Learning Activity #1 in Monday class

Last72 2018. 3. 16. 23:29

Learning Activity #1

By using Server 2012 and Win10, create the following from a clean installation:

Note: Continuously test your network configuration as you attempt this practical activity.

  • Configure the PC name and static IPs for your SRV2012 and Windows 10 client.
  • Configure DNS with forward and reverse lookup zones
  • Configure a DHCP scope that will distribute the IPs of 100-200 out to your client devices.
  • It is recommended to take a virtual snapshot before installing the AD role
  • Configure an Active Directory (AD) forest and domain that must match your DNS forward lookup zone name
  • Join your Win10 PC to the domain - change from a workgroup to a domain so it becomes a member on the domain
  • Create 3 Organisational Units (OU) in the AD that will represent the different departments
    • Sales
    • HR
    • Accounting
  • Create 4 user accounts in each OU, e.g.
    • Sales User1
    • Sales User2
  • Create 2x Domain Local groups for each of the 3 departments, e.g.
    • Sales_RO - Sales Read Only
    • Sales_FC - Sales Full Control or Full Access
  • Place all groups and users into their corresponding OU
  • Place 2x users into the Department_RO group
  • Place the remaining 2 users into the Department_FC group
  • Create the folder C:\Shared on SRV2012
  • Create a sub folder for Sales, HR and Accounting inside of the C:\Shared folder
  • On the C:\Shared folder adjust the sharing and security permissions to:
    • Sharing Permissions: Everyone - Allow Full Control
    • Security Permissions: Everyone - Allow Full Control
  • On each department's folders you will need to remove inheritable permissions and only allow their corresponding groups to have access e.g.
    • Sales folder
      • Sales_FC should allow full control
      • Sales_RO should allow read access only
  • On the Win10 PC, you will need to sign in with the different user accounts that you created for Sales, HR and Accounting
  • On the Win10 PC, test access to the C:\Shared folder and sub folders by accessing the share by using \\SRVname.domainname\Shared
  • What permissions do your user accounts have inside the Shared folder and the Sales, HR and Accounting folders?
  • Do your 2x user accounts for the department_FC group have access to read/view, create and delete any files?
  • Do your 2x user accounts for the department_RO group only have access to view the files and they cannot create or delete any files?
  • On the SRV2012 we will be creating group policies that will be attached to each OU: Sales, HR and Accounting
    • Open the Group Policy Management Console
    • Create a New Group Policy Object (GPO) and link it to the Sales, HR and Accounting OUs
    • Edit these GPOs under the User Configuration Level with:
      • Sales
        • Prohibit Access to Control Panel
      • HR
        • Lock the taskbar
      • Accounting
        • CTRL+Alt+Delete Options - enable these options:
          • Remove Change Password
          • Remove Task Manager
  • Test the GPO restrictions by updating the group policies by running: gpupdate /force on your Win10 PC
    • Login with your various accounts to check if the restrictions are working on the correct users and groups
  • On the SRV2012 PC, inside the Active Directory Users and Computers, move the Win10 PC from the Computers folder and place it into a new OU called - Client PCs
  • Create a new GPO and link it to the Client PCs OU and adjust the Computer Configuration level with:
    • Interactive Logon Message Title and Body
      • Interactive Logon Message Title: This is a secure PC. Only authorised users are allowed to connect.
      • Interactive Logon Message Text: Please ensure your login details have not been disclosed to any unauthorised users before attempting logon. Your actions will be monitored
  • Test this new GPO by updating the group policy on the Win10 PC
  • Logout and check if the Interactive Logon message appears.
  • What are the differences from assigning group policies at the Computer Configuration level compared to that of the User Configuration level?
  • Will group policies only take effect if computers and user accounts/groups have been added to the OU where the GPO will be attached?
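
The OU, group, user and folder-permission steps above can also be scripted; the following PowerShell is an added example, not part of the original worksheet. Assumptions: the `Dept.UserN` logon-name pattern, User1-2 going to the RO group and User3-4 to the FC group, and keeping Administrators and SYSTEM on each department folder so the server admin is not locked out once inheritance is removed. The NTFS "Everyone" entry on C:\Shared itself is left to the GUI step.

```powershell
# Added example. Run elevated on SRV2012 after the AD role is installed.
Import-Module ActiveDirectory

$domain   = Get-ADDomain    # current domain; no domain name is hard-coded
$password = Read-Host -AsSecureString 'Initial password for the lab users'
$root     = 'C:\Shared'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None

New-Item -Path $root -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Shared' -Path $root -FullAccess 'Everyone' | Out-Null

foreach ($dept in 'Sales', 'HR', 'Accounting') {
    # OU plus the two Domain Local groups for this department
    New-ADOrganizationalUnit -Name $dept -Path $domain.DistinguishedName
    $ou = "OU=$dept,$($domain.DistinguishedName)"
    foreach ($suffix in 'RO', 'FC') {
        New-ADGroup -Name "${dept}_$suffix" -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }

    # Four users: User1-2 join <dept>_RO, User3-4 join <dept>_FC (assumed split)
    foreach ($i in 1..4) {
        $sam = "$dept.User$i"    # assumed logon-name pattern
        New-ADUser -Name "$dept User$i" -SamAccountName $sam -Path $ou `
                   -AccountPassword $password -Enabled $true
        $group = if ($i -le 2) { "${dept}_RO" } else { "${dept}_FC" }
        Add-ADGroupMember -Identity $group -Members $sam
    }

    # Department folder: block inheritance, discard inherited ACEs, add explicit ones
    $folder = Join-Path $root $dept
    New-Item -Path $folder -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $folder
    $acl.SetAccessRuleProtection($true, $false)   # protected; inherited ACEs not copied
    $grants = [ordered]@{
        "$($domain.NetBIOSName)\${dept}_FC" = 'FullControl'
        "$($domain.NetBIOSName)\${dept}_RO" = 'ReadAndExecute'
        'BUILTIN\Administrators'            = 'FullControl'   # assumption: keep admin access
        'NT AUTHORITY\SYSTEM'               = 'FullControl'   # assumption: keep system access
    }
    foreach ($id in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $grants[$id], $inherit, $noProp, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $folder -AclObject $acl
}

# Review the resulting ACL on every department folder
Get-ChildItem -Path $root -Directory | Get-Acl | Format-List Path, AccessToString
```

Because the share permission is Everyone - Full Control, the effective access a user gets over \\SRVname.domainname\Shared is decided entirely by these NTFS entries, which is what the sign-in tests on the Win10 PC are checking.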