{"id":2751,"date":"2020-04-28T21:29:50","date_gmt":"2020-04-28T21:29:50","guid":{"rendered":"https:\/\/wiki.thomasandsofia.com\/?p=2751"},"modified":"2020-04-30T10:52:59","modified_gmt":"2020-04-30T10:52:59","slug":"6-manage-your-workstations","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=2751","title":{"rendered":"6 Manage Your Workstations"},"content":{"rendered":"<p><a href=\"\/5-group-policy-troubleshooting\/\">&lt; 5 Group Policy Troubleshooting<\/a> | <a href=\"\/active-directory-and-group-policies\/\">Home<\/a> | <a href=\"\/7-securing-your-domain\/\">7 Securing your Domain &gt;<\/a><\/p>\n<h1>25: Deploying a Desktop Background to your domain with a GPO<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8305284#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8305284#content<\/a><\/p>\n<h1>Comments<\/h1>\n<ul>\n<li>It is a good idea to create a GPO for each individual thing you want to do.\n<ul>\n<li>Example: Password Policies, Create a GPO called Password Policies and put all your Password related settings in it.<\/li>\n<li>If all configs are in one GPO, could be impossible to find it later.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Overview<\/h2>\n<ul>\n<li>Create Fileshare<\/li>\n<li>Put desktop image in Fileshare<\/li>\n<li>Set Fileshare permissions so all users can access<\/li>\n<li>Create and configure GPO<\/li>\n<li>Test &amp; Apply<\/li>\n<\/ul>\n<h2>Procedure<\/h2>\n<ul>\n<li>Create Fileshare\n<ul>\n<li>C:\\ [RtClk] &gt; New &gt; Folder &gt; MyShare<\/li>\n<li>MyShare [RtClk] &gt; Properties &gt; Sharing Tab &gt; Advanced Sharing\n<ul>\n<li>[ x ] Share this folder<\/li>\n<li>[Permissions]\n<ul>\n<li>Remove &#8216;Everyone&#8217;<\/li>\n<li>Add &#8216;Authenticated Users&#8217;<\/li>\n<\/ul>\n<\/li>\n<li>Allow &#8216;Read&#8217;<\/li>\n<li>[Apply] &gt; [OK]<\/li>\n<\/ul>\n<\/li>\n<li>[Apply] 
&gt; [OK]<\/li>\n<li>Network Path = \\\\WINAD01\\MyShare<\/li>\n<\/ul>\n<\/li>\n<li>Configure Group Policy Object\n<ul>\n<li>GPM &gt; &#8230; &gt; domain.tld [RtClk] &gt; Create a GPO&#8230; &gt; Name: Desktop Backgrounds<\/li>\n<li>Desktop Backgrounds [RtClk] &gt; Edit&#8230;\n<ul>\n<li>User Configs &gt; Policies &gt; Admin Templates &gt; Desktop &gt; Desktop &gt; Desktop Wallpaper [DblClk]\n<ul>\n<li>Enable<\/li>\n<li>Wallpaper Name: \\\\winad01\\myshare\\desktop.jpg<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Initialize &amp; verify the GPO\n<ul>\n<li>CMD\n<ul>\n<li>gpupdate \/force<\/li>\n<li>gpresult \/r<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Log out and back in.<\/li>\n<\/ul>\n<h1>26: Setting up a Logon Banner<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8385624#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8385624#content<\/a><\/p>\n<ul>\n<li>Server Manager &gt; Tools &gt; Group Policy Management<\/li>\n<li>GPM &gt; &#8230; &gt; domain.tld [RtClk] &gt; New &gt; GPO and link here &gt; Interactive Logon<\/li>\n<li>IL [RtClk] &gt; Edit&#8230;\n<ul>\n<li>Computer Configs &gt; Policies &gt; Win Settings &gt; Security Settings &gt; Local Policies &gt; Security Options\n<ul>\n<li>Int log: Message title: Set a title &#8220;Go away&#8221;<\/li>\n<li>Int log: Message text: &#8220;You better go away!&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Init &amp; verify<\/li>\n<li>Log out and log in<\/li>\n<\/ul>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/goaway.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2755\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/goaway.png\" alt=\"\" width=\"527\" height=\"300\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/goaway.png 527w, 
