Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Slides

advertisement 
MCSA Guide to Installing and
Configuring Windows Server
2012/R2, Exam 70-410
Chapter 8
Configuring Group Policies
Objectives
• Describe the architecture and processing of group
policies
• Configure group policy settings, and manage and
monitor group policies
• Work with security templates
• Configure Windows Firewall with Group Policy
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
2
Introducing Group Policies
• A Group Policy Object (GPO) is a list of settings
that administrators use to configure user and
computer operating environments remotely
• The GPO scope defines which objects a GPO
affects
• Installing Active Directory creates two GPO’s by
default:
– Default Domain Policy
– Default Domain Controllers Policy
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
3
Introducing Group Policies
• You can view, create, and manage GPO’s by using
the Group Policy Management console (GPMC)
• Each GPO has two main nodes in GPMC:
– Computer Configuration - Used to set policies that
apply to computers within the GPO’s scope
– User Configuration - Used to set policies that apply
to all users within the GPO’s scope
• Each node contains a Policies folder and
Preferences folder
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
4
Figure 6-31 The Group Policy Management console
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
5
The Computer Configuration Node
• Three folders under the Policies folder contain the
following information:
– Software Settings - enables Administrators to install
and manage applications remotely
– Windows Settings - contains Name Resolution
Policy node, Scripts extension, Security Settings
node, and the Policy-based QoS node
– Administrative Templates - contains the Control
Panel, Network, Printers, System, and Windows
Components folders.
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
6
The User Configuration Node
• Policies folder contains the same three folders as in the
Computer Configuration node, but policies defined here
affect domain users within the GPO’s scope:
– Software Settings - can assign or publish application
packages
– Windows Settings – Contains four items:
•
•
•
•
Scripts extension
Security Settings node
Folder Redirection node
Policy based QoS node
– Administrative templates - contains settings that enable
administrators to control users’ computer and network
environments
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
7
How Group Policies Are Applied
• GPO’s can be applied in four places:
–
–
–
–
Local Computer
Site
Domain
Organizational Unit
• Policies are applied in the above order
– Policies that are not defined or configured are not
applied at all
– Last policy to be defined takes precedence
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
8
Group Policy Architecture
• Group policy architecture and function involve the
following components:
– GPOs - an object containing policy settings that
affect user and computer operating environments
and security. Can be local or AD objects
– Replication - ensures that all domain controllers
have a current copy of each GPO
– Scope and inheritance - the scope of a group policy
defines which users and computers are affected by
its settings
– Creating and linking - GPOs are created in the
Group Policy management console and can be
linked to one or more AD containers
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
9
Group Policy Objects
• A GPO contains policy settings for managing many
aspects of domain controllers, member servers,
member computers, and users
• Two main types of GPOs:
– Local GPOs
– Domain GPOs
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
10
Local GPOs
• Local GPOs are stored on local computers, and are
edited via the Group Policy Object Editor snap-in
• Settings in local GPOs that are inherited from
domain GPOs can’t be changed on the local
computer.
• Only settings that are undefined or not configured
by domain GPOs can be edited locally
• When you run gpedit.msc, you open a local
GPO named Local Computer Policy containing
Computer Configuration and User Configuration
nodes
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
11
Local GPOs
• Local GPOs that allow different policy settings
depending on who logs on to the computer:
– Local Administrators GPO
– Local Non-Administrators GPO
– User-specific GPO
• To access these GPOs, add the Group Policy
Object Editor snap-in to an MMC
– Browse to open the dialog box, click the Users tab,
and select one of the GPOs
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
12
Figure 8-2 Viewing local GPOs
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
13
Domain GPOs
• Domain GPOs are stored in Active Directory on
domain controllers
• Consists of two separate parts: a Group Policy
Template (GPT) and a Group Policy Container
(GPC)
• GPT and GPC have the following common traits:
– Naming structure
– Folder structure
• Knowing GPO structure is important for resolving
issues
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
14
Group Policy Templates
• A Group Policy Template (GPT) contains all the
policy settings that make up a GPO as well as
related files, such as scripts, and is contained in
the Sysvol share on a domain controller
• Upon creation of a GPO, several files and
subfolders are created (exact number may vary)
but each GPT folder will contain at least three
items:
– GPT.ini
– Machine
– User
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
15
Group Policy Containers
• A Group Policy Container (GPC) is stored in the
System\Policies folder
• Contains GPO properties and status information
but no policy settings
• Similar to GPT in that it uses a GPO’s GUID for a
folder name
• Information contained in a GPC:
–
–
–
–
Name of the GPO
File path to GPT
Version
Status
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
16
Figure 8-4 Viewing GPC attributes
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
17
Group Policy Replication
• GPCs are replicated with Active Directory
• GPTs are replicated by one of the following
methods:
– File Replication Service (FRS) - used when running
in a mixed environment of differing Windows Server
operating systems
– Distributed File System Replication (DFSR) - used
when all DCs are running Windows Server 2008
• DFSR is more efficient and reliable
• GPC and GPT can become out of sync
• Replication problems can be diagnosed with
gpotool.exe
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
18
Creating and Linking GPOs
• Primary tools for managing, creating, and editing
GPOs are Group Policy Management Console
(GPMC) and Group Policy Management Editor
(GPME)
• If editing a GPO that is already linked to a
container, changes in policy settings take effect as
soon as clients download them
– There’s no Save option in the GPME; changes are
saved immediately
• Before introducing multiple policy changes at once,
test them individually
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
19
Editing an Existing GPO
• To edit, right click the GPO in GPMC and click Edit,
which will open the GPO in GPME
• It is possible to make changes to the default
Domain Policy, but not advisable
• Recommended method for making changes to
domain policies is creating a new GPO and linking
it to the domain
• GPOs are applied to objects in reverse of the
specified link order
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
20
Figure 8-8 Multiple GPOs linked to a container
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
21
Creating a New GPO
• Two ways to create a new GPO with the GPMC:
– Right click the container you’re linking the GPO to
and select “Create a GPO in this domain, and Link it
here”
– Right click the Group Policy Objects folder and click
New
• Best practice is to create GPOs that focus on a
category of settings, then name the GPO
accordingly
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
22
Using Starter GPOs
• A Starter GPO is a template for creating GPO’s
(not a GPT)
• New GPO wizard includes an option to use a
Starter GPO
• Stored in the Starter GPOs folder in GPMC
• To use a Starter GPO, select one in the Source
Starter GPO list box in the New GPO Wizard, or
right click a starter GPO in the starter GPOs folder
and click New GPO from Starter GPO
• To create a Starter GPO, right click the Starter
GPOs folder and click New
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
23
Group Policy Scope
• The scope of a group policy defines which objects in
AD are affected by settings in the policy
• If two GPOs are applied to an object, and a setting is
configured on one GPO but not the other, the
configured setting is applied
• Policies are applied in this order:
–
–
–
–
1. Local policies
2. Site-linked GPOs
3. Domain-linked GPOs
4. OU-linked GPOs
• The last policy applied takes precedence over
policies applied earlier
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
24
Understanding Site-Linked GPOs
• GPOs linked to a site object affect all users and
computers physically located at the site
• Can be used to set up different policies for mobile
users
• In a singular site and domain environment, it is
better to use domain GPOs
• Site GPOs can be confusing for users if policy
changes are drastic enough between sites
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
25
Understanding Domain-Linked GPO
• GPOs at the domain level should contain settings
that apply to all objects in the domain
• Account policies can be defined only at the domain
level
• Active Directory folders, such as Computers and
Users, are not OUs and can’t have a GPO linked to
them
• Best practices suggest setting account policies and
a few critical security policies at the domain level
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
26
Understanding OU-Linked GPOs
• Fine-tuning of group policies should be done at the
OU level
• OU-linked policies are applied last
– They take precedence over site and domain policies
• Users and computers with similar policy
requirements should be located in the same OU
• Since OUs can be nested, so can GPOs
• GPOs applied to nested OUs should be used for
exceptions to policies set at a higher level
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
27
Changing Default GPO Inheritance
Behavior
• GPO inheritance is enabled by default
• To see where policies are inherited from, select a
container in the left pane of GPMC and click the
group policy inheritance tab in the right pane
• There are several ways to affect GPO inheritance:
– Blocking inheritance
– Enforcing inheritance
– GPO filtering
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
28
Blocking GPO Inheritance
• Prevents GPOs linked to parent containers from
affecting child containers
• To block GPO inheritance, in GPMC, right click the
child domain or OU and click Block Inheritance
• If blocking is enabled, the OU or domain object is
displayed with a blue exclamation point
• Inheritance blocking should be used sparingly
– Frequent blocking implies a possible flawed OU
design
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
29
Enforcing GPO Inheritance
• Forcing GPO Inheritance overrides any conflicting
configurations at a deeper level
– A GPO that’s enforced has the strongest
precedence of all GPOs in its scope
• If multiple GPOs are enforced, the GPO at the
highest level is enforced in a conflict
• Example: If a GPO linked to an OU and a GPO
linked to a domain are both set to be enforced, the
GPO linked to the domain has stronger precedence
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
30
Figure 8-11 The Active Directory Structure for GPO inheritance examples
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
31
GPO Filtering
• GPO filtering - a method to alter the normal scope
of a GPO and exclude certain objects from being
affected by its settings
• Two types of GPO filtering:
– Security filtering
– Windows Management Instrumentation (WMI)
filtering
• Security filtering uses permissions to restrict
objects from accessing a GPO
• Use the Security Filtering dialog box in the GPMC
to add or remove security principals from the GPO
access list
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
32
Figure 8-12 Viewing security filtering settings
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
33
GPO Filtering
• Another way to use security filtering is to edit the
GPO’s DACL directly
– In the GPMC, click the GPO in the Group Policy
Objects folder, and click the Delegation tab in the
right pane to see a complete list of ACEs for the
GPO
• WMI filtering uses queries to select a group of
computers based on certain attributes, and then
applies or doesn’t apply policies based on the
query’s results
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
34
Group Policy Settings
• Settings in Computer Configuration take
precedence over settings in User Configuration,
should there be a conflict
• Three folders under the Policies folder:
– Software Settings
– Windows Settings
– Administrative Templates
• Policy settings can be managed or unmanaged
– Managed policies reset to ‘Not configured’ when
the object falls outside of the policy’s scope
– Unmanaged policies are persistent
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
35
Policies in the Computer Configuration
Node
• The Computer Configuration node applies policies
to computers regardless of who logs on to the
computer
• Contains most of the security related settings in the
Account Policies, User Rights Assignment, Audit
Policy, and Security Options nodes
• Computer configuration policies are uploaded to a
computer when the OS starts and are updated
every 90 minutes thereafter
• Some policy changes may require a restart
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
36
Computer Configuration: Software
Settings
• Contains the Software Installation extension, which
can be configured to install software packages
remotely
• Applications are deployed with the Windows
Installer service, which uses MSI files
– An MSI file is a collection of files packaged into a
single file with an .msi extension
– Contains the instructions Windows Installer needs to
install the application correctly
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
37
Computer Configuration: Windows
Settings
• The Windows Settings folder contains four
subnodes:
– Name Resolution Policy - used to deploy DNS
security (DNSSEC) policies to clients
– Scripts (Startup/Shutdown) - allows the creation of
scripts to be run during startup or shutdown
– Security Settings - contains subnodes for setting
security policies
– Policy-based QoS - enables administrators to
manage the use of network bandwidth and prioritize
network packets based on type of data in the packet
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
38
Security Settings
• There are over 100 policies under Security Settings
– Some of the most important are under Account
Policies and Local Policies
• Many of the important policies are covered in the
following sections
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
39
Local Policies: Audit Policy
• Applies to what users can and can’t do on the local
computer to which they log on
• Administrators can audit events such as logon and
logoff, file and folder access, Active Directory
access, and system and process events
– Can be enabled for successful events, failed events,
or both
• Creates a lot of system overhead so it should be
used sparingly
• Events created by auditing are listed in the Security
log
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
40
Auditing Object Access
• There are two steps for auditing objects:
– Enable the “Audit object access” policy for success,
failure, or both
– Enable auditing on target objects for success,
failure, or both
• After object access is enabled in Group Policy, you
need to enable auditing on the target object
– Do this by changing the system access control list
(SACL) for the object in the Auditing tab of the
Advanced Security Settings dialog box for the object
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
41
Figure 8-15 The Auditing tab for a folder
MCSA Guide to Installing and Configuring
Windows Server 2012/R2, Exam 70-410
© Cengage Learning 2015
42
Changing Default Auditing
• Windows Server 2012/R2 logs successful logon
events and certain other events by default
• You must use the auditpol.exe command-line tool
to have more control over the types of events that
are audited
• To clear all audit policy subcategories so that
auditing is controlled only by Group Policy, type:
– auditpol /clear
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
43
Local Policies: User Rights
Assignment
• User rights define the actions users can take on a
computer
• More than 40 user rights polices can be assigned
• The Default Domain Controllers Policy specifies
User Rights Assignment policies that define actions
users can take on domain controllers
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
44
Local Policies: Security Options
• This subnode includes almost 100 settings
• One category of security policies to configure right
away is User Account Control
– Determine what happens on a computer when a
user attempts to perform an action that requires
elevation
– Elevation - a process that occurs when a user
attempts to perform an action requiring
administrative rights and is prompted to enter
credentials
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
45
Local Policies: Security Options
• Additional settings that are commonly configured:
– Accounts: Administrator account status
– Accounts: Guest account status
– Accounts: Limit local account use of blank
passwords to console logon only
– Accounts: Rename administrator account
– Accounts: Rename guest account
– Interactive logon: Do not display last user name
– Interactive logon: Do not require CTRL+ALT+DEL
– Microsoft network server: Disconnect clients when
logon hours expire
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
46
Computer Configuration:
Administrative Templates
• Administrative Templates folder has the following
subnodes:
–
–
–
–
–
–
–
Control Panel
Network
Printers
Server
Start Menu and Taskbar
System
Windows Components
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
47
Policies in the User Configuration
Node
• Policies set under the User Configuration node
follow a user wherever he or she logs on
• User Configuration node lacks most of the security
settings and account policies than Computer
Configuration node
• Policies under User Configuration node are more
focused on the user’s environment, such as
Windows features that can and can’t be accessed
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
48
User Configuration: Software Settings
• Performs the same function as in Computer
Configuration
• Because it’s defined in the User Configuration node
of a GPO, it affects users in the scope of the GPO
no matter where they log on
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
49
User Configuration: Windows Settings
• Windows Settings contains four subnodes:
– Scripts (Logon/Logoff) - identical to Scripts policy,
except scripts specified here are run only by users in
the GPO’s scope
– Security Settings - contains two folders: Public Key
Policies and Software Restriction Policies
– Folder Redirection - controls which folders in a
user’s profile are redirected to a location outside the
user’s profile folder
– Policy-based QoS - the same function as in the
Computer Configuration node but applied to users
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
50
User Configuration: Administrative
Templates
• Affects the HKEY_CURRENT_USER section of the
computer’s Registry
• Very similar to the Administrative Templates in the
Computer Configuration node
• Contain the Control Panel, Network, Start Menu
and Taskbar, System, and Windows Components
subnodes as well as the following subnodes:
– Desktop
– Shared Folders
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
51
Managing GPO Status and Link Status
• After a GPO is created, it can be in one of the
following states:
–
–
–
–
–
–
Link status: unlinked
Link status: enabled
Link status: disabled
GPO status: Enabled
GPO status: User Configuration Settings Disabled
GPO status: Computer Configuration Settings
Disabled
– GPO status: All Settings Disabled
MCSA Guide to Installing and Configuring Windows Server
2012/R2, Exam 70-410
© Cengage Learning 2015
52
Summary
• Group policy architecture and function involves three
components: GPOs, replication, scope and inheritance,
and creating and linking GPOs
• GPO replication is handled by Active Directory replication
for GPCs and by FRS or DFSR for GPTs
• You use the Group Policy Management console to create,
link, and manage GPOs and the Group Policy
Management Editor to edit GPOs
• Starter GPOs are like template files for GPOs
• GPOs can be linked to sites, domains, and OUs
• Default GPO inheritance can be changed by using
inheritance blocking, enforcement, and GPO filtering
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
53
Summary
• The Computer Configuration and User Configuration
nodes contain three subnodes: Software Settings,
Windows Settings, and Administrative Templates
• The Security Settings node in Computer Configuration
contains the Account Policies subnode with settings that
affect all domain users
• The Local Policies subnode in the Security Settings
node contains Audit Policy, User Rights Assignment,
and Security Options
• Administrative Templates can control hundreds of
settings on computers and for users
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
54
Summary
• Security templates are used to transfer security settings
easily from one GPO or computer to another and can be
used to analyze a computer’s current settings against a
security database created from one or more security
templates
• The ADMX central store can be created to ensure that
ADMX files are synchronized among all computers
where group policies are managed
MCSA Guide to Installing and Configuring Windows Server 2012/R2,
Exam 70-410
© Cengage Learning 2015
55
Related documents
Group Policy Class Notes
Group Policy Class Notes
MCSE AND SYSTEM ADMINISTRATOR JOB INTERVIEW
MCSE AND SYSTEM ADMINISTRATOR JOB INTERVIEW
GPO Training Program Application
GPO Training Program Application
CH 7 Introduction to Group Policy
CH 7 Introduction to Group Policy
Group Policies
Group Policies
OUHSC Group Policy Objects - OUHSC Information Technology
OUHSC Group Policy Objects - OUHSC Information Technology
applicant details - BC Cancer Agency
applicant details - BC Cancer Agency
Group Policies
Group Policies
Download
advertisement