What is Group Policy
33: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/6537814?start=0
- Group Policy is a tool used by System Administrators to make configuration changes to users and computers within Active Directory.
- With GP, you can implement security configurations across your domain
- Restrict some users from logging into computers
- Allow certain users to access certain files
- Assign specific users (or all users) a specific background image
- Deploy software to domain workstations
- Group Policy works by applying GPO (Group Policy Objects) to the OU (Organizational Unit) structure created in AD
- A Group Policy Object contains configuration settings for Users and Computers. When a GPO is applied to an OU, the settings configured in the GPO are applied to the users and computers within the OU.
- You can also configure GPOs to only apply to certain objects by assigning security filtering.
- The most common, and default choice, is the Authenticated Users group, which is basically any valid user or computer within AD.
- GPOs are applied recursively, so the settings will also be applied to all sub OUs
How to start Group Policy
- Server Manager > Tools > Group Policy Management
- Once the console opens, you’ll need to expand the ‘Forest’
- Domains: Contains all the domains that are underneath the Forest
- Sites: Contains all sites you may have configured through AD Sites and Services
- This is used when you have servers that are physically in a different location, like a different building, city or country.
- Group Policy Modeling and Group Policy Results are both tools that can be used to troubleshoot issues with Group Policy
- Domains > Domain name
- Default Domain Policy
- Created automatically when a domain is created.
- Because it is directly under the domain, it will be applied to all AD objects within the Domain.
- Group Policy Objects
- Contains all the GPOs that are inside your domain whether they are currently in use or not.
- Includes
- Default Domain Policy (above)
- Default Domain Controllers Policy (Domain > Domain Controllers)
- WMI Filters
- Allows you to add specific rules for when a specific GPO should or should not be applied.
- e.g. only apply this GPO if a computer is running Windows 7 or newer
- Starter GPOs are used when you want to import or export GPOs from other environments.
Creating and Managing Group Policy Objects (GPOs)
34: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/6733724?start=0
- Group Policy Objects contain settings and configurations that are applied to users and computers that are stored in Active Directory
- Domains can contain several GPOs and you will almost never see a domain that contains only 1 GPO
- A single GPO can be applied to multiple OUs
- GPOs are added by ‘Linking’ them
- Rclick the OU >
- Create a GPO in this domain, and Link it here…
- Link an existing GPO
- GPOs are Modular.
- An Admin will generally create several GPOs and apply them as needed.
- Create a GPO that installs Flash
- Create a GPO that prevents the use of Internet Explorer
- This should be applied to EVERY computer
Create a new GPO
- Rclick Domain > Create a new GPO in this …
- Name: Test GPO
- [ OK ]
- Will appear under the Domain and in Group Policy Objects
- Rclick Test GPO
- Edit: Make changes to the GPO
- Enforce: Apply higher priority than other GPOs for that OU
- Link Enabled: if unchecked, will remain linked to the OU, but settings will not be applied.
- Save Report: Save all settings in an HTML file
- or – click the GPO > Settings tab to view the settings without saving a report
Edit a GPO
- Rclick Test GPO > Edit
- Two types of Configurations
- Computer Configurations: ONLY applied to Computer objects
- User Configurations: ONLY applied to User objects
- If the GPO is applied to an OU that only contains users, and you make a change under Computers, none of the settings will be applied to those users.
Delete a GPO
- To fully delete a GPO (and from ALL linked OUs) it must be deleted under Group Policy Objects
- Deleting a GPO from under an OU will only delete that link to the OU
Group Policy Precedence
35: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/6509842?start=0
There will be times when multiple GPOs are trying to compete for the same settings. Precedence defines which setting will be applied and which will be ignored.
Lowest to Highest Priority
- Local Group Policy (gpedit.msc)
- First thing applied to the computer
- Least important
- Site
- Overwrites any policies set in the Local GP
- Domain
- Organizational Unit
- Sub OUs (overrule the parent OU)
- Enforced Group Policy Objects
- Most important
- The last GPO to be applied WINS
- Remember LSDOE
Computer Vs. User
- Computer Config applied first
- User applied second
- User Wins!
Blocked Inheritance
- Applies to Organizational Units
- OUs may block inheritance
- Only GPOs inside the OU will apply
- EXCEPT for enforced GPOs above the OU
To block inheritance
- Rclick the OU and select ‘Block Inheritance’
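The precedence rules above (LSDOE, enforced links, blocked inheritance) can be checked from PowerShell instead of clicking through the console. The following is an added example, not part of the course notes: it uses the GroupPolicy RSAT module's Get-GPInheritance cmdlet, whose InheritedGpoLinks property lists every link that reaches a container with the highest-precedence (last-applied) GPO first, and it flags containers with inheritance blocked and links that are present but disabled. The OU distinguished name is a placeholder.

```powershell
# Added example (not from the course): report the GPO precedence an OU actually receives.
# Assumes the GroupPolicy RSAT module is installed and the caller can read Group Policy in AD.
Import-Module GroupPolicy

function Get-GpoPrecedenceReport {
    param(
        # Distinguished name of the OU (or domain) to inspect; placeholder, replace with your own
        [Parameter(Mandatory)]
        [string]$TargetDN
    )

    $inh = Get-GPInheritance -Target $TargetDN

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is BLOCKED on $TargetDN - only enforced GPOs from above still apply."
    }

    # InheritedGpoLinks is the resolved list of links reaching this container
    # (site, domain, parent OUs, this OU), highest precedence first.
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence = $i                 # 1 = wins conflicts (the "last applied" GPO)
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target       # where in LSDOE the link lives
            Enforced   = $link.Enforced     # enforced links beat blocked inheritance
            Enabled    = $link.Enabled
        }
    }
}

# Links that exist but are disabled look "applied" in the console yet do nothing;
# listing them catches configuration drift before an audit does.
function Get-DisabledGpoLinks {
    param([Parameter(Mandatory)][string]$TargetDN)
    (Get-GPInheritance -Target $TargetDN).GpoLinks | Where-Object { -not $_.Enabled }
}

$ou = "OU=Domain Users,DC=example,DC=com"   # placeholder OU DN
Get-GpoPrecedenceReport -TargetDN $ou | Format-Table -AutoSize
Get-DisabledGpoLinks -TargetDN $ou
```

Run it once for the OU you are troubleshooting and compare the Precedence column with what Group Policy Results reports on a member of that OU; any difference points at a local policy, a WMI filter or security filtering rather than at link order.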
Storing User Input into Variables with PowerShell
36: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/6744866?start=0
PowerShell New-ADUser Variables
Prerequisites
- Logged into a DC or
- Have RSAT installed
Creating our first script
- Open PowerShell ISE
- Server Manager > Tools > Windows PowerShell ISE
- In the ISE, click the ‘Script’ drop-down (upper right corner) to show the script editor
# Store the user's name and password into variables
$firstname = Read-Host -Prompt "Enter the user's first name"
$lastname = Read-Host -Prompt "Enter the user's last name"
$password = Read-Host -Prompt "Enter $firstname $lastname's password"
# Display the results
echo "$firstname $lastname's password is $password."
- Run the script by clicking the green ‘Run Script’ (Play) button in the ISE toolbar
EASY!
Creating Active Directory User Accounts with PowerShell Part 1
37: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/7045012?start=0
Import the ActiveDirectory module.
- If you are not on a Domain Controller and do not have RSAT installed, the import (and the script) will fail.
# Import required modules
Import-Module ActiveDirectory
Find the path and store it in a variable
- ServerManager > Tools > Active Directory Users and Computers
- View > Advanced Features
- Rclick the OU you wish to use > Properties
- Click the ‘Attribute Editor’ tab
- Double click ‘distinguishedName’ to access the value and copy it.
# Specify where to store the user account
$OUpath = "OU=Domain Users,OU=thomasroberts.name,DC=thomasroberts,DC=name"
Convert the password into a secure string
# Convert the password to a secure string
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
Create the User Account
# Create the user account
New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -UserPrincipalName "$firstname.$lastname" -Path $OUpath -AccountPassword $securePassword -ChangePasswordAtLogon $True -Enabled $True
Full Script to create a user
# Import Modules
Import-Module ActiveDirectory

# Store the user's name and password into variables
$firstname = Read-Host -Prompt "Enter the user's first name"
$lastname = Read-Host -Prompt "Enter the user's last name"
$password = Read-Host -Prompt "Enter $firstname $lastname's password"

# Display the results
echo "$firstname $lastname's password is $password."

# Specify where to store the user account
$OUpath = "OU=Domain Users,OU=thomasroberts.name,DC=thomasroberts,DC=name"

# Convert the password to a secure string
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

# Create the user account
New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -UserPrincipalName "$firstname.$lastname" -Path $OUpath -AccountPassword $securePassword -ChangePasswordAtLogon $True -Enabled $True
Creating Active Directory User Accounts with PowerShell Part 2
38: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/7044978?start=0
Add a While loop to add multiple users
$exit=""
while ($exit -ne 'q'){
...
$exit = Read-Host -Prompt "Enter more users? Enter 'q' to quit."
}
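The Part 1 script reads the password as plain text, echoes it to the console and then converts it; the Part 2 loop repeats that for every user. The following is an added example, not the course's script, that does the same job with the password kept as a SecureString end to end (Read-Host -AsSecureString), a UPN that carries the domain suffix, an existence check before creation, and the Part 2 loop around it. The OU distinguished name and the helper name New-InteractiveAdUser are my own placeholders.

```powershell
# Added example (not the course's script): interactive user creation where the password is
# never held or printed in plain text, wrapped in the "enter 'q' to quit" loop from Part 2.
# Assumes the ActiveDirectory RSAT module is available; $OUpath is a placeholder to replace.
Import-Module ActiveDirectory

$OUpath    = "OU=Domain Users,DC=example,DC=com"   # placeholder OU DN
$upnSuffix = (Get-ADDomain).DNSRoot                 # e.g. example.com, so the UPN is user@domain

function New-InteractiveAdUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UpnSuffix
    )
    $sam = ("$FirstName.$LastName").ToLower()

    # Reject names AD would refuse anyway (invalid sAMAccountName characters, > 20 chars)
    # so the failure is explained here instead of as an LDAP error later
    if ($sam -match '[\\/\[\]:;|=,+*?<>"]' -or $sam.Length -gt 20) {
        throw "'$sam' is not a valid sAMAccountName (invalid characters or longer than 20)."
    }
    if (Get-ADUser -Filter { sAMAccountName -eq $sam }) {
        throw "User $sam already exists; nothing created."
    }

    New-ADUser -Name "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -Path $Path `
        -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true
    return $sam
}

$exit = ""
while ($exit -ne 'q') {
    $firstname = Read-Host -Prompt "Enter the user's first name"
    $lastname  = Read-Host -Prompt "Enter the user's last name"
    # -AsSecureString masks the typing and returns a SecureString directly, so there is
    # no plain-text $password variable and no ConvertTo-SecureString -AsPlainText step
    $password  = Read-Host -Prompt "Enter $firstname $lastname's password" -AsSecureString

    try {
        $sam = New-InteractiveAdUser -FirstName $firstname -LastName $lastname `
                                     -Password $password -Path $OUpath -UpnSuffix $upnSuffix
        Write-Output "Created $sam (password not shown; user must change it at first logon)."
    } catch {
        Write-Warning $_.Exception.Message
    }

    $exit = Read-Host -Prompt "Enter more users? Enter 'q' to quit."
}
```

The only behavioural difference from the course version a user will notice is that the password is not echoed back; everything else (name, OU, forced change at first logon, enabled account) matches the Part 1 New-ADUser call.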
Saving a PowerShell Script
- Save to your desktop or where ever
- Locate the script and Rclick > ‘Run with PowerShell’
- Execution Policy Change
- The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at http://blah.blah. Do you want to change the execution policy?
- [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):
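Answering that prompt with Yes to All changes the execution policy for the whole machine (or user) in the registry. As an added example, not part of the course notes, this block shows how to see which scope is actually in effect, check whether a script is marked as downloaded or is signed, and relax the policy only for the current process so nothing persists after the window closes. The script path is a placeholder.

```powershell
# Added example (not from the course): inspect execution policy and relax it only for this
# process instead of answering "Yes to All" and changing it machine-wide.

function Show-ExecutionPolicyScopes {
    # Lists every scope; the first scope from the top that is not Undefined is the effective one
    Get-ExecutionPolicy -List
}

function Test-ScriptTrust {
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Files saved from a browser carry a Zone.Identifier alternate data stream; RemoteSigned
    # blocks such files unless they are signed (or deliberately unblocked with Unblock-File)
    $zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $ScriptPath

    [pscustomobject]@{
        Script          = $ScriptPath
        MarkedDownloaded = [bool]$zone
        SignatureStatus = $sig.Status        # NotSigned, Valid, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Invoke-ScriptWithProcessPolicy {
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Process scope lives only in this PowerShell session; nothing is written to the registry
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    & $ScriptPath
}

Show-ExecutionPolicyScopes
Test-ScriptTrust -ScriptPath "$HOME\Desktop\New-User.ps1"          # placeholder path
# Invoke-ScriptWithProcessPolicy -ScriptPath "$HOME\Desktop\New-User.ps1"
```

A script you wrote yourself in the ISE has no Zone.Identifier stream and runs under RemoteSigned without any prompt; if Test-ScriptTrust reports MarkedDownloaded, review the file before unblocking it rather than lowering the policy to Unrestricted.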
Creating User Accounts from a CSV Spreadsheet with PowerShell
39: https://www.udemy.com/windows-server-2016/learn/v4/t/lecture/7069922?start=0
# Import Modules
Import-Module ActiveDirectory

# Get file path and read the CSV
$filepath = Read-Host -Prompt "Please enter the CSV file path"
$users = Import-Csv $filepath
$securePassword = ConvertTo-SecureString "TempP@ssw0rd" -AsPlainText -Force

# Loop through the users
ForEach ($user in $users) {
    # First line of the CSV = column names
    # Note: if 'First Name' is stored as 'FirstName', no quotes are required!
    $fname = $user.'First Name'
    $lname = $user.'Last Name'
    $jtitle = $user.'Job Title'
    $officephone = $user.'Office Phone'
    $emailaddress = $user.'Email Address'
    $description = $user.Description
    $OUpath = $user.'Organizational Unit'

    # Create the user account
    New-ADUser -Name "$fname $lname" -GivenName $fname -Surname $lname -UserPrincipalName "$fname.$lname" -Path $OUpath -AccountPassword $securePassword -ChangePasswordAtLogon $True -Enabled $True -OfficePhone $officephone -Description $description -EmailAddress $emailaddress

    # Display the results
    echo "User $fname $lname has been created."
}
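The course script gives every imported user the same temporary password, trusts the CSV blindly and cannot be re-run without errors for users that already exist. The following is an added example, not the course's script, that keeps the same CSV column names but validates the required columns and each row's OU before touching AD, generates a separate random temporary password per user, skips users that already exist, and writes a result file that contains statuses but never passwords. The helper names (New-TempPassword, Import-UsersFromCsv), the CSV path and the result path are my own placeholders.

```powershell
# Added example (not the course's script): bulk user creation from the same CSV layout with
# validation, a unique temporary password per user and skip-if-exists, so a re-run is safe.
# Assumes the ActiveDirectory RSAT module is available; paths below are placeholders.
Import-Module ActiveDirectory

$required = 'First Name', 'Last Name', 'Organizational Unit'

function New-TempPassword {
    param([int]$Length = 16)
    # Mixed classes so a 16-char result meets the default AD complexity rule (3 of 4 classes)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)     # reject bytes at/above this to avoid modulo bias
    $out   = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($chars[$buf[0] % $chars.Length]) }
    }
    $out.ToString()
}

function Import-UsersFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$ResultPath   # per-user status log; passwords never go here
    )
    $users   = Import-Csv -Path $CsvPath
    $headers = ($users | Select-Object -First 1).PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $headers }
    if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

    $upnSuffix = (Get-ADDomain).DNSRoot

    $results = foreach ($user in $users) {
        $fname  = "$($user.'First Name')".Trim()
        $lname  = "$($user.'Last Name')".Trim()
        $ou     = "$($user.'Organizational Unit')".Trim()
        $sam    = ("$fname.$lname").ToLower()
        $status = 'created'
        try {
            if (-not $fname -or -not $lname) { throw "blank first or last name in row" }
            # Fail early on a typo'd OU instead of half-creating the account
            $null = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop

            if (Get-ADUser -Filter { sAMAccountName -eq $sam }) {
                $status = 'skipped (already exists)'
            } else {
                # Optional attributes are only passed when the CSV actually has a value
                $extra = @{}
                if ($user.'Job Title')     { $extra.Title        = $user.'Job Title' }
                if ($user.'Office Phone')  { $extra.OfficePhone  = $user.'Office Phone' }
                if ($user.'Email Address') { $extra.EmailAddress = $user.'Email Address' }
                if ($user.Description)     { $extra.Description  = $user.Description }

                $plain  = New-TempPassword
                $secure = ConvertTo-SecureString $plain -AsPlainText -Force
                New-ADUser -Name "$fname $lname" -GivenName $fname -Surname $lname `
                    -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Path $ou `
                    -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true @extra
                # Shown once on the console for the onboarding hand-off; not written to the log
                Write-Host "$sam temporary password: $plain"
            }
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ User = $sam; OU = $ou; Status = $status }
    }

    $results | Export-Csv -Path $ResultPath -NoTypeInformation
    $results
}

Import-UsersFromCsv -CsvPath "C:\Temp\new-users.csv" -ResultPath "C:\Temp\new-users-result.csv" |
    Format-Table -AutoSize
```

Because existing users are skipped and every failure is recorded per row rather than aborting the loop, the same CSV can be corrected and imported again until the result file shows no failed rows.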