Boston Area Windows Server User Group


Clyde G. Johnson

Test Environment

Tools of the trade


Central Store


Show
Group Policy Spreadsheets


Demo
Demo
Planning and Deployment

Mine is built in VMware Workstation
◦ Windows 2003 domain controller / file server
◦ Windows XP client
◦ Windows 7 client



Windows 2003 Domain / forest
Used GPMC scripts to import my environment
Isolated from production network

RSAT
◦ Installs WS2008R2 administration tools on Windows 7 computers for remote management
◦ Enables GUI-based remote management for full server and Server Core installations
◦ Download

GPMC
◦ Part of Windows 7 and 2008 R2

Security Compliance Manager



Install RSAT
Install GPMC
Show SCM
◦ Export as spreadsheet
◦ Export as GPO







Centralized Repository for ADMX Files
One-time creation and population of central store per domain
Replicated to all domain controllers
Helps prevent “GPO bloat”
Contains all ADMX templates including Office 2010 and IE 8.0
Located in Sysvol (case sensitive)
[sysvol]\<domain>\policies\PolicyDefinitions

Sample

It’s a “good thing” if you: Test -> Stage -> Test -> Deploy -> Validate

For significant functional changes, consider a pilot.
◦ Don’t limit the pilot to just IT staff; they often know how to work around/resolve issues!

Some GPMC features are specifically focused on testing/staging/piloting/deploying GPOs
◦ Group Policy Modeling (more elegant face on RSoP Planning)
◦ Backup/Copy/Import (including migration tables)
◦ Specific “sample” scripts, particularly CreateXMLFromEnvironment and CreateEnvironmentFromXML (optionally include users and groups)
◦ Documentation: HTML or XML Reports

Start small and build…
◦ Security (SCM)
◦ Firewall
◦ Folder Redirection
◦ OS / Application Configuration
◦ IE Maintenance
◦ Software Installation
◦ Segregate and congregate
1. Per Group Policy Object (GPO)
2. Per Group Policy setting
3. Per Group Policy Preference (GPP) Item




Administrative Log
Applications and services log
XML Based event logs
New Tools - GPOLogView
Multiple local GPOs (LGPOs)
◦ LGPO: Local Computer Policy
◦ Admin: Admin/Non-Admin Group Policy
◦ User: User Specified Group Policy


Folder Redirection
Offline Files (encrypted) – Mobile only

Do not pre-create folders (ACL issues)

Do not redirect Application Data folder (particularly if logged on from multiple computers):
◦ Exclusive locks
◦ Absolute paths
◦ Network latency

You cannot redirect to a mapped drive (folder redirection occurs before mapping of drives)

25 PowerShell cmdlets for Group Policy scripting
• GPO operations: creation, removal, backup, and import
• GPO link operations: creation, update, and removal
• Setting inheritance flags and permissions on Active Directory organizational units (OUs) and domains
• GPO settings: creation, update, retrieval, removal
◦ Only registry-based policy settings (Administrative Templates)
• GPP settings: creation, update, retrieval, removal
◦ No Item-Level Targeting
• Starter GPO operations: creation and update

Back up all GPOs in the current domain to a directory
• Backup-GPO -All -Path 'C:\BackupFiles\'
Get RSoP for the local computer and logged-on user in HTML form
• Get-GPResultantSetOfPolicy -ReportType Html -Path D:\ConfigDocuments\Reports\
Copy a GPO across domains
• Copy-GPO -SourceName TestGpo1 -SourceDomain test.contoso.com -TargetName TestGpo1 -TargetDomain sales.contoso.com
Configure a registry key to policy with a set of values
• Set-GPRegistryValue -Name "TestGPO" -Key "HKCU\Software\Policies\Microsoft\ExampleKey" -ValueName "ValueOne", "ValueTwo", "ValueThree" -Type String -Value "String 1", "String 2", "String 3"
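
The Test -> Stage -> Deploy flow from the planning slide, written with the Group Policy cmdlets listed above, as an added example that is not from the original presentation. The GPO name, folders, pilot OU, pilot group and the two function names are assumptions; the migration table is expected to exist already, built in GPMC's Migration Table Editor.

```powershell
Import-Module GroupPolicy

# Assumed names for illustration only; none of these come from the slides.
$GpoName    = 'Workstation-Firewall'
$BackupPath = 'C:\GpoStaging\Backups'
$ReportPath = 'C:\GpoStaging\Reports'
$MigTable   = 'C:\GpoStaging\test-to-prod.migtable'
$PilotOU    = 'OU=Pilot,DC=corp,DC=example'
$PilotGroup = 'GPO-Pilot-Computers'

# Step 1, run in the isolated test domain: back up the GPO that passed testing.
function Export-TestedGpo {
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'Passed test, ready for pilot'
}

# Step 2, run in production after copying $BackupPath across.
function Import-PilotGpo {
    if (-not (Test-Path $MigTable)) { throw "Migration table not found: $MigTable" }
    New-Item -ItemType Directory -Path $ReportPath -Force | Out-Null

    # Import into a separate staging GPO; the migration table rewrites
    # test-domain groups and UNC paths to their production equivalents.
    $gpo = Import-GPO -BackupGpoName $GpoName -Path $BackupPath `
        -TargetName "$GpoName-Pilot" -MigrationTable $MigTable -CreateIfNeeded

    # Record exactly what was imported before it applies to anything.
    Get-GPOReport -Guid $gpo.Id -ReportType Html `
        -Path (Join-Path $ReportPath "$($gpo.DisplayName).html")

    # Security-filter to the pilot group. Authenticated Users drops from
    # Apply to Read so computers can still read the GPO but are not in scope.
    Set-GPPermission -Guid $gpo.Id -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Link only to the pilot OU; production OUs are untouched.
    New-GPLink -Guid $gpo.Id -Target $PilotOU -LinkEnabled Yes
}
```

Running Get-GPResultantSetOfPolicy on a pilot machine afterwards covers the Validate step.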
PowerShell Scripts supported in GPO
Startup/Shutdown & Logon/Logoff scripts
By default, Windows PowerShell scripts run
after non-Windows PowerShell scripts

Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy

Group Policy Wiki: http://grouppolicy.editme.com

Group Policy Team Blog: http://blogs.technet.com/grouppolicy

Group Policy Settings Reference: http://go.microsoft.com/fwlink/?LinkID=131389

Remote Server Administration Tools (RSAT): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
New UI: More intuitive, integrated help content, no more tabs
Support for:
◦ REG_MULTI_SZ
◦ REG_QWORD
Easier to use authoring experience
Support for more data types
Do things faster
More control
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn