
Windows server transcript

so our first step will be setting up our


environment for learning Windows Server
we're gonna be setting it up on a
virtual machine a virtual machine is a
separate operating system that runs
independently but side-by-side with your
host operating system it uses your
computer's hardware but any changes made
within a virtual machine will not affect
your host operating system to do this
we're going to use a software called
VMware Workstation now there is a paid
version of VMware Workstation but we're
going to be using the free trial in
order to set this up there are other
software packages out there that allow
you to do the same thing like VirtualBox
we're going to be using VMware
Workstation you can access VMware
Workstation by going to VMware.com
products workstation we're gonna select
try for free and I'm running windows
64-bit and so I'm going to hit download
once the download is complete we'll open
up the Installer
and we'll simply follow the prompts the
default should be fine for most
installations
once the installation is finished we'll
click finish and we'll open up VMware
Workstation before we create our virtual
machine and install Windows Server we
need to obtain the installation media
for Windows Server 2012 normally when
you install Windows or Windows Server
you can use a bootable cd/dvd or USB
Drive for our purposes we're installing
on a virtual machine so we'll require a
special file called an ISO file that
will allow us to install Windows Server
2012 as if we were using an installation
disk to get this file we're going to
obtain an evaluation copy of Windows
Server 2012 to do that we're gonna head
over to the Microsoft TechNet evaluation
Center you can reach this at
microsoft.com/en-us/evalcenter click the
evaluate Now button and select Windows
Server 2012 R2 or release 2 in order to
download our evaluation copy of Windows
Server 2012 we need to have a Microsoft
account so I'll go ahead and sign in
and once I've signed in with my
Microsoft account I'll select the type
of file I want to download
we need an ISO file we'll hit register
and continue and we'll fill in the
information some of this information is
not necessary for instance I can select
other for my role in my company
organization we're just using this as an
evaluation we do not need the system
center components and if you'd like to
sign up for TechNet's communication
emails you can check the box for
subscribe we'll go ahead and click
continue and our download will begin
this is a larger file about four to 4.2
gigabytes so it may take a little while
to download feel free to pause the video
if you're following along and we'll pick
back up as soon as the download is
finished now that our download has
completed I've gone ahead and moved the
file to my desktop
let's open back up VMware Workstation
and we'll click create a new virtual
machine we're going to use the typical
configuration and we'll select installer
disk image file and we'll select our
Windows Server ISO that we downloaded
we have the option of changing our
virtual machine name and selecting a
location for the files for the virtual
machine now keep in mind that you'll
need enough storage space to handle
approximately 60 gigabytes which is the
default here we can change the maximum
hard disk size if you don't have enough
space for the 60 gigabytes you can turn
this down but it is recommended that you
stay above 40 gigabytes I'm going to
leave it at the default before we start
we'll uncheck the power-on virtual
machine after creation and click finish
now our virtual machine is set up and
it's ready to install Windows Server
alright we've set up our virtual machine
and we've installed our ISO into the
virtual CD drive of our virtual machine
and now we're ready to power on and
install Windows Server 2012 so go ahead
and select your VM that you made and
click power on this virtual machine
you'll see on screen just like you would
in front of a physical machine that the
Installer will begin very similar to
installing Windows or any other
operating system
we'll select our language and keyboard
and then click install now now there are
several different versions of Windows
Server in fact there are four foundation
essentials standard and data center with
this evaluation that we've downloaded we
have a choice between standard and data
center for this tutorial we're going to
stick with the standard evaluation now
when you select the operating system
Edition make sure you select the one
that has the option server with a GUI or
graphical user interface
you'll be presented with the license
terms for Windows Server 2012 we'll
accept those and click Next
we're not doing an upgrade obviously so
we're going to install Windows only and
you'll see that we have one virtual hard
drive available to us we'll go ahead and
click Next
windows will begin copying Windows files
getting those files ready for
installation and finishing up the
remainder of updating and setting up the
system this process may take 5 to 15
minutes depending on the speed of your
computer so we'll skip ahead to the end
of the installation once the
installation has finished the computer
will automatically restart if you were
installing this on a physical machine it
would also restart installation will
continue after this reboot
once the computer has restarted you'll
be prompted to set up the built-in
administrator account I'll type in a
password and click finish
now that Windows has been successfully
installed and I've set up my built-in
administrator account I'll press Ctrl
Alt Delete to sign in in VMware
Workstation Ctrl Alt Delete won't work so
you'll press Ctrl Alt Insert on a
physical machine you would press Ctrl
Alt Delete I'll type in my password that I
set up for my account and I'll be signed
in the server manager window will open
giving me an overview of my server from
here we successfully installed Windows
Server onto a virtual machine and from
here we can begin to set up our
environment now that we have a working
Windows Server 2012 installation our
next step is to create a Windows domain
well what is a Windows domain a Windows
domain is a computer network where user
accounts computers and resources and the
security for all those things are stored
and defined on one or more servers that
are called domain controllers users and
computers on the domain are
authenticated through the domain
controllers and the permissions to the
resources are based on user accounts and
the groups that contain user accounts so
with that information in mind it's time
to set up our Windows server as a domain
controller and create our first domain
for the remainder of this course I'm
going to be using VMware Workstation in
full-screen mode at the very top of the
window you can see the enter full screen
mode button to exit full-screen mode
simply move your cursor to the top and
click the full screen mode button again
this will help us to be able to see what
we're doing with inside the window when
we first start up Windows server and
login we should see the server manager
utility the server manager utility
allows us to get an overview of the
different roles and configurations that
we've set up for our local server as
well as servers that we've added to any
groups within the domain once we've
created it if you don't see the server
manager window when you first log into
Windows you can access it through the
quick launch toolbar or through the
Start menu there are some preliminary
steps that we need to set up in order to
make our domain controller active and
working properly we can go up to
configure this local server to set some
of these options first we need to give
our server a name in the top left hand
corner you can see that I've already set
a name for my server if I click the name
I can change it
it'll open the system properties menu I
can click Change and from here I can
change my server's name once I click OK
and confirm my changes I'll need to
restart the server in order to save the
change we'll also want to make sure that
Windows updates are turned on the
windows update settings when you click
them will show you what your current
settings are I've already turned mine on
and it's always a good idea to keep your
server up to date with the latest
patches this prevents any
vulnerabilities or any bugs from
occurring that would impact user
experience we'll also want to make sure
that our time zone and our time are set
correctly
I prefer setting up an internet time
server so that Windows can sync with an
external source there are some built-in
options for time servers which you can
use or you can use one of your own if
you're familiar with the protocol I also
want to make sure that my time zone is
set correctly
there are some other options on the
left-hand side that we'll want to
configure as well the defaults for
Windows Firewall remote management and
remote desktop
will be fine for now NIC teaming is an
option that allows you to combine
different physical network interfaces to
one IP address we'll skip that for now
since that's a more advanced feature we
do need to configure a static IP address
for this server since it's going to be a
domain controller its IP address must
not change if it does that could cause
some problems in the future
so let's go ahead and configure a static
IP address now when we click our current
configuration within server manager we
will be presented with a list of our
current Ethernet adapters this server
only has one since that's what we
configured as a typical configuration in
VMware if I right-click this and click
status and then details it'll show you
the current IP address and IP settings
that have been given by the DHCP server
built into VMware we need to change this
so that this information is static and
will not change so I'm going to make a
quick note of my IP address my gateway
as well as the DNS server now I'll go
into properties open up IP protocol
version 4 and instead of obtain IP
address automatically I'll use the
following IP address and enter that
information I took from before
once I've entered my settings you can
click OK
now we've prepared our server with the
basic settings that will allow it to
become a domain controller let's go back
to the dashboard on the server manager
and click add roles and features to add
the Active Directory domain services
role the add roles and features wizard
will appear and we can click Next the
Active Directory and domain services
role is a role based and feature-based
installation so that default setting is
perfect if we have multiple servers in
our pool which right now we only have
one we can select it and install roles
to different servers but we're going to
install this one locally we'll select
Active Directory domain services and
then click Next we should also install
group policy management as that will
help us in some of the later lectures in
this course
then we'll click install
once the roles have been installed we'll
be prompted to perform any additional
steps that are necessary in activating
that role's features in this example
we're setting up a domain controller and
we need to take advantage of the Active
Directory domain services so this server
needs to be promoted to a domain
controller the Active Directory domain
services configuration wizard will open
we'll first be prompted to select a
deployment operation you'll see three
options you can add a domain controller
to an existing domain add a new domain
to an existing forest or add a new
forest this is a new term forest what is
it a forest is simply a group of domains
if you remember from the beginning of
this lecture a domain is a computer
network where the domain controller
houses all of the user computer and
resource information in a local
directory a forest is simply a group of
domains where there are separate groups
of domain controllers and all of that
information is controlled on an
individual per domain basis but all
belong to the same forest we don't have
a forest yet so we need to create a new
one we'll be prompted to enter a root
domain name now when you hear the word
domain name you may be thinking of
something like google.com or yahoo.com
in a Windows domain context domain name
doesn't refer to an Internet domain name
but rather a record that all the
computers and all of the user accounts
use to look up resources within the
domain I could enter something like
google.com as my root domain name
however anytime somebody within the
domain tried to access something with
the domain name google.com the computer
would think that that is a resource
within the domain I can't use something
that's on the Internet because then my
users would not be able to access that
Internet web address instead we should
use a domain name that doesn't exist on
the internet and isn't used anywhere
else within our domain as a web resource
or any other type of resource a good
practice is
always using something that does not
exist on the Internet and the best
practice is to use something that ends
in .local because .local addresses
cannot exist on a public domain name
space so I'm going to use the domain
name test.local next we'll set our
forest and domain functional levels the
functional level of a forest or a domain
is simply a set of features that is
allowed on that domain as a whole this
is mainly controlled by what versions of
Windows Server are active domain
controllers within your domain for
example if all of my servers within a
domain were Windows Server 2012 R2 then
I could easily set my forest and domain
functional level to Windows Server 2012
R2 there are additional considerations
to make if you're using older versions
of Windows server your forest or domain
functional level may need to be set
lower since this is the only domain
controller in our domain the default
works just fine we're also asked to
specify this domain controller's
capabilities we want this domain
controller to be a DNS server we'll
describe more about DNS servers later
but basically it's simply a record of
all the computers and devices within the
domain network and their IP addresses
that are associated with them a global
catalog is simply a record of all of the
resources that exist on the domain
controller and are advertised to all the
users and computers based on their
permissions the primary domain
controller that we're setting up now has
to be a global catalog because it's the
first domain controller you'll also see
that the read only domain controller is
grayed out and you cannot enable it this
is because the first primary domain
controller is being set up and needs to
be writable later you could set up a
domain controller that is read-only for
special purposes lastly we need to set
up a directory services restore mode
password DSRM is a tool that's used to
recover directory services and directory
information in case of a disaster so
we'll set up a password for that now
make sure you note this down in case you
ever need it in the future when you
first set up a primary domain controller
in a basic domain you'll be warned that
delegation for the DNS server cannot be
created because of an authoritative
parent zone not being able to be found
this is normal and it can be ignored
next we'll be asked to set the NetBIOS
domain name NetBIOS is simply the first
part of the root domain name that we set
we want this to be the same so the
default is perfect next we'll be asked
to specify the location of the AD DS
database or the Active Directory domain
services database the log files and the
sysvol folder the defaults for these
folders are fine but in more advanced
lessons you can learn to modify the
locations of these to suit your purposes
we'll leave them by default for now
we're then given an option to review all
of our selections and to make sure that
everything looks correct when we click
Next
Windows server will begin checking to
make sure that all of the prerequisites
for becoming a domain controller are met
it will give you warnings in case
anything needs to be brought to attention
the first item is a warning about
security there is a setting in Windows
2012 domain controllers by default that
is turned on that allows compatibility
in cryptography with older Windows
Server systems this is a potential
security risk because older cryptography
algorithms are sometimes weaker and
subject to vulnerability we'll ignore
this for now but it's a good thing to read
up on the different vulnerabilities that
might exist when you're warned about
them we'll also see that the warning we
got earlier about DNS server is showing
up as well as before this warning can be
ignored we'll see that all of our
prerequisite checks have been completed
and they have all passed successfully
we're ready to upgrade this server and
promote it to a domain controller
once the server has successfully
installed Active Directory domain
services and upgraded to a domain
controller we'll be warned that we're
about to be signed out and the computer
will restart once our server has
restarted it is now a primary domain
controller on the test domain we can now
log in as our administrator account and
the server manager window will open from
here we can configure our domain
services and add other roles and
features onto our domain controller at
the very bottom of your server manager
you'll see that AD DS has been installed
as well as DNS and file and storage
services in the next few lectures you'll
learn how to configure these services as
well as add others so now that our
server is now a domain controller and
we've installed Active Directory domain
services we now have to configure Active
Directory well what is Active Directory
it is the foundation of the Windows
domain it's essentially a catalog of all
the registered objects in the domain and
it provides authentication services and
security principles that allow those
users and computers to access the
resources that they've been granted
permissions to so we're going to start
with a real-world scenario we're going
to provide some realistic examples of
how Active Directory might be set up and
we're gonna go through and actually
configure it as if we were starting
fresh for a real business so we're going
to be working with the imaginary
Carmack's dealership it has one
headquarter location and two sales
locations the headquarters has an
administrative department accounting and
HR and then the two locations have sales
staff mechanic staff and management so
we're going to go into Active Directory
set up these different objects and go
from there so back on our server with
the server manager window open we'll go
up into the top right hand corner to
tools then we'll click Active Directory
users and computers to open that snap-in
on the left-hand side of ADUC or
Active Directory users and computers
you'll see our test.local domain if
we expand that we'll see some of the
built-in OUs or organizational units
that come by default now when we're
structuring Active Directory my rule of
thumb is always to start with the
biggest organizational unit I can think
of and then work my way smaller so with
our example business we want to start
with the biggest division or biggest
organizational structure unit that we
can think of and then work smaller so
for our business we'll start with our
three locations we've got a headquarters
and two sales locations so with our
domain selected we'll right-click in the
middle of the screen then click new
organizational unit and we'll give it a
name for instance headquarters and we'll
repeat that step for the other two
locations now before I click new I have
the headquarters OU selected so
right now I'm creating new objects
within that OU if I want to create an
OU inside the root domain I'll
have to click that first so I'll create
two more organizational units and we'll
call our two sales locations
Carmack's east
and Carmack's west from here following
our rule we'll go to the next largest
group of objects that we're gonna put
into Active Directory personally I like
to take each OU and separate them
into users and computers since that's
going to be the most common object in
our Active Directory structure
so for each location I'm going to select
it and create a new OU for computers
make sure you name each one individually
so when you're looking at it on an
individual basis you know which one it
is
so with this structure I can put my
users into headquarters and the
computers at headquarters into the
computers - headquarters OU I'll
repeat this for the next two
organizational units
so now I have three OUs our
headquarters location and our two sales
locations and a sub-OU for each one
for the computers at that location I'll
put the users and the user groups in
each location so starting with
headquarters we want to create our next
smallest item now here's what we can set
up our departments for each location now
when we're talking about departments or
small groups of users like that we need
to consider what kind of things those
people are going to need to access when
we're talking about security principles
like that whether it's accessing a file
share or access to a printer we want to
base that on a user basis and a group
basis commonly in businesses accounting
and administrative people have access to
different sets of resources so in our
headquarters location we're going to set
up a user group for each of our
departments in our headquarters group
selected we'll right-click and then
create a new group oops
new group
we'll give the group a name we'll make
sure that the security group type is
enabled and we'll make sure that it is a
global group then click OK we'll repeat
this step for the other two departments
that we have at our headquarters
location accounting and HR
so now our headquarters location has a
place for computers a place for users
and separate groups of users that
correspond to the different departments
at that location now we also need to
create our departments for our sales
locations now keep in mind within a
domain you can't have two groups with
the same name even if they're in
different organizational units so it's
best practice like with our computers
group that we have or the computers
OU under each location to also append
an individual or unique name to a group
if it's specific to that OU so we'll
do sales at CM East make sure that it's
a security group and a global group and
we'll repeat that for the other two
so now I have three user groups at that
sales location and since none of them
have just the management mechanics or
sales name I can create the other three
groups with CM West so there's no
conflicts
so now we have our basic Active
Directory structure created the only
thing that we're missing is some users
so we'll put in some dummy users and you
can use whatever user names that you'd
like or whatever names you'd like as
long as you remember to create one user
that you'll want to use when you log in
under an Active Directory account so in
headquarters I'm going to create one
user new user give him a name and create
a user name or a user logon name it's
best to always have a naming convention
for both computers users and as we've
created OUs and groups I like to use
first initial last name but you can use
whatever you want
we'll set a password for our user and
since we have the user must change
password at next logon when this user
first logs on with the password that you
set they'll be prompted to create a new
one now our John Jones user that we've
created is a member of the
administrative department so we need to
add him to that group we'll right-click
select add to group and the select
groups window will open whenever we see
this window all we're doing is we're
selecting the name of the object that we
want to add to we selected John Jones
and we clicked add to group so right now
we're looking for groups within the test
dot local domain that we want to add
John Jones or whichever users we've
selected to so we're gonna enter
administrative and we're gonna click
check names looks like it found the
group because it underlined it and we'll
click OK the add to group operation is
completed and if we open our
administrative group by right-clicking
and hitting properties we can go to
members to see that John Jones has been
added the purpose of groups of course is
to give permissions to a group of users
without having to go into each
individual user and modifying their
permissions if I gave the administrative
group access to a resource John Jones
gets access because he is a member of
administrative now let's practice adding
one more user to a group but this time
let's do it at one of the sales
locations so remember we're putting our
users in the root OU of the location
we'll right-click go to new and then
select new user we'll give the user a
name and following our naming convention
we'll give them a user name we'll set a
password
and click Next now we'll add Mike Jones
to the mechanics group of CM East so
we'll right-click Mike Jones add to
group and this time we'll just search
mechanics click check names and you'll
see that there are multiple matches
because remember we have a mechanics
group at CM East and CM West well Mike
is a mechanic at CM East so we'll select
the CM East mechanics group we'll select
ok the operation completed and we can go
into mechanics to check to make sure
that he is properly added there's
another way to add users to a group and
that's by going through the group itself
let's say Mike Jones is also a member of
the sales department so we'll
right-click the sales department click
properties click members and then click
Add this window looks familiar instead
of searching for groups we're searching
for users in the test.local domain
which user do we want to add we want to
add Mike Jones now we can search by his
name or his user name I know his name so
I'll just type in Mike check names and it
looks like it found our Mike Jones we'll
click OK and then we'll click apply
that's the other way of adding a user to
a group next we'll go over moving
disabling and deleting Active Directory
users and other objects so let's work
with our Mike Jones user let's say that
Mike Jones got moved to headquarters
because he got promoted we're gonna move
him by right-clicking his user account
clicking move and then selecting the
container that we want to move him to
we're gonna move him to the headquarters
OU
so you'll see that Mike's account is
gone from the CM East OU and has
been moved to the headquarters OU
now when we move user accounts or groups
they still retain their group membership
so if we go into Mike Jones's account
even though we've moved him to a new
OU he is still a member of mechanics
and sales at CM East so we need to
remove him from these groups now that he
is at the headquarters OU we're
gonna select CM East and we can hold
down the shift or control key to select
the two groups we can select remove and
click yes to remove them from those
groups with user accounts we also have
the ability to disable them this has
multiple uses in the real world but for
example let's say Mike goes on an
extended vacation we need to disable his
account for security reasons while he's
away we can right-click his account then
click disable and it will confirm that
we've disabled the account on the left
hand side we can see that his account
has a downward-facing arrow indicating
that his account has been disabled when
an account is disabled that user will
not be able to access any resources and
if they're connected to the domain
network they will not be able to log in
we can enable Mike's account by right
clicking then clicking enable where the
disabled button used to be when you need
to delete a user or a group or any other
Active Directory object you can simply
right-click the object then click delete
it will confirm your selection and the
object will be deleted
lastly we'll go over several more
options we have with modifying users and
several of the actions that we can take
with their accounts if we look at our
John Jones user we can right click and
we get some several options we haven't
gone over yet for instance we can copy
which copies John Jones's account and
all of its settings into a new account
allowing you to rename that new account
and model a new user after John Jones we
can reset John's password enabling him
to change it again after he logs on the
next time if we go into the properties
page of a user
we have several tabs where we can edit
the user's information like address
account settings profile options as well
as a variety of other settings the most
commonly used tab in the user account
properties page is the account tab here
we can change the user's username or a
user logon name we can unlock or lock
the account and we can make some changes
to the account options we can also set
an expiration on the user account if
it's a temporary account here we can
also set logon hours when the user is
permitted to log on
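
The OU, group and user steps above, plus the point that a moved account keeps its old group memberships, can be scripted and checked from PowerShell. This is an added example, not part of the original lecture; it assumes the ActiveDirectory module on the test.local domain controller, and the OU, group and logon names (including the "- CM East" style suffixes and `mjones`) are illustrative choices.

```powershell
# Added example, not from the lecture. Assumes the ActiveDirectory module on the
# test.local domain controller; every OU, group and user name is illustrative.
Import-Module ActiveDirectory

$domainDn = 'DC=test,DC=local'

# Largest units first: one OU per location, each with a sub-OU for its computers.
foreach ($loc in 'Headquarters', 'CM East', 'CM West') {
    New-ADOrganizationalUnit -Name $loc -Path $domainDn
    New-ADOrganizationalUnit -Name "Computers - $loc" -Path "OU=$loc,$domainDn"
}

# Group names must be unique in the domain, so per-site groups carry a site suffix.
$groups = @{
    'Headquarters' = @('Administrative', 'Accounting', 'HR')
    'CM East'      = @('Sales - CM East', 'Mechanics - CM East', 'Management - CM East')
    'CM West'      = @('Sales - CM West', 'Mechanics - CM West', 'Management - CM West')
}
foreach ($loc in $groups.Keys) {
    foreach ($name in $groups[$loc]) {
        New-ADGroup -Name $name -GroupCategory Security -GroupScope Global `
                    -Path "OU=$loc,$domainDn"
    }
}

# First-initial-last-name logon; the user must change the password at first logon.
$initialPw = Read-Host -AsSecureString -Prompt 'Initial password for mjones'
New-ADUser -Name 'Mike Jones' -GivenName 'Mike' -Surname 'Jones' `
           -SamAccountName 'mjones' -UserPrincipalName 'mjones@test.local' `
           -Path "OU=CM East,$domainDn" -AccountPassword $initialPw `
           -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity 'Mechanics - CM East' -Members 'mjones'
Add-ADGroupMember -Identity 'Sales - CM East' -Members 'mjones'

# Promotion: move the account to Headquarters. Group memberships are NOT changed.
Get-ADUser -Identity 'mjones' | Move-ADObject -TargetPath "OU=Headquarters,$domainDn"

function Get-StaleSiteMembership {
    # Lists groups the user still belongs to that live outside the OU the
    # account now sits in. Groups in default containers (CN=Users, CN=Builtin)
    # are skipped because they are not tied to a location OU.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # Parent container = DN minus the first RDN; split on the first unescaped comma.
    $userOu = ($user.DistinguishedName -split '(?<!\\),', 2)[1]

    Get-ADPrincipalGroupMembership -Identity $user | Where-Object {
        $_.DistinguishedName -like '*,OU=*' -and
        -not $_.DistinguishedName.EndsWith(",$userOu",
                [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Review what the move left behind, then remove it.
$stale = Get-StaleSiteMembership -SamAccountName 'mjones'
$stale | Select-Object Name, DistinguishedName
foreach ($g in $stale) {
    Remove-ADGroupMember -Identity $g -Members 'mjones' -Confirm:$false
}

# Extended leave: disable rather than delete, and re-enable on return.
Disable-ADAccount -Identity 'mjones'
Get-ADUser -Identity 'mjones' -Properties Enabled | Select-Object Name, Enabled
# Enable-ADAccount -Identity 'mjones'
```
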
in the next lecture we'll be going over
DNS I hope to see you there

in this
lecture we're going to be going over
Group Policy group policy is a tool that
allows you to create and deploy policies
and settings for the users and computers
within your domain now I'm not going to
be able to cover the entirety of group
policy and all that you can do with it
in this lecture and the reason for that
is because there are literally thousands
of potential policies that you could
push out instead what we'll do is we'll
use some common examples and ones that
would fit within the context of our
imaginary business that we're setting up
so first we need to make sure that group
policy management is installed and if
you remember back when we installed
AD domain services we checked the box
for group policy management so that we
wouldn't have to do it around here at
this time but we can still make sure
it's installed if we go to add roles and
features within the server manager and
group policy is a feature so we'll skip
ahead down to the features section and
we'll see the group policy management is
already installed and if it wasn't we
could go ahead and check the box hit
next and install that and to open group
policy management we'll go to the top
right hand corner to tools and we'll
click group policy management and the
snap-in will open in the top left-hand
corner you'll see our forest test.local
and then you'll see domains and
then you'll see our domain that we
created test.local now when we talk
about group policy in terms of structure
we need to realize that everything that
you do in group policy is
OU-based a lot like Active Directory
so you'll see our Active Directory OUs
on the left hand side CM East CM West
domain controllers headquarters and the
first thing that we need to talk about
when we're creating policies that we're
going to apply is that when we create a
policy we're not only working within the
context of which users or computers am I
going to apply this policy to we also
need to pay attention as to where we are
linking those policies as to the OUs
that they're placed in
when we create a policy let's say we
create a policy in the headquarters
OU regardless of what users or
computers that we apply the policy to
they must be within the headquarters
OU in Active Directory in order for
that policy to apply if I created a
policy in headquarters and applied it to
a user that was in cm West that policy
would not apply I have to make sure that
when I create a policy in the
headquarters OU or any other OU
I'm applying that to users and computers
that I want to be applied that are in
the headquarters OU so pay attention
to the structure when you're setting up
domain or group policies and always keep
in mind that when you place it in an
OU you're only applying that to the
users and computers that you set that
exist within that OU so on the top
you'll see a default domain group policy
object this one comes built-in when you
install group policy management and if
we go into the settings we can see some
of the settings that exist within this
particular policy by default it sets a
password policy and account lockout
policy or Kerberos policy security
encrypting file systems we're not going
to go over every single one of
these but the most common that we're
gonna set up is these top two the
password policy and the account lockout
policy the password policy that is
simply a policy that applies to the
characteristics of a user's password
when do they need to reset their
password does the password need to be a
certain length or have a certain amount
of complexity how many how many
passwords can they reuse or can they
reuse any so that's a policy that we
would set up for the entire domain in
most cases we also want to set an
account lockout policy basically when a
person enters an incorrect password a
certain number of times they'll get
locked out of their account that is
where we set that setting so with this
default domain policy we're going to go
ahead and edit this now since this
policy is not in an OU it's right
under
the domain this is what we would call a
global or a global domain policy it
applies to all the OU's if you place a
group policy object within an OU it
only applies to that OU but if we
have a policy like the default one
that's placed outside of all the OU's it
will apply to the entire domain so we'll
right-click this and hit edit and then
the group policy management editor will
open this is this is where we can edit
this particular group policy object you
can see its name right here at the top
so if you ever don't know which or if
you ever forget which one you're working
with that will be the name of the policy
you're working with now if we step back
for a moment and we look at the settings
for this group policy object you'll see
that there are two sections one is the
computer configuration and one is the
user configuration and we can see that
also in the group policy management
editor for this particular group policy
object you'll see a section for computer
and user and the difference between the
two is that there are certain policies
that apply to users certain policies
that apply to computers and as you get
more familiar with group policy you'll
you'll start to remember where things
are located certain policies would only
apply to that user account or certain
policies would apply to the whole
computer and there are even some
policies that you could apply to either
because of the way that that policy gets
applied now we're not going to go into
depth as to which policies are where
because that's something that would take
a little while to go over and again
there are many many policies that we
could we could cover but for right now
we're primarily going to be covering
computer policies the reason for that is
because they affect every user that logs
on to that computer and we're mainly
setting up security policies for the
users that log in so if we just follow
this the hierarchy that it's got listed
in here we can go into policies under
computer configuration windows settings
and then security settings and looks
like we're going under account policies
password policies there's account policy
password policy
so there it is this is where we can
change the settings that are in here and
you can see what's currently set so
let's go over to some of the basics now
when we're editing a group policy here
these are a policy and a policy setting
if i double click this i can change the
setting now in most built-in group
policy options that you have the ability
to change you can if you don't know what
it does you can always click this
explain tab and it will tell you in
detail what what this setting will do
what options you have to change and what
will happen when you change that either
if it's a true or false or if it's a
number that you need to set what will
changing that do so always read over the
explanation if you don't know what
you're changing or what you're doing
this will always give you some good
insight as to what we're doing but with
a secure policy setting this is a
enforced password history so when a user
changes their password they can't use
that old password again until a certain
amount of password changes so let's set
this to something like 12 so a user will
need to change their password 12 times
before they can reuse an old
password and you can set this as low or
as high as you want to or you can set it
to zero to turn it completely off so
we're gonna hit set it as 12 and hit
apply and then the maximum password age
and if we hit explain this will tell us
what that does and basically what this
setting is is how old can the password
be before the user needs to change it so
after 42 days the user will need to
change their password when they go and
login they will be forced to change it
now they can not they will also get a
warning that hey your your password is
coming up for expiration do you want to
change it now and that counter will
reset so let's change that to something
like 3 weeks let's set that for 21 days
a lot of businesses do this about a
month I'll do it for 3 weeks just in
this example and the minimum password
age that is usually not doesn't need to
be set
can be used in specific use cases we'll
leave that as one day minimum password
length that's pretty self-explanatory
how long does their password need to be
doesn't matter if it's letters and
numbers that it's not talking about that
it's just talking about how many
characters long is it we'll leave it at
seven that's good password must meet
complexity requirements now by default
Windows domain doesn't really allow you
to say I need this many numbers this
many character or this many special
characters that sort of thing they just
have an on or off does the password need
to be complex or can it be simple and
what they mean by complex is and needs
to have these particular requirements so
it needs to be six characters in length
and contain characters from three of the
four these four categories got to have
uppercase lowercase numbers and special
characters so it is a good idea to leave
this enabled that greatly enhances the
security in your network you definitely
don't want somebody being able to guess
or brute force their way in so we'll
leave that on the last option is whether
or not this the passwords for users are
stored on the domain controller using a
method of encryption that's reversible
and what that means is when a password
is set on a user that is stored in such
a way that the password cannot be
decrypted very easily and so we want to
keep that disabled we want to make sure
that our passwords aren't easy to get to
so that's it for the password policy
let's go to the next one account lockout
policy that's just below that so account
lockout duration now what this is is how
long is the user locked out if they get
their password incorrect so many times
so we're gonna define this if we check
the box and now normally it's undefined
and what that means is that the policy
is simply turned off
so we'll go ahead and define this policy
and let's say we'll lock them out for 30
minutes that sounds fine now it's going
to give us a warning these other two
need to be enabled and configured in
order for that policy we just changed to
be changed successfully so it's going to
put some defaults in there we'll go
ahead and change those after the fact so
we'll apply that hit OK account lockout
threshold how many times does the user
enter their password incorrectly before
them out five that sounds just fine and
reset account lockout after how many
minutes so they'll get locked out for 30
minutes and after that 30 minutes is up
that account will be re unlocked so to
speak will leave that enable that's fine
so that's it for our two most common
policies and we're applying this again
to a computer configuration and since
it's directly underneath our domain it's
not in any OUs it's going to get
applied to all of the computers within
that domain but we need to make sure
first that our scope is applied
correctly so we're gonna close this and
next we're going to click the scope tab
now in our default domain policy you'll
see that is a it's applying to this
domain test.local and it's filtered
to these objects and the object that
it's filtering to is authenticated users
now may be confusing we've got a policy
that's being applied to the entire
domain but there's only computer
policies in it yet we're filtering it
down to authenticated users it really
doesn't matter if you're applying a
policy to users or computers you
generally want to only apply it to user
objects when you're talking about
security filtering so the fact that this
says authenticated users that's perfect
we want that to always be the users that
we want to apply that policy to because
when that user logs in that computer
policy will apply to that computer as
long as it is a computer within the
domain since we've applied this policy
here so what I'd like to do next is
create a policy for the financial folks
that work at the headquarters at our
imaginary car dealership now the
financial people are probably working on
important accounting stuff and they
probably have some sensitive information
on their computers and we want to make
sure that their computers lock if they
get up and walk away for a certain
amount of time that's so that nobody can
just walk up and start messing around
and look at things that they shouldn't
see so we're going to create a policy in
the headquarters OU we'll go ahead
and click that and then
right click and click create a GPO in
this domain and link it here we're gonna
name this GPO so we're gonna say screen
timeout and now you'll see that that GPO
is applied if we expand headquarters
we'll see that that's been applied and
by default it automatically puts our
authenticated users and that's fine so
we're gonna go ahead and edit this
policy and right click it click Edit so
we're gonna set up an inactivity lock
after the machine isn't active for so
much time the computer will
automatically lock this policy is
located under computer configuration
policies windows settings security
settings local policies and then
security options so the policy we're
looking for is under interactive logon
and it's called machine inactivity limit
we're gonna double click that we're
gonna check the box to define the
setting and we'll set that to something
like five minutes
look notice that it's asking for it in
seconds again we can always click
explain if we want to get a definition
of that policy so now once we click
apply and click OK you'll see that the
policy's been defined it's been set at
300 seconds and if we exit the group
policy editor and then click settings
for this group policy we'll see that the
interactive logon policy has been set to
300 seconds so now when a computer is
within the headquarters OU and a
user logs on to it once that computer
has been inactive for 300 seconds or
five minutes that computer will
automatically go to the screensaver and
then lock so when that user comes back
they'll need to sign back in in order to
unlock the computer now we need to make
sure that this policy is applying to the
particular users we don't want it to
apply to right now we've got this group
policy object
or GPO in the headquarters OU so we
know that it's only going to apply
to things that are in that headquarters
OU so we know that we've got the
location right but now we're going to go
to scope and we'll see that security
filtering is set to authenticated users
and what that means is users that have
been authenticated and logged on to the
computer in the domain network but we
don't want to just apply this to
authenticated users to all of them we
want to apply it to only the financial
folks so if we go back into Active
Directory and again we can go to server
manager tools Active Directory users and
computers and if we go to the
headquarters we'll see that we set up a
accounting group now when we're creating
this group policy when we're setting up
filtering we can apply it to groups
users and computers so perfect we have a
group that applies to this particular
GPO that we want to push this GPO out to
so we'll click remove on authenticated
users and we'll click Add and then we'll
type our accounting group we'll see it
underlined so it found it hit OK and so
now we've got that group set up this GPO
will apply to users that are in the
accounting group as long as those
members are in the headquarters OU
so we've successfully set up our GPO
it's going to apply to our users that we
want to apply it to so that's the basics
of setting up a group policy object and
again when we're setting up group policy
keep in mind that there are literally
thousands of policies that we could set
up for computers for users we can set up
scripts that run when the user starts
the computer or logs on or logs off
there are many many options in terms of
setting up the computers in your network
the way that you want through group
policy a really good resource to use is
TechNet's website and I've included a link
within the lecture resources that will
take you to basically a list of all of
the group policy
and what they do of course you can
always use that that tool within group
policy to get an explanation but TechNet
is a really good resource to look at
some of the more common group policy
objects and what's common practice in
terms of keeping your domains secure as
well as the workstations and user
accounts within your domain next we're
going to go over file sharing and
permissions and from there we'll move on
to print services next we're going to
quickly go over print services which
allows you to share Network printers
with users and deploy them in a way
where they don't need to add a printer
individually onto their computer the
basics of it is that you set up a
printer within your network and you set
up Windows server to be a print server
and that provides the drivers and the
print queue on the server to be
available for users to use so first we
need to install that role so we go back
to add roles and features and this is a
role installation so we'll go to server
roles and we'll select print and
document services we'll check that it
lets us know that it's also going to
install the administration tools for
that role so we'll click add features it
gives us a little overview of print and
document services and what that does and
there's also some other features that
come along with that we can do a
distributed scan we can do internet
printing LPD right now we're just going
to do a basic print server we'll go
ahead and click install and the
installation will start
once the installation is finished we can
click close and you'll see that the
print services role has been installed
so now to access the tool for print
management we can go up to tools and
scroll down to print management in print
management and the snap-in we'll see
that we have some filters available to
view what we have installed so under all
printers we'll see that we have the
built-in XPS document writer and under
drivers we'll see that we have some
drivers available to use so what we need
to do is we need to install a network
printer and then we're going to check to
make sure that that a printer is
available to use on the network for
users so what we'll do is we'll go to
print servers we only have the one so
we'll expand our server and then we'll
go down to printers now this is a
similar view to what we did above but
within this menu we can right click and
select add printer now if you've ever
installed a network printer on Windows
or Windows 7 8 10 it's fairly simple
what we can do is do it by IP address
since I have a static IP address set up
on my printer well you can also search
for the network printer use an existing
port if it's a attached printer directly
to the server or we could manually
create a new port we're gonna do that by
the IP address since I have a static IP
on my printer so we'll type in the IP
address of our printer it's going to
contact the printer and try to grab the
most relevant drivers for that printer
looks like it found the printer and
we're gonna make sure that we turn on
sharing now what that does is it makes
that printer available on the network
for other people to use we'll give it a
friendly name and we probably want to
fill in the location let's say that this
printer is at the headquarters and it's
at the front office we can also add a
comment the users will see if they open
up the properties tab of that printer so
we'll select next it'll give us a
summary of our settings
and it will begin to install the printer
once the printer installation is
succeeded we could actually go ahead and
try to print a test page just to make
sure that the server's connection to the
printer is working or we can add another
printer if we have multiples that we
need to add but we'll go ahead and click
finish and we'll see that in the queue
this printer is ready to print now there
are multiple options in deploying this
printer in a way that the users can
access it we could list it in the
directory in Active Directory so that
when a user goes to install a printer
they can look it up and install it
themselves
or we could deploy that printer with
group policy it's going to be different
in every case if you have a printer that
everybody in the company uses or
everybody in the building uses it might
be appropriate to use group policy so
that all the people in the business had
access to that printer already installed
ready for them
even new users that might not be
familiar with installing a printer if
your users are fairly familiar with
installing printers over the network or
you can teach them how to do that it's a
lot simpler to list it in the directory
so we're going to do both so that we get
a good handle on how to do each type of
deployment so listing in the directory
is quite simple all we do is right-click
the printer and select list in directory
now that printer is listed in the
directory and if a user wanted to
install it they would simply open up
Devices and Printers on their PC select
add a printer and that printer would be
listed if they can't find it or if it's
not showing up we can select find a
printer in the directory and we'll see
that our printer is listed along with
the location and the model now if we
want to deploy a printer over group
policy it's a little more complicated
we'll right-click our printer and select
deploy with group policy now in order
for us to be able to deploy a printer
over group policy we need to have a
group policy object in place for that
policy to reside now I could go ahead
and manually
configure that I could go into Group
Policy and set up the policy and deploy
the printer by manually selecting all of
those things but this wizard within
print management allows me to create a
group policy automatically without
having to do it all manually so what
we'll do is we'll click browse and if I
already had a policy that I wanted to
add this printer to I could just go
ahead and select it and the wizard would
it would take care of adding those
settings but I don't have a policy for
printing yet so I'm going to create one
I'm going to create one within the
headquarters OU and it might be
practical to do it for each OU
because there might be different
printers at each location so I'll double
click the headquarters OU and now
within that I'm going to create a new
group policy object and I'm simply going
to name that printers so with the
printers policy that we just created
we'll click OK and we'll deploy this
printer connection to the following
either per user or per machine do we
want this printer to be available for
all of the users within the headquarters
or do we want it to be available for all
of the computers well it really doesn't
matter because more than likely all of
the computers that are in the
headquarters OU are going to
be used by users within that OU you
can customize that if you have a user
coming from a different OU using a
computer at a different location you
might want to make it permanent
they automatically have the printer in
that OU based on this group policy
so we can configure that independently
if we want to I'm gonna do it per user
because I want the this printer to be
available only to the people who
normally work within headquarters but I
could also do per machine if I wanted so
once I have that selected I'll click Add
and now I have the printer name the GPO
that it's going to apply to and it's
going to go per user I'll go ahead and
click OK printer deployment or removal
operations succeeded and I can see the
details on that if I need to and just to
make sure that I've deployed it ok I can
go back into server manager and open up
group policy management under tools
and I can go into the headquarters and
select printers and if I go under
settings I can see my printer connection
there so when that user logs in if they
belong to the HQ OU they're going to
automatically get that printer
connection one thing to consider when
you're setting up a print server is that
when users go to install a printer that
they don't have drivers for the server
will try to advertise drivers to that
computer then the user will have the
choice to accept the drivers that the
server is presenting to their computer
the one thing that we have to keep in
mind is in order to install drivers that
user must be an administrator so there
are two options of dealing with that
issue
you can either simply have the user get
in touch with us with a network
administrator and have them enter their
credentials to install the drivers and
there's also a policy in group policy
that allows users to install printers on
their own without administrative
credentials that's a little advanced in
terms of setting that up but you want to
keep in mind that the user will need to
have the rights to install drivers on
their machine in order to start printing
that's it for print management next
we're going to go over file sharing over
a Windows domain network this last
lecture will be on file and storage
services this allows you to share files
on the network so that users can access
them modify them and share them amongst
each other we need to make sure that the
file and services role is installed and
you can see that it's installed and if
we didn't have it installed we could go
to add roles and features and then go to
server roles we would check the box for
file and storage services and then
install it in order to give access to
files on the server to users in our
domain we need to create a share to do
that we won't go through tools because
there is no snap-in directly related to
file and storage services instead we can
directly click on the role
and on the left side we'll see some
options that we can use to create file
and storage services for our users on
the left hand side you'll see that we
have disks as well as volumes and these
are places in which we can create files
to share with users we'll also see shares
on the left hand side and this is where
we will create shares of files and
folders for our users you'll see three
built in shares and these shares are
built-in into Windows domain and they
shouldn't be modified instead we can
right-click and select new share to open
the new share wizard there are several
profiles available to create shares on
the Windows Server and you'll see that
there's basically two types there's NFS
shares and SMB shares SMB shares or
server message block shares are standard
Windows shares NFS is meant for linux
unix or mac OS operating systems since
we have Windows users in our domain
we're gonna do an SMB share and we're
going to use the quick profile we'll
select the server where we want to
create the share as well as select the
volume where we want the share to be
created if we had more than one hard
drive or more than one volume on a hard
drive we would be able to select that
and change the location where the share
is located we'll be prompted to give the
share a name and in this case I'm going
to create a public share that all the
users will have the ability to access we
can enter a share description that users
will see if they hover over that share
or access the properties page and then
we can select the local path this is
where the actual files will be stored on
the server we can change this path if we
want but we'll leave it as default for
now the remote path to share is the path
that the users will enter in order to
access this share the default will work
fine in other settings we have some more
advanced settings we can configure
access based enumeration is probably the
most important access based enumeration
this allows a user from seeing files or
folders that they do not have access to
most administrators typically leave this
setting turned off and the reason for
that is because if a user can't see a
file or folder they may think that it
doesn't exist in most cases it's better
to let users see a file and be prompted
that they don't have access to it so
that they can contact an administrator
have that resolved so we'll leave that
setting turned off for now and the other
two settings here we can cover in more
advanced courses next we'll specify the
permissions to control access and we'll
see that we have some built-in
permissions already configured the
creator and owner of the file has full
control and that's me the users have
special and read and execute privileges
the administrators have full control and
the built in system account also has
full control we're setting up a share
that everyone will have full control on
the share by default this is already set
up so we'll leave this as default we'll
then get a page that shows our
selections so that we can confirm our
settings and then we'll click create
we'll see that the share was
successfully created and in the server
manager we'll see that our share is
listed to test this we can open up a
file browser navigate using double
backslash our server name and then the
share name we have access to the public
share and in here since I have
permissions as an administrator I can
add files delete them read them and
change permissions on those folders
since I have permissions to do so we're
going to create one more share and this
one will be restricted to certain users
so we'll right-click and select new
share once again we'll use the quick
profile we'll use our standard server
and volume and we're going to create a
share for the accounting users the
default local path and remote path
are fine we'll leave the other settings
as default now we need to make it so
that only the accounting users can have
access to this particular share in order
to do that we have to take several steps
to change the default share permissions
in the new share wizard so we'll go to
customize permissions and in here we'll
notice that we have an option to disable
inheritance basically what this means is
that these permissions are being
inherited from their parent folder in
order to set explicit permissions and
give only particular groups access we
need to turn off this inheritance and
create explicit permissions so we'll
click disable inheritance and we'll
convert the inherited permissions into
explicit permissions we're going to
remove our users permissions and we're
going to add permissions for the
accounting group we'll select a
principal of accounting the type is
allow and we'll apply it to this folder
and all of the subfolders and files in
the share we're going to give our
accounting group full control and select
ok now we can see that our permissions
have been changed so that only
accounting and administrators have
access to the share we'll click OK click
Next and then click create we'll see
that our share has been successfully
created and it's now in the share list
to test it we can open up our server
name again with a double backslash and
open the accounting share now if we go
back to our server right-click the
accounting share and click properties in
the security tab we'll see that the
accounting group has access
as well as administrators and no other
user groups are listed so that's the
basics of setting up a share on Windows
server and configuring permissions so
that users can access them so we've
reached the end of the course on Windows
Server 2012 administration for beginners
I'd like to thank you for participating
and I would love to hear your feedback
on the course if you look in the top
left-hand corner of your screen you'll
see some resources that are going to be
really beneficial to you as you're
getting familiar with some of the things
we went over and just to recap we've set
up a Windows server from scratch we've
created a domain and set up some of the
basic domain services and in the future
courses that I'll be putting out we'll
be getting into some of the more
intermediate and advanced setups that
you can do within a Windows domain and
so I look forward to seeing you there
once again please leave me feedback I'd
love to hear back from you whether
positive or negative and take care and
have a great day