windows:windowsserver:activedirectory:gpo

Differences

This shows you the differences between two versions of the page.

windows:windowsserver:activedirectory:gpo [2017/12/08 17:08] – created lunetikk
windows:windowsserver:activedirectory:gpo [2017/12/08 17:08] (current) lunetikk
Line 1: Line 1:
-__false__+===== GPO =====
  
 +I chose some policies just for a test:
 +- Group1 gets a red background
 +- Group2 has no rights to select "Systemcontrol"
 +- Group3 is the only group with remotedesktoprights
 +- Group4 has %%www.google.com%% for the startingpage (Internet Explorer)
 +- Group5 will be connected to a network share which will be opened automatically. 
 +
 +- All will have a disabled firewall and when they login or out their profiles will be synchronized.
 +
 +==== Set Group Policies ====
 +
 +To set the red backgroundcolor I created a new share with the name wallpaper$. The "$" will make this share invisible in the local network.
 +You can only reach it when you open it directly. In the directory you have to add a picture with a single red dot named "red.jpg".
 +In GroupPolicyAdministration under OU "Group1" you have to add a new Policy. Rightclick -> edit opens the GroupPolicyEditor.
 +Under Userconfiguration -> Policies -> Administrative Templates -> Desktop you have to activate "Active Desktop" (enable HTML- and JPG as backgroundpicture) and Desktopbackground.
 +In Desktopbackground you have to set the UNC-PATH %%\\dc\wallpaper$\red.jpg%% and as style "stretching".
 +
 +Back in the GroupPolicyAdministration you add an OU for "Group2".
 +In "edit" you can find the option to disable the Systemcontrol under Userconfiguration -> Policies -> Administrative Templates -> Systemcontrol. There you have to enable "disable access to Systemcontrol".
 +
 +Next step you add a Policy for the "Group3" or "computers". In this you have to add Computerkonfiguration -> Policies -> Windows-Options -> Securitysettings -> RestrictedGroups , the group "RDPUsers".
 +
 +To change the startpage of the browser for "Group4" you have to add another policy. There you go to Userconfiguration -> Policies -> Window-Options -> Internet Explorer -> URLs/Important URLs and set %%www.google.com%% as the startingpage.
 +
 +For adding the share you have to write a small script. Just open a .txt file and add the following:
 +
 +<code batch netuse.bat>
 +net use v: \\dc \vw-share /persistent:no
 +start explorer.exe "v:\"
 +</code>
 +
 +Save this file as *.bat or *.cmd. Add a policy and under Userconfiguration -> Policies -> Windows-Options -> Scripts -> Login click on add and browse. 
 +Move the script to the defined folder (User-Scripts-Logon) and add.
 +
 +To deactivate the firewall you need another script. Just as before open a .txtfile and add:
 +
 +<code batch firewall.bat>
 +net stop "MpsSvc"
 +</code>
 +
 +You have to add a policy under "computer". In Computerconfiguration -> Windows -> Options -> Scripts -> Start you have do add and browse just like before and move the file to "Machine-Scripts-Startup".
 +Additionally you have to disable the service "MpsSvc" under Computerconfiguration -> Options -> Systemcontroloptions -> Services.
 +
 +At last you realise the profile synchronization. To do this you need another "share" with the name of the user under the share "profile$".
 +Rightclick -> Options -> tab Enabling  -> Cache you should select the option "No Data or Programms from the enabled directory should be availiable offline".
 +Now you have to edit the users once again. Rightclick an user, open Options and tab Profile. Add as Profilepath %%"\\dc\profile$\%username%"%%. "%username%" is a wildcard to add the username automatically.
 +This way you dont need to add the username manually.
 +
 +
 +
 +=>Continue with [[windows:windowsserver:activedirectory:trust|Trust]]
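Review bot: In netuse.bat the UNC path is split by a space (`\\dc \vw-share`), so net use is not given a single \\server\share argument and the `start explorer.exe "v:\"` line that follows depends on a mapping that this command does not describe correctly; write the server and share as one path with no space. In firewall.bat and the service setting after it, the policy stops and disables MpsSvc on every machine it applies to, while the introduction only asks for a disabled firewall: stopping the service is not the supported way to do that, so set the firewall profiles to off in the Windows Firewall policy settings instead, link the policy only to the test OU, and state in the page that it is a lab setting. The Group3 step names a group "RDPUsers" in Restricted Groups without saying where that group is created or which local group it is made a member of, which is worth one more sentence because that membership is what actually limits remote desktop access to Group3.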
windows/windowsserver/activedirectory/gpo.1512749299.txt.gz · Last modified: 2017/12/08 17:08 (external edit)