Managing Workstations with Group Policy

Overview
(Diagram: the administrator sets Group Policy once on a site, domain, or OU; computers running Windows 2000 apply it continually to users and computers.)
Group Policy enables you to:
◦ Set centralized and decentralized policies
◦ Ensure users have their required environments
◦ Lower total cost of ownership by controlling user and computer environments
◦ Enforce corporate policies

Lesson topics:
◦ Types of Group Policy Settings
◦ Group Policy Objects
◦ Group Policy Settings for Computers and Users
◦ Group Policy Objects and Active Directory Containers

Types of Group Policy Settings
◦ Administrative Templates: registry-based Group Policy settings
◦ Security: settings for local, domain, and network security
◦ Software Installation: settings for central management of software installation
◦ Scripts: startup, shutdown, logon, and logoff scripts
◦ Remote Installation Services: settings that control the options available to users when running the Client Installation wizard used by RIS
◦ Internet Explorer Maintenance: settings to administer and customize Microsoft Internet Explorer on Windows 2000–based computers
◦ Folder Redirection: settings for storing users' folders on a network server

Group Policy Objects
A Group Policy Object contains Group Policy settings. Its content is stored in two locations:
◦ Group Policy Container (GPC): located in Active Directory; provides version information used by domain controllers
◦ Group Policy Template (GPT): located in the domain controller's shared Sysvol folder; provides the Group Policy settings that computers running Windows 2000 obtain and apply

Group Policy Settings for Computers and Users
Group Policy settings for computers:
◦ Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings
◦ Apply when the operating system initializes and during the periodic refresh cycle
Group Policy settings for users:
◦ Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts
◦ Apply when users log on to the computer and during the periodic refresh cycle

Group Policy Objects and Active Directory Containers
(Diagram: GPOs linked to a site, a domain, and several OUs.)
GPO settings affect user and computer objects within the sites, domains, and OUs to which a GPO is linked:
◦ You can link one GPO to multiple sites, domains, or OUs
◦ You can link multiple GPOs to one site, domain, or OU
You cannot link GPOs to the default Active Directory containers (Computers and Users).

Lesson topics:
◦ Creating Linked Group Policy Objects
◦ Creating Unlinked Group Policy Objects
◦ Linking an Existing Group Policy Object
◦ Specifying a Domain Controller for Managing Group Policy Objects

Creating Linked Group Policy Objects
To apply Group Policy to a container, create a GPO linked to the container:
◦ Create GPOs linked to domains and OUs by using Active Directory Users and Computers
◦ Create GPOs linked to sites by using Active Directory Sites and Services
(Screenshot: contoso.msft Properties, Group Policy tab. "Current Group Policy Object Links for contoso.msft" lists Default Domain Policy, Account Lockout Policy, and Passwords Policy, each with No Override and Disabled columns. "Group Policy Objects higher in the list have the highest priority. This list obtained from: London.contoso.msft." The New button creates a GPO linked to the container; the tab also offers Add, Edit, Options, Delete, Properties, Up and Down buttons and a Block Policy inheritance check box.)

Creating Unlinked Group Policy Objects
(Screenshot: Browse for a Group Policy Object dialog box with Domains/OUs, Sites, Computers, and All tabs. The All tab lists "All Group Policy Objects stored in this domain": Application Deployment, Default Domain Controllers Policy, Default Domain Policy, Test, and several entries named New Group Policy Object. Right-clicking the list and choosing New creates an unlinked GPO.)

Specifying a Domain Controller for Managing Group Policy Objects
(Screenshot: the Select Group Policy Object page of the Group Policy snap-in, with Local Computer selected, a Browse… button, and the option "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line. This only applies if you save the console.")
Linking an Existing Group Policy Object
(Screenshot: Add a Group Policy Object Link dialog box. Select the appropriate tab (Domains/OUs or Sites), choose the container in which the GPO resides in the Look in list (contoso.msft; Domain Controllers.nwtraders.msft, Accounting.nwtraders.msft, and Human Resources.nwtraders.msft are also shown), then select the GPO to link from "Group Policy Objects linked to this container" (Default Domain Policy, Redirect My Document Policy, Logon Attempts Policy, Passwords Policy, Account Lockout Policy, Start Menu Policy). The Add button on the Group Policy tab of the container's Properties dialog box links an existing GPO.)

Lesson topics:
◦ Group Policy Inheritance
◦ How Group Policy Settings Are Processed
◦ Controlling the Processing of Group Policy
◦ Group Policy and Slow Network Connections (Links)
◦ Resolving Conflicts Between Group Policy Settings

How Group Policy Settings Are Processed
◦ Windows applies GPO settings in a specific order: site, then domain, then OU
◦ Child containers inherit GPO settings from parent containers (diagram: a GPO linked to the domain also applies to the Payroll OU)
◦ Sequence: the computer starts, computer settings are applied, startup scripts run; the user logs on, user settings are applied, logon scripts run
The GetGPOList function executes on the client computer during:
◦ Computer startup, to determine which GPOs contain computer configuration settings to be applied
◦ User logon, to determine which GPOs contain user configuration settings to be applied

Controlling the Processing of Group Policy
Synchronous and asynchronous processing:
◦ By default, the processing of Group Policy is synchronous
◦ You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users
Refreshing Group Policy at established intervals of:
◦ 90 minutes for computers running Windows 2000 Professional and for member servers running Windows 2000 Server
◦ 5 minutes for domain controllers
Processing unchanged Group Policy settings:
◦ You can configure each client-side extension to process all applicable Group Policy settings

Group Policy and Slow Network Connections (Links)
◦ Group Policy can detect a slow link
◦ Group Policy uses an algorithm to determine whether a link should be considered slow
◦ Group Policy sets a flag to indicate a slow link to the client-side extensions

Resolving Conflicts Between Group Policy Settings
◦ All Group Policy settings apply unless there are conflicts
◦ The last setting processed applies:
  ◦ When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
  ◦ When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
◦ A computer setting applies when it conflicts with a user setting

Class exercise:
◦ GPO1 ensures that Favorites appears on the Start menu
◦ GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon
◦ GPO4 removes Favorites from the Start menu and adds the Windows Update icon
(Diagram: GPO2 and GPO3 are linked to the site; GPO4 and GPO1 are linked to the OU.)
What are the resultant Group Policy settings for the OU?
Answer:
◦ A password must be at least 11 characters long
◦ The Windows Update icon appears on the Start menu
◦ Favorites does not appear on the Start menu

Lesson topics:
◦ Enabling Block Inheritance
◦ Enabling No Override
◦ Filtering Group Policy Settings
◦ Class Discussion: Changing Group Policy Inheritance

Enabling Block Inheritance
Block Inheritance:
◦ Stops inheritance of all GPOs from all parent containers
◦ Cannot selectively choose which GPOs are blocked
◦ Cannot stop No Override GPO settings from applying
(Diagram: Domain, Production, Sales; with Block Inheritance set on Sales, no GPO settings from the parent containers apply.)

Enabling No Override
No Override:
◦ Overrides Block Inheritance and GPO conflicts
◦ Should be set high in the Active Directory tree
◦ Is applicable to links and not to GPOs
◦ Enforces corporatewide rules
(Diagram: Domain, Production, Sales; with No Override set on the domain GPO link, the domain GPO settings apply in Sales even where Sales has conflicting GPO settings.)

Filtering Group Policy Settings
Filter Group Policy settings by:
◦ Explicitly denying the Apply Group Policy permission
◦ Omitting an explicit Apply Group Policy permission
(Diagram: the Sales domain with users Mengph and Kimyo and a group; one permission entry allows Read and Apply Group Policy, the other denies Apply Group Policy.)

Class Discussion: Changing Group Policy Inheritance
Settings that are needed:
◦ An anti-virus application must be installed on all computers in the domain
◦ The Office suite must be installed on all computers in the domain, except for K-6 Teachers
◦ An accounting application must be installed on Staff computers, except for the computers used by the Secretaries
(Diagram: domain JLSC.local with OUs Students, Teachers, and K-6.)
How do you set up your GPOs?
Answer:
◦ A GPO linked to the domain with the antivirus application settings configured and the link configured with No Override
◦ A GPO linked to the domain that installs the Office suite
◦ Enable Block Inheritance for the K-6 OU
◦ A GPO linked to the Teachers OU to install the accounting application
◦ Modify the DACL of the GPO linked to the Teachers OU to deny the Apply Group Policy permission for the computer accounts used by the Secretaries
(Diagram: domain JLSC.local with OUs Students, Teachers, and K-6.)

Delegating Control of Group Policy
Enable a user to manage Group Policy links for a site, domain, or OU by:
◦ Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
◦ Using the Delegation of Control wizard
Enable a user or group to create GPOs by:
◦ Adding the user or group to the Group Policy Creator Owners group
Enable a user to edit GPOs by:
◦ Assigning the user read and write permissions to the GPO
◦ Making the user a member of either the Domain Admins, Enterprise Admins, or GPO Creator Owners group
◦ Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box

Lesson topics:
◦ Monitoring Group Policy
◦ Group Policy Troubleshooting Tools
◦ Troubleshooting Group Policy

Monitoring Group Policy
You can monitor Group Policy by:
Enabling diagnostic logging to the Event Log
◦ Causes Group Policy to generate detailed events in the Event Log
Enabling verbose logging
◦ Tracks all changes and settings applied to the local computer and the users who log on to the computer
◦ Involves the addition of the registry keys for verbose logging

Group Policy Troubleshooting Tools
Windows Server Support Tools for Group Policy troubleshooting:
◦ Netdiag.exe
◦ Replmon.exe
Windows Server Resource Kit tools for Group Policy troubleshooting:
◦ Gpotool.exe
◦ Gpresult.exe

Troubleshooting Group Policy
◦ Error: Cannot access or open the Group Policy Object
◦ Error: Group Policy settings not taking effect as expected

Best Practices
◦ Limit the use of Blocking, No Override, and Filtering of GPOs
◦ Limit the number of GPOs that affect any computer or user
◦ Group related settings in a single GPO
◦ Delegate administrative control of a GPO to one or two users
◦ Avoid linking GPOs to a site with multiple domains
◦ Plan and test GPOs before you implement them

Staging and Production Environments
(Diagram: a five-step lifecycle between the staging environment and production.)
1. Build GPOs in the staging environment
2. Test
3. Prepare for production deployment
4. Deploy to production
5. Synchronize with production
Tools: GPO backups, migration tables, CreateEnvironmentFromXML.wsf, CreateXMLFromEnvironment.wsf

Group Policy Modeling and Group Policy Results
◦ Group Policy Modeling: simulates GPOs on a user or computer (diagram: Sales Users settings modeled on Lab Computers)
◦ Group Policy Results: reports actual policy settings

When Group Policy Is Applied
◦ Startup and shutdown
◦ Logon and logoff
◦ Defined intervals
◦ Forced with GPUpdate.exe
◦ Synchronous initial processing or asynchronous initial processing
(Slide fragment: local folder, shared network folder, elevated privileges.)

Controlling Which Settings Apply
◦ Security filtering: refines which users and computers process a GPO. Best practice: if you deny GPOs to certain users, disable Read access as well.
◦ WMI filtering: filter based on attributes of the target computer
◦ Link order, Block Inheritance, Enforcement, and Link status
More information: www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Software Distribution Options
◦ WSUS: approve and distribute critical updates
◦ Group Policy: targeted software deployment
◦ SMS: rich, granular software distribution

How Group Policy Reaches the Client
1. Modify Group Policy
2. Stored on the domain controller (SYSVOL and the Active Directory database)
3. Policy applied to the client

Using Policy Settings
Use policy to:
◦ Increase security
◦ Disable interface options
◦ Disable confusing items
◦ Control data
Do not use policy to:
◦ Configure all settings
◦ Create unsupported policy
Policy registry locations:
◦ HKEY_LOCAL_MACHINE\SOFTWARE\policies
◦ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
◦ HKEY_CURRENT_USER\SOFTWARE\policies
◦ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
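The processing rules spread across the inheritance, No Override, Block Inheritance, and filtering slides are easiest to check by running them. The following Python model is an added example written for this page; it is not part of the course material and not Microsoft code. It implements the rules exactly as the slides state them (site, domain, OU order; the link highest in the list wins within a container; Block Inheritance drops parent links unless they are No Override; No Override wins conflicts, the link nearest the top of the tree winning among No Override links; a Deny of Apply Group Policy or a missing Allow filters a GPO out; a computer setting wins over a conflicting user setting) and then replays the two class exercises, reproducing both answer slides. All GPO names, setting keys, container names and the group name "Secretary Computers" are constructed stand-ins, not real directory data; the "Disabled" link status from the Group Policy tab is modelled as well.

```python
"""Model of the Group Policy processing rules in this module: site/domain/OU order,
link order, Block Inheritance, No Override, security filtering, computer-over-user
precedence. Added example, not course material: every GPO, container, setting key
and group name below is constructed to mirror the two class exercises."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class GPO:
    name: str
    computer: Dict[str, object] = field(default_factory=dict)  # computer configuration
    user: Dict[str, object] = field(default_factory=dict)      # user configuration
    # DACL fragment: groups holding Allow "Apply Group Policy" / groups holding an explicit Deny
    apply_allowed: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_denied: Set[str] = field(default_factory=set)

    def applies_to(self, groups: Set[str]) -> bool:
        # Security filtering: an explicit Deny wins; with no Allow at all the GPO is skipped.
        return not (groups & self.apply_denied) and bool(groups & self.apply_allowed)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # set on the link, not on the GPO (GPMC calls it Enforced)
    disabled: bool = False     # link status


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: List[Link] = field(default_factory=list)  # UI order: first entry = highest priority
    block_inheritance: bool = False


def processing_order(target: Container) -> List[GPO]:
    """GPOs in the order the client applies them; the last one processed wins.
    Parents first; within a container the link highest in the list is applied last;
    Block Inheritance drops parent links that are not No Override; No Override links
    are applied after everything else, the one nearest the top of the tree last."""
    path: List[Container] = []
    node: Optional[Container] = target
    while node is not None:
        path.append(node)
        node = node.parent
    path.reverse()  # site -> domain -> OU -> child OU
    # Links on containers above the lowest one that blocks inheritance are dropped.
    blocked_above = max((i for i, c in enumerate(path) if c.block_inheritance), default=-1)
    order: List[GPO] = []
    enforced_per_level: List[List[GPO]] = []
    for i, c in enumerate(path):
        level: List[GPO] = []
        for link in reversed(c.links):  # lowest-priority link first
            if link.disabled:
                continue
            if link.no_override:
                level.append(link.gpo)
            elif i >= blocked_above:
                order.append(link.gpo)
        enforced_per_level.append(level)
    for level in reversed(enforced_per_level):  # child's enforced links, then the parent's
        order.extend(level)
    return order


def resultant_settings(target: Container, groups: Set[str]) -> Dict[str, object]:
    """Resultant settings for one account in `target` that belongs to `groups`.
    Computer and user configuration each resolve last-wins; where both set a key the
    computer setting applies. One account is modelled at a time (a real logon filters
    the computer part by the computer account and the user part by the user account)."""
    computer, user = {}, {}
    for gpo in processing_order(target):
        if gpo.applies_to(groups):
            computer.update(gpo.computer)
            user.update(gpo.user)
    return {**user, **computer}


def class_exercise() -> Dict[str, object]:
    """Site: GPO2 and GPO3. Domain: no links. OU: GPO4 listed above GPO1."""
    gpo1 = GPO("GPO1", user={"favorites_on_start_menu": True})
    gpo2 = GPO("GPO2", computer={"min_password_length": 11}, user={"windows_update_icon": False})
    gpo3 = GPO("GPO3", computer={"min_password_length": 11}, user={"windows_update_icon": False})
    gpo4 = GPO("GPO4", user={"favorites_on_start_menu": False, "windows_update_icon": True})
    site = Container("Site", links=[Link(gpo2), Link(gpo3)])
    ou = Container("OU", parent=Container("Domain", parent=site), links=[Link(gpo4), Link(gpo1)])
    return resultant_settings(ou, {"Authenticated Users"})


def jlsc_design() -> Dict[str, Dict[str, object]]:
    """The JLSC.local answer: antivirus at the domain with No Override, Office at the
    domain, Block Inheritance on K-6, accounting on Teachers with Apply Group Policy
    denied to the Secretaries' computer accounts (constructed group name)."""
    antivirus = GPO("Antivirus", computer={"antivirus": "installed"})
    office = GPO("Office", computer={"office": "installed"})
    accounting = GPO("Accounting", computer={"accounting": "installed"},
                     apply_denied={"Secretary Computers"})
    domain = Container("JLSC.local", links=[Link(antivirus, no_override=True), Link(office)])
    students = Container("Students", parent=domain)
    teachers = Container("Teachers", parent=domain, links=[Link(accounting)])
    k6 = Container("K-6", parent=teachers, block_inheritance=True)
    auth = {"Authenticated Users"}
    return {
        "Students": resultant_settings(students, auth),
        "Teachers": resultant_settings(teachers, auth),
        "Secretaries": resultant_settings(teachers, auth | {"Secretary Computers"}),
        "K-6": resultant_settings(k6, auth),
    }


if __name__ == "__main__":
    print(class_exercise(), jlsc_design(), sep="\n")
```

Running the module prints the resultant settings for the first exercise (password length 11, Windows Update icon shown, Favorites removed) and, for JLSC.local, shows that K-6 receives only the No Override antivirus GPO while the Secretaries' computers receive everything except the accounting application. The model also makes the "Limit the use of Blocking, No Override, and Filtering" best practice concrete: each of those features is a special case in processing_order or applies_to that a troubleshooter has to reason about when settings do not take effect as expected.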