Apply Your Knowledge


Exercises

8.1. Delegating administrative control

In this exercise, you will use the Delegation of Control Wizard to assign the reset password permissions for the Kansas City\Users OU to a domain user.

Estimated Time: 20 minutes

1. Select Start, Programs, Administrative Tools, and then select Active Directory Users and Computers.

2. Select the desired domain, select the Kansas City OU, and then right-click the Users OU.

3. From the pop-up menu, select Delegate Control. The Delegate Control Wizard starts.

4. The Welcome to the Delegation of Control Wizard window appears; click Next to continue.

5. The Users or Groups window appears; click Add. The Select Users, Computers, or Groups window appears.

6. Enter one of the users that you created in previous exercises. Make sure that this user is not a member of the Managers group. Click OK to continue. You are returned to the Users or Groups window. Click Next to continue.

7. The Tasks to Delegate window appears. Select the Reset Users Passwords and Force Password Changes at Next Logon check box. Click Next to continue.

8. The Summary window appears. Review the items to make sure they are correct. If not, click the Back button and make the necessary corrections, or click Finish to end.

9. Log on as the user on a member server or workstation in your test domain (not the domain controller).

10. Open the Active Directory Users and Computers MMC.

11. Navigate to the Kansas City\Users OU, and reset the password of one of the users.

12. Log off when you are finished.

8.2. Checking effective permissions

In this exercise, you will continue the previous exercise by verifying that the reset password permissions for the Kansas City\Users OU were assigned. You do this by checking the effective permissions on a user object in the OU.

Estimated Time: 10 minutes

1. Select Start, Programs, Administrative Tools, and then select Active Directory Users and Computers.

2. Select the desired domain, select the Kansas City OU, and then right-click the Users OU.

3. Select a user object in the Users OU, right-click the object, select Properties from the pop-up menu, and click the Security tab in the resulting dialog box.

4. From the Security tab, click the Advanced button.

5. The Advanced Security Settings dialog box appears. Select the Effective Permissions tab.

6. The Effective Permissions tab appears. Click the Select button.

7. The Select User or Group dialog box appears. Enter the user who was granted reset password permissions, and then click the OK button.

8. This returns you to the Advanced Security Settings dialog box. The Effective Permissions for the user are shown. Scroll down to verify the Reset Password entry. Click OK here and in the Object Properties dialog box to quit.
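
The check in Exercise 8.2 can also be made against the OU itself, by listing which trustees hold the access control entries that the delegated task in Exercise 8.1 writes. The following is an added example, not part of the original exercises: it assumes a management host with the ActiveDirectory PowerShell module, and the function name and the DC=example,DC=com domain suffix are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Schema GUIDs that the delegated task's ACEs refer to.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

# Hypothetical helper: lists Allow ACEs on an OU that permit password resets.
function Get-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Reset Password is an extended right; an empty ObjectType covers all
        # extended rights, so Full Control entries are reported as well.
        $reset = ($ace.ActiveDirectoryRights -band $adRights::ExtendedRight) -and
                 ($ace.ObjectType -eq $ResetPassword -or $ace.ObjectType -eq [guid]::Empty)
        # Forcing a change at next logon is a write to the pwdLastSet attribute.
        $force = ($ace.ActiveDirectoryRights -band $adRights::WriteProperty) -and
                 ($ace.ObjectType -eq $PwdLastSet)
        if (-not ($reset -or $force)) { continue }

        [pscustomobject]@{
            Trustee             = $ace.IdentityReference.Value
            Grants              = if ($reset) { 'Reset Password' } else { 'Write pwdLastSet' }
            ScopedToUserObjects = ($ace.InheritedObjectType -eq $UserClass)
            Inherited           = $ace.IsInherited  # True: set on a parent, not on this OU
        }
    }
}

# Placeholder DN: substitute your test domain for DC=example,DC=com.
Get-PasswordResetDelegation 'OU=Users,OU=Kansas City,DC=example,DC=com' |
    Sort-Object Trustee, Grants | Format-Table -AutoSize
```

Rows with Inherited set to False are entries written directly on the OU, which is where the Security tab shows them.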

Exam Questions

1. You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2003 native. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.

You decide to assign the Reset Password permission for the Cessna OU to the SmallPlaneManagers Group. However, when you open the Properties page for the OU object, you don't see the Security tab. What should you do?

A. Log off and then log on again with an account with Domain Administrators rights.

B. Use the RunAs command.

C. Select Tools from the system menu and select Advanced Features.

D. Select View from the system menu and select Advanced Features.


2. You are the system administrator for a small manufacturing company. Your company just bought another company of about the same size, and you have just finished adding their users to your domain. Unfortunately, all the IT personnel from the other company quit, leaving you to manage everything.

You have spoken to several of the department managers, and they have agreed to take over some of the low-level administrative tasks such as creating users and resetting passwords.

What is the best way to grant them the proper authority?

A. Add the department managers to the Domain Administrators group.

B. Add the department managers to the Account Operators group.

C. Use the Delegation of Control Wizard.

D. Create a separate domain.


3. You are the system administrator for a small manufacturing company. Your company has decided to split off the research and development department into a wholly owned subsidiary. Unfortunately, this new subsidiary is undercapitalized, so it will still use the same office space and will need to continue to use your network.

However, their general manager wants to manage all the computers and users himself. What is the best way to grant him the proper authority? (Choose two.)

A. Add his user account to the Domain Administrators group.

B. Add his user account to the Account Operators group.

C. Use the Delegation of Control Wizard.

D. Create a separate domain, and move the subsidiary's resources into the domain.

E. Create a separate OU, and move the subsidiary's resources into the OU.


4. You are the system administrator for a small chemical company. One of your department managers just called, and she wants you to give Joe, one of the employees, read access to an object in Active Directory.

The object has the following current assignments:

Read: Managers group

Read: Supervisors group

Deny: Employees group

Joe is currently a member of the Employees group. What must you do to give him access to only this object?

A. Add his user account to the Managers group.

B. Add his user account to the Supervisors group.

C. Remove his user account from the Employees group.

D. None of the above.


5. You are the system administrator for a mid-sized research firm. You assigned one of your junior administrators to block inheritance of the permissions on all objects in your test OU so that only you will be able to manage them. The permissions are as follows:

BEFORE

Full Control: Domain Admins group

Read: Junior Admins

Deny: Employees group

AFTER

Full Control: Domain Admins group

Read: Junior Admins

Deny: Employees group

You verified that inheritance was disabled. What did the junior administrator do wrong?

A. Nothing, this is the default.

B. He selected Copy permissions.

C. He selected Remove permissions.

D. He selected Cancel permissions.


6. You are the system administrator for Rite-Built, Inc. Your company has decided to split off the research and development department into a wholly owned subsidiary. You are going to create a new domain and move all the research and development department's resources into the new domain. What is the best tool to use to accomplish this task?

A. Active Directory Users and Computers

B. Dsmove

C. The Delegation of Control Wizard

D. Active Directory Migration Tool


7. You are the system administrator for a small manufacturing company. Your company has decided to split off the research and development department into a wholly owned subsidiary. All their resources are currently stored in the RD OU.

Although they don't have a problem with you, the system administrator, having access to their resources, they no longer want the Plant Managers group to have any access to their OU. The Plant Managers group was previously given administrative rights to all resources in the OU via the Delegation of Control Wizard.

What is the best way to remove the administrative rights on the RD OU that were previously granted to the Plant Managers group?

A. Use the Delegation of Control Wizard to remove the administrative rights previously granted to the Plant Managers group.

B. Use the OUEdit command-line tool to remove the administrative rights previously granted to the Plant Managers group.

C. Use the Effective Permissions tool to remove the administrative rights previously granted to the Plant Managers group.

D. Use the Security tab on the RD OU object to assign the Deny permission to the Plant Managers group.


8. You are the system administrator for a small company. Your network consists of a single Windows Server 2003 domain running in Windows Server 2003 mode. This domain was created from scratch, so you decided not to include any pre-Windows Server 2003 functionality.

One of your junior administrators responded to a help desk call for a user who was having trouble accessing the resources in an OU in Active Directory. The junior administrator attempted to investigate the problem using the Effective Permissions tool, but received a message that she didn't have the proper authority. Junior administrators are not members of the Domain Administrators group.

What is the best way to allow the junior administrator to use the Effective Permissions tool?

A. Add her user account to the Domain Admins group.

B. Add her user account to the Pre-Windows 2000 Compatible Access group.

C. Use the Delegation of Control Wizard to grant her access to the Effective Permissions tool.

D. Add her user account to the local Administrators group on the file server containing the shared folder she is investigating.


Answers to Exam Questions

1. D. In Windows Server 2003, the permissions for objects and their attributes are configured using the Active Directory Users and Computers snap-in. All permissions for objects are configured from the Properties window of the object, via the Security tab. However, the default in Windows Server 2003 is for the Security tab to not be displayed. It must be enabled by selecting Advanced Features from the system menu. See "Assigning Permissions to Active Directory Objects."

2. C. While adding the department managers' user accounts to the Domain Admins or Account Operators groups will give them the necessary permissions, it will also give them some permissions that you might not want them to have. Creating a separate domain is a solution left over from Windows NT. The best solution is to group the user accounts in an appropriate OU, and then use the Delegation of Control Wizard to assign the department managers' accounts only the permissions they need in that OU. See "Delegating Control of an Organizational Unit."

3. C and E. Creating a separate domain is a solution left over from Windows NT. Also, because the new subsidiary is short on funds, it might not have the budget for the new hardware that a new domain would require. The best solution is to move the resources for the subsidiary to a separate OU, and then use the Delegation of Control Wizard to assign the general manager's account full control over that OU. See "Delegating Control of an OU."

4. D. Adding Joe's user account to either of the two groups mentioned won't give him access, because he's a member of the Employees group, which has the Deny permission, which overrides any other permission. Removing his account from the Employees group will not give him access to the object because if you are not explicitly granted permissions to objects in AD, by default you are implicitly denied access. See "Modifying Permissions for Objects in an OU."

5. B. When the junior administrator turned off permissions inheritance, he elected to copy permissions. This will leave any existing inherited permissions in place. What he should have done was select the option to remove inherited permissions. This would have removed any existing permissions that were inherited from the parent. If he had selected Cancel, the permissions would still be in place, but so would inheritance. See "Permissions Inheritance."

6. D. Neither the Active Directory Users and Computers snap-in nor the dsmove utility can be used to move users or resources between domains. For interdomain moves, use the Active Directory Migration Tool (ADMT), which is used to move objects from one domain to another. The Delegation of Control Wizard can be used only to grant access to objects. See "Moving AD Objects."

7. D. The Delegation of Control Wizard can only apply permissions, not remove them. To view and remove the permissions, you will have to view the Security tab for the object on which you assigned permissions using the wizard. The Effective Permissions tool can be used only to view permissions, not to edit them. The OUEdit tool doesn't exist. See "Delegating Control of an OU."

8. B. During the Dcpromo process, you are prompted as to whether you want to set permissions compatible with pre-Windows 2000 server operating systems. This selection adds the Everyone group to the Pre-Windows 2000 Compatible Access group, and thereby grants the Everyone group read access to most Active Directory objects. If you do not select this option, the Pre-Windows 2000 Compatible Access group is created, but it is empty. In this case, only domain administrators can use the Effective Permissions tool for Active Directory objects. Adding a junior administrator to the Domain Admins group just so she can use the Effective Permissions tool is not a good idea. The Delegation of Control Wizard cannot be used to grant access to the Effective Permissions tool. Because this is an Active Directory object she is investigating, she would need her account added to a domain controller, which doesn't have a local administrators group. See "Effective Permissions."

Suggested Readings and Resources

1. Best Practices for Delegating Active Directory Administration. Microsoft Corporation. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx.

2. Step-by-Step Guide to Using the Delegation of Control Wizard. Microsoft Corporation. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx.

3. The Effective Permissions Tool. Microsoft Corporation. http://technet2.microsoft.com/WindowsServer/en/Library/155c4905-6660-4c4c-9a0a-5a668907e83c1033.mspx?mfr=true.

4. Windows Server 2003 Deployment Guide. Microsoft Corporation. http://technet2.microsoft.com/WindowsServer/en/Library/c283b699-6124-4c3a-87ef-865443d7ea4b1033.mspx?mfr=true.

5. Windows Server 2003 Resource Kit. Microsoft Press, 2005. ISBN 0735614717.

6. Working with Active Directory Permissions in Exchange Server 2003. Microsoft Corporation. http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3ad.mspx.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
