
Chapter 01: Group Policy - The Basics

[Screenshot: Local Computer Policy editor, with Computer Configuration and User Configuration, each containing Software Settings, Windows Settings and Administrative Templates]
[Screenshot: Group Policy Management, forest mydomain.local, Default Domain Policy, Scope tab showing Links, Security Filtering and WMI Filtering]
[Screenshot: Active Directory Sites and Services, Sites container with the GrandRapids site]
[Screenshot: Group Policy Management tree: Domains, mydomain.local, Default Domain Policy, Domain Controllers, Group Policy Objects, WMI Filters, Starter GPOs, Group Policy Modeling, Group Policy Results]
[Screenshot: Group Policy Management, Firewall Settings GPO, with Accounting, Win Desktops and Win Laptops in the tree]
[Screenshot: Windows Setup, "Select the operating system you want to install", Windows Server 2016 Standard, x64]
[Screenshot: Internet Protocol Version 4 (TCP/IPv4) Properties: IP address 192.168.1.10, subnet mask 255.255.255.0, default gateway 192.168.1.1, preferred DNS server 192.168.1.10]
[Screenshot: System Properties, Computer Name tab: full computer name DC1.mydomain.local, domain mydomain.local]
[Screenshot: Computer Name/Domain Changes, member of workgroup WORKGROUP]
[Screenshot: Add Roles and Features Wizard, Select server roles: Active Directory Domain Services, with the prompt to add the features it requires]
[Screenshot: Features list. Description shown: "Group Policy Management is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. Group Policy Management is the standard tool for managing Group Policy."]
[Screenshot: View installation progress, feature installation started on DC1]
[Screenshot: Active Directory Domain Services Configuration Wizard, Deployment Configuration: Add a new forest, root domain name mydomain.local]
[Screenshot: Active Directory Domain Services Configuration Wizard, Domain Controller Options: forest and domain functional level Windows Server 2016, Directory Services Restore Mode (DSRM) password]
[Screenshot: Internet Protocol Version 4 (TCP/IPv4) Properties on the client, preferred DNS server 192.168.1.10]
[Screenshot: Windows 10 About page: edition Windows 10 Enterprise, workgroup WORKGROUP]
[Screenshot: Computer Name/Domain Changes, member of domain mydomain.local, followed by the prompt "Enter the name and password of an account with permission to join the domain."]

Chapter 02: Group Policy Management Console (GPMC)

[Screenshot: Administrative Tools list, including Group Policy Management]
[Screenshot: MMC Console1 - Console Root and the Add or Remove Snap-ins dialog with Group Policy Management selected]
[Screenshot: Console1 with the Group Policy Management snap-in: Group Policy Objects in mydomain.local]
[Screenshot: Console with Group Policy Management, Active Directory Sites and Services, Active Directory Users and Computers, and DNS snap-ins]
[Screenshot: Add Roles and Features Wizard, Select features: Group Policy Management]
[Screenshot: Group Policy Management, context menu on the domain: Create a GPO in this domain, and Link it here; Link an Existing GPO; Block Inheritance; Group Policy Modeling Wizard; New Organizational Unit; Search; Change Domain Controller; Remove; Active Directory Users and Computers; New Window from Here; Refresh; Properties]
[Screenshot: Change Domain Controller dialog, current domain controller DC1.mydomain.local]
[Screenshot: Remote Server Administration Tools download page on microsoft.com, WindowsTH-RSAT_WS_1803-x64.msu selected, total size 95.1 MB]
[Screenshot: Server Manager, Tools menu]
[Screenshot: Default Domain Policy, Scope tab]
[Screenshot: Default Domain Policy, Details tab: domain mydomain.local, owner Domain Admins (MYDOMAIN\Domain Admins), GPO Status Enabled]
[Screenshot: Default Domain Policy, Settings tab: Account Policies/Password Policy and Account Policies/Account Lockout Policy]
[Screenshot: Default Domain Policy, Delegation tab: Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM]
[Screenshot: mydomain.local, Linked Group Policy Objects tab: Default Domain Policy, Enforced No, Link Enabled Yes]

Chapter 03: Daily Tasks in Group Policy

[Screenshot: Default Domain Policy settings report. Password Policy: Enforce password history 24 passwords remembered; Minimum password length 7 characters; Password must meet complexity requirements Enabled; Store passwords using reversible encryption Disabled. Kerberos Policy: Enforce user logon restrictions Enabled; Maximum lifetime for service ticket 600 minutes]
[Screenshot: Default Domain Policy, Scope tab: linked to mydomain.local, Enforced No, Link Enabled Yes]
[Screenshot: Group Policy Management Editor, Default Domain Policy [DC1.MYDOMAIN.LOCAL]: Computer Configuration and User Configuration, each with Policies and Preferences]
[Screenshot: Internet Explorer Enhanced Security Configuration dialog blocking about:security_mmc.exe, and the Trusted sites dialog]
[Screenshot: Minimum password length Properties, and the error "Password does not meet the length, complexity, or history requirements"]
[Screenshot: Administrative Templates, Network, TCPIP Settings, IPv6 Transition Technologies: Set Teredo State]
[Screenshot: Set Teredo State dialog, Enabled. Supported on: At least Windows Server 2008 R2 or Windows 7. States: Default State, Disabled State, Client, Enterprise Client. Help text: "Default: The default state is Client. Disabled: No Teredo interfaces are present on the host. Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller."]
