Hands-On Microsoft Windows Server 2003 Administration
Chapter 4: Managing Group Policy

Objectives
• Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
• Manage and troubleshoot Group Policy inheritance
• Deploy and manage software using Group Policy

Introduction to Group Policy
• Group Policy
  – Enables the centralized management of user and computer configuration settings
  – Implemented using Group Policy objects
• Group Policy object (GPO)
  – Used to perform a variety of administrative tasks, including:
    • Configure desktop settings using administrative templates
    • Control security settings for users and computers
    • Assign scripts to run when a user logs on or off, or when a computer starts up or shuts down
    • Redirect folders out of a user's local profile to a network location
    • Automate software distribution and maintenance to computers throughout the network

Creating a Group Policy Object
• Ways to create a GPO
  – The standalone Group Policy Microsoft Management Console (MMC) snap-in
  – The Group Policy tab of a domain or OU in Active Directory Users and Computers (of a site in Active Directory Sites and Services)
• Once a GPO is created, edit it to control specific user or computer settings

[Figure: Configuration categories available for GPOs]

• GPO content is stored in two different locations on the domain controller
  – Group Policy container (GPC)
    • An Active Directory object that stores information about the GPO, including its version number
    • Located under CN=Policies,CN=System in the domain partition (shown as System\Policies in Active Directory Users and Computers when Advanced Features is enabled)
  – Group Policy template (GPT)
    • A folder tree holding the data that makes up the policy: security settings, administrative template (.adm) files, scripts, and software installation data
    • Stored in the %systemroot%\Sysvol\<Domain Name>\Policies folder and replicated to every domain controller in the domain
• Globally unique identifier (GUID)
  – A unique 128-bit number assigned to the GPO when it is created
  – Names both the GPC and the GPT folder, which is how the two halves are matched; the friendly name shown in the console is only an attribute of the GPC
  – The GPC and the GPT each carry a version number; if they differ, replication has not completed and clients may receive an inconsistent policy

Application of Group Policy
• GPOs can be linked to, and so apply configuration options to, the
  – Local computer
  – Site
  – Domain
  – OU
• Main categories within a GPO:
  – Computer Configuration, processed when the computer starts and on each refresh
  – User Configuration, processed when the user logs on and on each refresh

Controlling User Desktop Settings
• Group Policy helps reduce administrative costs by allowing the administrator to
  – Enforce standard computer configurations
  – Limit user access to various areas of the operating system
  – Ensure that users keep their own personal desktop and application settings
• Administrative templates
  – Consist of several categories of configuration settings
  – Their settings are written to the policy keys of the registry (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies under HKLM and HKCU), which ordinary users cannot modify, so the settings cannot simply be edited away

[Figure: Configuration categories of administrative templates]

Managing Security with Group Policy
• Group Policy can be used to modify and maintain a number of domain-based security configurations so that they comply with organizational security standards
• Security templates
  – Can be created from current security standards and imported into the Security Settings node of a GPO

Configuring Account Policies
• Account Policies node
  – Found under Computer Configuration\Windows Settings\Security Settings of a GPO
  – Includes three subcategories:
    • Password Policy
    • Account Lockout Policy
    • Kerberos Policy
  – For domain user accounts these settings are read only from GPOs linked at the domain level (the Default Domain Policy by default); an Account Policies setting in an OU-linked GPO affects only the local accounts of the computers in that OU
• Password Policy node
  – Contains configuration settings for the password's
    • History (enforce password history)
    • Minimum and maximum age
    • Minimum length
    • Complexity requirements
    • Storage using reversible encryption (leave this disabled)

[Figure: Password policies in Windows Server 2003]

• Account Lockout Policy node
  – Contains configuration settings for
    • Account lockout threshold (number of failed logon attempts; 0 means the account is never locked out)
    • Account lockout duration
    • Reset account lockout counter after
  – A low threshold combined with a long duration lets an attacker lock accounts out on purpose, so set the three values together

[Figure: Account Lockout Policies]

• Kerberos Policy node
  – Contains configuration settings for
    • Maximum lifetime of the ticket-granting ticket (user ticket) and the period over which it can be renewed
    • Maximum lifetime of service (session) tickets
    • Enforcement of user logon restrictions
    • Maximum tolerance for clock skew between computers, which bounds the replay window for Kerberos authenticator time stamps

[Figure: Kerberos policy node configuration]

Managing Security with Group Policy (Continued)
• Other nodes under the Security Settings category
  – Local Policies (Audit Policy, User Rights Assignment, Security Options)
  – Event Log
  – Restricted Groups
  – System Services
  – Registry
  – File System
  – Wireless Network (IEEE 802.11) Policies
  – Public Key Policies
  – Software Restriction Policies
  – IP Security Policies on Active Directory

Using the Security Configuration Manager Tools with Group Policy
• Security Configuration Manager tools
  – Can be used with Group Policy to create a security template from a specific group of security settings
  – Can be used to analyze and implement security settings on a computer
  – Useful in maintaining security settings over time
• Core components of the Security Configuration Manager tools:
  – Security templates
  – The Security Settings extension in Group Policy objects
  – The Security Configuration and Analysis snap-in
  – The Secedit command-line tool

Security Templates
• A security template
  – Is a text (.inf) file used to define, edit, and save baseline security settings to be applied to computers with common security requirements
  – Helps ensure that a consistent configuration can be applied to multiple machines and easily maintained
  – Is created and edited using the Security Templates snap-in; the preconfigured templates are stored in %systemroot%\security\templates

[Figure: Viewing the Security Templates console]

Analyzing the Preconfigured Security Templates
• First step in configuring and implementing security templates
  – Categorize the network computers into:
    • Workstations
    • Servers
    • Domain controllers
• Setup security.inf template
  – Stores the default security settings applied to the computer when Windows Server 2003 is installed
  – Purpose: provides a single file in which all of the original computer security settings are stored, so a machine can be returned to its installed state
  – Apply it only to a local machine with Security Configuration and Analysis or secedit; it is large and should not be deployed through Group Policy
• Incremental templates
  – Modify security settings incrementally, on top of the default settings, rather than replacing them
  – Allow the creation of security configurations other than the basic security settings
  – Include
    • Compatws.inf (relaxes file and registry permissions so legacy applications run without making users Power Users)
    • Securews.inf and Securedc.inf (secure workstation or server, secure domain controller)
    • Hisecws.inf and Hisecdc.inf (highly secure; require signed SMB and LDAP traffic and stronger authentication, so older clients that cannot comply lose connectivity)
    • DC security.inf (default settings of a freshly promoted domain controller)
    • Rootsec.inf (default permissions on the root of the system drive)
• Applying security templates
  – Security templates can be applied to either the local machine or, via GPOs, to every computer in a site, domain, or OU
  – To apply a security template to a local machine
    • Open the Local Security Settings MMC console
    • Right-click Security Settings in the console pane and choose Import Policy
    • Select the template file to be imported

Security Configuration and Analysis
• Security Configuration and Analysis utility
  – Compares current system settings to a previously configured security template, which is first loaded into a database (.sdb) for the comparison
  – Identifies
    • Changes to the original security configuration (drift since the template was applied)
    • Possible security weaknesses that become evident when compared to a stronger baseline template
• Results of the comparison
  – A green check mark indicates that the two settings match
  – A red "x" indicates a mismatch
  – A setting the template does not define is shown as Not Defined and is not analyzed

[Figure: Viewing the Security Configuration and Analysis tool]
[Figure: Analyzing security on a computer]

• Secedit.exe
  – Command-line tool that is used to
    • Apply security templates (secedit /configure /db <database.sdb> /cfg <template.inf> /log <file.log>)
    • Analyze security settings (secedit /analyze /db <database.sdb> /cfg <template.inf> /log <file.log>)
    • Export the current settings to a template (secedit /export /cfg <file.inf>)
  – Can be scripted, so it is useful where Group Policy cannot be applied (standalone machines, unattended builds) or where many computers must be analyzed from a batch file

Assigning Scripts and Redirecting Folders
• Scripts
  – Can be used in Windows Server 2003 to perform tasks at various times during the startup/shutdown and logon/logoff process
  – Computer startup and shutdown scripts: configured in the Computer Configuration section of a GPO and run under the Local System account
  – User logon and logoff scripts: configured in the User Configuration section of a GPO and run with the user's credentials
  – Scripts are stored in the GPT under Sysvol, so anyone who can write there can run code on every computer that applies the GPO; keep Sysvol permissions tight
• Folder redirection
  – Group Policy feature (User Configuration\Windows Settings\Folder Redirection)
  – Enables you to redirect the following contents of a user's profile to a network location:
    • Application Data
    • Desktop
    • My Documents
    • Start Menu

[Figure: Folder redirection settings]

Managing Group Policy Inheritance
• Order in which Group Policy is applied: local computer, site, domain, parent OU, child OU
• All individual GPO settings are inherited by default
• At each level, more than one GPO can be linked
• If there is more than one GPO per container, policies are applied in the order that they appear on the container's Group Policy tab, starting with the bottom GPO; the GPO at the top of the list is applied last and therefore takes precedence
• Multiple policies applied to a user or computer
  – If there is no conflict, the settings of all of them are applied
  – If there is a conflict, later settings overwrite earlier settings, so the GPO linked closest to the user or computer normally wins
  – Where the same setting exists in both Computer Configuration and User Configuration, the computer setting generally takes precedence

Configuring Block Policy Inheritance, No Override, and Filtering
• Blocking Group Policy inheritance
  – Set on a domain or OU when you do not want settings from higher-level containers applied to that child container
  – Does not stop a GPO whose link is marked No Override
• Configuring No Override
  – Set on a GPO link when you want that GPO's settings always to be enforced, regardless of Block Policy Inheritance or conflicting GPOs in child containers; where several No Override GPOs conflict, the one linked highest in the hierarchy wins
• Filtering policy settings for groups
  – Done on the GPO's Security tab: a GPO applies only to security principals that hold both Read and Apply Group Policy permission (Authenticated Users by default), so removing or denying Apply Group Policy for a group exempts its members

[Figure: Blocking Group Policy inheritance]
[Figure: Configuring No Override on a Group Policy object]

Troubleshooting Group Policy Settings
• Areas to inspect when a GPO is not working as expected
  – The Active Directory hierarchy (where the user or computer object actually sits)
  – The order of Group Policy processing
  – The containers above and below the OU that is causing the problem (Block Policy Inheritance, No Override)
  – The GPO's Security tab (Read and Apply Group Policy permissions)
• Troubleshooting tools
  – gpresult.exe (gpresult /v gives a full listing)
  – Resultant Set of Policy (RSoP, rsop.msc) in logging mode for what was applied, or planning mode for what would be applied
  – Both can be used to
    • Discover Group Policy-related problems
    • Show which GPOs were applied to a user or computer, and which were filtered out or denied

[Figure: Using the Gpresult tool]
[Figure: Generating RSoP data]

Deploying Software Using Group Policy
• Group Policy can help deploy and maintain software installations throughout the domain
• When a company rolls out a new software application, the four main phases of the process are:
  – Software preparation
  – Deployment
  – Software maintenance
  – Software removal

Software Preparation
• Microsoft Windows Installer package (.msi) file
  – Used by Windows Server 2003 Group Policy software installation
  – Contains all the information needed to install an application in a variety of configurations
• Steps to take before the installation of the software
  – Place the .msi package and any related installation files in a shared folder (a software distribution point) on the network
  – Give the computers and users that will receive the software Read access to the share and its NTFS folder, and give write access only to the administrators who maintain the packages: anyone who can replace a package can run code on every machine that installs it
  – Configure Group Policy (the Software Installation node) to reference this shared folder by its UNC path

Deployment
• Using Windows Server 2003 Group Policy, applications can be deployed by either:
  – Assigning applications
    • Assigned to a user: a shortcut to the application is advertised on the Start menu and installation completes on first use
    • Assigned to a computer: the application is installed when the computer starts
  – Publishing applications (User Configuration only)
    • The application is not advertised on the Start menu; the user installs it from Add or Remove Programs, or by opening a file type it registers

Software Maintenance
• Maintenance tasks to be performed after an application has been deployed
  – Installing updates and service patches
  – Installing new versions of the software
• Choices when deploying application patches or upgrades
  – A mandatory upgrade
  – An optional upgrade
  – Redeploying an application (after the package itself has been patched)

Software Removal
• Choices regarding how an application is removed
  – A forced removal (uninstalled immediately from users and computers)
  – An optional removal (existing installations stay usable, but no new installations are allowed)

Summary
• Group Policy enables the centralized management of user and computer settings throughout the network
• GPOs can be used to perform administrative tasks, such as
  – Configuration of desktop settings
  – Control of security settings for users and computers
  – Assignment of scripts
  – Redirection of folders
  – Automation of software distribution to computers throughout the network
• The order in which Group Policy is applied: local computer, site, domain, OU, child OU
• The Security Configuration and Analysis tool can be used to analyze, modify, and apply security templates on the local computer; templates reach computers in Active Directory by being imported into a GPO
• Group Policy is automatically inherited from parent containers to child containers; this can be modified by
  – Applying Block Policy Inheritance
  – Applying No Override
  – Filtering the policy for specific users, groups, or computers
• When deploying software, Group Policy uses an .msi file to determine the installation options
• Applications can either be assigned or published within a GPO
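The Security Configuration and Analysis comparison described in the security template slides, worked through offline as an added example (not part of the textbook or of the Windows tools): a baseline template is parsed, a computer's current settings are parsed in the same format, and each setting the baseline defines is marked as a match (the green check), a mismatch (the red x) or absent. Both .inf texts are constructed; the section and key names follow the layout of secedit templates, but the values are illustrative. On a real server the current-settings text would come from secedit /export /cfg <file.inf> instead of the string below.

```python
"""Offline imitation of the Security Configuration and Analysis comparison:
a baseline security template (.inf) is checked against a computer's current
settings and each entry is marked as a match (green check) or mismatch (red x).
Added example with constructed data; the section and key names follow the
layout of secedit templates, the values are made up for illustration."""
import configparser

# Constructed baseline template (not one of the shipped templates).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
MaximumPasswordAge = 42
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# Constructed snapshot of a member server in the form "secedit /export /cfg"
# writes; on a real machine read that exported file instead of this string.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 24
MaximumPasswordAge = 42
PasswordComplexity = 0
LockoutBadCount = 0
LockoutDuration = 30
ResetLockoutCount = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
"""

ANALYZED_SECTIONS = ("System Access", "Registry Values")
MATCH, MISMATCH, ABSENT = "match", "mismatch", "absent on computer"


def load_inf(text):
    """Parse secedit-style .inf text. Keys keep their case and may contain
    backslashes (registry paths); '$' must not be treated as interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def normalize(value):
    # Registry values are "<type>,<data>"; compare type and data separately so
    # that "4, 3" and "4,3" are treated as the same setting.
    return tuple(part.strip() for part in value.split(","))


def analyze(baseline_text, current_text):
    """One finding per setting the baseline defines, like the SCA result pane:
    expected (database) value, actual (computer) value, and a status."""
    baseline, current = load_inf(baseline_text), load_inf(current_text)
    findings = []
    for section in ANALYZED_SECTIONS:
        if not baseline.has_section(section):
            continue  # template leaves this area undefined: nothing to analyze
        for key, expected in baseline.items(section):
            if current.has_option(section, key):
                actual = current.get(section, key)
                status = MATCH if normalize(actual) == normalize(expected) else MISMATCH
            else:
                actual, status = None, ABSENT
            findings.append({"section": section, "setting": key,
                             "expected": expected, "actual": actual, "status": status})
    return findings


def mismatches(findings):
    """Settings that need attention, keyed by setting name."""
    return {f["setting"]: f for f in findings if f["status"] != MATCH}


def report(findings):
    marks = {MATCH: "[v]", MISMATCH: "[X]", ABSENT: "[?]"}
    for f in findings:
        print(f"{marks[f['status']]} {f['section']}: {f['setting']} "
              f"expected={f['expected']} actual={f['actual']}")


if __name__ == "__main__":
    results = analyze(BASELINE_INF, CURRENT_INF)
    report(results)
    print(f"{len(mismatches(results))} of {len(results)} settings differ from the baseline")
```

The five mismatches in the sample (short passwords, no complexity, lockout disabled, LM/NTLM allowed, anonymous enumeration not restricted) are exactly the kind of drift the slides describe: each one is a weakening relative to the baseline that the snap-in would flag with a red x, and applying the template with secedit /configure would put them back.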
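The precedence rules from the inheritance slides (processing order site, domain, parent OU, child OU; link order within a container; Block Policy Inheritance; No Override), simulated as an added example. This is not a Microsoft tool and reads nothing from Active Directory: the containers, GPO names, links and settings are constructed, and the local GPO, which is always processed first, is left out of the model. The one rule it applies that the slides only imply is that when several No Override GPOs conflict, the one linked highest in the hierarchy wins.

```python
"""Simulation of Group Policy precedence: processing order from site down to
the OU holding the target, link order within a container, Block Policy
Inheritance and No Override. Added example with constructed GPO names, links
and settings; it is not a Microsoft tool and reads nothing from Active Directory."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict              # policy setting -> configured value
    no_override: bool = False   # "No Override" set on the link


@dataclass
class Container:
    """A site, domain or OU. links lists the container's Group Policy tab from
    the top entry down, so links[0] has the highest precedence in that container."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain):
    """chain runs from the outermost container to the one holding the target,
    e.g. [site, domain, parent OU, child OU]. Returns the GPOs in the order the
    client applies them; a later GPO's value overwrites an earlier one's."""
    # Block Policy Inheritance on a container discards the ordinary (non-No
    # Override) links of every container above it; its own links still apply.
    start = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            start = index
    # Outermost container first; within a container the bottom link applies
    # first, so the top of the Group Policy tab wins.
    ordinary = [gpo for container in chain[start:]
                for gpo in reversed(container.links) if not gpo.no_override]
    # No Override links are applied after everything else and cannot be blocked.
    # Among them the one linked highest in the hierarchy is applied last and wins.
    enforced = [gpo for container in reversed(chain)
                for gpo in reversed(container.links) if gpo.no_override]
    return ordinary + enforced


def resultant_settings(chain):
    """Winning value for each setting plus the GPO that supplied it, the way a
    Resultant Set of Policy query reports it."""
    result, source = {}, {}
    for gpo in application_order(chain):
        for setting, value in gpo.settings.items():
            result[setting] = value
            source[setting] = gpo.name
    return result, source


# Constructed hierarchy; the setting names are illustrative, not real policy names.
SITE = Container("HQ site", [GPO("Site Printers", {"DefaultPrinter": "HQ-PRINT1"})])
DOMAIN = Container("example.local", [
    GPO("Default Domain Policy",
        {"MinimumPasswordLength": 8, "ScreenSaverTimeout": 900}, no_override=True),
    GPO("Corporate Wallpaper", {"Wallpaper": "corp.bmp"}),
])
FINANCE = Container("Finance OU", [
    GPO("Finance Desktop", {"Wallpaper": "finance.bmp", "ScreenSaverTimeout": 600}),
], block_inheritance=True)
SERVERS = Container("Finance Servers OU", [
    GPO("Server Hardening", {"ScreenSaverTimeout": 300, "AuditLogon": "success,failure"}),
    GPO("Server Baseline", {"ScreenSaverTimeout": 1200, "AuditLogon": "success",
                            "RemoveRunMenu": 1}),
])
CHAIN = [SITE, DOMAIN, FINANCE, SERVERS]
# The same hierarchy with the block on the Finance OU removed, for comparison.
CHAIN_NO_BLOCK = [SITE, DOMAIN, Container("Finance OU", FINANCE.links), SERVERS]


if __name__ == "__main__":
    for label, chain in (("blocked", CHAIN), ("not blocked", CHAIN_NO_BLOCK)):
        settings, source = resultant_settings(chain)
        print(f"Finance OU {label}: applied {[g.name for g in application_order(chain)]}")
        for setting in sorted(settings):
            print(f"  {setting} = {settings[setting]}  (from {source[setting]})")
```

Run it and compare the two listings: the block removes the site printer and the corporate wallpaper but not the No Override Default Domain Policy, whose screen-saver timeout beats the value set three times further down the tree; the two server GPOs resolve by tab order, with the top entry winning. This is the same information gpresult /v or an RSoP logging-mode query shows for a real user or computer.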