
Understanding Group Policy on Windows Server 2003

John Howard, IT Pro Evangelist, Microsoft UK

http://blogs.technet.com/jhoward


Agenda

  • Introducing Group Policy

  • Common tasks with Group Policy

  • Planning & Best Practices


Introducing Group Policy: Basic Understanding

  • Works with Windows 2000 and later

  • Enable one-to-many management of users and computers

  • Simplify administrative tasks

  • Implement security settings

  • Implement standard computing environments


Introducing Group Policy: Group Policy Terms

  • Group Policy Management Console

  • Group Policy settings

  • Group Policy Object Editor

  • Active Directory containers

    • Site

    • Domain

    • OUs

      • Child OUs


Introducing Group Policy: Group Policy Capabilities

  • Internet Explorer Maintenance

  • Software Distribution

  • Offline Folders

  • Software Restrictions

  • Roaming Profiles and Redirected Folders

  • Security Settings

  • Computer and User Scripts

  • Registry-based Policy


Introducing Group Policy: Default Policies

  • Local Security Policy

  • Default Domain Policy

  • Default Domain Controllers Policy


Introducing Group Policy: Where is Group Policy Stored


Introducing Group Policy: Order of Precedence

Child OU Policy

Parent OU Policy

Domain Policy

Site Policy

Local Security Policy
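
The precedence stack above, worked through as an added Python example (not part of the presentation): policy is applied from Local Security Policy upwards through Site, Domain, Parent OU and Child OU, and the last writer wins. It goes slightly beyond this slide by also modelling Enforce (no override) and Block Inheritance, which the deck names under General Guidance. Link order within a container, security filtering, WMI filters and loopback are not modelled, and all class, GPO and setting names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                  # GPO name (constructed)
    settings: dict            # setting name -> value
    enforced: bool = False    # "Enforce (no override)" set on the link

@dataclass
class Container:
    name: str                 # Site, Domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_settings(local, chain):
    """chain is ordered Site, Domain, Parent OU, Child OU.
    Returns {setting: (value, source that won)}."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal.clear()    # drops inherited links, but never enforced ones
        for link in container.links:
            (enforced if link.enforced else normal).append(link)
    result = {k: (v, "Local Security Policy") for k, v in local.items()}
    # Normal links apply top-down, so the closest container writes last.
    # Enforced links apply afterwards, lowest first, so the highest wins.
    for link in normal + enforced[::-1]:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

# Constructed hierarchy; every name and value below is illustrative.
LOCAL = {"ScreenSaverTimeout": 900}
CHAIN = [
    Container("Site: London", [Link("Site-Proxy", {"ProxyServer": "proxy:8080"})]),
    Container("Domain: example.local", [
        Link("Domain-Baseline", {"ScreenSaverTimeout": 600}),
        Link("Domain-Audit", {"AuditLogon": "Success,Failure"}, enforced=True)]),
    Container("OU: Staff", [Link("Staff-Desktop", {"ScreenSaverTimeout": 300})]),
    Container("OU: Kiosks", [Link("Kiosk-Local", {"AuditLogon": "None"})],
              block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, source) in sorted(effective_settings(LOCAL, CHAIN).items()):
        print(f"{name} = {value!r}  (from {source})")
```

With Block Inheritance set on the child OU, the site and domain baselines no longer reach it, yet the enforced domain audit setting still overrides the child OU's own value, which is why the deck advises using both options sparingly.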


Introducing Group Policy: Group Policy Management Console

  • Unified, easy to use GUI

  • Backup/Restore of GPOs

  • Import/Export and Copy/Paste of GPOs

  • Simplified security

  • HTML reporting

  • Scripting of Group Policy tasks


Introducing Group Policy: Group Policy Objects & Links

  • GPMC manages

    • GPO Links

    • Scope Of Management (SOM)

  • GPOs contain policy settings

  • Links define what objects the GPO will target

    • Scope Of Management (SOM)

      • Site, Domain, OU, OU, …

    • Filtering can be based on links to SOM

    • Better illustrates the relationship between GPOs and Links


Demo: Introducing Group Policy




Common Tasks: Using Administrative Templates

  • Enables configuration of policy settings

    • Do not actually contain policy settings

    • Used by Group Policy Object Editor

    • Policy settings are contained in registry.pol

  • Windows Server 2003 contains:

    • System.adm

    • Inetres.adm

    • Conf.adm

    • Wmplayer.adm

    • Wuau.adm


Common Tasks: Using Administrative Templates

  • KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”

  • Superset principle from WS2003 RTM onwards

  • Historical .adm files available online

  • Never edit the OS-shipped .adm files

  • Know the benefits of a “true policy” (as compared to preferences)

    • Security (local administrators)

    • Cleanup (if GPO is out of scope)


Common Tasks: Account Policies

  • Password

  • Account lockout

  • Kerberos settings

  • Domain level vs OU level setting


Common Tasks: Software Restriction Policies

  • Windows Server 2003 and Windows XP

  • Base philosophies

    • Unrestricted

      • All programs run except those I select

    • Disallowed

      • Use with care

  • Policy rules

    • Hash

    • Certificate

    • Path

    • Internet Explorer Zone


Common Tasks: Restricted Groups

  • Membership of Active Directory security groups

    • No-one can be in Enterprise Administrators

    • Only these users are helpdesk staff

  • Membership of Local Groups

    • Helpdesk are members of local administrators


Common Tasks: Some of the rest…

  • Additional security

    • Registry Access Control Lists (ACLs)

    • File System Access Control Lists (ACLs)

    • Service Startup Mode

  • Internet Explorer Maintenance

  • Audit Policies

    • Especially on servers


Demo: Common Tasks with Group Policy




Planning & Best Practices: OU Design

  • Why create OUs

  • Segment by role

    • Domain controllers

    • Computers

    • Users

  • Redirect default OU for new accounts

    • redirusr.exe and redircmp.exe

  • Use delegation of administration

    • Create/Update/Link GPOs


Planning & Best Practices: Group Policy Objects

  • Normalise GPOs – “GP Common Scenarios”

  • Naming conventions

    • Clear purpose and intent

    • 3-segment string: Scope/Purpose/Managed By

    • e.g. WW-Outlook-OTG

  • What about the number of GPOs?

    • MYTH: Fewer GPOs=Better performance

    • FACT: Number of settings is more important


Planning & Best Practices: General Guidance

  • Avoid Cross-Domain GPO links

    • Performance overhead

    • Alternative - GPMC scripts

  • Use the following sparingly

    • Enforce (no override)

    • Block Inheritance

    • Loopback

  • Keep it simple


Planning & Best Practices: Using WMI Filters

  • XP and Windows Server 2003 Only

  • Performance hit

  • Limit to known lifetime if possible

  • Scriptomatic


Summary

  • Group Policy serves many purposes

  • If you’re not already using GPMC, why not?

  • It’s not as hard as it looks

    • …but without planning, it’s easy to make it look hard

  • http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy


Recommended Reading

“Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000”

By Jeremy Moskowitz

www.gpanswers.com


© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

