Exercise 1: Verifying GPO Application
Task 1: Start NYC-CL1
• Log on to NYC-CL1 as WOODGROVEBANK\
Anton
with the password Pa$$w0rd.Task 2: Verify that a Miami branch user is receiving the correct policy 1. Click Start and then verify that the Control Panel is not present on the Start
menu.
2. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.
3. Log off.
Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with a password of Pa$$w0rd.
2. Click Start and then verify that the Control Panel is present on the Start menu.
3. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.
4. Log off.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
L6-58 Module 6: Creating and Configuring GPOs
Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with a password of Pa$$w0rd.
2. Click Start and then verify that the Control Panel is present on the Start menu.
3. Click Start, point to All Programs, point to Accessories and then verify that Run is present in the Start menu.
4. Click Start and then click Internet.
5. In the Internet Explorer window, click the Favorites Center button, and then verify that the link to Tech Support is present.
6. Log off.
Task 5: Verify that a user in the Executive OU user is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Chase with a password of Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.
3. Click Start and then verify that the Control Panel is present on the Start menu.
4. Click Start and then click Control Panel.
5. In the Control Panel window, under Appearance and Personalization, click Change desktop background and then verify that there is no access to the Desktop Display Settings.
6. Log off.
Hint: When you attempt to access display settings you will receive a message informing you that this has been disabled.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
Lab B: Verifying and Managing GPOs L6-59
Task 6: Verify that the last logged on username does not appear
• Verify that the last logged on username does not appear.
Note: To see this information, press CTRL-ALT-DEL to see the logon screen.
Task 7: Use Group Policy modeling to test kiosk computer settings 1. On NYC-DC1, in the Group Policy Management window, right-click the
Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under Computer information, click Computer.
5. In the Computer field, type WOODGROVEBANK\NYC-CL1, and then click Next.
6. On the Advanced Simulation Options page, click Loopback Processing, and then click Next.
7. On the Alternate Active Directory Paths page, click Next.
8. On the User Security Groups page, click Next.
9. On the Computer Security Groups page, click Add.
10. In the Select Groups dialog box, type Kiosk Computers, click OK, and then click Next.
11. On the WMI Filters for Users page, click Next.
12. On the WMI Filters for Computers page, click Next.
13. On the Summary of Selections page, click Next.
14. On the Completing the Group Policy Modeling Wizard page, click Finish.
15. In Group Policy Management window, view the report. This will take a few moments to process.
Result: At the end of this exercise you will have tested and verified a GPO application
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
L6-60 Module 6: Creating and Configuring GPOs
Exercise 2: Managing GPOs
Task 1: Back up an individual policy
1. On NYC-DC1, in the Group Policy Management window, under the Group Policy Objects folder, right-click the Restrict Control Panel policy, and then click Back Up.
2. In the Back Up Group Policy Object dialog box, click Browse.
3. Browse to C:\ and then click Make New Folder.
4. Type GPO Backup, and then press ENTER.
5. Click OK, and then click Back Up.
6. When the backup completes, click OK.
Task 2: Back up all GPOs
1. In the console pane, right-click the Group Policy Objects folder and then click Back Up All.
2. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO Backup and then click Back Up.
3. When the backup completes, click OK.
Task 3: Delete and restore an individual GPO
1. In the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Delete.
2. In the Group Policy Management dialog box, click Yes.
3. Right-click the Group Policy Objects folder, and then click Manage Backups.
4. In the Manage Backups dialog, click the Admin Favorites GPO, and then click Restore.
5. In the Group Policy Management dialog box, click OK.
6. In the Restore dialog box, click OK and then click Close.
7. Verify that the Admin Favorites GPO appears in the Group Policy Objects folder.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
Lab B: Verifying and Managing GPOs L6-61
Task 4: Import a GPO
1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Import, and then click OK.
3. Right-click the Import GPO, and then click Import Settings.
4. In the Import Settings Wizard, click Next.
5. On the Backup GPO page, click Next.
6. On the Backup location page, verify the Backup folder is C:\GPO Backup, and then click Next.
7. On the Source GPO page, click Restrict Control Panel, and then click Next.
Note: If more than one copy of the Restrict Control Panel GPO appears, choose the newer one.
8. On the Scanning Backup page, click Next, and then click Finish.
9. When the import completes, click OK.
10. In the Group Policy Objects folder, click the Import GPO, and then in the details pane, click the Settings tab.
11. Click show all.
12. Verify that the Prohibit access to the Control Panel policy setting is enabled.
Result: At the end of this exercise you will have backed up restored and imported GPOs.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
L6-62 Module 6: Creating and Configuring GPOs
Exercise 3: Delegating Administrative Control of GPOs
Task 1: Grant Betsy the right to create GPOs in the domain
1. On NYC-DC1, in the Group Policy Management window, click the Group Policy Objects folder.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.
Task 2: Delegate the right to edit the Import GPO to Betsy 1. In the Group Policy Objects folder, click the Import GPO.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.
4. In the Add Group or User dialog box, in the Permissions list, click Edit settings, and then click OK.
Task 3: Delegate the right to link GPOs to the Executives OU to Betsy 1. In the WoodgroveBank.com domain, click the Executives OU.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.
4. In the Add Group or User dialog box, in the Permissions, list, click This container only, and then click OK.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
Lab B: Verifying and Managing GPOs L6-63
Task 4: Enable Domain Users to log on to domain controllers
Note: This step is included in the lab to allow you to test the delegated permissions. As a best practice you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.
1. In the Group Policy Management window, expand Domain Controllers.
2. Right-click Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click Allow log on locally.
5. In the Allow log on locally Properties dialog box, click Add User or Group.
6. In the Add User or Group dialog box, type Domain Users, and click OK twice.
7. Close all open windows.
8. Click Start, and then click Command Prompt.
9. In the Command Prompt window, type GPUpdate /force and press ENTER.
10. Wait for the command to complete, type exit, and then press ENTER.
11. Log off.
Task 5: Test the delegation
1. Log on to NYC-DC1 as WOODGROVEBANK\Betsy.
2. Click Start, type MMC, and then press ENTER.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog, click Group Policy Management, click Add, and then click OK.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
L6-64 Module 6: Creating and Configuring GPOs
6. Expand Group Policy Management, expand Forest: WoodgroveBank.com, expand Domains, and then expand WoodgroveBank.com.
7. Right-click the Group Policy Objects folder, and then click New.
8. In the New GPO dialog box, type Test, and then click OK. This operation will succeed.
9. Expand the Group Policy Objects folder, and right-click the Import GPO, and then click Edit. This operation will succeed.
10. Close Group Policy Management Editor.
11. Right-click the Executives OU, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click Test and click OK. This operation will succeed.
13. Right-click the Admin Favorites GPO, and then click Edit. This operation is not possible because the Edit link is grayed out.
Task 6: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, click Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
M C T U SE O N LY . S TU D EN T U SE P R O H IB IT ED
Lab A: Configuring Scripts and Folder Redirection with Group Policy L7-65