Week 5: Group Policy
• Understand Group Policy
• Implement GPOs
• A Deeper Look at Settings and GPOs
• Manage Group Policy Scope
• Group Policy Processing
• Frequently Used Group Policy Settings
Group Policy
• The framework for configuration management in an AD DS domain: centralized management, applying one or more changes to one or more users or computers
• Setting: the definition of a change or configuration
• Scope: the definition of the users or computers to which the changes apply
• Application: the mechanism that applies the setting to the users and computers within the scope
Group Policy Objects
• The container for one or more policy settings
• Managed with the Group Policy Management Console (GPMC), in its Group Policy Objects container
• Edited with the Group Policy Management Editor (GPME)
• A GPO can be linked to a site, domain, or organizational unit (OU) (SDOU)
  • A GPO can be linked to multiple sites or OUs
  • The GPO's links define the maximum scope of the GPO
• Security group filtering
  • Apply or deny application of the GPO to members of a global security group
  • Filters the application of the GPO within its link scope
WMI Filters
• Windows Management Instrumentation (WMI)
• WMI Query Language (WQL), similar to T-SQL, for example:
  Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
• Create a WMI filter
• Use the filter for one or more GPOs
Group Policy Client and Client-Side Extensions (CSEs)
• The Group Policy Client retrieves an ordered list of GPOs (client "pull")
• GPOs are downloaded (then cached)
• Components called client-side extensions (CSEs) process the settings to apply the changes
  • Most CSEs apply settings only if the GPO (as a whole) has changed, which improves performance
  • GPO application is client driven ("pull")
• Group Policy refresh: every 90 to 120 minutes, at startup and logon, or on demand with the gpupdate /force command
• Resultant Set of Policy: the "cumulative" effect of Group Policy
Local GPOs
• Apply before domain-based GPOs and are overridden by domain-based GPOs on any conflict
• One local GPO in Windows 2000, Windows XP, and Windows Server 2003; multiple local GPOs in Windows Vista and later:
  • Local GPO: computer settings and settings for all users
  • Administrators GPO: settings for users in Administrators
  • Non-administrators GPO: settings for users not in Administrators
  • Per-user GPO: settings for a specific user
• If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used? Home, local account, deployment image
Domain-Based GPOs
• Created in Active Directory, stored on domain controllers
• Two default GPOs:
  • Default Domain Policy: defines account policies for the domain (password, account lockout, and Kerberos policies)
  • Default Domain Controllers Policy: defines auditing policies for domain controllers and Active Directory
GPO Storage
• What we call a GPO is actually two things, stored in two places
• Group Policy Container (GPC)
  • Stored in AD DS
  • Friendly name, globally unique identifier (GUID), version
• Group Policy Template (GPT)
  • Stored in SYSVOL on domain controllers (DCs)
  • Contains all files required to define and apply settings
  • Its .ini file contains the version
Registry Policies in the Administrative Templates Node
• Policy settings in the Administrative Templates node make changes to the registry
• Example: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, value DisableRegeditMode
  • 1: disables the Regedit UI tool only
  • 2: also disables regedit /s
Managed Settings and Unmanaged Settings (Administrative Templates)
• Managed policy setting
  • The user interface (UI) is locked; the user cannot change the setting
  • Changes are made in one of four reserved registry keys
  • The change and the UI lock are "released" when the user/computer falls out of scope
• Unmanaged policy setting
  • The UI is not locked
  • Makes a change that is persistent: it "tattoos" the registry
• Only managed settings are shown by default; set Filter Options to view unmanaged settings
Administrative Templates: Modify Registry Settings
• HKEY_LOCAL_MACHINE for computer settings, HKEY_CURRENT_USER for user settings
Setting types and what they control:
• Windows Components: Windows tools and components to which users can gain access, including MMC
• System: logon and logoff, Group Policy, disk quotas, and loopback policy
• Network: the properties of network connections and dial-in connections
• Printers: printer settings
• Start Menu & Taskbar: what users can gain access to from the Start menu
• Desktop: the Active Desktop, what appears on desktops, and what users can do with the My Documents folder
• Control Panel: the use of Add/Remove Programs, Printers, and Display in Control Panel
Administrative Templates (diagram): .ADMX and .ADML files define the settings that are written to the Registry.
The Central Store
• .ADM files: stored in the GPT, which leads to version control and GPO bloat problems
• .ADMX/.ADML files: retrieved from the client
• Central Store: create a folder called PolicyDefinitions on a DC
  • Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
  • Locally: %SystemRoot%\SYSVOL\contoso.com\Policies\PolicyDefinitions
  • Copy the .ADMX files from your %SystemRoot%\PolicyDefinitions folder, and the .ADML files from its language-specific subfolders (such as en-us)
Manage GPOs and Their Settings
• Copy (and paste into a Group Policy Objects container)
  • Create a new "copy" GPO and modify it
  • Transfer a GPO to a trusted domain, such as test-to-production
• Back up all settings, objects, links, permissions (access control lists [ACLs])
• Restore into the same domain as the backup
• Import settings into a new GPO in the same or any domain
  • Migration table for source-to-destination mapping of UNC paths and security group names
  • Replaces all settings in the GPO; it is not a "merge"
• Save report
• Delete
• Rename
Group Policy Processing Order (diagram): local GPOs are processed first, then GPOs linked to the Site, the Domain, and each OU from the top of the tree down to the OU containing the object; the diagram labels these links GPO1 through GPO5. A GPO processed later overrides an earlier one where their settings conflict.
Processing examples (diagrams): GPO D is linked to the domain; the Business OU holds GPO B and contains the Employees, Groups and Clients OUs; GPO E is linked to the Employees OU, where the user accounts are, and GPO C to the Clients OU, where the computer accounts are.
• Default inheritance: Computer D+B+C, User D+B+E
• Block Inheritance on the Business OU: Computer B+C, User B+E
• Block Inheritance on the Business OU, plus a Security GPO S linked above it at the domain and marked Enforced: Computer B+C+S, User B+E+S
Enable or Disable GPOs and GPO Nodes
• GPO Details tab, GPO Status drop-down list:
  • Enabled: both Computer Configuration and User Configuration settings will be applied by CSEs
  • All settings disabled: CSEs will not process the GPO
  • Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
  • User Configuration settings disabled: CSEs will not process settings in User Configuration
Loopback Policy Processing
• At user logon, user settings from GPOs scoped to the computer object are applied
  • Creates a consistent user experience on a computer: conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
• Setting: Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
• Replace mode: the user gets none of the User settings that are scoped to the user, only the User settings that are scoped to the computer
• Merge mode: the user gets the User settings scoped to the user, but those settings are overlaid with the User settings scoped to the computer; the computer wins
Loopback example (diagram): the Business OU holds GPO B and contains the Employees OU (users, GPO E), the Clients OU (GPO C) and a Kiosks OU (kiosk computers, GPO K, loopback enabled); inheritance from the domain is still blocked at the Business OU, so GPO D does not appear.
• Without loopback, on a Clients computer: Computer B+C, User B+E
• Replace mode, on a Kiosks computer: Computer B+K, User B+K
• Merge mode, on a Kiosks computer: Computer B+K, User E+B+K
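The inheritance, Block Inheritance, Enforced and loopback results in the diagrams above can be reproduced with a small model of the processing order. This is an added example, not course material or Microsoft code; the container and GPO names mirror the diagrams, and the treatment of a GPO that appears in both the user's and the computer's list under merge mode is a modelling assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Container:
    """A site, domain or OU.  links: (gpo_name, enforced) in link order;
    block_inheritance drops non-enforced GPOs inherited from above."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False
    children: dict = field(default_factory=dict)


def resultant_gpos(root, path):
    """GPOs in processing order (first applied .. last applied; the last one
    wins) for an object in the container reached by walking path from root."""
    chain, node = [root], root
    for name in path:
        node = node.children[name]
        chain.append(node)
    normal, enforced = [], []
    for node in chain:
        if node.block_inheritance:
            normal = []  # inherited, non-enforced GPOs are discarded here
        for gpo, is_enforced in node.links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links are applied after everything else, and the one closest to
    # the root is applied last, so a domain-level Enforced GPO beats an OU's.
    return normal + enforced[::-1]


def loopback_user_gpos(user_gpos, computer_gpos, mode):
    """User settings applied at logon.  replace: only the User settings of the
    GPOs scoped to the computer; merge: the user's GPOs, then the computer's
    on top (the computer wins).  Model assumption: a GPO present in both lists
    is applied once, in its later (computer) position."""
    if mode == "replace":
        merged = list(computer_gpos)
    elif mode == "merge":
        merged = list(user_gpos) + list(computer_gpos)
    else:
        merged = list(user_gpos)
    return [g for i, g in enumerate(merged) if g not in merged[i + 1:]]


def slide_domain(block=False, enforce_s=False):
    """The diagrams' layout: GPO D (and optionally Enforced GPO S) at the
    domain, B at the Business OU, E/C/K at the Employees/Clients/Kiosks OUs."""
    domain = Container("contoso.com", [("D", False)])
    if enforce_s:
        domain.links.append(("S", True))
    business = Container("Business", [("B", False)], block_inheritance=block)
    for ou, gpo in (("Employees", "E"), ("Clients", "C"), ("Kiosks", "K")):
        business.children[ou] = Container(ou, [(gpo, False)])
    domain.children["Business"] = business
    return domain
```

Calling resultant_gpos(slide_domain(block=True, enforce_s=True), ["Business", "Clients"]) returns ['B', 'C', 'S'], the Enforced scenario on the slide; feeding the Employees and Kiosks lists to loopback_user_gpos reproduces the Replace and Merge results.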
A Detailed Review of Group Policy Processing
• The computer starts; the Remote Procedure Call System Service (RPCSS) and the Multiple Universal Naming Convention Provider (MUP) are started
• The Group Policy Client starts and obtains an ordered list of the GPOs that are scoped to the computer: Local, Site, Domain, OU, then Enforced GPOs
• The Group Policy Client processes each GPO in order
  • Should it be applied? (enabled/disabled, permission, WMI filter)
  • CSEs are triggered to process the settings in the GPO
  • Settings configured as Enabled or Disabled are processed
• The user logs on
• The process repeats for user settings
• Every 90 to 120 minutes after startup, computer refresh
• Every 90 to 120 minutes after logon, user refresh
Understand When Settings Take Effect
• GPO replication must happen
• Group changes must be incorporated: logoff/logon for a user, restart for a computer
• Group Policy refresh must occur (Windows XP, Windows Vista, and Windows 7 clients: Always wait for network at startup and logon)
• Settings may require logoff/logon (user) or restart (computer) to take effect
• Manually refresh: GPUpdate [/force] [/logoff] [/boot]
• Most CSEs do not re-apply settings if the GPO has not changed; configure this in Computer\Admin Templates\System\Group Policy
Slow Links and Disconnected Systems
• The Group Policy Client determines whether the link to the domain should be considered a slow link; by default, less than 500 kilobits per second (kbps)
  • Each CSE can use the slow-link determination to decide whether or not to process; the Software CSE, for example, does not process over a slow link
• Disconnected: settings previously applied continue to take effect; exceptions include startup, logon, logoff, and shutdown scripts
• Connected: Windows Vista and later operating systems detect a new connection and perform a Group Policy refresh if the refresh window was missed while disconnected
Frequently Used Policy Settings
• Scripts
• Folder redirection
• Administrative Templates: Users, Desktop, Environment, Control Panel, Internet Explorer
  • Connection settings, proxy settings
• Software distribution
• Account policies
• Local policies
Group Policy Scripts
Group Policy script settings allow you to centrally configure scripts to run automatically at startup and shutdown and when users log on and log off, and to manage and configure user environments.
• Computer Configuration: Startup/Shutdown scripts
• User Configuration: Logon/Logoff scripts
Processing Order
When a user starts a computer and logs on:
  a. Startup scripts run
  b. Logon scripts run
When a user logs off and shuts down a computer:
  a. Logoff scripts run
  b. Shutdown scripts run
Windows Server 2008 processes multiple scripts from top to bottom (diagram: the process of applying scripts).
Assigning a Group Policy Script
(Screenshot: the Logon Properties dialog, Scripts tab, "Logon Scripts for [AUCKLAND.contoso.msft]", listing the scripts Development.vbs and Information Services.vbs with their parameters and the Up, Down, Add..., Edit..., Remove and Show Files... buttons. Show Files... opens the folder where the script files for this Group Policy Object are stored.)
• Copy the script to the appropriate GPT
• Add the script to the appropriate GPO
Folder Redirection
• Data is always available to users regardless of the computer they log on to
• Data is centrally stored for ease of management and backup
• Files are not saved on the client computer
Folders that can be redirected to a server, and why:
• Documents: users can access their data from any computer, and this data can be backed up and managed centrally
• Start Menu: users' Start menus are standardized
• Desktop: users have the same desktop regardless of the computer to which they log on
• Application Data: applications use the same user-specific data for a user regardless of the computer to which the user logs on
Redirect Folders to a Share on a Server
(Screenshots: the Desktop Properties dialog, Target tab, "You can specify the location of the Desktop folder". The Setting drop-down offers three choices.)
• No administrative policy specified: the Group Policy Object will have no effect on the location of this folder
• Basic – Redirect everyone's folder to the same location: the folder is redirected to the specified target folder location, for example \\london\desktops\%username%; use the %username% variable so that each user gets an individual folder
• Advanced – Specify locations for various user groups: the folder is redirected to different locations based on the security group membership of the users, for example CONTOSO\acct to \\london\acct\%username% and CONTOSO\sales to \\london\sales\%username%
Group Policy Settings to Lock Down the Desktop
• Hide all icons on desktop
• Don't save settings at exit
• Hide these specified drives in My Computer
• Remove Run menu from Start menu
• Prohibit user from running Display control panel
• Disable and remove links to Windows Update
• Disable changes to Taskbar and Start Menu settings
• Disable/Remove the Shut Down command
Group Policy Settings to Lock Down User Access to Administrative Tools and Applications
• Remove Search menu from Start menu
• Remove Run menu from Start menu
• Disable Task Manager
• Run only allowed Windows applications
• Remove the Documents menu from the Start menu
• Disable changes to Taskbar and Start Menu settings
• Hide common program groups in Start menu
Internet Explorer Connection (screenshot of the Internet Explorer connection settings)
Understand Password Policies
• Defined and enforced at the domain level
• Password policies consist of:
  • Enforce password history: 24 passwords
  • Maximum password age: 42 days
  • Minimum password age: 1 day
  • Minimum password length: 7 characters
  • Password complexity: enabled
  • Store passwords using reversible encryption: disabled
Understand Account Lockout Policies
• Account lockout policies consist of:
  • Lockout duration: not defined
  • Lockout threshold: 0 invalid logon attempts
  • Reset account lockout after: not defined
• Help mitigate the threat of brute-force attacks on user accounts
• Unlock: a user who is locked out can be unlocked by an administrator; the Reset account lockout policy can specify a "timeout" after which the account is automatically unlocked
Fine-Grained Password and Lockout Policy
Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain, for example:
• Domain policy: length 10, max age 90, lockout 5 in 30 min, reset 30 min
• Administrative accounts: length 15, max age 45, lockout 5 in 60 min, reset 1 day
• Service accounts: password never expires, length 64, lockout none
• Finance users: length 15, max age 60, lockout 5 in 30 min, reset 30 min
Password Settings Objects (PSOs)
A PSO has the following settings available:
• Password policies
• Account lockout policies
• PSO link
• Precedence
Considerations when implementing PSOs:
• PSOs can only be applied to users or global groups
• PSOs can be created through ADSI Edit or LDIFDE
• The Password Settings Container (PSC) and Password Settings Objects (PSOs) are new object classes defined by the schema
• The Windows Server 2008 domain functional level is required
PSO Precedence and Resultant PSO
• A PSO can be linked to more than one group or user, and a group or user can have more than one PSO linked to it
• Only one PSO "wins": the Resultant PSO
  • Precedence: lower (closer to 1) has higher precedence
  • Any PSO linked to the user overrides all global group PSOs
  • The user-linked PSO with the highest precedence (closest to 1) wins
• If there are no PSOs, the domain account policies apply
• Best practices
  • Use only group-linked PSOs; do not link to user objects
  • Avoid having two PSOs with the same precedence value
• PSOs cannot be "linked" to an OU; create a shadow group that contains all users in the OU
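A model of the Resultant PSO rules just listed, together with a check for the same-precedence situation the best-practice bullet warns about. This is an added example, not course material or Microsoft code: the PSO names, precedence values, group names and objectGUIDs are constructed, and the password settings follow the Fine-Grained Password and Lockout Policy slide.

```python
# Constructed PSOs modelling the fine-grained policy slide.  Names, precedence
# values and objectGUIDs are made up; the settings come from the slide.
DOMAIN_POLICY = {"name": "Default Domain Policy", "min_length": 10,
                 "max_age_days": 90, "lockout": "5 in 30 min"}
PSOS = [
    {"name": "PSO-Admins", "precedence": 10, "guid": "guid-a1",
     "applies_to": {"Administrative accounts"},
     "min_length": 15, "max_age_days": 45, "lockout": "5 in 60 min"},
    {"name": "PSO-ServiceAccounts", "precedence": 20, "guid": "guid-b2",
     "applies_to": {"Service Accounts"},
     "min_length": 64, "max_age_days": None, "lockout": "none"},
    {"name": "PSO-Finance", "precedence": 30, "guid": "guid-c3",
     "applies_to": {"Finance users"},
     "min_length": 15, "max_age_days": 60, "lockout": "5 in 30 min"},
]


def resultant_pso(user, groups, psos=PSOS, domain_policy=DOMAIN_POLICY):
    """Return the policy that applies to `user` (a sAMAccountName) who is a
    member of the global `groups`.  Rules from the slide: any PSO linked to the
    user itself beats every group-linked PSO; among the candidates the lowest
    precedence value wins; with no PSO at all the domain account policy applies.
    A precedence tie is broken by the lowest objectGUID (compared here as
    strings, a simplification of AD's GUID comparison)."""
    direct = [p for p in psos if user in p["applies_to"]]
    via_group = [p for p in psos if p["applies_to"] & set(groups)]
    candidates = direct or via_group
    if not candidates:
        return domain_policy
    return min(candidates, key=lambda p: (p["precedence"], p["guid"]))


def precedence_conflicts(psos=PSOS):
    """Precedence values shared by more than one PSO, the situation the
    best-practice bullet says to avoid.  An empty dict means no conflicts."""
    by_prec = {}
    for p in psos:
        by_prec.setdefault(p["precedence"], []).append(p["name"])
    return {prec: names for prec, names in by_prec.items() if len(names) > 1}
```

For a service account that is also in Finance users, resultant_pso returns PSO-ServiceAccounts because precedence 20 beats 30; a user-linked PSO wins even with a worse precedence value, which is why the slide recommends group-linked PSOs only.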
Managing User Environments
• Configure and centrally manage user environments
  • Enforce standard configurations
  • Limit user access to portions of the operating system
  • Ensure that users always have their data
  • Restrict the use of Windows tools and components
  • Populate user desktops
  • Secure the user environment
(Diagram: the tools for managing user environments are Administrative Templates settings, which write to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER in the registry; script settings; redirecting user folders such as Documents; and security settings.)