CTU June 2011 - Guided Hands on Lab on GPO - GPP
1. Guided Hands-On Lab on GPO-GPP
   Presenter: Tan Chee
   Title: MVP in GPO
   Event: CTU 2011 June
   Date: 25th June 2011
2. Guided HOL on GPO-GPP: Agenda
   - Getting Familiar with the HOL Setup
   - HOL Session #1 – Restricted Group (GPO & GPP)
   - HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)
   - HOL Session #3 – Managing Office 2010 settings (GPO)
   - HOL Session #4 – WMI Filter
   - HOL Session #5 – Basic Troubleshooting
   - Tips and Tricks plus Discussion (Sharing Experience)
3. Getting Familiar with the HOL Setup: The Setup
   - Physical Host
   - Virtual Machines (Hyper-V): Private Network
   - Domain Name: ONPREM.LOCAL
5. Getting Ready: DC1.onprem.local (Domain Controller)
   Under “START” > “Administrative Tools”:
   - Start the “Active Directory Users and Computers” console
   - Understand the OU structure
   - Understand where the User objects are
   - Understand where the Computer objects are
   - Start the “Group Policy Management” console
   - Start the “Active Directory Sites and Services” console (for manual replication)
8. Getting Ready: Client1.onprem.local (Domain Machine)
   - Log in as Domain Admin
   - Open Command Prompt
   - Get ready to run the following command: GPUPDATE /FORCE
   - You may be required to log in as CTUUSER01 in a later part
10. HOL Session #1: Restricted Group through GPO
   - Restrict adding of members to local administrators group
   - Insertion of Domain Group to be a member of local administrators group
11. HOL #1a - Restrict adding of members to local machine administrators group
12. HOL Session #1a: Restrict adding of members to local machine administrators group
   On DC1.onprem.local (Domain Controller):
   - Start GPMC
   - Create and configure GPO – “CTU_Restricted_Group”
   - Link the GPO to the OU containing Computer – “Client1”
   On Client1.onprem.local (Client Machine):
   - Under “local users and groups” > “Groups”, try adding “CTUUser01” to the “Administrators” group
   - Then, at the command prompt, run “GPUPDATE /FORCE”
13. HOL Session #1a: Restrict adding of members to local machine administrators group
   Expected Result:
   - User able to insert another domain group to the local machine administrators group.
   - User unable to add another domain account to the local machine administrators group.
14. HOL #1b - Insert Domain Group to be a member of local machine administrators group
15. HOL Session #1b: Insert Domain Group to be a member of local machine administrators group
   On DC1.onprem.local (Domain Controller):
   - Start GPMC
   - Create and configure GPO – “CTU_Inject_LocalAdmin”
   - Link the GPO to the OU containing Computer – “Client1”
   On Client1.onprem.local (Client Machine):
   - Under “local users and groups” > “Groups”, try adding “CTUUser01” to the “Administrators” group
   - Then, at the command prompt, run “GPUPDATE /FORCE”
16. HOL Session #1b: Insert Domain Group to be a member of local machine administrators group
   Expected Result:
   - User able to insert another domain group to the local machine administrators group.
   - User able to add another domain account to the local machine administrators group.
17. HOL #1c – Managing Local Machine Administrators Group using GPP
19. HOL #1c – Managing Local Machine Administrators Group using GPP DEMO
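One way to check the outcome of HOL Session #1 on Client1 without clicking through “local users and groups”: snapshot the local Administrators group, refresh policy, and report what the refresh changed and how the result compares with an expected list. This is an added example, not part of the original deck; the NetBIOS domain name ONPREM, the expected-member list and both function names are assumptions to adjust for your lab.

```powershell
# Added example, not from the original deck. Run elevated on Client1.
# Assumptions: PowerShell 5.1+ (LocalAccounts module), NetBIOS domain name ONPREM,
# and an expected-member list that you adjust to what your GPO actually configures.
$Expected = @(
    "${env:COMPUTERNAME}\Administrator"
    'ONPREM\Domain Admins'
    'ONPREM\CTU_LocalAdmin'
)

function Get-LocalAdminNames {
    # Names come back as DOMAIN\name or COMPUTER\name.
    @((Get-LocalGroupMember -Name 'Administrators').Name)
}

function Compare-Membership {
    param(
        [Parameter(Mandatory)][string[]]$Reference,
        [Parameter(Mandatory)][string[]]$Actual,
        [string]$OnlyInReference = 'Missing',
        [string]$OnlyInActual    = 'Unexpected'
    )
    # Compare-Object is case-insensitive by default, which suits account names.
    Compare-Object -ReferenceObject $Reference -DifferenceObject $Actual -IncludeEqual |
        ForEach-Object {
            $status = switch ($_.SideIndicator) {
                '==' { 'Unchanged' }
                '<=' { $OnlyInReference }
                '=>' { $OnlyInActual }
            }
            [pscustomobject]@{ Member = $_.InputObject; Status = $status }
        }
}

$before = Get-LocalAdminNames
gpupdate /force | Out-Null            # the same refresh the lab runs by hand
$after  = Get-LocalAdminNames

'Effect of the policy refresh on local Administrators:'
Compare-Membership -Reference $before -Actual $after `
    -OnlyInReference 'Removed by refresh' -OnlyInActual 'Added by refresh' |
    Format-Table -AutoSize

'Membership after refresh versus the expected list:'
Compare-Membership -Reference $Expected -Actual $after | Format-Table -AutoSize
```

Run it once after manually adding “CTUUser01” to the group, as the lab steps describe, to see whether the refresh leaves the account in place or removes it under each GPO.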
20. HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)
21. Getting Ready: Deployment of TCPIP Printer (GPO & GPP)
   On DC1.onprem.local:
   - Print Service (Add Role)
   - Add Printer Drivers (both x64 and x86)
   - Share out the Printer (192.168.1.40 – CTU Printer)
   - Create and configure GPO – “CTU_Deploy_Printer”
   - Link the GPO to the OU containing Computer
   On the client machine, at the command prompt, run “GPUPDATE /FORCE”
22. Deployment of TCPIP Printer (GPO & GPP): Pointers to take note
   - Printer Driver (32bit and 64bit)
   - GPO Setting – Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions: Enabled
   - Impact to Boot Up
   - Through Computer or User GPP?
24. Getting Ready: Managing Office 2010 settings (GPO)
   On DC1.onprem.local:
   - Create and configure GPO – “CTU_Office2010”
   - Import GPO template files for Office 2010
   - Note that the settings are under User Configuration
   - Link the GPO to the OU containing Users – “CTUUser01”
25. Setting to Try
   - Configure as follows: Default Font Name, Size
   - On the client, log in as CTUUser01 to verify the setting is applied.
29. Basic Troubleshooting
   On the client machine (log in with a Domain account):
   - Event Viewer of the client
   - Run command line – GPRESULT /H <Filename>.html
   On the Domain Controller:
   - Use GPMC to generate a Group Policy Result
30. Requirement for GPMC Group Policy Results Wizard to work
   - WMI service on target must be running
   - Firewall port must be open for WMI (Predefined Program)
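The requirements on this slide, plus the DNS dependency called out in the speaker notes, can be checked on the target before running the wizard from GPMC. This is an added example, not part of the original deck; it assumes Windows 8 / Server 2012 or later on the target, an English-language OS for the firewall group name, and the lab domain onprem.local, and the helper name New-CheckResult is hypothetical.

```powershell
# Added example, not from the original deck. Run in an elevated session on the target (e.g. Client1).
# Assumptions: Windows 8 / Server 2012 or later (Get-NetFirewallRule, Resolve-DnsName),
# an English-language OS (firewall group display name), and the lab domain onprem.local.
$DomainName = 'onprem.local'
$WmiGroup   = 'Windows Management Instrumentation (WMI)'

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

$results = @()

# 1. The WMI service (Winmgmt) must be running on the target.
$svc = Get-Service -Name Winmgmt
$results += New-CheckResult 'WMI service running' ($svc.Status -eq 'Running') "$($svc.Status)"

# 2. At least one inbound allow rule from the predefined WMI group must be enabled.
$rules = @(Get-NetFirewallRule -DisplayGroup $WmiGroup -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
$on = @($rules | Where-Object { $_.Enabled -eq 'True' })
$results += New-CheckResult 'WMI firewall rules enabled' ($on.Count -gt 0) `
    "$($on.Count) of $($rules.Count) inbound allow rules enabled"

# 3. DNS must resolve the domain controller locator record for the domain.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' })
$results += New-CheckResult 'DC locator SRV record resolves' ($srv.Count -gt 0) `
    ($srv.NameTarget -join ', ')

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'At least one prerequisite failed; Group Policy Results from GPMC is likely to fail for this target.'
}
```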
32. Tips and Tricks: GPP – Apply Once Only?
   On the client machine, remove the following registry key and run GP update; the GPP that is configured as Apply Once Only will apply again.
   HKLM\SOFTWARE\Microsoft\Group Policy\Client\RunOnce
33. Tips and Tricks: GPP – Settings with Red and Green Underline – What does it mean?
   - Red – [No Go], Will not Deliver
   - Green – [Go], Will be Delivered
Guide class to log in to Physical Host and launch Hyper-V.
Accessing the Hyper-V VMs: log in to the VM using the Domain Admin accounts.
Domain Admin: Administrator
Domain Accounts: CTUUser01, CTUUser02
Domain Groups: CTU_LocalAdmin, CTU_Users
To show that for certain OU, one cannot link GPO to it.
Work together with the class on how to configure this GPO and apply it, and show what the end result is.
Expected Result:
User able to insert another domain group to the local machine administrators group.
User unable to add another domain account to the local machine administrators group.
Work together with the class on how to configure this GPO and apply it, and show what the end result is.
Expected Result:
User able to insert another domain group to the local machine administrators group.
User able to add another domain account to the local machine administrators group.
Mention that DNS must be able to resolve properly too! DNS is very critical for GPO to function properly.
Create a batch file containing the following line to perform the action to remove the registry key:
REG DELETE "HKLM\SOFTWARE\Microsoft\Group Policy\Client\RunOnce" /va