ADM320 Managing Group Policy. BJ Whalen, Program Manager, Windows Server, Microsoft Corporation.

Presentation transcript:


Agenda
- Using the Group Policy Management Console (GPMC)
- Best Practices for Managing Group Policy

Group Policy Sessions
- ADM 222: Using Group Policy to Configure Windows (yesterday)
- ADM 320: Managing Group Policy (now!)
- ADM 421: Scripting Group Policy (today, 6:15, Room 9)

Managing Group Policy
Existing challenges
- Group Policy was too hard to manage in the past
  - Existing UI confusing and limited
  - Core capabilities were missing: reporting of GPO settings, backup/restore of GPOs, import/export of GPOs
  - Existing capabilities were not scriptable
- Understanding, assessing, and planning the impact of Group Policy was difficult
Solution: Group Policy Management Console (GPMC)

GPMC Overview
What is the GPMC?
- New admin tool for managing Group Policy
  - Set of scriptable interfaces for managing GP
  - MMC snap-in, built on these interfaces
- Standalone web release, available now
GPMC design goals
- Unify management of Group Policy
- Address key deployment issues
- Provide better UI for visualization
- Enable programmatic access to Group Policy

GPMC Feature Summary
- New UI for managing Group Policy
- Reporting
- Search
- Resultant Set of Policy (RSoP) integration
- Backup/restore
- Import/export, copy/paste
- Scripting of GPO operations (not settings)

GPMC System Requirements
- GPMC runs on Windows Server 2003 or Windows XP with SP1
  - .NET Framework
  - Post-SP1 QFE (included with GPMC) which updates GPEdit.dll
- GPMC can manage Windows 2000 domains
- Some capabilities only available in Windows Server 2003 forests or domains:
  - WMI filters
  - Group Policy Modeling
  - Delegation of Group Policy Results

Scope And Inheritance
GPO scope is managed by
- Linking GPOs to an Active Directory container
- Adding security filters to a GPO
- Adding WMI filters to a GPO
Group Policy inheritance can be altered by
- Changing GPO link order
- Blocking inheritance
- GPO link enforcement

Delegation
The following GP aspects can be delegated:
- GPO creation rights in a domain
- Permissions on an individual GPO
- Policy-related permissions on a site/domain/OU:
  - Link GPOs
  - Perform Group Policy Modeling analyses
  - Read Group Policy Results data
- WMI filter creation rights in a domain
- Permissions on an individual WMI filter
GPMC offers simplified security management for GP
- Reduces reliance on the ACL editor

Reporting
Problem
- No read-only access to GPO settings
- Difficult to identify the settings that are set in a GPO
- Documentation of GPO settings and RSoP data
Solution
- GPMC provides HTML reports for GPO settings and RSoP data

Searching For GPOs
Can search for GPOs based on
- Display name
- Explicit permissions
- Effective permissions
- WMI filter
- GUID
- Policy extensions set in the GPOs
Example: find all GPOs on which the "Policy Admins" group has effective edit rights and that have Folder Redirection policy set
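The example query on this slide, together with the per-GPO delegation listing the Delegation slide describes, as an added example that is not part of the deck. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later), which wraps the same GPMC interfaces the deck's scripts use, rather than the deck's .wsf scripts. Assumptions: 'Policy Admins' is the deck's example group; the match is on the explicit ACE for that trustee, since these cmdlets do not expand group membership the way GPMC's "effective permissions" search does; and the extension name is read from the <Name> element of each ExtensionData entry in the XML settings report.

```powershell
# Added example, not from the ADM320 deck. Requires the GroupPolicy module
# (Windows Server 2008 R2 and later) and read access to every GPO.
Import-Module GroupPolicy

# Permission levels that allow changing a GPO's settings.
$script:EditLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoEditors {
    # Who can change each GPO: the delegation the deck says GPMC simplifies.
    param([string] $Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $script:EditLevels -contains $_.Permission } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
                    Permission = $_.Permission
                    Denied     = $_.Denied
                }
            }
    }
}

function Get-GpoExtensionNames {
    # Client-side extensions that carry settings in the GPO, taken from the
    # XML report. Assumption: each ExtensionData node has a <Name> child such
    # as "Registry", "Security" or "Folder Redirection".
    param([Parameter(Mandatory)] [guid] $GpoId, [string] $Domain = $env:USERDNSDOMAIN)
    [xml]$report = Get-GPOReport -Guid $GpoId -Domain $Domain -ReportType Xml
    $names = @()
    foreach ($side in @($report.GPO.User, $report.GPO.Computer)) {
        if ($side -and $side.ExtensionData) {
            $names += @($side.ExtensionData | ForEach-Object Name)
        }
    }
    return $names | Sort-Object -Unique
}

function Find-GpoByEditorAndExtension {
    param(
        [Parameter(Mandatory)] [string] $TrusteeName,     # e.g. 'Policy Admins'
        [string] $ExtensionName = 'Folder Redirection',
        [string] $Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Cheap ACL check first; generating the XML report is the expensive part.
        $editAce = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $_.Trustee.Name -eq $TrusteeName -and -not $_.Denied -and
                           $script:EditLevels -contains $_.Permission } |
            Select-Object -First 1
        if (-not $editAce) { continue }
        $extensions = Get-GpoExtensionNames -GpoId $gpo.Id -Domain $Domain
        if ($extensions -contains $ExtensionName) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Id         = $gpo.Id
                Permission = $editAce.Permission
                Extensions = $extensions -join ', '
            }
        }
    }
}

# Usage: the deck's example query, then a delegation overview.
# Find-GpoByEditorAndExtension -TrusteeName 'Policy Admins' | Format-Table -AutoSize
# Get-GpoEditors | Sort-Object Trustee | Format-Table -AutoSize
```

Get-GpoEditors is the list a reviewer wants for the "limit who can create and modify GPOs" guideline later in the deck: any trustee with an edit-level ACE on a GPO can change what every linked computer and user receives, so that list deserves the same scrutiny as membership of the administrative groups.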

UI Walkthrough (demo)

Resultant Set Of Policy (RSoP)
- Shows conflict resolution of policy settings
- Example: both GPO A and GPO B apply to the same user
  - GPO A sets Wallpaper = Red Moon Desert
  - GPO B sets Wallpaper = Bliss
  - RSoP data tells you which setting ultimately "wins", which GPO set that winning setting, and the precedence info (what were the losing GPOs)
- Allows you to more easily plan and troubleshoot Group Policy deployments
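The conflict resolution this slide describes follows from the three inheritance controls on the Scope And Inheritance slide (link order, Block Inheritance, Enforce). As an added example that is not part of the deck, the following PowerShell models those rules offline, so the winning GPO, the losing GPOs and the effect of enforcing a link can be reasoned about without querying a client or a domain controller. The SOM chain, link orders and GPO settings are constructed sample data built around the deck's two-GPO wallpaper example; it generalizes to any number of containers and links.

```powershell
# Added example, not from the ADM320 deck: an offline model of GPO precedence.
# Nothing here talks to Active Directory; all input is constructed sample data.

function Get-AppliedGpoOrder {
    # $SomChain is ordered from the farthest container (site, then domain) to
    # the object's own OU. Returns the links in the order the client applies
    # them; a later entry overwrites an earlier one, so the last entry that
    # touches a setting wins.
    param([Parameter(Mandatory)] [object[]] $SomChain)

    # Only the nearest container that blocks inheritance matters: it drops every
    # non-enforced link from the containers above it but keeps its own links.
    $blockAt = -1
    for ($i = 0; $i -lt $SomChain.Count; $i++) {
        if ($SomChain[$i].BlockInheritance) { $blockAt = $i }
    }

    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $SomChain.Count; $i++) {
        $som = $SomChain[$i]
        # Within one container link order 1 has the highest precedence, so it
        # is applied last: walk the links in descending link order.
        foreach ($link in ($som.Links | Sort-Object LinkOrder -Descending)) {
            $entry = [pscustomobject]@{ Gpo = $link.Gpo; Som = $som.Name; Enforced = $link.Enforced }
            if ($link.Enforced)      { $enforced.Add($entry) }
            elseif ($i -ge $blockAt) { $normal.Add($entry) }
        }
    }
    # Enforced links are applied after all normal links, and among enforced
    # links the farthest container wins, so apply them nearest-first.
    $enforced.Reverse()
    return @($normal) + @($enforced)
}

function Get-ResultantSettings {
    param(
        [Parameter(Mandatory)] [object[]]  $SomChain,
        [Parameter(Mandatory)] [hashtable] $Gpos      # GPO name -> @{ setting = value }
    )
    $history = [ordered]@{}
    foreach ($entry in Get-AppliedGpoOrder -SomChain $SomChain) {
        foreach ($setting in $Gpos[$entry.Gpo].GetEnumerator()) {
            if (-not $history.Contains($setting.Key)) { $history[$setting.Key] = @() }
            $history[$setting.Key] += [pscustomobject]@{ Gpo = $entry.Gpo; Value = $setting.Value; Som = $entry.Som }
        }
    }
    foreach ($name in $history.Keys) {
        $chain  = @($history[$name])
        $losers = if ($chain.Count -gt 1) { ($chain[0..($chain.Count - 2)] | ForEach-Object Gpo) -join ', ' } else { '' }
        [pscustomobject]@{
            Setting      = $name
            WinningValue = $chain[-1].Value
            WinningGpo   = $chain[-1].Gpo
            WinningSom   = $chain[-1].Som
            LosingGpos   = $losers
        }
    }
}

# Constructed sample: the deck's wallpaper conflict, plus one uncontested setting.
$gpos = @{
    'GPO A' = @{ 'Wallpaper' = 'Red Moon Desert'; 'ScreenSaverTimeout' = '600' }
    'GPO B' = @{ 'Wallpaper' = 'Bliss' }
}
$chain = @(
    [pscustomobject]@{ Name = 'DC=contoso,DC=com'; BlockInheritance = $false
                       Links = @([pscustomobject]@{ Gpo = 'GPO A'; LinkOrder = 1; Enforced = $false }) },
    [pscustomobject]@{ Name = 'OU=Sales,DC=contoso,DC=com'; BlockInheritance = $false
                       Links = @([pscustomobject]@{ Gpo = 'GPO B'; LinkOrder = 1; Enforced = $false }) }
)

# Nearest container wins by default: GPO B's "Bliss" is the resultant wallpaper.
Get-ResultantSettings -SomChain $chain -Gpos $gpos | Format-Table -AutoSize

# Enforce the domain link and the farther GPO A wins instead; GPO B is now the loser.
$chain[0].Links[0].Enforced = $true
Get-ResultantSettings -SomChain $chain -Gpos $gpos | Format-Table -AutoSize
```

The model makes the deck's later guideline concrete: every Enforce or Block Inheritance flag changes which entries survive in Get-AppliedGpoOrder, which is why a troubleshooter reading Group Policy Results output has to know both flags before the "losing GPOs" list makes sense.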

RSoP In GPMC
- All RSoP capability exposed in GPMC
  - GPMC is the recommended way to access RSoP
  - Original RSoP MMC snap-ins still available
- GPMC adds HTML-based presentation of RSoP data
- RSoP is renamed in GPMC:
  - Group Policy Results = logging mode
  - Group Policy Modeling = planning mode

Group Policy Results
- Previously known as Resultant Set of Policy, logging mode
- Represents what actually was applied on a target machine
  - Queries the target machine to get the data
- Supported by clients running Windows XP and later
- Note: to effectively delegate, you need the Windows Server 2003 AD schema

Group Policy Modeling
- Previously known as Resultant Set of Policy, planning mode
- A simulation of what might be applied
- "What if" scenarios based on hypothetical changes to:
  - User or computer location (site, domain, OU)
  - Security group membership
- Simulation performed on a DC that must be running Windows Server 2003
- Can be used to simulate policy for Win2K clients

RSoP In GPMC (demo)

GPO Backup
A GPO backup transfers to the file system:
- Policy settings in the GPO
- ACLs on the GPO
- Link to the WMI filter (but not the filter itself)
- Report of the settings in the GPO
Backup is the same as Export
Requires read access to the GPO

GPO Restore
Restores all attributes of the GPO:
- Policy settings in the GPO
- Uses the same GPO GUID
- ACLs on the GPO
- Link to the WMI filter (but not the filter itself)
GPO must be in the same domain
- Use import or copy to transfer settings across domains
Does not modify/restore links to the GPO
- Links are an attribute of the OU/site/domain, not of the GPO
Required permissions
- Existing GPO: edit/delete/modify security
- Deleted GPO: GPO creation rights

Managing GPO Backups
- Multiple backups can be stored in the same file system location
  - Multiple GPOs
  - Multiple versions of the same GPO
- Each backed-up GPO can be identified by name, description, domain, timestamp, GPO GUID
- Can be viewed and managed using GPMC
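The backup, restore and backup-inventory operations of the last three slides, as an added example that is not part of the deck. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later), which wraps the GPMC backup interfaces, rather than the deck's sample .wsf scripts. Assumptions: the backup root is a directory already secured as the deck's Operations slide asks; the backup directory's manifest.xml uses the element names GPMC's backup format writes (GPODisplayName, GPOGuid, GPODomain, ID, BackupTime, Comment), and the restore chooses a version from that inventory by backup ID.

```powershell
# Added example, not from the ADM320 deck. Requires the GroupPolicy module
# (Windows Server 2008 R2 and later); $BackupRoot is assumed to be an
# access-controlled directory.
Import-Module GroupPolicy

function Backup-AllGpos {
    # One backup per GPO (settings, ACL, WMI filter link) plus the HTML settings
    # report, in a timestamped subdirectory so several versions can coexist.
    param([Parameter(Mandatory)] [string] $BackupRoot, [string] $Domain = $env:USERDNSDOMAIN)
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $dir   = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $backups = Backup-GPO -All -Domain $Domain -Path $dir -Comment "Scheduled backup $stamp"
    foreach ($b in $backups) {
        $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -Domain $Domain -ReportType Html -Path (Join-Path $dir "$safeName.html")
    }
    return $backups
}

function Get-GpoBackupInventory {
    # Reads manifest.xml in a backup directory: one entry per backed-up GPO
    # version, identified the way the deck lists (name, domain, time, GUID).
    param([Parameter(Mandatory)] [string] $BackupDir)
    [xml]$manifest = Get-Content -LiteralPath (Join-Path $BackupDir 'manifest.xml') -Raw
    foreach ($inst in $manifest.DocumentElement.ChildNodes) {
        $text = { param($n) $inst.GetElementsByTagName($n) | Select-Object -First 1 -ExpandProperty InnerText }
        [pscustomobject]@{
            GpoName    = & $text 'GPODisplayName'
            GpoGuid    = & $text 'GPOGuid'
            Domain     = & $text 'GPODomain'
            BackupId   = & $text 'ID'
            BackupTime = & $text 'BackupTime'
            Comment    = & $text 'Comment'
        }
    }
}

function Restore-GpoVersion {
    # Restores a chosen version of a GPO by backup ID. Restore keeps the GPO GUID
    # and ACL and never touches the links on OUs, sites or the domain.
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        [Parameter(Mandatory)] [string] $GpoName,
        [string] $Domain = $env:USERDNSDOMAIN
    )
    $version = Get-GpoBackupInventory -BackupDir $BackupDir |
        Where-Object { $_.GpoName -eq $GpoName } |
        Sort-Object BackupTime |
        Select-Object -Last 1
    if (-not $version) { throw "No backup of '$GpoName' found in $BackupDir" }
    Restore-GPO -BackupId ([guid]$version.BackupId) -Path $BackupDir -Domain $Domain
}

# Usage:
# $set = Backup-AllGpos -BackupRoot 'D:\GPOBackups'
# Get-GpoBackupInventory -BackupDir $set[0].BackupDirectory | Format-Table -AutoSize
# Restore-GpoVersion -BackupDir $set[0].BackupDirectory -GpoName 'Default Domain Policy'
```

Because restore returns a GPO to its backed-up ACL as well as its settings, a backup set is also the record to diff against when an unexpected change to a GPO's permissions or settings is being investigated; the HTML reports written next to each backup make that comparison readable without GPMC.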

GPO Import And Copy Overview
- Enables "templatization" of managed configuration
- Transfers policy settings, does not modify links to the GPO
- Can be used same domain, cross domain, or cross forest
  - Cross domain/forest enabled via migration tables
- Key differences between import and copy
  - Copy requires simultaneous access to source and destination domains (e.g., trust)
  - Import does not require simultaneous access
  - Source/destination behavior: import is from the file system to an existing GPO; copy is from a live GPO to a new GPO

GPO Import Details
- Import source: any backed-up GPO in the file system
- Import destination: an existing GPO in Active Directory
  - Erases existing settings in the GPO
- Import operation does not modify these items on the existing GPO:
  - GUID
  - ACLs
  - Links on OUs/domains/sites to this GPO
  - Link to WMI filter
- Permissions: requires edit rights on the existing GPO

GPO Copy Details
- Copy source: a live GPO in Active Directory
- Copy destination: creates a new GPO (new GUID)
- Two choices for handling the ACL on the GPO:
  - Use the default ACL on the GPO
  - Preserve the existing ACL from the source GPO
- WMI filter handling:
  - Link is preserved in same-domain copy operations
  - Link is dropped in cross-domain copy operations
- Permissions:
  - Requires GPO creation rights in the target domain
  - Requires read access to the source GPO

Cross Domain/Forest Migration Overview
- Key challenge: some GPO settings are domain/forest specific
  - References to users, groups and computers
  - References to UNC paths
- Solution: migration table
  - Maps a reference in the source GPO to a new reference in the destination GPO
  - Migration tables are created using the Migration Table Editor

Cross Domain/Forest Migration Details
Users, groups, computers referenced in GPOs
- References possible in these settings:
  - Folder redirection, GP-based software deployment
  - Security Settings (User Rights, Restricted Groups, System Services, File System, Registry)
- Issues:
  - Domain local groups not valid in other domains, even if there is trust
  - Users, groups not usable if cross-forest and no trust
  - Even if there is trust, you may want to use different groups in the target domain, especially for production-to-production scenarios
UNC paths referenced in GPOs
- References possible in these settings: software distribution points, folder redirection shares, and pointers to externally stored scripts
- Issue: users in the destination domain may not have access to the source path

Scenario: Test to production migration
Test Forest (domains A, B, C) to Production Forest (domains D, E, F). The diagram lists the user rights principals in GPO X and, in the same order, those in the copy of GPO X:

GPO X user rights (test)    Copy of GPO X user rights (production)
B\PilotUsersGroup           E\RedmondUsers
B\AdminGroup                E\AdminGroup
A\PilotUserRemoteGroup      D\RemoteUsersGroup
C\SpecialGroup              F\VerySpecialGroup

Scenario: Production to Production Migration
Single Production Forest (domains A, B, C). The diagram lists the user rights principals in GPO X and, in the same order, those in the copy of GPO X:

GPO X user rights    Copy of GPO X user rights
B\JapanUsers         C\EuropeUsers
B\STD                C\STD
A\GPAdmins           A\GPAdmins

Migration Tables
What is a migration table?
- An XML file created by the admin using the Migration Table Editor (MTE)
- Maps security principals and UNC paths to new values
- Used during import and copy operations
Choices for using migration tables with import and copy
- No migration table: copy as is
- Use migration table
- Use migration table exclusively
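The test-to-production scenario carried through end to end, as an added example that is not part of the deck: a migration table built from the scenario's group mappings, then the two transfer paths the Import and Copy slides contrast. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later) rather than the Migration Table Editor or the deck's .wsf scripts. Assumptions: the migration table XML uses the MigrationTable/Mapping/Type/Source/Destination element names and namespace that the Migration Table Editor writes; the scenario groups are treated as global groups; the domain DNS names (B.test.example, E.prod.example), backup directory and UNC paths are constructed placeholders.

```powershell
# Added example, not from the ADM320 deck. Requires the GroupPolicy module
# (Windows Server 2008 R2 and later). Domain names, paths and group types
# are constructed or assumed; see the lead-in.
Import-Module GroupPolicy

function New-MigrationTable {
    # Writes a .migtable file. Each mapping renames one security principal or
    # UNC path from its source-domain form to the destination-domain form.
    param(
        [Parameter(Mandatory)] [string]      $Path,
        [Parameter(Mandatory)] [hashtable[]] $Mappings   # @{ Type; Source; Destination }
    )
    $validTypes = 'User', 'Computer', 'LocalGroup', 'GlobalGroup', 'UniversalGroup', 'UNCPath', 'Unknown'
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<?xml version="1.0" encoding="utf-16"?>')
    [void]$sb.AppendLine('<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">')
    foreach ($m in $Mappings) {
        if ($validTypes -notcontains $m.Type) { throw "Unknown mapping type '$($m.Type)' for $($m.Source)" }
        if ($m.Type -ne 'UNCPath' -and $m.Destination -notmatch '^[^\\]+\\[^\\]+$') {
            throw "Destination '$($m.Destination)' must be DOMAIN\name"   # catch a typo before it lands in production
        }
        $src = [System.Security.SecurityElement]::Escape($m.Source)
        $dst = [System.Security.SecurityElement]::Escape($m.Destination)
        [void]$sb.AppendLine("  <Mapping><Type>$($m.Type)</Type><Source>$src</Source><Destination>$dst</Destination></Mapping>")
    }
    [void]$sb.AppendLine('</MigrationTable>')
    [System.IO.File]::WriteAllText($Path, $sb.ToString(), [System.Text.Encoding]::Unicode)
    return $Path
}

# The deck's test-to-production mappings (group type assumed), plus a
# constructed UNC path for a software distribution point.
$migTable = New-MigrationTable -Path 'D:\GPOBackups\test-to-prod.migtable' -Mappings @(
    @{ Type = 'GlobalGroup'; Source = 'B\PilotUsersGroup';      Destination = 'E\RedmondUsers' },
    @{ Type = 'GlobalGroup'; Source = 'B\AdminGroup';           Destination = 'E\AdminGroup' },
    @{ Type = 'GlobalGroup'; Source = 'A\PilotUserRemoteGroup'; Destination = 'D\RemoteUsersGroup' },
    @{ Type = 'GlobalGroup'; Source = 'C\SpecialGroup';         Destination = 'F\VerySpecialGroup' },
    @{ Type = 'UNCPath';     Source = '\\testfs01\Software';    Destination = '\\prodfs01\Software' }
)

# Path 1, Import: source is a backed-up copy of GPO X in the file system, the
# destination is an existing GPO in production whose settings are replaced.
# No trust between the forests is needed; only the backup directory must be
# reachable. (-CreateIfNeeded is a cmdlet convenience beyond the deck's rule
# that the destination already exists.)
Import-GPO -BackupGpoName 'GPO X' -Path 'D:\GPOBackups\2003-06-01_0200' `
           -TargetName 'GPO X' -Domain 'E.prod.example' `
           -MigrationTable $migTable -CreateIfNeeded

# Path 2, Copy: live GPO to a new GPO, which needs simultaneous access to both
# domains (a trust). -CopyAcl is the "preserve the existing ACL" choice; omit it
# to get the default ACL on the new GPO.
Copy-GPO -SourceName 'GPO X' -SourceDomain 'B.test.example' `
         -TargetName 'GPO X' -TargetDomain 'E.prod.example' `
         -MigrationTable $migTable -CopyAcl
```

The pre-write validation in New-MigrationTable is the check that matters most in practice: a user right granted to a mistyped principal silently fails to resolve in the destination domain, and the GPO then ships with a gap in exactly the security settings the deck lists as domain-specific. The deck's third choice, "use migration table exclusively" (refuse any unmapped reference), is a GPMC option not shown here.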

Deploying From Test To Production (demo)

Scripting
- All operations in this tool are scriptable
  - Scriptability achieved via COM objects
  - GPMC UI uses the same interfaces
  - Caveat: cannot script settings within a GPO
- GPMC includes 32 sample scripts
- For more details on scripting, see the GPMC SDK (link at end of presentation) and "Scripting Group Policy Operations" (ADM421)

Creating A Staging Environment (demo)

GPMC Availability
- Web download, available now
- Requires one licensed copy of Windows Server 2003 in your org
- /gpmc

Agenda
- Using the Group Policy Management Console (GPMC)
- Best Practices for Managing Group Policy

General Guidelines
- Limit who can create and modify GPOs
- Fewer GPOs per user/computer are better
- Avoid using Deny for GPO security
- Consider using loopback for lab, server and shared machines
- Use Block Inheritance and Enforce sparingly

DC Issues
- Avoid modifying the default GPOs (Default Domain Policy, Default Domain Controllers Policy)
  - Exceptions:
    - Account policy should be set only in the Default Domain Policy, not in any other GPO at the domain level
    - User rights for DCs should only be contained in the Default DC Policy
    - As required for app compat if you install apps on DCs (avoid this)
- Avoid installing apps on DCs that modify security policy automatically
- Ensure all DCs receive consistent policy settings
  - Do not filter policy settings on individual DCs
  - All DCs should remain in the Domain Controllers OU

OU Design Considerations
- Don't plan your OU design without considering Group Policy issues
- User and computer objects:
  - Don't mix users and computers in the same OU
  - Define roles for users and computers and create OUs corresponding to those roles
- A user account must have read access up the OU tree to get Group Policy

Operations
SYSVOL
- Don't mess with the Policies directory in the SYSVOL!
- Don't adjust ACLs on the SYSVOL
- Only manage the SYSVOL and AD via Group Policy tools (GPEdit, GPMC, AD Users and Computers)
- GPMC checks ACL consistency of a GPO between AD and SYSVOL
Backup
- Back up your GPOs on a regular basis (GPMC includes a sample script for this)
- Ensure that the GPO backup directory is secured

Performance Considerations
- Fewer GPOs per user/computer is better
- Use WMI filters sparingly
- Avoid cross-domain GPO linking
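An audit that reports departures from the General Guidelines, OU Design and Performance Considerations slides (Deny ACEs on GPOs, Block Inheritance, Enforce, cross-domain links, WMI filters, OUs that mix users and computers, containers with many linked GPOs), as an added example that is not part of the deck. It uses the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 and later), not the deck's scripts. Assumptions: the link-count threshold is a constructed value, and the finding categories are this example's own.

```powershell
# Added example, not from the ADM320 deck. Requires the GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 and later). The threshold
# below is a constructed value; tune it to the environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GroupPolicyHygieneFindings {
    param(
        [string] $Domain = $env:USERDNSDOMAIN,
        [int]    $MaxLinkedGposPerSom = 5      # constructed threshold for "fewer GPOs is better"
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Kind, $Object, $Detail)
             $findings.Add([pscustomobject]@{ Kind = $Kind; Object = $Object; Detail = $Detail }) }

    # Per-GPO checks: Deny ACEs ("Avoid using Deny for GPO security") and
    # WMI filters ("Use WMI filters sparingly").
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -Domain $Domain -All | Where-Object Denied | ForEach-Object {
            & $add 'DenyAce' $gpo.DisplayName ('{0}\{1} denied {2}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.Permission)
        }
        if ($gpo.WmiFilter) { & $add 'WmiFilter' $gpo.DisplayName $gpo.WmiFilter.Name }
    }

    # Per-container checks: Block Inheritance, Enforce, cross-domain links and
    # the number of linked GPOs, for the domain head and every OU.
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $ous      = @(Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object DistinguishedName)
    foreach ($som in (@($domainDn) + $ous)) {
        $inh = Get-GPInheritance -Target $som -Domain $Domain
        if ($inh.GpoInheritanceBlocked) { & $add 'BlockInheritance' $som 'Inheritance blocked' }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) { & $add 'Enforced' $som $link.DisplayName }
            if ($link.GpoDomainName -and $link.GpoDomainName -ne $Domain) {
                & $add 'CrossDomainLink' $som ('{0} from {1}' -f $link.DisplayName, $link.GpoDomainName)
            }
        }
        if ($inh.GpoLinks.Count -gt $MaxLinkedGposPerSom) {
            & $add 'ManyLinks' $som ('{0} GPOs linked directly' -f $inh.GpoLinks.Count)
        }
    }

    # OU design check: users and computers directly in the same OU.
    foreach ($ou in $ous) {
        $users     = @(Get-ADUser     -Filter * -SearchBase $ou -SearchScope OneLevel -Server $Domain).Count
        $computers = @(Get-ADComputer -Filter * -SearchBase $ou -SearchScope OneLevel -Server $Domain).Count
        if ($users -gt 0 -and $computers -gt 0) { & $add 'MixedOu' $ou "$users users, $computers computers" }
    }
    return $findings
}

# Usage:
# Get-GroupPolicyHygieneFindings | Sort-Object Kind, Object | Format-Table -AutoSize
```

Run on a schedule and diffed against the previous run, the output also serves as change detection: a new Enforced link, a new Deny ACE or a GPO that suddenly carries a WMI filter is worth a question even when each one is individually allowed.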

Deployment
- Stage policy deployments in a test environment prior to production deployment
  - A staging domain is easy to build using GPMC!
- Roll out major changes to Group Policy incrementally

Win2K domains & upgrades
- In any Windows 2000 domain created prior to SP4:
  - ACLs on the Default Domain Policy and default GPOs are slightly mismatched
  - GPMC will prompt you to clean up. Do this!
  - In this case, it sets the DACL protect bit on SYSVOL
- In any Windows Server 2003 domain that was upgraded from Windows 2000:
  - Need to adjust permissions on all GPOs created prior to the upgrade, in order for cross-domain Group Policy Modeling to work
  - You will get the ACL-mismatch popup
  - Run the script "GrantPermissionOnAllGPOs.wsf" (see Help for details)

Managing New Accounts
- Difficult to apply Group Policy to newly created accounts
  - Default locations are not OUs: CN=Users, CN=Computers
  - GPOs can only be linked to OUs, sites, domains
- In Windows Server 2003, these default locations can be redirected to OUs
  - Tools at %windir%\system32: RedirUsr.exe, RedirComp.exe
  - Allows GP management of new accounts
  - See KB

Troubleshooting
- Your primary tools to troubleshoot Group Policy are all exposed in GPMC:
  - Event Log
  - Group Policy Modeling (RSoP planning)
  - Group Policy Results (RSoP logging)
- Many Group Policy issues are due to improperly configured DNS
  - The Group Policy client must be able to ping the DC
- Read the Troubleshooting Group Policy white paper!

Best Practices
#1 recommendation: use the GPMC!

Resources
- GPMC Web site: link to download GPMC
- White paper: Migrating GPOs (technical article)
- Scripting resources:
  - Thirty-two sample scripts included with the product: %programfiles%\gpmc\scripts
  - GPMC SDK: installed to %programfiles%\gpmc\scripts\gpmc.chm; also in the Platform SDK
- Group Policy Web sites
- Newsgroup: microsoft.public.windows.group_policy

Suggested Reading And Resources
- Active Directory for Microsoft Windows Server 2003 Technical Reference (available today)
- Microsoft Windows Server 2003 Administrator's Companion (available today)
Today Microsoft Press books are 20% off at the TechEd Bookstore; buy any two Microsoft Press books and get a free T-shirt.


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.