Group Policy for Corporate Policy PowerPoint PPT Presentation

1
Group Policy for Corporate Policy
  • Chapter Eleven

2
Controlling the User Environment through
Administrative Templates
  • ADM files
  • Computer templates
  • User templates

3
Administrative Templates
  • Files with .adm extension
  • Describe registry settings
  • Can be loaded into Local Computer Policy or into a domain GPO
  • Included with Windows Server 2003
  • System.adm (security settings and desktop
    restriction)
  • Inetres.adm (Internet Explorer)
  • Wmplayer.adm (Windows Media Player)
  • Conf.adm (Microsoft NetMeeting)
  • Wuau.adm (Windows Update Service)

4
Client-side Extensions
  • Allow for more advanced control and configuration
  • Included with Windows Server 2003 and Windows XP
  • EFS (encrypting file system) recovery
  • Folder redirection
  • Internet Explorer maintenance
  • IP security

5
Client-side Extensions (continued)
  • Included with Windows Server 2003 and Windows XP
  • Microsoft Disk Quota
  • QoS Packet Scheduler
  • Scripts
  • Security
  • Software installation
  • Wireless

6
ADM Files
  • Administrative templates are text files that
    define the Registry settings containing the desired
    configurations
  • These templates also define how GP settings are
    displayed under the Administrative Templates nodes in the
    Group Policy Editor

7
ADM Files
8
ADM Files
  • Features of the ADM file
  • CLASS (USER or MACHINE)
  • CATEGORY
  • KEYNAME and VALUENAME (the registry key and value a
    policy writes)
  • POLICY
  • EXPLAIN
  • STRING
  • PART
  • PartTypes
  • NUMERIC
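
The keywords above form a small grammar, and reading an ADM file is the quickest way to see exactly which registry value a policy toggles. The following Python script is an added example and is not part of the presentation: it parses a constructed .adm template (the ExampleCorp key, value and policy names are hypothetical) into the hive, key and value each POLICY controls, and flags any KEYNAME that lies outside the protected Policies subtrees, because such a setting "tattoos" the registry and stays behind after the GPO is removed.

```python
"""Parse a classic .adm administrative template into the registry settings it controls.

Added example, not from the slides: it walks the keywords listed above (CLASS,
CATEGORY, POLICY, EXPLAIN, PART, NUMERIC, [strings]) and shows what each policy
actually writes to the registry. The template is constructed; its key, value
and policy names are hypothetical.
"""
import re

SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Cat_Example
  KEYNAME "Software\Policies\ExampleCorp"
  POLICY !!Pol_NoUsbStorage
    EXPLAIN !!Pol_NoUsbStorage_Help
    VALUENAME "DisableUsbStorage"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!Pol_IdleLock
    KEYNAME "Software\Policies\ExampleCorp\Session"
    PART !!Pol_IdleLock_Minutes NUMERIC
      VALUENAME "IdleLockMinutes"
      MIN 1 MAX 1440 DEFAULT 15
    END PART
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!Cat_Example
  KEYNAME "Software\ExampleCorp\Prefs"
  POLICY !!Pol_NoRun
    VALUENAME "NoRun"
    VALUEON NUMERIC 1
    VALUEOFF DELETE
  END POLICY
END CATEGORY
[strings]
Cat_Example="Example Corp"
Pol_NoUsbStorage="Disable USB storage devices"
Pol_NoUsbStorage_Help="Prevents the USB mass storage driver from starting."
Pol_IdleLock="Idle session lock"
Pol_IdleLock_Minutes="Minutes:"
Pol_NoRun="Remove Run from the Start menu"
'''

HIVE = {"MACHINE": "HKLM", "USER": "HKCU"}
# Only these subtrees are true policy keys: users cannot write them and they are
# cleaned up when the GPO stops applying. A KEYNAME anywhere else "tattoos" the registry.
POLICY_ROOTS = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")


def tattoos(key):
    return not key.lower().startswith(POLICY_ROOTS)


def parse_adm(text):
    """Return one dict per POLICY: hive, category, name, explain, key, valuename, values, parts."""
    parts = re.split(r"^\[strings\]\s*$", text, maxsplit=1, flags=re.M | re.I)
    body, strtab = parts[0], (parts[1] if len(parts) > 1 else "")
    strings = {k.strip(): v.strip().strip('"')
               for k, v in (ln.split("=", 1) for ln in strtab.splitlines() if "=" in ln)}

    def res(tok):                                   # resolve !!Name through [strings]
        tok = tok.strip('"')
        return strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok

    policies, cats, keys = [], [], []               # keys: one KEYNAME slot per open block
    hive = pol = part = None
    for line in body.splitlines():
        toks = re.findall(r'"[^"]*"|\S+', line)
        if not toks:
            continue
        kw = toks[0].upper()
        if kw == "CLASS":
            hive = HIVE[toks[1].upper()]
        elif kw == "CATEGORY":
            cats.append(res(toks[1])); keys.append(None)
        elif kw == "POLICY":
            pol = {"hive": hive, "category": "/".join(cats), "name": res(toks[1]), "explain": "",
                   "key": None, "valuename": None, "values": {}, "parts": []}
            keys.append(None)
        elif kw == "PART":
            part = {"label": res(toks[1]), "type": toks[2].upper(), "key": None, "valuename": None}
            keys.append(None)
        elif kw == "KEYNAME":
            keys[-1] = toks[1].strip('"')           # belongs to the innermost open block
        elif kw == "EXPLAIN":
            pol["explain"] = res(toks[1])
        elif kw == "VALUENAME":
            (part if part is not None else pol)["valuename"] = toks[1].strip('"')
        elif kw in ("VALUEON", "VALUEOFF"):
            pol["values"][kw] = " ".join(toks[1:])  # e.g. "NUMERIC 1" or "DELETE"
        elif kw in ("MIN", "MAX", "DEFAULT"):        # may share a line: MIN 1 MAX 1440 DEFAULT 15
            for k, v in zip(toks[::2], toks[1::2]):
                part[k.lower()] = int(v)
        elif kw == "END":
            effective = next((k for k in reversed(keys) if k), None)   # nearest enclosing KEYNAME
            if toks[1].upper() == "PART":
                part["key"] = effective; pol["parts"].append(part); part = None
            elif toks[1].upper() == "POLICY":
                pol["key"] = effective; policies.append(pol); pol = None
            else:
                cats.pop()
            keys.pop()
    return policies
```

Running parse_adm(SAMPLE_ADM) yields three policies; the first two resolve to keys under HKLM\Software\Policies\ExampleCorp, while the USER policy points at Software\ExampleCorp\Prefs, which tattoos(...) reports as a preference rather than a true policy.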

9
ADM Files
10
Computer Configuration
  • The default nodes within the Computer
    Configuration Administrative Templates
  • Windows Components
  • System
  • Network
  • Printers

11
Computer Configuration
  • Windows Components
  • NetMeeting
  • Internet Explorer
  • Task Scheduler
  • Windows Installer

12
Computer Configuration
  • System
  • Logon
  • Disk Quotas
  • DNS Client
  • Group Policy
  • Windows File Protection

13
Computer Configuration
  • System

14
Computer Configuration
  • Network
  • Offline Files
  • Network and Dialup Connections

15
Computer Configuration
  • Printers
  • No subnodes, but you can configure policy settings

16
User Configuration
  • The following nodes exist by default in
    Administrative Templates under the User
    Configuration node
  • Windows Components
  • Start Menu Taskbar
  • Desktop
  • Control Panel
  • Network
  • System

17
User Configuration
18
User Configuration
  • Windows Components
  • NetMeeting
  • Internet Explorer
  • Windows Explorer
  • Microsoft Management Console (MMC)
  • Task Scheduler
  • Windows Installer

19
User Configuration
  • Start Menu Taskbar
  • This node can be used to severely restrict and
    limit what a user can do by removing items from
    the taskbar and Start menu
  • Desktop
  • Active Desktop
  • Active Directory

20
User Configuration
  • Control Panel
  • Add/Remove Programs
  • Display
  • Printers
  • Regional Options

21
User Configuration
  • Network
  • Offline files
  • Network and dialup connections
  • System
  • Logon/Logoff
  • Group Policy

22
Using Scripts to Apply Configuration Settings to
Users and Computers
  • Overview of scripts
  • Windows Scripting Host (WSH)
  • Assigning scripts through Group Policy

23
Overview of Scripts
  • Scripts can be run at
  • Startup
  • Logon
  • Logoff
  • Shutdown

24
Windows Scripting Host
  • Allows VBScript or JScript (Microsoft's JavaScript
    implementation) to be run natively on 32-bit Windows platforms
  • WSH 5.6 ships with Windows XP and Windows Server 2003
  • WSH comes with two executable files
  • WScript - windowed (GUI) version of WSH
  • CScript - command-line version of WSH
  • Extensions .vbs, .js, .wsf

25
Windows Scripting Host
  • Options

26
Scripts
  • GPOs can contain scripts for
  • Logon (User Configuration)
  • Logoff (User Configuration)
  • Startup (Computer Configuration)
  • Shutdown (Computer Configuration)
  • Can be written in languages such as
  • VBScript (.vbs)
  • JScript (.js)
  • Must store scripts in location accessible to
    users running them - SYSVOL

27
Windows Scripting Host
  • Assigning scripts through Group Policy

28
Windows Scripting Host
  • Assigning scripts through Group Policy

29
Windows Scripting Host
  • Assigning scripts through Group Policy

30
Logon Scripts
  • Hello.vbs
      MsgBox "Hello World!"
  • Hello.js
      WScript.Echo("Hello World!");

31
Logon Scripts
  • Map Network Drive on Logon
      Dim net
      Set net = CreateObject("WScript.Network")
      ' Arguments: drive letter, UNC path, update profile, user name, password
      ' Hard-coded credentials like these sit in SYSVOL, which every authenticated
      ' user can read; omit the last two arguments so the logged-on user's own
      ' credentials are used instead
      net.MapNetworkDrive "W:", "\\tcpipinstr.pbcc.edu\share2", False, "administrator", "network"

32
Logoff Scripts
  • Disconnect Mapped Drive on Logoff
      Dim net
      Set net = CreateObject("WScript.Network")
      ' Second argument False: do not force removal while files are still open
      net.RemoveNetworkDrive "W:", False

33
Startup Scripts
  • Copy a file
      Dim fso
      Set fso = CreateObject("Scripting.FileSystemObject")
      ' Startup scripts run as LocalSystem, so the share must grant read access
      ' to the computer account (e.g. Domain Computers), not to a user
      ' A trailing backslash marks the destination as an existing folder
      fso.CopyFile "\\tcpipinstr.pbcc.edu\share2\text.txt", "F:\folder\"

34
Startup Scripts
  • Set a default printer
      Dim net
      Set net = CreateObject("WScript.Network")
      ' The default printer is a per-user setting; in a startup script this runs
      ' as LocalSystem and changes SYSTEM's default, not the user's. Assign it as
      ' a logon script to affect the user who logs on.
      net.SetDefaultPrinter "\\192.168.0.1\deskjet"

35
Windows Scripting Host
  • Assigning scripts through Group Policy

36
Using Folder Redirection to Move User Files to a
Server
  • An extension within Group Policy
  • Only the following folders can be redirected
  • Application Data
  • Desktop
  • My Documents
  • My Pictures
  • Start Menu

37
Folder Redirection
  • Allows the administrator to change the location of
    default Windows folders
  • Locate them on a server
  • Allows users to access their files from any
    computer on the network
  • \\servername\userfiles

38
Using Folder Redirection to Move User Files to a
Server
  • Basic: Redirect Everyone's Folder To The Same
    Location
  • \\server\folders\username

39
Using Folder Redirection to Move User Files to a
Server
  • Advanced: Specify Locations For Various Groups

40
Using Folder Redirection to Move User Files to a
Server
41
Using Folder Redirection to Move User Files to a
Server
  • Available settings
  • Grant The User Exclusive Rights To <special
    folder>
  • Move The Contents Of <special folder> To The New
    Location
  • Policy Removal

42
Using Folder Redirection to Move User Files to a
Server
  • Consider

43
Group Policy
  • Introduced in Windows 2000
  • Enhanced in
  • Windows XP
  • Windows Server 2003
  • Largely collection of registry entries
  • Enhancements in Windows Server 2003
  • Transient policy settings
  • Expanded capabilities

44
Group Policy Storage
  • Stored on
  • Domain controllers
  • Local computers
  • Local policy object
  • Stored in the hidden folder %SystemRoot%\System32\GroupPolicy
  • Referred to as local computer policy
  • Applies only to local computer
  • Great for workgroup environment

45
Group Policy Storage (continued)
  • GPOs
  • Stored on domain controllers
  • Centrally managed
  • Single GPO typically affects many users and
    computers
  • One part stored in Active Directory database
  • Called group policy container (GPC)
  • Other stored in SYSVOL share
  • Referred to as group policy template (GPT)

46
Group Policy Storage (continued)
  • GPT subfolders
  • Adm
  • USER
  • USER\applications
  • MACHINE
  • MACHINE\applications

47
Creating a Group Policy Object
  • Tools for creating GPOs
  • Group Policy standalone Microsoft Management
    Console (MMC) snap-in
  • Group Policy extension in Active Directory Users
    and Computers

48
Group Policy Processing
  • GPOs linked to sites, domains, and organizational
    units using GPO links
  • Applies to user and computer objects that exist
    in container to which they are linked
  • Can be linked with multiple organizational units,
    sites, or even domains
  • Only stored on domain controllers in domain where
    created

49
Group Policy Priority
  • Processing order
  • First policy to be applied is the local computer
    policy
  • Any GPOs linked to site are applied
  • GPOs linked to domain are applied
  • GPOs linked to organizational units are applied

50
Group Policy Priority (continued)
  • Process is followed twice
  • Once for Computer Configuration
  • When computer starts up
  • Once for User Configuration
  • When user logs on
  • If the same setting is configured in both, the
    Computer Configuration setting normally takes
    precedence (the setting's Explain text notes the
    exceptions)

51
Default GPO Processing Order
52
Dealing with Conflict
  • Options for policy settings
  • Enabled
  • Disabled
  • Not Configured
  • Policy settings from multiple GPOs can be
    combined
  • As long as they do not conflict
  • In case of conflict
  • GPO to be applied last wins
  • Local, Site, Domain, OU (the OU-linked GPO is
    applied last, so its setting is the one that takes
    effect)

53
Modifying Group Policy Priority
  • Modify priority by configuring settings
  • No Override (called Enforced in GPMC)
  • Set on a GPO link; the GPO's settings cannot be
    overridden by GPOs linked to containers further down
    the hierarchy
  • An OU-linked GPO cannot override a No Override GPO
    linked at the domain
  • Block Policy Inheritance
  • Set on a container; blocks GPOs inherited from higher
    containers (an OU can block GPOs linked at the domain)
  • Cannot block GPOs set to No Override
  • Loopback Processing Mode (a Computer Configuration
    setting)
  • Replace: the User Configuration settings of the GPOs
    that apply to the computer are applied instead of
    those that apply to the user
  • Merge: both sets are applied; the computer's GPOs are
    processed last, so their User Configuration settings
    win any conflict
  • Used in kiosk or terminal server environments where
    the user's own User Configuration should not apply

54
Controlling Group Policy Application with
Permissions
  • GPOs cannot be linked to groups
  • Application of Group Policy can be controlled
    through permissions

55
Controlling Group Policy Application with
Permissions (continued)
  • Standard permissions available to GPO
  • Full Control
  • Read
  • Write
  • Create All Child Objects
  • Delete All Child Objects
  • Apply Group Policy

56
Windows Management Instrumentation Filters
  • Used to restrict application of GPOs
  • Control GPO application based on computer
    configuration, such as
  • Hardware configuration
  • File existence or attributes
  • Applications being installed
  • Amount of free hard drive space
  • Written in WMI Query Language (WQL)
  • Does not apply to Windows 2000
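
Slides 48 to 56 describe several interacting rules: LSDOU order, last-writer-wins, link order, No Override, Block Policy Inheritance, loopback, Apply Group Policy filtering and WMI filters. The Python model below is an added example, not material from the presentation; it encodes those rules and works them through a constructed lab (GPO, OU, group and setting names are invented, and "LoopbackMode" stands in for the real loopback setting) so that the resultant settings for a given user on a given computer can be checked by hand.

```python
"""Model of how Group Policy resolves for one user logging on to one computer.

Added example, not from the slides: it encodes the precedence rules on slides
48 to 56 (Local, Site, Domain, OU order; last writer wins; link order; No
Override; Block Policy Inheritance; Apply Group Policy filtering with Deny;
WMI filters; loopback Replace and Merge). GPO, group and setting names are
constructed; "LoopbackMode" stands in for the real loopback setting name.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    apply_to: frozenset = frozenset({"Authenticated Users"})  # Read + Apply Group Policy
    deny: frozenset = frozenset()                  # explicit Deny on Apply Group Policy
    wmi: Optional[Callable[[dict], bool]] = None   # WMI filter, evaluated on the computer


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)      # (gpo, no_override); first link = highest priority
    block_inheritance: bool = False


def ordered_gpos(chain):
    """chain is top-down (site, domain, OU, ..., leaf OU). Returns the GPOs in the
    order they are applied; a later GPO overrides an earlier one on conflict."""
    normal, no_override = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []            # drops inherited GPOs, except those set to No Override
        for gpo, enforced in reversed(container.links):   # lowest link order applied first
            (no_override if enforced else normal).append(gpo)
    return normal + no_override[::-1]   # No Override GPOs go last; the highest container's wins


def applies(gpo, groups, facts):
    """Security filtering (Deny beats Allow) followed by the WMI filter."""
    if gpo.deny & groups or not (gpo.apply_to & groups):
        return False
    return gpo.wmi is None or gpo.wmi(facts)


def resolve(local, computer_chain, user_chain, computer_groups, user_groups, facts):
    """Return (computer_settings, user_settings) as resultant dictionaries."""
    comp = dict(local.computer)
    for g in (g for g in ordered_gpos(computer_chain) if applies(g, computer_groups, facts)):
        comp.update(g.computer)
    # Loopback is itself a Computer Configuration setting. In loopback the user side
    # is built from the computer's containers, but it is still the user's token that
    # is checked against Apply Group Policy.
    mode = comp.get("LoopbackMode")
    user_gpos = [] if mode == "replace" else \
        [g for g in ordered_gpos(user_chain) if applies(g, user_groups, facts)]
    if mode in ("replace", "merge"):
        user_gpos += [g for g in ordered_gpos(computer_chain) if applies(g, user_groups, facts)]
    user = dict(local.user)
    for g in user_gpos:
        user.update(g.user)
    return comp, user


COMPUTERS = frozenset({"Authenticated Users", "Domain Computers"})   # a computer account's groups


def build():
    """Constructed lab: one domain, several GPOs and three OUs."""
    sec = GPO("Security Baseline", computer={"MinimumPasswordLength": 12, "SRP": "Disallowed"})
    helpdesk = GPO("Helpdesk Tools", user={"HideRun": False}, apply_to=frozenset({"Helpdesk"}))
    std = GPO("Corporate Standards", user={"Wallpaper": "corp.bmp", "HideRun": True},
              deny=frozenset({"Domain Admins"}))
    laptops = GPO("Laptop Wireless", computer={"WirelessPolicy": "corp-wlan"},
                  wmi=lambda f: f.get("chassis") == "laptop")
    dev = GPO("Developer Workstations", computer={"SRP": "Unrestricted"}, user={"Wallpaper": "dev.bmp"})
    kiosk = GPO("Kiosk Lockdown", computer={"LoopbackMode": "replace"},
                user={"Wallpaper": "kiosk.bmp", "HideRun": True})
    return {
        "local": GPO("Local Computer Policy", computer={"SRP": "Unrestricted"}),
        # link order matters: Helpdesk Tools is listed above Corporate Standards, so it wins
        "domain": Container("corp.example", [(sec, True), (helpdesk, False), (std, False), (laptops, False)]),
        "staff": Container("OU=Staff", [(GPO("Staff Preferences", user={"HomeDrive": "H:"}), False)]),
        "dev": Container("OU=Developers", [(dev, False)], block_inheritance=True),
        "kiosk": Container("OU=Kiosks", [(kiosk, False)]),
        "kiosk_gpo": kiosk,
    }
```

Two results worth tracing by hand: a developer laptop in OU=Developers still ends up with SRP set to Disallowed, because the No Override baseline survives Block Policy Inheritance (while the non-enforced laptop GPO is dropped), and a Helpdesk member on a kiosk loses the Run command in Replace mode even though Helpdesk Tools grants it, because the kiosk GPO is applied later in the computer's chain.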

57
Slow Link Detection
  • When working over slow link
  • May be undesirable to apply parts of Group Policy
  • Client pings domain controller several times
  • To determine link speed
  • 500 Kbps or less is considered slow

58
Default Slow Link Behavior
59
Desktop Management with Group Policy
  • Desktop management
  • One of primary goals that can be accomplished
    with Group Policy

60
Restricting Windows
  • Can protect users from their own mistakes
  • Remove access to features such as
  • Configuring proxy settings
  • Setting desktop wallpaper

61
Security Management with Group Policy
  • Security policy
  • Collection of security-related settings
  • Located in all GPOs
  • Majority of security policy settings apply to
    computers
  • Found in Computer Configuration section

62
Account Policies
  • Includes configuration settings that are often the
    first step in securing a network
  • For domain accounts, effective only when configured in
    a GPO linked to the domain; account policies linked at
    an OU affect only the local accounts of the computers
    in that OU
  • Subcategories
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy

63
Local Policies
  • Wide variety of settings
  • Very flexible
  • Categories
  • Audit policy
  • User rights assignment
  • Security options

64
Restricted Groups
  • Define users that are allowed membership to
    specific groups
  • When group policy applied
  • Any member of restricted group not listed in
    restricted groups member list removed
  • Prevents administrators from accidentally adding
    users to sensitive groups

65
System Services
  • Define which services are started, stopped, or
    disabled on computers
  • Can also configure security for services
  • Effective way to disable unnecessary services on
  • Client computers
  • Servers

66
Registry Settings
  • Define security permissions for registry entries
  • Applied to all computers affected by GPO

67
File System
  • Defines NTFS permissions applied to local hard
    drives of computers affected by GPO
  • Enhance security by removing permissions to files
    and folders

68
Wireless Network Policies
  • Define settings for wireless network connectivity
  • Configure which wireless networks workstations
    can connect to and automatically configure
    Wired Equivalent Privacy (WEP) keys and 802.1X
    authentication
  • WEP is cryptographically broken and should not be
    relied on for confidentiality

69
Public Key Policies
  • Define configuration settings relating to use of
    different public key-based applications such as
  • Encrypting file system (EFS)
  • Automatic certificate enrollment settings
  • Certificate Authority (CA) trusts
  • Autoenrollment
  • New feature
  • Allows computers and users to request version 2
    certificate templates automatically

70
Software Restriction Policies
  • Define security settings related to what programs
    are allowed to run on a system
  • Individual rules can be based on
  • File hash
  • Digital certificate used to sign the executable
  • File path
  • Internet zone
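
The four rule types are not equal: hash rules beat certificate rules, which beat path rules, which beat zone rules, and among path rules the most specific match wins, with a tie going to Disallowed. The Python evaluator below is an added example and not part of the presentation; it applies that precedence to a constructed rule set (the paths, publisher name, environment variables and the placeholder hash are all invented) and shows why a Disallowed rule on %WINDIR%\Temp is needed when %WINDIR% itself is Unrestricted.

```python
"""Software Restriction Policies rule evaluation for a given file.

Added example, not from the slides: it applies the rule precedence of Software
Restriction Policies (hash, then certificate, then path, then Internet zone;
among path rules the most specific match wins, and a tie goes to Disallowed)
to a constructed rule set. Paths, publisher name, hash and environment
variables are constructed; the hash is a placeholder, not a real file's digest.
"""
import fnmatch
from dataclasses import dataclass

ENV = {"WINDIR": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}   # constructed environment
BAD_HASH = "3f1e9b0c4d5a6e7f8091a2b3c4d5e6f7"   # placeholder digest of a known-bad build


@dataclass
class Rule:
    kind: str     # "hash" | "certificate" | "path" | "zone"
    match: str    # digest, publisher name, path pattern or zone name
    level: str    # "Disallowed" | "Unrestricted"


@dataclass
class File:
    path: str
    hash: str = ""
    publisher: str = ""     # subject of the Authenticode signature, "" if unsigned
    zone: str = ""          # Internet zone the file came from, if known


RULES = [
    Rule("path", r"%WINDIR%", "Unrestricted"),
    Rule("path", r"%PROGRAMFILES%", "Unrestricted"),
    # %WINDIR%\Temp is writable by ordinary users; without this more specific rule the
    # %WINDIR% rule above would let anyone run whatever they drop there.
    Rule("path", r"%WINDIR%\Temp\*", "Disallowed"),
    Rule("certificate", "Example Corp IT", "Unrestricted"),
    Rule("hash", BAD_HASH, "Disallowed"),      # hash beats the certificate rule for one bad build
    Rule("zone", "Internet", "Disallowed"),
]


def _expand(pattern):
    for var, value in ENV.items():
        pattern = pattern.replace(f"%{var}%", value)
    return pattern.lower()                  # SRP path matching is case-insensitive


def _specificity(rule):
    return len(_expand(rule.match).split("*")[0])   # longer literal prefix = more specific


def _path_match(rule, path):
    pat, path = _expand(rule.match), path.lower()
    if any(ch in pat for ch in "*?"):
        return fnmatch.fnmatchcase(path, pat)
    return path == pat or path.startswith(pat.rstrip("\\") + "\\")   # folder rule covers its contents


def evaluate(file, rules, default="Disallowed"):
    """Return (level, matching rule or None) for a file under the given rule set."""
    for r in rules:
        if r.kind == "hash" and r.match.lower() == file.hash.lower():
            return r.level, r
    for r in rules:
        if r.kind == "certificate" and r.match == file.publisher:
            return r.level, r
    hits = [r for r in rules if r.kind == "path" and _path_match(r, file.path)]
    if hits:
        best = max(map(_specificity, hits))
        top = [r for r in hits if _specificity(r) == best]
        chosen = next((r for r in top if r.level == "Disallowed"), top[0])   # tie: most restrictive
        return chosen.level, chosen
    for r in rules:
        if r.kind == "zone" and r.match == file.zone:
            return r.level, r
    return default, None    # default security level applies when nothing matches
```

With the default level set to Disallowed, a file dropped into C:\Windows\Temp is blocked by the more specific rule, a signed Example Corp tool outside the allowed folders runs on the strength of its certificate, and the one build listed by hash is blocked even though it carries that same signature.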

71
IP Security Policies
  • Define IPSec settings
  • Can enable IPSec for entire network with little
    effort

72
Security Templates
  • Used to
  • Define, edit, and save baseline security settings
  • Applied to computers with common security
    requirements
  • Meet organizational security standards
  • Help ensure
  • Consistent setting can be applied to multiple
    machines
  • Easily maintained
  • Stored in .inf files

73
Security Templates (continued)
  • Setup security.inf
  • Default template
  • Provides single file in which all original
    computer security settings are stored
  • Incremental templates
  • Only apply to machines already running default
    security settings
  • Use Security Templates snap-in to create custom
    templates

74
Analyzing Security
  • Security Configuration and Analysis utility
  • Compare current system settings to previously
    configured security template
  • Identifies
  • Changes to original security configurations
  • Possible security weaknesses
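
A template comparison is only useful if it distinguishes a harmless deviation from one that weakens the baseline: a longer minimum password than the template asks for is not a finding, a shorter one is. The Python script below is an added example, not part of the presentation; it reproduces the comparison the Security Configuration and Analysis snap-in performs, using a constructed .inf template and a constructed "current" state (on a real host the current state would come from secedit /export /cfg), and applies the correct direction for each setting class.

```python
"""Offline comparison of a machine's security settings against a security template.

Added example, not from the slides: it mirrors what Security Configuration and
Analysis does when it compares a computer with a .inf template, but compares
direction-aware so that only deviations that weaken security are reported.
Both the template and the "current" settings below are constructed sample data;
on a real host the current state would come from secedit /export /cfg.
"""
import configparser

TEMPLATE_INF = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
"""

# What a host reports today (constructed). Values use the same encoding as the
# .inf: plain integers, "type,value" for registry entries, comma-separated SIDs.
CURRENT = {
    "System Access": {"MinimumPasswordLength": "8", "PasswordComplexity": "1",
                      "MaximumPasswordAge": "0", "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditAccountLogon": "3"},
    "Registry Values": {
        r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,3",
        r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,1"},
    "Privilege Rights": {"SeDebugPrivilege": "*S-1-5-32-544,*S-1-5-21-1000-1000-1000-1105"},
}

NEVER_IS_WEAKEST = ("MaximumPasswordAge", "LockoutBadCount")   # 0 / -1 means "never" or "disabled"


def _num(v):
    return int(v.split(",")[-1])       # "4,3" -> 3 ; "12" -> 12


def at_least_as_strict(section, name, tmpl, cur):
    """True when the current value meets or exceeds the template's strictness."""
    if section == "Event Audit":                     # bitmask: 1 = success, 2 = failure
        return (_num(cur) & _num(tmpl)) == _num(tmpl)
    if section == "Privilege Rights":                # no holders beyond those the template allows
        return set(cur.split(",")) <= set(tmpl.split(","))
    t, c = _num(tmpl), _num(cur)
    if name.rsplit("\\", 1)[-1] in NEVER_IS_WEAKEST:
        if c <= 0:
            return t <= 0
        return t <= 0 or c <= t                      # fewer days / fewer attempts is stricter
    return c >= t                                    # everything else: higher is stricter


def analyze(template_text, current):
    """Return (section, setting, template_value, current_value, reason) for each deviation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                             # keep registry paths case-intact
    cp.read_string(template_text)
    findings = []
    for section in ("System Access", "Event Audit", "Registry Values", "Privilege Rights"):
        for name, tmpl in (cp.items(section) if cp.has_section(section) else []):
            cur = current.get(section, {}).get(name)
            if cur is None:
                findings.append((section, name, tmpl, None, "not configured"))
            elif not at_least_as_strict(section, name, tmpl, cur):
                findings.append((section, name, tmpl, cur, "weaker than template"))
    return findings
```

Against the constructed host, analyze(TEMPLATE_INF, CURRENT) reports six findings: the short minimum length, passwords that never expire, lockout disabled, logon auditing that records successes only, LmCompatibilityLevel below the template, and an extra holder of SeDebugPrivilege; RestrictAnonymous and the complexity requirement already meet the template and are not listed.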

75
Using the Group Policy Management Console
  • Available as free download for Windows Server
    2003 customers
  • Brings together tools and options accessible from
    number of different tools
  • Adds new functionality
  • Highly recommended
  • Especially in large deployments

76
Troubleshooting Group Policy
  • Most important thing is interaction of
  • Links to containers
  • Priority ordering by administrators
  • No Override
  • Block Inheritance
  • ACL permissions
  • Loopback Processing Mode
  • WMI filters

77
Troubleshooting Tools
  • Resultant Set of Policy (RSoP)
  • Gpresult
  • Gpupdate
  • Dcgpofix