ITI310 (2008). By Eng. BASSEM ALSAID. Sessions 9, 10 and 11. “Active Directory – S 9 Revision”.
AD Logical Components: Object, Organizational Unit (OU), Domain, Tree, Forest.
AD Physical Components: Domain Controller (DC), Site, Link.
Local vs. Domain User Accounts: A local user account is stored in the local SAM database of the computer on which it was created, is authenticated by that computer, and can be granted access to that computer's resources only. A domain user account is stored in Active Directory and authenticated by a domain controller, and can be granted access to resources anywhere in the domain, subject to the permissions and policies that apply to it.
OU vs. GROUP: Groups are security principals and are used mainly to assign permissions and rights, for example on shared folders (a group can appear in an ACL, an OU cannot). An Organizational Unit is a container and the smallest scope to which you can link Group Policy settings or delegate administrative authority.
2 types of groups: distribution groups (used for e-mail distribution lists; they cannot be used to assign permissions) and security groups (can be used to assign permissions and can also be mail-enabled).
SID vs. GUID: A security identifier (SID) identifies a security principal (user, group or computer); it is what appears in access tokens and ACLs, and it changes if the object is moved to another domain. Every Active Directory object, security principal or not, also has an objectGUID, a 128-bit identifier assigned at creation that never changes, even when the object is renamed or moved.
Session 10: Introducing Group Policies
PART I: Implementing Group Policy
PART II: Managing Group Policy Scope
What is Configuration Management?
Configuration management is a centralized approach of applying one or more changes to one or more users or computers.
The key elements of configuration management are:
Group Policy: a framework within Windows that allows you to centrally manage configuration in an AD domain.
Group Policy Object: Policy settings are defined and exist within a Group Policy object (GPO). A GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings for a user or computer.
Group Policy Management Editor (GPME): helps you to configure policy settings (enable/disable, parameterize).
User configuration settings: affect a user, regardless of the computer to which the user logs on (ex: prevent access to registry editing tools).
Computer configuration settings: affect a computer, regardless of which user logs on to that computer (ex: rename the Administrator account).
GPO Scope: collection of computers/users to which the GPO applies.
Methods to determine the scope of GPOs: GPO links (to sites, domains and OUs), security filtering, WMI filters, and GPO status (enabling or disabling the whole GPO or one of its nodes). Each is covered in Part II.
How are the policy settings applied?
When a Group Policy refresh begins, a service running on all Windows systems (called the Group Policy Client) determines which GPOs apply to the computer or user. It downloads any GPOs that it does not already have cached. Then a series of processes called client-side extensions (CSEs) do the work of interpreting the settings in a GPO and making appropriate changes to the local computer or the currently logged-on user.
One of the more important concepts to remember about Group Policy is that it is client driven. The Group Policy Client pulls the GPOs from the domain, triggering the CSEs to apply settings locally. Group Policy is not a “push” technology.
Note I: By default a CSE skips a GPO whose version has not changed since the last refresh. You can configure a CSE to reapply its settings at every background refresh even if the GPO has not changed (the “Process even if the Group Policy objects have not changed” option in that CSE's policy processing setting).
Note II: When are policies applied?
The application of policies is called Group Policy refresh. Computer settings are processed at startup and user settings at logon; both are then refreshed in the background (every 90 minutes with a random offset of up to 30 minutes on members, every 5 minutes on domain controllers).
You can also force a policy refresh by using the GPUpdate command (gpupdate /force reapplies all settings, not only those from changed GPOs). Some settings, such as software installation and folder redirection, take effect only at the next startup or logon.
Each computer has one or more GPOs stored locally on the system (local GPOs) and can in addition be within the scope of any number of domain-based GPOs.
Local GPOs are intended mainly for computers that are not domain members. On a domain member they are still processed, but first, so any conflicting domain setting overrides them.
Computers running Windows 2000, Windows XP and Windows Server 2003 have a single local GPO, which can manage the configuration of that system.
Windows Vista, Windows Server 2008 and later systems have multiple local GPOs: the Local Computer policy, an Administrators and a Non-Administrators policy, and per-user policies, processed in that order.
Domain-Based GPOs: Domain-based GPOs are created in Active Directory and stored on domain controllers. They are used to manage configuration centrally for users and computers in the domain.
Copy: This command copies the GPO so that it can be pasted into the same domain or into a trusted domain. The copy receives a new GUID and has no links.
Back Up: This command pulls all the pieces of a GPO (the GPC settings, the GPT files, permissions and link information) into a single folder, which makes restore easy.
Restore From Backup: This command restores an entire GPO, including its files, objects and permissions, into the same domain in which the GPO originally existed, keeping its original GUID. Links from sites, domains and OUs are recorded in the backup report for reference only and are not restored (a link is a property of the container, not of the GPO), so relink a restored GPO if it had been deleted.
Import Settings: This command imports only the settings from a backed-up GPO into an existing GPO; it does not import permissions or links. Because it needs no trust between the source and target domains, it is the way to transfer GPOs between non-trusted domains; domain-specific security principals and UNC paths in the settings are translated with a migration table.
Save Report: Use this to save an HTML report of the GPO settings.
Delete: This command deletes the GPO. All links to the GPO are also deleted.
Rename: This command changes the name of the GPO.
A GPO consists of two components: the Group Policy container (GPC), an object stored in Active Directory (under CN=Policies,CN=System in the domain), and the Group Policy template (GPT), a folder in the SYSVOL share on every domain controller.
Like all Active Directory objects, each GPC has a GUID attribute (objectGUID) that uniquely identifies it within Active Directory. The GPT folder is named after this GUID (\\<domain>\SYSVOL\<domain>\Policies\{GUID}), which is how the two halves are tied together.
When you edit the settings of a GPO, the changes are written to the GPC and the GPT on the domain controller from which the GPO was opened (by default the GPMC and the editor connect to the PDC emulator) and replicate from there to the other domain controllers.
Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings.
Every 90 to 120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs’ version numbers. CSEs process the policies in the GPOs according to their policy processing configuration. By default, most CSEs apply policy settings only if a GPO has been updated. Some CSEs also do not apply settings if a slow link is detected.
The two parts of a GPO are replicated between domain controllers by using distinct mechanisms. The GPC in Active Directory is replicated by the Directory Replication Agent (DRA), using a topology generated by the Knowledge Consistency Checker (KCC) that can be refined or defined manually. The result is that the GPC is replicated within seconds to all domain controllers in a site, and between sites based on your inter-site replication configuration.
The GPT in the SYSVOL is replicated by using one of two technologies. The File Replication Service (FRS) is used to replicate SYSVOL. If all domain controllers are running Windows Server 2008 or later, you can configure SYSVOL replication to use Distributed File System Replication (DFS-R), a much more efficient and robust mechanism.
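Added example, not part of the course material: a PowerShell check that follows from the two-part structure described above. Because the GPC (in Active Directory) and the GPT (in SYSVOL) replicate by different mechanisms, their version numbers can disagree on a domain controller, and a client that reads the GPO from that DC gets a stale or inconsistent policy. The script uses the GroupPolicy and ActiveDirectory RSAT modules (Get-GPO -Server, Get-ADDomainController) to compare the GPC and GPT versions of every GPO on every DC; it assumes it is run with read access to the domain.

```powershell
# Added example, not from the course slides: compare the GPC version (stored in
# Active Directory and replicated by the DRA) with the GPT version (stored in SYSVOL
# and replicated by FRS or DFS-R) for every GPO on every domain controller.
# Requires the GroupPolicy and ActiveDirectory RSAT modules and read access to the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoVersionReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # -Server makes Get-GPO read the GPC and the GPT.ini from this particular DC
        foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc) {
            [pscustomobject]@{
                DC             = $dc
                GPO            = $gpo.DisplayName
                Id             = $gpo.Id
                UserDS         = $gpo.User.DSVersion
                UserSysvol     = $gpo.User.SysvolVersion
                ComputerDS     = $gpo.Computer.DSVersion
                ComputerSysvol = $gpo.Computer.SysvolVersion
                # true when both halves of the GPO agree on this DC
                InSync         = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                                 ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
            }
        }
    }
}

$report = @(Get-GpoVersionReport)

# 1. GPC/GPT mismatch on a single DC: SYSVOL has not caught up with AD on that DC (or vice versa)
$report | Where-Object { -not $_.InSync } |
    Format-Table DC, GPO, UserDS, UserSysvol, ComputerDS, ComputerSysvol -AutoSize

# 2. Same GPO, different versions on different DCs: replication has not converged yet
$report | Group-Object Id | ForEach-Object {
    $versions = $_.Group |
        ForEach-Object { "$($_.ComputerDS)/$($_.ComputerSysvol)/$($_.UserDS)/$($_.UserSysvol)" } |
        Sort-Object -Unique
    if (@($versions).Count -gt 1) {
        $detail = ($_.Group | ForEach-Object { "$($_.DC): $($_.ComputerDS)/$($_.ComputerSysvol)" }) -join ', '
        Write-Warning "GPO '$($_.Group[0].GPO)' differs between DCs (computer DS/SYSVOL): $detail"
    }
}
```

A mismatch that disappears after the intra-site replication interval is normal right after an edit; one that persists points at a SYSVOL replication problem (FRS or DFS-R), because the AD half usually converges within seconds inside a site.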
Practice I: You are an administrator at MTN Co. At a recent conference you had a conversation with administrators at Syriatel Co. and discussed a particularly successful set of configurations you have deployed using a GPO. The Syriatel administrators have asked you to copy the GPO to their domain. Which steps can you and the Syriatel administrators perform?
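Added example, not part of the course material: the Backup / Import Settings route for moving a GPO between two domains that do not trust each other, which is the situation in the MTN/Syriatel exercise (Copy/Paste would require a trust). It uses the GroupPolicy RSAT cmdlets; GPO names, folder paths, domain and DC names, and the migration table file are assumptions for illustration.

```powershell
# Added example (not from the course slides): the Backup / Import Settings route for
# moving a GPO between domains that do not trust each other, as in the MTN/Syriatel
# exercise. GPO names, paths, domain and DC names are assumptions for illustration.
Import-Module GroupPolicy

# ---- Source domain: MTN administrator ----
$srcGpo    = 'Workstation Hardening'       # assumed name of the successful GPO
$backupDir = 'C:\GPOBackup'                # folder that will be handed over to Syriatel
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Back Up writes the GPC settings, the GPT files, permissions and link information
# into one folder, identified by a backup ID, so the GPO can be moved as a unit.
$backup = Backup-GPO -Name $srcGpo -Path $backupDir -Comment 'Copy for Syriatel, July 2014'
"Backup {0} of '{1}' written to {2}" -f $backup.Id, $backup.DisplayName, $backup.BackupDirectory

# Save Report: an HTML rendering of the settings so the receiving side can review
# exactly what they are about to import.
Get-GPOReport -Name $srcGpo -ReportType Html -Path (Join-Path $backupDir "$srcGpo.html")

# ---- Target domain: Syriatel administrator, after receiving the folder ----
# Import Settings needs no trust, but security principals and UNC paths inside the
# settings still refer to the MTN domain, so they are translated with a migration
# table built in the GPMC Migration Table Editor. Assumed path to that table:
$migTable = Join-Path $backupDir 'mtn-to-syriatel.migtable'

$imported = Import-GPO -BackupGpoName $srcGpo -Path $backupDir `
    -TargetName 'Workstation Hardening (from MTN)' -CreateIfNeeded `
    -MigrationTable $migTable -Domain 'syriatel.local' -Server 'dc1.syriatel.local'

# Import Settings brings settings only: permissions and links are not imported, so no
# container points at the new GPO until the target administrator links it.
New-GPLink -Name $imported.DisplayName -Target 'OU=Workstations,DC=syriatel,DC=local' `
    -Domain 'syriatel.local' -Server 'dc1.syriatel.local' -LinkEnabled Yes

# Confirm what was created and review the default security filtering before relying on it.
Get-GPO -Name $imported.DisplayName -Domain 'syriatel.local' -Server 'dc1.syriatel.local' |
    Select-Object DisplayName, Id, GpoStatus, CreationTime
Get-GPPermission -Name $imported.DisplayName -All -Domain 'syriatel.local' -Server 'dc1.syriatel.local' |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

The MTN side runs only the first half and hands over the folder (backup plus HTML report); the Syriatel side reviews the report, builds the migration table for any MTN-specific groups or UNC paths, imports, and links. Because permissions are not imported, the new GPO starts with the target domain's default security filtering, which is what the last command shows.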
The GPO’s scope determines which computers’ CSEs will receive and process the GPO, and only the computers or users within the scope of a GPO apply the settings in that GPO.
Several mechanisms are used to scope a GPO:
In this part, you learn each of the mechanisms with which you can scope a GPO and, in the process, master the concepts of Group Policy application, inheritance, and precedence.
GPO Links: A GPO can be linked to one or more Active Directory sites, domains, or OUs. Once a GPO is linked to a site, domain, or OU, the computers and users in that container are within the scope of the GPO, including computers and users in child OUs. Linking does not copy the GPO: the same GPO can be linked to several containers, and unlinking it removes it only from that container's scope.
A site, domain, or OU can have more than one GPO linked to it.
GPO Inheritance and Precedence: A policy setting can be configured in more than one GPO, and GPOs can conflict with one another.
A GPO with higher precedence prevails over a GPO with lower precedence. The Group Policy Inheritance tab in the GPMC shows the precedence of every GPO that applies to a container as a number, where 1 is the highest precedence (the GPO applied last).
Default processing order: local, site, domain, OU (parent OU before child OU). Settings applied later override settings applied earlier, so a GPO linked to an OU normally wins over one linked to the domain.
Remember that domain policy settings are applied after—and therefore take precedence over—settings in local GPOs.
Modify GPO Scope using Security Filtering: you might need to apply a GPO only to certain groups of users or computers rather than to everyone within the scope of its links. A GPO applies to a user or computer only if that principal has both Read and Apply group policy permission on the GPO. A new GPO grants both to Authenticated Users by default, so narrowing the scope means replacing Authenticated Users in the Security Filtering list with the intended groups. Caveat for current clients: since the June 2016 security update MS16-072, user policy is retrieved in the computer's security context, so computer accounts (Authenticated Users or Domain Computers) must keep Read even when Apply is limited to a user group.
Filtering a GPO to Exclude Specific Groups: on the GPO's Delegation tab, under Advanced, give the group Deny on Apply group policy. A Deny entry overrides any Allow the user or computer receives through other group memberships, so use it sparingly and document it; it is easy to overlook later.
WMI Filters: Windows Management Instrumentation (WMI) is a management infrastructure that lets administrators query and control managed objects on Windows computers. A WMI filter attaches a WQL query to a GPO; the client evaluates the query at refresh and applies the GPO only if it returns at least one object. For example, SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 restricts a GPO to workstations (ProductType 2 is a domain controller, 3 a member server). A GPO can have at most one WMI filter, and Windows 2000 clients ignore WMI filters and apply the GPO regardless.
Enabling or Disabling GPOs and GPO Nodes: You can prevent the settings in the Computer Configuration or User Configuration nodes from being processed during policy refresh by changing GPO Status.
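Added example, not part of the course material: a PowerShell summary of the three scope mechanisms just described other than links (GPO status, WMI filter, security filtering with its Deny entries) for every GPO in a domain, using the GroupPolicy RSAT module (Get-GPO, Get-GPPermission). The flags at the end are the reviewer's own checklist, not something the slides prescribe; the script assumes read access to the domain's GPOs.

```powershell
# Added example (not from the course slides): summarise, for every GPO in the domain,
# the scope mechanisms other than links: GPO status, WMI filter, and security filtering
# including explicit Deny entries. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoScopeSummary {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain

        # A principal is in scope only if it is allowed Apply group policy (which requires Read)
        $applyTo = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        # Deny entries are how "Filtering a GPO to Exclude Specific Groups" is implemented
        $denied  = $perms | Where-Object { $_.Denied }

        $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }

        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            Status    = $gpo.GpoStatus          # AllSettingsEnabled, UserSettingsDisabled, ...
            WmiFilter = $wmi
            ApplyTo   = ($applyTo | ForEach-Object { $_.Trustee.Name }) -join '; '
            DeniedTo  = ($denied  | ForEach-Object { "$($_.Trustee.Name): $($_.Permission)" }) -join '; '
        }
    }
}

$summary = @(Get-GpoScopeSummary)
$summary | Sort-Object GPO | Format-Table -AutoSize -Wrap

# Worth a second look:
#  - empty ApplyTo: nobody is filtered in, so the GPO does nothing wherever it is linked
#  - Deny entries on broad groups such as Authenticated Users or Domain Users
#  - AllSettingsDisabled GPOs that are still linked
$summary | Where-Object { -not $_.ApplyTo -or $_.DeniedTo -or $_.Status -eq 'AllSettingsDisabled' } |
    Format-Table GPO, Status, ApplyTo, DeniedTo -AutoSize -Wrap
```

Links are deliberately left out of this summary because a link belongs to the container, not to the GPO; Get-GPInheritance on a site, domain or OU lists them together with their precedence.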
GPOs are applied in order (local, site, domain, OU), and GPOs applied later in the order have higher precedence: their settings, when applied, override settings applied earlier.
The following sequence describes the process through which settings in a domain-based GPO are applied to affect a computer or user:
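Added example, not part of the course material: a small PowerShell resolver that reproduces the ordering rules described in this part (local, site, domain, OU; link order within a container; disabled links) and, going beyond what the slides cover, the two GPMC modifiers of inheritance, Block Inheritance on a container and Enforced on a link. It runs on constructed sample data (every site, OU and GPO name is made up) and touches no directory; on a real domain the same link data comes from Get-GPInheritance.

```powershell
# Added example, not from the course slides: a resolver that reproduces the ordering
# rules the Group Policy Client applies (local, site, domain, OU; link order; Block
# Inheritance; Enforced; disabled links) on constructed sample data. It touches no
# directory; real link data comes from Get-GPInheritance. GPO and OU names are made up.

function Resolve-GpoPrecedence {
    param(
        # Containers from the outside in: site, domain, then each OU down to the object's OU.
        # Each has Name, BlockInheritance and Links (Gpo, LinkOrder, Enabled, Enforced).
        [object[]]$Soms
    )
    $ordered  = @('Local Group Policy')   # processing order; later entries override earlier ones
    $enforced = @()                       # Enforced links are processed last, so they win

    foreach ($som in $Soms) {
        # Block Inheritance discards the non-enforced GPOs inherited from parent containers
        if ($som.BlockInheritance) { $ordered = @('Local Group Policy') }

        # Disabled links contribute nothing. Within one container GPMC link order 1 has the
        # highest precedence, i.e. it is processed last, so walk the links in descending order.
        $links = @($som.Links | Where-Object { $_.Enabled } | Sort-Object LinkOrder -Descending)
        foreach ($link in $links) {
            if ($link.Enforced) { $enforced += $link.Gpo } else { $ordered += $link.Gpo }
        }
    }
    # Among Enforced links the one from the outermost container (e.g. the domain) wins,
    # so they are processed innermost first, outermost last.
    [array]::Reverse($enforced)
    return $ordered + $enforced
}

function Get-EffectiveSettings {
    param([string[]]$ProcessingOrder, [hashtable]$SettingsByGpo)
    # "Last writer wins": walk the GPOs in processing order and overwrite on every conflict
    $effective = @{}
    foreach ($gpo in $ProcessingOrder) {
        if (-not $SettingsByGpo.ContainsKey($gpo)) { continue }
        foreach ($entry in $SettingsByGpo[$gpo].GetEnumerator()) {
            $effective[$entry.Key] = [pscustomobject]@{ Setting = $entry.Value; WinningGpo = $gpo }
        }
    }
    return $effective
}

# Constructed sample: a Finance workstation in OU=Finance,OU=Workstations of contoso.com,
# located in site HQ. The Workstations OU blocks inheritance; "Domain Baseline" is Enforced.
$soms = @(
    [pscustomobject]@{ Name = 'Site HQ'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site Proxy';            LinkOrder = 1; Enabled = $true;  Enforced = $false }) }
    [pscustomobject]@{ Name = 'contoso.com'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; LinkOrder = 1; Enabled = $true;  Enforced = $false },
        [pscustomobject]@{ Gpo = 'Domain Baseline';       LinkOrder = 2; Enabled = $true;  Enforced = $true }) }
    [pscustomobject]@{ Name = 'OU=Workstations'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = 'Workstation Hardening'; LinkOrder = 1; Enabled = $true;  Enforced = $false },
        [pscustomobject]@{ Gpo = 'Legacy App';            LinkOrder = 2; Enabled = $false; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU=Finance'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Finance Lockdown';      LinkOrder = 1; Enabled = $true;  Enforced = $false }) }
)

# Constructed settings per GPO (setting name = value); conflicts are intentional
$settings = @{
    'Local Group Policy'    = @{ ScreenSaverTimeout = 1200 }
    'Site Proxy'            = @{ ProxyServer = 'proxy.hq.contoso.com:8080' }
    'Default Domain Policy' = @{ ScreenSaverTimeout = 900 }
    'Domain Baseline'       = @{ RenameAdministrator = 'ops-admin' }
    'Workstation Hardening' = @{ ScreenSaverTimeout = 600; DisableRegistryTools = $true }
    'Finance Lockdown'      = @{ ScreenSaverTimeout = 300; RenameAdministrator = 'fin-admin' }
}

$order = @(Resolve-GpoPrecedence -Soms $soms)
'Processing order (last applied wins):'
for ($i = 0; $i -lt $order.Count; $i++) {
    '  precedence {0}: {1}' -f ($order.Count - $i), $order[$i]
}

$effective = Get-EffectiveSettings -ProcessingOrder $order -SettingsByGpo $settings
'Resultant settings:'
$effective.GetEnumerator() | Sort-Object Key | ForEach-Object {
    '  {0,-22} = {1,-12} from {2}' -f $_.Key, $_.Value.Setting, $_.Value.WinningGpo
}
```

Tracing the sample by the rules above: the block on the Workstations OU drops Site Proxy and Default Domain Policy (so no ProxyServer setting results), the disabled Legacy App link contributes nothing, Workstation Hardening and Finance Lockdown are applied after the local GPO, and the Enforced Domain Baseline is applied last. Finance Lockdown therefore wins ScreenSaverTimeout over the OU above it and the local GPO, while Domain Baseline wins RenameAdministrator despite being linked higher up, which is exactly what Enforced is for.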
C9: Saturday 12-Jul-2014 12:00
C10: Saturday 12-Jul-2014 13:30
Title: “ACTIVE DIRECTORY – PART 3” + Revision