CST8342 WEEK 03

LAB-03
By Doug Dacey

Do not open or run packages.zip until you are told to do so in the lab.
Creating the Information Technology
Services OU and Child Objects:
• You will be doing the following steps on your DM^^??? domain. Logon as your user and
create the following OU structure for ITS directly under your domain.
ITS
______________|________________
| | |
HelpDesk Development CustSupport
• Save all screen shots in a folder called “Screen Shots”, this folder should be located under
“C:\CST8342” on your “virtual machine”, not on the host machine. C:\CST8342 would
disappear on the host machine if using the lab computers.
• After creating the folder, right click on it and select “Send to”, “Desktop”, a shortcut
should appear on your desktop. Create a sub folder under “Screen Shots” called
“ABCD0123 Lab 03”. Substitute ‘ABCD0123’ for your College username. Create a text
document called “Lab 03.txt” to save the # answers.
Create user accounts with passwords = (P@ssw0rd) in each OU as follows:
• ITS OU: ITSAdmin (ITS firstname, Admin lastname, ITS Admin fullname and login names)
• HelpDesk OU: HDUser (HD firstname, User lastname, HD User fullname and login names)
• Development OU: DevUser (Dev firstname, User lastname, Dev User fullname and login names)
• CustSupport OU: CSUser (CS firstname, User lastname, CS User fullname and login names)
Users cannot change password, and password never expires.
Create a shortcut to Active Directory Users and Computers on your desktop.
Modifying Group Policy to allow user to logon locally.

Open Group Policy Management in Administrative Tools.

Right click on Default Domain Controllers Policy. Choose Edit. Make sure you don’t edit Default
Domain Policy.
Create a shortcut to Group Policy Management on your desktop.
• Modify Allow log on locally. Add Domain Users. Restart computer after completing this,
or simply run gpupdate..
• Check that all your user accounts work properly by successfully logging on as each one.
Logon again as your username and open Active Directory Users and Computers
(ADUC). Expand your OU structure and take a screen shot, call it lab03-00.jpg.
• All labs require that images and text answers end up in a word processor and be stored
as one file.
• You may do this as you work through the lab. Make sure you label all pictures with the
name of the screen shot. The lab must be converted to PDF before submitting. It must be
called ABCD0123_Lab_03.pdf (Substitute ABCD0123 for your username). pdf files with
incorrect names will not be accepted.
Take a snapshot in VMware before you begin lab 3.
See instructions below.
• You should have demoed lab 2 before starting this lab.
• You should have a backup of your virtual machine on an external drive. This should be a
different drive then your drive that has your virtual machine on.
• Name your snapshot, Before Lab 3.
This is what a captured screen dialog box should look
like.

Good Bad
Lab 3 –Software Deployment Using Group Policy
Please read these Lab Instructions completely before starting the Lab.

General Instructions:
• While doing the lab, record the date, along with all the procedures and
installation/configuration decisions you make. This should be recorded in a text file.
Answer all lab questions and record answers. Screen shots should be stored for later
submission. Include answer reference numbers (#), in your text file so that it will be
easier for you to study the lab exercises later, as well as facilitate the evaluation of your
lab work by your Professor. Lab work should be available for inspection at any time.
• This lab assumes that the previous labs have been completed successfully. In addition you
have installed Windows Server 2019 Datacenter in a 60G partition. Windows Server
2019 has all the latest service packs installed as well as all critical and optional updates
from the Microsoft Windows Update web site.
• This lab assumes Lab 2 has been completed successfully. Hence you have configured a
static IP address and installed Windows Server 2019 DNS and Active Directory on your
Windows Server 2019 Datacenter machine.Your Default Domain Controller Policy has
been configured to allow ordinary users to “logon locally”.
• You should have a complete set of screen shots and answers for lab 3 onwards. Answer
all # questions in one text file. Screen shots must be stored as .jpg with lab03-08.jpg for
screen shot 8 as an example. Naming is important.
Lab Overview:
• In this lab, you will use Windows 2019 Group Policy to manage the deployment of
desktop software for users in your domain.
• Ensure that you have completed all the steps in Lab 02 before starting this lab.
Scenario:
• As the Administrator of your company’s domain you have been tasked to ensure that the
“Green” application is available to all employees in the ITS department and the Red and
Blue applications are also available to the Help Desk employees.
This is just an overview.
Do not do any steps until a later slide.
The ITS OU structure is:
ITS
______________|________________
| | |
HelpDesk Development CustSupport
Do not do anything yet

