Q2 G10 CSS Learning Material 2.0

This document outlines the learning materials for a Technical Vocational Education program focused on Computer Systems Servicing for the school year 2020-2021. It includes a detailed curriculum covering essential learning competencies such as configuring network services and performing testing and documentation procedures, along with various lessons and activities. The document also features pre-tests and information sheets to enhance the learning experience.

Uploaded by hannasheenibojo

10

Special Program for Technical Vocational Education

COMPUTER SYSTEMS
SERVICING

LEARNING MATERIAL
Quarter 2

Developed by: DIANA P. CUIZON
School Year: 2020 – 2021
TANZA NATIONAL TRADE SCHOOL
Technical Vocational Education
SPTVE Computer Systems Servicing
Weekly Learning Activity Sheets

Table of Contents Pages Date/Duration

Introduction 4
PRE-TEST 5
Quarter 2: SETTING UP COMPUTER SERVERS
LO 2: Configure network services
Lesson 1 Setting up Client/User Security 10 Week 1
Activity Sheet 1.1 10
Pre-Test 1.1 11
Information Sheet 1.1 12
Operation Sheet 1.1 15
Activity Sheet 1.3 19
Self-Check 1.1 19

Lesson 2 Creating Users to Domain 20 Week 2


Activity Sheet 2.1 20
Pre-Test 2.1 21
Information Sheet 2.1 22
Information Sheet 2.2 31
Operation Sheet 2.1 32
Self-Check 2.1 35

Lesson 3 Designing a Group Policy Infrastructure 36 Week 3


Activity Sheet 3.1 36
Pre-Test 3.1 37
Information Sheet 3.1 38
Operation Sheet 3.1 42
Activity Sheet 3.3 47
Self-Check 3.1 47

LO 3: Perform testing, documentation, and pre-deployment procedures


Lesson 4 Using Folder Redirection 48 Week 4 - 5
Activity Sheet 4.1 48

Pre-Test 4.1 49
Information Sheet 4.1 50
Operation Sheet 4.1 56
Self-Check 4.1 62

Lesson 5 Print and Document Services Deployment 63 Week 6 -7


Activity Sheet 5.1 64
Pre-Test 5.1 64
Information Sheet 5.1 65
Information Sheet 5.2 72
Activity Sheet 5.3 85
Self-Check 5.1 85

Lesson 6 Configuring and Testing Remote Desktop Sharing 86 Week 8


Activity Sheet 6.1 86
Pre-Test 6.1 87
Information Sheet 6.1 88
Operation Sheet 6.1 89
Self-Check 6.1 97

PRE-TEST Answer Key 98


References 99

Introduction

In this learning material, there will be two (2) most essential learning competencies that
you will encounter: (1) Configure network services and (2) Perform testing, documentation,
and pre-deployment procedures. The two most essential learning competencies contain sub-
topics that discuss the details on setting up computer servers.

The competencies for this learning material are:

LO 2: Configure network services


2.1 Check normal server function in accordance with manufacturer’s instructions
2.2 Install and update required modules/add-ons on NOS installation procedures
2.3 Confirm network services based on user/system requirements
2.4 Check operation of network services based on user/system requirements
2.5 Respond to unplanned events or conditions in accordance with established
procedures

LO 3: Perform testing, documentation, and pre-deployment procedures


3.1 Undertake pre-deployment procedures based on enterprise policies and
procedures
3.2 Undertake operation and security check based on end-user requirements
3.3 Prepare reports according to enterprise policies and procedures
3.4 Complete reports according to enterprise policies and procedures

Pre-Test

Direction: Choose the correct answer from the given choices. Write your answer on a separate
sheet of paper.

1. This involves setting up and maintaining account information for users and computers.
A. Authentication C. Confidentiality
B. Identification D. Integrity
2. Used to determine the access rights of a user or computer during the current session.
A. Authentication C. Confidentiality
B. Identification D. Integrity
3. Encryption as data crosses exposed portions of a network.
A. Authentication C. Confidentiality
B. Identification D. Integrity
4. Help to ensure that the content of a message or data file has not been modified when it
travels over a network.
A. Authentication C. Confidentiality
B. Identification D. Integrity
5. Used to prove that the message was sent, that it was delivered, and that it was received.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
6. Allows or disallows authentication traffic to flow between two or more domains.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
7. Used to identify system use and misuse, and to diagnose system behavior.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
8. A unique name that identifies the computer to a computer network.
A. Trust C. Nonrepudiation
B. Computer name D. Audit entries
9. Microsoft's term for a peer-to-peer local area network.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
10. Collection of administratively defined objects that share a common directory database.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
11. Responsible for creating organizational unit (OU) designs for their domains.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
12. Data managers who control a subtree of objects in Active Directory Domain Services.
A. Domain C. Forest Owners
B. OU Owners D. Workgroup
13. Provide administrative autonomy and the means to control visibility of objects in the
directory.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
14. Contain user, group, and computer objects.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
15. Contain resources and the accounts that are responsible for managing those resources.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
16. Understands the business value of the deployment, supports the project at the executive
level, and can help resolve conflicts across the organization.
A. Account OU C. Executive Sponsor
B. Organizational Unit D. Resource OU
17. Provides technical expertise to assist with the process of designing and deploying AD DS.
A. Administrators C. Architect
B. Owners D. Project Manager
18. Facilitates cooperation across business units and between technology management
groups.
A. Administrators C. Architect
B. Owners D. Project Manager
19. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new domain
controllers within the forest.
A. Administrators C. Architect
B. Owners D. Project Manager
20. Responsible for implementing the design on the network according to the design
specifications.
A. Administrators C. Architect
B. Owners D. Project Manager
21. Responsible for planning and long-term maintenance of the Active Directory infrastructure.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners

22. Responsible for the maintenance of the information stored in the directory.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
23. Individual who has a thorough understanding of the existing DNS infrastructure and the
existing namespace of the organization.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
24. Familiar with the physical structure of the organization network, including mapping of
individual subnets, routers, and network areas that are connected by means of slow links.
A. Site Topology Owner C. Service Owners
B. DNS For AD DS Owner D. Data Owners
25. Enables Active Directory–based change and configuration management of user and
computer settings on computers running a member of the Microsoft® Windows® Server
or Microsoft Windows® families of operating systems.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
26. Used to create a Group Policy object.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
27. Used to edit a new Group Policy object.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
28. Includes technologies that help you set up and manage one or more file servers, which
are servers that provide central locations on your network where you can store files and
share them with users.
A. File and Storage Services C. Group Policy
B. Group Policy Management Console D. Group Policy Object Editor
29. Enables you to redirect the location of specific folders within user profiles to a new location,
such as a shared network location.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
30. Where you can configure Folder Redirection to redirect specific user profile folders, as
well as edit Folder Redirection policy settings.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
31. Hardware requirements for folder redirection.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection

32. Enables you to select the location of the redirected folder on a network or in the local user
profile.
A. x64-based or x86-based computer C. Target tab
B. Group Policy Management Console D. Folder Redirection
33. This setting enables you to redirect everyone's folder to the same location and will be
applied to all users included in the Group Policy object.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
34. This option will use an explicit path to the redirection location.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
35. This option will move the location of the folder to the local user profile under
the Users folder.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
36. This setting enables you to specify redirection behavior for the folder based on the security
group memberships for the GPO.
A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. Redirect to the following location
D. Redirect to the local user profile location
37. No changes are being made to the current location of this folder.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management
38. This snap-in enables you to manage printers, print queues, printer drivers, and printer
connections.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management
39. This snap-in enables you to manage scanners and scan processes. Scan processes allow
you to define how to process scanned documents, and then route them to network folders,
SharePoint sites, and to e-mail recipients.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management

40. This snap-in enables you to configure fax devices for incoming and outgoing fax traffic,
specify who can use a fax device, set routing rules for incoming and outgoing faxes, and
configure a fax archiving policy.
A. Fax Service Manager C. Not configured
B. Print Management D. Scan Management

LESSON 1 Setting Up Client/User Access and Security

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Identify users in the network.
b. Set up client/user security.
c. Understand the importance of client/user security.

ACTIVITY SHEET 1.1


Technical Terms

Direction: Try to find ten terminologies related to the lesson.

Pre-Test 1.1

Direction: Choose the correct answer from the given choices. Write your answer on a separate
sheet of paper.

A. Audit entries F. Identification


B. Authentication G. Integrity
C. Computer name H. Nonrepudiation
D. Confidentiality I. Trust
E. Domain J. Workgroup

1. A unique name that identifies the computer to a computer network.


2. Allows or disallows authentication traffic to flow between two or more domains.
3. Collection of administratively defined objects that share a common directory database.
4. Encryption as data crosses exposed portions of a network.
5. Help to ensure that the content of a message or data file has not been modified when
it travels over a network.
6. Microsoft's term for a peer-to-peer local area network.
7. This involves setting up and maintaining account information for users and
computers.
8. Used to determine the access rights of a user or computer during the current session.
9. Used to identify system use and misuse, and to diagnose system behavior.
10. Used to prove that the message was sent, that it was delivered, and that it was
received.

INFORMATION SHEET 1.1
Security information for Active Directory

Active Directory® provides a secure directory environment for your organization using built-in
logon authentication and user authorization, which are core features of the Local Security
Authority (LSA). Logon authentication and user authorization are available by default and
provide immediate protection for network access and network resources.

Protecting access to the network

Active Directory requires confirmation of the identity of a user before allowing access
to the network, a process known as authentication. Users only need to provide a single sign-
on to the domain (or to trusted domains) to gain access to the network. Once Active Directory
confirms the identity of the user, the LSA on the authenticating domain controller generates
an access token that determines what level of access that user has on network resources.
Active Directory supports a number of secure Internet-standard protocols and
authentication mechanisms used to prove identity upon logon, including Kerberos V5, X.509
v3 certificates, smart cards, public key infrastructure (PKI) and Lightweight Directory Access
Protocol (LDAP) using Secure Sockets Layer (SSL).

Authentication between domains occurs through trusts. A trust is a relationship established
between two or more domains to allow users in one domain to be authenticated by a domain
controller in another domain. Trust relationships can be transitive or nontransitive but must
always be present in order for users in one domain to access shared resources in another
domain.

In addition to securing network access through authentication, Active Directory helps to
protect shared resources by facilitating user authorization. Once a user logon has been
authenticated by Active Directory, the user rights assigned to the user through security groups
and the permissions assigned on the shared resource will determine if the user will be
authorized to access that resource. This authorization process protects shared resources
from unauthorized access and permits access to only authorized users or groups.

Windows Security Collection

As organizations expand the availability of network data, applications, and systems, it
becomes more challenging to ensure the security of the network infrastructure. Security
technologies in the Microsoft Windows Server operating system enable organizations to
better protect their network resources and organizational assets in increasingly complex
environments and business scenarios.

Fundamental Security Principles

Windows Server security technologies address fundamental security requirements that help
meet the complex security needs of organizations of all types and sizes. Windows Server
security is based on the following fundamental principles:

• Identification. To help ensure that only the appropriate users and computers have access
to resources, it is first necessary to identify users and computers on the network. This
involves setting up and maintaining account information for users and computers,
preferably in a single, easy-to-access location so that it is easy to set up, modify, and
maintain. The user name generally is a unique identifier.

• Authentication. The authentication process validates the authentication data of a user or
computer against the information in a database. This authentication data can include the user
name, logon domain, password, and other credentials. After a user or computer has been
authenticated, the operating system examines the privileges that are assigned to the user
account. The information relating to the user in the account database is used to create an
access token, which is then used to determine the access rights of a user or computer during
the current session.

• Authorization and access control. Access rights to a given resource are validated based
on access control lists (ACLs) associated with the resource. The contents of the access token
are compared to the contents of the ACL in order to determine the rights of the user in regard
to the resource.

• Confidentiality. Confidentiality helps prevent the intentional or unintentional disclosure of
data or of the actions that a user is performing on the data — for example, a withdrawal from
a bank account. Confidentiality is typically accomplished by means of encryption as data
crosses exposed portions of a network.

• Integrity. Integrity services help to ensure that the content of a message or data file has not
been modified when it travels over a network.

• Nonrepudiation. Nonrepudiation, an extension of authentication and integrity, prevents a
user from denying, after the fact, that they sent a message or signed a document. It can also
be used to prove that the message was sent, that it was delivered, and that it was received.

• Trusts. Logical relationships are established between domains, by means of trusts, to allow
pass-through authentication, in which one domain accepts the logon authentications of the
other domain. A trust either allows or disallows authentication traffic to flow between two or
more domains.

• Audit entries. Audit entries represent data that is recorded in the security event log of a
server or workstation when specified system, application, and security-related events take
place. Audit entries provide valuable data about system operations, which can be used to
identify system use and misuse, and to diagnose system behavior.
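The authorization step in these principles, as an added example that is not from the learning material: a PowerShell script that reads the current user's access token and a file's DACL, then walks the ACEs the way Windows does to reach an allow or deny decision. The file path in $Path is an assumption; any file you can see will do.

```powershell
# Added example (not from the learning material): compare the current user's access token
# with a file's DACL and decide the way the Windows security reference monitor does.
# $Path is an assumption; pick any file the current user can see.
param([string]$Path = "$env:windir\System32\drivers\etc\hosts")

# 1. The access token: the user's own SID plus every group SID the token carries.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups | ForEach-Object { $_ })

# 2. The ACL: request the DACL with SIDs rather than names so both sides compare alike.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# 3. Evaluate: walk the ACEs in order. In a canonical DACL explicit deny ACEs come first,
#    so a matching deny on any requested right wins before later allow ACEs are reached.
#    (Simplified: privileges such as backup/restore and deny-only groups are ignored.)
$requested = [int][System.Security.AccessControl.FileSystemRights]::Read
$granted   = 0
$denied    = $false
foreach ($rule in $rules) {
    if ($tokenSids -notcontains $rule.IdentityReference) { continue }  # ACE is for someone else
    $overlap = [int]$rule.FileSystemRights -band $requested
    if ($overlap -eq 0) { continue }                                   # ACE covers other rights
    if ($rule.AccessControlType -eq 'Deny') { $denied = $true; break }
    $granted = $granted -bor $overlap
    if (($granted -band $requested) -eq $requested) { break }          # all requested rights allowed
}

$verdict = if ($denied) { 'DENIED (explicit deny ACE)' }
           elseif (($granted -band $requested) -eq $requested) { 'ALLOWED' }
           else { 'DENIED (no allow ACE covers the request)' }
"{0}: Read access for {1} -> {2}" -f $Path, $identity.Name, $verdict
```

Compare the verdict with `Get-Acl $Path | Format-List` to see which ACE decided it.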

Security Architecture
The Windows Server security infrastructure consists of the following components:

• Logon and authentication technologies. Logon and authentication technologies include
a variety of protocols, including Kerberos version 5 authentication, NTLM, Secure Sockets
Layer/Transport Layer Security (SSL/TLS), and Digest; as well as features such as Stored
User Names and Passwords that enable single sign-on (SSO) and reduced sign-on (RSO).

• Authorization and access control technologies. The ACL-based impersonation model
and a new roles-based protected subsystem model enable extremely flexible and
manageable authorization and access control strategies.

• Data security technologies. Encrypting File System (EFS), Internet Protocol security
(IPSec), system key utility (Syskey), and Routing and Remote Access Services (RRAS)
provide additional security for data under a variety of special circumstances.

• Group Policy technologies. Group Policy options that can enhance security management
include security policy and software restriction policies.

• Trust technologies. Trusts can be established between domains and across forests to
improve security and business processes for complex organizations.

• Public key infrastructure (PKI) technologies. Certificates, Certificate Services, and
certificate policy-enabled qualified subordination can be used to support a variety of
application-specific security solutions.

Each of these sets of technologies can be used in conjunction with the other sets of
technologies — such as networking and storage — to enable secure network-enabled
business processes.
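The audit-entries principle described under Fundamental Security Principles, as an added example that is not from the learning material: a PowerShell script that pulls failed-logon audit entries (event ID 4625) from the Security event log and groups them by account and by source, the kind of summary used to identify misuse. The 24-hour lookback is an assumption; run it in an elevated PowerShell on a machine where logon auditing is enabled.

```powershell
# Added example (not from the learning material): summarise failed-logon audit entries
# from the Security event log. Lookback window is an assumption.
param([int]$Hours = 24)

# Event ID 4625 = "An account failed to log on" (4624 is the matching successful logon).
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No failed logons in the last $Hours hours (or logon auditing is not enabled)."
    return
}

# Pull the fields that matter from each entry's XML: target account, source address,
# logon type and the sub-status (0xC000006A = wrong password, 0xC0000064 = unknown user).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source    = $d.IpAddress
        LogonType = $d.LogonType
        SubStatus = $d.SubStatus
    }
}

# Counts per account and per source. Many failures against one account from one source,
# or one source trying many accounts, are the patterns an administrator should look into.
"Failed logons per account (last $Hours h):"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
"Failed logons per source address:"
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```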

OPERATION SHEET 1.1
Join Computer to Domain

1. To get started, save all work and close all programs first.

2. Click the Start button, right click the mouse over Computer and select Properties.

3. In Computer Name, Domain and Workgroup Settings, select Change Settings.

4. Select the Computer Name tab in the System Properties dialog box then add a
Computer description.

5. Next to 'To rename this computer...', click Change.

6. Change the Computer Name and press OK.

7. Select Member of Domain or Workgroup - enter the name and press OK.

8. Click OK at the Restart Computer dialog box.

9. Enter the Windows Security permission requirement.

10. To apply changes click OK, then select 'Restart Now'.
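The same join done from PowerShell instead of the System Properties dialog, as an added example that is not part of the operation sheet. It assumes an elevated PowerShell 3.0 or later; the computer name and domain name are placeholders to replace with your own.

```powershell
# Added example (not from the operation sheet): join a computer to a domain from an
# elevated PowerShell (3.0 or later). Both values below are placeholders.
$NewName    = 'LAB-PC01'        # placeholder, corresponds to step 6
$DomainName = 'school.example'  # placeholder, corresponds to step 7

# Step 1: the join ends in a restart, so save work and close programs before running this.

# Pre-checks the dialog does not do for you: is the machine already domain-joined, and can
# it resolve and reach the domain? A failed join is most often a client DNS problem.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "This computer is already a member of $($cs.Domain) as $($cs.Name)."
    return
}
if (-not (Test-Connection -ComputerName $DomainName -Count 1 -Quiet)) {
    "Cannot reach $DomainName; check the client's DNS server settings before joining."
    return
}

# Step 9: the credential prompt. Use an account delegated the right to join computers
# to the domain (or to one OU) rather than a Domain Admin account.
$cred = Get-Credential -Message "Account permitted to join computers to $DomainName"

# Steps 5 to 7 and 10 in one call: rename the computer, join the domain, then restart.
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Restart -Force

# After the restart, confirm the machine account's secure channel to the domain:
#   Test-ComputerSecureChannel -Verbose   # True means the join completed correctly
```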

ACTIVITY SHEET 1.3
How Do I Change a Computer Name and Domain or Workgroup in Windows 7?

Direction: Arrange the following procedures in their proper order. Use the ALPHABET to
arrange them correctly.
1. Select the Computer Name tab in the System Properties dialog box then add a
Computer description.
2. Select Member of Domain or Workgroup - enter the name and press OK.
3. Save all work and close all programs first.
4. Next to 'To rename this computer...', click Change.
5. In Computer Name, Domain and Workgroup Settings, select Change Settings.
6. To apply changes click OK, then select 'Restart Now'.
7. Click OK at the Restart Computer dialog box.
8. Enter the Windows Security permission requirement.
9. Click the Start button, right click the mouse over Computer and select Properties.
10. Change the Computer Name and press OK.

SELF CHECK 1.1

Direction: Choose the correct answer from the given options. Write your answers on a
separate sheet of pad paper.

A. Workgroup F. Domain
B. Trust G. Confidentiality
C. Nonrepudiation H. Computer name
D. Integrity I. Authentication
E. Identification J. Audit entries

1. This involves setting up and maintaining account information for users and
computers.
2. Used to determine the access rights of a user or computer during the current session.
3. Encryption as data crosses exposed portions of a network.
4. Help to ensure that the content of a message or data file has not been modified when
it travels over a network.
5. Used to prove that the message was sent, that it was delivered, and that it was
received.
6. Allows or disallows authentication traffic to flow between two or more domains.
7. Used to identify system use and misuse, and to diagnose system behavior.
8. A unique name that identifies the computer to a computer network.
9. Microsoft's term for a peer-to-peer local area network.
10. Collection of administratively defined objects that share a common directory database.

LESSON 2 Creating Users to Domain

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Identify the deployment project participants.
b. Create an organizational unit design.
c. Know the importance of creating organizational units for the application of Group
Policy.

ACTIVITY SHEET 2.1


Technical Terms

Direction: Try to find ten terminologies related to our lesson.

Pre-Test 2.1

Direction: Choose the correct answer from the given choices. Write your answer on a separate
sheet of paper.

A. Site Topology Owner I. Forest Owner


B. Service Owners J. Executive Sponsor
C. Resource OU K. DNS For AD DS Owner
D. Project Manager L. Data Owners
E. Owners M. Architect
F. OU Owners N. Administrators
G. OU O. Account OU
H. Forest Owner

1. Responsible for creating organizational unit (OU) designs for their domains.
2. Data managers who control a subtree of objects in Active Directory Domain Services.

3. Provide administrative autonomy and the means to control visibility of objects in the
directory.
4. Contain user, group, and computer objects.
5. Contain resources and the accounts that are responsible for managing those
resources.
6. Understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.
7. Provides technical expertise to assist with the process of designing and deploying AD
DS.
8. Facilitates cooperation across business units and between technology management
groups.
9. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new domain
controllers within the forest.
10. Responsible for implementing the design on the network according to the design
specifications.
11. Responsible for planning and long-term maintenance of the Active Directory
infrastructure.
12. Responsible for the maintenance of the information stored in the directory.
13. Senior information technology (IT) manager in the organization who is responsible for
the Active Directory deployment process.
14. Individual who has a thorough understanding of the existing DNS infrastructure and
the existing namespace of the organization.
15. Familiar with the physical structure of the organization network, including mapping of
individual subnets, routers, and network areas that are connected by means of slow
links.

INFORMATION SHEET 2.1


Identifying the Deployment Project Participants

The first step in establishing a deployment project for Active Directory Domain Services
(AD DS) is to establish the design and deployment project teams that will be responsible for
managing the design phase and deployment phase of the Active Directory project cycle. In
addition, you must identify the individuals and groups who will be responsible for owning and
maintaining the directory after the deployment is completed. This involves:

• Defining project-specific roles
• Establishing owners and administrators
• Building project teams

Defining project-specific roles

An important step in establishing the project teams is to identify the individuals who are to
hold project-specific roles. These include the executive sponsor, the project architect, and the
project manager. These individuals are responsible for running the Active Directory
deployment project.
After you appoint the project architect and project manager, these individuals establish
channels of communication throughout the organization, build project schedules, and identify
the individuals who will be members of the project teams, beginning with the various owners.

Executive sponsor
Deploying an infrastructure such as AD DS can have a wide-ranging impact on an
organization. For this reason, it is important to have an executive sponsor who understands
the business value of the deployment, supports the project at the executive level, and can
help resolve conflicts across the organization.

Project architect
Each Active Directory deployment project requires a project architect to manage the
Active Directory design and deployment decision-making process. The architect provides
technical expertise to assist with the process of designing and deploying AD DS.

Note

If no existing personnel in your organization have directory design experience, you might want
to hire an outside consultant who is an expert in Active Directory design and deployment.

The responsibilities of the Active Directory project architect include the following:
• Owning the Active Directory design
• Understanding and recording the rationale for key design decisions
• Ensuring that the design meets the business needs of the organization
• Establishing consensus between design, deployment, and operations teams
• Understanding the needs of AD DS–integrated applications

The final Active Directory design must reflect a combination of business goals and technical
decisions. Therefore, the project architect must review design decisions to ensure that they
align with business goals.
Project manager

The project manager facilitates cooperation across business units and between technology
management groups. Ideally, the Active Directory deployment project manager is someone
from within the organization who is familiar with both the operational policies of the IT group
and the design requirements for the groups that are preparing to deploy AD DS. The project
manager oversees the entire deployment project, beginning with design and continuing
through implementation, and makes sure that the project stays on schedule and within budget.
The responsibilities of the project manager include the following:
• Providing basic project planning such as scheduling and budgeting
• Driving progress on the Active Directory design and deployment project
• Ensuring that the appropriate individuals are involved in each part of the design
process
• Serving as single point of contact for the Active Directory deployment project
• Establishing communication between design, deployment, and operations teams
• Establishing and maintaining communication with the executive sponsor throughout
the deployment project

Establishing owners and administrators

In an Active Directory deployment project, individuals who are owners are held accountable
by management to make sure that deployment tasks are completed and that Active Directory
design specifications meet the needs of the organization. Owners do not necessarily have
access to or manipulate the directory infrastructure directly. Administrators are the individuals
responsible for completing the required deployment tasks. Administrators have the network
access and permissions necessary to manipulate the directory and its infrastructure.

The role of the owner is strategic and managerial. Owners are responsible for communicating
to administrators the tasks required for the implementation of the Active Directory design such
as the creation of new domain controllers within the forest. The administrators are responsible
for implementing the design on the network according to the design specifications.
In large organizations, different individuals fill owner and administrator roles; however, in
some small organizations, the same individual might act as both the owner and the
administrator.
Service and data owners

Managing AD DS on a daily basis involves two types of owners:

• Service owners who are responsible for planning and long-term maintenance of the
Active Directory infrastructure and for ensuring that the directory continues to function
and that the goals established in service level agreements are maintained

• Data owners who are responsible for the maintenance of the information stored in the
directory. This includes user and computer account management and management of
local resources such as member servers and workstations.

It is important to identify the Active Directory service and data owners early so that they can
participate in as much of the design process as possible. Because the service and data
owners are responsible for the long-term maintenance of the directory after the deployment
project is finished, it is important for these individuals to provide input regarding organizational
needs and to be familiar with how and why certain design decisions are made. Service owners
include the forest owner, the Active Directory Domain Naming System (DNS) owner, and the
site topology owner. Data owners include organizational unit (OU) owners.

Service and data administrators


The operation of AD DS involves two types of administrators: service administrators and data
administrators. Service administrators implement policy decisions made by service owners
and handle the day-to-day tasks associated with maintaining the directory service and
infrastructure. This includes managing the domain controllers that are hosting the directory
service, managing other network services such as DNS that are required for AD DS,
controlling the configuration of forest-wide settings, and ensuring that the directory is always
available.

Service administrators are also responsible for completing ongoing Active Directory
deployment tasks that are required after the initial Windows Server 2008 Active Directory
deployment process is complete. For example, as demands on the directory increase, service
administrators create additional domain controllers and establish or remove trusts between
domains, as needed. For this reason, the Active Directory deployment team needs to include
service administrators.

You must be careful to assign service administrator roles only to trusted individuals in the
organization. Because these individuals have the ability to modify the system files on domain
controllers, they can change the behavior of AD DS. You must ensure that the service
administrators in your organization are individuals who are familiar with the operational and
security policies that are in place on your network and who understand the need to enforce
those policies.
Data administrators are users within a domain who are responsible both for maintaining data
that is stored in AD DS such as user and group accounts and for maintaining computers that
are members of their domain. Data administrators control subsets of objects within the
directory and have no control over the installation or configuration of the directory service.
Data administrator accounts are not provided by default. After the design team determines
how resources are to be managed for the organization, domain owners must create data
administrator accounts and delegate them the appropriate permissions based on the set of
objects for which the administrators are to be responsible.

It is best to limit the number of service administrators in your organization to the minimum
number required to ensure that the infrastructure continues to function. The majority of
administrative work can be completed by data administrators. Service administrators require
a much wider skill set because they are responsible for maintaining the directory and the
infrastructure that supports it. Data administrators only require the skills necessary to manage
their portion of the directory. Dividing work assignments in this way results in cost savings for
the organization because only a small number of administrators need to be trained to operate
and maintain the entire directory and its infrastructure.
For example, a service administrator needs to understand how to add a domain to a forest.
This includes how to install the software to convert a server into a domain controller and how
to manipulate the DNS environment so that the domain controller can be merged seamlessly
into the Active Directory environment. A data administrator only needs to know how to
manage the specific data that they are responsible for such as the creation of new user
accounts for new employees in their department.
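Keeping service administrators to the minimum the text recommends is only useful if someone periodically checks who actually holds those rights. The following PowerShell script is an added example and not part of this learning material: it lists the members of the default Windows groups that carry service administrator power and flags anyone who is not on an approved list. The group names are the Windows defaults; the approved-list entries are placeholders, and the script assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example, not from the learning material. Lists who holds service
# administrator rights so the forest owner can confirm membership stays minimal.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so run this against that domain (or drop those two names elsewhere).
Import-Module ActiveDirectory

# Default groups whose members can change the directory service itself
# (schema, forest-wide configuration, the domain controllers).
$serviceAdminGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators')

# Placeholder approved list; in practice this comes from the forest owner's records.
$approvedServiceAdmins = @('svc.owner1', 'svc.owner2')

$report = foreach ($group in $serviceAdminGroups) {
    # -Recursive expands nested groups so indirect members are counted as well.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    foreach ($m in $members) {
        if ($approvedServiceAdmins -notcontains $m.SamAccountName) {
            Write-Warning "$($m.SamAccountName) is in '$group' but not on the approved service administrator list"
        }
    }

    # One summary row per group for the forest owner's records.
    [pscustomobject]@{
        Group       = $group
        MemberCount = $members.Count
        Members     = ($members.SamAccountName -join ', ')
    }
}

$report | Format-Table -AutoSize
```

The nested-group expansion matters: a data administrator group that has been nested into Domain Admins would otherwise not show up, and the summary would understate how many people can change the directory service.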

Deploying AD DS requires coordination and communication between many different groups
involved in the operation of the network infrastructure. These groups should appoint service
and data owners who are responsible for representing the various groups during the design
and deployment process.
Once the deployment project is complete, these service and data owners continue to be
responsible for the portion of the infrastructure managed by their group. In an Active Directory
environment, these owners are the forest owner, the DNS for AD DS owner, the site topology
owner, and the OU owner. The roles of these service and data owners are explained in the
following sections.

Forest owner

The forest owner is typically a senior information technology (IT) manager in the organization
who is responsible for the Active Directory deployment process and who is ultimately
accountable for maintaining service delivery within the forest after the deployment is
complete. The forest owner assigns individuals to fill the other ownership roles by identifying
key personnel within the organization who are able to contribute necessary information about
network infrastructure and administrative needs. The forest owner is responsible for the
following:

• Deployment of the forest root domain to create the forest
• Deployment of the first domain controller in each domain to create the domains
required for the forest
• Memberships of the service administrator groups in all domains of the forest
• Creation of the design of the OU structure for each domain in the forest
• Delegation of administrative authority to OU owners
• Changes to the schema
• Changes to forest-wide configuration settings
• Implementation of certain Group Policy settings, including domain user account
policies such as fine-grained password and account lockout policy
• Business policy settings that apply to domain controllers
• Any other Group Policy settings that are applied at the domain level

The forest owner has authority over the entire forest. It is the forest owner’s responsibility to
set Group Policy and business policies and to select the individuals who are service
administrators. The forest owner is a service owner.

DNS for AD DS owner


The DNS for AD DS owner is an individual who has a thorough understanding of the existing
DNS infrastructure and the existing namespace of the organization.

The DNS for AD DS owner is responsible for the following:

• Serving as a liaison between the design team and the IT group that currently owns the
DNS infrastructure
• Providing the information about the existing DNS namespace of the organization to
assist in the creation of the new Active Directory namespace
• Working with the deployment team to make sure that the new DNS infrastructure is
deployed according to the specifications of the design team and that it is working
properly
• Managing the DNS for AD DS infrastructure, including the DNS Server service and
DNS data

The DNS for AD DS owner is a service owner.

Site topology owner


The site topology owner is familiar with the physical structure of the organization network,
including mapping of individual subnets, routers, and network areas that are connected by
means of slow links. The site topology owner is responsible for the following:
• Understanding the physical network topology and how it affects AD DS
• Understanding how the Active Directory deployment will impact the network
• Determining the Active Directory logical sites that need to be created
• Updating site objects for domain controllers when a subnet is added, modified, or
removed
• Creating site links, site link bridges, and manual connection objects
The site topology owner is a service owner.
OU owner

The OU owner is responsible for managing data stored in the directory. This individual needs
to be familiar with the operational and security policies that are in place on the network. OU
owners can perform only those tasks that have been delegated to them by the service
administrators, and they can perform only those tasks on the OUs to which they are assigned.
Tasks that might be assigned to the OU owner include the following:
• Performing all account management tasks within their assigned OU

• Managing workstations and member servers that are members of their assigned OU
• Delegating authority to local administrators within their assigned OU
The OU owner is a data owner.

Building project teams


Active Directory project teams are temporary groups that are responsible for completing
Active Directory design and deployment tasks. When the Active Directory deployment project
is complete, the owners assume responsibility for the directory, and the project teams can
disband.
The size of the project teams varies according to the size of the organization. In small
organizations, a single person can cover multiple areas of responsibility on a project team
and be involved in more than one phase of the deployment. Large organizations might require
larger teams with different individuals or even different teams covering the different areas of
responsibility. The size of the teams is not important as long as all areas of responsibility are
assigned, and the design goals of the organization are met.

Identifying potential forest owners

Identify the groups within your organization that own and control the resources necessary to
provide directory services to users on the network. These groups are considered potential
forest owners.

The separation of service and data administration in AD DS makes it possible for the
infrastructure IT group (or groups) of an organization to manage the directory service while
local administrators in each group manage the data that belongs to their own groups. Potential
forest owners have the required authority over the network infrastructure to deploy and
support AD DS.
For organizations that have one centralized infrastructure IT group, the IT group is generally
the forest owner and, therefore, the potential forest owner for any future deployments.
Organizations that include a number of independent infrastructure IT groups have a number
of potential forest owners. If your organization already has an Active Directory infrastructure
in place, any current forest owners are also potential forest owners for new deployments.
Select one of the potential forest owners to act as the forest owner for each forest that you
are considering for deployment. These potential forest owners are responsible for working
with the design team to determine whether or not their forest will actually be deployed or if an
alternate course of action (such as joining another existing forest) is a better use of the
available resources and still meets their needs. The forest owner (or owners) in your
organization are members of the Active Directory design team.
Establishing a design team
The Active Directory design team is responsible for gathering all the information needed to
make decisions about the Active Directory logical structure design.
The responsibilities of the design team include the following:

• Determining how many forests and domains are required and what the relationships
are between the forests and domains
• Working with data owners to ensure that the design meets their security and
administrative requirements
• Working with the current network administrators to ensure that the current network
infrastructure supports the design and that the design will not adversely affect existing
applications deployed on the network
• Working with representatives of the security group of the organization to ensure that
the design meets established security policies
• Designing OU structures that permit appropriate levels of protection and the proper
delegation of authority to the data owners
• Working with the deployment team to test the design in a lab environment to ensure
that it functions as planned and modifying the design as needed to address any
problems that occur
• Creating a site topology design that meets the replication requirements of the forest
while preventing overload of available bandwidth.
• Working with the deployment team to ensure that the design is implemented correctly

The design team includes the following members:

• Potential forest owners
• Project architect
• Project manager
• Individuals who are responsible for establishing and maintaining security policies on
the network

During the logical structure design process, the design team identifies the other owners.
These individuals must start participating in the design process as soon as they are identified.
After the deployment project is handed off to the deployment team, the design team is
responsible for overseeing the deployment process to ensure that the design is implemented
correctly. The design team also makes changes to the design based on feedback from testing.

Establishing a deployment team

The Active Directory deployment team is responsible for testing and implementing the
Active Directory logical structure design. This involves the following tasks:
• Establishing a test environment that sufficiently emulates the production environment
• Testing the design by implementing the proposed forest and domain structure in a lab
environment to verify that it meets the goals of each role owner
• Developing and testing any migration scenarios proposed by the design in a lab
environment
• Making sure that each owner signs off on the testing process to ensure that the correct
design features are being tested
• Testing the deployment operation in a pilot environment
When the design and testing tasks are complete, the deployment team performs the following
tasks:

• Creates the forests and domains according to the Active Directory logical structure
design
• Creates the sites and site link objects as needed based on the site topology design
• Ensures that the DNS infrastructure is configured to support AD DS and that any new
namespaces are integrated into the existing namespace of the organization
The Active Directory deployment team includes the following members:
• Forest owner
• DNS for AD DS owner
• Site topology owner
• OU owners
The deployment team works with the service and data administrators during the deployment
phase to ensure that members of the operations team are familiar with the new design. This
helps to ensure a smooth transition of ownership when the deployment operation is
completed. At the completion of the deployment process, the responsibility for maintaining
the new Active Directory environment passes to the operations team.

Documenting the design and deployment teams


Document the names and contact information for the people who will participate in the design
and deployment of AD DS. Identify who will be responsible for each role on the design and
deployment teams. Initially, this list includes the potential forest owners, the project manager,
and the project architect. When you determine the number of forests that you will deploy, you
might need to create new design teams for additional forests. Note that you will need to update
your documentation as team memberships change and as you identify the various
Active Directory owners during the design process.

INFORMATION SHEET 2.2


Creating an Organizational Unit Design

Forest owners are responsible for creating organizational unit (OU) designs for their domains.
Creating an OU design involves designing the OU structure, assigning the OU owner role,
and creating account and resource OUs.

Initially, design your OU structure to enable delegation of administration. When the OU design
is complete, you can create additional OU structures for the application of Group Policy to the
users and computers and to limit the visibility of objects.

OU owner role
The forest owner designates an OU owner for each OU that you design for the domain. OU
owners are data managers who control a subtree of objects in Active Directory Domain
Services (AD DS). OU owners can control how administration is delegated and how policy is
applied to objects within their OU. They can also create new subtrees and delegate
administration of OUs within those subtrees.
Because OU owners do not own or control the operation of the directory service, you can
separate ownership and administration of the directory service from ownership and
administration of objects, reducing the number of service administrators who have high levels
of access.

OUs provide administrative autonomy and the means to control visibility of objects in the
directory. OUs provide isolation from other data administrators, but they do not provide
isolation from service administrators. Although OU owners have control over a subtree of
objects, the forest owner retains full control over all subtrees. This enables the forest owner
to correct mistakes, such as an error in an access control list (ACL), and to reclaim delegated
subtrees when data administrators are terminated.

Account OUs and resource OUs


Account OUs contain user, group, and computer objects. Forest owners must create an OU
structure to manage these objects and then delegate control of the structure to the OU owner.
If you are deploying a new AD DS domain, create an account OU for the domain so that you
can delegate control of the accounts in the domain.

Resource OUs contain resources and the accounts that are responsible for managing those
resources. The forest owner is also responsible for creating an OU structure to manage these
resources and for delegating control of that structure to the OU owner. Create resource OUs
as needed based on the requirements of each group within your organization for autonomy
in the management of data and equipment.
Documenting the OU design for each domain

Assemble a team to design the OU structure that you use to delegate control over resources
within the forest. The forest owner might be involved in the design process and must approve
the OU design. You might also involve at least one service administrator to ensure that the
design is valid. Other design team participants might include the data administrators who will
work on the OUs and the OU owners who will be responsible for managing them.
It is important to document your OU design. List the names of the OUs that you plan to create.
For each OU, document the type of OU, the OU owner, the parent OU (if applicable), and
the origin of that OU.
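The account OU, resource OU and OU owner delegation described in this information sheet can be built and recorded from PowerShell. The script below is an added example, not the learning material's own procedure: it creates one account OU and one resource OU for a group, writes the documented design (name, type, owner, parent, origin) to a CSV file, and then delegates user account management in the account OU to the OU owner's group by editing the OU's access control list. The domain `DC=corp,DC=example`, the group `OU-Owners-Student` and the file name `ou-design.csv` are placeholders; the two GUIDs are the well-known schema identifiers for the user object class and the Reset Password control access right. It assumes the RSAT ActiveDirectory module and a session with the rights of a forest owner or service administrator.

```powershell
# Added example, not the learning material's own procedure: account OU, resource OU,
# design record, and delegation of account management to the OU owner's group.
# Placeholders: domain DC=corp,DC=example and an existing group OU-Owners-Student.
Import-Module ActiveDirectory

$domainDN  = 'DC=corp,DC=example'
$ownerName = 'OU-Owners-Student'

# The OU design exactly as the text says to document it.
$ouDesign = @(
    [pscustomobject]@{ Name = 'Student';              Type = 'Account';  Owner = $ownerName; Parent = $domainDN; Origin = 'New domain' }
    [pscustomobject]@{ Name = 'Student Workstations'; Type = 'Resource'; Owner = $ownerName; Parent = $domainDN; Origin = 'Lab equipment' }
)
$ouDesign | Export-Csv -Path '.\ou-design.csv' -NoTypeInformation   # the design record

foreach ($ou in $ouDesign) {
    $dn = "OU=$($ou.Name),$($ou.Parent)"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Parent `
            -Description "$($ou.Type) OU; owner: $($ou.Owner)" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Delegation to the OU owner, limited to user objects in the account OU subtree.
# Well-known schema / control-access-right GUIDs:
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right

$accountOU = "OU=Student,$domainDN"
$ownerSid  = (Get-ADGroup -Identity $ownerName).SID
$acl       = Get-Acl -Path "AD:\$accountOU"
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Create and delete user objects in this OU and any sub-OU (nothing else may be created).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ownerSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    $allow, $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 2. Read and write the attributes of user objects below the OU (not groups, not computers).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ownerSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass))

# 3. Reset passwords of those users; this is an extended right, not a property write.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ownerSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass))

Set-Acl -Path "AD:\$accountOU" -AclObject $acl

# Verify what was delegated: only the entries for the owner group on the account OU.
(Get-Acl -Path "AD:\$accountOU").Access |
    Where-Object { $_.IdentityReference -like "*\$ownerName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The three rules are scoped to the user object class and to the account OU subtree, which is what lets the forest owner retain full control over every subtree, as the text describes: the OU owner can manage accounts without being able to alter the OU itself, the directory service, or objects of other types.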

OPERATION SHEET 2.1
Creating a User in the Domain

Here are the procedures:

1. Open Server Manager, click Roles, select ADDS, select ADS as computer.
2. Right click your Domain.
3. Select New, Organizational Unit.
4. Assign the name for the Organizational Unit object (OU: Student).

5. Right click Organizational Unit, select New, User.

Note: Right click OU: Student, not User. Your User must be inside your created OU.
The image shows that the User OU is selected not the Student OU.

6. Type First name, Last name, Full name and User logon name. Click Next. Take note of
your User logon name.

7. Assign a password, then on the checkbox select Password Never Expires, click Next,
then Finish. Take note of your Password.
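The same procedure, performed with the ActiveDirectory module instead of the Active Directory Users and Computers console, as an added example that is not part of the operation sheet. It creates the OU from steps 3 and 4, creates the user inside that OU as the note under step 5 requires, sets the Password Never Expires option chosen in step 7, and then checks that the user's parent container really is the Student OU. The domain `corp.example`, the name `Juan Dela Cruz` and the logon name `jdelacruz` are placeholders.

```powershell
# Added example, not part of the operation sheet: the GUI steps above done with
# the RSAT ActiveDirectory module. Placeholders: domain corp.example, OU "Student",
# user "Juan Dela Cruz" with logon name "jdelacruz".
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example'
$ouName   = 'Student'
$ouDN     = "OU=$ouName,$domainDN"

# Steps 3-4: create the OU under the domain root (skipped if it already exists).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Step 6: names and logon name. The password is read without echoing it.
$givenName = 'Juan'
$surname   = 'Dela Cruz'
$logon     = 'jdelacruz'
$password  = Read-Host -AsSecureString -Prompt "Password for $logon"

# Steps 5 and 7: create the user inside the Student OU (not the default Users
# container), with the sheet's Password Never Expires option, and enable it.
New-ADUser -Name "$givenName $surname" `
    -GivenName $givenName -Surname $surname -DisplayName "$givenName $surname" `
    -SamAccountName $logon `
    -UserPrincipalName "$logon@corp.example" `
    -Path $ouDN `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -Enabled $true

# The note under step 5: the user's parent container must be the Student OU.
$user   = Get-ADUser -Identity $logon
$parent = ($user.DistinguishedName -split ',', 2)[1]   # everything after the CN= part
if ($parent -eq $ouDN) {
    "OK: $logon was created in $ouDN"
} else {
    Write-Warning "$logon is in $parent, not in $ouDN"
}
```

The `-Path` parameter is what decides the container; without it New-ADUser places the account in the default Users container, which is exactly the mistake the note under step 5 warns about in the console.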

SELF CHECK 2.1

Direction: Choose the letter of the correct answer. Write your answer on a separate sheet of
paper.

A. Account OU
B. Administrators
C. Architect
D. Data Owners
E. DNS For AD DS Owner
F. Executive Sponsor
G. Forest Owner
H. Forest Owners
I. Organizational Unit
J. OU Owners
K. Owners
L. Project Manager
M. Resource OU
N. Service Owners
O. Site Topology Owner

1. Contain resources and the accounts that are responsible for managing those
resources.
2. Contain user, group, and computer objects.
3. Data managers who control a subtree of objects in Active Directory Domain Services.
4. Facilitates cooperation across business units and between technology management
groups.
5. Familiar with the physical structure of the organization network, including mapping of
individual subnets, routers, and network areas that are connected by means of slow
links.
6. Individual who has a thorough understanding of the existing DNS infrastructure and
the existing namespace of the organization.
7. Provide administrative autonomy and the means to control visibility of objects in the
directory.
8. Provides technical expertise to assist with the process of designing and deploying AD
DS.
9. Responsible for communicating to administrators the tasks required for the
implementation of the Active Directory design such as the creation of new domain
controllers within the forest.
10. Responsible for creating organizational unit (OU) designs for their domains.
11. Responsible for implementing the design on the network according to the design
specifications.
12. Responsible for planning and long-term maintenance of the Active Directory
infrastructure
13. Responsible for the maintenance of the information stored in the directory.
14. Senior information technology (IT) manager in the organization who is responsible for
the Active Directory deployment process
15. Understands the business value of the deployment, supports the project at the
executive level, and can help resolve conflicts across the organization.

LESSON 3 Designing a Group Policy Infrastructure

Learning Objectives

At the end of the lesson, the learner should be able to:


a. Describe Group Policy
b. Design an OU that supports Group Policy
c. Define Group Policy Objectives
d. Recognize Group Policy Management Console

ACTIVITY SHEET 3.1
Technical Terms

Direction: Unscramble the letters to identify the words related to our lesson.

1. UORGP IYOLCP
2. JTECOB
3. ITNTEGSS
4. TMGENENMAA LENOCSO
5. UTUFNCATSRERIR
6. LINANNGP
7. IDGENS
8. ESETBOIJCV
9. ELOUAATIVN
10. CATCSIEPR

Pre-Test 3.1

Direction: Read each statement carefully. Write TRUE if the statement is true or FALSE if the
statement is false on a separate sheet of pad paper.

1. Define your objectives for deploying Group Policy.


2. Determine the Number of GPOs to use in defining objectives.
3. Determine the purpose of each GPO
4. Determine the types of policy settings contained in each GPO, and the appropriate
policy settings for users and computers
5. Ensure that your Active Directory design supports the application of Group Policy.
6. Group Policy enables Active Directory–based change and configuration management
of user and computer settings on computers running a member of the Microsoft®
Windows® Server or Microsoft Windows® families of operating systems.
7. Group Policy to help manage server computers, by configuring many server-specific
operational and security settings.
8. The Group Policy settings that you create are contained in a Group Policy object
9. To create a GPO, use the Group Policy Object Editor snap-in.
10. To edit a new GPO, use the Group Policy Management Console

11. Use GPMC to make backups of your GPOs on an annual basis.
12. Use GPMC to manage Group Policy across the organization.
13. Do not modify the default domain policy or default domain controller policy unless
necessary. Instead, create a new GPO at the domain level and set it to override the
default settings in the default policies.
14. Define a meaningful naming convention for GPOs that clearly identifies the purpose of
each GPO.
15. Designate only one administrator per GPO. This prevents one administrator’s work
from being overwritten by another’s.

INFORMATION SHEET 3.1


Group Policy Infrastructure

Group Policy enables Active Directory–based change and configuration management of user
and computer settings on computers running a member of the Microsoft® Windows® Server
or Microsoft Windows® families of operating systems. You use Group Policy to define
configurations for groups of users and computers, including policy settings for registry-based
policies, software installation, scripts, folder redirection, Remote Installation Services, Internet
Explorer maintenance, and security. You can also use Group Policy to help manage server
computers, by configuring many server-specific operational and security settings.

The Group Policy settings that you create are contained in a Group Policy object (GPO). To
create a GPO, use the Group Policy Management Console (GPMC). To edit a new GPO, use
the Group Policy Object Editor snap-in for the Microsoft Management Console (MMC), which
you can start from GPMC. By using GPMC to link a GPO to selected Active Directory system
containers — sites, domains, and organizational units (OUs) — you apply the policy settings
in the GPO to the users and computers in those Active Directory containers.

To guide your Group Policy design decisions, you need a clear understanding of your
organization’s business needs, service level agreements, and security, network, and IT
requirements. By analyzing your current environment and users’ requirements, defining the
business objectives you want to meet by using Group Policy, and following this chapter’s
guidelines for designing a Group Policy infrastructure, you can establish the approach that
best supports your organization’s needs.

Planning your Group Policy Design
When you plan your Group Policy design, ensure that your Active Directory design supports
the application of Group Policy. Then you need to clearly define your objectives for deploying
Group Policy. Specifically, understand any service-level agreements and administrative
issues that pertain to Group Policy and consider your business requirements and how Group
Policy can help you achieve them. Finally, incorporate any operational, interoperability and
software installation considerations into your plan. Figure 3.1 illustrates the steps in the Group
Policy planning process.

Figure 3.1 Group Policy Planning

Designing an OU Structure that Supports Group Policy


In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites,
domains, or organizational units (OUs). Typically, most GPOs are assigned at the
organizational unit level, so be sure your OU structure supports your Group Policy-based
client-management strategy. You might also apply some Group Policy settings at the domain
level, particularly those such as password policies, which only take effect if applied at the
domain level. Very few policy settings are likely to be applied at the site level. A well-designed
OU structure, reflecting the administrative structure of your organization and taking advantage
of GPO inheritance, simplifies the application of Group Policy. For example, it can prevent
needing to duplicate certain policies so that the policies can be applied to different parts of
the organization, or having to link the same GPO to multiple Active Directory containers to
achieve your objectives. If possible, create OUs to delegate administrative authority as well
as to help implement Group Policy.

OU design requires balancing requirements for delegating administrative rights – independent
of Group Policy needs – and the need to scope the application of Group Policy. The following
OU design recommendations address delegation and scope issues:

Delegating administrative authority You can create OUs within a domain and delegate
administrative control for specific OUs to particular users or groups. Your OU structure might
be affected by requirements to delegate administrative authority. For more information about
planning for delegation of Active Directory administrative authority, see "Designing the Active
Directory Logical Structure" in Designing and Deploying Directory and Security Services of
this kit.

Applying Group Policy An OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.

Think primarily about the objects you want to manage when you approach the design of an
OU structure. You might want to create a structure that has OUs organized by workstations,
servers, and users near the top level. Depending on your administrative model, you might
consider geographically based OUs either as children or parents of the other OUs, and then
duplicate the structure for each location to avoid replicating across different sites. Add OUs
below these only if doing so makes the application of Group Policy clearer, or if you need to
delegate administration below these levels.

By using a structure in which OUs contain homogeneous objects, such as either user or
computer objects but not both, you can easily disable those sections of a GPO that do not
apply to a particular type of object. This approach to OU design, illustrated in Figure 3.2,
reduces complexity and improves the speed at which Group Policy is applied. Keep in mind
that GPOs linked to the higher layers of the OU structure are inherited by default, which
reduces the need to duplicate GPOs or to link a GPO to multiple containers.

Note that the default Users and Computers containers cannot have Group Policy applied to
them until you use the new Redirusr.exe and Redircomp.exe tools. When designing your
Active Directory structure, the most important considerations are ease of administration and
delegation.

Figure 3.2 Example OU Structure
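The homogeneous-OU design above, with the user or computer half of each GPO switched off and inheritance relied on instead of duplicate links, looks like this when done with the GroupPolicy module that installs alongside GPMC. This is an added example and not part of the learning material: it assumes a domain `DC=corp,DC=example` with OUs named `Workstations` and `Users` already created under the domain root, a session allowed to create and link GPOs, and uses two real registry-based policies (SmartScreen on the computer side, a password-protected screen saver on the user side) as the settings. The GPO names follow a placeholder `WS-`/`USR-` prefix convention.

```powershell
# Added example, not from the learning material: GPOs for homogeneous OUs using the
# GroupPolicy module. Placeholders: domain DC=corp,DC=example with existing OUs
# "Workstations" (computer objects only) and "Users" (user objects only).
Import-Module GroupPolicy

$domainDN       = 'DC=corp,DC=example'
$workstationsOU = "OU=Workstations,$domainDN"
$usersOU        = "OU=Users,$domainDN"

# Computer-only OU: keep just the Computer Configuration half of the GPO active,
# so clients skip the user half entirely when they process it.
$wsGpo = New-GPO -Name 'WS-Security-Baseline' -Comment 'Computer settings for workstations (owner: desktop team)'
$wsGpo.GpoStatus = 'UserSettingsDisabled'
# A computer-side registry-based policy: enable Windows Defender SmartScreen.
Set-GPRegistryValue -Name $wsGpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'EnableSmartScreen' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $wsGpo.DisplayName -Target $workstationsOU -LinkEnabled Yes | Out-Null

# User-only OU: keep just the User Configuration half active.
$usrGpo = New-GPO -Name 'USR-Desktop-Lock' -Comment 'User settings: lock idle sessions (owner: service desk)'
$usrGpo.GpoStatus = 'ComputerSettingsDisabled'
# User-side policy: password-protected screen saver after 15 minutes (900 s) idle.
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $usrGpo.DisplayName -Key $ssKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $usrGpo.DisplayName -Key $ssKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $usrGpo.DisplayName -Key $ssKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null
New-GPLink -Name $usrGpo.DisplayName -Target $usersOU -LinkEnabled Yes | Out-Null

# Inheritance check: an OU sees its own links plus everything linked at the domain
# (and any parent OU) above it, which is why one GPO at a higher level does not
# have to be linked again to each OU underneath.
Get-GPInheritance -Target $workstationsOU |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Setting `GpoStatus` is the scripted equivalent of the "Disable Computer Configuration settings" / "Disable User Configuration settings" options in GPMC; the result is the faster policy processing that the text attributes to OUs holding only one object type.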

Defining Your Group Policy Objectives
When you plan the deployment of Group Policy, identify your specific business requirements
and how Group Policy can help achieve them. You can then determine the most appropriate
policy settings and configuration options to meet your requirements.

The objectives for each Group Policy implementation vary depending on user location, job
needs, computer experience, and corporate security requirements. For example, in some
cases, you might remove functionality from users’ computers to prevent them from modifying
system configuration files (which might disrupt computer performance), or you might remove
applications that are not essential for users to perform their jobs. In other cases, you might
use Group Policy to configure operating system options, specify Internet Explorer
maintenance settings, or establish a security policy.
Having a clear understanding of your current organizational environment and requirements
helps you design a plan that best meets your organization’s requirements. Collecting
information about the types of users (such as process workers and data entry workers) and
existing and planned computer configurations is essential. Based on this information, you can
define your Group Policy objectives.

Evaluating Existing Corporate Practices


To help you identify the appropriate Group Policy settings to use, begin by evaluating current
practices in your corporate environment, including such things as:
• User requirements for various types of users.
• Current IT roles, such as the various administrative duties divided amongst
administrator groups.
• Existing corporate security policies.
• Other security requirements for your server and client computers.
• Software distribution model.
• Network configuration.
• Data storage locations and procedures.
• Current management of users and computers.

Defining Group Policy Objectives


Next, as part of defining the goals for Group Policy, determine the following:
• Purpose of each GPO
• Owner of each GPO – the person who requested the policy and who is responsible for
it
• Number of GPOs to use
• Appropriate container to link each GPO (site, domain, or OU)

• Types of policy settings contained in each GPO, and the appropriate policy settings for
users and computers
• When to set exceptions to the default processing order for Group Policy
• When to set filtering options for Group Policy
• The software applications to install and their locations
• What network shares to use for redirecting folders
• The location of logon, logoff, startup, and shutdown scripts to execute
Establishing Group Policy Operational Guidelines
As you design and implement your Group Policy solution, it is also important to plan for the
ongoing administration of Group Policy.
Establishing administrative procedures to track and manage GPOs can ensure that all
changes are implemented in a prescribed manner.
To simplify and regulate ongoing management of Group Policy, it is recommended that
administrators:
• Always stage Group Policy deployments using the following pre-deployment process:
1. Use Group Policy Modeling to understand how a new GPO will interoperate with
existing GPOs.
2. Deploy new GPOs in a test environment modeled after your production
environment.
3. Use Group Policy Results to understand which GPO settings actually are
applied in your test environment.
• Use GPMC to make backups of your GPOs on a regular basis.
• Use GPMC to manage Group Policy across the organization.
• Do not modify the default domain policy or default domain controller policy unless
necessary. Instead, create a new GPO at the domain level and set it to override the
default settings in the default policies.
• Define a meaningful naming convention for GPOs that clearly identifies the purpose of
each GPO.
• Designate only one administrator per GPO. This prevents one administrator’s work
from being overwritten by another’s.
Windows Server 2003 and GPMC allow you to delegate permission to edit and link GPOs to
different groups of administrators. Without adequate GPO control procedures in place,
delegated administrators can duplicate GPO settings, or create GPOs that conflict with
settings set by another administrator or that are not in accordance with corporate standards.
Such conflicts might adversely affect the users’ desktop environment, generate increased
support calls, and make troubleshooting GPOs more difficult.
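The backup and naming guidelines above can be turned into a scheduled script. This is an added example (not part of the learning material); it uses the GroupPolicy PowerShell module that ships with GPMC, and the backup path and the "USR-/CMP-/SRV-" naming convention are assumptions chosen for illustration.

```powershell
# Added example: back up every GPO in the domain and flag GPOs that break a naming
# convention, as the operational guidelines recommend.
# Assumptions: the GroupPolicy module (RSAT / GPMC) is installed, the account can read
# all GPOs, and the prefix convention "<Scope>-<Purpose>" (e.g. USR-FolderRedirection)
# is this organization's own rule, invented here for illustration.
#Requires -Modules GroupPolicy
param(
    [string]$BackupRoot  = 'D:\GPOBackups',                 # assumed local backup folder
    [string]$NamePattern = '^(USR|CMP|SRV)-[A-Za-z0-9]+$'   # hypothetical naming convention
)

Import-Module GroupPolicy

$defaultGpos = 'Default Domain Policy', 'Default Domain Controllers Policy'

# One dated folder per run, so an earlier backup is never overwritten.
$runFolder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $runFolder -Force | Out-Null

# Backup-GPO -All saves the settings of every GPO. GPO links are not part of a backup,
# so record them separately (see Get-GPInheritance) if you need to rebuild a domain.
$backups = Backup-GPO -All -Path $runFolder -Comment "Scheduled backup $(Get-Date -Format s)"
Write-Output ("Backed up {0} GPOs to {1}" -f @($backups).Count, $runFolder)

# The default policies should stay untouched (see the guidelines above); record when
# they were last modified so an unexpected change stands out in the backup log.
Get-GPO -All |
    Where-Object { $_.DisplayName -in $defaultGpos } |
    Select-Object DisplayName, ModificationTime, Owner |
    Format-Table -AutoSize

# Report GPOs whose names do not follow the convention, together with their owner
# (the guidelines ask for exactly one responsible administrator per GPO).
$offenders = Get-GPO -All | Where-Object {
    $_.DisplayName -notmatch $NamePattern -and $_.DisplayName -notin $defaultGpos
}
foreach ($gpo in $offenders) {
    Write-Warning ("GPO '{0}' (owner: {1}) does not follow the naming convention" -f
        $gpo.DisplayName, $gpo.Owner)
}

# Also export a readable settings report next to each backup for change review.
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'   # make the name file-safe
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $runFolder "$safeName.html")
}
```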

OPERATION SHEET 3.1
Using Group Policy Management Console

A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to
manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2
with Service Pack 1 (SP1) and Windows Server 2012 R2.
Why use the GPMC?
The GPMC lets you:
• Import, export, copy, paste, backup and restore GPOs.
• Search for existing GPOs.
• Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML
reports that you can save and print.
• Use simulated RSoP data to prototype your Group Policy before implementing it in the
production environment.
• Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy
deployment.
• Create migration tables to let you import and copy GPOs across domains and across
forests. Migration tables are files that map references to users, groups, computers, and
Universal Naming Convention (UNC) paths in the source GPO to new values in the
destination GPO.
• Create scriptable interfaces to support all of the operations available within the GPMC.
You can't use scripts to edit individual policy settings in a GPO.

Here's a list of the policy settings you can use, based on the configuration type.

You can start Group Policy Management Console (GPMC) using one of two methods.
To start GPMC
Do either of the following:
• Press the Windows logo key + R to open the RUN dialog box. Type
gpmc.msc in the text box, and then click OK or press ENTER.
• Click Start, click All Programs, click Accessories, and then click Run.
Type gpmc.msc in the text box, and then click OK or press ENTER.
You can use the Group Policy Management Console (GPMC) to create and edit Group Policy
objects (GPOs).

Every AD domain has two default GPOs:


• Default Domain Policy, which is linked to the domain
• Default Domain Controllers Policy, which is linked to the domain controller’s OU
You can see all the GPOs in a domain by clicking the Group Policy Objects container in the
left pane of GPMC.

Figure 3.3. Interface of the Group Policy Management Console

Create a New Group Policy Object


Don’t change either the Default Domain Controllers Policy or the Default Domain Policy. The
best way to add your own settings is to create a new GPO. There are two ways to create a
new GPO:
• Right-click the domain, site or OU to which you want to link the new GPO and
select Create a GPO in this domain, and Link it here… When you save the new
GPO, it will be linked and enabled immediately.
• Right-click the Group Policy Objects container and select New from the menu. You will
need to manually link the new GPO by right-clicking a domain, site or OU and
selecting Link an Existing GPO. You can do this at any time.

Regardless of how you create a new GPO, in the New GPO dialog you must give the GPO a
name, and you can choose to base it on an existing GPO. See the next section for information
about the other options.

Edit a Group Policy Object


To edit a GPO, right click it in GPMC and select Edit from the menu. The Active Directory
Group Policy Management Editor will open in a separate window.

Figure 3.4. Interface of the Group Policy Management Editor

GPOs are divided into computer and user settings. Computer settings are applied when
Windows starts, and user settings are applied when a user logs in. Group Policy background
processing applies settings periodically if a change is detected in a GPO.
Policies vs Preferences
User and computer settings are further divided into Policies and Preferences:
• Policies do not tattoo the registry — when a setting in a GPO is changed or the GPO
falls out of scope, the policy setting is removed and the original value is used instead.
Policy settings always supersede an application’s configuration settings and will be
greyed out so that users cannot modify them.
• Preferences tattoo the registry by default, but this behavior is configurable for each
preference setting. Preferences overwrite an application’s configuration settings but
always allow users to change the configuration items. Many of the configurable items
in Group Policy Preferences are those that might have been previously configured
using a login script, such as drive mappings and printer configuration.
You can expand Policies or Preferences to configure their settings. These settings will then
be applied to computer and user objects that fall into the GPO’s scope. For example, if you
link your new GPO to the domain controller’s OU, the settings will be applied to computer and
user objects located in that OU and any child OUs. You can use the Block Inheritance setting
on a site, domain or OU to stop GPOs that are linked to parent objects from being applied to
child objects. You can also set the Enforced flag on individual GPOs, which overrides the
Block Inheritance setting and any configuration items in GPOs that have higher precedence.

GPO Precedence
Multiple GPOs can be linked to domains, sites and OUs. When you click on one of these
objects in GPMC, a list of linked GPOs will appear on the right on the Linked Group Policy
Objects tab. If there is more than one linked GPO, GPOs with a higher link order number take
priority over settings configured in GPOs with a lower number.
You can change the link order number by clicking on a GPO and using the arrows on the left
to move it up or down. The Group Policy Inheritance tab will show all applied GPOs, including
those inherited from parent objects.

Figure 3.5. Information about all applied GPOs in GPMC

Advanced Group Policy Management


Advanced Group Policy Management (AGPM) is available as part of the Microsoft Desktop
Optimization Pack (MDOP) for Software Assurance customers. Unlike GPMC, AGPM is a
client/server application where the server component stores GPOs offline, including a history
for each GPO. GPOs managed by AGPM are called controlled GPOs because they are
managed by the AGPM service and administrators can check them in and out, much like you
might check files or code in and out of GitHub or a document management system.
AGPM provides greater control over GPOs than is possible with GPMC. In addition to
providing version control, it enables you to assign roles like Reviewer, Editor and Approver to
Group Policy administrators, which helps you implement strict change control throughout the
entire GPO lifecycle. AGPM auditing also gives greater insight into Group Policy changes.

ACTIVITY SHEET 3.3

Direction: Use the ALPHABET to arrange the procedures in their proper order. Write your
answers on a separate sheet of pad paper.

To create a Group Policy object


1. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
2. In the GPMC console tree, right-click Group Policy Objects in the forest and domain in
which you want to create a GPO.
3. Click New.
To edit a Group Policy object
4. Right-click the GPO, and then click Edit.
5. In the GPMC console tree, double-click Group Policy Objects in the forest and domain
containing the GPO that you want to edit.
6. In the console tree, edit the settings as appropriate.
To delete a GPO
7. When prompted to confirm the deletion, click OK.
8. Right-click the GPO, and then click Delete.
9. In the Group Policy Management Console (GPMC) console tree, double-click Group
Policy Objects in the forest and domain containing the Group Policy object (GPO) that
you want to delete.
10. How to start a GPMC?

SELF CHECK 3.1

Direction: Read each statement carefully. Write whether the statement is TRUE or FALSE
on a separate sheet of pad paper.
1. Group Policy enables Active Directory–based change and configuration management
of user and computer settings on computers running a member of the Microsoft®
Windows® Server or Microsoft Windows® families of operating systems.
2. Group Policy helps manage server computers by configuring many server-specific
operational and security settings.
3. To create a GPO, use the Group Policy Object Editor snap-in.
4. To edit a new GPO, use the Group Policy Management Console
for the Microsoft Management Console (MMC), which you can start from GPMC
5. The Group Policy settings that you create are contained in a Group Policy object
6. Ensure that your Active Directory design supports the application of Group Policy.
7. Define your objectives for deploying Group Policy.
8. Determine the Number of GPOs to use in defining objectives.
9. Determine the purpose of each GPO
10. Determine the types of policy settings contained in each GPO, and the appropriate
policy settings for users and computers
11. Use GPMC to make backups of your GPOs on an annual basis.
12. Use GPMC to manage Group Policy across the organization.
13. Do not modify the default domain policy or default domain controller policy unless
necessary. Instead, create a new GPO at the domain level and set it to override the
default settings in the default policies.
14. Define a meaningful naming convention for GPOs that clearly identifies the purpose of
each GPO.
15. Designate only one administrator per GPO. This prevents one administrator’s work
from being overwritten by another’s.

LESSON 4 Using Folder Redirection

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Understand Folder Redirection
b. Specify the Location of Folders in a User Profile
c. Deploy Folder Redirection

ACTIVITY SHEET 4.1


Technical Terms

Direction: Try to identify the words related to our lesson.

1. EILF 6. OEPRTPERIS
2. ERTOSAG 7. UCFNRGEOI
3. RELOFD 8. SITETNG
4. RODEEITCINR 9. YLIOPC
5. NATILOOC 10. LFPOEIR

Pre-Test 4.1

Direction: Choose the correct answer from the given choices. Write your answers on a
separate sheet of paper.

A. x64-based or x86-based computer
B. Target tab
C. Redirect to the local user profile location
D. Redirect to the following location
E. Not configured
F. Group Policy Management Console
G. Folder Redirection
H. File and Storage Services
I. Basic—Redirect everyone's folder to the same location
J. Advanced—Specify locations for various user groups

1. Includes technologies that help you set up and manage one or more file servers, which
are servers that provide central locations on your network where you can store files
and share them with users.
2. Enables you to redirect the location of specific folders within user profiles to a new
location, such as a shared network location.
3. Where you can configure Folder Redirection to redirect specific user profile folders, as
well as edit Folder Redirection policy settings.
4. Hardware requirements for folder redirection.
5. Enables you to select the location of the redirected folder on a network or in the local
user profile.
6. This setting enables you to redirect everyone's folder to the same location and will be
applied to all users included in the Group Policy object
7. This option will use an explicit path to the redirection location.
8. This option will move the location of the folder to the local user profile under
the Users folder.
9. This setting enables you to specify redirection behavior for the folder based on the
security group memberships for the GPO.
10. No changes are being made to the current location of this folder.

INFORMATION SHEET 4.1
Folder Redirection Overview

File and Storage Services includes technologies that help you set up and manage one or
more file servers, which are servers that provide central locations on your network where you
can store files and share them with users. If your users need access to the same files and
applications, or if centralized backup and file management are important to your organization,
you should set up one or more servers as a file server by installing the File and Storage
Services role and the appropriate role services.

Practical applications
• Folder Redirection, Offline Files, and Roaming User Profiles - Use to redirect the
path of local folders (such as the Documents folder) or an entire user profile to a
network location, while caching the contents locally for increased speed and
availability.
Folder Redirection enables you to redirect the location of specific folders within user profiles
to a new location, such as a shared network location. Folder redirection is used in the process
of administering user profiles and roaming user profiles. You can configure Folder Redirection
using the Group Policy Management Console to redirect specific user profile folders, as well
as edit Folder Redirection policy settings.
Hardware requirements
Folder Redirection, Offline Files, and Roaming User Profiles require an x64-based or x86-
based computer, and they are not supported by Windows on ARM (WOA)-based computers.
Software requirements
To designate primary computers, your environment must meet the following requirements:
• The Active Directory Domain Services (AD DS) schema must be updated to include the
Windows Server 2012 schema additions.
• Client computers must run Windows 7, Windows 10, Windows 8.1, Windows 8,
Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2012 and be
joined to the Active Directory domain that you are managing.

User settings and user files are normally stored in the local user profile, under
the Users folder. The files in local user profiles are accessible only from the current computer,
which makes it difficult for users who use more than one computer to work with their data and
synchronize settings between multiple computers. Two different technologies exist to address
this problem: Roaming Profiles and Folder Redirection. Both of these technologies have their
advantages, and they can be used separately or together to create a seamless user
experience from one computer to another. They also provide additional options for
administrators managing user data.
Folder Redirection allows administrators to redirect the path of a folder to a new location. The
location can be a folder on the local computer or a directory on a network file share. Users
have the ability to work with documents on a server as if the documents were based on a
local drive. The documents in the folder are available to the user from any computer on the
network. Folder Redirection is located under Windows Settings in the console tree when
editing domain-based Group Policy using the Group Policy Management Console (GPMC).
The path is [Group Policy Object Name]\User Configuration\Policies\Windows
Settings\Folder Redirection.

You can use the Group Policy Management Console to redirect folders in Windows Vista and
folders in earlier Windows operating systems:

Windows 7 folder      Equivalent folder in earlier Windows operating systems
--------------------  ------------------------------------------------------
AppData/Roaming       Application Data
Contacts              N/A
Desktop               Desktop
Documents             My Documents
Downloads             N/A
Favorites             N/A
Links                 N/A
Music                 N/A
Pictures              My Pictures
Saved Games           N/A
Searches              N/A
Start Menu            Start Menu
Videos                N/A
Advantages of Folder Redirection
• Even if a user logs on to various computers on the network, their data is always
available.
• Offline Files technology (which is turned on by default) gives users access to the folder
even when they are not connected to the network. This is particularly useful for people
who use portable computers.
• Data that is stored in a network folder can be backed up as part of routine system
administration. This is safer because it requires no action on the part of the user.
• If you use Roaming User Profiles, you can use Folder Redirection to reduce the total
size of your Roaming Profile and make the user logon and logoff process more efficient
in terms of time for the end user. When you deploy Folder Redirection with Roaming
User Profiles, the data synchronized via Folder Redirection is not part of the roaming
profile and is synchronized in the background using Offline Files after the user has
logged on. As a result the user does not need to wait for this data to be synchronized
at logon/logoff as is the case with Roaming User Profiles.
• Data that is specific to a user can be redirected to a different hard disk on the user's
local computer from the hard disk that holds the operating system files, making the
user's data safer in case the operating system has to be reinstalled.
• As an administrator, you can use Group Policy to set disk quotas, limiting the amount
of space that is taken up by user profile folders.

Selecting a Folder Redirection target


The Target tab of the folder's Properties box enables you to select the location of the
redirected folder on a network or in the local user profile. You can choose between the
following settings:
• Basic—Redirect everyone's folder to the same location. This setting enables you
to redirect everyone's folder to the same location and will be applied to all users
included in the Group Policy object (GPO). For this setting you have the following
options in specifying a target folder location:
o Create a folder for each user under the root path. This option will create a
folder in the form \\server\share\User Account Name\Folder Name. Each
user will get a unique path to their redirected folder.
o Redirect to the following location. This option will use an explicit path to the
redirection location. This can cause multiple users to share the same path to the
redirected folder.
o Redirect to the local user profile location. This option will move the location of the
folder to the local user profile under the Users folder.
• Advanced—Specify locations for various user groups. This setting enables you to
specify redirection behavior for the folder based on the security group memberships
for the GPO.
• Follow the Documents folder. This option is available only for the Music, Pictures,
and Videos folders. This option resolves any issues related to naming and folder
structure differences between Windows Vista and earlier Windows operating systems.
If you choose this option, you will not be able to configure any additional redirection
options or policy removal options for these folders and settings will be inherited from
the Documents folder.
• Not configured. This is the default setting. This setting specifies that policy-based
folder redirection has been removed for that GPO and the folders will be redirected to
the local user profile location or stay where they are based on the redirection options
selected if any existing redirection policies have been set. No changes are being made
to the current location of this folder.

Configuring additional settings for the redirected folder


In the Settings tab in the Properties box for a folder, you can enable these settings:
• Grant the user exclusive rights. This setting is enabled by default and is a
recommended setting. This setting specifies that the administrator and other users do
not have permissions to access this folder.
• Move the contents of [FolderName] to the new location. This setting moves all the
data the user has in the local folder to the shared folder on the network.
• Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows
XP, and Windows Server 2003 operating systems. This enables folder redirection
to work with both Windows Vista and earlier Windows operating systems. This option
applies only to redirectable folders in earlier Windows operating systems, which are
the Application Data, Desktop, My Documents, My Pictures, and Start
Menu folders.
• Policy Removal. The following table summarizes the behavior of redirected folders
and their contents when the GPO no longer applies, based on your selections for policy
removal. The following policy removal options are available in the Settings tab,
under Policy Removal.

Policy Removal option: Redirect the folder back to the user profile location when policy is removed
Selected setting: Enabled
Result:
• The folder returns to its user profile location.
• The contents are copied, not moved, back to the user profile location.
• The contents are not deleted from the redirected location.
• The user continues to have access to the contents, but only on the local computer.

Policy Removal option: Redirect the folder back to the user profile location when policy is removed
Selected setting: Disabled
Result:
• The folder returns to its user profile location.
• The contents are not copied or moved to the user profile location.
Note: If the contents of a folder are not copied to the user profile location, the user
cannot see them.

Policy Removal option: Leave the folder in the new location when policy is removed
Selected setting: Either Enabled or Disabled
Result:
• The folder remains at its redirected location.
• The contents remain at the redirected location.
• The user continues to have access to the contents at the redirected folder.

Specify the Location of Folders in a User Profile


You can use Group Policy to specify another location (in other words, "redirect" the location)
for folders within user profiles. You can redirect folders either to one location for everyone or
to various locations based on the security group membership of users. You can also configure
additional settings for the redirected folder. The settings you can configure include whether to
grant exclusive user rights to the folder, move the contents of the folder to the new location,
apply redirection policy to earlier Windows operating systems, or specify system behavior if
the policy is removed.

To specify the location of folders in a user profile


1. In the Group Policy Management Console (GPMC) tree, right-click the Group Policy
object (GPO) that is linked to the site, domain, or organizational unit that contains the
users whose user profile folders you want to redirect, and then click Edit.
2. In the Group Policy Management Editor window, right-click the user profile folder you
want to redirect. The path to the user profile folder is User
Configuration\Policies\Windows Settings\Folder
Redirection\UserProfileFolderName
3. In the Target tab, under Settings, choose one of the following settings, follow the
steps for that setting, and then click OK:
Basic—Redirect everyone's folder to the same location
a. Under Target folder location, select a location.
b. If you want to redirect the folder to a specific location, select Create a folder for
each user under the root path or Redirect to the following location, and
then click Browse to specify a location.
c. If you want to specify additional redirection settings for the folder, click
the Settings tab to configure any of the following settings, and then click OK:
o Grant the user exclusive rights to the folder (selected by default).
o Move the contents of the folder to the new location (selected by default).
o Apply redirection policy from Windows Vista to earlier Windows operating
systems.
o Specify policy removal settings (Leave the folder in the new location when
policy is removed is selected by default).
Advanced—Specify locations for various user groups
a. Under Security Group Membership, click Add.
b. Under Security Group Membership, click Browse to find the security group.
c. Under Target folder location, select a location.
d. If you want to redirect the folder to a specific location, select Create a folder for
each user under the root path or Redirect to the following location, and
then click Browse to specify a location.
e. If you want to specify additional redirection settings for the folder, click
the Settings tab to configure any of the following settings, and then click OK:
o Grant the user exclusive rights to [FolderName] (selected by default).
o Move the contents of [FolderName] to the new location (selected by default).
o Also apply redirection policy to Windows 2000, Windows 2000 Server,
Windows XP, and Windows Server 2003 operating systems.
o Specify Policy Removal settings (Leave the folder in the new location when
policy is removed is selected by default).

Follow the documents folder

This option is available only for the Music, Pictures, and Videos folders. This selection will
follow any settings you make for the Documents folder, and resolves any issues related to
naming and folder structure differences between Windows Vista and earlier Windows
operating systems. If you choose this option, you will not be able to configure any additional
redirection options or policy removal options for these folders and settings will be inherited
from the Documents folder.
Not configured
This is the default setting. No changes will be made to the current location of this folder.
Additional considerations
• To complete this procedure, you must be logged on as a member of the Domain
Administrators security group, the Enterprise Administrators security group, or the
Group Policy Creator Owners security group.
• You can also use the Group Policy Management Console to configure the following
Folder Redirection policy settings:
o Use localized subfolder names when redirecting Start and My
Documents—This policy is located in the following paths: Computer
Configuration\Policies\Administrative Templates\System\Folder
Redirection, or User Configuration\Policies\Administrative
Templates\System\Folder Redirection.
o Do not automatically make redirected folders available offline—This policy
is located in the following path: User Configuration\Policies\Administrative
Templates\System\Folder Redirection.

OPERATION SHEET 4.1


Deploy Folder Redirection

Prerequisites
Hardware requirements
Folder Redirection requires an x64-based or x86-based computer; it is not supported by
Windows® RT.
Software requirements
Folder Redirection has the following software requirements:
• To administer Folder Redirection, you must be signed in as a member of the Domain
Administrators security group, the Enterprise Administrators security group, or the
Group Policy Creator Owners security group.
• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7,
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or
Windows Server 2008.
• Client computers must be joined to the Active Directory Domain Services (AD DS) that
you are managing.
• A computer must be available with Group Policy Management and Active Directory
Administration Center installed.
• A file server must be available to host redirected folders.
o If the file share uses DFS Namespaces, the DFS folders (links) must have a
single target to prevent users from making conflicting edits on different servers.
o If the file share uses DFS Replication to replicate the contents with another
server, users must be able to access only the source server to prevent users
from making conflicting edits on different servers.
o When using a clustered file share, disable continuous availability on the file
share to avoid performance issues with Folder Redirection and Offline Files.
Additionally, Offline Files might not transition to offline mode for 3-6 minutes
after a user loses access to a continuously available file share, which could
frustrate users who aren’t yet using the Always Offline mode of Offline Files.

Step 1: Create a folder redirection security group

If your environment is not already set up with Folder Redirection, the first step is to create a
security group that contains all users to which you want to apply Folder Redirection policy
settings.

To create a security group for Folder Redirection

1. Open Server Manager on a computer with Active Directory Administration Center
installed.
2. On the Tools menu, click Active Directory Administration Center. Active Directory
Administration Center appears.
3. Right-click the appropriate domain or OU, click New, and then click Group.
4. In the Create Group window, in the Group section, specify the following settings:
o In Group name, type the name of the security group, for example: Folder
Redirection Users.
o In Group scope, click Security, and then click Global.
5. In the Members section, click Add. The Select Users, Contacts, Computers, Service
Accounts or Groups dialog box appears.
6. Type the names of the users or groups to which you want to deploy Folder
Redirection, click OK, and then click OK again.

Step 2: Create a file share for redirected folders

If you do not already have a file share for redirected folders, use the following procedure to
create a file share on a server running Windows Server 2012.

To create a file share on Windows Server 2012

1. In the Server Manager navigation pane, click File and Storage Services, and then
click Shares to display the Shares page.
2. In the Shares tile, click Tasks, and then click New Share. The New Share Wizard
appears.
3. On the Select Profile page, click SMB Share – Quick. If you have File Server
Resource Manager installed and are using folder management properties, instead
click SMB Share - Advanced.
4. On the Share Location page, select the server and volume on which you want to
create the share.
5. On the Share Name page, type a name for the share (for example, Users$) in
the Share name box.
6. On the Other Settings page, clear the Enable continuous availability checkbox, if
present, and optionally select the Enable access-based enumeration and Encrypt
data access checkboxes.
7. On the Permissions page, click Customize permissions…. The Advanced Security
Settings dialog box appears.
8. Click Disable inheritance, and then click Convert inherited permissions into
explicit permission on this object.
9. Set the permissions as described in Table 4.1 and shown in Figure 4.1, removing
permissions for unlisted groups and accounts, and adding special permissions to the
Folder Redirection Users group that you created in Step 1.

Figure 4.1 Setting the permissions for the redirected folders share

10. If you chose the SMB Share - Advanced profile, on the Management
Properties page, select the User Files Folder Usage value.
11. If you chose the SMB Share - Advanced profile, on the Quota page, optionally select
a quota to apply to users of the share.
12. On the Confirmation page, click Create.

Table 4.1 Required permissions for the file share hosting redirected folders

User Account                                     Access                          Applies to
-----------------------------------------------  ------------------------------  ---------------------------------
System                                           Full control                    This folder, subfolders and files
Administrators                                   Full Control                    This folder only
Creator/Owner                                    Full Control                    Subfolders and files only
Security group of users needing to put data on   List folder / read data;        This folder only
share (Folder Redirection Users)                 Create folders / append data;
                                                 Read attributes;
                                                 Read extended attributes;
                                                 Read permissions
Other groups and accounts                        None (remove)
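The share and the permissions in Table 4.1 can also be created without the New Share Wizard. This is an added example (not part of the learning material); it assumes it runs on the file server as an administrator, that D:\Users is the folder to share, and that CONTOSO is a placeholder for the domain of the Folder Redirection Users group from Step 1. The share permissions are an assumption; the NTFS ACL is what restricts each user's reach.

```powershell
# Added example: create the redirected-folders share from Step 2 and apply the NTFS
# permissions of Table 4.1 with PowerShell. Placeholders: D:\Users, Users$, CONTOSO.
#Requires -RunAsAdministrator
param(
    [string]$Path      = 'D:\Users',                            # assumed local folder
    [string]$ShareName = 'Users$',                              # hidden share, as in the text
    [string]$GroupName = 'CONTOSO\Folder Redirection Users'     # group created in Step 1
)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Build one ACE; Inherit/Propagate express the "Applies to" column of Table 4.1:
#   This folder, subfolders and files -> ContainerInherit,ObjectInherit / None
#   This folder only                  -> None / None
#   Subfolders and files only         -> ContainerInherit,ObjectInherit / InheritOnly
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Path

# Equivalent of "Disable inheritance" in the wizard: protect the DACL, drop inherited
# ACEs, then remove any explicit ACEs so only the table's entries remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}

# Table 4.1. Administrators get Full Control on the root only, so administrators do
# not inherit access into users' folders; CREATOR OWNER gives each user full control
# of the folder the client creates (the "Grant the user exclusive rights" behaviour).
$rules = @(
    New-Ace 'NT AUTHORITY\SYSTEM'    FullControl 'ContainerInherit,ObjectInherit' None
    New-Ace 'BUILTIN\Administrators' FullControl None None
    New-Ace 'CREATOR OWNER'          FullControl 'ContainerInherit,ObjectInherit' InheritOnly
    # List folder / read data, Create folders / append data, Read attributes,
    # Read extended attributes, Read permissions: just enough to create one's own folder.
    New-Ace $GroupName 'ListDirectory,CreateDirectories,ReadAttributes,ReadExtendedAttributes,ReadPermissions' None None
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Share settings from step 6 of the procedure: continuous availability off,
# access-based enumeration on (users see only folders they can open), SMB encryption on.
# Share permissions (assumed): Change for the group, Full for administrators.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess $GroupName -FullAccess 'BUILTIN\Administrators' `
        -FolderEnumerationMode AccessBased -EncryptData $true -ContinuouslyAvailable $false |
        Out-Null
}

# Print the resulting ACL so it can be compared entry by entry with Table 4.1.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```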

Step 3: Create a GPO for Folder Redirection


If you do not already have a GPO created for Folder Redirection settings, use the following
procedure to create one.
To create a GPO for Folder Redirection
1. Open Server Manager on a computer with Group Policy Management installed.
2. From the Tools menu click Group Policy Management. Group Policy Management
appears.
3. Right-click the domain or OU in which you want to set up Folder Redirection and then
click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type a name for the GPO (for example, Folder
Redirection Settings), and then click OK.
5. Right-click the newly created GPO and then clear the Link Enabled checkbox. This
prevents the GPO from being applied until you finish configuring it.
6. Select the GPO. In the Security Filtering section of the Scope tab,
select Authenticated Users, and then click Remove to prevent the GPO from being
applied to everyone.
7. In the Security Filtering section, click Add.
8. In the Select User, Computer, or Group dialog box, type the name of the security
group you created in Step 1 (for example, Folder Redirection Users), and then
click OK.
9. Click the Delegation tab, click Add, type Authenticated Users, click OK, and then
click OK again to accept the default Read permissions.
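Steps 3 and 5 of this procedure as an added PowerShell example (not code from the learning material or from Microsoft's documentation). It assumes the GroupPolicy module from Remote Server Administration Tools (Windows Server 2012 or later) and that the target OU and the Step 1 security group exist; the OU and names are placeholders.

```powershell
# Added example: create, scope and later enable the Folder Redirection GPO from
# PowerShell. OU, GPO name and group name are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Folder Redirection Settings'
$TargetOu   = 'OU=Workstations,DC=corp,DC=contoso,DC=com'   # placeholder OU
$ScopeGroup = 'Folder Redirection Users'                     # group created in Step 1

# Step 3 (items 3 to 5): create the GPO and link it with the link disabled, so nothing
# is applied before the settings have been configured and reviewed.
New-GPO -Name $GpoName -Comment 'Redirects user folders to the users$ share' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null

# Step 3 (items 6 to 9): a new GPO applies to Authenticated Users by default. Replace
# that with Read only (computers still need Read to process the GPO) and grant Apply
# to the scoped group alone, so only its members get their folders redirected.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ScopeGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Check: only the scoped group should hold the Apply permission.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Step 5: run this only after the Folder Redirection settings have been configured
# in the Group Policy Management Editor (Step 4).
Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
```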

Step 4: Configure folder redirection with Offline Files
After creating a GPO for Folder Redirection settings, edit the Group Policy settings to enable
and configure Folder Redirection, as discussed in the following procedure.
To configure Folder Redirection in Group Policy
1. In Group Policy Management, right-click the GPO you created (for example, Folder
Redirection Settings), and then click Edit.
2. In the Group Policy Management Editor window, navigate to User Configuration,
then Policies, then Windows Settings, and then Folder Redirection.
3. Right-click a folder that you want to redirect (for example, Documents), and then
click Properties.
4. In the Properties dialog box, from the Setting box click Basic - Redirect everyone’s
folder to the same location.
5. In the Target folder location section, click Create a folder for each user under the
root path and then in the Root Path box, type the path to the file share storing
redirected folders, for example: \\fs1.corp.contoso.com\users$
6. Click the Settings tab, and in the Policy Removal section, optionally click Redirect
the folder back to the local userprofile location when the policy is removed (this
setting can help make Folder Redirection behave more predictably for administrators
and users).
7. Click OK, and then click Yes in the Warning dialog box.

Step 5: Enable the Folder Redirection GPO


Once you have completed configuring the Folder Redirection Group Policy settings, the next
step is to enable the GPO, permitting it to be applied to affected users.
To enable the Folder Redirection GPO
1. Open Group Policy Management.
2. Right-click the GPO that you created, and then click Link Enabled. A checkbox
appears next to the menu item.
Step 6: Test Folder Redirection

To test Folder Redirection, sign in to a computer with a user account configured for Folder
Redirection. Then confirm that the folders and profiles are redirected.

To test Folder Redirection

1. Sign in to a primary computer (if you enabled primary computer support) with a user
account for which you have enabled Folder Redirection.
2. If the user has previously signed in to the computer, open an elevated command
prompt, and then type the following command to ensure that the latest Group Policy
settings are applied to the client computer:

gpupdate /force

3. Open File Explorer.


4. Right-click a redirected folder (for example, the My Documents folder in the
Documents library), and then click Properties.
5. Click the Location tab, and confirm that the path displays the file share you specified
instead of a local path.
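A scripted version of the check in Step 6, as an added PowerShell example (not code from the learning material or from Microsoft's documentation), run on the client as the signed-in user. The expected share path is the one from Step 4 and is a placeholder.

```powershell
# Added example: confirm a redirected folder points at the file share (Step 6 of the
# guide) by reading the same registry value the Location tab displays.
function Test-FolderRedirection {
    param(
        # Root path typed in Step 4; placeholder
        [string]$ExpectedRoot = '\\fs1.corp.contoso.com\users$',
        # Registry value name of the folder to check ('Personal' is Documents)
        [string]$Folder = 'Personal'
    )
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw  = (Get-ItemProperty -Path $key -Name $Folder).$Folder
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    # With "Create a folder for each user under the root path" the location is
    # <root>\<username>\<folder>, so the per-user prefix is what we expect to see.
    $expected = Join-Path -Path $ExpectedRoot -ChildPath $env:USERNAME
    [pscustomobject]@{
        Folder     = $Folder
        Location   = $path
        Redirected = $path.StartsWith($expected, [StringComparison]::OrdinalIgnoreCase)
        Reachable  = Test-Path -Path $path
    }
}

# Step 6, item 2: make sure the latest Group Policy settings have been applied first.
gpupdate /force | Out-Null
Test-FolderRedirection
Test-FolderRedirection -Folder 'Desktop'
```

A result with Redirected = True but Reachable = False usually means the user could not create their folder on the share, which points back at the Table 4.1 permissions.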

Appendix A: Checklist for deploying Folder Redirection

1. Prepare domain

- Join computers to domain

- Create user accounts

2. Create security group for Folder Redirection

- Group name:

- Members:

3. Create a file share for redirected folders

- File share name:

4. Create a GPO for Folder Redirection

- GPO name:

5. Configure Folder Redirection and Offline Files policy settings

- Redirected folders:

- Windows 2000, Windows XP, and Windows Server 2003 support enabled?

- Offline Files enabled? (enabled by default on Windows client computers)

- Always Offline Mode enabled?

- Background file synchronization enabled?

- Optimized Move of redirected folders enabled?

6. (Optional) Enable primary computer support

- Computer-based or User-based?

- Designate primary computers for users

- Location of user and primary computer mappings:

- (Optional) Enable primary computer support for Folder Redirection

- (Optional) Enable primary computer support for Roaming User Profiles

7. Enable the Folder Redirection GPO

8. Test Folder Redirection

SELF CHECK 4.1

Direction: Choose the correct answer from the given choices. Write your answers on a
separate sheet of paper.

A. Advanced—Specify locations for various user groups
B. Basic—Redirect everyone's folder to the same location
C. File and Storage Services
D. Folder Redirection
E. Group Policy Management Console
F. Not configured
G. Redirect to the following location
H. Redirect to the local user profile location
I. Target tab
J. x64-based or x86-based computer

11. Includes technologies that help you set up and manage one or more file servers, which
are servers that provide central locations on your network where you can store files
and share them with users.
12. Enables you to redirect the location of specific folders within user profiles to a new
location, such as a shared network location.

13. Where you can configure Folder Redirection to redirect specific user profile folders, as
well as edit Folder Redirection policy settings.
14. Hardware requirements for folder redirection.
15. Enables you to select the location of the redirected folder on a network or in the local
user profile.
16. This setting enables you to redirect everyone's folder to the same location and will be
applied to all users included in the Group Policy object
17. This option will use an explicit path to the redirection location.
18. This option will move the location of the folder to the local user profile under
the Users folder.
19. This setting enables you to specify redirection behavior for the folder based on the
security group memberships for the GPO.
20. No changes are being made to the current location of this folder.

LESSON 5 Print and Document Services Deployment

Learning Objectives
At the end of the lesson, the learner should be able to:

a. Describe Print and Document Services


b. Describe how to install and configure Print Server
c. Manage printers and printer server in a network

ACTIVITY SHEET 5.1
Technical Terms

Direction: Try to identify the words related to our lesson.

Pre-Test 5.1

Direction: Choose carefully from the given options. Write the correct letter of your answer on
a separate sheet of paper.

A. Server Manager
B. Scan Management
C. Printer driver
D. Printer
E. Print Services role
F. Print Services Tools
G. Print queue
H. Print Management
I. Fax Service Manager
J. Deploy with Group Policy

1. This snap-in enables you to manage printers, print queues, printer drivers, and printer
connections.

2. This snap-in enables you to manage scanners and scan processes. Scan processes
allow you to define how to process scanned documents, and then route them to
network folders, SharePoint sites, and to e-mail recipients.
3. This snap-in enables you to configure fax devices for incoming and outgoing fax traffic,
specify who can use a fax device, set routing rules for incoming and outgoing faxes,
and configure a fax archiving policy.
4. Server Manager to install the Print Services server role, optional role services, and
features
5. This installs the Print Management snap-in and configures the server to be a print
server.
6. Installs the Print Management snap-in, but it does not configure the server to be a print
server.
7. To deploy printer connections to users or computers by using Group Policy in Print
Management.
8. Software on a computer that converts the data to be printed to a format that
a printer can understand.
9. List of printer output jobs held in a reserved memory area. It maintains the most current
status of all active and pending print jobs.
10. Device that accepts text and graphic output from a computer and transfers the
information to paper, usually to standard size sheets of paper.

INFORMATION SHEET 5.1


Print, Scan, Fax Server Installation Guide

This guide describes how to install and configure Print Server, Distributed Scan
Server, and Fax Server on a single computer running Windows Server 2008 R2. Print Server
and Distributed Scan Server are role services included in the Print and Document Services
server role, and Fax Server is a role. You can use Print Server, Distributed Scan Server, and
Fax Server to help you automate document processes in your organization and provide a
central administration point for sharing and managing network printers, scanners, and fax
devices.
You can install these features using the Add Roles Wizard. However, after you
complete the wizard, you must add, share, and configure network printers, scanners, and fax
devices separately. As part of installation, associated Microsoft Management Console (MMC)
snap-ins, services, and other tools are installed. You can use these tools to perform the
additional sharing and configuration tasks.

To perform all tasks described in this topic, you must be a member of the
Administrators group, or you must have been delegated the appropriate permissions.

This guide contains the following sections:
• Step 1: Installing software components
• Step 2: Configuring the server
• Step 3: Adding and sharing print, scan, and fax devices
Step 1: Installing software components

You can use the Add Roles Wizard in Server Manager to install the Print and Document
Services role (needed for the Print Server and Distributed Scan Server role services), the
Fax Server role, associated role services, MMC snap-ins, and tools.

The following MMC snap-ins are installed:

• Print Management. This snap-in enables you to manage printers, print queues, printer
drivers, and printer connections.

• Scan Management. This snap-in enables you to manage scanners and scan
processes. Scan processes allow you to define how to process scanned documents,
and then route them to network folders, SharePoint sites, and to e-mail recipients.
• Fax Service Manager. This snap-in enables you to configure fax devices for incoming
and outgoing fax traffic, specify who can use a fax device, set routing rules for
incoming and outgoing faxes, and configure a fax archiving policy.

You can also use these snap-ins to define user and group security permissions for
accessing and using network printers, scan processes, and fax devices.

Important

You must install Print Server first before you can install Fax Server.

This section contains the following instructions:

• To install the Print and Document Services role
• To install the Fax Server role

To install the Print and Document Services role

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane of Server Manager, right-click Roles, and then click Add Roles.
3. In the Add Roles Wizard, on the Select Server Roles page, select the check box
for Print and Document Services.
4. On the Add Role Services page, select the Distributed Scan Server check box.
Follow the instructions in the wizard to configure the scan server service account,
e-mail server information, temporary scan folder and size, and server authentication
certificate. This installs the Distributed Scan Server role service and Scan
Management snap-in, and configures the server to be a scan server.
5. On the same page, select the Print Server check box. This installs the Print Server
role service and Print Management snap-in, and configures the server to be a print
server.
6. If you want to allow users to manage print jobs on this server, also check the Internet
Printing check box. This creates a Web site hosted by Internet Information Services
(IIS) that users can access with a Web browser.
7. If you want to allow non-Windows-based users to print to shared printers on this
server, also check the LPD Service check box.
8. Follow the detailed instructions in the Add Roles Wizard to configure the print server
and scan server service accounts, storage folders, certificates, and user security
permissions.

You will now need to run the Add Roles Wizard again to install the Fax Server role. (If you
have not installed the Print and Document Services role yet, you must follow the prior
procedure before you install the Fax Server role.)

Before you begin installing the Fax Server role, make sure that any modem devices have
been installed on the server. If you plan to install a new modem device, you can save time
by installing it before you set up the Fax Server role. We recommend that you install the Fax
Server role locally—not by using a Remote Desktop connection. (You can install the Fax
Server role remotely, but you need to make sure that local resource sharing is turned off.)

To install the Fax Server role

1. In the left pane of Server Manager, right-click Roles, and then click Add Roles.
2. In the Add Roles Wizard, on the Select Server Roles page, select the Fax
Server check box. This installs the Fax Server role page, Fax Service Manager, the
Fax service, and the Fax printer.
3. Follow the instructions in the wizard to set up the Fax Server service account and fax
users.
4. Continue through the wizard until you reach the Confirm Installation
Selections page and review the choices that you made. Click Install.
5. After the wizard closes, to confirm the installation of the Fax printer, click Start,
click Run, and then type: control printers.
6. Confirm that a printer named Fax exists. If it does not, then restart the computer. (Or,
if you cannot restart the computer, stop and restart the Print Spooler service instead.
To do this, in Services, in the right pane, right-click Print Spooler, and click Stop.
Then right-click Print Spooler again, and click Start.)

Step 2: Configuring the server

Part of the configuration of the server takes place during installation. However, there are a
few issues that might apply to your environment that involve post-configuration, including
the following:

• In order to support client computers that use different processor architectures than
Print Server, you must install additional printer drivers. For example, if your server is
running a 64-bit version of Windows and you want to support client computers
running 32-bit versions of Windows, you must install x86-based drivers for each
printer.
• To detect Web Services on Devices (WSD) printers and scanners to view and
monitor them on your network, network discovery must be enabled. To detect WSD
printers, the PnP-X IP Bus Enumerator service must also be running.
• Write and List permissions are needed to run scan processes. The Read permission
is needed to read scan processes stored in Active Directory Domain Services (AD
DS). You should consider removing any unneeded permissions from the Distributed
Scan Server service account.
• For the fax server, you may need to configure phone and modem settings.

This section contains the following instructions:

• To add client printer drivers to the print server
• To detect WSD printers and scanners on the network
• To configure settings for the scan server
• To configure phone and modem settings for the fax server

To add client printer drivers to the print server

1. Click Start, point to Administrative Tools, and then click Print Management.
2. In the left pane, click Print Servers, click the print server object, and then
click Printers.
3. In the center pane, right-click the printer you want to add additional printer drivers to,
and then click Manage Sharing.
4. Click Additional Drivers. The Additional Drivers dialog box appears.
5. Select the check box of the processor architecture for the drivers that you want to
add.
6. If the print server does not already have the appropriate printer drivers in its driver
store, Windows prompts you for the location of the driver files. Download and extract
the appropriate driver files, and then in the dialog box that appears, specify the path
to the .inf file of the driver.

To detect WSD printers and scanners on the network

1. To enable network discovery of printers and scanners, click Start, click Control
Panel, and then click Network and Internet.
2. On the Network and Internet page, click Network and Sharing Center.
3. On the Network and Sharing Center page, click Change advanced sharing
settings.
4. On the Advanced sharing settings page, click the Domain drop-down arrow,
click Turn on network discovery, and then click Save changes.
5. Then, to start the PnP-X IP Bus Enumerator service, click Start, click Administrative
Tools and then click Services.
6. In the center pane, right-click PnP-X IP Bus Enumerator, and then click Start.

To configure settings for the scan server

1. To open Server Manager, click Start, point to Administrative Tools, and then
click Server Manager.
2. In the left pane, click Roles and then click Print and Document Services.
3. In the right pane, click Scan Server Configuration Wizard.
4. Follow the instructions in the Scan Server Configuration Wizard to change the scan
server service account, e-mail server information, temporary scan folder and size,
server authentication certificate, and the scan server security option.
5. After the scan server is configured, download the Active Directory Schema Extensions
LDF file to your domain controller if you have a Windows Server 2003 or Windows
Server 2008 domain environment. This LDF file extends the AD DS schema to include
scan process container objects. Scan process information is stored in AD DS. After
you apply this schema, the scan servers you set up in the domain will work with the
new schema.

To configure phone and modem settings for the fax server

1. To open Phone and Modem Options, click Start, click Run, and then type: control
telephony.
2. In the Location Information dialog box, enter information for your country/region,
area/city code, carrier code, dialing an outside line, and whether you use tone or
pulse dialing.

Step 3: Adding and sharing print, scan, and fax devices

Now you are ready to add and share devices.

You can use the MMC snap-ins to manage printers, scanners, and fax devices that are
located on the same subnet as your server.

This section contains the following instructions:

• To add a network printer to the print server
• To add a network scanner to the scan server
• To add and share a fax printer for network users

To add a printer by IP address or host name, you must be a member of the local
Administrators group or must be granted the Manage Server and View Server permissions.

To add a network printer to the print server

1. Click Start, point to Administrative Tools, and then click Print Management.
2. In left pane, click Print Servers, click the print server object, right-click Printers, and
then click Add Printer.
3. On the Printer Installation page of the Network Printer Installation Wizard,
click Search the network for printers, and then click Next. If prompted, specify
which driver to install for the printer.
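The print-server parts of Steps 1 to 3 (install the role service, add a network printer, share it, and add the driver for the other client architecture) as an added PowerShell example, not code from the learning material or from Microsoft's documentation. It assumes Windows Server 2012 or later, where the PrintManagement cmdlets exist (the guide's Windows Server 2008 R2 offers only the graphical tools), and that the vendor's driver package has already been staged; printer name, address and driver name are placeholders.

```powershell
# Added example: Print Server role service, a shared network printer queue, and the
# x86 driver for 32-bit clients. All names and the address below are placeholders.
Import-Module PrintManagement

# Step 1: the Print Server role service (part of the Print and Document Services role).
Install-WindowsFeature -Name Print-Server -IncludeManagementTools | Out-Null

$PrinterName = 'HR-Printer-01'          # placeholder queue name
$PrinterIp   = '192.0.2.25'             # placeholder address (documentation range)
$DriverName  = 'Vendor Model PCL6'      # placeholder; must match the name in the .inf
$PortName    = "IP_$PrinterIp"

# Drivers must be in the driver store before Add-PrinterDriver can use them. Stage the
# extracted x64 and x86 packages once, e.g.: pnputil -a <path to driver .inf>

# Step 3: a Standard TCP/IP port, the x64 driver, then the queue bound to that port,
# shared (and published in AD DS) so users can find and connect to it.
Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIp
Add-PrinterDriver -Name $DriverName -PrinterEnvironment 'Windows x64'
Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName `
            -Shared -ShareName $PrinterName -Published

# Step 2: "Additional Drivers" for the other architecture, so 32-bit clients can
# download a driver from the server instead of prompting the user for one.
Add-PrinterDriver -Name $DriverName -PrinterEnvironment 'Windows NT x86'

# Checks: the queue is shared on the expected port, and both driver environments exist.
Get-Printer -Name $PrinterName |
    Select-Object Name, Shared, ShareName, Published, PortName, DriverName
Get-PrinterDriver -Name $DriverName |
    Select-Object Name, PrinterEnvironment, MajorVersion
```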

You can use the Scan Management snap-in to add scanners that you want to manage on
your network.

To add a network scanner to the scan server

1. Click Start, point to Administrative Tools, and then click Scan Management.
2. In the left pane, click Scan Management, right-click Managed Scanners, and then
click Manage.
3. To add a scanner, in the Add or Remove Scanners dialog box, type the host name,
IP address, or URI of the scanner, and then click Add.

When you install the Fax Server role, a local fax printer connection, Fax, is automatically
created in the Printers folder in Control Panel. If you have installed the Fax Server role and
already have a fax printer installed, you should follow the steps in the following procedure to
share the printer so that users can connect to it.

After you install the Fax Server role, you can access the Windows Fax and Scan feature by
clicking Start, and then clicking All Programs. On a fax server, you can use Windows Fax
and Scan to send faxes, add accounts, and to monitor the incoming fax queue, the inbox, and
the outbox. Users who are using computers running Windows Vista Business, Windows Vista

Enterprise, Windows Vista Ultimate, and certain versions of Windows 7 can use this feature
to send faxes and configure fax receipts.

To add and share a fax printer for network users

1. Click Start, click All Programs, and then click Windows Fax and Scan.
2. Click Tools, and then click Fax Accounts.
3. In Fax Accounts, click Add to open Fax Setup.
4. On the Choose a fax modem or server page, click Connect to a fax modem.
5. You may be asked to install a modem. To do this, follow the instructions in the Add
Hardware Wizard.
6. On the Choose a modem name page, type a name for the fax modem, and then
click Next. The default name is Fax Modem.
7. On the Choose how to receive faxes page, click the option that you prefer.
8. The new fax modem should appear in Fax Accounts, under Account Name.
9. Then, to share the printer that has been created, click Start, and then click Control
Panel.
10. Under Hardware, click View devices and printers.
11. In the list of printers, right-click Fax, click Printer properties, click the Sharing tab,
select Share this printer, and then type a name for the printer that you want your
network users to see.
12. If you want to enable users with computers running different versions of Windows to use
this printer, click Additional Drivers to install the needed drivers.
13. In Additional Drivers, select the check box for the architecture that you want to support.
You are prompted to provide a path to the driver. Provide the path to
the %Systemdrive%\Windows\System32\DriverStore\FileRepository\prnms002.inf*
file on a computer for the architecture that you want to support.
14. To confirm that the files were copied properly, in Windows Explorer, navigate
to %Systemdrive%\Windows\System32\spool\drivers\ and look for the folder that
contains the files for the selected architectures.

INFORMATION SHEET 5.2
Print Management Step-by-Step Guide

There are two primary tools that you can use to administer a Windows print
server in Windows Server® 2008: Server Manager and Print Management. You can use
Server Manager to install the Print Services server role, optional role services, and features.
Server Manager also displays print-related events from Event Viewer and includes an
instance of the Print Management snap-in, which can administer the local server only.
Print Management provides a single interface that administrators can use to
efficiently administer multiple printers and print servers and is the primary focus of this
document. You can use Print Management to manage printers on computers that are running
Microsoft® Windows® 2000, Windows XP, Windows Server® 2003, Windows Vista®, or
Windows Server 2008.

What Is Print Management?


The Print Management snap-in is available in the Administrative Tools folder on
computers running Windows Vista Business, Windows Vista Enterprise, Windows Vista
Ultimate and Windows Server 2008. You can use it to install, view, and manage all of the
printers and Windows print servers in your organization.
Print Management provides current details about the status of printers and print
servers on the network. You can use Print Management to install printer connections to a
group of client computers simultaneously and to monitor print queues remotely. Print
Management can help you find printers that have an error condition by using filters. It can also
send e-mail notifications or run scripts when a printer or print server needs attention. On
printers that provide a Web-based management interface, Print Management can display
more data, such as toner and paper levels.
Note
To manage a remote print server, you must be a member of the Print Operators or Server
Operators groups, or the local Administrators group on the remote print server. You do not
need these credentials to monitor remote print servers, though some functionality will be
disabled.
Who Should Use Print Management?
This guide is targeted at the following audiences:
• Print Administrators and Help Desk professionals.
• Information Technology (IT) planners and analysts who are evaluating the product.
• Enterprise IT planners and designers.

Benefits of Print Management
Print Management saves the print administrator a significant amount of time installing printers
on client computers and managing and monitoring printers. Tasks that can require up to 10
steps on individual computers now can be accomplished in 2 or 3 steps on multiple computers
simultaneously and remotely.
By using Print Management with Group Policy, you can automatically make printer
connections available to users and computers in your organization. In addition, Print
Management can automatically search for and install network printers on the local subnet of
your local print servers.
In This Guide
• Requirements for Print Management
• Security Requirements
• Deploying Printers and Print Servers
• Managing Printers and Print Servers
• Additional Resources
Requirements for Print Management
To use Print Management on Windows Server 2008, you must install the print server role on
the computer where you want to use Print Management. On computers running
Windows Vista, the Print Management snap-in is automatically installed and available through
Microsoft Management Console (MMC).
To deploy printer connections by using Group Policy, your environment must meet the
following requirement:
• The Active Directory Domain Services (AD DS) schema must use a Windows
Server 2003 R2 or Windows Server 2008 schema version.
We recommend that you first use the steps provided in this guide in a test lab environment.
Use this step-by-step guide along with accompanying documentation to implement Windows
server features. For more information, see Additional Resources later in this guide.

Security Requirements
To manage a remote print server, you must be a member of the Print Operators or Server
Operators groups, or the local Administrators group on the remote print server. You do not
need these credentials to monitor remote print servers, though some functionality will be
disabled.
To use Print Management (Printmanagement.msc) with Group Policy, you must be a member
of the local Administrators group and have write access to Group Policy objects (GPOs) in
the AD DS domain or the organizational unit (OU) to which you want to deploy printer
connections.
It is good practice for administrators to use an account with restrictive permissions to perform
routine, non-administrative tasks and to use an account with broader permissions only when
performing specific administrative tasks.

Deploying Printers and Print Servers
The following sections provide information about how to deploy printers and print servers:
1. Step 1: Install and Open Print Management
2. Step 2: Add and Remove Print Servers
3. Step 3: Migrate Print Servers
4. Step 4: Add Network Printers Automatically
5. Step 5: Deploy Printers by Using Group Policy
6. Step 6: List and Remove Printers from Active Directory Domain Services
Step 1: Install and Open Print Management

Print Management is installed by default on computers running Windows Vista Business,


Windows Vista Enterprise, and Windows Vista Ultimate, but it is not installed on computers
running Windows Server 2008. Use one of the following methods to install the Print
Management snap-in on a computer running Windows Server 2008:

• From Server Manager, use the Add Roles Wizard to install the Print Services role.
This installs the Print Management snap-in and configures the server to be a print
server.
• From Server Manager, use the Add Features Wizard to install the Print Services
Tools option of the Remote Server Administration Tools feature. The Print
Services Tools option installs the Print Management snap-in, but it does not configure
the server to be a print server.

To open Print Management on a computer running Windows Vista or Windows Server 2008,
in the Administrative Tools folder, double-click Print Management.

Step 2: Add and Remove Print Servers


Print Management (Printmanagement.msc) allows you to manage printers that are running
on print servers running Windows 2000 or later.
Note
The print server role must be installed and you must be a member of the Administrators group
to perform these procedures.
To add print servers to Print Management
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click Print Management, and then
click Add/Remove Servers.
3. In the Add/Remove Servers dialog box, under Specify print server, in Add server,
do one of the following:
o Type the name.
o Click Browse to locate and select the print server.

4. Click Add to List.
5. Add as many print servers as you want, and then click OK.

To remove print servers from Print Management


1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click Print Management, and then
click Add/Remove Servers.
3. In the Add/Remove Servers dialog box, under Print servers, select one or more
servers, and click Remove.
Step 3: Migrate Print Servers
You can use the Printer Migration Wizard or the Printbrm.exe command-line tool to export
print queues, printer settings, printer ports, and language monitors, and then import them on
another print server running a Windows operating system. This is an efficient way to
consolidate multiple print servers or replace an older print server.
Note
The Printer Migration Wizard and the Printbrm.exe command-line tool were introduced in
Windows Vista. They replace Print Migrator 3.1.

Migrating print servers

• Migrate print servers using Print Management
• Migrate print servers using a command prompt
To migrate print servers by using Print Management
1. Open the Administrative Tools folder, and then click Print Management.
2. In the Print Management tree, right-click the name of the computer that contains the
printer queues that you want to export, and then click Export printers to a file. This
launches the Printer Migration Wizard.
3. On the Select the file location page, specify the location to save the printer settings,
and then click Next to save the printers.
4. Right-click the destination computer on which you want to import the printers, and then
click Import printers from a file. This launches the Printer Migration Wizard.
5. On the Select the file location page, specify the location of the printer settings file,
and then click Next.
6. On the Select import options page, specify the following import options:
o Import mode. Specifies what to do if a specific print queue already exists on the
destination computer.
o List in the directory. Specifies whether to publish the imported print queues in
the Active Directory Domain Services.
o Convert LPR Ports to Standard Port Monitors. Specifies whether to convert
Line Printer Remote (LPR) printer ports in the printer settings file to the faster
Standard Port Monitor when importing printers.

7. Click Next to import the printers.
To migrate print servers by using a command prompt
1. To open a Command Prompt window, click Start, click All Programs,
click Accessories, right-click Command Prompt, and then click Run as
administrator.
2. Type:
   CD %WINDIR%\System32\Spool\Tools
   Printbrm -s \\<sourcecomputername> -b -f <filename>.printerExport
3. Type:
   Printbrm -s \\<destinationcomputername> -r -f <filename>.printerExport

Value                       Description
<sourcecomputername>        The Universal Naming Convention (UNC) name of the source or
                            destination computer.
<destinationcomputername>   The Universal Naming Convention (UNC) name of the destination
                            computer.
<filename>                  The file name for the printer settings file. Use the .printerExport
                            or .cab file extension.

Additional considerations
• The Printer Migration Wizard and Printbrm.exe can import custom forms and color
profiles to the local computer only, and they do not support printer settings that are
exported using the Print Migrator tool.
• The Printer Migration Wizard and Printbrm.exe can import and export printers on
computers running Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, or Windows Server 2008. However, some drivers might not import
properly on some operating systems. For example, computers running Windows 2000
do not support x64-based printer drivers.
• You can use the Task Scheduler feature of Windows to schedule the Printbrm.exe tool
to regularly export or import printers. You can use this feature to supplement system
backups.
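The following PowerShell is an added example, not code from this module or from Microsoft's documentation: it wraps the Printbrm.exe backup and restore commands from the procedure above, checks that the export actually produced a file, and registers the backup as a daily Task Scheduler job, the supplement to system backups that the last bullet describes. It is meant to run on the print server itself; the backup folder, task name and script path are placeholders.

```powershell
# Added example (not from the module or Microsoft's docs). Assumes it runs on the
# print server, so the "source" server is the local machine and no stored
# credential is needed for the scheduled task. Folder and task names are placeholders.

$Printbrm = Join-Path $env:WINDIR 'System32\Spool\Tools\Printbrm.exe'

function Backup-PrintServer {
    param(
        [string]$ServerUnc = "\\$env:COMPUTERNAME",        # UNC name, as in the procedure
        [Parameter(Mandatory)][string]$Folder               # placeholder, e.g. D:\PrinterBackups
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $file  = Join-Path $Folder ($ServerUnc.TrimStart('\') + "-$stamp.printerExport")

    # -s source server, -b backup, -f target file: the same switches the procedure uses
    & $Printbrm -s $ServerUnc -b -f $file
    if ($LASTEXITCODE -ne 0) { throw "Printbrm backup of $ServerUnc failed (exit code $LASTEXITCODE)" }
    if (-not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "Printbrm reported success but $file is missing or empty"
    }
    # The export contains driver binaries and queue permissions, so the folder
    # should be protected like any other system backup.
    return $file
}

function Restore-PrintServer {
    param(
        [Parameter(Mandatory)][string]$ServerUnc,           # destination server UNC name
        [Parameter(Mandatory)][string]$File                 # a .printerExport produced above
    )
    if (-not (Test-Path $File)) { throw "Export file not found: $File" }
    # -r restores the queues, ports, drivers and forms in the file onto the destination
    & $Printbrm -s $ServerUnc -r -f $File
    if ($LASTEXITCODE -ne 0) { throw "Printbrm restore to $ServerUnc failed (exit code $LASTEXITCODE)" }
}

function Register-PrintServerBackupTask {
    param(
        [string]$TaskName   = 'PrintServerBackup',          # placeholder task name
        [Parameter(Mandatory)][string]$ScriptPath,          # this script, saved to disk
        [string]$StartTime  = '02:00'
    )
    # schtasks.exe exists on every Windows version the module covers; the task runs
    # as SYSTEM, which is enough to read the local spooler configuration.
    $action = "powershell.exe -NoProfile -File `"$ScriptPath`""
    schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST $StartTime /RU SYSTEM /TR $action
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed (exit code $LASTEXITCODE)" }
}

# What the scheduled task executes each night: one dated export of the local server.
Backup-PrintServer -Folder 'D:\PrinterBackups'
# Register once, interactively, after saving this script:
#   Register-PrintServerBackupTask -ScriptPath 'C:\Scripts\Backup-PrintServer.ps1'
```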
Step 4: Add Network Printers Automatically
Print Management (Printmanagement.msc) can automatically detect all the printers that are
located on the same subnet as the computer on which you are running Print Management,
install the appropriate printer drivers, set up the queues, and share the printers.
To automatically add network printers to a print server
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click the appropriate server, and then click Add
Printer.
3. On the Printer Installation page of the Network Printer Installation Wizard,
click Search the network for printers, and then click Next. If prompted, specify which
driver to install for the printer.
Note
To detect network printers on the same subnet as a remote server, use Remote Desktop to
log on to the print server, open Print Management and add the network printer.
Step 5: Deploy Printers by Using Group Policy
You can use Print Management (Printmanagement.msc) with Group Policy to automatically
deploy printer connections to users or computers and install the appropriate printer drivers.
This method of installing a printer is useful in a laboratory, classroom, or branch office setting
where most computers or users need to access the same printers. It is also a useful method
for deploying printer drivers to users who are not members of the local Administrators group
and are running Windows Vista.
To deploy printer connections by using Group Policy, your environment must meet the
following requirement:
• The Active Directory Domain Services (AD DS) schema must use a Windows
Server 2003 R2 or Windows Server 2008 schema version.
To deploy printer connections by using Group Policy, use the following sections:
• Deploy printer connections
• Change driver installation security for printers deployed using Group Policy
Deploy printer connections
To deploy printer connections to users or computers by using Group Policy, use the Deploy
with Group Policy dialog box in Print Management. This adds the printer connections to a
Group Policy object (GPO).
To deploy printers to users or computers by using Group Policy
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, under the appropriate print server, click Printers.
3. In the Results pane, right-click the printer that you want to deploy, and then
click Deploy with Group Policy.
4. In the Deploy with Group Policy dialog box, click Browse, and then choose or create
a new GPO for storing the printer connections.
5. Click OK.
6. Specify whether to deploy the printer connections to users, or to computers:
o To deploy to groups of computers so that all users of the computers can access
the printers, select the The computers that this GPO applies to (per
machine) check box.
o To deploy to groups of users so that the users can access the printers from any
computer they log onto, select the The users that this GPO applies to (per
user) check box.
7. Click Add.
8. Repeat steps 3 through 6 to add the printer connection setting to another GPO, if
necessary.
9. Click OK.
Note
For per-computer connections, Windows adds the printer connections when the user logs on.
For per-user connections, Windows adds the printer connections during background policy
refresh. If you remove the printer connection settings from the GPO, Windows removes the
corresponding printers from the client computer during the next background policy refresh or
user logon.
Change driver installation security settings for printers deployed using Group Policy
The default security settings for Windows Vista and Windows Server 2008 allow a user who
is not a member of the local Administrators group to install only trustworthy printer drivers,
such as those provided with Windows operating systems or in digitally signed printer-driver
packages.
To allow users who are not members of the local Administrators group to install printer
connections that are deployed using Group Policy and include printer drivers that are not
digitally signed, you must configure the Point and Print Restrictions Group Policy settings. If
you do not configure these Group Policy settings, users might need to provide the credentials
of someone who belongs to the local Administrators group.
Note
The following procedure assumes that you are using the version of the Group Policy
Management Console (GPMC) that is included with Windows Server 2008. To install GPMC
on Windows Server 2008, use the Add Features Wizard in Server Manager. If you are using
a different version of GPMC, the steps might vary slightly.
To change driver installation security settings for printers that are deployed by using
Group Policy
1. Open the GPMC.
2. Open the GPO where the printer connections are deployed, and navigate to User
Configuration, Policies, Administrative Templates, Control Panel, and
then Printers.
3. Right-click Point and Print Restrictions, and then click Properties.
4. Click Enabled.
5. Clear the following check boxes:
o Users can only point and print to these servers
o Users can only point and print to machines in their forest
6. In the When installing drivers for a new connection box, select Do not show
warning or elevation prompt.
7. Scroll down, and in the When updating drivers for an existing connection box,
select Show warning only.
8. Click OK.
After configuring these settings, all users receive printer connections and the associated
drivers for their user accounts by using Group Policy, without prompts or warnings. Users
receive a warning before updated drivers from the print server are installed, but they do not
need to belong to the local Administrators group to install the updated drivers.
Step 6: List and Remove Printers from Active Directory Domain Services
Listing printers in Active Directory Domain Services (AD DS) makes it easier for users to
locate and install printers. After you install printers on a printer server, you can use Print
Management to list them in AD DS.
You can list more than one printer simultaneously. You may want to set up a filter to show all
of the printers that you want to list or remove, so that you can easily select all of the printers
at the same time.
To list or remove printers in AD DS
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, under the appropriate print server, click Printers.
3. In the Results pane, right-click the printer that you want to list or remove, and then
click List in Directory or Remove from Directory.
Managing Printers and Print Servers
The following sections provide information about how to manage printers and print servers by
using Print Management:
• Update and Manage Printer Drivers
• Control Printer Driver Installation Security
• Create a New Printer Filter
• View Extended Features for Your Printer
You can perform bulk operations on all the printers on a particular server or all the printers
under a particular filter. You can perform the following actions on multiple printers
simultaneously:
• Pause or resume printing
• Cancel all jobs
• List or remove printers from AD DS
• Delete printers
You can also export a list of drivers, forms, ports, or printers by clicking More Actions in the
Actions pane, and then clicking Export List.
Update and Manage Printer Drivers
The following sections provide information about how to perform a variety of tasks when you
update or manage printer drivers on a print server:
• Add drivers for client computers running 32-bit or 64-bit versions of Windows
• Update or change printer drivers
• Remove drivers
Add drivers for client computers running 32-bit or 64-bit versions of Windows
To support client computers that use different processor architectures than the print server,
you must install additional drivers. For example, if your print server is running a 64-bit version
of Windows and you want to support client computers running 32-bit versions of Windows,
you must add x86-based drivers for each printer.
To add client printer drivers to the print server
1. Right-click the printer to which you want to add additional printer drivers, and then
click Manage Sharing.
2. Click Additional Drivers. The Additional Drivers dialog box appears.
3. Select the check box of the processor architecture for which you want to add drivers.
For example, if the print server is running an x64-based edition of Windows, select
the x86 check box to install 32-bit version printer drivers for client computers running 32-bit
versions of Windows.
4. If the print server does not already have the appropriate printer drivers in its driver
store, Windows prompts you for the location of the driver files. Download and extract
the appropriate driver files, and then in the dialog box that appears, specify the path to
the .inf file of the driver.
Note
You might not be able to extract some printer drivers without installing them. If this is the case,
log on to a client computer that uses the same processor architecture as the printer drivers
that you want to add to the print server, and install those printer drivers. Then use Print
Management from the client computer to connect to the print server, and add the additional
drivers from the Additional Drivers dialog box. Windows automatically uploads the drivers
from the client computer to the print server.
Update or change printer drivers
To update or change the printer drivers for a printer, use the following procedure. Client
computers automatically download and install the updated printer drivers the next time they
attempt to print to the printer.
Note
When installing printer drivers that are provided by the device manufacturer, follow the
instructions provided with the printer driver instead of using this procedure.
To update or change printer drivers for a printer
1. Right-click the printer with the driver that you want to change or update, and then
click Properties.
2. Click the Advanced tab.
3. Select a new driver from the Driver box, or click New Driver to install a new printer
driver.
This option is provided for the following situations:
• To change a driver to a compatible driver designed specifically for the same printer
• To set up a queue prior to hardware arrival
• For troubleshooting purposes
For example, you can sometimes use this option to create additional queues using drivers
that try to detect the device on queue creation if the device isn’t yet available. If you already
have the driver installed on the computer, you can sometimes do this by creating the
additional queue(s) using a very basic placeholder driver such as the ‘generic / text only’
driver, then swap the queue to the new driver.
However, if a non-compatible driver is selected using this method, it is possible that some
printer features may not work correctly until the correct driver is returned.
When you switch the driver for a printer, the system and driver (if it is designed to do so)
attempts to merge the printer preference settings for the old printer driver with the printer
preference settings for the new printer driver. This is to try to preserve the user's printing
preference settings. However, if some settings from the old printer driver are not supported
by the new printer driver, this approach can lead to inconsistencies.
Upgrading a driver on a queue from one version to the next version of the same driver is the
recommended approach, since the newer version of the same driver is expected to be
compatible with its older versions. Changing drivers within a family (for example, Model 1000
pro to Model 1000 pro plus) also should work fine, but it is not guaranteed in every case.
Some settings could be lost, or the default settings could be different on the new queue. If
you need to change the driver completely, either to a different vendor, class of device, or even
from an in-box driver to an IHV-provided driver, the recommended method is to create a new
queue and then delete the old one.
Remove printer drivers
When you install a printer driver on a computer that is running Windows Vista or Windows
Server 2008, Windows first installs the printer driver to the local driver store, and then installs
it from the driver store.
When removing printer drivers, you have the option to delete only the printer driver or remove
the entire printer-driver package. If you delete the printer driver, Windows uninstalls the printer
driver, but leaves the printer-driver package in the driver store to allow you to reinstall the
driver at some point. If you remove the printer-driver package, Windows removes the package
from the driver store, completely removing the printer driver from the computer.

To remove printer drivers from a server, use the following procedure:
To remove printer drivers
1. Delete any printers on the print server that use the driver that you want to delete, or
change the driver that is used by each printer to another driver.
2. In the Print Management tree, click Drivers.
3. Remove only the driver (which leaves the driver .inf file and related files on the server),
or remove the printer-driver package:
o To delete only the installed driver files, right-click the driver and then
click Delete.
o To remove the driver package from the driver store, completely removing the
driver from the computer, right-click the driver and then click Remove driver
package.
Control Printer Driver Installation Security
The default security settings for Windows Vista and Windows Server 2008 allow users who
are not members of the local Administrators group to install only trustworthy printer drivers,
such as those provided with Windows or in digitally signed printer-driver packages. This helps
ensure that users do not install untested or unreliable printer drivers or drivers that have been
modified to contain malicious code (malware). However, it means that sometimes users
cannot install the appropriate driver for a shared printer, even if the driver has been tested
and approved in your environment.
The following sections provide information about how to allow users who are not members of
the local Administrators group to connect to a print server and install printer drivers that are
hosted by the server:
• Installing printer-driver packages on the print server
• Using Group Policy to deploy printer connections to users or computers
• Using Group Policy to modify printer driver security settings
Installing printer-driver packages on the print server
Printer-driver packages are digitally signed printer drivers that install all the components of
the driver to the driver store on client computers (if the server and the client computers are
running Windows Vista or Windows Server 2008). Additionally, using printer-driver packages
on a print server that is running Windows Vista or Windows Server 2008 enables users who
are not members of the local Administrators group to connect to the print server and install
or receive updated printer drivers.
To use printer-driver packages, on a print server that is running Windows Server 2008 or
Windows Vista, download and install the appropriate printer-driver packages from the printer
vendor.
Note
You can also download and install printer-driver packages from a print server to client
computers that are running Windows Server 2003, Windows XP, and Windows 2000.
However, the client computers do not check the driver's digital signature or install all
components of the driver into the driver store because the client operating system does not
support these features.
Using Group Policy to deploy printer connections to users or computers
Print Management can be used with Group Policy to automatically add printer connections to
the Printers folder, without the user requiring local Administrator privileges.
Using Group Policy to modify printer driver security settings
You can use the Point and Print Restrictions Group Policy setting to control how users can
install printer drivers from print servers. You can use this setting to permit users to connect to
only specific print servers that you trust. Because this prevents users from connecting to other
print servers that could potentially host malicious or untested printer drivers, you can disable
printer driver installation warning messages without adversely compromising security.
Carefully evaluate your users' printing needs before limiting which print servers they can
connect to. If users occasionally need to connect to shared printers in a branch office or
another department, make sure to include those printer servers on the list (if you trust the
printer drivers that are installed on the servers).
You can also use the Point and Print Restrictions setting to disable warning prompts entirely,
although this disables the enhanced printer driver installation security of Windows Vista and
Windows Server 2008 for these users.
Note
The following procedure assumes that you are using the version of the Group Policy
Management Console (GPMC) that is included with Windows Server 2008. To install GPMC
on Windows Server 2008, use the Add Features Wizard of Server Manager. If you are using
a different version of GPMC, the steps might vary slightly.

To modify the Point and Print Restrictions setting
1. Open the Group Policy Management Console (GPMC).
2. In the GPMC console tree, navigate to the domain or organizational unit (OU) that
stores the user accounts for which you want to modify printer driver security settings.
3. Right-click the appropriate domain or OU, click Create a GPO in this domain, and
Link it here, type a name for the new GPO, and then click OK.
4. Right-click the GPO that you created and then click Edit.
5. In the Group Policy Management Editor tree, click User Configuration, click Policies,
click Administrative Templates, click Control Panel, and then click Printers.
6. Right-click Point and Print Restrictions, and then click Properties.
To permit users to connect only to specific print servers that you trust:
1. In the Point and Print Restrictions dialog box, click Enabled.
2. Select the Users can only point and print to these servers check box if it is not
already selected.
3. In the text box, type the fully qualified server names to which you want to allow users
to connect. Separate each name with a semicolon.
4. In the When installing drivers for a new connection box, choose Do not show
warning or elevation prompt.
5. In the When updating drivers for an existing connection box, choose Show
warning only.
6. Click OK.
Note
To disable driver installation warning messages and elevation prompts on computers that are
running Windows Vista and Windows Server 2008, in the Point and Print
Restrictions dialog box, click Disabled, and then click OK. This disables the enhanced
printer driver installation security of Windows Vista and Windows Server 2008.
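An added check, written for this module and not taken from it or from Microsoft's documentation: the PowerShell below reads the registry values that the Point and Print Restrictions policy writes and reports which of the postures described above is in effect, flagging the two the text warns about (the policy Disabled, or Enabled with no trusted-server list while new-connection prompts are suppressed). It assumes PowerShell 3.0 or later and uses the documented value names for this policy; the per-user policy from the steps above lands under HKCU and the Computer Configuration equivalent under HKLM.

```powershell
# Added example (not from the module or Microsoft's docs). Value names are the ones the
# Point and Print Restrictions policy writes; the posture labels are this example's own.

function Get-PointAndPrintPosture {
    param(
        # HKCU: User Configuration (the scope used in the steps above); HKLM: Computer Configuration
        [string]$Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{
            Path = $Path; Posture = 'NotConfigured'
            Detail = 'Policy not present; OS defaults apply (non-administrators install only trustworthy drivers).'
        }
    }
    $v = Get-ItemProperty -Path $Path

    # Restricted: 1 = policy Enabled, 0 = policy Disabled (the Note above)
    if ($v.Restricted -eq 0) {
        return [pscustomobject]@{
            Path = $Path; Posture = 'Disabled'
            Detail = 'Warnings and elevation prompts are off for every print server; enhanced driver installation security is disabled.'
        }
    }

    $trusted  = ($v.TrustedServers -eq 1)   # "Users can only point and print to these servers"
    $inForest = ($v.InForest -eq 1)         # "Users can only point and print to machines in their forest"
    $servers  = if ($v.ServerList) { @($v.ServerList -split ';' | Where-Object { $_ }) } else { @() }

    # NoWarningNoElevationOnInstall: 0 = show warning and elevation prompt, 1 = show neither
    $silentInstall = ($v.NoWarningNoElevationOnInstall -eq 1)
    # UpdatePromptSettings: 0 = warning and elevation prompt, 1 = warning only, 2 = neither
    $updatePrompt = switch ($v.UpdatePromptSettings) { 1 { 'WarningOnly' } 2 { 'None' } default { 'WarningAndElevation' } }

    if (-not $trusted -and -not $inForest -and $silentInstall) {
        $posture = 'EnabledUnrestrictedSilent'
        $detail  = 'No server restriction, yet new-connection prompts are suppressed: drivers from any print server install without warning.'
    } elseif ($trusted) {
        $posture = 'EnabledTrustedServers'
        $detail  = if ($servers.Count) { "Connections limited to: $($servers -join ', ')" } else { 'Trusted-server restriction is on but the server list is empty.' }
    } elseif ($inForest) {
        $posture = 'EnabledInForest'
        $detail  = "Connections limited to machines in the user's forest."
    } else {
        $posture = 'EnabledPrompting'
        $detail  = 'No server restriction; users are warned or prompted for elevation when a driver installs.'
    }

    [pscustomobject]@{
        Path = $Path; Posture = $posture; Detail = $detail
        TrustedServers = $servers; SilentNewInstall = $silentInstall; UpdatePrompt = $updatePrompt
    }
}

# Audit both scopes; REVIEW marks the two configurations the text cautions against.
$scopes = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
          'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($scope in $scopes) {
    $r = Get-PointAndPrintPosture -Path $scope
    $flag = if (@('Disabled', 'EnabledUnrestrictedSilent') -contains $r.Posture) { 'REVIEW' } else { 'ok' }
    '[{0}] {1}: {2} ({3})' -f $flag, $r.Path, $r.Posture, $r.Detail
}
```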
Create a New Printer Filter
Filters display only those printers that meet a certain set of criteria. For example, it might be
helpful to filter for printers with certain error conditions or those printers in a group of buildings
regardless of the print server they use. Filters are stored in the Custom Printer Filters folder
in the Print Management tree and are dynamic, so the data is always current.
Four default filters are provided with Print Management (Printmanagement.msc). For each
filter that you create, you have the option to set up an e-mail notification or to run a script
when the conditions of the filter are met. This is useful when you want to be alerted about
printer problems, particularly in an organization with multiple buildings and administrators.
For example, you can set up a filter of all printers managed by a particular print server where
the status does not equal Ready. Then, if a printer changes from the Ready status to any
other status, the administrator could receive a notification e-mail from Print Management.
Note
The print server role must be installed and you must be a member of
the Administrators group to perform these procedures.
To set up and save a filtered view
1. Open the Administrative Tools folder, and then double-click Print Management.
2. In the Print Management tree, right-click the Custom Printer Filters folder, and then
click Add New Printer Filter. This will launch the New Printer Filter Wizard.
3. On the Printer Filter Name and Description wizard page, type a name for the printer
filter. The name will appear in the Custom Printer Filters folder in the Print
Management tree.
4. In Description, type an optional description.
5. To display the number of printers that satisfy the conditions of a filter, select
the Display the total number of printers next to the name of the printer filter check
box.
6. Click Next.
7. On the Define a printer filter wizard page, do the following:
1. In the Field list, click the print queue or printer status characteristic.
2. In the Condition list, click the condition.
3. In the Value box, type a value.
4. Continue adding criteria until your filter is complete, and then click Next.
8. On the Set Notifications (Optional) wizard page, do one or both of the following:
1. To set an e-mail notification, select the Send e-mail notification check box, and
type one or more recipient and sender e-mail addresses. An SMTP server must
be specified to route the message. Use the format account@domain and
semicolons to separate multiple accounts.
2. To set a script to run, select the Run script check box, and then type the path
where the script file is located. To add more arguments, type them in Additional
arguments.
9. Click Finish.

ACTIVITY SHEET 5.3

Direction: Arrange the following steps in their proper order by using letters of the alphabet.
Write your answers on a separate sheet of pad paper.

1. At CLIENT: go to server→ double click printer→ print a document using share printer
2. Check deployment printer
3. Devices and Printers→ Add local printer→ share printer
4. Right click printer→ deploy with group policy→ browse→ locate domain→ browse for
GPO→ deploy with group policy→ check the 2 boxes→ add→ apply→ ok→ ok
5. Server Manager→ Roles→ Print and Document Services→ Custom Filters→ All
printers

SELF CHECK 5.1

Direction: Choose carefully from the given options. Write the correct letter of your answer on
a separate sheet of paper.

A. Deploy with Group Policy     F. Print Services role
B. Fax Service Manager          G. Printer
C. Print Management             H. Printer driver
D. Print queue                  I. Scan Management
E. Print Services Tools         J. Server Manager

1. This snap-in enables you to manage printers, print queues, printer drivers, and printer connections.
2. This snap-in enables you to manage scanners and scan processes. Scan processes allow you to
define how to process scanned documents, and then route them to network folders, SharePoint
sites, and to e-mail recipients.
3. This snap-in enables you to configure fax devices for incoming and outgoing fax traffic, specify
who can use a fax device, set routing rules for incoming and outgoing faxes, and configure a fax
archiving policy.
4. Server Manager to install the Print Services server role, optional role services, and features
5. This installs the Print Management snap-in and configures the server to be a print server.
6. Installs the Print Management snap-in, but it does not configure the server to be a print server.
7. To deploy printer connections to users or computers by using Group Policy in Print Management.
8. Software on a computer that converts the data to be printed to a format that a printer can
understand.
9. List of printer output jobs held in a reserved memory area. It maintains the most current status of
all active and pending print jobs.
10. Device that accepts text and graphic output from a computer and transfers the information to
paper, usually to standard size sheets of paper.

LESSON 6 Configuring and Testing Remote Desktop Sharing

Learning Objectives
At the end of the lesson, the learner should be able to:
a. Recognize Remote Desktop Services
b. Familiarize with Remote Desktop deployment
c. Understand Remote Desktop connection

ACTIVITY SHEET 6.1
Technical Terms

Direction: Try to identify the words related to our lesson.

1. OEMRET 6. HSTO
2. TECNOIONNC 7. OLREORTNCL
3. TSKPEOD 8. NAOCCTU
4. LRWAFIEL 9. NRNTEETI
5. NOESISS 10. OOOLCTPR
Pre-Test 6.1

Direction: Choose carefully from the given options. Write the correct answers on a separate
sheet of paper.

A. Administrative Tools         F. Performance
B. Cost                         G. Remote Desktop Connection
C. Domain Controller            H. Remote Desktop Services
D. Fault Tolerance              I. Security
E. Network and Sharing Center   J. Windows Firewall

1. Provides technologies that enable users to access Windows-based programs that are
installed on a Remote Desktop Session Host (RD Session Host) server, or to access
the full Windows desktop.
2. The initial setup and sustained cost of this scenario.
3. How the scenario supports the resiliency of the infrastructure, which ultimately affects
the availability of the system.
4. How the scenario affects the performance of the infrastructure.
5. Security application created by Microsoft and built into Windows, designed to filter
network data transmissions to and from your Windows system and block harmful
communications and/or the programs that are initiating them.
6. Whether the scenario has a positive or negative impact on overall infrastructure
security.
7. Server that responds to authentication requests and verifies users on computer
networks.
8. Folder in Control Panel that contains tools for system administrators and advanced
users.
9. The control panel from which most of the networking settings and tasks can be
launched in Windows 7, Windows 8.1 and Windows 10.
10. Microsoft technology that allows a local computer to connect to and control a remote
PC over a network or the Internet.
INFORMATION SHEET 6.1
Remote Desktop Services in Windows Server

Remote Desktop Services in Windows Server® 2008 R2 provides technologies that enable
users to access Windows-based programs that are installed on a Remote Desktop Session
Host (RD Session Host) server, or to access the full Windows desktop. With Remote Desktop
Services, users can access an RD Session Host server from within a corporate network or
from the Internet.

Remote Desktop Services: Deployment
Remote Desktop Services in Windows Server 2008 R2, formerly Terminal Services in
Windows Server 2008, lets you efficiently deploy and maintain software in an enterprise
environment. You can easily deploy programs from a central location. Because you install
the programs on the RD Session Host server and not on the client computer, programs are
easier to upgrade and to maintain. Use the following resources to design, deploy, or migrate
Remote Desktop Services.

Remote Desktop Services Design Guide
• Understanding the Remote Desktop Session Host Design Process
• Understanding the RemoteFX Design Process
• Mapping Your Deployment Goals to a Remote Desktop Session Host Design
• Mapping Your Deployment Goals to a RemoteFX Design
• Evaluating RemoteFX Design Examples
Remote Desktop Services Deployment Guide
• Planning to Deploy Remote Desktop Services
• Implementing Your Remote Desktop Services Design Plan
• Checklist: Implementing a Virtual Desktop Infrastructure Design
• Checklist: Implementing a Session-based Design
• Deploying Remote Desktop Session Host
• Deploying a Simple Virtual Desktop Infrastructure
• Configuring Publishing
• Accessing Remote Desktop Services from the Internet
• Deploying Remote Desktop Connection Broker
• Deploying Remote Desktop Licensing
• Deploying Microsoft RemoteFX
Remote Desktop Services Migration Guide
• Remote Desktop Services Migration: Overview
• Remote Desktop Session Host Role Service Migration
• Remote Desktop Virtualization Host Role Service Migration
• Remote Desktop Connection Broker Role Service Migration
• Remote Desktop Web Access Role Service Migration
• Remote Desktop Licensing Role Service Migration
• Remote Desktop Gateway Role Service Migration
Related resources
• Remote Desktop Protocol Performance Improvements in Windows Server 2008 R2
and Windows 7
• Deploying a Virtualized Session-Based Remote Desktop Services Solution
• Remote Desktop Services in Windows Server 2008 R2
Implementing Your Remote Desktop Services Design Plan
Consider the following factors before you implement your design plan:
• Complexity: The complexity of the scenario relative to other scenarios.
• Cost: The initial setup and sustained cost of this scenario.
• Fault tolerance: How the scenario supports the resiliency of the infrastructure, which
ultimately affects the availability of the system.
• Performance: How the scenario affects the performance of the infrastructure.
• Scalability: The impact that the scenario has on the scalability of the infrastructure.
• Security: Whether the scenario has a positive or negative impact on overall
infrastructure security.
How to implement your Remote Desktop Services design by using this guide
The next step in implementing your design is to determine in what order each of the
deployment tasks must be performed. This guide uses checklists to help you walk through
the various server and application deployment tasks that are required to implement your
design plan. Parent and child checklists are used as necessary to represent the order in
which tasks for a specific Remote Desktop Services design must be performed.
Use the following parent checklists in this section of the guide to become familiar with the
deployment tasks for implementing your organization's Remote Desktop Services design:
• Checklist: Implementing a Virtual Desktop Infrastructure Design
• Checklist: Implementing a Session-based Design
To implement Microsoft® RemoteFX™, use the checklists for deploying a Virtual Desktop
Infrastructure (VDI), or Remote Desktop Services with session-based desktops and perform
the tasks for RemoteFX.

OPERATION SHEET 6.1
Installing Remote Desktop Session Host Step-by-Step Guide

This step-by-step guide walks you through the process of setting up a working Remote
Desktop Services infrastructure in a test environment. During this process, you create an
Active Directory® domain, install the Remote Desktop Session Host (RD Session Host) role
service, and configure the Remote Desktop Connection client computer.
After you’ve completed this process, you can use the test lab environment to learn about
Remote Desktop Services technology on Windows Server® 2008 R2 and assess how it might
be deployed in your organization.
This guide includes the following topics:
• Step 1: Setting Up the Infrastructure
• Step 2: Installing and Configuring Remote Desktop Session Host
• Step 3: Verifying Remote Desktop Session Host Functionality
The goal of a Remote Desktop Session Host (RD Session Host) server is to host Windows-
based programs or the full Windows desktop for Remote Desktop Services clients. Users can
connect to an RD Session Host server to run programs, to save files, and to use resources
on that server.
Step 1: Setting Up the Infrastructure
Applies To: Windows 7, Windows Server 2008 R2
To prepare your Remote Desktop Services test environment in the CONTOSO domain, you
must complete the following tasks:
• Install and configure the domain controller (CONTOSO-DC)
• Install and configure the RD Session Host server (RDSH-SRV)
• Install and configure the Remote Desktop Connection client computer (CONTOSO-CLNT)
Use the following table as a reference when setting up the appropriate computer names,
operating systems, and network settings that are required to complete the steps in this guide.
Computer name   Operating system requirement   IP settings                  DNS settings
CONTOSO-DC      Windows Server® 2008 R2        IP address: 10.0.0.1         Configured by DNS server role
                                               Subnet mask: 255.255.255.0
RDSH-SRV        Windows Server 2008 R2         IP address: 10.0.0.2         Preferred: 10.0.0.1
                                               Subnet mask: 255.255.255.0
CONTOSO-CLNT    Windows® 7                     IP address: 10.0.0.3
                                               Subnet mask: 255.255.255.0
Install and configure the domain controller (CONTOSO-DC)
To configure the domain controller CONTOSO-DC by using Windows Server 2008 R2, you
must:
• Install Windows Server 2008 R2.
• Configure TCP/IP properties.
• Install and configure Active Directory Domain Services (AD DS).
First, install Windows Server 2008 R2 on a stand-alone server.
To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type CONTOSO-DC.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that CONTOSO-DC has an IPv4 static IP address of
10.0.0.1.
To configure TCP/IP properties
1. Log on to CONTOSO-DC with the CONTOSO-DC\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and
Sharing Center, click Change adapter settings, right-click Local Area Connection,
and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.1. In
the Subnet mask box, type 255.255.255.0 and then click OK.
5. On the Networking tab, click OK, and then close the Local Area Connection
Properties dialog box.
Next, configure the computer as a domain controller by using Windows Server 2008 R2.
To configure CONTOSO-DC as a domain controller by using Windows Server 2008 R2
1. Click Start, and then click Run. In the Run box, type dcpromo and then click OK.
2. On the Welcome to the Active Directory Domain Services Installation
Wizard page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Choose a Deployment Configuration page, click Create a new domain in a
new forest, and then click Next.
5. On the Name the Forest Root Domain page, in the FQDN of the forest root
domain box, type contoso.com and then click Next.
6. On the Set Forest Functional Level page, in the Forest functional level box,
select Windows Server 2008 R2, and then click Next.
7. On the Additional Domain Controller Options page, ensure that the DNS
server check box is selected, and then click Next.
8. Click Yes to create a delegation for this DNS server, and then continue.
9. On the Location for Database, Log Files, and SYSVOL page, click Next.
10. In the Password and Confirm password boxes, type a strong password, and then
click Next.
11. On the Summary page, review your selections, and then click Next to start the
installation.
12. When the installation is complete, click Finish, and then click Restart Now.

Configure user accounts

In this section you create the user accounts and groups in the CONTOSO domain.
First, create a user account named Morgan Skinner in Active Directory Domain Services.
To create a user account
1. Log on to CONTOSO-DC as the domain administrator account,
CONTOSO\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users
and Computers.
3. In the console tree, expand contoso.com.
4. Right-click Users, point to New, and then click User.
5. In the New Object – User dialog box, type Morgan Skinner in the Full name box
and mskinner in the User logon name box, and then click Next.
6. In the New Object – User dialog box, type a password of your choice in
the Password and Confirm password boxes. Clear the User must change
password at next logon check box, click Next, and then click Finish.
Install and configure the RD Session Host server (RDSH-SRV)
To configure the member server, RDSH-SRV, you must:
• Install Windows Server 2008 R2.
• Configure TCP/IP properties.
• Join RDSH-SRV to the contoso.com domain.
First, install Windows Server 2008 R2 as a stand-alone server.
To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type RDSH-SRV.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that RDSH-SRV has a static IP address of 10.0.0.2. In
addition, configure the DNS server by using the IP address of CONTOSO-DC (10.0.0.1).
To configure TCP/IP properties
1. Log on to RDSH-SRV with the RDSH-SRV\Administrator account or another user
account in the local Administrators group.
2. Click Start, click Control Panel, double-click Network and Sharing Center,
click Change adapter settings, right-click Local Area Connection, and then
click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.2, and in
the Subnet mask box, type 255.255.255.0.
5. Click Use the following DNS server addresses. In the Preferred DNS server box,
type 10.0.0.1.
6. Click OK, and then close the Local Area Connection Properties dialog box.
Next, join RDSH-SRV to the contoso.com domain.
To join RDSH-SRV to the contoso.com domain
1. Log on to the RDSH-SRV computer as the CONTOSO\Administrator user account.
2. Click Start, right-click Computer, and then click Properties.
3. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, click Domain, and then
type contoso.com.
6. Click More, and in the Primary DNS suffix of this computer box, type contoso.com.
7. Click OK, and then click OK again.
8. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials for CONTOSO\Administrator, and
then click OK.
9. When a Computer Name/Domain Changes dialog box appears welcoming you to the
contoso.com domain, click OK.
10. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
11. Click Restart Now.
Install and configure the Remote Desktop Connection client computer (CONTOSO-CLNT)
To configure CONTOSO-CLNT, you must:
• Install Windows 7.
• Configure TCP/IP properties.
• Join CONTOSO-CLNT to the contoso.com domain.
To install Windows 7
1. Start your computer by using the Windows 7 product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer
name, type CONTOSO-CLNT.
Next, configure TCP/IP properties so that CONTOSO-CLNT has a static IP address of
10.0.0.3. In addition, configure the DNS server setting to use the IP address of CONTOSO-DC (10.0.0.1).
To configure TCP/IP properties
1. Log on to CONTOSO-CLNT with a user account that is a member of the local
Administrators group.
2. Click Start, click Control Panel, click Network and Internet, and then click Network
and Sharing Center.
3. Click Change adapter settings, right-click Local Area Connection, and then
click Properties.
4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
5. Click Use the following IP address. In the IP address box, type 10.0.0.3, and in
the Subnet mask box, type 255.255.255.0.
6. Click Use the following DNS server addresses. In the Preferred DNS server box,
type 10.0.0.1.
7. Click OK, and then close the Local Area Connection Properties dialog box.
Next, join CONTOSO-CLNT to the contoso.com domain.
To join CONTOSO-CLNT to the contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, click Domain, and then
type contoso.com.
5. Click More, and in the Primary DNS suffix of this computer box, type contoso.com.
6. Click OK, and then click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the CONTOSO\Administrator credentials, and then
click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you to the
contoso.com domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
10. Click Restart Now.
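The whole of Step 1 (static addressing, forest creation, the test user and the two domain joins), as an added PowerShell 2.0 / netsh example for Windows Server 2008 R2 and Windows 7 that is not part of the original guide. It assumes the adapter is named Local Area Connection (as in the guide), a temporary unattend file path, and the documented dcpromo unattend keys; the DSRM password prompt and the RDSH-Users naming are the example's own.

```powershell
# Added example (not from the original guide): command-line equivalents of Step 1.
# Run each function on the host named in its comment, from an elevated prompt.

# All three hosts: static IPv4 address, no default gateway (isolated test lab).
function Set-LabStaticIp {
    param([string]$Address, [string]$DnsServer)
    netsh interface ipv4 set address name="Local Area Connection" source=static address=$Address mask=255.255.255.0
    if ($DnsServer) {
        # validate=no: the DNS server may not answer yet while the lab is being built.
        netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=$DnsServer validate=no
    }
}

# CONTOSO-DC only: first DC of a new forest, i.e. the dcpromo wizard choices from the
# guide written as an unattend file. ForestLevel/DomainLevel 4 = Windows Server 2008 R2.
function Install-LabForest {
    $dsrm = Read-Host "Directory Services Restore Mode password"
    $unattend = "$env:TEMP\dcpromo-unattend.txt"      # assumed path
    @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $unattend -Encoding ASCII
    dcpromo /unattend:$unattend
    Remove-Item $unattend -Force    # the file holds the DSRM password in clear text
    Restart-Computer
}

# CONTOSO-DC only, after the reboot: the guide's test user, with "User must change
# password at next logon" cleared. The ActiveDirectory module ships with 2008 R2.
function New-LabUser {
    Import-Module ActiveDirectory
    New-ADUser -Name "Morgan Skinner" -GivenName Morgan -Surname Skinner `
        -SamAccountName mskinner -UserPrincipalName mskinner@contoso.com `
        -AccountPassword (Read-Host "Password for mskinner" -AsSecureString) `
        -ChangePasswordAtLogon $false -Enabled $true
}

# RDSH-SRV and CONTOSO-CLNT: join contoso.com and reboot. Add-Computer also sets the
# primary DNS suffix to the domain name, so that wizard step needs no separate command.
function Join-LabDomain {
    Add-Computer -DomainName contoso.com -Credential (Get-Credential CONTOSO\Administrator)
    Restart-Computer
}

# Order of operations for the lab (addresses and names from the guide's table):
# CONTOSO-DC:    Set-LabStaticIp -Address 10.0.0.1; Install-LabForest; then New-LabUser
# RDSH-SRV:      Set-LabStaticIp -Address 10.0.0.2 -DnsServer 10.0.0.1; Join-LabDomain
# CONTOSO-CLNT:  Set-LabStaticIp -Address 10.0.0.3 -DnsServer 10.0.0.1; Join-LabDomain
```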
Step 2: Installing and Configuring Remote Desktop Session Host
To install and configure a Remote Desktop Session Host (RD Session Host) server, you must
add the RD Session Host role service. Windows Server® 2008 R2 includes the option to
install the RD Session Host role service by using Server Manager. This topic covers the
installation and configuration of the RD Session Host role service on the RDSH-SRV
computer in the CONTOSO domain.
Membership in the local Administrators group, or equivalent, on the RD Session Host server
that you plan to configure, is the minimum required to complete this procedure. Review details
about using the appropriate accounts and group memberships at Local and Domain Default
Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To install the RD Session Host role service
1. Log on to RDSH-SRV as CONTOSO\Administrator.
2. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
3. Under Roles Summary, click Add Roles.
4. On the Before You Begin page of the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the Remote Desktop Services check box,
and then click Next.
6. On the Introduction to Remote Desktop Services page, click Next.
7. On the Select Role Services page, select the Remote Desktop Session Host check
box, and then click Next.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
9. On the Specify Authentication Method for Remote Desktop Session Host page,
click Require Network Level Authentication, and then click Next.
Note
If client computers that are running Windows® XP will use this RD Session Host server,
select Do not require Network Level Authentication.
10. On the Specify Licensing Mode page, select Configure later, and then click Next.
Note
For the purposes of this guide, a Remote Desktop licensing mode is not configured. For use
in a production environment, you must configure a Remote Desktop licensing mode. For more
information about configuring a Remote Desktop Licensing (RD Licensing) server, see
the Deploying Remote Desktop Licensing Step-by-Step
Guide (https://go.microsoft.com/fwlink/?LinkId=141175).
11. On the Select User Groups Allowed Access To This Remote Desktop Session
Host Server page, click Next.
12. On the Configure Client Experience page, click Next.
13. On the Confirm Installation Selections page, verify that the RD Session Host role
service will be installed, and then click Install.
14. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
15. After the server restarts and you log on to the computer as CONTOSO\Administrator,
the remaining steps of the installation finish. When the Installation Results page
appears, confirm that installation of the RD Session Host role service succeeded, and
then click Close to close the RD Session Host configuration window. Also, close
Server Manager.
Note
You may see warnings on the Installation Results page. For the purposes of this guide, these
warnings can be ignored.
The RD Session Host role service is now installed. For users to be able to connect to this
server, you must add the user accounts to the local Remote Desktop Users group on RDSH-
SRV. For the purposes of this guide, we will add Morgan Skinner to the local Remote Desktop
Users group. In a production environment, you should create an Active Directory Domain
Services (AD DS) group, add this group to the Remote Desktop Users group, and then add
the user accounts that should have access to the RD Session Host server to the AD DS
group.
Membership in the local Administrators group, or equivalent, on the RD Session Host server
that you plan to configure, is the minimum required to complete this procedure. Review details
about using the appropriate accounts and group memberships at Local and Domain Default
Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To add Morgan Skinner to the Remote Desktop Users group
1. Log on to RDSH-SRV as CONTOSO\Administrator.
2. Click Start, point to Administrative Tools, and then click Computer Management.
3. Expand Local Users and Groups, and then click Groups.
4. Right-click Remote Desktop Users, and then click Add to Group.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users, Computers, Service Accounts, or Groups dialog box, in
the Enter the object names to select box, type mskinner and then click OK.
7. Click OK to close the Remote Desktop Users dialog box.
Step 3: Verifying Remote Desktop Session Host Functionality
To verify the functionality of the RD Session Host deployment, log on to CONTOSO-CLNT as
Morgan Skinner and use Remote Desktop Connection (RDC) to connect to the RD Session
Host server (RDSH-SRV).
To connect to RDSH-SRV by using RDC
1. Log on to CONTOSO-CLNT as Morgan Skinner.
2. Click Start, point to All Programs, point to Accessories, and then click Remote
Desktop Connection.
3. When the Remote Desktop Connection dialog box appears, type rdsh-srv in
the Computer box, and then click Connect.
4. In the Windows Security dialog box, type the password for contoso\mskinner, and
then click OK.
5. If the connection is successful, a Windows desktop will appear on the screen for
RDSH-SRV.
You have successfully deployed and demonstrated the functionality of RD Session Host on
Remote Desktop Services by using the simple scenario of connecting to an RD Session Host
server with a standard user account by using Remote Desktop Connection. You can also use
this deployment to explore some of the additional capabilities of Remote Desktop Services
through additional configuration and testing.
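Steps 2 and 3 together (role service install, Network Level Authentication, access through a domain group as the guide recommends for production, and verification), as an added PowerShell example for Windows Server 2008 R2 that is not part of the original guide. It assumes the documented feature name RDS-RD-Server and the Win32_TSGeneralSetting WMI class; the group name RDSH-Users is the example's own.

```powershell
# Added example (not from the original guide). Run on RDSH-SRV as CONTOSO\Administrator
# unless a comment says otherwise.

# Step 2: add the RD Session Host role service (licensing left unconfigured, as in the guide).
function Install-LabRdsh {
    Import-Module ServerManager
    Add-WindowsFeature RDS-RD-Server         # asks for the restart the wizard also needs
}

# Require Network Level Authentication and the TLS security layer on the RDP-Tcp listener.
# NLA authenticates the user before a session (and its attack surface) is created, which is
# why the guide's default is "Require Network Level Authentication".
function Set-LabRdpHardening {
    $rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    [void]$rdp.SetUserAuthenticationRequired(1)   # 1 = NLA required (0 only for XP clients)
    [void]$rdp.SetSecurityLayer(2)                # 2 = TLS; 0 = RDP security layer, 1 = negotiate
}

# Production pattern from the guide: grant access through an AD DS group, not per user.
function New-LabRdshAccessGroup {                 # run on CONTOSO-DC
    Import-Module ActiveDirectory
    New-ADGroup -Name "RDSH-Users" -GroupScope Global -GroupCategory Security   # assumed name
    Add-ADGroupMember -Identity "RDSH-Users" -Members mskinner
}
function Grant-LabRdshAccess {                    # run on RDSH-SRV
    net localgroup "Remote Desktop Users" "CONTOSO\RDSH-Users" /add
}

# Step 3 checks: the listener answers, NLA and TLS are still enforced, and the server's
# Security log shows the RDP logon (event 4624, logon type 10) for mskinner after the
# client connects with mstsc /v:rdsh-srv.
function Test-LabRdsh {
    $tcp = New-Object Net.Sockets.TcpClient
    try { $tcp.Connect("rdsh-srv", 3389); $listening = $tcp.Connected } catch { $listening = $false }
    $tcp.Close()
    $rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $rdpLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+10' -and $_.Message -match 'mskinner' }
    New-Object PSObject -Property @{
        PortOpen    = $listening
        NlaRequired = ($rdp.UserAuthenticationRequired -eq 1)
        TlsLayer    = ($rdp.SecurityLayer -eq 2)
        RdpLogons   = @($rdpLogons).Count
    }
}
```

A result with PortOpen and NlaRequired both true and RdpLogons greater than zero after the client test is the command-line counterpart of seeing the RDSH-SRV desktop in step 5.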
SELF CHECK 6.1

Direction: Choose carefully from the given options. Write the correct answers on a separate
sheet of paper.

Windows Firewall
Security
Remote Desktop Services
Remote Desktop Connection
Performance
Network and Sharing Center
Fault Tolerance
Domain Controller
Cost
Administrative Tools

1. Provides technologies that enable users to access Windows-based programs that are
installed on a Remote Desktop Session Host (RD Session Host) server, or to access the full
Windows desktop.
2. The initial setup and sustained cost of this scenario.
3. How the scenario supports the resiliency of the infrastructure, which ultimately affects the
availability of the system.
4. How the scenario affects the performance of the infrastructure.
5. Security application created by Microsoft and built into Windows, designed to filter network
data transmissions to and from your Windows system and block harmful communications
and/or the programs that are initiating them.
6. Whether the scenario has a positive or negative impact on overall infrastructure security.
7. Server that responds to authentication requests and verifies users on computer networks.
8. Folder in Control Panel that contains tools for system administrators and advanced users.
9. The control panel from which most of the networking settings and tasks can be launched in
Windows 7, Windows 8.1 and Windows 10.
10. Microsoft technology that allows a local computer to connect to and control a remote PC
over a network or the Internet.
PRE-TEST ANSWER KEY
1. B     21. C
2. A     22. D
3. C     23. B
4. D     24. A
5. C     25. C
6. A     26. B
7. D     27. D
8. B     28. A
9. D     29. D
10. A    30. B
11. C    31. A
12. B    32. C
13. B    33. B
14. A    34. C
15. D    35. D
16. C    36. A
17. C    37. C
18. D    38. B
19. B    39. D
20. A    40. A
REFERENCES:

LO1 Client to Domain

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc728372(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759279(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779033(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784886(v=ws.10)
https://helpdeskgeek.com/how-to/windows-join-domain/
https://www.thinlabs.com/faq/windows-7-change-computer-domain-workgroup-name
https://www.youtube.com/watch?v=jUUjAkjzV9U
https://www.varonis.com/blog/active-directory-domain-services/#:~:text=Active%20Directory%20Domain%20Services%20(AD%20DS)%20are%20the%20core%20functions,%2C%20LDAP%2C%20and%20rights%20management.
https://thewordsearch.com/puzzle/1318632/user-access-and-security/

LO2 Users to Domain

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732532(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770377(v=ws.10)
http://puzzlemaker.discoveryeducation.com/code/BuildWordSearch.asp
https://www.youtube.com/watch?v=O04m3yz2lJ0

LO3 Group Policy

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786524(v=ws.10)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786212(v=ws.10)
https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11
https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779159(v=ws.10)
https://blog.netwrix.com/2019/04/18/group-policy-management/#:~:text=The%20Group%20Policy%20Management%20Console,of%20Microsoft%20Windows%20Server%20Manager.
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Interface-of-the-Group-Policy-Management-Console.png
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Interface-of-the-Group-Policy-Management-Editor.png
https://blog.netwrix.com/wp-content/uploads/2019/04/Group-Policy-Management-Information-about-all-applied-GPOs-in-GPMC.png
https://www.education.com/worksheet-generator/reading/word-scramble/

LO4 Configuring and Testing Folder Redirection

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831487(v=ws.11)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd463985(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/gg277982(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732275(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771969(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649074(v=ws.11)
https://www.education.com/worksheet-generator/reading/word-scramble/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649078(v=ws.11)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/images/jj649078.6e9f23c0-4ba6-4442-8b71-b0abad741a15(ws.11).jpeg

LO5 Configuring and Testing File and Printer Sharing Deployment

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731636(v=ws.10)#getting-started-and-deployment
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791910(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753109(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee524015(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766474(v=ws.10)
https://en.wikipedia.org/wiki/Printer_driver
https://www.techopedia.com/definition/8966/print-queue
https://whatis.techtarget.com/definition/printer

LO6 Configuring and Testing Remote Desktop Sharing

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff710421(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd647502(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff710489(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883274(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883253(v=ws.10)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883266(v=ws.10)
https://docs.microsoft.com/en-us/windows/client-management/administrative-tools-in-windows-10#:~:text=Administrative%20Tools%20is%20a%20folder,of%20Windows%20you%20are%20using.
https://www.digitalcitizen.life/what-network-and-sharing-center#:~:text=Simply%20put%2C%20the%20Network%20and,holds%20a%20very%20important%20place.
https://www.varonis.com/blog/domain-controller/
https://www.techopedia.com/definition/27731/remote-desktop-connection-rdc-microsoft-windows
https://www.education.com/worksheet-generator/reading/word-scramble/