Chapter11 CNT117 Windows

							CNT117 Windows 2003 Active Directory

Chapter 11: Group Policy for Corporate Policy

Objectives
• Understand and describe the purpose of Group Policy • Describe how Group Policy is applied • Manage desktop computers using Group Policy • Analyze and configure security settings using Group Policy

2

Objectives (continued)
• Install and use the Group Policy Management Console • Troubleshoot Group Policy

3

Group Policy
• Introduced in Windows 2000 • Enhanced in:
• Windows XP • Windows Server 2003

• Largely collection of registry entries • Enhancements in Windows Server 2003:
• Transient policy settings • Expanded capabilities

4

Administrative Templates
• Files with .adm extension • Describe registry settings
• Can be configured in policy or Group Policy

• Included with Windows Server 2003:
• • • • • System.adm Inetres.adm Wmplayer.adm Conf.adm Wuau.adm
5

Client-side Extensions
• Allow for more advanced control and configuration • Included with Windows Server 2003 and Windows XP:
• • • • EFS (encrypting file system) recovery Folder redirection Internet Explorer maintenance IP security

6

Client-side Extensions (continued)
• Included with Windows Server 2003 and Windows XP:
• • • • • • Microsoft Disk Quota QoS Packet Scheduler Scripts Security Software installation Wireless

7

Group Policy Storage
• Stored on
• Domain controllers • Local computers

• Local policy object
• • • • Stored in hidden folder Referred to as local computer policy Applies only to local computer Great for workgroup environment

8

Group Policy Storage (continued)
• GPOs
• • • • Stored on domain controllers Centrally managed Single GPO typically affects many users and computers One part stored in Active Directory database
• Called group policy container (GPC)

• Other stored in SYSVOL share
• Referred to as group policy template (GPT)

9

Group Policy Storage (continued)
• GPT subfolders:
• • • • • Adm USER USER\applications MACHINE MACHINE\applications

10

Creating a Group Policy Object
• Tools for creating GPOs:
• Group Policy standalone Microsoft Management Console (MMC) snap-in • Group Policy extension in Active Directory Users and Computers

11

Activity 11-1: Creating a Group Policy Object Using the MMC
• Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs • Follow directions to create GPOs

12

Group Policy Processing
• GPOs linked to sites, domains, and organizational units using GPO links
• Applies to user and computer objects that exist in container to which they are linked • Can be linked with multiple organizational units, sites, or even domains • Only stored on domain controllers in domain where created

13

Group Policy Priority
• Processing order:
• • • • First policy to be applied is the local computer policy Any GPOs linked to site are applied GPOs linked to domain are applied GPOs linked to organizational units are applied

14

Group Policy Priority (continued)
• Process is followed twice
• Once for Computer Configuration
• When computer starts up

• Once for User Configuration
• When user logs on

15

Default GPO Processing Order

16

Dealing with Conflict
• Options for policy settings
• Enabled • Disabled • Not Configured

• Policy settings from multiple GPOs can be combined
• As long as they do not conflict

• In case of conflict:
• GPO to be applied last wins
17

Modifying Group Policy Priority
• Modify priority by configuring settings:
• No Override • Block Policy Inheritance • Loopback Processing Mode

18

Controlling Group Policy Application with Permissions
• GPOs cannot be linked to groups • Application of Group Policy can be controlled through permissions

19

Controlling Group Policy Application with Permissions (continued)
• Standard permissions available to GPO:
• • • • • • Full Control Read Write Create All Child Objects Delete All Child Objects Apply Group Policy
20

Activity 11-5: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of policy settings • Follow instructions to stop settings in Marketing Policy GPO from applying to Administrators group

21

Windows Management Instrumentation Filters
• Used to restrict application of GPOs • Control GPO application based on computer configuration, such as:
• • • • Hardware configuration File existence or attributes Applications being installed Amount of free hard drive space

• Written in WMI Query Language (WQL) • Does not apply to Windows 2000
22

Slow Link Detection
• When working over slow link
• May be undesirable to apply parts of Group Policy

• Client pings domain controller several times
• To determine link speed • 500 Kbps or less is considered slow

