By Eng. BASSEM ALSAID
• Identity and access (IDA) infrastructure refers to the tools and core technologies used to integrate people, processes, and technology in an organization. An effective IDA infrastructure ensures that the right people have access to the right resources at the right time.
• Active Directory (Data Store): a distributed database that stores information about users, groups, computers, and other identities.
• Identity: a property that uniquely identifies an object (its GUID).
• The information within the data store allows a DC to perform the three main functions of an IDA infrastructure: authentication, access control (authorization), and auditing.
• Schema: defines the classes of objects and attributes that can be contained in the directory.
• Directory Partitions: Schema, Configuration, Domain
AD Logical Components: Object, Organizational Unit (OU), Domain, Tree.
AD Physical Components: Domain Controller (DC), Site, Link.
Local vs. Domain User Accounts: A local user account is controlled and managed by the computer you log on to and has access to that computer's resources only. A domain user account is controlled and managed by the domain controller and has access to all network resources, subject to permissions and policies.
OU vs. Group: Groups are mainly defined for assigning permissions, for example to shared folders. An Organizational Unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.
Two types of groups: distribution groups and security groups.
SID vs. GUID
Session 7 : Introducing Group Policies
PART I: Implementing Group Policy
• Identify the business drivers for configuration management.
• Understand the core components and terminology of Group Policy.
• Explain the fundamentals of Group Policy processing.
• Create, edit, and link Group Policy objects.
• Create a GPO from a Starter GPO.
PART II: Managing Group Policy Scope
• Manage GPO links.
• Identify the relationship between OU structure and GPO application.
• Evaluate GPO inheritance and precedence.
• Understand the Block Inheritance and Enforced link options.
• Use security filtering to narrow the scope of a GPO.
What is Configuration Management?
Configuration management is a centralized approach of applying one or more changes to one or more users or computers.
The key elements of configuration management are:
- A centralized definition of a change, also called a setting. The setting brings a user or a computer to a desired state of configuration.
- A definition of the users or computers to whom the change applies, called the scope of the change.
- A mechanism that ensures the setting is applied to users and computers within the scope. This process is called application.
Group Policy: a framework within Windows that allows you to centrally manage configuration in an AD domain.
Group Policy Object: Policy settings are defined and exist within a Group Policy object (GPO). A GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings to a user or computer.
Group Policy Management Editor (GPME): helps you to configure policy settings (enable/disable, parameterize).
User configuration settings: affect a user, regardless of the computer to which the user logs on (ex: prevent access to registry editing tools).
Computer configuration settings: affect a computer, regardless of which user logs on to that computer (ex: rename the Administrator account).
GPO Scope: collection of computers/users to which the GPO applies.
Methods to determine the scope of GPOs:
• GPO link: GPOs can be linked to sites, domains, and OUs in Active Directory.
• GPO filters: security filters and Windows Management Instrumentation (WMI) filters.
How are the policy settings applied?
When a Group Policy refresh begins, a service running on all Windows systems (called the Group Policy Client) determines which GPOs apply to the computer or user. It downloads any GPOs that it does not already have cached. Then a series of processes called client-side extensions (CSEs) do the work of interpreting the settings in a GPO and making appropriate changes to the local computer or the currently logged-on user.
One of the more important concepts to remember about Group Policy is that it is client driven. The Group Policy Client pulls the GPOs from the domain, triggering the CSEs to apply settings locally. Group Policy is not a “push” technology.
Note I: You can configure CSEs to reapply policy settings, even if the GPO has not changed, at a background refresh.
Note II: When are policies applied?
• Policy settings in the Computer Configuration node are applied at system startup and every 90 to 120 minutes thereafter.
• User Configuration policy settings are applied at logon and every 90 to 120 minutes thereafter.
The application of policies is called Group Policy refresh.
You can also force a policy refresh by using the GPUpdate command.
Each computer has several GPOs stored locally on the system (local GPOs) and can also be within the scope of any number of domain-based GPOs.
Local GPOs: local GPOs are designed for non-domain environments.
Computers running Windows 2000, Windows XP, and Windows Server 2003 each have one local GPO, which can manage configuration of that system.
Windows Vista and Windows Server 2008 and later systems have multiple local GPOs.
Domain-Based GPOs: Domain-based GPOs are created in Active Directory and stored on domain controllers. They are used to manage configuration centrally for users and computers in the domain.
Copy: This command copies the GPO between domains.
Back Up: Back Up command pulls all GPO pieces (files, objects, permissions, and links) into a single place and makes restore easy.
Restore From Backup: This command restores an entire GPO, including its files, objects, permissions, and links, into the same domain in which the GPO originally existed.
Import Settings: This command imports only the settings from a backed-up GPO; it does not import permissions or links. It can be useful for transferring GPOs between non-trusted domains.
Save Report: Use this to save an HTML report of the GPO settings.
Delete: This command deletes the GPO. All links to the GPO are also deleted.
Rename: This command changes the name of the GPO.
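The same GPMC commands described above, driven from the GroupPolicy PowerShell module. This is an added example, not part of the original notes: it assumes the module is available (RSAT or a domain controller), that the account has rights in both domains, and that the domain names, GPO name, OU and backup folder are placeholders.

```powershell
# Added example (not from the original notes). All names below are placeholders.
Import-Module GroupPolicy

$SourceDomain = 'source.example'          # placeholder: domain where the GPO exists
$TargetDomain = 'target.example'          # placeholder: domain that should receive the settings
$GpoName      = 'Workstation Hardening'   # placeholder GPO name
$BackupPath   = 'C:\GPO-Backups'          # placeholder folder for backups

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Save Report: an HTML listing of every configured setting, useful for review and change control.
Get-GPOReport -Name $GpoName -Domain $SourceDomain -ReportType Html `
    -Path (Join-Path $BackupPath "$GpoName.html")

# Back Up: pulls the GPO's files, objects, permissions and links into one folder.
# The returned object carries the backup Id used by the restore and import steps.
$backup = Backup-GPO -Name $GpoName -Domain $SourceDomain -Path $BackupPath `
    -Comment "Baseline before transfer to $TargetDomain"

# Restore From Backup: only valid in the domain the GPO came from; brings back
# settings, permissions and links. Shown commented out so the script is non-destructive.
# Restore-GPO -BackupId $backup.Id -Path $BackupPath -Domain $SourceDomain

# Import Settings: settings only, no permissions and no links, which is why it works
# between non-trusted domains. -CreateIfNeeded creates the target GPO if it is missing.
Import-GPO -BackupId $backup.Id -Path $BackupPath -Domain $TargetDomain `
    -TargetName $GpoName -CreateIfNeeded

# Copy: a single step, but it needs a trust between the two domains.
# Copy-GPO -SourceName $GpoName -SourceDomain $SourceDomain `
#     -TargetName $GpoName -TargetDomain $TargetDomain

# An imported GPO has no links: link it deliberately, then confirm what was created.
# New-GPLink -Name $GpoName -Domain $TargetDomain -Target 'OU=Workstations,DC=target,DC=example'
Get-GPO -Name $GpoName -Domain $TargetDomain |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime
```

Keep the backup folder under change control: because Import-GPO carries settings but not permissions, check the security filtering of the new GPO in the target domain before linking it anywhere.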
A GPO consists of two components:
• Group Policy Container (GPC).
• Group Policy Template (GPT).
Like all Active Directory objects, each GPC includes a GUID attribute that uniquely identifies the object within Active Directory.
When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened.
Describe the default Group Policy processing behavior, including refresh intervals and CSE application of policy settings.
Every 90 to 120 minutes, the Group Policy Client service determines which GPOs are scoped to the user or computer and downloads any GPOs that have been updated, based on the GPOs' version numbers. CSEs process the policies in the GPOs according to their policy processing configuration. By default, most CSEs apply policy settings only if a GPO has been updated.
Some CSEs also do not apply settings if a slow link is detected.
The two parts of a GPO are replicated between domain controllers by using distinct mechanisms. The GPC in Active Directory is replicated by the Directory Replication Agent (DRA), using a topology generated by the Knowledge Consistency Checker (KCC) that can be refined or defined manually. The result is that the GPC is replicated within seconds to all domain controllers in a site, and between sites based on your inter-site replication configuration.
The GPT in the SYSVOL is replicated by using one of two technologies. The File Replication Service (FRS) is used to replicate SYSVOL. If all domain controllers are running Windows Server 2008 or later, you can configure SYSVOL replication to use Distributed File System Replication (DFS-R), a much more efficient and robust mechanism.
• Create, Edit and Scope a Group Policy Object.
• View the Effects of Group Policy Application.
You are an administrator at MTN Co. At a recent conference, you had a conversation with administrators at Syriatel Co. You discussed a particularly successful set of configurations you have deployed using a GPO. Syriatel administrators have asked you to copy the GPO to their domain. Which steps can you and the Syriatel administrators perform?
A. Right-click the MTN GPO and choose Save Report. Create a GPO in the Syriatel domain, right-click it, and choose Import.
B. Right-click the MTN GPO and choose Back Up. Right-click the Group Policy Objects container in the Syriatel domain and choose Restore From Backup.
C. Right-click the MTN GPO and choose Back Up. Create a GPO in the Syriatel domain, right-click it, and choose Paste.
D. Right-click the MTN GPO and choose Back Up. Create a GPO in the Syriatel domain, right-click it, and choose Import Settings.
The GPO’s scope determines which computers’ CSEs will receive and process the GPO, and only the computers or users within the scope of a GPO apply the settings in that GPO.
Several mechanisms are used to scope a GPO:
• The GPO link to a site, domain, or OU.
• The Enforce option of a GPO.
• The Block Inheritance option on an OU.
• Security group filtering.
• WMI filtering.
• Policy node enabling or disabling.
• Loopback policy processing.
In this part, you learn each of the mechanisms with which you can scope a GPO and, in the process, master the concepts of Group Policy application, inheritance, and precedence.
GPO Links: A GPO can be linked to one or more Active Directory sites, domains, or OUs. After a GPO is linked to a site, domain, or OU, the computers and users in that container are within the scope of the GPO, including computers and users in child OUs.
A site, domain, or OU can have more than one GPO linked to it.
GPO Inheritance and Precedence: A policy setting can be configured in more than one GPO, and GPOs can be in conflict with one another.
A GPO with higher precedence prevails over a GPO with lower precedence.
Precedence is shown as a number in the GPMC.
Default domain policy processing order: site, domain, OU.
Remember that domain policy settings are applied after—and therefore take precedence over—settings in local GPOs.
Modify GPO Scope using Security Filtering: you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO.
Filtering a GPO to Exclude Specific Groups.
WMI Filters: Windows Management Instrumentation (WMI) is a management infrastructure technology that allows administrators to monitor and control managed objects in the network.
Enabling or Disabling GPOs and GPO Nodes: You can prevent the settings in the Computer Configuration or User Configuration nodes from being processed during policy refresh by changing GPO Status.
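The scoping mechanisms listed above (links, inheritance and precedence, Enforced, Block Inheritance, security filtering, WMI filters and GPO status) can all be read back for one OU in a single report. This is an added example, not part of the original notes: it assumes the GroupPolicy module is available and uses a placeholder OU and domain name.

```powershell
# Added example (not from the original notes). The OU and domain names are placeholders.
Import-Module GroupPolicy

function Get-GpoScopeReport {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [string] $Domain = $env:USERDNSDOMAIN
    )

    # GpoLinks are the links on the OU itself; InheritedGpoLinks is the whole chain
    # (site, domain, parent OUs, this OU) in the precedence order GPMC shows.
    $inh = Get-GPInheritance -Target $OuDistinguishedName -Domain $Domain

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $OuDistinguishedName; only Enforced GPOs from above still reach it."
    }

    foreach ($link in $inh.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId -Domain $Domain

        # Security filtering: the principals that hold the Apply Group Policy permission.
        # 'Authenticated Users' here means the GPO has not been narrowed at all.
        $applyTo = Get-GPPermission -Guid $link.GpoId -Domain $Domain -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }

        [pscustomobject]@{
            Precedence = $link.Order          # 1 = highest precedence, wins conflicts
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target         # site, domain or OU that holds the link
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced       # Enforced links beat Block Inheritance
            Status     = $gpo.GpoStatus       # e.g. AllSettingsEnabled, UserSettingsDisabled
            WmiFilter  = $wmi
            AppliesTo  = ($applyTo -join ', ')
        }
    }
}

# Usage with placeholder names:
Get-GpoScopeReport -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' -Domain 'corp.example' |
    Format-Table -AutoSize
```

Run it against an OU before and after changing a link, the Enforced flag or the security filtering; the Precedence column shows why a conflicting setting wins, and AppliesTo shows whether a GPO is really narrowed or still applies to every authenticated user and computer in scope.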
GPOs are applied in order (site, domain, then OU), and GPOs applied later in the order have higher precedence: their settings, when applied, override settings applied earlier.
The following sequence describes the process through which settings in a domain-based GPO are applied to affect a computer or user:
1. The computer starts, and the network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started. The Group Policy Client is started.
2. The Group Policy Client obtains an ordered list of GPOs scoped to the computer. The order of the list determines the order of GPO processing, which is, by default, local, site, domain, and OU, followed by enforced GPOs.
3. When the user logs on, step 2 is repeated for user settings.
4. Every 90 to 120 minutes after computer startup, computer policy refresh occurs.
5. Every 90 to 120 minutes after user logon, user policy refresh occurs.
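The refresh described above (and the GPUpdate shortcut mentioned earlier in the notes) can be triggered and then verified from the client side, which is the view that matters when a setting does not arrive: the Group Policy Client's own Resultant Set of Policy (RSoP) report lists each GPO it considered and whether a filter or a permission kept it out. This is an added example, not part of the original notes. It assumes an elevated session on a domain-joined Windows machine, and the element names read from the report (Rsop, ComputerResults, GPO, Link, SOMPath, NoOverride, FilterAllowed, AccessDenied) are those of the XML that gpresult produces, as understood by the author of this example.

```powershell
# Added example (not from the original notes). Run elevated on a domain-joined machine.
function Get-AppliedComputerGpos {
    param([string] $ReportPath = (Join-Path $env:TEMP 'rsop-computer.xml'))

    # The GPUpdate step from the notes: pull GPOs now instead of waiting 90 to 120 minutes.
    # /force makes the CSEs reapply settings even when no GPO version has changed.
    gpupdate /target:computer /force | Out-Null

    # Write the computer-scope RSoP report as XML (/f overwrites an existing file).
    gpresult /scope:computer /x $ReportPath /f | Out-Null
    [xml] $rsop = Get-Content -Path $ReportPath

    # One row per GPO the client evaluated, in the order it evaluated them.
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        [pscustomobject]@{
            Name         = $gpo.Name
            LinkedAt     = $gpo.Link.SOMPath      # site, domain or OU holding the link
            Enforced     = $gpo.Link.NoOverride   # the Enforced option appears as NoOverride
            Enabled      = $gpo.Enabled
            Valid        = $gpo.IsValid
            FilterPassed = $gpo.FilterAllowed     # false: a WMI filter excluded this GPO
            AccessDenied = $gpo.AccessDenied      # true: security filtering denied Apply
        }
    }
}

Get-AppliedComputerGpos | Format-Table -AutoSize
```

Compare this list with the domain-side view from GPMC: a GPO that is scoped to the computer in Active Directory but shows FilterPassed false or AccessDenied true here was filtered out on the client, and a GPO that is missing altogether was never in scope or could not be downloaded.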
• Create a GPO with a policy setting that takes precedence over a conflicting setting.
• Configure the Enforced Option.
• Configure Security Filtering.
C2: Saturday 02-Jan-2015 12:00
C3: Saturday 02-Jan-2015 13:30
Title: “ACTIVE DIRECTORY – PART 3”