Installing and Configuring FAZAM 2000 - PowerPoint PPT Presentation

Slides: 69
Provided by: louklub
Transcript and Presenter's Notes

1
The FAZAM 2000 Group Policy Management Solution for Windows 2000
Danny Kim, Louis Klubenspies
2
FAZAM 2000 v3.0 Product Training Agenda
  • Introduction
  • Section 1: Overview of FullArmor and FAZAM 2000
  • Section 2: Installing and Configuring FAZAM 2000
  • Section 3: Administration
  • Section 4: Planning and Analysis
  • Section 5: Diagnostics and Auditing
  • Section 6: Repository Operations
  • Section 7: Repository Administration
  • Wrap-Up / QA
4
Who Is FullArmor?
  • FullArmor is the leading provider of Enterprise
    Policy Management Software
  • Headquartered in Boston, MA
  • Our West Coast Sales Office is located in Irvine, CA
  • Privately held, founded in 1987
      • 1987: Windows Lockdown Management (FullArmor Solution)
      • 1993: Windows NT System Policy Management (FAZAM NT)
      • 2000: Windows 2000 Group Policy Management (FAZAM 2000)
      • 2002: Windows 2000 Group Policy Repository (FAZAM GPR)

5
Who's using FAZAM 2000?
Registered Trademarks are the Property of their Respective Owners
6
Why Group Policy Management?
  • In reality, Active Directory isn't going to be
    the tough challenge Group Policy is.
  • Ty Carlson, Microsoft RDP

7
Managing Group Policy Objects
  • FAZAM 2000 / NetIQ GPA v2.0
  • Policy Centric View of Active Directory
  • Resultant Set of Policies (RSoP)
  • Backup and Restore
  • GPO Reporting
  • Searching GPO settings
  • Remote Diagnostics
  • GPO Health Check Report
  • Granular Delegation of Administration
  • GPO Replication Across Domains
  • Process Automation and Scripting

8
Additional Benefits
  • Fully Microsoft Management Console Compliant
    (shipped as three MMC Snap-ins)
  • Provides heterogeneous Group Policy Management
    across Windows 2000, Windows XP and Windows .NET
    environments.
  • Has received both the Certified for Windows 2000
    Server and Designed for Windows XP logos
  • The FullArmor Corporation is a Microsoft Gold
    Certified Partner

9
What's New in Version 3.0?
  • FAZAM 2000 GP REPOSITORY
  • A SOLID FOUNDATION for implementing change and
    configuration management (CCM) processes in your
    Group Policy environment
  • ANSWERS to the four Ws of GPO Change Management:
      • Who made the change?
      • What did they change?
      • When was the change made?
      • Why was the change made?
  • MORE GRANULAR ADMINISTRATION, enabling you to
    delegate GPO change permissions without fear of
    corrupting your live production domains

10
The FAZAM GPR Feature Set
  • An Integrated Development Lifecycle for Group
    Policy. Features include:
      • Offline creation and deletion
      • Import and export to and from AD
      • Copy and paste
      • Check-out and check-in
      • Rename
      • Edit AD linkage
      • Report
      • Compare
      • Approve
      • Migrate
      • Rollback
  • Granular delegation of every feature enables you
    to establish customized administrative roles for
    Group Policy administration in your environment

11
Basic GPR Workflow
1. Import GPO from test domain (or create directly in GPR)
2. Check-out from GPR and make changes
3. Check-in to staging domain in GPR
4. Export to test AD for live testing
5. Once changes are approved, GPO is migrated to launch domain in GPR
6. GPO is exported to production AD and goes live
Diagram labels: LAUNCH, STAGING
12
How does GPR compare to native Windows?
14
FAZAM 2000 / GPA v2.0 Product Architecture
Plan, Deploy, Manage GPOs
Management Console (MMC Snap-ins)
Live Active Directory Domain Controller
Group Policy Administrator
Troubleshoot Remote Desktops
faDiagService
15
FAZAM 2000 / GPA v2.0 Product Architecture
  • Three MMC Snap-ins
  • Reporting functions use the Crystal Reports
    version 7.0 runtime engine
  • Reporting functions also use an Access 2000
    reporting database
      • Does not require Access to be installed
  • Extensible by the user to support custom ADM
    templates, using the FAAdmPublisher applet

16
FAZAM 2000 / GPA v2.0 Product Distribution
  • Microsoft Windows Installer (MSI) Compliant
      • Distributed as MSI packages
      • Can be deployed via SMS or Group Policy
  • Scripting functions use a COM object that exposes
    the FullArmor scripting API
      • Installed by default along with FAZAM 2000

17
FAZAM 2000 / GPA v2.0 Installation Requirements
  • Active Directory
      • FAZAM 2000 gets all its information from a live
        AD in real-time
  • An Admin workstation that supports MMC
      • FAZAM 2000 is packaged as three MMC snap-ins
      • Windows 2000 Pro/Adv Serv SP2, Windows XP
  • The FullArmor Policy Diagnostic Service
      • Required on each policy-aware client for the
        Auditing and Diagnostics snap-in to work properly.

18
FAZAM 2000 / GPA v2.0 Installation non-Requirements
  • No Schema Modifications Required
  • No Native File Formats are Altered
      • FAZAM can be used in conjunction with any of the
        native MS MMC snap-ins
  • No External Data Store
      • FAZAM data comes from a live AD; changes are
        immediately reflected in the tool, and vice versa

19
FAZAM 2000 / GPA v2.0 Typical Deployment Scenarios
  • Locally on Administrator Workstations
      • Any MMC-capable system
  • Terminal Server
      • Allows remote administration, single image of
        FAZAM, single reporting database
      • Useful for centralizing scripting operations
  • Remote workstation via VPN
      • Allows secure remote dialup administration

20
FAZAM 2000/GPA 2.0 The Default Console
  • Three MMC Snap-ins
      • FAZAM 2000 Administrator: Performs day-to-day
        Operations functions like searching, backup and
        restore, policy replication, reporting, etc.
      • FAZAM 2000 Policy Planning and Analysis: Performs
        Resultant Set of Policy (RSoP) calculations,
        What-If modeling, and GPO summary reports.
      • FAZAM 2000 Policy Auditing and Diagnostics:
        Provides advanced troubleshooting and diagnosis
        tools for use on policy-aware clients (Windows
        2000 and XP workstations and servers).

21
FAZAM 2000/ GPA v3.0 The Default Console
  • FAZAM 2000 v3.0 Management Console: Four MMC
    Snap-ins
      • FAZAM 2000 Administrator
      • FAZAM 2000 Policy Planning and Analysis
      • FAZAM 2000 Policy Auditing and Diagnostics
      • FAZAM 2000 GP Repository

22
FAZAM 2000 / GPA v3.0 Product Architecture
Plan, Deploy, Manage GPO Changes
Management Console (MMC Snap-ins)
Group Policy Administrator
Troubleshoot Remote Desktops
Live Active Directory Domain Controller
faDiagService
23
FAZAM 2000/ GPA v3.0 Product Architecture
  • Repository Server Setup on:
      • Microsoft SQL Server Standard Edition
      • Microsoft SQL Server Enterprise Edition
      • MSDE (Microsoft SQL Desktop Edition)
      • MSDE for evaluation and very small enterprises.
        Recommend Standard or Enterprise
  • Enhanced Reporting using Crystal Reports 8.5
  • GP Editor integrated into the product
      • Requires a special container in AD to support GP
        Edit operations

24
Additional Installation Requirements in v3.0
  • Active Directory
      • User installing the Server Component requires
        permissions in AD to create a Domain Local Group
  • SQL Server
      • User installing the Server Component requires SQL
        Server administration privileges to create the
        database, users and groups

26
FAZAM 2000 Administrator Snap-in
  • The Administrator Snap-in provides the following
    functions:
      • Policy-centric view of Active Directory
      • GPO Reporting
      • GPO Backup and Restore
      • GPO Search
      • Import of settings
      • Copy and Paste of settings
      • Merge of settings
      • Delegation of ADM templates
      • GPO Replication

27
Reporting
  • Requires read-only access to GPO
  • Organized into:
      • GPO Summary Info
      • AD Links
      • Security Filters
      • GPO Settings
  • Consistent report format for GPO, RSoP,
    Diagnostics

28
GPO Reporting
29
FaAdmPublisher Features
  • The FullArmor ADM Publisher (FaAdmPublisher.exe)
    allows an administrator to extend the reporting
    capabilities of FAZAM 2000 by including
    non-standard, custom or recently-released ADM
    templates
  • Enables updated reporting of GPO settings without
    requiring or waiting for a revision of FAZAM 2000
  • Installed by default with FAZAM 2000
  • NOTE: ADM templates are added to GPOs using the
    Group Policy Editor snap-in

30
GPO Backup Features
  • Complete GP Object Backup
      • Captures settings (AD and SYSVOL), relevant
        GPlink properties and ACLs for each policy
        object; each option is individually selectable
  • HTML reporting of backup information
      • Option to include a report in the backup folder
  • Backs up (uncompressed format) to any writable
    media
      • HDD, FDD, CD-R, Tape, Network Shares, etc.
  • GPOs are referenced by GUID in the backup archive
  • Allows comments to be included in the backup
    archive
  • Backups are scriptable
  • Security Requirement: User must have read
    permissions to the GPO and the container(s)
    associated with it

31
GPO Restore Features
  • Complete GP Object Restore
      • Restores settings (AD and SYSVOL), relevant
        GPlink properties and ACLs for each policy
        object; each option is individually selectable
  • Authoritative Restores
      • Restored GPO version numbers are updated and
        become authoritative for AD/SYSVOL replication
  • Single or Multiple Target restores
      • Option to restore a GPO to more than one domain
  • Security Requirements: User must be a member of
    one of the following:
      • Enterprise Administrators
      • Domain Administrators
      • Group Policy Creator Owners

32
GPO Search Features
  • Allows a user to search for GPOs based on any of
    the following criteria:
      • GPO Name
      • GPO GUID
      • Registry data (POL files)
      • Registry Key
      • Registry Name
      • Literal string
  • The Search function also supports:
      • Arithmetic comparisons
      • Wildcard search strings
      • Boolean AND/OR complex searches based on multiple
        criteria
  • Search scope is the domain
  • Security Requirement: User must have read
    permissions to the GPO

33
Scripting Features
  • The Backup, Import and Reporting functions are
    currently scriptable in Version 3.0 of FAZAM 2000
  • FullArmor provides a COM object that exposes a
    scripting API that can be accessed via simple VB
    scripts
  • Scripts can be run on a scheduled basis using
    Task Scheduler
  • Required permissions are the same as when using
    the UI

34
A Sample Script
35
Other Features
  • Import
      • Import GPO data from backup
  • Copy/Paste
      • Copy and Paste GPO settings
  • Merge GPO Settings
      • Merge settings from one GPO to another
  • Create GPO
  • Link GPO to AD Container
  • Unlinked GPOs
  • Site GPOs

37
Quick Review: Policy Hierarchy
  • Policies are inherited from higher levels
  • Policy inheritance can be blocked
      • And blocks can be overridden
  • Where two or more GPOs affect the same setting(s)
    the policy highest in the priority list is
    authoritative
  • When User and Computer settings conflict within
    the same GPO, the computer settings are usually
    authoritative
  • When multiple GPOs are linked at the same
    container level, the GPOs are processed in order
    of lowest to highest priority
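
The precedence rules on this slide, worked through as an added Python example (not from the presentation and not FAZAM code). It assumes the standard Windows processing order of site, domain, then OUs from parent to child, and the Windows 2000 "No Override" link flag as the way a block is overridden; all container, GPO and setting names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False   # Windows 2000 "No Override" flag on a GPO link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # index 0 = highest priority
    block_inheritance: bool = False


def resultant_set(path):
    """Return {setting: (value, winning GPO)} for an object.

    `path` lists the containers from the highest level down to the OU
    that holds the object, e.g. [site, domain, parent OU, child OU].
    """
    # The deepest container that blocks inheritance cuts off everything above it.
    barrier = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)

    normal, enforced = [], []
    for depth, container in enumerate(path):
        ordered = list(reversed(container.links))        # lowest priority first
        # Deeper containers go first so that higher-level No Override links apply last.
        enforced.insert(0, [l for l in ordered if l.no_override])
        if depth >= barrier:
            normal.extend(l for l in ordered if not l.no_override)

    result = {}
    for link in normal + [l for group in enforced for l in group]:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)              # a later link overwrites an earlier one
    return result


def sample_path():
    """Constructed sample hierarchy; every name and setting here is made up."""
    site = Container("Site: HQ", [Link("SiteProxy", {"proxy": "hq-proxy:8080"})])
    domain = Container("Domain: corp", [
        Link("DomainSecurity", {"min_password_length": 12}, no_override=True),
        Link("DomainDefaults", {"wallpaper": "corp.bmp", "screensaver_timeout": 900}),
    ])
    eng = Container("OU: Engineering",
                    [Link("EngDesktop", {"wallpaper": "eng.bmp", "min_password_length": 8})],
                    block_inheritance=True)
    labs = Container("OU: Labs", [
        Link("LabsHigh", {"screensaver_timeout": 300}),
        Link("LabsLow", {"screensaver_timeout": 120, "usb_storage": "disabled"}),
    ])
    return [site, domain, eng, labs]


if __name__ == "__main__":
    for setting, (value, gpo) in sorted(resultant_set(sample_path()).items()):
        print(f"{setting:22} = {value!s:10} (from {gpo})")
```

In the sample, the Engineering OU blocks the site and domain defaults, but the domain's No Override link still sets the password length over the OU's weaker value.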

38
Quick Review: Policy Hierarchy
[Diagram: L, S, D, OU, OU]
39
Planning and Analysis
  • The Planning and Analysis Snap-in provides the
    following functions:
      • Resultant Set of Policy (RSoP) calculations
      • What-if modeling of RSoP
      • UI display of user and computer AD hierarchy
      • GPO Summary Report

40
RSoP Features
  • Policy Hierarchy: Displays the logical policy
    hierarchy (LSDOU) and policy priority list for
    both the user and computer object
  • User and Computer are mandatory
  • Site and Local policies can optionally be
    included in the calculation
  • Supports loopback processing
  • Multi-domain support: can select a user and
    computer from different domains/forests
  • Snap-in can be focused on a local DC to reduce
    network traffic and DC workload
  • What-if analysis: Allows a predictive
    simulation of changes in RSoP based on proposed
    AD changes

41
RSoP Typical Scenarios
  • Planning and Design phase: Architects can verify
    that a proposed namespace and policy design is
    functioning as intended
  • Helpdesk/Support: Helpdesk and Tier 1 support
    can rule out policy settings without having to
    escalate every support call
  • Mobile Users: Enterprise Admins can determine if
    differing Site policies will have adverse effects
    on traveling users
  • User Migrations: Admins can simulate the RSoP
    for users being moved between OUs before actually
    committing to the move in Production

42
RSoP Security and Requirements
  • User must have read permissions to the GPOs and
    containers involved
      • If not, they will be excluded from the
        calculation
  • GPA 2.0 requires User performing RSoP to be a
    member of Enterprise Admins, Domain Admins or
    Group Policy Creator Owners. GPA V3.0 does not
    have this requirement
  • A User and Computer object must be specified
      • Can be in different domains/forests
  • If you are including local policies (LGPOs) in
    the RSoP calculation, the machine must be
    accessible
      • LGPO processing also requires the user to have
        Local Admin rights on the machine being analyzed

43
A Note on Expected vs. Effective Policy
  • Expected Policy refers to the settings that
    should take effect for a particular user on a
    particular machine
      • RSoP shows the expected policy settings
  • Effective Policy refers to the settings that are
    actually in effect for a particular user on a
    particular machine
      • Remote Diagnostics shows the effective policy
        settings

44
GPO Summary Report
  • Displays all GPOs in the domain
  • Report includes:
      • Summary of GPO properties
      • Link Information
      • Basic health of each GPO

46
Remote Diagnostics Features
  • For any networked PC with the FullArmor Policy
    Diagnostic Service installed, Remote Diagnostics
    gives Administrators real-time, non-intrusive
    verification of the policies in effect
  • Windows 2000 machines track down to the
    client-side extension level
  • Windows XP machines track down to the individual
    settings level, allowing for client-side RSoP
    capability in FAZAM

47
Remote Diagnostics Security Requirements
  • Read permissions to all GPO and container
    hierarchies
  • User running the diagnostics must have Local
    Admin rights on the remote machine
  • Policy diagnostic service must be installed on
    the target machine

48
About the FullArmor Policy Diagnostic Service
  • Runs as a local system service on the client
      • Not limited by the security context of the
        currently logged on user, unlike gpresult.exe
      • Gathers policy information on every user to ever
        log onto the computer being analyzed
  • Manual Start: only runs when needed
  • 100Kb footprint
  • Distributed as an MSI package
      • Can be easily deployed via Group Policy or SMS

49
Client Side Auditing Features
  • Client Side Auditing enables Administrators to
    remotely examine a user's application event log
    for any GP-related event IDs
  • Uses WMI to access the event log on the target
    device
  • Only event codes related to GP processing are
    returned to the console

50
Client Side Auditing Security Requirements
  • User must have Local Admin rights to the machine
    being analyzed
  • Machine to be analyzed must be accessible on the
    network

51
Client Side Auditing Step-by-Step
53
Repository Concepts
  • Offline
      • The FAZAM 2000 GP Repository MMC snap-in works
        with an offline database of GPOs.
  • Repository Domains
      • Each of your test and production AD domains whose
        GPOs you wish to manage needs to be modeled
        offline in the Repository Database.
  • Category
      • A convenient grouping of GPOs, e.g. Security,
        Desktop, etc.
      • Can create subcategories (model OU design)
      • Default Categories: All, Backup

54
Repository Concepts
  • Check Out / Check In
      • Prevents more than one user from editing a GPO
      • Need to Check Out GPO to rename, edit settings,
        AD link or security filters
      • Every Check Out / Check In operation increments
        Repository Version number of GPO by 1
  • GPO Version
      • Native Revision number attribute in AD is
        inadequate to keep track of GPO changes
      • Each edit operation increments the GPO version
        number in the Repository

55
Repository Concepts
  • Approval
      • Changes to a GPO have to be approved prior to
        export to AD
      • Approved changes can be unapproved
  • Import/Export
      • GPOs can be imported into GPR without having to
        be recreated
      • GPO changes in Repository are not effected in AD
        until Approved and Exported by Repository Admin

56
Repository Operations - GPO Creation
  • Create New GPO
      • This creates a new GPO offline in the Database
  • Import existing GPO from AD
      • You need not recreate the GPOs already in your
        domain. Just import them
  • Copy and Paste GPO
      • As a New Object: GPOs can be easily copied within
        GPR to quickly clone existing policies and
        create new ones
      • As a Link: Allows multiple administrators to have
        edit access to the same GPO across any GPR
        categories
  • Migrate GPO from another Repository Domain
      • Would be addressed under Multi Domain operations
  • DEMO OF GPO CREATION OPERATIONS

57
Repository Operations - GPO Modification
  • Check Out a GPO
      • Locks GPO for edit by a user
      • Opens GP Editor inside the console to carry out
        changes
  • Change Settings or Links or Security
      • Settings can be changed from GP Editor, Links and
        Filters from Properties node
  • Check In a GPO
      • Creates a new version of GPO inside Repository
      • Unlocks GPO
  • Undo Check Out
      • Discards changes carried out during a check out.
        New version of GPO is not created.
  • DEMO OF GPO MODIFICATION OPERATIONS

58
Repository Operations - Version Management
  • View History
      • Tracks changes made to GPO
      • Who changed, What changed, When changed and
        optionally Why changed
  • Compare Versions
      • Provides difference and similarity between 2
        versions of a GPO
  • Rollback a GPO
      • Sets the GPO back to a previous version's state
  • DEMO OF VERSION MANAGEMENT OPERATIONS

59
Repository Operations - Release Management
  • Approve GPO for Export
      • Changes status of GPO to Approved
  • Unapprove GPO that is marked as Approved
      • Removes the Approved Status
  • Export GPO to live AD domains
      • Cannot export a GPO unless it is Approved
      • Prompts user before overwriting a live AD version
        of the GPO
      • Creates a backup of live AD GPO if GPO already
        exists in AD
  • DEMO OF RELEASE MANAGEMENT OPERATIONS
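
The check-out, check-in, approval and export rules from the Repository Operations slides above, modelled as an added Python example (not FAZAM code and not its scripting API). The starting version number, the reset of approval on check-in, and all user, GPO, setting and change-reference names are assumptions.

```python
from datetime import datetime, timezone


class WorkflowError(Exception):
    """Raised when an operation breaks a Repository workflow rule."""


class RepositoryGPO:
    """Simplified model of one GPO held offline in the Repository."""

    def __init__(self, name, settings):
        self.name = name
        self.settings = dict(settings)
        self.version = 1              # assumed starting version
        self.locked_by = None         # user holding the check-out
        self.approved_by = None
        self.draft = None
        self.history = []             # who / what / when / why per version

    def _require_lock(self, user):
        if self.locked_by != user:
            raise WorkflowError(f"{self.name} is not checked out by {user}")

    def check_out(self, user):
        if self.locked_by is not None:
            raise WorkflowError(f"{self.name} is checked out by {self.locked_by}")
        self.locked_by, self.draft = user, dict(self.settings)

    def edit(self, user, key, value):
        self._require_lock(user)
        self.draft[key] = value

    def undo_check_out(self, user):
        self._require_lock(user)
        self.locked_by = self.draft = None    # edits discarded, no new version

    def check_in(self, user, why=""):
        self._require_lock(user)
        what = {k: v for k, v in self.draft.items() if self.settings.get(k) != v}
        self.settings, self.version = self.draft, self.version + 1
        self.approved_by = None       # assumption: a new version needs fresh approval
        self.history.append({"version": self.version, "who": user, "what": what,
                             "when": datetime.now(timezone.utc), "why": why})
        self.locked_by = self.draft = None

    def approve(self, approver):
        self.approved_by = approver

    def unapprove(self):
        self.approved_by = None

    def export(self, live_ad):
        """Write the approved version into live_ad, a dict standing in for AD."""
        if self.approved_by is None:
            raise WorkflowError(f"{self.name} v{self.version} is not approved")
        backup = live_ad.get(self.name)       # copy of the live GPO, if one exists
        live_ad[self.name] = {"version": self.version, "settings": dict(self.settings)}
        return backup


def demo():
    """Constructed run: names, settings and the change reference are made up."""
    live_ad = {"Desktop Lockdown": {"version": 1, "settings": {"wallpaper": "corp.bmp"}}}
    gpo = RepositoryGPO("Desktop Lockdown", {"wallpaper": "corp.bmp"})
    gpo.check_out("alice")
    gpo.edit("alice", "hide_run_menu", True)
    gpo.check_in("alice", why="CHG-0001 kiosk lockdown")
    blocked = None
    try:
        gpo.export(live_ad)                   # not approved yet
    except WorkflowError as err:
        blocked = str(err)
    gpo.approve("bob")
    backup = gpo.export(live_ad)
    return blocked, backup, live_ad
```

`demo()` returns the refusal message from the unapproved export, the backup taken of the live GPO, and the state of the stand-in domain after the approved export.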

60
Repository Operations - Multi User Operations
  • Allows multiple users from different domains to
    work on same repository database
  • Special UI icons to display GPO being edited by
    another user
  • Concurrency issues addressed by locking GPO
    during edit operations
  • Status of GPO can be viewed by clicking on its
    Category node
  • History dialog displays audit trail of GPO
    operations
  • DEMO OF MULTI USER OPERATIONS

61
Repository Operations
  • Multi Domain Operations
      • Migration of GPOs between:
          • Domains in the same forest
          • Non-trusted domains in different forests
          • Disconnected domains
      • Security Filters and AD Link information Map
          • Automates most of the mapping information
          • Mapping information required to ensure successful
            Export of GPO in target domain (production
            domain)
  • DEMO OF MIGRATION WIZARD

62
Repository Operations - Reporting
  • GPO REPORTS
  • COMPARISON REPORTS
      • Between two versions of a GPO
      • Between two different GPOs in Repository
      • Between a live GPO and a Repository GPO
  • DIFFERENCE REPORTS
      • Between two versions of a GPO
      • Between two different GPOs in Repository
      • Between a live GPO and a Repository GPO

64
Repository Administration
  • Same User interface for end users and Repository
    Administrators
  • Administrators click on View Security icon to
    manage security at all nodes
  • User Interface has context-sensitive toolbars and
    menus that are enabled/disabled based on the
    current node and security rights for the user

65
Repository Administration
  • REPOSITORY SECURITY ARCHITECTURE
      • Very Granular levels of delegation
      • Modeled on Windows and AD security features
        including Inheritance
      • FA_REPOSITORY_MANAGEMENT: A Domain Local Group
        created in AD. Offers recovery mechanism if admin
        is locked out. Do not delete/rename this group.
        Restrict membership to this group
  • Security Rules
      • Security is inherited from parent nodes
      • Permission set on object overrides inherited
        permission
      • Deny Overrides Allow
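
An added Python example (not FAZAM code) that evaluates the three Security Rules above over a Repository tree. It reads them the way Windows orders ACL entries, so an entry on the nearest node beats an inherited one and Deny wins only among entries on the same node; the right names, the users, every group except FA_REPOSITORY_MANAGEMENT, the default-deny fallback and the recovery-group bypass are assumptions.

```python
RECOVERY_GROUP = "FA_REPOSITORY_MANAGEMENT"   # group name from the slide


class Node:
    """One node of the Repository tree (repository, domain, category or GPO)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.acl = []                 # explicit entries: (principal, right, allow?)

    def allow(self, principal, right):
        self.acl.append((principal, right, True))
        return self

    def deny(self, principal, right):
        self.acl.append((principal, right, False))
        return self


def check_access(node, principals, right):
    """Return (allowed, reason) for a user holding the given set of principals."""
    # Assumption: recovery-group members always get in, which is why the
    # slide says to restrict membership of that group.
    if RECOVERY_GROUP in principals:
        return True, f"member of {RECOVERY_GROUP}"
    current = node
    while current is not None:
        matches = [ok for (who, what, ok) in current.acl
                   if who in principals and what == right]
        if matches:
            # Entries on the nearest node win over anything inherited;
            # among entries on that same node, Deny overrides Allow.
            if all(matches):
                return True, f"allowed at {current.name}"
            return False, f"denied at {current.name}"
        current = current.parent      # nothing set here: inherit from the parent
    return False, "no matching entry (assumed default: deny)"


def build_sample():
    """Constructed tree; group, user and right names are hypothetical."""
    repo = Node("Repository").allow("GP Editors", "edit")
    staging = Node("STAGING", repo)
    launch = Node("LAUNCH", repo)
    launch.deny("GP Editors", "edit").allow("GP Release Managers", "export")
    desktop = Node("LAUNCH/Desktop", launch)
    kiosk = Node("LAUNCH/Desktop/Kiosk GPO", desktop).allow("alice", "edit")
    shared = Node("STAGING/Shared GPO", staging)
    shared.allow("GP Editors", "edit").deny("Contractors", "edit")
    return {n.name: n for n in (repo, staging, launch, desktop, kiosk, shared)}


if __name__ == "__main__":
    tree = build_sample()
    cases = [
        ("LAUNCH/Desktop", {"bob", "GP Editors"}, "edit"),
        ("LAUNCH/Desktop/Kiosk GPO", {"alice", "GP Editors"}, "edit"),
        ("STAGING/Shared GPO", {"carol", "GP Editors", "Contractors"}, "edit"),
        ("LAUNCH", {"dave", RECOVERY_GROUP}, "export"),
    ]
    for name, principals, right in cases:
        print(name, right, check_access(tree[name], principals, right))
```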

66
REPOSITORY SECURITY
  • Typical Roles
      • Repository Admin
      • GP Creator/Editor
      • GP Approver
      • GP Test Manager
      • GP Release Manager
  • Smaller Organizations can collapse these roles
    when the same person carries out multiple tasks

67
Repository Administration
  • SCRIPTING
      • Most UI operations scriptable (Import, Export, GP
        Report, Comparison, Difference Report,
        Domain/Category creation)
      • Important Scripting parameters provided in the UI
  • Database Maintenance
      • Repository Administrators need to maintain
        periodic backups using native SQL backup tools

68
Questions, Comments or Compliments
  • Email
      • Danny: dkim_at_fullarmor.com
      • Dilip: dradhakrishnan_at_fullarmor.com
      • Lou: lklubenspies_at_fullarmor.com