Windows Lab 9 - Group Policy

Introduction

In this lab we're going to control the user's environment by applying Group Policies to our users and computers.

Map Network Drives

In the last lab we created shared folders and set up permissions to make sure only the correct users could access the data. We were able to modify the user account so that when a user logged into a client computer they had an H drive that opened to their home folder. But when we wanted to access the common share we had to type in the UNC path. We're going to use a group policy to map the shared folders to drive letters on their computers.

Using Server Manager, open the Group Policy Management tool.

In Group Policy Management, expand the tree until you see the organizational units you created.

We want to create a new GPO (Group Policy Object) and apply it to all our users. Right click on GotoHull Users and select Create a GPO in this domain, and Link it here.

We're going to name the GPO Map Network Drives. Click Ok.

Now that we have a GPO we need to edit it to set the settings we want to apply to our users. Right click on Map Network Drives and select Edit.

In the GPO we're going to modify the users section since we're applying the GPO to an OU that contains users. Open Preferences then Windows Settings. Then right click on Drive Maps and select New - Mapped Drive.

Next, enter the UNC path for the common share in the Location field: \\Server01\Common. Then set the drive letter to J. Click Ok.

Repeat the steps for the public and apps shares then close the GPO.

We now have a GPO applied to our users. Let's test it out: start up Client01.

Log in to Client01 using your account and open File Explorer and click This PC on the left side. You should see four mapped drives at the bottom.

Redirect Folders

We've made it very easy for our users to access our file shares. But we'll still have people store their data in the local Documents folder because they're used to doing that. We're going to set it up so the Documents folder is redirected to their home folder, so their data will be on the server by default. This way we don't have to fight to change users' behavior: they can save where they want, and behind the scenes we'll place the data where we want. This will let us keep the data secure and make sure it's backed up properly.

Create a new GPO named Folder Redirection and link it to the GotoHull Users OU. Right click on the GPO and select Edit.

We're still working in User Configuration since this policy is applied to an OU that contains users. Expand Policies - Windows Settings - Folder Redirection, then right click on Documents and select Properties.

Set Setting to Basic - Redirect everyone's folder to the same location and Target folder location to Redirect to the user's home directory. Click the Settings tab.

Deselect Grant the user exclusive rights to Documents, then click Ok.

Right click on Pictures and select Properties. Set this to Follow the Documents folder and click Ok.

Repeat the step above for Music and Videos. When complete close the GPO.

We want to test the settings. Before we can test it we have to tell the client to connect to the server and look for new group policy settings. It will do this over time, but we can run a command to expedite the process. Open Windows Terminal.

In PowerShell type in gpupdate /force and hit enter. Press Y then enter to log off.

Log back in as yourself and open File Explorer. You should see Documents is set to sync with the server by the green sync symbol. You can also see Pictures, Music and Videos are listed as being part of Documents.

You can verify by right clicking on Documents and selecting Properties.

The location field should be set to \\Server01\Home. You've successfully redirected the user's Documents folder to their home folder on the server!

Modifying Local Administrators Group

We're going to create a policy that will apply to our computers, not our users. Every time you join a computer to the domain a computer account is created for that device in Active Directory. By default these computer accounts are placed in the Computers container. We're going to create an OU for our computers and move our client's computer account into the OU. We can't apply a GPO to a generic container so we need to create an OU first.

Open Active Directory Administrative Center and select the domain on the left side. Click New - Organizational Unit.

Type in GotoHull Computers for the name of the OU and click Ok.

Double click on the Computers container to open it.

Select Client01 then choose the Move task on the right.

Browse to GotoHull Computers and click Ok.

Now that the computer account has been moved to the GotoHull Computers OU switch to the GotoHull Computers OU. Click the arrow next to the domain and double click on GotoHull Computers.

You should see the computer account for Client01 there.

You can close Active Directory Administrative Center and return to Group Policy Management Console. Now that we've made a change to the structure of Active Directory we need to refresh Group Policy Management Console to see the new OU. Select the domain and click the refresh button at the top of the screen.

Select GotoHull Computers and create a new GPO named Local Administrators. Open the new GPO in edit mode.
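The OU, move and GPO link steps above can also be scripted. This is an added example, not part of the original lab; it assumes the ActiveDirectory and GroupPolicy PowerShell modules are available on the server and reads the domain's distinguished name from Get-ADDomain instead of hard-coding it. It finishes by listing any computer accounts still in the default Computers container, which will not receive a GPO linked to the new OU.

```powershell
# Added example: run on the domain controller in an elevated PowerShell session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$ouName  = 'GotoHull Computers'
$ouDn    = "OU=$ouName,$($domain.DistinguishedName)"
$gpoName = 'Local Administrators'

# Create the OU only if it is missing, so the script is safe to re-run.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Move Client01 out of the default Computers container into the new OU.
$computer = Get-ADComputer -Identity 'Client01'
if ($computer.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
}

# Create the GPO if needed, then link it to the OU if it is not linked yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if ($links.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
}

# Computer accounts left in the default container are outside the OU,
# so the Local Administrators GPO never reaches them.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```

The Restricted Groups membership itself is still configured in the Group Policy Management Editor as described in the next steps.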

We're going to use this group policy to set who's considered a local admin on our domain computers. When you set up a Windows client computer there's a disabled Administrator account which is an administrator. Then the first account you create on the computer is added to the local administrators group. In our case that was an account named admin. Once the computer's joined to the domain the Domain Admins group is added to the local administrators group. This allows any user who's a domain admin to administer any client joined to the domain.

We want our IT department to be local administrators of the client computers. We could add them to the Domain Admins group, but we probably don't want to give them all full control over the domain. So we're going to use a GPO to add the Information Technology group to the local Administrators group.

Under Computer Configuration, expand Policies - Windows Settings - Security Settings, then right click on Restricted Groups and choose Add Group.

Type in Administrators for the name of the group.

The policy will replace the contents of the local Administrators group so we have to add back in the entries that were already there. Add the following users and groups to the Members of this group section.

  • Admin

  • Administrator

  • GOTOHULL\Domain Admins

  • GOTOHULL\Information Technology

Click Ok and close the Group Policy Management Editor window.

The policy should now be created and linked to the GotoHull Computers OU. Let's test it.

On the client run gpupdate /force and log off when asked.

Log back into Client01 as yourself. Click the start menu and start typing the word local. This will bring up the control panel entry Edit Local users and groups. Click on it. It may not be in the same location on your computer, it may be further down the list.

Click on Groups then double click on Administrators.

You'll see the four entries you entered including the Information Technology group. This means if a member of the IT department signs into this computer they'll be able to install software and perform other administrative tasks.
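Because the policy replaces the contents of the local Administrators group, it is worth checking the result against the intended list rather than only eyeballing it. The following is an added example, not part of the original lab; it assumes Admin and Administrator are local accounts on Client01 and that the domain's NetBIOS name is GOTOHULL, as in the list above.

```powershell
# Added example: run on Client01 after gpupdate /force has applied the policy.

# The four entries the lab puts in "Members of this group".
$expected = @(
    "$($env:COMPUTERNAME)\Admin"
    "$($env:COMPUTERNAME)\Administrator"
    'GOTOHULL\Domain Admins'
    'GOTOHULL\Information Technology'
)

# Current members of the local Administrators group, as DOMAIN\Name strings.
$actual = @(Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name)

# Compare-Object is case-insensitive by default, which suits account names.
$report = Compare-Object -ReferenceObject $expected -DifferenceObject $actual -IncludeEqual |
    ForEach-Object {
        [pscustomobject]@{
            Member = $_.InputObject
            Status = switch ($_.SideIndicator) {
                '==' { 'OK' }          # expected and present
                '<=' { 'MISSING' }     # expected but not in the group
                '=>' { 'UNEXPECTED' }  # in the group but not in the policy list
            }
        }
    }

$report | Sort-Object Status, Member | Format-Table -AutoSize

# Flag drift: a missing entry means the GPO did not apply as written,
# an unexpected entry means something else is granting local admin rights.
$drift = @($report | Where-Object { $_.Status -ne 'OK' })
if ($drift.Count -gt 0) {
    Write-Warning "Local Administrators differs from the GPO in $($drift.Count) entr$(if ($drift.Count -eq 1) {'y'} else {'ies'})."
} else {
    Write-Output 'Local Administrators matches the Restricted Groups policy.'
}
```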

Restrict Users

We have a user who's been doing things on her computer that she shouldn't. Anna Mull has been acting like an animal on her computer and we need to lock her account down. In order to do this we're going to create a new OU, move her account to that new OU, then build a GPO that will lock down the Windows interface.

Open Active Directory Administrative Center and select GotoHull Users on the left side. If it's not visible you may have to browse to it using the arrow next to the domain. Once selected click New - Organizational Unit on the right side.

Name the OU Restricted Users and click Ok.

Now switch back to the main page by clicking Overview on the left side. We're going to use the global search box to find Anna Mull's account. Type Mull into the search box and hit enter.

Select Anna Mull's account and click the Move task on the right side.

Browse to the Restricted Users OU under GotoHull Users and click Ok. That will move her account to the Restricted Users OU.

You can close Active Directory Administrative Center and open Group Policy Management Console. Create a new GPO named Restricted Users linked to the Restricted Users OU. Edit the GPO.

The changes we're going to make are in the User Configuration because this will be applied to user accounts. The first thing we're going to restrict is access to the Control Panel and the Settings program. Browse to:

User Configuration - Policies - Administrative Templates - Control Panel - Prohibit access to Control Panel and PC Settings

Set the policy to Enabled. Click Ok.

Let's block access to the command prompt. Browse to:

User Configuration - Policies - Administrative Templates - System - Prevent access to the command prompt.

Set the policy to Enabled. Click Ok.

Now we're going to stop her from editing the registry. Open the next policy down, Prevent access to the registry editing tools.

User Configuration - Policies - Administrative Templates - System - Prevent access to the registry editing tools

Set the policy to Enabled. Click Ok.

She should only be able to access her network drives. There's no reason for her to be accessing the local drives at all, so let's hide them.

User Configuration - Policies - Administrative Templates - Windows Components - File Explorer - Hide these specified drives in My Computer

Set the policy to Enabled. Then select Restrict A, B, C, and D drive only from the drop down. Click Ok.

A little ways down open the policy Prevent access to drives from My Computer.

User Configuration - Policies - Administrative Templates - Windows Components - File Explorer - Prevent access to drives from My Computer

Set the policy to Enabled. Then select Restrict A, B, C, and D drive only from the drop down. Click Ok. Close the Group Policy Management Editor.

Click on the policy to open it in the right panel. A warning may display letting you know that if you change the settings of a policy it will change the GPO, which may be linked to other OUs. You can check the box Do not show this message again then click Ok.

Click the settings tab. This will load up the settings in an embedded browser tab. Due to extra security on the server we have to add this address to the list of trusted sites. Click Add.

Click Add again, then Close.

In this view you can see all policies that have been enabled. It makes it easier to see what's going on in a GPO, the alternative being scrolling through all the options to see what's been enabled.
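The same Settings view can be pulled as a report and checked against the five restrictions configured above. This is an added example, not part of the original lab; it assumes the GroupPolicy module is available on the server and that the XML report lists each Administrative Templates setting as a Policy element with Name and State children.

```powershell
# Added example: run on the server where Group Policy Management is installed.
Import-Module GroupPolicy

$gpoName = 'Restricted Users'

# Policy names as written in the lab. The wildcard tolerates small wording
# differences in the template's display name (an assumption).
$expected = @(
    'Prohibit access to Control Panel and PC Settings'
    'Prevent access to the command prompt'
    'Prevent access to*registry editing tools'
    'Hide these specified drives in My Computer'
    'Prevent access to drives from My Computer'
)

[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml

# Every policy under User Configuration; local-name() sidesteps XML namespaces.
$xpath = "/*[local-name()='GPO']/*[local-name()='User']//*[local-name()='Policy']"
$configured = foreach ($node in $report.SelectNodes($xpath)) {
    [pscustomobject]@{
        Name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        State = $node.SelectSingleNode("*[local-name()='State']").InnerText
    }
}

# One row per expected restriction, with its state in the GPO.
$results = foreach ($pattern in $expected) {
    $match = $configured | Where-Object { $_.Name -like $pattern } | Select-Object -First 1
    [pscustomobject]@{
        Policy = $pattern
        State  = if ($match) { $match.State } else { 'Not configured' }
        Ok     = [bool]($match -and $match.State -eq 'Enabled')
    }
}
$results | Format-Table -AutoSize

# Settings present in the GPO that the lab did not ask for.
$extra = $configured | Where-Object {
    $name = $_.Name
    -not ($expected | Where-Object { $name -like $_ })
}
if ($extra) { Write-Warning "Unexpected settings: $($extra.Name -join '; ')" }
```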

Let's test out our restrictions by logging into Client01 as Anna Mull (username amull, password P@ssw0rd).

Click the Windows button and start typing Control. The Control Panel will appear; click it.

You won't be able to open the Control Panel and will receive a message about restrictions preventing you from accessing it.

Open Windows Explorer and click This PC on the left side. You'll notice you're unable to see any of the local drives, they're hidden.

If you type in C: into the address bar and hit enter it will normally open the C drive.

When you try that with the restrictions enabled you'll see you can't access the local drives. They are more than just hidden, you're prevented from accessing them.

Now we're going to try and open the command prompt. Click the Windows button and start typing command, click Command Prompt to open it.

We'll see that it's been disabled.

When you try to open Settings by clicking the Windows button then Settings it won't open at all. It won't do anything: no error, no message, it just won't open.

Once you've completed the lab, shut down all virtual machines and take snapshots of all of them named Lab 9 Complete.

Client01 - Test Restricted Users Settings

Questions

Answer the lab questions.
