migrate to git.charlotte.sh

sysadmin-ii-sys265/labs/lab06-ad-gpo-sw-deployment.md

@@ -0,0 +1,69 @@
+# AD Group Policy & SW Deployment
+
+
+## Prepare an OU, user & workstation
+Before we get into configuring a Group Policy Object (GPO) within Active Directory (AD), let’s set the AD stage to deploy a software package. Via AD Users & Computers, create a “Test OU”.
+
+![image](../../assets/a5a9d811-0e27-48e2-b25d-97cb9e345e56.png)
+
+Use Powershell on AD01 via MGMT01 to create another OU called “Software Deploy”, move WKS01 and your regular named account into it, and then delete the Test OU.
+```powershell
+# Create another OU called Software Deploy under charlotte.local
+# Move WKS01 and your regular named account into it, and then
+# Delete the Test OU 
+
+# Get the domain Distinguished Name (DN)
+$domainDN = (Get-ADDomain).DistinguishedName
+
+# Create the "Software Deploy" OU
+$swDeployOUDN = "OU=Software Deploy,$domainDN"
+$swDeployOU = Get-ADOrganizationalUnit -Identity $swDeployOUDN
+if($swDeployOU){
+    Write-Host "'Software Deploy' OU already exists at $swDeployOUDN"
+}else{
+    New-ADOrganizationalUnit -Name "Software Deploy" -Path $domainDN -Description "Software Deployment OU"
+    Write-Host "Created $swDeployOUDN"
+}
+
+# Move WKS01 computer to new OU
+$computerDN = (Get-ADComputer -Identity "WKS01-CHARLOTTE").DistinguishedName
+$targetOUDN = "OU=Software Deploy,$domainDN"
+Move-ADObject -Identity $computerDN -TargetPath $targetOUDN
+Write-Host "Computer $computerDN added to $targetOUDN"
+
+# Move charlotte.croce-adm to new OU
+$userDN = (Get-ADUser -Identity "charlotte.croce-adm").DistinguishedName
+Move-ADObject -Identity $userDN -TargetPath $targetOUDN
+Write-Host "User $userDN added to $targetOUDN"
+
+# Remove the "Protect from accidental deletion" flag from Test OU and delete
+$testOU = Get-ADOrganizationalUnit -Filter {Name -eq "Test OU"}
+if($testOU){
+    Set-ADObject -Identity $testOU -ProtectedFromAccidentalDeletion $false
+    Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false
+    Write-Host "Deleted $testOU"
+}
+```
+
+## Deploying Software via GPO
+
+- On MGMT01, download the current Putty x64-bit Windows Installer Package.
+- Next, create a Share on MGMT01 named ‘Software’ and place Putty’s .msi in it, so users and computers (via GPO) can access & install it shortly.
+  - see SYS255 file share docs [here](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-i-sys255/lab07-lab-server-core-and-remote-administrator-tools.md#use-rsat-to-add-to-fs01-and-create-a-sales-users-share). No need to map drive to letter
+- Via Group Policy Management feature on MGMT (You need to install this), create a new GPO named ‘Deploy SW’ within the Software Deploy OU. \
+![image](../../assets/64d738b7-1b8e-45ea-9f7d-474fc6679cfb.png)
+![image](../../assets/dccadcee-10f4-4fce-ac7b-0f7b9b87f0cd.png)
+- Edit the new GPO by creating a new Software installation, and assign Putty’s .msi package to deploy. \
+![image](../../assets/45ad5e35-665c-4861-a8be-e9aa17d6b676.png)
+- With the new GPO setting, run `gpupdate /force` on WKS01, and then allow the restart when prompted. PuTTY should now be installed
+
+> [!Note]
+> An extremely common issue you’ll encounter in MS Window environments are the differences between Local Permissions vs. Share Permissions: 
+>
+> Local Permissions (also called NTFS Permissions): Permissions that are applied only Locally (and not Remotely) on the OS, and affects both Local (i.e. via keyboard) and Remote (i.e. via network) account access.
+>
+> Share Permissions: Permissions that are applied only Remotely (and not Locally) to the OS, and affects only Remote (i.e. via network shares) account access.
+>
+> If both Shared & Local Permissions are set, then MOST RESTRICTIVE PERMISSION WINS. #LeastPriledgeRules -- summary [here](https://blog.netwrix.com/ntfs-vs-share-permissions)
+
+