Ad group policy1

MCITP

Published in: Education, Technology

1. Active Directory Group Policy

2. Group Policy Overview
   - Successor to NT 4.0 System Policy
     - Much more flexible
   - Applies only to Windows 2000 (and later) computers
     - NT 4.0 clients still need old-style System Policy
   - Used to manage the desktop environment
   - Integrated into Active Directory

3. What Can Group Policy Manage?
   - Administrative Templates (registry-based settings)
   - Security settings
   - Software installation
   - Scripts
     - Logon, logoff, startup, shutdown
   - Folder redirection
   - Remote Installation Services
   - Internet Explorer maintenance

4. Registry-based Settings
   - Control over the desktop, Control Panel access, Start Menu and Taskbar, some Windows components, and more
   - Generally three states: Not Configured, Enabled, Disabled
   - Implemented via Administrative Templates
     - Text file with an .adm extension
     - Extensible; you can write your own
     - Some programs ship with their own (e.g. Office)

5. Security Policy Settings
   - Account Policies: password, account lockout, Kerberos
   - Local Policies: auditing, user rights, security options
   - Event Log: e.g. maximum log size
   - Restricted Groups: group membership
   - System Services: security and startup settings
   - Registry: registry key security (ACLs)
   - File System: file system security (ACLs)
   - Public Key Policies: encrypted data recovery agents, certificate authorities
   - IP Security Policies: IPsec

6. Software Installation
   - Use to install software
   - Use to upgrade software
   - Three methods
     - Assign applications to users
     - Assign applications to computers
     - Publish applications to users
       - Available to users (via Add/Remove Programs) but not installed unless requested

7. Script Settings
   - Assign scripts (logon, logoff, startup, shutdown)
   - Set the processing order

8. Folder Redirection
   - Redirect special folders
     - Start Menu, Desktop
     - My Pictures, My Documents, Application Data
   - Choices
     - No redirection
     - Redirect everyone to the same location
     - Different locations based on security group membership

9. Parts of Group Policy Objects
   - Each GPO has two sections
     - Computer Configuration
     - User Configuration
   - Either section may be disabled
     - GPO Properties / General tab
   - Recommended: if a section is unused, disable it, so the client skips it
     - E.g. on a GPO that configures the user desktop, disable the Computer Configuration section

10. Creating Group Policy Objects
   - AD Users and Computers
     - Properties of the domain or OU, Group Policy tab
     - Creates a new GPO linked to that domain or OU
   - AD Sites and Services
     - To create a site-linked GPO
   - Also via the MMC Group Policy snap-in
     - To create a GPO not linked to any site, domain or OU

11. How Are Group Policy Objects Applied?
   - GPOs are linked to AD containers
     - Sites, domains and organizational units (OUs)
     - Apply to the users and computers within the container
       - Objects in child OUs inherit GPO settings from parent OUs, the domain and the site unless inheritance is explicitly blocked
       - No inheritance across domain boundaries
   - One GPO may be linked to multiple containers
   - Multiple GPOs may be linked to one container
   - GPOs are never linked to groups (groups are used only to filter, see slide 13)

12. Modifying GPO Inheritance
   - Block Inheritance
     - If enabled on a container, objects in that container receive no GPO settings from parent containers
   - No Override (later renamed "Enforced" in GPMC)
     - If enabled on a GPO link, that link cannot be stopped by Block Inheritance and its settings win over conflicting settings from child containers
     - NB Applies to the link, not to the GPO itself

13. Filtering Group Policy Settings
   - By default a GPO's settings apply to every object in the container (Authenticated Users have Read and Apply Group Policy)
   - Filter using security groups by changing the default GPO permissions
     - A user or computer needs both the Read and the Apply Group Policy ACEs for the GPO to apply
     - An administrator needs the Read and Write ACEs to read and modify a GPO

14. Deleting and Disabling Group Policy Objects
   - Disabling a GPO
     - Disable the Computer or User section
     - Disable both to disable the GPO entirely
     - Or disable the link via the Options button in AD Users and Computers / container Properties
   - Deleting a GPO (AD Users and Computers)
     - Two options are offered
       - Remove the link from the list: deletes the link but not the GPO
       - Remove the link and delete the GPO permanently: deletes the GPO itself, wherever else it is linked

15. Disabling and Inheriting: What Do the Properties Belong to?
   - Properties of a given GPO
     - Disable Computer Configuration settings
     - Disable User Configuration settings
   - Properties of a given container
     - Block Policy Inheritance
   - Properties of a given link
     - No Override
     - Disabled: the GPO is not applied via this link

16. Storage of Group Policy Objects
   - Group Policy Container (GPC)
     - Active Directory object storing version, status etc.
     - View by enabling Advanced Features in AD Users and Computers, then System/Policies
     - Named by GUID
   - Group Policy Template (GPT)
     - SYSVOL\Policies folder on every DC (\\<domain>\SYSVOL\<domain>\Policies\<GUID>)
     - Contains the settings themselves (registry.pol, security templates, scripts, .adm files)
     - Named by the same GUID
   - GPC and GPT are replicated separately (AD replication for the GPC, FRS for SYSVOL)
   - A policy is applied only when the GPC and GPT version numbers match
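The "in sync" check on slide 16 is what Gpotool.exe automates. The following is an added Python example, not Microsoft code and not part of the deck; it assumes the fact that a GPO's version is one 32-bit number stored twice, in the GPC's versionNumber attribute and in the gpt.ini file of the GPT, with the low 16 bits counting Computer Configuration edits and the high 16 bits User Configuration edits. The gpt.ini text and the displayName are constructed.

```python
"""Compare a GPO's AD half (GPC) with its SYSVOL half (GPT), as gpotool.exe does.
Added example, not Microsoft code. The version is one DWORD stored in both
places: low 16 bits = Computer Configuration version, high 16 bits = User
Configuration version; every edit bumps the relevant half in both copies."""
import configparser


def split_version(version: int) -> tuple:
    """(computer_version, user_version) from the packed DWORD."""
    return version & 0xFFFF, version >> 16


def pack_version(computer: int, user: int) -> int:
    """Inverse of split_version."""
    return (user << 16) | computer


def gpt_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a gpt.ini file."""
    ini = configparser.ConfigParser()
    ini.read_string(gpt_ini_text)
    return int(ini["General"]["Version"])


def check_sync(gpc_version: int, gpt_ini_text: str) -> dict:
    """Report both halves and whether the GPC and GPT agree."""
    gpt = gpt_version(gpt_ini_text)
    report = {
        "gpc": split_version(gpc_version),
        "gpt": split_version(gpt),
        "in_sync": gpc_version == gpt,
    }
    if not report["in_sync"]:
        # Versions only ever grow, so the lower copy is the replica that has not
        # caught up: SYSVOL (FRS) if the GPT is behind, AD replication if the GPC is.
        report["lagging"] = "GPT (SYSVOL/FRS)" if gpt < gpc_version else "GPC (AD)"
    return report


# Constructed gpt.ini as found in \\<domain>\SYSVOL\<domain>\Policies\{GUID}\gpt.ini
GPT_INI = "[General]\nVersion=131074\ndisplayName=Lab Desktop\n"  # computer 2, user 2

if __name__ == "__main__":
    print(check_sync(131074, GPT_INI))               # both halves (2, 2): in sync
    print(check_sync(pack_version(2, 3), GPT_INI))   # user half edited, SYSVOL copy behind
```

In a real domain the comparison has to be repeated against every DC, because the two halves replicate over different mechanisms and a client that reads the GPC from one DC and the GPT from another can see a mismatch that no single DC shows.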
17. Storage of Group Policy Settings
   - Applied settings are written to the client registry
     - HKEY_LOCAL_MACHINE (computer settings)
     - HKEY_CURRENT_USER (user settings)
   - Under special policy keys
     - Software\Policies (preferred)
     - Software\Microsoft\Windows\CurrentVersion\Policies
   - Removed when the GPO no longer applies (values written anywhere else "tattoo" the registry and persist after the GPO is gone)

18. Order of GPO Application
   - Order of application is Site, Domain, OU (SDOU)
   - Multiple OUs: applied according to the domain hierarchy (start at the top of the tree and work down)
   - Multiple GPOs for the same OU: processed in reverse order of the list shown for that OU
     - I.e. the GPO at the top of the list is applied last and takes precedence
     - The order can be changed

19. When Are GP Settings Applied?
   - Computer settings
     - At boot
     - On the periodic refresh cycle
   - User settings
     - At user logon
     - On the periodic refresh cycle
   - Where computer and user settings conflict, computer settings take precedence

20. Refreshing Group Policy
   - Default refresh intervals
     - Windows 2000 Professional and member servers: every 90 minutes, plus a random offset of up to 30 minutes
     - Domain controllers: every five minutes
   - Changed via the Administrative Template settings for users or computers (System/Group Policy)
   - Manual refresh on Windows 2000: secedit /refreshpolicy machine_policy (or user_policy), with /enforce to reapply unchanged GPOs
   - Exception: software installation and folder redirection are applied only at boot or user logon, never on the periodic refresh

21. Conflicts
   - Where a setting in a parent container's GPO conflicts with one in a child container's GPO, the child's setting wins (unless the parent link is No Override)
   - Where settings from different GPOs linked to the same container conflict, the GPO highest in the list wins
     - Use Up/Down to change position
   - Exception: where computer and user settings conflict, computer settings win
     - Except for IP Security and User Rights settings

22. Managing Group Policy Objects
   - By default GPOs are created and edited on the PDC emulator
     - Minimises conflicts between administrators editing the same GPO on different DCs
   - To change
     - Group Policy MMC snap-in / View / DC Options
     - Or via the "Group Policy domain controller selection" policy setting
   - Recommended that this is left unchanged
   - NB By default only Domain Admins, Enterprise Admins, Group Policy Creator Owners and the System account can create and edit GPOs

23. Loopback Processing
   - The Computer Configuration part of a GPO linked to an OU applies only to computers within that OU
   - Similarly, the User Configuration part applies only to users within that OU
   - Therefore, normally, a user in OU A logging on to a computer in OU B gets the user settings from OU A's GPOs and the computer settings from OU B's GPOs (plus whatever each inherits)

24. Loopback Processing cont.
   - You may want the same user settings for anyone logging on to a given workstation, regardless of the user's OU
     - E.g. classroom or public-area workstations
   - Loopback processing does this (a Computer Configuration setting under System/Group Policy)
     - Merge mode applies the user's normal GPOs as well, but the user settings of the computer's GPOs are applied afterwards and take precedence
     - Replace mode does not apply the user's normal GPOs at all
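The ordering rules on slides 11 to 14, 18, 21, 23 and 24 are easiest to check by running them. The following is an added Python model, not Microsoft's code and not from the deck: it treats the site as the root of a container chain, reduces security filtering to "is the principal in a group holding Read + Apply Group Policy", and ignores client-side extensions, ACL details and version numbers. Every container, GPO, group and setting name is constructed.

```python
"""Toy model of the GPO ordering rules on the slides: SDOU order, list order,
Block Inheritance, No Override, security filtering, disabled sections and
loopback. Added illustration, not Microsoft's code; all names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    computer_enabled: bool = True                 # either section may be disabled
    user_enabled: bool = True
    apply_to: Optional[set] = None  # groups holding Read + Apply Group Policy; None = everyone


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # No Override belongs to the link, not to the GPO


@dataclass
class Container:  # site, domain or OU; the site is modelled as the root of the chain
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # top of the list = highest precedence
    block_inheritance: bool = False


def application_order(leaf: Container, local: Optional[GPO] = None) -> list:
    """GPOs in the order the client applies them; a later GPO overwrites an earlier one."""
    path, c = [], leaf
    while c is not None:
        path.append(c)
        c = c.parent
    path.reverse()  # site, domain, top-level OU, ..., leaf: the SDOU order
    # Only links on or below the deepest container with Block Inheritance survive,
    # except No Override links, which cannot be blocked.
    deepest_block = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced_per_level = [], []
    for i, c in enumerate(path):
        level = []
        for link in reversed(c.links):  # bottom of the list first, so the top is applied last
            if link.no_override:
                level.append(link.gpo)
            elif i >= deepest_block:
                normal.append(link.gpo)
        enforced_per_level.append(level)
    # No Override links go after everything else; among them the site's are applied
    # last (and win), then the domain's, then each OU's from the top of the tree down.
    enforced = [g for level in reversed(enforced_per_level) for g in level]
    return ([local] if local else []) + normal + enforced  # the LGPO goes first, so it loses


def apply_section(gpos: list, section: str, groups: set) -> dict:
    """Replay one section of each GPO in order; the last GPO to write a setting wins."""
    result = {}
    for g in gpos:
        if g.apply_to is not None and not (g.apply_to & groups):
            continue  # security filtering: this principal lacks Apply Group Policy
        if section == "computer" and g.computer_enabled:
            result.update(g.computer)
        elif section == "user" and g.user_enabled:
            result.update(g.user)
    return result


def user_settings(user_ou, user_groups, computer_ou, loopback=None) -> dict:
    """loopback=None: normal; 'merge': the computer's GPO list is applied after the
    user's own, so it wins conflicts; 'replace': only the computer's list is used."""
    own, via_computer = application_order(user_ou), application_order(computer_ou)
    gpos = {None: own, "merge": own + via_computer, "replace": via_computer}[loopback]
    return apply_section(gpos, "user", user_groups)


# Constructed sample: one site, one domain, a Workstations OU that blocks inheritance.
S = GPO("Site-Audit", computer={"audit": "site"})
A = GPO("Domain-Lockout", computer={"lockout": "enforced-domain"}, user={"pw_reminder": "14"})
B = GPO("Domain-Base", computer={"lockout": "domain-b", "audit": "domain-b"})
B2 = GPO("Domain-Old", computer={"audit": "domain-b2"})
C = GPO("WS-Baseline", computer={"lockout": "ws", "audit": "ws"},
        user={"homepage": "ws-home"}, user_enabled=False)  # user half disabled
D = GPO("Lab-Desktop", computer={"lockout": "labs"}, user={"wallpaper": "labs"})
U = GPO("Lab-USB", computer={"usb": "blocked"}, apply_to={"Lab Computers"})
E = GPO("Staff-Desktop", user={"wallpaper": "staff", "proxy": "staff-proxy"})

site = Container("Default-First-Site", links=[Link(S)])
domain = Container("corp.example", site, links=[Link(A, no_override=True), Link(B), Link(B2)])
servers = Container("Servers", domain)
staff = Container("Staff", domain, links=[Link(E)])
workstations = Container("Workstations", domain, links=[Link(C)], block_inheritance=True)
labs = Container("Labs", workstations, links=[Link(D), Link(U)])

if __name__ == "__main__":
    print([g.name for g in application_order(labs)])
    print(apply_section(application_order(labs), "computer", {"Domain Computers", "Lab Computers"}))
    print(user_settings(staff, {"Domain Users"}, labs, loopback="merge"))
```

For a computer in the Labs OU the site and ordinary domain links are dropped by the Block Inheritance on Workstations, yet the No Override link for Domain-Lockout is still applied, last, and wins over the OU's own lockout setting; a computer outside the Lab Computers group never sees Lab-USB. A Staff user logging on to a Labs computer with loopback in merge mode keeps the proxy from Staff-Desktop but gets the lab wallpaper, and in replace mode the proxy setting disappears because Staff-Desktop is never read.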
25. Local Group Policy
   - Every computer also has a single Local Group Policy Object (LGPO)
   - Supports only Security Settings, Administrative Templates and Scripts
   - Processed before the AD GPOs, so any AD-delivered setting overrides it
     - Block Inheritance does not stop its application
   - Generally unused in an AD setup
     - Most useful for configuring standalone computers

26. Delegation
   - Responsibility for the following tasks can be delegated separately
     - Managing links
     - Creating GPOs
     - Editing GPOs

27. Exceptions for Domain Controllers
   - Some settings are taken only from GPOs linked to the domain
     - Domain controllers share one account database, so these settings must be the same on every DC
     - Not taken from the Domain Controllers OU because a DC may be moved out of that OU
   - NB These settings can be configured in other GPOs but have no effect on domain accounts
     - They do affect local (non-domain) accounts on any workstations or member servers the GPO applies to

28. Exceptions for Domain Controllers cont.
   - Domain-wide settings
     - All account policies (Computer Configuration/Windows Settings/Security Settings)
       - I.e. Password, Account Lockout and Kerberos policies
     - Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options
       - Automatically log off users when logon time expires
       - Rename administrator account
       - Rename guest account

29. Common Desktop Management Scenarios
   - Microsoft package of GPOs for six scenarios that can be loaded into AD
     - Includes a white paper describing the scenarios
     - Excel spreadsheet documenting every GPO setting
   - Scenarios
     - Lightly Managed Desktop (e.g. power user)
     - Mobile User
     - Multi-User Desktop
     - AppStation (Highly Managed Desktop) (e.g. admin user)
     - TaskStation (e.g. single task)
     - Kiosk (e.g. public workstation)

30. Common Desktop Management Scenarios
   - NB Loading the GPOs into AD does not mean they take immediate effect
     - They are not linked to any container
   - Use them as starting points
   - Use the Excel spreadsheet to document your GPO changes

31. Common Desktop Management Scenarios
   - White paper
     - http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/grppolsc.asp
   - All files
     - http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe

32. OU Design Issues
   - Deep OU structure
     - Easier to apply GPOs without filtering
     - More likely to require inheritance modifications
   - Flat OU structure
     - More likely to need filtering
     - Easier to troubleshoot (fewer inheritance issues)

33. Number of GPOs Required
   - Few comprehensive GPOs
     - Less to manage
     - Shorter logon times
   - Many narrowly focused GPOs
     - More to manage
     - Likely to need more filtering
     - Longer logon times
   - In theory, up to 20 GPOs applying to a user should not have a major impact on logon times

34. Recommendations
   - Disable unused parts of a GPO (computer or user settings)
   - Limit the use of inheritance blocking, No Override, loopback processing and filtering
     - Simplifies troubleshooting
   - Limit the total number of GPOs that apply to a user or computer
     - Improves logon times

35. Recommendations cont.
   - Limit the number of administrators who can edit GPOs
   - Test thoroughly before applying to production users and computers
   - Document settings
     - Use the spreadsheets from the Common Desktop Management Scenarios package

36. References
   - Windows 2000 Group Policy
     - http://www.microsoft.com/windows2000/docs/grouppolwp.doc
   - Loopback Processing of Group Policy
     - http://support.microsoft.com/support/kb/articles/Q231/2/87.ASP
   - How to Use Group Policy Objects to Deploy SP1 for Windows 2000
     - http://support.microsoft.com/support/kb/articles/Q260/3/01.ASP

37. References
   - Group Policy Application Rules for Domain Controllers
     - http://support.microsoft.com/support/kb/articles/Q259/5/76.ASP
   - Domain Security Policy in Windows 2000
     - http://support.microsoft.com/support/kb/articles/Q221/9/30.ASP
   - Configuring Account Policies in Active Directory
     - http://support.microsoft.com/support/kb/articles/Q255/5/50.ASP

38. Diagnosing Problems
   - Resource Kit
     - Gpotool.exe: checks that the GPC and GPT of each GPO are consistent across DCs
     - Gpresult.exe: lists the GPOs actually applied to a user or computer
   - FAZAM 2000
     - Helps to see the end result of applying a number of GPOs
     - http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp (reduced-functionality version)
     - http://www.fullarmor.com/solutions/group/ (full, commercial version)
