Group Policy - Part 2 of 3 Rick Claus IT Pro Advisor Microsoft Canada [email protected].
25
Group Policy - Part 2 of 3 Rick Claus Rick Claus IT Pro Advisor IT Pro Advisor Microsoft Canada Microsoft Canada [email protected] [email protected] http://blogs.technet.com/rclaus http://blogs.technet.com/rclaus
-
Upload
daniel-ryan -
Category
Documents
-
view
215 -
download
2
Transcript of Group Policy - Part 2 of 3 Rick Claus IT Pro Advisor Microsoft Canada [email protected].
Group Policy - Part 2 of 3
Rick ClausRick ClausIT Pro AdvisorIT Pro Advisor
Microsoft CanadaMicrosoft Canada
[email protected]@microsoft.comhttp://blogs.technet.com/rclaushttp://blogs.technet.com/rclaus
What Will We Cover?
• Advanced Group Policy management
• Deploying software with Group Policy
• Group Policy troubleshooting
Agenda
• Implementing Group Policy
• Deploying Software
• Troubleshooting Group Policy
Domain-Level Security Settings
Account Policies
Local Policies
IP Security Policies
File and Registry ACLs
Software Restriction Policies
Account Policies
Local Policies
IP Security Policies
File and Registry ACLs
Software Restriction Policies
Demo
Configuring Domain Policies
demonstration
Software Restriction Policies
Software Restriction Policies
Application started
Hash Rule
Certificate Rule
Path Rule
Internet Zone Rule
Using Software Restriction PoliciesUnrestricted
C:\WINDOWS\SYSTEM32\eventquery.vbsC:\WINDOWS\SYSTEM32\eventquery.vbsC:\WINDOWS\SYSTEM32\pagefileconfig.vbsC:\WINDOWS\SYSTEM32\pagefileconfig.vbs\\LOGIN_SRV\Scripts\CustomerScript1.vbs\\LOGIN_SRV\Scripts\CustomerScript1.vbsC:\Documents and Settings\ILUVU.txt.vbsC:\Documents and Settings\ILUVU.txt.vbs
Demo
Software Restriction Policies
demonstration
Managing Desktops
Local Folder
Shared Network Folder
Elevated privileges
Demo
Managing Desktops
demonstration
Group Policy Filtering
• Security filtering
Refines which users and computers process GPO
• WMI filtering
Filter based on attributes of target computer
Best practice: If you deny GPOs to certain users, disable Read access as well.Best practice: If you deny GPOs to certain users, disable Read access as well.
Group Policy Inheritance
• Link order
• Block inheritance
• Enforcement
• Link status
www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
Demo
Group Policy Filtering and Inheritance
demonstration
Agenda
• Implementing Group Policy
• Deploying Software
• Troubleshooting Group Policy
Software Deployment Options
SMS
WSUSGroup Policy
Rich, granular software distributionRich, granular software distribution
Approve and distribute critical updatesApprove and distribute critical updatesTargeted software deploymentTargeted software deployment
Group Policy Software Deployment
Demo
Deploying Software with Group Policy
demonstration
Session Recap
• Domain-level security settings
• Software restriction policies
• Group Policy filtering and inheritance
• Software deployment with Group Policy
Agenda
• Implementing Group Policy
• Deploying Software
• Troubleshooting Group Policy
Use the Troubleshooting Flowchart
Does Group Policy Results lists the
policy as applied?
Yes NoIs the setting listed?
Is the GPO in the
Denied list?
1. Inheritance2. Asynchronous3. Loopback
1. Replication2. GP Refresh3. Slow Link
1. Security Filtering2. Disabled GPO3. WMI Filter
1. SOM2. GP Refresh3. Network
Yes No Yes
No
Network and Replication Issues
Intersite ReplicationSlow Link Connections
DNS
SMB and LDAP
Group Policy Troubleshooting Tools
> GPResult.exe
> GPMonitor.exe
> GPOTool.exe
> ADDiag.exe
Demo
Troubleshooting Group Policy
demonstration
Session Summary• Group Policy is a powerful tool
• Deploy software through Group Policy
• Several tools are available for troubleshooting Group Policy
For More Information
Visit TechNet at
www.microsoft.ca/technet
Rick ClausRick ClausIT Pro AdvisorIT Pro Advisor
Microsoft CanadaMicrosoft Canada
[email protected]@microsoft.comhttp://blogs.technet.com/rclaushttp://blogs.technet.com/rclaus
