Module 5: Implementing Group Policy

Lab A: Implementing a Group Policy infrastructure (VMs: 20742B-LON-DC1, 20742B-LON-CL1)

Exercise 1: Creating and configuring GPOs

Task 1: Create and edit a GPO

1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. If necessary, switch to the Group Policy Management window.
3. In Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the Group Policy Objects container.
4. In the navigation pane, right-click the Group Policy Objects container, and then click New.
5. In the Name text box, type ADATUM Standards and then click OK.
6. In the details pane, right-click the ADATUM Standards Group Policy Object (GPO), and then click Edit.
7. In the Group Policy Management Editor window, in the navigation pane, expand User Configuration, expand Policies, expand Administrative Templates, and then click System.
8. Double-click the Prevent access to registry editing tools policy setting.
9. In the Prevent access to registry editing tools dialog box, click Enabled, and then click OK.
10. In the navigation pane, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Personalization.
11. In the details pane, double-click the Screen saver timeout policy setting.
12. In the Screen saver timeout dialog box, click Enabled, in the Seconds text box, type 600 and then click OK.
13. Double-click the Password protect the screen saver policy setting.
14. In the Password protect the screen saver dialog box, click Enabled, and then click OK.
15. Close the Group Policy Management Editor window.

Task 2: Link the GPO

1. In the Group Policy Management window, in the navigation pane, right-click the Adatum.com domain, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click ADATUM Standards, and then click OK.

Task 3: View the effects of the GPO’s settings

1. Switch to LON-CL1, and then sign in as Adatum\Administrator with the password Pa55w.rd.
2. Right-click Start, and then click Control Panel.
3. Click System and Security, and then click Allow an app through Windows Firewall.
4. In the Allowed apps and features list, select the following check boxes, and then click OK:
   • Remote Event Log Management
   • Windows Management Instrumentation (WMI)
5. Sign out, and then sign in as Adatum\Connie with the password Pa55w.rd.
6. Click Start, type screen saver and then click Change screen saver. (It may take a few minutes for the option to appear.)
7. In the Screen Saver Settings dialog box, notice that the Wait option is dimmed—you cannot change the time-out. Notice that the On resume, display logon screen option is selected and dimmed and that you cannot change the settings. If the On resume, display logon screen option is not selected and dimmed, then perform the following steps:
   a. Right-click Start and then click Run.
   b. In the Run dialog box, in the Open text box, type gpupdate /force and then click OK.
   c. Click Start, type screen saver and then click Change screen saver.
   d. Click OK.
   e. Right-click Start, and then click Run.
   f. In the Run dialog box, in the Open text box, type regedit and then click OK.
   g. In the Registry Editor dialog box, click OK.

Results: After completing this exercise, you should have created, edited, and linked the required GPO successfully.

Exercise 2: Managing GPO scope

Task 1: Create and link the required GPOs

1. On LON-DC1, in Group Policy Management Console, in the navigation pane, if necessary, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Research.
2. Right-click the Research organizational unit (OU), and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name text box, type Research Application Override and then click OK.
4. In the details pane, right-click the Research Application Override GPO, and then click Edit.
5. In the console tree, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Personalization.
6. Double-click the Screen saver timeout policy setting.
7. Click Disabled, and then click OK.
8. Close the Group Policy Management Editor window.

Task 2: Verify the order of precedence

• In the Group Policy Management Console tree, click the Research OU, and then click the Group Policy Inheritance tab. Notice that the Research Application Override GPO has higher precedence than the ADATUM Standards GPO. The screen saver time-out policy setting that you just configured in the Research Application Override GPO is applied after the setting in the ADATUM Standards GPO. Therefore, the new setting will overwrite the standards setting and will prevail. Screen saver time-out will be unavailable for users within the scope of the Research Application Override GPO.

Task 3: Configure the scope of a GPO with security filtering

1. On LON-DC1, in Group Policy Management Console, in the navigation pane, if necessary, expand the Research OU, and then click the Research Application Override GPO under the Research OU.
2. In the Group Policy Management Console dialog box, read the message, select the Do not show this message again check box, and then click OK.
3. In the Security Filtering section, you will see that the GPO applies by default to all authenticated users.
4. In the Security Filtering section, click Authenticated Users, and then click Remove.
5. In the Group Policy Management dialog box, click OK.
6. In the details pane, click Add.
7. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): text box, type Research and then click OK.
8. In the details pane, under Security Filtering, click Add.
9. In the Select User, Computer, or Group dialog box, click Object Types.
10. In the Object Types dialog box, select the Computers check box and then click OK.
11. In the Select User, Computer, or Group dialog box, in the Enter Object Names to select (Examples) text box, type LON-CL1 and then click OK.

Task 4: Configure loopback processing

1. On LON-DC1, in Group Policy Management Console, in the navigation pane, click Adatum.com, right-click Adatum.com, and then click New Organizational Unit.
2. In the New Organizational Unit dialog box, in the Name text box, type Kiosks and then click OK.
3. Right-click Kiosks, and then click New Organizational Unit.
4. In the New Organizational Unit dialog box, in the Name text box, type Conference Rooms and then click OK.
5. In the navigation pane, expand the Kiosks OU, and then click the Conference Rooms OU.
6. Right-click the Conference Rooms OU, and then click Create a GPO in this domain, and Link it here.
7. In the New GPO dialog box, in the Name text box, type Conference Room Settings and then click OK.
8. In the navigation pane, expand Conference Rooms, and then click the Conference Room Settings GPO.
9. In the navigation pane, right-click the Conference Room Settings GPO, and then click Edit.
10. In the Group Policy Management Editor window, in the navigation pane, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Personalization.
11. In the details pane, double-click the Screen saver timeout policy setting, and then click Enabled.
12. In the Seconds text box, type 7200 and then click OK.
13. In the navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Group Policy.
14. In the details pane, double-click the Configure user Group Policy loopback processing mode policy setting, and then click Enabled.
15. In the Mode drop-down list, select Merge, and then click OK.
16. Close the Group Policy Management Editor window.

Results: After completing this exercise, you should have configured the required scope of the GPOs successfully.
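
The screen saver, scope and loopback steps of Exercises 1 and 2, scripted with the GroupPolicy and ActiveDirectory modules so the result can be reviewed and repeated; this is an added example, not part of the original lab. The distinguished names and the registry locations behind the policy settings are assumptions, and the Prevent access to registry editing tools setting is left to the editor steps above.

```powershell
# Added example: Lab A (Exercises 1 and 2) scripted. Run elevated on LON-DC1.
Import-Module GroupPolicy, ActiveDirectory

$dn = 'DC=Adatum,DC=com'   # assumption: DN of the Adatum.com domain
# Assumption: registry locations written by the settings the lab edits.
$desktop  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$loopback = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Exercise 1: ADATUM Standards, linked at the domain.
$std = 'ADATUM Standards'
New-GPO -Name $std | New-GPLink -Target $dn | Out-Null
Set-GPRegistryValue -Name $std -Key $desktop -ValueName ScreenSaveTimeOut -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $std -Key $desktop -ValueName ScreenSaverIsSecure -Type String -Value '1' | Out-Null

# Exercise 2, Task 1: override GPO on the Research OU, timeout set to Disabled.
$ovr = 'Research Application Override'
New-GPO -Name $ovr | New-GPLink -Target "OU=Research,$dn" | Out-Null
Set-GPRegistryValue -Name $ovr -Key $desktop -ValueName ScreenSaveTimeOut -Disable | Out-Null

# Task 3: security filtering. Remove Authenticated Users, then grant Apply to
# the Research group and to the LON-CL1 computer account. The computer account
# must keep read access to the GPO for the user settings to be retrieved.
Set-GPPermission -Name $ovr -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $ovr -TargetName 'Research' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $ovr -TargetName 'LON-CL1' -TargetType Computer -PermissionLevel GpoApply | Out-Null

# Task 4: Kiosks\Conference Rooms with loopback in Merge mode (UserPolicyMode = 1).
New-ADOrganizationalUnit -Name 'Kiosks' -Path $dn
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path "OU=Kiosks,$dn"
$conf = 'Conference Room Settings'
New-GPO -Name $conf | New-GPLink -Target "OU=Conference Rooms,OU=Kiosks,$dn" | Out-Null
Set-GPRegistryValue -Name $conf -Key $desktop -ValueName ScreenSaveTimeOut -Type String -Value '7200' | Out-Null
Set-GPRegistryValue -Name $conf -Key $loopback -ValueName UserPolicyMode -Type DWord -Value 1 | Out-Null

# Task 2: precedence at the Research OU (Order 1 wins on conflict).
(Get-GPInheritance -Target "OU=Research,$dn").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced

# Review who can read and apply the filtered GPO after Task 3.
Get-GPPermission -Name $ovr -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```
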
Task 5: Prepare for the next lab

• After you finish this lab, leave the virtual machines running for the next lab.

Lab B: Troubleshooting Group Policy infrastructure

Exercise 1: Verifying GPO application

Task 1: Perform RSoP analysis

1. Switch to LON-CL1, and then verify that you are signed in as Adatum\Connie. If necessary, use the password Pa55w.rd.
2. Click Start, type cmd and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
   gpupdate /force
4. Wait for the command to complete. Make a note of the current system time, which you will need to know for a task later in this lab. To record the system time, type the following command, and then press Enter twice:
   Time
5. Restart LON-CL1. Wait for LON-CL1 to restart before proceeding with the next task. Do not sign in to LON-CL1.
6. Switch to LON-DC1.
7. Switch to Group Policy Management Console.
8. In the navigation pane, if necessary, expand Forest: Adatum.com, and then click Group Policy Results.
9. Right-click Group Policy Results, and then click Group Policy Results Wizard.
10. On the Welcome to the Group Policy Results Wizard page, click Next.
11. On the Computer Selection page, select the Another computer option, type LON-CL1, and then click Next.
12. On the User Selection page, click ADATUM\Connie, and then click Next.
13. On the Summary of Selections page, review your settings, and then click Next.
14. Click Finish. The RSoP report appears in the details pane of Group Policy Management Console.
15. Review the summary results.
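
The same RSoP query can be run from PowerShell on LON-DC1 and reduced to a table of applied and filtered-out GPOs; this is an added example, not part of the original lab. The report path is hypothetical and the element names read from the XML report (GPO, Name, Link, SOMPath, AppliedOrder, FilterAllowed, AccessDenied) are assumptions about the report schema.

```powershell
# Added example: RSoP for ADATUM\Connie on LON-CL1, queried from LON-DC1.
# The query uses the WMI and Remote Event Log Management firewall rules
# enabled on LON-CL1 in Lab A, Exercise 1, Task 3.
Import-Module GroupPolicy

$report = Join-Path $env:TEMP 'LON-CL1-Connie-rsop.xml'   # hypothetical path
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'ADATUM\Connie' `
    -ReportType Xml -Path $report | Out-Null

[xml]$rsop = Get-Content -Path $report -Raw

# Read a child element by local name so the report's XML namespace is ignored.
function Get-ChildText {
    param([System.Xml.XmlNode]$Node, [string]$Path)
    $xpath = ($Path -split '/' | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $child = $Node.SelectSingleNode($xpath)
    if ($child) { $child.InnerText }
}

$rows = foreach ($scope in 'ComputerResults', 'UserResults') {
    $gpos = $rsop.SelectNodes("//*[local-name()='$scope']/*[local-name()='GPO']")
    foreach ($gpo in $gpos) {
        [pscustomobject]@{
            Scope         = $scope
            GPO           = Get-ChildText $gpo 'Name'
            LinkedAt      = Get-ChildText $gpo 'Link/SOMPath'
            AppliedOrder  = [int](Get-ChildText $gpo 'Link/AppliedOrder')
            FilterAllowed = Get-ChildText $gpo 'FilterAllowed'
            AccessDenied  = Get-ChildText $gpo 'AccessDenied'
        }
    }
}

# Applied GPOs in processing order; the last one written wins on conflict.
$rows | Where-Object AppliedOrder -gt 0 |
    Sort-Object Scope, AppliedOrder | Format-Table -AutoSize

# GPOs in scope but not applied (security filtering or denied access).
$rows | Where-Object AppliedOrder -eq 0 |
    Format-Table Scope, GPO, LinkedAt, FilterAllowed, AccessDenied -AutoSize
```
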
