Exam Ref 70-411 Administering Windows Server 2012 R2 (2014)
Chapter 5. Configure and manage Active Directory
Active Directory Domain Services (AD DS) is the fundamental building block for building Windows enterprise networks, so it plays a crucial role in Windows Server exams. The basic installation and administration of AD DS is covered in Exam 70-410, but the configuration and management of AD DS is covered in Exam 7-411, including service accounts, read-only domain controllers, domain controller cloning, backup and restore, and account policies.
Objectives in this chapter:
Objective 5.1: Configure service authentication
Objective 5.2: Configure domain controllers
Objective 5.3: Maintain Active Directory
Objective 5.4: Configure account policies
Objective 5.1: Configure service authentication
Since their introduction in Windows Server 2003, service accounts have played an important role in isolating services and their authentication. Service accounts are user accounts used to provide authentication and authorization for services or applications running on the Windows server. Service accounts were originally only available as local accounts that required significant ongoing maintenance and administrative effort. Service accounts have matured and now include group Managed Service Accounts (MSAs) and virtual accounts that provide simplified service principal name (SPN) management and automatic password management.
This objective covers how to:
Create and configure service accounts
Create and configure Managed Service Accounts (MSAs)
Create and configure group Managed Service Accounts (gMSAs)
Configure Kerberos delegation
Configure virtual accounts
Manage service principal names (SPNs)
Creating and configuring service accounts
You create a service account exactly the same way as you create any user account. You can create a service account as a local account or as an Active Directory account. Service accounts should be created with user-level permissions and should not be members of the Domain Admins group or the local Administrators group on the server they are for.
Windows Server 2008 R2 introduced Managed Service Accounts (MSAs), and Windows Server 2012 introduced group Managed Service Accounts (gMSAs). Both are preferable to using a regular user account for services and are described later in this objective.
To create a local service account, use Computer Management and select the Users folder of Local Users And Groups in the console tree. Or open the Local Users And Groups console directly by typing lusrmgr.msc at a command prompt. Then follow these steps:
1. Right-click Users in the console tree and select New User from the Action menu.
2. Enter a User Name, Full Name, and Description for the account.
3. Enter a Password and Confirm the password.
4. Clear the User Must Change Password At Next Logon check box. Set any additional options and then click Create to create the account.
To create a domain service account, use Active Directory Users and Computers to create the account by following these steps:
1. Right-click the organizational unit (OU) where you want the service account created and select New, User from the Action menu.
2. Enter a Full Name and User Logon Name and then click Next.
3. Enter and confirm a password and then clear the User Must Change Password At Next Logon check box. Set any additional options, click Next, and then click Finish to create the account.
Services or applications that require a service account typically configure the associated application permissions to run the application and associated services with the minimum and appropriate permissions to start and run the service. SQL Server, for example, sets different permissions on the service accounts it uses, depending on exactly which features and capabilities of SQL Server are installed.
Creating and configuring Managed Service Accounts
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 and Windows 7. MSAs are Active Directory accounts that are tied to a specific computer. MSAs have long complex passwords, and they are maintained automatically. MSA passwords are changed on the same schedule as the computer account and through the same mechanism.
In addition to complex passwords that are automatically maintained, MSAs can’t be used for interactive logon, nor can they be locked out. Normally, the MSA password is generated and set automatically, but it can be set to an explicit value by an administrator. However, they can be reset on demand to a new generated value.
Exam Tip
The password associated with an MSA is automatically updated every 30 days. This is likely to find its way into the conditions for an exam question, so it’s good to remember that number.
Creating an MSA
MSAs are created in the Manage Service Accounts container of Active Directory and have an object class of msDS-ManagedServiceAccount. MSAs require a minimum Active Directory domain functional level of Windows Server 2008 R2 to allow for automatic management of the Service Principal Name and password of the MSA, and can be installed only on Windows Server 2008 R2, Windows 7, and later releases of Windows and Windows Server. If your domain is not at least Windows Server 2008 R2 level, but your schema is updated to Windows Server 2008 R2, automatic password management works, but automatic SPN management does not.
MSAs can be created only by using the ActiveDirectory module of Windows PowerShell. This module requires Windows PowerShell version 2.0 or later and can be installed on Windows Server 2008 R2 or later servers, or Windows 7 or later clients with Remote Server Administration Tools (RSAT) installed.
You can create an MSA by following these steps:
1. Open a Windows PowerShell prompt with elevated privilege.
2. Import the ActiveDirectory module. (This step is required only on Windows Server 2008 R2 and Windows 7. Later releases automatically load the module.)
Import-Module ActiveDirectory
3. Create the MSA account (Windows Server 2012 R2).
New-ADServiceAccount -Name <MSAAccountName> -RestrictToSingleComputer -Enabled $True
4. Associate the MSA with the computer on which you want to use it.
Add-ADComputerServiceAccount -Identity <computername> -ServiceAccount <MSAName>
5. Log on to the computer where the MSA will be used and install the MSA to the target computer with this:
Install-ADServiceAccount -Identity <MSAName>
Note: Dependencies
This requires installing the ActiveDirectory Windows PowerShell module and .NET Framework 3.5 or later on the target computer.
Associating an MSA with a service
After the MSA has been assigned to a computer, you can associate it with a service account by using either the GUI or Windows PowerShell. To use the GUI, open services.msc and edit the properties of the service you want to associate with the MSA. Set the Log On value for the service toDOMAIN\MSA$, where MSA is the account name you installed on the local computer. Make sure that the Password and Confirm Password boxes are empty.
To do the same with Windows PowerShell requires a bit of scripting. You need to use Windows Management Instrumentation (WMI) to set the account for a service:
SetMSA.ps1
$MSA = "TREYRESEARCH\TestMSA$"
$SvcName = "MSATestSvc"
$Password = $Null
$Svc = Get-WMIObject Win32_Service -filter "Name=$SvcName"
$InParams = $Svc.psbase.getMethodParameters("Change")
$InParams["StartName"] = $MSA
$InParams["StartPassword"] = $Password
$Svc.invokeMethod("Change",$InParams,$null)
You can edit the preceding script to change the values of $MSA and $SvcName as appropriate to your environment.
Removing an MSA
You can remove an MSA from a computer by using Windows PowerShell. You can remove it from the current computer by using the Uninstall-ADServiceAccount cmdlet on the local computer where it was installed. Then remove the assignment to the computer by using the Remove-ADComputerServiceAccount cmdlet. This process leaves the MSA in place in Active Directory but not assigned to a specific computer, allowing you to reuse the account on another computer. To remove the MSA entirely from Active Directory, use the Remove-ADServiceAccount cmdlet.
Exam Tip
The cmdlet names and interaction between the two sets of Windows PowerShell nouns, ADServiceAccount and ADComputerServiceAccount, are the sorts of sound-alike cmdlets that lend themselves to tempting distracters for exam questions. Plus, if you remove the MSA from Active Directory without first modifying any services that rely on it, bad things will happen.
Creating and configuring group Managed Service Accounts (gMSAs)
The group Managed Service Account (gMSA), introduced in Windows Server 2012, takes the functionality of the stand-alone MSA and extends that functionality across multiple servers. This change allows gMSAs to be used for services that span multiple hosts and also extends the basic MSA to allow it to be used for scheduled tasks, Internet Information Services (IIS) application pools, SQL 2012, and Microsoft Exchange.
To enable automatic password management across multiple computers, gMSAs use the Key Distribution Services (KDS) running on a Windows Server 2012 or Windows Server 2012 R2 domain controller to distribute keys.
Creating a gMSA
Before you can create a gMSA, you need to create the KDS root key. This step is required only once per domain. Use the following command:
Add-KDSRootKey –EffectiveImmediately
Even though you specified that the root key should be effective immediately, it actually takes 10 hours before the key is effective, which ensures that the key is fully deployed to all domain controllers in the domain.
Exam Tip
In the heat of the exam, it’s easy to forget that not only do you need to create the KDS root key but also that it isn’t effective for 10 hours. Read the question carefully and see whether there’s a time-sensitive clue. It could be an indicator.
To simplify managing a gMSA and the computers that can use it, it’s useful to have the computers that will use the gMSA in a security group. However, if you create a new security group and assign computers to it, you have to restart the computers before the group membership is recognized.
To create a gMSA, you need to use the New-ADServiceAccount cmdlet. For a gMSA, you need to specify the -Name parameter and the -DNSHostName parameter at a minimum. For example:
New-ADServiceAccount -Name ServiceAccount1 -DNSHostName ServiceAccount1.treyresearch.net
The list of available options you can specify when creating a gMSA is long. For full details, see http://go.microsoft.com/fwlink/p/?linkid=291076. You can also use an existing gMSA as a template to create a new gMSA, setting only the changed properties for the new instance of the gMSA. For example:
$svcAcct1 = Get-ADServiceAccout -Identity ServiceAccount1
New-ADServiceAccount -Name SvcAcct2 `
-DNSHostName SvcAcct2.treyresearch.net `
-PrincipalsAllowedToDelegateToAccount "Domain Controllers" `
-Instance $svcAcct1
Installing a gMSA
You install a gMSA on a host just as you install an MSA on a host: with the Install-ADServiceAccount cmdlet. Before you can install a gMSA on a host, however, you need to set the -PrincipalsAllowedToRetrieveManagedPassword value for the gMSA to include the host. This process is usually done by adding the hosts that will be allowed to install the gMSA to a security group and then using the Set-ADServiceAccount cmdlet. So, for example:
Set-ADServiceAccount -Identity $svcAcct1 `
-PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"
Install-ADServiceAccount -Identity #svcAcct1
You can test whether the gMSA has successfully been installed to the host with the Test-ADServiceAccount cmdlet:
Test-ADServiceAccount ServiceAccount1
Test-ADServiceAccount returns $True if the gMSA has been installed, and returns $False if it is not installed on the host.
Using a gMSA to run a scheduled task
One of the useful improvements of Group Managed Service Accounts as compared with stand-alone Managed Service Accounts is the ability to use the account to run a scheduled task. You can run the task with administrative privileges without creating an account that needs to be managed. So, for example, you can use the gMSA to run a routine backup task:
$bkAction = New-ScheduledTaskAction \\server\scriptshare\backup.ps1
$bkTrigger = New-ScheduledTaskTrigger -At 21:00 -Weekly -DaysOfWeek Friday
$bkAcct = NewScheduledTaskPrincipal -UserID ServiceAccount1$ -LogonType Password
Configuring Kerberos delegation
Windows Server implements Kerberos v5 with the authentication client implemented as a security support provider (SSP). Initial user authentication is integrated with the Winlogon single sign-on (SSO) architecture. The Kerberos Key Distribution Center (KDC) is integrated in the domain controller. The KDC uses AD DS as its security account database. In Windows 8x and Windows Server 2012 and Windows Server 2012 R2, Kerberos authentication is proxied through DirectAccess or Remote Desktop Services.
New Group Policy settings
Windows Server 2012 and Windows Server 2012 R2 include a new Kerberos administrative template policy with GPO settings to configure Kerberos. These settings are shown in Table 5-1.
TABLE 5-1 New administrative template policy settings
In Windows Server 2012 and Windows Server 2012 R2, resource–based Kerberos constrained delegation can be used to provide constrained delegation when front-end services and back-end resources are not in the same domain. Constrained delegation restricts a server to act on behalf of a user for only specific services. To configure a resource service to allow a front-end server to act on behalf of users, use the -PrincipalsAllowedToDelegateToAccount parameter of the New and Set verbs of the ADComputer, ADServiceAccount, and ADUser cmdlets. Use the Get verb for the cmdlets with the -PrincipalsAllowedToDelegateToAccount parameter to retrieve a list of principals.
Configuring virtual accounts
Another kind of service account is the virtual account. Virtual accounts require no configuration to access local resources. To use a virtual account for a service, simply enter NT SERVICE\<ServiceName> for the account name, and leave the password blank.
Virtual accounts can be used for services that require network access, but it isn’t recommended. To give the virtual accounts access to network resources, you need to give the computer account for the computer where the service is located permission to access the resource. Instead, it’s recommended to use gMSAs for services that require network access.
You can use virtual accounts with IIS. The user is called IIS AppPool\<apppoolname> (for example, IIS AppPool\DefaultAppPool).
Managing service principal names
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If there are multiple instances of a service on computers throughout a forest, each instance must have its own SPN. One service instance can have multiple SPNs where there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
SPNs are of the format: serviceclass/host:port servicename where serviceclass and host are required, but port and service name are optional. The colon between host and port is only required when a value for port is present.
The elements of an SPN are described in Table 5-2.
TABLE 5-2 The elements of an SPN
Some examples of SPN registrations include:
HTTP/www.treyresearch.net:8080 Any page on the website on the non-standard TCP port 8080 forr www.treyresearch.net, that is http://www.treyresearch.net.
HOST/WORKSTATION5 Any service running on the computer with NetBIOS name WORKSTATION5
HOST/SERVER7.treyresearch.net Any service running on the computer with hostname SERVER7.treyresearch.net
TERMSRV/FRONTRM.treyresearch.net The Remote Desktop Protocol (RDP) service running on the computer with hostname FRONTRM.treyresearch.net
MSSQLSvc/SQLSERVER2.tailspintoys.com:1433 The SQL Server listening on SQLSERVER2.tailspintoys.com, port 1433.
cifs/KHWIN7.tailspintoys.com The file share on the computer with hostname KHWIN7.tailspintoys.com
When creating an SPN for a well-known service, you do not need to specify the port for the SPN when the service uses the default port. The default SPNs are registered by the NetLogon service. They are refreshed every 22 minutes after startup.
Thought experiment: Running batch jobs as an administrator
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. Your environment requires administrative privilege to perform periodic backup and cleanup operations. You want to automate these operations without adding an administrative account that could create a potential security exposure. You create a Windows PowerShell script, Start-myDailyCleanup.ps1, to run the tasks. and it works when run interactively by an administrator.
1. What kind of account should you use to run the script automatically?
A. Regular user account with Run as Batch permissions
B. MSA
C. Virtual account
D. gMSA
2. Which commands do you use to initialize the environment for your chosen account?
3. What other considerations are there for running the script as a scheduled task?
Objective summary
Service accounts are local or domain accounts created for and used by local applications and services.
MSAs are Active Directory accounts that are tied to a specific computer.
MSAs use a complex generated password that is maintained automatically.
gMSAs extend MSAs to support multiple servers with a single account.
gMSAs can be used for scheduled tasks, IIS application pools, SQL Server, and Microsoft Exchange.
Kerberos delegation is improved in Windows Server 2012 and Windows Server 2012 R2 to provide resource–based Kerberos delegation.
Virtual accounts are automatically created when you assign them to a service or IIS AppPool. They require no additional management and are a good solution for services that don’t require network access to resources.
Objective review
1. What tool or command do you use to create a MSA?
A. Computer management with the Users folder of Local Users and Groups
B. Active Directory Users and Computers
C. New-ADServiceAccount
D. Install-ADServiceAccount
E. Add-ADComputerServiceAccount
2. What command should you use to add a gMSA on a computer?
A. Add-ADGroupMember
B. Install-ADServiceAccount
C. Add-ADServiceAccount
D. Install-ADComputerServiceAccount
3. You want to use a virtual account for the TestService on computer Server1. What commands or tools would you use? (Choose all that apply.)
A. Set-Service -computername Server1
B. Services.msc
C. Lusrmgr.msc
D. Add-ADComputerServiceAccount
Objective 5.2: Configure domain controllers
The core of the Windows domain system is the domain controller. Exam 70-410 covered the basics of installing and configuring Active Directory and domain controllers. Exam 70-411 covers more advanced topics for domain controllers and Active Directory.
This objective covers how to:
Configure universal group membership caching (UGMC)
Transfer and seize operations master
Install and configure a read-only domain controller (RODC)
Configure domain controller cloning
Configuring universal group membership caching
When a user logs on to a domain in a multidomain forest, the user’s group membership is ascertained by querying a global catalog server. Only global catalog servers store the memberships of universal groups in the forest. If a global catalog is not available in the local site, the domain controller needs to contact a global catalog in another site. When a global catalog is not available at the local site, universal group membership caching (UGMC) can be used to reduce the load on slow (wide area network) WAN connections and speed up user logons.
When UGMC is enabled, the user’s initial logon to the domain requires contacting a global catalog, but for subsequent logons, the local domain controller stores (caches) the user’s universal group memberships.
To enable universal group members caching for a site, follow these steps:
1. Open Active Directory Sites And Services (dssite.msc) and select the site on which you want to enable UGMC.
2. Right-click NTDS Site Settings in the details pane and select Properties.
3. In the NTDS Site Settings Properties dialog box, shown in Figure 5-1, select Enable Universal Group Membership Caching and then specify the Refresh Cache From setting.
FIGURE 5-1 The NTDS Site Settings Properties dialog box
Transferring and seizing operations master
Windows Server domains have five operations master roles (also known as flexible single master operations or FSMO) that support the operations of the domain. Each role resides on only a single domain controller. You can transfer one or more roles to a different server in the domain to balance the operations across available domain controllers. Transferring a role requires both the original domain controller and the target domain controller to be online and able to communicate.
If a domain controller is permanently unavailable, you can seize any operations master roles that it held to another domain controller. You should seize roles only when the original holder of the role is not available and can’t be restored. After a role has been seized from a domain controller, that domain controller should never be reintroduced into the domain.
Two of the operations master roles are forest-wide roles, and the remaining three are domain-wide roles, as follows:
Schema master Responsible for performing updates to the AD DS schema. The schema master role is a forest-wide role. The domain controller that holds the schema master role is the only domain controller that can perform write operations to the directory schema. Transferring or seizing the schema master role requires the Change Schema Master right. By default, only members of the Schema Administrators group have this right.
Domain naming master Responsible for the addition and removal of all domains and directory partitions in the forest. The domain naming master role is a forest-wide role. Transferring or seizing the domain naming master role requires the Change Domain Master right. By default, only members of the Enterprise Admins group have this right.
RID master Allocates blocks of relative identifiers (RIDs) to each domain controller in the domain. The RID master role is a domain-wide role. When a domain controller creates a new security principal, such as a user, group, or computer object, the object is assigned a globally unique security identifier (SID). The SID is a combination of the domain SID plus an RID for the object. Transferring or seizing the RID master role requires the Change RID Master right. By default, only members of the Domain Admins group have this right.
