20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012
Examine Policy Event Logs
Windows Vista, Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012 improve your ability to troubleshoot Group Policy not only with RSoP tools, but also with improved logging of Group Policy events, including the:
• System log, in which you will find high-level information about Group Policy, including errors created by the Group Policy client when it cannot connect to a domain controller or locate GPOs.
• Application log, which captures events recorded by CSEs.
• Group Policy Operational Log, which provides detailed information about Group Policy processing.
To find Group Policy logs, open the Event Viewer snap-in or console. The System and Application logs are in the Windows Logs node. The Group Policy Operational Log is found in: Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational
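The same logs can be read from PowerShell instead of Event Viewer. The following is an added example, not part of the courseware: it pulls the most recent Group Policy processing run from the Operational log by correlating on ActivityId, then lists recent Group Policy errors and warnings from the System log. The function names are hypothetical, and the 4000-4007 start-event range follows Microsoft's documented Group Policy event-ID scheme, which this page does not state.

```powershell
# Added example (not from the courseware). Read-only queries against the
# local event logs; run from an elevated PowerShell prompt on the client.
$opLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-LastGroupPolicyRun {
    # Events 4000-4007 open a processing run (assumption from Microsoft's
    # event-ID scheme; 4004/4005 are manual refreshes such as gpupdate).
    $start = Get-WinEvent -FilterHashtable @{ LogName = $opLog; Id = 4000..4007 } `
                 -MaxEvents 1 -ErrorAction Stop

    # Every event written during one run carries the same ActivityId,
    # so filter on it to follow that run from start to finish.
    Get-WinEvent -FilterHashtable @{
            LogName   = $opLog
            StartTime = $start.TimeCreated.AddSeconds(-1)
        } |
        Where-Object { $_.ActivityId -eq $start.ActivityId } |
        Sort-Object TimeCreated, RecordId |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-GroupPolicySystemErrors {
    param([int]$Hours = 24)
    # Level 2 = Error, 3 = Warning. These are the high-level failures the
    # Group Policy client records in the System log, for example when it
    # cannot reach a domain controller or locate a GPO.
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-GroupPolicy'
            Level        = 2, 3
            StartTime    = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-LastGroupPolicyRun | Format-Table -AutoSize -Wrap
Get-GroupPolicySystemErrors | Format-List
```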
5-38 Implementing a Group Policy Infrastructure
Lab: Implementing a Group Policy Infrastructure
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and a data center are located in London to support the London office and other locations. A. Datum recently has deployed a Windows Server 2012 server and client infrastructure.
You have been asked to use Group Policy to implement standardized security settings to lock computer screens when users leave computers unattended for 10 minutes or more. You also have to configure a policy setting that will prevent access to certain programs on local workstations.
After some time, you have been made aware that a critical application fails when the screen saver starts, and an engineer has asked you to prevent the setting from applying to the team of Research engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout.
After creating the policies you need to evaluate the resultant set of policies for users in your environment to ensure that the Group Policy infrastructure is optimized, and that all policies are applied as they were intended.
Objectives
After completing this lab, you will be able to:
• Create and configure a GPO.
• Manage Group Policy scope.
• Troubleshoot Group Policy application.
• Manage GPOs.
Lab Setup
Estimated Time: 90 minutes
Virtual machine(s): 20411B-LON-DC1, 20411B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Adatum
5. Repeat steps 2 and 3 for 20411B-LON-CL1. Do not sign in to LON-CL1 until directed to do so.
Exercise 1: Creating and Configuring GPOs
Scenario
You have been asked to use Group Policy to implement standardized security settings to lock computer screens when users leave computers unattended for 10 minutes or more. You also have to configure a policy setting that will prevent users from running the Notepad application on local workstations.
The main tasks for this exercise are as follows:
1. Create and edit a Group Policy Object (GPO).
1. On LON-DC1, from Server Manager, open the Group Policy Management console.
2. Create a GPO named ADATUM Standards in the Group Policy Objects container.
3. Edit the ADATUM Standards policy, and navigate to User Configuration, Policies, Administrative Templates, System.
4. Prevent users from running notepad.exe by configuring the Don’t run specified Windows applications policy setting.
5. Navigate to the User Configuration, Policies, Administrative Templates, Control Panel, Personalization folder, and then configure the Screen saver timeout policy to 600 seconds.
6. Enable the Password protect the screen saver policy setting, and then close the Group Policy Management Editor window.
Task 3: View the effects of the GPO’s settings
1. Sign in to LON-CL1 as Adatum\Pat with the password Pa$$w0rd.
2. Attempt to change the screen saver wait time and resume settings. You are prevented from doing this by Group Policy.
3. Attempt to run Notepad. You are prevented from doing this by Group Policy.
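The GPO steps in this exercise (create ADATUM Standards, block Notepad, set the screen saver timeout, and require a password on resume) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the courseware; the registry keys and value names behind the three Administrative Template settings are assumptions that the lab does not state and should be confirmed against the ADMX definitions.

```powershell
# Added example (not from the courseware). Run on LON-DC1 as a domain
# administrator; requires the GroupPolicy module installed with the GPMC.
Import-Module GroupPolicy

$gpoName  = 'ADATUM Standards'
# Assumed policy registry locations (not stated in the lab text).
$desktop  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create the GPO in the Group Policy Objects container (unlinked)
# unless a GPO with that name already exists.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

$settings = @(
    # Don't run specified Windows applications: switch on, then list entry 1.
    @{ Key = $explorer;               ValueName = 'DisallowRun'; Type = 'DWord';  Value = 1 }
    @{ Key = "$explorer\DisallowRun"; ValueName = '1';           Type = 'String'; Value = 'notepad.exe' }
    # Screen saver timeout: 600 seconds.
    @{ Key = $desktop; ValueName = 'ScreenSaveTimeOut';   Type = 'String'; Value = '600' }
    # Password protect the screen saver: enabled.
    @{ Key = $desktop; ValueName = 'ScreenSaverIsSecure'; Type = 'String'; Value = '1' }
)

foreach ($s in $settings) {
    # Splat each hashtable onto -Key/-ValueName/-Type/-Value.
    Set-GPRegistryValue -Name $gpoName @s | Out-Null
}

# Read the values back from the GPO so the result can be reviewed
# before the GPO is linked anywhere.
$settings | ForEach-Object { $_.Key } | Sort-Object -Unique |
    ForEach-Object { Get-GPRegistryValue -Name $gpoName -Key $_ } |
    Select-Object FullKeyPath, ValueName, Value, Type |
    Format-Table -AutoSize
```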
After some time, you have been made aware that a critical application that the Research engineering team uses is failing when the screen saver starts. You have been asked to prevent the GPO setting from applying to any member of the Engineering security group. You also have been asked to configure conference room computers to be exempt from corporate policy. However, they always must have a 45-minute screensaver timeout applied.
The main tasks for this exercise are as follows:
1. Create and link the required GPOs.
2. Verify the order of precedence.
3. Configure the scope of a GPO with security filtering.
4. Configure loopback processing.
Task 1: Create and link the required GPOs
1. On LON-DC1, open Active Directory Users and Computers and in the Research OU, create a sub-OU called Engineers, and then close Active Directory Users and Computers.
2. In the Group Policy Management Console, create a new GPO linked to the Engineers OU called Engineering Application Override.
3. Configure the Screen saver timeout policy setting to be disabled, and then close the Group Policy Management Editor.
Task 2: Verify the order of precedence
• In the Group Policy Management console tree, select the Engineers OU, and then click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has precedence over the ADATUM Standards GPO. The screen saver timeout policy setting you just configured in the Engineering Application Override GPO will be applied after the setting in the ADATUM Standards GPO. Therefore, the new setting will overwrite the standards setting, and will win. Screen saver timeout will be disabled for users within the scope of the Engineering Application Override GPO.
Task 3: Configure the scope of a GPO with security filtering
1. On LON-DC1, open Active Directory Users and Computers. In the Research\Engineers OU, create a global security group named GPO_Engineering Application Override_Apply.
2. In the Group Policy Management console, select the Engineering Application Override GPO. Notice that in the Security Filtering section, the GPO applies by default to all authenticated users. Configure the GPO to apply only to the GPO_Engineering Application Override_Apply group.
3. In the Users folder, create a global security group named GPO_ADATUM Standards_Exempt.
4. In the Group Policy Management console, select the ADATUM Standards GPO. Notice that in the Security Filtering section, the GPO applies by default to all authenticated users.
5. Configure the GPO delegation to deny Apply Group Policy permission to the GPO_ADATUM Standards_Exempt group.
Task 4: Configure loopback processing
1. On LON-DC1, switch to Active Directory Users and Computers.
2. Create a new OU called Kiosks.
3. Under Kiosks, create a sub-OU called Conference Rooms.
4. Switch to the Group Policy Management console.
5. Create a new GPO named Conference Room Policies and link it to the Kiosks\Conference Rooms OU.
6. Confirm that the Conference Room Policies GPO is scoped to Authenticated Users.
5. Browse to the Group Policy Operational log and locate the first event related to the Group Policy refresh you initiated in Exercise 1, with the GPUpdate command. Review that event and the events that followed it.
Results: After this exercise, you should have successfully used RSoP tools to verify the correct application of your GPOs.
Exercise 4: Managing GPOs
Scenario
You must back up all critical GPOs. You use the Group Policy Management backup feature to back up the ADATUM Standards GPO.
The main tasks for this exercise are as follows:
1. Perform a backup of GPOs.
2. Perform a restore of GPOs.
3.
1. Switch to LON-DC1, and in the Group Policy Management console, in the navigation pane, click on the Group Policy Objects folder.
2. Back up the ADATUM Standards GPO to C:\.
• In the Group Policy Management console, restore the previous backup of ADATUM Standards.
• When you have finished the lab, revert all virtual machines back to their initial state.
Results: After this exercise, you should have successfully performed common management tasks on your GPOs.
Module 6
Managing User Desktops with Group Policy
Contents:
Module Overview
Lesson 1: Implementing Administrative Templates
Lesson 2: Configuring Folder Redirection and Scripts
Lesson 3: Configuring Group Policy Preferences
Lesson 4: Managing Software with Group Policy
Lab: Managing User Desktops with Group Policy
Module Review and Takeaways
Module Overview
Using Group Policy Objects (GPOs), you can implement desktop environments across your organization by using Administrative Templates, Folder Redirection, Group Policy preferences, and where applicable, use software deployment to install and update application programs. It is important to know how to use these various GPO features so that you can configure your users’ computer settings properly.
• Describe and implement Administrative Templates.
• Configure folder redirection and scripts by using GPOs.
• Configure GPO preferences.
• Deploy software by using GPOs.
Lesson 1
Implementing Administrative Templates
The Administrative Template files provide the majority of available GPO settings, which modify specific registry keys. Using Administrative Templates sometimes is referred to as registry-based policy. For many applications, the use of registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Group Policy administrative templates.
• Describe ADM and ADMX, or administrative template, files.
• Describe the central store.
• Describe example scenarios for using Administrative Templates.
• Explain how to configure settings with Administrative Templates.
What Are Administrative Templates?
You can use Administrative Templates to control the environment of an operating system and the user experience. There are two sets of Administrative Templates: one for users and one for computers.
Using the Administrative Template sections of the GPO, you can deploy hundreds of modifications
• They are organized into subfolders that deal with specific areas of the environment, such as network, system, and Windows® components.
• The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and the settings in the user section edit the HKEY_CURRENT_USER hive in the registry.
• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.
• Some settings are available only to certain versions of Windows operating systems. For example, you can apply a number of new settings only to Windows 7 and newer versions of the Windows operating system. Double-clicking the settings displays the supported versions for that setting.
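Because user-section settings land in HKEY_CURRENT_USER, a client can be checked directly against the intended baseline. The following is an added example, not part of the courseware: it compares the signed-in user's policy registry values with the ADATUM Standards settings from the Module 5 lab (600-second timeout, password on resume, Notepad blocked). The function names are hypothetical, and the registry paths and value names are assumptions that this page does not state.

```powershell
# Added example (not from the courseware). Run in the affected user's own
# session on a client such as LON-CL1; it only reads the registry.
# Assumed policy registry locations (not stated on this page).
$desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-AdatumStandards {
    $checks = @(
        @{ Policy = 'Screen saver timeout';              Key = $desktop;  Name = 'ScreenSaveTimeOut';   Expected = '600' }
        @{ Policy = 'Password protect the screen saver'; Key = $desktop;  Name = 'ScreenSaverIsSecure'; Expected = '1' }
        @{ Policy = 'Don''t run specified applications'; Key = $explorer; Name = 'DisallowRun';         Expected = '1' }
    )
    $results = foreach ($c in $checks) {
        $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
        [pscustomobject]@{
            Policy    = $c.Policy
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ("$actual" -eq $c.Expected)
        }
    }

    # The blocked programs are stored as values under the DisallowRun subkey.
    $listKey = Get-Item -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
    $blocked = if ($listKey) {
        $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }
    } else { @() }
    $results += [pscustomobject]@{
        Policy    = 'Blocked application list'
        Expected  = 'notepad.exe'
        Actual    = ($blocked -join ', ')
        Compliant = ($blocked -contains 'notepad.exe')
    }
    $results
}

Test-AdatumStandards | Format-Table -AutoSize
```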