
Understanding Group Policy on Windows Server 2003

John Howard, IT Pro Evangelist, Microsoft UK
http://blogs.technet.com/jhoward
Agenda
Introducing Group Policy
Common tasks with Group Policy
Planning & Best Practices
Introducing Group Policy
Basic Understanding
Works with Windows 2000 and later
Enable one-to-many management of users and computers
Simplify administrative tasks
Implement security settings
Implement standard computing environments
Introducing Group Policy
Group Policy Terms
Group Policy Management Console
Group Policy settings
Group Policy Object Editor
Active Directory containers
Site
Domain
OUs
Child OUs
Introducing Group Policy
Group Policy Capabilities
Registry-based Policy
Security Settings
Software Restrictions
Software Distribution
Computer and User Scripts
Roaming Profiles and Redirected Folders
Offline Folders
Internet Explorer Maintenance
Introducing Group Policy
Default Policies
Local Security Policy
Default Domain Policy
Default Domain Controllers Policy
Introducing Group Policy
Where is Group Policy Stored
Introducing Group Policy
Order of Precedence
Child OU Policy
Parent OU Policy
Domain Policy
Site Policy
Local Security Policy


Introducing Group Policy
Group Policy Management Console
Unified, easy to use GUI
Backup/Restore of GPOs
Import/Export and Copy/Paste of GPOs
Simplified security
HTML reporting
Scripting of Group Policy tasks
Introducing Group Policy
Group Policy Objects & Links
GPMC manages
GPO Links
Scope Of Management (SOM)
GPOs contain policy settings
Links define what objects the GPO will target
Scope Of Management (SOM)
Site, Domain, OU, OU, …
Filtering can be based on links to SOM
Better illustrates the relationship between GPOs and Links
Demo: Introducing Group Policy
Common tasks
Using Administrative Templates
Enables configuration of policy settings
Do not actually contain policy settings
Used by Group Policy Object Editor
Policy settings are contained in registry.pol
Windows Server 2003 contains:
System.adm
Inetres.adm
Conf.adm
Wmplayer.adm
Wuau.adm
Common tasks
Using Administrative Templates
KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”
Superset principle from WS2003 RTM onwards
Historical .adm files available online
Never edit the OS-shipped .adm files
Know the benefits of a “true policy” (as compared to preferences)
Security (local administrators)
Cleanup (if GPO is out of scope)
Common Tasks
Account Policies
Password
Account lockout
Kerberos settings

Domain level vs OU level setting


Common Tasks
Software Restriction Policies
Windows Server 2003 and Windows XP
Base philosophies
Unrestricted
All programs run except those I select
Disallowed
Use with care
Policy rules
Hash
Certificate
Path
Internet Explorer Zone
Common Tasks
Restricted Groups
Membership of Active Directory security groups
No-one can be in Enterprise Administrators
Only these users are helpdesk staff
Membership of Local Groups
Helpdesk are members of local administrators
Common Tasks
Some of the rest…
Additional security
Registry Access Control Lists (ACLs)
File System Access Control Lists (ACLs)
Service Startup Mode
Internet Explorer Maintenance
Audit Policies
Especially on servers
Demo: Common Tasks with Group Policy
Planning & Best Practices
OU Design
Why create OUs
Segment by role
Domain controllers
Computers
Users
Redirect default OU for new accounts
redirusr.exe and redircmp.exe
Use delegation of administration
Create/Update/Link GPOs
Planning & Best Practices
Group Policy Objects
Normalise GPOs – “GP Common Scenarios”
Naming conventions
Clear purpose and intent
3-segment string: Scope/Purpose/Managed By
e.g. WW-Outlook-OTG
What about the number of GPOs?
MYTH: Fewer GPOs=Better performance
FACT: Number of settings is more important
Planning & Best Practices
General Guidance
Avoid Cross-Domain GPO links
Performance overhead
Alternative - GPMC scripts
Use the following sparingly
Enforce (no override)
Block Inheritance
Loopback
Keep it simple
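
Added example (not part of the original slides): a simplified Python model of the stack shown under Order of Precedence and of the Enforce and Block Inheritance options listed above, useful for reasoning about which GPO wins a conflicting setting. GPO names and setting labels are constructed; the model assumes one link order per container, ignores Loopback, and assumes Block Inheritance does not affect local policy.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                  # GPO name (constructed, Scope-Purpose-ManagedBy style)
    settings: dict            # setting label -> value (labels are constructed)
    enforced: bool = False    # "Enforce (no override)" set on the link

@dataclass
class Container:              # one Scope of Management: site, domain or OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resolve(local, chain):
    """chain runs site, domain, parent OU, ..., child OU.
    Returns {setting: (value, source that won)}."""
    # The deepest container with Block Inheritance drops every non-enforced
    # link above it. Model assumption: local policy is not affected by it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.enforced:
                enforced.append(link)
            elif i >= cut:
                normal.append(link)
    result = {k: (v, "Local Security Policy") for k, v in local.items()}
    # Last writer wins. Enforced links are written after all normal links,
    # child-most first, so the highest enforced link has the final word.
    for link in normal + enforced[::-1]:
        for k, v in link.settings.items():
            result[k] = (v, link.gpo)
    return result

# Constructed sample hierarchy
LOCAL = {"ScreenSaverTimeout": 600}
CHAIN = [
    Container("Site"),
    Container("Domain", [
        Link("WW-Desktop-OTG", {"ScreenSaverTimeout": 900, "HideControlPanel": True}),
        Link("WW-Audit-OTG", {"AuditLogonEvents": "Success,Failure"}, enforced=True),
    ]),
    Container("Parent OU", [Link("UK-Desktop-OTG", {"ScreenSaverTimeout": 300})]),
    Container("Child OU", [
        Link("UK-Lab-LabAdmins", {"AuditLogonEvents": "None", "ScreenSaverTimeout": 1200}),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, source) in sorted(resolve(LOCAL, CHAIN).items()):
        print(f"{name} = {value!r}  (from {source})")
```

In the sample, Block Inheritance on the child OU discards the domain's desktop GPO, but the enforced audit GPO still overrides the child OU's attempt to turn auditing off.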
Planning & Best Practices
Using WMI Filters
XP and Windows Server 2003 Only
Performance hit
Limit to known lifetime if possible
Scriptomatic
Summary
Group Policy serves many purposes
If you’re not already using GPMC, why not?
It’s not as hard as it looks
…but without planning, it’s easy to make it look hard
http://www.microsoft.com/windowsserver2003/ techn
grouppolicy
Recommended Reading
“Group Policy, Profiles and Intellimirror for Windows 2003, Windows XP and Windows 2000”
By Jeremy Moskowitz
www.gpanswers.com
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.