[Screenshot: Group Policy Objects context menu: Back Up All, Manage Backups, Open Migration Table Editor]
[Screenshot: Desktop Wallpaper policy setting, Enabled, Wallpaper Style Fill. Supported on: At least Windows 2000]
[Screenshot: Group Policy Management Console warning: "You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked."]
[Screenshot: Options dialog: Enable trust detection; Show domain controllers after domain names; Show confirmation dialog to distinguish between GPOs and GPO links]
[Screenshot: Accounting OU context menu and the Select GPO dialog listing Default Domain Controllers Policy and Default Domain Policy]
[Screenshot: Set Desktop Wallpaper to Blue 1, Scope tab: linked to Accounting, Enforced No, Link Enabled No]
[Screenshot: Command prompt: "Computer Policy update has completed successfully. User Policy update has completed successfully.", followed by Group Policy Result tool output]
[Screenshot: File Explorer, Local Disk (C:) > Temp, file JordanLaptop1]
[Screenshot: JordanLaptop1 in Notepad. USER SETTINGS for CN=Jordan,OU=Accounting Users,OU=Accounting,DC=mydomain,DC=local; last time Group Policy was applied: 8/30/2018 at 1:24:40 PM; Group Policy was applied from DC1.mydomain.local; security groups: Domain Users, Everyone, BUILTIN\Users, NT AUTHORITY\INTERACTIVE]
[Screenshot: Resultant Set of Policy, Jordan on LAPTOP1 - RSoP: User Configuration, Administrative Templates, Desktop, Desktop Wallpaper]

Chapter 04: Advanced Filtering of Group Policy Objects

[Screenshot: Group Policy Management tree with the Accounting OU (Accounting Computers, Accounting Users) and IT Department; Set Desktop Wallpaper to Blue 1, Scope tab, Security Filtering: Authenticated Users]
[Screenshot: Set Desktop Wallpaper to Orange 2, Scope tab: linked to Accounting, Enforced No, Link Enabled Yes]
[Screenshot: Accounting, Linked Group Policy Objects tab: link order 1 Set Desktop Wallpaper to Orange 2, link order 2 Set Desktop Wallpaper to Blue 1]
[Screenshot: Accounting, Linked Group Policy Objects tab: link order 1 Set Desktop Wallpaper to Blue 1, link order 2 Set Desktop Wallpaper to Orange 2]
[Screenshot: Command Prompt]
[Screenshot: Accounting, Group Policy Inheritance tab listing Set Desktop Wallpaper to Blue 1, Set Desktop Wallpaper to Orange 2 and Default Domain Policy by precedence]
[Screenshot: IT Department context menu: Block Inheritance]
[Screenshot: Set Desktop Wallpaper to Blue 1 link context menu: Edit, Enforced, Link Enabled, Save Report, Delete; status bar "Toggle the Enforced attribute for this link"]
[Screenshot: Group Policy Management Editor, Set Desktop Wallpaper to Blue 1]
[Screenshot: Set Desktop Wallpaper to Blue 1, Details tab: domain mydomain.local, GPO Status drop-down with "All settings disabled"]
[Screenshot: Active Directory Users and Computers, Accounting OU containing the computer LAPTOP1]
[Screenshot: Active Directory Users and Computers, New menu on an OU]
[Screenshot: Group Policy Management, Accounting Computers context menu: New Organizational Unit]
[Screenshot: Active Directory Users and Computers, computer objects including DESKTOP1 and DESKTOP2]
[Screenshot: Active Directory Users and Computers, Move dialog with IT Department expanded]
[Screenshot: Accounting Computers, Linked Group Policy Objects tab: Set Desktop Wallpaper to Blue 1, Enforced No]
[Screenshot: New Object - Organizational Unit: create in mydomain.local/, name HR, Protect container from accidental deletion]
[Screenshot: Active Directory Domain Services error: "You do not have sufficient privileges to delete HR, or this object is protected from accidental deletion."]
