Lab answer key: Implementing identity services and Group Policy

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Exercise 1: Deploying a new domain controller on Server Core

Task 1: Deploy AD DS on a new Windows Server Core server

  1. Connect to SEA-ADM1 and, if needed, sign in as CONTOSO\Administrator with a password of Pa55w.rd.
  2. On SEA-ADM1, select Start, and then select Windows PowerShell (Admin).
  3. To install the AD DS server role, at the Windows PowerShell command prompt, enter the following command, and then press Enter:

    Install-WindowsFeature -Name AD-Domain-Services -ComputerName SEA-SVR1
    
  4. To verify that the AD DS role is installed on SEA-SVR1, enter the following command, and then press Enter:

    Get-WindowsFeature -ComputerName SEA-SVR1
    
  5. In the output of the previous command, search for the Active Directory Domain Services checkbox, and then verify that it is selected. Then, search for Remote Server Administration Tools. Notice the Role Administration Tools node below it, and then verify that the AD DS and AD LDS Tools node is also selected.

    Note: Under the AD DS and AD LDS Tools node, only the Active Directory module for Windows PowerShell has been installed, not the graphical tools such as the Active Directory Administrative Center. If you manage your servers centrally, you usually do not need these tools on each server. If you want to install them, you must request them explicitly by running the Add-WindowsFeature cmdlet with the RSAT-ADDS feature name.

    Note: You might need to wait a brief time after the installation process is complete before verifying that the AD DS role has installed. If you do not observe the expected results from the Get-WindowsFeature command, you can try again after a few minutes.

Task 2: Prepare the AD DS installation and promote a remote server

  1. On SEA-ADM1, on the Start menu, select Server Manager, and then, in Server Manager, select the All Servers view.
  2. On the Manage menu, select Add Servers.
  3. In the Add Servers dialog box, maintain the default settings, and then select Find Now.
  4. In the Active Directory list of servers, select SEA-SVR1, select the arrow to add it to the Selected list, and then select OK.
  5. On SEA-ADM1, ensure that the installation of the AD DS role on SEA-SVR1 is complete and that the server was added to Server Manager. Then select the Notifications flag symbol.
  6. Note the post-deployment configuration of SEA-SVR1, and then select the Promote this server to a domain controller link.
  7. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, under Select the deployment operation, verify that Add a domain controller to an existing domain is selected.
  8. Ensure that the Contoso.com domain is specified, and then in the Supply the credentials to perform this operation section, select Change.
  9. In the Credentials for deployment operation dialog box, in the User name box, enter CONTOSO\Administrator, and then in the Password box, enter Pa55w.rd.
  10. Select OK, and then select Next.
  11. On the Domain Controller Options page, ensure that the Domain Name System (DNS) server and Global Catalog (GC) checkboxes are selected. Ensure that the Read-only domain controller (RODC) checkbox is cleared.
  12. In the Type the Directory Services Restore Mode (DSRM) password section, enter and confirm the password Pa55w.rd, and then select Next.
  13. On the DNS Options page, select Next.
  14. On the Additional Options page, select Next.
  15. On the Paths page, keep the default path settings for the Database folder, Log files folder, and SYSVOL folder, and then select Next.
  16. To open the generated Windows PowerShell script, on the Review Options page, select View script.
  17. In Notepad, edit the generated Windows PowerShell script:

    • Delete the comment lines that begin with the number sign (#).
    • Remove the Import-Module line.
    • Remove the grave accents (`) at the end of each line.
    • Remove the line breaks.
  18. The Install-ADDSDomainController command and all of its parameters are now on one line. Place the cursor in front of the line, and then, on the Edit menu, select Select All to select the whole line. On the Edit menu, select Copy.

  19. When prompted for confirmation, select Yes to cancel the wizard.
  20. At the Windows PowerShell command prompt, enter the following command:

    Invoke-Command -ComputerName SEA-SVR1 { }
    
  21. Place the cursor between the braces ({ }), and then paste the content of the copied script line from the clipboard. The complete command should have the following format:

    Invoke-Command -ComputerName SEA-SVR1 {Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "Contoso.com" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true}
    
  22. To invoke the command, press Enter.
  23. In the Windows PowerShell Credential Request dialog box, enter CONTOSO\Administrator in the User name box, enter Pa55w.rd in the Password box, and then select OK.
  24. When prompted for the password, in the SafeModeAdministratorPassword text box, enter Pa55w.rd, and then press Enter.
  25. When prompted for confirmation, in the Confirm SafeModeAdministratorPassword text box, enter Pa55w.rd, and then press Enter.
  26. Wait until the command runs and the Status Success message is returned. The SEA-SVR1 virtual machine restarts.
  27. Close Notepad without saving the file.
  28. After SEA-SVR1 restarts, on SEA-ADM1, switch to Server Manager, and on the left side, select the AD DS node. Note that SEA-SVR1 has been added as a server and that the warning notification has disappeared.

    Note: You might have to select Refresh.
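Server Manager only shows that SEA-SVR1 appeared under the AD DS node. The following added example (not part of the lab) runs the checks an administrator would want before trusting the new domain controller: it confirms from SEA-ADM1 that SEA-SVR1 is registered as a writable global catalog, that inbound replication has succeeded, and that it advertises itself in DNS. Server and domain names are the lab's; the function name is my own.

```powershell
# Added example, not part of the lab: post-promotion checks for SEA-SVR1,
# run from the elevated Windows PowerShell session on SEA-ADM1.
Import-Module ActiveDirectory

function Test-NewDomainController {
    param(
        [string]$DcName = 'SEA-SVR1',
        [string]$Source = 'SEA-DC1.contoso.com'   # existing DC used as the reference
    )

    # 1. The new DC must be registered as a writable global catalog, matching
    #    the -NoGlobalCatalog:$false option in the generated script, and it
    #    must not have been promoted as an RODC.
    $dc = Get-ADDomainController -Identity $DcName -Server $Source
    [pscustomobject]@{
        Check  = 'Registered as writable global catalog'
        Passed = ($dc.IsGlobalCatalog -and -not $dc.IsReadOnly)
        Detail = "Site=$($dc.Site) GC=$($dc.IsGlobalCatalog) RODC=$($dc.IsReadOnly)"
    }

    # 2. Inbound replication to the new DC must have succeeded for every
    #    partition. A non-zero result or consecutive failures means the
    #    promotion is not really complete even though the wizard said Success.
    Get-ADReplicationPartnerMetadata -Target $DcName -Scope Server |
        ForEach-Object {
            [pscustomobject]@{
                Check  = "Replication into $DcName [$($_.Partition)]"
                Passed = ($_.LastReplicationResult -eq 0 -and
                          $_.ConsecutiveReplicationFailures -eq 0)
                Detail = "LastSuccess=$($_.LastReplicationSuccess)"
            }
        }

    # 3. DNS was installed (-InstallDns:$true), so the DC locator SRV record
    #    must list the new server; clients find domain controllers through it.
    $srv = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV `
                           -Server $DcName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Advertised in the DC locator SRV record'
        Passed = [bool]($srv | Where-Object NameTarget -like "$DcName.*")
        Detail = ($srv.NameTarget -join ', ')
    }
}

Test-NewDomainController | Format-Table Check, Passed, Detail -AutoSize
```

Run it after SEA-SVR1 has restarted; a False in the Passed column identifies the step to investigate before continuing with Task 3.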

Task 3: Manage objects in AD DS

  1. Ensure that you are connected to the console session of SEA-ADM1.
  2. Switch to Windows PowerShell (Admin).
  3. To create an Organizational Unit (OU) called Seattle in the Contoso AD DS domain, enter the following command, and then press Enter:

    New-ADOrganizationalUnit -Name "Seattle" -Path "DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true -Server SEA-DC1.contoso.com
    
  4. To create a user account for Ty Carlson in the Seattle OU, enter the following command, and then press Enter:

    New-ADUser -Name Ty -DisplayName 'Ty Carlson' -GivenName Ty -Surname Carlson -Path 'OU=Seattle,DC=contoso,DC=com'
    
  5. To set the password for Ty's user account, enter the following command, and then press Enter:

    Set-ADAccountPassword Ty
    
  6. When you receive a prompt for the current password, press Enter.
  7. When you receive a prompt for the desired password, enter Pa55w.rd, and then press Enter.
  8. When you receive a prompt to repeat the password, enter Pa55w.rd, and then press Enter.
  9. To enable the account, enter the following command, and then press Enter:

    Enable-ADAccount Ty
    
  10. To create a domain global group named SeattleBranchUsers, enter the following command, and then press Enter:

    New-ADGroup SeattleBranchUsers -Path 'OU=Seattle,DC=contoso,DC=com' -GroupScope Global -GroupCategory Security
    
  11. To add the Ty user account to the newly created group, enter the following command, and then press Enter:

    Add-ADGroupMember -Identity SeattleBranchUsers -Members Ty
    
  12. To confirm that the user is in the group, enter the following command, and then press Enter:

    Get-ADGroupMember -Identity SeattleBranchUsers
    
  13. To add the user to the local Administrators group, enter the following command, and then press Enter:

    Add-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\Ty'
    

    Note: This is necessary so that you can sign in to SEA-ADM1 with the CONTOSO\Ty user account.

Results: After this exercise, you should have successfully created a new domain controller and managed objects in AD DS.

Exercise 2: Configuring Group Policy

Task 1: Create and edit a GPO

  1. On SEA-ADM1, from Server Manager, select Tools, and then select Group Policy Management.
  2. If necessary, switch to the Group Policy Management window.
  3. In the Group Policy Management console, in the navigation pane, expand Forest:Contoso.com, Domains, and Contoso.com, and then select the Group Policy Objects container.
  4. In the navigation pane, right-click or access the context menu for the Group Policy Objects container, and then select New.
  5. In the Name text box, enter CONTOSO Standards, and then select OK.
  6. In the details pane, right-click or access the context menu for the CONTOSO Standards Group Policy Object (GPO), and then select Edit.
  7. In the Group Policy Management Editor window, in the navigation pane, expand User Configuration, expand Policies, expand Administrative Templates, and then select System.
  8. Double-click the Prevent access to registry editing tools policy setting or select the setting, and then press Enter.
  9. In the Prevent access to registry editing tools dialog box, select Enabled, and then select OK.
  10. In the navigation pane, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then select Personalization.
  11. In the details pane, double-click or select the Screen saver timeout policy setting, and then press Enter.
  12. In the Screen saver timeout dialog box, select Enabled. In the Seconds text box, enter 600, and then select OK.
  13. Double-click or select the Password protect the screen saver policy setting, and then press Enter.
  14. In the Password protect the screen saver dialog box, select Enabled, and then select OK.
  15. Close the Group Policy Management Editor window.

Task 2: Link the GPO to the domain

  1. In the Group Policy Management window, in the navigation pane, right-click or access the context menu for the Contoso.com domain, and then select Link an Existing GPO.
  2. In the Select GPO dialog box, select CONTOSO Standards, and then select OK.

Task 3: Review the effects of the GPO’s settings

  1. On SEA-ADM1, in the search box on the taskbar, enter Control Panel.
  2. In the Best match list, select Control Panel.
  3. Select System and Security, and then select Allow an app through Windows Firewall.
  4. In the Allowed apps and features list, locate the Remote Event Log Management entry, select the checkbox in the Domain column, and then select OK.
  5. Sign out, and then sign in as CONTOSO\Ty with the password Pa55w.rd.
  6. In the search box on the taskbar, enter Control Panel.
  7. In the Best match list, select Control Panel.
  8. In the search box in Control Panel, enter screen saver, and then select Change screen saver. (It might take a few minutes for the option to display.)
  9. In the Screen Saver Settings dialog box, notice that the Wait option is dimmed. You cannot change the time-out. Notice that the On resume, display logon screen option is selected and dimmed and that you cannot change the settings.

    Note: If the On resume, display logon screen option is not selected and dimmed, open a command prompt, run gpupdate /force, and repeat the preceding steps.

  10. Right-click or access the context menu for Start, and then select Run.
  11. In the Run dialog box, in the Open text box, enter regedit, and then select OK. Note the error message stating Registry editing has been disabled by your administrator.
  12. In the Registry Editor dialog box, select OK.
  13. Sign out, and then sign back in as CONTOSO\Administrator with the password Pa55w.rd.

Task 4: Create and link a GPO to the Seattle OU

  1. On SEA-ADM1, from Server Manager, select Tools, and then select Group Policy Management.
  2. If necessary, switch to the Group Policy Management window.
  3. In the Group Policy Management console, in the navigation pane, expand Forest: Contoso.com, Domains, and Contoso.com, and then select Seattle.
  4. Right-click or access the context menu for the Seattle organizational unit (OU), and then select Create a GPO in this domain, and Link it here.
  5. In the New GPO dialog box, in the Name text box, enter Seattle Application Override, and then select OK.
  6. In the details pane, right-click or access the context menu for the Seattle Application Override GPO, and then select Edit.
  7. In the console tree, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then select Personalization.
  8. Double-click the Screen saver timeout policy setting or select the setting, and then press Enter.
  9. Select Disabled, and then select OK.
  10. Close the Group Policy Management Editor window.

Task 5: Verify the order of precedence

  1. Back in the Group Policy Management Console tree, ensure that the Seattle OU is selected.
  2. Select the Group Policy Inheritance tab and review its content.

    Note: The Seattle Application Override GPO has higher precedence than the CONTOSO Standards GPO. The screen saver time-out policy setting that you just configured in the Seattle Application Override GPO is applied after the setting in the CONTOSO Standards GPO. Therefore, the new setting overrides the CONTOSO Standards GPO setting, and the screen saver time-out will be disabled for users within the scope of the Seattle Application Override GPO.

Task 6: Configure the scope of a GPO with security filtering

  1. On SEA-ADM1, in the Group Policy Management console, in the navigation pane, if necessary, expand the Seattle OU, and then select the Seattle Application Override GPO under the Seattle OU.
  2. In the Group Policy Management Console dialog box, review the following message: You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
  3. Select the Do not show this message again checkbox, and then select OK.
  4. Review the Security Filtering section and note that the GPO applies by default to Authenticated Users.
  5. In the Security Filtering section, select Authenticated Users, and then select Remove.
  6. In the Group Policy Management dialog box, select OK, review the Group Policy Management warning, and then select OK again.

    Note: Group Policy requires each computer account to have permission to read GPO data from domain controllers in order to apply the user GPO settings successfully. Keep this in mind when you modify the security filtering of a GPO.

  7. In the details pane, select Add.
  8. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): text box, enter SeattleBranchUsers, and then select OK.
  9. In the details pane, under Security Filtering, select Add.
  10. In the Select User, Computer, or Group dialog box, select Object Types.
  11. In the Object Types dialog box, select the Computers checkbox and then select OK.
  12. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): text box, enter SEA-ADM1, and then select OK.
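Tasks 5 and 6 are verified through the console. The following added example (not part of the lab) performs the same two checks from PowerShell on SEA-ADM1: it confirms the precedence order on the Seattle OU and audits the security filtering of the Seattle Application Override GPO, including the Read permission that the preceding note says computer accounts must keep. GPO, OU, group and computer names are the lab's; the function name is my own.

```powershell
# Added example, not part of the lab: audit GPO precedence and security
# filtering for the Seattle OU from SEA-ADM1.
Import-Module GroupPolicy

function Get-SeattleGpoScopeReport {
    param(
        [string]$OuPath  = 'OU=Seattle,DC=contoso,DC=com',
        [string]$GpoName = 'Seattle Application Override',
        [string]$Domain  = 'contoso.com'
    )

    # Precedence as shown on the Group Policy Inheritance tab: a lower Order
    # is a higher precedence, so the OU-linked override must sort above the
    # domain-linked CONTOSO Standards GPO.
    $links = (Get-GPInheritance -Target $OuPath -Domain $Domain).InheritedGpoLinks |
        Sort-Object Order
    $override  = $links | Where-Object DisplayName -eq $GpoName
    $standards = $links | Where-Object DisplayName -eq 'CONTOSO Standards'
    [pscustomobject]@{
        Check  = "'$GpoName' outranks 'CONTOSO Standards'"
        Passed = [bool]($override -and $standards -and $override.Order -lt $standards.Order)
        Detail = ($links | ForEach-Object { "$($_.Order):$($_.DisplayName)" }) -join ' > '
    }

    # Security filtering: only SeattleBranchUsers and SEA-ADM1 should hold
    # GpoApply after Authenticated Users was removed in Task 6.
    $perms = Get-GPPermission -Name $GpoName -All -DomainName $Domain
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $unexpected = $apply | Where-Object {
        $_.Trustee.Name -notin @('SeattleBranchUsers', 'SEA-ADM1$') }
    [pscustomobject]@{
        Check  = 'GpoApply limited to SeattleBranchUsers and SEA-ADM1'
        Passed = -not [bool]$unexpected
        Detail = ($apply.Trustee.Name -join ', ')
    }

    # Removing Authenticated Users also removed its Read permission. The user
    # settings are processed by the computer, so a computer principal must
    # still be able to read the GPO (GpoApply implies Read).
    $readers = $perms | Where-Object {
        $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers', 'SEA-ADM1$') -and
        $_.Permission -in @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity') -and
        -not $_.Denied }
    [pscustomobject]@{
        Check  = 'Computer accounts retain Read on the GPO'
        Passed = [bool]$readers
        Detail = ($readers.Trustee.Name -join ', ')
    }
}

Get-SeattleGpoScopeReport | Format-Table Check, Passed, Detail -Wrap
```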

Task 7: Verify the application of settings

  1. In the navigation pane, in Group Policy Management, select Group Policy Modeling.
  2. Right-click or access the context menu for Group Policy Modeling, and then select Group Policy Modeling Wizard.
  3. In Group Policy Modeling Wizard, select Next.
  4. On the Domain Controller Selection page, accept the default settings, and then select Next.
  5. On the User and Computer Selection page, in the User information section, select User, and then, in the User text box, enter CONTOSO\Ty or use the Browse command button to locate the Ty user account.
  6. On the User and Computer Selection page, in the Computer information section, select Computer, and then, in the Computer text box, enter CONTOSO\SEA-ADM1 or use the Browse command button to locate the SEA-ADM1 computer.
  7. On the User and Computer Selection page, select Next.
  8. On the Advanced Simulation Options page, accept the default settings, and then select Next.
  9. On the Alternate Active Directory Paths page, note the user and computer locations, and then select Next.
  10. On the User Security Groups page, verify that the list of groups includes CONTOSO\SeattleBranchUsers, and then select Next.
  11. On the Computer Security Groups page, select Next.
  12. On the WMI Filters for Users page, accept the default settings, and then select Next.
  13. On the WMI Filters for Computers page, accept the default settings, and then select Next.
  14. On the Summary of Selections page, select Next.
  15. Select Finish when prompted.
  16. In the details pane, select the Details tab, and then select show all.
  17. In the report, scroll down until you locate the User Details section, and then locate the Control Panel/Personalization section. Note that the Screen saver timeout settings are disabled and the winning GPO is set to Seattle Application Override GPO.
  18. Close the Group Policy Management console.

Results: After this exercise, you should have successfully created and configured GPOs.