
Page 1

Group Policy – Tips, Tricks and Best Practices

John Howard

IT Pro Evangelist, Microsoft UK.

Page 2: Agenda

Planning / Building / Testing / Deploying

Specific Group Policy “Features”

Troubleshooting

Page 3: Recommended Reading

Group Policy, Profiles and Intellimirror for Windows Server 2003, Windows 2000 and Windows XP

By Jeremy Moskowitz

http://www.GPAnswers.com

Page 4: Quick Refresh

By default, how often does Group Policy initiate a refresh after a user has logged on?

Does the version number between the AD and Sysvol parts of the GPO need to match in order for Group Policy to apply?

What is the biggest .adm file?

Page 5: Planning – OU Design

Why create OUs?

  Segment by role

    Domain controllers

    Computers

    Users

  Redirect the default OU for new accounts

    redirusr.exe and redircmp.exe [1]

  Use delegation of administration

    Create/Update/Link GPOs

Page 6: Planning – GPO Design

Normalise GPOs – GP Common Scenarios [2]

Naming conventions

  Clear purpose and intent

  3-token string: Scope/Purpose/Managed By

    e.g. WW-Outlook-OTG

What about the number of GPOs?

  MYTH: Fewer GPOs = better performance

  FACT: Number of settings is more important
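Added example, not from the presentation: a PowerShell check of GPO display names against the three-token Scope/Purpose/Managed By convention on this slide (WW-Outlook-OTG is the slide's own example). The "-" separator, the scope code list, the character classes in the pattern, the function name and the sample names are all assumptions constructed for this example.

```powershell
# Added example, not from the presentation: check GPO display names against the
# 3-token Scope-Purpose-ManagedBy convention (the slide's example is WW-Outlook-OTG).
# Assumptions for this example: "-" is the token separator, the scope code list below,
# and the character classes in $Pattern. Adjust them to your own standard.
Import-Module GroupPolicy -ErrorAction SilentlyContinue   # only needed for the live audit

# WW comes from the slide's example; the other scope codes are constructed.
$AllowedScopes = @('WW', 'UK', 'US', 'EMEA')
$Pattern = '^(?<Scope>[A-Z]{2,4})-(?<Purpose>[A-Za-z0-9]+(?: [A-Za-z0-9]+)*)-(?<Owner>[A-Za-z0-9]{2,8})$'

function Test-GpoName {
    param([Parameter(Mandatory)][string]$Name)
    $m = [regex]::Match($Name, $Pattern)
    $problems = @()
    $scope = $purpose = $owner = $null
    if ($m.Success) {
        $scope   = $m.Groups['Scope'].Value
        $purpose = $m.Groups['Purpose'].Value
        $owner   = $m.Groups['Owner'].Value
        if ($AllowedScopes -notcontains $scope) {
            $problems += "unknown scope token '$scope'"
        }
        # "Clear purpose and intent": a generic purpose token says nothing about the GPO.
        if ($purpose -match '^(Test|New|Policy|GPO|Temp|Misc)\d*$') {
            $problems += "purpose token '$purpose' is not descriptive"
        }
    } else {
        $problems += 'not three "-"-separated tokens (Scope-Purpose-ManagedBy)'
    }
    [pscustomobject]@{
        Name      = $Name
        Compliant = ($problems.Count -eq 0)
        Scope     = $scope
        Purpose   = $purpose
        ManagedBy = $owner
        Problems  = ($problems -join '; ')
    }
}

# Constructed sample names for an offline run.
$SampleNames = @(
    'WW-Outlook-OTG',             # the slide's own example: compliant
    'UK-IE Proxy Settings-DESK',  # compliant, purpose token with spaces
    'Default Domain Policy',      # no tokens at all
    'XX-Outlook-OTG',             # scope code not in the allowed list
    'WW-Test1-OTG'                # purpose token carries no intent
)
$SampleNames | ForEach-Object { Test-GpoName -Name $_ } | Format-Table -AutoSize

# Live audit of a domain (requires GPMC / the GroupPolicy module):
# Get-GPO -All | ForEach-Object { Test-GpoName -Name $_.DisplayName } |
#     Where-Object { -not $_.Compliant } | Format-Table Name, Problems -AutoSize
```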

Page 7: Planning – GPO Design

Avoid cross-domain GPO links

  Performance overhead

  Alternative – GPMC scripts

Use the following sparingly

  Enforce (no override)

  Block Inheritance

  Loopback

Keep it simple
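Added example, not from the presentation: a PowerShell audit that lists where the four things this slide says to avoid or use sparingly are actually in use in a domain (cross-domain links, Enforced links, Block Inheritance, and loopback processing). It assumes the GroupPolicy and ActiveDirectory modules from RSAT; the function names are hypothetical, and GPO links on sites are not checked.

```powershell
# Added example, not from the presentation: audit a domain for the things this slide says
# to use sparingly or avoid: cross-domain links, Enforced links, Block Inheritance, and
# loopback processing. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
# Assumption: only the domain root and its OUs are checked, not site links.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkFindings {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $targets  = @($domainDn) + @((Get-ADOrganizationalUnit -Filter * -Server $Domain).DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Finding = 'BlockInheritance'; Gpo = $null; GpoDomain = $Domain }
        }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) {
                [pscustomobject]@{ Container = $dn; Finding = 'Enforced'; Gpo = $link.DisplayName; GpoDomain = $link.GpoDomainName }
            }
            # A link whose GPO lives in another domain is the cross-domain link the slide warns about.
            if ($link.GpoDomainName -and ($link.GpoDomainName -ne $Domain)) {
                [pscustomobject]@{ Container = $dn; Finding = 'CrossDomainLink'; Gpo = $link.DisplayName; GpoDomain = $link.GpoDomainName }
            }
        }
    }
}

# Loopback is a setting inside a GPO, not a link property. The policy writes
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace),
# so read that registry value from each GPO instead of parsing the report.
function Get-LoopbackGpos {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain `
                     -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch {
            $v = $null   # value not configured in this GPO
        }
        if ($null -ne $v -and $v.Value -ne 0) {
            $mode = if ($v.Value -eq 2) { 'Replace' } else { 'Merge' }
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Finding = 'Loopback'; Mode = $mode }
        }
    }
}

Get-GpoLinkFindings | Sort-Object Finding, Container | Format-Table -AutoSize
Get-LoopbackGpos | Format-Table -AutoSize
```

Each finding is reported as an object so the output can be piped to Export-Csv and compared against the previous run.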

Page 8: Planning – GPO Design – WMI Filters

XP and Windows Server 2003 only

Performance hit

Limit to known lifetime if possible

Scriptomatic [3]

Page 9: Planning: Deployment – Test, Stage, Production, Validate

The right thing to do

Pilot significant changes

  …but not just with IT staff!

Use GPMC features to assist [4]

  Sample scripts, e.g. CreateXMLFromEnvironment and CreateEnvironmentFromXML

  Documentation – HTML or XML reports

  Backup/Copy/Import functions

  Modelling

Page 10: Planning: Deployment – Test, Stage, Production, Validate

Page 11: Planning – Disaster Recovery

Group Policy can affect every computer and user

Authoritative Restore is not nice!

GPMC Backup and Restore is

Consider a scripted solution

Secure your backup location

Test your restore

Page 12: Planning – Disaster Recovery

What is not backed up, and why

  They are characteristics of other objects in Active Directory:

    IPSec settings

    WMI filters

    GPO links

  Active Directory backup or scripted solution

DCGPOFix – never use!
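Added example, not from the presentation: a PowerShell script along the lines the two Disaster Recovery slides describe. Backup-GPO handles the GPOs; the script then also records two of the items the slide lists as not backed up (GPO links and WMI filters) and ends with a restore test that never touches a production GPO. It assumes the GroupPolicy and ActiveDirectory modules; the function names, the backup path and the GPO name used in the test are placeholders, and IPSec policy is left to an AD/system-state backup.

```powershell
# Added example, not from the presentation: scripted GPO backup that also records what
# GPMC backup leaves out: GPO links (attributes of the OU/domain objects) and WMI filters
# (msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System). IPSec policy is not covered.
# Requires the GroupPolicy and ActiveDirectory modules; paths and names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-GpoEnvironment {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # "Secure your backup location": a GPO backup holds every setting and the GPO's ACL.
    # Drop inherited permissions and grant only SYSTEM and Administrators.
    icacls $dir /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    # 1. The GPOs themselves (settings, security filtering, linked WMI filter name).
    Backup-GPO -All -Domain $Domain -Path $dir -Comment "Scripted backup $stamp" | Out-Null

    # 2. Human-readable documentation of every GPO, usable without a restore.
    Get-GPOReport -All -Domain $Domain -ReportType Html -Path (Join-Path $dir 'AllGPOs.html')

    # 3. Links, link order, Enforced and Block Inheritance, per container.
    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    $containers = @($domainDn) + @((Get-ADOrganizationalUnit -Filter * -Server $Domain).DistinguishedName)
    $links = foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        foreach ($l in $inh.GpoLinks) {
            [pscustomobject]@{
                Target = $dn; GpoName = $l.DisplayName; GpoId = $l.GpoId; Order = $l.Order
                Enabled = $l.Enabled; Enforced = $l.Enforced; InheritanceBlocked = $inh.GpoInheritanceBlocked
            }
        }
    }
    $links | Export-Csv -Path (Join-Path $dir 'GpoLinks.csv') -NoTypeInformation

    # 4. WMI filters: name, description (msWMI-Parm1) and WQL query (msWMI-Parm2).
    Get-ADObject -Server $Domain -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$domainDn" `
        -Filter 'objectClass -eq "msWMI-Som"' -Properties 'msWMI-Name', 'msWMI-Parm1', 'msWMI-Parm2', 'msWMI-ID' |
        Select-Object 'msWMI-Name', 'msWMI-Parm1', 'msWMI-Parm2', 'msWMI-ID' |
        Export-Csv -Path (Join-Path $dir 'WmiFilters.csv') -NoTypeInformation

    return $dir
}

# "Test your restore" without touching production: import one backed-up GPO into a new,
# unlinked GPO, compare the number of extension sections in the XML reports, then remove it.
function Test-GpoRestore {
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$GpoName)
    $copy = Import-GPO -BackupGpoName $GpoName -Path $BackupDir -TargetName "RestoreTest-$GpoName" -CreateIfNeeded
    try {
        $orig = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
        $test = [xml](Get-GPOReport -Guid $copy.Id -ReportType Xml)
        $o = @($orig.GetElementsByTagName('Extension')).Count
        $t = @($test.GetElementsByTagName('Extension')).Count
        [pscustomobject]@{ Gpo = $GpoName; OriginalSections = $o; RestoredSections = $t; Match = ($o -eq $t) }
    } finally {
        Remove-GPO -Guid $copy.Id   # the copy was never linked, so nothing applied it
    }
}

$backup = Backup-GpoEnvironment -BackupRoot 'D:\GPOBackups'   # placeholder path
Test-GpoRestore -BackupDir $backup -GpoName 'WW-Outlook-OTG'  # name from the slides' naming example
```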

Page 13: Planning – Group Policy Dependencies

DNS misconfiguration [5]

File Replication Service [6]

  Sonar

  Ultrasound

Policies directory – sysvol

  Don’t change ACLs or contents manually

  Don’t delete (“my disk was full”)

  Only use supported tools

Page 14: Planning – Group Policy Dependencies

ICMP

  Checking if a DC is contactable

  Slow link detection

  If ICMP is blocked, disable slow link detection

Page 15: So Many Policy Settings – Where Do I Start?

Policy Settings Reference Spreadsheet [7]

Consider the common scenarios

Think small – iterative deployment

  Security

  OS/Application configuration

  IE Maintenance

  Software Installation

Page 16: Windows 2000 Domains – Fixing Mismatched ACLs

Windows 2000 domains created prior to SP4

Just let GPMC fix it for you

Relax – it is a very minor problem!

Page 17: Domain Upgrades – Upgrading to Windows Server 2003

Impact on FRS replication traffic

For cross-domain GP Modelling, ACE on GPOs

  Only if the GPO existed before the WS2003 upgrade

  To manage, use GrantPermissionOnGPO or GrantPermissionOnAllGPOs

  Alternative in Windows Server 2003 SP1

Page 18: Cross Forest Logon [8]

Forest is the security boundary

User from Forest A logs onto a machine in Forest B

Differences in behaviour depending on OS

  Windows Server 2003, Windows XP from SP1, Windows 2000 from SP4:

    User policy settings come from Forest B (similar to loopback)

    “Allow Cross-Forest User Policy and Roaming User Profiles” policy setting

Page 19: Group Policy “Features”

Administrative Templates

Security

Machine and User Scripts

Folder Redirection

Resultant Set of Policy (RSoP)

Software Installation

GPMC Scripting

Page 20: Features – Administrative Templates

What is an “adm” file?

  Zero role for a client

  Only for the administrative user interface

KB 816662 – “Recommendations for Managing Group Policy Administrative Template Files”

  Superset principle from WS2003 RTM onwards

  Historical .adm files available online

  Never edit the OS-shipped .adm files

Page 21: Features – Administrative Templates

Know the benefits of a “true policy” (as compared to preferences)

  Security (local administrators)

  Cleanup (if GPO is out of scope)

IE changes in XP SP2

Page 22: Features – Security Settings

Not always the highest security settings

In XP SP2, “Dangerous” settings warnings [9]

Page 23: Features – Security Settings

Page 24: Features – Security Settings

Domain level policies [11]

  Account Policies

  Rename or disable the Admin/Guest account

  Kerberos

From W2K SP4 and XP SP2, you can add a domain group to a local group on a computer [12]

Page 25: Features – Security Settings

Avoid modifying default GPOs

  Unfortunately, some applications may expect it

    User Rights and Password policy

    Applications may update these when installed on DCs

Replication to all DCs

  Domain controller consistency

  OU selection (don’t change)

  Don’t use security filtering

Page 26: Features – Machine/User Scripts

Async logon/logoff scripts finish order

Startup scripts security context

  Access to both the script and referenced resources

  Local-only copy of script

Consider environment variables

HKLM update rights for user scripts

Event log event sources

  Processing GPO -> UserEnv

  Running of a script -> UserInit

Page 27: Features – Folder Redirection

Don’t pre-create folders

On Windows 2000…

  Do not use folder redirection to the same machine used for roaming user profiles

  Fixed in Windows 2003

Application data folder redirection

  Recommend not to.

Cannot redirect to a mapped drive

  Folder redirection happens before mapping of drives

Page 28: Features – RSoP

No Group Policy Results data available for

  IPSec, Wireless and Disk Quota

  Windows 2000 (can simulate)

Always simulated

  Slow link status, WMI filters, Loopback

Modelling doesn’t know about the LGPO

Estimation

Page 29: Features – Software Installation

Async policy processing

  Multiple reboots

  Wait For Network At Computer Startup and Logon?

Machine assignment of software

  Requires reboot

  Gotcha for MMCs

Limit security filtering

  Remember the application administrators

Page 30: Features – GPMC Scripting

The 32 sample scripts

  Building blocks

  GPMC API samples

HTML or XML reports for documentation

Page 31: Features – Miscellaneous …

Wireless: need to be on a wired network to get certificates for wireless policy (for 802.1x)

GPMC: Drag a GPO across domains to an OU or domain and you get a cross-domain link (not a copy of the GPO); instead, drag to the Group Policy Objects node (note: no links will exist at this point)

Page 32: Troubleshooting

Know your reporting options

  Group Policy Modeling, Group Policy Results – proactive

Know your tools

  With the operating system: GPUpdate (/force)

  WS 2003 Resource Kit: GPOTool, GPMonitor (push)

  Download Center: GPInventory (gather WMI/RSoP)

Help and Support

  Group Policy Troubleshooting Whitepaper [13]

Consider the GP Management Pack (GPMP) for MOM

Page 33: Troubleshooting

Using the Local GPO (LGPO)

  A good option if you don’t have access to change GPOs in a domain (not all settings will be available – software installation and folder redirection, for example)

  Updating the LGPO on a domain-joined PC has no impact when using cached credentials

Read the Explain Text for Admin Templates and Help for Security Settings

Remember the /force switch

If you move a user/computer to a new OU, the change will not take place immediately (GetUserNameEx caches the location of a user/computer for 30 mins); reboot/logon to resolve

Consider using a Virtual PC – especially helpful for tattooing security settings; Undo when done!

Page 34: We Want To Hear From You…

Please visit the new Windows Server Feedback site:

http://www.windowsserverfeedback.com/

“Help us improve Windows Server by providing us with your suggestions and ideas; All feedback submitted will be sent to the Windows Server Development Team for review and analysis. Your ideas can impact Windows Server in many ways, and might even be incorporated into new Service Packs, Feature Packs, or the next Windows Server release.”

Page 35: References

1. Redirecting the Users and Computers Containers in Windows Server 2003 – KB 324949

2. Group Policy Common Scenarios Using GPMC – http://go.microsoft.com/fwlink/?LinkId=14951

3. Scriptomatic Tool – http://www.microsoft.com/technet/scriptcenter/tools/wmimatic.mspx

4. Staging Group Policy Deployments (Chapter 3, Windows Server 2003 Deployment Kit – Designing a Managed Environment Book) – http://www.microsoft.com/downloads/details.aspx?familyid=b671967b-ef65-4ccf-9d00-89d6ae428edc&displaylang=en

5. Monitoring and Troubleshooting the File Replication Support Webcast: DNS In the Active Directory Part 2: Best Practices, Common Problems and Troubleshooting – http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc030601/wcblurb030601.asp

6. File Replication Service (FRS) – includes Sonar and Ultrasound – http://www.microsoft.com/windowsserver2003/technologies/fileandprint/file/dfs/tshootfrs.mspx

7. Group Policy Settings Reference Spreadsheet (with history) – http://go.microsoft.com/fwlink/?linkid=22031

8. Cross Forest Logon, Loopback and User Policy Logon – KB 823862

9. Recommendations for Managing Group Policy Administrative Template Files – KB 816662

Page 36: References

10. Client, Service and Program Incompatibilities That May Occur When Modifying Security Settings and User Rights Assignments – KB 823659

11. Threats and Countermeasures: Security Policy Settings in WS 2003 and XP – http://www.microsoft.com/downloads/details.aspx?FamilyID=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en#filelist

12. Adding Domain Groups to Local Machine Groups on Member Computers – KB 810076

13. Troubleshooting Group Policy with Windows Server 2003 – http://go.microsoft.com/fwlink/?LinkId=14949

Page 37

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.