MCTS Chapter 7

Document Sample
MCTS Chapter 7 Powered By Docstoc
					  MCTS Guide to Configuring
Microsoft Windows Server 2008
       Active Directory


Chapter 7: Configuring Group Policy
                                Objectives

•   Describe the architecture and processing of GPOs
•   Configure group policy settings
•   Work with security templates
•   Manage and monitor group policies
•   Configure group policy preferences




MCTS Windows Server 2008 Active Directory              2
               Group Policy Architecture
• Group policy architecture and function involve the
  following components:
    – GPOs
         • An object containing policy settings that affect user and computer
           operating environments and security. Can be local or AD objects
    – Replication
         • Ensures that all domain controllers have a current copy of each
           GPO
    – Scope and inheritance
         • The scope of a group policy defines which users and computers
           are affected by its settings
    – Creating and linking
         • GPOs are created in the Group Policy management console and
           can be linked to one or more AD containers

MCTS Windows Server 2008 Active Directory                                       3
          Group Policy Objects (GPOs)

• A GPO contains policy settings for managing many
  aspects of domain controllers, member servers,
  member computers, and users
• Two main types of GPOs:
    – Local GPOs
    – Domain GPOs




MCTS Windows Server 2008 Active Directory        4
                              Local GPOs

• Local GPOs are stored on local computers, and are
  edited via the Group Policy Object Editor snap-in
• Settings in local GPOs that are inherited from
  domain GPOs can’t be changed on the local
  computer.
• Only settings that are undefined or not configured
  by domain GPOs can be edited locally




MCTS Windows Server 2008 Active Directory          5
   New Local GPOs in Windows Vista and
              Server 2008
• New policies allow setting of different policies
  depending on who logs on to the computer:
    – Local Administrators GPO
    – Local Non-Administrators GPO
    – User-specific GPO
• If these policies are used, they are processed in
  the above order, especially for conflict resolution
  (last policy setting takes precedence)




MCTS Windows Server 2008 Active Directory               6
                           Domain GPOs

• Domain GPOs are stored in Active Directory on
  domain controllers
• Consists of two separate parts: a group policy
  template (GPT) and a group policy container (GPC)
• GPT and GPC have naming structure and folder
  structure as common traits
• Knowing GPO structure is important for resolving
  issues



MCTS Windows Server 2008 Active Directory         7
                Group Policy Templates

• A Group Policy Template contains all the policy
  settings that make up a GPO as well as related
  files, such as scripts, and is contained in the Sysvol
  share on a domain controller
• Upon creation of a GPO, several files and
  subfolders are created (exact number may vary)
  but each GPT folder will contain at least three
  items:
    – GPT.ini
    – Machine
    – User

MCTS Windows Server 2008 Active Directory              8
                Group Policy Containers

• Stored in the System\Policies folder
• Contains GPO properties and status information
  but no policy settings
• Similar to GPT in that it uses a GPO’s GUID for a
  folder name
• Information contained in a GPC:
    –   Name of the GPO
    –   File path to GPT
    –   Version
    –   Status


MCTS Windows Server 2008 Active Directory             9
        Group Policy Containers (cont.)




MCTS Windows Server 2008 Active Directory   10
                Group Policy Replication
• GPCs are replicated with Active Directory
• GPTs are replicated by one of the following
  methods:
    – File Replication Service (FRS)
         • Used when running in a mixed environment of differing Windows
           Server operating systems
    – Distributed File System Replication (DFSR)
         • Used when all DCs are running Windows Server 2008
• DFSR is more efficient and reliable
• GPC and GPT can become out of sync
• Replication problems can be diagnosed with
  Gpotool.exe
MCTS Windows Server 2008 Active Directory                                  11
            Creating and Linking GPOs

• Primary tools for managing, creating, and editing
  GPOs are Group Policy Management Console
  (GPMC) and Group Policy Management Editor
  (GPME)
• If editing a GPO that is already linked to a
  container, changes in policy settings take effect as
  soon as clients download them
• Before introducing multiple policy changes at once,
  test them individually


