Creating Group Policy Objects
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Creating Group Policy Objects as PDF for free.
More details
- Words: 4,694
- Pages: 18
2
Table of Contents
Table of Contents Creating Group Policy Objects.................................................................................................................. 3 Exercise 1 Showing the Default Group Policy Objects .......................................................................................4 Exercise 2 Resetting the Default Group Policy Objects ......................................................................................8 Exercise 3 Creating a Marketing Users GPO.....................................................................................................11 Exercise 4 Viewing the Results of the Marketing Desktop GPO.......................................................................13 Exercise 5 Blocking Inheritance of the Marketing Desktop GPO .....................................................................17
Creating Group Policy Objects
Creating Group Policy Objects Objectives
Scenario
After completing this lab, you will be able to:
Show the Default Group Policy Objects.
Set the Default Group Policy Objects.
Creating a Marketing Users GPO.
Viewing the Results of the Marketing Desktop GPO.
Blocking Inheritance of the Marketing Desktop GPO
In this lab, we will review the Group Policy Management Console and discuss many of its features. The Group Policy Management Console significantly improves the overall management of Group Policy by consolidating several features located in other MMCs, into one, easy and intuitive user interface. We will also compare the difference between the Group Policy Management Console and the Group Policy Object Editor. We will create new Group Policies and apply the settings to target users and computers. In previous sessions, we have seen the beginnings of Group Policy object creation. In this session expose the core aspects of Group Policy object creation. Finally, we will edit Group Policy objects and see how the edited settings overwrite previous settings.
Estimated time to complete this lab: 60 minutes
3
4
Creating Group Policy Objects
Computers used in this lab: SEA-DC-01
WRK-SEA-001 The password for both computers is: Passw0rd
Exercise 1 Showing the Default Group Policy Objects Scenario Windows Server 2003 domain controllers include two default polices: the Default Domain Policy and the Default Domain Controllers Policy. Both policies are linked to their respective Scopes of Management, or SOMs. Windows Server 2003 includes a more secure default install, derived from these default policy settings.
SEA-DC-01
Tasks 1.
Open the Group Policy Management Console.
Detailed steps a.
Click the SEA-DC-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
d. Logon as Administrator with a password of Passw0rd.
2.
3.
e.
Double-click the Group Policy Management icon on the desktop.
f.
The Group Policy Management window appears; maximize the window.
View at the Default Domain Policy. The link for this policy resides on the domain container, contoso.com.
a.
In the console-pane, expand Forest: contoso.com | Domains | contoso.com.
c.
Hover the mouse over contoso.com.
View the settings of the Default Domain Policy.
a.
In the console-pane, click Default Domain Policy.
b. Hover the mouse over Default Domain Policy.
b. Hover the mouse over the details-pane. c.
In the console-pane, expand Group Policy Objects and click Default Domain Policy.
d. Hover the mouse over the details-pane.
Creating Group Policy Objects
5
The properties shown on the link are the same properties shown if we access the group policy object directly by clicking on the object in the Group Policy Objects container. 4.
As we just saw, this policy is linked to the contoso.com container.
a.
In the details-pane, under Location, hover the mouse over contoso.com.
Note that this policy applies only to the Authenticated Users group, which is likely everyone who logs into the domain. b. Under Security Filtering, hover the mouse over Authenticated Users.
Note that this policy applies only to the Authenticated Users group, which is likely everyone who logs into the domain. c.
Under WMI Filtering, hover the mouse over <none>.
No WMI Filters have been applied to the Default Domain Policy. We will expand upon security settings and WMI Filters in a future lab. d. In the details-pane, click the Details tab.
Let’s quickly view the globally unique identifier, or GUID of this policy. As you may recall, this information is located on the Details pane. We will use this GUID in a later task. Note that this GUID begins with 31B2F340.
5.
View the settings configured on the Default Domain Policy. Since this policy is linked to the domain container, all users and computers that reside in contoso.com will receive these settings.
e.
Hover the mouse over Unique ID and 31B2F340.
a.
In the details-pane, click the Settings tab and click show all.
A good practice to employ is keeping the settings simple on policies designed to be applied to large groups, such as all domain users. Use policies linked to organizational units or child organizational units to configure more exact settings for your user community. b. In the details-pane, under Account Policies/Password Policy, hover
the mouse over Maximum Password Age. c.
Hover the mouse over Minimum Password length.
By default, Windows Server 2003 enforces a stringent password policy. Here, domain user account passwords must be changed every 42 days, must be at least 7 characters in length, and must meet complexity requirements. d. Hover the mouse over Password must meet complexity
requirements. Complex passwords must not contain part of the user’s account name, and must contain at least three of these types of characters: English upper case letters, English lower case letters, base digits, or 0-9, and non-alphabetic characters, such as & or !. These settings decrease the chances of a person or a program successfully guessing a user account password. e.
In the details-pane, scroll down to Account Policies/Account Lockout Policy.
f.
Hover the mouse over Account lockout threshold.
An additional security setting includes locking a user’s account after any invalid logon attempts. This setting prevents programs or users from continuously attempting to guess a user account password. It is important to note that an account lockout duration has not been defined.
6
Creating Group Policy Objects
6.
Add an account lockout policy threshold to the domain policy. Notice that when you edit a GPO, the Group Policy Editor, or GPOE is launched.
a.
In the console-pane, under Group Policy Objects, right-click Default Domain Policy and click Edit.
b. The Group Policy Object Editor window appears; maximize the
window. c.
In the console-pane, expand Computer Configuration | Windows Settings | Security Settings | Account Policies and click Account Lockout Policy.
d. In the details-pane, double-click Account lockout duration. e.
The Account lockout duration Properties window appears; check Define this policy setting.
f.
Hover the mouse over 30 and click OK.
30 minutes is a duration long enough to discourage a person from continually trying to guess a user account password, but short enough to allow a user unfortunate enough to mistype their password to continue working within a reasonable amount of time. g.
The Suggested Value Changes dialog box appears; hover the mouse over 5 invalid logon attempts and 30 minutes and click OK.
Since we have changed the default setting for the account lockout duration, Windows presents suggested values for the remaining account lockout related settings. We will accept the new setting of 5 invalid logon attempts and Reset account lockout counter after 30 minutes. This means users will have 5 attempts to logon on correctly before their account is locked out. The account lockout counter, if there are less than 5 invalid attempts, will reset after 30 minutes. h. Close the Group Policy Object Editor. 7.
