A Series of Posts Exploring the Features of Active Directory and Simulating Common IT Support Scenarios


Skills Developed in This Project Series

Part 1

  • How to use important Active Directory tools and features such as: Find, View Advanced Features, Object Properties, and Attribute Editor.
  • Creation/deletion, enabling/disabling, and setting expiration dates for User Accounts.
  • How and when to use common Command Prompt commands such as ipconfig, net use, net user, and ping.
  • Connecting computers to the domain.
  • Using Active Directory from client computers on the domain.
  • Creation of Organizational Units (OU).

Part 2

  • Remotely unlocking a user account after repeated failed login attempts, and helping a user reset their password.
  • Using Group Policy Editor to set security and password policies for the domain.
  • Using the Command Prompt to view information about another domain user’s account.
  • Enabling/disabling a computer account on the domain, and how to add the same computer account back to Active Directory after deletion.
  • Creation of share folders on the domain controller and mapping those shares to users’ computers.
  • Creating Security Groups, editing permissions, and disabling inheritance.
  • Configuring the automatic creation of folders for individual users within a share drive.

Part 3

  • How to enable and use Remote Desktop, Windows Remote Assistance, Remote Administration Tools such as Remote Registry, and remotely accessing a computers file system.
  • Using Group Policy Management to remotely disable services on a computer or user account through Computer Configuration or User Configuration options.
  • Using important Group Policy commands such as gpupdate /force and gpresult /r.
  • Using Group Policy Wizard to generate reports.

Part 4

  • Installing and using PDQ Deploy Enterprise to silently install and uninstall software on computers remotely without disrupting the user.
  • Installing and using PDQ Inventory Enterprise synced with Active Directory to run reports and remotely manage computes on the domain.
  • Creating a print server, installing/updating print drivers, configuring sharing settings for a printer, client-side vs server-side rendering, and accessing the printer as a user.
  • Understanding the importance of Delegation of Control, and how to use the Delegation of Control Wizard to assign common task permissions as well as create custom tasks to delegate.

Introduction to the Project Series

This project series of 4 parts is meant to be done after reading “How to Create an Active Directory Practice Environment”. You will need to have an Active Directory practice environment set up before you can practice the skills discussed in this post. I will also assume that you have read the previous post and have learned how to navigate to find Active Directory Users and Computers, and are aware of basic terms like Organizational Unit (OU) so I will not reiterate.

There are many tools and topic to cover in this post, so it will be more like a series of mini tutorials on how to use certain functions and how to accomplish common tasks. These projects are focused on preparing for a help desk or IT support role. These posts are based primarily on an online video series made by Kevtech “https://www.youtube.com/watch?v=h7XwFtM938I&list=PLdh13bXVc6-k_u2RPqYAp8R8HtYT_ONht”. I have expanded on certain topics and added clarity based on viewer comments on the video series. There are several parts where viewers and myself were unable to replicate the steps due to missing information or differences in configurations. I hope to add to the valuable practical education Kevtech has provided to aid others wishing to learn. My post is also different in that I am using a newer version of Windows Server, and Windows 11 Enterprise instead of Windows 10 Home.

As you are going through this post, certain parts of it may seem unrelated; however, as the tasks get more complex, many of the previously covered tools and features will come together.


Using the Find feature

We will use this feature many times in Active Directory. It allows you to quickly search the entire database for specific objects.

To practice using the Find feature, go to Active Directory Users and Computers, and right-click on an OU and click Find. This feature allows you to search for specific objects, such as a user account.


A Better Way to Use the Find Feature

As an example object, we will search for the Guest User account in Active Directory.

One thing that may be confusing when searching for the Guest User account is that you are only searching in a specific domain or OU. It is better to change the search to search in the Entire Database instead of Computers for example. In this screenshot, you can see that I originally used the find tool in the Computers OU. I then widened the scope of the search to outside of that OU by changing the In section to Entire Database. You can also see in the results below that it returned a result for both the Guest User as well as the Guests Group. This is because the Find tool was set to search for Users, Contacts, and Groups.

The default In section will be whichever OU or domain you right-clicked on to launch the Find feature. For example, if you right-clicked on the domain name, then it will be set to search in that domain.


