Upload
griselda-brown
View
257
Download
0
Tags:
Embed Size (px)
Citation preview
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
Chapter 8Configuring Group Policies
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
2© Cengage Learning 2015
Objectives
• Describe the architecture and processing of group policies
• Configure group policy settings, and manage and monitor group policies
• Work with security templates• Configure Windows Firewall with Group Policy
3© Cengage Learning 2015
Introducing Group Policies
• A Group Policy Object (GPO) is a list of settings that administrators use to configure user and computer operating environments remotely
• The GPO scope defines which objects a GPO affects
• Installing Active Directory creates two GPO’s by default:– Default Domain Policy– Default Domain Controllers Policy
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
4© Cengage Learning 2015
Introducing Group Policies
• You can view, create, and manage GPO’s by using the Group Policy Management console (GPMC)
• Each GPO has two main nodes in GPMC:– Computer Configuration - Used to set policies that
apply to computers within the GPO’s scope– User Configuration - Used to set policies that apply
to all users within the GPO’s scope• Each node contains a Policies folder and
Preferences folder
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
5© Cengage Learning 2015
Figure 6-31 The Group Policy Management console
6© Cengage Learning 2015
The Computer Configuration Node
• Three folders under the Policies folder contain the following information:– Software Settings - enables Administrators to install
and manage applications remotely– Windows Settings - contains Name Resolution Policy
node, Scripts extension, Security Settings node, and the Policy-based QoS node
– Administrative Templates - contains the Control Panel, Network, Printers, System, and Windows Components folders.
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
7© Cengage Learning 2015
The User Configuration Node
• Policies folder contains the same three folders as in the Computer Configuration node, but policies defined here affect domain users within the GPO’s scope:– Software Settings - can assign or publish application
packages– Windows Settings – Contains four items:
• Scripts extension• Security Settings node• Folder Redirection node• Policy based QoS node
– Administrative templates - contains settings that enable administrators to control users’ computer and network environments
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
8© Cengage Learning 2015
How Group Policies Are Applied
• GPO’s can be applied in four places:– Local Computer– Site– Domain– Organizational Unit
• Policies are applied in the above order– Policies that are not defined or configured are not
applied at all– Last policy to be defined takes precedence
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
9© Cengage Learning 2015
Group Policy Architecture
• Group policy architecture and function involve the following components:– GPOs - an object containing policy settings that
affect user and computer operating environments and security. Can be local or AD objects
– Replication - ensures that all domain controllers have a current copy of each GPO
– Scope and inheritance - the scope of a group policy defines which users and computers are affected by its settings
– Creating and linking - GPOs are created in the Group Policy management console and can be linked to one or more AD containers
10© Cengage Learning 2015
Group Policy Objects
• A GPO contains policy settings for managing many aspects of domain controllers, member servers, member computers, and users
• Two main types of GPOs:– Local GPOs– Domain GPOs
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
11© Cengage Learning 2015
Local GPOs
• Local GPOs are stored on local computers, and are edited via the Group Policy Object Editor snap-in
• Settings in local GPOs that are inherited from domain GPOs can’t be changed on the local computer.
