Active Directory Group Policy
Group Policy Overview
Successor to NT policies
Much more flexible
Only applies to Windows 2000 workstations; use old-style policies for NT
Used to manage the desktop environment
Integrated into Active Directory
What Can Group Policy Manage?
Administrative Templates (registry-based settings)
Security settings
Software installation
Scripts: login, logout, startup, shutdown
Folder redirection
Remote Installation Services
Internet Explorer maintenance
Registry-based Settings
Control over the desktop, Control Panel access, Start Menu and Taskbar, some Windows components, and more
Generally three states: Not Configured, Enabled, Disabled
Implemented via Administrative Templates: text files with an .adm extension
Extensible: you can create your own, and some programs (e.g. Office) ship with their own
Security Policy Settings
Account Policies: password, account, Kerberos
Local Policies: auditing, user rights, security options
Event Log: e.g. maximum size
Restricted Groups: group membership
System Services: security and startup settings
Registry: registry key security
File System: file system security
Public Key Policies: encrypted data, certificate authorities
IP Security Policies: IP security
Software Installation
Use to install software
Use to upgrade software
Three methods:
Assign applications to users
Assign applications to computers
Publish applications to users: available to users, but not installed unless requested
Script Settings
Assign scripts (login, logout etc.)
Set processing order
Folder Redirection
Redirect special folders: Start Menu, Desktop, My Pictures, My Documents, Application Data
Choices: no redirection; redirect everyone to the same location; different locations based on security group membership
Parts of Group Policy Objects
Each GPO has two sections: Computer Configuration and User Configuration
Each part may be disabled (Properties of GPO / General)
Recommended: if a section is unused, disable it, e.g. on a GPO that configures the user desktop, disable the Computer Configuration section
Creating Group Policy Objects
AD Users and Computers: Properties of Domain/OU creates a new GPO linked to that domain/OU
AD Sites and Services: to create a site GPO
Also via the MMC Group Policy snap-in, to create a GPO not linked to a site, domain or OU
How Are Group Policy Objects Applied?
GPOs may be linked to AD containers: sites, domains and Organizational Units (OUs)
They apply to users and computers within the container
Objects in child OUs inherit GPO settings from parent OUs, the domain and the site unless inheritance is explicitly blocked
No inheritance across domain boundaries
One GPO may be linked to multiple containers
Multiple GPOs may be linked to a container
GPOs are not linked to groups
Modifying GPO Inheritance
Block Inheritance: if enabled on a container, objects in the container do not receive any GPO settings from parent containers
No Override: if enabled on a GPO link, inheritance of that GPO's settings cannot be stopped via Block Inheritance
NB: No Override is applied to the link, not to the GPO itself
Filtering Group Policy Settings
GPO settings are applied to all objects in the container; filter using security groups by changing the default GPO permissions
Need Read and Apply Group Policy ACEs to be able to apply a GPO
Need Read and Write ACEs to be able to read and modify a GPO
Deleting and Disabling Group Policy Objects
Disabling a GPO: disable the Computer or User section; disable both to disable the GPO entirely
Also disable via the Options button in AD Users and Computers / Container Properties
Deleting a GPO: AD Users and Computers will offer two options
Remove the link from the list: deletes the link but not the GPO
Remove the link and delete the GPO permanently: deletes the GPO
Disabling and Inheriting: What Do the Properties Belong To?
Properties of a given GPO: Disable Computer Configuration Settings; Disable User Configuration Settings
Properties of a given container: Block Policy Inheritance
Properties of a given link: No Override; Disabled (the GPO is not applied to this container)
Storage of Group Policy Objects
Group Policy Container (GPC): Active Directory object storing version, status etc.; view by enabling Advanced Features in AD Users and Computers, then System/Policies; named by GUID
Group Policy Template (GPT): Sysvol\Policies folder; contains all GP settings; named by GUID
GPC and GPT are replicated separately; policies only apply if both GPC and GPT are in sync
Storage of Group Policy Settings
Stored in the client registry: HKEY_LOCAL_MACHINE (computer settings) and HKEY_CURRENT_USER (user settings)
Special registry keys used: \Software\Policies (preferred) and \Software\Microsoft\Windows\CurrentVersion\Policies
Removed when the GPO no longer applies
Order of GPO Application
Order of application is Site, Domain, OU (SDOU)
Multiple OUs: order of application follows the domain hierarchy (start at the top of the tree and work down)
Multiple GPOs for the same OU: processed in reverse order of the list of GPOs shown for that OU, i.e. the GPO at the top of the list takes precedence; the order can be changed
When are GP Settings Applied?
Computer settings: on boot, and according to the periodic refresh cycle
User settings: on user logon, and according to the periodic refresh cycle
If computer and user settings conflict, computer settings take precedence
Refreshing Group Policy
Default refresh intervals: Windows 2000 Professional and member servers, every 90 minutes with a randomized offset of up to 30 minutes; domain controllers, every five minutes
Changed by altering the Administrative Template settings for users or computers
Exception: software installation and folder redirection policies are only applied on boot or user logon, not periodically
Conflicts
Where settings in a GPO of a parent container conflict with those in a GPO of a child container, the child container's settings win
Where settings from different GPOs linked to the same container conflict, the settings of the GPO highest in the list win; use Up/Down to change position
Exception: where computer and user settings conflict, computer settings win, except for IP Security and User Rights settings
Managing Group Policy Objects
Creating or editing GPOs is handled by the PDC emulator by default, to minimise conflicts
To change this: Group Policy MMC snap-in / View / DC Options, or use Group Policy
Recommended that this is left unchanged
NB: by default, only Domain Admins, Enterprise Admins, Group Policy Creator Owners and the System account can create and edit GPOs
Loopback Processing
The Computer settings part of a GPO linked to an OU applies only to computers within that OU; similarly, user settings apply only to users within the OU
Therefore, normally, a user in OU A logging on to a computer in OU B gets the combination of user settings from OU A GPOs and computer settings from OU B GPOs (plus any inherited settings etc.)
Loopback Processing cont.
You may want to apply the same user settings to any user logging on to a given workstation, regardless of the user's OU, e.g. classroom or public-area workstations
Loopback processing does this
Merge mode applies the normal GPOs for the user as well (but those from the computer take precedence)
Replace mode does not apply the normal GPOs for the user
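As an added example (not from the slides), a small Python model of the precedence rules described above: SDOU order, link order within a container, Block Inheritance, No Override, disabled links, computer-over-user conflicts, and the two loopback modes. All GPO and container names are constructed sample data. It goes slightly beyond the slides in one respect: No Override links are applied after everything else, so they also win conflicts with child containers, which is how Windows 2000 treats them.

```python
def application_order(path):
    """GPO names in client application order (a later GPO overrides an earlier one).
    path: containers Site -> Domain -> OU... (SDOU); each is {"links": [(gpo, no_override,
    disabled), ...], "block_inheritance": bool}; the top of a link list has highest precedence."""
    # Block Inheritance drops the normal links of every container above the blocking one.
    blocks = [i for i, c in enumerate(path) if c.get("block_inheritance")]
    first_visible = blocks[-1] if blocks else 0
    normal, enforced_levels = [], []
    for depth, container in enumerate(path):
        level_enforced = []
        # Bottom of the link list is applied first so that the top entry overrides it.
        for gpo, no_override, disabled in reversed(container["links"]):
            if disabled:                 # a disabled link is not applied to this container
                continue
            if no_override:
                level_enforced.append(gpo)
            elif depth >= first_visible:
                normal.append(gpo)
        enforced_levels.append(level_enforced)
    # "No Override" links go last: they survive Block Inheritance and beat conflicting
    # child settings; of two enforced links the one nearer the root is applied last.
    return normal + [g for level in reversed(enforced_levels) for g in level]

def effective_settings(user_path, computer_path, gpos, loopback=None):
    """Computer settings come from the computer's path, user settings from the user's path.
    Loopback "merge" layers the computer path's user settings on top; "replace" uses only
    those. A setting present in both sections resolves to the computer value (slide rule)."""
    computer, user = {}, {}
    for name in application_order(computer_path):
        computer.update(gpos[name].get("computer", {}))
    if loopback != "replace":
        for name in application_order(user_path):
            user.update(gpos[name].get("user", {}))
    if loopback in ("merge", "replace"):
        for name in application_order(computer_path):
            user.update(gpos[name].get("user", {}))
    return {"computer": computer, "user": user, "merged": {**user, **computer}}

# Constructed sample: a No Override domain link, a Sales OU that blocks inheritance, a Classroom OU.
GPOS = {
    "Site GPO":      {"user": {"wallpaper": "site.bmp"}},
    "Domain GPO":    {"computer": {"min_pwd_len": 8}, "user": {"screensaver_timeout": 600}},
    "Sales GPO A":   {"user": {"wallpaper": "salesA.bmp", "home_drive": "H:"}},
    "Sales GPO B":   {"user": {"wallpaper": "salesB.bmp", "hide_run": True}, "computer": {"hide_run": False}},
    "Classroom GPO": {"user": {"wallpaper": "class.bmp", "hide_run": True}},
}
SITE, DOMAIN = {"links": [("Site GPO", False, False)]}, {"links": [("Domain GPO", True, False)]}
SALES_PATH = [SITE, DOMAIN, {"links": [("Sales GPO A", False, False), ("Sales GPO B", False, False)],
                             "block_inheritance": True}]
CLASSROOM_PATH = [SITE, DOMAIN, {"links": [("Classroom GPO", False, False)]}]
```

Calling effective_settings(SALES_PATH, CLASSROOM_PATH, GPOS, loopback="merge") models a Sales user on a classroom computer: the classroom wallpaper wins, but the Sales home drive survives; with loopback="replace" it does not.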
Local Group Policy
Computers also have a single Local Group Policy Object (LGPO)
Only supports Security Settings, Administrative Templates and Scripts
Processed before AD GPOs; Block Inheritance does not stop its application
Generally unused in an AD setup; most useful for configuring standalone computers
Delegation
It is possible to delegate responsibility for the following tasks: managing links, creating GPOs, editing GPOs
Exceptions for Domain Controllers
Some settings come only from GPOs linked to the domain: domain controllers share the same account database, so these settings must be the same for all of them
Not applied via the Domain Controllers OU, because DCs may be moved out of this OU
NB: you can change these settings in other GPOs, but it will have no effect on domain policy; it will affect local (i.e. non-domain) logons if those GPOs apply to workstations or member servers
Exceptions for Domain Controllers cont.
Domain-wide settings:
All account policies (Computer Configuration/Windows Settings/Security Settings), i.e. Password, Account Lockout and Kerberos policies
Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options: Automatically log off users when logon time expires; Rename administrator account; Rename guest account
Common Desktop Management Scenarios
A package containing GPOs developed for six different scenarios that can be loaded into AD; includes a white paper describing the scenarios and an Excel spreadsheet documenting all GPO settings
The scenarios are: Lightly Managed Desktop (e.g. power user); Mobile User; Multi-User Desktop; AppStation (Highly Managed Desktop) (e.g. admin user); TaskStation (e.g. single task); Kiosk (e.g. public workstation)
Common Desktop Management Scenarios cont.
NB: loading the GPOs into AD does not mean they take immediate effect, since they are not linked to any container
Use them as starting points; use the Excel spreadsheet to document GPO changes
Common Desktop Management Scenarios cont.
White paper: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/grppolsc.asp
All files: http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe
OU Design Issues
Deep OU structure: easier to apply GPOs without filtering; more likely to require inheritance modifications
Flat OU structure: more likely to need filtering; easier to troubleshoot (fewer inheritance issues)
Number of GPOs Required
Few comprehensive GPOs: less to manage; shorter logon times
Many narrowly focused GPOs: more to manage; likely to need more filtering; increased logon times
In theory, up to 20 GPOs applying to a user should not have a major impact on logon times
Recommendations
Disable unused parts of GPO (computer, user settings)
Limit use of inheritance blocking, No Override, loopback processing and filtering: simplifies troubleshooting
Limit the total number of GPOs that apply to a user or computer: improves logon times
Recommendations cont.
Limit the number of admins who can edit GPOs
Test thoroughly before applying to users/computers
Document settings, using the spreadsheets from the Common Desktop Management Scenarios package
References
Windows 2000 Group Policy: http://www.microsoft.com/windows2000/docs/grouppolwp.doc
Loopback Processing of Group Policy: http://support.microsoft.com/support/kb/articles/Q231/2/87.ASP
How to Use Group Policy Objects to Deploy SP1 for Windows 2000: http://support.microsoft.com/support/kb/articles/Q260/3/01.ASP
Group Policy Application Rules for Domain Controllers: http://support.microsoft.com/support/kb/articles/Q259/5/76.ASP
Domain Security Policy in Windows 2000: http://support.microsoft.com/support/kb/articles/Q221/9/30.ASP
Configuring Account Policies in Active Directory: http://support.microsoft.com/support/kb/articles/Q255/5/50.ASP
Diagnosing Problems
Resource Kit: Gpotool.exe, Gpresult.exe
FAZAM 2000: helps to see the end result of applying a number of GPOs
Reduced-functionality version: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp
Full commercial version: http://www.fullarmor.com/solutions/group/