[64] HR Properties 7 xX General Managed By Object Security COM+ Attibute Edtor Group or user names: BR Everyone a S&CREATOR OWNER SQ SELF 82 Authenticated Users SR SYSTEM ‘8% Domain Admins (MYDOMAIN\Domain Admins) a ar emissions for Everyone Greate all child objects Delete all child objects Generate resultant set of policy fogging) Deny o o o o oo0o00 Generate resultant set of policy (planning) ‘Special permissions a click == OK Cancel Aoply Help [65] || Advanced Security Settings for HR oa Owner: Domain Admins (MYDOMAIN\Domain Admins) Change Permissions Auditing Effective Access For additonal information, double-click a permission entry. Te modify a permission entry, select the entry and click Edt (f avaiable} Permission entries: “ype Principal ‘Access Inherited from ‘Applies to a ‘Account Operators (MYDOM... Creste/delete InetOrg... None This object only ‘Account Operators (MYDOM... Create/delete Comput... None ‘This object only ‘Account Operators (MYDOM... Create/delete Group 0... None ‘This object only Print Operators (MYDOMAIN... Create/delete Printer... None ‘This object only ‘Account Operators (MYDOM... Create/delete User obj... None This object only Domain Admins (MYDOMAL... Full control None ‘This object only [ENTERPRISE DOMAIN CONT. ‘None ‘This object only Authenticated Users None This object only SYSTEM None ‘This object only y ‘Add Remove edie Restore defaults Disable iertance Bo ed [66] iE Group Policy Management =o |ik Fle Action View Window Help - 8) je >| aa @| Bo [ak Group Policy Management ‘Set Desktop Wallpaper to Blue 1 ~ Ree mpern — IB mydomsinocal a J) Default Domain Policy Gauttrntahete imydoman local Bl Accounting ‘The following stes, domains, and OUs are inked to ths GPO- 2] Set Desitop Wallpaper to Blue 1 > a Set Desktop Wallpaperto Orange? || | Leeation Exforced Link Enabled @ Accounting Computers Accounting No. 
Yes Accounting Users [3] Domain Controls < > i Department Sucnaen ‘Security Fitering ines “The stings nbs PO can typ thefooning ups isan and conte > OG) Starter GPOs ‘Name ~ ih Stes I Ashercatd User 489 Group Policy Modeling 2B, Group Policy Resutts « > cr enove Popetes WM Fite ‘This GPO rked to the folowina Wl ter: ‘Security Filtering ‘The settings in this GPO can only apply to the following groups, users, and computers: [67] MYDOMAIN\Users needing Blue Desktop Wallpaper Properties X General Members MemberOF Managed By Members Name Active Directory Domain Services Folder & Jordon mmydomainocal/Accounting/Accounting Users & Laure ‘mydomain local/Accounting/Accounting Users = OK Cancel Aoply [68] “Group Policy Management |b File Action View Window Help © >| aim @|/ a 2h a5 Group Policy Management © AA Forest mydomsin local iB Domaine BE mydomaintocs! Cerificate Autoerrliment Defeuk Domain Pocy Accounting [Certificate Autoenroliment Sowpe DatlsSetings Osegtion Dania inka te locaton aes g Thefcowng sts, mara, andOUs are irkedto the GPO 1) Set Det Walpaperto Orange? 1 Accounting Compuses Accounting Urs > [i Domain Controllers > MT Oeparment 1G Group Pty Obes 5 aan state cP0s ister i Grup Poe Modeing S rup ote Kes Domsin Controls Leeson Ectoced Une Erted Path BM Depanment Bimonan ca aL conan Group Pty Objes > Wan Fite 7 7 1 stacer 0: ‘i Sites: ‘Scouity Fitlering ae The stings nthe GPO can oy apo the folowing ou, ue, and conte: Name z 1 Oreeicne Corot (MYDOMAN Orechccee Cont) 5 Oreticne Serer (YODA rections Serves) a8 enore Fontes ‘Wt Fitesno| Tha GPO rato te flown WM Rr cone | [ik Goup Pokey Management ‘Set Desktop Wallpaper to Orange 2 ~ fot moma ‘Scope Dale Seung Deepen © i mydomsiniocal Links if Centcate toenrlimet Droleyinkanthalocaion —_mdonanioa ¥ if Default Domain Policy ‘Thefoloning tes, dans. 