https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/goaway-300x171.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/goaway-150x85.png 150w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h1>27: Deploying Software with Group Policy<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8403550#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8403550#content<\/a><\/p>\n<ul>\n<li>Create a fileshare\n<ul>\n<li>Remove everyone, add Authenticated Users<\/li>\n<li>Get fileshare path<\/li>\n<li>Copy .zip to folder and extract.<\/li>\n<\/ul>\n<\/li>\n<li>Can install either per user or per computer: computer\n<ul>\n<li>Computer: will require a reboot to install the software<\/li>\n<li>User: Will install the software every time the user logs into a different computer.<\/li>\n<\/ul>\n<\/li>\n<li>GPM &gt; &#8230; &gt; domain.tld [RtClk] &gt; Create GPO &amp; Link &gt; Name: software_deploy_7zip_v1701<\/li>\n<li>software_deploy&#8230; [RtClk] &gt; Edit&#8230;\n<ul>\n<li>Comp Configs &gt; Policies &gt; Software Settings [RtClk] &gt; New &gt; Package\n<ul>\n<li>On the &#8216;Open&#8217; window, Enter the name of the server: \\\\winad01 [Enter]<\/li>\n<li>Software [DblClk] &gt; 7z1701 &gt; [Open]<\/li>\n<li>Deploy Software\n<ul>\n<li>Published (User Configs only): Give user the option to install<\/li>\n<li>[ x ] Assigned: Installs without modification<\/li>\n<li>Advanced: Allows changes?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Init &amp; Verify\n<ul>\n<li>After init, was asked to reboot.\u00a0 Never verified.<\/li>\n<\/ul>\n<\/li>\n<li>Validate was installed.\n<ul>\n<li>Click the &#8216;Windows&#8217; icon in the lower left and see if 7zip was installed.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a 
href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2758\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip.png\" alt=\"\" width=\"636\" height=\"676\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip.png 636w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip-282x300.png 282w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip-141x150.png 141w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/7zip-300x319.png 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h1>28: Configure Roaming Profiles for User Accounts<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8384200#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8384200#content<\/a><\/p>\n<p>Create shared folder for roaming profiles<\/p>\n<ul>\n<li>Server Manager &gt; File and Storage Services &gt; Shares\n<ul>\n<li>Inside Shares pane [RtClk] &gt; New Share&#8230;\n<ul>\n<li>Select Profile &gt; SMB Share &#8211; Quick &gt; [Next &gt;]<\/li>\n<li>Share Location &gt; Select Server &amp; Drive &gt; [Next &gt;]<\/li>\n<li>Share Name &gt; &#8220;Profiles$&#8221;\n<ul>\n<li>The &#8220;$&#8221; makes the folder hidden from curious users browsing the system.<\/li>\n<li>Note the Share path: \\\\minad01\\Profiles$<\/li>\n<\/ul>\n<\/li>\n<li>Other Settings:\n<ul>\n<li>[ x ] Enable access-based enumeration: Only displays files and folders that user has permissions to.\n<ul>\n<li>Read access minimum<\/li>\n<\/ul>\n<\/li>\n<li>[ x ] Allow caching of share\n<ul>\n<li>Makes content available offline<\/li>\n<\/ul>\n<\/li>\n<li>[ x ] Encrypt data access<\/li>\n<\/ul>\n<\/li>\n<li>Permissions\n<ul>\n<li>Recommended to remove default 
