• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Ad group policy1
 

Ad group policy1

on

  • 1,159 views

MCITP

MCITP

Statistics

Views

Total Views
1,159
Views on SlideShare
1,158
Embed Views
1

Actions

Likes
1
Downloads
106
Comments
0

1 Embed 1

http://www.docshut.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Ad group policy1 Ad group policy1 Presentation Transcript

    • Active Directory Group Policy
    • Group Policy Overview
      • Successor to NT policies
        • Much more flexible
      • Only applies to 2000 workstations
        • Use old style policies for NT
      • Used to manage desktop environment
      • Integrated into Active Directory
    • What Can Group Policy Manage?
      • Administrative Templates — registry-based settings
      • Security settings
      • Software installation
      • Scripts
        • Login, logout, startup, shutdown
      • Folder redirection
      • Remote Installation Services
      • Internet Explorer maintenance
    • Registry-based Settings
      • Control over desktop, control panel access, Start Menu and Taskbar, some Windows components, and more…
      • Generally three settings — Not configured, Enabled, Disabled
      • Implemented via Administrative Templates
        • Text file with .adm extension
        • Extensible
        • Can create your own
        • Some programs ship with their own (Office)
    • Security Policy Settings
      • Account Policies — password, account, Kerberos
      • Local Policies — auditing, user rights, security options
      • Event Log — e.g. maximum size
      • Restricted Group — group membership
      • System Services — security and startup settings
      • Registry — registry key security
      • File System — file system security
      • Public Key Policies — encryped data, certificate authorities
      • IP Security Policies — IP security
    • Software Installation
      • Use to install software
      • Use to upgrade software
      • Three methods
        • Assign applications to users
        • Assign applications to computers
        • Publish applications to users
          • Available to users, but not installed unless requested
    • Script Settings
      • Assign scripts (login, logout etc.)
      • Set processing order
    • Folder Redirection
      • Redirect special folders
        • Start Menu, Desktop
        • My Pictures, My Documents, Application Data
      • Choices
        • No redirection
        • Direct to same location
        • Different locations based on security groups
    • Parts of Group Policy Objects
      • Each GPO has two sections
        • Computer Configuration
        • User Configuration
      • Each part may be disabled
        • Properties of GPO/General
      • Recommended — if a section is unused, disable it
        • E.g. On GPO to configure user desktop, disable Computer Configuration section
    • Creating Group Policy Objects
      • AD Users and Computers
        • Properties of Domain/OU
        • Creates new GPO linked to that domain/OU
      • AD Sites and Services
        • To create site GPO
      • Also via MMC Group Policy Snap-in
        • To create a GPO not linked to a site, domain or OU
    • How are Group Policy Objects Applied
      • GPOs may be linked to AD containers
        • Sites, Domains and Organizational Units (OUs)
        • Apply to users and computers within container
          • Objects in child OUs inherit GPO settings from parent OUs, domain and site unless explicitly blocked
          • No inheritance across domain boundaries
      • One GPO may be linked to multiple containers
      • Multiple GPOs may be linked to a container
      • GPOs are not linked to groups
    • Modifying GPO Inheritance
      • Block Inheritance
        • If enabled on a container, objects in container do not receive any GPO settings from parent containers
      • No Override
        • If enabled on a GPO link, inheritance of GPO settings cannot be stopped via block inheritance
        • NB Applied to link, not the GPO itself
    • Filtering Group Policy Settings
      • GPO settings applied to all objects in container
      • Filter using security groups
        • Change default GPO permissions
          • Need Read and Apply GP ACEs to be able to apply a GPO
          • Need Read and Write GP ACEs to be able to read and modify a GPO
    • Deleting and Disabling Group Policy Objects
      • Disabling a GPO
        • Disable Computer or User sections
        • Disable both to disable GPO entirely
        • Also disable using Options button in AD Users and Computers/Container Properties
      • Deleting a GPO
        • AD Users and Computers
        • Will be offered two options
          • Remove the link from the list — deletes link but not GPO
          • Remove the link and delete the GPO permanently — deletes GPO
    • Disabling and Inheriting:— What do the Properties Belong to?
      • Properties of a given GPO
        • Disable Computer Configuration Settings
        • Disable User Configuration Settings
      • Properties of a given container
        • Block policy inheritance
      • Properties of a given link
        • No override
        • Disabled: the GPO is not applied to this container
    • Storage of Group Policy Objects
      • Group Policy Container (GPC)
        • Active Directory object storing version, status etc.
        • View by enabling Advanced Features in AD Users and Computers, then System/Policies
        • Named by GUID
      • Group Policy Template (GPT)
        • SysvolPolicies folder
        • Contains all GP) settings
        • Named by GUID
      • GPC and GPT replicated separately
      • Policies only apply if both GPC and GPT are in sync
    • Storage of Group Policy Settings
      • Stored in client registry
        • HKEY_LOCAL_MACHINE (Computer settings)
        • HKEY_CURRENT_USER (User settings)
      • Special registry keys used
        • SoftwarePolicies (preferred)
        • SoftwareMicrosoftWindowsCurrentVersionPolicies
      • Removed when GPO no longer applies
    • Order of GPO Application
      • Order of application is Site, Domain OU (SDOU)
      • Multiple OUs — order of application is according to domain hierarchy (start at top of tree and work down)
      • Multiple GPOs for same OU — processed in reverse order of list of GPOs shown for that OU
        • I.e. GPO at top of list takes precedence
        • Order can be changed
    • When are GP Settings Applied?
      • Computer settings
        • On boot
        • According to periodic refresh cycle
      • User settings
        • On user logon
        • According to periodic refresh cycle
      • If computer and user settings conflict, computer settings take precedence
    • Refreshing Group Policy
