LAB 7 ANSWER KEY

EMPLOYING SECURITY
CONCEPTS
This lab contains the following exercises:
Exercise 7.1
Exercise 7.2
Exercise 7.3

Using Naming Standards and Secure Passwords

Employing Administrator Account Security
Delegating Administrative Responsibility

Estimated lab time: 55 minutes

Exercise 7.1

Using Naming Standards and Secure Passwords

Overview

Company policy states that each employee's user account name must be
created from the first letter of the employee's first name, the employee's
entire last name, and the employee's unique identification number. All
employee passwords will be complex.

Completion time

5 minutes

NOTE

1. Turn on the Server## computer and log on using your Administrator account and the password
P@ssw0rd.
Remember to use your domain adminstrator account and not the local
administrator account.

2. Turn on the Server##A computer, but do not logon yet.

3. On Server## use the Active Directory Users And Computers console to create a user account based
on your name in the Users container. Use the naming standard described in the scenario for this
project. Substitute ## for the employee identification number. For example, a user named Reed
Koch who is using Computer99 would have the following values:

First Name: Reed

Last Name: Koch

Full Name: Reed Koch

Logon Name: RKoch99

Password: P@ssw0rd

User Must Change Password at Next Logon: Not selected

4. Log off of both computers.

Exercise 7.2

Employing Administrator Account Security

Overview

You must demonstrate the various methods for using the runas utility to
allow administrators to reduce the exposure of administrative accounts.

Completion time

20 minutes

PART A: Using Runas from the Command Prompt

NOTE

1. Turn on the Server##A computer and log on to Server##A using the account that you created in
Project 6.1.
In order to log using another account click switch user, then other user
and enter the username of the account.

2. Open the Active Directory Users And Computers console.

3. Try to reset your password. Click the Users container in the left window pane. In the right window
pane, right-click your user account and click Reset Password. A Reset Password dialog box is
displayed. Key Password#1 in both of the password boxes. Click OK. A message box is
displayed. Read the message and click OK.

Question
1

Were you able to reset your password? Answer: No an

access denied message is displayed.

4. Close the Active Directory Users And Computers console.

5. Open a command prompt window. Key runas /user:administrator@Domain##.Local "mmc
dsa.msc" Press Enter.

6. When you are prompted for the password, key P@ssw0rd. Press Enter. Wait a few seconds and
the Active Directory Users And Computers console will be displayed.

7. Try to reset your password. Click the Users container in the left window pane. In the right window
pane, right-click your user account and click Reset Password. The Reset Password dialog box is
displayed. Key Password#1 in both of the password boxes. A message box is displayed.

Why were you successful this time? Answer: You were

Question
2

successful because the Active Directory Users and

Computers console was opened using administrative
credentials.

8. Click OK.
9. Close the Active Directory Users And Computers console and the command-prompt window.

 PART B: Creating and Using a Runas Shortcut

You want to create a shortcut on your desktop that will allow you to easily manage your
domains and forest without requiring you to log off when using your domain user account.
1. Find an area of the desktop where there are no icons and right-click that area.
2. Click New, and then click Shortcut. A Create Shortcut Wizard is displayed.

3. Key runas /user:administrator@Domain##.Local "mmc domain.msc" in the Type The

Location Of The Item text box. Click Next.

4. Key Domains and Trusts in the Type A Name For This Shortcut text box. Click Finish.

5. Double-click the icon on the desktop that you just created. A command-prompt window is
displayed.

6. Key P@ssw0rd and Press Enter. The Active Directory Domains And Trusts console is displayed.

7. Close the Active Directory Domains and Trusts console.

 PART C: Attempting to Run Multiple Runas Consoles Simultaneously

You want to see if you can run multiple consoles simultaneously with the runas utility.
1. Click the Start button. Key runas /user:administrator@Domain##.Local "mmc dsa.msc".
Press Enter. A command-prompt window is displayed.

2. Key P@ssw0rd in the command-prompt window. Press Enter. The Active Directory Users And
Computers console is displayed.

3. Click the Start button again. Key runas /user:administrator@Domain##.Local "mmc

dssite.msc". Press Enter. A command-prompt window is displayed.

4. Key P@ssw0rd in the command-prompt window. Press Enter. The Active Directory Sites And
Services console is displayed.

5. Click the Start button again. Key runas /user:administrator@Domain##.Local "mmc

domain.msc". Press Enter. A command-prompt window is displayed.

6. Key P@ssw0rd in the command-prompt window. Press Enter. The Active Directory Domains
And Trusts console is displayed.

7.

