ADDS and Group Policy - morgan-hanrahan/Tech-Journal GitHub Wiki

OU Structure Creation

  • Open up Active Directory Users and Computers (Server Manager -> Tools(right-click))

Create an organizational unit called "SYS255" and add OUs for Accounts, Computers, and Groups within it.

Create Users and Groups

Right click to create users, groups, and other domain objects.

When creating user accounts, you would normally have them change the password at logon, but for this lab you don't have to.

Within the SYS255\Accounts OU, create the users alice, bob, and charlie.

Drag WKSO1 from the morgan.local\Computers folder to the SYS255\Computers OU. This lets us treat computers in the SYS255 OU differently from the rest of the domain.

Within the SYS255\Groups OU, add a global security group called custom-desktop with Alice and Bob (not Charlie) as members. To add the members, right-click custom-desktop, go to Properties, and under the Members tab click Add.

Group Policy - User

Create a group policy that defines some user-level settings (Server Manager -> Tools (right-click) -> Group Policy Management).

Creating a User Policy

Select the SYS255 OU and create a new group policy object (GPO) called sys255-desktop. Then right-click the object and select Edit.

Step 1: Add the custom-desktop group created earlier to the Security Filter.

Step 2: Remove Authenticated Users from the Security Filter (a pop-up will appear; just click OK).

Step 3: Add Domain Controllers.

Step 4: Delegation tab -> Advanced (uncheck Apply Group Policy, select Deny).

Nuking the Recycle Bin

Find the "Remove Recycle Bin icon from desktop" setting under User Configuration and click Edit Policy Setting in the Group Policy Editor.

Enable the "Remove Recycle Bin icon from desktop" setting.

Click Apply, then OK, and close the Group Policy Editor.

Creating a Computer Policy

Computer policies are applied before login and affect the entire system, and therefore every user who logs in.

Disable Last Login

Create and link a new GPO within the SYS255\Computers OU called DisableLastLogin.

The Security Filter on this policy should be applied to Domain Computers (not Authenticated Users). Edit the policy so that the "Do not display last user name" setting is enabled.
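The whole procedure above scripted in PowerShell, as an added example rather than anything from the original wiki page. It assumes it runs on the morgan.local domain controller with the ActiveDirectory and GroupPolicy modules available, that the workstation object is named WKSO1 as on the page, and that the domain's NetBIOS name is MORGAN; because Set-GPPermission has no Deny option, the Deny entry for Domain Controllers goes through the GPMC .NET API, and the Read grant for Domain Computers is a caveat not on the page that keeps user policy working once Authenticated Users is removed.

```powershell
# Added example, not from the wiki page. Assumed: run on the morgan.local DC with the
# ActiveDirectory and GroupPolicy modules, workstation object WKSO1, NetBIOS domain MORGAN.
Import-Module ActiveDirectory, GroupPolicy
$domain = "DC=morgan,DC=local"
$sys255 = "OU=SYS255,$domain"
# OU structure: SYS255 with Accounts, Computers and Groups beneath it
New-ADOrganizationalUnit -Name "SYS255" -Path $domain
foreach ($ou in "Accounts", "Computers", "Groups") { New-ADOrganizationalUnit -Name $ou -Path $sys255 }
# Users alice, bob and charlie; prompt for the initial password instead of hard-coding one
$pw = Read-Host -AsSecureString "Initial password for lab users"
foreach ($u in "alice", "bob", "charlie") {
    New-ADUser -Name $u -SamAccountName $u -Path "OU=Accounts,$sys255" `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}
# Global security group custom-desktop with alice and bob only (not charlie)
New-ADGroup -Name "custom-desktop" -GroupScope Global -GroupCategory Security -Path "OU=Groups,$sys255"
Add-ADGroupMember -Identity "custom-desktop" -Members "alice", "bob"
# Move the workstation into SYS255\Computers so SYS255-linked policies reach it
Move-ADObject -Identity (Get-ADComputer "WKSO1").DistinguishedName -TargetPath "OU=Computers,$sys255"
# User GPO sys255-desktop linked to SYS255 and security-filtered to custom-desktop (steps 1-2)
$gpo = New-GPO -Name "sys255-desktop"
$gpo | New-GPLink -Target $sys255 -LinkEnabled Yes
Set-GPPermission -Name $gpo.DisplayName -TargetName "custom-desktop" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
# Since MS16-072, user policy is fetched in the computer's security context, so once Authenticated
# Users is gone the workstations still need Read (not Apply) or the GPO silently stops applying.
Set-GPPermission -Name $gpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead
# Steps 3-4: Read for Domain Controllers, then deny Apply. Set-GPPermission has no Deny switch,
# so the deny entry goes through the GPMC .NET API (assumed constructor: trustee, type, denied).
Set-GPPermission -Name $gpo.DisplayName -TargetName "Domain Controllers" -TargetType Group -PermissionLevel GpoRead
$acl = $gpo.GetSecurityInfo()
$acl.Add([Microsoft.GroupPolicy.GPPermission]::new("MORGAN\Domain Controllers",
    [Microsoft.GroupPolicy.GPPermissionType]::GpoApply, $true))
$gpo.SetSecurityInfo($acl)
# "Remove Recycle Bin icon from desktop" is the NonEnum entry for the Recycle Bin CLSID under HKCU
Set-GPRegistryValue -Name $gpo.DisplayName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" `
    -ValueName "{645FF040-5081-101B-9F08-00AA002F954E}" -Type DWord -Value 1
# Computer GPO DisableLastLogin on SYS255\Computers, filtered to Domain Computers
$cgpo = New-GPO -Name "DisableLastLogin"
$cgpo | New-GPLink -Target "OU=Computers,$sys255" -LinkEnabled Yes
Set-GPPermission -Name $cgpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $cgpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
# The GUI sets "Do not display last user name" under Security Options; this writes the registry value it controls
Set-GPRegistryValue -Name $cgpo.DisplayName -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "DontDisplayLastUserName" -Type DWord -Value 1
```

After running it, `Get-GPPermission -Name sys255-desktop -All` should list custom-desktop with GpoApply, Domain Computers with GpoRead, and no Authenticated Users entry; run `gpupdate /force` on the workstation and check with `gpresult /r` that sys255-desktop applies only to alice and bob.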