CST8200 Windows Domain Administration PDF
Algonquin College
Denis Latremouille
Summary
This document is a set of lecture notes on Windows Domain Administration. It provides an overview of group policy objects (GPOs), their configuration, and management within a Windows domain environment. The notes cover various aspects of GPOs, including their architecture, processing, and replication.
Full Transcript
CST8200 - Windows Domain Administration
Professor: Denis Latremouille
Week 7

Agenda
- Describe the architecture and processing of group policies
- Configure group policy settings
- Configure group policy security settings
- Configure and manage administrative templates
- Work with security templates
- Configure Group Policy Preferences
- Configure group policy processing
- Configure group policy client processing
- Configure Group Policy Results and Group Policy Modeling tools
- Manage GPOs

Local GPOs
- Local GPOs are stored on local computers and are edited via the Group Policy Object Editor snap-in
- Settings in local GPOs that are inherited from domain GPOs can't be changed on the local computer. Only settings that are undefined or not configured by domain GPOs can be edited locally
- When you run gpedit.msc, you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes

Domain GPOs
- Domain GPOs are stored in Active Directory on domain controllers
- A domain GPO consists of two separate parts: a Group Policy Template (GPT) and a Group Policy Container (GPC)
- The GPT and GPC have the following common traits: naming structure, folder structure
- Knowing GPO structure is important for resolving issues

Group Policy Templates
- A Group Policy Template (GPT) contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller
- Upon creation of a GPO, several files and subfolders are created (the exact number may vary), but each GPT folder will contain at least three items: GPT.ini, Machine, User

Group Policy Containers
- A Group Policy Container (GPC) is stored in the System\Policies folder
- Stores GPO properties and status information but no policy settings
- Similar to the GPT in that it uses the GPO's GUID for a folder name
- Information contained in a GPC:
  ◼ Name of the GPO
  ◼ File path to the GPT
  ◼ Version
  ◼ Status

Group Policy Replication
- GPCs are replicated with Active Directory
- GPTs, located in the SYSVOL share, are replicated by one of the following methods:
  ◼ File Replication Service (FRS) - used when running in a mixed environment of differing Windows Server operating systems
  ◼ Distributed File System Replication (DFSR) - used when all DCs are running Windows Server 2008
- DFSR is more efficient and reliable
- The GPC and GPT can become out of sync
- To gather information, open the Group Policy Management Console, click the domain node in the left pane and the Status tab in the right pane, then click Detect Now

Group Policy Settings
- Settings in Computer Configuration take precedence over settings in User Configuration, should there be a conflict
- Three folders under the Policies folder: Software Settings, Windows Settings, Administrative Templates

Software Installation Policies
- Contains the Software Installation extension, which can be configured to install software packages remotely
- Applications are deployed with the Windows Installer service, which uses Microsoft Software Installation (MSI) files
- An MSI file is a collection of files packaged into a single file with an .msi extension; it contains the instructions Windows Installer needs to install the application correctly

Configuring Software Installation for Users
- The Software Installation extension performs the same function in the User Configuration node
- A software package can only be assigned to a computer, but there are two options for deploying software to users:
  ◼ Published - isn't installed automatically; a link to install the application is available in Control Panel's Programs and Features
  ◼ Assigned - can be installed automatically when the user logs on to a computer in the domain

Configuring Group Policy Processing
- An administrator should have a solid understanding of how GPOs are processed, how settings are inherited, and the exceptions to normal processing and inheritance
- This section discusses the following: GPO scope and precedence, GPO inheritance, GPO filtering

GPO Scope and Precedence
- GPO scope - defines which objects are affected by settings in a GPO
- GPOs are applied in this order: local policies, site-linked GPOs, domain-linked GPOs, OU-linked GPOs
- Policies that aren't defined or configured are not applied at all, and the last policy applied is the one that takes precedence
- A GPO linked to a domain affects all computers and users in the domain, but settings in a GPO linked to an OU override the settings in a GPO linked to the domain if there are conflicts
- When OUs are nested, the GPO linked to the most deeply nested OU takes precedence over all other GPOs
- If two GPOs are applied to an object, and a certain setting is configured on one GPO but not the other, the configured setting is applied

Understanding Site-Linked GPOs
- GPOs linked to a site object affect all users and computers physically located at the site
- Can be used to set up different policies for mobile users
- In a single-site, single-domain environment, it is better to use domain GPOs
- Site GPOs can be confusing for users if policy changes are drastic enough between sites
- Use with caution and only when there are valid reasons for different sites to have different policies

Understanding Domain-Linked GPOs
- GPOs at the domain level should contain settings that apply to all objects in the domain
- Account policies that affect domain logons can be defined only at the domain level
- Active Directory folders, such as Computers and Users, are not OUs and can't have a GPO linked to them
- Best practices suggest setting account policies and a few critical security policies at the domain level

Understanding OU-Linked GPOs
- Fine-tuning of group policies should be done at the OU level
- OU-linked policies are applied last, so they take precedence over site and domain policies
- Users and computers with similar policy requirements should be located in the same OU
- Because OUs can be nested, so can the GPOs applied to them
- GPOs applied to nested OUs should be used for exceptions to policies set at a higher level

Group Policy Inheritance
- GPO inheritance is enabled by default
- To see which policies affect a domain or OU and where policies are inherited from, select a container in the left pane of GPMC and click the Group Policy Inheritance tab in the right pane
- There are several ways to affect GPO inheritance: blocking inheritance, GPO enforcement

Blocking Inheritance
- Blocking inheritance prevents GPOs linked to parent containers from affecting child containers
- To block GPO inheritance, in GPMC, right-click the child domain or OU and click Block Inheritance
- If blocking is enabled, the OU or domain object is displayed with a blue exclamation point
- Inheritance blocking should be used sparingly; frequent blocking implies a possibly flawed OU design

GPO Enforcement
- GPO enforcement forces inheritance of settings on all child objects in the GPO's scope, even if a GPO with conflicting settings is linked to a container at a deeper level
- A GPO that's enforced has the strongest precedence of all GPOs in its scope
- If multiple GPOs are enforced, the GPO at the highest level wins in a conflict
- Example: if a GPO linked to an OU and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain has stronger precedence

GPO Filtering
- GPO filtering - a method to alter the normal scope of a GPO and exclude certain objects from being affected by its settings
- Two types of GPO filtering: security filtering, Windows Management Instrumentation (WMI) filtering
- Security filtering uses permissions to restrict objects from accessing a GPO
- Use the Security Filtering dialog box in the GPMC to add or remove security principals from the GPO access list
- Another way to use security filtering is to edit the GPO's DACL directly: in the GPMC, click the GPO in the Group Policy Objects folder, and click the Delegation tab in the right pane to see a complete list of access control entries (ACEs) for the GPO
- You can add security principals to the DACL or click the Advanced button to open the Advanced Security Settings dialog box
- You can assign Deny permissions as well as Allow permissions

WMI Filtering
- WMI filtering uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results
- You need to have a solid understanding of the WMI query language before creating WMI filters
- Example of using a WMI filter to select only computers running Windows 10 Enterprise:

  Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 10 Enterprise"
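The processing rules in the scope, inheritance, Block Inheritance and Enforced slides above are easier to reason about when they are written down as an algorithm. The following PowerShell is an added example, not part of the lecture notes: it simulates the order in which GPOs are applied to one object (local, site, domain, OU, outer to inner; link order within a container; Block Inheritance dropping non-enforced parent links; enforced GPOs applied after everything else with the highest-level one last), and then resolves one setting by the "last configured value wins" rule. All site, domain, OU, GPO and setting names are constructed for the illustration.

```powershell
# Added example: simulate GPO application order and conflict resolution.
# Every container, GPO and setting name below is constructed, not real.

function New-GpoLink([string]$Gpo, [int]$LinkOrder, [switch]$Enforced) {
    [pscustomobject]@{ Gpo = $Gpo; LinkOrder = $LinkOrder; Enforced = [bool]$Enforced }
}

function New-Container([string]$Name, [object[]]$Links, [switch]$BlockInheritance) {
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

function Get-GpoApplicationOrder {
    # $Scope lists the containers from the outermost (site) down to the OU
    # that holds the target object. Returns GPO names, first applied first;
    # the last name in the list wins any conflicting setting.
    param([Parameter(Mandatory)] [object[]] $Scope)

    $normalBlocks  = @()   # one array per container, inner to outer
    $enforcedOrder = @()   # enforced GPOs, inner containers first
    $blocked = $false
    for ($i = $Scope.Count - 1; $i -ge 0; $i--) {
        $c = $Scope[$i]
        # Within one container link order 1 has the highest precedence, so it
        # must be applied last: process the higher link numbers first.
        $links = @($c.Links | Sort-Object -Property LinkOrder -Descending)
        $enforcedOrder += @($links | Where-Object { $_.Enforced } | ForEach-Object { $_.Gpo })
        if (-not $blocked) {
            $normalBlocks += ,@($links | Where-Object { -not $_.Enforced } | ForEach-Object { $_.Gpo })
        }
        # Block Inheritance on this container discards the non-enforced links
        # of every container above it; enforced links always pass through.
        if ($c.BlockInheritance) { $blocked = $true }
    }

    $order = @('Local Computer Policy')
    # Non-enforced GPOs: outermost container first (site, domain, OU, child OU)
    for ($i = $normalBlocks.Count - 1; $i -ge 0; $i--) { $order += $normalBlocks[$i] }
    # Enforced GPOs are applied after all others; the one linked at the
    # highest level is applied last and therefore wins a conflict.
    $order += $enforcedOrder
    return $order
}

function Resolve-GpoSetting {
    # Walks the application order; a GPO that leaves the setting Not
    # Configured does not change the result, the last configured value wins.
    param([string[]] $ApplyOrder, [hashtable] $GpoSettings, [string] $Setting)
    $winner = $null
    foreach ($g in $ApplyOrder) {
        if ($GpoSettings.ContainsKey($g) -and $GpoSettings[$g].ContainsKey($Setting)) {
            $winner = [pscustomobject]@{ Setting = $Setting; Value = $GpoSettings[$g][$Setting]; WinningGpo = $g }
        }
    }
    return $winner
}

# Constructed scope for a computer in OU Kiosks under OU Workstations in
# domain example.local, with the domain's site above it.
$scope = @(
    (New-Container 'HQ-Site'         @((New-GpoLink 'Site-Proxy' 1))),
    (New-Container 'example.local'   @((New-GpoLink 'Default Domain Policy' 1),
                                       (New-GpoLink 'Domain-Lockdown' 2 -Enforced))),
    (New-Container 'OU=Workstations' @((New-GpoLink 'WS-Baseline' 1)) -BlockInheritance),
    (New-Container 'OU=Kiosks'       @((New-GpoLink 'Kiosk-Lockdown' 1 -Enforced),
                                       (New-GpoLink 'Kiosk-Apps' 2)))
)

# Constructed settings; a missing key means the GPO leaves it Not Configured.
$settings = @{
    'Domain-Lockdown' = @{ 'DisableRemovableStorage' = 'Enabled' }
    'Kiosk-Lockdown'  = @{ 'DisableRemovableStorage' = 'Disabled'; 'AutoLogon' = 'Enabled' }
    'Kiosk-Apps'      = @{ 'AllowedApps' = 'kiosk.exe' }
}

$order = Get-GpoApplicationOrder -Scope $scope
$order -join ' -> '
Resolve-GpoSetting -ApplyOrder $order -GpoSettings $settings -Setting 'DisableRemovableStorage'
Resolve-GpoSetting -ApplyOrder $order -GpoSettings $settings -Setting 'AutoLogon'
```

In the constructed scope, Block Inheritance on the Workstations OU removes the site GPO and the Default Domain Policy from the order, while the enforced domain GPO still reaches the kiosk and is applied after the enforced OU GPO, so its value for the conflicting setting wins, exactly the case the enforcement example on the slide describes. Replacing the constructed scope with the real link data for a container (for example from the GPMC Group Policy Inheritance tab) turns this into a quick cross-check of what Group Policy Modeling reports.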
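The replication slide notes that the GPC (in Active Directory) and the GPT (in SYSVOL) can fall out of sync, and the template slide lists the three items every GPT folder must contain. The PowerShell below is an added example, not from the lecture notes or from Microsoft: it reads each GPO's GPC version from AD, the GPT version from GPT.ini, decodes the packed version number (user-side version in the high 16 bits, computer-side version in the low 16 bits), and reports mismatches and missing GPT items. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host with read access to SYSVOL, and only reads. A second small function runs the WMI filter query from the WMI filtering slide against the local machine so the query can be validated before it is attached to a GPO.

```powershell
# Added example: compare GPC and GPT versions for every domain GPO, check the
# GPT folder contents, and test a WMI filter query locally. Read-only.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function ConvertFrom-GpoVersion {
    # The GPC versionNumber attribute and the Version= line in GPT.ini pack
    # the user-side version into the high 16 bits and the computer-side
    # version into the low 16 bits of one integer.
    param([int64] $Packed)
    [pscustomobject]@{
        User     = ($Packed -shr 16) -band 0xFFFF
        Computer = $Packed -band 0xFFFF
    }
}

function Test-GpoVersionSync {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # GPC: the AD object under CN=Policies,CN=System, named by the GPO's GUID
        $gpcDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
        $gpc   = Get-ADObject -Identity $gpcDn -Properties versionNumber, gPCFileSysPath
        $gpcVer = ConvertFrom-GpoVersion $gpc.versionNumber

        # GPT: the SYSVOL folder the GPC points to via gPCFileSysPath
        $gptPath = $gpc.gPCFileSysPath
        $gptVer  = $null
        $gptIni  = Join-Path $gptPath 'GPT.ini'
        if (Test-Path $gptIni) {
            foreach ($line in Get-Content $gptIni) {
                if ($line -match '^Version=(\d+)') { $gptVer = ConvertFrom-GpoVersion ([int64]$Matches[1]) }
            }
        }
        # The three items the notes say every GPT folder must contain
        $missing = @('GPT.ini', 'Machine', 'User') |
                   Where-Object { -not (Test-Path (Join-Path $gptPath $_)) }

        [pscustomobject]@{
            GPO             = $gpo.DisplayName
            Id              = $gpo.Id
            GpcComputerVer  = $gpcVer.Computer
            GptComputerVer  = if ($gptVer) { $gptVer.Computer } else { $null }
            GpcUserVer      = $gpcVer.User
            GptUserVer      = if ($gptVer) { $gptVer.User } else { $null }
            InSync          = ($null -ne $gptVer) -and
                              ($gpcVer.Computer -eq $gptVer.Computer) -and
                              ($gpcVer.User -eq $gptVer.User)
            MissingGptItems = ($missing -join ',')
        }
    }
}

function Test-WmiFilterLocally {
    # Runs a WQL query with CIM on this computer. A returned instance means a
    # WMI filter built from the query would apply the GPO here; no instance
    # means it would not. String literals in WQL use straight quotes.
    param([string] $Query = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows 10 Enterprise"')
    $hit = Get-CimInstance -Query $Query -ErrorAction Stop
    return ($null -ne $hit)
}

# Usage: list GPOs whose GPC and GPT disagree or whose GPT folder is incomplete,
# then check whether the sample WMI filter would match this machine.
Test-GpoVersionSync | Where-Object { -not $_.InSync -or $_.MissingGptItems } |
    Format-Table GPO, GpcComputerVer, GptComputerVer, GpcUserVer, GptUserVer, MissingGptItems -AutoSize
Test-WmiFilterLocally
```

A GPO that shows up as out of sync right after an edit is normally just waiting for SYSVOL replication (FRS or DFSR, as the slide describes); one that stays out of sync, or whose GPT folder is missing GPT.ini, Machine or User, is the condition the GPMC Status tab and Detect Now button are meant to surface, and is worth investigating before clients start applying stale or partial policy.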