View other settings.
a.
In the details-pane, scroll down to Account Policies/Kerberos Policy.
b. Hover the mouse over Maximum tolerance for computer clock
synchronization. Note the Maximum tolerance for computer clock synchronization. This setting states that all Windows 2000, XP, or Server 2003 machines that authenticate to contoso.com, must have their computer clock configured correctly. If a machine that has a time setting discrepancy greater than 5 minutes between it and the domain controller, the user won’t be able to logon onto the domain. This security setting helps prevent replay attacks on the network. This setting can be extended to a longer time threshold, or you can employ time synchronization tools such as the Windows Time Service to ensure users can authenticate to contoso.com. c.
In the details-pane, slowly scroll to the bottom of settings.
The remaining settings configured on the Default Domain Policy include Public Key Policies, which are closely related to Certificate services, and settings related to Remote Installation Services. These settings are beyond the scope of this WebCast session, but will be further discussed in a future WebCast. 8.
View the Default Domain Controllers policy.
a.
In the console-pane, expand Domain Controllers.
b. Hover the mouse over Default Domain Controllers Policy.
Creating Group Policy Objects
7
This policy is linked to the Domain Controllers OU that is created by default on Windows Server 2003 Active Directory domains. c.
In the console-pane, under Domain Controllers, click Default Domain Controllers Policy.
When we viewed the Default Domain Policy properties, we clicked on the policy object directly. This time, we will use the link to view the policy settings. d. Click the Scope tab and, in the details-pane, under Location, hover the
mouse over Domain Controllers. The Default Domain Controllers policy is linked to the Domain Controllers OU. e.
Under Security Filtering, hover the mouse over Authenticated Users.
f.
Under WMI Filtering, hover the mouse over <none>.
Again, only Authenticated Users are allowed to access this policy and there are no WMI Filters applied to the policy. g.
In the details-pane, click the Settings tab.
h. Click show all.
This policy contains only computers settings and not user settings. So, it will apply only to computers placed in the Domain Controllers OU. i.
In the details-pane, under Local Policies/Audit Policy, hover the mouse over all audit settings.
The Default Domain Controllers Policy contains an audit policy for the domain controllers. The audit results are written to the Security event log on the domain controller. The audit settings are defined to track things such as logon events and policy changes. This helps keep track if someone makes changes such as disabling audit policies, as well as system events such as a server reboot. j.
In the details-pane, scroll down to Local Policies/User Rights Assignment.
k. Slowly scroll down through the list of policies to Local
Policies/Security Options. The list of settings is too long to present in detail, but we can browse through the list. These settings include who can log on to a domain controller, either locally or remotely, who can back up files on the machine, change system time, add users, and other important functions. l.
In the details-pane, slowly scroll down to the bottom of the page.
The remaining settings configure how communication channels are configured between servers. Future Webcasts will delve into these settings as part of a server hardening demonstration. m. Close Group Policy Management.
8
Creating Group Policy Objects
Exercise 2 Resetting the Default Group Policy Objects Scenario In the first exercise, we edited the Default Domain policy and modified some account lockout settings. In doing so, we changed the number of invalid logon attempts before lockout from 0 to 5. Consider a scenario where other administrators have been making changes to the Default Domain policy and unexpected restrictions have been occurring. A change management process has not been followed, so we have no way of knowing the number or types of changes that have been made on the Default Domain policy. What we need to do is reset the Default Domain controller policy to the original settings to resolve a number of policy related issues. This exercise introduces us to some advanced topics regarding Group Policy and how it works. We will touch on these topics, but not go into them in great detail yet. Future WebCasts will further explain the backend mechanics of Group Policy in greater detail.
SEA-DC-01
Tasks 1.
View the GptTmpl.inf file.
Detailed steps a.
On the desktop, double-click My Computer.
b. The My Computer window appears; maximize the window. c.
Navigate to C:\WINDOWS\SYSVOL\sysvol\contoso.com\Policies\{31B2F340016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit.
d. Hover the mouse over GptTmpl.inf.
The Default Domain Policy settings are stored in a template file called the Gpttmpl.inf. This file contains plain text information that configures the registry. Notice that the file resides in the SYSVOL directory, in the GUID directory that corresponds to our Default Domain policy. This is the same GUID we saw earlier. Remember, we edited the account lockout setting in the Computer Configuration container. This setting is a machine based setting. e.
Right-click Gpttmpl.inf and click Open.
f.
The Notepad window appears; maximize the window.
g.
In the Gpttmpl.inf window, highlight text beginning with LockoutBadCount and ending with LockoutDuration = 30.
Note this file is plain text. Here are the three settings we changed in the first task. h. Minimize Gpttmpl.inf. 2.
Use a default copy of the Gpttmpl.inf file to reset the
a.
In Windows Explorer, navigate to C:\Technet Content\TNT403\Demos\Demo Files.
Creating Group Policy Objects policy settings.
9
A default copy of the Gpttmpl.inf file has been saved as a text file to a Technet Content folder for this demonstration. The default copy of the Gpttmpl.inf file was obtained through a restored copy of the orginal file. b. Double-click GPTTMLE.txt. c.
The Gpttmpl.txt window appears; maximize the window.
One way to reset all settings in the Default Domain Policy, is to simply copy the settings from the backup file and paste them into the existing GptTmpl.inf file. d. Click the Edit | Select All menu command. e.
Click the Edit | Copy menu command.
f.
Close Gpttmpl.txt.
g.
Restore Gpttmpl.inf.
h. Click the Edit | Select All menu command. i.
Click the Edit | Paste menu command.
j.
In Gpttmpl.inf, highlight LockoutBadCount = 0.
The account lockout settings we changed in the first task have now been reset. k. Close Gpttmpl.inf. l.
The Notepad dialog box appears; click Yes.
We will save the edited Gpttmpl.inf file. m. Close the Explorer window. 3.
Ensure the Gpttmpl.inf file we just updated is replicated to all domain controllers in contoso.com.
a.
In Windows Explorer, navigate to C:\WINDOWS\SYSVOL\sysvol\contoso.com\Policies\{31B2F340016D-11D2-945F-00C04FB984F9}.
b. Right-click GTP.ini and click Open. c.
