70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 11: Group Policy for Corporate Policy

Guide to MCSE , Enhanced2 Objectives Understand and describe the purpose of Group Policy Describe how Group Policy is applied Manage desktop computers using Group Policy Analyze and configure security settings using Group Policy

Guide to MCSE , Enhanced3 Objectives (continued) Install and use the Group Policy Management Console Troubleshoot Group Policy

Guide to MCSE , Enhanced4 Group Policy Introduced in Windows 2000 Enhanced in: Windows XP Windows Server 2003 Largely collection of registry entries Enhancements in Windows Server 2003: Transient policy settings Expanded capabilities

Guide to MCSE , Enhanced5 Administrative Templates Files with.adm extension Describe registry settings Can be configured in policy or Group Policy Included with Windows Server 2003: System.adm Inetres.adm Wmplayer.adm Conf.adm Wuau.adm

Guide to MCSE , Enhanced6 Client-side Extensions Allow for more advanced control and configuration Included with Windows Server 2003 and Windows XP: EFS (encrypting file system) recovery Folder redirection Internet Explorer maintenance IP security

Guide to MCSE , Enhanced7 Client-side Extensions (continued) Included with Windows Server 2003 and Windows XP: Microsoft Disk Quota QoS Packet Scheduler Scripts Security Software installation Wireless

Guide to MCSE , Enhanced8 Group Policy Storage Stored on Domain controllers Local computers Local policy object Stored in hidden folder Referred to as local computer policy Applies only to local computer Great for workgroup environment

Guide to MCSE , Enhanced9 Group Policy Storage (continued) GPOs Stored on domain controllers Centrally managed Single GPO typically affects many users and computers One part stored in Active Directory database Called group policy container (GPC) Other stored in SYSVOL share Referred to as group policy template (GPT)

Guide to MCSE , Enhanced10 Group Policy Storage (continued) GPT subfolders: Adm USER USER\applications MACHINE MACHINE\applications

Guide to MCSE , Enhanced11 Creating a Group Policy Object Tools for creating GPOs: Group Policy standalone Microsoft Management Console (MMC) snap-in Group Policy extension in Active Directory Users and Computers

Guide to MCSE , Enhanced12 Activity 11-1: Creating a Group Policy Object Using the MMC Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs Follow directions to create GPOs

Guide to MCSE , Enhanced13 Group Policy Processing GPOs linked to sites, domains, and organizational units using GPO links Applies to user and computer objects that exist in container to which they are linked Can be linked with multiple organizational units, sites, or even domains Only stored on domain controllers in domain where created

Guide to MCSE , Enhanced14 Group Policy Priority Processing order: First policy to be applied is the local computer policy Any GPOs linked to site are applied GPOs linked to domain are applied GPOs linked to organizational units are applied

Guide to MCSE , Enhanced15 Group Policy Priority (continued) Process is followed twice Once for Computer Configuration When computer starts up Once for User Configuration When user logs on

Guide to MCSE , Enhanced16 Default GPO Processing Order

Guide to MCSE , Enhanced17 Dealing with Conflict Options for policy settings Enabled Disabled Not Configured Policy settings from multiple GPOs can be combined As long as they do not conflict In case of conflict: GPO to be applied last wins

Guide to MCSE , Enhanced18 Modifying Group Policy Priority Modify priority by configuring settings: No Override Block Policy Inheritance Loopback Processing Mode

Guide to MCSE , Enhanced19 Controlling Group Policy Application with Permissions GPOs cannot be linked to groups Application of Group Policy can be controlled through permissions

Guide to MCSE , Enhanced20 Controlling Group Policy Application with Permissions (continued) Standard permissions available to GPO: Full Control Read Write Create All Child Objects Delete All Child Objects Apply Group Policy

Guide to MCSE , Enhanced21 Activity 11-5: Filtering Group Policy Objects Using Security Permissions Objective: Use security permissions to filter and control the application of policy settings Follow instructions to stop settings in Marketing Policy GPO from applying to Administrators group

Guide to MCSE , Enhanced22 Windows Management Instrumentation Filters Used to restrict application of GPOs Control GPO application based on computer configuration, such as: Hardware configuration File existence or attributes Applications being installed Amount of free hard drive space Written in WMI Query Language (WQL) Does not apply to Windows 2000

Guide to MCSE , Enhanced23 Slow Link Detection When working over slow link May be undesirable to apply parts of Group Policy Client pings domain controller several times To determine link speed 500 Kbps or less is considered slow

