Differences between revisions 35 and 47 (spanning 12 versions)
Revision 35 as of 2020-08-12 00:31:36
Size: 3172
Editor: scot
Comment:
Revision 47 as of 2022-09-29 18:26:02
Size: 2789
Editor: scot
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Lab 03-04 = ## page was renamed from WindowsAdministration/Lab04OuGroupLab
= Lab 04 =
Line 3: Line 4:
In this lab you will create some organizational units, groups and users in your AD. In this lab you will use the organizational units, groups and users in your AD that we created last time to delegate control to managers of their department users. Then we will setup a share for each department and for each user. In your domain controller (Using the RSAT tools or powershell):
Line 5: Line 6:
Create a new VM:  1. Delegate control over users in the OU_Sales Organizational unit to jpatterson so that he can change their password, but nothing else.
    a. Right click on the OU, select Delegate control, Add the user.
    a. On theTasks to Delegate select only the following:
       1. Reset user passwords and force password change at next logon
       1. Reset inetOrgPerson passwords and force password change at next logon
       1. Read all inetOrgPerson information
 1. Delegate control over users in the OU_Developers Organizational unit to kthompson
    a. like the first one...
 1. Delegate control over users in the OU_CSuite Organizational unit to kthompson
    a. ...
Line 7: Line 17:
 1. Add a new Windows 10 virtual machine
  a. Change its network address to be IP=192.168.1.5, subnet=255.255.255.0, DNS=192.168.1.2 and verify that you can access the internet.
  a. Change its name to be cpte230w
  a. Add the new Windows 10 computer to the top Active directory domain.
     1. Right click start, system, advanced settings
     1. Under Computer Name, click "Change..." and add it to your active directory.
     1. In the Windows 10 computer as administrator add the "Domain Users" to the list of users allowed to use remote desktop
        1. Right click start
        1. Select System, Advanced System Settings
        1. Select Remote, Select Users and Add "Domain Users" to the list.
 1. Find and install the remote administration tools. (Hint: you can do this through powershell easier than through the GUI)
 1. Instal Windows Admin Center
 1. Enable remote desktop connections
Shares:
Line 21: Line 19:
In your domain controller (Using the RSAT tools or powershell):  1. Create a share for each group Sales, Developers and Managers and make sure the groups have read/write access to the share.
    a. On C:\ create a folder called shares, we will use this for all our shares.
    a. Create folders in c:\shares named:
       1. sales
       1. developers
       1. managers
       1. home
    a. Share and Assign permissions to the sales, developers and managers
       1. Right click on sales, select properties, sharing, Share...
       1. add the sales group and set permission level to "Read/Write" and share.
       1. Select the security tab and make sure that the sales group does not have full control. Remove if that right by clicking on edit, selecting sales and unchecking Full Control.
    a. Repeat these steps for developers and managers.
 2. Create shares for users: Follow the directions at https://www.petenetlive.com/KB/Article/0000739 to complete this.
Line 23: Line 33:
 1. Create an organizational unit in your child domain named {{{OU_Contractors}}} and add the following items to this OU.
  a. Create a global group called {{{g_contractors}}}
  a. Create a user called {{{contractor}}} and put them in {{{g_contractors}}} group.
 1. Create a user mgr in the users folder of your parent domain.
  a. Make mgr the Administrator for the {{{OU_Contractors}}} by using the delegation wizard. Make sure the the user has "Reset user passwords..." and "Modify the membership of a group"
  a. Set the mgr password and document it in the "password" page. Make sure there is no requirement to change the password.
 1. Create a new folder on your cpte230a (parent domain controller) and share it. Make the share name {{{contractors}}}.
  a. Set permissions on the share to allow {{{g_contractors}}} to read and write to it.
  a. Set permissions on the share to give the mgr user full control.
 1. You will demonstrate mgr's ability by changing the password for "contractor".
  a. You can demonstrate this by logging in to your windows 10 machine and starting the active directory users and computers tool.
  a. Find the contractor user and reset the password.
Line 37: Line 35:
 1. Document the OU structures added and Groups added to each domain on the domains page. Do this in a new section called "Organizational Units" and "Groups"
 1. Document the delegations for control that you made in the "Organizational Units" section.
Line 42: Line 41:
||Video Shows: OU structures and groups created in the instructions ||10 ||
||Video Shows: A remote login event to windows 10 using the mgr user. ||10 ||
||Video Shows: the mgr user changing the password for the contractor user on the windows 10 machine. ||20 ||
||Video Shows: the contractor user accessing the file share and adding a new text file || 20 ||
||Video Shows: the mgr user accessing the file share and deleting the new text file || 20 ||
||Video Shows: Login as one of the manager users using remote desktop and change a user's password for which they have been delegated control || 40 ||
||Video Shows: Login as the user you changed the password for and show that it worked.
||Video Shows: Shares by going to \\cptr230a and showing shares. Access shares that the manager should have access too, and show that they are denied access to shares they shouldn't have access to. || 40 ||

Lab 04

Instructions

In this lab you will use the organizational units, groups and users in your AD that we created last time to delegate control to managers of their department users. Then we will setup a share for each department and for each user. In your domain controller (Using the RSAT tools or powershell):

  1. Delegate control over users in the OU_Sales Organizational unit to jpatterson so that he can change their password, but nothing else.
    1. Right click on the OU, select Delegate control, Add the user.
    2. On theTasks to Delegate select only the following:
      1. Reset user passwords and force password change at next logon
      2. Reset inetOrgPerson passwords and force password change at next logon
      3. Read all inetOrgPerson information
  2. Delegate control over users in the OU_Developers Organizational unit to kthompson
    1. like the first one...
  3. Delegate control over users in the OU_CSuite Organizational unit to kthompson
    1. ...

Shares:

  1. Create a share for each group Sales, Developers and Managers and make sure the groups have read/write access to the share.
    1. On C:\ create a folder called shares, we will use this for all our shares.
    2. Create folders in c:\shares named:
      1. sales
      2. developers
      3. managers
      4. home
    3. Share and Assign permissions to the sales, developers and managers
      1. Right click on sales, select properties, sharing, Share...
      2. add the sales group and set permission level to "Read/Write" and share.
      3. Select the security tab and make sure that the sales group does not have full control. Remove if that right by clicking on edit, selecting sales and unchecking Full Control.
    4. Repeat these steps for developers and managers.
  2. Create shares for users: Follow the directions at https://www.petenetlive.com/KB/Article/0000739 to complete this.

Documentation

  1. Document the delegations for control that you made in the "Organizational Units" section.
  2. Document the Share created and its purpose in a new section called "Shared Resources"

Video Grade Guide

Topics

Points

Video Shows: Login as one of the manager users using remote desktop and change a user's password for which they have been delegated control

40

||Video Shows: Login as the user you changed the password for and show that it worked.

Video Shows: Shares by going to \\cptr230a and showing shares. Access shares that the manager should have access too, and show that they are denied access to shares they shouldn't have access to.

40

Video talks through the required documentation.

20

WindowsAdministration/Lab04DelegationAndShares (last edited 2024-10-03 19:39:01 by scot)