Chapter11 CNT117 Windows by smbutt


									CNT117 Windows 2003 Active Directory

Chapter 11: Group Policy for Corporate Policy

• Understand and describe the purpose of Group Policy • Describe how Group Policy is applied • Manage desktop computers using Group Policy • Analyze and configure security settings using Group Policy


Objectives (continued)
• Install and use the Group Policy Management Console • Troubleshoot Group Policy


Group Policy
• Introduced in Windows 2000 • Enhanced in:
• Windows XP • Windows Server 2003

• Largely collection of registry entries • Enhancements in Windows Server 2003:
• Transient policy settings • Expanded capabilities


Administrative Templates
• Files with .adm extension • Describe registry settings
• Can be configured in policy or Group Policy

• Included with Windows Server 2003:
• • • • • System.adm Inetres.adm Wmplayer.adm Conf.adm Wuau.adm

Client-side Extensions
• Allow for more advanced control and configuration • Included with Windows Server 2003 and Windows XP:
• • • • EFS (encrypting file system) recovery Folder redirection Internet Explorer maintenance IP security


Client-side Extensions (continued)
• Included with Windows Server 2003 and Windows XP:
• • • • • • Microsoft Disk Quota QoS Packet Scheduler Scripts Security Software installation Wireless


Group Policy Storage
• Stored on
• Domain controllers • Local computers

• Local policy object
• • • • Stored in hidden folder Referred to as local computer policy Applies only to local computer Great for workgroup environment


Group Policy Storage (continued)
• GPOs
• • • • Stored on domain controllers Centrally managed Single GPO typically affects many users and computers One part stored in Active Directory database
• Called group policy container (GPC)

• Other stored in SYSVOL share
• Referred to as group policy template (GPT)


Group Policy Storage (continued)
• GPT subfolders:
• • • • • Adm USER USER\applications MACHINE MACHINE\applications


Creating a Group Policy Object
• Tools for creating GPOs:
• Group Policy standalone Microsoft Management Console (MMC) snap-in • Group Policy extension in Active Directory Users and Computers


Activity 11-1: Creating a Group Policy Object Using the MMC
• Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs • Follow directions to create GPOs


Group Policy Processing
• GPOs linked to sites, domains, and organizational units using GPO links
• Applies to user and computer objects that exist in container to which they are linked • Can be linked with multiple organizational units, sites, or even domains • Only stored on domain controllers in domain where created


Group Policy Priority
• Processing order:
• • • • First policy to be applied is the local computer policy Any GPOs linked to site are applied GPOs linked to domain are applied GPOs linked to organizational units are applied


Group Policy Priority (continued)
• Process is followed twice
• Once for Computer Configuration
• When computer starts up

• Once for User Configuration
• When user logs on


Default GPO Processing Order


Dealing with Conflict
• Options for policy settings
• Enabled • Disabled • Not Configured

• Policy settings from multiple GPOs can be combined
• As long as they do not conflict

• In case of conflict:
• GPO to be applied last wins

Modifying Group Policy Priority
• Modify priority by configuring settings:
• No Override • Block Policy Inheritance • Loopback Processing Mode


Controlling Group Policy Application with Permissions
• GPOs cannot be linked to groups • Application of Group Policy can be controlled through permissions


Controlling Group Policy Application with Permissions (continued)
• Standard permissions available to GPO:
• • • • • • Full Control Read Write Create All Child Objects Delete All Child Objects Apply Group Policy

Activity 11-5: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of policy settings • Follow instructions to stop settings in Marketing Policy GPO from applying to Administrators group


Windows Management Instrumentation Filters
• Used to restrict application of GPOs • Control GPO application based on computer configuration, such as:
• • • • Hardware configuration File existence or attributes Applications being installed Amount of free hard drive space

• Written in WMI Query Language (WQL) • Does not apply to Windows 2000

Slow Link Detection
• When working over slow link
• May be undesirable to apply parts of Group Policy

