Windows-2008 Server
Administration
Asmatullah Khan,
CL/CP, GIOE,
Secunderabad.
Contents
Analyze the Installation & Configuration of Windows 2008 Server
Discuss User & Group Managements.
Analyze the working of Device Manager, Drivers Signing & Signature Verification & Managing Ports.
Implement the Installing & Managing & Configuration Printers,
Discuss Disk Management Tools & Tasks,
Describe File Systems and User Management.
Implementing Files and Folder NTFS & Share Permissions.
Explain Managing Servers Remotely Using Terminal Services (Remote Desktop).
Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server.
Implementing & Configuring VPN.
Implementing & Configuring Active Directory Services Forest.
Implementing Server Roles, Restoring Active Directory.
Implementing Local and Domain Security policies
Explain briefly about Group policy Architecture
Implementing Group Policy: Configuring User environment by using Group policy
Deploying software through Group Policy
Installation & Configuration of Windows 2008 Server
Windows Server 2008 offers two general
types of installations:
a typical Full server installation and
Server Core.
Server Core is a stripped down version of
Windows Server 2008 that doesn’t include a
GUI or any other unneeded services.
Instead, the server installs only key features
that are related to the role that it supports—
for example, Active Directory or Domain Name
System (DNS).
Installation & Configuration of Windows 2008 Server -
Pre-Installation Analysis
In Windows Server 2008, a major problem (having to key in bits of
information at different times throughout the installation process,
such as license information, components to install, and network
configuration) has been addressed by reducing the number of
interactive steps required to get Windows Server up and running.
All the necessary questions for the installation are asked up front,
before you begin the actual installation process of copying the
files and performing the initial server configuration.
By doing this, the installation process no longer has to stop for
additional information before it can proceed.
Once the server software installation is complete, installation of
components and the configuration of the server can proceed under
the new integrated management tool called Server Manager.
Installation & Configuration of Windows 2008 Server -
Interactive Installation Steps
1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If
you don’t have an installation DVD for Windows Server 2008, you can download one
for free from Microsoft’s Windows 2008 Server Trial website. Reboot the computer.
2. When prompted for an installation language and other regional options, make your selection and press Next.
3. Next, press Install Now to begin the installation process.
4. Product activation is now identical to that found in Windows Vista. Enter your Product ID in the next window, and if you want to automatically activate Windows the moment the installation finishes, click Next.
If you do not have the Product ID available right now, you can leave the box empty and click Next. You will need to provide the Product ID later, after the server installation is over. Press No.
5. Because you did not provide the correct ID, the installation process cannot determine what kind of Windows Server 2008 license you own, and therefore you will be prompted to select your correct version in the next screen, assuming you are telling the truth and will provide the correct ID to prove your selection later on.
6. If you did provide the right Product ID, select the Full version of the correct Windows version when prompted, and click Next.
7. Read and accept the license terms by clicking to select the checkbox and pressing Next.
8. In the “Which type of installation do you want?” window, click the only available option – Custom (Advanced).
9. In the “Where do you want to install Windows?” window, if you’re installing the server on a regular IDE hard disk, click to select the first disk, usually Disk 0, and click Next.
10. The installation now begins, and you can go and have lunch. Copying the setup files from the DVD to the hard drive only takes about one minute. However, extracting and uncompressing the files takes a good deal longer. After 20 minutes, the operating system is installed. The exact time it takes to install server core depends upon your hardware specifications. Faster disks will perform much faster installs. Windows Server 2008 takes up approximately 10 GB of hard drive space.
11. When the server reboots, you’ll be prompted with the new Windows Server 2008 type of login screen. Press CTRL+ALT+DEL to log in.
12. Click on Other User.
13. The default Administrator password is blank, so just type Administrator and press Enter.
14. You will be prompted to change the user’s password. You have no choice but to press OK.
15. In the password changing dialog box, leave the default password blank, and enter a new, complex, at-least-7-characters-long password twice. A password like “topsecret” is not valid (it’s not complex), but one like “T0pSecreT!” sure is. Make sure you remember it.
16. Someone thought it would be cool to nag you once more, so now you’ll be prompted to accept the fact that the password has been changed. Press OK. Finally, the desktop appears and that’s it, you’re logged on and can begin working. You will be greeted by an assistant for the initial server configuration, and after performing some initial configuration tasks, you will be able to start working.
Installation & Configuration of Windows 2008 Server -
Initial Post Installation Configuration Tasks
Task: Description
Set the Administrator Password: Lets you set the password for the Administrator account and rename the account.
Set Time Zone: Sets the time zone for the server.
Configure Networking: Opens the Network Connections Control Panel applet so you can configure your various network interfaces.
Provide Computer Name and Domain: Lets you change the computer name as well as join a domain.
Enable Automatic Updating and Feedback: Lets you specify how you want to configure Windows Update, Windows Error Reporting, and the Customer Experience Improvement Program (CEIP). You should compare the Windows Error Reporting information as well as the CEIP settings against your organization’s policies, since both features send usage information back to Microsoft.
Download and Install Updates: Lets you download and install updates. You should do this unless you have an alternative patch-management tool, since you want your system to be up to date with all critical security patches before opening it up to your network. You should manually set the configuration of the updates based on your own policies to prevent updates from automatically restarting your server. You should also keep checking for updates after each reboot until all the updates have been installed.
Add Roles: Lets you add roles to this server, that is, Dynamic Host Configuration Protocol (DHCP), DNS, Internet Information Services (IIS), and so on.
Add Features: This new interface replaces the Add/Remove Windows Components from the Add/Remove Programs Control Panel applet in previous versions of Windows and provides a much easier means of adding additional Windows components.
Enable Remote Desktop: Lets you configure remote desktop.
Placing user accounts in default local groups grants those users the
permissions and responsibilities of those groups.
Groups let you assign permissions just once to the group, thus granting
those permissions to all the members of the group, and give you an easy
way to delegate administration of your server.
For example, if you want to have a user perform a daily backup of your server,
you would simply need to add them to the Backup Operators group, and they
would be granted the necessary rights to perform backup and restore
operations.
Windows Server 2008 - User & Group Managements – List
of Default Groups
Group: Definition and Usage
Administrators: This group has unrestricted access to the local computer. This account is the main account to accomplish any task on a server. By default, the Administrator account is the only member of this group.
Backup Operators: This group, as the name suggests, is designed for the backup and restoration of files on the server.
Certificate Service DCOM Access: This group is allowed to connect to certificate authorities for enrollment in your preferred Public Key Infrastructure.
Cryptographic Operators: This group is allowed and authorized to perform cryptography operations on your server. These settings include the crypto settings in the IPsec policy of the Windows Firewall, among other settings.
Distributed COM Users: This group can activate and launch DCOM objects on the server. DCOM objects are used for the communications of the applications.
Event Log Readers: This group can work with and read the local event logs on the server.
Guests: Users of this group by default have the same access as the Users group, except for the Guest account, which is further restricted. By default, the only account in this group is the disabled Guest account.
IIS_IUSRS: This is the default group account for use with Internet Information Services.
Network Configuration Operators: Users in this group have some administrative privileges over managing the configuration of networking features on the server.
Performance Log Users: This group allows its users to schedule the logging of performance counters, enable trace providers, and collect event traces for the local server. The tasks can be performed locally or remotely.
Performance Monitor Users: This group can access the local performance counter data either locally or through remote administration.
Power Users: This group has limited administrative capabilities on the system and is primarily included for backward compatibility with previous operating systems.
Print Operators: These users can work with and administer printers on the local server system.
Remote Desktop Users: Users in this group are given the right to log on remotely to the server.
Replicator: This group is designed for file replication.
Users: Have limited administrative access to the system to prevent members from inadvertently making changes that can cause system-wide changes; however, users in this group can run and access most applications.
Windows Server 2008 - User & Group Managements –
Creating Users – Types of User Accounts
There are two types of user accounts in system administration:
Local User Account
allows a user to log on to their own system,
access the resources that are on that system, and
manage only that system.
Account credentials are saved and authenticated locally on the specific
system.
Domain User Account
allows a user to log on to any system from a remote machine configured to be
in the domain,
access any resource in the domain configured to be shared, and
manage any system configured with remote desktop or terminal services.
Account credentials are saved and authenticated in Active Directory and are
centralized throughout the domain.
Windows Server 2008 - User & Group Managements –
Creating Users – Local Users Accounts
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. Double click the Users folder.
4. Right click in the users list and click New User.
5. Fill in the information for the new user and click Create. You can create another
user. Click Close when you are done creating users.
6. You should now see your newly created user accounts. By default, new user accounts
are given limited access permissions.
Windows Server 2008 - User & Group Managements – Creating Users – Local
Users Accounts (Granting Local Administrator Permissions)cont…
10. In Select Groups, type in Administrators and click Check Names. Click OK when you
are done. Click OK again to save the changes.
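The default groups listed earlier and the "add to Administrators" step above both change who holds privileged rights on the server, so membership is worth reviewing after accounts are created. The following is an added example, not part of the original slides: it reads local group membership through the ADSI WinNT provider (available in PowerShell on Windows Server 2008) and reports members that are not in a baseline. The baseline values and the function names are assumptions for a freshly installed standalone server; adjust them for your environment.

```powershell
# Added example: report members of privileged local groups that are not in a baseline.
# Baseline is an assumption: a fresh standalone server as described in the group list above.
$Baseline = @{
    'Administrators'       = @('Administrator')
    'Backup Operators'     = @()
    'Remote Desktop Users' = @()
    'Power Users'          = @()
    'Guests'               = @('Guest')
}

function Get-LocalGroupMemberInfo {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [string]$Computer = $env:COMPUTERNAME
    )
    # Bind to the local group through the WinNT provider.
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
        # Members come back as COM objects, so properties are read via reflection.
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $name  = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Group   = $Group
            Name    = $name
            Class   = $class                                   # User or Group
            IsLocal = ($path -like "WinNT://*/$Computer/*")    # local vs. domain principal
            Path    = $path
        }
    }
}

function Test-LocalGroupBaseline {
    param(
        [hashtable]$Expected = $Baseline,
        [string]$Computer = $env:COMPUTERNAME
    )
    foreach ($group in $Expected.Keys) {
        try {
            $members = @(Get-LocalGroupMemberInfo -Group $group -Computer $Computer)
        } catch {
            # The group may not exist on this edition, or access may be denied.
            Write-Warning "Could not read group '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if ($Expected[$group] -notcontains $m.Name) {
                # Anything outside the baseline is returned for review.
                $m | Select-Object Group, Name, Class, IsLocal, Path
            }
        }
    }
}

# Run the check and show unexpected members, if any.
Test-LocalGroupBaseline | Format-Table -AutoSize
```

An empty result means every checked group matches the baseline; a user added to Administrators by the steps above will be listed until the baseline is updated to include that account.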
Windows Server 2008 - User & Group Managements – Creating Users –
Domain Users Accounts
1. Click Start, select Administrative Tools and click Active Directory Users and
Computers.
2. In Active Directory Users and Computers, navigate to the folder where you want to
store the new user.
6. Click Finish.
7. You should now see your newly created user account. By default, new user accounts
are given limited access permissions.
Windows Server 2008 - User & Group Managements – Creating Users –
Domain Users Accounts (Granting Administrator Permissions) cont…
11. In Select Groups, type in Administrators and click Check Names. Click OK when you
are done. Click OK again to save the changes.
Explain Managing Servers Remotely Using Terminal Services
(Remote Desktop)
Remote Desktop Services (RDS), known as Terminal Services in Windows Server
2008 and earlier, is one of the components of Microsoft Windows that allows a user to
take control of a remote computer or virtual machine over a network connection.
RDS is Microsoft's implementation of thin client, where Windows software, and the
entire desktop of the computer running RDS, are made accessible to a remote client
machine that supports Remote Desktop Protocol (RDP).
With RDS, only software user interfaces are transferred to the client system.
In effect, while the applications and desktops appear to be running on the local machine
they are actually running in virtual sessions on the remote server with only the display
graphics and keyboard and mouse information passing between the two systems.
This allows one or more Windows Server 2008 R2 systems (referred to as Remote
Desktop Session Hosts) to provide the applications and desktops for any number of
desktop systems.
This has a number of advantages in terms of ensuring that all users have the same
version of a particular application and also in terms of reducing administrative
overheads.
RDS includes:
RDSH – Remote Desktop Session Host
It’s a workforce where remote desktop sessions are running.
Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server
Select Start -> Administrative Tools -> Routing and Remote Access.
Right-click the server and select Configure and Enable Routing and Remote Access -> Click Next.
Select Custom Configuration (as the default one will expect us to have more than one NIC) -> Click Next -> Select VPN access and click Next -> Click Finish (ignore the warning, click OK) -> Click Start Service.
Right-click the server -> select Properties -> IPv4 tab -> Select Static Address Pool -> Add -> Specify a range for VPN clients.
Right-click Remote Access Logging & Policies -> Select Launch NPS -> Select Accounting -> Click Configure Accounting.
Click Next -> Select Log to a text file on the local computer -> Click Next.
Implementing & Configuring Active Directory Services Forest
Make three servers and configure their IP settings and system names as shown below.
Server                          IP            DNS           DG (default gateway)
gioe.local (parent server)      192.168.1.2   192.168.1.2   192.168.1.1
gpthyd.local (parent server)    192.168.1.1   192.168.1.1   192.168.1.2
cp.gioe.local (child server)    192.168.1.3   192.168.1.3   192.168.1.2
Implementing & Configuring Active Directory Services Forest - gioe.local (parent server)
Add the Active Directory Services role to the server.
Start -> Administrative Tools -> Server Manager -> Add Role
Active Directory Services -> Next -> Add Required Features (.NET Framework)
Next -> Install -> Close.
Active Directory Services is now installed; next we have to make the server a Domain Controller.
Start -> dcpromo -> Next -> Next -> Select Create a new domain in a new forest.
Give an appropriate domain name (gioe.local) and click Next -> Select the appropriate forest functional level (Windows Server 2008 R2) and click Next.
Click Next -> Yes -> Next -> Give AD Backup Password (ADBckup@Srv-1) and click Next.
Click Next -> Check Reboot on completion -> Wait till the server restarts, then verify and reset the IP settings once again -> Configure DNS by clicking Start -> Administrative Tools -> DNS.
Right-click Forward Lookup Zone -> New Zone -> Next -> Next -> Next.
Provide the second tree’s domain name as the new forward lookup zone name (gpthyd.local) and click Next -> Next -> Finish.
Then delegate forward lookup zone authority to the second tree server (GpthydSrv) by right-clicking the new forward lookup zone (gpthyd.local) and selecting New Delegation.
Click Next -> Give the second tree server name GpthydSrv and click Next -> Click Add -> Provide the FQDN of the second tree’s DNS server (GpthydSrv.gpthyd.local) and click OK.
Click Next -> Finish.
The forward lookup zone on the first tree’s DNS server is now configured and delegated to the second tree server.
Implementing & Configuring Active Directory Services Forest - gpthyd.local (parent server-second tree)
Install Active Directory Services and promote the server to Domain Controller by clicking Start -> type dcpromo -> select Use advanced mode installation and click Next -> Select Existing Forest and its sub-choice Create a new domain in an existing forest, select Create a new domain tree root instead of a new child domain, and click Next -> Give the first tree’s domain name (gioe.local) and its corresponding login credentials by clicking the Set button, then click OK and Next.
Give the second tree’s domain name (gpthyd.local) and click Next -> Next -> Next -> Select Global Catalog and click Next.
Click Next (as we have already created the DNS delegation on the first tree’s DNS (gioe.local)) -> Next -> Next -> Give an appropriate Active Directory Backup Password (ADBckup@Srv-2) and click Next.
Click Next -> Select Reboot on completion and wait for the server to restart.
The second tree’s Domain Controller (gpthyd.local) is ready and has a trust relationship established with the first tree’s domain controller (gioe.local).
Implementing & Configuring Active Directory Services Forest – cp.gioe.local (child server-first tree)
Make sure the IP settings are as given below on the child server, install Active Directory Services, and promote the server to Domain Controller by clicking Start -> dcpromo -> Next -> Next -> Select Existing forest and Create a new domain in an existing forest and click Next.
Give the parent domain name gioe.local and its corresponding credentials by clicking the Set button -> it will examine the Active Directory forest details. Then give the FQDN gioe.local along with its child domain name cp and click Next; it will validate before proceeding further.
Click Next -> Select Global Catalog along with DNS server and click Next -> Next -> Give Active Directory Recovery Password (ADBckup@Srv-3) and click Next.
Next -> Select Reboot on completion and wait till the server reboots.
We have configured the basic forest requirements. Next we will test the forest by creating groups on individual servers and trying to include users from anywhere in the entire forest.
On the child server, try to create a group Test by selecting Start -> Administrative Tools -> Active Directory Users and Computers -> Expand cp.gioe.local -> Right-click the Users OU and select New and then Group.
Give Test as the name of the group, Universal as the group scope and Security as the group type -> click OK.
Right-click the Test group and go to Properties -> Click Add in the Members tab -> Click Locations to browse the entire forest -> select gioe.local to add users from the first tree -> click OK.
Type Enterprise Admins and click Check Names -> Click OK to add the user to the Test group; thus we are able to use parent server gioe.local domain users in the child server cp.gioe.local domain.
Similarly, on the second tree DC gpthyd.local, try to add users to a group Test from the first tree gioe.local.
If we are able to add Enterprise Admins from gioe.local to gpthyd.local, then our forest has been configured correctly with a trust relationship between the first and second trees of the forest.
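The forest layout built above can also be verified without changing any group membership. The following is an added example, not part of the original slides: it uses the .NET System.DirectoryServices.ActiveDirectory classes from PowerShell on a domain-joined machine to list each domain, its parent and its trust relationships, and compares them with the layout from this walkthrough. The function names and the expected-layout table are assumptions made for the example.

```powershell
# Added example: verify the forest layout from the walkthrough (read-only).
# Expected layout (domain -> parent domain); $null means a tree root with no parent.
$ExpectedParents = @{
    'gioe.local'    = $null          # forest root, first tree
    'gpthyd.local'  = $null          # root of the second tree
    'cp.gioe.local' = 'gioe.local'   # child domain in the first tree
}

function Get-ForestTopology {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        $parent = $null
        if ($domain.Parent -ne $null) { $parent = $domain.Parent.Name }

        # Trusts created automatically by dcpromo show up as ParentChild or TreeRoot.
        $trusts = @($domain.GetAllTrustRelationships() | ForEach-Object {
            '{0} [{1}, {2}]' -f $_.TargetName, $_.TrustType, $_.TrustDirection
        })

        New-Object PSObject -Property @{
            Domain       = $domain.Name
            Parent       = $parent
            IsForestRoot = ($domain.Name -eq $forest.RootDomain.Name)
            ForestMode   = $forest.ForestMode
            Trusts       = ($trusts -join '; ')
        }
    }
}

function Test-ForestTopology {
    param([hashtable]$Expected = $ExpectedParents)

    $actual   = @(Get-ForestTopology)
    $problems = @()

    foreach ($name in $Expected.Keys) {
        $found = $actual | Where-Object { $_.Domain -eq $name }
        if (-not $found) {
            $problems += "Missing domain: $name"
            continue
        }
        if ($found.Parent -ne $Expected[$name]) {
            $problems += "Domain $name has parent '$($found.Parent)', expected '$($Expected[$name])'"
        }
    }
    foreach ($d in $actual) {
        if (-not $Expected.ContainsKey($d.Domain)) {
            $problems += "Unexpected domain in forest: $($d.Domain)"
        }
    }
    $problems   # empty output means the forest matches the expected layout
}

Get-ForestTopology | Format-List Domain, Parent, IsForestRoot, ForestMode, Trusts
Test-ForestTopology
```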
Implementing Server Roles, Restoring Active Directory
Windows Server 2008 includes a new backup application named
Windows Server Backup.
Windows Server Backup replaces the good old NTBACKUP.EXE and is
not installed by default.
You must install it by using the Add Features option in Server Manager
before you can use the Wbadmin.exe command-line tool or Windows
Server Backup on the Administrative Tools menu.
There are several methods for Active Directory backup and Recovery:
1. Through System State
2. Through the recycle bin
3. Through snapshot backups
4. Through Tombstone Reanimation
System State Backup
In Windows Server 2008, the system components that make up system state data depend on the server
roles that are installed on the computer.
The system state data includes at least the following data, plus additional data, depending on the server
roles that are installed:
Registry
COM+ Class Registration database
Boot files
Active Directory Certificate Services (AD CS) database
Active Directory database (Ntds.dit)
SYSVOL directory
Cluster service information
Microsoft Internet Information Services (IIS) metadirectory
System files that are under Windows Resource Protection
When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup
includes all data that resides on the volumes that include the following:
The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
The volume that hosts the Windows operating system and the registry
The volume that hosts the SYSVOL tree
The volume that hosts the Active Directory database (Ntds.dit)
The volume that hosts the Active Directory database log files
Windows Server 2008 supports the following backup types:
Manual backup
A member of the Administrators group or the Backup Operators group can initiate a manual
backup by using Windows Server Backup or the Wbadmin.exe command-line tool each time that a backup is
needed.
If the target volume is not included in the backup set, you can make manual backups on a remote
network share or on a volume on a local hard drive.
Manual backups made by wbadmin always create a new folder containing the full system state
backup.
This means you need a huge amount of disk space if you want to keep several versions of your
backup.
The wbengine creates a separate folder containing a timestamp for each backup.
Scheduled backup
A member of the Administrators group can use Windows Server Backup or the Wbadmin.exe
command-line tool to schedule backups.
The scheduled backups must be made on a local, physical drive that does not host any critical
volumes or on any remote share (even the system volume of another server).
Backing up onto system-critical volumes can be forced using a registry key.
Active Directory Recycle Bin
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability
to preserve and restore accidentally deleted Active Directory objects without restoring Active
Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting
domain controllers.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of
the deleted Active Directory objects are preserved and the objects are restored in their entirety
to the same consistent logical state that they were in immediately before deletion.
For example, restored user accounts automatically regain all group memberships and
corresponding access rights that they had immediately before deletion, within and across domains.
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled.
After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
When Active Directory Recycle Bin has not been enabled, deleted objects are stripped down and marked
as tombstoned.
The garbage collection process deletes these objects when the tombstone lifetime has expired.
When Active Directory Recycle Bin has been enabled, deleted objects are no longer tombstoned
but receive a “Deleted” status.
In this status, all attributes are preserved.
Objects move to the Recycled status when the deleted object lifetime expires.
In this status, most of the attributes are stripped off and lost.
The garbage collection process physically deletes the object from the AD database when the recycled object
lifetime has expired.
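The Recycle Bin behaviour described above, as an added example that is not part of the original slides: it checks whether the feature is enabled and restores a single deleted user with the Active Directory module for Windows PowerShell that ships with Windows Server 2008 R2. The function names and the account name in the usage line are hypothetical. Because enabling the feature cannot be undone, the enable command is shown only as a comment with -WhatIf.

```powershell
# Added example: restore an accidentally deleted user from the AD Recycle Bin.
Import-Module ActiveDirectory

# One-time, irreversible step (shown with -WhatIf so nothing changes when pasted):
#   Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
#       -Scope ForestOrConfigurationSet -Target 'gioe.local' -WhatIf

function Test-RecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    if (-not $feature) { return $false }          # feature unknown to this forest
    return ($feature.EnabledScopes.Count -gt 0)   # empty scopes = still disabled
}

function Restore-DeletedUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restricting the characters keeps the value safe to place in the filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$SamAccountName
    )

    if (-not (Test-RecycleBinEnabled)) {
        throw 'Active Directory Recycle Bin is not enabled; deleted objects are tombstoned and most attributes are lost.'
    }

    # Deleted objects are only returned when -IncludeDeletedObjects is given.
    $filter  = "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                     -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN')

    if ($deleted.Count -eq 0) {
        Write-Warning "No deleted object found for '$SamAccountName' (it may already be in the Recycled state)."
        return
    }
    if ($deleted.Count -gt 1) {
        # The same name can be deleted more than once; let the operator choose.
        Write-Warning "More than one deleted object matches; restore by ObjectGUID instead:"
        return ($deleted | Select-Object ObjectGUID, whenChanged, lastKnownParent)
    }

    $obj = $deleted[0]
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) {
        # Restores to the last known parent container with attributes intact.
        $obj | Restore-ADObject -PassThru
    }
}

# Usage (hypothetical account name); add -WhatIf to preview without restoring:
# Restore-DeletedUser -SamAccountName 'jdoe' -WhatIf
```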
Implementing Server Roles, Restoring Active Directory
If these policies are used, they are processed in the above order, especially for conflict resolution
(last policy setting takes precedence)
Domain GPOs
Domain GPOs are stored in Active Directory on domain controllers
Consists of two separate parts: a group policy template (GPT) and a group policy container (GPC)
GPT and GPC have naming structure and folder structure as common traits
Knowing GPO structure is important for resolving issues
Explain briefly about Group policy Architecture - GPT
A group policy template contains all the policy settings that make up a GPO
as well as related files, such as scripts, and is contained in the Sysvol share
on a domain controller
Upon creation of a GPO, several files and subfolders are created (exact
number may vary), but each GPT folder will contain at least three items
GPT.ini
Machine
User
Explain briefly about Group policy Architecture – Group Policy Containers
Stored in the System\Policies folder
Contains GPO properties and status information but no policy settings
Similar to GPT in that it uses a GPO’s GUID for a folder name
Information contained in a GPC
Name of the GPO
File path to GPT
Version
Status
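Because each GPO is split between the GPT in Sysvol and the GPC in Active Directory, a common thing to check when resolving issues is whether the two halves carry the same version. The following is an added example, not part of the original slides: it reads each GPC's name, file path, version and status from CN=Policies,CN=System and compares the version with the Version= line in the matching GPT.INI. The function name is an assumption; the attribute names (displayName, gPCFileSysPath, versionNumber, flags) are the standard GPC attributes.

```powershell
# Added example: compare GPC (Active Directory) and GPT (Sysvol) versions for every GPO.
function Get-GpoVersionReport {
    param(
        # Distinguished name of the domain, e.g. DC=gioe,DC=local; defaults to the current domain.
        [string]$DomainDn
    )
    if (-not $DomainDn) {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $DomainDn = "$($rootDse.defaultNamingContext)"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDn"
    $searcher.Filter     = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize   = 500
    foreach ($p in 'cn', 'displayname', 'gpcfilesyspath', 'versionnumber', 'flags') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $searcher.FindAll()) {
        $guid       = [string]$result.Properties['cn'][0]              # folder name in both GPC and GPT
        $name       = [string]$result.Properties['displayname'][0]
        $gptPath    = [string]$result.Properties['gpcfilesyspath'][0]  # UNC path into Sysvol
        $gpcVersion = [int]$result.Properties['versionnumber'][0]
        $flags      = 0
        if ($result.Properties['flags'].Count -gt 0) { $flags = [int]$result.Properties['flags'][0] }

        # Read Version=<n> from GPT.INI, if the template folder is reachable.
        $gptVersion = $null
        $iniPath    = Join-Path $gptPath 'GPT.INI'
        if (Test-Path -LiteralPath $iniPath) {
            foreach ($line in (Get-Content -LiteralPath $iniPath)) {
                if ($line -match '^\s*Version\s*=\s*(\d+)') {
                    $gptVersion = [int]$Matches[1]
                    break
                }
            }
        }

        switch ($flags) {
            0       { $status = 'Enabled' }
            1       { $status = 'User settings disabled' }
            2       { $status = 'Computer settings disabled' }
            3       { $status = 'All settings disabled' }
            default { $status = "Unknown ($flags)" }
        }

        New-Object PSObject -Property @{
            Name            = $name
            Guid            = $guid
            Status          = $status
            GpcVersion      = $gpcVersion
            GptVersion      = $gptVersion
            # The version number packs the user revision in the high 16 bits
            # and the computer revision in the low 16 bits.
            UserRevision    = [int][math]::Floor($gpcVersion / 65536)
            ComputerRevision = $gpcVersion % 65536
            InSync          = ($gptVersion -ne $null -and $gptVersion -eq $gpcVersion)
        }
    }
}

Get-GpoVersionReport |
    Sort-Object InSync, Name |
    Format-Table Name, Status, GpcVersion, GptVersion, InSync -AutoSize
```

A GPO with InSync = False has either a missing or unreadable GPT.INI or a GPT and GPC at different versions.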
Implementing Group Policy: Configuring User environment by using Group policy
Changing Password Requirements through Group Policy
Click on Start -> Administrative Tools -> Group Policy Management
Expand Domain (gioe.local) -> Double-click Default Domain Policy -> The Settings tab gives a summary report of all the default domain-level
settings. It also gives a detailed hierarchical structure of the policy settings, which we can use to navigate accurately to the settings we need to modify.
Right-click Default Domain Policy -> Choose Edit -> Expand Computer Configuration, then Policies, then Windows
Settings, then Security Settings, then Account Policies -> Choose Password Policy.
Publishing Software
You can publish a program distribution to users.
When the user logs on to the computer, the published program is displayed in
the Add or Remove Programs dialog box, and it can be installed from there.
Deploying software through Group Policy
There are 3 things you will need in order to have a successful Software
Installation GPO:
1. The most important thing you will need is a Microsoft installer file, called
.msi -- you cannot use the .exe file that is on the DVD.
You will need to get a packaging utility to turn that .exe file into .msi file. Many of
them are available for instant download from internet.
There are a few that will cost money but there are also free downloads. Here is an
example from each:
MSI Studio (30 day free trial):
http://www.scriptlogic.com/products/msi-studio/
EXE-to-MSI: http://juice.altiris.com/download/1355/exe-to-msi
2. The second thing you will need to create is a Shared Folder on your
network for the software to live in. You need to make sure that every
computer has at least "read" access to that folder and its contents.
3. And the last thing you will need is the new Group Policy Object linked to
the appropriate Organization Unit.
Deploying software through Group Policy – 7Zip MSI Software Installation
Create a shared folder on the server and put the installation .msi file in it.
Apply share permissions to Everyone with at least Read permissions.
Apply NTFS permissions to Everyone with at least Read permissions.
Open GPMC -> Right-click the CP OU and select Create a GPO in this domain, and link it here…
Give the name 7zip and click OK -> Navigate to the CP OU in the left-hand panel and select it -> Right-click the 7zip GPO in the right-hand panel and select Edit.
GPME opens. In the left-hand panel navigate to Computer Configuration -> Policies -> Software Settings -> Software Installation -> Right-click Software Installation -> New -> Package.
Browse to the location of the .msi software using a UNC path -> select the software .msi file and click Open.
Select Assigned -> click OK. The software is now published as a GPO.
Move on to the client and type gpupdate /force or simply reboot the client.
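A package assigned under Computer Configuration is installed by the client with system privileges, so the deployment folder should grant broad groups Read and nothing more. The following is an added example, not part of the original slides: it reads the NTFS ACL of the deployment folder and everything in it and reports any Allow entry that gives write-type rights to Everyone, Authenticated Users, Users, Domain Users or Domain Computers. The function name and the UNC path in the usage line are hypothetical, and share-level permissions are not checked here.

```powershell
# Added example: find write access for broad groups on a software deployment folder.
function Test-DeploymentPathAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path   # local or UNC path to the package folder
    )

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    # Domain Users (-513) and Domain Computers (-515) of any domain.
    $broadDomainPattern = '^S-1-5-21-.*-(513|515)$'

    # Rights that allow changing or replacing a package.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]('WriteData, AppendData, ' +
        'WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')
    # Raw generic bits sometimes appear in inherited ACEs: GENERIC_ALL and GENERIC_WRITE.
    $genericMask = 0x10000000 -bor 0x40000000

    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)

    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }

            # Compare by SID so localized or renamed group names still match.
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $rule.IdentityReference.Value   # unresolved account; keep the raw value
            }
            $isBroad = ($broadSids -contains $sid) -or ($sid -match $broadDomainPattern)
            if (-not $isBroad) { continue }

            $rights = [int]$rule.FileSystemRights
            if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
                New-Object PSObject -Property @{
                    Item      = $item.FullName
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Usage (hypothetical share path); no output means no broad write access was found.
# Test-DeploymentPathAcl -Path '\\server\software\7zip' | Format-Table -AutoSize
```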