ITF (FC0-U61) Skills Lab: Multifactor Authentication and Run As

Exercise 1: Enabling Multifactor Authentication

Task 1: Enable Smart Card Logon

  1. Connect to the Windows Server 2019 Virtual Machine

    • Log in to the domain controller.

  2. Open Active Directory Users and Computers

    • In Server Manager, go to Tools > Active Directory Users and Computers.

  3. Locate the User Account

    • Expand the domain in the navigation pane.
    • Navigate to NAmerica > Operations.
    • Locate and right-click on User - Matthew B, then select Properties.

  4. Enable Smart Card Logon

    • In the Matthew B Properties window, go to the Account tab.
    • Scroll to Account options, check Smart Card is required for interactive logon, and click OK.

  5. Close All Windows

    • Exit all open windows and dialog boxes.

Task 2: Verify Smart Card Logon Capability

  1. Connect to the Windows 10 Virtual Machine

    • On the login screen, select Other User.

  2. Attempt to Log in as Matthew B

    • Enter Matthew B’s credentials.
    • A prompt will appear stating that a smart card is required for login.

  3. Close the Windows 10 Virtual Machine

    • Sign out and shut down the Windows 10 VM.

Exercise 2: Perform Administrative Tasks with Run As

Task 1: Move a Computer to Another Organizational Unit (OU)

  1. Connect to the Windows Server 2019 Virtual Machine

    • Log in to the domain controller.

  2. Open Active Directory Users and Computers

    • In Server Manager, go to Tools > Active Directory Users and Computers.

  3. Locate the Computer Object

    • Expand the domain and select the Computers folder.
    • Locate PLABWIN10, right-click, and select Move....

  4. Move the Computer to the Engineers OU

    • In the Move dialog box, expand EMEA > Engineers.
    • Click OK.

  5. Close All Windows

    • Exit all open windows and dialog boxes.

Task 2: Enable "Run as a Different User" Option

  1. Connect to the Windows 10 Virtual Machine

    • Log in as Admin.

  2. Open Local Group Policy Editor

    • Search for gpedit in the Start menu and select Edit Group Policy.

  3. Enable the "Run as a Different User" Command

    • Navigate to: 
      User Configuration > Administrative Templates > Start Menu and Taskbar
    • Locate Show "Run as a different user" command on Start, right-click, and select Edit.
    • Select Enabled, then click OK.

  4. Close All Windows

    • Exit the Local Group Policy Editor.

Task 3: Verify "Run as a Different User" Policy

  1. Open Computer Management with Alternate Credentials

    • Search for Computer Management, then right-click and select Run as a different user.

  2. Log in as Isaac S.

    • Enter Isaac S’s credentials.
    • The Computer Management console will open.

  3. Test Access Rights

    • Navigate to Storage > Disk Management.
    • An error message appears: 
      "You do not have access rights to Logical Disk Manager on this machine."

  4. Close All Windows

    • Exit all open windows and dialog boxes.

Task 4: Disable Secondary Logon via Group Policy

  1. Connect to the Windows Server 2019 Virtual Machine

    • Log in to the domain controller.

  2. Open Group Policy Management

    • In Server Manager, go to Tools > Group Policy Management.

  3. Create a New Group Policy Object (GPO)

    • Expand: 
      Forest > Domains > Your Domain > EMEA > Engineering
    • Right-click Engineering, then select Create GPO in this domain and link it here....
    • Name the policy Disable Secondary Logon, then click OK.

  4. Edit the New GPO

    • Right-click Disable Secondary Logon, then select Edit.
    • Navigate to: 
      Computer Configuration > Policies > Windows Settings > Security Settings > System Services

  5. Disable the Secondary Logon Service

    • In System Services, right-click Secondary Logon and select Properties.
    • Check Define this policy setting, select Disable, and click OK.

  6. Close All Windows

    • Exit all open windows and dialog boxes.

Task 5: Test the Secondary Logon Functionality

  1. Update Group Policy and Restart

    • Open PowerShell and run: 
      gpupdate /force
    • Restart the computer with: 
      restart-computer

  2. Attempt to Use "Run as a Different User"

    • Log in as Admin.
    • Search for Computer Management, right-click, and select Run as a different user.
    • Enter Jan R’s credentials and click OK.

  3. Confirm Policy Enforcement

    • An error message appears: 
      "The service cannot be started either because it is disabled or because it has no enabled devices associated with it."

  4. Verify Administrator Access is Unaffected

    • Log in as Elizabeth W.
    • Search for Services, right-click, and select Run as administrator.
    • When prompted, enter Admin credentials and press Enter.
    • The Services console will open, confirming that administrator privileges are still available.

Completion

You have successfully completed the virtual lab for configuring multifactor authentication and administrative tasks using "Run As."

Previous

ITF+ Module 7
Next

ITF+ Module 9