The GPT.ini window appears; maximize the window.
The Gpt.ini file controls the GPO template version numbers. We will edit the Gpt.ini file to increase the GPO template version number so the Gpttmpl.inf file is properly replicated. d. Increase the Version number by an increment of one. For instance, if
the Version number is 65549, edit it to state 65550. This will force the domain controllers to pull down the latest version of the Default Domain policy.
4.
5.
Refresh Group Policy on this computer by running GPUpdate.
Look at the Default Domain Policy settings to view our changes.
e.
Close GPT.ini.
f.
The Notepad dialog box appears; click Yes.
g.
Close Windows Explorer.
a.
On the desktop, double-click Command Prompt.
b. The Command Prompt window appears; type GPUpdate /force and
press Enter. c.
When the refresh has completed, close Command Prompt.
a.
On the desktop, double-click Group Policy Management.
b. In the console-pane, under contoso.com, click Default Domain Policy. c.
In the details-pane, click Settings and click show all.
d. Under Account Policies\Account Lockout Policy, hover the mouse
10
Creating Group Policy Objects over 0 invalid logon attempts. Notice that the Account Lockout settings have reverted back to the settings we saw earlier. Resetting the Default Domain Controller policy is the same process performed just now, but we would edit a different file located in a different GUID based directory.
Creating Group Policy Objects
11
Exercise 3 Creating a Marketing Users GPO Scenario We have created some GPOs in prior labs to show features of Group Policy, the GPMC, and Group Policy settings. In this exercise, we will create a new GPO and follow the process from its initial creation to the application of the GPO. We will create a fairly simple GPO with just a few settings. This Group Policy will configure users’ desktop environment to fit Contoso’s company standards. This GPO will be linked to the Sales and Marketing OU.
SEA-DC-01
Tasks 1.
Create and Link a new GPO.
Detailed steps a.
In the console-pane, expand Sales and Marketing.
b. Right-click Sales and Marketing and click Create and Link a GPO
Here. c.
The New GPO window appears; for Name, type Marketing Desktop and click OK.
Notice that the new GPO is now listed under the Sales and Marketing OU with the other GPOs. 2.
View the link order.
a.
In the console pane, click Sales and Marketing.
b. In the details-pane, hover the mouse over Marketing Desktop. c.
Hover the mouse over the Link Order.
You can see that it listed as third in the link order. Link ordering allows you to apply GPOs in a certain order, with last GPO that is processed settings taking precedence. 3.
4.
Display the properties of the Marketing GPO.
a.
Edit the Marketing GPO settings to meet Contoso’s company standards for user desktops, including removing the Run menu, setting up a bitmap wallpaper, and routing users’ My Documents folders.
a.
In the console-pane, double-click Marketing Desktop.
b. In the details-pane, hover the mouse over the properties.
In the console-pane, right-click Marketing Desktop and click Edit.
b. Navigate to User Configuration | Administrative Templates and
click Start Menu and Taskbar. c.
In the details-pane, double-click Remove Run menu from Start Menu.
d. The Remove Run menu from Start Menu Properties window
appears; click Enabled and click OK. This will help prevent users from easily accessing applications that run from a command line such as the Registry Editor. However, this will not prevent users from actually launching the Run application. The company standard is to just remove easy access to this tool, not to
12
Creating Group Policy Objects prevent it from working. e.
Navigate to User Configuration | Administrative Templates | Desktop and double-click Active Desktop.
Contoso has a standard desktop bitmap that is to be placed on desktops. We will use the Active Desktop to enforce the use of this desktop background. f.
In the details-pane, double-click Enable Active Desktop.
g.
The Enable Active Desktop Properties window appears; click Enabled and click OK.
h. In the details-pane, double-click Active Desktop Wallpaper. i.
The Active Desktop Wallpaper Properties window appears; click Enabled.
We will enter a Universal Naming Convention path, or UNC path to where our standard desktop bitmap resides and we will leave the bitmap centered. j.
For Wallpaper Name, type \\SEA-DC-01\Public\Contoso.bmp and hover the mouse over Center and click OK.
k. In the console-pane, collapse Administrative Templates. l.
Navigate to User Configuration | Windows Settings | Folder Redirection | My Documents.
m. In the console-pane, right-click My Documents and click Properties. n. The My Documents Properties window appears; for Setting, expand
the drop-down menu and click Basic- Redirect everyone’s folder to the same location. This will route all users’ My Documents Folder to the same location. o.
Hover the mouse over Create a folder for each user under the root path.
p. For Root Path, type \\SEA-DC-01\Public and hover the mouse over
\\SEA-DC-01\Public\Claire\My Documents. q. Click the Settings tab. r.
Click to select the Redirect the folder back to the local userprofile location when policy is removed radio button and click OK.
Our Marketing Desktop policy has been configured s.
Close Group Policy Object Editor.
Creating Group Policy Objects
13
Exercise 4 Viewing the Results of the Marketing Desktop GPO Scenario Now that we have created a Marketing Desktop GPO and configured settings for the GPO, we will see the GPO applied to our two users.
SEA-DC-01
WRK-SEA-001
Tasks
Detailed steps
Complete the following 2 tasks on:
a.
SEA-DC-01 1.
To disable the link to the Marketing Desktop GPO.
In the console-pane, under Sales and Marketing, right-click Marketing Desktop and uncheck Link Enabled.
Since we created and linked the GPO to the OU that contains our users, if we logged on right now, the GPO would be applied. To prevent this from occurring, we will disable the link for now. To disable the link, we simply uncheck Link Enabled in the context menu for the link. b. Hover the mouse over the Marketing Desktop icon.
2.
Review where the two users reside in the logical structure of contoso.com.
c.
Minimize Group Policy Management.
a.
On the desktop, double-click Active Directory Users and Computers.
b. The Active Directory Users and Computers window appears;
maximize the window. c.
In the console-pane, expand contoso.com | Sales and Marketing.
d. In the console-pane, click Sales and Marketing. e.
In the details-pane, hover the mouse over Marketing User.
The Marketing User resides in the Sales and Marketing OU. f.
Hover the mouse over Sales Team.
There is a child OU in the Sales and Marketing OU called Sales Team. g.
Double-click Sales Team, and in the details-pane, hover the mouse over Sales User.
