COLEGIO DE SAN JUAN DE LETRAN

Configuring, Managing and Maintaining Windows Server 2008


Charmaine Cagampang Jeremy Shayne Espineli Jenesis Navarro Claudine Mae Carlos Emmanuel Enriquez 10/3/2011

Table of Contents
Module 1: Creating AD DS User and Computer Accounts
Module 2: Creating AD DS Groups and Organizational Units
Module 3: Implementing a Shared Folder Implementation
Module 4: Configuring Active Directory Objects and Trusts
Module 5: Creating and Configuring GPOs
Module 6: Configure User and Computer Environment by Using Group Policy
Module 7: Implementing Security Using Group Policy

Module 1
Creating AD DS User and Computer Accounts

Exercise 1: Creating and Configuring User Accounts

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create a new user account


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, ensure WoodgroveBank.com is expanded, right-click the ITAdmins OU, point to New, and then click User.

3. In the New Object - User dialog box, enter the following information:
   First name: YOUR FIRST NAME (e.g. RONINA)
   Last name: YOUR LAST NAME (e.g. CAOILI)
   Full name: (e.g. RONINA CAOILI)
   User logon name: first initial and surname (e.g. rcaoili)
4. Click Next.

5. In the Password and Confirm Password fields, type Pa$$w0rd.
6. Verify that the User must change password at next logon check box is selected.

7. Click Next, and then click Finish.

8. On NYC-CL1, test the account you just created by logging on to NYC-CL1 with the user logon name you entered in step 3 (WOODGROVEBANK\ccarlos in this walkthrough) and the password Pa$$w0rd.

9. When prompted, click OK, type Pa$$w0rd1 as the new password, type Pa$$w0rd1 in the Confirm password field, click the right arrow button, and then click OK.

10. Log off from NYC-CL1.

Task 3: Modify the new user account's properties (Claudine Carlos in this walkthrough)


1. On NYC-DC1, in Active Directory Users and Computers, in the details pane, right-click the user you created in Task 2 (Claudine Carlos), and then click Properties.

2. Modify the user properties as follows:
   a. On the General tab, enter the following information:
      Telephone number: 63-927-3333331
      Office: Manila
      E-mail: Claudine@WoodgroveBank.com

b. On the Dial-in tab, under Network Access Permission, click Allow access.

c. On the Account tab, click Logon Hours. Configure the logon hours so that logon is permitted Monday through Saturday between 8:00 A.M. and 5:00 P.M., and then click OK.

d. On the Member Of tab, click Add.

e. In the Select Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK twice.

Task 4: Create a template for the New York Customer Service department
1. On NYC-DC1, in Active Directory Users and Computers, expand the NYC OU, and then click the CustomerService OU.

2. Right-click the CustomerService OU, point to New, and then click User.

3. In the New Object - User dialog box, enter the following information:
   First name: CustomerService
   Last name: Template
   Full name: CustomerService Template
   User logon name: _CustomerServiceTemplate

4. Click Next, enter the following details, and then click Finish:
   Password: Pa$$w0rd
   Confirm Password: Pa$$w0rd
   Account is disabled: Selected
   User must change password at next logon: Selected
   The template stays disabled: it exists only to be copied, and a disabled account with a known password cannot be used to log on.

5. In the details pane, right-click _CustomerServiceTemplate, click Properties, and then on the General tab enter the following details:
   Description: Customer Service Representative
   Office: New York Main Office

6. On the Member Of tab, add the following group: NYC_CustomerServiceGG

7. On the Organization tab, enter the following: Department: Customer Service

8. On the Account tab, click Logon Hours, permit logon Monday to Friday between 6:00 A.M. and 6:00 P.M., and then click OK.

Task 5: Create a new user account based on the customer service template
1. Right-click the CustomerService Template user, and then click Copy.

2. In the Copy Object - User dialog box, enter the following information:
   First name: Ronina
   Last name: Caoili
   User logon name: rcaoili

3. Click Next.
4. In the Password and Confirm Password fields, type Pa$$w0rd, and then click Next.
5. Click Next, and then click Finish. The copy inherits the template's Account is disabled setting.
6. Right-click Ronina Caoili, click Enable Account, and then click OK.

7. Double-click Ronina Caoili, and verify that the group membership and logon hours are correct. Review the settings on the General and Organization tabs.

Task 6: Modify the user account properties for all customer service representatives in New York
1. In the CustomerService OU details pane, click the top user, hold SHIFT, and then click the last user to select all of the accounts.
2. Hold CTRL, and then click NYC_CustomerServiceGG to remove the group from the selection (multi-select editing works only for objects of one class).

3. Right-click the highlighted user accounts, and then click Properties.

4. On the General tab, select the check boxes for the attributes you want to change, and enter the following information:
   Description: Customer Service Representative
   Office: New York Main Office

5. On the Organization tab, select the Department checkbox, enter Customer Service, and then click OK.

6. Double-click Eli Bowen, and verify that the Description, Office, and Department attributes have been updated. Click OK.

Task 7: Modify the user account properties for all Branch Managers
1. On NYC-DC1, in Active directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

2. In the Find Users, Contacts and Groups dialog box, click the Advanced tab.

3. Click Field, point to User, and then click Job Title.

4. In the Condition list, click Is (exactly), and in the Value field, type Branch Manager.

5. Click Add, and then click Find Now.

6. Select all of the user accounts in the Search Results, right-click the highlighted user accounts, and then click Add to a group.

7. In the Select Groups dialog box, type BranchManagersGG, and then click OK twice.

8. Close the Find Users, Contacts, and Groups dialog box.

Task 8: Create a saved query to find all Investments users


1. In Active Directory Users and Computers, right-click the Saved Queries folder, point to New, and then click Query.

2. In the New Query dialog box, in the Name field, type Find Investment Users.

3. Click Define Query.
4. In the Find list, click Users, Contacts and Groups.

5. Click the Advanced tab.
6. Click Field, point to User, and then click Department.

7. In the Condition list, verify that Starts with is selected, and in the Value field, type Investments.

8. Click Add, and then click OK twice.
9. Under Saved Queries, click Find Investment Users.

10. The query should display all of the users in the Investments departments in each city. A saved query is re-evaluated each time you click it, so users added to an Investments department later appear without editing the query.
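The same Module 1 work from PowerShell, as an added example that is not part of the lab text. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later; the 2008 RTM lab VMs have only dsadd, dsmod and dsquery), and takes the OU, group and user names from the lab. The logonHours helper and the final template check are additions; the password prompts stand in for the lab's fixed Pa$$w0rd.

```powershell
# Added example (not part of the lab): the Module 1 user tasks scripted with the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later). The 2008 RTM lab
# VMs have only dsadd/dsmod/dsquery. DNs, OU, group and user names are taken from
# the lab text; the password prompts replace the lab's fixed Pa$$w0rd.
Import-Module ActiveDirectory

$domainDn = 'DC=WoodgroveBank,DC=com'
$csOu     = "OU=CustomerService,OU=NYC,$domainDn"

# logonHours is 21 bytes = 168 bits, one per hour of the week, starting Sunday 00:00
# at bit 0 of byte 0. ADUC shows the grid in the workstation's local time and adds the
# time-zone offset for you; this writes the raw bits, so apply that offset yourself
# when the DC is not in UTC (assumption: the lab VMs run at the admin's own offset).
function New-LogonHours {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0 = Sunday .. 6 = Saturday
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = [int][Math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor [byte][Math]::Pow(2, $bit % 8)
        }
    }
    return ,$bytes
}

# Task 4: the template. Created disabled so it can never be used to log on; it exists
# only to be copied. The lab's ADUC steps set the same attributes one tab at a time.
New-ADUser -Name 'CustomerService Template' -SamAccountName '_CustomerServiceTemplate' `
    -GivenName 'CustomerService' -Surname 'Template' -Path $csOu `
    -Description 'Customer Service Representative' -Office 'New York Main Office' `
    -Department 'Customer Service' -Enabled $false -ChangePasswordAtLogon $true `
    -AccountPassword (Read-Host -AsSecureString 'Template password')
Set-ADUser -Identity '_CustomerServiceTemplate' `
    -Replace @{ logonHours = (New-LogonHours -Days (1..5) -StartHour 6 -EndHour 18) }
Add-ADGroupMember -Identity 'NYC_CustomerServiceGG' -Members '_CustomerServiceTemplate'

# Task 5: copy the template. -Instance copies the attributes fetched on $tpl; group
# membership is stored on the group, not the user, so it is copied separately (ADUC's
# Copy command does the same behind the scenes). The copy is enabled explicitly.
$tpl = Get-ADUser -Identity '_CustomerServiceTemplate' `
    -Properties Description, Office, Department, logonHours, MemberOf
New-ADUser -Instance $tpl -Name 'Ronina Caoili' -SamAccountName 'rcaoili' `
    -GivenName 'Ronina' -Surname 'Caoili' -UserPrincipalName 'rcaoili@WoodgroveBank.com' `
    -Path $csOu -Enabled $true -ChangePasswordAtLogon $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for rcaoili')
foreach ($g in $tpl.MemberOf) { Add-ADGroupMember -Identity $g -Members 'rcaoili' }

# Task 6: one Set-ADUser over the OU replaces the multi-select edit in ADUC.
Get-ADUser -SearchBase $csOu -SearchScope OneLevel -Filter * |
    Set-ADUser -Description 'Customer Service Representative' `
               -Office 'New York Main Office' -Department 'Customer Service'

# Tasks 7 and 8: the Find dialog builds an LDAP filter; write it directly.
# "Job Title is (exactly) Branch Manager" and "Department starts with Investments".
$managers = Get-ADUser -SearchBase $domainDn -LDAPFilter '(title=Branch Manager)'
Add-ADGroupMember -Identity 'BranchManagersGG' -Members $managers
Get-ADUser -SearchBase $domainDn -LDAPFilter '(department=Investments*)' |
    Select-Object Name, SamAccountName

# Check worth keeping: a template that someone enables is a shared account whose
# password every admin knows. userAccountControl bit 2 = ACCOUNTDISABLE.
Get-ADUser -SearchBase $domainDn `
    -LDAPFilter '(&(sAMAccountName=_*Template)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
    ForEach-Object { Write-Warning "Template account $($_.SamAccountName) is enabled" }
```

The LDAP filters are exactly what the Find dialog and the saved query generate; running them from a script is the easiest way to check that a saved query returns what you think it does.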

Exercise 2: Creating and Configuring Computer Accounts


Task 1: Create a computer account by using Active Directory Users and Computers
1. On NYC-DC1, in Active Directory Users and Computers, right-click Computers, point to New, and then click Computer.

2. In the New Object Computer dialog box, in the Computer Name field, type Windows Vista1.

3. Click Change.
4. In the Select User or Group dialog box, type Doris, click Check Names, and then click OK twice. Doris is now the only user who can join a computer with this name to the domain.

Task 2: Delete a computer account in AD DS


1. On NYC-DC1, in Active Directory Users and Computers, click Computers.
2. Right-click NYC-CL1, and then click Delete.

3. In the Active Directory Domain Services dialog box, click Yes.

4. On NYC-CL1, press right ALT+DELETE (the Virtual PC equivalent of CTRL+ALT+DELETE), and then click Switch User.
5. Click Other User, and then log on as Axel with the password Pa$$w0rd.

6. Press ENTER, read the error message, and then click OK. The domain logon fails because NYC-CL1's computer account no longer exists in AD DS, so the computer can no longer authenticate to the domain.

Task 3: Join a computer to an AD DS domain


1. Log on as NYC-CL1\LocalAdmin with the password Pa$$w0rd (a local account still works because local logon does not depend on the domain).

2. Click Start, right-click Computer, and then click Properties.

3. In the System Control Panel, click Change settings. In the User Account Control dialog box, click Continue.

4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, for Computer name, type NYC-CL5.
6. Under Member of, click Workgroup, type WORKGROUP, and then click OK.

7. In the Windows Security dialog box, in the User name field, type Administrator, and in the Password field, type Pa$$w0rd.
8. Click OK twice.

9. In Computer Name/Domain Changes dialog box, click OK twice, and then click Close.

10. Click Restart Now.

11. After the computer restarts, log in as LocalAdmin with a password of Pa$$w0rd.

12. Click Start, right-click Computer, and then click Properties.

13. In the System control panel, click Change settings.

14. In the User Account Control dialog box, click Continue.

15. On the Computer Name tab, click Change.

16. In the Computer Name/Domain Changes dialog box, under Member Of, click Domain, and then type Woodgrovebank.com. Click OK.

17. In the Windows Security dialog box, in the User name field, type Administrator and in the Password field, type Pa$$w0rd.

18. Click OK twice.
19. In the Computer Name/Domain Changes dialog box, click OK twice, and then click Close.
20. Click Restart Now.

21. On NYC-DC1, in Active Directory Users and Computers, click Computers, and then press F5 to refresh the view.

Verify that the NYC-CL5 account has been added to the Computers container.

22. After NYC-CL5 restarts, verify that you can log on as WoodgroveBank\Axel with the password Pa$$w0rd.
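Computer accounts from PowerShell, as an added example that is not part of the lab. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and PowerShell 3.0 or later, and uses the lab's names and DNs. The quota check, the quota change and the creator-SID report are additions: they concern the setting that decides who may join machines without being delegated, which Task 1's Change button addresses one account at a time.

```powershell
# Added example (not the lab's code): computer accounts from PowerShell, plus the
# domain setting and the attribute a practitioner checks around unauthorised joins.
# Assumes the ActiveDirectory module (RSAT, Server 2008 R2+) and PowerShell 3.0+;
# names and DNs are the lab's.
Import-Module ActiveDirectory
$domainDn = 'DC=WoodgroveBank,DC=com'

# Task 1 (pre-stage): an account created in advance lands in the OU you choose, and
# therefore under that OU's GPOs; the lab puts it in the Computers container, to which
# no GPO can be linked, so only domain-level GPOs reach it.
New-ADComputer -Name 'NYC-CL5' -Path "CN=Computers,$domainDn" `
    -Description 'Pre-staged in Module 1; Doris joins this machine'

# Task 3, run on the client as the local administrator: join against the pre-staged
# object. The restart is what makes the new secure channel take effect.
$cred = Get-Credential -UserName 'WOODGROVEBANK\Administrator' -Message 'Account allowed to join'
Add-Computer -DomainName 'WoodgroveBank.com' -Credential $cred -Restart

# Task 2 showed that deleting the computer object breaks domain logon on that machine.
# The opposite risk matters more: by default every authenticated user may create up to
# ms-DS-MachineAccountQuota (10) computer accounts, which is how one stolen user password
# becomes a machine account the attacker controls. Set it to 0 and delegate joins instead
# (the 'Change' button in Task 1 does that per account).
function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
if ((Get-MachineAccountQuota) -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $(Get-MachineAccountQuota); setting it to 0"
    Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# Detection: a computer created through the quota carries its creator's SID in
# mS-DS-CreatorSID; accounts created by someone with Create Computer rights (an admin,
# or ADUC pre-staging) leave it empty. List the quota-created ones and who made them.
function Get-QuotaJoinedComputers {
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                   else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }   # creator since deleted: keep the raw SID
            [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; When = $_.whenCreated }
        }
}
Get-QuotaJoinedComputers | Format-Table -AutoSize
```

A non-empty mS-DS-CreatorSID on a computer nobody pre-staged is worth a look in any domain where the quota is still at its default.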

Module 2
Creating AD DS Groups and Organizational Units

Exercise 1: Creating AD DS Groups


Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A NYC-SVR1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers
1. On NYC-DC1, open Active Directory Users and Computers.

2. In the WoodgroveBank.com domain, create a new group in the Users container with the following parameters:
   Group name: VAN_BranchManagersGG
   Group scope: Global
   Group type: Security

3. Repeat step 2 to create two more groups with the same scope and type, named VAN_CustomerServiceGG and VAN_InvestmentsGG (use exactly this spelling; Task 4 adds members to a group of this name).

Task 3: Create a group using Dsadd command-line tool


1. At a command prompt, type the following command, and then press ENTER (the switches are -samid, -secgrp and -scope; -secgrp yes makes it a security group and -scope g a global group):
   dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g

3. Use Find to locate the new group in the WoodgroveBank.com domain.

Task 4: Add members to the new groups


1. In Active Directory Users and Computers, use the standard Find box to search the WoodgroveBank.com domain for each of the user accounts listed in the following table.
2. Add each user to the group indicated:
   Find                 Add to group
   Neville Burdan       VAN_BranchManagersGG
   Suchitra Mohan       VAN_BranchManagersGG
   Anton Kirilov        VAN_CustomerServiceGG
   Shelley Dyck         VAN_CustomerServiceGG
   Barbara Moreland     VAN_InvestmentsGG
   Nate Sun             VAN_InvestmentsGG
   Yvonne McKay         VAN_MarketingGG
   Monika Buschman      VAN_MarketingGG
   Bernard Duerr        VAN_MarketingGG

Task 5: Verify the group membership
1. In Active Directory Users and Computers, click the Users container in WoodgroveBank.com. In the details pane, right-click VAN_BranchManagersGG, and then click Properties.
2. On the Members tab, verify that Neville Burdan and Suchitra Mohan are now members.

Exercise 2: Creating an OU Hierarchy


Task 1: Create OUs using Active Directory Users and Computers
1. On NYC-DC1, open Active Directory Users and Computers.

2. At the root level of WoodgroveBank.com, create a new OU called Vancouver.

3. Inside the Vancouver OU, create three OUs named BranchManagers, CustomerService, and Marketing.

Task 2: Create an OU using Dsadd


1. Click Start, click Run, type cmd, and then press ENTER to open a command-line window.
2. At the command prompt, type the following command, and then press ENTER:
   dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment Department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd
   The -u and -p switches supply the credentials to run the command with. A password typed on the command line stays in the console history, so outside the lab use -p * to be prompted for it instead.

4. In Active Directory Users and Computers, refresh WoodgroveBank.com domain object, and note the presence of the new OU.

Task 3: Nest an OU inside another OU


1. In Active Directory Users and Computers, refresh the object tree.
2. Move the new Investments OU from the WoodgroveBank.com domain level into the Vancouver OU. Click OK to dismiss the warning message.

Task 4: Move groups that you created in Exercise 1 into the appropriate OUs
1. In Active Directory Users and Computers, locate the groups that you created in Exercise 1 for the new Vancouver subsidiary; they are still in the Users container of WoodgroveBank.com.
2. Move each group into the Vancouver OU whose name matches it: VAN_BranchManagersGG into BranchManagers, VAN_CustomerServiceGG into CustomerService, VAN_InvestmentsGG into Investments, and VAN_MarketingGG into Marketing.

Task 5: Find and move users into Vancouver OUs


Use Active Directory Users and Computers to find the following users and move each one into the Vancouver OU that corresponds to the group it was added to in Exercise 1:

   Find                 Group                    Move to Vancouver OU
   Neville Burdan       VAN_BranchManagersGG     BranchManagers
   Suchitra Mohan       VAN_BranchManagersGG     BranchManagers
   Anton Kirilov        VAN_CustomerServiceGG    CustomerService
   Shelley Dyck         VAN_CustomerServiceGG    CustomerService
   Barbara Moreland     VAN_InvestmentsGG        Investments
   Nate Sun             VAN_InvestmentsGG        Investments
   Yvonne McKay         VAN_MarketingGG          Marketing
   Monika Buschman      VAN_MarketingGG          Marketing
   Bernard Duerr        VAN_MarketingGG          Marketing

Task 6: Delegate control over an OU


1. In Active Directory Users and Computers, select the Vancouver\Marketing OU, and open the Delegation of Control Wizard.

2. Add Yvonne McKay to the selected users and group list, and then click Next.

3. Delegate to her the following common tasks:
   Create, delete and manage user accounts
   Reset user passwords and force password change at next logon
   Create, delete and manage groups
   Modify the membership of a group

4. Click Next and then click Finish.

Task 7: Test delegated user rights


1. On NYC-SVR1, log on as WoodgroveBank\Yvonne with the password Pa$$w0rd.

2. Start Server Manager as an administrator. Provide the domain administrator credentials when prompted.

3. Install the Active Directory Domain Services Tools feature.
4. When prompted, restart the computer, and then log on as Yvonne. Start Server Manager as an administrator, and let the installation complete.
5. Start Active Directory Users and Computers.
6. Reset the password of Monika Buschmann to Pa$$w0rd. You should see the following message: Password for Monika Buschmann has been changed.
7. Try to move a user from the Miami BranchManagers OU into the Vancouver BranchManagers OU. You should see the following message: Windows cannot move object [username] because: Access denied. Yvonne's delegated rights cover only the Vancouver\Marketing OU; moving an object out of Miami also requires rights on the source OU.

Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module 3
Implementing a Shared Folder Implementation

Exercise 1: Implementing a Shared Folder Implementation


Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A NYC-CL1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer


1. On NYC-DC1, open Windows Explorer.

2. On drive C, create folders named Marketing, Managers, Investments, and CustomerService.

Task 3: Set share properties for the folder


1. Right-click the Marketing folder, and then click Share.

2. In File Sharing dialog box, type TOR_MarketingGG, and then click Add.

3. Change the permission level to Contributor, and then click Share. Contributor lets the group add and change files but not change permissions; only the Co-owner level grants that.

4. Repeat the sharing steps for each of the remaining folders, giving the following groups the Contributor permission level:
   Managers folder: TOR_BranchManagersGG
   Investments folder: TOR_InvestmentsGG
   CustomerService folder: TOR_CustomerServiceGG

Task 4: Create another shared folder by using the Share and Storage Management MMC
1. On the Start menu, in Administrative Tools, click Share and Storage Management.

2. Start the Provision a Shared Folder Wizard.

3. Click the Browse button. In the Browse Folder window, create a new folder named CompanyNews on the C drive.

4. Do not change any other settings; click Next on each page until the Create button appears. Click Create, and then click Close.

5. In the Shares list of the Share and Storage Management MMC, right-click CompanyNews, and then click Properties.

6. On the Permissions tab, click Share Permissions. Add the Domain Users group, and notice that its permission defaults to Read.

7. Add the TOR_BranchManagersGG group, and grant it Full Control.

8. Complete the permissions settings, and then close the Share and Storage Management MMC.

Task 5: Create a new group and shared folder for an interdepartmental project
1. Open Active Directory Users and Computers MMC.

2. Click the Toronto OU, and add a new global security group named TOR_SpecialProjectGG.

3. Expand the following Toronto OUs, and use the Add to a group command to add the listed users to TOR_SpecialProjectGG:
   Toronto OU          User
   Investment          Aaron Con
   Marketing           Aidan Delaney
   Branch Managers     Sven Buck
   Customer Service    Dorena Pashke

4. Close Active Directory Users and Computers. 5. Create a new folder in drive C, and name it SpecialProjects.

6. Share the folder, adding the TOR_SpecialProjectGG group with the Contributor permission level.

7. Click Share.

Task 6: Block inheritance of a folder in a shared folder


1. Open the SpecialProjects folder. 2. Create a new folder called Unshared.

3. In the properties of Unshared, on the Security tab, click Advanced, click Edit, and then clear Include inheritable permissions from this object's parent. When prompted, click Remove rather than Copy, so the inherited entries (including the project group's access) are dropped instead of being copied in as explicit entries.

4. Add the Administrator account back with Full Control, so that the folder stays manageable once the inherited entries are gone.

Exercise 2: Evaluating the Shared Folder Implementation


Task 1: Log on to NYC-CL1 as Sven
Log on to NYC-CL1 as Sven, with the password Pa$$w0rd.

Task 2: Check the permissions for Company News


1. After you are logged on as Sven, open the CompanyNews share on NYC-DC1 and create a text file named News.txt. This succeeds because Sven is a member of TOR_BranchManagersGG, which has Full Control on the share.

2. Create a folder named News, and drag News.txt into it.

3. Close the CompanyNews window, and then log off.

Task 3: Check permissions of interdepartmental share Special Project


1. Log on as Dorena with the password Pa$$w0rd.
2. Open the SpecialProjects share and create a text document. This succeeds because Dorena is a member of TOR_SpecialProjectGG, which has Contributor access.

3. Try to open CompanyNews, and then open the News.txt file inside the News folder. Dorena can read it as a member of Domain Users, but because that group has only Read on the share she cannot save changes to it.

4. Log off as Dorena.
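The Module 3 shares built and then read back from PowerShell, as an added example that is not part of the lab. It uses net share and icacls, both present on Windows Server 2008, with the lab's paths, share names and group names; the split into share-level and NTFS permissions, and the WMI read-back at the end, are the editor's additions.

```powershell
# Added example, not from the lab. Builds the Module 3 shares with net share and icacls,
# both present on Windows Server 2008, and then reads back what was actually granted.
# Paths, share names and group names are the lab's; run as an administrator on NYC-DC1.
$domainShares = @{
    'Marketing'       = 'TOR_MarketingGG'
    'Managers'        = 'TOR_BranchManagersGG'
    'Investments'     = 'TOR_InvestmentsGG'
    'CustomerService' = 'TOR_CustomerServiceGG'
    'SpecialProjects' = 'TOR_SpecialProjectGG'
}
foreach ($name in $domainShares.Keys) {
    $path  = "C:\$name"
    $group = "WOODGROVEBANK\$($domainShares[$name])"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # "Contributor" in the File Sharing dialog is Change on the share plus Modify on NTFS.
    # Share permissions gate only network access; NTFS protects the data for local and
    # Terminal Services logons too, so set both, and do not hand users Full Control
    # (it lets them rewrite the ACL).
    net share "$name=$path" "/GRANT:$group,CHANGE" | Out-Null
    icacls $path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${group}:(OI)(CI)M" | Out-Null
}

# Task 4: CompanyNews. Everyone in the domain reads, branch managers write. The lab grants
# TOR_BranchManagersGG Full Control on the share; Modify on NTFS is all they need to publish.
New-Item -ItemType Directory -Path 'C:\CompanyNews' -Force | Out-Null
net share 'CompanyNews=C:\CompanyNews' '/GRANT:WOODGROVEBANK\Domain Users,READ' `
    '/GRANT:WOODGROVEBANK\TOR_BranchManagersGG,FULL' | Out-Null
icacls 'C:\CompanyNews' /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' `
    'WOODGROVEBANK\Domain Users:(OI)(CI)RX' 'WOODGROVEBANK\TOR_BranchManagersGG:(OI)(CI)M' | Out-Null

# Task 6: the Unshared subfolder. /inheritance:r removes the inherited entries (the
# dialog's Remove button); /inheritance:d would copy them in as explicit entries (Copy),
# which leaves the project group's Modify access in place and is the common mistake.
New-Item -ItemType Directory -Path 'C:\SpecialProjects\Unshared' -Force | Out-Null
icacls 'C:\SpecialProjects\Unshared' /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# Exercise 2, scripted: the effective remote permission is the more restrictive of share
# and NTFS, so read both back instead of trusting the dialog. Share ACLs live in WMI.
function Get-ShareAndNtfsAccess([string]$ShareName) {
    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $dacl  = $share.GetSecurityDescriptor().Descriptor.DACL |
        ForEach-Object { '{0}\{1}: share mask 0x{2:X}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask }
    $path  = (Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'").Path
    $ntfs  = (Get-Acl -Path $path).Access |
        ForEach-Object { '{0}: NTFS {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }
    return @($dacl) + @($ntfs)
}
Get-ShareAndNtfsAccess 'CompanyNews'      # Domain Users: share READ (0x1200A9), NTFS ReadAndExecute
Get-ShareAndNtfsAccess 'SpecialProjects'  # TOR_SpecialProjectGG: share CHANGE (0x1301BF), NTFS Modify
(Get-Acl -Path 'C:\SpecialProjects\Unshared').Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize   # only SYSTEM and Administrators
```

The last three lines are the scripted version of what Sven and Dorena test by hand in Exercise 2: whichever of the two ACLs is tighter is what a network user gets.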

Module 4
Configuring Active Directory Objects and Trusts
Lab A: Configuring Active Directory Delegation

Exercise 1: Delegating Control of AD DS Objects


Task 1: Start each virtual machine and log on
1. In the Lab Launcher, next to 6419A NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, right-click Toronto, and then click Delegate Control.
3. In the Delegation of Control Wizard, click Next.
4. On the Users or Groups page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type TOR_BranchManagersGG, and then click OK.

6. Click Next.
7. On the Tasks to Delegate page, select the Create, delete, and manage user accounts and the Create, delete and manage groups check boxes.

8. Click Next, and then click Finish.

Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU
1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.

2. In the Delegation of Control Wizard, click Next.

3. On the Users and Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.

5. Click Next.

6. On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box.

7. Click Next, and then click Finish.

8. Right-click Toronto, and then click Delegate Control.

9. In the Delegation of Control Wizard, click Next.

10. On the Users or Groups page, click Add.

11. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.

12. Click Next.

13. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

14. On the Active Directory Object Type page, click Only the following objects in the folder, and then select the User objects check box.

15. Click Next.

16. On the Permissions page, ensure that the General check box is selected.

17. Under Permissions, select the Read and Write personal information check box, and then click Next.

18. Click Finish.

Task 4: Verify the effective permissions assigned for the Toronto OU


1. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.

2. In the console pane, right-click the Toronto OU, and then click Properties.

3. In the Toronto Properties dialog box, on the Security tab, click Advanced.

4. In the Advanced Security Settings for Toronto dialog box, on the Effective Permissions tab, click Select.

5. In the Select Users, Computers, or Group dialog box, type Sven, and then click OK. Sven Buck is a member of the TOR_BranchManagersGG group.

6. Review Sven's effective permissions. Verify that Sven has permissions to create and delete user and group objects.

7. Click Cancel twice.

8. Expand the Toronto OU, and then click the Customer Service OU.

9. In the details pane, right-click Matt Berg, and then click Properties.

10. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.

11. In the Advanced Security Settings for Matt Berg dialog box, on the Effective Permissions tab, click Select.

12. In the Select Users, Computers, or Groups dialog box, type Helge, and then click OK. Helge Hoeing is a member of the TOR_CustomerServiceGG group.

13. Review Helge's effective permissions. Verify that Helge has permissions to reset passwords and to write personal information.

14. Click Cancel twice.

15. Close Active Directory Users and Computers.

Task 5: Test the delegated permissions for the Toronto OU


1. Log on to NYC-DC1 as WOODGROVEBANK\Sven with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

4. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and then point to New, and then click User.

5. Create a new user with the following properties:
   a. First name: Test1
   b. User logon name: Test1
   c. Password: Pa$$w0rd

6. Click Next. This task succeeds because TOR_BranchManagersGG, of which Sven Buck is a member, was delegated the authority to create user accounts in the Toronto OU.

7. Right-click the Toronto OU, and then point to New, and then click Group.

8. Create a new global security group named Group1. This task succeeds because the same group was delegated the authority to create groups in the Toronto OU.

9. Right-click the ITAdmins OU, and review the menu options. Verify that Sven does not have permissions to create any new objects in the ITAdmins OU. Close Active Directory Users and Computers.

10. Log off and then log on to NYC-DC1 as WOODGROVEBANK\Helge with the password of Pa$$w0rd.

11. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers

12. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

13. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and review the menu options. Verify that Helge does not have permissions to create any new objects in the Toronto OU.

14. Expand Toronto, click CustomerService, right-click Matt Berg, and then click Reset Password.

15. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd, and then click OK twice.

16. Right-click Matt Berg, and then click Properties.

17. In the Matt Berg Properties dialog box, verify that Helge can set the properties in the Personal Information property set, such as Office and Telephone number, but not attributes outside it, such as Description and E-mail.

18. Click Cancel.

19. Close Active Directory Users and Computers, and then log off.
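What the Delegation of Control Wizard writes in Module 2 Task 6 and in Tasks 2 and 3 of this lab, done as explicit ACEs and then listed, as an added example that is not part of the lab. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the lab's OU and group names; the GUID lookups and the delegation listing at the end are the editor's additions. The listing is the review step the wizard itself does not offer: it shows every principal delegated on the OU at once, where the Effective Permissions tab of Task 4 answers for one principal at a time.

```powershell
# Added example, not part of the lab. Writes the same ACEs the Delegation of Control
# Wizard writes in Module 2 Task 6 and Module 4 Tasks 2-3, then lists them, which is
# the review step the wizard does not give you. Assumes the ActiveDirectory module
# (RSAT, Server 2008 R2+) and the lab's OU and group names.
Import-Module ActiveDirectory
$domainDn = 'DC=WoodgroveBank,DC=com'
$rootDse  = Get-ADRootDSE

# Resolve the object-type GUIDs from this forest's schema and extended-rights
# containers instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'
$personal   = Get-ExtendedRightGuid 'Personal Information'   # the wizard's "personal information" property set

function Add-OuAce {
    param(
        [string]$OuDn, [string]$Group,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit,
        [guid]$InheritedType = [guid]::Empty
    )
    $sid = (Get-ADGroup -Identity $Group).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
               $ObjectType, $Inherit, $InheritedType)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$toronto = "OU=Toronto,$domainDn"
# "Create, delete and manage user accounts" (Task 2): create/delete user objects on the
# OU and below, plus full control over the user objects themselves.
Add-OuAce $toronto 'TOR_BranchManagersGG' 'CreateChild, DeleteChild' $userClass 'All'
Add-OuAce $toronto 'TOR_BranchManagersGG' 'GenericAll' ([guid]::Empty) 'Descendents' $userClass
# "Create, delete and manage groups": the same shape for group objects.
Add-OuAce $toronto 'TOR_BranchManagersGG' 'CreateChild, DeleteChild' $groupClass 'All'
Add-OuAce $toronto 'TOR_BranchManagersGG' 'GenericAll' ([guid]::Empty) 'Descendents' $groupClass
# "Reset user passwords and force password change at next logon" (Task 3, steps 1-7):
# the Reset Password control right plus read/write on pwdLastSet, on user objects only.
Add-OuAce $toronto 'TOR_CustomerServiceGG' 'ExtendedRight' $resetPwd 'Descendents' $userClass
Add-OuAce $toronto 'TOR_CustomerServiceGG' 'ReadProperty, WriteProperty' $pwdLastSet 'Descendents' $userClass
# "Read and write personal information" (Task 3, steps 8-18): one property set, not
# the whole object, which is why Helge can edit Office but not Description in Task 5.
Add-OuAce $toronto 'TOR_CustomerServiceGG' 'ReadProperty, WriteProperty' $personal 'Descendents' $userClass

# Task 4's Effective Permissions tab answers for one principal at a time. For a review,
# list every explicit ACE on the OU instead: stale or over-broad delegations show up here.
function Get-OuDelegation([string]$OuDn) {
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType
}
Get-OuDelegation $toronto | Format-Table -AutoSize
```

The ObjectType and InheritedObjectType columns come back as GUIDs; the two lookup functions above resolve them the other way round (name to GUID), and the same schema and Extended-Rights containers give you the name for a GUID you do not recognise.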

Module 5: Creating and Configuring GPOs

Lab A: Creating and Configuring GPOs


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Creating and Configuring Group Policy Objects


Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Create the group policy settings


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type Restrict Control Panel, and then click OK.
5. Repeat the previous two steps to create the following GPOs:
   Restrict Desktop Display
   Restrict Run Command
   Baseline Security
   Vista and XP Security
   Admin Favorites
   Kiosk Computer Security

Task 3: Configure the policy settings


A. Configure the Baseline Security policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Baseline Security policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. In the details pane, double-click Interactive logon: Do not display last user name.
4. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting check box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.

B. Configure the Admin Favorites policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs.
3. In the details pane, double-click Favorites and Links.
4. In the Favorites and Links dialog box, click Add URL.
5. In the Details dialog box, in the Name field, type Tech Support.
6. In the URL field, type http://support.microsoft.com.
7. Click OK twice.
8. Close Group Policy Management Editor.

C. Configure the Restrict Desktop Display policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Desktop Display policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Display. (The transcription does not record which Display setting is configured here; the steps it does record configure the Desktop setting below.)
3. Under User Configuration, under Administrative Templates, click Desktop.
4. In the details pane, double-click Hide and disable all items on the desktop.
5. In the Hide and disable all items on the desktop Properties dialog box, click Enabled, and then click OK.
6. Close Group Policy Management Editor.
(The transcription also lists the User Group Policy loopback processing mode steps under this policy. That is a computer-side setting, configured for the Kiosk Computer Security policy in section D; in a GPO linked to an OU that holds only user accounts it would apply to no computer.)

D. Configure the Kiosk Computer Security policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Kiosk Computer Security policy, and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Group Policy.
3. In the details pane, double-click User Group Policy loopback processing mode.
4. In the User Group Policy loopback processing mode Properties dialog box, click Enabled, ensure that Mode is set to Replace, and then click OK. In Replace mode the user settings applied on a kiosk are only those of the GPOs in the kiosk computer's scope, whoever logs on; that is what makes the next steps take effect for every user of the kiosk.
5. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Desktop.
6. In the details pane, double-click Hide and disable all items on the desktop.
7. In the Hide and disable all items on the desktop Properties dialog box, click Enabled, and then click OK.
8. Close Group Policy Management Editor.

E. Configure the Restrict Control Panel policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Control Panel policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Control Panel.
3. In the details pane, double-click Prohibit access to the Control Panel.
4. In the Prohibit access to the Control Panel Properties dialog box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.

F. Configure the Restrict Run Command policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Run Command policy, and then click Edit. (The transcription names Restrict Control Panel here, which section E already configured; the Remove Run menu setting belongs to the Restrict Run Command GPO created in Task 2.)
2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.
3. In the details pane, double-click Remove Run menu from Start Menu.
4. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.

G. Configure the Vista and XP Security policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Vista and XP Security GPO, and then click Edit.
2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon.
3. In the details pane, double-click Always wait for the network at computer startup and logon.
4. In the Always wait for the network at computer startup and logon Properties dialog box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.

Task 4: Link the GPOs to the appropriate containers


1. In the Group Policy Management window, right-click the WoodgroveBank.com domain, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click the Baseline Security GPO, hold down CTRL, and then click the following GPOs:
   Kiosk Computer Security
   Restrict Run Command
   Vista and XP Security
3. Click OK.
4. Right-click the ITAdmins OU, and then click Link an Existing GPO.
5. In the Select GPO dialog box, click the Admin Favorites GPO, and then click OK.
6. Right-click the Executives OU, and then click Link an Existing GPO.
7. In the Select GPO dialog box, click the Restrict Desktop Display GPO, and then click OK.
8. Right-click the Miami OU, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click the Restrict Control Panel GPO, and then click OK.
10. Repeat the previous two steps to link the Restrict Control Panel policy to the NYC and Toronto OUs.
Result: At the end of this exercise you will have created and configured GPOs.

Exercise 2: Creating and Configuring Group Policy Objects


Task 1: Configure Group Policy management for the domain container
1. In the Group Policy Management window, expand the WoodgroveBank.com domain to expose the linked policies (denoted by the shortcut icons).
2. Right-click the Baseline Security link, and then click Enforced.
3. Click the Baseline Security link.
4. When the Group Policy Management Console dialog appears, select Do not show this message again, and then click OK.
5. In the details pane, click the Details tab.
6. In the GPO Status list, click User configuration settings disabled.
7. When the Group Policy Management dialog appears, click OK.
8. Click the Kiosk Computer Security link.
9. In the details pane, click the Delegation tab.
10. Click Advanced.
11. In the Kiosk Computer Security Security Settings dialog box, click the Authenticated Users group, and then click Remove.
12. Click Add, and then in the Select Users, Computers, or Groups dialog box, type Kiosk Computers, and then click OK.
13. Under Permissions for Kiosk Computers, next to Apply group policy, select Allow, and then click OK.

Task 2: Configure Group Policy management for the IT Admin OU
In the Group Policy Management window, right-click the ITAdmins OU, and then click Block Inheritance.

Task 3: Configure Group Policy management for the branch OUs


1. In the Group Policy Management window, in the console pane under the Group Policy Objects folder, click the Restrict Control Panel policy.
2. In the details pane, click the Delegation tab, and then on the Delegation tab, click Advanced.
3. In the Restrict Control Panel Security Settings dialog box, click Add.
4. In the Select Users, Computers, or Groups dialog box, type MIA_BranchManagersGG; NYC_BranchManagersGG; TOR_BranchManagersGG.
5. Click OK.
6. Under Group or user names, click MIA_BranchManagersGG.
7. Under Permissions for MIA_BranchManagersGG, next to Apply group policy, select Deny.
8. Repeat the previous two steps for NYC_BranchManagersGG and TOR_BranchManagersGG.
9. Click OK.
10. In the Windows Security dialog, click Yes.

Task 4: Create and apply a WMI filter for the Server Security GPO
1. In the Group Policy Management window console pane, right-click the WMI Filters folder, and then click New.
2. In the New WMI Filter dialog box, in the Name field, type Windows Vista or XP operating system.
3. Click Add.
4. In the WMI Query dialog box, in the Query field, type Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional" (WQL requires the class name with the underscore and the string values in quotes).
5. Click OK, and then click Save.
6. In the Group Policy Objects folder, click the Vista or XP Security policy, and then in the details pane, click the Scope tab.
7. In the WMI Filtering list, click Windows Vista or XP operating system.
8. In the Group Policy Management dialog, click Yes.

Result: At the end of this exercise you will have configured the scope of GPO settings.
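A WMI filter is evaluated on the client every time Group Policy is processed, and a query that selects no instances silently excludes the GPO, so it pays to run the exact WQL on a representative client before attaching it. The following PowerShell is an added example and not part of the 6419A lab; it assumes it is run on the client you expect the filter to match and uses the Task 4 query with the class name and string quoting corrected. The version-based query is an alternative I am suggesting, not one the lab uses.

```powershell
# Added example (not from the 6419A lab): test a GPO WMI filter query locally.
# Run on the client that the filter is meant to match.

# The Task 4 query: Win32_OperatingSystem is the WMI class, and WQL string
# values must be quoted. Group Policy applies the GPO only if this returns
# at least one instance on the client.
$labQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ' +
            'Caption = "Microsoft Windows Vista Enterprise" OR ' +
            'Caption = "Microsoft Windows XP Professional"'

# Matching on the version prefix avoids edition, language and symbol
# differences in Caption. 6.0 = Vista (and Server 2008), 5.1 = XP;
# ProductType = 1 limits the match to workstations, so Server 2008 is excluded.
$versionQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ' +
                '(Version LIKE "6.0%" OR Version LIKE "5.1%") AND ProductType = 1'

function Test-WmiFilterQuery {
    param([Parameter(Mandatory = $true)][string]$Query)
    # $true when the query selects at least one instance, which is the same
    # condition Group Policy uses to decide that a WMI-filtered GPO applies.
    $instances = @(Get-WmiObject -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

# Show what the client really reports; the brackets expose trailing spaces,
# and a localised or differently worded Caption is the usual reason a
# caption-based filter never matches.
$os = Get-WmiObject -Class Win32_OperatingSystem
"Caption     : [$($os.Caption)]"
"Version     : $($os.Version)"
"ProductType : $($os.ProductType)"

$queries = @(
    @{ Label = 'Caption-based query (Task 4)'; Query = $labQuery },
    @{ Label = 'Version-based query';          Query = $versionQuery }
)
foreach ($q in $queries) {
    $hit = Test-WmiFilterQuery -Query $q.Query
    $verdict = if ($hit) { 'matches, GPO would apply' } else { 'no match, GPO would be skipped' }
    '{0,-30}: {1}' -f $q.Label, $verdict
}
```

Run it once on an XP client and once on a Vista client; if the caption-based query reports no match on a machine that should receive the Vista and XP Security GPO, compare the bracketed Caption line with the literal in the query and prefer the version-based form.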


Lab B: Creating and Configuring GPOs

Exercise 1: Creating and Configuring Group Policy Objects


Task 1: Start NYC-CL1
1. Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password Pa$$word.

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Click Start, and then verify that the Control Panel is not present on the Start menu.
2. Click Start, point to All Programs, point to Accessories, and then verify that Run is not present in the Start menu.
3. Log off.

Task 3: Verify that a Miami branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with the password Pa$$word.
2. Click Start, and then verify that the Control Panel is present on the Start menu.
3. Click Start, point to All Programs, point to Accessories, and then verify that Run is not present in the Start menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with the password Pa$$word.
2. Click Start, and then verify that the Control Panel is present on the Start menu.
3. Click Start, point to All Programs, point to Accessories, and then verify that Run is present.
4. Click Start, and then click Internet.
5. In the Internet Explorer window, click the Favorites Center button, and then verify that the link to Tech Support is present.
6. Log off.

Task 5: Verify that a user in the Executives OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Chase with the password Pa$$word.
2. Click Start, point to All Programs, point to Accessories, and then verify that Run is not present in the Start menu.
3. Click Start, and then verify that the Control Panel is present on the Start menu.
4. Click Start, and then click Control Panel.
5. In the Control Panel window, under Appearance and Personalization, click Change desktop background, and then verify that there is no access to the Desktop Display Settings.
6. Log off.
HINT: When you attempt to access display settings you will receive a message informing you that this has been disabled.

Task 6: Verify that the last logged on username does not appear
Verify that the last logged on username does not appear.
NOTE: To see this information, press CTRL + ALT + DEL to see the logon screen.

Task 7: Use Group Policy modeling to test kiosk computer settings


1. On NYC-DC1, in the Group Policy Management window, right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under Computer Information, click Computer.
5. In the Computer field, type WOODGROVEBANK\NYC-CL1, and then click Next.
6. On the Advanced Simulation Options page, click Loopback processing, and then click Next.
7. On the Alternate Active Directory Paths page, click Next.
8. On the User Security Groups page, click Next.
9. On the Computer Security Groups page, click Add.
10. In the Select Groups dialog box, type Kiosk Computers, click OK, and then click Next.
11. On the WMI Filters for Users page, click Next.
12. On the WMI Filters for Computers page, click Next.
13. On the Summary of Selections page, click Next.
14. On the Completing the Group Policy Modeling Wizard page, click Finish.
15. In the Group Policy Management window, view the report. This will take a few moments to process.

Result: At the end of this exercise you will have tested and verified a GPO application.

Exercise 2: Managing GPOs


Task 1: Back up an individual policy
1. On NYC-DC1, in the Group Policy Management window, under the Group Policy Objects folder, right-click the Restrict Control Panel policy, and then click Back Up.
2. In the Back Up Group Policy Object dialog box, click Browse.
3. Browse to C:\ and then click Make New Folder.
4. Type GPO Backup, and then press ENTER.
5. Click OK, and then click Back Up.
6. When the backup completes, click OK.

Task 2: Back up all GPOs


1. In the console pane, right-click the Group Policy Objects folder, and then click Back Up All.
2. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO Backup, and then click Back Up.
3. When the backup completes, click OK.

Task 3: Delete and restore an individual GPO


1. In the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Delete.
2. In the Group Policy Management dialog box, click Yes.
3. Right-click the Group Policy Objects folder, and then click Manage Backups.
4. In the Manage Backups dialog box, click the Admin Favorites GPO, and then click Restore.
5. In the Group Policy Management dialog box, click OK.
6. In the Restore dialog box, click OK, and then click Close.
7. Verify that the Admin Favorites GPO appears in the Group Policy Objects folder.

Task 4: Import a GPO


1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Import, and then click OK.
3. Right-click the Import GPO, and then click Import Settings.
4. In the Import Settings Wizard, click Next.
5. On the Backup GPO page, click Next.
6. On the Backup location page, verify the Backup folder is C:\GPO Backup, and then click Next.
7. On the Source GPO page, click Restrict Control Panel, and then click Next.
8. On the Scanning Backup page, click Next, and then click Finish.
9. When the import completes, click OK.
10. In the Group Policy Objects folder, click the Import GPO, and then in the details pane, click the Settings tab.
11. Click show all.
12. Verify that the Prohibit access to the Control Panel policy setting is enabled.
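The four tasks of this exercise (back up one GPO, back up all, restore a deleted GPO, import a backup into a new GPO) are exactly the operations you want scripted for regular, off-box backups rather than done by hand. The following PowerShell is an added example, not code from the lab; it assumes the GroupPolicy module (installed with GPMC on Windows Server 2008 R2 and later, not on the Server 2008 RTM used in this course), a domain-joined session with rights to the GPOs, and reuses the lab's GPO names and the C:\GPO Backup folder.

```powershell
# Added example (not from the 6419A lab): GPO backup, restore and import with the
# GroupPolicy module. Assumes GPMC's PowerShell module is present (Server 2008 R2+).
Import-Module GroupPolicy

$backupPath = 'C:\GPO Backup'
if (-not (Test-Path -Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath | Out-Null
}

# Task 1 and 2: back up a single GPO, then every GPO in the domain. The -Comment is
# stored in the backup manifest, which is what Manage Backups shows in GPMC.
$single = Backup-GPO -Name 'Restrict Control Panel' -Path $backupPath -Comment 'Before branch changes'
$all    = @(Backup-GPO -All -Path $backupPath -Comment 'Full backup')
"Backed up $($all.Count) GPOs; Restrict Control Panel backup id $($single.Id)"

# Task 3: restore a GPO that has been deleted. Restore-GPO recreates the object with
# its original GUID, settings and permissions from the most recent backup by that name.
Restore-GPO -Name 'Admin Favorites' -Path $backupPath | Out-Null
Get-GPO -Name 'Admin Favorites' | Select-Object DisplayName, Id, ModificationTime

# Task 4: copy the settings of one GPO's backup into a different (new) GPO. Unlike a
# restore, this does not carry over the source GPO's GUID, links or security filtering.
Import-GPO -BackupGpoName 'Restrict Control Panel' -TargetName 'Import' `
           -Path $backupPath -CreateIfNeeded | Out-Null

function Test-GpoSettingEnabled {
    param([string]$GpoName, [string]$SettingNamePattern)
    # Reads the XML settings report (the data behind the Settings tab, step 12)
    # and looks for an enabled Administrative Template policy whose name matches.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $policies = $report.SelectNodes("//*[local-name()='Policy']")
    foreach ($p in $policies) {
        $name  = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        $state = $p.SelectSingleNode("*[local-name()='State']").InnerText
        if ($name -like $SettingNamePattern -and $state -eq 'Enabled') { return $true }
    }
    return $false
}

if (Test-GpoSettingEnabled -GpoName 'Import' -SettingNamePattern 'Prohibit access to*Control Panel') {
    'Import GPO: Prohibit access to the Control Panel is Enabled'
} else {
    'Import GPO: setting not found or not Enabled; check the source backup'
}
```

The XML report, rather than the HTML one, is the form to keep under version control or diff after an import, because it records every policy by name and state; the same Get-GPOReport output is what you would compare before and after a change to confirm that an import did not bring in more than the intended setting.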

Exercise 3: Delegating Administrative Control of GPOs


Task 1: Grant Betsy the right to create GPOs in the domain
1. On NYC-DC1, in the Group Policy Management window, click the Group Policy Objects folder.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy


1. In the Group Policy Objects folder, click the Import GPO.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.
4. In the Add Group or User dialog box, in the Permission list, click Edit settings, and then click OK.

Task 3: Delegate the right to link GPOs to Executives OU to Betsy


1. In the WoodgroveBank.com domain, click the Executives OU.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.
4. In the Add Group or User dialog box, in the Permission list, click This container only, and then click OK.


Task 4: Enable Domain Users to log on to domain controllers


Note: This step is included in the lab to allow you to test the delegated permissions. As a best practice you should install the administrative tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.
1. In the Group Policy Management window, expand Domain Controllers.
2. Right-click Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click Allow log on locally.
5. In the Allow log on locally Properties dialog box, click Add User or Group.
6. In the Add User or Group dialog box, type Domain Users, and then click OK twice.
7. Close all open windows.
8. Click Start, and then click Command Prompt.
9. In the Command Prompt window, type GPUpdate /force and press ENTER.
10. Wait for the command to complete, type exit, and then press ENTER.
11. Log off.

Task 5: Test the delegation


1. Log on to NYC-DC1 as WOODGROVEBANK\Betsy.
2. Click Start, type MMC, and then press ENTER.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog, click Group Policy, click Add, and then click OK.
6. Expand Group Policy Management, expand Forest WoodgroveBank.com, expand Domains, and then expand WoodgroveBank.com.
7. Right-click the Group Policy Objects folder, and then click New.
8. In the New GPO dialog box, type Test, and then click OK. This operation will succeed.
9. Expand the Group Policy Objects folder, right-click the Import GPO, and then click Edit. This operation will succeed.
10. Close Group Policy Management Editor.
11. Right-click the Executives OU, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click Test, and then click OK. This operation will succeed.
13. Right-click the Admin Favorites GPO, and then click Edit. This operation is not possible because the Edit link is grayed out.
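Task 5 checks the delegation by hand; in practice you also want to grant the per-GPO edit right from a script and audit who holds edit rights across all GPOs, since anyone who can edit a linked GPO can change settings on every computer and user in its scope. The PowerShell below is an added example and not part of the lab; it assumes the GroupPolicy module (GPMC on Server 2008 R2 and later) and the lab's names (Betsy, the Import and Admin Favorites GPOs, the Restrict Control Panel GPO with its branch-manager Deny entries).

```powershell
# Added example (not from the 6419A lab): per-GPO delegation and an edit-rights audit.
# Assumes the GroupPolicy module (GPMC, Server 2008 R2+) and the lab's names.
Import-Module GroupPolicy

# Task 2 equivalent: GpoEdit lets Betsy read and change settings of the Import GPO
# but not delete it or alter its permissions (that would be GpoEditDeleteModifySecurity).
Set-GPPermission -Name 'Import' -TargetName 'Betsy' -TargetType User -PermissionLevel GpoEdit | Out-Null

function Get-GpoPermissionLevel {
    param([string]$GpoName, [string]$Trustee)
    # Get-GPPermission throws when the trustee has no entry on the GPO, so report 'None'.
    try {
        $entry = Get-GPPermission -Name $GpoName -TargetName $Trustee -TargetType User -ErrorAction Stop
        return [string]$entry.Permission
    } catch {
        return 'None'
    }
}

# Mirrors steps 9 and 13 of the test: edit on Import, nothing on Admin Favorites.
"Betsy on Import         : $(Get-GpoPermissionLevel -GpoName 'Import' -Trustee 'Betsy')"
"Betsy on Admin Favorites: $(Get-GpoPermissionLevel -GpoName 'Admin Favorites' -Trustee 'Betsy')"

# Audit: every trustee other than the expected administrative principals that can
# edit any GPO in the domain. Review this list after delegation changes.
$expected  = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
$editLevel = @('GpoEdit', 'GpoEditDeleteModifySecurity')
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Name $gpo.DisplayName -All |
        Where-Object { ($editLevel -contains [string]$_.Permission) -and ($expected -notcontains $_.Trustee.Name) } |
        ForEach-Object { "{0}: {1} has {2}" -f $gpo.DisplayName, $_.Trustee.Name, $_.Permission }
}

# Task 3 of Exercise 2 used Deny on Apply group policy for the branch manager groups.
# Set-GPPermission cannot create Deny entries, so those stay a GPMC (or ACL) task,
# but they can be listed here to confirm they are still in place.
Get-GPPermission -Name 'Restrict Control Panel' -All |
    Where-Object { $_.Denied } |
    ForEach-Object { "Restrict Control Panel: {0} is DENIED {1}" -f $_.Trustee.Name, $_.Permission }
```

Two of the rights delegated in this exercise have no GroupPolicy-module cmdlet: the right to create GPOs (Task 1, an ACE on the Group Policy Objects container or membership of Group Policy Creator Owners) and the right to link GPOs to an OU (Task 3, write access to the OU's gPLink and gPOptions attributes). Those remain GPMC Delegation-tab operations, which is why the test in Task 5 still has to be carried out interactively.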

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, click Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise you will have backed up, restored and imported GPOs.


Module 6: Configure User and Computer Environment by Using Group Policy

Lab A: Configuring Scripts and Folder Redirection with Group Policy


Exercise 1: Configure Logon Scripts and Folder Redirection
Task 1: Start the 6419A-NYC-DC1 virtual machine, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Review the logon script to map a network drive


1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\LabFiles\Scripts.
3. Right-click Map.bat, and then click Edit.
4. In the Notepad window, review the script, and then close Notepad.
5. Right-click Map.bat, and then click Copy.
6. Close Windows Explorer.

Task 3: Configure and link the Logon Script GPO


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, right-click Group Policy Objects, and then click New.
3. In the New GPO dialog box, in the Name field, type Logon Script, and then click OK.
4. Expand Group Policy Objects, right-click Logon Script, and then click Edit.
5. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
6. In the details pane, double-click Logon.
7. In the Logon Properties dialog box, click Show Files.
8. In the Logon window details pane, right-click, and then click Paste to copy the Map.bat script from the clipboard to the script folder.
9. Close the Logon window.
10. In the Logon Properties dialog box, click Add.
11. In the Add a Script dialog box, click Browse.
12. In the Browse dialog box, click Map.bat, and then click Open.
13. Click OK twice.
14. Close Group Policy Management Editor.

15. In the Group Policy Management window console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.

Task 4: Share and secure a folder for the Executives group


1. In Windows Explorer, browse to E:\Mod07\Labfiles.
2. Right-click ExecData, and then click Properties.
3. In the ExecData Properties dialog box, on the Sharing tab, click Advanced Sharing.
4. In the Advanced Sharing dialog box, select the Share this folder check box, and then click Permissions.
5. In the Permissions for ExecData dialog box, click Remove to remove the Everyone group.
6. Click Add.
7. In the Select Users, Computers, or Groups dialog box, type Executive_WoodgroveGG, and then click OK twice.
8. Under Permissions for WoodgroveGG, next to Full Control, select the Allow check box, and then click OK twice.
9. In the ExecData Properties dialog box, on the Security tab, click Advanced.
10. In the Advanced Security Settings for ExecData dialog box, click Edit.
11. In the Advanced Security Settings for ExecData dialog box, clear the Include inheritable permissions from this object's parent check box.
12. In the Windows Security dialog box, click Copy.
13. In the Advanced Security Settings for ExecData dialog box, click Remove.
14. Repeat the above step to remove all users and groups except CREATOR OWNER and SYSTEM.
15. Click Add.
16. In the Select User, Computer, or Group dialog box, type Executives_WoodgroveBankGG, and then click OK.
17. In the Permission Entry for ExecData dialog box, in the Apply to list, click This folder only.
18. Under Permissions, next to List folder / read data and Create folders / append data, select the Allow check boxes.
19. Click OK three times, and then click Close.
20. Close Windows Explorer.

Task 5: Redirect the Documents folder for the Executives group


1. In the Group Policy Management window console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Executive Redirection, and then click OK.
3. Right-click Executive Redirection, and then click Edit.
4. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, expand Folder Redirection, right-click Documents, and then click Properties.
5. In the Documents Properties dialog box, in the Setting list, click Basic - Redirect everyone's folder to the same location.
6. In the Root Path field, type \\NYC-DC1\ExecData.
7. On the Settings tab, review the current settings, and then click OK.
8. In the Warning dialog box, click Yes.
9. Close Group Policy Management Editor.
10. In the Group Policy Management console pane, right-click Executives, and then click Link an Existing GPO.
11. In the Select GPO dialog box, click Executive Redirection, and then click OK.

Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony
1. Turn on the 6419A-NYC-CL1 VM.
2. Log on to NYC-DC1 as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the Executives OU
1. Click Start, and then click Computer.
2. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1. NOTE: It may take 2 to 3 minutes before this drive appears.
3. Close Computer.
4. Click Start, right-click Documents, and then click Properties.
5. In the Documents Properties dialog box, verify that the location is \\NYC-DC1\ExecData\Tony, and then click Cancel.
6. Log off NYC-CL1.

Result: At the end of this exercise you will have configured logon scripts and folder redirection.

Lab B: Configuring Administrative Templates

Exercise 1: Configure Administrative Templates


Task 1: Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers
1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.
4. In the Windows Firewall: Allow inbound remote administration exception dialog box, click Enabled, and then click OK.
5. In the console pane, under Administrative Templates, expand System, and then click Group Policy.
6. In the details pane, double-click Group Policy slow link detection.
7. In the Group Policy slow link detection Properties dialog box, click Enabled.
8. In the Connection speed (Kbps) field, type 800, and then click OK.
9. Close Group Policy Management Editor.

Result: At the end of this task, you will have enabled remote administration through the firewall. This allows the Group Policy Results Wizard to query target computers.

Task 2: Create and assign a GPO to prevent the installation of removable devices
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Prevent Removable Devices, and then click OK.
3. Right-click Prevent Removable Devices, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, expand Device Installation, and then click Device Installation Restrictions.
5. In the details pane, double-click Prevent installation of removable devices.
6. In the Prevent installation of removable devices Properties dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click Prevent Removable Devices, and then click OK.
10. Repeat the previous two steps to link the Prevent Removable Devices GPO to the NYC and Toronto OUs.

Task 3: Create and assign a GPO to encrypt offline files for executive computers
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Encrypt Offline Files, and then click OK.
3. Right-click Encrypt Offline Files, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.
5. In the details pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Executives, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click Encrypt Offline Files, and then click OK.

Task 4: Create and assign a domain-level GPO for all domain users
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type All Users Policy, and then click OK.
3. Right-click All Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, and then click System.
5. In the details pane, double-click Prevent access to registry editing tools.
6. In the Prevent access to registry editing tools Properties dialog box, click Enabled, and then click OK.
7. In the console pane, click Start Menu and Taskbar.
8. In the details pane, double-click Remove Clock from the system notification area.
9. In the Remove Clock from the system notification area Properties dialog box, click Enabled, and then click OK.
10. Close Group Policy Management Editor.
11. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click All Users Policy, and then click OK.

Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Branch Users Policy, and then click OK.
3. Right-click Branch Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, expand System, and then click User Profiles.
5. In the details pane, double-click Limit profile size.
6. In the Limit profile size Properties dialog box, click Enabled.
7. In the Max Profile size (KB) field, type 1000000, and then click OK.
8. In the console pane, under Administrative Templates, expand Windows Components, and then click Windows Sidebar.
9. In the details pane, double-click Turn off Windows Sidebar.
10. In the Turn off Windows Sidebar Properties dialog box, click Enabled, and then click OK.
11. Close Group Policy Management Editor.
12. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
13. In the Select GPO dialog box, click Branch Users Policy, and then click OK.
14. Repeat the previous two steps to link the Branch Users Policy GPO to the NYC and Toronto OUs.

Exercise 2: Verify GPO Application


Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Note: Some user settings can only be applied during logon or may not apply due to cached credentials. These include roaming user profile path, Folder Redirection path, and Software Installation settings. If the user is already logged on when these settings are detected, they will not be applied until the next time the user logs on.

2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. Right-click the Taskbar, and then click Properties.
5. In the Taskbar and Start Menu Properties dialog box, on the Notification Area tab, verify that you do not have the option to display the clock, and then click Cancel.
6. Click Start, type regedit, and then press ENTER.
7. In the Registry Editor dialog box, review the error, and then click OK.
8. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied settings
1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the notification area, double-click the Available profile space icon.
5. In the Profile Storage Space dialog box, review the information, and then click OK.
6. Click Start, right-click Documents, and then click Properties.
7. In the Documents Properties dialog box, verify that the location is C:\Users\Roya, and then click Cancel.
8. Click Start, type regedit, and then press ENTER.
9. In the Registry Editor dialog box, review the error, and then click OK.
10. Click Start, and then click Computer.
11. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.
12. Log off NYC-CL1.

Task 3: Use the Group Policy Results Wizard to review Group Policy application for a target user and computer
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection page, click Another computer, type WOODGROVEBANK\NYC-CL1, and then click Next.
Note: If you receive an error after the step above, retry the step in 2 minutes.
4. On the User Selection page, click WOODGROVEBANK\Tony, and then click Next.
5. On the Summary of Selections page, click Next, and then click Finish.
6. In the details pane, click show all. Review the list of applied computer and user GPOs.
Question: Which GPOs were applied to the computer?
Answer: Only the Default Domain Policy.
Question: Which GPOs were applied to the user?
Answer: All Users Policy, Login Script, and Executive Redirection.
7. On the Settings tab, under Computer Configuration, click Administrative Templates, and then expand each of the settings.
Question: What settings were delivered to the computer?
Answer: Windows Firewall: Allow inbound remote administration exception.
8. Under User Configuration, expand each of the settings.
Question: What settings were delivered to the user?
Answer: The Executive Redirection policy delivers folder redirection settings. The All Users Policy delivers settings to remove the clock and disable registry editing.

Result: At the end of this exercise, you will have configured several Administrative Templates policy settings for various OUs in the organization and then verified successful GPO application.
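The Group Policy Results Wizard answers "which GPOs reached this user on this computer" interactively; the same logging-mode RSoP data can be collected remotely and parsed, which is how you would check a fleet or keep evidence after a change. The PowerShell below is an added example, not part of the lab. It assumes the GroupPolicy module (GPMC on Server 2008 R2 and later), that the target has the inbound remote administration firewall exception from Task 1 enabled, that the user has logged on to that computer at least once (logging mode reports only real logons), and that the XML report uses the GPMC schema with ComputerResults and UserResults elements each holding GPO entries; the Name, Enabled, FilterAllowed and AccessDenied elements are read on that assumption.

```powershell
# Added example (not from the 6419A lab): collect and parse logging-mode RSoP for a
# target user and computer. Assumes the GroupPolicy module and a reachable client
# with the remote administration firewall exception enabled.
Import-Module GroupPolicy

function Get-RsopGpoSummary {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,   # e.g. NYC-CL1
        [Parameter(Mandatory = $true)][string]$User,       # e.g. WOODGROVEBANK\Tony
        [string]$OutFile = (Join-Path $env:TEMP 'rsop.xml')
    )
    # Same data the Group Policy Results Wizard shows, saved as XML for parsing.
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $OutFile | Out-Null
    [xml]$rsop = Get-Content -Path $OutFile

    $summary = @{}
    foreach ($scope in 'ComputerResults', 'UserResults') {
        # Assumption: GPMC RSoP schema, GPO entries under ComputerResults / UserResults.
        $nodes = $rsop.SelectNodes("//*[local-name()='$scope']/*[local-name()='GPO']")
        $summary[$scope] = @(foreach ($gpo in $nodes) {
            $read = { param($n) $x = $gpo.SelectSingleNode("*[local-name()='$n']"); if ($x) { $x.InnerText } }
            New-Object PSObject -Property @{
                Name          = & $read 'Name'
                Enabled       = & $read 'Enabled'
                FilterAllowed = & $read 'FilterAllowed'   # false = WMI filter excluded it
                AccessDenied  = & $read 'AccessDenied'    # true = security filtering excluded it
            }
        })
    }
    return $summary
}

$result = Get-RsopGpoSummary -Computer 'NYC-CL1' -User 'WOODGROVEBANK\Tony'

foreach ($scope in 'ComputerResults', 'UserResults') {
    "== $scope =="
    $result[$scope] | Format-Table Name, Enabled, FilterAllowed, AccessDenied -AutoSize | Out-String
}

# Applied GPOs only: the ones a Results Wizard report lists under Applied GPOs.
$appliedToUser = $result['UserResults'] |
    Where-Object { $_.Enabled -ne 'false' -and $_.FilterAllowed -ne 'false' -and $_.AccessDenied -ne 'true' } |
    ForEach-Object { $_.Name }
"Applied to user: $($appliedToUser -join ', ')"
```

If the cmdlet cannot reach the client, `gpresult /S NYC-CL1 /USER WOODGROVEBANK\Tony /R` from the domain controller gives the same summary (with `/H report.html` for the full report) and is available on Windows Server 2008 without the PowerShell module; it needs the same firewall exception and a prior logon by the user.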


Lab C: Deploying Software with Group Policy

Exercise 1: Deploy a Software Package with Group Policy


Task 1: Copy a software package to the Data share
1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\LabFiles.
3. Right-click PPVIEWER.MSI, and then click Copy.
4. Double-click Data.
5. In the details pane, right-click, and then click Paste.
6. Close Windows Explorer.

Task 2: Configure and review the software deployment GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.
2. In the New GPO dialog box, in the Name field, type Software Deployment, and then click OK.
3. Right-click Software Deployment, and then click Edit.
4. In the Group Policy Management Editor, in the console pane, under Computer Configuration, expand Policies, expand Software Settings, and then click Software installation.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type \\NYC-DC1\Data\ppviewer.msi, and then click Open.
7. In the Deploy Software dialog box, review the configuration options. When you are done, verify that Assigned is selected, and then click OK.
8. Right-click Microsoft Office PowerPoint Viewer 2003, and then click Properties.
9. In the Microsoft Office PowerPoint Viewer 2003 Properties dialog box, review the options on the following tabs:
   General
   Deployment
   Upgrades
   Categories
   Modifications
   Security
10. When done, click Cancel, and then close Group Policy Management Editor.

Exercise 2: Verify Software Installation


Task 1: Verify that the software package has been installed
1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start | All Programs | Accessories, and then click Command Prompt.
3. In the Command Prompt window, type GPUpdate /force, and then press ENTER.
4. When the update completes, read the warning that appears. When you are done, press Y, and then press ENTER.
5. In the You are about to be logged off dialog box, click Close.
6. When the computer restarts, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
7. Click Start, and then click Control Panel.
8. In the Control Panel window, click Uninstall a program.
9. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been successfully installed.
10. Double-click Microsoft Office PowerPoint Viewer 2003.
11. In the Programs and Features dialog box, click Yes to uninstall the program.
12. When the process completes, press F5 and notice that even though you can uninstall the program, it comes back because the program is assigned through Group Policy.
13. Close Control Panel.

Result: At the end of this exercise, you will have successfully deployed an assigned software package using Group Policy.

Lab D: Configuring Group Policy Preferences

Exercise 1: Configure Group Policy Preferences


Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1
1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, in the Action list, click Create.
4. In the Name field, type Notepad.
5. In the Location list, click All Users Desktop.
6. In the Target path field, type C:\Windows\System32\Notepad.exe.
7. On the Common tab, select the Item-level targeting check box, and then click Targeting.
8. In the Targeting Editor dialog box, on the New Item menu, click Computer Name.
9. In the Computer name field, type NYC-DC1, and then click OK twice.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008
1. In the Group Policy Management Editor console pane, under Windows Settings, right-click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, in the Action list, click Create.
3. In the Path field, type C:\Reports.
4. On the Common tab, select the Item-level targeting check box, and then click Targeting.
5. In the Targeting Editor dialog box, on the New Item menu, click Operating System.
6. In the Product list, click Windows Server 2008, and then click OK twice.

Task 3: Configure drive mapping


1. In the Group Policy Management Editor console pane, under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps.
2. Right-click Drive Maps, point to New, and then click Mapped Drive.
3. In the New Drive Properties dialog box, in the Action list, click Create.
4. In the Location field, type \\NYC-DC1\Data.
5. Select the Reconnect check box.
6. In the Label as field, type Data.
7. In the Drive Letter list, click P.
8. Review the remaining configuration options, and then click OK.
9. Close Group Policy Management Editor.

Task 4: Remove old Logon Script GPO


1. In the Group Policy Management console pane, under WoodgroveBank.com, right-click Logon Script, and then click Delete.
2. In the Group Policy Management dialog box, review the message, and then click OK.
Note: You aren't actually deleting the GPO, just the link to it in the domain.
3. Close Group Policy Management.

Exercise 2: Verify Group Policy Preferences Application


Task 1: Verify that the preferences have been applied
1. On NYC-DC1, log off, and then log back on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
2. Click Start, and then click Computer.
3. In the Computer window, verify that the P: drive is mapped to the Data share on NYC-DC1.
4. Browse to C:, and then verify that the Reports folder exists.
Note: It may take a few moments for this folder to appear.
5. Close Windows Explorer.
Note: To apply Group Policy preferences to Windows Vista computers, you must download and install the Group Policy Preference Client Side Extensions for Windows Vista (KB943729).

Task 2: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
Result: At the end of this exercise, you will have configured and tested Group Policy Preferences and verified their application.


Lab E: Troubleshooting Group Policy Issues

Exercise 1: Troubleshoot Group Policy Scripts


Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

Task 2: Create and link a domain Desktop policy


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, and then expand Domains.
3. Right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name field, type Desktop, and then click OK.
5. Expand WoodgroveBank.com, expand Group Policy Objects, right-click Desktop, and then click Edit.
6. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon.
7. In the details pane, double-click Always wait for the network at computer startup and logon.
8. In the Always wait for the network at computer startup and logon Properties dialog box, click Enabled, and then click OK.
9. In the console pane, under Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
10. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.
11. In the Windows Firewall: Allow inbound remote administration exception Properties dialog box, click Enabled, and then click OK.
12. In the console pane, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs.
13. In the details pane, double-click Important URLs.
14. In the Important URLs dialog box, select the Customize Home page URL check box, type http://WoodgroveBank.com/, and then click OK.
15. In the console pane, expand Administrative Templates, and then click Start Menu and Taskbar.
16. In the details pane, double-click Force classic Start Menu.
17. In the Force classic Start Menu Properties dialog box, click Enabled, and then click OK.
18. Close Group Policy Management Editor.

Task 3: Restore the Lab7A GPO


1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, in the Backup location field, if not already present, type E:\Mod07\Labfiles\GPOBackup, and then press ENTER.
3. Click the Lab 7A GPO, and then click Restore.
4. Click OK twice, and then click Close.

Task 4: Link the Lab7A GPO to the domain


1. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7A, and then click OK.

Task 5: Start NYC-CL1 and log on as WOODGROVEBANK\Administrator


1. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
2. Log on to NYC-CL1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.
3. Click Start, and then click Control Panel. The Control Panel window opens.
4. Click Security.
5. Under Windows Firewall, click Turn Windows Firewall on or off. The Windows Firewall Settings dialog box appears.
6. Click Off (not recommended), and then click OK.
7. Close Control Panel.

Task 6: Test the GPO


Note: The changes you are looking for below may not appear until the second logon.
1. On NYC-CL1, click Start, and then verify that you see the classic Start menu.
2. On the desktop, double-click Internet Explorer.
3. In the Windows Internet Explorer window, click the Home button. After a moment, the WoodgroveBank.com IIS7 home page will load.
4. Close Internet Explorer.
5. On the desktop, double-click Computer.
6. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.
7. Log off, and then log back on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
8. Click Start, and then verify that you see the classic Start menu.
9. On the desktop, double-click Internet Explorer.
10. In the Windows Internet Explorer window, click the Home button. After a moment, the WoodgroveBank.com IIS7 home page will load.
11. Close Windows Internet Explorer.
12. On the desktop, double-click Computer.
13. In the Computer window, notice that the J: drive is not correctly mapped to the Data share on NYC-DC1.
14. Log off NYC-CL1.

Task 7: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection page, click Another computer, type NYC-CL1, and then click Next.
4. On the User Selection page, click WOODGROVEBANK\Roya, and then click Next.
5. On the Summary of Selections page, click Next, and then click Finish.
6. In the details pane, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the settings for both the Desktop GPO and the Lab 7A GPO were applied successfully.
7. Click the Settings tab.
8. Under User Configuration, under Windows Settings, click Scripts, and then expand Logon. Notice that the Lab 7A GPO was applied correctly.
9. On NYC-CL1, log on as WOODGROVEBANK\Roya with the password Pa$$w0rd.
10. To test Roya's permission to the scripts location, click Start, click Run, type \\NYC-DC1\Scripts, and then press ENTER.
11. In the Network Error dialog box, click Cancel.
12. Log off NYC-CL1.
Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show the events that Roya generates, you will see that the log records no errors or warnings for this user. This is because the GPO only sets a registry value that defines the location of the scripts folder; Group Policy does not know whether the user has access to that location. The write to the registry succeeded, so the Group Policy log sees no error. You would have to audit Object Access for the scripts folder to determine access issues.


Task 8: Resolve the issue and test the resolution


1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\Labfiles\Scripts.
3. Right-click Scripts, and then click Share.
4. In the File Sharing dialog box, click Change sharing permissions.
5. Type Authenticated Users, and then click Add.
6. Click Share, and then click Done.
7. Close Windows Explorer.
8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
9. On the desktop, double-click Computer.
10. In the Computer window, verify that the J: drive is mapped to the Data share on NYC-DC1.
11. Log off NYC-CL1.
Note: Another way to resolve the issue would be to move the script to the Netlogon share, or to eliminate the need for such a logon script altogether by configuring a Group Policy Preference.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.



Exercise 2: Troubleshoot GPO Lab-7B


Task 1: Restore the Lab7B GPO
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7B, and then click Restore.
3. Click OK twice, and then click Close.

Task 2: Link the Lab7B GPO to the Miami OU


1. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7B, and then click OK.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Rich using the password Pa$$w0rd.
Note: Rich is a member of the Miami OU.
2. Click Start, and then verify that you see the classic Start menu.
3. On the desktop, double-click Internet Explorer.
4. In the Internet Explorer window, click the Home button. After a moment, the WoodgroveBank.com IIS7 home page will load.
5. Close Internet Explorer.
6. On the desktop, double-click Computer.
7. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.
8. Notice that the Control Panel does not appear on the desktop or Start menu. This is a setting from the Lab 7B GPO that was applied to the Miami OU.
9. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
10. Notice that even though the GPO should prevent it, the Control Panel is still present on the desktop and Start menu.
11. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection screen, click Another computer, type NYC-CL1, and then click Next.
4. On the User Selection screen, click WOODGROVEBANK\Rich, and then click Next.
5. On the Summary of Selections screen, click Next, and then click Finish.
6. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7B GPO was applied.
7. On the Settings tab, under User Configuration, click Administrative Templates, and then click Control Panel. Notice that the policy setting to prohibit access to the Control Panel is enabled.
8. In the console pane, right-click Roya on NYC-CL1, and then click Rerun Query.
9. Click Roya on NYC-CL1.
10. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7B GPO has not been applied.
11. Click Denied GPOs. Notice that the Lab 7B GPO is listed among the denied GPOs.

Task 5: Resolve the issue and test the resolution


1. In the Group Policy Management console pane, under Group Policy Objects, click Lab 7B.
2. In the details pane, click the Delegation tab, and then click Advanced.
3. In the Lab 7B Security Settings dialog box, click MIA_BranchManagersGG.
4. Under Permissions for MIA_BranchManagersGG, notice that the Apply group policy permission is set to Deny.
5. Click Remove to remove MIA_BranchManagersGG from the permission list, and then click OK.
6. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
7. Notice that the Control Panel now correctly does not appear on the desktop or Start menu.
8. Log off NYC-CL1.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Exercise 3: Troubleshoot GPO Lab-7C


Task 1: Restore the Lab7C GPO
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7C, and then click Restore.
3. Click OK twice, and then click Close.

Task 2: Link the Lab7C GPO to the Miami OU


1. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7C, and then click OK.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
2. Click Start, and then notice the presence of the Run command. It is not supposed to be there.
3. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya on NYC-CL1, and then click Rerun Query.
2. Click Roya on NYC-CL1.
3. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7C GPO is being applied.
4. On the Settings tab, under User Configuration, click Administrative Templates, and then click Start Menu and Taskbar. Notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution


1. In the Group Policy Management console pane, under Group Policy Objects, right-click Lab 7C, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.
3. In the details pane, double-click Add the Run command to the Start Menu.
4. In the Add the Run command to the Start Menu Properties dialog box, click Not Configured, and then click OK.
5. Double-click Remove Run menu from Start Menu.
6. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
9. Click Start, and then notice that the Run command is no longer present.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D


Task 1: Create a new OU named Loopback
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console pane, right-click WoodgroveBank.com, point to New, and then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, type Loopback, and then click OK.

Task 2: Restore the Lab7D GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7D, and then click Restore.
3. Click OK twice, and then click Close.

Task 3: Link the Lab7D GPO to the Loopback OU


1. In the Group Policy Management console pane, right-click Group Policy Management, and then click Refresh.
2. Right-click Loopback, and then click Link an Existing GPO.
3. In the Select GPO dialog box, click Lab 7D, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU


1. In the Active Directory Users and Computers console pane, expand WoodgroveBank.com, and then click Computers.
2. In the details pane, right-click NYC-CL1, and then click Move.
3. In the Move dialog box, click Loopback, and then click OK.
4. Close Active Directory Users and Computers.


Task 5: Test the GPO


1. On NYC-CL1, restart the computer.
2. When the computer restarts, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
3. Click Start, and notice that the Run command is present once again.
4. Notice that Control Panel is present on the desktop and Start menu. These changes are not intentional.
5. On the desktop, double-click Internet Explorer. Notice that nothing happens, and Internet Explorer does not launch.

Task 6: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya on NYC-CL1, and then click Rerun Query.
2. In the details pane, on the Summary tab, under Computer Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7D GPO has been applied.
3. On the Settings tab, under Computer Configuration, click Administrative Templates, and then click System/Group Policy. Notice that loopback processing mode is enabled.
Note: Group Policy normally applies to a user or computer according to where both the user object and the computer object are located in Active Directory. In some cases, however, users need policy applied to them based on the location of the computer object alone. The Group Policy loopback feature applies Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution


1. In the Group Policy Management console pane, expand the Loopback OU, right-click Lab 7D, and then click Link Enabled to clear the check mark.
Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there were other settings in the GPO that you did wish to have applied.
2. Close Group Policy Management.
3. On NYC-CL1, restart the computer.
4. When the computer restarts, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
5. Click Start, and notice that the Run command is no longer present.
6. Notice that Control Panel is again absent from the desktop and Start menu.
7. On the desktop, double-click Internet Explorer. Notice that Internet Explorer again opens properly.
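The two faults diagnosed in Exercises 2 and 4 (a Deny "Apply group policy" ACE on a group, and a loopback-processing GPO linked to the computer's OU) come down to how Group Policy decides which GPOs a logon receives. The following Python model, added here as an example and not part of the 6419A lab, reproduces both decisions; GPO, OU and group names are constructed to mirror the lab, and enforcement, block inheritance and WMI filters are not modelled.

```python
"""Added example (not part of the 6419A lab): a small model of how Group Policy
selects the GPOs whose user settings apply at logon. It reproduces the Lab 7B
fault (Deny ACE on "Apply group policy") and the Lab 7D fault (loopback
processing from the computer's OU). Names are constructed to mirror the lab."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    # Security filtering: groups with Allow / Deny on "Apply group policy".
    apply_allow: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: Set[str] = field(default_factory=set)
    # Loopback is a Computer Configuration setting: None, "merge" or "replace".
    loopback: Optional[str] = None


@dataclass
class Link:
    gpo: GPO
    enabled: bool = True


def passes_filter(gpo: GPO, groups: Set[str]) -> bool:
    """A Deny ACE matching any group in the token wins over every Allow ACE."""
    if gpo.apply_deny & groups:
        return False
    return bool(gpo.apply_allow & groups)


def resolve_user_gpos(user_links: List[Link], computer_links: List[Link],
                      user_groups: Set[str], computer_groups: Set[str]
                      ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (applied, denied) for the user settings of one logon.

    Links are given in processing order (site, domain, then OUs from the
    top down) for the user's and the computer's OU paths respectively.
    """
    applied: List[str] = []
    denied: List[Tuple[str, str]] = []

    def consider(link: Link, groups: Set[str]) -> None:
        if not link.enabled:
            denied.append((link.gpo.name, "link disabled"))
        elif not passes_filter(link.gpo, groups):
            denied.append((link.gpo.name, "security filtering"))
        elif link.gpo.name not in applied:   # merge mode can visit a GPO twice
            applied.append(link.gpo.name)

    # Loopback mode is taken from the computer's own GPOs; the last one wins.
    mode = None
    for link in computer_links:
        if link.enabled and link.gpo.loopback and passes_filter(link.gpo, computer_groups):
            mode = link.gpo.loopback

    if mode != "replace":             # normal processing, or merge's first pass
        for link in user_links:
            consider(link, user_groups)
    if mode in ("merge", "replace"):  # user settings of the computer's GPOs
        # Simplification: the computer's filtering result is reused here.
        for link in computer_links:
            consider(link, computer_groups)
    return applied, denied


def lab_e_scenario(deny_branch_managers: bool, lab7d_link_enabled: bool,
                   loopback_mode: str = "replace"):
    """Roya (Miami OU, member of MIA_BranchManagersGG) logging on to NYC-CL1
    (Loopback OU); domain-linked GPOs come before the OU-linked ones."""
    ddp, desktop = GPO("Default Domain Policy"), GPO("Desktop")
    lab7b = GPO("Lab 7B",
                apply_deny={"MIA_BranchManagersGG"} if deny_branch_managers else set())
    lab7c = GPO("Lab 7C")
    lab7d = GPO("Lab 7D", loopback=loopback_mode)
    user_links = [Link(ddp), Link(desktop), Link(lab7b), Link(lab7c)]
    computer_links = [Link(ddp), Link(desktop), Link(lab7d, enabled=lab7d_link_enabled)]
    return resolve_user_gpos(user_links, computer_links,
                             {"Authenticated Users", "MIA_BranchManagersGG"},
                             {"Authenticated Users", "Domain Computers"})


if __name__ == "__main__":
    print("Lab 7B fault:", lab_e_scenario(True, False))
    print("Lab 7D fault:", lab_e_scenario(False, True))
    print("Both fixed  :", lab_e_scenario(False, False))
```

Running it shows Lab 7B landing in the denied list for Roya while the Deny ACE exists, and Lab 7B and Lab 7C dropping out entirely once Lab 7D's replace-mode loopback is linked, which is exactly what Group Policy Results reported in the tasks above.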


Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Module 7: Implementing Security Using Group Policy

Lab A: Implementing Security Using Group Policy


Exercise 1: Configuring Account and Security Policy Settings
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create an account policy for the domain


1. Launch the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects. In the details pane, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Account Policies.
4. Edit the Account Policy in the Default Domain Policy with the following values:
Password Policy:
   Domain passwords: 8 characters in length
   Strong passwords: enforced
   Minimum password age: 19 days
   Maximum password age: 20 days
Account Lockout Policy:
   Account lockout threshold: 5 invalid logon attempts
   Account lockout duration: 30 minutes
   Lockout counter: reset after 30 minutes

Task 3: Configure local policy settings for a Windows Vista client


1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
2. Create a new MMC, and then add the Group Policy Object Editor snap-in for the Local Computer.
3. Under Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, open Security Options, and then enable the Accounts: Administrator account status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again, and then click Browse.
5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.
6. Open User Configuration, open Administrative Templates, click the Start Menu and Taskbar folder, and then enable the Remove Run menu from Start Menu setting.
7. Close the MMC without saving the changes.

Task 4: Create a wireless network GPO for Windows Vista clients


1. On NYC-DC1, in the GPMC, create a new GPO named Vista Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies, and then clicking Create a New Windows Vista Policy.
3. In the New Vista Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named Corporate, and then in the Network Name (SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID) field, set the Permission to Deny, and then click OK twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 5: Configure a policy that prohibits a service on all domain controllers


1. Disable the Windows Installer service by editing the Default Domain Controllers Policy under Computer Configuration, Policies, Windows Settings, Security Settings, System Services.
2. Close the Group Policy Management Editor, and leave the GPMC open.
Result: At the end of this exercise, you will have configured account and security policy settings.

Exercise 2: Implementing Fine-Grained Password Policies


Task 1: Create a PSO using ADSI edit
1. On NYC-DC1, click Start, in the Start Search box, type adsiedit.msc, and then press ENTER.
2. In the ADSI Edit window, in the console pane, right-click ADSI Edit, and then click Connect to.
3. In the Connection Settings dialog box, click OK.
4. In the console pane, expand Default naming context [NYC-DC1.WoodgroveBank.com], expand DC=WoodgroveBank,DC=com, expand CN=System, right-click CN=Password Settings Container, point to New, and then click Object.
5. In the Create Object dialog box, ensure that msDS-PasswordSettings is selected, and then click Next.
6. On the Attribute: cn page, in the Value field, type ITAdmin, and then click Next.
7. On the Attribute: msDS-PasswordSettingsPrecedence page, in the Value field, type 10, and then click Next.
8. On the Attribute: msDS-PasswordReversibleEncryptionEnabled page, in the Value field, type false, and then click Next.
9. On the Attribute: msDS-PasswordHistoryLength page, in the Value field, type 30, and then click Next.
10. On the Attribute: msDS-PasswordComplexityEnabled page, in the Value field, type true, and then click Next.
11. On the Attribute: msDS-MinimumPasswordLength page, in the Value field, type 10, and then click Next.
12. On the Attribute: msDS-MinimumPasswordAge page, in the Value field, type -5184000000000, and then click Next.
NOTE: PSO time values are entered in the Integer8 format. Integer8 is a 64-bit number that represents an amount of time in 100-nanosecond intervals, the same unit Active Directory uses for timestamps counted from 12:00 AM, January 1, 1601.
13. On the Attribute: msDS-MaximumPasswordAge page, in the Value field, type -6040000000000, and then click Next.
14. On the Attribute: msDS-LockoutThreshold page, in the Value field, type 3, and then click Next.
15. On the Attribute: msDS-LockoutObservationWindow page, in the Value field, type -18000000000, and then click Next.
16. On the Attribute: msDS-LockoutDuration page, in the Value field, type 18000000000, click Next, and then click Finish.
17. Close ADSI Edit.
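The Integer8 values above are easy to mistype, and ADSI Edit gives little help checking them. The following Python script, added here as an example and not part of the 6419A lab, does the duration arithmetic in both directions and writes the same ITAdmin PSO as an LDIF record that ldifde can import; it encodes every duration as a negative count of 100-nanosecond ticks (the representation the PSO duration attributes store), includes msDS-PSOAppliesTo up front, and uses an assumed placeholder DN for the ITAdmins_WoodgroveGG group.

```python
"""Added example, not part of the 6419A lab: build the ITAdmin PSO as an LDIF
record for ldifde and show the Integer8 duration arithmetic behind the values
typed into ADSI Edit. The group DN below is an assumed placeholder."""
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000  # Integer8 counts 100-nanosecond intervals


def duration_to_integer8(delta: timedelta) -> int:
    """PSO duration attributes store a negative count of 100 ns ticks."""
    return -int(round(delta.total_seconds() * TICKS_PER_SECOND))


def integer8_to_duration(value: int) -> timedelta:
    """Decode an Integer8 duration (sign ignored) back into a timedelta."""
    return timedelta(seconds=abs(value) / TICKS_PER_SECOND)


def build_pso_ldif(name, domain_dn, applies_to, *, precedence, reversible,
                   history_length, complexity, min_length, min_age, max_age,
                   lockout_threshold, observation_window, lockout_duration):
    """Return an LDIF 'add' record for one msDS-PasswordSettings object.

    Durations are timedeltas. The two checks mirror constraints the directory
    enforces when the object is written: minimum age below maximum age, and a
    lockout duration at least as long as the observation window.
    """
    if min_age >= max_age:
        raise ValueError("minimum password age must be less than the maximum")
    if lockout_duration < observation_window:
        raise ValueError("lockout duration must be >= observation window")
    flag = lambda v: "TRUE" if v else "FALSE"   # LDIF Boolean syntax
    rows = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {flag(reversible)}",
        f"msDS-PasswordHistoryLength: {history_length}",
        f"msDS-PasswordComplexityEnabled: {flag(complexity)}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {duration_to_integer8(min_age)}",
        f"msDS-MaximumPasswordAge: {duration_to_integer8(max_age)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {duration_to_integer8(observation_window)}",
        f"msDS-LockoutDuration: {duration_to_integer8(lockout_duration)}",
        f"msDS-PSOAppliesTo: {applies_to}",
    ]
    return "\n".join(rows) + "\n"


# Constructed to match the lab's ITAdmin PSO; the group's DN is assumed.
ITADMIN_PSO = build_pso_ldif(
    "ITAdmin", "DC=WoodgroveBank,DC=com",
    "CN=ITAdmins_WoodgroveGG,OU=ITAdmins,DC=WoodgroveBank,DC=com",
    precedence=10, reversible=False, history_length=30, complexity=True,
    min_length=10,
    min_age=timedelta(days=6),                 # -5184000000000
    max_age=timedelta(seconds=604000),         # -6040000000000, just under 7 days
    lockout_threshold=3,
    observation_window=timedelta(minutes=30),  # -18000000000
    lockout_duration=timedelta(minutes=30),
)

if __name__ == "__main__":
    print(ITADMIN_PSO)
    for raw in (-5184000000000, -6040000000000, -18000000000):
        print(f"{raw:>16} = {integer8_to_duration(raw)}")
```

Save the output as a .ldf file and import it with ldifde -i -f on NYC-DC1; the decoding loop prints each of the lab's raw values as days, hours and minutes so the policy can be read back against the requirement.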

Task 2: Assign the ITAdmin password policy to the IT Admins global group
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3. In the console pane, expand WoodgroveBank.com, expand System, and then click Password Settings Container.
4. In the details pane, right-click ITAdmin, and then click Properties.
5. In the ITAdmin Properties dialog box, on the Attribute Editor tab, scroll down, click msDS-PSOAppliesTo, and then click Edit.
6. In the Multi-valued Distinguished Name With Security Principal Editor dialog box, click Add Windows Account.
7. In the Select Users, Computers, or Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK three times.
8. Close Active Directory Users and Computers.
Result: At the end of this exercise, you will have implemented fine-grained password policies.


Lab B: Configuring and Verifying Security Policies

Exercise 1: Configuring Restricted Groups and Software Restriction Policies


Task 1: Configure restricted groups for the local administrators group
1. If required, open the GPMC, open the Group Policy Objects folder, and then edit the Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Restricted Groups, and then click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
   Woodgrovebank\ITAdmins_WoodgroveGG
   Woodgrovebank\Domain Admins
5. Close the Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers
1. Edit the Default Domain Controllers Policy.
2. Navigate to Windows Settings, expand Security Settings, right-click Software Restriction Policies, and then click New Software Restriction Policy.
3. Right-click Additional Rules, and then click New Hash Rule.
4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open. Ensure that the Security level is Disallowed.
5. Right-click Additional Rules, and then click New Path Rule.
6. In the Path field, type *.vbs, and then click OK.
7. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have configured restricted groups and software restriction policies.

Exercise 2: Configuring Security Templates


Task 1: Create the FPSecurity security template
1. On NYC-DC1, create a new MMC, and then add the Security Templates snap-in.
2. Expand Security Templates, right-click C:\Users\Administrator\Documents\Security\Templates, and then click New Template.
3. Name the template FPSecurity.
4. Navigate to Local Policies, and then to Security Options. Define the Accounts: Rename administrator account setting with the value FPAdmin.
5. Set Interactive logon: Do not display last user name to Enabled.
6. In the folder pane, right-click FPSecurity, and then click Save.
7. Close the MMC without saving the changes.


Task 2: Start NYC-SVR1 and disable the Windows Firewall
1. Start NYC-SVR1 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Disable the Windows Firewall.
Note: This step is performed to simplify the lab and is not a recommended practice.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. On NYC-DC1, launch the Security Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Configuration Action screen, click Next.
4. On the Select Server screen, type NYC-SVR1.woodgrovebank.com, and then click Next.
5. After the configuration database processes, click Next.
6. On the Role-Based Service Configuration screen, click Next.
7. On the Select Server Roles screen, clear the check box beside DNS Server.
8. Select the check box beside File Server.
9. Select the check box beside Print Server, and then click Next.
10. On the Select Client Features screen, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, continue clicking Next until you reach the Security Policy File Name screen.
14. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates, and then click Add.
16. Add the Documents\Security\Templates\FPSecurity template.
17. On the Apply Security Policy screen, click Apply Now, and then click Next.
18. On the Applying Security Policy screen, click Next, and then click Finish.

Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, launch the Command Prompt, and then type scwcmd transform /p:C:\Windows\security\msscw\Policies\FPPolicy.xml /g:FileServerSecurity.
2. Open the GPMC if necessary, and then open the Group Policy Objects folder. Double-click the FileServerSecurity GPO, and then examine the settings.
3. Close the GPMC and log off NYC-DC1.
Result: At the end of this exercise, you will have configured security templates.


Exercise 3: Verifying the Security Configuration


Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group
1. Log on to NYC-CL1 as NYC-CL1\Administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and then run the gpupdate /force command.
3. Ensure that the Run menu appears in the Accessories folder on the Start menu.
4. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present.
5. Restart NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy
1. Log on to NYC-CL1 as Woodgrovebank\Roya with the password Pa$$w0rd.
2. Ensure that the Run menu does not appear in the Accessories folder on the Start menu.
3. Press Right-ALT + DELETE, and then click Change a password.
4. In the Old Password field, type Pa$$w0rd.
5. In the New Password and Confirm password fields, type w0rdPa$$. You will not be able to update the password because the minimum password age has not expired.
6. Press Right-ALT + DELETE, and then click Change a password.
7. In the New Password and Confirm password fields, type pa. You will not be able to update the password because the minimum password length has not been met.
8. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator, and test software restrictions and service
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and then run the gpupdate /force command.
3. Attempt to launch Internet Explorer, read the error message, and then click OK.
4. Navigate to E:\mod08\labfiles, double-click Hello.vbs, read the error message, and then click OK.
5. Open the Services MMC in Administrative Tools. Scroll down to the Windows Installer service, and ensure that it is set to Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window.
3. Click Computer, and then type Woodgrovebank\NYC-SVR1.
4. After completing the wizard, observe the policy settings.


Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise you will have verified the security configuration.
