Configuring Windows Using Group Policy

Agenda
Background
Windows functionality configurable using
Group Policy
How do clients apply Group Policy
Group Policy in action
Common Group Policy Questions
Group Policy Sessions at TechEd
ADM222 Using Group Policy to Configure
Windows
This one!!!!
ADM320 Managing Group Policy
Thursday 10:00 room 10
ADM 421 Scripting Group Policy
Thursday 18:15 room 9
Group Policy Overview
Do More with Less Effort
(Diagram: one administrator action, a "New Policy" stored in Active Directory, produces many end user results and many computer results.)
Group Policy enables admins to set and maintain a desired computing state
New Group Policy Management Console (GPMC) makes administration much easier
Policy-based management
What can you do with Group Policy?
Centralized storage and mgmt of user data
Users have access to data and settings from any computer
Consistency of user experience across computers
Data safety and availability
Rapid PC replacement
Configuration of the Operating System:
Networking settings, control panel access, remote assistance,
disk quotas, IE
Securing the Operating System
Ongoing & dynamic configuration management
Group Policy Controls What?
Enables configuration on Win2000 and later of:
Administrative Templates
Registry-based policy settings
Security
User rights, restricted groups, account policies, IPSec, public key, wireless, system services, software restriction policies, etc.
IE Maintenance
Administer Internet Explorer
Software Distribution
Centralized mgmt of application
installation
Scripts
Startup, Shutdown, logon, logoff
Folder Redirection
Store users’ folders on the network
Remote Installation Service
Configure Client options for RIS
3rd Party extensions
Group Policy framework allows for
extensibility
Group Policy:
Not just for desktops
Server Management
Manage OS components
Especially security management
Terminal servers, web servers, etc.
What we do at TechEd Europe
1,000 PCs
CommsNet (400 PCs)
Session Feedback Pods (60 PCs)
Session Room PCs
Hands-on Labs
Speaker Lounge
BackOffice
How many images?
2
Thanks to Group Policy
TechEd Infrastructure
(Diagram: two sites, London and Event. Domain controllers msevdad1 and msevdad2 are shown with London; msevsad11 and msevsad12 with Event. Client groups: CommsNet, Session Feedback Pods, Speakers Lounge, Session Rooms, Back-office.)
TechEd AD Structure
(Diagram of the OU tree: London Servers, Event Servers, and Computers with sub-OUs Travel Desk Kiosks, CommsNet, Session Rooms and FeedBack pods; speaker accounts labelled "You (& BJ!)" and "Me".)
Windows Functionality Configurable through Group Policy
Administrative Templates
Managing the OS and Apps by manipulating the registry
Windows ships with .ADM files for managing OS components
All settings in these files are true policy settings
No tattooing
Original user preference restored upon removal
Secure for non-admins
Custom .ADMs possible, but generally not true policy settings
Note difference between .POL and .ADM file
.ADM File
Available Settings and UI description
Used by GPEdit only to expose settings for editing
Exists in both sysvol and locally in %windir%\inf
Registry.Pol File
Actual Settings delivered
This is what is delivered to the client to modify registry during GP processing
Exists in sysvol
.ADM and .POL files
(Diagram: the client computer holds the .ADM file in %windir%\inf; the domain controller holds both the .ADM file (text, e.g. "POLICY !!NoRun") and the binary Registry.pol file under Sysvol\policies\{GUID}. Only the Registry.pol settings are transferred to the client during policy processing.)
Default behavior: when using GPEdit, the .ADM is uploaded from the client version if its timestamp is newer
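The distinction between the two files is easiest to see by looking at what the client actually receives. The following is an added example, not code from the original deck: it builds a minimal Registry.pol in memory for the NoRun setting shown in the diagram and parses it back. The Registry.pol layout it implements is the documented "PReg" format; the GUID in the trailing comment is a placeholder.

```powershell
# Added example, not from the original deck: build a minimal Registry.pol in
# memory and parse it back, to show what the client actually receives.
# Registry.pol layout: 4-byte signature "PReg", 4-byte version (1), then one
# record per value:   [key;value;type;size;data]
# where '[', ';', ']' and the NUL-terminated key/value strings are UTF-16LE,
# type and size are little-endian DWORDs, and data is `size` raw bytes.

$Utf16 = [System.Text.Encoding]::Unicode

function New-RegistryPol {
    # $Entries: hashtables with Key, Value, Type ([Microsoft.Win32.RegistryValueKind]) and Data ([byte[]])
    param([hashtable[]]$Entries)
    $out = New-Object 'System.Collections.Generic.List[byte]'
    $out.AddRange([byte[]][System.Text.Encoding]::ASCII.GetBytes('PReg'))
    $out.AddRange([byte[]][BitConverter]::GetBytes([uint32]1))
    foreach ($e in $Entries) {
        $out.AddRange([byte[]]$Utf16.GetBytes('['))
        $out.AddRange([byte[]]$Utf16.GetBytes($e.Key + "`0"))
        $out.AddRange([byte[]]$Utf16.GetBytes(';'))
        $out.AddRange([byte[]]$Utf16.GetBytes($e.Value + "`0"))
        $out.AddRange([byte[]]$Utf16.GetBytes(';'))
        $out.AddRange([byte[]][BitConverter]::GetBytes([uint32][int]$e.Type))
        $out.AddRange([byte[]]$Utf16.GetBytes(';'))
        $out.AddRange([byte[]][BitConverter]::GetBytes([uint32]$e.Data.Length))
        $out.AddRange([byte[]]$Utf16.GetBytes(';'))
        $out.AddRange([byte[]]$e.Data)
        $out.AddRange([byte[]]$Utf16.GetBytes(']'))
    }
    return ,$out.ToArray()
}

function Read-PolString {
    # Read a NUL-terminated UTF-16LE string at $Pos and advance past the NUL.
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value
    while (-not ($Bytes[$Pos.Value] -eq 0 -and $Bytes[$Pos.Value + 1] -eq 0)) { $Pos.Value += 2 }
    $text = $Utf16.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $text
}

function Read-RegistryPol {
    param([byte[]]$Bytes)
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') { throw 'Missing PReg signature' }
    $pos = 8                                            # skip signature and version
    while ($pos -lt $Bytes.Length) {
        $pos += 2                                       # '['
        $key = Read-PolString $Bytes ([ref]$pos)
        $pos += 2                                       # ';'
        $value = Read-PolString $Bytes ([ref]$pos)      # names like **DeleteValues are deletion directives
        $pos += 2                                       # ';'
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        $pos += 2                                       # ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        $pos += 2                                       # ';'
        $data = if ($size -gt 0) { [byte[]]$Bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size
        $pos += 2                                       # ']'
        $kind = [Microsoft.Win32.RegistryValueKind]$type
        $decoded = switch ($kind) {
            'DWord'        { [BitConverter]::ToUInt32($data, 0) }
            'String'       { $Utf16.GetString($data).TrimEnd("`0") }
            'ExpandString' { $Utf16.GetString($data).TrimEnd("`0") }
            default        { ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        }
        [pscustomobject]@{ Key = $key; Value = $value; Type = $kind; Decoded = $decoded }
    }
}

# Constructed sample: the "Remove Run menu from Start Menu" setting from the
# diagram, i.e. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1.
# Keys in a User\Registry.pol are relative to HKCU, in Machine\Registry.pol to HKLM.
$sample = New-RegistryPol @(
    @{ Key   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoRun'
       Type  = [Microsoft.Win32.RegistryValueKind]::DWord
       Data  = [BitConverter]::GetBytes([uint32]1) }
)
Read-RegistryPol $sample | Format-Table Key, Value, Type, Decoded -AutoSize

# To inspect a real GPO's user-side policy file (domain and GUID are placeholders):
# Read-RegistryPol ([IO.File]::ReadAllBytes('\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\User\Registry.pol'))
```

Note that nothing in the file references the .ADM: the key path, value name, type and data are all the client needs, which is why a client without the matching .ADM still applies the setting and why a custom .ADM that writes outside the Policies keys produces a setting that tattoos.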
ADM Files: Managing mixed environments
ADM files provided in Windows are cumulative
E.g., settings in Windows Server 2003 .ADM files are a superset of settings in XP and 2000 ADMs
OS applicability of setting indicated by "Supported on" field in UI
Note: "Supported on" field is not yet supported on Win2000
Up-level settings ignored on down-level clients
E.g. Win2000 ignores XP+ only settings
General recommendation: Use ADM files from latest OS
If possible, perform administration on XP or later
Consider use of policy settings to control ADM behavior (see next slide)
ADM file management
Group Policy Object Editor
ADM files used to display UI in “Administrative Templates” node
ADM files loaded from Sysvol by default
If local copy is newer, it’s uploaded to sysvol
Note: issues with Win2k SP3 & SP4 (fix planned for SP5)
This behavior is configurable via 2 policy settings
Never upload to sysvol (“Turn off Automatic Update of ADM Files”)
Use local ADMs only - new for Windows Server 2003
GPMC
ADM files used to generate HTML reports
ADM files loaded from local computer by default
If not found, loaded from sysvol
User can specify custom location from which to load ADMs
NEVER copied to sysvol
Security Policy Settings
Account Policies: Configure password, account lockout, and Kerberos policies (domain only)
Local Policies: Configure auditing, user rights, and security options
Event Log: Configure settings for application, system, and security logs
Restricted Groups: Configure group memberships for security-sensitive groups
System Services: Configure security and startup settings for services running on a computer
Registry: Configure security on registry keys
File System: Configure security on specific file paths
Public Key: Configure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
IP Security: Configure IP security on a network
Wireless: Configure wireless settings
Software Restriction: Configure which apps can be run or disallowed
Security Tips
Account Policies must be configured at domain level
A GPO linked at an OU only affects the local accounts of the computers in that OU, not domain accounts
Security settings always re-apply every 16 hours, even when the GPO has not changed
Don't apply full security templates through Group Policy
Those are intended for one-time application
File and Registry ACLs are time consuming to apply and also tattoo (they remain after the GPO is removed)
Restricted groups don't merge: memberships from several GPOs are not combined, see KB 810076
Internet Explorer Maintenance
Set policy settings to control:
Browser User Interface (Title, logo)
Connection (Proxy, autodetect, etc)
URLs: home page, favorites
IE Security: Zones, Privacy, Content Ratings, Authenticode
Programs
Enhanced Security Configuration (ESC) on Win2003
New secure configuration for IE impacts Zones and Privacy
ESC-enabled and -disabled computers must be managed independently
GPOs with ESC-enabled settings only apply to ESC-enabled machines, and vice versa
ESC state of admin machine determines whether a GPO is ESC-enabled or not
CommsNet example: set home page & trusted zones
Folder Redirection
Supports Server-Based Storage of Common Folders
My Documents
Application Data
Desktop
Start Menu
Benefits
Availability of user data on any computer
Reduced network usage when users move between machines
Increased ease of backup of redirected folders
Used in conjunction with Offline Files to provide access when disconnected from network
On XP and above, all redirected folders are automatically admin pinned for offline use
For each folder, you can choose
No policy - does not redirect
Basic - redirects all users to the same place
Advanced - redirects users to different locations based on security group membership
Folder Redirection Tips
General recommendations:
Consider redirection of My Documents
If using Roaming Profiles, this is a must
Optionally consider redirecting Desktop
If users store documents on desktop
Start Menu and AppData generally not recommended for redirection
Let the system create folders for each user to avoid improper ACLs
To remove Folder Redirection, use the "Redirect to the local user profile" setting
When using EFS, encrypt the local cache, not the folder on the server
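"Let the system create folders for each user" only works if the root of the share lets every user create a folder there without being able to read anyone else's. The following is an added example, not from the original deck: it prepares such a root on the file server. The ACE set follows the commonly published recommendation for redirected-folder roots (CREATOR OWNER full control on subfolders and files only, SYSTEM full control, Administrators full control on the root, Authenticated Users allowed only to list and create folders in the root); the path and the choice of BUILTIN\Administrators rather than Domain Admins are assumptions to adjust.

```powershell
# Added example, not from the original deck: create the root folder of a
# redirection share so that each user's folder is created by the system at
# first logon with the right ACL, instead of being pre-created by hand.
# Run on the file server as an administrator. $Path is a placeholder.
function New-RedirectionRoot {
    param([Parameter(Mandatory)][string]$Path)

    $null = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent (discarding inherited ACEs) and clear any
    # explicit ACEs, so that only the rules below remain on the root.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }

    # identity, rights, inheritance flags, propagation flags
    $spec = @(
        # The user who creates a folder owns it and gets full control of it (and only it).
        @('CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
        # The redirection client runs as the user, but the OS itself needs full access everywhere.
        @('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
        # Administrative access to the root only (assumption: substitute Domain Admins if preferred).
        @('BUILTIN\Administrators', 'FullControl', 'None', 'None'),
        # Users may list the root and create their own folder in it, but nothing else, and
        # the ACE is "this folder only" so it never grants anything inside other users' folders.
        @('NT AUTHORITY\Authenticated Users', 'ListDirectory, CreateDirectories, ReadAttributes, Traverse', 'None', 'None')
    )
    foreach ($s in $spec) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($s[0], $s[1], $s[2], $s[3], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting DACL so it can be checked against the intended set.
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}

New-RedirectionRoot -Path 'D:\Redirected'   # placeholder path; share it afterwards, e.g. as \\server\Redirected$
```

Share-level permissions on the share itself can then be left permissive (Authenticated Users with change or full control) because the NTFS ACL above is what separates users from each other. The check worth running after the first few logons is that each user's folder is owned by that user and that no ACE on it grants other users access.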
CommsNet
(Diagram: the London site with msevdad1 and msevdad2, and the Event site with msevsad11 and msevsad12, which host the profile storage.)
CommsNet example: redirect Desktop & My Documents
Software Installation
3 deployment options
Assign to computer
App is installed at boot
Assign to user
App installed either on demand or (with XP and above) at user logon
Publish to user
User chooses to install from Add/Remove Programs
Requires MSI apps
Except .ZAP files, which are limited (no elevated install)
Tips
Make sure machine accounts have access to Software Distribution points for machine-assigned apps
On Win2k, turn off "Include OLE and Class product information" in Advanced Deployment Options
No supported way to control install order within a GPO
CommsNet example: install the Citrix Client
Scripts
Computer-based scripts
startup and shutdown
Run in local system context
User based scripts
logon and logoff
Run in user context
Configurable options:
Processing order if multiple scripts
Script timeout (default is 10 minutes)
Computer Configuration\Administrative Templates\System\Logon\Maximum wait time for Group Policy scripts
Tips
Scripts *only* execute if the computer is connected to the network during boot (startup scripts) or logon (logon scripts), because they require a foreground refresh
CommsNet example
Deploy new wallpaper
Set local group membership
Etc etc.
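A startup script of the "set local group membership" kind is shown here as an added example; it is not the script used at the event. It runs as LocalSystem at boot, so it can change local groups, and it leaves accounts local to the computer alone so that the built-in Administrator is never touched. The domain, group and member names are placeholders; the ADSI WinNT provider is used because it exists on every Windows version the deck covers.

```powershell
# Added example, not from the original deck: a computer startup script that
# makes the domain members of a local group match a fixed list. Runs as
# LocalSystem at boot (no console, so results go to a log file).
$GroupName = 'Administrators'
$Wanted    = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')   # assumption: your own list

function Get-LocalGroupDomainMembers {
    # Returns current members as DOMAIN\Name, skipping accounts local to this computer.
    param([string]$Group)
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($adsi.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # e.g. WinNT://CONTOSO/Domain Admins  or  WinNT://CONTOSO/PCNAME/Administrator
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -eq 2 -and $parts[0] -ne $env:COMPUTERNAME) {
            '{0}\{1}' -f $parts[0], $parts[1]
        }
    }
}

function Sync-LocalGroupDomainMembers {
    # Adds missing domain members, removes unlisted domain members; returns a change list.
    param([string]$Group, [string[]]$Members)
    $adsi    = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $current = @(Get-LocalGroupDomainMembers -Group $Group)
    $changes = @()
    foreach ($m in $Members) {
        if ($current -notcontains $m) {
            $adsi.Add("WinNT://$($m -replace '\\', '/')")   # DOMAIN\Name -> WinNT://DOMAIN/Name
            $changes += "added $m"
        }
    }
    foreach ($m in $current) {
        if ($Members -notcontains $m) {
            $adsi.Remove("WinNT://$($m -replace '\\', '/')")
            $changes += "removed $m"
        }
    }
    return $changes
}

$log    = Join-Path $env:SystemRoot 'Temp\localgroup-sync.log'
$result = Sync-LocalGroupDomainMembers -Group $GroupName -Members $Wanted
$summary = if ($result) { $result -join '; ' } else { 'no change' }
"$(Get-Date -Format s) $GroupName : $summary" | Add-Content -Path $log
```

Because scripts only run in a foreground refresh, a machine that boots without the network keeps whatever membership it had; the log line per boot makes that visible. Where the platform allows it, the Restricted Groups security setting does the same job declaratively and re-applies every 16 hours, with the caveat from the Security Tips slide that memberships from several GPOs do not merge.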
Remote OS Installation
Most RIS infrastructure is on the RIS Server
Group Policy allows configuration of client install wizard options
How do clients apply Group Policy
When Does Group Policy Get Applied?
(Diagram: Computer starts, Group Policy applies computer settings, startup scripts run; user logs on, Group Policy applies user settings, logon scripts run; ...and at periodic intervals)
Foreground vs Background refresh
Foreground refresh
At boot and logon
Processing is synchronous:
Logon prompt not displayed till computer processing complete
Desktop not displayed till user processing complete
Requires connectivity to domain
All extensions processed
Background refresh
Approximately every 90 minutes (except for DCs, 5 mins)
Interval and random offset configurable through policy setting
Processing is asynchronous
Software installation and folder redirection settings not processed
Processing Optimizations
During refresh, GP is re-applied only if there are changes in the GPOs, or the list of GPOs
Can override this to ALWAYS process via policy setting, for each extension
Windows XP Fast Logon Optimization
OS does not wait for network start before displaying logon screen
Configurable via policy setting
Computer policy is processed as background refresh at logon
Changes to Folder Redirection and Software Installation may require multiple reboots to apply
CommsNet example: disable fast logon to ensure kiosk mode
Group Policy Over Slow Links
Slow link = connection < 500 kbps, by default
Configurable via policy setting
When slow link is detected:
Security Settings and Administrative Templates are always applied
By default, Software Installation, Scripts, and Folder Redirection are not applied
Configurable via policy setting for each extension
RAS does not necessarily imply slow link
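The refresh interval, the slow-link threshold and the fast logon optimisation on the previous slides are all plain registry values written by their policy settings, so a client can be checked for them directly. The following is an added example, not from the original deck: it reads those values and substitutes the documented defaults when a value is not configured. The value names and defaults are the ones documented for these policy settings; the final "kiosk" check corresponds to the CommsNet example of disabling fast logon.

```powershell
# Added example, not from the original deck: report the client-side Group
# Policy processing settings (background refresh, slow-link detection, fast
# logon) from the registry values their policy settings write.
$SystemPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$WinlogonPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PolicyValue {
    # Returns the configured value, or the supplied default when the value is absent.
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = 'policy'  } }
    else                 { [pscustomobject]@{ Name = $Name; Value = $Default;    Source = 'default' } }
}

function Get-GPClientSettings {
    # DomainRole 4 = backup DC, 5 = primary DC. DCs use the *DC value names and
    # refresh every 5 minutes; other computers every 90 minutes plus 0..30 random.
    $isDc   = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $suffix = if ($isDc) { 'DC' } else { '' }
    @(
        Get-PolicyValue $SystemPolicy "GroupPolicyRefreshTime$suffix"       $(if ($isDc) { 5 } else { 90 })
        Get-PolicyValue $SystemPolicy "GroupPolicyRefreshTimeOffset$suffix" $(if ($isDc) { 0 } else { 30 })
        Get-PolicyValue $SystemPolicy 'DisableBkGndGroupPolicy'   0     # 1 = background refresh turned off
        Get-PolicyValue $SystemPolicy 'GroupPolicyMinTransferRate' 500   # slow-link threshold in kbps
        Get-PolicyValue $WinlogonPolicy 'SyncForegroundPolicy'     0     # 1 = "Always wait for the network at computer startup and logon"
    )
}

function Test-KioskLogon {
    # A kiosk needs synchronous foreground processing so that scripts, software
    # installation and folder redirection apply at the first logon, not after
    # several reboots. True when fast logon optimisation has been disabled.
    $wait = Get-PolicyValue $WinlogonPolicy 'SyncForegroundPolicy' 0
    return ([int]$wait.Value -eq 1)
}

Get-GPClientSettings | Format-Table Name, Value, Source -AutoSize
"Fast logon optimisation disabled (synchronous foreground processing): $(Test-KioskLogon)"
```

A "default" in the Source column means the setting is not managed, which on a kiosk or a slow-link site is usually the finding of interest rather than the value itself. Per-extension overrides (process even if the GPO has not changed, process over a slow link) live under separate keys for each client-side extension and are not covered here.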
Common Group Policy Questions
Question 1
Q: Where can I get a list of the available ADM
settings?
A: http://go.microsoft.com/fwlink/?LinkId=15165
Allows filtering by:
Supported OS
Component Area
Includes:
Registry Setting
Explain text
Question 2
Q: Are there pre-configured example GPOs
available to get me started?
A: Yes:
http://go.microsoft.com/fwlink/?LinkId=14951
Provides GPO “templates” for several common scenarios
Will be updated in next few weeks to be based on GPMC
backups
Question 3
Q: Where can I learn more about managing
ADM files?
A: KB 816662 discusses and provides
recommendations for:
Mixed platforms
Mixed languages
Sysvol size issues
Question 4
Q: What are the new Group Policy features since Windows 2000?
A:
Introduced in WinXP:
Group Policy Results (RSoP logging)
WMI filter client support
Software Restriction Policy – client support
Fast logon optimization
New policy settings
New GPResult.exe based on RSOP
Introduced in Windows Server 2003:
GPMC:
New admin tool for managing Group Policy
Web download for both XP and 2003
Group Policy Modeling (RSoP – planning)
WMI Filters admin support
Software Restriction Policies – Admin Support
New Policy Settings
Question 5
Part 1
Q: What are the requirements to use Group Policy Results?
A: Clients must be running XP or later
Part 2
Q: Is there any dependency on whether I have a 2000 or 2003 based AD?
A: Group Policy Results is a function of the client. However, the ability to delegate remote access to read Group Policy Results data requires the Windows Server 2003 AD schema (ADPrep /ForestPrep)
Question 6
Q: What are the requirements for using Group Policy Modeling?
A: Group Policy Modeling is performed by a service that is only available on DCs running Windows 2003. There is no dependency on the client OS.
Question 7
Q: What are the requirements to use WMI filters?
A:
Client Dependencies:
Clients must be running XP or later
Win2000 clients ignore the filter and always apply the WMI filtered GPO
Server Dependencies:
Forest: must have Windows 2003 AD schema (ADPrep /ForestPrep)
Domain: Must run ADPrep /DomainPrep to use for clients in that domain
DCs don't actually need to be running Win2003
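The client-side half of a WMI filter is just a WQL query: the GPO applies when every query in the filter returns at least one object, and is skipped otherwise (on XP and later; Win2000 ignores the filter). The following is an added example, not from the original deck, for trying a filter on a machine before linking it. The "namespace;query" notation and the two sample filters are constructed for this example.

```powershell
# Added example, not from the original deck: evaluate a WMI filter locally the
# way the Group Policy client does. A filter may contain several queries and
# all of them must return at least one object for the GPO to apply.
function Test-WmiFilter {
    param([Parameter(Mandatory)][string[]]$Queries)   # each as 'namespace;WQL' (notation chosen for this example)
    foreach ($q in $Queries) {
        $ns, $wql = $q -split ';', 2
        $hits = @(Get-CimInstance -Namespace $ns -Query $wql -ErrorAction Stop)
        if ($hits.Count -eq 0) { return $false }     # one empty result set is enough to exclude the GPO
    }
    return $true
}

# Constructed sample filters: Windows XP reports NT version 5.1; a battery
# instance is a common (if imperfect) laptop test.
$filters = [ordered]@{
    'XP clients' = @('root\CIMv2;SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"')
    'Laptops'    = @('root\CIMv2;SELECT * FROM Win32_Battery')
    'XP laptops' = @('root\CIMv2;SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"',
                     'root\CIMv2;SELECT * FROM Win32_Battery')
}
foreach ($name in $filters.Keys) {
    [pscustomobject]@{ Filter = $name; AppliesToThisComputer = (Test-WmiFilter -Queries $filters[$name]) }
}
```

Two practical points follow from this behaviour: a filter whose query errors (wrong namespace, misspelled class) excludes the GPO rather than applying it, and because Win2000 clients apply the GPO regardless, a filter must not be the only thing keeping an XP-only setting away from Win2000 machines.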
Question 8
Q: Are there any dependencies in Group Policy on native mode vs mixed mode?
A: No. However, various features do have dependencies on the following:
Schema level of the forest (ADPrep /ForestPrep)
Domain configuration (has ADPrep /DomainPrep been run?)
Presence of at least one DC
Question 9
Qa: Can I use GPMC to manage my environment if all my DCs are running Windows 2000?
Qb: Can I use GPMC if my clients are running Windows 2000?
A: Yes to both. However, GPMC itself must run on a computer running Windows XP SP1 or Windows Server 2003.
Download