
Microsoft Server 2008 R2



Presentation Transcript


  1. Active Directory and Group Policies Microsoft Server 2008 R2

  2. Active Directory Review/Updates • Now called Active Directory Domain Services (AD DS) in the 2008/R2 world • A big database of objects, used to centrally manage all objects of an organization • DNS is required for AD DS • DNS SRV records (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) are used by clients to locate domain controllers running specific services • Presenter's rule of thumb: about 70% of AD problems are directly related to DNS

  3. Active Directory Review/Updates • 2008 R2 supports fine-grained password policies (password settings objects applied per user or group instead of one domain-wide policy; introduced with the Windows Server 2008 domain functional level) • The Windows Server 2008 R2 forest functional level is required to support the Active Directory Recycle Bin

  4. AD User Management • New GUI called Active Directory Administrative Center (ADAC) • Found under Administrative Tools on Server 2008 R2 • Available on Windows 7 by installing the Remote Server Administration Tools (RSAT) • Native PowerShell support (the ActiveDirectory module) for managing users and groups

  5. AD with PowerShell • Creating users • Command: new-aduser “Joe Smith” (creates the account disabled and without a password; it is enabled only after a password has been set) • Getting help • Command: help new-aduser • Command: get-help new-aduser –examples • Command: get-help new-aduser -detailed

  6. AD with PowerShell • Creating many users • ADUC? • ADAC? • PowerShell one at a time? • CSVDE? (sort of; it can import attributes but cannot set passwords) • Command: import-csv c:\users.csv | foreach {new-aduser –Name $_.Name –SamAccountName $_.SamAccountName …etc …etc}

  7. AD with PowerShell • Unlocking user accounts • Command: unlock-adaccount –identity jsmith • Resetting passwords • Command: set-adaccountpassword –identity jsmith –reset –newpassword (read-host “Please enter the new password” –assecurestring) • read-host –assecurestring keeps the new password out of the command line, transcript and history; never pass it as a plain string • Display user attributes • Command: get-aduser “joe smith” –properties * | more • Command: get-aduser “joe smith” –properties homedirectory • –identity accepts a sAMAccountName, distinguished name, GUID or SID (“joe smith” only works because new-aduser “Joe Smith” used the Name as the sAMAccountName); to search by any other attribute use –filter
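
The three slides above describe one procedure (bulk creation, help-desk password reset, attribute lookup). The following is an added example that is not part of the original deck; it assumes the ActiveDirectory module (RSAT or a 2008 R2 DC), an OU named OU=Staff,DC=corp,DC=example and the UPN suffix corp.example, all of which are assumptions, and it stands in a constructed CSV for the real c:\users.csv.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module
# and a target OU / UPN suffix that are assumptions; replace with your own.
Import-Module ActiveDirectory

$targetOu  = 'OU=Staff,DC=corp,DC=example'   # assumed OU
$upnSuffix = 'corp.example'                  # assumed UPN suffix

# Constructed stand-in for: Import-Csv C:\users.csv
$rows = @'
Name,SamAccountName,GivenName,Surname,Department
Joe Smith,jsmith,Joe,Smith,Engineering
Ann Lee,alee,Ann,Lee,IT
'@ | ConvertFrom-Csv

# Bulk create. Accounts are created disabled with no password, so no
# password ever lives in the CSV or the script.
foreach ($row in $rows) {
    $sam = $row.SamAccountName
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    New-ADUser -Name $row.Name -SamAccountName $sam `
        -GivenName $row.GivenName -Surname $row.Surname `
        -Department $row.Department -Path $targetOu `
        -UserPrincipalName "$sam@$upnSuffix" -Enabled $false
}

# Help-desk style reset: the password is typed as a SecureString so it
# never appears on the command line or in history, the user must change
# it at next logon, then the account is enabled and unlocked.
function Reset-StaffPassword {
    param([Parameter(Mandatory=$true)][string]$Identity)
    $new = Read-Host "New password for $Identity" -AsSecureString
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $Identity
    Unlock-ADAccount -Identity $Identity
}

Reset-StaffPassword -Identity jsmith

# -Identity takes a sAMAccountName, DN, GUID or SID; to look someone up
# by display name use -Filter, and request only the attributes you need
# instead of -Properties *.
Get-ADUser -Filter { Name -eq 'Joe Smith' } -Properties Department, LockedOut, PasswordLastSet |
    Select-Object SamAccountName, Enabled, Department, LockedOut, PasswordLastSet
```

The accounts are deliberately created disabled: an enabled account with a password that was generated in a script and written to a file is a common way for initial passwords to leak. `Set-ADAccountPassword -Reset` is an administrative reset (the old password is not required), so it should be audited; the `Reset-StaffPassword` helper is a name chosen here, not an AD cmdlet.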

  8. Group Policies • A GPO is “all or nothing” • Only settings that are configured (Enabled or Disabled) are processed; Not Configured settings are ignored • Security filtering applies to the whole GPO: if a user or computer is filtered out, none of that GPO's settings apply, it is all or nothing • Policies are inherited and cumulative • Clients refresh policy in the background every 90 minutes plus a random offset of up to 30 minutes • Domain controllers refresh every 5 minutes

  9. Benefits • Publish or assign software • Assign startup, shutdown, logon, logoff scripts • Define password, lockout and audit policies • Standardize user settings • Define and enforce Internet Explorer Settings • Define and enforce restrictions on desktops • Redirect folders • Configure and standardize settings such as offline folders, quotas, etc.

  10. GPO Concepts • Processing order is Local, Site, Domain, OU (parent OUs before child OUs); within one container the GPOs are processed from the bottom of the GPMC link list up, so the GPO at the top (link order 1) is applied last • Last writer wins: when two GPOs configure the same setting, the one processed last takes effect • Account Policies (password, lockout, Kerberos) for domain accounts are honored only from GPOs linked at the domain; linked at an OU they affect only the local SAM accounts on the computers in that OU
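
As an added illustration (not from the deck), the following PowerShell models the two rules on this slide, bottom-up processing within a container and last-writer-wins across Local, Site, Domain and OU scopes, plus the domain-only rule for account policies. Enforced links, Block Inheritance, security filtering and loopback are not modeled. The GPO names and settings are made up.

```powershell
# Added example: a model of Group Policy precedence, not code from the deck.
function Get-EffectiveSettings {
    param(
        # Scopes in processing order: Local, Site, Domain, then OUs from the
        # domain root down to the object's own OU. Each scope is a hashtable
        #   @{ Kind = 'Local'|'Site'|'Domain'|'OU'; Name = '...'; Gpos = @(...) }
        # with Gpos in GPMC display order (link order 1 first). A setting
        # whose value is $null stands for "Not Configured".
        [object[]]$Scopes
    )
    $effective = @{}
    foreach ($scope in $Scopes) {
        # Bottom of the GPMC list is processed first, link order 1 last.
        for ($i = $scope.Gpos.Count - 1; $i -ge 0; $i--) {
            $gpo = $scope.Gpos[$i]
            foreach ($entry in $gpo.Settings.GetEnumerator()) {
                if ($null -eq $entry.Value) { continue }      # Not Configured is ignored
                if ($entry.Key -like 'AccountPolicy/*' -and $scope.Kind -ne 'Domain') {
                    continue   # domain account policies are honored only at the domain
                }
                # Last writer wins: overwrite whatever an earlier GPO set.
                $effective[$entry.Key] = New-Object PSObject -Property @{
                    Value = $entry.Value
                    SetBy = "$($scope.Name)\$($gpo.Name)"
                }
            }
        }
    }
    return $effective
}

# Constructed scenario (names and settings are made up)
$scopes = @(
    @{ Kind = 'Local';  Name = 'LGPO'; Gpos = @(
        @{ Name = 'Local Policy'; Settings = @{
            'Desktop/Wallapaper' = $null
            'Desktop/Wallpaper' = 'local.jpg'; 'Desktop/ScreenSaverTimeout' = 600 } }) },
    @{ Kind = 'Domain'; Name = 'corp.example'; Gpos = @(
        @{ Name = 'Default Domain Policy'; Settings = @{
            'AccountPolicy/MinPasswordLength' = 7; 'Desktop/Wallpaper' = 'corp.jpg' } }) },
    @{ Kind = 'OU';     Name = 'OU=Sales'; Gpos = @(
        # link order 1 (top of the GPMC list): processed last, so it wins
        @{ Name = 'Sales Wallpaper'; Settings = @{ 'Desktop/Wallpaper' = 'sales.jpg' } },
        # link order 2 (bottom): processed first
        @{ Name = 'Sales Hardening'; Settings = @{
            'AccountPolicy/MinPasswordLength' = 14
            'Desktop/Wallpaper' = 'old.jpg'
            'Desktop/ScreenSaverTimeout' = $null } }) }
)

$result = Get-EffectiveSettings -Scopes $scopes
$result.GetEnumerator() | Sort-Object Key |
    Format-Table Key, @{ n = 'Value'; e = { $_.Value.Value } }, @{ n = 'SetBy'; e = { $_.Value.SetBy } } -AutoSize
```

Running it shows the wallpaper coming from Sales Wallpaper (top of the OU list beats both the OU GPO below it and the domain), the screen-saver timeout surviving from the LGPO because the OU GPO leaves it Not Configured, and the minimum password length staying at the domain's 7: the 14 in the OU-linked GPO is ignored for domain accounts, which is the mistake people make when they try to "harden" one OU's password policy.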

  11. GPO Planning: OU Design • Create separate OUs for computers and users • Segment machines/users into roles by OU; examples: • Servers: Exchange Servers, Terminal Servers, Web Servers, File and Print, etc. • Workstations: desktops, laptops, task stations, etc. • Domain Controllers: leave in the Domain Controllers OU (with the Default Domain Controllers Policy GPO linked) • Users: IT Staff, Engineers, Shop Floor, Laptop Users, etc. • By default, all new accounts are created in CN=Users or CN=Computers; these are containers, not OUs, so GPOs cannot be linked to them. However, if your domain is at Windows Server 2003 functional level or higher: • Run “RedirUsr.exe” and “RedirCmp.exe” (on a DC, as a Domain Admin) to specify the new default OUs in which all new user / computer accounts will be created • This lets you manage new accounts through Group Policy even when no OU is specified at account creation • Limit who can create / edit / link GPOs (delegation): anyone who can edit a GPO can run startup scripts as SYSTEM on every computer it applies to
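
The OU layout and the RedirUsr/RedirCmp step above, as an added example that is not part of the deck. The OU names are assumptions; the script assumes the ActiveDirectory module and is run on a DC by a Domain Admin.

```powershell
# Added example (not from the deck): role-based OUs plus redirection of the
# default Users/Computers containers. OU names are assumptions.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = $domain.DistinguishedName

# Top-level role OUs and their children
$layout = @{
    'Workstations' = @('Desktops', 'Laptops')
    'Servers'      = @('Web', 'FilePrint')
    'Staff'        = @('IT', 'Engineering')
}

foreach ($top in $layout.Keys) {
    $topDn = "OU=$top,$root"
    if (-not (Get-ADOrganizationalUnit -Filter { Name -eq $top } -SearchBase $root -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $top -Path $root -ProtectedFromAccidentalDeletion $true
    }
    foreach ($child in $layout[$top]) {
        if (-not (Get-ADOrganizationalUnit -Filter { Name -eq $child } -SearchBase $topDn -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $topDn -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Redirection needs Windows Server 2003 domain functional level or higher.
if ($domain.DomainMode -eq 'Windows2000Domain' -or $domain.DomainMode -eq 'Windows2003InterimDomain') {
    throw "Domain functional level $($domain.DomainMode) is too low for redirusr/redircmp"
}

# New users and computers that are created without an explicit OU now land
# in OUs that can carry GPOs instead of the unlinkable default containers.
& "$env:windir\System32\redirusr.exe" "OU=Staff,$root"
& "$env:windir\System32\redircmp.exe" "OU=Workstations,$root"

# Verify: the domain head's well-known object references now point at the OUs
$domain = Get-ADDomain
"Default users container:     $($domain.UsersContainer)"
"Default computers container: $($domain.ComputersContainer)"
```

The redirect does not move existing objects; anything already sitting in CN=Users or CN=Computers has to be moved (Move-ADObject) before it picks up OU-linked policy.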

  12. GPO Planning: GPO Design • GPO naming conventions – make them consistent and easy to interpret • Simply use a clear name that describes the intent of the GPO • How significant is the number of GPOs applied? Fewer, well-named GPOs are easier to troubleshoot • 999 is the maximum number of GPOs that can be applied to one user or computer

  13. Planning: Deployment – Test, Stage and Production • It's a “good thing” if you: Test -> Stage -> Test -> Deploy -> Validate • Group Policy Modeling (a more elegant face on RSoP Planning mode) • Backup/Copy/Import (including migration tables) • Documentation: HTML or XML reports

  14. Planning: Disaster Recovery • GPMC Backup / Restore handles a GPO as a logical entity (its AD container and its SYSVOL folder together) • Automate GPO backup using the GPMC scripts BackupAllGPOs.wsf or BackupGPO.wsf (on 2008 R2 the GroupPolicy PowerShell module's Backup-GPO does the same) • Regularly test GPO restore in your environment – RestoreAllGPOs or RestoreGPO (Restore-GPO in PowerShell) • Think about building/rebuilding your staging environment from those backups

  15. Planning: Disaster Recovery • Be aware of what is NOT included in a backup of a GPO and plan accordingly • IPsec settings, which live in CN=IP Security,CN=System,DC=xxxx (an AD backup handles this); the GPO includes just the link to this data • WMI filters (only the filter link is backed up); the filter itself is stored in AD, so your AD backup covers this • GPO links from sites, domains or OUs, since they are not an attribute of the GPO (again, an AD backup covers this) • Don't rely on DCGPOFix (a last-resort tool!): DCGPOFix returns the default GPOs to their clean-install state (not the post-upgrade state) and they are unlinked; use your own backup instead
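
Slides 13 to 15 describe one routine: back up every GPO, document it, record what the backup does not contain, and test the restore. The following is an added example that is not part of the deck; it uses the GroupPolicy and ActiveDirectory modules that ship with Windows Server 2008 R2 / RSAT, and the backup path, comment and GPO name used in the restore test are assumptions.

```powershell
# Added example (not from the deck). Backup location and GPO names are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$backupRoot = 'D:\GPOBackups'          # assumed; keep it off the DC if you can
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Back up every GPO as a logical unit (AD container + SYSVOL folder).
$backups = Backup-GPO -All -Path $dest -Comment "Scheduled backup $stamp"

# 2. One HTML report per GPO as the human-readable record of what was saved.
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'   # DisplayName may not be a valid file name
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $dest "$safeName.html")
}

# 3. Links are NOT in the backup. Record them per domain/OU so they can be
#    recreated with New-GPLink (in the right order, with Enforced preserved).
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$links = foreach ($t in $targets) {
    (Get-GPInheritance -Target $t).GpoLinks |
        Select-Object Target, DisplayName, GpoId, Order, Enabled, Enforced
}
$links | Export-Csv -Path (Join-Path $dest 'gpo-links.csv') -NoTypeInformation

# 4. WMI filters are also NOT in the backup (only the link is). List the
#    filter objects from AD so their presence in the AD backup can be checked.
Get-ADObject -LDAPFilter '(objectClass=msWMI-Som)' `
    -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$domainDn" `
    -Properties 'msWMI-Name', 'msWMI-Parm2' |
    Select-Object 'msWMI-Name', 'msWMI-Parm2' |
    Export-Csv -Path (Join-Path $dest 'wmi-filters.csv') -NoTypeInformation

# 5. Restore test. Run this in the staging domain on a schedule, not only
#    when something is already broken. Restoring does not recreate links.
function Test-GpoRestore {
    param([string]$BackupPath, [string]$Name)   # Name is an assumed GPO name
    Restore-GPO -Name $Name -Path $BackupPath | Out-Null
    # Compare the restored settings with the report that was saved alongside
    $restored = Get-GPOReport -Name $Name -ReportType Xml
    $saved    = Get-Content (Join-Path $BackupPath "$Name.html") -Raw
    return ($restored.Length -gt 0 -and $saved.Length -gt 0)
}
# Test-GpoRestore -BackupPath $dest -Name 'Workstation Baseline'
```

The links CSV is the piece most people forget: `Restore-GPO` brings the settings back, but a GPO that is not linked anywhere applies to nothing, and the wrong link order silently changes which GPO wins.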

  16. Planning: Group Policy Dependencies • DNS: many “Group Policy problems” turn out to be related to DNS misconfiguration • Don't touch the Policies directory in SYSVOL (including playing with ACLs) – manage it through supported tools only; if you plan to delete SYSVOL – well, don't!

  17. Planning: Group Policy Dependencies • ICMP, at network routers or in the TCP/IP configuration (clients or DCs) • Windows XP / Server 2003 clients use ICMP (ping) to validate connectivity to a DC and for slow-link detection; on Windows Vista / Server 2008 and later clients the Group Policy engine uses Network Location Awareness (NLA) instead, so blocking ICMP no longer stops policy there • Policy is not applied if the client cannot reach a DC • If you absolutely must disable ICMP for older clients, disable slow-link detection; but then a “fast link” is assumed – consider the impact on software installation and folder redirection, which are skipped over slow links • With no connectivity to a DC at logon (i.e. a remote machine) policy will not process, unless you check the “Logon using dial-up connection” check box at the logon prompt

  18. So Many Policy Settings: Where Do I Start? • Know the Policy Settings Reference Spreadsheet and use its filters • http://go.microsoft.com/fwlink/?linkid=22031 • PolicySettings.xls • Consider the Group Policy Common Scenarios • Iterative deployment: start small and build… • Security • Operating System/Application Configuration • IE Maintenance • Software Installation

  19. Group Policies: Administrative Templates • Know the benefits of a “true policy” (as compared to preferences) • Security – true policy settings are written under the Policies registry keys, which only local administrators can change; preference settings live in keys the user can edit • No tattooing – if the GPO goes out of scope its settings are removed • Respect for user preferences – after a policy setting is removed/unlinked, the original user preference remains

  20. Group Policies: Machine/User Scripts • Async logon/logoff scripts finish in a non-deterministic order; don't rely on one script completing before another • Startup scripts run in the security context of the computer (the computer account needs access to the script and any referenced resources) • The computer needs access to scripts and referenced resources over the network at boot time • If a script uses only local machine resources then you can copy scripts to the local hard disk and reference them accordingly in the GPO (consider environment variables such as %windir% to absorb machine differences)

  21. Group Policies: Folder Redirection • Do not pre-create folders (ACL issues) • If the server is Windows 2000, do not redirect folders to the same machine used for Roaming User Profiles (fixed in Windows Server 2003) • Do not redirect the Application Data folder (particularly if users log on from multiple computers): • Exclusive locks • Absolute paths • Network latency • You cannot redirect to a mapped drive (folder redirection occurs before drives are mapped)

  22. Group Policies: RSoP • No Group Policy Results data is available for: • IPsec, Wireless and Disk Quota • Windows 2000 (but you can simulate using Group Policy Modeling) • Group Policy Modeling can only simulate the following: • Slow link status • Loopback • Also, Modeling doesn't know about the LGPO

  23. Group Policies: Software Installation • For machine assignment a reboot is necessary (to initiate the install); an application that should be installed through machine assignment is GPMC (since it's an MMC snap-in) • When assigning apps, keep async policy processing in mind: in some cases two logons or reboots may be necessary; consider the “Always wait for the network at computer startup and logon” policy setting (this extends boot and logon times) • Limit the use of security filtering with software distribution GPOs; filtered-out users may include users who need to have application admin rights

  24. Troubleshooting • Know your reporting options • Group Policy Modeling • Group Policy Results • Event Log (exposed through GPMC) • Know your tools • With the operating system: GPUpdate, GPResult • WS 2003 Resource Kit: GPOTool, GPMonitor • Download Center: GPInventory • Know your log files (Windows XP / Server 2003 clients) • UserEnv (core engine), WinLogon (security), FDeploy (folder redirection), Appmgmt.log (software installation), Gpmgmt (GPMC), GPedit (GPEdit), GPText (CSE-specific) • On Windows Vista / Server 2008 and later the core engine no longer writes userenv.log; use the Microsoft-Windows-GroupPolicy/Operational event log in Event Viewer instead

  25. Troubleshooting • Using the Local GPO (LGPO) • A good option if you don't have access to change GPOs in a domain (not all settings are available – software installation and folder redirection, for example) • Updating the LGPO on a domain-joined PC has no impact when logging on with cached credentials • Read the Explain text for Administrative Templates and the Help for Security Settings • Remember the gpupdate /force switch • If you move a user/computer to a new OU, the change will not take effect immediately; reboot/log on again to resolve • Consider using virtualization with snapshots – especially helpful when testing security settings that tattoo; revert when done!
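
A first-pass troubleshooting sequence on a 2008 R2 / Windows 7 client, as an added example that is not part of the deck: confirm the DC locator works (slides 2 and 16), force a refresh and capture RSoP, then read the Group Policy operational log rather than a userenv.log that no longer exists on these versions. The computer and user names in the last step are assumptions.

```powershell
# Added example (not from the deck). Run on the misbehaving client; the
# last step runs from an admin workstation with the GroupPolicy module.
$domain = $env:USERDNSDOMAIN

# 1. DC locator: are the SRV records there, and which DC did the client pick?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nltest /dsgetdc:$domain

# 2. Force a refresh and write the RSoP report. The report's "Denied GPOs"
#    section shows why a GPO was skipped (security filtering, WMI filter,
#    disabled link, empty).
gpupdate /force /wait:120
gpresult /h "$env:TEMP\rsop.html" /f

# 3. Group Policy operational log: Critical (1), Error (2), Warning (3)
#    from the last hour. ActivityId ties the events of one refresh together.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, ActivityId, Message |
    Format-List

# 4. RSoP of a remote computer/user without logging on to it
#    (computer and user names are assumptions).
Get-GPResultantSetOfPolicy -Computer 'PC01' -User 'CORP\jsmith' `
    -ReportType Html -Path "$env:TEMP\rsop-PC01.html"
```

Step 1 is deliberately first: if the SRV lookup fails or nltest returns a DC in the wrong site, everything after it is noise, which is the 70%-of-problems-are-DNS point from slide 2.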

  26. GPO and 2008 • Group Policy Preferences (GPP) • Client-side extensions that add “new settings” • Adds more than 3000 settings! • Can set the local administrator password on every desktop – but do not use it for that: the cpassword value is stored in SYSVOL, readable by every authenticated domain user, and encrypted with an AES key Microsoft published, so any domain user can recover the password; Microsoft removed the password fields in MS14-025 (2014), and existing preference items with a cpassword should be found and deleted • Different from normal GPO settings in that most preference items appear under both Computer Configuration and User Configuration
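
The check a practitioner wants after the slide above is whether any preference item in SYSVOL still carries a cpassword. The following is an added example that is not part of the deck: a function that walks a Policies tree for the preference files that can hold credentials and reports the GPO, file, item and account for each cpassword attribute it finds. It does not decrypt anything. The demo directory and its Groups.xml are constructed here so the function can be exercised offline; the cpassword value in it is a placeholder, not a real ciphertext.

```powershell
# Added example (not from the deck): audit SYSVOL for Group Policy Preference
# items that carry a cpassword attribute.
function Find-GppPassword {
    param([Parameter(Mandatory=$true)][string]$PoliciesPath)
    # Preference files that can embed credentials
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $doc  = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)
            # Every element with a cpassword attribute is a <Properties> node
            # whose parent is the preference item (User, Service, Task, ...).
            foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
                $item = $props.ParentNode
                $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $matches[0] } else { '' }
                # The account attribute name differs per preference type
                $account = ''
                foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                    $v = $props.GetAttribute($attr)
                    if ($v) { $account = $v; break }
                }
                New-Object PSObject -Property @{
                    Gpo      = $gpoGuid
                    File     = $file.FullName
                    ItemType = $item.LocalName
                    Account  = $account
                    Changed  = $item.GetAttribute('changed')
                }
            }
        }
}

# Constructed demo tree mimicking {GPO-GUID}\Machine\Preferences\Groups\Groups.xml
$demoRoot = Join-Path $env:TEMP 'gpp-demo'
$demoDir  = Join-Path $demoRoot '{00000000-1111-2222-3333-444444444444}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2011-03-01 10:00:00"
        uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $demoDir 'Groups.xml') -Encoding UTF8

Find-GppPassword -PoliciesPath $demoRoot | Format-List Gpo, ItemType, Account, Changed, File

# Against the real domain (any domain user can read this share):
# Find-GppPassword -PoliciesPath "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
```

Finding a hit is not the end: delete the preference item (which does not change the password already set on the machines), rotate the local administrator password it set, and check the GPO's version history for how long it was exposed. The per-machine random password that this GPP item was trying to provide is what Microsoft's later LAPS tool does without putting a secret in SYSVOL.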

  27. Reference • http://www.microsoft.com