The specific requirements for deploying the applications are:

• (i) All ITS department employees will automatically see an item for the “Green” application in
the Programs menu/Start Menu (Both refer to the same menu) no matter which computer
they logon at. In addition, all Help Desk ITS employees will automatically see items for the
“Red” and “Blue” applications in the Program Menu as well, no matter which computer they
logon at.
• (ii) If an any employee should double click any of the displayed “Green”, “Red” or “Blue”
applications in the Program menu and the selected application is not already installed for that
user on the computer, it will be automatically installed and then run. Note, only certain
applications will be available for some employees. Green (ITSAdmin), Red/Blue (HDUser) as
an example.
• What type of software deployment policy will be required to implement the above
scenario? (Assigned or Published) This answer will be recorded in the file Lab 03.txt that
you created previously. Number it as follows: #1
• Where would you create GPOs to implement this scenario? Record answer as #2
Creating a Software Deployment Group Policy:

In the following steps, you will be creating/managing/using objects in your dm^^$$$ domain.
These steps will now be done on your virtual machine.
• Logon to your domain as your user.
• A number of sample application packages (e.g. Green, Red, Blue, Cosmo1 and Cosmo2, created
specifically for use in this lab, are stored on Brightspace, copy the Packages.zip file from Brightspace to
the root directory of drive C: on your virtual machine.
• Extract the packages zip file, it will create a folder called Packages. Delete the zip file after extracting.
• Share the Packages folder from the C: drive of your server with the default share of Everyone Read and
default NTFS permissions.
• Verify that your Packages share is visible on the network by typing \\YourServerName\Packages.
• Take a screen shot to show this. (lab03-03.jpg)
OUR FOLDER WILL BE CST8342
• Run Group Policy Management. Open the Group Policy property page of your ITS OU.
• Create a new Group Policy object called “Green Application Policy” for the ITS OU.
• Edit the Green Application Policy. Under User Configuration, policies, expand Software
Settings and then click Software Installation. Right click Software Installation, then select
New and then Package.
• In the File name: box type the location of the software packages which is:
• \\YourServerName\PACKAGES
• Make sure you use UNC naming convention, do not use a drive letter.
• Find the Green.msi package located in COLORFUL\VER1. Select Green.msi and click
Open. What options do you have available here for deploying software? (lab03-04.jpg)
• Select the second software deployment option (Assigned) and click OK. Take a screen
shot of the Group Policy window showing the deployment state of the Green package.
(lab03-05.jpg)
• Create two Group Policy objects linked to the HelpDesk OU called “Red Application
Policy” and “Blue Application Policy”. Deploy the Red and Blue .msi packages respectively
with the appropriate deployment option (“Assigned”). User Configuration. Execute
GPUPDATE at a command prompt before proceeding.
• Logon as CSUser. Examine the Programs menu. What changes if any do you notice? (#6)
Do NOT launch any programs yet!
• Open the Control Panel and double click “Programs and Features / Install a program
from the network”. Do you notice any new “installed” programs? If so, what is (are) the
name(s)? (#7)
• Click “Install a program from the Network” in the left part of the window. Are any new
programs available from the network? If so, what are they? (lab03-08.jpg) Do NOT
install any programs yet! Close “Programs and Features” and the Control Panel if
open.
• Examine the Programs menu again. Watch carefully as you click to execute Green. What
happens? Why? (#9)
• Take a screen shot of the Green program executing on your desktop. (lab03-10.jpg) Log
off as CSUser (Sign out).
• Logon as HDUser. Examine the Programs menu. What changes if any do you notice? (#11) Do
NOT launch any programs yet!
• Open the Control Panel and double click on “Programs and Features / Install a program from
the network”. Are any new programs available from the network? If so, what are they? (#12)
• Select Red and then install to install Red. Close Programs and Features. Try running Red from
the Programs menu. Is Red already installed? (#13) Watch carefully as you try running Blue. Is
Blue already installed for this user? (#14)
• Important: Do not click to install Green at this time. Log off as HDUser.
Publishing Applications:
• Logon to your domain as your user. Create a new Group Policy Object for the ITS OU
called Cosmo Application Policy. Edit the settings of this GPO. Under User Configuration,
policies, expand Software Settings and then click Software Installation. Right click
Software Installation, then select New and then Package. Select the Cosmo1.msi package
located at:
• \\YourServerName\PACKAGES\COSMO1
• Verify that the Published option is selected. Then click OK. Take a screen shot of the
Group Policy settings showing that Cosmo1 is published. (lab03-15.jpg) Close all open
windows.
• Execute GPUPDATE.
• Logon as CSUser. Examine the Programs menu. Does Cosmo1 appear on the Programs
menu? Why or why not? (#16)
• Open the Control Panel and double click “Programs and Features / Install a program
from the network”. Do you notice any new “installed” programs? If so, what is (are) the
name(s) ? (#17)
• Are any new programs available from the network? If so, what are they? (lab03-18.jpg)
• Do NOT install any programs yet!
• Close Programs and Features.
• Using the Run command on the Start menu, open the PACKAGES share on your server
(i.e. type \\YourServerName\PACKAGES). Is the file COSMO.CS00 associated with any
Windows application? How can you tell? (#19)