MCTS Windows Server 2008 Active Directory            12
                Editing an Existing GPO

• To edit, right click the GPO in GPMC and click Edit,
  which will open the GPO in GPME
• It is possible to make changes to the Default
  Domain Policy, but not advisable
• Recommended method for making changes to
  domain policies is creating a new GPO and linking
  it to the domain
• GPOs are applied to objects in reverse of the
  specified link order


MCTS Windows Server 2008 Active Directory           13
                    Creating a New GPO

• Two ways to create a new GPO with the GPMC:
    – Right click the container you’re linking the GPO to and select
      “Create a GPO in this domain, and Link it here”
    – Right click the Group Policy Objects folder and click New
• Best practice is to create GPOs that focus on a
  category of settings, then name the GPO
  accordingly




MCTS Windows Server 2008 Active Directory                              14
                     Using Starter GPOs
• A Starter GPO is a template for creating GPO’s
  (Not a GPT)
• New GPO wizard includes option to use a Starter
  GPO
• Stored in the Starter GPOs folder in GPMC
• To use a Starter GPO, select one in the Source
  Starter GPO list box in the New GPO Wizard, or
  right click a starter GPO in the starter GPOs folder
  and click New GPO from Starter GPO
• To create a Starter GPO, right click the Starter
  GPOs folder and click New
MCTS Windows Server 2008 Active Directory                15
  Group Policy Scope and Inheritance

• The scope of a group policy defines which objects
  in AD are affected by settings in the policy
• If two GPOs are applied to an object, and a setting
  is configured on one GPO but not the other, the
  configured setting is applied
• Policies are applied in this order:
    –   Local policies
    –   Site-linked GPOs
    –   Domain-linked GPOs
    –   OU-linked GPOs


MCTS Windows Server 2008 Active Directory           16
     Understanding Site-Linked GPOs

• GPOs linked to a site object affect all users and
  computers physically located at the site
• Can be used to set up different policies for mobile
  users
• In a singular site and domain environment, it is
  better to use domain GPOs
• Site GPOs can be confusing for mobile users if
  policy changes are drastic enough between sites



MCTS Windows Server 2008 Active Directory               17
 Understanding Domain-Linked GPOs

• GPOs at domain level should contain settings that
  apply to all objects in the domain
• Account policies can be defined only at the domain
  level
• Best practices suggest setting account policies and
  a few critical security policies at the domain level




MCTS Windows Server 2008 Active Directory            18
      Understanding OU-Linked GPOs

• Fine-tuning of group policies should be done at the
  OU level
• Users and computers with similar policy
  requirements should be located in the same OU
• Since OUs can be nested, so can GPOs
• GPOs applied to nested OUs should be used for
  exceptions to policies set at a higher level




MCTS Windows Server 2008 Active Directory           19
        Changing Default GPO Inheritance
                   Behavior
• GPO inheritance is enabled by default
• To see where policies are inherited from, select a
  container in the left pane of GPMC and click the
  group policy inheritance tab in the right pane
• There are several ways to affect GPO inheritance:
    –   Blocking inheritance
    –   Enforcing inheritance
    –   GPO filtering
    –   Loopback policy processing




MCTS Windows Server 2008 Active Directory              20
              Blocking GPO Inheritance

• Prevents GPOs linked to parent containers from
  affecting child containers
• To block GPO inheritance, in GPMC, right click the
  child domain or OU and click Block Inheritance
• If blocking is enabled, the OU or domain object is
  displayed with a blue exclamation point
• Frequent blocking implies a possible flawed OU
  design



MCTS Windows Server 2008 Active Directory          21
             Enforcing GPO Inheritance

