1. Information

Active Directory Users and Computers can be run directly on the file server or remotely by installing Remote Server Administration Tools on a workstation. Because logging on directly to the file server is not advised, that leaves one option: the remote tools.

To start Active Directory Users and Computers as a different user, use one of the following procedures.

  • Right-click Start | Programs | Windows Administrative Tools | Active Directory Users and Computers
    while holding down the Shift key and select Run as different user.

  • Right-click Start | Settings | Control Panel | Administrative Tools | Active Directory Users and Computers
    while holding down the Shift key and select Run as different user.

2. Machine Accounts

2.1. Join computer

  • Maesot computers: Create, configure, and reset the MAC address account in Active Directory (see section 5).

Windows 10
  • Log on as Administrator.

  • Open Control Panel > System.

  • Select Change settings.

  • Click Change.

    Computer name:          SMRUWS-IT00
  • Choose Domain: and type the domain name.

    smru.shoklo-unit.com
  • Click OK.

    User name:              ADjoincom
    Password:               ********
  • Click OK.

  • Click OK.

  • Click OK.

  • Click Close.

  • Click Restart Later.

  • Close Control Panel > System.

  • Restart the computer.

Windows 11
  • Log on as Administrator.

  • Join the computer to the SMRU domain.

    • Click Start > Settings > Accounts.

    • Click Access work or school.

    • Click Connect Button on Add a work or school account.

    • Click Join this device to a local Active Directory domain.

    • Type smru.shoklo-unit.com.

    • Click Next.

    • Type SMRU\ADjoincom in the name field.

    • Type the ADjoincom password in the password field.

    • Click OK.

    • When the Add an account message appears, click Skip.

    • Click Restart Now.

  • Note: It may take up to 15 minutes before the newly joined computer is shown in AD?

  • Start Active Directory Users and Computers as SMRU\ADadmin.

  • Select the smru.shoklo-unit.com > Computers organizational unit.

  • Right-click SMRUWS-IT00 and select Move.

  • Select the smru.shoklo-unit.com > smru > computers organizational unit.

  • Click OK.

  • Close Active Directory Users and Computers.
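
The same join can be scripted from an elevated PowerShell prompt on the workstation. The script below is an added example, not part of the original procedure or of the unit's Windows-Tools; it assumes the computers OU path matches the OU naming used in sections 3.8 and 3.10, and uses the ADjoincom account named above. Placing the account with -OUPath removes the separate Move step in Active Directory Users and Computers.

```powershell
# Added example: join this workstation to the SMRU domain and create its computer
# account directly in smru > computers. Run as the local Administrator.
$DomainName  = 'smru.shoklo-unit.com'
$ComputersOU = 'OU=computers,OU=smru,DC=smru,DC=shoklo-unit,DC=com'   # assumed OU path
$HostName    = $env:COMPUTERNAME                                      # e.g. SMRUWS-IT00

# Prompt for the join account password rather than keeping it in the script.
$Credential = Get-Credential -UserName 'SMRU\ADjoincom' -Message 'Domain join account'

# If RSAT is installed, refuse to join when the name is already in use: joining
# over an existing account silently takes that account over.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $existing = Get-ADComputer -Filter "Name -eq '$HostName'" -Server $DomainName `
                    -Credential $Credential -ErrorAction SilentlyContinue
    if ($existing) {
        throw "Computer account $HostName already exists at $($existing.DistinguishedName)."
    }
}

# -OUPath creates the computer account in the target OU, so no Move is needed afterwards.
Add-Computer -DomainName $DomainName -Credential $Credential -OUPath $ComputersOU -Force
Restart-Computer
```

The ActiveDirectory module check is optional; without RSAT the script still joins, but the duplicate-name check is skipped. The new account can take up to the replication interval to appear in the console, as the note in the Windows 11 steps says.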

2.2. Unjoin computer

  • Note: Make sure to write down the LAPS password before unjoining the computer from the SMRU domain.

  • Log on as Administrator.

CMD
  • Enter the following commands at a PowerShell Command Prompt.

    $Username = "ADadmin"
    $Password = "********"          # Use back ticks for special characters like the dollar sign.
    $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $Credential = New-Object PSCredential $Username, $SecurePassword
    Remove-Computer -Force -UnjoinDomainCredential $Credential

GUI
  • Open Control Panel > System.

  • Select Change settings.

  • Click Change.

  • Choose Workgroup: and type the workgroup name.

    WORKGROUP
  • Click OK.

  • Click OK.

    User name:              ADjoincom
    Password:               ********
  • Click OK.

  • Click OK.

  • Click OK.

  • Click Close.

  • Click Restart Later.

  • Close Control Panel > System.

  • Restart the computer.

  • Remove the computer from the AD organizational unit.

    • Start Active Directory Users and Computers as SMRU\ADjoincom.

    • Select the smru.shoklo-unit.com > Computers organizational unit.

    • Right-click SMRUWS-IT00 and select Delete.

    • Close Active Directory Users and Computers.

3. User Accounts

3.1. Delete account

  • Start Active Directory Users and Computers with ADadmin or ADuseradmin privileges.

  • Select the smru.shoklo-unit.com | smru | users organizational unit.

  • Right-click <Account> and select Delete.

  • Click Yes to confirm.

  • Close Active Directory Users and Computers.

3.2. Disable account

  • Start Active Directory Users and Computers with ADadmin or ADuseradmin privileges.

  • Select the smru.shoklo-unit.com | smru | users organizational unit.

  • Right-click <Account> and select Disable Account.

  • Click OK.

  • Close Active Directory Users and Computers.

3.3. Enable account

  • Start Active Directory Users and Computers with ADadmin or ADuseradmin privileges.

  • Select the smru.shoklo-unit.com | smru | users organizational unit.

  • Right-click <Account> and select Enable Account.

  • Click OK.

  • Close Active Directory Users and Computers.

3.4. Reset User Account Password

  • Start Active Directory Users and Computers with ADadmin or ADuseradmin privileges.

  • Select the smru.shoklo-unit.com | smru | users organizational unit.

  • Right-click <User Name> and select Reset Password.

  • Type password4SHOKLO! in the New password field.

  • Type password4SHOKLO! in the Confirm password field.

  • Check User must change password at next logon.

  • Check Unlock the user’s account.

  • Click OK.

  • Click OK.

  • Close Active Directory Users and Computers.

3.5. New user account

3.5.1. Add

  • Note: Give the user the User accounts.pdf document. File location: T:\IT\Helpdesk\General.

  • Start Active Directory Users and Computers with ADadmin or ADuseradmin privileges.

  • Select the smru.shoklo-unit.com | smru | users organizational unit.

  • Check if there is already a user account with the same first name.

  • If yes, then ???

  • Unselect any user.

  • Select Action | New | User.

    First name:                             <First>
    Last name:                              <Last>
    Full name:                              <First> <Last>
    User logon name:                        <First>@smru.shoklo-unit.com
    User logon name (pre-Windows 2000):     SMRU\<First>
  • Click Next.

  • Active Group: the user needs a domain account.

    Password:                               password4SHOKLO!
    Confirm password:                       password4SHOKLO!
    
    ■ User must change password at next logon
    □ User cannot change password
    □ Password never expires
    □ Account is disabled
  • No Active Group: the user does not need a domain account.

    Password:                               password4SHOKLO!
    Confirm password:                       password4SHOKLO!
    
    ■ User must change password at next logon
    □ User cannot change password
    □ Password never expires
    ■ Account is disabled
  • Click Next.

  • Click Finish.

  • Right-click <First> <Last> and select Properties.

  • Select the General tab.

    First name:                             <First>
    Last name:                              <Last>
    Display name:                           <First> <Last>
    Description:                            <Nickname>
    Office:                                 <Site> - <Office building>
    
    Telephone number:                       <012 345 6789>
    E-mail:                                 <first>@shoklo-unit.com or <first>@bhf-th.org
    Web page:
  • Select the Profile tab.

    Profile path:
    Logon script:                           logon.bat
  • Select the Organization tab.

  • Click Change.

  • Enter <Line manager> name for the object name and click Check Names.

  • Click OK.

    Job Title:                              <Job title>
    Department:                             <Department>
    Company:                                SMRU
    
    Name:                                   <Line manager>
  • Select the Member Of tab.

  • Click Apply.

  • Click OK.

  • Close Active Directory Users and Computers.

3.5.2. Configure

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Start Windows Explorer.

  • Select the \\SMRU-SRV\Home$ folder.

  • Create the \\SMRU-SRV\Home$\<User> folder.

  • Select the \\SMRU-SRV\Home$\<User> folder.

  • Right-click the \\SMRU-SRV\Home$\<User> folder and select Properties.

  • Select the Security tab.

  • Click Edit.

  • Click Add.

  • Type <User> and click Check Names.

  • Click OK.

  • Check <User> | Modify | Allow.

  • Click Apply.

  • Click OK.

  • Click OK.

  • Close Windows Explorer.
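
Sections 3.5.1 and 3.5.2 together can be done in one PowerShell function. The code below is an added example, not the unit's own tooling: it assumes the users OU path from section 3.8, takes the initial password and the logon.bat script from the procedure above, and uses the Active Group rule to decide whether the account is enabled. The function name, its parameters and the sample values in the call at the end are constructed for the example.

```powershell
# Added example: create the user account (3.5.1) and its home folder with Modify
# permission for that user only (3.5.2). Run as SMRU\ADadmin or SMRU\ADuseradmin.
Import-Module ActiveDirectory

$UsersOU    = 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com'
$UpnSuffix  = 'smru.shoklo-unit.com'
$HomeShare  = '\\SMRU-SRV\Home$'
$InitialPwd = ConvertTo-SecureString 'password4SHOKLO!' -AsPlainText -Force

function New-SmruUser {
    param(
        [Parameter(Mandatory)] [string] $First,
        [Parameter(Mandatory)] [string] $Last,
        [string] $Nickname,
        [string] $Office,
        [string] $Phone,
        [string] $Mail,
        [string] $Title,
        [string] $Department,
        [string] $ManagerSam,      # logon name of the line manager
        [switch] $ActiveGroup      # set when the user needs a domain account
    )

    # 3.5.1: the logon name is the first name, so stop if it is already taken.
    if (Get-ADUser -Filter "SamAccountName -eq '$First'" -SearchBase $UsersOU) {
        throw "A user account with logon name '$First' already exists."
    }

    $manager = if ($ManagerSam) { (Get-ADUser -Identity $ManagerSam).DistinguishedName }

    $params = @{
        Name                  = "$First $Last"
        GivenName             = $First
        Surname               = $Last
        DisplayName           = "$First $Last"
        SamAccountName        = $First
        UserPrincipalName     = "$First@$UpnSuffix"
        Path                  = $UsersOU
        AccountPassword       = $InitialPwd
        ChangePasswordAtLogon = $true               # User must change password at next logon
        Enabled               = [bool]$ActiveGroup  # No Active Group: Account is disabled
        Description           = $Nickname
        Office                = $Office
        OfficePhone           = $Phone
        EmailAddress          = $Mail
        ScriptPath            = 'logon.bat'
        Title                 = $Title
        Department            = $Department
        Company               = 'SMRU'
    }
    if ($manager) { $params.Manager = $manager }
    New-ADUser @params

    # 3.5.2: create \\SMRU-SRV\Home$\<User> and add <User> | Modify | Allow.
    $homePath = Join-Path $HomeShare $First
    New-Item -Path $homePath -ItemType Directory -Force | Out-Null
    $acl  = Get-Acl -Path $homePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "SMRU\$First",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $homePath -AclObject $acl
}

# Constructed sample call.
New-SmruUser -First 'Firstname' -Last 'Lastname' -Nickname 'Nick' `
    -Office 'Maesot - Main building' -Phone '012 345 6789' `
    -Mail 'firstname@shoklo-unit.com' -Title 'Job title' -Department 'IT' `
    -ManagerSam 'manager' -ActiveGroup
```

Set-Acl has to translate SMRU\<User> to a SID; if the account was created moments earlier against a different domain controller than the one the file server queries, that lookup can fail until replication completes, so re-run the ACL part in that case.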

3.6. List locked accounts

  • Note: A locked user account is automatically unlocked after 30 minutes (see section 3.12).

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Enter the following commands at a PowerShell Command Prompt.

    Search-ADAccount -LockedOut
    Unlock-ADAccount <Domain user>

3.7. List disabled accounts

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Enter the following commands at a PowerShell Command Prompt.

    Disable-ADAccount <Domain user>
    Enable-ADAccount <Domain user>
    Search-ADAccount -AccountDisabled -UsersOnly |
        Select-Object -Property SID, Name | Sort-Object -Property Name
    Search-ADAccount -AccountDisabled -UsersOnly |
        Select-Object Name |
        Out-File \\SMRU-SRV\Teams$\IT\Tmp\DisabledUsers.txt

3.8. Get account last logon date

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Enter the following commands at a PowerShell Command Prompt.

    Get-ADUser -Identity <Domain user> -Properties "LastLogonDate"
    Get-ADOrganizationalUnit -Filter * | Select Name, DistinguishedName
    
    $Special = @(
        # Accounts that are forwarded: Microsoft 365 admin center > Users > Active users.
        @{ Name = "_Template User" }
        @{ Name = "DBwriter" }
        @{ Name = "DBreader" }
        @{ Name = "MKT-ANC" }
        @{ Name = "MKT-DEL" }
        @{ Name = "MKT-IPD" }
        @{ Name = "MKT-LAB" }
        @{ Name = "MKT-OPD" }
        @{ Name = "Test" }
        @{ Name = "WPA-ANC" }
        @{ Name = "WPA-DEL" }
        @{ Name = "WPA-IPD" }
        @{ Name = "WPA-LAB" }
        @{ Name = "WPA-OPD" }
    )
    
    $Users = Get-ADUser -SearchBase 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com' -Filter * -Properties "LastLogonDate"
    $Users | Where-Object { $Special.Name -notcontains $_.Name } |
        Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-30) } |
        Sort-Object -Property LastLogonDate | Format-Table Name, Enabled, LastLogonDate
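
The one-liners in sections 3.6 to 3.8 are combined below into a reusable script. This is an added example, not part of the original page: the OU paths are the ones used in sections 3.8 and 3.10, the exclusion list is the one from section 3.8, and the 30-day threshold follows the command above. Disabling and moving stale accounts to the _ToDelete OU is an assumed follow-up, which is why that function supports -WhatIf.

```powershell
# Added example: report locked and stale accounts; optionally disable stale ones.
# Run as SMRU\ADadmin or SMRU\ADuseradmin.
Import-Module ActiveDirectory

$UsersOU    = 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com'
$ToDeleteOU = 'OU=_ToDelete,OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com'

# Shared and template accounts that are never expected to log on (list from section 3.8).
$Special = @('_Template User', 'DBwriter', 'DBreader', 'MKT-ANC', 'MKT-DEL', 'MKT-IPD',
             'MKT-LAB', 'MKT-OPD', 'Test', 'WPA-ANC', 'WPA-DEL', 'WPA-IPD', 'WPA-LAB', 'WPA-OPD')

function Get-SmruStaleUser {
    # Enabled accounts in the users OU with no logon in the last $Days days.
    [CmdletBinding()]
    param([int] $Days = 30)
    $now    = Get-Date
    $cutoff = $now.AddDays(-$Days)
    Get-ADUser -SearchBase $UsersOU -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated |
        Where-Object { $Special -notcontains $_.Name } |
        ForEach-Object {
            # LastLogonDate is empty for accounts that never logged on; measure their
            # idle time from the creation date and flag them separately.
            $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }
            if ($last -lt $cutoff) {
                [pscustomobject]@{
                    Name           = $_.Name
                    SamAccountName = $_.SamAccountName
                    LastLogonDate  = $_.LastLogonDate
                    NeverLoggedOn  = -not $_.LastLogonDate
                    IdleDays       = [int]($now - $last).TotalDays
                }
            }
        } | Sort-Object -Property IdleDays -Descending
}

function Disable-SmruStaleUser {
    # Disable each stale account and move it to the _ToDelete OU (assumed clean-up step).
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $Days = 30)
    foreach ($u in Get-SmruStaleUser -Days $Days) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable and move to $ToDeleteOU")) {
            Disable-ADAccount -Identity $u.SamAccountName
            Get-ADUser -Identity $u.SamAccountName | Move-ADObject -TargetPath $ToDeleteOU
        }
    }
}

function Get-SmruLockedUser {
    # Section 3.6, with the lockout time so it is clear when the 30-minute
    # lockout duration from section 3.12 will expire on its own.
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties AccountLockoutTime
    } | Select-Object Name, SamAccountName, AccountLockoutTime
}

Get-SmruLockedUser | Format-Table -AutoSize
Get-SmruStaleUser  | Format-Table -AutoSize
Disable-SmruStaleUser -WhatIf     # review the list first; drop -WhatIf to apply
```

LastLogonDate is replicated only every 14 days or so (it is derived from lastLogonTimestamp), so a 30-day threshold is the practical minimum; a shorter one would flag accounts that logged on recently on a different domain controller.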

3.9. Get account SID

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges (dot-sourcing a .ps1 script requires PowerShell).

    . 'C:\Program Files\Delta Software Labs\Windows-Tools\Debug.ps1'
    $Users = Get-ADEnabledUsers
    $Users | Where-Object { $_.Name -match "Chan" }

3.10. Get account information

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Enter the following commands at a PowerShell Command Prompt.

    Get-ADUser -Identity <Domain user> -Properties * | Select-Object -Property DisplayName, SamAccountName, Title, Department, Office, EmailAddress, telephoneNumber
    Get-ADUser -Identity <Domain user> -Properties * | Select-Object -Property DisplayName, SamAccountName, Title, Department, Office, EmailAddress, telephoneNumber | Format-table
    Get-ADOrganizationalUnit -Filter * | Select Name,distinguishedName
    Get-ADUser -SearchBase 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com' -Filter * -Properties * | Select-Object -Property DisplayName, SamAccountName, Title, Department, Office, EmailAddress, telephoneNumber | Format-table
    Get-ADUser -SearchBase 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com' -Filter * -Properties * | Select-Object -Property DisplayName, SamAccountName, Title, Department, Office, EmailAddress, telephoneNumber | Export-Csv -Path C:\Temp\ADUsers.csv -Delimiter ';' -NoTypeInformation
    Get-ADUser -SearchBase 'OU=_ToDelete,OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com' -Filter * -Properties * | Select-Object -Property DisplayName, SamAccountName, Title, Department, Office, EmailAddress, telephoneNumber | Format-table
    # See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379481(v=ws.10)?redirectedfrom=MSDN
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=smru,DC=shoklo-unit,DC=com' -Scope ForestOrConfigurationSet -Target 'smru.shoklo-unit.com' -WhatIf
    WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=smru,DC=shoklo-unit,DC=com'
    is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on
    'CN=Partitions,CN=Configuration,DC=smru,DC=shoklo-unit,DC=com' if you proceed.
    What if: Performing the operation "Enable" on target "Recycle Bin Feature".
    # See https://community.spiceworks.com/topic/2077684-ad-tombstone-objects
    Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

3.11. Account Password Policy

* Enforce password history                      24 passwords remembered
* Maximum password age                          365 days
* Minimum password age                          0 days
* Minimum password length                       16 characters
* Password must meet complexity requirements    Enabled
* Store passwords using reversible encryption   Disabled
* User must change password at first logon

3.12. Account Lockout Policy

* Account lockout duration              30 minutes
* Account lockout threshold             10 invalid logon attempts
* Reset account lockout counter after   30 minutes

4. Groups

4.1. Create ACL rule group

  • Start Active Directory Users and Computers with SMRU\ADadmin or SMRU\ADuseradmin privileges.

  • Expand smru.shoklo-unit.com > smru.

  • Right-click smru.shoklo-unit.com > smru > groups and select New > Group.

  • Note: Use dashes instead of spaces in the folder names.

  • Modify: Type ACL_<first-level-folder>-<second-level-folder>_rw in the Group name field.

  • Read-only: Type ACL_<first-level-folder>-<second-level-folder>_ro in the Group name field.

  • Choose Domain local under Group scope.

  • Choose Security under Group type.

    Group name:                     ACL_<first-level-folder>-<second-level-folder>_rw
    Group name (pre-Windows2000):   ACL_<first-level-folder>-<second-level-folder>_rw
    
    Group scope             Group type
    ● Domain local          ● Security
    ○ Global                ○ Distribution
    ○ Universal
    Group name:                     ACL_<first-level-folder>-<second-level-folder>_ro
    Group name (pre-Windows2000):   ACL_<first-level-folder>-<second-level-folder>_ro
    
    Group scope             Group type
    ● Domain local          ● Security
    ○ Global                ○ Distribution
    ○ Universal
  • Click OK.

4.2. Create Role group

  • Start Active Directory Users and Computers with SMRU\ADadmin or SMRU\ADuseradmin privileges.

  • Expand smru.shoklo-unit.com > smru.

  • Right-click smru.shoklo-unit.com > smru > groups and select New > Group.

  • Type <Role name> in the Group name field.

  • Choose Global under Group scope.

  • Choose Security under Group type.

    Group name:                     <Role name>
    Group name (pre-Windows2000):   <Role name>
    
    Group scope             Group type
    ○ Domain local          ● Security
    ● Global                ○ Distribution
    ○ Universal
  • Click OK.

4.3. Add ACL rule and Role group member

  • ACL rule: Right-click <ACL rule> and select Properties.

  • Role: Right-click <Role> and select Properties.

  • Click Members tab.

  • Click Add.

  • ACL rule: Type <Role name> for object name and click Check Names.

  • Role: Type <User name> for object name and click Check Names.

  • Click OK.

  • Click Apply.

  • Click OK.

4.4. Remove ACL rule and Role group member

  • ACL rule: Right-click <ACL rule> and select Properties.

  • Role: Right-click <Role> and select Properties.

  • Click Members tab.

  • Select <Role>.

  • Click Remove.

  • Click Yes.

  • Click Apply.

  • Click OK.
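
Sections 4.1 to 4.4 describe the usual user > role (global group) > ACL rule (domain local group) > folder permission nesting. The script below is an added example, not the unit's own tooling: it assumes the groups OU is OU=groups under OU=smru (the console path smru > groups), applies the dash-instead-of-space rule from section 4.1, and adds a check that shows which ACL rules a user reaches through role membership. Group and user names in the sample calls are constructed.

```powershell
# Added example: create ACL rule and role groups, nest them, and verify the chain.
# Run as SMRU\ADadmin or SMRU\ADuseradmin.
Import-Module ActiveDirectory

$GroupsOU = 'OU=groups,OU=smru,DC=smru,DC=shoklo-unit,DC=com'   # assumed OU path

function New-SmruAclGroup {
    # 4.1: ACL_<first-level-folder>-<second-level-folder>_rw and _ro, domain local, security.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $FirstLevel, [Parameter(Mandatory)][string] $SecondLevel)
    foreach ($level in 'rw', 'ro') {
        $name = 'ACL_{0}-{1}_{2}' -f ($FirstLevel -replace ' ', '-'), ($SecondLevel -replace ' ', '-'), $level
        if (Get-ADGroup -Filter "Name -eq '$name'") { Write-Verbose "$name already exists"; continue }
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
                    -GroupCategory Security -Path $GroupsOU
        $name
    }
}

function New-SmruRoleGroup {
    # 4.2: <Role name>, global, security.
    param([Parameter(Mandatory)][string] $RoleName)
    if (-not (Get-ADGroup -Filter "Name -eq '$RoleName'")) {
        New-ADGroup -Name $RoleName -SamAccountName $RoleName -GroupScope Global `
                    -GroupCategory Security -Path $GroupsOU
    }
    $RoleName
}

# 4.3: a role joins an ACL rule; a user joins a role. Users never join ACL rules directly.
function Grant-SmruRoleAccess { param($Role, $AclGroup) Add-ADGroupMember -Identity $AclGroup -Members $Role }
function Add-SmruRoleMember   { param($Role, $User)     Add-ADGroupMember -Identity $Role -Members $User }

# 4.4
function Remove-SmruRoleMember { param($Role, $User) Remove-ADGroupMember -Identity $Role -Members $User -Confirm:$false }

function Get-SmruUserAclRule {
    # Which ACL rules does a user reach through its global role groups?
    param([Parameter(Mandatory)][string] $User)
    Get-ADPrincipalGroupMembership -Identity $User |
        Where-Object { $_.GroupScope -eq 'Global' } |
        ForEach-Object { Get-ADPrincipalGroupMembership -Identity $_.DistinguishedName } |
        Where-Object { $_.Name -like 'ACL_*' } |
        Select-Object -ExpandProperty Name -Unique
}

# Constructed sample: folder Teams\IT, role IT-Staff, user firstname.
$aclGroups = New-SmruAclGroup -FirstLevel 'Teams' -SecondLevel 'IT'   # ACL_Teams-IT_rw, ACL_Teams-IT_ro
$role      = New-SmruRoleGroup -RoleName 'IT-Staff'
Grant-SmruRoleAccess -Role $role -AclGroup 'ACL_Teams-IT_rw'
Add-SmruRoleMember   -Role $role -User 'firstname'
Get-SmruUserAclRule  -User 'firstname'    # expected to list ACL_Teams-IT_rw
```

Get-SmruUserAclRule only follows one level of nesting (user > role > ACL rule), which is what sections 4.1 to 4.3 prescribe; a rule appearing for a user without a role in between means someone bypassed the procedure and added the user to the ACL group directly.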

5. HP Aruba Switch

5.1. CMD

  • Enter the following commands at a Command Prompt with administrative privileges.

    # Check MAC address account.
    cd ~delta/github/git/delta-software-labs/Documentation
    cd ../Windows-Tools/src/
    vi MAC-Authentication.ps1
    
    Get-ADMacAddresses | findstr.exe /ric:"11:22:33:44:55:66"
    Get-ADMacAddresses | findstr.exe /ric:"SMRUNB-DC02"
    
    # Create MAC address account.
    New-ADMacAddress 11:22:33:44:55:66 'Notebook: SMRUNB-IT01 (Ethernet)'
    New-ADMacAddress 11:22:33:44:55:77 'Notebook: SMRUNB-IT01 (Wireless)'
    New-ADMacAddress 11:22:33:44:55:88 'Desktop: SMRUWS-IT07'
    New-ADMacAddress 11-22-33-44-55-88 'Printer: 10.10.1.##, Location, Color, Printer Name' -Force
    
    # Delete MAC address account.
    Remove-ADMacAddress 11:22:33:44:55:66
    Remove-ADMacAddress 11:22:33:44:55:77
    Remove-ADMacAddress 11:22:33:44:55:88

5.2. GUI

Create MAC address account
  • Start Active Directory Users and Computers with ADadmin privileges.

  • Select smru.shoklo-unit.com > smru > MAC-Addresses.

  • Click Name to sort the MAC address by name.

  • Check that the MAC address is not already in the list.

  • Right-click _Template_MACaddresses and select Copy.

  • Type the MAC address in the First name field.

  • Type the MAC address in the User logon name field.

    First name:                             <MAC address>
    Initials:
    Last name:
    Full name:                              <MAC address>
    
    User logon name:                        <MAC address>   @smru.shoklo-unit.com
    User logon name (pre-Windows 2000):     SMRU\           <MAC address>
  • Click Next.

  • Type password4SHOKLO! in the Password field.

  • Type password4SHOKLO! in the Confirm field.

    Password:               ********
    Confirm:                ********
    
    □ User must change password at next logon
    ■ User cannot change password
    ■ Password never expires
    □ Account is disabled
  • Click Next.

  • Click Finish.

Configure MAC address account
  • Right-click MAC address and select Properties.

  • Select the General tab.

  • Type the computer or device name in the Description field.

    First name:     <MAC address>
    Initials:
    Last name:
    Display name:   <MAC address>
    Description:    <Computer or device name>
    Office:
  • Select the Account tab.

  • Check Store password using reversible encryption in the Account options box.

    □ User must change password at next logon
    ■ User cannot change password
    ■ Password never expires
    ■ Store password using reversible encryption
  • Click Apply.

  • Click OK.

Reset MAC address account password
  • Right-click MAC address and select Reset Password.

  • Type the MAC address in the New password field.

  • Type the MAC address in the Confirm password field.

  • Check Unlock the user’s account.

    New password:           ********
    Confirm password:       ********
    
    □ User must change password at next logon
    ■ Unlock the user’s account
  • Click OK.

  • Click OK.

  • Close Active Directory Users and Computers.
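
The create, configure and reset steps in section 5.2 end with an account whose password is its own MAC address, cannot be changed, never expires and is stored with reversible encryption. The script below is an added example and is not the Windows-Tools New-ADMacAddress cmdlet used in section 5.1: it assumes the MAC-Addresses OU is OU=MAC-Addresses under OU=smru, normalises the MAC to a dash-separated form (an assumption; a colon is not a valid character in a pre-Windows 2000 logon name), mirrors the -Force behaviour of section 5.1, and adds an audit query for reversible-encryption accounts outside that OU. Sample values in the calls at the end are constructed.

```powershell
# Added example: MAC address accounts for switch MAC authentication, as in section 5.2.
# Run as SMRU\ADadmin.
Import-Module ActiveDirectory

$MacOU  = 'OU=MAC-Addresses,OU=smru,DC=smru,DC=shoklo-unit,DC=com'   # assumed OU path
$Suffix = 'smru.shoklo-unit.com'

function ConvertTo-SmruMac {
    # Accept 11:22:33:44:55:66, 11-22-33-44-55-66, 1122.3344.5566 or 112233445566
    # and return 11-22-33-44-55-66 (separator is an assumption; ':' cannot be used
    # in a sAMAccountName).
    param([Parameter(Mandatory)][string] $Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "'$Mac' is not a 48-bit MAC address." }
    (0..5 | ForEach-Object { $hex.Substring(2 * $_, 2) }) -join '-'
}

function Find-SmruMacAccount {
    # Equivalent of "Get-ADMacAddresses | findstr" in 5.1: match on MAC or description.
    param([Parameter(Mandatory)][string] $Pattern)
    Get-ADUser -SearchBase $MacOU -Filter * -Properties Description |
        Where-Object { $_.Name -match $Pattern -or $_.Description -match $Pattern } |
        Select-Object Name, Description, Enabled
}

function New-SmruMacAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Mac,
        [Parameter(Mandatory)][string] $Description,   # e.g. 'Desktop: SMRUWS-IT07'
        [switch] $Force                                 # replace an existing account, like -Force in 5.1
    )
    $mac = ConvertTo-SmruMac $Mac
    $existing = Get-ADUser -Filter "Name -eq '$mac'" -SearchBase $MacOU -Properties Description
    if ($existing -and -not $Force) {
        throw "MAC account $mac already exists ($($existing.Description)); use -Force to replace it."
    }
    if ($existing -and $PSCmdlet.ShouldProcess($mac, 'Remove existing MAC account')) {
        Remove-ADUser -Identity $existing -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($mac, 'Create MAC account')) {
        $secret = ConvertTo-SecureString $mac -AsPlainText -Force     # password = MAC (5.2 reset step)
        New-ADUser -Name $mac -GivenName $mac -DisplayName $mac -SamAccountName $mac `
            -UserPrincipalName "$mac@$Suffix" -Path $MacOU -Description $Description `
            -AccountPassword $secret -Enabled $true -ChangePasswordAtLogon $false `
            -CannotChangePassword $true -PasswordNeverExpires $true `
            -AllowReversiblePasswordEncryption $true
    }
}

function Get-SmruReversibleOutsideMacOU {
    # Audit: reversible password storage is needed only for MAC accounts. Bit 0x80 (128)
    # of userAccountControl is ENCRYPTED_TEXT_PASSWORD_ALLOWED.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
        Where-Object { $_.DistinguishedName -notlike "*,$MacOU" } |
        Select-Object Name, DistinguishedName
}

# Constructed sample calls.
New-SmruMacAccount -Mac '11:22:33:44:55:88' -Description 'Desktop: SMRUWS-IT07' -WhatIf
Find-SmruMacAccount -Pattern 'SMRUWS-IT07'
Get-SmruReversibleOutsideMacOU
```

New-ADUser rejects the password if the MAC address does not satisfy the complexity rules in section 3.11 (an all-digit MAC with dashes has only two character classes); the manual reset step in section 5.2 is subject to the same policy, so a fine-grained password policy on the MAC-Addresses OU is required in that case. Get-SmruReversibleOutsideMacOU should normally return nothing; any hit is an ordinary user whose password is recoverable from the directory and should be switched back to normal storage and changed.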