and OUs ae inked othe GPO: eee) Lecation Enforced Link Enabled = Path Gi Setestop Watpaperto ue Accounting No Yes smydoman | File Action View Window Help le >| 2 o| a Group Policy Management * |[Lock down Contro! Panel Forest mydomsin.ocal Seopa] Osis [Setroe] Onegin YG Domain y MR mds tocal Theee groupe and uershavethe sctied pemiesen forth GPO A Cerificate Autoenreliment |] Supe and users a Oefauit Domain Policy ane owed Femssons byte deen Coal Pin Sa Athertested Uses Read from Secrty Fite) ¥ Bl Accounting §2,Donan Adrmra (YOON... Et stings, delete, macy ocuty Set Desttop Wallpaperto || | St eter Admin HYD... Eat stings, delete, modtysecurty Set Desttop Wallpaper to NIN... Read 12) Accounting Computers b SYSTEM Eat segs, delete, modtysecurty i Accounting Users {Domain Controle: 1 IT Department Group Policy Objects WOM Filters oun or er names BR CREATOR OWN Sa svsTeM 5 Doman Admin (MYDOMAIN\Doman Aine) [8 Erteroe Arne (MYDOMAIN Erte Admins) Lock down Control Panel Security Settings Securty a Pemisonsfor Asherticted see Create al cid cbt Delete al child tects Fey go pokey Fer spec pemseoons or advanced stings dk Advanced [70] Lock down Control Panel Security Settings ‘Security. Group or user names: 82 Domain Admins (MYDOMAIN\Domain Admins) a ‘58, Enterprise Admins (MYDOMAIN\Enterprise Admins) $8 ENTERPRISE DOMAIN CONTROLLERS 58, (T Gurus (MYDOMAIN\IT Gurus) Remove Permissions for IT Gurus Read Write Create all child objects Delete all child objects Apply group policy For special permissions or advanced settings. [Advanced | click Advanced Advanced conn jf Deny oO o o Oo yi v [71] a [ix File Action View Window Help le >| ail | Boe | MF x IK Group Policy Management Name: © A Forest: mydomain loca [Conten wah posnanes nckidng LAPTOP” [i Domains ¥ q mydomainJocal pesca a} Cerificate Autoenraiment| [Ts WMI Fer ppies GPO on to computers whese hostnames nce the wor! 
LAPTOF | iJ Default Domsin Policy | uses si) Lockdown Control Panel | iamesrace | Gveny ad Bl Accounting rootCini2 Select“ From Win82OperatngSysiem Where | Domain Controliers (Csiiame ke LAPTOP") \ El HR Department Disable Windows Fre Aa) Set Firewall Rules for La] 1% IT Department G} Group Policy Objects WM Filters 1 Starter GPOs See Caneel (i Sites Remove 1 T Department Group Policy Objects Gp WM Fiters & Computers with hostnames including "LAPTOP™ Computers with hostnames NOT including "LAPTOP" (Starter POs > OB Sites HY Group Policy Modeling [72] [ak Gop Pay anagem Feast mydomainics © i Domaine YB mdominices! {BOs Domain Poicy Leck own Conte! Pane 15 Accounting {EL Domain Controls © EL MR Department Hl Daable Windows Feat 1 St Freval Rule for apt BF o PokeyDefntions I Quickaceess ens Mee tO mtn FP downleads #1 paaemoveregrameadms [Documents AowduldPeviewadr Picwes —#—( AppCompetadme Dt Apps: ppd wimec ‘ppiackageManageradms 1 Networe AppsRurtimeadme ‘tachmentdanager adic Avatsetingsadme ‘AutePay ado 196iteme [74] Setting £ Set Group Policy refresh interval for computers Set Group Policy refresh interval for domain controllers Set how links are opened in Internet Explorer [E| Set indexed database storage limits for individual domains [Set IP Stateless Autoconfiguration Limits State Set IP-HTTPS State Set ISATAP Router Name Set ISATAP State Set large or small icon view in desktop search results ‘Set maximum application cache individual resource size Set maximum application cache resource list size ‘Set maximum application caches storage limit forall domains Set maximum indexed database storage limit forall domains [za)Set maximum Kerberos SSPI contest token buffer size forthe network if @ user has 2 roar ‘Set Minimum Idle Connection Timeout for RPC/HTTP conn. 
