70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 11: Group Policy for Corporate Policy. Objectives: understand and describe the purpose of Group Policy; describe how Group Policy is applied; manage desktop computers using Group Policy.


Presentation Transcript


  1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 11: Group Policy for Corporate Policy

  2. Objectives
  • Understand and describe the purpose of Group Policy
  • Describe how Group Policy is applied
  • Manage desktop computers using Group Policy
  • Analyze and configure security settings using Group Policy
  Guide to MCSE 70-294, Enhanced

  3. Objectives (continued)
  • Install and use the Group Policy Management Console
  • Troubleshoot Group Policy

  4. Group Policy
  • Introduced in Windows 2000
  • Enhanced in:
    • Windows XP
    • Windows Server 2003
  • Largely a collection of registry entries
  • Enhancements in Windows Server 2003:
    • Transient policy settings
    • Expanded capabilities

  5. Administrative Templates
  • Files with .adm extension
  • Describe registry settings
  • Can be configured in local policy or Group Policy
  • Included with Windows Server 2003:
    • System.adm
    • Inetres.adm
    • Wmplayer.adm
    • Conf.adm
    • Wuau.adm

  6. Client-side Extensions
  • Allow for more advanced control and configuration
  • Included with Windows Server 2003 and Windows XP:
    • EFS (encrypting file system) recovery
    • Folder redirection
    • Internet Explorer maintenance
    • IP security

  7. Client-side Extensions (continued)
  • Included with Windows Server 2003 and Windows XP:
    • Microsoft Disk Quota
    • QoS Packet Scheduler
    • Scripts
    • Security
    • Software installation
    • Wireless

  8. Group Policy Storage
  • Stored on:
    • Domain controllers
    • Local computers
  • Local policy object
    • Stored in a hidden folder
    • Referred to as local computer policy
    • Applies only to the local computer
    • Great for a workgroup environment

  9. Group Policy Storage (continued)
  • GPOs
    • Stored on domain controllers
    • Centrally managed
    • A single GPO typically affects many users and computers
    • One part stored in the Active Directory database
      • Called the group policy container (GPC)
    • Other part stored in the SYSVOL share
      • Referred to as the group policy template (GPT)

  10. Group Policy Storage (continued)
  • GPT subfolders:
    • Adm
    • USER
    • USER\applications
    • MACHINE
    • MACHINE\applications

  11. Creating a Group Policy Object
  • Tools for creating GPOs:
    • Group Policy standalone Microsoft Management Console (MMC) snap-in
    • Group Policy extension in Active Directory Users and Computers

  12. Activity 11-1: Creating a Group Policy Object Using the MMC
  • Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs
  • Follow directions to create GPOs

  13. Group Policy Processing
  • GPOs are linked to sites, domains, and organizational units using GPO links
  • Apply to user and computer objects that exist in the container to which they are linked
  • Can be linked to multiple organizational units, sites, or even domains
  • Only stored on domain controllers in the domain where created

  14. Group Policy Priority
  • Processing order:
    • First policy to be applied is the local computer policy
    • Any GPOs linked to the site are applied
    • GPOs linked to the domain are applied
    • GPOs linked to organizational units are applied

  15. Group Policy Priority (continued)
  • Process is followed twice
    • Once for Computer Configuration
      • When the computer starts up
    • Once for User Configuration
      • When the user logs on

  16. Default GPO Processing Order

  17. Dealing with Conflict
  • Options for policy settings:
    • Enabled
    • Disabled
    • Not Configured
  • Policy settings from multiple GPOs can be combined
    • As long as they do not conflict
  • In case of conflict:
    • The GPO applied last wins

  18. Modifying Group Policy Priority
  • Modify priority by configuring settings:
    • No Override
    • Block Policy Inheritance
    • Loopback Processing Mode

  19. Controlling Group Policy Application with Permissions
  • GPOs cannot be linked to groups
  • Application of Group Policy can be controlled through permissions

  20. Controlling Group Policy Application with Permissions (continued)
  • Standard permissions available on a GPO:
    • Full Control
    • Read
    • Write
    • Create All Child Objects
    • Delete All Child Objects
    • Apply Group Policy

  21. Activity 11-5: Filtering Group Policy Objects Using Security Permissions
  • Objective: Use security permissions to filter and control the application of policy settings
  • Follow instructions to stop settings in the Marketing Policy GPO from applying to the Administrators group

  22. Windows Management Instrumentation Filters
  • Used to restrict application of GPOs
  • Control GPO application based on computer configuration, such as:
    • Hardware configuration
    • File existence or attributes
    • Applications being installed
    • Amount of free hard drive space
  • Written in WMI Query Language (WQL)
  • Not supported on Windows 2000 clients
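The precedence rules in slides 13 through 22 (local, site, domain, OU order with the last-applied GPO winning, No Override, Block Policy Inheritance, the Apply Group Policy permission, and WMI filters) can be exercised with the following Python model. It is an added illustration, not code from the book or from Windows; the GPO names, settings, group names and the free-disk-space predicate that stands in for a WQL query are all constructed for the example.

```python
"""Simulation of Group Policy precedence for one user or computer: local policy,
then site, domain and OU links (the GPO applied last wins), with No Override
(enforced links), Block Policy Inheritance, security filtering on the Apply
Group Policy permission and a WMI-style filter.
Illustrative model, not the Windows client-side engine."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]  # setting -> Enabled / Disabled / Not Configured
    apply_to: Set[str] = field(default_factory=set)    # groups holding Read + Apply Group Policy
    deny_apply: Set[str] = field(default_factory=set)  # groups explicitly denied Apply Group Policy
    wmi_filter: Optional[Callable[[dict], bool]] = None  # stands in for a WQL query


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" (enforced) set on this link


@dataclass
class Container:
    name: str
    links: List[Link]  # in application order: a later link wins over an earlier one
    block_inheritance: bool = False


def gpo_applies(gpo: GPO, groups: Set[str], computer: dict) -> bool:
    if gpo.deny_apply & groups:      # an explicit Deny beats any Allow
        return False
    if not (gpo.apply_to & groups):  # Read + Apply Group Policy must come from some group
        return False
    # Windows 2000 clients ignore WMI filters, so a filtered GPO still applies to them
    if gpo.wmi_filter is not None and computer.get("os") != "Windows 2000":
        return gpo.wmi_filter(computer)
    return True


def resultant_set(local_policy: GPO, scope: List[Container], groups: Set[str], computer: dict):
    """scope is the path site -> domain -> OU(s) down to the object's container."""
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for container in scope:
        if container.block_inheritance:
            normal = []  # drop non-enforced GPOs inherited from parents; enforced ones survive
        for link in container.links:
            (enforced if link.no_override else normal).append(link.gpo)
    # Enforced GPOs are applied after all others; a parent's enforced GPO must beat
    # a child's, so they are applied deepest-first and the highest level lands last.
    order = [local_policy] + normal + list(reversed(enforced))
    applied = [g for g in order if g is local_policy or gpo_applies(g, groups, computer)]
    result: Dict[str, str] = {}
    for gpo in applied:
        for setting, value in gpo.settings.items():
            if value != "Not Configured":  # Not Configured leaves the earlier value alone
                result[setting] = value
    return result, [g.name for g in applied]


# Constructed scenario: names, settings and groups are illustrative only.
LOCAL = GPO("Local Computer Policy", {"RemoveRunMenu": "Disabled", "HideDrives": "Enabled"})
SITE_GPO = GPO("HQ Site Policy", {"ProxySettingsLocked": "Enabled"}, apply_to={"Authenticated Users"})
DOMAIN_GPO = GPO("Default Domain Policy", {"RemoveRunMenu": "Enabled"}, apply_to={"Authenticated Users"})
MARKETING_GPO = GPO(
    "Marketing Policy",
    {"HideDrives": "Disabled", "WallpaperLocked": "Enabled", "RemoveRunMenu": "Disabled",
     "ProxySettingsLocked": "Not Configured"},
    apply_to={"Authenticated Users"},
    deny_apply={"Administrators"},                        # Activity 11-5 style filtering
    wmi_filter=lambda c: c.get("free_disk_gb", 0) >= 10,  # "enough free disk" stand-in for WQL
)
SCOPE = [
    Container("HQ site", [Link(SITE_GPO)]),
    Container("corp.example domain", [Link(DOMAIN_GPO, no_override=True)]),
    Container("Marketing OU", [Link(MARKETING_GPO)], block_inheritance=True),
]
XP_CLIENT = {"os": "Windows XP", "free_disk_gb": 40}


def marketing_user(computer: dict = XP_CLIENT):
    return resultant_set(LOCAL, SCOPE, {"Authenticated Users", "Marketing"}, computer)


def marketing_admin(computer: dict = XP_CLIENT):
    return resultant_set(LOCAL, SCOPE, {"Authenticated Users", "Administrators"}, computer)


if __name__ == "__main__":
    for label, (settings, order) in [("user", marketing_user()), ("admin", marketing_admin())]:
        print(label, "applied:", " -> ".join(order), "result:", settings)
```

Walking through the constructed scenario shows each mechanism once: the site GPO is lost to Block Policy Inheritance on the Marketing OU, the enforced domain GPO survives the block and overrides the OU's RemoveRunMenu setting, an administrator is excluded from the Marketing GPO by the Deny on Apply Group Policy, a computer with too little free disk fails the filter, and a Windows 2000 client receives the GPO regardless because it ignores WMI filters.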

  23. Slow Link Detection
  • When working over a slow link:
    • May be undesirable to apply parts of Group Policy
  • Client pings the domain controller several times
    • To determine link speed
  • 500 Kbps or less is considered slow

  24. Default Slow Link Behavior

  25. Desktop Management with Group Policy
  • Desktop management
    • One of the primary goals that can be accomplished with Group Policy

  26. Restricting Windows
  • Can protect users from their own mistakes
  • Remove access to features such as:
    • Configuring proxy settings
    • Setting desktop wallpaper

  27. Folder Redirection
  • Allows an administrator to change the location of default Windows folders
  • Locate on a server:
    • Allows users to access information from any computer on the network

  28. Folder Redirection (continued)
  • Folders that can be redirected are:
    • Application data
    • Desktop
    • My Documents
    • Start menu

  29. Scripts
  • GPOs can contain scripts for:
    • Logon
    • Logoff
    • Startup
    • Shutdown
  • Can be written in languages such as:
    • VBScript (.vbs)
    • JScript (.js)
  • Must store scripts in a location accessible to the users running them

  30. Security Management with Group Policy
  • Security policy
    • Collection of security-related settings
    • Located in all GPOs
  • Majority of security policy settings apply to computers
    • Found in the Computer Configuration section

  31. Account Policies
  • Include configuration settings that may be the initial step to securing a computer network
  • Must be configured in a GPO linked to the domain
  • Subcategories:
    • Password Policy
    • Account Lockout Policy
    • Kerberos Policy

  32. Local Policies
  • Wide variety of settings
  • Very flexible
  • Categories:
    • Audit policy
    • User rights assignment
    • Security options

  33. Restricted Groups
  • Define the users that are allowed membership in specific groups
  • When Group Policy is applied:
    • Any member of a restricted group not listed in the restricted group's member list is removed
  • Prevents administrators from accidentally adding users to sensitive groups

  34. System Services
  • Define which services are started, stopped, or disabled on computers
  • Can also configure security for services
  • Effective way to disable unnecessary services on:
    • Client computers
    • Servers

  35. Registry Settings
  • Define security permissions for registry entries
  • Applied to all computers affected by the GPO

  36. File System
  • Defines NTFS permissions applied to the local hard drives of computers affected by the GPO
  • Enhances security by removing permissions to files and folders

  37. Wireless Network Policies
  • Define settings for wireless network connectivity
  • Configure which wireless networks workstations can connect to and automatically configure Wireless Encryption Protocol (WEP)

  38. Public Key Policies
  • Define configuration settings relating to the use of different public key-based applications such as:
    • Encrypting file system (EFS)
    • Automatic certificate enrollment settings
    • Certificate Authority (CA) trusts
  • Autoenrollment
    • New feature
    • Allows computers and users to request version 2 certificate templates automatically

  39. Software Restriction Policies
  • Define security settings related to what programs are allowed to run on a system
  • Individual rules can be based on:
    • File's hash
    • Digital certificate used to sign the executable
    • File's path
    • Internet zone
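The four rule types on slide 39 can be seen working together in the following Python model of rule evaluation. It is an added example, not code from the book or from Windows, and it goes one step beyond the slide: it encodes the precedence Microsoft documents for Software Restriction Policies (hash rules beat certificate rules, which beat path rules, which beat Internet-zone rules, with the most specific path rule winning among path matches). The sample file bytes, publisher name, paths and rules are constructed, and a SHA-256 digest stands in for the hash a hash rule stores.

```python
"""Evaluation of Software Restriction Policy style rules against a file:
hash rules take precedence over certificate rules, then path rules, then
Internet-zone rules; among matching path rules the most specific one wins.
Illustrative model, not the Windows SRP engine."""
import hashlib
from fnmatch import fnmatch

PRECEDENCE = ("hash", "certificate", "path", "zone")
RESTRICTIVENESS = {"Disallowed": 0, "Basic User": 1, "Unrestricted": 2}


def file_hash(data: bytes) -> str:
    # SHA-256 stands in here for the hash stored in an SRP hash rule (assumption)
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: dict, f: dict) -> bool:
    kind, match = rule["kind"], rule["match"]
    if kind == "hash":
        return file_hash(f["data"]) == match
    if kind == "certificate":  # publisher named in the signing certificate
        return f.get("publisher") == match
    if kind == "path":         # wildcard path, compared case-insensitively
        return fnmatch(f["path"].lower(), match.lower())
    if kind == "zone":         # Internet Explorer zone the file was downloaded from
        return f.get("zone") == match
    return False


def evaluate(f: dict, rules: list, default_level: str = "Disallowed"):
    """Return (level, winning_rule); the default level applies when nothing matches."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r["kind"] == kind and rule_matches(r, f)]
        if hits:
            # longest (most specific) pattern first, then the more restrictive level
            best = min(hits, key=lambda r: (-len(r["match"]), RESTRICTIVENESS[r["level"]]))
            return best["level"], best
    return default_level, None


# Constructed sample data: not a real binary, publisher or policy.
TRUSTED_TOOL = b"MZ constructed sample executable contents"
RULES = [
    {"kind": "hash", "match": file_hash(TRUSTED_TOOL), "level": "Unrestricted"},
    {"kind": "certificate", "match": "Contoso Corp (constructed)", "level": "Unrestricted"},
    {"kind": "path", "match": r"C:\Program Files\*", "level": "Unrestricted"},
    {"kind": "path", "match": r"C:\Program Files\Temp\*", "level": "Disallowed"},
    {"kind": "zone", "match": "Internet", "level": "Disallowed"},
]


def level_for(path: str, data: bytes = b"", publisher=None, zone=None) -> str:
    """Security level the constructed policy assigns to one file (default: Disallowed)."""
    return evaluate({"path": path, "data": data, "publisher": publisher, "zone": zone}, RULES)[0]


if __name__ == "__main__":
    cases = [
        (r"C:\Temp\tool.exe", {"data": TRUSTED_TOOL}),
        (r"C:\Program Files\App\app.exe", {}),
        (r"C:\Program Files\Temp\drop.exe", {}),
        (r"C:\Users\a\Downloads\setup.exe", {"publisher": "Contoso Corp (constructed)", "zone": "Internet"}),
        (r"C:\Users\a\Downloads\unknown.exe", {"zone": "Internet"}),
    ]
    for path, extra in cases:
        print(path, "->", level_for(path, **extra))
```

The default level is Disallowed, so the policy behaves as an allowlist: a file outside every rule does not run, a file whose bytes change no longer matches its hash rule, the more specific Temp path rule overrides the broader Program Files rule, and a signed download is allowed by its certificate rule even though its zone rule says Disallowed.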

  40. IP Security Policies
  • Define IPSec settings
  • Can enable IPSec for an entire network with little effort

  41. Security Templates
  • Used to:
    • Define, edit, and save baseline security settings
    • Apply settings to computers with common security requirements
    • Meet organizational security standards
  • Help ensure:
    • Consistent settings can be applied to multiple machines
    • Settings are easily maintained
  • Stored in .inf files

  42. Security Templates (continued)
  • Setup security.inf
    • Default template
    • Provides a single file in which all original computer security settings are stored
  • Incremental templates
    • Only apply to machines already running the default security settings
  • Use the Security Templates snap-in to create custom templates

  43. Analyzing Security
  • Security Configuration and Analysis utility
    • Compares current system settings to a previously configured security template
    • Identifies:
      • Changes to the original security configuration
      • Possible security weaknesses
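Slides 41 through 43 describe templates stored as .inf files and a tool that compares a system against one. The following Python is an added example of that comparison, not the Windows utility or one of the templates that ship with it: it parses a constructed template in the .inf section layout ([System Access], [Event Audit], [Privilege Rights]), compares it with a constructed snapshot of a machine's current settings, and lists each deviation. The direction in which each numeric setting counts as weaker (for example, a maximum password age of 0 meaning passwords never expire) is an assumption made for the example.

```python
"""Baseline comparison in the spirit of Security Configuration and Analysis:
parse a security template (.inf) and report where a system's current
settings fall short of it. Illustrative model, not the Windows tool."""
from typing import Dict, List, Tuple

# Constructed template in .inf layout; not one of the templates shipped with Windows.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

# Constructed snapshot of a machine's current settings, same sections and keys.
CURRENT_SYSTEM = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "1",
                      "MaximumPasswordAge": "0", "LockoutBadCount": "5"},
    "Event Audit": {"AuditLogonEvents": "1"},
    "Privilege Rights": {"SeRemoteInteractiveLogonRight": "*S-1-5-32-544,*S-1-5-32-555"},
}

# Assumed direction in which each numeric value is "at least as secure" as the baseline.
NUMERIC_RULES = {
    "MinimumPasswordLength": "at_least",      # a shorter minimum is weaker
    "MaximumPasswordAge": "at_most_nonzero",  # 0 means passwords never expire
    "LockoutBadCount": "at_most_nonzero",     # 0 means accounts never lock out
    "AuditLogonEvents": "bits",               # 1 = success, 2 = failure; baseline bits must stay on
}
COMPARED_SECTIONS = ("System Access", "Event Audit", "Privilege Rights")


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser for the [Section] and key = value lines of a template."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None:  # value before any section header: ignore
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def compliant(section: str, key: str, expected: str, actual: str) -> bool:
    if section == "Privilege Rights":
        # the right may be held by a subset of the baseline accounts, never by extra ones
        return set(actual.split(",")) <= set(expected.split(","))
    rule = NUMERIC_RULES.get(key, "equal")
    e, a = int(expected), int(actual)
    if rule == "at_least":
        return a >= e
    if rule == "at_most_nonzero":
        return a != 0 and a <= e
    if rule == "bits":
        return a & e == e
    return a == e


def analyze(baseline, current) -> List[Tuple[str, str, str, str]]:
    """Return (section, key, baseline value, current value) for every deviation."""
    findings = []
    for section in COMPARED_SECTIONS:
        for key, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if actual is None or not compliant(section, key, expected, actual):
                findings.append((section, key, expected, actual))
    return findings


def run_analysis():
    return analyze(parse_template(SAMPLE_TEMPLATE), CURRENT_SYSTEM)


if __name__ == "__main__":
    for section, key, expected, actual in run_analysis():
        print(f"[{section}] {key}: template={expected} current={actual}")
```

On the constructed snapshot the report lists four deviations: a minimum password length below the baseline, a maximum password age of 0, logon auditing that records successes but not failures, and an extra SID holding the remote interactive logon right. Password complexity and the lockout threshold match and are not reported.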

  44. Using the Group Policy Management Console
  • Available as a free download for Windows Server 2003 customers
  • Brings together tools and options previously accessible from a number of different tools
  • Adds new functionality
  • Highly recommended
    • Especially in large deployments

  45. Troubleshooting Group Policy
  • Most important thing is the interaction of:
    • Links to containers
    • Priority ordering by administrators
    • No Override
    • Block Inheritance
    • ACL permissions
    • Loopback Processing Mode
    • WMI filters

  46. Troubleshooting Tools
  • Resultant Set of Policy (RSoP)
  • Gpresult
  • Gpupdate
  • Dcgpofix

  47. Summary
  • Group Policy applies settings to users and computers in:
    • Site
    • Domain
    • Organizational unit
  • Order of application for GPOs is:
    • Local
    • Site
    • Domain
    • Organizational unit

  48. Summary (continued)
  • User or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply
  • To affect domain accounts, account policies must be set at the domain level
  • Security management using Group Policy is accomplished with security templates