PDC emulator master Receives preferential replication of password changes in the domain and is the definitive source for password information. The primary domain controller (PDC) emulator in the forest root domain is the Windows Time Service time source for the forest. The PDC emulator master role is a domain-wide role. Transferring or seizing the PDC emulator role requires the Change PDC right. By default, only members of the Domain Admins group have this right.
Infrastructure master Responsible for updating object references in its domain to objects in another domain and replicating changed references to other domain controllers in the domain. The infrastructure master role is a domain-wide role. Transferring or seizing the infrastructure master role requires the Change Infrastructure Master right. By default, only members of the Domain Admins group have this right.
There are three methods for transferring operations master roles in Windows Server 2012 and Windows Server 2012 R2, and two of them can be used for seizing operations master roles if it is required. The three methods are as follows:
Graphical Only for transferring roles; requires three different consoles to transfer the five roles.
Ntdsutil.exe Can be used for both transferring and seizing roles; supported on all versions of Windows Server.
Move-ADDirectoryServerOperationMasterRole Can be used for both transferring and seizing roles; supported on Windows Server 2012 and Windows Server 2012 R2, and on Windows 8.x with RSAT installed.
Transferring roles graphically
Three different consoles are required to transfer all five roles:
Active Directory Users and Computers is used to change the three domain-wide roles.
Active Directory Domains And Trusts is used to change the forest-wide domain naming master role.
Active Directory Schema is used to change the forest-wide schema master role.
Before you can use the Active Directory Schema console, you need to register the schema management DLL. Follow these steps to transfer the schema master role:
1. Open an elevated command or Windows PowerShell window with an account that has the Change Schema Master right. By default, only members of the Schema Admins group have this right.
2. Type regsvr32 schmmgmt.dll to register the schema management dll.
3. Type mmc to open a blank management console and select Add/Remove Snap-in from the File menu.
4. Select Active Directory Schema from the Available Snap-ins list, as shown in Figure 5-2.
FIGURE 5-2 The Add Or Remove Snap-ins dialog box
5. Click Add and then click OK to open the Active Directory Schema console.
6. Select Active Directory Schema in the console tree and right-click.
7. Select Operations Master from the Action menu to open the Change Schema Master dialog box shown in Figure 5-3.
FIGURE 5-3 The Change Schema Master dialog box
8. Click Change to move the schema master role from to the new domain controller.
To transfer the domain naming operations master role, open the Active Directory Domains And Trusts console. Right-click Active Directory Domains And Trusts and select Operations Master from the Action menu.
To transfer the three domain-wide roles, open Active Directory Users And Computers, right-click the domain in the console tree, and select Operations Masters to open the Operations Masters dialog box. This dialog box has three tabs, one each for RID, PDC, and Infrastructure.
Transferring roles by using Ntdsutil.exe
The Ntdsutil.exe utility is the legacy way to transfer or seize roles with Windows Server domains. If your current operations master roles reside on versions of Windows Server prior to Windows Server 2012, you must use Ntdsutil.exe to transfer or seize the role. The steps to transfer the PDC Emulator role from trey-dc-02.TreyResearch.net to trey-dc-04.TreyResearch.net are the following:
1. Log on to the target domain controller (trey-dc-04) with an account that has the Change PDC right. By default, members of the Domain Admins group have this right.
2. Open a command or Windows PowerShell window with Run As Administrator.
3. At the elevated prompt, type Ntdsutil to open the Ntdsutil.exe shell.
4. Type Roles to move to the fsmo maintenance prompt.
5. Type Connections to move to the server connections prompt.
6. Type connect to domain treyresearch.net to bind to the domain and the local server.
7. Type Quit to return to the fsmo maintenance prompt.
8. Type Transfer PDC and click Yes on the Role Transfer Confirmation Dialog shown in Figure 5-4.
FIGURE 5-4 The Role Transfer Confirmation Dialog
9. Type Quit to return to the Ntdsutil.exe prompt, and then Quit again to exit Ntdsutil. Figure 5-5 shows the complete sequence.
FIGURE 5-5 The Ntdsutil.exe sequence for transferring the PDC role
Note: Use correct server and domain names for your environment
The example shown in Figure 5-5 and in the steps immediately preceding uses a domain of TreyResearch.net and the target server of trey-dc-04.TreyResearch.net. Substitute the correct values for your environment.
The steps to transfer the other roles are the same as for transferring the PDC Emulator role.
Transferring by using Windows PowerShell ActiveDirectory module
Beginning with Windows Server 2012 (and Windows 8 with RSAT), you can use the Move-ADDirectoryServerOperationMasterRole cmdlet to transfer or seize the FSMO roles. Unlike ntdsutil.exe, you can transfer multiple roles with a single command. For example, to transfer the PDC and RID FSMO roles from trey-dc-04 to trey-dc-02, use the following command:
Move-ADDirectoryServerOperationMasterRole -Identity trey-dc-02 -OperationMasterRole RIDMaster,PDC
To seize the roles when the original holder is no longer available, use the -Force parameter with the Move-ADDirectoryServerOperationMasterRole cmdlet.
Installing and configuring a read-only domain controller
Windows Server 2008 introduced the read-only domain controller (RODC), which hosts read-only partitions of the AD DS database. Because changes can’t be made to the RODC, it is an appropriate solution for deployment to sites in which physical security is less able to be controlled, such as branch offices. Deploying an RODC to sites connected with poor network bandwidth improves the logon time and the time required to access network resources when password caching is configured.
To simplify deployment of RODCs to remote sites, you can stage the deployment of the RODC. A staged deployment creates the account for the RODC; when the computer is actually deployed, it is promoted to an RODC. To reduce the network load, a staged deployment can be done with the AD DS database on physical media, enabling the RODC deployment to use the Install from Media (IFM) feature.
When using a prestaged RODC account, the server that will become the RODC should not be joined to the domain where it will be an RODC prior to attaching to the RODC account. If you use the Active Directory Domain Services Installation Wizard or begin the deployment from the Active Directory Administrative Center, you have to prepare the domain with adprep.exe /rodcprep.
Installing an RODC by using Windows PowerShell
Follow these steps to first stage the RODC and then install it on the target computer:
1. From an elevated Windows PowerShell prompt, create the staging account for the RODC. The basic command is this:
Add-ADDSReadOnlyDomainControllerAccount `
-DomainControllerAccountName "trey-rodc-03" `
-DomainName "TreyResearch.net" `
-SiteName "Default-First-Site-Name"
For a full list of available options, see http://go.microsoft.com/fwlink/?LinkId=291137.
2. On the target server, complete the installation of Windows Server 2012 R2. You can use a full installation or a core installation.
3. Set the name of the target server to the name used to create the staging account.
4. Assign static IPv4 and IPv6 addresses to all adapters on the target server.
5. On the target server, install AD DS by using this command:
Install-WindowsFeature `
-Name AD-Domain-Services `
-IncludeAllSubFeature `
-IncludeManagementTools
6. Connect to the domain and promote the RODC by using the following commands:
$myCred = Get-Credential -Message "Enter your domain credentials"
Install-ADDSDomainController `
-DomainName "TreyResearch.net" `
-Credential $myCred `
-UseExistingAccount:$True
7. You’ll be prompted for the SafeModeAdministrorPassword on the command line and then to confirm the password. Make sure that you enter a password that meets the length and complexity requirements for the domain.
When the domain controller promotion completes, the new RODC restarts.
If the RODC is not prestaged, you can still install it by using Windows PowerShell. Follow these steps:
1. Install Windows Server 2012 R2, either full or core installation.
2. Install the AD DS server role, including the management tools and Windows PowerShell cmdlets, by using this command:
Install-WindowsFeature `
-Name AD-Domain-Services `
-IncludeAllSubFeature `
-IncludeManagementTools
3. Assign the server fixed IPv4 and IPv6 addresses for all network adapters and set the server’s name.
4. Promote the server to an RODC and install DNS with the following commands:
$myCred = Get-Credential -Message "Enter your domain credentials"
Install-ADDSDomainController `
-DomainName "TreyResearch.net" `
-Credential $myCred `
-InstallDNS `
-ReadOnlyReplica:$True
5. You’ll be prompted for the SafeModeAdministrorPassword on the command line and then to confirm the password. Make sure that you enter a password that meets the length and complexity requirements for the domain.
When the domain controller promotion completes, the new RODC restarts.
For the full syntax and options for the Install-ADDSDomainController cmdlet, see http://go.microsoft.com/fwlink/?LinkId=291139.
Installing a RODC graphically
You can install an RODC graphically, whether it is prestaged or not. If the first RODC you install is not a staged RODC, you don’t need to prepare the domain for the RODC because the wizard does it for you. However, if the first RODC is a staged RODC, you have to manually run adprep.exe /rodcprep one time to prepare the domain.
To stage an RODC, follow these steps:
1. Open the Active Directory Administrative Center. You can select it from the Tools menu of Server Manager or by typing dsac.exe in a shell.
2. In the left pane, select the domain in which you want to create the RODC and click Domain Controllers, as shown in Figure 5-6.
FIGURE 5-6 The Active Directory Administrative Center Domain Controllers page
3. In the Tasks pane, under Domain Controllers, click Pre-create A Read-only Domain Controller Account.
4. On the Welcome page, select Use Advanced Mode Installation and then click Next.
5. On the Network Credentials page, select My Current Logged On Credentials or select Alternate Credentials. The credentials you use must be a member of the Domain Admins or Enterprise Admins groups. Click Next.
6. On the Specify The Computer Name page, shown in Figure 5-7, enter the computer name you want to use for the RODC and then click Next.
FIGURE 5-7 The Specify The Computer Name page
7. On the Select A Site page, specify the site in which the new RODC will reside and click Next.
8. On the Additional Domain Controller Options page shown in Figure 5-8, specify whether the new RODC will be a DNS Server and a Global Catalog server. The default in domains with AD-integrated DNS is for both to be selected. Click Next.
FIGURE 5-8 The Additional Domain Controller Options page
9. On the Delegation Of RODC Installation And Administration page, specify a group or individual user to have local administrative access to the RODC, as well as be able to attach the RODC to the account you’re creating. If you don’t specify any additional names or groups, only a member of the Domain Admins group can attach the RODC to the account. Click Next.
10. On the Summary page, you see all the settings of the wizard and you can then export the settings to an answer file for use with unattended installations. Click Next and then click Finish to close the wizard.
After the account is created, you can attach a server to the account either graphically or by using the Install-ADDSDomainServer cmdlet, as described earlier. To attach it graphically, follow these steps:
1. Install Windows Server 2012 R2 on the target computer.
2. Open Server Manager and click Configure This Local Server.
3. Assign fixed IPv4 and IPv6 addresses for all adapters and set the Computer Name value to the name chosen when you prestaged the RODC.
4. Select Add Roles And Features from the Manage menu. Click Next, Select Role-based Or Feature-based Installation, and click Next twice.
5. On the Select Server Roles page, select Active Directory Domain Services. Click Add Features when the Add Features That Are Required For Active Directory Domain Services page opens. Click Next and then click Next again on the Select Features page.
6. Read the Active Directory Domain Services page and click Next.
7. On the Confirm Installation Selections page, click Install and then Close.
8. In Server Manager, select AD DS in the console tree, as shown in Figure 5-9.
FIGURE 5-9 The AD DS section of Server Manager
9. Click More in the Configuration Required For Active Directory Domain Services At warning bar.
10. In the All Server Task Details And Notifications dialog box, shown in Figure 5-10, click Promote This Server To A Domain Controller.
FIGURE 5-10 The All Servers Task Details And Notifications page
11. In the Active Directory Domain Services Configuration Wizard shown in Figure 5-11. Specify the domain to connect to and the credentials to use to attach to the RODC domain account.
FIGURE 5-11 The Deployment Configuration page
12. Click Next to display the Domain Controller Options page, as shown in Figure 5-12. The precreated RODC account is identified as shown by the yellow banner. Complete the options, including a Directory Services Restore Mode (DSRM) password. Click Next and complete the wizard to attach the RODC to the computer account you prestaged in AD DS.
FIGURE 5-12 The Domain Controller Options page
13. On the Prerequisites Check page shown in Figure 5-13, verify that all prerequisites have been met. If there are anomalies identified, correct them and click Rerun Prerequisites Check until you get a green check mark. Then click Install to promote the RODC.
FIGURE 5-13 The Prerequisites Check page
14. Click Install; the computer is promoted to an RODC and restarts to complete the promotion.
The steps for installing an RODC that you haven’t prestaged are essentially similar, except that you need to specify the information that you specified during the staging process.
RODC prerequisites
The prerequisites for installing an RODC in your AD DS domain are the following:
Forest functional level of Windows Server 2003 or higher.
Domain and forest prep steps (once only per domain or forest).
adprep /forestprep
adprep /domainprep /gpprep
adprep /rodcprep
AD DS installed.
At least one writable domain controller running Windows Server 2008 or higher. The domain controller must also be a DNS server and have a registered name server (NS) resource record.
Installing a domain controller from media
When deploying a domain controller at a remote location, you can speed up the process of initial replication by installing the AD DS database from disk: IFM. When combined with staging, IFM enables the deployment of a remote RODC possible even over a slow link and without any specialized knowledge at the remote site.
To create the media, use the Ntdsutil.exe ifm command. You can also create the installation media by restoring a critical-volume backup of a domain controller in the same domain. The requirements for IFM are these:
You can’t use IFM to create the first domain controller in a domain; there must be a Windows Server 2008 or later domain controller.
The IFM media must be taken from the same domain as the new domain controller.
If you’re creating a global catalog server, the IFM must be from a domain controller that is also a global catalog.
To install a domain controller that is also a DNS server, the IFM must be from a domain controller that is also a DNS server.
To create installation media for a writable domain controller, you must create the IFM on a writeable domain controller that is running Windows Server 2008 or later.
To create installation media for an RODC, you can create the IFM on either a writeable domain controller or an RODC.
To create installation media that includes SYSVOL, you must create the IFM on a domain controller running Windows Server 2008 Service Pack 2 or later.
To create the installation media, open a command shell or Windows PowerShell window with Run As Administrator. In the shell, use the following commands to create the media:
Ntdsutil
activate instance ntds
ifm
create [Sysvol] <full/RODC> <pathtomediafolder>
The installation media can be saved to a network shared folder or to removable media. For example, to create RODC installation media that includes the SYSVOL on the D:\IFM folder, use create sysvol RODC "D:\IFM" to replace the last command in the preceding sequence.
After you have the installation media, create a new domain controller by specifying the media source as part of the Install-ADDSDomainController cmdlet. Use the -InstallationMediaPath parameter. For example:
$myCred = Get-Credential -Message "Enter your domain credentials"
Install-ADDSDomainController `
-DomainName "TreyResearch.net" `
-Credential $myCred `
-InstallDNS `
-InstallationMediaPath "D:\IFM" `
-ReadOnlyReplica:$True
Exam Tip
The -InstallationMediaPath parameter is quite fussy. The path must be on a local drive, not a mounted remote share. The path must not include a trailing “\”, and should not include the final “Active Directory” portion of the path. So, “D:\IFM” is acceptable, but “D:\IFM\” or “D:\IFM\Active Directory” is not.
Configuring domain controller cloning
Windows Server does not support cloning of virtualized domain controllers by simply copying the .vhd or .vhdx files (virtual hard disk [VHD] files). You need to follow the supported cloning process to ensure that domain integrity and data are maintained. The process for cloning a domain controller is the following:
1. Verify that the environment meets the requirements.
2. Prepare the source domain controller.
3. Create the cloned domain controller.
Verifying the environment
The support for cloning a virtualized domain controllerwas introduced with Windows Server 2012. The environment for cloning must meet the following requirements:
PDC emulator FSMO role hosted on Windows Server 2012 or Windows Server 2012 R2 domain controller
PDC emulator available during the cloning operation
Clone source and target of Windows Server 2012 or Windows Server 2012 R2
Virtualization host platform supports VM-Generation ID (VMGID)
Supported Microsoft virtualization host platforms:
Microsoft Windows Server 2012 with Hyper-V feature
Microsoft Windows Server 2012 R2 with Hyper-V feature
Microsoft Windows Server 2012 Hyper-V Server
Microsoft Windows Server 2012 R2 Hyper-V Server
Microsoft Windows 8 with Hyper-V client feature
Microsoft Windows 8.1 with Hyper-V client feature
Important: Unsupported restores
Virtualized domain controllers do not support safe restores or cloning by manual copying of VHDs over existing files or by VHD file restore using file backup or full disk backup software.
Preparing the source domain controller
After you verify that the environment meets the minimum requirements, you need to prepare the source domain controller. The domain controller needs to be authorized for cloning by making it a member of the Cloneable Domain Controllers security group in Active Directory. You can use the Active Directory Administrative Center console, Active Directory Users and Computers, or the Windows PowerShell ActiveDirectory module to assign the source domain controller to the security group. The Windows PowerShell for this is the following:
Get-ADComputer <sourcedc> | Foreach-Object `
{Add-ADGroupMember -Identity "Cloneable Domain Controllers" $_.SamAccountName }
Identify any applications that will prevent cloning by running the Get-ADDCCloningExclusionApplicationList cmdlet. Any applications or services identified must be either removed or added to the CustomDCCloneAllowList.xml file. After you remove any services or applications that don’t support cloning, you can use the -GenerateXML parameter to create the CustomDCCloneAllowList.xml file. For example, on trey-rodc-03, I got the following:
Get-ADDCCloningExcludedApplicationList
Name Type
---- ----
Vim 7.3 Program
HyperSnap 7 WoW64Program
Both programs are simple utilities used in writing this chapter: one to edit files and the other to take screen shots. Neither one poses an issue with cloning, so I know I’m safe to add them to the CustomDCCloneAllowList.xml file. So I ran the cmdlet again:
Get-ADDCCloningExcludedApplicationList -GenerateXML
The inclusion list was written to 'C:\Windows\NTDS\CustomDCCloneAllowList.xml'.
For applications that are flagged by the Get-ADDCCloningExcludedApplicationList cmdlet, a good rule of thumb is that if they are Microsoft applications or services, such as the DHCP Server role, they really should be removed, not added to the CustomDCCloneAllowList.xml file. For third-party applications, such as the two on my server, verify with the vendor or remove them to be safe.
Remove any stand-alone MSAs from the source server. Group MSAs (gMSAs) support cloning, but stand-alone ones do not. Use Get-ADComputerServiceAccount to identify any MSAs and use Uninstall-ADServiceAccount to remove the accounts. You can read the accounts after you finish the offline cloning operation by using the Install-ADServiceAccount cmdlet.
