Exercise 1: Configure Administrative Templates
Task 1: Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers
1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.
4. In the Windows Firewall: Allow inbound remote administration exception dialog box, click Enabled, and then click OK.
5. In the console pane, under Administrative Templates, expand System, and then click Group Policy.
6. In the details pane, double-click Group Policy slow link detection.
7. In the Group Policy slow link detection Properties dialog box, click Enabled.
8. In the Connection speed (Kbps) field, type 800, and then click OK.
9. Close Group Policy Management Editor.
Result: At the end of this task, you will have enabled remote administration through the firewall. This allows the Group Policy Results Wizard to query target computers.
MCT USE ONLY. STUDENT USE PROHIBITED
L7-70 Module 7: Configure User and Computer Environments by Using Group Policy
Task 2: Create and assign a GPO to prevent the installation of removable devices
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Prevent Removable Devices, and then click OK.
3. Right-click Prevent Removable Devices, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, expand Device Installation, and then click Device Installation Restrictions.
5. In the details pane, double-click Prevent installation of removable devices.
6. In the Prevent installation of removable devices Properties dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click Prevent Removable Devices, and then click OK.
10. Repeat the previous two steps to link the Prevent Removable Devices GPO to the NYC and Toronto OUs.
Task 3: Create and assign a GPO to encrypt offline files for executive computers
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Encrypt Offline Files, and then click OK.
3. Right-click Encrypt Offline Files, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.
Lab B: Configuring Administrative Templates L7-71
5. In the details pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Executives, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click Encrypt Offline Files, and then click OK.
Task 4: Create and assign a domain-level GPO for all domain users
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type All Users Policy, and then click OK.
3. Right-click All Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, and then click System.
5. In the details pane, double-click Prevent access to registry editing tools.
6. In the Prevent access to registry editing tools Properties dialog box, click Enabled, and then click OK.
7. In the console pane, click Start Menu and Taskbar.
8. In the details pane, double-click Remove Clock from the system notification area.
9. In the Remove Clock from the system notification area Properties dialog box, click Enabled, and then click OK.
10. Close Group Policy Management Editor.
11. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click All Users Policy, and then click OK.
Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users
1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Branch Users Policy, and then click OK.
3. Right-click Branch Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, expand System, and then click User Profiles.
5. In the details pane, double-click Limit profile size.
6. In the Limit profile size Properties dialog box, click Enabled.
7. In the Max Profile size (KB) field, type 1000000, and then click OK.
8. In the console pane, under Administrative Templates, expand Windows Components, and then click Windows Sidebar.
9. In the details pane, double-click Turn off Windows Sidebar.
10. In the Turn off Windows Sidebar Properties dialog box, click Enabled, and then click OK.
11. Close Group Policy Management Editor.
12. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.
13. In the Select GPO dialog box, click Branch Users Policy, and then click OK.
14. Repeat the previous two steps to link the Branch Users Policy GPO to the NYC and Toronto OUs.
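The create, configure and link steps of Tasks 2 and 3, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original lab. Assumptions: the module is available (Windows Server 2008 R2 or later, or RSAT), the script runs with domain administrator rights, and the Miami, NYC, Toronto and Executives OUs sit directly under the WoodgroveBank.com domain root.

```powershell
# Added example, not from the lab manual.
# Assumption: OUs are direct children of the domain root.
Import-Module GroupPolicy

$domainDn = 'DC=WoodgroveBank,DC=com'

# One entry per GPO: the registry-backed policy value that the
# Administrative Templates setting writes, and the OUs to link.
$gpos = @(
    @{
        Name      = 'Prevent Removable Devices'
        Key       = 'HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
        ValueName = 'DenyRemovableDevices'
        OUs       = @('Miami', 'NYC', 'Toronto')
    },
    @{
        Name      = 'Encrypt Offline Files'
        Key       = 'HKLM\Software\Policies\Microsoft\Windows\NetCache'
        ValueName = 'EncryptCache'
        OUs       = @('Executives')
    }
)

foreach ($g in $gpos) {
    # Reuse an existing GPO so the script can be re-run safely
    $gpo = Get-GPO -Name $g.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $g.Name }

    # Equivalent of clicking Enabled on the policy setting
    Set-GPRegistryValue -Name $g.Name -Key $g.Key -ValueName $g.ValueName `
        -Type DWord -Value 1 | Out-Null

    foreach ($ou in $g.OUs) {
        $target = "OU=$ou,$domainDn"
        # Link only if this GPO is not already linked to the OU
        $linked = (Get-GPInheritance -Target $target).GpoLinks |
            Where-Object { $_.DisplayName -eq $g.Name }
        if (-not $linked) { New-GPLink -Name $g.Name -Target $target | Out-Null }
    }
}
```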
Exercise 2: Verify GPO Application
Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony using the password Pa$$w0rd.
Note: Some user settings can only be applied during logon or may not apply due to cached credentials. These include roaming user profile path, Folder Redirection path, and Software Installation settings. If the user is already logged on when these settings are detected, they will not be applied until the next time the user is logged on.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. Right-click the Taskbar, and then click Properties.
5. In the Taskbar and Start Menu Properties dialog box, on the Notification Area tab, verify that you do not have the option to display the clock, and then click Cancel.
6. Click Start, type regedit, and then press ENTER.
7. In the Registry Editor dialog box, review the error, and then click OK.
8. Log off NYC-CL1.
Task 2: Log on as a user in a Branch Office and observe the applied settings
1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the notification area, double-click the Available profile space icon.
5. In the Profile Storage Space dialog box, review the information, and then click OK.
6. Click Start, right-click Documents, and then click Properties.
7. In the Documents Properties dialog box, verify the location is C:\Users\Roya, and then click Cancel.
8. Click Start, type regedit, and then press ENTER.
9. In the Registry Editor dialog box, review the error, and then click OK.
10. Click Start, and then click Computer.
11. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.
12. Log off NYC-CL1.
Task 3: Use the Group Policy Results Wizard to review Group Policy application for a target user and computer
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection page, click Another computer, type WoodgroveBank\NYC-CL1, and then click Next.
Note: If you receive an error after the previous step, wait 2 minutes and then retry it.
4. On the User Selection page, click WOODGROVEBANK\Tony, and then click Next.
5. On the Summary of Selections page, click Next, and then click Finish.
6. In the details pane, click show all.
7. Review the list of applied computer and user GPOs.
Question: Which GPOs were applied to the computer?
Answer: Only the Default Domain Policy.
Question: Which GPOs were applied to the user?
Answer: All Users Policy, Login Script, and Executive Redirection.
8. On the Settings tab, under Computer Configuration, click Administrative Templates, and then expand each of the settings.
Question: What settings were delivered to the computer?
Answer: Windows Firewall: Allow inbound remote administration exception.
9. Under User Configuration, expand each of the settings.
Question: What settings were delivered to the user?
Answer: The Executive Redirection policy delivers folder redirection settings.
The All Users Policy delivers settings to remove the clock and disable registry editing.
Result: At the end of this exercise, you will have configured several Administrative Templates policy settings for various OUs in the organization and then verified successful GPO application.
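A scripted counterpart to the Group Policy Results Wizard run in Task 3, comparing the GPO names in the report with the answers given above. This is an added example, not part of the original lab. Assumptions: the GroupPolicy module is available on NYC-DC1, Tony has already logged on to NYC-CL1, and the XML report uses the Rsop, ComputerResults, UserResults, GPO and Name element names.

```powershell
# Added example, not from the lab manual.
# Needs the remote administration firewall exception enabled in Exercise 1, Task 1.
Import-Module GroupPolicy

$reportPath = Join-Path $env:TEMP 'rsop-NYC-CL1-Tony.xml'
Get-GPResultantSetOfPolicy -Computer 'NYC-CL1' -User 'WOODGROVEBANK\Tony' `
    -ReportType Xml -Path $reportPath | Out-Null

[xml]$rsop = Get-Content -Path $reportPath

# Expected GPO names, copied from the answers in Task 3
$expected = @{
    ComputerResults = @('Default Domain Policy')
    UserResults     = @('All Users Policy', 'Login Script', 'Executive Redirection')
}

foreach ($scope in $expected.Keys) {
    # local-name() avoids depending on the report's XML namespace
    # (element names are an assumption about the report format)
    $xpath = "/*[local-name()='Rsop']/*[local-name()='$scope']" +
             "/*[local-name()='GPO']/*[local-name()='Name']"
    $reported = @($rsop.SelectNodes($xpath) | ForEach-Object { $_.InnerText })

    if ($reported.Count -eq 0) {
        "${scope}: no GPOs found in the report"
        continue
    }

    $diff = Compare-Object -ReferenceObject $expected[$scope] -DifferenceObject $reported
    if (-not $diff) {
        "${scope}: matches the lab answer"
    } else {
        # '<=' expected but not in the report, '=>' in the report but not expected
        $diff | ForEach-Object { "${scope}: $($_.SideIndicator) $($_.InputObject)" }
    }
}
```

The report can list GPOs that were evaluated but denied, so treat any `=>` line as a prompt to check the wizard's Denied GPOs list before concluding that an unexpected GPO applied.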