Group Policy – Tips, Tricks and Best Practices

Group Policy – Tips, Tricks and Best Practices
John Howard, IT Pro Evangelist, Microsoft UK

Agenda
- Planning / Building / Testing / Deploying
- Specific Group Policy “Features”
- Troubleshooting

Recommended Reading
- Group Policy, Profiles and IntelliMirror for Windows Server 2003, Windows 2000 and Windows XP, by Jeremy Moskowitz, http://www.GPAnswers.com

Quick Refresh
- By default, how often does Group Policy initiate a refresh after a user has logged on?
- Does the version number between the AD and Sysvol parts of the GPO need to match in order for Group Policy to apply?
- What is the biggest .adm file?

Planning: OU Design
- Why create OUs?
  - Segment by role: domain controllers, computers, users
  - Redirect the default OU for new accounts: redirusr.exe and redircmp.exe [1]
  - Use delegation of administration: Create/Update/Link GPOs

Planning: GPO Design
- Normalise GPOs – GP Common Scenarios [2]
- Naming conventions
  - Clear purpose and intent
  - 3-token string: Scope/Purpose/Managed By, e.g. WW-Outlook-OTG
- What about the number of GPOs?
  - MYTH: Fewer GPOs = better performance
  - FACT: Number of settings is more important

Planning: GPO Design
- Avoid cross-domain GPO links
  - Performance overhead
  - Alternative: GPMC scripts
- Use the following sparingly:
  - Enforce (No Override)
  - Block Inheritance
  - Loopback
- Keep it simple
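The two GPO design slides above describe conventions (three-token names) and things to use sparingly (Enforced links, Block Inheritance, cross-domain links). The script below is an added example, not code from the presentation or from Microsoft: it audits a domain against those rules using the RSAT GroupPolicy and ActiveDirectory modules, which are assumed to be installed in a domain-joined session. The scope and "managed by" token lists are placeholders for an organisation's own vocabulary; the example GPO name WW-Outlook-OTG is the one from the slide.

```powershell
# Added example (not from the presentation): audit a domain's GPOs against the
# slides' design guidance. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ValidScopes = @('WW', 'EMEA', 'US')        # placeholder scope tokens
$ValidOwners = @('OTG', 'SEC', 'DESKTOP')   # placeholder "managed by" tokens
$Exempt      = @('Default Domain Policy', 'Default Domain Controllers Policy')

function Test-GpoName {
    # True when the name is Scope-Purpose-ManagedBy with known scope/owner tokens,
    # e.g. WW-Outlook-OTG. The two built-in default GPOs are exempt.
    param([Parameter(Mandatory)][string]$Name)
    if ($Exempt -contains $Name) { return $true }
    $tokens = $Name -split '-', 3
    if ($tokens.Count -ne 3) { return $false }
    return ($ValidScopes -contains $tokens[0]) -and
           ($tokens[1].Length -gt 0) -and
           ($ValidOwners -contains $tokens[2])
}

function Get-GpoLinkInventory {
    # One record per link target (domain root plus every OU) from Get-GPInheritance,
    # carrying the Block Inheritance flag and the links with their Enforced flag.
    $domain  = Get-ADDomain
    $targets = @($domain.DistinguishedName) +
               (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        [pscustomobject]@{
            Target  = $dn
            Blocked = $inh.GpoInheritanceBlocked
            Links   = @($inh.GpoLinks | ForEach-Object {
                [pscustomobject]@{
                    Gpo         = $_.DisplayName
                    Enforced    = $_.Enforced
                    # A link whose GPO lives in another domain is a cross-domain link.
                    CrossDomain = ($_.GpoDomainName -ne $domain.DNSRoot)
                }
            })
        }
    }
}

function Get-GpoDesignReport {
    $badNames = Get-GPO -All | Where-Object { -not (Test-GpoName $_.DisplayName) } |
                Select-Object -ExpandProperty DisplayName
    $inventory = Get-GpoLinkInventory
    $allLinks  = $inventory | ForEach-Object { $t = $_.Target; $_.Links | ForEach-Object {
                    $_ | Add-Member -NotePropertyName Target -NotePropertyValue $t -PassThru } }
    [pscustomobject]@{
        NonConformingNames = @($badNames)
        EnforcedLinks      = @($allLinks | Where-Object Enforced)
        CrossDomainLinks   = @($allLinks | Where-Object CrossDomain)
        BlockedInheritance = @($inventory | Where-Object Blocked | Select-Object -ExpandProperty Target)
    }
}

Get-GpoDesignReport | Format-List
```

Each of the four properties in the report is a list to review rather than a hard failure: the slides say to use Enforce, Block Inheritance and cross-domain links sparingly, not never, so the value of the check is in seeing the count grow over time.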

Planning: GPO Design – WMI Filters
- XP and Windows Server 2003 only
- Performance hit
- Limit to known lifetime if possible
- Scriptomatic [3]

Planning: Deployment
- Test, Stage, Production, Validate
  - The right thing to do
- Pilot significant changes
  - …but not just with IT staff!
- Use GPMC features to assist [4]
  - Sample scripts, e.g. CreateXMLFromEnvironment and CreateEnvironmentFromXML
  - Documentation – HTML or XML reports
  - Backup/Copy/Import functions
  - Modelling

Planning: Deployment
- Test, Stage, Production, Validate

Planning: Disaster Recovery
- Group Policy can affect every computer and user
- Authoritative Restore is not nice! GPMC Backup and Restore is
- Consider a scripted solution
- Secure your backup location
- Test your restore

Planning: Disaster Recovery
- What is not backed up, and why
  - Characteristics of other objects in Active Directory: IPSec settings, WMI filters, GPO links
  - Use Active Directory backup or a scripted solution
- DCGPOFix – never use!
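The two disaster-recovery slides recommend a scripted GPMC backup, a secured backup location, a tested restore, and a separate record of what a GPMC backup does not contain (GPO links). The following is an added example, not the presentation's or Microsoft's code: it uses the RSAT GroupPolicy and ActiveDirectory modules (assumed installed) to back up every GPO with its HTML documentation, export the link and inheritance state of the domain root and every OU, lock down the backup folder, and perform a restore test into an unlinked scratch GPO. The backup path and the `CONTOSO\GPO-Admins` group are placeholders; WMI filters and IPSec settings are outside what this script covers, exactly as the slide says.

```powershell
# Added example (not from the presentation): scripted GPO backup plus the pieces
# a GPMC backup omits. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-GpoEnvironment {
    param([Parameter(Mandatory)][string]$Root)   # e.g. D:\GPOBackups (placeholder)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # 1. Settings and Sysvol content of every GPO: what GPMC backup covers.
    Backup-GPO -All -Path $dir -Comment "Scripted backup $stamp" | Out-Null

    # 2. Documentation for the change record: one HTML report covering all GPOs.
    Get-GPOReport -All -ReportType Html -Path (Join-Path $dir 'AllGPOs.html')

    # 3. GPO links are attributes of the domain and OU objects, not of the GPO,
    #    so they are not in the backup. Record order, enabled, enforced and
    #    Block Inheritance per target so they can be recreated after a restore.
    $domain  = Get-ADDomain
    $targets = @($domain.DistinguishedName) +
               (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    $links = foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        [pscustomobject]@{
            Target  = $dn
            Blocked = $inh.GpoInheritanceBlocked
            Links   = @($inh.GpoLinks | Select-Object DisplayName, GpoId, Order, Enabled, Enforced)
        }
    }
    $links | Export-Clixml -Path (Join-Path $dir 'GpoLinks.xml')

    # 4. Secure the backup location: drop inherited ACEs, then grant full control
    #    only to SYSTEM and the GPO administrators group (placeholder name).
    $null = icacls $dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'CONTOSO\GPO-Admins:(OI)(CI)F'
    return $dir
}

function Test-GpoRestore {
    # Restore test: import one backed-up GPO into a new, unlinked scratch GPO,
    # check that the imported report contains extension (settings) data, then
    # delete the scratch GPO. Run this in a lab domain, never straight into production.
    param([Parameter(Mandatory)][string]$BackupDir,
          [Parameter(Mandatory)][string]$GpoName)
    $scratch = "ZZ-RestoreTest-$GpoName"
    Import-GPO -BackupGpoName $GpoName -Path $BackupDir -TargetName $scratch -CreateIfNeeded | Out-Null
    $xml = Get-GPOReport -Name $scratch -ReportType Xml
    Remove-GPO -Name $scratch
    return ($xml -match '<Extension ')   # heuristic: settings were restored
}

$backup = Backup-GpoEnvironment -Root 'D:\GPOBackups'
Test-GpoRestore -BackupDir $backup -GpoName 'WW-Outlook-OTG'   # slide's example GPO name
```

Because the scratch GPO is never linked, the restore test changes no client's resultant policy even if it is run against a real domain; the remaining step a practitioner adds is to re-apply the links from GpoLinks.xml with New-GPLink and Set-GPInheritance during an actual recovery.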

Planning: Group Policy Dependencies
- DNS misconfiguration [5]
- File Replication Service [6]
  - Sonar, Ultrasound
- Policies directory – Sysvol
  - Don’t change ACLs or contents manually
  - Don’t delete (“my disk was full”)
  - Only use supported tools

Planning: Group Policy Dependencies
- ICMP
  - Used to check whether a DC is contactable
  - Used for slow link detection
  - If ICMP is blocked, disable slow link detection

So Many Policy Settings – Where Do I Start?
- Policy Settings Reference Spreadsheet [7]
- Consider the common scenarios
- Think small – iterative deployment
  - Security
  - OS/application configuration
  - IE Maintenance
  - Software Installation

Windows 2000 Domains: Fixing Mismatched ACLs
- Windows 2000 domains created prior to SP4
- Just let GPMC fix it for you
- Relax – it is a very minor problem!

Domain Upgrades: Upgrading to Windows Server 2003
- Impact on FRS replication traffic
- For cross-domain GP Modelling, an ACE on GPOs
  - Only if the GPO existed before the WS2003 upgrade
  - To manage, use GrantPermissionOnGPO or GrantPermissionOnAllGPOs
  - Alternative in Windows Server 2003 SP1

Cross Forest Logon [8]
- Forest is the security boundary
- User from Forest A logs onto a machine in Forest B
- Differences in behaviour depending on OS
  - Windows Server 2003, Windows XP from SP1, Windows 2000 from SP4: user policy settings come from Forest B (similar to loopback)
  - “Allow Cross-Forest User Policy and Roaming User Profiles” policy setting

Group Policy “Features”
- Administrative Templates
- Security
- Machine and User Scripts
- Folder Redirection
- Resultant Set of Policy (RSoP)
- Software Installation
- GPMC Scripting

Features: Administrative Templates
- What is an “adm” file?
  - Zero role for a client
  - Only for the administrative user interface
- KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”
  - Superset principle from WS2003 RTM onwards
  - Historical .adm files available online
  - Never edit the OS-shipped .adm files

Features: Administrative Templates
- Know the benefits of a “true policy” (as compared to preferences)
  - Security (local administrators)
  - Cleanup (if GPO is out of scope)
- IE changes in XP SP2

Features: Security Settings
- Not always the highest security settings
- In XP SP2, “Dangerous” settings warnings [9]

Features: Security Settings

Features: Security Settings
- Domain-level policies [11]
  - Account Policies
  - Rename or disable Admin/Guest account
  - Kerberos
- From W2K SP4 and XP SP2, you can add a domain group to a local group on a computer [12]

Features: Security Settings
- Avoid modifying default GPOs
  - Unfortunately, some applications may expect it
  - User Rights and Password policy
  - Applications may update these when installed on DCs
  - Replication to all DCs
- Domain Controller consistency
  - OU selection (don’t change)
  - Don’t use security filtering

Features: Machine/User Scripts
- Async logon/logoff scripts: finish order
- Startup scripts: security context
  - Access to both the script and the referenced resources
- Local-only copy of script
- Consider environment variables
- HKLM update rights for user scripts
- Event logs: event sources
  - Processing GPO -> UserEnv
  - Running of a script -> UserInit

Features: Folder Redirection
- Don’t pre-create folders
- On Windows 2000, do not use folder redirection to the same machine used for roaming user profiles
  - Fixed in Windows 2003
- Application Data folder redirection
  - Recommend not to
- Cannot redirect to a mapped drive
  - Folder redirection happens before the mapping of drives

Features: RSoP
- No Group Policy Results data available for IPSec, Wireless, and Disk Quota
- Windows 2000 (can simulate)
- Always simulated: slow link status, WMI filters, loopback
- Modelling doesn’t know about the LGPO
- Estimation

Features: Software Installation
- Async policy processing
  - Multiple reboots
  - Wait for network at computer startup and logon?
- Machine assignment of software
  - Requires reboot
  - Gotcha for MMCs
- Limit security filtering
- Remember the application administrators

Features: GPMC Scripting
- The 32 sample scripts
- Building blocks
- GPMC API samples
- HTML or XML reports for documentation

Features: Miscellaneous…
- Wireless: need to be on a wired network to get certificates for wireless policy (for 802.1x)
- GPMC: drag a GPO across domains to an OU or domain and you get a cross-domain link (not a copy of the GPO); instead, drag to the Group Policy Objects node (note: no links will exist at this point)

Troubleshooting
- Know your reporting options
- Know your tools
  - Group Policy Modeling, Group Policy Results – proactive
  - With the operating system: GPUpdate (/force)
  - WS 2003 Resource Kit: GPOTool, GPMonitor (push)
  - Download Center: GPInventory (gather WMI/RSoP)
- Help and Support
  - Group Policy Troubleshooting Whitepaper [13]
- Consider the GP Management Pack (GPMP) for MOM

Troubleshooting
- Using the Local GPO (LGPO)
  - A good option if you don’t have access to change GPOs in a domain (not all settings will be available – software installation and folder redirection, for example)
  - Updating the LGPO on a domain-joined PC has no impact when using cached credentials
- Read the Explain text for Admin Templates and the Help for Security Settings
- Remember the /force switch
- If you move a user/computer to a new OU, the change will not take place immediately (GetUserNameEx caches the location of a user/computer for 30 mins); reboot/logon to resolve
- Consider using a Virtual PC – especially helpful for tattooing security settings; undo when done!
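The two troubleshooting slides list Group Policy Results, the Group Policy event sources and GPUpdate /force as the first things to reach for. The function below is an added example, not the presentation's or Microsoft's code, that strings those together for one target computer: it produces an RSoP (Group Policy Results) report with Get-GPResultantSetOfPolicy, pulls recent Group Policy warnings and errors from the target, and optionally forces a refresh. It assumes the RSAT GroupPolicy module, PowerShell remoting to the target, and that the target is Windows Vista/Server 2008 or later, where Group Policy logs to the Microsoft-Windows-GroupPolicy/Operational log; on the XP/2003 systems the slides cover, the same engine logs under the Userenv source in the Application log, which the fallback branch reads. The computer name WKS-0042 is a placeholder.

```powershell
# Added example (not from the presentation): Group Policy triage for one computer.
# Assumes RSAT GroupPolicy module and PowerShell remoting to the target.
Import-Module GroupPolicy

function Get-GpoTriage {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [string]$User,                 # DOMAIN\user; omit for a computer-only RSoP
        [int]$Hours = 2,               # how far back to look in the event logs
        [switch]$ForceRefresh          # also run gpupdate /force on the target
    )

    # 1. Resultant Set of Policy in logging mode (what Group Policy Results shows).
    #    The user must have logged on to that computer at least once.
    $report = Join-Path $env:TEMP "rsop-$Computer.html"
    $rsop = @{ Computer = $Computer; ReportType = 'Html'; Path = $report }
    if ($User) { $rsop.User = $User }
    Get-GPResultantSetOfPolicy @rsop | Out-Null

    # 2. Recent Group Policy warnings/errors on the target: slow link decisions,
    #    unreachable DCs or Sysvol, script failures. Level 1-3 = critical/error/warning.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Invoke-Command -ComputerName $Computer -ArgumentList $since -ScriptBlock {
        param($since)
        try {
            Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
                Level     = 1, 2, 3
                StartTime = $since
            } -ErrorAction Stop | Select-Object TimeCreated, Id, Message
        } catch {
            # Legacy OS (XP/2003): the Group Policy engine logs under the Userenv
            # source in the Application log, as the scripts slide notes.
            Get-EventLog -LogName Application -Source Userenv -After $since -EntryType Error, Warning |
                Select-Object TimeGenerated, EventID, Message
        }
    }

    # 3. Optional forced refresh: a new GPO or an OU move is not picked up until
    #    the next refresh, and the slides say to remember the /force switch.
    if ($ForceRefresh) {
        Invoke-Command -ComputerName $Computer -ScriptBlock { gpupdate /force /target:computer }
    }

    [pscustomobject]@{ Computer = $Computer; Report = $report; Events = @($events) }
}

Get-GpoTriage -Computer 'WKS-0042' -Hours 4 | Format-List
```

Reading the event list before opening the HTML report is usually faster: a warning from slow link detection or a failed Sysvol read explains "the setting did not apply" without any comparison of settings.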

We Want To Hear From You…
Please visit the new Windows Server Feedback site: http://www.windowsserverfeedback.com/
“Help us improve Windows Server by providing us with your suggestions and ideas. All feedback submitted will be sent to the Windows Server Development Team for review and analysis. Your ideas can impact Windows Server in many ways, and might even be incorporated into new Service Packs, Feature Packs, or the next Windows Server release.”

References
1. Redirecting the Users and Computers Containers in Windows Server 2003, KB 324949
2. Group Policy Common Scenarios Using GPMC, http://go.microsoft.com/fwlink/?LinkId=14951
3. Scriptomatic Tool, http://www.microsoft.com/technet/scriptcenter/tools/wmimatic.mspx
4. Staging Group Policy Deployments (Chapter 3, Windows Server 2003 Deployment Kit – Designing a Managed Environment Book), http://www.microsoft.com/downloads/details.aspx?familyid=b671967b-ef65-4ccf-9d00-89d6ae428edc&displaylang=en
5. Support Webcast: DNS in the Active Directory Part 2: Best Practices, Common Problems and Troubleshooting, http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc030601/wcblurb030601.asp
6. Monitoring and Troubleshooting the File Replication Service (FRS) – includes Sonar and Ultrasound, http://www.microsoft.com/windowsserver2003/technologies/fileandprint/file/dfs/tshootfrs.mspx
7. Group Policy Settings Reference Spreadsheet (with history), http://go.microsoft.com/fwlink/?linkid=22031
8. Cross Forest Logon, Loopback and User Policy Logon, KB 823862
9. Recommendations for Managing Group Policy Administrative Template Files, KB 816662

References
10. Client, Service and Program Incompatibilities That May Occur When Modifying Security Settings and User Rights Assignments, KB 823659
11. Threats and Countermeasures: Security Policy Settings in WS 2003 and XP, http://www.microsoft.com/downloads/details.aspx?FamilyID=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en#filelist
12. Adding Domain Groups to Local Machine Groups on Member Computers, KB 810076
13. Troubleshooting Group Policy with Windows Server 2003, http://go.microsoft.com/fwlink/?LinkId=14949

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.