1. Guided Hands-On Lab on GPO-GPP Presenter Tan Chee Title MVP in GPO Event CTU 2011 June Date 25th June 2011

2. Guided HOL on GPO-GPP Getting Familiarize with the HOL Setup HOL Session #1 – Restricted Group (GPO & GPP) HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP) HOL Session #3 – Managing Office 2010 settings (GPO) HOL Session #4 – WMI Filter HOL Session #5 – Basic Troubleshooting Tips and Tricks plus Discussion (Sharing Experience) Agenda

3. Getting Familiarize with the HOL Setup The Setup Virtual Machines (Hyper-V): Private Network Domain Name: ONPREM.LOCAL Physical Host

4. Quick Walk Through on the HOL Setup

5. Getting Ready Under “START” > “Administrative Tools” Start “Active Directory Users and Computers” Console Understand the OU structure Understand where is the User Objects Understand where is the Computer Objects Start “Group Policy Management” Console Start “Active Directory Sites and Services” Console (For manual replication) DC1.onprem.local (Domain Controller)

6. OU Structure and Dummy Accounts

7. GPMC OU that cannot link GPO to

8. Getting Ready Login as Domain Admin Open Command Prompt Get ready to run following commands GPUPDATE /FORCE You may be required to login as CTUUSER01 in later part Client1.onprem.local (Domain Machine)

9. HOL Session #1 – Restricted Group (GPO)

10. HOL Session #1 Restrict adding of members to local administrators group Insertion of Domain Group to be a member of local administrators group Restricted Group through GPO

11. HOL #1a - Restrict adding of members to local machine administrators group

12. HOL Session #1a On DC1.onprem.local (Domain Controller) Start GPMC Create and Configure GPO – “CTU_Restricted_Group” Link the GPO to the OU containing Computer – “Client1” On Client1.onprem.local (Client Machine) Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group. Then under command prompt, run “GPUPDATE /FORCE” Restrict adding of members to local machine administrators group

13. HOL Session #1a Expected Result: User able to insert another domain group to the local machine administrators group. User un-able to add another domain account to the local machine administrators group. Restrict adding of members to local machine administrators group

14. HOL #1b - Insert Domain Group to be a member of local machine administrators group

15. HOL Session #1b On DC1.onprem.local (Domain Controller) Start GPMC Create and Configure GPO – “CTU_Inject_LocalAdmin” Link the GPO to the OU containing Computer – “Client1” On Client1.onprem.local (Client Machine) Under “local users and groups” > “Groups”, try adding “CTUUser01” to “Administrators” group. Then under command prompt, run “GPUPDATE /FORCE” Insert Domain Group to be a member of local machine administrators group

16. HOL Session #1b Expected Result: User able to insert another domain group to the local machine administrators group. User able to add another domain account to the local machine administrators group. Insert Domain Group to be a member of local machine administrators group

17. HOL #1c – Managing Local Machine Administrators Group using GPP

18. GPP contain similar settings? Yes!

19. HOL #1c – Managing Local Machine Administrators Group using GPP DEMO

20. HOL Session #2 – Deployment of TCPIP Printer (GPO & GPP)

21. Getting Ready On DC1.onprem.local Print Service (Add Role) Add Printer Drivers (Both x64 and x86) Share out the Printer (192.168.1.40 – CTU Printer) Create and Configure GPO – “CTU_Deploy_Printer” Link the GPO to the OU containing Computer On Client machine, under command prompt, run “GPUPDATE /FORCE Deployment of TCPIP Printer (GPO & GPP)

22. Deployment of TCPIP Printer (GPO & GPP) Printer Driver (32bit and 64bit) GPO Setting – Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions: Enabled Impact to Boot Up Through Computer or User GPP? Pointers to take note

23. HOL Session #3 – Managing Office 2011 settings (GPO)

24. Getting Ready On DC1.onprem.local Create and Configure GPO – “CTU_Office2010” Import GPO template files for Office 2010 Note that the settings are under User Configuration Link the GPO to the OU containing Users – “CTUUser01” Managing Office 2011 settings (GPO)

25. Setting to Try Configure as following. On Client, Login as CTUUser01 to verify setting is applied. Default Font Name, Size

26. HOL Session #4 – WMI Filter DEMO

27. WMI Filter (GPO) Useful to target GPO for Machine running different OS under same OU. Demo on how to import and apply WMI Filter

28. HOL Session #5 – Basic Troubleshooting Relates to GPO

29. Basic Troubleshooting On Client machine (Login with Domain account) Event Viewer of Client Run Command Line – GPRESULT /H <Filename>.html On Domain Controller Use GPMC to generate a Group Policy Result

30. Requirement for GPMC Group Policy Results Wizard to work WMI service on target must be running Firewall port must open for WMI (Predefined Program)

31. Tips and Tricks plus Discussion!!

32. Tips and Tricks In Client Machine, Remove the following registry key and run GP update, the GPP that is configured as Apply Once Only will apply again. HKLMOFTWAREicrosoftroup PolicylientunOnce GPP – Apply Once Only?

33. Tips and Tricks GPP – Settings with Red and Green Underline – What does it mean? Red – [No Go], Will not Deliver Green – [Go], Will be Delivered

34. Tips and Tricks GPO Settings Supersede GPP Settings

35. Discussion

36. Thank You!!