Exercise 4: Planning Group Policy (optional)

Scenario
You are tasked with planning a GPO model for the current infrastructure to manage security for the
user desktops and servers. You need to finalize the delegation model for administrative tasks, and
determine the administrators who will have rights on the client computers.

A. Datum management also wants you to configure Windows Update settings, and restrict
administrative tools for regular user accounts. Additionally, one of the security requirements is that the
company have a compliance warning related to misuse of corporate computers.

As the administrator of A. Datum, you are tasked with translating the business requirements into GPO
settings. You must then design and implement the GPOs at the appropriate levels of the OU design.

In this exercise, you will design the GPO strategy that meets the business and organizational
requirements for A. Datum.

Supporting Documentation

Beth Burke
From: Huong Tang [Huong@adatum.com]
Sent: 2nd July 11:43

To: Beth@adatum.com
Subject: GPO Design

Hello Beth,

As we’ve discussed in our meeting yesterday, we need to strengthen the security of servers and
configure the users’ desktops according to the first initial design.

I’ve included the notes of our meeting in the attached proposal document. Please read the document.

Also, it would be great if you could send me the updated proposal document later this week.
Thank you very much,

Huong

A. Datum GPO Strategy Proposal

Document Reference Number: BS00918/1

Document Author Beth Burke

Date 2nd July

Requirements Overview
Design a GPO strategy that meets the following requirements:
 All the organization’s computers should have a core group of GPO settings that must be
applied. These settings should include:
A. Datum GPO Strategy Proposal
o Configuring the local administrator accounts.
o Configuring update settings.
o Restricting certain options, such as access to the registry editor.
These settings should not apply to administrator desktops.
 Each office should have a core group of settings that apply to their workstations. As of now, you
need to implement the following:
o Display a security warning prior to computer sign-in stating that only A. Datum employees
can use the computers. This setting needs to be applied to each location, and to display
automatically in other languages for foreign locations.
 All users must have a default set of mapped drives assigned to them. You should base the
mapped drive on the department membership.
 The central IT administrators in London must be able to manage all GPOs and settings in the
organization. Administrators in each office should be able to manage only GPOs that apply to
that office.

Summary of Information
The supporting OU structure includes the following:
 Users are currently grouped by department in a top-level OU.
 Clients are in the top-level Clients OU, which is separated by location on the next level.
 Proposals
 Which of the requirements will necessitate creating one or more GPOs?

 Can you fulfill any of the requirements without creating GPOs?

 Are there any exceptions to the default GPO application that you must consider?

 List the GPOs that you must create to fulfill the lab scenario’s requirements. Provide the
following information in the table provided:
o Name of the GPO
o The requirements that the GPO fulfills
o The configuration settings (user policies, computer policies, user preferences, or computer
preferences) that the GPO will contain
o The container (domain, OU, site) to which the GPO will be linked

Name Requirements fulfilled Configuration settings Applies to

 List other configuration tasks that you must perform within the Group Policy Management
Console to fulfill the scenario requirements.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.

2. Update the proposal document with your planned course of action.

3. Examine the suggested proposals in the Lab Answer Key.

4. Discuss your proposed solution with the class, as guided by your instructor.

 Task 1: Read the supporting documentation

 Read the documentation provided.

 Task 2: Update the proposal document with your planned course of action
 Answer the questions in the proposals section of the A. Datum GPO Strategy Proposal document.

 Task 3: Examine the suggested proposals in the Lab Answer Key

 Compare your proposals with the ones in the Lab Answer Key.

 Task 4: Discuss your proposed solution with the class, as guided by your instructor
 Be prepared to discuss your proposals with the class.

Results: After completing this exercise, you will be able to:

 Design a GPO strategy.

Question: Which options can you use to separate users’ redirected folders to different
servers?

Question: Can you name two methods that you could use to assign a GPO to selected
objects within an OU?

Question: You have created Group Policy preferences to configure new power options.
How can you make sure that the preferences apply only to laptop computers?
Lab Answer Key

Exercise 4: Planning Group Policy (optional)

 Task 1: Read the supporting documentation
 Read the documentation provided.

 Task 2: Update the proposal document with your planned course of action
 Answer the questions in the proposals section of the A. Datum GPO Strategy Proposal document.

Proposals

 Which of the requirements will necessitate creating one or more GPOs?

The central IT administrators in London must be able to manage all GPOs and settings in the
organization. Administrators in each office should be able to manage only GPOs that apply to that
office. Although you can complete any of the remaining tasks manually on each computer, using
GPOs requires the least effort. You could implement some of the other requirements, such as the
security warning or preventing access to registry editing tools, by using local policies only.
However, because local policies are hard to manage, GPOs are also beneficial for these settings.

 Can you fulfill any of the requirements without creating GPOs?

You can fulfill all the requirements without creating GPOs.
 Are there any exceptions to the default GPO application that you must consider?

Yes, there is one exception: security filtering of administrator desktops so that they will not be
prevented from accessing registry editing tools.
 List the GPOs that you must create to fulfill the lab scenario’s requirements. Provide the following
information in the table provided:

o Name of the GPO

o The requirements that the GPO fulfills

o The configuration settings (user policies, computer policies, user preferences, or computer
preferences) the GPO will contain

o The container (domain, OU, site) to which the GPO will be linked
 Requirements
Name Configuration settings Applies to
fulfilled

All_Clients Configures the Computer OU=Clients

local admin Configuration\Policies
accounts \Windows Settings\Security
Settings
\Restricted Groups

All_Clients Configures Computer OU=Clients

general Windows Configuration\Policies
Update settings \Administrative Templates
\Windows Components
\Windows Update
\Configure Automatic Updates

All_Users_but_Admins Prevents editing User Configuration DC=adatum

of the registry \Policies
\Administrative Templates
\System
\Prevent access to registry
editing tools

London_Clients Displays a Computer Configuration OU=London,

compliance \Windows Settings OU=Clients
message \Security Settings
\Local Policies\Security Options
\Interactive Logon: Message
text for users attempting to log
on
Interactive Logon: Message
title for users attempting to log
on

Marketing_Share Users must have User Configuration OU=Marketing

a default set of \Preferences\Windows Settings
mapped drives \Drive Maps

 List other configuration tasks that you must perform within the Group Policy Management Console
to fulfill the scenario requirements.

Other configuration tasks include:

 The All_Users_but_Admins policy needs security filtering to deny access. This will apply the policy
to the users but not to the administrators group, Group IT.

You must configure the administration of GPOs as desired.

 Task 3: Examine the suggested proposals in the Lab Answer Key

 Compare your proposals with the ones shown previously.
 Task 4: Discuss your proposed solution with the class, as guided by your instructor
 Be prepared to discuss your proposals with the class.