Lab 7-1: Planning Group Policy Deployment

Lab Objectives

This lab prepares you to design Group Policy deployment by meeting the following objectives:

  • Design placement of Group Policy objects
  • Design filtering for Group Policy application
  • Troubleshoot Group Policy application errors

About This Lab

This lab looks at the Group Policy deployment plan for Contoso Ltd. It covers designing Group Policy creation and filtering, and troubleshooting Group Policy application.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on designing your administrative structure.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, wants to design standardized security configuration by using Group Policy. This lab looks specifically at the Group Policy assignments required for the Seattle, Lima, and London domains.

Group Policy Requirements

The Group Policy design must meet the following business requirements:

  • All users in the network must have Entire Network removed from My Network Places to reduce the amount of browsing that takes place on the network. This setting shouldn't apply to any members of the Information Technology (IT) department or the Administrators group.
  • All client computers in the domain must have their Administrator and Guest accounts renamed to reduce attacks involving the default account names.
  • Many users have been tinkering with the Control Panel programs. Unless the user is a member of Server Operators or Administrators, you should prevent access to the Control Panel.
  • The Accounting department requires that all client computers with the Accounting software have a drive mapping assigned the letter M: that points to the \\Accounting\Shareddata folder. The accounting software is installed only on desktop computers to ensure that no accounting data can be removed from the premises on a laptop computer.

Group Policy Objects

To meet the requirements, the following Group Policy objects are defined and can be used in each of the three domains:

  • Hide Entire Network. This Group Policy object hides the Entire Network icon when a user opens My Network Places. The setting is configured in \User Configuration\Administrative Templates\Windows Components\Windows Explorer\No "Entire Network" In My Network Places.
  • Rename Default Accounts. This Group Policy object renames the Administrator and Guest accounts with alternate names provided in the Group Policy object. This Group Policy object contains two separate settings:
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Rename Administrator Account
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Rename Guest Account
  • Disable Control Panel. This Group Policy object disables the Control Panel for any users that the Group Policy setting is applied to. This Group Policy setting is configured in \User Configuration\Administrative Templates\Control Panel\Disable Control Panel.
  • Accounting Logon Script. This Group Policy object applies a machine-based logon script that runs at startup. The script contains the command NET USE M: \\ACCOUNTING\SHAREDDATA. This setting is configured in \Computer Configuration\Windows Settings\Scripts\Startup.

Active Directory Structure

This lab focuses on the Seattle deployment of the Group Policy objects. For this lab, assume that the Group Policy objects will be applied to the Active Directory hierarchy shown in Figure 7.12.

Figure 7.12 The seattle.contoso.tld Active Directory hierarchy

You need to answer questions on the design implications for applying the same types of Group Policies to the london.contoso.tld and lima.contoso.tld domains.

Exercise 1: Applying Group Policy

This exercise looks at how to decide where to apply Group Policy objects in the Contoso Active Directory to meet security requirements. The answers to these questions can be found in the appendix.

  1. Based on the design requirements, where would you apply the Hide Entire Network Group Policy object to meet the requirements to hide the Control Panel for all network users?


  2. Where would you apply the Group Policy object to rename the Administrator and Guest accounts on all client computers?


  3. Where would you apply the "Disable Control Panel" Group Policy object to meet design requirements?


  4. Where would you apply the Accounting Logon Script Group Policy object to meet design requirements?


  5. Do you need to configure any other properties for these Group Policy objects to meet design requirements?



Exercise 2: Designing Group Policy Filtering

This exercise looks at using the Group Policy object Security tab to filter Group Policy application to specific security groups. The answers to these questions can be found in the appendix.

  1. What security group filtering must you apply for the application of the Hide Entire Network Group Policy object? Assume that the Group Policy object is applied at the Seattle Users OU.


  2. What security group filtering must you apply for the application of the Disable Control Panel Group Policy? Assume that the Group Policy object is applied at the Seattle Users OU.


  3. You can apply both the Disable Control Panel and the Hide Entire Network Group Policy objects at the Seattle Users OU. Why can't you combine these two Group Policy objects into a single Group Policy object?


  4. What issues would you face if you applied the Rename Default Accounts Group Policy object at the Seattle Computers OU?


  5. What can you do to prevent the need for filtering for the Accounting Logon Script Group Policy object?



Exercise 3: Troubleshooting Group Policy Application

This exercise looks at the Group Policy application deployment to determine where the Block Policy Inheritance, No Override, or security group filtering may be affecting Group Policy application. All examples in this exercise are based on the Active Directory structure introduced at the beginning of this lab. The answers to these questions can be found in the appendix.

Determining Effective Group Policy Settings

Assume that the Hide Entire Network, Disable Control Panel, and Enable Control Panel Group Policies have been applied to the following locations in the seattle.contoso.tld domain.

| Policy                | Location      | Permissions                                                                                   | Optional Attributes |
|-----------------------|---------------|-----------------------------------------------------------------------------------------------|---------------------|
| Enable Control Panel  | Domain        | Users: Read; Users: Apply Group Policy                                                        | None                |
| Disable Control Panel | Seattle Users | Users: Read; Users: Apply Group Policy                                                        | None                |
| Hide Entire Network   | Marketing     | Marketing: Read; Marketing: Apply Group Policy; Administrators: Deny Apply Group Policy       | None                |
| Hide Entire Network   | Sales         | Sales: Read; Sales: Apply Group Policy; Administrators: Deny Apply Group Policy               | None                |
| Enable Control Panel  | IT            | IT: Read; IT: Apply Group Policy                                                              | None                |

  1. If Julie is a member of the sales force and her user account is in the Sales OU, would she be able to use the Control Panel?


  2. Would Julie be able to view the Entire Network in My Network Places?


  3. Jackson is a member of the IT department. Would Jackson be able to access the Control Panel?


Determining the Effect of Blocking Policy Inheritance and No Override

Assume that the Hide Entire Network, Disable Control Panel, and Enable Control Panel Group Policies have been applied to the following locations in the seattle.contoso.tld domain. The optional attributes indicate whether Block Policy Inheritance or No Override has been applied.

| Policy                | Location      | Permissions                                                                                   | Optional Attributes      |
|-----------------------|---------------|-----------------------------------------------------------------------------------------------|--------------------------|
| Enable Control Panel  | Domain        | Users: Read; Users: Apply Group Policy                                                        | None                     |
| Disable Control Panel | Seattle Users | Users: Read; Users: Apply Group Policy                                                        | None                     |
| Hide Entire Network   | Marketing     | Marketing: Read; Marketing: Apply Group Policy; Administrators: Deny Apply Group Policy       | Block Policy Inheritance |
| Hide Entire Network   | Sales         | Sales: Read; Sales: Apply Group Policy; Administrators: Deny Apply Group Policy               | Block Policy Inheritance |
| Enable Control Panel  | IT            | IT: Read; IT: Apply Group Policy                                                              | None                     |

  1. If Julie is a member of the sales force and her user account exists in the Sales OU, would she be able to use the Control Panel?


  2. Would Julie be able to view the Entire Network in My Network Places?


  3. What could the network administrator for the seattle.contoso.tld domain do to prevent the Block Policy Inheritance settings for the Sales and Marketing OUs from affecting the Disable Control Panel Group Policy applied at the Seattle Users OU?


  4. If the No Override attribute was enabled for the Disable Control Panel Group Policy applied at the Seattle Users OU, what additional security configuration must you perform to ensure that the IT department could use the Control Panel?
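
To check your reasoning for the questions in this exercise, the following added example (not part of the training kit) models domain-then-OU processing order, security group filtering, Block Policy Inheritance, and No Override over the links in the second table. The OU tree (Sales, Marketing, and IT beneath Seattle Users) and the users' group memberships are assumptions, because Figure 7.12 is not reproduced on this page; the setting names ControlPanel and EntireNetwork are labels invented for the model.

```python
# Added example: simplified model of GPO processing for user settings.
# ASSUMPTIONS: the OU tree below (Figure 7.12 is not reproduced on this page)
# and the group memberships passed in by the caller.
PARENT = {"Domain": None, "Seattle Users": "Domain", "Marketing": "Seattle Users",
          "Sales": "Seattle Users", "IT": "Seattle Users"}

def link(gpo, setting, value, location, apply, deny=(), no_override=False):
    # apply = groups holding both Read and Apply Group Policy on the GPO
    return dict(gpo=gpo, setting=setting, value=value, location=location,
                apply=set(apply), deny=set(deny), no_override=no_override)

def second_table(no_override_on_disable=False):
    """GPO links from the second table; the flag models question 4."""
    return [
        link("Enable Control Panel", "ControlPanel", "enabled", "Domain", ["Users"]),
        link("Disable Control Panel", "ControlPanel", "disabled", "Seattle Users",
             ["Users"], no_override=no_override_on_disable),
        link("Hide Entire Network", "EntireNetwork", "hidden", "Marketing",
             ["Marketing"], deny=["Administrators"]),
        link("Hide Entire Network", "EntireNetwork", "hidden", "Sales",
             ["Sales"], deny=["Administrators"]),
        link("Enable Control Panel", "ControlPanel", "enabled", "IT", ["IT"]),
    ]

BLOCKED = {"Marketing", "Sales"}   # OUs with Block Policy Inheritance set

def effective(user_ou, groups, links, blocked=BLOCKED):
    """Return {setting: (value, gpo, location)} for a user account in user_ou."""
    path, ou = [], user_ou
    while ou:                          # walk up from the user's OU to the domain
        path.append(ou)
        ou = PARENT[ou]
    path.reverse()                     # domain is processed first, nearest OU last
    normal, enforced = {}, {}
    for i, ou in enumerate(path):
        cut_off = any(c in blocked for c in path[i + 1:])   # a lower OU blocks
        for l in (l for l in links if l["location"] == ou):
            if l["deny"] & groups or not l["apply"] & groups:
                continue               # security group filtering: Deny wins
            if l["no_override"]:       # highest No Override link wins conflicts
                enforced.setdefault(l["setting"], (l["value"], l["gpo"], ou))
            elif not cut_off:          # later (closer) links overwrite earlier
                normal[l["setting"]] = (l["value"], l["gpo"], ou)
    return {**normal, **enforced}

if __name__ == "__main__":
    for name, ou, groups in [("Julie", "Sales", {"Users", "Sales"}),
                             ("Jackson", "IT", {"Users", "IT"})]:
        for flag in (False, True):
            print(name, "No Override:", flag, effective(ou, groups, second_table(flag)))
```

A setting missing from the result is not configured by any applied Group Policy object, so the client default applies. Passing blocked=set() reproduces the first table, where no OU blocks inheritance.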





Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
EAN: 2147483647
Year: 2001
Pages: 172
