More GPO’s, GPP & PowerShell Chapter 7

Post on 20-Dec-2015

Agenda

• Group Policies (the day after)
• Group Policy Preferences
• PowerShell

Group Policies (the day after)

• How can we keep track of what we have done or changed?

• We can name the policy appropriately based on function or grouping of settings
  – Interactive_Logon_Policy
  – Internet_Explorer_Policy

• The GPMC allows us to make comments regarding a particular policy.

Group Policies (the day after)

• What should we comment on?
  – Who’s in charge of the GPO
  – Who to call if there is a problem?
  – Who is supposed to be affected by this GPO?
  – Detailed information about what this GPO should do
  – Who will get fired if this doesn’t work

Group Policies (the day after)

• Comments…
• GPMC → Select Policy → Edit → Right click on Policy name (see below) → Properties

Group Policies (the day after)

• Controlling how GPOs run
  – Disable local GPOs from applying
    • Computer Configuration → Policies → Admin Templates → System → Group Policy

Group Policies (the day after)

• Controlling how GPOs run
  – Disable Link Enabled Status
  – Disable “half” of a Group Policy
    • Will speed up processing (not very noticeable)

Group Policies (the day after)

• Controlling how GPOs run
  – The Enforced Function
    • Guarantees that policy settings within a GPO from a higher level are always inherited by lower levels
    • Right click on Policy and choose Enforce
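
The items from the slides above (missing comments, a disabled “half”, link status and Enforced) can be reported from PowerShell. This is an added example, not part of the original slides; it assumes the GroupPolicy and ActiveDirectory modules (RSAT), PowerShell 3.0 or later, and read access to the domain's GPOs, and the variable and column names are chosen here for illustration.

```powershell
# Added example (not from the slides). Assumes the RSAT GroupPolicy and
# ActiveDirectory modules, PowerShell 3.0+, and read access to domain GPOs.
Import-Module GroupPolicy, ActiveDirectory

# Per-GPO view: is there a comment, and is a "half" (or the whole GPO) disabled?
$gpoReport = Get-GPO -All | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.DisplayName
        Owner      = $_.Owner
        Modified   = $_.ModificationTime
        HasComment = -not [string]::IsNullOrWhiteSpace($_.Description)
        Status     = $_.GpoStatus  # AllSettingsEnabled, UserSettingsDisabled,
                                   # ComputerSettingsDisabled, AllSettingsDisabled
    }
}

# Per-link view for the domain root and every OU (Get-GPInheritance does not
# cover site links): link enabled, Enforced, and whether the container blocks
# inheritance, which an Enforced link overrides.
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })

$linkReport = foreach ($target in $targets) {
    $som = Get-GPInheritance -Target $target
    foreach ($link in $som.GpoLinks) {
        [pscustomobject]@{
            Target             = $target
            Gpo                = $link.DisplayName
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            InheritanceBlocked = $som.GpoInheritanceBlocked
        }
    }
}

# Undocumented or partly disabled GPOs.
$gpoReport |
    Where-Object { -not $_.HasComment -or $_.Status -ne 'AllSettingsEnabled' } |
    Sort-Object Name | Format-Table -AutoSize

# Links that change normal processing: disabled, Enforced, or under a block.
$linkReport |
    Where-Object { -not $_.LinkEnabled -or $_.Enforced -or $_.InheritanceBlocked } |
    Sort-Object Target, Gpo | Format-Table -AutoSize
```

Both reports are read-only; running them on a schedule and comparing the output over time is one way to keep track of what has been changed.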

Group Policy Preferences

• Group Policy Preferences (GPP) are essentially an extension DLL (dynamic link library) that does a bunch of stuff.

• Can be “undone” by the user

Group Policy Preferences

Computer Configuration → Preferences → Windows Settings
• Environment:
  – Set user and system environment variables
  – Change the Windows system path variable
• Files
  – Copy files from point A to point B
    • Server share to %Documents% on the local system
• Folders
  – Create, delete or empty folders

Group Policy Preferences

• Network Shares
  – Create shares on workstations or servers
• Shortcuts
  – Place program or URL on desktops, startup folder, Programs folders, etc.

Group Policy Preferences

Computer/User Configuration → Preferences → Control Panel

Group Policy Preferences

Common Control Panel Settings
• Local users and groups
  – Create/change local users
  – Modify local user passwords
  – Change local user group membership
• Power Options
  – Create power options for XP
  – Create power plans for Vista and later

Group Policy Preferences

• Printers
  – Computer → Local/IP
  – User → Local/IP/Shared

PowerShell

• Microsoft® shell environment
• Gives administrators more power and command in the shell environment
  – Hence…PowerShell?
• Active Directory Module for Windows® PowerShell allows for Active Directory specific command-line and scripted operations
• Only available in Windows® Server R2 and Windows® 7

PowerShell

• First, we need to understand naming formats
  – Distinguished name → cn=John Doe, OU=Sale_OU, DC=MS1, DC=local
  – RDN → Relative Distinguished Name
    • CN → Common Name
    • DC → Domain Component
    • OU → Organizational Unit
  – Fully Qualified Domain Name (FQDN)
    • SVBlue1.ms1.local

PowerShell

• Growing resources daily
  – http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx
  – http://gallery.technet.microsoft.com/ScriptCenter/en-us/
  – http://technet.microsoft.com/en-us/library/dd378937(WS.10).aspx

PowerShell

• Creating an Active Directory user account:
  – New-ADUser
• How do I use it? Get HELP! No seriously, Get-Help
  – Get-Help New-ADUser
  – Get-Help New-ADUser -Examples
  – Get-Help New-ADUser -Detailed
• New-ADUser jdoe
• New-ADUser "John Doe" -SamAccountName "jdoe" -GivenName "John" -Surname ……..

PowerShell

• Setting Passwords
  – Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
• Change attributes for multiple users
  – Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Sale_OU,DC=MS1,DC=Local" | Set-ADUser -Description "Member of the Sales Department"

PowerShell

• Display user attributes
  – Get-ADUser jdoe
  – Get-ADUser jdoe -Properties * | more
• Add groups and members
  – Add-ADGroupMember "Sale_Group"
  – Add-ADGroupMember "Sale_Group" -Members jdoe
• A great deal more online

Summary

• You can add comments to help document GPOs

• Enforced Function overrules blocking of inheritance

• You can disable “half” of a GPO
• GPPs can be undone by the users
• Active Directory Module for Windows® PowerShell allows for command-line and scripted operations