1. Open the Active Directory Module for Windows PowerShell.
2. Perform the following tasks:
Create a new OU.
Create a new user.
Move a user to a new OU.
View group membership.
Add members to a group.
Set the password for a new user and enable the user account.
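The six demonstration tasks carried out as one script, added here as an example that is not part of the course material. The OU name "Demo Users", the user "Pat Demo" with logon name "PatD" are constructed values; the Sales group is the one used in Lab C, and the script runs in the Active Directory Module for Windows PowerShell against the lab domain.

```powershell
# Added example: the six demonstration tasks as one script.
# OU name, user name and logon name are constructed for illustration;
# the Sales group is the one used in Lab C.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$ouName  = 'Demo Users'
$ouDn    = "OU=$ouName,$($domain.DistinguishedName)"
$samName = 'PatD'

# 1. Create a new OU (New-ADOrganizationalUnit protects it from accidental
#    deletion by default).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Create a new user. Without -AccountPassword the account is created
#    disabled, which is what we want until a password has been set.
New-ADUser -Name 'Pat Demo' -SamAccountName $samName -GivenName 'Pat' -Surname 'Demo' `
    -UserPrincipalName "$samName@$($domain.DNSRoot)"

# 3. Move the user to the new OU.
$user = Get-ADUser -Identity $samName
Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDn

# 4. View group membership (only Domain Users at this point).
Get-ADPrincipalGroupMembership -Identity $samName | Select-Object Name, GroupScope

# 5. Add the user to a group.
Add-ADGroupMember -Identity 'Sales' -Members $samName

# 6. Set the password and enable the account. Read-Host -AsSecureString keeps
#    the password out of the command line and history; ChangePasswordAtLogon
#    forces the user to pick a password the administrator does not know.
Set-ADAccountPassword -Identity $samName -Reset `
    -NewPassword (Read-Host -AsSecureString 'Initial password')
Set-ADUser -Identity $samName -ChangePasswordAtLogon $true
Enable-ADAccount -Identity $samName

# Confirm the result.
Get-ADUser -Identity $samName -Properties MemberOf |
    Select-Object Name, DistinguishedName, Enabled, MemberOf
```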

Lab C: Use Windows PowerShell to Administer Active Directory
Lab Setup
The virtual machine should already be started and available after completing Lab
B. However, if it is not, you should start the virtual machine, complete the exercises
in Lab B, and then start Lab C.
Log on to NYC-DC1 as Contoso\Administrator, with the password, Pa$$w0rd.
Lab Scenario
Contoso, Ltd. is growing, and changes need to be made to objects in Active
Directory. You are an administrator of AD DS, and you know that it is easier to
view, create, delete, and modify objects by using Windows PowerShell.
2-70 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 1: Use Windows PowerShell to Administer Active
Directory
In this exercise, you will use Windows PowerShell to perform basic administrative
tasks.
The main tasks for this exercise are as follows:
1. List all commands in the Active Directory module.
2. Retrieve all users matching a specific department and office by using server-side filtering.
3. Reset user passwords and address information.
4. Disable users who belong to a specific group.
5. Discover any OUs that are not protected against accidental deletion.
6. Create a report showing all Windows Server 2008 R2 servers.

Note: Because of the complexity of the command-line requirements, the
workbook steps match the lab answer keys for this lab.
Task 1: List all commands in the Active Directory module.
1. On the Start menu of NYC-DC1, click All Programs, click Administrative
Tools, and then click Active Directory Module for Windows PowerShell.
2. In the PowerShell window, type the following command, and then press
ENTER.
Get-Command -Module ActiveDirectory

Task 2: Retrieve all users matching a specific department and office by
using server-side filtering.
1. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Get-ADUser -Full
2. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser
3. When you are prompted to enter a value for the Filter parameter, type the
following, and then press ENTER.
!?
4. After reviewing the help documentation for the Filter parameter, type the
following, and then press ENTER.
department -eq "Marketing"
5. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter 'department -eq "Marketing"'
6. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter '(department -eq "Marketing") -and (office -eq "London")'

Task 3: Reset user passwords and address information.
1. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter 'office -eq "New York"'
2. In the PowerShell window, type the following command, and then press
ENTER after each line.
Get-Help Read-Host -Full
Get-Help Set-ADAccountPassword -Full
3. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter 'office -eq "New York"' | Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString 'New password')
4. When prompted, enter the password, Pa$$w0rd1, and then press ENTER.
Pa$$w0rd1
5. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Get-ADUser -Parameter Properties
6. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter 'office -eq "New York"' -Properties Office,StreetAddress,City,State,Country,PostalCode | Format-Table SamAccountName,Office,StreetAddress,City,State,Country,PostalCode
7. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Set-ADUser -Full
8. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADUser -Filter 'office -eq "New York"' -Properties Office,StreetAddress,City,State,Country,PostalCode | Set-ADUser -Office Main -StreetAddress '2345 Main St.' -City Bellevue -State WA -Country US -PostalCode '95102'

Task 4: Disable users who belong to a specific group.
1. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Get-ADGroup -Full
2. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADGroup -Filter *

3. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADGroup -Identity Sales

4. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Get-ADGroupMember -Full
5. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADGroup -Identity Sales | Get-ADGroupMember
6. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Disable-ADAccount -Full
7. In the PowerShell window, type the following command, and then press
ENTER. Note that the error message referring to the Sales Managers group is
expected.
Get-ADGroup -Identity Sales | Get-ADGroupMember | Disable-ADAccount -WhatIf
8. In the PowerShell window, type the following command, and then press
ENTER. Note that the error message referring to the Sales Managers group is
expected.
Get-ADGroup -Identity Sales | Get-ADGroupMember | Disable-ADAccount

Task 5: Discover any OUs that are not protected against accidental
deletion.
1. In the PowerShell window, type the following command, and then press
ENTER.
Get-Help Get-ADOrganizationalUnit -Full
2. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion

3. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {-not $_.ProtectedFromAccidentalDeletion}
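Task 5 only lists the unprotected OUs. As an added example that is not part of the lab answer key, the function below goes one step further and turns protection on, with ShouldProcess support so that, as with Disable-ADAccount in Task 4, the change can be previewed with -WhatIf before it is applied. The function name Protect-UnprotectedOU is an assumption.

```powershell
# Added example: find OUs that are not protected from accidental deletion
# and, on request, protect them. Supports -WhatIf and -Confirm through
# ShouldProcess, so the change can be previewed before it is applied.
Import-Module ActiveDirectory

function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Root to search under; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        # With -WhatIf, ShouldProcess prints what would happen and returns $false.
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
                -ProtectedFromAccidentalDeletion $true
        }
        # Emit the OU either way so the caller gets a report of what was found.
        $ou | Select-Object Name, DistinguishedName
    }
}

# Preview only: nothing is changed, each candidate OU is listed.
Protect-UnprotectedOU -WhatIf

# Apply the change.
Protect-UnprotectedOU
```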

Task 6: Create a report showing all Windows Server 2008 R2 servers.
1. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion

2. In the PowerShell window, type the following commands, and then press
ENTER at the end of each line.
Get-Help ConvertTo-Html -Full
Get-Help Out-File -Full
3. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* -Fragment
4. In the PowerShell window, type the following command, and then press
ENTER.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* | Out-File C:\OSList.htm
5. In the PowerShell window, type the following command, and then press
ENTER.
C:\OSlist.htm

Results: After completing this exercise you should have successfully performed
administrative tasks using Windows PowerShell.

To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways
Review Questions
1. What are the four main snap-ins used for Active Directory administration?
2. Is the Active Directory Administrative Center based upon an MMC?
3. List some of the tasks that can be performed with Windows PowerShell.
Tools
Tool | Use for | Where to find it
Active Directory Users and Computers | Managing an Active Directory domain | Administrative Tools
Active Directory Administrative Center | Managing an Active Directory domain | Administrative Tools
Windows PowerShell | Managing an Active Directory domain | Administrative Tools

Content Specific to Windows Server 2008 R2
Windows Server 2008 R2 feature | Description
Active Directory Administrative Center | Used to manage Active Directory Domain Services
Active Directory Module for Windows PowerShell | Used to manage Active Directory Domain Services by using Windows PowerShell

Managing Users and Service Accounts 3-1
Module 3
Managing Users and Service Accounts
Contents:
Lesson 1: Create and Administer User Accounts 3-4
Lab A: Create and Administer User Accounts 3-29
Lesson 2: Configure User Object Attributes 3-35
Lab B: Configure User Object Attributes 3-51
Lesson 3: Automate User Account Creation 3-61
Lab C: Automate User Account Creation 3-70
Lesson 4: Create and Configure Managed Service Accounts 3-61
Lab D: Create and Configure Managed Service Accounts 3-70
Module Overview
In this module, you will learn to create and support user accounts. User accounts
stored in Active Directory Domain Services (AD DS) are the fundamental
components of identity. Because of their importance, knowledge of user accounts
and the tasks related to supporting them are critical aspects in administering the
accounts successfully in a Windows enterprise.
Managing an enterprise network brings with it a unique set of challenges related to
user management. Employees are hired, moved, married, and divorced, and many
eventually leave the organization. At times, employees forget their passwords or
lock out their accounts by logging on incorrectly.
Administrators must respond to all these events, and your ability to work
effectively with user accounts can make a big difference in your overall
productivity. This module begins with a discussion of options for creating user
accounts by using the Active Directory Users and Computers snap-in and
Windows PowerShell. This module also introduces several options for
automating the creation of users.
Of course, creating a user is only the first step in the life cycle of a user in a
domain. After creating the user, you must configure attributes that define both the
properties of the security principal (the account) and properties that define and
manage the user. You must also know how and when to administer the account: to
perform password resets and to unlock the account, for example. You must be able
to move the user between organizational units (OUs), and eventually, deprovision
the account by disabling or deleting it. This module will cover the procedures used
to support a user object through its life cycle: procedures you can perform by
using both the Windows interface and the command-line or automation tools.
Objectives
After completing this module, you will be able to:
Create and administer user accounts.
Configure the account-related properties of a user object.
Automate the creation of user accounts.
Create and administer managed service accounts.


Lesson 1
Create and Administer User Accounts
A user account is the cornerstone of identity and access (IDA) in AD DS.
Consistent, efficient, and secure processes regarding the administration of user
accounts are therefore the cornerstone of enterprise security management.
Objectives
After completing this lesson, you will be able to:
Create and configure the account-related properties of a user object.
Identify the purpose and requirements of user account attributes.
Perform common administrative tasks to support user accounts, including
password reset and account unlock.
Enable and disable user accounts.
Delete, move, and rename user accounts.

User Accounts
Key Points
User objects are often referred to as user accounts. However, when you look
closely, what you think of as an account (the user name, password, and perhaps
the security identifier (SID)) is just a subset of attributes of a user object. Active
Directory user objects include numerous attributes that are either only indirectly
related to the account (such as the profile path property), or are attributes of the
human being whom the account represents (such as the email address, phone
number, and manager properties).
User accounts, the actual account attributes of the user object, enable
authentication, which is the logon process during which the identity of the user is
validated by comparing the user's logon name and password. Then, after the user
logs on, the account SID is compared with permissions on resources that the user
attempts to access.
Note: Module 1 described the logon process, the generation of the security token that includes
the user's SID, and the mechanism through which permissions in an access control list
(ACL) are compared to the SIDs in the token to determine the level of access to a
resource.
A user account can be created and stored in Active Directory. A domain user
account enables logon to any computer in the domain, and access to resources
throughout the domain. Of course, both sets of activities are subject to the logon
rights, privileges, and permissions assigned to the account.
Although Active Directory accounts are the focus of this course, accounts can also
be stored in the local security accounts manager (SAM) database, enabling local
logon and access to local resources. Local user accounts are, for the most part,
beyond the scope of this course.
Create Users with Windows PowerShell
Key Points
Use the Active Directory Module for Windows PowerShell to create objects in
Active Directory. The New-ADUser command creates a user object and accepts
parameters that specify properties of the user. The following command shows the
basic parameters required to create a user account.
New-ADUser -Name <string> -SamAccountName <pre-Windows 2000 logon name> -AccountPassword (Read-Host -AsSecureString AccountPassword) -Enabled $true -ChangePasswordAtLogon $true
The -AccountPassword parameter specifies the password. If it is set to
Read-Host -AsSecureString AccountPassword, you are prompted for a user
password.
The -ChangePasswordAtLogon parameter specifies that the user must change the
password at next logon.
New-ADUser accepts a number of parameters that specify properties of the user
object.
The following command creates a user with some of the more important fields
populated.

New-ADUser -Name "Amy Strande" -SamAccountName "AmyS" -GivenName Amy `
  -Surname Strande -DisplayName "Amy Strande" `
  -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) `
  -Enabled $true -Path "OU=IT,DC=Contoso,DC=Com" `
  -Description "Vice President, IT" -ChangePasswordAtLogon $true
Most parameter names are self-explanatory: -EmailAddress, -ProfilePath, and
-Company, for example. Type Get-Help New-ADUser -Detailed or search the
Windows Server 2008 Help And Support Center for comprehensive
documentation of the New-ADUser parameters.
Additional Reading
Creating a user with Windows PowerShell:
http://technet.microsoft.com/en-us/library/dd378958(WS.10).aspx
Demonstration: Create a User Object
Key Points
A user object, often referred to as a user account, includes the user name and
password, which serve as the logon credentials for a user. A user object also
includes several other attributes that describe and manage the user.
You can use either the Active Directory Users and Computers console, or Active
Directory Administrative Center to create a user object.
To create a user object by using Active Directory Users and Computers, perform the
following steps:
1. Right-click the OU or container in which you want to create the user, point to
New, and then click User.
2. In the First name box, type the user's first name.
3. In the Initials box, type the user's middle initial(s).
Note that this property is, in fact, meant for the initials of a user's middle
name, not the initials of the user's first and last name.
4. In the Last name box, type the user's last name.
5. The Full name field is populated automatically. Make modifications to it if
necessary.
The Full name field is used to create several attributes of a user object, most
notably, the common name (CN) and display name properties. The CN of a
user is the name displayed in the details pane of the snap-in. It must be unique
within the container or OU. Therefore, if you are creating a user object for a
person with the same name as an existing user in the same OU or container,
you will need to enter a unique name in the Full name field.
6. In the User logon name box, type the name that the user will log on with, and
from the drop-down list, select the UPN Suffix that will be appended to the
user logon name following the @ symbol.
User names in Active Directory can contain some special characters (including
periods, hyphens, and apostrophes), which let you generate accurate user
names such as O'Hare and Smith-Bates. However, certain applications may
have other restrictions, so we recommend that you use only standard letters
and numerals until you have fully tested the applications in your enterprise for
compatibility with special characters in logon names.
The list of available UPN suffixes can be managed by using the Active
Directory Domains and Trusts snap-in. Right-click the root of the snap-in,
Active Directory Domains and Trusts, click Properties, and use the UPN
Suffixes tab to add or remove suffixes. The DNS name of your Active Directory
domain will always be available as a suffix and cannot be removed.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows
2000 logon name, often called the "downlevel" logon name. In the Active
Directory database, the name for this attribute is sAMAccountName.
8. Click Next.
9. Enter an initial password for the user in the Password and Confirm password
boxes.
10. Select User must change password at next logon.
We recommend that you always select this option so that the user can create a
new password unknown to the IT staff. Appropriate support staff can always
reset the user's password at a future date if they need to log on as the user or
access the user's resources. But only users should know their passwords on a
day-to-day basis.
11. Click Next.
12. Review the summary and then click Finish.
The New Object - User interface allows you to configure a limited number of
account-related properties, such as name and password settings. However, a user
object in Active Directory supports dozens of additional properties. These can be
configured after the object has been created.
1. Right-click the user object you created, and then click Properties.
2. Configure user properties.
3. Click OK.




Name Attributes
Key Points
There are several attributes related to the name of a user object and an account. It
is important to understand the distinctions between them.
A user's User logon name (pre-Windows 2000) is, behind the scenes, the
sAMAccountName attribute. It is also sometimes called the samid. It must be
unique for the entire domain.
The User logon name is the userPrincipalName (UPN) attribute. The UPN
consists of a logon name and a UPN suffix which is, by default, the DNS name
of the domain in which you create the object. The UPN must be unique for the
entire forest. Email addresses, which must be unique for the whole world,
certainly meet that requirement. Consider using email addresses as UPNs. If
your Active Directory domain name is not the same as your email domain
name, you must add the email domain name as an available UPN suffix. To do
this, open the Active Directory Domains and Trusts snap-in, right-click the root
of the snap-in, and then click Properties.
The Name of a user, which is shown in the first column in the details pane of
the Active Directory Users and Computers snap-in. This name is also
presented as Full Name in some interfaces, including the New Object - User
dialog box. It must be unique in the OU. The Name field is actually the
common name (CN), stored as the cn attribute. The cn must be unique in the
OU because it is the first element of the distinguished name (DN), the
distinguishedName attribute, which must be unique within the forest.
The display name is the displayName attribute that appears in the Microsoft
Exchange global address list (GAL). It can be easier to locate users in the GAL
if they are sorted by last name. Therefore, you can create a naming convention
for your organization that specifies that the displayName attribute takes the
LastName, FirstName syntax. There is no requirement for uniqueness of the
displayName attribute, although it is certainly easier to locate users in the GAL
if each has a unique display name.
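As an added example that is not from the course, the function below checks the three uniqueness rules described above before a user is created: sAMAccountName within the domain, UPN across the forest (queried through a global catalog), and cn within the target OU. The function name Test-NewUserNames and the sample values for Amy Strande are assumptions.

```powershell
# Added example: check the three naming rules described above before a user
# is created. The function name and the sample values are assumptions.
Import-Module ActiveDirectory

function Test-NewUserNames {
    param(
        [Parameter(Mandatory=$true)][string]$Name,               # becomes the cn
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$UserPrincipalName,
        [Parameter(Mandatory=$true)][string]$Path                # target OU (DN)
    )
    $problems = @()

    # Rule 1: sAMAccountName must be unique for the entire domain.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        $problems += "sAMAccountName '$SamAccountName' already exists in the domain"
    }

    # Rule 2: UPN must be unique for the entire forest. Query a global catalog
    # (port 3268) so users in the forest's other domains are included.
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    if (Get-ADObject -Server "$($gc):3268" -Filter "userPrincipalName -eq '$UserPrincipalName'") {
        $problems += "UPN '$UserPrincipalName' already exists in the forest"
    }

    # Rule 3: cn must be unique within the OU, because it is the first element
    # of the distinguished name.
    if (Get-ADObject -SearchBase $Path -SearchScope OneLevel -Filter "cn -eq '$Name'") {
        $problems += "Name '$Name' already exists in $Path"
    }

    # An empty result means all three names are free.
    return $problems
}

$result = @(Test-NewUserNames -Name 'Amy Strande' -SamAccountName 'AmyS' `
    -UserPrincipalName 'amy.strande@contoso.com' -Path 'OU=IT,DC=contoso,DC=com')
if ($result.Count -eq 0) { 'All names are available' } else { $result }
```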

Question: What do you do in your organization to ensure the uniqueness of name
attributes, and what naming conventions do you use?


Account Attributes
Key Points
On the Account tab of a user's Properties dialog box, you can find the attributes
that are directly related to the fact that a user is a security principal, meaning that it
is an identity to which permissions and rights can be assigned.
The following table summarizes the account attributes.
Property Description
Logon Hours Click Logon Hours to configure the hours during which a user is allowed to log on to the network.
Log On To Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface and corresponds to the userWorkstations attribute. You must have NetBIOS over TCP/IP enabled to use this feature, because it uses the computer name rather than the Media Access Control (MAC) address of its network card to restrict logon.
User Must Change Password At Next Logon Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive User Cannot Change Password option.
User Cannot Change Password Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting, because the two are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.
Store Password Using Reversible Encryption This option, which stores the password in Active Directory without using its powerful, nonreversible encryption hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored by using reversible encryption are similar to those stored as plaintext.
Smart Card Is Required For Interactive Logon Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system, and they provide an additional, physical identification component to the authentication process.
Account Is Trusted For Delegation This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multitier) application infrastructures.
Account Expires Use the Account Expires controls to specify when an account expires.
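An added example, not part of the course text: a report of enabled accounts whose Account-tab settings from the table above weaken password security or widen the account's reach (reversible encryption, non-expiring or not-required passwords, trusted for delegation). The function name Get-RiskyAccountSetting is an assumption.

```powershell
# Added example: list enabled accounts whose Account-tab settings weaken
# password security or widen their reach. Each check is a server-side filter
# on the extended properties the Active Directory module derives from
# userAccountControl.
Import-Module ActiveDirectory

function Get-RiskyAccountSetting {
    param(
        # Root to search under; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Each entry pairs a filter with the reason the setting is worth reviewing.
    $checks = @(
        @{ Filter = 'AllowReversiblePasswordEncryption -eq $true'; Reason = 'Password stored with reversible encryption' }
        @{ Filter = 'PasswordNeverExpires -eq $true';              Reason = 'Password never expires' }
        @{ Filter = 'PasswordNotRequired -eq $true';               Reason = 'Password not required' }
        @{ Filter = 'TrustedForDelegation -eq $true';              Reason = 'Account is trusted for delegation' }
    )

    foreach ($check in $checks) {
        # Only enabled accounts are interesting; disabled ones cannot log on.
        Get-ADUser -Filter "($($check.Filter)) -and (Enabled -eq `$true)" `
            -SearchBase $SearchBase -Properties AccountExpirationDate, Description |
            ForEach-Object {
                New-Object -TypeName PSObject -Property @{
                    SamAccountName = $_.SamAccountName
                    Finding        = $check.Reason
                    Expires        = $_.AccountExpirationDate
                    Description    = $_.Description
                }
            }
    }
}

Get-RiskyAccountSetting |
    Sort-Object SamAccountName, Finding |
    Format-Table SamAccountName, Finding, Expires, Description -AutoSize
```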


User Account Management
Key Points
After you have created a user account, there are a number of tasks that you perform
that are considered Account Management tasks. These tasks may include the
following:
Renaming a user account
Resetting a user password
Unlocking a user account
Disabling or enabling a user account
Moving a user account
Deleting a user account
Renaming a User Account
When a user account needs to be renamed, there can be one or more attributes you
must change.
To rename a user in the Active Directory Users and Computers snap-in, perform
the following steps:
1. Right-click the user, and then click Rename.
2. Type the new common name (CN) for the user, and press Enter.
The Rename User dialog box appears and prompts you to enter additional
name attributes.
3. Type the Full name (which corresponds to the cn and name attributes).
4. Type the First name and Last name.
5. Type the Display name.
6. Type the User logon name and User logon name (pre-Windows 2000).

Resetting a User Password
If the user forgets his or her password and attempts to log on, he or she will receive
a logon message.
Before the user can log on successfully, you will have to reset the password. You do
not need to know the user's old password to do so.
To reset a user's password in the Active Directory Users and Computers snap-in:
1. Right-click the user object, and then click Reset Password.
The Reset Password dialog box appears.
2. Enter the new password in both the New Password and Confirm Password
boxes.
It is a best practice to assign a temporary, unique, strong password for the
user.
3. Select the User Must Change Password At Next Logon check box.
It is a best practice to force the user to change the password at the next logon,
so that the user creates a password known only by the user.
4. Click OK.
5. Communicate the temporary password to the user in a secure manner.
You can also use the Set-ADAccountPassword PowerShell command to reset a
user's password. For example, the following command will reset Amy Strande's
password.
Set-ADAccountPassword -Identity 'CN=Amy Strande,OU=IT,DC=contoso,DC=com' -Reset -NewPassword (ConvertTo-SecureString 'Pa$$w0rd2' -AsPlainText -Force)

Unlocking a User Account
An Active Directory domain supports account lockout policies. A lockout policy is
designed to prevent an intruder from attempting to penetrate the enterprise
network by logging on repeatedly with various passwords until he or she finds a
correct password. When a user attempts to log on with an incorrect password, a
logon failure is generated. When too many logon failures occur within a specified
period of time, defined by the lockout policy, the account is locked out. The next
time the user attempts to log on, a notification clearly states the account lockout.
Note: You will learn to configure account lockout policies in Module 9.
Your lockout policy can define a period of time after which a locked-out account is
automatically unlocked. But when a user is trying to log on and discovers that he
or she is locked out, it is likely he or she will contact the help desk for support.
To unlock a user account in the Active Directory Users and Computers snap-in,
perform the following steps:
1. Right-click the user object, and then click Properties.
2. Click the Account tab.
3. Select the Unlock Account check box.

Windows Server 2008 also provides the option to unlock a user's account when
you choose the Reset Password command.
To unlock a user account while resetting the user's password, perform the
following step:
In the Reset Password dialog box, select the Unlock the user's account check
box.

Managing Users and Service Accounts 3-21
This method is particularly handy when a user's account is locked out because the
user did, in fact, forget the password. You can now assign a new password, specify
that the user must change the password at next logon, and unlock the user's
account in one dialog box.
Watch for drives mapped with alternate credentials: A common cause of account
lockout is a drive mapped with alternate credentials. If the password is changed,
and the Windows client attempts repeatedly to connect to the drive, that account
will be locked out.
To unlock a user account by using Windows PowerShell, you can use the following
command.
Unlock-ADAccount -Identity "cn=Amy Strande,ou=IT,dc=contoso,dc=com"
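The reset and unlock procedures above can be combined in one PowerShell function. The following is an added example and is not code from the course or from Microsoft. It assumes the Active Directory module for Windows PowerShell (RSAT) is loaded, that the session can reach a domain controller, and that the account running it holds the Reset Password and Unlock Account rights on the target users. Instead of a fixed value such as Pa$$w0rd2, it generates a random temporary password that meets the default complexity rule, forces a change at next logon, and unlocks the account. A second function lists the accounts that are currently locked out, reading from the PDC emulator, which is where lockouts are processed and where the bad-password count is highest because that attribute is not replicated. Reset-UserPassword, New-TemporaryPassword and Get-LockedOutAccount are this example's own names.

```powershell
# Added example, not part of the course text. Assumes the Active Directory
# module (RSAT) in a session that can reach a domain controller.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    # 16 characters from a 64-symbol alphabet, drawn from a cryptographic RNG.
    # 64 divides 256 evenly, so "byte mod 64" introduces no bias. Ambiguous
    # glyphs (l, o, I, O, 0, 1) are left out because the value is read aloud.
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*-='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Retry until the default domain complexity rule (three of: lower,
        # upper, digit, symbol) is certainly met; otherwise the reset fails.
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and $candidate -match '\d')
    $candidate
}

function Reset-UserPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Identity)   # sAMAccountName, DN, GUID or SID

    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password, require change at next logon, unlock')) {
        # -Reset sets the password administratively; the old one is not needed.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
        # Same as the "User must change password at next logon" check box
        # (pwdLastSet = 0), so the temporary value never becomes the real one.
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
        # Same as the "Unlock the user's account" check box; a no-op if not locked.
        Unlock-ADAccount -Identity $Identity
    }

    # Return what the help desk must pass to the user over a secure channel;
    # nothing else in this function records the plaintext value.
    [pscustomobject]@{
        Identity          = $Identity
        TemporaryPassword = $plain
        State             = Get-ADUser -Identity $Identity -Properties LockedOut, PasswordExpired |
                                Select-Object LockedOut, PasswordExpired
    }
}

function Get-LockedOutAccount {
    # Lockouts are processed on the PDC emulator, and badPwdCount is not
    # replicated, so query that DC for the count and the last bad attempt
    # (a drive mapped with stale alternate credentials is a typical source).
    $pdc = (Get-ADDomain).PDCEmulator
    Search-ADAccount -LockedOut -UsersOnly -Server $pdc | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Server $pdc `
            -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
            Select-Object SamAccountName, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount
    }
}

# Usage:
#   Reset-UserPassword -Identity Amy.Strande -WhatIf    # preview only
#   Reset-UserPassword -Identity Amy.Strande            # perform the reset
#   Get-LockedOutAccount | Format-Table -AutoSize
```

Run it with -WhatIf first; the function then only generates the password and reads the account state. The LastBadPasswordAttempt column is what you compare against the time the drive-mapping client last reconnected when you suspect the cause the course describes.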

Disabling and Enabling User Accounts
User accounts are security principals that can be given access to network
resources. Each user is a member of Domain Users and of the Authenticated Users
special identity. By default, each user account has at least read access to the
information stored in Active Directory. Therefore, it is important not to leave user
accounts open. That means you should configure password policies and auditing
(both discussed in other modules) and procedures to ensure that accounts are being
used appropriately.
If a user account is provisioned before it is needed, or if an employee will be absent
for an extended period of time, disable the account.
To disable an account in the Active Directory Users and Computers snap-in:
Right-click a user and then click Disable Account.
If an account is already disabled, the Enable Account command will appear when
you right-click the user.
To disable or enable a user account with Windows PowerShell, use the following
cmdlets.
Enable-ADAccount -Identity <name>
Disable-ADAccount -Identity <name>
Moving a User Account
To move a user object in the Active Directory Users and Computers snap-in,
perform the following steps:
1. Right-click the user, and then click Move.
2. Click the folder to which you want to move the user account, and then click
OK.

Alternatively, you can drag the user object to the destination OU.

Deleting a User Account
When an account is no longer necessary, you can delete it from your directory.
To delete a user account in Active Directory Users and Computers, perform the
following steps:
1. Select the user and press Delete; or right-click the user, and then click Delete.
You are prompted to confirm your choice because of the significant
implications of deleting a security principal.
2. Confirm the prompt.
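The disable, move and delete procedures above together form an account life-cycle policy of the kind used in Lab A. The following added example (not code from the course or from Microsoft) scripts that policy: one function disables the account, stamps the date into Description, and moves it to a retirement OU; a second lists the accounts whose stamp is older than the retention period so they can be reviewed before Remove-ADUser is run. It assumes the Active Directory module and an OU at the DN in $DisabledAccountsOU, which is a placeholder for your own; Disable-DepartedUser and Get-UsersDueForDeletion are this example's own names.

```powershell
# Added example, not part of the course text. Assumes the Active Directory
# module and a retirement OU at the DN below (placeholder; adjust for your domain).
Import-Module ActiveDirectory
$DisabledAccountsOU = 'OU=Disabled Accounts,DC=contoso,DC=com'

function Disable-DepartedUser {
    # Step 1 of the policy: disable, annotate, and move the account.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Identity)

    $user  = Get-ADUser -Identity $Identity -Properties Description
    $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"
    # Keep the old description, but put the date first so the retention
    # check below can parse it.
    $desc  = if ($user.Description) { "$stamp; $($user.Description)" } else { $stamp }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move to Disabled Accounts OU')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $desc
        # Move last: after the move the original DN no longer resolves.
        Move-ADObject -Identity $user -TargetPath $DisabledAccountsOU
    }
}

function Get-UsersDueForDeletion {
    # Step 2: disabled accounts whose stamp is older than the retention period.
    # whenChanged is deliberately not used; any later edit would reset it.
    param([int]$RetentionDays = 60)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $DisabledAccountsOU -Filter 'Enabled -eq $false' -Properties Description |
        ForEach-Object {
            if ($_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})') {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -le $cutoff) {
                    [pscustomobject]@{
                        SamAccountName = $_.SamAccountName
                        DisabledOn     = $disabledOn
                        DN             = $_.DistinguishedName
                    }
                }
            }
        }
}

# Usage:
#   Disable-DepartedUser -Identity Chris.Mayo -WhatIf
#   Get-UsersDueForDeletion | Format-Table -AutoSize
#   Get-UsersDueForDeletion | ForEach-Object { Remove-ADUser -Identity $_.DN -Confirm }
```

Remove-ADUser prompts for confirmation by default, matching the snap-in's behaviour described above, so the last usage line still requires an explicit answer per account.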


Lab A: Create and Administer User Accounts
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer and then browse to D:\Labfiles\Lab03a.
6. Run Lab03a_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab03a.


Lab Scenario
You are the administrator of Contoso, Ltd., an online university for adult
education. Two new employees have been hired: Chris Mayo and Amy Strande.
You must create accounts for these users. After some time, Chris Mayo leaves the
organization, and his account must be administered according to the company
policy for user account life-cycle management.

Exercise 1: Create User Accounts
In this exercise, you will create user accounts with both the Active Directory Users
and Computers snap-in and Windows PowerShell.
The main tasks for this exercise are as follows:
1. Create a user account with Active Directory Users and Computers.
2. Create a user account with Windows PowerShell.

Task 1: Create a user account with Active Directory Users and
Computers.
Run Active Directory Users and Computers with administrative credentials.
Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
Create a user account for Chris Mayo in the Employees OU.
First Name: Chris
Last Name: Mayo
User Logon Name: Chris.Mayo
User Logon Name (Pre-Windows 2000): Chris.Mayo
Password: Pa$$w0rd
Specify that the user must change the password at the next logon
Task 2: Create a user account with Windows PowerShell.
Run the Active Directory Module for Windows PowerShell with administrative
credentials. Use the account Pat.Coleman_Admin with the password
Pa$$w0rd.
At the PS prompt, create a user account for Amy Strande in the Employees
OU.
SamAccountName: Amy.Strande
First Name: Amy
Last Name: Strande
User Principal Name: Amy.Strande@contoso.com
Display Name: Strande, Amy
Description: Research Assistant
In Active Directory Users and Computers, open the properties of the user
account you just created and confirm that the attributes were set correctly.

Results: In this exercise, you created user accounts named Chris Mayo and Amy
Strande in the Employees OU.

Exercise 2: Administer User Accounts
In this exercise, you will perform common tasks that support user accounts
through their life cycle in Active Directory.
The main tasks for this exercise are as follows:
1. Administer a user account.
2. Administer the life cycle of a user account.

Task 1: Administer a user account.
The user account for Amy Strande is currently disabled because no password was
specified by using the PowerShell command.
1. What parameter should you have used with PowerShell to specify a password?
2. In Active Directory Users and Computers, reset the password for Amy
Strande to Pa$$w0rd, and specify that she must change the password at the
next logon.
3. In Active Directory Users and Computers, enable Amy Strande's user
account.
4. Which commands can you use in Windows PowerShell to reset the password,
specify that the password must be changed at the next logon, and enable the
account?
Task 2: Administer the life cycle of a user account.
The Contoso, Ltd. policy for the life cycle management of a user account states the
following:
When a user leaves the organization for any reason, including leave of
absence, the user's account must be disabled immediately and moved to
the Disabled Accounts OU.
Sixty days after the termination of a user, the user's account must be
deleted.
1. Chris Mayo has left Contoso, Ltd. Disable his account and move it to the
Disabled Accounts OU.
2. It has been 60 days since you disabled Chris Mayo and company procedures
specify that after 60 days, a disabled user account must be deleted. Delete the
user account for Chris Mayo.
3. Log off from NYC-DC1.

Results: In this exercise, you enabled Amy Strande's account and deleted Chris Mayo's
account.
Note: Do not shut down the virtual machine after you are finished with this lab because the
settings you have configured here will be used in Lab B.


Lab Review Questions
Question: In this lab, which attribute can be modified to prompt for the password
when you are creating a user account with Windows PowerShell?
Question: What happens when you create a user account that has a password that
does not meet the requirements of the domain?

Lesson 2
Configure User Object Attributes
Key Points
A user object in Active Directory is far more than just a handful of properties
related to the user's security identity, or account. A user object includes attributes
that describe the individual and his or her relationship with the organization, and
the contact information and configuration of the user's experience on his or her
computer. In this lesson, you will explore many of the more useful attributes of
user objects, and you will learn how to administer these attributes for one or more
users.
Objectives
After completing this lesson, you will be able to:
View and modify hidden attributes of user objects.
Identify the purpose and requirements of user object attributes.
Modify the attributes of multiple users, simultaneously.
Manage user attributes from Windows PowerShell.
Create users from user account templates.


B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

A Tour of User Attributes
Key Points
When you create a user with the New Object User Wizard of the Active Directory
Users and Computers snap-in, you are prompted for some common properties,
including logon names, passwords, and the user's first name and last name. A user
object in Active Directory, however, supports dozens of additional properties that
you can configure at any time with the Active Directory Users and Computers
snap-in.
To read and modify the attributes of a user object, right-click the user, and then
click Properties.
The attributes of a user object fall into several broad categories that appear on tabs
of the dialog box.
Account attributes: The Account tab. These properties include logon names,
passwords, and account flags. Many of these attributes can be configured
when you create a new user with the Active Directory Users and Computers
snap-in. The Account Properties section details the account attributes.
Personal information: The General, Address, Telephones, and
Organization tabs. The General tab contains the name properties that are
configured when you create a user object, along with the basic description and
contact information. The Address and Telephones tabs provide detailed
contact information. The Telephones tab is also where Microsoft chose to put
the Notes field, which corresponds to the info attribute and is a very useful
general-purpose text field that is underused by many enterprises. The
Organization tab shows the job title, department, company, and
organizational relationships.
User configuration management: The Profile tab. Here, you can configure
the user's profile path, logon script, and home folder.
Group membership: The Member Of tab. You can add the user to, and
remove the user from, groups and change the user's primary group. Group
memberships and the primary group will be discussed in another module.
Remote Desktop Services: The Remote Desktop Services Profile,
Environment, Remote control, Sessions, and Personal Virtual Desktop
tabs. These tabs enable you to configure and manage the user's experience
when the user is connected to a Remote Desktop Services session.
Remote access: The Dial-in tab. You can enable and configure remote access
permission for a user on the Dial-in tab.
Applications: The COM+ tab. This tab enables you to assign the user to an
Active Directory COM+ partition set. This feature facilitates the management of
distributed applications.

View All Attributes
Key Points
The Attribute Editor tab allows you to view and edit all attributes of a user object.
The Attribute Editor tab is not visible until you enable Advanced Features from
the View menu of the Microsoft Management Console (MMC).
The Attribute Editor displays all the system attributes of the selected object. The
Filter button enables you to choose to see even more attributes, including
backlinks and constructed attributes.
Backlinks are attributes that result from references to the object from other objects.
The easiest way to understand backlinks is to look at an example: the memberOf
attribute. When a user is added to a group, it is the group's member attribute that
is changed: The distinguished name of the user is added to this multivalued
attribute. Therefore, the member attribute of a group is called a forward link
attribute. A user's memberOf attribute is updated automatically by Active Directory
when the user is referred to by a group's member attribute. You do not ever write
directly to the user's memberOf attribute; it is dynamically maintained by Active
Directory.
A constructed attribute is the result of a calculation performed by Active
Directory. An example is the tokenGroups attribute. This attribute is a list of the
security identifiers (SIDs) of all the groups to which the user belongs, including
nested groups. To determine the value of tokenGroups, Active Directory must
calculate the effective membership of the user, which takes a few processor cycles.
Therefore, the attribute is not stored as part of the user object or dynamically
maintained. Instead, it is calculated when needed. Because of the processing
required to produce constructed attributes, the Attribute Editor tab does not
display them by default. They also cannot be used in Lightweight Directory Access
Protocol (LDAP) queries.
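To see the difference between a backlink and a constructed attribute in practice, the following added example (not code from the course or from Microsoft) reads tokenGroups and memberOf for one user and labels each group as direct, nested or primary. It assumes the Active Directory module; Get-EffectiveGroupMembership is this example's own function name.

```powershell
# Added example, not part of the course text. Assumes the Active Directory module.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembership {
    # tokenGroups is constructed: it is returned only when requested by name
    # and cannot be used in -Filter or in an LDAP query. memberOf is a backlink
    # that lists direct memberships only, so comparing the two shows which
    # groups the user holds through nesting or as the primary group.
    param([Parameter(Mandatory = $true)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties tokenGroups, memberOf, primaryGroupID
    $directSids = foreach ($dn in $user.memberOf) { (Get-ADGroup -Identity $dn).SID.Value }

    foreach ($entry in $user.tokenGroups) {
        # The module normally returns SecurityIdentifier objects; raw bytes are
        # handled too in case a module version hands those back.
        $sid = if ($entry -is [byte[]]) {
                   New-Object System.Security.Principal.SecurityIdentifier($entry, 0)
               } else { $entry }
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolvable SID)' }   # e.g. SID history or a foreign domain

        [pscustomobject]@{
            Name   = $name
            Sid    = $sid.Value
            Source = if ($directSids -contains $sid.Value) { 'memberOf (direct)' }
                     elseif ($sid.Value -like "*-$($user.primaryGroupID)") { 'primary group' }
                     else { 'nested' }
        }
    }
}

# Usage:
#   Get-EffectiveGroupMembership -Identity Tony.Krijnen | Sort-Object Source, Name | Format-Table -AutoSize
```

Rows marked nested are the ones an access review based on the Member Of tab alone would miss, which is why tokenGroups, despite its cost, is the attribute to read when you need a user's effective group set.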
Question: Are you using any of the hidden attributes in your organization? If so,
how do you read and modify those attributes?
Modify Attributes of Multiple Users
Key Points
The Active Directory Users and Computers snap-in enables you to modify the
properties of multiple user objects simultaneously.
To modify attributes of multiple users in the Active Directory Users and
Computers snap-in:
1. Select several user objects by holding the CTRL key as you click each user, or
by using any other multiselection technique.
Be certain that you select only objects of one class, such as users.
2. After you have multiselected the objects, right-click any one of them, and then
click Properties.

When you have multiselected the user objects, a subset of properties is available
for modification:
General: Description, Office, Telephone Number, Fax, Web page, and E-mail
Account: UPN suffix, Logon hours, Computer restrictions (logon
workstations), all Account options, and Account expires
Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and
Country/region
Profile: Profile path, Logon script, and Home folder
Organization: Job Title, Department, Company, and Manager

Modify User Attributes by Using Windows PowerShell
Key Points
The Get-ADUser and the Set-ADUser cmdlets can both be used to modify one or
more user objects.
For example, you can use the Get-ADUser cmdlet to specify an existing user (or
multiple users) and then pipe the results to the Set-ADUser cmdlet to modify
attributes. The syntax is shown as follows.
Get-ADUser UserName | Set-ADUser [-parameter value]
The UserName placeholder specifies the distinguished name of the user that will be
modified. The Set-ADUser parameters indicate the attributes to change and the
new values. For example, the following command changes the office attribute of
Tony Krijnen.
Get-ADUser Tony.Krijnen | Set-ADUser -Office "Stockholm"
Modifying Attributes for Several Users at Once
You can use the Get-ADUser cmdlet to view several users, based upon specific
criteria. To perform this task, you need to provide a filter parameter as follows.
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Production,DC=Contoso,DC=Com"
This command displays all users in the Production OU (the asterisk * matches any
name). You can then pipe this information to the Set-ADUser cmdlet to modify the
attributes as follows.
Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Production,DC=Contoso,DC=Com" | Set-ADUser -Department "Production" -Company "Contoso, Ltd"
This command modifies the department and company attributes for all users
located in the Production OU.
For a list of parameters that you can set by using the Set-ADuser cmdlet, refer to
the additional reading links in the student companion content.
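The following is an added example, not code from the course or from Microsoft, that generalises the filter-and-pipe pattern above: the attributes to change are given as LDAP names in a hashtable, so attributes that have no Set-ADUser parameter (such as info, the Notes field on the Telephones tab) are written through -Replace, an empty value clears an attribute through -Clear, users whose values already match are skipped, and -WhatIf previews the change. It assumes the Active Directory module and an OU at the DN shown in the usage call; Set-BulkUserAttributes is this example's own name.

```powershell
# Added example, not part of the course text. Assumes the Active Directory module.
Import-Module ActiveDirectory

function Set-BulkUserAttributes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,    # DN of the OU to scope to
        [string]$Filter = '*',                                 # any Get-ADUser -Filter expression
        [Parameter(Mandatory = $true)][hashtable]$Attributes   # LDAP name -> new value ('' clears)
    )
    $names = [string[]]$Attributes.Keys
    # Read the current values once, so only real changes are written and the
    # report shows what was touched.
    foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter $Filter -Properties $names) {
        $replace = @{}
        $clear   = @()
        foreach ($n in $names) {
            $current = [string]$u.$n
            $wanted  = [string]$Attributes[$n]
            if ([string]::IsNullOrEmpty($wanted)) {
                if (-not [string]::IsNullOrEmpty($current)) { $clear += $n }
            }
            elseif ($current -ne $wanted) { $replace[$n] = $Attributes[$n] }
            # Unchanged values are skipped, which avoids needless replication
            # and keeps whenChanged meaningful on large OUs.
        }
        if ($replace.Count -eq 0 -and $clear.Count -eq 0) { continue }

        $what = "Replace: $(@($replace.Keys) -join ',') Clear: $($clear -join ',')"
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, $what)) {
            $splat = @{ Identity = $u }
            if ($replace.Count) { $splat['Replace'] = $replace }
            if ($clear.Count)   { $splat['Clear']   = $clear }
            Set-ADUser @splat
        }
        [pscustomobject]@{
            User     = $u.SamAccountName
            Replaced = @($replace.Keys) -join ','
            Cleared  = $clear -join ','
        }
    }
}

# Usage (preview first, then drop -WhatIf). Same effect as the course's
# Department/Company command, plus the Notes field, which has no parameter.
Set-BulkUserAttributes -SearchBase 'OU=Production,DC=contoso,DC=com' -Attributes @{
    department = 'Production'
    company    = 'Contoso, Ltd'
    info       = 'Moved to Production, April 2011'
} -WhatIf
```

The hashtable keys must be LDAP attribute names, exactly as they appear on the Attribute Editor tab, because -Replace and -Clear bypass the friendly parameter names that Set-ADUser offers for the common properties.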

Demonstration: Create Users with Templates
Key Points
Users in a domain often share many similar properties. For example, all sales
representatives can belong to the same security groups, log on to the network
during similar hours, and have home folders and roaming profiles stored on the
same server. When you create a new user, you can simply copy an existing user
account, rather than create a blank account and populate each property.
Since the days of Windows NT 4.0, Windows has supported the concept of user
account templates. A user account template is a generic user account prepopulated
with common properties. For example, you can create a template account for sales
representatives, which is preconfigured with group memberships, logon hours, a
home folder, and roaming profile path.
To create a user account template, perform the following steps:
1. Create a user account and prepopulate appropriate attributes.
Tip: Use a naming standard that makes templates easy to find. For example, set the full name to
begin with an underscore (_), as in _Sales User. The underscore will cause all templates to
appear at the top of the list of users in an OU.
2. Disable the template user account.
The template account itself should not be used to log on to the network, so
ensure that you disable the account.

To create a user based on the template, perform the following steps:
1. Right-click the template user account, and then click Copy.
The Copy Object User Wizard appears.
2. In the First name box, type the user's first name.
3. In the Last name box, type the user's last name.
4. Modify the Full name value if necessary.
5. In the User logon name box, type the user logon name, and then select the
appropriate user principal name (UPN) suffix in the drop-down list.
6. In the User logon name (pre-Windows 2000) box, type the user's pre-
Windows 2000 user name.
7. Click Next.
8. In Password and Confirm password, type the user's password.
9. Select the appropriate password options.
10. If the user account from which the new user account was copied was disabled,
clear Account is disabled to enable the new account.



Create Users with Templates
Key Points
It is important to realize that not all attributes are copied. The following list
summarizes the attributes that are copied. It is not useful to configure any other
attributes in the template, because they will not be copied.
General tab. No properties are copied from the General tab.
Address tab. P.O. box, city, state or province, ZIP or postal code, and country
or region are copied. Note that the street address itself is not copied.
Account tab. Logon hours, logon workstations, account options, and account
expiration are copied.
Profile tab. Profile path, logon script, home drive, and home folder path are
copied.
Organization tab. Department, company, and manager are copied.
Member Of tab. Group membership and primary group are copied.

Note: There are other attributes that are copied that are not even visible in the user Properties
dialog box. These attributes include assistant, division, and employee type.
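The same copy can be scripted once a template is stable. The following added example (not code from the course or from Microsoft) reads exactly the attribute set listed above from the template and passes it to New-ADUser, so the result matches what the snap-in's Copy command produces. $ParamMap is this script's own mapping of LDAP attribute names to New-ADUser parameters; attributes without a parameter go through -OtherAttributes. It assumes the Active Directory module and that the template account lives in the OU where the new user should be created; New-UserFromTemplate is this example's own name.

```powershell
# Added example, not part of the course text. Assumes the Active Directory module.
Import-Module ActiveDirectory

# LDAP attribute -> New-ADUser parameter, for the attributes the Copy command carries over.
$ParamMap = @{
    postOfficeBox    = 'POBox';       l             = 'City';      st      = 'State'
    postalCode       = 'PostalCode';  c             = 'Country'
    userWorkstations = 'LogonWorkstations'
    profilePath      = 'ProfilePath'; scriptPath    = 'ScriptPath'
    homeDrive        = 'HomeDrive';   homeDirectory = 'HomeDirectory'
    department       = 'Department';  company       = 'Company';   manager = 'Manager'
}
# Copied attributes that have no named parameter.
$OtherCopied = 'co', 'countryCode', 'logonHours'

function New-UserFromTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Template,        # e.g. Template.Sales
        [Parameter(Mandatory = $true)][string]$GivenName,
        [Parameter(Mandatory = $true)][string]$Surname,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    $props = @($ParamMap.Keys) + $OtherCopied + 'AccountExpirationDate', 'primaryGroupID', 'memberOf'
    $tmpl  = Get-ADUser -Identity $Template -Properties $props

    $new = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$((Get-ADDomain).DNSRoot)"
        Path                  = ($tmpl.DistinguishedName -split '(?<!\\),', 2)[1]  # template's own OU
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true
        Enabled               = $true    # the template itself stays disabled
    }
    foreach ($ldap in $ParamMap.Keys) {
        if ($tmpl.$ldap) { $new[$ParamMap[$ldap]] = $tmpl.$ldap }
    }
    $other = @{}
    foreach ($ldap in $OtherCopied) { if ($tmpl.$ldap) { $other[$ldap] = $tmpl.$ldap } }
    if ($other.Count)               { $new['OtherAttributes'] = $other }
    if ($tmpl.AccountExpirationDate) { $new['AccountExpirationDate'] = $tmpl.AccountExpirationDate }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Create from template $Template")) {
        $user = New-ADUser @new -PassThru
        # memberOf is a backlink, so "copying" it means adding the new user to
        # each of the template's groups (the forward link, member).
        foreach ($g in $tmpl.memberOf) { Add-ADGroupMember -Identity $g -Members $user }
        # The primary group can be changed only once the user is a member of it.
        if ($tmpl.primaryGroupID -ne 513) {
            Set-ADUser -Identity $user -Replace @{ primaryGroupID = $tmpl.primaryGroupID }
        }
        $user
    }
}

# Usage:
#   New-UserFromTemplate -Template Template.Sales -GivenName Rob -Surname Young `
#       -SamAccountName Rob.Young -Password (Read-Host -AsSecureString 'Initial password') -WhatIf
```

Because the group memberships are applied by writing the groups' member attribute after the user exists, a failure part-way through leaves a user without some groups rather than a half-written object; rerunning Add-ADGroupMember for the template's memberOf list is the repair.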
Question: What other methods do you use to create new user accounts with
common attributes?
Lab B: Configure User Object Attributes
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer and then browse to D:\Labfiles\Lab03b.
6. Run Lab03b_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab03b.

Lab Scenario
You are the administrator of Contoso, Ltd., an online university for adult
education. Changes in the Sales department require you to modify the attributes of
Sales users. Additionally, you decide to make it easier to create new accounts for
sales people by preparing a user account template.
Exercise 1: Examine User Object Attributes
In this exercise, you will examine the attributes of a user object.
The main tasks for this exercise are as follows:
1. Explore the properties of an Active Directory user object.
2. Explore all attributes of an Active Directory user object.
3. Analyze the naming and display of user object attributes.

Task 1: Explore the properties of an Active Directory user object.
Run Active Directory Users and Computers with administrative credentials.
Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
Open the properties of Tony Krijnen in the Employees OU.
In this sample contoso.com domain, attributes have been configured on the
General, Address, Account and Organization tabs. Examine each of these
tabs, and then close the Properties dialog box.

Task 2: Explore all attributes of an Active Directory user object.
Enable the Advanced Features view of the Active Directory Users and
Computers snap-in.
Examine the Attribute Editor tab of Tony Krijnen's Properties dialog box.

Task 3: Analyze the naming and display of user object attributes.
For each of the following attributes in the Tony Krijnen Properties dialog
box, identify the corresponding attribute name on the Attribute Editor tab.
Properties dialog box tab   Property name       Attribute name as shown on the Attribute Editor tab
General                     First name
General                     Last name
General                     Display name
General                     Description
General                     Office
General                     Telephone number
General                     E-mail
Address                     Street
Address                     City
Address                     ZIP/Postal Code
Address                     Country
Organization                Job Title
Organization                Department
Organization                Company


Questions:
1. Use the Attribute Editor tab to answer the following questions.
Does the employeeID attribute, shown on the Attribute Editor tab, show
up on a normal tab of the Properties dialog box? If so, which one? What
about carLicense?
What is the distinguished name (DN) of Tony Krijnen's object?
What is Tony's UPN? On which other tab does the attribute appear, and
how is it labeled and displayed?
2. Why might the sn attribute be named sn?
3. What is the use of the c attribute?

Results: In this exercise, you examined user object attributes.
Exercise 2: Manage User Object Attributes
In this exercise, you will manage the attributes of user objects.
The main tasks for this exercise are as follows:
1. Modify the attributes of multiple user objects.
2. Manage user attributes from the command prompt.

Task 1: Modify the attributes of multiple user objects.
A special Marketing task force has been established by Ariane Berthier, the Vice
President of Marketing. Members of the task force are being relocated to
Headquarters and will report directly to Ariane.
Select the following users in the Employees OU: Adam Barr, Adrian Lannin,
Ajay Manchepalli, Ajay Solanki, Allan Guinot, Anav Silverman, and András
Tóth.
Configure the following properties for the users:
Office: Headquarters.
Description: Marketing Task Force.
Manager: Ariane Berthier.
After changing the attributes, open the properties of Adam Barr and examine
the attributes you just changed.
The Manager attribute is a linked attribute. The other side of the link is the
Direct Reports attribute. Open the properties of Ariane Berthier and examine
the Direct Reports.

Task 2: Manage user attributes by using Windows PowerShell.
Open the Active Directory Module for Windows PowerShell with
administrative credentials. Use the account Pat.Coleman_Admin with the
password Pa$$w0rd.
Use Windows PowerShell to list the e-mail addresses and description of all
users in the Marketing Task Force.
Tip: Users in the Marketing Task Force share a common Description property.
Use Windows PowerShell to configure all Marketing Task Force members to
have a home drive mapped to U: and a home directory mapped to
\\NYC-DC1\Taskforceusers\%UserName%.
In Active Directory Users and Computers, confirm that the changes you
made were applied correctly by examining the properties of Adam Barr.

Results: In this exercise, you managed user objects by using Active Directory Users and
Computers and Windows PowerShell.

Exercise 3: Create Users from a Template
In this exercise, you will create a user account template and then generate a new
user account based on that template.
The main tasks for this exercise are as follows:
1. Create a user account template for Sales.
2. Create a new user account based on a template.

Task 1: Create a user account template for Sales.
In the Employees OU, create a template account for new sales people with the
following properties:
First Name and Last Name: blank
Full Name: _Sales User (note the underscore at the beginning of the
name)
User Logon Name: Template.Sales
Password: Pa$$w0rd
User must change password at next logon
Account is disabled
Member of: Sales
Department: Sales
Company: Contoso, Ltd.
Manager: Anibal Sousa
Account Expires: Last day of the current year
Managing Users and Service Accounts 3-53

Task 2: Create a new user account based on a template.
In the Employees OU, create an account for a new sales person, based on the
_Sales User template. The account should have the following properties:
First Name: Rob
Last Name: Young
User logon name: Rob.Young
Password: Pa$$w0rd
Account is enabled

Results: In this exercise, you created a user account named Rob Young in the
Employees OU. The account has all the attributes you configured for the _Sales User
template.

Lab Review Questions
Question: What methods have you learned for modifying attributes of new and
existing users?
Lesson 3
Automate User Account Creation
Although the procedures discussed in Lessons 1 and 2 can be applied to create a
small number of users, you will need more advanced techniques to automate the
creation of user accounts when a large number of users must be added to the
domain. In this lesson, you will learn several of these techniques.
After completing this lesson, you will be able to:
Export user attributes with CSVDE.
Import users with CSVDE.
Import users with LDIFDE.
Import users with Windows PowerShell.


Export Users with CSVDE
Key Points
CSVDE is a command-line tool that exports or imports Active Directory objects to
or from a comma-delimited text file (also known as a comma-separated value text
file, or .csv file). Comma-delimited files can be created, modified, and opened with
familiar tools such as Notepad and Microsoft Office Excel.
The following is the basic syntax of the CSVDE command for export.
csvde -f filename
However, this command will export all objects in your Active Directory domain.
You will want to limit the scope of the export, which you can do with the following
four parameters:
-d RootDN. Specifies the distinguished name of the container from which the
export will begin. The default is the domain itself.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3-56 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
-p SearchScope. Specifies the scope of the search relative to the container
specified by -d. SearchScope can be either base (this object only), onelevel
(objects within this container), or subtree (this container and all
subcontainers). The default is subtree.
-r Filter. Filters the objects returned within the scope configured by -d and -p.
Filter is an LDAP query syntax. You will work with a filter in the lab for this
lesson. The LDAP query syntax is beyond the scope of this course. For more
information, see http://go.microsoft.com/fwlink/?LinkId=168752.
-l ListOfAttributes. Specifies the attributes that will be exported. Use the LDAP
name for each attribute, separated by a comma, as in
-l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName

The output of a CSVDE export lists the LDAP attribute names on the first line.
Each object follows, one per line, and must contain exactly the attributes listed on
the first line, as illustrated in the following example.
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com

Managing Users and Service Accounts 3-57
Import Users with CSVDE
Key Points
CSVDE can also create user accounts by importing a .csv file. If you have user information in existing Office Excel or Microsoft Office Access databases, you will find that CSVDE is a powerful way to take advantage of that information to automate user account creation.
The following is the basic syntax of the CSVDE command for import.
csvde -i -f filename -k
The -i parameter specifies import mode; without it, the default mode of CSVDE is export. The -f parameter identifies the file name to import from or export to. The -k parameter is useful during import operations because it instructs CSVDE to ignore errors, including Object Already Exists.
3-58 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The import file itself is a comma-delimited text file (.csv or .txt) in which the first
line defines the imported attributes by their LDAP attribute names. Each object
follows, one per line, and must contain exactly the attributes listed on the first line,
as in the following sample file.
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
This file, when imported by the CSVDE command, will create a user object for Lisa
Andrews in the Employees OU. The user logon names, last name, and first name
are configured by the file. You cannot use CSVDE to import passwords, and
without a password, the user account will be disabled initially. After you have reset
the password, you can enable the object.
For more information about CSVDE, including details regarding its parameters and
usage to export directory objects, type csvde /? or search the Windows Server
2008 Help and Support Center.

Managing Users and Service Accounts 3-59
Import Users with LDIFDE
Key Points
You can also use LDIFDE.exe to import or export Active Directory objects, including users. LDIF is a draft Internet standard for a file format that can be used to perform batch operations against directories that conform to the LDAP standards. LDIF supports both import and export operations, and batch operations that modify objects in the directory. The LDIFDE command implements these batch operations by using LDIF files.
3-60 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The LDIF file format consists of a block of lines that together constitute a single
operation. Multiple operations in a single file are separated by a blank line. Each
line, comprising an operation, consists of an attribute name followed by a colon
and the value of the attribute. For example, suppose you wanted to import user
objects for two sales representatives named Bonnie Kearney and Bobby Moore.
The contents of the LDIF file would look similar to the following example.
dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@contoso.com
mail: bonnie.kearney@contoso.com

dn: CN=Bobby Moore,OU=Employees,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bobby Moore
sn: Moore
title: Legal
Managing Users and Service Accounts 3-61
description: Legal (New York)
givenName: Bobby
displayName: Moore, Bobby
company: Contoso, Ltd.
sAMAccountName: bobby.moore
userPrincipalName: bobby.moore@contoso.com
mail: bobby.moore@contoso.com
Each operation begins with the DN attribute of the object that is the target of the
operation. The next line, changeType, specifies the type of operation: add, modify,
or delete.
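As an added example (not course material and not Microsoft code), the following Python script applies the file rules from the CSVDE import topic and from this LDIF topic together: it checks a CSVDE import file (LDAP attribute names on the first line, the same number of fields on every row, and no password column, because CSVDE cannot import passwords) and then rewrites each row as an LDIF add operation in the form shown above. The sample CSV rows are constructed to match the lesson's layout; the base64 rule for values that may not appear in plain form comes from the LDIF specification (RFC 2849), not from the course text.

```python
"""Convert a CSVDE-style .csv import file into an LDIFDE-style .ldf file.

Added example; it is not course material or Microsoft code. It checks the
layout rules the lesson states for CSVDE input (first line = LDAP attribute
names, every row carries exactly that many fields, no passwords) and then
emits the blank-line-separated dn/changetype blocks the lesson shows for LDIF.
"""
import base64
import csv
import io

# Object classes the lesson's LDIF sample lists for a user object, in order.
USER_OBJECT_CLASSES = ("top", "person", "organizationalPerson", "user")

# Attributes that would carry a password. CSVDE cannot import passwords, so
# such a column is a mistake; imported accounts stay disabled until a reset.
PASSWORD_ATTRIBUTES = {"unicodepwd", "userpassword"}

# Constructed sample in the layout the lesson shows; not a real export.
SAMPLE_CSV = (
    "DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName\n"
    '"CN=David Jones,OU=Employees,OU=User Accounts,DC=contoso,DC=com",'
    "user,Jones,David,david.jones,david.jones@contoso.com\n"
    '"CN=Lisa Andrews,OU=Employees,OU=User Accounts,DC=contoso,DC=com",'
    "user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com\n"
)

# Constructed bad input: a password column and a row with too few fields.
BAD_CSV = (
    "DN,objectClass,sn,userPassword\n"
    '"CN=Bad Row,OU=Employees,DC=contoso,DC=com",user\n'
)


def check_csvde(text):
    """Return a list of problems found in a CSVDE import file ([] if clean)."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return ["file is empty: the first line must list LDAP attribute names"]
    if header[0].upper() != "DN" or "objectClass" not in header:
        problems.append("header must start with DN and include objectClass")
    for attr in header:
        if attr.lower() in PASSWORD_ATTRIBUTES:
            problems.append(f"column {attr}: CSVDE cannot import passwords")
    for lineno, fields in enumerate(reader, start=2):
        if not fields:  # a blank line between rows is harmless; skip it
            continue
        if len(fields) != len(header):
            problems.append(
                f"line {lineno}: expected {len(header)} fields, got {len(fields)}"
            )
    return problems


def ldif_line(attr, value):
    """Format one LDIF attribute line. Values RFC 2849 does not allow in plain
    form (non-ASCII, or a leading space, colon or '<') are base64-encoded
    and written with the double-colon form 'attr:: <base64>'."""
    if value.isascii() and value and value[0] not in " :<":
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def csv_to_ldif(text):
    """Emit one LDIF add operation per CSV row, separated by blank lines."""
    problems = check_csvde(text)
    if problems:
        raise ValueError("; ".join(problems))
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    blocks = []
    for fields in reader:
        if not fields:
            continue
        row = dict(zip(header, fields))
        # Every operation starts with the target DN and the change type.
        lines = [f"dn: {row[header[0]]}", "changetype: add"]
        if row["objectClass"] == "user":
            # Expand the single 'user' value into the full class chain,
            # as the lesson's LDIF sample lists it.
            lines += [f"objectClass: {oc}" for oc in USER_OBJECT_CLASSES]
        else:
            lines.append(f"objectClass: {row['objectClass']}")
        for attr in header[1:]:
            if attr != "objectClass" and row[attr] != "":
                lines.append(ldif_line(attr, row[attr]))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV))
```

The resulting text can be saved with an .ldf extension and imported with ldifde -i -f, exactly as the lesson describes; accounts created this way still have no password and remain disabled until one is set.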
3-62 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
As you can see, the LDIF file format is not as intuitive or familiar as the comma-
separated text format. However, because the LDIF format is also a standard, many
directory services and databases can export LDIF files.
After creating or obtaining an LDIF file, you can perform the operations specified
by the file, by using the LDIFDE command. From a command prompt, type ldifde
/? for usage information. The two most important switches for the LDIFDE
command are:
-i. Turns on import mode. Without this parameter, LDIFDE exports
information.
-f filename. The file from which to import, or to which to export.

For example, the following command will import objects from the file named
Newusers.ldf.
ldifde -i -f newusers.ldf
The command accepts a variety of modifications by using parameters. The most
useful parameters are summarized in the following table.
Command           Usage
General parameters
-i                Import mode (the default is export mode)
-f filename       Import or export file name
-s servername     The domain controller to bind to for the query
-c FromDN ToDN    Convert occurrences of FromDN to ToDN. For example, this is useful when importing objects from another domain.
-v                Turn on verbose mode
-j path           Log file location
-?                Help
Export-specific parameters
-d RootDN         The root of the LDAP search. The default is the root of the domain.
Managing Users and Service Accounts 3-63
-r Filter         LDAP search filter. The default is (objectClass=*), meaning all objects.
-p SearchScope    The scope, or depth, of the search. Can be subtree (the container and all child containers), base (the immediate child objects of the container only), or onelevel (the container and its immediate child containers).
-l list           Comma-separated list of attributes to include in export for resulting objects. Useful if you want to export a limited number of attributes.
-o list           List of attributes (comma-separated) to omit from export for resulting objects. Useful if you want to export all but a few attributes.
Import-specific parameters
-k                Ignore errors and continue processing if Constraint Violation or Object Already Exists errors appear.
3-64 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Import Users with Windows PowerShell
Key Points
The Active Directory Module for Windows PowerShell can also utilize the contents of a CSV file to import objects into Active Directory Domain Services. Two cmdlets are used to perform this task:
Import-CSV. This cmdlet creates objects from CSV files that can then be piped into other PowerShell cmdlets.
New-ADUser. This cmdlet is used to create the objects that have been imported from the Import-CSV cmdlet.
The following example shows how to use these two cmdlets to create a large number of users with specific attributes in AD DS.
Import-CSV Users.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Surname $_.Surname -GivenName $_.GivenName -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) -Enabled $true}
Managing Users and Service Accounts 3-65
In the example, the Users.csv file is imported by using the Import-CSV cmdlet. Each entry within the Users.csv file is then passed to the New-ADUser cmdlet. Each New-ADUser parameter takes its value from the matching attribute column in the CSV file.
3-66 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lab C: Automate User Account Creation
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer and then browse to D:\Labfiles\Lab03c.
Managing Users and Service Accounts 3-67
6. Run Lab03c_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab03c.

Lab Scenario
You are the administrator of Contoso, Ltd., an online university for adult
education. You are hiring several new employees. The Human Resources
department has provided you with extracts from their database, in both comma-
delimited text format and in LDIF format. You want to import those data files to
create user accounts for the new hires.
3-68 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 1: Export and Import Users with CSVDE
In this exercise, you will use the CSVDE command to export user attributes and to
create new user accounts from a comma-delimited text file.
The main tasks for this exercise are as follows:
1. Export users with CSVDE.
2. Import users with CSVDE.


Task 1: Export users with CSVDE.
Open the Command Prompt with administrative credentials. Use the account,
Pat.Coleman_Admin, with the password, Pa$$w0rd.
Type the following command, and then press Enter.
csvde -f D:\LABFILES\LAB03C\UsersNamedApril.csv -r "(name=April*)"
-l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
Open D:\LABFILES\LAB03C\UsersNamedApril.csv in Notepad.
Examine the file, and then close it.

Task 2: Import users with CSVDE.
Open D:\LABFILES\LAB03C\NewUsers.csv with Notepad. Examine the
information about the users listed in the file.
In the command prompt, type the following command and then press Enter.
csvde -i -f D:\Labfiles\LAB03C\NewUsers.csv -k
The two users are imported.
Run Active Directory Users and Computers with administrative credentials.
Use the account, Pat.Coleman_Admin, with the password, Pa$$w0rd.
Confirm that the users were created successfully.
If you have had the Active Directory Users and Computers snap-in open
during this exercise, you might have to refresh your view to see the newly
created accounts.
Managing Users and Service Accounts 3-69
Examine the accounts to confirm that first name, last name, user principal
name, and pre-Windows 2000 logon name are populated according to the
instructions in NewUsers.csv.
Reset the passwords of the two accounts to Pa$$w0rd.
Enable the two accounts.
Close NewUsers.csv.

Results: In this exercise, you exported and imported accounts by using csvde.

3-70 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Exercise 2: Import Users with LDIFDE
Similar to CSVDE, LDIFDE can be used to import users. The LDIF file format,
however, is not a typical delimited text file. In this exercise, you will use LDIFDE to
import two users.
The main task for this exercise is as follows:
Import users with LDIFDE.

Task 1: Import users with LDIFDE.
Open D:\LABFILES\LAB03C\NewUsers.ldf with Notepad. Examine the
information about the users that is listed in the file.
Type the following command, and then press Enter.
ldifde -i -f D:\Labfiles\LAB03C\NewUsers.ldf -k
The two users are imported.
In Active Directory Users and Computers, confirm that the users were
created successfully.
If you have had the Active Directory Users and Computers snap-in open
during this exercise, you might have to refresh your view to see the newly
created accounts.
Examine the accounts to confirm that user properties are populated according
to the instructions in NewUsers.ldf.
Reset the passwords of the two accounts to Pa$$w0rd.
Enable the two accounts.
Close NewUsers.ldf.

Results: In this exercise, you imported the accounts for Bobby Moore, and Bonnie
Kearney.

Managing Users and Service Accounts 3-71
Lab Review Question
Question: What scenarios lend themselves to importing users with CSVDE and
LDIFDE?

3-72 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lesson 4
Create and Configure Managed Service Accounts
Note: The content in this lesson only applies to Windows Server 2008 R2.
One common issue that most organizations face is how to securely manage accounts used for network services. Many applications use services that require an account for service startup and authentication. Just like normal user accounts, service accounts also need to be managed effectively to ensure security and reliability.
After completing this lesson, you will be able to:
Describe the challenges of using standard user accounts for services.
Describe what a managed service account is.
Configure and administer managed service accounts.

Managing Users and Service Accounts 3-73
Challenges of Using Standard User Accounts for Services
Key Points
Many applications such as Microsoft SQL Server or Microsoft Exchange Server contain services that are installed on the server that hosts the application. These services typically run at server startup or are triggered by other events. Services often run in the background and do not require any user interaction.
For a service to start up and authenticate, a service account is used. A service account may be an account that is local to the computer, such as the built-in Local Service, Network Service, or Local System accounts. A service account may also be configured to use a domain-based account located in AD DS.
To help centralize administration, many organizations choose to use a domain-based account to run application services. This does provide some benefit over using a local account; however, there are a number of associated challenges, such as the following:
3-74 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Extra administration effort to securely manage the service account password. This includes tasks such as changing the password and resolving situations that cause an account lockout. Service accounts are also typically configured to have passwords that do not expire, which may go against the security policy of your organization.
Difficult to determine where a domain-based account is being used as a service
account. A standard user account may be used for multiple services on various
servers throughout the environment. A simple task such as changing the
password may cause authentication issues for some applications. It is
important to know where and how a standard user account is being used
when it is associated with an application service.
Extra administration effort to manage the service principal name (SPN). Using
a standard user account may require manual administration of the service
principal name (SPN). If the logon account of the service changes, the
computer name is changed, or if a DNS host name property is modified, the
SPN registrations may need to be manually modified to reflect the change. A
misconfigured SPN causes authentication problems with the application
service.
To address these challenges, Windows Server 2008 R2 and Windows 7 introduce
a new object called a managed service account (also called a virtual service account
in Windows 7). The following topics provide information on the requirements and
use of managed service accounts in Windows Server 2008 R2.


Managing Users and Service Accounts 3-75
What Is a Managed Service Account?
Key Points
A managed service account can provide an application with its own unique account, while eliminating the need for an administrator to manually administer the credentials for this account.
Managed service accounts provide the following benefits to simplify administration:
Automatic password management. A managed service account automatically maintains its own password, including password changes.
Simplified Service Principal Name (SPN) management. SPN management can be automatically managed if your AD DS domain is configured at the Windows Server 2008 R2 domain functional level. For example, if the sAMAccountName property of the computer is changed, or if the DNS host name property is modified, the managed service account SPN will automatically be changed from the old name to the new name for all managed service accounts on the computer.
3-76 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application
must be running Windows Server 2008 R2. You also must ensure that the .NET
Framework 3.5.x, and the Active Directory Module for Windows Powershell are
both installed on the server.
Note: A managed service account cannot be shared between multiple computers or be used in
server clusters where the service is replicated between nodes.
To simplify and provide full automatic password and SPN management, it is highly
recommended that the AD DS domain be at the Windows Server 2008 R2
functional level. However, if you have a domain controller running Windows
Server 2008 or Windows Server 2003, you can update the Active Directory schema
to Windows Server 2008 R2, to support this feature. The only disadvantage is that
the domain administrator must manually configure SPN data for the managed
service accounts.
To update the schema in Windows Server 2008, Windows Server 2003, or mixed-
mode environments, you must perform the following tasks:
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the
domain level.
2. Deploy a domain controller running Windows Server 2008 R2, Windows
Server 2008 with the Active Directory Management Gateway Service, or
Windows Server 2003 with the Active Directory Management Gateway Service.
Note: The Active Directory Management Gateway Service allows administrators with domain
controllers running Windows Server 2003 or Windows Server 2008 to use Windows
PowerShell cmdlets to manage managed service accounts.

Managing Users and Service Accounts 3-77
Configure and Administer Managed Service Accounts
Key Points
After the domain and server prerequisites have been set, you can use the following process to create a managed service account:
1. On the domain controller, use the Active Directory Module for Windows PowerShell to create a new managed service account. The following command can be used as an example of the base command.
New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]
2. Install the managed service account on the server that contains the service or application. The following command is run on the local server.
Install-ADServiceAccount -Identity <ADServiceAccount>
3. Configure the service or application to use the managed service account.
Windows PowerShell provides a number of cmdlets that can be used to administer managed service accounts. Management tasks include:
3-78 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Finding managed service accounts.
Associating or removing management service accounts on a computer.
Installing a managed service account on a computer.
Deleting a managed service account.
Resetting the password of a managed service account.

Managing Users and Service Accounts 3-79
Lab D: Create and Administer Managed Service Accounts
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
3-80 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Start 6425C-NYC-SVR1. Do not log on until directed to do so.


Managing Users and Service Accounts 3-81
Lab Scenario
You are a network administrator for Contoso, Ltd. You have been asked to
implement a managed service account for an application that will be installed on
NYC-SVR1. For this project, you must complete the following tasks:
1. Create a managed service account called App1_SVR1, and assign it to NYC-
SVR1.
2. Install the App1_SVR1 service account on NYC-SVR1.

Exercise 1: Create and Associate a Managed Service
Account
You have been asked to create a managed service account called App1_SVR1, to be
used by an application located on NYC-SVR1.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell to create and associate a managed service account.
2. Install a managed service account on a server.
Note: Because of the complexity of the PowerShell commands, these steps are the same as the
Lab Answer Key.

Task 1: Use Windows PowerShell to create and associate a managed
service account.
1. On NYC-DC1, open the Active Directory Module for Windows Powershell
console with administrative credentials. Use the account,
Pat.Coleman_Admin, with the password, Pa$$w0rd.
2. At the prompt, type the following command, and then press Enter.
New-ADServiceAccount -Name App1_SVR1
3. At the prompt, type the following command, and then press Enter.
Add-ADComputerServiceAccount -Identity NYC-SVR1 -ServiceAccount App1_SVR1
4. At the prompt, type the following command, and then press Enter.
3-82 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers
5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.
6. Close all open windows on NYC-DC1.

Task 2: Install a managed service account on a server.
1. Switch to the NYC-SVR1 virtual machine.
2. Log on to NYC-SVR1 as Contoso\Administrator, with the password,
Pa$$w0rd.
3. Click Start, point to Administrative Tools, and then click Active Directory
Module for Windows PowerShell. The Administrator: Active Directory
Module for Windows Powershell console opens.
4. At the prompt, type the following command, and then press Enter.
Install-ADServiceAccount -Identity App1_SVR1
5. Click Start, point to Administrative Tools, and then click Services.
6. In the Services console, right-click Disk Defragmenter, and then click
Properties.
Note: The Disk Defragmenter service is just used as an example for this lab. In a production
environment, you would use the actual service that should be assigned the managed
service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
9. Clear the password for both the Password and Confirm password boxes.
Click OK.
10. Click OK at all prompts.
11. Close the Services console.
12. Close all open windows on NYC-SVR1.

Managing Users and Service Accounts 3-83
Results: In this exercise, you created and installed a managed service account.

To prepare for the next lab
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR1.

3-84 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Module Review and Takeaways
Review Questions
1. Which administration tool should you use to create and manage user accounts within your organization?
2. Which user account attributes will be important to use within your network environment?
Windows Server 2008 R2 Features Introduced in this Module
Windows Server 2008 R2 feature                    Description
Active Directory Module for Windows PowerShell    Used to run Active Directory cmdlets for administering various AD DS tasks
Managed Service Accounts                          Used to automate password and SPN management for service accounts used by applications and services
Managing Groups 4-1
Module 4
Managing Groups
Contents:
Lesson 1: Overview of Groups 4-4
Lesson 2: Administer Groups 4-45
Lab A: Administer Groups 4-66
Lesson 3: Best Practices for Group Management 4-74
Lab B: Best Practices for Group Management 4-88
4-2 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Module Overview
Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role will change, but the role will remain. For that reason, it is not practical to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Management tasks should be associated with groups. In this course, you will use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, to assign rights and permissions, and more. To prepare for those tasks, in this module, you will learn how to create, modify, delete, and support group objects in an Active Directory domain.
Managing Groups 4-3
Objectives
After completing this module, you will be able to:
Describe the role of groups in managing an enterprise.
Administer groups by using the built-in tools in Windows Server 2008.
Describe the best practices for managing groups.

4-4 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lesson 1
Overview of Groups
You are certainly familiar with the purpose of groups: to collect items and manage them as a single entity. The implementation of group management in Active Directory is not intuitive; Active Directory is designed to support large, distributed environments, so it includes seven different types of groups: two types of domain groups with three scopes each, plus local security groups. In this lesson, you will learn the purpose that each of these groups plays, and you will learn to align your business requirements with the potentially complex options that Active Directory provides.
Objectives
After completing this lesson, you will be able to:
Understand the role of groups in managing an enterprise.
Define group naming conventions.
Understand group types.
Managing Groups 4-5
Understand group scope.
Identify group membership and nesting possibilities.
Understand how to manage and administer groups.
Understand the best practice for group nesting to achieve role-based
management.


4-6 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Access Management Without Groups
Key Points
To better understand groups, their purpose, and their benefits, let us first look at
one example of access management without using groups. Imagine that all 100
users in the Sales department require Read-level access to a shared folder called,
Sales, on a file server. It is very time-consuming and hard to manage the task of
assigning permissions to each user individually. When new sales people are hired,
you will have to add the new accounts to the access control list (ACL) of the folder.
When accounts are deleted, you will have to remove the permissions from the
ACL, or you will be left with a missing account entry on the ACL, as shown in the
following image. This results from a security identifier (SID) on the ACL that refers
to an account that cannot be resolved.
Managing Groups 4-7

Imagine now that all the 100 users in the Sales department require Read access to
three shared folders on three different servers. This can cause significant
management issues. How many permissions would you have to apply just to
configure access to three folders on three different servers for 100 users? You
would need to apply 300 permissions.
When you manage permissions by adding and removing identities to and from an
ACL, it becomes difficult to answer the question, "Who can read the Sales folder?"
To answer this question, you must reverse engineer the ACL. In the broader
example, if the Sales folders are distributed across three servers, you would have to
evaluate three separate ACLs to answer the question.
This example clearly shows that managing access to resources by providing
permissions explicitly to identities (in this case, user accounts) is very inefficient.
4-8 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Benefits of Using Groups
Key Points
The example presented in the previous topic may seem extreme. Although
assigning permissions to a resource for an individual identity (user or computer) is
possible, the best practice is to assign a single permission to a group. Then, you
manage access to the resource simply by changing the membership of the group.
Groups Add Manageability
To continue the example, you can create a group called Sales and assign the group
Allow Read permission on the Sales folder. You now have a single point of
management. The Sales group effectively manages access to the shared folder. You
can add new sales users to the group, and they will gain access to the shared
folder. When you delete an account, it is automatically deleted from the group, so
you will not have unresolvable SIDs on your ACL.
It is also easier to answer the question, "Who can read the Sales folder?" You can
simply enumerate the membership of the Sales group.
The Sales group has become the focus of access management tasks.
Managing Groups 4-9
There's an extra benefit. Because your ACL will remain stable, with the Sales group
having Allow Read permission, your backups will be easier. When you change the
ACL of a folder, the ACL propagates to all child files and folders, setting the
Archive flag and thereby requiring a backup of all files, even if the contents of the
files have not changed.
Groups Add Scalability
If the sales users require Read access to three folders on three separate servers, you
could assign the Sales group Allow Read permission on each of the three folders.
After you assign the three permissions, the Sales group provides a single point of
management for resource access. The Sales group effectively manages access to all
three shared folders. You can add new sales users to the group, and they will gain
access to the three shared folders on the three servers. When you delete an
account, it is automatically deleted from the group, so you will not have
unresolvable SIDs on your ACLs.

4-10 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Role-Based Management: Role Groups and Rule Groups
Key Points
Imagine next that it is not only sales people who require Read access to the folders.
Executives, Marketing department employees, and the sales consultant hired by
your organization also require Read permission to the same folders. It is very
common that various groups of users require access to the same resources.
You could add those groups to the ACL of the folders, granting each of them Allow
Read permission, but soon you will end up with an ACL with multiple
permissions, this time assigning the Allow Read permission to multiple groups,
instead of multiple users. To give the three groups and one user permission to the
three folders on the three servers, you will have to add twelve permissions! The
next group that requires access will require three more changes to grant
permissions to the ACLs of the three shared folders.
What if eight users who are not sales people, marketing employees, or executives,
have a business need for Read access to the three folders? Do you add their
individual user accounts to the ACLs? If so, that is 24 more permissions to add and
manage!
Managing Groups 4-11
You can see that using only one type of group, a role group that defines the
business roles of users, quickly becomes an ineffective way of enabling
management of access to the three folders. If the management rule suggests that
three roles and nine additional users require access to the resource, you are
assigning a total of 36 permissions on ACLs. It becomes very difficult to maintain
compliance and to audit. Even simple questions such as, "Can you tell me every
user who can read the Sales folders?" become difficult to answer.
The solution is to recognize that there are two types of management that must take
place to effectively manage this scenario. You must manage the users as collections,
based upon their business roles; and, separately, you must manage access to the
three folders.
The three folders are also a collection of items. They are a single resource, a
collection of Sales folders, that just happens to be distributed across three folders
on three servers. You are trying to manage Read access to that resource. You need a
single point of management with which to manage access to the resource.
This requires another group, a group that represents Read access to the three
folders on the three servers. We call that type of group a rule group (sometimes,
also resource groups). Imagine that you create a group called ACL_Sales
Folders_Read. This group will be assigned the Allow Read permission on the three
folders. The Sales, Marketing, and Executives groups, along with the individual
users, will all be members of the ACL_Sales Folders_Read group. You assign only
three permissions: one on each folder, granting Read access to the ACL_Sales
Folders_Read group.
The ACL_Sales Folders_Read group becomes the focus of access management. As
additional groups or users require access to the folders, they will be added to that
group. It also becomes easier to report who has access to the folders. Instead of
having to examine the ACLs on each of the ten folders, you simply examine the
membership of the ACL_Sales Folders_Read group.
To effectively manage even a slightly complex enterprise, you will need two "types"
of groups that perform two distinct purposes:
Groups that define roles. These groups, referred to as role groups, contain
users, computers, and other role groups based on common business
characteristics such as location, job type, and so on.
Groups that define management rules. These groups, referred to as rule groups,
define how an enterprise resource is being managed.

This approach to managing the enterprise with groups is called role-based
management. You define roles of users based on business characteristics, for
4-12 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
example, department or division affiliation such as sales, marketing, and
executives, and you define management rules, for example, the rule that manages
which roles and individuals can access the three folders.
You can achieve both management tasks by using groups in a directory. Roles are
represented by groups that contain users, computers, and other roles. Roles can
include other roles, for example, a Manager role might include Sales Managers,
Finance Managers, and Production Managers roles. Management rules, such as the
rule that defines and manages Read access to the three folders, are represented by
groups also. Rule groups contain roles, and occasionally, individual users or
computers such as the sales consultant and eight other users in the example.
The key takeaway is that there are two "types" of groups: one that defines the role,
and the other that defines how a resource is managed.


Managing Groups 4-13
Define Group Naming Conventions
Key Points
To create a group by using the Active Directory Users and Computers snap-in, you
should right-click the organizational unit (OU) in which you want to create a
group, point to New, and then click Group. The New Object - Group dialog box,
shown in the following image, allows you to specify fundamental properties of the
new group.
4-14 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

The following name properties can be configured in this dialog box:
Group name. The cn and name of group object must be unique only within
the OU
Group name (pre-Windows 2000). sAMAccountName of group, unique in
domain

Important best practice: Use the same name (unique in the domain) for both properties.
The first property you must configure is the group's names. A group, like a user
or computer, has several names. The first, shown in the Group Name box above, is
used by Windows 2000 and later systems to identify the object; it becomes the cn
and name attributes of the object. The second, the pre-Windows 2000 name, is the
sAMAccountName attribute, used to identify the group to computers running
Windows NT 4.0 and to some devices, such as network attached storage (NAS)
devices running non-Microsoft operating systems. The cn and name attributes
must be unique only within the container (the OU) in which the group exists. The
sAMAccountName must be unique in the entire domain. Technically, the
sAMAccountName could be a different value than the cn and name, but it is highly
discouraged to make these different. Pick a name that is unique in the domain, and
use it in both name fields in the New Object - Group dialog box.
The following naming conventions are recommended:
Managing Groups 4-15
Role groups. Simple, unique name, such as Sales or Consultants
Management groups. For example, ACL_Sales Folders_Read
Prefix. This identifies the management purpose of group, such as ACL for
groups managing access permissions to shared resources.
Resource identifier. This is a unique identifier for what is being managed.
Suffix. For resource access groups, this is the type of access the group
manages.
Delimiter. This should be a consistently used marker separating prefix,
identifier, and suffix, such as an underscore (_). Do not use the delimiter
elsewhere in the name; use it only as a delimiter.

The name you choose should help you manage the group and manage your
enterprise on a day-to-day basis. We recommend that you follow a naming
convention that identifies the type of group and the purpose of the group.
The example in the previous topic used a group name, ACL_Sales Folders_Read.
Prefix. The prefix identifies the management purpose of the group. In this case,
it is a group used to manage access permissions to a folder. It is used on access
control lists, so the prefix ACL is used.
Resource identifier. The main part of the name uniquely identifies the resource
that is being managed with the group, in this example, Sales Folders.
Suffix. The suffix further defines what is being managed by the group. In the
case of resource access management groups, the suffix defines the level of
access provided to members of the group. In our example, that is Read.
Delimiter. A delimiter, in this case an underscore, is used to separate parts of
the name. Note that the delimiter is not used between the words Sales and
Folder. Spaces are acceptable in group names; you will just need to enclose
group names in quotes when you refer to them in commands or in scripts. You
can create scripts that use the delimiter to deconstruct group names to
facilitate auditing and reporting.

4-16 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Keep in mind that role groups that define user roles will often be used by
non-technical users. For example, you might email-enable the Sales group so that it can
be used as an email distribution list. Therefore, we recommend that you keep your
naming convention for role groups simple and straightforward. In other words,
your naming convention for role groups is not to use prefixes or suffixes or
delimiters, just a user-friendly, descriptive name.
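The lesson notes that a consistently used delimiter lets scripts deconstruct group names for auditing and reporting. The following Python script is an added example, not part of the course material, showing how such a script can parse names that follow the prefix_identifier_suffix convention, treat names without a delimiter as role groups, reject names that reuse the delimiter inside a part, and roll rule groups up by the resource they manage. The only prefix and suffix the lesson itself names are ACL and Read; the other accepted values and the sample group names are assumptions made for this example.

```python
"""Parse Active Directory group names that follow the prefix_identifier_suffix
convention. Added example; not part of the course text. Only the ACL prefix
and the Read suffix come from the lesson; other accepted values are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DELIMITER = "_"
KNOWN_PREFIXES = {"ACL": "access permissions on a shared resource"}
KNOWN_ACCESS_SUFFIXES = {"Read", "Modify", "Full"}   # Read is from the lesson; Modify and Full assumed


@dataclass
class GroupName:
    raw: str
    kind: str                      # "role" (no delimiter) or "rule" (prefix_identifier_suffix)
    prefix: Optional[str] = None
    resource: Optional[str] = None
    suffix: Optional[str] = None


def parse_group_name(name: str) -> GroupName:
    """Role groups carry no delimiter; rule groups must split into exactly three parts."""
    name = name.strip()
    if not name:
        raise ValueError("empty group name")
    if DELIMITER not in name:
        return GroupName(raw=name, kind="role")
    parts = name.split(DELIMITER)
    # The delimiter may not be reused inside a part, so exactly two may appear.
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"{name!r}: expected prefix{DELIMITER}identifier{DELIMITER}suffix")
    prefix, resource, suffix = parts
    if prefix not in KNOWN_PREFIXES:
        raise ValueError(f"{name!r}: unknown prefix {prefix!r}")
    if prefix == "ACL" and suffix not in KNOWN_ACCESS_SUFFIXES:
        raise ValueError(f"{name!r}: unknown access level {suffix!r}")
    return GroupName(raw=name, kind="rule", prefix=prefix, resource=resource, suffix=suffix)


def access_report(names: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each managed resource to the access levels that have a rule group,
    and collect the names that break the convention."""
    by_resource: Dict[str, List[str]] = {}
    problems: List[str] = []
    for n in names:
        try:
            g = parse_group_name(n)
        except ValueError as err:
            problems.append(str(err))
            continue
        if g.kind == "rule":
            by_resource.setdefault(g.resource, []).append(g.suffix)
    return by_resource, problems


# Constructed sample, as group names might appear in a domain export.
SAMPLE_NAMES = [
    "Sales",                      # role group: plain, user-friendly name
    "ACL_Sales Folders_Read",     # rule group from the lesson; a space inside the identifier is fine
    "ACL_Sales Folders_Modify",
    "ACL_New Product_Modify",
    "ACL_Sales_Folders_Read",     # delimiter reused inside the identifier: rejected
    "GPO_Sales Laptops_Apply",    # prefix this example's convention does not know: rejected
]

if __name__ == "__main__":
    resources, bad = access_report(SAMPLE_NAMES)
    for res, levels in resources.items():
        print(f"{res}: {', '.join(levels)}")
    for p in bad:
        print("convention violation:", p)
```

Because group names may contain spaces, a script that feeds these names to command-line tools must still quote them, as the lesson notes; the parser above works on the name string itself and is unaffected.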


Managing Groups 4-17
Group Type
Key Points
There are two types of groups: security and distribution. When you create a group,
you make the selection of the group type in the New Object - Group dialog box.
Distribution groups are used primarily by email applications. These groups are not
security enabled; they do not have SIDs so they cannot be given permission to
resources. Sending a message to a distribution group sends the message to all
members of the group.
Security groups are security principals with SIDs. These groups can therefore be
used in permission entries in ACLs to control security for resource access. Security
groups can also be used as distribution groups by email applications. If a group
will be used to manage security, it must be a security group.
4-18 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Because security groups can be used for both resource access and email
distribution, many organizations use only security groups. However, we
recommend that if a group will be used only for email distribution, you should
create the group as a distribution group. Otherwise, the group is assigned a SID,
and the SID is added to the user's security access token, which can lead to
unnecessary size increase of the security token.

Managing Groups 4-19
Group Scope
Key Points
Groups have members: users, computers, and other groups; groups can be
members of other groups; and groups can be referred to by ACLs, Group Policy
object (GPO) filters, and other management components. Group scope impacts
each of these characteristics of a group: what it can contain, what it can belong to,
and where it can be used. There are four group scopes: global, domain local, local,
and universal.
The characteristics that define each scope fall into these categories:
Replication. Where is the group defined, and to what systems is the group
replicated?
4-20 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Membership. What types of security principals can the group contain as
members? Can the group include security principals from trusted domains?
In Module 14, you will learn about trust relationships, or trusts. A trust allows
a domain to refer to another domain for user authentication, to include
security principals from the other domain as group members, and to assign
permissions to security principals in the other domain. The terminology used
can be confusing. If Domain A trusts Domain B, Domain A is the trusting
domain and Domain B is the trusted domain. Domain A accepts the
credentials of users in Domain B. It forwards requests by Domain B users to
authenticate to a domain controller in Domain B, because it trusts the identity
store and authentication service of Domain B. Domain A can add Domain B's
security principals to groups and ACLs in Domain A.
Availability. Where can the group be used? Is the group available to add to
another group? Is the group available to add to an ACL?

Keep these broad characteristics in mind as you explore the details of each group
scope.

Managing Groups 4-21
Local Groups
Key Points
Local groups are truly local: defined on and available to a single computer. Local
groups are created in the security accounts manager (SAM) database of a domain
member computer; both workstations and servers have local groups. Local groups
have the following characteristics:
Replication. A local group is defined only in the local SAM database of a
domain member. The group and its membership are not replicated to any
other system.
Membership. A local group can include as members:
Any security principals from the domain: users, computers, global groups,
or domain local groups.
Users, computers, and global groups from any domain in the forest.
Users, computers, and global groups from any trusted domain.
Universal groups defined in any domain in the forest.
4-22 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Availability. A local group has only machine-wide scope. It can be used in ACLs
on the local machine only. A local group cannot be a member of any other
group.

Best Practice
In a workgroup, you use local groups to manage security of resources on a system.
In a domain, however, managing the local groups of individual machines becomes
unwieldy, and is for the most part unnecessary. We do not recommend creating
custom local groups on domain members. There are very few scenarios in a
domain environment that are addressed by using local groups. In most cases, the
Users and Administrators local groups are the only local groups that you should be
concerned with managing, in a domain environment.

Managing Groups 4-23
Domain Local Groups
Key Points
Domain local groups are used primarily to manage permissions to resources,
which means they mostly serve as rule groups. For example, the ACL_Sales
Folders_Read group discussed earlier in the lesson would be created as a domain
local group. Domain local groups have the following characteristics:
Replication. A domain local group is defined in the domain naming context.
The group object and its membership (the member attribute) are replicated to
every domain controller in the domain.
Membership. A domain local group can include as members:
Any security principals from the domain: users, computers, global groups,
or other domain local groups.
Users, computers, and global groups from any domain in the forest.
Users, computers, and global groups from any trusted domain.
Universal groups defined in any domain in the forest.
4-24 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Availability. A domain local group can be added to ACLs on any resource on
any domain member. Additionally, a domain local group can be a member of
other domain local groups, or even machine local groups.

The membership capabilities of a domain local group (the groups to which a
domain local group can belong) are identical to those of local groups, but the
replication and availability of the domain local group make it useful across the
entire domain.
Best Practice
Domain local groups are well suited for defining business management rules, such
as resource access rules, because the group can be applied anywhere in the
domain, and it can include members of any type within the domain, and members
from trusted domains.
For example, a domain local security group named ACL_Sales Folders_Read might
be used to manage Read access to a collection of folders that contain sales
information on one or more servers.

Managing Groups 4-25
Global Groups
Key Points
Global groups are used primarily to define collections of domain objects based on
business roles, which means that they mostly serve as role groups. Role groups,
such as the Sales and Marketing groups mentioned earlier, and roles of computers
such as a Sales Laptops group, are created as global groups. Global groups have
the following characteristics:
Replication. A global group is defined in the domain naming context. The
group object, including the member attribute, is replicated to all domain
controllers in the domain.
Membership. A global group can include as members only those users,
computers, and other global groups in the same domain.
Availability. A global group is available for use by all domain members, and by
all other domains in the forest and all trusting external domains. A global
group can be a member of any domain local or universal group in the domain
or in the forest. It can also be a member of any domain local group in a
4-26 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
trusting domain. Finally, a global group can be added to ACLs in the domain,
in the forest, or in trusting domains.
As you can see, global groups have the most limited membership (only users,
computers, and global groups from the same domain) but the broadest availability
across the domain, the forest, and trusting domains.
Best Practice
Global groups are well suited to defining roles, because roles are generally
collections of objects from the same directory.
For example, global security groups named Consultants and Sales might be used
to define users who are consultants and sales people, respectively.

Managing Groups 4-27
Universal Groups
Key Points
Unlike Global and Domain local groups, the use of Universal Groups is not limited
to role or rule type of groups; they can be used in both types of groups depending
on the scenario.
Universal groups have the following characteristics:
Replication. A universal group is defined in a single domain in the forest but is
replicated to the global catalog. You will learn more about the global catalog in
Module 12. Objects in the global catalog will be readily accessible across the
forest.
Membership. A universal group can include as members users, global groups,
and other universal groups from any domain in the forest.
Availability. A universal group can be a member of a universal group or
domain local group anywhere in the forest. Additionally, a universal group can
be used to manage resources, for example, to assign permissions, anywhere in
the forest.
4-28 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Universal groups are useful in multidomain forests. They allow you to define
roles or to manage resources that span more than one domain. The best way to
understand universal groups is through an example: Trey Research has a forest
with three domains: Americas, Asia, and Europe. Each domain has user
accounts and a global group called, Regional Managers, which includes the
managers of that region. Remember that global groups can contain only users
from the same domain. A universal group called, Trey Research Regional
Managers, is created, and the three Regional Managers groups are added as
members. The Trey Research Regional Managers group therefore defines a role
for the entire forest. As users are added to any one of the Regional Managers
groups, they will, through group nesting, be members of the Trey Research
Regional Managers.
Trey Research is planning to release a new product that requires collaboration
across its regions. Resources related to the project are stored on file servers in each
domain. To define who has the ability to modify files related to the new product, a
universal group is created called ACL_New Product_Modify. That group is
assigned the Allow Modify permission to the shared folders on each of the file
servers in each of the domains. The Trey Research Regional Managers group is
made a member of the ACL_New Product_Modify group, as are various global
groups and a handful of users from each of the regions.
As you can see from this example, universal groups can help you to represent and
consolidate roles that span domains in a forest, and to define rules that can be
applied across the forest.

Managing Groups 4-29
Summary of Group Scope Possibilities
Key Points
In day-to-day administration, it is important that you be completely familiar with
the membership characteristics of each group scope.
4-30 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The following table summarizes the objects that can be members of each group
scope.

Group Scope | Members from the Same Domain | Members from Another Domain in the Same Forest | Members from a Trusted External Domain
--- | --- | --- | ---
Local | Users; Computers; Global groups; Universal groups; Domain local groups; also, local users defined on the same computer as the local group | Users; Computers; Global groups; Universal groups | Users; Computers; Global groups
Domain Local | Users; Computers; Global groups; Domain local groups; Universal groups | Users; Computers; Global groups; Universal groups | Users; Computers; Global groups
Universal | Users; Computers; Global groups; Universal groups | Users; Computers; Global groups; Universal groups | N/A
Global | Users; Global groups | N/A | N/A
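A planned nesting can be checked against this table before any change is made in the directory. The following Python script is an added example, not part of the course material: it encodes the table above (including the footnote that local users may only join a local group on their own computer) and evaluates a list of proposed memberships, reporting each one the table rejects. The domain, forest, user, computer and group names other than Sales and ACL_Sales Folders_Read are constructed for this example, and a domain outside the forest is assumed to be a trusted external domain.

```python
"""Check proposed group memberships against the group scope table.
Added example, not from the course. Names other than Sales and
ACL_Sales Folders_Read are constructed; a domain outside the forest is
assumed to be a trusted external domain."""
from dataclasses import dataclass
from typing import List, Tuple

GROUP_SCOPES = ("local", "domain_local", "universal", "global")
SAME, FOREST, EXTERNAL = "same domain", "same forest", "trusted external domain"

# Row: scope of the group being joined. Column: where the member comes from.
# A local group appears in no set, so it can never be a member of another group.
ALLOWED_MEMBERS = {
    "local": {
        SAME:     {"user", "computer", "global", "universal", "domain_local"},
        FOREST:   {"user", "computer", "global", "universal"},
        EXTERNAL: {"user", "computer", "global"},
    },
    "domain_local": {
        SAME:     {"user", "computer", "global", "domain_local", "universal"},
        FOREST:   {"user", "computer", "global", "universal"},
        EXTERNAL: {"user", "computer", "global"},
    },
    "universal": {
        SAME:     {"user", "computer", "global", "universal"},
        FOREST:   {"user", "computer", "global", "universal"},
        EXTERNAL: set(),
    },
    "global": {
        SAME:     {"user", "global"},
        FOREST:   set(),
        EXTERNAL: set(),
    },
}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str          # user, computer, local_user, or one of GROUP_SCOPES
    domain: str
    forest: str
    host: str = ""     # only meaningful for local groups and local (SAM) users


def relationship(member: Principal, group: Principal) -> str:
    """Classify the member's domain relative to the group's domain."""
    if member.domain == group.domain:
        return SAME
    if member.forest == group.forest:
        return FOREST
    return EXTERNAL


def can_be_member(member: Principal, group: Principal) -> Tuple[bool, str]:
    """Return (allowed, reason) for adding member to group per the table."""
    if group.kind not in GROUP_SCOPES:
        return False, f"{group.name} is not a group"
    if member.kind == "local_user":
        ok = group.kind == "local" and member.host == group.host
        return ok, "a local user may join only a local group on the same computer"
    rel = relationship(member, group)
    ok = member.kind in ALLOWED_MEMBERS[group.kind][rel]
    return ok, f"{member.kind} from {rel} {'may' if ok else 'may not'} join a {group.kind} group"


def check_plan(plan: List[Tuple[Principal, Principal]]) -> List[Tuple[str, str, str]]:
    """Return (member, group, reason) for every proposed membership the table rejects."""
    rejected = []
    for member, group in plan:
        ok, why = can_be_member(member, group)
        if not ok:
            rejected.append((member.name, group.name, why))
    return rejected


# Constructed directory: one forest with two domains, plus a trusted external domain.
F1, F2 = "contoso.com", "woodgrovebank.com"
SALES    = Principal("Sales", "global", "CONTOSO", F1)
ACL_READ = Principal("ACL_Sales Folders_Read", "domain_local", "CONTOSO", F1)
DAN      = Principal("dan", "user", "CONTOSO", F1)
EU_SALES = Principal("Europe Sales", "global", "EUROPE", F1)        # child domain, same forest
ALL_SALES = Principal("All Sales", "universal", "CONTOSO", F1)
AUDITORS = Principal("Auditors", "global", "WOODGROVE", F2)         # trusted external domain
OMAR     = Principal("omar", "user", "WOODGROVE", F2)

PLAN = [
    (DAN, SALES),           # identity into a role group: allowed
    (SALES, ACL_READ),      # global role group into a domain local rule group: allowed
    (AUDITORS, ACL_READ),   # global group from a trusted external domain: allowed
    (EU_SALES, SALES),      # global group from another domain into a global group: rejected
    (EU_SALES, ALL_SALES),  # global group from another forest domain into a universal group: allowed
    (OMAR, ALL_SALES),      # external user into a universal group: rejected
    (ACL_READ, ALL_SALES),  # domain local group into a universal group: rejected
]

if __name__ == "__main__":
    for member, group, why in check_plan(PLAN):
        print(f"cannot add {member} to {group}: {why}")
```

Running the plan shows that exactly the three nestings the table forbids are reported, and that the external Auditors group is accepted into the domain local rule group, which is the case the IGDLA scenario later in this lesson relies on.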


Managing Groups 4-31
Develop a Group Management Strategy
Key Points
Adding groups to other groups (a process called nesting) can create a hierarchy of
groups that support your business roles and management rules. Now that you
have learned the business purposes and technical characteristics of groups, it is
time to align the two in a strategy for group management.
Earlier in this lesson, you learned what types of objects can be members of each
group scope. Now it is time to identify what types of objects should be members of
each group scope. This leads to the best practice for group nesting, known as
IGDLA. IGDLA stands for Identities, Global groups, Domain local groups, and
Access:
Identities (user and computer accounts) are members of:
Global groups that represent business roles. Those role groups (global groups)
are members of:
4-32 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Domain Local groups that represent management rules, determining who has
Read permission to a specific collection of folders, for example. These rule
groups (domain local groups) are granted:
Access to resources. In the case of a shared folder, access is granted by adding
the domain local group to the folder's access control list (ACL), with a
permission that provides the appropriate level of access.
Note: This approach of group nesting was earlier known as AGDLP, that is, Accounts, Global
Groups, Domain Local Groups, Permissions. However, the terminology used in this
course, IGDLA, has a more general scope of application and it also aligns with industry-standard
terminology.
In a multidomain forest, there are universal groups also, which fit in between
global and domain local groups. Global groups from multiple domains are
members of a single universal group. That universal group is a member of domain
local groups in multiple domains. You can remember the nesting as IGUDLA.
This best practice for implementing group nesting translates well even in
multidomain scenarios. Consider the figure below:
This figure represents a group implementation that reflects not only the technical
view of group management best practices (IGDLA), but also the business view of
role-based, rule-based management.
Managing Groups 4-33
Consider the following scenario:
The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from
the previous year are in a folder called, Sales. The sales force needs Read access to
the Sales folders. Additionally, a team of auditors from Woodgrove Bank, a
potential investor, require Read access to the Sales folders to perform the audit.
The following steps are required to implement the security required by this
scenario:
1. Assign users with common job responsibilities or other business
characteristics to role groups implemented as global security groups. This
happens separately in each domain. Sales people at Contoso are added to a
Sales role group. Auditors at Woodgrove Bank are added to an Auditors role
group.
2. Create a group to manage access to the Sales folders with Read permission.
This is implemented in the domain containing the resource that is being
managed. In this case, it is the Contoso domain in which the Sales folders
reside. The resource access management rule group is created as a domain
local group, ACL_Sales Folders_Read.
3. Add the role groups to the resource access management rule group to
represent the management rule. These groups can come from any domain in
the forest or from a trusted domain such as Woodgrove Bank. Global groups
from trusted external domains, or from any domain in the same forest, can be
members of a domain local group.
4. Assign the permission that implements the required level of access. In this
case, grant the Allow Read permission to the domain local group.

This strategy results in single points of management, reducing the management
burden. There is one point of management that defines who is in Sales, or who is
an Auditor. Those roles, of course, are likely to have access to a variety of resources
beyond simply the Sales folders. There is another single point of management to
determine who has Read access to the Sales folders; and the Sales folders may not
just be a single folder on a single server. It could be a collection of folders across
multiple servers, each of which assigns the Allow Read permission to the single
domain local group.
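The scenario above can be modelled to check the two questions the strategy promises to make easy: who can read the Sales folders, and where a permission has been granted outside the IGDLA chain. The following Python script is an added example, not part of the course material. It takes a small constructed directory (the member attribute of the Sales, Auditors and ACL_Sales Folders_Read groups, with constructed user names and a constructed WOODGROVE NetBIOS name for the Woodgrove Bank domain), the ACLs of the Sales folders on three constructed servers, and resolves effective access by expanding nested membership transitively. One direct user entry on the third server is included deliberately so the deviation report has something to find.

```python
"""Resolve effective access for the Contoso Sales folders under IGDLA.
Added example, not from the course. User names, server names and the
WOODGROVE domain name are constructed; group names come from the scenario."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed export of each group's member attribute.
MEMBERS: Dict[str, Set[str]] = {
    "CONTOSO\\Sales":                  {"CONTOSO\\dan", "CONTOSO\\jane"},
    "WOODGROVE\\Auditors":             {"WOODGROVE\\omar"},
    "CONTOSO\\ACL_Sales Folders_Read": {"CONTOSO\\Sales", "WOODGROVE\\Auditors"},
}
SCOPE = {
    "CONTOSO\\Sales": "global",
    "WOODGROVE\\Auditors": "global",
    "CONTOSO\\ACL_Sales Folders_Read": "domain local",
}
# ACLs of the Sales folders on three constructed servers: (trustee, permission).
# The direct user entry on SRV03 is a deliberate deviation from the strategy.
ACLS: Dict[str, List[Tuple[str, str]]] = {
    r"\\SRV01\Sales": [("CONTOSO\\ACL_Sales Folders_Read", "Read")],
    r"\\SRV02\Sales": [("CONTOSO\\ACL_Sales Folders_Read", "Read")],
    r"\\SRV03\Sales": [("CONTOSO\\ACL_Sales Folders_Read", "Read"), ("CONTOSO\\bob", "Read")],
}


def expand(group: str) -> Dict[str, List[str]]:
    """Transitive membership: each leaf identity -> chain of groups from the
    identity's own group up to `group`. The seen set guards against circular nesting."""
    result: Dict[str, List[str]] = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for m in MEMBERS.get(current, ()):
            if m in MEMBERS:                      # nested group
                if m not in seen:
                    seen.add(m)
                    queue.append((m, [m] + chain))
            else:                                 # leaf identity
                result.setdefault(m, chain)
    return result


def who_can(resource: str, permission: str) -> Dict[str, List[str]]:
    """Answer "who can read the Sales folder?" by expanding every matching ACE."""
    users: Dict[str, List[str]] = {}
    for trustee, perm in ACLS[resource]:
        if perm != permission:
            continue
        if trustee in MEMBERS:
            for u, chain in expand(trustee).items():
                users.setdefault(u, chain)
        else:
            users.setdefault(trustee, [])        # granted directly to the identity
    return users


def what_can(user: str) -> Set[Tuple[str, str]]:
    """Every (resource, permission) the user holds through any chain."""
    return {(res, perm) for res, aces in ACLS.items()
            for _, perm in aces if user in who_can(res, perm)}


def strategy_deviations() -> List[Tuple[str, str]]:
    """ACEs whose trustee is not a domain local rule group: extra points of
    management that the IGDLA strategy says should not exist."""
    return [(res, t) for res, aces in ACLS.items()
            for t, _ in aces if SCOPE.get(t) != "domain local"]


if __name__ == "__main__":
    for user, chain in who_can(r"\\SRV01\Sales", "Read").items():
        print(user, "via", " -> ".join(chain) or "direct ACE")
    print("deviations:", strategy_deviations())
```

With the single domain local group on every server, adding a user to Sales or Auditors changes the answer for all three folders at once, and the only place the report has to look beyond group membership is the direct ACE on SRV03.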

4-34 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Default Groups
Key Points
There are a number of groups that are created automatically on a Windows Server
2008 server. These are called default local groups, and they include well-known
groups such as Administrators, Backup Operators, and Remote Desktop Users.
There are additional groups that are created in a domain, both in the Builtin and
Users containers, including Domain Admins, Enterprise Admins, and Schema
Admins. The following list provides a summary of capabilities of the subset of
default groups that have significant permissions and user rights related to the
management of Active Directory.
Enterprise Admins (Users Container of the Forest Root Domain)
This group is a member of the Administrators group in every domain in the forest,
giving it complete access to the configuration of all domain controllers. It also
owns the Configuration partition of the directory and has full control of the
domain naming context in all forest domains.
Managing Groups 4-35
Schema Admins (Users Container of the Forest Root Domain)
This group owns and has full control of the Active Directory schema.
Administrators (Builtin Container of Each Domain)
This group has complete control over all domain controllers and data in the
domain naming context. It can change the membership of all other administrative
groups in the domain, and the Administrators group in the forest root domain can
change the membership of Enterprise Admins, Schema Admins, and Domain
Admins. The Administrators group in the forest root domain is arguably the most
powerful service administration group in the forest.
Domain Admins (Users Container of Each Domain)
This group is added to the Administrators group of its domain. It therefore inherits
all of the capabilities of the Administrators group. It is also, by default, added to the
local Administrators group of each domain member computer, giving Domain
Admins ownership of all domain computers.
Server Operators (Builtin Container of Each Domain)
This group can perform maintenance tasks on domain controllers. It has the right
to log on locally, start and stop services, perform backup and restore operations,
format disks, create or delete shares, and shut down domain controllers. By
default, this group has no members.
Account Operators (Builtin Container of Each Domain)
This group can create, modify, and delete accounts for users, groups, and
computers located in any OU in the domain (except the Domain Controllers OU),
and in the Users and Computers container. Account Operators cannot modify
accounts that are members of the Administrators or Domain Admins groups, nor
can they modify those groups. Account Operators can also log on locally to
domain controllers. By default, this group has no members.
Backup Operators (Builtin Container of Each Domain)
This group can perform backup and restore operations on domain controllers, and
log on locally and shut down domain controllers. By default, this group has no
members.
Print Operators (Builtin Container of Each Domain)
This group can maintain print queues on domain controllers. It can also log on
locally and shut down domain controllers.
4-36 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The default groups that provide administrative privileges should be managed
carefully, because they typically have broader privileges than are necessary for
most delegated environments; and because they often apply protection to their
members.
The Account Operators group is a perfect example. If you examine its capabilities
in the preceding list, you will see that its rights are very broad indeed. It can even
log on locally to a domain controller. In very small enterprises, such rights would
probably be appropriate for one or two individuals who would probably be
domain administrators anyway. In larger enterprises, the rights and permissions
granted to Account Operators are usually far too broad.
Additionally, the Account Operators group is, like the other administrative groups,
a protected group.
Protected groups are defined by the operating system and cannot be unprotected.
Members of a protected group become protected. The result of protection is that
the permissions (ACLs) of members are modified so that they no longer inherit
permissions from their OU, but rather receive a copy of an ACL that is quite
restrictive. The mechanism is the AdminSDHolder process, which runs periodically
on the PDC emulator, sets adminCount to 1 on each member of a protected group,
blocks inheritance, and copies the ACL of the AdminSDHolder object in the System
container onto the member. For example, if Jeff Ford is added to the Account
Operators group, his account becomes protected, and the help desk, which can
reset all other user passwords in the Employees OU, cannot reset Jeff Ford's
password.
For these reasons of overdelegation and protection, you should strive to avoid
adding users to the groups listed above that do not have members by default:
Account Operators, Backup Operators, Server Operators, and Print Operators.
Instead, create custom groups to which you assign permissions and user rights that
achieve your business and administrative requirements.
For example, if Scott Mitchell should be able to perform backup operations on a
domain controller, but should not be able to perform restore operations that could
lead to database rollback or corruption, and should not be able to shut down a
domain controller, do not put Scott in the Backup Operators group. Instead, create
a group and assign it only the Backup Files And Directories user right, then add
Scott as a member.
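A read-only audit of the default administrative groups described above, as an added example that is not part of the course text. It reports which of the operator groups that should be empty have gained members, who is in the high-privilege groups (expanding nested groups), and which accounts still carry adminCount=1 although they are no longer in any of these groups. It assumes nothing beyond the Active Directory module and the group names the text uses.

```powershell
# Added example, not from the course text. Read-only audit of the default
# administrative groups listed above and of the accounts they protect.
Import-Module ActiveDirectory

$operatorGroups = "Account Operators", "Server Operators", "Backup Operators", "Print Operators"
$adminGroups    = "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators"

function Get-PrivilegedGroupReport {
    $inScope = @()
    foreach ($name in $operatorGroups + $adminGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups, so a user who is an Account Operator
        # through a nested group is reported as well.
        $users = @(Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq "user" })
        $inScope += $users | ForEach-Object { $_.DistinguishedName }
        $flag = ""
        if ($operatorGroups -contains $name -and $users.Count -gt 0) { $flag = "<- should be empty" }
        "{0,-18} {1,3} user(s) {2}" -f $name, $users.Count, $flag
        $users | ForEach-Object { "    " + $_.SamAccountName }
    }
    # Protection is not removed automatically when an account leaves a protected
    # group: adminCount stays 1 and inheritance stays blocked until an
    # administrator clears them, so such accounts keep the restrictive ACL.
    "Accounts with adminCount=1 that are not in any group above:"
    Get-ADUser -LDAPFilter "(adminCount=1)" |
        Where-Object { $inScope -notcontains $_.DistinguishedName } |
        ForEach-Object { "    " + $_.SamAccountName + "  " + $_.DistinguishedName }
}

Get-PrivilegedGroupReport
```

The last list is an approximation: a few protected principals are not in the groups above (the Administrator and krbtgt accounts, and the Replicator, Domain Controllers and Read-only Domain Controllers groups), so accounts that reach protection only through those will also be listed. Treat every entry as something to explain rather than something to clear blindly.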


Managing Groups 4-37
Special Identities
Key Points
Windows and Active Directory also support special identities, groups for which
membership is controlled by the operating system. You cannot view the groups in
any list (in the Active Directory Users and Computers snap-in, for example), you
cannot view or modify the membership of these special identities, and you cannot
add them to other groups. You can, however, use these groups to assign rights and
permissions. The most important special identities, often referred to as groups, for
convenience, are described in the following list:
Anonymous Logon. This identity represents connections to a computer and its
resources that are made without supplying a user name and password. Prior to
Windows Server 2003, this group was a member of the Everyone group.
Beginning with Windows Server 2003, this group is no longer a default
member of the Everyone group.
Authenticated Users. This represents identities that have been authenticated.
This group does not include Guest, even if the Guest account has a password.
4-38 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Everyone. This identity includes Authenticated Users and the Guest account.
On computers running versions of Windows earlier than Windows Server
2003, this group includes Anonymous Logon.
Interactive. This represents users accessing a resource while logged on locally
to the computer that is hosting the resource, as opposed to accessing the
resource over the network. When a user accesses any given resource on a
computer to which the user is logged on locally, the user is automatically
added to the Interactive group for that resource. Interactive also includes users
logged on through a Remote Desktop connection.
Network. This represents users accessing a resource over the network, as
opposed to users who are logged on locally at the computer that is hosting the
resource. When a user accesses any given resource over the network, the user
is automatically added to the Network group for that resource.

The importance of these special identities is that they allow you to provide access
to resources based on the type of authentication or connection, rather than the
user account. For example, you could create a folder on a system that allows users
to view its contents when they are logged on locally to the system, but that does
not allow the same users to view the contents from a mapped drive over the
network. This would be achieved by assigning permissions to the Interactive
special identity.

Managing Groups 4-39
Lesson 2
Administer Groups
Objectives
After completing this lesson, you will be able to:
Create groups with DSADD, CSVDE, and LDIFDE.
Manage and convert group type and scope.
Manage group membership with DSMOD and LDIFDE.
Enumerate group membership with DSGET.
Delete a group with DSRM.
Copy group membership.


4-40 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Tools for Group Management
Key Points
You can use several GUI-based and command-line tools to create and manage
groups in Active Directory Domain Services (AD DS). Each tool provides similar
functionality, but the usage scenario will determine which tool is most appropriate.
In this topic, we will review the available tools for creating and managing groups.
Active Directory Users and Computers
The Active Directory Users and Computers console is primarily used for group
management on a day-to-day basis. It is a GUI-based console and is available in
earlier versions of Windows Server. It can be used locally on a domain controller
or installed on another server or workstation, and then used remotely. In this
console, you can create groups, manage group membership, convert a group from
one type to another, and change group scope. Using this console, you can also
delete groups, modify group properties, and rename groups. This console is very
user-friendly and convenient for simple tasks performed on a relatively small
number of group objects.
Managing Groups 4-41
Note: The content in the following section Active Directory Administrative Center only applies
to Windows Server 2008 R2.
Active Directory Administrative Center
In Windows Server 2008 R2, in addition to using Active Directory Users and
Computers, administrators can manage their directory service objects by using the
new Active Directory Administrative Center.
Built on Windows PowerShell command-line interface technology, Active
Directory Administrative Center provides network administrators with an
enhanced Active Directory data management experience and a rich GUI.
Administrators can use Active Directory Administrative Center to perform common
Active Directory object management tasks through both data-driven navigation and
task-oriented navigation.
Although this console provides almost the same functionality as Active Directory
Users and Computers when it comes to groups, it is not based on the same
technology. In this console, you can use the enhanced GUI to customize Active
Directory Administrative Center to meet your particular directory service
administering requirements. This can help improve your productivity and
efficiency as you perform common Active Directory object management tasks.
Windows PowerShell with Active Directory Module
Windows PowerShell is a command-line shell and scripting language that can
help information technology (IT) professionals to control system administration
more easily and achieve greater productivity.
The Active Directory module for Windows PowerShell in Windows Server 2008 R2
is a Windows PowerShell module named Active Directory that consolidates a
group of cmdlets. You can use these cmdlets to manage your Active Directory
domains, Active Directory Lightweight Directory Services (AD LDS) configuration
sets, and Active Directory Database Mounting Tool instances in a single, self-
contained package.
Using Windows PowerShell, you can manage groups, and perform the following
tasks:
View the permissions of a group by using the Get-ACL cmdlet.
Create a group by using the New-ADGroup cmdlet.
View the nested members of a group by using the Get-ADGroupMember
cmdlet.
Move a group within a domain by using the Move-ADObject cmdlet.
4-42 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Enable Universal group membership caching by using the Set-ADObject
cmdlet.
View the direct members of a group by using the Get-ADGroupMember
cmdlet.
Modify group attributes by using the Set-ADGroup cmdlet.
Resolve a primary group ID by using the Get-ADUser cmdlet.
Add and remove members of a group by using the Add-ADGroupMember or
Remove-ADGroupMember cmdlets.
Change the scope or type of a group by using the Set-ADGroup cmdlet.
Restore a deleted group by using the Restore-ADObject cmdlet.

For example, if you want to create a global group named, ITAdmins, in the
contoso.com domain by using Windows PowerShell, you need to use the following
command.
New-ADGroup -Name "ITAdmins" -SamAccountName ITAdmins -GroupCategory
Security -GroupScope Global -DisplayName "IT Administrators" -Path
"CN=Users,DC=Contoso,DC=Com"
If you want to view the direct members of the group, ITAdmins, in the
contoso.com domain, you can use following syntax.
Get-ADGroupMember ITAdmins | FT Name,ObjectClass -A
The following example demonstrates how to move the group SvcAccPSOGroup
from the OU Managed to the OU ManagedGroups in the contoso.com domain.
Move-ADObject "CN=SvcAccPSOGroup,OU=Managed,DC=Contoso,DC=Com" -TargetPath "OU=ManagedGroups,DC=Contoso,DC=Com"
The following example demonstrates how to add the user, SaraDavis, to the group,
SvcAccPSOGroup.
Add-ADGroupMember -Identity SvcAccPSOGroup -Member SaraDavis
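The cmdlet list above distinguishes the direct members of a group from its nested members, and a user's memberOf attribute only records direct memberships. The following functions, an added example that is not part of the course text, answer both questions: every user in a group including those reached through nested groups, and every group a user belongs to including indirect membership. The group and user names in the usage lines are assumptions.

```powershell
# Added example, not from the course text. Nested membership in both directions
# with the Active Directory module. Names in the usage lines are assumptions.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value, so a DN
    # containing parentheses or backslashes cannot break or widen the query.
    param([string]$Value)
    $Value = $Value.Replace("\", "\5c")
    $Value = $Value.Replace("*", "\2a")
    $Value = $Value.Replace("(", "\28")
    $Value = $Value.Replace(")", "\29")
    return $Value
}

function Get-NestedGroupUsers {
    # Get-ADGroupMember -Recursive walks nested groups and returns only the leaf
    # objects: a user placed in Sales, where Sales is nested in the ACL group,
    # is listed once for the ACL group.
    param([Parameter(Mandatory=$true)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq "user" } |
        Sort-Object SamAccountName -Unique
}

function Get-NestedUserGroups {
    # memberOf is a backlink of direct memberships only. The
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) makes the
    # domain controller follow the member chain server-side, in a single query.
    param([Parameter(Mandatory=$true)][string]$User)
    $dn = (Get-ADUser -Identity $User).DistinguishedName
    $escaped = ConvertTo-LdapFilterValue $dn
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Sort-Object Name
}

# Usage (names are assumptions; they must exist in your domain):
# Get-NestedGroupUsers -Group "ACL_Sales Folders_Read" |
#     Format-Table SamAccountName, DistinguishedName -AutoSize
# Get-NestedUserGroups -User "SaraDavis" |
#     Format-Table Name, GroupScope, DistinguishedName -AutoSize
```

Two caveats apply to both functions: neither includes the user's primary group (Domain Users by default), which is recorded in primaryGroupID rather than in a member attribute; and both query only the current domain, so for memberships in other domains of the forest run the same calls with -Server against a global catalog.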

Managing Groups 4-43
Note: For a full explanation of the parameters that you can pass to any cmdlet in Windows
PowerShell, at the Active Directory module command prompt, type Get-Help
cmdletname -detailed and then press Enter.
DS commands
In previous versions of Windows Server, such as Windows Server 2003, where
Windows PowerShell was not included, other command-line utilities were used to
manage Active Directory objects.
These command-line tools were provided with server operating systems to allow
better and more productive management of the directory service. These tools are
called DS commands.
The following is a list of DS commands and their functionality:
DSGet. Returns the current value of the specified directory object property
DSQuery. Allows the directory service to be searched for an object or all
objects with like properties
DSMod. Helps an administrator change properties for existing directory
objects
DSRm. Removes objects from the directory
DSAdd. Allows administrators to add new directory objects
DSMove. Allows objects to be moved from one OU to another

These commands can be also used in Windows Server 2008 R2 to manage groups.
However, because Windows Server 2008 R2 includes a newer and more powerful
command-line based environment, these tools are used to support legacy scripts.
For example, to create a new global security group named, Marketing, the
following command would be used.
dsadd group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -samid Marketing -secgrp yes -scope g

4-44 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Demonstration: Create a Group Object
Key Points
Groups are an important class of object, because they are used to collect users,
computers, and other groups to create a single point of management. The most
straightforward and common use of a group is to grant permissions to a shared
folder. For example, if a group has been given the Read access to a folder, any of
the group's members will be able to read the folder. You do not have to grant Read
access directly to each individual member; you can manage access to the folder
simply by adding and removing members of the group.
Demonstration steps:
Create a group by using Active Directory Users and Computers.
Configure group properties.
Change group scope by using Windows PowerShell with Active Directory
Module.

Managing Groups 4-45
Manage Group Membership
Key Points
You can add or remove members of a group by using several methods. These
include using the Members tab, the Member of tab, the Add to a group command,
and the Member and MemberOf Attributes.
The Members Tab
To manage group membership by using the group's Members tab:
1. Open the group's Properties dialog box.
2. Click the Members tab.
3. To remove a member, simply select the member and click Remove.
4-46 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
4. To add a member, click the Add button. The Select Users, Computers,
Service Accounts, or Groups dialog box appears, as follows:


There are several tips worth mentioning about this process:
In the Select dialog box, in the Enter The Object Names box, you can type
multiple accounts separated by semicolons. For example, in the screenshot
shown above, both sales and finance were entered. They are separated by a
semicolon.
You can type partial names of accounts; you do not need to type the full name.
Windows searches Active Directory for accounts that begin with the name you
entered. If there is only one match, Windows selects it automatically. If there
are multiple accounts that match, the Multiple Names Found dialog box
appears, allowing you to select the specific object you want. This shortcut
(typing partial names) can save time when you are adding members to groups
and can help when you don't remember the exact name of a member.
By default, Windows searches only for users and groups that match the names
you enter in the Select dialog box. If you want to add computers to a group,
you must click the Options button and select Computers.
Managing Groups 4-47
By default, Windows searches only domain groups. If you want to add local
accounts, click the Locations button on the Select dialog box.
If you cannot find the member you want to add, click the Advanced button on
the Select dialog box. A more powerful query window will appear, giving you
more options for searching Active Directory.

The Member Of Tab
To manage group membership by using the member object's Member Of tab:
1. Open the properties of the member object, and then click its Member Of tab.
2. To remove the object from a group, select the group and then click the
Remove button.
3. To add the object to a group, click the Add button, and then select the group.

The Add to a group Command
To manage group membership by using the Add to a group command:
1. Right-click one or more selected objects in the Active Directory Users and
Computers details pane.
2. Click the Add to a group command.
3. Use the Select dialog box to specify the group.

The Member and MemberOf Attributes
When you add a member to a group, you change the group's member attribute.
The member attribute is a multivalued attribute. Each member is a value
represented by the distinguished name of the member. If the member is moved or
renamed, Active Directory automatically updates the member attributes of groups
that include the member.
When you add a member to a group, the member's memberOf attribute is also
updated, indirectly. The memberOf attribute is a special type of attribute called a
backlink. It is updated by Active Directory when a forward link attribute, such as
member, refers to the object. When you add a member to a group, you are always
changing the member attribute. Therefore, when you use the Member Of tab of an
object to add it to a group, you are actually changing the group's member attribute.
Active Directory updates the memberOf attribute automatically.
4-48 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Helping Membership Changes Take Effect Quickly
When you add a user to a group, the membership does not take effect immediately.
Group membership is evaluated at logon for a user (at startup for a computer).
Therefore, a user will have to log off and log on before the membership change
becomes a part of the user's token.
Additionally, there may be a delay while the group membership change replicates.
(Replication will be discussed in Module 12.) This is particularly true if your
enterprise has more than one Active Directory site. You can facilitate the speed
with which a change impacts a user by making the change on a domain controller
in the user's site. Right-click the domain in the Active Directory Users and
Computers snap-in, and then click Change Domain Controller.


Managing Groups 4-49
Import Groups with CSVDE
Key Points
CSVDE imports data from comma-separated values (.csv) files. It can also export
data to a .csv file. The following example shows a .csv file that will create a group,
Marketing, and populate the group with two members: Linda Mitchell and Scott
Mitchell.
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com","CN=Linda Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"
The objects listed in the member attribute must already exist in the directory
service. Their distinguished names are separated by semicolons within the member
column.
4-50 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Take note of the quotation marks used in the above example. Quotation marks are
required when an attribute includes a comma; otherwise, the comma would be
interpreted as a delimiter. The distinguished name of the group includes commas,
and so must be surrounded by quotation marks. In the case of a multivalued
attribute such as member, each value is separated by a semicolon; there are two
values in member in the above example. The entire member attribute is surrounded
by quotation marks, not each individual value of the member attribute.
You can import this file into Active Directory by using the following command.
csvde -i -f "filename" [-k]
The -i parameter specifies import mode. Without it, CSVDE uses export mode.
The -f parameter precedes the file name, and the -k parameter ensures that
processing continues even if errors are encountered, such as the object already
exists, or the member cannot be found.
CSVDE can be used to create objects, not to modify existing objects. You cannot
use CSVDE to import members to existing groups.

Managing Groups 4-51
Import Groups with LDIFDE
Key Points
LDIFDE is a tool that imports and exports files in the Lightweight Directory Access
Protocol Data Interchange Format (LDIF) format. LDIF files are text files within
which operations are specified by a block of lines separated by a blank line. Each
operation begins with the distinguished name attribute of the object that is the
target of the operation. The next line, changeType, specifies the type of operation:
add, modify, or delete.
4-52 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The following LDIF file creates two groups, Finance and Research.
DN: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance

DN: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Research
description: Research Users
objectClass: group
sAMAccountName: Research
Convention would suggest saving the file with an .ldf extension, for example,
groups.ldf.
To import the groups into the directory, type the ldifde.exe command as shown in
the following example.
ldifde -i -f groups.ldf
The -i parameter specifies import mode. Without it, LDIFDE uses export mode.
The -f parameter precedes the file name, and the optional -k parameter ensures
that processing continues even if errors are encountered, such as the object
already exists.

Managing Groups 4-53
Convert Group Type and Scope
Key Points
If, after creating a group, you determine that you need to modify the group's scope
or type, you can do so. Open the Properties of an existing group, and on the
General tab, shown in the following image, you will see the existing scope and
type. At least one more scope and type are available to be selected.
4-54 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

You can convert the group type at any time by changing the selection in the Group
Type section of the General tab. Be cautious, however; when you convert a group
from security to distribution, any resources to which the group had been assigned
permission will no longer be accessible in the same way. After the group becomes a
distribution group, users who log on to the domain will no longer include the
group's SID in their security access tokens.
You can change the group scope in one of the following ways:
Global to Universal
Domain local to Universal
Universal to Global
Universal to Domain local

The only scope changes that you cannot make directly are from global to domain
local or domain local to global. However, you can make these changes indirectly by
first converting to universal scope, then converting to the desired scope. So, all
scope changes are possible.
Remember, however, that a groups scope determines the types of objects that can
be members of the group. If a group already contains members, or is a member of
another group, you will be prevented from changing the scope. For example, if a
global group is a member of another global group, you cannot change the first
group to universal scope, because a universal group cannot be a member of a
Managing Groups 4-55
global group. You will be given an explanatory error message, such as that shown
below. You must correct the membership conflicts before you can change the
group's scope.

The DSMod command can be used to change group type and scope by using the
following syntax.
dsmod group GroupDN -secgrp { yes | no } -scope { l | g | u }
The GroupDN is the distinguished name of the group to modify. The following two
parameters affect group scope and type.
-secgrp { yes | no }. Specifies group type: security (yes) or distribution (no)
-scope { l | g | u }. Determines the group scope: domain local (l), global (g), or
universal (u)
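The scope rules above, as a script: an added example that is not part of the course text. It wraps Set-ADGroup -GroupScope so that a change between global and domain local goes through universal, and it checks the group's parents and child groups for the conflicts the text describes before changing anything, so a failed check leaves the group in its original scope rather than stranded at universal. The group name in the usage line is an assumption.

```powershell
# Added example, not from the course text. Scope conversion with the nesting
# rules checked first. The group name in the usage line is an assumption.
Import-Module ActiveDirectory

function Test-ScopeChange {
    # Returns descriptions of the memberships that block changing $Group to $NewScope.
    param($Group, [string]$NewScope)
    $parents  = @(Get-ADPrincipalGroupMembership -Identity $Group)
    $children = @(Get-ADGroupMember -Identity $Group |
                  Where-Object { $_.objectClass -eq "group" } |
                  ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName })
    $problems = @()
    if ($NewScope -eq "Universal") {
        # A universal group cannot be a member of a global group ...
        $problems += $parents | Where-Object { $_.GroupScope -eq "Global" } |
                     ForEach-Object { "member of global group $($_.Name)" }
        # ... and cannot contain domain local groups.
        $problems += $children | Where-Object { $_.GroupScope -eq "DomainLocal" } |
                     ForEach-Object { "contains domain local group $($_.Name)" }
    }
    if ($NewScope -eq "Global") {
        # A global group may contain only accounts and global groups of its own domain.
        $problems += $children | Where-Object { $_.GroupScope -ne "Global" } |
                     ForEach-Object { "contains $($_.GroupScope) group $($_.Name)" }
    }
    if ($NewScope -eq "DomainLocal") {
        # A domain local group may be a member of domain local groups only.
        $problems += $parents | Where-Object { $_.GroupScope -ne "DomainLocal" } |
                     ForEach-Object { "member of $($_.GroupScope) group $($_.Name)" }
    }
    return $problems
}

function Convert-GroupScope {
    param([Parameter(Mandatory=$true)][string]$Identity,
          [Parameter(Mandatory=$true)][ValidateSet("Global", "DomainLocal", "Universal")][string]$TargetScope)
    $g = Get-ADGroup -Identity $Identity
    if ($g.GroupScope -eq $TargetScope) { return "$($g.Name) is already $TargetScope" }
    # Direct changes exist only to or from Universal, so Global <-> DomainLocal
    # is a two-step path.
    $path = @()
    if ($g.GroupScope -ne "Universal" -and $TargetScope -ne "Universal") { $path += "Universal" }
    $path += $TargetScope
    foreach ($step in $path) {
        $conflicts = Test-ScopeChange -Group $g -NewScope $step
        if ($conflicts) {
            throw "Cannot change $($g.Name) to $step until fixed: $($conflicts -join '; ')"
        }
        Set-ADGroup -Identity $g -GroupScope $step
        "$($g.Name): scope is now $step"
    }
}

# Usage (group name is an assumption):
# Convert-GroupScope -Identity "Sales" -TargetScope DomainLocal
```

The pre-check only looks at direct parents and direct child groups, which is exactly what the directory validates; the domain controller still enforces the same rules and will refuse the change if something was missed, so the Set-ADGroup error is the final word.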

4-56 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Modify Group Membership with LDIFDE
Key Points
LDIFDE can also be used to modify existing objects in Active Directory by using
LDIF operations with a changeType of modify. To add two members to the
Finance group, the LDIF file would be as follows.
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changetype: modify
add: member
member: CN=April Stewart,OU=Employees,OU=User Accounts,dc=contoso,dc=com
member: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,dc=contoso,dc=com
-
Managing Groups 4-57
The changeType is set to modify, and then the change operation is specified: add
objects to the member attribute. Each new member is then listed on a separate line
that begins with the attribute name, member. The change operation is terminated
with a line containing a single dash. Changing the third line to the following would
remove the two specified members from the group.
delete: member
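Because CSVDE creates objects only, membership changes to an existing group go through LDIFDE with a changetype of modify. The script below, an added example that is not part of the course text, generates the LDIF block shown above for any list of users and either operation (add or delete), imports it with ldifde.exe, and verifies the result against the group's direct membership. The group and user names are assumptions.

```powershell
# Added example, not from the course text. Generates, imports and verifies an
# LDIF membership change. Group and user names are assumptions.
Import-Module ActiveDirectory

function New-MemberChangeLdif {
    param([Parameter(Mandatory=$true)][string]$GroupDN,
          [Parameter(Mandatory=$true)][string[]]$MemberDNs,
          [Parameter(Mandatory=$true)][ValidateSet("add", "delete")][string]$Operation,
          [Parameter(Mandatory=$true)][string]$Path)
    $lines = @("dn: $GroupDN", "changetype: modify", "${Operation}: member")
    # One complete DN per member: line, never wrapped. LDIF joins a continuation
    # line (leading space) without the space, which would corrupt the DN.
    foreach ($dn in $MemberDNs) { $lines += "member: $dn" }
    $lines += "-"          # terminates the change operation
    $lines += ""           # blank line terminates the record
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

$groupDN = "CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com"
$users   = "April.Stewart", "Mike.Fitzmaurice"        # sAMAccountNames, assumed
$ldf     = Join-Path $env:TEMP "finance-members.ldf"

# member holds distinguished names, so resolve each account first; a name that
# does not resolve stops the script here instead of producing a bad LDIF line.
$memberDNs = foreach ($u in $users) { (Get-ADUser -Identity $u -ErrorAction Stop).DistinguishedName }

New-MemberChangeLdif -GroupDN $groupDN -MemberDNs $memberDNs -Operation add -Path $ldf | Out-Null

# -k keeps processing after errors such as a user that is already a member,
# instead of aborting the whole import.
& ldifde.exe -i -f $ldf -k

# Verify against the group's direct membership.
$now = @(Get-ADGroupMember -Identity $groupDN | ForEach-Object { $_.DistinguishedName })
foreach ($dn in $memberDNs) {
    if ($now -contains $dn) { "present: $dn" } else { "MISSING: $dn" }
}
```

To remove the same users, call the function with -Operation delete; the only difference in the file is the third line. Distinguished names containing characters outside ASCII must be written base64-encoded on a "member::" line, which this function does not do.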

4-58 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Copy Group Membership
Key Points
You can use DSGet in combination with DSMod to copy group membership. In
the following example, the DSGet command is used to get information about all
the members of the Sales group, and then, by piping that list to DSMod, to add
those users to the Marketing group.
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members |
dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr
Notice the use of piping. The "output" of DSGet (distinguished names of members
of the first group) is piped, using the pipe symbol ("|"), to act as the "input" for the
DNs that are missing from the -addmbr switch.
Similarly, the DSGet and DSMod commands can work together to copy the group
membership of one object, such as a user, to another object.
dsget user "SourceUserDN" -memberof |
dsmod group -addmbr "TargetUserDN"

Managing Groups 4-59
Delete Groups
Key Points
You can delete a group in the Active Directory Users and Computers snap-in by
right-clicking the group and choosing the Delete command.
Also, DSRm can be used to delete a group or any other Active Directory object. The
basic syntax of DSRm is as follows.
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
The object is specified by its distinguished name in the ObjectDN parameter. You
will be prompted to confirm the deletion of each object, unless you specify the
-noprompt option. The -c switch puts DSRm into continuous operation mode, in
which errors are reported but the command keeps processing additional objects;
without the -c switch, processing halts on the first error.
The -subtree option causes DSRm to delete the object and all child objects. The
-subtree -exclude option will delete all child objects, but not the object itself.
4-60 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
To delete the Public Relations group, type the following command.
dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
Know the Impact Before Deleting a Group
When you delete a group, you are removing a point of management in your
organization. Be certain you have evaluated the environment to know that there are
no permissions or other resources that rely on the group. Deleting a group is a
serious action with potentially significant consequences. When you delete a group,
you remove its SID. Re-creating the group with the same name does not restore
permissions, because the new group's SID is different from that of the original
group; ACLs that referenced the old SID now show an unresolvable SID (Account
Unknown) and grant nothing to the new group.
We recommend that before you delete a group, you record its membership and
remove all members for a period of time, to determine whether the members lose
access to any resources. If anything goes wrong, simply re-add the members. If the
test succeeds, then delete the group.
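The staged deletion recommended above, as an added Windows PowerShell example written for this edition rather than taken from the course files. It uses the Active Directory module of Windows Server 2008 R2 (which needs a domain controller running Active Directory Web Services); the group DN and the backup folder are placeholders.

```powershell
# Added example, not from the course text. Stages the deletion of a group the
# way the lesson recommends: record identity and membership, empty the group
# for a trial period, restore it if access breaks, delete only afterward.
# Assumptions: Active Directory module available; $GroupDN and $BackupPath are
# placeholders for your environment.
Import-Module ActiveDirectory

$GroupDN    = "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
$BackupPath = "C:\GroupBackups"

function Backup-GroupMembership {
    param([string]$Identity, [string]$Folder)
    $group = Get-ADGroup -Identity $Identity -Properties member, description, info, managedBy
    # The SID is what every ACL actually references; a re-created group gets a
    # new one, so record it alongside the direct members (nested groups are
    # members like any other and stay intact).
    $record = New-Object PSObject -Property @{
        DistinguishedName = $group.DistinguishedName
        SamAccountName    = $group.SamAccountName
        Sid               = $group.SID.Value
        GroupScope        = $group.GroupScope.ToString()
        GroupCategory     = $group.GroupCategory.ToString()
        Description       = $group.Description
        Notes             = $group.info
        ManagedBy         = $group.managedBy
        Members           = @($group.member)
    }
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Folder ("{0}_{1}.xml" -f $group.SamAccountName, $stamp)
    $record | Export-Clixml -Path $file
    return $file
}

function Clear-GroupMembership {
    param([string]$Identity)
    $members = @(Get-ADGroupMember -Identity $Identity)
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $Identity -Members $members -Confirm:$false
    }
}

function Restore-GroupMembership {
    param([string]$BackupFile)
    $record = Import-Clixml -Path $BackupFile
    if (@($record.Members).Count -gt 0) {
        Add-ADGroupMember -Identity $record.DistinguishedName -Members $record.Members
    }
}

function Test-SidUnchanged {
    # True only if the group that exists now is the same security principal
    # that was recorded; false after a delete followed by a re-create.
    param([string]$BackupFile)
    $record  = Import-Clixml -Path $BackupFile
    $current = Get-ADGroup -LDAPFilter "(sAMAccountName=$($record.SamAccountName))"
    return ($current -ne $null -and $current.SID.Value -eq $record.Sid)
}

# 1. Record the group, then empty it for the trial period.
$backup = Backup-GroupMembership -Identity $GroupDN -Folder $BackupPath
Clear-GroupMembership -Identity $GroupDN

# 2. If users report lost access, put the members back:
#    Restore-GroupMembership -BackupFile $backup

# 3. If nothing broke, delete the group. A group protected from accidental
#    deletion (Lesson 3) must be unprotected first, or the delete is denied.
#    Set-ADObject -Identity $GroupDN -ProtectedFromAccidentalDeletion $false
#    Remove-ADGroup -Identity $GroupDN -Confirm:$false
```

Test-SidUnchanged makes the SID point concrete: run it after a Remove-ADGroup and a New-ADGroup with the same name and it returns $false, which is exactly why the ACLs no longer grant anything to the new group.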
Lab A: Administer Groups
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
5. Open Windows Explorer and then browse to D:\Labfiles\Lab04a.
6. Run Lab04a_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab04a.

Lab Scenario
To improve the manageability of resource access at Contoso, Ltd., you have
decided to implement role-based management. The first application of role-based
management will be to manage who can access the folders containing sales
information. You must create groups that manage access to that sensitive
information. Business rules are that Sales and Marketing employees, and a team of
Consultants, should be able to read the Sales folders. Additionally, Bobby Moore
requires Read access. Finally, you have been asked to discover a way to produce a
list of group members, including those who are in nested groups; and a list of a
user's group membership, including indirect or nested membership.
Exercise 1: Implement Role-Based Management by Using
Groups
In this exercise, you will implement role-based management by using groups and
the best practice group nesting strategy, IGDLA. You will create different scopes
and types by using both the Active Directory Users and Computers snap-in, and
command-line tools.
The main tasks for this exercise are as follows:
1. Create role groups with Active Directory Users and Computers.
2. Create role groups with DSAdd.
3. Add users to the role group.
4. Implement a role hierarchy in which Sales Managers are also part of the Sales
role.
5. Create a resource access management group.
6. Assign permissions to the resource access management group.
7. Define which roles and users have access to a resource.


Task 1: Create role groups with Active Directory Users and Computers.
1. Run Active Directory Users and Computers with administrative credentials.
Use the account Pat.Coleman_Admin, with the password, Pa$$w0rd.
2. Create global security groups called, Sales and Consultants, in the
Groups\Role OU.
Task 2: Create role groups with DSAdd.
1. Run a command prompt with administrative credentials. Use the account
Pat.Coleman_Admin, with the password Pa$$w0rd.
2. Using the DSAdd command, create a global security group named, Auditors,
in the Groups\Role OU.
3. In Active Directory Users and Computers, confirm that the object has been
created.

Task 3: Add users to the role group.
1. Add Tony Krijnen to the Sales group by using the Members tab of the Sales
group.
2. Add Linda Mitchell to the Sales group by right-clicking Linda Mitchell and
choosing Add to a group.

Task 4: Implement a role hierarchy in which Sales Managers are also
part of the Sales role.
Add the Sales Managers group as a member of the Sales group by using the
Member Of tab of the Sales Managers group.

Task 5: Create a resource access management group.
Create a domain local security group named, ACL_Sales Folders_Read, in the
Groups\Access OU.

Task 6: Assign permissions to the resource access management group.
1. Verify that there is a folder in D:\Data named, Sales.
2. Right-click the Sales folder, click Properties, and then click the Security tab.
3. Click Edit, and then click Add.
4. Type ACL_ and press ENTER.
Notice that when you use a prefix for group names, such as the ACL_ prefix
for resource access groups, you can find them quickly.
5. Click ACL_Sales Folders_Read, and then click OK.
6. Confirm that the group has been given Read & execute permission.
7. Click OK to close each open dialog box.

Task 7: Define the roles and users that have access to a resource.
Add Sales, Consultants, Auditors, and Bobby Moore to the ACL_Sales
Folders_Read group.

Results: In this exercise, you implemented simple role-based management to manage
Read access to the Sales folder.

Exercise 2 (Advanced Optional): Explore Group
Membership Reporting Tools
Advanced Optional exercises provide additional challenges for students who are
able to complete lab exercises quickly. There are no answers in the Lab Answer
Key.
The main tasks for this exercise are as follows:
1. Open D:\AdminTools\Members_Report.hta. Enter the name of a group, and
then click SHOW MEMBERS.
2. Open D:\AdminTools\MemberOf_Report.hta. Enter the name of a user,
computer, or group, and then click Report.
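The seven tasks of Exercise 1 and the nested-membership reports of Exercise 2 can also be done from the command line. The following is an added Windows PowerShell example written for this edition, not one of the course's lab files. It assumes the Active Directory module, the OU paths from the lab, that D:\Data\Sales exists on the server where it runs, and that the lab users' logon names follow the First.Last pattern seen with Pat.Coleman (Tony.Krijnen, Linda.Mitchell, Bobby.Moore) and that the Sales Managers group's sAMAccountName is "Sales Managers"; the lab does not state those names.

```powershell
# Added example (not from the course). Implements the IGDLA chain of Lab A,
# Exercise 1, and the nested-membership reports of Exercise 2, in PowerShell.
# Assumptions: Active Directory module; lab OU paths; user logon names follow
# the lab's First.Last pattern; D:\Data\Sales exists on this server.
Import-Module ActiveDirectory

$Domain   = "DC=contoso,DC=com"
$RoleOU   = "OU=Role,OU=Groups,$Domain"
$AccessOU = "OU=Access,OU=Groups,$Domain"
$Folder   = "D:\Data\Sales"
$AclGroup = "ACL_Sales Folders_Read"

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    $existing = Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)" -SearchBase $Path
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                -GroupCategory Security -Path $Path -PassThru
}

# Tasks 1-2: role groups are global security groups. The DSAdd equivalent is
#   dsadd group "CN=Auditors,OU=Role,OU=Groups,DC=contoso,DC=com" -secgrp yes -scope g
foreach ($role in "Sales", "Consultants", "Auditors") {
    New-GroupIfMissing -Name $role -Scope Global -Path $RoleOU | Out-Null
}

# Task 3: users go into the role group (identities assumed to be sAMAccountNames).
Add-ADGroupMember -Identity "Sales" -Members "Tony.Krijnen", "Linda.Mitchell"

# Task 4: role hierarchy, Sales Managers nested in Sales (global inside global).
Add-ADGroupMember -Identity "Sales" -Members (Get-ADGroup "Sales Managers")

# Task 5: the resource access group is domain local, so it can hold groups from
# any domain in the forest and is the only principal placed on the folder ACL.
New-GroupIfMissing -Name $AclGroup -Scope DomainLocal -Path $AccessOU | Out-Null

# Task 6: grant Read & execute on the folder to the ACL_ group only.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CONTOSO\$AclGroup",
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Task 7: roles (and one exception user) become members of the access group.
Add-ADGroupMember -Identity $AclGroup -Members (Get-ADGroup "Sales"),
    (Get-ADGroup "Consultants"), (Get-ADGroup "Auditors"), (Get-ADUser "Bobby.Moore")

# Exercise 2 / lab review: who can read the Sales folders? Expand nesting so
# that Sales Managers' members appear even though they are not direct members.
function Get-EffectiveReaders {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object SamAccountName -Unique |
        Select-Object Name, SamAccountName, DistinguishedName
}

function Get-EffectiveMemberOf {
    # Every group a principal belongs to, directly or through nesting.
    param([string]$SamAccountName)
    $dn = (Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)").DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN makes the domain controller walk the member links.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, GroupScope, DistinguishedName
}

Get-EffectiveReaders -GroupName $AclGroup | Format-Table -AutoSize
Get-EffectiveMemberOf -SamAccountName "Linda.Mitchell" | Format-Table -AutoSize
```

Get-EffectiveReaders answers the last lab review question below (who can read the Sales folders) because the ACL names exactly one domain local group; Get-EffectiveMemberOf is the reverse report, and its chained-membership filter returns groups in the domain being queried, so in a multi-domain forest run it per domain or against a global catalog.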

Exercise 3 (Advanced Optional): Understand "Account
Unknown" Permissions
Advanced Optional exercises provide additional challenges for students who are
able to complete lab exercises quickly. There are no answers in the Lab Answer
Key.
The main tasks for this exercise are as follows:
1. In the Role OU, create a global security group named, Test.
2. Give the group Read & Execute permission to the D:\Data\Sales folder.
3. Delete the group named, Test.
4. Examine the Security tab of the Sales folder's properties dialog box. If you still
see the Test group listed, Windows Explorer may be caching the mapping of
the SID to the group name. Log off, log on, and check again.
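A scripted check for the "Account Unknown" condition, added here as an example and not taken from the course: it walks a folder tree and reports every ACE whose SID no longer resolves to an account, and separately every ACE that references a given group's SID, which is the evaluation the "Know the Impact Before Deleting a Group" topic asks for before a deletion. It assumes the Active Directory module and that D:\Data is the tree to audit.

```powershell
# Added example, not from the course. Finds ACEs that still reference a group
# you are about to delete, and ACEs whose trustee no longer exists (shown as
# "Account Unknown" in the Security tab). Assumes the AD module and D:\Data.
Import-Module ActiveDirectory

function Get-FolderTree {
    param([string]$Path)
    @(Get-Item -Path $Path) +
        @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })
}

function Get-AceBySid {
    # Every ACE in the tree whose trustee is exactly this SID (resolvable or not).
    param([string]$Path, [string]$Sid)
    foreach ($folder in Get-FolderTree -Path $Path) {
        $acl = Get-Acl -Path $folder.FullName
        # Ask for rules keyed by SID so that deleted trustees are not hidden
        # behind a failed name lookup.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value -eq $Sid) {
                New-Object PSObject -Property @{
                    Path = $folder.FullName; Sid = $Sid
                    Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-OrphanedAce {
    # Every ACE whose SID cannot be translated to an account name any more.
    param([string]$Path)
    foreach ($folder in Get-FolderTree -Path $Path) {
        $acl   = Get-Acl -Path $folder.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $resolved = $true
            try { $null = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
            catch { $resolved = $false }
            if (-not $resolved) {
                New-Object PSObject -Property @{
                    Path = $folder.FullName; Sid = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                    Inherited = $ace.IsInherited; Rule = $ace
                }
            }
        }
    }
}

function Remove-OrphanedAce {
    # Removes explicit orphaned ACEs only; an inherited one has to be removed
    # on the folder where it is defined. Dry run unless -Apply is given.
    param([string]$Path, [switch]$Apply)
    Get-OrphanedAce -Path $Path | Where-Object { -not $_.Inherited } |
        Group-Object Path | ForEach-Object {
            $acl = Get-Acl -Path $_.Name
            foreach ($orphan in $_.Group) { $null = $acl.RemoveAccessRule($orphan.Rule) }
            if ($Apply) { Set-Acl -Path $_.Name -AclObject $acl }
            else { "Would remove {0} orphaned ACE(s) from {1}" -f $_.Count, $_.Name }
        }
}

# Before deleting a group: which folders would be affected?
$test = Get-ADGroup -Identity "Test"
Get-AceBySid -Path "D:\Data" -Sid $test.SID.Value |
    Format-Table Path, Rights, Type, Inherited -AutoSize

# After the deletion (step 4 above): report the orphans, then clean them up.
Get-OrphanedAce -Path "D:\Data" | Format-Table Path, Sid, Rights, Type, Inherited -AutoSize
Remove-OrphanedAce -Path "D:\Data"          # dry run
# Remove-OrphanedAce -Path "D:\Data" -Apply  # actually remove explicit orphaned ACEs
```

The orphan report uses GetAccessRules keyed by SecurityIdentifier rather than the Access property, so it is not subject to the cached name mapping that step 4 describes; an orphaned Deny entry is harmless, but an orphaned Allow entry is dead weight that will silently spring back to life if the SID is ever reused, which is why it is worth removing.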

Note: Do not shut down the virtual machines after you are finished with this lab because the
settings you have configured here will be used in Lab B.
Lab Review Questions
Question: Describe the purpose of global groups in terms of role-based
management.
Question: What types of objects can be members of global groups?
Question: Describe the purpose of domain local groups in terms of role-based
management of resource access.
Question: What types of objects can be members of domain local groups?
Question: If you have implemented role-based management and are asked to
report who can read the Sales folders, what command would you use to do so?
Lesson 3
Best Practices for Group Management
After completing this lesson, you will be able to:
Describe the best practices for group documentation.
Protect a group from accidental deletion.
Delegate group membership management by using the Managed By tab.

Best Practices for Documenting Groups
Key Points
Creating a group in Active Directory is easy. It is not so easy to ensure that the group is used correctly over time. You can facilitate the correct management and use of a group by documenting its purpose, to help administrators understand how and when to use the group. There are several best practices that will prove immensely useful to your enterprise group administration.
Establish and Adhere to a Strict Naming Convention
An earlier lesson dealt with a suggested naming convention. In the context of
ongoing group administration, establishing and following group naming standards
increases administrative productivity. Using prefixes to indicate the purpose of a
group, and using a consistent delimiter between the prefix and the descriptive part
of the group name can help users locate the correct group for a particular purpose.
For example, the prefix APP can be used to designate groups that are used to
manage applications, and the prefix ACL can be used for groups that are assigned
permissions on access control lists (ACLs). With such prefixes, it becomes easier to
locate and interpret the purpose of groups named, for example, APP_Accounting
versus ACL_Accounting_Read: the former is used to manage the deployment of
the accounting software, and the latter to provide Read access to the accounting
folder. Prefixes also help to group the names of groups in the user interface, as
illustrated in the example shown in the following screen shot.

When attempting to locate a group to use in assigning permissions to a folder, you
can type the prefix, ACL_, in the Select dialog box and click OK. A Multiple Names
Found dialog box appears showing only the ACL_ groups in the directory, thereby
ensuring that permissions will be assigned to a group that is designed to manage
resource access.
Summarize a Group's Purpose with its Description Attribute
Use the Description attribute of a group to summarize the group's purpose.
Because the Description column is enabled by default in the details pane of the
Active Directory Users and Computers snap-in, the group's purpose can be highly
visible to administrators.
Detail a Group's Purpose in its Notes
When you open a group's Properties dialog box, the Notes field is visible at the
bottom of the General tab. This field, which is stored in the group's info attribute,
can be used to record the group's purpose. For example, you can list the folders
to which a group has been given permission, as follows.
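The naming and documentation conventions of this lesson are easy to audit and apply in bulk. The following is an added Windows PowerShell example for this edition, not code from the course: it flags groups that break a prefix convention or lack a Description or Notes, and fills in the Description and Notes of a resource access group. It assumes the Active Directory module, that the Access OU holds the ACL_ groups, and uses the folder paths from Lab B.

```powershell
# Added example, not from the course. Audits the group naming and documentation
# conventions above and fills in the Description and Notes (the info attribute)
# of a resource access group. Assumptions: Active Directory module; the Access
# OU holds ACL_ groups; the folder paths are those used in Lab B.
Import-Module ActiveDirectory

$AccessOU = "OU=Access,OU=Groups,DC=contoso,DC=com"
$RoleOU   = "OU=Role,OU=Groups,DC=contoso,DC=com"

function Test-GroupNamingConvention {
    # Reports groups in an OU whose name does not start with one of the prefixes.
    param([string]$SearchBase, [string[]]$Prefixes)
    Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ok = $false
        foreach ($p in $Prefixes) { if ($_.Name.StartsWith($p)) { $ok = $true } }
        if (-not $ok) {
            New-Object PSObject -Property @{
                Name  = $_.Name
                Issue = "Name lacks prefix ($($Prefixes -join ', '))"
            }
        }
    }
}

function Get-UndocumentedGroup {
    # Groups with no Description; an ACL_ group with empty Notes is also flagged,
    # because Notes is where the protected folders are supposed to be listed.
    param([string]$SearchBase)
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties description, info | ForEach-Object {
        if ([string]::IsNullOrEmpty($_.description)) {
            New-Object PSObject -Property @{ Name = $_.Name; Issue = "No Description" }
        }
        if ($_.Name.StartsWith("ACL_") -and [string]::IsNullOrEmpty($_.info)) {
            New-Object PSObject -Property @{ Name = $_.Name; Issue = "No Notes (info) listing the folders" }
        }
    }
}

function Set-GroupDocumentation {
    # The summary goes in Description (visible in the ADUC details pane); the
    # folder list goes in Notes, which is the 'info' attribute, one path per line.
    param([string]$Identity, [string]$Description, [string[]]$Folders)
    $notes = ($Folders -join "`r`n")
    Set-ADGroup -Identity $Identity -Description $Description -Replace @{ info = $notes }
}

Set-GroupDocumentation -Identity "ACL_Sales Folders_Read" -Description "Sales Folders (READ)" -Folders @(
    "\\contoso\teams\Sales (READ)",
    "\\file02\data\Sales (READ)",
    "\\file03\news\Sales (READ)")

Test-GroupNamingConvention -SearchBase $AccessOU -Prefixes "ACL_" | Format-Table -AutoSize
Get-UndocumentedGroup -SearchBase $RoleOU   | Format-Table -AutoSize
Get-UndocumentedGroup -SearchBase $AccessOU | Format-Table -AutoSize
```

Run the two report functions from a scheduled task and the convention enforces itself over time; a group with no prefix in the Access OU is usually one that was created directly on a file server's Security tab and never documented.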

Protect Groups from Accidental Deletion
Key Points
Protect yourself from the potentially devastating results of deleting a group by protecting each group you create from deletion. Windows Server 2008 makes it easy to protect any object from accidental deletion.
To protect an object, perform the following steps:
1. In the Active Directory Users and Computers snap-in, click the View menu and ensure that Advanced Features is selected.
2. Open the Properties dialog box for a group.
3. On the Object tab, select the Protect Object From Accidental Deletion check box.
4. Click OK.
This is one of the few places in Windows in which you actually have to click OK. Clicking Apply does not modify the ACL based on your selection.
The Protect Object From Accidental Deletion option applies an access control
entry (ACE) to the ACL of the object that explicitly denies the Everyone group both
the Delete permission and the Delete Subtree permission. If you really do want to
delete the group, you can return to the Object tab of the Properties dialog box and
clear the Protect Object From Accidental Deletion check box.
Deleting a group has a high impact on administrators, and potentially, on security.
Consider a group that has been used to manage access to resources. If the group is
deleted, access to that resource is changed. Either users who should be able to
access the resource are suddenly prevented from access, creating a denial-of-service
scenario, or if you had used the group to deny access to a resource with a Deny
permission, inappropriate access to the resource becomes possible.
Additionally, if you re-create the group, the new group object will have a new SID,
which will not match the SIDs on ACLs of resources. So you must instead perform
object recovery to reanimate the deleted group before the tombstone lifetime is
reached. When a group has been deleted for the tombstone lifetime (60 days by
default in forests created before Windows Server 2003 SP1, 180 days in forests
created since), the group and its SID are permanently deleted from Active Directory.
When you reanimate a tombstoned object, you must re-create most of its attributes,
including, importantly, the member attribute of group objects. That means you
must rebuild the group membership after restoring the deleted object.
Alternatively, you can perform an authoritative restore; or, in Windows Server
2008, turn to your Active Directory snapshots to recover both the group and its
membership. In a Windows Server 2008 R2 forest with the Active Directory Recycle
Bin enabled, a restored group also keeps its member attribute. Authoritative
restore and snapshots are discussed in Module 13.
In any event, it is safe to say that recovering a deleted group is a skill you should
hope to use only in disaster recovery fire drills, not in a production environment.
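Because the protection is nothing more than an ACE, it can be audited and applied in bulk. The following is an added Windows PowerShell example for this edition, not code from the course: it finds groups in an OU that are not protected, protects them, and reads back the Deny ACE for Everyone that the check box writes. It assumes the Active Directory module (which also provides the AD: drive used to read the object's ACL) and the Groups OU from the lab.

```powershell
# Added example, not from the course. Finds groups that are not protected from
# accidental deletion, protects them, and shows the Deny ACE for Everyone that
# the check box writes to the object's ACL. Assumptions: Active Directory module
# (which also provides the AD: drive), and the Groups OU from the lab.
Import-Module ActiveDirectory

$GroupsOU = "OU=Groups,DC=contoso,DC=com"

function Get-UnprotectedGroup {
    param([string]$SearchBase)
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-Group {
    # Same effect as the Object tab check box, and like the check box it is
    # applied immediately (there is no Apply to forget here).
    param([string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
}

function Get-DeleteDenyAce {
    # The protection is only an ACE: Deny Everyone Delete and Delete Subtree.
    param([string]$DistinguishedName)
    $delete     = [int][System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deleteTree = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ((([int]$_.ActiveDirectoryRights -band $delete) -ne 0) -or
         (([int]$_.ActiveDirectoryRights -band $deleteTree) -ne 0))
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

function Test-GroupProtected {
    # True when both the flag and the ACE are in place; the flag alone is only
    # the module's reading of the ACL, so check the ACE as well.
    param([string]$DistinguishedName)
    $flag = (Get-ADObject -Identity $DistinguishedName -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
    $ace  = @(Get-DeleteDenyAce -DistinguishedName $DistinguishedName)
    return ([bool]$flag -and $ace.Count -gt 0)
}

# Protect every group under the Groups OU that is not protected yet.
Get-UnprotectedGroup -SearchBase $GroupsOU | ForEach-Object {
    Protect-Group -DistinguishedName $_.DistinguishedName
    "{0}: protected = {1}" -f $_.Name, (Test-GroupProtected -DistinguishedName $_.DistinguishedName)
}

$dn = "CN=ACL_Sales Folders_Read,OU=Access,OU=Groups,DC=contoso,DC=com"
Get-DeleteDenyAce -DistinguishedName $dn | Format-Table -AutoSize

# To delete a protected group on purpose, clear the flag first; a Remove-ADGroup
# against a protected group fails with "Access is denied".
# Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
# Remove-ADGroup -Identity $dn -Confirm:$false
```

Note what the ACE does and does not cover: Deny Everyone applies to administrators as well, which is the point, but anyone with Write DACL on the object (or on the OU, via inheritance) can clear it in the same dialog box, so the protection guards against accidents, not against a deliberate attacker with rights on the OU.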
Delegate Membership Management with the Managed By Tab
Key Points
After a group has been created, you might want to delegate the management of the group's membership to a team or an individual who has the business responsibility for the resource that the group manages. For example, let's assume that your finance manager is responsible for creating next year's budget. You create a shared folder for the budget and assign Write permission to a group named ACL_Budget_Edit. If someone needs access to the budget folder, he or she contacts the help desk to enter a request, the help desk contacts the finance manager for business approval, and then the help desk adds the user to the ACL_Budget_Edit group. You can improve the responsiveness and accountability of the process by allowing the finance manager to change the group's membership. Then, users who need access can request access directly from the finance manager, who can make the change, thus removing the intermediate step of contacting the help desk. To delegate the management of a group's membership, you must assign to the finance manager the Allow Write Member permission for the group. The member attribute is the multivalued attribute that is the group's membership.
The easiest way to delegate membership management of a single group is to use
the Managed By tab. The Managed By tab of a group object's Properties dialog
box is shown here:

The Managed By tab serves two purposes. First, it provides contact information
related to the manager of a group. You can use this information to contact the
business owner of a group to obtain approval before adding a user to the group.
The second purpose served by the Managed By tab is to manage the delegation of
the member attribute. Note the check box shown in the preceding screenshot. It is
labeled Manager can update membership list. When selected, the user or group
shown in the Name box is given the Allow Write Member permission. If you
change or clear the manager, the appropriate change is made to the group's ACL.
Tip: You must actually click OK to implement the change. Clicking Apply does not change the
ACL on the group.
It is not quite so easy to insert a group into the Managed By tab of another group.
When you click the Change button, the Select User, Contact, Or Group dialog
box appears. If you enter the name of a group and click OK, an error occurs. That
is because this dialog box is not configured to accept groups as valid object types,
even though Group is in the name of the dialog box itself. To work around this
odd limitation, click the Object Types button, and then select the check box next
to Groups. Click OK to close both the Object Types and Select dialog boxes.
Be sure to select the Manager Can Update Membership List check box if you
want to assign the Allow Write Member permission to the group. When a group is
used on the Managed By tab, no contact information is visible, because groups do
not maintain contact-related attributes.

After you have delegated group membership management, a user does not require
Active Directory Users and Computers to modify the membership of the group. A
user can simply use the Search Active Directory capability of Windows clients to
find the group, and then change its membership.
To find a group:
1. Click Start, and then click Network.
2. Click the Search Active Directory button on the toolbar.
3. Type the name of the group and click Find Now.
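What the check box does can be reproduced, verified and exercised from the command line. The following is an added Windows PowerShell example for this edition, not code from the course: it sets the managedBy attribute, grants the manager Allow Write on the member attribute with an attribute-scoped ACE, lists who holds that permission, and then adds a member as the delegate, which is Lab B, Task 4 without the Search Active Directory dialog. It assumes the Active Directory module (and its AD: drive) and the lab names Auditors, Mike.Danseglio and Executives; the GUID of the member attribute is read from the schema rather than hard-coded.

```powershell
# Added example, not from the course. Does what the "Manager can update
# membership list" check box does: sets managedBy and grants the manager Allow
# Write on the group's member attribute, then verifies and exercises it.
# Assumptions: Active Directory module (AD: drive); lab names Auditors,
# Mike.Danseglio and Executives; the member attribute GUID comes from the schema.
Import-Module ActiveDirectory

function Get-MemberAttributeGuid {
    # schemaIDGUID of 'member' is the objectType an attribute-scoped ACE carries.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=member)" -Properties schemaIDGUID
    New-Object Guid (,[byte[]]$attr.schemaIDGUID)
}

function Set-GroupManager {
    param([string]$GroupIdentity, [string]$ManagerSamAccountName)
    $group   = Get-ADGroup -Identity $GroupIdentity
    $manager = Get-ADObject -LDAPFilter "(sAMAccountName=$ManagerSamAccountName)" -Properties objectSid
    # A group is accepted here too, which the UI allows only after Object Types.
    Set-ADGroup -Identity $group -ManagedBy $manager.DistinguishedName

    $sid = $manager.objectSid
    if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sid, 0)
    }
    # Allow WriteProperty scoped to the single attribute 'member': this is the
    # "Allow Write Member" permission, nothing broader.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
               [System.Security.AccessControl.AccessControlType]::Allow,
               (Get-MemberAttributeGuid))
    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-WriteMemberDelegate {
    # Who can change this group's membership through an attribute-scoped ACE.
    param([string]$GroupIdentity)
    $memberGuid = Get-MemberAttributeGuid
    $write      = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $group      = Get-ADGroup -Identity $GroupIdentity
    (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberGuid -and
        (([int]$_.ActiveDirectoryRights -band $write) -ne 0)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Set-GroupManager -GroupIdentity "Auditors" -ManagerSamAccountName "Mike.Danseglio"
Get-WriteMemberDelegate -GroupIdentity "Auditors" | Format-Table -AutoSize

# Lab B, Task 4 from the delegate's side: no ADUC needed, only Write Member.
$cred = Get-Credential "CONTOSO\Mike.Danseglio"
Add-ADGroupMember -Identity "Auditors" -Members (Get-ADGroup "Executives") -Credential $cred
```

Two things the report makes visible that the dialog box does not: delegation survives a later change of manager only if you clear the old ACE as the dialog does, so Get-WriteMemberDelegate is the check to run after every handover; and a manager of a group that is itself a member of an ACL_ group controls access to that resource, including the ability to add himself or herself, so the audit trail (event 4728 for a global security group, 4732 for a domain local one, on the domain controller that took the change) should be reviewed for delegated groups.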
Lab B: Best Practices for Group Management
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Lab Scenario
Your implementation of role-based management at Contoso, Ltd. has been highly
successful. As the number of groups in the domain has increased, you've come to
realize that it is important to record the groups and prevent administrators from
accidentally deleting a group. Finally, you want to allow the business owners of
resources to manage access to those resources by delegating to those owners the
right to modify the membership of appropriate groups.

Exercise 1: Implement Best Practices for Group
Management
In this exercise, you will perform the following tasks to record, delegate, and
secure groups:
1. Create a well-documented group.
2. Protect a group from accidental deletion.
3. Delegate group membership management.
4. Validate the delegation of group membership management.


Task 1: Create a well-documented group.
1. Run Active Directory Users and Computers with administrative credentials.
Use the account, Pat.Coleman_Admin, with the password, Pa$$w0rd.
2. Browse to the Groups\Access OU. In the properties of the ACL_Sales
Folders_Read group, configure the following:
A Description that summarizes the resource management rule
represented by the group: Sales Folders (READ)
In the Notes box, type the following paths to represent the folders that
have permissions assigned to this group.
\\contoso\teams\Sales (READ)
\\file02\data\Sales (READ)
\\file03\news\Sales (READ)
Task 2: Protect a group from accidental deletion.
1. Enable the Advanced Features view of the Active Directory Users and
Computers snap-in.
2. Protect the ACL_Sales Folders_Read group from being accidentally deleted.
3. Attempt to delete the group. Confirm that the attempt to delete the group is
denied.

Task 3: Delegate group membership management.
Configure the Managed By attribute of Auditors to refer to Mike Danseglio.

Task 4: Validate the delegation of group membership management.
1. Log off from NYC-DC1, then log on with user name, Mike.Danseglio, and the
password, Pa$$w0rd.
2. Open the Network window and use Search Active Directory to locate the
Auditors group.
3. Add the Executives group to the Auditors group.
4. Log off from NYC-DC1.


Results: In this exercise, you created a well-documented group, protected it from
accidental deletion, and delegated group membership management.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lab Review Questions
Question: What are some benefits of using the Description and Notes fields of a
group?
Question: What are the advantages and disadvantages of delegating group
membership?

Module Review and Takeaways
Review Questions
1. Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How will you provide these members with access to printers on various domains that are managed by using domain local groups?
2. You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
3. Which group scope can be assigned permissions in any domain or forest?
Common Issues Related to Group Management
Issue: Cannot convert group scope
Troubleshooting tip: Check if the conversion scenario is supported.
Issue: Cannot add group to another group
Troubleshooting tip: Check if the desired nesting scenario is supported.
Issue: Cannot create group in AD DS
Real-World Issues and Scenarios
A project manager in your department is starting a group project that will
continue for the next year. Several users from your department and other
departments will be dedicated to the project during this time. The project team
must have access to the same shared resources. The project manager must be
able to manage the user accounts and group accounts in AD DS. However, you
do not want to give the project manager permission to manage anything else in
AD DS. What is the best way to do this?
Best Practices for Group Management
When managing access to resources, try to use both rule and role groups.
Use Universal groups only when necessary because they add weight to
replication traffic.
Use Windows PowerShell with Active Directory Module for batch jobs on
groups.
Avoid adding users to Built-in and Default Groups.

Tools
Tool: Active Directory Users and Computers
Use: Manage groups
Where to find it: Administrative Tools
Tool: Windows PowerShell with Active Directory Module
Use: Manage groups
Where to find it: Installed as a Windows feature
Tool: DS utilities (DSAdd, DSMod, DSGet, DSRm)
Use: Manage groups
Where to find it: Command line

Content Specific to Windows Server 2008 R2
Feature  Version  Module Reference
Windows PowerShell with Active Directory Module


Managing Computer Accounts 5-1
Module 5
Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain 5-4
Lab A: Create Computers and Join the Domain 5-34
Lesson 2: Administer Computer Objects and Accounts 5-42
Lab B: Administer Computer Objects and Accounts 5-62
Lesson 3: Offline Domain Join 5-71
Lab C: Offline Domain Join 5-78

Module Overview
Computers in a domain are security principals, like users. They have an account with a logon name and password that Windows changes automatically every 30 days or so. They authenticate with the domain. They can belong to groups, have access to resources, and be configured by Group Policy. In addition, like users, computers sometimes lose track of their passwords, require a reset, or have accounts that need to be disabled or enabled.
Managing computers, both the objects in Active Directory and the physical devices, is one of the day-to-day tasks of most IT professionals. New systems are added to your organization, computers are taken offline for repairs, machines are exchanged between users or roles, and older equipment is retired or upgraded, leading to an excess of replacement systems. Each of these activities requires managing the identity of the computer, represented by its object, or account, in Active Directory.
Unfortunately, most enterprises do not invest the same kind of care and process in
the creation and management of computer accounts as they do for user accounts,
even though both are security principals. In this module, you will learn how to
create computer objects, which include attributes that are required for the objects
to be accounts. You will learn how to support computer accounts through their life
cycle, including configuring, troubleshooting, repairing, and de-provisioning
computer objects. You will also deepen your understanding of the process through
which a computer joins a domain, so that you can identify and avoid potential
points of failure. In the third lesson of this module, you will be introduced to a new
feature of Windows Server 2008 R2 Active Directory, called Offline Domain Join.
This feature enables administrators to join computers to a domain even if the
computers do not have a connection to the corporate network.
Objectives
After completing this module, you will be able to:
Create computer accounts and join them to a domain.
Administer computer objects and accounts by using the Windows Interface
and command-line tools.
Describe and perform the Offline Domain Join process.

Lesson 1
Create Computers and Join the Domain
The default configuration of Windows Server 2008, and of all other versions of Windows server and client operating systems, is that the computer belongs to a workgroup. Before you can log on to a computer with a domain account, that computer must belong to the domain. To join the domain, the computer must have an account in the domain, which, like a user account, includes a logon name (the sAMAccountName attribute), a password, and a security identifier (SID) that uniquely represents the computer as a security principal in the domain. Those credentials allow the computer to authenticate against the domain and to create a secure relationship that then allows users to log on to the system with domain accounts. In this lesson, you will learn the steps to prepare the domain for a new computer account, and you will explore the process through which a computer joins the domain.
Objectives
After completing this lesson, you will be able to:
Understand the relationship between a domain member and the domain, in
terms of identity and access.
Identify the requirements for joining a computer to the domain.
Prestage a computer account.
Join a computer to the domain.
Redirect the default computer container.
Prevent nonadministrative users from creating computers and joining the
domain.
Use command-line tools to import, create, and join computers.


Workgroups, Domains, and Trusts
Key Points
In a workgroup, each system maintains an identity store of user and group accounts against which users can be authenticated and access can begin. The local identity store on each computer is called the Security Accounts Manager (SAM) database. If a user logs on to a workgroup machine, the system authenticates the user against its local SAM database. If a user connects to another system to access a shared folder, the user is reauthenticated against the identity store of the remote system and will probably be prompted to enter a new set of credentials for the remote system. From a security perspective, a workgroup computer is, for all intents and purposes, a stand-alone system.
When a computer joins a domain, it delegates the task of authenticating users to
the domain. Although the computer continues to maintain its SAM database to
support local user and group accounts, user accounts will typically be created in
the central domain directory. When a user logs on to the computer with a domain
account, the user is authenticated by a domain controller, rather than by the SAM.
In other words, the computer now trusts another authority to validate a user's
identity. Trust relationships are generally discussed in the context of two domains,
as you will learn in another module, but there is also a trust between each domain
member computer and its domain that is established when the computer joins the
domain. Because all domain member computers trust the domain, they also trust
each account that is authenticated by that domain. This allows users with an
account in Active Directory to access resources on various servers with only one set
of credentials.
Requirements for Joining a Computer to the Domain
Key Points
Three conditions are required for you to join a computer to an Active Directory domain:
A computer object should be created in the directory service.
You must have appropriate permissions to the computer object. The permissions allow you to join a computer with the same name as the object to the domain.
You must be a member of the local Administrators group on the computer to change its domain or workgroup membership.
The remainder of this lesson examines each of these requirements.
Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. However, many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain to
an existing object. When Windows does not find the object, it fails back and creates a
computer object in the default computer container. The step of creating a computer
object, either by an administrator before the join or by Windows during the join, is
necessary before the computer can join the domain. It is still a requirement. It
uses a different set of permissions in Active Directory (your permission to create
a computer object) than the join itself, and if you do not happen to have
permissions to create computer objects in the default computer container, the
join will fail. The bottom line is that it is a requirement for the computer object
to exist prior to the join, but Windows helps meet that requirement
automatically.
5-10 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The Computer's Container and Organizational Units
Key Points
Before you create a computer object in the directory service, you must have a place
to put it.
The Default Computers Container
When you create a domain, the Computers container is created by default
(CN=Computers). This container is not an organizational unit (OU); it is an object
of the Container class. There are subtle but important differences between a
container and an OU. You cannot create an OU within a container, so you cannot
subdivide the Computers container; and you cannot link a Group Policy object to a
container. Therefore, we highly recommend that you create custom OUs to host
computer objects, instead of using the Computers container.
Managing Computer Accounts 5-11
OUs for Computers
Most organizations create at least two OUs for computer objects: one to host
computer accounts for client computers (desktops, laptops, and other user
systems) and another for servers. These two OUs are in addition to the Domain
Controllers OU created by default during the installation of Active Directory. In
each of these OUs, computer objects are created. There is no technical difference
between a computer object in a client's OU and a computer object in a server's or
domain controller's OU: computer objects are computer objects. However,
separate OUs are typically created to provide unique scopes of management, so
that you can delegate management of client objects to one team and management
of server objects to another.
Your administrative model might necessitate further dividing your client and server
OUs. Many organizations create sub-OUs beneath a server OU to collect and
manage specific types of servers, for example, an OU for file and print servers and
an OU for database servers. By doing so, the team of administrators for each type
of server can be delegated permissions to manage computer objects in the
appropriate OU. Similarly, geographically distributed organizations with local
desktop support teams often divide a parent OU for clients into sub-OUs for each
site. This approach enables each site's support team to create computer objects in
the site for client computers, and join computers to the domain using those
computer objects. This is an example only. What is most important is that your
OU structure reflects your administrative model so that your OUs provide single
points of management for the delegation of administration.

5-12 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Managing Computer Accounts 5-13
Additionally, separate OUs allow you to create different baseline configurations
using different Group Policy objects (GPOs) linked to the client and the server
OUs. Group Policy, discussed in detail in another module, allows you to specify
configuration for collections of computers by linking GPOs that contain
configuration instructions to OUs. It is common for organizations to separate
clients into desktop and laptop OUs. GPOs specifying desktop or laptop
configuration can then be linked to appropriate OUs.
If your organization has decentralized, site-based administration and wants to
manage unique configurations for desktops and laptops, you face a design
dilemma. Should you divide your clients OU based on administration and then
subdivide desktops and laptops, or should you divide your clients OU into
desktop and laptop OUs, and then subdivide based on administration? The
options are illustrated as follows.




Because the primary design driver for Active Directory OUs is the efficient
delegation of administration through the inheritance of access control lists (ACLs)
on OUs, the design on the left would be recommended.
Delegating Permission to Create Computers
By default, the Enterprise Admins, Domain Admins, Administrators, and Account
Operators groups have permission to create computer objects in any new OU.
However, as discussed in the module about groups, we recommend that you
tightly restrict membership in the first three groups, and that you do not add
administrators to the Account Operators group.
5-14 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Instead, you should delegate the permission to create computer objects to
appropriate administrators or support personnel. The permission required to
create a computer object is Create Computer Objects. This permission, assigned to
a group for an OU, allows members of the group to create computer objects in that
OU. For example, you might allow your desktop support team to create computer
objects in the clients OU, and allow your file server administrators to create
computer objects in the file servers OU.
The permissions required to perform computer management tasks are listed in the
topic, "Secure Computer Creation and Joins." Module 8 details the process of
delegation.

Managing Computer Accounts 5-15
Prestage a Computer Account
Key Points
You can and should create a computer account in the correct OU before joining
the computer to the domain. This process of creating a computer account in
advance is called prestaging a computer.
5-16 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
After you have been given permission to create computer objects, you can do so by
right-clicking the OU and choosing Computer from the New menu. The New
Object - Computer dialog box, shown below, appears:

Enter the computer name, following the naming convention of your enterprise,
and select the user or group that will be allowed to join the computer to the
domain with this account. The two computer names, Computer Name and
Computer Name (Pre-Windows 2000), should be the same: there is very rarely, if
ever, a justification for configuring them separately.
Note: The permissions that are applied to the user or group you select in the wizard are more
than necessary simply to join a computer to the domain. The selected user or group is
also given the ability to modify the computer object in other ways. For guidance
regarding a least privilege approach to delegating permission to join a computer to the
domain, see Windows Administration Resource Kit: Productivity Solutions for IT
Professionals by Dan Holme (Microsoft Press, 2008).
Managing Computer Accounts 5-17
The process you complete to create a computer account before joining the
computer to the domain is called prestaging the account.
There are two major advantages of prestaging a computer:
The account is in the correct OU and is therefore delegated according to the
security policy defined by the access control list (ACL) of the OU.
The computer is within the scope of GPOs linked to the OU, before the
computer joins the domain.

5-18 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Join a Computer to the Domain
Key Points
By prestaging the computer object, you fulfill the first two requirements for joining
a computer to a domain: the computer object exists, and you have specified who
has permissions to join a computer with the same name to the domain. Now, a
local administrator of the computer can change the computer's domain
membership and enter the specified domain credentials to successfully complete
the process.
To join a computer to the domain, perform the following steps:
1. Log on to the computer with credentials that belong to the local
Administrators group on the computer.
Only local administrators can alter the domain or workgroup membership of a
computer.
Managing Computer Accounts 5-19
2. Open the System Properties dialog box by using one of the following
methods:
In Windows XP, Windows Server 2003:
Open the System properties dialog box by doing one of the following:
Right-click My Computer, and then click Properties.
Press Windows Logo+Pause.
In Windows Vista, Windows 7, Windows Server 2008, and Windows Server
2008 R2:
a. Open the System properties dialog box by doing one of the following:
Right-click Computer, and then click Properties.
Press Windows Logo+Pause.
b. In the Computer name, domain, and workgroup settings section, click
Change Settings.
c. If prompted by User Account Control, click Continue or enter
administrative credentials as appropriate.
3. Click the Computer Name tab.
4. Click Change.
5. Under Member Of, click Domain.
6. Type the name of the domain you want to join.
Note: Use the full DNS name of the domain. Not only is this more accurate and more likely to
succeed, but if it does not succeed, it indicates that there could be a problem with DNS
name resolution that should be rectified before joining the machine to the domain.
7. Click OK.
8. Windows prompts for the credentials of your user account in the domain.
The domain checks to see if a computer object already exists with the name of
the computer. One of the following three things happens:
If the object exists and a computer with that name has already joined the
domain, an error is returned, and you cannot join the computer to the
domain.
5-20 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
If the object exists and it is prestaged (a computer with the same name has
not joined the domain), the domain confirms that the domain credentials
you entered have permission to join the domain using that account. These
permissions were discussed in the section, "Prestaging a Computer
Account."
If the computer account is not prestaged, Windows checks to see if you
have permissions to create a new computer object in the default computer
container. If you do have permissions to create a new computer object in
the default computer container, the object is created with the name of the
computer. This method of joining a domain is supported for backwards
compatibility, but is not recommended. We recommend that you prestage
the account as indicated earlier, and as detailed in the next section,
Secure Computer Creation and Joins.

The computer then joins the domain by assuming the identity of its Active
Directory object. It configures its SID to match the domain computer account's
SID and sets an initial password with the domain. The computer then
performs other tasks related to joining the domain. It adds the Domain
Admins group to the local Administrators group and the Domain Users group
to the local Users group.
9. You are prompted to restart the computer. Click OK to close this message box.
10. Click Close (in Windows Vista) or OK (in Windows XP) to close the System
Properties dialog box.
11. You are prompted again to restart the computer, after which the system is fully
a member of the domain, and you can log on by using domain credentials.


Managing Computer Accounts 5-21
Secure Computer Creation and Joins
Key Points
Creating computer accounts and joining computers to a domain are security-sensitive
operations. Therefore, it is very important that these steps are as secure as
possible.
Prestage Computer Objects
The best practice is to prestage a computer account prior to joining the machine to
the domain. However, Windows allows you to join a computer to a domain
without following this best practice. You can log on to a workgroup computer as a
local administrator and change the computer membership to the domain. On
demand, Windows creates a computer object in the default computer container,
gives you permission to join a computer to that object, and then proceeds to join
the system to the domain.
There are three problems with this Windows process:
5-22 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
First, the computer account created automatically by Windows is placed in the
default computer container, which is not where the computer object belongs
in most enterprises.
Second, you must move the computer from the default computer container
into the correct OU, which is an extra step that is often forgotten.
Third, any domain user can also do this; no domain-level administrative
permissions are required. Any user can join any computer to the domain if you
don't manage and secure the process. Because a computer object is a security
principal, and because the creator of a computer object owns the object and
can change its attributes, this exposes a potential security vulnerability. The
next sections detail these disadvantages.

Configuring the Default Computer Container
When you join a computer to the domain and the computer object does not
already exist in Active Directory, Windows automatically creates a computer
account in the default computer container, which is called, Computers
(CN=Computers,DC=domain) by default. The problem with this relates to the
discussion of OU design earlier in the lesson. If you have implemented the best
practices described there, you have delegated permissions to administer computer
objects in specific OUs for clients and servers. Additionally, you might have linked
GPOs to those OUs to manage the configuration of these computer objects. If a
new computer object is created outside of those OUs, in the default computer
container, the permissions and configuration it inherits from its parent container
will be different than what it should have received. You will then need to
remember to move the computer from the default container to the correct OU after
joining the domain.
There are two recommended steps to reduce the likelihood of this problem. First,
you should attempt to always prestage computer accounts. If an account is
prestaged for a computer in the correct OU, when the computer joins the domain,
it will use the existing account and will be subject to the correct delegation and
configuration.
Second, to reduce the impact of systems being joined to the domain without a
prestaged account, you should change the default computer container so that it is
not the Computers container itself, but instead is an OU that is subject to
appropriate delegation and configuration. For example, if you have an OU called
New Clients, you can instruct Windows to use that OU as the default computer
container, so that if computers are joined to the domain without prestaged
accounts, the objects are created in the New Clients OU.
Managing Computer Accounts 5-23
The redircmp.exe command is used to redirect the default computer container
with the following syntax.
redircmp "DN of OU for new computer objects"
Now, if a computer joins the domain without a prestaged computer account,
Windows creates the computer object in the specified organizational unit. On this
OU, you can apply some baseline GPO settings that affect all computers in the
domain.
Note: The same concepts apply to the creation of user accounts. By default, if a user account is
created by using a legacy practice that does not specify the OU for the account, the
object is created in the default user container (CN=Users,DC=domain, by default). The
redirusr.exe command can be used to redirect the default container to an actual OU that
is delegated and configured appropriately. Redirusr, like redircmp, takes a single option:
the distinguished name (DN) of the OU that will become the default user container.
Restricting the Ability of Users to Create Computers
When a computer account is prestaged, the permissions on the account determine
who is allowed to join that computer to the domain. When an account is not
prestaged, Windows will, by default, allow any authenticated user to create a
computer object in the default computer container. In fact, Windows will allow any
authenticated user to create 10 computer objects in the default computer
container. The creator of a computer object, by default, has permission to join that
computer to the domain. It is through this mechanism that any authenticated user
can join 10 computers to the domain without any explicit permission to do so.
The 10-computer quota is configured by the ms-DS-MachineAccountQuota
attribute of the domain. It allows any authenticated user to join a machine to the
domain, no questions asked. This is problematic from a security perspective
because computers are security principals, and the creator of a security principal
has permission to manage that computer's properties. In a way, the quota is like
allowing any domain user to create 10 user accounts, without any controls.
We highly recommend that you close this loophole, so that nonadministrative
users cannot join machines to the domain. To change the ms-DS-
MachineAccountQuota attribute, perform the following steps:
1. Open the ADSI Edit MMC console from the Administrative Tools folder.
2. Right-click ADSI Edit, and then click Connect To.
5-24 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
3. In the Connection Point section, click Select A Well Known Naming
Context, and then select Default Naming Context from the drop-down list.
4. Click OK.
5. In the console tree, expand Default Naming Context.
6. Right-click the domain folder (dc=contoso,dc=com, for example), and then
click Properties.
7. Click ms-DS-MachineAccountQuota, and then click Edit.
8. Type 0.
9. Click OK.

The Authenticated Users group is also assigned the user right to add workstations
to the domain, but you do not have to modify this right if you have changed the
default value of the ms-DS-MachineAccountQuota attribute.
After you have changed the ms-DS-MachineAccountQuota attribute to 0, you can
be assured that the only users who can join computers to the domain are those
who have been specifically delegated permission to join prestaged computer
objects or to create new computer objects.
After you've eliminated this loophole, you must ensure you have given appropriate
administrators explicit permission to create computer objects in the correct OUs,
as described in the "Delegating Permission to Create Computers" section, otherwise
the following error message will appear.
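The two settings this section describes, the ms-DS-MachineAccountQuota value and the container that receives objects created by a join without a prestaged account, can be checked and corrected from the Active Directory module for Windows PowerShell on Windows Server 2008 R2. The script below is an added example and is not part of the course or of any Microsoft tool. It assumes the ActiveDirectory module is available, that the caller has rights to modify the domain object and to move computer objects, and that a delegated OU such as 'OU=New Clients,DC=contoso,DC=com' (a constructed name) already exists to receive unplanned joins. It also reports who owns each computer object found in CN=Computers, because, as explained above, the creator of a computer object owns it and can change its attributes.

```powershell
# Added example (not course code). Requires the ActiveDirectory module (Windows Server
# 2008 R2) and rights on the domain object; OU and domain names are assumed values.
Import-Module ActiveDirectory

function Get-ComputerJoinPosture {
    # Reports the domain quota and the container that receives objects created by a
    # join without a prestaged account; both are discussed in this section.
    $domain = Get-ADDomain
    $head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota  = $head.'ms-DS-MachineAccountQuota'
    New-Object PSObject -Property @{
        Domain                   = $domain.DNSRoot
        MachineAccountQuota      = $quota
        QuotaIsClosed            = ($quota -eq 0)
        DefaultComputerContainer = $domain.ComputersContainer
        DefaultIsRedirectedToOU  = ($domain.ComputersContainer -like 'OU=*')
    }
}

function Get-StrayComputer {
    # Lists computer objects sitting directly in CN=Computers together with the owner
    # of each object. The owner is normally the account that created it, which is the
    # reason the quota matters: the owner can change the object's attributes.
    param([string]$Container = ('CN=Computers,' + (Get-ADDomain).DistinguishedName))
    Get-ADComputer -Filter * -SearchBase $Container -SearchScope OneLevel -Properties whenCreated |
        ForEach-Object {
            $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
            New-Object PSObject -Property @{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                Created           = $_.whenCreated
                Owner             = $acl.Owner
            }
        }
}

function Repair-ComputerJoinPosture {
    # Closes the loophole (quota 0), redirects the default container with redircmp, the
    # tool documented in this lesson, and optionally moves existing strays into the
    # delegated OU so that they pick up its ACL and its linked GPOs.
    param(
        [Parameter(Mandatory = $true)][string]$NewDefaultOU,   # e.g. 'OU=New Clients,DC=contoso,DC=com' (assumed)
        [switch]$MoveStrays
    )
    try   { $null = Get-ADOrganizationalUnit -Identity $NewDefaultOU }
    catch { throw "OU $NewDefaultOU does not exist; create and delegate it first." }
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    & redircmp.exe $NewDefaultOU
    if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }
    if ($MoveStrays) {
        # Always read the literal CN=Computers here: after redircmp the domain's
        # ComputersContainer property already points at the new OU.
        Get-StrayComputer | ForEach-Object {
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $NewDefaultOU
        }
    }
    Get-ComputerJoinPosture
}

# Typical use (assumed names): review first, then remediate.
Get-ComputerJoinPosture | Format-List
Get-StrayComputer | Format-Table Name, Owner, Created -AutoSize
# Repair-ComputerJoinPosture -NewDefaultOU 'OU=New Clients,DC=contoso,DC=com' -MoveStrays
```

Run the two review commands first and keep their output: a stray object whose owner is an ordinary user account is exactly the case the lab scenario later in this module describes, and the owner column tells you which accounts have been using the quota. Moving strays does not change their owner; review the ACL of each moved object as well if the owner should not retain control of it.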

Delegating Computer Management
The fourth task to improve the security of computer accounts is to delegate
computer management tasks at the OU level. Delegation is discussed in Module 8.
The following dsacls commands can be used to delegate computer management
tasks:
Managing Computer Accounts 5-25
Create a computer.
dsacls "DN of OU" /I:T /G "DOMAIN\group":CC;computer
Delete a computer.
dsacls "DN of OU" /I:T /G "DOMAIN\group":DC;computer
Join a computer to the domain.
dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to DNS host name";computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to service principal name";computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":CA;Reset Password;computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":WP;Account Restrictions;computer
Each of the preceding four commands is entered at the command prompt as a single
line, with no space after the colon.
Move a computer.
Requires permissions to delete computers in the source OU and create
computers in the destination OU. Even though a move does not actually delete
or create the account, this is the permission that is used by the Access Check.
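The dsacls commands above, together with the Create Computer Objects delegation described in the "Delegating Permission to Create Computers" section, can be applied to an OU in one pass. The function below is an added example and is neither course material nor a Microsoft tool: it wraps dsacls.exe and builds each "group:right;computer" ACE as a single string, which is the simplest way to guarantee that no space follows the colon. When PowerShell passes an argument that contains spaces to a native command it quotes the whole argument, so dsacls receives the same text as the quoted forms printed above. The OU and group names in the usage lines are assumptions.

```powershell
# Added example (not course code). Wraps the dsacls.exe syntax shown in this section;
# requires dsacls.exe (Windows Server 2008 / RSAT). OU and group names are assumed.

function Get-ComputerDelegationArgs {
    # Builds one dsacls argument list per permission. Keeping "group:right;computer"
    # in one string is what prevents a stray space after the colon.
    param(
        [Parameter(Mandatory = $true)][string]$OuDN,      # e.g. 'OU=Clients,DC=contoso,DC=com'
        [Parameter(Mandatory = $true)][string]$Group,     # e.g. 'CONTOSO\Desktop Support'
        [switch]$IncludeCreateDelete                      # also grant Create/Delete Computer Objects
    )
    $lists = @()
    if ($IncludeCreateDelete) {
        # /I:T applies the ACE to the OU itself and to all child objects.
        $lists += ,@($OuDN, '/I:T', '/G', "${Group}:CC;computer")
        $lists += ,@($OuDN, '/I:T', '/G', "${Group}:DC;computer")
    }
    # The four rights that together let a group join computers to prestaged accounts;
    # /I:S applies them to child objects of the computer class only.
    foreach ($right in 'Validated write to DNS host name',
                       'Validated write to service principal name',
                       'CA;Reset Password',
                       'WP;Account Restrictions') {
        $lists += ,@($OuDN, '/I:S', '/G', "${Group}:${right};computer")
    }
    return ,$lists
}

function Grant-ComputerDelegation {
    # Runs (or, with -Preview, only prints) the dsacls commands for one OU and stops
    # at the first failure so that a partial delegation is noticed rather than kept.
    param(
        [Parameter(Mandatory = $true)][string]$OuDN,
        [Parameter(Mandatory = $true)][string]$Group,
        [switch]$IncludeCreateDelete,
        [switch]$Preview
    )
    $argLists = Get-ComputerDelegationArgs -OuDN $OuDN -Group $Group -IncludeCreateDelete:$IncludeCreateDelete
    foreach ($argList in $argLists) {
        if ($Preview) {
            # Show the command as it would be typed, quoting arguments that contain spaces.
            'dsacls ' + (($argList | ForEach-Object { if ($_ -match '\s') { '"' + $_ + '"' } else { $_ } }) -join ' ')
            continue
        }
        & dsacls.exe $argList | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed (exit $LASTEXITCODE) for: $($argList -join ' ')" }
    }
}

# Usage with assumed names: the desktop support team may create, delete and join
# client computers in the clients OU. Run again without -Preview to apply.
Grant-ComputerDelegation -OuDN 'OU=Clients,DC=contoso,DC=com' `
                         -Group 'CONTOSO\Desktop Support' -IncludeCreateDelete -Preview
```

Omit -IncludeCreateDelete for a team that should only join computers to accounts that someone else prestages; that is the least-privilege split the "Prestage a Computer Account" topic recommends. After applying, `dsacls "OU=Clients,DC=contoso,DC=com"` with no further options lists the resulting ACL so the delegation can be verified against the six lines the preview printed.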

Question: What two factors determine whether you can join a computer account
to the domain?

5-26 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Automate Computer Account Creation
Key Points
The steps you have learned for creating a computer account become burdensome if
you are tasked with creating dozens or even hundreds of computer accounts at the
same time. Commands such as Comma Separated Value Directory Exchange
(CSVDE), Lightweight Directory Access Protocol (LDAP) Data Interchange Format
Directory Exchange (LDIFDE), and DSAdd can import and automate the creation
of computer objects. Scripts can also allow you to provision computer objects, that
is, to perform business logic such as the enforcement of computer naming
conventions.

Managing Computer Accounts 5-27
Import Computers with CSVDE
Key Points
CSVDE is a command-line tool that imports or exports Active Directory objects
from or to a comma-delimited text file (also known as a comma-separated value
text file, or .csv file). The basic syntax of the CSVDE command is:
csvde [-i] [-f "Filename"] [-k]
The -i option specifies import mode; without it, the default mode of CSVDE is
export. The -f option identifies the file name to import from or export to. The -k
option is useful during import operations, because it instructs CSVDE to ignore
errors, including object already exists, constraint violation, and attribute or
value already exists.
5-28 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Comma-delimited files can be created, modified, and opened with tools as familiar
as Notepad and Microsoft Office Excel. The first line of the file defines the
attributes by their LDAP attribute names. Each object follows, one per line, and
must contain exactly the attributes listed on the first line. A sample file is shown in
Excel as follows.

When importing computers, be sure to include the userAccountControl attribute,
and set it to 4096. This attribute ensures that the computer will be able to join the
account. Also include the pre-Windows 2000 logon name of the computer, the
sAMAccountName attribute, which is the name of the computer followed by a
dollar sign ($), as shown in the preceding sample.

Managing Computer Accounts 5-29
Import Computers with LDIFDE
Key Points
LDIFDE.exe imports data from files in the LDAP Data Interchange Format (LDIF)
format. LDIF files are text files within which operations are specified by a block of
lines separated by a blank line. Each operation begins with the DN attribute of the
object that is the target of the operation. The next line, changeType, specifies the
type of operation: add, modify, or delete.
5-30 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
The following listing is an LDIF file that will create a computer account in the
Servers OU.
dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$

The basic syntax of the LDIFDE command is similar to that of the CSVDE
command.
ldifde [-i] [-f "Filename"] [-k]
By default, LDIFDE is in export mode. The -i option specifies the import mode.
You must specify -f to identify the file you are using for import or export. LDIFDE
will stop when it encounters errors, unless you specify the -k option, in which case,
LDIFDE continues processing.
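The CSVDE and LDIFDE topics above describe the two file formats, and the "Automate Computer Account Creation" topic mentions enforcing a naming convention as the kind of business logic a script adds. The script below is an added example, not course code or any Microsoft tool: it validates a batch of names against an assumed convention, places each accepted computer in a per-site OU under Client Computers or Servers (an assumed layout for contoso.com), and writes the same batch as both a CSVDE file and an LDIFDE file, using the attribute set shown in the listing above. The sample names are constructed.

```powershell
# Added example (not course code). Writes one batch of prestaged computer accounts as a
# CSVDE file and as an LDIFDE file; the naming convention, OU layout and sample names
# are constructed for illustration.

# Assumed convention: SITE-ROLE### where SITE is NYC or LON and ROLE is WS or SRV.
$NamePattern = '^(?<site>NYC|LON)-(?<role>WS|SRV)\d{3}$'

function Get-ComputerParentOU {
    # Maps a validated name to its OU: workstations under Client Computers, servers
    # under Servers, each with a per-site sub-OU (assumed layout for contoso.com).
    param([string]$Site, [string]$Role)
    if ($Role -eq 'SRV') { "OU=$Site,OU=Servers,DC=contoso,DC=com" }
    else                 { "OU=$Site,OU=Client Computers,DC=contoso,DC=com" }
}

function New-ComputerImportFiles {
    param(
        [Parameter(Mandatory = $true)][string[]]$Names,
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$LdifPath
    )
    $accepted = @()
    $rejected = @()
    # CSVDE: the first line names the attributes; one object per line afterwards.
    $csv  = @('DN,objectClass,cn,sAMAccountName,userAccountControl')
    $ldif = @()
    foreach ($name in $Names) {
        $upper = $name.ToUpper()
        if (-not ($upper -match $NamePattern)) {
            $rejected += $name          # business logic: enforce the naming convention
            continue
        }
        $dn = 'CN=' + $upper + ',' + (Get-ComputerParentOU -Site $Matches['site'] -Role $Matches['role'])
        # The DN contains commas and spaces, so it is quoted as a CSV field.
        # userAccountControl 4096 marks a workstation trust account; sAMAccountName ends in $.
        $csv += ('"{0}",computer,{1},{1}$,4096' -f $dn, $upper)
        # The LDIF block mirrors the listing above; a blank line ends each operation.
        $ldif += "dn: $dn"
        $ldif += 'changetype: add'
        $ldif += 'objectClass: top', 'objectClass: person', 'objectClass: organizationalPerson',
                 'objectClass: user', 'objectClass: computer'
        $ldif += "cn: $upper"
        $ldif += 'userAccountControl: 4096'
        $ldif += "sAMAccountName: $upper`$"
        $ldif += ''
        $accepted += $upper
    }
    $csv  | Out-File -FilePath $CsvPath  -Encoding ASCII
    $ldif | Out-File -FilePath $LdifPath -Encoding ASCII
    New-Object PSObject -Property @{ Accepted = $accepted; Rejected = $rejected }
}

# Constructed sample batch: two valid names (case is normalized) and one that violates
# the convention and is reported instead of being written to either file.
$result = New-ComputerImportFiles -Names 'nyc-ws001', 'LON-SRV014', 'Bobs-Laptop' `
                                  -CsvPath '.\computers.csv' -LdifPath '.\computers.ldf'
$result.Accepted
$result.Rejected
```

Import with either `csvde -i -f computers.csv -k` or `ldifde -i -f computers.ldf -k`, not both: the two files create the same objects, and -k would silently swallow the "object already exists" errors from the second run. The account running the import still needs Create Computer Objects in every target OU, exactly as for a manual prestage; a rejected name is the script refusing to create an object that would not match the convention, so inspect the Rejected list before importing.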

Managing Computer Accounts 5-31
Create Computer Accounts with DSAdd and PowerShell
Key Points
The DSAdd command is used to create objects in Active Directory. To create
computer objects, simply type the following command.
dsadd computer ComputerDN
where ComputerDN is the distinguished name (DN) of the computer, such as
CN=DESKTOP123,OU=NYC,OU=Client Computers,DC=contoso,DC=com.
If the computer's DN includes a space, surround the entire DN with quotation
marks. The ComputerDN option can include more than one distinguished name
for new computer objects, making DSAdd Computer a handy way to generate
multiple objects at once. The option can be entered in one of the following ways:
By typing each DN at the command prompt, separated by spaces.
5-32 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
By leaving the DN option empty, at which point, you can type the DNs, one at
a time, at the keyboard console of the command prompt. Press ENTER after
each DN. Press CTRL+Z and ENTER after the last DN.
By piping a list of DNs from another command, such as DSQuery.

The DSAdd Computer command can take the following options after the DN
option:
-samid ComputerName
-desc Description
-loc Location

Note: Content in the following section is specific to Windows Server 2008 R2.
You can also use the Active Directory module for Windows PowerShell to create a
computer account in AD DS. The following example demonstrates how to create a
new computer, DESKTOP123, in the Client Computers OU in the contoso.com
domain.
New-ADComputer -Name DESKTOP123 -SamAccountName DESKTOP123 -Path 'OU=Client Computers,DC=contoso,DC=com'
For a full explanation of the parameters that you can pass to New-ADComputer, at
the Active Directory module command prompt, type Get-Help New-ADComputer
-Detailed, and then press ENTER.

Managing Computer Accounts 5-33
Create and Join Computers with NetDom and PowerShell
Key Points
The NetDom command is also able to perform a variety of domain account and
security tasks from the command prompt. You can also use NetDom to create a
computer account, by typing the following command.
netdom add ComputerName /domain:DomainName [/ou:"OUDN"]
[/UserD:DomainUsername /PasswordD:DomainPassword]
This command creates the computer account for ComputerName in the domain
indicated by the /domain option, using the credentials specified by /UserD and
/PasswordD. The /ou option causes the object to be created in the OU specified by
the organizational unit distinguished name (OUDN) following the option. If no
OUDN is supplied, the computer account is created in the default computer
container. The user credentials must, of course, have permissions to create
computer objects.
5-34 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Using NetDom.exe
The NetDom.exe command allows you to join a computer to the domain from the
command prompt. The basic syntax of the command is as follows.
netdom join MachineName /Domain:DomainName [/OU:"OUDN"]
[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ]
[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]
[/SecurePasswordPrompt]
[/REBoot[:TimeInSeconds]]
It can be useful to join a machine to a domain from the command prompt. The first
reason this is useful is because the join can be included in a script that performs
other actions. For example, you could create a batch file that creates the computer
account by using NetDom or DSAdd (the latter of which allows you to specify
other attributes, including description) and then joins the machine to that account
by using NetDom. Second, NetDom.exe can be used to remotely join a machine to
the domain. Third, NetDom.exe allows you to specify the OU for the computer
object. The command's options are, for the most part, self-explanatory. /UserO and
/PasswordO are credentials that are members of the workgroup computer's local
Administrators group. Specifying * for the password causes NetDom.exe to prompt
for the password at the command prompt. /UserD and /PasswordD are domain
credentials with permission to create a computer object, if the account is not
prestaged, or to join a computer to a prestaged account. The /reboot option causes
the system to reboot after joining the domain. The default timeout is 30 seconds.
The /SecurePasswordPrompt option displays a popup for credentials when * is
specified for either /PasswordO or /PasswordD.
Note: If you want to use NetDom remotely, the Windows Firewall configuration on the
computer that will be joined to the domain must allow Network Discovery and Remote
Administration.
Note: Content in the following section is specific to Windows Server 2008 R2.
Besides the netdom command, you can also use Windows PowerShell with the Active
Directory Module to perform a domain join for a local machine. In PowerShell, you
should use the Add-Computer cmdlet to perform a domain join.
The following example demonstrates how to add the local computer on which this
command is being run, to the contoso.com domain. The local computer is added
to the OU in the directory that is specified by the OUPath parameter, using the
Managing Computer Accounts 5-35
current logged-on user credentials. You must run this command on the local
computer.
Add-Computer -DomainName Contoso -OUPath 'OU=Client Computers,DC=contoso,DC=com'
For a full explanation of the parameters that you can pass to Add-Computer, at the
Active Directory Module command prompt, type Get-Help Add-Computer
-Detailed, and then press ENTER.
5-36 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Lab A: Create Computers and Join the Domain
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Domain: Contoso
Managing Computer Accounts 5-37
5. Open Windows Explorer and then browse to D:\Labfiles\Lab05a.
6. Run Lab05a_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin, with the password, Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab05a.
9. In Hyper-V Manager, click 6425C-NYC-SVR2, and in the Actions pane,
click Start.
10. In the Actions pane, click Connect. Wait until the virtual machine starts. Do
not log on to NYC-SVR2 until directed to do so.


Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, it was identified
that there is no control over the creation of new computer accounts: both clients
and servers are being added to the domain with no assurance that the process is
being followed. In fact, a number of computer accounts were discovered in the
Computers container. These computer objects were for active computer accounts,
but the computers had not been created in or moved to the correct OUs within the
Client Computers or Servers OUs according to standard procedures. You've been
tasked with improving the procedures.
Exercise 1: Join a Computer to the Domain with the
Windows Interface
In this exercise, you will join a computer to the domain using the Windows
interface, and then you will remove the machine from the domain.
The main tasks for this exercise are as follows:
1. Identify and correct a DNS configuration error.
2. Join NYC-SVR2 to the domain.
3. Verify the location of the NYC-SVR2 account.
4. Remove NYC-SVR2 from the domain.
5. Delete the NYC-SVR2 account.


Task 1: Identify and correct a DNS configuration error.
1. Log on to NYC-SVR2 as Administrator, with the password, Pa$$w0rd.
2. Open System Properties by using one of the following methods:
Click Start, right-click Computer, and then click Properties.
Open System from Control Panel.
Press the Windows logo key and the Pause key.
3. Attempt to join the computer to the domain, contoso.com, being sure to use
the fully qualified domain name (contoso.com) rather than the NetBIOS name
for the domain (contoso).
Doing so tests that DNS is configured correctly on the client for locating the
domain.
4. Change the DNS Server configuration on the client to 10.0.0.10.

Question: Why might the join have succeeded if you had used the domain name
contoso, instead of contoso.com? What might go wrong after the domain was
successfully joined but with DNS incorrectly configured?
Answer: The use of the fully qualified name forced the name resolution process to
use DNS, and because DNS failed, the domain join failed. The domain name,
contoso, is a flat domain name that could be resolved through NetBIOS name
resolution. Even though the domain join would be successful, the client would
likely have problems locating domain controllers in other sites, and locating other
resources in the domain. Performing the join with a fully qualified domain name
ensures that DNS is functioning before joining the domain.

Task 2: Join NYC-SVR2 to the domain.
1. Join NYC-SVR2 to the domain. When prompted for domain credentials, enter
the user name, Aaron.Painter, and the password, Pa$$w0rd.
Note that Aaron.Painter is a standard user in the contoso.com domain. He has
no special rights or permissions, and yet he is able to join a computer to the
domain. He does have to be logged on to the computer with an account that is
a member of the computer's Administrators group.
2. Allow the system to restart.

Task 3: Verify the location of the NYC-SVR2 account.
1. On NYC-DC1, run Active Directory Users and Computers as an administrator,
with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Locate the NYC-SVR2 account.

Question: In which OU or container does the account exist?
Answer: The Computers container.
Task 4: Remove NYC-SVR2 from the domain.
1. Log on to NYC-SVR2 as Administrator, with the password, Pa$$w0rd.
2. Change NYC-SVR2's domain/workgroup membership to a workgroup named,
WORKGROUP.
3. Restart the server.

Task 5: Delete the NYC-SVR2 account.
Question: On NYC-DC1, refresh the view of the Computers container and
examine the NYC-SVR2 account. What is its status?
Answer: The status is Disabled.
Question: You were not prompted for domain credentials in Task 4, and yet a
change was made to the domain: the computer account was reset and disabled.
What credentials were used to do this? What credentials were used to change the
workgroup/domain membership of NYC-SVR2?
Answer: This is a tricky question. Domain credentials with appropriate permissions
are required to make a change to the domain, such as resetting and disabling a
computer account; and credentials that are in the local Administrators group on
the client are required to change the computer's workgroup/domain membership.
You were logged on to NYC-SVR2 as the local Administrator, so you were able to
change the computer's workgroup/domain membership. Normally, you would
have been prompted for domain credentials, but it just so happens that the local
Administrator account's user name, Administrator, and password, Pa$$w0rd, are
identical to those of the domain Administrator account, which of course has
permission to modify objects in the domain. Windows attempts to authenticate
you behind the scenes, and only prompts you for domain credentials if that
authentication fails. In this case, because the credentials were identical, you were
actually authenticated as the domain's Administrator.
In a production environment, the domain's Administrator account should have a
very long, complex, secure password that is different from the passwords used for
Administrator accounts on domain member computers.
1. Delete the NYC-SVR2 computer object.

Result: After completing this exercise, you will be familiar with typical legacy practices
used to join computers to a domain.
Exercise 2: Secure Computer Joins
In this exercise, you will implement best practices to secure the joining of
machines to the domain.
The main tasks for this exercise are as follows:
1. Redirect the default computer container.
2. Restrict unmanaged domain joins.
3. Validate the effectiveness of ms-DS-MachineAccountQuota.

Task 1: Redirect the default computer container.
1. On NYC-DC1, run a command prompt as an administrator with the user
name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Use the RedirCmp command to redirect the default computers container to
the New Computers OU in the contoso.com domain.

Task 2: Restrict unmanaged domain joins.
1. Run the ADSI Edit console as an administrator with the user name,
Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Connect to the domain and, in the properties of the domain, change the
ms-DS-MachineAccountQuota to zero (0).

Task 3: Validate the effectiveness of ms-DS-MachineAccountQuota.
Log on to NYC-SVR2 as Administrator and attempt to join NYC-SVR2 to the
contoso.com domain just as you did in Exercise 1. When prompted for
domain credentials, enter the user name, Aaron.Painter, and the password,
Pa$$w0rd.
In Exercise 1, Aaron Painter was able to join the domain. Now, he is unable to
join the domain.


Question: What message do you receive when a user is no longer able to create a
computer object because of the ms-DS-MachineAccountQuota?
Results: After completing this exercise, the container for creating computer accounts
will be redirected to the New Computers OU, and users will be restricted from joining
computers to the domain without explicit permissions to do so.
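An added example, not part of the course material: a pair of Active Directory Module functions that audit the two controls this exercise configures (the machine account quota and the default computers container) and, on request, apply them. The function names are my own; the OU path is the lab's New Computers OU, and redircmp.exe is the tool the exercise uses.

```powershell
# Added example (not from the course): audit and enforce the domain join
# controls from Exercise 2. Requires the Active Directory module and, for
# Set-DomainJoinControls, Domain Admins rights.
Import-Module ActiveDirectory

function Get-DomainJoinPosture {
    # Report ms-DS-MachineAccountQuota, where the default computers container
    # currently points, and any computer objects still parked in it.
    param([string]$Server)
    $domainArgs = @{}
    if ($Server) { $domainArgs['Server'] = $Server }

    $domain = Get-ADDomain @domainArgs
    $head   = Get-ADObject @domainArgs -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota'
    $quota  = [int]$head.'ms-DS-MachineAccountQuota'

    # The default quota is 10: any authenticated user may create ten computer
    # accounts. At 0, joins need an explicit delegation (as in Exercise 3).
    $parked = Get-ADComputer @domainArgs -Filter * `
                -SearchBase $domain.ComputersContainer -SearchScope OneLevel

    New-Object PSObject -Property @{
        Domain                 = $domain.DNSRoot
        MachineAccountQuota    = $quota
        AnyUserCanJoin         = ($quota -gt 0)
        DefaultComputersPath   = $domain.ComputersContainer
        RedirectedToOU         = ($domain.ComputersContainer -like 'OU=*')
        ComputersInDefaultPath = @($parked | ForEach-Object { $_.Name })
    }
}

function Set-DomainJoinControls {
    # Apply the exercise's settings: quota to 0 and redirect the default
    # container. redircmp.exe needs the domain functional level to be
    # Windows Server 2003 or higher. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$NewComputersOU,
        [string]$Server
    )
    $domainArgs = @{}
    if ($Server) { $domainArgs['Server'] = $Server }
    $domain = Get-ADDomain @domainArgs

    # Fail early if the target OU does not exist (the cmdlet throws when not found).
    $null = Get-ADOrganizationalUnit @domainArgs -Identity $NewComputersOU

    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADDomain @domainArgs -Identity $domain.DistinguishedName `
            -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, "Redirect default computers container to $NewComputersOU")) {
        & redircmp.exe $NewComputersOU
        if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }
    }
    Get-DomainJoinPosture @domainArgs
}

# Audit first; uncomment the second line to enforce (add -WhatIf to preview).
Get-DomainJoinPosture | Format-List
# Set-DomainJoinControls -NewComputersOU 'OU=New Computers,DC=contoso,DC=com'
```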

Exercise 3: Manage Computer Account Creation
In this exercise, you will implement several best practices for creating computer
accounts and joining machines to the domain.
The main tasks for this exercise are as follows:
1. Prestage a computer account.
2. Join a computer remotely to a prestaged account by using NetDom.

Task 1: Prestage a computer account.
1. On NYC-DC1, run Active Directory Users and Computers as an
administrator with the user name, Pat.Coleman_Admin, and the password,
Pa$$w0rd.
2. In the Servers\File OU, create a new computer object for NYC-SVR2 and give
the AD_Server_Deploy group permission to join the computer to the domain.

Task 2: Join a computer remotely to a prestaged account by using
NetDom.
In this task, you will join NYC-SVR2 to the domain remotely, using credentials that
are in the local Administrators group of NYC-SVR2 and domain credentials that are
in the AD_Server_Deploy group.
1. Run the command prompt as an administrator, with the user name,
Aaron.Painter_Admin, and the password, Pa$$w0rd.
Note that Aaron.Painter_Admin is not an administrator. The Run as an
administrator command allows you to run a process with any credentials, as
long as those credentials have sufficient privilege to run the process itself.
2. Type the command, whoami /groups, to list the group memberships of the
current account (Aaron.Painter_Admin). Note that the user is a member of
AD_Server_Deploy and is not a member of any other administrative group.
3. Using the NetDom command, join NYC-SVR2 to the domain. Use the local
Administrator account credentials for NYC-SVR2 and the domain credentials
for Aaron.Painter_Admin, who is a member of AD_Server_Deploy and
therefore has permission to join the computer to the domain. Configure the
server to reboot automatically in 5 seconds.
Type the following command, and then press ENTER.
netdom join NYC-SVR2 /domain:contoso.com
/UserO:Administrator /PasswordO:*
/UserD:CONTOSO\Aaron.Painter_Admin /PasswordD:*
/REBoot:5
Note: The NYC-SVR2 firewall exceptions are configured for ports 135, 139, and for Network
Discovery (NB-Name-In). These exceptions allow NetDom Join to be used to remotely
join NYC-SVR2 to the domain.
4. The server restarts.
5. Log on to NYC-SVR2 as Contoso\Pat.Coleman, with the password of
Pa$$w0rd. This confirms that the server has successfully joined the domain.
6. Log off from NYC-SVR2.

Results: After completing this exercise, NYC-SVR2 will be joined to the domain with an
account in the Servers\File OU.
Important: Do not shut down the virtual machines after you are finished with this lab because
the settings you have configured here will be used in Lab B.

Lab Review Questions
Question: What did you learn about the pros and cons of various approaches to
creating computer accounts in an AD DS domain?
Question: What are the two credentials that are necessary for any computer to join
a domain?


Lesson 2
Administer Computer Objects and Accounts
A computer account begins its life cycle when it is created and when the computer
joins the domain. Day-to-day administrative tasks include configuring computer
properties; moving the computer between OUs; managing the computer itself; and
renaming, resetting, disabling, enabling, and eventually deleting the computer
object. This lesson looks closely at the computer properties and procedures
involved with these tasks, and will equip you to administer computers in a domain.
Objectives
After completing this lesson, you will be able to:
Configure computer account properties.
Move a computer between OUs.
Recognize computer account problems.
Reset a computer account.
Rename a computer.
Disable and enable a computer.


Configure Computer Attributes
Key Points
When you create a computer object by using Active Directory Users and
Computers, you are prompted to configure only the most fundamental attributes,
including the computer name and the delegation to join the computer to the
domain. Computers have several properties that are not visible when you are
creating the computer object; you should configure these properties as part of the
process of staging the computer account.
Open a computer object's Properties dialog box to set its location and description,
configure its group memberships and dial-in permissions, and link it to the user
object of the user to whom the computer is assigned. The Operating System tab is
read-only. The information will be blank until a computer has joined the domain
using that account, at which time the client publishes the information to its
account.
Several object classes in Active Directory support the managedBy attribute that is
shown on the Managed By tab. This linked attribute creates a cross-reference to a
user object. All other properties on the tab (the addresses and telephone numbers)
are displayed directly from the user object. They are not stored as part of the
computer object itself. Some organizations use the Managed By tab to link the
computer to the primary user of the computer. Alternatively, you might choose to
link the computer to a group that is responsible for the support of a computer. For
example, this option might be attractive for computer accounts that represent
servers.
On the Member Of tab of a computer's Properties dialog box, you can add the
computer to groups. The ability to manage computers in groups is an important
and often underutilized feature of Active Directory. A group to which computers
belong can be used to assign resource access permissions to the computer, to filter
the application of a GPO, or as a collection for a software management tool, such
as Microsoft System Center Configuration Manager 2007.
As with users and groups, it is possible to select more than one computer object
and subsequently manage or modify properties of all selected computers
simultaneously.
Configuring Computer Attributes with DSMod
You can use the DSMod command to modify the description and the location
attributes of a computer object. It uses the following syntax.
dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]
Note: Content in the following section is specific to Windows Server 2008 R2.
Attributes of a computer account can also be managed by using Windows
PowerShell with Active Directory Module.
The following example demonstrates how to modify the ManagedBy attribute of
the computer LON-SRV1.
Set-ADComputer LON-SRV1 -ManagedBy 'CN=SQL Administrator
01,OU=UserAccounts,OU=Managed,DC=contoso,DC=com'

Move a Computer
Key Points
Many organizations have multiple OUs for computer objects. Some domains, for
example, have computer OUs based on geographic sites, as shown earlier in this
module. If you have more than one OU for computers, it is likely that someday you
will need to move a computer between OUs.
To move a computer by using the Active Directory Users and Computers snap-in,
you can use one of the following options:
Click the computer and then drag and drop the computer to the desired
location.
Right-click the computer, and then click Move.
The DSMove command allows you to move a computer object or any other object.
The syntax of DSMove is as follows.
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The -newname option allows you to rename an object. The -newparent option
allows you to move an object. To move a computer named, DESKTOP153, from
the Computers container to the NYC OU, you would type the following command.
dsmove "CN=DESKTOP153,CN=Computers,DC=contoso,DC=com" -newparent
"OU=NYC,OU=Client Computers,DC=contoso,DC=com"
Note: Content in the following section is specific to Windows Server 2008 R2.
You can also perform the move process for a computer by using Windows
PowerShell with Active Directory Module. This is performed by using pipelined
cmdlets, Get-ADComputer and Move-ADObject. The following example
demonstrates how to move the computer, Workstation1, to the
ManagedComputers OU in the contoso.com domain.
Get-ADComputer Workstation1 | Move-ADObject -TargetPath
'OU=ManagedComputers,DC=contoso,DC=com'
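An added example, not part of the course material, that ties the two preceding topics together for the Lab A scenario: it takes the computer objects parked in the default Computers container, sets the staging attributes described above (Description, Location, ManagedBy), and moves each one into the right OU with Move-ADObject. The function name, the ManagedBy group DN and the Location value are my assumptions; the OU paths are the lab's.

```powershell
# Added example (not from the course): stage and relocate computer objects
# found in the default Computers container. Requires the Active Directory module.
Import-Module ActiveDirectory

function Move-ParkedComputer {
    # Classify each parked computer by its OperatingSystem attribute, set
    # Description, Location and (for servers) ManagedBy, then move it.
    # Supports -WhatIf, so it can be run as a pure audit first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServersOU   = 'OU=File,OU=Servers,DC=contoso,DC=com',
        [string]$ClientsOU   = 'OU=NYC,OU=Client Computers,DC=contoso,DC=com',
        # Assumed DN for the lab's AD_Server_Deploy group.
        [string]$ServerOwner = 'CN=AD_Server_Deploy,OU=Groups,DC=contoso,DC=com',
        [string]$Location    = 'NYC'      # constructed sample value
    )
    $domain = Get-ADDomain

    # Both targets must exist; Get-ADOrganizationalUnit throws if one does not.
    foreach ($ou in @($ServersOU, $ClientsOU)) {
        $null = Get-ADOrganizationalUnit -Identity $ou
    }

    $parked = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
                -SearchScope OneLevel -Properties OperatingSystem, Description

    foreach ($c in $parked) {
        # The Operating System tab stays blank until the machine has joined and
        # published its details, so such objects cannot be classified yet.
        if (-not $c.OperatingSystem) {
            New-Object PSObject -Property @{
                Name = $c.Name; OperatingSystem = '(not yet published)'; NewParent = '(skipped)' }
            continue
        }
        $isServer = $c.OperatingSystem -like '*Server*'
        $target   = if ($isServer) { $ServersOU } else { $ClientsOU }

        # Leave a trail in the object itself: when it was staged and by whom.
        $setArgs = @{
            Identity    = $c
            Description = ('Staged {0:yyyy-MM-dd} by {1}' -f (Get-Date), $env:USERNAME)
            Location    = $Location
        }
        if ($isServer) { $setArgs['ManagedBy'] = $ServerOwner }

        if ($PSCmdlet.ShouldProcess($c.Name, "Set attributes and move to $target")) {
            Set-ADComputer @setArgs
            # A move changes only the DN; the SID and group memberships are kept.
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
        }
        New-Object PSObject -Property @{
            Name = $c.Name; OperatingSystem = $c.OperatingSystem; NewParent = $target }
    }
}

# Preview first, then apply by running without -WhatIf.
Move-ParkedComputer -WhatIf | Format-Table Name, OperatingSystem, NewParent -AutoSize
```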

Computer Account and Secure Channel
Key Points
Every member computer in an Active Directory domain maintains a computer
account with a user name (sAMAccountName) and password, just like a user
account does. The computer stores its password in the form of a local security
authority (LSA) secret and changes its password with the domain every 30 days or
so. The NetLogon service uses the credentials to log on to the domain, which
establishes the secure channel with a domain controller.
Computer accounts and the secure relationships between computers and their
domain are robust. However, certain scenarios might arise in which a computer is
no longer able to authenticate with the domain. Examples of such scenarios
include the following:
After reinstalling the operating system on a workstation, the workstation is
unable to authenticate, even though the technician used the same computer
name. Because the new installation generated a new SID and because the new
computer does not know the computer account password in the domain, it
does not belong to the domain and cannot authenticate to the domain.
A computer is completely restored from backup and is unable to authenticate.
It is likely that the computer changed its password with the domain after the
backup operation. Computers change their passwords every 30 days, and
Active Directory remembers the current and previous password. If the restore
operation restored the computer with a significantly outdated password, the
computer will not be able to authenticate.
A computer's LSA secret gets out of synchronization with the password known
by the domain. You can think of this as the computer forgetting its password;
although it did not forget its password, it just disagrees with the domain over
what the password really is. When this happens, the computer cannot
authenticate and the secure channel cannot be created.


Recognize Computer Account Problems
Key Points
The most common signs of computer account problems are the following:
Messages at logon indicate that a domain controller cannot be contacted, that
the computer account might be missing, that the password on the computer
account is incorrect, or that the trust relationship (another way of saying the
secure relationship) between the computer and the domain has been lost. An
example is shown here.
Error messages or events in the event log indicate similar problems or suggest
that passwords, trusts, secure channels, or relationships with the domain or a
domain controller have failed. One such error is NETLOGON Event ID 3210:
Failed To Authenticate, which appears in the computer's event log.
A computer account is missing in Active Directory.

Reset a Computer Account
Key Points
When the secure channel fails, you must reset the secure channel. Many
administrators do so by removing the computer from the domain, putting it in a
workgroup, and then rejoining the domain. This is not a good practice because it
has the potential to delete the computer account altogether, which loses the
computer's SID, and more importantly, its group memberships. When you rejoin
the domain, even though the computer has the same name, the account has a new
SID, and all the group memberships of the previous computer object must be re-
created.
Do not remove a computer from the domain and rejoin it.
If the trust with the domain has been lost, do not remove a computer from the
domain and rejoin it. Instead, reset the secure channel.
To reset the secure channel between a domain member and the domain, use the
Active Directory Users and Computers snap-in, DSMod.exe, NetDom.exe, or
NLTest.exe. If you reset the account, the computer's SID remains the same and it
maintains its group memberships.
To reset the secure channel by using the Active Directory Users and Computers
snap-in:
1. Right-click a computer, and then click Reset Account.
2. Click Yes to confirm your choice.
3. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using DSMod:
1. Type the following command.
dsmod computer "ComputerDN" -reset
2. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using NetDom:
Type the following command,
netdom reset MachineName /domain DomainName /UserO UserName
/PasswordO {Password | *}
where the credentials belong to the local Administrators group of the
computer.
This command resets the secure channel by attempting to reset the password
on both the computer and the domain, so it does not require rejoining or
rebooting.

To reset the secure channel by using NLTest, on the computer that has lost its
trust, type the following command.
NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER
For example, the following command, like NetDom, attempts to reset the secure
channel by resetting the password on both the computer and in the domain, so it
does not require rejoining or restarting.
nltest /server:NYC-SVR2 /sc_reset:CONTOSO\NYC-SVR2
Because NLTest and NetDom reset the secure channel without requiring a reboot,
you should try those commands first. Only if those are not successful should you
use the Reset Account command or DSMod to reset the computer account.
Note: Content in the following section is specific to Windows Server 2008 R2.
You can also use Windows PowerShell with Active Directory Module to reset a
computer account. The following example demonstrates how to reset the secure
channel between the local computer and the domain to which it is joined. You
must run this command on the local computer.
Test-ComputerSecureChannel -Repair
For a full explanation of the parameters that you can pass to
Test-ComputerSecureChannel, at the Active Directory Module command prompt, type
Get-Help Test-ComputerSecureChannel -Detailed, and then press ENTER.
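An added example, not part of the course material, that covers both the symptoms listed under Recognize Computer Account Problems and the repair order recommended here: it checks the secure channel, looks for NETLOGON event 3210 in the System log, captures nltest's view of the channel, and only with -Repair attempts the in-place reset (the PowerShell equivalent of netdom reset), leaving Reset Account plus rejoin as the fallback. The function name is my own; run it on the member that is failing to authenticate.

```powershell
# Added example (not from the course): triage a member's domain membership and,
# on request, repair the secure channel without a rejoin or reboot.
function Test-DomainMembershipHealth {
    [CmdletBinding()]
    param(
        [string]$Domain = 'CONTOSO',         # NetBIOS name of the lab domain
        [switch]$Repair,                     # attempt the non-disruptive reset
        # Domain credentials allowed to reset the computer object's password;
        # if omitted, the computer's own credentials are used.
        [System.Management.Automation.PSCredential]$Credential
    )

    # 1. Is the secure channel usable right now? Test-ComputerSecureChannel
    #    returns $true/$false and throws when the machine is not domain-joined.
    $channelOk = $false
    try { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { $channelOk = $false }

    # 2. Recent "Failed To Authenticate" events (NETLOGON 3210) in the System log.
    #    Get-WinEvent reports an error when nothing matches, hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue)

    # 3. nltest's own view of the channel, kept verbatim for the report.
    $scQuery = (& nltest.exe /sc_query:$Domain 2>&1) -join ' '

    $report = New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        SecureChannelOk = $channelOk
        Netlogon3210    = $events.Count
        LastFailure     = if ($events.Count) { $events[0].TimeCreated } else { $null }
        ScQuery         = $scQuery
        Action          = 'None'
    }

    if (-not $channelOk -and $Repair) {
        # Same effect as netdom reset: the password is reset on both the
        # computer and the domain, so no rejoin or restart is needed.
        $repairArgs = @{ Repair = $true }
        if ($Credential) { $repairArgs['Credential'] = $Credential }
        $fixed = Test-ComputerSecureChannel @repairArgs
        $report.Action = if ($fixed) { 'Repaired in place' } else {
            'Repair failed: use Reset Account (or dsmod computer -reset) on the DC, then rejoin' }
    }
    $report
}

# Diagnose only; add -Repair (and -Credential (Get-Credential)) to attempt the reset.
Test-DomainMembershipHealth -Domain CONTOSO | Format-List
```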
Rename a Computer
Key Points
When you rename a computer, you must be careful to do it correctly. Remember
that the computer uses its name to authenticate with the domain, so if you rename
only the domain object, or only the computer itself, they will be out of synch. You
must rename the computer in such a way that both the computer and the domain
object are changed.
You can rename a computer correctly by logging on to the computer, either locally
or with a remote desktop session.
1. Open System Properties from Control Panel.
2. In the Computer name, domain, and workgroup settings section, click
Change Settings.
3. If you are prompted by User Account Control, click Continue.
4. Click the Computer Name tab.
5. Click the Change button.

6. Type the new name and click OK twice to close the dialog boxes.
7. Restart the computer to allow the change to take effect.

From the command prompt, you can use the NetDom command, with the
following syntax.
netdom renamecomputer MachineName /NewName:NewName
[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]
[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ]
[/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
In addition to specifying the machine to rename (MachineName) and the desired
new name (NewName), you must have credentials that are a member of the local
Administrators group on the computer and credentials that have permission to
rename the domain computer object. By default, NetDom will use the credentials
with which the command is run. You can specify credentials by using /UserO and
/PasswordO for the credentials in the computer's local Administrators group, and
/UserD and /PasswordD for the domain credentials with permission to rename the
computer object. Specifying * for the password causes NetDom.exe to prompt for
the password at the command prompt. The /SecurePasswordPrompt option
displays a popup for credentials when * is specified for either /PasswordO or
/PasswordD. After you rename a computer, you must reboot the computer. The
/REBoot option causes the system to reboot after 30 seconds, unless otherwise
specified by TimeInSeconds.
When you rename a computer, you can adversely affect services running on the
computer. For example, Active Directory Certificate Services (AD CS) relies on the
server's name. Be certain to consider the impact of renaming a computer before
doing so. Do not use these methods to rename a domain controller.
Note: The content in the following section is specific to Windows Server 2008 R2.
It is also possible to use Windows PowerShell with Active Directory Module to
rename a computer. You can use this approach to change the local computer name
and to change the Active Directory computer object name. The following example
demonstrates how to rename the local domain-joined computer on which the
command is being run. This command must be run on the local computer.
Rename-Computer -NCN MyComputer
The second example shows how to change the name of the computer object named,
Server1, in the ManagedComputers OU in the contoso.com domain.
Rename-ADObject 'CN=fabrikamsrv1,OU=ManagedComputers,DC=Fabrikam,DC=com' -NewName fabrikamsrv3

Disable and Enable a Computer
Key Points
If a computer is taken offline or is not to be used for an extended period of time,
you should consider disabling the account. This recommendation reflects the
security principle that an identity store should allow authentication only of the
minimum number of accounts required to achieve the goals of an organization.
Disabling the account does not modify the computer's SID or group membership,
so when the computer is brought back online, the account can be enabled.
To disable a computer in the Active Directory Users and Computers snap-in, right-
click the computer, and then click Disable Account.
A disabled account appears with a down-arrow icon in the Active Directory Users
And Computers snap-in, as shown here:
While an account is disabled, the computer cannot create a secure channel with
the domain. The result is that users who have not previously logged on to the
computer, and who therefore do not have cached credentials on the computer, will
be unable to log on until the secure channel is reestablished by enabling the
account.
To enable a computer account, right-click the computer, and then click Enable
Account.
To disable or enable a computer from the command prompt, use the DSMod
command. The syntax used to disable or enable computers is as follows.
dsmod computer ComputerDN -disabled yes
dsmod computer ComputerDN -disabled no

Delete and Recycle Computer Accounts
Key Points
You have learned that each computer account, like each user account, maintains a
unique SID, which enables an administrator to grant permissions to computers.
Also, like user accounts, computers can belong to groups. Therefore, it is important
to understand the effect of deleting a computer account. When a computer account
is deleted, its group memberships and SID are lost. If the deletion is accidental,
and another computer account is created with the same name, it is nonetheless a
new account, with a new SID. Group memberships must be reestablished, and any
permission assigned to the deleted computer must be reassigned to the new
account. Delete computer objects only when you are certain that you no longer
require those security-related attributes of the object.
To delete a computer account by using Active Directory Users and Computers,
perform the following steps:
1. Right-click the computer object, and then click Delete.
You are prompted to confirm the deletion, and because deletion is not
reversible, the default response to the prompt is No.
2. Click Yes to delete the object.
The DSRm command allows you to delete a computer object from the command
prompt. To delete a computer with DSRm, type the following command.
dsrm ObjectDN
where ObjectDN is the distinguished name of the computer, such as
CN=Desktop154,OU=NYC,OU=Client Computers,DC=contoso,DC=com. Again,
you will be prompted to confirm the deletion.
Recycling Computers
If a computer account's group memberships and SID, and the permissions
assigned to that SID, are important to the operations of a domain, you do not want
to delete that account. So what would you do if a computer was replaced with a
new system, with upgraded hardware? That is another scenario in which you
would reset a computer account.
Resetting a computer account resets its password, but maintains all of the
computer object's properties. With a reset password, the account becomes, in
effect, available for use. Any computer can then join the domain using that account,
including the upgraded system. In effect, you've recycled the computer account,
assigning it to a new piece of hardware. You can even rename the account. The SID
and group memberships remain the same.
As you learned earlier in this lesson, the Reset Account command is available in the
context menu when you right-click a computer object. The DSMod command can
also be used to reset a computer account, when you type dsmod computer
"ComputerDN" -reset.
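The following script is an added example written for this page; it is not code from the course. It makes the difference between deleting and recycling a computer account visible: it records the SID and group memberships of a computer object, resets the account with the course's own dsmod command and shows that both survive, and then, only if you opt in, deletes and recreates the object to show that the new object carries a different SID and no memberships. It assumes the Active Directory module for Windows PowerShell on a Windows Server 2008 R2 domain controller; the computer name LOT9179 is taken from the lab and the switch $DemonstrateDelete is a constructed placeholder.

```powershell
# Added example, not from the 6425C courseware. Requires the Active Directory
# module and dsmod.exe; run as a user allowed to reset, delete and create
# computer objects in a lab domain. The computer name is a lab placeholder.
Import-Module ActiveDirectory

function Get-ComputerIdentityReport {
    # Snapshot of the attributes the text says are lost on deletion.
    param([Parameter(Mandatory = $true)][string]$Name)
    $c = Get-ADComputer -Identity $Name -Properties MemberOf, PasswordLastSet
    [pscustomobject]@{
        Name            = $c.Name
        DN              = $c.DistinguishedName
        SID             = $c.SID.Value
        PasswordLastSet = $c.PasswordLastSet
        Groups          = @($c.MemberOf | Sort-Object)
    }
}

function Compare-ComputerIdentity {
    # True/False view of what changed between two snapshots.
    param($Before, $After)
    [pscustomobject]@{
        SameSID         = ($Before.SID -eq $After.SID)
        SameGroups      = (($Before.Groups -join ';') -eq ($After.Groups -join ';'))
        PasswordChanged = ($Before.PasswordLastSet -ne $After.PasswordLastSet)
    }
}

$name   = 'LOT9179'          # lab computer object used as the placeholder
$before = Get-ComputerIdentityReport -Name $name

# Recycle path: the course's dsmod command. Only the password changes, so the
# SID stays valid in every ACL that references it and group scoping is kept.
& dsmod.exe computer $before.DN -reset | Out-Null
$afterReset = Get-ComputerIdentityReport -Name $name
Write-Output 'After reset (dsmod computer -reset):'
Compare-ComputerIdentity -Before $before -After $afterReset

# Delete-and-recreate path, opt-in because it is destructive. The new object
# is a new security principal: ACEs that named the old SID are now orphaned
# and every group membership has to be granted again by hand.
$DemonstrateDelete = $false   # constructed switch; set to $true in a lab only
if ($DemonstrateDelete) {
    $ou = ($before.DN -replace '^CN=[^,]+,', '')
    Remove-ADComputer -Identity $before.DN -Confirm:$false
    New-ADComputer -Name $name -Path $ou
    $afterDelete = Get-ComputerIdentityReport -Name $name
    Write-Output 'After delete and recreate:'
    Compare-ComputerIdentity -Before $before -After $afterDelete
}
```

Remove-ADComputer refuses to delete a computer object that has child objects (for example, published printers or BitLocker recovery information); that is the same protection the console gives you, and it is a useful moment to check whether the object really is unused before forcing the deletion.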

Lab B: Administer Computer Objects and Accounts
Lab Setup
The virtual machines should already be started and available after completing Lab A. However, if they are not, you should complete steps 1 to 3 and then step through exercises 1 to 3 in Lab A before continuing. You will be unable to successfully complete Lab B unless you have completed Lab A.
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd.
3. Start 6425C-NYC-SVR2. Do not log on until directed to do so.

Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, a number of
computer accounts were discovered. Those computers no longer exist in the
domain. You've been tasked with improving the management of computer
accounts, and identifying the best practices for administering the entire life cycle of
a computer account.

Exercise 1: Administer Computer Objects Through Their Life
Cycle
In this exercise, you will configure common attributes of computer objects,
including description and ManagedBy. You will also manage the group
membership of computers and move computers between OUs.
The main tasks for this exercise are as follows:
1. Configure computer object attributes.
2. Add computers to software management groups.
3. Move a computer between OUs.
4. Disable, enable, and delete computers.


Task 1: Configure computer object attributes.
1. On NYC-DC1, run Active Directory Users and Computers as an
administrator, with the user name, Pat.Coleman_Admin, and the password,
Pa$$w0rd.
2. In the Client Computers\SEA OU, use the Managed By tab of computer
objects to assign LNO8538 to Linda Mitchell and LOT9179 to Scott
Mitchell.
3. Because Scott and Linda Mitchell will occasionally use each other's computer,
use multiselect to change the description of both LNO8538 and LOT9179 to
Scott and Linda Mitchell.
Task 2: Add computers to software management groups.
Microsoft Office Project is required on both Scott's and Linda's computers.
Contoso, Ltd. uses security groups as collections for scoping the deployment of
software. You will add each of their computers to the group, APP_Project, by using
two different methods.
1. In the Client Computers\SEA OU, right-click LOT9179, and then click Add
to a group.
2. Type APP_ and press ENTER.
The Multiple Items Found dialog box appears.
3. Click APP_Project, and then click OK.
A message appears: The Add to Group operation was successfully completed.
4. Click OK.
5. In the console tree, expand the Groups OU, and then click Application.
6. Right-click APP_Project, and then click Properties.
7. Click the Members tab.
8. Click Add.
9. Type LNO8538 and press ENTER.
The Name Not Found dialog box appears.
By default, the Select Users, Computers, or Groups interface does not search
for computer objects.
10. Click Object Types.
11. Select the check box next to Computers, and then click OK.
12. Click OK to close the Name Not Found dialog box.
Both computers can now be seen on the Members tab.
13. Click OK.
Task 3: Move a computer between OUs.
Scott and Linda are relocating to the Vancouver office. You will move their
computers to the new OU by using two different methods.
1. In the Client Computers\SEA OU, click LOT9179.
2. Drag LOT9179 into the VAN OU, visible in the console tree.
A message appears that reminds you to be careful about moving objects in
Active Directory.
3. Click Yes.
4. Right-click LNO8538, and then click Move.
The Move dialog box appears.
5. In the console tree, expand Client Computers, and then click VAN.
6. Click OK.

Task 4: Disable, enable, and delete computers.
1. In the Client Computers\SEA OU, disable, and then enable the account for
DEP6152.
2. Delete the account for DEP6152.

Result: In this exercise, you added computers to software management groups, moved
a computer between OUs, and deleted a computer.
Exercise 2: Administer and Troubleshoot Computer
Accounts
In this exercise, you will administer and troubleshoot computer accounts and the
secure channel.
The main tasks for this exercise are as follows:
1. Reset a computer account.
2. Experience a secure channel problem.
3. Reset the secure channel.

Task 1: Reset a computer account
Recently, Scott Mitchell's computer required reinstallation. The naming convention
at Contoso, Ltd. is to use the name of a computer object as its asset tag, assigned
by the IT inventory team. Because Scott reinstalled his computer on the same piece
of hardware, the computer name is the same: LOT9179. He now wants to join the
machine to the domain, but there is already an account for LOT9179, and the
account is a member of groups that ensure the correct software (including
Microsoft Office Project) and configuration are applied to the system. Therefore, it
is important that the account not be deleted, so that group memberships can be
retained.
In the Client Computers\VAN OU, reset the account for LOT9179.
You could now join Scott's reinstalled computer to the domain.

Task 2: Experience a secure channel problem.
1. Log on to NYC-SVR2 as Pat.Coleman, with the password, Pa$$w0rd. After the
desktop appears, log off.
2. To "break" the secure channel, use Active Directory Users and Computers on
NYC-DC1 to reset the account for NYC-SVR2.
3. Attempt to log on to NYC-SVR2 as Pat.Coleman, with the password,
Pa$$w0rd.
Task 3: Reset the secure channel.
To solve a broken trust relationship between a domain member and the domain,
you can reset the computer's account, move the computer into a workgroup, and
then rejoin the domain.
Reset the computer account for NYC-SVR2.
After resetting the secure channel, you could move NYC-SVR2 into a
workgroup, and then rejoin the domain. It will join its reset account, thereby
retaining its group memberships. Do not perform that step at this time.

Result: In this exercise, you addressed secure channel issues.
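As an added example that is not part of the lab, the script below checks the state of a member's secure channel from the member itself and, if the channel is broken, repairs it in place with Test-ComputerSecureChannel -Repair. That cmdlet is an alternative to the reset-then-disjoin-and-rejoin sequence described in Task 3: it resets the machine account password on both sides in one step, so the account keeps its SID and group memberships. It assumes Windows Server 2008 R2 or Windows 7 (PowerShell 2.0 with nltest.exe available), that you run it as a local administrator on the member (for example NYC-SVR2, where domain logon has just failed), and it prompts for a domain account that may reset the computer account; Get-SecureChannelState is a helper name chosen here.

```powershell
# Added example, not from the 6425C courseware. Run on the domain member as a
# local administrator; when the secure channel is broken, domain logon fails but
# local logon still works, which is why this runs from the local account.

function Get-SecureChannelState {
    # Returns whether the channel is healthy plus nltest's own diagnostic text.
    param([string]$Domain = (Get-WmiObject Win32_ComputerSystem).Domain)
    $healthy = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    # nltest /sc_verify names the domain controller the channel is set up with
    # and reports the status of the trust without changing anything.
    $detail = (& nltest.exe "/sc_verify:$Domain" 2>&1) -join "`n"
    [pscustomobject]@{
        Domain  = $Domain
        Healthy = [bool]$healthy
        Detail  = $detail
    }
}

$state = Get-SecureChannelState
$state.Detail

if (-not $state.Healthy) {
    # -Repair resets the machine account password here and in AD DS in one
    # operation. The computer object is not deleted, so its SID and group
    # memberships survive, which is the reason the text prefers a reset.
    $domainAdmin = Get-Credential    # account allowed to reset this computer account
    Test-ComputerSecureChannel -Repair -Credential $domainAdmin | Out-Null
    $state = Get-SecureChannelState
}

'Secure channel healthy: {0}' -f $state.Healthy
```

When the repair succeeds, a domain user such as Pat.Coleman can log on again without a restart and without moving the server through a workgroup.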


Lab Review Question
Question: What insights did you gain into the issues and procedures regarding
computer accounts and administering computer accounts through their life cycle?



Lesson 3
Offline Domain Join
Offline Domain Join is a new functionality specific to Windows Server 2008 R2. This functionality enables administrators to join computers to a domain without network connectivity. In this lesson you will learn how Offline Domain Join works and how to use it.
Objectives
After completing this lesson you will be able to:
Describe Offline Domain Join.
Describe the process for performing an Offline Domain Join.
Perform an Offline Domain Join.
Note: The content in this lesson is specific to Windows Server 2008 R2.
What Is an Offline Domain Join?
Key Points
In earlier Windows versions, it was mandatory to have a network connection to a domain controller to join a computer to the Active Directory domain. In some scenarios, this can be a limitation. For example, if you need to perform a full provision of computers that are currently not connected to a network, or not located in the same place as domain controllers, you cannot complete the process unless you join the computers to a domain, and restart them once more after network connections are established.
Offline Domain Join is a new functionality in Windows Server 2008 R2 and Windows 7 that allows you to join a computer to a domain without actually being connected to the network where the domain controller resides. In fact, all preparation steps are performed on a domain controller and a computer while it is still offline. After it gets connected to a network, a trust relationship with the domain is established without any user intervention. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as data centers.
You can also benefit from the Offline Domain Join feature if you are deploying
virtual machines. Offline Domain Join makes it possible for you to join the virtual
machines to the domain when they initially start following the operating system
installation. No additional restart is required to complete the domain join. This can
significantly reduce the overall time required for wide-scale virtual machine
deployments.
To perform an Offline Domain Join, you do not have to have domain controllers
running on Windows Server 2008 R2. It is also not mandatory to have the domain
or forest in the Windows Server 2008 functional mode. The only essential
requirement for using this method is that the machine used for provisioning and
the machine being provisioned must have Windows 7 or Windows Server 2008
R2.
Process for Performing an Offline Domain Join
Key Points
To perform an Offline Domain Join, you must use a new command-line utility named, Djoin.exe. This utility is used to both provision computer accounts into AD DS and for inserting domain data into the operating system of the computer that is being joined to the domain by using this method.
Performing an Offline Join by Using Djoin.exe
Djoin.exe performs the following tasks:
Provisions a new computer account into AD DS. This precreates a computer account and sets it up to be connected at a later date.
Generates a text file (a blob) that contains information that is necessary for an Offline Domain Join. The blob contains the machine account password and other information about the domain, including the domain name, the name of a domain controller, the SID of the domain, and so on.
Inserts the data provided in the blob into the operating system of the computer being joined to the domain.

Prerequisites for Performing an Offline Join
The computer on which you run Djoin.exe to provision computer account data
into AD DS must be running Windows 7 or Windows Server 2008 R2. The
computer that you want to join to the domain must also be running Windows 7 or
Windows Server 2008 R2.
It is not mandatory that you perform an Offline Domain Join right after you
provision a computer account into AD DS. You can do it at any time later.
To perform an Offline Domain Join, you must have the rights that are necessary to
join workstations to the domain and to create computer accounts in the domain.
Members of the Domain Admins group have these rights by default. If you are not
a member of the Domain Admins group, a member of the Domain Admins group
must delegate you the right to join computers to the domain by using Group Policy
or by editing an ACL of the container where the computer account will be stored.
Djoin.exe should be run at an elevated command prompt to provision the
computer account metadata. When you run the provisioning command, the
computer account metadata is created in a .txt file that you specify as part of the
command. After you run the provisioning command, you can either run Djoin.exe
again to request the computer account metadata and insert it into the Windows
directory of the destination computer, or you can save the computer account
metadata in the Unattend.xml file and then specify the Unattend.xml file during an
unattended operating system installation of the destination computer.
Offline Domain Join Process
The Offline Domain Join process includes the following steps:
1. Run the djoin.exe /provision command to create the computer account
metadata for the destination computer (the computer that you want to join to
the domain). As part of this command, you must specify the name of the
domain that you want the computer to join and the name of the computer, as
follows.
djoin /provision /domain contoso.com /machine DESKTOP123 /savefile
C:\desktop123.txt
After performing this step, a computer account named, DESKTOP123, will be
provisioned to AD DS, and a blob file named desktop123.txt will be created. Now
you have to transfer this file to the computer that is being joined to the domain.
Note: The base64-encoded metadata blob that is created by the provisioning command
contains very sensitive data. It should be treated just as securely as a plaintext password.
2. Run the djoin.exe /requestODJ command to insert the computer account
metadata into the Windows directory of the destination computer, as follows.
djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot%
/localos
3. When you start the destination computer, either as a virtual machine or after a
complete operating system installation, the computer will be joined to the
domain that you specify.
The switch /localos from the previous command is used only if you perform a
djoin operation on the computer that you are joining to the domain. However, if
during the provisioning process, you are mounting system hard drives (virtual or
physical) from the computers that you are provisioning, you should not use the
/localos switch.
Note: Using deployment tools such as Windows System Image Manager, you can perform an
unattended domain join during an operating system installation by providing
information that is relevant to the domain join in an Unattend.xml file. Using the same
Unattend.xml file, you can supply the information that is necessary for the computers
that run Windows 7 and Windows Server 2008 R2 to perform an Offline Domain Join.
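The provisioning half of the process above, as an added example that is not part of the course: it runs djoin.exe /provision, stops if djoin reports failure, removes inherited permissions from the blob file so that only the provisioning user and local Administrators can read it (the Note above says the blob is as sensitive as a plaintext password), and then confirms in AD DS that the account was created in the intended container. It assumes a Windows Server 2008 R2 machine with the Active Directory module; contoso.com and DESKTOP123 are the page's own values, the OU path is a constructed placeholder, and /machineou is a real djoin switch that the page does not show, used so the account does not land in the default Computers container.

```powershell
# Added example, not from the 6425C courseware. Run at an elevated prompt on a
# Windows Server 2008 R2 machine as a user allowed to create computer accounts.
Import-Module ActiveDirectory

function New-OfflineJoinBlob {
    # Provisions the account and writes the blob; the blob is then locked down.
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Machine,
        [Parameter(Mandatory = $true)][string]$MachineOU,
        [Parameter(Mandatory = $true)][string]$BlobPath
    )
    # /machineou is a real djoin switch (not shown on the page): it places the
    # new object in the given OU instead of the default Computers container.
    & djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed with exit code $LASTEXITCODE"
    }
    # The blob carries the machine account password. Drop inherited ACEs and
    # allow only the current user (read) and BUILTIN\Administrators (full).
    & icacls.exe $BlobPath /inheritance:r /grant:r "$($env:USERNAME):(R)" '*S-1-5-32-544:(F)' | Out-Null
    Get-Item $BlobPath
}

function Test-ProvisionedAccount {
    # Confirms the object exists and reports the container it was created in.
    param([string]$Machine, [string]$ExpectedOU)
    $c = Get-ADComputer -Identity $Machine -Properties whenCreated
    $container = ($c.DistinguishedName -replace '^CN=[^,]+,', '')
    [pscustomobject]@{
        Name         = $c.Name
        Container    = $container
        InExpectedOU = ($container -eq $ExpectedOU)
        Created      = $c.whenCreated
    }
}

$domain  = 'contoso.com'
$machine = 'DESKTOP123'
$ou      = 'OU=NYC,OU=Client Computers,DC=contoso,DC=com'   # placeholder OU
$blob    = Join-Path $env:TEMP "$machine.txt"

$file = New-OfflineJoinBlob -Domain $domain -Machine $machine -MachineOU $ou -BlobPath $blob
'Blob written: {0} ({1} bytes)' -f $file.FullName, $file.Length
Test-ProvisionedAccount -Machine $machine -ExpectedOU $ou
```

Copy the blob to the destination computer over a channel you would trust with a password, run the djoin /requestODJ command from step 2 there, and delete the blob from both machines once the join has completed; nothing in the file is needed after the destination computer has restarted and joined.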

Question: What is the content of the text file that is created during a djoin
provisioning process?


Demonstration: Perform an Offline Domain Join
Key Points
In this demonstration, your instructor will show you how to perform an Offline Domain Join.
Demonstration Steps
Provision a new computer account called, NYC-CL2, in the contoso domain by using the djoin utility.
Lab C: Perform an Offline Domain Join
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 6425C-NYC-DC1 virtual machine is running.
3. Log on to 6425C-NYC-DC1 by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Domain: Contoso
4. Start the 6425C-NYC-CL2 virtual machine. Do not log on to the client machine until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. You must provision a large number of
new computers in a short period of time. Not all computers can have network
connectivity, so you have decided to leverage the Offline Domain Join
functionality. In this lab, you will test this functionality on one virtual machine.

Exercise 1: Perform an Offline Domain Join
In this exercise, you will perform an Offline Domain Join.
The main tasks for this exercise are as follows:
1. Ensure that the client computer is not joined to the domain.
2. Provision a computer account and perform an Offline Domain Join.

Task 1: Ensure that the client computer is not joined to the domain.
1. Log on to NYC-CL2 as Admin, with the password, Pa$$w0rd.
2. Open System Properties and ensure that the computer is joined to a
workgroup, instead of a domain.

Task 2: Provision a computer account and perform an Offline Domain
Join
1. On NYC-DC1, open a command prompt using administrative credentials and
use djoin.exe to provision a new computer account to AD DS by typing the
following command.
djoin /provision /domain contoso.com /machine NYC-CL2 /savefile
C:\NYC-CL2.txt
2. Open Active Directory Users and Computers and verify that the NYC-CL2
machine has been provisioned in the Computers container.
3. On NYC-CL2, create a folder called C:\DJOIN. Use Windows Explorer and
browse to \\NYC-DC1\C$.
4. Copy NYC-CL2.txt to the C:\DJOIN folder.
5. Open a Command Prompt using administrative privileges, type the following
command, and then press ENTER.
djoin /requestodj /loadfile C:\DJOIN\NYC-CL2.txt /windowspath
%SystemRoot% /localos
6. After the command is completed, restart NYC-CL2.
7. Log on as Contoso\Pat.coleman and ensure that NYC-CL2 is joined to the
contoso.com domain.
Result: In this exercise, you joined the NYC-CL2 computer to the domain by using
Offline Domain Join technology.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR2 and 6425C-NYC-CL2.

Module Review and Takeaways
Review Questions
1. What is the main difference between the Computers container and an OU?
2. When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?
3. When performing an Offline Domain Join, what should you do after you provision a new computer account to the domain by using the djoin.exe utility?
Common Issues Related to Computer Account Management
Issue | Troubleshooting tip
The computer cannot be joined to domain. | Check if the domain controller is available. Check the IP address and DNS settings on a client computer. Check if the account that is being used to
(continued) join the computer to the domain has appropriate privileges to join computer to domain.
Group Policy is not applied to the computer after it is joined to the domain. |
Offline Domain Join is not working as expected. | Check if the name of the provisioned computer account is the same as the name of the computer being joined to the domain. Make sure that you do not use the /localos switch if you are mounting a drive from the destination computer.

Real-World Issues and Scenarios
1. You are working as an IT technician in Contoso, Ltd. You are managing the
Windows Server-based infrastructure. You have to find a method for joining
new Windows 7-based computers to a domain during the installation process
without intervention of a user or an administrator.

Best Practices Related to Computer Account Management
Always provision a computer account before joining computers to a domain
and place them in appropriate OUs.
Redirect the default Computer container to another location.
Reset the computer account, instead of just doing a disjoin and rejoin.
Integrate the Offline Domain Join functionality with unattended installations.

Tools
Tool | Use for | Where to find it
Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools
CSVDE, LDIFDE | Importing computer accounts in AD DS | Windows Server 2008 command prompt
Djoin.exe | Offline domain join | Windows Server 2008 command prompt

Content Specific to Windows Server 2008 R2
Lesson | Content | Subject
Lesson 1 and 2 | Topics where Windows PowerShell is used | Windows PowerShell with Active Directory Module
Lesson 3 | All topics | Offline Domain Join

Implementing a Group Policy Infrastructure 6-1
Module 6
Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy 6-4
Lesson 2: Implement Group Policy Objects 6-21
Lab A: Implement Group Policy 6-38
Lesson 3: A Deeper Look at Settings and GPOs 6-42
Lab B: Manage Settings and GPOs 6-64
Lesson 4: Group Policy Preferences
Lab C: Manage Group Policy Preferences
Lesson 5: Manage Group Policy Scope 6-71
Lab D: Manage Group Policy Scope 6-102
Lesson 6: Group Policy Processing 6-110
Lesson 7: Troubleshoot Policy Application 6-120
Lab E: Troubleshoot Policy Application 6-132

Module Overview
In Module 1, you learned that Active Directory Domain Services (AD DS) provides the foundational services of an identity and access solution for enterprise networks running Windows, and that AD DS also supports the management and configuration of even the largest, most complex networks. In Modules 2 through 5, you learned how to administer AD DS security principals: users, groups, and computers. Now, you will examine the management and configuration of users and computers by using Group Policy. Group Policy provides an infrastructure within which settings can be defined centrally and deployed to users and computers in the enterprise.
In an environment managed by a well-implemented Group Policy infrastructure,
little or no configuration needs to be made by directly touching a desktop. The
entire configuration is defined, enforced, and updated by using the settings in
Group Policy objects (GPOs) that affect a portion of the enterprise as broad as an
entire site or a domain, or as narrow as a single organizational unit (OU) or a
group. In this module, you will learn what Group Policy is, how it works, and how
best to implement it in your organization. Several subsequent modules will apply
Group Policy to specific management tasks such as security configuration, software
deployment, password policy, and auditing.
Objectives
After completing this module, you will be able to:
Describe the components and technologies that comprise the Group Policy
framework.
Implement GPOs.
Configure and understand a variety of policy setting types.
Understand and configure Group Policy preferences.
Scope GPOs by using links, security groups, Windows Management
Instrumentation filters, loopback processing, and preference targeting.
Describe how GPOs are processed.
Locate the event logs containing Group Policy-related events and troubleshoot
Group Policy application.

Lesson 1
Understand Group Policy
A Group Policy infrastructure has several moving parts. You need to understand not only what each part does, but also how they work together and why you might want to assemble them in various configurations. In this lesson, you will get a comprehensive overview of Group Policy: its components, its functions, and its inner workings.
Objectives
After completing this lesson, you will be able to:
Identify the business drivers for configuration management.
Understand the core components and terminology of Group Policy.
Explain the fundamentals of Group Policy processing.

What Is Configuration Management?
Key Points
If you have only one computer in your environment, at home, for example, and you need to make a change such as modifying the desktop background, there are several ways to do that. Most people would probably open Personalization from Control Panel and make the change by using the Windows interface. That works well for one user, but may become tedious if you want to make the change across multiple users. Say, for example, that you want the same background for yourself and your family. You have to make the change multiple times, and then if you ever change your mind and want to change the background yet again, you have to return to each user's profile and make the change. Implementing the change and maintaining a consistent environment becomes even more difficult across multiple computers.
Configuration management is a centralized approach to applying one or more
changes to one or more users or computers. If you remember that, everything else
will be easier to understand. The key elements of configuration management are:
A centralized definition of a change, which is known as a setting. The setting
brings a user or a computer to a desired state of configuration.
A definition of the user(s) or computer(s) to whom the change applies, which
is known as the scope of the change.
A mechanism or process that ensures that the setting is applied to users and
computers within the scope, which is known as the application.

Group Policy is a framework within Windows, with components that reside in
Active Directory, on domain controllers, and on each Windows server and client,
that enables you to manage configuration in an AD DS domain. As we turn our
attention to Group Policy, which can become very complex, always remember that
everything boils down, in the end, to just these few basic elements of configuration
management.

Overview of Policies
Key Points
The most granular component of the Group Policy is an individual policy setting, also known simply as a policy that defines a specific configuration change to apply. For example, a policy setting exists that prevents a user from accessing registry-editing tools. If you define that policy setting and apply it to the user, the user will be unable to run tools such as Regedit.exe. Another policy setting is available that you can use to rename the local Administrator account. You can use this policy setting to rename the Administrator account on all user desktops and laptops.
These two examples illustrate an important point: that some policy settings affect a
user, regardless of the computer to which the user logs on, and other policy
settings affect a computer, regardless of which user logs on to that computer.
Policy settings such as the setting that prevents access to registry-editing tools are
often referred to as user configuration settings or user settings. Policy settings such
as the one that disables the Administrator account and similar settings are often
referred to as computer configuration settings or computer settings. You will also
hear these referred to as user policies and computer policies. The terminology used
in the industry is not exact.
There are various policy settings that can be managed by Group Policy, and the
framework is extensible so, in the end, you could manage just about anything with
Group Policy.
To define a policy setting, double-click it.
The policy setting Properties dialog box appears, as shown in the following
example:

A policy setting can have three states: Not Configured, Enabled, and Disabled.
In a new GPO, every policy setting is set to Not Configured. This means that the
GPO will not modify the existing configuration of that particular setting for a user
or computer. If you enable or disable a policy setting, a change will be made to the
configuration of users and computers to which the GPO is applied.
The effect of the change depends on the policy setting. For example, if you enable
the Prevent Access To Registry Editing Tools policy setting, users will be unable
to launch the Regedit.exe Registry Editor. If you disable the policy setting, you
ensure that users can launch the Registry Editor. Notice the double negative in this
policy setting: You disable a policy that prevents an action, so you allow the action.
Some policy settings bundle several configurations into one policy and might
require additional parameters. In the screenshot above, you can see that by
enabling the policy to restrict registry editing tools, you can also define whether
registry files can be merged into the system silently by using regedit /s.
Note: Many policy settings are complex, and the effect of enabling or disabling them might not
be immediately clear. Also, some policy settings affect only certain versions of Windows.
Be sure to review a policy setting's explanatory text in the Group Policy Management
Editor (GPME) detail pane or on the Explain tab in the policy setting's Properties dialog
box. In addition, always test the effects of a policy setting and its interactions with other
policy settings before deploying a change in the production environment.
You will explore policy settings and how to manage them in Lesson 3.
Group Policy Objects
Key Points
Policy settings are defined and exist within a GPO. A GPO is an object that contains
one or more policy settings and thereby applies one or more configuration settings
for a user or a computer.
GPOs can be managed in Active Directory by using the Group Policy Management
console (GPMC), shown here:

GPOs are displayed in a container named Group Policy Objects.
To create a new GPO in a domain, right-click the Group Policy Objects container,
and then click New.
To modify the configuration settings in a GPO, right-click the GPO and click Edit.
The GPO opens in the GPME snap-in, formerly known as the Group Policy Object
Editor (GPO Editor), shown here:

The GPME displays the thousands of policy settings available in a GPO in an
organized hierarchy that begins with the division between computer settings and
user settings, the Computer Configuration node and the User Configuration node.
The next levels of the hierarchy are two nodes called Policies and Preferences. You
will learn about the difference between these two nodes as this lesson progresses.
Drilling deeper into the hierarchy, you will see that the GPME displays folders,
which are also called nodes or policy setting groups. Within the folders are the
policy settings themselves. The Prevent Access To Registry Editing Tools option
is selected in the screenshot shown here.
The GPO must be applied to domain, site, or OU in the AD DS hierarchy for the
settings within the object to take effect.
You will learn how to implement and manage GPOs in Lesson 2.
GPO Scope
Key Points
Configuration is defined by policy settings in GPOs. However, the configuration
changes in a GPO do not affect computers or users in your enterprise until you
have specified the computers or users to which the GPO applies. This is called
scoping a GPO. The scope of a GPO is the collection of users and computers that
will apply the settings in the GPO.
You can use several methods to manage the scope of GPOs. The first is the GPO
link. GPOs can be linked to sites, domains, and OUs in Active Directory. The site,
domain, or OU then becomes the maximum scope of the GPO. All computers and
users within the site, domain, or OU, including those in child OUs, will be affected
by the configurations specified by the policy settings in the GPO. A single GPO can
be linked to more than one site or OU.
You can further narrow the scope of the GPO with one of two types of filters:
security filters that specify global security groups to which the GPO should or
should not apply, and Windows Management Instrumentation (WMI) filters that
specify a scope by using characteristics of a system, such as operating system
version or free disk space. Use security filters and WMI filters to narrow or specify
the scope within the initial scope created by the GPO link.
Windows Server 2008 introduced a new component of Group Policy: Group
Policy Preferences. Settings that are configured by Group Policy Preferences within
a GPO can be filtered, or targeted, based on several criteria. Targeted preferences
allow you to further refine the scope of Preferences within a single GPO.
Group Policy preferences are detailed in Lesson 4.
Group Policy Client and Client-Side Extensions
Key Points
How exactly are the policy settings applied? When Group Policy refresh begins, a
service running on all Windows systems, which is called the Group Policy Client in
Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008
R2, determines which GPOs apply to the computer or user. This service downloads
any GPOs that are not already cached. Then, a series of processes called client-side
extensions (CSEs) interpret the settings in a GPO and make appropriate changes
to the local computer or to the currently logged-on user. There are CSEs for each
major category of policy setting. For example, there is a security CSE that applies
security changes, a CSE that executes startup and logon scripts, a CSE that installs
software, and a CSE that makes changes to registry keys and values. Each version
of Windows has added CSEs to extend the functional reach of Group Policy. There
are several dozen CSEs now in Windows.
One of the more important concepts to remember about Group Policy is that it is
really client-driven. The Group Policy client pulls the GPOs from the domain,
triggering the CSEs to apply settings locally. Group Policy is not a push
technology.
In fact, the behavior of CSEs can be configured by using Group Policy. Most CSEs
will apply settings in a GPO only if that GPO has changed. This behavior improves
overall policy processing by eliminating redundant applications of the same
settings. Most policies are applied in such a way that standard users cannot change
the setting on their system; they will always be subject to the configuration
enforced by Group Policy. However, some settings can be changed by standard
users, and many can be changed if a user is an administrator on that system. If
users in your environment are administrators on their computers, consider
configuring CSEs to reapply policy settings even if the GPO has not changed. That
way, if an administrative user changes a configuration so that it is no longer
compliant with policy, the configuration will be reset to its compliant state at the
next Group Policy refresh.
Note: You can configure CSEs to reapply policy settings, even if the GPO has not changed, at
background refresh. To do so, configure a GPO scoped to computers and define the
settings in the Computer Configuration\Policies\Administrative Templates\System\
Group Policy node. For each CSE you want to configure, open its policy processing policy
setting, such as Registry Policy Processing for the Registry CSE. Click Enabled, and select
the Process even if the Group Policy objects have not changed check box.
An important exception to the default policy processing settings is settings
managed by the security CSE. Security settings are reapplied every 16 hours even if
a GPO has not changed.
Note: It is highly recommended that you enable the Always Wait For Network At Startup And
Logon policy setting for all Windows clients. Without this setting, by default, Windows
XP, Windows Vista, and Windows 7 clients perform only background refreshes; a client
might start up, and a user might log on without receiving the latest policies from the
domain. The setting is located in Computer Configuration\Policies
\Administrative Templates\System\Logon. Be sure to read the policy setting's explanatory
text. The contoso.com domain used in this course has been preconfigured with this
additional Group Policy setting.
Group Policy application is discussed in detail in Lesson 6.
Group Policy Refresh
Key Points
When are policies applied? Policy settings in the Computer Configuration node are
applied at system startup and every 90-120 minutes thereafter. User Configuration
policy settings are applied at logon and every 90-120 minutes thereafter. The
application of policies is called Group Policy refresh.
You can also force a policy refresh by using the GPUpdate command.
You will learn more about Group Policy refresh in Lesson 6.
Resultant Set of Policy
Key Points
Computers and users within the scope of a GPO will apply the policy settings
specified in the GPO. An individual user or a computer is likely to be within the
scope of multiple GPOs linked to the sites, domain, or OUs in which the user or
computer exists. This leads to the possibility that policy settings might be
configured differently in multiple GPOs. You must be able to understand and
evaluate the Resultant Set of Policy (RSoP), which determines the settings that are
applied by a client when the settings are configured divergently in more than one
GPO.
RSoP will be examined in Lesson 7.
Review the Components of Group Policy
Key Points
As discussed in previous topics, the most important components to take care of
when dealing with Group Policies are:
Setting. This represents a specific setting that is configurable in each Group
Policy object. In Windows Server 2008 R2, there are almost 3,000 different Group
Policy settings. Group Policy settings provide the meaning and purpose of Group
Policy. Settings can be enabled or disabled, but by default, they are Not
Configured. The effect of enabling or disabling a setting can sometimes be
complex to evaluate, so be sure to read the explanatory text and test all
settings before deploying them in production.
Scope. After Group Policy settings are configured, you must decide where to
apply the GPO. This is defined by scope. A GPO can be linked to a site,
domain, or OU. Within the link scope, a GPO can be filtered with security
groups or WMI filters.
Application. When planning Group Policy application, you must be aware of
refresh intervals for various types of computers. Computer settings are applied
at startup and every 90-120 minutes thereafter. User settings are applied at
logon and every 90-120 minutes thereafter.
Tools. There are several tools for managing GPOs. GPOs are managed through
the Group Policy Management console. Policy settings within a GPO are
configured by using the GPME. GPUpdate allows you to manually trigger
Group Policy refresh. RSoP tools allow you to evaluate and model the settings
that were applied by Group Policy.

Lesson 2
Implement GPOs
Now that you have a broad understanding of Group Policy and its components,
you can look closely at each component. In this section, you will examine GPOs in
detail.
Objectives
After completing this lesson, you will be able to:
Create, edit, and link GPOs.
Identify change and configuration management capabilities of Group Policy.
Configure policy settings.
Explain GPO storage, replication, and versioning.
Local GPOs
Key Points
To manage configuration for users and computers, you create GPOs that contain
the policy settings you require. Each computer has several local GPOs stored locally on
the system, known as the local GPOs, and can be within the scope of any number
of domain-based GPOs.
Computers that run Windows 2000 Server, Windows XP, and Windows Server
2003 have one local GPO each, which can manage that system's configuration. The
local GPO exists whether or not the computer is part of a domain, a workgroup, or
a non-networked environment. It is stored in
%SystemRoot%\System32\GroupPolicy. The policies in the local GPO affect only
the computer on which the GPO is stored. By default, only the Security Settings
policies are configured on a system's local GPO. All other policies are set at Not
Configured.
When a computer does not belong to an Active Directory domain, the local policy
is useful to configure and enforce configuration on that computer. However, in an
Active Directory domain, settings in GPOs that are linked to the site, domain, or
OUs will override local GPO settings and are easier to manage than GPOs on
individual computers.
Windows Vista, Windows 7, Windows Server 2008, and later systems have
multiple local GPOs. The Local Computer GPO is the same as the GPO in the
previous versions of Windows. In the Computer Configuration node, you can
configure all computer-related settings. In the User Configuration node, you can
configure settings you want to apply to all users on the computer. The user settings
in the Local Computer GPO can be modified by the user settings in two new local
GPOs: Administrators and Non-Administrators. These two GPOs apply user
settings to logged-on users according to whether they are members of the local
Administrators group (in which case they would use the Administrators GPO) or not
members of the Administrators group (in which case they use the Non-Administrators GPO). You
can further refine the user settings with a local GPO that applies to a specific user
account. User-specific local GPOs are associated with local, not domain, user
accounts.
RSoP is easy for computer settings: The Local Computer GPO is the only local
GPO that can apply computer settings. User settings in a user-specific GPO
override conflicting settings in the Administrators and Non-Administrators GPOs,
which themselves override settings in the Local Computer GPO. The concept is
simple: the more specific the local GPO, the higher the precedence of its settings.
To create and edit local GPOs:
1. Click the Start button, in the Start Search box, type mmc.exe, and then press
ENTER.
An empty Microsoft Management console (MMC) opens.
2. Click File, and then click Add/Remove Snap-in.
3. Select the Group Policy Object Editor, and then click Add.
A dialog box appears, prompting you to select the GPO to edit.
4. The Local Computer GPO is selected by default. If you want to edit another
local GPO, click the Browse button. On the Users tab, you will find the Non-
Administrators and Administrators GPOs and one GPO for each local user.
Select the GPO and click OK.
5. Click Finish, and then click OK to close each of the dialog boxes.

The Group Policy Object Editor snap-in is added, focused on the selected GPO.
Question: If domain members can be centrally managed by using domain-linked
GPOs, in which scenarios can you use local GPOs?

Domain-Based GPOs
Key Points
Domain-based GPOs are created in Active Directory and stored on domain
controllers. They are used to manage configuration centrally for users and
computers in the domain. The remainder of this course refers to domain-based
GPOs rather than local GPOs, unless otherwise specified.
When AD DS is installed, two default GPOs are created: Default Domain
Controllers Policy and Default Domain Policy.
Default Domain Policy
This GPO is linked to the domain and has no security group or WMI filters.
Therefore, it affects all users and computers in the domain, including computers
that are domain controllers. This GPO contains policy settings that specify
password, account lockout, and Kerberos policies. In Module 9, you will learn how
to modify the default settings in this GPO to align with your enterprise password
and account lockout policies. You should not add unrelated policy settings to this
GPO. If you need to configure other settings to apply broadly in your domain,
create additional GPOs linked to the domain.
Default Domain Controllers Policy
This GPO is linked to the OU of the domain controllers. Because computer
accounts for domain controllers are kept exclusively in the Domain Controllers
OU, and other computer accounts should be kept in other OUs, this GPO affects
only domain controllers. The Default Domain Controllers GPO should be modified
to implement your auditing policies, as you will see in Modules 7 through 9. It
should also be modified to assign user rights required on domain controllers.
Demonstration: Create, Link, and Edit GPOs
Key Points
To create a GPO, right-click the Group Policy Objects container, and then click
New.
You must have permission to the Group Policy Objects container to create a GPO.
By default, the Domain Admins group and the Group Policy Creator Owners group
are delegated the ability to create GPOs.
To delegate permission to create GPOs to other groups, select the Group Policy
Objects container in the GPMC console tree and then click the Delegation tab in
the console details pane.
After you have created a GPO, you can create the initial scope of the GPO by
linking it to a site, domain, or OU.
To link a GPO, right-click the site, domain, or OU, and then click Link An Existing
GPO.
You can also create and link a GPO with a single step: right-click a site, domain, or
OU, and then click Create A GPO In This Domain And Link It Here.
Note that you will not see your sites in the Sites node of the GPMC until you right-
click Sites, click Show Sites, and then select the sites you want to manage.
You must have permission to link GPOs to a site, domain, or OU. In the GPMC,
select the container in the console tree, and then click the Delegation tab in the
console details pane. From the Permission drop-down list, click Link GPOs. The
users and groups displayed hold the permission for the selected OU. Click the Add
or Remove buttons to modify the delegation.
To edit a GPO, right-click the GPO in the Group Policy Objects container and
choose Edit.
The GPO is opened in the GPME. You must have at least the Read permission to
open the GPO in this way.
To make changes to a GPO, you must have the Write permission to the GPO.
Permissions for the GPO can be set by selecting the GPO in the Group Policy
Objects container and then clicking the Delegation tab in the details pane.
The GPME will display the name of the GPO as the root node. The GPME also
displays the domain in which the GPO is defined and the server from which the
GPO was opened and to which changes will be saved. The root node is in the
GPOName [ServerName] format. In the screenshot of the GPME on an earlier page
in this module, the root node is CONTOSO Standards [SERVER01.contoso.com]
Policy. The GPO name is CONTOSO Standards, and it was opened from
SERVER01.contoso.com, meaning that the GPO is defined in the contoso.com
domain.
By default, both the GPMC and the GPME console connect to a specific domain
controller in your environment with the domain controller acting as the PDC
Emulator. In a later module, you will learn to identify and manage which domain
controller has this role.
This is done to reduce the possibility that a single GPO might be changed on two
different domain controllers, at which point during replication there would be no
way to reconcile the changes, and only one version of the entire GPO would
prevail and be replicated. Focusing the administrative tools on one domain
controller helps ensure that changes are made in one place.
However, in a large, distributed environment, the PDC Emulator may be in a
distant site, resulting in slow performance for the GPMC. You can right-click the
root node of each console and connect to a specific domain controller closer to
you. Just be cognizant of the replication issue: If you are the only one who is
editing a GPO, it is perfectly acceptable for you to do so on a local, higher
performing domain controller.
Demonstration Steps
Create a GPO
Open a GPO for editing
Link a GPO
Delegate the management of GPOs

GPO Storage
Key Points
Group Policy settings are presented as GPOs in Active Directory user interface
tools, but a GPO is actually two components: a Group Policy Container (GPC) and
a Group Policy Template (GPT).
The GPC is an Active Directory object stored in the Group Policy Objects container
within the domain-naming context of the directory. Like all Active Directory
objects, each GPC includes a globally unique identifier (GUID) attribute that
uniquely identifies the object within Active Directory. The GPC defines basic
attributes of the GPO, but it does not contain any of the settings. The settings are
contained in the GPT, a collection of files stored in the SYSVOL of each domain
controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path,
where GPOGUID is the GUID of the GPC. When you make changes to the settings
of a GPO, the changes are saved to the GPT of the server from which the GPO was
opened.
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO
only if the GPO has been updated.
The Group Policy client can identify an updated GPO by its version number. Each
GPO has a version number that is incremented each time a change is made. The
version number is stored as an attribute of the GPC and in a text file, GPT.ini, in
the GPT folder. The Group Policy client knows the version number of each GPO it
has previously applied. If, during Group Policy refresh, the Group Policy client
discovers that the version number of the GPC has been changed, the CSEs will be
informed that the GPO is updated.
GPO Replication
The two parts of a GPO are replicated between domain controllers by using
distinct mechanisms.
The GPC in Active Directory is replicated by the Directory Replication Agent (DRA)
by using a topology generated by the Knowledge Consistency Checker (KCC) that
can be defined or refined manually. You will learn more about Active Directory
Replication in Module 12. The result is that the GPC is replicated within seconds
to all domain controllers in a site and is replicated between sites based on your
intersite replication configuration. This process will also be discussed in Module
12.
The GPT in the SYSVOL is replicated by using one of the following two
technologies. The File Replication Service (FRS) is used to replicate SYSVOL in
domains running Windows Server 2008, Windows Server 2008 R2, Windows
Server 2003, and Windows 2000. If all domain controllers are running Windows
Server 2008 or newer, you can configure SYSVOL replication by using Distributed
File System Replication (DFSR), which is a much more efficient and robust
mechanism.
Because the GPC and GPT are replicated separately, it is possible for them to
become out of sync for a short time.
Typically, when this happens, the GPC will replicate to a domain controller first.
Systems that obtained their ordered list of GPOs from that domain controller will
identify the new GPC, will attempt to download the GPT, and will notice that the
version numbers are not the same. A policy processing error will be recorded in the
event logs. If the reverse happens, and the GPT replicates to a domain controller
before the GPC, clients obtaining their ordered list of GPOs from that domain
controller will not be notified of the new GPO until the GPC has replicated.
You can download from the Microsoft Download Center the Group Policy
Verification Tool, GPOTool.exe, which is part of the Windows Resource Kits. This tool
reports the status of GPOs in the domain and can identify instances in which, on a
domain controller, the GPC and the GPT do not have the same version. For more
information about GPOTool.exe, type gpotool /? at the command line.
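The GPC-versus-GPT comparison that GPOTool performs can also be scripted. The following PowerShell is an added example, not part of the course; it assumes the ActiveDirectory module (RSAT) and read access to the SYSVOL share, and the function names, the per-DC path rewrite, and the split of the version number into its computer and user halves are this example's own.

```powershell
# Added example (not from the course): compare each GPO's GPC versionNumber in
# Active Directory with the Version value in GPT.ini under SYSVOL, optionally
# against one specific domain controller's replica and SYSVOL share.
# Assumes the ActiveDirectory module (RSAT) and read access to SYSVOL.
Import-Module ActiveDirectory

function Split-GPOVersion {
    # The 32-bit GPO version packs two counters: the low 16 bits count
    # Computer Configuration changes, the high 16 bits count User Configuration changes.
    param([int64]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Read Version=<n> from the [General] section of GPT.ini in a GPT folder.
    param([string]$GptPath)
    $ini = Join-Path $GptPath 'GPT.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int64]$Matches[1] }
    }
    return $null
}

function Test-GPOVersionSync {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Domain controller whose directory replica and SYSVOL share are compared.
        # When omitted, the domain-based path in gPCFileSysPath is used as-is, which
        # DFS resolves to whichever domain controller answers.
        [string]$Server
    )
    $adParams = @{
        LDAPFilter = '(objectClass=groupPolicyContainer)'
        SearchBase = (Get-ADDomain -Identity $Domain).SystemsContainer
        Properties = 'displayName', 'versionNumber', 'gPCFileSysPath'
    }
    if ($Server) { $adParams['Server'] = $Server }

    foreach ($gpc in Get-ADObject @adParams) {
        $gptPath = $gpc.gPCFileSysPath
        if ($Server) {
            # gPCFileSysPath is \\<domain>\SysVol\...; point it at one DC's share instead.
            $gptPath = $gptPath -replace '^\\\\[^\\]+\\', "\\$Server\"
        }
        $dsVersion  = [int64]$gpc.versionNumber
        $gptVersion = Get-GptIniVersion -GptPath $gptPath
        $ds = Split-GPOVersion -Version $dsVersion
        if ($null -ne $gptVersion) {
            $gpt = Split-GPOVersion -Version $gptVersion
            $sysvolComputer = $gpt.Computer
            $sysvolUser     = $gpt.User
        } else {
            # GPC replicated before the GPT (or GPT.ini unreadable): the case the
            # course describes as a policy processing error on the client.
            $sysvolComputer = 'missing'
            $sysvolUser     = 'missing'
        }

        [pscustomobject]@{
            DisplayName    = $gpc.displayName
            Guid           = $gpc.Name
            DSComputer     = $ds.Computer
            SysvolComputer = $sysvolComputer
            DSUser         = $ds.User
            SysvolUser     = $sysvolUser
            InSync         = ($null -ne $gptVersion) -and ($dsVersion -eq $gptVersion)
        }
    }
}

# Usage: list GPOs whose GPC and GPT disagree on the lab domain controller NYC-DC1.
Test-GPOVersionSync -Server 'NYC-DC1' | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Run it against each domain controller in turn to see which replica is behind; a GPO that is out of sync everywhere points at the GPT itself rather than at replication lag.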
Demonstration: Exploring Group Policy Settings
Key Points
Group Policy settings, also known as policies, are contained in a GPO and are
viewed and modified by using the GPME. In this demonstration, you will look
more closely at the categories of settings available in a GPO.
Computer Configuration and User Configuration
There are two major divisions of policy settings: computer settings, contained in
the Computer Configuration node and user settings, contained in the User
Configuration node.
The Computer Configuration node contains the settings that are applied to
computers, regardless of who logs on to them. Computer settings are applied
when the operating system starts and during background refresh every 90-
120 minutes thereafter.
The User Configuration node contains settings that are applied when a user
logs on to the computer and during background refresh every 90-120 minutes
thereafter.
Within the Computer Configuration and User Configuration nodes are the Policies
and Preferences nodes. Policies are settings that are configured and behave
similarly to the policy settings in the earlier versions of Windows. Preferences are
introduced in Windows Server 2008. The following sections examine these nodes.
Within the Policies nodes within Computer Configuration and User Configuration
are a hierarchy of folders containing policy settings. Because there are thousands of
settings, it is beyond the scope of the exam and of this course to examine
individual settings. It is worthwhile, however, to define the broad categories of
settings in the folders.
Software Settings Node
The Software Settings node is the first node. It contains only the Software
Installation extension. This extension helps you specify how applications are
installed and maintained within your organization. It provides a place for
independent software vendors to add settings. Software deployment with Group
Policy is discussed in Module 7.
Windows Settings Node
In both Computer Configuration and User Configuration nodes, the Policies node
contains a Windows Settings node, which includes the Scripts, Security Settings,
and Policy-Based QoS nodes.
The Scripts extension enables you to specify two types of scripts,
startup/shutdown (in the Computer Configuration node) and logon/logoff (in the
User Configuration node). Startup/shutdown scripts run at computer startup or
shutdown. Logon/logoff scripts run when a user logs on or off. When you assign
multiple logon/logoff or startup/shutdown scripts to a user or computer, the
Scripts CSE executes the scripts from top to bottom. You can determine the order
of execution for multiple scripts in the Properties dialog box. When a computer is
shut down, the CSE first processes logoff scripts, followed by shutdown scripts. By
default, the timeout value for processing scripts is 10 minutes. If the logoff and
shutdown scripts require more than 10 minutes to process, you must adjust the
timeout value with a policy setting. You can use any ActiveX scripting language to
write scripts. Some possibilities include Microsoft Visual Basic Scripting Edition
(VBScript), Microsoft JScript, Perl, and Microsoft MS-DOS-style batch files (.bat
and .cmd). Logon scripts on a shared network directory in another forest are
supported for network logon across forests.
The Security Settings node allows a security administrator to configure security by
using GPOs. This can be done after, or instead of, using a security template to set
system security. For a detailed discussion of system security and the Security
Settings node, refer to Module 7.
The Policy-Based QoS node defines policies that manage network traffic. For
example, you might want to ensure that users in the Finance department have
priority for running a critical network application during the end-of-year financial
reporting period. The Policy-Based QoS node enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the
additional Remote Installation Services, Folder Redirection, and Internet Explorer
Maintenance nodes. Remote Installation Services (RIS) policies control the
behavior of a remote operating system installation. Folder Redirection enables you
to redirect user data and settings folders such as AppData, Desktop, Documents,
Pictures, Music, and Favorites from their default user profile location to an
alternate location on the network, where they can be centrally managed. Internet
Explorer Maintenance enables you to administer and customize Microsoft Internet
Explorer.
Administrative Templates Node
In the Computer Configuration and User Configuration nodes, the Administrative
Templates node contains registry-based Group Policy settings. There are thousands
of such settings available for configuring the user and computer environment. As
an administrator, you might spend a significant amount of time manipulating these
settings. To assist you with the settings, a description of each policy setting is
available in two locations:
On the Explain tab in the Properties dialog box for the setting. In addition,
the Settings tab in the Properties dialog box for each setting also lists the
required operating system or software for the setting.
On the Extended tab of the GPME. The Extended tab appears on the lower
right of the details pane and provides a description of each selected setting in a
column between the console tree and the settings pane. The required
operating system or software for each setting is also listed.

The Administrative Templates node is discussed in detail later in this module.

BETA COURSEWARE EXPIRES 4/18/2011

Implementing a Group Policy Infrastructure 6-35
Lab A: Implement Group Policy
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Start 6425C-NYC-CL1. Do not log on to the client computer until directed to
do so.
Lab Scenario
You are responsible for managing change and configuration at Contoso, Ltd.
According to the corporate IT security policies at Contoso, Ltd, computers cannot
be left unattended and logged on to for more than 10 minutes. You will therefore
configure the screen-saver timeout and password-protected screen-saver policy
settings. Additionally, you will lock down access to registry editing tools.
Exercise 1: Create, Edit, and Link Group Policy Objects
In this exercise, you will create a GPO that implements a setting mandated by the
corporate security policy of Contoso, Ltd and scope the setting to all users and
computers in the domain. You will then examine the effect of the GPO. You can
also explore other settings that are made available within a GPO.
The main tasks for this exercise are as follows:
1. Create a GPO.
2. Edit the settings of a GPO.
3. Scope a GPO with a GPO link.
4. View the effects of Group Policy application.
5. Explore GPO settings.


Task 1: Create a GPO
1. On NYC-DC1, run Group Policy Management as an administrator, with the
user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a Group Policy Object named CONTOSO Standards in the Group
Policy Objects container.

Task 2: Edit the settings of a GPO
1. Edit the CONTOSO Standards GPO.
2. Navigate to the User Configuration, Policies, Administrative Templates,
System folder.
3. Prevent users from running Registry Editor and regedit /s.
4. Navigate to the User Configuration, Policies, Administrative Templates,
Control Panel, Personalization folder.
5. Examine the explanatory text for the Screen saver timeout policy setting.
6. Configure the Screen saver timeout policy to 600 seconds.
7. Enable the Password protect the screen saver policy setting.

Task 3: Scope a GPO with a GPO link
Link the CONTOSO Standards GPO to the contoso.com domain.

Task 4: View the effects of Group Policy application
1. Log on to NYC-CL1 as Pat.Coleman.
2. Attempt to change the screen saver wait time and resume settings. You are
prevented from doing so by Group Policy.
3. Attempt to run Registry Editor. You are prevented from doing so by Group
Policy.

Task 5: Explore GPO settings
On NYC-DC1, edit the CONTOSO Standards GPO and spend time exploring
the settings that are available in a GPO. Do not make any changes.

Results: In this exercise, you created a GPO named CONTOSO Standards that configures
the password-protected screen saver, the screen-saver timeout, and the registry editing
tool restriction.
Note: Do not shut down the virtual machines after you are finished with this lab because the
settings you have configured here will be used in subsequent labs.
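The same exercise can be driven from the command line. The script below is an added example, not part of the course labs: it carries out Tasks 1 to 4 with the GroupPolicy module that ships with the Windows Server 2008 R2 GPMC feature, using the lab's GPO name and domain. It assumes you run it in an elevated PowerShell session on NYC-DC1 as Pat.Coleman_Admin; the registry paths are the ones the Administrative Templates policies write, as described later in this lesson.

```powershell
# Added example (not course material): Lab A, Exercise 1 with the GroupPolicy module.
Import-Module GroupPolicy

$gpoName  = 'CONTOSO Standards'
$domainDN = 'DC=contoso,DC=com'

# Task 1: create the GPO in the Group Policy Objects container (idempotent).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Contoso corporate standard policies'
}

# Task 2, step 3: Prevent access to registry editing tools.
# The policy writes DisableRegistryTools (REG_DWORD) under the user Policies\System key;
# 2 also blocks "regedit /s", 1 blocks only the interactive editor.
$systemKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'DisableRegistryTools' `
    -Type DWord -Value 2 | Out-Null

# Task 2, steps 6-7: 600-second timeout and password protection. Both are REG_SZ
# values under the managed Policies key, not under the user's own Control Panel\Desktop.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaveTimeOut' `
    -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' `
    -Type String -Value '1' | Out-Null

# Task 3: link the GPO to the domain so it is in scope for every user in contoso.com.
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# Read the values back out of the GPO's registry.pol to confirm what will be delivered.
Get-GPRegistryValue -Name $gpoName -Key $desktopKey | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $gpoName -Key $systemKey  | Select-Object ValueName, Type, Value

# Task 4 (run on NYC-CL1 as Pat.Coleman after "gpupdate /target:user /force"):
#   Get-ItemProperty "HKCU:\$systemKey"  -Name DisableRegistryTools
#   Get-ItemProperty "HKCU:\$desktopKey" -Name ScreenSaveTimeOut, ScreenSaverIsSecure
# Caveat: DisableRegistryTools stops regedit.exe only. reg.exe and the PowerShell
# registry provider are not affected, which is why the course points to Run Only
# Specified Windows Applications or Software Restriction Policies for a real lockdown.
```

Because the values land in the HKCU Policies keys, they are managed settings: Windows removes them at the next refresh if the link is disabled or the GPO is deleted, exactly as Lesson 3 describes.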
Lab Review Questions
Question: Which policy settings are already being deployed by using Group Policy
in your organization?
Question: Which policy settings did you discover that you might want to
implement in your organization?
Lesson 3
Deeper Look at Settings and GPOs
In Lessons 1 and 2, you learned enough fundamentals to implement Group Policy
in an AD DS domain. However, to really master Group Policy and manage Group
Policy in a real-world, complex enterprise, you must understand settings, GPOs,
and management of Group Policy in detail.
Objectives
After completing this lesson, you will be able to:
Understand the differences between policies, preferences, and managed and
unmanaged settings.
Create the central store for administrative templates.
Document GPO and policy settings by using comments.
Search for specific policy settings in a GPO.
Create a GPO from a Starter GPO.
Back up a GPO.
Create a GPO with settings from a backed up GPO.

Registry Policies in the Administrative Templates Node
Key Points
In the Administrative Templates node, you will find several settings that allow you
to control many aspects of Windows.
Given here is the Properties dialog box for the Prevent Access To Registry
Editing Tools policy setting.

If this setting is enabled and the user tries to start a registry editor, a message
appears, explaining that a setting prevents the action.
Note: To prevent users from using other administrative tools, use the Run Only Specified
Windows Applications setting or use Software Restriction Policies, which are beyond
the scope of this course.
Policies in the Administrative Templates node make changes to the registry.
Settings provided in the Computer Configuration node will modify registry values
in the HKEY_LOCAL_MACHINE (HKLM) key on the machine where Group
Policy is applied. Settings in the Administrative Templates node in the User
Configuration node modify registry values in the HKEY_CURRENT_USER
(HKCU) key.
In the case of this policy setting, the following registry value is modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
If you choose to restrict Regedit from running silently, that value (a REG_DWORD) is
set to 2. If you choose to restrict only the Registry Editor UI tool, the value is set to
1. Disabling the policy writes 0, and setting it to Not Configured removes the value.

Managed Settings, Unmanaged Settings, and Preferences
Key Points
There is a nuance to the registry policy settings configured by the Administrative
Templates node that is important to understand: the difference between managed
and unmanaged policy settings.
A managed policy setting has the following characteristics:
The user interface (UI) is locked, so a user cannot change the setting. Managed
policy settings result in the appropriate UI being disabled. For example, if you
configure the Screen saver timeout policy setting, a user cannot change the
timeout delay.
Changes are made in one of four keys in the registry reserved for managed
policy settings:
HKLM\Software\Policies (computer settings)
HKCU\Software\Policies (user settings)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
(computer settings)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user
settings)
These keys are secured so that only administrators can make a change.
Together with UI lockout, this means that nonadministrative users will receive
the change specified by the policy setting and cannot modify the setting on
their computer.
Changes made by a Group Policy setting and the UI lockout are released if the
user or computer falls out of scope of the GPO. For example, if you delete a
GPO, managed policy settings that had applied to a user will be released: the
policy value is removed from the Policies key, so the setting reverts to the user's
own preference (which is stored outside the Policies keys and was never
overwritten) or to the Windows default. Additionally, the UI for the setting is
enabled again.

The registry policy settings that have been discussed so far and that are
encountered in the practices of this topic are examples of managed policy settings.
A managed policy setting effects a configuration change when the setting is applied
by a GPO. When the user or computer is no longer within the scope of the GPO,
the configuration is released automatically.
For example, if a GPO prevents access to registry editing tools and then the GPO is
deleted, disabled, or scoped so that it no longer applies to users, those users will
regain access to registry-editing tools at the next policy refresh. This is the default
behavior of Windows, unless you have implemented a restriction at some other
level.
In contrast, an unmanaged policy setting makes a change that is persistent in the
registry. If the GPO no longer applies, the setting remains. This is often called
"tattooing" the registry, in other words, making a permanent change. To reverse the
effect of the policy setting, you must deploy a change that reverts the configuration
to the desired state. Additionally, an unmanaged policy setting does not lock the
UI for that setting.
By default, the GPME hides unmanaged policy settings to discourage you from
implementing a configuration that is difficult to revert. However, you can make
many useful changes with unmanaged policy settings, particularly for custom
administrative templates to manage configuration for applications.
To control which policy settings are visible, right-click Administrative Templates
and click Filter Options, and then select from the Managed drop-down list.
Later in this module, you will work with Group Policy Preferences. When a change
is made by a preference, the change is not forced, but rather recommended.
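A quick way to see the managed/unmanaged distinction on a machine is to dump the four managed roots and look at who may write to them. The script below is an added example, not course material: it walks the four keys named above, lists every value (anything Group Policy wrote there is managed and will be removed when the GPO falls out of scope; anything a template wrote outside these roots stays and "tattoos"), and then prints the ACL that stops standard users undoing the change. It assumes nothing beyond a Windows PowerShell session on the client.

```powershell
# Added example (not course material): audit the four registry roots reserved for managed settings.
$managedKeys = @(
    'HKLM:\Software\Policies',
    'HKCU:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-ManagedPolicyValue {
    # Emits one object per registry value found under each root (recursively).
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Name  = $name
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Everything listed here came from policy (or from an administrator), never from the user.
Get-ManagedPolicyValue -Roots $managedKeys |
    Sort-Object Key, Name |
    Format-Table Key, Name, Type, Value -AutoSize

# The lockout is enforced by ACL, not by the UI: Users hold Read only on the Policies
# roots, Administrators and SYSTEM hold Full Control. Compare with the user's own
# preference key (HKCU:\Control Panel\Desktop), which the user can write freely.
foreach ($root in 'HKLM:\Software\Policies', 'HKCU:\Software\Policies') {
    "`n$root"
    (Get-Acl $root).Access |
        Where-Object { $_.IdentityReference -match 'Users$|Administrators$|SYSTEM$' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it as the user you are troubleshooting: a screen-saver timeout that survives removal of the GPO but does not appear under any of these roots is a tattooed (unmanaged) setting and has to be reverted by deploying the opposite value, as the text describes.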

Administrative Templates
Key Points
The Administrative Templates nodes are called Administrative Templates because
the settings that the nodes contain are derived from files called administrative
templates.
An administrative template is a text file that specifies the registry change to be
made and that generates the user interface to configure the Administrative
Templates policy settings in the GPME. The screen shot here shows the properties
dialog box for the Prevent Access To Registry Editing Tools policy setting.

The fact that the setting exists and that it provides a drop-down list with which to
disable Regedit.exe from running silently is determined in an administrative
template. The registry setting that is made based on how you configure the policy
is also defined in the administrative template.
Some software vendors provide administrative templates as a mechanism to
manage the configuration of their application centrally. For example, you can
obtain administrative templates for all recent versions of Microsoft Office from the
Microsoft Downloads Center. You can also create your own custom administrative
templates. A tutorial on creating custom administrative templates is beyond the
scope of this course.
.ADM Files
In versions of Windows prior to Windows Vista, an administrative template had an
.ADM extension. .ADM files have several drawbacks. First, all localization must be
performed within the .ADM file. That is, if you want to create an .ADM file to help
deploy configuration in a multilingual organization, you would need separate
.ADM files for each language to provide a user interface for administrators who
speak that language. If you were to decide later to make a modification related to
the registry settings managed by the templates, you would need to make the
change to each .ADM file.
The second problem with .ADM files is the way they are stored. An .ADM file is
stored as part of the GPT in the SYSVOL. If an .ADM file is used in multiple GPOs,
it is stored multiple times, contributing to SYSVOL bloat. There were also
challenges maintaining version control over .ADM files.
To add classic administrative templates to the GPME, right-click the
Administrative Templates node and then click Add/Remove Templates.
.ADMX/.ADML Files
In Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008
R2, an administrative template is a pair of XML files, one with an .ADMX extension
that specifies changes to be made to the registry and the other with an .ADML
extension that provides a language-specific user interface in the GPME. When
changes need to be made to settings managed by the administrative template, they
can be made to the single .ADMX file. Any administrator who modifies a GPO that
uses the template accesses the same .ADMX file and calls the appropriate .ADML
file to populate the user interface.
To add .ADMX/.ADML administrative templates to the GPME, copy the .ADMX file
into the %SystemRoot%\PolicyDefinitions folder on your client or in the central
store. Copy the .ADML file into the language- and region-specific subfolder, such
as en-us, of %SystemRoot%\PolicyDefinitions on your client or in the central store.
The central store will be discussed in the next topic.
No Need to Take Sides
.ADM and .ADMX/.ADML administrative templates can coexist. Settings generated
by .ADM files will appear under the Administrative Templates node in a node
labeled Classic Administrative Templates (ADM).
Migrate Classic Administrative Templates to .ADMX
The ADMX Migrator enables you to convert ADM files to the ADMX format. For
more information, see:
ADMX Migrator
http://go.microsoft.com/fwlink/?LinkId=99466
ADMX Migrator download (Blog)
http://go.microsoft.com/fwlink/?LinkId=113124



Central Store
Key Points
As was previously stated, .ADM files are stored as part of the GPO itself in the GPT.
When you edit a GPO that uses administrative templates in the .ADM format, the
GPME loads the .ADM from the GPT to produce the user interface. When
.ADMX/.ADML files are used as administrative templates, the GPO contains only
the data that the client needs for processing Group Policy, and when you edit the
GPO, the GPME pulls the .ADMX and .ADML files from the local workstation.
This works well for smaller organizations, but for complex environments that
include custom administrative templates or that require more centralized control,
Windows Server 2008 introduces Central Store. Central Store is a single folder in
SYSVOL that holds all the .ADMX and .ADML files that are required. After you
have set up Central Store, the GPME recognizes it and loads all administrative
templates from Central Store instead of from the local machine.
To create a central store:
1. Create a folder called PolicyDefinitions in the
\\FQDN\SYSVOL\FQDN\Policies path.
For example, the central store for the contoso.com domain would be:
\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
If you log on to a domain controller, locally or by using Remote Desktop, the
local path to the PolicyDefinitions folder is:
%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions
2. Copy all .ADMX files from the %SystemRoot%\PolicyDefinitions folder of a
Windows Server 2008 system to the new SYSVOL PolicyDefinitions folder.
3. Copy the .ADML files from the appropriate language-specific subfolder of
%SystemRoot%\PolicyDefinitions into the language-specific subfolder of the
new SYSVOL PolicyDefinitions folder.
For example, English (United States) .ADML files are located in
%SystemRoot%\PolicyDefinitions\en-us. Copy them into
\\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\en-us.
4. If additional languages are required, copy the folder that contains the .ADML
files to the central store.

When you have copied all .ADMX and .ADML files, the PolicyDefinitions folder on
the domain controller should contain the .ADMX files and one or more folders
containing language-specific .ADML files.
Note: You can use the Central Store in a mixed environment with clients and servers running
operating systems earlier than Windows Vista and Windows Server 2008. However, you
must use a Windows Vista, Windows Server 2008, or later to manage Group Policy. That
is, your administrative workstation must be running a version of Windows that is able to
work with the Central Store. The GPOs you create can be applied to previous versions of
Windows.
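The four steps above as one script. This is an added example, not part of the course: it builds the central store for contoso.com from the PolicyDefinitions folder of the machine it runs on, copies a file only when the target is missing or older (so re-running it after a Windows update does not overwrite newer templates with older ones), and then checks that every .ADMX has its .ADML in each language folder, because a template without its language file makes the GPME report an error when it loads the store. The domain name is the only assumption; run it as a domain administrator.

```powershell
# Added example (not course material): create or refresh the central store.
$domain  = 'contoso.com'
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function Copy-IfNewer {
    # Copies $From to $To when the target is missing or older than the source.
    param([string]$From, [string]$To)
    $target = Get-Item $To -ErrorAction SilentlyContinue
    if (-not $target -or $target.LastWriteTimeUtc -lt (Get-Item $From).LastWriteTimeUtc) {
        Copy-Item $From $To -Force
        return $true
    }
    return $false
}

# Step 1: the PolicyDefinitions folder under <domain>\Policies in SYSVOL.
if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }

$copied = 0
# Step 2: language-neutral .ADMX files go in the root of the central store.
foreach ($admx in Get-ChildItem $source -Filter *.admx) {
    if (Copy-IfNewer $admx.FullName (Join-Path $central $admx.Name)) { $copied++ }
}
# Steps 3 and 4: each language folder (en-US, de-DE, ...) carries its .ADML files.
foreach ($langDir in Get-ChildItem $source | Where-Object { $_.PSIsContainer }) {
    $dest = Join-Path $central $langDir.Name
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
    foreach ($adml in Get-ChildItem $langDir.FullName -Filter *.adml) {
        if (Copy-IfNewer $adml.FullName (Join-Path $dest $adml.Name)) { $copied++ }
    }
}
"$copied file(s) copied to $central"

# Consistency check: an .ADMX with no matching .ADML in a language folder is reported
# by the GPME as a resource error for that template, so flag it now.
foreach ($langDir in Get-ChildItem $central | Where-Object { $_.PSIsContainer }) {
    foreach ($admx in Get-ChildItem $central -Filter *.admx) {
        $adml = Join-Path $langDir.FullName ($admx.BaseName + '.adml')
        if (-not (Test-Path $adml)) { Write-Warning "Missing language file: $adml" }
    }
}
```

Because the store lives in SYSVOL, it replicates to every domain controller with the rest of the Policies folder; write to it through the domain DNS name, as above, rather than to one DC's local path, and keep the source machine at the newest Windows version you manage so its templates are a superset of what older clients need.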

Demonstration: Work with Settings and GPOs
Key Points
Group Policy editing tools in Windows Server 2008 R2 provide several new
functionalities that ease configuration and management of GPOs. In this
demonstration, we will review these options.
Filter Administrative Template Policy Settings
A weakness of the Group Policy editing tools in previous versions of Windows is
the inability to search for a specific policy setting. With thousands of policies to
choose from, it can be difficult to locate exactly the setting you want to configure.
The new GPME in Windows Server 2008 solves this problem for Administrative
Template settings: you can now create filters to locate specific policy settings.
To create a filter:
1. Right-click Administrative Templates and click Filter Options.
2. To locate a specific policy, select the Enable keyword filters check box, enter
the words with which to filter, and select the fields within which to search. The
screen shot here shows an example of a search for policy settings related to the
screen saver.


In the top section of the Filter Options dialog box shown, you can filter the view
to show only policy settings that are configured. This can help you locate and
modify settings that are already specified in the GPO.
You can also filter for Group Policy settings that apply to specific versions of
Windows, Internet Explorer, and other Windows components.
Unfortunately, the filter only applies to settings in the Administrative Templates
nodes.
Comments
You can also search and filter based on policy-setting comments. Windows Server
2008 enables you to add comments to policy settings in the Administrative
Templates node. To do so, double-click a policy setting and click the Comment
tab.
It is a best practice to add comments to configured policy settings to document the
justification for a setting and its intended effect. You should also add comments to
the GPO itself. Windows Server 2008 enables you to attach comments to a GPO. In
the GPME, right-click the root node in the console tree, click Properties, and then
click the Comment tab.
Starter GPOs
Another new Group Policy feature in Windows Server 2008 is starter GPOs. A
starter GPO contains Administrative Template settings. You can create a new GPO
from a starter GPO, in which case the new GPO is prepopulated with a copy of the
settings in the starter GPO. A starter GPO is, in effect, a template. When you create
a new GPO, you can still choose to begin with a blank GPO, or you can select one
of the preexisting starter GPOs or a custom starter GPO.
After you have created a GPO from a starter GPO, there is no link to the starter
GPO. Changes to the starter GPO do not affect the GPOs that were previously
created from the starter GPO.
Other Ways to Copy GPO Settings
Starter GPOs can contain only Administrative Templates policy settings. There are
two other ways to copy settings from one GPO into another new GPO.
You can copy and paste entire GPOs in the Group Policy Objects container of
the GPMC so that you have a new GPO with all settings of the source GPO.
To transfer settings between GPOs in different domains or forests, right-click a
GPO and click Back Up. In the target domain, create a new GPO, right-click it,
and click Import Settings. You will be able to import the settings of the
backed up GPO.
Manage GPOs and Their Settings
Key Points
When you right-click a GPO in the GPMC, a list of useful management commands
appears.
Copy. You can copy a GPO and then right-click the Group Policy Objects
container and select Paste to create a copy of the GPO. This is useful when you
want to create a new GPO in the same domain and to start with the same
settings as an existing GPO. It is also useful to copy a GPO into another
domain, for example, between a test domain and a production domain. To
copy a GPO between domains, add the target trusted domain to the GPMC.
You must have permission to create GPOs in the target domain. When you
paste a GPO, you are given the option to copy the access control list (ACL)
from the original GPO, which preserves the security filtering, or to use the
default ACL for new GPOs in the target domain.
Back Up. As with any critical data, it is important to back up GPOs. Because a
GPO consists of several files, objects, permissions, and links, managing the
backup and restore of GPOs is quite difficult. Luckily, the Back Up command
pulls all of those pieces into a single place and makes restore a simple task.
Restore from Backup. Restore an entire GPO, including its files, objects,
permissions, and links into the same domain in which the GPO originally
existed.
Import Settings. Import only the settings from a backed up GPO. Although
this option does not import permissions or links, it can be useful for
transferring GPOs between nontrusted domains that cannot use copy and
paste. If a GPO includes potentially domain-specific settings, including the
UNC paths or names of security groups, you will be prompted as to whether
you want to import those settings exactly as they were backed up or to use a
migration table that maps source to destination names.
Save Report. Use this to save an HTML report of the GPO settings.
Delete.
Rename.
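The Back Up, Save Report and Import Settings commands above, and the cross-domain transfer described under Other Ways to Copy GPO Settings, all have GroupPolicy module equivalents. The script below is an added example, not course material: it backs up every GPO in the domain with an HTML report beside each backup, shows a same-domain restore, and then imports the settings of one backup into a GPO in a second domain through a migration table that rewrites a UNC path and a group name. The backup path, the target domain fabrikam.com and the mapped names are assumptions; the migration table format is the one the GPMC Migration Table Editor writes.

```powershell
# Added example (not course material): back up, report on, restore and import GPOs.
Import-Module GroupPolicy

$backupRoot = Join-Path 'D:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Back Up + Save Report: one backup (named by backup GUID) per GPO, with a readable
# HTML report next to it so the contents can be reviewed without the GPMC.
foreach ($gpo in Get-GPO -All) {
    $backup = Backup-GPO -Guid $gpo.Id -Path $backupRoot -Comment "Backup of $($gpo.DisplayName)"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $backupRoot "$($gpo.DisplayName).html")
    '{0,-40} backup {1}' -f $gpo.DisplayName, $backup.Id
}

# Restore from Backup: same domain, restores settings, permissions and links from the
# most recent backup of that GPO found under the path.
# Restore-GPO -Name 'CONTOSO Standards' -Path $backupRoot

# Import Settings: settings only, no links or permissions, into another domain.
# Domain-specific names in the source are rewritten by the migration table.
$migTable = Join-Path $backupRoot 'contoso-to-fabrikam.migtable'
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\contoso.com\Scripts</Source>
    <Destination>\\fabrikam.com\Scripts</Destination>
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>CONTOSO\Finance</Source>
    <Destination>FABRIKAM\Finance</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding Unicode

Import-GPO -BackupGpoName 'CONTOSO Standards' -Path $backupRoot `
    -TargetName 'CONTOSO Standards' -Domain 'fabrikam.com' -CreateIfNeeded `
    -MigrationTable $migTable
```

Treat the backup folder as sensitive: a GPO backup contains every setting, script reference and security filter in the GPO, which is exactly the reconnaissance an attacker wants, so restrict it with the same care as SYSVOL itself.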



Lab B: Manage Settings and GPOs
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You were recently hired as the domain administrator for Contoso, Ltd, replacing
the previous administrator, who retired. You are not certain what policy settings
have been configured, so you decide to locate and document GPOs and policy
settings. You also discover that the company has not leveraged either the
functionality or the manageability of administrative templates.
Exercise 1: Use Filtering and Commenting
In this exercise, you will use the new commenting and filtering features of Group
Policy to locate and document policy settings.
The main tasks for this exercise are as follows:
1. Search and filter policy settings.
2. Document GPOs and settings with comments.

Task 1: Search and filter policy settings
1. If necessary, open the GPMC and then edit the CONTOSO Standards GPO.
2. In the User Configuration\Policies\Administrative Templates folder, filter
the view to show only policy settings that contain the phrase screen saver.
Spend a few moments examining those settings.
3. Filter the view to show only configured policy settings. Spend a few moments
examining those settings.
4. Turn off the filter from Administrative Templates.

Task 2: Document GPOs and settings with comments
1. Edit the CONTOSO Standards GPO and add the following comment to the
GPO: Contoso corporate standard policies. Settings are scoped to all users and
computers in the domain. Person responsible for this GPO: your name.
This comment appears on the Details tab of the GPO in the GPMC.
2. Add the following comment to the Screen saver timeout policy setting:
Corporate IT Security Policy implemented with this policy in combination
with Password Protect the Screen Saver.
3. Add the following comment to the Password protect the screen saver policy
setting: Corporate IT Security Policy implemented with this policy in
combination with Screen Saver Timeout.

Results: In this exercise, you added comments to your Group Policy object and
settings.

Exercise 2: Manage Administrative Templates
Administrative templates provide the instructions with which the GPME creates a
user interface to configure Administrative Templates policy settings and specify the
registry changes that must be made based on those policy settings. In this exercise,
you will examine and manage administrative templates. You will also create a
central store of administrative templates to centralize the management of
templates.
The main tasks for this exercise are as follows:
1. Explore the syntax of an administrative template.
2. Manage classic administrative templates (.ADM files).
3. Manage .ADMX and .ADML files.
4. Create the central store.

Task 1: Explore the syntax of an administrative template
1. On NYC-DC1, click Start, then click Run, then type
%SystemRoot%\PolicyDefinitions and press ENTER. The PolicyDefinitions
folder opens.
2. Open the en-US folder or the folder for your region and language.
3. Double-click ControlPanelDisplay.adml.
4. Choose the Select a program from a list of installed programs option and
click OK.
5. Select Notepad and click OK.
6. Click the Format menu and select Word wrap.
7. Search for the text ScreenSaverIsSecure.
This is a definition of a string variable called ScreenSaverIsSecure.
8. Note the text between the <string> and </string> tags.
9. Note the name of the variable on the following line,
ScreenSaverIsSecure_Help, and the text between the <string> and </string>
tags.
10. Close the file.
11. Navigate up to the PolicyDefinitions folder.
12. Double-click ControlPanelDisplay.admx.
13. Choose the Select a program from a list of installed programs option and
click OK.
14. Select Notepad and click OK.
15. Search for the text, ScreenSaverIsSecure.
16. Examine the code in the file, also shown below:
<policy name="ScreenSaverIsSecure" class="User"
        displayName="$(string.ScreenSaverIsSecure)"
        explainText="$(string.ScreenSaverIsSecure_Help)"
        key="Software\Policies\Microsoft\Windows\Control Panel\Desktop"
        valueName="ScreenSaverIsSecure">
  <parentCategory ref="Display" />
  <supportedOn ref="windows:SUPPORTED_Win2kSP1" />
  <enabledValue>
    <string>1</string>
  </enabledValue>
  <disabledValue>
    <string>0</string>
  </disabledValue>
</policy>
17. Identify the parts of the template that define the following:
The name of the policy setting that appears in the GPME
The explanatory text for the policy setting
The registry key and value affected by the policy setting
The data put into the registry if the policy is enabled
The data put into the registry if the policy is disabled
18. Close the file, and then close Windows Explorer.
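The relationship you just traced by hand (ADMX supplies key, value name and data; ADML supplies the strings) can be automated, which is useful in the reverse direction during an incident: given a registry value found on a machine, which policy setting wrote it? The function below is an added example, not course material. It parses every .ADMX in a PolicyDefinitions folder, matches on the valueName attribute, resolves the $(string.…) reference against the matching .ADML, and reports the enabled/disabled data; policies such as Prevent Access To Registry Editing Tools, which define their values inside an elements block instead of enabledValue, are reported as such. The folder and language default to the local machine's en-US templates.

```powershell
# Added example (not course material): map a registry value name back to its ADMX policy.
function Get-AdmxValueText {
    # enabledValue/disabledValue hold <string>1</string> or <decimal value="1" />.
    param($Node)
    if (-not $Node) { return '(defined in <elements>)' }
    if ($Node.HasAttribute('value')) { return $Node.GetAttribute('value') }
    return $Node.InnerText
}

function Find-AdmxPolicyByValueName {
    param(
        [Parameter(Mandatory = $true)][string]$ValueName,
        [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Language = 'en-US'
    )
    foreach ($admxFile in Get-ChildItem $PolicyDefinitions -Filter *.admx) {
        $admx = New-Object System.Xml.XmlDocument
        $admx.Load($admxFile.FullName)

        # Load the language file's <string id="..."> table, as the GPME does for its UI.
        $strings  = @{}
        $admlPath = Join-Path (Join-Path $PolicyDefinitions $Language) ($admxFile.BaseName + '.adml')
        if (Test-Path $admlPath) {
            $adml = New-Object System.Xml.XmlDocument
            $adml.Load($admlPath)
            foreach ($s in $adml.GetElementsByTagName('string')) {
                $strings[$s.GetAttribute('id')] = $s.InnerText
            }
        }

        foreach ($policy in $admx.GetElementsByTagName('policy')) {
            if ($policy.GetAttribute('valueName') -ne $ValueName) { continue }
            # displayName="$(string.Name)" -> look up Name in the ADML table.
            $ref   = $policy.GetAttribute('displayName') -replace '^\$\(string\.(.+)\)$', '$1'
            $title = if ($strings.ContainsKey($ref)) { $strings[$ref] } else { $ref }
            $enabledNode  = $policy.SelectSingleNode('*[local-name()="enabledValue"]/*')
            $disabledNode = $policy.SelectSingleNode('*[local-name()="disabledValue"]/*')
            New-Object PSObject -Property @{
                Template    = $admxFile.Name
                Policy      = $policy.GetAttribute('name')
                Class       = $policy.GetAttribute('class')
                DisplayName = $title
                Key         = $policy.GetAttribute('key')
                ValueName   = $ValueName
                Enabled     = Get-AdmxValueText $enabledNode
                Disabled    = Get-AdmxValueText $disabledNode
            }
        }
    }
}

# The two settings used in this module's labs.
Find-AdmxPolicyByValueName -ValueName 'ScreenSaverIsSecure'  | Format-List
Find-AdmxPolicyByValueName -ValueName 'DisableRegistryTools' | Format-List
```

Point the PolicyDefinitions parameter at the central store path to search the templates the GPME actually loads, including vendor templates such as the Office files added in Task 3.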

Task 2: Manage classic administrative templates (.ADM files)
1. Open the GPME and, in the User Configuration\Policies\Administrative
Templates folder, add the office12.adm template from
D:\Labfiles\Lab06b\Office 2007 Administrative Templates.
Classic administrative templates (.ADM files) are provided primarily for
enterprises that do not manage Group Policy with Windows Vista or Windows
Server 2008 or newer operating systems.
You should use a computer running the most recent version of Windows to
manage Group Policy. By doing so, you will be able to view and modify all
available policy settings, including those that apply to previous versions of
Windows. If you have at least one computer running Windows Vista,
Windows Server 2008, or later, you should use that computer to manage
Group Policy, and then you will not need classic administrative templates
(.ADM files) when .ADMX/.ADML files are available.
Note that the template format affects only the management of Group Policy.
Settings will apply to versions of Windows as described in the Supported on
or Requirements section of the policy setting properties.
2. Examine the settings in this administrative template.
3. Remove the template.

Task 3: Manage .ADMX and .ADML files
Copy all .ADMX files and the en-us subfolder (or the appropriate subfolder for
your language and region) from D:\Labfiles\Lab06b\Office 2007
Administrative Templates to %SystemRoot%\PolicyDefinitions. When you
paste the files, you will be prompted for administrative credentials. Use the
user name Pat.Coleman_Admin and the password Pa$$w0rd.
Close and then reopen the GPME for CONTOSO Standards. In the console
tree, expand User Configuration\Policies\Administrative Templates. Note
the addition of Microsoft Office 2007 policy setting folders.

Task 4: Create the central store
1. In the GPME, select the Administrative Templates node under User
Configuration\Policies, and note the heading in the details pane reports:
Policy definitions (ADMX files) retrieved from the local machine.
2. Close the GPME.
3. Copy all .ADMX files from %systemroot%\PolicyDefinitions to
\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions.
4. Copy all .ADML files from %systemroot%\PolicyDefinitions\en-us (or the
appropriate folder for your language and region) to
\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-us
(or the appropriate folder for your language and region).
5. Edit the CONTOSO Standards GPO and, in the GPME, select the
Administrative Templates node under User Configuration\Policies, and
note the heading in the details pane reports: Policy definitions (ADMX files)
retrieved from the central store.
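The same copy done from a PowerShell prompt instead of Windows Explorer, as an added example that is not part of the course lab: it creates the central store, copies the .ADMX files and one language subfolder from this computer's PolicyDefinitions folder, and then checks that every .ADMX has its matching .ADML. It assumes a domain-joined management computer and an account that can write to SYSVOL (the lab uses Pat.Coleman_Admin); the contoso.com paths are the ones given in the lab.

```powershell
# Added example (not part of the course lab): build the Group Policy central store
# for contoso.com from this computer's local PolicyDefinitions folder.
# Assumes a domain-joined management computer and an account that can write to
# SYSVOL; the paths are the ones used in Task 3 and Task 4 of the lab.
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
$culture = 'en-US'   # use the subfolder for your language and region

# Create the store and its language subfolder if they do not exist yet. Once the
# PolicyDefinitions folder exists in SYSVOL, the GPME stops reading the local
# machine's templates and reports "retrieved from the central store".
foreach ($dir in @($central, (Join-Path $central $culture))) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
    }
}

# Copy the language-neutral .ADMX files, then the matching .ADML language files.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
Copy-Item -Path (Join-Path $source "$culture\*.adml") `
          -Destination (Join-Path $central $culture) -Force

# Verify the store is consistent: an .ADMX without an .ADML for the editor's
# language makes the GPME report an error for that template instead of its settings.
$admx = @(Get-ChildItem -LiteralPath $central -Filter '*.admx' |
          ForEach-Object { $_.BaseName })
$adml = @(Get-ChildItem -LiteralPath (Join-Path $central $culture) -Filter '*.adml' |
          ForEach-Object { $_.BaseName })
$missing = @($admx | Where-Object { $adml -notcontains $_ })
"{0} .ADMX files in the central store; {1} lack an {2} .ADML" -f $admx.Count, $missing.Count, $culture
$missing
```

Because SYSVOL is replicated to every domain controller, a write to the central store reaches every administrator's GPME in the domain; restrict write access to the PolicyDefinitions folder to the administrators who are meant to publish templates, and treat a template that appears there unexpectedly as something to investigate.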

Results: In this exercise, you created a central store of administrative templates and
added the Microsoft Office 2007 templates.

Note: Do not shut down the virtual machines after you are finished with this lab because the
settings you have configured here will be used in subsequent labs.

Lab Review Questions
Question: Describe the relationship between administrative template files (both
.ADMX and .ADML files) and the GPME.
Question: When does an enterprise get a central store? What benefits does it
provide?
Question: What are the advantages of managing Group Policy from a client
running the latest version of Windows? Do the settings you manage apply to
previous versions of Windows?

Lesson 4
Group Policy Preferences
In the previous versions of Windows Server, many common settings, such as
mapped drives, that affect the user and computer environment could not be
delivered through ordinary Group Policy settings. These settings were usually
delivered through logon scripts or imaging solutions. Windows Server 2008 and
Windows Server 2008 R2 include the new built-in feature called Group Policy
Preferences in the GPMC. Group Policy Preferences enable IT professionals to
configure, deploy, and manage many common operating system and application
settings that they previously were not able to manage by using Group Policy.
Objectives
After completing this lesson, you will be able to:
Describe Group Policy Preferences.
Describe the differences between Group Policy settings and Group Policy
Preferences.
Configure and deploy Group Policy Preferences.

What Are Group Policy Preferences?
Key Points
Group Policy Preferences are a new feature in the Windows Server 2008 and
Windows Server 2008 R2 operating systems, and they include more than 20 new
Group Policy extensions that expand the range of configurable settings within a
GPO. In contrast to policy settings, you allow the users to change preferences after
you've deployed the Group Policy Preferences.
Benefits of Group Policy Preferences
Group Policy preferences provide the following benefits:
Reduces the need for logon scripts. Although preferences might not eliminate
the need for logon scripts, it significantly reduces their need. The most
common tasks performed by logon scripts are installing printers, mapping
network drives, configuring registry settings, and copying files and folders.
You can accomplish these tasks by using preferences.
Limits configuration errors. Configuration errors during and after deployment
are often the reason for support calls and escalations that lead to higher
deployment costs. Group Policy preferences significantly help reduce these
costs.
Minimizes image maintenance. Using Group Policy preferences, you can
significantly reduce the time and cost of maintaining disk images. Instead of
updating images to reflect configuration changes, you can deploy a generic
image and update Group Policy preferences.

Deploying Group Policy Preferences
Group Policy preferences do not require you to install any services on servers. By
default, Windows Server 2008 includes Group Policy Preferences as part of the
GPME. Group Policy Preferences can be deployed in a Windows Server 2003
environment by installing Remote Server Administration Tools (RSAT) on a
computer running Windows Vista SP1 or Windows 7.
Although you do not have to install any services to create GPOs that contain Group
Policy Preferences, you must deploy the Group Policy Preferences CSE to any
client computer to which you want to deploy preferences. The CSE is available as a
separate download from Microsoft. It supports the following Windows versions:
Windows XP SP2
Windows Vista
Windows Server 2003 SP1
Windows Server 2008 and Windows Server 2008 R2 already include the CSE.
You must use the new version of the GPME to configure preferences. This new
version is part of the RSAT that can be installed on Windows Server 2008,
Windows Vista, and newer operating systems.
Features of Group Policy Preferences
Preferences support a number of features that settings do not. Most Group Policy
Preferences extensions support the following actions for each preference item:
Create. Create a new item on the targeted computer.
Delete. Remove an existing item from the targeted computer.
Replace. Delete and re-create an item on the targeted computer. The result is
that Group Policy preferences replace all existing settings and files associated
with the preference item.
Update. Modify an existing item on the targeted computer.
Every Group Policy Preference item has a Common tab that you can use to
configure additional options that control the behavior of the item. The following
list describes the options.
Stop processing items in this extension if an error occurs. By default, errors do
not prevent Group Policy Preferences from processing the remaining preference
items in the same extension. If you want preferences to stop processing additional
items when an error occurs, enable this option.
Run in logged-on user's security context. By default, Group Policy preferences
process preference items by using the local System account. As a result, these
items can only access system environment variables and local resources. To
access user environment variables and network resources, including network
drives, you must enable this option to process the item by using the logged-on
user's account.
Remove this item when it is no longer applied. Unlike policy settings, Group
Policy does not remove preferences when the GPO is removed from the user or
the computer. Choosing this option changes the default behavior: the preference
item is removed when the GPO is removed from the user or the computer.
Apply once and do not reapply. By default, Group Policy refreshes preference
items during the regular refresh interval. As a result, Group Policy restores
preference items at each refresh, even though users are allowed to change the
settings the items create. Enable this option to apply the item only once.
Item-level targeting. Targeting determines to which users and computers a
preference item applies. Enable this option, and then click the Targeting button
to configure targeting items for the preference item.

Targeting Control
Item-level targeting determines the users and computers to which Group Policy
applies individual preference items within a GPO. You can target different
preference items within a single GPO at computers based on different criteria. You
can use logical operators to join criteria. For example, you can apply a preference if
the computer matches a specific IP address range and operating system version.

Differences Between Group Policy Preferences and Settings
Key Points
The key difference between preferences and policy settings is enforcement. Group
Policy strictly enforces policy settings. Organizations typically deploy two types of
settings, managed and unmanaged. Managed settings are policy settings that you
enforce. Unmanaged settings are preferences. In contrast to policy settings, you
allow users to change preferences after you have deployed them.
The following table describes the differences between policies and preferences.
Preferences: Preferences are not enforced.
Policies: Settings are enforced.
Preferences: User interface is not disabled.
Policies: User interface is disabled.
Preferences: Import individual registry settings or entire registry branches from a
local or a remote computer.
Policies: Cannot create policy settings to manage files, folders, and so on.
Preferences: Not available in local Group Policy.
Policies: Available in local Group Policy.
Preferences: Supports non-Group Policy-aware applications.
Policies: Requires Group Policy-aware applications.
Preferences: Original settings are overwritten.
Policies: Original settings are not changed.
Preferences: Removing the preference item does not restore the original setting.
Policies: Removing the policy setting restores the original settings.
Preferences: Targeting is granular with a user interface for each type of targeting
item.
Policies: Filtering is based on Windows Management Instrumentation (WMI) and
requires writing WMI queries.
Preferences: Supports targeting at the individual preference item level.
Policies: Supports filtering at a GPO level.

When choosing whether to deploy an item by using Group Policy settings or
preferences, the most important factor you must consider is whether you want to
enforce the setting. To configure a setting without enforcing it, use preferences.
The next factor to consider is whether the application or feature is Group Policy
aware. To enforce items for which no policy setting is available, you can deploy
them as preference items and then disable the Apply Once And Do Not Reapply
option in the configuration of the setting.


Demonstration: Configure Group Policy Preferences
Key Points
In this demonstration, your instructor will show you how to configure some Group
Policy Preferences.
Demonstration Steps
Add a shortcut to Notepad for NYC-CL1.
Add a folder named Reports to all computers running Windows Server 2008
R2.


Lab C: Manage Group Policy Preferences
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You were recently hired as the domain administrator for Contoso, Ltd. To simplify
Group Policy management, which includes eliminating the need for logon scripts
to map drives, you need to deploy several Group Policy Preferences settings that
will allow for more flexibility for corporate users.

Exercise 1: Configure Group Policy Preferences
The main tasks for this exercise are:
1. Add a shortcut to Notepad on the desktop of NYC-DC1.
2. Create a new folder named Reports on the C: drive of all computers running
Windows Server 2008.
3. Configure drive mapping.
Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1
1. On 6425C-NYC-DC1, in the Group Policy Management window, configure the
Default Domain Policy GPO with the following settings:
Under Computer Configuration, Preferences, Windows Settings, right-
click Shortcuts, point to New, and then click Shortcut.
In the New Shortcut Properties dialog box, create a shortcut for
Notepad.exe in the All Users Desktop location.
On the Common tab, configure item-level targeting for the computer
NYC-DC1.
2. Leave the Group Policy Management Editor window open for the next task.

Task 2: Create a new folder named Reports on drive C: of all
computers running Windows Server 2008
1. In the Group Policy Management Editor window, under Windows Settings,
right-click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, create the C:\Reports folder.
3. On the Common tab, configure item-level targeting for the Windows Server
2008 R2 operating system.
4. Leave the Group Policy Management Editor window open for the next task.
Task 3: Configure drive mapping
1. In the Group Policy Management Editor window, under User Configuration,
Preferences, Windows Settings, Drive Maps, right-click Drive Maps, point to
New, and then click Mapped Drive.
2. Create a new mapped drive labeled Data for \\NYC-DC1\Data by using the
drive letter P and select the Reconnect option.


Exercise 2: Verify Group Policy Preferences Application
The main tasks for this exercise are:
1. Verify that the preferences have been applied.

Task 1: Verify that the preferences have been applied
1. On NYC-DC1, log off, and then log on again as Contoso\Pat.Coleman.
2. Verify that drive P is mapped to the Data share on NYC-DC1.
3. Verify that the C:\Reports folder exists.
Note: It may take a few moments for this folder to appear.
Note: Do not shut down the virtual machines after you are finished with this lab because the settings
you have configured here will be used in the subsequent labs.


Result: In this exercise, you configured and tested Group Policy Preferences and
verified their application.


Lab Review Questions
1. Question: What is the alternate method of providing drive mapping to users,
instead of using Preferences?
2. Question: If you apply a Group Policy preferences setting, can you change this
setting on the client side?


Lesson 5
Manage Group Policy Scope
A GPO is, by itself, a collection of configuration instructions that will be processed
by the CSEs of computers. Until the GPO is scoped, it does not apply to any users
or computers. The GPO's scope determines the CSEs of which computers will
receive and process the GPO, and only the computers or users within the scope of a
GPO will apply the settings in that GPO. In this lesson, you will learn to manage
the scope of a GPO. The following mechanisms are used to scope a GPO:
The GPO link to a site, domain, or OU and whether that link is enabled
The Enforce option of a GPO
The Block Inheritance option on an OU
Security group filtering
WMI filtering
Policy node enabling or disabling
Preferences targeting
Loopback policy processing

You must be able to define the users or computers to which configuration is
deployed, and therefore, you must master the art of scoping GPOs. In this lesson,
you will learn each of the mechanisms with which you can scope a GPO and, in the
process, you will master the concepts of Group Policy application, inheritance, and
precedence.
Objectives
After completing this lesson, you will be able to:
Manage GPO links.
Identify the relationship between OU structure and GPO application.
Evaluate GPO inheritance and precedence.
Understand the Block Inheritance and Enforced link options.
Apply security filtering to narrow the scope of a GPO.
Apply a WMI filter to a GPO.
Target Group Policy preferences.
Identify best practices for scoping Group Policy.


GPO Links
Key Points
A GPO can be linked to one or more Active Directory sites, domains, or OUs. After
a policy is linked to a site, domain, or OU, the computers and users in that
container are within the scope of the GPO, including computers and users in child
OUs.
As you learned in Lesson 1, you can link a GPO to the domain, site or to an OU.
To link a GPO, right-click the domain or OU in the GPMC console tree, and then
click Link an Existing GPO. If you have not yet created a GPO, click Create A GPO
In This {Domain | OU | Site} And Link It Here.
You can choose the same commands to link a GPO to a site, but by default, your
Active Directory sites are not visible in the GPMC.
To show sites in the GPMC, right-click Sites in the GPMC console tree and choose
Show Sites.
Note: A GPO linked to a site affects all computers in the site without regard to the domain to
which the computers belong (as long as all computers belong to the same Active
Directory forest). Therefore, when you link a GPO to a site, that GPO can be applied to
multiple domains within a forest. Site-linked GPOs are stored on domain controllers in
the domain in which the GPO was created. Therefore, domain controllers for that domain
must be accessible for site-linked GPOs to be applied correctly. If you implement site-
linked policies, you must consider policy application when planning your network
infrastructure. Either place a domain controller from the GPO's domain in the site to
which the policy is linked, or ensure that wide area network (WAN) connectivity
provides accessibility to a domain controller in the GPO's domain.
When you link a GPO to a site, domain, or OU, you define the initial scope of the
GPO. Select a GPO and click the Scope tab to identify the containers to which the
GPO is linked. In the details pane of the GPMC, the GPO links are displayed in the
first section of the Scope tab, as seen here:

The impact of the GPO's links is that the Group Policy Client downloads the GPO
if either the computer or the user objects fall within the scope of the link. The GPO
will be downloaded only if it is new or updated. The Group Policy Client caches
the GPO to make policy refresh more efficient.
Link a GPO to Multiple OUs
You can link a GPO to more than one site or OU. It is common, for example, to
apply configuration to computers in several OUs. You can define the configuration
in a single GPO and link that GPO to each OU. If you later change settings in the
GPO, your changes will apply to all OUs to which the GPO is linked.
Delete or Disable a GPO Link
After you have linked a GPO, the GPO link appears in the GPMC underneath the
site, domain, or OU. The icon for the GPO link has a small shortcut arrow. When
you right-click the GPO link, a context menu appears, as shown here:

To delete a GPO link, right-click the GPO link in the GPMC console tree and then
click Delete.
Deleting a GPO link does not delete the GPO itself, which remains in that GPO
container. Deleting the link does change the scope of the GPO so that it no longer
applies to computers and users within a site, domain, or OU to which it was
previously linked.
You can also modify a GPO link by disabling it.
To disable a GPO link, right-click the GPO link in the GPMC console tree and then
deselect the Link Enabled option.
Disabling the link also changes the GPO scope so that it no longer applies to
computers and users within that container. However, the link remains so that it
can be easily re-enabled.
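The link operations described above, as an added example that is not part of the course: it links one GPO to several OUs, then disables one link and deletes another, using the GroupPolicy module cmdlets that ship with Windows Server 2008 R2 and RSAT. The GPO name is the lab's CONTOSO Standards GPO; the OU distinguished names are assumptions for the contoso.com lab domain.

```powershell
# Added example (not from the course): link, disable, and remove GPO links with
# the GroupPolicy module. Assumes the module is installed (Windows Server 2008 R2
# or RSAT) and that the two OUs exist in contoso.com; their DNs are assumptions.
Import-Module GroupPolicy

$gpoName = 'CONTOSO Standards'
$targets = @(
    'OU=People,DC=contoso,DC=com',
    'OU=Clients,DC=contoso,DC=com'
)

# One GPO, several links: each OU receives the same configuration, and a later
# edit of the GPO changes it for every linked OU at once. New-GPLink fails if the
# link already exists, which is the safe behaviour for a script.
foreach ($ou in $targets) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# Disabling a link leaves it in place for easy re-enabling but takes the OU out of
# the GPO's scope; deleting a link removes only the link, never the GPO itself,
# which stays in the Group Policy Objects container.
Set-GPLink    -Name $gpoName -Target $targets[0] -LinkEnabled No | Out-Null
Remove-GPLink -Name $gpoName -Target $targets[1] | Out-Null

# Check the result without the GPMC: list the GPOs linked directly to each OU with
# their enabled state. People should show the link disabled; Clients should show
# no link to CONTOSO Standards at all.
foreach ($ou in $targets) {
    "Links on $ou"
    foreach ($link in (Get-GPInheritance -Target $ou).GpoLinks) {
        "  order={0} enabled={1} enforced={2}  {3}" -f $link.Order, $link.Enabled, $link.Enforced, $link.DisplayName
    }
}
```

A disabled link and a deleted link look the same to the client (the GPO no longer applies), but only the disabled one is visible in the GPMC and in the GpoLinks list above, which is why the listing is worth keeping in change records: a link that silently disappears from a security-relevant OU is easy to miss otherwise.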
GPO Inheritance and Precedence
Key Points
A policy setting can be configured in more than one GPO, and GPOs can be in
conflict with one another. For example, a policy setting can be enabled in one
GPO, disabled in another GPO, and not configured in a third GPO. In this case, the
precedence of the GPOs determines which policy setting the client applies. A GPO
with higher precedence prevails over a GPO with lower precedence. Precedence is
shown as a number in the GPMC. The smaller the number, that is, the closer to 1,
the higher the precedence, so a GPO with a precedence of 1 will prevail over other
GPOs. Select the domain or OU and then click the Group Policy Inheritance tab
to view the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with higher precedence, the
configured setting takes effect. However, remember that policy settings are set to
Not Configured by default. If a policy setting is not configured in a GPO with
higher precedence, the policy setting (either enabled or disabled) in a GPO with
lower precedence will take effect.
A site, domain, or OU can have more than one GPO linked to it. The link order of
GPOs determines the precedence of GPOs in such a scenario. GPOs with a higher

link order take precedence over GPOs with a lower link order. When you select an
OU in the GPMC, the Linked Group Policy Objects tab shows the link order of
GPOs linked to that OU.
The default behavior of Group Policy is that GPOs linked to a higher-level
container are inherited by lower-level containers. When a computer starts up or a
user logs on, the Group Policy Client examines the location of the computer or
user object in Active Directory and evaluates the GPOs with scopes that include the
computer or user. Then, the client-side extensions apply policy settings from these
GPOs. Policies are applied sequentially, beginning with the policies linked to the
site, followed by those linked to the domain, followed by those linked to OUs
from the top-level OU down to the OU in which the user or computer object exists.
It is a layered application of settings, so a GPO that is applied later in the process,
because it has higher precedence, overrides settings applied earlier in the process.
Group Policy Processing Order
The sequential application of GPOs creates an effect called policy inheritance.
Policies are inherited, so the resultant set of group policies for a user or computer
will be the cumulative effect of site, domain, and OU policies.
By default, inherited GPOs have lower precedence than GPOs linked directly to the
container. For example, you might configure a policy setting to disable the use of
registry-editing tools for all users in the domain by configuring the policy setting in
a GPO linked to the domain. That GPO, and its policy setting, is inherited by all
users within the domain. However, you probably want administrators to be able to
use registry-editing tools, so you will link a GPO to the OU that contains
administrators' accounts and configure the policy setting to allow the use of
registry-editing tools. Because the GPO linked to the administrators OU takes
higher precedence than the inherited GPO, administrators will be able to use
registry-editing tools. The following figure illustrates Group Policy inheritance:

Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. If there are
multiple GPOs, the object's link order determines their precedence. In the
following figure, two GPOs are linked to the People OU:

The object higher on the list, with a link order of 1, has the highest precedence.
Therefore, settings that are enabled or disabled in the Power User Configuration
GPO have precedence over the same settings in the Standard User Configuration
GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrows to change the
link order of the selected GPO.

Block Inheritance
A domain or OU can be configured to prevent the inheritance of policy settings.
To block inheritance, right-click the domain or OU in the GPMC console tree and
select Block Inheritance.
The Block Inheritance option is a property of a domain or OU, so it blocks all
Group Policy settings from GPOs linked to parents in the Group Policy hierarchy.
When you block inheritance on an OU, for example, GPO application begins with
any GPOs linked directly to that OU. GPOs linked to higher-level OUs, the
domain, or the site will not apply.
The Block Inheritance option should be used sparingly. Blocking inheritance
makes it more difficult to evaluate Group Policy precedence and inheritance. In a
later topic, you will learn how to scope a GPO so that it applies to only a subset of
objects, or so that it is prevented from applying to a subset of objects. With security
group filtering, you can carefully scope a GPO so that it applies to only the correct
users and computers in the first place, making it unnecessary to use the Block
Inheritance option.
Enforce a GPO Link
In addition, a GPO link can be set to Enforced.
To enforce a GPO link, right-click the GPO link in the console tree and choose
Enforced from the context menu.
When a GPO link is set to Enforced, the GPO takes the highest level of
precedence; policy settings in that GPO will prevail over any conflicting policy
settings in other GPOs. In addition, a link that is enforced will apply to child
containers even when those containers are set to Block Inheritance. The Enforced
option therefore causes the policy to apply to all objects within its scope, overriding
any conflicting policies regardless of whether a Block Inheritance option is set.
In the figure on the following page, Block Inheritance has been applied to the
Business OU. As a result, GPO D, which is applied to the domain, is blocked and
does not apply when a user from the Employees OU logs on to a computer in the
Clients OU. However, the Security GPO, GPO S, linked to the domain with the
Enforced option, does apply. In fact, it is applied last in the processing order,
meaning that its settings will override those of GPOs B, C, and E.
When you configure a GPO that defines configuration mandated by your corporate
IT security and usage policies, you want to ensure that those settings are not
overridden by other GPOs. You can do this by enforcing the link of the GPO. The
figure here shows just this scenario:

Configuration mandated by corporate policies is deployed in the CONTOSO
Corporate IT Security & Usage GPO, which is linked with an enforced link to the
Contoso.com domain. The icon for the GPO link has a padlock on it, the visual
indicator of an enforced link. On the People OU, the Group Policy Inheritance tab
shows that the GPO takes precedence even over the GPOs linked to the People OU
itself.
Evaluating Precedence
To facilitate evaluation of GPO precedence, you can simply select an OU (or
domain) and click the Group Policy Inheritance tab. This tab will display the
resulting precedence of GPOs, accounting for GPO link, link order, inheritance
blocking, and link enforcement. This tab does not account for policies that are
linked to a site, nor does it account for GPO security or WMI filtering.
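The link-order, Block Inheritance, and Enforced controls from this lesson applied from PowerShell, as an added example that is not part of the course, followed by the same precedence read-back the Group Policy Inheritance tab gives. It uses the GroupPolicy module (Windows Server 2008 R2 or RSAT); the GPO names are the ones in this lesson's figures, and the OU distinguished names are assumptions for the contoso.com lab domain.

```powershell
# Added example (not from the course): set link order, block inheritance, enforce
# a baseline GPO, and evaluate the resulting precedence with the GroupPolicy
# module. GPO names come from this lesson's figures and are assumed to be linked
# already; the OU distinguished names are assumptions for contoso.com.
Import-Module GroupPolicy

$domainDN   = 'DC=contoso,DC=com'
$baseline   = 'CONTOSO Corporate IT Security & Usage'
$peopleOU   = 'OU=People,DC=contoso,DC=com'
$businessOU = 'OU=Business,DC=contoso,DC=com'

# Link order: the GPO at order 1 wins a conflict with the GPO at order 2, so the
# Power User settings prevail over the Standard User settings on the People OU.
Set-GPLink -Name 'Power User Configuration'    -Target $peopleOU -Order 1 | Out-Null
Set-GPLink -Name 'Standard User Configuration' -Target $peopleOU -Order 2 | Out-Null

# Block Inheritance on the Business OU: GPOs linked to the domain (or the site) no
# longer flow down to Business or its child OUs, unless their link is enforced.
Set-GPInheritance -Target $businessOU -IsBlocked Yes | Out-Null

# Enforce only the security baseline. An enforced link is processed last, so its
# settings override conflicting settings in lower GPOs, and it passes through the
# block above; leaving everything else unenforced keeps precedence easy to evaluate.
Set-GPLink -Name $baseline -Target $domainDN -Enforced Yes | Out-Null

# Evaluate what the Business OU now receives. This is the same view as the Group
# Policy Inheritance tab: it honours link order, blocking and enforcement, but not
# site links or security/WMI filtering, so confirm on a client with gpresult /r.
$inh = Get-GPInheritance -Target $businessOU
"{0}: inheritance blocked = {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$rank = 0
foreach ($link in $inh.InheritedGpoLinks) {   # listed in precedence order, 1 = highest
    $rank++
    "{0,2}. {1,-42} enforced={2,-5} linked at {3}" -f $rank, $link.DisplayName, $link.Enforced, $link.Target
}
```

Expect the enforced baseline to appear first on the Business OU even though inheritance is blocked there, with the GPOs linked directly to Business after it and no other domain-linked GPO at all. Keeping only the security baseline enforced, and blocking only where a written exception justifies it, is what makes this read-back meaningful: once several links are enforced or several OUs are blocked, the tab (and this listing) is the only reliable way to tell which GPO wins.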


Use Security Filtering to Modify GPO Scope
Key Points
By now, you've learned that you can link a GPO to a site, domain, or OU. However,
you might need to apply GPOs only to certain groups of users or computers rather
than to all users or computers within the scope of the GPO. Although you cannot
directly link a GPO to a security group, there is a way to apply GPOs to specific
security groups. The policies in a GPO apply only to users who have Allow Read
and Allow Apply Group Policy permissions to the GPO.
Each GPO has an ACL that defines permissions to the GPO. Two permissions,
Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a
user or computer. For example, if a GPO is scoped to a computer by its link to the
computers OU, but the computer does not have Read and Apply Group Policy
permissions, it will not download and apply the GPO. Therefore, by setting the
appropriate permissions for security groups, you can filter a GPO so that its
settings apply only to the computers and users you specify.
By default, Authenticated Users are given the Allow Apply Group Policy permission
on each new GPO. This means that by default, all users and computers are affected
by the GPOs set for their domain, site, or OU, regardless of the other groups in
which they might be members. Therefore, there are two ways of filtering GPO
scope:
Remove the Apply Group Policy permission (currently set to Allow) for the
Authenticated Users group but do not set this permission to Deny. Then,
determine the groups to which the GPO should be applied and set the Read
and Apply Group Policy permissions for these groups to Allow.
Determine the groups to which the GPO should not be applied and set the
Apply Group Policy permission for these groups to Deny. If you deny the
Apply Group Policy permission to a GPO, the user or computer will not apply
settings in the GPO, even if the user or computer is a member of another
group that is allowed the Apply Group Policy Permission.

Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. In the Security Filtering section, select the Authenticated Users group and
click Remove.
Note: GPOs can be filtered only with global security groups, not with domain local security
groups.
3. Click OK to confirm the change.
4. Click Add.
5. Select the group to which you want the policy to apply and click OK.

The result will look similar to the figure shown here: the Authenticated Users
group is not listed, and the specific group to which the policy should apply is
listed.

Filtering a GPO to Exclude Specific Groups
The Scope tab of a GPO does not allow you to exclude specific groups. To exclude
a group (that is, to deny the Apply Group Policy permission), you must use the
Delegation tab.
To deny a group the Apply Group Policy permission:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. Click the Delegation tab.
3. Click the Advanced button.
The Security Settings dialog box appears.
4. Click the Add button.
5. Select the group you want to exclude from the GPO. Remember, it must be a
global group. GPO scope cannot be filtered by domain local groups.
6. Click OK.
The group you selected is given the Allow Read permission by default.
7. Clear the Allow Read permission check box.
8. Select the Deny Apply Group Policy check box.
The figure here shows an example that denies the Help Desk group the Apply
group policy permission and, therefore, excludes the group from the scope of
the GPO.
9. Click OK.
You are warned that Deny permissions override other permissions.
Because Deny permissions override Allow permissions, it is recommended that
you use them sparingly. Microsoft Windows reminds you of this best practice
with the warning message. The process to exclude groups with the Deny Apply
Group Policy permission is far more laborious than the process required to
include groups in the Security Filtering section of the Scope tab.
10. Confirm that you want to continue.
Important! Deny permissions are not exposed on the Scope tab. Unfortunately, when you
exclude a group, the exclusion is not shown in the Security Filtering section of the Scope
tab. This is yet one more reason to use Deny permissions sparingly.
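The permission logic behind both filtering methods, as an added example (not Microsoft's code): an ACL is modelled as a list of access control entries, a principal by the groups it belongs to, and the group names used are constructed for the lab scenario.

```python
"""Model of how the Read and Apply Group Policy permissions decide whether a
GPO applies to a user or computer.  Added example; group names are constructed."""
from typing import List, NamedTuple, Set


class ACE(NamedTuple):
    trustee: str      # security group named on the GPO's ACL
    permission: str   # READ or APPLY
    allow: bool       # False means Deny


READ, APPLY = "Read", "Apply Group Policy"


def gpo_applies(acl: List[ACE], member_of: Set[str]) -> bool:
    """True only if the principal is allowed both Read and Apply Group Policy
    through some group it belongs to, and is denied neither through any group
    it belongs to: a Deny on either permission overrides every Allow."""
    relevant = [ace for ace in acl if ace.trustee in member_of]
    for needed in (READ, APPLY):
        if any(ace.permission == needed and not ace.allow for ace in relevant):
            return False
        if not any(ace.permission == needed and ace.allow for ace in relevant):
            return False
    return True


def default_acl() -> List[ACE]:
    """What every new GPO grants: Authenticated Users may Read and Apply."""
    return [ACE("Authenticated Users", READ, True), ACE("Authenticated Users", APPLY, True)]


def filter_to_group(acl: List[ACE], group: str) -> List[ACE]:
    """Method 1 (Scope tab): remove Authenticated Users from Security Filtering,
    which removes its Read and Apply entries rather than denying them, then add
    the group with Allow Read and Allow Apply Group Policy."""
    kept = [ace for ace in acl if ace.trustee != "Authenticated Users"]
    return kept + [ACE(group, READ, True), ACE(group, APPLY, True)]


def exclude_group(acl: List[ACE], group: str) -> List[ACE]:
    """Method 2 (Delegation tab): Deny Apply Group Policy for the group; the
    default Allow Read that the dialog pre-selects is cleared, so it is not added."""
    return acl + [ACE(group, APPLY, False)]
```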

WMI Filters
Key Points
WMI is a management infrastructure technology that enables administrators to
monitor and control managed objects in the network. A WMI query is capable of
filtering systems based on characteristics, including RAM, processor speed, disk
capacity, IP address, operating system version and service pack level, installed
applications, and printer properties. Because WMI exposes almost every property
of every object within a computer, the list of attributes that can be used in a WMI
query is virtually unlimited. WMI queries are written by using WMI Query
Language (WQL).
You can use a WMI query to create a WMI filter, with which a GPO can be filtered.
A good way to understand the purpose of a WMI filter, both for the certification
exams and for real-world implementation, is through examples. Group Policy can
be used to deploy software applications and service packs, a capability that is
discussed in Module 7. You might create a GPO to deploy an application and then
use a WMI filter to specify that the policy should apply only to computers with a
certain operating system and service pack (Windows XP SP3, for example). The
WMI query to identify such systems is:
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
When the Group Policy Client evaluates GPOs it has downloaded to determine
which should be handed off to the CSEs for processing, it performs the query
against the local system. If the system meets the criteria of the query, the query
result is a logical True, and the CSEs process the GPO.
WMI exposes namespaces, within which are classes that can be queried. Many
useful classes, including Win32_OperatingSystem, are found in the namespace
root\CIMv2.
To create a WMI filter:
1. Right-click the WMI Filters node in the GPMC console tree, and then click
New.
Type a name and description for the filter, and then click the Add button.
2. In the Namespace box, type the namespace for your query.
3. In the Query box, enter the query.
4. Click OK.

To filter a GPO with a WMI filter:
1. Select the GPO or GPO link in the console tree.
2. Click the Scope tab.
3. Click the WMI drop-down list, and select the WMI filter.

A GPO can be filtered by only one WMI filter, but that WMI filter can be a complex
query that uses multiple criteria. A single WMI filter can be linked to, and thereby
used to filter, one or more GPOs. The General tab of a WMI filter, shown in the
figure here, displays the GPOs that use the WMI filter:

There are three significant caveats regarding WMI filters.
First, the WQL syntax of WMI queries can be challenging to master. You can
often find examples on the Internet when you search by using the keywords
WMI filter and WMI query, along with a description of the query you want to
create.
Second, WMI filters are expensive in terms of Group Policy processing
performance. Because the Group Policy Client must perform the WMI query at
each policy processing interval, there is a slight impact on system performance
every 90 to 120 minutes. With the performance of today's computers, the impact
might not be noticeable, but you should certainly test the effects of a WMI
filter prior to deploying it widely in your production environment.
Note that the WMI query is processed only one time, even if it is used to filter
the scope of multiple GPOs.
Third, WMI filters are not processed by computers running Windows 2000
Server. If a GPO is filtered with a WMI filter, a Windows 2000 Server system
ignores the filter and processes the GPO as if the results of the filter were True.
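The decision the Group Policy client makes with a WMI filter, as an added example (not Microsoft's code or a real WQL engine): a small evaluator for the filter syntax used above, extended beyond the page's query to OR, <>/!= and parentheses, run against constructed Win32_OperatingSystem values, and the Windows 2000 caveat that an unsupported filter counts as True.

```python
import re
from typing import Dict, List, Tuple

# Token kinds: ("str", literal), ("op", operator) or ("id", identifier/keyword)
Token = Tuple[str, str]
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\(|\)|<>|!=|=)|([A-Za-z_]\w*))')


def tokenize(clause: str) -> List[Token]:
    """Split a WHERE clause into quoted literals, operators and identifiers."""
    tokens, pos, clause = [], 0, clause.strip()
    while pos < len(clause):
        m = _TOKEN.match(clause, pos)
        if not m:
            raise ValueError(f"unsupported WQL near {clause[pos:pos + 20]!r}")
        lit, op, ident = m.groups()
        tokens.append(("str", lit) if lit is not None else ("op", op) if op else ("id", ident))
        pos = m.end()
    return tokens


class WQLFilter:
    """Parses 'SELECT * FROM <class> [WHERE <condition>]' and evaluates the
    condition against one instance (a dict of property name -> string value).
    Supported: =, !=, <> on strings, AND, OR and parentheses (AND binds tighter)."""

    _HEAD = re.compile(r"\s*SELECT\s+\*\s+FROM\s+(\w+)(?:\s+WHERE\s+(.*?))?\s*$", re.I | re.S)

    def __init__(self, query: str):
        m = self._HEAD.match(query)
        if not m:
            raise ValueError("expected: SELECT * FROM <class> [WHERE <condition>]")
        self.wmi_class = m.group(1)
        self.tokens = tokenize(m.group(2)) if m.group(2) else []

    def matches(self, instance: Dict[str, str]) -> bool:
        """True when the instance satisfies the WHERE clause (the GPO is processed)."""
        self._inst = {k.lower(): v for k, v in instance.items()}  # WMI names are case-insensitive
        self._pos = 0
        if not self.tokens:
            return True  # no WHERE clause: any instance of the class is a match
        result = self._or()
        if self._pos != len(self.tokens):
            raise ValueError("unexpected token after the condition")
        return result

    def _next(self) -> Token:
        if self._pos >= len(self.tokens):
            raise ValueError("unexpected end of WHERE clause")
        self._pos += 1
        return self.tokens[self._pos - 1]

    def _keyword(self, word: str) -> bool:
        if self._pos < len(self.tokens) and self.tokens[self._pos][0] == "id" \
                and self.tokens[self._pos][1].upper() == word:
            self._pos += 1
            return True
        return False

    def _or(self) -> bool:
        value = self._and()
        while self._keyword("OR"):
            value = self._and() or value  # right side is always parsed, never short-circuited
        return value

    def _and(self) -> bool:
        value = self._primary()
        while self._keyword("AND"):
            value = self._primary() and value
        return value

    def _primary(self) -> bool:
        kind, text = self._next()
        if (kind, text) == ("op", "("):
            value = self._or()
            if self._next() != ("op", ")"):
                raise ValueError("missing ')'")
            return value
        if kind != "id":
            raise ValueError(f"expected a property name, got {text!r}")
        okind, op = self._next()
        if okind != "op" or op not in ("=", "!=", "<>"):
            raise ValueError(f"unsupported operator {op!r}")
        lkind, literal = self._next()
        if lkind != "str":
            raise ValueError("expected a quoted string literal")
        actual = self._inst.get(text.lower())
        equal = actual is not None and actual.lower() == literal.lower()  # WQL string compare ignores case
        return equal if op == "=" else not equal


def gpo_passes_wmi_filter(query: str, instance: Dict[str, str], client_evaluates_wmi: bool = True) -> bool:
    """What the Group Policy client decides for a GPO that carries this filter.
    A client that never evaluates WMI filters (Windows 2000 in the text) treats
    the result as True and processes the GPO anyway."""
    if not client_evaluates_wmi:
        return True
    return WQLFilter(query).matches(instance)


# Constructed sample instances; real values come from Win32_OperatingSystem in root\CIMv2
XP_SP3 = {"Caption": "Microsoft Windows XP Professional", "CSDVersion": "Service Pack 3"}
XP_SP2 = {"Caption": "Microsoft Windows XP Professional", "CSDVersion": "Service Pack 2"}
XP_SP3_QUERY = ('Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" '
                'AND CSDVersion="Service Pack 3"')
```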


Enable or Disable GPOs and GPO Nodes
Key Points
You can prevent the settings in the Computer Configuration or User Configuration
nodes from being processed during policy refresh by changing the GPO Status.

To enable or disable a GPO's nodes, select the GPO or GPO link in the console
tree, click the Details tab, shown in the figure above, and then select one of the
following from the GPO Status drop-down list:
Enabled. Both computer configuration settings and user configuration settings
will be processed by CSEs during policy refresh.
All Settings Disabled. CSEs will not process the GPO during policy refresh.
Computer Configuration Settings Disabled. During computer policy refresh,
computer configuration settings in the GPO will not be applied.
User Configuration Settings Disabled. During user policy refresh, user
configuration settings in the GPO will not be applied.

You can configure GPO status to optimize policy processing. If a GPO contains
only user settings, for example, setting the GPO Status option to disable computer
settings prevents the Group Policy client from attempting to process the GPO
during computer policy refresh. Because the GPO contains no computer settings,
there is no need to process the GPO, and you can save a few cycles of the
processor.
Note: You can define a configuration that should take effect in case of an emergency, security
incident, or other disasters in a GPO and link the GPO so that it is scoped to appropriate
users and computers. Then, disable the GPO. If you require the configuration to be
deployed, enable the GPO.
Target Preferences
Key Points
Preferences, which are new to Windows Server 2008, have a built-in scoping
mechanism called item-level targeting. You can have multiple preference items in a
single GPO, and each preference item can be targeted or filtered. So, for example,
you could have a single GPO with a preference that specifies folder options for
engineers and another item that specifies folder options for sales people. You can
target the items by using a security group or OU. There are over a dozen other
criteria that can be used, including hardware and network characteristics, date and
time, Lightweight Directory Access Protocol (LDAP) queries, and more.

Note: What's new about preferences is that you can target multiple preference items within a
single GPO instead of requiring multiple GPOs. With traditional policies, you often need
multiple GPOs filtered to individual groups to apply variations of settings.
Like WMI filters, item-level targeting of preferences requires the CSE to perform a
query to determine whether to apply the settings in a preferences item. You must
be aware of the potential performance impact of item-level targeting, particularly if
you use options such as LDAP queries, which require processing time and a
response from a domain controller to process. As you design your Group Policy
infrastructure, balance the configuration management benefits of item-level
targeting against the performance impact you discover during testing in a lab.
Loopback Policy Processing
Key Points
By default, a user's settings come from GPOs scoped to the user object in Active
Directory. Regardless of which computer the user logs on to, the resultant set of
policies that determine the user's environment is the same. There are situations,
however, in which you might want to configure a user differently, depending on
the computer in use. For example, you might want to lock down and standardize
user desktops when users log on to computers in closely managed environments
such as conference rooms, reception areas, laboratories, classrooms, and kiosks. It
is also important for virtual desktop infrastructure (VDI) scenarios, including
remote virtual machines and Remote Desktop Services (RDS), known as Terminal
Services in previous versions.

Imagine a scenario in which you want to enforce a standard corporate appearance
for the Windows desktop on all computers in conference rooms and other public
areas of your office. How will you centrally manage this configuration by using
Group Policy? Policy settings that configure desktop appearance are located in the
User Configuration node of a GPO. Therefore, by default, the settings apply to
users, regardless of which computer they log on to. The default policy processing
does not give you a way to scope user settings to apply to computers, regardless of
which user logs on. That's where loopback policy processing comes in.
Loopback policy processing alters the default algorithm used by the Group Policy
client to obtain the ordered list of GPOs that should be applied to a user's
configuration. Instead of user configuration being determined by the User
Configuration node of GPOs that are scoped to the user object, user configuration
can be determined by the User Configuration node policies of GPOs that are
scoped to the computer object.
The User Group Policy loopback processing mode policy, located in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy folder in
GPME, can be, like all policy settings, set to Not Configured, Enabled, or
Disabled.
When enabled, the policy can specify the Replace or Merge mode.

Replace. In this case, the GPO list for the user (obtained in step 5 in the
Group Policy Processing section that follows) is replaced entirely by the GPO
list already obtained for the computer at computer startup (in step 2). The
settings in User Configuration policies of the computer's GPOs are applied to
the user. The Replace mode is useful in a situation such as a classroom where
users should receive a standard configuration rather than the configuration
applied to those users in a less managed environment.
Merge. In this case, the GPO list obtained for the computer at computer
startup (step 2 in the Group Policy Processing section) is appended to the
GPO list obtained for the user when logging on (step 5). Because the GPO list
obtained for the computer is applied later, settings in GPOs on the computer's
list have precedence if they conflict with settings in the user's list. This mode
would be useful to apply additional settings to users' typical configurations.
For example, you might allow a user to receive the user's typical configuration
when logging on to a computer in a conference room or reception area, but
replace the wallpaper with a standard bitmap and disable the use of certain
applications or devices.
Note: It is a less documented fact that when you combine the loopback processing with
security group filtering, the application of user settings during policy refresh uses the
credentials of the computer to determine which GPOs to apply as part of the loopback
processing. However, the logged-on user must also have the Apply Group Policy
permission for the GPO to be successfully applied.

Lab D: Manage Group Policy Scope
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Start 6425C-NYC-CL1. Do not log on to the client computer until directed to
do so.
Lab Scenario
You are an administrator of the contoso.com domain. The Contoso Standards
GPO, linked to the domain, configures a policy setting that requires a ten-minute
screen saver timeout. An engineer reports that a critical application that performs
lengthy calculations crashes when the screen saver starts, and the engineer has
asked you to prevent the setting from applying to the team of engineers that uses
the application every day. You have also been asked to configure conference room
computers to use a 45-minute timeout so that the screen saver does not launch
during a meeting.
Exercise 1: Configure GPO Scope with Links
In this exercise, you will modify the scope of GPOs by using GPO links, and you
will explore inheritance, precedence, and the effects of Enforced links and Block
Inheritance.
The main tasks for this exercise are as follows:
1. Create a GPO with a policy setting that takes precedence over a conflicting
setting.
2. View the effect of an Enforced GPO link.
3. Apply Block Inheritance.


Task 1: Create a GPO with a policy setting that takes precedence over
a conflicting setting
1. On NYC-DC1, run Active Directory Users and Computers as an
administrator, with the user name Pat.Coleman_Admin and the password
Pa$$w0rd.
2. In the User Accounts\Employees OU, create a sub-OU called Engineers, and
then close Active Directory Users and Computers.
3. Run the Group Policy Management Console as an administrator, with the user
name Pat.Coleman_Admin and the password Pa$$w0rd.
4. Create a new GPO linked to the Engineers OU called Engineering
Application Override.
5. Configure the Screen saver timeout policy setting to be disabled, and then
close the GPME.
6. Select the Engineers OU, and then click the Group Policy Inheritance tab.
Notice that the Engineering Application Override GPO has precedence over
the CONTOSO Standards GPO. The screen saver timeout policy setting you
just configured in the Engineering Application Override GPO will be applied
after the setting in the CONTOSO Standards GPO. Therefore, the new setting
will overwrite the standards setting, and will "win." Screen saver timeout will
be disabled for users within the scope of the Engineering Application
Override GPO.
Task 2: View the effect of an Enforced GPO link
1. In the GPMC console tree, select the Domain Controllers OU, and then click
the Group Policy Inheritance tab.
2. Notice that the GPO named 6425C has the highest precedence. Settings in this
GPO will override any conflicting settings in any of the other GPOs.
The Default Domain Controllers GPO specifies, among other things, which groups
are given the right to log on locally to domain controllers. To enhance the
security of domain controllers, standard users are not given the right to log on
locally. In order to allow a nonprivileged user account such as Pat.Coleman to
log on to domain controllers in this course, the 6425C GPO gives Domain
Users the right to log on locally to a computer. The 6425C GPO is linked to
the domain, so its settings would normally be overridden by settings in the
Default Domain Controllers GPO. Therefore, the 6425C GPO link to the
domain is configured as Enforced. In this way, the conflict in user rights
assignment between the two GPOs is "won" by the 6425C GPO.

Task 3: Apply Block Inheritance
1. In the GPMC console, select the Engineers OU, and examine the precedence
and inheritance of GPOs on the Group Policy Inheritance tab.
2. Block the inheritance of GPOs to the Engineers OU.
Question: What GPOs continue to apply to users in the Engineers OU? Where are
those GPOs linked? Why did they continue to apply?
3. Turn off Block Inheritance from the Engineers OU.

Results: In this exercise, you created a GPO called Engineering Application Override
and linked it to the Engineers OU. You also have an understanding of inheritance,
precedence, and the effects of an Enforced link and Block Inheritance.

Exercise 2: Configure GPO Scope with Filtering
As time passes, you discover that only a small number of engineers require the
screen saver timeout override that is currently applied to all users in the Engineers
OU. In addition, you discover that a few users must be exempted from the screen
saver timeout policy and other settings configured by the CONTOSO Standards
GPO. You decide to use security filtering to manage the scope of the GPOs.
In this exercise, you will modify the scope of GPOs by using filtering.
The main tasks for this exercise are as follows:
1. Configure policy application with security filtering.
2. Configure an exemption with security filtering.

Task 1: Configure policy application with security filtering
1. Run Active Directory Users and Computers as an administrator, with the
user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Groups\Configuration OU, create a global security group named
GPO_Engineering Application Override_Apply.
3. In the GPMC console, select the Engineering Application Override GPO.
Notice that in the Security Filtering section, the GPO applies by default to all
authenticated users.
4. Configure the GPO to apply only to the GPO_Engineering Application
Override_Apply group.

Task 2: Configure an exemption with security filtering
1. Run Active Directory Users and Computers as an administrator, with the
user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Groups\Configuration OU, create a global security group named
GPO_CONTOSO Standards_Exempt.
3. In the GPMC console, select the CONTOSO Standards GPO. Notice that in
the Security Filtering section, the GPO applies by default to all authenticated
users.
4. Configure the GPO to deny Apply Group Policy permission to the
GPO_CONTOSO Standards_Exempt group.

Results: In this exercise, you configured the Engineering Application Override GPO to
apply only to the members of GPO_Engineering Application Override_Apply. You also
configured a group with the Deny Apply Group Policy permission, which overrides the
Allow permission. If any user requires exemption from the policies in the CONTOSO
Standards GPO, you can simply add the user to the group GPO_CONTOSO
Standards_Exempt.

Exercise 3: Configure Loopback Processing
You need to configure the screen saver timeout in conference rooms to 45 minutes
so that a screen saver does not appear in the middle of a meeting.
In this exercise, you will configure loopback GPO processing.
The main task for this exercise is as follows:
Configure loopback processing.

Task 1: Configure loopback processing
1. Create a new GPO named Conference Room Policies and link it to the
Kiosks\Conference Rooms OU.
2. Confirm that the Conference Room Policies GPO is scoped to Authenticated
Users.
3. Modify the Screen Saver timeout policy to launch the screen saver after 45
minutes. Modify the User Group Policy loopback processing mode policy
setting to use Merge mode.

Results: After this exercise, you will have created a Conference Room Policies GPO that
applies a 45-minute screen saver timeout to users when they log on to conference
room computers.
Note: Do not shut down the virtual machines after you are finished with this lab because the
settings you have configured here will be used in subsequent labs.
Lab Review Questions
Question: Many organizations rely heavily on security group filtering to scope
GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs are
typically linked very high in the Active Directory logical structure, to the domain
itself or to a first-level OU. What advantages are gained by using security group
filtering rather than GPO links to manage the scope of the GPO?
Question: Why might it be useful to create an exemption group (a group that is
denied the Apply Group Policy permission) for every GPO you create?
Question: Do you use loopback policy processing in your organization? In what
scenarios and for what policy settings can loopback policy processing add value?

Lesson 6
Group Policy Processing
Now that you have learned more about the concepts, components, and scoping of
Group Policy, you are ready to examine Group Policy processing closely.
Objectives
After completing this lesson, you will be able to:
Understand, improve, and manually trigger policy refresh.
Implement loopback policy processing.


Detailed Review of Group Policy Processing
Key Points
This topic details Group Policy processing. As you read it, remember that Group
Policy is all about applying configurations defined by GPOs, that GPOs are applied
in an order (site, domain, and OU), and that GPOs applied later in the order have
higher precedence; their settings, when applied, will override settings applied
earlier. The following sequence details the process through which settings in a
domain-based GPO are applied to affect a computer or user.
1. The computer starts, and the network starts. Remote Procedure Call System
Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP)
are started. The Group Policy Client is started.
2. The Group Policy Client obtains an ordered list of GPOs scoped to the
computer.
The order of the list determines the order of GPO processing, which is, by
default, local, site, domain, and OU.
Local GPOs. Each computer running Windows Server 2003, Windows XP,
and Windows 2000 has exactly one GPO stored locally. Windows Vista
and Windows Server 2008 have multiple local GPOs. The precedence of
local GPOs is discussed in the Local GPOs section in Lesson 2.
Site GPOs. Any GPOs that have been linked to the site are added to the
ordered list next. When multiple GPOs are linked to a site, a domain, or
an OU, the link order, configured on the Scope tab, determines the order
in which they are added to the list. The GPO that is highest on the list,
with the number closest to 1, has the highest precedence, and is added to
the list last. It will, therefore, be applied last, and its settings will override
those of the GPOs applied earlier.
Domain GPOs. Multiple domain-linked GPOs are added as specified by
the link order.
Note: Domain-linked policies are not inherited by child domains; each domain maintains
distinct policy links. However, computers in several domains might be within the scope of
a GPO linked to a site.
OU GPOs. GPOs linked to the OU highest in the Active Directory
hierarchy are added to the ordered list, followed by GPOs linked to its
child OU, and so on. Finally, the GPOs linked to the OU that contains the
computer are added. If several group policies are linked to an OU, they are
added in the order specified by the link order.
Enforced GPOs are added at the end of the ordered list, so their settings
will be applied at the end of the process and will, therefore, override
settings of GPOs earlier in the list and in the process. As a point of trivia,
enforced GPOs are added to the list in the reverse order: OU, domain, and
site. This is relevant when you apply corporate security policies in a
domain-linked enforced GPO. That GPO will be at the end of the ordered
list and will be applied last, so its settings will take precedence.
3. The GPOs are processed synchronously in the order specified by the ordered
list. This means that settings in the local GPOs are processed first, followed by
GPOs linked to the site, the domain, and the OUs containing the user or
computer. GPOs linked to the OU of which the computer or user is a direct
member are processed last, followed by enforced GPOs.
As each GPO is processed, the system determines whether its settings should
be applied based on the GPO status for the computer node (enabled or
disabled) and whether the computer has the Apply Group Policy permission. If
a WMI filter is applied to the GPO, and if the computer is running Windows
XP or later, it performs the WQL query specified in the filter.
4. If the GPO should be applied to the system, CSEs trigger to process the GPO
settings. Policy settings in GPOs overwrite policies of previously applied GPOs
in the following ways:
If a policy setting is configured (set to Enabled or Disabled) in a GPO
linked to a parent container (OU, domain, or site), and the same policy
setting is Not Configured in GPOs linked to its child container, the
resultant set of policies for users and computers in the child container will
include the parent's policy setting. If the child container is configured with
the Block Inheritance option, the parent setting is not inherited unless the
GPO link is configured with the Enforced option.
If a policy setting is configured (set to Enabled or Disabled) for a parent
container, and the same policy setting is configured for a child, the child
container's setting overrides the setting inherited from the parent. If the
parent GPO link is configured with the Enforced option, the parent setting
has precedence.
If a policy setting of GPOs linked to parent containers is Not Configured,
and the child OU setting is also Not Configured, the resultant policy
setting is the setting that results from the processing of local GPOs. If the
resultant setting of local GPOs is also Not Configured, the resultant
configuration is the Windows default setting.
5. When the user logs on, the process is repeated for user settings. The client
obtains an ordered list of GPOs scoped to the user, examines each GPO
synchronously, and hands over GPOs that should be applied to the
appropriate CSEs for processing. This step is modified if User Loopback
Group Policy Processing is enabled. Loopback policy processing is discussed
in the next topic.
Note: Some policy settings are in both the Computer Configuration and User Configuration nodes.
Most policy settings are specific to either the User Configuration or Computer
Configuration node. A few settings appear in both nodes. Although in most situations,
the setting in the Computer Configuration node overrides the setting in the User
Configuration node, it is important to read the explanatory text accompanying the policy
setting to understand the setting's effect and its application.
6. Every 90 to 120 minutes after computer startup, computer policy refresh occurs,
and the process is repeated for computer settings.
7. Every 90 to 120 minutes after user logon, user policy refresh occurs, and the
process is repeated for user settings.
</gr_repl ace>

<gr_insert after="38697" cat="add_content" lang="python" orig="process is repeated for user settings.">
The ordered-list and precedence rules of steps 2 to 5 above, together with the loopback Replace and Merge modes described in the earlier topic, as an added example (not Microsoft's code): a small model that builds the ordered GPO list with link order, Block Inheritance and Enforced handling, resolves the resultant settings, and runs the lab's own GPO and OU names through it; setting values and the site name are constructed, and Enforced is modelled on the GPO rather than on the link.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GPO:
    name: str
    settings: Dict[str, object] = field(default_factory=dict)  # configured settings only
    enforced: bool = False  # Enforced belongs to the link; modelled on the GPO for brevity


@dataclass
class Container:
    name: str
    links: List[GPO] = field(default_factory=list)  # links[0] has link order 1
    block_inheritance: bool = False


def ordered_gpo_list(local: List[GPO], site: Container, domain: Container,
                     ou_chain: List[Container]) -> List[GPO]:
    """Step 2: local, site, domain, then OUs from the top of the hierarchy down.
    Within a container, link order 1 is added last so that it wins. Block
    Inheritance on an OU drops the non-enforced GPOs of every container above
    it. Enforced GPOs go at the very end, in reverse order (OU, domain, site),
    so they are applied last and override everything before them."""
    chain = [site, domain] + ou_chain
    block_from = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    order: List[GPO] = list(local)
    for i, container in enumerate(chain):
        if i < block_from:
            continue  # inherited from above a blocking OU: skipped unless enforced
        for gpo in reversed(container.links):
            if not gpo.enforced:
                order.append(gpo)
    for container in reversed(chain):
        for gpo in reversed(container.links):  # assumed: link order 1 still last
            if gpo.enforced:
                order.append(gpo)
    return order


def resultant_settings(order: List[GPO]) -> Dict[str, object]:
    """Step 4: later GPOs overwrite earlier ones; a setting a GPO leaves Not
    Configured (absent from its dict) keeps the value inherited so far."""
    resultant: Dict[str, object] = {}
    for gpo in order:
        resultant.update(gpo.settings)
    return resultant


def user_gpo_list(user_order: List[GPO], computer_order: List[GPO],
                  loopback: Optional[str] = None) -> List[GPO]:
    """Step 5 with loopback: Replace substitutes the computer's list for the
    user's; Merge appends it, so the computer's settings win on conflict."""
    if loopback is None:
        return list(user_order)
    if loopback == "Replace":
        return list(computer_order)
    if loopback == "Merge":
        return list(user_order) + list(computer_order)
    raise ValueError("loopback must be None, 'Replace' or 'Merge'")


# Constructed scenario with the lab's GPO and OU names; the setting values are sample data
CONTOSO_STANDARDS = GPO("CONTOSO Standards", {"ScreenSaverTimeout": 600})
COURSE_GPO = GPO("6425C", {"AllowLogOnLocally": "Domain Users"}, enforced=True)
DEFAULT_DC = GPO("Default Domain Controllers Policy", {"AllowLogOnLocally": "Administrators"})
ENG_OVERRIDE = GPO("Engineering Application Override", {"ScreenSaverTimeout": "Disabled"})
CONF_ROOM = GPO("Conference Room Policies", {"ScreenSaverTimeout": 2700})
SITE = Container("Default-First-Site-Name")
DOMAIN = Container("contoso.com", [CONTOSO_STANDARDS, COURSE_GPO])  # 6425C has link order 2 but is enforced


def engineer_settings(loopback: Optional[str] = None, block_inheritance: bool = False):
    """Resultant user settings for an engineer logging on to a conference room
    computer, optionally with loopback and with Block Inheritance on Engineers."""
    engineers = [Container("User Accounts"), Container("Employees"),
                 Container("Engineers", [ENG_OVERRIDE], block_inheritance)]
    conference = [Container("Kiosks"), Container("Conference Rooms", [CONF_ROOM])]
    user_order = ordered_gpo_list([], SITE, DOMAIN, engineers)
    computer_order = ordered_gpo_list([], SITE, DOMAIN, conference)
    return resultant_settings(user_gpo_list(user_order, computer_order, loopback))


def domain_controller_settings():
    """Exercise 1, Task 2: the enforced domain-linked 6425C GPO is applied after
    the Default Domain Controllers GPO and wins the user-rights conflict."""
    order = ordered_gpo_list([], SITE, DOMAIN, [Container("Domain Controllers", [DEFAULT_DC])])
    return [gpo.name for gpo in order], resultant_settings(order)
```

With Block Inheritance on the Engineers OU the enforced 6425C GPO still reaches the user, which is the answer the lab question in Exercise 1 asks for.
<test>
assert engineer_settings()["ScreenSaverTimeout"] == "Disabled"
assert engineer_settings("Merge")["ScreenSaverTimeout"] == 2700
assert engineer_settings("Replace")["ScreenSaverTimeout"] == 2700
blocked = engineer_settings(block_inheritance=True)
assert blocked["ScreenSaverTimeout"] == "Disabled"
assert blocked["AllowLogOnLocally"] == "Domain Users"
names, dc = domain_controller_settings()
assert names == ["CONTOSO Standards", "Default Domain Controllers Policy", "6425C"]
assert dc["AllowLogOnLocally"] == "Domain Users"
assert [g.name for g in ordered_gpo_list([], SITE, DOMAIN, [])] == ["CONTOSO Standards", "6425C"]
</test>
</gr_insert>

<gr_replace lines="38699-38731" cat="remove_boilerplate" orig="B">

Slow Links and Disconnected Systems
Key Points
One of the tasks that can be automated and managed with Group Policy is
software installation. In Module 7, you'll learn about Group Policy Software
Installation (GPSI), which is provided by the software installation CSE. You can
configure a GPO to install one or more software packages.
Imagine, however, that a user connects to your network over a slow connection.
You would not want large software packages to be transferred over the slow link
because performance would be problematic.
The Group Policy Client addresses this concern by detecting the speed of the
connection to the domain and determining whether the connection should be
considered a slow link. That determination is then used by each CSE to decide
whether to apply settings. The software extension, for example, is configured to
forgo policy processing so that software is not installed if a slow link is detected. By
default, a link is considered to be slow if it is less than 500 kilobits per second
(kbps).
If Group Policy detects a slow link, it sets a flag to indicate the slow link to the
CSEs. The CSEs can then determine whether to process the applicable Group
Policy settings. The default slow link speed is 500 kilobits per second (Kbps), but
you can configure this. The following table describes the default behavior of the
client-side extensions:

Client-Side Extension                      Slow link processing   Can it be changed?
Registry policy processing                 On                     No
Internet Explorer maintenance              Off                    Yes
Software Installation policy               Off                    Yes
Folder Redirection policy                  Off                    Yes
Scripts policy                             Off                    Yes
Security policy                            On                     No
Internet Protocol Security (IPSec) policy  Off                    Yes
Wireless policy                            Off                    Yes
EFS Recovery policy                        On                     Yes
Disk Quota policy                          Off                    Yes

If a user is working while disconnected from the network, the settings previously
applied by Group Policy continue to take effect, so a user's experience is identical,
irrespective of whether he or she is on the network or working away from the
network. There are exceptions to this rule, most notably that startup, logon, logoff,
and shutdown scripts will not run if the user is disconnected.
If a remote user connects to the network, the Group Policy client wakes up and
determines whether a Group Policy refresh window has been missed. If so, it
performs a Group Policy refresh to obtain the latest GPOs from the domain. Again,
the CSEs determine, based on their policy processing settings, whether settings in
those GPOs are applied. This process does not apply to Windows XP or Windows
Server 2003 systems. It applies only to Windows Vista, Windows Server 2008, and
newer operating systems.


Identify When Settings Take Effect
Key Points
There are several processes that must be completed before Group Policy settings
are actually applied to a user or a computer. We will discuss these processes in this
topic.
GPO Replication Must Happen
Before a GPO can take effect, the Group Policy container (GPC) in Active Directory
must be replicated to the domain controller from which the Group Policy Client
obtains its ordered list of GPOs. Additionally, the Group Policy template (GPT) in
SYSVOL must replicate to the same domain controller.
Group Changes Must Be Incorporated
Finally, if you have added a new group or changed the membership of a group that
is used to filter the GPO, that change must also be replicated, and the change must
be in the security token of the computer and the user, which requires a restart (for
the computer to update its group membership) or a logoff and logon (for the user
to update its group membership).
User or Computer Group Policy Refresh Must Occur
As you know, refresh happens at startup (for computer settings) and logon (for
user settings) and every 90-120 minutes thereafter, by default.
Note: Remember that the practical impact of the Group Policy refresh interval is that when you
make a change in your environment, it will be on average one-half that time, or 45 to 60
minutes, before the change starts to take effect.
By default, Windows XP, Windows Vista, and Windows 7 clients perform only
background refreshes at startup and logon, which means that a client might start
up and a user might log on without receiving the latest policies from the
domain. We highly recommend that you change this default behavior so that
policy changes are implemented in a managed, predictable way. Enable the policy
setting Always Wait For Network At Startup And Logon for all Windows clients.
The setting is located in Computer Configuration\Policies\Administrative
Templates\System\Logon. Be sure to read the policy settings explanatory text.
Note that this does not affect the startup or logon time for computers that are not
connected to a network. If the computer detects that it is disconnected, it does not
"wait" for a network. The contoso.com domain used in this course has been
preconfigured with this additional Group Policy setting.
Settings Might Not Take Effect Immediately
Although most settings are applied during a background policy refresh, some CSEs
do not apply the setting until the next startup or logon event. For example, newly
added startup and logon script policies do not run until the next computer startup
or logon. Software installation, which is discussed in Module 7, will occur at the
next startup if the software is assigned in computer settings. Changes to folder
redirection policies will not take effect until the next logon.
Manually Refresh Group Policy with GPUpdate
When you are experimenting with Group Policy or trying to troubleshoot Group
Policy processing, you might need to initiate a Group Policy refresh manually so
that you do not have to wait for the next background refresh. The GPUpdate
command can be used to initiate a Group Policy refresh. Used on its own, this
command triggers processing identical to a background Group Policy refresh. Both
computer policy and user policy are refreshed. Use the /target:computer or
/target:user parameter to limit the refresh to computer or user settings,
respectively. During background refresh, by default, settings are applied only if the
GPO has been updated. The /force switch causes the system to reapply all settings
in all GPOs scoped to the user or computer. Some policy settings require a logoff
or reboot before they actually take effect. The /logoff and /boot switches of
GPUpdate cause a logoff or reboot, respectively. You can use these switches when
you apply settings that require a logoff or reboot.
So the command that will cause a total refresh, application and (if necessary)
reboot and logon to apply updated policy settings is:
gpupdate /force /logoff /boot
In Windows 2000 Server, the Secedit.exe command was used to refresh policy, so
you might encounter a mention of the Secedit.exe command on the exam.
Most CSEs Do Not Reapply Settings if the GPO Has Not Changed
Remember that most CSEs apply settings in a GPO only if the GPO version has
changed. This means if a user can change a setting that was originally specified by
Group Policy, the setting will not be brought back into compliance with the
settings specified by the GPO until the GPO changes. Luckily, most policy settings
cannot be changed by a nonprivileged user. However, if a user is an administrator
of their computer, or if the policy setting affects a part of the registry or of the
system that the user has permissions to change, this could be a real problem.
You have the option of instructing each CSE to reapply the settings of GPOs even if
the GPOs have not been changed. Processing behavior of each CSE can be
configured in the policy settings found in Computer Configuration\Administrative
Templates\System\Group Policy.
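The slow-link table on page 6-120 and the "reapply only if the GPO changed" behavior described above are both driven by per-CSE flags in the registry. The following PowerShell audit is an added example, not part of the course; it assumes the standard registry layout named in its comments (CSE registrations under Winlogon\GPExtensions, policy overrides under Policies\...\Group Policy, and the GroupPolicyMinTransferRate value for the slow-link threshold) and reports, per CSE, whether slow-link processing is on and whether settings are reapplied when the GPO has not changed.

```powershell
# Added example (not the course's own code): audit how each Group Policy
# client-side extension (CSE) on this client is configured for slow-link
# processing and for reapplying settings when the GPO has not changed.
# Assumed registry layout (Windows Vista / Windows Server 2008 and later):
#   CSE registrations  : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{GUID}
#   policy overrides   : HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID}
#   slow-link threshold: GroupPolicyMinTransferRate under HKLM\SOFTWARE\Policies\Microsoft\Windows\System
# Run in an elevated PowerShell session on the computer being examined.

$GpExtensionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$GpPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$SystemPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegistryValue {
    # Returns $null (instead of throwing) when the key or the value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-Item -Path $Path).GetValue($Name, $null)
}

function Get-EffectiveCseFlag {
    # A flag set by policy wins; otherwise the CSE's own registration applies;
    # a flag nobody set counts as 0, which means "process".
    param([string]$PolicyPath, [string]$RegistrationPath, [string]$Flag)
    $fromPolicy = Get-RegistryValue -Path $PolicyPath -Name $Flag
    if ($null -ne $fromPolicy) { return @{ Value = [int]$fromPolicy; Source = 'policy' } }
    $fromReg = Get-RegistryValue -Path $RegistrationPath -Name $Flag
    if ($null -ne $fromReg) { return @{ Value = [int]$fromReg; Source = 'registration' } }
    return @{ Value = 0; Source = 'default' }
}

function Get-CseProcessingReport {
    # One row per registered CSE. NoSlowLink=1 means the CSE skips processing
    # over a slow link; NoGPOListChanges=1 means it processes only when the
    # list or version of GPOs has changed (the "do not reapply" behavior).
    # The registry and security CSEs process over slow links regardless of
    # the flag, as the course's table notes; this report shows the configured value.
    Get-ChildItem -Path $GpExtensionsKey | ForEach-Object {
        $guid    = $_.PSChildName
        $polPath = Join-Path -Path $GpPolicyKey -ChildPath $guid
        $slow    = Get-EffectiveCseFlag -PolicyPath $polPath -RegistrationPath $_.PSPath -Flag 'NoSlowLink'
        $bg      = Get-EffectiveCseFlag -PolicyPath $polPath -RegistrationPath $_.PSPath -Flag 'NoBackgroundPolicy'
        $reapply = Get-EffectiveCseFlag -PolicyPath $polPath -RegistrationPath $_.PSPath -Flag 'NoGPOListChanges'

        $slowText    = if ($slow.Value -eq 1)    { 'Off' } else { 'On' }
        $bgText      = if ($bg.Value -eq 1)      { 'Off' } else { 'On' }
        $reapplyText = if ($reapply.Value -eq 1) { 'No' }  else { 'Yes' }

        [pscustomobject]@{
            CSE                = $_.GetValue('')   # friendly name is the key's default value
            GUID               = $guid
            SlowLinkProcessing = $slowText
            BackgroundRefresh  = $bgText
            ReapplyIfUnchanged = $reapplyText
            ReapplySource      = $reapply.Source   # 'policy' shows an administrator overrode the CSE default
        }
    }
}

# Effective slow-link threshold: the policy value if set, otherwise the 500 kbps default.
$rate = Get-RegistryValue -Path $SystemPolicyKey -Name 'GroupPolicyMinTransferRate'
if ($null -eq $rate) { 'Slow link threshold: 500 kbps (Windows default)' }
else                 { "Slow link threshold: $rate kbps (set by policy)" }

Get-CseProcessingReport | Sort-Object -Property CSE | Format-Table -AutoSize
```

A CSE that shows ReapplyIfUnchanged = No and governs state a local administrator can alter is the case the section above warns about; the policy "process even if the Group Policy objects have not changed" under System\Group Policy flips that row to Yes.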
Lesson 7
Troubleshoot Policy Application
With the interaction of multiple settings in multiple GPOs scoped by using a
variety of methods, Group Policy application can be complex to analyze and
understand. Therefore, you must be equipped to effectively evaluate and
troubleshoot your Group Policy implementation, identify potential problems
before they arise, and solve unforeseen challenges. Microsoft Windows provides
two tools that are indispensable for supporting Group Policy, Resultant Set of
Policy (RSoP) and the Group Policy Operational Logs. In this lesson, you will
explore the use of these tools in both proactive and reactive troubleshooting and
support scenarios.
Objectives
After completing this lesson, you will be able to:
Analyze the set of GPOs and policy settings that have been applied to a user or
computer.
Proactively model the impact of Group Policy or Active Directory changes on
the Resultant Set of Policy (RSoP).
Locate the event logs containing Group Policy-related events.


Resultant Set of Policy
Key Points
In Lesson 4, you learned that a user or computer can be within the scope of
multiple GPOs. Group Policy inheritance, filters, and exceptions are complex, and
it's often difficult to determine which policy settings will apply.
RSoP is the net effect of GPOs applied to a user or computer taking into account
GPO links, exceptions, such as Enforced and Block Inheritance, and application of
security and WMI filters.
RSoP is also a collection of tools that help you evaluate, model, and troubleshoot
the application of Group Policy settings. RSoP can query a local or remote
computer and report back the exact settings that were applied to the computer and
to any user who has logged on to the computer. RSoP can also model the policy
settings that are anticipated to be applied to a user or computer under a variety of
scenarios, including moving the object between OUs or sites or changing the
object's group membership. With these capabilities, RSoP can help you manage
and troubleshoot conflicting policies.
Windows Server 2008 provides the following tools for performing RSoP analysis:
The Group Policy Results Wizard
The Group Policy Modeling Wizard
GPResult.exe


Generate RSoP Reports
Key Points
To help you analyze the cumulative effect of GPOs and policy settings on a user or
computer in your organization, the GPMC includes the Group Policy Results
Wizard. If you want to understand exactly which policy settings have applied to a
user or a computer, and why, the Group Policy Results Wizard is the tool to use.
The Group Policy Results Wizard can reach into the WMI provider on a local or
remote computer running Windows Vista, Windows XP, Windows Server 2003, or
Windows Server 2008. The WMI provider can report everything there is to know
about the way Group Policy was applied to the system. It knows when processing
occurred, which GPOs were applied, which GPOs were not applied and why,
errors that were encountered, and the exact policy settings that took precedence
and their source GPO.
There are several requirements for running the Group Policy Results Wizard, as
follows:
You must have administrative credentials on the target computer.
The target computer must be running Windows XP or newer. The Group
Policy Results Wizard cannot access Windows 2000 systems.
You must be able to access WMI on the target computer. This means it must
be powered on, connected to the network, and accessible through ports 135
and 445.
Note: Performing RSoP analysis by using Group Policy Results Wizard is just one example of
remote administration. To perform remote administration, you may need to configure
inbound rules for the firewall used by your clients and servers.
The WMI service must be started on the target computer.
If you want to analyze RSoP for a user, that user must have logged on at least
once to the computer. It is not necessary for the user to be currently logged on.

After you have ensured that the requirements are met, you are ready to run an
RSoP analysis.
To run an RSoP report, right-click Group Policy Results in the GPMC console tree
and then click Group Policy Results Wizard.
The wizard prompts you to select a computer. It then connects to the WMI
provider on that computer and provides a list of users that have logged on to it.
You can then select one of the users or opt to skip RSoP analysis for user
configuration policies.
The wizard produces a detailed RSoP report in a dynamic HTML format. If Internet
Explorer Enhanced Security Configuration is set, you will be prompted to allow
the console to display the dynamic content. You can expand or collapse each
section of the report by clicking the Show or Hide link, or by double-clicking the
heading of the section.
The report is displayed on three tabs:
Summary. The Summary tab displays the status of Group Policy processing at
the last refresh. You can identify information that was collected about the
system, the GPOs that were applied and denied, security group membership
that might have affected GPOs filtered with security groups, WMI filters that
were analyzed, and the status of CSEs.
Settings. The Settings tab displays the resultant set of policy settings applied
to the computer or user. This tab shows you exactly what has happened to the
user through the effects of your Group Policy implementation. A tremendous
amount of information can be gleaned from the Settings tab, but some data
isn't reported, such as IPSec, wireless, and disk quota policy settings.
Policy Events. The Policy Events tab displays Group Policy events from the
event logs of the target computer.

After you have generated an RSoP report with the Group Policy Results Wizard,
you can right-click the report to rerun the query, print the report, or save the report
as either an XML file or an HTML file that maintains the dynamic expanding and
collapsing sections. Both file types can be opened with Internet Explorer, so the
RSoP report is portable outside the GPMC.
If you right-click the node of the report itself, under the Group Policy Results folder
in the console tree, you can switch to Advanced View. In Advanced View, RSoP is
displayed by using the RSoP snap-in, which exposes all applied settings, including
IPSec, wireless, and disk quota policies.
Generate RSoP Reports with GPResult.exe
The GPResult.exe command is the command-line version of the Group Policy
Results Wizard. GPResult taps into the same WMI provider as the wizard,
produces the same information and, in fact, enables you to create the same
graphical reports. GPResult runs on Windows Vista, Windows XP, Windows
Server 2003, and Windows Server 2008. Windows 2000 includes a GPResult.exe
command, which produces a limited report of Group Policy processing, but is not
as sophisticated as the command included in later versions of Windows.
When you run the GPResult command, you are likely to use the following options.
/s computername
This option specifies the name or IP address of a remote system. If you use a
dot (.) as the computer name, or do not include the /s option, the RSoP
analysis is performed on the local computer.
/scope [user | computer]
This displays RSoP analysis for user or computer settings. If you omit the
/scope option, RSoP analysis includes both user and computer settings.
/user username
This specifies the name of the user for which RSoP data is to be displayed.
/r
This option displays a summary of RSoP data.
/v
This options displays verbose RSoP data, which presents the most meaningful
information.
/z
This displays super verbose data, including the details of all policy settings
applied to the system. Often, this is more information than you will require for
typical Group Policy troubleshooting.
/u domain\user /p password
This provides credentials that are in the Administrators group of a remote
system. Without these credentials, GPResult runs by using the credentials with
which you are logged on.
[/x | /h] filename
This option saves the reports in the XML or HTML format. These options are
available in Windows Vista SP1 and later and Windows Server 2008 and later.
Troubleshoot Group Policy with the Group Policy Results Wizard and
GPResult.exe
As an administrator, you will likely encounter scenarios that require Group Policy
troubleshooting. You might need to diagnose and solve problems, including the
following:
GPOs are not being applied at all.
The resultant set of policies for a computer or user is not what was expected.

The Group Policy Results Wizard and GPResult.exe will often provide the most
valuable insight into Group Policy processing and application problems.
Remember that these tools examine the WMI RSoP provider to report exactly what
happened on a system. Examining the RSoP report will often point you to GPOs
that are scoped incorrectly or policy processing errors that prevented the
application of GPO settings.
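When a GPO is "not being applied at all", the fastest way to see why is the per-GPO status in a saved report. The following PowerShell is an added example, not part of the course: it reads the XML that gpresult /x writes and lists every GPO in the computer and user scopes with its link location, whether it was applied, and the reason it was not. It assumes the element layout named in its comments (Rsop / ComputerResults / GPO with Name, Enabled, IsValid, FilteringStatus, AccessDenied and Link) and ships with a constructed sample report so it can be run offline.

```powershell
# Added example (not the course's own code): summarise a gpresult /x report so
# that GPOs which were denied, disabled or invalid stand out, with the reason.
# Assumed layout of the XML that gpresult /x writes: a root <Rsop> element with
# <ComputerResults> and <UserResults>, each containing <GPO> elements that hold
# <Name>, <Enabled>, <IsValid>, <FilteringStatus>, <AccessDenied> and
# <Link><SOMPath>/<NoOverride>. Namespaces are ignored via local-name(), so the
# constructed sample below and a real report are parsed the same way.

function Get-ChildText {
    # Text of the first child element called $Name, or $null if there is none.
    param([System.Xml.XmlNode]$Node, [string]$Name)
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($null -ne $child) { return $child.InnerText.Trim() }
    return $null
}

function Get-RsopGpoStatus {
    # One object per GPO per scope. Applied is $true only when the GPO is
    # enabled, valid, not access-denied and passed security/WMI filtering.
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $gpos = $Report.SelectNodes("/*[local-name()='Rsop']/*[local-name()='$scope']/*[local-name()='GPO']")
        foreach ($gpo in $gpos) {
            $link      = $gpo.SelectSingleNode("*[local-name()='Link']")
            $enabled   = (Get-ChildText $gpo 'Enabled')      -eq 'true'
            $valid     = (Get-ChildText $gpo 'IsValid')      -eq 'true'
            $denied    = (Get-ChildText $gpo 'AccessDenied') -eq 'true'
            $filtering = Get-ChildText $gpo 'FilteringStatus'

            # Order matters: a disabled or invalid GPO is reported as such even
            # if it would also have been filtered out.
            $reason = if (-not $enabled)  { 'GPO or link disabled' }
                      elseif (-not $valid) { 'GPO invalid (GPC/GPT missing or unreadable)' }
                      elseif ($denied)     { 'access denied reading the GPO' }
                      elseif ($filtering -and $filtering -ne 'None') { $filtering }
                      else { '' }
            $linkedAt = if ($link) { Get-ChildText $link 'SOMPath' } else { '' }
            $enforced = if ($link) { (Get-ChildText $link 'NoOverride') -eq 'true' } else { $false }

            [pscustomobject]@{
                Scope    = $scope -replace 'Results$'
                GPO      = Get-ChildText $gpo 'Name'
                LinkedAt = $linkedAt
                Enforced = $enforced
                Applied  = ($reason -eq '')
                Reason   = $reason
            }
        }
    }
}

# Constructed sample shaped like a gpresult /x report (not real output). GPO
# names other than Default Domain Policy and Conference Room Policies are made up.
$sampleReport = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name><Enabled>true</Enabled><IsValid>true</IsValid>
         <FilteringStatus>None</FilteringStatus><AccessDenied>false</AccessDenied>
         <Link><SOMPath>contoso.com</SOMPath><NoOverride>false</NoOverride></Link></GPO>
    <GPO><Name>Sample Desktop Lockdown (constructed)</Name><Enabled>true</Enabled><IsValid>false</IsValid>
         <FilteringStatus>None</FilteringStatus><AccessDenied>false</AccessDenied>
         <Link><SOMPath>contoso.com/Clients</SOMPath><NoOverride>true</NoOverride></Link></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Conference Room Policies</Name><Enabled>true</Enabled><IsValid>true</IsValid>
         <FilteringStatus>Denied (Security)</FilteringStatus><AccessDenied>false</AccessDenied>
         <Link><SOMPath>contoso.com/Clients</SOMPath><NoOverride>false</NoOverride></Link></GPO>
  </UserResults>
</Rsop>
'@

Get-RsopGpoStatus -Report $sampleReport | Format-Table -AutoSize
# For a real report: gpresult /x C:\rsop.xml, then
#   $doc = New-Object System.Xml.XmlDocument; $doc.Load('C:\rsop.xml')
#   Get-RsopGpoStatus -Report $doc | Where-Object { -not $_.Applied }
```

In the sample, the denied Conference Room Policies row carries the filtering status as its reason, and the invalid (constructed) GPO surfaces even though it is Enforced, which is the replication case from "Identify When Settings Take Effect".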
Perform What-If Analyses with the Group Policy Modeling Wizard
Key Points
If you move a computer or user between sites, domains, or OUs, or change its
security group membership, the GPOs scoped to that user or computer will
change. Therefore, the RSoP for the computer or user will be different. The RSoP
will also change if slow link or loopback processing occurs, or if there is a change
to a system characteristic that is targeted by a WMI filter.
Before you make any of these changes, you should evaluate the potential impact to
the RSoP of the user or computer. The Group Policy Results Wizard can perform
RSoP analysis only on what has actually happened. To predict the future and to
perform what-if analyses, you can use the Group Policy Modeling Wizard.
To perform Group Policy Modeling, right-click the Group Policy Modeling node in
the GPMC console tree, click Group Policy Modeling Wizard, and then perform
the steps in the wizard.
Modeling is performed by conducting a simulation on a domain controller, so you
are first asked to select a domain controller that is running Windows Server 2003
or later. You do not need to be logged on locally to the domain controller, but the
modeling request will be performed on the domain controller. You are then asked
to specify the settings for the simulation.
Select a user or computer object to evaluate, or specify the OU, site, or domain
to evaluate.
Choose whether slow link processing should be simulated.
Specify to simulate loopback processing and, if so, choose Replace or Merge
mode.
Select a site to simulate.
Select security groups for the user and for the computer.
Choose which WMI filters to apply in the simulation of user and computer
policy processing.

When you have specified the settings for the simulation, a report is produced that
is very similar to the Group Policy Results report discussed earlier. The Summary
tab shows an overview of which GPOs will be processed, and the Settings tab
details the policy settings that will be applied to the user or computer. This report,
too, can be saved by right-clicking it and choosing Save Report.
Examine Policy Event Logs
Key Points
Windows Vista and Windows Server 2008 improve your ability to troubleshoot
Group Policy not only with RSoP tools, but also with improved logging of Group
Policy events.
In the System log, you will find high-level information about Group Policy,
including errors created by the Group Policy client when it cannot connect to a
domain controller or locate GPOs.
The Application log captures events recorded by CSEs.
A new log, called the Group Policy Operational Log, provides detailed
information about Group Policy processing.
To find the Group Policy logs, open the Event Viewer snap-in or console. The
System and Application logs are in the Windows Logs node. The Group Policy
Operational Log is found in Applications And Services Logs\Microsoft
\Windows\GroupPolicy\Operational.

Lab E: Troubleshoot Policy Application
Lab Setup
For this lab, you will use the available virtual machine environment. Before you
begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane,
click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Start 6425C-NYC-CL1. Log on to NYC-CL1 as Pat.Coleman with the password
Pa$$w0rd.
Lab Scenario
You are responsible for administering and troubleshooting the Group Policy
infrastructure at Contoso, Ltd. You want to evaluate the resultant set of policies for
users in your environment to ensure that the Group Policy infrastructure is
healthy, and that all policies are applied as they were intended.
Exercise 1: Perform RSoP Analysis
In this exercise, you will evaluate the resultant set of policy by using both the
Group Policy Results Wizard and the GPResults command.
The main tasks for this exercise are as follows:
1. Refresh Group Policy.
2. Create a Group Policy results RSoP report.
3. Analyze RSoP with GPResults.


Task 1: Refresh Group Policy
1. On NYC-CL1, run the command prompt as an administrator, with the user
name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Run the gpupdate /force command. After the command has completed, make
a note of the current system time, which you will need to know for a task later
in this lab.
3. Restart NYC-CL1 and wait for it to restart before proceeding with the next
task.

Task 2: Create a Group Policy results RSoP report
1. On NYC-DC1, run Group Policy Management console as an administrator,
with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Use the Group Policy Results Wizard to run an RSoP report for Pat.Coleman
on NYC-CL1.
3. Review the Group Policy Summary results. For both user and computer
configuration, identify the time of the last policy refresh and the list of allowed
and denied GPOs. Identify the components that were used to process policy
settings.
4. Click the Settings tab. Review the settings that were applied during user and
computer policy application, and identify the GPO from which the settings
were obtained.
5. Click the Policy Events tab, and locate the event that logs the policy refresh
you triggered with the GPUpdate command in Task 1.
6. Click the Summary tab, right-click the page, and choose Save Report. Save the
report as an HTML file to drive D with a name of your choice. Then open the
RSoP report from drive D.

Task 3: Analyze RSoP with GPResults
1. Log on to NYC-CL1 as Pat.Coleman_Admin with the password Pa$$w0rd.
2. Run the command prompt with administrative credentials.
3. Type gpresult /r and press ENTER.
RSoP summary results are displayed. The information is very similar to the
Summary tab of the RSoP report produced by the Group Policy Results
Wizard.
4. Type gpresult /v and press ENTER.
A more detailed RSoP report is produced. Notice that many of the Group
Policy settings applied by the client are listed in this report.
5. Type gpresult /z and press ENTER.
The most detailed RSoP report is produced.
6. Type gpresult /h:"%userprofile%\Desktop\RSOP.html" and press ENTER.
An RSoP report is saved as an HTML file to your desktop.
7. Open the saved RSoP report from your desktop.
8. Compare the report, its information, and its formatting to the RSoP report you
saved in the previous task.

Results: In this exercise, you learned how to perform resultant set of policy analysis
in two ways: by using a wizard and from the command line.

Exercise 2: Use the Group Policy Modeling Wizard
Before you roll out the Conference Room Policies GPO for production use, you
want to evaluate the effect it will have on users who log on to conference room
computers. In this exercise, you will use the Group Policy Modeling Wizard to
model the resultant set of policies applied to a user, Mike Danseglio, if he were to
log on to a conference room computer, NYC-CL1.
The main task for this exercise is as follows:
Perform Group Policy results modeling.

Task 1: Perform Group Policy results modeling
1. Switch to NYC-DC1.
2. In the Group Policy Management console tree, expand Forest:Contoso.com,
and then click Group Policy Modeling.
3. Right-click Group Policy Modeling, and then click Group Policy Modeling
Wizard.
The Group Policy Modeling Wizard appears.