Configuring the User and Computer
Environment Using Group Policy
Lesson 8
Skills Matrix
Technology Skill / Objective Domain / Objective #
Configuring Account Policies / Configure account policies / 4.6
Planning and Configuring an Audit Policy / Configure Audit Policy by using GPOs / 4.7
Security Settings
Account Policies
• Account policies (Password Policy, Account Lockout Policy, and Kerberos Policy) govern how users authenticate to a computer or a domain.
• By default, the domain-wide account policy is defined in the Default Domain Policy GPO, which is linked at the domain root.
• That policy applies to all accounts throughout the domain unless you create one or more Fine-Grained Password Policies (FGPP) that override it for specific accounts.
• Fine-Grained Password Policies can be applied to individual user objects and to global security groups.
Password Policies
Fine-Grained Password Policy
• Prior to Windows Server 2008, an Active Directory administrator could configure only a single Password Policy and Account Lockout Policy per Active Directory domain.
• If a subset of users needed different password requirements, the only choices were to create a separate domain for them or to force every user in the domain to conform to one password policy.
• Beginning in Windows Server 2008 (domain functional level Windows Server 2008 or higher), you can configure Fine-Grained Password Policies, which allow multiple password and account lockout policies within a single domain. Each policy is stored as a Password Settings Object (PSO) with a precedence value; when a user is covered by more than one PSO, the PSO with the lowest precedence number wins.
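The following PowerShell is an added example, not code from the lesson: it creates a stricter PSO for a privileged group, applies it, and then checks which policy a given user actually ends up with. The group name Tier0-Admins, the user jsmith and the chosen settings are assumptions for illustration; the cmdlets are those of the ActiveDirectory module (Windows Server 2008 R2 and later, or RSAT).

```powershell
# Added example (not from the lesson): create a stricter Fine-Grained Password
# Policy for privileged accounts and verify which policy wins for a user.
# Assumptions (hypothetical names): group "Tier0-Admins", user "jsmith".
# Requires the ActiveDirectory module and a domain functional level of
# Windows Server 2008 or higher.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -Description 'Stricter password and lockout settings for Tier 0 administrators'

# PSOs can only be applied to user objects and global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# The domain-wide policy from the Default Domain Policy, for comparison.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Resultant policy for one user: returns the winning PSO if the user is covered,
# otherwise nothing (meaning the Default Domain Policy applies).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($effective) {
    "jsmith: PSO '$($effective.Name)' (precedence $($effective.Precedence)) applies"
} else {
    "jsmith: no PSO applies; Default Domain Policy settings are in effect"
}
```

Get-ADUserResultantPasswordPolicy is the check to run after any PSO change: a PSO linked to a group that the user is not actually a member of, or one outranked by a lower-precedence PSO, silently leaves the user on the domain default.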
Lockout Policy
Kerberos Policy
• Kerberos is the default mechanism for authenticating domain users in Windows Server 2008, Windows Server 2003, and Windows 2000. Kerberos is a ticket-based system: a Key Distribution Center (KDC), which runs on every domain controller, issues Kerberos tickets to users, computers, and network services, and those tickets grant access to domain resources.
– Tickets have a finite lifetime, and their validity depends in part on the system clocks of the parties involved. The Kerberos Policy setting Maximum tolerance for computer clock synchronization is 5 minutes by default.
– If the clocks of the client and the domain controller differ by more than the tolerance, the KDC rejects the request (Kerberos error KRB_AP_ERR_SKEW) and the client cannot log on using Kerberos. Domain members normally avoid this by synchronizing with the domain time hierarchy through the Windows Time service.
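Because skew is the first thing to rule out when Kerberos logons fail, here is an added example (not from the lesson) that measures a client's offset against a domain controller with w32tm and compares it with the 5-minute tolerance. The domain controller name DC01 is an assumption; w32tm.exe and its /stripchart and /resync switches are standard on Windows.

```powershell
# Added example (not from the lesson): check a client's clock offset against a
# domain controller before troubleshooting Kerberos logon failures.
# Assumption: the DC name "DC01" is hypothetical; 300 s is the default value of the
# "Maximum tolerance for computer clock synchronization" Kerberos policy setting.
$dc = 'DC01'
$maxSkewSeconds = 300

# w32tm /stripchart prints one line per sample, e.g. "12:00:01, +00.0012345s";
# header and error lines do not match the pattern and are skipped.
$samples = w32tm /stripchart /computer:$dc /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) { throw "Could not read a time offset from $dc" }

$offset = ($offsets | Measure-Object -Average).Average
'Clock offset from {0}: {1:N3} seconds' -f $dc, $offset

if ([math]::Abs($offset) -gt $maxSkewSeconds) {
    Write-Warning "Offset exceeds the $maxSkewSeconds s Kerberos tolerance; ticket requests will fail with KRB_AP_ERR_SKEW."
    # Resynchronise with the domain time hierarchy (requires elevation).
    w32tm /resync /nowait
} else {
    'Clock skew is within the Kerberos tolerance.'
}
```

Run it from the failing client: a large offset points at the Windows Time service configuration (or a virtual machine host clock), not at the account or the GPO.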
• Enforce user logon restrictions tells the KDC to validate each request for a session ticket against the user rights (such as Log on locally and Access this computer from the network) on the target computer.
• Although this check can slow the response time for user access to resources, it is an important security feature that should not be overlooked or disabled: without it, a change to a user's logon rights or logon hours is not enforced when service tickets are issued.
• Enforce user logon restrictions is enabled by default.
Local Policies
• Allow administrators to set user privileges on
the local computer that govern what users
can do on the computer and determine if
these actions are tracked within an event log
(auditing):
– User Rights Assignment.
– Security Options.
– Audit Policy.
User Rights
Audit Policy
• System events — Events that trigger a log entry in this category include system startup and shutdown, system time changes, exhaustion of system resources (for example, an event log that is full and can no longer append entries), clearing of the Security log, and any other event that affects system security or the Security log.
– In the Default Domain Controllers GPO, this setting is set to log successes by default.
• Policy change events — By default, this
policy is set to audit successes in the Default
Domain Controllers GPO.
– Policy change audit log entries are triggered
by events such as user rights assignment
changes, establishment or removal of trust
relationships, IPSec policy agent changes,
and grants or removals of system access
privileges.
• Account management events — This policy setting is set to audit successes in the Default Domain Controllers GPO. It writes an event when user account or group properties change.
– Log entries written under this setting record user or group account creation, deletion, renaming, enabling, disabling, password resets, and group membership changes.
• Logon events — This setting records logon and logoff activity (successful attempts and, if failures are audited, failed attempts) on the computer where the logon occurs, for example an interactive logon at the console or a network logon to a file share.
– The event is written to the Security log of the computer that processes the logon. The default in the Default Domain Controllers GPO is to log successes.
• Account logon events — This setting records credential validation for domain accounts: Kerberos ticket requests and NTLM authentication handled by a domain controller.
– The event is written to the Security log of the domain controller that validates the credentials, not to the computer the user is logging on to. The default in the Default Domain Controllers GPO is to log successes.
• Audit directory service access — This category logs access to Active Directory objects, such as user objects or OUs, on domain controllers.
• Audit object access — This category logs access to files, folders, registry keys, and printers.
– Enabling either category only switches auditing on; no events are written until you also specify which objects to audit by placing a system access control list (SACL) on them, using Windows Explorer (files and folders), Registry Editor (keys), the Printers folder, or Active Directory Users and Computers (directory objects).
• Events produced by auditing can be viewed
by looking at the Security logs in the Event
Viewer.
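As an added example (not part of the lesson), the PowerShell below enables the audit categories just described with auditpol.exe, sizes the Security log so the events survive long enough to be read, and then pulls the entries a defender reviews first. The event IDs are the standard Windows Vista / Server 2008 and later Security log IDs; the 24-hour window and the list of IDs are choices made for this example.

```powershell
# Added example (not from the lesson): enable the audit categories discussed above
# with auditpol.exe, size the Security log, then pull the events a defender looks for.
# Run elevated. Group Policy normally sets these; auditpol shows and sets the
# effective local policy, which is useful for a lab or for verification.

auditpol /set /category:"Account Logon"      /success:enable /failure:enable
auditpol /set /category:"Logon/Logoff"       /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Policy Change"      /success:enable /failure:enable
auditpol /set /category:"System"             /success:enable /failure:enable
auditpol /get /category:*          # show the resulting policy

# Audited events are useless if the log wraps before anyone reads it:
# raise the Security log to 1 GB and keep overwriting the oldest events.
wevtutil sl Security /ms:1073741824 /rt:false

# Security log events a practitioner reviews first (last 24 hours).
$since = (Get-Date).AddHours(-24)
$watch = @{
    4625 = 'Failed logon'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4732 = 'Member added to local security group'
    4719 = 'System audit policy changed'
    1102 = 'Audit log cleared'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = $since
} -ErrorAction SilentlyContinue

# Summarise by event ID ...
$events | Group-Object Id | Sort-Object Count -Descending |
    ForEach-Object { '{0,6}  {1}  {2}' -f $_.Count, $_.Name, $watch[[int]$_.Name] }

# ... then list failed logons by target account to spot password spraying.
# Properties[5] is TargetUserName in the 4625 event data.
$events | Where-Object { $_.Id -eq 4625 } |
    ForEach-Object { $_.Properties[5].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Two caveats: the lesson's defaults log successes only, so failed logons (4625) and cleared logs (1102) need failure auditing turned on as above; and on Windows Server 2008 the per-subcategory settings that auditpol writes are overridden by the legacy category settings from Group Policy unless the security option Audit: Force audit policy subcategory settings to override audit policy category settings is enabled.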
Configuring Files and Folders for Auditing
• In Windows Explorer, right-click the file or folder you want to audit.
• Select Properties.
• On the Security tab in the Properties dialog box for the selected file or folder, click Advanced.
• In the Advanced Security Settings dialog box for the file or folder, select the Auditing tab.
• Add an auditing entry: choose the user or group whose access to audit, the accesses to record, and whether to record successful attempts, failed attempts, or both. Nothing is logged unless Audit object access is also enabled in the audit policy.
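The Auditing tab writes a SACL on the object. The PowerShell below is an added example (not from the lesson) that sets the same kind of entry from a script, which is how you would apply it consistently across many folders, and then verifies it and shows the resulting Security log events. The path D:\Finance\Payroll and the choice of accesses are assumptions; the .NET types and cmdlets are standard.

```powershell
# Added example (not from the lesson): the SACL the Auditing tab creates, set with
# PowerShell. Run elevated: reading or writing a SACL requires the "Manage auditing
# and security log" right (SeSecurityPrivilege). Object Access auditing must also be
# enabled (Audit Policy or auditpol), or the SACL produces no events.
# Assumption: the path D:\Finance\Payroll is hypothetical.
$path = 'D:\Finance\Payroll'

# Audit Everyone for destructive or permission-changing actions, success and failure,
# and propagate to subfolders and files (ContainerInherit, ObjectInherit).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit is needed so Get-Acl returns the SACL, not only the DACL.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the audit entries now on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Matching accesses appear in the Security log as event 4663 ("An attempt was made
# to access an object"); Properties[6] is ObjectName in the 4663 event data.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Object'; e = { $_.Properties[6].Value } }
```

Audit only the accesses you will act on: a SACL that records every read on a busy share fills the Security log with 4663 events and hides the deletions and permission changes you actually care about.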
Restricted Groups Policy
• Allows an administrator to specify group
membership lists.
– You can control membership in important
groups, such as the local Administrators and
Backup Operators groups.
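Restricted Groups corrects the membership at each policy refresh; between refreshes, or on a computer where the policy did not apply, the local group can still drift. The PowerShell below is an added example (not from the lesson) that reports the drift of the local Administrators group against the list a Restricted Groups policy is expected to enforce. The allowed list with the CONTOSO names is an assumption; the WinNT ADSI provider used here is available on every supported Windows version.

```powershell
# Added example (not from the lesson): report drift in a computer's local
# Administrators group against the membership a Restricted Groups policy enforces.
# Assumption: the allowed list below is hypothetical; use the names your policy sets.
$allowed = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')

function Get-LocalGroupMembership {
    param([string]$Group = 'Administrators', [string]$Computer = $env:COMPUTERNAME)
    # WinNT provider works on every supported Windows version
    # (Get-LocalGroupMember needs PowerShell 5.1).
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://HOST/Administrator
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        if ($parts[0] -ieq $Computer) { $parts[1] } else { '{0}\{1}' -f $parts[0], $parts[1] }
    }
}

$members    = @(Get-LocalGroupMembership)
$unexpected = $members | Where-Object { $allowed -notcontains $_ }
$missing    = $allowed | Where-Object { $members -notcontains $_ }

"Local Administrators on ${env:COMPUTERNAME}: $($members -join ', ')"
if ($unexpected) { Write-Warning "Not in the Restricted Groups list: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Required by policy but absent: $($missing -join ', ')" }
if (-not $unexpected -and -not $missing) { 'Membership matches the restricted list.' }
```

An unexpected member on a machine that should have received the policy is worth investigating twice: once as a possible policy-processing failure (check with gpresult) and once as a possible unauthorized privilege grant.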
Folder Redirection Policy
• Folder redirection lets administrators redirect the contents of certain user profile folders to a network location or to another location on the user's local computer.
• The redirectable folders live in the user profile (under Documents and Settings on Windows XP and Windows Server 2003, under Users on Windows Vista and Windows Server 2008) and include Documents, Application Data, Desktop, and Start Menu.
Configuring Folder Redirection
• If you choose Basic–Redirect Everyone's
Folder To The Same Location, you must
specify the Target folder location in the
Settings dialog box.
• If you choose Advanced–Specify Locations
For Various User Groups, you must specify
the target folder location for each group that
you add in the Settings dialog box.
Offline Files Policy
• A separate Group Policy category that can allow files to
be available to users, even when the users are
disconnected from the network.
– The Offline Files feature works well with Folder
Redirection: When Offline Files is enabled, users can
access necessary files as if they were connected to the
network.
– When the network connection is restored, changes
made to any documents are updated to the server.
– Folders can be configured so that either all files or only
selected files within the folder are available for offline
use. When it is combined with Folder Redirection, users
have the benefits of being able to redirect files to a
network location and still have access to the files when
the network connection is not present.
Disk Quotas
• Limit the amount of space available on the server for user data.
Group Policy Refresh
• User and computer configuration group policies are refreshed every 90 minutes by default, plus a random offset of up to 30 minutes so that clients do not all poll the domain controllers at the same moment.
• On domain controllers, group policies are refreshed every 5 minutes by default.
• You can force an immediate refresh with the gpupdate command:
gpupdate /force
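The following is an added example (not from the lesson) of the sequence a practitioner runs after changing a GPO: force the refresh, confirm which GPOs actually applied, and read back whether a policy has overridden the default refresh interval. The registry value names are the ones the "Group Policy refresh interval for computers" setting writes; gpupdate and gpresult are standard Windows tools.

```powershell
# Added example (not from the lesson): force a refresh, confirm which GPOs applied,
# and read the refresh-interval settings that a GPO may have overridden.
# Run elevated. Defaults: 90 min plus a random offset of up to 30 min for
# clients; 5 min on domain controllers. Security settings are also reapplied
# every 16 hours even when the GPO version has not changed.

# /force reapplies all settings, not only changed ones; /wait:0 returns at once.
gpupdate /target:computer /force /wait:0

# Resultant Set of Policy for the computer: applied and denied GPOs.
gpresult /scope:computer /r

# Machine policy refresh interval (minutes) and random offset, if set by policy.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['GroupPolicyRefreshTime']) {
    'Policy override: refresh every {0} min (+ up to {1} min random offset)' -f `
        $props.GroupPolicyRefreshTime, $props.GroupPolicyRefreshTimeOffset
} else {
    'No override: default 90 min (+ up to 30 min random offset)'
}
```

Note that gpupdate /force only refreshes the local computer; a change to a domain-wide security setting still takes up to the full interval to reach every other machine, which matters when the change is a lockout or audit setting you are relying on.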
Summary
• Most security-related settings are found under Computer Configuration > Windows Settings > Security Settings in a GPO.
• Settings that must apply to every computer or user in the domain are made in a GPO linked at the domain level. Domain-wide account policies (Password Policy, Account Lockout Policy, and Kerberos Policy) are modified in the Default Domain Policy GPO; for domain accounts these settings are read only from GPOs linked at the domain root, so setting them on an OU affects only the local accounts of computers in that OU.
– Keep the Default Domain Policy for account policies, and place other domain-wide settings in a separate GPO linked at the domain, so that the default GPO stays simple and easy to restore.
• Windows Server 2008 provides the ability to
configure Fine-Grained Password Policies,
which allow multiple password and account
lockout policies within a single domain.
• Local Policy settings govern the actions
users can perform on a specific computer
and determine whether the actions are
recorded in an event log. Create Audit
Policies here.
• Auditing can be configured to audit
successes, failures, or both.
• Plan auditing carefully before
implementation.
• Events that are not important to your
documentation and information needs can
cause unnecessary overhead when audited.
• Auditing can be a very important security
tool when used prudently.
• Because audited events are recorded in the
appropriate event log, it is necessary to
understand the Event Log Policy setting
area.
• This area allows control over maximum log
sizes, log retention, and access rights to
each log.
• Restrictions on group memberships can be enforced with the Restricted Groups policy setting.
– The Members list is authoritative: at each policy refresh, members that are not on the configured list are removed and listed members that are absent are added. The Member Of list only adds the restricted group to the groups listed and does not remove anyone else.
• Folder Redirection can be configured for
folders located on a local computer within
the Documents And Settings folder.
• The Offline Files settings allow redirected
folders to be available when a network
connection is not present.
• These two setting areas complement each
other.
• Disk quotas can be used to control storage space on a network volume.
• Implementing disk quotas gives administrators tighter control over drive usage, which in turn bounds the size and duration of tape backup and restore jobs.
• User and computer configuration group policies are refreshed every 90 minutes (plus a random offset of up to 30 minutes) by default.
• Domain controller group policies are refreshed every 5 minutes by default.
• These intervals can be altered to match how often policy changes occur.
• Disabling unused portions of a GPO
decreases the time it takes to complete
policy processing.