20411B-ENU-TrainerHandbook.pdf
MCT USE ONLY. STUDENT USE PROHIBITED
L4-21
Module 4: Managing User and Service Accounts

Lab: Managing User and Service Accounts
Exercise 1: Configuring Password-Policy and Account-Lockout Settings

Task 1: Configure a domain-based password policy

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, expand Group Policy Objects, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
4. Double-click Enforce password history.
5. In the Enforce password history Properties window, type 20 in the Keep password history for field, and then click OK.
6. Double-click Maximum password age.
7. In the Maximum password age Properties window, type 45 in the Password will expire in field, and then click OK.
8. Double-click Minimum password age.
9. In the Minimum password age Properties window, ensure that the Password can be changed after field is 1, and then click OK.
10. Double-click Minimum password length.
11. In the Minimum password length Properties window, type 10 in the Password must be at least field, and then click OK.
12. Double-click Password must meet complexity requirements.
13. In the Password must meet complexity requirements Properties window, click Enabled, and then click OK.
14. Do not close the Group Policy Management Editor.

1. In the Group Policy Management Editor, in the navigation pane, click Account Lockout Policy.
2. Double-click Account lockout duration.
3. In the Account lockout duration Properties window, click Define this policy setting, type 30 in the minutes field, and then click OK.
4. In the Suggested Value Changes window, note the suggested values, including the automatic configuration of Account lockout threshold, and then click OK.
5. Double-click Reset account lockout counter after.
6. In the Reset account lockout counter after Properties window, type 15 in the Reset account lockout counter after field, and then click OK.
7. Close Group Policy Management Editor.
8. Close Group Policy Management.
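The same password and lockout values can be applied and, more usefully, verified from the Active Directory module for Windows PowerShell. The following is an added example and is not part of the handbook: the values come from the lab steps above, the lockout threshold of 5 is an assumption (the handbook only says the Suggested Value Changes dialog sets it automatically), and the function names are my own.

```powershell
# Added example (not from the 20411B handbook): apply and verify the Exercise 1
# password and lockout values with the ActiveDirectory module instead of the
# Group Policy Management Editor. Run on LON-DC1 as a Domain Admin.
# The lockout threshold of 5 is an assumption: the handbook only says the
# Suggested Value Changes dialog configures it automatically.
Import-Module ActiveDirectory

# Expected values, taken from the lab steps (threshold assumed, see above).
$Expected = @{
    PasswordHistoryCount     = 20
    MaxPasswordAge           = New-TimeSpan -Days 45
    MinPasswordAge           = New-TimeSpan -Days 1
    MinPasswordLength        = 10
    ComplexityEnabled        = $true
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 15
    LockoutThreshold         = 5
}

function Set-LabPasswordPolicy {
    # Writes the values to the domain object. In a real domain the Default
    # Domain Policy GPO is the authority for these attributes and re-applies
    # its own values, so treat this as a lab shortcut and keep the GPO in
    # sync (or use the editor steps above and only verify here).
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -PasswordHistoryCount     $Expected.PasswordHistoryCount `
        -MaxPasswordAge           $Expected.MaxPasswordAge `
        -MinPasswordAge           $Expected.MinPasswordAge `
        -MinPasswordLength        $Expected.MinPasswordLength `
        -ComplexityEnabled        $Expected.ComplexityEnabled `
        -LockoutDuration          $Expected.LockoutDuration `
        -LockoutObservationWindow $Expected.LockoutObservationWindow `
        -LockoutThreshold         $Expected.LockoutThreshold
}

function Test-LabPasswordPolicy {
    # Compares the effective domain policy with the expected values and
    # returns one object per mismatch; no output means the policy matches.
    # Run after 'gpupdate /force' on the domain controller so that the GPO
    # edits have been applied to the domain object.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $Actual = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($Name in $Expected.Keys) {
        if ($Actual.$Name -ne $Expected[$Name]) {
            [pscustomobject]@{
                Setting  = $Name
                Expected = $Expected[$Name]
                Actual   = $Actual.$Name
            }
        }
    }
}

# Usage:
#   Test-LabPasswordPolicy                    # list mismatches against the lab values
#   Set-LabPasswordPolicy; Test-LabPasswordPolicy
```

Test-LabPasswordPolicy is the part worth keeping after the lab: it reads the policy the domain actually enforces (the Default Domain Policy GPO writes these attributes to the domain object), so it catches a GPO edit that was saved in the editor but never applied.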
Administering Windows Server® 2012
Exercise 2: Creating and Associating a Managed Service Account

Task 1: Create and associate a Managed Service Account

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
2. Type the following in the Windows PowerShell® command window, and then press Enter:
3. Type the following in the Windows PowerShell command window, and then press Enter:

   New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1 -PrincipalsAllowedToRetrieveManagedPassword LON-DC1$

4. Type the following in the Windows PowerShell command window, and then press Enter:

   Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice

5. Type the following in the Windows PowerShell command window, and then press Enter:

1. On LON-DC1, type the following in the Windows PowerShell command window, and then press Enter:
2. In Server Manager, click the Tools menu, and then click Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager console, expand LON-DC1 (Adatum\Administrator), and then click Application Pools. When the Internet Information Services (IIS) Manager window appears, click No.
4. In the details pane, right-click the DefaultAppPool, and then click Advanced Settings.
5. In the Advanced Settings dialog box, click Identity, and then click the ellipsis (...) button.
6. In the Application Pool Identity dialog box, click Custom Account, and then click Set.
7. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field, and then click OK three times.
8. In the Actions pane, click Stop to stop the application pool.
9. Click Start to start the application pool.
10. Close the Internet Information Services (IIS) Manager.
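The whole Exercise 2 sequence, from the KDS root key prerequisite through the application pool identity, can be scripted and checked without the GUI. The following is an added example, not code from the handbook: it assumes the Adatum.com domain, the LON-DC1 host (so the FQDN LON-DC1.Adatum.com, which the lab's short name stands in for), the Webservice account and the DefaultAppPool from the lab text; the function names, parameters and the back-dating of the KDS key are my own.

```powershell
# Added example (not from the 20411B handbook): the gMSA life cycle from
# Exercise 2 done end to end in PowerShell, with the checks an administrator
# would run before pointing a service at the account. Assumptions: domain
# Adatum.com, host LON-DC1 (FQDN LON-DC1.Adatum.com), account Webservice and
# application pool DefaultAppPool, all taken from the lab; the function and
# parameter names are my own.
Import-Module ActiveDirectory

function Assert-KdsRootKey {
    # A group Managed Service Account cannot be created until the forest has a
    # KDS root key. In a lab the key can be back-dated so that it is usable at
    # once; in production the key becomes usable only after replication
    # (about ten hours), so never back-date it there.
    param([switch]$LabBackdate)
    if (-not (Get-KdsRootKey)) {
        if ($LabBackdate) {
            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
        } else {
            throw "No KDS root key exists; create one and wait for replication."
        }
    }
}

function New-LabGmsa {
    param(
        [string]$Name        = 'Webservice',
        [string]$HostName    = 'LON-DC1',
        [string]$DnsHostName = 'LON-DC1.Adatum.com'   # assumed FQDN
    )
    # Only the listed computer accounts can retrieve the managed password;
    # that list is the entire access-control story of a gMSA, so keep it to
    # the hosts that actually run the service.
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword "$HostName`$"
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $Name
}

function Test-LabGmsa {
    # Returns $true only if the account is installed on this host and the host
    # can retrieve its password (Test-ADServiceAccount checks both).
    param([string]$Name = 'Webservice')
    Install-ADServiceAccount -Identity $Name   # must run on the host itself
    Test-ADServiceAccount -Identity $Name
}

function Get-LabGmsaReport {
    # Who may read the password and when it was last rotated. PasswordLastSet
    # advancing on its own (default interval 30 days) is the evidence that the
    # password is machine managed and never known to a person.
    param([string]$Name = 'Webservice')
    Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, 'msDS-ManagedPasswordInterval' |
        Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, 'msDS-ManagedPasswordInterval'
}

function Set-LabAppPoolIdentity {
    # Steps 2 to 9 of the IIS task without the GUI. identityType 3 is
    # SpecificUser; the password is left empty because IIS obtains it from the
    # domain for a gMSA (note the trailing $ in the account name).
    param([string]$Pool = 'DefaultAppPool', [string]$Account = 'Adatum\Webservice$')
    Import-Module WebAdministration
    Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel.identityType -Value 3
    Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel.userName -Value $Account
    Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel.password -Value ''
    Restart-WebAppPool -Name $Pool
}

# Usage on LON-DC1 (lab only):
#   Assert-KdsRootKey -LabBackdate
#   New-LabGmsa
#   if (Test-LabGmsa) { Set-LabAppPoolIdentity }
#   Get-LabGmsaReport
```

Test-LabGmsa is the check that matters: if it returns $false the host is not in PrincipalsAllowedToRetrieveManagedPassword (or the KDS key is not yet usable), and the application pool would fail to start after the identity change rather than before it.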
L5-26 Implementing
4. Click Screen Saver. Notice that the Wait control is disabled; you cannot change the timeout. Notice that the On resume, display logon screen option is selected and disabled, and that you cannot disable password protection.
5. Click OK to close the Screen Saver Settings dialog box.
6. Pause the mouse pointer in the lower-right corner of the display, and then click Start.
7. Right-click the Start screen, and then click All apps.
8. In the Apps list, click Notepad. Notepad does not open.

Results: After this exercise, you should have successfully created, edited, and linked the required GPOs.

Exercise 2: Managing GPO Scope

Task 1: Create and link the required GPOs

1. On LON-DC1, switch to Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the Adatum.com domain, and then click the Research organizational unit (OU).
3. Right-click the Research OU, point to New, and then click Organizational Unit.
4. Type Engineers, and then click OK.
5. Close Active Directory® Users and Computers.
6. Switch to the Group Policy Management console.
7. In the console tree, expand Forest: Adatum.com, Domains, Adatum.com, Research, and then click the Engineers OU.
8. Right-click the Engineers OU, and then click Create a GPO in this domain, and Link it here.
9. Type Engineering Application Override, and then click OK.
10. Right-click the Engineering Application Override GPO, and then click Edit.
11. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
12. Double-click the Screen saver timeout policy setting.
13. Click Disabled, and then click OK.
14. Close the Group Policy Management Editor.

1. In the Group Policy Management console tree, click the Engineers OU.
2. Click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has higher precedence than the ADATUM Standards GPO. The Screen saver timeout policy setting you just configured in the Engineering Application Override GPO is applied after the setting in the ADATUM Standards GPO. Therefore, the new setting will overwrite the standards setting, and will win. Screen saver timeout will be disabled for users within the scope of the Engineering Application Override GPO.

1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the console tree, if necessary, expand the Adatum.com domain and the Research OU, and then click the Engineers OU.
3. Right-click the Engineers OU, point to New, and then click Group.
4. Type GPO_Engineering Application Override_Apply, and then press Enter.
5. Switch to the Group Policy Management console.
6. In the console tree, if required, expand the Engineers OU, and then double-click the link of the Engineering Application Override GPO under the Engineers OU. A message appears.
7. Read the message, select the Do not show this message again check box, and then click OK. In the Security Filtering section, you will see that the GPO applies by default to all authenticated users.
8. In the Security Filtering section, click Authenticated Users.
9. Click the Remove button. A confirmation prompt appears.
10. Click OK.
11. In the details pane, click the Add button.
12. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): box, type GPO_Engineering Application Override_Apply, and then press Enter.
13. Switch to Active Directory Users and Computers.
14. In the console tree, expand the Adatum.com domain, and then click the Users folder.
15. Right-click Users, point to New, and then click Group.
16. Type GPO_ADATUM Standards_Exempt, and then press Enter.
17. Switch to the Group Policy Management console.
18. In the console tree, click the Adatum.com domain object, and then double-click the ADATUM Standards GPO. In the Security Filtering section, notice that the GPO applies by default to all authenticated users.
19. Click the Delegation tab.
20. Click the Advanced button. The ADATUM Standards Security Settings dialog box appears.
21. Click the Add button. The Select Users, Computers, Service Accounts, or Groups dialog box appears.
22. In the Enter the object names to select (examples): box, type GPO_ADATUM Standards_Exempt, and then press Enter.
23. Select the Deny check box next to Apply group policy.
24. Click OK. A warning message appears to remind you that deny permissions override allow permissions. Click Yes. Notice that the permission appears on the Delegation tab as Custom.
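The three parts of this exercise (create and link the GPO, check its precedence, and restrict who it applies to) map onto the GroupPolicy and ActiveDirectory modules, which also give a repeatable way to audit the result. The following is an added example and not code from the handbook: the domain Adatum.com, the Research\Engineers OU path, the two GPO names and the two group names are taken from the lab text, the distinguished names are assumed from them, and the function names are my own. The Screen saver timeout setting itself (steps 10 to 13) is not shown; it stays in the editor.

```powershell
# Added example (not from the 20411B handbook): the GPO-scope tasks of this
# exercise (create and link the GPO, check precedence, apply security
# filtering) with the GroupPolicy and ActiveDirectory modules, plus the
# verification an auditor would want. Assumed from the lab text: domain
# Adatum.com, OU path Research\Engineers, the GPO names "Engineering
# Application Override" and "ADATUM Standards", and the two group names. The
# policy setting itself (Screen saver timeout = Disabled) is not set here.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ResearchOU  = 'OU=Research,DC=Adatum,DC=com'      # assumed DN
$EngineersOU = "OU=Engineers,$ResearchOU"
$UsersCN     = 'CN=Users,DC=Adatum,DC=com'         # assumed DN of the Users folder
$OverrideGpo = 'Engineering Application Override'
$StandardGpo = 'ADATUM Standards'
$ApplyGroup  = 'GPO_Engineering Application Override_Apply'
$ExemptGroup = 'GPO_ADATUM Standards_Exempt'

function New-LabOverrideGpo {
    # Task 1: create the Engineers OU, then create the GPO and link it there.
    New-ADOrganizationalUnit -Name 'Engineers' -Path $ResearchOU
    New-GPO -Name $OverrideGpo | New-GPLink -Target $EngineersOU
}

function Get-LabGpoPrecedence {
    # Task 2: Get-GPInheritance lists the links that reach the OU in
    # precedence order, highest first, so the OU-linked override GPO should
    # come before the domain-linked standards GPO.
    (Get-GPInheritance -Target $EngineersOU).InheritedGpoLinks |
        Select-Object Order, DisplayName, Target, Enforced
}

function Set-LabSecurityFiltering {
    # Task 3, part 1: scope the override GPO to members of the Apply group only.
    New-ADGroup -Name $ApplyGroup -GroupScope Global -Path $EngineersOU
    Set-GPPermission -Name $OverrideGpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel None -Replace
    Set-GPPermission -Name $OverrideGpo -TargetName $ApplyGroup `
        -TargetType Group -PermissionLevel GpoApply
    # Since MS16-072 (June 2016) user settings are retrieved in the computer's
    # security context, so once Authenticated Users is removed the computers
    # still need Read; without it the GPO silently stops applying.
    Set-GPPermission -Name $OverrideGpo -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead
}

function New-LabExemptGroup {
    # Task 3, part 2: create the exempt group. Set-GPPermission has no Deny
    # level, so the Deny "Apply group policy" ACE (steps 19 to 24) remains a
    # GUI step or an explicit ACL edit; this function only prepares the group.
    New-ADGroup -Name $ExemptGroup -GroupScope Global -Path $UsersCN
}

function Test-LabGpoFiltering {
    # Verification: list every trustee on both GPOs with its permission and
    # whether the entry is a Deny. After the lab, Authenticated Users must not
    # appear on the override GPO, and the exempt group should appear on the
    # standards GPO with Denied = True.
    foreach ($Gpo in $OverrideGpo, $StandardGpo) {
        Get-GPPermission -Name $Gpo -All |
            Select-Object @{n='GPO';e={$Gpo}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
    }
}

# Usage on LON-DC1:
#   New-LabOverrideGpo; Get-LabGpoPrecedence
#   Set-LabSecurityFiltering; New-LabExemptGroup; Test-LabGpoFiltering
```

Test-LabGpoFiltering is the piece to keep: a Deny "Apply group policy" entry does not show up in the Security Filtering list of the console, only under Delegation as Custom, so a scripted listing of every trustee and Deny flag is the only quick way to see who is actually excluded from a GPO.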