Windows 2000 Deployment Conference
Windows 2000 Active Directory Organizational Unit and Group Policy Planning
Adam Gordon, MCS Senior Consultant, Microsoft Corporation
Agenda • OU concepts • OU planning & design principles • OU for delegation • OU for Group Policy • OU for publishing (and hiding) directory objects • OU design exercise
What Is an Organizational Unit? [Figure: a forest containing the domains Maggipharm.com and Bioquest.com, with child domains rsrch.bioquest.com, sales.bioquest.com and dev.bioquest.com] • A container inside a domain • The element of hierarchical structure within the domain
OUs vs. Domains • OUs are easily changed • Moved, renamed, deleted • Within a domain, objects move easily between OUs • Less impact on performance
Domains vs. OUs • Replication Boundary • Boundary for Security Policies and Domain Administrators • Rights intrinsic to Domain Admins
OUs: What Are They Good For • Delegating Administration • Group Policies • Organizing Published Objects in the directory
OU Planning [Figure: forest plan → domain plan → OU plan → site topology] • Create an OU plan for each domain
OU Planning Methodology [Figure: forest plan → domain plan → OU plan → site topology; the OU plan serves three purposes: delegate administration, apply Group Policy, organize objects]
OU Design Principles • Keep it simple • Think supportability • Know your customer’s organizational and political boundaries • Detach the user from the workstation • Abstract the service from the server
Current Environment Analysis • Logon Scripts • “Functional” Groups (ifmember) • Current Administrative Boundaries • Current Domain Infrastructure • User Domains and Resource Domains: why are they there? • Users & Workstations • Restricted Labs, Kiosks, Factory Floors • Elevated Special Apps and Devices
OUs for Delegation • You can assign permissions to directory objects on a per-attribute basis • Use OUs to “group” objects with similar needs for administrative control • Use Administrative Delegation to reduce the number of Domain Admins • Like NT 4 User and Resource Domains…only better
Class-based Delegation • Delegate administrative control on a per-class basis for each OU: • Users & Groups • Computers • Note: Workstations and Member Servers are both “Computers” • Domain Controllers are a distinct class in their own OU • Folders • Printers
Attribute-based Delegation • You can also assign rights to specific attributes of an object class • Example: Telecom Department
OU Delegation Illustrated [Figure: domain.edu containing the OUs Medicine, Law and Engineering; the Engineering OU carries ace (ENG Admins, Full Control) and contains the child OUs Civil and Electrical; the Electrical OU carries ace (EE Admins, FC/Groups) and ace (EE Admins, FC/Computers)]
Delegation Made Easy • Use the Delegation of Control Wizard • A demo…
Delegation Made Hard [Figure: a directory object with its ACL and ACEs; ACEs can apply to specific attributes] • Directly modify object ACLs • Object Access Control • Go to chalk talk to discuss details
OU Planning: Apply Group Policy • Group policy is used to control desktop configurations • Applied to Users and Computers • Associated with Sites, Domains, or Organizational Units • Create OUs to apply unique policy • Filter application of policy using access control
Change And Configuration Management: features and benefits
IntelliMirror:
• User data management: Increased protection and availability of people’s data (“My Documents follow me!”)
• Software installation & maintenance: Increased availability of the applications that people need (“My Applications follow me!”)
• User settings management: Increased computer availability (“My Personal Settings follow me!”)
• Remote OS installation: Fast recovery, setup, (re)configuration of computer and operating system
Change And Configuration Management: features and technology used
IntelliMirror:
• User data management: Active Directory, Group Policy, Offline Files, Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
• Software installation & maintenance: Active Directory, Group Policy, Windows Installer, Application Deployment Editor, Add/Remove Programs, Dfs
• User settings management: Active Directory, Group Policy, Offline Files, Roaming User Profiles, Enhanced Shell Functionality
• Remote OS installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, boot floppy)
Change And Configuration Management Technologies (every feature below is driven by Group Policy)
IntelliMirror:
• User Document Management: Active Directory, Group Policy, Offline Folders (CSC), Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
• Software Installation: Active Directory, Group Policy, Windows Installer, Software Installer snap-in, Add/Remove Programs, Dfs
• User Settings Management: Active Directory, Group Policy, Offline Folders (CSC), Roaming User Profiles, Enhanced Shell Functionality
• Remote OS Installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, boot floppy)
What Is Group Policy? Technology that enables you to specify requirements for your users’ environment and then rely on Windows 2000 to continually enforce them
What Is Group Policy? • “Sales department will have Office 2000” • “Disable logoff from Start Menu for all Receptionists” • “Audit all failed logon attempts for all Computers in the Atlanta area, in the Peachtree office”
Group Policy Requires… • Windows 2000 Active Directory • Windows 2000 Professional clients • No support for Windows NT 4.0 or earlier • No support for Windows 9x or earlier
What Can You Do With Group Policy? • Administrative Templates: Registry-based policy settings • Security: Options for local, domain, and network security • Software Installation: Central management of software installation • Scripts: Startup, shutdown, logon, and logoff scripts • Folder Redirection: Store users’ folders on the network
Where Does Group Policy Live? • Within group policy objects (GPOs) • Created within a domain • Linked to any number of sites, domains, and organizational units (SDOUs) • Multiple GPOs can be linked to a single SDOU
When Does Group Policy Get Applied? [Figure: Computer starts → applies Computer settings from Group Policies → startup scripts run; User logs on → applies User settings from Group Policies → logon scripts run] …and at periodic intervals (more on this later)
Where Does My Policy Come From? • Site, Domain, OU hierarchy • Policy is inherited • “Closer” settings override “farther” ones [Figure: processing order 1 Site, 2 Domain, 3 OU]
Modifying Inheritance • No Override prevents child containers from overriding policies set at higher levels • Block Inheritance prevents inheritance of all policies from parent containers • Highest No Override takes precedence over lower No Overrides • No Override takes precedence over Block Inheritance
What If An SDOU Is Linked To Multiple GPOs? • Higher GPOs override lower GPOs • GPOs are processed in the reverse order listed on the tab
What If I Don’t Want Everyone In An OU To Be Affected By A GPO? • You cannot link a GPO to a security group • You can “filter” GPOs by changing the default permissions on the GPO, using security groups • You need the Read and Apply Group Policy ACEs to have a GPO apply • You need Read and Write in order to read or modify a GPO
Default GPO Permissions • Authenticated Users: Read, Apply Group Policy • Local System, Domain Admins, Enterprise Admins: All permissions except AGP (Apply Group Policy)
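The precedence rules on the preceding slides (site → domain → OU inheritance, No Override, Block Inheritance, link order on the Group Policy tab, and filtering through the Read and Apply Group Policy ACEs) combine in ways that are easy to get wrong when auditing a design. The following Python model is an added example, not code from the deck or from Microsoft; the container names, GPO names, settings and group memberships are constructed, and it computes which GPOs apply to a user and in what order:

```python
"""Model of how Windows 2000 resolves Group Policy for a user: site, domain, OU
inheritance, No Override, Block Inheritance, link order on the Group Policy tab,
and filtering through the Read and Apply Group Policy ACEs on each GPO.
All names and settings below are constructed for the example."""
from dataclasses import dataclass, field

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass
class ACE:
    principal: str        # user or security group
    permission: str       # READ or APPLY
    allow: bool = True    # False models an explicit Deny, which wins over Allow


def default_acl():
    # Default GPO permissions: Authenticated Users get Read and Apply Group Policy
    return [ACE("Authenticated Users", READ), ACE("Authenticated Users", APPLY)]


@dataclass
class GPO:
    name: str
    settings: dict = field(default_factory=dict)   # absent key = "Not configured"
    acl: list = field(default_factory=default_acl)

    def applies_to(self, user, groups):
        """A GPO applies only if the user (directly or via a group) holds both
        Read and Apply Group Policy and neither is denied."""
        principals = {user, "Authenticated Users", *groups}
        for perm in (READ, APPLY):
            relevant = [a for a in self.acl if a.permission == perm and a.principal in principals]
            if not any(a.allow for a in relevant) or any(not a.allow for a in relevant):
                return False
        return True


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:          # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)   # as listed on the tab, top (highest precedence) first
    block_inheritance: bool = False


def resolve(chain, user, groups=()):
    """chain: containers from outermost to innermost (site, domain, OU, child OU, ...).
    Returns the GPOs in the order they are applied; a later GPO overrides an earlier one."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            normal = []   # Block Inheritance drops everything inherited except No Override GPOs
        for link in reversed(container.links):   # bottom of the tab first, top of the tab last
            if link.gpo.applies_to(user, groups):
                (enforced if link.no_override else normal).append((depth, link.gpo))
    # No Override GPOs apply after all others, and a higher container's No Override
    # beats a lower one, so child enforced GPOs go first and the parent's go last.
    enforced.sort(key=lambda item: -item[0])    # stable sort keeps tab order within a container
    return [gpo for _, gpo in normal] + [gpo for _, gpo in enforced]


def effective_settings(applied):
    result = {}
    for gpo in applied:
        result.update(gpo.settings)   # "Not configured" settings leave earlier values alone
    return result


# --- constructed sample hierarchy (hypothetical names) ------------------------
SITE = Container("Atlanta", [Link(GPO("Site-Baseline", {"proxy": "atl-proxy"}))])
DOMAIN = Container("bioquest.com", [
    Link(GPO("Domain-Default", {"remove_logoff": False, "office2000": False})),
    Link(GPO("Domain-Audit", {"audit_failed_logons": True}), no_override=True),
])
SALES_OFFICE = GPO("Sales-Office2000", {"office2000": True, "homepage": "sales-portal"},
                   default_acl() + [ACE("Contractors", APPLY, allow=False)])  # filtered out for contractors
SALES = Container("Sales", [
    Link(SALES_OFFICE),                                                         # top of tab: wins conflicts
    Link(GPO("Sales-Common", {"homepage": "intranet", "audit_failed_logons": False})),
])
RECEPTION = Container("Reception", [
    Link(GPO("Reception-Lockdown", {"remove_logoff": True})),
    Link(GPO("Reception-NoAudit", {"audit_failed_logons": False}), no_override=True),
], block_inheritance=True)


def applied_names(chain, user, groups=()):
    return [gpo.name for gpo in resolve(chain, user, groups)]


if __name__ == "__main__":
    for user, groups, chain in [("alice", {"Sales Staff"}, [SITE, DOMAIN, SALES]),
                                ("bob", {"Contractors"}, [SITE, DOMAIN, SALES]),
                                ("carol", {"Reception Staff"}, [SITE, DOMAIN, SALES, RECEPTION])]:
        print(user, applied_names(chain, user, groups), effective_settings(resolve(chain, user, groups)))
```

Running it shows the three cases the slides describe: for alice the Sales OU's top-listed GPO wins the homepage conflict but the domain's No Override GPO still forces auditing on; for bob the Deny on Apply Group Policy filters Sales-Office2000 out even though Authenticated Users are allowed; for carol, Block Inheritance on the Reception OU discards the site, domain and Sales GPOs, yet the domain's No Override GPO survives and beats the OU's own No Override GPO.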
Creating A Domain Or OU GPO [Screenshot: Active Directory Users and Computers (dsa) with the context menu of an OU open, showing Delegate control…, Add members to a Group, Move…, Find…, New, All Tasks, View, New Window from Here, Delete, Rename, Refresh, Export List…, Properties, Help; a new GPO is created from the OU’s Properties dialog via New]
Creating A Site GPO • Use Active Directory Sites and Services • You must be a member of Enterprise Admins • By default, a site GPO is stored in the enterprise root domain • This may be altered at creation time, by changing the DC that the ADS&S snap-in is using and then creating a new GPO
Disabling A GPO • You can disable a GPO or just the User or Computer Settings nodes
Deleting A GPO • “Deleting” a GPO from an SDOU gives you a choice between • Unlinking the GPO from the SDOU • Permanently deleting the GPO
Registry-Based Policy Settings [Figure: the three states of a registry-based setting] • Ignore • Implement • Do not implement, remove
Administrative Templates • Framework for defining registry-based policies • Text file with .adm extension • Windows 2000 ships with system.adm and inetres.adm
Script Settings [Figure: Computer Configuration → Startup/Shutdown (computer scripts); User Configuration → Logon/Logoff (user scripts)] • You can assign multiple scripts and set the processing order • Default timeout is 10 minutes • Computer Configuration\Administrative Templates\System\Logon • “Maximum wait time for Group Policy scripts”
Security Policy Settings • Account Policies: Configure password, account, and Kerberos policies (domain only) • Local Policies: Configure auditing, user rights, and security options • Event Log: Configure settings for application logs, system logs, and security logs • Restricted Groups: Configure group memberships for security-sensitive groups • System Services: Configure security and startup settings for services running on a computer • Registry: Configure security on registry keys • File System: Configure security on specific file paths • Public Key Policies: Configure encrypted data recovery agents, domain roots, trusted certificate authorities • IP Security Policies: Configure IP security on a network