Module 4: Administration in Active Directory

Overview
- Designing Active Directory to Delegate Administrative Authority
  - Identifying Business Needs
  - Characterizing the IT Organization
  - Developing a Strategy for Administrative Design
  - Developing a Strategy for Delegation
- Implementing Group Policy
  - Group Policy Structure
  - Working with Group Policy Objects
  - How Group Policy Settings Are Applied in Active Directory
  - Modifying Group Policy Inheritance
- Designing Active Directory to Support Group Policy
- Designing a Schema Policy
Identifying Business Needs
- Documenting the Administrative Process:
  - Level of Administration
  - Who Administers What
  - Build Flexibility Into the Plan
[Figure: organizational chart. CEO; Information Technology (IT Infrastructure; Infrastructure regions Northwest, Northeast, Southeast with offices in Atlanta, Seattle, Charlotte, Portland); Accounting (Accounts Payable, Accounts Receivable); Logistics/Purchasing; Human Resources; Production]
Characterizing the IT Organization
- Centralized IT
- Centralized IT with Decentralized Management
- Decentralized IT
- Outsourced IT
Developing a Strategy for Administrative Design
- Designing a Hierarchy Based on Location
- Designing a Hierarchy Based on Organization
- Designing a Hierarchy Based on Function
- Designing a Hybrid Hierarchy by Location then Organization
- Designing a Hybrid Hierarchy by Organization then Location
- Design Guidelines
Designing a Hierarchy Based on Location
- Is Resistant to Change
- Accommodates Mergers and Expansions
- May Compromise Security
- Takes Advantage of Network Strengths
[Figure: domain nwtraders.msft with child domains na.nwtraders.msft and asia.nwtraders.msft; OU New England containing the OUs Boston and Hartford]
Designing a Hierarchy Based on Organization
- Reflects Business Model
- Is Vulnerable to Reorganizations
- Maintains Departmental Autonomy
- Accommodates Mergers and Expansions
- May Affect Replication
[Figure: domain nwtraders.msft with child domains mfg.nwtraders.msft and distrib.nwtraders.msft; OU manufacturing containing the OUs engineering, purchasing, and research]
Designing a Hierarchy Based on Function
- Is Immune to Reorganizations
- May Require Additional Layers
- May Affect Replication
[Figure: OU sales containing the OUs consultants and marketing; OU hardware containing the OUs project1 and project2]
Designing a Hybrid Hierarchy by Location then Organization
- Allows for Growth
- Allows for Security Boundaries
- Leverages Strength of Physical Network
- May Require Lower Level Changes After a Reorganization
[Figure: domain asia.nwtraders.msft with OU Mfg (containing research) and OU HR (containing recruiting and training)]
Designing a Hybrid Hierarchy by Organization then Location
- Allows for Security Boundaries
- Allows Administration by Location
- Vulnerable to Reorganizations
[Figure: domain sales.nwtraders.msft with OU New England containing the OUs Boston and Hartford]
Design Guidelines
- Hierarchy: Location, Organization, Function
- Hybrid Hierarchy: By Location then Organization, By Organization then Location
Developing a Strategy for Delegation
- Determining Delegation Methods
- Determining Object Ownership
- Creating a Strategy for Object-Based and Task-Based Delegation
- Creating a Strategy for Delegating Authority
- Creating Strategies for Inheritance of Permissions
- Design Choice Guidelines
Determining Delegation Methods
- Delegating Authority Includes:
  - Changing Container Properties
  - Creating, Changing, and Deleting Child Objects
  - Updating Object Attributes
  - Creating New Users or Groups
  - Managing Small Groups of Users or Groups
Creating a Strategy for Delegating Authority
Domain-Level Delegation Affects All Objects in the Domain
OU-Level Delegation Can Affect Parent OU Only, or Parent and All Child OUs
Site-Level Delegation May Affect Multiple Domains
Creating Strategies for Inheritance of Permissions
[Figure: Full Control assigned on a parent OU is inherited by its child OUs]
- Objects Inherit Existing Permissions
- Inheritance Can Be Blocked
Design Guidelines
- Assign Permissions at the OU Level When Possible
- Avoid Assigning Permissions at Property or Task Level
- Use a Small Number of Domain Administrators
- Assign Access Permissions to Groups
Implementing Group Policy
Introduction to Group Policy
- Group Policy Enables You to:
  - Set centralized and decentralized policies
  - Ensure users have their required environments
  - Lower total cost of ownership by controlling user and computer environments
  - Enforce corporate policies
[Figure: Group Policy linked at Site, Domain, and OU is applied to Users and Computers. The administrator sets Group Policy once; Windows 2000 applies it continually]
Group Policy Structure
- Types of Group Policy Settings
- Group Policy Objects
- Group Policy Settings for Computers and Users
- Group Policy Objects and Active Directory Containers
Types of Group Policy Settings
- Administrative Templates: Registry-based Group Policy settings
- Security: Settings for local, domain, and network security
- Software Installation: Settings for central management of software installation
- Scripts: Startup, shutdown, logon, and logoff scripts
- Remote Installation Services: Settings that control the options available to users when running the Client Installation wizard used by RIS
- Internet Explorer Maintenance: Settings to administer and customize Microsoft Internet Explorer on Windows 2000-based computers
- Folder Redirection: Settings for storing users' folders on a network server
Group Policy Objects
- A Group Policy Object contains Group Policy settings; its content is stored in two locations:
  - Group Policy Template (GPT): located in the domain controller's shared Sysvol folder; provides the Group Policy settings that computers running Windows 2000 obtain and apply
  - Group Policy Container (GPC): located in Active Directory; provides version information used by domain controllers
Group Policy Settings for Computers and Users
- Group Policy Settings for Computers:
  - Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings
  - Apply when the operating system initializes and during the periodic refresh cycle
- Group Policy Settings for Users:
  - Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts
  - Apply when users log on to the computer and during the periodic refresh cycle
Group Policy Objects and Active Directory Containers
- GPO Settings Affect User and Computer Objects Within Sites, Domains, and OUs to Which a GPO Is Linked
  - You can link one GPO to multiple sites, domains, or OUs
  - You can link multiple GPOs to one site, domain, or OU
- You Cannot Link GPOs to Default Active Directory Containers
[Figure: a Site GPO linked to the site, a Domain GPO linked to the domain, and OU GPOs linked to OUs and child OUs]
Working with Group Policy Objects
- Creating Linked Group Policy Objects
- Creating Unlinked Group Policy Objects
- Linking an Existing Group Policy Object
- Specifying a Domain Controller for Managing Group Policy Objects
Creating Linked Group Policy Objects
- To Apply Group Policy to a Container, Create a GPO Linked to the Container:
  - Create GPOs linked to domains and OUs by using Active Directory Users and Computers
  - Create GPOs linked to sites by using Active Directory Sites and Services
[Screenshot: contoso.msft Properties dialog, Group Policy tab. "Current Group Policy Object Links for contoso.msft" lists Default Domain Policy, Account Lockout Policy, and Passwords Policy with No Override and Disabled columns. Note: "Group Policy Objects higher in the list have the highest priority. This list obtained from: London.contoso.msft". Buttons: New, Add..., Edit, Options..., Delete..., Properties, Up, Down; check box "Block Policy inheritance"; Close, Cancel, Apply. Clicking New creates a GPO and adds the name of the linked GPO to the list]
Creating Unlinked Group Policy Objects
[Screenshot: Select Group Policy Object dialog, focused on Local Computer, with a Browse... button and the option "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line. This only applies if you save the console." The Browse for a Group Policy Object dialog has tabs Domains/OUs, Sites, Computers, All; "Look in: contoso.msft"; and the list "All Group Policy Objects stored in this domain" (Application Deployment, Default Domain Controllers Policy, Default Domain Policy, New Group Policy Object, Test). The right-click menu (View, Arrange Icons, Line up Icons, Refresh, New) is used to create an unlinked GPO]
How Group Policy Settings Are Applied in Active Directory
- Group Policy Inheritance
- How Group Policy Settings Are Processed
- Controlling the Processing of Group Policy
- Group Policy and Slow Network Connections (Links)
- Resolving Conflicts Between Group Policy Settings
- Class Discussion: How Group Policy Is Applied
Group Policy Inheritance
- Windows 2000 Applies GPO Settings in a Specific Order: Site, then Domain, then OU
- Child Containers Inherit GPO Settings from Parent Containers
[Figure: a Domain GPO linked to the domain; the Payroll OU and the Computers and Users within it inherit its settings]
How Group Policy Settings Are Processed
- Computer starts: computer settings applied, then startup scripts run
- User logs on: user settings applied, then logon scripts run
- The GetGPOList Function Executes on the Client Computer During:
  - Computer startup, to determine which GPOs contain computer configuration settings to be applied
  - User logon, to determine which GPOs contain user configuration settings to be applied
Controlling the Processing of Group Policy
- Synchronous and Asynchronous Processing
  - By default, the processing of Group Policy is synchronous
  - You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users
- Refreshing Group Policy at Established Intervals of:
  - 90 minutes for computers running Windows 2000 Professional and for member servers running Windows 2000 Server
  - 5 minutes for domain controllers
- Processing Unchanged Group Policy Settings
  - You can configure each client-side extension to process all applicable Group Policy settings
Resolving Conflicts Between Group Policy Settings
- All Group Policy Settings Apply Unless There Are Conflicts
- The Last Setting Processed Applies
  - When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
  - When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
- A Computer Setting Applies When It Conflicts with a User Setting
Modifying Group Policy Inheritance
- Enabling Block Inheritance
- Enabling No Override
- Filtering Group Policy Settings
- Class Discussion: Changing Group Policy Inheritance
Enabling Block Inheritance
- Block Inheritance:
  - Stops inheritance of all GPOs from all parent containers
  - Cannot selectively choose which GPOs are blocked
  - Cannot stop No Override
[Figure: GPOs linked at the Domain; the Sales and Production OUs block inheritance, so no GPO settings apply to them]
Enabling No Override
- No Override:
  - Overrides Block Inheritance and GPO conflicts
  - Should be set high in the Active Directory tree
  - Is applicable to links and not to GPOs
  - Enforces corporate-wide rules
[Figure: No Override GPO settings linked at the Domain; the Sales and Production OUs have conflicting GPO settings, but the Domain GPO settings apply]
Filtering Group Policy Settings
[Figure: Domain with a Sales OU containing the users Mengph and Kimyo. A group is explicitly denied Apply Group Policy; the users are allowed Read and Apply Group Policy]
- Filter Group Policy Settings by:
  - Explicitly denying the Apply Group Policy permission
  - Omitting an explicit Apply Group Policy permission
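The precedence rules on the preceding slides (site, domain, OU order; last setting processed wins; child container over parent; list position within one container; computer over user; Block Inheritance; No Override on the link; security filtering through Apply Group Policy) can be checked against concrete data with the following model. It is an added example, not part of the course material, and every GPO, container, and group name in it is constructed.

```python
# Added example: a small model of Windows 2000 Group Policy precedence.
# All GPO names, containers, settings and groups are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)      # Computer Configuration settings
    user: dict = field(default_factory=dict)          # User Configuration settings
    apply_allowed: set = field(default_factory=set)   # groups with Read + Apply Group Policy
    apply_denied: set = field(default_factory=set)    # groups explicitly denied Apply Group Policy

    def applies_to(self, groups):
        """Security filtering: an explicit Deny always wins; omitting Allow also filters out."""
        if groups & self.apply_denied:
            return False
        return bool(groups & self.apply_allowed)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False   # No Override is a property of the link, not of the GPO
    disabled: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # index 0 is highest in the list = highest priority
    block_inheritance: bool = False


def processing_order(path):
    """path: containers outermost first (site, domain, OU, child OU ...).
    Returns the links in the order they are processed; the last one processed wins."""
    # Block Policy Inheritance on a container drops every link from the containers
    # above it, except links marked No Override.
    blocked_at = max((i for i, c in enumerate(path) if c.block_inheritance), default=-1)
    normal, enforced = [], {i: [] for i in range(len(path))}
    for depth, container in enumerate(path):
        # Within one container the list is processed bottom-up, so the top entry applies last.
        for link in reversed(container.links):
            if link.disabled:
                continue
            if link.no_override:
                enforced[depth].append(link)
            elif depth >= blocked_at:
                normal.append(link)
    # No Override links are processed after everything else, deepest container first,
    # so a No Override link high in the tree (site, domain) has the final word.
    for depth in reversed(range(len(path))):
        normal.extend(enforced[depth])
    return normal


def effective_settings(path, groups, section):
    """Apply the links in order for one section ('computer' or 'user')."""
    result = {}
    for link in processing_order(path):
        if link.gpo.applies_to(groups):
            result.update(getattr(link.gpo, section))
    return result


def resolve(computer_path, computer_groups, user_path, user_groups):
    """Computer settings apply at startup, user settings at logon; where the same
    setting exists in both, the computer setting wins."""
    merged = effective_settings(user_path, user_groups, "user")
    merged.update(effective_settings(computer_path, computer_groups, "computer"))
    return merged


# Constructed sample: site -> domain -> Sales OU -> Roanoke OU
AU = {"Authenticated Users"}
default_domain = GPO("Default Domain Policy", computer={"MinPasswordLength": 8, "Screensaver": "15min"},
                     user={"Screensaver": "off"}, apply_allowed=AU)
corp_look = GPO("Corporate Look", user={"Wallpaper": "corp.bmp"}, apply_allowed=AU)
lockout = GPO("Account Lockout Policy", computer={"LockoutThreshold": 5}, apply_allowed=AU)
sales_base = GPO("Sales Baseline", user={"Wallpaper": "baseline.bmp"}, apply_allowed=AU)
sales_gpo = GPO("Sales Desktop", user={"Wallpaper": "sales.bmp"}, apply_allowed=AU,
                apply_denied={"Roanoke Admins"})          # filtered out for Roanoke Admins
roanoke_gpo = GPO("Roanoke Locked Down", user={"Wallpaper": "roanoke.bmp"}, apply_allowed=AU)

SITE = Container("Default-First-Site-Name")
DOMAIN = Container("nwtraders.msft", links=[Link(default_domain, no_override=True),
                                            Link(corp_look), Link(lockout)])
SALES = Container("Sales", links=[Link(sales_gpo), Link(sales_base)])   # Sales Desktop is highest
ROANOKE = Container("Roanoke", links=[Link(roanoke_gpo)], block_inheritance=True)


def settings_for(path, groups):
    """Effective settings for a user in `groups` logging on to a computer in the same container."""
    return resolve(path, AU, path, groups)


if __name__ == "__main__":
    print(settings_for([SITE, DOMAIN, SALES], AU))
    print(settings_for([SITE, DOMAIN, SALES, ROANOKE], AU))
```

For the Roanoke path the blocked domain lockout setting is absent, while the No Override Default Domain Policy still applies and the computer-side screensaver value wins over the user-side one.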
Delegating Administrative Control of Group Policy
- Enable a User to Manage Group Policy Links for a Site, Domain, or OU by:
  - Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
  - Using the Delegation of Control wizard
- Enable a User or Group to Create GPOs by:
  - Adding the user or group to the Group Policy Creator Owners group
- Enable a User to Edit GPOs by:
  - Assigning the user read and write permissions to the GPO
  - Making the user a member of either Domain Admins, Enterprise Admins, or GPO Creator Owners groups
  - Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box
Group Policy Troubleshooting Tools
- Windows 2000 Support Tools for Group Policy Troubleshooting: Netdiag.exe, Replmon.exe
- Windows 2000 Resource Kit Tools for Group Policy Troubleshooting: Gpotool.exe, Gpresult.exe
Best Practices
- Limit the Use of Blocking, No Override, and Filtering of GPOs
- Limit the Number of GPOs That Affect Any Computer or User
- Group Related Settings in a Single GPO
- Delegate Administrative Control of a GPO to One or Two Users
- Avoid Linking GPOs to a Site with Multiple Domains
- Plan and Test GPOs Before You Implement Them
Designing Active Directory to Support Group Policy
Identifying Business Needs
- Group Policy Is Applied:
  - Frequently in Highly Managed IT Networks
  - Infrequently in Minimally Managed IT Networks
- Group Policy Is Used to:
  - Enforce Security
  - Create Common Configurations
  - Simplify the Computer Build Process
  - Limit Distribution of Applications
Applying Group Policy in Active Directory
- Applying Group Policy at the Site Level
- Applying Group Policy at the Domain Level
- Applying Group Policy at the OU Level
- Design Guidelines
Applying Group Policy at the Site Level
- Single Site GPOs Affect All Domains Within the Site
- Site Level GPOs Can Cross Domain Boundaries
[Figure: one site spanning several domains]
Applying Group Policy at the Domain Level
- In a Single Domain, GPOs Affect the Entire Domain and Cannot Be Delegated
- In Multiple Domains, Domain Level GPOs Do Not Affect Other Domains Unless Linked
[Figure: a single domain beside a parent domain with a child domain]
Applying Group Policy at the OU Level
- At the OU Level, GPOs Are Inherited from Parent to Child OU
[Figure: a GPO linked to a parent OU; child OUs inherit the same Group Policy from the parent OU's GPO; one OU is specifically created for Group Policy]
Design Guidelines
- Create As Few GPOs As Possible
- Map Each GPO to a Single Site, Domain, or OU Container
- Avoid Linking GPOs Between Domains
- Minimize the Number of GPOs Applied to a User or Computer
Planning for Group Policy
- Designing Group Policy to Meet Administrative Needs
- Prioritizing Application of Group Policy Objects
- Filtering Group Policy Objects
- Group Policy Inheritance and Blocking
- Optimizing Group Policy Performance
- Testing and Documenting the Group Policy Plan
- Design Guidelines
Designing Group Policy to Meet Administrative Needs
- Strategy:
  - Delegate the Right to Create New GPOs Throughout Active Directory
  - Delegate the Right to Modify an Existing GPO
  - Delegate the Right to Link GPOs to a Site, Domain, or OU
Filtering Group Policy Objects
[Figure: Roanoke OU containing Users and the Roanoke Admins group; the Apply Group Policy permission is set to DENY for Roanoke Admins]
- Filtering Prevents Group Policy from Being Applied
Group Policy Inheritance and Blocking
- When Blocked, a GPO Does Not Apply to the Child OU
[Figure: a GPO linked to a parent OU; one child OU has inheritance blocked]
Optimizing Group Policy Performance
- Optimize Group Policy Performance Over Slow Connections by Adjusting:
  - Slow Link Processing
  - Periodic Refresh Processing
  - Client Side Extensions
Testing and Documenting the Group Policy Plan
- When Testing Group Policy:
  - Use an Off-Line Test Environment
  - Test During Off-Peak Hours if a Testing Environment Is Not Available
- When Documenting Group Policy:
  - List the Name of the GPO
  - List the Site, Domain, or OU Where Applied
  - List Individual Settings
  - List Special Settings
Design Guidelines
- Disable Unused Parts of a GPO
- Reduce the Need for Filtering by Creating Additional OUs
- Use the Block Policy Inheritance and No Override Features Sparingly
Designing a Schema Policy
Identifying Business Needs
- Primary Reasons for Schema Modification:
  - Enabling the Schema to Address Business Needs
  - Installing Directory-Enabled Applications
Schema Fundamentals
- Schema Components
- Modifying the Schema
- Obtaining and Extending Object Identifiers
- Deactivating Schema Components
Schema Components
- Class-Schema Objects (examples: Users, Computers)
  - Some possible User Class attributes: accountExpires, badPasswordTime, mail, name
  - Class Definition includes: Object Name, Object Identifier, "May Contain" Attributes, "Must Contain" Attributes
- Attribute-Schema Objects (examples: Servers)
  - Attribute Definition includes: Object Name, Object Identifier, Syntax, Optional Range Limits
  - List of Attributes: accountExpires, badPasswordTime, mail, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, Name, …
Modifying the Schema
- Schema Modification Occurs When You:
  - Use the Active Directory Schema to create, modify, or deactivate classes or attributes
  - Write scripts to automate schema modification
  - Install software applications that add classes or attributes
- To Control Membership of the Schema Admins Group:
  - Control Membership of the Local Admins, Domain Admins, and Enterprise Admins Groups
Obtaining and Extending Object Identifiers

Object identifiers (OIDs):
  Unique identifiers for every class and attribute in the schema (governsID for a class, attributeID for an attribute)
  Obtained from an ISO issuing authority, or from an authority that an ISO member body has delegated to
  Extended under your own arc to accommodate your enterprise

Object identifier format: 1.2.840.x.w.y.z
  1.2.840 identifies the issuing authority (ISO, member body, United States)
  x is the number assigned to your organization; w.y.z is the extension you manage yourself

Never reuse an OID, even one belonging to a deactivated class or attribute: Active Directory rejects a definition whose OID, lDAPDisplayName, or schemaIDGUID duplicates an existing one, and an application that later expects the original meaning of that OID will misbehave.
Deactivating Schema Components

Classes and attributes are never deleted, only deactivated (the schema object's isDefunct attribute is set to TRUE).
Deactivated classes and attributes can be reactivated.
Base-schema objects that ship with Active Directory cannot be deactivated. An attribute that an active class still lists in mustContain or mayContain, or a class that an active class still uses as its parent, auxiliary class, or possible superior, must be removed from those references before it can be deactivated.
Implications of Modifying the Schema

Schema modification can impact:
  Validity of existing objects
  Replication latency
  Network performance during replication
Planning for Schema Modification

Deciding when to Modify the Schema
Planning for Directory-Enabled Applications
Anticipating Microsoft Exchange 2000
Testing Schema Modifications
Developing a Schema Modification Policy
Design Guidelines
Deciding when to Modify the Schema

Situation                                                      Suggested solution
No existing class meets needs                                  Create a new class
Existing class needs attributes but otherwise meets needs      Create new attributes, derive a new child class, or create an auxiliary class
Need a new set of unique attributes, but not a new class       Create an auxiliary class
Existing classes or attributes no longer needed                Deactivate the existing class or attribute
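The rows of this table, together with the OID and deactivation slides above, map onto one concrete workflow: a new attribute and an auxiliary class are defined under the enterprise OID arc, the auxiliary class is attached to an existing class (here user), and when they are no longer needed the references are removed and both objects are deactivated in the right order. The PowerShell below is an added example, not code from the original slides. It generates the two LDIF files and shows the ldifde command that imports them; the contoso-* names and the OID arc value are hypothetical placeholders, and the import itself must run on the schema master as a member of Schema Admins (on Windows 2000 the schema master additionally needs the "Schema Update Allowed" registry value, which the Schema snap-in sets for you).

```powershell
# Added example: build LDIF for a schema extension and for its later deactivation.
# All names and the arc below are placeholders; replace them with your own.
$EnterpriseArc = '1.2.840.113556.1.8000.2554.1001'   # placeholder: use the arc issued to your organization
$Prefix        = 'contoso'
$AttrName      = "$Prefix-BadgeNumber"
$ClassName     = "$Prefix-Person"
$AttrOid       = '{0}.1.1' -f $EnterpriseArc            # convention: arc.1.* for attributes
$ClassOid      = '{0}.2.1' -f $EnterpriseArc            # convention: arc.2.* for classes
$SchemaNC      = 'CN=Schema,CN=Configuration,DC=X'      # DC=X is substituted by ldifde -c

# schemaIDGUID must be unique per schema object; LDIF carries it base64-encoded ("::").
function New-SchemaIdGuid { [Convert]::ToBase64String([guid]::NewGuid().ToByteArray()) }

# The schemaUpdateNow records force a schema cache reload so that each record can
# reference the object created by the record before it.
$addLdif = @"
dn: CN=$AttrName,$SchemaNC
changetype: add
objectClass: attributeSchema
cn: $AttrName
lDAPDisplayName: $AttrName
adminDisplayName: $AttrName
attributeID: $AttrOid
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
rangeUpper: 32
searchFlags: 1
isMemberOfPartialAttributeSet: FALSE
schemaIDGUID:: $(New-SchemaIdGuid)

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=$ClassName,$SchemaNC
changetype: add
objectClass: classSchema
cn: $ClassName
lDAPDisplayName: $ClassName
adminDisplayName: $ClassName
governsID: $ClassOid
objectClassCategory: 3
subClassOf: top
mayContain: $AttrName
schemaIDGUID:: $(New-SchemaIdGuid)

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$SchemaNC
changetype: modify
add: auxiliaryClass
auxiliaryClass: $ClassName
-
"@

# Deactivation must run in reverse dependency order: detach the auxiliary class
# from user, deactivate the class, then deactivate the attribute it referenced.
$deactivateLdif = @"
dn: CN=User,$SchemaNC
changetype: modify
delete: auxiliaryClass
auxiliaryClass: $ClassName
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=$ClassName,$SchemaNC
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=$AttrName,$SchemaNC
changetype: modify
replace: isDefunct
isDefunct: TRUE
-
"@

Set-Content -Path .\schema-add.ldf        -Value $addLdif        -Encoding ASCII
Set-Content -Path .\schema-deactivate.ldf -Value $deactivateLdif -Encoding ASCII

# Import on the schema master only, after the same file has been imported in a lab forest:
#   ldifde -i -f schema-add.ldf -s <schema-master> -c "DC=X" "DC=contoso,DC=com" -j .
# Deactivation later uses schema-deactivate.ldf with the same command line.
```

objectClassCategory 3 makes the class auxiliary, which is the "need a new set of unique attributes, but not a new class" row: existing user objects gain the attribute without anyone re-creating them as a different structural class. The syntax pair 2.5.5.12 / 64 is a Unicode string and rangeUpper 32 is the optional range limit from the attribute-definition slide.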
Planning for Directory-Enabled Applications

Directory-enabled applications modify the schema in two phases:
  1. Schema Admins perform the schema components phase of the install
  2. Any authorized individual can complete the install
Anticipating Exchange 2000

Integration of Exchange 2000 and Active Directory improves performance
  Separate directory databases are no longer necessary
Initial configuration of Exchange 2000 may take extra time to complete
  LDIF files replicated
  Global catalog replication
Testing Schema Changes

When testing schema modifications, always:
  Test changes in a non-production forest first
  Use thoroughly tested scripts (the same LDIF or script file that passed in the lab, not a hand-typed copy)
  Remember that classes and attributes can only be deactivated, never deleted: a mistake in production stays in the schema
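The implications slide earlier in this section lists replication latency, and the test plan above ends when the change has been imported; the missing step is confirming that every domain controller in the forest actually holds the new definitions before the second, non-Schema-Admins phase of an application install is started. The following PowerShell is an added example, not code from the original slides. It assumes the ActiveDirectory module, and the object names and the 30-minute timeout are hypothetical.

```powershell
# Added example: poll every DC in the forest until the named schema objects are
# present everywhere, or give up after a timeout. Names and timeout are placeholders.
Import-Module ActiveDirectory

function Test-SchemaConvergence {
    param(
        [Parameter(Mandatory)][string[]]$LdapDisplayName,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds    = 30
    )
    $forest = Get-ADForest
    # Every DC in every domain holds a replica of the schema naming context.
    $dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $rows = foreach ($dc in $dcs) {
            $schemaNC = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            foreach ($n in $LdapDisplayName) {
                $o = Get-ADObject -Server $dc.HostName -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$n)" -Properties isDefunct
                [pscustomobject]@{
                    DC      = $dc.HostName
                    Object  = $n
                    Present = [bool]$o
                    Defunct = [bool]$o.isDefunct
                }
            }
        }
        $missing = @($rows | Where-Object { -not $_.Present })
        if ($missing.Count -eq 0) { return $rows }
        Write-Host ('{0} of {1} checks still missing; waiting {2}s' -f $missing.Count, $rows.Count, $PollSeconds)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "schema change not converged on all DCs within $TimeoutMinutes minutes"
    $rows
}

# Usage with the placeholder names of the extension built earlier in this section.
Test-SchemaConvergence -LdapDisplayName 'contoso-BadgeNumber', 'contoso-Person' |
    Format-Table DC, Object, Present, Defunct -AutoSize
```

The Defunct column matters for the reverse case: after a deactivation, a DC that still reports Defunct = False will continue to accept writes to the attribute until it replicates the change.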
Design Guidelines

Plan and implement with care
Prevent confusion: use a unique prefix for your classes and attributes, and document every change
Prevent unauthorized schema modifications: restrict Schema Admins membership, and make schema changes only on the schema master through an approved change process