70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 11: Group Policy for Corporate Policy

Objectives
• Understand and describe the purpose of Group Policy
• Describe how Group Policy is applied
• Manage desktop computers using Group Policy
• Analyze and configure security settings using Group Policy
• Install and use the Group Policy Management Console
• Troubleshoot Group Policy
Guide to MCSE 70-294, Enhanced
Group Policy
• Introduced in Windows 2000
• Enhanced in Windows XP and Windows Server 2003
• Largely a collection of registry entries delivered to users and computers
• Enhancements in Windows Server 2003: transient policy settings and expanded capabilities

Administrative Templates
• Files with the .adm extension
• Describe the registry settings that appear under Administrative Templates in the Group Policy Object Editor
• Those settings can be configured in the local computer policy or in a domain GPO
• Included with Windows Server 2003: System.adm, Inetres.adm, Wmplayer.adm, Conf.adm, Wuau.adm

Client-side Extensions
• Allow for more advanced control and configuration than registry-based settings alone
• Included with Windows Server 2003 and Windows XP:
  • EFS (Encrypting File System) recovery
  • Folder redirection
  • Internet Explorer maintenance
  • IP security
  • Microsoft Disk Quota
  • QoS Packet Scheduler
  • Scripts
  • Security
  • Software installation
  • Wireless
Group Policy Storage
• Stored on domain controllers (GPOs) and on local computers (the local policy object)
• Local policy object
  • Stored in the hidden %SystemRoot%\System32\GroupPolicy folder
  • Referred to as local computer policy
  • Applies only to the local computer
  • Well suited to a workgroup environment
• GPOs
  • Stored on domain controllers and centrally managed
  • A single GPO typically affects many users and computers
  • One part is stored in the Active Directory database and is called the group policy container (GPC)
  • The other part is stored in the SYSVOL share and is referred to as the group policy template (GPT)
• GPT subfolders: Adm, USER, USER\applications, MACHINE, MACHINE\applications
Creating a Group Policy Object
• Tools for creating GPOs:
  • Group Policy Object Editor standalone Microsoft Management Console (MMC) snap-in
  • Group Policy extension in Active Directory Users and Computers

Activity 11-1: Creating a Group Policy Object Using the MMC
• Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs
• Follow the directions to create GPOs

Group Policy Processing
• GPOs are linked to sites, domains, and organizational units using GPO links
• A GPO applies to the user and computer objects that exist in the container to which it is linked, and in the containers beneath it
• One GPO can be linked to multiple organizational units, sites, or even domains
• A GPO is stored only on the domain controllers of the domain in which it was created
Group Policy Priority
• Processing order:
  • The local computer policy is applied first
  • Any GPOs linked to the site are applied
  • GPOs linked to the domain are applied
  • GPOs linked to organizational units are applied, parent OU before child OU
• The process is followed twice:
  • Once for Computer Configuration, when the computer starts up
  • Once for User Configuration, when the user logs on

Default GPO Processing Order (figure)

Dealing with Conflict
• Each policy setting can be Enabled, Disabled, or Not Configured
• Policy settings from multiple GPOs are combined as long as they do not conflict; a Not Configured setting never overrides one set elsewhere
• In case of conflict, the GPO applied last wins, so an OU-linked GPO normally overrides a domain-linked one

Modifying Group Policy Priority
• Modify the default priority by configuring:
  • No Override (called Enforced in the Group Policy Management Console): the GPO's settings cannot be overridden by GPOs applied later; if several No Override GPOs conflict, the one linked higher in the hierarchy wins
  • Block Policy Inheritance: the container does not receive GPOs linked to parent containers, except those set to No Override
  • Loopback Processing Mode: the User Configuration settings of the GPOs that apply to the computer are applied whoever logs on
Controlling Group Policy Application with Permissions
• GPOs cannot be linked to groups
• Application of Group Policy can instead be controlled through permissions on the GPO (security filtering)
• Standard permissions available on a GPO: Full Control, Read, Write, Create All Child Objects, Delete All Child Objects, Apply Group Policy
• A GPO is processed only for users and computers that have both Read and Apply Group Policy; an explicit Deny on Apply Group Policy excludes a group even when another group membership grants it
• By default, Authenticated Users have Read and Apply Group Policy on every new GPO

Activity 11-5: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of policy settings
• Follow the instructions to stop the settings in the Marketing Policy GPO from applying to the Administrators group
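The processing order, the last-writer-wins conflict rule, No Override, Block Policy Inheritance and security filtering from the slides above, combined in one runnable simulation. This is an added example written for this page, not code from the book or from Windows; the site, domain, OU names, GPO names, setting names and group memberships are constructed for illustration (the Marketing Policy is filtered away from Administrators as in Activity 11-5).

```python
"""Simulation of Group Policy processing order and conflict resolution.

Added example, not Microsoft code.  Models local -> site -> domain -> OU
ordering, last writer wins, No Override (Enforced in GPMC), Block Policy
Inheritance and security filtering via the Apply Group Policy permission.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                  # setting -> value; absent = Not Configured
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: set = field(default_factory=set)    # explicit Deny beats any Allow

    def applies_to(self, groups):
        """Read + Apply Group Policy must be effective for the GPO to be processed."""
        if self.apply_deny & groups:
            return False
        return bool(self.apply_allow & groups)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:
    name: str
    links: list                       # highest link priority first
    block_inheritance: bool = False


def resolve(local_settings, chain, groups):
    """chain lists containers outermost first: [site, domain, ou, sub-ou].

    Returns (resultant settings, GPO names in the order they were applied).
    """
    # Block Policy Inheritance drops non-enforced GPOs linked above the innermost
    # blocking container.  The local policy is not inherited, so it is unaffected.
    first_unblocked = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            first_unblocked = i

    normal, enforced_per_container = [], []
    for i, container in enumerate(chain):
        enforced_here = []
        # Links are listed highest priority first; apply in reverse so the
        # highest-priority link is written last and wins within the container.
        for link in reversed(container.links):
            if not link.gpo.applies_to(groups):
                continue                            # filtered out by permissions
            if link.no_override:
                enforced_here.append(link.gpo)
            elif i >= first_unblocked:
                normal.append(link.gpo)
        enforced_per_container.append(enforced_here)

    # No Override links ignore blocking and are applied after everything else;
    # the outermost container wins among them, so apply innermost first.
    enforced = [g for per in reversed(enforced_per_container) for g in per]

    result = dict(local_settings)                   # local computer policy first
    order = normal + enforced
    for gpo in order:
        result.update(gpo.settings)                 # later GPO wins a conflict
    return result, [g.name for g in order]


def build_scenario():
    """Constructed site/domain/OU layout (names and settings are made up)."""
    local = {"Remove Run menu from Start Menu": "Disabled", "Screen saver timeout": 300}
    site = Container("Default-First-Site-Name", [
        Link(GPO("Site Policy", {"Wallpaper": "site.bmp"}))])
    domain = Container("corp.example", [
        Link(GPO("Default Domain Policy", {"Screen saver timeout": 600}), no_override=True),
        Link(GPO("Domain Desktop", {"Remove Run menu from Start Menu": "Disabled",
                                    "Wallpaper": "corp.bmp"}))])
    marketing = Container("Marketing", [
        Link(GPO("Marketing Policy",
                 {"Remove Run menu from Start Menu": "Enabled",
                  "Screen saver timeout": 1800,
                  "Proxy server": "proxy.marketing.corp.example"},
                 apply_deny={"Administrators"}))],          # Activity 11-5 filter
        block_inheritance=True)
    sales = Container("Sales", [Link(GPO("Sales Policy", {"Wallpaper": "sales.bmp"}))])
    return local, [site, domain, marketing, sales]


def resolve_for(groups):
    local, chain = build_scenario()
    return resolve(local, chain, set(groups))


if __name__ == "__main__":
    for who in ({"Authenticated Users", "Domain Users"},
                {"Authenticated Users", "Administrators"}):
        settings, order = resolve_for(who)
        print(sorted(who), "->", order)
        for name, value in sorted(settings.items()):
            print("   ", name, "=", value)
```

Running it shows why the Sales user's screen saver timeout ends up at 600 even though the Marketing OU blocks inheritance and sets 1800: the domain GPO is No Override, so it is both exempt from the block and applied last. The administrator, denied Apply Group Policy on the Marketing Policy, keeps the local policy's Run-menu setting and never receives the proxy setting.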
Windows Management Instrumentation Filters
• Used to restrict the application of GPOs
• Control GPO application based on computer configuration, such as hardware configuration, file existence or attributes, installed applications, or the amount of free hard drive space
• Written in WMI Query Language (WQL); a filter can contain several queries, and the GPO applies only when every query returns at least one result
• Do not apply to Windows 2000: a Windows 2000 client ignores the filter and applies the GPO as if no filter were set
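A small evaluator for the WQL subset that WMI filters use, applied to constructed stand-ins for three clients' WMI data. This is an added example, not code from the book or from Windows: the repositories, the free-space figures and the filter queries are made up, and only `SELECT * FROM <class> WHERE ... AND ...` with `=`, `<>`, `<`, `>`, `<=`, `>=` and `LIKE` is supported. It shows the two rules that matter operationally: every query must return an instance, and a Windows 2000 client applies the GPO whatever the filter says.

```python
"""Evaluator for the WQL subset used in Group Policy WMI filters.

Added example, not Microsoft code.  A WMI filter holds one or more WQL
queries and the GPO applies only when every query returns an instance.
Windows 2000 clients do not understand WMI filters and apply the GPO
regardless, which filter_applies() reproduces.
"""
import re

_QUERY = re.compile(r"SELECT\s+\*\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+))?$", re.I)
# property, operator, literal; several conditions may be joined with AND
_COND = re.compile(r"(\w+)\s*(>=|<=|<>|=|>|<|LIKE)\s*('[^']*'|\"[^\"]*\"|\S+)", re.I)


def _literal(token):
    if token[0] in "'\"":
        return token[1:-1]
    return int(token) if token.lstrip("-").isdigit() else token


def _prop(row, name):
    for key, value in row.items():          # WMI property names are case-insensitive
        if key.lower() == name.lower():
            return value
    return None


def _holds(value, op, literal):
    if value is None:
        return False
    op = op.upper()
    if op == "LIKE":                        # % = any run of characters, _ = one character
        parts = re.split(r"([%_])", str(literal))
        rx = "".join(".*" if p == "%" else "." if p == "_" else re.escape(p) for p in parts)
        return re.fullmatch(rx, str(value), re.I) is not None
    if isinstance(value, str) or isinstance(literal, str):
        value, literal = str(value).lower(), str(literal).lower()
    return {"=": value == literal, "<>": value != literal, ">": value > literal,
            "<": value < literal, ">=": value >= literal, "<=": value <= literal}[op]


def run_query(query, repository):
    """Return the instances of the class that satisfy the WHERE clause."""
    m = _QUERY.match(query.strip())
    if not m:
        raise ValueError("unsupported query: " + query)
    wmi_class, where = m.group(1).lower(), m.group(2)
    rows = next((v for k, v in repository.items() if k.lower() == wmi_class), [])
    if not where:
        return list(rows)
    conds = _COND.findall(where)
    return [r for r in rows
            if all(_holds(_prop(r, p), op, _literal(lit)) for p, op, lit in conds)]


def filter_applies(queries, repository, os_version):
    """True when the GPO carrying this filter should be applied to the client."""
    if os_version < (5, 1):                 # Windows 2000: filter ignored, GPO applied
        return True
    return all(run_query(q, repository) for q in queries)


# Constructed repositories standing in for an XP workstation, a 2003 server
# and a Windows 2000 workstation that is short of disk space.
XP_WORKSTATION = {
    "Win32_OperatingSystem": [{"Caption": "Microsoft Windows XP Professional",
                               "Version": "5.1.2600", "ProductType": 1}],
    "Win32_LogicalDisk": [{"DeviceID": "C:", "DriveType": 3, "FreeSpace": 4 * 2**30},
                          {"DeviceID": "D:", "DriveType": 5, "FreeSpace": 0}],
}
SERVER_2003 = {
    "Win32_OperatingSystem": [{"Caption": "Microsoft Windows Server 2003",
                               "Version": "5.2.3790", "ProductType": 3}],
    "Win32_LogicalDisk": [{"DeviceID": "C:", "DriveType": 3, "FreeSpace": 20 * 2**30}],
}
WIN2000_LOW_DISK = {
    "Win32_OperatingSystem": [{"Caption": "Microsoft Windows 2000 Professional",
                               "Version": "5.0.2195", "ProductType": 1}],
    "Win32_LogicalDisk": [{"DeviceID": "C:", "DriveType": 3, "FreeSpace": 200 * 2**20}],
}

# Filter for a software-installation GPO: a workstation (ProductType 1) with
# more than 1 GB free on C:
WORKSTATION_WITH_SPACE = [
    "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '5.%' AND ProductType = 1",
    "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > 1073741824",
]

if __name__ == "__main__":
    for name, repo, ver in (("XP workstation", XP_WORKSTATION, (5, 1)),
                            ("2003 server", SERVER_2003, (5, 2)),
                            ("2000 workstation, low disk", WIN2000_LOW_DISK, (5, 0))):
        print(name, "->", filter_applies(WORKSTATION_WITH_SPACE, repo, ver))
```

The Windows 2000 case is the one to keep in mind when a filter is used as a safety check (free disk space before a software installation, for instance): the check simply does not run there, so the GPO's own scoping, by OU or security filtering, has to exclude such clients.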
Slow Link Detection
• When working over a slow link it may be undesirable to apply parts of Group Policy (software installation and folder redirection, for example, are skipped on slow links by default)
• The client pings the domain controller several times to determine the link speed
• 500 Kbps or less is considered slow by default; the threshold can be changed through the Group Policy slow link detection setting

Default Slow Link Behavior (figure)
Desktop Management with Group Policy
• Desktop management is one of the primary goals that can be accomplished with Group Policy

Restricting Windows
• Can protect users from their own mistakes
• Remove access to features such as configuring proxy settings or setting the desktop wallpaper

Folder Redirection
• Allows the administrator to change the location of the default Windows folders
• Locating them on a server allows users to access their information from any computer on the network and lets the data be backed up centrally
• Folders that can be redirected: Application Data, Desktop, My Documents, Start Menu

Scripts
• GPOs can contain scripts for logon, logoff, startup, and shutdown
• Can be written in languages such as VBScript (.vbs) or JScript (.js), or as batch files
• Scripts must be stored in a location accessible to the users or computers running them; the Scripts folder inside the GPT on SYSVOL is the usual place
• Startup and shutdown scripts run under the computer's Local System account, so the permissions on wherever the scripts are stored are themselves security-sensitive
Security Management with Group Policy
• Security policy: a collection of security-related settings located in every GPO
• The majority of security policy settings apply to computers and are found under Computer Configuration\Windows Settings\Security Settings

Account Policies
• Configuration settings that are often the initial step in securing a computer network
• For domain accounts they must be configured in a GPO linked to the domain; account policies in GPOs linked to OUs affect only the local accounts of the computers in those OUs
• Subcategories: Password Policy, Account Lockout Policy, Kerberos Policy

Local Policies
• Wide variety of settings, very flexible
• Categories: Audit Policy, User Rights Assignment, Security Options

Restricted Groups
• Define which users are allowed membership in specific groups
• When the group policy is applied, any member of the restricted group not listed in the policy's member list is removed, and listed members that are missing are added
• Prevents administrators from accidentally adding users to sensitive groups, and undoes unauthorized additions at the next policy refresh

System Services
• Define which services are started, stopped, or disabled on computers
• Can also configure security (the service's access control list) for services
• Effective way to disable unnecessary services on client computers and servers

Registry Settings
• Define security permissions for registry keys
• Applied to all computers affected by the GPO

File System
• Defines NTFS permissions applied to the local hard drives of computers affected by the GPO
• Enhances security by removing unnecessary permissions on files and folders
Wireless Network Policies
• Define settings for wireless network connectivity
• Configure which wireless networks workstations can connect to and automatically configure Wired Equivalent Privacy (WEP) encryption

Public Key Policies
• Define configuration settings relating to the use of public key-based applications such as:
  • Encrypting File System (EFS) data recovery agents
  • Automatic certificate enrollment settings
  • Certificate Authority (CA) trusts
• Autoenrollment
  • New feature in Windows Server 2003
  • Allows computers and users to request certificates based on version 2 certificate templates automatically

Software Restriction Policies
• Define security settings related to which programs are allowed to run on a system
• Each policy has a default security level (Unrestricted or Disallowed) that applies when no rule matches
• Individual rules can be based on the file's hash, the digital certificate used to sign the executable, the file's path, or the Internet zone
• When more than one rule matches, hash rules take precedence over certificate rules, then path rules, then Internet zone rules; among path rules, the most specific path wins
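The rule-precedence behaviour described above, worked through in Python against a constructed policy. This is an added example, not code from the book or from Windows: the file contents, paths, signer name and rules are all made up, hashes are SHA-1 of the constructed bytes, and path matching is a simple case-insensitive folder-prefix check without the wildcard and environment-variable expansion real path rules allow.

```python
"""Rule precedence as Software Restriction Policies evaluate it.

Added example, not Microsoft code.  When several rules match a program the
rule kind decides first (hash, then certificate, then path, then Internet
zone); among path rules the most specific path wins; when no rule matches,
the policy's default security level applies.  All inputs are constructed.
"""
import hashlib
from dataclasses import dataclass

PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}
LEVELS = ("Unrestricted", "Disallowed")


@dataclass
class Rule:
    kind: str     # hash | certificate | path | zone
    match: str    # SHA-1 hex digest, signer name, folder or file path, or zone name
    level: str    # one of LEVELS

    def matches(self, target):
        if self.kind == "hash":
            return target["sha1"] == self.match.lower()
        if self.kind == "certificate":
            return target["signer"] == self.match
        if self.kind == "path":             # a folder rule covers everything beneath it
            path, folder = target["path"].lower(), self.match.lower().rstrip("\\")
            return path == folder or path.startswith(folder + "\\")
        if self.kind == "zone":             # zone rules apply to Windows Installer packages
            return target["zone"] == self.match and target["path"].lower().endswith(".msi")
        raise ValueError("unknown rule kind " + self.kind)

    def specificity(self):
        return len(self.match.rstrip("\\")) if self.kind == "path" else 0


def evaluate(target, rules, default_level):
    """Return (security level, winning rule or None) for one program."""
    matched = [r for r in rules if r.matches(target)]
    if not matched:
        return default_level, None
    best = min(matched, key=lambda r: (PRECEDENCE[r.kind], -r.specificity()))
    return best.level, best


def make_target(path, content=b"", signer=None, zone=None):
    return {"path": path, "sha1": hashlib.sha1(content).hexdigest(),
            "signer": signer, "zone": zone}


APPROVED_TOOL = b"MZ constructed contents of an approved tool"   # constructed file
POLICY = [
    Rule("path", r"C:\Program Files", "Unrestricted"),
    Rule("path", r"C:\Program Files\Tools", "Disallowed"),       # more specific path
    Rule("hash", hashlib.sha1(APPROVED_TOOL).hexdigest(), "Unrestricted"),
    Rule("certificate", "Contoso Corporation", "Unrestricted"),
    Rule("zone", "Internet", "Disallowed"),
]


def decide(path, content=b"", signer=None, zone=None, default_level="Unrestricted"):
    """Evaluate POLICY for one program; default_level is the policy's security level."""
    level, rule = evaluate(make_target(path, content, signer, zone), POLICY, default_level)
    return level, (f"{rule.kind}:{rule.match}" if rule else "default")


if __name__ == "__main__":
    for args in ((r"C:\Program Files\App\app.exe",),
                 (r"C:\Program Files\Tools\nc.exe",),
                 (r"C:\Program Files\Tools\approved.exe", APPROVED_TOOL),
                 (r"C:\Temp\unknown.exe",),
                 (r"C:\Temp\download.msi", b"", None, "Internet"),
                 (r"C:\Temp\tool.msi", b"", "Contoso Corporation", "Internet")):
        print(args[0], "->", decide(*args))
```

Two of the cases are the ones that usually surprise people: the hash rule lets approved.exe run from the Tools folder that a path rule disallows, and a signed package from the Internet zone runs because a certificate rule outranks a zone rule. Switching the default level to Disallowed (pass `default_level="Disallowed"`) turns the policy into an allow-list, and unknown.exe then stops running.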
IP Security Policies
• Define IPSec settings
• Can enable IPSec for an entire network with little effort by assigning an IPSec policy in a GPO linked to the domain or an OU
Security Templates
• Used to define, edit, and save baseline security settings that are applied to computers with common security requirements and meet organizational security standards
• Help ensure that consistent settings can be applied to multiple machines and are easily maintained
• Stored in .inf files (text files with a section for each security area)
• Setup Security.inf is the default template: a single file in which all of the computer's original security settings are stored
• Incremental templates (for example Securews.inf or Hisecws.inf) only apply to machines already running the default security settings
• Use the Security Templates snap-in to create custom templates
• A template can be imported into the Security Settings of a GPO so that every computer the GPO covers receives the same baseline

Analyzing Security
• The Security Configuration and Analysis utility compares the current system settings to a previously configured security template
• Identifies changes to the original security configuration and possible security weaknesses
• Can also apply the template to the local computer; secedit.exe performs the same analysis and configuration from the command line
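What the analysis step actually does, shown as an added Python example (not Microsoft's code, nor the book's) that parses a security template and reports every setting on which a machine differs from it. The template text, the SIDs and the "current" configuration snapshot are all constructed for the example; the section names and value formats ([System Access], [Group Membership], [Service General Setting], [Registry Values]) follow the .inf layout the Security Templates snap-in writes, and only those four areas are interpreted.

```python
"""Parse a security template (.inf) and compare it with a computer's current
settings, the way Security Configuration and Analysis reports mismatches.

Added example, not Microsoft code.  Template, SIDs and the "current"
configuration are constructed; section and value formats follow the .inf
layout written by the Security Templates snap-in.
"""

TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Group Membership]
; local Administrators (S-1-5-32-544) may contain only Domain Admins (RID 512)
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-512
[Service General Setting]
Messenger,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}   # service startup codes


def parse_template(text):
    """Return {section: [raw lines]}, skipping blank lines and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def expected_settings(sections):
    """Flatten the template into {(area, name): expected value}."""
    exp = {}
    for line in sections.get("System Access", []):
        key, value = (s.strip() for s in line.split("=", 1))
        exp[("System Access", key)] = int(value)
    for line in sections.get("Group Membership", []):
        key, value = (s.strip() for s in line.split("=", 1))
        group, relation = key.split("__")             # <group>__Members / __Memberof
        members = {m.strip() for m in value.split(",") if m.strip()}
        exp[("Group Membership", f"{group} {relation}")] = members
    for line in sections.get("Service General Setting", []):
        name, start, _sddl = line.split(",", 2)       # service,startup type,security descriptor
        exp[("System Services", name)] = STARTUP[int(start)]
    for line in sections.get("Registry Values", []):
        path, value = line.split("=", 1)
        regtype, data = value.split(",", 1)           # 4 = REG_DWORD, 1 = REG_SZ
        exp[("Registry Values", path)] = int(data) if regtype == "4" else data
    return exp


# Constructed snapshot of the machine being analysed: weak password policy,
# an extra local administrator, Messenger running, anonymous access allowed.
CURRENT = {
    ("System Access", "MinimumPasswordLength"): 6,
    ("System Access", "PasswordComplexity"): 1,
    ("System Access", "LockoutBadCount"): 0,
    ("Group Membership", "*S-1-5-32-544 Members"):
        {"*S-1-5-21-1000-2000-3000-512", "*S-1-5-21-1000-2000-3000-1105"},
    ("Group Membership", "*S-1-5-32-544 Memberof"): set(),
    ("System Services", "Messenger"): "Automatic",
    ("Registry Values",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"): 0,
}


def analyze(template_text, current):
    """Return [(area, name, expected, actual)] for every setting that differs."""
    findings = []
    for key, expected in expected_settings(parse_template(template_text)).items():
        actual = current.get(key, "not defined")
        if actual != expected:
            findings.append((key[0], key[1], expected, actual))
    return findings


if __name__ == "__main__":
    for area, name, expected, actual in analyze(TEMPLATE, CURRENT):
        print(f"{area}: {name}: template={expected!r} computer={actual!r}")
```

Against the live machine the equivalent is `secedit /analyze /db analysis.sdb /cfg template.inf /log analysis.log`, which writes the mismatches to the log, and `secedit /configure` with the same template applies them. Note what the Group Membership finding means in practice: applying this template (or the same settings through Restricted Groups in a GPO) would remove the extra account with RID 1105 from the local Administrators group.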
Using the Group Policy Management Console
• Available as a free download for Windows Server 2003 customers
• Brings together tools and options previously spread across a number of different tools
• Adds new functionality, such as backup and restore of GPOs, HTML reports of GPO settings, and Group Policy Modeling and Results
• Highly recommended, especially in large deployments

Troubleshooting Group Policy
• The most important thing to understand is the interaction of:
  • Links to containers
  • Priority ordering by administrators
  • No Override
  • Block Inheritance
  • ACL permissions
  • Loopback Processing Mode
  • WMI filters

Troubleshooting Tools
• Resultant Set of Policy (RSoP): shows the settings that result for a user and computer, in logging mode (what was applied) or planning mode (what would be applied)
• Gpresult: command-line view of the GPOs applied to the current user and computer
• Gpupdate: forces a policy refresh instead of waiting for the background refresh interval
• Dcgpofix: restores the Default Domain Policy and Default Domain Controllers Policy to their original state
Summary
• Group Policy applies settings to users and computers in a site, domain, or organizational unit
• The order of application for GPOs is local, site, domain, organizational unit
• A user or computer must have both Read and Apply Group Policy permissions on a GPO in order for the policy to apply
• To affect domain accounts, account policies must be set at the domain level
• Security management using Group Policy is accomplished with security templates and the Security Settings node of a GPO