Create the DCCloneConfig.xml file by using the New-ADDCCloneConfig cmdlet, which creates the XML file based on the options you specify in the command. Table 5-3 shows the arguments to New-ADDCCloneConfig.
TABLE 5-3 New-ADDCCloneConfig parameters
Exam Tip
Domain controller cloning is a new feature that is likely to get solid coverage in the exam. Make sure you know the file names and commands for the clone process; and which items will definitely prevent a successful clone, such as DHCP.
The results of running New-ADDCCloneConfigFile on trey-rodc-03 are shown in Figure 5-14.
FIGURE 5-14 The results of the New-ADDCCloneConfigFile cmdlet
The final step to prepare the source computer for cloning is to gracefully shut it down. You can use the GUI, the legacy shutdown.exe command, the Stop-Computer cmdlet, or the Stop-VM cmdlet.
Creating the cloned domain controller
After the source domain controller is gracefully shut down, you can copy its VHDs by using File Explorer, Xcopy.exe, or Robocopy.exe to the new location; or use Hyper-V export. Whichever method you use, you should remove any snapshots prior to cloning, and merge any differencing disks prior to importing or creating the clone domain controller. After the files for the cloned domain controller are copied, you can restart the source domain controller.
Create the new target virtual machine (VM) by using whatever method you prefer. For single-disk VMs with a single network adapter, it’s probably easiest to rename the copied VHD and create a new VM that uses it.
Start the target cloned VM, and the cloning operation automatically completes (see Figure 5-15), based on the settings in the DCCloneConfig.xml file.
FIGURE 5-15 The Virtual Machine Connection to a domain controller being cloned
When the cloning is complete, both the original source domain controller and the new cloned domain controller are in the Cloneable Domain Controllers security group. They should be removed from this group except during active cloning operations.
Thought experiment: Supporting a new branch office
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net, and the company has decided to expand operations to include an East Coast branch office. Initially, this office will be in shared space and be limited to sales and administrative staff, with no full–time IT staff onsite and only a limited bandwidth connection to the main data center.
1. Should you create a separate subdomain for the new office?
2. Does the office need a domain controller? If it does, what kind should it have?
3. Should one of the administrative staff be assigned as a Domain Administrator to support the operations at the new office?
Objective summary
UGMC can speed up local user logons and reduce loads on slow WAN connections where a global catalog server isn’t available.
AD DS uses five operations master roles to support the operation of the forest and domain.
FSMO roles can be transferred to a different domain controller if both the source and target domain controllers are available and communicating.
When a domain controller that holds an operations master role becomes permanently unavailable, the role can be seized by another domain controller.
RODCs enable an improved user experience at remote sites.
RODCs can be prestaged for deployment, allowing them to be automatically promoted without administrator intervention.
In virtual environments, domain controllers can be cloned to quickly create multiple domain controllers that have a known and consistent configuration.
Objective review
1. What commands should you use to prepare a clone of domain controller trey-dc-03? (Choose all that apply.)
A. Get-ADDCCloningExcludedApplicationList -GenerateXML
B. Get-ADDCCloningAllowedList -GenerateXML
C. Get-ADComputer trey-dc-03 | Foreach-Object {Add-ADGroupMember -Identity “Cloneable Domain Controllers” $_.SamAccountName }
D. Get-ADDomainController trey-dc-03 | Foreach-Object {Add-ADGroupMember -Identity “Cloneable Domain Controllers” $_.SamAccountName }
E. New-ADDCCloneConfigFile
2. Server trey-dc-02 hosts all the forest-wide operations master roles. You want to transfer the roles to server trey-dc-04, and are logged in to trey-dc-04 with an account that is a member of the Schema Admins group. What commands can you use to transfer the roles?
A. Move-ADDirectoryServerOperationMasterRole -Identity trey-dc-02 -OperationMasterRole SchemaMaster,InfrastuctureMaster
B. Move-ADDirectoryServerOperationMasterRole -Identity trey-dc-04 -OperationMasterRole SchemaMaster,DomainNamingMaster
C. Move-ADDirectoryServerOperationMasterRole -Identity trey-dc-02 -OperationMasterRole SchemaMaster,DomainNamingMaster
D. Move-ADDirectoryServerOperationMasterRole -Identity trey-dc-04 -OperationMasterRole SchemaMaster,InfrastructureMaster
3. What command can you use to stage an RODC?
A. New-ADDSDomainControllerAccount
B. Install-ADDSDomainController
C. Add-ADDSReadOnlyDomainControllerAccount
D. New-ADDSReadOnlyDomainControllerAccount
Objective 5.3: Maintain Active Directory
Like most features of Windows Server, Active Directory requires routine maintenance to ensure that it performs optimally and is recoverable. This objective covers basic maintenance and backup procedures that are likely to be on the exam.
This objective covers how to:
Back up Active Directory and SYSVOL
Manage Active Directory offline
Optimize an Active Directory database
Clean up metadata
Configure Active Directory snapshots
Perform object- and container-level recovery
Perform Active Directory restore
Configure and restore objects by using the Active Directory Recycle Bin
Backing up Active Directory and SYSVOL
Use the standard Windows Server Backup and the backup command-line tools to create backups that can restore Active Directory and the SYSVOL folder. Windows Server 2012 and Windows Server 2012 R2 support system state, critical-volumes, and full-server backups from the following:
GUI with the Windows Server Backup (wbadmin.msc)
Command line with the wbadmin.exe utility
Windows PowerShell with the WindowsServerBackup module
The Windows Server Backup feature is not installed by default. Use Add Roles And Features in Server Manager or the Install-WindowsFeature cmdlet to add the Windows Server Backup feature. The three key backup types are these:
System state backup A system state backup can be used to recover registry and directory service configuration and data, along with the SYSVOL.
Critical-volumes backup A critical-volumes backup or bare-metal backup can be used to restore in a fail-to-boot scenario as well as to recover Active Directory and the SYSVOL.
Full server backup A full server backup can be used to fully restore a failed server to new hardware. It can also be used for Active Directory restore and SYSVOL restore.
The Wbadmin.exe command line and the WindowsServerBackup Windows PowerShell commands can be used to configure and initiate backups, including system state backups. The Wbadmin.exe syntax is this:
wbadmin.exe /?
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2013 Microsoft Corporation. All rights reserved.
---- Commands Supported ----
ENABLE BACKUP -- Creates or modifies a daily backup schedule.
DISABLE BACKUP -- Disables the scheduled backups.
START BACKUP -- Runs a one-time backup.
STOP JOB -- Stops the currently running backup or recovery
operation.
GET VERSIONS -- Lists details of backups that can be recovered
from a specified location.
GET ITEMS -- Lists items contained in a backup.
START RECOVERY -- Runs a recovery.
GET STATUS -- Reports the status of the currently running
operation.
GET DISKS -- Lists the disks that are currently online.
GET VIRTUALMACHINES -- Lists current Hyper-V virtual machines.
START SYSTEMSTATERECOVERY -- Runs a system state recovery.
START SYSTEMSTATEBACKUP -- Runs a system state backup.
DELETE SYSTEMSTATEBACKUP -- Deletes one or more system state backups.
DELETE BACKUP -- Deletes one or more backups.
The Windows Server Backup Windows PowerShell cmdlets can also be used to configure a backup by creating a WBPolicy object and then modifying it. For a list of the commands in the WindowsServerBackup module, run this:
Get-Command -Mod WindowsServerBackup | Sort Noun,Verb | ft -auto Verb,Noun
Managing Active Directory offline
Some Active Directory tasks can be performed offline, including offline promotion to domain controller and offline defragmentation of the AD DS database. Offline defragmentation is covered in the following “Optimizing an Active Directory database” section.
You can promote a server to be a domain controller by using the Install From Media (IFM) option. First, create the installation media by using Ntdsutil.exe:
Ntdsutil
activate instance ntds
ifm
create [Sysvol] <full/RODC> <pathtomediafolder>
Run the previous commands from an elevated shell with Domain Admin privileges. You can create installation media for an RODC from either a full domain controller or another RODC. However, you can create installation media for a full domain controller only from a full domain controller. You must create the installation media from the same version of Windows Server as the version you want to promote to a domain controller.
After you have the installation media for the IFM option, use the following to promote the server to a domain controller:
$myCred = Get-Credential -Message "Enter your domain credentials"
Install-ADDSDomainController `
-DomainName "TreyResearch.net" `
-Credential $myCred `
-InstallDNS `
-InstallationMediaPath "D:\IFM"
If you are logged in with an account that has Domain Admin privileges, you can skip the credentials. If you are promoting a domain controller that is also a DNS server, the installation media has to be created on a domain controller that is also a DNS server.
Optimizing an Active Directory database
You can optimize an Active Directory database by defragmenting it. Normally, defragmentation automatically occurs online. However, you can do an offline defragmentation to recover space in the AD DS database and optimize it. The tool for offline defragmentation is Ntdsutil.exe. Use the following sequence from an elevated command prompt with Domain Admin credentials on the domain controller where you want to defragment the database:
Net stop NTDS
Ntdsutil.exe
activate instance ntds
files
compact to "<location>"
quit
quit
If the compaction occurred without error, ntdsutil reports success and lists the remaining steps, as shown in Figure 5-16.
FIGURE 5-16 The Ntdsutil.exe sequence for database defragmentation
Once back at the command prompt, copy the existing C:\Windows\ntds\ntds.dit file to a temporary location, just in case, and then delete the log files, as described by the Ntdsutil.exe shell, and copy the compacted ntds.nit file back to C:\Windows\ntds. Use the following Ntdsutil.exe sequence to verify the integrity of the compacted database:
Ntdsutil.exe
activate instance ntds
files
Integrity
If there are no integrity problems with the Active Directory database, ntdsutil.exe reports success and you can type quit and then quit again to exit Ntdsutil.exe. Restart the ntds service by typing net start NTDS.
Cleaning up metadata
With each new version of Windows Server, Active Directory has gotten better at cleaning up lingering metadata from decommissioned domain controllers. With Windows Server 2012 R2, deleting a domain controller that is no longer available usually doesn’t leave any lingering server metadata, but this cleanup requires intervention in some circumstances.
Using Active Directory Users and Computers
If you have to forcibly remove a domain controller that is no longer available, you can use Active Directory Users and Computers to do metadata cleanup. To clean up metadata with Active Directory Users and Computers, follow these steps:
1. Select Domain Controllers in the console tree, right-click the computer object of the domain controller for which you want to clean up the metadata, and click Delete.
2. Click Yes to confirm the deletion.
3. The Deleting Domain Controller dialog box (see Figure 5-17) warns you that you should run the Remove Roles And Features Wizard in Server Manager to remove the domain controller from the domain.
FIGURE 5-17 The Deleting Domain Controller dialog box
4. If the domain controller is no longer available and can’t be restored, select the Delete The Domain Controller Anyway. It Is Permanently Offline And Can No Longer Be Removed Using The Removal Wizard box and click Delete.
5. If the domain controller is a global catalog, you are warned again. Click Yes.
6. If one or more FSMO roles is hosted on the server, you are warned that the roles will be moved to a specific domain controller, as shown in Figure 5-18. You can’t change where the role will be moved to during this process. If you want the role on a different domain controller, transfer the role after the domain controller deletion is complete.
FIGURE 5-18 The Delete Domain Controller dialog box, showing that the Infrastructure master role will be moved
7. Click OK; the domain controller is gone, along with its metadata.
Using Active Directory Sites and Services
You can also use the Active Directory Sites and Services console to clean up metadata. To clean up metadata with ADSS, follow these steps:
1. In the Active Directory Sites and Services console, expand the site where the server is located; then expand the Servers container and select the server name you want to remove.
2. Expand the server name container. If there is an NTDS Settings container, select the container and right-click.
3. Select Delete. In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.
4. In the Deleting Domain Controller dialog box, if the domain controller is no longer available and can’t be restored, select the Delete The Domain Controller Anyway. It Is Permanently Offline And Can No Longer Be Removed Using The Removal Wizard box and click Delete.
5. If the domain controller is a global catalog server, click Yes to confirm the deletion.
6. If the domain controller currently holds one or more operations master roles, click OK to move the role to the domain controller that is shown.
7. Right-click the domain controller that was forcibly removed and click Delete.
8. In the Active Directory Domain Services dialog box, shown in Figure 5-19, click Yes to confirm the deletion.
FIGURE 5-19 The Active Directory Domain Services dialog box
Using Ntdsutil.exe
The third way to clean up metadata is by using the Ntdsutil.exe shell. The exact steps will depend on exactly what vestiges remain and what you’re trying to clean up, but the basic process is this:
1. Start Ntdsutil.exe with an account that has Domain Admin privileges.
2. Enter metadata cleanup to change to the metadata cleanup: prompt.
3. Enter connections to change to the server connections: prompt where you can set the server and domain you’re connected to.
4. Enter connect to domain <fqdn> where <fqdn> is replaced with the fully qualified domain name (FQDN), such as TreyResearch.net.
5. Enter quit to return to the metadata cleanup: prompt.
6. Enter select operation target to change to the select operation target: prompt.
7. From this point on, your path will vary depending on what you’re trying to clean up. You can see a list of current commands at any level of Ntdsutil.exe by pressing ?. And you can exit the current level and return to the previous one by typing quit or simply q.
Configuring Active Directory snapshots
Active Directory snapshots are a point-in-time view of Active Directory, which are created by using the Volume Shadow Copy Service (VSS). You can create a snapshot by using Ntdsutil.exe and then mount it to view the objects and their properties.
To create a snapshot, run the following command from an elevated cmd or Windows PowerShell prompt:
ntdsutil snapshot "activate instance ntds" create "list all" quit quit
This command creates a snapshot of the ntds database and then lists all available snapshots (see Figure 5-20).
FIGURE 5-20 The elevated Windows PowerShell showing Active Directory snapshot creation
You can mount a specific snapshot from its GUID or its index number by using the following command:
Ntdsutil snapshot "activate instance ntds" "list all" "mount 2" quit quit
The result of this command shows that the database was mounted on the C drive at: C:\$SNAP_datetime_VOLUMEC$ where datetime is the date and time of the snapshot you’re mounting. You can now connect to the mounted database using the Dsamain.exe utility:
Dsamain -dbpath "C:\$SNAP_201402251635_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 45000
You can now use Active Directory Users and Computers and other tools to view the content of the snapshot and have a view into Active Directory at the moment it was taken. To connect with Active Directory Users and Computers, for example, follow these steps:
1. Open Active Directory Users And Computers.
2. Select the Active Directory Users And Computers [servername].
3. Right-click and select Change Domain Controller from the context menu.
4. In the Change Directory Server dialog box, click <Type a Directory Server name[port] here> and enter the name of the domain controller and the ldap port number you used with Dsamain (see Figure 5-21). Click OK.
FIGURE 5-21 The Change Directory Server dialog box
5. You now have a complete view of Active Directory Users and Computers at the moment of the snapshot.
Performing object- and container-level recovery
You can use the Ldp.exe utility or Windows PowerShell ADObject cmdlets to restore deleted objects in Active Directory.
To restore a deleted object using Ldp.exe, follow these steps:
1. Open Ldp.exe from an elevated prompt.
2. Select Connect from the Connection menu and enter the name of the server that hosts the forest root domain of your Active Directory. Use port 389.
3. Select Bind from the Connections menu and click OK.
4. Select Controls from the Options menu to open the Controls dialog box shown in Figure 5-22.
FIGURE 5-22 The Controls dialog box of Ldp.exe
5. Select Return Deleted Objects in the Load Predefined list and click OK.
6. Select Tree from the View menu and select the BaseDN from the list, as shown in Figure 5-23. Click OK.
FIGURE 5-23 The Tree View dialog box of Ldp.exe
7. In the console tree, navigate to CN=Deleted Objects and expand it.
8. Select the deleted object you want to recover and select Modify from the Browse menu.
9. In the Modify dialog box, do the following:
A. In the Edit Entry Attribute box, type isDeleted (see Figure 5-24).
FIGURE 5-24 The Modify dialog box
B. Select Delete in the Operation area.
C. Click Enter to move the [Delete]isDeleted item to the Entry List box.
D. In the Edit Entry Attribute box, type distinguishedName.
E. In the Values box, type the original DN of the Active Directory Object.
F. Select Replace in the Operation area and select Extended.
G. Click Enter and then click Run to restore the deleted object.
To restore an object with Windows PowerShell, use the Get-ADObject and Restore-ADObject cmdlets. Use Get-ADObject with the -IncludeDeletedObjects parameter to find and restore deleted objects.
Performing Active Directory restore
There are two types of Active Directory restore: authoritative and non-authoritative. In an authoritative restore, the Active Directory that you restore becomes the authoritative AD for the domain. In a non-authoritative restore, the Active Directory you restore accepts replication changes from the other domain controllers in the domain. The restored Active Directory acts as a seed rather than as the final result. Both types of restore follow a similar set of steps, but in an authoritative restore, the version number of the restored database is set higher than that on other domain controllers.
Performing an authoritative restore
An authoritative restore recovers the Active Directory database to a specific point in time. You can restore the entire database, an entire container, or a single object. Once restored, that data is replicated to all other domain controllers in the domain. Usually an authoritative restore is used to recover from a serious mistake or corruption. In all cases of an authoritative restore, any changes to Active Directory since the snapshot was taken are lost.
Another concern with authoritative restores is the domain trust relationships between workstations and the domain. Computer account passwords are changed automatically every seven days, and a restoration to a snapshot older than seven days can result in workstations being unable to connect to the domain.
To perform an authoritative restore, follow these steps:
1. Power on the domain controller you want to restore and interrupt the boot process to boot to the Advanced Boot Options menu. Or from an elevated prompt on the running domain controller, type bcdedit /set safeboot dsrepair and then reboot the server. This will cause the server to boot into Directory Services Repair mode until changed.
2. Choose Directory Services Repair mode. Windows Server restarts in Safe mode without loading Active Directory.
3. Log on to the Administrator account with the Directory Services Repair mode password and open an elevated command or Windows PowerShell window.
4. Identify the version of backup you want to restore with:
Wbadmin get versions -backuptarget:<backupdrive> -machine:<DCName>
5. After you identify the version identifier for the version you want to restore, use the following command to restore the system state:
Wbadmin start systemstaterecovery -version:<versionID> -backuptarget:<backupdrive> -machine:<DCName>
6. After the restore is complete, open Ntdsutil.exe and type activate instance ntds; then type authoritative restore.
To restore the entire database, type restore database.
