Group Policies (the day after)
Group Policy Preferences
PowerShell

How can we keep track of what we have done or changed?
– We can name the policy appropriately based on function or grouping of settings
  – Interactive_Logon_Policy
  – Internet_Explorer_Policy
– The GPMC allows us to make comments regarding a particular policy.

What should we comment on?
– Who’s in charge of the GPO
– Who to call if there is a problem?
– Who is supposed to be affected by this GPO?
– Detailed information about what this GPO should do
– Who will get fired if this doesn’t work

Comments…
GPMC > Select Policy > Edit > Right click on Policy name (see below) > Properties

Controlling how GPOs run
– Disable local GPOs from applying
  Computer Configuration > Policies > Administrative Templates > System > Group Policy

Controlling how GPOs run
– Disable Link Enabled Status
– Disable “half” of a Group Policy
  Will speed up processing (not very noticeable)

Controlling how GPOs run
– The Enforced Function
  Guarantees that policy settings within a GPO from a higher level are always inherited by lower levels
  Right click on Policy and choose Enforce

Group Policy Preferences (GPP)
– Essentially an extension DLL (dynamic link library) that does a bunch of stuff.
– Can be “undone” by the user

Computer Configuration > Preferences > Windows Settings
Environment:
– Set user and system environment variables
– Change the Windows system path variable
Files
– Copy files from point A to point B
  Server share to %Documents% on the local system
Folders
– Create, delete or empty folders
Network Shares
– Create shares on workstations or servers
Shortcuts
– Place program or URL on desktops, startup folder, Programs folders, etc.

Computer/User Configuration > Preferences > Control Panel

Common Control Panel Settings
Local users and groups
– Create/change local users
– Modify local user passwords
– Change local user group membership
Power Options
– Create power options for XP
– Create power plans for Vista and later
Printers
– Computer: Local/IP
– User: Local/IP/Shared

Microsoft® shell environment
– Gives administrators more power and command in the shell environment
  – Hence…PowerShell?
– Active Directory Module for Windows® PowerShell allows for Active Directory specific command-line and scripted operations
– Only available in Windows® Server R2 and Windows® 7

First, we need to understand naming formats
– Distinguished name
  CN=John Doe,OU=Sale_OU,DC=MS1,DC=local
– RDN: Relative Distinguished Name
  CN: Common Name
  DC: Domain Component
  OU: Organizational Unit
– Fully Qualified Domain Name (FQDN)
  SVBlue1.ms1.local

Growing resources daily
– us/scriptcenter/powershell.aspx
– us/library/dd378937(WS.10).aspx

Creating an Active Directory user account:
– New-ADUser
How do I use it? Get HELP! No seriously, Get-Help
– Get-Help New-ADUser
– Get-Help New-ADUser -Examples
– Get-Help New-ADUser -Detailed
New-ADUser jdoe
New-ADUser "John Doe" -SamAccountName "jdoe" -GivenName "John" -Surname ……..

Setting Passwords
– Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)
  ("<new password>" is a placeholder for the password string.)
Change attributes for multiple users
– Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Sale_OU,DC=MS1,DC=Local" | Set-ADUser -Description "Member of the Sales Department"

Display user attributes
– Get-ADUser jdoe
– Get-ADUser jdoe -Properties * | more
Add groups and members
– Add-ADGroupMember "Sale_Group"
– Add-ADGroupMember "Sale_Group" -Members jdoe
A great deal more online
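
The create, set password, describe and add-to-group steps above combined into one script, as an added example that is not part of the original slides. The function name New-SalesUser is hypothetical; jdoe, Sale_OU, MS1.local and Sale_Group are the sample names used on the slides. The initial password is prompted for as a SecureString rather than typed in plain text on the command line.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module and rights to create users in the target OU.
Import-Module ActiveDirectory

function New-SalesUser {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GivenName,
        [Parameter(Mandatory = $true)][string]$Surname,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [string]$OU    = 'OU=Sale_OU,DC=MS1,DC=local',   # sample OU from the slides
        [string]$Group = 'Sale_Group'                    # sample group from the slides
    )

    # Refuse to touch an account that already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "Account '$SamAccountName' already exists."
    }

    if ($PSCmdlet.ShouldProcess("$SamAccountName in $OU", 'Create user')) {
        # Create the account enabled, forcing a password change at first logon.
        New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
            -GivenName $GivenName -Surname $Surname -Path $OU `
            -Description 'Member of the Sales Department' `
            -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true

        Add-ADGroupMember -Identity $Group -Members $SamAccountName

        # Read the account back so the operator can confirm what was created.
        Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf |
            Select-Object Name, SamAccountName, Enabled, Description, MemberOf
    }
}

# Prompt for the initial password; it never appears in the command history.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'

# -WhatIf shows what would be created without changing the directory.
New-SalesUser -GivenName 'John' -Surname 'Doe' -SamAccountName 'jdoe' `
    -Password $initial -WhatIf
```

Remove -WhatIf from the last command to actually create the account.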

– You can add comments to help document GPOs
– Enforced Function overrules blocking of inheritance
– You can disable “half” of a GPO
– GPPs can be undone by the users
– Active Directory Module for Windows® PowerShell allows for command-line and scripted operations