
Windows Lab 09 - Group Policy

Introduction

In this lab we'll use Group Policies to set up our environment for our users.  We will also create an environment for users who need to have restricted access.  Then we'll use group policies to install software on our client computers.  The high-level steps are the following:
  • Create a group policy for our users
  • Link and test the user policy
  • Create an OU for our computers
  • Create a group policy for our computers
  • Link and test the computer policy
  • Create an OU for our restricted users
  • Create a policy for restricted users
  • Test the restricted users policy

Create a Group Policy for Our Users

We want to create a policy that will configure some settings for our users.  One thing we're going to do is redirect the Documents folder to their home folder.  This way, if they save to the Documents folder, the files will be stored on the server.  We're also going to have Windows 8.1 go to the desktop automatically when users sign in.  Finally, we are going to remove the Change Password link from the Ctrl+Alt+Delete screen since we don't want our users changing their passwords.

Create a Group Policy Object (GPO) named "Oak Forest Users" with the following settings:  User Configuration - Policies
  • Windows Settings
    • Folder Redirection - Documents
      • Basic - Redirect everyone's folder to the same location
      • Redirect to the user's home folder
      • Settings: Don't grant the user exclusive rights to Documents
      • Settings: Don't move the contents of Documents to the new location
    • Administrative Templates
      • Start Menu and Taskbar
        • Go to the desktop instead of Start when signing in
      • System
        • Ctrl+Alt+Del Options
          • Remove Change Password
        • Folder Redirection
          • Do not automatically make redirected folders available offline
Server01 - Create Group Policy for Users

Link and Test the User Policy

Once the GPO is created, link it to the "Oak Forest Users" OU.  This time around try dragging the GPO from the "Group Policy Objects" container to the "Oak Forest Users" OU.
Server01 - Link the GPO to the Users OU

Now we can test out the settings on our client.  Log into Client01 as MSmith and verify the Documents folder is redirected to Mike's home folder.  Press Ctrl+Alt+Delete and make sure the Change Password link is gone.  If the settings aren't working, proceed to the next step for troubleshooting tips.
Client01 - Test User Settings

If the settings aren't applied then you may need to force the client to retrieve the updated policy settings from the server.  Run gpupdate /force from a command prompt on Client01.
Client01 - Run GPUpdate

Create an OU for Our Computers

In Lesson 3 we learned that the difference between a container and an OU is that you can apply a group policy to an OU.  When we joined Client01 to the domain its computer account was placed in the Computers container.  We need to create an OU for our computers and move Client01's computer account to the OU.  Create an OU named "Oak Forest Computers" at the same level as "Oak Forest Users" and move Client01's computer account to it.
Server01 - Create Computers OU


Create a Group Policy for Our Computers

We want to create a policy that will make the IT department local administrators on our client computers.  That way when a member of the IT team signs into a client computer they will be able to work on the computer.

Create a Group Policy Object (GPO) named "Oak Forest Computers" with the following settings:  Computer Configuration - Policies
  • Windows Settings
    • Security Settings
      • Restricted Groups
        • Add: Administrators
          • Member: OAKFOREST\Domain Admins
          • Member: OAKFOREST\IT
          • Member: Admin

Server01 - Create Group Policy for Computers

Link and Test the Computer Policy

Once the GPO is created, link it to the "Oak Forest Computers" OU.  This time around try right-clicking on the "Oak Forest Computers" OU and choosing to link an existing GPO.  If the "Oak Forest Computers" OU is missing you may have to refresh Group Policy Management to see the newly created OU.  Right-click on the domain and hit refresh in Group Policy Management.
Server01 - Link the GPO to the Computers OU
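
The OU, move and link steps above can also be scripted on Server01. This is an added example, not part of the original lab; it assumes the ActiveDirectory and GroupPolicy PowerShell modules are installed and that exactly one OU is named "Oak Forest Users". The Restricted Groups setting itself is still configured in the Group Policy editor.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Put the new OU beside "Oak Forest Users" by reusing that OU's parent container.
$usersOu = Get-ADOrganizationalUnit -Filter 'Name -eq "Oak Forest Users"'
$parent  = $usersOu.DistinguishedName -replace '^OU=[^,]+,', ''
$name    = 'Oak Forest Computers'
$ouDn    = "OU=$name,$parent"

# Create the OU only if it does not exist yet, so the script can be re-run.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $name -Path $parent
}

# Move Client01 out of the default Computers container; a container cannot take a GPO link.
$pc = Get-ADComputer -Identity 'Client01'
if ($pc.DistinguishedName -notlike "*,$ouDn") {
    $pc | Move-ADObject -TargetPath $ouDn
}

# Create the (still empty) GPO if needed and link it to the new OU.
$gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $name }

$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $name }
if (-not $linked) { New-GPLink -Name $name -Target $ouDn | Out-Null }

# Show what is now linked to the OU and where Client01 lives.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
Get-ADComputer -Identity 'Client01' | Select-Object Name, DistinguishedName
```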

Run gpupdate /force from a command prompt on Client01.  Restart the client, then see if the local Administrators group contains the changes you made.  We are going to use Microsoft Management Console to do this.  Run MMC as administrator and add the Local Users and Groups snap-in.  In there you will find the local Administrators group.
Client01 - Test Computer Settings

Create an OU for Our Restricted Users

We have a user that needs to be restricted.  We will create an OU for restricted users and move Ana Mull to this OU.  Create an OU named "Restricted Users" under "Oak Forest Users" and move Ana Mull to the new OU.
Server01 - Create Restricted Users OU

Create a Policy for Our Restricted Users

Create and link a Group Policy Object (GPO) named "Restricted Users" with the following settings:  User Configuration - Policies
  • Administrative Templates
    • Control Panel
      • Prohibit access to Control Panel and PC settings
    • System
      • Prevent access to the command prompt
      • Prevent access to registry editing tools
      • Don't Run specified Windows Applications
        • iexplore.exe
        • chrome.exe
        • firefox.exe
    • Windows Components
      • File Explorer
        • Hide these specified drives
          • Restrict A, B, C and D drives only
        • Prevent access to drives
          • Restrict A, B, C and D drives only
Server01 - Create Group Policy for Restricted Users


Test the Restricted Users Policy

Run gpupdate /force from a command prompt on Client01.  Log off, then log in as AMull and make sure she can't access the Control Panel.  Also make sure she can't open the command prompt, regedit, or Internet Explorer.  Then verify she can't see or access the C drive.
Client01 - Test Restricted Users Settings
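
Besides clicking through each restriction as AMull, an administrator can confirm the policy landed by reading the registry values these Administrative Templates write into her user hive. This is an added example, not part of the original lab; it assumes the account is OAKFOREST\AMull and that she is currently signed in to Client01.

```powershell
# Run elevated on Client01 while AMull is signed in, so her hive is loaded under HKEY_USERS.
$account  = 'OAKFOREST\AMull'          # assumed domain\user name for Ana Mull
$sidType  = [System.Security.Principal.SecurityIdentifier]
$sid      = ([System.Security.Principal.NTAccount]$account).Translate($sidType).Value
$software = "Registry::HKEY_USERS\$sid\Software"
$explorer = "$software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$system   = "$software\Microsoft\Windows\CurrentVersion\Policies\System"
$abcd     = 1 + 2 + 4 + 8              # drive bitmask: A=1, B=2, C=4, D=8

# One entry per GPO setting: where it is stored and which values count as enabled.
$checks = @(
    @{ Setting = 'Prohibit access to Control Panel and PC settings'
       Path = $explorer; Name = 'NoControlPanel'; Expected = 1 }
    @{ Setting = 'Prevent access to the command prompt'
       Path = "$software\Policies\Microsoft\Windows\System"; Name = 'DisableCMD'; Expected = 1, 2 }
    @{ Setting = 'Prevent access to registry editing tools'
       Path = $system; Name = 'DisableRegistryTools'; Expected = 1, 2 }
    @{ Setting = "Don't run specified Windows applications"
       Path = $explorer; Name = 'DisallowRun'; Expected = 1 }
    @{ Setting = 'Hide these specified drives (A, B, C, D)'
       Path = $explorer; Name = 'NoDrives'; Expected = $abcd }
    @{ Setting = 'Prevent access to drives (A, B, C, D)'
       Path = $explorer; Name = 'NoViewOnDrive'; Expected = $abcd }
)

$results = foreach ($c in $checks) {
    # A missing key or value yields $null, which is reported as not applied.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Setting = $c.Setting; Value = $value; Applied = ($c.Expected -contains $value) }
}

# The blocked executables are stored as numbered string values in a DisallowRun subkey.
$blocked = @()
$key = Get-ItemProperty -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($key) {
    $blocked = $key.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
}
foreach ($exe in 'iexplore.exe', 'chrome.exe', 'firefox.exe') {
    $results += [pscustomobject]@{
        Setting = "Blocked application: $exe"; Value = $exe; Applied = ($blocked -contains $exe) }
}

$results | Format-Table -AutoSize
```

Any row with Applied = False points at a setting that was not configured in the GPO or has not reached the client yet; re-run gpupdate /force and check that the "Restricted Users" GPO is linked to the OU that holds Ana Mull.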

Questions

Answer the lab questions.
