ITEC1420 Chapter 6 Group Policy PDF
Uploaded by IndebtedOwl
Summary
This document presents an overview of group policy, focusing on its use in managing users and computers within a network. It describes different types of group policies, their operations, and associated concepts such as Group Policy Objects (GPOs). The document discusses the practical implementation aspects, including the creation, configuration, and linking of GPOs.
Full Transcript
Group Policy
ITEC1420 Chapter 6

Content
- Group Policy
- Group Policy Objects (GPOs)
- Operation on GPOs
- Types of Group Policies
- Application of GPOs and Inheritance

What is Group Policy?
- The Active Directory directory service uses Group Policy to manage users and computers in your network.
- When using Group Policy, you can define the state of a user's work environment once, and then rely on the Windows Server 2012 family to continually enforce the Group Policy settings that you defined.
- You can apply Group Policy settings across an entire organization, or you can apply them to specific groups of users and computers.
- Group Policy is a feature of the Microsoft Windows NT family of operating systems.
- Basically, Group Policy is a set of rules which control the working environment of user accounts and computer accounts.
- Group Policy provides centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment.
- Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files, and so on.

Group Policy Objects (1) (Skill 6)
- A Group Policy Object (GPO) is the object that contains or specifies one or more policies.
- Like all AD objects, each GPO includes a Globally Unique Identifier (GUID).
- It controls:
  - Computer configuration
  - User environment
  - Account policies

Group Policy Objects (2) (Skill 6)
- GPOs apply to AD objects (domain, site, OU, etc.) to control the objects and their child objects.
- There are two types of Group Policy settings:
  1. Group Policy for computers (Computer Configuration)
  2. Group Policy for users (User Configuration)
- Group Policy settings override user profile settings.

Operation on GPO
- Creating GPOs: a GPO can be created using one of the following tools:
  - ADUC: Active Directory Users and Computers
  - GPMC: Group Policy Management Console
  - ADSS: Active Directory Sites and Services
- Linking to objects: a GPO is applied by linking it to a site, domain, or OU using GPMC.
- Editing GPOs: the Group Policy Object Editor snap-in can be used to modify the default settings for GPs.

Operation on GPO (2)
GPMC functions:
- Group Policy administration for Windows Server 2000/2012 domains
- Ability to back up, restore, import, copy/paste, create, delete and rename GPOs
- Allows linking GPOs
- Allows searching GPOs

Types of Group Policies (Skill 7)
Types of Group Policies:
1. Local Group Policy:
   - Configures Group Policy for a single local computer.
   - Has fewer options than Active Directory Group Policy.
2. Active Directory Group Policy:
   - Created in Active Directory to control the linked objects such as domains, sites and OUs.
   - If a computer is connected to a domain, the Active Directory group policies override the local group policies on the computer.
Most GPs are used to update and manage Registry configuration data:
- The registry is a database of settings and options for the Windows OS: information about hardware, OS and non-OS software, user and computer preferences, …
- User changes are reflected in the registry: control panel, system policies, installation, …

User Configuration & Computer Configuration Nodes (1)
Both the Computer Configuration and User Configuration nodes have:
1. Software Settings: contains software settings that apply to the user/computer and software installation settings, and it might contain other settings that are placed there by independent software vendors (ISVs).
2. Windows Settings: contains Windows settings that apply to the user/computer. It also contains the following items: Security Settings and Scripts, for example Startup/Shutdown (in the Computer Configuration node) and Logon/Logoff (in the User Configuration node). In the User Configuration node only, Windows Settings contains additional nodes such as Remote Installation Services, Folder Redirection, and Internet Explorer Maintenance.
User Configuration & Computer Configuration Nodes (2)
3. Administrative Templates: contains registry-based GP settings; more than 550 are available for configuring the user environment.
Each of the settings in the Administrative Templates node can be:
- Not Configured: the registry is not modified
- Enabled: the registry reflects that the policy setting is selected
- Disabled: the registry reflects that the policy setting is not selected
In most situations, a policy setting in the Computer Configuration node overrides the same policy setting in the User Configuration node.

What Happens When Local and AD GPOs Conflict?
Application order:
- Order (1): the local GPO is applied first. One GPO is stored locally on the computer. By default, only the Security Settings policies are configured in the LGP.
Then any AD policies are applied and override local policies, in the following order:
- Order (2): site GPOs are applied
- Order (3): domain policies are applied
- Order (4): finally, OU and child OU policies are applied
Policies are cumulative via inheritance: as administrator you have to test all policies prior to implementing them in a production environment!

Inheritance (1) (Skill 7)
Cumulative inheritance: policies are passed down from parent to child containers within a domain.
- If a GPO setting (Enabled or Disabled) is set on the parent container but not on the child container → the parent GPO is applied.
- If a GPO is set on both the parent container and the child container, and there is no conflict, both parent and child GPOs apply.
- If a GPO is set on both the parent container and the child container, and there is a conflict, the child GPO applies.
- If there is a conflict between a user policy and a computer policy, the computer policy is applied.
- The Resultant Set of Policies (RSoP) is the total impact of all cumulative policies.

Inheritance (2) (Skill 7)
Exceptions to inheritance:
- Block Inheritance: the administrator can block (disable) the inheritance.
- If a computer is a workgroup member, only the local GP is applied.
- No Override: the administrator can disable overriding. When a GPO linked to a site, domain, or OU is set to No Override, its policy settings will not be overridden by any other GPO during the processing of GPs.
- If more than one GPO is set to No Override, the GPO highest in the AD hierarchy (or higher in the hierarchy specified by the administrator at each level in AD) takes precedence.
- Policies will always override a configuration made by a user or by a script.
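
The application order and the inheritance exceptions described above can be traced with a small resolver. This is an added example, not part of the original slides: the container and setting names are constructed, and it assumes that a No Override link still applies below a container with Block Inheritance set, which is Active Directory behaviour the slides do not state.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    """A site, domain or OU with its GPO links (all sample data is constructed)."""
    name: str
    block_inheritance: bool = False            # "Block Inheritance" set here
    links: list = field(default_factory=list)  # [(settings, no_override), ...]

    def link(self, settings, no_override=False):
        self.links.append((settings, no_override))
        return self

def merge(rsop, settings, source):
    for key, state in settings.items():
        if state != "Not Configured":          # Not Configured changes nothing
            rsop[key] = (state, source)        # a later GPO wins a conflict

def resultant_set(local_gpo, chain):
    """chain lists containers top-down: site, domain, OU, child OU.
    Returns {setting: (state, source)} for one computer."""
    # Block Inheritance hides ordinary links on every container above it.
    first_visible = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    rsop, enforced = {}, []
    merge(rsop, local_gpo, "Local")            # order (1): local GPO first
    for i, c in enumerate(chain):              # orders (2)-(4): site, domain, OUs
        for settings, no_override in c.links:
            if no_override:
                enforced.append((c.name, settings))  # assumption: not blockable
            elif i >= first_visible:
                merge(rsop, settings, c.name)
    # No Override links go last, lowest container first, so the highest one wins.
    for name, settings in reversed(enforced):
        merge(rsop, settings, name + " (No Override)")
    return rsop

def demo(block):
    # Constructed example: setting names are illustrative, not real policy names.
    local = {"Block Task Manager": "Disabled"}
    site = Container("Site").link({"Block executable downloads": "Enabled"})
    domain = Container("Domain").link({"Block Task Manager": "Enabled"}, no_override=True)
    ou = Container("OU", block_inheritance=block).link(
        {"Block Task Manager": "Disabled", "Block executable downloads": "Not Configured"})
    return resultant_set(local, [site, domain, ou])

if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on OU:", block, "->", demo(block))
```

With Block Inheritance set on the OU, the site-level restriction on executable downloads silently disappears from the resultant set while the No Override domain setting remains, which is the kind of gap an RSoP review is meant to catch.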