Windows 2000 Deployment Conference

Presentation Transcript

Windows 2000 Active Directory Organizational Unit and Group Policy Planning
Adam Gordon, MCS Senior Consultant, Microsoft Corporation


Agenda

  • OU concepts

  • OU planning & design principles

  • OU for delegation

  • OU for Group Policy

  • OU for publishing (and hiding) directory objects

  • OU design exercise



What Is an Organization Unit?

[Figure: a forest containing the domains Maggipharm.com and Bioquest.com; Bioquest.com has the child domains rsrch.bioquest.com, sales.bioquest.com and dev.bioquest.com]

  • A container inside a domain

  • The element of hierarchical structure within the domain


OUs vs. Domains

OUs are easily changed

  • Moved, renamed, deleted

  • Within a domain, objects move easily between OUs

  • Restructuring OUs has far less impact on performance than restructuring domains


    Domains vs. OUs

    • Replication boundary

    • Boundary for security policies (account, password and Kerberos policy) and for domain administrators

      • Rights intrinsic to Domain Admins

      • Note: a domain is an administrative boundary, not an isolation boundary; the forest is the security boundary


    OUs: What Are They Good For?

    • Delegating Administration

    • Group Policies

    • Organizing Published Objects in the directory


    OU Planning

    [Figure: planning sequence: forest plan, then domain plan, then OU plan, then site topology]

    • Create an OU plan for each domain


    OU Planning Methodology

    [Figure: the same sequence (forest plan, domain plan, OU plan, site topology); the OU plan step breaks down into three activities: delegate administration, apply Group Policy, organize objects]


    OU Design Principles

    • Keep it simple

    • Think supportability

    • Know your customer’s organizational and political boundaries

    • Detach the user from the workstation

    • Abstract the service from the server


    Current Environment Analysis

    • Logon Scripts

      • “Functional” Groups (ifmember)

    • Current Administrative Boundaries

    • Current Domain Infrastructure

      • User Domains and Resource Domains: why are they there?

    • Users & Workstations

      • Restricted Labs, Kiosks, Factory Floors

      • Elevated Special Apps and Devices



    OUs for Delegation

    • You can assign permissions to directory objects on a per-attribute basis

    • Use OUs to “group” objects with similar needs for administrative control

    • Use Administrative Delegation to reduce the number of Domain Admins

    • Like NT 4 User and Resource Domains…only better


    Class-based Delegation

    • Delegate administrative control on a per-class basis for each OU:

      • Users & Groups

      • Computers

        • Note: Workstations and Member Servers are both “Computers”

        • Domain Controllers are computer objects too, but are kept in their own Domain Controllers OU with its own policy; do not move them out of it

      • Folders

      • Printers


    Attribute-based Delegation

    • You can also assign rights to specific attributes of an object class

      • Example: the Telecom department gets write access to users’ telephone attributes and nothing else


    OU Delegation Illustrated

    [Figure: domain.edu containing the OUs Medicine, Law and Engineering. The Engineering OU carries an ACE granting ENG Admins Full Control; its child OUs are Civil and Electrical. The Electrical OU carries two ACEs granting EE Admins Full Control over Group objects and Full Control over Computer objects.]


    Delegation Made Easy

    • Use the Delegation of Control Wizard

    • A demo…


    Delegation Made Hard

    [Figure: a directory object carries an ACL; the ACL is a list of ACEs, and an ACE can apply to specific attributes]

    • Directly modify object ACLs

    • Object access control

    • Go to the chalk talk to discuss details
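The delegation in the OU Delegation Illustrated diagram (EE Admins with Full Control over group and computer objects in Electrical) and the Telecom attribute example, done by editing the OU's ACL directly, as an added example that is not part of the original deck. Windows 2000 had no PowerShell (the deck's tools are the Delegation of Control Wizard and the dsacls resource-kit tool); this uses the ActiveDirectory module and its AD: drive on a current domain controller, but the ACE semantics (class GUID, attribute GUID, inheritance scope) are exactly what the wizard writes. The OU path OU=Electrical,OU=Engineering and the groups EE Admins and Telecom Admins are assumptions.

```powershell
# Added example (not from the deck): class-based and attribute-based OU delegation by editing
# the OU's ACL directly, which is what the Delegation of Control Wizard does for you.
# Requires the ActiveDirectory module (RSAT). OU path and group names are assumptions.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$eeOu     = "OU=Electrical,OU=Engineering,$domainDn"   # assumed to exist
$eeAdmins = (Get-ADGroup 'EE Admins').SID               # assumed group
$telecom  = (Get-ADGroup 'Telecom Admins').SID          # assumed group

# Look the schemaIDGUIDs up in the schema instead of hard-coding them; the GUID in an ACE
# is what makes it class-specific (inheritedObjectType) or attribute-specific (objectType).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$groupClass    = Get-SchemaGuid 'group'
$computerClass = Get-SchemaGuid 'computer'
$userClass     = Get-SchemaGuid 'user'
$phoneAttr     = Get-SchemaGuid 'telephoneNumber'

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$acl     = Get-Acl -Path "AD:\$eeOu"

# Class-based delegation: EE Admins may create/delete group and computer objects in the OU
# tree and get Full Control over those objects, but get nothing on the OU itself or on users.
foreach ($class in $groupClass, $computerClass) {
    # Create/Delete child objects of this class on the OU and every sub-OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $eeAdmins, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $class, $Inherit::All))
    # Full Control over existing and future objects of this class below the OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $eeAdmins, $Rights::GenericAll, $Allow, $Inherit::Descendents, $class))
}

# Attribute-based delegation: Telecom may read and write only telephoneNumber on user objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $telecom, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow,
    $phoneAttr, $Inherit::Descendents, $userClass))

Set-Acl -Path "AD:\$eeOu" -AclObject $acl

# Check what was granted (dsacls "$eeOu" shows the same ACEs in its own format).
Get-Acl -Path "AD:\$eeOu" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -match 'EE Admins|Telecom Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Two caveats a practitioner should keep in mind when reviewing delegations like this: GenericAll over computer objects is a lot of power (it includes resetting those machine accounts' passwords and writing their attributes), so scope it to the narrowest OU that works; and none of these ACEs ever reach user accounts that belong to protected groups such as Domain Admins, because the AdminSDHolder process rewrites the ACLs of protected accounts every 60 minutes by default.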



    OU Planning: Apply Group Policy

    • Group policy is used to control desktop configurations

      • Applied to Users and Computers

      • Associated with Sites, Domains, or Organizational Units

    • Create OUs to apply unique policy

      • Filter application of policy using access control


    Change And Configuration Management

    Feature                                              Benefit
    IntelliMirror: user data management                  Increased protection and availability of people’s data (“My Documents follow me!”)
    IntelliMirror: software installation & maintenance   Increased availability of the applications that people need (“My Applications follow me!”)
    IntelliMirror: user settings management              Increased computer availability (“My Personal Settings follow me!”)
    Remote OS installation                               Fast recovery, setup and (re)configuration of computer and operating system


    Change And Configuration Management: Technologies

    Feature                                              Technology used
    IntelliMirror: user data management                  Active Directory, Group Policy, Offline Files (client-side caching, CSC), Synchronization Manager, enhanced shell functionality, disk quotas
    IntelliMirror: software installation & maintenance   Active Directory, Group Policy, Windows Installer, Software Installation snap-in (Application Deployment Editor), Add/Remove Programs, Dfs
    IntelliMirror: user settings management              Active Directory, Group Policy, Offline Files (CSC), roaming user profiles, enhanced shell functionality
    Remote OS installation                               Active Directory, Group Policy, remote install (RIS) server, remote-install-capable workstation (NetPC, PC98, or boot floppy)

    All four features are driven through Group Policy.


    Group Policy: The Basics


    What Is Group Policy?

    Technology that enables you to specify requirements for your users’ environment and then rely on Windows 2000 to continually enforce them

    Examples:

    • “The Sales department will have Office 2000”

    • “Disable Log Off on the Start Menu for all Receptionists”

    • “Audit all failed logon attempts for all computers in the Atlanta area, in the Peachtree office”


    Group Policy Requires…

    • Windows 2000 Active Directory

    • Windows 2000 Professional clients

    • No support for Windows NT 4.0 or earlier

    • No support for Windows 9x or earlier


    What Can You Do With Group Policy?

    Administrative Templates   Registry-based policy settings

    Security                   Options for local, domain, and network security

    Software Installation      Central management of software installation

    Scripts                    Startup, shutdown, logon, and logoff scripts

    Folder Redirection         Store users’ folders on the network


    Where Does Group Policy Live?

    • Within group policy objects (GPOs)

      • Created within a domain

      • Linked to any number of sites, domains, and organizational units (SDOUs)

      • Multiple GPOs can be linked to a single SDOU


    When Does Group Policy Get Applied?

    Computer starts:

      • Computer settings from Group Policy are applied

      • Startup scripts run

    User logs on:

      • User settings from Group Policy are applied

      • Logon scripts run

    …and at periodic intervals (more on this later)


    Where Does My Policy Come From?

    • Site, Domain, OU hierarchy

    • Policy is inherited

    • “Closer” settings override “farther” ones

    [Figure: processing order is Site (1), then Domain (2), then OU (3); the OU, processed last, is closest to the user or computer]



    Modifying Inheritance

    • No Override prevents child containers from overriding policies set at higher levels

    • Block Inheritance prevents inheritance of all policies from parent containers

    • Highest No Override takes precedence over lower No Overrides

    • No Override takes precedence over Block Inheritance


    What If An SDOU Is Linked To Multiple GPOs?

    • GPOs higher in the list override GPOs lower in the list

    • GPOs are processed in reverse order of the list (bottom first), so the GPO at the top is applied last and wins any conflict


    What If I Don’t Want Everyone In An OU To Be Affected By A GPO?

    • You cannot link a GPO to a security group

    • You can “filter” GPOs by changing the default permissions on the GPO, using security groups

    • A security principal needs both the Read and the Apply Group Policy ACEs for a GPO to apply to it

    • You need Read to read a GPO, and Read plus Write to modify it


    Default GPO Permissions

    • Authenticated Users

      • Read

      • Apply Group Policy

    • Local System, Domain Admins, Enterprise Admins

      • All permissions except Apply Group Policy
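The mechanics from the last three slides (link order, No Override, Block Inheritance, and filtering a GPO with Read plus Apply Group Policy) as one added example, not part of the original deck. Windows 2000 did this through the Group Policy tab in Active Directory Users and Computers; this uses the GroupPolicy module on a current domain controller, where No Override is called Enforced. The OU OU=Lab,OU=Engineering, the GPO names and the group Lab Users are assumptions.

```powershell
# Added example (not from the deck): GPO precedence and security filtering on an OU.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT). Names and paths are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$labOu    = "OU=Lab,OU=Engineering,$domainDn"   # assumed to exist

# Two GPOs linked to the same OU. The link order list is processed bottom-up, so the link
# with Order 1 (top of the list) is applied last and wins conflicts, as the slide states.
$baseline = New-GPO -Name 'Workstation Baseline' -Comment 'Added example'
$lockdown = New-GPO -Name 'Lab Lockdown'         -Comment 'Added example'
New-GPLink -Name $baseline.DisplayName -Target $labOu -LinkEnabled Yes -Order 1 | Out-Null
New-GPLink -Name $lockdown.DisplayName -Target $labOu -LinkEnabled Yes -Order 1 | Out-Null  # pushes Baseline to 2

# Block Inheritance on the Lab OU: parent OU and domain links no longer apply here...
Set-GPInheritance -Target $labOu -IsBlocked Yes | Out-Null

# ...except links marked No Override (Enforced), which beat Block Inheritance. A domain-level
# security baseline is the usual candidate.
$corp = New-GPO -Name 'Corporate Security Baseline' -Comment 'Added example'
New-GPLink -Name $corp.DisplayName -Target $domainDn -LinkEnabled Yes -Enforced Yes | Out-Null

# Security filtering: Lab Lockdown must apply only to members of 'Lab Users'.
# 1. The group gets Read + Apply Group Policy.
Set-GPPermission -Name $lockdown.DisplayName -TargetName 'Lab Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# 2. Authenticated Users keep Read but lose Apply Group Policy. Do not remove Read entirely:
#    since MS16-072 (June 2016) user-side policy is retrieved in the computer's security
#    context, and a GPO the computer account cannot read is silently skipped for every user.
Set-GPPermission -Name $lockdown.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Checks: effective precedence on the OU (lowest Order = highest precedence; the enforced
# domain link still shows up despite Block Inheritance), and who can apply Lab Lockdown.
(Get-GPInheritance -Target $labOu).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
Get-GPPermission -Name $lockdown.DisplayName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

The deck's best-practice slide asks you to limit inheritance modification and filtering; the checks at the end are the reason. Once Block Inheritance and Enforced links are in play, Get-GPInheritance (or gpresult on the client) is the only reliable way to see what actually applies to an OU.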



    Creating A Domain Or OU GPO

    [Screenshot: Active Directory Users and Computers (dsa.msc) showing the domain tree (Builtin, Computers, Domain Controllers and a custom OU) and the right-click menu on an OU: Delegate Control…, Add members to a Group, Move…, Find…, New, All Tasks, View, New Window from Here, Delete, Rename, Refresh, Export List…, Properties, Help. Choose Properties, then the Group Policy tab, where New creates a GPO for that domain or OU and Properties edits an existing one.]


    Creating A Site GPO

    • Use Active Directory Sites and Services

    • You must be a member of Enterprise Admins

    • By default, a site GPO is stored in the enterprise root domain

      • This may be altered at creation time, by changing the DC that the ADS&S snap-in is using and then creating a new GPO


    Disabling A GPO

    • You can disable a GPO or just the User or Computer Settings nodes


    Deleting A GPO

    • “Deleting” a GPO from an SDOU gives you a choice between

      • Unlinking the GPO from the SDOU

      • Permanently deleting the GPO





    Registry-Based Policy Settings

    Each setting has three states:

    • Not Configured: ignore (the registry is left alone)

    • Enabled: implement

    • Disabled: do not implement, and remove the setting from the registry



    Administrative Templates

    • Framework for defining registry-based policies

    • Text file with .adm extension

    • Windows 2000 ships with system.adm and inetres.adm



    Script Settings

    [Figure: Computer Configuration holds the computer’s startup/shutdown scripts; User Configuration holds the user’s logon/logoff scripts]

    • You can assign multiple scripts and set the processing order

    • Default timeout is 10 minutes

      • Computer Configuration\Administrative Templates\System\Logon

      • “Maximum wait time for Group Policy scripts”


    Security Policy Settings

    Account Policies       Configure password, account lockout, and Kerberos policies (domain only)

    Local Policies         Configure auditing, user rights, and security options

    Event Log              Configure settings for application, system, and security logs

    Restricted Groups      Configure the membership of security-sensitive groups (members not listed are removed at each policy refresh)

    System Services        Configure security and startup settings for services running on a computer

    Registry               Configure security on registry keys

    File System            Configure security on specific file paths

    Public Key Policies    Configure encrypted data recovery agents, domain roots, and trusted root certification authorities

    IP Security Policies   Configure IP security on a network


    Software Installation And Maintenance

    • Assigning applications to computers: assign applications to computers if the applications are required by anyone using a specific computer

    • Publishing applications: publish applications that are not required by users, but might be useful to them


    Folder Redirection Settings

    • You can redirect

      • Application Data

      • Desktop

      • My Documents

      • My Pictures

      • Start Menu

    • …To reduce logon time and increase availability


    Folder Redirection Options

    • For each folder, you can choose between

      • No policy

      • Basic, which redirects all users to the same place

      • Advanced, which allows you to specify different locations for users based on security group membership


    Group Policy Best Practices

    • Limit how often group policy is updated (to reduce replication)

    • Limit the number of admins who can edit GPOs (to reduce possibility of simultaneous editing)

    • Limit inheritance modification, filtering, and loopback (to simplify troubleshooting)

    • Limit the number of GPOs that apply to an SDOU (to improve logon performance)

    • Test! (to reduce Help desk calls)

    • Use the Support Tools



    Published Objects

    • Shared Folders

    • Printers

    • Users & Groups

    • Application-Specific


    Shared Folder Objects

    [Figure: a domain containing several OUs, each holding shared folder objects]

    • A shared folder directory object abstracts a shared folder or Dfs volume

      • A UNC path points to the resource


    Printer Objects

    [Figure: a domain containing several OUs, each holding printer objects]

    • A printer directory object abstracts a shared printer

      • The printer object attributes include:

        • The printer’s UNC path

        • Printer model and capabilities


    Locating Resources

    • Resources are located by searching or walking the directory

    • A search of the entire directory sends an LDAP query to the global catalog

    • Use UI, ADSI or LDAP

    • Search by:

      • Name

      • Class (e.g. Printer)

      • Attribute (e.g. location)
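The three kinds of search the slide lists (by name, by class, by attribute) against published printer and shared-folder objects, as an added example that is not part of the original deck. It uses the ActiveDirectory module rather than the Windows 2000 Find dialog or raw ADSI, but the LDAP filters are what either would send. Because the search value usually comes from a user, the example also escapes it per RFC 4515 so it cannot rewrite the filter (LDAP injection). The attribute values used in the usage lines are constructed.

```powershell
# Added example (not from the deck): locate published printers (printQueue objects) and
# shared folders (volume objects) by class and attribute, via a DC or the global catalog.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter. Only '\', '(', ')', NUL and
# (unless wildcards are wanted) '*' are special; everything else, non-ASCII included, passes through.
function ConvertTo-LdapFilterValue([string]$Value, [switch]$AllowWildcard) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '\'  { [void]$sb.Append('\5c') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            '*'  { [void]$sb.Append($(if ($AllowWildcard) { '*' } else { '\2a' })) }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Find-PublishedResource {
    param(
        # Class and attribute are whitelisted: they are interpolated into the filter unescaped.
        [Parameter(Mandatory)][ValidateSet('printQueue', 'volume')][string]$Class,
        [Parameter(Mandatory)][ValidateSet('cn', 'printerName', 'location', 'uNCName', 'keywords')][string]$Attribute,
        [Parameter(Mandatory)][string]$Value,   # user-supplied; '*' acts as a wildcard
        [switch]$ForestWide                      # query the global catalog (3268) instead of a DC (389)
    )
    $safe   = ConvertTo-LdapFilterValue -Value $Value -AllowWildcard
    $filter = "(&(objectClass=$Class)($Attribute=$safe))"
    $params = @{ LDAPFilter = $filter; Properties = 'printerName', 'uNCName', 'location', 'serverName', 'keywords' }
    if ($ForestWide) {
        # The GC holds every object in the forest but only the partial attribute set; an
        # attribute not in that set comes back empty and must be read from a DC of the owning domain.
        $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
        $params.Server     = "${gc}:3268"
        $params.SearchBase = ''   # empty base on a GC = whole forest
    }
    Get-ADObject @params | Select-Object Name, ObjectClass, uNCName, location, keywords
}

# Usage (constructed values): all printers in building 5 anywhere in the forest, one printer
# by name in this domain, and shared folders tagged with an Engineering keyword. The last call
# shows the escaping at work: the parenthesis cannot close the filter early.
Find-PublishedResource -Class printQueue -Attribute location    -Value 'Bldg 5*' -ForestWide
Find-PublishedResource -Class printQueue -Attribute printerName -Value 'HP LaserJet 4050 (2nd floor)'
Find-PublishedResource -Class volume     -Attribute keywords    -Value 'Engineering'
```

With the filter built this way, a value such as `*)(objectClass=*` is sent as `\2a\29\28objectClass=\2a` when wildcards are off, or as `*\29\28objectClass=*` when they are on, and matches nothing instead of enumerating the directory.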


    Organize Objects into OUs

    • May help users to find resources

      • Avoid too much granularity

      • There are other ways…

    • Apply ACLs on OUs to control visibility collectively for objects with the same visibility requirements

      • Example: chargeback printers

      • Note: ACLs on directory objects do not equate to ACLs on their referenced resources; hiding a printer object does not stop a user who knows the UNC path from printing if the printer share’s own ACL allows it


    OU Review

    • Use OUs for:

      • Delegating Administration

      • Group Policy

      • Publishing, organizing and hiding directory objects

    • You can apply a variety of access controls to OUs and the various classes of objects therein

    • OU hierarchies support inheritance and filtering of inheritance


    OU Design Principles

    • Keep it simple

    • Think supportability

    • Know your customer’s organizational and political boundaries

    • Detach the user from the workstation

    • Abstract the service from the server


    And Some More

    • Balance between the Enterprise and its business units (division, departments, whatever)

    • Where possible, align administrative delegation, group policies and resource publication

      • If you can’t, consider parallel hierarchies (instead of OU spaghetti)

    • Focus on reuse of GPOs

      • Leverage those links

    • The “Chutes and Ladders” School of Active Directory Design


    Keep in Mind

    • There’s no one right answer

      • Understand the technologies

      • Understand your administrative hierarchy

      • Create the simplest design possible that meets your needs

      • Think about future reorganization

      • Ask the question “How will I troubleshoot this?”

      • Document the design


    Some Design Approaches

    • Shallow and Wide

    • Deep

      • Advantage: Inheritance & Filtering

      • Disadvantage: Inheritance & Filtering

    • Parallel Hierarchies

    • Separate OUs for Users and Workstations


    For More Information

    • Introduction to Windows 2000 Group Policy: http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicyintro.asp

    • Group Policy Scenarios: http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicy.asp

    • Group Policy Step-by-Step: http://www.microsoft.com/windows2000/library/planning/management/groupsteps.asp



    Windows 2000 Deployment Conference

    Where do you want to go today?