• Only settings that are undefined or not configured by domain GPOs can be edited locally
• When you run gpedit.msc, you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
12© Cengage Learning 2015
Local GPOs
• Local GPOs that allow different policy settings depending on who logs on to the computer:– Local Administrators GPO– Local Non-Administrators GPO– User-specific GPO
• To access these GPOs, add the Group Policy Object Editor snap-in to an MMC– Browse to open the dialog box, click the Users tab,
and select one of the GPOs
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
13© Cengage Learning 2015
Figure 8-2 Viewing local GPOs
14© Cengage Learning 2015
Domain GPOs
• Domain GPOs are stored in Active Directory on domain controllers
• Consists of two separate parts: a Group Policy Template (GPT) and a Group Policy Container (GPC)
• GPT and GPC have the following common traits:– Naming structure– Folder structure
• Knowing GPO structure is important for resolving issues
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
15© Cengage Learning 2015
Group Policy Templates
• A Group Policy Template (GPT) contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller
• Upon creation of a GPO, several files and subfolders are created (exact number may vary) but each GPT folder will contain at least three items:– GPT.ini– Machine– User
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
16© Cengage Learning 2015
Group Policy Containers• A Group Policy Container (GPC) is stored in the
System\Policies folder• Contains GPO properties and status information
but no policy settings• Similar to GPT in that it uses a GPO’s GUID for a
folder name• Information contained in a GPC:
– Name of the GPO– File path to GPT– Version– Status
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
17© Cengage Learning 2015
Figure 8-4 Viewing GPC attributes
18© Cengage Learning 2015
Group Policy Replication
• GPCs are replicated with Active Directory• GPTs are replicated by one of the following
methods:– File Replication Service (FRS) - used when running
in a mixed environment of differing Windows Server operating systems
– Distributed File System Replication (DFSR) - used when all DCs are running Windows Server 2008
• DFSR is more efficient and reliable• GPC and GPT can become out of sync• Replication problems can be diagnosed with gpotool.exe
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
19© Cengage Learning 2015
Creating and Linking GPOs
• Primary tools for managing, creating, and editing GPOs are Group Policy Management Console (GPMC) and Group Policy Management Editor (GPME)
• If editing a GPO that is already linked to a container, changes in policy settings take effect as soon as clients download them– There’s no Save option in the GPME; changes are
saved immediately• Before introducing multiple policy changes at once,
test them individuallyMCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
20© Cengage Learning 2015
Editing an Existing GPO
• To edit, right click the GPO in GPMC and click Edit, which will open the GPO in GPME
• It is possible to make changes to the default Domain Policy, but not advisable
• Recommended method for making changes to domain policies is creating a new GPO and linking it to the domain
• GPOs are applied to objects in reverse of the specified link order
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
21© Cengage Learning 2015
Figure 8-8 Multiple GPOs linked to a container
22© Cengage Learning 2015
Creating a New GPO
• Two ways to create a new GPO with the GPMC:– Right click the container you’re linking the GPO to
and select “Create a GPO in this domain, and Link it here”
– Right click the Group Policy Objects folder and click New
• Best practice is to create GPOs that focus on a category of settings, then name the GPO accordingly
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
23© Cengage Learning 2015
Using Starter GPOs
• A Starter GPO is a template for creating GPO’s (not a GPT)
• New GPO wizard includes an option to use a Starter GPO
• Stored in the Starter GPOs folder in GPMC• To use a Starter GPO, select one in the Source
Starter GPO list box in the New GPO Wizard, or right click a starter GPO in the starter GPOs folder and click New GPO from Starter GPO
• To create a Starter GPO, right click the Starter GPOs folder and click New
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
24© Cengage Learning 2015
Group Policy Scope• The scope of a group policy defines which objects in
AD are affected by settings in the policy• If two GPOs are applied to an object, and a setting is
configured on one GPO but not the other, the configured setting is applied
• Policies are applied in this order:– 1. Local policies– 2. Site-linked GPOs– 3. Domain-linked GPOs– 4. OU-linked GPOs
• The last policy applied takes precedence over policies applied earlier
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
25© Cengage Learning 2015
Understanding Site-Linked GPOs
• GPOs linked to a site object affect all users and computers physically located at the site
• Can be used to set up different policies for mobile users
• In a singular site and domain environment, it is better to use domain GPOs
• Site GPOs can be confusing for users if policy changes are drastic enough between sites
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
26© Cengage Learning 2015
Understanding Domain-Linked GPO
• GPOs at the domain level should contain settings that apply to all objects in the domain
• Account policies can be defined only at the domain level
• Active Directory folders, such as Computers and Users, are not OUs and can’t have a GPO linked to them
• Best practices suggest setting account policies and a few critical security policies at the domain level
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
27© Cengage Learning 2015
Understanding OU-Linked GPOs
• Fine-tuning of group policies should be done at the OU level
• OU-linked policies are applied last– They take precedence over site and domain policies
