Section 1: Introducing Group Policy
What Is Group Policy?
Group Policy Scenarios
New Group Policy Features Introduced with Windows Server 2008 and Windows Vista
New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7
New Group Policy Features in Windows Server 2012 and Windows 8 Client
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
• Define Group Policy
• List the ways you can use Group Policy
• Describe the tools, features, and policies you can use to manage group policies
• Describe the new Group Policy features available in the latest versions of Windows
What Is Group Policy?
Group Policy is built on the Active Directory structure
Group Policy controls:
• Desktop settings and restrictions
• Security policies
• Folder redirection
• Software deployment
• Software restrictions
• Logon scripts
Desktop Settings and Restrictions
Configure standardized settings for the desktop environment
• Screen saver
• Desktop background
• Shortcuts to applications
Configure desktop restrictions to reduce support calls
• Lock the taskbar
• Prevent access to Control Panel apps
• Restrict or hide Start screen/menu items
Security Policies
• Password Policy
• Account Lockout Policy
• Audit Policy and Advanced Audit Policies
• User Rights Assignment
• Security Options
• Event Log
• Restricted Groups
• System Services
• File System
• Windows Firewall with Advanced Security
Folder Redirection
Use Folder Redirection to store the user’s personal documents on a server instead of locally
• AppData (Roaming)
• Desktop
• Start Menu
• Documents
• Pictures
• Music
• Videos
• Favorites
• Contacts
• Downloads
• Links
• Searches
• Saved Games
Software Deployment
Myapp.msi
Distribute MSI packages to the Computer or User
Configure as Assigned or Published
Software Restrictions
Software Restriction Policies
• Compatible with Windows XP and later
• Are more difficult to configure for large numbers of files
AppLocker Policies
• Compatible with Windows 7 and later
• Can be created by scanning a folder structure
• Can use wildcard values to restrict or allow access
Logon Scripts
Computer scripts
• Startup script
• Shutdown script
User scripts
• Logon script
• Logoff script
Scripts can be written as:
• Executables
• VBScript, JavaScript, Perl scripts
• PowerShell scripts
Group Policy Scenarios
Scenario | Solution
Prevent changes to the desktop environment | Use desktop restriction policy settings
Enforce an Audit policy for servers | Use security policies
Maintain user documents on a central server | Use Folder Redirection
Assign a software package to many computers | Create a software deployment policy
Prevent users from running unauthorized code | Use a software restriction policy
Map a drive letter to a server resource | Create a login script in a policy
New Group Policy Features Introduced with Windows Server 2008 and Windows Vista
• Group Policy Management Editor Enhancements
• Group Policy Service Changes
• New GPO Settings
Group Policy Management Editor Enhancements
New Feature | Description
New format for ADMX (Administrative Templates) | XML format
Starter GPO | Templates for GPO creation
Comments for GPOs | Ability to add custom comments to GPOs
GPO filtered view | Ability to sort or limit the display of policies
GPMC | Now the default Group Policy tool
Group Policy Service Changes
New
Group Policy service | Restarts and logoff/logon not required
Local Group Policy enhancements | Multiple local GPOs
Network location awareness | No longer relies on ICMP; Ability to sort or limit the display of policies
New GPO Settings
New
Hundreds of new policy settings have been added:
• New power management options
• Block device driver installation
• Windows Firewall with Advanced Security options
• New Windows Internet Explorer options
• Location-based printer installation
• Printer driver installation for non-administrators
New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7
• Windows PowerShell Cmdlets
• Group Policy Preferences
• Starter GPOs
• Administrative Template Settings
• AppLocker
New Group Policy Features in Windows Server 2012 and Windows 8 Client
• Remote Update from the GPMC
• PowerShell Invoke-GPUpdate
• Group Policy Infrastructure Status
• Policy Error Links in RSOP Results
• Hundreds of New GPO Items
Summary
Group Policy is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment.
Use Group Policy to:
• Prevent changes to the desktop environment
• Enforce an Audit policy for servers
• Maintain user documents on a central server
• Assign a software package to many computers
• Prevent users from running unauthorized code
• Map a drive letter to a server resource
Summary (cont.)
New Group Policy features in Windows Server 2008 and Windows Vista
Feature Description
Group Policy Management Editor Enhancements
• New format for ADMX: Based on XML file format; new GPO tools can read ADM and ADMX files
• Starter GPO: Creates a template of GPO settings that you can reuse
• Comments for GPOs: Add custom comments to GPOs
• GPO filter view: Displays settings in a variety of ways, including sort view or filtered view
• GPMC: Standard tool for managing group policies
Group Policy Service Changes
• Group Policy service: Runs as a service of its own
• Local Group Policy enhancements: Create multiple GPOs for the local computer
• Network location awareness: Group Policy now uses event detection and event notification and provides faster startup times when group policies are applied
Summary (cont.)
New Group Policy features in Windows Server 2008 and Windows Vista (cont.)
Feature Description
New GPO Settings
• New power management options: Set central standard for power management settings
• Block device driver installation: Settings are now more granular; can block or allow device driver installation down to a specific PnP hardware identifier; can block installation of removable media devices; can customize a balloon tip message when installation is prevented
• Windows Firewall with Advanced Security options: With a new interface you can easily create outbound filters; IPSec functionality has been integrated directly into the Windows Firewall interface
• New Internet Explorer options: Most new Windows Internet Explorer settings are now configurable through Group Policy; can centrally define home pages, security settings, history retention, etc.
• Printer installation: Location-based printer installation (shared printer connections are automatically available to computer or user side of the GPO); printer driver installation for non-administrators (installation of printer device drivers now occurs in the background with elevated privileges)
Summary (cont.)
New Group Policy features in Windows Server 2008 R2 and Windows 7
Feature Description
Windows PowerShell cmdlets
• Manage Group Policy from Windows PowerShell and run Windows PowerShell scripts during logon and startup; cmdlets allow GPO configuration from command line and for automation
Group Policy Preferences
• Additional types of GPO preference items were added
Starter GPOs
• New default Starter GPOs were added to the GPMC interface
Administrative Template Settings
• New user interface and additional policy settings were added; Administrative Templates section was augmented with new settings and an editor window that is easier to navigate
AppLocker
• A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group
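The Windows PowerShell cmdlets and the Invoke-GPUpdate remote refresh listed above, combined into one repeatable script that builds and links a screen-lock GPO. This is an added example, not part of the course material; the GPO name, the OU path (assumed to hold both the user accounts and their computers) and the report path are placeholders.

```powershell
# Added example: GPO name, OU and paths below are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory      # only needed for Get-ADComputer at the end

$GpoName  = 'Desktop - Screen Lock'
$TargetOu = 'OU=Staff,DC=example,DC=com'   # assumed to contain users and their PCs
$Key      = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Create the GPO once and reuse it on later runs so the script is repeatable.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lock idle sessions after 15 minutes'
}

# Registry-based user settings: turn the screen saver on, require a password
# on resume, and start it after 900 seconds of inactivity.
$settings = @{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = '900'
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# Link the GPO to the OU only if it is not linked there already.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Save an HTML report of the configured settings for change review.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\screen-lock-gpo.html"

# Remote refresh (Windows Server 2012 / Windows 8 feature): schedule an
# immediate policy update on every computer in the OU.
Get-ADComputer -Filter * -SearchBase $TargetOu | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0 -Force
}
```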
Knowledge Check
1. What is Group Policy used for? (Choose all that apply.)
a. To configure desktop settings
b. To deploy software
c. To enforce security policies
d. To run logon scripts
2. What is Group Policy?
It is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment.
Knowledge Check (cont.)
3. Match each Group Policy feature with its correct description.
Group Policy Feature
• GPMC
• Windows Firewall with Advanced Security
• AppLocker
• Windows PowerShell cmdlets
• Power management options
Description
A. A tool used to create inbound and outbound firewall policies. IPSec functionality has been integrated directly into the interface.
B. These allow GPO configuration from the command line and for automation.
C. These set the central standard for power management settings.
D. A standard tool used to manage group policies.
E. A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group.
A
D
E
B
C