Close all open consoles and log off Server##A.

Exercise 7.3

Delegating Administrative Responsibility

Overview

You must now create an administrative structure that you can use for new
administrators. Group administrators into separate global groups. Then,
create a universal group that can be used to give new administrators
permissions equivalent to the local administrators of each domain.

Completion time

30 minutes

PART A: Delegating Control on the Domain

1. On Server## open a command-prompt window and key the following three commands to create
user accounts that you will delegate limited permissions to:

dsadd user cn=User1,cn=Users,dc=Domain##,dc=Local samid User1 upn

user1@Domain##.Local pwd P@ssw0rd

dsadd user cn=User2,cn=Users,dc=Domain##,dc=Local samid User2 upn

user2@Domain##.Local pwd P@ssw0rd

dsadd user cn=Manager,cn=Users,dc=Domain##,dc=Local samid Manager upn

manager@Domain##.Local pwd P@ssw0rd

2. Press Ctrl+Prt Scr to take a screen shot of the copmmand prompt windows showing the three user
accounts were succesffully added, and then press Ctrl+V to paste the resulting image into the
lab07_worksheet file in the page provided.
3. Open the Active Directory Users And Computers console. Right-click the Domain##.Local object
in the left pane. Click New, and then click Organizational Unit. A New ObjectOrganizational
Unit dialog box is displayed.

4. Key Mgmt1 in the Name text box, and then click OK.

5. In the left pane of the Active Directory Users And Computers console, right-click the Mgmt1 OU
and click Delegate Control. The Delegation Of Control Wizard is displayed.

6. Click Next. The Users Or Groups page is displayed.

7. Click Add. The Select Users, Computers, Or Groups dialog box is displayed.

8. Key Manager in the Enter The Object Names To Select text box, and then click Check
Names. The Manager username should now appear underlined. Click OK.

9. In the Users Or Groups page, click Next. The Tasks To Delegate page is displayed.

10. Place a checkmark next to Reset User Passwords and Force Password Change At Next Logon.
Click Next, and then click Finish.

11. Move the User1 account from the Users container to the Mgmt1 OU. You can use the drag-anddrop method to move the user account. You can also right-click the user account and then click

Move. A Move dialog box is displayed. Select the Mgmt1 OU, and then click OK. An Active
Directory Domain Services message about moving accounts appears, click Yes.

12. Open a command-prompt window. Key the following command and then press Enter:

dsmove cn=user2,cn=users,dc=Domain##,dc=Local newparent

ou=Mgmt1,dc=Domain##,dc=Local

13. In the left pane of the Active Directory Users And Computers console, select the Mgmt1 OU.
Refresh the display by clicking Refresh on the Action menu or by pressing F5. User1 and User2
should be displayed in the right pane.

14. Press Ctrl+Prt Scr to take a screen shot of the Active Directory Users and Computers console
showing that the User1 and User2 accounts have been moved to the Mgmt1 OU, and then press
Ctrl+V to paste the resulting image into the lab07_worksheet file in the page provided.
15. Close the command-prompt window, close the Active Directory Users And Computers console,
and log off of the computer.

 PART B: Testing Delegated Permissions on the Parent Domain

NOTE

1. On the Server##A computer, log on using the Manager user account and the password P@ssw0rd.
In order to log using another account click switch user, then other user
and enter the username of the account.

2. Open the Active Directory Users And Computers console.

3. In the left window pane, expand the Domain##.Local object and click the Mgmt1 OU.

4. In the right pane, right-click User2 and click Reset Password. The Reset Password dialog box is
displayed.

5. Key Password#1 in the New Password text box and in the Confirm Password text box. Click
OK. The Active Directory message box is displayed, verifying that the user's password has
changed. Click OK.

6. In the right window pane, right-click User1 and click Delete. An Active Directory warning
message is displayed asking you to confirm the deletion of the account. Click Yes.

7. The Active Dirctory message box is displayed, telling you that you do not have sufficient
privileges to delete the user account. Click OK.

Question
3

Why can the manager change a user's password in the

Mgmt1 OU but cannot delete a user's account? Answer:
The Manager account was only delegated permission to
change passwords not to make any other account changes.

8. Try changing the password for another user that is not a member of the Mgmt1 OU; for example,
the Administrator in the Users container.

Question
4

Is the manager account able to change an account

password outside of the Mgmt1 OU? Answer: No the
manager account cannot change the password of an account
outside of the Mgmt1 OU.

9. Close the Active Directory Users And Computers console and log off of both computers.