TRANSCRIPT
GPO - WINDOWS SERVER 2012
AGENDA:
• Introduction
• Group Policy Overview
• Types of Group Policies/Objects
• Associated Technologies
• How to implement
CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY.
GROUP POLICY OVERVIEW
• Group Policy definition
• Preferences
• Define scope of policy (site, domain, OU)
• Inheritance / Enforce / Block Inheritance
• Administration / GPMC
• Naming conventions
• Security filtering / WMI filters
• RSoP / Group Policy Modeling
• Logon scripts / startup scripts
• Fine-grained password policies
• Security templates (more detail later)
• Machine vs. user policies
• Group Policy loopback processing
• Change control
USER AND COMPUTER CONFIGURATION SETTINGS
Group Policy settings for users:
• Desktop settings
• Software settings
• Windows settings
• Security settings
Group Policy settings for computers:
• Desktop behavior
• Software settings
• Windows settings
• Security settings
GPO COMPONENTS
• Group Policy Object (GPO): contains the Group Policy settings and stores its content in two locations:
  » Group Policy Template (GPT): stored in the shared SYSVOL folder (\\<domain>\SYSVOL\<domain>\Policies\{GUID}); provides the Group Policy settings
  » Group Policy Container (GPC): stored in Active Directory; provides version information
• The version numbers in the GPC and the GPT must match; a mismatch shows up in GPMC and usually means SYSVOL replication has not caught up. Whoever can write to either location can change what every linked computer and user receives, so delegation on the GPO and the ACL on the SYSVOL folder both matter.
WHEN IS A GPO APPLIED?
Computer starts
  → Computer settings applied
  → Startup scripts run
  → Refresh interval: computer settings re-applied in the background
User logs on
  → User settings applied
  → Logon scripts run
  → Refresh interval: user settings re-applied in the background
Defaults: members and workstations refresh every 90 minutes plus a random offset of up to 30 minutes; domain controllers every 5 minutes. Only GPOs whose version changed are re-processed, except that the security settings extension re-applies its settings every 16 hours even when nothing changed.
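The usual first step when a setting "did not take" is to force a refresh ahead of the interval and then look at what actually applied. The block below is an added example written for this page, not part of the original deck; the computer name WS-0042, the user corp\jdoe and the C:\Temp report folder are assumed, and the cmdlets come from the GroupPolicy module that installs with GPMC.

```powershell
# Added example: refresh and verify Group Policy on a client.
# Assumed names: computer WS-0042, user corp\jdoe, report folder C:\Temp.
Import-Module GroupPolicy

# Apply policy now instead of waiting for the background refresh.
# /force re-applies every setting, not only GPOs whose version changed.
# (Software installation and folder redirection still need a restart
#  or a logoff/logon to take effect.)
gpupdate /target:computer /force
gpupdate /target:user /force

# Quick summary for this computer and the logged-on user:
# applied GPOs, GPOs filtered out (and why), group memberships.
gpresult /r

# Full RSoP for a remote computer and a specific user: HTML for people,
# XML for scripts. Needs RPC/WMI access to WS-0042.
$html = 'C:\Temp\rsop-WS-0042.html'
$xml  = 'C:\Temp\rsop-WS-0042.xml'
Get-GPResultantSetOfPolicy -Computer 'WS-0042' -User 'corp\jdoe' -ReportType Html -Path $html
Get-GPResultantSetOfPolicy -Computer 'WS-0042' -User 'corp\jdoe' -ReportType Xml  -Path $xml

# List which GPOs applied and which were denied, per scope, from the XML.
# Element names (Rsop, ComputerResults, UserResults, GPO, Name, Enabled,
# FilterAllowed, AccessDenied) are those of the gpresult XML report;
# PowerShell's XML adapter walks them without declaring the namespace.
[xml]$rsop = Get-Content -Path $xml
foreach ($scope in 'ComputerResults', 'UserResults') {
    "`n== $scope =="
    $rsop.Rsop.$scope.GPO |
        Select-Object Name, Enabled, FilterAllowed, AccessDenied |
        Format-Table -AutoSize
}

# Confirm the refresh really ran: the Group Policy operational log records
# every processing cycle, its trigger and its duration.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run the RSoP part from a management host with GPMC installed; gpupdate and gpresult run on the client itself. If a GPO shows FilterAllowed false or AccessDenied true, the cause is security filtering or a WMI filter rather than link order.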
GPMC (GROUP POLICY MANAGEMENT CONSOLE)
WHAT IS A GPO LINK?
A GPO link attaches a GPO to a site, a domain or an OU. The GPO then applies to the users and computers in that container and, through inheritance, to the containers below it.
• Site → Site GPO
• Domain → Domain GPO
• OU → Organizational Unit GPO (an OU can carry several links, and a nested OU inherits the links above it)
Applied in order: Local, Site, Domain, OU (LSDOU). Where settings conflict, the one applied last wins, so an OU-linked GPO normally overrides a domain-linked one, and within a container the link with order 1 has the highest precedence.
GP ENFORCEMENT
POLICY FILTERING
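The three preceding slides (links and order, enforcement, filtering) are one procedure in practice: create the GPO, link it, decide where it sits in the link order, decide whether it must punch through Block Inheritance, and narrow who receives it. The block below is an added example for this page, not code from the original deck; the domain corp.example, the OUs Workstations and Kiosks, the GPO name WS-Security-Baseline and the group GPO-Apply-Workstations are assumed.

```powershell
# Added example: link, order, enforce, block inheritance and security-filter a GPO.
# Assumed names: domain corp.example, OU Workstations (with child OU Kiosks),
# GPO WS-Security-Baseline, group GPO-Apply-Workstations.
Import-Module GroupPolicy

$domain  = 'corp.example'
$ouDN    = 'OU=Workstations,DC=corp,DC=example'
$kioskOU = "OU=Kiosks,$ouDN"
$gpoName = 'WS-Security-Baseline'

# 1. Create the GPO if it does not exist, then link it to the OU.
if (-not (Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $domain -Comment 'Workstation security baseline' | Out-Null
}
$linked = (Get-GPInheritance -Target $ouDN -Domain $domain).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -Domain $domain -LinkEnabled Yes -Order 1 | Out-Null
}

# 2. Link order within the OU: order 1 is processed last and therefore wins
#    over the other links on the same container.
Set-GPLink -Name $gpoName -Target $ouDN -Domain $domain -Order 1 | Out-Null

# 3. Enforced: this link wins over conflicting settings in GPOs linked lower in
#    the tree and still applies where a child OU blocks inheritance.
#    Use only when required; it makes the effective policy harder to reason about.
Set-GPLink -Name $gpoName -Target $ouDN -Domain $domain -Enforced Yes | Out-Null

# 4. Block inheritance on the child OU (sparingly): only Enforced links from
#    above keep applying there.
Set-GPInheritance -Target $kioskOU -Domain $domain -IsBlocked Yes | Out-Null

# 5. Security filtering: give the target group Apply, and downgrade
#    Authenticated Users from Apply to Read. Keep Read: since MS16-072 the
#    computer account retrieves user-side GPOs, so a GPO that Domain Computers
#    or Authenticated Users cannot read is silently skipped for users.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'GPO-Apply-Workstations' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 6. Check the result: the effective link list on the OU, and who can apply the GPO.
(Get-GPInheritance -Target $ouDN -Domain $domain).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
Get-GPPermission -Name $gpoName -Domain $domain -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

WMI filters have no cmdlet in the GroupPolicy module; create them in GPMC and attach them on the GPO's Scope tab. They are evaluated on the client at processing time, so a filter that errors on an older OS version behaves as "false" and the GPO is skipped there.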
SITE POLICIES
• Second only to local policies in the processing order, so domain- and OU-linked GPOs override them on conflict
• Conditional policies depending on network location (VPN, DMZ, etc.)
• Time zones
• Printer location-related policies
• A client picks its site from the subnet-to-site mapping in AD Sites and Services; a missing or wrong subnet object silently changes which site GPOs it receives
DOMAIN POLICIES
• Password and account policies (password, account lockout, Kerberos): for domain accounts these take effect only from GPOs linked at the domain; the same settings linked at an OU affect only local accounts on the computers in that OU
• Security and auditing policies
• Restricted Groups (control the membership of sensitive domain groups)
• Do not use the Default Domain Policy for anything beyond the account policies it already holds; put other settings in new, purpose-named GPOs linked at the domain root
DEFAULT DOMAIN POLICIES
• Password settings (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies)
• Account lockout settings
• Security Options (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options):
  » Shutdown: Allow system to be shut down without having to log on (disable on servers)
  » Accounts: Rename administrator account
  » Accounts: Rename guest account (renaming changes the name only; the built-in accounts keep RIDs 500 and 501 and can still be found by SID)
  » Shutdown: Clear virtual memory pagefile
  » Microsoft network server: Digitally sign communications (always)
  » Microsoft network client: Digitally sign communications (always)
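Setting these values in a GPO is half the job; the other half is confirming that a member actually received them and that the groups a Restricted Groups policy is supposed to pin contain only what you expect. The block below is an added example for this page, not code from the original deck. It assumes it runs as an administrator on a domain member with RSAT's ActiveDirectory module, and uses the default names of the sensitive groups.

```powershell
# Added example: verify the domain-level settings above on a member, and audit
# the groups a Restricted Groups policy typically controls.
# Assumed: run as an administrator on a domain member; RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

# Account policies: for domain accounts these come only from the domain-linked GPO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Security Options from the slide and the registry values they set on the member.
$checks = @(
    @{ Setting  = 'Shutdown without logon (0 = not allowed)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ShutdownWithoutLogon'
       Expected = 0 }
    @{ Setting  = 'Clear pagefile at shutdown'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name     = 'ClearPageFileAtShutdown'
       Expected = 1 }
    @{ Setting  = 'SMB server: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'
       Expected = 1 }
    @{ Setting  = 'SMB client: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name     = 'RequireSecuritySignature'
       Expected = 1 }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        OK       = ($actual -eq $c.Expected)
    }
}

# Renamed built-in accounts: the RID is what identifies them (500 = Administrator,
# 501 = Guest), so a rename is hygiene, not a control. Show the current names.
Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Where-Object { $_.SID -match '-(500|501)$' } |
    Select-Object Name, SID, Disabled

# Groups a Restricted Groups policy normally pins; anything unexpected here is a finding.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    "`n== $g =="
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}
```

When you do write the Restricted Groups policy itself, remember the two lists behave differently: "Members of this group" replaces the group's membership on every refresh (anyone added by hand is removed again), while "This group is a member of" only adds the group to the listed groups.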
FINE GRAINED PASSWORD POLICIES
• New with the Windows Server 2008 domain functional level (AD DS 2008)
• Allows companies to define different password and lockout policies for groups within their organization, without creating separate domains
• Implemented as Password Settings Objects (PSOs) in CN=Password Settings Container,CN=System,<domain>, not as GPO settings; a PSO is applied to users or global security groups (not to OUs), and when several PSOs match a user the one with the lowest precedence value wins
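A stricter policy for privileged accounts is the typical first use of fine-grained password policies. The block below is an added example for this page, not code from the original deck; the group Tier0-Admins, the PSO name PSO-Tier0-Admins and the test user jdoe are assumed, and the cmdlets come from the ActiveDirectory module.

```powershell
# Added example: a stricter password and lockout policy for a privileged group via a PSO.
# Assumed names: global security group Tier0-Admins, PSO PSO-Tier0-Admins, test user jdoe.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'
$group   = 'Tier0-Admins'   # must be a global security group, or individual users

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $settings = @{
        Name                            = $psoName
        Precedence                      = 10    # lower value wins when a user matches several PSOs
        MinPasswordLength               = 20
        PasswordHistoryCount            = 24
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        MinPasswordAge                  = (New-TimeSpan -Days 1)
        MaxPasswordAge                  = (New-TimeSpan -Days 60)
        LockoutThreshold                = 5
        LockoutObservationWindow        = (New-TimeSpan -Minutes 15)
        LockoutDuration                 = (New-TimeSpan -Minutes 30)
        ProtectedFromAccidentalDeletion = $true
        Description                     = 'Tier 0 administrators: longer passwords, tighter lockout'
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# Attach the PSO to the group. Subjects can be users or global security groups;
# an OU cannot be a subject, which is the main difference from a GPO.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: the resultant policy for a member, and the domain default for comparison.
# No output from the first command means the domain default applies, i.e. the user
# is not (directly or through nested global groups) in any PSO's subjects.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
```

Get-ADUserResultantPasswordPolicy reads the msDS-ResultantPSO attribute the domain controller computes, so it is the authoritative check; do not infer the effective policy from group membership alone.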
USER POLICIES
• Desktop lockdown discussion
  » Removal of the My Documents folder from the computer / Folder Redirection
  » Removal of context menus
  » Remove Add/Remove Programs
  » Password-protect the screen saver
  » Standard desktop? – same screen saver, desktop background, fonts, etc. for certain users?
  » Allow/disallow shared folders
  » Logon/logoff scripts, software installation
  » Loopback processing mode (kiosks)
MACHINE POLICIES
• Roaming profiles – on or off; should they propagate to the server
• Startup and shutdown scripts – asynchronous or synchronous
• Run this at user logon – no matter which user
• Disk quotas
• Dynamic DNS
• Group Policy refresh interval
• Security policy
• EFS policy
• (desktops) Remote Assistance on/off
• (desktops) System Restore on/off/settings
• (desktops) NTP – time settings
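The kiosk case from the user-policy slide and several of the machine settings above fit naturally in one computer-linked GPO with loopback processing, so that every user who sits at the machine gets the same locked-down session. The block below is an added example for this page, not code from the original deck; the domain corp.example, the OU Kiosks under Workstations and the GPO name Kiosk-Lockdown are assumed. The registry paths are the ones the corresponding Administrative Template policies write.

```powershell
# Added example: a kiosk GPO combining machine settings, refresh interval and
# loopback processing with the user-side lockdown it should deliver.
# Assumed names: domain corp.example, OU Kiosks, GPO Kiosk-Lockdown.
Import-Module GroupPolicy

$domain = 'corp.example'
$ouDN   = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example'
$gpo    = 'Kiosk-Lockdown'

if (-not (Get-GPO -Name $gpo -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpo -Domain $domain -Comment 'Kiosk machines: loopback replace + lockdown' | Out-Null
}
$sys = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Loopback processing, Replace mode (2): the user settings of the GPOs that apply
# to the COMPUTER are used and the user's own GPOs are ignored for that session.
# Merge mode (1) applies both, with the computer's GPOs winning conflicts.
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $sys -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Computer refresh interval: 30 minutes plus a random offset of up to 10 minutes
# (default 90 + up to 30). A value of 0 means "every 7 seconds"; never set it.
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $sys -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value 30 | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $sys -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 10 | Out-Null

# Desktop-only machine settings from the list above: System Restore off,
# solicited Remote Assistance off.
Set-GPRegistryValue -Name $gpo -Domain $domain -Key 'HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore' -ValueName 'DisableSR' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services' -ValueName 'fAllowToGetHelp' -Type DWord -Value 0 | Out-Null

# User-side lockdown in the same GPO, reached through loopback for any user:
# forced, password-protected screen saver after 5 minutes; no Control Panel;
# no Add/Remove Programs.
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value '300'          | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key $desk -ValueName 'SCRNSAVE.EXE'        -Type String -Value 'scrnsave.scr' | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'  -ValueName 'NoControlPanel'      -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Domain $domain -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall' -ValueName 'NoAddRemovePrograms' -Type DWord -Value 1 | Out-Null

# Link it to the kiosk OU at the top of that OU's link order.
$linked = (Get-GPInheritance -Target $ouDN -Domain $domain).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpo }
if (-not $linked) {
    New-GPLink -Name $gpo -Target $ouDN -Domain $domain -LinkEnabled Yes -Order 1 | Out-Null
}

# Show the machine-side values the GPO now carries.
Get-GPRegistryValue -Name $gpo -Domain $domain -Key $sys | Select-Object ValueName, Type, Value
```

Two notes on the remaining items in the list: NTP is best left at the domain default (NT5DS) on members, with only the PDC emulator pointed at an external source, so a kiosk GPO should not override it; and because loopback is a computer setting, the user-side lockdown above reaches administrators who log on to a kiosk as well, which is usually intended but worth stating in the change record.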
GUIDELINES FOR PLANNING GPOS
• Apply GPO settings at the highest level that is correct for them
• Reduce the number of GPOs
• Create specialized GPOs
• Use the Enforced option only when required
• Use Block Inheritance sparingly
• Use security filtering only when necessary
Questions?