Configuring Windows Using Group Policy - PowerPoint PPT Presentation

About This Presentation
Title:

Configuring Windows Using Group Policy

Description:

Title: Configuring Windows Using Group Policy Last modified by: n Created Date: 5/13/2003 11:35:47 AM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:252
Avg rating:3.0/5.0
Slides: 45
Provided by: bestitdoc
Category:

less

Transcript and Presenter's Notes

Title: Configuring Windows Using Group Policy


1
Configuring Windows Using Group Policy
2
Agenda
  • Background
  • Windows functionality configurable using Group
    Policy
  • How do clients apply Group Policy
  • Group Policy in action
  • Common Group Policy Questions

3
Group Policy Sessions at TechEd
  • ADM222 Using Group Policy to Configure Windows
  • This one!!!!
  • ADM320 Managing Group Policy
  • Thursday 1000 room 10
  • ADM 421 Scripting Group Policy
  • Thursday 1815 room 9

4
Group Policy OverviewDo More with Less Effort
  • Group Policy enables admins to set and maintain a
    desired computing state
  • New Group Policy Management Console (GPMC) makes
    administration much easier

One Administrator Action
5
Policy-based managementWhat can you do with
Group Policy?
  • Centralized storage and mgmt of user data
  • Users have access to data and settings from any
    computer
  • Consistency of user experience across computers
  • Data safety and availability
  • Rapid PC replacement
  • Configuration of the Operating System
  • Networking settings, control panel access, remote
    assistance, disk quotas, IE
  • Securing the Operating System
  • Ongoing dynamic configuration management

6
Group Policy Controls What?
Enables configuration on Win2000 and later of
Administrative Templates Registry-based policy settings
Security Users Rights, restricted groups, Account Policies, IPSec, Public Key, Wireless, System Services, Software Restriction Policies, etc
IE Maintenance Administer Internet Explorer
Software Distribution Centralized mgmt of application installation
Scripts Startup, Shutdown, logon, logoff
Folder Redirection Store users folders on the network
Remote Installation Service Configure Client options for RIS
3rd Party extensions Group Policy framework allows for extensibility
7
Group PolicyNot just for desktops
  • Server Management
  • Manage OS components
  • Especially security management
  • Terminal servers, web servers, etc.

8
What we do at TechEd Europe
  • 1,000 PCs
  • CommsNet (400 PCs)
  • Session Feedback Pods (60 PCs)
  • Session Room PCs
  • Hands-on Labs
  • Speaker Lounge
  • BackOffice
  • How many images?

2
Thanks to Group Policy
9
TechEd Infrastructure
London
Event
msevdad1
msevdad2
10
TechEd AD Structure
London Servers
You ( BJ! )
Me ?
Event Servers
Computers
Travel Desk Kiosks
CommsNet
Session Rooms
FeedBack pods
11
Windows Functionality Configurable through Group
Policy
12
Administrative Templates
  • Managing the OS and Apps by manipulating the
    registry
  • Windows ships with .ADM files for managing OS
    components
  • All settings in these files are true policy
    settings
  • No tattooing
  • Original user preference restored upon removal
  • Secure for non-admins
  • Custom .ADMs possible, but generally not true
    policy settings
  • Note difference between .POL and .ADM file
  • .ADM File
  • Available Settings and UI description
  • Used by GPEdit only to expose settings for
    editing
  • Exists in both sysvol and locally in windir\inf
  • Registry.Pol File
  • Actual Settings delivered
  • This is what is delivered to the client to modify
    registry during GP processing
  • Exists in sysvol

13
.ADM and .POL files
Client computer
Domain Controller
Svsvol\policies\GUID
windir\inf
14
ADM Files Managing mixed environments
  • ADM files provided in Windows are cumulative
  • E.g., settings in Windows Server 2003 .ADM files
    are a superset of settings in XP and 2000 ADMs
  • OS applicability of setting indicated by
    Supported on field in UI
  • Note Supported on field is not yet supported
    on Win2000
  • Up-level settings ignored on down-level clients
  • E.g. Win2000 ignores settings XP only settings
  • General recommendation Use ADM files from latest
    OS
  • If possible, perform administration on XP or
    later
  • Consider use of policy settings to control ADM
    behavior (see next slide)

