1 / 41

Understanding Group Policy on Windows Server 2003

Understanding Group Policy on Windows Server 2003. John Howard, IT Pro Evangelist, Microsoft UK http://blogs.technet.com/jhoward. Agenda. Introducing Group Policy Common tasks with Group Policy Planning & Best Practices. Introducing Group Policy Basic Understanding.

margaux
Download Presentation

Understanding Group Policy on Windows Server 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Understanding Group Policy on Windows Server 2003 John Howard, IT Pro Evangelist, Microsoft UK http://blogs.technet.com/jhoward

  2. Agenda • Introducing Group Policy • Common tasks with Group Policy • Planning & Best Practices

  3. Introducing Group PolicyBasic Understanding • Works with Windows 2000 and later • Enable one-to-many management of users and computers • Simplify administrative tasks • Implement security settings • Implement standard computing environments

  4. Introducing Group PolicyGroup Policy Terms • Group Policy Management Console • Group Policy settings • Group Policy Object Editor • Active Directory containers • Site • Domain • OUs • Child OUs

  5. Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  6. Security Settings Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  7. Software Restrictions Security Settings Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  8. Software Distribution Software Restrictions Security Settings Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  9. Software Distribution Software Restrictions Security Settings Computer and User Scripts Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  10. Software Distribution Software Restrictions Roaming Profiles and Redirected Folders Security Settings Computer and User Scripts Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  11. Software Distribution Offline Folders Software Restrictions Roaming Profiles and Redirected Folders Security Settings Computer and User Scripts Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  12. Internet Explorer Maintenance Software Distribution Offline Folders Software Restrictions Roaming Profiles and Redirected Folders Security Settings Computer and User Scripts Registry-based Policy Introducing Group PolicyGroup Policy Capabilities

  13. Introducing Group PolicyDefault Policies • Local Security Policy • Default Domain Policy • Default Domain Controllers Policy

  14. Introducing Group PolicyWhere is Group Policy Stored

  15. Introducing Group PolicyWhere is Group Policy Stored

  16. Introducing Group PolicyOrder of Precedence Local Security Policy

  17. Introducing Group PolicyOrder of Precedence Site Policy Local Security Policy

  18. Introducing Group PolicyOrder of Precedence Domain Policy Site Policy Local Security Policy

  19. Introducing Group PolicyOrder of Precedence Parent OU Policy Domain Policy Site Policy Local Security Policy

  20. Introducing Group PolicyOrder of Precedence Child OU Policy Parent OU Policy Domain Policy Site Policy Local Security Policy

  21. Introducing Group PolicyGroup Policy Management Console • Unified, easy to use GUI • Backup/Restore of GPOs • Import/Export and Copy/Paste of GPOs • Simplified security • HTML reporting • Scripting of Group Policy tasks

  22. Introducing Group PolicyGroup Policy Objects & Links • GPMC manages • GPO Links • Scope Of Management (SOM) • GPOs contain policy settings • Links define what objects the GPO will target • Scope Of Management (SOM) • Site, Domain, OU, OU,…. • Filtering can be based on links to SOM • Better illustrates the relationship between GPOs and Links

  23. Demo Introducing Group Policy

  24. Agenda • Introducing Group Policy • Common tasks with Group Policy • Planning & Best Practices

  25. Common tasksUsing Administrative Templates • Enables configuration of policy settings • Do not actually contain policy settings • Used by Group Policy Object Editor • Policy settings are contained registry.pol • Windows Server 2003 contains: • System.adm • Inetres.adm • Conf.adm • Wmplayer.adm • Wuau.adm

  26. Common tasksUsing Administrative Templates • KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files” • Superset principle from WS2003 RTM onwards • Historical .adm files available online • Never edit the OS-shipped .adm files • Know the benefits of a “true policy” (as compared to preferences) • Security (local administrators) • Cleanup (if GPO is out of scope)

  27. Common TasksAccount Policies • Password • Account lockout • Kerberos settings • Domain level vs OU level setting

  28. Common TasksSoftware Restriction Policies • Windows Server 2003 and Windows XP • Base philosophies • Unrestricted • All programs run except those I select • Disallowed • Use with care • Policy rules • Hash • Certificate • Path • Internet Explorer Zone

  29. Common TasksRestricted Groups • Membership of Active Directory security groups • No-one can be in Enterprise Administrators • Only these users are helpdesk staff • Membership of Local Groups • Helpdesk are members of local administrators

  30. Common TasksSome of the rest…. • Additional security • Registry Access Control Lists (ACLs) • File System Access Control Lists (ACLs) • Service Startup Mode • Internet Explorer Maintenance • Audit Policies • Especially on servers

  31. Demo Common Tasks with Group Policy

  32. Agenda • Introducing Group Policy • Common tasks with Group Policy • Planning & Best Practices

  33. Planning & Best PracticesOU Design • Why create OU’s • Segment by role • Domain controllers • Computers • Users • Redirect default OU for new accounts • redirusr.exe and redircmp.exe • Use delegation of administration • Create/Update/Link GPOs

  34. Planning & Best PracticesGroup Policy Objects • Normalise GPOs – “GP Common Scenarios” • Naming conventions • Clear purpose and intent • 3-segment string: Scope/Purpose/Managed By • e.g. WW-Outlook-OTG • What about the number of GPOs? • MYTH: Fewer GPOs=Better performance • FACT: Number of settings is more important

  35. Planning & Best PracticesGeneral Guidance • Avoid Cross-Domain GPO links • Performance overhead • Alternative - GPMC scripts • Use the following sparingly • Enforce (no override) • Block Inheritance • Loopback • Keep it simple

  36. Planning & Best PracticesUsing WMI Filters • XP and Windows Server 2003 Only • Performance hit • Limit to known lifetime if possible • Scriptomatic

  37. Summary • Group Policy serves many purposes • If you’re not already using GPMC, why not? • It’s not as hard as it looks • …but without planning, it’s easy to make it look hard • http://www.microsoft.com/windowsserver2003/ technologies/management/grouppolicy

  38. Recommended Reading “Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000” By Jeremy Moskowitz www.gpanswers.com

  39. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

  40. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

  41. Understanding Group Policy on Windows Server 2003 John Howard, IT Pro Evangelist, Microsoft UK http://blogs.technet.com/jhoward

More Related