Unit 8 NT1330 Client-Server Networking II Date: 2?10/2016 ITT TECHNICAL INSTITUTE NT1330 Client-Server Networking II Date: 2?10/2016 Instructor: Williams Obinkyereh
Class Agenda 1 Learning Objectives Lesson Presentation, Discussions and video. Assignments and Lab Activities. Break Times as per School regulation Note: Submit all Assignment and labs due today.
Class Agenda 2 Theory : Unit 8:00pm-8:00pm) Lab : (8:15pm to 11:00pm) Text book for Unit 8: Windows Server 2008 Active Directory Configuration MOAC 70-640-Lesson 7 and 8
Introduction to Group Policy Lesson 7
Configuring the User and Computer Environment Using Group Policy Lesson 8
Skills Matrix Technology Skill Objective Domain Objective # Configuring Account Policies Configure account policies 4.6 Planning and Configuring an Audit Policy Configure Audit Policy by using GPOs 4.7
Skills Matrix Technology Skill Objective Domain Objective # Using the Group Policy Management Console Create and apply Group Policy Objects (GPOs) 4.3 Configuring Group Policy Settings Configure GPO templates 4.4
Group Policy Group Policy is a method of controlling settings across your network. Group Policy consists of user and computer settings. You can configure one or more GPOs within a domain (domain, sites and OUs) within Active Directory. You can link multiple GPOs to a single container or link one GPO to multiple containers throughout the Active Directory structure. Emphasize the power of group policies and all of the wonderful things you can do with them. Also explain how group policies are essential to security.
Group Policy The following managed settings can be defined or changed through Group Policies: Registry-based policies – Used to modify the Windows Registry. Software installation policies - used to ensure that have the latest versions of applications. Folder redirection - allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network. Offline file storage -ability to cache files locally to allow files to be available even when the network is inaccessible.
Group Policy Scripts – Including logon, logoff, startup, and shutdown scripts, these can assist in configuring the user environment. Windows Deployment Services (WDS) – Assists in rebuilding or deploying workstations quickly and efficiently in an enterprise environment. Microsoft Internet Explorer settings – Provide quick links and bookmarks for user accessibility, in addition to browser options such as proxy use, acceptance of cookies, and caching options. Security settings – Protect resources on computers in the enterprise.
Group Policy Objects (GPOs) Contain all of the Group Policy settings that you wish to implement to user and computer objects within a site, domain, or OU. There are three types of GPOs: Local GPOs. Domain GPOs. Starter GPOs.
Default Group Policies When Active Directory is installed, two domain GPOs are created by default. Default Domain Policy — It is linked to the domain, and its settings affect all users and computers in the domain. Default Domain Controller Policy — It is linked to the Domain Controllers OU and its settings affect all domain controllers in the domain.
Creating and Managing Group Policies The Group Policy Management Console (GPMC) is the Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. The GPMC is not explained in the book until a later chapter. But you need to use it for the students to see group policies in this chapter.
Group Policy Management Console (GPMC) Show group policies and how to set them.
The actual settings are divided into two subcategories: Group Policy Settings Configuring Group Policy settings enables you to customize the configuration of a user’s desktop, environment, and security settings. The actual settings are divided into two subcategories: Computer Configuration User Configuration
GPO Inheritance You link a GPO to a domain, site, or OU or create and link a GPO to one of these containers in a single step. The settings within that GPO apply to all child objects within the object.
Group Policy Processing (LSDOU) Local policies. Site policies. Domain policies. OU policies. Any conflicting GPO settings are overwritten by the later running GPO.
To manually push group policies, you need to use the gpupdate command: If you make changes to a group policy, users may not see changes take effect until: They log off or log back in. They Reboot the computer. They wait 90 minutes (+/- 30 minutes) for stand-alone servers/workstations and 2 minutes for domain controllers. To manually push group policies, you need to use the gpupdate command: Gpupdate /force This is introduced in next chapter but should be emphasized often.
