Windows Server Pro: Manage and Administer Objective 3: File Services Management

You work as the IT Administrator for a small corporate network. You have four domain controllers in your Main location: *CorpDC*, *CorpDC2*, *CorpDC3*, and *CorpDC4*. During installation, *CorpDC2* and *CorpDC3* were not made global catalog servers. You would like additional global catalog servers. Your task in this lab is to designate *CorpDC2* and *CorpDC3* as global catalog servers.
(To answer this question, complete the lab using information below.)
Active Directory Users and Computers, edit the computer account. On the General tab, click *NTDS Settings…*
In Active Directory Sites and Services, edit the NTDS Settings for the server object. Tick the “Global Catalog” option and then Apply for both *CorpDC2* and *CorpDC3* servers.
You work as the IT Administrator for a small corporate network. You have a branch site with about 50 employees that is connected to the main site with a WAN link. A single domain controller named *BranchDC2* is configured in the branch location. Because the WAN link is slow and unreliable, you have not configured *BranchDC2* as a global catalog server. You find that when the WAN link goes down, users at the branch location cannot log on to the network. Even when the WAN link is up, users complain that logon is slow. You want to minimize Active Directory traffic across the WAN link, but you also want to let branch users log on to the network even when the WAN link is down. Your task in this lab is to use Active Directory Sites and Services to enable universal group membership caching in the branch office. To do this, edit the *NTDS Site Settings* object for the *Branch2-Site* site. Keep the default caching settings.
1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Sites and Services.
4. Expand the Sites node.
5. Select the site object.
6. In the right window, right-click the NTDS Site Settings object and select Properties.
7. Select the Enable Universal Group Membership Caching setting.
8. Click OK.
You work as the IT Administrator for a small corporate network. When you installed the *CorpDC* domain controller, you created a new domain in a new forest. Since then, you have added additional domain controllers. You would like to move some of the operation master roles to *CorpDC3* to provide role separation. Your task in this lab is to transfer the RID master and the PDC emulator roles to *CorpDC3*. You are currently logged on to the *CorpServer2* computer, which is the Hyper-V host for *CorpDC3*.
Use Active Directory Users and Computers to transfer the RID and PDC roles. Following are the steps an expert might take to complete this lab:

1. From Hyper-V Manager, click CORPSERVER2. Expand the window to view all virtual machines.
2. Right-click the CorpDC3 server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Users and Computers.
4. Right-click the domain and select Operations Masters….
5. Click the tab of the master you want to transfer.
6. Click Change….
7. Click Yes to confirm the transfer.
8. Click OK.
9. Repeat steps 5 through 8 to transfer additional master roles.
10. Click Close.

As your network has grown, you have added additional domains to the forest root domain. As a result, you would like to modify the operations master configuration on your network. Your task in this lab is to:
• Transfer the domain naming master role from *CorpDC* to *CorpDC4*. This means that *CorpDC* will only host the infrastructure master role.
• Because you will be creating additional domains in the forest, remove the global catalog from *CorpDC* to follow Microsoft’s recommendation to not have the infrastructure master on a global catalog server.
You are currently logged on to the *CorpServer2* computer, which is the Hyper-V host for *CorpDC4*.
*Transfer the Domain Naming Master*
1. From Hyper-V Manager, click CORPSERVER2. Expand the window to view all virtual machines.
2. Right-click the CorpDC4 server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Domains and Trusts.
4. Right-click the top node and select Operations Master….
5. Click Change….
6. Click Yes to confirm the transfer.
7. Click OK, and then click Close.

Note: This task must be performed from CorpDC4.

*Change a Global Catalog Server*

1. From Server Manager, select Tools > Active Directory Sites and Services.
2. Browse to the Site. Expand the Servers node, and then expand the server object.
3. Right-click the NTDS Settings object beneath the server and select Properties.
4. Select or deselect the Global Catalog option as necessary.
5. Click OK.

You work as the IT Administrator for a small corporate network. There are four domain controllers at the main location as follows:
| Domain Controller | Role(s) |
| --- | --- |
| CorpDC | Infrastructure master |
| CorpDC2 | None |
| CorpDC3 | PDC emulator, RID master |
| CorpDC4 | Domain naming master |
Lately, you have had some problems creating new User objects in the domain. You suspect that one of your domain controllers has an intermittent problem connecting to the network. All domain controllers are currently working, but you want to prevent future problems of this nature. Your task in this lab is to identify the operations master role that could cause the symptoms explained above, and then transfer that operations master role to the *CorpDC2* domain controller.
Connect to *CorpDC2*, click *Tools*, then *Active Directory Users and Computers*
Right click *CorpNet*, click *Operations Masters*.
On the *RID* tab, click Change, Yes, then OK.
On the *PDC* tab, click Change, Yes, then OK. Close.
You work as the IT Administrator for a small corporate network. Your network currently has a main office and two branch offices. Due to a recent expansion, you will be opening a new branch office. The new office will be part of the main site, and will be connected to the main office with a WAN link. For security reasons, you plan to install a read-only domain controller in the new location. Your task in this lab is to pre-create the RODC account in Active Directory.
• Before you begin, create a global security group named *Branch3-RODC Admins* in the Users container. Members of this group will be able to manage the read-only domain controller at the new location.
• Create the following RODC account in the Domain Controllers OU: *Branch3-RODC*
• Specify your current credentials to complete the installation.
• Add the account to the *Main-Site* site.
• Make the domain controller a global catalog server and DNS server.
• Identify the *Branch3-RODC Admins* group to manage the read-only domain controller.
*Create a Group*

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Users and Computers.
4. Browse the Active Directory structure to the Users container.
5. Right-click the container and select New > Group.
6. Type a name for the group (a pre-Windows 2000 group name will be created automatically, but can be changed).
7. Select a group scope and a group type, then click OK.
8. Close Active Directory Users and Computers.

*Pre-create an RODC Account*

1. From Server Manager, select Tools > Active Directory Administrative Center.
2. Browse to CorpNet (local) > Domain Controllers.
3. Right-click the Domain Controllers OU and select Pre-create Read-only Domain Controller Account….
4. Click Next to start the wizard.
5. Specify the credentials used to complete the installation. To accept the current credentials, click Next.
6. Type the computer name for the RODC. Click Next.
7. Select the site for the new account and click Next.
8. Select the additional options for the domain controller, then click Next.
9. To configure a group to manage the RODC, click Set….
• Type the name of the group or click Advanced… to search for the group.
• Click OK.
10. Click Next.
11. Click Next to create the account.
12. Click Finish.

You work as the IT Administrator for a small corporate network. You would like to back up the System State of your Domain Controllers to ensure a good backup of Active Directory in the event of a disaster. You want to configure regular backups on *CorpDC4*. Your task in this lab is to use Windows Server Backup on *CorpDC4* to do the following:
• Create a regular backup schedule for the *CorpDC4* server using the following settings:
• Items to back up: *System State*
• Backup schedule: *Once a day* at *1:00 AM*
• Backup location: *\\CorpFiles12\Backup*
• After you have created the schedule, take an immediate backup. Use custom settings as follows:
• Items to back up: *System State* and *C: drive*.
• Backup location: *\\CorpFiles12\Backup*.
*Create a Backup Schedule*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC4* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Windows Server Backup*.
4. In the Console Tree, click *Local Backup*.
5. In the Actions pane, click *Backup Schedule…*.
6. Click *Next* to begin the wizard.
7. Select the backup type, and then click *Next*. If the *Custom* type was selected:
• Click *Add items*.
• Check the boxes for the items to include in the backup. Click *OK*.
• Click *Next*.
8. Select the backup frequency and time(s). Click *Next*.
9. Select *Back up to a shared network folder*, and then click *Next*.
10. Click *OK*.
11. Enter the location of the shared folder, and then click *Next*.
12. Click *Finish*.
13. Click *Close*.

*Perform a Backup Once*

1. From the Windows Server Backup Actions pane, click Backup Once….
2. If you have previously created a backup schedule, you can choose to perform the backup using the schedule settings. To use other settings, select Different options and click Next.
3. Select the backup type, and then click Next. If the Custom type was selected:
• Click *Add items*.
• Check the boxes for the items to include in the backup. Click *OK*.
• Click *Next*.
4. Select the destination type for the backup. Click *Next*.
5. Enter or select the backup location and click *Next*.
6. Click *Backup* to start the backup.
7. Click *Close*.

You work as the IT Administrator for a small corporate network. Earlier, you created the *SecureWS* GPO with policy settings intended to apply to workstations in the domain. You defined the policy and linked it to the domain. Now you find that the GPO settings are affecting domain controllers and member servers, but it should only apply to workstations that are in various OUs. Your task in this lab is to modify GPO inheritance to prevent the *SecureWS* GPO from applying to domain controllers and member servers. Complete the following tasks:
• Block inheritance on the *Domain Controllers* OU.
• Block inheritance on the *Servers* OU.
• Enforce the *Default Domain Policy* so it can’t be blocked.
By blocking inheritance on the Domain Controllers and Servers OUs, you prevent the *SecureWS* GPO from affecting objects in those OUs. However, you also prevent the Default Domain Policy GPO from taking effect. To make sure this policy still applies, even when OUs are blocking inheritance, enforce the policy.

Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. To block inheritance, browse to the OU then right-click the OU and select *Block Inheritance*.
5. To enforce a GPO so that it can’t be blocked, right-click the GPO or GPO link and select *Enforced*.

You work as the IT Administrator for a small corporate network. Earlier, you created the *SecureWS* GPO with policy settings intended to apply to workstations in the domain. You defined the policy and linked it to the domain. Now you find that the GPO settings are affecting domain controllers. The policy should apply to all other computers, but not domain controllers. Your task in this lab is to modify GPO permissions to prevent the *SecureWS* GPO from applying to domain controllers.
• Add the *Domain Controllers* group to the access control list for the GPO.
• Deny the *Read* and *Apply group policy* permissions.
To prevent a GPO from applying to specific users or computers, you can edit the permissions for the GPO. Deny the *Read* and *Apply group policy* permissions.

Following are steps that an expert might take to perform the tasks in this lab.

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse and select a GPO link or the GPO object in the Group Policy Objects node.
5. On the right pane, click the Delegation tab.
6. Click *Advanced…*.
7. To add a group:
• Click *Add…*.
• Type the name of the group. Click *OK*.
8. To modify permissions assigned to a group:
• In the top box, select the group.
• Assigned permissions show in the bottom box. Check and uncheck permissions as desired.
9. Click *OK*.
10. Since you assigned Deny permissions, click *Yes* to continue.

You work as the IT Administrator for a small corporate network. The corporate office has directed that a specific set of policies be in place for all Domain Controllers and has provided you with a policy that must be applied. You copied the policy object called *Corp Domain Controllers*, which will be used for the new policies. Complete the following tasks:
• Import the corporate policy into the *Corp Domain Controllers* policy object. The policy is located at *\CorpFiles08AdminCorpPolicy*.
• As you import, make a backup of the current policy settings. Store the backup in *\\CorpFiles12\Backup\GPOs*.
• Copy references directly from the corporate policy.
• Link the Corp Domain Controllers policy to the Domain Controllers container and move it first in the Link Order.
Use Group Policy Management to import the corporate policy from *\CorpFiles08AdminCorpPolicy* into the *Corp Domain Controllers* policy and link it to the Domain Controllers OU.

Following are steps that an expert might take to perform the tasks in this lab:

*Import GPO Settings*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the *Group Policy Objects* container.
5. To import settings for a GPO, right-click the GPO and select *Import Settings…*.
6. Click *Next* to begin the wizard.
7. To create a backup of the current GPO settings, click *Backup…*.
• Click *Browse…*, and then browse to the backup location. Select the folder, and then click *OK*.
• Click *Back Up*.
• Upon completion of the backup, click *OK*.
8. Click *Next*.
9. Click *Browse…*, and then browse to the folder where the GPO policy backup is located. Select the folder, click *OK*, and then click *Next*.
10. Select the desired backup to import, and then click *Next*.
11. Click *Next*.
12. Select the desired migration setting, and then click *Next*.
13. Click *Finish* to import the GPO settings.
14. Click *OK* when complete.

*Link a GPO*

1. In Group Policy Management, right-click the Domain Controllers container and select *Link an Existing GPO…*.
2. Select the GPO and click *OK*.
3. To change the Link Order of the GPO, select the GPO and use the Up and Down arrows to move it up or down in the list.

You work as the IT Administrator for a small corporate network. Users in the accounting department use a custom software package. You want to use Group Policy to distribute the software so that it is installed on all accounting computers when they start up. You have copied the *AcctMagic.msi* installer package to the *SharedSoftware* directory, which is shared on *CorpFiles12*. Complete the following tasks on the *CorpDC* server:
1. Create a GPO called *Computers-Accounting Software* and link it to the Accounting OU.
2. Configure the GPO to assign the AcctMagic.msi software to all computers. The installer package is located in: *\\CorpFiles12\SharedSoftware\AcctMagic.msi*. Do not change the default name for the software package.
3. Configure the package to be automatically uninstalled when the computer account is moved from the Accounting OU.
*Create and Link a GPO*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the OU.
5. Right-click the OU and select *Create a GPO in this domain, and link it here…*.
6. Type the GPO name and select a starter GPO if required. Click *OK*.

*Create a Software Distribution Policy*

1. In Group Policy Management, browse to the GPO where you want to create the software distribution policy.
2. Right-click the GPO and select *Edit…*.
3. Under Computer Configuration, browse to *Policies\Software Settings*.
4. Right-click the *Software installation* node and select *New > Package…*.
5. Browse the network to locate and select the installer package file. Click *Open*.
6. Select *Advanced* to assign or publish the software package with deployment options. Click *OK*.
7. On the Deployment tab, modify deployment options as necessary. Click *OK*.

You work as the IT Administrator for a small corporate network. You have purchased a site license for a spreadsheet program. You have copied the *Spreadsheet.msi* installer package to the *SharedSoftware* directory, which is shared on *CorpFiles12*. Create the software installation package on *CorpDC* to meet the following requirements:
• The software will be installed through a new GPO that is to be named *Spreadsheet Software*.
• The software should be available for all users in the Accounting and the Research and Development departments, regardless of which computer they use for logon.
• The software should not be installed automatically. It should only be installed when users manually install it through Add or Remove Programs.
Create the GPO, configure its settings, and link it to the appropriate object(s) to meet the scenario requirements.
*Create and Link a GPO*

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the OU.
5. Right-click the OU and select *Create a GPO in this domain, and link it here…*.
6. Type the GPO name and select a starter GPO if required. Click *OK*.
7. To link the GPO to additional objects, right-click the object and select *Link an Existing GPO…*.
8. Select the GPO from the list, and then click *OK*.

*Create a Software Distribution Policy*

1. In Group Policy Management, browse to the GPO where you want to create the software distribution policy.
2. Right-click the GPO and select *Edit…*.
3. Under User Configuration, browse to *Policies\Software Settings*.
4. Right-click the *Software installation* node and select *New > Package…*.
5. Browse the network to locate and select the installer package file. Click *Open*.
6. Select whether to assign or publish the software package. Click *OK*.
7. To modify the package properties, right-click the package and select *Properties*.
8. On the Deployment tab, modify deployment options as necessary. Click *OK*.

You work as the IT Administrator for a small corporate network. You want to use Group Policy to distribute a database application called *Hot Leads* to all users in the sales department. You have copied the *HotLeads.msi* installer package to the *SharedSoftware* directory, which is shared on *CorpFiles12*. Create the software installation package on *CorpDC* to meet the following requirements:
• The software will be installed through a new GPO that is to be named *Hot Leads Software*.
• The software should be available only for users in the sales department, regardless of which computer they use for logon.
• The software should be installed automatically at logon.
• The software should not appear in Add/Remove Programs in the Control Panel.
• The software should be uninstalled automatically if the user account moves to a different department.
Create the GPO, configure its settings, and link it to the appropriate object(s) to meet the scenario requirements.
*Create and Link a GPO*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the OU.
5. Right-click the OU and select *Create a GPO in this domain, and link it here…*.
6. Type the GPO name and select a starter GPO if required. Click *OK*.

*Create a Software Distribution Policy*

1. In Group Policy Management, browse to the GPO where you want to create the software distribution policy.
2. Right-click the GPO and select *Edit…*.
3. Under User Configuration, browse to *Policies\Software Settings*.
4. Right-click the *Software installation* node and select *New > Package…*.
5. Browse the network to locate and select the installer package file. Click *Open*.
6. Select whether to assign or publish the software package. Click *OK*.
7. To modify the package properties, right-click the package and select *Properties*.
8. On the Deployment tab, modify deployment options as necessary. Click *OK*.

You work as the IT Administrator for a small corporate network. After a security review, you have decided to take steps to improve network security. You are configuring security options using Group Policy on the *CorpDC* server. Complete the following tasks:
• Edit the *Default Domain Policy* GPO and configure the following settings:
• Prevent logon with the Guest local account by disabling the *Accounts: Guest account status* policy.
• Change the local administrator username to *skycaptain* by enabling the *Accounts: Rename administrator account* policy.
• Prevent hackers from seeing valid usernames by enabling the *Interactive logon: Do not display last user name* policy.
• Prevent an anonymous user from requesting SID on behalf of another user by disabling the *Network access: Allow anonymous SID/Name translation* policy.
• Enable the *Network access: Do not allow anonymous enumeration of SAM accounts* policy.
• Enable the *Network access: Do not allow anonymous enumeration of SAM accounts and shares* policy.

• Edit the *SupportGPO* GPO linked to the Support OU. Configure the following settings:
• Prevent the computer from using cached credentials for logon by configuring the *Interactive logon: Number of previous logons to cache* policy to 0.
• Prevent the computer from using cached credentials to unlock by enabling the *Interactive logon: Require Domain Controller authentication to unlock workstation* policy.
• Prevent users from accessing the network outside designated hours by enabling the *Network security: Force logoff when logon hours expire* policy.
• Allow only users who can log on to the system to shut the system down by disabling the *Shutdown: Allow system to be shut down without having to log on* policy.
• Because all GPO settings in the *SupportGPO* GPO are in the Computer Configuration portion, disable the User Configuration portion of the GPO.

*Edit Security Options*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the domain or OU where the GPO is linked.
5. Right-click the GPO and select *Edit…*.
6. Browse to *Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies* and select *Security Options*.
7. Right-click the rights assignment you want to edit and select *Properties*.
8. Select *Define this policy setting*.
9. Select *Enabled* or *Disabled*, or configure additional values for the policy.
10. Click *OK*.
11. Repeat steps 7 through 10 as needed for additional options.
12. Close the Group Policy.

*Edit the GPO Status*

1. In the Group Policy Management console, browse to the *Group Policy Objects* folder.
2. Right-click the GPO you want to modify and select *GPO Status*, then select:
• *Enabled* to enable both computer and user settings
• *User Configuration Settings Disabled*
• *Computer Configuration Settings Disabled*
• *All Settings Disabled*

You work as the IT Administrator for a small corporate network. You are configuring a password policy for the domain. Your task in this lab is to edit the Default Domain Policy on *CorpDC* using Group Policy Management and configure the Account Policy settings to meet the following requirements:
• Passwords must be at least 10 characters long.
• Passwords must contain uppercase letter, lowercase letter, number, and symbol characters.
• Users must change passwords every 90 days.
• Users cannot change a new password for at least 14 days.
• Any new password must be different than the previous 10 passwords.
• If five incorrect passwords are entered within a ten minute interval, lock the account.
• Keep accounts locked for 1 hour. Then, unlock the account automatically.
1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the domain. Right-click the Default Domain Policy and select *Edit…*.
5. In the Group Policy Management Editor, browse to *Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies*.
6. Click either the *Password Policy* or *Account Lockout Policy* node.
7. On the right, right-click the policy you want to edit and select *Properties*.
8. If the policy is currently undefined, select *Define this policy setting*.
9. Edit the value for the policy, and then click *OK*.
10. Repeat steps 4 through 7 for additional policies.
You have recently implemented Account Policies for the domain to configure password and account lockout settings. However, the manager of the Accounting department has requested that her department be assigned a more restrictive policy set. You decide to implement a fine-grained password policy. Your task in this lab is to create a new password settings object with the following settings:
• Name: *AccountingPasswords*
• Precedence: *1*
• Enforce a minimum password length of *12* characters.
• Enforce password history with the last *15* passwords remembered.
• Password should meet complexity requirements.
• Do not store passwords using reversible encryption.
• Protect the object from accidental deletion
• Enforce a minimum password age of *2* days.
• Enforce a maximum password age of *30* days
• Enforce an account lockout policy:
• Failed attempts allowed: *3*
• Reset failed attempt count after *30* minutes
• Keep the account locked until an administrator unlocks it
• Assign the object to members of the Accounting department
*Note*: All users in the Accounting OU are members of the Accounting security group.
Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Active Directory Administrative Center*.
4. In the left panel, select *CorpNet (local)*. Then, in the center panel, browse to and select *System\Password Settings Container*.
5. Right-click the *Password Settings Container* and select *New > Password Settings*.
6. Enter the password settings as required by the scenario.
7. To assign the object, scroll down to the Directly Applies To panel and click *Add…*.
8. Enter the name of the user or group, and then click *OK*.
9. Click *OK*.

You work as the IT Administrator for a small corporate network. As part of your ongoing program to improve security, you would like to implement an audit policy for all workstations. You want to audit for any user who logs on or attempts to log on to a workstation. You also want to audit other critical events recommended by Microsoft. Your task is to configure the following Audit policy settings in the WorkstationGPO on *CorpDC*:
| Policy | Setting |
| --- | --- |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Enabled |
| Retention method for security log | Enabled: Do not overwrite events (clear log manually) |
| Audit Policies: Account Logon: Audit Credential Validation | Success and Failure |
| Audit Policies: Account Management: Audit User Account Management | Success and Failure |
| Audit Policies: Account Management: Audit Security Group Management | Success and Failure |
| Audit Policies: Account Management: Audit Other Account Management Events | Success and Failure |
| Audit Policies: Account Management: Audit Computer Account Management | Success |
| Audit Policies: Detailed Tracking: Audit Process Creation | Success |
| Audit Policies: Logon-Logoff: Audit Logon | Success and Failure |
| Audit Policies: Logon-Logoff: Audit Logoff | Success |
| Audit Policies: Policy Change: Audit Authentication Policy Change | Success |
| Audit Policies: Policy Change: Audit Audit Policy Change | Success and Failure |
| Audit Policies: Privilege Use: Audit Sensitive Privilege Use | Success and Failure |
| Audit Policies: System: Audit System Integrity | Success and Failure |
| Audit Policies: System: Audit Security System Extension | Success and Failure |
| Audit Policies: System: Audit Security State Change | Success and Failure |
| Audit Policies: System: Audit IPsec Driver | Success and Failure |

Remember to not use the old Audit Policies located in *Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policies*.

Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the policy. Right-click the policy and select *Edit…*.
5. In the Group Policy Management Editor, browse to the location of the policy settings.
6. On the right, right-click the policy you want to edit and select *Properties* (or double-click).
7. For the Security Options and Event Log policies, select *Define this policy setting*. Select additional settings as required.
For the Advanced Audit Policy Configuration policies, select *Configure the following audit events*. Select the type of auditing as required.
8. Click *OK*.
9. Repeat steps 5 through 8 for additional policy settings.

You work as the IT Administrator for a small corporate network. As part of your ongoing program to improve security, you would like to enable auditing for removable storage devices on all workstations. You want an audit event each time a user accesses or attempts to access a file system object on a removable storage device. Your task is to add Object Access auditing for removable storage to the *WorkstationGPO* policy object on *CorpDC*.
Use Group Policy Management to edit the *WorkstationGPO* object and configure the *Audit Removable Storage* policy in the Object Access category. Configure audit events for both *Success* and *Failure* to access a file system object on removable storage. To find the policy, browse to:

*Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access*

Following are steps that an expert might take to perform the tasks in this lab:
1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the policy. Right-click the policy and select *Edit…*.
5. In the Group Policy Management Editor, browse to the location of the policy settings.
6. On the right, right-click the policy you want to edit and select *Properties* (or double-click).
7. Select *Configure the following audit events*. Select the type of auditing as required.
8. Click *OK*.
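
To confirm that the audit settings from the two labs above took effect on a target machine, the following added example (not part of the lab material) parses the CSV report printed by auditpol /get /category:* /r and compares it with the expected values. The function names and the sample rows are constructed for illustration; the subcategory names are the en-US names that auditpol prints.

```powershell
# Added example, not part of the lab. Expected values are copied from the
# lab lists above; extend the tables with any further rows of the lab's list.
$ServerBaseline = [ordered]@{
    'Security Group Management'       = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Process Creation'                = 'Success'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
}
$WorkstationBaseline = [ordered]@{ 'Removable Storage' = 'Success and Failure' }

function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        # Lines in the format of: auditpol /get /category:* /r
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $CsvLines
    )
    # Map each reported subcategory to its effective setting.
    $effective = @{}
    $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in $Expected.Keys) {
        $actual = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

function Test-SubcategoryOverride {
    # True when the Security Options policy "Audit: Force audit policy subcategory
    # settings (Windows Vista or later) to override audit policy category settings"
    # is enabled, so the old category-level Audit Policies cannot conflict.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Constructed sample report (not captured from a real host): every row matches
# the baseline except Logon and Process Creation, which simulate drift.
$sample = @('Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting')
$sample += $ServerBaseline.GetEnumerator() | ForEach-Object {
    $setting = if ($_.Key -in 'Logon', 'Process Creation') { 'No Auditing' } else { $_.Value }
    "CORPDC,System,$($_.Key),{GUID},$setting,"
}

# Show only the settings that differ from the baseline.
Compare-AuditBaseline -Expected $ServerBaseline -CsvLines $sample |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# On a live machine, from an elevated prompt:
#   Compare-AuditBaseline -Expected $ServerBaseline -CsvLines (auditpol /get /category:* /r)
#   Compare-AuditBaseline -Expected $WorkstationBaseline -CsvLines (auditpol /get /category:* /r)
#   Test-SubcategoryOverride
```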

You work as the IT Administrator for a small corporate network. The Sales department would like to make sure that all users of Internet Explorer are using the Corporate intranet website for their home page regardless of which computer they use. You need to enforce these preferences along with a few changes to Internet Explorer security settings. All computers are running Internet Explorer 10. Your task is to configure the following Internet Explorer preference settings in the *SalesGPO*:
• Set the Home page to the company intranet: *www.corpnet.local*
• Set Internet Explorer to start with the specified homepage
• Set the Security level for the Local intranet zone to *Low*
• Prevent websites from requesting your physical location.
1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the GPO. Then, right-click and select *Edit…*.
5. Browse to the category for *Internet Settings*.
6. Right-click *Internet Settings* and select *New > Internet Explorer 10*.
7. On the General tab, enter the home page and select the specified startup option.
8. On the Security tab, select *Local intranet*, and then move the slider to *Low*.
9. On the Privacy tab, select *Never allow websites to request your physical location*.
10. Click *OK*.
You are the IT Administrator for a small corporate network. You have noticed that several computer monitors are still on late at night, long after employees have left. You would like to use Group Policy to set consistent power options for computers throughout the company. All workstations are either Windows 7 or Windows 8 and reside in the Workstations OU. Your task is to configure the following Power Option policy settings in the *WorkstationGPO* policy:
• Set the policy Action to *Update*
• Set the Balanced power plan as the active power plan for all workstations
• Set the following Advanced Settings:
• Hard disk > Turn off hard disk after: *On battery* 60 Minutes; *Plugged in* 120 Minutes
• Display > Turn off display after: *On battery* 30 Minutes; *Plugged in* 60 Minutes
Use Group Policy Management to edit the WorkstationGPO. To find the necessary policies, browse to:

*Computer Configuration\Preferences\Control Panel Settings\Power Options*

Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC2* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the GPO.
5. Right-click the GPO and select *Edit…*.
6. Browse to *Computer Configuration\Preferences\Control Panel Settings\Power Options*.
7. Right-click Power Options and select *New > Power Plan (At least Windows 7)*.
8. Select the required settings for this Power Plan and click *OK*.

You work as the IT Administrator for a small corporate network. The Support department uses a call center application that runs from the network. They would like to make sure that all support computers have a shortcut to this application on the desktop for all users. Your task is to deploy a shortcut to all computers using preference settings in the *SupportGPO* policy object as follows:
• Action: Update
• Name: CallStart
• Target Type: File System Object
• Location: All Users Desktop
• Target Path: \\CorpFiles12\CallCenter\CallStart.exe
Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > Group Policy Management*.
4. Browse to the GPO, and then right-click and select *Edit…*.
5. Browse to the category for *Shortcuts*.
6. Right-click *Shortcuts* and select *New > Shortcut*.
7. Enter the information for the shortcut as specified in the scenario.
8. Click *OK*.

You work as the IT Administrator for a small corporate network. You have configured the *WorkstationGPO* group policy object with all of the settings needed for management of the workstations on your network. To make sure that these settings can’t be lost, you would like to make a backup of the GPO. Your task is to create a backup of the *WorkstationGPO* policy object. Save the backup to *\CorpFiles12BackupGPOs*.
Use Group Policy Management to back up the WorkstationGPO policy object.

Following are steps that an expert might take to perform the tasks in this lab.

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Group Policy Management.
4. Browse to the Group Policy Objects container. Right-click WorkstationGPO and select Back Up….
5. Enter the backup location or click Browse… to select the network folder where the backup will be stored.
6. Enter a description for the backup. Click Back Up.
7. Click OK.

You work as the IT Administrator for a small corporate network. You have made several changes to the security settings for workstations in the WorkstationGPO policy object. Unfortunately, several of the changes you made did not work as expected. You need to return to settings which you know are good. Your task is to restore the settings of the *WorkstationGPO* from a recent backup in *\CorpFiles12BackupGPOs*.
Use Group Policy Management to restore a backup of WorkstationGPO from \CorpFiles12BackupGPOs.

Following are steps that an expert might take to perform the tasks in this lab:

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Group Policy Management.
4. Browse to the Group Policy Objects container.
5. To restore settings for a GPO, right-click the GPO and select Restore from Backup….
6. Click Next to begin the wizard.
7. Click Browse…, and then browse to the folder where the GPO backup is located. Select the folder, click OK, and then click Next.
8. Select the desired backup, and then click Next.
9. Click Finish to restore the GPO settings.

You work as the IT Administrator for a small corporate network. As the company continues to grow, you realize that you will need assistance with managing group policy. You would like to create a group that has the ability to manage group policy so you can assign assistants to the group as needed. Your task in this lab is to delegate group policy management as follows:
• Create a Global Security Group called *GPOAdmins* in the Admins container.
• Delegate the ability to create Group Policy Objects in the domain to the new *GPOAdmins* group.
To delegate GPO management, create the GPOAdmins group and add it to the Delegation tab of the Group Policy Objects container in Group Policy Management.

Following are steps that an expert might take to perform the tasks in this lab:

*Create a Group*

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Users and Computers.
4. Browse the Active Directory structure to the Admins container.
5. Right-click the container and select New > Group.
6. Type a name for the group (a pre-Windows 2000 group name will be created automatically).
7. Select a group scope and a group type, and then click OK.
8. Close Active Directory Users and Computers.

*Delegate Group Policy Management*

1. From Server Manager, select Tools > Group Policy Management.
2. Browse to and select the Group Policy Objects container.
3. In the right pane, select the Delegation tab.
4. Click Add….
5. Type the name of the group, and then click OK.

You are the IT Administrator for a small corporate network. As your network grows, you need to delegate common administrative tasks. You have defined the following administrative roles:
• *PasswordAdmins* will be able to reset passwords for any user in the domain.
• *ComputerAdmins* will be able to join computers to the domain for the entire domain.
• *GPOLinkAdmins* will be able to manage GPO links for departmental OUs (Accounting, Marketing, Research-Dev, Sales, and Support).
Your task in this lab is to delegate administrative roles on *CorpDC* to accomplish the following:
• Create Global security groups in the Users container for each of the administrative roles listed. Use the role name for the group name (do not include a space in the group name).
• Use the Delegation of Control Wizard to delegate the necessary permissions at the correct level to each group. In the wizard, use the common tasks option for delegating control.
*Create a Group and Modify Group Membership*

1. From Hyper-V Manager, click CORPSERVER. Expand the window to view all virtual machines.
2. Right-click the CorpDC server and select Connect… (maximize the window for easier viewing if desired).
3. From Server Manager, select Tools > Active Directory Users and Computers.
4. Browse the Active Directory structure to the parent domain or OU.
5. Right-click the domain, OU, or other container in which the new group must be created (the group context). From the pop-up menu, click New, then click Group.
6. Type a name for the group (a pre-Windows 2000 group name will be created automatically, but can be changed).
7. Select a group scope and a group type, then click OK.
8. To modify the group membership, right-click the newly-created group and select Properties.
9. Click the Members tab.
10. To add a group member (user account, computer account, or other group), use the following steps (repeat to add other group members):
• Click Add….
• Type the name of the object that you want to add.
• Click OK to add the new group member.
11. To remove a group member, select the member and click Remove.
12. Click OK to apply the changes.

*Delegate Administrative Control*

1. From Active Directory Users and Computers, browse the Active Directory structure to the level where you want to delegate control (the domain or an OU).
2. Right-click the domain or OU and select Delegate Control….
3. Click Next.
4. Click Add… to add users or groups.
5. Type the name of the user or group, then click OK.
6. Click Next.
7. To delegate common tasks, select the checkbox(es) next to the task(s) you want to delegate. Click Next.
8. Click Finish.

You are the IT Administrator for a small corporate network. Users on your network have started saving music and video files to your file server. These files are using up a lot of resources. You need to prevent these files from being saved to the server and set quotas on users’ directories. Your task is to add the role service to the *CorpFiles12* server that will provide you with the required features.
Use the Add Roles and Features wizard in Server Manager to add the File Server Resource Manager role service to the server. The role service is located under the File and Storage Services role in *File and Storage Services > File and iSCSI Services*.

Following are the steps an expert might use to complete this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpFiles12* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Manage > Add Roles and Features*.
4. Click *Next* to begin the Add Roles and Features Wizard.
5. Select *Role-based or feature-based installation* and click *Next*.
6. Select the desired server from the Server Pool and click *Next*.
7. Expand *File and Storage Services > File and iSCSI Services*.
8. Select the File Server Resource Manager role service. Click *Add Features* to include management tools, and then click Next.
9. Click *Next*.
10. Click *Install* to add the role.
11. Click *Close*.
12. From Server Manager, select *Tools > File Server Resource Manager* to verify the role was installed.

You are the IT Administrator for a small corporate network. Users on your network have started saving a lot of files to the file server. These files are using up a lot of resources. You need to set quotas on the *CorpFiles12* server. Create the following quotas:
• Create a Quota Template called *500 MB Hard Limit* with the following properties:
• 500 MB Hard quota
• Notification e-mail sent to the user at 80% usage
• Notification e-mail sent to the user and an event log entry at 90% usage.
• Notification e-mail sent to both the user and the Administrator along with an event log entry at 95% usage.
• Create a quota on *D:\Users* using the properties of the *250 MB Extended Limit* template.
• Create a quota on *H:\Projects* using the properties of the *Monitor 500 MB Share* template.
Following are the steps an expert might use to complete this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpFiles12* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > File Server Resource Manager*.
4. Expand *Quota Management* and select *Quota Templates*.
5. To create a Quota Template, right-click and select *Create Quota Template…*.
• Enter template name, space limits, and quota type.
• To create notification thresholds, click *Add…*.
• Enter the usage percentage to generate notification.
• Click *OK*.
• Click *OK*.
6. To create a Quota from a Quota template, right-click Quotas and select *Create Quota…*.
• Enter or browse to select the Quota path.
• Verify that *Derive properties from this quota template (recommended)* is selected, and then select the specified template.
• Click *Create*.
7. Repeat step 6 as needed to create additional Quotas from Quota Templates.

You are the IT Administrator for a small corporate network. Users on your network have started saving a lot of files to the file server. These files are using up a lot of resources. You need to create file screens on the *CorpFiles12* server. Create the following file screens:
• Create a file screen template called *Monitor Audio and Video* that monitors Audio and Video files. Send an e-mail to the Administrator and write an event to the event log if files matching the screen are saved.
• Create a file screen that monitors audio and video files being saved to the *D:\Users* directory. Use the *Monitor Audio and Video* template you just created.
• Create a file screen that prevents Executable files from being saved to the *H:\Projects* directory. Use the *Block Executable Files* template.
• Create a file screen exception that allows Executable files in *H:\Projects\Project1\Software*.
Following are the steps an expert might use to complete this lab:

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpFiles12* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Tools > File Server Resource Manager*.
4. Expand *File Screen Management* and select *File Screen Templates*.
5. To create a File Screen Template, right-click and select *Create File Screen Template…*.
• Enter template name and select screening type.
• Select the file groups to block.
• On the E-mail Message tab, select notification recipients as required.
• On the Event Log tab, select to send a warning to the event log as required.
• Click *OK*.
6. To create a File Screen from a File Screen Template, right-click File Screens and select *Create File Screen…*.
• Enter or browse to select the File Screen path.
• Verify that *Derive properties from this file screen template (recommended)* is selected, and then select the specified template.
• Click *Create*.
7. Repeat step 6 as needed to create additional File Screens from File Screen Templates.
8. To create a File Screen Exception, right-click *File Screens* and select *Create File Screen Exception…*.
• Enter or browse to select the Exception path.
• Select the file groups to exclude from screening.
• Click *OK*.
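
The quota and file screen labs above can also be expressed as a script, which makes the thresholds and the executable-file exception reviewable in one place. This is an added example, not part of the lab material; it assumes it runs on the file server with the File Server Resource Manager role service installed, that SMTP settings are configured in the FSRM options, and that the built-in templates and file groups named in the labs exist. The message subjects and bodies are constructed text.

```powershell
# Added example, not part of the lab. Run elevated on the file server.
Import-Module FileServerResourceManager

$user  = '[Source Io Owner Email]'   # FSRM variable: the user who hit the limit
$admin = '[Admin Email]'             # FSRM variable: administrator address from FSRM options

function New-LabMailAction([string]$MailTo, [string]$Text) {
    New-FsrmAction -Type Email -MailTo $MailTo -Subject $Text -Body $Text
}
function New-LabEventAction([string]$Text) {
    New-FsrmAction -Type Event -EventType Warning -Body $Text
}

# --- Quota template: 500 MB hard limit with 80/90/95 percent notifications ---
if (-not (Get-FsrmQuotaTemplate -Name '500 MB Hard Limit' -ErrorAction SilentlyContinue)) {
    $thresholds = @(
        New-FsrmQuotaThreshold -Percentage 80 -Action @(
            (New-LabMailAction $user 'Quota usage reached 80%'))
        New-FsrmQuotaThreshold -Percentage 90 -Action @(
            (New-LabMailAction $user 'Quota usage reached 90%'),
            (New-LabEventAction 'Quota usage reached 90%'))
        New-FsrmQuotaThreshold -Percentage 95 -Action @(
            (New-LabMailAction "$user;$admin" 'Quota usage reached 95%'),
            (New-LabEventAction 'Quota usage reached 95%'))
    )
    # Hard quota is the default; -SoftLimit would make it monitoring only.
    New-FsrmQuotaTemplate -Name '500 MB Hard Limit' -Size 500MB -Threshold $thresholds
}

# --- Quotas derived from built-in templates ---
New-FsrmQuota -Path 'D:\Users'    -Template '250 MB Extended Limit'
New-FsrmQuota -Path 'H:\Projects' -Template 'Monitor 500 MB Share'

# --- File screen template: passive (monitor only) screening of audio/video ---
if (-not (Get-FsrmFileScreenTemplate -Name 'Monitor Audio and Video' -ErrorAction SilentlyContinue)) {
    $notify = @(
        (New-LabMailAction $admin 'Audio or video file saved to a screened folder'),
        (New-LabEventAction 'Audio or video file saved to a screened folder')
    )
    New-FsrmFileScreenTemplate -Name 'Monitor Audio and Video' `
        -IncludeGroup 'Audio and Video Files' -Active:$false -Notification $notify
}

# --- File screens and the exception for the software folder ---
New-FsrmFileScreen -Path 'D:\Users'    -Template 'Monitor Audio and Video'
New-FsrmFileScreen -Path 'H:\Projects' -Template 'Block Executable Files'
New-FsrmFileScreenException -Path 'H:\Projects\Project1\Software' -IncludeGroup 'Executable Files'

# Review the result: which paths block (Active) and which only monitor.
Get-FsrmFileScreen | Select-Object Path, Template, Active, IncludeGroup
Get-FsrmFileScreenException | Select-Object Path, IncludeGroup
```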

You are the IT Administrator for a small corporate network. You would like to simplify file access for various departments using the Distributed File System (DFS). Your implementation will be configured as follows:
• The *CorpDC2* server will host a domain namespace and several replicated folders.
• The server will replicate with other servers running DFS.
Your task in this lab is to add the necessary role services to provide the required features.
After adding the role services, create the DFS structure as follows:
• Create a namespace on server *CorpDC2*. Users will use *\\CorpNet\SharedFiles* to access the namespace. Create the namespace so that you can use access-based enumeration.
• Create folders with targets as follows:
• *Folder name*: Accounting; *Target*: \\CorpFiles12\Accounting
• *Folder name*: Marketing; *Target*: \\CorpFiles08\Marketing
• *Folder name*: Sales; *Target*: \\CorpFiles08\Sales
*Add DFS Role Services*

1. From Hyper-V Manager, click *CORPSERVER*. Expand the window to view all virtual machines.
2. Right-click the *CorpDC2* server and select *Connect…* (maximize the window for easier viewing if desired).
3. From Server Manager, select *Manage > Add Roles and Features*.
4. Click *Next* to begin the Add Roles and Features Wizard.
5. Select *Role-based or feature-based installation* and click *Next*.
6. Select the desired server from the Server Pool and click *Next*.
7. Expand *File and Storage Services > File and iSCSI Services*.
8. Select the DFS Namespaces role service. Click *Add Features* to include management tools.
9. Select the DFS Replication role service. Click *Next*.
10. Click *Next*.
11. Click *Install*.
12. Click *Close*.

*Create a Domain-based DFS Namespace*

1. From Server Manager, select *Tools > DFS Management*.
2. Right-click *Namespaces* and select *New Namespace…*.
3. Enter the server name that will host the namespace. Click *Next*.
4. Enter a name for the namespace and click *Next*.
5. Make sure *Domain-based namespace* is selected. To allow access-based enumeration, select *Enable Windows Server 2008 mode*. Click *Next*.
6. Click *Create*.
7. Click *Close*.
8. To add folders, right-click the namespace and select *New Folder…*.
9. Enter the folder name and click *Add…*.
10. Enter the path or browse to the target folder. Click *OK*.
11. Click *OK*.
12. Repeat steps 8 through 11 as necessary to add additional folders.

You work as the IT Security Administrator for a small corporate network. You have placed several documents that are used only by administrators in a folder on *CorpServer*. You need to secure the contents of the *C:\Admins* folder so that unauthorized users cannot view the documents in the folder. You also need to allow Susan access to the latest password file in the folder. Complete the following tasks:
• Encrypt the *C:\Admins* folder and all of its contents.
• Add the *Susan* user account as an authorized user for the *C:\Admins\Passwords.xls* file.
To encrypt the folder, edit the folder properties. Use the Advanced… button to view and set the encryption attribute.

Complete the following steps:

1. Click *File Explorer* in the task bar.
2. Select the *C:* volume.
3. Right-click the *Admins* folder and select *Properties*.
4. Click *Advanced…*.
5. Select *Encrypt contents to secure data*. Click *OK*.
6. Click *OK*.
7. Select the setting to apply encryption to the entire folder and its contents. Click *OK*.
8. To authorize additional users for a file, open the *Admins* folder.
9. Right-click the file and choose *Properties*.
10. Click *Advanced…*.
11. Click *Details*.
12. Click *Add…*.
13. Select the user and click *OK*.
14. Click *OK*.
15. Click *OK*.
16. Click *OK*.

You work as the IT Administrator for a small corporate network. Employees in Branch Office 1 are working on a very sensitive project. Files for the project are stored on the *BranchFiles12* server. Management is concerned that if the hard drive in the server were to be stolen, sensitive information could be compromised. As a result, you have been asked to encrypt the entire System volume. The *BranchFiles12* server has a built-in TPM on the motherboard. Your task in this lab is to configure BitLocker drive encryption as follows:
• Turn on BitLocker for the *System (C:)* drive.
• Turn on and activate the TPM.
• Save the recovery key to *\\CorpFiles12\Backup*.
• Encrypt the entire drive.
• Perform a BitLocker system check.
*Note*: To activate the TPM, restart the server and press the *Delete* key to enter setup.
*Complete the following steps:*

1. Move the mouse to the lower left-hand corner and click *Start* when it appears.
2. Click *Control Panel > System and Security > BitLocker Drive Encryption*.
3. Click *Turn On BitLocker* next to System (C:). Windows indicates that a TPM was not found.
4. Restart *BranchFiles12* and press *Delete* to enter Setup.
• To restart the server, move the mouse to the lower right corner to activate the charms menu.
• Click *Settings*.
• Click *Power*, and then select *Restart*.
5. Expand *Security*, select *TPM Security*, and press *Enter*.
6. Turn the TPM device *On* and press *Enter*.
7. Press *Esc*, select *Save/Exit*, and then press *Enter*.
8. Move the mouse to the lower left-hand corner and click *Start* when it appears.
9. Click *Control Panel > System and Security > BitLocker Drive Encryption*.
10. Click *Turn On BitLocker* next to System (C:). Now Windows is able to begin Drive Encryption setup.
11. Click *Next*.
12. Click *Restart*.
13. When prompted, select *Modify*, and then press *Enter* to change the TPM configuration.
14. Click *Next* to proceed with drive encryption.
15. Click *Save to a file*.
16. Browse the Network to *\\CorpFiles12\Backup* and click *Save*.
17. Click *Next*.
18. Select how much of the drive to encrypt and click *Next*.
19. Select *Run BitLocker system check*, and then click *Continue*.
20. Click *Restart now*.
21. Upon restart, move the mouse to the lower left-hand corner and click *Start* when it appears.
22. Click *Control Panel > System and Security > BitLocker Drive Encryption* and verify that BitLocker is on and the drive is encrypted.
23. Move the mouse to the lower left-hand corner and click *Start* when it appears.
24. Click *Computer* to verify that the System (C:) drive shows the lock icon.
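
The lock icon in the last step only shows that BitLocker is enabled. As an added example (not part of the lab material), the check below evaluates the TPM state, encryption status, protection status and key protectors from objects shaped like the output of Get-Tpm and Get-BitLockerVolume. The function name and the two sample states are constructed for illustration.

```powershell
# Added example, not part of the lab.
function Test-BitLockerState {
    param(
        [Parameter(Mandatory)] $Tpm,      # object shaped like Get-Tpm output
        [Parameter(Mandatory)] $Volume    # object shaped like Get-BitLockerVolume output
    )
    # Collect the protector types as strings so enum values and samples compare alike.
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    $checks = [ordered]@{
        'TPM present and ready'               = [bool]($Tpm.TpmPresent -and $Tpm.TpmReady)
        'Volume fully encrypted'              = ([string]$Volume.VolumeStatus -eq 'FullyEncrypted')
        'Protection is on'                    = ([string]$Volume.ProtectionStatus -eq 'On')
        'TPM key protector present'           = ($types -contains 'Tpm')
        'Recovery password protector present' = ($types -contains 'RecoveryPassword')
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ MountPoint = $Volume.MountPoint; Check = $c.Key; Passed = $c.Value }
    }
}

# Constructed sample objects (not captured from a real server).
$tpmReady   = [pscustomobject]@{ TpmPresent = $true; TpmReady = $true }
$protectors = @(
    [pscustomobject]@{ KeyProtectorType = 'Tpm' }
    [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
)
$finished = [pscustomobject]@{
    MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
    KeyProtector = $protectors
}
# A state in which encryption has started but the volume is not yet protected.
$midway = [pscustomobject]@{
    MountPoint = 'C:'; VolumeStatus = 'EncryptionInProgress'; ProtectionStatus = 'Off'
    KeyProtector = $protectors
}

Test-BitLockerState -Tpm $tpmReady -Volume $finished | Format-Table -AutoSize
Test-BitLockerState -Tpm $tpmReady -Volume $midway |
    Where-Object { -not $_.Passed } | Format-Table -AutoSize

# On the live server, from an elevated prompt:
#   Test-BitLockerState -Tpm (Get-Tpm) -Volume (Get-BitLockerVolume -MountPoint 'C:')
```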