
KEMENTERIAN PENDIDIKAN MALAYSIA (KPM)

Documentation and User Manual (Dokumentasi dan Manual Pengguna)

PERKHIDMATAN PENGURUSAN POLISI KESELAMATAN DAN KAWALAN CAPAIAN KEMENTERIAN PENDIDIKAN MALAYSIA
Contract No: CT210000000009538

Produced by Inteksoft Sdn Bhd for KPM

Prepared by INTEKSOFT AD DS Team

Document Control Information

Document Author: INTEKSOFT AD DS Team


Document Owner: Muhammad Habibullah Bin Ismayuddin

Document Distribution: (All persons who have a need to receive the document)

Name: KPM AD DS Team
Role: KPM AD DS Project Team

Name: INTEKSOFT AD DS Team
Role: INTEKSOFT AD DS Project Team

Summary of Document Changes:

Version: 0.1
Date: 09/06/2022
Authored By: Nur Amanina Binti Johari
Short Description of Changes: Draft Created

The latest version of this document supersedes all other previous issues.


Table of Contents

1 Introduction
1.1 Project Overview
1.2 Purpose
1.3 Assumption

2 Domain User Account Policy
2.1 Password Policy Security Settings
2.2 Account Lockout Policy Security Settings
2.3 Lock Windows Computer Screen Policy Security Settings

3 Prerequisite for Preparing Windows Computer and Joining KPM.LOCAL Domain
3.1 Windows Computer Run on Certain Level of Windows Operating System Edition
3.2 Windows Computer Reside on PCN or MyGov*Net Network
3.3 Windows Computer Resolve The IP Address for Domain Controller
3.4 Windows Computer Able to Exchange Traffic With Domain Controller on Several Different TCP and UDP Ports

4 User Guide for Managing Windows Computer in Domain Network Environment
4.1 Windows Logon Concept
4.1.1 Domain Logon
4.1.2 Local Logon
4.2 Access to Join Domain Network Tool
4.3 Checking Whether a Windows Computer is Joined to Domain
4.4 Join a Windows Computer to Domain
4.5 Grant a Domain User Become Administrator on Windows Computer
4.6 Unjoin a Windows Computer from Domain
4.7 Common Technical Issue Discovered in Current Environment
4.7.1 Issue on Windows Computer With Same Machine ID
4.8 Common Technical Error Discovered in Current Environment
4.8.1 Error on “The trust relationship between this workstation and the primary domain failed”
4.8.2 Error on “The security database on the server does not have a computer account for this workstation trust relationship”
4.9 Rollback Step From Domain Computer to Workgroup

5 User Guide for Managing Domain User and Computer with Microsoft Active Directory Users and Computers Console
5.1 Access to Microsoft Active Directory Users and Computers Console
5.1.1 Install Remote Server Administration Tools (RSAT) Through Optional Feature
5.1.2 Install Remote Server Administration Tools (RSAT) Through Microsoft Websites
5.1.3 Create Custom View by Location using Microsoft Management Console (MMC)
5.1.4 Launch Custom MMC By Using Delegated Data Administrator Account
5.2 Create Domain User Account
5.3 View & Update Properties of Domain User Account
5.4 Reset Password For Domain User Account
5.5 Unlock Domain User Account
5.5.1 Unlock Domain User Account Through Reset Password Command
5.5.2 Unlock Domain User Account Through User Object Properties Command
5.6 Disable & Enable Domain User Account
5.6.1 Disable Domain User Account
5.6.2 Enable Domain User Account
5.7 Move Domain User Account
5.8 Delete Domain User Account
5.9 Disable & Enable Domain Computer Account
5.9.1 Disable Domain Computer Account
5.9.2 Enable Domain Computer Account
5.10 Reset Domain Computer Account

6 User Guide for Managing Domain User and Computer with ManageEngine ADManager Plus
6.1 System Access to ManageEngine ADManager Plus
6.2 Create Domain User Account
6.2.1 Create Domain User Account (Single)
6.2.2 Create Domain User Account (Bulk)
6.2.3 Create Domain User Account (Import From CSV File)
6.3 View & Update Properties of Domain User Account
6.4 Reset Password For Domain User Account
6.5 Unlock Domain User Account
6.6 Disable & Enable Domain User Account
6.6.1 Disable Domain User Account
6.6.2 Enable Domain User Account
6.7 Move Domain User Account
6.8 Delete Domain User Account
6.9 Disable & Enable Domain Computer Account
6.9.1 Disable Domain Computer Account
6.9.2 Enable Domain Computer Account
6.10 Reset Domain Computer Account
6.11 Reports on Domain User Account
6.12 Reports on Domain Computer Account

7 User Guide for Domain User Account Self Service
7.1 Register Password Self-service in ADSelfService
7.2 Update User Profile Details in ADSelfService
7.3 Change Password in ADSelfService
7.4 Change Password in Windows Operating System
7.5 Password Reset in ADSelfService When Forgot Your Password
7.6 Account Unlock in ADSelfService When Your User Account Get Locked Out

8 Fix Windows Temporary Profile
8.1 Fix Temporary Profile By Rename Profilelist
8.2 Fix Temporary Profile Using Profile Migration Tools

9 Statement Of Acceptance


1 INTRODUCTION

1.1 PROJECT OVERVIEW


This project has been formally authorized through a contract between KPM and INTEKSOFT, as below:

Contract Name: Perjanjian Perkhidmatan Pengurusan Polisi Keselamatan Dan Kawalan Capaian Kementerian Pendidikan Malaysia

Contract No: CT210000000009538

Contract Duration: 42 Months (3 May 2021 – 2 November 2024)

Installation Site: Ibu Pejabat Kementerian Pendidikan Malaysia (KPM), Jabatan Pendidikan Negeri (JPN), Pejabat Pendidikan Daerah (PPD), Kolej Matrikulasi (KM), Institut Pendidikan Guru (IPG), Bahagian Audit Sekolah (PAS), Jemaah Nazir (JN) & Institut Aminuddin Baki (IAB)

1.2 PURPOSE
This document provides the documentation and user manual (Dokumentasi dan Manual Pengguna) for this project.

1.3 ASSUMPTION
• This information is written for experienced Windows system administrators who are familiar with Active Directory Domain Services.
• The procedures in this user manual should be performed by a competent individual who has a good working knowledge of the Microsoft Active Directory environment and who also understands the risk of performing the procedure.


2 DOMAIN USER ACCOUNT POLICY

2.1 PASSWORD POLICY SECURITY SETTINGS

Account Policies\Password Policy

Name: Enforce password history
Policy: 3 passwords remembered
Impacts: The number of unique new passwords that must be associated with a user account before an old password can be reused.

Name: Maximum password age
Policy: 180 days
Impacts: The period of time (in days) that a password can be used before the system requires the user to change it.

Name: Minimum password age
Policy: 0 days
Impacts: The period of time (in days) that a password must be used before the user can change it.

Name: Minimum password length
Policy: 12 characters
Impacts: The least number of characters that can make up a password for a user account.

Name: Password must meet complexity requirement
Policy: Enabled
Impacts: Whether passwords must meet a series of strong-password guidelines.
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name) value.
2. The password contains characters from three of the following categories:
   • Uppercase letters of European languages
   • Lowercase letters of European languages
   • Base 10 digits (0 through 9)
   • Non-alphanumeric characters (special characters)
   • Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase.
Complexity requirements are enforced when passwords are changed or created.


Indirect impacts of the policy on user experience can be summarized as below:

• KPM Users are required to create a password with a minimum of 12 characters.
• A password that is created or changed must meet the complexity requirement.
• A newly created or changed password lasts for 180 days only. After the 180-day limit is reached, the system requires the KPM User to change it.
• KPM Users are not allowed to reuse their last 3 unique old passwords when changing a password.

2.2 ACCOUNT LOCKOUT POLICY SECURITY SETTINGS

Account Policies\Account Lockout Policy

Name: Account Lockout Duration
Policy: 15 minutes
Impacts: The number of minutes that a locked-out account remains locked out before automatically becoming unlocked.

Name: Account Lockout Threshold
Policy: 5 invalid login attempts
Impacts: The number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires.

Name: Reset Account Lockout Counter After
Policy: 15 minutes
Impacts: The number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration.

Indirect impacts of the policy on user experience can be summarized as below:

• 5 continuous failed sign-in attempts will cause the KPM User account to be locked.
• The locked-out account remains locked out for 15 minutes before automatically becoming unlocked.
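
One way to confirm that the domain actually enforces the values documented in sections 2.1 and 2.2, as an added example that is not part of the original manual. It assumes the RSAT ActiveDirectory module is installed and the session belongs to a user who can read KPM.LOCAL; the function name Compare-PolicyToBaseline is hypothetical.

```powershell
# Added example (not from the manual): audit the live default domain policy
# against the values documented in sections 2.1 and 2.2.
# Assumes the RSAT ActiveDirectory module and a session that can read KPM.LOCAL.
Import-Module ActiveDirectory -ErrorAction Stop

# Baseline copied from the policy tables in sections 2.1 and 2.2.
$baseline = [ordered]@{
    PasswordHistoryCount     = 3
    MaxPasswordAge           = [TimeSpan]::FromDays(180)
    MinPasswordAge           = [TimeSpan]::Zero
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    LockoutDuration          = [TimeSpan]::FromMinutes(15)
    LockoutThreshold         = 5
    LockoutObservationWindow = [TimeSpan]::FromMinutes(15)   # "Reset Account Lockout Counter After"
}

# Hypothetical helper: returns one result row per documented setting.
function Compare-PolicyToBaseline {
    param(
        [Parameter(Mandatory)] [object] $Policy,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $Policy.$name
            Match    = ($Policy.$name -eq $Baseline[$name])
        }
    }
}

$policy = Get-ADDefaultDomainPasswordPolicy -Identity 'KPM.LOCAL'
$report = Compare-PolicyToBaseline -Policy $policy -Baseline $baseline
$report | Format-Table -AutoSize

# Report drift between the documented and the enforced values.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the documented baseline: {1}" -f
        $drift.Count, ($drift.Setting -join ', '))
}

# Rule stated in section 2.2: when the threshold is above zero, the reset
# counter must be less than or equal to the lockout duration.
if ($policy.LockoutThreshold -gt 0 -and
    $policy.LockoutObservationWindow -gt $policy.LockoutDuration) {
    Write-Warning 'Reset Account Lockout Counter After is longer than Account Lockout Duration.'
}

# Fine-grained password policies override the default policy for the users
# and groups they apply to, so list any that exist for review.
# Reading them may require more rights than an ordinary domain user has.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo
```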


2.3 LOCK WINDOWS COMPUTER SCREEN POLICY SECURITY SETTINGS

User Configuration\Administrative Templates\Control Panel\Personalization

Name: Enable Screen Saver
Policy: Enabled
Impacts: Enables desktop screen savers.

Name: Screen saver timeout
Policy: 1,200 Seconds
Impacts: Specifies how much user idle time must elapse before the screen saver is launched.

Name: Password protect the screen saver
Policy: Enabled
Impacts: Determines whether screen savers used on the computer are password protected.

Indirect impacts of the policy on user experience can be summarized as below:

• The computer screen will lock and enter screen saver mode after 20 minutes of inactivity.
• The KPM User is required to re-enter his/her password to exit screen saver mode.


3 PREREQUISITE FOR PREPARING WINDOWS COMPUTER AND JOINING KPM.LOCAL DOMAIN

3.1 WINDOWS COMPUTER RUN ON CERTAIN LEVEL OF WINDOWS OPERATING SYSTEM EDITION

The Windows computer must be running one of the Windows operating system editions below.
▪ Windows 11 Professional, Windows 11 Professional for Workstations, Windows 11 Professional Education, Windows 11 Education, Windows 11 Enterprise
▪ Windows 10 Professional, Windows 10 Professional for Workstations, Windows 10 Professional Education, Windows 10 Education, Windows 10 Enterprise
▪ Windows 8.1 Professional, Windows 8.1 Professional for Students, Windows 8.1 Professional with Media Center, Windows 8.1 Enterprise
(Windows 8 will reach end of Extended Support on 10 January 2023)
▪ Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise
(Windows 7 support ended on 14 January 2020)

Remarks:
Windows operating system editions that CANNOT join a domain:
▪ Windows 11 Home
▪ Windows 10 Home
▪ Windows 8.1 (Core), Windows 8.1 with Bing
▪ Windows 7 Starter, Windows 7 Home Basic, Windows 7 Home Premium

3.2 WINDOWS COMPUTER RESIDE ON PCN OR MYGOV*NET NETWORK


Only Windows computers that reside on the PCN or MyGov*Net network under the KPM enterprise network CAN join the new KPM Active Directory Domain Network.
Windows computers that reside on an interim network (e.g. TM Unifi, TM Streamyx, TIME Internet, etc.) are NOT ABLE to join the new KPM Active Directory Domain Network.

3.3 WINDOWS COMPUTER RESOLVE THE IP ADDRESS FOR DOMAIN CONTROLLER


In KPM enterprise networks, network client Windows computers receive an IP address assignment from a DHCP server, and the DHCP server provides the addresses of AD DS-enabled DNS servers that can resolve the domain controller IP address.
If another DNS server is configured, the IT person in charge at the respective site should update the network client Windows computer's IP configuration to use an AD DS-enabled DNS server.
The IT person in charge may contact Bahagian Pengurusan Maklumat (BPM) for further assistance.


No Procedure

1. Check and ensure that the Windows computer is configured to use the designated DNS servers below.

Zone: KPM Zone Putrajaya
IP Address: 10.22.70.201, 10.22.70.202
States: Putrajaya

Zone: KPM Zone Tengah
IP Address: 10.46.51.56, 10.46.51.58
States: Selangor, WP Kuala Lumpur, Perak, Negeri Sembilan

Zone: KPM Zone Utara
IP Address: 10.46.51.44, 10.46.51.46
States: Kedah, Pulau Pinang, Perlis

Zone: KPM Zone Selatan
IP Address: 10.46.51.48, 10.46.51.49
States: Johor, Melaka

Zone: KPM Zone Pantai Timur
IP Address: 10.46.51.135, 10.46.51.136
States: Pahang, Terengganu, Kelantan

Zone: KPM Zone Malaysia Timur
IP Address: 10.46.51.138, 10.46.51.139
States: Sabah, Sarawak, WP Labuan

Remarks:
▪ It is not necessary to perform this check on every Windows computer. It only needs to be done once, or when the computer cannot contact the domain network.


2. Check network name resolution connectivity with the KPM.LOCAL domain.

i. Run CMD. Type ping KPM.LOCAL.

Remarks:
▪ The ping reply may come from the IP address of any DNS & Domain Controller listed in the table in step 1.
▪ If the ping command fails to resolve KPM.LOCAL to any IP address of a DNS & Domain Controller, double-check the Windows computer's IP configuration and update it to use the designated DNS server.


3.4 WINDOWS COMPUTER ABLE TO EXCHANGE TRAFFIC WITH DOMAIN CONTROLLER ON SEVERAL DIFFERENT TCP AND UDP PORTS

Bahagian Pengurusan Maklumat (BPM) is working closely with the Managed Security Services (MSS) team to ensure that the necessary network communication port connectivity is in place between the network client Windows computer and the DNS & Domain Controller.

No Procedure

1. INTEKSOFT will notify BPM to request activation of the firewall rules for a particular site, and will then notify the IT person in charge at the respective site to perform network communication and connectivity testing between the client computer and the KPM.LOCAL domain controller.

2. Check network communication port connectivity with the KPM.LOCAL domain controller.

i. Open Run and type \\KPM.LOCAL.

ii. Supply a valid user credential to authenticate with the KPM.LOCAL domain controller.

iii. If authentication succeeds, the result will look like the sample below. Successful user authentication means that the necessary network communication port connectivity is in place between the network client Windows computer and the DNS & Domain Controller.


Remarks:
▪ It is not necessary to perform this check on every Windows computer. It only needs to be done once, or when the computer cannot contact the domain network.
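
The checks from sections 3.3 and 3.4 in script form, as an added example that is not part of the original manual. The TCP port list is an assumption (ports commonly required by domain clients); the manual does not list the ports opened by BPM and MSS, and UDP ports cannot be tested this way.

```powershell
# Added example (not from the manual): DNS and port checks for sections 3.3 and 3.4.
# Run on the client Windows computer from Windows PowerShell.
$domain = 'KPM.LOCAL'

# Designated AD DS-enabled DNS servers, copied from the table in section 3.3.
$designatedDns = @(
    '10.22.70.201', '10.22.70.202',   # KPM Zone Putrajaya
    '10.46.51.56',  '10.46.51.58',    # KPM Zone Tengah
    '10.46.51.44',  '10.46.51.46',    # KPM Zone Utara
    '10.46.51.48',  '10.46.51.49',    # KPM Zone Selatan
    '10.46.51.135', '10.46.51.136',   # KPM Zone Pantai Timur
    '10.46.51.138', '10.46.51.139'    # KPM Zone Malaysia Timur
)

# 1. DNS servers configured on this client (all IPv4 interfaces).
$clientDns = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Where-Object { $_ } | Sort-Object -Unique)
$foreignDns = @($clientDns | Where-Object { $_ -notin $designatedDns })
if ($clientDns.Count -eq 0) { Write-Warning 'No IPv4 DNS server is configured.' }
if ($foreignDns.Count -gt 0) {
    Write-Warning "Non-designated DNS server(s) in use: $($foreignDns -join ', ')"
}

# 2. Name resolution of the domain itself. Unlike ping, this does not depend
#    on ICMP being allowed through the firewall.
$resolvedIps = @(Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
if ($resolvedIps.Count -eq 0) {
    Write-Warning "$domain did not resolve; check the client's DNS server settings."
}
$unexpected = @($resolvedIps | Where-Object { $_ -notin $designatedDns })
if ($unexpected.Count -gt 0) {
    Write-Warning "$domain resolved to address(es) outside the table: $($unexpected -join ', ')"
}

# 3. Domain controller locator SRV record, which domain join and logon rely on.
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' })
"{0} domain controller SRV record(s) found for {1}" -f $srv.Count, $domain

# 4. TCP reachability of each resolved domain controller.
#    Assumption: this port list is illustrative, not taken from the manual.
$tcpPorts = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB' }
)
$results = foreach ($ip in $resolvedIps) {
    foreach ($p in $tcpPorts) {
        [pscustomobject]@{
            Target  = $ip
            Port    = $p.Port
            Service = $p.Service
            Open    = (Test-NetConnection -ComputerName $ip -Port $p.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
    }
}
$results | Format-Table -AutoSize

# Closed ports point at the firewall rules described in section 3.4.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning "$($closed.Count) port check(s) failed; report them to BPM."
}
```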


4 USER GUIDE FOR MANAGING WINDOWS COMPUTER IN DOMAIN NETWORK ENVIRONMENT

4.1 WINDOWS LOGON CONCEPT

4.1.1 DOMAIN LOGON


• In Windows, a domain user is one whose username and password are stored on a
domain controller rather than the computer the user is logging into.
• A domain logon requires that the user has a user account in Active Directory.
• The computer must have a computer account in the Active Directory domain (join
computer into Active Directory domain) and be physically connected to the network.
• A domain logon grants a user permission to access local and domain resources.
• Users must also have the user rights to log on to a local computer or a domain.
• Domain user account information and group membership information are used to
manage access to domain and local resources.
• Sample Windows login with a Domain User Account on a Domain Computer

[Screenshot: Windows sign-in screen. Callouts: "Domain User Account’s User Logon Name" and "Logon into KPM (“Short Name”) Domain Network"]


No Procedure

1. Sample Windows login with a Domain User Account on a Domain Computer

By default, after a Windows computer has been joined to the Domain, it will accept any User Logon Name entered and treat it as a Domain User Account.

Any valid domain user may log in to Windows by clicking on Other user. The logon screen will display Sign in to: KPM domain.

Below is an example of a Domain User Account called “usertesting3” attempting to log in to a Windows computer that has been joined to the KPM Domain.


4.1.2 LOCAL LOGON


• In Windows, a local user is one whose username and encrypted password are stored
on the computer itself.
• A local logon requires that the user has a user account in the Security Accounts
Manager (SAM) on the local computer.
• The SAM protects and manages user and group information in the form of security
accounts stored in the local computer registry.
• The computer can have network access, but it is not required.
• Local user account and group membership information is used to manage access to
local resources.
• Sample Windows login with a Local User Account
Example:
[ Computer Name\User Logon Name ]
KPMF18PC0003\administrator

[Screenshot: Windows sign-in screen. Callouts: "Logon into Local Computer (“Computer Host Name”)" and "Local User Account’s User Logon Name"]

• Sample Windows login with a Local User Account without Typing the Computer Name
Example:
[ .\User Logon Name ]
.\administrator

[Screenshot: Windows sign-in screen. Callouts: "Logon into Local Computer (“Computer Host Name”)" and "Local User Account’s User Logon Name"]


No Procedure

1. Sample Windows login with a Local User Account without Typing the Computer Name

By default, after a Windows computer has been joined to the Domain, it will accept any User Logon Name entered and treat it as a Domain User Account.

To log in with a Local User Account, the user has to add “.\” before the User Logon Name. Windows will display the computer hostname in the Sign in to: field.

Below is an example of a Local User Account called “pcadmin4bpm” attempting to log in to a Windows computer called “TOTF01PC0001”.


4.2 ACCESS TO JOIN DOMAIN NETWORK TOOL

No Procedure

1. The INTEKSOFT team will provide the username and password for accessing the Join Domain Network Tool application. Kindly email moe.adjoin@inteksoft.com.my to get access to the application.

Download the Join Domain Network Tool application:

i. Open a browser and enter the URL: http://join.moe.gov.my/ or http://10.46.50.137/
(This URL can only be accessed from within the PCN and MyGov*Net network)
ii. Enter your username and password.
iii. Click Sign in to continue.


2. Click on Sites. Choose the related site to join the domain.

3. This tool simplifies the domain join activity. It renames the computer according to the newly defined computer naming convention standard, then places the newly joined Domain Computer object into the designated Organizational Unit for ease of management and monitoring.

Click Starter Kit to download the Join Domain Network Tool.


4. Extract the file starter_kit_lite.zip. Make sure the name of the text file matches the agency that is joining the domain.


4.3 CHECKING WHETHER A WINDOWS COMPUTER IS JOINED TO DOMAIN

No Procedure

1. Click on Windows icon > search “This PC” > Right click and select Properties


2. Under “Computer name, domain, and workgroup settings”, check whether the configuration settings for the Windows computer show Workgroup or Domain.

By default, a freshly installed Windows computer is configured in a Workgroup network. A Workgroup network environment only supports Local User Accounts for logging on to the Windows operating system.

Next, the IT admin can manually join the Windows computer to a Domain network. As a result, a Domain Computer Account is created in the Active Directory Domain Services (AD DS) database. A Domain network environment supports both Local User Accounts and Domain User Accounts for logging on to the Windows operating system.

Below is a sample screenshot of a Windows computer that has successfully joined the KPM.LOCAL domain network.


4.4 JOIN A WINDOWS COMPUTER TO DOMAIN

No Procedure

1. The tool needs to rename the computer and join it to the domain. Make sure the user account used to log on to the computer has local administrative privilege.

2. Run the Join Domain Network Tool using Start.exe.

3. Right-click Start.exe and run it as administrator.


4. Check Computer Information and Installation Site.


i. Make sure the Location Name is correct
ii. Select Computer Type as either PC or Laptop
iii. Click Next


5. The tool will generate the next unique Computer Name from the database according to the Installation Site and Location Name. It will rename the computer and then join the computer’s operating system to the KPM.LOCAL Active Directory Domain Network.

Click Next to begin the computer domain join.


6. Check the Summary information to verify the result of the computer domain join.

System Code: 0 indicates that the computer successfully joined the KPM.LOCAL Active Directory Domain Network.

Click Restart to restart the computer.

7. Restart the computer for the changes to take effect.


4.5 GRANT A DOMAIN USER BECOME ADMINISTRATOR ON WINDOWS COMPUTER

No Procedure

1. Make sure the user account used to log on to the computer has local administrative privilege.

2. Right-click the Windows icon > click Computer Management.


3. Expand on Local Users and Groups > Expand Groups > Choose Administrators and click
Add button

4. Enter the right username, then click “Check Names” to make sure the name exists in
KPM.local. Click OK


5. Check the account usernames that have been added in the Administrators Properties. Then click OK. The changes take effect when the user logs on with the domain account on that computer.


4.6 UNJOIN A WINDOWS COMPUTER FROM DOMAIN

No Procedure

1. The tool needs to unjoin the computer from the domain. Make sure the user account used to log on to the computer has local administrative privilege.

2. Run the Join Domain Network Tool using Start.exe.

3. Right-click Start.exe and run it as administrator.


4. Click Next.


5. On Remark, type the reason to unjoin domain. Then click Next.


6. Check the Summary information to verify the result of the computer domain unjoin.

System Code: 0 indicates that the computer was successfully unjoined from the KPM.LOCAL Active Directory Domain Network. The computer will leave the Domain network and rejoin the default Workgroup network.

Click Restart to restart the computer.

7. Restart the computer for the changes to take effect.


4.7 COMMON TECHNICAL ISSUE DISCOVERED IN CURRENT ENVIRONMENT

4.7.1 ISSUE ON WINDOWS COMPUTER WITH SAME MACHINE ID

Cause:
Windows computers have the same Machine ID as a result of disk duplication of Windows installations.

The Microsoft policy for disk duplication of Windows installations
URL: https://docs.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/windows-installations-disk-duplication
This article describes the SID and the supported methods for cloning or duplicating a Windows installation.

Suggested Action:
• The MOE technical team needs to review and analyze the existing practice for disk cloning or disk duplication of Windows operating system installations.
• The MOE technical team needs to learn the techniques supported by Microsoft for disk cloning or disk duplication, e.g., System Preparation (Sysprep).
• The MOE technical team needs a soft-landing plan to stop the existing practice that causes the same Machine ID issue.
• The MOE technical team needs to raise awareness and educate JPN, PPD & other agencies to adopt the best practice supported by Microsoft.
• The MOE technical team should consider adopting an enterprise desktop management solution in order to manage a computer environment of this size.


4.8 COMMON TECHNICAL ERROR DISCOVERED IN CURRENT ENVIRONMENT

4.8.1 ERROR ON “THE TRUST RELATIONSHIP BETWEEN THIS WORKSTATION AND THE PRIMARY
DOMAIN FAILED”

When you log on to a computer that is running Windows operating system in a domain
environment, you receive the following error message:

The trust relationship between this workstation and the primary domain failed.

Cause:
Possible root causes of the symptom are very broad and include, but are not limited to, the following:
• The computer changes the AD computer account password but is unable to change the local machine account password.
• The computer encountered an abnormal network interruption while performing computer account authentication to the Domain Controller or during the AD computer account password change cycle.
• The computer's Windows installation was reimaged without running Sysprep.

Suggested Action:
• A consistent and reliable network infrastructure (DNS, Firewall and Network Connectivity requirements) is very important for operating an Active Directory Domain Network, because Domain Users and Domain Computers must process logon and authentication with a Domain Controller over the network.
• The Windows operating system is designed to be smart enough to bail out if it cannot find or talk to a Domain Controller, but there are still scenarios in which failures happen. Sometimes a reboot of the computer resolves the problem because of this design.

Produced by Inteksoft Sdn Bhd Page 31


Dokumentasi dan Manual Pengguna

• Technically, Active Directory Domain User and Domain Computer are required
proper management and maintenance. The maintenance areas consist of in
Domain Controller and Domain Member (Workstation or Member Server Level).
• Pertaining to this error, Microsoft has provided workaround solutions but not limited
as below.

Workaround Solution #1:


1) Disconnect the network connection of the affected Windows computer.
2) Log on as the Domain User using cached credentials.
3) Reconnect the network connection of the affected Windows computer.
4) Restart Windows to refresh network connectivity in the operating system.

Workaround Solution #2:


1) Run the PowerShell Reset-ComputerMachinePassword command on the affected
Windows computer to manually trigger a reset of the machine account password.

Workaround Solution #3:


1) GUI method: reset the Computer Account from the AD Management Console.
2) On the affected Windows computer, log on as a Local User (with admin privilege)
and use the Network ID wizard to reconnect to the Domain Network.

Workaround Solution #4:


1) Unjoin the affected Windows computer from the KPM.LOCAL Domain
2) Rejoin the affected Windows computer to the KPM.LOCAL Domain

4.8.2 ERROR ON “THE SECURITY DATABASE ON THE SERVER DOES NOT HAVE A COMPUTER
ACCOUNT FOR THIS WORKSTATION TRUST RELATIONSHIP”

When you log on to a computer that is running Windows operating system in a domain
environment, you receive the following error message:

The security database on the server does not have a computer account for this workstation
trust relationship

Cause:
The possible root causes of this symptom are broad and include, but are not limited to, the following:
• The Domain Computer Account has been disabled or deleted from the Active Directory
Domain Services (AD DS) database.
• The Domain Computer’s date and time settings are misconfigured and do not align with the
current date and time defined in the Active Directory Domain Services (AD DS) infrastructure.
• An unexpected network DNS service failure, network communication traffic failure or
intermittent network connection results in a timeout between the Domain Computer and
the Domain Controller.

Suggested Action:
• For this error, Microsoft has provided workaround solutions that include, but are not
limited to, the following.

Workaround Solution #1:


1) Use the Active Directory Management Console to find the Domain Computer
Account of the affected Windows computer.
2) Ensure that the Domain Computer Account of the affected Windows computer
exists. Then set the Domain Computer Account status to enabled.
3) Disconnect the network connection of the affected Windows computer.
4) Log on as the Domain User using cached credentials.
5) Ensure the date and time settings match the current date and time defined in the
Active Directory Domain Services (AD DS) infrastructure.
6) Reconnect the network connection of the affected Windows computer.
7) Restart Windows to refresh network connectivity in the operating system.

Workaround Solution #2:


1) Unjoin the affected Windows computer from the KPM.LOCAL Domain
2) Rejoin the affected Windows computer to the KPM.LOCAL Domain
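
The causes listed in 4.8.1 and 4.8.2 (stale machine password, disabled or missing computer account, date/time mismatch, DNS or network failure) can be told apart before a workaround is chosen. The script below is an added example, not part of the original manual: it runs read-only checks and resets the machine account password only through a separate, opt-in function. The function names Get-TrustTriage and Repair-MachineTrust and the 300-second skew threshold are assumptions made for illustration.

```powershell
#Requires -Version 5.1
# Added example, not from the manual. Run elevated in Windows PowerShell 5.1 on the
# affected computer, logged on with a local administrator account.

function Get-TrustTriage {
    [CmdletBinding()]
    param(
        [string]$DomainName = 'KPM.LOCAL',   # domain named in this manual
        [int]$MaxSkewSeconds = 300,          # assumption: 5-minute Kerberos default tolerance
        [pscredential]$Credential            # optional domain account for the AD lookup
    )
    $r = [ordered]@{
        Computer = $env:COMPUTERNAME; JoinedDomain = $null; DomainController = $null
        SkewSeconds = $null; AccountState = 'NotChecked'; SecureChannel = $null
        Recommendation = $null
    }

    # 1. Is the computer joined to a domain at all?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) { $r.JoinedDomain = $cs.Domain }

    # 2. DNS: locate a Domain Controller through the domain's SRV record.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        $r.DomainController = $srv.NameTarget
    } catch { }
    if (-not $r.DomainController) {
        $r.Recommendation = 'No Domain Controller found in DNS: fix DNS or network connectivity first.'
        return [pscustomobject]$r
    }
    $dc = $r.DomainController

    # 3. Clock offset against that Domain Controller.
    #    w32tm prints data lines such as "10:15:02, +00.0312456s".
    $line = & w32tm.exe /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1 |
        Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($line) { $r.SkewSeconds = [math]::Abs([double]$line.Matches[0].Groups[1].Value) }

    # 4. Computer account state in AD (needs RSAT's ActiveDirectory module and a domain credential).
    if ($Credential -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        try {
            $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $dc -Credential $Credential -ErrorAction Stop
            $r.AccountState = if ($acct.Enabled) { 'Enabled' } else { 'Disabled' }
        } catch {
            $notFound = $_.Exception.GetType().Name -eq 'ADIdentityNotFoundException'
            $r.AccountState = if ($notFound) { 'Missing' } else { 'LookupFailed' }
        }
    }

    # 5. The secure channel itself, which is what the trust relationship error reports on.
    try { $r.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $r.SecureChannel = $false }

    # Map the findings to the workaround families described in 4.8.1 and 4.8.2.
    if (-not $r.JoinedDomain) {
        $r.Recommendation = 'Not domain joined: join the computer to the domain.'
    } elseif ($r.AccountState -eq 'Missing') {
        $r.Recommendation = 'Computer account missing in AD: unjoin and rejoin the domain.'
    } elseif ($r.AccountState -eq 'Disabled') {
        $r.Recommendation = 'Computer account disabled: enable it in AD, then restart.'
    } elseif ($null -ne $r.SkewSeconds -and $r.SkewSeconds -gt $MaxSkewSeconds) {
        $r.Recommendation = 'Clock differs from the Domain Controller: correct date and time first.'
    } elseif (-not $r.SecureChannel) {
        $r.Recommendation = 'Reset the machine account password (Repair-MachineTrust).'
    } else {
        $r.Recommendation = 'No fault found: secure channel is healthy.'
    }
    [pscustomobject]$r
}

function Repair-MachineTrust {
    # Opt-in repair: resets the machine account password, then re-tests the channel.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential   # account allowed to reset this computer object
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset machine account password')) {
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential
        Test-ComputerSecureChannel -Server $Server
    }
}
```

Run `Get-TrustTriage | Format-List` first and read the Recommendation field; call Repair-MachineTrust with `-WhatIf` to preview the reset before performing it.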

4.9 ROLLBACK STEP FROM DOMAIN COMPUTER TO WORKGROUP

Sometimes you need to roll back a domain computer to a workgroup when the Windows operating
system has problems inside the domain environment.

Cause:
The possible root causes of this symptom are broad and include, but are not limited to, the following:
• Windows is not updated with the latest patches.
• The Windows operating system is corrupted.
• The user profile in the operating system is corrupted.

Suggested Action:
• For this error, Microsoft has provided workaround solutions that include, but are not
limited to, the following.

Workaround Solution #1:


1) Unjoin the affected Windows computer from the KPM.LOCAL Domain
2) Log in as a local user
3) Install the latest Windows Update patches
4) Rejoin the affected Windows computer to the KPM.LOCAL Domain

Workaround Solution #2:


1) Unjoin the affected Windows computer from the KPM.LOCAL Domain
2) Reset the Windows operating system
3) Rejoin the affected Windows computer to the KPM.LOCAL Domain

Workaround Solution #3:


1) Create a new user profile in the Windows operating system
2) Migrate the domain user profile to the newly created user profile

5 USER GUIDE FOR MANAGING DOMAIN USER AND COMPUTER WITH
MICROSOFT ACTIVE DIRECTORY USERS AND COMPUTERS CONSOLE

5.1 ACCESS TO MICROSOFT ACTIVE DIRECTORY USERS AND COMPUTERS CONSOLE


Active Directory is a directory service or container which stores data objects on your local
network environment. The service records data on users, devices, applications and groups
in a hierarchical structure.

Some of you might have already looked for Active Directory Users and Computers (ADUC) on
your laptop and discovered that it is not there. It is not part of the default installation, and how
you get it installed depends on your version of Windows. In current versions of Windows, ADUC
is part of an administrative suite of tools called Remote Server Administration Tools (RSAT).

5.1.1 INSTALL REMOTE SERVER ADMINISTRATION TOOLS (RSAT) THROUGH OPTIONAL FEATURE

No Procedure

1. Open Windows Start Menu > Find and open Manage optional features on search taskbar

2. Click Add a Feature

3. Find RSAT on search bar. Click on RSAT: Active Directory Domain Services and
Lightweight Directory Services Tools and click Install (1)

4. Wait until Windows finishes installing RSAT

5. Go to Windows Start Menu and find Active Directory Users and Computers. > Right Click
> Click Open file location

6. Hold Shift and right-click Active Directory Users and Computers so that the Run
as different user option appears

7. Run the management console under Domain User Account with admin privileges.

5.1.2 INSTALL REMOTE SERVER ADMINISTRATION TOOLS (RSAT) THROUGH MICROSOFT
WEBSITES

System administrators can use this method if RSAT cannot be installed through optional features
because of the Windows version. RSAT can be downloaded from the following URL:
https://www.microsoft.com/en-us/download/details.aspx?id=45520

No Procedure

1. Open the URL, then click download

2. Two (2) download options will be displayed. If the PC is running 64-bit Windows, choose
“WindowsTH-KB2693643-x64.msu”. If the PC is running 32-bit Windows, choose
“WindowsTH-KB2693643-x86.msu”

3. After finishing the download, open the downloaded package at the bottom left screen (if
using Google Chrome). Then, double click the package to start the installation.

4. Click “Yes” on the screen Windows Update Standalone Installer

5. In the RSAT installation wizard, choose I Accept and wait until the installation is done

5.1.3 CREATE CUSTOM VIEW BY LOCATION USING MICROSOFT MANAGEMENT CONSOLE (MMC)

No Procedure

1. On Windows Start Menu, type and click Run. Then, type “mmc.exe” and click OK

2. Click on File > Add/Remove Snap-in...

3. Double click on Active Directory Users and Computers > Click OK

4. Click on Active Directory Users and Computers > Expand KPM.Local > Expand Clients >
Choose appropriate location, then right click, and choose New Window from Here

5. Click on View > Customize... > Tick Console tree only and untick all other options

6. Click on File > Options... > under Console mode, choose User mode – limited access
single window, tick Do not save changes to this console and untick Allow the user
to customize views, as shown in the diagram below. Then, click OK

7. Click File > “Save As...”. Give the file a name that indicates the location > Click Save

5.1.4 LAUNCH CUSTOM MMC BY USING DELEGATED DATA ADMINISTRATOR ACCOUNT

No Procedure

1. Press Shift and Right Click, then click on Run as different user

2. Run the management console under Domain User Account with admin privileges.

5.2 CREATE DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Select the right OU for the user > Right click
the OU > Select New > Select User

2. Create New Object - User prompt

3. Fill in the appropriate user information > Select Next.

4. On New Object – User password prompt | Fill in the password based on domain
requirement. Optionally, we may check user must change password at next logon.
Click Next.

5. Select Finish.

6. Domain user account has been created successfully.

5.3 VIEW & UPDATE PROPERTIES OF DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Properties.

2. Under General > Review and make changes for user details (if any).

3. The diagram shows changes being made on the Organization tab > Click Apply, then click OK

5.4 RESET PASSWORD FOR DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Reset Password

2. Fill in the default password based on domain requirement. We may check user must change
password at next logon for user to change to their own password.
Click Next.

3. A pop-up message will appear after the password has been reset successfully. Click OK

5.5 UNLOCK DOMAIN USER ACCOUNT

5.5.1 UNLOCK DOMAIN USER ACCOUNT THROUGH RESET PASSWORD COMMAND

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the user > Select Reset Password

2. The Reset Password menu will appear with the message Account Lockout Status on this
Domain Controller: Locked Out.

3. Fill in the new password and confirm it, untick User must change password at next logon,
tick Unlock the user’s account and click OK

5.5.2 UNLOCK DOMAIN USER ACCOUNT THROUGH USER OBJECT PROPERTIES COMMAND

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Properties.

2. Under the Account tab > Tick Unlock Account

5.6 DISABLE & ENABLE DOMAIN USER ACCOUNT

5.6.1 DISABLE DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Disable Account

2. The message “Object user has been disabled” will appear and the user icon will change to
the disabled state. Click OK

5.6.2 ENABLE DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the user > Select Enable Account

2. The message “Object user has been enabled” will appear and the user icon will change to
the enabled state. Click OK

5.7 MOVE DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Move.

2. Select the new Organizational Unit for the user and select OK.

5.8 DELETE DOMAIN USER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand User Organizational Unit > Right
click the User > Select Delete.

2. On confirmation prompt | Select Yes

5.9 DISABLE & ENABLE DOMAIN COMPUTER ACCOUNT

5.9.1 DISABLE DOMAIN COMPUTER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand Computer Organizational Unit >
Right click the computer > Select Disable Account

2. A confirmation message to disable the domain computer will appear. Click Yes, and the message
“Object Computer has been disabled.” will pop up. Click OK

5.9.2 ENABLE DOMAIN COMPUTER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand Computer Organizational Unit >
choose disable computer status > Right click the Computer > Select Enable Account

2. The message “Object computer has been enabled.” will pop up after the domain computer
is enabled. Click OK

5.10 RESET DOMAIN COMPUTER ACCOUNT

No Procedure

1. Open Active Directory Users and Computers > Expand Computer Organizational Unit >
Right click the Computer > Select Reset Account

2. A confirmation message to reset the domain computer will pop up. Click Yes, and the message
“Account Computer was successfully reset.” will pop up. Click OK

6 USER GUIDE FOR MANAGING DOMAIN USER AND COMPUTER WITH
MANAGEENGINE ADMANAGER PLUS

6.1 SYSTEM ACCESS TO MANAGEENGINE ADMANAGER PLUS

No Procedure

1. Open a browser and enter the URL: https://admp.moe.gov.my
(This URL can only be accessed from within the PCN and MyGov*Net networks)

2. Each department or agency will be given a dedicated Data Administrator Account for
managing the user and computer objects residing in its respective Organizational Unit (OU).

Enter the user logon name and password for the Data Administrator Account, make sure that
Log on to is set to KPM, and click Login.

3. Home dashboard of ManageEngine ADManager Plus.

6.2 CREATE DOMAIN USER ACCOUNT

6.2.1 CREATE DOMAIN USER ACCOUNT (SINGLE)

No Procedure

1. Go to Management tab > User Management > Find and click Create Single User

2. Choose User Creation with basic Attributes on Selected Template and click OK.
Administrators can still use the default option, System Template. This manual shows an
example of creation using the template User Creation with basic Attributes

3. Fill in the new user details. Columns highlighted in red font are mandatory: Logon Name,
Logon name (pre-Windows 2000) and Full name. Ensure the user’s location matches the
Organizational Unit (OU) code in the Select Container column. Location choices are limited
to the location(s) that have been assigned to the administrator’s ID

4. Go to Account tab > select Type a password > enter default Password and Confirm
Password > Untick on selection User must change password at next logon > Click Create
to create domain user

6.2.2 CREATE DOMAIN USER ACCOUNT (BULK)

No Procedure

1. Go to Management tab > Choose Create Bulk Users on User Management

2. Select User Creation with basic Attributes on Selected Template and click OK. Then
click Add Users

3. Fill in the user details. Column(s) highlighted in red font are mandatory: Logon Name,
Logon name (pre-Windows 2000) and Full name

4. Select Type a password on Password selection > Enter Password and Confirm Password
> Untick selection User must change password at next logon > Click OK

5. Users that have been created will be displayed in the form of a list. The figure below shows an
example of two new users to be created. Administrators can keep adding new users until finished.
Upon completing the list, click Next>>

6. Select the appropriate location. Location selection is limited to the locations assigned to the
administrator’s ID. Then click Create Users

7. Administrator can check the user generation status at the far right of the user list

6.2.3 CREATE DOMAIN USER ACCOUNT (IMPORT FROM CSV FILE)


Administrators are advised to create the user Excel file before proceeding with the import method.
The Excel file needs to be saved in CSV (comma delimited) (*.csv) format.
Please refer to the URL https://admp.moe.gov.my/help/csv-import-management/active-directory-ldap-attributes.html
for more detailed information.

No Procedure

1. Go to Management tab > Select User Creation with basic attributes on selection Selected
Template > Click Import and click Browse

2. Select the appropriate file and click Open

Click OK

3. The users to be generated will be listed as in the figure below. Review the user details, then click
Next>>

6.3 VIEW & UPDATE PROPERTIES OF DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > Select Modify Single User on User Management

2. Click Modify User on selected user

3. The screen will display a new menu to modify user details. Make any changes to the user
details if necessary. Click Update User after making changes

4. The screen will display message Successfully updated the user properties after the
details have been successfully updated

6.4 RESET PASSWORD FOR DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > Click Reset Password on General Attributes

2. Select Type a password and enter the Password along with Confirm Password. In the
Password options section, select No for all three options. Then select the appropriate OU
and click the Search button to perform a user search. Administrator can perform custom
searches by filling in the username in the Find the users field

3. A list of users will be displayed. Tick the checkbox of the user whose password is to be
reset and click Apply

4. Administrators can check the password reset status at the far right of the user list

6.5 UNLOCK DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > select Unlock Users on Bulk User Modification

2. In the Find the users field, type the username of the user to be unlocked. Then click on Search

3. Tick the checkbox of the user that is locked > Click Apply

4. Administrators can check the status of unlocked users on the far right of the user list

6.6 DISABLE & ENABLE DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > Select Enable/Disable Users on Bulk User Modification

6.6.1 DISABLE DOMAIN USER ACCOUNT

No Procedure

1. Select Disable on selection Enable/disable the account > Type name / username > Click
Search

2. The screen will display a list of users according to search. Select the user and tick the
checkbox to disable the user and click Apply. Administrators can also select two (2) or more
accounts at once

3. Administrator can review the status of disabled users at the far right of the list

6.6.2 ENABLE DOMAIN USER ACCOUNT

No Procedure

1. Select Enable on selection Enable/disable the account > Type name / username > Click
Search

2. The screen will display a list of users according to search. Select the user and tick the
checkbox to enable the user and click Apply. Administrators can also select two (2) or more
accounts at once

3. Administrator can review the status of enabled users at the far right of the list

6.7 MOVE DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > select Move Users on Bulk User Modification

2. At the selection Select Container, select the destination OU. Then in the Find the
users field, type the username of the user to be moved. Then click Search

3. Select the user to be transferred and tick the checkbox> Click Apply

4. Administrators can check the status of moved users at the far right of the user list

6.8 DELETE DOMAIN USER ACCOUNT

No Procedure

1. Go to Management tab > Click Delete Users on Bulk User Modification

2. Type name/username of user > click Search.

3. The screen will display a list of users according to search. Select user and tick the checkbox
to delete the user. Administrators can also select two (2) or more accounts at once. Click
Apply

4. Administrators can review the status of deleted users at the far right of the list

6.9 DISABLE & ENABLE DOMAIN COMPUTER ACCOUNT

No Procedure

1. Go to Management tab > Click on Enable/Disable Computers on Computer Management

6.9.1 DISABLE DOMAIN COMPUTER ACCOUNT

No Procedure

1. Select Disable on selection Enable/disable the Account. Type computer name on Find the
computers column in Show Computers List field, then click Search. Administrators can
leave the Find the computers field blank to search for all computers

2. The list of computers found will be displayed. Tick the computer checkbox and click
Apply

3. Administrator can review status of disabled computer at the far right of the list

6.9.2 ENABLE DOMAIN COMPUTER ACCOUNT

No Procedure

1. Select Enable on selection Enable/disable the Account. Type computer name on Find the
computers column in Show Computers List field, then click Search. Administrators can
leave the Find the computers field blank to search for all computers

2. The list of computers found will be displayed. Tick the computer checkbox and click
Apply

3. Administrator can review status of enabled computer at the far right of the list

6.10 RESET DOMAIN COMPUTER ACCOUNT

No Procedure

1. Go to Management tab > Computer Management > Click Reset Computers

2. Click on Add OUs

Select appropriate OU and click OK

3. Type computer name in the Find the computers column and click Search. Administrator can
leave the search column empty to perform searching for all computers in the selected OU

4. Screen will display a list of computers based on search result. Select the appropriate computer
by ticking the checkbox and click Apply. Administrator can select multiple computers at once
from the search list

5. Administrator can review status of reset computer at the far right of the list

6.11 REPORTS ON DOMAIN USER ACCOUNT


ADMP can generate user reports based on data from Active Directory. Reports that can be
generated include All Users, Recently Created Users, Recently Deleted Users and others.
This manual shows an example of report generation for All Users.

No Procedure

6. Go to Reports tab > Users Reports > Click All Users

7. Click Add-OUs

Select on appropriate OU. Then click OK

8. Click Generate to generate report for all users on selected OU

9. The All Users report for the selected OU will be generated. Administrators have the option to
export the report if necessary: click on Export as and select the desired file format to
download

10. The downloaded file will be saved. Normally by default, browser will display the file at the
bottom left as shown in figure below

11. The figure below shows an example of a downloaded .xlsx file. The first sheet displays a summary
of the total user accounts

The second sheet displays the full list of user accounts

6.12 REPORTS ON DOMAIN COMPUTER ACCOUNT


ADMP can generate computer reports based on data from Active Directory. Reports that can be
generated include All Computers, Active Computers, Enabled Computers and others.
This manual shows an example of report generation for All Computers.

No Procedure

1. Go to Reports tab > Computer Reports > Click All Computers

2. Click Add OUs and select appropriate OU. Then click on Generate to generate all
computers report based on selected OU

3. The All Computers report for the selected OU will be generated. Administrators have the option
to export the report if necessary: click on Export as and select the desired file format to
download

4. The figure below shows an example of a downloaded .xlsx file. The first sheet displays a summary
of the total computers

The second sheet displays the full list of computer accounts

7 USER GUIDE FOR DOMAIN USER ACCOUNT SELF SERVICE

7.1 REGISTER PASSWORD SELF-SERVICE IN ADSELFSERVICE

No Procedure

4. Access to ADSelfService application:


i. Open browser and enter URL: https://reset.moe.gov.my/
ii. Enter user logon name for Domain User Account and click Login.

iii. Enter password provided for Domain User Account and click Login.

5. Click Click here to enrol and register password self-service feature.

6. Register up two (2) security questions and answers. User must make sure able to
remember and recall the secret answer. Then click Next.

7. Registration of password self-service feature is successful.

7.2 UPDATE USER PROFILE DETAILS IN ADSELFSERVICE

No Procedure

1. Access to ADSelfService application:


i. Open browser and enter URL: https://reset.moe.gov.my/
(This URL can only be accessed from within the PCN and MyGov*Net networks)
ii. Enter user logon name for Domain User Account and click Login.

iii. Enter password provided for Domain User Account and click Login.

2. Click on Profile tab to view the current Domain User Account details.

3. Click on Edit button to edit Domain User Account details.

4. Update the Domain User Account details and click on Update button to save the changes.

5. The changes made to the Domain User Account details are updated successfully.

7.3 CHANGE PASSWORD IN ADSELFSERVICE

No Procedure

1. Access to ADSelfService application:


i. Open browser and enter URL: https://reset.moe.gov.my/
(This URL can only be accessed from within the PCN and MyGov*Net networks)
ii. Enter user logon name for Domain User Account and click Login.

iii. Enter password provided for Domain User Account and click Login.

2. Click on the Change Password tab. Fill in the old password and the new password,
following the defined password requirements. Then click Change Password.

3. The password has been changed successfully. Click Close to continue.

7.4 CHANGE PASSWORD IN WINDOWS OPERATING SYSTEM

No Procedure

1. Once you are successfully logged onto your computer using Domain User Account, press
Ctrl-Alt-Del on your keyboard. Click on “Change a password”

2. Make sure that the top field shows “KPM\” before your username, and then fill out the “Old
Password”, “New Password”, and “Confirm New Password” fields.
Then click on the arrow pointing right or, alternatively, press the Enter key.

3. You should then receive a message stating that you have successfully changed your
password. Click “OK” to continue.

7.5 PASSWORD RESET IN ADSELFSERVICE WHEN FORGOT YOUR PASSWORD

No Procedure

1. How to reset the password when the user has forgotten it.
Access to ADSelfService application:
i. Open browser and enter URL: https://reset.moe.gov.my/
(This URL can only be accessed from within the PCN and MyGov*Net networks)
ii. Click Forgot your password?
iii. Enter user logon name for Domain User Account.
iv. Enter the correct answer in captcha validation and click Continue.

2. The KPM User needs to provide the correct answers to their security questions. Then enter
the correct answer in captcha validation and click Continue.

3. The KPM User needs to enter the new password and confirm the new password. Then enter
the correct answer in captcha validation and click Reset Password.

4. The KPM User has successfully reset the password. Click Back to home to continue.

7.6 ACCOUNT UNLOCK IN ADSELFSERVICE WHEN YOUR USER ACCOUNT GET LOCKED OUT

No Procedure

1. How to unlock the account when the user account gets locked out.
Access to ADSelfService application:
i. Open browser and enter URL: https://reset.moe.gov.my/
(This URL can only be accessed from within the PCN and MyGov*Net networks)
ii. Click Account locked out?
iii. Enter user logon name for Domain User Account.
iv. Enter the correct answer in captcha validation and click Continue.

2. The KPM User needs to provide the correct answers to their security questions. Then enter
the correct answer in captcha validation and click Continue.

3. Enter the correct answer in captcha validation and click Unlock Account.

4. The KPM User has successfully unlocked the account. Click Back to home to continue.

8 FIX WINDOWS TEMPORARY PROFILE

8.1 FIX TEMPORARY PROFILE BY RENAME PROFILELIST


There can be several reasons why Windows loads a temporary profile. Usually there is a delay
in loading the profile. The profile may be corrupted, but loading can also be delayed by
antivirus programs, a service that is not responding, or any other operation that prevents
the profile from loading. Once a temporary profile has loaded for the first time, it will
continue to do so: from that point forward the user will always log in with the temporary profile.

No Procedure

1. If a user signs in to their account and gets the “We can't sign into your account” and
“You've been signed in with a temporary profile” notification messages, then
that user has been signed in to a temporary profile (ex: C:\Users\TEMP) instead of the
profile from their C:\Users\<user name> profile folder. Any changes that the user makes to
the temporary profile are lost after signing out.

2. While signed in to the account with the temporary profile, open a Command Prompt > Type
whoami /user > Press Enter
Make a note of the SID (Security Identifier) shown for the current account
(ex: S-1-5-21-....-1001). You will need it in the following steps.

3. Click Windows logo > Search Registry Editor > Select Run as administrator

Remarks:
▪ Make sure that you are logged on to the temporary profile

4. By expanding the fields on the left side, navigate to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
You should see two profiles with the same name, one of which ends with .bak.

5. Rename the temporary profile (the one without .bak) so that its name ends with .temp

6. Remove .bak from the name of the correct profile (the original profile)

7. Delete the temporary profile whose name ends with .temp

8. Restart the computer to apply these changes.

Remarks:
▪ If a temporary profile is loaded again after a restart, the most likely cause is a
corrupted user profile. In that case a new user profile has to be created.
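
Steps 4 to 7 above as a PowerShell function, given here as an added example that is not part of the original manual. The function name Repair-TempProfileKey and the backup location are assumptions, and the registry export before the change is an extra safeguard the manual does not list.

```powershell
# Added example (not from the KPM manual). Run from an elevated PowerShell session.
function Repair-TempProfileKey {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # SID to repair; defaults to the signed-in account (the value `whoami /user` prints).
        [string]$Sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        # Assumed backup location, outside the temporary profile so it survives sign-out.
        [string]$BackupPath = "$env:PUBLIC\ProfileList-backup.reg"
    )
    $root    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $tempKey = Join-Path $root $Sid          # key the temporary profile is using
    $bakKey  = Join-Path $root "$Sid.bak"    # original profile, set aside by Windows

    # Step 4: list the keys for this SID with the folder each one points to.
    Get-ChildItem $root |
        Where-Object { $_.PSChildName -in $Sid, "$Sid.bak", "$Sid.temp" } |
        ForEach-Object {
            [pscustomobject]@{ Key = $_.PSChildName
                               ProfileImagePath = $_.GetValue('ProfileImagePath') }
        } | Format-Table -AutoSize | Out-Host

    if (-not (Test-Path $bakKey)) {
        Write-Warning "No '$Sid.bak' key exists, so the rename procedure does not apply."
        return
    }
    if (Test-Path (Join-Path $root "$Sid.temp")) {
        Write-Warning "A '$Sid.temp' key is left over from an earlier attempt; review it first."
        return
    }
    if ($PSCmdlet.ShouldProcess($Sid, 'Restore .bak profile key and delete temporary key')) {
        # Export the whole ProfileList key first so the change can be reverted.
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; nothing was changed." }

        if (Test-Path $tempKey) {
            Rename-Item -Path $tempKey -NewName "$Sid.temp" -ErrorAction Stop   # step 5
        }
        Rename-Item -Path $bakKey -NewName $Sid -ErrorAction Stop               # step 6
        Remove-Item -Path (Join-Path $root "$Sid.temp") -Recurse -ErrorAction SilentlyContinue  # step 7
        Write-Host 'Done. Restart the computer to apply the change (step 8).'
    }
}

Repair-TempProfileKey -WhatIf   # preview only; remove -WhatIf to apply
```

With -WhatIf the function only lists the matching keys and reports what it would change, which lets the ProfileImagePath of each key be checked before anything is renamed.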

8.2 FIX TEMPORARY PROFILE USING PROFILE MIGRATION TOOLS

No Procedure

1. Press Ctrl + Alt + Delete > Click Switch User

2. Enter the other domain name and password > Press Enter

3. Confirm the original user profile path (the path before it became a temporary profile)

4. Open Profwiz.exe > Click Next

5. Select Name and Profile Path for the user. This profile can be confirmed with Step 3.

6. Enter new domain username > Click Next

7. Wait for the Setting profile ACL migration to finish. This procedure takes around
5 – 30 minutes, depending on the user's data.
WARNING: Don’t terminate this process or restart the computer if this process takes
longer than expected, because doing so will corrupt the user profile.

After the migration is completed, restart the computer to apply these changes.


8. Log into computer using new domain username > Open Profwiz.exe > Click Next

9. Select Name and Profile Path for the user. This profile can be confirmed with Step 3.

10. Enter the same domain username (the user who has the temporary profile) > Click Next

11. Wait for the Setting profile ACL migration to finish. This procedure takes around
5 – 30 minutes, depending on the user's data.
WARNING: Don’t terminate this process or restart the computer if this process takes
longer than expected, because doing so will corrupt the user profile.

After the migration is completed, restart the computer to apply these changes.

12. Lastly, clean up the affected computer, for example by deleting the temporary folder and
the duplicate SID name in Registry Editor.

9 STATEMENT OF ACCEPTANCE
The Dokumentasi dan Manual Pengguna above has been deployed and tested successfully.
This statement is to acknowledge that the Dokumentasi dan Manual Pengguna has been
completed and the results will be accepted by KPM.

On behalf of Inteksoft Sdn Bhd

Prepared by: Verified and approved by:


INTEKSOFT Representative INTEKSOFT Representative

----------------------------------------------------- -----------------------------------------------------
Name: Muhammad Habibullah Ismayuddin Name: Tong Fuh Shuang
Title: System Engineer Title: System Consultant
Date: Date:

On behalf of Kementerian Pendidikan Malaysia


Reviewed, Verified and Accepted by:

KPM Representative KPM Representative

----------------------------------------------------- -----------------------------------------------------
Name: Name:
Title: Title:
Date: Date:
