Published by Sophie Ross. Modified over 9 years ago.
Managing Windows Environments with Group Policy

Section 3: Designing a Group Policy Infrastructure
- Overview of Active Directory
- Introducing the Design Stages for Implementing Group Policy
- Planning Your Group Policy Design
- Designing Your Group Policy Solution
- Deploying Your Group Policy Solution
- Managing Your Group Policy Solution
© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives
After completing this section, you will be able to:
- Describe the basic structure of Active Directory
- Describe the four stages of implementing Group Policy
- Explain how to plan your Group Policy in accordance with company requirements
- Describe the guidelines that you should follow when you create new GPOs
- Explain how to deploy Group Policy based on the Active Directory structure
- Explain how to manage Group Policy by delegating administration and setting permissions

Overview of Active Directory
Active Directory is used to store objects, authenticate users, and implement policies. Active Directory concepts include:
- Active Directory Objects
- Active Directory Architecture
- Naming Standards
- Users and Groups
- Organizational Units

Active Directory Objects
- Users
- Groups
- Computers
- Contacts
- Printers
- Shared folders

Active Directory Architecture
Components, from the widest scope down:
- Site
- Global Catalog
- Forest
- Tree
- Domain
- Domain controller (DC)
- OU
Diagram labels: sites Southeast and Northeast; domains hq.local, atl.hq.local, widget.com, and na.widget.com; ou=Sales; cn=JaneD.

Naming Standards
The Active Directory naming architecture is built on:
- DNS
- LDAP
- X.500
Example: the object cn=JaneD has the distinguished name cn=janed,ou=sales,dc=atl,dc=hq,dc=local

Users and Groups
Local User Accounts
- Exist on the local computer only
Domain User Accounts
- Can be used by any domain member
- Support a single sign-on environment
Group Types
- Security
- Distribution
Group Scopes
- Domain local
- Global
- Universal

Organizational Units
- OUs and Groups
- Creating an OU Structure

OUs and Groups
OUs
- OUs are used to store collections of accounts.
- Accounts can be stored in only one OU at a time.
- OUs can be used to apply Group Policy.
Groups
- Groups are used for permissions and delegation.
- Users in a group receive the permissions of the group.
- A user can be in multiple groups.
- Users are members of groups for access control purposes.

Creating an OU Structure
Three common OU models:
- Geographic: North America, South America, Europe, Asia
- Functional: Admins, Help Desk, Managers, Users
- Departmental: Sales, Marketing, Engineering, Accounting

Introducing the Design Stages for Implementing Group Policy
The four major stages in a successful Group Policy implementation:
- Planning
- Designing
- Deploying
- Managing

Planning Your Group Policy Design
- Policy Survey
- Policy Objectives
- Policy Components

Policy Survey
- Analyze user requirements
- Inventory the IT roles in the company
- Examine existing security policies
  - What level of security is required for servers?
  - What level of security is desired for network clients and public computers?
  - How is software distributed?
  - How are updates distributed?
  - Where is the essential data stored?
  - Who currently has management authority?

Policy Objectives
- Evaluate corporate practices: can Group Policy mirror existing user practices?
- Discuss security concerns
- Some policy objectives may not work for every company
- Users who resist policy acceptance will try to circumvent restrictions

Policy Components
- Computer security
- Software deployment
- Logon scripts
- Folder redirection
- Administrative Template settings
- Preference settings

Designing Your Group Policy Solution
- Group Policy Solution Components
- Designing Your Group Policy Model
- Delegating GPO Responsibilities
- Creating New GPOs
- Sites and GPOs

Group Policy Solution Components
- Networking
- DNS Services
- Time Synchronization
- Administration
- Client Interoperability

Designing Your Group Policy Model
- GPO links
- Security filtering
- Number of Group Policy objects
- Scope of Group Policy
- Applicability of Group Policy settings
- Non-applicability of Group Policy settings
- Roles and locations of users and computers
- Desktop configurations
- User requirements for various types of users

Delegating GPO Responsibilities
- Assign subordinate administrators the ability to create and link policies for select OUs
- Avoid having too many administrators with responsibility for the same GPOs

Creating New GPOs
- Gradually implement restrictive policies
- Avoid configuring restrictive policies at the domain root
- Configure more granular GPOs on a per-OU basis

Sites and GPOs
- Geographical location of your Active Directory sites
- Physical location of each domain controller determines its site location
- Speed of the FRS
- Intersite and intrasite replication
Diagram: a DC in the Northeast site.

Deploying Your Group Policy Solution
- Applying Group Policy Changes
- Linking GPOs to the Domain
- Designing an OU Structure for Group Policy
- Applying Group Policy to New Users and Computers

Applying Group Policy Changes
- The primary mechanisms for refreshing Group Policy are startup and logon.
- Group Policy is also refreshed on a regular basis.
- The policy refresh interval in force affects how quickly changes to Group Policy objects are applied.
- Folder redirection and the assignment of software applications require the user to log off and log on again before they take effect.
- Software applications assigned to computers are installed only when the computer is restarted.

Linking GPOs to the Domain
- Linking GPOs to the domain applies them equally to all users and computers in the domain.
- All domain controllers retrieve the values of the account policy settings from the Default Domain Policy GPO.
- The term "linked" defines where the GPO was created or where the GPO settings are to apply.

Designing an OU Structure that Supports Group Policy
- You can move users and computers into and out of OUs within a single domain.
- If necessary, you can rearrange OUs within the single domain.
- Groups of users with common requirements can be easily moved and contained.
- Users and computers can be organized based on which administrators manage them.

Applying Group Policy to New User and Computer Accounts
- In Active Directory, the Users and Computers containers cannot have policies assigned to them.
- redircmp.exe and redirusr.exe change the default location for new account objects.
- Redirect new users and computers to OUs that policies can affect.
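The redirection described above, as an added example that is not part of the course materials: it reads the current default containers from the domain object, checks that the target OUs exist, runs redirusr.exe and redircmp.exe, and verifies the result. It assumes the ActiveDirectory module on a domain controller; the OU names "Staging Users" and "Staging Computers" are assumptions.

```powershell
# Added example (not from the slides): redirect new user and computer objects
# from the built-in Users/Computers containers, which cannot have GPOs linked,
# to OUs that the Group Policy design can target. Run as a domain admin on a DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Default user container:     $($domain.UsersContainer)"
Write-Host "Default computer container: $($domain.ComputersContainer)"

# Assumed target OUs; create them in the OU structure before running this
$newUserOU     = "OU=Staging Users,$($domain.DistinguishedName)"
$newComputerOU = "OU=Staging Computers,$($domain.DistinguishedName)"

foreach ($ou in $newUserOU, $newComputerOU) {
    try   { Get-ADOrganizationalUnit -Identity $ou | Out-Null }
    catch { throw "Target OU does not exist, create it first: $ou" }
}

# Each tool takes the distinguished name of the new default container
& redirusr.exe $newUserOU
& redircmp.exe $newComputerOU

# Re-read the domain object: UsersContainer and ComputersContainer come from
# its wellKnownObjects attribute, which is what the two tools update
$after = Get-ADDomain
if ($after.UsersContainer -ne $newUserOU -or $after.ComputersContainer -ne $newComputerOU) {
    throw 'Redirection did not take effect; check the tool output above'
}
Write-Host "New accounts will now be created in $newUserOU and $newComputerOU"
```

Link the OU-level GPOs to the two staging OUs so that every new account receives the baseline from its first logon or startup.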

Managing Your Group Policy Solution
- Delegating the Administration of Group Policy
- Specifying a Domain Controller for Editing GPOs
- Rolling Back Domain GPOs
- Starter GPOs
- Adding Comments to a GPO
- Using the AGPM

Delegating the Administration of Group Policy
- Default Rights for Group Policy Management
- Group Policy Creator Owners Group
- GPO Delegation
- Manually Assigning Permissions

Default Rights for Group Policy Management
- When a Windows domain is installed, default permissions are assigned to specific administrative groups for creating, deleting, and linking GPOs.
- Enterprise Administrators can create, delete, link, or unlink GPOs anywhere in the forest.
- Delegate limited control to other administrators to assist in GPO management.

Groups Assigned GPO Rights
Windows Group: Rights Granted
- Enterprise Admins: Create, delete, edit, and link GPOs in all forest containers (sites, domains, and OUs).
- Domain Admins: Create, delete, edit, and link GPOs in the domain and all OUs hosted by the domain, but not in sites.

Groups Assigned GPO Rights (cont.)
Windows Group: Rights Granted
- Group Policy Creator Owners: Create GPOs in the domain to which the group belongs. Users who are members of this group can edit any GPOs that they create; however, other members of the group cannot. Deleting GPOs is not allowed. Linking to a site, domain, or OU is also not allowed.
- Local Admins: Create GPOs in the domain to which the group belongs. A user that is a member of this group can edit and delete all GPOs that any other group member has created. Linking the GPO to the domain and any OUs hosted by the domain is also allowed.

Group Policy Creator Owners Group
- Members of the GPCO group can link only to containers they have link rights to.
- Being a member of the GPCO group gives the non-administrator full control of only those GPOs that the user creates.
- GPCO members do not have permissions for GPOs that they do not create.

GPO Delegation
- The right to link GPOs can be delegated separately from the right to create and edit GPOs.
- Be sure to delegate these rights only to the groups you want to be able to create and link GPOs.
- Creation of GPOs can be delegated to any group or user.

Manually Assigning Permissions
Permission guidelines for creating and editing GPOs:
- The ability to create GPOs in a domain is a permission that is managed on a per-domain basis.
- By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and System can create new GPOs.
- By default, domain administrators can edit all GPOs in the domain.

Rights for GPO Control
Right: Control granted
- Full control: Create, edit, view, and delete the GPO
- Read: View the GPO in the Group Policy Console (opening the GPO to edit is not allowed)
- Write: View and edit the GPO (note: the Read permission must also be granted to even be able to view the GPO)
- Create all child objects: Create and edit GPOs (deleting is not allowed)
- Delete all child objects: Delete a GPO
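The delegation guidance on the preceding slides (avoid too many administrators per GPO, GPCO members control only their own GPOs, delegate edit rights deliberately), as an added example that is not part of the course materials: it lists the GPCO membership, reports every trustee with edit-level rights on each GPO and flags GPOs whose editor list is long, then delegates edit rights on one GPO to a help-desk group. It assumes the GroupPolicy and ActiveDirectory modules (RSAT); the group name "GPO-HelpDesk-Editors", the GPO name "WKS-HelpDesk-DesktopSettings" and the threshold of three editors are assumptions.

```powershell
# Added example (not from the course): audit who can edit each GPO and delegate
# edit rights, without delete or security-modification rights, on one GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Permission levels that allow changing a GPO's settings
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
$maxEditors = 3   # assumed threshold; a longer editor list is flagged for review

# GPCO members get full control of the GPOs they create and nothing on others,
# so the membership list is the first thing to review
Write-Host 'Group Policy Creator Owners members:'
Get-ADGroupMember -Identity 'Group Policy Creator Owners' |
    Select-Object -ExpandProperty SamAccountName

# One row per GPO: the trustees that can edit it and whether that list is too long
$report = foreach ($gpo in Get-GPO -All) {
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission.ToString() } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        GPO     = $gpo.DisplayName
        Editors = ($editors -join '; ')
        Count   = @($editors).Count
        Flagged = (@($editors).Count -gt $maxEditors)
    }
}
$report | Sort-Object Count -Descending | Format-Table -AutoSize

# Delegate edit rights on a single GPO to the assumed help-desk editors group.
# GpoEdit includes Read; it does not allow deleting the GPO or changing its ACL.
Set-GPPermission -Name 'WKS-HelpDesk-DesktopSettings' `
    -TargetName 'GPO-HelpDesk-Editors' -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Confirm the resulting entry for that group on that GPO
Get-GPPermission -Name 'WKS-HelpDesk-DesktopSettings' `
    -TargetName 'GPO-HelpDesk-Editors' -TargetType Group
```

Run the report before and after a delegation change and keep the output with the change record; a GPO whose editor list grows silently is exactly the "too many administrators" condition the design guidance warns about.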

Specifying a Domain Controller for Editing GPOs
- The choice of domain controller is important for administrators to consider in order to avoid replication conflicts.
- In each domain, the domain controller with the FSMO role of PDC emulator is used for all GPO operations in that domain. This includes all operations on the GPOs that are located in that domain.

Rolling Back Domain GPOs
- The default domain GPOs can be rolled back to their standard configuration using dcgpofix.exe if needed.
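The two slides above (editing against the PDC emulator, and resetting the default domain GPOs with dcgpofix.exe), as an added example that is not part of the course materials: it resolves the PDC emulator, takes a restorable backup of both default GPOs against that DC, and only then runs the reset. It assumes the GroupPolicy and ActiveDirectory modules on a domain controller; the backup path is an assumption.

```powershell
# Added example (not from the slides): back up the default domain GPOs on the
# PDC emulator before resetting them, because dcgpofix.exe keeps no copy.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
Write-Host "GPO operations will target the PDC emulator: $pdc"

$backupPath = 'C:\GPO-Backups\DefaultDomainGPOs'   # assumed location
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Backup-GPO -Server pins the operation to the PDC emulator, which is the DC
# the course says GPMC uses for GPO operations in the domain
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Backup-GPO -Name $name -Path $backupPath -Server $pdc `
        -Comment "Before dcgpofix, $(Get-Date -Format 'yyyy-MM-dd HH:mm')" | Out-Null
}
Get-ChildItem -Path $backupPath | Select-Object Name

# /target:Both rewrites both default GPOs to their out-of-the-box settings;
# use /target:Domain or /target:DC to reset only one of them
& dcgpofix.exe /target:Both

# If the reset has to be reverted, restore from the backup taken above:
# Restore-GPO -Name 'Default Domain Policy' -Path $backupPath -Server $pdc
```

dcgpofix.exe asks for confirmation before it rewrites each GPO; the account-policy settings that every domain controller reads from the Default Domain Policy are among the settings it resets, so schedule the reset like any other change to those policies.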

Starter GPOs
- Quickly create a new GPO from a Starter GPO.
- Several Starter GPOs are included by default.

Adding Comments to a GPO
- When you enter a comment in the properties of the GPO, it is displayed in the GPMC on the Details tab.
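The Starter GPO and comment features on the two slides above, together with the "gradually implement restrictive policies, not at the domain root" guidance from the Creating New GPOs slide, as an added example that is not part of the course materials: it creates a GPO from a Starter GPO with a convention-following name and a comment, links it disabled to a pilot OU, and enables the link only after a settings report has been produced. It assumes the GroupPolicy and ActiveDirectory modules; the Starter GPO name, the GPO name and date, the OU path and the report path are assumptions.

```powershell
# Added example (not from the course): create a GPO from a Starter GPO with a
# comment, then roll it out to a pilot OU rather than to the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$pilotOU  = "OU=Pilot,OU=Workstations,$domainDN"      # assumed pilot OU
$starter  = 'Workstation Baseline Starter'           # assumed Starter GPO name

# Naming convention from the summary: purpose, settings applied, creation date
$name    = 'WKS-SecurityBaseline-Pilot-20130601'
$comment = 'Workstation security baseline from Starter GPO. Created 2013-06-01. ' +
           'Pilot OU only; promote to OU=Workstations after review.'

# Fail early if the Starter GPO is missing
Get-GPStarterGPO -Name $starter | Out-Null

# The comment becomes the GPO's Description, shown on the GPMC Details tab
$gpo = New-GPO -Name $name -StarterGpoName $starter -Comment $comment

# Link disabled first: the link is visible in GPMC but applies to nothing yet
New-GPLink -Guid $gpo.Id -Target $pilotOU -LinkEnabled No | Out-Null

# Produce a settings report for review, then switch the link on for the pilot OU
$reportDir = 'C:\GPO-Reports'                         # assumed location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$reportDir\$name.html"
Set-GPLink -Guid $gpo.Id -Target $pilotOU -LinkEnabled Yes | Out-Null

# Show every link that now affects the pilot OU, including inherited ones
(Get-GPInheritance -Target $pilotOU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Promoting the GPO to the parent OU later is a second New-GPLink on that OU, so the pilot link can be removed and the same GPO, comment and history carry forward.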

Using the AGPM
Granular Administration
- Robust delegation model
- Role-based administration
- Change request approval
Reduced Failure Risk
- Offline editing of GPOs
- Difference reporting and audit logging
- Recovery of a deleted GPO
- Repair of live GPOs
Change Management
- Creation of GPO template libraries
- Subscription to policy change e-mail notifications
- Version tracking, history capture, and quick rollback of deployed changes
Note: Microsoft has not yet released an updated AGPM for Windows 8 and Windows Server 2012.

Summary
- The heart of Active Directory is a database with object types such as Users, Groups, Computers, Contacts, Printers, and Shared folders.
- Active Directory is made up of a collection of components (Site, Global Catalog, Forest, Tree, Domain, Domain Controller, and OU) that work at different levels of a hierarchy.

Summary (cont.)
The four stages of implementing Group Policy are:
- Planning: During this stage, you will decide which components of Group Policy to deploy in your organization; start gathering information about your company and how it carries out its day-to-day business with an Active Directory network; and design a Group Policy that manages entities such as computer security, software deployment, etc.
- Designing: During this stage, you will configure the physical components of the environment, lay out the Group Policy model, delegate management authority, create new GPOs, and design the interaction of GPOs with Active Directory sites.

Summary (cont.)
- Deploying: During this stage, you will make the policy available to the users and computers that you want to affect with the settings.
- Managing: During this stage, you will put mechanisms in place to manage group policies on an ongoing basis; delegate authority to subordinate administrators to manage certain aspects of Group Policy; specify a default domain controller for GPO editing; and use tools such as Starter GPOs and the AGPM to track and control Group Policy objects.

Summary (cont.)
To plan your Group Policy in accordance with your company requirements, do the following:
- Ask your help desk, end users, management, and support staff the planning stage questions.
- Determine which components of Group Policy to deploy.
- Find out about the design and implementation of your Active Directory infrastructure.
- Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network.
- If your company has several divisions, find out how the network infrastructure is managed.

Summary (cont.)
- Base your Group Policy design on your physical and logical Active Directory deployment.
- Ensure the plan manages the Group Policy entities such as computer security, folder redirection, roaming user profiles, etc.
Follow these guidelines when you create new GPOs:
- Use the settings in your GPOs that you are already familiar with, and use a domain GPO to deploy a company-wide GPO with minimal settings that are acceptable to everyone.

Summary (cont.)
- Create more granular GPOs on a per-OU basis to affect smaller numbers of users and computers with their specific needs.
- Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO; the name should include the settings applied and the date of creation and change.
- You can link policies to the domain, site, or at the various levels of a nested OU structure.

Summary (cont.)
- Decide the degree to which you should centralize or distribute administrative control of Group Policy.
  - In a centralized administration model, the IT group provides services and sets standards for the entire company.
  - In a distributed administration model, each business unit manages its own IT group.
- Based on the administrative model, determine which configuration management components should be handled at the site, domain, and OU levels.
- You can manually assign permissions to a GPO from the Group Policy MMC.

Knowledge Check
1. What types of objects can you store in Active Directory?
   Users, Groups, Computers, Contacts, Printers, and Shared Folders

Knowledge Check (cont.)
2. Briefly describe the Planning and Design stages of implementing Group Policy.
   During the Planning stage:
   - Decide which components of Group Policy to deploy
   - Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network
   - Design a Group Policy that manages entities (computer security, software deployment, etc.)

Knowledge Check (cont.)
2. Briefly describe the Planning and Design stages of implementing Group Policy.
   During the Design stage:
   - Configure the physical components of the environment
   - Lay out the Group Policy model
   - Delegate management authority
   - Create new GPOs
   - Design the interaction of GPOs with Active Directory sites

Knowledge Check (cont.)
3. What should you do when you plan your Group Policy in accordance with your company requirements? (Choose all that apply.)
   a. Ask the planning stage questions.
   b. Find out about the design and implementation of your Active Directory infrastructure.
   c. Base your Group Policy design on your physical and logical domain controller deployment.
   d. Determine how your company carries out its day-to-day business with an Active Directory network.

Knowledge Check (cont.)
4. What should you include when you name a GPO?
   The settings applied and the date of creation and change.
5. What can you link the policies to when you deploy your Group Policy solution?
   You can link the policies to the domain, site, or at the various levels of a nested OU structure.
6. Name the two models you can use to delegate the administration of Group Policy.
   Centralized administration model and distributed administration model