Exercise 7 : Viewing Computer In Active Directory
In this section you will use Active Directory Users and Computers to view information for
computers and servers.
When a client workstation is installed with Windows XP Professional, Windows 2000
Professional, Windows Vista or Windows 7, it has its own accounts database and rights.
When that client computer joins a domain or Windows Server 2008 network, the
domain-wide accounts become available for use at the workstation. When a user logs on using the
client computer, any policies are applied to the client computer.
Client workstations running Windows XP Professional have their own local accounts database.
This means an administrator on the workstation can create a local workstation
account, which is not the same as the domain account, and allow users to log on to the local
computer rather than the domain.
Currently, you should have the Windows Server 2008 and a Windows XP Professional client
workstation running.
Log on as administrator to the Windows Server 2008.
EXERCISE 7.1
Viewing Computers and Servers in Active Directory
In this exercise, you will use Active Directory Users and Computers to view the workstations and
servers in the domain.
1. Log on to the Windows Server 2008 as administrator.
2. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0172)
Figure 0172 : Launch Active Directory Users and Computers
3. Expand the domain icon (Figure 0173).
Figure 0173 : AD – myserver.com
4. Click on the Computers folder from the list (Figure 0174).
Figure 0174 : AD – Computers
You can see CLIENTXP61 listed under the Computers folder.
5. Double-click on the CLIENTXP61 to display its properties (Figure 0175).
Figure 0175 : CLIENTXP61 Properties
Now you can see the general information about CLIENTXP61, including its DNS name
and its role.
6. Click on the Operating System tab (Figure 0176).
Figure 0176 : CLIENTXP61 Properties - Operating System
Here you can find information about the operating system, version and service pack used
by the client.
7. Click OK to close the properties box.
8. Click on the Domain Controllers folder under myserver.com (Figure 0177)
Figure 0177 : AD - Domain Controllers
9. Double-click on the domain controllers to display its properties (Figure 0178).
Figure 0178 : SERVER21 Properties
10. Click on the Operating System tab (Figure 0179.)
Figure 0179 : SERVER21 Properties - Operating System
Here you can find information about the operating system, version and service pack used
by the server.
11. Click OK to close the properties box and close all remaining dialog boxes.
In this exercise you viewed properties of workstations and servers in your network using
Active Directory.
EXERCISE 7.2
Using the Local Workstation Account
In this exercise you will log on to the Windows XP Professional workstation using a local
administrator account.
1. Log on to the Windows XP Professional workstation as administrator (Figure 0180).
Figure 0180 : Log on to Windows XP
2. Log off the client computer. Click Start ► Shutdown and select Logoff Administrator
(Figure 0181).
Figure 0181 : Log off Windows XP
3. Click OK (Figure 0182).
Figure 0182 : Log off Windows XP Administrator
EXERCISE 7.3
Using Domain wide account at the client computer
In this exercise you will log on to the client computer using a domain account.
1. Press CTRL+ALT+DEL to display the logon dialog box (Figure 0183).
Figure 0183 : Windows XP Logon
2. Log on to the Windows XP Professional client as zul.zcomby with comby as the password (Figure
0184).
Figure 0184 : Log on to Windows XP
3. Click OK.
4. You will receive a Logon Message. Why? (Figure 0185)
Because zul.zcomby was not created in the local accounts database of the client; it was created in
Active Directory on the server.
You have just tried to log on to the client using an Active Directory user account.
Figure 0185 : Logon Message
5. Click OK to dismiss the dialog box.
6. Now, look at the logon box. There is an extra field displayed, called Logon to: (Figure
0186).
Figure 0186 : Log on to Windows XP
7. Click the Logon to: box, and select MYSERVER (Figure 0187)
Figure 0187 : Log on to server
8. Enter the same user credentials as previously (Figure 0188).
Figure 0188 : Log on to server using client workstation
9. Click OK.
What happened? Could you log on? It should be no problem.
10. Log off the client computer. But leave it running Windows XP Professional (do not shut
the computer down yet).
11. If you are currently logged in to the Windows Server 2008, log off.
12. Attempt to log on to the server as zul.zcomby.
12.1. Click Switch User button (Figure 0189).
Figure 0189 : Switch User button
12.2. Click Other User button (Figure 0190).
Figure 0190 : Other User button
12.3. Enter user as zul.zcomby and password as comby (Figure 0191).
Figure 0191 : Logon to server using user account
12.4. Press ENTER.
13. What happened? Could you log on?
An error message appeared (Figure 0192).
Figure 0192 : Logon Error Message
Why?
Because the user account you are using does not have permission to
log on to the server directly.
14. Click OK.
15. Log on to the server as administrator.
16. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0193).
Figure 0193 : Launch Active Directory Users and Computers
17. Click on the Stkm Organizational Unit (Figure 0194).
Figure 0194 : Active Directory Users and Computers - Stkm
18. Double-click on the user Zul Zcomby to display the properties box (Figure 0195).
Figure 0195 : Zul Zcomby Properties
19. Click the Member Of tab (Figure 0196).
Figure 0196 : Zul Zcomby Properties - Member Of
20. Click Add… button (Figure 0197).
Figure 0197 : Add Button
21. Click Advanced button (Figure 0198).
Figure 0198 : Select Groups
22. Click Find Now button (Figure 0199).
Figure 0199 : Select Groups - Advanced
23. Double-click Server Operators from the list (Figure 0200).
Figure 0200 : Select Groups – Find Now
24. Click OK.
25. Click OK (Figure 0201).
Figure 0201 : Select Groups
26. Click OK (Figure 0202).
Figure 0202 : Zul Zcomby Properties - Member Of
27. Log off server. Click Start ► Log Off (Figure 0203).
Figure 0203 : Log Off Server
28. Attempt to log on to the server as zul.zcomby.
28.1. Press Ctrl + Alt + Del.
28.2. Click Switch User button (Figure 0204).
Figure 0204 : Switch User button
28.3. Click Other User button (Figure 0205).
Figure 0205 : Other User button
28.4. Enter user as zul.zcomby and password as comby (Figure 0206).
Figure 0206 : Logon to server using user account
28.5. Press ENTER.
What happened? Could you log on? It should be no problem.
Summary
Servers do not allow normal users to log on locally. Servers run the network and provide
resources, which users connect to remotely across a network. Servers are not designed to have
users physically sitting at their keyboards trying to log on and run programs. Users actually
log on to a client computer in the network and access resources using a network connection.
Client computers running Windows XP Professional have their own accounts database.
Exercise 8 : Delegating Management Of Users
In this exercise you will create new local groups and look at assigning managers to users and
organizational units.
EXERCISE 8.1
Delegating Control
In this portion of the exercise you will make zul.zcomby a manager of the Stkm organizational
unit. Once he is a manager, he will be able to modify user accounts within the Stkm OU.
1. Log on to the Windows Server 2008 as administrator.
2. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0207)
Figure 0207 : Launch Active Directory Users and Computers
3. Expand the domain icon (Figure 0208).
Figure 0208 : AD – myserver.com
4. Right click the Stkm OU and select Delegate Control (Figure 0209).
Figure 0209 : AD – Stkm
5. This starts the Delegation of Control Wizard (Figure 0210).
Figure 0210: Delegation of Control Wizard
6. Click Next (Figure 0210).
7. Click the Add… button (Figure 0211).
Figure 0211: Delegation of Control Wizard – Users or Groups
8. Click the Advanced… button (Figure 0212).
Figure 0212: Select Users, Computers, or Groups
9. Click the Find Now button (Figure 0213).
Figure 0213: Select Users, Computers, or Groups – Advanced
10. Select Zul Zcomby account (Figure 0214).
Figure 0214: Select Users, Computers, or Groups – Find Now
11. Click OK (Figure 0214).
12. Click OK (Figure 0215).
Figure 0215: Select Users, Computers, or Groups – User Added
13. Click Next (Figure 0216).
Figure 0216: Delegation of Control Wizard – Users Added
14. Delegate the following tasks as illustrated (Figure 0217).
Figure 0217: Task to Delegate
15. Click Next (Figure 0217).
16. Click Finish (Figure 0218).
Figure 0218: Delegation of Control Wizard – Finish
17. Log off server. Click Start ► Log Off (Figure 0219).
Figure 0219 : Log Off Server
EXERCISE 8.2
Managing Users
In this portion of the exercise you will log on to server as zul.zcomby and attempt to manage
users.
18. Attempt to log on to the server as zul.zcomby.
18.1. Press Ctrl + Alt + Del.
18.2. Click Switch User button (Figure 0220).
Figure 0220 : Switch User button
18.3. Click Other User button (Figure 0221).
Figure 0221 : Other User button
18.4. Enter user as zul.zcomby and password as comby (Figure 0222).
Figure 0222 : Logon to server using user account
18.5. Press ENTER.
19. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0223).
Figure 0223: Launch Active Directory Users and Computers
20. You will be asked to re-enter your password as a security measure. Re-enter the password
for zul.zcomby (Figure 0224).
Figure 0224: User Account Control Permission
21. Expand the domain icon (Figure 0225).
Figure 0225: Active Directory Users and Computers - Domain
22. Click on the Stkm OU (Figure 0226).
Figure 0226: Active Directory Users and Computers - Stkm
23. Double-click the user Ocah Blue (Figure 0227).
Figure 0227: Active Directory Users and Computers – User
24. Click the Account tab (Figure 0228).
Figure 0228: Ocah Blue Properties
25. Click the Logon Hours… button (Figure 0229).
Figure 0229: Logon Hours button
26. Select all areas and click Logon Denied (Figure 0230).
Figure 0230 : Logon Hours for Ocah Blue – Logon Denied
Change Ocah’s logon hours (under the Account tab) to Monday-Friday, 8am-5pm.
27. Select the areas Monday to Friday and 8am to 5pm (Figure 0231).
Figure 0231 : Logon Hours for Ocah Blue – Select Areas
28. Select Logon Permitted (Figure 0232).
Figure 0232 : Logon Hours for Ocah Blue – Set Logon Permitted
29. Click OK.
30. Click OK again.
31. Click the Sklr OU (Figure 0233).
Figure 0233: Active Directory Users and Computers – Sklr
32. Double-click Ain Syahmi user account to display the properties of this user (Figure
0234).
Figure 0234: Active Directory Users and Computers – User
33. Attempt to change the logon hours of this user. Click the Account tab (Figure 0235).
Figure 0235: Ain Syahmi Properties
34. Click the Logon Hours… button (Figure 0236).
Figure 0236: Logon Hours Button
35. A warning message will be displayed (Figure 0237).
Why do you think you are not able to modify this account?
Figure 0237: AD Error Message
Because Zul Zcomby has permission to modify users under the Stkm OU only. He has only
read permission for other OUs.
36. Click OK to close the message (Figure 0237).
37. Close all remaining windows except Active Directory Users and Computers.
38. Click the Stkm OU (Figure 0238).
Figure 0238: Active Directory Users and Computers – Stkm
39. Right-click Ocah Blue account and select Reset Password… from the list (Figure 0239).
Figure 0239: AD – Ocah Blue – Reset Password
This displays a reset password box that allows the password to be changed.
40. Click Cancel (Figure 0240).
Figure 0240: Reset Password
41. Close all remaining windows.
42. Log off the server.
In the above exercise you delegated control of an Organizational Unit to a user. You then
modified account details of users belonging to that OU as the designated manager of the
OU.
Delegating control of users using the Delegation of Control Wizard is simple. When control of
users and groups is delegated, administrators can be relieved of simple administrative tasks
such as resetting passwords and modifying user accounts.
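The Logon Hours grid edited in steps 26 to 28 of Exercise 8.2 is stored on the user object as the logonHours attribute: 21 bytes, one bit per hour of the week in UTC, starting Sunday 00:00, least significant bit first. The Python sketch below is an added example, not part of the lab manual; it builds and decodes that bitmap for the Monday-Friday, 8am-5pm setting, and the function names and the UTC+8 offset are assumptions made for illustration.

```python
# Added example: model of the AD logonHours value (not code from the lab manual).
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def slot_index(day, hour, utc_offset):
    # Hour-of-week in UTC (0 = Sunday 00:00 UTC); wraps around the week edge.
    return (DAYS.index(day) * 24 + hour - utc_offset) % 168

def encode_logon_hours(days, start_hour, end_hour, utc_offset=0):
    """Bitmap permitting logon on `days` from start_hour (inclusive) to
    end_hour (exclusive), both given in local time."""
    bits = bytearray(21)
    for day in days:
        for hour in range(start_hour, end_hour):
            slot = slot_index(day, hour, utc_offset)
            bits[slot // 8] |= 1 << (slot % 8)   # LSB is the earliest hour
    return bytes(bits)

def decode_logon_hours(blob, utc_offset=0):
    """Return {day: [permitted local hours]} so a stored value can be audited."""
    if len(blob) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = {d: [] for d in DAYS}
    for slot in range(168):
        if (blob[slot // 8] >> (slot % 8)) & 1:
            local = (slot + utc_offset) % 168
            allowed[DAYS[local // 24]].append(local % 24)
    return {d: sorted(hours) for d, hours in allowed.items()}

def permits(blob, day, hour, utc_offset=0):
    """True if a logon at the given local day and hour is allowed."""
    slot = slot_index(day, hour, utc_offset)
    return bool((blob[slot // 8] >> (slot % 8)) & 1)

WEEKDAYS = DAYS[1:6]
# Ocah Blue's setting from the exercise, with the admin console on UTC.
OCAH = encode_logon_hours(WEEKDAYS, 8, 17)
# Same grid selection made on a console set to UTC+8 (constructed offset).
OCAH_PLUS8 = encode_logon_hours(WEEKDAYS, 8, 17, utc_offset=8)

if __name__ == "__main__":
    print(OCAH.hex())
    print(OCAH_PLUS8.hex())
    print(decode_logon_hours(OCAH_PLUS8, utc_offset=8)["Mon"])
```

The two hex strings differ even though the grid looked identical in both cases, which is why a logonHours value has to be read together with the time zone of the console that wrote it.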
Exercise 9 : Exploring Group Scopes and Types
EXERCISE 9.1
Exploring Group Scopes and Types
In the following exercise you will create a number of groups. These groups will be used to
demonstrate group scope. From the notes, group scope determines who can be a member and
where that group can be used in the enterprise.
Group Scope Type
Local: User accounts, global groups and universal groups from any domain in the forest, as well as local groups from the same domain.
Global: User accounts and global groups from the same domain.
Universal: User accounts, global groups and universal groups from any domain in the forest.
The recommended strategy for using groups in Windows Server 2008 is to use both global and
domain local groups. Place users into global groups and then place the global groups into
domain local groups and assign permissions to the domain local groups.
Global groups have access to accounts in the local domain. Where the enterprise consists of
more than one domain, local groups allow the use of accounts across all the domains. Where
the enterprise has combined a number of domains into a forest, Universal groups provide
access to any accounts in the forest.
1. Log on server as Administrator (Figure 0241).
Figure 0241 : Administrator Login
2. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0242).
Figure 0242 : Launch Active Directory Users and Computers
3. Right-click the domain icon and select New - Group from the list (Figure 0243).
Figure 0243 : Active Directory Users and Computers – New Group
4. Create a global group called Technical Support (Figure 0244).
4.1 Key-in Technical Support in the Group name: box
4.2 Verify Group scope set to Global.
4.3 Verify the Group type is set to Security.
Figure 0244 : New Object - Group
5. Click OK (Figure 0244).
6. Add Ali Uddin as a member of Technical Support.
6.1 Double-click Technical Support (Figure 0245).
Figure 0245 : Active Directory Users and Computers – Technical Support
6.2 Click Members tab (Figure 0246).
Figure 0246 : Technical Support Properties
6.3 Click Add … button (Figure 0247).
Figure 0247 : Add button
6.4 Click Advanced … button (Figure 0248).
Figure 0248 : Select Users, Contacts, Computers, or Group box
6.5 Click Find Now button (Figure 0249).
Figure 0249 : Select Users, Contacts, Computers, or Group - Advanced
6.6 Select Ali Uddin user account (Figure 0250).
Figure 0250 : Select Users, Contacts, Computers, or Group – Find Now
6.7 Click OK (Figure 0250).
6.8 Click OK (Figure 0251).
Figure 0251 : Select Users, Contacts, Computers, or Group
6.9 Click OK (Figure 0252).
Figure 0252 : Technical Support Properties
7. Create a new Domain Local group called Intranet Users (Figure 0253).
7.1. Right-click the domain icon and select New - Group from the list (Figure 0253).
Figure 0253 : Active Directory Users and Computers – New Group
7.2. Key-in Intranet Users in the Group name: box (Figure 0254).
7.3. Verify Group scope set to Domain Local (Figure 0254).
7.4. Verify the Group type is set to Security (Figure 0254).
Figure 0254 : New Object - Group
7.5. Click OK (Figure 0254).
8. Double-click Intranet Users (Figure 0255).
Figure 0255: Active Directory Users and Computers
9. Add the Intranet Users group as a Member Of Technical Support.
9.1. Click Member Of tab (Figure 0256).
Figure 0256 : Intranet Users Properties
9.2. Click Add … button (Figure 0257).
Figure 0257 : Add Button
9.3. Click Advanced … button (Figure 0258).
Figure 0258 : Select Groups - Add
9.4. Click Find Now button (Figure 0259).
Figure 0259 : Select Groups - Advanced
9.5. Select Technical Support. What happened? (Figure 0260).
Figure 0260 : Select Groups – Search Results
Can you find Technical Support? Why do you think this happened?
9.6. Close all windows except Active Directory Users and Computers.
10. Now try adding the Technical Support group as a Member Of Intranet Users.
10.1. Double-click Technical Support group (Figure 0261).
Figure 0261 : Active Directory Users and Computers - Technical Support
10.2. Click Member Of tab (Figure 0262).
Figure 0262 : Technical Support Properties
10.3. Click Add … button (Figure 0263)
Figure 0263 : Add Button
10.4. Click Advanced … button (Figure 0264)
Figure 0264 : Select Groups - Add
10.5. Click Find Now button (Figure 0265)
Figure 0265 : Select Groups - Advanced
10.6. Select Intranet Users and click OK button (Figure 0266).
Figure 0266 : Select Groups – Search Result
What happened?
10.7. Click OK button (Figure 0267).
Figure 0267 : Select Groups – Intranet Users Group Added
Can you add the Technical Support group as a Member Of Intranet Users?
Why do you think this is so?
11. Click OK button (Figure 0268).
Figure 0268 : Technical Support Properties – Member Of Intranet Users
12. Log off Administrator.
Summary
Windows Server 2008 running in native mode supports the use of different group types. Global
groups have access to user accounts and other global groups in the same domain. Local
groups allow you to access accounts outside the current domain, and universal groups provide
access across organizations (forests).
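The membership rules in the group scope table, and the different outcomes of steps 9 and 10 in Exercise 9.1, can be modelled in a few lines. The Python sketch below is an added example, not part of the lab manual; the class and function names are assumptions, and it also expands nested groups to show which users end up inheriting permissions assigned to a domain local group.

```python
# Added example: group scope nesting rules (not code from the lab manual).
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    kind: str        # "user", "global", "domain_local" or "universal"
    domain: str
    members: list = field(default_factory=list)

def may_contain(group, member):
    """Apply the scope table: may `member` be placed inside `group`?"""
    same_domain = group.domain == member.domain
    if group.kind == "global":
        return member.kind in ("user", "global") and same_domain
    if group.kind == "universal":
        return member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain
        return member.kind in ("user", "global", "universal")
    return False     # a user account cannot contain anything

def add_member(group, member):
    if not may_contain(group, member):
        raise ValueError(f"{member.kind} '{member.name}' cannot be a member "
                         f"of {group.kind} group '{group.name}'")
    group.members.append(member)

def effective_users(group, seen=None):
    """Expand nested groups to the user names that inherit the group's access."""
    seen = set() if seen is None else seen
    key = (group.domain, group.name)
    if key in seen:              # guard against circular nesting
        return set()
    seen.add(key)
    users = set()
    for m in group.members:
        users |= {m.name} if m.kind == "user" else effective_users(m, seen)
    return users

# Constructed objects mirroring Exercise 9.1 (single domain myserver.com).
ali = Principal("Ali Uddin", "user", "myserver.com")
tech = Principal("Technical Support", "global", "myserver.com")
intranet = Principal("Intranet Users", "domain_local", "myserver.com")
add_member(tech, ali)            # step 6: user into the global group
add_member(intranet, tech)       # step 10: global group into domain local

if __name__ == "__main__":
    print(may_contain(tech, intranet))   # step 9: domain local into global
    print(effective_users(intranet))
```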
Exercise 10 : Creating And Applying Group Policies