Group Policy
advertisement
Lecture 3: Active Directory Domain Service (AD DS) Agenda • Active Directory Domain Service (AD DS) Installing and Configuring Active Directory Domain Services Implementing a Group Policy Infrastructure Managing User Desktop with Group Policy Module 1 Configuring Active Directory® Domain Services Module Overview • Installing Domain Controllers • Configuring Read-Only Domain Controllers • New Features in Group Policy • Configuring Group Policy Preferences Lesson 1: Installing Domain Controllers • Requirements for Installing AD DS • What Are Domain and Forest Functional Levels? • AD DS Installation Process • Advanced Options for Installing AD DS Requirements for Installing AD DS Requirements Description Server • A computer running Windows Server 2008 Network configuration • TCP/IP must be configured, including DNS AD DS Installation Permissions • Local Administrator permissions to install the (Web Server edition is not supported) • Minimum disk space of 250 MB and a partition formatted with NTFS file system client settings • DNS Server that supports dynamic updates must be available or will be configured on the domain controller first domain controller in a forest • Domain Administrator permissions to install additional domain controllers in a domain • Enterprise Administrator permissions to install additional domains in a forest What Are Domain and Forest Functional Levels? Functional levels: • Determine the AD DS features available in a domain or forest • Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest Supported functional levels: Domain Supported Domain Controller Operating Systems Forest Windows 2000 Server native • Windows Server 2008 • Windows Server 2003 • Windows 2000 Server Windows 2000 Windows Server 2003 • Windows Server 2008 • Windows Server 2003 Windows Server 2003 Windows Server 2008 • Windows Server 2008 Windows Server 2008 AD DS Installation Process the Active Directory Domain Services role by 1 Install using the Server Manager Run the Active Directory Domain Services 2 Installation Wizard (Dcpromo) 3 Choose the deployment configuration 4 Select the additional domain controller features Select the location for the database, log files, and 5 SYSVOL folder Configure the Directory Services Restore 6 Mode Administrator Password Advanced Options for Installing AD DS To access the advanced mode installation options, choose the Advanced Mode option in the Active Directory Domain Services Installation Wizard or run dcpromo /adv Use the advanced mode options to: • Create a new domain tree • Use backup media as the source for AD DS information • Select the source domain controller for the installation • Modify the default domain NetBIOS name • Define the Password Replication Policy for an RODC Installing AD DS by Using IFM (Install From Media) Use Ntdsutil.exe to create the installation media Ntdsutil.exe can create the following types of installation media: • Full (or writable) domain controller • Full (or writable) domain controller with SYSVOL data • Read-only domain controller with SYSVOL data • Read-only domain controller Upgrading to Windows Server 2008 AD DS To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation: Current Version Before Installing Windows 2000 Server or Windows Server 2003 • Windows Server 2008 adprep /forestprep Windows 2000 Server • Windows Server 2008 adprep /domainprep /gpprep Windows Server 2003 • Windows Server 2008 adprep /domainprep Windows Server 2003 • Windows Server 2008 adprep /rodcprep domain controllers • Must be run before other Adprep commands domain controllers domain controllers RODCs Command Lesson 2: Configuring Read-Only Domain Controllers • What Is a Read-Only Domain Controller? • Read-Only Domain Controller Features • What Are Password Replication Policies? What Is a Read-Only Domain Controller? RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication RODC RODCs provide: • Additional security for branch office with limited physical security • Additional security if applications must run on a domain controller RODCs: • Cannot hold operation master roles or be configured as replication bridgehead servers • Can be deployed on servers running Windows Server 2008 Server Core for additional security Read-Only Domain Controller Features RODCs provide: • Unidirectional replication • Credential caching • Administrative role separation • Read-only DNS • RODC filtered attribute set What Are Password Replication Policies? • The password replication policy determines how the RODC performs credential caching for authenticated user • By default, the RODC does not cache any user credentials or computer credentials Options for configuring password replication policies: • No credentials cached • Enable credential caching on an RODC for specified accounts • Add users or groups to the Domain RODC Password Allowed group so that credentials are cached on all RODCs Lesson 3: New Features in Group Policy • New Group Policy Settings • What Are Multiple Local Group Policies? New Group Policy Settings There are approximately 700 new settings available New settings : • Antivirus • Client Help • Deployed Printer Connections • Internet Explorer 7 • Wireless Configuration • Terminal Services • Windows Error Reporting New categories: • Removable storage device management • Power management • User Account Control • Network Access Protection • Windows Defender • Windows Firewall with Advanced Security What Are Multiple Local Group Policies? • One layer of computer configurations that applies to all users • Layers apply only to individual users, not to groups • There are three layers of user configurations: • Administrator • Non-Administrator • User-specific Lesson 4: Configuring Group Policy Preferences • What Are Group Policy Preferences? • Difference Between Group Policy Preferences and Settings • Group Policy Preference Features What Are Group Policy Preferences? Group Policy preferences expand the range of configurable settings within a GPO and: • Are not enforced • Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable using Group Policy Difference Between Group Policy Preferences and Settings Group Policy Preferences Group Policy Settings Are written to the normal locations in the registry that the application or operating system feature uses to store the setting. Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify. Do not cause the application or Typically disable the user interface operating system feature to disable for settings that Group Policy is the user interface for the settings managing. they configure. Refresh preferences by using the same interval as Group Policy settings by default. Refresh policy settings at a regular interval. Are not available on local computers. Are available through local Group Policy. Group Policy Preference Features Common Tab Used to configure additional options that control the behavior of a Group Policy preference item Targeting Features Determines to which users and computers a preference item applies Module 2 Implementing a Group Policy Infrastructure Module Overview • Understand Group Policy • Implement GPOs • Manage Group Policy Scope • Group Policy Processing • Troubleshoot Policy Application Lesson 1: Understand Group Policy • What Is Configuration Management? • Overview of Policies • Benefits of Using Group Policy • Group Policy Objects • GPO Scope • Group Policy Client and Client-Side Extensions • Group Policy Refresh • Review the Components of Group Policy What Is Configuration Management? • A centralized approach to applying one or more changes to one or more users or computers • Group Policy: The framework for configuration management in an AD DS domain Setting: Definition of a change or configuration Scope: Definition of the users or computers to which the change applies Application: A mechanism that applies the setting to users and computers within the scope Tools for management, configuration, and troubleshooting What Is Group Policy? Group Policy enables IT administrators to automate one-to-many management of users and computers Use Group Policy to: • Apply standard configurations • Deploy software • Enforce security settings • Enforce a consistent desktop environment Local Group Policy is always in effect for local and domain users and local computer settings Group Policy Settings Group Policy settings for users control these settings: • • • • Software Windows Security Desktop Group Policy settings for computers control these settings: • • • • Software Windows Security Operating systems How Group Policy Is Applied Computer starts Refresh Interval Every 90 minutes • Computer settings applied • Startup scripts run User logs on Refresh Interval Every 90 minutes • User settings applied • Logon scripts run Overview of Policies • The granular definition of a change or configuration Prevent access to registry-editing tools Rename the Administrator account • Divided between User Configuration ("user policies") Computer Configuration ("computer policies") • Define a setting Not configured (default) Enabled Disabled Benefits of Using Group Policy • Apply security settings • Manage desktop and application settings • Deploy software • Manage folder redirection • Configure network settings Group Policy Objects • Container for one or more policy settings • Managed with the GPMC • Stored in Group Policy Objects container • Edited with the GPME • Applied to a specific level in AD DS hierarchy GPO Scope • Scope Definition of objects (users or computers) to which GPO applies • GPO Links GPO can be linked to multiple sites, domain, or organizational unit (OU) (SDOU) GPO link(s) define maximum scope of GPO • Security Group Filtering Apply or deny application of GPO to members of global security group Filter application of scope of GPO within its link scope • WMI Filtering Refine scope of GPO within link based on WMI query • Preference Targeting Group Policy Client and Client-Side Extensions • How GPOs and their settings are applied • Group Policy Client retrieves ordered list of GPOs • GPOs are downloaded, and then cached • Components called CSEs process the settings to apply the changes One for each major category of policy settings: Security, registry, script, software installation, mapped drive preferences, and so on Most CSEs apply settings only if the GPO as a whole has changed • Improves performance • Security CSE applies changes every 16 hours GPO application is client driven ("pull") Group Policy Refresh • When GPOs and their settings are applied • Computer Configuration Startup Every 90-120 minutes Triggered: GPUpdate command • User Configuration Logon Every 90-120 minutes Triggered: GPUpdate command Lesson 2: Implement GPOs • Local GPOs • Domain-Based GPOs • Demonstration: Create, Link, and Edit GPOs • GPO Storage • Manage GPOs and Their Settings Local GPOs • Apply before domain-based GPOs Any setting specified by a domain-based GPO will override the setting specified by the local GPOs. • Local GPO One local GPO in Windows 2000 Server, Windows XP, Windows Server 2003 Multiple local GPOs in Windows Vista and later • Local GPO: Computer settings and settings