Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.


1 Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy

2 Objectives
  Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
  Manage and troubleshoot Group Policy inheritance
  Deploy and manage software using Group Policy

3 Introduction to Group Policy
  Group Policy
    – Enables the centralized management of user and computer configuration settings
    – Implemented using a Group Policy object

4 Introduction to Group Policy (Continued)
  Group Policy object (GPO)
    – Used to perform a variety of administrative tasks, including:
      Configure desktop settings using administrative templates
      Control security settings for users and computers
      Assign scripts to run when
        – A user logs on or off
        – A computer is started up or shut down

5 Introduction to Group Policy (Continued)
      Redirect folders out of a user’s local profile to a different network location
      Automate software distribution and maintenance to computers throughout the network

6 Creating a Group Policy Object
  Ways to create a GPO
    – Group Policy standalone Microsoft Management Console (MMC) snap-in
    – Group Policy extension in Active Directory Users and Computers
  Once a GPO is created
    – Edit the GPO to control specific user or computer settings

7 Configuration categories available for GPOs

8 Creating a Group Policy Object (Continued)
  The GPO content is stored in two different locations on the server
    – Group Policy container (GPC)
      Stores information about the GPO and includes a version number
      Located in
        – Active Directory Users and Computers\System\Policies

9 Creating a Group Policy Object (Continued)
    – Group Policy template (GPT)
      Contains the data that makes up the Group Policy
      Stored in
        – The %systemroot%\\Sysvol\ \Policies folder
  Globally unique identifier (GUID)
    – A unique 128-bit number assigned to the GPO when it is created
    – Used to identify both the GPC and the GPT

10 Application of Group Policy
  GPOs can apply a variety of configuration options to the
    – Local computer
    – Site
    – Domain
    – OU
  Main categories of a Group Policy:
    – Computer Configuration
    – User Configuration

11 Controlling User Desktop Settings
  Group Policy
    – Helps reduce administrative costs by allowing the administrator to
      Enforce standard computer configurations
      Limit user access to various areas of the operating system
      Ensure that users have their own personal desktop and application settings
  Administrative templates
    – Consist of several categories of configuration settings

12 Configuration categories of administrative templates

13 Managing Security with Group Policy
  Group Policy
    – Can be used to modify and maintain a number of domain-based security configurations to comply with organizational security standards
  Security templates
    – Can be created based on current security standards

14 Configuring Account Policies
  Account Policies node
    – Found under the computer configuration category of a GPO
    – Includes three subcategories
      Password Policy
      Account Lockout Policy
      Kerberos Policy
  Password Policy node
    – Contains configuration settings for the password’s
      History
      Length
      Complexity

15 Password policies in Windows Server 2003

16 Configuring Account Policies (Continued)
  Account Lockout Policy node
    – Contains configuration settings for
      Password lockout threshold and duration
      Reset options

17 Account Lockout Policies

18 Configuring Account Policies (Continued)
  Kerberos Policy node
    – Contains configuration settings for
      Kerberos ticket-granting ticket (TGT)
      Session ticket lifetimes and time stamp

19 Kerberos policy node configuration

20 Managing Security with Group Policy
  Other nodes under the security settings category
    – Local Policies
    – Event Log
    – Restricted Groups
    – System Services
    – Registry
    – File System
    – Wireless Network (IEEE 802.11) Policies
    – Public Key Policies
    – Software Restriction Policies
    – IP Security Policies on Active Directory

21 Using the Security Configuration Manager Tools with Group Policy
  Security Configuration Manager tools
    – Can be used with Group Policies to
      Create a Security Policy template using a specific group of security settings
    – Can be used to analyze and implement security settings on a computer system
    – Useful in maintaining security settings

22 Using the Security Configuration Manager Tools with Group Policy (Continued)
  Core components of the Security Configuration Manager tools:
    – Security templates
    – Security settings in Group Policy objects
    – Security Configuration and Analysis tool
    – Secedit command-line tool

23 Security Templates
  A security template
    – Is used to define, edit, and save baseline security settings to be applied to computers with common security requirements
    – Helps ensure that a consistent setting can be applied to multiple machines and easily maintained
    – Is created and edited using the Security Templates snap-in

24 Viewing the Security Templates console

25 Analyzing the Preconfigured Security Templates
  First step in configuring and implementing security templates
    – Categorize the network computers into:
      Workstations
      Servers
      Domain controllers

26 Analyzing the Preconfigured Security Templates (Continued)
  Setup Security.inf template
    – Stores the default security settings applied to the computer when Windows Server 2003 is installed
    – Purpose
      Provides a single file in which all of the original computer security settings are stored

27 Analyzing the Preconfigured Security Templates (Continued)
  Incremental templates
    – Modify security settings incrementally
    – Allow the creation of security configurations other than the basic security settings
    – Include
      Compatws.inf
      Securews.inf and Securedc.inf
      Hisecws.inf and Hisecdc.inf
      DC Security.inf
      Rootsec.inf

28 Analyzing the Preconfigured Security Templates (Continued)
  Applying security templates
    – Security templates can be applied to either the local machine or the domain via GPOs
    – To apply a security template to a local machine
      Open the Local Security Settings MMC snap-in
      Right-click Security Settings in the console pane and choose Import Policy
      Select the template file to be imported

29 Security Configurations and Analysis
  Security Configuration and Analysis utility
    – Compares current system settings to a previously configured security template
    – Identifies
      Changes to the original security configurations
      Possible security weaknesses that may be evident when compared to a stronger security baseline template

30 Security Configurations and Analysis (Continued)
    – Results of the comparison
      A green check mark
        – Indicates that the two settings match
      A red “x”
        – Indicates a mismatch
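
The comparison described on slides 29 and 30, as an added example that is not part of the original presentation: it checks a system's exported settings against a baseline template and labels each one "match" or "mismatch". The two templates are constructed samples in the security-template .inf layout, the function names are hypothetical, and treating a setting that is absent from the system export as a mismatch is an assumption of this sketch.

```python
import configparser

# Constructed sample data in security-template (.inf) layout; values are illustrative.
BASELINE_INF = """
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
"""

CURRENT_INF = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 24
"""

def load(text):
    """Parse template text, keeping setting names case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser

def analyze(baseline_text, current_text, section="System Access"):
    """Return {setting: (status, baseline value, current value)} for one section."""
    base, cur = load(baseline_text), load(current_text)
    report = {}
    for key, want in base[section].items():
        have = cur.get(section, key, fallback=None)  # None: not present in the export
        report[key] = ("match" if have == want else "mismatch", want, have)
    return report

if __name__ == "__main__":
    for name, (status, want, have) in analyze(BASELINE_INF, CURRENT_INF).items():
        print(f"{status:9} {name}: baseline={want} current={have}")
```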

31 Viewing the Security Configuration and Analysis tool

32 Analyzing security on a computer

33 Security Configurations and Analysis (Continued)
  Secedit.exe
    – Command-line tool that is used to
      Create and apply security templates
      Analyze security settings
    – Can be used in situations where Group Policy cannot be applied

34 Assigning Scripts and Redirecting Folders
  Scripts
    – Can be used in Windows Server 2003 to perform tasks at various times during the logon or logoff process
    – Computer startup and shutdown scripts
      Configured in the computer section of a GPO
    – User logon and logoff scripts
      Configured in the user section of a GPO

35 Assigning Scripts and Redirecting Folders (Continued)
  Folder redirection
    – Group Policy feature
    – Enables you to redirect the following contents of a user’s profile to a network location:
      Application data
      Desktop
      My Documents
      Start menu

36 Folder redirection settings

37 Managing Group Policy Inheritance
  Order in which Group Policy is applied
    – Local computer, site, domain, parent OU, child OU
  All individual GPO settings are inherited by default
  At each level, more than one GPO can be applied
  If there is more than one GPO per container
      Policies are applied in the order that they appear on the Group Policy tab for the container, starting with the bottom GPO first

38 Managing Group Policy Inheritance (Continued)
  Multiple policies applied to a user or computer
    – If there is no conflict
      Both policies are applied
    – If there is a conflict
      Later settings overwrite earlier settings
    – Computer policies usually overwrite user policies

39 Configuring Block Policy Inheritance, No Override, and Filtering
  Blocking Group Policy inheritance
    – Done when you do not want any higher-level settings to be applied to a particular child container
  Configuring No Override
    – Done when you want a particular GPO’s settings to always be enforced
  Filtering policy settings for groups
    – Done to prevent policy settings for groups from applying to a particular user, group, or computer within a container
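
The processing rules from slides 37 to 39, as an added example that is not part of the original presentation: a small model that computes which GPO supplies each setting once ordering, Block Policy inheritance and No Override are taken into account. The container, GPO and setting names are hypothetical, the local computer policy is left out, and the tie-break between several No Override GPOs (the one linked highest wins) is an assumption stated in the code.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False  # "No Override" set on this GPO link

@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)  # top-to-bottom, as on the Group Policy tab
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain: containers ordered site, domain, parent OU, child OU."""
    ordered = []  # (depth, GPO) in processing order
    for depth, c in enumerate(chain):
        if c.block_inheritance:
            # Higher-level GPOs are dropped unless they are marked No Override.
            ordered = [(d, g) for d, g in ordered if g.no_override]
        ordered += [(depth, g) for g in reversed(c.gpos)]  # bottom GPO first
    normal = [g for _, g in ordered if not g.no_override]
    # Assumption: among No Override GPOs, the one linked highest wins, so apply it last.
    enforced = [g for _, g in sorted(ordered, key=lambda t: -t[0]) if g.no_override]
    result = {}
    for g in normal + enforced:  # later writes overwrite earlier ones
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

# Constructed sample hierarchy; all names and settings are hypothetical.
DOMAIN = Container("example.local", [
    GPO("Domain Baseline", {"screensaver_lock": "on"}, no_override=True),
    GPO("Domain Desktop", {"wallpaper": "corp.bmp", "control_panel": "hidden"}),
])
SALES = Container("OU=Sales", [GPO("Sales Desktop", {"wallpaper": "sales.bmp"})])
KIOSKS = Container("OU=Kiosks", [
    GPO("Kiosk Top", {"screensaver_lock": "off", "run_menu": "hidden"}),
    GPO("Kiosk Bottom", {"run_menu": "shown"}),
], block_inheritance=True)

if __name__ == "__main__":
    for key, (value, source) in sorted(resultant_policy([DOMAIN, SALES, KIOSKS]).items()):
        print(f"{key} = {value}  (from {source})")
```

In the sample, the kiosk OU blocks inheritance yet still receives the domain's No Override screen-lock setting, which is the case worth checking first when a child container appears to ignore a baseline.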

40 Blocking Group Policy inheritance

41 Configuring No Override on a Group Policy object

42 Troubleshooting Group Policy Settings
  Areas to inspect when trying to find the reason for a GPO not working as expected
    – Active Directory hierarchy
    – Order of Group Policy processing
    – Containers above and below OU that is causing problem
    – Group Policy’s Security tab

43 Troubleshooting Group Policy Settings (Continued)
  Troubleshooting tools
    – gpresult.exe
    – Resultant Set of Policy (RSoP)
    – Can be used to
      Discover Group Policy-related problems
      Illustrate which GPOs were applied to a user or computer

44 Using the Gpresult tool

45 Generating RSoP data

46 Deploying Software Using Group Policy
  Group Policy can help deploy and maintain software installations throughout the domain
  When a company rolls out a new software application, the four main phases of the process are:
    – Software preparation
    – Deployment
    – Software maintenance
    – Software removal

47 Software Preparation
  Microsoft Windows installer package (MSI) file
    – Used by Windows Server 2003 Group Policy
    – Contains all the information needed to install an application in a variety of configurations
  Steps to take before installing software
    – Place the MSI package file and any related software installation files in a shared folder on the network
    – Configure Group Policy to access this shared folder

48 Deployment
  Using Windows Server 2003 Group Policy, applications can be deployed by either:
    – Assigning applications
      A shortcut to the application is advertised on the Start menu
    – Publishing applications
      Application is not advertised on the Start menu

49 Software Maintenance
  Maintenance tasks to be performed after an application has been deployed
    – Installing updates and service patches
    – Installing new versions of the software
  Choices when deploying application patches or upgrades
    – A mandatory upgrade
    – An optional upgrade
    – Redeploying an application

50 Software Removal
  Choices regarding how an application is removed
    – A forced removal
    – An optional removal

51 Summary
  Group Policy
    – Enables the centralized management of user and computer settings throughout the network
  GPOs
    – Can be used to perform administrative tasks, such as
      Configuration of desktop settings
      Control of security settings for users and computers
      Assignment of scripts
      Redirection of folders
      Automation of software distribution on computers throughout the network

52 Summary (Continued)
  The order in which Group Policy is applied
    – Local computer, site, domain, OU, child OU
  Security Configuration and Analysis tool
    – Can be used to analyze, modify, and apply security templates to objects within Active Directory

53 Summary (Continued)
  Group Policy is automatically inherited from parent containers to child containers; this can be modified by
    – Applying Block Policy inheritance
    – Applying No Override
    – Filtering the policy for specific users
  When deploying software, Group Policy uses an MSI file to determine the installation options
  Applications can either be assigned or published within a GPO