Summary Group Policy consists of user and computer settings that can be implemented during computer startup and user logon. These settings can be used to customize the user environment, to implement security guidelines, and to assist in simplifying user and desktop administration. Group Policies can be beneficial to users and administrators. They can be used to increase a company's return on investment and to decrease the overall total cost of ownership for the network.
Security Settings
Security Settings
Security Settings
Account Policies Account policies influence how a user interacts with a computer or a domain. By default, they are linked to the Default Domain Policy. This account policy is applied to all accounts throughout the domain by default, unless you create one or more Fine-Grained Password Policies (FGPP) that override the domain-wide policy. These Fine-Grained Password Policies can be applied.
Kerberos Policy Kerberos is the default mechanism for authenticating domain users in Windows Server 2008, Windows Server 2003, and Microsoft Windows 2000. Kerberos is a ticket-based system that allows domain access by using a Key Distribution Center (KDC), which is used to issue Kerberos tickets to users, computers, or network services.
Kerberos Policy
Local Policies Allow administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log (auditing): User Rights Assignment. Security Options. Audit Policy.
User Rights Go over the key user rights. Also explain the local logon right and how you get a message if you don’t have it.
Audit Policy Show auditing policies. Also file auditing.
Audit Policy System events — Events that trigger a log entry in this category include system startups and shutdowns; system time changes; system event resources exhaustion, such as when an event log is filled and can no longer append entries; security log cleaning; or any event that affects system security or the security log. In the Default Domain Controllers GPO, this setting is set to log successes by default.
Audit Policy Logon events — This setting logs events related to successful user log-ons on a computer. The event is logged to the Event Viewer Security Log on the computer that processes the request. The default setting is to log successes in the Default Domain Controllers GPO.
Configuring Files and Folders for Auditing In Windows Explorer, right-click the file or folder you want to audit. Select Properties. On the Security tab in the Properties dialog box for the selected file or folder, click Advanced. In the Advanced Security Settings dialog box for the file or folder, select the Auditing tab.
Restricted Groups Policy Allows an administrator to specify group membership lists. You can control membership in important groups, such as the local Administrators and Backup Operators groups.
Folder Redirection Policy Folder redirection provides administrators with the ability to redirect the contents of certain folders to a network location or to another location on the user’s local computer. Contents of folders on a local computer located in the Documents and Settings folder, including the Documents, Application Data, Desktop, and Start Menu folders, can be redirected.
Configuring Folder Redirection If you choose Basic–Redirect Everyone's Folder To The Same Location, you must specify the Target folder location in the Settings dialog box. If you choose Advanced–Specify Locations For Various User Groups, you must specify the target folder location for each group that you add in the Settings dialog box.
Folder Redirection Policy
Offline Files Policy A separate Group Policy category that can allow files to be available to users, even when the users are disconnected from the network. The Offline Files feature works well with Folder Redirection: When Offline Files is enabled, users can access necessary files as if they were connected to the network. When the network connection is restored, changes made to any documents are updated to the server. Folders can be configured so that either all files or only selected files within the folder are available for offline use. When it is combined with Folder Redirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present.
Disk Quotas Limit the amount of space available on the server for user data.
Domain controller group policies are refreshed every 2 minutes. Group Policy Refresh Computer configuration group policies are refreshed every 90 minutes (+/- 30 minutes) by default. Domain controller group policies are refreshed every 2 minutes. You can force group policies by using the gpupdate command: gpupdate /force For domain controllers, older Windows had 5 minutes for updates, not 2.
Summary Most security-related settings are found within the Windows Settings node of the Computer Configuration node of a GPO. Policy settings that you wish to apply to all computers or users within a domain should be made within the Default Domain Policy GPO. Generally, domain-wide account policies, such as Password Policies, Account Lockout, and Kerberos settings, are modified here.
Unit 8 Assignments and Labs Unit 8. Assignment 1. Group Policy in a Mixed Client OS Environment Unit 8. Lab 1. Exploring Group Policy Administration Unit 8. Exercise 1. Administrative Control versus Trust: Research/Scenario