users.\u00a0 Must remove inheritance first!\n<ul>\n<li>[Disable inheritance] &gt; Convert inherited permissions into explicit permissions on this object\n<ul>\n<li>This takes the current permissions and creates a special profile just for this share.<\/li>\n<\/ul>\n<\/li>\n<li>Remove both &#8220;Users (domain\\Users) &gt; [Apply]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Create a Roaming Profiles group in AD\n<ul>\n<li>AD &gt; &#8230; &gt; domain [RtClk] &gt; New &gt; OU &gt; &#8220;Domain Groups&#8221;<\/li>\n<li>Domain Groups &gt; New &gt; Group &gt; &#8220;Roaming Profile Users&#8221;\n<ul>\n<li>[ x ] Global, [ x ] Security<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Add Members to the new group\n<ul>\n<li>Roaming Profile Users [DblClk] &gt; Members tab &gt; [Add&#8230;] &gt; (add your users)<\/li>\n<li>Return to the &#8220;Create Share Wizard&#8221;<\/li>\n<\/ul>\n<\/li>\n<li>Add the Roaming Users Group to the share.<\/li>\n<\/ul>\n<p>Starting from here:<\/p>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/shares.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2761\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/shares.png\" alt=\"\" width=\"700\" height=\"480\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/shares.png 700w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/shares-300x206.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/shares-150x103.png 150w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<ul>\n<li>MyShares [RtClk] &gt; Properties\n<ul>\n<li>Permissions &gt; [Customize permissions&#8230;]\n<ul>\n<li>[Add&#8230;]\n<ul>\n<li>Select a principal &gt; Search &#8220;Roaming&#8221; [Check Names] &gt; [ OK ]<\/li>\n<li>Uncheck all &#8216;Basic Permissions&#8217;<\/li>\n<li>Show advanced permissions\n<ul>\n<li>[ x ] List folder \/ read 
data<\/li>\n<li>[ x ] Create folders \/ append data<\/li>\n<li>Applies to: &#8220;This folder only&#8221;<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>[ Apply ]<\/li>\n<li>Select &#8220;Administrators (domain\\Admin&#8230;)&#8221; &gt; [Edit]\n<ul>\n<li>Applies to: &#8220;This folder only&#8221;<\/li>\n<li>(All available Basic permissions should be checked)<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<li>Verify Permission entries\n<ul>\n<li>Administrator (or CREATOR OWNER?): Subfolders and files only<\/li>\n<li>SYSTEM: This folder, subs and files<\/li>\n<li>Administrators: This folder only<\/li>\n<li>Roaming &#8230; : This folder only<\/li>\n<\/ul>\n<\/li>\n<li>[Apply] [ OK ]<\/li>\n<li>Should be back on the &#8220;New Share Wizard&#8221;<\/li>\n<\/ul>\n<\/li>\n<li>Permissions &gt; [Next &gt;]<\/li>\n<li>Confirmation &gt; [Create] &gt; [Close]<\/li>\n<\/ul>\n<\/li>\n<li>The Profiles$ folder should now be listed as a share.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/profilesShare.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2762\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/profilesShare.png\" alt=\"\" width=\"700\" height=\"423\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/profilesShare.png 700w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/profilesShare-300x181.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/04\/profilesShare-150x91.png 150w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<ul>\n<li>Add the share to each of the users &#8230; ??\n<ul>\n<li>AD &gt; &#8230; &gt; Domain Groups &gt; &#8220;Roaming Profile Users&#8221; [DblClk]\n<ul>\n<li>Members tab &gt; [DblClk] Each User<\/li>\n<li>\u00a0Profile tab\n<ul>\n<li>User Profile: Profile path = SERVER\\path\\%username%\n<ul>\n<li>\\\\WINAD01\\Profile$\\%username%\n<ul>\n<li>Click [ Apply 
