70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy
Understanding Group Policy Concepts • Group Policy Objects (GPOs) • Local GPOs are stored on each Windows 2000+ client and server • Non-local GPOs are stored at the domain level within AD
Introduction to Group Policy • Group policy centralizes management of user and computer configuration settings throughout a network • A group policy object is an Active Directory object used to configure policy settings for user and computer objects • There are two default Group Policy Objects: • Default Domain Policy (linked to domain container) • Default Domain Controllers Policy (linked to domain controller OU)
Introduction to Group Policy (continued) • You can modify default GPOs • You can create new GPOs and link them to particular sites, domains, and OUs • Policy settings will be propagated to all users and computers in the container, including child OUs • Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP
Creating a Group Policy Object • Two ways to create a GPO: • Group Policy standalone Microsoft Management Console (MMC) snap-in • Group Policy extension in Active Directory Users and Computers
Group Policy • Desktop settings • Security • Scripts • Computer • User • Folder redirection • Software deployment
Editing a GPO • Computer or User Configuration
Editing a GPO (continued) • Two tabs in Properties of each setting: • Setting allows you to enable or disable the setting • Explain provides information about the setting • GPO content is stored in 2 locations: • Group Policy container (GPC) • An AD container • Stores info such as GUID and Version • System\Policies • Group Policy template (GPT) • Stores GPO settings • Registry changes stored in Registry.pol • %systemroot%\sysvol\<domain name>\Policies • A GPO is identified by a 128-bit globally unique identifier (GUID)
Understanding Group Policy Concepts • Group Policy template information
Understanding Group Policy Concepts • Group Policy template subfolders
Understanding Group Policy Concepts • Group Policy template subfolders • GPT.INI • In root folder of each template • Enabled/Disabled • Version
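An added example (not from the original slides): the Version value in GPT.INI packs two counters, user in the high 16 bits and computer in the low 16 bits, and the same number is kept on the GPC as the `versionNumber` attribute, so comparing the two spots a GPO whose SYSVOL copy and AD object are out of step. The folder name, file contents and GPC value used here are constructed.

```python
import configparser
import re

# A GPO folder under ...\Policies is named after its 128-bit GUID (32 hex digits).
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: contents of a GPT.INI file (not from a real domain).
SAMPLE_GPT_INI = "[General]\nVersion=196613\n"


def split_version(version):
    """Split the 32-bit GPO version: high 16 bits = user, low 16 bits = computer."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}


def read_gpt_version(ini_text):
    """Read Version from the [General] section of GPT.INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.getint("General", "Version")


def check_gpo(folder_name, ini_text, gpc_version):
    """Return findings for one GPO; an empty list means GPT and GPC agree.

    gpc_version is the versionNumber read from the GPC object in AD
    (supplied by the caller; this example does not query a directory).
    """
    findings = []
    if not GUID_RE.match(folder_name):
        findings.append("folder name is not a GUID")
    gpt = split_version(read_gpt_version(ini_text))
    gpc = split_version(gpc_version)
    for half in ("user", "computer"):
        if gpt[half] != gpc[half]:
            findings.append(
                f"{half} version differs: GPT={gpt[half]} GPC={gpc[half]}"
            )
    return findings


if __name__ == "__main__":
    guid = "{11111111-2222-3333-4444-555555555555}"  # constructed placeholder
    print(split_version(read_gpt_version(SAMPLE_GPT_INI)))
    print(check_gpo(guid, SAMPLE_GPT_INI, 196614))
```

A mismatch that persists after replication has settled is worth investigating, since clients decide whether to reprocess a GPO from these version numbers.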
Application of Group Policy • Two main categories to a Group Policy • Computer configuration (settings apply to computers in the container) • User configuration (settings apply to users in the container) • Upon computer startup (or user logon) • Computer queries domain controller for GPOs. Domain controller finds applicable GPOs. • Domain controller presents list of GPOs. The client gets Group Policy templates, applies the settings and runs the scripts. • Same basic process happens for user logons
Group Policies • Computer settings take precedence over user settings • Computer settings take effect • After refresh interval 90+ minutes • When OS restarted • User setting • After refresh interval 90+ minutes • When new logon
Group Policies • Policy settings • Not Configured • Processed • Enabled • Processed • Disabled • Not Processed • Local Computer policy settings • Applied as soon as they are saved
Controlling User Desktop Settings • Administrative templates • Used to limit user manipulation of user desktop and computer configurations • Aim is to reduce administrative costs • Seven main categories of configuration settings can be applied to either computer or user section of a GPO
Managing Security Settings with Group Policy • Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects • Other nodes in Security Settings category can be applied at both domain and OU levels • Local Policies – apply to the local account database • May be overwritten by domain or OU policies • Audit Policy • User Rights Assignment • Security Options
Understanding Group Policy Concepts • Password Policy settings, under Windows settings • Password History • Password age • Min Length • Complexity • Encryption
Understanding Group Policy Concepts • Account Lockout Policy under Windows settings • Duration • Threshold • Reset • Zero: must be manually reset
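The password and lockout settings listed above are stored in a GPO's security template (GptTmpl.inf) under `[System Access]`; this added example, which is not part of the original slides, checks that section against a baseline. The thresholds in `BASELINE` and the sample template are assumptions chosen for illustration.

```python
import configparser

# Constructed sample of a security template's [System Access] section.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
ClearTextPassword = 1
LockoutBadCount = 0
"""

# Assumed baseline (illustrative values): key -> (passes?, message if it fails)
BASELINE = {
    "PasswordHistorySize": (lambda v: v >= 12, "history shorter than 12"),
    "MaximumPasswordAge": (lambda v: 0 < v <= 90, "passwords never or rarely expire"),
    "MinimumPasswordAge": (lambda v: v >= 1, "immediate re-change defeats history"),
    "MinimumPasswordLength": (lambda v: v >= 8, "minimum length below 8"),
    "PasswordComplexity": (lambda v: v == 1, "complexity not enforced"),
    "ClearTextPassword": (lambda v: v == 0, "reversible encryption enabled"),
    "LockoutBadCount": (lambda v: 0 < v <= 10, "lockout disabled or too lenient"),
}


def audit_system_access(inf_text):
    """Return (key, value, message) for each setting that misses the baseline."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False
    )
    parser.optionxform = str  # keep the template's key case
    parser.read_string(inf_text)
    has = parser.has_section("System Access")
    section = parser["System Access"] if has else {}
    findings = []
    for key, (passes, message) in BASELINE.items():
        if key not in section:
            # Not defined here: the value comes from another GPO or the default.
            findings.append((key, None, "not defined in this GPO"))
        elif not passes(int(section[key])):
            findings.append((key, int(section[key]), message))
    return findings


if __name__ == "__main__":
    for finding in audit_system_access(SAMPLE_INF):
        print(finding)
```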
Managing Security Settings with Group Policy (continued) • Event Log • Restricted Groups – controls group membership • System Services • Registry • File System • Wireless Network Policies • Public Key Policies • Software Restriction Policies • IP Security Policies on Active Directory
Assigning Scripts • Windows Server 2003 can run scripts during: • User logon or logoff • User section of GPO • Computer startup and shutdown • Computer section of GPO • Default is for scripts to run synchronously from top to bottom • Can specify script time-outs, asynchronous execution, and hiding of scripts