MEGA LAB SERIES
Windows 2000/Server 2003
www.trainsignal.com

Advanced Group Policy in Windows 2000 & Server 2003
Video CBT Lab 14
Part 1 of 3 in the Advanced Active Directory in Windows 2000 & Server 2003 Series

Transcription
(Figure: Active Directory Lab Setup. All three computers connect to a switch.
 DC1 - Static IP 200.200.200.1/24, Windows Server 2003, services: DNS, Domain Controller.
 DC2 - Static IP 200.200.200.2/24, Windows Server 2003, services: Additional Domain Controller.
 Client1 - Static IP 200.200.200.11/24, Windows XP Professional.)
© Train Signal, Inc, 2005
(Figure: the benandbrady.com network. San Francisco, CA: ISA Server, Windows Server 2003
 servers, Windows XP Professional workstations. Charlotte, NC: ISA Server, Windows Server 2003
 servers, Windows XP Professional workstations. The two sites are connected through the Internet.)

First Name   Last Name   Username    Password    OU
Jack         Straw       jstraw      Password1   NC → Marketing
Sue          Stevens     sstevens    Password1   NC → Sales
Bob          Hayes       bhayes      Password1   NC → Accounting
Peter        Ramirez     pramirez    Password1   NC → Accounting
Maria        Perez       mperez      Password1   CA → Marketing
Mark         Jones       mjones      Password1   CA → Sales
Christina    Sanchez     csanchez    Password1   CA → Accounting
Page 1 of 110
© Train Signal, Inc., 2002-2005
About the Author
Obaid Chhatriwala (MBA, MCSE, Security+, CNA) is an experienced technology
consultant and trainer. He has designed and administered networks for a variety of
industries, including healthcare and financial companies. He also has over 9 years of
experience teaching a variety of computer courses in Windows NT, Windows 2000/2003,
Windows XP, Novell Netware, Cisco Routing and Switching, Network Security and
Computer Hardware. You will greatly benefit from Obaid’s true passion for education and
the amount of detail that he covers whenever he undertakes computer networking training.
Train Signal, Inc.
400 West Dundee Road
Suite #106
Buffalo Grove, IL 60089
Phone - (847) 229-8780
Fax – (847) 229-8760
www.trainsignal.com
Copyright and other Intellectual Property Information
© Train Signal, Inc., 2002 - 2005. All rights are reserved. No part of this publication,
including written work, videos, and on-screen demonstrations (together called “the
Information” or “THE INFORMATION”), may be reproduced or distributed in any form
or by any means without the prior written permission of the copyright holder.
Products and company names, including but not limited to, Microsoft, Novell and Cisco, are
the trademarks, registered trademarks, and service marks of their respective owners.
Disclaimer and Limitation of Liability
Although the publishers and authors of the Information have made every effort to ensure
that the information within it was correct at the time of publication, the publishers and the
authors do not assume and hereby disclaim any liability to any party for any loss or damage
caused by errors, omissions, or misleading information.
TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN
SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS
SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION
OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, OR VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR
CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK
OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.
IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT
LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL
TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY
OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT
LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF
TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR
DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE
INFORMATION.
To the extent that this Limitation is inconsistent with the locality where you use the
Software, the Limitation shall be deemed to be modified consistent with such local law.
Choice of Law:
You agree that any and all claims, suits, or other disputes arising from your use of the
Information shall be determined in accordance with the laws of the State of Illinois, in the
event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of
the state and federal courts in Cook County, Illinois for all actions, whether in contract or in
tort, arising from your use or purchase of the Information.
TABLE OF CONTENTS
INTRODUCTION............................................................................................................... 7
LAB SETUP...................................................................................................................... 9
SETTING UP THE LAB................................................................................................... 10
COMPUTER1............................................................................................................................ 12
COMPUTER 2 ........................................................................................................................... 12
COMPUTER 3 ........................................................................................................................... 12
LAB 1.............................................................................................................................. 15
SCENARIO – THE BEN AND BRADY ICE CREAM CORP. DOMAIN ........................... 16
ACTIVE DIRECTORY ..................................................................................................... 19
INSTALLING ACTIVE DIRECTORY ............................................................................... 19
BACKING UP THE ACTIVE DIRECTORY DATABASE ................................................. 26
INSTALLING THE SECOND DOMAIN CONTROLLER FROM A BACKUP FILE .......... 29
REPLICATION BETWEEN THE DOMAIN CONTROLLERS.......................................... 37
JOINING CLIENTS AND SERVERS TO THE DOMAIN ................................................. 38
LAB 2.............................................................................................................................. 43
SCENARIO - DEPLOYING MICROSOFT OFFICE XP PROFESSIONAL USING GROUP POLICY ................ 44
INSTALLING THE GROUP POLICY MANAGEMENT TOOL (GPMC) ........................... 44
APPLICATION DEPLOYMENT USING GROUP POLICY OBJECTS. ........................... 45
STEP 1: CREATE A SOFTWARE DEPLOYMENT POINT (SDP) ............................................. 45
STEP 2: CREATE THE ORGANIZATIONAL UNIT (OU) STRUCTURE AND CREATE USERS ........................... 47
STEP 3: CREATE THE GROUP POLICY OBJECT (GPO) TO DEPLOY OFFICE XP .............. 50
STEP 4: INSTALLING OFFICE XP ON CLIENT1 USING THE “ASSIGN” METHOD ................ 54
LAB 3.............................................................................................................................. 57
SCENARIO - DEPLOYING LEGACY APPLICATIONS IN THE BENANDBRADY.COM DOMAIN USING ZAP FILES ........ 58
SOFTWARE LIFE CYCLE AND GROUP POLICY OBJECTS........................................ 59
UPGRADING MICROSOFT OFFICE XP WITH MICROSOFT OFFICE 2003 ON CLIENT1 ..................... 62
REMOVING THE OFFICE 2003 SOFTWARE................................................................ 63
PUBLISHING A ZAP FILE .............................................................................................. 65
CREATING APPLICATION CATEGORIES .................................................................... 69
LAB 4.............................................................................................................................. 73
SCENARIO ..................................................................................................................... 74
MAPPING NETWORK DRIVES WITH LOGIN SCRIPTS............................................... 75
TESTING THE GPO ....................................................................................................... 81
RE-DIRECTING THE MY DOCUMENTS FOLDER........................................................ 82
CUSTOM DESKTOP SETTINGS AND SECURITY USING GROUP POLICY OBJECTS ........................... 86
LAB 5.............................................................................................................................. 91
SCENARIO - MANAGING INHERITANCE, BACKING UP AND RESTORING GROUP POLICY AND PLAYING “WHAT-IF ANALYSIS” ..... 92
INHERITANCE OF GPOS AND BLOCKING/ENFORCEMENT OF GPOS .................... 93
BACKING UP AND RESTORING GROUP POLICY OBJECTS ..................................... 99
RESULTANT SET OF POLICIES (RSOP) AND PLAYING “WHAT-IF” SCENARIOS .. 103
RESULTANT SET OF POLICIES (RSOP) ............................................................................... 103
“WHAT-IF” SCENARIOS ......................................................................................................... 107
Introduction
Welcome to Train Signal!
This series of labs on Windows Server 2000 & 2003 is designed to give you detailed, hands-on
experience working with Windows Server 2000 & 2003. Train Signal’s Audio-Visual Lab
courses are targeted towards the serious learner, those who want to know more than just the
answers to the test questions. We have gone to great lengths to make this series appealing to
both those who are seeking Microsoft certification and to those who want an excellent
overall knowledge of Windows 2000/2003.
Each of our courses puts you in the driver’s seat, working for different fictitious companies,
deploying complex configurations and then modifying them as your company grows. They
are not designed to be a “cookbook lab,” where you follow the steps of the “recipe” until
you have completed the lab and have learned nothing. Instead, we recommend that you
perform each step and then analyze the results of your actions in detail.
To complete these labs yourself, you will need three computers equipped as described in the
Lab Setup section. You also need to have a foundation in Windows 2000/2003 and TCP/IP
concepts. You should be comfortable with installing Windows XP Professional or Windows
Server 2000/2003 and getting the basic operating system up and running. Each of the labs
in this series will start from a default installation of Windows 2000/2003 and will then run
you through the basic configurations and settings that you must use for the labs to be
successful. It is very important that you follow these guidelines exactly, in order to get the
best results from this course.
The course also includes a CD-ROM that features an audio-visual walk-through of all of the
labs in the course. In the walk-through, you will be shown all of the details from start to
finish on each step, for every lab in the course. During the instruction, you will also benefit
from live training that discusses the current topic in great detail, making you aware of many
of the fine points associated with the current topic.
Thanks for choosing Train Signal!
Scott Skinger
Owner
Train Signal, Inc.
Lab Setup
Setting up the Lab
1. Computer Equipment Needed

Item            Minimum                                   Recommended
Computers       (3) Pentium I 133 MHz                     (3) Pentium II 300 MHz or greater
Memory          128 MB                                    256 MB
Hard Drive      2 GB for Windows XP,                      10 GB or larger
                6 GB for Windows Server 2003
NIC             1/machine                                 1/machine
Switch or Hub   1                                         1
Network Cable   (3) Category 5 cables                     (3) Category 5 cables
Software        Office 2000, Office XP or Office 2003     2nd copy of Office XP or 2003 to
                                                          perform a GPO Software Update
You are strongly urged to acquire all of the recommended equipment in the list above. It
can all be easily purchased from eBay or another source, for around $500 (less if you already
have some of the equipment). This same equipment is used over and over again in all of
Train Signal’s labs and will also work great in all sorts of other network configurations that
you may want to set up in the future. It will be an excellent investment in your education.
You may also want to look into a disk-imaging product such as Norton Ghost. Disk
imaging software will save you a tremendous amount of time when it comes to reinstalling
Windows 2000/2003 for future labs. Many vendors offer trial versions or personal versions
of their products that are very inexpensive.
2. Computer Configuration Overview

Computer Number   Computer Name   IP Address          OS                         Additional Configurations
1                 DC1             200.200.200.1/24    Windows Server 2003
2                 DC2             200.200.200.2/24    Windows Server 2003
3                 Client1         200.200.200.11/24   Windows XP Professional    SP2
***Important Note***
This lab should NOT be performed on a live production network. You should only use computer
equipment that is not part of a business network AND is not connected to a business network.
Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of
liability which appears at the beginning of this document and on our Website at:
www.trainsignal.com
3. Detailed Lab Configuration
Computer 1
Computer 1 will be named DC1 and the operating system on this computer will be Windows
Server 2003. If you do not have a copy of Windows Server 2003 you can obtain an
evaluation copy within the Microsoft Press series of books. When setting up DC1 you may
want to leave unallocated space for a second partition. This partition will not be used in Lab 14,
but if you keep your configuration for Lab 15 you will need a free partition in order to install
RIS.
DC1 will have a static IP address of 200.200.200.1 with a 255.255.255.0 subnet mask. The
default gateway field can be left blank but you should enter this computer’s own IP address
for the Preferred DNS field (200.200.200.1). The alternate DNS Server field can be left
blank. See figure 1, next page.
Computer 2
Computer 2 will be named DC2 and Windows Server 2003 will be installed on this
computer. DC2 will have a static IP address of 200.200.200.2 with a 255.255.255.0 subnet
mask. The default gateway field can be left blank but you should configure the preferred
DNS server setting to point to DC1, 200.200.200.1, and leave the alternate DNS setting
blank. See figure 1, next page.
Computer 3
Computer 3 will be named Client1 and have Windows XP Professional SP2 installed as the
operating system. Client1 will have a static IP address of 200.200.200.11 with a 255.255.255.0
subnet mask. The default gateway field can be left blank but you should configure the
preferred DNS server setting to point to DC1, 200.200.200.1 and leave the alternate DNS
setting blank. See figure 1, next page.
Important - You should test the network connections (using the PING command) between
each of these machines to ensure that your network is set up properly. Testing before you
get started will save you major time and effort later.
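Added example, not part of the Train Signal lab text: a batch file that automates the PING test above and also confirms that the preferred DNS server is DC1, using the Figure 1 addresses. Run it on each of DC1, DC2 and Client1 before starting Lab 1.

```batch
@echo off
rem Added example, not part of the Train Signal lab: checks one lab machine against
rem the Figure 1 addressing before Lab 1 begins. Run it on DC1, DC2 and Client1.
rem Assumes the lab's static addresses: DC1 .1, DC2 .2, Client1 .11 on 200.200.200.0/24.
setlocal
set FAILED=0

rem 1. Every machine must be able to ping the other two (and itself).
for %%H in (DC1:200.200.200.1 DC2:200.200.200.2 Client1:200.200.200.11) do (
  for /f "tokens=1,2 delims=:" %%A in ("%%H") do (
    ping -n 2 -w 1000 %%B >nul && (
      echo [OK]   %%A at %%B answers ping
    ) || (
      echo [FAIL] %%A at %%B does not answer ping
      set FAILED=1
    )
  )
)

rem 2. The preferred DNS server on every machine must be DC1 (200.200.200.1);
rem    dcpromo on DC2 and the domain join of Client1 both depend on it.
ipconfig /all | findstr /i /c:"DNS Servers" | findstr /c:"200.200.200.1" >nul && (
  echo [OK]   Preferred DNS server is DC1
) || (
  echo [FAIL] Preferred DNS server is not 200.200.200.1
  set FAILED=1
)

rem 3. The default gateway is meant to be blank in this lab; report if one is set.
ipconfig | findstr /i /c:"Default Gateway" | findstr /r "[0-9]" >nul && echo [WARN] A default gateway is configured; the lab leaves it blank

if %FAILED%==1 (echo Lab network check FAILED) else (echo Lab network check passed)
exit /b %FAILED%
```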
(Figure 1: Active Directory Lab Setup. All three computers connect to a switch.
 DC1 - Static IP 200.200.200.1/24, Windows Server 2003, services: DNS, Domain Controller.
 DC2 - Static IP 200.200.200.2/24, Windows Server 2003, services: Additional Domain Controller.
 Client1 - Static IP 200.200.200.11/24, Windows XP Professional.)
Lab 1
Creating an Active Directory Domain
Infrastructure for
Ben & Brady’s Ice Cream, Corp.
You will learn how to:
• Install Active Directory
• Perform a backup of the Active Directory
• Add additional domain controllers to the domain
• Join clients to the domain
• Test Active Directory replication between domain controllers
Scenario – The Ben and Brady Ice Cream Corp. Domain
Ben & Brady’s Ice Cream Corp. is a manufacturer of gourmet ice cream products that are
sold internationally. They are in the process of migrating their network from Novell to
Windows Server 2003 as well as replacing all of their current servers with new equipment.
Their main headquarters is located in San Francisco and they have a manufacturing facility in
Charlotte, North Carolina. The San Francisco office is connected to the Internet with a full
T1 (1.544 Mbps) and Microsoft’s ISA Server (firewall) will protect the internal network. The
facility in Charlotte is used to manufacture ice cream and to ship to Ben & Brady’s East
Coast distributors. The San Francisco office has five servers that have just been purchased,
all of which will be running Windows Server 2003. They also have 25 workstations that will be
running Windows XP Professional. The Charlotte location has five new servers that were
recently purchased, all running Windows Server 2003, and 45 workstations, all running
Windows XP Professional. Charlotte is connected to the Internet with a Fractional T1 (768
Kbps) and they also use ISA Server to protect their internal network. The two locations will
be connected together through a VPN that will be formed between the two ISA Servers over
the Internet.
Ben & Brady’s Ice Cream Co. has hired you on a contract basis to help with the
implementation of a new pristine Windows 2003 domain. You have been given the task of
installing the first domain controller on the network at the San Francisco office, which will
install Active Directory and create a new domain for Ben & Brady’s Ice Cream Co. You are
also in charge of making sure that all of the installed client computers are able to join the
new domain. The Operations Manager, Jill, also mentions that there is an opportunity for
you to become a full time Administrator with the company if the project goes well.
In this lab, you will create a new domain for Ben & Brady’s Ice Cream Co., called
benandbrady.com by building the first domain controller on the network using the Active
Directory installation program. Once your domain controller is working properly, you will
install a second Windows Server 2003 as an additional domain controller and a Windows XP
Professional machine as a client to the domain. Finally, you will test replication between the
two domain controllers.
(Figure: the benandbrady.com network. San Francisco, CA: ISA Server, Windows Server 2003
 servers, Windows XP Professional workstations. Charlotte, NC: ISA Server, Windows Server 2003
 servers, Windows XP Professional workstations. The two sites are connected through the Internet.)

(Figure: Active Directory replication in the lab. Client1, DC1 and DC2 connect to a switch;
 DC1 and DC2 each hold a copy of the Active Directory database and replicate with each other.)

In Lab 1 you will configure DC1 and DC2 as domain controllers and then test Active Directory
replication between the two servers.
Active Directory
Active Directory is a feature in Windows Server 2003 domains that allows users to log on and
access resources from anywhere in the network. It is a central, hierarchical database that
allows administrators to manage the network from a single location and makes network
security much easier to manage. Resources include users, groups, computers, printers and
shared folders, to name just a few. A directory, much like a telephone book, is essentially a
store of information. When Active Directory is installed on a Windows 2003 server, that
server is then called a domain controller. All of the domain controllers within a domain hold
the same copy of the Active Directory database in a file named NTDS.DIT. Windows 2003
domain controllers are multi-master replication partners, all replicating data back and forth
to each other.
Installing Active Directory
1. Log on as Administrator to DC1. From the desktop click on Start → Run, then type
DCPROMO in the Run box and click OK.
2. This will begin the Active Directory installation wizard. The first screen to appear is the
Welcome screen - click on Next to continue. The next screen will inform you that
Windows Server 2003 domains are not compatible with legacy Windows 95 and
Windows NT 4.0 SP3 or earlier clients due to enhanced security in Windows Server
2003. Click Next to continue.
3. This screen will ask you for the type of domain controller you would like to install. You
have two options - one is to install this as the first domain controller for a new domain
and the other is to install this as an additional domain controller for an already existing
domain. Since this is the first domain controller on the network, select Domain controller
for a new domain and click Next.
4. The next screen will ask you to create a Domain in a new forest, to install this DC as a
Child domain, or a new Domain tree in an existing forest. Select Domain in a new
forest and click Next.
5. The next screen asks you to enter the name of the new domain. In the text box type
benandbrady.com and click Next.
6. You will now be asked to specify the NetBIOS name for the domain. This is the domain
name that legacy systems (anything before Windows 2000) and applications that only
support NetBIOS will use. BENANDBRADY should already be entered as the default
NetBIOS name. You can modify this name if you like, but it will most likely lead to
confusion down the road as your domain will effectively have two names. Leave the
default name, BENANDBRADY. Click on Next.
7. The next screen will ask where you want to place the Active Directory database and log.
It’s recommended, in a production environment, that you place the log file on a separate
physical hard drive to increase the performance of Active Directory. By default it uses
%systemroot%\WINNT\NTDS for both the database and the log, where %systemroot%
is the name of the drive in which Windows Server 2003 is installed. Leave the default
values and click Next to continue. Note, that drive E: is shown below but your drive
letter will most likely be C:.
8. The next screen will ask you for the location of the SYSVOL folder. This system folder
stores any user configurations, default profiles and logon scripts that you may have on
the network.
The default location of the folder is %systemroot%\WINNT\SYSVOL. The most
important thing here is that the SYSVOL folder must be on an NTFS volume. Leave the
default location for the folder and click Next.
9. A dialog box will appear and tell you that the Wizard was unable to find the DNS server
that handles the name benandbrady.com. It will then ask you to confirm that the DNS
configuration is working properly, or to install and configure a DNS server on this
computer. Active Directory was designed to work with DNS and will not function
without a DNS server that handles name resolution for the domain. Choose Install and
configure the DNS server on this computer and click Next to continue.
10. The next screen is the Permissions screen. Due to enhanced security in Windows Server
2003, you can choose to make your new domain compatible with Windows 2000/2003
OS only or to lower the security settings to make it compatible with pre-Windows 2000
systems. Let’s leave the default for Windows 2000/2003 only and click Next.
11. The next screen will ask you for a Directory Services Restore Mode Administrator
Password. This password is used to protect against anyone other than an Administrator
from rebuilding the Active Directory database from the directory services restore mode.
This password is different from any logon password and should also be different from
the administrator’s logon password in case the administrator’s account is compromised.
Type in rainbow as the password and click Next.
12. The next screen will give you a summary of all the information you entered in the
Wizard. Review and confirm that everything is correct and click Next to start the Active
Directory installation. You may be asked for the i386 folder during the installation of
DNS, so you should have the Windows Server 2003 CD-Rom handy. The installation
should take about 15-30 minutes.
13. You will eventually get a screen letting you know that the installation is done. Click on
Finish and you will see a dialog box appear telling you that the server must be restarted
before the changes made by the Active Directory installation wizard can take effect.
Click Restart Now for the computer to restart.
Backing up the Active Directory database
1. Log on to benandbrady.com (from DC1) as the Administrator. Click Start → Run and
then type ntbackup.exe in the Run box and click OK.
2. Click Next in the Welcome screen to continue. In the next screen, ensure that Backup
files and settings is selected and click Next to continue.
3. In the next screen, ensure that Let me choose to backup is selected and click Next to
continue. In the next screen, expand My Computer by clicking on the + sign next to it.
In the expanded list, select System State. System State Data consists of the A.D.
database, the settings of the registry and all other system settings and files that are
needed to successfully backup and restore the database. Click Next to continue.
4. In the next screen, you must specify which device/drive you would like to back up to. In
our case, we will back up to C:\ADBackup. In a production environment you would
want to store your backup on another server or removable media. Click on the Browse
button, navigate to the C: drive and create a new folder called ADBackup by clicking on
the Create New Folder button on the toolbar. The File name text box has the name
Backup.bkf – the name of the A.D. backup file. Click on Save. Click Next to continue.
5. The final screen shows the selections you have made for the backup. Click on Finish to
start the Backup process. The Backup Progress window will appear to show your
progress and vital statistics such as Time required and Estimated time. This process
usually takes 5 to 7 minutes, but is largely dependent upon the size of the A.D. database.
Click on the Close button to finish the process. In the next lab we will use this copy of
Active Directory Backup to create an additional domain controller for the
benandbrady.com domain.
Installing the second Domain Controller from a backup file
In this lab we will also install the second Domain Controller for the benandbrady.com
domain. Typically, you must log in as the Administrator on the computer on which
Windows Server 2003 is installed. You must also ensure that DC1 (200.200.200.1) is listed as
the DNS server in the TCP/IP properties and that you can ping DC1. Next, you will run the
Active Directory installation wizard by typing dcpromo as you did previously with one
exception - this time you will select the option Additional Domain Controller for an
Existing Domain. DC2 would then install A.D by getting a copy of the A.D. database from
DC1. This method is great for a LAN. On a WAN, however, this is not the best method.
The size of the A.D. database and the type of WAN connection can cause problems in
creating an additional domain controller.
Windows Server 2003 has a new method of creating an additional domain controller from a
backup copy of the existing domain controller. We will use this new method to create our
second domain controller.
1. Log on to DC2 as the Administrator. Click Start → Run and type \\DC1\C$ in the
text box and click OK. You will now be connected to the C: drive of DC1 (you may
need to enter the credentials of the benandbrady.com domain Administrator).
2. Next, select ADBackup. Click Edit → Copy to Folder → Local Disk (C:) → Copy
to copy the A.D. backup from DC1 to DC2.
3. On the C: drive, create a new folder called ADRestore (File → New → Folder). We
will now restore Active Directory from our backup folder (ADBackup) to the new
folder, ADRestore. This step is necessary before we install Active Directory on this
computer. Click Start → Run → ntbackup.exe to start the Windows Backup program.
Then click Next on the Welcome screen. On the following screen, select Restore files
and settings.
4. On the What to Restore screen, browse to select ADBackup, click on Open and then
click OK.
5. On the What to Restore screen, navigate to and select System State. Click Next.
6. On the next screen, click on the Advanced button to select the Restore location.
7. On the Where to Restore screen, select Alternate location and click on Browse to select
the ADRestore folder. Click OK and then Next.
8. Click Next on the How to Restore screen and then click Next on the Advanced Restore
Options screen. Click Finish to start the restore of Active Directory to C:\ADRestore.
After the restore has finished, you will run the Active Directory Installation Wizard in
advanced mode and point to the C:\ADRestore folder to load the Active Directory
database.
9. Click Start Æ Run and then type dcpromo /adv in the text box. This will start the
Active Directory Installation Wizard that will use the A.D backup that you have restored
in the previous steps.
10. The first screen of the wizard is the Welcome screen, click Next to continue. Click Next
again on the Operating System Compatibility screen. From the Domain controller Type
screen, select Additional domain controller for an existing domain and then click
Next.
11. On the Copying Domain Information screen, select From these restored backup files:
Click the Browse button and select the ADRestore folder from the C: drive. Click
Next.
12. Click Next, leaving the default setting of No on the Global Catalog screen. This feature
will be discussed in depth in another lab in this series.
13. On the Network Credentials screen, type administrator for the User name and
password for the Password field. Click Next. Then click Next on the Database and
Log Folders screen and click Next again on the Shared System Volume screen. Type
rainbow as the Restore Mode password and confirm the password. Finally, click Next
on the Summary screen that shows the selections you have made.
14. The wizard now finalizes the process by installing Active Directory and making DC2 an
additional domain controller for the benandbrady.com domain. Click Finish and then
restart the computer.
Replication between the Domain Controllers
You can create Active Directory objects such as users and groups on any of the domain
controllers. The domain controllers then replicate the Active Directory database with each
other so that they all have a current copy of the A.D. database.
This replication takes place automatically between domain controllers on a LAN every few
minutes. However, sometimes you will want to force replication between these domain
controllers. You should force replication every time you create an additional domain
controller to ensure that your domain is synchronized.
1. Log on to DC1 as Administrator. Then select Start Æ Administrative Tools Æ Active
Directory Sites and Services.
2. In the left pane, expand Sites, expand Default-First-Site-Name, expand Servers, and
then expand DC1. Finally, select NTDS Settings. Now, in the right hand pane, right
click <automatically generated> and select Replicate Now. The replication process
will now take place. In a similar way, you can replicate by expanding DC2 on the same
screen and following the above steps. Click OK.
Important Tip: If the replication process does not go smoothly as outlined in the above
steps, simply shut down both DC1 and DC2. Then first start DC1 only. After you
have successfully logged in on DC1, start DC2. After DC2 is up and running, wait a
couple of minutes and then try the replication process again. This is a fairly common
occurrence that takes place immediately after installing a new domain controller.
Joining clients and servers to the Domain
1. Log on as the Administrator on Client1. On the Desktop, right click My Computer Æ
Properties Æ Computer Name tab Æ Click on Change button. In the Member of
section, select Domain and type benandbrady.com. Click OK.
2. When the Computer Name Changes box appears, type administrator in the User Name
field and type password in the Password field. Click OK.
***Important Note***
You need the permissions of the Administrator of the benandbrady.com domain to join
that domain. The username and password you entered are the credentials of the Domain
Administrator of benandbrady.com.
3. Click OK on the message Welcome to the benandbrady.com domain and restart the
computer when prompted.
4. When the computer restarts, press CTRL+ALT+DEL to log on. Click on the Options
button. In the Log on to field click on the drop-down box and select
BENANDBRADY. Enter administrator and password as the username and
password respectively and click OK to log on to the benandbrady.com domain as the
Administrator. Then right click on the Desktop Æ Properties Æ Desktop tab Æ
Customize Desktop and click on the check boxes for My Documents, My
Computer, My Network Places and Internet Explorer so that they are displayed on
the desktop for convenience and easy access. Click OK twice to get back to the desktop.
5. On the Desktop right click My Computer Æ Properties Æ Computer Name tab.
Now verify that Client1 is a member of the benandbrady.com domain. Click OK.
6. Next, verify that the computer objects can be found in the Active Directory of the
benandbrady.com domain. Log on as the Administrator on DC1. Click Start Æ
Administrative Tools Æ Active Directory Users and Computers. Expand the
benandbrady.com domain by clicking on the + sign to its left. Click on the Domain
Controllers container in the left pane. In the right pane observe that DC1 and DC2 are
listed as the two domain controllers in the domain.
7. Click on the Computers container in the left pane. Observe that Client1 is listed as a
client in the benandbrady.com domain. Close the window.
Lab 2
Using Group Policy Objects (GPOs) to
Deploy Applications
You will learn how to:
• Download & Install the Group Policy Management tool
• Create a Software Distribution Point (SDP)
• Install Office XP by “Assigning” it to an OU
• Create an Organizational Unit Structure
• Deploy applications using GPOs
Scenario - Deploying Microsoft Office XP using Group Policy
The Operations Manager is very pleased with the installation of Active Directory for the
Benandbrady.com domain. The replication between DC1 and DC2 is working fine and users
are able to log in from their desktops.
The next phase of the project is to install Microsoft Office XP Professional on all client
computers. In your meeting with the Operations Manager, you explain how Group Policy
can automatically install the necessary applications to users’ computers when they log in to
the network.
The Operations Manager would like you to create policies that will ensure that users get the
applications automatically. You will now create the necessary infrastructure to ensure a
smooth deployment of Microsoft Office XP Professional.
Installing the Group Policy Management tool (GPMC)
Download the GPMC from www.microsoft.com, by going to the download section of the
web page and searching for GPMC. The download file is called gpmc.msi. Double click
gpmc.msi to start the installation process. From the Welcome screen click Next and then
click I Agree in the License Agreement screen and then click Finish to complete the
installation of the GPMC. It is added as Group Policy Management in Administrative
Tools.
Application Deployment using Group Policy Objects
Log on to DC1 as the Administrator.
Step 1: Create a Software Deployment Point (SDP)
1. On the C: drive, create a folder called OfficeXP. Share the folder by right clicking on
OfficeXP Æ Sharing and Security. On the OfficeXP Properties dialog box, select
Share this folder and click OK.
2. Insert the Microsoft Office XP CD into the CD-ROM drive and copy the contents of
the CD to C:\OfficeXP. This is called the Software Distribution Point (SDP) because
Office XP will be installed to the client computers from this location. Hence, the
OfficeXP folder is also shared so that clients can access it from the network.
(Figure 2: Active Directory OU structure for the benandbrady.com domain. The CA OU
contains the Marketing, Accounting and Sales OUs; the NC OU contains the Marketing,
Accounting and Sales OUs.)
Step 2: Create the Organizational Unit (OU) structure and create users
1. Log on to DC1 as the Administrator and go to Start Æ Administrative Tools Æ
Active Directory Users and Computers. On the left pane, right click on
benandbrady.com and select New Æ Organizational Unit. Type CA in the Name
field and click OK. You have now created an Organizational Unit for California called
CA. Refer to Figure 2 above if you have any questions about the hierarchy.
2. Next, create 3 OUs in CA - Marketing, Accounting, Sales. Since you are creating
these OUs within the CA OU, you must first right click CA and then select New Æ
Organizational Unit. Type in Marketing to create the Marketing OU under CA.
Using this procedure create 2 additional OUs for Accounting and Sales. At the end of
this step, your OU structure should be as follows.
3. Create another OU in the benandbrady.com domain for North Carolina and name it
NC. You should now have two OUs showing in the left pane of the Active Directory
Users and Computers console. One named NC for the North Carolina location and one
named CA for the California location. Right click on the NC organizational unit and
select New Æ Organizational Unit. Type in Marketing for the name of the new
organizational unit and click OK. You have now created an organizational unit for the
marketing department within the NC (North Carolina) organizational unit. Next, create
additional organizational units for the Sales and Accounting departments within the
NC (North Carolina) OU. Your final structure should look like the screen below.
4. Next, create a user in the CA Æ Accounting OU. Under CA, right click Accounting
and select New Æ User.
5. Type Jill in the First name, Smith in the Last name and JSmith in the User logon name
fields. Click Next. Type Password1 in the Password and Confirm password fields.
Uncheck User must change password at next logon. Click Next and then click
Finish to create the user Jill Smith.
6. Now, create the following users from the table below. Make sure that they are
created within the correct OUs.
First Name   Last Name   Username   Password    OU
Jack         Straw       jstraw     Password1   NCÆMarketing
Sue          Stevens     sstevens   Password1   NCÆSales
Bob          Hayes       bhayes     Password1   NCÆAccounting
Peter        Ramirez     pramirez   Password1   NCÆAccounting
Maria        Perez       mperez     Password1   CAÆMarketing
Mark         Jones       mjones     Password1   CAÆSales
Christina    Sanchez     csanchez   Password1   CAÆAccounting
Step 3: Create the Group Policy Object (GPO) to deploy Office XP
1. Click Start Æ Administrative Tools Æ Group Policy Management. The Group
Policy Management window opens.
2. In the left pane, expand Forest: benandbrady.com by clicking on the + sign. Expand
Domains and then benandbrady.com to view all the objects in the benandbrady.com
domain.
3. Right click CA and select Create and Link a GPO here. Type OfficeXP in the New
GPO box. Click OK.
4. The OfficeXP GPO is now listed in the Group Policy Objects container and is linked to
the CA OU.
5. You are now ready to edit the GPO for OfficeXP deployment. Right click OfficeXP in
the Group Policy Objects container and click Edit. This opens the Group Policy Object
Editor. Expand User Configuration Æ Software Settings, right click Software
Installation and select New Æ Package.
6. In the Look in box select My Network Places. Double click Entire Network. Then
double click Microsoft Windows Network and benandbrady.com. Double click DC1
and OfficeXP and then select Proplus.msi (the .msi file might have a different name
depending upon the version of Office you are using). Click Open to select the file.
7. Next, select Assigned in the Deploy Software box and click OK. OfficeXP is now
deployed. Close the window to return to the GPMC window.
Step 4: Installing Office XP on Client1 using the “Assign” method
1. On the computer Client1, log on as JSmith to the benandbrady.com domain using the
password Password1. The “Assign” method of deploying applications means that
shortcuts to the applications will appear in the Start Æ All Programs menu. Click Start
Æ All Programs Æ Microsoft Word to install the application.
2. If prompted, enter the Product Key and click Next. Accept the License Agreement and
click Next. Ensure Install Now is selected and click Next. If you would like to install
the complete package with all of the graphics files and templates, you may choose
Complete. Click Install on the next screen to finish the installation.
You have successfully installed OfficeXP! Any user in the CA OU or any child OUs of
CA will get this application due to the inheritance of Group Policy Objects.
3. Log off as JSmith and log on as JStraw (Jack Straw is a user in the NC/Marketing OU).
Click Start Æ All Programs and observe that Jack Straw does not have Office XP
installed because the OfficeXP GPO was only linked to the CA OU. If all of our users
need OfficeXP then we must link the OfficeXP GPO to the NC OU as well.
Log off as JStraw. On DC1, click Start Æ Administrative Tools Æ Group Policy
Management. Right click NC Æ Link an Existing GPO Æ select OfficeXP and
click OK. Now all the users in NC and its child OUs will be assigned OfficeXP. Let’s
test it.
4. To refresh Group Policy Objects so that they are applied immediately, click Start Æ
Run Æ gpupdate. On Client1, log on as JStraw. Jack Straw can now use the
applications in OfficeXP.
This is all that you need to do to deploy applications to clients using Group Policy Objects
in Active Directory. To summarize you must perform the following steps:
1. Create the Software Distribution Point (SDP).
2. Create OUs and users.
3. Create GPOs and link GPOs to the appropriate OUs.
That’s it! Use the following checklist if things do not work out as expected:
✓ DNS is listed correctly in the TCP/IP properties of the client.
✓ The user account belongs to an OU, or a child OU, that is linked to the GPO.
✓ Refresh the Group Policy using gpupdate.
✓ Shut down and restart the client computer and then log off/on if all else
fails.
Lab 3
Managing Application Life-Cycles for the
benandbrady.com Domain
You will learn how to:
• Manage the Software Life-Cycle
• Upgrade Office XP to 2003 using a GPO
• Remove software using a GPO
• Create a custom .zap file
• Publish legacy applications using .zap files
• Create application categories
Scenario - Deploying legacy applications using ZAP files
The Operations Manager really liked the concept of application availability at the “push of a
button”. He now asks whether policies can be configured so that every application that a
user needs can be deployed in this manner.
You explain that the ultimate goal is to make every application that a user needs available at
the “push of a button”. However, legacy applications (older applications) prevent this from
happening. You then explain to the Operations Manager the difference between applications
that have Microsoft Installer (.msi) files versus the regular setup.exe files.
The solution for legacy applications is to “Publish” them to users using a ZAP file. The
Operations Manager wants you to implement policies that will install these legacy
applications and then train the users to install any application that they are authorized to use
from the Control Panel. You also suggest creating categories, so that users can easily find
the published applications that are available to them.
In this lab you will create Group Policy Objects that will publish legacy applications to the
benandbrady.com domain.
Software life cycle and Group Policy Objects
The natural life cycle of an application is: install the new application Æ upgrade to the
latest version when it becomes available Æ uninstall the application when it is no longer
needed.
Group Policy Objects can be used to manage the entire life-cycle of applications. We have
already installed OfficeXP. Now let’s upgrade OfficeXP to Office 2003 (this can be
performed with most applications that include MSI files).
1. Log on to DC1 as the Administrator. Create an SDP by creating a folder on the C: drive
called Office2003, sharing it and copying the contents of the Office 2003 CD-ROM to
this share. Click Start Æ Administrative Tools Æ Group Policy Management. Right
click CA Æ Create and link a GPO here Æ Office2003 Æ OK. Right click
Office2003 in the Group Policy Objects node and select Edit. Expand User
Configuration Æ Software Settings Æ Software installation Æ New Æ Package.
2. Next, navigate My Network Places to DC1, find the Office2003 share, select pro11.msi
(this file name will depend upon the version of Office you are running) and select Open.
Check Assigned in the Deploy Software dialog box and click OK.
3. So far we have simply deployed Office 2003. Now we must instruct the GPO that
Office 2003 must upgrade Office XP on our client computers. To do this, in the right
hand pane, right click Microsoft Office Professional Edition 2003 Æ Properties Æ
select Upgrades tab.
4. Click Add on the next screen and choose A specific GPO. Next, click the Browse
button and select Office XP. Choose OK to finish this step.
5. For the next step, click the Required upgrade for existing package check box and
click OK. You have now instructed the Office2003 GPO to upgrade the Office XP
package. Close the Group Policy Editor window.
6. In the Group Policy Management console, select CA in benandbrady.com. In the right hand pane, select
Office2003 and click on the Up arrow button to move Office2003 GPO to the top of
the Link Order. This will ensure that the Office2003 GPO gets processed first and will
look to upgrade Office XP. You should now run gpupdate to ensure that the new
GPO is in effect.
Upgrading Microsoft Office XP with Microsoft Office 2003 on Client1
1. On Client1, log on as JSmith. Notice that, in the Windows XP Professional startup
screen, you will get a message that OfficeXP is being uninstalled. Once this has finished,
select Start Æ All Programs Æ Microsoft Office to see all of the applications in this
package. Click Microsoft Word to install the application as was done in the previous
lab.
Removing the Office 2003 Software
If users in the CA OU no longer need the Office 2003 suite of applications you can uninstall
the applications using Group Policy. Here is the procedure.
1. Click Start Æ Administrative Tools Æ Group Policy Management Æ Group
Policy Objects, right click OfficeXP Æ Delete. Click OK to delete the GPO and all its
links to OUs. The OfficeXP GPO was deleted to ensure that it is not applied after we
uninstall Office2003.
2. Next, in the Group Policy Objects node, right click Office2003 Æ Edit Æ User
Configuration Æ Software Settings Æ Software installation. In the right hand pane
right click Microsoft Office 2003 Æ All Tasks Æ Remove.
3. Select Immediately uninstall the software from users and computers and click OK.
Close the window.
4. Click Start Æ Run Æ gpupdate to refresh the policies. Then log on as JSmith from
Client1. In the start up screen you will see the message: Removing managed software
Microsoft Office Professional Edition 2003. If you click Start Æ All Programs you
will see that Microsoft Office 2003 is no longer listed in the menu.
Publishing a ZAP file
You will use the same steps to publish applications as you did in assigning applications in
previous labs.
1. First, you need to create a Software Distribution Point (SDP). On DC1 create a folder
called WinZip. Share the folder and download WinZip from the internet
(www.winzip.com), then save it in the WinZip shared folder. In the C:\WinZip folder
click File Æ New Æ Text Document and type zip.zap as the file name. Click Yes to
accept.
2. Double click zip.zap and type the following lines of code:
[Application]
FriendlyName=WinZip 9.0
SetupCommand=\\DC1\Winzip\winzip90.exe
DisplayVersion=9.0
Publisher=WinZip Computing, Inc.
Click File Æ Save and then close the Notepad window. The WinZip share should now
have two files as shown in the following figure.
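A .zap file is a plain INI file, and the most common mistakes in it (a missing [Application] section, a SetupCommand that points at a local drive instead of the distribution point, an unquoted path with spaces) only show up later as a silent failure in Add/Remove Programs. The following PowerShell function is an added example, not part of the Train Signal lab or of WinZip; Test-ZapFile is a hypothetical name, the sample file content is constructed, and it assumes Windows PowerShell is available on DC1. It parses the file the way the lab wrote it and reports anything Group Policy or the client will choke on.

```powershell
# Added example (not part of the lab): validate a .zap file before publishing it with a GPO.
# Test-ZapFile is a hypothetical helper name; the sample content below is constructed.
function Test-ZapFile {
    param([Parameter(Mandatory=$true)][string]$Path)

    $issues  = @()
    $section = ''
    $keys    = @{}

    # Minimal INI reader: [Section] headers, Key=Value lines, ';' comment lines.
    foreach ($line in (Get-Content -Path $Path)) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }
        if ($trimmed -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($trimmed -match '^([^=]+)=(.*)$') {
            $keys["$section/$($matches[1].Trim())"] = $matches[2].Trim()
        }
    }

    # [Application] with FriendlyName and SetupCommand is the minimum Group Policy accepts.
    foreach ($required in 'Application/FriendlyName', 'Application/SetupCommand') {
        if (-not $keys.ContainsKey($required)) { $issues += "Missing $required" }
    }

    $setup = $keys['Application/SetupCommand']
    if ($setup) {
        # Executable part of the command: the quoted token if present, else up to the first space.
        $exe = if ($setup.StartsWith('"')) { $setup.Split('"')[1] } else { ($setup -split ' ')[0] }

        # The command runs on the client, so it must be a UNC path on the SDP, never C:\...
        if ($exe -notmatch '^\\\\[^\\]+\\[^\\]+\\') {
            $issues += "SetupCommand is not a UNC path on the distribution point: $setup"
        }
        # An unquoted path with spaces is truncated at the first space, so this check catches it too.
        elseif (-not (Test-Path -LiteralPath $exe)) {
            $issues += "SetupCommand target not found (check the share, or quote a path with spaces): $exe"
        }
    }
    return $issues
}

# Constructed sample: the lab's zip.zap with one deliberate defect (local path instead of \\DC1\WinZip).
$sample = @'
[Application]
FriendlyName=WinZip 9.0
SetupCommand=C:\WinZip\winzip90.exe
DisplayVersion=9.0
Publisher=WinZip Computing, Inc.
'@
$tmp = Join-Path $env:TEMP 'zip-check.zap'
Set-Content -Path $tmp -Value $sample
Test-ZapFile -Path $tmp     # reports the local-path SetupCommand; an empty result means the file is usable
```

Two properties of .zap deployment are worth keeping in mind when you write the file: a .zap package can only be published, never assigned, and because it does not go through the Windows Installer service the setup program runs with the logged-on user's own rights, so a standard user cannot install anything that needs administrator privileges this way. For the same reason the SDP share should give users read access only; every user who clicks Add runs whatever executable sits there.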
3. Close Windows Explorer. Click Start Æ Administrative Tools Æ Group Policy
Management. Right click CA Æ Create and link GPO here, type WinZip and click
OK. You have created a new GPO and now you must edit it.
4. In the Group Policy Objects node, right click WinZip Æ Edit Æ User Configuration
Æ Software Settings. Right click Software Installation and select New Æ Package.
5. In the Look in box, navigate to My Network Places Æ DC1 Æ WinZip. In the Files
of type box at the bottom, ensure that you select .zap to view the zip.zap file. Click
Open. Ensure that Published is selected and click OK.
Close all windows and then click Start Æ Run Æ gpupdate.
6. On Client1, log on as the Administrator. Click Start Æ Control Panel Æ
Add/Remove Programs and select the Add New Programs section on the left pane.
WinZip 9.0 is displayed. Click Add to install the application.
Creating application categories
If you publish a number of applications in your domain, it is a good idea to categorize them
into logical groups such as Tools, Design, Accounting, Programming and so on. This makes
it easier for users to find the application that they need.
1. Log in to DC1 as the Administrator. Click Start Æ Administrative Tools Æ Group
Policy Management. In the Group Policy Objects container, right click WinZip Æ
Edit to open the Group Policy Editor. Then select User Configuration Æ Software
Settings Æ Right-click Software installation Æ Properties.
2. Select the Categories tab and click Add. Type Tools in the Enter new Category box.
Click OK.
3. In the same way, add two other categories, Accounting and Programming. Click OK.
The three categories you just created are available for use in the entire benandbrady.com
domain. If you publish an Accounting application - for example, Great Plains
Accounting - you can use the Accounting category you just created. In summary,
categories are created just once, using any GPO. Once created, they can be used to
categorize applications as needed.
4. Now select WinZip 9.0 in the right-hand pane, right click it and select Properties.
5. Select the Categories tab, select Tools in the Available categories pane and then click
Select to move it to the Selected categories pane on the right hand side. Click OK.
Close the Group Policy Editor window. You have now created 3 categories and
classified WinZip 9.0 in the Tools category. Now let’s test this GPO.
6. On Client1, log on as the Administrator. Click Start Æ Control Panel Æ
Add/Remove Programs Æ Add New Programs. On the right side of the Add or
Remove Programs window, click on the Category drop down box. Observe that there
are four items here - All categories, Tools, Accounting and Programming. Select Tools
from the list to install WinZip 9.0.
Lab 4
Creating Login Scripts, Re-directing the
My Documents Folder and Desktop Security
You will learn how to:
• Use the Net Use command to map network drives
• Create Batch files to use in Login Scripts
• Deploy login scripts using Group Policy Objects
• Re-direct the My Documents folder for users
• Create custom desktops using Group Policy Objects
Scenario
The Operations Manager just finished summarizing the employee survey on the
Benandbrady.com network. The employees are very satisfied with the availability of
applications “at the touch of a button”. The Operations Manager congratulates you on a job
well done. He can finally see how efficient and cost-effective Active Directory can be once it
is configured properly for the network.
You gracefully accept the compliments and inform the Operations Manager that more is yet
to come. It is now time to make user data available from any computer in the domain.
Next, you will be creating login scripts so that network resources will be mapped to the X:,
Y: and Z: drives on all computers in the network. Users will continue to save their work in
the My Documents folders, but the contents of these folders will be saved on the network
server. Thus, the users can now access files from their My Documents folder from any
computer on the network.
The Operations Manager is also concerned about users changing their computer settings, as
he would like IT operations to run as smoothly in the future as they are running today. You
inform him that you will set up desktop policies and lock down the computers so that users
cannot damage the software on their computers.
In this lab you are going to create Group Policy Objects to accomplish all of the objectives
mentioned above.
Mapping network drives with login scripts
To access resources on the network, users can either use My Network Places or the
Universal Naming Convention (UNC) of the share. If there are shares that users need to
access on a regular basis, it is best to map a drive to that share. This makes it very easy for
users to access the resource by using My Computer and double-clicking on the drive letter of
the share, just as they would access the hard drive or the CD-ROM on their computer. Login
scripts enable the administrator to map drives to network shares automatically every time the
user logs in.
1. Log in to DC1 as the Administrator. On the desktop, double click My Computer then
double click the C: drive and select File Æ New Æ Folder. Name the folder HR when
prompted. Then, right click HR, select Sharing and Security and select Share this
folder. Click OK.
You have now created a folder named HR and shared it. Using the same steps, create
two other shares, Production and Sales. At the end of this step, you should have three
shares - HR, Production and Sales. You will map the X:, Y: and Z: drives to these shares
respectively.
2. Next, you will create a login script using a batch file. To open Notepad, click
Start Æ Run, type notepad and click OK. Now click Start Æ Administrative
Tools Æ Group Policy Management. Right click CA and select Create and Link a
GPO here. Type DriveMapping in the name box and click OK.
3. In the notepad window, type the following lines of code:
net use x: \\dc1\hr
net use y: \\dc1\production
net use z: \\dc1\sales
4. Click File Æ Save As then select C: in the Save in box and type login.bat for the File
name. Click Save.
You have just created a login script called login.bat and saved it to the C: drive. The
syntax to map a drive using commands is:
net use <drive letter>: \\servername\sharename
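The three net use lines do the job, but a batch logon script has no memory: if a drive letter is already mapped to an old share (for example after the Production share moves to another server), net use fails on that letter and the user is left with a stale mapping. The script below is an added example, not part of the lab; it is a PowerShell logon script rather than a batch file, so it assumes Windows PowerShell is installed on the XP clients, and Connect-LabDrives is a hypothetical name. It maps the same three shares as login.bat, but skips mappings that are already correct, replaces stale ones, and records any failure where the help desk can find it.

```powershell
# Added example (not part of the lab): an idempotent logon script for the X:, Y: and Z: mappings.
# Connect-LabDrives is a hypothetical helper name; the log file path is constructed.
$LabDrives = @{ 'X:' = '\\dc1\hr'; 'Y:' = '\\dc1\production'; 'Z:' = '\\dc1\sales' }

function Connect-LabDrives {
    param([hashtable]$Map = $LabDrives)
    $net    = New-Object -ComObject WScript.Network
    $failed = @()

    # EnumNetworkDrives returns letter, path, letter, path, ... for the current user's mappings.
    $current = @{}
    $list = @($net.EnumNetworkDrives())
    for ($i = 0; $i -lt $list.Count; $i += 2) { $current[$list[$i]] = $list[$i + 1] }

    foreach ($letter in $Map.Keys) {
        $target = $Map[$letter]
        if ($current.ContainsKey($letter)) {
            if ($current[$letter] -ieq $target) { continue }    # already mapped correctly
            # Stale mapping: force-disconnect it and forget it from the profile.
            $net.RemoveNetworkDrive($letter, $true, $true)
        }
        try {
            # Third argument $false = not persistent. The logon script re-creates the mapping
            # every time, so a remembered mapping cannot outlive a change to the share layout.
            $net.MapNetworkDrive($letter, $target, $false)
        } catch {
            $failed += "$letter -> $target : $($_.Exception.Message)"
        }
    }
    return $failed
}

$mapFailures = Connect-LabDrives
if ($mapFailures) {
    # Write failures to a local log so a missing drive can be diagnosed without visiting the user.
    $mapFailures | Out-File -FilePath (Join-Path $env:TEMP 'logon-drives.log') -Append
}
```

The script would be copied into the GPO's logon-script folder exactly as login.bat is in the steps that follow, and added on the Logon Properties screen in its place.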
5. In the Group Policy objects container, right click DriveMapping Æ Edit Æ User
Configuration Æ Windows Settings and select Scripts (Logon/Logoff).
6. In the right hand pane, double click Logon to open the Logon Properties box. Click the
Show Files button. This opens up a policies window. Keep this window open and
copy the file login.bat from C: to this window.
7. Copy the file by going to the C: drive in My Computer and locating the login.bat file that
you created in an earlier step. Right click login.bat and select Copy.
8. Switch to the policies window you opened previously and paste login.bat into this
window by selecting Edit Æ Paste. This will copy the login.bat file to this window.
Close the window. Then, in the Logon Properties screen, click Add.
9. Click Browse in the Add a Script window, select login.bat and click Open. Click OK
to close the dialog box.
10. Click OK to finish adding the login script. Close the Group Policy Object Editor
window and the Group Policy Management window.
To summarize, you have done the following:
✓ Created a login script using Notepad.
✓ Created a GPO.
✓ Edited the GPO by copying the login.bat file to the appropriate location.
Testing the GPO
1. On Client1, log in as JSmith. Then click Start Æ My Computer.
Observe that you have 3 drives in the Network drives section - X:, Y: and Z:. Users
simply have to double-click on these drive letters to access network shares. Also, you do
not have to visit each computer to map these drives. The login script is run automatically
every time a user logs in. It is now easy to add or remove network shares.
Re-directing the My Documents folder
Each user has a storage location for personal work called the My Documents folder. This
folder is located in the C:\Documents and Settings folder under the user’s logon name.
If the user logs on to another computer, the files in that My Documents folder are not
available from the new computer. Hence, it is important that the
contents of the My Documents folder be saved on a central server. After this change, all
documents saved in My Documents will no longer be located on the C: drive. Instead, they
will be saved on a central server and can be retrieved from any computer in the domain. This
can be accomplished by using a Group Policy that will re-direct the My Documents folder
from the C: drive to a network share on a central server.
1. Log on as the Administrator on DC1. On the C: drive, create a new folder called
UserDocs. Share the UserDocs folder. From the Sharing tab of UserDocs, select
Permissions and give the Everyone group Full Control. Click OK.
2. Next, select the Security tab; click Add, type Domain Users and then click OK.
3. Select Full Control for permissions and click OK.
4. Open the Group Policy Management console by going to Start Æ Administrative
Tools Æ Group Policy Management. Right click CA and select Create and Link
GPO Here. Name the GPO MyDocs. From the Group Policy Objects container, right
click MyDocs Æ Edit Æ User Configuration Æ Windows Settings Æ Folder
Redirection Æ My Documents.
5. Right click My Documents Æ Properties then select Basic – Redirect everyone’s
folder to the same location in the Setting drop-down box. In the Root Path field, type
\\dc1\userdocs.
The GPO will now create a folder for each user in the UserDocs folder. Let’s put this
GPO to work.
6. Close the Group Policy Editor and the Group Policy Management window. Refresh
the policies by clicking Start Æ Run and typing gpupdate. On Client1, log in as JSmith. Click
Start Æ right-click My Documents and observe that all files stored in My Documents
will now be saved to the UserDocs share on DC1. In this example, a folder called JSmith
was created by the GPO to store files of this user in this folder. In the same way, each
user will have a private folder in the UserDocs folder.
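The lab grants Everyone Full Control on the share and Domain Users Full Control on the NTFS folder so that the redirection is guaranteed to work in a classroom. On a production server that NTFS grant lets every domain user browse every other user's redirected folder until the GPO's "Grant the user exclusive rights" option has done its work, and it stays too broad for anything created outside the GPO. The function below is an added example, not part of the lab; Set-RedirectionRootAcl is a hypothetical name, it assumes Windows PowerShell on DC1 and the domain NetBIOS name BENANDBRADY from the lab, and it applies Microsoft's documented permission layout for a folder-redirection root: Domain Users may only list the root and create their own subfolder, CREATOR OWNER gets Full Control of what they create, and nothing else is inherited into other users' folders.

```powershell
# Added example (not part of the lab): least-privilege NTFS permissions for the redirection root.
# Set-RedirectionRootAcl is a hypothetical helper name. Share-level permissions are left as the lab
# set them; with this NTFS layout the share permission is no longer what protects the data.
function Set-RedirectionRootAcl {
    param([Parameter(Mandatory=$true)][string]$Root)    # e.g. C:\UserDocs
    if (-not (Test-Path -LiteralPath $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }

    $acl = Get-Acl -Path $Root
    # Stop inheriting from C:\ (which normally gives BUILTIN\Users read access to everything
    # below it) and drop any explicit ACEs already present, so only the rules added here remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { [void]$acl.RemoveAccessRule($ace) }

    $fullInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noInherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $noProp      = [System.Security.AccessControl.PropagationFlags]::None
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # SYSTEM and local Administrators: Full Control on the root and everything beneath it.
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $fullInherit, $noProp, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $fullInherit, $noProp, $allow)
        # CREATOR OWNER: Full Control on subfolders and files only. The redirection client creates
        # each user's folder as that user, who therefore owns it and gets rights to that folder alone.
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', 'FullControl', $fullInherit, $inheritOnly, $allow)
        # Domain Users: only enough on the root itself to list it and create their own subfolder.
        # "This folder only" (no inheritance), so nothing flows into other users' folders.
        New-Object System.Security.AccessControl.FileSystemAccessRule('BENANDBRADY\Domain Users', 'ListDirectory, CreateDirectories', $noInherit, $noProp, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Root -AclObject $acl

    # Return the resulting ACL so the change can be reviewed or logged.
    return (Get-Acl -Path $Root).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

Set-RedirectionRootAcl -Root 'C:\UserDocs'
```

Run this on DC1 after step 1 instead of granting Domain Users Full Control in step 3; the MyDocs GPO in steps 4 and 5 works unchanged, because the redirection client only needs to create one folder under the root and then owns it.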
Custom desktop settings and security using Group Policy Objects
1. Click Start Æ Administrative Tools Æ Group Policy Management then right click
CA Æ Create and Link GPO Here and type Desktop as the name of the new GPO. In the
Group Policy Objects container, right click Desktop Æ Edit Æ User Configuration
and expand and select Administrative Templates.
2. Select Start Menu and Taskbar. In the right hand pane click on the Standard tab at
the bottom of the screen, double click Remove Run from the Start Menu and then
select Enabled and click OK.
You have just configured the GPO to remove “Run” from the client computers of users
to which this GPO applies. Let us now configure additional policies using the following
table:
Administrative Template                    Setting
Desktop                                    Remove properties from the My Computer context menu
Control Panel                              Prohibit access to the Control Panel
Windows Components Æ Internet Explorer     Disable changing connection settings
3. Close the Group Policy Editor and Group Policy Management windows. Refresh by
Start → Run → gpupdate. On Client1, log on as JSmith. Let’s verify the settings
applied by the Desktop GPO. Click Start and observe that Run is missing from the
menu.
4. Right-click My Computer → Properties. You will get a Message Box informing you
that this setting has been disabled by the Administrator.
Now access the Control Panel from Start → My Computer → Control Panel or try to
access the Internet Explorer settings and you will get the above message. Log off as
JSmith.
Lab 5
Advanced Group Policy Object (GPO)
Management & RSOP
You will learn how to:
• Block policy inheritance
• Enforce policies in the Active Directory tree
• Backup and Restore Group Policy Objects
• Determine the Resultant Set of Policies on users and computers
• Play what-if scenarios in planning policies
Scenario – GPO Management & RSOP
The Operations Manager has just concluded the Senior Management meeting. He
congratulates you on your accomplishments. Ben and Brady Ice Cream Corp. would like to
retain your services as a Consultant to maintain and, when necessary, upgrade the
benandbrady.com domain.
You thank the Operations Manager. Now it is time to begin the final phase of the domain
restructure. You explain how Group Policy object inheritance works and how you can
make exceptions to the rule so that supervisors and power users of the domain can easily
perform their duties.
The next topic on the agenda is the backup and restore mechanism. The Operations
Manager would like you to write detailed steps and do a hands-on demonstration. He would
like to ensure that backup of the Active Directory is performed on a regular basis.
The last item on the agenda is to determine the Resultant Set of Policies. When you go on to
describe the process and mention the phrase “What-if Analysis”, the Operations Manager
gets extremely involved. He regularly performs this kind of analysis with numbers on his
spreadsheet. He is confident that he would be able to generate regular reports once you
show him the procedure.
You roll up your sleeves and get down to the implementation of the final element of this
project.
Inheritance of GPOs and blocking/enforcement of GPOs
Group Policy objects can be applied to Sites, Domains and Organization units in the Active
Directory domain. If a GPO is applied to a parent object then, by default, it is inherited by
all the child objects below it. In the benandbrady.com domain, we applied most of the
GPOs to the CA (California) Organizational Unit. There are no user accounts in the CA
OU. The GPOs were inherited by the child OUs – Marketing, Accounting and Sales. Hence,
when Jill Smith (a user in the CA/Accounting OU) logs in to the domain, she receives all the
settings of the GPOs linked to the CA OU through inheritance. See figure 3, below.
(Figure 3: the benandbrady.com domain with the CA and NC OUs, each containing Marketing, Accounting and Sales child OUs that hold the user objects; the GPO is linked at the CA OU and inherited by its child OUs.)
This inheritance can be viewed by using the Group Policy Management tool.
1. On DC1, log in as Administrator. Click Start → Administrative Tools → Group
Policy Management. Expand the benandbrady.com domain and click on the CA
Organizational Unit. The right-hand pane has 3 tabs:
i) Linked Group Policy Objects
ii) Group Policy Inheritance
iii) Delegation
The Linked Group Policy Objects tab lists all the GPOs that are linked directly to the
CA OU.
2. Click on the Group Policy Inheritance tab. It lists all the GPOs inherited (and
therefore applied) to the CA OU. Notice that this tab has one additional GPO called
Default Domain Policy that it has inherited from the benandbrady.com domain object in
the Active Directory tree.
3. Click on the Delegation tab. This tab shows the groups that have permission to link
GPOs to the CA OU.
4. Expand the CA OU and click on the Accounting OU. Notice that Accounting does not
have any linked GPOs. However, Accounting inherited the GPOs from the CA OU
since it is a child OU of CA.
5. Click on the Group Policy Inheritance tab. This tab shows all the GPOs inherited by
the Accounting OU.
There are two ways of changing the default inheritance behavior:
1. Block Policy Inheritance.
2. Enforce Policies.
Block Policy Inheritance is used so that the child OU does not inherit the GPOs linked at the
parent containers. Use this option if you want a child OU to have policies that are distinct from the
parent OU.
Enforce Policies is used to ensure that the policy is forcibly applied to all child containers
regardless of the settings at the child OU. Use Enforce Policies to ensure that junior level
administrators do not override policies that are set up by the Domain or Enterprise
Administrators.
1. Select Accounting, right click and then select Block Inheritance. Notice the blue
exclamation sign:
This indicates that the Inheritance has been blocked. Also notice that the right hand
pane is blank since no policy has been inherited.
2. In the CA OU, right click the Desktop Group Policy link and select Enforced in the
menu. Notice the padlock symbol:
This indicates that this policy will now be forcibly applied to all child OUs.
3. Click on the Accounting OU. In the Group Policy Inheritance tab in the right hand
pane, observe that Desktop policy from the CA OU will now be enforced upon this OU.
4. Close the Group Policy Management window.
Backing up and restoring Group Policy Objects
1. On the C: drive, create a folder called GPO-Backup. Click Start → Administrative
Tools → Group Policy Management → Group Policy Objects → DriveMapping.
Then right click and select Backup from the short-cut menu.
2. In the Back Up Group Policy Object box click Browse; locate and select GPO-Backup
in the C: drive and then click Backup.
3. The tool will now back up the DriveMapping GPO to C:\GPO-Backup. Click OK when
the backup finishes.
4. Click Start → My Computer, double click the C: drive and then double click the
GPO-Backup folder. The contents of this folder show the backup listed with the GUID of
the GPO.
5. Now, let’s delete the GPO and then see how it can be restored from backup. In the
Group Policy Management window, right click DriveMapping → Delete → OK in the
box that informs you that the GPO and all the links in this domain will be deleted.
6. Now, let’s restore the GPO we’ve just deleted. Select and right click Group Policy
Objects → Manage Backups. In the Manage Backups window, select the
DriveMapping GPO and click Restore.
7. Click OK in the next box. The DriveMapping GPO will now be restored in the Group
Policy Objects container.
***Important Note***
You have restored the GPO and not the links. You will now have to link the
DriveMapping GPO to Organizational Units manually.
Resultant Set of Policies (RSoP) - Playing “What-if” scenarios
When you have several GPOs deployed in your domain, it is very important to determine
the net result that these GPOs will have on the users and/or computers. GPOs can be
linked to Sites, Domains and OUs. To make matters more complicated, each Site, Domain
and OU (and child OUs as well) can have several GPOs, which are processed in their link order.
There is also inheritance to consider – a container inherits the GPOs linked at its parent
containers even if none is linked to it directly. This behavior can be changed by Enforcement
or Block Policy Inheritance.
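The inheritance, Block Inheritance and Enforced rules described above, together with the what-if move of JSmith to NC/Accounting later in this lab, can be modelled in a few lines. This is an added Python example, not part of the Train Signal lab; the container and GPO names come from the lab, while the link order at CA and any settings passed to resultant_settings are constructed assumptions.

```python
# Added example (not from the Train Signal lab): a small model of how Group
# Policy computes which GPOs apply to an object, using the lab's containers and
# GPO names. Link orders and the what-if link are constructed for illustration.
from typing import Dict, List, Set, Tuple

# links[container] = [(gpo_name, enforced), ...] in link order (first = link order 1)
Links = Dict[str, List[Tuple[str, bool]]]


def applied_gpos(path: List[str], links: Links, blocked: Set[str]) -> List[str]:
    """GPOs applied to an object in the container chain `path` (domain first,
    leaf OU last), ordered from lowest to highest precedence, i.e. the order in
    which Group Policy applies them. Rules modelled:
      - a child container's links are applied after (win over) its parent's;
      - within one container, link order 1 is applied last;
      - Block Inheritance drops every GPO from parent containers except Enforced ones;
      - Enforced links are applied after all others, the topmost container's last."""
    normal: List[str] = []                 # non-enforced GPOs, in application order
    enforced_by_level: List[List[str]] = []
    for container in path:
        if container in blocked:
            normal = []                    # discard what the parents passed down
        ordered = list(reversed(links.get(container, [])))  # link order 1 applied last
        normal.extend(gpo for gpo, enforced in ordered if not enforced)
        enforced_by_level.append([gpo for gpo, enforced in ordered if enforced])
    enforced: List[str] = []
    for level in reversed(enforced_by_level):   # leaf OU first, domain last
        enforced.extend(level)
    return normal + enforced


def resultant_settings(gpos: List[str], settings: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Merge per-GPO settings; a later (higher precedence) GPO overrides an earlier one."""
    result: Dict[str, str] = {}
    for gpo in gpos:
        result.update(settings.get(gpo, {}))
    return result


# Lab layout: JSmith sits in CA/Accounting; GPOs are linked at the domain and at CA.
LAB_LINKS: Links = {
    "benandbrady.com": [("Default Domain Policy", False)],
    "CA": [("DriveMapping", False), ("MyDocs", False), ("Desktop", False)],
}
JSMITH_PATH = ["benandbrady.com", "CA", "CA/Accounting"]

if __name__ == "__main__":
    print(applied_gpos(JSMITH_PATH, LAB_LINKS, set()))              # all four GPOs apply
    print(applied_gpos(JSMITH_PATH, LAB_LINKS, {"CA/Accounting"}))  # [] after Block Inheritance
    with_enforced = dict(LAB_LINKS, CA=[("DriveMapping", False), ("MyDocs", False), ("Desktop", True)])
    print(applied_gpos(JSMITH_PATH, with_enforced, {"CA/Accounting"}))  # ['Desktop'] survives the block
```

Running it reproduces the three states seen in the GPMC Group Policy Inheritance tab during this lab: all GPOs inherited, nothing inherited after Block Inheritance on Accounting, and only the enforced Desktop GPO coming through afterwards.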
Resultant Set of Policies (RSoP)
Group Policy Management has a tool called Group Policy Results. This is a very
user-friendly tool that lets the administrator determine the result of GPOs on a computer or
user object, known as the Resultant Set of Policy (RSoP).
1. Click Start → Administrative Tools → Group Policy Management, then right click
Group Policy Results and click Group Policy Results Wizard.
2. Click Continue on the Welcome page. In the Computer Selection screen, select
Another Computer, click Browse, type Client1 and click OK. Click Next to go to the
User Selection Screen.
3. Select BENANDBRADY\JSMITH and click Next.
4. Click Next on the Summary of Selection screen and click Finish. If an Internet
Explorer security message box appears, click Close. In the left hand pane observe the
new item:
The right hand pane shows a full report of the GPOs that were applied and denied.
5. The following figures show 2 sections of the RSoP report – Applied GPOs and
Component Status. The Component Status section shows exactly which components of the
GPO were applied to user JSmith on the computer Client1 and their status – i.e.
the Success or Failure of each component. This is accomplished by actually querying the
client and obtaining the results.
In cases marked with Failure, you will also see the reasons why the GPO failed to deploy
certain components. This will give you a good hint in fixing the problem.
“What-if” scenarios
Group Policy Modeling lets you play “What-if” scenarios. This powerful feature will
simulate the results of the GPOs without actually applying them. You can evaluate the RSoP
by changing several variables such as OU, User Security Group and so on.
1. Go to Start → Administrative Tools → Group Policy Management → Group
Policy Modeling and right click and select Group Policy Modeling Wizard.
2. Click Next on the Welcome screen and then click Next on the Domain Controller
Selection screen. In the User and Computer Selection screen, select User and click
Browse, type JSmith and click OK. Click Next.
3. Click Next on the Advanced Simulation options. In the Alternate Active Directory
Paths screen, click Browse, expand the benandbrady.com domain, expand NC and
select Accounting. Click OK and Next to continue.
4. Click Next in User Security Groups. You can use this feature to determine settings
applied to the user if group membership of the user is changed. Click Next on the WMI
filters screen, click Next on the Summary screen and then click Finish. In the report
Summary in the right pane, observe that Default Domain policy is the only GPO applied
since all the other GPOs we created were linked to the CA Organizational Unit. Now
let’s link the Desktop GPO to the NC/Accounting OU. Expand benandbrady.com,
expand NC and select Accounting. Right click and select Link an Existing GPO.
5. Select Desktop and click OK.
Now let’s see the effect this would have on user JSmith, if the user account were moved
from CA/Accounting to NC/Accounting.
6. In the Group Policy Modeling container, select and right click JSmith → Rerun
Query.
7. In the right hand pane, notice two GPOs – Default Domain Policy and the newly linked
Desktop policy - are now applied to user JSmith.
8. In the Group Policy Modeling container, select JSmith then right click and select
Advanced View.
9. The Resultant Set of Policy (RSoP) advanced view shows only those settings that
will be applied. Expand each of the containers on the left hand side and see the results of
the policies.
Notice in the above figure that “Start Menu and Taskbar” shows the setting Remove
Run menu from Start Menu as the setting that will be applied. The Advanced View only
displays the applied settings and hides all of the unapplied settings so that you can see
exactly what the GPO will accomplish.
10. Close the RSoP and the Group Policy Management windows.