Group Policy In Windows Active Directory


Auditing Microsoft Active Directory
Eric Dugger
Network Services Manager
Nevada Legislature
What is Active Directory
A central component of the Windows platform, Active Directory
directory service provides the means to manage the identities
and relationships that make up network environments.
Resources – Computers & Printers
Services – E-Mail, Policies, DNS, etc.
Users – Accounts and security groups
Primary Items of Importance
Business Continuity
•Is Active Directory backed up?
•Are there multiple Domain Controllers?
Security
•Who has access to change Active Directory?
•What settings in Active Directory affect security? (passwords, etc.)
Policies
•What environment is created from AD Policies?
Business Continuity
Active Directory Backups – Critical Data
•How often?
•Where are they stored?
see Backing up an Active Directory Server doc
Multiple Domain Controllers
•Should have the global catalog
show where in Sites and Services
Questions
Active Directory Security
Who can access Active Directory?
What can they change?
Is auditing turned on for Active Directory?
Access to Active Directory
Active Directory Boundaries
Physical Security
Domain Forests & Trusts
Permissions to Change AD
Groups of Interest
Enterprise Admins
Schema Admins
Administrators
Domain Admins
Server Operators
Account Operators
Backup Operators
DS Restore Mode Administrator
Questions
Group Policy in Microsoft Windows Active Directory
What is Active Directory Group Policy?
• The Group Policy management solution in Microsoft®
Windows Server™ 2003 allows administrators to define
configurations for both servers and user machines. Local
policy settings can be applied to all machines, and for
those that are part of a domain, an administrator can use
Group Policy to set policies that apply across a given site,
domain, or range of organizational units (OUs) in the
Active Directory® directory service. Support for Group
Policy is available on machines running Microsoft
Windows 2000 Server, Microsoft Windows 2000
Professional, Microsoft Windows® XP Professional, and
Windows Server 2003.
Overview
• Control Internet Explorer Settings
• Control Computer/User Settings
• Software Distribution
• Windows Updates
• Much, Much More…
Getting Started
• Windows 2003 Active Directory
• Group Policy Manager Plug-in
Creating a Policy
• Create and Link GPO
• Choose an Organizational Unit
Assigning a Policy
• Policies Linked to this OU
• Policies Inherited to this OU
• Delegation of this OU
Defining Internet Explorer
• Control the Functionality of IE
  • Plug-Ins
  • Menus
  • Empty Temp Folder
• Control the Security of IE
  • ActiveX
  • .NET
  • Block Sites
Configuring an IE Policy
• Define your Zones
  • Internet
  • Intranet
  • Trusted
  • Restricted
• Define your Settings
• Apply Policy to an OU
ZONES
1 – Intranet
2 – Trusted
3 – Internet
4 – Restricted
Control User/Computer Settings
• Configure the Desktop
  • Hide icons/menus
  • Dictate wallpaper
• Control Software Installation or Use
  • Prohibit software from being installed or uninstalled
  • Prohibit software from being run
• Lock Down Administrator Functions
  • Network or security settings
• Configure Windows Firewall
Configure a Desktop Policy
Software Distribution
• Automatically Install Software at Logon
• Publish Software
• Remove Software
• Update Software
Configure a Software Install Policy
• Install a Software Package on Logon
  • The software will be installed when the user logs on
• Publish a Software Package
  • The software will be available through “Add/Remove Programs”
• Redeploy a Software Package
  • The package will be redeployed (Update or New Version)
• Uninstall a Software Package
  • The software will be removed
Install Path to MSI File
Managing Windows Updates
• Create a policy to use the Windows Update Services server
  • Assign WSUS Server
  • Assign WSUS Groups
• Install and Configure WSUS
Windows System Update Server
• Updates for Windows, Office, Exchange Server, and SQL Server, with additional product support over time
• Automatic download of specific updates
• Automated actions for updates, determined by administrator approval
• Ability to determine the applicability of updates before installing them
• Targeting
• Reporting
How WSUS Works
Downloads selected updates to central update server
Release updates to specified groups
Report on status of updates
Computer fields: Computer Name, Operating System, Last Status Report, Computer Group
Approval options: Install, Detect only, Not Approved
Update fields: Update Name, Update Type, Release Date, Approval
Reporting
Report fields: Computer Name, Status Type, Update Title, Last Updated
Status types: Installed, Needed, Not Needed, Unknown, Failed
Questions
Tools
GPResult
Admx
Group Policy Manager
True Last Logon
http://www.dovestones.com/products/True_Last_Logon.asp
What AD Policies am I getting?
GPRESULT
Open a command window
Type gpresult
Export Group Policy Settings
AdmX.exe: ADM File Parser
Category
The ADM File Parser (AdmX) is a command-line tool that enables an
administrator to export Group Policy settings to a tab-delimited text
file. The administrator can then use the text produced by ADM File
Parser (AdmX) to find changes for the policy settings between
different versions of the operating systems. AdmX is for use only with
policies based on administrative templates.
Version compatibility
The AdmX.exe tool runs on Windows 2000, Windows Server 2003,
and Windows XP Professional. AdmX.exe also requires the
Microsoft .NET Framework 1.0.
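An added example, not part of the original slides and not Microsoft's code: given two tab-delimited exports of the kind AdmX produces, this Python script reports which policy settings were added, removed, or changed between them. The column names and sample rows are assumptions constructed for illustration, since the slides do not show AdmX's actual header layout.

```python
import csv
import io

# Assumed column names for this example; match them to your export's header row.
KEY_FIELDS = ("Category", "Policy")

# Constructed sample data, not real AdmX output.
OLD_EXPORT = (
    "Category\tPolicy\tRegistry Key\tValue Name\n"
    "Desktop\tHide icons\tSoftware\\Example\\Desktop\tNoIcons\n"
    "Firewall\tProtect all connections\tSoftware\\Example\\Firewall\tEnable\n"
    "Internet Explorer\tDisable menus\tSoftware\\Example\\IE\tNoMenus\n"
)
NEW_EXPORT = (
    "Category\tPolicy\tRegistry Key\tValue Name\n"
    "Desktop\tHide icons\tSoftware\\Example\\Desktop\tNoIcons\n"
    "Firewall\tProtect all connections\tSoftware\\Example\\FirewallV2\tEnable\n"
    "Windows Update\tSet update server\tSoftware\\Example\\WU\tServer\n"
)


def load_export(text, key_fields=KEY_FIELDS):
    """Index a tab-delimited export by its key columns."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    missing = [f for f in key_fields if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks key column(s): {missing}")
    rows = {}
    for row in reader:
        key = tuple((row[f] or "").strip() for f in key_fields)
        if key in rows:  # a repeated key would silently hide one of the two rows
            raise ValueError(f"duplicate setting in export: {key}")
        rows[key] = {k: (v or "").strip() for k, v in row.items() if k is not None}
    return rows


def diff_exports(old_text, new_text, key_fields=KEY_FIELDS):
    """Return settings added, removed, and changed between two exports."""
    old, new = load_export(old_text, key_fields), load_export(new_text, key_fields)
    changed = {}
    for key in old.keys() & new.keys():
        fields = {f: (old[key].get(f, ""), new[key].get(f, ""))
                  for f in set(old[key]) | set(new[key])
                  if old[key].get(f, "") != new[key].get(f, "")}
        if fields:
            changed[key] = fields
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}
```

Calling `diff_exports(OLD_EXPORT, NEW_EXPORT)` returns a dictionary whose `changed` entry maps each setting to its `(old, new)` value pair per column, which is the part worth reviewing during an audit.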
Group Policy Manager
Questions