Building a CM Lab - Configuration Settings (AD / GPO) [5]

Series Post 5, setting up AD & GPO items for your lab

As you set up your lab, you'll need to create accounts, groups, GPOs, and other items to make life easier. You want to keep the lab fairly clean and lean, but if you plan to keep it around for a while, you'll want a few of these set up:

  • AD Accounts - MS DOCS
      • ConfigMgr Admin (Admin both in ConfigMgr and on the ConfigMgr servers)
      • CM_DJ (Domain Join account; I followed these instructions to create it.)
      • CM_NA (Network Access account; depending on your setup, you might not need this. I'm hoping to leverage Enhanced HTTP.)
      • CM_CP_Workstations & CM_CP_Servers (Client Push accounts, added to the groups below to be local admins on their respective devices)
      • CM_SSRS (add to SQL_Admins; used for the Reporting Services role)
  • AD Groups
      • ConfigMgr_Servers (Contains all the ConfigMgr servers you build, for now just the MEMCM server; used for targeting GPOs and security rights)
      • SQL_Admins (Used during the SQL install to specify the admin rights for the SQL instance)
      • ConfigMgrAdmins (This group will be added to the local Administrators group of all CM servers)
      • Workstation_LocalAdmins (This group will be added to the local Administrators group on all workstations)
      • Server_LocalAdmins (This group will be added to the local Administrators group on all servers)
      • CM_App_DeployUsers (The default group I deploy apps to. Any users added to it will see these apps in their Software Center.)
          • I typically add all normal user accounts to this, skipping service accounts.
  • Group Policies
      • Domain Machine Policy (Applies to all machines in the domain)
          • Currently used to enable ICMP (ping) on all machines
          • Enable Remote Desktop & open the corresponding firewall ports (see below)
      • ConfigMgr Servers
          • Used to add ConfigMgrAdmins to the local Administrators group
          • Used to add the file NO_SMS_ON_DRIVE.SMS to the C & D drives
      • All Servers
          • Used to add Server_LocalAdmins to the local Administrators group
      • All Workstations
          • Used to add Workstation_LocalAdmins to the local Administrators group
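
The groups and service accounts listed above can be created in one repeatable pass. The following PowerShell is an added example, not the author's own script. It assumes the ActiveDirectory module, the domain's default Users container as the location, and a ConfigMgr server computer account named MEMCM; the ConfigMgr Admin account is left out because the post gives no logon name for it.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Safe to re-run: existing objects are skipped.
param(
    [string]$CMServerName = 'MEMCM'   # assumption: hostname of the lab ConfigMgr server
)

$container = (Get-ADDomain).UsersContainer   # assumption: default Users container

# Groups named in the post
$groups = 'ConfigMgr_Servers', 'SQL_Admins', 'ConfigMgrAdmins',
          'Workstation_LocalAdmins', 'Server_LocalAdmins', 'CM_App_DeployUsers'

# Service accounts named in the post, mapped to the group (if any) the post puts them in
$accounts = [ordered]@{
    'CM_DJ'              = $null
    'CM_NA'              = $null
    'CM_CP_Workstations' = 'Workstation_LocalAdmins'
    'CM_CP_Servers'      = 'Server_LocalAdmins'
    'CM_SSRS'            = 'SQL_Admins'
}

function Add-MemberIfMissing($Group, $Member) {
    # Add-ADGroupMember errors on an existing member, so compare DNs first
    $current = @(Get-ADGroupMember -Identity $Group).DistinguishedName
    if ($current -notcontains $Member.DistinguishedName) {
        Add-ADGroupMember -Identity $Group -Members $Member
    }
}

foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $container
    }
}

foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # Prompt per account so no password is stored in the script
        $pw = Read-Host -AsSecureString -Prompt "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -AccountPassword $pw `
            -Enabled $true -PasswordNeverExpires $true -Path $container
    }
    if ($accounts[$name]) { Add-MemberIfMissing $accounts[$name] (Get-ADUser -Identity $name) }
}

# The ConfigMgr server's computer account goes in ConfigMgr_Servers (GPO and rights targeting)
$cm = Get-ADComputer -Filter "Name -eq '$CMServerName'"
if ($cm) { Add-MemberIfMissing 'ConfigMgr_Servers' $cm }
```

Keeping each role on its own account, as the post does, means the client push and domain join credentials can be scoped and rotated separately.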

Sample of how the GPOs look and how a couple of basic settings are scoped to the CM Server group.
You'll want to confirm that the ConfigMgr_Servers group has Full Control of the System Management OU (and that your CM server is in this group).

Enable Remote Desktop & Firewall Ports for RDC

Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services = Enabled
Computer Configuration -> Windows Settings -> Security Settings -> Windows Defender Firewall... -> Inbound Rules: right-click, New Rule -> Predefined: Remote Desktop

Blog Post List

Series Introduction - Building a CM Lab from Scratch

  1. Domain Controller - Setting up your Domain Controller
  2. Gateway Virtual Machine - Creating a Router for your Lab using Windows Server
  3. Certificate Authority - On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services