Page 1: Understanding Group Policy on Windows Server 2003

John Howard, IT Pro Evangelist, Microsoft UK
http://blogs.technet.com/jhoward

Page 2: Agenda

Introducing Group Policy
Common tasks with Group Policy
Planning & Best Practices

Page 3: Introducing Group Policy - Basic Understanding

Works with Windows 2000 and later
Enable one-to-many management of users and computers
Simplify administrative tasks
Implement security settings
Implement standard computing environments

Page 4: Introducing Group Policy - Group Policy Terms

Group Policy Management Console
Group Policy settings
Group Policy Object Editor
Active Directory containers
    Site
    Domain
    OUs
    Child OUs

Pages 5-12: Introducing Group Policy - Group Policy Capabilities (one item added per slide)

Registry-based Policy
Security Settings
Software Restrictions
Software Distribution
Computer and User Scripts
Roaming Profiles and Redirected Folders
Offline Folders
Internet Explorer Maintenance

Page 13: Introducing Group Policy - Default Policies

Local Security Policy
Default Domain Policy
Default Domain Controllers Policy

Pages 14-15: Introducing Group Policy - Where is Group Policy Stored (diagram slides; no text captured)

Pages 16-20: Introducing Group Policy - Order of Precedence (one level added per slide)

Local Security Policy
Site Policy
Domain Policy
Parent OU Policy
Child OU Policy

Page 21: Introducing Group Policy - Group Policy Management Console

Unified, easy to use GUI
Backup/Restore of GPOs
Import/Export and Copy/Paste of GPOs
Simplified security
HTML reporting
Scripting of Group Policy tasks

Page 22: Introducing Group Policy - Group Policy Objects & Links

GPOs contain policy settings
Links define what objects the GPO will target
    Scope Of Management (SOM): Site, Domain, OU, OU, ...
GPMC manages GPO Links
    Filtering can be based on links to SOM
    Better illustrates the relationship between GPOs and Links

Page 23: Introducing Group Policy - Demo

Page 24: Agenda

Introducing Group Policy
Common tasks with Group Policy
Planning & Best Practices

Page 25: Common Tasks - Using Administrative Templates

Enables configuration of policy settings
Do not actually contain policy settings
Used by Group Policy Object Editor
Policy settings are contained in registry.pol
Windows Server 2003 contains:
    System.adm
    Inetres.adm
    Conf.adm
    Wmplayer.adm
    Wuau.adm

Page 26: Common Tasks - Using Administrative Templates (continued)

KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”
Superset principle from WS2003 RTM onwards
Historical .adm files available online
Never edit the OS-shipped .adm files
Know the benefits of a “true policy” (as compared to preferences)
    Security (local administrators)
    Cleanup (if GPO is out of scope)

Page 27: Common Tasks - Account Policies

Password
Account lockout
Kerberos settings
Domain level vs OU level setting

Page 28: Common Tasks - Software Restriction Policies

Windows Server 2003 and Windows XP
Base philosophies
    Unrestricted: all programs run except those I select
    Disallowed: use with care
Policy rules
    Hash
    Certificate
    Path
    Internet Explorer Zone
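Added example, not from the deck: a small Python model of how Software Restriction Policy rules are evaluated for a file under a "Disallowed" default level. It assumes the documented rule precedence (hash rules beat path rules, and the most specific matching path rule wins); certificate and Internet Explorer zone rules are left out, and the rule set, paths and the SHA-256 digest are constructed.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

@dataclass
class HashRule:
    digest: str   # SHA-256 of the file (constructed choice; SRP itself used MD5/SHA-1)
    level: str

@dataclass
class PathRule:
    path: str     # folder or exact file path; matching is case-insensitive
    level: str

def evaluate(file_path: str, content: bytes, rules: list, default_level: str):
    """Decide whether a file may run. Hash rules beat path rules, the most specific
    matching path rule wins, and the default security level applies when nothing matches.
    Returns (level, reason)."""
    digest = hashlib.sha256(content).hexdigest()
    for rule in rules:
        if isinstance(rule, HashRule) and rule.digest.lower() == digest:
            return rule.level, "hash rule"
    target = PureWindowsPath(file_path.lower())
    best, best_depth = None, -1
    for rule in rules:
        if isinstance(rule, PathRule):
            rule_path = PureWindowsPath(rule.path.lower())
            # A folder rule covers the folder itself and everything beneath it.
            if rule_path == target or rule_path in target.parents:
                if len(rule_path.parts) > best_depth:
                    best, best_depth = rule, len(rule_path.parts)
    if best is not None:
        return best.level, f"path rule {best.path}"
    return default_level, "default security level"

# Constructed sample: a "Disallowed" baseline that permits only Program Files,
# except a scratch folder, plus a hash rule blocking one specific binary anywhere.
BLOCKED_SAMPLE = b"constructed bytes standing in for a binary the admin has blocked"
SAMPLE_RULES = [
    PathRule(r"C:\Program Files", UNRESTRICTED),
    PathRule(r"C:\Program Files\Temp", DISALLOWED),
    HashRule(hashlib.sha256(BLOCKED_SAMPLE).hexdigest(), DISALLOWED),
]

def decide(file_path: str, content: bytes):
    return evaluate(file_path, content, SAMPLE_RULES, DISALLOWED)
```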

Page 29: Common Tasks - Restricted Groups

Membership of Active Directory security groups
    No-one can be in Enterprise Administrators
    Only these users are helpdesk staff
Membership of Local Groups
    Helpdesk are members of local administrators

Page 30: Common Tasks - Some of the rest…

Additional security
    Registry Access Control Lists (ACLs)
    File System Access Control Lists (ACLs)
    Service Startup Mode
Internet Explorer Maintenance
Audit Policies
    Especially on servers

Page 31: Common Tasks with Group Policy - Demo

Page 32: Agenda

Introducing Group Policy
Common tasks with Group Policy
Planning & Best Practices

Page 33: Planning & Best Practices - OU Design

Why create OUs
    Segment by role
        Domain controllers
        Computers
        Users
    Redirect default OU for new accounts
        redirusr.exe and redircmp.exe
    Use delegation of administration
        Create/Update/Link GPOs

Page 34: Planning & Best Practices - Group Policy Objects

Normalise GPOs – “GP Common Scenarios”
Naming conventions
    Clear purpose and intent
    3-segment string: Scope/Purpose/Managed By
    e.g. WW-Outlook-OTG
What about the number of GPOs?
    MYTH: Fewer GPOs = better performance
    FACT: Number of settings is more important

Page 35: Planning & Best Practices - General Guidance

Avoid Cross-Domain GPO links
    Performance overhead
    Alternative - GPMC scripts
Use the following sparingly
    Enforce (no override)
    Block Inheritance
    Loopback
Keep it simple
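Added example, not from the deck, that models the Order of Precedence slides together with the Enforce and Block Inheritance guidance above: Local, Site, Domain, parent OU and child OU are applied in that order with later settings winning, Block Inheritance on an OU discards non-enforced links from higher containers, and enforced links are applied last with the one nearest the root winning. Loopback is not modelled, and the OU names, GPO names and settings are constructed.

```python
from dataclasses import dataclass
@dataclass
class Gpo:
    name: str
    settings: dict          # setting name -> value (constructed names, not real ADM settings)

@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False  # "Enforce (no override)" set on this link

@dataclass
class Som:                  # Scope of Management: a site, domain or OU with its GPO links
    name: str
    links: list             # GPMC link order: index 0 has the highest precedence
    block_inheritance: bool = False

def resolve(local: Gpo, chain: list):
    """Apply Local, then each SOM in `chain` (site -> domain -> parent OU -> child OU); a setting
    applied later overrides one applied earlier. Returns (effective settings, applied GPO names)."""
    # Block Inheritance on a container drops non-enforced links from every container above it.
    blocked_above = max((i for i, s in enumerate(chain) if s.block_inheritance), default=-1)
    order = [local]
    for i, som in enumerate(chain):
        if i >= blocked_above:
            # Reverse the link list so the link with link-order number 1 is applied last.
            order += [l.gpo for l in reversed(som.links) if not l.enforced]
    # Enforced links ignore Block Inheritance and apply last; the one nearest the root wins, so walk child -> site.
    for som in reversed(chain):
        order += [l.gpo for l in reversed(som.links) if l.enforced]
    effective = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [g.name for g in order]

def build_sample():
    """Constructed hierarchy; GPO names, OU names and settings are illustrative only."""
    local = Gpo("Local Security Policy", {"ScreenSaverTimeout": 600})
    site = Som("HQ-Site", [Link(Gpo("Site-Proxy", {"ProxyServer": "proxy.hq.example"}))])
    domain = Som("contoso.example", [
        Link(Gpo("Default Domain Policy", {"ScreenSaverTimeout": 900, "AuditLogon": True}), enforced=True),
        Link(Gpo("Domain-Baseline", {"FirewallEnabled": True}))])
    ws = Som("OU=Workstations", [Link(Gpo("WS-Baseline", {"FirewallEnabled": True, "ProxyServer": "proxy.ws.example"}))])
    kiosks = Som("OU=Kiosks", [Link(Gpo("Kiosk-Lockdown", {"ScreenSaverTimeout": 300, "FirewallEnabled": False}))], block_inheritance=True)
    return local, site, domain, ws, kiosks

def demo(kiosk_member: bool):
    """Resolve for a computer in OU=Kiosks (Block Inheritance meets an enforced domain GPO) or, when False, in OU=Workstations."""
    local, site, domain, ws, kiosks = build_sample()
    return resolve(local, [site, domain, ws, kiosks] if kiosk_member else [site, domain, ws])
```

Note that the kiosk's own ScreenSaverTimeout is silently replaced by the enforced domain value while its blocked firewall baseline is lost, which is why the deck says to use both controls sparingly.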

Page 36: Planning & Best Practices - Using WMI Filters

XP and Windows Server 2003 only
Performance hit
Limit to known lifetime if possible
Scriptomatic

Page 37: Summary

Group Policy serves many purposes
If you’re not already using GPMC, why not?
It’s not as hard as it looks
…but without planning, it’s easy to make it look hard
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy

Page 38: Recommended Reading

“Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000”
By Jeremy Moskowitz
www.gpanswers.com

Pages 39-40: © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.