Windows Group Policy


Upload: eric-macewen

Post on 06-Mar-2016


DESCRIPTION

Windows Server 2008 Group Policy

TRANSCRIPT

Page 1: Windows Group Policy

Design a Group Policy strategy

MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)

1

Page 2: Windows Group Policy


Learning Objectives

• Design Organizational Units to support an administrative model
• Understand Group Policy basics
• Design a Group Policy strategy
• Configure different Group Policy settings
• Configure advanced GPO settings
• Implement fine-grained policies using a password settings object

Page 3: Windows Group Policy


Designing Organizational Units

• Forest and domain design
  – Different for different goals
• Two important reasons to use OUs
  – Managing with Group Policy
  – Delegation of control
• Active Directory Domain Services (AD DS) structure
  – Supports autonomy and isolation goals

Page 4: Windows Group Policy


Using OUs for Group Policy

• Group Policy Objects (GPOs)
  – Linked to sites, domains, OUs
  – Used to manage users and computers
  – Set different security policies, configure standards, restrict usage, deploy applications, etc.
• Organizing users and computers in OUs
  – Allows management with a single OU
• GPOs cannot be linked to:
  – The Users container
  – The Computers container

Page 5: Windows Group Policy

Figure 4-1 An example of how OUs can be created within a domain (Courtesy Course Technology/Cengage Learning)

Page 6: Windows Group Policy


Using OUs to Delegate Control

• Administrative tasks often delegated to administrators
  – Perform tasks specific to their area of responsibility
• Need appropriate permissions and privileges
• Consider the basic security principle of least privilege
• Delegation of Control Wizard
  – Available within Active Directory Users and Computers
• For specific users or groups:
  – Create OUs and move AD objects to the OU

Page 7: Windows Group Policy

Figure 4-2 Starting the Delegation of Control Wizard (Courtesy Course Technology/Cengage Learning)

Page 8: Windows Group Policy


Using OUs to Delegate Control (cont’d.)

• Activity 4-1: Delegating Control with the Delegation of Control Wizard

Figure 4-3 Delegating permissions to change passwords (Courtesy Course Technology/Cengage Learning)

Page 9: Windows Group Policy


Using OUs to Delegate Control (cont’d.)

• Activity 4-2: Delegating Full Control with the Delegation of Control Wizard

Figure 4-4 Delegating Full Control permissions to a group (Courtesy Course Technology/Cengage Learning)

Page 10: Windows Group Policy


Designing Organizational Units

• Understand the two benefits and purposes of OUs
  – Makes design easier
• Technical reasons to design OUs
  – Delegate control or manage objects using Group Policy
• Another reason to create OUs
  – Logically organize users and computers

Page 11: Windows Group Policy


Designing Organizational Units (cont’d.)

• OU design characteristics
  – OUs created for administrators’ use
  – OUs completely separate from DNS
  – OUs easy to modify
• OU design options
  – Organizational structure
  – Geography
  – Hybrid
• May further refine the OU structure
  – Objects separated in different OUs

Page 12: Windows Group Policy

Figure 4-5 A hybrid OU design based on geography and the organizational hierarchy (Courtesy Course Technology/Cengage Learning)

Page 13: Windows Group Policy


Designing Group Strategies

• Assign permissions to groups, not users
• Groups identified by their group scope
  – Universal
  – Global
  – Domain local
• Groups can be added together
  – Added to other global groups (nesting)
  – Added to universal groups
  – Added to domain local groups

Page 14: Windows Group Policy

Figure 4-6 Understanding groups (Courtesy Course Technology/Cengage Learning)

Page 15: Windows Group Policy

Figure 4-7 Group Policy strategy using universal groups (Courtesy Course Technology/Cengage Learning)

Page 16: Windows Group Policy

Redirecting Placement of New Accounts

• All new computers joined to the domain
  – Automatically added to the Computers container
• User accounts created without specifying the OU
  – Placed in the Users container by default
• Redircmp and redirusr commands
  – Redirect new account placement
• Distinguished name (DN)
  – Uniquely identifies objects in any Lightweight Directory Access Protocol (LDAP)-based directory
  – Three most common elements: CN, OU, DC


Page 17: Windows Group Policy

Redirecting Placement of New Accounts (cont’d.)

• Example: full DN of the AR OU (a child of the Accounting OU) within the Cengage.com domain
  – OU=AR,OU=Accounting,DC=Cengage,DC=com
• Ensure all new computers joined to the Cengage.com domain
  – Added to the NewComputers OU
  – redircmp OU=NewComputers,DC=Cengage,DC=com
• Ensure users created without specifying a target OU
  – Created in the NewUsers OU
  – redirusr OU=NewUsers,DC=Cengage,DC=com

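The redirection described on the two slides above, as an added PowerShell example that is not part of the textbook or its activities. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3.0 or later, builds the target DNs from the domain's own distinguished name instead of typing DC=Cengage,DC=com by hand, checks that the NewComputers and NewUsers OUs exist, and reports afterwards where Get-ADDomain says new accounts now land. The function Redirect-NewAccountPlacement and its parameter names are this example's own.

```powershell
# Added example (not from the textbook). Needs the ActiveDirectory module
# (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3.0+. Run as a member
# of Domain Admins; redircmp/redirusr also need a domain functional level of at
# least Windows Server 2003. NewComputers and NewUsers are the slide's OU names.
Import-Module ActiveDirectory

# Report where new computer and user accounts currently land. Until redirected,
# Get-ADDomain reports the CN=Computers and CN=Users containers, which no GPO
# can be linked to.
function Get-DefaultAccountContainers {
    $domain = Get-ADDomain
    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        ComputersContainer  = $domain.ComputersContainer
        UsersContainer      = $domain.UsersContainer
        ComputersRedirected = ($domain.ComputersContainer -notlike 'CN=Computers,*')
        UsersRedirected     = ($domain.UsersContainer -notlike 'CN=Users,*')
    }
}

# Build the target DNs from the domain's DN, confirm both OUs exist, then either
# display or run the two console commands.
function Redirect-NewAccountPlacement {
    param(
        [string]$ComputersOu = 'NewComputers',
        [string]$UsersOu     = 'NewUsers',
        [switch]$Apply          # without -Apply the commands are only displayed
    )
    $domainDn   = (Get-ADDomain).DistinguishedName      # e.g. DC=Cengage,DC=com
    $computerDn = "OU=$ComputersOu,$domainDn"
    $userDn     = "OU=$UsersOu,$domainDn"

    foreach ($dn in @($computerDn, $userDn)) {
        try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
        catch { throw "Target OU does not exist, create it first: $dn" }
    }

    # No spaces after the commas in the DN: the console tools would otherwise
    # see several arguments instead of one distinguished name.
    $commands = @(
        @{ Tool = 'redircmp.exe'; Dn = $computerDn },
        @{ Tool = 'redirusr.exe'; Dn = $userDn }
    )
    foreach ($c in $commands) {
        if ($Apply) { & $c.Tool $c.Dn }
        else        { 'Would run: {0} {1}' -f $c.Tool, $c.Dn }
    }
    Get-DefaultAccountContainers
}

# Preview only; add -Apply to change the domain.
Redirect-NewAccountPlacement
```

Running Get-DefaultAccountContainers on its own is a quick audit: a domain whose ComputersRedirected is false still drops every newly joined machine into a container that receives only domain-level GPOs.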

Page 18: Windows Group Policy


Reviewing Group Policy Basics

• Group Policy tool
  – Automates user and computer management
• Topics covered:
  – Group Policy scope
  – Group Policy inheritance and order of precedence
  – Group Policy setting categories
  – Default Group Policies
  – Group Policy Management Console
  – Starter GPOs

Page 19: Windows Group Policy


Group Policy Scope

• GPO applied to a site, a domain, or an OU
  – Applies to all user and computer objects at that level
• GPO applied to a site can affect:
  – One or more domains
  – Part of a domain
  – Entire domain

Page 20: Windows Group Policy

Figure 4-8 Comparing sites and groups with Group Policy (Courtesy Course Technology/Cengage Learning)

Page 21: Windows Group Policy


Group Policy Scope (cont’d.)

• Can have a single domain in a single site
  – No difference between linking a GPO to the site or linking the GPO to the domain
• GPOs linked to the domain
  – Apply to all objects in the domain
    • Including objects in the Users and Computers containers
• Common to link GPOs to OUs
  – Applies to:
    • All objects in that OU
    • All objects in child OUs (by default)

Page 22: Windows Group Policy

Figure 4-9 Identifying the scope of GPOs assigned to OUs (Courtesy Course Technology/Cengage Learning)

Page 23: Windows Group Policy


GPO Inheritance and Order of Precedence

• GPOs applied at the domain level
  – Inherited by all OUs in the domain
  – Applied to the Users and Computers containers in the domain
• GPOs applied to a parent OU
  – Apply to all child OUs
    • Occurs because of GPO inheritance
  – Unless the Block Inheritance option is used
• GPO inheritance
  – GPO settings applied at higher levels
    • Inherited and applied at lower levels

Page 24: Windows Group Policy


GPO Inheritance and Order of Precedence (cont’d.)

• GPO order of precedence
  – How Group Policy is applied
  – What settings take precedence
    • If there are problems with two conflicting settings
• Order of precedence (GPOs are applied in this order, so a later level wins a conflict):
  – Site
  – Domain
  – Parent OUs
  – Child OUs

Page 25: Windows Group Policy

Figure 4-10 Group Policy and order of precedence (Courtesy Course Technology/Cengage Learning)

Page 26: Windows Group Policy


GPO Inheritance and Order of Precedence (cont’d.)

• Figure 4-10 summary
  – IT OU: Telnet service disabled (GPO1 wins)
  – Computers container: Telnet service disabled (GPO1 wins)
  – Sales OU: Telnet service enabled (GPO2 wins)
  – Direct OU: Telnet service disabled (GPO3 wins)

Page 27: Windows Group Policy


Group Policy Setting Categories

• Commonly used categories of GPO settings
  – Software settings
  – Windows settings
  – Security settings
  – Administrative templates
  – Preferences

Page 28: Windows Group Policy


Default Group Policies

• Promotion of the first server in the domain to a domain controller
  – Two default Group Policy objects created
    • Default Domain Policy
    • Default Domain Controllers Policy
• Policies have several different settings
  – Mostly related to security
• Policies provide a starting point
• Policies can be modified
• Additional Group Policies can be added

Page 29: Windows Group Policy

Figure 4-11 Group Policy Management Console showing the Default Domain Policy (Courtesy Course Technology/Cengage Learning)

Page 30: Windows Group Policy


Default Group Policies (cont’d.)

• Default Domain Policy
  – Linked at the domain level
  – Applies to all users and computers in the domain
• Default Domain Controllers Policy
  – Linked to the Domain Controllers OU
  – Has more stringent security applied
    • Adds a stronger layer of security for domain controllers

Page 31: Windows Group Policy


Group Policy Management Console

• Group Policy Management Console (GPMC)
  – Primary tool used to create and manipulate Group Policy
• GPMC tasks
  – Create and modify GPOs
  – Link and unlink GPOs
  – Modify advanced options
    • Enforced and Block Inheritance

Page 32: Windows Group Policy


Group Policy Management Console (cont’d.)

• GPMC tasks (cont’d.)
  – Modify permissions on GPOs
  – View the settings of GPOs
  – Back up and restore GPOs
  – Plan and document GPOs

Page 33: Windows Group Policy


Starter GPOs

• Templates of GPOs
  – Can accelerate the use of GPOs in an organization
• Collections of preconfigured Administrative Templates
  – Only include settings within the Administrative Templates node of a Group Policy
• Can create Starter GPOs
• Can download preconfigured Starter GPOs
  – Add them to the GPMC
• Activity 4-3: Applying a Starter GPO

Page 34: Windows Group Policy

Figure 4-12 Adding a Starter GPO cabinet file to the GPMC (Courtesy Course Technology/Cengage Learning)

Page 35: Windows Group Policy

Figure 4-13 Viewing the Starter GPO settings (Courtesy Course Technology/Cengage Learning)

Page 36: Windows Group Policy


Group Policy Settings

• Group Policy settings covered:
  – Device installation restrictions
  – Restricting group membership
  – Deploying applications
  – Internet Explorer proxy settings
  – Implementing printer location policies
  – Configuring IPSec settings

Page 37: Windows Group Policy


Device Installation Restrictions

• Most risky device in an organization
  – USB flash drive
• Organizations seek ways to control device installation
• Group Policy
  – Provides several settings to restrict installation of devices and/or device drivers

Page 38: Windows Group Policy


Device Installation Restrictions (cont’d.)

• Settings
  – Allow administrators to override Device Installation Restriction policies
  – Allow installation of devices using drivers that match these device setup classes
  – Prevent installation of devices using drivers that match these device setup classes
  – Display a custom message when installation is prevented by policy (balloon text)
  – Display a custom message when installation is prevented by policy (balloon title)

Page 39: Windows Group Policy

Figure 4-14 Identifying a Device Class GUID using Device Manager (Courtesy Course Technology/Cengage Learning)

Page 40: Windows Group Policy


Device Installation Restrictions (cont’d.)

• Settings (cont’d.)
  – Allow installation of devices that match any of these device IDs
  – Prevent installation of devices that match any of these device IDs
  – Prevent installation of removable devices
  – Prevent installation of devices not described by other policy settings
• Settings policy can prevent new device installation
  – Settings won’t stop devices already installed
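The device setup class GUIDs and device IDs that the settings on slides 38 to 40 ask for can be collected from a machine rather than read off Device Manager one device at a time. The following PowerShell is an added example, not the textbook's, and is also not tied to any activity in it; it assumes PowerShell 3.0 or later, uses the Win32_PnPEntity WMI class, and reads the applied policy from the registry key that the Device Installation Restrictions settings write to (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions). The function names are this example's own. Because the slide notes that the policy does not remove devices already installed, the last function reports which present devices would have been refused as a new installation.

```powershell
# Added example (not from the textbook). Inventories present devices with their
# setup class GUID and hardware IDs (the values the "device setup classes" and
# "device IDs" settings expect) and reads back the Device Installation Restriction
# policy applied locally. Run on a domain-joined client after gpupdate. PowerShell 3.0+.

# Present devices whose instance ID starts with the given bus prefix (USB\ by default).
function Get-DeviceClassInventory {
    param([string]$DeviceIdPrefix = 'USB')
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like "$DeviceIdPrefix\*" } |
        Select-Object Name, ClassGuid, DeviceID, HardwareID |
        Sort-Object ClassGuid, Name
}

# A policy list (classes or IDs) is stored as a subkey with values named 1, 2, 3, ...
function Get-PolicyListValues {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-Item -Path $Key
    $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $item.GetValue($_) }
}

function Get-DeviceInstallRestrictionPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return $null }            # no restriction policy applied
    $v = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DenyRemovableDevices = [bool]$v.DenyRemovableDevices # "Prevent installation of removable devices"
        DenyUnspecified      = [bool]$v.DenyUnspecified      # "...devices not described by other policy settings"
        AllowAdminInstall    = [bool]$v.AllowAdminInstall    # "Allow administrators to override..."
        DeniedClasses        = @(Get-PolicyListValues "$base\DenyDeviceClasses")
        DeniedDeviceIds      = @(Get-PolicyListValues "$base\DenyDeviceIDs")
        AllowedClasses       = @(Get-PolicyListValues "$base\AllowDeviceClasses")
        AllowedDeviceIds     = @(Get-PolicyListValues "$base\AllowDeviceIDs")
    }
}

# Which devices present now would the policy refuse as a new installation?
# Already-installed devices keep working (slide 40), so this shows the gap between
# what is plugged in today and what the policy will block from now on. Matching is
# by exact class GUID and by hardware ID; Windows also matches compatible IDs,
# which are not checked here.
function Test-DevicesAgainstPolicy {
    $policy = Get-DeviceInstallRestrictionPolicy
    if (-not $policy) { Write-Warning 'No device installation restriction policy applied'; return }
    foreach ($dev in Get-DeviceClassInventory) {
        $guid    = "$($dev.ClassGuid)".ToLower()
        $byClass = @($policy.DeniedClasses   | Where-Object { $_.ToLower() -eq $guid })
        $byId    = @($policy.DeniedDeviceIds | Where-Object { $dev.HardwareID -contains $_ })
        $reason  = if ($byClass.Count) { 'setup class' } elseif ($byId.Count) { 'device ID' } else { '' }
        [pscustomobject]@{
            Name      = $dev.Name
            ClassGuid = $dev.ClassGuid
            WouldDeny = ($reason -ne '')
            Reason    = $reason
        }
    }
}

Get-DeviceInstallRestrictionPolicy | Format-List
Test-DevicesAgainstPolicy | Format-Table -AutoSize
```

Comparing the inventory across a sample of machines before the GPO is linked shows which classes (for example the USB storage class) the "prevent" lists should name and which already-installed devices will quietly remain in use.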

Page 41: Windows Group Policy

Figure 4-15 Controlling the use of removable storage devices (Courtesy Course Technology/Cengage Learning)

Page 42: Windows Group Policy

Restrict Group Membership

• Restrict Group Membership setting
  – Useful to control group membership in AD
• Group Policy checks group membership
  – If an extra member has been added
    • Group Policy removes the member
  – If a member that should be in the group has been removed
    • Group Policy adds the member
• Group Policy applied every 90 to 120 minutes
  – Use the GPUpdate /force command for an immediate refresh


Page 43: Windows Group Policy

Restrict Group Membership (cont’d.)

• Activity 4-4: Implementing Restricted Groups


Figure 4-16 Restricting the membership of the Domain Admins group (Courtesy Course Technology/Cengage Learning)
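Restricted Groups performs the comparison described on slide 42 at every refresh and silently corrects the group. The following PowerShell is an added example, not the textbook's Activity 4-4, that makes the same comparison read-only so that an unexpected member of a group such as Domain Admins (Figure 4-16) is reported rather than removed and forgotten before anyone looks. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and an expected member list; the function names and the member names in the usage line are constructed.

```powershell
# Added example (not from the textbook). Restricted Groups re-applies its member
# list at every policy refresh (90 to 120 minutes, or at once with gpupdate /force).
# This does the same comparison without changing anything, so drift is reported.
# Needs the ActiveDirectory module and PowerShell 3.0+; expected names are constructed.
Import-Module ActiveDirectory

function Compare-RestrictedGroupMembership {
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        [Parameter(Mandatory=$true)][string[]]$ExpectedMembers   # sAMAccountNames the policy enforces
    )
    # Direct members only: that is also what the "Members of this group" list controls.
    $actual  = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.SamAccountName })
    $extra   = @($actual          | Where-Object { $ExpectedMembers -notcontains $_ })  # policy would remove
    $missing = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })           # policy would add back
    [pscustomobject]@{
        Group    = $Group
        Extra    = $extra
        Missing  = $missing
        InPolicy = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Every extra member deserves a ticket: it is either a manual change that the
# policy is about to undo, or an addition nobody authorized.
function Write-MembershipDrift {
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        [Parameter(Mandatory=$true)][string[]]$ExpectedMembers
    )
    $r = Compare-RestrictedGroupMembership -Group $Group -ExpectedMembers $ExpectedMembers
    if ($r.InPolicy) {
        '{0}: membership matches policy' -f $Group
        return $r
    }
    foreach ($m in $r.Extra)   { Write-Warning ("{0}: unexpected member '{1}' (policy will remove it)" -f $Group, $m) }
    foreach ($m in $r.Missing) { Write-Warning ("{0}: expected member '{1}' is absent (policy will add it)" -f $Group, $m) }
    return $r
}

# Constructed expected list for the Domain Admins group of Figure 4-16.
Write-MembershipDrift -Group 'Domain Admins' -ExpectedMembers 'Administrator', 'da-jdoe'
# To re-apply the Restricted Groups policy at once instead of waiting for the
# refresh interval, run on the affected computer:  gpupdate /target:computer /force
```

Scheduling the check every few minutes on a domain controller closes the window between a membership change and the next refresh, during which an unexpected member of Domain Admins is otherwise effective.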

Page 44: Windows Group Policy


Deploying Applications

• Must be packaged as:
  – Windows Installer file (.msi)
  – Transform file (.mst)
  – Patch file (.msp)
• Large organizations will use more sophisticated enterprise applications
  – System Center Configuration Manager (SCCM)
• Any organization can use Group Policy to deploy applications

Page 45: Windows Group Policy


Deploying Applications (cont’d.)

• Two methods
  – Assigned
  – Published
• Applications assigned or published to users
  – Can also be installed through file extension activation

Page 46: Windows Group Policy

Figure 4-17 Deploying the same application to different sites (Courtesy Course Technology/Cengage Learning)

Page 47: Windows Group Policy


Deploying Applications (cont’d.)

• Activity 4-5: Deploying an Application

Figure 4-18 Deploying the same application to different sites (Courtesy Course Technology/Cengage Learning)

Page 48: Windows Group Policy


Internet Explorer Proxy Settings

• Proxy server
  – Middleman that retrieves data from the Internet
• Proxy server benefits
  – Network Address Translation (NAT)
  – Caching
    • Conserves bandwidth
  – Site access restrictions
• Often used in corporate networks
  – Clients need to be configured to use them

Page 49: Windows Group Policy

Figure 4-19 Configuring a proxy server in IE (Courtesy Course Technology/Cengage Learning)

Page 50: Windows Group Policy


Internet Explorer Proxy Settings (cont’d.)

• Activity 4-6: Implementing Internet Explorer Proxy Server Settings

Figure 4-20 Configuring proxy server settings via a GPO (Courtesy Course Technology/Cengage Learning)

Page 51: Windows Group Policy


Printer Location Policies

• Implemented to provide users with a list of printers
  – Close to them in an office
• Users can see the location of the printer in the search results
• Primary Group Policy setting to enable printer locations
  – Called “Pre-populate printer search location text”

Page 52: Windows Group Policy

Figure 4-21 Configuring printer location settings (Courtesy Course Technology/Cengage Learning)

Page 53: Windows Group Policy


Printer Location Policies (cont’d.)

• Configuring the setting to Enabled
  – Enables the Location Tracking feature
• Additional required steps
  – Ensure network IP addressing corresponds to the physical layout
  – Site and subnet objects created in Active Directory Sites and Services
    • Must match actual sites in the organization
  – Naming convention follows a format of location\location
    • Entered in the site, subnet, and printer properties

Page 54: Windows Group Policy


IPSec

• Internet Protocol Security (IPSec) protocol
  – Provides both confidentiality and authentication
    • When data is transmitted on a network
• Provides confidentiality by encrypting the data
  – Uses Encapsulating Security Payload (ESP)
• Provides authentication with an Authentication Header (AH)
• Used with Network Access Protection (NAP)

Page 55: Windows Group Policy

Figure 4-22 Default IPSec policies (Courtesy Course Technology/Cengage Learning)

Page 56: Windows Group Policy


IPSec (cont’d.)

• Three default policies
  – Client (Respond Only)
  – Server (Request Security)
  – Secure Server (Require Security)
• When IPSec is needed
  – Not uncommon to configure a GPO at the domain level with the Client (Respond Only) policy
    • All clients can communicate using IPSec
  – Specific systems will have a GPO applied with the Secure Server (Require Security) IPSec policy

Page 57: Windows Group Policy


Manipulating GPO Deployments with Advanced Options

• Advanced options covered
  – Enforcing GPOs
  – Blocking Inheritance
  – Filtering GPOs
  – Loopback processing

Page 58: Windows Group Policy


Blocking Inheritance

• Might not want inherited Group Policies to apply to an OU
  – Achieved by setting Block Inheritance
• Group Policy design using Block Inheritance
  – Can only block inheritance at the OU level
  – All inherited GPOs blocked
  – GPOs applied directly to the OU still apply

Page 59: Windows Group Policy

Figure 4-23 Configuring Block Inheritance (Courtesy Course Technology/Cengage Learning)

Page 60: Windows Group Policy


Enforcing GPOs

• May have policies that should not be:
  – Overwritten due to conflicts
  – Blocked by the Block Inheritance setting
• Use the Enforced option
• Two points about the Enforced option
  – Enforced can only be set on a per-GPO basis
  – Settings in the enforced GPO
    • Cannot be overwritten or blocked

Page 61: Windows Group Policy

Figure 4-24 Configuring the Enforced option (Courtesy Course Technology/Cengage Learning)

Page 62: Windows Group Policy


Filtering GPOs

• Filter a GPO to apply it to a select group of users based on group membership
• Two most important permissions to understand
  – Read
  – Apply Group Policy
• A GPO can be filtered in two ways
  – Select Deny for Apply Group Policy
  – Remove the Authenticated Users group and add another group

Page 63: Windows Group Policy

Figure 4-25 Viewing the underlying permissions for a Group Policy (Courtesy Course Technology/Cengage Learning)

Page 64: Windows Group Policy


Filtering GPOs (cont’d.)

• Advanced permissions page
  – Can be used to manually assign permissions
  – Not needed to remove the Authenticated Users group and add another group

Page 65: Windows Group Policy

Figure 4-26 Viewing the underlying permissions for a Group Policy (Courtesy Course Technology/Cengage Learning)

Page 66: Windows Group Policy


Filtering GPOs (cont’d.)

• Activity 4-7: Filtering a GPO

Figure 4-27 Filtering the Domain Admins group for a GPO (Courtesy Course Technology/Cengage Learning)
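The Read and Apply Group Policy permissions from slides 62 to 66 can be inspected and changed from PowerShell as well as from the GPMC Delegation tab. The following is an added example, not the textbook's Activity 4-7; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3.0 or later, and the GPO name "Sales Lockdown" and group G_SalesUsers are constructed. It implements the second filtering method on slide 62 (grant the chosen group Apply, take Apply away from Authenticated Users) with one caveat the 2008-era slide predates: Authenticated Users keeps Read, because since the MS16-072 change (2016) the computer account reads user-side GPOs, and a GPO that Authenticated Users cannot read is applied to no one. The last function is an audit over all GPOs in the domain.

```powershell
# Added example (not from the textbook). Needs the GroupPolicy module (Windows
# Server 2008 R2 or later, or RSAT) and PowerShell 3.0+. GPO and group names are
# constructed. Get-GPPermission returns the same Read / Apply Group Policy entries
# that the GPMC Delegation tab and Figure 4-25 show.
Import-Module GroupPolicy

# Who is in scope? Only trustees holding GpoApply (which includes Read) without an
# explicit Deny receive the GPO.
function Get-GpoApplyScope {
    param([Parameter(Mandatory=$true)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission, Denied
}

# Second method from slide 62: give the chosen group Apply and reduce Authenticated
# Users to Read. Read is kept on purpose (see MS16-072): removing it entirely stops
# the computer account from reading the GPO's user settings.
function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Get-GpoApplyScope -GpoName $GpoName
}

# Audit: for every GPO in the domain, who can apply it. A GPO nobody can apply has
# been filtered too far; a GPO still applied to Authenticated Users is unfiltered.
function Get-GpoFilterOverview {
    foreach ($gpo in Get-GPO -All) {
        $perms   = Get-GPPermission -Name $gpo.DisplayName -All
        $applyTo = @($perms |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name })
        [pscustomobject]@{
            GPO           = $gpo.DisplayName
            AppliesTo     = ($applyTo -join ', ')
            NoOneCanApply = ($applyTo.Count -eq 0)
            Unfiltered    = ($applyTo -contains 'Authenticated Users')
        }
    }
}

Set-GpoSecurityFilter -GpoName 'Sales Lockdown' -GroupName 'G_SalesUsers'
Get-GpoFilterOverview | Sort-Object GPO | Format-Table -AutoSize
```

Get-GpoFilterOverview run on a schedule catches the two common filtering mistakes: a lockdown GPO from which Apply was removed for everyone, and a GPO that was meant for one group but still applies to all Authenticated Users.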

Page 67: Windows Group Policy


WMI Filtering

• Windows Management Instrumentation (WMI) filtering
  – Used to control how GPOs are applied
  – Allows the inspection of systems
    • Look for specific conditions on a computer
  – Widely used with scripting
• WMI filter used with a GPO
  – GPO only applied if the WMI filter condition is met

Page 68: Windows Group Policy


WMI Filtering (cont’d.)

• Works on any computer running Windows XP or later
  – Not Windows 2000
• Can create a WMI filter to identify the operating system
• Most common use of WMI filters
  – Exception management
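A WMI filter is a WQL query, and the GPO is applied only where the query returns at least one object, so the query can be tried on a sample machine before it is attached to a GPO. The following PowerShell is an added example that is not from the textbook; the sample filters (operating system by ProductType, NT 6.x by version string, low-memory machines, and one deliberately broken query) are constructed, the function names are this example's own, and PowerShell 3.0 or later is assumed. The version filter also shows a caveat: Win32_OperatingSystem.Version is a string, so a numeric comparison such as >= '6.0' sorts '10.0' before '6.0'.

```powershell
# Added example (not from the textbook). A WMI filter is a WQL query in a namespace
# (root\CIMv2 by default); the GPO applies only where the query returns at least one
# object. Test-WmiFilterQuery runs a query locally (or against -ComputerName) so the
# condition is verified before it is linked to a GPO. PowerShell 3.0+.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory=$true)][string]$Query,
        [string]$Namespace    = 'root\CIMv2',
        [string]$ComputerName = '.'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
        [pscustomobject]@{ Matches = $hits.Count; GpoWouldApply = ($hits.Count -gt 0); Error = '' }
    } catch {
        # A query that cannot be evaluated (bad class name, bad syntax) is treated as
        # false: the GPO is silently skipped, so a test like this is the only warning.
        [pscustomobject]@{ Matches = 0; GpoWouldApply = $false; Error = $_.Exception.Message }
    }
}

# Constructed sample filters of the kind used for exception management.
$sampleFilters = [ordered]@{
    # Client operating systems only: ProductType 1 = workstation, 2 = DC, 3 = server.
    'Workstations'  = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
    # Member servers (not domain controllers), e.g. to keep a client lockdown off them.
    'MemberServers' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'
    # Version is a string in WMI: compare with LIKE per major version, not with >=
    # ('10.0' sorts before '6.0' as text). Matches Vista/2008 through 8.1/2012 R2.
    'NT6Family'     = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.%'"
    # Machines with under 2 GB of RAM: an exception from a large software deployment.
    'LowMemory'     = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory < 2147483648'
    # Deliberately broken (misspelled class), to show how a typo reports.
    'BrokenFilter'  = 'SELECT * FROM Win32_OperatingSystm WHERE ProductType = 1'
}

function Test-SampleFilters {
    foreach ($name in $sampleFilters.Keys) {
        Test-WmiFilterQuery -Query $sampleFilters[$name] |
            Add-Member -NotePropertyName Filter -NotePropertyValue $name -PassThru
    }
}

Test-SampleFilters | Format-Table Filter, GpoWouldApply, Matches, Error -AutoSize
```

Running the same function with -ComputerName against one machine from each class (a workstation, a member server, a domain controller) before linking the filter confirms that the exception excludes exactly the systems intended and nothing else.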

Page 69: Windows Group Policy


Loopback Processing

• Allows GPO settings for a computer to override the settings applied to a user
• Any computer
  – Can have multiple GPOs applied
    • Based on the site, domain, and OU of the computer object
  – Conflict resolution
    • Last GPO applied wins
• Any user
  – Can have multiple GPOs applied
  – Conflict resolution
    • Last GPO applied wins

Page 70: Windows Group Policy


Loopback Processing (cont’d.)

• Conflicts between GPOs applying to the computer and GPOs applying to the user
  – Resolved in favor of the user settings
• This conflict resolution may not be desirable
  – Example: a computer placed in a public place for company employees

Page 71: Windows Group Policy


Loopback Processing (cont’d.)

• GPOs could be applied for a public computer and a user in the IT Admins group
  – Public computer:
    • GPO1 applied to ensure tight security for this computer
  – User in the IT Admins group:
    • GPO2 applied to unlock most of the settings locked down on the public computer
• Use loopback processing to:
  – Ensure the public computer stays locked down
    • No matter who accesses it

Page 72: Windows Group Policy


Loopback Processing (cont’d.)

• Loopback processing mode
  – Two possible settings when enabled
    • Replace
    • Merge
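The rules spread over slides 24 to 26 (order of precedence and the Figure 4-10 results), slides 58 to 60 (Block Inheritance and Enforced) and slides 69 to 72 (loopback Replace and Merge) can be exercised together in a small model. The following PowerShell is an added example and not the textbook's code: the containers, GPO names and settings are constructed, the placement of GPO1, GPO2 and GPO3 is an assumption chosen to reproduce the slide 26 results (GPO1 at the domain, GPO2 at the Sales OU, GPO3 at its child Direct OU), and the public-computer scenario uses a made-up HideControlPanel setting. PowerShell 3.0 or later is assumed; nothing here touches Active Directory.

```powershell
# Added example (not from the textbook): a model of how a winning setting is chosen.
# Site, domain, parent OU, child OU is the order of application, so the last GPO
# applied wins a conflict; Block Inheritance on a container drops the non-enforced
# GPOs linked above it; Enforced GPOs are applied last and cannot be blocked;
# loopback decides which chain supplies the user settings. All names are constructed.

function New-Gpo {
    param([string]$Name, [hashtable]$Settings, [switch]$Enforced)
    [pscustomobject]@{ Name = $Name; Settings = $Settings; Enforced = [bool]$Enforced }
}
function New-Container {
    param([string]$Name, [object[]]$Links = @(), [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

# GPOs in the order applied along a chain listed from the site down to the
# container that holds the object.
function Get-GpoApplicationOrder {
    param([object[]]$Chain)
    $normal = @(); $enforced = @()
    foreach ($container in $Chain) {
        if ($container.BlockInheritance) { $normal = @() }        # inherited, non-enforced links dropped
        foreach ($gpo in $container.Links) {
            if ($gpo.Enforced) { $enforced = @($gpo) + $enforced } # higher-level enforced applied last, so it wins
            else               { $normal += $gpo }
        }
    }
    return @($normal) + @($enforced)
}

# Later GPOs overwrite earlier ones, setting by setting.
function Get-EffectiveSettings {
    param([object[]]$AppliedGpos)
    $effective = @{}
    foreach ($gpo in @($AppliedGpos)) {
        if (-not $gpo) { continue }
        foreach ($key in $gpo.Settings.Keys) { $effective[$key] = $gpo.Settings[$key] }
    }
    return $effective
}

# User settings under loopback. None: the user's own chain. Replace: only the GPOs of
# the computer's chain. Merge: user's chain first, then the computer's chain on top,
# so the computer's settings win every conflict.
function Resolve-UserSettings {
    param([object[]]$UserChain, [object[]]$ComputerChain,
          [ValidateSet('None','Replace','Merge')][string]$Loopback = 'None')
    $userGpos     = @(Get-GpoApplicationOrder -Chain $UserChain)
    $computerGpos = @(Get-GpoApplicationOrder -Chain $ComputerChain)
    $applied = switch ($Loopback) {
        'None'    { $userGpos }
        'Replace' { $computerGpos }
        'Merge'   { $userGpos + $computerGpos }
    }
    return Get-EffectiveSettings -AppliedGpos $applied
}

function Show-Telnet {
    param([string]$Label, [object[]]$Chain)
    $order = @(Get-GpoApplicationOrder -Chain $Chain)
    $eff   = Get-EffectiveSettings -AppliedGpos $order
    $value = if ($eff.ContainsKey('Telnet')) { $eff.Telnet } else { 'not configured' }
    '{0,-36} applied: {1,-16} Telnet = {2}' -f $Label, (($order | ForEach-Object { $_.Name }) -join ','), $value
}

# Figure 4-10 as assumed here: GPO1 at the domain, GPO2 at Sales, GPO3 at Direct (child of Sales).
$gpo1 = New-Gpo 'GPO1' @{ Telnet = 'Disabled' }
$gpo2 = New-Gpo 'GPO2' @{ Telnet = 'Enabled' }
$gpo3 = New-Gpo 'GPO3' @{ Telnet = 'Disabled' }
$site   = New-Container 'Default-First-Site'
$domain = New-Container 'Cengage.com' @($gpo1)
$it     = New-Container 'IT'
$sales  = New-Container 'Sales' @($gpo2)
$direct = New-Container 'Direct' @($gpo3)
Show-Telnet 'IT OU'     @($site, $domain, $it)                # GPO1 wins: Disabled
Show-Telnet 'Sales OU'  @($site, $domain, $sales)             # GPO2 wins: Enabled
Show-Telnet 'Direct OU' @($site, $domain, $sales, $direct)    # GPO3 wins: Disabled

# Block Inheritance on IT drops GPO1, leaving nothing configured there.
Show-Telnet 'IT OU, Block Inheritance' @($site, $domain, (New-Container 'IT' -BlockInheritance))
# An enforced GPO1 survives the block on Sales and is applied after GPO2, so Disabled wins.
$gpo1Enforced = New-Gpo 'GPO1' @{ Telnet = 'Disabled' } -Enforced
$salesBlocked = New-Container 'Sales' @($gpo2) -BlockInheritance
Show-Telnet 'Sales OU, GPO1 enforced, blocked' @($site, (New-Container 'Cengage.com' @($gpo1Enforced)), $salesBlocked)

# Loopback (slides 70 and 71): public computer GPO versus the IT Admins user GPO.
$publ = New-Gpo 'GPO1-PublicPC' @{ HideControlPanel = 'Enabled' }
$adm  = New-Gpo 'GPO2-ITAdmins' @{ HideControlPanel = 'Disabled' }
$computerChain = @($site, $domain, (New-Container 'PublicComputers' @($publ)))
$userChain     = @($site, $domain, (New-Container 'ITAdmins' @($adm)))
foreach ($mode in 'None', 'Replace', 'Merge') {
    $u = Resolve-UserSettings -UserChain $userChain -ComputerChain $computerChain -Loopback $mode
    'Loopback {0,-7} HideControlPanel = {1}' -f $mode, $u.HideControlPanel  # None: Disabled; Replace, Merge: Enabled
}
```

The model is deliberately simpler than Windows (it ignores link order within one container, security filtering and WMI filters), but it makes the two design rules on these slides concrete: an enforced GPO linked high in the tree is the only way to guarantee a setting against a Block Inheritance placed lower, and loopback Replace is the only mode in which nothing from the user's own OUs reaches a public computer.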

Page 73: Windows Group Policy

Figure 4-28 Using loopback processing (Courtesy Course Technology/Cengage Learning)

Page 74: Windows Group Policy


Fine-Grained Account Policies

• Significant addition to Windows Server 2008
  – Allows more than one account policy within a single domain
• Prior to Windows Server 2008
  – Need for a group of users to have a more stringent account policy
    • Handled with a separate domain
• Three groups of Account Policies settings
  – Password Policy
  – Account Lockout Policy
  – Kerberos Policy

Page 75: Windows Group Policy

Figure 4-29 Account policies configured in the Default Domain Policy (Courtesy Course Technology/Cengage Learning)

Page 76: Windows Group Policy


Requirements for Fine-Grained Policies

• Can support fine-grained policies
  – When the domain functional level is raised to Windows Server 2008
    • Allows some organizations to consolidate multiple-domain forests to single-domain forests
• Requirement
  – All domain controllers in the domain
    • Must be running at least Windows Server 2008

Page 77: Windows Group Policy


Requirements for Fine-Grained Policies (cont’d.)

• For extra domains specifically designed to support extra account policies:
  – Upgrade all DCs in the target domain
    • To Windows Server 2008
  – Raise the domain functional level to Windows Server 2008
  – Create a fine-grained policy
  – Migrate accounts to the target domain
  – Delete the older domain

Page 78: Windows Group Policy


Requirements for Fine-Grained Policies (cont’d.)

• Password settings object (PSO)
  – Created to implement a fine-grained policy
• To create a PSO
  – Must be a member of the Domain Admins group

Page 79: Windows Group Policy


Creating Fine-Grained Policies

• Two-step process
  – Create a PSO
  – Link the PSO to a group
• Not recommended
  – Linking the PSO to individual users
  – Assigning permissions to individual users
    • Use groups instead of users
• Active Directory Service Interfaces Editor (ADSI Edit) tool
  – Used to create PSOs

Page 80: Windows Group Policy


Creating Fine-Grained Policies (cont’d.)

• Several attributes must be entered

Table 4-1 PSO “mustHave” attributes

Page 81: Windows Group Policy


Creating Fine-Grained Policies (cont’d.)

• Activity 4-8: Creating and Applying a PSO

Figure 4-30 Accessing the Password Settings Container in ADSI Edit (Courtesy Course Technology/Cengage Learning)

Page 82: Windows Group Policy

Figure 4-31 Linking the PSO to the G_Researchers group (Courtesy Course Technology/Cengage Learning)
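The two-step process of slides 79 to 82 (create the PSO with its required attributes, link it to a group) can be done from PowerShell instead of ADSI Edit. The following is an added example and not the textbook's Activity 4-8: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), PowerShell 3.0 or later, Domain Admins membership and the Windows Server 2008 domain functional level. G_Researchers is the group from Figure 4-31; the PSO name, the policy values and the user name researcher1 are constructed. The cmdlets write the same msDS-PasswordSettings object in the Password Settings Container that ADSI Edit shows, and the verification functions answer the question the activity leaves open: which policy a given user actually ends up with.

```powershell
# Added example (not from the textbook). Creates the PSO with the Active Directory
# module rather than ADSI Edit, links it to a group, and verifies the result.
# Needs the ActiveDirectory module, PowerShell 3.0+, Domain Admins and the
# Windows Server 2008 domain functional level. Values below are constructed.
Import-Module ActiveDirectory

function New-ResearcherPasswordPolicy {
    param(
        [string]$Name       = 'PSO-Researchers',
        [string]$Group      = 'G_Researchers',
        [int]   $Precedence = 10         # lower number wins when several PSOs apply to a user
    )
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -Description 'Stricter account policy for the research group' -PassThru
    # Link to the group, never to individual users (slide 79).
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $Group
    return $pso
}

# The policy a given user actually gets. A PSO linked directly to the user wins over
# group-linked ones; among group-linked PSOs the lowest Precedence wins; with no PSO
# at all, the account settings of the Default Domain Policy apply.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Policy = $pso.Name; Precedence = $pso.Precedence
                           MinPasswordLength = $pso.MinPasswordLength; MaxPasswordAge = $pso.MaxPasswordAge }
    } else {
        $dp = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Policy = 'Default Domain Policy'; Precedence = $null
                           MinPasswordLength = $dp.MinPasswordLength; MaxPasswordAge = $dp.MaxPasswordAge }
    }
}

# Audit: every PSO with its precedence and the principals it applies to, which makes
# an accidental user-level link or a precedence tie easy to spot.
function Get-PsoOverview {
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
            ForEach-Object { '{0} ({1})' -f $_.SamAccountName, $_.ObjectClass })
        [pscustomobject]@{
            PSO        = $_.Name
            Precedence = $_.Precedence
            AppliesTo  = ($subjects -join ', ')
        }
    }
}

New-ResearcherPasswordPolicy | Out-Null
Get-PsoOverview | Format-Table -AutoSize
Get-EffectivePasswordPolicy -SamAccountName 'researcher1'   # constructed user name
```

Running Get-PsoOverview after every change is the practical check on the slide's "use groups, not users" rule: any entry whose AppliesTo column lists a user object was linked directly and will override every group-based policy for that account.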

Page 83: Windows Group Policy


Summary

• Technical reasons to create an OU
  – Delegate control to a group of users and apply GPOs
• Delegation of Control Wizard
  – Used to delegate control of OUs to groups
• Group Policy Management Console
  – Used to manage GPOs
• GPOs cannot be linked to the Users and Computers containers in Active Directory
• Redircmp and redirusr command-line commands
  – Used to redirect the default location of new accounts

Page 84: Windows Group Policy


Summary (cont’d.)

• Group Policy Objects (GPOs)
  – Can be linked to sites, domains, and OUs
  – Settings of OU GPOs take precedence over site GPO or domain GPO settings
• Two GPOs created by default in a domain
  – Default Domain Policy
  – Default Domain Controllers Policy
• Block Inheritance setting
  – Set on an OU to block all inherited GPOs
• Enforced setting configured on a GPO
  – Ensures its settings are applied within the GPO’s scope

Page 85: Windows Group Policy


Summary (cont’d.)

• Filter GPOs by modifying the permissions
• Fine-grained policies
  – Implemented when the domain functional level is Windows Server 2008
• Password settings object (PSO)
  – Created with ADSI Edit and applied to groups