Embed Size (px)
Citation preview
ADM222
Configuring Windows Using Group Policy
BJ WhalenProgram Manager
Group Policy
Microsoft Corporation
Mike Jorden
Technology Specialist
BPSG
Microsoft Ltd
The Long and the Short of Group Policy!
BJ WhalenProgram Manager
Group Policy
Microsoft Corporation
Mike JordenTechnology Specialist
BPSGMicrosoft Ltd
Oooppps….
Sorry about the slide deck
Agenda
Background Windows functionality configurable using Group PolicyHow do clients apply Group PolicyGroup Policy in actionCommon Group Policy Questions
Group Policy Sessions at TechEd
ADM222 Using Group Policy to Configure Windows
This one!!!!
ADM320 Managing Group PolicyThursday 10:00 room 10
ADM 421 Scripting Group PolicyThursday 18:15 room 9
Group Policy OverviewDo More with Less Effort
Active Active DirectoryDirectory
One AdministratorOne Administrator
ActionAction
““New Policy”New Policy”
Group Policy enables admins Group Policy enables admins to set and maintain a desired to set and maintain a desired computing statecomputing state
New Group Policy New Group Policy Management Console (GPMC) Management Console (GPMC) makes administration much makes administration much easiereasier
Many End UserMany End User
ResultsResults Many ComputerMany Computer
ResultsResults
Policy-based managementWhat can you do with Group Policy?
Centralized storage and mgmt of user dataUsers have access to data and settings from any computer Consistency of user experience across computersData safety and availabilityRapid PC replacement
Configuration of the Operating System:Networking settings, control panel access, remote assistance, disk quotas, IE
Securing the Operating SystemOngoing & dynamic configuration management
Group Policy Controls What?
Administrative Templates Registry-based policy settings
Security Users Rights, restricted groups, Account Policies, IPSec, Public Key, Wireless, System Services, Software Restriction Policies, etc
IE Maintenance Administer Internet Explorer
Software Distribution Centralized mgmt of application installation
Scripts Startup, Shutdown, logon, logoff
Folder Redirection Store users’ folders on the network
Remote Installation Service Configure Client options for RIS
3rd Party extensions Group Policy framework allows for extensibility
Enables configuration on Win2000 and later of:Enables configuration on Win2000 and later of:
Group Policy:Not just for desktops
Server ManagementManage OS components
Especially security management
Terminal servers, web servers, etc.
What we do at TechEd Europe
1,000 PCsCommsNet (400 PCs)
Session Feedback Pods (60 PCs)
Session Room PCs
Hands-on Labs
Speaker Lounge
BackOffice
How many images?
22
Thanks to Group Policy
TechEd InfrastructureLondon
msevdad1 msevdad2
Event
msevsad11 msevsad12
Session Feedback Pods
Session Rooms
CommsNet
Speakers Lounge
Back-office
TechEd AD Structure
London Servers
You ( & BJ! )
Me
Event Servers
Computers
Travel Desk Kiosks
CommsNet
Session Rooms
FeedBack pods
Windows Functionality Configurable through Group Policy
Administrative Templates Managing the OS and Apps by manipulating the registryWindows ships with .ADM files for managing OS components
All settings in these files are true policy settingsNo tattooingOriginal user preference restored upon removalSecure for non-admins
Custom .ADMs possible, but generally not true policy settings
Note difference between .POL and .ADM file.ADM File
Available Settings and UI descriptionUsed by GPEdit only to expose settings for editingExists in both sysvol and locally in %windir%\inf
Registry.Pol FileActual Settings deliveredThis is what is delivered to the client to modify registry during GP processingExists in sysvol
.ADM and .POL files
Client computer Domain Controller
%windir%\inf 001011000111
.POL
.ADM
...POLICY !!NoRun …
.ADM
...POLICY !!NoRun …
Svsvol\policies\{GUID}
Settings transferred during policy processing
Default behavior:When using GPEdit, upload from client version if its timestamp is newer
ADM Files: Managing mixed environments
ADM files provided in Windows are cumulativeE.g., settings in Windows Server 2003 .ADM files are a superset of settings in XP and 2000 ADMsOS applicability of setting indicated by “Supported on” field in UI
Note: “Supported on” field is not yet supported on Win2000
Up-level settings ignored on down-level clientsE.g. Win2000 ignores settings XP+ only settings
General recommendation: Use ADM files from latest OSIf possible, perform administration on XP or laterConsider use of policy settings to control ADM behavior (see next slide)
ADM file management Group Policy Object Editor
ADM files used to display UI in “Administrative Templates” nodeADM files loaded from Sysvol by defaultIf local copy is newer, it’s uploaded to sysvol
Note: issues with Win2k SP3 & SP4 (fix planned for SP5)
This behavior is configurable via 2 policy settingsNever upload to sysvol (“Turn off Automatic Update of ADM Files”)Use local ADMs only - new for Windows Server 2003
GPMCADM files used to generate HTML reportsADM files loaded from local computer by defaultIf not found, loaded from sysvolUser can specify custom location from which to load ADMs NEVER copied to sysvol
Security Policy Settings
Account Policies
