Configuring the User and Computer Environment Using Group Policy
Lesson 8

Skills Matrix

Technology Skill                           Objective Domain                      Objective #
Configuring Account Policies               Configure account policies            4.6
Planning and Configuring an Audit Policy   Configure Audit Policy by using GPOs  4.7

Defining a Domain-Wide Account Policy
- Open the GPMC. Click Forest: <Forest Name>.
- Click Domains, click <Domain Name>, and then click Group Policy Objects.
- Right-click the Default Domain Policy, and click Edit.
- In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.
- Expand the Security Settings node.
- In the Security Settings node, expand Account Policies, and select Password Policy.
- To modify a setting, double-click the setting in the right window pane to open the Properties dialog box for the setting. Then, make the desired value changes.
- Click OK to close the setting's Properties dialog box.
- Close the Group Policy Management Editor window for this policy.

Configuring a Domain-Wide Account Lockout Policy
- Open the GPMC. Click Forest: <Forest Name>.
- Click Domains, click <Domain Name>, and then click Group Policy Objects.
- Right-click the Default Domain Policy, and click Edit. A Group Policy Management Editor window for this policy is displayed.
- In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.
- Expand the Security Settings node.
- In the Security Settings node, expand Account Policies, and select Account Lockout Policy.
- In the right window pane, double-click the Account lockout duration policy setting to view the Properties dialog box.
- Select the Define This Policy Setting checkbox.
- If you want to change the account lockout duration, you may do so here.
- Click OK to accept the specified lockout duration.
- Click OK to automatically enable these other settings, or click Cancel to go back to the Account Lockout Duration Properties dialog box.
- Click OK to accept the additional setting defaults.
- Make any additional changes, as necessary, to the other individual Account Lockout Policy settings.
- Close the Group Policy Management Editor window for this policy.

Configuring the Kerberos Policy
- Open the GPMC. Click Forest: <Forest Name>.
- Click Domains, click <Domain Name>, and then click Group Policy Objects.
- Right-click the Default Domain Policy, and click Edit. A Group Policy Management Editor window for this policy is displayed.
- In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.
- Expand the Security Settings node.
- In the Security Settings node, expand Account Policies, and select Kerberos Policy.
- To modify a setting, double-click the setting in the right window pane to open the Properties dialog box for the setting. Make the desired value changes.
- Click OK to close the setting's Properties dialog box.
- Close the Group Policy Management Editor window for this policy.

Configuring an Audit Policy
- Open the GPMC. Click Forest: <Forest Name>.
- Click Domains, click <Domain Name>, and then click Group Policy Objects.
- Right-click the Default Domain Policy, and click Edit.
- In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.
- Expand the Security Settings node.
- In the Security Settings node, expand Local Policies, and select Audit Policy.
- In the right window pane, double-click the Audit Policy setting you want to modify. The Properties dialog box for the chosen setting is displayed.
- Select the Define This Policy Setting checkbox.
- Select the appropriate checkboxes to audit Success, Failure, or both under the Audit These Attempts heading.
- Click OK to close the setting's Properties dialog box.
- Close the Group Policy Management Editor window for this policy.

Configuring Files and Folders for Auditing
- In Windows Explorer, right-click the file or folder you want to audit. Select Properties.
- On the Security tab in the Properties dialog box for the selected file or folder, click Advanced.
- In the Advanced Security Settings dialog box for the file or folder, select the Auditing tab, and then click Add.
- Select the users and groups to be audited for file or folder access, and then click OK.
- Select Successful, Failed, or both checkboxes for the events you wish to audit.
- In the Apply Onto list, specify which objects are to be audited.
- Click OK to return to the Advanced Security Settings dialog box for the object.
- Choose whether you wish auditing entries from parent objects to be inherited to this object by selecting or deselecting the Allow Inheritable Auditing Entries From Parent To Propagate To This Object And All Child Objects checkbox.
- Click OK to complete this process.
- Close the Group Policy Management Editor window for this policy.

Customizing Event Log Policies
- From the Administrative Tools menu, open Event Viewer.
- Right-click the log for which you want to view or modify the settings, and select Properties.
- Modify the desired settings, and click OK.
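
To confirm that the audit policy, file auditing entries and event log settings configured in the three procedures above actually took effect, the settings can be read back from the command line. This is an added example, not part of the lesson; the folder path is a hypothetical placeholder and the setting text assumes an English-language system.

```powershell
# Added example: read back the audit configuration on the local computer.
# Run from an elevated prompt; reading auditing entries (the SACL) requires
# the "Manage auditing and security log" user right.
$folder = 'C:\Shares\Finance'   # hypothetical path; replace with the audited folder

# 1. Effective audit policy. /r emits CSV; drop blank lines before parsing.
#    'No Auditing' is the English value; the text is localized.
$audit = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$audit | Sort-Object Subcategory |
    Format-Table Subcategory, 'Inclusion Setting' -AutoSize

# 2. Auditing entries on a file or folder only produce events when object
#    access auditing for the file system is enabled, so check that first.
$fs = $audit | Where-Object { $_.Subcategory -eq 'File System' }
if (-not $fs -or $fs.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'File System object access is not audited; auditing entries will log nothing.'
}

# 3. Auditing entries on the folder, including whether each one is inherited
#    from a parent object.
$sacl = (Get-Acl -Path $folder -Audit).Audit
if (-not $sacl) {
    Write-Warning "No auditing entries found on $folder"
} else {
    $sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags,
        IsInherited, InheritanceFlags -AutoSize
}

# 4. Security log size and retention. A small maximum size combined with
#    Circular mode means older audit events are overwritten quickly.
Get-WinEvent -ListLog Security |
    Format-List LogName, IsEnabled, LogMode, MaximumSizeInBytes, FileSize, RecordCount
```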

Configuring Folder Redirection
- Create a GPO or modify an existing GPO with the necessary Folder Redirection Policy setting.
- Using the Group Policy Management Editor for the desired GPO, locate the Folder Redirection policy extension in the User Configuration/Windows Settings node.
- Right-click the Documents folder in the left window pane, and select Properties.
- Use the Setting dropdown box of the Target tab to select one of the options in the My Documents Properties dialog box.
- If you choose Basic–Redirect Everyone's Folder To The Same Location, you must specify the Target folder location in the Settings dialog box.
- If you choose Advanced–Specify Locations For Various User Groups, you must specify the target folder location for each group that you add in the Settings dialog box.
- The Settings tab of the Documents Properties dialog box provides several additional selections. Select from the options in the Policy Removal box of the Settings tab.
- Click OK.

Optimizing Group Policy Processing
- Open the Group Policy Management Console (GPMC). Click Forest: <Forest Name>.
- Click Domains, click <Domain Name>, and then click Group Policy Objects.
- Select the Default Domain Policy, and click Edit.
- Right-click the Default Domain Policy node at the top of the left window pane.
- Click GPO Status, and place a checkmark next to User Configuration Settings Disabled, Computer Configuration Settings Disabled, or All Settings Disabled.

You Learned
- Most security-related settings are found within the Windows Settings node of the Computer Configuration node of a GPO.
- Policy settings that you wish to apply to all computers or users within a domain should be made within the Default Domain Policy GPO.
- Generally, domain-wide account policies, such as Password Policies, Account Lockout, and Kerberos settings, are modified here.
- Windows Server 2008 provides the ability to configure Fine-Grained Password Policies, which allow multiple password and account lockout policies within a single domain.
- Local Policy settings govern the actions users can perform on a specific computer and determine whether the actions are recorded in an event log. Create Audit Policies here.
- Auditing can be configured to audit successes, failures, or both. Plan auditing carefully before implementation. Events that are not important to your documentation and information needs can cause unnecessary overhead when audited. Auditing can be a very important security tool when used prudently.
- Because audited events are recorded in the appropriate event log, it is necessary to understand the Event Log Policy setting area. This area allows control over maximum log sizes, log retention, and access rights to each log.
- Restrictions on group memberships can be accomplished using the Group Restriction Policy setting. Implementing this policy removes group members who are not part of the configured group membership list or adds group members according to a preconfigured list.
- Folder Redirection can be configured for folders located on a local computer within the Documents And Settings folder. The Offline Files settings allow redirected folders to be available when a network connection is not present. These two setting areas complement each other.
- Disk quotas can be used to control storage space on a network drive. Implementing disk quotas allows administrators to have tighter control over drive usage, which can affect tape backup and restore functionality.
- Computer configuration group policies are refreshed every 90 minutes by default. Domain controller group policies are refreshed every 2 minutes. These settings can be altered based on the frequency with which policy changes occur.
- Disabling unused portions of a GPO decreases the time it takes to complete policy processing.
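
The domain-wide password and lockout settings, any Fine-Grained Password Policies, and the GPO Status setting described in this lesson can be read back and checked from PowerShell. This is an added example, not part of the lesson; it assumes the ActiveDirectory and GroupPolicy modules are installed, and the baseline numbers are constructed sample values.

```powershell
# Added example: compare the domain account policy with a baseline and
# list which GPOs have sections disabled.
Import-Module ActiveDirectory, GroupPolicy

# Constructed sample baseline, not values taken from the lesson.
$baseline = @{
    MinPasswordLength    = 12   # require at least this many characters
    PasswordHistoryCount = 24   # remember at least this many passwords
    LockoutThreshold     = 5    # lock out after at most this many failures
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if ($policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
    $findings += "Minimum password length is $($policy.MinPasswordLength)"
}
if ($policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
    $findings += "Password history is $($policy.PasswordHistoryCount)"
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity is disabled'
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += 'Passwords are stored with reversible encryption'
}
# A threshold of 0 means accounts are never locked out.
if ($policy.LockoutThreshold -eq 0 -or
    $policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'Default domain account policy meets the sample baseline.' }

# Fine-Grained Password Policies apply instead of the domain policy for the
# users and groups they are linked to; the lowest Precedence value wins.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } } -AutoSize

# GPO Status: shows which GPOs have User or Computer settings disabled.
Get-GPO -All | Sort-Object DisplayName |
    Format-Table DisplayName, GpoStatus, ModificationTime -AutoSize
```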