
Understanding Group Policy on Windows Server 2003
John Howard, IT Pro Evangelist, Microsoft UK
http://blogs.technet.com/jhoward

Agenda
Introducing Group Policy
Common tasks with Group Policy
Planning & Best Practices

Introducing Group Policy: Basic Understanding
Works with Windows 2000 and later
Enable one-to-many management of users and computers
Simplify administrative tasks
Implement security settings
Implement standard computing environments

Introducing Group Policy: Group Policy Terms
Group Policy Management Console
Group Policy settings
Group Policy Object Editor
Active Directory containers
  Site
  Domain
  OUs
  Child OUs

Introducing Group Policy: Group Policy Capabilities
Registry-based Policy
Security Settings
Software Restrictions
Software Distribution
Computer and User Scripts
Roaming Profiles and Redirected Folders
Offline Folders
Internet Explorer Maintenance

Introducing Group Policy: Default Policies
Local Security Policy
Default Domain Policy
Default Domain Controllers Policy

Introducing Group Policy: Where is Group Policy Stored

Introducing Group Policy: Order of Precedence
Local Security Policy
Site Policy
Domain Policy
Parent OU Policy
Child OU Policy

Introducing Group Policy: Group Policy Management Console
Unified, easy to use GUI
Backup/Restore of GPOs
Import/Export and Copy/Paste of GPOs
Simplified security
HTML reporting
Scripting of Group Policy tasks

Introducing Group Policy: Group Policy Objects & Links
GPMC manages GPO Links
GPOs contain policy settings
Links define what objects the GPO will target
  Scope Of Management (SOM)
  Site, Domain, OU, OU, …
Filtering can be based on links to SOM
Better illustrates the relationship between GPOs and Links

Introducing Group Policy: Demo


Common tasks: Using Administrative Templates
Enables configuration of policy settings
Do not actually contain policy settings
Used by Group Policy Object Editor
Policy settings are contained in registry.pol
Windows Server 2003 contains:
  System.adm
  Inetres.adm
  Conf.adm
  Wmplayer.adm
  Wuau.adm

Common tasks: Using Administrative Templates (continued)
KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”
Superset principle from WS2003 RTM onwards
Historical .adm files available online
Never edit the OS-shipped .adm files
Know the benefits of a “true policy” (as compared to preferences)
  Security (local administrators)
  Cleanup (if GPO is out of scope)

Common Tasks: Account Policies
Password
Account lockout
Kerberos settings
Domain level vs OU level setting

Common Tasks: Software Restriction Policies
Windows Server 2003 and Windows XP
Base philosophies
  Unrestricted
    All programs run except those I select
  Disallowed
    Use with care
Policy rules
  Hash
  Certificate
  Path
  Internet Explorer Zone

Common Tasks: Restricted Groups
Membership of Active Directory security groups
  No-one can be in Enterprise Administrators
  Only these users are helpdesk staff
Membership of Local Groups
  Helpdesk are members of local administrators

Common Tasks: Some of the rest…
Additional security
  Registry Access Control Lists (ACLs)
  File System Access Control Lists (ACLs)
  Service Startup Mode
Internet Explorer Maintenance
Audit Policies
  Especially on servers

Common Tasks with Group Policy: Demo


Planning & Best Practices: OU Design
Why create OUs
  Segment by role
    Domain controllers
    Computers
    Users
  Redirect default OU for new accounts
    redirusr.exe and redircmp.exe
  Use delegation of administration
    Create/Update/Link GPOs

Planning & Best Practices: Group Policy Objects
Normalise GPOs – “GP Common Scenarios”
Naming conventions
  Clear purpose and intent
  3-segment string: Scope/Purpose/Managed By
  e.g. WW-Outlook-OTG
What about the number of GPOs?
  MYTH: Fewer GPOs = Better performance
  FACT: Number of settings is more important

Planning & Best Practices: General Guidance
Avoid Cross-Domain GPO links
  Performance overhead
  Alternative - GPMC scripts
Use the following sparingly
  Enforce (no override)
  Block Inheritance
  Loopback
Keep it simple
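The order of precedence from the earlier slide (Local, Site, Domain, parent OU, child OU) together with the Enforce and Block Inheritance options listed here, as an added Python model that is not part of the presentation: it resolves which GPO wins each setting for a constructed hierarchy, so you can see why the deck says to use these two options sparingly. The SOM and GPO names, setting names and values are made up; Loopback and WMI filters are not modelled.

```python
from dataclasses import dataclass, field
# Toy model of GPO precedence (LSDOU): Local, Site, Domain, parent OU, child OU; later
# containers override earlier ones. "Block Inheritance" drops non-enforced GPOs linked
# above a container; "Enforce (no override)" GPOs survive blocking and beat everything
# linked below them. Loopback and WMI filters are not modelled.

@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value
    enforced: bool = False  # "Enforce (no override)" set on the link

@dataclass
class SOM:  # Scope of Management: a Site, Domain or OU with its linked GPOs
    name: str
    gpos: list = field(default_factory=list)  # link order: first = highest precedence
    block_inheritance: bool = False

def effective_policy(local, chain):
    """chain lists the Site, Domain and OUs from the top down to the target's OU.
    Returns {setting: (value, name of the GPO that won)}."""
    normal, enforced_by_level = [], []
    for som in chain:
        if som.block_inheritance:
            normal = []                         # discard inherited non-enforced GPOs
        level = []
        for gpo in reversed(som.gpos):          # process lowest link precedence first
            (level if gpo.enforced else normal).append(gpo)
        enforced_by_level.append(level)
    order = [local] + normal                    # local GPO is always processed first
    for level in reversed(enforced_by_level):   # enforced: the higher container wins
        order.extend(level)
    result = {}
    for gpo in order:                           # last writer wins
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

def demo(block):
    """Constructed hierarchy; GPO names follow the Scope/Purpose/Managed-By convention."""
    local = GPO("Local Security Policy", {"ScreenSaverTimeout": "900"})
    site = SOM("Site-London", [GPO("LON-Printers-OTG", {"DefaultPrinter": "LON-P1"})])
    domain = SOM("corp.example", [
        GPO("WW-Audit-SEC", {"AuditLogonEvents": "Success,Failure"}, enforced=True),
        GPO("WW-Baseline-OTG", {"ScreenSaverTimeout": "600", "IEHomePage": "http://intranet"}),
    ])
    workstations = SOM("OU=Workstations", [GPO("WW-Outlook-OTG", {"OutlookCachedMode": "on"})])
    kiosks = SOM("OU=Kiosks", [GPO("WW-Kiosk-OTG", {"ScreenSaverTimeout": "120", "AuditLogonEvents": "None"})],
                 block_inheritance=block)
    return effective_policy(local, [site, domain, workstations, kiosks])
```

With `demo(True)` the kiosk OU blocks inheritance, so the site, domain baseline and Outlook GPOs vanish, yet the enforced domain audit GPO still overrides the kiosk's attempt to switch auditing off; `demo(False)` shows the same hierarchy with normal inheritance.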

Planning & Best Practices: Using WMI Filters
XP and Windows Server 2003 Only
Performance hit
Limit to known lifetime if possible
Scriptomatic

Summary
Group Policy serves many purposes
If you’re not already using GPMC, why not?
It’s not as hard as it looks
…but without planning, it’s easy to make it look hard
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy

Recommended Reading
“Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000”
By Jeremy Moskowitz
www.gpanswers.com

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
