Hands-On Microsoft
Windows Server 2003
Administration
Chapter 4
Managing Group Policy
Objectives
• Create and manage Group Policy objects to
control user desktop settings, security, scripts,
and folder redirection
• Manage and troubleshoot Group Policy
inheritance
• Deploy and manage software using Group
Policy
2
Introduction to Group Policy
• Group Policy
– Enables the centralized management of user and
computer configuration settings
– Implemented using a Group Policy object
3
Introduction to Group Policy
(Continued)
• Group Policy object (GPO)
– Used to perform a variety of administrative tasks,
including:
• Configure desktop settings using administrative
templates
• Control security settings for users and computers
• Assign scripts to run when
– A user logs on or off
– A computer is started up or shut down
4
Introduction to Group Policy
(Continued)
• Redirect folders out of a user’s local profile to a
different network location
• Automate software distribution and maintenance to
computers throughout the network
5
Creating a Group Policy Object
• Ways to create a GPO
– Group Policy standalone Microsoft Management
Console (MMC) snap-in
– Group Policy extension in Active Directory Users
and Computers
• Once a GPO is created
– Edit the GPO to control specific user or computer
settings
6
Configuration categories available
for GPOs
7
Creating a Group Policy Object
(Continued)
• The GPO content is stored in two different
locations on the server
– Group Policy container (GPC)
• Stores information about the GPO in Active
Directory, including its status and a version
number
• Located in the domain's System\Policies
container, visible in Active Directory Users and
Computers when Advanced Features is turned on
8
Creating a Group Policy Object
(Continued)
– Group Policy template (GPT)
• Contains the data that makes up the Group Policy
(administrative template settings, security
settings, scripts, and software installation data)
• Stored in
– The %systemroot%\Sysvol\sysvol\<Domain
Name>\Policies folder, in a subfolder named after
the GPO's GUID
• Globally unique identifier (GUID)
– A unique 128-bit number assigned to the GPO
when it is created
– Names both the GPC object and the GPT folder
– The version number stored in the GPC and the
one recorded in the GPT's gpt.ini file should
match; a mismatch indicates that Active Directory
or SYSVOL replication has not completed
9
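The GPC/GPT version check above, as an added PowerShell example (not code from the chapter): it decodes the Version value in a GPO's gpt.ini and compares it with the versionNumber the GPC carries in Active Directory. The gpt.ini text is constructed; the domain name example.com and the SYSVOL path in the closing comment are assumptions.

```powershell
# Added example: decode a GPT version from gpt.ini and check it against the GPC.

function Get-GptVersion {
    param([string[]]$GptIniLines)   # contents of <GUID>\gpt.ini
    foreach ($line in $GptIniLines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    throw 'gpt.ini contains no Version= line'
}

function Split-GpoVersion {
    param([uint32]$Version)
    # One 32-bit value holds two counters: the low 16 bits are the Computer
    # Configuration version, the high 16 bits the User Configuration version.
    # Each half increments every time that side of the GPO is edited.
    return [pscustomobject]@{
        Computer = [int]($Version % 65536)
        User     = [int][math]::Floor($Version / 65536)
    }
}

function Test-GpoVersionMatch {
    param([uint32]$GpcVersion, [uint32]$GptVersion)
    # The AD (GPC) and SYSVOL (GPT) versions must agree; a mismatch usually
    # means replication between domain controllers has not finished.
    return ($GpcVersion -eq $GptVersion)
}

# Constructed gpt.ini, as found under the GPO's GUID folder in SYSVOL
$gptIni = @'
[General]
Version=196610
displayName=New Group Policy Object
'@
$gptVersion = Get-GptVersion -GptIniLines ($gptIni -split "`r?`n")
Split-GpoVersion -Version $gptVersion
Test-GpoVersionMatch -GpcVersion 196610 -GptVersion $gptVersion
Test-GpoVersionMatch -GpcVersion 196609 -GptVersion $gptVersion

# On a domain controller the live values come from AD and SYSVOL. The GUID is the
# well-known one of the Default Domain Policy; the domain example.com is an assumption.
#   $guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
#   $gpc  = [ADSI]"LDAP://CN=$guid,CN=Policies,CN=System,DC=example,DC=com"
#   $ini  = Get-Content "C:\Windows\SYSVOL\sysvol\example.com\Policies\$guid\gpt.ini"
#   Test-GpoVersionMatch -GpcVersion ([uint32]$gpc.versionNumber.Value) -GptVersion (Get-GptVersion $ini)
```

The constructed value 196610 is 3 * 65536 + 2, so it encodes a user-side version of 3 and a computer-side version of 2; the first comparison checks the GPT against an identical GPC value and the second against a GPC that is one edit behind, which is what a replication lag looks like.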
Application of Group Policy
• GPOs can apply a variety of configuration
options to the
– Local computer
– Site
– Domain
– OU
• Main categories to a Group Policy:
– Computer Configuration
– User Configuration
10
Controlling User Desktop Settings
• Group Policy
– Helps reduce administrative costs by allowing the
administrator to
• Enforce standard computer configurations
• Limit user access to various areas of the operating
system
• Ensure that users have their own personal desktop
and application settings
• Administrative templates
– Consist of several categories of configuration
settings
11
Configuration categories of
administrative templates
12
Managing Security with Group
Policy
• Group Policy
– Can be used to modify and maintain a number of
domain-based security configurations to comply
with organizational security standards
• Security templates
– Can be created based on current security
standards
13
Configuring Account Policies
• Account Policies node
– Found under the computer configuration category
of a GPO
– Includes three subcategories
• Password Policy
• Account Lockout Policy
• Kerberos Policy
– For domain accounts, these settings take effect
only when they are defined in a GPO linked at the
domain level; account policies in a GPO linked to
an OU affect only the local accounts on the
computers in that OU
• Password Policy node
– Contains configuration settings for the password’s
• History
• Length
• Complexity
14
Password policies in Windows
Server 2003
15
Configuring Account Policies
(Continued)
• Account Lockout Policy node
– Contains configuration settings for
• Account lockout threshold (the number of failed
logon attempts that triggers a lockout)
• Account lockout duration
• Reset account lockout counter after (the interval
before the failed-attempt count is cleared)
16
Account Lockout Policies
17
Configuring Account Policies
(Continued)
• Kerberos Policy node
– Contains configuration settings for
• Maximum lifetime of the ticket-granting ticket
(TGT) and the maximum period over which it can
be renewed
• Maximum lifetime of service (session) tickets
• Maximum tolerance for computer clock
synchronization (the time stamp check)
• Enforce user logon restrictions
18
Kerberos policy node configuration
19
Managing Security with Group
Policy
• Other nodes under the security settings category
– Local Policies
– Event Log
– Restricted Groups
– System Services
– Registry
– File System
– Wireless Network (IEEE 802.11) Policies
– Public Key Policies
– Software Restriction Policies
– IP Security Policies on Active Directory
20
Using the Security Configuration
Manager Tools with Group Policy
• Security Configuration Manager tools
– Can be used with Group Policies to
• Create a Security Policy template using a specific
group of security settings
– Can be used to analyze and implement security
settings on a computer system
– Useful in maintaining security settings
21
Using the Security Configuration
Manager Tools with Group Policy
(Continued)
• Core components of the Security Configuration
Manager tools:
– Security templates
– Security settings in Group Policy objects
– Security Configuration and Analysis tool
– Secedit command-line tool
22
Security Templates
• A security template
– Is used to define, edit, and save baseline security
settings to be applied to computers with common
security requirements
– Helps ensure that a consistent setting can be
applied to multiple machines and easily
maintained
– Is created and edited using the Security
Templates snap-in
23
Viewing the Security Templates
console
24
Analyzing the Preconfigured
Security Templates
• First step in configuring and implementing
security templates
– Categorize the network computers into:
• Workstations
• Servers
• Domain controllers
25
Analyzing the Preconfigured
Security Templates (Continued)
• Setup Security.inf template
– Stores the default security settings applied to the
computer when Windows Server 2003 is installed
– Purpose
• Provides a single file in which all of the original
computer security settings are stored
• Intended for restoring a computer's defaults with
Security Configuration and Analysis or secedit; it
should not be applied through Group Policy,
because the template is very large
26
Analyzing the Preconfigured
Security Templates (Continued)
• Incremental templates
– Modify security settings incrementally, on top of
the default settings
– Allow the creation of security configurations other
than the basic security settings
– Include
• Compatws.inf: relaxes file and registry permissions
for the Users group so that older applications run
without Power Users membership
• Securews.inf and Securedc.inf: tighter account,
auditing, and registry settings for workstations or
servers and for domain controllers
• Hisecws.inf and Hisecdc.inf: highly secure settings,
including required SMB signing and NTLMv2, for
workstations or servers and for domain controllers
• DC Security.inf: default settings created when a
server is promoted to domain controller
• Rootsec.inf: default permissions for the root of the
system drive
27
Analyzing the Preconfigured
Security Templates (Continued)
• Applying security templates
– Security templates can be applied to either the
local machine or the domain via GPOs
– To apply a security template to a local machine
• Open the Local Security Settings MMC snap-in
• Right-click Security Settings in the console pane
and choose Import Policy
• Select the template file to be imported
28
Security Configurations and
Analysis
• Security Configuration and Analysis utility
– Compares current system settings to a previously
configured security template
– Identifies
• Changes to the original security configurations
• Possible security weaknesses that may be evident
when compared to a stronger security baseline
template
29
Security Configurations and
Analysis (Continued)
– Results of the comparison
• A green check mark
– Indicates that the two settings match
• A red “x”
– Indicates a mismatch
30
Viewing the Security Configuration
and Analysis tool
31
Analyzing security on a computer
32
Security Configurations and
Analysis (Continued)
• Secedit.exe
– Command-line tool that is used to
• Create and apply security templates
• Analyze security settings
– Can be used in situations where Group Policy
cannot be applied
33
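The template comparison described in the Security Templates and Security Configuration and Analysis slides above, as an added PowerShell example (not the chapter's or Microsoft's own code): it parses the [System Access] area of two secedit .inf templates and flags each setting as Match or Mismatch, which is the comparison the snap-in shows as a green check mark or a red x. Both template texts are constructed here; on a real server the current settings come from secedit /export, and the file names in the closing comment are assumptions.

```powershell
# Added example: a small reimplementation of the [System Access] comparison
# performed by Security Configuration and Analysis.

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    # secedit .inf templates are INI files: [Section] headers, Name = Value
    # lines, ';' comments. Returns @{ Section = @{ Name = Value } }.
    $sections = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Compare-SecurityTemplate {
    param([hashtable]$Baseline, [hashtable]$Current, [string]$Area = 'System Access')
    $findings = @()
    $actualArea = if ($Current.ContainsKey($Area)) { $Current[$Area] } else { @{} }
    foreach ($name in ($Baseline[$Area].Keys | Sort-Object)) {
        $expected = $Baseline[$Area][$name]
        $actual   = $actualArea[$name]          # $null when the setting is not defined
        $findings += [pscustomobject]@{
            Setting  = $name
            Baseline = $expected
            Current  = $(if ($null -eq $actual) { '(not defined)' } else { $actual })
            Status   = $(if ($actual -eq $expected) { 'Match' } else { 'Mismatch' })
        }
    }
    return $findings
}

# Constructed baseline, modelled on the [System Access] area of securews.inf
$baselineInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Constructed export of a freshly installed server (secedit /export /cfg current.inf)
$currentInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

$baseline = ConvertFrom-SecurityTemplate ($baselineInf -split "`r?`n")
$current  = ConvertFrom-SecurityTemplate ($currentInf  -split "`r?`n")
Compare-SecurityTemplate -Baseline $baseline -Current $current | Format-Table -AutoSize

# The same steps with the chapter's own tool, run from an administrative prompt
# (file names assumed):
#   secedit /export /cfg current.inf
#   secedit /analyze   /db check.sdb /cfg securews.inf /log check.log
#   secedit /configure /db check.sdb /cfg securews.inf /log apply.log
```

The parser keeps every section, so the same functions work for the other areas secedit writes (for example [Event Audit] or [Registry Values]) by passing a different -Area; only [System Access] is compared in the constructed run.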
Assigning Scripts and Redirecting
Folders
• Scripts
– Can be used in Windows Server 2003 to perform
tasks at various times during the logon or logoff
process
– Computer startup and shutdown scripts
• Configured in the computer section of a GPO
– User logon and logoff scripts
• Configured in the user section of a GPO
34
Assigning Scripts and Redirecting
Folders (Continued)
• Folder redirection
– Group Policy feature
– Enables you to redirect the following contents of a
user's profile to a network location:
• Application data
• Desktop
• My Documents
• Start menu
35
Folder redirection settings
36
Managing Group Policy Inheritance
• Order in which Group Policy is applied
– Local computer, site, domain, parent OU, child
OU
• All individual GPO settings are inherited by
default
• At each level, more than one GPO can be
applied
• If there is more than one GPO per container
• Policies are applied in the order that they appear
on the Group Policy tab for the container, starting
with the bottom GPO first
37
Managing Group Policy Inheritance
(Continued)
• Multiple policies applied to a user or computer
– If there is no conflict
• The settings from all of the policies are applied
– If there is a conflict
• The setting applied later overwrites the setting
applied earlier, so the GPO closest to the user or
computer (the child OU) normally wins
– When a setting exists in both the Computer
Configuration and the User Configuration and
the two conflict, the computer setting generally
wins
38
Configuring Block Policy
Inheritance, No Override, and
Filtering
• Blocking Group Policy inheritance
– Done when you do not want any higher-level
settings to be applied to a particular child
container
• Configuring No Override
– Done when you want a particular GPO’s settings
to always be enforced
• Filtering policy settings for groups
– Done to prevent a GPO from applying to a
particular user, group, or computer within a
container
– Configured on the GPO's Security tab: a principal
receives the GPO only if it has both Read and
Apply Group Policy permission, so removing or
denying Apply Group Policy exempts it
39
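The processing rules from the inheritance slides above (local, site, domain, parent OU, child OU; link order within a container; Block Policy inheritance; No Override; security filtering) as an added PowerShell example that is a model written for this page, not Group Policy's own engine: it reports which GPO supplies each setting, which is the question RSoP answers. Container names, GPO names, group names and setting names are constructed; loopback processing, WMI filters and slow-link detection are not modelled.

```powershell
# Added example: a model of Group Policy precedence for one user or computer.

function Get-EffectivePolicy {
    param(
        [array]$Hierarchy,     # containers ordered local -> site -> domain -> parent OU -> child OU
        [string[]]$MemberOf    # groups the target user or computer belongs to
    )
    $ordinary = @()   # non-enforced GPOs in the order they are applied
    $enforced = @()   # No Override GPOs, applied after all ordinary ones

    for ($i = 0; $i -lt $Hierarchy.Count; $i++) {
        $level = $Hierarchy[$i]
        # Block Policy inheritance on any container below this one stops this
        # level's ordinary GPOs from reaching the target; No Override GPOs are exempt.
        $blocked = $false
        for ($j = $i + 1; $j -lt $Hierarchy.Count; $j++) {
            if ($Hierarchy[$j].BlockInheritance) { $blocked = $true }
        }
        # Group Policy tab: the top GPO has highest precedence and is applied
        # last, so walk the list bottom-up.
        $links = @($level.GPOs)
        for ($k = $links.Count - 1; $k -ge 0; $k--) {
            $gpo = $links[$k]
            # Security filtering: the principal needs Read and Apply Group Policy,
            # modelled here as membership in one of the groups listed in ApplyTo.
            $applies = @($gpo.ApplyTo | Where-Object { $MemberOf -contains $_ }).Count -gt 0
            if (-not $applies) { continue }
            if ($gpo.NoOverride) {
                $enforced += [pscustomobject]@{ Gpo = $gpo; Level = $i; Rank = $k }
            } elseif (-not $blocked) {
                $ordinary += $gpo
            }
        }
    }
    # A No Override GPO from a higher container beats one from a lower container:
    # apply enforced GPOs child OU first and site/domain last. Within one
    # container a higher Rank is a lower link, applied first.
    $enforcedGpos = @($enforced |
        Sort-Object @{Expression = 'Level'; Descending = $true}, @{Expression = 'Rank'; Descending = $true} |
        ForEach-Object { $_.Gpo })

    $result = @{}
    foreach ($gpo in (@($ordinary) + $enforcedGpos)) {
        foreach ($name in $gpo.Settings.Keys) {       # the GPO applied later wins a conflict
            $result[$name] = [pscustomobject]@{ Value = $gpo.Settings[$name]; WinningGpo = $gpo.Name }
        }
    }
    return $result
}

# Constructed hierarchy: Finance blocks inheritance, the Default Domain Policy is
# set to No Override, and one Finance GPO is filtered to Finance Admins only.
$authUsers = 'Authenticated Users'
$hierarchy = @(
    @{ Name = 'Local computer'; BlockInheritance = $false; GPOs = @(
        @{ Name = 'Local Group Policy'; NoOverride = $false; ApplyTo = @($authUsers)
           Settings = @{ ScreenSaverTimeout = 1200 } }) },
    @{ Name = 'Site: HQ'; BlockInheritance = $false; GPOs = @() },
    @{ Name = 'Domain: example.com'; BlockInheritance = $false; GPOs = @(
        @{ Name = 'Default Domain Policy'; NoOverride = $true; ApplyTo = @($authUsers)
           Settings = @{ ScreenSaverTimeout = 900; RemoveRunMenu = 1 } }) },
    @{ Name = 'OU: Corp'; BlockInheritance = $false; GPOs = @(
        @{ Name = 'Corp Desktop'; NoOverride = $false; ApplyTo = @($authUsers)
           Settings = @{ ScreenSaverTimeout = 600; DisableCmd = 1 } }) },
    @{ Name = 'OU: Finance'; BlockInheritance = $true; GPOs = @(
        @{ Name = 'Finance Admin Exemption'; NoOverride = $false; ApplyTo = @('Finance Admins')
           Settings = @{ RemoveRunMenu = 0; DisableCmd = 0 } },
        @{ Name = 'Finance Lockdown'; NoOverride = $false; ApplyTo = @($authUsers)
           Settings = @{ ScreenSaverTimeout = 300; DisableCmd = 0 } }) }
)

$effective = Get-EffectivePolicy -Hierarchy $hierarchy -MemberOf @($authUsers, 'Finance Users')
$effective.GetEnumerator() | Sort-Object Key |
    ForEach-Object { '{0,-20} = {1,-5} from {2}' -f $_.Key, $_.Value.Value, $_.Value.WinningGpo }
```

For the constructed Finance user, the block on the Finance OU discards the local and Corp GPOs, the admin exemption is filtered out, and the Default Domain Policy, being No Override, is applied after Finance Lockdown and so wins the screen saver timeout even though Finance is the closer container. Changing NoOverride on the domain GPO to $false, or BlockInheritance on Finance, and rerunning is a quick way to see why a setting is "not working as expected" before reaching for gpresult or RSoP.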
Blocking Group Policy inheritance
40
Configuring No Override on a Group
Policy object
41
Troubleshooting Group Policy
Settings
• Areas to inspect when trying to find the reason
for a GPO not working as expected
– Active Directory hierarchy
– Order of Group Policy processing
– Containers above and below OU that is causing
problem
– Group Policy’s Security tab
42
Troubleshooting Group Policy
Settings (Continued)
• Troubleshooting tools
– gpresult.exe (run gpresult /v for verbose output
on the target computer)
– Resultant Set of Policy (RSoP) snap-in, in logging
mode for the settings actually applied and in
planning mode to simulate a change
– Can be used to
• Discover Group Policy-related problems
• Illustrate which GPOs were applied to a user or
computer, and which were filtered out or blocked
43
Using the Gpresult tool
44
Generating RSoP data
45
Deploying Software Using Group
Policy
• Group Policy can help deploy and maintain
software installations throughout the domain
• When a company rolls out a new software
application, the four main phases of the process
are:
– Software preparation
– Deployment
– Software maintenance
– Software removal
46
Software Preparation
• Windows Installer package (.msi file)
– Used by Windows Server 2003 Group Policy
– Contains all the information needed to install an
application in a variety of configurations
• Steps to take before the installation of software
– Place the .msi package and any related
installation files in a shared folder on the network
– Give the accounts that will install the software
Read permission on the share and on the NTFS
folder; software assigned to computers is installed
at startup using the computer account, so the
computer accounts (for example, Domain
Computers) need Read access as well
– Configure Group Policy to access this shared
folder using its UNC path
47
Deployment
• Using Windows Server 2003 Group Policy,
applications can be deployed by either:
– Assigning applications
• To users: a shortcut to the application is
advertised on the Start menu, and the application
installs the first time it is used
• To computers: the application is installed when
the computer starts up, before anyone logs on
– Publishing applications (users only)
• Application is not advertised on the Start menu;
the user installs it from Add or Remove Programs
48
Software Maintenance
• Maintenance tasks to be performed after an
application has been deployed
– Installing updates and service patches
– Installing new versions of the software
• Choices when deploying application patches or
upgrades
– A mandatory upgrade
– An optional upgrade
– Redeploying an application
49
Software Removal
• Choices regarding how an application is
removed
– A forced removal
– An optional removal
50
Summary
• Group Policy
– Enables the centralized management of user and
computer settings throughout the network
• GPOs
– Can be used to perform administrative tasks,
such as
• Configuration of desktop settings
• Control of security settings for users and
computers
• Assignment of scripts
• Redirection of folders
• Automation of software distribution on computers
throughout the network
51
Summary (Continued)
• The order in which Group Policy is applied
– Local computer, site, domain, OU, child OU
• Security Configuration and Analysis tool
– Can be used to analyze a computer's current
settings against a security template and to apply
the template to that computer; to apply a
template domain-wide, import it into a GPO
52
Summary (Continued)
• Group Policy is automatically inherited from
parent containers to child containers; this can be
modified by
– Applying Block Policy inheritance
– Applying No Override
– Filtering the policy for specific users
• When deploying software, Group Policy uses an
MSI file to determine the installation options
• Applications can either be assigned or published
within a GPO
53