Assignment 14 – Exercise 7 Group Policy 10/21/2014

Preliminary:
1. This exercise requires that all preliminary work and the work in the Week 8 Exercise run sheet be completed, including the 3 printers and shared folders from Week 8.
2. This exercise requires that a Windows 8.1 workstation has been added to the domain.
3. Remember that when you are working in the Console Window, Ctl & Alt & Insert replaces the usual Ctl & Alt & Delete key sequence.
4. Create a MS Word document named LastnameFirstname-ict364-09 (use your Lastname and Firstname).
5. When you see “SCREENSHOT” in the instructions, paste the required screenshots into the exercise document. When completed, you will submit this for your grade for this assignment.

Objective: This exercise involves applying Group Policy to domain objects. Rather than going to each computer to set up security, network access, firewall exceptions, and printer settings, all of these can be controlled centrally through AD DS Group Policy.

Pre-lab maintenance:
1. Your server has multiple snapshots. It’s time to clean them up. Shut down the student-2012-01 server. Once it’s shut down, right-click on your student-2012r2-01 VM and select Snapshot Manager. One by one, click each snapshot prior to the “Pre-Groups” snapshot (except for the 1st original clean one) and click “Delete” at the bottom. This merges the different files into a single file, keeping the changes made. It may take up to 5 minutes for each snapshot delete to complete. When finished deleting the prior snapshots, take a new snapshot of the AD server before we make any changes (see the instructions from Assignment 5) and call this snapshot “Pre-Group Policy”. Do not snapshot the virtual machine’s memory. Once finished, you’ll have the original clean snapshot, the Pre-Groups snapshot and the Pre-Group Policy snapshot.

Exercise Run Sheet:

1. Before we start working with Group Policy, we need to make sure the time on our server and workstation is correct.
1.1. Check the time settings on the AD DS server
1.1.1. Log in to Student-2012-01 as corpcom\domainAdmin and open a command prompt (Windows key & R – cmd and hit enter).
1.1.2. Type w32tm /tz
1.1.3. Is the computer’s time zone set to “Mountain”?
1.1.4. Type “time” into the command window.
1.1.5. Is the time correct according to your local computer or phone?

1.1.6. If either of these is wrong on your AD DS server, correct it by double-clicking on the time in the lower right corner or by going into the Control Panel and choosing “Date and Time”.
1.2. Check the time settings on the Workstation
1.2.1. Log in to Student-W8.1-01 as cgarcia and open a command prompt (Windows key & R – type cmd and hit enter).
1.2.2. Type w32tm /tz
1.2.3. Is the computer’s time zone set to “Mountain”?
1.2.4. If not, change it per the instructions in 1.1.6 above.
1.2.5. At the command prompt, type “w32tm /monitor”
1.2.6. Is the workstation synchronizing with the domain controller for its local time?
1.2.7. Look at the NTP offset. It MUST be less than 5 minutes.

1.2.8. Look at the available w32tm commands by typing “w32tm /?”
1.2.9. What message do you get when you run “w32tm /resync”?
1.2.10. Open a command prompt as an administrator.
1.2.11. Type the command “set computer”, then retry “w32tm /resync” followed by “w32tm /monitor”.

1.2.12. SCREENSHOT the command prompt after running these two commands and paste it into your worksheet.

NOTE: When a workstation is added to a domain, the “syncfromflags” are set to the domain’s AD DS server and the workstation will attempt to synchronize with the domain controller using NTP (Network Time Protocol). Time is synchronized as UTC, so a workstation in a different time zone from the server will reflect the correct time for that time zone even though it may be an hour (or multiple hours) different from the time server.

2. Open the Group Policy Management Console (GPMC)

2.1. Open Server Manager > Tools > Group Policy Management > Forest: corp.com > Domains > corp.com

3. Review the current “Default Domain Policy”
3.1. Under “corp.com” select the “Default Domain Policy”.
3.2. On the main panel, click the “Settings” tab at the top.
3.3. At the top far right, click the “show all” link.
3.4. What is the “Path” to the “Account Policies/Password policy”?
3.4.1. The answer is: “Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies/Password Policy”. Do you see how the path is derived?
3.4.2. Copy the following table and paste it into your Worksheet. In the right column, enter the current values from the “Default Domain Policy”.

Setting                                               | Current value in “Default Domain Policy”
------------------------------------------------------|-----------------------------------------
Max Password Age                                      |
Minimum Password Length                               |
Maximum Tolerance for Computer Clock Synchronization  |

NOTE: When a computer’s clock gets more than 5 minutes out of sync with its domain AD DS server, network errors start to occur, user authentication stops working, and in general “BAD THINGS HAPPEN”. If users are not able to connect to file shares and authentication gets flaky, check the time on the computers!!!
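The clock checks from steps 1.1 and 1.2 and the 5-minute rule in the NOTE above can be scripted. The script below is an added example, not part of the original run sheet: it reports the time zone, the configured time source, and the measured offset against the DC, and flags anything beyond the Kerberos tolerance. It assumes the server name student-2012-01 from this lab and an elevated PowerShell prompt on the workstation.

```powershell
# Added example: script the clock checks from steps 1.1/1.2 on the workstation.
# Assumes the AD DS server name used in this lab (student-2012-01) and an
# elevated prompt (w32tm /resync needs one, as step 1.2.10 shows).
$Dc             = 'student-2012-01'
$ExpectedTzId   = 'Mountain Standard Time'   # the "Mountain" zone asked for in 1.1.3
$MaxSkewMinutes = 5   # Kerberos "Maximum tolerance for computer clock synchronization"

# 1. Time zone (the same information "w32tm /tz" reports)
$tz = [System.TimeZoneInfo]::Local
"Time zone: $($tz.Id)"
if ($tz.Id -ne $ExpectedTzId) { Write-Warning "Expected $ExpectedTzId; fix it under Date and Time." }

# 2. Configured time source: after the domain join this should be the DC, not time.windows.com
$source = (w32tm /query /source) -join ' '
"Time source: $source"

# 3. Offset against the DC. /dataonly prints lines such as "10:31:05, +00.0123456s";
#    the signed seconds value at the end of each line is this machine's offset from the DC.
$samples = w32tm /stripchart /computer:$Dc /samples:3 /dataonly
$offsets = @(foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
})
if ($offsets.Count -eq 0) {
    Write-Warning "No samples from $Dc; check name resolution and that UDP 123 to the DC is open."
    return
}
$avg = ($offsets | Measure-Object -Average).Average
"Offset from {0}: {1:N3} s (average of {2} samples)" -f $Dc, $avg, $offsets.Count

# 4. Compare with the tolerance recorded from the Default Domain Policy in step 3.4.2
if ([math]::Abs($avg) -gt ($MaxSkewMinutes * 60)) {
    $msg = "Clock is {0:N0} s off the DC; Kerberos logons fail beyond {1} minutes. Run 'w32tm /resync' and re-check." -f [math]::Abs($avg), $MaxSkewMinutes
    Write-Warning $msg
} else {
    "Clock skew is within the $MaxSkewMinutes minute tolerance."
}
```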

4. Modify the Default Domain Policy (right-click the Default Domain Policy in the left column and select Edit)
4.1. Modify the default password policies for your domain
4.1.1. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
4.1.2. Change the Maximum password age to 180 days
4.1.3. Change the Minimum password age to 0 days
4.2. Modify the Interactive logon: Do not display last user name = Enabled
4.2.1. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
4.3. Modify the Interactive logon: message title and message text for users attempting to log on
4.3.1. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
4.3.2. Interactive logon: Message title… = corp.com -

4.3.3. Interactive logon: Message text… = By logging into this machine you agree to abide by the policies set forth in Section 2.35 of the NMSU Policy Manual. Failure to abide by these policies will result in the immediate termination of your account and all associated access to NMSU resources.

4.4. Close the policy editor and log into the Win8.1 computer as cgarcia; you should not see any change in the logon message yet. Your changes aren’t visible yet because a computer refreshes its group policies every 90 minutes with a random offset of 0 to 30 minutes. The random offset prevents all computers from contacting the DC at once.
4.5. Open a command prompt on the Win8.1 computer and run the “gpupdate /force” command. This forces the machine to refresh its group policies immediately.
4.6. Restart the Win8.1 computer. Instead of the Ctl-Alt-Delete prompt page, you should now see your new logon banner. SCREENSHOT it and paste it into your exercise sheet.
4.7. Click OK on the logon banner, then press the space bar to get to the Logon page.
4.7.1. You should now see a text box for Username and Password under “Other user”.
4.7.2. SCREENSHOT this screen and paste it into your exercise sheet. NOTE: the last logged-in user is not displayed. This is a security setting that is especially useful in a public user environment.

5. Create a new group policy object called “The Basics” and link it to the corp.com domain
5.1. From the GPMC, right-click corp.com and select “Create a GPO in this domain, and link it here…”
5.2. Enter “The Basics” as the name and click OK.
5.3. Select the group policy under corp.com and click the “Settings” tab in the main window.
5.3.1. Click “Show all” and observe that both the Computer and User settings are enabled.
5.3.2. Notice that in each of them there are “No settings defined”.

5.4. Right-click your newly created GPO “The Basics” in the left column and select Edit
5.5. Enable some basic firewall rules
5.5.1. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced…\Inbound Rules
5.5.2. Right-click Inbound Rules\New Rule\Predefined\File and Printer Sharing > Next x2 > Finish
5.5.3. Right-click Inbound Rules\New Rule\Predefined\Windows Remote Management > Next x2 > Finish
5.5.4. Right-click Inbound Rules\New Rule\Predefined\Remote Desktop > Next x2 > Finish

5.5.5. Right-click Inbound Rules\New Rule\Port > Next > TCP > Specific local ports: 135 > Next x3 > Name: “ORA 1 of 3” > Finish
5.5.6. Right-click Inbound Rules\New Rule\Program > Next > This program path: %SystemRoot%\System32\msra.exe > Next x3 > Name: “ORA 2 of 3” > Finish
5.5.7. Right-click Inbound Rules\New Rule\Program > Next > This program path: %WINDIR%\System32\raserver.exe > Next x3 > Name: “ORA 3 of 3” > Finish
5.5.8. Expand the right pane to include the Local Port column, SCREENSHOT the firewall settings and paste it into your worksheet. It should look similar to this:

5.6. Enable Offer Remote Assistance (ORA)
5.6.1. Computer Configuration\Policies\Administrative Templates\System\Remote Assistance
5.6.2. Configure Offer Remote Assistance = Enabled, Allow helpers to remotely control the computer
5.6.3. Click Show… (next to Helpers) and enter “corp.com\Domain Admins” (no quotes)

5.7. Force AutoPlay to be disabled
5.7.1. Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies
5.7.2. Turn off Autoplay = Enabled, All drives
5.7.3. Disallow Autoplay for non-volume devices = Enabled

5.8. Force Remote Desktop to be enabled
5.8.1. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
5.8.2. Allow users to connect remotely by using Remote Desktop Services = Enabled
5.8.3. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
5.8.4. Require user authentication for remote connections… = Enabled

5.9. Customize the User’s Start Menu
5.9.1. User Configuration\Policies\Administrative Templates\Start Menu and Taskbar
5.9.2. Remove and prevent access to the Shut Down, Restart, … = Enabled
5.9.3. Add Logoff to the Start Menu = Enabled (Note: explanation)
5.9.4. Add the Run command to the Start Menu = Enabled

5.9.5. Add a LogOff icon to the Desktop for the end users:
5.9.5.1. User Configuration\Preferences\Windows Settings\Shortcuts
5.9.5.1.1. Right-click in the open area and choose “New Shortcut”
5.9.5.1.2. Fill in the Shortcut properties:
5.9.5.1.3. Action: Update
5.9.5.1.4. Name: User Logoff
5.9.5.1.5. Target Type: File System Object
5.9.5.1.6. Location: Desktop
5.9.5.1.7. Target Path: %SystemRoot%\system32\logoff.exe
5.9.5.1.8. Icon File Path: click the three dots and choose the picture shown above. Click OK to save this.

5.10. Force extensions to always display
5.10.1. User Configuration\Preferences\Control Panel Settings\Folder Options
5.10.2. Right-click Folder Options\New\Folder Options (Windows Vista and later)
5.10.3. Uncheck “Hide extensions for known file types” and click OK
5.11. Close the Group Policy Management Editor

6. View the Group Policy Settings for the “The Basics” policy
6.1. Select “The Basics” in the left pane, choose “Settings” in the right pane
6.2. Click the refresh button in the menu bar.
6.3. Click “Show all” on the right-hand side and peruse the settings we have added to “The Basics”. When researching where a particular policy is applied in Group Policy, this is the best place to look. It can also be exported to an HTML file by right-clicking it and choosing “Save Report”.
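Steps 4 through 6 can also be driven from PowerShell on the AD DS server. The script below is an added example, not part of the run sheet: it uses the GroupPolicy module that installs with the GPMC to write the registry-backed settings to the same Policies keys the editor writes, link the new GPO at the domain, and save the HTML report from step 6.3. The password policy (4.1), the firewall rules (5.5), the shortcut (5.9.5) and the folder option (5.10) are not plain registry values and are left to the editor; the registry value names are the ones these Security Options and Administrative Template settings are documented to write.

```powershell
# Added example: steps 4-6 scripted with the GroupPolicy module on the AD DS server.
# Not covered (do these in the editor): password policy 4.1, firewall rules 5.5,
# the GPP shortcut 5.9.5 and the folder option 5.10.
Import-Module GroupPolicy

# --- Step 4: Default Domain Policy security options --------------------------------
$ddp = 'Default Domain Policy'
$sys = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# 4.2 Interactive logon: Do not display last user name = Enabled
Set-GPRegistryValue -Name $ddp -Key $sys -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null
# 4.3 Interactive logon: Message title / Message text (the logon banner)
Set-GPRegistryValue -Name $ddp -Key $sys -ValueName 'LegalNoticeCaption' -Type String -Value 'corp.com -' | Out-Null
Set-GPRegistryValue -Name $ddp -Key $sys -ValueName 'LegalNoticeText' -Type String -Value (
    'By logging into this machine you agree to abide by the policies set forth in Section 2.35 ' +
    'of the NMSU Policy Manual. Failure to abide by these policies will result in the immediate ' +
    'termination of your account and all associated access to NMSU resources.') | Out-Null
# Caveat: written this way the values show up in the Settings report under
# "Extra Registry Settings" rather than "Security Options"; the client applies them the same.

# --- Step 5: "The Basics", linked at the domain root ------------------------------
$gpo = New-GPO -Name 'The Basics' -Comment 'Lab baseline: AutoPlay, RDP, Remote Assistance, Start Menu'
New-GPLink -Name $gpo.DisplayName -Target 'DC=corp,DC=com' -LinkEnabled Yes | Out-Null

$explorer = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ts       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$userExp  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # User Configuration
$settings = @(
    # 5.7 Turn off AutoPlay on all drives (0xFF = every drive type); no AutoPlay for non-volume devices
    @{ Key = $explorer; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name = 'NoAutoplayfornonVolume'; Value = 1 },
    # 5.8 Allow Remote Desktop connections and require Network Level Authentication for them
    @{ Key = $ts; Name = 'fDenyTSConnections'; Value = 0 },
    @{ Key = $ts; Name = 'UserAuthentication';  Value = 1 },
    # 5.6 Offer Remote Assistance with full control for the helpers listed below
    @{ Key = $ts; Name = 'fAllowUnsolicited';            Value = 1 },
    @{ Key = $ts; Name = 'fAllowUnsolicitedFullControl'; Value = 1 },
    # 5.9 Start Menu: hide Shut Down/Restart, add Logoff, add Run
    @{ Key = $userExp; Name = 'NoClose';             Value = 1 },
    @{ Key = $userExp; Name = 'StartMenuLogOff';     Value = 1 },
    @{ Key = $userExp; Name = 'ForceRunOnStartMenu'; Value = 1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}
# 5.6.3 Helpers list: one string value per helper under RAUnsolicit, name and data both the account
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$ts\RAUnsolicit" -ValueName 'corp.com\Domain Admins' -Type String -Value 'corp.com\Domain Admins' | Out-Null

# --- Step 6: the same HTML report the "Save Report" menu item produces --------------
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:USERPROFILE\Desktop\TheBasics.html"
```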

7. Log in to the Win8.1 computer and refresh the group policies again with a gpupdate /force command and reboot.
7.1. If you completed step 5.9.2 successfully, you will not have the ability to shut down the computer the usual way from the right-side slider tab.
7.2. To reboot your computer, open a command prompt and type “ /?”
7.3. Notice that “shutdown /r” restarts the computer and “shutdown /p” shuts the computer down.

8. Apply Group policies to an individual Organizational Unit
8.1. Map a network shared folder for a department through Group Policy
8.1.1. Select the Accounting OU in the Group Policy Management window
8.1.2. Click “Create a GPO in this domain, and Link it here”
8.1.3. Name it “Map Q Drive” and click OK
8.1.4. A new Group Policy shows up under the “Accounting” folder.
8.1.5. Select it and click the Settings tab – Show all to see that no settings are defined in the policy yet.
8.1.6. Right-click the policy and choose “Edit”
8.1.7. Go to User Configuration\Preferences\Windows Settings\Drive Maps
8.1.8. Right-click in the “Drive Maps” pane and choose “New” – “Mapped Drive”
8.1.9. Leave the action as “Update”, set the location to \\student-2012-01\Accounting and the Drive letter to Q
8.1.10. Click OK to save.

This creates a mapped network drive for any user within the organizational unit “Accounting”. One thing to note: the User object has to be within the organizational unit. This will NOT be applied to all the members of Groups contained within the OU.
8.1.11. Close out of the Group Policy Editor and, with the “Map Q Drive” policy selected, choose the “Details” tab on the right.
8.1.12. Since this policy only contains “User” settings, in order to speed up the application of this policy, change the “GPO Status” to “Computer configuration settings disabled”.
8.1.13. Select the “Settings” tab for the “Map Q Drive” policy, click the refresh button and click “Show all” on the right.
8.1.14. SCREENSHOT everything in the “Map Q Drive” pane showing the Computer Configuration disabled and the Drive Map settings and paste it into your exercise sheet.

8.2. Use Group Policies to Assign Printers to
8.2.1. In the Group Policy Management panel, under “Domains” select corp.com, right-click and select “Create a GPO…Link it here…”
8.2.2. Give the new GPO the name “Assign Printers” and click OK.
8.2.3. Right-click the new “Assign Printers” policy and choose Edit
8.2.4. Select: User Configuration\Preferences\Control Panel Settings\Printers
8.2.5. Right-click in the right pane and select “New” – “Shared Printer”
8.2.6. On the “General” tab:
8.2.6.1. Leave the Action as Update and add the “Share Path” “\\student-2012-01\CanonIR5520”
8.2.6.2. Check “Set this printer as the default printer…”
8.2.6.3. Check “…only if a local printer is not present”
8.2.6.4. For legacy applications you can choose to map this to a local port. This would only be applicable to older applications that MUST print to an LPT port, usually DOS-based applications. This is becoming rarer but can still be found, especially when printing to dot matrix printers.
8.2.7. Select the “Common” tab
8.2.7.1. Select “Item-level targeting” and click the “Targeting…” button
8.2.7.2. Click “New Item” and review the various items that can be “Targeted” for assigning this printer.
8.2.7.3. Choose “Organizational Unit” from the list
8.2.7.4. Click the […] button next to the Organizational Unit text box and choose “Accounting” from the list. That should resolve to: “OU=Accounting,DC=corp,DC=com”
8.2.7.5. Leave “User in OU” selected and click OK to close the Targeting Editor

NOTE: Multiple targeting items can be combined using “AND” and “OR” values. In this case we are just applying it to the one Organizational Unit.

8.2.8. Click OK to close the “canonIR5520” properties sheet.
8.3. Right-click and add two more shared printers with:
8.3.1. The HP-LJ4050 targeted to the “Production” OU
8.3.2. The Sharpe-1100 targeted to the “Sales” OR “Marketing” OU
8.4. When finished, close the “Group Policy Management Editor” panel
8.5. With the “Assign Printers” GPO selected, click the “Details” tab
8.5.1. Change the “GPO Status” to “Computer configuration settings disabled”
8.6. Select the “Settings” tab and “Show all”
8.6.1. Scroll to the bottom and show the settings for the “Shared Printer (Name: …Sharpe-1100)”
8.6.2. SCREENSHOT the settings including the “OR” value and paste it into your exercise sheet.

Test the Group Policy settings on a workstation:

9. Log in to the Win8.1 computer as csong
9.1. Examine the Desktop: is there a “User Logoff” icon?
9.1.1. If not, open a command prompt and run the command “gpupdate /force”
9.2. Check to see if the correct printer was mapped for user csong (it should be the CanonIR5520)
9.2.1. On the Win8.1 desktop, click the “File Explorer” icon in the start tray
9.2.2. In the address bar type “Control Panel” and press “Enter”
9.2.3. Choose “Category” – “Small Icons” and double-click “Devices and Printers”
9.2.4. Verify that the CanonIR5520 printer is installed and set as the default printer:
9.2.5. SCREENSHOT this and paste it into your worksheet.
9.3. Was the Q: drive mapped for user csong?
9.3.1. Click the “File Explorer” icon
9.3.2. Select “This PC” to expand it.
9.3.3. Does it show “Accounting (Q:)” in the Network Locations?
9.3.4. SCREENSHOT this and paste it into the worksheet.
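The manual checks in step 9 can be repeated from a PowerShell prompt opened as csong on the Win8.1 workstation. The script below is an added example, not part of the run sheet: it tests for the logoff shortcut, the default printer, the Q: mapping, and which user GPOs gpresult reports as applied. It assumes the GPP shortcut from step 5.9.5 appears on the desktop as “User Logoff.lnk” (its Name field plus .lnk); the other values come from the run sheet.

```powershell
# Added example: automated version of the step 9 checks, run as the test user (csong)
# on the Win8.1 workstation. Assumption: the GPP shortcut from step 5.9.5 lands on the
# desktop as "User Logoff.lnk"; every other value below comes from the run sheet.
$expected = @{
    Printer  = 'CanonIR5520'
    Drive    = 'Q:'
    Share    = '\\student-2012-01\Accounting'
    Shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'User Logoff.lnk'
    Gpos     = 'The Basics', 'Assign Printers', 'Map Q Drive'   # user-side GPOs csong should receive
}
$results = [ordered]@{}

# 9.1 Logoff shortcut delivered by the GPP Shortcuts item
$results['Logoff shortcut on desktop'] = Test-Path $expected.Shortcut

# 9.2 Default printer (Win32_Printer is available on Windows 8.1 without extra modules)
$default = Get-WmiObject Win32_Printer -Filter 'Default = TRUE'
$results["Default printer is $($expected.Printer)"] = ($default -ne $null) -and ($default.Name -like "*$($expected.Printer)*")

# 9.3 Q: mapped to the Accounting share (ProviderName holds the UNC path of the mapping)
$q = Get-WmiObject Win32_MappedLogicalDisk -Filter "DeviceID = '$($expected.Drive)'"
$results["$($expected.Drive) maps to $($expected.Share)"] = ($q -ne $null) -and ($q.ProviderName -ieq $expected.Share)

# Which user GPOs actually applied: parse the "Applied Group Policy Objects" list from gpresult
$applied = @(); $inList = $false
foreach ($line in (gpresult /r /scope:user)) {
    if ($line -match 'Applied Group Policy Objects') { $inList = $true; continue }
    if (-not $inList) { continue }
    if ($line -match '^\s*-+\s*$') { continue }   # dashed underline below the heading
    if ($line.Trim() -eq '') { break }             # first blank line ends the list
    $applied += $line.Trim()
}
foreach ($g in $expected.Gpos) { $results["GPO applied: $g"] = $applied -contains $g }

# PASS/FAIL summary. A FAIL usually means the policy has not refreshed yet:
# run "gpupdate /force", log off and back on, then re-run this script.
$results.GetEnumerator() | ForEach-Object {
    "{0} {1}" -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```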

10. Upload your worksheet to Canvas to complete your assignment

11. Go back to the AD DS server (student-2012-01)
11.1.1. Set up a group policy on the Technicians OU that maps the Q: drive to the “InfoTech” shared folder,