Managing Group Policy

1
Chapter 4

• Managing Group Policy

2
Objectives

• Create and manage Group Policy objects to control
  user desktop settings, security, scripts, and
  folder redirection
• Manage and troubleshoot Group Policy inheritance
• Deploy and manage software using Group Policy

3
Introduction to Group Policy

• Group Policy
• Enables the centralized management of user and
  computer configuration settings
• Implemented using a Group Policy object

4
Introduction to Group Policy (Continued)

• Group Policy object (GPO)
• Used to perform a variety of administrative
  tasks, including
• Configure desktop settings using administrative
  templates
• Control security settings for users and computers
• Assign scripts to run when
• A user logs on or off
• A computer is started up or shut down

5
Introduction to Group Policy (Continued)

• Redirect folders out of a users local profile to
  a different network location
• Automate software distribution and maintenance to
  computers throughout the network

6
Creating a Group Policy Object

• Ways to create a GPO
• Group Policy standalone Microsoft Management
  Console (MMC) snap-in
• Group Policy extension in Active Directory Users
  and Computers
• Once a GPO is created
• Edit the GPO to control specific user or computer
  settings

7
Configuration categories available for GPOs
8
Creating a Group Policy Object (Continued)

• The GPO content is stored in two different
  locations on the server
• Group Policy container (GPC)
• Stores information about the GPO and includes a
  version number
• Located in
• Active Directory Users and Computers\System\Polici
  es

9
Creating a Group Policy Object (Continued)

• Group Policy template (GPT)
• Contains the data that makes up the Group Policy
• Stored in
• The systemroot\\Sysvol\ltDomain Namegt\Policies
  folder
• Globally unique identifier (GUID)
• A unique 128-bit number assigned to the GPO when
  it is created
• Used to identify both the GPC and the GPT

10
Application of Group Policy

• GPOs can apply a variety of configuration options
  to the
• Local computer
• Site
• Domain
• OU
• Main categories to a Group Policy
• Computer Configuration
• User Configuration

11
Controlling User Desktop Settings

• Group Policy
• Helps reduce administrative costs by allowing the
  administrator to
• Enforce standard computer configurations
• Limit user access to various areas of the
  operating system
• Ensure that users have their own personal desktop
  and application settings
• Administrative templates
• Consist of several categories of configuration
  settings

12
Configuration categories of administrative
templates
13
Managing Security with Group Policy

• Group Policy
• Can be used to modify and maintain a number of
  domain-based security configurations to comply
  with organizational security standards
• Security templates
• Can be created based on current security standards

14
Configuring Account Policies

• Account Policies node
• Found under the computer configuration category
  of a GPO
• Includes three subcategories
• Password Policy
• Account Lockout Policy
• Kerberos Policy
• Password Policy node
• Contains configuration settings for the
  passwords
• History
• Length
• Complexity

15
Password policies in Windows Server 2003
16
Configuring Account Policies (Continued)

• Account Lockout Policy node
• Contains configuration settings for
• Password lockout threshold and duration
• Reset options

17
Account Lockout Policies
18
Configuring Account Policies (Continued)

• Kerberos Policy node
• Contains configuration settings for
• Kerberos ticket-granting ticket (TGT)
• Session ticket lifetimes and time stamp

19
Kerberos policy node configuration
20
Managing Security with Group Policy

• Other nodes under the security settings category
• Local Policies
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wireless Network (IEEE 802.11) Policies
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Active Directory

21
Using the Security Configuration Manager Tools
with Group Policy

• Security Configuration Manager tools
• Can be used with Group Policies to
• Create a Security Policy template using a
  specific group of security settings
• Can be used to analyze and implement security
  settings on a computer system
• Useful in maintaining security settings

22
Using the Security Configuration Manager Tools
with Group Policy (Continued)

• Core components of the Security Configuration
  Manager tools
• Security templates
• Security settings in Group Policy objects
• Security Configuration and Analysis tool
• Secedit command-line tool

23
Security Templates

• A security template
• Is used to define, edit, and save baseline
  security settings to be applied to computers with
  common security requirements
• Helps ensure that a consistent setting can be
  applied to multiple machines and easily
  maintained
• Is created and edited using the Security
  Templates snap-in

24
Viewing the Security Templates console
25
Analyzing the Preconfigured Security Templates

• First step in configuring and implementing
  security templates
• Categorize the network computers into
• Workstations
• Servers
• Domain controllers

26
Analyzing the Preconfigured Security Templates
(Continued)

• Setup Security.inf template
• Stores the default security settings applied to
  the computer when Windows Server 2003 is
  installed
• Purpose
• Provides a single file in which all of the
  original computer security settings are stored

27
Analyzing the Preconfigured Security Templates
(Continued)

• Incremental templates
• Modify security settings incrementally
• Allow the creation of security configurations
  other than the basic security settings
• Include
• Compatws.inf
• Securews.inf and Securedc.inf
• Hisecws.inf and Hisecdc.inf
• DC Security.inf
• Rootsec.inf

