ADM320 Managing Group Policy BJ Whalen Program Manager Windows Server Microsoft Corporation


ADM320

Managing Group Policy

BJ Whalen, Program Manager, Windows Server, Microsoft Corporation

Agenda

Using the Group Policy Management Console (GPMC)

Best Practices for Managing Group Policy

Group Policy Sessions

ADM 222: Using Group Policy to Configure Windows

Yesterday

ADM 320: Managing Group Policy

Now!

ADM 421: Scripting Group Policy

Today, 6:15, Room 9

Managing Group Policy: Existing Challenges

Group Policy was too hard to manage in the past:

Existing UI confusing and limited

Core capabilities were missing:

Reporting of GPO settings

Backup/restore of GPOs

Import/export of GPOs

Existing capabilities were not scriptable

Understanding, assessing, and planning the impact of Group Policy was difficult

Solution: Group Policy Management Console (GPMC)

GPMC Overview

What is the GPMC?

New admin tool for managing Group Policy

Set of scriptable interfaces for managing GP

MMC Snap-in, built on these interfaces

Standalone web release, available now

GPMC Design Goals

Unify management of Group Policy

Address key deployment issues

Provide better UI for visualization

Enable programmatic access to Group Policy

GPMC Feature Summary

New UI for managing Group Policy

Reporting

Search

Resultant Set of Policy (RSoP) integration

Backup/restore

Import/export, copy/paste

Scripting of GPO operations (not settings)

GPMC System Requirements

GPMC runs on:

Windows® Server 2003, or

Windows XP with SP1

.NET Framework

Post SP1 QFE (included with GPMC) which updates GPEdit.dll

GPMC can manage Windows 2000 domains

Some capabilities are only available in Windows Server 2003 forests or domains:

WMI Filters

Group Policy Modeling

Delegation of Group Policy Results

Scope And Inheritance

GPO scope is managed by:

Linking GPOs to an Active Directory container

Adding Security Filters to a GPO

Adding WMI Filters to a GPO

Group Policy inheritance can be altered by:

Changing GPO link order

Blocking inheritance

GPO link enforcement

Delegation

The following GP aspects can be delegated:

GPO creation rights in a domain

Permissions on an individual GPO

Policy-related permissions on a site/domain/OU:

Link GPOs

Perform Group Policy Modeling analyses

Read Group Policy Results data

WMI filter creation rights in a domain

Permissions on an individual WMI filter

GPMC offers simplified security management for GP

Reduces reliance on the ACL editor

Reporting

Problem

No read-only access to GPO settings

Difficult to identify the settings that are set in a GPO

Documentation of GPO settings and RSOP data

Solution

GPMC provides HTML reports for:

GPO settings

RSOP data

Searching For GPOs

Can search for GPOs based on:

Display name

Explicit permissions

Effective permissions

WMI filter

GUID

Policy extensions set in the GPOs

Example: find all GPOs on which the “Policy Admins” group has effective edit rights and that have Folder Redirection policy set

UI Walkthrough

Demo

Resultant Set Of Policy (RSoP)

Shows conflict resolution of policy settings

Example

Both GPO A and GPO B apply to the same user

GPO A sets Wallpaper = Red Moon Desert

GPO B sets Wallpaper = Bliss

RSoP data tells you:

Which setting ultimately “wins”

Which GPO set that winning setting

Precedence info (what were the losing GPOs)

Allows you to more easily plan and troubleshoot Group Policy deployments

RSoP In GPMC

All RSoP capability is exposed in GPMC

GPMC is the recommended way to access RSoP

Original RSoP MMC snap-ins available

GPMC adds HTML-based presentation of RSOP data

RSoP is renamed in GPMC:

Group Policy Results = logging mode

Group Policy Modeling = planning mode

Group Policy Results

Previously known as Resultant Set of Policy – logging mode

Represents what actually was applied on a target machine

Queries target machine to get the data

Supported by clients running Windows XP and later

Note: to effectively delegate, you need the Windows Server 2003 AD schema

Group Policy Modeling

Previously known as Resultant Set of Policy – Planning mode

A simulation of what might be applied

“What if scenarios” based on hypothetical changes to

User, Computer location

Site, Domain, OU

Security Group membership

Simulation performed on DC that must be running Windows Server 2003

Can be used to simulate policy for Win2K clients

RSoP In GPMC

Demo

GPO Backup

A GPO backup transfers to the file system

Policy settings in the GPO

ACLs on the GPO

Link to the WMI filter (but not the filter itself)

Report of the settings in the GPO

Backup is the same operation as Export

Requires read access to the GPO

GPO Restore

Restores all attributes of the GPO:

Policy settings in the GPO

Uses same GPO GUID

ACLs on the GPO

Link to the WMI filter (but not the filter itself)

GPO must be in the same domain

Use import or copy to transfer settings across domains

Does not modify/restore links to the GPO

Links are an attribute of the OU/site/domain, not of the GPO

Required permissions:

Existing GPO: edit/delete/modify security

Deleted GPO: GPO creation rights

Managing GPO Backups

Multiple backups can be stored in the same file system location

Multiple GPOs

Multiple versions of the same GPO

Each backed up GPO can be identified by

Name, description, domain, timestamp, GPO GUID

Can be viewed and managed using GPMC

GPO Import And Copy Overview

Enables “templatization” of managed configuration

Transfers policy settings, does not modify links to the GPO

Can be used same-domain, cross-domain, or cross-forest

Cross-domain/forest transfers are enabled via Migration Tables

Key differences between import and copy:

Copy requires simultaneous access to source and destination domains (e.g., trust)

Import does not require simultaneous access

Source/destination behavior:

Import: from file system to existing GPO

Copy: from live GPO to new GPO

GPO Import Details

Import source: any backed up GPO in the file system

Import destination: an existing GPO in Active Directory

Erases existing settings in the GPO

Import operation does not modify these items on the existing GPO

GUID

ACLs

Links on OUs/domains/sites to this GPO

Link to WMI filter

Permissions: requires edit rights on existing GPO

GPO Copy Details

Copy source: a live GPO in Active Directory

Copy destination: creates a new GPO

New GUID

Two choices for handling the ACL on the GPO:

Use the default ACL on the GPO

Preserve the existing ACL from the source GPO

WMI filter handling:

Link is preserved in same-domain copy operations

Link is dropped in cross-domain copy operations

Permissions:

Requires GPO creation rights in the target domain

Requires read access to source GPO

Cross Domain/Forest Migration Overview

Key challenge – some GPO settings are domain/forest specific

References to users, groups and computers

References to UNC paths

Solution: Migration Table

Maps a reference in the source GPO to a new reference in the destination GPO

Migration tables are created using Migration Table Editor

Cross Domain/Forest Migration Details

Users, groups, computers referenced in GPOs

References possible in these settings:

Folder redirection, GP-based software deployment

Security Settings: (User Rights, Restricted Groups, System Services, File System, Registry)

Issues:

Domain local groups are not valid in other domains, even if there is trust

Users and groups are not usable cross-forest if there is no trust

Even if there is trust, you may want to use different groups in target domain, especially for production to production scenarios

UNC paths referenced in GPOs

References possible in these settings:

Software Distribution points, Folder redirection shares, and pointers to externally stored scripts

Issue: Users in destination domain may not have access to source path

Scenario: Test to production migration

(Diagram: Test Forest with domains A, B, C; Production Forest with domains D, E, F)

GPO X (test forest), user rights reference: B\PilotUsersGroup, B\AdminGroup, A\PilotUserRemoteGroup, C\SpecialGroup

Copy of GPO X (production forest), user rights reference: E\RedmondUsers, E\AdminGroup, D\RemoteUsersGroup, F\VerySpecialGroup

Scenario: Production to Production Migration

(Diagram: one Production Forest with domains A, B, C)

GPO X, user rights reference: B\JapanUsers, B\STD, A\GPAdmins

Copy of GPO X, user rights reference: C\EuropeUsers, C\STD, A\GPAdmins

Migration Tables

What is a migration table?

An XML file created by the admin using the Migration Table Editor (MTE)

Maps security principals and UNC paths to new values

Used during import and copy operations

Choices for using Migration Tables with Import and Copy

No migration table – copy as is

Use migration table

Use migration table exclusively
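As an added example (not one of the sample scripts shipped with GPMC), the test-to-production scenario above carried out through the GPMC COM interfaces (ProgID GPMgmt.GPM, documented in the GPMC SDK) from PowerShell, which is the same COM scripting the Scripting slide below describes: the migration table is built from the slide's group pairs, validated and saved, and a backed-up GPO is then imported into an existing production GPO with the table used exclusively. The production domain name, backup folder, GPO display name and the two UNC paths are assumed values.

```powershell
# Added example using the GPMC COM interfaces (GPMgmt.GPM, see GPMC SDK).
# Assumed values: production domain name, backup folder, GPO display name
# and the two UNC paths; the group pairs come from the scenario slide.
$gpm   = New-Object -ComObject GPMgmt.GPM
$const = $gpm.GetConstants()

$groupMap = @{
    'B\PilotUsersGroup'      = 'E\RedmondUsers'
    'B\AdminGroup'           = 'E\AdminGroup'
    'A\PilotUserRemoteGroup' = 'D\RemoteUsersGroup'
    'C\SpecialGroup'         = 'F\VerySpecialGroup'
}

# Build the table: the entry type must match the source object (a domain
# local group would need EntryTypeLocalGroup, a user EntryTypeUser).
$table = $gpm.CreateMigrationTable()
foreach ($src in $groupMap.Keys) {
    $table.AddEntry($src, $const.EntryTypeGlobalGroup, $groupMap[$src]) | Out-Null
}
# Map the redirected-folder share too, so production users never touch test storage.
$table.AddEntry('\\testfs01\Redirected', $const.EntryTypeUNCPath,
                '\\prodfs01\Redirected') | Out-Null
# Validate() returns an IGPMResult; OverallStatus() throws if any entry is bad.
$table.Validate().OverallStatus()
$table.Save('D:\GPOBackups\test-to-prod.migtable')

# Destination: an existing GPO in the production domain, located by display
# name with the same search criteria the GPMC search dialog uses.
$prod = $gpm.GetDomain('prod.example.com', '', $const.UseAnyDC)
$crit = $gpm.CreateSearchCriteria()
$crit.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, 'GPO X')
$gpos = $prod.SearchGPOs($crit)
if ($gpos.Count -ne 1) { throw "expected one GPO named 'GPO X', found $($gpos.Count)" }
$destGpo = $gpos.Item(1)

# Source: the most recent backup of GPO X in the file system, so no trust
# between the test and production forests is required.
$bcrit = $gpm.CreateSearchCriteria()
$bcrit.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, 'GPO X')
$bcrit.Add($const.SearchPropertyBackupMostRecent, $const.SearchOpEquals, $true)
$backup = $gpm.GetBackupDir('D:\GPOBackups').SearchBackups($bcrit).Item(1)

# MigrationTableOnly = "Use migration table exclusively": the import fails if
# the backup references a principal or path the table does not cover. Import
# replaces the destination's settings but keeps its GUID, ACLs and links.
$destGpo.Import($const.MigrationTableOnly, $backup, $table).OverallStatus()
```

Run it from a machine with GPMC installed, as an account that has edit rights on the destination GPO and read access to the backup folder.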

Deploying From Test To Production

Demo

Scripting

All operations in this tool are scriptable

Scriptability is achieved via COM objects

GPMC UI uses same interfaces

Caveat: cannot script settings within a GPO

GPMC includes 32 sample scripts

For more details on scripting, see:

GPMC SDK (link at end of presentation)

“Scripting Group Policy Operations” ADM421

Creating A Staging Environment

Demo

GPMC Availability

Web download, available now

Requires one licensed copy of Windows Server 2003 in your org

www.microsoft.com/windowsserver2003/gpmc

Agenda

Using the Group Policy Management Console (GPMC)

Best Practices for Managing Group Policy

General Guidelines

Limit who can create and modify GPOs

Fewer GPOs per user/computer are better

Avoid using Deny for GPO security

Consider using loopback for lab, server and shared machines

Use Block Inheritance and Enforce sparingly

DC Issues

Avoid modifying the default GPOs:

Default Domain Policy

Default Domain Controllers Policy

Exceptions:

Account Policy should be set only in the Default Domain Policy, not in any other GPO at the domain level

User rights for DCs should only be contained in the Default DC Policy

As required for app compat if you install apps on DCs (avoid this)

Avoid installing apps on DCs that modify security policy automatically

Ensure all DCs receive consistent policy settings

Do not filter policy settings on individual DCs

All DCs should remain in the Domain Controllers OU

OU Design Considerations

Don’t plan your OU design without considering Group Policy issues

Users and Computers Objects

Don’t mix users and computers in the same OU

Define roles for users and computers and create OUs corresponding to those roles

User account must have read access up the OU tree to get Group Policy

Operations

SYSVOL

Don’t mess with the policies directory in the SYSVOL!

Don’t adjust ACLs on the SYSVOL

Only manage the SYSVOL and AD via Group Policy tools (GPEdit, GPMC, AD Users and Computers)

GPMC checks ACL consistency of GPO between AD and SYSVOL

Backup

Back up your GPOs on a regular basis (GPMC includes a sample script for this)

Ensure that the GPO backup directory is secured
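As an added example (not the sample backup script shipped with GPMC), a PowerShell script that covers both of these points through the GPMC COM interfaces (GPMgmt.GPM): it first restricts the backup folder to SYSTEM and an assumed 'CORP\GP Admins' group, then backs up every GPO in an assumed domain and stores the HTML settings report beside each backup.

```powershell
# Added example (not the deck's bundled backup script): back up every GPO in
# a domain via the GPMC COM interfaces (GPMgmt.GPM), write the HTML settings
# report beside it, and lock the backup folder down first.
# Assumed values: domain, backup path and the administrators' group name.
$Domain    = 'corp.example.com'
$BackupDir = 'D:\GPOBackups'
$AdminGrp  = 'CORP\GP Admins'

$gpm   = New-Object -ComObject GPMgmt.GPM
$const = $gpm.GetConstants()
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# A backup carries each GPO's full settings and ACLs, so the folder deserves
# the same care as SYSVOL: cut inheritance, drop every explicit ACE, then
# allow only SYSTEM and the Group Policy administrators.
$acl = Get-Acl -Path $BackupDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in $acl.Access) {
    if (-not $ace.IsInherited) { $acl.RemoveAccessRule($ace) | Out-Null }
}
foreach ($who in @('NT AUTHORITY\SYSTEM', $AdminGrp)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupDir -AclObject $acl

# Empty search criteria = every GPO in the domain.
$dom   = $gpm.GetDomain($Domain, '', $const.UseAnyDC)
$gpos  = $dom.SearchGPOs($gpm.CreateSearchCriteria())
$stamp = Get-Date -Format 'yyyy-MM-dd'
foreach ($gpo in $gpos) {
    # Backup() returns an IGPMResult whose OverallStatus() throws on failure,
    # so an unreadable GPO stops the run instead of being skipped silently.
    $result = $gpo.Backup($BackupDir, "Scheduled backup $stamp")
    $result.OverallStatus()
    # Same HTML report GPMC shows on the Settings tab, kept with the backup.
    $report = Join-Path $BackupDir ("{0}-{1}.html" -f $gpo.ID, $stamp)
    $gpo.GenerateReportToFile($const.ReportHTML, $report) | Out-Null
    '{0,-40} backup id {1}' -f $gpo.DisplayName, $result.Result.ID
}
```

Schedule it under an account that has read access to every GPO; multiple runs accumulate in the same folder and each backup remains identifiable by name, timestamp and GPO GUID, as the Managing GPO Backups slide describes.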

Performance Considerations

Fewer GPOs per user/computer is better

Use WMI Filters sparingly

Avoid cross-domain GPO linking

Deployment

Stage policy deployments in a test environment, prior to production deployment

Staging domain is easy to build using GPMC!

Roll out major changes to Group Policy incrementally

Win2K domains & upgrades

In any Win2000 domain created prior to SP4:

ACLs on the Default Domain Policy and the default GPOs are slightly mismatched

GPMC will prompt you to clean up. Do this!

In this case, it sets the DACL protect bit on SYSVOL

In any Windows 2003 domain that was upgraded from Win2000:

Need to adjust permissions on all GPOs created prior to the upgrade, in order for cross-domain Group Policy Modeling to work

You will get the ACL-mismatch popup

Run the script “GrantPermissionOnAllGPOs.wsf” – see Help for details

Managing New Accounts

Difficult to apply Group Policy to newly created accounts

Default locations are not OUs:

CN=users

CN=computers

GPOs can only be linked to OUs, site, domains

In Windows 2003, these default locations can be redirected to OUs

Tools at %windir%\system32:

RedirUsr.exe

RedirComp.exe

Allows GP management of new accounts

See KB 324949

Troubleshooting

Your primary tools to troubleshoot Group Policy are all exposed in GPMC:

Event Log

Group Policy Modeling (RSoP Planning)

Group Policy Results (RSoP Logging)

Many Group Policy issues are due to improperly configured DNS

Group Policy client must be able to ping the DC

Read the Troubleshooting Group Policy white paper!

Best Practices

Use The GPMC!

#1 Recommendation?

Resources

GPMC Web site

www.microsoft.com/windowsserver2003/gpmc/

Link to download

GPMC White Paper

Migrating GPOs Technical article

Scripting resources

Thirty-two sample scripts included with the product

%programfiles%\gpmc\scripts

GPMC SDK

Installed to %programfiles%\gpmc\scripts\gpmc.chm

Also in Platform SDK

Group Policy Web sites

www.microsoft.com/grouppolicy

www.microsoft.com/technet/grouppolicy

Newsgroup

microsoft.public.windows.group_policy

The tools you need to put technology to work!

Suggested Reading And Resources

Title / Available

Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (0-7356-1577-2) / Today

Microsoft® Windows® Server 2003 Administrator's Companion (0-7356-1367-2) / Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.