      • Default refresh intervals
        • 2000 professional and member servers — very 90 minutes with randomized 30 minutes offset
        • Domain controllers — every five minutes
      • Changed by altering administrative template settings for user or computers
      • Exception — software installation and folder redirection policies only applied on boot or user logon, not periodically
    • Conflicts
      • Where settings for GPO of parent container conflict with those for GPO of child, child container settings win
      • Where settings from different GPOs linked to same container conflict, settings of GPO highest in list are win
        • Use Up/Down to change position
      • Exception — where computer and user settings conflict, computer settings win
        • Except IP Security and User Rights settings
    • Managing Group Policy Objects
      • Creating or editing GPOs controlled by PDC emulator by default
        • Minimise conflicts
      • To change
        • Group Policy mmc snap-in/View/DC Options
        • Or use Group Policy
      • Recommended that this is left unchanged
      • NB By default, only Domain Admins, Enterprise Admins, Group Policy Creator Owners and System account can create and edit GPOs
    • Loopback Processing
      • Computer settings part of GPO linked to OU apply only to computers within OU
      • Similarly, user settings apply only to users within OU
      • Therefore, normally, user in OU A logging on to computer in OU B gets combination of user settings from OU A GPOs and computer settings from OU B GPOs (and any inherited etc.)
    • Loopback Processing cont.
      • May want to apply same user settings to any user logging on to a given workstation, regardless of user OU
        • E.g. classroom, public area workstations
      • Loopback processing does this
        • Merge mode applies normal GPOs for user as well (but those from computer take precedence)
        • Replace mode does not apply normal GPOs for user
    • Local Group Policy
      • Computers also have a single Local Group Policy Object (LGPO)
      • Only supports Security Settings, Administrative Templates and Scripts
      • Processed before AD GPOs
        • Block inheritance does not stop its application
      • Generally unused in an AD setup
        • Most useful for configuring standalone computers
    • Delegation
      • It is possible to delegate responsibility for the following tasks
        • Managing links
        • Creating GPOs
        • Editing GPOs
    • DomainExceptions for Domain Controllers
      • Some settings only from GPOs linked to domain
        • Domain controllers share same account database so some settings must be the same
        • Not applied to Domain Controllers OU because DCs may be moved out of this OU
      • NB Can change these settings in other GPOs but will have no effect on domain policy
        • Will affect local logons (i.e. non-domain) if they apply to workstations or member servers
    • Exceptions for Domain Controllers cont.
      • Domain-wide settings
        • All account policies (Computer Configuration/Windows Settings/Security Settings)
          • I.e. Password, Account lockout and Kerberos policies)
        • Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options
          • Automatically log off users when logon time expires
          • Rename administrator account
          • Rename guest account
    • Common Desktop Management Scenarios
      • Package containing GPOs developed for six different scenarios that can be loaded into AD
        • Includes white paper describing scenarios
        • Excel spreadsheet documenting all GPO settings
      • Scenarios are for the following
        • Lightly Managed Desktop (e.g. power user)
        • Mobile User
        • Multi-User Desktop
        • AppStation (Highly Managed Desktop) (e.g. admin user)
        • TaskStation (e.g. single task)
        • Kiosk (e.g. public workstation)
    • Common Desktop Management Scenarios
      • NB Loading GPOs into AD does not mean they take immediate effect
        • Not linked to any container
      • Use as starting points
      • Use Excel spreadsheet to document GPO changes
    • Common Desktop Management Scenarios
      • White paper
        • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/grppolsc.asp
      • All files
        • http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe
    • OU Design Issues
      • Deep OU structure
        • Easier to apply GPOs without filtering
        • More likely to require inheritance modifications
      • Flat OU structure
        • More likely to need filtering
        • Easier to troubleshoot (less inheritance issues)
    • Number of GPOs Required
      • Few comprehensive GPOs
        • Less to manage
        • Shorter logon times
      • Many narrowly focussed GPOs
        • More to manage
        • Likely to need to more filtering
        • Increased logon times
      • In theory, up to 20 GPOs applying to a user should not have major impact on logon times
    • Recommendations
      • Disable unused parts of GPO (computer, user settings)
      • Limit use of inheritance blocking, no override, loopback processing and filtering
        • Simplifies troubleshooting
      • Limit total number of GPOs that apply to a user or computer
        • Improves logon times
    • Recommendations cont.
      • Limit the number of admins who can edit GPOs
      • Test thoroughly before applying to users/computers
      • Document settings
        • Use spreadsheets from Common Desktop Management Scenarios package
    • References
      • Windows 2000 Group Policy
        • http://www.microsoft.com/windows2000/docs/grouppolwp.doc
      • Loopback Processing of Group Policy
        • http://support.microsoft.com/support/kb/articles/Q231/2/87.ASP
      • How to Use Group Policy Objects to Deploy SP1 for Windows 2000
        • http://support.microsoft.com/support/kb/articles/Q260/3/01.ASP
    • References
      • Group Policy Application Rules for Domain Controllers
        • http://support.microsoft.com/support/kb/articles/Q259/5/76.ASP
      • Domain Security Policy in Windows 2000
        • http://support.microsoft.com/support/kb/articles/Q221/9/30.ASP
      • Configuring Account Policies in Active Directory
        • http://support.microsoft.com/support/kb/articles/Q255/5/50.ASP
    • Diagnosing Problems
      • Resource kit
        • Gpotool.exe
        • Gpresult.exe
      • FAZAM 2000
        • Help to see end results of applying a number of GPOs
        • http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp
          • Reduced functionality version
        • http://www.fullarmor.com/solutions/group/
          • Full, commercial version