Greetings, I'm Professor Kay. In this short video presentation, we're going to see how we can use Group Policy to configure client machines to automatically trust a self-signed certificate. In our last two videos, we saw how we could take a certificate and manually install it into the correct certificate store on the client's machine. But what do you do if you have hundreds of users? You don't want to have to go around and touch every machine and manually import that certificate. To overcome this obstacle, and to reduce the administrative burden of dealing with this self-signed certificate not being trusted, we can create a Group Policy Object that will allow us to automatically push the certificate out to every machine on the domain and have it placed in the correct certificate store of the user. Now, this lab will work on both Server 2012 and Server 2016.
For this demonstration, I'm using a full install of Server 2016 configured as a domain controller. If we create a certificate, a script, or anything that needs to be accessible by everyone on the network, we can take that item and place it into the server's NETLOGON folder. And that's what we're going to do next. So the first thing we've got to do is take our certificate, called application testing, and place it inside of our server's NETLOGON folder. To do this, we're just going to hold down the Windows key and press R, which brings up the run line.
Now we're going to type in the network path to our server. In my case, it's backslash backslash DC one. I'm going to go ahead and hit OK, and that brings up all the shares that are available on this server. There are a couple of different ways we can get this certificate over into the NETLOGON folder, but I'm just going to pick my mouse, and I'm just going to drag it on over there and copy it into the folder. If we open up the folder, we can verify that the certificate is in place. For this next part of the lab, we're going to use Server Manager. We're going to go to Tools.
From here, we're going to scroll on down till we come to Group Policy Management. We're going to open that up. I've gone full screen with my Group Policy Management Console. And if we look at the top here, you'll see we have the name of our forest. If we open that up, you'll see we have some folders here. One of them is called Domains. And if we expand that, you will see the name of your domain.
And if you expand that, you will see some Group Policy Objects that are already available to you. My experience has been: if you don't have to create an object, don't. If you can use an existing Group Policy Object inside of this Management Console, do it. Some individuals will want to go ahead and create a new Group Policy Object. You can do that just by going up here to the name of your domain, right-clicking, and choosing to create a GPO in this domain and link it here. Or you can use one of these existing Group Policy Objects. My experience has been that if you need a policy, a Group Policy Object, or a setting to touch every user or machine on the domain, you can use the Default Domain Policy. If you need to push out specific settings for everyone's browser, you can use the Default Domain Policy.
If you need to set everyone's machine to use the correct net time, you can use the Default Domain Policy. And for this lab, since we need to get this certificate out to every machine on the domain, we can use the Default Domain Policy. To do this, we're just going to modify, or edit, our current Default Domain Policy. We do this just by going to the Default Domain Policy, right-clicking, and selecting Edit from the context menu. Let's go ahead and make this full screen. When a computer starts up, it contacts the domain controller for that domain. And then it begins to pull down all of the Group Policy Objects for the computer.
Once the computer is done, the user can log on. And that's when all the user configurations that are configured inside of Group Policy are applied for that user. To begin, we're going to expand Policies just beneath the Computer Configuration option. From here, we're going to go to Windows Settings. And next we're going to click on Security Settings. From here, we're going to scroll down till we come to Public Key Policies, and we're going to expand that.
From here, we're going to find the Trusted Root Certification Authorities container. We're going to right-click on that, and we're going to click on Import, which brings up the Certificate Import Wizard. On this first window, we can just click Next. And from here, we're going to click on the Browse button. On this next window, up at the top where you can type in the location that you want to look in, you're going to type in the network path to your domain controller. In this case, mine is backslash backslash DC one.
Now when I hit Enter, I am shown all my network shares. And now I will have access to the NETLOGON folder. And if I go down here and I choose All Files, I can now find and choose the correct certificate that I need to complete this file name requirement. It's important that everyone understand why we use a network path. A machine that is somewhere on the network cannot communicate with a C colon backslash or a local path. If we type in C colon backslash netlogon backslash application dot PFX, that machine will not be able to access it, because it will look locally on its own machine for that path.
It's not going to be able to use the network. So that's why we have to make sure we use a network path when we want a machine or a user to be able to locate something on our server remotely. We can now click Next. And here we have to type in the password we created when we first built this certificate.
We also need to check the box to mark this key as exportable. When we're done, we can click Next. On this next window, we can browse or we can accept the default location, and that's what we're going to do to place this certificate inside of the Trusted Root Certification Authorities store. We're going to go ahead and click Next. Here we can confirm all of our settings, and we can click Finish. We're given the "import was successful" message, and we can click OK to that.
And if we go back over to the left window pane and click on the Trusted Root Certification Authorities container, over in the right pane you will see that our certificate is present. Once Group Policy has refreshed and has pushed out the certificate to every machine on the network, anytime a user opens up their browser and needs to access the server that is going to issue this certificate, it will see that it is valid and that it is present inside of the user's Trusted Root Certification Authorities container. The exception to this rule is Firefox. Firefox does not access the Windows stores. Therefore, it will create the security warning, and the user will have to go into Firefox and make an exception for that website. So in this short video presentation, we got to see how we can use Group Policy to push out a certificate to every machine on the network.
That's going to conclude this short video presentation. So if you have any questions or concerns, please do not hesitate to reach out and contact your instructor and I'll see you in my next video.
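To confirm on a client that Group Policy actually delivered the certificate, the check below can be run from an elevated PowerShell session on a domain-joined machine. It is an added example, not part of the original video; the `$SubjectLike` pattern is an assumption and should be set to match the subject of your own certificate.

```powershell
# Added example: verify a GPO-deployed trusted root on a domain-joined client.
# Assumption: the certificate subject contains the name used in the video.
$SubjectLike = '*application testing*'

# Pull the latest computer policy from the domain controller.
gpupdate /target:computer /force | Out-Null

# Certificates delivered by Group Policy are stored under this policy key,
# separate from certificates someone imported by hand on the machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$policyThumbprints = @()
if (Test-Path $policyKey) {
    $policyThumbprints = @(Get-ChildItem $policyKey |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

# Computer Configuration policy lands in the machine store, which every
# user on the machine inherits.
$found = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $SubjectLike })

if ($found.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectLike' in the machine Trusted Root store."
}
else {
    $found | ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            Expired       = ($_.NotAfter -lt (Get-Date))
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            # True when the thumbprint is present under the policy key.
            FromGPO       = ($policyThumbprints -contains $_.Thumbprint)
            # A trusted root on a client only needs the public certificate.
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-List
}
```

Compare the reported thumbprint with the thumbprint of the certificate on the server before relying on the result, and note the `NotAfter` date so the policy can be updated before the certificate expires.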