15
ADM file management
  • Group Policy Object Editor
  • ADM files used to display UI in Administrative
    Templates node
  • ADM files loaded from Sysvol by default
  • If local copy is newer, its uploaded to sysvol
  • Note issues with Win2k SP3 SP4 (fix planned
    for SP5)
  • This behavior is configurable via 2 policy
    settings
  • Never upload to sysvol (Turn off Automatic
    Update of ADM Files)
  • Use local ADMs only - new for Windows Server 2003
  • GPMC
  • ADM files used to generate HTML reports
  • ADM files loaded from local computer by default
  • If not found, loaded from sysvol
  • User can specify custom location from which to
    load ADMs
  • NEVER copied to sysvol

16
Security Policy Settings
Account Policies Configure password, account, and Kerberos policies (domain only)
Local Policies Configure auditing, user rights, and security options
Event Log Configure settings for application logs, system logs, and security logs
Restricted Group Configure group memberships for security sensitive groups
System Services Configure security and startup settings for services running on a computer
Registry Configure security on registry keys
File System Configure security on specific file paths
Public Key Configure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
IP Security Configure IP security on a network
Wireless Configure wireless settings
Software Restriction Configure which apps can be run or disallowed
17
Security Tips
  • Account Policies must be configured at domain
    level
  • Security settings always re-apply every 16 hours
  • Dont apply full security templates through Group
    Policy
  • Those are intended for one time only
  • File and Registry ACLs time consuming to apply
    and also tattoo
  • Restricted groups dont merge See 810076

18
Internet Explorer Maintenance
  • Set policy settings to control
  • Browser User Interface (Title, logo)
  • Connection (Proxy, autodetect, etc)
  • URLs home page, favorites
  • IE Security Zones, Privacy, Content Ratings,
    Authenticode
  • Programs
  • Enhanced Security Configuration (ESC) on Win2003
  • New secure configuration for IE impacts Zones and
    Privacy
  • ESC-enabled and -disabled computers must be
    managed independently
  • GPOs with ESC-enabled settings only apply to ESC
    enabled machines, and vice versa.
  • ESC state of admin machine determines whether a
    GPO is ESC-enabled or not

19
CommsNet example
Set Home Page Trusted Zones
20
Folder Redirection
  • Supports Server-Based Storage of Common Folders
  • My Documents
  • Application Data
  • Desktop
  • Start Menu
  • Benefits
  • Availability of user data on any computer
  • Reduced network usage when users move between
    machines
  • Increased ease of backup of redirected folders
  • Used in conjunction with Offline Files to provide
    access when disconnected from network
  • On XP and above, all redirected folders are
    automatically admin pinned for offline use
  • For each folder, you can choose
  • No policy - does not redirect
  • Basic - redirects all users to the same place
  • Advanced- redirects users to different locations
    based on security group membership

21
Folder Redirection Tips
  • General recommendations
  • Consider redirection of My documents
  • If using Roaming Profiles, this is a must
  • Optionally consider redirecting Desktop
  • If users store documents on desktop
  • Start Menu and AppData generally not recommended
    for redirection
  • Let the system create folders for each user to
    avoid improper ACLs
  • To remove Folder Redirection, use the Redirect
    to the local user profile setting
  • When using EFS, encrypt the local cache, not the
    folder on the server

22
CommsNet
London
msevdad1
msevdad2
Event
23
CommsNet example
Redirect Desktop My Documents
24
Software Installation
  • 3 deployment options
  • Assign to computer
  • App is installed at boot.
  • Assign to user
  • App installed either on demand or (with XP and
    above) at user logon
  • Publish to user
  • User chooses to install from add remove programs.
  • Requires MSI apps
  • Except ZAP apps, which is limited (no elevated
    install)
  • Tips
  • Make sure machine accounts have access to
    Software Distribution points for machine assigned
    apps
  • On Win2k, turn off Include OLE and Class product
    information in Advanced Deployment Options
  • No supported way to control install order within
    a GPO

25
CommsNet Example
Install the Citrix Client
26
Scripts
  • Computer-based scripts
  • startup and shutdown
  • Run in local system context
  • User based scripts
  • logon and logoff
  • Run in user context
  • Configurable options
  • Processing order if multiple scripts
  • Script timeout (default is 10 minutes)
  • Computer Configuration\Administrative
    Templates\System\Logon\Maximum wait time for
    Group Policy scripts
  • Tips
  • Scripts only execute at if connected to network
    during boot and logon (requires foreground
    refresh)

27
CommsNet Example
Deploy new Wallpaper Set Local Group
Membership Etc etc.
28
Remote OS Installation
  • Most RIS infrastructure on the RIS Server
  • Group Policy allows configuration of client
    install wizard options

29
How do clients apply Group Policy
30
When Does Group Policy Get Applied?
  • Group Policy Applies Computer Settings
  • Startup Scripts Run

