• Windows Server
• Active Directory Users and Computers
• PowerShell

This lab shows how to enable authorized users access to protected resources while denying access to unauthorized users. The first step in identifying a user is through a userame. The next step is to challenge the user by providing additional information such as a password or generated token value to prove that the supplied identity is authentic. Once the user has been authenticated, the next step is to see what permissions the user has. Permissions determine what the user can and cannot do. When a user requests access to a resource, the request is compared to the permissions list for that user which will determine if access will be granted or denied. This process is known as access control. Access controls protect resources from unauthorized access. This lab will utilize Active Directory to create several new users and groups. Folder structure will be created to align with the new groups and permissions will be assigned that will restrict user access to each folder based on group membership. Access will be verified by logging in as each user and attempting to access each folder.

From the Windows Server taskbar, click Server Manager icon, to open the Server Manager application.

.

1. Select Tools from the Server Manager menu bar, then select Active Directory Users and Computers.

2. In the left pane of the Active Directory Users and Computersconsole, expand the domain to show all objects in the domain. In this case, the domain is the securelabsondemand.com domain.

3. Locate the Users container to see a list of all the existing users and groups in the domain.

4. Click the Create a new group in the current container on the Active Directory Users and Computers toolbar. This will open the New Object-Group dialog box.

5. In the New Object - Group dialog box, type Developers in the Group name: box. Set the group scope to Global and the group type to Security. Once this is complete, create a new global security group named Managers.

6. Now we will create a new global security group titled Human Resources using Powershell.

• New-ADGroup created a new Active Directory group. This new group is created in the Users OU by default.
• -Name specifies the group name.
• -GroupScope determines how the group is applied to the domain. The three possible domains are: Universal, Global, or Domain Local.
• -GroupCategory specifies the type of group. The two possible options for category are: Security or Distrubution(email).

7. At the PowerShell prompt, type New-ADGroup -Name HumanResources -GroupScope Global -GroupCategory Security then press Enter to create the new group.

8. Restore the Active Directory Users and Computer window. Locate and right-click an empty area in the right pane, and click Refresh to verify that the new HumanResources group was added to the Users OU.

9. Now we are going to add new Users to our Groups. Click Create a new user in the current container icon to open the New Object - User dialog box.

10. In the New Object - User dialog box, type the following information, then click Next.

• First name: Sam
• Last name: Carpenter
• User logon name: scarpenter

11. For the password, type the following information:

• Password: P@ssw0rd!
• Confirm password:P@ssw0rd!

Uncheck User must change password at next logon checkbox, then click Next to continue.

12. Click Finish to create the account for the new user.

13. In the Users list, right-click the Sam Carpenter user account and select Add to a group

14. In the Select Group dialog box, type Developers in the Enter the object name to select box, then click Check Names to confirm that the group exists and check spelling. Click OK to complete the process. Click OK to close the success dialog box.

15. Repeat these steps to create a user with the following:

• First name: Carl
• Last name: Prince
• User logon name: cprince

Repeat steps 13 and 14 to add cprince to the Developers and Managers groups.

16. Now we will create another user using PowerShell using the following command:

• New-ADUser creates a new user account in Active Directory.
• -Name specifies the name of the object in Active Directory.
• -UserPrincipalName determines the logon name for the new user
• -AccountPassword specifies a password for the new user account. The account password should be set once the account is created or the account will be disabled until a password is set. A password can be set using the Set-ADAccountPassword cmdlet in a separate step.
• -GivenName sets the user's first name.
• -New-ADUser sets the user's last name.
• -Enabled enables the account ($true) only if a password is set.

17. Now we will create an account for Laura Casado. At the PowerShell prompt, type the following then press enter:

New-ADUser -Name lcasado -UserPrincipalName [email protected] -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd!" -Force) -GivenName Laura -Surname Casado -Enabled $true

18. The new user Laura Casado needs to be added to a group. We will add her the the Human Resources group using Powershell using the following command:

Add-ADGroupMember -Identity HumanResources -Members lcasado

19. Restore the Active Directory Users and Computer window. Locate and right-click an empty area in the right pane, and click Refresh to verify that the new user, lcasado was added to the Users OU and is a member of Human Resources group.

20. At the PowerShell prompt, type gpupdate /force and press Enter to force an immediate update of all group policies on the domain controller. The system will generate a confirmation message indicating that the Computer and User Policy update has been updated successfully.