To restore a container, type restore subtree <ObjectDN> where <ObjectDN> is the distinguished name of the container to restore,
To restore an individual object, type restore object <ObjectDN> where <ObjectDN> is the distinguished name of the object to restore.
7. Quit out of Ntdsutil.exe, change the bcdedit sequence with bcdedit /deletevalue safeboot if you altered it, and restart the server.
Performing a non-authoritative restore
The steps to perform a non-authoritative restore are the same as the authoritative restore, except that you don’t run Ntdsutil.exe. All your items will now be restored, but any items that have been modified since the time of the backup are overwritten when replication occurs. The primary use case for a non-authoritative restore is when there has been a hardware or software failure on the server, and you need to restore the server and the Active Directory database. In this case, the restored Active Directory database acts as a seed, reducing the amount of replication that has to occur from other domain controllers.
Configuring and restoring objects by using the Active Directory Recycle Bin
Before you can use the Recycle Bin to recover deleted Active Directory objects, you need to first enable the Recycle Bin. The AD DS Recycle Bin requires a Forest functional level of at least Windows Server 2008 R2.
Enabling the Active Directory Recycle Bin is a one-way, one-time process and is not reversible. Enabling the feature requires membership in the Enterprise Admins group or equivalent. You can enable the Recycle Bin by using the Active Directory Administrative Center, by using Ldp.exe, or by using the Enable-ADOptionalFeature cmdlet. The Windows PowerShell command to enable it on the TreyResearch.net domain is the following:
Enable-ADOptionalFeature `
–Identity "Recycle Bin Feature" `
–Scope ForestOrConfigurationSet `
–Target "TreyResearch.net"
To enable it in the Active Directory Administrative Center, select the domain in the left pane and then click Enable Recycle Bin in the right Tasks pane. When prompted, click OK.
To restore a deleted object in the Recycle Bin, select it in the Deleted Objects container of the Active Directory Administrative Center, and select Restore from the Tasks menu, as shown in Figure 5-25.
FIGURE 5-25 The Active Directory Administrative Center
Alternately, you can use Windows PowerShell to locate and restore a deleted object. To restore that same David Hamilton user shown in Figure 5-25, use the following:
Get-ADObject -Filter {Name -like "David*"} -IncludeDeletedObjects | Restore-ADObject
As shown in Figure 5-26, if you search for the David Hamilton object, you don’t find it until you use the -IncludeDeletedObjects parameter. After you restore it with Restore-ADObject, the user object is found.
FIGURE 5-26 The Windows PowerShell Restore-ADObject
Thought experiment: Developing a comprehensive Active Directory backup and recovery plan
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. You have been asked to develop a comprehensive Active Directory backup and recovery plan for the company. You need to include recommendations on backup types and details on how to restore backups in a variety of use cases.
After a series of meetings, you’ve identified several recovery use cases, including major disaster recovery to a new location; total failure of a domain controller, including one holding one or more operations master roles; inadvertent or deliberate deletion of a major portion of Active Directory; and inadvertent or deliberate deletion of individual objects in Active Directory.
1. What solutions would you propose for the total failure of a domain controller that doesn’t hold operations master roles?
2. What solutions would you propose for the recovery of an entire Active Directory container?
3. What solutions would you propose for the recovery of individual objects in Active Directory?
Objective summary
Windows Server Backup can be used to create system state backups as well as critical files and full server backups. All three types can be used to restore Active Directory.
The legacy command line for Windows Server Backup is wbadmin.exe, and there is a full set of Windows PowerShell cmdlets as well.
Use Install From Media to do an offline domain controller promotion. Create the media in Ntdsutil.exe and use Install-ADDSDomainController with the -InstallationMediaPath parameter.
Use offline defragmentation to optimize the Active Directory database.
Use Active Directory snapshots to take a point-in-time view of Active Directory.
Use Ldp.exe or the ADObject cmdlets to perform an object-level or container-level recovery.
Use an authoritative Active Directory restore to recover to a specific point in time.
Use a non-authoritative Active Directory restore to recover from hardware or software failure.
Enable and use the Active Directory Recycle Bin to restore deleted objects or containers.
Objective review
1. What command or tool do you use to enable the Active Directory Recycle Bin?
A. Ntdsutil.exe
B. Active Directory Users and Computers
C. Active Directory Sites and Services
D. Enable-ADOptionalFeature
2. What tools or commands do you use to create and mount an Active Directory snapshot? (Choose two.)
A. ntdsutil snapshot “activate instance ntds” create “list all” quit quit
B. ntdsutil create snapshot “activate instance ntds” “list all” quit quit
C. Ntdsutil snapshot “activate instance ntds” “list all” “mount 2” quit quit
D. Ntdsutil snapshot “activate instance ntds” “mount 2” quit quit
3. You accidentally delete a user account in Active Directory. What can you do to correct the problem and provide the user full access to their files?
A. Do a non-authoritative restore of Active Directory.
B. Enable the Active Directory Recycle Bin and restore the deleted user object.
C. Re-create the user with the exact same name, email, and SAM account name.
D. Restore the deleted object with Ldp.exe.
Objective 5.4: Configure account policies
Windows Server has traditionally had a single password policy and a single account lockout policy for an entire domain, but with Windows Server 2008, Microsoft introduced fine-grained account policies, making it possible to assign different policies to different sets of users in a domain. In Windows Server 2012, these policies can be set by using the graphical Active Directory Administrative Center or by using Windows PowerShell.
This objective covers how to:
Configure domain user password policy
Configure and apply Password Settings Objects (PSOs)
Delegate password settings management
Configure local user password policy
Configure account lockout settings
Configure Kerberos policy settings
Configuring domain user password policy
The domain user password policy applies to all users in the domain except where specific Password Settings Objects (PSOs) have been assigned. You can set the Default Domain Password Policy by using the Group Policy Management Console (GPMC) or the Set-ADDefaultDomainPasswordPolicy cmdlet.
To set the Default Domain Password Policy by using the GPMC, follow these steps:
1. Open the GPMC and select Default Domain Policy in the Group Policy Objects container for the domain.
2. Click the Settings tab to see the current settings.
3. Right-click the Default Domain Policy and select Edit from the menu to open the Group Policy Management Editor.
4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Settings.
The six settings are shown in Table 5-4.
TABLE 5-4 Default Domain Password Policy settings
To set the Default Domain Password Policy by using Windows PowerShell, use the Set-ADDefaultDomainPasswordPolicy cmdlet. For example, to set the Default Domain Password Policy to a minimum of 10 characters without changing other policies, use this:
Get-ADDefaultDomainPasswordPolicy `
| Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 10
Configuring and applying Password Settings Objects
Password Settings Objects (PSOs) are part of the fine-grained account policies introduced in Windows Server 2008. The Active Directory Administrative Center was introduced in Windows Server 2008 R2 and provides a graphical way to configure and apply PSOs. PSOs can also be configured and applied by using the ADFineGrainedPasswordPolicy and ADFineGrainedPasswordPolicySubject sets of cmdlets.
Creating a PSO
To create a PSO by using the Active Directory Administrative Center, follow these steps:
1. Select the Domain (Local) node in the console tree and then double-click the System object in the details pane.
2. Select the Password Settings Container in the System details pane and then click New, Password Settings (as shown in Figure 5-27).
FIGURE 5-27 The Active Directory Administrative Center
3. On the Create Password Settings page, shown in Figure 5-28, enter the specific settings for this password policy. The items that are required are identified by large asterisks.
FIGURE 5-28 The Create Password Settings page
4. Optionally, click Add to apply the new PSO to one or more specific security groups.
5. Click OK to create the PSO.
To see the Windows PowerShell for the PSO creation, click Windows PowerShell History at the bottom of the Active Directory Administrative Center. The Windows PowerShell for the PSO creation shown in Figure 5-28 is the following:
New-ADFineGrainedPasswordPolicy `
-ComplexityEnabled:$true `
-description:"Set minimum 12 character passwords for all Finance users, with a
minimum 2 days between changes." `
-LockoutDuration:"00:30:00" `
-LockoutObservationWindow:"00:30:00" `
-LockoutThreshold:"0" `
-MaxPasswordAge:"42.00:00:00" `
-MinPasswordAge:"2.00:00:00" `
-MinPasswordLength:"12" `
-Name:"Finance Users Pwd Policy" `
-PasswordHistoryCount:"24" `
-Precedence:"10" `
-ReversibleEncryptionEnabled:$false `
-Server:"trey-dc-02.TreyResearch.net"
Note that when capturing the Windows PowerShell used for an action in the Active Directory Administrative Center, a verbose version of the command is captured. You can use the New-ADFineGrainedPasswordPolicy cmdlet by setting only the items you want to change from the Default Domain Policy. So, for example, you could create a new “Domain Admins Policy” with the following command:
New-ADFineGrainedPasswordPolicy `
-Name "Domain Admins Policy" `
-MinPasswordLength 10 `
-Precedence 20 `
-LockoutThreshold 5
If you want to use an existing PSO as a template for a new policy, use Get-ADFineGrainedPasswordPolicy and pipe it to New-ADFineGrainedPasswordPolicy.
Applying a PSO
After you have a PSO, you can apply it to sets of users as appropriate. For example, I created a Domain Admins Policy previously, but it doesn’t actually apply the policy to Domain Admins. For that you have to use the Active Directory Administrative Center or the Add-ADFineGrainedPasswordPolicySubject cmdlet.
To add a group to an existing PSO, follow these steps:
1. Open the Active Directory Administrative Center and select Domain (Local) in the left pane.
2. Navigate to the container or OU where the group resides and then double-click the container or OU.
3. Select the group in the details pane and then click Properties in the Tasks pane to open the page for the group.
4. Click Password Settings in the left pane, as shown in Figure 5-29, and then click Assign.
FIGURE 5-29 The Domain Admins page of the Active Directory Administrative Center
5. Click Assign to open the Select Password Settings Object dialog box and enter the PSO to assign to the group, or click Advanced to search for the PSO.
6. Click OK and then click OK again to add the PSO to the group.
To add a policy called “Domain Users Policy” to the global security group “Domain Users”, use the following command:
Add-ADFineGrainedPasswordPolicySubject `
-Subjects "Domain Users" `
-Identity (Get-ADFineGrainedPasswordPolicy `
-Filter {name -eq "Domain Users Policy" }).DistinguishedName
Resultant password settings
You can view the results of fine-grained password policies by selecting the user in the Active Directory Administrative Center and clicking View Resultant Password Settings, or us the Get-ADUserResultantPasswordPolicy cmdlet. This cmdlet accepts a variety of forms for the -Identity parameter, or you can use Get-ADUser and pipe the result to the Get-ADUserResultantPasswordPolicy cmdlet:
Get-ADUser -Identity "Charlie" | Get-ADUserResultantPasswordPolicy
AppliesTo : {CN=Domain Admins,CN=Users,DC=TreyResearch,DC=net}
ComplexityEnabled : True
DistinguishedName : CN=Domain Admins Policy,CN=Password Settings Container,CN=
System,DC=TreyResearch,DC=net
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 5
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 10
Name : Domain Admins Policy
ObjectClass : msDS-PasswordSettings
ObjectGUID : 89a03866-756d-4bd1-9835-5553b6e221de
PasswordHistoryCount : 24
Precedence : 20
ReversibleEncryptionEnabled : False
The lower the precedence of the PSO, the higher the priority. If a user is subject to two PSOs, one with a precedence of 50 and one with a precedence of 100, the PSO with a precedence of 50 will be the password setting that is applied to the user.
Removing a PSO
You can remove a PSO with Remove-ADFineGrainedPasswordPolicy or by using the Active Directory Administrative Center. When you remove a policy, any groups that have the policy assigned to them revert to the appropriate GPO policy (usually the Default Domain Policy) or to the lowest-precedence PSO if the group had multiple PSOs assigned to it.
Delegating password settings management
To delegate the ability to set passwords, follow these steps:
1. Open Active Directory Users and Computers.
2. Select the OU or container for which you want to delegate control.
3. Right-click and choose Delegate Control to open the Delegation of Control Wizard.
4. Click Next on the opening screen and then click Add on the Users Or Groups page.
5. In the Select Users, Computers, Or Groups dialog box, enter the group to which you want to delegate control. Click Check Names to verify that it is typed correctly, or click Advanced to search for the user or group of users.
6. Click OK to return to the Users Or Groups page of the Delegation Of Control Wizard.
7. Click Next to open the Tasks To Delegate page, as shown in Figure 5-30.
FIGURE 5-30 The Tasks To Delegate page of the Delegation of Control Wizard
8. Select Reset User Passwords And Force Password Change At Next Logon, click Next, and then click Finish.
Configuring local user password policy
The local user password policy is inherited from the Default Domain Policy and can’t be overridden for domain joined computers. If you have to set a different local user password policy for a subset of computers, place those computers in a separate OU and define the password policy for that OU. For example, TreyResearch.net has an OU named Win81 with two computers in it. I defined a password policy and linked it to that OU, as shown in Figure 5-31.
FIGURE 5-31 The Group Policy Management console
The Win81 Password Policy has a more relaxed password policy with a Maximum Password Age of 70 days, a Minimum Password Age of 0 days, and a Minimum Password Length of 7 characters. All other settings it inherits from the Default Domain Policy. As shown in Figure 5-32, this policy has been set on computers in the Win81 OU.
FIGURE 5-32 The Local Group Policy Editor on Trey-Win81-21
The password policies set on the computer trey-win81-21, a member of the Win81 OU, are a combination of the Default Domain Policy (where the policy is Not Defined in the Win81 Password Policy) and the policies of the Win81 Password Policy (where they were Enabled).
Configuring account lockout settings
You configure the default account lockout settings as part of the Default Domain Policy. The domain account lockout policy applies to all users in the domain except where specific PSOs have been assigned. You can set the Default Domain Account Lockout Policy by using the GPMC or the Set-ADDefaultDomainPasswordPolicy cmdlet.
To set the Default Domain Password Policy by using GPMC, follow these steps:
1. Open the GPMC and select Default Domain Policy in the Group Policy Objects container for the domain.
2. Click the Settings tab to see the current settings.
3. Right-click the Default Domain Policy and select Edit from the menu to open the Group Policy Management Editor.
4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. The three policies are these:
Account Lockout Duration Sets the duration of lockout before an account automatically unlocks.
Account Lockout Threshold Configures the number of failed logon attempts before the account is locked. When set to 0, the account will never be locked out.
Reset Lockout Counter The time before the failed account logon counter is reset to 0. Must be set to less than or equal to the account lockout duration.
To set the Default Domain Account Lockout Policy by using Windows PowerShell, use the Set-ADDefaultDomainPasswordPolicy cmdlet. For example, to set the Default Domain Account Lockout Policy to a threshold of 10 failed logon attempts to lockout accounts, use this command:
Get-ADDefaultDomainPasswordPolicy `
| Set-ADDefaultDomainPasswordPolicy -LockoutThreshold 10
You can also set fine-grained account lockout policies as part of creating and applying PSOs.
Configuring Kerberos policy settings
The default Kerberos policy settings are set as part of the Default Domain Policy. There are five Kerberos policy settings:
Enforce User Logon Restrictions When enabled, the Kerberos V5 Key Distribution Center (KDC) validates every session ticket request against the user rights policy. The default value is Enabled.
Maximum Lifetime For Service Ticket The maximum time (in minutes) that a service ticket is valid to access a particular service. The default is 600 minutes.
Maximum Lifetime For User Ticket The maximum time (in hours) that a ticket granting ticket is valid. The default is 10 hours.
Maximum Lifetime for User Ticket Renewal The maximum amount of time (in days) that a ticket granting ticket can be renewed. The default is seven days.
Maximum Tolerance For Computer Clock Synchronization The maximum difference (in minutes) between a client clock and a domain controller clock that is allowed before a timestamp is considered not authentic. The default is five minutes.
Thought experiment: Enabling fine-grained password policies
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. The Default Domain Password Policy is for a minimum 8-character password with enforced complexity that is changed at least once per quarter. Management determines that this policy is insufficient for users with access to sensitive information, including Human Resources, Finance, and Administration users, as well as key management personnel in Engineering. It has mandated that a minimum password length of 15 characters and a maximum age of 35 days is necessary and appropriate while further research is done on the cost and suitability of moving to two-factor authentication (TFA). You need to implement these changes without affecting other users.
1. What options do you have for giving these users password policies different from the default policy?
2. How would you implement this change?
Objective summary
The Default Domain Policy sets the baseline for all other password policies.
Individual PSOs can be assigned to security groups in Active Directory.
You can see the resultant password setting for an object with the Active Directory Administrative Center.
Account lockout policies are set with the Default Domain Policy and any additional PSOs that apply.
Use the Delegation of Control Wizard in the Active Directory Users and Computers to delegate password resetting permission.
Objective review
1. What commands or tools would you use to set a default lockout setting?
A. From an elevated prompt on the PDC Emulator, type GPEdit.msc.
B. From an elevated prompt on the client computer, type GPEdit.msc.
C. From an elevated Windows PowerShell prompt, run Set-ADDefaultDomainPasswordPolicy.
D. From an elevated Windows PowerShell prompt, run Set-ADAccountExpiration.
2. Some users are reporting that they can’t log on to the domain. You suspect a Kerberos issue. What settings can you change to temporarily alleviate the problem?
A. Set the Default Domain Policy for Maximum Tolerance For Computer Clock Synchronization to 10.
B. Set the Default Domain Policy for Maximum Tolerance For Computer Clock Synchronization to 0.
C. Change the Enforce User Logon Restrictions policy to Disabled.
D. Change the Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Lockout Threshold to 0.
3. Remote sales users complain that they frequently need to run with a local account on their laptops, but they are still subject to the Domain Password Policy that requires them to change their password every 40 days. Upon consultation with management, there is agreement that a 70-day policy for salespeople is appropriate. How would you implement this new policy? (Choose all that apply.)
A. Create a Sales OU and then use the Set-ADAccountExpiration cmdlet.
B. Create a Sales OU and then use the Set-ADFineGrainedPasswordPolicy cmdlet
C. Create a Sales security group and then use the Set-ADFineGrainedPasswordPolicy cmdlet.
D. Create a Sales security group and then use the New-ADFineGrainedPasswordPolicy and Add-ADFineGraintPasswordPolicySubject cmdlets.
Answers
This section contains the solutions to the thought experiments and answers to the lesson review questions in this chapter.
Objective 5.1: Thought experiment
1. Correct answer: D. Because you want to run this as a scheduled task, it needs to run as a gMSA, not a stand-alone MSA. Virtual accounts would not have access to network resources without giving the entire computer account access.
2. Because you’re running a gMSA, you have to initialize the KDS root key with Add-KDSRootKey, if it hasn’t been done already. If it has been done, no additional initialization needs to be done.
3. Because the script will run as a scheduled job, it won’t have access to the console. You need to ensure that output is redirected appropriately and that no user input is required. Also, ensure that you explicitly set any necessary environmental variables inside the script.
Objective 5.1: Review
1. Correct answer: C
A. Incorrect. This tool could be used to create a local service account only.
B. Incorrect. This tool could be used to create a domain service account.
C. Correct. This command creates a new MSA with the -Standalone parameter.
D. Incorrect. This command installs the service account on a computer, but doesn’t create it.
E. Incorrect. This command assigns a service account to a computer, but doesn’t create it.
2. Correct answer: B
A. Incorrect. This command adds an object to an Active Directory group.
B. Correct. This command installs the service account onto the computer that will use it.
C. Incorrect. This command doesn’t exist. Instead of simply adding the account, you’re actually installing it.
D. Incorrect. This command doesn’t exist. There is a Windows PowerShell Add-ADComputerServiceAccount cmdlet, but it only assigns the account as available to the computer; it doesn’t actually install it on the computer.
3. Correct answer: B
A. Incorrect. The Set-Service cmdlet does not allow you to set the account that the service runs as.
B. Correct. In the Services console, you can set the Log On As property for the service.
C. Incorrect. You do not need to create an account; it already virtually exists.
D. Incorrect. You don’t need to assign an account to the computer; it already virtually exists.
Objective 5.2: Thought experiment
1. No. Creating a separate subdomain would increase the administrative overhead for a small office. Without local IT support, you’d also likely need to assign a Domain Administrator in the branch office, increasing the security risks.
2. Maybe. Depending on the number of users, the level of connectivity, and the users’ tolerance for delays, there are several possible scenarios for the branch office running in shared space, including using a Remote Desktop Session Host (RDSH) server. But in most cases, having a local domain controller improves the overall responsiveness perception of the users. The domain controller should be configured as an RODC because of the shared space and lack of a local administrator.
3. No. You can give delegated authority to manage the RODC to one of the administrative staff without promoting them to a Domain Administrator. They can log on locally to the RODC to perform maintenance operations, but any Active Directory write operations are redirected to the domain controllers in the main datacenter.
Objective 5.2: Review
1. Correct answers: A, C, E
A. Correct. This command generates the CustomDCCloneAllowList.xml file.
B. Incorrect. This command doesn’t exist. The Windows PowerShell Get-ADDCCloningExcludedApplicationList cmdlet is used to identify applications to exclude from testing by adding to the CustomDCCloneAllowList.xml file.
C. Correct. This command adds the computer account to the Cloneable Domain Controllers group, allowing it to be cloned.
D. Incorrect. The Get-ADDomainController command does not provide the correct input object to the Add-ADGroupMember cmdlet.
E. Correct. This command generates the DCCloneConfig.xml file that is used to control the cloning of the domain controller.
2. Correct answer: B
A. Incorrect. This command has the source domain controller in the Identity parameter; it should be the target. And it is moving the Infrastructure Master role, which is a domain-wide role.
B. Correct. This command moves the two forest-wide roles to server trey-dc-04.
C. Incorrect. This command has the source domain controller in the Identity parameter, it should be the target.
D. Incorrect. This command has the correct target domain controller, but is moving the Infrastructure master role, which is a domain-wide role, not a forest-wide role.
3. Correct answer: C
A. Incorrect. This command doesn’t exist.
B. Incorrect. This command is used to do an online install of a domain controller, including an RODC controller. It is not used with a staged RODC.
C. Correct. This is the correct command to create a new staging account for an RODC.
D. Incorrect. This command doesn’t exist.
Objective 5.3: Thought experiment
1. The full server backup of a domain controller can be restored as a non-authoritative restore when it doesn’t hold the operations master roles. You can do a full, bare-metal restore of the server and let normal replication complete the restoration by updating any Active Directory objects that have changed since the backup was made. If the server holds operations master roles, especially if you have had to seize the roles since the backup was made, you should rebuild the server from scratch and promote it to a domain controller again. You should never try to restore a server that has had the roles seized.
2. The easiest solution is an authoritative restore of the domain controller, in which you restore the subtree of Active Directory that was deleted. Alternately, restoring from the Active Directory Recycle Bin is a good alternative if it is enabled.
3. For individual objects, using the Active Directory Recycle Bin is the easiest solution if you’ve enabled it in your environment. If you haven’t enabled the Recycle Bin, you can use Ldp.exe or the ADObject cmdlets. Use Get-Help ADObject to get a list of the available ADObject cmdlets.
Objective 5.3: Review
1. Correct answer: D
A. Incorrect. Ntdsutil.exe can’t be used to enable the Active Directory Recycle Bin.
B. Incorrect. Active Directory Users and Computers can’t be used to enable the Active Directory Recycle Bin.
C. Incorrect. ADSS can’t be used to enable the Active Directory Recycle Bin.
D. Correct. Enable-ADOptionalFeature can be used to enable the Active Directory Recycle Bin. Ldp.exe and Active Directory Administrative Center at the other two ways to enable it.
2. Correct answers: A, C
A. Correct. This command will create a new snapshot and list all of the snapshots of the ntds database.
B. Incorrect. This command doesn’t work because you can’t create a snapshot until you are in the snapshot context.
C. Correct. This command enters the snapshot context, activates the NTDS instance, lists the available snapshots, and then mounts the most recent with “mount 2”. The list command is required to establish the index number.
D. Incorrect. This command doesn’t work because the mount command doesn’t know what the index is to mount without a list command.
3. Correct answer: D
A. Incorrect. A non-authoritative restore sees the restored object overwritten by the deleted object because the current update sequence number (USN) of the restored object is lower than the current objects.
B. Incorrect. If the Recycle Bin were already enabled, you could use it to restore the deleted object. But the Recycle Bin doesn’t know about deleted objects that were deleted before it was enabled.
C. Incorrect. The re-created user will be a new user with a different SID.
D. Correct. You can use Ldp.exe or Windows PowerShell to restore the deleted object.
Objective 5.4: Thought experiment
1. You have two ways to accomplish the mandated change.
You could create a new domain with a new Default Domain Policy. But doing this creates significant additional overhead and requires additional server resources. It is also likely to be more than a little disruptive.
Create a PSO and apply it to the users.
2. Assuming that the users are currently each in their own security groups based on their department, you could simply apply the PSO to each of the security groups. But a cleaner solution might be to create an Enhanced Password Security group with the users in it. You then have a single place to manage this policy and the users, and it gives you a good test group for the new TFA policy if that’s what you decide to implement.
Objective 5.4: Review
1. Correct answer: C
A. Incorrect. This command enables you to change the local security policy on the domain controller.
B. Incorrect. This command enables you to change the local security policy on the local computer.
C. Correct. This command enables you to change the Default Domain Policy for the domain.
D. Incorrect. Controls account expiration for an individual account; it has nothing to do with domain lockout policies.
2. Correct answer: A
A. Correct. This changes the amount of time a client computer can be out of sync with the domain controller to 10 minutes instead of 5 minutes. That should be enough time to resolve the issue temporarily, but you have to determine what the root cause is for computers getting out of sync.
B. Incorrect. This makes the problem worse. Setting to 0 doesn’t disable the policy.
C. Incorrect. This doesn’t affect the clock settings.
D. Incorrect. This has nothing to do with the Kerberos settings and only sets the number of failed logon attempt before the account is locked out.
3. Correct answer: D
A. Incorrect. Creating a Sales OU is a possible first step, but then you would need to create a specific password expiration policy that was linked to that OU.
B. Incorrect. Creating a Sales OU is a possible first step, but then you would need to create a specific password expiration policy that was linked to that OU.
C. Incorrect. Creating a Sales security group is a possible first step, but you can’t attach a fine-grained password policy by using the New-ADFineGrainedPasswordPolicy, and then Set-ADFineGrainedPasswordPolicy.
D. Correct. After you create the Sales security group and assign the Sales users to the group, you can create a new fine-grained password policy with New-ADFineGrainedPasswordPolicy and then assign the Sales security group to that policy with Add-ADFineGraintPasswordPolicySubject.
Chapter 6. Configure and manage Group Policy
Group Policy is at the core of computer and user management in the Active Directory domain environment. With each release of Windows Server, the options and flexibility of Group Policy have improved. This chapter covers the configuration and management of Group Policy and how to ensure that it does what you want it to.
Objectives in this chapter:
Objective 6.1: Configure Group Policy processing
Objective 6.2: Configure Group Policy settings
Objective 6.3: Manage Group Policy Objects (GPOs)
Objective 6.4: Configure Group Policy Preferences (GPP)
Objective 6.1: Configure Group Policy processing
The processing order and the filtering of Group Policy control which policies are applied to which users and computers. By understanding and controlling the processing order, you can understand and control which policies have the final impact on a given Active Directory object. Local Group Policy is processed first; then each Active Directory level is processed from the farthest away from the object (the site) to the closest to the object (the organizational unit [OU]). This processing order is known as LSDOU: Local, Site, Domain, Organizational Unit.
This objective covers how to:
Configure processing order and precedence
Configure blocking of inheritance
Configure enforced policies
Configure security filtering and Windows Management Instrumentation (WMI) filtering
Configure loopback processing
Configure and manage slow-link processing and Group Policy caching
Configure client-side extension (CSE) behavior
Force Group Policy updates
Configuring processing order and precedence
Multiple Group Policy Objects (GPOs) can be linked to the same site, domain, or organizational unit (OU), and OUs inherit GPOs from higher-level containers. GPOs are processed serially, with local computer Group Policy processed first. Inherited GPOs are then processed, unless they are blocked or enforced (see the sections entitled “Configuring blocking of inheritance” and “Configuring enforcement of inheritance” later in this chapter). The GPOs linked directly to the domain or OU are processed in the order they are linked; then enforced GPOs are processed. Where multiple GPOs are configuring the same Group Policy setting, the last one processed controls the setting. You can control the order of linking for an OU or domain, as well as controlling inheritance to some extent. You can block inheritance at the domain or OU level, but where the higher-level link to the GPO is set to Enforced, the inheritance can’t be blocked and enforced links are the last processed—again, in the reverse link order.
To see the order of linked GPOs, use the Group Policy Management Console (GPMC). Select the domain or OU for which you want to see the link order in the console tree, and then select the Linked Group Policy Objects tab in the details pane, as shown in Figure 6-1.
FIGURE 6-1 The Group Policy Management Console
To change the link order, select a link in the Linked Group Policy Objects pane and then use the arrow buttons on the left to move the order up or down, as desired. Move a linked GPO to a lower Link Order number to have it processed later. Thus a GPO with a Link Order of 1 will be processed after a GPO with a Link Order of 2; and if both GPOs have a policy configuration for the same setting, the GPO with a Link Order of 1 will be the controlling GPO.
Remember that policy settings can also be inherited. To see all the GPOs that affect a given OU or domain, use the GPMC and follow these steps:
1. Expand the console tree of the GPMC and select the OU or domain for which you want to see the GPOs.
2. In the details pane, select the Group Policy Inheritance tab, as shown in Figure 6-2.
FIGURE 6-2 The Group Policy Management Console showing the Group Policy Inheritance tab
3. The GPOs are shown in the order of precedence, with the inherited but not enforced GPO at the bottom of the list, and the enforced GPO at the top of the list.
Configuring blocking of inheritance
Normally, organizational units (OUs) inherit Group Policy from higher sites, domains, or OUs. However, you can block this inheritance in the GPMC by following these steps:
1. Open the GPMC and expand the console tree to display the domain for which you want to change inheritance.
2. To block inheritance for the entire domain and all its OUs, right-click the domain name and select Block Inheritance from the menu.
3. To block inheritance for an OU, expand the domain and then right-click the OU and select Block Inheritance from the context menu, as shown in Figure 6-3.
FIGURE 6-3 Blocking inheritance
Note: Enforced GPOs
GPO links that are set to Enforced can’t be blocked from inheritance. When you block inheritance to a domain or OU, unenforced GPOs are not inherited by the domain or OU, but GPOs that are set to Enforced are still inherited.
Configuring enforced policies
Typically, GPOs are processed in their link order, and if two GPOs configure the same setting, the GPO that is processed last will control the setting. But when a GPO is set to Enforced, it is always processed and can’t be blocked.
To set a GPO to Enforced, select the link in the GPMC, either in the console tree or in the Linked Group Policy Objects tab in the details pane, and select Enforced from the context menu, as shown in Figure 6-4.
FIGURE 6-4 Selecting the Enforced option
Configuring security filtering and Windows Management Instrumentation filtering
A GPO usually applies to all members of the object it is linked to, but you can filter which objects are affected by the GPO by using a security filter or by using a WMI filter. The filter is applied to the GPO, not to the link.
To apply a security filter to a GPO, follow these steps:
1. Open the GPMC and expand the console tree to display the domain for which you want to set a security filter on a GPO.
2. Select the GPO to which you want to apply the filter.
3. In the details pane, select the Scope tab.
4. Click Add in the Security Filtering section to open the Select User, Computer, Or Group dialog box.
5. Enter the object names to select or click Advanced to search for them, as shown in Figure 6-5.
FIGURE 6-5 The Select User, Computer, Or Group dialog box
6. Click OK after you enter the security group, user, or computer to apply the filter to.
7. Select Authenticated Users and click Remove.
To link a WMI filter to a GPO, follow these steps:
1. Open the GPMC and expand the console tree to display the domain for which you want to link a WMI filter to a GPO.
2. Select the GPO you want to filter.
3. Select the WMI filter from the This GPO Is Linked To The Following WMI Filter drop-down list.
Before you can use a WMI filter, you need to create it. You can do the following:
Create a new filter You can create a new filter by following these steps:
1. In the GPMC, expand the console tree for the domain and forest in which you want to create the filter.
2. Right-click the WMI Filters container and select New from the menu.
3. Type a name and description for the new WMI filter and then click Add.
4. Enter the Namespace to use or Browse to select one.
5. Type the query you want to use, as shown in Figure 6-6. Click OK and then click Save to save the WMI filter.
FIGURE 6-6 The WMI Query dialog box
Export a filter You can export a WMI filter by right-clicking the filter and selecting Export from the menu. Filters are saved as .mof files.
Import a filter You can import a previously saved filter by right-clicking the WMI Filters container of the domain where it resides in the console tree of the GPMC and selecting Import from the menu.
Copy a filter You can use Copy and Paste with WMI filters by selecting the filter, right-clicking, and selecting Copy. Then right-click the WMI Filters container for the domain you want to copy the filter to and selecting Paste from the menu.
Configuring loopback processing
Normal GPO processing follows the LSDOU rule—Local, Site, Domain, OU. Loopback pro-cessing allows different GPO user settings to apply based on which computer the user logs on to.
You can enable loopback processing of user mode settings by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode policy. When set to Enabled, you can choose one of two modes:
Merge mode When set, user settings in the Computer Configuration section of the GPO are combined with settings in the User Configuration section of the GPO. When there is a conflict, the Computer Configuration setting takes precedence.
Replace mode When set, user settings in the Computer Configuration section of the GPO replace any user settings normally applied to the user in the User Configuration section.
Configuring and managing slow-link processing and Group Policy caching
When you log on to a domain-joined computer and a network is present, the computer contacts a domain controller to get the latest GPOs. If the computer is connected by a typical fast network connection, all the GPO settings are processed by the client. However, if the client detects that the link to the domain controller is a slow link, only the most important GPO settings are processed. By default, a slow link is defined as a connection speed of 500 Kbps per second or less. You can configure this threshold by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Group Policy Slow Link Detection setting.
Exam Tip
There is a related slow-link setting of Disable Detection Of Slow Network Connections that is at a slightly different path in Group Policy at Computer Configuration/Policies/Administrative Templates/System/User Profiles. When this policy is enabled, slow links are not detected, changes you make to the link detection threshold are ignored, and all Group Policy settings are processed. Just the sort of thing exam writers love to leverage.
The settings that are not downloaded when a slow link is detected are these:
Disk quotas
Scripts
Folder redirection
Software installation
Network policies for wired and wireless networks
Internet Explorer maintenance extension
Not included in this list in Windows 8.1 and Windows Server 2012 R2 are drive mappings. They used to be processed as foreground client-side extensions (CSEs), but are now processed in the background, allowing logon to occur without all the Group Policy drive mapping preferences being completed before the logon is allowed to complete.
Group Policy caching is new in Windows Server 2012 R2 and Windows 8.1, and is enabled by default. Group Policy caching stores a copy of policies on the local machine to speed up synchronous foreground processing of GPOs. Caching affects only Windows 8.1; it does not change processing in Windows Server 2012 R2. Windows Server always processes synchronously and never caches unless the Computer Configuration/Administrative Templates/System/Group Policy/Enable Group Policy Caching For Servers policy is enabled.
Group Policy caching doesn’t affect asynchronous or background processing. You can disable Group Policy caching by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Group Policy Caching policy to Disabled. If left Not Configured, caching is enabled. If set to Enabled, you can set the value to detect a slow link, and the timeout value before Group Policy will decide that you’re not connected to the domain network.
Configuring client-side extension (CSE) behavior
CSEs run on the Windows computer to interpret some of the Group Policy Preferences. CSEs (typically .dll files) do the actual processing and applying of preferences at the destination computer. You can configure the processing of CSEs by configuring the applicable policies in Computer Configuration/Policies/Administrative Templates/System/Group Policy. The policies that control CSEs are shown in Table 6-1.
TABLE 6-1 Group Policy settings for CSEs
Forcing Group Policy updates
New in Windows Server 2012 is the capability to force a Group Policy update on a remote computer without having to log on to that computer. You can do this from Windows PowerShell with the Invoke-GPUpdate cmdlet or directly in the GPMC.
The Invoke-GPUpdate cmdlet accepts a -Computer parameter that enables you to specify the specific computer on which to force the update. So to force a synchronous update at the next user logon of only the User Configuration preferences on server trey-wds-11, for example, use the following command:
Invoke-GPUpdate -Computer trey-wds-11 -Target User -Sync -LogOff
To force a Group Policy update from the GPMC, right-click the OU for which you want to trigger the update and select Group Policy Update from the menu, as shown in Figure 6-7.
FIGURE 6-7 Invoking a Group Policy update
Click Yes at the confirmation screen, and the policy will be updated on the computers in that OU.
Thought experiment: Configuring drive maps
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. Mobile users have a mix of Windows 7, Windows 8, and Windows 8.1 computers. The company has a legacy application that is used by the entire sales force, as well as selected others. The application is configured to expect sales data to be located on drive S:\, although it can work from cached data. Updates to the cached data have previously required trips to the main office or one of the branch offices.
At your suggestion, TreyResearch implemented DirectAccess to improve the overall experience of remote users, especially the sales team. It has generally worked well, but users complain that they still sometimes need to come into one of the offices to update their cached data for the legacy application.
1. Your first attempt to correct the issue is to enable the Change Group Policy Processing To Run Asynchronously When A Slow Network Connection Is Detected Group Policy setting. Doing so makes the problem worse, however. Why does that happen?
2. You quickly disable the problem setting in Group Policy. What other Group Policy settings might improve the situation?
3. After enabling the Configure Direct Access Connections As A Fast Network Connection setting, some users report the problem resolved, whereas others complain that they are still experiencing intermittent problems. Why?
Objective summary
Although the basic order of GPO processing is LSDOU: Local, Site, Domain, and OU, you can control the order of linked policies.
You can block inheritance of policies, but Enforced policies can’t be blocked.
You can fine-tune which computers or users a policy is applied to by using security or WMI filters.
To ensure a consistent and predictable user experience in lab or kiosk environments, use loopback processing.
Some policies are not processed over slow links.
Group Policy caching is a new feature of Windows 8.1 and Windows Server 2012 R2 designed to improve logon times for some instances.
Beginning in Windows Server 2012 and Windows 8, you can now force a remote Group Policy update.
Objective review
1. You need to configure training lab computers to allow users to log on with their own accounts, but still provide a consistent look and experience for the lab, regardless of departments the users are normally in. What Group Policy settings should you use?
A. Set Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode to Merge Mode. and configure the Computer Configuration/Preferences/Windows Settings and Control Panel Settings.
B. Set Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode to Merge Mode, and configure the User Configuration/Preferences/Windows Settings and Control Panel Settings.
C. Set Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode to Replace Mode, and configure the Computer Configuration/Preferences/Windows Settings and Control Panel Settings.
D. Set Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode to Replace Mode, and configure the User Configuration/Preferences/Windows Settings and Control Panel Settings.
2. How do you force a remote Group Policy update on the Computer Configuration of Trey-Srv-12?
A. Force-GPUpdate -Computer -Sync -Target Trey-Srv-12
B. Force-GPUpdate -Computer Trey-Srv-12 -Target Computer
C. Invoke-GPUpdate -Computer -Sync -Target Trey-Srv-12
D. Invoke-GPUpdate -Computer Trey-Srv-12 -Target Computer
3. You are the network administrator for TreyResearch.net. You have to enforce special policies on the Engineering OU in which the users work with highly sensitive information while ensuring that the Domain Password Policy is used. What Group Policy settings should you use?
A. Configure Block Inheritance on the OU and set the Domain Password Policy to Enforced.
B. Configure Block Inheritance on the Domain and configure an OU Password Policy.
C. Configure Block Inheritance on the Domain, and add a link to the Domain Password Policy to the OU.
D. Configure Block Inheritance off at the OU, and set the Domain Password Policy to Enforced.
Objective 6.2: Configure Group Policy settings
The basic aim of Group Policy is to configure the settings that control users and computers. By using these settings, you can control what software is installed, where folders are located, what the startup and shutdown experience is, and which individual settings control access and rights to a wide variety of Windows objects.
This objective covers how to:
Configure settings, including software installation, folder redirection, scripts, and administrative template settings
Import security templates
Import custom administrative template files
Configure property filters for administrative templates
Configuring settings
You can use Group Policy to configure the settings for users and computers to provide a predictable experience for all users. The settings you can configure include these:
Software installation
Folder redirection
Scripts
Administrative template settings
More Info: Policy settings
For a complete list of policy settings included in the Administrative template files for Windows Server 2003 SP2 through Windows Server 2012 R2, see http://www.microsoft.com/en-us/download/details.aspx?id=25250.
Software Installation
You can use Group Policy to deploy software to groups of users based on their needs and roles, or to deploy software to specific computers. The steps for deploying software are these:
Create a shared folder A shared folder accessible by all users or computers you want to distribute the software to.
Create a GPO Using the GPMC, create a GPO for the software distribution.
Assign the software package Edit the GPO to assign the software package to the computers or users covered by the GPO. This process causes the software to be automatically installed.
Publish the software package Edit the GPO to publish the software package to the computers or users covered by the GPO. This process causes the software to be listed as available to be installed from the network.
Using Group Policy to deploy software has some limitations. The most basic limitation is that you can deploy only software that uses Microsoft Installer (.msi) or Zero Administration for Windows Downlevel Application Package (.zap) files. Software that uses an executable file (.exe) can’t be installed directly from Group Policy, although you can use startup scripts to install the software or use third-party products to package .exe installations as .msi installations.
You can edit the GPO that installs the software to specify whether it is assigned or published to computers or users. If you want the software to be assigned to computers, edit the Computer Configuration/Policies/Software Settings policy. To assign or publish the software to users, edit the User Configuration/Policies/Software Settings policy.
When you add software to the user or computer configuration, you need to specify the location from which the software is being installed. Always use a Universal Naming Convention (UNC) path, not a drive letter path. For example, to add the MyApp application as a published application for users in the HR security group, follow these steps:
1. Open the GPMC and create a new HR Software Deployment GPO.
2. Set the Security Filtering to TREYRESEARCH\HR Users, as shown in Figure 6-8.
FIGURE 6-8 The HR Software Deployment GPO in the GPMC
3. Right-click the HR Software Deployment policy and select Edit.
4. In the Group Policy Management Editor, expand the Policies container in the User Configuration section and then expand Software Settings.
5. Right-click Software Installation and select New and then Package.
6. In the Open dialog box enter \\trey-dc-02\software\myapp.msi, as shown in Figure 6-9, and click Open.
FIGURE 6-9 The Open dialog box
7. In the Deploy Software dialog box, select Published and click OK.
Now the application will appear in the list of applications that are available to be installed from the network in the Control Panel Programs and Features (appwiz.cpl).
Folder redirection
You can use Group Policy to redirect the folders of user profiles. To modify the user profile folders, follow these steps:
1. In the GPMC, right-click the GPO in which you want to configure folder redirection. It can be an existing GPO linked to the site, domain, or OU containing the users you want to target; or it can be a new GPO you create for folder redirection.
2. Select Edit to open the Group Policy Management Editor.
3. Expand the User Configuration node and navigate to User Configuration/Policies/Windows Settings/Folder Redirection.
4. Right-click the folder you want to redirect and select Properties from the menu.
5. On the Target tab, choose Basic to redirect the folder of every user for whom the GPO applies in the same way. Select Advanced to create multiple redirection rules depending on security group membership. The choices for Target Folder Location are these:
Create A Folder For Each User Under The Root Path Each user’s profile folder is in a user-specific path below a common root folder (for example, Documents would be \\server\root\%USERNAME%\Documents).
Redirect Everyone’s Folder To The Same Location All the profile folders are located beneath the same root path.
Redirect To The Local Userprofile Location The profile folder is redirected back to the local location.
Follow The Documents Folder Applies only to Music, Pictures, and Videos. When this setting is specified, the relocation of these folders is beneath the Documents folder.
6. On the Settings tab, you can specify the following:
Grant The User Exclusive Rights To <foldername> Only the user has access to the redirected folder.
Move The Contents Of <foldername> To The New Location If selected, all the current contents are moved to the new location when implementing the policy.
Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP, And Windows Server 2003 Operating Systems When selected, the equivalent folder for the specified operating systems are redirected.
Policy Removal By default, folders are left in the redirected location when the policy is removed. You can specify that the folders revert to the local userprofile location when the policy is removed.
7. Click OK to close the Folder Properties dialog box.
8. Exit the Group Policy Management Editor.
Scripts
You can run four types of scripts from Group Policy, triggered by the following:
Computer startup
Computer shutdown
User logon
User logoff
The scripts run by Group Policy can be Windows PowerShell or any other scripting language supported on the client computers. Any Windows Script Host (WSH) language is supported. You can set up the scripts on a domain controller and then copy them to the Netlogon shared folder on the domain controller. You can also specify the scripts in the Group Policy Management Editor. Logon and logoff scripts are located in User Configuration/Policies/Windows Settings/Scripts. Startup and shutdown scripts are located in Computer Configuration/Policies/Windows Settings/Scripts.
You can have multiple scripts for each of the four scripts folders, both PowerShell and non-PowerShell scripts. You can specify the order in which the scripts run and you can specify that all PowerShell scripts run first or last.
Administrative template settings
Administrative templates are used to edit registry-based policies for users and computers. By default, all language-neutral administrative templates (.admx files) are stored in %systemroot%\PolicyDefinitions, with language-specific templates (.adml files) stored in the appropriate subdirectory (%systemroot%\PolicyDefinitions\en-us for U.S. English). When you add a template to the store, it is available for use in the Group Policy Management Editor. If you’re on a local computer and you run gpedit.msc, you’re editing the local Group Policy, and it will read from that location.
By default, when you run GPMC and edit a GPO, it opens the Group Policy Management Editor and automatically loads the administrative templates located on the local computer, as shown in Figure 6-10. This process can create a problem if you have different versions of Windows on the network and different sets of Administrative templates. Plus, if there’s an update to a template, it might not be migrated to every computer in the network.
FIGURE 6-10 The Group Policy Management Editor running on a Windows 8.1 domain-joined computer with local policy definitions
You can create a central store of administrative templates that are replicated throughout the domain. When you do, the Group Policy Management Editor loads those files instead of the local store, as shown in Figure 6-11.
FIGURE 6-11 The Group Policy Management Editor running on Windows 8.1 domain-joined computer with centralized policy definitions.
Importing security templates
You can import security templates directly into a GPO by using the Group Policy Management Editor. Security templates are .inf files that contain specific security settings. One way to create security templates is to create a template policy by configuring the security settings you want to be part of the template and then export the template by using secpol.msc. Another way is to use one of the starter GPOs to create a new policy and then export it.
To import a policy, follow these steps:
1. In the GPMC, right-click the policy that you want to apply the template to and select Edit to open the Group Policy Management Editor.
2. Expand the Computer Configuration node in the console tree and select Computer Configuration/Policies/Windows Settings/Security Settings.
3. Right-click Security Settings and select Import Policy. (The default location for security template policies is in the Documents\Security\Templates folder of the logged-on user.)
4. Select the policy you want to import and click Open.
Importing custom administrative template files
Windows includes a full set of administrative templates, and these templates are automatically available. However, you can install additional administrative templates for other versions of Windows, available from the Microsoft Download Center; for Microsoft Office, also available from the Microsoft Download Center; or for non-Microsoft Windows hardware and software, available from other vendors.
Configuring property filters for administrative templates
You can filter which administrative templates are visible in the Group Policy Management Editor by using filters on the administrative templates. These filters affect only Administrative templates. There are three basic property filters:
Managed Managed settings are those that the Group Policy Client service governs, and the settings are removed when they fall out of scope for a computer or user.
Configured There are three states for administrative template settings: Not Configured, Enabled, or Disabled. When you filter by Configured, only those changed from Not Configured are shown.
Commented When set to Yes, only those settings that have comments are shown. When set to No, only those settings without comments are shown. The default is Any, which doesn’t filter on comments.
You can also filter by keyword, as shown in Figure 6-12. For example, you could search on the keyword “Password” and see only policies that related to password policies.
FIGURE 6-12 The Filter Options dialog box
The filtered view of the administrative template settings, as shown in Figure 6-13, shows only settings that are related to passwords.
FIGURE 6-13 The Group Policy Management Editor with filtering on
Finally, you can filter by specific product by selecting the Enable Requirements Filters check box and then selecting the product and versions you want to filter on.
You can combine any combination of these filters to get a view of the administrative templates that makes it easy to isolate what you’re looking for.
Thought experiment: Configuring folder redirection
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. Company policy allows users to work remotely two days per week; to facilitate, users are issued laptops for working remotely, and DirectAccess is configured and working for all remote computers. You need to ensure that users have access to their work-related documents, including Corporate templates, across both their desktop computers and their remote laptops. You need to do this in a way that minimizes data storage and backup requirements, while recognizing that the remote laptop will likely get used for at least some personal use. Users’ computers are running a mix of Windows 7 and Windows 8.1, although the goal is to move all users to 8.1 by the end of the year.
1. One suggestion is to implement Roaming Profiles. Will this meet the needs? If so, what are the key implementation considerations? If not, explain why not.
2. A second suggestion is to implement Folder Redirection. Will this meet the needs? If so, what are the key implementation considerations? If not, explain why not.
3. What other solutions can you think of, and what are the pluses and minuses of each?
4. What Group Policy settings can you use to implement the solution you’ve decided on?
Objective summary
Use Group Policy settings to manage software installation and folder redirection.
Control the four stages of startup and shutdown with Group Policy scripts: Startup, Logon, Logoff, and Shutdown.
Use Administrative templates to control registry-based policies for users and computers.
Use security templates to jump-start the configuration of various Administrative template settings and to ensure a consistent experience across multiple GPOs.
Custom templates can aid in the management of third–party hardware and software, as well as other versions of Windows.
Manage the view of Group Policy to show only those Administrative settings that you want to see, simplifying the management process by using property filters on Administrative templates.
Objective review
1. You need to ensure that the ABC software application is deployed to all users in the HR department. The installer for ABC is AbcInstall.msi. What steps should you take? (Choose all that apply.)
A. Create a GPO specifically for Software Distribution.
B. Use the Default Domain Policy and add Software Distribution to the policy.
C. Create a distribution point of C:\Software on Trey-Srv-12. Create a share of Software and give Read privileges to all HR users.
D. Publish the software package to all HR users.
E. Assign the software package to all HR users.
F. Configure the GPO to use c:\Software\AbcInstall.msi as the Package.
G. Configure the GPO to use \\Trey-Srv-12\Software\AbcInstall.msi as the Package.
2. You need to limit the HR Device Use policy that is linked to the Domain. The policy should apply only to HR Users who are part of the HR OU. What should you do?
A. Use the Set-GPPermission cmdlet with the -Replace and -Target parameters to limit the GPO to HR Users only.
B. Use the Set-GPLink cmdlet with the -Enforced and the -Target parameters to link the HR Device Policy to the Domain.
C. Configure Property Filters to block the Computer Configuration container.
D. Configure Security Filtering on the HR Device Policy by removing Authenticated Users and adding HR Users.
3. You need to ensure that GPOs are consistent across the domain and that new versions of Administrative Templates are fully propagated. What should you do?
A. Configure the Startup script to include Gpupdate /force.
B. Configure Logon script to include Gpupdate /force.
C. Configure a central store of Administrative templates and copy updated templates to that store.
D. Configure the Startup scripts to copy the .admx files to \\trey-dc-02\Policies, where trey-dc-02 holds the PDC Emulator role.
Objective 6.3: Manage Group Policy Objects (GPOs)
Because Group Policy is critical to the way computers and users can do their work in your enterprise, you need to be able to back up and restore GPOs to known good states. And when things go really wrong, you can reset the default GPOs to their shipping state. When you want to copy GPOs to a new domain environment, use a Migration Table to manage the changes. Finally, you can delegate management of portions of Group Policy to users who are not full domain administrators.
This objective covers how to:
Back up, import, copy, and restore GPOs
Create and configure a Migration Table
Reset default GPOs
Delegate Group Policy management
Backing up, importing, copying, and restoring GPOs
You can back up and restore GPOs as well as make copies of them. You can also import the settings from a backed-up GPO without changing the other settings of the GPO, and you can copy GPOs, either within a domain or across domain boundaries.
Backing up and restoring GPOs
When you back up a GPO, the GPO is saved, but the settings that are external to the GPO, such as WMI filters, are not saved. To back up a GPO, open the GPMC and right-click the GPO you want to back up. Select Back Up from the menu to open the Back Up Group Policy Object dialog box shown in Figure 6-14.
FIGURE 6-14 The Back Up Group Policy Object dialog box
The location you use to store backed-up GPOs should have permissions set to prevent unauthorized access to the GPOs.
To back up all GPOs in the domain, right-click the Group Policy Objects container in the console tree and select Back Up All from the menu.
If you have a backup of a GPO, you can quickly recover if you modified the GPO and the results were not quite what you expected. You can restore the backup of the GPO by following these steps:
1. Open the GPMC and navigate to the Group Policy Objects container that hosts the GPO you want to restore.
2. Right-click the GPO and select Restore From Backup.
3. Read the Welcome screen in the Restore Group Policy Object Wizard and then click Next.
4. Specify the location of the backed-up GPO on the Backup Location page and click Next.
5. Select the version of the GPO you want to restore, as shown in Figure 6-15.
FIGURE 6-15 The Source GPO page of the Restore Group Policy Object Wizard
6. You can view the settings of any version shown in the Source GPO page to ensure that you are restoring the correct version by clicking View Settings.
7. Select the version of the GPO you want to restore, click Next, and then click Finish.
8. When the GPO is restored, click OK.
You can manage your backed-up GPOs. Right-click the Group Policy Objects container in the GPMC and select Manage Backups from the menu to open the Manage Backups dialog box (see Figure 6-16).
FIGURE 6-16 The Manage Backups dialog box
In the Manage Backups dialog box, you can select a backup to restore, you can delete a backup, or you can view the backup settings. You can also browse for other locations where GPOs are backed up.
You can use the GroupPolicy module of Windows PowerShell to back up and restore GPOs. Use the Backup-GPO cmdlet to back up GPOs. To back up all the GPOs in the domain of the current user, use the following command:
Backup-GPO -All -Path <path to GPO backups>
To restore a previously backed–up GPO, use the Restore-GPO cmdlet. To restore the most recently backed-up version of the Default Domain Policy, use the following command:
Restore-GPO -Name "Default Domain Policy" -path <path to GPO backups>
Importing GPO settings
You can import the settings from a backed-up GPO into any other GPO. When you import the settings of a GPO, you import only the settings. The existing attributes of the target GPO, such as security filtering, delegation, links, and WMI filtering, are left untouched. To import GPO settings, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the domain you want to import settings to.
