
Group Policies


asasia

Presentation Transcript


  1. Group Policies Chapter 8

  2. Group Policies
     • What are group policies?
       • Grouping of settings
       • A method for establishing consistency and security on the desktop across the enterprise
       • More than 5000 settings

  3. Group Policies
     • Allows an administrator to create consistency on the network
     • Group Policy Objects (GPOs) are created using the Group Policy Management Editor (GPME)
     • GPME is invoked by using the Group Policy Management Console (GPMC)

  4. Group Policies
     • Alphabet Soup OMG!
       • GPO: Group Policy Object
       • GPME: Group Policy Management Editor
       • GPMC: Group Policy Management Console

  5. Group Policies: What can we do with Group Policies?
     • Assign startup, shutdown, logon, and logoff scripts
       • Another area for logon scripts, and for maintenance scripts as well
     • Define password, lockout and audit policies
       • Password policies are only applied at the domain level.
       • Audit who is logging on and logging off.
     • Standardize user settings
       • Display required application icons
     • Define and enforce restrictions on desktops
       • Do not allow changing of backgrounds or display settings
     • Redirect folders such as Documents
     • Rename local guest and administrator accounts

  6. Group Policy Makeup
     • A Group Policy consists of two nodes of configuration settings:
       • Computer Configuration
         • Settings are applied when the system loads the OS, prior to logon.
         • Settings always apply to the computer regardless of WHO is logging in.
       • User Configuration
         • Settings are applied after the user logs in.
         • The system cannot apply user settings until it knows who the user is.
         • In Active Directory, the User Configuration settings are applied no matter where that user is logging in.

  7. Group Policies

  8. Group Policy Objects (GPOs) and Active Directory: How does this work with Active Directory?
     • Policies are stored in Active Directory
     • AD handles replication (sharing of changes to other DCs) of policies in the Sysvol share
       • C:\windows\sysvol\sysvol
     • Removing domain-based policies undoes all changes made to the system

  9. GPOs and Active Directory: How does this work with Active Directory?
     • Create a single policy and apply it to every user or computer in the Domain or to an Organizational Unit
     • Configure a setting ONCE! Apply it 100s of times!

  10. GPOs and Active Directory

  11. GPOs and Active Directory: Are there policies already created and how can I use them?
     • There are two default policies in an Active Directory Domain
     • Microsoft suggests NOT modifying the default policies
     • Default Domain Policy
       • Found at the Domain level
     • Default Domain Controller Policy
       • Linked to the Domain Controller organizational unit.
       • Best practice is to BLOCK POLICY inheritance for this OU to prevent unwanted policies from affecting the Domain Controllers

  12. GPOs and Active Directory: Fun Facts and/or Rules (Quiz/Exam Stuff)
     • Only policy settings that are enabled are read.
     • If a policy is set to Not Defined, it is ignored.
     • If you choose to filter permissions via ACLs, none of the GPO settings will apply; it is all or nothing.
     • Policies are inherited and cumulative.
     • Policies are refreshed every 90 minutes with a 30-minute randomization
     • DCs are refreshed every 5 minutes

  13. GPOs and Active Directory
     • There are four levels at which policies are applied (LSDOU). ***Quiz material***
       • (L)ocal: local computer policy
       • (S)ite: policies linked at the site level
       • (D)omain: policies linked at the domain level (same level as the Default Domain Policy)
       • (O)rganizational (U)nit (OU): policies linked at the OU level
     • Multiple policies can be assigned to a single container. The rules are:
       • Listen to the last policy you heard from
       • Execute policies from the bottom up as they appear in the GUI

  14. GPOs and Active Directory

  15. GPOs and Active Directory
     • Policies can be applied/refreshed at the command prompt
       • gpupdate /?
       • gpupdate /force: applies both user and computer configuration policies. Sometimes requires a reboot.
     • Computer Configuration setting changes typically require a reboot
     • User Configuration setting changes typically require log off/log on

  16. GPOs and Active Directory
     • GPO naming conventions: make them consistent and easy to interpret
       • Simply use a clear name to describe the intent of the GPO
     • How significant is the number of GPOs applied?
       • 999 is the maximum number of GPOs applied
       • You have a little wiggle room

  17. GPO Troubleshooting
     • Read the Explain Text for a GPO setting
     • Remember the gpupdate /force switch
     • If you move a user/computer to a new OU, the change will not take place immediately.
       • Reboot/Logon to resolve
     • Consider using virtualization; it is especially helpful for tattooing security settings. Undo when done!

  18. Summary
     • Group Policies help create consistency across the domain. A consistent network is a manageable network.
     • Group Policies can help restrict/secure our network.
     • Group Policies have settings for both USER and COMPUTER configurations
     • The order in which GPOs are applied in AD is:
       • Local
       • Site
       • Domain
       • Organizational Unit

  19. Summary
     • Policy settings that are NOT DEFINED are simply ignored/not read.
     • The last policy that is read wins.
       • Domain policy disables requiring Ctrl-Alt-Del to log in.
       • Sales_OU Policy enables requiring Ctrl-Alt-Del to log in.
       • Which one wins and what is the effective setting? (L,S,D,OU)
     • Some policy settings can be applied by typing: gpupdate /force at the CLI.
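
The precedence rules from slides 12, 13 and 19 (LSDOU order, bottom-up link order within a container, Not Defined ignored, last policy read wins) can be checked with a small model. This is an added example, not part of the original presentation; the setting labels, the "Sales Kiosk" GPO and the local policy entry are constructed for illustration and are not real policy names.

```python
from dataclasses import dataclass

LEVELS = ["local", "site", "domain", "ou"]  # LSDOU processing order

@dataclass
class GPO:
    name: str
    settings: dict  # label -> "Enabled" / "Disabled" / None (Not Defined)

@dataclass
class Container:
    level: str   # one of LEVELS
    links: list  # linked GPOs, top to bottom as the GUI lists them

def effective_settings(containers):
    """Apply the slides' rules; return {label: (value, winning GPO name)}."""
    result = {}
    # sorted() is stable, so nested OUs keep the parent-to-child order given.
    for container in sorted(containers, key=lambda c: LEVELS.index(c.level)):
        # Bottom of the GUI list is read first, so the top link is read last.
        for gpo in reversed(container.links):
            for label, value in gpo.settings.items():
                if value is None:  # Not Defined: ignored, never overrides
                    continue
                result[label] = (value, gpo.name)  # last policy read wins
    return result

# Constructed sample data; setting labels are illustrative, not real policy names.
SAMPLE = [
    Container("ou", [
        GPO("Sales_OU Policy", {"RequireCtrlAltDel": "Enabled",
                                "LockBackground": None}),
        GPO("Sales Kiosk (constructed)", {"RequireCtrlAltDel": "Disabled",
                                          "HideDisplaySettings": "Disabled"}),
    ]),
    Container("domain", [
        GPO("Domain policy", {"RequireCtrlAltDel": "Disabled",
                              "LockBackground": "Enabled",
                              "HideDisplaySettings": "Enabled"}),
    ]),
    Container("local", [GPO("Local policy", {"LockBackground": "Disabled"})]),
]

if __name__ == "__main__":
    for label, (value, source) in sorted(effective_settings(SAMPLE).items()):
        print(f"{label}: {value} (from {source})")
```

The model covers only the rules stated on the slides; it does not model blocked inheritance or ACL filtering.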
