CTU June 2011 - Guided Hands on Lab on GPO - GPP

Post on 12-Jan-2015


Guided Hands-On Lab on GPO-GPP

Presenter: Tan Chee
Title: MVP in GPO
Event: CTU 2011 June
Date: 25th June 2011

Guided HOL on GPO-GPP

• Getting Familiar with the HOL Setup

• HOL Session #1 – Restricted Group (GPO & GPP)

• HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)

• HOL Session #3 – Managing Office 2010 settings (GPO)

• HOL Session #4 – WMI Filter

• HOL Session #5 – Basic Troubleshooting

• Tips and Tricks plus Discussion (Sharing Experience)

Agenda

Getting Familiar with the HOL Setup

The Setup

Domain Name: ONPREM.LOCAL

Physical Host

Virtual Machines (Hyper-V): Private Network

Quick Walk Through on the HOL Setup

Getting Ready

Under “START” > “Administrative Tools”

• Start “Active Directory Users and Computers” Console
  – Understand the OU structure
  – Understand where the User Objects are
  – Understand where the Computer Objects are

• Start “Group Policy Management” Console

• Start “Active Directory Sites and Services” Console (For manual replication)

DC1.onprem.local (Domain Controller)

OU Structure and Dummy Accounts

GPMC

OU that a GPO cannot be linked to

Getting Ready

• Login as Domain Admin

• Open Command Prompt
  – Get ready to run the following commands
    • GPUPDATE /FORCE

• You may be required to log in as CTUUSER01 in a later part

Client1.onprem.local (Domain Machine)

HOL Session #1 – Restricted Group (GPO)

HOL Session #1

• Restrict adding of members to local administrators group

• Insertion of Domain Group to be a member of local administrators group

Restricted Group through GPO

HOL #1a - Restrict adding of members to local machine administrators group

HOL Session #1a

On DC1.onprem.local (Domain Controller)

• Start GPMC

• Create and Configure GPO – “CTU_Restricted_Group”

• Link the GPO to the OU containing Computer – “Client1”

On Client1.onprem.local (Client Machine)

• Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group.

• Then under command prompt, run “GPUPDATE /FORCE”

Restrict adding of members to local machine administrators group

HOL Session #1a

Expected Result:
• User able to insert another domain group to the local machine administrators group.
• User unable to add another domain account to the local machine administrators group.

Restrict adding of members to local machine administrators group

HOL #1b - Insert Domain Group to be a member of local machine administrators group

HOL Session #1b

On DC1.onprem.local (Domain Controller)

• Start GPMC

• Create and Configure GPO – “CTU_Inject_LocalAdmin”

• Link the GPO to the OU containing Computer – “Client1”

On Client1.onprem.local (Client Machine)

• Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group.

• Then under command prompt, run “GPUPDATE /FORCE”

Insert Domain Group to be a member of local machine administrators group

HOL Session #1b

Expected Result:
• User able to insert another domain group to the local machine administrators group.
• User able to add another domain account to the local machine administrators group.

Insert Domain Group to be a member of local machine administrators group
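A way to check the expected results of HOL #1a and #1b on Client1, as an added example that is not part of the original slides. It assumes the NetBIOS domain name is ONPREM, an elevated PowerShell 5.1+ prompt, and that CTUUser01 was added to the local Administrators group by hand just before running it.

```powershell
# Added example (not from the original lab material).
# Assumptions: NetBIOS domain name ONPREM, elevated prompt, PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module available.
$TestAccount = 'ONPREM\CTUUser01'   # account added by hand during the lab

function Get-LocalAdminSnapshot {
    # Look the group up by its well-known SID (BUILTIN\Administrators)
    # so a renamed or localized group is still found.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 1. Record membership as it stands after the manual change.
$before = @(Get-LocalAdminSnapshot)

# 2. Re-apply computer policy, as the lab does with GPUPDATE /FORCE.
gpupdate /force /target:computer | Out-Null

# 3. Record membership again and show what the refresh changed.
$after = @(Get-LocalAdminSnapshot)
$diff  = Compare-Object -ReferenceObject @($before.Name) `
                        -DifferenceObject @($after.Name)

if (-not $diff) {
    'Policy refresh did not change local Administrators membership.'
}
foreach ($d in $diff) {
    $change = if ($d.SideIndicator -eq '<=') { 'REMOVED by refresh' }
              else                            { 'ADDED by refresh' }
    '{0,-20} {1}' -f $change, $d.InputObject
}

# 4. Map the outcome onto the two expected results from the slides.
if ($after.Name -contains $TestAccount) {
    "$TestAccount is still a local administrator (matches HOL #1b)."
} else {
    "$TestAccount is no longer a local administrator (matches HOL #1a)."
}

# Final membership, for the lab notes.
$after | Format-Table -AutoSize
```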

HOL #1c – Managing Local Machine Administrators Group using GPP

GPP contain similar settings? Yes!

HOL #1c – Managing Local Machine Administrators Group using GPP

DEMO

HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)

Getting Ready

On DC1.onprem.local

• Print Service (Add Role)

• Add Printer Drivers (Both x64 and x86)

• Share out the Printer (192.168.1.40 – CTU Printer)

• Create and Configure GPO – “CTU_Deploy_Printer”

• Link the GPO to the OU containing Computer

• On Client machine, under command prompt, run “GPUPDATE /FORCE”

Deployment of TCPIP Printer (GPO & GPP)

Deployment of TCPIP Printer (GPO & GPP)

• Printer Driver (32bit and 64bit)

• GPO Setting – Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions: Enabled

• Impact to Boot Up

• Through Computer or User GPP?

Pointers to take note

HOL Session #3 – Managing Office 2010 settings (GPO)

Getting Ready

On DC1.onprem.local

• Create and Configure GPO – “CTU_Office2010”

• Import GPO template files for Office 2010
  – Note that the settings are under User Configuration

• Link the GPO to the OU containing Users – “CTUUser01”

Managing Office 2010 settings (GPO)

Setting to Try

• Configure as follows.

• On Client, log in as CTUUser01 to verify the setting is applied.

Default Font Name, Size

HOL Session #4 – WMI Filter

DEMO

WMI Filter (GPO)

• Useful for targeting a GPO at machines running different OSes under the same OU.

Demo on how to import and apply WMI Filter
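A WMI filter applies a GPO only when its WQL query returns at least one instance on the target machine. The added example below (not from the original demo) evaluates candidate filter queries locally before they are attached to a GPO; the filter names and queries are constructed samples, and `Test-WmiFilterQuery` is a hypothetical helper name.

```powershell
# Added example (not from the original demo).
# Constructed sample queries: OS version prefix plus ProductType
# (1 = workstation, 2 = domain controller, 3 = member server).
$Filters = [ordered]@{
    'Windows 7 workstations'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
    'Server 2008 R2 members'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 3'
    'Any domain controller'      = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'
    'Typo in class (should err)' = 'SELECT * FROM Win32_OperatingSystm WHERE ProductType = 1'
}

function Test-WmiFilterQuery {
    # Hypothetical helper: runs one WQL query on the local machine and
    # reports whether it returned any instance, or the error it raised.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Matches = ($hits.Count -gt 0); Error = $null }
    } catch {
        # A malformed query never returns an instance, so report it
        # separately instead of silently showing "no match".
        [pscustomobject]@{ Matches = $false; Error = $_.Exception.Message }
    }
}

# Show what this machine reports, then evaluate every candidate filter.
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType | Format-List

$Filters.GetEnumerator() | ForEach-Object {
    $r = Test-WmiFilterQuery -Query $_.Value
    [pscustomobject]@{
        Filter  = $_.Key
        Matches = $r.Matches
        Error   = $r.Error
    }
} | Format-Table -AutoSize -Wrap
```

Run it on one machine of each OS type in the OU to confirm that each filter matches only the machines it is meant to target.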

HOL Session #5 – Basic Troubleshooting Relates to GPO

Basic Troubleshooting

On Client machine (Login with Domain account)

• Event Viewer of Client

• Run Command Line – GPRESULT /H <Filename>.html

On Domain Controller

• Use GPMC to generate a Group Policy Result

Requirement for GPMC Group Policy Results Wizard to work

• WMI service on target must be running

• Firewall port must be open for WMI (Predefined Program)

Tips and Tricks plus Discussion!!

Tips and Tricks

On the client machine, remove the following registry key and run a GP update; any GPP item configured as Apply Once Only will then apply again.

HKLM\SOFTWARE\Microsoft\Group Policy\Client\RunOnce

GPP – Apply Once Only?

Tips and Tricks

GPP – Settings with Red and Green Underline – What does it mean?

Red – [No Go], Will not Deliver

Green – [Go], Will be Delivered

Tips and Tricks

GPO Settings Supersede GPP Settings

Discussion

Thank You!!