
Microsoft Server 2008 R2


shaun


Presentation Transcript


  1. Microsoft Server 2008 R2: Group Policies & AD

  2. Group Policies: Refresher
     • Policies are “all or nothing”: you cannot selectively choose within a policy
     • Only policy settings that are enabled are read; Not Configured settings are ignored
     • Policies are inherited and cumulative
     • LSDOU (Local, Site, Domain, OU)
     • Policies are refreshed every 90 minutes with a 30-minute randomization
     • DCs are refreshed every 5 minutes

  3. GPO Concepts
     • Policies are applied from the bottom up. Rules that apply:
     • Listen to the last policy you heard from
     • Execute policies from the bottom up as they appear in the GUI
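The "last policy heard from wins" rule is easiest to see by listing the links that reach a computer's OU in the order the engine processes them. This is an added example, not from the slides; it assumes the GroupPolicy and ActiveDirectory modules that ship with Windows Server 2008 R2 / RSAT, and the computer name `WS01` is a placeholder.

```powershell
# Added example: show which domain/OU-linked GPOs apply to a computer and in what
# order, so the GPO that wins a conflicting setting is the last row printed.
# Local GPOs and site-linked GPOs are not in this list (Get-GPInheritance only
# walks the domain and OU chain), so read the output as the "D" and "OU" of LSDOU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoPrecedence {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Drop the leaf "CN=name," to get the OU (or container) holding the object.
    $ou = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

    # InheritedGpoLinks is already ordered by precedence: Order 1 is applied
    # last and therefore wins. Block Inheritance and Enforced are accounted for.
    $links = (Get-GPInheritance -Target $ou).InheritedGpoLinks
    $total = @($links).Count

    # Emit in processing order (lowest precedence first) to match the slide's
    # "bottom up" rule; the final row is the policy the client heard from last.
    $links | Sort-Object Order -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            AppliedStep = $total - $_.Order + 1   # 1 = applied first
            Precedence  = $_.Order                # 1 = wins conflicts
            GPO         = $_.DisplayName
            LinkedAt    = $_.Target
            Enabled     = $_.Enabled
            Enforced    = $_.Enforced
        }
    }
}

# Placeholder computer name; the last row printed is the GPO that wins conflicts.
Get-GpoPrecedence -ComputerName 'WS01' |
    Select-Object AppliedStep, Precedence, GPO, LinkedAt, Enabled, Enforced |
    Format-Table -AutoSize
```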

  4. GPO Planning: OU Design
     • Create separate OUs for computers and users
     • Segment machines/users into roles by OU. Examples:
       • Servers: Exchange Servers, Terminal Servers, Web Servers, File and Print, etc.
       • Workstations: Desktops, Laptops, task stations, etc.
       • Pre-stage computers/servers
       • Users: IT Staff, Engineers, Shop Floor, Laptop Users, etc.

  5. GPO Planning: OU Design
     • Pre-staging PCs/Servers
       • Create computer objects before joining to the domain
       • Allows for immediate GPO application to the system

  6. GPO Planning
     • GPO naming conventions: make them consistent and easy to interpret
     • Simply use a clear name to describe the intent of the GPO
     • How significant is the number of GPOs applied?
     • 999 is the maximum number of GPOs applied

  7. Planning: Deployment (Test, Stage, and Production)
     • It’s a “good thing” if you: Test -> Stage -> Test -> Deploy -> Validate
     • Backup/Copy/Import (including migration tables)
     • Documentation: HTML or XML Reports
     • Save Report…

  8. Planning: Disaster Recovery
     • GPMC Backup / Restore handles a GPO as a logical entity
     • Automate GPO backup using the GPMC scripts BackupAllGPOs or BackupGPO
     • Regularly test GPO restore in your environment using RestoreAllGPOs or RestoreGPO
     • Think about building/rebuilding your staging environment

  9. Planning: Disaster Recovery
     • Be aware of what is NOT included in a backup of a GPO and plan accordingly
       • IPSec Settings, which live in CN=IP Security, CN=System,DC=xxxx (AD backup handles this); the GPO includes just the link to this data
       • WMI Filter (only the filter link is backed up); the filter itself is stored in AD, so your AD backup covers this
       • GPO links from sites, domains or OUs, since they are not an attribute of the GPO (again, AD backup covers this)
     • Don’t rely on DCGPOFix (last resort tool!): DCGPOFix returns the default GPOs to the clean-install state (not an upgrade) and they are unlinked; use your own backup instead
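Slides 8 and 9 together describe a backup job that is only useful if the pieces a GPO backup omits (links, WMI filter association) are recorded next to it. The script below is an added example, not from the slides or Microsoft's GPMC sample scripts; it uses the GroupPolicy and ActiveDirectory PowerShell modules of Windows Server 2008 R2 in place of BackupAllGPOs.wsf, and `\\backupserver\gpo` is a placeholder path.

```powershell
# Added example: back up every GPO with the 2008 R2 GroupPolicy module and also
# record what the backup itself does not contain, so a restore can be re-linked
# and re-filtered. IPsec policy and the WMI filters themselves still come from
# your AD backup, exactly as the slide says.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-GpoWithMetadata {
    param([Parameter(Mandatory = $true)][string]$Root)

    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $dest  = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dest | Out-Null

    # 1. The GPOs (AD container + Sysvol template), the same unit GPMC backs up.
    $results = Backup-GPO -All -Path $dest -Comment "Scheduled backup $stamp"

    # 2. HTML documentation of every GPO, for the change record (slide 7).
    Get-GPOReport -All -ReportType Html -Path (Join-Path $dest 'AllGPOs.html')

    # 3. Links are not an attribute of the GPO: capture them for the domain
    #    root and every OU, including link order and the Enforced flag.
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
    $targets | ForEach-Object {
        $t = $_
        (Get-GPInheritance -Target $t).GpoLinks | ForEach-Object {
            New-Object PSObject -Property @{
                Target = $t; GPO = $_.DisplayName; GpoId = $_.GpoId
                Order = $_.Order; Enabled = $_.Enabled; Enforced = $_.Enforced
            }
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $dest 'GpoLinks.csv')

    # 4. Only the WMI filter *link* is in the backup; note which filter each GPO used.
    Get-GPO -All |
        Select-Object DisplayName, Id, @{ n = 'WmiFilter'; e = { if ($_.WmiFilter) { $_.WmiFilter.Name } } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $dest 'GpoWmiFilters.csv')

    return $results
}

# Run from a scheduled task; then rehearse Restore-GPO into the staging
# environment and re-create links from GpoLinks.csv with New-GPLink.
Backup-GpoWithMetadata -Root '\\backupserver\gpo' | Select-Object DisplayName, Id, Timestamp
```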

  10. Planning: Group Policy Dependencies
     • DNS: many “Group Policy problems” turn out to be related to DNS misconfiguration
     • Don’t touch the Policies directory in Sysvol (including playing with ACLs); manage through supported tools only. If you plan to delete Sysvol – well, don’t!

  11. GPO and 2008 R2 & Windows 7
     • Group Policy Preferences (GPP)
       • Extensions or “new settings”
       • Adds more than 3000 policy settings!
       • Modify the local administrator password on every desktop
       • Different from normal GPO settings, as they are duplicated under user and computer settings
     • Multiple Local Group Policies
     • Improvements to existing policies
     • Folder redirection
     • Cleaner

  12. GPO and 2008 R2 & Windows 7
     • Multiple Local Group Policy Objects (MLGPO)
     • Different Local Group Policies for different folks

  13. GPO and 2008 R2 & Windows 7

  14. Folder Redirection
     • Cleaner view, and handles most profile folders

  15. Troubleshooting
     • Know where your GPOs live
       • Local GPOs: %windir%\system32\grouppolicy
       • MLGPOs: %windir%\system32\grouppolicyusers
       • Domain GPOs (on a DC): %windir%\sysvol\sysvol
     • Know your reporting options
       • Group Policy Modeling
       • Group Policy Results
       • Event Log (exposed through GPMC)
     • Know your tools
       • With the operating system: GPUpdate.exe, GPResult.exe
       • WS 2003 Resource Kit: GPOTool, GPMonitor
       • Download Center: GPInventory
     • Know your log files
       • UserEnv (Core Engine), WinLogon (Security), FDeploy (Folder Redirection), Appmgmt.log (software installation), Gpmgmt (GPMC), GPedit (GPEdit), GPText (CSE-specific)

  16. Troubleshooting
     • Using the Local GPO (LGPO)
       • A good option if you don’t have access to change GPOs in a domain (not all settings will be available: software installation and folder redirection, for example)
       • Updating the LGPO on a domain-joined PC has no impact when using cached credentials
     • Read the Explain Text for Admin Templates and the Help for Security Settings
     • Use the “force”…: the gpupdate.exe /force switch forces the policy update
     • If you move a user/computer to a new OU, the change will not take place immediately: reboot, log on again, or force
     • Consider using virtualization, especially helpful for settings that tattoo the system; undo when done!
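Slides 15 and 16 list the tools but not how to tie them together on one machine. The function below is an added example, not from the slides: it runs `gpupdate /force`, saves a `gpresult` HTML report, and then reads the Group Policy operational event log that Windows 7 / Server 2008 R2 write in place of the older UserEnv.log. It assumes local administrator rights and only the documented switches of those two tools.

```powershell
# Added example: force a policy refresh and surface what the engine logged about
# it, so a DNS, Sysvol or client-side-extension failure is visible without
# opening the raw log files by hand.
function Test-GpoRefresh {
    $start  = Get-Date
    $report = Join-Path $env:TEMP 'gpresult.html'

    # /force re-applies every setting, not only the ones that changed since
    # the last refresh (the normal 90-minute cycle only applies changes).
    & gpupdate.exe /force | Out-Null

    # Resultant Set of Policy as HTML (/h); /f overwrites an existing file.
    & gpresult.exe /h $report /f | Out-Null

    # Windows 7 / 2008 R2 log Group Policy engine activity here. Level 1-3 is
    # Critical/Error/Warning; Level 4 is the normal "policy applied" chatter.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = $start
    } -ErrorAction SilentlyContinue)

    $problems = @($events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })

    New-Object PSObject -Property @{
        RefreshStarted = $start
        EventsSeen     = $events.Count
        ProblemCount   = $problems.Count
        Problems       = @($problems | Select-Object TimeCreated, Id, Message)
        Report         = $report
    }
}

# ProblemCount of 0 plus a fresh report means the client heard every policy;
# a non-zero count points at the CSE or lookup to investigate first.
Test-GpoRefresh | Format-List RefreshStarted, EventsSeen, ProblemCount, Report, Problems
```

Run it from an elevated prompt on the affected client, and compare the report with Group Policy Modeling in GPMC when the two disagree about which GPOs should apply.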

  17. Reference
     • http://www.microsoft.com