Enabling View Advanced Features in Active Directory Users and Computers

In Active Directory Users an Computers, if you click the View tab in the toolbar and select Advanced Features from the drop-down menu, then you will be able to see many things that you could not see before. In the context of using the Find tool to find an object, like the Guest User example, View Advanced Features being enabled will add additional tabs when looking at the Guest User Properties. You can see in the screenshot that there is now an Object tab in the properties which was not available without View Advanced Features enabled. This Object tab shows the exact directory path to this guest account, which tells us which OU’s it is in.




Making a New Account by Copying an Existing Account

Administrator accounts have to be configured to have the permissions that they need to administrate, so making a new admin account from scratch takes time and effort which you can avoid by just copying the account. When you right-click an admin account (or any account) and select copy, it will make a new account with all the same settings and permissions but with a new name. This is a great way to save time and also be sure that the new admin account is configured the same as the existing accounts. Just make sure that you actually want that account to be a complete copy, and that you don’t have to remove certain permissions.

You can see in the image below that I copied my existing admin account (Joseph Sanders from the _ADMINS OU), and made a new account named helpdesk.

Keep in mind that a real Help Desk account would not really have access to something like Server Manager. That is for higher level positions. For the purposes of this project, we can let the Help Desk have that access because there is nothing at risk here.


Active Directory Administrative Center

The Active Directory Administrative Center can be found in the start menu under Windows Administrative Tools.

Enabling the Recycle Bin for a domain can be done from the Administrative Center.


The ipconfig, net use, and net user Commands

ipconfig

Get the basic IP information, default gateway, and DNS suffix.

ipconfig /all

The /all option provides all the same information as ipconfig, but with even more information. One of the most important pieces of information for a help desk role is the DHCP status (Enabled or Disabled) and DHCP server address. DHCP will usually need to be enabled on most clients, but it may be disabled on something that needs a static IP like a printer.

net use

This command will tell you what share drives a user has access to.

net user username /domain

Make sure to replace username with the actual username, but leave the actual word /domain. Do not replace it with your domain name. This will tell you important user information like when the password expires, when it was last set, and when it will be changeable. It will also show what groups the user is a part of.

We will cover other commands later in the project as they become necessary.


Adding a Local Administrator Account to a Client on the Domain

The local account will work on the client even when there is some issue with the client connecting to the domain. Even if there is network connectivity to the domain, there may be other issues preventing the client from being able to log in with a domain user account. For this reason, you may need to use a local account on the client to change configurations and get the domain user account login working. One example of a reason you may use the local Admin account is to remove the client from the domain, then re-add it back to the domain.

For this reason, we can add a local Administrator account on the client. To start, log in to the existing local user account that was made during the setup of the client, as covered in the previous post on Active Directory practice environment setup.

Once logged in to the local account, open File Explorer. Then right-click This PC, and select Show more options (Only for Windows 11). Then click Manage (This will be immediately visible if right-clicking on Windows 10).


That should open up Computer Management. From here, click the Local Users and Groups, then select Users. This shows all of the available user accounts on this PC. You may have noticed that you didn’t see any of these accounts in the login screen. That is because they are disabled. There is already an Administrator account on this PC, it is just disabled.

If you are connected to a domain, then you can gain administrator privileges using the domain Admin account. This is what we will do to enable the local Admin account with the Administrator Command Prompt. When you search for the Command Prompt in the search bar, and right-click to Run as Administrator, you will be prompted to log in using a domain Admin account. This will then give you access to the Administrator Command Prompt. Note that you can also do this with PowerShell. Before we successfully enable the local Admin account, let me show you a problem you could have.

If we just use the net user administrator /active:yes command, we can receive this error. This is because there is no password set for the administrator account, and the absence of a password is a violation of our domain’s password policy requirements. You can also get this error if you already assigned the local Admin account with a password that fails to meet your domain’s password policy requirements.

To stop getting this error, we need to first assign a password to the local Admin account with the following command:

net user administrator *

You will then be prompted to enter a password. After the password is successfully added, you can run the command shown in the error example above.

net user administrator /active:yes

Alternatively, you can activate it using the GUI from the screenshots above once the password is added.