] to convert %username% to the actual Username<\/li>\n<\/ul>\n<\/li>\n<li>[ OK ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Log into another server and test with that user\n<ul>\n<li>Control Panel &gt; System and Security &gt; System &gt; Advanced system settings\n<ul>\n<li>User Profiles &gt; [Settings&#8230;]\n<ul>\n<li>domain\\user.name type = Roaming<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Create a folder on the desktop and put a fake file in it<\/li>\n<li>Log out and log in to another server on the domain<\/li>\n<li>Locate your folder on the desktop and view your file.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>29: How to automatically map network share drives with Group Policy<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8421550#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8421550#content<\/a><\/p>\n<h2>Overview<\/h2>\n<p>Create a separate file share for each group, map the shares with AD\/GP, then restrict each group from accessing the other group&#8217;s share.<\/p>\n<ul>\n<li>Create the Users and Groups\n<ul>\n<li>Engineering Group\n<ul>\n<li>Engineering Guy<\/li>\n<\/ul>\n<\/li>\n<li>Sales Group\n<ul>\n<li>Sales Guy<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Create the Fileshares\n<ul>\n<li>Server Manager &gt; File and Storage Services &gt; Shares &gt; New Share &gt; See above\n<ul>\n<li>Engineering$<\/li>\n<li>Sales$<\/li>\n<\/ul>\n<\/li>\n<li>&#8230; Advanced Security Settings\n<ul>\n<li>[Disable inheritance] &gt; Convert&#8230;<\/li>\n<li>Remove &#8216;Users (domain\\&#8230;)&#8217; 2x<\/li>\n<li>[Add]\n<ul>\n<li>Permission Entry for Engineering$ \/ Sales$ &gt; Select a principal &gt; add group<\/li>\n<li>Basic Permissions\n<ul>\n<li>Read &amp; execute<\/li>\n<li>List folder 
contents<\/li>\n<li>Read<\/li>\n<li>Write<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>[Apply][OK]<\/li>\n<\/ul>\n<\/li>\n<li>[Next&gt;][Create][Close]<\/li>\n<li>Repeat for both shares\/groups<\/li>\n<\/ul>\n<\/li>\n<li>Test these work with another server&#8230;\n<ul>\n<li>Engineering user\n<ul>\n<li>\\\\SERVER\\Engineering$ &gt; Create file<\/li>\n<li>\\\\SERVER\\Sales$ &gt; Cannot access<\/li>\n<\/ul>\n<\/li>\n<li>Sales user &gt; Repeat above<\/li>\n<\/ul>\n<\/li>\n<li>Automatically Map the drives with Group Policy\n<ul>\n<li>AD Server &gt; AD &gt; &#8230; &gt; domain [RtClk] &gt; New &gt; Shared Folder\n<ul>\n<li>Name: Engineering$\/Sales$<\/li>\n<li>Network Path: \\\\SERVER\\Eng$ or Sales$<\/li>\n<\/ul>\n<\/li>\n<li>GPM &gt; &#8230; &gt; domain [RtClk] &gt; Create new GPO and link &gt; &#8216;$group&#8217; mapped drive\n<ul>\n<li>&#8230; mapped drive [RtClk] &gt; Edit&#8230;\n<ul>\n<li>User Configs &gt; Preferences &gt; Windows Settings &gt; Drive Maps [RtClk] &gt; New &gt; Mapped Drive<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Remove &#8216;Authenticated User&#8217; and add &#8216;$group&#8217;<\/li>\n<li>Add Read Only Permissions for Authenticated Users\n<ul>\n<li>This only allows Authenticated Users to read the GPO, not the mapped drive!<\/li>\n<li>$group mapped drive &gt; Delegation tab &gt; [Add] &gt; Authen&#8230; &gt; [OK]\n<ul>\n<li>Add Group or User &gt; Permissions: Read &gt; [OK]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>I &#8216;think&#8217; I had to run gpupdate on the user&#8217;s workstation and restart to get this to work, but it did!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&lt; 5 Group Policy Troubleshooting | Home | 7 Securing your Domain &gt; 25: Deploying a Desktop Background to your domain with a GPO https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8305284#content Comments It is a good idea to create a GPO for each individual thing 
you want to do. Example: Password Policies, Create a GPO called Password Policies and put all ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=2751\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-2751","post","type-post","status-publish","format-standard","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2751"}],"version-history":[{"count":9,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2751\/revisions"}],"predecessor-version":[{"id":2768,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2751\/revisions\/2768"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}