
Creating and Managing Active Directory Groups and Organizational Units (OUs)

This document provides instructions for Lab 3 of the 70-742 Identity with Windows Server 2016 course. The lab contains two exercises on creating and managing Active Directory organizational units (OUs) and groups. Exercise 1 involves creating OUs for different company departments using the Active Directory Users and Computers console, Windows PowerShell, and the Active Directory Administrative Center. Exercise 2 covers creating domain local security groups for assigning permissions using the same tools.

Uploaded by

Spacer Gazer

70-742 Identity with Windows Server 2016

LAB 3
CREATING AND MANAGING ACTIVE DIRECTORY GROUPS AND ORGANIZATIONAL UNITS (OUS)

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 3.1 Creating and Managing Organizational Units

Exercise 3.2 Creating and Managing Groups

Lab Challenge Using OUs to Delegate Active Directory Management Tasks

BEFORE YOU BEGIN

The lab environment consists of student workstations connected to a local area
network, along with a server that functions as the domain controller for a domain
called adatum.com. The computers required for this lab are listed in Table 3-1.

Table 3-1
Computers required for Lab 3

Computer         Operating System       Computer Name
Server (VM 1)    Windows Server 2016    LON-DC1

In addition to the computers, you will also require the software listed in Table 3-2 to
complete Lab 3.

Table 3-2
Software required for Lab 3

Software                   Location
Lab 3 student worksheet    Lab03_worksheet.docx (provided by instructor)

Working with Lab Worksheets


Each lab in this manual requires that you answer questions, take screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab03_worksheet.docx. You will find these worksheets on the book companion
site. It is recommended that you use a USB flash drive to store your worksheets, so
you can submit them to your instructor for review. As you perform the exercises in
each lab, open the appropriate worksheet file using Word, fill in the required
information, and then save the file to your flash drive.

SCENARIO

After completing this lab, you will be able to:

• Create and manage Organizational Units

• Create and manage groups

• Use OUs to delegate Active Directory management tasks

Estimated lab time: 70 minutes

Exercise 3.1 Creating and Managing Organizational Units

Overview: In this exercise, you will create new organizational units in the
adatum.com domain, each named for the departments in your company.

Mindset: The OU is the easiest object type to create in the AD DS hierarchy.
You need to supply only a name for the object and define its location in
the Active Directory tree.

Completion time: 25 minutes

1. Log on to LON-DC1 as adatum\administrator with the password of Pa$$w0rd.

2. On the LON-DC1 computer, using Server Manager, click Tools > Active Directory
Users and Computers. The Active Directory Users and Computers console appears.

3. In the left pane, right-click the Adatum.com node and choose New > Organizational
Unit.

4. In the New Object – Organizational Unit Wizard, in the Name text box, type
Engineering, as shown in Figure 3-1.

Figure 3-1
The New Object – Organizational Unit Wizard

5. Click OK.

6. In Server Manager, click Tools > Active Directory Administrative Center.

7. In the Active Directory Administrative Center console, in the left pane, select the
Adatum (local) node. Then in the Tasks pane, under the Adatum (local) section, select
New > Organizational Unit.

8. In the Create Organizational Unit dialog box (see Figure 3-2), in the Name text box, type
Projects and then click OK.

Figure 3-2
The Create Organizational Unit dialog box

9. Click the Start button and then click the Windows PowerShell tile.

10. In the Administrator: Windows PowerShell window, at the command prompt, type
New-ADOrganizationalUnit -Name HR and press Enter.

11. In the Active Directory Users and Computers console, press F5 to refresh the list of
organizational units.

12. Take a screen shot of the adatum.com domain in the Active Directory Users and
Computers console, showing the OU objects you created, by pressing Alt+PrtScr, and
then paste the resulting image into the Lab03_worksheet file in the page provided by
pressing Ctrl+V.

13. Right-click the Projects OU, and click Delete. When you are prompted to confirm this
action, click Yes.

Question 1: What error message did you receive?
Answer: You do not have the privileges to delete projects, or this
object is protected from accidental deletion.

Question 2: Why are organizational units protected by default?
Answer: So you don’t accidentally delete user and computer accounts

14. Click OK.

15. In the Sales OU, double-click the Abbie Parsons user account.

Question 3: How many tabs does the Abbie Parsons Properties dialog box have?
Answer: 13 tabs

16. To close the Abbie Parsons Properties dialog box, click OK.

17. Open the View menu, and click Advanced Features.

18. Take a screen shot of the adatum.com domain in the Active Directory Users and
Computers console by pressing Alt+PrtScr, and then paste the resulting image into the
Lab03_worksheet file in the page provided by pressing Ctrl+V.

19. In the Sales OU, double-click the Abbie Parsons user account.

Question 4: In the Advanced Feature view, how many tabs are shown in
the Abbie Parsons Properties dialog box?
Answer: 18 tabs

20. Click the Object tab.

Question 5: What is the canonical name of the object that shows the location
of the user account?
Answer: Adatum.com/Sales/Abbie Parsons

21. Close the Abbie Parsons Properties dialog box by clicking OK.

22. Right-click the Projects OU and choose Properties.

23. Click the Object tab.

24. Deselect the Protect object from accidental deletion option and then click OK.

25. Right-click the Projects organizational unit and choose Delete. When you are
prompted to confirm this action, click Yes.

26. In the Sales OU, right-click Abbie Parsons and choose Move.

27. In the Move dialog box, click HR and then click OK.

28. Click the HR OU.

29. Take a screen shot of the HR OU in the Active Directory Users and Computers console
by pressing Alt+PrtScr, and then paste the resulting image into the Lab03_worksheet file
in the page provided by pressing Ctrl+V.

30. Right-click the Abbie Parsons user account and then click Move.

31. In the Move dialog box, select Sales and then click OK.

Leave all windows open for the next exercise.
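
The accidental-deletion protection exercised in steps 13 and 22-25 can also be inspected and audited from Windows PowerShell. The script below is an added example, not part of the original lab manual; it assumes the ActiveDirectory module on LON-DC1 and re-creates the Projects OU so that it can show the refused delete.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) on LON-DC1.
# The OU name 'Projects' comes from the lab steps; the DN is built from the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Projects,$domainDn"

# New-ADOrganizationalUnit protects the OU by default; stated explicitly here.
New-ADOrganizationalUnit -Name 'Projects' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true

# Step 13: deleting a protected OU is refused, even for a domain administrator.
try {
    Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused: $($_.Exception.Message)"
}

# The check box is stored as Deny entries in the OU's ACL; list them.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# Steps 22-25: clear the flag, after which the delete succeeds.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false

# Audit: report every OU in the domain that is NOT protected.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```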

Exercise 3.2 Creating and Managing Groups

Overview: In this exercise, you will create domain local groups using the
Active Directory Users and Computers console.

Mindset: Since the early days of the Microsoft Server operating system,
administrators used groups to manage network permissions. Groups
enable you to assign permissions to multiple users simultaneously. A
group can be defined as a list of user or computer accounts that
functions as a security principal, in much the same way that a user
does.

Completion time: 30 minutes

1. On LON-DC1, in the Active Directory Users and Computers console, select the HR OU
you created in Exercise 3.1.

2. Right-click the HR OU and choose New > Group. The New Object - Group
dialog box appears (see Figure 3-3).

Figure 3-3
The New Object – Group Wizard

3. In the Group name text box, type HR Printing.

4. Under Group scope, select the Domain local option. Answer the following question and
then click OK. The new group object appears in the HR OU.

Question 6: If you want to assign rights or permissions, which group type
must be used?
Answer: The security group type

5. Take a screen shot of the HR OU in the Active Directory Users and Computers console
by pressing Alt+PrtScr and then paste the resulting image into the Lab03_worksheet
file in the page provided by pressing Ctrl+V.

6. If Active Directory Administrative Center is not open, using Server Manager, click
Tools > Active Directory Administrative Center.

7. In the Active Directory Administrative Center console, click the Adatum (local) node in
the left pane and, in the center pane, double-click the HR OU.

8. In the Tasks right pane, in the HR section, click New > Group. The Create Group
dialog box appears, as shown in Figure 3-4.

Figure 3-4
Adding a group in Active Directory Administrative Center

9. In the Group name text box, type Backup Managers.

10. Under Group scope, select Domain local, answer the following question, and then click
OK. The new group appears in the HR OU.

Question 7: Which group scope is replicated between global catalogs in a
forest?
Answer: You have to select the universal group scope

11. In Active Directory Users and Computers, with the HR OU highlighted, in the center
tab, click the white space/blank space of the HR OU and then press F5.

12. Take a screen shot of the HR OU in the Active Directory Users and Computers console
by pressing Alt+PrtScr and then paste the resulting image into the Lab03_worksheet
file in the page provided by pressing Ctrl+V.

13. Double-click the HR Printing group.

14. Click the Members tab.

15. Click the Add button.

16. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in
the Enter the object names to select text box, type Adam Hobbs and click OK.

17. Close the HR Printing Properties dialog box by clicking OK.

18. Click the IT OU.

19. Double-click the Beth Burke user account.

20. In the Beth Burke Properties dialog box, click Member Of.

Question 8: Which groups is Beth Burke a member of?
Answer: Domain users and IT

21. Click the Add button.

22. In the Select Groups dialog box, in the Enter the object names to select text box,
type HR Printing and then click OK.

23. Close the Beth Burke Properties dialog box by clicking OK.

24. Go to the HR OU and double-click HR Printing. Then click the Members tab.

25. Take a screen shot of the HR Printing Properties dialog box in the Active Directory
Users and Computers console by pressing Alt+PrtScr and then paste the resulting
image into the Lab03_worksheet file in the page provided by pressing Ctrl+V.

26. Close the HR Printing Properties dialog box by clicking OK.

27. Double-click the Backup Manager group.

28. Click the Members tab.

29. Click Add.

30. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in
the Enter the object names to select text box, type HR Printing and then click OK.

31. In the Members section, double-click HR Printing and then click the Members tab.

Question 9: Which two users are indirectly assigned to the Backup
Manager group?
Answer: Adam Hobbs and Beth Burke

32. Close the HR Printing Properties dialog box by clicking OK.

33. Close the Backup Manager Properties dialog box by clicking OK.

Leave all windows open for the next exercise.
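
Nested membership like the one built in steps 27-31 is easy to miss on the Members tab, which lists only direct members. The function below is an added example, not part of the original lab manual: it walks the nesting and reports the path through which each account is a member. It assumes the ActiveDirectory module and that the group's pre-Windows 2000 name equals the name typed in step 9.

```powershell
# Added example. 'Backup Managers' is the group name typed in step 9;
# Get-MembershipPath is a helper defined here, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-MembershipPath {
    param(
        [Parameter(Mandatory)] [string]$Group,   # sAMAccountName or DN
        [string[]]$Trail = @(),                  # group names walked so far
        [string[]]$Seen  = @()                   # group DNs walked so far
    )
    $g = Get-ADGroup -Identity $Group
    if ($Seen -contains $g.DistinguishedName) { return }   # circular nesting guard
    $path    = $Trail + $g.Name
    $seenNow = $Seen + $g.DistinguishedName

    foreach ($m in Get-ADGroupMember -Identity $g) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, carrying the path along.
            Get-MembershipPath -Group $m.DistinguishedName -Trail $path -Seen $seenNow
        } else {
            [pscustomobject]@{
                Member = $m.Name
                Class  = $m.objectClass
                Direct = ($path.Count -eq 1)     # $false means inherited via nesting
                Path   = $path -join ' > '
            }
        }
    }
}

$rows = Get-MembershipPath -Group 'Backup Managers'
$rows | Sort-Object Path, Member | Format-Table -AutoSize

# Accounts that hold the group's rights only through a nested group.
$rows | Where-Object { -not $_.Direct } |
    Select-Object -ExpandProperty Member -Unique
```

Any right later granted to the outer group, such as the delegation in the Lab Challenge, reaches every account this listing returns.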


Lab Challenge Using OUs to Delegate Active Directory Management Tasks

Overview: In this exercise, you will use the Delegation of Control Wizard to
grant Active Directory permissions to specific groups.

Mindset: Creating OUs enables you to implement a decentralized administration
model, in which others manage portions of the AD DS hierarchy
without affecting the rest of the structure. The Delegation of Control
Wizard provides a simple interface you can use to delegate permissions
for domains, OUs, or containers.

Completion time: 15 minutes

1. On LON-DC1, in the Active Directory Users and Computers console, right-click the
HR OU and choose Delegate Control.

2. In the Delegation of Control Wizard, on the Welcome to the Delegation of Control
Wizard page, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to
select box, type Backup Manager and click OK. Then click Next. The Tasks to
delegate page appears, as shown in Figure 3-5.

Figure 3-5
The Delegation of Control Wizard

5. In the Delegate the following common tasks list, select the following check boxes and
then click Next:

• Create, delete, and manage user accounts

• Create, delete, and manage groups

• Modify the membership of a group

6. The Completing the Delegation of Control Wizard page appears. Scroll to the bottom.

7. Take a screen shot of the Delegation of Control Wizard by pressing Alt+PrtScr and
then paste the resulting image into the Lab03_worksheet file in the page provided by
pressing Ctrl+V.

8. Click Finish.

9. Right-click the HR OU and choose Properties.

10. Click the Security tab.

11. In the HR Properties dialog box, in the Group or user names section, scroll down and
click Backup Manager.

Question 10: Which permissions are shown by Backup Manager for the
HR OU?
Answer: The Allow “Special permissions” box so they got special
permissions

12. Click the Advanced button.

13. Take a screen shot of the Advanced Security Settings for HR dialog box by pressing
Alt+PrtScr and then paste the resulting image into the Lab03_worksheet file in the page
provided by pressing Ctrl+V.

14. Close the Advanced Security Settings for HR dialog box by clicking OK.

15. Close the HR Properties dialog box by clicking OK.
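
The Security tab summarizes the wizard's result as "Special permissions"; the individual access control entries it wrote can be listed from Windows PowerShell. The script below is an added example, not part of the original lab manual. It assumes the ActiveDirectory module, the HR OU at the domain root, and a trustee whose name contains "Backup Manager"; Resolve-Guid is a helper defined here.

```powershell
# Added example: lists the explicit (non-inherited) ACEs on the HR OU that
# name the delegated group, with schema GUIDs translated to readable names.
Import-Module ActiveDirectory

$ouDn    = "OU=HR,$((Get-ADDomain).DistinguishedName)"
$trustee = 'Backup Manager'      # substring match on the group name

# Build a GUID -> name map from the schema (classes and attributes).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guidName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-Guid([guid]$Id) {
    if ($Id -eq [guid]::Empty)          { 'all' }          # ACE is not scoped
    elseif ($guidName.ContainsKey($Id)) { $guidName[$Id] }
    else                                { $Id.ToString() } # e.g. an extended right
}

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference -like "*$trustee*" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'ObjectOrProperty'; e = { Resolve-Guid $_.ObjectType } },
        @{ n = 'AppliesTo';        e = { Resolve-Guid $_.InheritedObjectType } },
        InheritanceType |
    Format-Table -AutoSize -Wrap
```

Running the same query without the trustee filter shows every explicit delegation on the OU, which is a quick way to review who else has been granted control there.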

End of lab.
