Logging into the Group Policy Management Console
To open the Group Policy Management Console, click the Start button and then click Control Panel (alternatively, type Control Panel and then click the Control Panel application or press the Enter key).
Once in Control Panel, type Admin in the "Search Control Panel" field, then click Administrative Tools in the results.
From the list of Administrative Tools, locate Group Policy Management.
Press and hold the Shift key and right-click Group Policy Management. Click Run as different user in the dialog box that comes up.
In the "Run as different user" dialog, enter the following:
- username: GPOAdmin
- password: <GPO Password> (provided by Tehama Customer Support)
- Click OK
A second dialog (Microsoft Management Console) should appear. Disregard the username/password fields that first appear:
- Click on More Choices
- Click on "use a different account"
In the new username/password field:
- username: GPOAdmin
- password: <GPO Password> (provided by Tehama Customer Support)
- Click Yes
Working with Starter GPOs
While in the Group Policy Editor, click the Starter GPOs folder in the left panel.
Note:
If the tree is not expanded, you can locate Starter GPOs under:
> Forest: 1
> Domains
> <roomid>-<room ip address>-<room name>.vela.com
> Starter GPOs
The first time the "Group Policy Management" Console is launched, the Starter GPOs folder might be empty. If prompted to "Create a New Starter GPO", click OK.
Tehama will automatically build out custom GPOs for use on your Tehama Desktop(s).
Default Domain Policy Enforcement
Before configuring the Default policies, please ensure that Domain Policy enforcement is enabled.
To enable Domain Policy enforcement:
- Right-click the Default Domain Policy folder in the left panel
- Ensure "Enforced" has a checkmark beside it
- Inside the policy (right panel), ensure that <roomid>-<room ip address>-<room name>.vela.com is enforced
- If not, repeat the last step and place a checkmark beside "Enforced" by clicking it with the left mouse button
Note:
If the tree is not expanded, you can locate "Default Domain Policy" under:
> Forest: <roomid>-<room ip address>-<room name>.vela.com
> Domains
> <roomid>-<room ip address>-<room name>.vela.com
> Default Domain Policy
Desktop Policy Configuration
Policies that have been created for you can be accessed under Group Policy Objects, and new policies can be added as necessary.
Note:
If the tree is not expanded, you can locate the two folders under:
> Forest: <roomid>-<room ip address>-<room name>.vela.com
> Domains
> <roomid>-<room ip address>-<room name>.vela.com
> Group Policy Objects
> Starter GPOs
Create a New Policy:
- Right-click the Starter GPOs folder and choose New
- Enter a name for the new policy when prompted and press OK
- A new policy object will be created in the Starter GPOs folder
To Create the new policy object:
- Right-click the newly created Starter Policy Object and choose New GPO from Starter GPO
- Enter a name for the GPO when prompted and press OK (e.g. acme-test)
- The new GPO will appear above, under Group Policy Objects
Configure the new GPO:
- Right-click the GPO Object created in the previous step (under Group Policy Objects) and click 'Edit' in the menu.
A new window (Group Policy Management Editor) will pop up.
Note:
In the Group Policy Management Editor window, there are no Security Settings under the Windows Settings. Under Windows Settings, you have Environment, Files, Folders, Ini Files, Registry, Network Sharing, and Shortcuts.
The common audit policies requested by you, the customer, will be found by navigating to the following folder (using the above example policy name acme-test):
> name of GPO created [Domain Controller of the room DC01.<roomid>-<room ip address>-<room name>.vela.com] Policy
> Computer Configuration
> Policies
> Windows Settings
> Security Settings
> Advanced Audit Policy Configuration
> Audit Policies
The common audit policies are found at:
name of GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies
Under Audit Policies in the left pane is a list of configurable Policy Objects.
The right side displays the most popular auditing policies for each Policy Object.
Your Audit Policy Objects will all need to be activated.
After expanding Audit Policies in the previous step:
- Click on each desired Policy Object Group, one by one (Account Login, Account Management, Detailed Tracking, etc.)
In the right pane:
- Double-click each of the desired policy objects (one by one)
- In each of the Audit properties popup boxes, navigate to the Policy tab
- Place a checkmark in:
  - Configure the following audit events
  - Success
  - Failure
- Press Apply, then click OK
This must be repeated for each of the (desired) Audit Policy Groups/Audit Policy Objects.
A Note about Global Object Access Auditing Objects...
The Global Object Access Auditing Objects are configured slightly differently from above…
To find the File System Policy Object, in the Group Policy Management Editor go to GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Global Object Access Auditing
File System Policy Object
Once inside the File System Properties dialog:
- Navigate to the Policy tab
- Place a checkmark beside Define this policy setting
- Click on the Configure button
In the Advanced Security Settings for Global File SACL window:
- Click Add
In the Auditing Entry for Global File SACL window:
- Click on the Select a principal link (near the top of the window)
In the Select User, Computer, Service Account, or Group window:
- In the "Enter the object name to select" box, type in Domain Users
- Click OK
When returned to the Advanced Security Settings for Global File SACL window:
- Set "Type" to All (default is 'Success')
- Ensure all checkboxes are selected
- Press OK
- Keep clicking OK, if prompted, until you are back in the Group Policy Management Editor window
Registry Policy Object
Repeat the same steps as for the File System Policy Object above.
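One way to confirm that the audit settings and global SACLs configured above actually reached a desktop is to read the effective policy with auditpol. This is an added example, not part of the original Tehama procedure; it assumes an elevated PowerShell prompt on an English-language desktop, and the subcategory list is a sample to adapt.

```powershell
# Added example, not Tehama's tooling. Run from an elevated PowerShell prompt
# on a desktop after the GPO has applied (gpupdate /force or a reboot).
# $Expected is a sample list (English subcategory names); edit it to match
# the policy objects you enabled in the editor.
$Expected = @(
    'Credential Validation'      # Account Logon
    'User Account Management'    # Account Management
    'Process Creation'           # Detailed Tracking
    'Logon'                      # Logon/Logoff
    'File System'                # Object Access
    'Registry'                   # Object Access
)

# /r makes auditpol emit CSV, which ConvertFrom-Csv turns into objects.
$raw = auditpol.exe /get /category:* /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed (exit code $LASTEXITCODE); is the prompt elevated?"
}
$effective = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv

# Compare each expected subcategory with what the machine really enforces.
$report = foreach ($name in $Expected) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name } |
        Select-Object -First 1
    [pscustomobject]@{
        Subcategory = $name
        Setting     = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        Ok          = [bool]($row -and
                        $row.'Inclusion Setting' -eq 'Success and Failure')
    }
}
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'Some subcategories are not set to Success and Failure.'
}

# Global Object Access Auditing is not part of the report above;
# list the global file and registry SACLs separately.
auditpol.exe /resourceSACL /type:File /view
auditpol.exe /resourceSACL /type:Key /view
```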
Backup (Export) GPOs
- Locate the Policy group you wish to export. For example:
> Forest: <roomid>-<room ip address>-<room name>.vela.com
> Domains
> <roomid>-<room ip address>-<room name>.vela.com
> Group Policy Objects
> <GPO name>
- Right-click the Group Policy Group
- Click Back Up...
- In the resulting Back Up Group Policy Object window:
  - Click Browse to select the folder you want the backup stored in
  - When Windows Explorer pops up, choose the location where you wish to save the backup policy (e.g. D:\Users\<username>\Desktop)
  - Enter a description if required
  - Click the Back Up button
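The same export can be scripted so that each backup is stored with a readable settings report and a hash manifest that can be checked before a later restore. This is an added example, not part of the original Tehama procedure; it assumes the GroupPolicy PowerShell module is available in a session running as GPOAdmin, and the GPO name and backup folder are placeholders.

```powershell
# Added example, not Tehama's tooling. Assumes the GroupPolicy module is
# available and the session runs as GPOAdmin.
Import-Module GroupPolicy

$GpoName    = 'acme-test'                                    # placeholder name
$BackupRoot = Join-Path $env:USERPROFILE 'Desktop\GPO-Backups' # placeholder path
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Equivalent of right-click > Back Up... in the console.
$backup = Backup-GPO -Name $GpoName -Path $BackupRoot `
    -Comment "Export of $GpoName on $(Get-Date -Format s)"

# Each backup is written to a folder named after the backup ID in braces.
$backupDir = Join-Path $BackupRoot $backup.Id.ToString('B')

# Store a human-readable settings report next to the backup for later review.
Get-GPOReport -Name $GpoName -ReportType Html `
    -Path (Join-Path $BackupRoot "$GpoName-$($backup.Id).html")

# Record SHA-256 hashes of every backup file (including hidden ones) so the
# backup can be checked for modification before it is restored or imported.
$manifest = Join-Path $BackupRoot "$($backup.Id).sha256.csv"
Get-ChildItem -Path $backupDir -Recurse -File -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash,
        @{ Name = 'File'; Expression = { $_.Path.Substring($backupDir.Length + 1) } } |
    Export-Csv -Path $manifest -NoTypeInformation

"Backup ID : $($backup.Id)"
"Folder    : $backupDir"
"Manifest  : $manifest"
```

Keep the manifest somewhere other than the backup folder itself so that a change to the backup files cannot be hidden by editing the manifest alongside them.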