• Forcing GPO Inheritance overrides any conflicting
  configurations at a deeper level
• If multiple GPOs are enforced, the GPO at the
  highest level is enforced in a conflict
• Example: If a GPO linked to an OU and a GPO
  linked to a domain are both set to be enforced, the
  GPO linked to the domain takes stronger
  precedence



MCTS Windows Server 2008 Active Directory           22
                            GPO Filtering
• GPO filtering allows changing inheritance on an
  object by object basis
• Two types of GPO filtering:
    – Security filtering
    – Windows Management Instrumentation (WMI) filtering
• Security filtering uses permissions to restrict
  objects from accessing a GPO
• WMI filtering uses queries to select a group of
  computers based on certain attributes, and then
  applies or doesn’t apply policies based on the
  query’s results

MCTS Windows Server 2008 Active Directory                  23
           Loopback Policy Processing

• Normally, the policies that affect user settings
  follow users to whichever computer they log on to
• Loopback policy processing allows settings in the
  User Configuration node of the GPO to be applied
  to all users who log on to the computer
• To use, enable the “User group policy loopback
  processing mode” policy in the Computer
  Configuration\Policies\Administrative
  Templates\System\Group Policy node


MCTS Windows Server 2008 Active Directory             24
                   Group Policy Settings

• Settings in Computer configuration take
  precedence over settings in User Configuration,
  should there be a conflict
• Three folders under the Policies folder:
    – Software Settings
    – Windows Settings
    – Administrative Templates
• Policy settings can be managed or unmanaged
    – Managed policies reset to ‘not configured’ when the object falls
      outside of the policy’s scope
    – Unmanaged policies are persistent

MCTS Windows Server 2008 Active Directory                            25
     Policies in the Computer Configuration
                      Node
• Applies to computers regardless of who logs on to
  the computer
• Contains most of the security related settings in the
  Account Policies, User Rights Assignment, Audit
  Policy, and Security Options nodes
• Computer configuration policies are uploaded to a
  computer when the OS starts and are updated
  every 90 minutes thereafter
• Some policy changes may require a restart


MCTS Windows Server 2008 Active Directory             26
Computer Configuration: Software Settings

• Contains the Software Installation extension, which
  can be configured to install software packages
  remotely
• Applications are deployed with the Windows
  Installer service, which uses MSI files
• Software packages are assigned to target
  computers, making installation mandatory next time
  the computer starts



MCTS Windows Server 2008 Active Directory          27
Advanced Application Deployment Options

• When deploying applications, click the Advanced
  option button in the Deploy Software dialog box.
  This will open a Properties box with the following
  tabs:
    –   Deployment tab
    –   Upgrades tab
    –   Categories tab
    –   Modifications tab
• If changes are made to a package, it is not installed
  again by default. However, the package can easily
  be redeployed
MCTS Windows Server 2008 Active Directory              28
Computer Configuration: Windows Settings

• The Windows Settings folder contains four
  subnodes:
    – Scripts (Startup/Shutdown)
         • Allows the creation of scripts to be run during startup or shutdown
    – Deployed Printers
         • Can deploy printers to computer by specifying the UNC path to a
           shared printer
    – Security Settings
         • Contains nodes for setting security policies, such as those related
           to accounts
    – Policy-based QoS
         • Enables administrators to manage the use of network bandwidth


MCTS Windows Server 2008 Active Directory                                    29
       Security Settings Subnode: Account
                      Policies
• Account policies must be linked to the domain to have any
  effect
• Account Policies contains three subnodes:
    – Password Policy
         •   Enforce password history
         •   Maximum password age
         •   Minimum password age
         •   Minimum password length
         •   Password must meet complexity requirements
         •   Store passwords using reversible encryption
    – Account lockout policy
         •   Account lockout duration
         •   Account lockout threshold
         •   Reset account lockout counter after
         •   Kerberos Policy

MCTS Windows Server 2008 Active Directory                     30
 Security Settings Subnode: Local Policies