Computer Starts
  • Group Policy Applies User Settings
  • Logon Scripts Run

User Logs On
and at periodic intervals
31
Foreground vs Background refresh
  • Foreground refresh
  • At boot and logon
  • Processing is synchronous
  • Logon prompt not displayed till computer
    processing complete
  • Desktop not displayed till user processing
    complete
  • Requires connectivity to domain
  • All extensions processed
  • Background refresh
  • Approximately every 90 minutes (except for DCs, 5
    mins)
  • Interval and random offset configurable through
    policy setting
  • Processing is asynchronous
  • Software installation and folder redirection
    settings not processed

32
Processing Optimizations
  • During refresh, GP is re-applied only if there
    are changes in the GPOs, or the list of GPOs
  • Can override this to ALWAYS process via policy
    setting, for each extension
  • Windows XP Fast Logon Optimization
  • OS does not wait for network start before
    displaying logon screen
  • Configurable via policy setting
  • Computer policy is processed as background
    refresh at logon.
  • Changes to Folder Redirection and Software
    Installation may require multiple reboots to apply

33
CommsNet example
Disable fast logon to ensure Kiosk mode
34
Group Policy Over Slow Links
  • Slow link connection lt 500 kbps, by default
  • Configurable via policy setting
  • When slow link is detected
  • Security Settings and Administrative Templates
    are always applied
  • By Default, Software Installation, Scripts, and
    Folder Redirection are not applied
  • Configurable via policy setting for each
    extension
  • RAS does not necessarily imply slow link

35
Common Group Policy Questions
36
Question 1
  • Q Where can I get a list of the available ADM
    settings?
  • A http//go.microsoft.com/fwlink/?LinkId15165
  • Allows filtering by
  • Supported OS
  • Component Area
  • Includes
  • Registry Setting
  • Explain text

37
Question 2
  • Q Are there pre-configured example GPOs
    available to get me started?
  • A Yes
  • http//go.microsoft.com/fwlink/?LinkId14951
  • Provides GPO templates for several common
    scenarios
  • Will be updated in next few weeks to be based on
    GPMC backups

38
Question 3
  • Q Where can I learn more about managing ADM
    files?
  • A KB 816662 discusses and provides
    recommendations for
  • Mixed platforms
  • Mixed languages
  • Sysvol size issues

39
Question 4
  • Q What are the new Group Policy features since
    Windows 2000
  • A
  • Introduced in WinXP
  • Group Policy Results (RSoP logging)
  • WMI filter client support
  • Software Restriction Policy client support
  • Fast logon optimization
  • New policy settings
  • New GPResult.exe based on RSOP
  • Introduced in Windows Server 2003
  • GPMC
  • New admin tool for managing Group Policy
  • Web download for both XP and 2003
  • Group Policy Modeling (RSoP planning)
  • WMI Filters admin support
  • Software Restriction Policies Admin Support
  • New Policy Settings

40
Question 5
  • Part 1
  • Q What are requirements to use Group Policy
    Results
  • A Clients must be running on XP or later
  • Part 2
  • Q Is there any dependency on whether I have a
    2000 or 2003 based AD ?
  • A Group Policy Results is a function of the
    client. However the ability to delegate remote
    access to read Group Policy results data requires
    AD schema for Windows Server 2003
  • ADPrep /ForestPrep

41
Question 6
  • Q What are the requirements for using Group
    Policy Modeling
  • A Group Policy Modeling is performed by a
    service that is only available on DCs running
    Windows 2003. There is no dependency on the
    client OS.

42
Question 7
  • Q What are the requirements to use WMI filters?
  • A
  • Client Dependencies
  • Clients must be running XP or later
  • Win2000 clients ignore the filter and always
    apply the WMI filtered GPO
  • Server Dependencies
  • Forest must have Windows 2003 AD schema (ADPrep
    /ForestPrep)
  • Domain Must run ADPrep /DomainPrep to use for
    clients in that domain
  • DCs dont actually need to be running Win2003

43
Question 8
  • Q Are there any dependencies in Group Policy on
    native mode vs mixed mode?
  • A No. However, various features do have
    dependencies on the following
  • Schema level of the forest (ADPrep /ForestPrep)
  • Domain configuration (has ADPrep /DomainPrep been
    run?)
  • Presence of at least one DC

44
Question 9
  • Qa Can I use GPMC to manage a my environment if
    all my DCs are running Windows 2000?
  • Qb Can I use GPMC if my clients are running
    Windows 2000?
  • A Yes. However, GPMC itself must run on a
    computer running Windows XP SP1 or Windows Server
    2003.
Write a Comment
User Comments (0)
About PowerShow.com