‘Set Netlogon share compatibility Set path for Remote Desktop Services Roaming User Profile [75] ah Group Petey Management |i Fle Action View Window Help je>| alm So|xXe {ik Group Policy Management © A Forest mydomainlocal Ii Domains Yi mydomaintocal, J Cerificate Autoenrllment i Detslt Domain Policy 1 Lock down Contra Panel ‘Accounting 15] Oomsin Controls |Bl HR Department 1G Deparment 15 Testing GPOr © Group Poicy Objects I CeniiateAitoenoient 13] Deft Domain Controle Policy [3] Deaut Domain Plcy {3 Diese Windows Fevall, Siete lockout pokey tock down Contr! Pane 13} Set Desktop Wallpaper to Blue [a] Sa Dektop Welpper to Orange 2 13) Set Frewal Rules for Laptops 1 Wanner [ip state GPO: id Stee ‘Secunty Fitenna “The seanga nha GPO can ely apy the olowng ups uses and compton S ptertcaed son ma Fenore Procter Wi Fitesing Ts GPO edo thaflowrs Wier cone? | [76] Group Pocy Management Editor a ™ File Action View Hep je >| al XE |B (BE Computer Configuration Policy a PobcySelting El a | Interactive logon: Display user information when the ses... Not Defined 2 See setae See eae ee — {El nteractive logon: Do not require CTRL+ALT+DEL Not Defined aan Interactive logon: Machine account lockout threshold Not Defined > tg Deployed Printers © Bh Sccuty Setings (Bh Account Plces Loca Policies > Gj Audi Poicy > User Right Assignment _F Securty Options > i Brent Log Restricted Groupe 1 Sytem Services > Gi Regity FieSytem “Interactive logon: lnteractve logon: Message title for users attempting t {El Interactve logon: Number of previous lagons to cache (i. sword belo. Interactive logon: Require Domain Controller authentic. {Interactive logon: Prompt userto change interactive logon: Require smart card Ei Intersctive logon: Smart card removal behavior E) Microsoft network client: Digitally sign communications 5 Microsoft network client: Digitally sign communications E. Microsoft network client: Send unencrypted password tou. Ci Microsoft network server Amount of idle ime requite . 
Not Defined Not Defined Not vetines Not Defined Not Defined Not Defined Not Defined Not Defined Not Defined Not Defined v [77] Interactive logon: Machine inactivity imit Properties ‘Securty Poly Setting | Explain i” Interactive logon: Machine inactivty lt Define this policy setting Machine willbe locked after (eo 3] seconds ‘OK Cancel [78] Interactive logon: Machine inactivity limit Properties ? Securty Policy Setting Explain Interactive logon: Machine inactivity im Windows notices inactivty ofa logon session, andif the amount of nactve ume exceeds the mactivty lm, then the screen saver wil rn, locking the session. Defauit: not enforced. For more infomation about securty policy and related Windows features. bee the Nicrosof websia (oT) eres [79] Select GPO x Look in this domain mydomain local v Group Policy objects: eee befatuman cotter Pokey rs eeoenicewa ree setbestnWabeoe foe Set edo Wabepe to Orage 2 aerate ‘Administrator. Command Prompt [80] Tete cout pay TDCI TBO © Compute Configuration ( Poties 15 Pretec BB UserConfguaton YE Pater Sofware eninge 5 Windows Settings © (5 Adminsraive Template: Pt © 19 Conta Pore Add orRemave Progam 5 bspay © Peralztion 1 Printes 5 Progam: [Regen onan 1 eseop Newore 7 Shorea Foire (5 Stat Mang and Tstbar 5 Sistem Ii Wretows Components alin 2 Preferences Pesonsizton| Password protect thescreensver Ft poke Reauienets Atlee Windows 2100 Sei Pack Deception Determine: whether screen savers teed onthe computer ae wd pleted Fyouenable thi sating 3 crea saves ate passuord protected. 
you czble th Feng pacciord protection {Srnot be st on ay seen ever “This seing ao cistbles the Posner protested ‘heceber onthe Seren Sauer fdoing nthe Personae oF Dey Control ne, pres teers femehangng the pes9ord Protection e209, sting Pret chiding Coie Prevent changing visual styler windows 2 [E Enable eran saver [E Poti selection cf veal sve fort size Prevent changing color and appearance [E]Prevent changing desitop background Prevent chenging deste icone Prevent chenging mous pointes seaieeaig tevin {Prevent changing suede [)Sceen saver timeout Load a spectic theme siete Not conigured Not configured abe Noteonfiguied Noteanfgued Not eonfgured ot eonigured Nt configured ened nab Noteonfiguied Neteanfgued [81] Bane page [Bj Bante programe st orion ONerconigues Comment: @ avis O disbes Suppor on: Options emstorunslogon [Shon Previous Seting | Newt Setting Show Contents a x eotrdiees [eae = eave open oad weds anton OK Comsat | {aly quelied patho thee you dsb or dnt configure this poi sting, the user [82] Standard [83] Certificate Services Client - Auto-Enrallment Properties 2X Enrollment Policy Configuration Enroll user and comouter certficates automaticaly Configuration Model: Enabled v Renew expired certificates, update pending certificates, and remove reveled certBestes Update certificates that use certificate templates Log expiry events and show expiry notifications when the percentage of Temainng cerbficate Wetme is wp] % Additional stores. Use *,"to separate multiple stores. 
For example: “stores, Store2, Stores+ TO Blane € 9-4 tem were > Network [84] File Action View Help + %/ am GSlen J Running Scripts [DC1.MYDOMAIN.LOCAL| Pot |" a aD © #8 comput Coniguatn ra Bh Sofware Settings © Windows Settings [Bl Name Resolution Policy Saige TE Startup Proper Deployed Printers Ba Security Settings 1 Policy-based Qos (2) Administrative Templates: Policy def © Preferences Y User Configuration Policies i Preternces Display Propestis Sets PowrShel Scie ‘Satu Sent for Parcng Sete To vw the sep es dared inthe Geu Pokey Obes. prose thebatonbaow Show Fes [85] & Tum off Local Group Policy Objects processing o xX EE] Tum off Local Group Policy Objects processing Reece] (vere ONetConfgured Comment @ Enabled O Disabled Supported on: [at least Windows Vista lOptions: Help: This policy setting prevents Local Group Policy Objects (Local .GPOs) from being applied, By default, the policy settings in Local GPOs are applied before ‘any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the ‘processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. If you enable this policy setting, the system does not process and apply any Local GPOs. Ifyou disable or do not configure this policy setting, Local GPO continue to be applied. Note: For computers joined to @ domain, itis strongly recommended that you only configure this policy setting in domain-based GPOs. 
This policy setting will e ignored on ‘computers that are joined to a workgroup, Hea ues 2 Type here to search, o [86] Senge @ Home Find a setting Personalization Background ® colors TB Lock screen Themes '% Fonts sat taskbar Background *Some settings are hidden or managed by your organization, Picture [87] 9 Sound x Playback Recording Communications Select a playback device below to modify its settings: No audio devices are installed Prop OK Cancel Appl @ Restictions x 2 This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator. ms settingzperzonalization background ‘This file does not have an app associated with it for performing this action. Please install an app ot. if one is already installed, create an association in the Default Apps Settings page. [88] Net Configured Comment: @ Enabled O Disabled Ey Configure user Group Policy loopback processing mode % Configure user Group Policy loopback processing mode epee Previous Setting |Next Setting ‘Supported on: {at least Windows 2000 Help: “This policy setting directs the system to epply the set of Group | Policy objects for the computer to any user who logs onto a computer affected by this setting, It is intended for special-use computers, such as these in public places, laboratories, and classrooms, where you must modify the user setting based on ‘the computer that is being used. By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs conto this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. Ifyou enable thie setting, you can select one ofthe following ‘modes from the Mode box "Replace indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. 
"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally [a] ces to [89] Chapter 06: Group Policy Preferences 7) Group Policy Management Editor o x File Action View Help @ > || 2 | Bo [57 Lock down Control Panel [0C1.MYDOMAIN] BE Computer Configuration Eh Poficies ‘Select an item to view ts description, Name i Preferences Computer Configuration iB User Configuration User Configuration Bi Policies Dl Preferences < >| \ txtended (Standard, [90] Fle Acton View Help fe | 2 SO | wewkagy Popes [7 PoverOpons [OC MYDOMAL ¥ (BE Computer Configuration | ~~ wane : } Bremen a a = ive [Delete ~ i nd sigs || rats area . oman) Qrericens | roe Biniowmen | Cowen [meteamneing ————] Files S a Ga vason Shay | nae a > Contel Pane! Sting eect (91] File Action View Help [4 => | 25 | 5 EF | eG] New Folder Options (At least Windows Vista) Properties x Power Options [DCLMYDOMAI YR Computer Configuration ‘Advanced Common (Gl Policies ‘Advanced settings: > Oy Preferences (GB fies end rolders Yi User Configuration [Ly Aivays stow iors, never thumbnails © Policies D1 Ainays stow menus Preferences Display fle ican on thumbs TB Windows Settings Display fle sze informaton in fer ts la Catia Pais Disolay simp ‘oder vew in Navigation ane [Display the fll pothin the sie bar (Claecc theme only) (Grade ties and folders ‘© Donot show hidden files and folders BI Dats Sources B devices i Folder Options © ‘Showin fies and fléers (Gj intr Settings tak tere a een fps 8G Local Users and Hide protected operating system fies (Recommerded) @) Network Options Ci Launch folder windows in a seperate orocess pany Sherer cere @ Regional Options Scheduled Tasks BU sian menu Show encrypted or compressed NTFS fils cor Restore Defauts X Cancel only Help [92] ‘New Folder Options (At least Windows Vista) Properties, x ‘Advanced Common [93] ‘New Internet Explorer 10 Properties General Secsty Prey Content Connection Programs Advanced common settogs Ti sccerated 