The Sales Team OU contains the Sales User object. It’s important to remember the Group Policy processing order: Site, Domain, OU and then Child OU. Viewing the user object location will help you to understand how to control application of the Marketing Desktop GPO later on in this exercise. h. Close Active Directory Users and Computers.
Complete the following 4 tasks on: WRK-SEA-001
a.
Click the WRK-SEA-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
14
Creating Group Policy Objects
3.
View the settings on the client computer for the MarketingUser (note that the link to the new GPO was disabled, so the new settings do not appear).
d. Logon as Contoso\MarketingUser with a password of Passw0rd. e.
On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is purple. f.
Click Start | Run.
g.
The Run window appears; click Cancel.
We can access the Run command from the Start Menu. h. On the desktop, right-click My Documents and click Properties. i.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder currently resides on the local drive. 4.
5.
Log off as the MarketingUser.
a.
View the settings on the client computer for the SalesUser (note that the link to the new GPO was disabled, so the new settings do not appear).
a.
Click Start | Log Off.
b. The Log Off Windows dialog box appears; click Log Off.
Click in the virtual machine window.
b. Press Right-ALT + DEL. a.
Logon as Contoso\SalesUser with a password of Passw0rd.
b. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is teal. c.
Click Start | Run.
d. The Run window appears; click Cancel.
We can access the Run command from the Start Menu. e.
On the desktop, right-click My Documents and click Properties.
f.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder currently resides on the local drive. 6.
We’ll log off this user Log off as SalesUser.
Complete the following task on:
a.
Click Start | Log Off.
b. The Log Off Windows dialog box appears; click Log Off. a.
Click the SEA-DC-01 link in the My Machines browser.
b. In the console-pane, under Sales and Marketing, right-click
Marketing Desktop and click Link Enabled. SEA-DC-01 7.
Enable the link to the Marketing Desktop GPO.
c.
Minimize Group Policy Management.
Creating Group Policy Objects Complete the following 2 tasks on: WRK-SEA-001 8.
Log back on as MarketingUser to see the new settings. Force GPUpdate for the MarketingUser.
a.
15
Click the WRK-SEA-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
a.
Logon as Contoso\MarketingUser with a password of Passw0rd.
Note: If Group Policy has updated the WRK-SEA-001 computer, skip to step f. b. On the desktop, double-click Command Prompt. c.
The Command Prompt window appears; type GPUpdate /force and press Enter.
Remember there is a refresh interval for pulling down the latest group policy settings. We will need to perform a forced update of the latest policy settings to view the Marketing Desktop policy. Remember, use GPUdate to force the update. d. At OK to logoff?, type Y and press Enter.
The policy settings are user-based and require that the user log off and back on. e.
Click in the virtual machine window.
f.
Press Right-ALT + DEL.
g.
Logon as Contoso\MarketingUser with a password of Passw0rd.
h. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is now a Contoso approved background. i.
Click Start and hover the mouse over where Run used to be.
Now, we cannot access the Run command from the Start menu. j.
On the desktop, hover the mouse over the My Documents icon.
Notice the arrows indicating that the folder is being redirected. k. On the desktop, right-click My Documents and click Properties. l.
The My Documents Properties window appears; next to Target, scroll left to show \\SEA-DC-01\Public\MarketingUser and click Cancel.
The My Documents folder now resides on the network share. As you can see, the GPO settings have successfully applied to the Marketing User. m. Click Start | Log Off. n. The Log Off Windows dialog box appears; click Log Off. 9.
Now, check the settings for SalesUser.
a.
Click in the virtual machine window.
b. Press Right-ALT + DEL. a.
Logon as Contoso\SalesUser with a password of Passw0rd.
Since we forced an update earlier, the latest policy settings are applied to the Sales User account. b. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is now a Contoso approved background. c.
Click Start and hover the mouse over where Run used to be.
Now, we cannot access the Run command from the Start menu.
16
Creating Group Policy Objects d. On the desktop, hover the mouse over the My Documents icon.
Notice the arrows indicating that the folder is being redirected. e.
On the desktop, right-click My Documents and click Properties.
f.
The My Documents Properties window appears; next to Target, scroll left to show \\SEA-DC-01\Public\SalesUser and click Cancel.
The My Documents folder now resides on the network share. As you can see, the GPO settings have also successfully applied to the SalesUser.
Creating Group Policy Objects
17
Exercise 5 Blocking Inheritance of the Marketing Desktop GPO Scenario Before we wrap up this lab, we will use Block Inheritance to preserve the Sales User’s original desktop settings. Ideally, you will want to design your OU structure to contain the use of Block Inheritance since the use of Block Inheritance can complicate troubleshooting Group Policy application in a complex environment. For now, we will use Block Inheritance for demonstration purposes only.
SEA-DC-01
WRK-SEA-001
Tasks
Detailed steps
Complete the following task on:
a.
Click the SEA-DC-01 link in the My Machines browser and restore Group Policy Management.
b. In the console-pane, right-click Sales Team and click Block
SEA-DC-01 1.
Configure the Sales Team OU to not inherit Group Policies from the Sales and Marketing OU.
Inheritance. Child OUs inherit GPO settings from parent OUs. Clicking this setting prevents inheritance. c.
Hover the mouse over the icon next to Sales Team.
Notice the icon for the Sales Team OU now has an exclamation mark to show that the OU has been configured to Block Inheritance. d. Close Group Policy Management.
Complete the following task on: WRK-SEA-001 2.
Log on as SalesUser (a member of the Sales Team OU) and check the desktop settings.
a.
Click the WRK-SEA- 01 link in the My Machines browser.
b. Double-click Command Prompt on the desktop. c.
Type gpupdate /force and press Enter.
d. At OK to logoff?, type Y and press Enter. e.
Log back on as Contoso\SalesUser with a password of Passw0rd.
f.
On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is back to being teal. g.
Click Start | Run.
h. The Run window appears; click Cancel.
We can once again access the Run command from the Start Menu. i.
On the desktop, right-click My Documents and click Properties.
j.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder once again resides on the local drive. The Block Inheritance feature of Group Policy is powerful, but needs to be
18
Creating Group Policy Objects carefully applied.
