Microsoft Exam  70-290 – Users and Groups

Managing and Maintaining a Microsoft Windows Server 2003 Environment.  Study Guide

1. Managing Users, Computers, and Groups


To create users you must have administrative privileges.  Normally this means a member of Account Operators or Administrators; however, it could also mean a user who has been delegated the right to create users, groups or computers in a particular OU.

The logon name (sAMAccountName) is required and must be unique within the domain.  The ‘Full name’ (the object’s CN) must be unique within its OU, which matters in particular for Exchange mailboxes.

On Windows 98 computers a user’s password must be no longer than 14 characters.


Command Line Tools

Command-line tools: dsadd, dsmod, dsget, dsrm, dsmove, dsquery, gpresult, whoami.   To create a group (and optionally populate it at the same time) use dsadd group with the parameters: -secgrp <yes|no> (security or distribution group), -scope <l|g|u> (domain local, global or universal), -members (DNs to add as members), -memberof (groups the new group is nested in).

To modify the membership of an existing group use dsmod group with -addmbr or -rmmbr (you cannot use both in the same command).

To reset a computer account use dsmod computer with the -reset parameter.

Dsquery parameters: -o <format> (output format, e.g. dn, rdn, upn or samid), -inactive <weeks> (accounts that have not logged on for at least that many weeks), -stalepwd <days> (accounts whose password has not changed for at least that many days).

By default, each ordinary user can join 10 computers to the domain.  You can adjust this limit through the Group Policy setting ‘Add workstations to a domain’.  If a user is able to log on but cannot access any network resources, try resetting the password of the COMPUTER account (the secure channel with the domain controller has probably broken).  You have to be a member of the local Administrators group to change a computer’s name.

NETDOM is a command-line Support Tool for creating and modifying domain (computer) accounts.  Nltest is an obscure command-line utility that, among other things, checks which domain you are in.

In the ds* command-line tools you use $username$ (case sensitive), not %username%, when you define the path for profile storage: $username$ is substituted with each account’s own logon name, whereas %username% would be expanded by the shell to the name of the administrator running the command.
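The following batch script is an added example and is not part of the original study guide; it strings together the dsadd, dsmod and dsquery usage described above for a hypothetical domain corp.example.com. All DNs, OU names, the file server fs01 and the workstation WS042 are constructed placeholders.

```batch
@echo off
REM Added example (not from the study guide): dsadd/dsmod/dsquery usage for a
REM hypothetical domain corp.example.com. Every DN, server and computer name
REM below is a constructed placeholder; adjust them to your own domain.
REM Run from a cmd prompt on a Windows Server 2003 machine with the AD tools.

set DOMAIN_DN=DC=corp,DC=example,DC=com

REM 1. Create a global security group and populate it in one step.
REM    -secgrp yes  = security group (no = distribution group)
REM    -scope g     = global (l = domain local, u = universal)
REM    -members     = DNs of the objects to add as members
REM    -memberof    = DNs of the groups this new group is nested in
dsadd group "CN=Sales Staff,OU=Sales,%DOMAIN_DN%" -secgrp yes -scope g ^
    -members "CN=Jane Doe,OU=Sales,%DOMAIN_DN%" "CN=John Roe,OU=Sales,%DOMAIN_DN%" ^
    -memberof "CN=Sales Resources,OU=Groups,%DOMAIN_DN%"

REM 2. Later membership changes: dsmod group takes EITHER -addmbr OR -rmmbr,
REM    never both in one command, so two commands are needed for add and remove.
dsmod group "CN=Sales Staff,OU=Sales,%DOMAIN_DN%" -addmbr "CN=New Hire,OU=Sales,%DOMAIN_DN%"
dsmod group "CN=Sales Staff,OU=Sales,%DOMAIN_DN%" -rmmbr  "CN=John Roe,OU=Sales,%DOMAIN_DN%"

REM 3. Roaming profile path for every user in the Sales OU. $username$ (case
REM    sensitive) is replaced by dsmod with each account's own logon name;
REM    a %username% variable would instead expand to the admin running this.
dsquery user "OU=Sales,%DOMAIN_DN%" -limit 0 | dsmod user -profile \\fs01\profiles\$username$

REM 4. Housekeeping with dsquery. -inactive <weeks> finds accounts that have
REM    not logged on for at least N weeks; -stalepwd <days> finds passwords
REM    older than N days; -o samid prints logon names instead of DNs;
REM    -limit 0 lifts the default cap of 100 results.
REM    Piping the DN list into dsmod disables dormant accounts in bulk.
dsquery user -inactive 8 -limit 0 | dsmod user -disabled yes
dsquery user -stalepwd 90 -o samid -limit 0

REM 5. Computer accounts: reset the account when a user can log on but cannot
REM    reach any network resource. Either dsmod computer -reset or the
REM    Support Tools' netdom does the job.
dsmod computer "CN=WS042,OU=Workstations,%DOMAIN_DN%" -reset
netdom reset WS042 /domain:corp.example.com

REM 6. Computers whose account password has not changed in 120 days are likely
REM    disjoined or decommissioned; list them first, then remove with dsrm.
dsquery computer -stalepwd 120 -limit 0
```

Review the output of step 6 before feeding it to dsrm: the listed accounts are candidates, not confirmed dead machines, and dsrm is irreversible without an authoritative restore.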

After a computer is removed or disjoined from a domain, its computer account appears as disabled in Active Directory.

The Movetree command-line tool can be used to move objects, such as OUs, from one domain to another domain in the forest.

Group types and scopes

A Local Group (on a member server or workstation) can include members from any domain in the forest, from trusted domains in other forests, and from trusted down-level domains; however, its scope is limited to that one machine.  Be sure to know the difference between this and the next group type, the Domain Local Group.

A Domain Local Group (available in mixed, interim and native modes) can include members from any domain in the forest and from trusted domains in other forests.  In Windows 2003, Domain Local Groups have domain-wide scope in Windows 2000 native or Windows Server 2003 domains.

Global Groups can only include members from within their own domain.  However, Global Groups can be members of Local or Domain Local groups.  Once you raise the domain functional level to Windows 2000 native, you can nest Global Groups within other Global Groups, and add Global Groups to Universal Groups.

Universal Groups combine the properties of Global and Domain Local groups, and can contain members from any domain in the forest.  As expected, Universal Groups can be granted permissions in any domain, including domains in trusted forests.

Remember the acronyms AGP, AGDLP and AGUDLP: Accounts go into Global groups, which go into (Universal and then) Domain Local groups, which are granted Permissions.

As a user logs on to the network, that user is added to the Everyone group.  Whenever a user accesses a given resource over the network, that user is added to the Network group.  The opposite of the Network group is the Interactive group, for users logged on locally at the console.

Anonymous Logon (for example the IUSER_SERVER account) is a group of users who use network resources without going through an authentication process, whereas Authenticated Users is the group of users whose credentials have been verified by Active Directory.

Creator Owner is a placeholder group representing whichever user created the resource.  It is only available on NTFS partitions.

Dialup is the group of users connected to the network through a dial-up connection.

Group conversion:

You cannot change the scope of a group unless the domain functional level is Windows 2000 native or higher.

Global groups cannot be converted directly to domain local groups, or vice versa; the trick is to change the scope to universal first, after which you can make the other change.

Global to universal.  This is only allowed if the group you want to change is not itself a member of another global group.

Domain local to universal.  This is only allowed if the group you want to change is not nested, i.e. it does not contain another domain local group as a member.

Universal to domain local.  There are no restrictions on this operation.
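The two-step conversion described above, as an added example that is not part of the original study guide: a global group is taken to domain local via the universal scope, with the nesting check that the global-to-universal rule requires done beforehand using dsget. The group DN and domain are constructed placeholders.

```batch
@echo off
REM Added example (not from the study guide): convert a global group to a
REM domain local group via the universal scope. The DN is a constructed
REM placeholder for a hypothetical domain corp.example.com.
set GRP=CN=Sales Staff,OU=Groups,DC=corp,DC=example,DC=com

REM Global -> universal is refused if this group is a member of another global
REM group, so list the groups it belongs to first and check their scope.
echo Groups that contain the group (must not include a global group):
dsget group "%GRP%" -memberof

REM Step 1: global -> universal. Requires Windows 2000 native or Windows
REM Server 2003 domain functional level; in mixed mode the command fails.
dsmod group "%GRP%" -scope u
if errorlevel 1 goto :failed

REM Step 2: universal -> domain local has no restrictions.
dsmod group "%GRP%" -scope l
if errorlevel 1 goto :failed

REM Confirm the result: dsget group -scope prints the current scope.
dsget group "%GRP%" -scope
echo Conversion complete.
goto :eof

:failed
echo Scope change refused - check the domain functional level and the nesting listed above.
exit /b 1
```

The reverse direction (domain local to global) uses the same pair of commands with -scope u followed by -scope g, but the precondition to check first is the group’s own membership list (dsget group -members): the domain local to universal step fails if a domain local group is nested inside it.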

The only way to provide a separate password policy to a group of users is to move their accounts to another domain (a child domain does not inherit the password policy of its parent domain).

Universal distribution groups can be created regardless of the domain functional level; universal security groups require Windows 2000 native or higher.

Account Operators can move computer accounts into organizational units but, surprisingly, not into the default containers such as Computers.  Also, Account Operators cannot move computer accounts into the Domain Controllers organizational unit, although they can move computer accounts out of it.

Group Policies

There is a policy called ‘Only Allow Local User Profiles’ which disallows roaming profiles on the computers it applies to.

Csvde is a command-line tool for importing objects into, or exporting them from, Active Directory in comma-separated format.  LDIFDE does the same with LDIF files and, unlike csvde, can also modify existing objects, including passwords.

ADMT can import accounts from an NT domain into Windows Server 2003 Active Directory.  To copy a user profile you must be a member of the Administrators group.

To create a mandatory profile rename Ntuser.dat to N.B. must be done on the server, not locally.

Account Logon events are generated in the Security event log when a domain user account is authenticated by a domain controller.  Logon events are recorded on the computer where the user actually logs on, for example when users log on locally.  Because Account Logon events are written on whichever domain controller performed the authentication, they need to be monitored on each domain controller.

When you log on to a workstation using a domain account, the workstation registers a Logon event and the domain controller registers an Account Logon event.  When you connect to a network server’s shared folder, the server registers a Logon event and the domain controller registers an Account Logon event.

When you need to audit access to files or printers, turn on the Audit object access policy first; only then will the auditing entries you select on the individual file or printer take effect.

There is a policy to redirect My Documents; navigate to: User Configuration\Windows Settings\Folder Redirection.

Containers that are not OUs cannot have Group Policies linked to them.  In Active Directory Users and Computers, note the plain yellow folder icons of the default containers (Built-in, Users and Computers) as opposed to the icon of an OU.



Which command could delete Psycho’s Active Directory account?
DSDel cn=psycho..
DSrm cn=psycho..
DSadd cn=psycho..
DsZap cn=psycho..
DScut cn=psycho..