After running those commands successfully, you can see that the Account is disabled box is no longer checked in Administrator Properties. This is what I saw as soon as I re-opened it. Also one thing you should know is that if the icon of that user account has a downward pointing arrow on it, then it is disabled. That is a way to quickly see it is disabled without having to open up the account’s properties.

Now we can restart the client. You may be confused at first, because there is no visible option to sign in as Administrator. You can, but it isn’t immediately visible. If you click on Other user, and click How do I sign in to another domain?, then it will show you how to log in to another local account. It requires you to add PC name\ (in my example it would be CLIENT1\) in front of the local user name. So for this Administrator account it would look like this:

CLIENT1\Administrator

The computer will automatically recognize that you are logging in to a local device account if you type:

.\Administrator

It should say Sign in to CLIENT1 below as soon as you type CLIENT1\.

Anytime you sign in to a new account for the first time, Windows will take a minute to “Set things up for you”.

Now that we have a local Administrator account, we can remove the original local account we had made during the Windows 11 install and setup process. There is no reason to have another local account on the client once we have the client connected to the domain and also have a local Administrator account.

To delete the local user account from the client, repeat the steps we did to view the user accounts in Computer Management, but this time right-click on the user account we want to delete, and click Delete.


Accessing Active Directory Tools from a Client

In order to access Active Directory tools from a Windows client, we need to install various features on the client. This will be slightly different on Windows 10 and 11. In Windows 10 it’s called Apps and features and on Windows 11 it’s called Apps. I’ll cover Windows 11 here.

Go to Settings, click Apps, then click Optional features. Click View features next to Add an optional feature.


Add the following features:

RSAT: Active Directory Certificate Services Tools

RSAT: Active Directory Domain Services and Lightweight Directory Services

RSAT: DHCP Server Tools

RSAT: DNS Server Tools

RSAT: Group Policy Management Tools

RSAT: Remote Desktop Services Tools

RSAT: Server Manager

As stated earlier, RSAT: Server Manager is not going to actually be available to Help Desk in the real world, but we will add it so that we can see what it’s like to control a server from a client on the domain. Also, both of these screenshots will look different on Windows 10, but everything has the same name. It will just have a different look to the GUI and button placement will be different.

In addition to these Active Directory tools, I am also going to download TeamViewer for use in later projects. TeamViewer can be downloaded from the web browser. From: https://www.teamviewer.com/en-us/download/windows/

Download the Full Client x64 version on this client, because this client is going to be the Help Desk employee’s workstation. We will use a second Windows 11 client to act as the person who needs support. As mentioned in the previous post, the single Windows 11 Enterprise Eval ISO can be used to make multiple VM’s at the same time.


Test Out Logging in as Help Desk on CLIENT1

To verify that your Help Desk account can log in on CLIENT1, we need to log out of the local Administrator account. Click Other user at the log in screen and confirm that it says Log in to: MYDOMAIN underneath. Once again, it will take a minute to “Set things up for you”. Once you have logged in, go ahead and check to see if all the Active Directory tools we installed are accessible to the Help Desk account, and check if TeamViewer is available as well.

The first post used Windows Server 2019 to install Active Directory on to. That GUI is basically a Windows 10 GUI, so in our Windows 11 GUI, it’s a bit different to access the Active Directory tools we found in Windows Administrative Tools. They are under Windows Tools which can be reached by clicking All Apps in the start menu, and scrolling down to Windows Tools. Windows Tools can also be found in System and Security in the Control Panel. You can also just search Windows Tools, but I like knowing where things are located in the operating system, just in case you can’t remember exactly what something is called. That way you can poke around until you see it. I guess for something with a name as simple as Windows Tools that’s not as necessary.

Once you are there, confirm the Active Directory tools are in there. Try to open Active Directory Users and Computers to see if you are able to open it.


Creating a User to Help

Now that the Help Desk client has access to the Active Directory Users and Computers, we can make new accounts for the domain from the Help Desk client. The new account will be used for the 2nd Windows 11 Enterprise Eval VM, and will act as the person who needs out support. Using the same user account creation steps covered previously, let’s make the account.

