Ad group policy1
    Presentation Transcript

    • Active Directory Group Policy
    • Group Policy Overview
      • Successor to NT policies
        • Much more flexible
      • Only applies to Windows 2000 workstations
        • Use old style policies for NT
      • Used to manage desktop environment
      • Integrated into Active Directory
    • What Can Group Policy Manage?
      • Administrative Templates — registry-based settings
      • Security settings
      • Software installation
      • Scripts
        • Login, logout, startup, shutdown
      • Folder redirection
      • Remote Installation Services
      • Internet Explorer maintenance
    • Registry-based Settings
      • Control over desktop, control panel access, Start Menu and Taskbar, some Windows components, and more…
      • Generally three settings — Not configured, Enabled, Disabled
      • Implemented via Administrative Templates
        • Text file with .adm extension
        • Extensible
        • Can create your own
        • Some programs ship with their own (Office)
    • Security Policy Settings
      • Account Policies — password, account, Kerberos
      • Local Policies — auditing, user rights, security options
      • Event Log — e.g. maximum size
      • Restricted Group — group membership
      • System Services — security and startup settings
      • Registry — registry key security
      • File System — file system security
      • Public Key Policies — encrypted data, certificate authorities
      • IP Security Policies — IP security
    • Software Installation
      • Use to install software
      • Use to upgrade software
      • Three methods
        • Assign applications to users
        • Assign applications to computers
        • Publish applications to users
          • Available to users, but not installed unless requested
    • Script Settings
      • Assign scripts (login, logout etc.)
      • Set processing order
    • Folder Redirection
      • Redirect special folders
        • Start Menu, Desktop
        • My Pictures, My Documents, Application Data
      • Choices
        • No redirection
        • Direct to same location
        • Different locations based on security groups
    • Parts of Group Policy Objects
      • Each GPO has two sections
        • Computer Configuration
        • User Configuration
      • Each part may be disabled
        • Properties of GPO/General
      • Recommended — if a section is unused, disable it
        • E.g. On GPO to configure user desktop, disable Computer Configuration section
    • Creating Group Policy Objects
      • AD Users and Computers
        • Properties of Domain/OU
        • Creates new GPO linked to that domain/OU
      • AD Sites and Services
        • To create site GPO
      • Also via MMC Group Policy Snap-in
        • To create a GPO not linked to a site, domain or OU
    • How are Group Policy Objects Applied
      • GPOs may be linked to AD containers
        • Sites, Domains and Organizational Units (OUs)
        • Apply to users and computers within container
          • Objects in child OUs inherit GPO settings from parent OUs, domain and site unless explicitly blocked
          • No inheritance across domain boundaries
      • One GPO may be linked to multiple containers
      • Multiple GPOs may be linked to a container
      • GPOs are not linked to groups
    • Modifying GPO Inheritance
      • Block Inheritance
        • If enabled on a container, objects in container do not receive any GPO settings from parent containers
      • No Override
        • If enabled on a GPO link, inheritance of GPO settings cannot be stopped via block inheritance
        • NB Applied to link, not the GPO itself
    • Filtering Group Policy Settings
      • GPO settings applied to all objects in container
      • Filter using security groups
        • Change default GPO permissions
          • Need Read and Apply GP ACEs to be able to apply a GPO
          • Need Read and Write GP ACEs to be able to read and modify a GPO
    • Deleting and Disabling Group Policy Objects
      • Disabling a GPO
        • Disable Computer or User sections
        • Disable both to disable GPO entirely
        • Also disable using Options button in AD Users and Computers/Container Properties
      • Deleting a GPO
        • AD Users and Computers
        • Will be offered two options
          • Remove the link from the list — deletes link but not GPO
          • Remove the link and delete the GPO permanently — deletes GPO
    • Disabling and Inheriting: What Do the Properties Belong To?
      • Properties of a given GPO
        • Disable Computer Configuration Settings
        • Disable User Configuration Settings
      • Properties of a given container
        • Block policy inheritance
      • Properties of a given link
        • No override
        • Disabled: the GPO is not applied to this container
    • Storage of Group Policy Objects
      • Group Policy Container (GPC)
        • Active Directory object storing version, status etc.
        • View by enabling Advanced Features in AD Users and Computers, then System/Policies
        • Named by GUID
      • Group Policy Template (GPT)
        • Sysvol\Policies folder
        • Contains all GP settings
        • Named by GUID
      • GPC and GPT replicated separately
      • Policies only apply if both GPC and GPT are in sync
    • Storage of Group Policy Settings
      • Stored in client registry
        • HKEY_LOCAL_MACHINE (Computer settings)
        • HKEY_CURRENT_USER (User settings)
      • Special registry keys used
        • Software\Policies (preferred)
        • Software\Microsoft\Windows\CurrentVersion\Policies
      • Removed when GPO no longer applies
    • Order of GPO Application
      • Order of application is Site, Domain, OU (SDOU)
      • Multiple OUs — order of application is according to domain hierarchy (start at top of tree and work down)
      • Multiple GPOs for same OU — processed in reverse order of list of GPOs shown for that OU
        • I.e. GPO at top of list takes precedence
        • Order can be changed
    • When are GP Settings Applied?