• Watch carefully as you double click COSMO.CS00. What happens (if anything)? Why?
(#20) Take a screen shot of any new application running on your desktop. (lab03-21.jpg)
• Close all open windows. Check the Programs menu. Is Cosmo1 available? (#22)
• Log off as CSUser.
• Log on as HDUser. Examine the Programs menu. Does Cosmo1 appear on the Programs
menu? Why or why not? (#23)
• Open the Control Panel and double click Programs and Features / Install a program from
the network..
• Install Cosmo1 by clicking Add. Verify that Cosmo1 is available on the Start menu and will
execute properly.
• Close all open windows and log off as HDUser.
Deploying an Application Upgrade:
• Scenario: Currently all ITS employees are using Cosmo1 in their day to day work.
Cosmo Inc. has recently released a new version, Cosmo2, which has several new features
that will save money. Hence it is desired to implement a mandatory upgrade to Cosmo2.
However you want to test the new version on users in the CustSupport OU before
requiring the upgrade for the whole department. Hence, we want to make the upgrade
optional for these users until you are satisfied that the new version is working OK.
• Logon as your self. Open the Group Policy for the CustSupport OU. Create a new GPO
called “Cosmo Optional Upgrade Policy”.
• Edit the GPO User Configuration > policies > Software Settings > Software Installation.
• Select New Package and Browse \\YourServerName\PACKAGES\COSMO2 for
COSMO2.MSI. Select COSMO2.MSI and click Open.
• Select Advanced and click OK.
• Click the Upgrades tab and click Add. Select A specific GPO and click the Browse button.
• Browse to the ITS OU in your domain. Select the Cosmo Application Policy and click OK.
• In the Package to upgrade list ensure that Cosmo1 (Cosmo Application Policy) is selected.
• Click OK. Ensure that the Required Upgrade for existing packages checkbox is NOT checked.
• Click OK. Take a screen shot of the Group Policy Software
• Installation settings showing the upgrade to Cosmo 2. (lab03-24.jpg) Close the Group Policy
windows and execute GPUPDATE at the command prompt.
• Log off as your user and log on as CSUser. Can CSUser still run Cosmo1? (#25)
• Open Programs and Features / Install a program from the network in Control Panel. Is
Cosmo2 available? (lab03-26.jpg)
• Install Cosmo2. Is Cosmo1 still available on the Programs menu? Why or why not? (#27)
• Can you run Cosmo2 successfully from the Programs menu? (#28)
• Close all open windows and log off as CSUser.
• Assuming that the testing of Cosmo2 by the CSUser produced satisfactory results, we
now want to implement a mandatory upgrade for all ITS users.
• Log on to your domain as your user and open Group Policy Management.
• Edit the Cosmo Application Policy at the ITS OU.
• Under User Configuration > policies > Software Settings, click on Software Installation.
• Right click Software Installation and select New Package.
• Browse to locate the COSMO2.MSI package, select it and click Open.
• In the Deploy Software dialog box, select Advanced and click OK.
• Click the Upgrades tab, then click Add.
• Under Package to upgrade, select Cosmo1.
• Before clicking OK, take a screen shot. (lab03-29.jpg)
• On the Upgrades tab check “Required upgrade for existing packages”. Take a screen. (lab03-30.jpg)
• Click OK to close the Cosmo2 Properties.
• Take a screen shot of the Group Policy settings screen showing Cosmo1 and Cosmo2. (lab03-31.jpg)
• Close the Cosmo Application Policy at the ITS OU.
• Open the Group Policy for the CustSupport OU.
• Select the Cosmo Optional Upgrade Policy and click the Delete button.
• Take a screen shot of any message received. (lab03-32.jpg) It will only delete the link.
• Go to Group Policy Objects. Select and delete the GPO as it is no longer required.
• Close all open windows and then run GPUPDATE at the command prompt. Log off as your user.
• Log on as HDUser and watch the logon process carefully.
• Recall that this user had previously installed Cosmo1.
• Is Cosmo1 still available on the Programs menu? Why or why not? (#33)
• What happens when Cosmo2 is selected from the Programs menu? (#34)
• Close all open windows and log off as HDUser.
• Automatically Removing Deployed Software:
• Scenario: Because of a serious software bug, the use of Cosmo2 must immediately
cease in the ITS department.
• Also, we wish to prevent any new installations of Green, but still allow users, who have
already installed Green, to continue using it.
• Logon as your username and edit the Cosmo Application Policy at the ITS OU.
• View the Software Installation settings.
• Right click the entry for Cosmo2, select All Tasks > Remove.
• What options are available? (lab03-35.jpg)
• Ensure that the first option Immediately uninstall the software from users and computers is
selected and click OK.
• What happens to the Cosmo2 entry in the Software Installation settings? (#36)
• Save and close the changes to the Cosmo Application Policy.
• Edit the Green Application Policy at the ITS OU.
• In the Software Installation settings, right click Green and select All Tasks > Remove.
• Select the option Allow users to continue to use the software, but prevent new
installations and click OK.
• What happens to the Green entry in the Green Application Policy? (#37)
• Close all open windows. Execute GPUPDATE and then log off as your username.
• Log on as CSUser. Recall that this user had previously installed Green and Cosmo2.
• Is Cosmo2 still available?
• Why or why not? (#38)
• Is Green still available?
• Why or why not? (#39)
• Does not work like it should, bug in Microsoft’s software.
• Log on as HDUser. Recall that this user had previously installed Cosmo2 but had not
installed Green even though it was “advertised” on the Programs menu.
• Is Cosmo2 still available? Why or why not? (#40)
• Is Green still available? Why or why not? (#41)
• Close all open windows and log off.
Report Submission

