Active Directory: Users & Computers, Group Policies

Users & Computers

Domains
• domain
• trusted domains, trusting domains
• subdomains: tree of domains
• forest of trees

Groups
• Groups in Active Directory are directory objects that reside within a domain and organizational unit container objects.
• Active Directory provides a set of default groups upon installation, and also allows the option to create groups.
• A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit (as objects of DAC, discretionary access control).
• An object is placed in several groups according to its missions.
• A user group is a collection of user accounts that all have the same security rights. User groups are also sometimes referred to as security groups.
• Group scopes:
  • Domain Local
  • Global: can be used in trusting domains
  • Universal: contains users, groups, and computers from any domain in the forest

mmc
• File | Add/Remove Snap-in... | Active Directory Users and Computers
• Builtin
• Users: Domain Users, Guests, Administrators, ...
• Computers

Users: almost 50 predefined objects

Group / user / session: description
• Account Operators: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
• Administrator: A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.
• Administrators: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group is also added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.
• Anonymous: A user who has logged on anonymously.
• Authenticated Users: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

Organizational units
• Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units.
• An organizational unit mirrors the organization's functional or business structure.
• An organizational unit cannot contain objects from other domains.
• Can be linked to Group Policies.

Group Policy

Group policy
• bulk configuration of:
  • the Windows system (about 3,500 configuration items)
  • its components
  • various other products: Microsoft Office, Google Chrome, ...
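The group scopes, the "managed as a single unit" idea and the built-in groups listed above, as one worked PowerShell example. This is an added example and not part of the original slides: it assumes the ActiveDirectory module from RSAT and an account allowed to create objects; the OU name (Sales), the group names, the share path and the administrators allow-list are constructed for the example. It builds the classic Accounts → Global group → Domain Local group → Permission chain (AGDLP), grants the permission through the Domain Local group, and then audits the built-in groups from the table.

```powershell
# Added example, not from the original slides: AGDLP group design with the three group
# scopes, an OU, an ACL granted through a Domain Local group, and an audit of the built-in
# privileged groups described in the table above.
# Assumes the ActiveDirectory module (RSAT) and rights to create the objects.
# OU name, group names, share path and the allow-list are constructed for this example.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Sales,$domainDN"

function Test-ADObject {
    # AD cmdlets throw on a missing identity, so probe the lookup inside try/catch.
    param([scriptblock]$Lookup)
    try { $null = & $Lookup; $true } catch { $false }
}

# 1. The OU mirrors the business structure; it is the container the objects live in
#    and the unit that Group Policy can later be linked to.
if (-not (Test-ADObject { Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction Stop })) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. AGDLP: Accounts -> Global group (role) -> Domain Local group (resource) -> Permission.
#    The Global group is what a trusting domain can reference; the Domain Local group
#    stays in this domain and is the only principal the ACL has to name.
if (-not (Test-ADObject { Get-ADGroup -Identity 'G-Sales-Staff' -ErrorAction Stop })) {
    New-ADGroup -Name 'G-Sales-Staff' -Path $ouDN -GroupScope Global -GroupCategory Security `
        -Description 'Role group: all sales staff (constructed example)'
}
if (-not (Test-ADObject { Get-ADGroup -Identity 'DL-SalesShare-Modify' -ErrorAction Stop })) {
    New-ADGroup -Name 'DL-SalesShare-Modify' -Path $ouDN -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Resource group: Modify on the Sales share (constructed example)'
}
# Add-ADGroupMember errors on an existing member, so check the nesting first.
$nested = Get-ADGroupMember -Identity 'DL-SalesShare-Modify' |
    Where-Object SamAccountName -eq 'G-Sales-Staff'
if (-not $nested) { Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'G-Sales-Staff' }

# 3. The permission itself (run on the file server): the ACL names the Domain Local group,
#    so user turnover is handled by group membership, never by editing the ACL again.
$sharePath = 'D:\Shares\Sales'   # constructed path
if (Test-Path -LiteralPath $sharePath) {
    $acl  = Get-Acl -LiteralPath $sharePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$((Get-ADDomain).NetBIOSName)\DL-SalesShare-Modify", 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $sharePath -AclObject $acl
}

# 4. Audit the built-in groups from the table. Account Operators is empty by default yet
#    can edit most accounts, so every member is worth reviewing; Administrators should hold
#    only the accounts and groups the table says are added automatically.
$expectedAdministrators = @('Administrator', 'Domain Admins', 'Enterprise Admins')  # constructed allow-list
foreach ($groupName in 'Account Operators', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName)
    if ($groupName -eq 'Account Operators') {
        $unexpected = $members
    } else {
        $unexpected = @($members | Where-Object { $_ -notin $expectedAdministrators })
    }
    [pscustomobject]@{
        Group      = $groupName
        Scope      = (Get-ADGroup -Identity $groupName).GroupScope
        Members    = $members -join ', '
        Unexpected = $unexpected -join ', '
    }
}
```

The audit in step 4 reads direct membership on purpose: the table says Domain Admins and Enterprise Admins are added to Administrators as groups, and a `-Recursive` query would flatten them into user names and hide whether a group or a stray user account was added. Run it on a schedule and diff the `Unexpected` column against the previous run.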
Group Policy Editor
• editor of the local "Group Policy" object: gpedit.msc
• editor of "Group Policy" objects stored in Active Directory:
  • on a DC: Server Manager - Tools - Group Policy Management - Edit
  • remote: Remote Server Administration Kit - Group Policy Management - Edit

Computer + User
• Computer Configuration applies to all users who log on to the given computer
• User Configuration is applied on all computers in the domain where the given user logs on
• about 3/4 of the items are the same

Software Settings
• software installation using MSI packages
• Deploy Software dialog: Publish, Assign, Advanced
• uninstall when out of the management scope

Windows Settings
• DNS
• Startup/Shutdown scripts
• Deployed Printers
• Security Settings
• QoS

Security Settings
• Account Policies
• Local Policies: Audit, User Rights, Security
• File System
• Registry
• Software Restriction Policies
• Application Control Policies (AppLocker)
• Public Key Policies
• Windows Firewall with Advanced Security
• IP Security Policies (IPsec)

Administrative Templates
• Policy definitions (ADMX files)
• Control Panel
• Network
• Printers
• Server (backup restrictions)
• Start Menu and Taskbar (W8.1 Update 2)
• System
• Windows Components: Internet Explorer, BitLocker, Mobility Center, Windows Update, ...
• Office

Preferences
• enable deploying settings to client computers without restricting the users from changing the settings (Windows Server 2008, ...)
• Windows Settings: Environment, Files, Folders, Ini Files, Registry, Network Shares
• Control Panel Settings

Group Policy Management
• Forest
• Domains
  • domain.enterprise.com
    • Default Domain Policy
    • other global domain policies
    • organizational units
    • Group Policy Objects
• Sites
• Group Policy Modeling
• Group Policy Results

(Diagram: Active Directory groups, organizational units and Group Policy Objects; the GPOs are linked to OUs.)

Group Policy client-side extensions (CSE)
• Policy settings are grouped into categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, Software Installation, and the Group Policy preference extensions.
• The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings.
• Group Policy preference extensions represent a set of client-side extensions, not a single CSE. Each Group Policy preference extension has rules to process settings.
• Fast Logon Optimization and Fast Startup vs. Group Policy

Advanced Group Policy Management
• Extension to Group Policy Management (server + client), only in the Microsoft Desktop Optimization Pack (Software Assurance)
• Perform offline editing of GPOs so that you can create and test them before you deploy them to a production environment.
• Maintain multiple versions of a GPO in a central archive so that you can roll back if a problem occurs.
• Share the responsibility for editing, approving, and reviewing GPOs among multiple people by using role-based delegation.
• Eliminate the danger of multiple Group Policy administrators overwriting one another's work by using the check-in and check-out capability for GPOs.
• Analyze changes to a GPO, comparing it to another GPO or another version of the same GPO by using difference reporting.
• Simplify creating new GPOs by using GPO templates, storing common policy settings and preference settings to use as starting points for new GPOs.
• Delegate access to the production environment.
• Search for GPOs with specific attributes and filter the list of GPOs displayed.
• Export a GPO to a file so that you can copy it from a domain in a test forest to a domain in a production forest.
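The Group Policy part of the slides (Computer vs. User Configuration, Administrative Templates vs. Preferences, the GPMC tree with links to OUs, Group Policy Results, and the Fast Logon Optimization bullet under CSEs) as one worked PowerShell example. This is an added example and not part of the original slides: it assumes the GroupPolicy and ActiveDirectory modules from RSAT on a domain-joined host with rights to create and link GPOs; the GPO name, the Sales OU, the ExampleCorp registry path and the client and user names used for the RSoP report are constructed for the example. The one real setting it writes, SyncForegroundPolicy under Winlogon, is the registry value behind the "Always wait for the network at computer startup and logon" policy.

```powershell
# Added example, not from the original slides: create a GPO, put a Computer Configuration
# policy and a User Configuration preference item in it, link it to an OU, and read back
# what applies. Assumes the GroupPolicy + ActiveDirectory modules (RSAT) and GPO rights.
# GPO name, OU, the ExampleCorp key and the RSoP target names are constructed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Sales,$domainDN"              # assumed to exist
$gpoName  = 'Sales Workstations - Baseline'

# 1. A GPO is stored partly in Active Directory and partly in SYSVOL; create it once.
#    Get-GPO throws on a missing name, so probe inside try/catch.
$gpo = $null
try { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop } catch { }
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Constructed example baseline' }

# 2. Computer Configuration policy (registry-based Administrative Templates setting, stored
#    in registry.pol; HKLM = Computer Configuration, so it applies to every user who logs on
#    to a linked computer). SyncForegroundPolicy = 1 disables Fast Logon Optimization, so the
#    CSEs that need a synchronous foreground pass (Software Installation, Folder Redirection)
#    apply on the first logon rather than the second. Note this policy writes outside the
#    Software\Policies branch, so it stays on the client after the GPO is unlinked.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# 3. User Configuration preference item (Group Policy Preferences, HKCU): deployed to the
#    user, but unlike the policy above the user may change it afterwards. Constructed key.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Software\ExampleCorp\Desktop' -ValueName 'ShowTips' -Type DWord -Value 0 | Out-Null

# 4. A GPO only applies through its links. Link it to the OU (skip if already linked) and
#    list every link in effect there, including the ones inherited from the domain, which
#    is what the GPMC tree under "organizational units" shows.
$links = (Get-GPInheritance -Target $ouDN).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target

# 5. Read the stored settings back from the GPO and export a settings report.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$($gpo.Id).html"

# 6. Group Policy Results (RSoP) for one computer/user pair, as the GPMC "Group Policy
#    Results" wizard does; needs WMI/RPC access to the client. Names are constructed.
Get-GPResultantSetOfPolicy -Computer 'WS-SALES-01' -User 'CORP\alice' `
    -ReportType Html -Path "$env:TEMP\rsop-ws-sales-01.html"
# On the client, "gpupdate /target:computer /force" followed by "gpresult /r" shows the
# same applied GPOs and the CSEs that processed them.
```

Steps 2 and 3 side by side show the difference the Preferences slide makes: the policy value is re-applied on every refresh and locks the setting, while the preference item is written once per refresh cycle but leaves the user free to change it in between. Step 4 is the place to check precedence when a setting does not take effect: a lower `Order`, an `Enforced` link higher up, or a blocked inheritance on the OU will each change which GPO wins.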