2. Right-click the target GPO and select Import Settings.
3. Click Next on the Welcome page.
4. On the Backup GPO page, click Backup to make a backup of the current GPO before you make changes to it.
5. Enter the backup location if the correct one isn’t already entered, click Back Up, and then click OK when the backup completes.
6. Click Next, enter the GPO Backup location if it isn’t shown correctly, and click Next again.
7. Select the source GPO backup whose settings you want to import.
8. On the Scanning Backup page, read the Scan Results. You might have references that you need to address. If not, skip the next step.
9. On the Migrating References page, you can choose to copy the references or use a Migration Table. (See the section, “Creating and configuring a Migration Table” for details on how to make a Migration Table.)
10. Click Next and then Finish to import the settings.
Important: Import Overwrites Existing Settings
When you import settings from a backed-up GPO, the imported settings overwrite any existing settings in the target GPO. Make sure this is what you want before you commit and always make a backup of the target GPO before you do the import.
To import a GPO, use the Import-GPO cmdlet. The command to import a ClientBackupGPO from the TreyResearch.net domain using a Migration Table is this:
Import-GPO -Domain TreyResearch.net`
-BackupGpoName ClientBackupGPO `
-TargetName "Client Backup" `
-Path "D:\GPOs" `
-MigrationTable "D:\MigTables\ClientBackupToTailspinToys.migtable" `
-CreateIfNeeded
This command imports the most recent backup of the ClientBackupGPO to a new GPO called “Client Backup” in the TailspinToys.com domain. The target GPO is created if it doesn’t already exist, and a migration table is used to migrate domain specific settings in the source GPO backup.
Copying GPOs
You can copy an existing GPO within a domain, preserving the existing permissions, or giving the target GPO the default permissions for a new GPO. Or you can copy a GPO across domain boundaries by using the Cross-Domain Copying Wizard. To copy a GPO within a domain, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the domain you want copy a GPO of.
2. Right-click the source GPO and select Copy.
3. Right-click the Group Policy Objects container and select Paste.
4. In the Copy GPO dialog box, select Use The Default Permissions For New GPOs or choose Preserve The Existing Permissions.
5. Click OK and then OK again.
6. Rename the GPO as appropriate.
To copy a GPO across domain boundaries, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the domain you want copy a GPO of.
2. Right-click the source GPO and select Copy.
3. In the target domain, right-click the Group Policy Objects container and select Paste.
4. In the Cross-Domain Copying Wizard, click Next on the Welcome page.
5. On the Specifying Permissions page, select Use The Default Permissions For New GPOs or chose Preserve The Existing Permissions.
6. Click Next. On the Scanning Original GPO page, read the Scan Results. You might have references that you need to address. If not, skip the next step.
7. On the Migrating References page, you can choose to copy the references or use a Migration Table. (See the following section, “Creating and configuring a Migration Table” for details on how to make a Migration Table.) In most cases, you have to create or edit a Migration Table to address differences between the two domains.
8. On the Migrating References page, if you choose to use a migration table, you can use one you already created as is, edit it to adjust any settings, or select New to create a new Migration Table from scratch.
9. Click Next, click Finish, and then click OK.
To copy a GPO, use the Copy-GPO cmdlet from the GroupPolicy module. As with other GPO commands, you can specify a Migration Table if copying across domain boundaries.
Creating and configuring a Migration Table
A Group Policy Migration Table is used to migrate GPOs from one domain to another. You generally can’t directly copy GPOs from one domain to another without creating problems because GPOs contain domain-specific information. Instead, you create a Migration Table that enables you to map a domain-specific item in the source domain to its equivalent item in the target domain.
To create a Migration Table, follow these steps:
1. Right-click Domains in the GPMC console tree for the source forest.
2. Select Populate From GPO from the Tools menu to populate the source table from the currently active GPOs or select Populate From Backup from the Tools menu to populate the source table.
3. You see three columns in the Migration Table Editor, as shown in Figure 6-17:
Source Name The name of the source item that needs to be migrated.
Source Type The type of source item. It can be a user- or group name, DNS address, security ID (SID), or free text.
Destination Name The equivalent name in the target domain. Edit this value as appropriate for the new domain.
FIGURE 6-17 The Migration Table Editor
4. Select Validate from the Tools menu to validate the migration table entries.
5. After you finish editing the table, select Save from the File menu to save the Migration Table. Make sure that you save it with a name that clearly identifies the source, target and GPOs being migrated.
Note: Migration Tables
Migration Tables are XML files with a .migtable extension. You can create them in your favorite XML editor, but the easiest way is to initially create them in the Migration Table Wizard and then do any customization with your favorite ASCII editor.
Resetting default GPOs
It is generally not recommended to edit or modify the Default Domain Policy or the Default Domain Controller Policy, but if you ever need to restore them back to their original state, you can do so with the Dcgpofix.exe command. The syntax for this command is the following:
Dcgpofix [/ignoreschema] [/target: {Domain | DC | Both }
Without the /ignoreschema switch, dcgpofix works only if the domain controller is the same level of operating system as the domain schema version.
Important: Dcgpofix is powerful
Dcgpofix is for disaster recovery scenarios only. You should use the steps shown in the previous section, “Backing up and restoring GPOs,” before you reset the default policies.
Exam Tip
Dcgpofix is a simple utility, but a powerful and important one. Given that this subobjective is explicitly called out in the objective domain for this exam, you can expect that there will be at least one question about resetting the default GPOs for a domain.
Delegating Group Policy management
By default, members of the Domain Admins and Enterprise Admins groups have full permissions to manage Group Policy. However, you can delegate permissions on specific GPOs or OUs to non-administrators to manage. The permissions you can delegate are these:
Permissions on a GPO
Permissions to link a GPO
Permissions to generate Group Policy modeling data
Permissions to generate Group Policy results
Permissions on a WMI filter
All these permissions are delegated in the GPMC. The steps are similar for each set of permissions, so start with granting delegated permissions on a GPO:
1. Expand the console tree of the GPMC and navigate to the Group Policy Objects container of the domain for which you want to delegate permissions.
2. Select the GPO you want to delegate and click the Delegation tab in the details pane (see Figure 6-18).
FIGURE 6-18 The Delegation tab of the GPMC
3. Click Add to open the Select User, Computer Or Group dialog box; enter the user or group to whom you want to delegate permissions.
4. Click OK and then select the Permissions from the drop-down list in the Add Group Or User dialog box (see Figure 6-19).
FIGURE 6-19 The Add Group Or User dialog box
5. Click OK; the user is added to the Delegation list.
You can delegate permissions to create GPOs in the domain by either adding the users to the Group Policy Creator Owners security group, or adding the user or group to the Delegation tab as described previously for individual GPOs.
You can delegate permissions to Link GPOs, to Perform Group Policy Modeling Analyses, or to Read Group Policy Results Data to a site, domain, or OU by selecting the site, domain, or OU in the console tree and then clicking the Delegation tab in the details pane. Select the permission you want to delegate and then click Add to add the user or group. You can restrict the delegation to the specific container or include child containers.
Thought experiment: Creating a comprehensive GPO management policy
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. The Engineering group works out of a separate campus with its own support staff who are not currently members of the Domain Admins group. You need to create a comprehensive GPO management policy that enable the Engineering support staff to manage Group Policy for Engineering while also ensuring that you can quickly recover if they make a change that has unanticipated consequences.
1. What changes do you need to make to allow Engineering support staff to manage the Group Policy?
2. How can you ensure that you can quickly recover if there are problems with a GPO?
Objective summary
Back up GPOs to provide an easy recovery scenario.
Use Import Settings to copy the settings from a backed-up GPO to a new or existing GPO.
Copy GPOs within the domain or across domain boundaries.
Use Migration Tables to copy or import GPOs from another domain.
Reset the Default Domain Policy or the Default Domain Controller Policy to return to an as-installed condition for these critical GPOs.
Use the Delegation tab in GPMC to delegate authority to edit GPOs.
Objective review
1. After thorough troubleshooting of problems with the behavior of client computers in the TreyResearch.net domain, you determine that the Default Domain Policy has significant issues and the best way to correct the problems is to restore the default GPO. What command should you use?
A. Invoke-GPO | New-GPO -Name “Default Domain Policy”
B. New-GPO -Name “Default Domain Policy” -StarterGPOName <startername>
C. Dcgpofix /ignoreschema /target Domain
D. Dcgpofix /ignoreschema /target DC
2. You need to restore the Client Backup GPO from the most recent backup. What command should you use?
A. Restore-GPO -Name “Client Backup GPO”
B. Restore-GPO -All -Path \\Server\BackupGPOs
C. Import-GPO -BackupGpoName “Client Backup GPO” -TargetName “Restored Client Backup GPO” -Path \\Server\BackupGPOs
D. Restore-GPO -Name “Client Backup GPO” -Path \\Server\BackupGPOs
3. You want to copy the settings from the TreyResearch.net “Client Backup GPO” to the “ClientBackupGPO” in the TailspinToys.com domain. What command should you use?
A. Use the GPMC’s Restore From Backup command to restore the GPO in the TailspinToys.com domain, specifying the Migration Table.
B. Use the GPMC’s Restore From Backup command to restore the GPO from the TreyResearch.net domain.
C. Use the GPMC’s Copy command to copy the “Client Backup GPO” from the TreyResearch.net domain and then paste the GPO into the TailspinToys.com domain.
D. Use the GPMC’s Import Settings command to import the settings from the most recent backup of the “Client Backup GPO” from the TreyResearch.net domain into the “ClientBackupGPO” in the TailspinToys.com domain, specifying the Migration Table.
Objective 6.4: Configure Group Policy Preferences
Group Policy Preferences (GPPs) is a set of CSEs to Group Policy that enable preference settings on domain-joined computers. Unlike policy settings, preference settings can be altered by the user, but provide a starting point for configuration. You use the GPMC to set preference items and you can do specific targeting to configure settings appropriate to the user or group. There are both Computer Configuration and User Configuration preference settings.
This objective covers how to:
Configure preferences with Windows settings
Configure preferences with Control Panel settings
Configuring Windows settings
You can set Group Policy Preferences with two different sets of settings: Windows settings and Control Panel settings. Windows settings are detailed in Table 6-2.
TABLE 6-2 Windows settings
In the following sections, you will learn more about printer preferences, network drive mapping preferences, custom registry settings, and file and folder deployment preferences. I will also use the Group Policy Printer preference to detail how item-level targeting works because I expect item-level targeting to definitely be a part of this exam, even though it’s not explicitly identified in the objective as a separate item.
Configuring printers
The Group Policy Printers extension is used to configure local, shared, and TCP/IP printers without having to create and maintain logon scripts. You can create, replace, update, and delete printers. Printers can be set in either the Computer mode or the User mode of Group Policy. To create a Printer preference for users in the Canada OU, create a Preferences GPO, link it to the Canada OU, and then set the preferences in that GPO. Follow these steps:
1. Open the GPMC and locate the Canada OU in the console tree.
2. Right-click the Canada OU and select Create A GPO In This Domain, And Link It Here.
3. In the New GPO dialog box, enter Canada Preferences in the Name box and click OK.
4. Right-click the Canada Preferences GPO link and select Edit from the menu.
5. Expand the User Configuration node and click Printers in the Preferences/Control Panel Settings container, as shown in Figure 6-20.
FIGURE 6-20 The Printer Preferences container of User Configuration
6. Right-click Printers, select New, and then select Shared Printer. The New Shared Printer Properties dialog box displays (see Figure 6-21).
FIGURE 6-21 The New Shared Printer Properties dialog box
7. Select Replace as the Action and enter the path to the shared printer in the Share Path box.
8. Specify whether this printer is to be the default and whether that default setting should apply only if there isn’t a local printer present.
9. Click OK; the new preference settings will be propagated to the linked OU.
When you use preferences to map a printer, you have four choices for an action, as follows:
Create Creates a new local printer. If a local printer with the same name already exists, it makes no changes.
Delete Removes a local printer of the same name if it exists without removing the printer driver. No action is taken if the printer doesn’t exist.
Replace Combines the actions of Delete and Create.
Update Similar to Replace, but also updates the settings defined for the printer.
Configuring item-level targeting
Before you go any further to cover other preference items, let’s cover item-level targeting, introduced in Windows Server 2012 and Windows 8. You can use item-level targeting to narrow the scope of preference items to only certain computers or users within the overall scope of the GPO.
The targeting items that you can configure and use are these:
Battery Present
Computer Name
CPU Speed
Date Match
Disk Space
Domain
Environment Variable
File Match
IP Address Range
Language
LDAP Query
MAC Address Range
MSI Query
Network Connection
Operating System
Organizational Unit
PCMCIA Present
Portable Computer
Processing Mode
RAM
Registry Match
Security Group
Site
Terminal Session
Time Range
User
WMI Query
To use item-level targeting, select the Item-Level Targeting check box on the Common tab of the preference setting, as shown in Figure 6-22.
FIGURE 6-22 The Common tab of the HP_ColorLJ Properties dialog box
To see how it works, restrict the Printer preference created previously to apply only to Terminal Sessions that are not displaying on computers with a battery. To do that, follow these steps:
1. Open the GPMC and locate the Canada OU in the console tree.
2. Right-click the Canada Preferences GPO link and select Edit from the menu.
3. Expand the User Configuration node and click Printers in the Preferences/Control Panel Settings container.
4. Double-click the Printer preference that you created to open the Properties dialog box for it.
5. Click the Common tab, select the Item-Level Targeting check box, and click Targeting to open the Targeting Editor dialog box (see Figure 6-23).
FIGURE 6-23 The Targeting Editor dialog box
6. Click New Item and scroll your mouse down to Terminal Session to add The Terminal Session Is Any to the targeting query.
7. Select Remote Desktop Services from the Type Or Protocol drop-down list and leave the Parameter value set to Any (see Figure 6-24).
FIGURE 6-24 The Targeting Editor showing a condition
8. At this point, you could add additional parameters or reverse the logic by clicking Item Options and choosing Is Not. Or you could add additional targeting items and combine them with Remote Desktop Services in any combination of AND or OR logical statements. You have to restrict this to computers that don’t have a battery, so continue by clicking Item Options and selecting AND.
9. Click New Item and select Battery Present.
10. Click Item Options and select Is Not. The targeting query should now look like Figure 6-25.
FIGURE 6-25 The Targeting Editor showing two conditions
11. Click OK to close the Targeting Editor and OK again to close the Properties dialog box.
12. Exit the Group Policy Management Editor, and the revised preference is enabled.
13. To see the settings in GPMC, click the Settings tab of the Canada Preferences GPO link, as shown in Figure 6-26.
FIGURE 6-26 The Canada Preferences GPO Settings tab
You can use the Targeting Editor to create item-specific targeting to ensure that a specific preference item applies only to the users or computers that it is appropriate for.
Exam Tip
Item-level targeting is an obvious way for exam writers to ask detailed questions that require you to clearly understand what the targeting options are and how to implement them. The combination of possible options means you need to clearly think through the logic of the question to make sure you choose the answer that correctly matches that logic. Given that item-level targeting is new in Windows Server 2012, you can definitely expect there to be one or more questions that require item-level targeting to satisfactorily meet the question criteria.
Configuring network drive mappings
Preference settings for network drive mappings enable you to set standard drive maps for groups of users or computers. When combined with item-level targeting, you can also ensure that the maps aren’t enabled when a covered laptop or mobile device is off the domain network. To create or replace a drive map that maps the S drive to the Software share on server trey-dc-02 when a computer is on the 192.168.10/24 domain network, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the TreyResearch.net domain.
2. Right-click the Group Policy Objects container and select New. In the Name box, enter Drive Preference and click OK.
3. Right-click the TreyResearch.net domain in the console tree and select Link An Existing GPO. Select Drive Preference from the list of Group Policy Objects and click OK.
4. Right-click Drive Preference and select Edit to open the Group Policy Management Editor.
5. Expand the User Configuration container and select Drive Maps from the Preferences/Windows Settings container.
6. Right-click and select New and then Mapped Drive to open the New Drive Properties dialog box,
7. Select Create from the Action drop-down list, and enter \\trey-dc-02\software in the Location box.
8. Select Reconnect and enter Software Distribution Point in the Label As box.
9. Select S from the Use drop-down list in the Drive Letter section, as shown in Figure 6-27.
FIGURE 6-27 The New Drive Properties dialog box
10. Click the Common tab and select Item-Level Targeting.
11. Click Targeting to open the Targeting Editor.
12. Click New Item and select IP Address Range from the drop-down list.
13. Enter 192.168.10.1 in the Between box and 192.168.10.254 in the And box, as shown in Figure 6-28.
FIGURE 6-28 The Targeting Editor with an IP Address range target
14. Click OK to close the Targeting Editor and OK again to close the New Drive Properties dialog box.
Exam Tip
Item-level targeting for IP Address Range targets doesn’t support IPv6 addresses in Windows Server 2012 and Windows 8. Support was added in Windows Server 2012 R2 and Windows 8.1.
Configuring file deployment
The Group Policy File preference extension enables you to use Group Policy to do the following:
Copy a file or files in one folder to another while configuring the attributes of those files
Delete a file or files in one folder, replacing them with copies from a source folder
Modify the attributes of one or more files in a folder
Modify the attributes of, replace, or delete all the files in a folder that have a specified extension
Modify the attributes of, replace, or delete all the files in a folder
The actions available with the File preference extension are these:
Create Copies a file or files from a source location to a target location if the file or files don’t already exist and configures the attributes of the target files.
Delete Removes a file or files from a single folder.
Replace Combines the actions of Delete and Create. It overwrites any files that already exist at the target location or copies ones that don’t exist. Sets the attributes of the files at the target location.
Update Modifies attributes of existing file or files, changing only those attributes specified in the Group Policy Preference. If a file doesn’t exist at the target location, the file is copied from the source location.
The settings that can be configured for files include these:
Source file(s) The source location, which can be a UNC path, or a local or mapped drive path from the perspective of the client. Variables and wildcards are accepted.
Destination file The target location for the file if creating, replacing, or updating a single file. It can be a UNC path, or a local or mapped drive path from the perspective of the client. It can have the same file name as the source file, or can change the name of the target file.
Destination folder The target location for the file or files. This can be a UNC path, or a local or mapped drive path from the perspective of the client. This option is available only if the Source File(s) options includes wildcards.