• Applies to what users can and can’t do on the local
  computer to which they log on
• Usually defined in GPOs linked to OUs containing
  computer accounts
• Three subnodes of Local Policies:
    – Audit Policy
    – User Rights Assignment
    – Security Options




MCTS Windows Server 2008 Active Directory           31
                 Auditing Object Access

• Two steps for auditing objects:
    – Enable the Audit object access policy for success, failure, or
      both
    – Enable auditing on target objects for success, failure, or both
• Auditing involves considerable overhead. A single
  object access can create several log entries.
• Windows Server 2008 logs successful logon events
  and certain other events by default, even if auditing
  is off.



MCTS Windows Server 2008 Active Directory                               32
       Fine-Grained Password Policies

• Fine-grained password policies allow setting
  different password and account lockout policies for
  targeted users and groups.
• Created by defining a Password Settings Object
  (PSO) in the Password Settings Container (PSC)
• Two tools can be used to create a PSO:
    – ADSI Edit
    – LDIFDE




MCTS Windows Server 2008 Active Directory           33
Additional Security Settings Subnodes
• 13 more subnodes under Security Settings:
    –   Event Log
    –   Restricted Groups
    –   System Services
    –   Registry
    –   File System
    –   Wired Network (IEEE 802.3) Policies
    –   Windows Firewall with Advanced Security
    –   Network List Manager Policies
    –   Wireless Network (IEEE 802.11) Policies
    –   Public Key Policies
    –   Software Restriction Policies
    –   Network Access Protection
    –   IP Security Policies on Active Directory

MCTS Windows Server 2008 Active Directory          34
    Computer Configuration: Administrative
                Templates
• Affects the HKEY_LOCAL_MACHINE section of the
  computer’s registry
• Administrative template files are XML format files that define
  policies in the Administrative Templates Folder in a GPO
• Uses file format .admx or .adml for language specific
• All ADMX and ADML files are under
  %systemroot%\PolicyDefinitions
• Administrative Templates folder has the following subnodes:
    –   Control Panel
    –   Network
    –   Printers
    –   System
    –   Windows Components

MCTS Windows Server 2008 Active Directory                      35
    Policies in the User Configuration Node

• Policies set under the User Configuration node
  follow a user wherever he or she logs on
• Lacks most of the security settings and account
  policies
• Policies under User Configuration node are more
  focused on the user’s environment, such as
  Windows features that can and can’t be accessed




MCTS Windows Server 2008 Active Directory           36
User Configuration: Software Settings

• Performs the same function as in Computer
  Configuration, but with important differences in
  options and execution
• Software package can only be assigned to a
  computer, but there are two options:
    – Published
         • Isn’t installed automatically; includes a link to the application in
           Programs and Features or Add/Remove Programs
    – Assigned
         • Applications are advertised as a link on the start menu




MCTS Windows Server 2008 Active Directory                                         37
User Configuration: Windows Settings

• Windows Settings contains seven subnodes:
    –   Remote Installation Services
    –   Scripts (Logon/Logoff)
    –   Security Settings
    –   Folder Redirection
    –   Policy-based QoS
    –   Deployed Printers
    –   Internet Explorer Maintenance




MCTS Windows Server 2008 Active Directory     38
        Security Settings Subnode: Software
                 Restriction Policies
• Designed to prevent users from running certain applications, or to
  allow users to only be able to run specific applications
• Security Levels folder contains three rules:
    – Disallowed
    – Basic User
    – Unrestricted
• Additional rules folder is for exceptions, and contains four ways to
  identify exceptions:
    –   Hash
    –   Certificate
    –   Path
    –   Network zone
• Three policies can be configured:
    – Enforcement
    – Designated File Types
    – Trusted Publishers


MCTS Windows Server 2008 Active Directory                              39
      The Folder Redirection Subnode

• Allows the redirection of one or more folders in a
  user’s profile directory
• Useful in ensuring that a user’s documents are
  backed up to a server with little to no intervention
  required from the user
• Can help decrease bandwidth usage when roaming
  profiles are in use




