Title: Managing Group Policy
Chapter 4

Objectives
- Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
- Manage and troubleshoot Group Policy inheritance
- Deploy and manage software using Group Policy
Introduction to Group Policy
- Group Policy
  - Enables the centralized management of user and computer configuration settings
  - Implemented using a Group Policy object
Introduction to Group Policy (Continued)
- Group Policy object (GPO)
  - Used to perform a variety of administrative tasks, including
    - Configure desktop settings using administrative templates
    - Control security settings for users and computers
    - Assign scripts to run when
      - A user logs on or off
      - A computer is started up or shut down

Introduction to Group Policy (Continued)
    - Redirect folders out of a user's local profile to a different network location
    - Automate software distribution and maintenance to computers throughout the network
Creating a Group Policy Object
- Ways to create a GPO
  - Group Policy standalone Microsoft Management Console (MMC) snap-in
  - Group Policy extension in Active Directory Users and Computers
- Once a GPO is created
  - Edit the GPO to control specific user or computer settings

Configuration categories available for GPOs
Creating a Group Policy Object (Continued)
- The GPO content is stored in two different locations on the server
  - Group Policy container (GPC)
    - Stores information about the GPO and includes a version number
    - Located in
      - Active Directory Users and Computers\System\Policies

Creating a Group Policy Object (Continued)
  - Group Policy template (GPT)
    - Contains the data that makes up the Group Policy
    - Stored in
      - The systemroot\Sysvol\<Domain Name>\Policies folder
  - Globally unique identifier (GUID)
    - A unique 128-bit number assigned to the GPO when it is created
    - Used to identify both the GPC and the GPT
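Because the same GUID names both storage locations, the GPC version number in Active Directory can be checked against the GPT copy in SYSVOL. This is an added example, not code from the deck; it assumes the GroupPolicy PowerShell module (shipped with Windows releases later than the Server 2003 the slides describe) and a domain-joined session.

```powershell
# Added example, not from the deck. For every GPO, resolve the GPT folder by GUID,
# confirm it exists in SYSVOL, and compare the GPC version numbers held in AD with
# the ones recorded in the GPT. Assumes the GroupPolicy RSAT module is installed.
Import-Module GroupPolicy

function Test-GpoStorageConsistency {
    param([string] $Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The same GUID names the GPC (under System\Policies in AD) and the GPT folder.
        $gptPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Guid          = $gpo.Id
            GptExists     = Test-Path -LiteralPath $gptPath
            # A DS/SYSVOL version mismatch usually means replication between domain
            # controllers has not finished, so clients may get stale settings.
            UserMatch     = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
            ComputerMatch = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
        }
    }
}

# Report only GPOs whose two storage locations disagree.
Test-GpoStorageConsistency |
    Where-Object { -not ($_.GptExists -and $_.UserMatch -and $_.ComputerMatch) } |
    Format-Table -AutoSize
```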
Application of Group Policy
- GPOs can apply a variety of configuration options to the
  - Local computer
  - Site
  - Domain
  - OU
- Main categories of a Group Policy
  - Computer Configuration
  - User Configuration
Controlling User Desktop Settings
- Group Policy
  - Helps reduce administrative costs by allowing the administrator to
    - Enforce standard computer configurations
    - Limit user access to various areas of the operating system
    - Ensure that users have their own personal desktop and application settings
- Administrative templates
  - Consist of several categories of configuration settings

Configuration categories of administrative templates
Managing Security with Group Policy
- Group Policy
  - Can be used to modify and maintain a number of domain-based security configurations to comply with organizational security standards
- Security templates
  - Can be created based on current security standards
Configuring Account Policies
- Account Policies node
  - Found under the Computer Configuration category of a GPO
  - Includes three subcategories
    - Password Policy
    - Account Lockout Policy
    - Kerberos Policy
- Password Policy node
  - Contains configuration settings for passwords
    - History
    - Length
    - Complexity

Password policies in Windows Server 2003

Configuring Account Policies (Continued)
- Account Lockout Policy node
  - Contains configuration settings for
    - Password lockout threshold and duration
    - Reset options

Account Lockout Policies

Configuring Account Policies (Continued)
- Kerberos Policy node
  - Contains configuration settings for
    - Kerberos ticket-granting ticket (TGT)
    - Session ticket lifetimes and time stamp

Kerberos policy node configuration
Managing Security with Group Policy
- Other nodes under the Security Settings category
  - Local Policies
  - Event Log
  - Restricted Groups
  - System Services
  - Registry
  - File System
  - Wireless Network (IEEE 802.11) Policies
  - Public Key Policies
  - Software Restriction Policies
  - IP Security Policies on Active Directory
Using the Security Configuration Manager Tools with Group Policy
- Security Configuration Manager tools
  - Can be used with Group Policy to
    - Create a security policy template using a specific group of security settings
  - Can be used to analyze and implement security settings on a computer system
  - Useful in maintaining security settings

Using the Security Configuration Manager Tools with Group Policy (Continued)
- Core components of the Security Configuration Manager tools
  - Security templates
  - Security settings in Group Policy objects
  - Security Configuration and Analysis tool
  - Secedit command-line tool
Security Templates
- A security template
  - Is used to define, edit, and save baseline security settings to be applied to computers with common security requirements
  - Helps ensure that a consistent setting can be applied to multiple machines and easily maintained
  - Is created and edited using the Security Templates snap-in

Viewing the Security Templates console
Analyzing the Preconfigured Security Templates
- First step in configuring and implementing security templates
  - Categorize the network computers into
    - Workstations
    - Servers
    - Domain controllers

Analyzing the Preconfigured Security Templates (Continued)
- Setup Security.inf template
  - Stores the default security settings applied to the computer when Windows Server 2003 is installed
  - Purpose
    - Provides a single file in which all of the original computer security settings are stored

Analyzing the Preconfigured Security Templates (Continued)
- Incremental templates
  - Modify security settings incrementally
  - Allow the creation of security configurations other than the basic security settings
  - Include
    - Compatws.inf
    - Securews.inf and Securedc.inf
    - Hisecws.inf and Hisecdc.inf
    - DC Security.inf
    - Rootsec.inf

Analyzing the Preconfigured Security Templates (Continued)
- Applying security templates
  - Security templates can be applied to either the local machine or the domain via GPOs
  - To apply a security template to a local machine
    - Open the Local Security Settings MMC snap-in
    - Right-click Security Settings in the console pane and choose Import Policy
    - Select the template file to be imported
Security Configuration and Analysis
- Security Configuration and Analysis utility
  - Compares current system settings to a previously configured security template
  - Identifies
    - Changes to the original security configurations
    - Possible security weaknesses that become evident when compared to a stronger security baseline template

Security Configuration and Analysis (Continued)
- Results of the comparison
  - A green check mark
    - Indicates that the two settings match
  - A red X
    - Indicates a mismatch

Viewing the Security Configuration and Analysis tool

Analyzing security on a computer

Security Configuration and Analysis (Continued)
- Secedit.exe
  - Command-line tool that is used to
    - Create and apply security templates
    - Analyze security settings
  - Can be used in situations where Group Policy cannot be applied
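The match/mismatch comparison the Security Configuration and Analysis snap-in performs, applied to the account-policy settings covered earlier (password history, length, complexity, lockout threshold), can be scripted over a secedit export. This is an added example, not the deck's code; the INF text and the baseline values are constructed for the demo and are not recommendations from the slides.

```powershell
# Added example, not from the deck. Parses the INF format that secedit.exe exports
# (secedit /export /cfg C:\current.inf) and marks each baseline setting as a match
# or a mismatch, like the green check / red X in Security Configuration and Analysis.
# The INF sample and baseline values below are constructed for this demo.
function ConvertFrom-SecurityInf {
    param([string] $Text)
    $settings = @{}
    $section = ''
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Keys are stored as "Section/Name" so equal names in different sections stay apart.
        if ($line -match '^([^=;]+?)\s*=\s*(.*)$') { $settings["$section/$($Matches[1])"] = $Matches[2] }
    }
    return $settings
}

function Compare-SecurityBaseline {
    param([hashtable] $Current, [hashtable] $Baseline)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $actual = $Current[$key]          # $null when the exported policy lacks the setting
        $status = if ($actual -eq $Baseline[$key]) { 'match' } else { 'MISMATCH' }
        [pscustomobject]@{ Setting = $key; Baseline = $Baseline[$key]; Actual = $actual; Status = $status }
    }
}

# Constructed sample of a secedit export (only the [System Access] section is compared).
$currentInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
'@

# Constructed baseline: minimum length, lockout count and the missing lockout duration will mismatch.
$baseline = @{
    'System Access/MinimumPasswordLength' = '8'
    'System Access/PasswordComplexity'    = '1'
    'System Access/PasswordHistorySize'   = '24'
    'System Access/LockoutBadCount'       = '5'
    'System Access/LockoutDuration'       = '30'
}

Compare-SecurityBaseline -Current (ConvertFrom-SecurityInf $currentInf) -Baseline $baseline | Format-Table -AutoSize
```

To check a real machine, replace `$currentInf` with `Get-Content C:\current.inf -Raw` after running the secedit export shown in the header comment.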
Assigning Scripts and Redirecting Folders
- Scripts
  - Can be used in Windows Server 2003 to perform tasks at various times during the logon or logoff process
  - Computer startup and shutdown scripts
    - Configured in the computer section of a GPO
  - User logon and logoff scripts
    - Configured in the user section of a GPO

Assigning Scripts and Redirecting Folders (Continued)
- Folder redirection
  - Group Policy feature
  - Enables you to redirect the following contents of a user's profile to a network location
    - Application data
    - Desktop
    - My Documents
    - Start menu

Folder redirection settings
Managing Group Policy Inheritance
- Order in which Group Policy is applied
  - Local computer, site, domain, parent OU, child OU
- All individual GPO settings are inherited by default
- At each level, more than one GPO can be applied
  - If there is more than one GPO per container
    - Policies are applied in the order that they appear on the Group Policy tab for the container, starting with the bottom GPO first

Managing Group Policy Inheritance (Continued)
- Multiple policies applied to a user or computer
  - If there is no conflict
    - Both policies are applied
  - If there is a conflict
    - Later settings overwrite earlier settings
    - Computer policies usually overwrite user policies

Configuring Block Policy Inheritance, No Override, and Filtering
- Blocking Group Policy inheritance
  - Done when you do not want any higher-level settings to be applied to a particular child container
- Configuring No Override
  - Done when you want a particular GPO's settings to always be enforced
- Filtering policy settings for groups
  - Done to prevent a GPO's settings from applying to a particular user, group, or computer within a container

Blocking Group Policy inheritance

Configuring No Override on a Group Policy object
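The processing order, the "later settings win" rule, Block Policy Inheritance and No Override described above can be modelled to predict which setting reaches a user or computer. This is an added example, not code from the deck; the link objects, level numbers and setting names are constructed for the demo.

```powershell
# Added example, not from the deck: a small model of the precedence rules above.
# Levels: 0 = local computer, 1 = site, 2 = domain, 3 = parent OU, 4 = child OU.
# Each link object is constructed for the demo: Level, Name, Enforced (No Override)
# and a Settings hashtable. $BlockedAt lists levels whose container has Block Policy
# Inheritance set.
function Get-ResultantSettings {
    param([object[]] $Links, [int[]] $BlockedAt = @())
    $result   = @{}
    $applied  = New-Object System.Collections.Generic.List[string]
    $maxLevel = ($Links | Measure-Object -Property Level -Maximum).Maximum

    # Pass 1: ordinary links, local -> site -> domain -> OUs. Within one container the
    # links are listed top to bottom, so the bottom one is applied first and the top wins.
    for ($lvl = 0; $lvl -le $maxLevel; $lvl++) {
        # Block Policy Inheritance on a lower container discards non-enforced GPOs from
        # every level above it; the local GPO (level 0) is not a link and is never blocked.
        $blocked = $lvl -gt 0 -and @($BlockedAt | Where-Object { $_ -gt $lvl }).Count -gt 0
        if ($blocked) { continue }
        $ordinary = @($Links | Where-Object { $_.Level -eq $lvl -and -not $_.Enforced })
        [array]::Reverse($ordinary)
        foreach ($gpo in $ordinary) {
            foreach ($k in $gpo.Settings.Keys) { $result[$k] = $gpo.Settings[$k] }   # later wins
            $applied.Add($gpo.Name)
        }
    }
    # Pass 2: No Override links ignore blocking and are applied last, child -> parent,
    # so an enforced GPO linked higher in the hierarchy wins over a lower enforced one.
    for ($lvl = $maxLevel; $lvl -ge 0; $lvl--) {
        $enforced = @($Links | Where-Object { $_.Level -eq $lvl -and $_.Enforced })
        [array]::Reverse($enforced)
        foreach ($gpo in $enforced) {
            foreach ($k in $gpo.Settings.Keys) { $result[$k] = $gpo.Settings[$k] }
            $applied.Add($gpo.Name)
        }
    }
    [pscustomobject]@{ Order = ($applied -join ' -> '); Settings = $result }
}

# Constructed scenario: the Sales OU blocks inheritance, but the domain lockout GPO is
# set to No Override, so its threshold still reaches Sales while the domain wallpaper does not.
$links = @(
    [pscustomobject]@{ Level = 2; Name = 'Default Domain'; Enforced = $false; Settings = @{ Wallpaper = 'corp.bmp'; MinPwdLen = 8 } }
    [pscustomobject]@{ Level = 2; Name = 'Domain Lockout'; Enforced = $true;  Settings = @{ LockoutThreshold = 5 } }
    [pscustomobject]@{ Level = 3; Name = 'Sales OU';       Enforced = $false; Settings = @{ Wallpaper = 'sales.bmp'; LockoutThreshold = 50 } }
)
Get-ResultantSettings -Links $links -BlockedAt @(3)
```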
Troubleshooting Group Policy Settings
- Areas to inspect when trying to find the reason for a GPO not working as expected
  - Active Directory hierarchy
  - Order of Group Policy processing
  - Containers above and below the OU that is causing the problem
  - The Group Policy's Security tab

Troubleshooting Group Policy Settings (Continued)
- Troubleshooting tools
  - gpresult.exe
  - Resultant Set of Policy (RSoP)
  - Can be used to
    - Discover Group Policy-related problems
    - Illustrate which GPOs were applied to a user or computer

Using the Gpresult tool

Generating RSoP data
Deploying Software Using Group Policy
- Group Policy can help deploy and maintain software installations throughout the domain
- When a company rolls out a new software application, the four main phases of the process are
  - Software preparation
  - Deployment
  - Software maintenance
  - Software removal

Software Preparation
- Microsoft Windows Installer package (MSI) file
  - Used by Windows Server 2003 Group Policy
  - Contains all the information needed to install an application in a variety of configurations
- Steps to take before installing the software
  - Place the MSI package file and any related software installation files in a shared folder on the network
  - Configure Group Policy to access this shared folder

Deployment
- Using Windows Server 2003 Group Policy, applications can be deployed by either
  - Assigning applications
    - A shortcut to the application is advertised on the Start menu
  - Publishing applications
    - The application is not advertised on the Start menu

Software Maintenance
- Maintenance tasks to be performed after an application has been deployed
  - Installing updates and service patches
  - Installing new versions of the software
- Choices when deploying application patches or upgrades
  - A mandatory upgrade
  - An optional upgrade
  - Redeploying an application

Software Removal
- Choices regarding how an application is removed
  - A forced removal
  - An optional removal
Summary
- Group Policy
  - Enables the centralized management of user and computer settings throughout the network
- GPOs
  - Can be used to perform administrative tasks, such as
    - Configuration of desktop settings
    - Control of security settings for users and computers
    - Assignment of scripts
    - Redirection of folders
    - Automation of software distribution on computers throughout the network

Summary (Continued)
- The order in which Group Policy is applied
  - Local computer, site, domain, OU, child OU
- Security Configuration and Analysis tool
  - Can be used to analyze, modify, and apply security templates to objects within Active Directory

Summary (Continued)
- Group Policy is automatically inherited from parent containers to child containers; this can be modified by
  - Applying Block Policy Inheritance
  - Applying No Override
  - Filtering the policy for specific users
- When deploying software, Group Policy uses an MSI file to determine the installation options
  - Applications can either be assigned or published within a GPO