Delete file(s) The target file path from the perspective of the client. Wildcards are accepted.
Suppress errors on individual file actions If selected, individual errors are ignored, and the rest of the actions continue.
Attributes Configures the file system attributes for target files. By default, the Archive attribute is selected.
Configuring folder deployment
The Folder preference GPO extension allows you to create, modify, or remove a folder on a client computer. With this extension, you can do the following:
Create or modify a folder and then configure its attributes
Delete a folder and its contents, or delete it only if it is empty
Delete all the files in folder without deleting the folder
Delete all the files in a folder without deleting subfolders
The actions available with the Folder preference extension are these:
Create Creates a new folder if the folder doesn’t exist, setting the attributes of the folder.
Delete Removes a folder if it exists or the files within the folder.
Replace Combines the actions of Delete and Create, replacing any existing files or subfolders if they were included. It overwrites any existing folder and re-creates it with the specified attributes, or creates a new folder if it doesn’t exist.
Update Modifies an existing folder without deleting it and re-creating it. It does not overwrite existing settings except those explicitly set in the preference, but creates a new folder if the folder doesn’t exist.
Configuring custom registry settings
The Group Policy Registry preference extension enables you to manipulate registry settings for computers (HKLM) or Users (HKLU). With this extension, you can do the following:
Copy registry settings from a source computer and apply them to target computers
Create, replace, or delete an individual registry value
Create an empty key, delete a key, or delete all values and subkeys in a key
Create collections of Registry preference items in the GPMC and apply the collections to multiple registry items
Create collections in the GPMC based on the registry of a source computer
You can use the Registry Wizard to create multiple registry items by following these steps:
1. Open the GPMC and right-click the GPO you want to add Registry preference items to.
2. Select Edit to open the Group Policy Management Editor. Expand the Computer Configuration or User Configuration container and select Registry from the Preferences/Windows Settings container.
3. Right-click Registry and select New and then Registry Wizard to open the Registry Browser. If the settings you want to copy are on the local computer, click Next. If they’re on a different computer, enter the computer name in the Another Computer box (or use the Browse button to locate it) and then click Next.
4. On the Select Any Registry Item By Checking Its Check Box To The Left page of the Registry Browser (see Figure 6-29), expand the registry hive where the settings you want to copy are located and select the check box for the folder that contains the settings.
FIGURE 6-29 The Registry Browser
5. After you select the registry entries you want to make part of this preference, click Finish. The values are added to the Registry Wizard Values folder, as shown in Figure 6-30.
FIGURE 6-30 The Registry Wizard Values folder of the Group Policy Management Editor
6. Add any additional items you want and then close the Group Policy Management Editor to return to the GPMC.
You can also create collections of registry settings by selecting New and then Collection Item in the Group Policy Management Editor. Collections can contain other collections, or items added individually or by using the Registry Wizard.
Configuring shortcut deployment
The Shortcut preference extension enables you to deploy standard shortcuts to users and computers. Shortcuts can be deployed in either the Computer mode or the User mode of Group Policy. The Shortcut preference GPO extension allows you to create, modify, or remove a shortcut on a client computer. Shortcuts that include drive mappings can only be made in the User mode of Group Policy. Shortcuts can point to:
URL A webpage, website or other location that can be addressed with a URL, such as an FTP site.
File system object A Windows path, including a file, folder, share or computer. If the path includes a mapped drive, it is only available in User mode.
Shell object An object within the Windows shell, such as a printer, desktop or Control Panel item. Can also be any file system object.
The actions available with the Shortcut preference extension are these:
Create Creates a shortcut if the shortcut doesn’t already exist.
Delete Removes a shortcut if it exists.
Replace Combines the actions of Delete and Create, replacing an existing shortcut with a new one, or creating a new one if it doesn’t exist.
Update Modifies an existing shortcut without deleting it and re-creating it. It does not overwrite existing settings except those explicitly set in the preference, but creates a new shortcut if the shortcut doesn’t exist.
Exam Tip
By default, variables in the Target path of a shortcut preference are resolved by Group Policy before it is created, replaced or updated. This is usually not what was intended and can lead to a compelling, but incorrect, answer. You need to use unresolved variable syntax for variables to allow them to be resolved in the environment of the user or computer. So, for example, %USERNAME% will resolve to the user creating the preference. This likely was not what was intended. Instead, use %<USERNAME>% to cause the username of the logged on user to be used.
Configuring Control Panel settings
The Control Panel settings in Table 6-3 are available for both Computer Configuration preferences and User Configuration preferences.
TABLE 6-3 Control Panel settings
Configuring power options
A typical Control Panel setting uses the Power Options preference extension. Using this extension, you can create a new domain power plan and deploy it to selected users and computers by using Group Policy Preferences. The four actions for the preference extension are:
Create Creates a new power plan configuration. If an existing power plan has the same name, the plan isn’t changed.
Delete Removes a power plan of the same name; it does not remove built-in power plans.
Replace Deletes and then re-creates a power plan. If the named power plan exists, it overwrites all existing settings for the plan. If the plan doesn’t exist, it creates it.
Update Updates an existing plan without removing settings that aren’t part of the defined preference item. If the plan doesn’t exist, it creates it.
You can create a power plan preference in either the Computer Configuration container or the User Configuration container. User power plans process after computer power plans, and users who are local administrators or Power Users can change their power settings in Control Panel. Power plan preferences are subject to item-level targeting.
Configuring Internet Explorer settings
You can set Internet Explorer (IE) settings by using the Internet Settings Group Policy preference extension. To set preferences, follow these steps:
1. Open the GPMC and right-click the GPO for which you want to set IE preferences.
2. Select Edit from the menu to open the Group Policy Management Editor.
3. Expand the User Configuration container and select the Preferences/Control Panel Settings/Internet Settings node.
4. Right-click Internet Settings and select the version of IE for which you want to create settings. Select Internet Explorer 10 for both Internet Explorer 10 and Internet Explorer 11.
5. Use the New Internet Explorer 10 Properties dialog box to configure options for IE 10 and IE 11. For example, you can set a default home page and have IE always starting on that home page (see Figure 6-31).
FIGURE 6-31 The New Internet Explorer 10 Properties dialog box
6. After you make all the settings changes, click OK to close the dialog box. Exit the Group Policy Management Editor to return to the GPMC.
Thought experiment: Using Group Policy Preferences
In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. You want to provide new users with a consistent experience that provides them access to resources to facilitate their transition. You opt to use Group Policy Preferences to provide them with that experience during their first 90 days with the company.
1. One of the most important resources is an electronic New Employee Handbook that is regularly updated with new content. How can you ensure that employees have access to the latest version?
2. How could you ensure that the preference is only applied to employees during their initial 90 probationary period?
3. There are several intranet web sites that have employee related resources, offers and forms. A consistent feedback from new employees is that they don’t know where to find all of these resources, which are on multiple, unconnected sites. How can you make it easier for them to find what they need?
Objective summary
Use Group Policy Preferences to configure Windows Settings and Control Panel settings.
Use item-level targeting to provide fine-grained control of which users or computers the preference targets.
Group Policy Preferences have four actions: Create, Delete, Replace and Update.
The Replace action is a combination of Delete and Create; it removes any existing settings.
The Update action leaves the existing Windows or Control Panel settings in place and changes only the specific settings in the preference item.
Some preferences, such as Drive Mappings, are applied only during a Synchronous Group Policy update. Over slow links, they typically are not processed.
Use Group Policy Preferences to deploy standardized template files to all computers covered by the GPO.
Objective review
1. You want to provide all users in the Training Department with the same default printer. It should not delete any existing printers. How can you do that?
A. Create a GPO linked to the Training OU and specify a Printer preference with the Replace action.
B. Create a GPO linked to the Training OU and specify a Printer preference with the Create action.
C. Create a GPO linked to the Training OU and specify a Printer preference with the Update action.
D. Create a GPO linked to the Training Department security group and specify a Printer preference with the Create action.
2. You need to provide a default power plan for all laptop users running Windows 8. The plan should be applied only to laptop users. How can you do that?
A. Create a GPO linked to the Win8 OU and specify a User Configuration Power Options preference with the Create action. Specify item-level targeting of a Battery Present.
B. Create a preference linked to the Win8 OU and specify a Computer Configuration Power Options GPP with the Create action. Specify item-level targeting of a Portable Computer.
C. Create a preference linked to the Win8 OU and specify a User Configuration Power Options GPP with the Update action. Specify item-level targeting of a Portable Computer.
D. Create a GPO linked to the Win8 OU and specify a Computer Configuration Power Options preference with the Update action. Specify item-level targeting of a Battery Present.
3. You need to ensure that all domain computers currently on the local network are using a special version of the Hosts file. You create a network share of \\server\ConfigFiles that has Read permissions for Everyone. You configure a Hosts GPO and link it to the Domain. What settings do you need to add to the GPO?
A. Configure the Computer Configuration Files preference to have a source file of \\server\ConfigFiles\hosts and a target of C:\Windows\System32\Drivers\Etc\Hosts. Set the attributes of the file to read-only and set the IP Address item-level targeting of the local network.
B. Configure the User Configuration Files preference to have a source file of \\server\ConfigFiles\hosts and a target of C:\Windows\System32\Drivers\Etc\Hosts. Set the attributes of the file to read-only and set the IP Address item-level targeting of the local network.
C. Configure the Computer Configuration Files preference to have a source file of \\server\ConfigFiles\hosts and a target of C:\Windows\System32\Drivers\Etc\Hosts. Set the attributes of the file to read-only and set the Domain item-level targeting of the target domain.
D. Configure the User Configuration Files preference to have a source file of \\server\ConfigFiles\hosts and a target of C:\Windows\System32\Drivers\Etc\Hosts. Set the attributes of the file to read-only and set the Domain item-level targeting of the target domain.
Answers
This section contains the solutions to the thought experiments and answers to the lesson review questions in this chapter.
Objective 6.1: Thought experiment
1. The Administrative Template for mapping drives is never run when Group Policy is running asynchronously. By forcing a slow connection to always run asynchronously, you block the drive map from happening on any slow link.
2. There are several settings that could improve the policy, including these:
Configure Direct Access Connections As A Fast Network Connection
Configure Drive Maps Preference Extension Policy Processing
Configure Group Policy Slow Link Detection
3. This Group Policy setting applies only to Windows 8 and later, Windows Server 2012 and later, and Windows RT. Any users still running Windows 7 aren’t affected by this policy.
Objective 6.1: Review
1. Correct answer: C
A. Incorrect: In Merge mode, some settings from users’ normal GPOs are still visible.
B. Incorrect: In Merge mode, some settings from users’ normal GPOs are still visible. Also, when you use Loopback mode, you use the Computer Configuration container, not the User Configuration container.
C. Correct: In Replace mode, all the settings come from the Computer Configuration container.
D. Incorrect: Replace mode is correct, but configuration settings can only be done in the Computer container, not in the User container when running in Loopback mode.
2. Correct answer: D
A. Incorrect: The correct verb is Invoke.
B. Incorrect: The correct verb is Invoke.
C. Incorrect: You need to specify the computer name, the Computer parameter, and Computer for the Target parameter.
D. Correct: The -Computer parameter points to the correct computer to force the GPO update, and the Target mode is set to Computer.
3. Correct answer: A
A. Correct: Blocking inheritance at the OU enables you to set separate policies on the OU, but by enforcing the Domain Password Policy, it will pass through.
B. Incorrect: Blocking inheritance at the domain won’t allow you to set separate policies on the OU, and the requirement is for the Default Domain Policy to be used.
C. Incorrect. Blocking inheritance at the domain won’t allow you to set separate policies on the OU.
D. Incorrect: You need to block inheritance at the OU level to allow you to use separate policies.
Objective 6.2: Thought experiment
1. Roaming Profiles don’t meet the needs. Forcing a Roaming Profile to a remote computer is not the best experience for the user, and it doesn’t recognize the partial personal use nature of that remote computer.
2. Folder redirection can be used to meet the needs. You have to not redirect Music, Pictures, and Video folders to meet the backup and data storage requirements, especially because these are areas in which users are more likely to use the remote computer for personal storage, and you don’t want their entire MP3 collection on your server. You have to redirect AppData to ensure that corporate templates are available.
3. Rather than folder redirection, you can also implement User folders on a corporate server and direct users to save to that folder for company documents. It has limitations, however, because it requires user education and will inevitably miss some documents. Also, if DirectAccess goes down for any reason, items can’t be saved to the corporate servers.
Another possibility is OneDrive for Business. After all computers are moved to Windows 8.1 and Office 365, OneDrive gives them a secure storage solution that is well integrated into Windows and Microsoft Office.
4. User Configuration/Policies/Windows Settings/Folder Redirection. Don’t redirect the Music, Videos or Pictures folders, but do redirect AppDataRoaming and Documents.
Objective 6.2: Review
1. Correct answers: A, C, E, G
A. Correct: You need to create a policy for the HR software distribution or use an existing HR-specific GPO.
B. Incorrect: The software is to go only to the HR department, not company-wide.
C. Correct: You need a software distribution point, and users in HR need Read privileges on that distribution point.
D. Incorrect: Choose Publish for software packages that are optional.
E. Correct: Choose Assign for mandatory software packages.
F. Incorrect: Always use a UNC as the package location. The package location is from the perspective of the client, not the server.
G. Correct: Always use a UNC as the package location. The package location is from the perspective of the client, not the server.
2. Correct answer: D
A. Incorrect: Set-GPPermission doesn’t limit the GPO to the HR users.
B. Incorrect: This would link the GPO to the Domain level, not the OU level.
C. Incorrect: Property filters limit the view of settings, but don’t block their use.
D. Correct: You can use security filters to limit the policy to only those users who are part of a security group.
3. Correct answer: C
A. Incorrect. The problem is consistent versions of the templates (and computers read Group Policy when they start up, anyway).
B. Incorrect: The problem is consistent versions of the templates (and user policies are updated at logon, regardless).
C. Correct: By configuring a central store, all users of GPMC and GPEdit automatically read that store on SYSVOL.
D. Incorrect: There is no special value to a share of policies, regardless of which computer on which it is located.
Objective 6.3: Thought experiment
1. In the GPMC, configure the Engineering OU to block inheritance, which enables Engineering to maintain its own policies, while you can still set any critical policies to Enforced so that they are propagated to Engineering. Next, create a new GPO for Engineering and link it to the OU. Then delegate permissions on that GPO to the Engineering Support security group and give them Edit Settings permissions. What you don’t want to do is make them Domain Admins, which would give them the permissions they need, but would have all sorts of security implications in other areas of the company.
2. You need to set a regular GPO backup for the Engineering OU GPOs. (Actually, you should be doing this for the entire domain.) Use the Backup-GPO cmdlet as part of a regularly scheduled task and use a Group Managed Service Account to run the task. (See Chapter 5, “Configure and manage Active Directory,” for details on Group Managed Service Accounts.) Make sure that the GPOs are backed up to a location that is available only to Domain Admins. If you need to recover a GPO to its previous state, you can use the Restore-GPO cmdlet, or use the GPMC and restore by selecting Manage Backups from the context menu of the Group Policy Objects container.
Objective 6.3: Review
1. Correct answer: C
A. Incorrect: You can’t use Windows PowerShell to restore the default GPOs.
B. Incorrect: You can’t use Windows PowerShell to restore the default GPOs.
C. Correct: This command restores the Default Domain Policy, even if the schema doesn’t match.
D. Incorrect: This command restores the Default Domain Controller Policy, but does not restore the Default Domain Policy.
2. Correct answer: D
A. Incorrect: The Restore-GPO command requires a path to the GPO to be restored.
B. Incorrect: This restores all GPOs in the domain.
C. Incorrect: This imports the GPO to a new GPO, but leaves the original GPO intact.
D. Correct: This is the correct command line to restore the most recent backup version of the GPO.
3. Correct answer: D
A. Incorrect: You can’t restore a backup across domain boundaries; you need to import the backup.
B. Incorrect: This restores the backup to the original domain.
C. Incorrect: This copies everything, not just the settings, and does not bring the settings into the correct GPO, even with a Migration Table.
D. Correct: This is the correct procedure for importing just the settings from the backup of the source GPO to the target GPO.
Objective 6.4: Thought experiment
1. Use a File preference with the Replace option to place this document in the user’s Documents\HR folder. By using replace, it will automatically replace the file with the latest version.
2. One way to accomplish this would be to use item-level targeting preferences with an Item of User Is A Member Of The Security Group and place all probationary employees in the security group. When they pass their probationary period, they come out of the security group and the preference item setting no longer applies.
3. There are at least two ways to accomplish this, but think of other ways too. One is to use URL shortcut preferences to the individual websites. This, however, requires managing individual shortcuts. Another possibility is to create an Intranet Resources folder that is deployed to their desktop via a Folder deployment preference. Then you simply add the URL shortcuts to the source folder for the Group Policy Preference. You’ll want to use the Update or Create option, not Replace. Users are quite likely to add their own shortcuts to the folder as they discover items they use.
Objective 6.4: Review
1. Correct answer: C
A. Incorrect: Using the Replace action deletes any current settings for printers with the same name.
B. Incorrect: This would work if the printer didn’t yet exist, but would not set the printer as the default if it already existed.
C. Correct: This would create the printer if it didn’t exist and would modify it to make it the default if it did.
D. Incorrect: You can’t link a GPO to a security group; you can use a security filter to a GPO.
2. Correct answer: D
A. Incorrect: This needs to be a Computer Configuration item so it is enforced during startup.
B. Incorrect: The Portable Computer item-level targeting checks to see only whether a computer is docked or undocked.
C. Incorrect: This needs to be a Computer Configuration item so that it is enforced during startup, and Portable Computer item-level targeting checks to see only whether a computer is docked or undocked.
D. Correct: This sets the power options for the computer based on it having a battery, which is a good way to target laptop users.
3. Correct answer: A
A. Correct: The domain linking ensures that all domain computers are targeted and the setting is in the Computer Configuration, ensuring that it happens whether the user logs on as a domain user or local user. And the IP Address targeting ensures that it is enforced only on the local network.
B. Incorrect: With the User Configuration, this will not work if the user logs on locally.
C. Incorrect: Domain item targeting causes the file to be enforced even when the computer is not on the local network.
D. Incorrect: With the User Configuration, this will not work if the user logs on locally. Domain item targeting causes the file to be enforced even when the computer is not on the local network.