A.2 Security Pro Domain 1: Access Control and Identity Management
2

You are the IT administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server to manage network resources centrally. Organizational units (OUs) in the domain represent departments. User and computer accounts have been moved into their respective departmental OUs. Over the past few days, several personnel changes have occurred that require changes to the user accounts.

In this lab, your task is to use the following information to make the necessary user account changes on CorpDC:

• In the Accounting department, Mark Woods has been fired. Disable his account.
• In the Research-Dev department, Pat Benton is returning from maternity leave. Her account is disabled to prevent logon. Enable her account.
• Andrea Simmons in the Research-Dev department has recently married:
  o Rename the account Andrea Socko.
  o Change the last name to Socko.
  o Change the display name to Andrea Socko.
  o Change the user logon and the pre-Windows 2000 user logon name to asocko.
• In the Accounting department, Mary Barnes has forgotten her password, and now her account is locked:
  o Reset the password to 1234abcd$.
  o Require a password change at the next logon.
  o Unlock the account.
• Allow all users in the Support OU to log on only to the Support computer. Do not restrict the users in the SupportManagers OU.

To efficiently complete these tasks, right-click the user account and select:

• Enable Account to allow logon to the account.
• Disable Account to prevent logon to the account.
• Rename to rename the account (change the full name) and modify other name-dependent properties for the user account.
• Reset Password to unlock a locked account, change the password, and force the user to change the password at the next logon.

You can also accomplish most of these tasks by editing the properties for the user account and modifying the settings on the General or Account tabs. However, the only way you can rename the account (and change the full name property) is through the right-click menu.
Task Summary

• Disable the Mark Woods user account
• Enable the Pat Benton user account
• Modify the Andrea Simmons user account
  o Rename the account to Andrea Socko
  o Change the last name to Socko
  o Change the display name properties to Andrea Socko
  o Change the user logon name to asocko
  o Change the pre-Windows 2000 user logon name to asocko
• Unlock the Mary Barnes user account
  o Reset the password to 1234abcd$
  o Require a password change at the next logon
  o Unlock the account
• Restrict Janice Rons and Tom Plask to use only the Support computer

Explanation

In this lab, you perform the following tasks:

• In the Accounting department, Mark Woods has been fired. Disable his account.
• In the Research-Dev department, Pat Benton is returning from maternity leave. Her account is disabled to prevent logon. Enable her account.
• Andrea Simmons in the Research-Dev department has recently married:
  o Rename the account Andrea Socko.
  o Change the last name to Socko.
  o Change the display name to Andrea Socko.
  o Change the user logon and the pre-Windows 2000 user logon name to asocko.
• In the Accounting department, Mary Barnes has forgotten her password, and now her account is locked:
  o Reset the password to 1234abcd$.
  o Require a password change at the next logon.
  o Unlock the account.
• Allow all users in the Support OU to log on only to the Support computer. Do not restrict the users in the SupportManagers OU.

Complete this lab as follows:

1. Disable a user account as follows:
   a. From Server Manager on CorpDC, select Tools > Active Directory Users and Computers.
   b. Browse the Active Directory structure and select the Accounting OU.
   c. Right-click Mark Woods and select Disable Account.
   d. Click OK to apply the changes.
2. Enable a user account as follows:
   a. Select the Research-Dev OU.
   b. Right-click Pat Benton and select Enable Account.
   c. Click OK.
3. Rename the user account as follows:
   a. In the Research-Dev OU, right-click Andrea Simmons and select Rename.
   b. Enter Andrea Socko.
   c. Click outside the Name field to open the Rename User dialog.
   d. In the Last name field, enter Socko.
   e. In the Display name field, enter Andrea Socko.
   f. In the User logon name field, enter asocko.
   g. Verify that the pre-Windows 2000 user logon name is asocko.
   h. Click OK.
4. Unlock a user account as follows:
   a. In the Accounting OU, right-click Mary Barnes and select Reset Password.
   b. In the New password field, enter 1234abcd$.
   c. In the Confirm password field, enter 1234abcd$.
   d. Make sure that User must change password at next logon is selected.
   e. Make sure that Unlock the user's account is selected.
   f. Click OK.
5. Configure user account restrictions as follows:
   a. Navigate to and select the Support OU.
   b. Press Ctrl and select both the Tom Plack and Janice Rons users to edit multiple users at the same time. In Safari, press Command and select each user.
   c. Right-click the user accounts and select Properties.
   d. Select the Account tab.
   e. Mark Computer restrictions.
   f. Select Log on to.
   g. Select The following computers.
   h. In the Computer name field, enter Support; then select Add.
   i. Click OK.
6. Click OK.
7

You are the IT security administrator for a small corporate network. You use a special user account called Administrator to log on to your Linux computer. You suspect that someone has learned your password. You are currently logged on as Administrator.

In this lab, your task is to change your password to r8ting4str. The current password for the Administrator account is 7hevn9jan.

Task Summary

• Change the administrator user password to r8ting4str

Explanation

In this lab, you change your administrator password from 7hevn9jan to r8ting4str as follows:

1. At the command prompt, type passwd and press Enter.
2. Enter 7hevn9jan and press Enter for the UNIX password.
3. Enter r8ting4str and press Enter for the new password.
4. When prompted to retype the new password, enter r8ting4str and press Enter.
4

You are the IT Administrator for the CorpNet domain. You are in the process of implementing a group strategy for your network. You have decided to create a global group as a shadow group for specific departments in your organization. Each global group will contain all users in the corresponding department.

In this lab, your task is to complete the following actions on the CorpDC server:

• Create a global security group named Accounting in the Accounting OU.
• Create a global security group named Research-Dev in the Research-Dev OU.
• Create a global security group named Sales in the Sales OU.
• Add all user accounts in the corresponding OUs and sub-OUs as members of the newly-created groups.
Task Summary

• Create a global security group named Accounting in the Accounting OU
• Add the correct employees as members of the Accounting group
  o Add Mark Woods as a member of the Accounting group
  o Add Mary Barnes as a member of the Accounting group
• Create a global security group named Research-Dev in the Research-Dev OU
• Add the correct employees as members of the Research-Dev group
  o Add Andrea Socko as a member of the Research-Dev group
  o Add Arlene Kimbly as a member of the Research-Dev group
  o Add Pat Benton as a member of the Research-Dev group
  o Add Scott Trans as a member of the Research-Dev group
  o Add Stella Hanson as a member of the Research-Dev group
  o Add Tre Julian as a member of the Research-Dev group
  o Add Wendy Pots as a member of the Research-Dev group
• Create a global security group named Sales in the Sales OU
• Add the correct employees as members of the Sales group
  o Add Susan Smith as a member of the Sales group
  o Add Mark Burnes as a member of the Sales group
  o Add Borey Chan as a member of the Sales group

Explanation

In this lab, you complete the following tasks:

• Create a global security group named Accounting in the Accounting OU.
• Create a global security group named Research-Dev in the Research-Dev OU.
• Create a global security group named Sales in the Sales OU.
• Add all user accounts in the corresponding OUs and sub-OUs as members of the newly-created groups.

Following are steps an expert might take to complete this lab:

1. From Server Manager, select Tools > Active Directory Users and Computers.
2. Browse the Active Directory structure to the appropriate OU.
3. Right-click the OU you want to create the group in and select New > Group.
4. In the Group name field, enter the name of the group.
5. Select the group scope.
6. Select the group type; then click OK.
7. Add a user account to a group as follows:
   a. Right-click the user account and select Add to a group. (Use the Ctrl or Shift keys to select and add multiple user accounts to a group at the same time.)
   b. In the Enter the object names to select field, enter the name of the group.
   c. Select a group scope and a group type, and then click OK.
   d. Select Check Names.
   e. Click OK.
   f. Click OK.
   g. Repeat step 7 to add users to the group.
8. Repeat steps 6-8 to add additional users to the group.
3

You are the IT administrator for the CorpNet domain. You have decided to use groups to simplify access control list administration. You want to create a group of department managers.

In this lab, your task is to use Active Directory Users and Computers to complete the following tasks on the CorpDC server:

• In the Users container, create a group named Managers.
  o Under group scope, select Global.
  o Under the group type, select Security.
• Make the following users members of the Managers group:
  o Mark Woods in the Accounting OU
  o Pat Benton in the Research-Dev OU
  o Juan Suarez in the Marketing\MarketingManagers OU
  o Arlene Kimbly in the Research-Dev\ResearchManagers OU
  o Mark Burnes in the Sales\SalesManagers OU
  o Shelly Emery in the Support\SupportManagers OU
Task Summary

• Create a security group named Managers in the Users container
• Make users members of the Managers group
  o Add Mark Woods
  o Add Pat Benton
  o Add Juan Suarez
  o Add Arlene Kimbly
  o Add Mark Burnes
  o Add Shelly Emery

Explanation

In this lab, you use Active Directory Users and Computers to complete the following tasks on the CorpDC server:

• In the Users container, create a group named Managers.
  o Under group scope, select Global.
  o Under the group type, select Security.
• Make the following users members of the Managers group:
  o Mark Woods in the Accounting OU
  o Pat Benton in the Research-Dev OU
  o Juan Suarez in the Marketing\MarketingManagers OU
  o Arlene Kimbly in the Research-Dev\ResearchManagers OU
  o Mark Burnes in the Sales\SalesManagers OU
  o Shelly Emery in the Support\SupportManagers OU

Use Active Directory Users and Computers on CorpDC to create groups and add members to the groups as follows:

1. From Server Manager, select Tools > Active Directory Users and Computers.
2. Expand CorpNet.com.
3. Select Users.
4. From the menu, select the Create a new group in the current container icon.
5. In the Groups name field, enter Managers.
6. Under Group scope, make sure Global is selected.
7. Under Group type, make sure Security is selected and then click OK.
8. Add user accounts to the Managers group as follows:
   a. Navigate to each user.
   b. Right-click the user and select Add to a group.
   c. In the Enter the object names to select field, enter Managers. You can also browse to the Managers group as follows:
      1. Select Advanced.
      2. Select Find Now.
      3. Select the group.
      4. Click OK twice.
   d. Click OK twice.
   e. Repeat steps 8a-8d to add additional users to the group.
1

You are the IT Administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server so you can manage resources centrally. You are populating user accounts in the domain.

In this lab, your task is to create the following user accounts on CorpDC in the CorpNet.com domain:

User          Job Role
Juan Suarez   Marketing manager
Susan Smith   Permanent sales employee
Borey Chan    Temporary sales employee
Mark Burnes   Sales manager

Use the following user account naming standards and specifications as you create each account:

• User account name: [First name] + [Last name].
• Logon name: [firstinitial] + [lastname] @CorpNet.com.
• Initial password: 1234abcd$ (must be changed at the first logon)
• Place each user account in the appropriate departmental OU:
  o The Marketing\MarketingManagers OU for the marketing manager
  o The Sales\PermSales OU for the permanent employee
  o The Sales\TempSales OU for the temporary employee
  o The Sales\SalesManagers OU for the sales manager
• For the Temporary Sales employee:
  o Limit logon hours to allow logon only from 8 am to 5 pm, Monday through Friday.
  o Expire the user account on December 31.
Task Summary

• Create the Juan Suarez account
  o Create the Juan Suarez account in the Marketing\MarketingManagers OU
  o Set the first name, last name, and full name properties
  o Use [email protected] for the logon name
  o Specify a password of 1234abcd$
  o Require a password change at next logon
  o Enable the account
• Create the Susan Smith account
  o Create the Susan Smith account in the Sales\PermSales OU
  o Set the first name, last name, and full name properties
  o Use [email protected] for the logon name
  o Set the password to 1234abcd$
  o Require a password change at next logon
  o Enable the account
• Create the Borey Chan account
  o Create the Borey Chan account in the Sales\TempSales OU
  o Set the first name, last name, and full name properties
  o Use bchan@CorpNet for the logon name
  o Set the password to 1234abcd$
  o Require a password change at next logon
  o Enable the account
• Limit the logon hours of Borey Chan to allow logon only from 8 am to 5 pm, Monday through Friday.
• Expire the Borey Chan account on December 31st
• Create the Mark Burnes account
  o Create the Mark Burnes account in the Sales\SalesManagers
  o Set the first name, last name, and full name properties
  o Use mburnes@CorpNet for the logon name
  o Set the password to 1234abcd$
  o Require a password change at next logon
  o Enable the account

Explanation

In this lab, you use Active Directory Users and Computers to create the following user accounts:

User          Job Role                   User Name   OU
Juan Suarez   Marketing manager          jsuarez     Marketing\MarketingManagers
Susan Smith   permanent sales employee   ssmith      Sales\PermSales
Borey Chan    temporary sales employee   bchan       Sales\TempSales
Mark Burnes   Sales manager              mburnes     Sales\SalesManagers

Complete this lab as follows:

1. Create a domain user account as follows:
   a. From Server Manager, select Tools > Active Directory Users and Computers.
   b. Browse the Active Directory structure to the appropriate OU.
   c. Right-click the OU and select New > User.
   d. Enter the following values for the new user:
      o First name
      o Last name
      o User logon name (this name is required; the user will use it to log on to the domain)
   e. Click Next.
   f. Enter the user account's initial password and confirm it.
   g. Make sure User must change password at next logon is selected; then click Next.
   h. Click Finish to create the object.
   i. Repeat steps 1b-1h to create the rest of the users.
2. Modify user account restrictions for the temporary sales employee as follows:
   a. In Active Directory Users and Computers, browse to the Borey Chan user account.
   b. Right-click Borey Chan and select Properties.
   c. Select the Account tab.
   d. Select Logon hours.
   e. In the Logon Hours dialog, select Logon Denied to clear the allowed logon hours. By default, logon is always permitted (every hour box is blue).
   f. Drag the mouse to select a time range.
   g. Select Logon Permitted to allow logon.
   h. Click OK.
3. Under Account expires, select End of.
4. In the Date field, enter 12/31 of the current year.
5. Click OK.
6

You are the IT security administrator for a small corporate network. An employee, Terry Brown (tbrown), recently left the organization. His colleagues have harvested the files they need from his home and other directories. Company security policy requires that user accounts are entirely removed when employees leave the company.

In this lab, your task is to perform the following:

• Remove the tbrown user account.
• Remove the tbrown home directory.
• View the /etc/passwd file and /home directory to verify that the account has been removed.

Task Summary

• Delete the tbrown user
• Delete the tbrown home directory

Explanation

In this lab, you perform the following:

• Remove the tbrown user account.
• Remove the tbrown home directory.
• View the /etc/passwd file and /home directory to verify that the account has been removed.

Complete this lab as follows:

1. At the command prompt, type userdel -r tbrown and press Enter to remove the user account and the home directory. (The -r switch removes the home directory when the user account is removed.)
2. Type cat /etc/passwd and ls /home to verify that the account was removed.
5

You are the IT security administrator for a small corporate network. An employee, Brenda Miller (bmiller), recently married. You need to update her Linux user account to reflect her new last name.

In this lab, your task is to perform the following:

• Rename the user account bpalmer.
• Change the comment field to read Brenda Palmer.
• Change the home directory to /home/bpalmer, moving the contents of the old home directory to the new location.
• View the /etc/passwd file and /home directory to verify the account modifications.

Task Summary

• Rename the bmiller user account bpalmer
• Change the comment field to Brenda Palmer
• Change the home directory to /home/bpalmer
• Move the home directory contents

Explanation

In this lab, your task is to do the following:

• Rename the user account bpalmer.
• Change the comment field to read Brenda Palmer.
• Change the home directory to /home/bpalmer, moving the contents of the old home directory to the new location.
• View the /etc/passwd file and /home directory to verify the modification of the account.

Do the following:

• At the command prompt, type usermod -l bpalmer bmiller and press Enter to rename the user account.
• Type usermod -c "Brenda Palmer" bpalmer and press Enter to change the comment field to read Brenda Palmer.
• Type usermod -d /home/bpalmer -m bpalmer and press Enter to change the home directory to /home/bpalmer and to move the contents of the old home directory to the new location.
• Type cat /etc/passwd and ls /home and press Enter to verify that the account was modified.

To complete the tasks in the lab using a single command, use usermod -c "Brenda Palmer" -d /home/bpalmer -m -l bpalmer bmiller.
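
The verification step of the two Linux account labs above (removing tbrown, renaming bmiller to bpalmer) can be scripted instead of read by eye. The following is an added example, not part of the original labs: the function names, the temporary directory, and the tbrowning sample account are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the lab): checks for the userdel/usermod verify steps.
# Paths are arguments so the checks run on constructed data; on a real host
# pass /etc/passwd and /home.

# Print the entry whose login field is exactly $1. A plain "grep tbrown"
# would also match a different account such as tbrowning.
passwd_entry() {   # usage: passwd_entry USER PASSWD_FILE
    awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit !found }' "$2"
}

# Succeed only if the account and its home directory are both gone.
account_removed() {   # usage: account_removed USER PASSWD_FILE HOME_ROOT
    if passwd_entry "$1" "$2" >/dev/null; then
        echo "FAIL: $1 still listed in $2"; return 1
    fi
    if [ -e "$3/$1" ]; then
        echo "FAIL: $3/$1 still exists"; return 1
    fi
    echo "OK: $1 removed"
}

# Succeed only if OLD is gone and NEW has the expected comment and home.
account_renamed() {   # usage: account_renamed OLD NEW COMMENT PASSWD_FILE HOME_ROOT
    account_removed "$1" "$4" "$5" >/dev/null ||
        { echo "FAIL: $1 still has an entry or home directory"; return 1; }
    entry=$(passwd_entry "$2" "$4") || { echo "FAIL: no entry for $2"; return 1; }
    gecos=$(printf '%s\n' "$entry" | cut -d: -f5)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    [ "$gecos" = "$3" ] || { echo "FAIL: comment is '$gecos'"; return 1; }
    [ "$home" = "$5/$2" ] || { echo "FAIL: home is '$home'"; return 1; }
    [ -d "$home" ] || { echo "FAIL: $home does not exist"; return 1; }
    echo "OK: $1 renamed to $2"
}

# Constructed sample: state after "userdel -r tbrown" and the usermod rename.
# tbrowning is an unrelated account that must not count as a leftover.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bpalmer" "$root/tbrowning"
    cat > "$root/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
tbrowning:x:1003:1003:Tina Browning:$root/tbrowning:/bin/bash
bpalmer:x:1004:1004:Brenda Palmer:$root/bpalmer:/bin/bash
EOF
    account_removed tbrown "$root/passwd" "$root"
    account_renamed bmiller bpalmer "Brenda Palmer" "$root/passwd" "$root"
    status=$?
    rm -rf "$root"
    return $status
}
demo
```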