28
Analyzing the Preconfigured Security Templates
(Continued)

• Applying security templates
• Security templates can be applied to either the
  local machine or the domain via GPOs
• To apply a security template to a local machine
• Open the Local Security Settings MMC snap-in
• Right-click Security Settings in the console pane
  and choose Import Policy
• Select the template file to be imported

29
Security Configurations and Analysis

• Security Configuration and Analysis utility
• Compares current system settings to a previously
  configured security template
• Identifies
• Changes to the original security configurations
• Possible security weaknesses that may be evident
  when compared to a stronger security baseline
  template

30
Security Configurations and Analysis (Continued)

• Results of the comparison
• A green check mark
• Indicates that the two settings match
• A red x
• Indicates a mismatch

31
Viewing the Security Configuration and Analysis
tool
32
Analyzing security on a computer
33
Security Configurations and Analysis (Continued)

• Secedit.exe
• Command-line tool that is used to
• Create and apply security templates
• Analyze security settings
• Can be used in situations where Group Policy
  cannot be applied

34
Assigning Scripts and Redirecting Folders

• Scripts
• Can be used in Windows Server 2003 to perform
  tasks at various times during the logon or logoff
  process
• Computer startup and shutdown scripts
• Configured in the computer section of a GPO
• User logon and logoff scripts
• Configured in the user section of a GPO

35
Assigning Scripts and Redirecting Folders
(Continued)

• Folder redirection
• Group Policy feature
• Enables you to redirect the following contents of
  a users profile to a network location
• Application data
• Desktop
• My Documents
• Start menu

36
Folder redirection settings
37
Managing Group Policy Inheritance

• Order in which Group Policy is applied
• Local computer, site, domain, parent OU, child OU
• All individual GPO settings are inherited by
  default
• At each level, more than one GPO can be applied
• If there is more than one GPO per container
• Policies are applied in the order that they
  appear on the Group Policy tab for the container,
  starting with the bottom GPO first

38
Managing Group Policy Inheritance (Continued)

• Multiple policies applied to a user or computer
• If there is no conflict
• Both policies are applied
• If there is a conflict
• Later settings overwrite earlier settings
• Computer policies usually overwrite user policies

39
Configuring Block Policy Inheritance, No
Override, and Filtering

• Blocking Group Policy inheritance
• Done when you do not want any higher-level
  settings to be applied to a particular child
  container
• Configuring No Override
• Done when you want a particular GPOs settings to
  always be enforced
• Filtering policy settings for groups
• Done to prevent policy settings for groups from
  applying to a particular user, group, or computer
  within a container

40
Blocking Group Policy inheritance
41
Configuring No Override on a Group Policy object
42
Troubleshooting Group Policy Settings

• Areas to inspect when trying to find the reason
  for a GPO not working as expected
• Active Directory hierarchy
• Order of Group Policy processing
• Containers above and below OU that is causing
  problem
• Group Policys Security tab

43
Troubleshooting Group Policy Settings (Continued)

• Troubleshooting tools
• gpresult.exe
• Resultant Set of Policy (RSoP)
• Can be used to
• Discover Group Policy-related problems
• Illustrate which GPOs were applied to a user or
  computer

44
Using the Gpresult tool
45
Generating RSoP data
46
Deploying Software Using Group Policy

• Group Policy can help deploy and maintain
  software installations throughout the domain
• When a company rolls out a new software
  application, the four main phases of the process
  are
• Software preparation
• Deployment
• Software maintenance
• Software removal

47
Software Preparation

• Microsoft Windows installer package (MSI) file
• Used by Windows Server 2003 Group Policy
• Contains all the information needed to install an
  application in a variety of configurations
• Steps to take before the installation of a
  software
• Place the MSI package file and any related
  software installation files in a shared folder on
  the network
• Configure Group Policy to access this shared
  folder

48
Deployment

• Using Windows Server 2003 Group Policy,
  applications can be deployed by either
• Assigning applications
• A shortcut to the application is advertised on
  the Start menu
• Publishing applications
• Application is not advertised on the Start menu

49
Software Maintenance

• Maintenance tasks to be performed after an
  application has been deployed
• Installing updates and service patches
• Installing new versions of the software
• Choices when deploying application patches or
  upgrades
• A mandatory upgrade
• An optional upgrade
• Redeploying an application

50
Software Removal

• Choices regarding how an application is removed
• A forced removal
• An optional removal

51
Summary

• Group Policy
• Enables the centralized management of user and
  computer settings throughout the network
• GPOs
• Can be used to perform administrative tasks, such
  as
• Configuration of desktop settings
• Control of security settings for users and
  computers
• Assignment of scripts
• Redirection of folders
• Automation of software distribution on computers
  throughout the network

52
Summary (Continued)

• The order in which Group Policy is applied
• Local computer, site, domain, OU, child OU
• Security Configuration and Analysis tool
• Can be used to analyze, modify, and apply
  security templates to objects within Active
  Directory

53
Summary (Continued)

• Group Policy is automatically inherited from
  parent containers to child containers this can
  be modified by
• Applying Block Policy inheritance
• Applying No Override
• Filtering the policy for specific users
• When deploying software, Group Policy uses an MSI
  file to determine the installation options
• Applications can either be assigned or published
  within a GPO