Implementing Group Policy - PowerPoint PPT Presentation

Provided by: anneke5

1
Chapter 10
  • Implementing Group Policy

2
Learning Objectives
  • Understand Group Policy concepts
  • Plan an effective Group Policy design
  • Implement Group Policy

3
Overview of Group Policies
  • Group policies are a set of configuration
    settings that an administrator applies to one or
    more objects in the Active Directory store.
  • A group policy consists of settings that govern
    how an object and its child objects behave.
  • Group policies provide users with a fully
    populated desktop environment.
  • Conflicts can exist between group policies and
    local needs.

4
Understanding Group Policy Concepts
  • Windows NT 4.0 System Policies
  • Applied only to domains
  • Limited to Registry-based settings
  • Not written to a secure location of the Registry
  • Often last beyond their useful life spans
  • Can be applied through NT domain security groups

5
Understanding Group Policy Concepts
  • Windows 2000 Group Policy
  • Can be applied to sites, domains, or OUs
  • Can be applied through domain security groups
  • Written to a secure section of the Registry
  • Removed and rewritten whenever a policy change
    takes place
  • Provides a more granular level of administrative
    control over a user's environment

6
Understanding Group Policy Concepts
  • Group Policy benefits
  • Can reduce the TCO for a Windows 2000 network
  • Securing user environment
  • Provides customized environments to meet the
    users' work requirements

7
Understanding Group Policy Concepts
  • Group Policy Objects (GPOs)
  • Local GPOs are stored on each Windows 2000
    computer
  • Non-local GPOs are stored at the domain level
    within AD
  • GPC: Group Policy Container
  • GPT: Group Policy Template

8
Understanding Group Policy Concepts
  • Non-local GPOs
  • Group Policy container includes
  • version information
  • status information
  • list of extensions
  • policy settings
  • Group Policy template
  • Folder under Sysvol/DomainName/Policies
  • Identified by its GUID

9
Understanding Group Policy Concepts
  • Group Policy template information

10
Understanding Group Policy Concepts
  • Group Policy template subfolders

11
Understanding Group Policy Concepts
  • Group Policy template subfolders
  • GPT.INI
  • In root folder of each template
  • Enabled/Disabled
  • Version

12
Using the Group Policy Snap-In
  • Computer Configuration
  • Applies to Computers
  • When system initialized
  • Every user
  • Startup/Shutdown Scripts
  • User Configuration
  • Applies to users
  • When logon
  • Logon/logoff scripts

13
Group Policy
  • More than 500 settings
  • Software Settings
  • Software installation
  • Windows Settings
  • Desktop settings
  • Administrative Templates

14
Group Policies
  • Computer settings take precedence over user
    settings
  • Computer settings take effect
  • After refresh interval
  • When OS restarted
  • User setting
  • After refresh interval
  • When new logon

15
Group Policies
  • Policy settings
  • Not Configured
  • Processed
  • Enabled
  • Processed
  • Disabled
  • Not Processed
  • Local Computer policy settings
  • Applied as soon as they are saved

16
Understanding Group Policy Concepts
  • Password Policy settings, under Windows settings
  • Password History
  • Password age
  • Min Length
  • Complexity
  • Encryption

17
Understanding Group Policy Concepts
  • Account Lockout Policy under Windows settings
  • Duration
  • Threshold
  • Reset
  • Zero must manually reset
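
An added example, not part of the original slides: a Python check of the password and account lockout settings listed on slides 16 and 17, read from the [System Access] section of a security template. The sample template is constructed and the baseline thresholds are assumptions chosen for illustration.

```python
import configparser

# Constructed sample in security-template (.inf) layout; values are illustrative.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
MaximumPasswordAge = 42
ClearTextPassword = 1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed example baseline (thresholds are not from the slides).
# Slide item -> template key: history, age, min length, complexity,
# encryption (reversible storage) and lockout threshold.
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 8, "minimum length below 8"),
    "PasswordComplexity": (lambda v: v == 1, "complexity not enforced"),
    "PasswordHistorySize": (lambda v: v >= 12, "history shorter than 12"),
    "MaximumPasswordAge": (lambda v: 0 < v <= 90, "age unlimited or above 90 days"),
    "ClearTextPassword": (lambda v: v == 0, "reversible encryption enabled"),
    "LockoutBadCount": (lambda v: v > 0, "threshold 0: accounts never lock out"),
}

def audit_template(text):
    """Return [(key, problem)] for each [System Access] value that misses the baseline."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text)
    section = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    for key, (is_ok, problem) in BASELINE.items():
        if key not in section:
            findings.append((key, "not defined in template"))
        elif not is_ok(int(section[key])):
            findings.append((key, problem))
    return findings

if __name__ == "__main__":
    for key, problem in audit_template(SAMPLE_TEMPLATE):
        print(f"{key}: {problem}")
```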

18
Managing Administrative Templates
  • Registry based GP settings
  • Explanations
  • Can be extended with custom .adm files

19
system.adm
#if version >= 3
CLASS MACHINE
CATEGORY !!AdministrativeServices
  POLICY !!NoSecurityMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    EXPLAIN !!NoSecurityMenu_Help
    VALUENAME "NoNTSecurity"
  END POLICY
  POLICY !!NoDisconnectMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    EXPLAIN !!NoDisconnectMenu_Help
    VALUENAME "NoDisconnect"
  END POLICY

20
Understanding Group Policy Concepts
  • Group Policy categories and subcategories

21
Understanding Group Policy Concepts
  • Group Policy categories and subcategories

22
Understanding Group Policy Concepts
  • Startup, Shutdown, Logon, and Logoff
  • computer policies can be applied at system
    startup and shutdown
  • user policies can be applied at logon and logoff
  • combinations of these policies can be used to
    create complex policy configurations

23
Understanding Group Policy Concepts
  • AD structure and Group Policy
  • GPOs linked to a site apply to all domains within
    the site
  • GPOs applied to a domain apply to all users and
    computers within the domain
  • GPOs applied at the OU level apply to all users
    and computers within the OU
  • Local policies are applied first, followed by
    non-local policies
  • Non-local policies are applied in the following
    order: site, domain, OU

24
Group Policy
  • More than 500 settings
  • Software Settings
  • Software installation
  • Windows Settings
  • Desktop settings
  • Administrative Templates

25
Group Policies
  • Computer settings take precedence over user
    settings
  • Computer settings take effect
  • After refresh interval
  • When OS restarted
  • User setting
  • After refresh interval
  • When new logon

26
Group Policies
  • Policy settings
  • Not Configured
  • Processed
  • Enabled
  • Processed
  • Disabled
  • Not Processed
  • Local Computer policy settings
  • Applied as soon as they are saved

27
Understanding Group Policy Concepts
  • Group Policy Inheritance
  • No override
  • Prevent policies at lower level from taking
    precedence
  • Block Policy Inheritance
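
An added example, not part of the original slides: a small Python model of the processing order from slide 23 (local, site, domain, OU) combined with the No Override and Block Policy Inheritance options from slide 27. GPO names, setting names and the scenario are hypothetical; the model assumes the local GPO is not affected by Block Policy Inheritance.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False      # "No Override" set on this link

@dataclass
class Container:
    name: str                      # site, domain or OU the GPOs are linked to
    links: list                    # links in processing order (last one wins)
    block_inheritance: bool = False

def effective_settings(local, chain):
    """Resolve settings for an object whose container chain is ordered
    site, domain, parent OU, ..., child OU. Returns {setting: (value, source)}."""
    # The lowest container that blocks inheritance cuts off normal links above it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    # Model assumption: the local GPO is applied first and is not blocked.
    result = {k: (v, "Local GPO") for k, v in local.items()}
    enforced = []
    for i, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                enforced.append(link)
            elif i >= cut:
                for k, v in link.settings.items():
                    result[k] = (v, link.gpo)
    # No Override links go on last, lowest level first, so the highest level wins.
    for link in reversed(enforced):
        for k, v in link.settings.items():
            result[k] = (v, link.gpo + " (No Override)")
    return result

# Constructed scenario: GPO names and setting names are hypothetical.
LOCAL = {"Wallpaper": "default"}
CHAIN = [
    Container("site", []),
    Container("domain", [
        Link("Baseline", {"ScreenSaverLock": "on"}, no_override=True),
        Link("Desktop", {"Wallpaper": "corp", "RunMenu": "hidden"}),
    ]),
    Container("OU=Dev", [
        Link("DevPolicy", {"ScreenSaverLock": "off", "RunMenu": "shown"}),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, source) in sorted(effective_settings(LOCAL, CHAIN).items()):
        print(f"{name:16} {value:8} from {source}")
```

In the constructed scenario the OU blocks the domain's ordinary Desktop GPO, but the Baseline link marked No Override still wins over the OU's own conflicting value.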

28
Understanding Group Policy Concepts
  • Group Policy Processing
  • Computer vs. User Policy processing
  • Computer wins
  • Synchronous vs. Asynchronous processing
  • Asynchronous: Computer and User Policies applied
    at same time
  • In Case of Conflict
  • Install with Elevated Privileges
  • Must be set both in Computer and User
  • Periodic Policy processing
  • 90 minute refresh period
  • 30 minute offset
  • Force refresh with SECEDIT

29
Group Policy Planning
  • Change control procedures
  • name of the GPO
  • settings that the GPO applies
  • whether the settings apply to computers or users
  • specific sites, domains, and OUs to which the GPO
    applies
  • creation and modification dates
  • list of changes since GPO creation
  • description of changes and reasons for them

30
Group Policy Planning
  • Structuring domains and OUs for Group Policy
  • Delegation of permissions will determine where
    you place OUs in the domain structure
  • GPO location will depend on the structure of your
    network (centralized vs. decentralized control)

31
Group Policy Planning
  • Segmented vs. monolithic GPOs
  • Monolithic design - few large GPOs implemented
    at the site or domain level
  • Segmented design - smaller GPOs that contain
    fewer settings
  • Best design is probably a mix of the two

32
Group Policy Planning
  • Cross-domain GPO links
  • it is possible, but not recommended, to create
    such links, as computer startup and logon are
    significantly slower

33
Group Policy Planning
  • Managing network bandwidth
  • Windows 2000 has built-in safeguards when slow
    links are encountered
  • Security and Administrative always processed
  • Folder Redirection
  • Policy templates can be created and modified
  • Security and administrative templates always
    apply

34
Group Policy Planning
  • Group Policy best practices
  • Disabling unused portions of a GPO

35
Group Policy Planning
  • Group Policy best practices
  • Restrict the number of policies
  • Avoid No Override and Block Policy Inheritance
    when possible
  • Use Group Policy rather than System Policies
  • Filter Group Policy with Security Groups
  • Avoid cross-domain GPO links when possible
  • Limit the GPO refresh period

36
Group Policy Implementation
  • Creating a GPO
  • Creating a GPO console
  • Specifying Group Policy settings
  • Filtering Group Policy
  • Delegating administrative control of Group Policy
  • Linking a GPO

37
Group Policy Implementation
  • Creating a GPO
  • first step
  • Windows 2000 creates a GPO by default (Default
    Domain Policy)
  • AD Users and Computers management console
  • Add
  • New
  • Edit
  • Delete

38
Group Policy Implementation
  • Creating a GPO Console
  • Use Group Policy Editor to add snap-ins to your
    console

39
Group Policy Implementation
  • Creating a GPO Console

40
Group Policy Implementation
  • Creating a GPO Console

41
Group Policy Implementation
  • Creating a GPO Console

42
Group Policy Implementation
  • Specifying Group Policy settings

43
Group Policy Implementation
  • Filtering Group Policy

44
Group Policy Implementation
  • Delegating administrative control of Group Policy
  • Managing Group Policy links for a site, domain,
    or OU
  • Creating GPOs
  • Editing GPOs

45
Group Policy Implementation
  • Delegating administrative control of Group Policy

46
Group Policy Implementation
  • Linking a GPO
  • You must have Read/Write or Full Control
    permissions
  • Use AD Users and Computers

47
Chapter Summary
  • Windows 2000 Group Policy far surpasses Windows
    NT Group Policy in functionality
  • GPOs can be applied at the site, domain, or OU
    level
  • Group Policy can help reduce TCO on networks,
    while increasing ROI for tech expenditures
  • Group Policy is processed in the following order:
    local, site, domain, OU
  • The Group Policy Editor is the primary interface
    for modifying Group Policy settings

48
Chapter Summary
  • Policy settings can be overridden or blocked, if
    necessary
  • The use of Group Policy can impact the AD domain
    and OU design process
  • Group Policy administration can be filtered or
    delegated
  • GPOs can be linked to other sites, domains, and
    OUs