Configure password, account, and Kerberos policies (domain only)
Local Policies Configure auditing, user rights, and security options
Event LogConfigure settings for application logs, system logs,
and security logs
Restricted Group
Configure group memberships for security sensitive groups
System Services
Configure security and startup settings for services running on a computer
Registry Configure security on registry keys
File System Configure security on specific file paths
Public KeyConfigure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
IP Security Configure IP security on a network
Wireless Configure wireless settings
Software Restriction
Configure which apps can be run or disallowed
Security Tips
Account Policies must be configured at domain level
Security settings always re-apply every 16 hours
Don’t apply full security templates through Group Policy –
Those are intended for one time only
File and Registry ACLs time consuming to apply and also tattoo
Restricted groups don’t merge: See 810076
Internet Explorer Maintenance
Set policy settings to control:Browser User Interface (Title, logo)
Connection (Proxy, autodetect, etc)
URLs: home page, favorites
IE Security: Zones, Privacy, Content Ratings, Authenticode
Programs
Enhanced Security Configuration (ESC) on Win2003New secure configuration for IE impacts Zones and Privacy
ESC-enabled and -disabled computers must be managed independently
GPOs with ESC-enabled settings only apply to ESC enabled machines, and vice versa.
ESC state of admin machine determines whether a GPO is ESC-enabled or not
CommsNet example
Set Home Page &
Trusted Zones
Folder RedirectionSupports Server-Based Storage of Common Folders
My Documents
Application Data
Desktop
Start Menu
BenefitsAvailability of user data on any computer
Reduced network usage when users move between machines
Increased ease of backup of redirected folders
Used in conjunction with Offline Files to provide access when disconnected from network
On XP and above, all redirected folders are automatically admin pinned for offline use
For each folder, you can chooseNo policy - does not redirect
Basic - redirects all users to the same place
Advanced- redirects users to different locations based on security group membership
Folder Redirection TipsGeneral recommendations:
Consider redirection of My documentsIf using Roaming Profiles, this is a must
Optionally consider redirecting DesktopIf users store documents on desktop
Start Menu and AppData generally not recommended for redirection
Let the system create folders for each user to avoid improper ACLsTo remove Folder Redirection, use the “Redirect to the local user profile” settingWhen using EFS, encrypt the local cache, not the folder on the server
CommsNetLondon
msevdad1 msevdad2 Event
msevsad11 msevsad12
Profile
CommsNet example
Redirect Desktop &
My Documents
Software Installation3 deployment options
Assign to computerApp is installed at boot.
Assign to userApp installed either on demand or (with XP and above) at user logon
Publish to userUser chooses to install from add remove programs.
Requires MSI appsExcept ZAP apps, which is limited (no elevated install)
TipsMake sure machine accounts have access to Software Distribution points for machine assigned appsOn Win2k, turn off “Include OLE and Class product information” in Advanced Deployment OptionsNo supported way to control install order within a GPO
CommsNet Example
Install the Citrix Client
ScriptsComputer-based scripts
startup and shutdownRun in local system context
User based scriptslogon and logoffRun in user context
Configurable options:Processing order if multiple scriptsScript timeout (default is 10 minutes)
Computer Configuration\Administrative Templates\System\Logon\Maximum wait time for Group Policy scripts
TipsScripts *only* execute at if connected to network during boot and logon (requires foreground refresh)
CommsNet Example
Deploy new Wallpaper
Set Local Group Membership
Etc etc.
Remote OS Installation
Most RIS infrastructure on the RIS Server
Group Policy allows configuration of client install wizard options
How do clients apply Group Policy
When Does Group Policy Get Applied?
Group Policy Applies Computer Settings
Startup Scripts Run
Group Policy Applies User Settings
Logon Scripts Run
ComputerComputer Starts Starts
User Logs OnUser Logs On
……and at periodic intervalsand at periodic intervals
Foreground vs Background refresh
Foreground refreshAt boot and logonProcessing is synchronous:
Logon prompt not displayed till computer processing completeDesktop not displayed till user processing complete
Requires connectivity to domainAll extensions processed
Background refreshApproximately every 90 minutes (except for DCs, 5 mins)Interval and random offset configurable through policy settingProcessing is asynchronousSoftware installation and folder redirection settings not processed
Processing Optimizations
During refresh, GP is re-applied only if there are changes in the GPOs, or the list of GPOs
Can override this to ALWAYS process via policy setting, for each extension
Windows XP Fast Logon OptimizationOS does not wait for network start before displaying logon screen
Configurable via policy setting
Computer policy is processed as background refresh at logon.
