Complete/Review the previous lab

Utilizing command line to create/modify Active Directory

Active Directory management can be accomplished via the CLI. This portion of this lab goes through the process of creating Active Directory objects using the CLI. All user attributes can be set; however, in the examples, only a few attributes will be set.

Please review the following links to accomplish the first portion of this lab (hint: the lab is on the website, where it may be easier to click the hyperlinks than to type them in):

http://technet2.microsoft.com/WindowsServer/en/Library/8d37ecb0-ac28-4e05-aa05da82dc36b54b1033.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;322684

Or browse to http://www.google.com and type dsadd + example for the search criteria. Note the number of hits that relate to this command.

1. DSADD - uses options to add objects such as users, computers, contacts, groups, and OUs to Active Directory
   a. DSADD user userDN -samid
      userDN is the User Distinguished Name
         o cn=John Smith, OU=Sales_OU, DC=Abccompany, DC=Local
      -pwd - sets the user's password
      -samid - sets the user's login name or SAM account name (%username%)
      -email - sets the user's email address
      -mobile - sets the user's cell phone
      -mustchpwd YES|NO - determines whether a user must change password at next logon
      -canchpwd YES|NO - determines whether or not a user can change password
      -disabled YES|NO - specifies whether the account is disabled or not
   DSMOD - modifies users, computers, servers, contacts, OUs or groups.
   DSRM - removes objects from Active Directory
   DSMOVE - renames or moves an object
   DSQUERY - queries Active Directory for a list of objects using specified criteria
   DSGET - shows attributes of a specified object

2. Using the command DSADD, add the following users to the appropriate OUs:
   o SALE_OU
        Milton Waddams
        dsadd user "cn=Milton Waddams,ou=Sale_OU,DC=mteske,DC=local" -samid miwaddams
        NOTE: when there are spaces, you must enclose the userDN within quotes.
   o ACCO_OU
   o INFO_OU
   o SALE_OU
        Bob Slydel
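An added example, not part of the original lab handout: the dsadd step above run from PowerShell for the two Sale_OU users the lab names, with each account read back through dsget and dsquery. The samid boslydel is an assumption that follows the miwaddams pattern, and -pwd * makes dsadd prompt for the password so it does not land in the command line that process auditing or shell history records.

```powershell
# Added example (not from the lab handout). Run on the domain controller or an
# RSAT workstation while logged on as a domain administrator.
$ou = 'ou=Sale_OU,DC=mteske,DC=local'      # OU and domain as written in the lab

$users = @(
    @{ Name = 'Milton Waddams'; Sam = 'miwaddams' },  # samid given in the lab
    @{ Name = 'Bob Slydel';     Sam = 'boslydel'  }   # samid ASSUMED, same pattern
)

foreach ($u in $users) {
    # PowerShell passes $dn as one quoted argument, which covers the lab's
    # "enclose the userDN within quotes" note for names containing spaces.
    $dn = "cn=$($u.Name),$ou"

    # -pwd * prompts for the password instead of taking it as an argument.
    # -mustchpwd yes forces the user to replace the admin-chosen password.
    & dsadd user $dn -samid $u.Sam -pwd '*' -mustchpwd yes -canchpwd yes -disabled no

    if ($LASTEXITCODE -ne 0) {
        # Typical causes: object already exists, OU name mistyped, no rights
        Write-Warning "dsadd failed for $dn (exit code $LASTEXITCODE)"
        continue
    }

    # Read the attributes back from the directory rather than trusting the
    # command line that was typed.
    & dsget user $dn -samid -mustchpwd -canchpwd -disabled
}

# Everything that now lives in the OU, one distinguished name per line
& dsquery user $ou -limit 0
```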
Verify if this is the current Check Master at http://network.nwtc.edu/mteske
BE SURE TO MAKE SURE THE REMAINING PROPERTIES OF THESE USERS ARE CONSISTENT WITH LAB 9, I.E. HOME DIRECTORY, GROUP MEMBERSHIP, ETC. You may use the GUI to complete.

Group Policies

A Group Policy is administered through the use of Group Policy Objects (GPOs), data structures that are attached in a specific hierarchy to selected Active Directory objects, such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the later policies being superior to the earlier applied policies. Quiz material!!! LSDOU

When a computer is joined to a domain with Active Directory and Group Policy implemented, a local Group Policy Object (LGPO) is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified. Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the local Group Policy Object is applied.
1. Local Computer Policy runs
2. Site Policy (doesn't apply here)
3. Domain Policies
4. OU Policies
Sale PC

Lab Exercise

Refer to your Mastering W2K8 book, Chapter 8, pp. 359-417, for further reference. Note which settings are Computer Configuration settings and which ones are User Configuration settings.

Log onto your Windows 7 station as the domain Administrator. Download and install the Remote Server Administration Tools (RSAT) from the FTP server at ftp://172.17.11.16. It will be in the folder with the same name. After the application is installed, you must add features through the Add Windows Features in the Programs menu found in Control Panel. It can also be found online here: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a0054e344e43997d&displaylang=en

1. On the Windows 7 station, after you have installed and added the RSAT kit, click on the Windows button->All Programs->Administrative Tools and start the Group Policy Management application. Expand the Directory Services trees by clicking the black triangles. You should see your domain name; expand it. Find the Domain Controllers OU. Best practice: right mouse click on the Domain Controllers OU and select Block Policy Inheritance. This prevents policy settings linked above this container (for example, at the domain) from applying to objects within it.
2. Open Active Directory Users and Computers from Administrative Tools.
3. Open the Users folder. Find the Administrator account, right mouse click and move this account into the Domain Controllers OU. This will prevent any Group Policy User Configuration settings from applying to the Administrator account.
4. In the GPMC, right click on the Domain object and select Create a GPO and Link it here.
   o Name the policy yourlastname_policy, e.g. Teske_Policy
   o Right click on the policy just created and select Edit. This will display the Group Policy Management Editor (GPME). Make the following policy setting changes.
   o Enable Always wait for the network at computer startup and logon
        This policy tells the client machines to wait for the network, so that network policies can be applied.
        Computer Configuration->Administrative Templates->System->Logon
        Set Always wait for the network at computer startup and logon to be enabled. Read the description for this setting thoroughly.
   o Turn on auditing (success and failure) for all events except process tracking
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Audit Policy
   o Set your limits on the Event Logs.
        Computer Configuration->Windows Settings->Security Settings->Event Log
        This will allow your event logs domain wide to grow or overwrite older events as needed.
        Maximum Application, Security and System log size should be set to 2048 KB.
        Retention method for Application, Security, and System log should be to overwrite events as needed.
   o Set an Interactive Logon Message text for users to be: Welcome to Lab
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->Interactive logon
   o Set a Message Title for the Interactive Logon: Welcome to NWTC.
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->Interactive logon
   o Set your domain to require CTRL+ALT+DELETE to log on
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->Interactive logon
   o In Active Directory Users and Computers, move your workstation from the Computers folder to the Sale_OU
        Click on the Computers folder in Active Directory
        Right mouse click on your computer and select Move
        Select the Sale_OU
        In the GPMC, create a group policy for the Sale_OU by right mouse clicking on the OU and selecting Create GPO and Link it here.
        Name the policy SALE_COMPUTER_POLICY
        Right click on this object and click Edit
   o Rename guest account to TEMP
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
   o Audit all account and logon events
        Computer Configuration->Windows Settings->Security Settings->Local Policies->Audit Policy
   o Disable the Computer Browser Service
        Computer Configuration->Windows Settings->Security Settings->System Services->Computer Browser
        Check Define this policy
        Select Disabled
   o In the Sale_OU, create Sale_User_Policy and edit.
   o In the User Configuration, make the following configuration settings
   o Force IE home page of http://www.google.com
        User Configuration->Windows Settings->Internet Explorer Maintenance->URLs->Important URLs->Home page URL
        Check Customize Home Page URL
        Type http://www.google.com
   o User Configuration->Windows Settings->Internet Explorer Maintenance->URLs->Favorites and Links
        Click Add URL
        Name: Teske's Network Specialist Site
        URL: http://network.nwtc.edu
   o Prohibit Access to Control Panel
        User Configuration->Administrative Templates->Control Panel
        Double click on Prohibit access to the Control Panel and check Enabled.
   o Now log on as a user that is not from the Sale_OU. Are the settings still present? Check Internet Explorer, check your local user accounts, can you access Control Panel, etc.
   o On the server, refer to step 15 and undo the Prohibit access to Control Panel setting
   o At the workstation, bring up a command prompt. Start->Run->CMD
   o At the command prompt, type: gpupdate /force
        This forces the policy to be updated.
        Type gpupdate /?
        Note the options; you may update either user or computer configuration at different intervals.
   o Log out of your workstation and log back in. Can you now get into Control Panel?
   o Review additional policy settings. Review Mastering Windows 2008 Chapter 8, pp. 359-417, for the quiz.
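An added example, not part of the original lab handout: a PowerShell read-back of the settings the domain policy, SALE_COMPUTER_POLICY and Sale_User_Policy above should have delivered to the workstation. The registry value names are the standard locations Windows uses for these settings; the expected values are the ones the lab steps give.

```powershell
# Added example, not part of the lab handout. Run from an elevated PowerShell
# prompt on the Sale_OU workstation after "gpupdate /force" and a fresh logon.
function Get-Reg($Path, $Name) {
    # Returns $null when the value is absent, i.e. the policy never arrived
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
# HKCU reflects whoever runs the script; the Administrator account sits in the
# Domain Controllers OU, so run that check as a Sale_OU user to see it applied.
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# The built-in Guest account keeps RID 501 whatever it is renamed to
$guest   = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
$browser = Get-WmiObject Win32_Service -Filter "Name='Browser'"

# Label, expected value (from the lab steps), value found on this machine
$checks = @(
    @('Always wait for the network', 1,                 (Get-Reg $wl  'SyncForegroundPolicy')),
    @('Logon message title',         'Welcome to NWTC', (Get-Reg $sys 'LegalNoticeCaption')),
    @('Logon message text',          'Welcome to Lab',  (Get-Reg $sys 'LegalNoticeText')),
    @('CTRL+ALT+DELETE required',    0,                 (Get-Reg $sys 'DisableCAD')),
    @('Guest account renamed',       'TEMP',            $guest.Name),
    @('Computer Browser start mode', 'Disabled',        $browser.StartMode),
    @('Control Panel prohibited',    1,                 (Get-Reg $exp 'NoControlPanel'))
)

foreach ($c in $checks) {
    $got    = "$($c[2])"                      # $null becomes an empty string
    $status = if ($got -eq "$($c[1])") { 'OK' } else { 'MISMATCH' }
    '{0,-28} expected={1,-16} found={2,-16} {3}' -f $c[0], $c[1], $got, $status
}

# Event Log policy: expect 2097152 bytes (2048 KB) and LogMode Circular,
# which is "overwrite events as needed"
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName, MaximumSizeInBytes, LogMode

# Effective audit policy, then the GPOs that actually applied to this computer
auditpol /get /category:*
gpresult /r /scope computer
```

When a computer setting shows MISMATCH, the gpresult output shows whether the GPO that carries it was applied to this workstation at all.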