Exercise 10 : Creating And Applying Group Policies
In this exercise you will create a new group policy and apply it to users within an organizational
unit.
Group Policies
Group policies are settings or configurations that can be applied to users, groups, organizational
units and domains. An administrator can create a group policy that configures the computer or
user settings, such as menu and desktop settings, folder locations and default password
settings.
Windows NT 4 and Windows 98 introduced system policies. Windows 2000, 2003 and 2008
extend these further using group policies.
EXERCISE 10.1
Creating a Group Policy
1. Log on to the server as Administrator (Figure 0269).
Figure 0269 : Administrator Login
2. Launch Group Policy Management. Click Start ► Administrative Tools ► Group Policy
Management (Figure 0270).
Figure 0270 : Launch Group Policy Management
3. Expand the Forest (Figure 0271).
Figure 0271 : Group Policy Management - Forest
4. Expand the Domains (Figure 0272).
Figure 0272 : Group Policy Management – Domains
5. Expand your domain.com (Figure 0273).
Figure 0273 : Group Policy Management – myserver.com
Now, you will create a new group policy for the Stkm OU. This new policy will apply to all
members of the Stkm OU though in another exercise that follows, you will override this.
6. Right-click the Stkm OU and select Create a GPO in this domain, and Link it
here… (Figure 0274).
Figure 0274 : Group Policy Management – Create new GPO
7. Rename the policy as STKM Group Policy (Figure 0275).
Figure 0275 : Create New GPO
8. Click OK to continue (Figure 0275).
9. Right-click the STKM Group Policy and select Edit (Figure 0276).
Figure 0276 : Default Domain Policy - Edit
10. The group policy editor allows you to specify user and computer settings. In the
following steps, you will change some of these settings (Figure 0277).
Figure 0277 : Group Policy Management Editor
11. Expand User Configuration (Figure 0278).
Figure 0278 : Group Policy Management Editor – User Configuration
12. Expand the Policies folder (Figure 0279).
Figure 0279 : Group Policy Management Editor – Policies
13. Expand the Administrative Templates folder (Figure 0280).
Figure 0280 : Group Policy Management Editor – Administrative Templates
14. Click the Start Menu and Taskbar folder (Figure 0281).
Figure 0281 : Group Policy Management Editor – Start Menu and Taskbar
15. A large list of selections is available. Double click the option Add Logoff to the Start
Menu (Figure 0282).
Figure 0282 : Group Policy Management Editor – Add Logoff to the Start Menu
16. The Add Logoff to the Start Menu Properties appears. Click the Disabled button to
disable this setting (Figure 0283).
Figure 0283 : Add Logoff to the Start Menu Properties
17. Click OK to apply the setting (Figure 0283).
18. The setting now displays as Disabled in the Group Policy Editor (Figure 0284).
Figure 0284 : Add Logoff to the Start Menu – Disabled
19. Configure the following settings.
Remove Run menu from Start Menu – Enabled
Remove Clock from the system notification area – Enabled
Desktop\Desktop\Enable Active Desktop – Enabled
Desktop Wallpaper – Enabled
Wallpaper Name : C:\WINDOWS\Web\Wallpaper\Autumn.jpg
Wallpaper Style : Stretch
(This uses wallpaper from the Windows XP Pro installed on C drive of client PC)
20. Close the group policy editor.
21. Refresh Group Policy Management. On the menu bar, click Action ► Refresh (Figure
0285).
Figure 0285 : Group Policy Management – Refresh
22. Close the Group Policy Management window.
Update Group Policy
23. Launch the Run application. Click Start ► Run… (Figure 0286).
Figure 0286 : Launch the Run Application
24. Type gpupdate in the Open: box (Figure 0287).
Figure 0287 : Run Windows
25. Click OK to run the gpupdate (Figure 0288).
Figure 0288 : Updating Policy
26. Log off the server.
EXERCISE 10.2
Test the Group Policy
The group policy has been applied to members of the Stkm Organizational Unit. There are two
members; Zul Zcomby and Ocah Blue. You will now test this policy to see if it works.
27. Log on to the server as zul.zcomby.
27.1. Press Ctrl + Alt + Del.
27.2. Click Switch User button (Figure 0289).
Figure 0289 : Switch User button
27.3. Click Other User button (Figure 0290).
Figure 0290 : Other User button
27.4. Enter user as zul.zcomby and password as comby (Figure 0291).
Figure 0291 : Logon to server using user account
27.5. Press ENTER.
28. Do you have the RUN command on the Start Menu?
YES / NO
29. Do you have Clock on the system notification area?
YES / NO
Now verify that the settings are also applied to the client computer. Log on to the Client
computer as ocah.blue.
30. Press CTRL+ALT+DEL to display the logon dialog box (Figure 0292).
Figure 0292 : Windows XP Logon
31. Log on to the client computer as ocah.blue with ocah as the password (Figure 0293).
Figure 0293 : Log On To Server Using Client Workstation
32. Do you have the RUN command on the Start Menu?
YES / NO
33. Do you have Clock on the system notification area?
YES / NO
34. Was the wallpaper displayed on the client computer?
YES / NO
35. All the group policy settings should be applied (Figure 0294).
Figure 0294 : Client Computer – Ocah Blue
36. Log off the client computer.
37. Log off the Server.
Log on to client computer as zul.akmal
38. Press CTRL+ALT+DEL to display the logon dialog box (Figure 0295).
Figure 0295 : Windows XP Logon
39. Log on to Windows XP Professional as zul.akmal with akmal as the password (Figure
0296).
Figure 0296 : Log On To Server Using Client Workstation
40. Were the group policy settings applied?
YES / NO
41. If not, why do you think this is so?
Because zul.akmal is not a member of the Stkm OU. The group policy is applied only to the
members of the Stkm OU.
42. Log off the client computer.
EXERCISE 10.3
Disabling The Group Policy
In this exercise you will disable the group policy of Stkm OU.
43. Log on to the server as Administrator (Figure 0297).
Figure 0297 : Administrator Login
44. Launch Group Policy Management. Click Start ► Administrative Tools ► Group Policy
Management (Figure 0298).
Figure 0298 : Launch Group Policy Management
45. Expand the Forest (Figure 0299).
Figure 0299 : Group Policy Management - Forest
46. Expand the Domains (Figure 0300).
Figure 0300 : Group Policy Management – Domains
47. Expand your domain.com (Figure 0301).
Figure 0301 : Group Policy Management – myserver.com
You are now going to disable the policy of the Stkm OU. This is a better option than removing the
policy, because if you decide to re-implement the policy at a later date, it will still be there.
48. Expand the Stkm OU (Figure 0302).
Figure 0302 : Group Policy Management – Stkm
49. Click the Stkm Group Policy (Figure 0303).
Figure 0303 : Group Policy Management – STKM Group Policy
50. A warning box appears. Group Policy Management reminds you that you have
selected a link to a GPO and that changes you make will impact all other locations linked
with the GPO (Figure 0304).
Figure 0304 : Group Policy Management Console – Warning
51. Click OK to continue (Figure 0304).
52. Right-click the Stkm Group Policy and select Link Enabled (Figure 0305).
Figure 0305 : STKM Group Policy – Details
53. Now you can see that under Link Enabled, the status Yes has changed to No (Figure
0306).
Figure 0306 : STKM Group Policy – GPO Status
54. Close the Group Policy Management window.
Update Group Policy
55. Launch the Run application. Click Start ► Run… (Figure 0307).
Figure 0307 : Launch the Run Application
56. Type gpupdate in the Open: box (Figure 0308).
Figure 0308 : Run Windows
57. Click OK to run the gpupdate (Figure 0309).
Figure 0309 : Updating Policy
58. Log off the server.
Now verify that the group policy is disabled. Log on to the Client computer as zul.zcomby.
59. Press CTRL+ALT+DEL to display the logon dialog box (Figure 0310).
Figure 0310 : Windows XP Logon
60. Log on to Windows XP as zul.zcomby with comby as the password (Figure 0311).
Figure 0311 : Log On To Server Using Client Workstation
61. Were the policies now disabled?
YES / NO
62. Log off the client computer.
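The console steps of Exercises 10.1 and 10.3 can also be scripted. The PowerShell below is an added example, not part of the original lab: it assumes the GroupPolicy module (Windows Server 2008 R2 or later) and that the Stkm OU sits directly under myserver.com, and the function names are hypothetical. It writes only the Run, Clock and wallpaper values from step 19.

```powershell
# Added example, not from the original lab.
# Requires the GroupPolicy module and an account allowed to create and link GPOs.
Import-Module GroupPolicy

# Assumptions: domain myserver.com, Stkm OU directly under the domain root.
$GpoName = 'STKM Group Policy'
$OuDn    = 'OU=Stkm,DC=myserver,DC=com'

# Registry values behind the Administrative Templates settings chosen in step 19.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Settings = @(
    @{ Key = $Explorer; Name = 'NoRun';          Type = 'DWord';  Value = 1 },    # Remove Run menu
    @{ Key = $Explorer; Name = 'HideClock';      Type = 'DWord';  Value = 1 },    # Remove Clock
    @{ Key = $System;   Name = 'Wallpaper';      Type = 'String'; Value = 'C:\WINDOWS\Web\Wallpaper\Autumn.jpg' },
    @{ Key = $System;   Name = 'WallpaperStyle'; Type = 'String'; Value = '2' }   # 2 = Stretch
)

function New-StkmPolicy {
    # Steps 6-8: create the GPO and link it to the OU.
    New-GPO -Name $GpoName | New-GPLink -Target $OuDn -LinkEnabled Yes | Out-Null
    # Step 19: write each user-side policy value into the GPO.
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
            -Type $s.Type -Value $s.Value | Out-Null
    }
}

function Set-StkmLinkState {
    # Steps 52-53: toggle the link instead of deleting the GPO.
    param([ValidateSet('Yes', 'No')][string]$Enabled)
    Set-GPLink -Name $GpoName -Target $OuDn -LinkEnabled $Enabled | Out-Null
}

function Get-StkmLinkState {
    # List every GPO linked directly to the OU and whether each link is active.
    (Get-GPInheritance -Target $OuDn).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order
}
```

Running Set-StkmLinkState No and then Get-StkmLinkState shows the same Yes-to-No change that step 53 checks in the console.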
Summary
In this exercise you created a group policy and applied it to an organizational unit. Only a
fraction of the available settings were explored. Applying a group policy is a way of
controlling security and configuring groups of users with common settings. This can help
reduce the cost of ownership and the level of administrator support by restricting what users
can do or change on their computers.
Exercise 11 : Creating And Sharing Resources
One important aspect of a Windows Domain is the ability to share applications, files, printers
and other resources on the network. Resources created on Windows Server computers are
available to all users in the domain, and it is a simple administration task to allocate permissions
to users.
Preliminary Setup
Add zul.akmal, ocah.blue and ain.syahmi to the Intranet Users group.
1. Log on to the server as Administrator (Figure 0312).
Figure 0312 : Administrator Login
2. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0313).
Figure 0313 : Launch Active Directory Users and Computers
3. Click myserver.com (your domain.com) and double-click the Intranet Users group from
the list (Figure 0314).
Figure 0314 : Active Directory Users and Computers – Intranet Users Group
4. Click the Members tab (Figure 0315).
Figure 0315 : Active Directory Users and Computers – Intranet Users Properties
5. Add Ocah Blue as a member of Intranet Users.
5.1 Click Add … button (Figure 0316).
Figure 0316 : Add button
5.2 Click Advanced … button (Figure 0317).
Figure 0317 : Select Users, Contacts, Computers, or Group box
5.3 Click Find Now button (Figure 0318).
Figure 0318 : Select Users, Contacts, Computers, or Group - Advanced
5.4 Select Ocah Blue user account (Figure 0319).
Figure 0319 : Select Users, Contacts, Computers, or Group – Find Now
5.5 Click OK (Figure 0319).
5.6 Click OK (Figure 0320).
Figure 0320 : Select Users, Contacts, Computers, or Group
5.7 You can see Ocah Blue is added as a member of Intranet Users group (Figure
0321).
Figure 0321 : Intranet Users Properties
6. Now repeat step 5 to add zul.akmal and ain.syahmi as members of the Intranet Users
group.
7. After you finish adding all the users to the Intranet Users group, your Intranet Users properties
should be the same as the figure below (Figure 0322).
Figure 0322 : Active Directory Users and Computers – Intranet Users Properties
8. Click OK to finish adding members to the Intranet Users group (Figure 0322).
EXERCISE 11.1
Creating and Sharing a Resource Using Windows Explorer
In this exercise, you will use Windows Explorer to create a folder and verify the NTFS file
permissions. The folder will then be shared and permissions assigned. You will then access this
shared resource from the client computer.
1. Log on to the server as Administrator (Figure 0323).
Figure 0323 : Administrator Login
2. Launch Windows Explorer. Click Start ► Right-click Computer ► select Explore
(Figure 0324).
Figure 0324 : Launch Windows Explorer
3. Access D: drive (Figure 0325).
(Make sure your D drive is NTFS formatted. If not, you have to convert or format it to
NTFS)
Figure 0325 : Windows Explorer – D Drive
4. Create a folder named tempSN (SN represents your Station Number).
In the previous exercise I used number 21 as my Station Number, so in this exercise my
folder will be named temp21.
4.1. Right-click D drive ► select New ► Folder (Figure 0326).
Figure 0326 : Windows Explorer – Create New Folder
4.2. Rename the folder as temp21 (Figure 0327).
Figure 0327 : Rename Folder
5. Open the temp21 folder properties. Right-click temp21 folder ► select Properties
(Figure 0328).
Figure 0328 : Open the temp21 folder properties
6. Click the Security tab. A list of security permissions is displayed. Note that the group
Administrators is given Full Control access at the folder level (Figure 0329).
Figure 0329 : temp21 Folder Properties
When users access a folder across the network, both the share and NTFS permission
lists define the user permissions.
7. Click the Sharing tab (Figure 0330).
Figure 0330 : temp21 Folder Properties - Sharing
8. Click Advanced Sharing… button (Figure 0331).
Figure 0331 : Advanced Sharing… button
9. Enable the Share this folder option (Figure 0332).
Figure 0332 : Advanced Sharing
10. Specify the share name as Common (Figure 0333).
Figure 0333 : Advanced Sharing – Share name
11. Click the Permissions button (Figure 0334).
Figure 0334 : Permissions button
Now you will restrict permissions at the share level. Remember that user permissions to a
network resource are made up of the share permissions and the NTFS permissions.
12. Remove the Everyone group.
12.1. Select the Everyone group from the list (Figure 0335).
Figure 0335 : Permissions for Common
12.2. Click the Remove button (Figure 0336).
Figure 0336 : Remove button
13. Click the Add… button (Figure 0337).
Figure 0337 : Add… button
14. Add the Tech Support group with permissions of Full Control.
14.1. Click the Advanced… button (Figure 0338).
Figure 0338 : Advanced… button
14.2. Click the Find Now button (Figure 0339).
Figure 0339 : Find Now button
14.3. Select the Technical Support from the list of Search results (Figure 0340).
Figure 0340 : Search Results
14.4. Click OK button (Figure 0340).
14.5. Click OK button to add Technical Support (Figure 0341).
Figure 0341 : Select Users, Contacts, Computers, or Group
14.6. Click the Full Control allow box to enable the Full Control permission (Figure
0342).
Figure 0342 : Permission for Common – Full Control
15. Repeat steps 13 to 14 to add the Intranet Users group with Read permissions.
16. The share permissions should look the same as the figure below (Figure 0343).
Figure 0343 : Permission for Common
17. Once you have set the permissions as described, click the OK button to close the dialog box
(Figure 0343).
18. Click OK to close the advanced sharing dialog box for folder temp21 (Figure 0344).
Figure 0344 : Advanced Sharing
19. Click Close button to close temp21 properties (Figure 0345).
Figure 0345 : temp21 Properties
20. In the Explorer window you will note a small double head icon on the folder
D:\temp21, which indicates the folder is now shared (Figure 0346).
Figure 0346 : Windows Explorer – temp21 Folder
21. Log off the server.
22. Log on to the client computer as ali.zul with ali as the password (Figure 0347).
Figure 0347 : Log On To Server Using Client Workstation
23. Launch My Computer. Click Start ► My Computer (Figure 0348).
Figure 0348 : Launch My Computer
24. Click the My Network Places (Figure 0349).
Figure 0349 : My Computer
25. Click the Entire Network (Figure 0350).
Figure 0350 : Entire Network Link
26. Double-click the Microsoft Windows Network (Figure 0351).
Figure 0351 : Entire Network
27. Double-click the Myserver workgroup (Figure 0352).
Figure 0352 : Microsoft Windows Network
28. Double-click the Server21 and view the available resources (Figure 0353).
Figure 0353 : Myserver Workgroup
29. You should see the Common resource listed (Figure 0354).
Figure 0354 : Server21 Resources
30. Double-click the Common resources so that you are connected to it (Figure 0354).
31. A new window will open up and display the contents of the folder (it will be empty as
there are no files in the folder) (Figure 0355).
Figure 0355 : Common Folder on Server21
32. Attempt to create a new text file.
32.1. Right-click in the window and select New ► Text Document (Figure 0356).
Figure 0356 : Create New Text Document
32.2. Could you create the file? YES / NO
32.3. Log off the client computer.
33. Log on to the client computer as ocah.blue (Figure 0357).
Figure 0357 : Log On To Server Using Client Workstation
34. Launch My Computer. Click Start ► My Computer (Figure 0358).
Figure 0358 : Launch My Computer
35. Click the My Network Places (Figure 0359).
Figure 0359 : My Computer
36. Click the Entire Network (Figure 0360).
Figure 0360 : Entire Network Link
37. Double-click the Microsoft Windows Network (Figure 0361).
Figure 0361 : Entire Network
38. Double-click the Myserver workgroup (Figure 0362).
Figure 0362 : Microsoft Windows Network
39. Double-click the Server21 and view the available resources (Figure 0363).
Figure 0363 : Myserver Workgroup
40. You should see the Common resource listed (Figure 0364).
Figure 0364 : Server21 Resources
41. Double-click the Common resources so that you are connected to it (Figure 0364).
42. A new window will open up and display the contents of the folder (Figure 0365).
Figure 0365 : Common Folder on Server21
43. Attempt to create a new text file.
43.1. Right-click in the window and select New ► Text Document (Figure 0366).
Figure 0366 : Create New Text Document
43.2. Could you create the file?
YES / NO
If NO, why do you think this happened?
Before we began this exercise, we did some preliminary setup. We added
mad.akmal, ocah.blue and ain.syahmi to the Intranet Users group and we set
the permissions on the folder temp21 to Read only for Intranet Users. For the Tech
Support group, however, we set Full Control permissions.
In the earlier exercise, we added ali.zul as a member of the Tech Support group.
That’s why user ali.zul can create a new text document in the Common folder on
Server21.
44. Log off the client computer.
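The share set up in Exercise 11.1 can be created and checked from the command line as well. The PowerShell below is an added example, not part of the original lab: it assumes the NetBIOS domain name MYSERVER and the group names as typed, and the function names are hypothetical. It creates the Common share with the two group entries and then reads the share ACL back to confirm that Everyone is no longer on it.

```powershell
# Added example, not from the original lab. Run on Server21 in an elevated session.
# Assumptions: NetBIOS domain name MYSERVER and the group names as typed below.
$Path  = 'D:\temp21'
$Share = 'Common'

function New-CommonShare {
    # Steps 4 and 9-15: create the folder and share it, granting only the two groups.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    net share "$Share=$Path" "/GRANT:MYSERVER\Tech Support,FULL" `
                             "/GRANT:MYSERVER\Intranet Users,READ"
}

function Get-ShareAcl {
    # Read the share-level ACL (the list edited behind the Permissions button).
    param([string]$Name = $Share)
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    if (-not $sec) { throw "Share '$Name' was not found." }
    # Access masks behind the Read / Change / Full Control check boxes.
    $rights = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $mask = [int]$ace.AccessMask
        New-Object PSObject -Property @{
            Trustee = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Type    = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
            Right   = $(if ($rights.ContainsKey($mask)) { $rights[$mask] } else { '0x{0:X}' -f $mask })
        }
    }
}

function Test-ShareIsRestricted {
    # True only when no Allow entry for Everyone remains on the share (step 12).
    param([string]$Name = $Share)
    -not (Get-ShareAcl -Name $Name |
          Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -eq 'Everyone' })
}

# NTFS side of the same folder, for comparison with the share ACL:
# icacls $Path
```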
EXERCISE 11.2
Creating Network Drive Mapping
Instead of using My Network Places, you can map a drive letter to the resource. This is an
alternative way of accessing the resource, but requires that you know the location of the
resource (you can use My Network Places to view the available resources, so you don’t really
need to know the location).
45. Log on to the client computer as ali.zul with ali as the password (Figure 0367).
Figure 0367 : Log On To Server Using Client Workstation
46. Launch Map Network Drive wizard.
Click Start ► right-click My Computer ► select Map Network Drive… (Figure 0368).
Figure 0368 : Launch Map Network Drive Wizard
47. Select Z as drive and enter the location of the network resource in the Folder: box
(Figure 0369).
You must specify the name of the server and the share name.
In this exercise, it is \\Server21\Common.
Figure 0369 : Map Network Drive Wizard
48. Click Finish button to apply.
49. A new window will open up and display the contents of the Common folder (Figure
0370).
Figure 0370 : Common Folder on ‘Server 21’
50. Attempt to create a new test file (Figure 0371).
50.1. Right-click in the window and select New ► Text Document (Figure 0371).
Figure 0371 : Create New Text Document
50.2. Could you create the file?
YES / NO
51. Log off the client computer.
EXERCISE 11.3
Publishing a Shared Resource in Active Directory
One of the problems of publishing shares in the way you have just done (which is the way it was
done in NT 4 or 98) is that you have to browse the network or know which server the resource is
located on in order to find it. This can be time-consuming and frustrating for users.
Resources can be published in Active Directory, making them easy to find. In the next exercise
you will publish the resource into Active Directory.
52. Log on to the server as Administrator (Figure 0372).
Figure 0372 : Administrator Login
53. Launch Active Directory Users and Computers. Click Start ► Administrative Tools ►
Active Directory Users and Computers (Figure 0373).
Figure 0373 : Launch Active Directory Users and Computers
54. Right-click domain (myserver.com) and select New ► Shared Folder (Figure 0374).
Figure 0374 : Launch Shared Folder Wizard
55. Enter the name as Common Files and the Network path as your server name and
share name – in this exercise it is \\Server21\Common (Figure 0375).
Figure 0375 : Shared Folder Wizard
56. Click OK button to finish.
57. The new shared folder appears in the right windows pane of Active Directory (Figure
0376).
Figure 0376 : Active Directory Users and Computer
58. Close Active Directory Users and Computer windows.
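Publishing a share creates a directory entry that points at the share; access is still decided by the share and NTFS permissions set in Exercise 11.1. The PowerShell below is an added example, not part of the original lab: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later), and the function names are hypothetical. It publishes the share as in steps 54 to 56 and lists published shares with a check that each path still resolves.

```powershell
# Added example, not from the original lab.
# Requires the ActiveDirectory module and rights to create objects in the domain root.
Import-Module ActiveDirectory

function Publish-CommonShare {
    # Steps 54-56: a published shared folder is an AD object of class "volume"
    # whose uNCName attribute holds the network path.
    New-ADObject -Name 'Common Files' -Type volume -Path 'DC=myserver,DC=com' `
        -OtherAttributes @{ uNCName = '\\Server21\Common' }
}

function Get-PublishedShare {
    # List every published shared folder and flag entries whose path no longer
    # resolves for the caller (share deleted, server renamed, or access denied).
    Get-ADObject -LDAPFilter '(objectClass=volume)' -Properties uNCName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.Name
                UncPath   = $_.uNCName
                Location  = $_.DistinguishedName
                Reachable = (Test-Path -LiteralPath $_.uNCName)
            }
        }
}
```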
EXERCISE 11.4
Locating a Shared Resource in Active Directory
Now that the shared folder is published in Active Directory, it is easy for users to locate and
connect to the resource.
59. Log on to the client computer as ocah.blue (Figure 0377).
Figure 0377 : Log On To Server Using Client Workstation
60. Launch My Computer. Click Start ► My Computer (Figure 0378).
Figure 0378 : Launch My Computer
61. Click the My Network Places (Figure 0379).
Figure 0379 : My Computer
62. Click the Search Active Directory (Figure 0380).
Figure 0380 : My Network Places
63. In the Find drop box, select Shared Folders and in the In drop box, select your domain
- myserver (Figure 0381).
Figure 0381 : Find Shared Folders
64. Click Find Now button (Figure 0382).
Figure 0382 : Find Now button
65. A list of shared folders available is displayed (Figure 0383).
Figure 0383 : Find Shared Folders – Find Now
66. Right-click the Common Files shared folder from the list and select Map Network
Drive (Figure 0384).
Figure 0384 : Find Shared Folders - Map Network Drive
67. Select U as drive and enter the location of the network resource in the Folder: box
(Figure 0385).
Note how the location for the server share is filled in automatically.
Figure 0385 : Map Network Drive Wizard
68. Click Finish button to apply.
69. Close all remaining windows.
70. Launch My Computer. Click Start ► My Computer (Figure 0386).