• Client pings domain controller several times
• To determine link speed • 500 Kbps or less is considered slow


Default Slow Link Behavior


Desktop Management with Group Policy
• Desktop management
• One of primary goals that can be accomplished with Group Policy


Restricting Windows
• Can protect users from their own mistakes • Remove access to features such as:
• Configuring proxy settings • Setting desktop wallpaper


Folder Redirection
• Allows administrator change location of default Windows folders • Locate on server:
• Allows users to access information from any computer on network


Folder Redirection (continued)
• Folders that can be redirected are:
• • • • Application data Desktop My Documents Start menu


• GPOs can contain scripts for:
• • • • Logon Logoff Startup Shutdown

• Can be written in languages such as
• VBScript (.vbs) • JScript (.js)

• Must store scripts in location accessible to users running them

Security Management with Group Policy
• Security policy
• • • • Collection of security-related settings Located in all GPOs Majority of security policy settings apply to computers Found in Computer Configuration section


Account Policies
• Includes configuration settings that may be the initial step to securing computer network • Must be configured in GPO linked to domain • Subcategories:
• Password Policy • Account Lockout Policy • Kerberos Policy


Local Policies
• Wide variety of settings • Very flexible • Categories:
• Audit policy • User rights assignment • Security options


Restricted Groups
• Define users that are allowed membership to specific groups • When group policy applied:
• Any member of restricted group not listed in restricted group’s member list removed • Prevents administrators from accidentally adding users to sensitive groups


System Services
• Define which services are started, stopped, or disabled on computers • Can also configure security for services • Effective way to disable unnecessary services on:
• Client computers • Servers


Registry Settings
• Define security permissions for registry entries • Applied to all computers affected by GPO


File System
• Defines NTFS permissions applied to local hard drives of computers affected by GPO • Enhance security by removing permissions to files and folders


Wireless Network Policies
• Define settings for wireless network connectivity • Configure which wireless networks’ workstations can connect to and automatically configure Wireless Encryption Protocol (WEP)


Public Key Policies
• Define configuration settings relating to use of different public key-based applications such as:
• Encrypting file system (EFS) • Automatic certificate enrolment settings • Certificate Authority (CA) trusts

• Autoenrollment
• New feature • Allows computers and users to request version 2 certificate templates automatically


Software Restriction Policies
• Define security settings related to what programs are allowed to run on system • Individual rules can be based on:
• • • • File’s hash Digital certificate used to sign executable File’s path Internet zone


IP Security Policies
• Define IPSec settings • Can enable IPSec for entire network with little effort


Security Templates
• Used to:
• Define, edit, and save baseline security settings • Applied to computers with common security requirements • Meet organizational security standards

• Help ensure
• Consistent setting can be applied to multiple machines • Easily maintained

• Stored in .inf files

Security Templates (continued)
• Setup Security.inf.
• Default template • Provides single file in which all original computer security settings are stored

• Incremental templates
• Only apply to machines already running default security settings

• Use Security Templates snap-in to create custom templates

Analyzing Security
• Security Configuration and Analysis utility • Compare current system settings to previously configured security template • Identifies
• Changes to original security configurations • Possible security weaknesses


Using the Group Policy Management Console
• Available as free download for Windows Server 2003 customers • Brings together tools and options accessible from number of different tools • Adds new functionality • Highly recommended
• Especially in large deployments


Troubleshooting Group Policy
• Most important thing is interaction of:
• • • • • • • Links to containers Priority ordering by administrators No Override Block Inheritance ACL permissions Loopback Processing Mode WMI filters


Troubleshooting Tools
• • • • Resultant Set of Policy (RSoP) Gpresult Gpupdate Dcgpofix


• Group Policy applies settings to users and computers in:
• Site • Domain • Organizational unit

• Order of application for GPOs is:
• • • • Local Site Domain Organizational unit

Summary (continued)
• User or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply • To affect domain accounts, account policies must be set at the domain level • Security management using Group Policy is accomplished with security templates


To top