      • Computer settings
        • On boot
        • According to periodic refresh cycle
      • User settings
        • On user logon
        • According to periodic refresh cycle
      • If computer and user settings conflict, computer settings take precedence
    • Refreshing Group Policy
      • Default refresh intervals
        • 2000 Professional and member servers — every 90 minutes with a randomized 30 minute offset
        • Domain controllers — every five minutes
      • Changed by altering administrative template settings for user or computers
      • Exception — software installation and folder redirection policies only applied on boot or user logon, not periodically
    • Conflicts
      • Where settings for GPO of parent container conflict with those for GPO of child, child container settings win
      • Where settings from different GPOs linked to same container conflict, settings of GPO highest in list win
        • Use Up/Down to change position
      • Exception — where computer and user settings conflict, computer settings win
        • Except IP Security and User Rights settings
    • Managing Group Policy Objects
      • Creating or editing GPOs controlled by PDC emulator by default
        • Minimise conflicts
      • To change
        • Group Policy MMC snap-in/View/DC Options
        • Or use Group Policy
      • Recommended that this is left unchanged
      • NB By default, only Domain Admins, Enterprise Admins, Group Policy Creator Owners and System account can create and edit GPOs
    • Loopback Processing
      • Computer settings part of GPO linked to OU apply only to computers within OU
      • Similarly, user settings apply only to users within OU
      • Therefore, normally, user in OU A logging on to computer in OU B gets combination of user settings from OU A GPOs and computer settings from OU B GPOs (and any inherited etc.)
    • Loopback Processing cont.
      • May want to apply same user settings to any user logging on to a given workstation, regardless of user OU
        • E.g. classroom, public area workstations
      • Loopback processing does this
        • Merge mode applies normal GPOs for user as well (but those from computer take precedence)
        • Replace mode does not apply normal GPOs for user
    • Local Group Policy
      • Computers also have a single Local Group Policy Object (LGPO)
      • Only supports Security Settings, Administrative Templates and Scripts
      • Processed before AD GPOs
        • Block inheritance does not stop its application
      • Generally unused in an AD setup
        • Most useful for configuring standalone computers
    • Delegation
      • It is possible to delegate responsibility for the following tasks
        • Managing links
        • Creating GPOs
        • Editing GPOs
    • Exceptions for Domain Controllers
      • Some settings only from GPOs linked to domain
        • Domain controllers share same account database so some settings must be the same
        • Not applied to Domain Controllers OU because DCs may be moved out of this OU
      • NB Can change these settings in other GPOs but will have no effect on domain policy
        • Will affect local logons (i.e. non-domain) if they apply to workstations or member servers
    • Exceptions for Domain Controllers cont.
      • Domain-wide settings
        • All account policies (Computer Configuration/Windows Settings/Security Settings)
          • I.e. Password, Account Lockout and Kerberos policies
        • Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options
          • Automatically log off users when logon time expires
          • Rename administrator account
          • Rename guest account
    • Common Desktop Management Scenarios
      • Package containing GPOs developed for six different scenarios that can be loaded into AD
        • Includes white paper describing scenarios
        • Excel spreadsheet documenting all GPO settings
      • Scenarios are for the following
        • Lightly Managed Desktop (e.g. power user)
        • Mobile User
        • Multi-User Desktop
        • AppStation (Highly Managed Desktop) (e.g. admin user)
        • TaskStation (e.g. single task)
        • Kiosk (e.g. public workstation)
    • Common Desktop Management Scenarios
      • NB Loading GPOs into AD does not mean they take immediate effect
        • Not linked to any container
      • Use as starting points
      • Use Excel spreadsheet to document GPO changes
    • Common Desktop Management Scenarios
      • White paper
        • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/grppolsc.asp
      • All files
        • http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe
    • OU Design Issues
      • Deep OU structure
        • Easier to apply GPOs without filtering
        • More likely to require inheritance modifications
      • Flat OU structure
        • More likely to need filtering
        • Easier to troubleshoot (fewer inheritance issues)
    • Number of GPOs Required
      • Few comprehensive GPOs
        • Less to manage
        • Shorter logon times
      • Many narrowly focussed GPOs
        • More to manage
        • Likely to need more filtering
        • Increased logon times
      • In theory, up to 20 GPOs applying to a user should not have major impact on logon times
    • Recommendations
      • Disable unused parts of GPO (computer, user settings)
      • Limit use of inheritance blocking, no override, loopback processing and filtering
        • Simplifies troubleshooting
      • Limit total number of GPOs that apply to a user or computer
        • Improves logon times
    • Recommendations cont.
      • Limit the number of admins who can edit GPOs
      • Test thoroughly before applying to users/computers
      • Document settings
        • Use spreadsheets from Common Desktop Management Scenarios package
    • References
      • Windows 2000 Group Policy
        • http://www.microsoft.com/windows2000/docs/grouppolwp.doc
      • Loopback Processing of Group Policy
        • http://support.microsoft.com/support/kb/articles/Q231/2/87.ASP
      • How to Use Group Policy Objects to Deploy SP1 for Windows 2000
        • http://support.microsoft.com/support/kb/articles/Q260/3/01.ASP
    • References
      • Group Policy Application Rules for Domain Controllers
        • http://support.microsoft.com/support/kb/articles/Q259/5/76.ASP
      • Domain Security Policy in Windows 2000
        • http://support.microsoft.com/support/kb/articles/Q221/9/30.ASP
      • Configuring Account Policies in Active Directory
        • http://support.microsoft.com/support/kb/articles/Q255/5/50.ASP
    • Diagnosing Problems
      • Resource kit
        • Gpotool.exe
        • Gpresult.exe
      • FAZAM 2000
        • Help to see end results of applying a number of GPOs
        • http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp
          • Reduced functionality version
        • http://www.fullarmor.com/solutions/group/
          • Full, commercial version