• This is the first lab that is being graded. It is not graded until it is demonstrated. I will be
looking at group policy editor to make sure tasks are done, as well as your folder with
answers and screen shots. The report is due on Sunday of week 5 at 11:30 pm but don’t leave
it until the last minute. See date on schedule. Each day late deducts 1 mark. No excused for
being late as you have weeks to submit.
• The report must have a title page, your answers with # in front for each written answer. Your
screen shots with the name of the screen shot shown below it.
• It must be in pdf format when submitted.
• The title page must have the following:
• Your full name as shown on Brightspace.
• Your college e-mail address.
• The Lab #. Lab 03 for this one.
• Your lab professors name.
• Your computer name.
• Your IP address.
• Date of completion.
• What type of objects are "ITS, HelpDesk, Development, and CustSupport" in ADUC?
• Under what existing policy were you told to modify, to allow users to login locally on the server? Default
Domain Policy or Default Domain Controllers Policy.
• Under what existing policy section were you told to modify, to allow users to login locally on the server?
Computer Configuration or User Configuration.
• What is the policy name, that you have to open to allow a user to login locally on the server?
• What path do we need to open to get to the policy to allow users to login locally on the server?
• What is the difference between Assigned applications and Published Applications?
• What is a Source Starter GPO?
• What type of naming convention is "\\ServerName\ShareName"?