Chapter 16 – Creating Group Policy Objects MOAC 70-410

LAB 16
CREATING GROUP
POLICY OBJECTS

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 16.1 Lab Pre-Configuration

Exercise 16.2 Creating Group Policy Objects

Exercise 16.3 Linking a Group Policy Object

Lab Challenge Confirming GPO Application

BEFORE YOU BEGIN

The lab environment consists of three servers connected to a local area network, one
of which is configured to function as the domain controller for a domain called
HCTX.AE. The computers required for this lab are listed in Table 16-1.

Table 16-1
Computers Required for Lab 16
Computer Operating System Computer Name
Domain controller 1 Windows Server 2012 SVR-DC-A
Member server 2 Windows Server 2012 SVR-MBR-B
Member server 3 Windows Server 2012 SVR-MBR-C

In addition to the computers, you also require the software listed in Table 16-2 to
complete Lab 16.

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 1 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

Table 16-2
Software Required for Lab 16
Software Location
Lab 16 student worksheet Lab16_worksheet.docx (provided by instructor)

Working with Lab Worksheets

Each lab in this manual requires that you answer questions, take screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab16_worksheet.docx. It is recommended that you use a USB flash drive to store
your worksheets, so you can submit them to your instructor for review. As you
perform the exercises in each lab, open the appropriate worksheet file, fill in the
required information, and save the file to your flash drive.

After completing this lab, you will be able to:

 Create a starter GPO

 Create new GPOs

 Link GPOs to organizational units

 Confirm GPO application to OU

Estimated lab time: 55 minutes

16.1 - Lab Pre-Configuration

Overview In this exercise you will create Paris OU and Servers security Group.

Completion time 10 minutes

1. Login to SVR-DC-AX

2. Open Active Directory Users and Computers.

3. Create a OU called Paris in your Domain HCTX.ae and create three more OUs
called Computers, Users and Groups under Paris OU.

4. Move SVR-MBR-BX to Computers OU in Paris

5. Create two Domain Local Security Group called Servers and Paris IT Admin
under groups OU in Paris

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 2 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

6. Create a Domain Global Security Group called Players

7. Create following users under users OU in Paris with Pa$$w0rd as password.

First Last User Logon Name User Properties

Name Name

Lionel Messi LMessi Remov user must

“change password
at next logon”

Cristiano Ronaldo CRonaldo Remov user must

“change password
at next logon”

Your Your Your firstname 1st Remov user must

Firstname Lastname character+lastname “change password
at next logon”

8. Add users Cristiano Ronaldo and Lionel Messi to be member of Players Global
Group

9. Add SVR-MBR-BX to be member of Servers security group.

10. Add your user account to be member of Paris IT Admin security group

11. Delegate Paris IT Admin fullcontrol permission for Paris OU.

Note: Whlie Delegating select “Create a custom task to delegate” in Tasks to

Delegate windows and select full control under Permission window.

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 3 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

Exercise
16.1 Creating Group Policy Objects
Overview To complete this exercise, you use the starter GPO you created
previously to create a new GPO with additional settings.

Mindset How do I use a starter GPO to create additional GPOs?

Completion time 10 minutes
1. On SVR-DC-AX, in Server Manager, click Tools > Group Policy
Management. The Group Policy Management console appears.

2. In the left pane, expand the Forest: HCTX.AE node, the Domains node, and the
HCTX.AE node (see Figure 16-1).

Figure 16-1
The Group Policy Management console

3. Right click on Group Policy Objects and click New, in the Name text box, type
Paris Lockdown and click OK.

4. Right-click the Paris Lockdown GPO and, from the context menu, select Edit.
The Group Policy Management Editor console appears (see Figure 16-2).

Figure 16-2
The Group Policy Management Editor console

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 4 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

5. Now, browse to the Computer Configuration > Policies > Windows Settings >
Security Settings > Account Policies > Account Lockout Policy folder.

