lesson08

Configuring the User and Computer Environment Using Group Policy
Lesson 8
Skills Matrix

Technology Skill | Objective Domain | Objective #
Configuring Account Policies | Configure account policies | 4.6
Planning and Configuring an Audit Policy | Configure Audit Policy by using GPOs | 4.7

Defining a Domain-Wide Account Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then
click Group Policy Objects.

Right-click the Default Domain Policy, and click
Edit.

Defining a Domain-Wide Account Policy (cont.)

In the left window pane, expand the Computer
Configuration node, and then expand the
Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Account
Policies, and select Password Policy.

Defining a Domain-Wide Account Policy (cont.)

To modify a setting, double-click the setting in
the right window pane to open the Properties
dialog box for the setting. Then, make the
desired value changes.

Click OK to close the setting's Properties dialog
box.

Close the Group Policy Management Editor
window for this policy.

Configuring a Domain-Wide Account Lockout Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then
click Group Policy Objects.

Right-click the Default Domain Policy, and click
Edit. A Group Policy Management Editor window
for this policy is displayed.

Configuring a Domain-Wide Account Lockout Policy (cont.)

In the left window pane, expand the
Computer Configuration node, and then
expand the Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand
Account Policies, and select Account Lockout
Policy.

Configuring a Domain-Wide Account Lockout Policy (cont.)

In the right window pane, double-click the
Account lockout duration policy setting to view
the Properties dialog box.

Select the Define This Policy Setting checkbox.
If you want to change the account lockout
duration, you may do so here.

Configuring a Domain-Wide Account Lockout Policy (cont.)

Click OK to accept the specified lockout
duration.

Click OK to automatically enable these other
settings, or click Cancel to go back to the
Account Lockout Duration Properties dialog box.

Click OK to accept the additional setting
defaults.

Configuring a Domain-Wide Account Lockout Policy (cont.)

Make any additional changes, as necessary, to
the other individual Account Lockout Policy
settings.

Close the Group Policy Management Editor
window for this policy.

Configuring the Kerberos Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then
click Group Policy Objects.

Right-click the Default Domain Policy, and click
Edit. A Group Policy Management Editor window
for this policy is displayed.

Configuring the Kerberos Policy (cont.)

In the left window pane, expand the Computer
Configuration node, and then expand the
Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Account
Policies, and select Kerberos Policy.

Configuring the Kerberos Policy (cont.)

To modify a setting, double-click the setting in
the right window pane to open the Properties
dialog box for the setting. Make the desired
value changes.

Click OK to close the setting's Properties dialog
box.

Close the Group Policy Management Editor
window for this policy.

Configuring an Audit Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then
click Group Policy Objects.

Right-click the Default Domain Policy, and click
Edit.

Configuring an Audit Policy (cont.)

In the left window pane, expand the Computer
Configuration node, and then expand the
Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Local
Policies, and select Audit Policy.

Configuring an Audit Policy (cont.)

In the right window pane, double-click the Audit
Policy setting you want to modify. The Properties
dialog box for the chosen setting is displayed.

Select the Define This Policy Setting checkbox.

Configuring an Audit Policy (cont.)

Select the appropriate checkboxes to audit
Success, Failure, or both under the Audit These
Attempts heading.

Click OK to close the setting's Properties dialog
box.

Close the Group Policy Management Editor
window for this policy.
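
Added example (not part of the original lesson): the Password Policy, Account Lockout Policy, Kerberos Policy and Audit Policy values set in the procedures above are stored as security-template (INF) text, the format that secedit /export writes, so they can be checked after editing. The Python below parses such text, flags lockout settings that have no effect, and translates the audit values into Success/Failure wording; the sample template and its values are constructed, and the function names are this example's own.

```python
import configparser

# Constructed sample in the security-template INF format (values are illustrative).
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
[Event Audit]
AuditAccountLogon = 1
AuditLogonEvents = 3
AuditObjectAccess = 0
"""

AUDIT_MODES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}
SECTIONS = ("System Access", "Kerberos Policy", "Event Audit")

def parse_template(text):
    """Return {section: {key: int}} for the account and audit policy sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    # Keep integer values only (a leading minus sign is allowed); skip strings.
    return {s: {k: int(v) for k, v in cp[s].items() if v.strip().lstrip("-").isdigit()}
            for s in SECTIONS if cp.has_section(s)}

def lockout_findings(policy):
    """Flag lockout settings that are ineffective or inconsistent."""
    acct = policy.get("System Access", {})
    threshold = acct.get("LockoutBadCount", 0)   # failed attempts before lockout
    duration = acct.get("LockoutDuration", 0)    # minutes
    reset = acct.get("ResetLockoutCount", 0)     # minutes
    if threshold == 0:
        return ["LockoutBadCount is 0: lockout is off, duration and reset are unused"]
    if 0 < duration < reset:
        return ["ResetLockoutCount is longer than LockoutDuration"]
    return []

def audit_summary(policy):
    """Translate [Event Audit] values into Success/Failure wording."""
    return {k: AUDIT_MODES.get(v, f"unknown({v})")
            for k, v in policy.get("Event Audit", {}).items()}

if __name__ == "__main__":
    parsed = parse_template(SAMPLE_INF)
    print(lockout_findings(parsed), audit_summary(parsed))
```

A GPO's GptTmpl.inf is typically UTF-16 encoded, so decode the file before passing its text to parse_template.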

Configuring Files and Folders for Auditing

In Windows Explorer, right-click the file or folder
you want to audit.

Select Properties.

On the Security tab in the Properties dialog box
for the selected file or folder, click Advanced.

Configuring Files and Folders for Auditing (cont.)

In the Advanced Security Settings dialog box for
the file or folder, select the Auditing tab, and
then click Add.

Select the users and groups to be audited for
file or folder access, and then click OK.

Configuring Files and Folders for Auditing (cont.)

Select Successful, Failed, or both checkboxes for
the events you wish to audit.

In the Apply Onto list, specify which objects are
to be audited.

Click OK to return to the Advanced Security
Settings dialog box for the object.

Configuring Files and Folders for Auditing (cont.)

Choose whether you wish auditing entries from
parent objects to be inherited to this object by
selecting or deselecting the Allow Inheritable
Auditing Entries From Parent To Propagate To
This Object And All Child Objects checkbox.

Click OK to complete this process.

Close the Group Policy Management Editor
window for this policy.

Customizing Event Log Policies

From the Administrative Tools menu, open Event
Viewer.

Right-click the log for which you want to view or
modify the settings, and select Properties.

Modify the desired settings, and click OK.

Configuring Folder Redirection

Create a GPO or modify an existing GPO with
the necessary Folder Redirection Policy setting.

Using the Group Policy Management Editor for
the desired GPO, locate the Folder Redirection
policy extension in the User
Configuration/Windows Settings node.

Right-click the Documents folder in the left
window pane, and select Properties.

Configuring Folder Redirection (cont.)

Use the Setting dropdown box of the Target tab
to select one of the options in the My Documents
Properties dialog box.

Configuring Folder Redirection (cont.)

If you choose Basic–Redirect Everyone's Folder
To The Same Location, you must specify the
Target folder location in the Settings dialog box.

If you choose Advanced–Specify Locations For
Various User Groups, you must specify the
target folder location for each group that you
add in the Settings dialog box.

Configuring Folder Redirection (cont.)

The Settings tab of the Documents Properties
dialog box provides several additional
selections.

Select from the options in the Policy Removal
box of the Settings tab.

Click OK.

Optimizing Group Policy Processing

Open the Group Policy Management Console
(GPMC). Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then
click Group Policy Objects.

Select the Default Domain Policy, and click Edit.

Optimizing Group Policy Processing (cont.)

Right-click the Default Domain Policy node at
the top of the left window pane.

Click GPO Status, and place a checkmark next
to User Configuration Settings Disabled,
Computer Configuration Settings Disabled, or
All Settings Disabled.

You Learned

Most security-related settings are found within
the Windows Settings node of the Computer
Configuration node of a GPO.

Policy settings that you wish to apply to all
computers or users within a domain should be
made within the Default Domain Policy GPO.
Generally, domain-wide account policies, such
as Password Policies, Account Lockout, and
Kerberos settings, are modified here.

You Learned (cont.)

Windows Server 2008 provides the ability to
configure Fine-Grained Password Policies, which
allow multiple password and account lockout
policies within a single domain.

Local Policy settings govern the actions users
can perform on a specific computer and
determine whether the actions are recorded in
an event log. Create Audit Policies here.

You Learned (cont.)

Auditing can be configured to audit successes,
failures, or both. Plan auditing carefully before
implementation. Events that are not important
to your documentation and information needs
can cause unnecessary overhead when audited.
Auditing can be a very important security tool
when used prudently.

You Learned (cont.)

Because audited events are recorded in the
appropriate event log, it is necessary to
understand the Event Log Policy setting area.
This area allows control over maximum log
sizes, log retention, and access rights to each
log.

You Learned (cont.)

Restrictions on group memberships can be
accomplished using the Group Restriction Policy
setting. Implementing this policy removes
group members who are not part of the
configured group membership list or adds group
members according to a preconfigured list.

You Learned (cont.)

Folder Redirection can be configured for folders
located on a local computer within the
Documents And Settings folder. The Offline
Files settings allow redirected folders to be
available when a network connection is not
present. These two setting areas complement
each other.

You Learned (cont.)

Disk quotas can be used to control storage
space on a network drive. Implementing disk
quotas allows administrators to have tighter
control over drive usage, which can affect tape
backup and restore functionality.

You Learned (cont.)

Computer configuration group policies are
refreshed every 90 minutes by default. Domain
controller group policies are refreshed every 2
minutes. These settings can be altered based
on the frequency with which policy changes occur.

Disabling unused portions of a GPO decreases
the time it takes to complete policy processing.