Group Policy in Windows Vista
Andy Malone MCSE, MCT
Andrew.malone@quality-training.co.uk
What Will We Cover? • Group Policy Administration • Group Policy with Windows Vista • QoS Policies
Helpful Experience • Understanding of Group Policy • Administering Windows
Level 200
Agenda • Understanding Group Policy • Reviewing New Infrastructure Features • Using Policy Settings
GPO Infrastructure • Policy Enforcement • Active Directory • Policy Targeting • Policy Troubleshooting • Policy Definition • GPMC and GPEdit – GPO Management and Operations
GPO Infrastructure – Customer Pains
• ADM file format and storage issues
• Sysvol bloat
• Ping issues, VPN scenarios
• Kiosk scenarios
• Error messages
• Complicated diagnostic log (Userenv)
• Difficult to locate settings
• Lack of best practice knowledge
• What and where is GPMC?
• Change management, auditing and workflow
Diagram labels: Policy Enforcement • AD • Policy Targeting • Policy Troubleshooting • Policy Definition • GPMC and GPEdit – GPO Management and Operations
Group Policy Pain Points
• Network Traffic: end-to-end performance; WAN performance
• File Format: ADM file format and languages; storage
• Policy Definition: difficult to locate settings; lack of best practice knowledge
• Policy Enforcement: ping issues; VPN scenarios
• Policy Troubleshooting: error messages; complicated diagnostic log
• What and where is GPMC?
Windows Vista Improvements in Group Policy: More settings, applied more reliably, easier to use
Category: Key Features and Enhancements
Extending the Coverage
• Extended Group Policy to cover new Windows Vista features
• Improved coverage in key areas like Security and Desktop management
Reliable and Efficient Application of Policy
• More secure, stable infrastructure (Group Policy Service)
• Responsiveness to changing network conditions for GP processing
• Enhanced troubleshooting experience
• Multiple Local GPOs
Ease of Use
• GPMC integration into the operating system
• Improved syntax and multilingual support for Admin Templates policy settings (ADMX files)
• A solution to “sysvol bloat”
• Searching, Filtering and Templates (SP1)
Demo • Preparing Active Directory • Install Group Policy Management Console • Copy AdPrep Folder • Run ForestPrep
Agenda • Understanding Group Policy • Reviewing New Infrastructure Features • Using Policy Settings
Windows Vista Improvements • Reliable and Efficient Application of Policy • Extended Coverage • Ease of Use (graphic labels: Hello, Hola, SYSVOL)
Group Policy Service Winlogon • More efficient • Service has been hardened
Network Awareness: Problems today
• Policy application is not network sensitive
  - VPN scenario
  - Laptop hibernate/standby recovery
• Slow link detection failures
  - ICMP turned off at routers
  - Failures in high bandwidth, high latency (satellite connection) scenarios
Improved Network Awareness
• More responsive to network changes
  - No longer just 90 minutes or so
  - If the previous policy application cycle was skipped or failed, then it retries whenever network connectivity (ability to reach DC) is available
• Leverages NLA v2.0 (Network Location Awareness)
  - Subscribe for DC availability notification
  - Removal of dependence on ICMP (no more Ping!)
  - Improved bandwidth determination (through NLA)
• Note: Network Quarantine scenario needs additional configuration
Multiple Local GPOs
Customer Request: Set different configurations for different users with local GPOs
Local GPO: Customer request
• Local GPOs are primarily used in non-AD environments, for non-domain-joined, shared-use machines like kiosks and task stations
• Customer request: ability to set different configurations for different users using just Local GPO
• Common example is where local admins need a less locked-down configuration than regular users
• Cannot accomplish this today since there is no concept of ‘Security Filtering’ on LGPOs
Multiple Local GPOs
• Supports having different policy settings for different local users
• LGPOs for:
  - The machine (same LGPO as today)
  - NEW: Local groups (Admin or Non-Admin)
  - NEW: Individual local users
• Application order is same as above
• Note: Any single user receives either the Admin or the Non-Admin LGPO (not both)
• Domain GPOs still have greater precedence than LGPOs (as today)
• New policy setting – ability to exclude all local GPO processing
Troubleshooting Group Policy: Some challenges
• Cryptic error messages
  - No consistent diagnosis or resolution information
  - Error help link broken
  - Not actionable
• Userenv.log
  - Not many users aware of this option
  - Not IT admin friendly
• Each GP extension has a different format and location of its log
• No consolidated centralized reporting
GPMC Integration
• GPMC is the one-stop shop for managing Group Policy (has been our recommendation for almost 3 years)
• Why integrate GPMC into the operating system? The perception is…
  - “It’s just a little utility”
  - “Great, but it’s not part of the Operating System”
  - “What’s GPMC?”
• Will be available on client and server – no need to download/install
• No major feature updates; just bug fixes and localization
• Some feature updates will be available in “Longhorn” Server (Vista SP1)
Events and Logging (diagram labels): userenv.log • Admin Events • Multiple Logs • Operational Events • Cryptic Error Messages
Demo • Using Group Policy Features • Run DomainPrep • Access the Vista GPMC • Use Internet Explorer 7.0 Group Policy • Use Events and Logging
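The event-based logging that replaces userenv.log can be queried directly. The script below is an added example, not part of the original deck; it assumes the `Microsoft-Windows-GroupPolicy/Operational` event channel and a 24-hour look-back window chosen for illustration.

```powershell
# Added example: summarise Group Policy processing problems from the
# operational event channel and show the full trace of the latest one.
$logName = 'Microsoft-Windows-GroupPolicy/Operational'
$since   = (Get-Date).AddHours(-24)          # assumed look-back window

# Level 2 = Error, Level 3 = Warning
$filter   = @{ LogName = $logName; Level = 2, 3; StartTime = $since }
$problems = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($problems.Count -eq 0) {
    "No Group Policy errors or warnings since $since."
    return
}

# All events of one policy processing cycle share an ActivityId,
# so grouping on it gives one row per failed or degraded cycle.
$problems | Group-Object ActivityId | ForEach-Object {
    $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
    [pscustomobject]@{
        ActivityId   = $_.Name
        Started      = $first.TimeCreated
        Events       = $_.Count
        EventIds     = ($_.Group.Id | Sort-Object -Unique) -join ','
        FirstMessage = ($first.Message -split "`r?`n")[0]
    }
} | Sort-Object Started | Format-Table -AutoSize -Wrap

# Pull every event (including informational ones) for the most recent
# problematic cycle to see which step of processing went wrong.
$last = ($problems | Sort-Object TimeCreated | Select-Object -Last 1).ActivityId
if ($last) {
    $xpath = "*[System/Correlation/@ActivityID='{$last}']"
    Get-WinEvent -LogName $logName -FilterXPath $xpath -Oldest |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}
```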
Administrative Template Files
Windows Vista Administrative Computer (English)
• %windir%\policydefinitions: Printing.admx, inetres.admx, …
• %windir%\policydefinitions\en-us: Printing.adml, inetres.adml
<sysvol>\policies\policydefinitions
• Printing.admx, inetres.admx, ..
• \en-us: Printing.adml, inetres.adml
• \fr: Printing.adml, inetres.adml
• \ ..
Windows Vista Administrative Computer (French)
• %windir%\policydefinitions: Printing.admx, inetres.admx, …
• %windir%\policydefinitions\fr: Printing.adml, inetres.adml
Windows Vista Interop Scenarios (ADMX/ADM Co-Existence)
• Windows Vista does not ship with any ADM files
• ADMX files are a superset of older ADM files
• Both ADMX and ADM files can co-exist
• You can use the “Add/Remove Templates” dialog for ADM files
• You can leverage this feature in existing Win2k3/Win2k environments; just admin workstations need to run Vista
• Note: No plan currently to ship an ADM to ADMX conversion tool
ADM Templates – Usability Improvements: Windows Vista SP1/“Longhorn” Server
• Comments
  - Enable per GPO and per setting comments
• Search/Filter – locate settings based on:
  - Text search of setting title, explain text and comments
  - Platform and applications “supported on”
  - Managed (true GP policy setting)
  - Configured (enabled or disabled)
  - Results of search is a filtered GPedit view
• Templates
  - Encapsulation of best practices/scenarios
  - Will contain recommended policy settings and values
  - Microsoft will ship some initial scenario-based templates
  - Anyone can create and share new custom templates
  - Create new GPOs based on a template
  - GPMC will provide ‘Template management’ support
Prototype UI For Templates And Search And Filter Features Filter Options Dialog GPMC Template Integration
Demo • Editing Domain-based GPOs Using ADMX Files • Create ADMX Central Store
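One way to populate and check the central store laid out on the Administrative Template Files slide, as an added example that is not part of the original deck. It assumes it is run on an administrative workstation by an account allowed to write to SYSVOL, and that the domain's SYSVOL share is reachable as `\\<domain>\SYSVOL\<domain>`.

```powershell
# Added example: copy local ADMX/ADML templates into the domain central
# store without overwriting anything, then report how the two sets compare.
$domain  = $env:USERDNSDOMAIN                       # domain of the logged-on user
$source  = Join-Path $env:windir 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not $domain) { throw 'This computer session is not logged on to a domain.' }
New-Item -ItemType Directory -Path $central -Force | Out-Null

$report = foreach ($file in Get-ChildItem -Path $source -Recurse -Include *.admx, *.adml) {
    # Keep the relative layout: .admx at the root, .adml under en-us, fr, ...
    $rel    = $file.FullName.Substring($source.Length).TrimStart('\')
    $target = Join-Path $central $rel

    if (-not (Test-Path $target)) {
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $target
        $state = 'Copied'
    }
    elseif ((Get-FileHash $file.FullName).Hash -eq (Get-FileHash $target).Hash) {
        $state = 'Identical'
    }
    else {
        # Left untouched: the store may already hold a newer template version.
        $state = 'Differs'
    }
    [pscustomobject]@{ Template = $rel; State = $state }
}

$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.State -eq 'Differs' } | Format-Table -AutoSize
```

Templates reported as `Differs` deserve a manual look before replacing them, because every administrator editing domain GPOs reads from this one location.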
DFS Replication and SYSVOL • ADM File • ADMX File • SYSVOL • * Remote Differential Compression (RDC)
Agenda • Understanding Group Policy • Reviewing New Infrastructure Features • Using Policy Settings
Choosing the Right Settings
Examples of Expanded Policy Settings: • Client Help • BITS • Disk Failure Diagnostics • DVD Video Burning • Shell Application Management • MMTP • Network Quarantine • Security Protection • UAC
Security Pain Points • Users over-privileged • Spyware and viruses • Lost productivity • Administrative cost • Secure by default
Windows Firewall and IPSec • IPSec
Security Enhancements • Windows Defender • Wireless and Wired Configuration • Version 7.0 • Network Access Protection • Public Key Policy Configuration • Integrated IE 7.0 Policy Settings
Desktop Management • Power Management • Printer Management • Windows Shell Management
Device Installation Policy Settings • Device Identification Strings • Device Setup Classes (graphic label: Device Driver)
Demo • Installing Devices with Group Policy • Block the Installation of a USB Device
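To confirm what a device-installation restriction GPO actually delivered to a client, the resulting policy values can be read back and compared with the devices present. This is an added example, not part of the original deck; the registry location and value names are the ones these policy settings write, and the check over present USB devices is an illustrative audit.

```powershell
# Added example: report device-installation restrictions applied by Group
# Policy and flag present USB devices matching a denied ID or setup class.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-RestrictionList([string]$Name) {
    # List-type settings are stored as numbered string values under a subkey.
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

if (-not (Test-Path $base)) {
    'No device installation restrictions are configured on this computer.'
    return
}

$flags       = Get-ItemProperty -Path $base
$denyIds     = Get-RestrictionList 'DenyDeviceIDs'      # device identification strings
$denyClasses = Get-RestrictionList 'DenyDeviceClasses'  # device setup class GUIDs

[pscustomobject]@{
    DenyUnspecified      = [bool]$flags.DenyUnspecified
    DenyRemovableDevices = [bool]$flags.DenyRemovableDevices
    AllowAdminInstall    = [bool]$flags.AllowAdminInstall
    DeniedHardwareIds    = $denyIds -join '; '
    DeniedSetupClasses   = $denyClasses -join '; '
} | Format-List

# A device matches when any of its hardware or compatible IDs is listed,
# or when its setup class GUID is listed.
Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.PNPDeviceID -like 'USB\*' } |
    ForEach-Object {
        $dev = $_
        $ids = @($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ }
        $hit = @($ids | Where-Object { $denyIds -contains $_ })
        if ($dev.ClassGuid -and ($denyClasses -contains $dev.ClassGuid)) { $hit += $dev.ClassGuid }
        if ($hit) { [pscustomobject]@{ Device = $dev.Name; Matched = $hit -join ', ' } }
    } | Format-Table -AutoSize -Wrap
```

A device listed by the second part is already installed on the computer even though its identifier is denied, which usually means it was installed before the restriction was applied.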
QoS Policies • Source IPv4/IPv6 addresses • Destination IPv4/IPv6 addresses • Protocol • Source or destination ports (graphic label: A/V Traffic)
Demo • Configuring QoS Policy • Create a QoS Policy for Web Traffic • Create a QoS Policy for VoIP Traffic
Session Summary • Better Group Policy administration • Restricting device installation • Managing network traffic
Microsoft Press Publications For the latest titles, visit www.microsoft.com/learning/books/itpro/
Non-Microsoft Publications These books can be found and purchased at all major book stores and online retailers
Resources
• Group Policy on Microsoft.com: http://www.microsoft.com/GroupPolicy
• Group Policy FAQ: http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx
• What's New in Group Policy in Windows Vista and Windows Server "Longhorn": http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx
• Managing ADMX Files Step by Step Guide: http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
• Group Policy Feature Suggestions, New Policy Setting Ideas, etc.: http://www.WindowsServerFeedback.com
Find all these support options at www.microsoft.com/technet/support
Microsoft offers a progressive series of support options starting with no-charge online support and developing through subscription, incident, and contract support.
1. No-Charge Online Support
• Knowledge Base: Search a vast database of articles to pinpoint the information you need.
• Newsgroups: Access over 20,000 active newsgroups on scores of topics.
• Product Support Centers: Get answers to frequently asked questions, plus how-to articles and step-by-step instructions organized by product.
• DLL Help Database: Search here to identify the software used to install a specific DLL version.
• Events and Errors Message Center: Resolve event and error messages fast with explanations, recommendations, and links to support and resources.
• Support Webcasts: Tune in to live technical presentations by Microsoft experts and take part in real-time Q&A.
• Chats: Chat online with Microsoft specialists or search the transcript archives.
• User Group Program: Access information and support for IT and other interest-specific user groups.
• TechNet Security Resource Center: Get ahead of security risks with resources that keep you current, including security newsletters and the Microsoft notification service.
2. Subscription-Based Support
• TechNet Subscription: Subscribe to TechNet for a personal library of articles, service packs, how-to’s, resource kits, tools, utilities, and more. Your subscription includes monthly updates delivered on CD or DVD, so you always have the latest information, straight from the source.
• Upgrade to a TechNet Plus subscription and add all this:
  1. Full-version evaluation software, including Microsoft Office System and Windows Server System™ products, without time restrictions.
  2. Free support — two complimentary incidents, plus a discount on other support calls.
  3. Unlimited, next-business-day access to reliable answers from the IT community and Microsoft Support Professionals through Managed Newsgroups (English only).
3. Assisted Incident Support
• E-mail Support: Get online incident help via e-mail from a Microsoft Support Professional.
• Phone Support: Get incident help over the phone from a Microsoft Support Professional.
• Phone Support Contract: Save with a discounted 5-Pack Phone Support contract.
• Advisory Services: Add remotely delivered consultation options from Microsoft Advisory Services for proactive support that goes far beyond routine product maintenance.
4. Contract-Based Support
• Premier Support: Get the flexibility to match support options to your organization and enjoy direct access to Microsoft technical experts at any time, day or night. Premier Support delivers customized options for businesses with complex needs, including dedicated technical professionals to oversee your support, 24x7 problem resolution, and training and workshops that keep your IT staff up to date.
• Essential Support: Essential Support offers prepackaged options specifically designed to meet the fundamental support requirements of any business, large or small. Includes account management, problem resolution, and information services.
Where Else Can I Get Help? • Free chats and webcasts • List of newsgroups • Microsoft community sites • Community events and columns www.microsoft.com/technet/community
What else does TechNet give you? • FREE TechNet Newsletter • FREE Events and Webcasts • FREE quarterly “TechNet” magazine • FREE comprehensive technical website • FREE TechNet Radio, Security Centre, Learning Paths and Virtual Labs • TechNet Plus Subscription DVD
A range of tools and resources for IT professionals that let you plan, manage, deploy
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet
Thank you for attending this TechNet Event http://www.microsoft.com/uk/technet PS (The evaluation form is now sent out electronically with your thank you e-mail. This can take up to 5 working days. Please do feedback as we read all the comments and use them to shape future event content)
Thanks for Attending! Andrew.malone@quality-training.co.uk