Table of Contents
Table of Contents Creating Group Policy Objects.................................................................................................................. 3 Exercise 1 Showing the Default Group Policy Objects .......................................................................................4 Exercise 2 Resetting the Default Group Policy Objects ......................................................................................8 Exercise 3 Creating a Marketing Users GPO.....................................................................................................11 Exercise 4 Viewing the Results of the Marketing Desktop GPO.......................................................................13 Exercise 5 Blocking Inheritance of the Marketing Desktop GPO .....................................................................17
Creating Group Policy Objects
Creating Group Policy Objects Objectives
Scenario
After completing this lab, you will be able to:
Show the Default Group Policy Objects.
Set the Default Group Policy Objects.
Creating a Marketing Users GPO.
Viewing the Results of the Marketing Desktop GPO.
Blocking Inheritance of the Marketing Desktop GPO
In this lab, we will review the Group Policy Management Console and discuss many of its features. The Group Policy Management Console significantly improves the overall management of Group Policy by consolidating several features located in other MMCs, into one, easy and intuitive user interface. We will also compare the difference between the Group Policy Management Console and the Group Policy Object Editor. We will create new Group Policies and apply the settings to target users and computers. In previous sessions, we have seen the beginnings of Group Policy object creation. In this session expose the core aspects of Group Policy object creation. Finally, we will edit Group Policy objects and see how the edited settings overwrite previous settings.
Estimated time to complete this lab: 60 minutes
3
4
Creating Group Policy Objects
Computers used in this lab: SEA-DC-01
WRK-SEA-001 The password for both computers is: Passw0rd
Exercise 1 Showing the Default Group Policy Objects Scenario Windows Server 2003 domain controllers include two default polices: the Default Domain Policy and the Default Domain Controllers Policy. Both policies are linked to their respective Scopes of Management, or SOMs. Windows Server 2003 includes a more secure default install, derived from these default policy settings.
SEA-DC-01
Tasks 1.
Open the Group Policy Management Console.
Detailed steps a.
Click the SEA-DC-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
d. Logon as Administrator with a password of Passw0rd.
2.
3.
e.
Double-click the Group Policy Management icon on the desktop.
f.
The Group Policy Management window appears; maximize the window.
View at the Default Domain Policy. The link for this policy resides on the domain container, contoso.com.
a.
In the console-pane, expand Forest: contoso.com | Domains | contoso.com.
c.
Hover the mouse over contoso.com.
View the settings of the Default Domain Policy.
a.
In the console-pane, click Default Domain Policy.
b. Hover the mouse over Default Domain Policy.
b. Hover the mouse over the details-pane. c.
In the console-pane, expand Group Policy Objects and click Default Domain Policy.
d. Hover the mouse over the details-pane.
Creating Group Policy Objects
5
The properties shown on the link are the same properties shown if we access the group policy object directly by clicking on the object in the Group Policy Objects container. 4.
As we just saw, this policy is linked to the contoso.com container.
a.
In the details-pane, under Location, hover the mouse over contoso.com.
Note that this policy applies only to the Authenticated Users group, which is likely everyone who logs into the domain. b. Under Security Filtering, hover the mouse over Authenticated Users.
Note that this policy applies only to the Authenticated Users group, which is likely everyone who logs into the domain. c.
Under WMI Filtering, hover the mouse over <none>.
No WMI Filters have been applied to the Default Domain Policy. We will expand upon security settings and WMI Filters in a future lab. d. In the details-pane, click the Details tab.
Let’s quickly view the globally unique identifier, or GUID of this policy. As you may recall, this information is located on the Details pane. We will use this GUID in a later task. Note that this GUID begins with 31B2F340.
5.
View the settings configured on the Default Domain Policy. Since this policy is linked to the domain container, all users and computers that reside in contoso.com will receive these settings.
e.
Hover the mouse over Unique ID and 31B2F340.
a.
In the details-pane, click the Settings tab and click show all.
A good practice to employ is keeping the settings simple on policies designed to be applied to large groups, such as all domain users. Use policies linked to organizational units or child organizational units to configure more exact settings for your user community. b. In the details-pane, under Account Policies/Password Policy, hover
the mouse over Maximum Password Age. c.
Hover the mouse over Minimum Password length.
By default, Windows Server 2003 enforces a stringent password policy. Here, domain user account passwords must be changed every 42 days, must be at least 7 characters in length, and must meet complexity requirements. d. Hover the mouse over Password must meet complexity
requirements. Complex passwords must not contain part of the user’s account name, and must contain at least three of these types of characters: English upper case letters, English lower case letters, base digits, or 0-9, and non-alphabetic characters, such as & or !. These settings decrease the chances of a person or a program successfully guessing a user account password. e.
In the details-pane, scroll down to Account Policies/Account Lockout Policy.
f.
Hover the mouse over Account lockout threshold.
An additional security setting includes locking a user’s account after any invalid logon attempts. This setting prevents programs or users from continuously attempting to guess a user account password. It is important to note that an account lockout duration has not been defined.
6
Creating Group Policy Objects
6.
Add an account lockout policy threshold to the domain policy. Notice that when you edit a GPO, the Group Policy Editor, or GPOE is launched.
a.
In the console-pane, under Group Policy Objects, right-click Default Domain Policy and click Edit.
b. The Group Policy Object Editor window appears; maximize the
window. c.
In the console-pane, expand Computer Configuration | Windows Settings | Security Settings | Account Policies and click Account Lockout Policy.
d. In the details-pane, double-click Account lockout duration. e.
The Account lockout duration Properties window appears; check Define this policy setting.
f.
Hover the mouse over 30 and click OK.
30 minutes is a duration long enough to discourage a person from continually trying to guess a user account password, but short enough to allow a user unfortunate enough to mistype their password to continue working within a reasonable amount of time. g.
The Suggested Value Changes dialog box appears; hover the mouse over 5 invalid logon attempts and 30 minutes and click OK.
Since we have changed the default setting for the account lockout duration, Windows presents suggested values for the remaining account lockout related settings. We will accept the new setting of 5 invalid logon attempts and Reset account lockout counter after 30 minutes. This means users will have 5 attempts to logon on correctly before their account is locked out. The account lockout counter, if there are less than 5 invalid attempts, will reset after 30 minutes. h. Close the Group Policy Object Editor. 7.
View other settings.
a.
