CTU June 2011 - Guided Hands on Lab on GPO - GPP
Download as PPTX, PDF0 likes935 views
This document outlines an agenda for a guided hands-on lab on Group Policy Objects (GPO) and Group Policy Preferences (GPP). The lab includes 5 sessions that demonstrate how to restrict local administrator groups, deploy printers, manage Office settings, use WMI filters for targeting, and perform basic troubleshooting. It provides instructions for configuring GPOs and GPPs to achieve specific results on virtual client machines. Tips are also shared on GPO/GPP functionality like apply once settings and identifying conflicting preferences.
![Tips and TricksGPP – Settings with Red and Green Underline – What does it mean?Red – [No Go], Will not DeliverGreen – [Go], Will be Delivered](https://image.slidesharecdn.com/guidedhands-onlabongpo-gpp-110630011140-phpapp01/85/CTU-June-2011-Guided-Hands-on-Lab-on-GPO-GPP-33-320.jpg)
CTU June 2011 - Guided Hands on Lab on GPO - GPP
- 1. Guided Hands-On Lab on GPO-GPPPresenter Tan CheeTitle MVP in GPOEvent CTU 2011 JuneDate 25th June 2011
- 2. Guided HOL on GPO-GPPGetting Familiarize with the HOL SetupHOL Session #1 – Restricted Group (GPO & GPP)HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)HOL Session #3 – Managing Office 2010 settings (GPO)HOL Session #4 – WMI FilterHOL Session #5 – Basic TroubleshootingTips and Tricks plus Discussion (Sharing Experience)Agenda
- 3. Getting Familiarize with the HOL SetupThe SetupVirtual Machines (Hyper-V): Private NetworkDomain Name: ONPREM.LOCALPhysical Host
- 4. Quick Walk Through on the HOL Setup
- 5. Getting ReadyUnder “START” > “Administrative Tools”Start “Active Directory Users and Computers” ConsoleUnderstand the OU structureUnderstand where is the User ObjectsUnderstand where is the Computer ObjectsStart “Group Policy Management” ConsoleStart “Active Directory Sites and Services” Console (For manual replication)DC1.onprem.local (Domain Controller)
- 6. OU Structure and Dummy Accounts
- 7. GPMCOU that cannot link GPO to
- 8. Getting ReadyLogin as Domain AdminOpen Command PromptGet ready to run following commandsGPUPDATE /FORCEYou may be required to login as CTUUSER01 in later partClient1.onprem.local (Domain Machine)
- 9. HOL Session #1 – Restricted Group (GPO)
- 10. HOL Session #1Restrict adding of members to local administrators groupInsertion of Domain Group to be a member of local administrators groupRestricted Group through GPO
- 11. HOL #1a - Restrict adding of members to local machine administrators group
- 12. HOL Session #1aOn DC1.onprem.local (Domain Controller)Start GPMCCreate and Configure GPO – “CTU_Restricted_Group”Link the GPO to the OU containing Computer – “Client1”On Client1.onprem.local (Client Machine)Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group.Then under command prompt, run “GPUPDATE /FORCE”Restrict adding of members to local machine administrators group
- 13. HOL Session #1aExpected Result:User able to insert another domain group to the local machine administrators group.User un-able to add another domain account to the local machine administrators group.Restrict adding of members to local machine administrators group
- 14. HOL #1b - Insert Domain Group to be a member of local machine administrators group
- 15. HOL Session #1bOn DC1.onprem.local (Domain Controller)Start GPMCCreate and Configure GPO – “CTU_Inject_LocalAdmin”Link the GPO to the OU containing Computer – “Client1”On Client1.onprem.local (Client Machine)Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group.Then under command prompt, run “GPUPDATE /FORCE”Insert Domain Group to be a member of local machine administrators group
- 16. HOL Session #1bExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.Insert Domain Group to be a member of local machine administrators group
- 17. HOL #1c – Managing Local Machine Administrators Group using GPP
- 18. GPP contain similar settings? Yes!
- 19. HOL #1c – Managing Local Machine Administrators Group using GPPDEMO
- 20. HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)
- 21. Getting ReadyOn DC1.onprem.localPrint Service (Add Role)Add Printer Drivers (Both x64 and x86)Share out the Printer (192.168.1.40 – CTU Printer)Create and Configure GPO – “CTU_Deploy_Printer”Link the GPO to the OU containing ComputerOn Client machine, under command prompt, run “GPUPDATE /FORCEDeployment of TCPIP Printer (GPO & GPP)
- 22. Deployment of TCPIP Printer (GPO & GPP)Printer Driver (32bit and 64bit)GPO Setting – Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions: EnabledImpact to Boot UpThrough Computer or User GPP?Pointers to take note
- 23. HOL Session #3 – Managing Office 2011 settings (GPO)
- 24. Getting ReadyOn DC1.onprem.localCreate and Configure GPO – “CTU_Office2010”Import GPO template files for Office 2010Note that the settings are under User ConfigurationLink the GPO to the OU containing Users – “CTUUser01”Managing Office 2011 settings (GPO)
- 25. Setting to TryConfigure as following.On Client, Login as CTUUser01 to verify setting is applied.Default Font Name, Size
- 26. HOL Session #4 – WMI FilterDEMO
- 27. WMI Filter (GPO)Useful to target GPO for Machine running different OS under same OU.Demo on how to import and apply WMI Filter
- 28. HOL Session #5 – Basic Troubleshooting Relates to GPO
- 29. Basic TroubleshootingOn Client machine (Login with Domain account)Event Viewer of ClientRun Command Line – GPRESULT /H <Filename>.htmlOn Domain ControllerUse GPMC to generate a Group Policy Result
- 30. Requirement for GPMC Group Policy Results Wizard to work WMI service on target must be runningFirewall port must open for WMI (Predefined Program)
- 31. Tips and Tricks plus Discussion!!
- 32. Tips and TricksIn Client Machine, Remove the following registry key and run GP update, the GPP that is configured as Apply Once Only will apply again.HKLM\SOFTWARE\Microsoft\Group Policy\Client\RunOnceGPP – Apply Once Only?
- 33. Tips and TricksGPP – Settings with Red and Green Underline – What does it mean?Red – [No Go], Will not DeliverGreen – [Go], Will be Delivered
- 34. Tips and TricksGPO Settings Supersede GPP Settings
- 35. Discussion
- 36. Thank You!!
Editor's Notes
- #5: Guide class to login to Physical Host and launch Hyper-VAccessing to the Hyper-V VMsLogin to the VM using the Domain Admin AccountsDomain Admin: AdministratorDomain Account: CTUUser01CTUUser02Domain Groups:CTU_LocalAdminCTU_Users
- #8: To show that for certain OU, one cannot link GPO to it.
- #12: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User un-able to add another domain account to the local machine administrators group.
- #15: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #18: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #20: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #21: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #24: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #27: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #29: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #31: Mention that DNS must be able to resolve properly too!But DNS is very critical for GPO to function properly
- #32: Work together with class on how to configure this GPO and apply.And show what is the end resultExpected Result:User able to insert another domain group to the local machine administrators group.User able to add another domain account to the local machine administrators group.
- #33: Create Batch file containing following line to perform the action to remove the registry keyREG DELETE "HKLM\\SOFTWARE\\Microsoft\\Group Policy\\Client\\RunOnce" /va