Managing Group Policy - PowerPoint PPT Presentation

Slides: 54
Provided by: zz91

Transcript and Presenter's Notes

Title: Managing Group Policy


1
Chapter 4
  • Managing Group Policy

2
Objectives
  • Create and manage Group Policy objects to control
    user desktop settings, security, scripts, and
    folder redirection
  • Manage and troubleshoot Group Policy inheritance
  • Deploy and manage software using Group Policy

3
Introduction to Group Policy
  • Group Policy
  • Enables the centralized management of user and
    computer configuration settings
  • Implemented using a Group Policy object

4
Introduction to Group Policy (Continued)
  • Group Policy object (GPO)
  • Used to perform a variety of administrative
    tasks, including
  • Configure desktop settings using administrative
    templates
  • Control security settings for users and computers
  • Assign scripts to run when
  • A user logs on or off
  • A computer is started up or shut down

5
Introduction to Group Policy (Continued)
  • Redirect folders out of a user's local profile to
    a different network location
  • Automate software distribution and maintenance to
    computers throughout the network

6
Creating a Group Policy Object
  • Ways to create a GPO
  • Group Policy standalone Microsoft Management
    Console (MMC) snap-in
  • Group Policy extension in Active Directory Users
    and Computers
  • Once a GPO is created
  • Edit the GPO to control specific user or computer
    settings

7
Configuration categories available for GPOs
8
Creating a Group Policy Object (Continued)
  • The GPO content is stored in two different
    locations on the server
  • Group Policy container (GPC)
  • Stores information about the GPO and includes a
    version number
  • Located in
  • Active Directory Users and Computers\System\Policies

9
Creating a Group Policy Object (Continued)
  • Group Policy template (GPT)
  • Contains the data that makes up the Group Policy
  • Stored in
  • The systemroot\Sysvol\<Domain Name>\Policies
    folder
  • Globally unique identifier (GUID)
  • A unique 128-bit number assigned to the GPO when
    it is created
  • Used to identify both the GPC and the GPT

10
Application of Group Policy
  • GPOs can apply a variety of configuration options
    to the
  • Local computer
  • Site
  • Domain
  • OU
  • Main categories of a Group Policy
  • Computer Configuration
  • User Configuration

11
Controlling User Desktop Settings
  • Group Policy
  • Helps reduce administrative costs by allowing the
    administrator to
  • Enforce standard computer configurations
  • Limit user access to various areas of the
    operating system
  • Ensure that users have their own personal desktop
    and application settings
  • Administrative templates
  • Consist of several categories of configuration
    settings

12
Configuration categories of administrative
templates
13
Managing Security with Group Policy
  • Group Policy
  • Can be used to modify and maintain a number of
    domain-based security configurations to comply
    with organizational security standards
  • Security templates
  • Can be created based on current security standards

14
Configuring Account Policies
  • Account Policies node
  • Found under the computer configuration category
    of a GPO
  • Includes three subcategories
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
  • Password Policy node
  • Contains configuration settings for the
    passwords
  • History
  • Length
  • Complexity

15
Password policies in Windows Server 2003
16
Configuring Account Policies (Continued)
  • Account Lockout Policy node
  • Contains configuration settings for
  • Password lockout threshold and duration
  • Reset options

17
Account Lockout Policies
18
Configuring Account Policies (Continued)
  • Kerberos Policy node
  • Contains configuration settings for
  • Kerberos ticket-granting ticket (TGT)
  • Session ticket lifetimes and time stamp

19
Kerberos policy node configuration
20
Managing Security with Group Policy
  • Other nodes under the security settings category
  • Local Policies
  • Event Log
  • Restricted Groups
  • System Services
  • Registry
  • File System
  • Wireless Network (IEEE 802.11) Policies
  • Public Key Policies
  • Software Restriction Policies
  • IP Security Policies on Active Directory

21
Using the Security Configuration Manager Tools
with Group Policy
  • Security Configuration Manager tools
  • Can be used with Group Policies to
  • Create a Security Policy template using a
    specific group of security settings
  • Can be used to analyze and implement security
    settings on a computer system
  • Useful in maintaining security settings

22
Using the Security Configuration Manager Tools
with Group Policy (Continued)
  • Core components of the Security Configuration
    Manager tools
  • Security templates
  • Security settings in Group Policy objects
  • Security Configuration and Analysis tool
  • Secedit command-line tool

23
Security Templates
  • A security template
  • Is used to define, edit, and save baseline
    security settings to be applied to computers with
    common security requirements
  • Helps ensure that a consistent setting can be
    applied to multiple machines and easily
    maintained
  • Is created and edited using the Security
    Templates snap-in

24
Viewing the Security Templates console
25
Analyzing the Preconfigured Security Templates
  • First step in configuring and implementing
    security templates
  • Categorize the network computers into
  • Workstations
  • Servers
  • Domain controllers

26
Analyzing the Preconfigured Security Templates
(Continued)
  • Setup Security.inf template
  • Stores the default security settings applied to
    the computer when Windows Server 2003 is
    installed
  • Purpose
  • Provides a single file in which all of the
    original computer security settings are stored

27
Analyzing the Preconfigured Security Templates
(Continued)
  • Incremental templates
  • Modify security settings incrementally
  • Allow the creation of security configurations
    other than the basic security settings
  • Include
  • Compatws.inf
  • Securews.inf and Securedc.inf
  • Hisecws.inf and Hisecdc.inf
  • DC Security.inf
  • Rootsec.inf

28
Analyzing the Preconfigured Security Templates
(Continued)
  • Applying security templates
  • Security templates can be applied to either the
    local machine or the domain via GPOs
  • To apply a security template to a local machine
  • Open the Local Security Settings MMC snap-in
  • Right-click Security Settings in the console pane
    and choose Import Policy
  • Select the template file to be imported

29
Security Configurations and Analysis
  • Security Configuration and Analysis utility
  • Compares current system settings to a previously
    configured security template
  • Identifies
  • Changes to the original security configurations
  • Possible security weaknesses that may be evident
    when compared to a stronger security baseline
    template

30
Security Configurations and Analysis (Continued)
  • Results of the comparison
  • A green check mark
  • Indicates that the two settings match
  • A red x
  • Indicates a mismatch

31
Viewing the Security Configuration and Analysis
tool
32
Analyzing security on a computer
33
Security Configurations and Analysis (Continued)
  • Secedit.exe
  • Command-line tool that is used to
  • Create and apply security templates
  • Analyze security settings
  • Can be used in situations where Group Policy
    cannot be applied
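
The comparison that Security Configuration and Analysis performs (baseline template against current settings, reported as match or mismatch) can be sketched as follows. This is an added example, not part of the original presentation; both templates are constructed sample text in security-template (.inf) layout, and the function names are hypothetical.

```python
import configparser

# Constructed sample templates; the values are illustrative only.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
"""
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
"""
AREAS = ("System Access", "Kerberos Policy")  # Account Policies sections only

def load_template(text):
    """Parse template text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def analyze(baseline_text, current_text, areas=AREAS):
    """Return (section, setting, baseline, current, status) per baseline setting."""
    base, cur = load_template(baseline_text), load_template(current_text)
    rows = []
    for section in areas:
        for name, want in base.get(section, {}).items():
            have = cur.get(section, {}).get(name)
            status = ("match" if have == want
                      else "not defined" if have is None else "mismatch")
            rows.append((section, name, want, have, status))
    return rows

def mismatches(rows):
    """Settings that would not get the green check mark."""
    return [r for r in rows if r[4] != "match"]

if __name__ == "__main__":
    for section, name, want, have, status in analyze(BASELINE_INF, CURRENT_INF):
        print(f"{status:<12} [{section}] {name}: baseline={want} current={have}")
```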

34
Assigning Scripts and Redirecting Folders
  • Scripts
  • Can be used in Windows Server 2003 to perform
    tasks at various times during the logon or logoff
    process
  • Computer startup and shutdown scripts
  • Configured in the computer section of a GPO
  • User logon and logoff scripts
  • Configured in the user section of a GPO

35
Assigning Scripts and Redirecting Folders
(Continued)
  • Folder redirection
  • Group Policy feature
  • Enables you to redirect the following contents of
    a user's profile to a network location
  • Application data
  • Desktop
  • My Documents
  • Start menu

36
Folder redirection settings
37
Managing Group Policy Inheritance
  • Order in which Group Policy is applied
  • Local computer, site, domain, parent OU, child OU
  • All individual GPO settings are inherited by
    default
  • At each level, more than one GPO can be applied
  • If there is more than one GPO per container
  • Policies are applied in the order that they
    appear on the Group Policy tab for the container,
    starting with the bottom GPO first

38
Managing Group Policy Inheritance (Continued)
  • Multiple policies applied to a user or computer
  • If there is no conflict
  • Both policies are applied
  • If there is a conflict
  • Later settings overwrite earlier settings
  • Computer policies usually overwrite user policies

39
Configuring Block Policy Inheritance, No
Override, and Filtering
  • Blocking Group Policy inheritance
  • Done when you do not want any higher-level
    settings to be applied to a particular child
    container
  • Configuring No Override
  • Done when you want a particular GPO's settings to
    always be enforced
  • Filtering policy settings for groups
  • Done to prevent policy settings for groups from
    applying to a particular user, group, or computer
    within a container
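
The processing order, Block Policy inheritance and No Override rules from the preceding slides can be modelled as a small resolver. This is an added example, not part of the original presentation; the container, GPO and setting names are hypothetical, and the local computer policy and group filtering are left out of the model.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False

@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)  # order on the Group Policy tab, top first
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain: containers ordered site, domain, parent OU, child OU.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # Block Policy inheritance: GPOs linked above the lowest blocking container are dropped.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {}
    def apply(gpo):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    # Pass 1: ordinary GPOs, highest container first and bottom of each list first.
    for container in chain[start:]:
        for gpo in reversed(container.gpos):
            if not gpo.no_override:
                apply(gpo)
    # Pass 2: No Override GPOs ignore blocking; walking upward lets the highest level win.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                apply(gpo)
    return result

def sample_chain(block):
    """Constructed hierarchy; every name and value here is hypothetical."""
    return [
        Container("Site: HQ", [GPO("Site Proxy", {"ProxyServer": "proxy-hq"})]),
        Container("Domain", [
            GPO("Domain Lockdown", {"HideControlPanel": True}, no_override=True),
            GPO("Domain Desktop", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900}),
        ]),
        Container("OU: Engineering", [
            GPO("Eng Desktop", {"Wallpaper": "eng.bmp"}),
            GPO("Eng Legacy", {"Wallpaper": "old.bmp", "HideControlPanel": False}),
        ], block_inheritance=block),
    ]
```

With blocking enabled on the OU, only the OU's own GPOs and the domain's No Override GPO contribute; with it disabled, the site and domain settings flow down and the OU still wins the Wallpaper conflict.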

40
Blocking Group Policy inheritance
41
Configuring No Override on a Group Policy object
42
Troubleshooting Group Policy Settings
  • Areas to inspect when trying to find the reason
    for a GPO not working as expected
  • Active Directory hierarchy
  • Order of Group Policy processing
  • Containers above and below the OU that is causing
    the problem
  • Group Policy's Security tab

43
Troubleshooting Group Policy Settings (Continued)
  • Troubleshooting tools
  • gpresult.exe
  • Resultant Set of Policy (RSoP)
  • Can be used to
  • Discover Group Policy-related problems
  • Illustrate which GPOs were applied to a user or
    computer

44
Using the Gpresult tool
45
Generating RSoP data
46
Deploying Software Using Group Policy
  • Group Policy can help deploy and maintain
    software installations throughout the domain
  • When a company rolls out a new software
    application, the four main phases of the process
    are
  • Software preparation
  • Deployment
  • Software maintenance
  • Software removal

47
Software Preparation
  • Microsoft Windows installer package (MSI) file
  • Used by Windows Server 2003 Group Policy
  • Contains all the information needed to install an
    application in a variety of configurations
  • Steps to take before installing software
  • Place the MSI package file and any related
    software installation files in a shared folder on
    the network
  • Configure Group Policy to access this shared
    folder

48
Deployment
  • Using Windows Server 2003 Group Policy,
    applications can be deployed by either
  • Assigning applications
  • A shortcut to the application is advertised on
    the Start menu
  • Publishing applications
  • Application is not advertised on the Start menu

49
Software Maintenance
  • Maintenance tasks to be performed after an
    application has been deployed
  • Installing updates and service patches
  • Installing new versions of the software
  • Choices when deploying application patches or
    upgrades
  • A mandatory upgrade
  • An optional upgrade
  • Redeploying an application

50
Software Removal
  • Choices regarding how an application is removed
  • A forced removal
  • An optional removal

51
Summary
  • Group Policy
  • Enables the centralized management of user and
    computer settings throughout the network
  • GPOs
  • Can be used to perform administrative tasks, such
    as
  • Configuration of desktop settings
  • Control of security settings for users and
    computers
  • Assignment of scripts
  • Redirection of folders
  • Automation of software distribution on computers
    throughout the network

52
Summary (Continued)
  • The order in which Group Policy is applied
  • Local computer, site, domain, OU, child OU
  • Security Configuration and Analysis tool
  • Can be used to analyze, modify, and apply
    security templates to objects within Active
    Directory

53
Summary (Continued)
  • Group Policy is automatically inherited from
    parent containers to child containers; this can
    be modified by
  • Applying Block Policy inheritance
  • Applying No Override
  • Filtering the policy for specific users
  • When deploying software, Group Policy uses an MSI
    file to determine the installation options
  • Applications can either be assigned or published
    within a GPO