phir x OB Use sof rendering netead of CPU rendering B Accessbilty OL Aways expand AT text for mages LT Enable caret eromsing for new windows and tbs ODD Move system caret with focus/selection changes. OL Reset text sae to medium for new windows and tabs OL Reset zoom evel fr new windows and tabs tronsing QD Automaticaly recover from page layout errors with Cor (OD Close unused folders in History and Favorites* (OL Disable script debugging (Internet Explorer) OF Disable scrint debuoaina (Other) «< “Takes effect after you restart intemet Explorer Restore advanced settings Reset Internet Explorer settings Resets Internet Explore's settings to their default (SUEEUIY condition. You shouid only use thisif your browser isin an unusable state, [oe] cree _| tony __ten [94] New Power Plan (At least Windows 7) Properties ‘Advanced settings Common Options common to al items stop processing items in this extension if an error occurs. Cun in logged-on user's security context (user policy option). [Remove this item when itis no longer applied. DAapiy once and do not reapply. Cittemevel targeting, Description [95] ‘Y Targeting Editor NeWREAS|| Ada Cotedtion | tem Option =X delete | @ Help u Battery Present Computer Name PUSpeed Date Match Disk Space Domain Environment Variable File Maich IP Address Range OPRGBS>*4# eS POR EDSCBORBIEAE Language LDAP Quey MAC Addiess Renge MSI Query Operating System Crgenizationel Unit PCMCIA Present Portable Computer Processing Made RAM Registry Match Security Group Ste Terminal Session Time Range WMI Query New Item" burton to create 8 new targeting tem OK Cancel poly Hep [96] ‘Y Targeting Editor a x Gl OR the P address range is ~ Bl AND the IP address range i not 172.161.20 - 254 [Use tre between and 12. [An IP Address Range targeting item allows a preference item to be applied to computers or users only if the processing computer's IP address is within the range specified in the targeting item. 
Additional information, Foner Pan OC MNDOMEINT > Computer Contiguraon > (Bl Pots © Preferences > Wind Seton Conta Panel ene I oma souree BR Dnscee GF Folder Options 1 Local Users and ¢ Newt Options Pons Optone Boies Ne) Power Opton Windows 35) Gh scheced 1s at Tate over Scheme Window 30) 4 Senice Jv sb Use Contguaton Niew > (5 Pos i > Bl Preterences ane Parte Onder Action “Thete arene temeto showin the view. [97] Power Plan (At least Windows 7) Properties Advanced settings Common 4 Select the power plan that you want to custanze, and then choose setings that reiect how you want your computer to manage power. Acton: [Update z Balonced =] Liset as the active poner plan @ PCLExpress [98] File Action View Help © (El Computer Configuration 1 Policies wv Ol Preferences © [5] Windows Settings iaeeeeene 3 Files Gi Folders @) iniFiles Wf Registry 6B Network Shares 2 Shortcuts Control Pane! Settings © § User Configuration © Poticies Preferences 4= © | 2 [ES] By El | we Bl NewErvironment Propeties Power Plan [DCI.MYDOMAIN.LOG Gereral_Cemmon [9%] Action: Update Olser Variable @ system Variable Name: Value: [¢:\Windows\System32,C: Windows;C:\CustonFoder Details ‘The PATH variable contains a Ist of senicolan delimited fader paths that Vindows uses hen locating files. Update wil eplece the specified part ofthe path varieble, This willaveno ret effect onthe path wih the possible exception of chanaina the text case ofthe specfied segment. Multiple segments are not supported by this opton, OK ance Apply Hep [99] New Registry Properties General Common 20 ‘Action: [Update uz Hive: HKEY_LOCAL MACHINE v Key Path: 'SYSTEM\CurrentControlSet\Services\Tepip6 Fi |... Value name Didefeuit DisabledComponents: Value type: REG WORD v Value data: 00000010 Base @texadecimal Odecmal [100] BB Registry Editor File Edit View Favorites Help | Computer\HKEV_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\ Tcpip6\Parameters Name Type 2) (Default) REG_SZ DhepvéDUID REG BINARY SUR! 
REG_OwoRD Data (value not set) 0001 00 01 22 9 86 51 09] ‘000000010 (16) [101] New Drive Properties General Common SB rn: EE Ouse first available, starting at: @ use: Location: \PCr\sales Reconnect: [] Labelas: | Sales Drive Letter es Connect as (optional) Hide/Show this drive Hide/Show all drives ON change No change Obie this drive Otide al drives @©show this drive Oshow al drives Ca) Cert) [reat [102] wane he ox © > + % > tise > VO) | SearchTh.. “ = oe Quick acess Ti buieop | ~ Devices and drives (3) Downloade Fel Frepey Disk Drive v4) so [2 Documents ~ SH 0 Ge hee of 2568 E Pictures # DvD Drive») 2D Mase = BH Videos ” Network locations (1) & Onedive Sates (6) a thisPc x RP i Giiree B J ‘tems item selected [103] New Shered Printer Properties General | Common GB vce ae : Delete all shared printer connections Shared printer Share path: —_ [\\PrintServer\AccountingLaserJet ‘ Set this printer as the defauit printer. L2...only if local printer is not present. Map to local port (optional) Local port: Reconnect Unmap al local ports (Feet | ty || oe [104] Proxy Server [DC1.MYDOMAIN.LOCAL] Polic] 'v ( Computer Configuration a i > lil Poices g Internet Settings > 0) Preferences vB User Configuration > OB Policies v OD Preferences (5 Windows Settings © GB Control Pare Setings ® Data Sources B Devices GF Folder Options Gf Intemet Settings G local Usersand New =) Intemet Explorer Sand 6 NeneorOptiog Internet Explorer 7 oo Internet Explore and 9 © spel Intemet Explore 19 (GI Scheduled Tasks By star Menu [105] New Internet Explorer 10 Properties, Programs Advanced Common General Security Privacy ——Content~—Connections. Home page To create home page tabs, type each address on its own line. | ‘Use current Use default Use new tab sterup @: start nth home page Tabs Change how webpages are displayed in tabs. “Tabs Browsing history Delete temporary files, history, cookies, saved passwords, and web form information. 
