Identity with Windows Server 2016 (Exam 70-742)

June 22, 2017 at 6:00 pm


My latest course at CBT Nuggets is complete:

Identity with Windows Server 2016 (Exam 70-742) – MCSA: Windows Server 2016 Microsoft Certified Solutions Associate

This course consists of the following action-packed Nuggets (NOTE: 41 of these Nuggets feature Hands On Labs to allow you to follow along, step-by-step!)

1. Course Introduction – 8 min
2. Active Directory Overview and Install – 19 min
3. Read-Only Domain Controllers and Removing DCs – 16 min
4. Install from Media and Domain Controller Upgrades – 13 min
5. Flexible Single Master Operator Roles – 15 min
6. Configure Domain Controller Cloning – 15 min
7. Troubleshooting Active Directory Installations – 8 min
8. Create, Copy, Configure, and Delete Users and Computers – 14 min
9. Automate the Creation of Active Directory Accounts – 19 min remaining
10. More Automation and Account Management – 11 min
11. Perform Bulk Active Directory Operations – 9 min
12. Configure User Rights – 5 min
13. Implement Offline Domain Join – 12 min
14. Create, Copy, Configure, and Delete Groups and OUs – 14 min
15. Automate Groups and OUs with PowerShell – 7 min
16. Manage Group Membership Using Group Policy – 4 min
17. Group Types and Group Nesting – 22 min
18. Configure Service Accounts – 11 min
19. Group Managed Service Accounts (gMSAs) – 10 min
20. Configure Kerberos Constrained Delegation (KCD) – 4 min
21. Manage Service Principal Names (SPNs) – 8 min
22. Configure Account Policies – 12 min
23. Offline AD and Defragmentation – 7 min
24. Clean Up Metadata – 7 min
25. Backup and Restore of Active Directory – 17 min
26. Replication of Active Directory – 10 min
27. Replication and PRP for RODC – 7 min
28. Multi-Domain and Multi-Forest Active Directory – 9 min
29. Configure Domain and Forest Settings – 6 min
30. Trusts – 10 min
31. Configure Sites and Subnets – 9 min
32. Create and Manage Group Policy Objects (GPOs) – 17 min
33. Configure Group Policy Processing – 13 min
34. Configure Group Policy Settings – 15 min
35. Configure Group Policy Preferences – 5 min
36. Install a Certificate Authority – 9 min
37. Installing a Subordinate CA – 23 min
38. CA Management – 10 min
39. Manage Certificates – 11 min
40. Install and Configure Active Directory Federation Services – 13 min
41. Implement Web Application Proxy (WAP) – 8 min
42. Install and Configure Active Directory Rights Management Services – 7 min

Create and Manage Group Policy Objects (GPOs) Part 2 of 2

June 7, 2017 at 3:45 pm

Group Policy

In this second post of two of basic Group Policy management, we discuss further topics involving these critical Windows management components.

Backup, Restore, Import and Copy Group Policy Objects (GPOs)

You can perform all backup and restore operations using the Group Policy Management console, or with Windows PowerShell cmdlets.

To backup all GPOs in your domain, open the Group Policy Management console and navigate to the Group Policy Objects node. Right-click the Group Policy Objects node, and then click Back Up All. You can also backup a specific object. To backup a specific GPO, in the Group Policy Objects node, click and then right-click the specific GPO you want to back up, and then click Back Up.

To restore a GPO, right-click the appropriate GPO in the Group Policy Objects node, and then click Restore from Backup.

You can also manage your backups from the Group Policy Management console. You can use the Manage Backups option to view the settings in a backup, to delete a backup, and to restore a backup. To access the Manage Backups tool, in the Group Policy Management console right-click the Group Policy Objects node, and then click Manage Backups. In the Manage Backups dialog box select the backup you want to manage, and then click Restore, Delete, or View Settings, as required.

Although you can link the same GPO to multiple containers, including domains, it is not always best to do this. Usually, it is better to import a GPO from another domain. The import process requires that you effectively restore the settings of another GPO into a newly created, empty GPO.

The process therefore starts with you creating a backup of the source GPO. To import the settings, in the Group Policy Management console on the target domain, create a new GPO in the Group Policy Objects node Right-click the new GPO, and then click Import Settings.

You can duplicate the settings in one GPO for reuse in another. An easy way to do this is to copy a GPO. In the Group Policy Management console, in the Group Policy Objects node, right-click the source GPO, and then click Copy. You can right click the Group Policy Objects node and choose Paste in order to duplicate the settings.

Create and Configure a Migration Table

There is a Migration Table Editor available inside the Group Policy Management tool that permits you to edit UNC and security principle references that might not apply to the domain where you are importing your Group Policy Object settings into. Simply reference this saved table of entries when you are following the Import Settings Wizard.

Reset Default GPOs

There is a simple tool called dcgpofix that you can use at the command prompt to reset the default GPOs back to their default settings. Remember, there is a Default Domain GPO and a Default Domain Controllers GPO. The tool features switches so that you can pic one or the other GPO to reset instead of resetting both.

Delegate Group Policy Management

Remember that you can delegate control over GPO tasks. This is done with the Delegation tab in the Group Policy Management tool, or you can delegate GPO tasks using the Active Directory Users and Computers tool.

Detect Health Issues

You can detect problems with your GPO infrastructure using the Group Policy Management console as well. This is done using the GPO Infrastructure Status page. To view the status, use the following procedure:

1. Select the domain object, and then click the Status tab.

2. To view the current status, click Detect Now.

3. Review the information in the details pane.

Create and Manage Group Policy Objects (GPOs) Part 1 of 2

May 30, 2017 at 10:34 pm


GPOs Overview

Group Policy Objects (GPOs) are one of the most powerful components in a Windows Server 2016-based environment. Thanks to GPOs, you can easily manage:

  • Windows settings
  • Application settings
  • Software deployment
  • Folder redirection (user Home folders)
  • Security settings
  • Infrastructure settings such as wireless and networking

Local GPOs

While most environments leverage the power of Active Directory (AD) and assign GPOs through the AD infrastructure, you can use local GPOs to control computers and users that are not part of an AD. Keep in mind that if you apply local GPOs to a system that is part of an AD, the AD-based GPO settings will override the local settings.

There are multiple local GPOs you can use, including:

  • Local Group Policy – this is the “classic” local Group Policy Object that contains a user and computer node with setting for each
  • Administrators and Non-Administrators Local Group Policy – this GPO allows you to control local admins versus non admins; it only has a user node as you would expect
  • User Specific Local Group Policy – these GPOs allow you to configure user-specific settings

NOTE: If you apply all of these to a local system, the priority order is as listed. For example, a user-specific setting would override a local group policy setting.

To create these local GPOs, simply log in as a local administrator and use the mmc.exe syntax in the run menu. Add a Snap In for the Group Policy Object Editor and then Browse for the local computer or users options to create the above local GPO editors.

Linking AD GPOs

When we use GPOs in the Active Directory environment, we link them to specific AD objects in order to set their scope. These objects include:

  • Sites
  • Domains
  • Organizational Units (OUs)

You can link GPOs to these AD objects using GUI tools as well as PowerShell.

Manage Starter GPOs

It is possible to create a template that contains the most common settings for your enterprise and then use this GPO as a template for customize it for certain areas. This is called a Starter GPO. There is a Starter Node in the Group Policy Management console you can use for this purpose.