Lab A: Implementing Security Using Group Policy

In document 6419B ENU Trainer Handbook Part2 (Page 107-111)

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Exercise 1: Configuring Account and Security Policy Settings

Task 1: Create an account policy for the domain.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects.

3. In the details pane, right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.

5. In the details pane, double-click Minimum password length.

6. In the Minimum password length Properties dialog box, in the Password must be at least field, type 8, and then click OK.

7. Double-click Minimum password age.

8. In the Minimum password age Properties dialog box, in the Password can be changed after field, type 19, and then click OK.

9. Double-click Maximum password age.

10. In the Maximum password age Properties dialog box, in the Password will expire in field, type 20, and then click OK.

11. In the console pane, click Account Lockout Policy.

12. In the details pane, double-click Account lockout threshold.

13. In the Account lockout threshold Properties dialog box, under Account will not lock out, type 5, and then click OK.

14. In the Suggested Value Changes dialog box, click OK to accept the values of 30 minutes.

15. Close Group Policy Management Editor.
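To confirm that the values entered in Task 1 actually took effect on the domain, the check below reads the effective domain account policy and compares it with the lab's numbers. It is an added example, not part of the handbook, and it assumes the Active Directory module for Windows PowerShell is available on NYC-DC1 and that it is run there as Contoso\Administrator.

```powershell
# Added example (not from the handbook): compare the effective domain account
# policy with the values typed in Task 1.
# Assumption: the ActiveDirectory module is installed on NYC-DC1.
Import-Module ActiveDirectory

# Re-apply computer policy so the edited Default Domain Policy is processed now.
gpupdate /target:computer /force | Out-Null

# Expected values from steps 6, 8, 10 and 13; the two 30-minute values are the
# ones accepted in the Suggested Value Changes dialog box in step 14.
$expected = @{
    MinPasswordLength        = 8
    MinPasswordAge           = New-TimeSpan -Days 19
    MaxPasswordAge           = New-TimeSpan -Days 20
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}

# With no -Identity, the cmdlet returns the policy of the logged-on user's domain.
$actual = Get-ADDefaultDomainPasswordPolicy

# Build one row per setting so a mismatch is visible at a glance.
$report = foreach ($name in $expected.Keys) {
    New-Object PSObject -Property @{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual.$name
        Match    = ($actual.$name -eq $expected[$name])
    }
}
$report | Sort-Object Setting |
    Format-Table Setting, Expected, Actual, Match -AutoSize

$mismatch = @($report | Where-Object { -not $_.Match })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) setting(s) differ from the lab values."
} else {
    Write-Host "Domain account policy matches the lab values."
}
```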

MCT USE ONLY. STUDENT USE PROHIBITED

Task 2: Configure local policy settings for a Windows 7 client.

1. Start NYC-CL1 and log on as Contoso\Administrator, with the password, Pa$$w0rd.

2. Click Start, type MMC in the search programs and files box, and then press Enter.

3. In the Console1 window, on the File menu, click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, click Finish and then click OK.

5. In the console pane, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

6. In the details pane, double-click Accounts: Administrator account status.

7. In the Accounts: Administrator account status Properties dialog box, click Enabled, and then click OK.

8. On the File menu, click Add/Remove Snap-in.

9. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, and then click Browse.

10. In the Browse for a Group Policy Object dialog box, click the Users tab.

11. Click Non-Administrators, click OK, click Finish, and then click OK.

12. In the console pane, expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.

13. In the details pane, double-click Remove Run menu from Start Menu.

14. In the Remove Run menu from Start Menu dialog box, click Enabled, and then click OK.

15. Close the MMC window and do not save the changes.

16. Restart NYC-CL1.

Task 3: Create a wireless network GPO for Windows 7 client.

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Windows 7 Wireless, and then click OK.

3. Expand Group Policy Objects, right-click Windows 7 Wireless, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.

5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create a New Wireless Network Policy for Windows Vista and Later Releases.

6. In the New Wireless Network Policy Properties dialog box, click Add, and then click Infrastructure.

7. In the New Profiles properties dialog box, in the Profile Name field, type Corporate.

8. In the Network Name(s) (SSID) field, type Corp, and then click Add.

9. On the Security tab, in the Authentication list, click Open with 802.1X, and then click OK.

10. On the Network Permissions tab, click Add.

11. In the New Permission Entry dialog box, in the Network Name (SSID): field, type Research, verify that Permission is set to Deny, and then click OK twice.

12. Close Group Policy Management Editor.

13. In the Group Policy Management console pane, right-click Contoso.com, and then click Link an Existing GPO.

14. In the Select GPO dialog box, click Windows 7 Wireless, and then click OK.

Task 4: Configure a policy that prohibits a service on all domain controllers.

1. In the Group Policy Management console pane, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.

2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services.

3. In the details pane, double-click Windows Installer.

4. In the Windows Installer Properties dialog box, select the Define this policy setting check box, verify that Disabled is selected, and then click OK.

5. Close Group Policy Management Editor.

Result: After completing this exercise, you will have configured account and security policy settings.

Exercise 2: Implementing Fine-Grained Password Policies

Task 1: Create a PSO by using ADSI edit.

1. On NYC-DC1, click Start, click Run, type adsiedit.msc into the Run… dialog box, and then press Enter.

2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.

3. Navigate to DC=Contoso, DC=com, expand CN=System, and then click CN=Password Settings Container.

4. Right-click CN=Password Settings Container, point to New, and then click Object.

5. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.

6. In the Value box, type ITAdmin, and then click Next.

7. In the msDS-PasswordSettingsPrecedence value, type 10. Click Next.

8. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE. Click Next.

9. In the msDS-PasswordHistoryLength value, type 30. Click Next.

10. In the msDS-PasswordComplexityEnabled value, type TRUE. Click Next.

11. In the msDS-MinimumPasswordLength value, type 10. Click Next.

12. In the msDS-MinimumPasswordAge value, type 06:00:00:00. Click Next.

13. In the msDS-MaximumPasswordAge value, type 07:00:00:00. Click Next.

14. In the msDS-LockoutThreshold value, type 3. Click Next.

15. In the msDS-LockoutObservationWindow value, type 00:00:30:00. Click Next.

16. In the msDS-LockoutDuration value, type 00:00:30:00, and then click Next and then click Finish.

Task 2: Assign the PSO to the Domain Admins global group.

1. In ADSI Edit, select the CN=Password Settings Container and then in the details pane, double-click CN=ITAdmin.

2. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo.

3. Click Add Windows Account, type Domain Admins into the Enter the object names to select (examples) field and then click OK.

4. Click OK.

5. Click OK to close the CN=ITAdmin Properties box and then close the ADSI Edit window.

Results: After completing this exercise, you will have implemented a fine-grained password policy.
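The same PSO can be created, linked and verified from the command line. The script below is an added example, not part of the handbook: it mirrors Tasks 1 and 2 with the Active Directory module for Windows PowerShell, which is assumed to be installed on NYC-DC1, and it assumes the built-in Administrator account is a member of Domain Admins.

```powershell
# Added example (not from the handbook): scripted equivalent of Tasks 1 and 2,
# followed by a check of which policy a Domain Admins member really receives.
# Assumption: the ActiveDirectory module is installed on NYC-DC1.
Import-Module ActiveDirectory

# Same values as the ADSI Edit wizard. ADSI Edit takes durations as d:hh:mm:ss,
# so 06:00:00:00 is 6 days and 00:00:30:00 is 30 minutes.
$settings = @{
    Name                        = 'ITAdmin'
    Precedence                  = 10
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 30
    ComplexityEnabled           = $true
    MinPasswordLength           = 10
    MinPasswordAge              = New-TimeSpan -Days 6
    MaxPasswordAge              = New-TimeSpan -Days 7
    LockoutThreshold            = 3
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    LockoutDuration             = New-TimeSpan -Minutes 30
}

# Create the PSO only if the lab steps have not already created it.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'ITAdmin'")) {
    New-ADFineGrainedPasswordPolicy @settings
}

# Task 2: add Domain Admins to msDS-PSOAppliesTo unless it is already listed.
$group = Get-ADGroup -Identity 'Domain Admins'
$pso   = Get-ADFineGrainedPasswordPolicy -Identity 'ITAdmin'
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity 'ITAdmin' -Subjects $group
}

# Show what the PSO is linked to.
Get-ADFineGrainedPasswordPolicySubject -Identity 'ITAdmin' |
    Select-Object Name, ObjectClass

# Resultant policy for one member of the group. No output from the cmdlet means
# no PSO applies and the account falls back to the domain account policy.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
if ($resultant -and $resultant.Name -eq 'ITAdmin') {
    Write-Host "Administrator receives PSO 'ITAdmin' (precedence $($resultant.Precedence))."
} else {
    Write-Warning "PSO 'ITAdmin' is not the resultant policy for Administrator."
}
```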
