Section 3: Designing a Group Policy Infrastructure
Overview of Active Directory
Introducing the Design Stages for Implementing Group Policy
Planning Your Group Policy Design
Designing Your Group Policy Solution
Deploying Your Group Policy Solution
Managing Your Group Policy Solution
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
Describe the basic structure of Active Directory
Describe the four stages of implementing Group Policy
Explain how to plan your Group Policy in accordance with company requirements
Describe the guidelines that you should follow when you create new GPOs
Explain how to deploy Group Policy based on the Active Directory structure
Explain how to manage Group Policy by delegating administration and setting permissions
Overview of Active Directory
Active Directory is used to store objects, authenticate users, and implement policies. Active Directory concepts include:
Active Directory Objects
Active Directory Architecture
Naming Standards
Users and Groups
Organizational Units
Active Directory Objects
Users Groups Computers
Contacts Printers Shared folders
Active Directory Architecture
Components: Site, Global Catalog, Forest, Tree, Domain, Domain controller, OU
Diagram (summarized): one forest containing two trees. The first tree is the domain hq.local with the child domain atl.hq.local; the second is widget.com with the child domain na.widget.com. Each domain is served by domain controllers (DC), one of which also holds the Global Catalog. Domain controllers are placed in sites (a Northeast site and a Southeast site). Within a domain, objects such as the user cn=JaneD are held in OUs such as ou=Sales.
Naming Standards
The Active Directory naming architecture draws on DNS, LDAP, and X.500.
Relative distinguished name: cn=JaneD
Distinguished name: cn=janed,ou=sales,dc=atl,dc=hq,dc=local
Users and Groups
Local user accounts: exist on the local computer only
Domain user accounts: can be used by any domain member; support a single sign-on environment
Group types: Security, Distribution
Group scopes: Domain local, Global, Universal
Organizational Units
OUs and Groups
Creating an OU Structure
OUs and Groups
OUs
OUs are used to store collections of accounts.
Accounts can be stored in only one OU at a time.
OUs can be used to apply Group Policy.
Groups
Groups are used for permissions and delegation.
Users in a group receive the permissions of the group.
A user can be in multiple groups.
Users are members of groups for access control purposes.
Creating an OU Structure
Three common models for an OU structure:
Geographic: NorthAmerica, SouthAmerica, Europe, Asia
Functional: Admins, Help Desk, Managers, Users
Departmental: Sales, Marketing, Engineering, Accounting
Introducing the Design Stages for Implementing Group Policy
The four major stages in a successful Group Policy implementation:
Planning
Designing
Deploying
Managing
Planning Your Group Policy Design
Policy Survey
Policy Objectives
Policy Components
Policy Survey
Analyze user requirements
Inventory the IT roles in the company
Examine existing security policies
What level of security is required for servers?
What level of security is desired for: Network clients
Public computers
How is software distributed?
How are updates distributed?
Where is the essential data stored?
Who currently has management authority?
Policy Objectives
Evaluate corporate practices: can Group Policy mirror existing user practices?
Discuss security concerns.
Some policy objectives may not work for every company.
Users that resist policy acceptance will try to circumvent restrictions.
Policy Components
Computer security
Software deployment
Logon scripts
Folder redirection
Administrative Template settings
Preference settings
Designing Your Group Policy Solution
Group Policy Solution Components
Designing Your Group Policy Model
Delegating GPO Responsibilities
Creating new GPOs
Sites and GPOs
Group Policy Solution Components
Networking
DNS Services
Time Synchronization
Administration
Client Interoperability
Designing Your Group Policy Model
GPO links
Security filtering
Number of Group Policy objects
Scope of Group Policy
Applicability of Group Policy settings
Non-applicability of Group Policy settings
Roles and locations of users and computers
Desktop configurations
User requirements for various types of users
Delegating GPO Responsibilities
Assign subordinate administrators the ability to create and link policies for select OUs
Avoid having too many administrators with responsibility for the same GPOs
Creating New GPOs
Gradually implement restrictive policies
Avoid configuring restrictive policies at the domain root
Configure more granular GPOs on a per-OU basis
Sites and GPOs
Geographical location of your Active Directory sites
Physical location of each domain controller determines its site location
Speed of the FRS
Intersite and intrasite replication
Deploying Your Group Policy Solution
Applying Group Policy Changes
Linking GPOs to the Domain
Designing an OU Structure for Group Policy
Applying Group Policy to New Users and Computers
Applying Group Policy Changes
The primary mechanisms for refreshing Group Policy are startup and logon.
Group Policy is also refreshed on a regular basis. The policy refresh interval in force affects how quickly changes to Group Policy objects are applied.
Folder redirection and the assignment of software applications require the user to log off and log on again before they take effect.
Software applications assigned to computers are installed only when the computer is restarted.
Linking GPOs to the Domain
Linking GPOs to the domain applies equally to all users and computers in the domain.
All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO.
The term “linked” defines where the GPO was created or where the GPO settings are to apply.
Designing an OU Structure that Supports Group Policy
You can move users and computers into and out of OUs within a single domain.
If necessary, you can rearrange OUs within the single domain.
Groups of users with common requirements can be easily moved and contained.
Users and computers can be organized based on which administrators manage them.
Applying Group Policy to New User and Computer Accounts
In Active Directory, the Users and Computers containers cannot have policies assigned to them.
redircmp.exe and redirusr.exe change the default location for new account objects.
Redirect new users and computers to OUs that policies can affect.
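The redirection step above as a worked example. This script is added here and is not part of the course material. It reads the domain's current default containers with Get-ADDomain, creates staging OUs if they are missing, and runs redirusr.exe and redircmp.exe only when the defaults still point somewhere else, so re-running it is harmless. The OU names Staging-Users and Staging-Computers are assumptions for illustration; the script assumes the ActiveDirectory RSAT module, Domain Admins rights, and a domain functional level of Windows Server 2003 or later, which redirusr and redircmp require.

```powershell
# Added example, not from the course material. Redirect the default location of
# new user and computer objects to OUs that Group Policy can target.
# Assumes: ActiveDirectory module (RSAT), Domain Admins rights, and a domain
# functional level of Windows Server 2003 or later (required by redirusr/redircmp).
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$domainDN       = $domain.DistinguishedName
$newUsersOU     = "OU=Staging-Users,$domainDN"      # assumed OU name
$newComputersOU = "OU=Staging-Computers,$domainDN"  # assumed OU name

function Test-ContainerRedirected {
    # True when the domain's current default container already equals the target OU.
    # Distinguished names are compared case-insensitively.
    param([string]$Current, [string]$Target)
    return ($Current -ieq $Target)
}

function Initialize-StagingOU {
    # Create the OU if it does not exist, protected from accidental deletion.
    param([string]$OuDN, [string]$ParentDN)
    try {
        Get-ADOrganizationalUnit -Identity $OuDN | Out-Null
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $name = (($OuDN -split ',')[0]) -replace '^OU=', ''
        New-ADOrganizationalUnit -Name $name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
}

Initialize-StagingOU -OuDN $newUsersOU     -ParentDN $domainDN
Initialize-StagingOU -OuDN $newComputersOU -ParentDN $domainDN

if (-not (Test-ContainerRedirected -Current $domain.UsersContainer -Target $newUsersOU)) {
    Write-Host "Users container is currently $($domain.UsersContainer); redirecting to $newUsersOU"
    redirusr.exe $newUsersOU
}
if (-not (Test-ContainerRedirected -Current $domain.ComputersContainer -Target $newComputersOU)) {
    Write-Host "Computers container is currently $($domain.ComputersContainer); redirecting to $newComputersOU"
    redircmp.exe $newComputersOU
}

# Re-read the domain object and show the effective defaults after redirection.
$after = Get-ADDomain
[pscustomobject]@{
    UsersContainer     = $after.UsersContainer
    ComputersContainer = $after.ComputersContainer
}
```

Link the baseline GPOs to the staging OUs before running the script, so that an account created by any provisioning tool that does not specify an OU receives policy from its first logon rather than sitting in a container no GPO can reach.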
Managing Your Group Policy Solution
Delegating the Administration of Group Policy
Specifying a Domain Controller for Editing GPOs
Rolling Back Domain GPOs
Starter GPOs
Adding Comments to a GPO
Using the AGPM
Delegating the Administration of Group Policy
Default Rights for Group Policy Management
Group Policy Creator Owners Group
GPO Delegation
Manually Assigning Permissions
Default Rights for Group Policy Management
When a Windows Domain is installed, default permissions are assigned to specific administrative groups for creating, deleting, and linking GPOs.
Enterprise Administrators can create, delete, link, or unlink GPOs anywhere in the forest.
Delegate limited control to other administrators to assist in GPO management.
Groups Assigned GPO Rights
Windows Group: Rights Granted
Enterprise Admins: Create, delete, edit, and link GPOs in all forest containers (sites, domains, and OUs).
Domain Admins: Create, delete, edit, and link GPOs in the domain and all OUs hosted by the domain, but not in sites.
Group Policy Creator Owners: Create GPOs in the domain to which the group belongs. Users who are members of this group can edit any GPOs that they create; however, other members of the group cannot. Deleting GPOs is not allowed. Linking to a site, domain, or OU is also not allowed.
Local Admins: Create GPOs in the domain to which the group belongs. A user that is a member of this group can edit and delete all GPOs that any other group member has created. Linking the GPO to the domain and any OUs hosted by the domain is also allowed.
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Creator Owners Group
Members of the GPCO group can link only to containers they have link rights to.
Being a member of the GPCO group gives the non-administrator full control of only those GPOs that the user creates.
GPCO members do not have permissions for GPOs that they do not create.
GPO Delegation
The right to link GPOs can be delegated separately from the right to create and edit GPOs.
Be sure to delegate these rights only to the groups you want to be able to create and link GPOs.
Creation of GPOs can be delegated to any group or user.
Manually Assigning Permissions
Permissions guidelines for creating and editing GPOs are:
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis.
By default, only domain administrators, enterprise administrators, Group Policy creator owners, and System can create new GPOs.
By default, domain administrators can edit all GPOs in the domain.
Rights for GPO Control
Right: Control
Full control: Create, edit, view, and delete the GPO
Read: View the GPO in the Group Policy Console (opening the GPO to edit is not allowed)
Write: View and edit the GPO (note: the Read permission must also be granted to even be able to view the GPO)
Create all child objects: Create and edit GPOs (deleting is not allowed)
Delete all child objects: Delete a GPO
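Reviewing who actually holds change rights on each GPO, as an added example that is not part of the course material. The script maps the rights above to the permission levels that Get-GPPermission reports (GpoEdit corresponds roughly to the Write row, GpoEditDeleteModifySecurity to Full control), reads every GPO through the PDC emulator, and flags any trustee other than the groups that hold change rights by default. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the delegated group name in the commented Set-GPPermission call is an assumption.

```powershell
# Added example, not from the course material. Audit which trustees can change
# GPOs in the domain and compare them with the default administrative groups.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Do all GPO reads through the PDC emulator, the DC used for GPO operations,
# so the audit does not see a stale replica.
$pdc = (Get-ADDomain).PDCEmulator

# Permission levels that allow a GPO to be changed. GpoEdit corresponds roughly to
# the Write row of the rights table; GpoEditDeleteModifySecurity to Full control.
$changeLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

# Trustees that hold change rights on every GPO by default. The creator of a GPO
# also appears on GPOs created by a Group Policy Creator Owners member.
$defaultEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpoChangeRight {
    # Returns one record per (GPO, trustee) pair where the trustee can change the GPO.
    param([string]$Server)
    foreach ($gpo in Get-GPO -All -Server $Server) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -Server $Server
        foreach ($p in $perms) {
            $level = [string]$p.Permission
            if ($changeLevels -contains $level) {
                [pscustomobject]@{
                    GpoName     = $gpo.DisplayName
                    Trustee     = $p.Trustee.Name
                    TrusteeType = [string]$p.Trustee.SidType
                    Permission  = $level
                    IsDefault   = ($defaultEditors -contains $p.Trustee.Name)
                }
            }
        }
    }
}

$report = Get-GpoChangeRight -Server $pdc

# Non-default editors are the entries to reconcile with the delegation plan;
# a user (rather than a group) holding edit rights usually indicates ad hoc delegation.
$report |
    Where-Object { -not $_.IsDefault } |
    Sort-Object GpoName, Trustee |
    Format-Table GpoName, Trustee, TrusteeType, Permission -AutoSize

# To delegate edit rights (without delete) on one GPO to a group, as in the Write
# row of the table, grant GpoEdit. The group name below is an assumption:
# Set-GPPermission -Guid $gpoId -TargetName 'GPO-Editors-Sales' -TargetType Group `
#     -PermissionLevel GpoEdit -Server $pdc
```

Run the audit on a schedule and keep the output; a new trustee appearing with GpoEdit or GpoEditDeleteModifySecurity on a GPO that is linked at the domain root deserves the same scrutiny as a new member of Domain Admins.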
Specifying a Domain Controller for Editing GPOs
The choice of domain controllers is important for administrators to consider to avoid replication conflicts.
In each domain, the domain controller with the FSMO role of PDC emulator is used for all GPO operations in that domain. This includes all operations on the GPOs that are located in that domain.
Rolling Back Domain GPOs
The default domain GPOs can be rolled back to their standard configuration using dcgpofix.exe if needed.
Starter GPOs
Quickly create a new GPO from the Starter GPO.
Several Starter GPOs are included by default.
Adding Comments to a GPO
When you enter a comment in the properties of the GPO, it is displayed in the GPMC on the Details tab.
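Creating a GPO that follows the guidance on Starter GPOs, naming conventions, and comments, as an added example that is not part of the course material. The script builds the name from an assumed Scope-Purpose-yyyyMMdd convention, creates the GPO from a Starter GPO with New-GPO -StarterGpoName, stores a change-log comment in the Description that the GPMC shows on the Details tab, and links it to an OU with the link initially disabled so that restrictive settings can be enabled gradually. A second function reports GPOs whose names or comments do not follow the convention. The Starter GPO name, the target OU, and the naming pattern are assumptions; the GroupPolicy and ActiveDirectory RSAT modules are assumed.

```powershell
# Added example, not from the course material. Create a GPO from a Starter GPO
# with a convention-based name and a comment, link it (disabled) to an OU, and
# report GPOs that do not follow the convention.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator                         # GPO operations go to the PDC emulator
$targetOU = "OU=Sales,$($domain.DistinguishedName)"     # assumed OU
$starter  = 'Windows Vista EC User'                     # assumed Starter GPO name

# Assumed naming convention: <Scope>-<Purpose>-<yyyyMMdd>, e.g. Sales-UserScreenLock-20130315
function New-GpoName {
    param([string]$Scope, [string]$Purpose, [datetime]$Date = (Get-Date))
    return ('{0}-{1}-{2}' -f $Scope, $Purpose, $Date.ToString('yyyyMMdd'))
}

function Test-GpoNameConvention {
    param([string]$Name)
    return ($Name -match '^[A-Za-z0-9]+-[A-Za-z0-9]+-\d{8}$')
}

function Get-GpoHygieneReport {
    # One record per GPO: does the name follow the convention, and is a comment present?
    param([string]$Server)
    foreach ($gpo in Get-GPO -All -Server $Server) {
        [pscustomobject]@{
            Name             = $gpo.DisplayName
            NameOk           = Test-GpoNameConvention -Name $gpo.DisplayName
            HasComment       = -not [string]::IsNullOrWhiteSpace($gpo.Description)
            ModificationTime = $gpo.ModificationTime
        }
    }
}

$name = New-GpoName -Scope 'Sales' -Purpose 'UserScreenLock'
if (Get-GPO -Name $name -Server $pdc -ErrorAction SilentlyContinue) {
    throw "A GPO named '$name' already exists."
}

# The comment is stored in the GPO's Description and appears on the GPMC Details tab.
$comment = "Purpose: screen-lock settings for Sales users. Created $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME. Change log: initial version."
$gpo = New-GPO -Name $name -StarterGpoName $starter -Comment $comment -Server $pdc

# Link with the link disabled: settings are reviewed first, then enabled for a pilot OU.
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled No -Server $pdc | Out-Null

# Review GPOs that lack a comment or do not follow the naming convention.
Get-GpoHygieneReport -Server $pdc |
    Where-Object { -not $_.NameOk -or -not $_.HasComment } |
    Format-Table -AutoSize
```

Appending a dated line to the comment on every subsequent change gives the history the summary asks for (settings applied, date of creation and change) without relying on a separate tool.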
Using the AGPM
Granular administration: robust delegation model, role-based administration, change request approval
Reduced failure risk: offline editing of GPOs, difference reporting and audit logging, recovery of a deleted GPO, repair of live GPOs
Change management: creation of GPO template libraries, subscription to policy change e-mail notifications, version tracking, history capture, and quick rollback of deployed changes
Note: Microsoft has not yet released an updated AGPM for Windows 8 and Windows Server 2012.
Summary
The heart of Active Directory is a database with object types such as Users, Groups, Computers, Contacts, Printers, and Shared folders. Active Directory is made up of a collection of components (Site, Global Catalog, Forest, Tree, Domain, Domain Controller, and OU) that work at different levels of a hierarchy.
Summary (cont.)
The four stages of implementing Group Policy are:
Planning: During this stage, you will decide which components of Group Policy to deploy in your organization; start gathering information about your company and how it carries out its day-to-day business with an Active Directory network; and design a Group Policy that manages entities such as computer security, software deployment, etc.
Designing: During this stage, you will configure the physical components of the environment, lay out the Group Policy model, delegate management authority, create new GPOs, and design the interaction of GPOs with Active Directory sites.
Summary (cont.)
Deploying: During this stage, you will make the policy available to the users and computers that you want to affect with the settings.
Managing: During this stage, you will put mechanisms in place to manage group policies on an ongoing basis; delegate authority to subordinate administrators to manage certain aspects of Group Policy; specify a default domain controller for GPO editing; use tools such as Starter GPOs and the GPO to track and control Group Policy objects.
Summary (cont.)
To plan your Group Policy in accordance with your company requirements, do the following:
Ask your help desk, end users, management, and support staff the planning stage questions.
Determine which components of Group Policy to deploy.
Find out about the design and implementation of your Active Directory infrastructure.
Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network.
If your company has several divisions, find out how the network infrastructure is managed.
Summary (cont.)
Base your Group Policy design on your physical and logical Active Directory deployment.
Ensure the plan manages the Group Policy entities such as computer security, folder redirection, roaming user profiles, etc.
Follow these guidelines when you create new GPOs:
Use the settings in your GPOs that you are already familiar with, and use a domain GPO to deploy a company-wide GPO with minimal settings that are acceptable to everyone.
Summary (cont.)
Create more granular GPOs on a per-OU basis to affect smaller numbers of users and computers with their specific needs.
Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO; the name should include the settings applied and the date of creation and change.
You can link policies to the domain, site, or at the various levels of a nested OU structure.
Summary (cont.)
Decide the degree to which you should centralize or distribute administrative control of Group Policy. In a centralized administration model, the IT group provides services and setting standards for the entire company. In a distributed administration model, each business unit manages its own IT group. Based on the administrative model, determine which configuration management components should be handled at the site, domain, and OU levels.
You can manually assign permissions to a GPO from the Group Policy MMC.
Knowledge Check
1. What types of objects can you store in Active Directory?
Users, Groups, Computers, Contacts, Printers, and Shared Folders
Knowledge Check (cont.)
2. Briefly describe the Planning and Design stages of implementing Group Policy.
During the Planning stage:
Decide which components of Group Policy to deploy
Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network
Design a Group Policy that manages entities (computer security, software deployment, etc.)
During the Design stage:
Configure the physical components of the environment
Lay out the Group Policy model
Delegate management authority
Create new GPOs
Design the interaction of GPOs with Active Directory sites
Knowledge Check (cont.)
3. What should you do when you plan your Group Policy in accordance with your company requirements? (Choose all that apply.)
a. Ask the planning stage questions.
b. Find out about the design and implementation of your Active Directory infrastructure.
c. Base your Group Policy design on your physical and logical domain controller deployment.
d. Determine how your company carries out its day-to-day business with an Active Directory network.
Knowledge Check (cont.)
4. What should you include when you name a GPO?
The settings applied and the date of creation and change.
5. What can you link the policies to when you deploy your Group Policy solution?
You can link the policies to the domain, site, or at the various levels of a nested OU structure.
6. Name the two models you can use to delegate the administration of Group Policy.
Centralized administration model and distributed administration model