
Advanced Windows Server Administration
Group Policies
Last Updated: 11/13/2014 5:43 PM Version 2
Document Prepared for: Professor Lindstrom's Student

Name Camille Pond ID 10655970


Instructions
Answer all questions directly in this document. You will save and upload this
completed document as your homework submission.

Overview
In this lab you will experiment with Group Policy Objects to discover the flexibility
and power of a central directory that can provide configuration directives for your
organization's infrastructure.

Setup
Start your pfsense, GUI, Win10 and Win8 computers.

Task 1: setting the default domain password rules


Overview
Your first group policy will set the security parameters for the behavior of your
domain regarding passwords.

Objectives

Edit the Default Domain Policy. This policy is effective for all computers in a
domain.

Change password security behavior via policies.

Create a computer based policy

Create users for test scenarios

Steps
1. Using either the Active Directory Administration Center or PowerShell, create
a new Organizational Unit named GPO Demo OU.
PS Command: New-ADOrganizationalUnit -name "GPO Demo OU"

Craig Lindstrom 2013-2014 all rights reserved, use or duplication without permission is
prohibited.

2. Using either PowerShell or Active Directory Administration Center create a
user named GPOUser in the Organizational Unit GPO Demo OU.

Attribute                       Value
LogonName/SAM Account Name      GPOUser
First name                      GPO
Last Name                       User
Password and Confirm Password   aaaa
Password options                Make sure user is not required
                                to change password

Were you successful? No
What error did you receive? Did not have permission to create the user
Try creating the user with a more complex password like Password1.
Were you successful? Yes
3. Fix the problem with a group policy. Start the Group Policy Management Tool
(Start > Administrative Tools, then choose the Group Policy Management tile) or
just search for it, then locate the Default Domain Policy.

4. Create the password policy


1. Right click on the Default Domain Policy and select edit. This will
open the Group Policy Object (GPO) editor.
2. Find the Password Policies (Computer
Configuration/Policies/Windows Settings/Security Settings/Account
Policies/Password Policy)
3. Set the minimum password length to 4
4. Set the Password must meet complexity requirements to
disabled.
5. Close the policy editor, policies are automatically saved.
5. Change GPOUser's password to aaaa. Make sure you uncheck the box
require user to change password at next logon.
6. Was this successful? No, need a more secure and complex password.
7. If the change was not successful it is probably because the policy has not
been applied yet. You can force the group policies to be updated on a
computer by entering the command gpupdate. The /force option will force
a foreground refresh, the command has to be run from the computer that you
want to refresh.
8. As of Server 2012 you can trigger computers within an OU to update their
policies from the Group Policy Management tool. Select the OU, then
right-click and choose Group Policy Update.

9. Create two more users in GPO Demo OU named Daydreamer, and EJFudd
with the password aaaa (make sure you clear the user must change
password at next logon box).
10. These accounts must be created before you can continue.
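
The check behind steps 5 to 9, written as a script. This is an added example, not part of the original handout. It assumes a single domain controller (the GUI server), an elevated PowerShell session on it, and that GPOUser and GPO Demo OU already exist from steps 1 and 2. It confirms the relaxed policy is really in effect before any weak password is set, refreshing policy once if it is not.

```powershell
# Added example: run on the lab domain controller, elevated.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouPath = "OU=GPO Demo OU,$($domain.DistinguishedName)"   # OU from step 1

function Test-LabPasswordPolicy {
    # True once the domain enforces what step 4 configured:
    # minimum length of at most 4 and complexity disabled.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
    Write-Host "MinPasswordLength=$($p.MinPasswordLength) ComplexityEnabled=$($p.ComplexityEnabled)"
    return ($p.MinPasswordLength -le 4 -and -not $p.ComplexityEnabled)
}

if (-not (Test-LabPasswordPolicy)) {
    # Step 7: the GPO edit has not been applied yet, so refresh policy.
    gpupdate /force | Out-Null
    if (-not (Test-LabPasswordPolicy)) {
        throw "Default Domain Policy is not in effect yet; not changing any passwords."
    }
}

# Lab-only password taken from the handout.
$password = ConvertTo-SecureString 'aaaa' -AsPlainText -Force

# Step 5: reset GPOUser's password and clear "must change at next logon".
Set-ADAccountPassword -Identity GPOUser -Reset -NewPassword $password
Set-ADUser -Identity GPOUser -ChangePasswordAtLogon $false

# Step 9: create the two remaining test users in GPO Demo OU.
foreach ($name in 'Daydreamer', 'EJFudd') {
    New-ADUser -Name $name -SamAccountName $name -Path $ouPath `
        -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $true
}
```

Get-ADDefaultDomainPasswordPolicy reads the values stored on the domain object, so it shows what the domain enforces right now rather than what the GPO editor displays.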

Task 2: managing the Windows firewall


Overview
In this exercise you will configure a group policy to enforce the use of the windows
firewall on all client computers in the domain. You will allow ICMP echo request to
all computers. Recall that the network utility ping uses the ICMP protocol. Ping is a
useful tool to check connectivity.

Objectives:

Modify the Domain GPO to manage firewall ICMP settings

Test your results

Steps
1. From your GUI server ping your other VMs
a. ping win10 What was the result? Yes
b. ping win8 What was the result? Yes


2. Create a new Group Policy named "Client Firewall"


a. Right-click the Group Policy Objects node and select new.
b. Name the GPO Client Firewall, do not use a starter GPO
3. Edit the Client Firewall Group Policy
a. Find the following node: Computer
Configuration\Policies\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\ Windows
Firewall with Advanced Security

b. Click on the Windows Firewall Properties link


c. You will see the Firewall configuration dialog. Configure the Domain
Profile as follows
i. Firewall state: on
ii. Inbound connections: Block
iii. Outbound connections: Allow


d. For this exercise we won't configure the other profiles but you would do
it the same way. When you are done it should look like this.

4. Click the settings customize button and configure as follows


a. Apply local firewall rules: Yes


b. When you are done it should look like this.

5. Click OK to close then OK to save the settings


6. Now you will configure inbound exceptions
a. Right-click on the Inbound Rules node and select New Rule
b. You should see the New Inbound rule wizard.

c. The inbound rule wizard allows you to make rules several different
ways. You can create rules by program, port, predefined, or custom.
First you will use predefined to allow remote management of the
workstation.
i. Select the predefined radio button
ii. From the dropdown list select Windows Remote Management
iii. Click next, you should now see two rules for management, one
for public networks and one for private and domain networks.
Uncheck the public profile rule since we don't want to allow
management if you are not connected to a secure network.
iv. Click Next
v. On the next screen make sure the Allow the connection radio
button is selected then click Finish.
d. Add the following predefined rules for the domain and private
networks.
i. Remote Desktop
ii. Remote Shutdown
iii. Windows Management Instrumentation (WMI)
e. Now create a rule to allow inbound ICMP.
i. Create a new custom rule
ii. Click next to go to the Protocols and Ports page.
iii. Select ICMPv4 in the Protocol type:
iv. Click Next on the Scope Page
v. Click Next on the Action Page
vi. Deselect the Public profile on the Profile page
vii. Enter Inbound ICMPv4 for the name then click finish
f. Create a rule for ICMPv6

7. Close the policy editor.


8. Now that you have created a policy you need to create a link to AD. Since
these rules are for client computers, let's create an OU for client computers
to link to.


a. Create an Organizational Unit Named Client Computers.


b. Move the Win10 and Win8 computer accounts to the Client
Computers OU.
c. Create a link in the Client Computers OU to the Client Firewall
policy.
9. Force the update of group policies on both Win10 and Win8 with the
command
gpupdate /force
10. After the update you should be able to ping your Win10 and Win8 computers.
Test your new firewall rules by pinging Win10 and Win8 from GUI.
11. You can also reboot them remotely with the command Restart-Computer
<computername>
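
The Domain profile settings, the ICMP rules and the OU link from steps 2 to 10, built from PowerShell. This is an added example, not part of the original handout. It assumes the GroupPolicy and NetSecurity modules on the GUI server and leaves out the predefined management rules from steps 6c and 6d. Unlike the wizard steps, which allow every ICMP type, it narrows the rules to echo request (type 8 for ICMPv4, 128 for ICMPv6), which is all that ping needs.

```powershell
# Added example: run on the lab domain controller, elevated.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain  = Get-ADDomain
$gpoName = 'Client Firewall'
$ouPath  = "OU=Client Computers,$($domain.DistinguishedName)"
$store   = "$($domain.DNSRoot)\$gpoName"      # policy store = <domain FQDN>\<GPO name>

# Step 2: create the empty GPO (no starter GPO).
New-GPO -Name $gpoName | Out-Null

# Steps 3-4: Domain profile on, block inbound, allow outbound, keep local rules.
Set-NetFirewallProfile -PolicyStore $store -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules True

# Steps 6e-6f: allow ping on domain and private networks only (Public stays closed).
New-NetFirewallRule -PolicyStore $store -DisplayName 'Inbound ICMPv4' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Profile Domain, Private -Action Allow | Out-Null
New-NetFirewallRule -PolicyStore $store -DisplayName 'Inbound ICMPv6' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 `
    -Profile Domain, Private -Action Allow | Out-Null

# Step 8: OU for the clients, move the computer accounts, link the GPO.
New-ADOrganizationalUnit -Name 'Client Computers'
foreach ($pc in 'Win10', 'Win8') {
    Get-ADComputer -Identity $pc | Move-ADObject -TargetPath $ouPath
}
New-GPLink -Name $gpoName -Target $ouPath | Out-Null

# Review what the GPO now contains before the clients pick it up.
Get-NetFirewallRule -PolicyStore $store |
    Select-Object DisplayName, Direction, Profile, Action | Format-Table

# Step 10: after gpupdate /force has run on each client, confirm ping works.
foreach ($pc in 'Win10', 'Win8') {
    $ok = Test-Connection -ComputerName $pc -Count 2 -Quiet
    Write-Host "$pc reachable by ping: $ok"
}
```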

Task 3: remote desktop access


Overview
Now you will use a group policy to allow everyone Remote Desktop Access to make
life a bit easier to test Group Policies.

Objectives

Create a Policy that contains a restricted group to manage who can remote to
client computers and enables remote desktop on the client computers.

Add Domain Users to the RDClientAccess group we created earlier.

Steps
1) Add (or Verify) Domain Users group is a member of the RDClientAccess
group.
2) Create a new Group policy named Client Remote Desktop.
a) Add a Restricted Group
i) Navigate to Computer Configuration/Policies/Windows
Settings/Security Settings
ii) Right click on Restricted Groups select Add group.
iii) Enter Remote Desktop Users for the group (this is the group that grants
access permissions to remote desktop)
iv) In the Members of this group list add esage\RDClientAccess.
b) Make sure Remote access is turned on

i) Navigate to Computer Configuration/Policies/Administrative
Templates/Windows Components/Remote Desktop
Services/Remote Desktop Session Host/Connections
ii) Enable the Allow users to connect remotely by using Remote
Desktop Services Setting.
c) Close the group policy editor.
3) Link the Client Remote Desktop Policy to the Client Computers OU.
a) Right-click on the Client Computer OU and select Link an Existing GPO.
b) Select the Client Remote Desktop Policy and click OK.
4) Refresh the group policy on both Win10 and Win8 using the Group Policy
Manager
a) Right click on the Client Computers OU and select group policy update.

Task 4: user folder redirection


Overview
In this exercise you will redirect users' My Documents folders to a network server.

Objectives

Create a user based policy

Create a shared folder on a server to store users' documents

Create a folder redirection policy

Test the results

Steps
1. The folder you shared in the storage lab will be used for folder redirection.
2. Edit the Default Domain Policy locate Folder Redirection Settings (User
configuration/Policies/Windows Settings/Folder
Redirection/Documents)
a. Modify the Documents properties (right click on the Documents node in
the tree and select properties)
b. On the Target tab configure as follows
i. Setting Basic
ii. Target folder location
1. Create a folder for each user under the root path
iii. Root path
1. \\gui\users
c. Close the Properties window. Say yes to the Warning.
d. Close the Policy Editor to save the updated policy.


3. From Your Win10 computer log on as esage\GPOUser password aaaa


4. Create a simple text document and save it in Documents
5. Login to your Win7 VM as esage\GPOUser.
a. Look in the Documents folder you should see the text file you created.

Task 5: software installation policy


Overview
You have made a corporate decision to install Chrome on your client workstations.
For this task you will configure a policy to automatically install Chrome.

Objectives

Create a group policy to install software

Test policy

Steps
1. Download the file (from any VM)
http://classfiles.esage.com/labs/aws/GoogleChromeStandaloneEnterprise.msi
and save it to the software share on gui (\\gui\software)
2. Create a new GPO Named Software Installation.
3. Edit the policy to Create a user installation rule
a. Right click on Software Installation (Computer
Configuration/Policies/Software Settings/Software Installation) and select
New > Package
b. Browse to the install file. IMPORTANT: Make sure you browse to it
via the network share! (\\gui\software)
c. Select Assigned as the deployment method.
4. Link the policy to the Client Computers OU
5. Test the Policy
a. Restart the Win8 computer from gui using PowerShell
restart-computer win8 -force
or from Win7
shutdown -r
b. Wait a few minutes then log on to Win7; Chrome should be
installed. If it is not, force the group policy to update.

Task 6: exploring GPOs


Overview
Now that you have seen the basic GPO types, see what you can do.

Objectives

Personal exploration of GPOs


Steps
1. Create another GPO named Exploring GPOs
2. Explore at least 3 other GPO settings. Describe what you discovered. Some
other Group Policy tasks include Link GPO, Delegate GPO, or Backup GPO.
There is lots to explore with GPOs. Also you can use these commands by
using Get-Command or Measure-Object

Task 7: exporting your GPOs


Overview
You can save and restore copies of your GPOs using the GPO Manager

Objectives

Save your GPOs

Steps
1. From the GPO management tool right click on your ExploringGPOs policy and
Select Backup
2. Save your GPO in c:\GPOBackups (you will need to create the folder)
3. Explore c:\GPOBackups with the file explorer.
4. Zip up your GPOBackups folder

Deliverable
Upload this document & your GPOBackups.zip file with completed answers to
Canvas.
