
Chapter 10

Chapter 10. Implementing Group Policy. Learning Objectives. Understand Group Policy concepts. Plan an effective Group Policy design. Implement Group Policy. Overview of Group Policies.

lynde

Presentation Transcript


  1. Chapter 10 Implementing Group Policy

  2. Learning Objectives • Understand Group Policy concepts • Plan an effective Group Policy design • Implement Group Policy

  3. Overview of Group Policies • Group policies are a set of configuration settings that an administrator applies to one or more objects in the Active Directory store. • A group policy consists of settings that govern how an object and its child objects behave. • Group policies provide users with a fully populated desktop environment. • Conflicts can exist between group policies and local needs.

  4. Understanding Group Policy Concepts • Windows NT 4.0 System Policies • Applied only to domains • Limited to Registry-based settings • Not written to a secure location of the Registry • Often last beyond their useful life spans • Can be applied through NT domain security groups

  5. Understanding Group Policy Concepts • Windows 2000 Group Policy • Can be applied to sites, domains, or OUs • Can be applied through domain security groups • Written to a secure section of the Registry • Removed and rewritten whenever a policy change takes place • Provide a more granular level of administrative control over a user’s environment

  6. Understanding Group Policy Concepts • Group Policy benefits • Can reduce the TCO for a Windows 2000 network • Securing user environment • Provides customized environments to meet the user’s work requirements

  7. Understanding Group Policy Concepts • Group Policy Objects (GPOs) • Local GPOs are stored on each Windows 2000 computer • Non-local GPOs are stored at the domain level within AD • GPC – Group Policy Container • GPT – Group Policy Template

  8. Understanding Group Policy Concepts • Non-local GPOs • Group Policy container includes • version information • status information • list of extensions • policy settings • Group Policy template • Folder under %Sysvol%/DomainName/Policies • Identified by its GUID

  9. Understanding Group Policy Concepts • Group Policy template information

  10. Understanding Group Policy Concepts • Group Policy template subfolders

  11. Understanding Group Policy Concepts • Group Policy template subfolders • GPT.INI • In root folder of each template • Enabled/Disabled • Version

  12. Using the Group Policy Snap-In • Computer Configuration • Applies to Computers • When system initialized • Every user • Startup/Shutdown Scripts • User Configuration • Applies to users • When logon • Logon/logoff scripts

  13. Group Policy • More than 500 settings • Software Settings • Software installation • Windows Settings • Desktop settings • Administrative Templates

  14. Group Policies • Computer settings take precedence over user settings • Computer settings take effect • After refresh interval • When OS restarted • User setting • After refresh interval • When new logon

  15. Group Policies • Policy settings • Not Configured • Processed • Enabled • Processed • Disabled • Not Processed • Local Computer policy settings • Applied as soon as they are saved

  16. Understanding Group Policy Concepts • Password Policy settings, under Windows settings • Password History • Password age • Min Length • Complexity • Encryption

  17. Understanding Group Policy Concepts • Account Lockout Policy under Windows settings • Duration • Threshold • Reset • Zero must manually reset

  18. Managing Administrative Templates • Registry based GP settings • Explanations • Can be extended with custom .adm files

  19. system.adm

      #if version >= 3
      CLASS MACHINE
      CATEGORY !!AdministrativeServices
          POLICY !!NoSecurityMenu
              KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
              EXPLAIN !!NoSecurityMenu_Help
              VALUENAME "NoNTSecurity"
          END POLICY
          POLICY !!NoDisconnectMenu
              KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
              EXPLAIN !!NoDisconnectMenu_Help
              VALUENAME "NoDisconnect"
          END POLICY

  20. Understanding Group Policy Concepts • Group Policy categories and subcategories

  21. Understanding Group Policy Concepts • Group Policy categories and subcategories

  22. Understanding Group Policy Concepts • Startup, Shutdown, Logon, and Logoff • computer policies can be applied at system startup and shutdown • user policies can be applied at logon and logoff • combinations of these policies can be used to create complex policy configurations

  23. Understanding Group Policy Concepts • AD structure and Group Policy • GPOs linked to a site apply to all domains within the site • GPOs applied to a domain apply to all users and computers within the domain • GPOs applied at the OU level apply to all users and computers within the OU • Local policies are applied first, followed by non-local policies • Non-local policies are applied in the following order: site, domain, OU

  24. Group Policy • More than 500 settings • Software Settings • Software installation • Windows Settings • Desktop settings • Administrative Templates

  25. Group Policies • Computer settings take precedence over user settings • Computer settings take effect • After refresh interval • When OS restarted • User setting • After refresh interval • When new logon

  26. Group Policies • Policy settings • Not Configured • Processed • Enabled • Processed • Disabled • Not Processed • Local Computer policy settings • Applied as soon as they are saved

  27. Understanding Group Policy Concepts • Group Policy Inheritance • No override • Prevent policies at lower level from taking precedence • Block Policy Inheritance
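The processing order from slide 23 (local, site, domain, OU) combined with the No Override and Block Policy Inheritance options from slide 27 can be worked through as a small resolver. This is an added example, not part of the presentation: the GPO names and the Sales OU are constructed, the setting names are borrowed from the system.adm slide, and the model treats a missing key as Not Configured.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str
    settings: dict             # absent key = Not Configured
    no_override: bool = False  # the "No Override" link option

@dataclass
class Container:
    level: str                 # "local", "site", "domain" or "ou"
    links: list
    block_inheritance: bool = False

def effective_policy(chain):
    """chain is ordered local, site, domain, OU (parent OUs before child OUs).
    Returns {setting: (value, winning GPO name)}."""
    # Lowest container that blocks inheritance; everything above it is cut off.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    applied = []
    for i, c in enumerate(chain):
        for link in c.links:
            # Modelled here: the local GPO and No Override links are not blocked.
            blocked = i < block_at and c.level != "local" and not link.no_override
            if not blocked:
                applied.append(link)
    result = {}
    # Normal links: processed in order, so the one closest to the object wins.
    for link in applied:
        if not link.no_override:
            result.update({k: (v, link.name) for k, v in link.settings.items()})
    # No Override links: written last, highest level written last of all.
    for link in reversed([l for l in applied if l.no_override]):
        result.update({k: (v, link.name) for k, v in link.settings.items()})
    return result

def sample_chain(block):
    """Constructed hierarchy for one user in a hypothetical Sales OU."""
    return [
        Container("local", [GpoLink("Local GPO", {"NoDisconnect": "Disabled"})]),
        Container("site", [GpoLink("Site-Std", {"NoNTSecurity": "Enabled"})]),
        Container("domain", [GpoLink("Domain-Lockdown", {"NoDisconnect": "Enabled"},
                                     no_override=True)]),
        Container("ou", [GpoLink("Sales-Desktop", {"NoDisconnect": "Disabled"})],
                  block_inheritance=block),
    ]

if __name__ == "__main__":
    for block in (False, True):
        print("Block Policy Inheritance on OU:", block, effective_policy(sample_chain(block)))
```

With blocking enabled on the OU, the site-level setting disappears while the domain GPO marked No Override still wins over the OU's conflicting value, which is why an audit of effective settings has to consider both options together.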

  28. Understanding Group Policy Concepts • Group Policy Processing • Computer vs. User Policy processing • Computer wins • Synchronous vs. Asynchronous processing • Asynchronous – Computer and User Policies applied at same time • In Case of Conflict • Install with Elevated Privileges • Must be set both in Computer and User • Periodic Policy processing • 90 minute refresh period • 30 minute offset • Force refresh with SECEDIT

  29. Group Policy Planning • Change control procedures • name of the GPO • settings that the GPO applies • whether the settings apply to computers or users • specific sites, domains, and OUs to which the GPO applies • creation and modification dates • list of changes since GPO creation • description of changes and reasons for them

  30. Group Policy Planning • Structuring domains and OUs for Group Policy • Delegation of permissions will determine where you place OUs in the domain structure • GPO location will depend on the structure of your network (centralized vs. decentralized control)

  31. Group Policy Planning • Segmented vs. monolithic GPOs • Monolithic design - few large GPOs implemented at the site or domain level • Segmented design - smaller GPOs that contain fewer settings • Best design is probably a mix of the two

  32. Group Policy Planning • Cross-domain GPO links • it is possible, but not recommended, to create such links, as computer startup and logon are significantly slower

  33. Group Policy Planning • Managing network bandwidth • Windows 2000 has built-in safeguards when slow links are encountered • Security and Administrative always processed • Folder Redirection • Policy templates can be created and modified • Security and administrative templates always apply

  34. Group Policy Planning • Group Policy best practices • Disabling unused portions of a GPO

  35. Group Policy Planning • Group Policy best practices • Restrict the number of policies • Avoid No Override and Block Policy Inheritance when possible • Use Group Policy rather than System Policies • Filter Group Policy with Security Groups • Avoid cross-domain GPO links when possible • Limit the GPO refresh period

  36. Group Policy Implementation • Creating a GPO • Creating a GPO console • Specifying Group Policy settings • Filtering Group Policy • Delegating administrative control of Group Policy • Linking a GPO

  37. Group Policy Implementation • Creating a GPO • first step • Windows 2000 creates a GPO by default (Default Domain Policy) • AD Users and Computers management console • Add • New • Edit • Delete

  38. Group Policy Implementation • Creating a GPO Console • Use Group Policy Editor to add snap-ins to your console

  39. Group Policy Implementation • Creating a GPO Console

  40. Group Policy Implementation • Creating a GPO Console

  41. Group Policy Implementation • Creating a GPO Console

  42. Group Policy Implementation • Specifying Group Policy settings

  43. Group Policy Implementation • Filtering Group Policy

  44. Group Policy Implementation • Delegating administrative control of Group Policy • Managing Group Policy links for a site, domain, or OU • Creating GPOs • Editing GPOs

  45. Group Policy Implementation • Delegating administrative control of Group Policy

  46. Group Policy Implementation • Linking a GPO • You must have Read/Write or Full Control permissions • Use AD Users and Computers

  47. Chapter Summary • Windows 2000 Group Policy far surpasses Windows NT Group Policy in functionality • GPOs can be applied at the site, domain, or OU level • Group Policy can help reduce TCO on networks, while increasing ROI for tech expenditures • Group Policy is processed in the following order: local, site, domain, OU • The Group Policy Editor is the primary interface for modifying Group Policy settings

  48. Chapter Summary • Policy settings can be overridden or blocked, if necessary • The use of Group Policy can impact the AD domain and OU design process • Group Policy administration can be filtered or delegated • GPOs can be linked to other sites, domains, and OUs
