Module 4: Managing Security


Module 5: Creating and Configuring Group Policies
Module Overview
• Overview of Group Policies
• Configuring the Scope of Group Policy Objects
• Evaluating the Application of Group Policy Objects
• Managing Group Policy Objects
• Delegating Administrative Control of Group Policies
Lesson 1: Overview of Group Policies
• What Are Group Policies?
• Group Policy Settings
• How Group Policies Are Applied
• Exceptions to Normal Group Policy Processing
• Group Policy Components
• What Are ADM and ADMX files?
• What Is the Central Store?
• Demonstration: Configuring Group Policy Objects
What Are Group Policies?
Group Policies enable IT administrators to automate one-to-many
management of users and computers
Use Group Policies to:
• Apply standard configurations
• Deploy software
• Enforce security settings
• Enforce a consistent desktop environment
Local group policies are always in effect for local and domain
users and local computer settings
Group Policy Settings
Group Policy settings for users control these settings:
• Software
• Windows
• Security
• Desktop
Group Policy settings for computers control these settings:
• Software
• Windows
• Security
• Operating systems
How Group Policies are Applied
Computer starts
• Computer settings applied
• Startup scripts run
• Refresh interval: every 90 minutes
User logs on
• User settings applied
• Logon scripts run
• Refresh interval: every 90 minutes
Exceptions to Group Policy Processing
Slow links
• 500 KPS by default
• Certain client side extensions are not processed
• Prior to Vista, ICMP is used to detect a slow link
• Vista uses Network Location Awareness
Cached credentials
• Windows XP and Vista use cached credentials for faster logons
• Many GPO settings take two logons to take effect
Additional exceptions:
• Remote access connections
• Moving a user or computer object in Active Directory
Group Policy Components
Group Policy Object
• Contains Group Policy settings
• Stores content in two locations
Group Policy Container
• Stored in Active Directory
• Provides version information
Group Policy Template
• Stored in shared SYSVOL folder
• Provides Group Policy settings
• Supports both ADM and ADMX templates
What Are ADM and ADMX Files?
ADM files are:
• Copied into every GPO in SYSVOL
• Difficult to customize
ADMX files are:
• Language neutral
• Not stored in the GPO
• Extensible through XML
What Is the Central Store?
The Central Store:
• Is a central repository for ADMX and ADML files
• Is stored in SYSVOL
• Must be created manually
• Is detected automatically by Windows Vista or Server 2008
[Diagram: ADMX files, a Windows Vista or Windows Server 2008 workstation, and two domain controllers with SYSVOL]
Demonstration: Configuring Group Policy Objects
In this demonstration, you will see how to:
• Create a GPO
• Configure settings
Lesson 2: Configuring the Scope of Group Policy Objects
• Group Policy Processing Order
• What Are Multiple Local Group Policies?
• Options for Modifying Group Policy Processing
• Demonstration: Configuring Group Policy Object Links
• Demonstration: Configuring Group Policy Inheritance
• Demonstration: Filtering Group Policy Objects Using Security Groups
• Demonstration: Filtering Group Policy Objects Using WMI Filters
• How Does Loopback Processing Work?
• Discussion: Configuring the Scope of Group Policy Processing
Group Policy Processing Order
[Diagram: processing order Local group, Site, Domain, OU, illustrated with GPO1 through GPO5]
What Are Multiple Local Group Policies?
• One layer of computer configurations that applies to
all users
• Layers apply only to individual users, not to groups
• There are three layers of user configurations:
• Administrator
• Non-Administrator
• User-specific
Options for Modifying Group Policy Processing
Five methods to modify GPO default processing:
• Block inheritance
• Enforcement
• Filtering using security groups or WMI filters
• Disabling GPOs
• Loopback processing
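Added example (not part of the original slides): a simplified Python model of how the processing order above combines with disabled links, block inheritance and enforcement to decide which GPO's value wins. It ignores security-group and WMI filtering and loopback processing, and every GPO, container and setting name in it is constructed for illustration.

```python
# Added illustration: simplified model of GPO precedence (not Microsoft code).
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str                                   # "Local", a site, a domain or an OU
    links: list = field(default_factory=list)   # in application order
    block_inheritance: bool = False

def resolve(chain):
    """chain is ordered Local, Site, Domain, parent OU ... target OU.
    Returns (GPO names in application order, effective settings)."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # Blocking drops non-enforced links inherited from above;
            # the local policy (depth 0) is not affected.
            normal = [(d, l) for d, l in normal if d == 0]
        for link in container.links:
            if link.enabled:                    # disabled links never apply
                (enforced if link.enforced else normal).append((depth, link))
    # Enforced links apply last, and the one highest in the hierarchy wins.
    enforced.sort(key=lambda pair: pair[0], reverse=True)
    order = [l for _, l in normal] + [l for _, l in enforced]
    effective = {}
    for link in order:
        effective.update(link.settings)         # later writer wins
    return [l.gpo for l in order], effective

# Constructed sample hierarchy (all names are made up for the example).
SAMPLE = [
    Container("Local", [Link("LocalPolicy", {"screensaver": "off"})]),
    Container("Site", [Link("SiteProxy", {"proxy": "site-proxy"})]),
    Container("Domain", [
        Link("DomainBaseline", {"wallpaper": "corp", "screensaver": "10min"}),
        Link("DomainLockdown", {"usb_storage": "deny"}, enforced=True),
    ]),
    Container("OU=Kiosks", [
        Link("KioskPolicy", {"usb_storage": "allow", "wallpaper": "kiosk"}),
        Link("OldKiosk", {"proxy": "none"}, enabled=False),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    print(resolve(SAMPLE))
```

In the sample, the OU blocks the site and domain baseline GPOs, yet the enforced domain link still overrides the OU's own `usb_storage` value, which is why security settings that must not be overridden are linked as enforced.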
Demonstration: Configuring Group Policy Object Links
In this demonstration, you will see how to:
• Create and link GPOs to different locations within AD DS
• Disable a GPO link
Demonstration: Configuring Group Policy Inheritance
In this demonstration, you will see how to:
• Block GPO inheritance
• Enforce GPO inheritance
Demonstration: Filtering Group Policy Objects By Using Security Groups
In this demonstration, you will see how to filter the application of GPOs using security groups
Demonstration: Filtering Group Policy Objects Using WMI Filters
In this demonstration, you will see how to create and assign a WMI filter
How Does Loopback Processing Work?
Discussion: Configuring the Scope of Group Policy Processing
[Diagram: Woodgrove Bank Domain Tree; labels: Woodgrove Bank, Head Office site, Toronto site, slow link, high-speed link, Head Office, Branches, Toronto, Winnipeg, Servers, SQL Server, Exchange Server]
Lesson 3: Evaluating the Application of Group Policy Objects
• What Is Group Policy Reporting?
• What Is Group Policy Modeling?
• Demonstration: How to Evaluate the Application of Group Policies
What Is Group Policy Reporting?
Group policy reporting is a method of planning and
troubleshooting group policy
• Group Policy results are provided by the GPMC
• GPResult is a command line utility
What Is Group Policy Modeling?
The Group Policy Modeling Wizard calculates the simulated
net effect of GPOs
The Group Policy Modeling Wizard simulates:
• Site membership
• Security group membership
• WMI filters
• Slow links
• Loopback processing
• The effects of moving user or computer objects to a
different Active Directory container
Demonstration: How to Evaluate the Application
of Group Policies
In this demonstration, you will see how to run each of the
tools for reviewing the application of group policies
Lesson 4: Managing Group Policy Objects
• GPO Management Tasks
• What Is a Starter GPO?
• Demonstration: How to Copy a GPO
• Demonstration: Backing up and Restoring GPOs
• Demonstration: Importing a GPO
• Migrating Group Policy Objects
GPO Management Tasks
GPO management tasks:
• Back up GPOs
• Restore GPOs
• Copy GPOs
• Import GPOs
What Is a Starter GPO?
• Stores administrative template settings on which the new
GPOs will be based
• Can be exported to .cab files
• Can be imported into other areas of the enterprise
[Diagram: a Starter GPO is exported to a cab file; the cabinet file is loaded and imported to GPMC]
Demonstration: How to Copy a GPO
In this demonstration, you will see how to copy a GPO
Demonstration: Backing up and Restoring GPOs
In this demonstration, you will see how to back up and
restore a GPO
Demonstration: Importing a GPO
In this demonstration, you will see how to:
• Import a GPO
• Use a migration table
Migrating Group Policy Objects
The ADMX Migrator utility:
• Can be used to convert custom ADM files to ADMX
• Is GUI based and can be downloaded from the Microsoft download site
Lesson 5: Delegating Administrative Control of Group Policies
• Options for Delegating Control of GPOs
• Demonstration: How to Delegate Administrative Control of GPOs
Options for Delegating Control of GPOs
Methods to delegate control of GPOs in the domain:
• Create GPOs: Membership in Group Policy Creator Owners group or explicit permission to create GPOs
• Edit or delete GPOs: Assign Edit rights to individual policies
• Link GPOs to containers: Delegate the right to link GPOs to containers
• Use reporting tools: Delegate the right to use group policy reporting tools
Demonstration: How to Delegate Administrative Control of GPOs
In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for group policies
Lab: Creating and Configuring GPOs
• Exercise 1: Creating Group Policy Objects
• Exercise 2: Managing the Scope of GPO Application
• Exercise 3: Verifying GPO Application
• Exercise 4: Managing GPOs
• Exercise 5: Delegating Administrative Control of GPOs
Logon information
• Virtual machine: NYC-DC1, NYC-CL1
• User name: Administrator
• Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
• What other method could be used to grant a user the right
to create GPOs in the domain?
• If you need to apply a GPO to computers that have certain
services installed, what is the best approach?
Module Review and Takeaways
• Considerations
• Review questions
Beta Feedback Tool
Beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.
Walkthrough of the tool
Beta Feedback
Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic?
• Was something taught out of order?
Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?