Another thing we should do to make this project a bit more realistic is create some new OU’s. One OU will be IT, and will be where we move the Help Desk account to. The other OU will be a department within the organization, in this case HR, so that we don’t just have a giant list of users. In reality every user would most likely be inside an OU other than just the list of all users on the domain (_USERS). We will move the new account, which I named Confused User, to HR. I don’t intend to disrespect any HR folks by the way, everyone has been a confused user at some point in their lives.

After creating the new OU’s, let’s implement the Find feature we learned about earlier. It will be much faster than scrolling through the _USERS OU. Remember that you could right-click anywhere in here, not necessarily just on the _USERS OU. That’s because you can just set it to Entire Database in the Find settings.

Once you find the user, right-click and select move. Then select the OU you want to move the user account to. If you look closely at the screenshots, you can see when the + is no longer next to the OU name. You have to actually click the + to the left of the name, not just click the name. You can also move the user to multiple OU’s at the same time. It is possible to drag and drop if you are looking at the user account in it’s OU, but you can’t drag and drop it from the Find results.



If you have moved the user account, but you don’t see it in the OU, then just refresh Active Directory Users and Computers. The Refresh option can be found in the Action drop down menu from the toolbar.


Attribute Editor

Now we need to make sure that View Advanced Features is enabled in this client’s Active Directory Users and Computers, as discussed earlier before we were using Active Directory on the client. This will give us the ability to see the Object tab in a user account’s Properties. The reason this is important now is because the Object tab allows us to see the directory path to the user account. The path is a term referring to the location of a file in a file system. Seeing the path is useful because we can see what parent directories, or in this case, what OU a file is under (I phrase this in terms of files and directories because it’s a bit more of a universal way of understanding file systems and databases). This is important to be able to find because there are certain things we can’t do from the Find results. Now in our case we already know the location, but it’s important to replicate what we would do if we were actually working in a production environment and didn’t know where it was located.

The Attribute Editor is a tab in a user account’s Properties which is only visible with View Advanced Features enabled, and also only visible if you view the Properties by finding the account inside it’s OU. It isn’t visible from the Find results. The Attribute Editor has extensive information on the account.


Connecting CLIENT2 to the Domain

Repeating the process discussed earlier, connect the 2nd Windows 11 Enterprise Eval VM to the domain. This time we can name the PC CLIENT2, and connect to the domain with the confuseduser user name.

To check if that worked, view Active Directory Users and Computers from the Help Desk client (CLIENT1), and under Computers you should be able to see both CLIENT1 and CLIENT2.

Then we can repeat the steps required to have a local Admin account on CLIENT2. We just want to have a local Admin account available to us in case we need it. Delete whatever local account you previously created when setting up the VM. Log out of the local Admin account and log back in with the confuseduser account so we can see Attribute Editor in action. After you log in, go to the Help Desk client and pull up Confused Users’s Properties from inside their OU. Go to the Attribute Editor tab and scroll down until you see lastLogon. It should say that the last logon was just a minute or 2 ago. Now you have a tangible example of the usefulness of Attribute Editor.


Using the ping Command and Why it May Not be Working

Ctrl+C is how you stop a ping.

You could ping another computer on the network by computer name instead of IPv4 address. Here you can see that CLIENT2 was unable to ping CLIENT1, yet it still gave us the CLIENT1’s IP address. It is common for ICMP requests, which are what a basic ping uses on Windows, to be blocked by a firewall because it is often used maliciously. I confirmed that the ping was just being stopped by the firewall by disabling Windows Defender on CLIENT2 and pinging it from CLIENT1. Obviously you don’t want to actually do that, but it confirms that Windows Firewall will often block ICMP pings.


Summary of Part 1

Now is a good stopping point for this post. We have learned some of the basic tools, features, and commands to serve us with more advanced tasks later. We also have two client VM’s connected to our domain and domain user accounts to be used on each. We have a Help Desk employee and a Confused User. In the next post we will start simulating a Help Desk employee providing support to the Confused User with some very common support tickets while also learning about more tools and features in Active Directory.


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *