Lesson 11-The Best Policy: Managing Computers and Users Through Group Policy Khan Rashid Overview • The capabilities of group policies. • Manage security using group policies. • Manage users’ environment using group policies. • Manage group policy implementation and interaction. Khan Rashid The Capabilities of Group Policies • Group policy tools. • Group policy settings categories. Khan Rashid Group Policy Tools Group Policy Object Editor (GPOE): – Is the most commonly used tool for working with the Group Policy Objects (GPOs). – Is a snap-in for the Microsoft Management Console (MMC). Khan Rashid Group Policy Tools There are several methods of accessing the GPOE: – Through the properties of the scope of management (SOM) to which the GPO is linked. – By creating a new GPOE console. Khan Rashid Group Policy Tools The Group Policy tab of the Domain Properties dialog box Khan Rashid Group Policy Tools Khan The Group Policy Object Editor Console Rashid Group Policy Tools Group Policy Management Console (GPMC): Khan – Is the newest tool for working with GPOs. – Provides a single, unified interface for managing all aspects of all existing group policies within the domain. – Provides tools for analyzing and controlling the interaction of multiple policies. Rashid Group Policy Tools The Group Policy Management Console Khan Rashid Group Policy Settings Categories • Computer configuration settings. • User configuration settings. Khan Rashid Group Policy Settings Categories The computer and the user configuration settings are subdivided into the following categories: • Software settings • Windows settings • Administrative templates Khan Rashid Software Settings Software Settings in the Group Policy Object Editor Khan Rashid Windows Settings • The computer and the user configuration Windows settings are used to configure startup and shutdown scripts. • The user configuration Windows settings provide fewer security settings than those available under computer configuration. Khan Rashid Administrative Templates The administrative templates settings for computer and user configuration can be used to: • Change the desktop. • Modify the logon procedure. • Remove items from the Start menu or the Control Panel. Khan Rashid Manage Security Using Group Policies • Security settings. • Software restriction policies. Khan Rashid Security Settings Account policies include: – Password policies – Kerberos policies – Account lockout policies Khan Rashid Security Settings Password Policies and Their Default Domain Policy Settings Khan Rashid Security Settings Kerberos policies: – Kerberos policies rarely need to be modified. – Kerberos security authenticates user accounts when users log on. – It also allows them to request services from the server without further authentication. Khan Rashid Security Settings Account Lockout policies and Their Default Domain Policy Settings Khan Rashid Software Restriction Policies Software restriction policies: – Are one of the new features of Windows Server 2003. – Help to block executing specific programs in a directory. Khan Rashid Software Restriction Policies The GPO Console Khan Rashid Software Restriction Policies Defining the Khan Rashid Policy Software Restriction Policies Account Lockout Khan Rashid Threshold Properties Software Restriction Policies Software Restriction Policies Khan Rashid Software Restriction Policies New Path Rule Khan Rashid Manage Users’ Environment Using Group Policy Khan Policy Settings Breakdown for the Group Policy Rashid Administrative Manage Users’ Environment Using Group Policy Khan Administrative Templates First-Level Categories Rashid They Are and Where Manage Users’ Environment Using Group Policy The administrative templates settings can be used: – When the taskbar needs to be locked. – When an appropriate wallpaper needs to be used. – When access to Control Panel needs to be restricted. Khan Rashid Manage Users’ Environment Using Group Policy Khan Preventing Changes to Taskbar and Start Menu Settings Rashid Manage Users’ Environment Using Group Policy Setting Active Desktop Khan Rashid Wallpaper Manage Users’ Environment Using Group Policy Restrict Access to the Control Panel Khan Rashid Manage Group Policy Implementation and Interaction • Applying group policy. • Analyzing group policy interactions. Khan Rashid Applying Group Policy • Group Policy Object Options. • Group Policy Object Properties. Khan Rashid Group Policy Object Options The options in the Group Policy Object Options dialog box are: – No Override – Prevents any other settings from taking a higher priority. – Disabled – Does not allow the settings to be applied, if a GPO link is disabled. Khan Rashid Group Policy Object Options The Group Policy Object Options dialog box Khan Rashid Group Policy Object Properties The various tabs of the Properties dialog box for a GPO link are: • General – Allows users to disable the computer and/or the used configuration settings. • Links – Offers a Find Now button that searches and displays the sites, domains, and OUs to which the GPO is linked. Khan Rashid Analyzing Group Policy Interactions Resultant Set of Policy (RSoP): – Is a group policy tool. – Analyzes all the policies that apply in a particular situation. – Reports the resultant policy. Khan Rashid Analyzing Group Policy Interactions RSoP can be run in one of the following modes: – Planning – Logging Khan Rashid Summary • The various tools for working with the group policy objects (GPOs) are the Group Policy Object Editor (GPOE) and the Group Policy Management Console (GPMC). • The GPO settings are divided into the user and the computer configuration settings. • The user and the computer configuration settings are further divided into software settings, Windows settings, and administrative templates. Khan Rashid Summary • The most commonly used security settings are the account policies. • Account policies include password, account lockout, and Kerberos policies. • Software restriction policies help to block executing specific programs in an entire directory. Khan Rashid Summary • The five administrative templates files are System.adm, Inetres.adm, conf.adm, Wuau.adm, and Wmplayer.adm. • Resultant Set of Policy (RSoP) is a tool for analyzing the effect of all applicable policies on a particular domain, site, OU, computer, or user. Khan Rashid