Understanding Group Policy on Windows Server 2003
John Howard, IT Pro Evangelist, Microsoft UK

http://blogs.technet.com/jhoward


Agenda

  • Introducing Group Policy

  • Common tasks with Group Policy

  • Planning & Best Practices


Introducing Group Policy: Basic Understanding

  • Works with Windows 2000 and later

  • Enable one-to-many management of users and computers

  • Simplify administrative tasks

  • Implement security settings

  • Implement standard computing environments


Introducing Group Policy: Group Policy Terms

  • Group Policy Management Console

  • Group Policy settings

  • Group Policy Object Editor

  • Active Directory containers

    • Site

    • Domain

    • OUs

      • Child OUs


Introducing Group Policy: Group Policy Capabilities

  • Registry-based Policy

  • Security Settings

  • Software Restrictions

  • Software Distribution

  • Computer and User Scripts

  • Roaming Profiles and Redirected Folders

  • Offline Folders

  • Internet Explorer Maintenance


Introducing Group Policy: Default Policies

  • Local Security Policy

  • Default Domain Policy

  • Default Domain Controllers Policy


Introducing Group Policy: Where is Group Policy Stored


Introducing Group Policy: Order of Precedence

  • Child OU Policy

  • Parent OU Policy

  • Domain Policy

  • Site Policy

  • Local Security Policy


Introducing Group Policy: Group Policy Management Console

  • Unified, easy to use GUI

  • Backup/Restore of GPOs

  • Import/Export and Copy/Paste of GPOs

  • Simplified security

  • HTML reporting

  • Scripting of Group Policy tasks


Introducing Group Policy: Group Policy Objects & Links

  • GPMC manages

    • GPO Links

    • Scope Of Management (SOM)

  • GPOs contain policy settings

  • Links define what objects the GPO will target

    • Scope Of Management (SOM)

      • Site, Domain, OU, OU,….

    • Filtering can be based on links to SOM

    • Better illustrates the relationship between GPOs and Links


Demo

Introducing Group Policy


Agenda

  • Introducing Group Policy

  • Common tasks with Group Policy

  • Planning & Best Practices


Common Tasks: Using Administrative Templates

  • Enables configuration of policy settings

    • Do not actually contain policy settings

    • Used by Group Policy Object Editor

    • Policy settings are contained in registry.pol

  • Windows Server 2003 contains:

    • System.adm

    • Inetres.adm

    • Conf.adm

    • Wmplayer.adm

    • Wuau.adm


Common Tasks: Using Administrative Templates

  • KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”

  • Superset principle from WS2003 RTM onwards

  • Historical .adm files available online

  • Never edit the OS-shipped .adm files

  • Know the benefits of a “true policy” (as compared to preferences)

    • Security (local administrators)

    • Cleanup (if GPO is out of scope)


Common Tasks: Account Policies

  • Password

  • Account lockout

  • Kerberos settings

  • Domain level vs OU level setting


Common Tasks: Software Restriction Policies

  • Windows Server 2003 and Windows XP

  • Base philosophies

    • Unrestricted

      • All programs run except those I select

    • Disallowed

      • Use with care

  • Policy rules

    • Hash

    • Certificate

    • Path

    • Internet Explorer Zone


Common Tasks: Restricted Groups

  • Membership of Active Directory security groups

    • No-one can be in Enterprise Administrators

    • Only these users are helpdesk staff

  • Membership of Local Groups

    • Helpdesk are members of local administrators


Common Tasks: Some of the rest…

  • Additional security

    • Registry Access Control Lists (ACLs)

    • File System Access Control Lists (ACLs)

    • Service Startup Mode

  • Internet Explorer Maintenance

  • Audit Policies

    • Especially on servers


Demo

Common Tasks with Group Policy


Agenda

  • Introducing Group Policy

  • Common tasks with Group Policy

  • Planning & Best Practices


Planning & Best Practices: OU Design

  • Why create OUs

  • Segment by role

    • Domain controllers

    • Computers

    • Users

  • Redirect default OU for new accounts

    • redirusr.exe and redircmp.exe

  • Use delegation of administration

    • Create/Update/Link GPOs


Planning & Best Practices: Group Policy Objects

  • Normalise GPOs – “GP Common Scenarios”

  • Naming conventions

    • Clear purpose and intent

    • 3-segment string: Scope/Purpose/Managed By

    • e.g. WW-Outlook-OTG

  • What about the number of GPOs?

    • MYTH: Fewer GPOs=Better performance

    • FACT: Number of settings is more important


Planning & Best Practices: General Guidance

  • Avoid Cross-Domain GPO links

    • Performance overhead

    • Alternative - GPMC scripts

  • Use the following sparingly

    • Enforce (no override)

    • Block Inheritance

    • Loopback

  • Keep it simple
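
A small model of the processing order from the Order of Precedence slides, extended with the Enforce and Block Inheritance behaviour listed above, showing which GPO wins each setting. This is an added example, not part of the original presentation; the class names, GPO names and setting keys are constructed, and loopback, security filtering and WMI filtering are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False            # "Enforce (no override)" on the link

@dataclass
class Container:
    name: str                         # Local, Site, Domain or an OU
    links: list = field(default_factory=list)   # lowest precedence first
    block_inheritance: bool = False
    is_local: bool = False            # local policy is never blocked

def effective_policy(chain):
    """chain is ordered Local, Site, Domain, Parent OU, Child OU."""
    # Non-enforced links above the deepest blocking container are dropped.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    ordered = [(c.name, l) for i, c in enumerate(chain) for l in c.links
               if not l.enforced and (i >= barrier or c.is_local)]
    # Enforced links apply last, deepest first, so the highest-level one wins.
    for c in reversed(chain):
        ordered.extend((c.name, l) for l in c.links if l.enforced)
    result = {}
    for origin, link in ordered:      # later writers overwrite earlier ones
        for key, value in link.settings.items():
            result[key] = (value, f"{origin}/{link.gpo}")
    return result

def sample_chain(block_child=False, enforce_domain=False):
    """Constructed containers, GPO names and setting keys."""
    return [
        Container("Local", [Link("Local Security Policy", {"Screensaver": "off", "Wallpaper": "none"})], is_local=True),
        Container("Site", [Link("Site-Proxy", {"Proxy": "proxy.example"})]),
        Container("Domain", [Link("Domain-Desktop", {"Screensaver": "on", "Wallpaper": "corp"}, enforced=enforce_domain)]),
        Container("Parent OU", [Link("Parent-Mail", {"MailCache": "on"})]),
        Container("Child OU", [Link("Child-Kiosk", {"Screensaver": "off"})], block_inheritance=block_child),
    ]

if __name__ == "__main__":
    for kwargs in ({}, {"block_child": True}, {"block_child": True, "enforce_domain": True}):
        print(kwargs, effective_policy(sample_chain(**kwargs)))
```

Each result value carries the winning GPO, which makes it easy to see how a single Enforce or Block Inheritance flag changes the outcome for every container below it.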


Planning & Best Practices: Using WMI Filters

  • XP and Windows Server 2003 Only

  • Performance hit

  • Limit to known lifetime if possible

  • Scriptomatic


Summary

  • Group Policy serves many purposes

  • If you’re not already using GPMC, why not?

  • It’s not as hard as it looks

    • …but without planning, it’s easy to make it look hard

  • http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy


Recommended Reading

“Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000”

By Jeremy Moskowitz

www.gpanswers.com


© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