[106] New Internet Explorer 10 Properties Programs Advanced Common General Security Privacy Content Connections To setup an Internet connection, dick sel setup. Dial-up and Virtual Private Network setings Ad add VEN, Choose Settings if you need to configure @ proxy Settings server fora connection Never dial a connection ‘baal whenever a network connecton is not present O.Aiways dial my default connection Curent None defaut Loca Area Network LAN) settings LAN Settings donot apply to dalup comectons. | LANsetings Choose Settings above for dial-up settings. [oo] [cone only Hee [107] Local Area Network (LAN) Settings ‘Automatic configuration ‘Automatic configuration may override manual settings. To ensure the use of ‘manual settings, disable automatic configuration. Cla 8. Use automatic configuration script Address: Proxy server AU 8 Proxy server for your LAN (These settings wl nat pot to —Gial-up or VPN connectons), Adress pro ] rece [Bo [1B ypass proxy server for local [108] | tino commirasot.com fwink/p Link ~ || Search, [eS The pony seria’ repo Local Area Network (LAN) Settings ‘Automatic configuration ‘Automatic configuration may override manual settings. Te ensure the Use of menual settings, dseble automatic configuration, Jutoratealy detect settings (se autematic configuration sero Fyou are four web] Proxy server py] useaaroxy server for your LAN (These setings llnct apply to dal-up o: VEN connection) address: [proxy port: [3080 || Advanced (Cla ypass proxy server for lncal adresses Local Ares Network (LAN) settings LAN Seting: do not apply to dia-un comectione, _LANetting= CChoase Settings above for dial-up settings. ok. 
cancel ah [109] Chapter 07: Group Policy as a Security Mechanism TF Group Poi Management Editor File Action View Help jo =>| 2X s| Bm I Securty Settings [DCL MYDOMAINLOCALI| Name © (BE Computer Configuration BaAccount Poticies ¥ Policies 3 yee Local Potiies = i EventLog Windows Setings cS — (Resticted Groups [5] Nome Resolution Policy Serits Startup/ Shutdown) || System Sevices tm Deployed Printers GResity 5, Sect Stings GF Sytem a Poy bosed os Wired Network EE 202.) Poticie 2 Ramin Templstes Poi] Windows Freval wth Advanced Security 1 Preferences SDnetwor it Manager Policies sh User Coniguation Ea Wireless Newer (EEE 8211) Poices Poles Public Key Poticies 5 Preferences "Sota Restriction Plies “S Aepicaben Control Pokies 3° secrty Poison Active Directory Avance Aus Poly Coniguaton ac, Desciption Pazeword and account lockout policies ‘Auditing, user ights and security options pot. Event Log Restricted Groups System sevice stings Registry security setings Fie sytem secutity settings Wired Network Plicy Administration. Manage Windows Firewall with Advanced Securty Network name, icon and location group policies Wireless Nebrrk Policy Administration. Mana Applicaton Control Policies Internet Protocol Secuty (Psec)Adminstatio. ‘Advanced Audi Pelcy Configuration ba [110] |? Windova Dende Frenallwith vanced Sealy |e => | fos] Ge 123 Outbound Rules a Connection Sear les We ta en tytn way il a 9 Demin Pafleis Ace @ Windone Defender Frenal ion, @ rhounscarmectors that do pt mach enue ae Hacked @ obo.0d cermoctinathat donot match 3s a slowed Prvate Poe (© Windows Defender Frenal ton, © rbouns connectors that do nt ach au are ached. @ Otbcund comectinsthat do not meth andere slowed Boe Public Profile © Wirdone Onde Fenalien, © and cxmecr tt drt mich ane a Hoke @ oradound cernectinstat do notmach a nde a slowed. > | Windowe Defender Freya Inport Pet por el, View » Properties {111]