In the details-pane, scroll down to Account Policies/Kerberos Policy.
b. Hover the mouse over Maximum tolerance for computer clock
synchronization. Note the Maximum tolerance for computer clock synchronization. This setting states that all Windows 2000, XP, or Server 2003 machines that authenticate to contoso.com, must have their computer clock configured correctly. If a machine that has a time setting discrepancy greater than 5 minutes between it and the domain controller, the user won’t be able to logon onto the domain. This security setting helps prevent replay attacks on the network. This setting can be extended to a longer time threshold, or you can employ time synchronization tools such as the Windows Time Service to ensure users can authenticate to contoso.com. c.
In the details-pane, slowly scroll to the bottom of settings.
The remaining settings configured on the Default Domain Policy include Public Key Policies, which are closely related to Certificate services, and settings related to Remote Installation Services. These settings are beyond the scope of this WebCast session, but will be further discussed in a future WebCast. 8.
View the Default Domain Controllers policy.
a.
In the console-pane, expand Domain Controllers.
b. Hover the mouse over Default Domain Controllers Policy.
Creating Group Policy Objects
7
This policy is linked to the Domain Controllers OU that is created by default on Windows Server 2003 Active Directory domains. c.
In the console-pane, under Domain Controllers, click Default Domain Controllers Policy.
When we viewed the Default Domain Policy properties, we clicked on the policy object directly. This time, we will use the link to view the policy settings. d. Click the Scope tab and, in the details-pane, under Location, hover the
mouse over Domain Controllers. The Default Domain Controllers policy is linked to the Domain Controllers OU. e.
Under Security Filtering, hover the mouse over Authenticated Users.
f.
Under WMI Filtering, hover the mouse over <none>.
Again, only Authenticated Users are allowed to access this policy and there are no WMI Filters applied to the policy. g.
In the details-pane, click the Settings tab.
h. Click show all.
This policy contains only computers settings and not user settings. So, it will apply only to computers placed in the Domain Controllers OU. i.
In the details-pane, under Local Policies/Audit Policy, hover the mouse over all audit settings.
The Default Domain Controllers Policy contains an audit policy for the domain controllers. The audit results are written to the Security event log on the domain controller. The audit settings are defined to track things such as logon events and policy changes. This helps keep track if someone makes changes such as disabling audit policies, as well as system events such as a server reboot. j.
In the details-pane, scroll down to Local Policies/User Rights Assignment.
k. Slowly scroll down through the list of policies to Local
Policies/Security Options. The list of settings is too long to present in detail, but we can browse through the list. These settings include who can log on to a domain controller, either locally or remotely, who can back up files on the machine, change system time, add users, and other important functions. l.
In the details-pane, slowly scroll down to the bottom of the page.
The remaining settings configure how communication channels are configured between servers. Future Webcasts will delve into these settings as part of a server hardening demonstration. m. Close Group Policy Management.
8
Creating Group Policy Objects
Exercise 2 Resetting the Default Group Policy Objects Scenario In the first exercise, we edited the Default Domain policy and modified some account lockout settings. In doing so, we changed the number of invalid logon attempts before lockout from 0 to 5. Consider a scenario where other administrators have been making changes to the Default Domain policy and unexpected restrictions have been occurring. A change management process has not been followed, so we have no way of knowing the number or types of changes that have been made on the Default Domain policy. What we need to do is reset the Default Domain controller policy to the original settings to resolve a number of policy related issues. This exercise introduces us to some advanced topics regarding Group Policy and how it works. We will touch on these topics, but not go into them in great detail yet. Future WebCasts will further explain the backend mechanics of Group Policy in greater detail.
SEA-DC-01
Tasks 1.
View the GptTmpl.inf file.
Detailed steps a.
On the desktop, double-click My Computer.
b. The My Computer window appears; maximize the window. c.
Navigate to C:\WINDOWS\SYSVOL\sysvol\contoso.com\Policies\{31B2F340016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit.
d. Hover the mouse over GptTmpl.inf.
The Default Domain Policy settings are stored in a template file called the Gpttmpl.inf. This file contains plain text information that configures the registry. Notice that the file resides in the SYSVOL directory, in the GUID directory that corresponds to our Default Domain policy. This is the same GUID we saw earlier. Remember, we edited the account lockout setting in the Computer Configuration container. This setting is a machine based setting. e.
Right-click Gpttmpl.inf and click Open.
f.
The Notepad window appears; maximize the window.
g.
In the Gpttmpl.inf window, highlight text beginning with LockoutBadCount and ending with LockoutDuration = 30.
Note this file is plain text. Here are the three settings we changed in the first task. h. Minimize Gpttmpl.inf. 2.
Use a default copy of the Gpttmpl.inf file to reset the
a.
In Windows Explorer, navigate to C:\Technet Content\TNT403\Demos\Demo Files.
Creating Group Policy Objects policy settings.
9
A default copy of the Gpttmpl.inf file has been saved as a text file to a Technet Content folder for this demonstration. The default copy of the Gpttmpl.inf file was obtained through a restored copy of the orginal file. b. Double-click GPTTMLE.txt. c.
The Gpttmpl.txt window appears; maximize the window.
One way to reset all settings in the Default Domain Policy, is to simply copy the settings from the backup file and paste them into the existing GptTmpl.inf file. d. Click the Edit | Select All menu command. e.
Click the Edit | Copy menu command.
f.
Close Gpttmpl.txt.
g.
Restore Gpttmpl.inf.
h. Click the Edit | Select All menu command. i.
Click the Edit | Paste menu command.
j.
In Gpttmpl.inf, highlight LockoutBadCount = 0.
The account lockout settings we changed in the first task have now been reset. k. Close Gpttmpl.inf. l.
The Notepad dialog box appears; click Yes.
We will save the edited Gpttmpl.inf file. m. Close the Explorer window. 3.
Ensure the Gpttmpl.inf file we just updated is replicated to all domain controllers in contoso.com.
a.
In Windows Explorer, navigate to C:\WINDOWS\SYSVOL\sysvol\contoso.com\Policies\{31B2F340016D-11D2-945F-00C04FB984F9}.
b. Right-click GTP.ini and click Open. c.
The GPT.ini window appears; maximize the window.
The Gpt.ini file controls the GPO template version numbers. We will edit the Gpt.ini file to increase the GPO template version number so the Gpttmpl.inf file is properly replicated. d. Increase the Version number by an increment of one. For instance, if
the Version number is 65549, edit it to state 65550. This will force the domain controllers to pull down the latest version of the Default Domain policy.