MCTS Windows Server 2008 Active Directory           40
         User Configuration: Administrative
                    Templates
• Affects the HKEY_CURRENT_USER section of the
  computer’s registry
• Very similar to the Administrative Templates in the
  Computer Configuration node
• Contains the following additional subnodes:
    – Desktop
    – Shared Folders
    – Start Menu and Taskbar




MCTS Windows Server 2008 Active Directory          41
              Using Security Templates

• Security templates are text files with an .inf
  extention that contain information to define policy
  settings in the Security Settings node
• Can be used to verify current security settings on a
  computer against the settings in a template
• Three tools for working with security templates
    – Security Templates snap-in
    – Security Configuration and Analysis snap-in
    – Secedit.exe



MCTS Windows Server 2008 Active Directory            42
            Security Templates Snap-in

• Can be used to create security templates for use
  with computers that require different security
  settings, such as servers with different roles
• When a user creates a template, it is stored under
  the user’s Documents folder in Security\Templates




MCTS Windows Server 2008 Active Directory          43
    Security Templates Snap-in (cont.)




MCTS Windows Server 2008 Active Directory   44
 Security Configuration and Analysis Snap-
                     in
• Useful for checking a computer’s existing security settings
  against the known settings in security template files
• Can also apply a security template to a computer
• Analyzing current security settings against a template
  creates a report. For each policy setting, there are five
  possible results:
    – An X in a red circle indicates a mismatch
    – A check mark in green indicates a match
    – A question mark in a white circle indicates that the policy wasn’t
      defined or the user doesn’t have permission to access the policy
    – An exclamation point in a white circle indicates the policy doesn’t exist
      on that computer
    – No indicator indicates the policy wasn’t defined in the template

MCTS Windows Server 2008 Active Directory                                    45
                               Secedit.exe

• Command-line program that performs many of the
  same functions as the Security Configuration and
  Analysis snap-in
• Can be automated with scripts and batch files
• Can import or export some of or all the settings
  between a security database and a template file
• Can compare settings between a security database
  and a computers current settings or apply a
  database to a computer


MCTS Windows Server 2008 Active Directory       46
        GPO Management with GPMC

• GPO Delegation – 8 possible permissions can be
  applied to GPOs and the container objects to which
  they’re linked through delegation:
    –   Create GPOs
    –   Link GPOs
    –   Perform Group Policy Modeling Analyses
    –   Read Group Policy Results Data
    –   Read
    –   Read (from Security Filtering)
    –   Edit settings, delete, modify security
    –   Edit Settings


MCTS Windows Server 2008 Active Directory         47
GPO Management with GPMC (cont.)

• After a GPO is created, it can be in one of the
  following states:
    –   Link status: unlinked
    –   Link status: enabled
    –   Link status: disabled
    –   GPO status: Enabled
    –   GPO status: User Configuration Settings Disabled
    –   GPO status: Computer Configuration Settings Disabled
    –   GPO status: All Settings Disabled




MCTS Windows Server 2008 Active Directory                      48
              GPO Backup and Restore

• Backing up a GPO backs up policy settings, but
  also backs up security filtering settings, delegation
  settings, and WMI filter links
• Does not back up WMI filter files, IPSec policies,
  and GPO container links
• The procedure for restoring a GPO varies
  depending on whether you wish to:
    – Restore a previous version
    – Restore a deleted GPO
    – Import settings


MCTS Windows Server 2008 Active Directory                 49
                           GPO Migration

• Migration is useful if multiple domains have similar
  policy requirements, or if you wish to set up a test
  environment
• GPOs can be migrated across domains in the
  same or different forests by adding the domain to
  GPMC
• GPOs can also be migrated using the backup and
  import procedure



MCTS Windows Server 2008 Active Directory                50
   Group Policy Results and Modeling

• Group Policy Results Wizard creates a report to
  show Administrators which policy settings apply to
  a user, computer, or both
• Provides same information as Resultant Set of
  Policy (RSoP) snap-in
• Once the wizard finishes, the report has three tabs:
    – Summary
    – Settings
    – Policy Events



MCTS Windows Server 2008 Active Directory            51
 Group Policy Results and Modeling (cont.)




