Building a ConfigMgr Lab from Scratch: Step 5 – Configuration Settings (AD / GPO)

Along the way when you set up your lab, you’ll need to create accounts, groups, GPOs, and other things to make life easier. While you want to keep it fairly clean and lean, if you plan to keep this lab around a while, you’ll want a few of these set up.

AD Accounts – MS DOCS

  • ConfigMgr Admin (Both Admin in ConfigMgr & on ConfigMgr Servers)
  • CM_DJ (Domain Join Account, I followed these instructions to create it.)
  • CM_NA (Network Access Account, depending on your setup, you might not need this. I’m hoping to leverage Enhanced HTTP)
  • CM_CP_Workstations & CM_CP_Servers (Client Push Accounts, added to the groups below to be local admins on respective devices)
  • CM_SSRS (add to SQL_Admins, used for the Reporting Services Role)

AD Groups

  • ConfigMgr_Servers (This will contain a list of all ConfigMgr Servers you build, for now just the MEMCM server, used for targeting GPO & Security Rights)
  • SQL_Admins (Used during the SQL Install to specify the admin rights to the SQL install)
  • ConfigmgrAdmins (This group will be added to the Local Administrators group of all CM Servers)
  • Workstation_LocalAdmins (This group will be added to the Local Administrator group on all Workstations)
  • Server_LocalAdmins (This group will be added to the local Administrators group on all Servers)
  • CM_App_DeployUsers (This group is used as my default group I deploy Apps to. Any users who are added to this will then see these apps in their Software Center)
      • I typically add all normal user accounts to this, skipping service accounts.

Group Policies

  • Domain Machine Policy (Applies to all Machines in Domain)
      • Currently used to enable ICMP (Ping) on all Machines
      • Enable Remote Desktop & Open Corresponding Firewall Ports (See Below)
  • ConfigMgr Servers
      • Used to add ConfigMgrAdmins to Local Administrator Group
      • Used to add the NO_SMS_ON_DRIVE.SMS file to the C & D Drives
  • All Servers
      • Used to add Server_LocalAdmins to Local Administrator Group
  • All Workstations
      • Used to add Workstation_LocalAdmins to Local Administrator Group

Sample of how the GPOs look and how a couple of basic settings are scoped to the CM Server Group.

You’ll want to confirm that the ConfigMgr_Servers group has Full Control of the System Management OU (and that your CM Server is in this group).
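
A read-only check of the setup above, as an added PowerShell example that is not from the original post: it verifies that the service accounts sit in the groups listed under AD Accounts, that the site server is in ConfigMgr_Servers, and that ConfigMgr_Servers holds Full Control on System Management. It assumes the RSAT ActiveDirectory module is installed; the function name and the MEMCM computer name are placeholders.

```powershell
# Added example, not the author's code. Makes no changes to AD.
# Assumptions: RSAT ActiveDirectory module; 'MEMCM' is a placeholder computer name.
function Test-CMLabAdSetup {
    param([Parameter(Mandatory)][string]$SiteServer)

    Import-Module ActiveDirectory
    $domain  = Get-ADDomain
    $results = @()

    # 1. Group -> account that the page says must be a member of it.
    $required = @{
        'SQL_Admins'              = 'CM_SSRS'
        'Workstation_LocalAdmins' = 'CM_CP_Workstations'
        'Server_LocalAdmins'      = 'CM_CP_Servers'
        'ConfigMgr_Servers'       = "$SiteServer`$"   # computer accounts end in $
    }
    foreach ($group in $required.Keys) {
        # -Recursive expands nested groups, so this is the effective membership.
        $members = @(Get-ADGroupMember -Identity $group -Recursive)
        $results += [pscustomobject]@{
            Check  = "$($required[$group]) in $group"
            Pass   = $members.SamAccountName -contains $required[$group]
            Detail = "Effective members: $($members.SamAccountName -join ', ')"
        }
    }

    # 2. Full Control (GenericAll) for ConfigMgr_Servers on System Management,
    #    which lives at CN=System Management,CN=System,<domain DN>.
    $dn  = "CN=System Management,CN=System,$($domain.DistinguishedName)"
    $ga  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ace = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\ConfigMgr_Servers" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ga) -eq $ga
    }
    $results += [pscustomobject]@{
        Check  = 'ConfigMgr_Servers has Full Control on System Management'
        Pass   = [bool]$ace
        Detail = "Inheritance: $($ace.InheritanceType -join ', ')"
    }
    $results
}

Test-CMLabAdSetup -SiteServer 'MEMCM' | Format-Table -AutoSize -Wrap
```

The Detail column lists every effective member of each local-admin group, so accounts that ended up there through nesting are visible for review.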

Enable Remote Desktop & Firewall Ports for RDC

Computer Configuration -> Admin Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services = Enabled
Computer Configuration -> Windows Settings -> Security Settings -> Windows Defender Firewall… -> Inbound Rules: Right Click New Rule -> Predefined: Remote Desktop
