Chapter 9: Implementing and Using Group Policy

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 9: Implementing and Using Group Policy
Objectives
• Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
• Manage and troubleshoot Group Policy inheritance
• Deploy and manage software using Group Policy
Guide to MCSE 70-290, Enhanced
2
Introduction to Group Policy
• Group Policy centralizes management of user and computer configuration settings throughout a network
• A Group Policy object (GPO) is an Active Directory object used to configure policy settings for user and computer objects
• Two default GPOs are created when Active Directory is installed:
  • Default Domain Policy (linked to the domain container)
  • Default Domain Controllers Policy (linked to the Domain Controllers OU)
Introduction to Group Policy (continued)
• You can modify the default GPOs
• You can create new GPOs and link them to particular sites, domains, and OUs
• Policy settings propagate to all users and computers in the container, including child OUs
• Group Policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP; Windows NT 4.0 and Windows 9x clients ignore GPOs and rely on System Policy instead
Creating a Group Policy Object
• Two ways to create a GPO:
  • Group Policy Object Editor standalone Microsoft Management Console (MMC) snap-in
  • Group Policy extension in Active Directory Users and Computers
Activity 9-1: Creating a Group Policy Object Using the MMC
• Objective: To create a GPO using the Group Policy Object Editor MMC snap-in
  • Locate the MMC Group Policy Object Editor snap-in
  • Create a new GPO
Activity 9-2: Creating OUs and Moving User Accounts
• Objective: To create new Organizational Units and move existing user accounts into them
  • You must be familiar with using OUs to control the application of Group Policy settings
  • Create new OUs using Active Directory Users and Computers
  • Move users into the new OUs
Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers
• Objective: Create a GPO using Active Directory Users and Computers as an alternative to the MMC snap-in
  • From Active Directory Users and Computers, use the Group Policy tab of the Properties of an existing OU to add and create GPOs
  • Browse the configuration settings of a Group Policy Object
Editing a GPO
Editing a GPO (continued)
• Table 9-1 shows the configuration categories for both computer and user configurations
• Each Administrative Template setting has two tabs in its Properties dialog:
  • Setting lets you leave the setting Not Configured or set it to Enabled or Disabled
  • Explain describes what the setting does
• GPO content is stored in two locations that must stay in sync:
  • Group Policy container (GPC): an Active Directory object under CN=Policies,CN=System in the domain partition; holds the GPO's version number, status, and the path to its template
  • Group Policy template (GPT): a folder in the SYSVOL share (\\domain\SYSVOL\domain\Policies\{GUID}) holding the actual settings, scripts, and installation data
• A GPO is identified by a 128-bit globally unique identifier (GUID), which names both its GPC object and its GPT folder
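The GPC/GPT split above is where Group Policy troubleshooting and investigation usually start, because the two copies carry the same version counter and must agree once SYSVOL replication has converged. The following is an added example written for this page, not code from the textbook: it parses a constructed gpt.ini from a GPT folder, splits its 32-bit Version field into the computer half (low 16 bits) and user half (high 16 bits), validates a {GUID} policy folder name, and compares the template's version with a versionNumber value as it would be read from the GPC object (the numeric value used here is constructed; in practice it comes from the AD object). The GPO named in the comment, {31B2F340-016D-11D2-945F-00C04FB984F9}, is the well-known GUID of the Default Domain Policy.

```python
r"""Check a GPO's on-disk Group Policy template (GPT) against its AD container (GPC).

Added example for this chapter, not textbook code. Assumed layout, from the
documented Group Policy file format: the GPT lives under
\\<domain>\SYSVOL\<domain>\Policies\{<GUID>} and its gpt.ini carries a
32-bit Version whose low 16 bits count computer-side edits and whose high
16 bits count user-side edits. The GPC object in AD stores the same number
in its versionNumber attribute, so after replication the two must agree.
"""
import configparser
import re
from typing import List, NamedTuple

# Folder name of a GPT: the GPO's GUID in braces, e.g. the well-known
# Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}.
POLICY_FOLDER_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


class GptVersion(NamedTuple):
    computer: int   # low 16 bits of the packed version
    user: int       # high 16 bits of the packed version


def split_version(version: int) -> GptVersion:
    """Split the packed 32-bit version into its computer and user halves."""
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("version must be an unsigned 32-bit value")
    return GptVersion(computer=version & 0xFFFF, user=(version >> 16) & 0xFFFF)


def parse_gpt_ini(text: str) -> GptVersion:
    """Read [General] Version from gpt.ini text (files on disk use CRLF)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.replace("\r\n", "\n"))
    return split_version(int(cp["General"]["Version"]))


def is_policy_folder_name(name: str) -> bool:
    """True if `name` looks like a GPT folder name under the Policies folder."""
    return POLICY_FOLDER_RE.match(name) is not None


def check_consistency(gpc_version_number: int, gpt_ini_text: str) -> List[str]:
    """Compare the GPC versionNumber with the GPT's gpt.ini; [] means in sync.

    A mismatch that persists after replication has converged means either
    SYSVOL replication is broken or the template was edited on disk behind
    the Group Policy Object Editor's back (the editor bumps both copies).
    """
    gpc = split_version(gpc_version_number)
    gpt = parse_gpt_ini(gpt_ini_text)
    findings = []
    if gpc.computer != gpt.computer:
        findings.append(f"computer version: GPC={gpc.computer} GPT={gpt.computer}")
    if gpc.user != gpt.user:
        findings.append(f"user version: GPC={gpc.user} GPT={gpt.user}")
    return findings


# Constructed sample gpt.ini: 65539 = 0x00010003 -> user 1, computer 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=New Group Policy Object\r\n"

if __name__ == "__main__":
    print(parse_gpt_ini(SAMPLE_GPT_INI))             # GptVersion(computer=3, user=1)
    print(check_consistency(65539, SAMPLE_GPT_INI))  # [] (in sync)
    print(check_consistency(65540, SAMPLE_GPT_INI))  # computer half differs
```

Run it against a real domain by reading gpt.ini from the SYSVOL folder and versionNumber from the GPC with any LDAP client; a template whose computer or user half keeps climbing without a matching GPC change is worth a closer look at who has write access to SYSVOL.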
Activity 9-4: Deleting Group Policy Objects
• Objective: To delete a GPO using Active Directory Users and Computers
  • A previously created GPO is deleted from an OU
Application of Group Policy
• Two main categories in a Group Policy object:
  • Computer configuration (settings apply to computers in the container)
  • User configuration (settings apply to users in the container)
• Upon computer startup (or user logon):
  • The computer queries a domain controller for the GPOs linked to its site, domain, and OUs; the domain controller finds the applicable GPOs
  • The domain controller returns the list of GPOs; the client reads each GPO's Group Policy template from SYSVOL, applies the settings, and runs the scripts
  • The same basic process happens at user logon, using the user configuration sections
Controlling User Desktop Settings
• Administrative templates
  • Used to limit user manipulation of user desktop and computer configurations
  • Aim is to reduce administrative costs
  • Seven main categories of configuration settings can be applied to either the computer or the user section of a GPO
Controlling User Desktop Settings (continued)
Activity 9-5: Configuring Group Policy Object User Desktop Settings
• Objective: To configure and test the application of Group Policy settings
  • Use Active Directory Users and Computers to access the desired configuration settings
  • Configure settings using the Group Policy Object Editor
  • Verify that the configured settings have the expected results
Managing Security Settings with Group Policy
• Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy) for domain accounts take effect only from a GPO linked at the domain level; the same settings in an OU-linked GPO affect only the local accounts of computers in that OU
• Other nodes in the Security Settings category can be applied at both domain and OU levels
  • Local Policies
    • Audit Policy
    • User Rights Assignment
    • Security Options
Managing Security Settings with Group Policy (continued)
  • Event Log
  • Restricted Groups
  • System Services
  • Registry
  • File System
  • Wireless Network Policies
  • Public Key Policies
  • Software Restriction Policies
  • IP Security Policies on Active Directory
Activity 9-6: Configuring Group Policy Object Security Settings
• Objective: Use Group Policy settings to configure a logon banner for domain users
  • Use Active Directory Users and Computers to access the Default Domain Policy GPO
  • Create a logon banner
  • Verify that the banner appears
Activity 9-7: Configuring File System Security Using Group Policy Settings
• Objective: Use Group Policy settings to configure security permissions
  • Create a folder
  • Use Active Directory Users and Computers to configure the permissions on the folder
  • Update the Group Policy settings on the server
  • Verify that the permissions are explicitly defined
Assigning Scripts
• Windows Server 2003 can run scripts during:
  • User logon or logoff (User Configuration section of the GPO)
  • Computer startup and shutdown (Computer Configuration section of the GPO)
• Within a GPO, scripts run in the order listed, top to bottom
• By default, startup scripts run synchronously (each finishes before the next starts) and hidden; logon scripts run asynchronously unless the policy setting Run logon scripts synchronously is enabled
• Policy settings under Administrative Templates > System > Scripts control the script time-out (600 seconds by default), asynchronous execution, and whether the script window is visible
• Startup and shutdown scripts run as Local System and logon and logoff scripts as the logged-on user, so whoever can modify a script file (in SYSVOL or at any other path a script points to) can run code in that context
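The script list above is stored in the GPO's template in SYSVOL, and reading it directly is a quick way to audit what actually runs at logon and startup. The following is an added example written for this page, not textbook code: it parses a constructed scripts.ini in the format Windows uses for GPO scripts (numbered nCmdLine/nParameters pairs under [Logon], [Logoff], [Startup], [Shutdown]), returns the entries in their run order, and reports any script whose command line points outside the GPO's own Scripts folder, since that location is where an attacker with write access would plant code. The file names and server name in the sample are constructed.

```python
r"""List the scripts a GPO's SYSVOL template will run, in execution order.

Added example for this chapter, not textbook code. Assumed on-disk layout,
from the documented Group Policy scripts format: inside the GPO's template
folder, User\Scripts\scripts.ini and Machine\Scripts\scripts.ini hold the
sections [Logon], [Logoff], [Startup] and [Shutdown], each a numbered list
of nCmdLine= / nParameters= pairs. The index n is the top-to-bottom order
shown in the Group Policy Object Editor and the order the scripts run in.
"""
import configparser
from typing import Dict, List, NamedTuple

SCRIPT_SECTIONS = ("Logon", "Logoff", "Startup", "Shutdown")


class ScriptEntry(NamedTuple):
    index: int
    cmdline: str
    parameters: str


def parse_scripts_ini(text: str, section: str) -> List[ScriptEntry]:
    """Return the scripts in `section` ordered by their index (run order)."""
    if section not in SCRIPT_SECTIONS:
        raise ValueError(f"unknown section {section!r}")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep "0CmdLine" exactly as written
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section(section):
        return []
    entries: Dict[int, Dict[str, str]] = {}
    for key, value in cp.items(section):
        for suffix in ("CmdLine", "Parameters"):
            prefix = key[: -len(suffix)]
            if key.endswith(suffix) and prefix.isdigit():
                entries.setdefault(int(prefix), {})[suffix] = value
    return [ScriptEntry(n, e.get("CmdLine", ""), e.get("Parameters", ""))
            for n, e in sorted(entries.items())]


def scripts_outside_template(entries: List[ScriptEntry]) -> List[ScriptEntry]:
    """Scripts whose command line is a path rather than a bare file name.

    A bare name is resolved inside the GPO's own Scripts folder for that
    section in SYSVOL, which only domain administrators can write to. A UNC
    or drive path runs whatever sits at that location, as Local System for
    startup/shutdown scripts and as each logged-on user for logon/logoff
    scripts, so the ACL on that location needs the same scrutiny as SYSVOL.
    """
    return [e for e in entries if any(ch in e.cmdline for ch in "\\/:")]


# Constructed sample scripts.ini for a GPO's User Configuration section.
SAMPLE_SCRIPTS_INI = (
    "[Logon]\r\n"
    "0CmdLine=logon.bat\r\n"
    "0Parameters=\r\n"
    "1CmdLine=\\\\fileserver\\scripts\\inventory.vbs\r\n"
    "1Parameters=/silent\r\n"
)

if __name__ == "__main__":
    logon = parse_scripts_ini(SAMPLE_SCRIPTS_INI, "Logon")
    for entry in logon:
        print(f"{entry.index}: {entry.cmdline} {entry.parameters}".rstrip())
    for entry in scripts_outside_template(logon):
        print(f"check write access on: {entry.cmdline}")
```

Point it at \\domain\SYSVOL\domain\Policies\{GUID}\User\Scripts\scripts.ini (or the Machine counterpart) for each GPO to get the same list the editor shows, without opening each GPO by hand.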
Activity 9-8: Assigning Logon Scripts to Users Using Group Policy
• Objective: Use GPOs to assign logon scripts to domain users
  • Create a script file
  • Add the script to the logon policies of a particular group using Active Directory Users and Computers
  • Verify that the script runs for members of the group and not for other users
Redirecting Folders
• Allows you to redirect the following parts of a user's profile to a network location:
  • Application Data
  • Desktop
  • My Documents
  • Start Menu
• Redirection is useful because it:
  • Aids in backup (the data lives on a server)
  • Reduces logon time compared with roaming profiles, because redirected folders are not copied at logon
  • Allows creation of a standard desktop for multiple users
Redirecting Folders (continued)
Managing Group Policy Inheritance
• GPOs are applied in a specific order:
  • Local computer → Site → Domain → Parent OU → Child OU
• By default, all GPO settings are inherited down this chain
• At each level there can be multiple GPOs
  • Policies are applied in the order they appear on the container's Group Policy tab, bottom GPO first, so the GPO at the top of the list is applied last and takes precedence
• Applying a large number of GPOs can slow startup and logon
Managing Group Policy Inheritance (continued)
• When multiple policies apply to a user or computer:
  • If there is no conflict, the settings from all of them are applied
  • If there is a conflict, the last policy applied overwrites previously applied policies
  • If a computer policy and a user policy configure the same setting, the computer policy usually overrides the user policy
• Computer policies are refreshed automatically in the background: every 90 minutes (plus a random offset of up to 30 minutes) on member computers, every 5 minutes on domain controllers
• Policies can be refreshed manually with GPUPDATE (gpupdate /force reapplies all settings, not only those that changed)
• Policies can be linked to a site, domain, or specific OU container
• Multiple GPOs can be linked to a single container
• A single GPO can be linked to multiple containers
Activity 9-9: Linking a Group Policy Object to Multiple Containers
• Objective: Link a single GPO to multiple containers
  • Using Active Directory Users and Computers, create and configure a new GPO in one OU
  • Add the GPO to another OU
Configuring Block Policy Inheritance, No Override, and Filtering
• These options allow the default behavior to be changed for specific containers:
  • Block Policy inheritance changes the default inheritance
  • No Override changes the default conflict resolution
  • Filtering changes the permissions on a GPO so that it is not applied to a specific member of the container
Blocking Group Policy Inheritance
• To change the default inheritance, select the Block Policy inheritance check box on the Group Policy tab of a child container
• The child then does not inherit its parents' policies, except for GPO links configured with No Override
• Useful if one OU needs to be managed separately
Configuring No Override
• If a GPO link is configured with No Override:
  • It is enforced despite conflicts in lower-level policies
  • It is enforced on lower-level containers even where Block Policy inheritance is set
Filtering Using Permissions
• Prevents policy settings from applying to a particular user, group, or computer within a container even though the GPO is linked there
• A GPO applies only to security principals that have both Read and Apply Group Policy permissions on it (Authenticated Users have both by default)
• To filter a GPO from a particular container member, deny Apply Group Policy (and Read) to that member's account or a group containing it; a Deny entry overrides any Allow the member holds through other groups
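The inheritance, precedence, No Override, Block Policy inheritance and filtering rules above are what GPRESULT and RSoP compute; working them by hand is error-prone. The following is an added example written for this page, not textbook code or a Microsoft tool: it models those rules in Python and resolves the effective value of each setting for a principal, recording which GPO won. All container names, GPO names, setting names and group names are constructed for illustration; the local GPO is modelled as a plain dictionary applied first.

```python
"""Resolve effective Group Policy settings (an RSoP-style calculation).

Added example for this chapter, not textbook code. It implements the rules
the slides state: processing order local -> site -> domain -> parent OU ->
child OU; links on one container applied bottom of the Group Policy tab
first so the top link wins; last writer wins on conflicts; Block Policy
inheritance discards ordinary links from containers above it; No Override
links are applied after everything else and cannot be blocked; a GPO is
skipped unless the principal has Apply Group Policy (Deny beats Allow).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]           # setting name -> configured value
    apply_allowed: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_denied: Set[str] = field(default_factory=set)

    def applies_to(self, groups: Set[str]) -> bool:
        """Security filtering on the Apply Group Policy permission."""
        if groups & self.apply_denied:     # an explicit Deny wins over any Allow
            return False
        return bool(groups & self.apply_allowed)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:
    name: str
    links: List[Link]                  # in Group Policy tab order, top entry first
    block_inheritance: bool = False


def application_order(chain: List[Container]) -> List[Tuple[Container, Link]]:
    """Order in which linked GPOs are applied; a later entry wins a conflict."""
    # Block Policy inheritance on a container discards every ordinary link
    # from the containers above it; only No Override links get through.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    order: List[Tuple[Container, Link]] = []
    for i, container in enumerate(chain):          # site -> domain -> OUs
        if i < cut:
            continue
        for link in reversed(container.links):     # bottom of the tab first
            if not link.no_override:
                order.append((container, link))
    # No Override links apply after all ordinary links, child container first,
    # so an enforced GPO at the domain beats an enforced GPO at an OU.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.no_override:
                order.append((container, link))
    return order


def resolve(chain: List[Container], groups: Set[str],
            local_settings: Optional[Dict[str, str]] = None) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (effective value, source GPO)} for a principal in `groups`."""
    effective = {k: (v, "Local Group Policy") for k, v in (local_settings or {}).items()}
    for _container, link in application_order(chain):
        if not link.gpo.applies_to(groups):
            continue                                # filtered out by permissions
        for setting, value in link.gpo.settings.items():
            effective[setting] = (value, link.gpo.name)   # last writer wins
    return effective


def example_chain(block_at_finance: bool) -> List[Container]:
    """Constructed site/domain/OU hierarchy used to exercise the rules."""
    site = Container("HQ-Site", [Link(GPO("Site-Proxy", {"ProxyServer": "proxy.hq.example"}))])
    domain = Container("example.local", [
        Link(GPO("Domain-Banner", {"LogonBanner": "Authorized use only"}), no_override=True),
        Link(GPO("Domain-Baseline", {"RemoveRunMenu": "Disabled",
                                     "ProxyServer": "proxy.example.local"})),
    ])
    staff = Container("OU=Staff", [Link(GPO("Staff-Desktop", {"RemoveRunMenu": "Enabled",
                                                              "Wallpaper": "corp.bmp"}))])
    finance = Container("OU=Finance,OU=Staff", [
        Link(GPO("Finance-Lockdown", {"LogonBanner": "Finance staff only",
                                      "Wallpaper": "finance.bmp"})),
        Link(GPO("Finance-Apps", {"AssignedApp": "Excel"}, apply_denied={"GPO-Exempt"})),
    ], block_inheritance=block_at_finance)
    return [site, domain, staff, finance]


if __name__ == "__main__":
    groups = {"Authenticated Users", "Finance Users"}
    for blocked in (False, True):
        print(f"Block Policy inheritance on the Finance OU: {blocked}")
        for setting, (value, source) in sorted(resolve(example_chain(blocked), groups).items()):
            print(f"  {setting:14} = {value:22} (from {source})")
```

With the block set, the Finance user keeps the domain banner (No Override passes through the block) but loses the Staff OU's Run-menu lockdown and both proxy settings; with the block cleared, the Staff OU's setting beats the domain's, and a member of the constructed GPO-Exempt group never receives the assigned application. Compare the output against gpresult /v on a real client to see the same precedence decisions.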
Activity 9-10: Configuring Group Policy Object Inheritance Settings
• Objective: Explore and configure Group Policy inheritance settings
  • Configure the Default Domain Policy GPO using Active Directory Users and Computers
  • Override the Default Domain Policy configuration at the OU level and verify the override
  • Configure the No Override option at the domain level
  • Verify the No Override option
Activity 9-11: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of Group Policy settings
  • Using Active Directory Users and Computers, add a user account to a group but deny the group's GPO permissions
  • Verify that the added user account is not configured with the group's GPO
Troubleshooting Group Policy Settings
• Potential trouble areas:
  • Order of Group Policy processing
  • Improper use of No Override or Block Policy inheritance settings
  • Read and Apply Group Policy permissions
• Utilities that show effective Group Policy settings:
  • GPRESULT: command-line utility (gpresult /v for verbose output, /z for the most detail)
  • Resultant Set of Policy (RSoP): graphical MMC snap-in (logging mode shows what was actually applied; planning mode simulates a change before you make it)
Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool
• Objective: Use RSoP to determine effective Group Policy settings
  • Use Active Directory Users and Computers to configure the Default Domain Policy
  • Open a new MMC with the Resultant Set of Policy snap-in
  • Use RSoP to generate RSoP data
Deploying Software Using Group Policy
• Applications that can be deployed using Group Policy include:
  • Business applications (e.g., Microsoft Office)
  • Anti-virus software
  • Software updates (e.g., service packs)
• Four phases of software rollout:
  • Software preparation
  • Deployment
  • Software maintenance
  • Software removal
Software Preparation
• Microsoft Windows Installer package (MSI)
  • An MSI file contains all of the information needed to install an application in a variety of configurations
  • Software vendors include preconfigured MSI packages
  • For older applications, MSI packages can be created using third-party utilities (e.g., VERITAS WinINSTALL)
• To install, place the MSI file in a shared folder and point the Group Policy software installation setting at its UNC path
  • The target users and computers need Read access to the share and folder, and nothing more: an installation assigned to a computer runs as Local System, so anyone who can replace the package on a writable share can run code on every machine that installs it
Software Preparation (continued)
• If an application doesn't have an MSI package, a ZAP file can be used
  • A text file that tells Group Policy how to launch the application's own setup program
  • Can only be published, not assigned
  • Is not resilient (no self-repair), and the application cannot later be removed through Group Policy
  • Runs the setup program with the user's own privileges, so it requires user intervention and the user must have sufficient rights to install software
Deployment
• Two ways to deploy an application:
  • Assigning applications
  • Publishing applications
Assigning Applications
• When a policy is created to assign an application:
  • Any user the policy applies to gets a shortcut on the Start menu
  • The application is installed when the user clicks the shortcut for the first time or opens an associated document
  • If the policy is configured in the computer section, the application is installed the next time the computer starts
  • Assigned applications are resilient (if files are corrupted or deleted, the application reinstalls itself)
Publishing Applications
• When a policy is created to publish an application:
  • It is not advertised on the Start menu
  • It is installed through the Add/Remove Programs applet or by opening an associated document
  • Applications can only be published to users, not to computers
Configuring the Deployment
• Create or edit a GPO and specify the deployment options
• Assign or publish the application to computers or users so that it installs at the appropriate time
Activity 9-13: Publishing an Application to Users Using Group Policy
• Objective: Publish an application using Group Policy settings
  • Create a shared folder and copy the files into it
  • Create a GPO to publish the MSI package in the folder
  • Log on as a member of the group the GPO applies to and install the software
Activity 9-14: Assigning an Application to Users Using Group Policy
• Objective: To assign an application using Group Policy settings
  • Create and configure a new GPO to assign software installation to the users in an OU
  • Log on as a user in the OU
  • Verify that the software installs and executes as expected
Software Maintenance
• Software must be maintained with patches and updates
• Deployment of patches and updates can be:
  • A mandatory upgrade
  • An optional upgrade
  • A redeployment of an application
Software Removal
• The application must originally have been installed using a Windows Installer package (applications deployed with a ZAP file cannot be removed this way)
• Removal can be:
  • Forced removal
  • Optional removal
• Forced removal uninstalls the application (at the next logon for users, the next startup for computers) and prevents it from being reinstalled
• Optional removal does not uninstall existing installations but prevents new installations once the deployment is removed
Summary
• A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects
• Two default GPOs are created when Active Directory is installed:
  • Default Domain Policy
  • Default Domain Controllers Policy
• Two mechanisms for creating GPOs:
  • Microsoft Management Console Group Policy snap-in
  • Group Policy extension in Active Directory Users and Computers
Summary
• GPOs can be used:
  • to control user desktop settings and security settings
  • to apply scripts at user logon and logoff and at computer startup and shutdown
  • for folder redirection
• GPOs are applied in a specific order
• GPOs are inherited by default
  • This can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using security permissions
• Use GPRESULT or the Resultant Set of Policy tool to view effective Group Policy settings
Summary
• GPOs are useful for deploying and maintaining software applications
• GPOs are used for the four main phases of software rollout: preparation, deployment, maintenance, and removal
• For deployment, Group Policy uses an MSI file containing the information needed to install the application in a variety of configurations
• Deployed applications can be either assigned or published