Configuring Windows Using Group Policy - PowerPoint PPT Presentation

Title: Configuring Windows Using Group Policy. Created Date: 5/13/2003 11:35:47 AM. Document presentation format: On-screen Show (PowerPoint PPT presentation).

Slides: 45
Provided by: bestitdoc
Transcript and Presenter's Notes

1
Configuring Windows Using Group Policy
2
Agenda
  • Background
  • Windows functionality configurable using Group
    Policy
  • How do clients apply Group Policy
  • Group Policy in action
  • Common Group Policy Questions

3
Group Policy Sessions at TechEd
  • ADM222 Using Group Policy to Configure Windows
      • This one!!!!
  • ADM320 Managing Group Policy
      • Thursday 10:00, room 10
  • ADM421 Scripting Group Policy
      • Thursday 18:15, room 9

4
Group Policy Overview: Do More with Less Effort
  • Group Policy enables admins to set and maintain a desired computing state
  • New Group Policy Management Console (GPMC) makes administration much easier

One Administrator Action
5
Policy-based management: What can you do with Group Policy?
  • Centralized storage and mgmt of user data
      • Users have access to data and settings from any computer
      • Consistency of user experience across computers
      • Data safety and availability
      • Rapid PC replacement
  • Configuration of the Operating System
      • Networking settings, control panel access, remote assistance, disk quotas, IE
  • Securing the Operating System
  • Ongoing dynamic configuration management

6
Group Policy Controls What?
Enables configuration on Win2000 and later of:
  • Administrative Templates: Registry-based policy settings
  • Security: User Rights, Restricted Groups, Account Policies, IPSec, Public Key, Wireless, System Services, Software Restriction Policies, etc.
  • IE Maintenance: Administer Internet Explorer
  • Software Distribution: Centralized mgmt of application installation
  • Scripts: Startup, Shutdown, Logon, Logoff
  • Folder Redirection: Store users' folders on the network
  • Remote Installation Service: Configure client options for RIS
  • 3rd Party extensions: Group Policy framework allows for extensibility
7
Group Policy: Not just for desktops
  • Server Management
      • Manage OS components
      • Especially security management
      • Terminal servers, web servers, etc.

8
What we do at TechEd Europe
  • 1,000 PCs
      • CommsNet (400 PCs)
      • Session Feedback Pods (60 PCs)
      • Session Room PCs
      • Hands-on Labs
      • Speaker Lounge
      • BackOffice
  • How many images? 2, thanks to Group Policy
9
TechEd Infrastructure
(Network diagram: London and Event sites; servers msevdad1 and msevdad2)
10
TechEd AD Structure
(OU diagram: London Servers, Event Servers, and Computers with child OUs Travel Desk Kiosks, CommsNet, Session Rooms, FeedBack pods; presenter callouts "You (BJ!)" and "Me?")
11
Windows Functionality Configurable through Group Policy
12
Administrative Templates
  • Managing the OS and Apps by manipulating the registry
  • Windows ships with .ADM files for managing OS components
  • All settings in these files are true policy settings
      • No tattooing
      • Original user preference restored upon removal
      • Secure for non-admins
  • Custom .ADMs possible, but generally not true policy settings
  • Note difference between .POL and .ADM file
      • .ADM File
          • Available settings and UI description
          • Used by GPEdit only to expose settings for editing
          • Exists in both sysvol and locally in windir\inf
      • Registry.Pol File
          • Actual settings delivered
          • This is what is delivered to the client to modify the registry during GP processing
          • Exists in sysvol

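The slide above separates the .ADM file (the UI description) from Registry.Pol (the settings a client actually receives), so auditing what a GPO really pushes means reading Registry.Pol itself. The parser below is an added example, not from the presentation; it relies on the Windows Registry.pol layout ('PReg' magic, version 1, UTF-16LE bracketed records), which the slides do not describe, and the sample file, including the registry key and value names it carries, is constructed here as this example's assumption.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
def _u16(s):  # every token in a Registry.pol body is UTF-16LE
    return s.encode("utf-16-le")

def build_registry_pol(entries):
    """Encode (key, value, type, data) tuples as a version-1 Registry.pol."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))  # 'PReg' magic + version 1
    for key, value, rtype, data in entries:  # record: [key\0;value\0;type;size;data]
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(value + "\0")
        out += _u16(";") + struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";") + data + _u16("]")
    return bytes(out)

def parse_registry_pol(blob):
    """Decode Registry.pol into (key, value, type, data) tuples, rejecting corrupt input."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    def take(n):  # consume n bytes, refusing to run past the end of the file
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated record at offset {pos}")
        pos += n
        return blob[pos - n:pos]
    def expect(ch):  # every separator is checked, so a malformed record fails loudly
        if take(2) != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos - 2}")
    def read_sz():  # NUL-terminated string, scanned in 2-byte code units
        chars = bytearray()
        while (c := take(2)) != b"\0\0":
            chars += c
        return chars.decode("utf-16-le")
    while pos < len(blob):
        expect("[")
        key = read_sz(); expect(";")
        value = read_sz(); expect(";")
        rtype = struct.unpack("<I", take(4))[0]; expect(";")
        size = struct.unpack("<I", take(4))[0]; expect(";")
        data = take(size); expect("]")
        entries.append((key, value, rtype, data))
    return entries

# Constructed sample (key and value names are this example's assumption): what a GPO
# setting the refresh interval to 90 minutes with a 30-minute random offset delivers.
SYSTEM_KEY = r"Software\Policies\Microsoft\Windows\System"
SAMPLE = build_registry_pol([
    (SYSTEM_KEY, "GroupPolicyRefreshTime", REG_DWORD, struct.pack("<I", 90)),
    (SYSTEM_KEY, "GroupPolicyRefreshTimeOffset", REG_DWORD, struct.pack("<I", 30))])
```

Run against a real `Sysvol\...\Machine\Registry.pol` the same way, and compare the decoded records with what the .ADM-driven editor UI claims the GPO sets.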
13
.ADM and .POL files
(Diagram: client computer holding windir\inf; domain controller holding Sysvol\policies\GUID)
14
ADM Files: Managing mixed environments
  • ADM files provided in Windows are cumulative
      • E.g., settings in Windows Server 2003 .ADM files are a superset of settings in XP and 2000 ADMs
  • OS applicability of a setting is indicated by the "Supported on" field in the UI
      • Note: the "Supported on" field is not yet supported on Win2000
  • Up-level settings ignored on down-level clients
      • E.g., Win2000 ignores XP-only settings
  • General recommendation: use ADM files from the latest OS
      • If possible, perform administration on XP or later
      • Consider use of policy settings to control ADM behavior (see next slide)

15
ADM file management
  • Group Policy Object Editor
      • ADM files used to display UI in Administrative Templates node
      • ADM files loaded from Sysvol by default
      • If local copy is newer, it's uploaded to sysvol
          • Note issues with Win2k SP3 and SP4 (fix planned for SP5)
      • This behavior is configurable via 2 policy settings
          • Never upload to sysvol (Turn off Automatic Update of ADM Files)
          • Use local ADMs only (new for Windows Server 2003)
  • GPMC
      • ADM files used to generate HTML reports
      • ADM files loaded from local computer by default
          • If not found, loaded from sysvol
      • User can specify custom location from which to load ADMs
      • NEVER copied to sysvol

16
Security Policy Settings
  • Account Policies: Configure password, account, and Kerberos policies (domain only)
  • Local Policies: Configure auditing, user rights, and security options
  • Event Log: Configure settings for application logs, system logs, and security logs
  • Restricted Groups: Configure group memberships for security-sensitive groups
  • System Services: Configure security and startup settings for services running on a computer
  • Registry: Configure security on registry keys
  • File System: Configure security on specific file paths
  • Public Key: Configure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
  • IP Security: Configure IP security on a network
  • Wireless: Configure wireless settings
  • Software Restriction: Configure which apps can be run or are disallowed
17
Security Tips
  • Account Policies must be configured at domain level
  • Security settings always re-apply every 16 hours
  • Don't apply full security templates through Group Policy
      • Those are intended for one-time use only
      • File and Registry ACLs are time consuming to apply and also tattoo
  • Restricted groups don't merge (see KB 810076)

18
Internet Explorer Maintenance
  • Set policy settings to control
      • Browser User Interface (title, logo)
      • Connection (proxy, autodetect, etc.)
      • URLs: home page, favorites
      • IE Security: Zones, Privacy, Content Ratings, Authenticode
      • Programs
  • Enhanced Security Configuration (ESC) on Win2003
      • New secure configuration for IE impacts Zones and Privacy
      • ESC-enabled and -disabled computers must be managed independently
          • GPOs with ESC-enabled settings only apply to ESC-enabled machines, and vice versa
          • ESC state of admin machine determines whether a GPO is ESC-enabled or not

19
CommsNet example: Set Home Page, Trusted Zones
20
Folder Redirection
  • Supports server-based storage of common folders
      • My Documents
      • Application Data
      • Desktop
      • Start Menu
  • Benefits
      • Availability of user data on any computer
      • Reduced network usage when users move between machines
      • Increased ease of backup of redirected folders
  • Used in conjunction with Offline Files to provide access when disconnected from network
      • On XP and above, all redirected folders are automatically admin-pinned for offline use
  • For each folder, you can choose
      • No policy: does not redirect
      • Basic: redirects all users to the same place
      • Advanced: redirects users to different locations based on security group membership

21
Folder Redirection Tips
  • General recommendations
      • Consider redirection of My Documents
          • If using Roaming Profiles, this is a must
      • Optionally consider redirecting Desktop
          • If users store documents on desktop
      • Start Menu and AppData generally not recommended for redirection
  • Let the system create folders for each user to avoid improper ACLs
  • To remove Folder Redirection, use the "Redirect to the local user profile" setting
  • When using EFS, encrypt the local cache, not the folder on the server

22
CommsNet
(Network diagram: CommsNet spanning the London and Event sites; servers msevdad1 and msevdad2)
23
CommsNet example: Redirect Desktop, My Documents
24
Software Installation
  • 3 deployment options
      • Assign to computer
          • App is installed at boot
      • Assign to user
          • App installed either on demand or (with XP and above) at user logon
      • Publish to user
          • User chooses to install from Add/Remove Programs
  • Requires MSI apps
      • Except ZAP apps, which are limited (no elevated install)
  • Tips
      • Make sure machine accounts have access to software distribution points for machine-assigned apps
      • On Win2k, turn off "Include OLE and Class product information" in Advanced Deployment Options
      • No supported way to control install order within a GPO

25
CommsNet Example: Install the Citrix Client
26
Scripts
  • Computer-based scripts
      • Startup and shutdown
      • Run in local system context
  • User-based scripts
      • Logon and logoff
      • Run in user context
  • Configurable options
      • Processing order if multiple scripts
      • Script timeout (default is 10 minutes)
          • Computer Configuration\Administrative Templates\System\Logon\Maximum wait time for Group Policy scripts
  • Tips
      • Scripts only execute if connected to network during boot and logon (requires foreground refresh)

27
CommsNet Example: Deploy new wallpaper, set local group membership, etc.
28
Remote OS Installation
  • Most RIS infrastructure is on the RIS Server
  • Group Policy allows configuration of client install wizard options

29
How do clients apply Group Policy
30
When Does Group Policy Get Applied?
  • Computer starts
      • Group Policy applies computer settings
      • Startup scripts run
  • User logs on
      • Group Policy applies user settings
      • Logon scripts run
  • ...and at periodic intervals
31
Foreground vs Background refresh
  • Foreground refresh
      • At boot and logon
      • Processing is synchronous
          • Logon prompt not displayed till computer processing complete
          • Desktop not displayed till user processing complete
      • Requires connectivity to domain
      • All extensions processed
  • Background refresh
      • Approximately every 90 minutes (except for DCs: 5 mins)
          • Interval and random offset configurable through policy setting
      • Processing is asynchronous
      • Software installation and folder redirection settings not processed

32
Processing Optimizations
  • During refresh, GP is re-applied only if there are changes in the GPOs, or the list of GPOs
      • Can override this to ALWAYS process via policy setting, for each extension
  • Windows XP Fast Logon Optimization
      • OS does not wait for network start before displaying logon screen
      • Configurable via policy setting
      • Computer policy is processed as background refresh at logon
      • Changes to Folder Redirection and Software Installation may require multiple reboots to apply

33
CommsNet example: Disable fast logon to ensure kiosk mode
34
Group Policy Over Slow Links
  • Slow link connection: < 500 kbps, by default
      • Configurable via policy setting
  • When slow link is detected
      • Security Settings and Administrative Templates are always applied
      • By default, Software Installation, Scripts, and Folder Redirection are not applied
          • Configurable via policy setting for each extension
  • RAS does not necessarily imply slow link

35
Common Group Policy Questions
36
Question 1
  • Q: Where can I get a list of the available ADM settings?
  • A: http://go.microsoft.com/fwlink/?LinkId=15165
      • Allows filtering by
          • Supported OS
          • Component Area
      • Includes
          • Registry Setting
          • Explain text

37
Question 2
  • Q: Are there pre-configured example GPOs available to get me started?
  • A: Yes
      • http://go.microsoft.com/fwlink/?LinkId=14951
      • Provides GPO templates for several common scenarios
      • Will be updated in next few weeks to be based on GPMC backups

38
Question 3
  • Q: Where can I learn more about managing ADM files?
  • A: KB 816662 discusses and provides recommendations for
      • Mixed platforms
      • Mixed languages
      • Sysvol size issues

39
Question 4
  • Q: What are the new Group Policy features since Windows 2000?
  • A:
      • Introduced in WinXP
          • Group Policy Results (RSoP logging)
          • WMI filter client support
          • Software Restriction Policy client support
          • Fast logon optimization
          • New policy settings
          • New GPResult.exe based on RSoP
      • Introduced in Windows Server 2003
          • GPMC
              • New admin tool for managing Group Policy
              • Web download for both XP and 2003
          • Group Policy Modeling (RSoP planning)
          • WMI Filters admin support
          • Software Restriction Policies admin support
          • New policy settings

40
Question 5
  • Part 1
      • Q: What are the requirements to use Group Policy Results?
      • A: Clients must be running XP or later
  • Part 2
      • Q: Is there any dependency on whether I have a 2000 or 2003 based AD?
      • A: Group Policy Results is a function of the client. However, the ability to delegate remote access to read Group Policy Results data requires the Windows Server 2003 AD schema (ADPrep /ForestPrep)

41
Question 6
  • Q: What are the requirements for using Group Policy Modeling?
  • A: Group Policy Modeling is performed by a service that is only available on DCs running Windows 2003. There is no dependency on the client OS.

42
Question 7
  • Q: What are the requirements to use WMI filters?
  • A:
      • Client dependencies
          • Clients must be running XP or later
          • Win2000 clients ignore the filter and always apply the WMI-filtered GPO
      • Server dependencies
          • Forest must have Windows 2003 AD schema (ADPrep /ForestPrep)
          • Domain must run ADPrep /DomainPrep to use for clients in that domain
          • DCs don't actually need to be running Win2003

43
Question 8
  • Q: Are there any dependencies in Group Policy on native mode vs mixed mode?
  • A: No. However, various features do have dependencies on the following
      • Schema level of the forest (ADPrep /ForestPrep)
      • Domain configuration (has ADPrep /DomainPrep been run?)
      • Presence of at least one DC

44
Question 9
  • Qa: Can I use GPMC to manage my environment if all my DCs are running Windows 2000?
  • Qb: Can I use GPMC if my clients are running Windows 2000?
  • A: Yes. However, GPMC itself must run on a computer running Windows XP SP1 or Windows Server 2003.