MCTS Windows Server 2008 Active Directory   52
 Group Policy Results and Modeling (cont.)

• Gpresult.exe performs a similar task as the Group
  Policy Results Wizard
• Group Policy Modeling allows an Administrator to
  examine the results of policy settings without
  actually applying anything
• Instead of a Policy Events tab, it has a Query tab
  that shows the choices made to produce the report
  in Group Policy Modeling



MCTS Windows Server 2008 Active Directory          53
               The ADMX Central Store

• ADMX Central Store is a centralized location for
  maintaining ADMX files
• To create a central store, create a folder named
  PolicyDefinitions in the
  %systemroot%\SYSVOL\sysvol\domainname\polici
  es folder, then create a language specific folder
  that uses the two character ISO standard for
  languages. Lastly, copy ADMX files to the store
  location


MCTS Windows Server 2008 Active Directory         54
              Group Policy Preferences
• Creates a standardized environment while simultaneously
  allowing users to make changes to configured settings
• With group policy preferences, you can perform tasks such
  as:
    –   Create and modify local users and groups
    –   Enable and disable devices on a computer
    –   Create drive mappings
    –   Manage power options
    –   Create and manage files, folders, and shortcuts
    –   Create and modify printers
    –   Customize application settings
• Can use item-level targeting, which enables administrators
  to target users or computers for each preference based on a
  set of criteria
MCTS Windows Server 2008 Active Directory                     55
                       Chapter Summary

• Group policy architecture and function involves
  these components: GPOs, replication, scope and
  inheritance, and creating and linking GPOs.
  Domain GPOs consist of a GPT stored in the
  Sysvol share and a GPC stored in Active Directory
• GPO replication is handled by Active Directory
  replication for GPC and by FRS or DFSR for GPTs
• You use the GPMC to create, link, and manage
  GPOs and the GPME to edit GPOs


MCTS Windows Server 2008 Active Directory         56
               Chapter Summary (cont.)
• Starter GPOs are like template files
• GPOs can be linked to sites, domains, and OUs.
  Policies are applied in this order, and the last policy
  setting applied takes precedence when conflicts
  exists
• Default GPO inheritance can be changed by using
  inheritance blocking, enforcement, GPO filtering,
  and loopback policy processing
• Computer Configuration and User Configuration
  nodes contain three subnodes: Software Settings,
  Windows Settings, and Administrative Templates

MCTS Windows Server 2008 Active Directory              57
               Chapter Summary (cont.)

• The Security Settings node in Computer
  Configuration contains the Account Policies sub-
  node with settings that affect all domain users.
• The Local Policies subnode in the Security Settings
  node contains Audit Policy, User Rights
  Assignment, and Security Options.
• Fine-grained password policies, new in Windows
  Server 2008, make it possible for admin- istrators
  to define different password policies for select
  groups of users.

MCTS Windows Server 2008 Active Directory          58
               Chapter Summary (cont.)
• Administrative Templates can control hundreds of settings
  on computers and for users.
• Security templates are used to transfer security settings
  easily from one GPO or computer to another and can be
  used to analyze a computer’s current settings against a
  security database created from one or more security
  templates.
• Group policy management involves managing GPO
  delegation and GPO status as well as GPO backup and
  migration.
• Group policy preferences, new in Windows Server 2008,
  enable administrators to set up user and computer
  environments with preferred settings, but these settings can
  be changed, unlike policy settings.
MCTS Windows Server 2008 Active Directory                    59

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:44
posted:2/8/2012
language:English
pages:59