Guide to MCSE , Enhanced24 Default Slow Link Behavior

Guide to MCSE , Enhanced25 Desktop Management with Group Policy Desktop management One of primary goals that can be accomplished with Group Policy

Guide to MCSE , Enhanced26 Restricting Windows Can protect users from their own mistakes Remove access to features such as: Configuring proxy settings Setting desktop wallpaper

Guide to MCSE , Enhanced27 Folder Redirection Allows administrator change location of default Windows folders Locate on server: Allows users to access information from any computer on network

Guide to MCSE , Enhanced28 Folder Redirection (continued) Folders that can be redirected are: Application data Desktop My Documents Start menu

Guide to MCSE , Enhanced29 Scripts GPOs can contain scripts for: Logon Logoff Startup Shutdown Can be written in languages such as VBScript (.vbs) JScript (.js) Must store scripts in location accessible to users running them

Guide to MCSE , Enhanced30 Security Management with Group Policy Security policy Collection of security-related settings Located in all GPOs Majority of security policy settings apply to computers Found in Computer Configuration section

Guide to MCSE , Enhanced31 Account Policies Includes configuration settings that may be the initial step to securing computer network Must be configured in GPO linked to domain Subcategories: Password Policy Account Lockout Policy Kerberos Policy

Guide to MCSE , Enhanced32 Local Policies Wide variety of settings Very flexible Categories: Audit policy User rights assignment Security options

Guide to MCSE , Enhanced33 Restricted Groups Define users that are allowed membership to specific groups When group policy applied: Any member of restricted group not listed in restricted group’s member list removed Prevents administrators from accidentally adding users to sensitive groups

Guide to MCSE , Enhanced34 System Services Define which services are started, stopped, or disabled on computers Can also configure security for services Effective way to disable unnecessary services on: Client computers Servers

Guide to MCSE , Enhanced35 Registry Settings Define security permissions for registry entries Applied to all computers affected by GPO

Guide to MCSE , Enhanced36 File System Defines NTFS permissions applied to local hard drives of computers affected by GPO Enhance security by removing permissions to files and folders

Guide to MCSE , Enhanced37 Wireless Network Policies Define settings for wireless network connectivity Configure which wireless networks’ workstations can connect to and automatically configure Wireless Encryption Protocol (WEP)

Guide to MCSE , Enhanced38 Public Key Policies Define configuration settings relating to use of different public key-based applications such as: Encrypting file system (EFS) Automatic certificate enrolment settings Certificate Authority (CA) trusts Autoenrollment New feature Allows computers and users to request version 2 certificate templates automatically

Guide to MCSE , Enhanced39 Software Restriction Policies Define security settings related to what programs are allowed to run on system Individual rules can be based on: File’s hash Digital certificate used to sign executable File’s path Internet zone

Guide to MCSE , Enhanced40 IP Security Policies Define IPSec settings Can enable IPSec for entire network with little effort

Guide to MCSE , Enhanced41 Security Templates Used to: Define, edit, and save baseline security settings Applied to computers with common security requirements Meet organizational security standards Help ensure Consistent setting can be applied to multiple machines Easily maintained Stored in.inf files

Guide to MCSE , Enhanced42 Security Templates (continued) Setup Security.inf. Default template Provides single file in which all original computer security settings are stored Incremental templates Only apply to machines already running default security settings Use Security Templates snap-in to create custom templates

Guide to MCSE , Enhanced43 Analyzing Security Security Configuration and Analysis utility Compare current system settings to previously configured security template Identifies Changes to original security configurations Possible security weaknesses

Guide to MCSE , Enhanced44 Using the Group Policy Management Console Available as free download for Windows Server 2003 customers Brings together tools and options accessible from number of different tools Adds new functionality Highly recommended Especially in large deployments

Guide to MCSE , Enhanced45 Troubleshooting Group Policy Most important thing is interaction of: Links to containers Priority ordering by administrators No Override Block Inheritance ACL permissions Loopback Processing Mode WMI filters

Guide to MCSE , Enhanced46 Troubleshooting Tools Resultant Set of Policy (RSoP) Gpresult Gpupdate Dcgpofix

Guide to MCSE , Enhanced47 Summary Group Policy applies settings to users and computers in: Site Domain Organizational unit Order of application for GPOs is: Local Site Domain Organizational unit

Guide to MCSE , Enhanced48 Summary (continued) User or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply To affect domain accounts, account policies must be set at the domain level Security management using Group Policy is accomplished with security templates