• Users and computers with similar policy requirements should be located in the same OU
• Since OUs can be nested, so can GPOs• GPOs applied to nested OUs should be used for
exceptions to policies set at a higher level
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
28© Cengage Learning 2015
Changing Default GPO Inheritance Behavior
• GPO inheritance is enabled by default• To see where policies are inherited from, select a
container in the left pane of GPMC and click the group policy inheritance tab in the right pane
• There are several ways to affect GPO inheritance:– Blocking inheritance– Enforcing inheritance– GPO filtering
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
29© Cengage Learning 2015
Blocking GPO Inheritance
• Prevents GPOs linked to parent containers from affecting child containers
• To block GPO inheritance, in GPMC, right click the child domain or OU and click Block Inheritance
• If blocking is enabled, the OU or domain object is displayed with a blue exclamation point
• Inheritance blocking should be used sparingly– Frequent blocking implies a possible flawed OU
design
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
30© Cengage Learning 2015
Enforcing GPO Inheritance
• Forcing GPO Inheritance overrides any conflicting configurations at a deeper level– A GPO that’s enforced has the strongest
precedence of all GPOs in its scope• If multiple GPOs are enforced, the GPO at the
highest level is enforced in a conflict• Example: If a GPO linked to an OU and a GPO
linked to a domain are both set to be enforced, the GPO linked to the domain has stronger precedence
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
31© Cengage Learning 2015
Figure 8-11 The Active Directory Structure for GPO inheritance examples
32© Cengage Learning 2015
GPO Filtering• GPO filtering - a method to alter the normal scope
of a GPO and exclude certain objects from being affected by its settings
• Two types of GPO filtering:– Security filtering– Windows Management Instrumentation (WMI)
filtering• Security filtering uses permissions to restrict
objects from accessing a GPO• Use the Security Filtering dialog box in the GPMC
to add or remove security principals from the GPO access list
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
33© Cengage Learning 2015
Figure 8-12 Viewing security filtering settings
34© Cengage Learning 2015
GPO Filtering
• Another way to use security filtering is to edit the GPO’s DACL directly– In the GPMC, click the GPO in the Group Policy
Objects folder, and click the Delegation tab in the right pane to see a complete list of ACEs for the GPO
• WMI filtering uses queries to select a group of computers based on certain attributes, and then applies or doesn’t apply policies based on the query’s results
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
35© Cengage Learning 2015
Group Policy Settings• Settings in Computer Configuration take
precedence over settings in User Configuration, should there be a conflict
• Three folders under the Policies folder:– Software Settings– Windows Settings– Administrative Templates
• Policy settings can be managed or unmanaged– Managed policies reset to ‘Not configured’ when
the object falls outside of the policy’s scope– Unmanaged policies are persistent
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
36© Cengage Learning 2015
Policies in the Computer Configuration Node
• The Computer Configuration node applies policies to computers regardless of who logs on to the computer
• Contains most of the security related settings in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes
• Computer configuration policies are uploaded to a computer when the OS starts and are updated every 90 minutes thereafter
• Some policy changes may require a restart
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
37© Cengage Learning 2015
Computer Configuration: Software Settings
• Contains the Software Installation extension, which can be configured to install software packages remotely
• Applications are deployed with the Windows Installer service, which uses MSI files– An MSI file is a collection of files packaged into a
single file with an .msi extension– Contains the instructions Windows Installer needs to
install the application correctly
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
38© Cengage Learning 2015
Computer Configuration: Windows Settings
• The Windows Settings folder contains four subnodes:– Name Resolution Policy - used to deploy DNS
security (DNSSEC) policies to clients– Scripts (Startup/Shutdown) - allows the creation of
scripts to be run during startup or shutdown– Security Settings - contains subnodes for setting
security policies– Policy-based QoS - enables administrators to
manage the use of network bandwidth and prioritize network packets based on type of data in the packet
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
39© Cengage Learning 2015
Security Settings
• There are over 100 policies under Security Settings– Some of the most important are under Account
Policies and Local Policies• Many of the important policies are covered in the
following sections
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
40© Cengage Learning 2015
Local Policies: Audit Policy
• Applies to what users can and can’t do on the local computer to which they log on
• Administrators can audit events such as logon and logoff, file and folder access, Active Directory access, and system and process events– Can be enabled for successful events, failed events,
or both• Creates a lot of system overhead so it should be
used sparingly • Events created by auditing are listed in the Security
log
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
41© Cengage Learning 2015
Auditing Object Access
• There are two steps for auditing objects:– Enable the “Audit object access” policy for success,
failure, or both– Enable auditing on target objects for success, failure,
or both• After object access is enabled in Group Policy, you
need to enable auditing on the target object– Do this by changing the system access control list