for all users • Administrators GPO: Settings for users in Administrators • Non-administrators GPO: Settings for users not in Admins • Per-user GPO: Settings for a specific user • If domain members can be centrally managed using domain-linked GPOs, in which scenarios might local GPOs be used? Domain-Based GPOs • Created in Active Directory, stored on domain controllers • Two default GPOs Default Domain Policy • Define account policies for the domain: Password, account lockout, and Kerberos policies Default Domain Controllers Policy • Define auditing policies for domain controllers and Active Directory GPO Storage GPC GPO • Stored in AD DS • Friendly name, globally unique identifier (GUID) • Version GPT • What we call a GPO is actually two things, stored in two places • Separate replication mechanisms • Stored in SYSVOL on domain controllers (DCs) • Contains all files required to define and apply settings • .ini file contains Version Manage GPOs and Their Settings • Copy and Paste into a Group Policy Objects container Create a new "copy" GPO and modify it Transfer a GPO to a trusted domain, such as test-toproduction • Back Up all settings, objects, links, permissions (access control lists [ACLs]) • Restore into same domain as backup • Import Settings into a new GPO in same or any domain Migration table for source-to-destination mapping of UNC paths and security group names Replaces all settings in the GPO – not a "merge" • Save Report • Delete • Rename Lesson 3: Manage Group Policy Scope • GPO Links • Group Policy Processing Order • GPO Inheritance and Precedence • Use Security Filtering to Modify GPO Scope • WMI Filters • Enable or Disable GPOs and GPO Nodes • Target Preferences • Loopback Policy Processing GPO Links • GPO link Causes policy settings in GPO to apply to users or computers within that container Links GPO to site, domain, or OU (SDOU) • Must enable sites in the GPM console GPO can be linked to multiple sites or OUs Link can exist but be disabled Link can be deleted, but GPO remains Group Policy Processing Order GPO1 Local Group GPO2 Site GPO3 GPO4 Domain GPO5 OU OU OU Computer D User D Domain Business OU Computer B User B Computer User E Employees Computer C User C Groups Clients Computer D+B+C User D+B+E Computer D User D Domain Block Inheritance Business OU Computer B User B Computer User E Employees Computer C User C Groups Clients Computer B+C User B+E Security Computer D Computer S User D User S Domain Block Inheritance Business OU Enforced Computer B User B Computer User E Employees Computer C User C Groups Clients Computer B+C+S User B+E+S GPO Inheritance and Precedence • The application of GPOs linked to each container results in a cumulative effect called inheritance Default Precedence: Local Site Domain OU OU… (LSDOU) Seen on the Group Policy Inheritance tab • Link order (attribute of GPO Link) Lower number Higher on list Precedent • Block Inheritance (attribute of OU) Blocks the processing of GPOs from above • Enforced (attribute of GPO Link) Enforced GPOs “blast through” Block Inheritance Enforced GPO settings win over conflicting settings in lower GPOs Use Security Filtering to Modify GPO Scope • Apply Group Policy permission GPO has an ACL (Delegation tab Advanced) Default: Authenticated Users have Allow Apply Group Policy • Scope only to users in selected global groups Remove Authenticated Users Add appropriate global groups • Must be global groups (GPOs don’t scope to domain local) • Scope to users except for those in selected groups On the Delegation tab, click Advanced Add appropriate global groups Deny Apply Group Policy permission Does not appear on the Delegation tab or in filtering section WMI Filters • Create a WMI filter • WQL Similar to T-SQL Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3" • Create a WMI filter • Use the filter for one or more GPOs Enable or Disable GPOs and GPO Nodes • GPO Details tab GPO Status drop-down list • Enabled: Both Computer Configuration and User Configuration settings will be applied by CSEs • All settings disabled: CSEs will not process the GPO • Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration • User Configuration settings disabled: CSEs will not process settings in User Configuration Target Preferences • Targeting within a GPO Scope = scope of GPO + scope of targeting Only possible with preferences • Multiple options • Test effect • Test performance impact Loopback Policy Processing • At user logon, user settings from GPOs scoped to computer object are applied Create a consistent user experience on a computer Conference rooms, kiosks, computer labs, VDI, RDS, and so on • Computer Configuration\Policies\Administrative Templates\System\Group Policy User Group Policy loopback processing mode • Replace mode User gets none of the User settings that are scoped to the user and gets only the User settings that are scoped to computer • Merge mode User gets the User settings scoped to the user, but those settings are overlaid with User settings scoped to the computer. The computer settings prevail. Business OU • Computer User E Employees Computer B User B Loopback Computer K User K Computer C User Groups Clients Computer B+C User B+E Replace Computer B+K User B+K Kiosks Merge Computer B+K User E+B+K Lesson 4: Group Policy Processing • Detailed Review of Group Policy Processing • Slow Links and Disconnected Systems • Identify When Settings Take Effect Detailed Review of Group Policy Processing 1. Computer starts; RPCSS and MUP are started 2. Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer • Local Site Domain OU Enforced GPOs GPC processes each GPO in order 3. • Should it be applied? (enabled/disabled/permission/WMI filter) • CSEs are triggered to process settings in GPO • Settings configured as Enabled or Disabled are processed 4. User logs on 5. Process repeats for user settings 6. Every 90-120 minutes after startup, computer refresh 7. Every 90-120 minutes after logon, user refresh Slow Links and Disconnected Systems • Group Policy Client determines whether link to domain should be considered slow link By default, less than 500 kilobits per second (kbps) Each CSE can use determination of slow link to decide whether it should process • Software CSE, for example, does not process • Disconnected Settings previously applied will continue to take effect Exceptions include startup, logon, logoff, and shutdown scripts • Connected Windows Vista and newer operating systems detect new connection and perform Group Policy refresh if the refresh window was missed while the system was disconnected Identify When Settings Take Effect • GPO replication must happen GPC and GPT must replicate • Group changes must be incorporated Logoff/logon for user; restart for computer • Group Policy refresh must occur Windows XP, Windows Vista, and Windows 7 clients Always wait for network at startup and logon • User must logoff or logon or the computer must restart for the settings to take effect • Manually refresh: GPUpdate [/force] [/logoff] [/boot] • Most CSEs do not reapply settings if GPO has not changed Configure in Computer\Admin Templates\System\Group Policy Lesson 5: Troubleshoot Policy Application • Resultant Set of Policy • Generate RSoP Reports • Perform What-If Analyses with the Group Policy Modeling Wizard • Examine Policy Event Logs Resultant Set of Policy • Inheritance, filters, loopback, and other policy scope and precedence factors are complex • RSoP The "end result" of policy application Tools to help evaluate, model, and troubleshoot the application of Group Policy settings • RSoP analysis The Group Policy Results Wizard The Group Policy Modeling Wizard GPResult.exe Generate RSoP Reports • Group Policy Results Wizard Queries WMI to report actual Group Policy application • Requirements Administrative credentials on the target computer Access to WMI (firewall) User must have logged on at least once • RSoP report Can be saved View in Advanced mode • Shows some settings that do not show in the HTML report • View Group Policy processing events • GPResult.exe /s ComputerName /h filename Perform What-If Analyses with the Group Policy Modeling Wizard • Group Policy Modeling Wizard Emulates Group Policy application to report anticipated RSoP Can be used prior to GPO application Recommended in Group Policy design phase Examine Policy Event Logs • System log High-level information about Group Policy Errors elsewhere in the system that could impact Group Policy • Application log Events recorded by CSEs • Group Policy Operational log Detailed trace of Group Policy application Module 3 Managing User Desktop with Group Policy Module Overview • Implement Administrative Templates • Configure Group Policy Preferences • Manage Software with GPSI • Folder Redirection Lesson 1: Implement Administrative Templates • What Are Administrative Templates? • How Administrative Templates Work • Managed Settings, Unmanaged Settings, and Preferences • Central Store What Are Administrative Templates? .ADMX .ADML Registry How Administrative Templates Work • Policy settings in the Administrative Templates node make changes to the registry • HKCU\Software\Microsoft\ Windows\CurrentVersion\ Policies\System DisableRegeditMode • 1–Regedit UI tool only • 2–Also disable regedit /s Central Store • .ADM files Stored in the GPT Leads to version control and GPO bloat problems • .ADMX/.ADML files Retrieved from the client Problematic if the client doesn't have the appropriate files • Central Store Create a folder called PolicyDefinitions on a DC • Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\ PolicyDefinitions • Locally: %SystemRoot%\SYSVOL\contoso.com\ Policies\PolicyDefinitions Copy .ADMX files from your %SystemRoot%\PolicyDefinitions Copy .ADML file from language-specific subfolders (such as en-us) Lesson 2: Configure Group Policy Preferences • What Are Group Policy Preferences? • Differences Between Group Policy Preferences and Settings What Are Group Policy Preferences? Group Policy preferences expand the range of configurable settings within a GPO and: • Are not enforced • Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable by using Group Policy Features of Group Policy Preferences: • Create: Create a new item on the targeted computer • Delete: Remove an existing item from the targeted computer • Replace: Delete and re-create an item on the targeted computer • Update: Modify an existing item on the targeted computer Differences Between Group Policy Preferences and Settings Group Policy Preferences Group Policy Settings Are written to the normal locations in the registry that the application or operating system feature uses to store the setting Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify Do not cause the application or Typically disable the user interface operating system feature to disable for settings that Group Policy is the user interface for the settings managing they configure Refresh preferences by using the same interval as Group Policy settings by default Refresh policy settings at a regular interval Are not available on local computers Are available through local Group Policy Lesson 3: Manage Software with GPSI • Understand GPSI • Software Deployment Options • Create and Scope a Software Deployment GPO • Maintain Software Deployed with GPSI • GPSI and Slow Links Understand GPSI (Group Policy Software Installation) • Client-side extension (CSE) • Installs supported packages Windows Installer packages (.msi) • Optionally modified by Transform (.mst) or patches (.msp) • GPSI automatically installs with elevated privileges Downlevel application package (.zap) • Supported by “publish” option only • Requires user to have admin privileges System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages • No “feedback” No centralized indication of success or failure No built-in metering, auditing, license management Software Deployment Options • Software deployment options Assign application to users • Start menu shortcuts appear - Install-on-demand • File associations made (optional “Auto Install”) - Install-on-document invocation • Optionally, configure to install at logon Publish application to users • Advertised in Programs And Features (Control Panel) - Install-on-request Assign to computers • Install at startup Options for Deploying and Managing Software Using Group Policy 1 2 1.0 Preparation Deployment 4 3 2.0 Removal Maintenance How Software Distribution Works Windows Installer Windows Installer service Fully automates the software installation and configuration process Modifies or repairs an existing application installation Benefits of Using Windows Installer Windows Installer package contains Information about installing or uninstalling an application An .msi file and any external source files Summary information about the application A reference to an installation point Custom installations Resilient applications Clean removal Options for Installing Software Assign software during Computer Configuration Software Distribution Point Assign software during User Configuration ? Publish software using document activation Publish software using Add or Remove Programs Maintaining Software Using Group Policy Users can use only the upgraded version 2.0 Deploy next version of the application Mandatory upgrade 2.0 1.0 Users can decide when to upgrade 2.0 Optional upgrade 2.0 1.0 Selective upgrade You can select specific users for an upgrade Create and Scope a Software Deployment GPO • Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation Right-click New Package Browse to .msi file through network path (\\server\share) Choose deployment option (Recommended: Advanced) • Managing the scope of a software deployment GPO Typically easiest to manage with security group filtering Create an app group such as APP_XML Notepad Put users into the group: allows users to access software share in the event that repairs or reinstalls are necessary Put computers into the group if assigning to computers Maintain Software Deployed with GPSI • Redeploy application After successful install, client will not attempt to reinstall app You might make a change to the package Package All Tasks Redeploy Application • Upgrade application Create new package in same or different GPO Advanced Upgrades Select package to upgrade Uninstall old version first; or install over old version • Remove application Package All Tasks Remove Uninstall immediately (forced removal) or Prevent new installations (optional removal) Don’t delete or unlink GPO until all clients have applied setting GPSI and Slow Links • The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link Less than 500 kbps by default • Each CSE uses the “slow link” determination to decide whether to process By default, GPSI does not process over a slow link • You can change slow link processing behavior of each CSE Computer Configuration\Policies\Administrative Templates\ System\Group Policy • You can change the slow link threshold Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy What Is Folder Redirection? Folder redirection allows folders to be located on a network server, but appear as if they are located on the local drive The folders that can be redirected are: • My Documents (Documents in Windows® Vista) • Application Data (AppData in Windows Vista) • Desktop • Start Menu Extra folders that can be redirected in Windows Vista are: • Contacts • Searches • Downloads • Links • Favorites Folder Redirection Configuration Options • Use basic Folder Redirection when all users save their files to the same location • With advanced Folder Redirection, the server hosting the folder location is based on group membership • Target folder location options: • Redirect to the users’ home directory • Create a folder for each user under the root path • Redirect to the following location • Redirect to the local userprofile location Accounting Users Accounts A-M Accounts N-Z Accounting Managers Misty Anne Options for Securing Redirected Folders NTFS permissions for root folder Creator/Owner Full control - subfolders and files only • None Administrator Security group of • List Folder/Read Data, Create users that Folders/Append Data - This Folder Only put data on share • Full control Local System Share permissions for root folder Full control - subfolders and files only Creator/Owner Security group of • Full control users that put data on share NTFS permissions for each users’ redirected folder Creator/Owner Full control - subfolders and files only %Username% • Full control, owner of folder Administrators • None Local system • Full Control ©2009 Microsoft, Microsoft Dynamics, the Office logo, and Your potential. Our passion. are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
