Understanding Group Policy on Windows Server 2003
John Howard, IT Pro Evangelist, Microsoft UK
http://blogs.technet.com/jhoward

Agenda
  • Introducing Group Policy
  • Common tasks with Group Policy
  • Planning & Best Practices

Introducing Group Policy: Basic Understanding
  • Works with Windows 2000 and later
  • Enable one-to-many management of users and computers
  • Simplify administrative tasks
  • Implement security settings
  • Implement standard computing environments

Introducing Group Policy: Group Policy Terms
  • Group Policy Management Console
  • Group Policy settings
  • Group Policy Object Editor
  • Active Directory containers
      • Site
      • Domain
      • OUs
      • Child OUs

Introducing Group Policy: Group Policy Capabilities
  • Registry-based Policy
  • Security Settings
  • Software Restrictions
  • Software Distribution
  • Computer and User Scripts
  • Roaming Profiles and Redirected Folders
  • Offline Folders
  • Internet Explorer Maintenance

Introducing Group Policy: Default Policies
  • Local Security Policy
  • Default Domain Policy
  • Default Domain Controllers Policy

Introducing Group Policy Where is Group Policy Stored

Introducing Group Policy: Order of Precedence
Policies are applied from the bottom of this list upwards, so on a conflict the entry nearest the top wins:
  • Child OU Policy
  • Parent OU Policy
  • Domain Policy
  • Site Policy
  • Local Security Policy

Introducing Group Policy: Group Policy Management Console
  • Unified, easy to use GUI
  • Backup/Restore of GPOs
  • Import/Export and Copy/Paste of GPOs
  • Simplified security
  • HTML reporting
  • Scripting of Group Policy tasks

Introducing Group Policy: Group Policy Objects & Links
  • GPMC manages: GPO, Links, Scope Of Management (SOM)
  • GPOs contain policy settings
  • Links define what objects the GPO will target
  • Scope Of Management (SOM): Site, Domain, OU, OU, …
  • Filtering can be based on links to SOM
  • Better illustrates the relationship between GPOs and Links

Demo Introducing Group Policy

Common tasks: Using Administrative Templates
  • Enable configuration of policy settings
  • Do not actually contain policy settings
  • Used by Group Policy Object Editor
  • Policy settings are contained in registry.pol
  • Windows Server 2003 contains:
      • System.adm
      • Inetres.adm
      • Conf.adm
      • Wmplayer.adm
      • Wuau.adm

Common tasks: Using Administrative Templates
  • KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”
  • Superset principle from WS2003 RTM onwards
  • Historical .adm files available online
  • Never edit the OS-shipped .adm files
  • Know the benefits of a “true policy” (as compared to preferences)
      • Security (local administrators)
      • Cleanup (if GPO is out of scope)
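
Added example (not part of the original slides): a minimal reader for the registry.pol layout, a "PReg" header followed by UTF-16LE [key;value;type;size;data] records, that flags each setting as true policy or preference. It treats keys under Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies as true policy; the sample bytes are constructed and the Contoso key is hypothetical.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)          # signature + version 1
REG_SZ, REG_DWORD = 1, 4
# Keys under these roots are "true policy"; anything else is a preference.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _tok(buf, pos, ch):                          # consume '[', ';' or ']'
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return [(key, value_name, reg_type, data, is_true_policy), ...]."""
    if buf[:8] != HEADER:
        raise ValueError("bad PReg header")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _tok(buf, pos, "["))
        name, pos = _wstr(buf, _tok(buf, pos, ";"))
        # Layout from here: ';' type(4 bytes) ';' size(4 bytes) ';' data ']'
        rtype, = struct.unpack_from("<I", buf, _tok(buf, pos, ";"))
        size, = struct.unpack_from("<I", buf, _tok(buf, pos + 6, ";"))
        pos = _tok(buf, pos + 12, ";")
        raw = buf[pos:pos + size]
        pos = _tok(buf, pos + size, "]")         # also fails on truncated data
        data = (struct.unpack("<I", raw)[0] if rtype == REG_DWORD else
                raw.decode("utf-16-le").rstrip("\0") if rtype == REG_SZ else raw)
        out.append((key, name, rtype, data, key.lower().startswith(POLICY_ROOTS)))
    return out

def _entry(key, name, rtype, raw):               # builds the constructed sample
    w = lambda s: s.encode("utf-16-le")
    return (w(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(raw)) + w(";") + raw + w("]"))

SAMPLE = (HEADER   # constructed input, not taken from a real GPO
          + _entry(r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU",
                   "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0))
          + _entry(r"Software\Contoso\App", "Banner", REG_SZ,
                   "hello\0".encode("utf-16-le")))
```

Entries flagged False are preferences: they sit outside the policy keys, so they are not cleaned up when the GPO falls out of scope.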

Common Tasks: Account Policies
  • Password
  • Account lockout
  • Kerberos settings
  • Domain level vs OU level setting

Common Tasks: Software Restriction Policies
  • Windows Server 2003 and Windows XP
  • Base philosophies
      • Unrestricted: All programs run except those I select
      • Disallowed: Use with care
  • Policy rules
      • Hash
      • Certificate
      • Path
      • Internet Explorer Zone

Common Tasks: Restricted Groups
  • Membership of Active Directory security groups
      • No-one can be in Enterprise Administrators
      • Only these users are helpdesk staff
  • Membership of Local Groups
      • Helpdesk are members of local administrators

Common Tasks: Some of the rest…
  • Additional security
      • Registry Access Control Lists (ACLs)
      • File System Access Control Lists (ACLs)
      • Service Startup Mode
  • Internet Explorer Maintenance
  • Audit Policies
      • Especially on servers

Demo Common Tasks with Group Policy

Planning & Best Practices: OU Design
  • Why create OUs
  • Segment by role
      • Domain controllers
      • Computers
      • Users
  • Redirect default OU for new accounts
      • redirusr.exe and redircmp.exe
  • Use delegation of administration
      • Create/Update/Link GPOs

Planning & Best Practices: Group Policy Objects
  • Normalise GPOs – “GP Common Scenarios”
  • Naming conventions
      • Clear purpose and intent
      • 3-segment string: Scope/Purpose/Managed By
      • e.g. WW-Outlook-OTG
  • What about the number of GPOs?
      • MYTH: Fewer GPOs = Better performance
      • FACT: Number of settings is more important

Planning & Best Practices: General Guidance
  • Avoid Cross-Domain GPO links
      • Performance overhead
      • Alternative: GPMC scripts
  • Use the following sparingly
      • Enforce (no override)
      • Block Inheritance
      • Loopback
  • Keep it simple
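
Added example (not part of the original slides): a simplified model of the order of precedence shown earlier, extended with Enforce and Block Inheritance to show why the guidance above asks for sparing use. GPO names, setting names and values are hypothetical; link order within a container, security and WMI filtering, and loopback are not modelled, and the local policy is assumed to be unaffected by Block Inheritance.

```python
# Processing order from the slides: later levels overwrite earlier ones.
ORDER = ["Local", "Site", "Domain", "Parent OU", "Child OU"]

def resolve(links, blocked=()):
    """links: [(level, gpo_name, settings, enforced)].
    blocked: levels that have Block Inheritance set.
    Returns {setting: (value, winning_gpo)}."""
    rank = {lvl: i for i, lvl in enumerate(ORDER)}
    lowest_block = max((rank[b] for b in blocked), default=-1)
    normal, enforced = [], []
    for level, gpo, settings, is_enforced in links:
        if is_enforced:
            enforced.append((rank[level], gpo, settings))   # ignores blocking
        elif level != "Local" and rank[level] < lowest_block:
            continue            # cut off by Block Inheritance further down
        else:
            normal.append((rank[level], gpo, settings))
    effective = {}
    # Normal links: Local first, Child OU last, so the closest container wins.
    for _, gpo, settings in sorted(normal, key=lambda l: l[0]):
        for name, value in settings.items():
            effective[name] = (value, gpo)
    # Enforced links go on top, highest container last, so an enforced
    # domain link beats everything linked beneath it.
    for _, gpo, settings in sorted(enforced, key=lambda l: l[0], reverse=True):
        for name, value in settings.items():
            effective[name] = (value, gpo)
    return effective

# Constructed links; GPO and setting names are hypothetical.
LINKS = [
    ("Local",     "Local Policy",    {"Wallpaper": "local.bmp"}, False),
    ("Site",      "Site-Proxy",      {"Proxy": "site-proxy"}, False),
    ("Domain",    "Domain-Baseline", {"ScreenSaverTimeout": 600}, True),
    ("Domain",    "Domain-Desktop",  {"Wallpaper": "corp.bmp"}, False),
    ("Parent OU", "Dept-Desktop",
     {"Wallpaper": "dept.bmp", "Proxy": "dept-proxy"}, False),
    ("Child OU",  "Kiosk",           {"ScreenSaverTimeout": 0}, False),
]

if __name__ == "__main__":
    print(resolve(LINKS))
    print(resolve(LINKS, blocked=["Child OU"]))
```

With Block Inheritance on the child OU the proxy setting disappears entirely and the wallpaper falls back to the local policy, while the enforced domain baseline still overrides the child OU's own screen saver value.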

Planning & Best Practices: Using WMI Filters
  • XP and Windows Server 2003 Only
  • Performance hit
  • Limit to known lifetime if possible
  • Scriptomatic

Summary
  • Group Policy serves many purposes
  • If you’re not already using GPMC, why not?
  • It’s not as hard as it looks
  • …but without planning, it’s easy to make it look hard

http://www.microsoft.com/windowsserver2003/ techn grouppolicy

Recommended Reading
  • “Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000” by Jeremy Moskowitz
  • www.gpanswers.com

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
