Group Policy Sessions
- ADM 222: Using Group Policy to Configure Windows (yesterday)
- ADM 320: Managing Group Policy (now!)
- ADM 421: Scripting Group Policy (today, 6:15, Room 9)
Managing Group Policy: Existing Challenges
- Group Policy was too hard to manage in the past
  - Existing UI confusing and limited
  - Core capabilities were missing:
    - Reporting of GPO settings
    - Backup/restore of GPOs
    - Import/export of GPOs
  - Existing capabilities were not scriptable
- Understanding, assessing, and planning the impact of Group Policy was difficult
Solution: Group Policy Management Console (GPMC)
GPMC Overview
- What is the GPMC?
  - New admin tool for managing Group Policy
  - Set of scriptable interfaces for managing GP
  - MMC snap-in, built on these interfaces
  - Standalone web release, available now
- GPMC design goals
  - Unify management of Group Policy
  - Address key deployment issues
  - Provide better UI for visualization
  - Enable programmatic access to Group Policy
GPMC Feature Summary
- New UI for managing Group Policy
- Reporting
- Search
- Resultant Set of Policy (RSoP) integration
- Backup/restore
- Import/export, copy/paste
- Scripting of GPO operations (not settings)
GPMC System Requirements
- GPMC runs on:
  - Windows® Server 2003, or
  - Windows XP with SP1
  - .NET Framework
  - Post-SP1 QFE (included with GPMC), which updates GPEdit.dll
- GPMC can manage Windows 2000 domains; some capabilities are only available in Windows Server 2003 forests or domains:
  - WMI filters
  - Group Policy Modeling
  - Delegation of Group Policy Results
Scope And Inheritance
- GPO scope is managed by:
  - Linking GPOs to an Active Directory container
  - Adding security filters to a GPO
  - Adding WMI filters to a GPO
- Group Policy inheritance can be altered by:
  - Changing GPO link order
  - Blocking inheritance
  - GPO link enforcement
Delegation
- The following GP aspects can be delegated:
  - GPO creation rights in a domain
  - Permissions on an individual GPO
  - Policy-related permissions on a site/domain/OU:
    - Link GPOs
    - Perform Group Policy Modeling analyses
    - Read Group Policy Results data
  - WMI filter creation rights in a domain
  - Permissions on an individual WMI filter
- GPMC offers simplified security management for GP, reducing reliance on the ACL editor
Reporting
- Problem:
  - No read-only access to GPO settings
  - Difficult to identify the settings that are set in a GPO
  - Documentation of GPO settings and RSoP data
- Solution: GPMC provides HTML reports for:
  - GPO settings
  - RSoP data
Searching For GPOs
- Can search for GPOs based on:
  - Display name
  - Explicit permissions
  - Effective permissions
  - WMI filter
  - GUID
  - Policy extensions set in the GPOs
- Example: find all GPOs on which the “Policy Admins” group has effective edit rights and that have Folder Redirection policy set
Resultant Set Of Policy (RSoP)
- Shows conflict resolution of policy settings
- Example: both GPO A and GPO B apply to the same user
  - GPO A sets Wallpaper = Red Moon Desert
  - GPO B sets Wallpaper = Bliss
- RSoP data tells you:
  - Which setting ultimately “wins”
  - Which GPO set that winning setting
  - Precedence info (what were the losing GPOs)
- Allows you to more easily plan and troubleshoot Group Policy deployments
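The scope and inheritance rules from the earlier slide (link order, Block Inheritance, Enforce, security filtering) and the conflict resolution that RSoP reports can be seen together in a small simulation. The Python below is an added example, not GPMC code and not part of the original session; the GPO names, settings, container names and group names are constructed, and the precedence rules are modelled from the session's description of link order, blocked inheritance and enforced links rather than taken from any GPMC interface. It reproduces the GPO A / GPO B wallpaper example and also shows an enforced domain GPO winning over an OU GPO, a blocked parent GPO disappearing from the result, and a security-filtered GPO that only applies to members of one group.

```python
"""Simulates GPO scope, inheritance and RSoP-style conflict resolution.
Added example, not GPMC code; every name and value below is constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                  # policy setting name -> configured value
    # security filtering: groups that hold Apply Group Policy on this GPO
    security_filter: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    order: int                      # link order: 1 = highest precedence in the container
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:                    # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(path, principal_groups):
    """Return GPOs in the order they are applied; a later entry wins a conflict.
    `path` lists the containers from the site down to the object's own OU."""
    normal = []                     # non-enforced links, applied top-down
    enforced_by_container = []      # enforced links, one list per container
    for container in path:
        if container.block_inheritance:
            normal.clear()          # Block Inheritance drops non-enforced GPOs from above
        active = sorted((l for l in container.links if l.enabled),
                        key=lambda l: l.order, reverse=True)   # order 1 applied last
        enforced_here = []
        for link in active:
            if not (link.gpo.security_filter & principal_groups):
                continue            # the security filter excludes this principal
            (enforced_here if link.enforced else normal).append(link.gpo)
        enforced_by_container.append(enforced_here)
    # Enforced links beat everything beneath them, and an enforced link higher in the
    # tree beats an enforced link lower down, so apply them child-first, parent-last.
    enforced = [g for group in reversed(enforced_by_container) for g in group]
    return normal + enforced


def resolve(path, principal_groups):
    """RSoP-style result: per setting, the winning GPO and value plus the losing GPOs."""
    result = {}
    for gpo in application_order(path, principal_groups):
        for setting, value in gpo.settings.items():
            entry = result.setdefault(setting, {"winner": None, "value": None, "losers": []})
            if entry["winner"] is not None:
                entry["losers"].append(entry["winner"])
            entry["winner"], entry["value"] = gpo.name, value
    return result


# Constructed sample: a domain with an enforced lockdown GPO, and a Sales OU that
# blocks inheritance and links GPO B above GPO A (the session's wallpaper example).
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"Wallpaper": "Windows XP", "Screen saver timeout": 1800})
LOCKDOWN = GPO("Domain Lockdown", {"Screen saver timeout": 900})
GPO_A = GPO("GPO A", {"Wallpaper": "Red Moon Desert"})
GPO_B = GPO("GPO B", {"Wallpaper": "Bliss", "Screen saver timeout": 600})
MANAGERS_ONLY = GPO("Managers Only", {"Wallpaper": "Autumn"}, frozenset({"Sales Managers"}))

SITE = Container("Default-First-Site-Name")
DOMAIN = Container("corp.example", [Link(DEFAULT_DOMAIN, 1), Link(LOCKDOWN, 2, enforced=True)])
SALES_OU = Container("OU=Sales", [Link(GPO_B, 1), Link(GPO_A, 2), Link(MANAGERS_ONLY, 3)],
                     block_inheritance=True)
PATH = [SITE, DOMAIN, SALES_OU]
USER_GROUPS = frozenset({"Authenticated Users", "Domain Users"})

if __name__ == "__main__":
    for setting, entry in resolve(PATH, USER_GROUPS).items():
        print(f"{setting}: {entry['value']!r} from {entry['winner']} (losers: {entry['losers']})")
```

For the sample user the wallpaper comes from GPO B (link order 1 beats GPO A at order 2), the screen saver timeout comes from the enforced domain GPO even though the Sales OU blocks inheritance, the Default Domain Policy contributes nothing because the block removes it, and the "Managers Only" GPO is skipped by security filtering unless the user is in Sales Managers.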
RSoP In GPMC
- All RSoP capability is exposed in GPMC; GPMC is the recommended way to access RSoP
  - Original RSoP MMC snap-ins still available
  - GPMC adds HTML-based presentation of RSoP data
- RSoP is renamed in GPMC:
  - Group Policy Results = logging mode
  - Group Policy Modeling = planning mode
Group Policy Results
- Previously known as Resultant Set of Policy – logging mode
- Represents what actually was applied on a target machine
- Queries the target machine to get the data
- Supported by clients running Windows XP and later
- Note: to effectively delegate, you need the Windows Server 2003 AD schema
Group Policy Modeling
- Previously known as Resultant Set of Policy – planning mode
- A simulation of what might be applied
- “What if” scenarios based on hypothetical changes to:
  - User or computer location (site, domain, OU)
  - Security group membership
- Simulation is performed on a DC that must be running Windows Server 2003
- Can be used to simulate policy for Win2K clients
GPO Backup
- A GPO backup transfers to the file system:
  - Policy settings in the GPO
  - ACLs on the GPO
  - Link to the WMI filter (but not the filter itself)
  - Report of the settings in the GPO
- Backup is the same as Export
- Requires read access to the GPO
GPO Restore
- Restores all attributes of the GPO:
  - Policy settings in the GPO
  - Uses the same GPO GUID
  - ACLs on the GPO
  - Link to the WMI filter (but not the filter itself)
- GPO must be in the same domain; use import or copy to transfer settings across domains
- Does not modify/restore links to the GPO; links are an attribute of the OU/site/domain
- Required permissions:
  - Existing GPO: edit/delete/modify security
  - Deleted GPO: GPO creation rights
Managing GPO Backups
- Multiple backups can be stored in the same file system location:
  - Multiple GPOs
  - Multiple versions of the same GPO
- Each backed-up GPO can be identified by name, description, domain, timestamp, and GPO GUID
- Can be viewed and managed using GPMC
GPO Import And Copy Overview
- Enables “templatization” of managed configuration
- Transfers policy settings; does not modify links to the GPO
- Can be used in the same domain, cross-domain, or cross-forest; cross-domain/forest use is enabled via migration tables
- Key differences between import and copy:
  - Copy requires simultaneous access to source and destination domains (e.g., trust); import does not require simultaneous access
  - Source/destination behavior: import goes from the file system to an existing GPO; copy goes from a live GPO to a new GPO
GPO Import Details
- Import source: any backed-up GPO in the file system
- Import destination: an existing GPO in Active Directory
- Erases existing settings in the GPO
- Import operation does not modify these items on the existing GPO:
  - GUID
  - ACLs
  - Links on OUs/domains/sites to this GPO
  - Link to WMI filter
- Permissions: requires edit rights on the existing GPO
GPO Copy Details
- Copy source: a live GPO in Active Directory
- Copy destination: creates a new GPO (new GUID)
- Two choices for handling the ACL on the GPO:
  - Use the default ACL on the GPO
  - Preserve the existing ACL from the source GPO
- WMI filter handling:
  - Link is preserved in same-domain copy operations
  - Link is dropped in cross-domain copy operations
- Permissions:
  - Requires GPO creation rights in the target domain
  - Requires read access to the source GPO
Cross Domain/Forest Migration Overview
- Key challenge: some GPO settings are domain/forest specific
  - References to users, groups and computers
  - References to UNC paths
- Solution: a migration table, which maps a reference in the source GPO to a new reference in the destination GPO
- Migration tables are created using the Migration Table Editor
Cross Domain/Forest Migration Details
- Users, groups, and computers referenced in GPOs
  - References possible in these settings: folder redirection, GP-based software deployment, security settings (user rights, restricted groups, system services, file system, registry)
  - Issues:
    - Domain local groups are not valid in other domains, even if there is trust
    - Users and groups are not usable cross-forest if there is no trust
    - Even if there is trust, you may want to use different groups in the target domain, especially for production-to-production scenarios
- UNC paths referenced in GPOs
  - References possible in these settings: software distribution points, folder redirection shares, and pointers to externally stored scripts
  - Issue: users in the destination domain may not have access to the source path
Scenario: Test to production migration (diagram)
- Test forest: domains A, B, C. Production forest: domains D, E, F
- GPO X (test forest), user rights reference: B\PilotUsersGroup, B\AdminGroup, A\PilotUserRemoteGroup, C\SpecialGroup
- Copy of GPO X (production forest), user rights reference: E\RedmondUsers, E\AdminGroup, D\RemoteUsersGroup, F\VerySpecialGroup

Scenario: Production to production migration (diagram)
- Single production forest: domains A, B, C
- GPO X, user rights reference: B\JapanUsers, B\STD, A\GPAdmins
- Copy of GPO X, user rights reference: C\EuropeUsers, C\STD, A\GPAdmins
Migration Tables
- What is a migration table? An XML file created by the admin using the Migration Table Editor (MTE)
  - Maps security principals and UNC paths to new values
  - Used during import and copy operations
- Choices for using migration tables with import and copy:
  - No migration table: copy as is
  - Use migration table
  - Use migration table exclusively
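The three choices above, and the cross-domain reference problem of the preceding slides, can be shown end to end with a small migration-table round trip. The Python below is an added example, not GPMC or Migration Table Editor code and not part of the original session: it builds a migration table in XML, reads it back, and applies it to the domain-specific references of a GPO in each of the three modes. The group names come from the session's test-to-production diagram; the UNC paths, the domain local group, the user account, the element names (Mapping, Type, Source, Destination, DestinationNone), the Type values and the namespace are the author's assumptions about the .migtable layout and are not guaranteed to match what the Migration Table Editor writes.

```python
"""Builds, parses and applies a GPO migration table in the three GPMC modes.
Added example, not GPMC code; XML layout and all names are assumptions/constructed."""
import xml.etree.ElementTree as ET

# Assumed namespace of the .migtable format
NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"


def build_migration_table(mappings):
    """mappings: iterable of (type, source, destination).
    destination None means the reference is dropped in the destination GPO."""
    root = ET.Element("MigrationTable", xmlns=NS)
    for kind, source, destination in mappings:
        m = ET.SubElement(root, "Mapping")
        ET.SubElement(m, "Type").text = kind
        ET.SubElement(m, "Source").text = source
        if destination is None:
            ET.SubElement(m, "DestinationNone")
        else:
            ET.SubElement(m, "Destination").text = destination
    return ET.tostring(root, encoding="unicode")


def load_migration_table(xml_text):
    """Parse a migration table into {(type, source): destination-or-None}."""
    root = ET.fromstring(xml_text)
    table = {}
    for m in root.findall(f"{{{NS}}}Mapping"):
        kind = m.findtext(f"{{{NS}}}Type")
        source = m.findtext(f"{{{NS}}}Source")
        if m.find(f"{{{NS}}}DestinationNone") is not None:
            table[(kind, source)] = None
        else:
            table[(kind, source)] = m.findtext(f"{{{NS}}}Destination")
    return table


def migrate_references(references, table, mode):
    """Apply a migration table to the (type, value) references found in a source GPO.
    mode "none":      copy as is (no migration table)
    mode "table":     mapped references are translated, unmapped ones copied unchanged
    mode "exclusive": like "table", but any unmapped reference aborts the operation"""
    migrated = []
    for kind, value in references:
        if mode == "none":
            migrated.append((kind, value))
            continue
        key = (kind, value)
        if key in table:
            if table[key] is not None:          # DestinationNone removes the reference
                migrated.append((kind, table[key]))
        elif mode == "exclusive":
            raise ValueError(f"no mapping for {kind} {value!r}; exclusive migration aborted")
        else:
            migrated.append((kind, value))
    return migrated


# Constructed table for the test-to-production scenario (group names from the diagram)
MAPPINGS = [
    ("GlobalGroup", r"B\PilotUsersGroup", r"E\RedmondUsers"),
    ("GlobalGroup", r"B\AdminGroup", r"E\AdminGroup"),
    ("GlobalGroup", r"A\PilotUserRemoteGroup", r"D\RemoteUsersGroup"),
    ("GlobalGroup", r"C\SpecialGroup", r"F\VerySpecialGroup"),
    ("LocalGroup", r"B\TestOnlyLocal", None),            # domain local: invalid elsewhere, drop it
    ("UNCPath", r"\\testsrv\scripts", r"\\prodsrv\scripts"),
]

# Constructed references as they might appear in a backup of GPO X
GPO_X_REFERENCES = [
    ("GlobalGroup", r"B\PilotUsersGroup"),
    ("GlobalGroup", r"B\AdminGroup"),
    ("LocalGroup", r"B\TestOnlyLocal"),
    ("UNCPath", r"\\testsrv\scripts"),
    ("User", r"B\pilotuser01"),                          # deliberately not in the table
]

if __name__ == "__main__":
    table = load_migration_table(build_migration_table(MAPPINGS))
    for mode in ("none", "table", "exclusive"):
        try:
            print(mode, migrate_references(GPO_X_REFERENCES, table, mode))
        except ValueError as err:
            print(mode, "failed:", err)
```

Running it shows why "use migration table exclusively" is the safe choice for a production import: the unmapped test user account is silently carried over in "table" mode, but aborts the whole operation in "exclusive" mode, so nothing from the test forest leaks into the production GPO unnoticed.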
Scripting
- All operations in this tool are scriptable
  - Scriptability is achieved via COM objects
  - The GPMC UI uses the same interfaces
  - Caveat: cannot script settings within a GPO
- GPMC includes 32 sample scripts
- For more details on scripting, see:
  - GPMC SDK (link at end of presentation)
  - “Scripting Group Policy Operations” (ADM421)
GPMC Availability
- Web download, available now
- Requires one licensed copy of Windows Server 2003 in your org
- www.microsoft.com/windowsserver2003/gpmc
General Guidelines
- Limit who can create and modify GPOs
- Fewer GPOs per user/computer are better
- Avoid using Deny for GPO security
- Consider using loopback for lab, server and shared machines
- Use Block Inheritance and Enforce sparingly
DC Issues
- Avoid modifying the default GPOs (Default Domain Policy, Default Domain Controllers Policy). Exceptions:
  - Account Policy should be set only in the Default Domain Policy, not in any other GPO at the domain level
  - User rights for DCs should only be contained in the Default Domain Controllers Policy
  - As required for app compat if you install apps on DCs (avoid this)
- Avoid installing apps on DCs that modify security policy automatically
- Ensure all DCs receive consistent policy settings:
  - Do not filter policy settings on individual DCs
  - All DCs should remain in the Domain Controllers OU
OU Design Considerations
- Don’t plan your OU design without considering Group Policy issues
- User and computer objects:
  - Don’t mix users and computers in the same OU
  - Define roles for users and computers and create OUs corresponding to those roles
- A user account must have read access up the OU tree to get Group Policy
Operations
- SYSVOL
  - Don’t mess with the Policies directory in the SYSVOL!
  - Don’t adjust ACLs on the SYSVOL
  - Only manage the SYSVOL and AD via Group Policy tools (GPEdit, GPMC, AD Users and Computers)
  - GPMC checks ACL consistency of a GPO between AD and SYSVOL
- Backup
  - Back up your GPOs on a regular basis (GPMC includes a sample script for this)
  - Ensure that the GPO backup directory is secured
Performance Considerations
- Fewer GPOs per user/computer is better
- Use WMI filters sparingly
- Avoid cross-domain GPO linking
Deployment
- Stage policy deployments in a test environment prior to production deployment
- A staging domain is easy to build using GPMC!
- Roll out major changes to Group Policy incrementally
Win2K Domains And Upgrades
- In any Windows 2000 domain created prior to SP4:
  - ACLs on the Default Domain Policy and default GPOs are slightly mismatched
  - GPMC will prompt you to clean up. Do this! In this case, it sets the DACL protect bit on SYSVOL
- In any Windows Server 2003 domain that was upgraded from Windows 2000:
  - Need to adjust permissions on all GPOs created prior to the upgrade in order for cross-domain Group Policy Modeling to work
  - You will get the ACL-mismatch popup
  - Run the script “GrantPermissionOnAllGPOs.wsf”; see Help for details
Managing New Accounts
- Difficult to apply Group Policy to newly created accounts
  - Default locations are not OUs: CN=Users, CN=Computers
  - GPOs can only be linked to OUs, sites, and domains
- In Windows Server 2003, these default locations can be redirected to OUs
  - Tools at %windir%\system32: RedirUsr.exe, RedirComp.exe
  - Allows GP management of new accounts
  - See KB 324949
Troubleshooting
- Your primary tools to troubleshoot Group Policy are all exposed in GPMC:
  - Event Log
  - Group Policy Modeling (RSoP planning)
  - Group Policy Results (RSoP logging)
- Many Group Policy issues are due to improperly configured DNS
- The Group Policy client must be able to ping the DC
- Read the Troubleshooting Group Policy white paper!
Resources
- GPMC Web site: www.microsoft.com/windowsserver2003/gpmc/
  - Link to download
  - GPMC white paper
  - Migrating GPOs technical article
- Scripting resources
  - Thirty-two sample scripts included with the product: %programfiles%\gpmc\scripts
  - GPMC SDK: installed to %programfiles%\gpmc\scripts\gpmc.chm; also in the Platform SDK
- Group Policy Web sites
  - www.microsoft.com/grouppolicy
  - www.microsoft.com/technet/grouppolicy
- Newsgroup: microsoft.public.windows.group_policy
The tools you need to put technology to work!
Suggested Reading And Resources
- Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (ISBN 0-7356-1577-2): available today
- Microsoft® Windows® Server 2003 Administrator's Companion (ISBN 0-7356-1367-2): available today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.