(SACL) for the object in the Auditing tab of the Advanced Security Settings dialog box for the object
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
42© Cengage Learning 2015
Figure 8-15 The Auditing tab for a folder
43© Cengage Learning 2015
Changing Default Auditing
• Windows Server 2012/R2 logs successful logon events and certain other events by default
• You must use the auditpol.exe command-line tool to have more control over the types of events that are audited
• To clear all audit policy subcategories so that auditing is controlled only by Group Policy, type:– auditpol /clear
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
44© Cengage Learning 2015
Local Policies: User Rights Assignment
• User rights define the actions users can take on a computer
• More than 40 user rights polices can be assigned• The Default Domain Controllers Policy specifies
User Rights Assignment policies that define actions users can take on domain controllers
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
45© Cengage Learning 2015
Local Policies: Security Options
• This subnode includes almost 100 settings• One category of security policies to configure right
away is User Account Control– Determine what happens on a computer when a
user attempts to perform an action that requires elevation
– Elevation - a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
46© Cengage Learning 2015
Local Policies: Security Options• Additional settings that are commonly configured:
– Accounts: Administrator account status– Accounts: Guest account status– Accounts: Limit local account use of blank
passwords to console logon only– Accounts: Rename administrator account– Accounts: Rename guest account– Interactive logon: Do not display last user name– Interactive logon: Do not require CTRL+ALT+DEL– Microsoft network server: Disconnect clients when
logon hours expire
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
47© Cengage Learning 2015
Computer Configuration: Administrative Templates
• Administrative Templates folder has the following subnodes:– Control Panel– Network– Printers– Server– Start Menu and Taskbar– System– Windows Components
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
48© Cengage Learning 2015
Policies in the User Configuration Node
• Policies set under the User Configuration node follow a user wherever he or she logs on
• User Configuration node lacks most of the security settings and account policies than Computer Configuration node
• Policies under User Configuration node are more focused on the user’s environment, such as Windows features that can and can’t be accessed
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
49© Cengage Learning 2015
User Configuration: Software Settings
• Performs the same function as in Computer Configuration
• Because it’s defined in the User Configuration node of a GPO, it affects users in the scope of the GPO no matter where they log on
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
50© Cengage Learning 2015
User Configuration: Windows Settings
• Windows Settings contains four subnodes:– Scripts (Logon/Logoff) - identical to Scripts policy,
except scripts specified here are run only by users in the GPO’s scope
– Security Settings - contains two folders: Public Key Policies and Software Restriction Policies
– Folder Redirection - controls which folders in a user’s profile are redirected to a location outside the user’s profile folder
– Policy-based QoS - the same function as in the Computer Configuration node but applied to users
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
51© Cengage Learning 2015
User Configuration: Administrative Templates
• Affects the HKEY_CURRENT_USER section of the computer’s Registry
• Very similar to the Administrative Templates in the Computer Configuration node
• Contain the Control Panel, Network, Start Menu and Taskbar, System, and Windows Components subnodes as well as the following subnodes:– Desktop– Shared Folders
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
52© Cengage Learning 2015
Managing GPO Status and Link Status
• After a GPO is created, it can be in one of the following states:– Link status: unlinked– Link status: enabled– Link status: disabled– GPO status: Enabled– GPO status: User Configuration Settings Disabled– GPO status: Computer Configuration Settings
Disabled– GPO status: All Settings Disabled
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
53© Cengage Learning 2015
Summary• Group policy architecture and function involves three
components: GPOs, replication, scope and inheritance, and creating and linking GPOs
• GPO replication is handled by Active Directory replication for GPCs and by FRS or DFSR for GPTs
• You use the Group Policy Management console to create, link, and manage GPOs and the Group Policy Management Editor to edit GPOs
• Starter GPOs are like template files for GPOs• GPOs can be linked to sites, domains, and OUs• Default GPO inheritance can be changed by using
inheritance blocking, enforcement, and GPO filtering
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
54© Cengage Learning 2015
Summary• The Computer Configuration and User Configuration
nodes contain three subnodes: Software Settings, Windows Settings, and Administrative Templates
• The Security Settings node in Computer Configuration contains the Account Policies subnode with settings that affect all domain users
• The Local Policies subnode in the Security Settings node contains Audit Policy, User Rights Assignment, and Security Options
• Administrative Templates can control hundreds of settings on computers and for users
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
55© Cengage Learning 2015
Summary• Security templates are used to transfer security settings
easily from one GPO or computer to another and can be used to analyze a computer’s current settings against a security database created from one or more security templates
• The ADMX central store can be created to ensure that ADMX files are synchronized among all computers where group policies are managed