Section 3: Designing a Group Policy Infrastructure

Presentation transcript:

Section 3: Designing a Group Policy Infrastructure
- Overview of Active Directory
- Introducing the Design Stages for Implementing Group Policy
- Planning Your Group Policy Design
- Designing Your Group Policy Solution
- Deploying Your Group Policy Solution
- Managing Your Group Policy Solution

Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives
After completing this section, you will be able to:
- Describe the basic structure of Active Directory
- Describe the four stages of implementing Group Policy
- Explain how to plan your Group Policy in accordance with company requirements
- Describe the guidelines that you should follow when you create new GPOs
- Explain how to deploy Group Policy based on the Active Directory structure
- Explain how to manage Group Policy by delegating administration and setting permissions

Overview of Active Directory
Active Directory is used to store objects, authenticate users, and implement policies. Active Directory concepts include:
- Active Directory Objects
- Active Directory Architecture
- Naming Standards
- Users and Groups
- Organizational Units

Active Directory Objects
- Users
- Groups
- Computers
- Contacts
- Printers
- Shared folders

Active Directory Architecture
- Components: Site, Global Catalog, Forest, Tree, Domain, Domain controller, OU
- Diagram labels: Southeast site, Northeast site, ou=Sales, cn=JaneD, hq.local, atl.hq.local, widget.com, na.widget.com, Forest, Tree, Domain, DC, Global Catalog DC

Naming Standards
- DNS
- LDAP
- X.500
- Active Directory naming architecture
- Examples: cn=JaneD and cn=janed,ou=sales,dc=atl,dc=hq,dc=local

Users and Groups
- Local User Accounts
  - Exist on the local computer only
- Domain User Accounts
  - Can be used by any domain member
  - Support a single sign-on environment
- Group Types
  - Security
  - Distribution
- Group Scopes
  - Domain local
  - Global
  - Universal

Organizational Units
- OUs and Groups
- Creating an OU Structure

OUs and Groups
- OUs
  - OUs are used to store collections of accounts.
  - Accounts can be stored in only one OU at a time.
  - OUs can be used to apply Group Policy.
- Groups
  - Groups are used for permissions and delegation.
  - Users in a group receive the permissions of the group.
  - A user can be in multiple groups.
  - Users are members of groups for access control purposes.

Creating an OU Structure
- Geographic: North America, South America, Europe, Asia
- Functional: Admins, Help Desk, Managers, Users
- Departmental: Sales, Marketing, Engineering, Accounting

Introducing the Design Stages for Implementing Group Policy
The four major stages in a successful Group Policy implementation:
- Planning
- Designing
- Deploying
- Managing

Planning Your Group Policy Design
Stage: Planning
- Policy Survey
- Policy Objectives
- Policy Components

Policy Survey
- Analyze user requirements
- Inventory the IT roles in the company
- Examine existing security policies
- What level of security is required for servers?
- What level of security is desired for:
  - Network clients
  - Public computers
- How is software distributed?
- How are updates distributed?
- Where is the essential data stored?
- Who currently has management authority?

Policy Objectives
- Evaluate corporate practices
- Can Group Policy mirror existing user practices?
- Discuss security concerns
- Some policy objectives may not work for every company
- Users that resist policy acceptance will try to circumvent restrictions

Policy Components
- Computer security
- Software deployment
- Logon scripts
- Folder redirection
- Administrative Template settings
- Preference settings

Designing Your Group Policy Solution
Stage: Designing
- Group Policy Solution Components
- Designing Your Group Policy Model
- Delegating GPO Responsibilities
- Creating New GPOs
- Sites and GPOs

Group Policy Solution Components
- Networking
- DNS Services
- Time Synchronization
- Administration
- Client Interoperability

Designing Your Group Policy Model
- GPO links
- Security filtering
- Number of Group Policy objects
- Scope of Group Policy
- Applicability of Group Policy settings
- Non-applicability of Group Policy settings
- Roles and locations of users and computers
- Desktop configurations
- User requirements for various types of users

Delegating GPO Responsibilities
- Assign subordinate administrators the ability to create and link policies for select OUs
- Avoid having too many administrators with responsibility for the same GPOs

Creating New GPOs
- Gradually implement restrictive policies
- Avoid configuring restrictive policies at the domain root
- Configure more granular GPOs on a per-OU basis

Sites and GPOs
- Geographical location of your Active Directory sites
- Physical location of each domain controller determines its site location
- Speed of the FRS
- Intersite and intrasite replication
- Diagram labels: DC, Northeast site

Deploying Your Group Policy Solution
Stage: Deploying
- Applying Group Policy Changes
- Linking GPOs to the Domain
- Designing an OU Structure for Group Policy
- Applying Group Policy to New Users and Computers

Applying Group Policy Changes
- The primary mechanisms for refreshing Group Policy are startup and logon.
- Group Policy is also refreshed on a regular basis.
- The policy refresh interval in force affects how quickly changes to Group Policy objects are applied.
- Folder redirection and the assignment of software applications require the user to log off and log on again before they take effect.
- Software applications assigned to computers are installed only when the computer is restarted.

Linking GPOs to the Domain
- A GPO linked to the domain applies equally to all users and computers in the domain.
- All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO.
- The term “linked” defines where the GPO was created or where the GPO settings are to apply.

Designing an OU Structure that Supports Group Policy
- You can move users and computers into and out of OUs within a single domain.
- If necessary, you can rearrange OUs within the single domain.
- Groups of users with common requirements can be easily moved and contained.
- Users and computers can be organized based on which administrators manage them.

Applying Group Policy to New User and Computer Accounts
- In Active Directory, the Users and Computers containers cannot have policies assigned to them.
- redircmp.exe and redirusr.exe change the default location for new account objects.
- Redirect new users and computers to OUs that policies can affect.
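
A pre-check for the redirection step on this slide, as an added PowerShell example that is not part of the original course material: it reports where new accounts currently land and lists accounts still sitting in the default containers. It assumes the ActiveDirectory RSAT module is installed; the OU names printed in the suggested commands are hypothetical placeholders.

```powershell
# Added example, not from the course material.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Get-ADDomain exposes the current default locations for newly created accounts.
$targets = @(
    @{ Kind = 'computer'; Path = $domain.ComputersContainer; Tool = 'redircmp.exe'
       PlaceholderOU = "OU=New Computers,$domainDn" },   # hypothetical OU name
    @{ Kind = 'user';     Path = $domain.UsersContainer;     Tool = 'redirusr.exe'
       PlaceholderOU = "OU=New Users,$domainDn" }        # hypothetical OU name
)

foreach ($t in $targets) {
    # A path that starts with CN= is a container, not an OU, so no GPO can be linked to it.
    if ($t.Path -like 'CN=*') {
        Write-Warning "New $($t.Kind) accounts default to '$($t.Path)', which cannot have a GPO linked."
        Write-Host    "  After creating the OU, redirect with: $($t.Tool) `"$($t.PlaceholderOU)`""
    } else {
        Write-Host "New $($t.Kind) accounts already default to '$($t.Path)'."
    }
}

# Accounts left in the default containers receive only site- and domain-linked GPOs,
# so any OU-level hardening policy never reaches them. List them for relocation.
$strayComputers = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" `
    -SearchScope OneLevel -Properties whenCreated

# CN=Users also holds built-in accounts; restricting to enabled accounts reduces noise.
$strayUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "CN=Users,$domainDn" `
    -SearchScope OneLevel -Properties whenCreated

$strayComputers | Sort-Object whenCreated | Format-Table Name, whenCreated, DistinguishedName -AutoSize
$strayUsers     | Sort-Object whenCreated | Format-Table SamAccountName, whenCreated, DistinguishedName -AutoSize
```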

Managing Your Group Policy Solution
Stage: Managing
- Delegating the Administration of Group Policy
- Specifying a Domain Controller for Editing GPOs
- Rolling Back Domain GPOs
- Starter GPOs
- Adding Comments to a GPO
- Using the AGPM

Delegating the Administration of Group Policy
- Default Rights for Group Policy Management
- Group Policy Creator Owners Group
- GPO Delegation
- Manually Assigning Permissions

Default Rights for Group Policy Management
- When a Windows domain is installed, default permissions are assigned to specific administrative groups for creating, deleting, and linking GPOs.
- Enterprise Administrators can create, delete, link, or unlink GPOs anywhere in the forest.
- Delegate limited control to other administrators to assist in GPO management.

Groups Assigned GPO Rights (Windows group: rights granted)
- Enterprise Admin: Create, delete, edit, and link GPOs in all forest containers (sites, domains, and OUs).
- Domain Admins: Create, delete, edit, and link GPOs in the domain and all OUs hosted by the domain, but not in sites.

Groups Assigned GPO Rights (cont.) (Windows group: rights granted)
- Group Policy Creator Owners: Create GPOs in the domain to which the group belongs. Users who are members of this group can edit any GPOs that they create; however, other members of the group cannot. Deleting GPOs is not allowed. Linking to a site, domain, or OU is also not allowed.
- Local Admins: Create GPOs in the domain to which the group belongs. A user that is a member of this group can edit and delete all GPOs that any other group member has created. Linking the GPO to the domain and any OUs hosted by the domain is also allowed.

Group Policy Creator Owners Group
- Members of the GPCO group can link only to containers they have link rights to.
- Being a member of the GPCO group gives the non-administrator full control of only those GPOs that the user creates.
- GPCO members do not have permissions for GPOs that they do not create.

GPO Delegation
- The right to link GPOs can be delegated separately from the right to create and edit GPOs.
- Be sure to delegate these rights only to the groups you want to be able to create and link GPOs.
- Creation of GPOs can be delegated to any group or user.

Manually Assigning Permissions
Permissions guidelines for creating and editing GPOs are:
- The ability to create GPOs in a domain is a permission that is managed on a per-domain basis.
- By default, only domain administrators, enterprise administrators, Group Policy creator owners, and System can create new GPOs.
- By default, domain administrators can edit all GPOs in the domain.

Rights for GPO Control (right: control)
- Full control: Create, edit, view, and delete the GPO
- Read: View the GPO in the Group Policy Console (Opening the GPO to edit is not allowed.)
- Write: View and edit the GPO (Note: The read permissions must also be granted to even be able to view the GPO.)
- Create all child objects: Create and edit GPOs (Deleting is not allowed.)
- Delete all child objects: Delete a GPO
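
An audit of the delegation described in the preceding slides, as an added PowerShell example that is not part of the original course material: it lists every trustee outside the default administrative groups that can edit a GPO, and counts such editors per GPO. It assumes the GroupPolicy module that ships with GPMC; the review threshold of two extra editors is an arbitrary assumption.

```powershell
# Added example, not from the course material.
# Requires the GroupPolicy module (installed with GPMC) and read access to all GPOs.
Import-Module GroupPolicy

# Trustees expected to hold edit rights by default: SYSTEM (S-1-5-18),
# Domain Admins (RID 512) and Enterprise Admins (RID 519).
$expectedSidPattern = '^S-1-5-18$|-512$|-519$'

# Permission levels that allow changing a GPO's settings or its security.
# GpoCustom is included because a custom ACE may contain write rights.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $ace.Permission.ToString()
        $sid   = $ace.Trustee.Sid.Value

        if ($editLevels -contains $level -and $sid -notmatch $expectedSidPattern) {
            # Typical hits: the creator of a GPO (for example a Group Policy
            # Creator Owners member) and any manually delegated group or user.
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Owner      = $gpo.Owner
                Trustee    = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                Sid        = $sid
                Permission = $level
                Denied     = $ace.Denied
            }
        }
    }
}

# Every non-default editor, for comparison against the intended delegation plan.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize

# GPOs with several extra editors: the "too many administrators with responsibility
# for the same GPOs" case. The threshold of 2 is an assumption, adjust as needed.
$findings |
    Group-Object Gpo |
    Where-Object { $_.Count -gt 2 } |
    Select-Object @{ n = 'Gpo'; e = { $_.Name } }, @{ n = 'ExtraEditors'; e = { $_.Count } } |
    Format-Table -AutoSize
```

This covers permissions on the GPOs themselves; the right to link GPOs is delegated on the site, domain, or OU and has to be reviewed there.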

Specifying a Domain Controller for Editing GPOs
- The choice of domain controllers is important for administrators to consider to avoid replication conflicts.
- In each domain, the domain controller with the FSMO role of PDC emulator is used for all GPO operations in that domain.
- This includes all operations on the GPOs that are located in that domain.

Rolling Back Domain GPOs
- The default Domain GPOs can be rolled back to their standard configuration using dcgpofix.exe if needed.

Starter GPOs
- Quickly create a new GPO from the Starter GPO.
- Several Starter GPOs are included by default.

Adding Comments to a GPO
- When you enter a comment in the properties of the GPO, it is displayed in the GPMC on the Details tab.

Using the AGPM
- Granular Administration
  - Robust delegation model
  - Role-based administration
  - Change request approval
- Reduced Failure Risk
  - Offline editing of GPOs
  - Difference reporting and audit logging
  - Recovery of a deleted GPO
  - Repair of live GPOs
- Change Management
  - Creation of GPO template libraries
  - Subscription to policy change notifications
  - Version tracking, history capture, and quick rollback of deployed changes

Note: Microsoft has not yet released an updated AGPM for Windows 8 and Windows Server 2012.

Summary
- The heart of Active Directory is a database with object types such as Users, Groups, Computers, Contacts, Printers, and Shared folders.
- Active Directory is made up of a collection of components (Site, Global Catalog, Forest, Tree, Domain, Domain Controller, and OU) that work at different levels of a hierarchy.

Summary (cont.)
The four stages of implementing Group Policy are:
- Planning: During this stage, you will decide which components of Group Policy to deploy in your organization; start gathering information about your company and how it carries out its day-to-day business with an Active Directory network; design a Group Policy that manages entities such as computer security, software deployment, etc.
- Designing: During this stage, you will configure the physical components of the environment, lay out the Group Policy model, delegate management authority, create new GPOs, and design the interaction of GPOs with Active Directory sites.

Summary (cont.)
- Deploying: During this stage, you will make the policy available to the users and computers that you want to affect with the settings.
- Managing: During this stage, you will put mechanisms in place to manage group policies on an ongoing basis; delegate authority to subordinate administrators to manage certain aspects of Group Policy; specify a default domain controller for GPO editing; use tools such as Starter GPOs and the GPO to track and control Group Policy objects.

Summary (cont.)
To plan your Group Policy in accordance with your company requirements, do the following:
- Ask your help desk, end users, management, and support staff the planning stage questions.
- Determine which components of Group Policy to deploy.
- Find out about the design and implementation of your Active Directory infrastructure.
- Start gathering information about your company; how it carries out its day-to-day business with an Active Directory network.
- If your company has several divisions, find out how the network infrastructure is managed.

Summary (cont.)
- Base your Group Policy design on your physical and logical Active Directory deployment.
- Ensure the plan manages the Group Policy entities such as computer security, folder redirection, roaming user profiles, etc.
- Follow these guidelines when you create new GPOs:
  - Use the settings in your GPOs that you are already familiar with and use a domain GPO to deploy a company-wide GPO with minimal settings that are acceptable to everyone.

Summary (cont.)
- Create more granular GPOs on a per-OU basis to affect smaller numbers of users and computers with their specific needs.
- Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO; the name should include the settings applied and the date of creation and change.
- You can link policies to the domain, site, or at the various levels of a nested OU structure.

Summary (cont.)
- Decide the degree to which you should centralize or distribute administrative control of Group Policy.
- In a centralized administration model, the IT group provides services and sets standards for the entire company.
- In a distributed administration model, each business unit manages its own IT group.
- Based on the administrative model, determine which configuration management components should be handled at the site, domain, and OU levels.
- You can manually assign permissions to a GPO from the Group Policy MMC.

Knowledge Check
1. What types of objects can you store in Active Directory?
   Users, Groups, Computers, Contacts, Printers, and Shared Folders

Knowledge Check (cont.)
2. Briefly describe the Planning and Design stages of implementing Group Policy.
   During the Planning stage:
   - Decide which components of Group Policy to deploy
   - Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network
   - Design a Group Policy that manages entities (computer security, software deployment, etc.)

Knowledge Check (cont.)
2. Briefly describe the Planning and Design stages of implementing Group Policy.
   During the Design stage:
   - Configure the physical components of the environment
   - Lay out the Group Policy model
   - Delegate management authority
   - Create new GPOs
   - Design the interaction of GPOs with Active Directory sites

Knowledge Check (cont.)
3. What should you do when you plan your Group Policy in accordance with your company requirements? (Choose all that apply.)
   a. Ask the planning stage questions.
   b. Find out about the design and implementation of your Active Directory infrastructure.
   c. Base your Group Policy design on your physical and logical domain controller deployment.
   d. Determine how your company carries out its day-to-day business with an Active Directory network.

Knowledge Check (cont.)
4. What should you include when you name a GPO?
   The settings applied and the date of creation and change.
5. What can you link the policies to when you deploy your Group Policy solution?
   You can link the policies to the domain, site, or at the various levels of a nested OU structure.
6. Name the two models you can use to delegate the administration of Group Policy.
   Centralized administration model and distributed administration model