4.
5.
Refresh Group Policy on this computer by running GPUpdate.
Look at the Default Domain Policy settings to view our changes.
e.
Close GPT.ini.
f.
The Notepad dialog box appears; click Yes.
g.
Close Windows Explorer.
a.
On the desktop, double-click Command Prompt.
b. The Command Prompt window appears; type GPUpdate /force and
press Enter. c.
When the refresh has completed, close Command Prompt.
a.
On the desktop, double-click Group Policy Management.
b. In the console-pane, under contoso.com, click Default Domain Policy. c.
In the details-pane, click Settings and click show all.
d. Under Account Policies\Account Lockout Policy, hover the mouse
10
Creating Group Policy Objects over 0 invalid logon attempts. Notice that the Account Lockout settings have reverted back to the settings we saw earlier. Resetting the Default Domain Controller policy is the same process performed just now, but we would edit a different file located in a different GUID based directory.
Creating Group Policy Objects
11
Exercise 3 Creating a Marketing Users GPO Scenario We have created some GPOs in prior labs to show features of Group Policy, the GPMC, and Group Policy settings. In this exercise, we will create a new GPO and follow the process from its initial creation to the application of the GPO. We will create a fairly simple GPO with just a few settings. This Group Policy will configure users’ desktop environment to fit Contoso’s company standards. This GPO will be linked to the Sales and Marketing OU.
SEA-DC-01
Tasks 1.
Create and Link a new GPO.
Detailed steps a.
In the console-pane, expand Sales and Marketing.
b. Right-click Sales and Marketing and click Create and Link a GPO
Here. c.
The New GPO window appears; for Name, type Marketing Desktop and click OK.
Notice that the new GPO is now listed under the Sales and Marketing OU with the other GPOs. 2.
View the link order.
a.
In the console pane, click Sales and Marketing.
b. In the details-pane, hover the mouse over Marketing Desktop. c.
Hover the mouse over the Link Order.
You can see that it listed as third in the link order. Link ordering allows you to apply GPOs in a certain order, with last GPO that is processed settings taking precedence. 3.
4.
Display the properties of the Marketing GPO.
a.
Edit the Marketing GPO settings to meet Contoso’s company standards for user desktops, including removing the Run menu, setting up a bitmap wallpaper, and routing users’ My Documents folders.
a.
In the console-pane, double-click Marketing Desktop.
b. In the details-pane, hover the mouse over the properties.
In the console-pane, right-click Marketing Desktop and click Edit.
b. Navigate to User Configuration | Administrative Templates and
click Start Menu and Taskbar. c.
In the details-pane, double-click Remove Run menu from Start Menu.
d. The Remove Run menu from Start Menu Properties window
appears; click Enabled and click OK. This will help prevent users from easily accessing applications that run from a command line such as the Registry Editor. However, this will not prevent users from actually launching the Run application. The company standard is to just remove easy access to this tool, not to
12
Creating Group Policy Objects prevent it from working. e.
Navigate to User Configuration | Administrative Templates | Desktop and double-click Active Desktop.
Contoso has a standard desktop bitmap that is to be placed on desktops. We will use the Active Desktop to enforce the use of this desktop background. f.
In the details-pane, double-click Enable Active Desktop.
g.
The Enable Active Desktop Properties window appears; click Enabled and click OK.
h. In the details-pane, double-click Active Desktop Wallpaper. i.
The Active Desktop Wallpaper Properties window appears; click Enabled.
We will enter a Universal Naming Convention path, or UNC path to where our standard desktop bitmap resides and we will leave the bitmap centered. j.
For Wallpaper Name, type \\SEA-DC-01\Public\Contoso.bmp and hover the mouse over Center and click OK.
k. In the console-pane, collapse Administrative Templates. l.
Navigate to User Configuration | Windows Settings | Folder Redirection | My Documents.
m. In the console-pane, right-click My Documents and click Properties. n. The My Documents Properties window appears; for Setting, expand
the drop-down menu and click Basic- Redirect everyone’s folder to the same location. This will route all users’ My Documents Folder to the same location. o.
Hover the mouse over Create a folder for each user under the root path.
p. For Root Path, type \\SEA-DC-01\Public and hover the mouse over
\\SEA-DC-01\Public\Claire\My Documents. q. Click the Settings tab. r.
Click to select the Redirect the folder back to the local userprofile location when policy is removed radio button and click OK.
Our Marketing Desktop policy has been configured s.
Close Group Policy Object Editor.
Creating Group Policy Objects
13
Exercise 4 Viewing the Results of the Marketing Desktop GPO Scenario Now that we have created a Marketing Desktop GPO and configured settings for the GPO, we will see the GPO applied to our two users.
SEA-DC-01
WRK-SEA-001
Tasks
Detailed steps
Complete the following 2 tasks on:
a.
SEA-DC-01 1.
To disable the link to the Marketing Desktop GPO.
In the console-pane, under Sales and Marketing, right-click Marketing Desktop and uncheck Link Enabled.
Since we created and linked the GPO to the OU that contains our users, if we logged on right now, the GPO would be applied. To prevent this from occurring, we will disable the link for now. To disable the link, we simply uncheck Link Enabled in the context menu for the link. b. Hover the mouse over the Marketing Desktop icon.
2.
Review where the two users reside in the logical structure of contoso.com.
c.
Minimize Group Policy Management.
a.
On the desktop, double-click Active Directory Users and Computers.
b. The Active Directory Users and Computers window appears;
maximize the window. c.
In the console-pane, expand contoso.com | Sales and Marketing.
d. In the console-pane, click Sales and Marketing. e.
In the details-pane, hover the mouse over Marketing User.
The Marketing User resides in the Sales and Marketing OU. f.
Hover the mouse over Sales Team.
There is a child OU in the Sales and Marketing OU called Sales Team. g.
Double-click Sales Team, and in the details-pane, hover the mouse over Sales User.
The Sales Team OU contains the Sales User object. It’s important to remember the Group Policy processing order: Site, Domain, OU and then Child OU. Viewing the user object location will help you to understand how to control application of the Marketing Desktop GPO later on in this exercise. h. Close Active Directory Users and Computers.
Complete the following 4 tasks on: WRK-SEA-001
a.
