MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory
Chapter 7: Configuring Group Policy
Objectives
• Describe the architecture and processing of GPOs
• Configure group policy settings
• Work with security templates
• Manage and monitor group policies
• Configure group policy preferences
MCTS Windows Server 2008 Active Directory
2
Group Policy Architecture
• Group policy architecture and function involve the
following components:
– GPOs
• An object containing policy settings that affect user and computer
operating environments and security; can be local or AD objects
– Replication
• Ensures that all domain controllers have a current copy of each
GPO
– Scope and inheritance
• The scope of a group policy defines which users and computers
are affected by its settings
– Creating and linking
• GPOs are created in the Group Policy management console and
can be linked to one or more AD containers
Group Policy Objects (GPOs)
• A GPO contains policy settings for managing many
aspects of domain controllers, member servers,
member computers, and users
• Two main types of GPOs
– Local GPOs
– Domain GPOs
Local GPOs
• Local GPOs are stored on local computers and are
edited via the Group Policy Object Editor snap-in
• Settings in local GPOs that are inherited from
domain GPOs can’t be changed on the local
computer
• Only settings that are undefined or not configured
by domain GPOs can be edited locally
New Local GPOs in Windows Vista and Server 2008
• New local GPOs allow different policies to be applied depending on who logs on to the computer
– Local Administrators GPO
– Local Non-Administrators GPO
– User-specific GPO
• If these GPOs are used, they are processed in the order listed above; when settings conflict, the last policy setting applied takes precedence
Domain GPOs
• Domain GPOs are stored in Active Directory on domain controllers
• A domain GPO consists of two separate parts: a group policy template (GPT) and a group policy container (GPC)
• The GPT and GPC have their naming structure and folder structure in common (both are named with the GPO’s GUID)
• Knowing GPO structure is important for resolving issues
Group Policy Templates
• A group policy template contains all the policy
settings that make up a GPO as well as related
files, such as scripts, and is contained in the Sysvol
share on a domain controller
• Upon creation of a GPO, several files and
subfolders are created (exact number may vary),
but each GPT folder will contain at least three
items
– GPT.ini
– Machine
– User
Group Policy Containers
• Stored in the System\Policies folder
• Contains GPO properties and status information
but no policy settings
• Similar to GPT in that it uses a GPO’s GUID for a
folder name
• Information contained in a GPC
– Name of the GPO
– File path to GPT
– Version
– Status
Group Policy Containers (cont.)
Group Policy Replication
• GPCs are replicated with Active Directory
• GPTs are replicated by one of the following
methods:
– File Replication Service (FRS)
• Used when running in a mixed environment of differing Windows
Server operating systems
– Distributed File System Replication (DFSR)
• Used when all DCs are running Windows Server 2008
• DFSR is more efficient and reliable
• GPC and GPT can become out of sync
• Replication problems can be diagnosed with
Gpotool.exe
Creating and Linking GPOs
• Primary tools for managing, creating, and editing
GPOs are Group Policy Management Console
(GPMC) and Group Policy Management Editor
(GPME)
• If editing a GPO that is already linked to a
container, changes in policy settings take effect as
soon as clients download them
• Before introducing multiple policy changes at once,
test them individually
Editing an Existing GPO
• To edit, right-click the GPO in GPMC and click Edit,
which will open the GPO in GPME
• It is possible to make changes to the Default
Domain Policy, but not advisable
• Recommended method for making changes to
domain policies is creating a new GPO and linking
it to the domain
• GPOs are applied to objects in reverse of the
specified link order
Creating a New GPO
• Two ways to create a new GPO with the GPMC
– Right-click the container you’re linking the GPO to and select
“Create a GPO in this domain, and Link it here”
– Right-click the Group Policy Objects folder and click New
• Best practice is to create GPOs that focus on a
category of settings and then name the GPO
accordingly
Using Starter GPOs
• A Starter GPO is a template for creating GPOs (not
a GPT)
• New GPO wizard includes option to use a Starter
GPO
• Stored in the Starter GPOs folder in GPMC
• To use a Starter GPO, select one in the Source
Starter GPO list box in the New GPO Wizard or
right-click a starter GPO in the starter GPOs folder
and click New GPO from Starter GPO
• To create a Starter GPO, right-click the Starter
GPOs folder and click New
Group Policy Scope and Inheritance
• The scope of a group policy defines which objects
in AD are affected by settings in the policy
• If two GPOs are applied to an object and a setting
is configured on one GPO but not the other, the
configured setting is applied
• Policies are applied in the following order:
– Local policies
– Site-linked GPOs
– Domain-linked GPOs
– OU-linked GPOs
Understanding Site-Linked GPOs
• GPOs linked to a site object affect all users and
computers physically located at the site
• Can be used to set up different policies for mobile
users
• In a single-site, single-domain environment, it is better to use domain GPOs
• Site GPOs can be confusing for mobile users if
policy changes are drastic enough between sites
Understanding Domain-Linked GPOs
• GPOs at domain level should contain settings that
apply to all objects in the domain
• Account policies can be defined only at the domain
level
• Best practices suggest setting account policies and
a few critical security policies at the domain level
Understanding OU-Linked GPOs
• Fine-tuning of group policies should be done at the
OU level
• Users and computers with similar policy
requirements should be located in the same OU
• Since OUs can be nested, so can GPOs
• GPOs applied to nested OUs should be used for
exceptions to policies set at a higher level
Changing Default GPO Inheritance Behavior
• GPO inheritance is enabled by default
• To see where policies are inherited from, select a container in the left pane of GPMC and click the Group Policy Inheritance tab in the right pane
• There are several ways to affect GPO inheritance
– Blocking inheritance
– Enforcing inheritance
– GPO filtering
– Loopback policy processing
Blocking GPO Inheritance
• Prevents GPOs linked to parent containers from
affecting child containers
• To block GPO inheritance, in GPMC, right-click the
child domain or OU and click Block Inheritance
• If blocking is enabled, the OU or domain object is
displayed with a blue exclamation point
• Frequent blocking implies a possible flawed OU
design
Enforcing GPO Inheritance
• Forcing GPO inheritance overrides any conflicting
configurations at a deeper level
• If multiple GPOs are enforced, the GPO at the
highest level is enforced in a conflict
• Example: If a GPO linked to an OU and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain takes precedence
GPO Filtering
• GPO filtering allows changing inheritance on an
object-by-object basis
• Two types of GPO filtering
– Security filtering
– Windows Management Instrumentation (WMI) filtering
• Security filtering uses permissions to restrict
objects from accessing a GPO
• WMI filtering uses queries to select a group of
computers based on certain attributes and then
applies or doesn’t apply policies based on the
query’s results
Loopback Policy Processing
• Normally, the policies that affect user settings
follow users to whichever computer they log on to
• Loopback policy processing allows settings in the
User Configuration node of the GPO to be applied
to all users who log on to the computer
• To use it, enable the “User group policy loopback processing mode” policy in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node
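As an added example (not from the textbook), the following PowerShell script ties the inheritance, enforcement, link-order and loopback slides together using the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (the 2008 RTM GPMC has no cmdlets). It creates a focused GPO, links it to an OU, turns on loopback processing in replace mode, enforces a domain-level baseline link, and then shows what the OU inherits. The domain, OU and GPO names are assumptions for illustration.

```powershell
Import-Module GroupPolicy

$domain  = 'corp.example.com'                        # assumed domain
$domDn   = 'DC=corp,DC=example,DC=com'
$kioskOu = "OU=Kiosks,OU=Workstations,$domDn"        # assumed OU

# 1. Create a GPO that focuses on one category of settings and name it accordingly.
$gpo = New-GPO -Name 'Kiosk - Loopback Replace' -Domain $domain `
               -Comment 'User settings for anyone who logs on to a kiosk PC'

# 2. Link it to the OU. Link order 1 is applied last, so it wins conflicts
#    with other GPOs linked to the same OU.
New-GPLink -Guid $gpo.Id -Target $kioskOu -Domain $domain `
           -LinkEnabled Yes -Order 1 | Out-Null

# 3. Loopback processing. The "User Group Policy loopback processing mode"
#    policy (Computer Configuration\Policies\Administrative Templates\System\
#    Group Policy) is stored under HKLM\Software\Policies\Microsoft\Windows\System
#    as the UserPolicyMode DWORD: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Guid $gpo.Id -Domain $domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Enforce a domain-linked baseline (assumed to exist already) so that an OU
#    with Block Inheritance still receives it; an enforced link also wins
#    conflicts against GPOs linked deeper in the tree.
Set-GPLink -Name 'Domain Security Baseline' -Target $domDn -Domain $domain `
           -Enforced Yes | Out-Null

# 5. Show what the OU inherits. InheritedGpoLinks is in precedence order, the
#    same view as the Group Policy Inheritance tab in GPMC (precedence 1 wins).
$inh = Get-GPInheritance -Target $kioskOu -Domain $domain
'Inheritance blocked on {0}: {1}' -f $inh.Name, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize
```

Run it from a GPMC-capable management host with rights to create and link GPOs; the inheritance listing is the quickest way to confirm that an enforced domain link still reaches an OU on which Block Inheritance is set.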
Group Policy Settings
• Settings in Computer Configuration take precedence over settings in User Configuration, should the two conflict
• Three folders under the Policies folder
– Software Settings
– Windows Settings
– Administrative Templates
• Policy settings can be managed or unmanaged
– Managed policies reset to ‘not configured’ when the object falls
outside of the policy’s scope
– Unmanaged policies are persistent
Policies in the Computer Configuration Node
• Applies to computers regardless of who logs on to the computer
• Contains most of the security-related settings, in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes
• Computer Configuration policies are applied to a computer when the OS starts and are refreshed every 90 minutes thereafter
• Some policy changes may require a restart
Computer Configuration: Software Settings
• Contains the Software Installation extension, which
can be configured to install software packages
remotely
• Applications are deployed with the Windows
Installer service, which uses MSI files
• Software packages are assigned to target
computers, making installation mandatory the next
time the computer starts
Advanced Application Deployment Options
• When deploying applications, click the Advanced option button in the Deploy Software dialog box; this will open a Properties box with the following tabs:
– Deployment tab
– Upgrades tab
– Categories tab
– Modifications tab
• If changes are made to a package, it is not installed again by default; however, the package can easily be redeployed
Computer Configuration: Windows Settings
• The Windows Settings folder contains four
subnodes
– Scripts (Startup/Shutdown)
• Allows the creation of scripts to be run during startup or shutdown
– Deployed Printers
• Can deploy printers to a computer by specifying the UNC path to a shared printer
– Security Settings
• Contains nodes for setting security policies, such as those related
to accounts
– Policy-based QoS
• Enables administrators to manage the use of network bandwidth
Security Settings Subnode: Account Policies
• Account policies must be linked to the domain to have any effect
• Account Policies contains three subnodes
– Password Policy
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store passwords using reversible encryption
– Account Lockout Policy
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
– Kerberos Policy
Security Settings Subnode: Local Policies
• Applies to what users can and can’t do on the local
computer to which they log on
• Usually defined in GPOs linked to OUs containing
computer accounts
• Three subnodes of Local Policies
– Audit Policy
– User Rights Assignment
– Security Options
Auditing Object Access
• Two steps for auditing objects
– Enable the Audit object access policy for success, failure, or
both
– Enable auditing on target objects for success, failure, or both
• Auditing involves considerable overhead; a single
object access can create several log entries
• Windows Server 2008 logs successful logon events
and certain other events by default, even if auditing
is off
Fine-Grained Password Policies
• Fine-grained password policies allow setting
different password and account lockout policies for
targeted users and groups
• Created by defining a Password Settings Object
(PSO) in the Password Settings Container (PSC)
• Two tools can be used to create a PSO
– ADSI Edit
– LDIFDE
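As an added example (not from the textbook), this PowerShell script creates a Password Settings Object with LDIFDE, one of the two tools named above. It writes an LDIF file describing a PSO in the Password Settings Container and imports it; the domain, PSO name, values and target group are assumptions, and the domain must be at the Windows Server 2008 functional level.

```powershell
$domainDn = 'DC=corp,DC=example,DC=com'            # assumed domain
$ldf      = Join-Path $env:TEMP 'pso-admins.ldf'

# AD stores PSO durations as negative 100-nanosecond intervals. A .NET TimeSpan
# tick is also 100 ns, so negating Ticks produces the value LDIFDE expects.
function ConvertTo-PsoInterval([TimeSpan]$Span) {
    return -1 * $Span.Ticks          # 30 minutes -> -18000000000
}

$minAge  = ConvertTo-PsoInterval ([TimeSpan]::FromDays(1))
$maxAge  = ConvertTo-PsoInterval ([TimeSpan]::FromDays(42))
$lockout = ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30))

# The PSO lives in the Password Settings Container under CN=System. When more
# than one PSO applies to a user, the lowest precedence number wins.
# msDS-PSOAppliesTo links the PSO to the users or groups it targets.
@"
dn: CN=PSO-Admins,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
cn: PSO-Admins
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $lockout
msDS-LockoutDuration: $lockout
msDS-PSOAppliesTo: CN=Domain Admins,CN=Users,$domainDn
"@ | Set-Content -Path $ldf -Encoding ASCII

# -i import mode, -f input file, -k continue past "already exists" errors,
# -j directory for the ldif.log / ldif.err files
& ldifde.exe -i -f $ldf -k -j $env:TEMP
```

Run it as a member of Domain Admins on a domain controller or a host with the AD DS tools; the resulting object can be inspected afterwards in ADSI Edit under CN=Password Settings Container.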
Additional Security Settings Subnodes
• 13 more subnodes under Security Settings
– Event Log
– Restricted Groups
– System Services
– Registry
– File System
– Wired Network (IEEE 802.3) Policies
– Windows Firewall with Advanced Security
– Network List Manager Policies
– Wireless Network (IEEE 802.11) Policies
– Public Key Policies
– Software Restriction Policies
– Network Access Protection
– IP Security Policies on Active Directory
Computer Configuration: Administrative Templates
• Affects the HKEY_LOCAL_MACHINE section of the computer’s registry
• Administrative template files are XML-format files that define the policies shown in the Administrative Templates folder of a GPO
• Files use the .admx format for the policy definitions and the .adml format for language-specific text
• All ADMX and ADML files are stored under %systemroot%\PolicyDefinitions
• The Administrative Templates folder has the following subnodes:
– Control Panel
– Network
– Printers
– System
– Windows Components
Policies in the User Configuration Node
• Policies set under the User Configuration node
follow a user wherever he or she logs on
• Lacks most of the security settings and account
policies
• Policies under User Configuration node are more
focused on the user’s environment, such as
Windows features that can and can’t be accessed
User Configuration: Software Settings
• Performs the same function as in Computer
Configuration, but with important differences in
options and execution
• A software package can only be assigned to a computer, but when deployed to users there are two options
– Published
• Isn’t installed automatically; includes a link to the application in
Programs and Features or Add/Remove Programs
– Assigned
• Applications are advertised as a link on the Start menu
User Configuration: Windows Settings
• Windows Settings contains seven subnodes
– Remote Installation Services
– Scripts (Logon/Logoff)
– Security Settings
– Folder Redirection
– Policy-based QoS
– Deployed Printers
– Internet Explorer Maintenance
Security Settings Subnode: Software Restriction Policies
• Designed to prevent users from running certain applications or to allow users to run only specific applications
• Security Levels folder contains three rules
– Disallowed
– Basic User
– Unrestricted
• Additional Rules folder is for exceptions and contains four ways to identify exceptions
– Hash
– Certificate
– Path
– Network zone
• Three policies can be configured
– Enforcement
– Designated File Types
– Trusted Publishers
The Folder Redirection Subnode
• Allows the redirection of one or more folders in a
user’s profile directory
• Useful in ensuring that a user’s documents are
backed up to a server with little to no intervention
required from the user
• Can help decrease bandwidth usage when roaming
profiles are in use
User Configuration: Administrative Templates
• Affects the HKEY_CURRENT_USER section of the
computer’s registry
• Very similar to the Administrative Templates in the
Computer Configuration node
• Contains the following additional subnodes:
– Desktop
– Shared Folders
– Start Menu and Taskbar
Using Security Templates
• Security templates are text files with an .inf
extension that contain information to define policy
settings in the Security Settings node
• Can be used to verify current security settings on a
computer against the settings in a template
• Three tools for working with security templates
– Security Templates snap-in
– Security Configuration and Analysis snap-in
– Secedit.exe
Security Templates Snap-in
• Can be used to create security templates for use
with computers that require different security
settings, such as servers with different roles
• When a user creates a template, it is stored under
the user’s Documents folder in Security\Templates
Security Templates Snap-in (cont.)
Security Configuration and Analysis Snap-in
• Useful for checking a computer’s existing security settings
against the known settings in security template files
• Can also apply a security template to a computer
• Analyzing current security settings against a template
creates a report; for each policy setting, there are five
possible results
– An X in a red circle indicates a mismatch
– A check mark in green indicates a match
– A question mark in a white circle indicates that the policy wasn’t
defined or the user doesn’t have permission to access the policy
– An exclamation point in a white circle indicates that the policy doesn’t
exist on that computer
– No indicator indicates that the policy wasn’t defined in the template
Secedit.exe
• Command-line program that performs many of the
same functions as the Security Configuration and
Analysis snap-in
• Can be automated with scripts and batch files
• Can import or export some of or all of the settings
between a security database and a template file
• Can compare settings between a security database
and a computer’s current settings or apply a
database to a computer
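As an added example (not from the textbook), this PowerShell script serves both the Account Policies slide and the security template slides: it writes a security template (.inf) that encodes the password, lockout and audit settings discussed in this chapter, then runs Secedit.exe to analyze the local computer against it, which is the command-line equivalent of the Security Configuration and Analysis snap-in. File paths and the chosen policy values are assumptions.

```powershell
$work = Join-Path $env:TEMP 'sectemplate'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'baseline.inf'     # the security template
$db  = Join-Path $work 'baseline.sdb'     # security database built from it
$log = Join-Path $work 'analyze.log'      # analysis results

# Security templates are plain text. [System Access] keys correspond to the
# Password Policy and Account Lockout Policy subnodes; [Event Audit] keys to
# the Audit Policy subnode (0 = none, 1 = success, 2 = failure, 3 = both).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditObjectAccess = 2
'@ | Set-Content -Path $inf -Encoding Unicode

# /analyze imports the template into the database and compares the database
# with the computer's current settings; it changes nothing on the computer.
& secedit.exe /analyze /db $db /cfg $inf /overwrite /log $log /quiet

# The log records each setting as a match, a mismatch, or not configured;
# list only the mismatches, which are the settings that differ from the template.
Get-Content -Path $log | Where-Object { $_ -match '^\s*Mismatch' }
```

Run it from an elevated prompt. To apply the template rather than only analyze, secedit /configure /db with the same database and /areas SECURITYPOLICY writes the settings to the computer; on a domain member, account policy from the domain GPO still takes precedence at the next refresh.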
GPO Management with GPMC
• GPO Delegation: Eight possible permissions can be applied to GPOs and the container objects to which they’re linked through delegation
– Create GPOs
– Link GPOs
– Perform Group Policy Modeling analyses
– Read Group Policy Results data
– Read
– Read (from Security Filtering)
– Edit settings, delete, modify security
– Edit Settings
GPO Management with GPMC (cont.)
• After a GPO is created, it can be in one of the following states:
– Link status: unlinked
– Link status: enabled
– Link status: disabled
– GPO status: Enabled
– GPO status: User Configuration Settings Disabled
– GPO status: Computer Configuration Settings Disabled
– GPO status: All Settings Disabled
GPO Backup and Restore
• Backing up a GPO backs up not only its policy settings but also its security filtering settings, delegation settings, and WMI filter links
• Does not back up WMI filter files, IPSec policies,
and GPO container links
• The procedure for restoring a GPO varies
depending on whether you wish to:
– Restore a previous version
– Restore a deleted GPO
– Import settings
GPO Migration
• Migration is useful if multiple domains have similar
policy requirements or if you wish to set up a test
environment
• GPOs can be migrated across domains in the
same or different forests by adding the domain to
GPMC
• GPOs can also be migrated using the backup and
import procedure
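As an added example (not from the textbook), the following PowerShell script covers the backup, restore and migration slides with the GroupPolicy module (GPMC on Windows Server 2008 R2 or later). It backs up every GPO, saves a separate record of the container links that a backup does not keep, restores one GPO from the backup, and imports the same backup into a test domain. The domain names, GPO name, backup path and migration table file are assumptions.

```powershell
Import-Module GroupPolicy

$prod = 'corp.example.com'                                   # assumed source domain
$test = 'test.example.com'                                   # assumed target domain
$root = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. Back up every GPO in the domain. The backup keeps settings, security
#    filtering, delegation and WMI filter links, but not the WMI filters
#    themselves, IPSec policies, or the containers each GPO is linked to.
$backups = Backup-GPO -All -Domain $prod -Path $root -Comment 'Baseline before change window'
$backups | Select-Object DisplayName, GpoId, Id, BackupDirectory | Format-Table -AutoSize

# 2. Record link locations separately, since they are not part of the backup.
#    The XML report of each GPO lists the containers it is linked to.
foreach ($gpo in Get-GPO -All -Domain $prod) {
    Get-GPOReport -Guid $gpo.Id -Domain $prod -ReportType Xml `
        -Path (Join-Path $root ('links-{0}.xml' -f $gpo.Id))
}

# 3a. Restore a previous version of a GPO in the same domain. If the GPO had
#     been deleted, its links are not restored and it must be relinked using
#     the record saved in step 2.
Restore-GPO -Name 'Workstation Security' -Domain $prod -Path $root | Out-Null

# 3b. Migrate to the test domain with the backup-and-import procedure. The
#     migration table (assumed to be prepared in GPMC's Migration Table Editor)
#     maps security principals and UNC paths from $prod to $test.
$migTable = Join-Path $root 'prod-to-test.migtable'
Import-GPO -BackupGpoName 'Workstation Security' -Path $root `
           -TargetName 'Workstation Security' -Domain $test `
           -MigrationTable $migTable -CreateIfNeeded | Out-Null
```

The import creates an unlinked GPO in the target domain, so the last step in the test environment is to link it where it belongs and verify the result with Group Policy Modeling before touching production.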
Group Policy Results and Modeling
• Group Policy Results Wizard creates a report to
show Administrators which policy settings apply to
a user, computer, or both
• Provides the same information as Resultant Set of
Policy (RSoP) snap-in
• Once the wizard finishes, the report has three tabs:
– Summary
– Settings
– Policy Events
Group Policy Results and Modeling (cont.)
Group Policy Results and Modeling (cont.)
• Gpresult.exe performs a similar task as the Group
Policy Results Wizard
• Group Policy Modeling allows an Administrator to
examine the results of policy settings without
actually applying anything
• Instead of a Policy Events tab, it has a Query tab
that shows the choices made to produce the report
in Group Policy Modeling
The ADMX Central Store
• ADMX Central Store is a centralized location for
maintaining ADMX files
• To create a central store, create a folder named PolicyDefinitions in the %systemroot%\SYSVOL\sysvol\domainname\policies folder and then create a language-specific folder that uses the two-character ISO standard for languages; lastly, copy the ADMX files to the store location
Group Policy Preferences
• Creates a standardized environment while simultaneously allowing users to make changes to configured settings
• With group policy preferences, you can perform tasks such as:
– Create and modify local users and groups
– Enable and disable devices on a computer
– Create drive mappings
– Manage power options
– Create and manage files, folders, and shortcuts
– Create and modify printers
– Customize application settings
• Can use item-level targeting, which enables administrators to target users or computers for each preference based on a set of criteria
Chapter Summary
• Group policy architecture and function involves
these components: GPOs, replication, scope and
inheritance, and creating and linking GPOs;
domain GPOs consist of a GPT stored in the
Sysvol share and a GPC stored in Active Directory
• GPO replication is handled by Active Directory
replication for GPC and by FRS or DFSR for GPTs
• You use the GPMC to create, link, and manage
GPOs and the GPME to edit GPOs
Chapter Summary (cont.)
• Starter GPOs are like template files
• GPOs can be linked to sites, domains, and OUs; policies are applied in this order, and the last policy setting applied takes precedence when conflicts exist
• Default GPO inheritance can be changed by using
inheritance blocking, enforcement, GPO filtering,
and loopback policy processing
• Computer Configuration and User Configuration
nodes contain three subnodes: Software Settings,
Windows Settings, and Administrative Templates
Chapter Summary (cont.)
• The Security Settings node in Computer
Configuration contains the Account Policies
subnode with settings that affect all domain users
• The Local Policies subnode in the Security Settings
node contains Audit Policy, User Rights
Assignment, and Security Options
• Fine-grained password policies, new in Windows
Server 2008, make it possible for administrators to
define different password policies for select groups
of users
Chapter Summary (cont.)
• Administrative Templates can control hundreds of settings
on computers and for users
• Security templates are used to transfer security settings
easily from one GPO or computer to another and can be
used to analyze a computer’s current settings against a
security database created from one or more security
templates
• Group policy management involves managing GPO
delegation and GPO status as well as GPO backup and
migration
• Group policy preferences, new in Windows Server 2008,
enable administrators to set up user and computer
environments with preferred settings, but these settings can
be changed, unlike policy settings