Active Directory Basics
Step 8 — Test Authentication
In this step, you will verify that Active Directory is working correctly by logging into the client as a domain user.
This confirms that identity, authentication, group membership, and DNS are all functioning end-to-end.
A successful domain login proves that the client can locate a domain controller, authenticate the user, build a security token, and apply group membership — all core Active Directory functions.
1. Log Into the Client as a Domain User
- On the client VM login screen, select Other user
- Log in using a domain account (for example: LAB\ajohnson)
- Enter the password you set earlier
- Complete the login
The first login may take longer while the user profile is created.
Because this lab uses a Windows Server VM as the client and you are connecting through Remote Desktop, your test domain users also need permission to sign in over RDP. This is separate from Active Directory authentication: a user can be valid in AD but still be blocked from remote login on the client.
If LAB\ajohnson is the correct account but Windows says the sign-in method is not allowed, log back into CLIENT01 with the local administrator account or a domain admin account. Then add the lab groups to the client's local Remote Desktop Users group.
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "LAB\Helpdesk"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "LAB\Accounting"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "LAB\ITSupport"
If your NetBIOS domain name is different from LAB, replace LAB with your domain's short name. You can also add an individual user, such as LAB\ajohnson, but adding the lab groups better reflects how access is usually granted in real environments.
2. Verify Login Success
- The desktop loads successfully
- No local account is used
- The session is authenticated against the domain
3. Verify the User in Active Directory
On the domain controller:
- Open Active Directory Users and Computers
- Navigate to _Branches → Houston → Users
- Confirm the user account exists and is enabled
4. Verify Group Membership from the Client
On the client VM, open a command prompt and run:
whoami /groups
Review the output and confirm the user is a member of the expected security group (Helpdesk, Accounting, or ITSupport).
What This Command Proves
- The user received a valid Kerberos access token
- Group membership was evaluated at logon
- Authorization decisions can now be made
This command is commonly used by administrators when troubleshooting access and permission issues.
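The checks from steps 2 and 4 can also be scripted. The following PowerShell is an added example, not part of the original lab; it assumes the NetBIOS domain name LAB and the lab groups Helpdesk, Accounting, and ITSupport, and it is run on the client in the domain user's own session.

```powershell
# Added example. Assumptions: domain short name LAB and the lab groups from this guide.
$domain         = 'LAB'
$expectedGroups = 'Helpdesk', 'Accounting', 'ITSupport'

# The identity and token of the current logon session
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$account  = $identity.Name                    # e.g. LAB\ajohnson or CLIENT01\someuser

# Domain vs. local logon: a local account shows the computer name as its prefix
$isDomainLogon = $account.Split('\')[0] -eq $domain

# Group SIDs carried in the access token
$sids = @($identity.Groups | ForEach-Object { $_.Value })

# Resolve SIDs to names; keep the raw SID if it cannot be resolved
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# Which of the expected lab groups are actually in the token
$found = @($expectedGroups | Where-Object { $tokenGroups -contains "$domain\$_" })

[pscustomobject]@{
    Account         = $account
    DomainLogon     = $isDomainLogon
    LogonServer     = $env:LOGONSERVER               # DC that handled the logon
    LabGroupsFound  = $found -join ', '
    # Well-known SIDs, so the check does not depend on the OS display language
    RdpUsersInToken = $sids -contains 'S-1-5-32-555' # BUILTIN\Remote Desktop Users
    RemoteSession   = $sids -contains 'S-1-5-14'     # REMOTE INTERACTIVE LOGON
} | Format-List

if (-not $isDomainLogon) {
    Write-Warning "Signed in as '$account', not a $domain account. Use $domain\username at the login screen."
}
if ($found.Count -eq 0) {
    Write-Warning "No lab group in the token. Check membership in AD, then sign out and back in."
}
```

RdpUsersInToken is False for an account that gets RDP access through the local Administrators group instead, such as a domain admin.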
Common Issues and What They Mean
- Login fails immediately → DNS or domain join issue
- Username or password is incorrect when using ajohnson → Windows may be trying a local account; use LAB\ajohnson or [email protected]
- LAB\ajohnson is recognized but Remote Desktop says the sign-in method is not allowed → add the user or their AD security group to the client's local Remote Desktop Users group
- Login works but groups are missing → group membership or token issue
- User logs in locally → incorrect username format
- Group changes not reflected → user must log out and back in
Success Criteria
- A domain user can log into the client successfully
- The user exists in the correct branch OU
- Expected group memberships appear in the token
If all of these are true, your Active Directory environment is working correctly.