6. Open the following three policies, click the Define this policy setting check box,
and configure them with the specified values:

 Account lockout duration – 30 minutes

 Account lockout threshold – 5 invalid Logon attempts

 Reset account lockout after – 30 minutes

7. Browse to the User Configuration > Policies > Administrative Template >
Control Panel folder > enable “Prohibit to access control panel and pc
settings” policy

8. Configure following additional security policy settings from the given location.
a. All users should notified about the Authorized access policy upon logon

i. Title: This is a highly secured Domain, Only Authorized users are

allowed
(Interactive Logon: Message Title ….) - Computer
Configuration  Policies  Windows Settings  Security
Settings  Local Policies  Security Options

ii. Logon: Unauthorized access will be legally penalized.

(Interactive Logon: Message Text ….) - Computer
Configuration  Policies  Windows Settings  Security
Settings  Local Policies  Security Options

b. All computers built-in Guest account has to be renamed to cin2003 for

security reason.
(Accounts: Rename Guest Account) - Computer Configuration 
Policies  Windows Settings  Security Settings  Local Policies 
Security Options.

c. Users should not have access to Run Command

(Remove run from start menu) - User Configuration  Policies 
Administrative Templates  Start Menu and Taskbar

d. Users are not allowed to use command prompt

(Prevent Access to Command Prompt) - User Configuration  Policies
 Administrative Templates  System

e. Users are not allowed to use the registry editor

(Prevent Access to Registry Editing Tools) - User Configuration 
Policies  Administrative Templates  System

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 5 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

f. Users are not allowed to use any removable storage devices like USB
flash disk, etc.,
(All Removable Storage Classes: Deny all Access) - User Configuration
 Policies  Administrative Templates  System  Removable
Storage Access

9. Close the Group Policy Management Editor console.

End of exercise. Leave all windows open for the next exercise.

Exercise
16.3 Linking a Group Policy Object
Overview To complete this exercise, you must apply the GPO you have made
to an organizational unit, and control its application using security
filtering.
Mindset How do you control which computers receive the settings in a specific
GPO?
Completion time 10 minutes

1. On SVR-DC-AX, in the Group Policy Management console, right-click the Paris

OU and, in the context menu, select Link an Existing GPO. The Select GPO
dialog box appears (see Figure 16-3).

Figure 16-3
The Select GPO dialog box

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 6 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

2. In the Group Policy Objects list, select Paris Lockdown and click OK. The GPO
appears in the right pane, on the Linked Group Policy Objects tab of Paris
OU.

3. Click the Group Policy Inheritance tab. The list of GPOs now contains the
Paris Lockdown and the Default Doman Policy GPO.

Question What causes the Default Domain Policy GPO to appear here,
1 even though it is not directly linked to the Paris OU?

In the Default Domain Policy GPO, the value assigned to the

Account Lockout Threshold policy is 0. In the Paris Lockout
Question
GPO, the same policy has a value of 5. Which of these
2
values will a computer in the Paris OU use after processing
all its Group Policy settings?

4. In the Group Policy Objects node, select the Paris Lockdown GPO (click OK if
a message appears) and, in the right pane, look at the Scope tab.

5. In the Security Filtering area, click Add. The Select User, Computer, or Group
dialog box appears.

6. In the Enter the object name to select text box, type Servers and Players and
click OK. The Servers group appears in the Security Filtering list.

7. Select the Authenticated Users group and click Remove.

8. Click OK to confirm the removal.

End of exercise. Leave all windows open for the next exercise.

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 7 of 8

Adapted from MOAC Lab
Chapter 16 – Creating Group Policy Objects MOAC 70-410

Lab
Challenge Confirming GPO Application
Overview To complete this challenge, you must demonstrate that the Group
Policy settings you have created in the Paris Lockdown GPO have
taken effect on SVR-MBR-C.
Mindset How can you tell when Group Policy settings are active?
Completion time 15 minutes

The SVR-MBR-B computer is located in the Paris OU, and is a member of the Server
group. It should, therefore, receive the settings you configured in the Paris Lockdown
GPO.

Prove that this is the case by demonstrating to your instructor that the security settings
are applied and users under players group has all the restriction configured.

Before you begin working on SVR-MBR-C, open an administrative

NOTE

command prompt and run the gpupdate /force command to refresh

the computer’s Group Policy settings.

By SAP/CIN2003/v3 CIN 2003: Enterprise Services Page 8 of 8

Adapted from MOAC Lab