Windows 2008 Server - UPMlaurel.datsi.fi.upm.es/.../docencia/asignaturas/asi/adminw2k8_gpo.pdf ·...
Group Policy
•A centralized approach to applying one or more changes to one or more users or computers
•Setting: Definition of a change or configuration
•Scope: Definition of the user(s) or computer(s) to which the change applies
•Application: A mechanism that applies the setting to users and computers within the scope
•Group Policy: The framework for configuration management in an AD DS domain
Setting
Scope
Application
Tools for management, configuration, and troubleshooting
Group Policy
• The granular definition of a change or configuration
Prevent access to registry-editing tools
Rename the Administrator account
•Divided between
User Configuration ("user policies")
Computer Configuration ("computer policies")
•Define a setting
Not configured (default)
Enabled
Disabled
•Read explanatory text
• Test all settings
Group Policy Object
•Or GPO, is the container for one or more policy settings
•Managed with the Group Policy Management console (GPMC)
Group Policy Objects container
• Edited with the Group Policy Management Editor (GPME)
GPO Scope
•Scope. Definition of objects (users or computers) to which GPO applies
•GPO link. GPO can be linked to site, domain, or organizational unit (OU) (SDOU)
GPO can be linked to multiple site(s) or OU(s)
GPO link(s) define maximum scope of GPO
•Security group filtering
Apply or deny application of GPO to members of global security group
Filter application of scope of GPO within its link scope
•WMI filtering
Refine scope of GPO within link based on WMI query
•Preference targeting
Group Policy Refresh
•When GPOs and their settings are applied
•Computer Configuration
Startup
Every 90-120 minutes
Triggered: GPUpdate command
•User Configuration
Logon
Every 90-120 minutes
Triggered: GPUpdate command
Example
• Demonstration Steps
• Create a GPO
• 1. Start 6425B-HQDC01-A.
• 2. Log on to HQDC01 as Pat.Coleman with the password Pa$$w0rd.
• 3. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
• 4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
• 5. In the console tree, right-click the Group Policy Objects container, and then click New.
• 6. In Name: type CONTOSO Standards, and then click OK.
Example
• Open a GPO for editing
• 1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO Standards GPO, and then click Edit.
• The Group Policy Management Editor (GPME) appears.
• 2. Close the GPME.
• Link a GPO
• 1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
• 2. Select CONTOSO Standards and click OK.
Example
• Delegate the management of GPOs
• 1. In the GPMC console tree, click the contoso.com domain.
• 2. In the details pane, click the Delegation tab.
• 3. Review the default delegation.
• 4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO Standards GPO.
• 5. In the details pane, click the Delegation tab.
• 6. Review the default delegation.
• 7. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
• 8. In the console tree, click the Users container.
• 9. In the details pane, double-click the Group Policy Creator Owners group, and then click the Members tab.
• 10. Review the default membership.
• Delete a GPO
• 1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.
• 2. Click No.
GPO Storage
Group Policy Object (GPO)
• What we call a GPO is actually two things, stored in two places
Group Policy Container (GPC)
• Stored in AD DS
• Friendly name, globally unique identifier (GUID)
• Version
Group Policy Template (GPT)
• Stored in SYSVOL on domain controllers (DCs)
• Contains all files required to define and apply settings
• .ini file contains Version
•Separate replication mechanisms
•GPOTool
Microsoft® Downloads Center
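Because the GPC and the GPT replicate separately, each domain controller can briefly hold different versions of the two halves. The check below is an added example, not part of the original slides and not GPOTool itself. It assumes the usual packing of the version number (user-setting changes in the high 16 bits, computer-setting changes in the low 16 bits); HQDC02 and the sample values are constructed.

```python
import configparser

def split_version(version):
    """High 16 bits count user-setting changes, low 16 bits computer-setting changes."""
    return {"user": version >> 16, "computer": version & 0xFFFF}

def read_gpt_version(gpt_ini_text):
    """Return the Version value from the [General] section of GPT.ini text."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")

def find_version_mismatches(observations):
    """observations: {dc name: (GPC versionNumber, GPT.ini text)} -> list of findings."""
    findings = []
    for dc, (gpc_version, gpt_ini_text) in sorted(observations.items()):
        try:
            gpt_version = read_gpt_version(gpt_ini_text)
        except (configparser.Error, ValueError) as exc:
            findings.append((dc, "unreadable GPT.ini", str(exc)))
            continue
        gpc, gpt = split_version(gpc_version), split_version(gpt_version)
        for half in ("user", "computer"):
            if gpc[half] != gpt[half]:
                findings.append((dc, half, f"GPC={gpc[half]} GPT={gpt[half]}"))
    return findings

# Constructed sample: HQDC02 is a hypothetical second DC whose SYSVOL copy lags behind.
SAMPLE = {
    "HQDC01": (0x00030005, "[General]\nVersion=196613\n"),
    "HQDC02": (0x00030005, "[General]\nVersion=196612\n"),
}

if __name__ == "__main__":
    for finding in find_version_mismatches(SAMPLE):
        print(finding)
```
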
GPO
•Users
•Machines
• Each one of these has this subtree:
Policies
• SW config.
• Windows config. (security, scripts, folder redirection)
• Administrative template
Preferences
• Windows config. (environment variables, direct access, network drives, etc.)
• Control panel config.
Administrative Templates
• Policy that makes changes to the registry
•HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegeditMode
• 1 – Regedit UI tool only
• 2 – Also disable regedit /s
How Computers Apply Administrative Template Settings
• 1. Client computer starts, or user logs on, and the computer retrieves a list of GPOs that apply
• 2. Client computer connects to SYSVOL and locates the Registry.pol files
• 3. Client computer writes to the registry subtrees (HKLM and HKCU)
• 4. Logon dialog box (for computer) or the desktop (for user) appears
[Diagram: GPO list, GPT in SYSVOL with Registry.pol files, HKLM, HKCU]
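To audit what a GPO will write to HKLM or HKCU before clients apply it, the Registry.pol file can be read directly. The parser below is an added example, not part of the original slides; it assumes the version 1 "PReg" file layout. The sample file is constructed: DisableRegeditMode is the name shown on the slide, and ExampleText is made up.

```python
import struct

# Registry.pol: "PReg" signature, DWORD version 1, then UTF-16LE records [key;value;type;size;data]
REG_SZ, REG_DWORD = 1, 4

def u16(text):
    return text.encode("utf-16-le")

def build_entry(key, value, reg_type, data):  # only used to construct SAMPLE
    return (u16(f"[{key}\0;{value}\0;") + struct.pack("<I", reg_type) + u16(";")
            + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

def expect(buf, pos, char):
    if buf[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def read_str(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def read_dword(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_registry_pol(buf):  # -> [(key, value name, type, data), ...]
    if len(buf) < 8 or buf[:4] != b"PReg" or read_dword(buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = read_str(buf, expect(buf, pos, "["))
        value, pos = read_str(buf, expect(buf, pos, ";"))
        reg_type, pos = read_dword(buf, expect(buf, pos, ";"))
        size, pos = read_dword(buf, expect(buf, pos, ";"))
        pos = expect(buf, pos, ";")
        data, pos = buf[pos:pos + size], expect(buf, pos + size, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\0")
        entries.append((key, value, reg_type, data))
    return entries

SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Constructed sample: DisableRegeditMode is the name shown on the slide, ExampleText is made up.
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + build_entry(SYSTEM_KEY, "DisableRegeditMode", REG_DWORD, struct.pack("<I", 2))
          + build_entry(SYSTEM_KEY, "ExampleText", REG_SZ, u16("demo\0")))
print(parse_registry_pol(SAMPLE))
```
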
Example
• Use Filter Options to locate policies in Administrative Templates
• 1. Switch to HQDC01.
• 2. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
• 3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
• 4. In the details pane, right-click the CONTOSO Standards GPO, and then click Edit.
• The Group Policy Management Editor appears.
• 5. In the console tree, expand User Configuration and Policies, and then click Administrative Templates.
• 6. Right-click Administrative Templates, and then click Filter Options.
• 7. Select the Enable Keyword Filters check box.
• 8. In the Filter for word(s) text box, type screen saver.
• 9. In the drop-down list next to the text box, select Exact, and click OK.
• Administrative Templates policy settings are filtered to show only those that contain the words screen saver.
• 10. Spend a few moments examining the settings that you have found.
• 11. In the console tree, right-click Administrative Templates under User Configuration, and then click Filter Options.
• 12. Clear the Enable Keyword Filters check box.
• 13. In the Configured drop-down list, select Yes, and then click OK.
• Administrative Template policy settings are filtered to show only those that have been configured (enabled or disabled).
• 14. Spend a few moments examining those settings.
• 15. In the console tree, right-click Administrative Templates under User Configuration and clear the Filter On option.