23

Default Slow Link Behavior

24

Desktop Management with Group Policy
• Desktop management
• One of primary goals that can be accomplished with Group Policy

25

Restricting Windows
• Can protect users from their own mistakes • Remove access to features such as:
• Configuring proxy settings • Setting desktop wallpaper

26

Folder Redirection
• Allows administrator change location of default Windows folders • Locate on server:
• Allows users to access information from any computer on network

27

Folder Redirection (continued)
• Folders that can be redirected are:
• • • • Application data Desktop My Documents Start menu

28

Scripts
• GPOs can contain scripts for:
• • • • Logon Logoff Startup Shutdown

• Can be written in languages such as
• VBScript (.vbs) • JScript (.js)

• Must store scripts in location accessible to users running them
29

Security Management with Group Policy
• Security policy
• • • • Collection of security-related settings Located in all GPOs Majority of security policy settings apply to computers Found in Computer Configuration section

30

Account Policies
• Includes configuration settings that may be the initial step to securing computer network • Must be configured in GPO linked to domain • Subcategories:
• Password Policy • Account Lockout Policy • Kerberos Policy

31

Local Policies
• Wide variety of settings • Very flexible • Categories:
• Audit policy • User rights assignment • Security options

32

Restricted Groups
• Define users that are allowed membership to specific groups • When group policy applied:
• Any member of restricted group not listed in restricted group’s member list removed • Prevents administrators from accidentally adding users to sensitive groups

33

System Services
• Define which services are started, stopped, or disabled on computers • Can also configure security for services • Effective way to disable unnecessary services on:
• Client computers • Servers

34

Registry Settings
• Define security permissions for registry entries • Applied to all computers affected by GPO

35

File System
• Defines NTFS permissions applied to local hard drives of computers affected by GPO • Enhance security by removing permissions to files and folders

36

Wireless Network Policies
• Define settings for wireless network connectivity • Configure which wireless networks’ workstations can connect to and automatically configure Wireless Encryption Protocol (WEP)

37

Public Key Policies
• Define configuration settings relating to use of different public key-based applications such as:
• Encrypting file system (EFS) • Automatic certificate enrolment settings • Certificate Authority (CA) trusts

• Autoenrollment
• New feature • Allows computers and users to request version 2 certificate templates automatically

38

Software Restriction Policies
• Define security settings related to what programs are allowed to run on system • Individual rules can be based on:
• • • • File’s hash Digital certificate used to sign executable File’s path Internet zone

39

IP Security Policies
• Define IPSec settings • Can enable IPSec for entire network with little effort

40

Security Templates
• Used to:
• Define, edit, and save baseline security settings • Applied to computers with common security requirements • Meet organizational security standards

• Help ensure
• Consistent setting can be applied to multiple machines • Easily maintained

• Stored in .inf files
41

Security Templates (continued)
• Setup Security.inf.
• Default template • Provides single file in which all original computer security settings are stored

• Incremental templates
• Only apply to machines already running default security settings

• Use Security Templates snap-in to create custom templates
42

Analyzing Security
• Security Configuration and Analysis utility • Compare current system settings to previously configured security template • Identifies
• Changes to original security configurations • Possible security weaknesses

43

Using the Group Policy Management Console
• Available as free download for Windows Server 2003 customers • Brings together tools and options accessible from number of different tools • Adds new functionality • Highly recommended
• Especially in large deployments

44

Troubleshooting Group Policy
• Most important thing is interaction of:
• • • • • • • Links to containers Priority ordering by administrators No Override Block Inheritance ACL permissions Loopback Processing Mode WMI filters

45

Troubleshooting Tools
• • • • Resultant Set of Policy (RSoP) Gpresult Gpupdate Dcgpofix

46

Summary
• Group Policy applies settings to users and computers in:
• Site • Domain • Organizational unit

• Order of application for GPOs is:
• • • • Local Site Domain Organizational unit
47

Summary (continued)
• User or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply • To affect domain accounts, account policies must be set at the domain level • Security management using Group Policy is accomplished with security templates

48