
Apply Your Knowledge


3.1 Creating User Accounts via Automation

Imagine that our fictional company, Lantrainers, has a class starting next week, and the students registered for the class will need user accounts. Each account will need to be a member of the Students group, and we'll need the student's title, company name, and business phone number in the user account information.

We will use dsadd, csvde, and dsmod to make an OU called LanStudents, create user accounts, set passwords, and make the user accounts members of the Students global group.

Here is the data we'll be using:

| Title | Company |
|---|---|
| | Prairie Sky Consulting |
| Systems Analyst | Housing Associates |
| | Prairie Sky Consulting |
| | Prairie Sky Consulting |
| Network Administrator | Goldenrod Developments |
| Network Administrator | Goldenrod Developments |
| Network Administrator | Goldenrod Developments |
| Systems Analyst | Goldenrod Developments |
| Systems Analyst | Housing Associates |
| Systems Analyst | Goldenrod Developments |
| | Prairie Sky Consulting |
| | Prairie Sky Consulting |
| Network Administrator | Prairie Sky Consulting |
| Network Administrator | |
| Systems Analyst | Housing Associates |
| Systems Analyst | Housing Associates |
| | Prairie Sky Consulting |
| Network Administrator | Goldenrod Developments |
| Systems Analyst | Housing Associates |
| Systems Analyst | Housing Associates |
| Network Administrator | Goldenrod Developments |

Estimated Time: 45 minutes

  1. Open a command prompt and change to the root directory of the C: drive.

  2. Use dsadd to create an OU called "OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local".

  3. Type a csvde command to create a list of the user accounts in the OU=Users,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local OU. Use the parameter -l l,company,objectclass,name,title,company,l,telephoneNumber,userAccountControl,samaccountname to limit the number of fields displayed. Send the output to csvde-out.txt. Copy the file to csvde-in.txt.

  4. Use a spreadsheet program, a database program, or Notepad to modify csvde-in.txt. Retain the first record (it has the field names we'll need), but replace the data lines with data from the preceding table. Ensure that the fields are in the proper columns.

  5. Use csvde to import the data in csvde-in.txt into Active Directory (csvde -i -f csvde-in.txt -j c:\). Confirm with Active Directory Users and Computers that the records were created.

  6. Use dsquery to display all the users in the LanStudents OU, and pipe the result as input to a dsmod command that sets the password for all users to Secur1ty and enables the accounts (dsquery user "OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local" | dsmod user -pwd Secur1ty -mustchpwd yes -disabled no).

  7. Open Active Directory Users and Computers and navigate to the LanStudents OU to see the user accounts.
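
A pre-import check for the csvde-in.txt file edited in step 4, as an added example that is not from the book: it flags rows whose DN falls outside the LanStudents OU, unquoted DNs that push fields into the wrong columns, duplicate or over-long sAMAccountName values, and missing title, company or phone data. The function names and sample rows are constructed, and the check assumes accounts are imported disabled (userAccountControl 514) because csvde cannot set passwords; step 6 then sets the password and enables them.

```python
import csv
import io

# Target OU created in step 2 of the exercise.
TARGET_OU = "OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local"
# Columns this check needs; csvde writes DN as the first column of an export.
REQUIRED = ("DN", "objectClass", "sAMAccountName", "userAccountControl",
            "title", "company", "telephoneNumber")
UAC_DISABLED = "514"  # NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
SAM_MAX = 20          # length limit of sAMAccountName on user objects

# Constructed sample file: line 2 is clean, lines 3-5 each carry a defect.
SAMPLE = """\
DN,objectClass,name,title,company,l,telephoneNumber,userAccountControl,sAMAccountName
"CN=Alex Example,OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local",user,Alex Example,Systems Analyst,Housing Associates,Vancouver,555-0100,514,aexample
"CN=Blake Sample,OU=Users,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local",user,Blake Sample,Network Administrator,Goldenrod Developments,Vancouver,555-0101,512,bsample
CN=Casey Test,OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local,user,Casey Test,Systems Analyst,Housing Associates,Vancouver,555-0102,514,ctest
"CN=Drew Demo,OU=LanStudents,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local",user,Drew Demo,Network Administrator,Prairie Sky Consulting,Vancouver,,514,AEXAMPLE
"""


def norm_dn(dn):
    """Lower-case a DN and drop blanks around its commas for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_import(text, target_ou=TARGET_OU):
    """Return (line_number, message) tuples for problems in a csvde import file."""
    reader = csv.DictReader(io.StringIO(text))
    # LDAP attribute names are case-insensitive, so match headers that way.
    header = {n.strip().lower(): n for n in (reader.fieldnames or [])}
    missing = [c for c in REQUIRED if c.lower() not in header]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]

    def field(row, name):
        # Short rows leave trailing columns as None; treat those as empty.
        return (row[header[name.lower()]] or "").strip()

    problems, seen = [], {}
    suffix = "," + norm_dn(target_ou)
    for row in reader:
        line = reader.line_num
        if None in row:
            # More fields than headers: typically a DN saved without quotes,
            # so every later value sits in the wrong column.
            problems.append((line, "too many fields; is the DN quoted?"))
            continue
        dn = norm_dn(field(row, "DN"))
        if not (dn.startswith("cn=") and dn.endswith(suffix)):
            problems.append((line, "DN is not a CN under " + target_ou))
        if field(row, "objectClass").lower() != "user":
            problems.append((line, "objectClass is not user"))
        sam = field(row, "sAMAccountName").lower()
        if not sam or len(sam) > SAM_MAX:
            problems.append((line, "sAMAccountName empty or over 20 characters"))
        elif sam in seen:
            problems.append((line, "sAMAccountName duplicates line %d" % seen[sam]))
        else:
            seen[sam] = line
        # Assumption of this example: import disabled, enable in step 6.
        if field(row, "userAccountControl") != UAC_DISABLED:
            problems.append((line, "userAccountControl is not 514 (disabled)"))
        for name in ("title", "company", "telephoneNumber"):
            if not field(row, name):
                problems.append((line, name + " is empty"))
    return problems


if __name__ == "__main__":
    for line, message in check_import(SAMPLE):
        print("line %d: %s" % (line, message))
```
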

3.2 Creating Users and Groups

In this exercise we will create three groups and add members to them. Then we will make the three groups members of a universal group. Because there aren't many groups to work with, we'll use Active Directory Users and Computers.

Estimated Time: 5 minutes

  1. Open Active Directory Users and Computers, and navigate to the LanStudents OU.

  2. Create a global security group object called AdminStudents. Add the user accounts for those users whose title is Network Administrator to the member list of the group.

  3. Create a global security group object called AnalystStudents. Add the user accounts for those users whose title is Systems Analyst to the member list of the group.

  4. Create a global security group object called TrainerStudents. Add the user accounts for those users whose title is Trainer to the member list of the group.

  5. Create a universal security group object called AllStudents. Add the three group accounts we just created to the member list of the group.

Review Questions

  1. Because you can do everything you need to do, in terms of creating and managing accounts, with Active Directory Users and Computers, why is it worthwhile to learn the command-line and automation methods?

  2. What are the similarities and differences between csvde and ldifde?

  3. What would be the impact of using groups of Universal scope exclusively, rather than using groups of Domain Local, Global, and Universal scope?

  4. You are planning to implement Remote Installation Services. How can you ensure that the computer accounts the users create go in the right Organizational Units?

  5. You are setting up instructions for help desk analysts, and you're writing a list of items for them to check when users cannot log on. What should go on that list?

  6. Your manager has asked you to investigate Terminal Services and report on how you can control the Terminal Services sessions. What do you report?

  7. Every month your manager wants you to produce a list of all accounts that have passwords that do not expire and all accounts that are disabled. How will you do this?

  8. Explain how to ensure that the order-entry clerks will all see the same desktop environment each time they log on.

Exam Questions

  1. You want to create a user account for Joan Myles using a command from the command prompt. The account is to be a member of the Engineers group in the Vancouver container, disabled when created, have Secur1ty as its password, and be placed in the "ou=Users,ou=Vancouver,ou=LTI,dc=Lantrainers,dc=local" container. Which of the following tools or combination of tools can do the job?

    A. Net User followed by dsmove

    B. ldifde followed by dsmod

    C. dsadd

    D. csvde followed by dsmove

    E. dsquery followed by dsmod

  2. A manager tells you one of his staff has taken a job in another company. The manager wants to ensure that the user cannot access his computer or his files on the network file server. What is your best course of action?

    A. Delete the user account.

    B. Rename the user account to "Departed User."

    C. Select the Account Is Disabled check box.

    D. Change the value in the Account Expires field.

  3. You are planning for resource access in a multidomain forest. Some users from all domains will need access to three continental headquarters domains. What is the recommended strategy for providing access to these resources?

    A. Users -> universal groups -> global groups -> domain local groups -> permissions to resources

    B. Users -> global groups -> universal groups -> domain local groups -> permissions to resources

    C. Users -> domain local groups -> universal groups -> global groups -> permissions to resources

    D. Users -> universal groups -> permissions to resources

  4. You need to explain profiles to your management, and you realize that you need to start your presentation with definitions of the three profile types. Choose the three profile types.

    A. Active Directory user profile

    B. Local user profile

    C. Group profile

    D. Group policy user profile

    E. Roaming user profile

    F. Mandatory user profile

  5. You are the network administrator for a small company that provides customer service operators for other companies. One of your users calls to complain that the photograph of her grandson that she added to her desktop yesterday wasn't there when she logged on this morning. What is the most likely cause of her problem?

    A. Her user profile is corrupted.

    B. She logged in to a different computer.

    C. She is logged on locally.

    D. She was assigned a mandatory profile.

  6. Due to economic circumstances, your company had to lay off 200 people. The Human Resources department has provided you with a list of names in a text file. Which command can be used to delete these user accounts?

    A. dsmod

    B. dsadd delete

    C. csvde

    D. dsrm

  7. Your company has recently purchased a small company. The other company runs Unix with an LDAP-compatible directory. Your job is to create user accounts in Active Directory for the employees from this company. What is the best tool to use for this task?

    A. dsadd

    B. ldifde

    C. csvde

    D. dsrm

  8. You are the administrator for a small university. As usual for this type of environment, bored students try to hack into the university billing system every night between 10 p.m. and 2 a.m. What two steps can you take to ensure that a dictionary attack will fail, while still allowing your user to log on at 8 a.m.?

    A. Set Account Lockout Threshold to 0.

    B. Set Account Lockout Duration to 60.

    C. Set Account Lockout Duration to 0.

    D. Set Account Lockout Threshold to 3.

  9. You are the network administrator for a small company that provides customer service operators for other companies. One of your users calls to complain that she can't see any files in her My Documents folder. She was able to get to them with no problem yesterday. Group Policy is not in use. What is the most likely cause of her problem?

    A. Her user profile is corrupted.

    B. She logged in to a different computer.

    C. She is logged on locally.

    D. She was assigned a mandatory profile.

  10. You are the junior administrator for a large engineering firm with several locations. You read in a magazine that the best way to assign resources in a multidomain environment is to assign permissions to a Domain Local group, then add the Global groups to the Domain Local group, and then add the Global groups to a Universal group. However, the server won't let you create a Universal group. What is the most likely problem?

    A. You don't have the proper authority.

    B. The domain functional level is at Windows 2000 mixed.

    C. The domain functional level is at Windows 2000 native.

    D. The domain functional level is not at Windows 2003 native.

  11. You are the administrator for a small, family-owned firm. Because of the firm's size and informality, it has been tough to get users to understand the need for security. You want to change the password policy so that the users will be required to change their passwords every 30 days and can't reuse a password more than every 2 years. Which of the following choices will accomplish this?

    A. Set the password history to 730 and the maximum password age to 30.

    B. Set the password history to 365 and the maximum password age to 30.

    C. Set the password history to 25 and the maximum password age to 28.

    D. Set the password history to 24 and the maximum password age to 30.

  12. A manager tells you that his administrative assistant has left the company. The manager wants to ensure that her replacement has access to her computer and her files on the network file server. What is your best course of action?

    A. Create a new user account for the replacement and grant the replacement access to the necessary files.

    B. Rename the old user account for the new user.

    C. Create a new user account for the replacement and copy the necessary files to her home directory.

    D. Give the new user the user ID and password of the departed administrative assistant.

Answers to Review Questions

  1. Using Active Directory Users and Computers for creating and managing accounts is fine if you're dealing with just a few accounts. But it's time consuming and error prone if you are dealing with dozens or hundreds of accounts. The command-line and automation tools are much more efficient for dealing with large numbers of users. See "Creating and Modifying User Accounts with Command-line Tools."

  2. csvde and ldifde can both be used to import or export large numbers of accounts. csvde uses CSV-formatted files for input and output, whereas ldifde uses files in the LDAP Directory Interchange Format (LDIF). Only ldifde can be used to modify or delete existing accounts. See "Importing and Exporting User Accounts."

  3. If you used universal groups exclusively, you would lose the structure and manageability of domain local and global groups. Also, you would increase the replication traffic on your network, as the member lists of universal groups are stored in the global catalog. See "Universal Groups."

  4. In the properties of Remote Installation Services (accessible on a tab of the properties of the computer running Windows Server 2003 where RIS is installed), create a default naming policy with the desired location defined. See "Creating and Managing Computer Accounts in an Active Directory Environment."

  5. Here are the items to check if users cannot log on:

    • Is the account locked out due to too many logon failures?

    • Is the account disabled?

    • If the user is trying to connect via VPN or dial-up, is Remote Access Permission set to Deny Access, or is access controlled through a Remote Access Policy that denies access?

    • Has the account expired?

    See "Troubleshooting Issues Related to User Account Properties."

  6. First, a Terminal Services session can be controlled. An administrator can view a user's session and control it if necessary. Second, you can specify a profile and home folder location that are different from the values set up in the user's normal profile. Third, you can configure a program to start automatically at logon and for the session to end when the program is exited. Also, you can control whether drives and printers on the client computer are available from the session.

  7. You will define a saved query with the required fields selected. When the report is due, you return to Active Directory Users and Computers, select Saved Queries, and select the query you need.

  8. Set up a mandatory user profile by creating a user profile with the desired desktop environment, converting it to a roaming user profile stored on a server, and then renaming the profile to NTUser.man. See "Creating and Enforcing Mandatory User Profiles."

Answers to Exam Questions

  1. B, C. ldifde (with the appropriate data file as input) followed by dsmod (to change the password) does the job, as does dsadd by itself. Net User cannot create a group membership. csvde cannot create group memberships, and dsmove is unnecessary because csvde can create the user account in any container. dsquery cannot create a user account.

  2. C. It is best to disable the account immediately and then reset the password and enable the account again when someone is ready to review the files held by the account. Deleting the user account makes the review of files very difficult. Renaming the account without changing the logon name or password does not stop the user from accessing the account. Changing the value in the Account Expires field would work, but it is inappropriate to the situation and hence would confuse other administrators.

  3. B. This is the recommended method for providing access to resources through group membership.

  4. B, E, F. These are the profile types.

  5. D. Although all the other choices are possibilities, in a customer service environment, it's most likely that mandatory profiles are in use. A mandatory profile allows you to make changes; however, those changes are not saved when you log off.

  6. D. The dsrm command can be used to delete Active Directory objects, using a text file as input. The csvde command can only be used to import or export accounts, the dsmod command can be used only to change the properties of accounts, and the dsadd command doesn't have a delete option.

  7. B. ldifde is the best tool to use for this task. It allows you to extract the user list from the LDAP-compatible directory on the Unix server. Next, it allows you to change the distinguished name in the exported file to match your AD structure. Then it imports the new users into AD.

  8. B, D. Setting the lockout threshold to 3 locks the account after three failed attempts to log on. Setting the lockout duration to 60 reenables the account after 60 minutes. Setting the lockout threshold to 0 allows an indefinite number of logon attempts—definitely not what you want. Setting the lockout duration to 0 will keep the account locked until the administrator manually reenables it.

  9. B. The most likely problem is that she logged on to a different computer, and roaming profiles are not in use.

  10. B. Universal groups are available only at the Windows 2000 native and Windows Server 2003 functional levels. The Windows 2000 mixed and Windows Server 2003 interim levels are used to support Windows NT 4.0 domain controllers, so Global group nesting and Universal groups cannot be used.

  11. D. With the maximum age set to 30 days, users are prompted to change their passwords every 30 days. The history setting will retain 24 passwords, approximately 2 years' worth.

  12. B. The easiest way to give the new user the proper access is to just rename the old account with the new user's name because they will be performing the same duties and need access to the same files.

Suggested Readings and Resources

  1. For information about LDAP, see RFCs 2251–2256. For information on LDIF, see RFC 2849.

  2. Windows Server 2003 Deployment Guide (not yet published). Microsoft Corporation.

  3. Windows Server 2003 Resource Kit (not yet published). Microsoft Corporation.

  4. Boswell, William. Inside Windows Server 2003. New Riders, 2003. ISBN 0735711585.

  5. Matthews, Marty. Windows Server 2003: A Beginners Guide. McGraw-Hill, 2003. ISBN 0072193093.

  6. Minasi, Mark, et al. Mark Minasi's Windows XP and Server 2003 Resource Kit. Sybex, 2003. ISBN 0782140807.

  7. Minasi, Mark, et al. Mastering Windows Server 2003. Sybex, 2003. ISBN 0782141307.

  8. Shapiro, Jeffrey, et al. Windows Server 2003 Bible. John Wiley & Sons, 2003. ISBN 0764549375.