Click the WRK-SEA-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
14
Creating Group Policy Objects
3.
View the settings on the client computer for the MarketingUser (note that the link to the new GPO was disabled, so the new settings do not appear).
d. Logon as Contoso\MarketingUser with a password of Passw0rd. e.
On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is purple. f.
Click Start | Run.
g.
The Run window appears; click Cancel.
We can access the Run command from the Start Menu. h. On the desktop, right-click My Documents and click Properties. i.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder currently resides on the local drive. 4.
5.
Log off as the MarketingUser.
a.
View the settings on the client computer for the SalesUser (note that the link to the new GPO was disabled, so the new settings do not appear).
a.
Click Start | Log Off.
b. The Log Off Windows dialog box appears; click Log Off.
Click in the virtual machine window.
b. Press Right-ALT + DEL. a.
Logon as Contoso\SalesUser with a password of Passw0rd.
b. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is teal. c.
Click Start | Run.
d. The Run window appears; click Cancel.
We can access the Run command from the Start Menu. e.
On the desktop, right-click My Documents and click Properties.
f.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder currently resides on the local drive. 6.
We’ll log off this user Log off as SalesUser.
Complete the following task on:
a.
Click Start | Log Off.
b. The Log Off Windows dialog box appears; click Log Off. a.
Click the SEA-DC-01 link in the My Machines browser.
b. In the console-pane, under Sales and Marketing, right-click
Marketing Desktop and click Link Enabled. SEA-DC-01 7.
Enable the link to the Marketing Desktop GPO.
c.
Minimize Group Policy Management.
Creating Group Policy Objects Complete the following 2 tasks on: WRK-SEA-001 8.
Log back on as MarketingUser to see the new settings. Force GPUpdate for the MarketingUser.
a.
15
Click the WRK-SEA-01 link in the My Machines browser.
b. Click in the virtual machine window. c.
Press Right-ALT + DEL.
a.
Logon as Contoso\MarketingUser with a password of Passw0rd.
Note: If Group Policy has updated the WRK-SEA-001 computer, skip to step f. b. On the desktop, double-click Command Prompt. c.
The Command Prompt window appears; type GPUpdate /force and press Enter.
Remember there is a refresh interval for pulling down the latest group policy settings. We will need to perform a forced update of the latest policy settings to view the Marketing Desktop policy. Remember, use GPUdate to force the update. d. At OK to logoff?, type Y and press Enter.
The policy settings are user-based and require that the user log off and back on. e.
Click in the virtual machine window.
f.
Press Right-ALT + DEL.
g.
Logon as Contoso\MarketingUser with a password of Passw0rd.
h. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is now a Contoso approved background. i.
Click Start and hover the mouse over where Run used to be.
Now, we cannot access the Run command from the Start menu. j.
On the desktop, hover the mouse over the My Documents icon.
Notice the arrows indicating that the folder is being redirected. k. On the desktop, right-click My Documents and click Properties. l.
The My Documents Properties window appears; next to Target, scroll left to show \\SEA-DC-01\Public\MarketingUser and click Cancel.
The My Documents folder now resides on the network share. As you can see, the GPO settings have successfully applied to the Marketing User. m. Click Start | Log Off. n. The Log Off Windows dialog box appears; click Log Off. 9.
Now, check the settings for SalesUser.
a.
Click in the virtual machine window.
b. Press Right-ALT + DEL. a.
Logon as Contoso\SalesUser with a password of Passw0rd.
Since we forced an update earlier, the latest policy settings are applied to the Sales User account. b. On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is now a Contoso approved background. c.
Click Start and hover the mouse over where Run used to be.
Now, we cannot access the Run command from the Start menu.
16
Creating Group Policy Objects d. On the desktop, hover the mouse over the My Documents icon.
Notice the arrows indicating that the folder is being redirected. e.
On the desktop, right-click My Documents and click Properties.
f.
The My Documents Properties window appears; next to Target, scroll left to show \\SEA-DC-01\Public\SalesUser and click Cancel.
The My Documents folder now resides on the network share. As you can see, the GPO settings have also successfully applied to the SalesUser.
Creating Group Policy Objects
17
Exercise 5 Blocking Inheritance of the Marketing Desktop GPO Scenario Before we wrap up this lab, we will use Block Inheritance to preserve the Sales User’s original desktop settings. Ideally, you will want to design your OU structure to contain the use of Block Inheritance since the use of Block Inheritance can complicate troubleshooting Group Policy application in a complex environment. For now, we will use Block Inheritance for demonstration purposes only.
SEA-DC-01
WRK-SEA-001
Tasks
Detailed steps
Complete the following task on:
a.
Click the SEA-DC-01 link in the My Machines browser and restore Group Policy Management.
b. In the console-pane, right-click Sales Team and click Block
SEA-DC-01 1.
Configure the Sales Team OU to not inherit Group Policies from the Sales and Marketing OU.
Inheritance. Child OUs inherit GPO settings from parent OUs. Clicking this setting prevents inheritance. c.
Hover the mouse over the icon next to Sales Team.
Notice the icon for the Sales Team OU now has an exclamation mark to show that the OU has been configured to Block Inheritance. d. Close Group Policy Management.
Complete the following task on: WRK-SEA-001 2.
Log on as SalesUser (a member of the Sales Team OU) and check the desktop settings.
a.
Click the WRK-SEA- 01 link in the My Machines browser.
b. Double-click Command Prompt on the desktop. c.
Type gpupdate /force and press Enter.
d. At OK to logoff?, type Y and press Enter. e.
Log back on as Contoso\SalesUser with a password of Passw0rd.
f.
On the desktop, hover the mouse over the desktop background.
Notice the desktop wallpaper is back to being teal. g.
Click Start | Run.
h. The Run window appears; click Cancel.
We can once again access the Run command from the Start Menu. i.
On the desktop, right-click My Documents and click Properties.
j.
The My Documents Properties window appears; next to Target, scroll left to show C:\Documents and Settings and click Cancel.
The My Documents folder once again resides on the local drive. The Block Inheritance feature of Group Policy is powerful, but needs to be
18
Creating Group Policy Objects carefully applied.
Related Documents
Creating Group Policy Objects
May 2020 4
Group Policy
April 2020 11
Group Policy
May 2020 8
Policy Group
December 2019 16
Group Policy
June 2020 7