In this step, we'll set up user accounts and make some policies for the computers belonging to our domain. Fortunately, there are only a few non-intuitive parts of this process.
One of the big benefits of being on a domain is that the administrator can set all kinds of policies to control how the computers work - if a setting is normally configurable by a user, there's probably a policy that can set it and lock it. It sounds like policies are about taking control away from the user, but in practice they're mostly used to configure machines centrally so you don't have to go to EVERY computer and set hundreds of little options by hand. For instance, one of my major policies specifies that the "Offline Files" feature should be turned on, with the appropriate folders automatically made always available offline, without any user interaction at all.
There are two kinds of policies: computer policies (which apply to any user logging on to that particular computer) and user policies (which apply to a user, no matter which computer they log on to). As with everything else in Windows, it uses the "folder" model - a policy is linked to a container (the domain or an OU), and anything in it (including sub-OUs and their contents) gets the policy applied. If two policies conflict, the one linked closest to the object wins: the "lowest" policy overrules the "higher" one. So if I link a policy turning on Offline Files to the OU containing all the domain computers, but then make a sub-OU and link a policy there that turns Offline Files off, any computers in the sub-OU will have Offline Files turned off. The one exception to remember is a link marked "Enforced", which wins over anything below it regardless of depth.
OK, let's get started.
Open up your Server Manager window, and under "Roles", expand "Active Directory Domain Services", "Active Directory Users and Computers", and finally expand the item named with your domain name.
Among the folders are two named "Computers" and "Users". These are the default places where new computers and new users go when they join the domain. Despite looking like the others, they are plain containers (CN=Users and CN=Computers), not OUs, and Group Policy can only be linked to sites, domains and OUs - which is why you can't apply policies to them. So I go in and create new OUs called "EmployeeComputers" and "EmployeeUsers" (right-click the domain, New, Organizational Unit).
It will work if you leave it like this, but you'll have to manually go in every time you add a user or computer to the domain and drag them into the correct OU - which is a pain. It's much better to make those OUs the default containers.
Now, go up to the top of the window and in the "View" menu, check "Advanced Features". Then right-click each of the OUs you created and choose "Properties". Go over to the "Attribute Editor" tab and scroll down to "distinguishedName". It'll look something like OU=EmployeeComputers,DC=domain,DC=com. Write that down or copy-n-paste it into Notepad or something. Do the same thing for EmployeeUsers. When you're done, go back to "View" and un-check "Advanced Features".
Now, if I haven't lost you yet, here's the other part that you'd never be able to logic through - to set them as the default containers for those object types, you need to drop out to the commandline.
Click Start, type cmd and hit Enter. You'll get a black console window with a C:\ prompt. Yes, seriously.
Go to System32:
cd c:\windows\system32
I know it's a 64-bit OS, but all the critical tools are still in System32 (it's also on the PATH, so the cd is only there so you can see the tools are really in that folder). The commands you need are "redirusr" and "redircmp", followed by a space and the distinguishedName of the appropriate OU. Both need to be run as a Domain Admin, and both require the domain functional level to be Windows Server 2003 or higher. If an OU name contains spaces, put the whole DN in double quotes. For instance:
redirusr OU=EmployeeUsers,DC=domain,DC=com
redircmp OU=EmployeeComputers,DC=domain,DC=com
Each command should say it completed successfully, then you can close the console.
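The same procedure done as a script, as an added example that is not part of the original post: it creates the two OUs, reads their distinguishedName from the directory instead of Attribute Editor, runs redirusr/redircmp, and then checks that the redirection really took by reading the domain's wellKnownObjects attribute (which is where Windows records the default containers). It assumes the OU names used above, an elevated PowerShell on a domain controller running as a Domain Admin, and reads the domain DN from RootDSE rather than hard-coding DC=domain,DC=com.

```powershell
# Added example, not from the original post. Creates the two OUs, points the
# domain's default user and computer containers at them with redirusr/redircmp,
# and verifies the result. Run in an elevated PowerShell on a DC as a Domain Admin.
# Assumptions: the OU names from the post; the domain DN is read from RootDSE
# instead of being hard-coded.

$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=domain,DC=com
$domain   = [ADSI]"LDAP://$domainDN"

# Create an OU directly under the domain head if it does not already exist,
# and return its distinguishedName (the value the post has you copy out of
# Attribute Editor).
function New-OUIfMissing {
    param([string]$Name)
    $dn = "OU=$Name,$domainDN"
    if (-not [ADSI]::Exists("LDAP://$dn")) {
        $ou = $domain.Children.Add("OU=$Name", "organizationalUnit")
        $ou.CommitChanges()
    }
    return $dn
}

$usersOU     = New-OUIfMissing -Name "EmployeeUsers"
$computersOU = New-OUIfMissing -Name "EmployeeComputers"

# redirusr/redircmp live in %SystemRoot%\System32, which is on the PATH, so no
# cd is needed. Both need the Windows Server 2003 (or later) domain functional
# level. The DN is quoted in case an OU name ever contains spaces.
& redirusr.exe "$usersOU"
if ($LASTEXITCODE -ne 0) { throw "redirusr failed (exit code $LASTEXITCODE)" }
& redircmp.exe "$computersOU"
if ($LASTEXITCODE -ne 0) { throw "redircmp failed (exit code $LASTEXITCODE)" }

# Verify. The redirection is stored in the domain head's wellKnownObjects
# attribute as "B:32:<GUID>:<DN>" strings. The two GUIDs below are Microsoft's
# well-known-object GUIDs for the Users and Computers containers.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, "(objectClass=domainDNS)")
$searcher.SearchScope = "Base"
[void]$searcher.PropertiesToLoad.Add("wellKnownObjects")
$wko = @($searcher.FindOne().Properties["wellknownobjects"])

$usersTarget     = ($wko | Where-Object { $_ -match '^B:32:A9D1CA15768811D1ADED00C04FD8D5CD:' }) -replace '^B:32:[0-9A-Fa-f]{32}:', ''
$computersTarget = ($wko | Where-Object { $_ -match '^B:32:AA312825768811D1ADED00C04FD8D5CD:' }) -replace '^B:32:[0-9A-Fa-f]{32}:', ''

"New user objects go to    : $usersTarget"
"New computer objects go to: $computersTarget"
if ($usersTarget -ne $usersOU -or $computersTarget -ne $computersOU) {
    throw "Redirection did not take effect; check the redirusr/redircmp output above."
}
```

The verification step is the part worth keeping: if someone later runs redircmp again and points it somewhere else, new machines silently land in an OU with different policies, and reading wellKnownObjects is the quickest way to see where they are actually going.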
Now, onto actually making policies for the domain.
Click Start, and under "Administrative Tools", open "Group Policy Management".
This window will look fairly similar, since it shows (most of) the same OUs as "Users and Computers". There are a few more objects scattered among the OUs, however - they look like little script document icons. These are policy links. By default, there's a "Default Domain Policy" linked right under your domain, and expanding the "Domain Controllers" OU will show you the other default policy, "Default Domain Controllers Policy". Click these and go to the "Settings" tab to see everything they do. (It's a lot.)
Now, it is possible to simply edit these policies and have one massive policy (well, two, since the Domain Controllers need to be more locked down than any other computers on the network) with ALL the settings you want in it, but I find it much easier to make lots of policies that each do pretty much one thing, and link them where appropriate.
To make a policy, right-click the "Group Policy Objects" node and choose "New". Name it according to what you want it to do, then right-click it, choose "Edit", and poke around the settings to make it do what you want. Once you close the editor, you'll see it as a little icon under "Group Policy Objects" - drag it from there up to whatever OU you want it to apply to (or right-click the OU and choose "Link an Existing GPO...").
For instance, I've got a policy that changes the password requirements. (Those settings are in Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.) That policy is linked to the whole domain, right alongside the Default Domain Policy, because password, lockout and Kerberos settings for domain accounts only take effect from GPOs linked at the domain root - linked to an OU they only affect the local accounts on those computers. One thing to check here: in the OU's "Linked Group Policy Objects" tab, link order 1 (the top of the list) has the highest precedence, so if you want your policy to override the Default Domain Policy, move it above it with the arrows, and confirm the result on the domain's "Group Policy Inheritance" tab.
Turning on Offline files has to happen at the computer level, so I create a policy called "Offline Files On", set Computer Configuration\Policies\Administrative Templates\Network\Offline Files as I want, then put that on my "EmployeeComputers" OU. Setting specific offline files happens at the user level, so I make another policy, set User Configuration\Policies\Administrative Templates\Network\Offline Files\Administratively Assigned Offline Files as I wish, and link that on my "EmployeeUsers" OU.
Other policies I set include disabling EFS so no data can be lost if I have to reset someone's password, adding Domain Users to the Administrators group of the client machines, enabling Remote Desktop and allowing it through the firewall, etc. A couple of caveats on those: for domain accounts the DPAPI master keys that protect EFS are backed up to the domain controllers, so an administrative password reset does not by itself lock a domain user out of their EFS files the way it does for a local account (that said, turning EFS off where you don't need it is still a reasonable simplification). Making every member of Domain Users a local administrator means every user, and anything malicious that runs as them, is an administrator on every workstation; if you go that route, at least use a dedicated group via Restricted Groups rather than Domain Users, and keep it off the servers. For Remote Desktop, require Network Level Authentication in the same policy and scope the firewall rule to the subnets you actually manage from. You can even use policies to set the wallpaper, screensaver, homepage, etc. Like I said, if it's Microsoft software and configurable, there's probably a policy for it.
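The "one policy per job" approach above, scripted with the GroupPolicy PowerShell module (Server 2008 R2 / RSAT or later), as an added example that is not part of the original post. It creates the Offline Files and Remote Desktop GPOs, sets the registry values behind the Administrative Template settings named above (Remote Desktop with NLA required rather than plain RDP), links them to the OUs, and then puts a password-policy GPO at link order 1 at the domain root and prints the resulting link order so you can see which GPO wins. The password policy values themselves are security settings, not registry policy, so they are still set in the editor; the script only handles the linking. The GPO names, OU names and domain DN handling are my assumptions, and the policy names shown in the GPMC "Settings" report are the thing to check after running it.

```powershell
# Added example, not from the original post. Builds the post's "one policy per
# job" GPOs with the GroupPolicy module (Server 2008 R2 / RSAT or later), links
# them to the OUs, and fixes link order at the domain root. Run as a Domain
# Admin on a box with the GroupPolicy module. Assumptions: the OU and GPO names
# below; the domain DN is read from RootDSE.
Import-Module GroupPolicy

$domainDN    = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$computersOU = "OU=EmployeeComputers,$domainDN"

# Get an existing GPO by name or create it, so the script is safe to re-run.
function New-OrGetGPO {
    param([string]$Name)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

# Link a GPO to a container; New-GPLink errors if the link already exists, so
# that error is ignored and the link order is left alone.
function Link-GPO {
    param([string]$Name, [string]$Target)
    New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# 1. Offline Files on, at the computer level. This is the registry value behind
#    Computer Configuration\Policies\Administrative Templates\Network\
#    Offline Files\"Allow or Disallow use of the Offline Files feature".
$ofc = New-OrGetGPO -Name "Offline Files On"
Set-GPRegistryValue -Name $ofc.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\NetCache" `
    -ValueName "Enabled" -Type DWord -Value 1 | Out-Null
Link-GPO -Name $ofc.DisplayName -Target $computersOU

# 2. Remote Desktop on, but with Network Level Authentication required, so an
#    unauthenticated client never reaches the logon screen. Both values live
#    under the Terminal Services policy key.
$rdp = New-OrGetGPO -Name "Remote Desktop On"
$ts  = "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services"
Set-GPRegistryValue -Name $rdp.DisplayName -Key $ts -ValueName "fDenyTSConnections" -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $rdp.DisplayName -Key $ts -ValueName "UserAuthentication" -Type DWord -Value 1 | Out-Null
Link-GPO -Name $rdp.DisplayName -Target $computersOU

# 3. Password policy at the domain root. Its values are set in the editor
#    (Security Settings are not registry policy); here it is linked and moved
#    to link order 1, because order 1 wins a conflict with Default Domain Policy.
$pw = New-OrGetGPO -Name "Password Policy"
Link-GPO -Name $pw.DisplayName -Target $domainDN
Set-GPLink -Name $pw.DisplayName -Target $domainDN -Order 1 | Out-Null

# Show the effective link order at the domain root: lowest Order wins.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

After running it, open each GPO's "Settings" tab in GPMC: the registry values should appear under the Administrative Template names quoted in the comments, which is the confirmation that the keys match the templates on your server. Run gpupdate /force on a client and gpresult /r to see the GPOs actually applied there.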
Once your policies are all set, go back to Active Directory Users and Computers, right-click your "EmployeeUsers" OU and choose New, User. You'll be able to specify their name, username, first password, whether they have to change it the first time they log on, etc. On the "Profile" tab of their properties, pay special attention to the "Home folder" option - choose "Connect", pick a drive letter such as Z:, and point it at your DFS share at \\domain.tld\root (or a per-user folder beneath it) and it will be mapped automatically at every logon.
Once you've got one user set up like you want, you can also right-click their name and choose "Copy" to make an identical user - it will only prompt you for a different name, password and username.
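The same user setup done with ADSI from PowerShell (no ActiveDirectory module required, so it works on a plain Server 2008 DC), as an added example that is not part of the original post. It creates the user in the EmployeeUsers OU, sets the initial password, forces a change at first logon, maps Z: to a home folder on the DFS namespace from above, and enables the account. The per-user folder layout \\domain.tld\root\Home\<username> is my assumption, and, unlike the ADUC Profile tab, ADSI does not create that folder or set its NTFS permissions for you, so create it with rights only for that user (and administrators) before the first logon.

```powershell
# Added example, not from the original post. Creates a domain user in the
# EmployeeUsers OU via ADSI, sets the initial password, forces a change at
# first logon, maps the home folder to Z:, and enables the account.
# Run as a Domain Admin. Assumptions: the OU name from the post; the home
# folder path under \\domain.tld\root\Home\<username> (hypothetical layout),
# which must already exist with NTFS permissions for that user.
function New-EmployeeUser {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][string]$InitialPassword,   # pass it in; never hard-code it
        [string]$HomeRoot = "\\domain.tld\root\Home"
    )
    $domainDN  = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $dnsDomain = ($domainDN -replace 'DC=', '') -replace ',', '.'   # DC=domain,DC=com -> domain.com
    $ouDN      = "OU=EmployeeUsers,$domainDN"
    $display   = "$GivenName $Surname"

    if ([ADSI]::Exists("LDAP://CN=$display,$ouDN")) {
        throw "A user named '$display' already exists in EmployeeUsers."
    }

    # Create the object with its identity attributes and commit, so it exists
    # in the directory before the password call.
    $ou   = [ADSI]"LDAP://$ouDN"
    $user = $ou.Children.Add("CN=$display", "user")
    $user.Properties["sAMAccountName"].Value    = $SamAccountName
    $user.Properties["userPrincipalName"].Value = "$SamAccountName@$dnsDomain"
    $user.Properties["givenName"].Value         = $GivenName
    $user.Properties["sn"].Value                = $Surname
    $user.Properties["displayName"].Value       = $display
    # Profile tab -> Home folder -> Connect Z: to the DFS path
    $user.Properties["homeDrive"].Value         = "Z:"
    $user.Properties["homeDirectory"].Value     = "$HomeRoot\$SamAccountName"
    $user.CommitChanges()

    # ADSI's SetPassword does not send the password over cleartext LDAP.
    # pwdLastSet = 0 is "User must change password at next logon", and
    # userAccountControl 512 is NORMAL_ACCOUNT with the ACCOUNTDISABLE bit
    # (2) cleared; new objects start out disabled.
    $user.Invoke("SetPassword", $InitialPassword)
    $user.Properties["pwdLastSet"].Value          = 0
    $user.Properties["userAccountControl"].Value  = 512
    $user.CommitChanges()

    return [string]$user.Properties["distinguishedName"].Value
}

# Usage with constructed example values; the password is read at the prompt
# rather than stored in the script.
$initial = Read-Host "Initial password for jdoe"
New-EmployeeUser -SamAccountName "jdoe" -GivenName "Jane" -Surname "Doe" -InitialPassword $initial
```

The ordering matters: the account is committed, then given a password, then enabled. Enabling first would briefly leave an enabled account with no password set, and if the domain password policy rejects the initial password the function stops before the account is ever enabled.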
OK, I think we're ready - let's start getting computers on the domain!