Full Transcript

Week 5: Group Policy NTWK-8070: Windows Server Roles and Features This week… This week we will learn about: • Introduction to GPOs • Types of Policies • Working with Group Policy • Example Policies Group Policies – What are they? Group Policies • Group Policies are defined as an “infrastructur...

Week 5: Group Policy NTWK-8070: Windows Server Roles and Features This week… This week we will learn about: • Introduction to GPOs • Types of Policies • Working with Group Policy • Example Policies Group Policies – What are they? Group Policies • Group Policies are defined as an “infrastructure to allow you to manage specific configurations for users and computers” • Group Policies exist in two forms: – Local Group Policy – applying to local computers – ADDS (Active Directory) Group Policy – or a policy that is applied to domain users and computers What are they used for? • Group Policies are used in order secure your organization and provide “standards”. You can also perform a wide number of other tasks through Group Policy. • With Group Policy you can (a non-exhaustive list): – – – – – – – Set Password Policies Deploy Software Control access to system features (i.e. disable certain applications) Disallow access to certain devices (such as USB drives) Disable certain accounts (Administrator, Guest) Apply login/logoff scripts Map printers and shared drives Local Group Policy Editor The Local Group Policy editor • Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that is used to configure and modify Group Policy settings within Group Policy Objects (GPOs). • It applies only to that computer in which the Group Policy is configured. • Cannot be used to administer Domain Group Policies. • Can only administer a single Group Policy that applies to the single computer it is applied on. Group Policy Management The Domain Group Policy Management • Is used on PAWs (Privilege Accessed Workstations – more on that later), Servers, Member Servers, and those that have Remote Server Administration Tools to manage Group Policies across the domain/organization. • Is used to administer Group Policy Objects across your entire domain/organization. GPOs – What are they? GPOs A GPO is a “Group Policy Object” • GPOs are collections of Group Policies • Are only accessible from the Domain Group Policy Management • You can have as many group policy objects as you want How do GPOs apply? In order to use GPOs, you must link them first. With the exception of a GPO known as “Default Domain Policy”, GPOs must be “Linked” to an OU (Organizational Unit) before they apply. • This is one of the benefits of GPO: You can apply different policies to different Organizational Units. GPO application order In order to prevent GPO conflicts, GPOs apply in a specific order: LSDOU Local Site Domain Organizational Unit Each subsequent GPO application takes precedence over the next. GPO Application Example L – Minimum Password Length: 18, Screen timeout: 5 min S – Minimum Password Length: 8, Wallpaper: Blue.jpg D – Minimum Password Length: 12, Screen timeout: 15 min OU – Minimum, Password Length: 10, Wallpaper: Red.jpg Password Length: 10, why? This is because it is specified at the OU level. It overwrites any changes from L, S, D applications. Screen Timeout: 15 min, why? Because the Domain policy overwrites anything in the Local group policy (not specified anywhere else) Wallpaper: Red.jpg. Why? Because it’s specified in the OU level, overwriting anything else above it. Linking a GPO As mentioned, before a Group Policy is applied, it must be “linked” to an OU. This introduces the concept of inheritance. With inheritance, child objects (OUs) inherit any policies above it. GPO Inheritance A GPO applied to an organizational unit applies directly to all users and computers in the organizational unit and, by inheritance, to all users and computers in child organizational units. You can, however, specify “Enforce” or “Block” Blocking Inheritance As mentioned, child OUs get all linked policies above it (higherlevel OUs, Domain and Site policies). Blocking Inheritance will sever the link between this hierarchy – meaning that only directly-linked GPOs will apply. (OUs under will receive these linked GPOs, but nothing higher) Enforcing Inheritance Sometimes you want to ensure that GPOs can’t be blocked. Enforcing is also known as “no override”) It is applied on a GPO (rather than an OU) Also prevents changes from being overwritten by childOU GPO objects/settings GPO Link Order – Conflict Resolution Conflicts are addressed by Link Order • If you have multiple conflicting OUs, Link Order comes into play. • Unlike the Application Order (LSDOU) – Link order is in order of most importance: – A GPO with a link order of 1 will take precedence over a GPO with a link order of 2 – Policies will still filter down (meaning that those policies that don’t exist in GPO with the LO of 1, will be applied in a GPO with the LO of 2. • “Enforced” GPOs bubble up to the top, and will still remain at the top. Example – Link Order Example – Link Order explained In the previous screenshot, you can see the “link order” and “enforcement” in play, however notice that the first enforced policy – the “Default Domain Policy Enforced” – is #12, it still bubbles up to the top. • So, Enforced GPOs have their own hierarchy at the top, then comes nonenforced GPOs Group Policies – Working with Group Policies Working with GPOs Before we work with GPOs, we must first understand the two types of policies: User and Computer policies. User versus Computer User Policies You can use User Configuration in Group Policy to set policies that apply to users, regardless of which computer they log on to. User Configuration typically contains subitems for Software Settings, Windows Settings, and Administrative Templates Computer Policies • With Computer Configuration in Group Policy, you can set policies that are applied to computers, regardless of who logs on to the computers. • Computer Configuration typically contains Software Settings, Windows Settings, and Administrative Templates. Policies versus Preferences For the context of this course, we will be discussing Policies, not preferences. However a short description is still beneficial: Preferences are just that – settings that you are able to push out through Group Policy. The key difference is in security: Group Policy Preferences (unlike Policies) are not strictly enforced. A note on security: • Group Policies are almost always Registry Changes. • They are written to a special location and almost always protected from being able to be changed by regular users. – Unlike Policies, which are simply changes to things like INI config files • Group Policies are also enforced and updated at regular intervals (90 minutes + random offset of up-to 30 minutes, so between 1.5 hours and 2 hours). They also happen at logon/logoff. Software Settings, Windows Settings and Administrative Templates Inside of GP Management there are also 3 subtypes of policies: Software Settings, Windows Settings, and Administrative Templates. Software Settings are settings that are related to deploying applications through Group Policy Windows Settings are built-in settings that allow you to control a number of system-specific preferences that are key to Windows, such as Security Administrative Templates are an extendible list that is used to manage applications and other types of policies In this class, we will be discussing Windows Settings and Administrative Templates exclusively. Creating Group Policies As mentioned, in order to use a new or custom group policy (Default Domain Policy always exists) – you must first create one and link it to an OU. Changing GPO Settings Editing Policies Policy Configuration Basics Nomenclature Not Configured: This is the default “leave whatever the manufacturer/vendor wants” – or “default settings” Enabled: This “enables” the specific policy item, for example “Enabling the Disable Task Manager policy item will disable Task Manager” Disables: This “disables” the specific policy item, for example “disabling the Disable Task Manager policy item will enable Task Manager” Nomenclature - Continued Options: Sometimes additional options are provided, such as being able to specify the nuances of a specific group policy item. Comment: This is a field for sysadmins to specify a comment for internal use. Completely optional. Supported On: This tells you what Operating Systems that the Group Policy object will apply to. End of Lecture, Questions?

Use Quizgecko on...
Browser
Browser