PowerShell Automation for Active Directory (Server Core Edition)

Environment Setup (Read This First!)
1. Server Core Installation

○ You must perform all tasks on a Windows Server Core installation, not the full GUI.
○ Verify you’re in Server Core (no GUI shell). If you see a desktop environment, that’s the wrong edition!
2. Local User (First Name) in Administrators Group

○ Before promoting your machine to a domain controller, create a local user
named after your first name (e.g., if you are James Bond, use James).

○ Add this user to the local Administrators group on the Server Core system (P@ssw0rd123 is a sample value; use your own password). Example commands:
net user James P@ssw0rd123 /add
net localgroup Administrators James /add

○ This ensures your first AD account will be your first name and a domain administrator, instead of simply “Administrator”.
○ Assign a static IP to your Server Core, using either sconfig or the commands below. Example:
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.10 -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

3. Custom Domain

○ Your AD domain must be yourLastName.com. If your last name is Smith, use
smith.com.
4. Computer Name

○ Rename your Server Core machine to lastname-dc1 (e.g., Smith-DC1). Example:
Rename-Computer -NewName "Smith-DC1"
Restart-Computer

5. Promote to Domain Controller

○ After you’ve done the above steps (local admin, static IP, rename), install and promote the machine to a domain controller for your domain (lastname.com).

6. Custom PowerShell Prompt

○ Modify your prompt in PowerShell to display the computer name and date/time, as done with Windows 11 in your Template Instructions.
○ Ensure this custom prompt is visible in all screenshots.

7. Submission Template

○ You’ll place all required screenshots in a single PowerPoint file.

Scenario / Backstory
You are now an AD Administrator at AlphaTech, running on Server Core with the domain
lastname.com (replace “lastname” with your real surname). You’ll automate:

1. Onboarding new users from an HR CSV.
2. Organizing them into security groups.
3. Offboarding (disabling) departed users.
4. Deleting accounts after 90 days.
5. Auditing group memberships, spotting potential overprivilege.

All tasks require PowerShell CLI verification (no GUI tools) on your Server Core with a custom prompt.

Part 1: Onboard New Users from CSV
Why
● HR data is provided in CSV format. Automating user creation saves time and avoids errors.

Steps
1. CSV File

○ Create C:\UsersList.csv with at least two entries, e.g.:

FirstName,LastName,UserName,Department,Email
John,Doe,jdoe,IT,jdoe@smith.com
Jane,Smith,jsmith,HR,jsmith@smith.com

○ Adjust for your actual last name and domain (e.g., brown.com).
2. Onboarding Script

○ Use or adapt the provided script to:
■ Import the CSV
■ Check if each user exists
■ If not, create a disabled AD user account
3. CLI Verification

○ From Server Core PowerShell, verify the users were created:
Get-ADUser -Filter "SamAccountName -eq 'jdoe' -or SamAccountName -eq 'jsmith'"

○ Check your custom PowerShell prompt is visible.
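
One way to write the onboarding script described in step 2, as an added example and not the course's provided script. It assumes the CSV columns shown above, the sample domain smith.com, and the default Users container; the UserName check is an added safeguard because that value is placed inside the -Filter string.

```powershell
# Added example, not the course's provided script.
# Assumptions: C:\UsersList.csv has the columns shown above and the
# domain is smith.com (replace with your own).
Import-Module ActiveDirectory

$csvPath   = 'C:\UsersList.csv'
$upnSuffix = 'smith.com'

foreach ($row in Import-Csv -Path $csvPath) {
    $sam = "$($row.UserName)".Trim()

    # CSV values are untrusted input: reject anything that could break
    # or alter the filter string used for the existence check.
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipped invalid UserName: '$sam'"
        continue
    }

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Host "User already exists: $sam"
        continue
    }

    $params = @{
        Name              = "$($row.FirstName) $($row.LastName)"
        GivenName         = $row.FirstName
        Surname           = $row.LastName
        SamAccountName    = $sam
        UserPrincipalName = "$sam@$upnSuffix"
        Department        = $row.Department
        EmailAddress      = $row.Email
        Enabled           = $false   # no password is set, so the account is created disabled
    }
    New-ADUser @params
    Write-Host "Created user: $sam"
}
```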

Screenshot #1

● Single screenshot showing:
○ Script output (e.g. “Created user: jdoe”).
○ Get-ADUser results for those SamAccountNames.
○ Your custom prompt (server name + date/time).

Part 2: Create Security Groups & Add Users
Why
● Different organizational units need distinct resource access. Groups let you control permissions collectively.

Steps
1. Group Creation

○ Create at least three security groups (e.g., Development, Operations, Executives).
Example:
$groups = @("Development","Operations","Executives")
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
        Write-Host "Created group: $g"
    }
}

2. Add Users to Groups

○ Assign your newly created CSV users to relevant groups:
Add-ADGroupMember -Identity "Development" -Members "jdoe"
Add-ADGroupMember -Identity "Operations" -Members "jsmith"
3. CLI Verification

○ Check membership:
Get-ADGroupMember "Development"
Get-ADGroupMember "Operations"
Get-ADGroupMember "Executives"
○ Ensure your custom prompt is visible.

Screenshot #2

● Single screenshot showing:
○ Group creation messages.
○ Membership check (e.g., jdoe in “Development”).
○ Custom prompt.

Part 3: Offboard a User (Disable Account)
Why
● When someone leaves, disable their account first to prevent unauthorized access while preserving the account for record-keeping.

Steps
1. Choose a User

○ Pick at least one user from Part 1 (e.g., jdoe).
2. Offboarding Script

○ The script calls Disable-ADAccount on that user. Example:
Disable-ADAccount -Identity jdoe
Write-Host "Disabled user: jdoe"

3. CLI Verification

○ Check the Enabled property:
Get-ADUser -Identity jdoe -Properties Enabled

Screenshot #3

● Single screenshot:
○ Output of the offboarding script.
○ Get-ADUser showing Enabled: False.
○ Custom prompt.

Part 4: Delete Users After 90 Days
Why
● AlphaTech’s policy is to delete disabled accounts after a 90-day retention. We’ll simulate that window in this lab.

Steps
1. Simulate the 90-Day Threshold

○ Temporarily modify your script to use (Get-Date).AddDays(-1), or tweak WhenChanged, to meet the time requirement for your test user.
2. Run the Deletion Script

○ Find disabled users older than the threshold and remove them:
$threshold = (Get-Date).AddDays(-90)
$oldUsers = Get-ADUser -Filter { Enabled -eq $false } -Properties WhenChanged |
    Where-Object { $_.WhenChanged -lt $threshold }

foreach ($u in $oldUsers) {
    Remove-ADUser -Identity $u.SamAccountName -Confirm:$false
    Write-Host "Deleted user: $($u.SamAccountName)"
}

3. CLI Verification

○ Attempt to retrieve the user again:
Get-ADUser -Identity jdoe

○ No result or an error indicates successful deletion.
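
A narrower form of the deletion step, as an added example that is not part of the lab's own script: it limits the search to one OU, skips critical system objects such as the built-in Guest and krbtgt accounts (both disabled by default), and supports -WhatIf for a dry run. The function name and the OU "Offboarded" are assumptions.

```powershell
# Added example. Remove-StaleDisabledUser and the OU "Offboarded" are
# hypothetical names; smith.com is the sample domain from the lab text.
Import-Module ActiveDirectory

function Remove-StaleDisabledUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $RetentionDays = 90
    )

    $threshold = (Get-Date).AddDays(-$RetentionDays)

    # Only disabled users under $SearchBase, never critical system objects.
    # WhenChanged moves on any modification, so it is an upper bound on
    # how long the account has been disabled, not the disable date itself.
    $candidates = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
                      -Properties WhenChanged, isCriticalSystemObject |
        Where-Object { $_.WhenChanged -lt $threshold -and -not $_.isCriticalSystemObject }

    foreach ($u in $candidates) {
        # ShouldProcess honours -WhatIf and -Confirm passed by the caller.
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Remove-ADUser')) {
            Remove-ADUser -Identity $u.DistinguishedName -Confirm:$false
            Write-Host "Deleted user: $($u.SamAccountName)"
        }
    }
}

# Dry run: reports what would be deleted without changing the directory.
Remove-StaleDisabledUser -SearchBase 'OU=Offboarded,DC=smith,DC=com' -WhatIf
```

Run it again with -Confirm:$false in place of -WhatIf once the dry-run list matches the accounts you expect.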

Screenshot #4

● Single screenshot showing:
○ Removal script output (e.g., “Deleted user: jdoe”).
○ Get-ADUser -Identity jdoe failing or returning nothing.
○ Custom prompt.

Part 5: Audit Security Groups (Enhanced)
Why
● Auditors need to see the membership of key groups. They also flag any user who belongs to too many groups (possible excessive access).

Steps
1. Create More Groups

○ Add at least three new groups (e.g., Finance, Research, HR).
2. Add One User to 6+ Groups

○ Pick a user (e.g., jsmith) and add them to six or more total groups.
3. Run the Audit Script

○ List members for your original and new groups.
○ Warn if any user is in more than five groups.

Example snippet:
$groupsToAudit = @("Development","Operations","Executives","Finance","Research","HR")

foreach ($g in $groupsToAudit) {
    # ${g} is required here: "$g:" would be parsed as a scoped variable reference
    Write-Host "`nMembers of ${g}:"
    Get-ADGroupMember $g | Select-Object SamAccountName
}

$allUsers = Get-ADUser -Filter * -Properties MemberOf
foreach ($u in $allUsers) {
    if ($u.MemberOf.Count -gt 5) {
        Write-Warning "User '$($u.SamAccountName)' is in $($u.MemberOf.Count) groups!"
    }
}

4. CLI Verification

○ Check the console output to confirm:
■ Each group’s membership.
■ A warning for the user with 6+ memberships.
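
The MemberOf count in the snippet above covers direct memberships only, so access gained through nested groups is not counted. The added example below (not part of the lab's script) goes beyond the lab's case and counts effective membership with the LDAP in-chain matching rule; the threshold of five is taken from the lab text.

```powershell
# Added example: flag users by effective (nested) group membership.
Import-Module ActiveDirectory

$limit = 5   # threshold from the lab text

foreach ($u in Get-ADUser -Filter * -Properties MemberOf) {
    # Escape characters that are special inside an LDAP filter value.
    $dn = $u.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it returns
    # every group that contains the user directly or through nesting.
    # The primary group (usually Domain Users) appears in neither count.
    $effective = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
    $direct    = @($u.MemberOf).Count

    if ($effective.Count -gt $limit) {
        Write-Warning ("User '{0}' is in {1} groups ({2} direct, {3} via nesting)" -f
            $u.SamAccountName, $effective.Count, $direct, ($effective.Count - $direct))
    }
}
```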

Screenshot #5

● Single screenshot showing:
○ Group membership listings (at least 6 groups total).
○ Warning for the user in more than five groups.
○ Custom prompt.

Submission Instructions
1. PowerPoint Template

○ Insert exactly five screenshots (one per part) into the slides as instructed.

Assignment Recap
By completing these steps on Server Core with a local first-name admin, a static IP, a
lastname.com domain, and a custom PowerShell prompt, you will demonstrate:

1. User Onboarding from CSV (Part 1).
2. Group Creation & Membership management (Part 2).
3. Offboarding (disabling accounts) (Part 3).
4. Deleting aged disabled accounts (Part 4).
5. Auditing group memberships and detecting overprivileged users (Part 5).

All PowerShell CLI outputs are shown in five screenshots, verifying your mastery of core AD administration tasks on Server Core.
