Active Directory Group Policies: A more in-depth Look

Posted 23-Dec-2014
Page 1: Active Directory Group Policies

Active Directory Group Policies: A more in-depth Look

Page 2: Active Directory Group Policies

Presented by:

Clay Walker, Bridgeport ISD

[email protected]

Notes and other information can be found at:

http://www.ntatd.org/clay

Page 3: Active Directory Group Policies

BISD Active Directory Overview

- All students in grades 3-12 have an Active Directory account
- All users have a personal H: drive
- All data (student and faculty) is stored on a server (no local data)
- My Documents is redirected to the H: drive
- Favorites is redirected to the H: drive

Page 4: Active Directory Group Policies

BISD A/D overview (con't)

- Each campus has an "application folder" for networked (and not so networked) applications
- Campus Shortcuts folder:
  - Faculty Application Shortcuts
  - Student Application Shortcuts
  - Printer Shortcuts

Page 5: Active Directory Group Policies

Computer OUs

- Fac/Staff Computers: organized by campus
- Admin: organized by campus
- Laptops: separate OU
- Servers: separate OU
- Student Computers: organized by campus; each lab has its own OU

  Student Computers
    HS
      Lab1
      Lab2
    MS
      Lab1
      Lab2

Page 6: Active Directory Group Policies

Computer OUs

This layout allows GPOs to be applied at many different levels (district, campus, lab).

Page 7: Active Directory Group Policies

User OUs

- Faculty: organized by campus; super users in a separate OU
- Students: organized by graduation year

Page 8: Active Directory Group Policies

BISD LAN Overview

- Windows 2003 servers
- Windows XP Pro clients (100%)
- Fiber connectivity between all campuses (1 Gbps)

Page 9: Active Directory Group Policies

Access Based Enumeration

- With ABE installed, users only see the files and folders they have permission to read and/or write; everything else is hidden from directory listings
- ABE only hides names. It is not an access control: a user who knows a path can still try to open it, and NTFS permissions must be what denies the access
- Windows Server 2003 only
- Installed on the server that shares the files
- Quick and easy to install and configure: http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

Page 10: Active Directory Group Policies

Access Based Enumeration

[Screenshots: the share as seen when an administrator is logged in vs. when a student is logged in]

Page 11: Active Directory Group Policies

Group Policies Fundamentals

- GPOs are linked to sites, domains and OUs (not to security groups or individual users); with a layout like the one above you will normally link them to OUs
- Use GPMC.msc (Group Policy Management Console, downloaded from Microsoft) to manage GPOs
- If the user is an administrator on the local computer, most (if not all) of the restrictions will not work: a local administrator can simply change the registry keys and files that the policy sets
- GPOs can be used to open the PC up just enough that users DO NOT NEED to be local administrators

Page 12: Active Directory Group Policies

Group Policy Fundamentals

- Each group policy has 2 sections:
  - Computer Configuration: workstation settings such as security, services, etc.
  - User Configuration: user environment settings such as logon scripts, desktop environment, restrictions, etc.
- Normally, if you apply a "User Configuration" policy to a Computer OU, nothing happens (unless loopback processing is enabled; see the printer example later on)

Page 13: Active Directory Group Policies

Group Policy Best Practices

1. Create a Test OU under the production OU
2. Link the policies to that Test OU
3. Move a test computer into that OU
4. Allow for replication between the domain controllers
5. Run gpupdate /force on the client and reboot
6. When finished testing, move the computer back to the production OU, run gpupdate and reboot

Page 14: Active Directory Group Policies

GPO Example – Redirect My Docs

Redirect My Documents:

- User Configuration -> Windows Settings -> Folder Redirection -> My Documents
- Basic – Redirect everyone's folder to the same location
- Target folder location: Create a folder for each user under the root path: \\student1\08
- Settings tab, IMPORTANT: Uncheck "Grant the user exclusive rights to My Documents" (otherwise administrators are locked out of the redirected folders)
- With that box unchecked, each user's folder inherits the NTFS permissions of the root path, so the root must be permissioned so that a student can create only their own folder and cannot read anyone else's
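An added example of what that root permissioning looks like (this is not code from the presentation). It assumes the share \\student1\08 is backed by D:\Redirect\08 on the file server and that students are members of a group BISD\Students; both names are assumptions. Run it on the file server as an administrator.

```powershell
# Added example (not from the presentation): NTFS permissions for the folder
# redirection root when "Grant the user exclusive rights" is unchecked.
# Assumes \\student1\08 is backed by D:\Redirect\08 and that students are
# members of BISD\Students (both assumptions).

function Set-RedirectionRootAcl {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $UserGroup
    )
    New-Item -ItemType Directory -Path $Root -Force | Out-Null

    # Drop inherited ACEs so nothing from the parent (e.g. Users:Read) flows into user folders
    icacls $Root /inheritance:r | Out-Null

    # SYSTEM and Administrators: full control on the root and everything below
    icacls $Root /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    # CREATOR OWNER: full control on subfolders and files only (IO = inherit only).
    # The student who creates a folder becomes its owner and gets full control of it, and only it.
    icacls $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

    # Students: on THIS FOLDER ONLY (no OI/CI), list it and create a subfolder.
    # RD = list folder, AD = create subfolder, RA = read attributes, X = traverse.
    icacls $Root /grant "${UserGroup}:(RD,AD,RA,X)" | Out-Null
}

function Test-RedirectionRootAcl {
    # $true when no non-admin ACE on the root is inheritable, i.e. students cannot
    # end up with rights on each other's redirected folders through inheritance.
    param([Parameter(Mandatory)] [string] $Root)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $acl = Get-Acl -Path $Root
    $leaks = $acl.Access | Where-Object {
        $_.IdentityReference.Value -notin $trusted -and
        $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
    }
    return ($leaks.Count -eq 0)
}

Set-RedirectionRootAcl -Root 'D:\Redirect\08' -UserGroup 'BISD\Students'
Test-RedirectionRootAcl -Root 'D:\Redirect\08'
```

Share permissions on \\student1\08 can stay wide (Authenticated Users: Full Control); the NTFS ACL above is what actually separates students from each other. Re-run Test-RedirectionRootAcl after anyone "fixes" permissions by hand on the server.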

Page 15: Active Directory Group Policies

GPO Example – Redirect My Docs

Page 16: Active Directory Group Policies

GPO Example – Permissions

AutoCAD 2005: give users Modify rights to c:\program files\AutoCAD 2005

- Computer Configuration -> Windows Settings -> Security Settings -> File System -> Add File, browse for the folder, and set permissions
- Computer Configuration -> Windows Settings -> Security Settings -> Registry -> Add Key, browse for the key, and set permissions:
  - CLASSES_ROOT\AutoCAD.Drawing.15\protocol\StdFileEditor\Server
  - CLASSES_ROOT\CLSID\{8E75E913-3D21-11D2-85C4-0800009A0C626}
- Caveat: Modify on an application's Program Files folder lets every member of that group replace the program's executables. If an administrator, a service or a scheduled task ever runs anything from that folder, that is a privilege escalation path, so grant Modify on the narrowest subfolder the trace (next slide) shows the application actually writing to

Page 17: Active Directory Group Policies

GPO Example - Permissions

How did we know what registry keys and files to open up?

- Documentation (if it exists)
- Regmon, Filemon, and now Process Monitor (procmon): http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
- Log in as a "regular" user
- Make sure Process Monitor is in a location the regular user can access
- Run Process Monitor as Administrator (runas) to monitor what is being accessed; filter on Result is ACCESS DENIED to see exactly which files and keys the application needs
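An added example (not from the presentation) of applying the same grants on one test machine before they go into the GPO, and of the check a practitioner wants afterwards: which executables the group can now overwrite. The group name BISD\CAD-Users is an assumption. The machine half of HKEY_CLASSES_ROOT lives under HKLM\SOFTWARE\Classes, which is where the GPO's CLASSES_ROOT entry writes.

```powershell
# Added example (not from the presentation): grant a group Modify on the AutoCAD
# folder and registry key found with Process Monitor, then list the binaries that
# grant made writable. BISD\CAD-Users is an assumed group name.

function Grant-FolderModify {
    param([string] $Path, [string] $Group)
    # (OI)(CI)M = Modify, inherited by subfolders and files
    icacls $Path /grant "${Group}:(OI)(CI)M" | Out-Null
}

function Grant-RegistryKeyModify {
    param([string] $Key, [string] $Group)
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

function Get-ModifiableExecutables {
    # Executables the group can now write to. Any of these that is later run by an
    # administrator, a service or a scheduled task is a privilege escalation path.
    param([string] $Path, [string] $Group)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-Acl $_.FullName).Access | Where-Object {
                $_.IdentityReference.Value -eq $Group -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
            }
        } | Select-Object -ExpandProperty FullName
}

$group = 'BISD\CAD-Users'
Grant-FolderModify -Path 'C:\Program Files\AutoCAD 2005' -Group $group
Grant-RegistryKeyModify -Key 'HKLM:\SOFTWARE\Classes\AutoCAD.Drawing.15\protocol\StdFileEditor\Server' -Group $group
Get-ModifiableExecutables -Path 'C:\Program Files\AutoCAD 2005' -Group $group
```

If the ACCESS DENIED trace only shows writes under one subfolder (a config or license directory, say), point Grant-FolderModify at that subfolder instead of the whole tree; Get-ModifiableExecutables should then return nothing.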

Page 18: Active Directory Group Policies

GPO Example - Permissions

Page 19: Active Directory Group Policies

GPO Example – Software Push: Adobe Acrobat Reader 8

- Must be an MSI file
- If you can't download an MSI (Adobe has MSIs available), you may be able to extract one from a setup package (.exe file)
- You can use an MST transform file to customize the install
- Use the vendor's documentation or Orca to create your MST

Page 20: Active Directory Group Policies

GPO Example – Software Push

- Computer Configuration -> Software Settings -> Software Installation: New -> Package. Find the MSI file
- Make sure the MSI is located in a share that EVERYONE (including the computer accounts in scope) has at least read-only access to
- The share must not be writable by ordinary users: a computer-assigned package is installed by the client as SYSTEM, so anyone who can replace the MSI (or the MST) gets SYSTEM on every machine the GPO applies to
- Select Assigned (if no MST file)
- Select Advanced (if you have an MST file), then the Modifications tab, and add the MST file (it should be in the same share as the MSI file)

Page 21: Active Directory Group Policies

GPO Example – Printer

In a lab scenario, you want all users to get connected to the lab printer and have it set as the default.

- Must have loopback processing enabled: Computer Configuration -> Administrative Templates -> System -> Group Policy: User Group Policy loopback processing mode: Enabled, Mode: Merge
- This is done at the "highest" level (all computers have this policy enabled)

Page 22: Active Directory Group Policies

GPO Example – Printer: write the script first

Example:

    On Error Resume Next
    Set WshNetwork = WScript.CreateObject("WScript.Network")

    ' Remove every existing network printer connection.
    ' EnumPrinterConnections returns pairs: item i is the port, item i+1 is the printer path.
    Set oPrinters = WshNetwork.EnumPrinterConnections
    For i = 0 To oPrinters.Count - 1 Step 2
        ' Skip locally attached printers (port LPT1:); only remove network connections
        If oPrinters.Item(i) <> "LPT1:" Then
            PrinterPath = oPrinters.Item(i + 1)
            ' Force the removal and update the user's profile so it does not come back
            WshNetwork.RemovePrinterConnection PrinterPath, True, True
        End If
    Next

    ' Connect the lab printer and make it the default
    PrinterPath = "\\apps1\hs-BusEdLas"
    WshNetwork.AddWindowsPrinterConnection PrinterPath
    WshNetwork.SetDefaultPrinter PrinterPath

Page 23: Active Directory Group Policies

GPO Example – Printer

- Save the script anywhere (temporary location)
- Create the policy: User Configuration -> Windows Settings -> Scripts (Logon/Logoff): Logon
- Click Add and then Browse; copy the script into this folder (the Browse dialog automatically opens the SYSVOL folder where the script needs to be)
- Apply the policy to the Lab OU (COMPUTER OU – not USER)
- The loopback processing feature allows this USER policy to run even though it is applied to the COMPUTER OU

Page 24: Active Directory Group Policies

GPO Example – Drive Mapping: create your script

Example:

    On Error Resume Next
    Dim WshNetwork
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    ' Map Q: to the HS applications share; False = do not make the mapping persistent
    WshNetwork.MapNetworkDrive "q:", "\\apps2\hsapps", False
    WScript.Quit

Page 25: Active Directory Group Policies

GPO Example – Drive Mapping

- Save the script anywhere (temporary location)
- Create the policy: User Configuration -> Windows Settings -> Scripts (Logon/Logoff): Logon
- Click Add and then Browse; copy the script into this folder (the Browse dialog automatically opens the SYSVOL folder where the script needs to be)
- Apply the policy to the Users' OU

Page 26: Active Directory Group Policies

GPO Example – Software Hash

Used to block .exe's from running (e.g. games, unwanted applications, etc.)

- Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies
- Right-click -> New Software Restriction Policy -> Additional Rules; right-click -> New Hash Rule, Browse to the .exe, OK
- A hash rule matches one exact binary: renaming or moving the file does not get around it, but any new build or patched version of the program will, so a hash blocklist needs constant upkeep. For a lab the stronger posture is the reverse: set the default security level to Disallowed and add path rules for the locations users are allowed to run programs from
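An added example (not from the presentation) that lists the hash rules a client has received and checks whether a given file would match one, which is the quickest way to see why a rebuilt game slips past the rule. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Hashes, where the level subkey 0 is Disallowed, 131072 is Basic User and 262144 is Unrestricted; the file path at the end is an assumption.

```powershell
# Added example (not from the presentation): enumerate SRP hash rules on a
# client and test a file against them. Assumes the standard Safer registry layout.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpHashRule {
    foreach ($level in $Levels.Keys) {
        $hashKey = Join-Path $SaferRoot "$level\Hashes"
        if (-not (Test-Path $hashKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $hashKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            # ItemData is the raw hash; its length tells the algorithm
            $alg = switch ($p.ItemData.Length) { 16 { 'MD5' } 20 { 'SHA1' } 32 { 'SHA256' } default { 'unknown' } }
            $hex = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                Level        = $Levels[$level]
                FriendlyName = $p.FriendlyName
                Algorithm    = $alg
                Hash         = $hex
                FileSize     = $p.ItemSize
            }
        }
    }
}

function Test-SrpHashMatch {
    # Returns the rule(s) whose hash equals the file's hash; nothing means no hash rule applies,
    # which is exactly what happens after the blocked program is updated or rebuilt.
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($rule in @(Get-SrpHashRule)) {
        if ($rule.Algorithm -eq 'unknown') { continue }
        $fileHash = (Get-FileHash -Path $Path -Algorithm $rule.Algorithm).Hash.ToLower()
        if ($fileHash -eq $rule.Hash) { $rule }
    }
}

Get-SrpHashRule | Format-Table Level, FriendlyName, Algorithm, Hash
Test-SrpHashMatch -Path 'C:\Temp\game.exe'   # path is an assumption
```

Run it on a lab machine after gpupdate to confirm the rule arrived, then again against the next version of the program to see it no longer matches.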

Page 27: Active Directory Group Policies

GPO Example – Wireless Profile

- Used to push out wireless settings to clients
- Clients must use Windows to manage the wireless card (not the vendor's utility)
- The GPO must be created from a 2003 DC (the settings are not available on an XP workstation)
- Once the GPO is created, you need to wait for replication before you edit the Wireless Policies

Page 28: Active Directory Group Policies

GPO Example – Wireless Profile

- Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies
- Right-click -> Create Wireless Network Policy
- Edit Policies: create SSID profiles with their security settings
- Requires testing, but once it is set, it works well

Page 29: Active Directory Group Policies

Group Policy Example - Firewall

Windows Firewall has 2 profiles:

- Domain Profile: used when the computer can "see" a Domain Controller, which indicates it is on its home network
- Standard Profile: used when the computer cannot see a Domain Controller, which indicates it is on a foreign network
- Set the standard profile very restrictive: firewall on, no or very limited exceptions (for inbound traffic)
- Set the domain profile permissive: firewall off, or allow inbound traffic from the local network. Of those two, prefer leaving the firewall on with exceptions scoped to the local subnet: a firewall that is off on the domain profile offers nothing against a compromised machine on the same campus LAN

Page 30: Active Directory Group Policies

Group Policy Example - Firewall

Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall (Domain Profile and Standard Profile subfolders)
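An added example (not from the presentation) of the same two-profile posture expressed with the NetSecurity cmdlets that exist on Windows 8 / Server 2012 and later; on the XP/2003 hosts in the presentation the equivalent is the GPO path above or netsh firewall. The Standard profile of that era corresponds to today's Private and Public profiles. The campus subnet 10.20.0.0/16 and the rule names are assumptions.

```powershell
# Added example (not from the presentation): restrictive off-campus profiles,
# domain profile ON with inbound exceptions scoped to the campus subnet.
# 10.20.0.0/16 and the rule names are assumptions.

$CampusSubnet = '10.20.0.0/16'

# "Standard" profile = Private + Public today: firewall on, block inbound by default, no exceptions.
Set-NetFirewallProfile -Profile Private, Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Domain profile: keep the firewall ON rather than off; allow only what the campus needs,
# and only from the campus subnet, so a compromised host elsewhere cannot reach SMB or RDP.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

$rules = @(
    @{ Name = 'Campus-SMB'; Port = 445;  Desc = 'File and print from campus LAN' },
    @{ Name = 'Campus-RDP'; Port = 3389; Desc = 'Remote support from campus LAN' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Desc -Profile Domain -Direction Inbound `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $CampusSubnet -Action Allow | Out-Null
    }
}

function Test-FirewallPosture {
    # Every profile must be on with inbound blocked by default; returns the offenders (none = good).
    Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    } | Select-Object Name, Enabled, DefaultInboundAction
}
Test-FirewallPosture
```

Test-FirewallPosture is the check to run on a test machine after gpupdate: if it returns a profile, the GPO did not apply or a local setting is overriding it.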

Page 31: Active Directory Group Policies

Group Policy Example – WSUS

Use a GPO to define WSUS groups and settings: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update

- Configure Automatic Updates: Enabled; 4 – Auto download and schedule the install; Install day: 0 – Every day; Install time: 20:00
- Specify intranet Microsoft update service location: Enabled. Use an https:// URL for the WSUS server: over plain HTTP the client accepts update metadata from whatever answers on the network path, so a host between client and server can tamper with it
- Enable client-side targeting: Enabled
- Reschedule Automatic Updates scheduled installations: Enabled
- Allow Automatic Updates immediate installation: Enabled
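An added example (not from the presentation) that reads back the registry values those GPO settings write, so a test machine can be verified after gpupdate rather than by waiting for the next install window. The policy values land under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (server location, client-side targeting) and its AU subkey (Automatic Updates). The expected server name https://wsus.bisd.local is an assumption.

```powershell
# Added example (not from the presentation): verify the WSUS client settings the
# GPO above should have written. https://wsus.bisd.local is an assumed server name.

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = Join-Path $WU 'AU'

function Get-WsusClientConfig {
    $wu = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AU -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                = $wu.WUServer                # "Specify intranet Microsoft update service location"
        WUStatusServer          = $wu.WUStatusServer
        TargetGroupEnabled      = $wu.TargetGroupEnabled      # "Enable client-side targeting"
        TargetGroup             = $wu.TargetGroup
        UseWUServer             = $au.UseWUServer             # 1 = use the intranet server above
        AUOptions               = $au.AUOptions               # 4 = auto download and schedule the install
        ScheduledInstallDay     = $au.ScheduledInstallDay     # 0 = every day
        ScheduledInstallTime    = $au.ScheduledInstallTime    # 20 = 20:00
        RescheduleWaitTime      = $au.RescheduleWaitTime      # "Reschedule Automatic Updates scheduled installations"
        AutoInstallMinorUpdates = $au.AutoInstallMinorUpdates # "Allow Automatic Updates immediate installation"
    }
}

function Test-WsusClientConfig {
    # Returns a list of problems; an empty list means the client matches the
    # presentation's settings and talks to WSUS over HTTPS.
    param([string] $ExpectedServer = 'https://wsus.bisd.local')
    $c = Get-WsusClientConfig
    $problems = @()
    if ($c.UseWUServer -ne 1)            { $problems += 'UseWUServer is not 1: client will go to Microsoft Update instead' }
    if ($c.WUServer -ne $ExpectedServer) { $problems += "WUServer is '$($c.WUServer)', expected $ExpectedServer" }
    if ($c.WUServer -notlike 'https://*') {
        # Over plain HTTP the update metadata is unauthenticated on the wire
        $problems += 'WUServer is not https://: update metadata can be tampered with in transit'
    }
    if ($c.AUOptions -ne 4)              { $problems += "AUOptions is '$($c.AUOptions)', expected 4" }
    if ($c.ScheduledInstallDay -ne 0)    { $problems += 'ScheduledInstallDay is not 0 (every day)' }
    if ($c.ScheduledInstallTime -ne 20)  { $problems += 'ScheduledInstallTime is not 20 (20:00)' }
    if ($c.TargetGroupEnabled -ne 1)     { $problems += 'client-side targeting is not enabled' }
    return $problems
}

Get-WsusClientConfig
Test-WsusClientConfig
```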

Page 32: Active Directory Group Policies

Group Policy Example – TestNav (Online TAKS Testing)

- Set IE to use the proctor cache as its proxy, disable any A/V services (optional), open firewall ports (if needed)
- User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection: Proxy Settings

Page 33: Active Directory Group Policies

Custom Group Policy Templates: ADM Files

- Use Notepad to edit/create them
- Use examples or the web to help create them
- www.ntatd.org/clay, bottom of the page: Group Policy Template for Favorites Folder, and Group Policy Template for several hacks

Page 34: Active Directory Group Policies

Custom Group Policy Templates

- Right-click Administrative Templates to import ADM files
- Highlight Administrative Templates, View -> Filtering -> clear "Only show policy settings that can be fully managed"
- Those hidden settings are "tattooed" policies: they write outside the Policies registry keys, so the value stays in the registry after the GPO is unlinked and has to be reversed with another setting rather than by removing the policy
- Repeat for each GPO (where the ADM is needed) and for both User and Computer Configurations

Page 35: Active Directory Group Policies

Custom Group Policy Templates: examples

- Turn off the "Remove Wallpaper" setting in UltraVNC
- Disable MSN Messenger
- Disable pop-up balloons on the start bar (such as "Clean up your desktop")
- Set the IE start page
- Set the default mail icon and default browser on the XP Start Menu
- Redirect the Favorites folder
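An added example (not from the presentation, and not the presenter's templates from ntatd.org) of a minimal ADM file of the kind described above, written out by a script that then classifies each KEYNAME as fully managed or tattooing. The template text, the Messenger policy value and the output path are assumptions; the rule the classifier applies is the one Group Policy itself uses: only keys under Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies are cleaned up when a policy no longer applies.

```powershell
# Added example (not from the presentation): a small ADM template plus a
# check for which of its settings will tattoo the registry.
# Template contents and output path are assumptions.

$AdmText = @'
CLASS USER

CATEGORY !!BisdCustom
    POLICY !!IEStartPage
        ; Not under a Policies key: tattooed, stays in the registry when the GPO is unlinked.
        KEYNAME "Software\Microsoft\Internet Explorer\Main"
        EXPLAIN !!IEStartPage_Explain
        PART !!IEStartPage_Url EDITTEXT
            VALUENAME "Start Page"
        END PART
    END POLICY

    POLICY !!NoMessenger
        ; Under Software\Policies: fully managed, removed when the policy no longer applies.
        KEYNAME "Software\Policies\Microsoft\Messenger\Client"
        EXPLAIN !!NoMessenger_Explain
        VALUENAME "PreventRun"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
BisdCustom="BISD Custom Settings"
IEStartPage="Set IE Start Page"
IEStartPage_Explain="Sets the Internet Explorer home page for the user."
IEStartPage_Url="Start page URL:"
NoMessenger="Disable MSN Messenger"
NoMessenger_Explain="Prevents Windows/MSN Messenger from running."
'@

function Get-AdmKeyClassification {
    # Parses KEYNAME lines from an ADM file and reports which settings tattoo the registry.
    param([Parameter(Mandatory)] [string] $Path)
    $managedRoots = @(
        'Software\Policies\',
        'Software\Microsoft\Windows\CurrentVersion\Policies\'
    )
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*KEYNAME\s+"([^"]+)"') {
            $key = $Matches[1]
            $managed = $false
            foreach ($root in $managedRoots) {
                if ($key -like "$root*") { $managed = $true }
            }
            [pscustomobject]@{ KeyName = $key; Managed = $managed; Tattoos = -not $managed }
        }
    }
}

$admPath = Join-Path $env:TEMP 'bisd-custom.adm'   # assumed output location
Set-Content -Path $admPath -Value $AdmText -Encoding ASCII
Get-AdmKeyClassification -Path $admPath | Format-Table -AutoSize
```

Import the generated .adm through the right-click on Administrative Templates; the IE start page entry will only appear after the "fully managed" filter is cleared, which is the classifier's Tattoos = True row.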

Page 36: Active Directory Group Policies

Presented by:

Clay Walker, Bridgeport ISD

[email protected]

Notes and other information can be found at:

http://www.ntatd.org/clay