Changes to Folder Redirection and Software Installation may require multiple reboots to apply
CommsNet example…
Disable fast logon to ensure Kiosk mode
Group Policy Over Slow Links
Slow link = connection < 500 kbps, by defaultConfigurable via policy setting
When slow link is detected:Security Settings and Administrative Templates are always applied
By Default, Software Installation, Scripts, and Folder Redirection are not applied
Configurable via policy setting for each extension
RAS does not necessarily imply slow link
Common Group Policy Questions
Question 1
Q: Where can I get a list of the available ADM settings? A: http://go.microsoft.com/fwlink/?LinkId=15165
Allows filtering by:Supported OS
Component Area
Includes:Registry Setting
Explain text
Question 2
Q: Are there pre-configured example GPOs available to get me started?
A: Yes:http://go.microsoft.com/fwlink/?LinkId=14951
Provides GPO “templates” for several common scenarios
Will be updated in next few weeks to be based on GPMC backups
Question 3
Q: Where can I learn more about managing ADM files?
A: KB 816662 discusses and provides recommendations for:
Mixed platforms
Mixed languages
Sysvol size issues
Question 4Q: What are the new Group Policy features since Windows 2000
A: Introduced in WinXP:
Group Policy Results (RSoP logging)
WMI filter client support
Software Restriction Policy – client support
Fast logon optimization
New policy settings
New GPResult.exe based on RSOP
Introduced in Windows Server 2003:GPMC:
New admin tool for managing Group Policy
Web download for both XP and 2003
Group Policy Modeling (RSoP – planning)
WMI Filters admin support
Software Restriction Policies – Admin Support
New Policy Settings
Question 5
Part 1Q: What are requirements to use Group Policy ResultsA: Clients must be running on XP or later
Part 2Q: Is there any dependency on whether I have a 2000 or 2003 based AD ?A: Group Policy Results is a function of the client. However the ability to delegate remote access to read Group Policy results data requires AD schema for Windows Server 2003
ADPrep /ForestPrep
Question 6
Q: What are the requirements for using Group Policy ModelingA: Group Policy Modeling is performed by a service that is only available on DCs running Windows 2003. There is no dependency on the client OS.
Question 7
Q: What are the requirements to use WMI filters?A:
Client Dependencies:Clients must be running XP or laterWin2000 clients ignore the filter and always apply the WMI filtered GPO
Server Dependencies:Forest: must have Windows 2003 AD schema (ADPrep /ForestPrep)Domain: Must run ADPrep /DomainPrep to use for clients in that domainDCs don’t actually need to be running Win2003
Question 8
Q: Are there any dependencies in Group Policy on native mode vs mixed mode?A: No. However, various features do have dependencies on the following:
Schema level of the forest (ADPrep /ForestPrep)Domain configuration (has ADPrep /DomainPrep been run?)Presence of at least one DC
Question 9
Qa: Can I use GPMC to manage a my environment if all my DCs are running Windows 2000?
Qb: Can I use GPMC if my clients are running Windows 2000?
A: Yes. However, GPMC itself must run on a computer running Windows XP SP1 or Windows Server 2003.
Group Policy On The Web
Group Policy Product Pagehttp://www.microsoft.com/grouppolicy
Group Policy Technology Centerhttp://www.microsoft.com/technet/grouppolicy
Windows Server 2003 Deployment KitDesigning a Managed Environment Book
http://go.microsoft.com/fwlink/?LinkId=15311
Group Policy WhitepapersAll linked from the Group Policy Technology Center (TechNet)
Introduction to Group Policy
Windows Server 2003 Group Policy Infrastructure
Group Policy Administration using GPMC
Troubleshooting Group Policy with Windows Server 2003
Migrating GPOs Across Domains with GPMC
Group Policy Community
NewsgroupsUsing a newsreader: microsoft.public.windows.group_policy
Using web browser: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp
TechNet ChatsGenerally scheduled monthly
Previous Transcripts available at:http://go.microsoft.com/fwlink/?LinkId=16504
Ask The ExpertsGet Your Questions Answered
BJ will be at the ATE on Thursday morning at 11:30 (after Managing GP talk).
Mike has to fly back (and miss the party )
Community Resources
Community Resourceshttp://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/
NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx
User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx
The tools you need to put technology to work!The tools you need to put technology to work!
Suggested Reading And Resources
TITLETITLE AvailableAvailable
TodayTodayActive Directory® for Microsoft® Active Directory® for Microsoft® Windows® Server 2003 Technical Windows® Server 2003 Technical Reference: 0-7356-1577-2Reference: 0-7356-1577-2
Microsoft® Windows® Server Microsoft® Windows® Server 2003 Administrator's Companion: 2003 Administrator's Companion: 0-7356-1367-2 0-7356-1367-2
TodayToday
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
evaluationsevaluations
© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
