mcsa guide to installing and configuring windows server 2012/r2, exam 70-410 chapter 8 configuring...

MCSA Guide to Installing and Configuring Windows Server

2012/R2, Exam 70-410

Chapter 8Configuring Group Policies

MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410

2© Cengage Learning 2015

Objectives

• Describe the architecture and processing of group policies

• Configure group policy settings, and manage and monitor group policies

• Work with security templates• Configure Windows Firewall with Group Policy


Introducing Group Policies

• A Group Policy Object (GPO) is a list of settings that administrators use to configure user and computer operating environments remotely

• The GPO scope defines which objects a GPO affects

• Installing Active Directory creates two GPO’s by default:– Default Domain Policy– Default Domain Controllers Policy



Introducing Group Policies

• You can view, create, and manage GPO’s by using the Group Policy Management console (GPMC)

• Each GPO has two main nodes in GPMC:– Computer Configuration - Used to set policies that

apply to computers within the GPO’s scope– User Configuration - Used to set policies that apply

to all users within the GPO’s scope• Each node contains a Policies folder and

Preferences folder




Figure 6-31 The Group Policy Management console


The Computer Configuration Node

• Three folders under the Policies folder contain the following information:– Software Settings - enables Administrators to install

and manage applications remotely– Windows Settings - contains Name Resolution Policy

node, Scripts extension, Security Settings node, and the Policy-based QoS node

– Administrative Templates - contains the Control Panel, Network, Printers, System, and Windows Components folders.



The User Configuration Node

• Policies folder contains the same three folders as in the Computer Configuration node, but policies defined here affect domain users within the GPO’s scope:– Software Settings - can assign or publish application

packages– Windows Settings – Contains four items:

• Scripts extension• Security Settings node• Folder Redirection node• Policy based QoS node

– Administrative templates - contains settings that enable administrators to control users’ computer and network environments



How Group Policies Are Applied

• GPO’s can be applied in four places:– Local Computer– Site– Domain– Organizational Unit

• Policies are applied in the above order– Policies that are not defined or configured are not

applied at all– Last policy to be defined takes precedence




Group Policy Architecture

• Group policy architecture and function involve the following components:– GPOs - an object containing policy settings that

affect user and computer operating environments and security. Can be local or AD objects

– Replication - ensures that all domain controllers have a current copy of each GPO

– Scope and inheritance - the scope of a group policy defines which users and computers are affected by its settings

– Creating and linking - GPOs are created in the Group Policy management console and can be linked to one or more AD containers


Group Policy Objects

• A GPO contains policy settings for managing many aspects of domain controllers, member servers, member computers, and users

• Two main types of GPOs:– Local GPOs– Domain GPOs



Local GPOs

• Local GPOs are stored on local computers, and are edited via the Group Policy Object Editor snap-in

• Settings in local GPOs that are inherited from domain GPOs can’t be changed on the local computer.

• Only settings that are undefined or not configured by domain GPOs can be edited locally

• When you run gpedit.msc, you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes



Local GPOs

• Local GPOs that allow different policy settings depending on who logs on to the computer:– Local Administrators GPO– Local Non-Administrators GPO– User-specific GPO

• To access these GPOs, add the Group Policy Object Editor snap-in to an MMC– Browse to open the dialog box, click the Users tab,

and select one of the GPOs




Figure 8-2 Viewing local GPOs


Domain GPOs

• Domain GPOs are stored in Active Directory on domain controllers

• Consists of two separate parts: a Group Policy Template (GPT) and a Group Policy Container (GPC)

• GPT and GPC have the following common traits:– Naming structure– Folder structure

• Knowing GPO structure is important for resolving issues



Group Policy Templates

• A Group Policy Template (GPT) contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller

• Upon creation of a GPO, several files and subfolders are created (exact number may vary) but each GPT folder will contain at least three items:– GPT.ini– Machine– User



Group Policy Containers• A Group Policy Container (GPC) is stored in the

System\Policies folder• Contains GPO properties and status information

but no policy settings• Similar to GPT in that it uses a GPO’s GUID for a

folder name• Information contained in a GPC:

– Name of the GPO– File path to GPT– Version– Status




Figure 8-4 Viewing GPC attributes


Group Policy Replication

• GPCs are replicated with Active Directory• GPTs are replicated by one of the following

methods:– File Replication Service (FRS) - used when running

in a mixed environment of differing Windows Server operating systems

– Distributed File System Replication (DFSR) - used when all DCs are running Windows Server 2008

• DFSR is more efficient and reliable• GPC and GPT can become out of sync• Replication problems can be diagnosed with gpotool.exe



Creating and Linking GPOs

• Primary tools for managing, creating, and editing GPOs are Group Policy Management Console (GPMC) and Group Policy Management Editor (GPME)

• If editing a GPO that is already linked to a container, changes in policy settings take effect as soon as clients download them– There’s no Save option in the GPME; changes are

saved immediately• Before introducing multiple policy changes at once,

test them individuallyMCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410


Editing an Existing GPO

• To edit, right click the GPO in GPMC and click Edit, which will open the GPO in GPME

• It is possible to make changes to the default Domain Policy, but not advisable

• Recommended method for making changes to domain policies is creating a new GPO and linking it to the domain

• GPOs are applied to objects in reverse of the specified link order




Figure 8-8 Multiple GPOs linked to a container


Creating a New GPO

• Two ways to create a new GPO with the GPMC:– Right click the container you’re linking the GPO to

and select “Create a GPO in this domain, and Link it here”

– Right click the Group Policy Objects folder and click New

• Best practice is to create GPOs that focus on a category of settings, then name the GPO accordingly



Using Starter GPOs

• A Starter GPO is a template for creating GPO’s (not a GPT)

• New GPO wizard includes an option to use a Starter GPO

• Stored in the Starter GPOs folder in GPMC• To use a Starter GPO, select one in the Source

Starter GPO list box in the New GPO Wizard, or right click a starter GPO in the starter GPOs folder and click New GPO from Starter GPO

• To create a Starter GPO, right click the Starter GPOs folder and click New



Group Policy Scope• The scope of a group policy defines which objects in

AD are affected by settings in the policy• If two GPOs are applied to an object, and a setting is

configured on one GPO but not the other, the configured setting is applied

• Policies are applied in this order:– 1. Local policies– 2. Site-linked GPOs– 3. Domain-linked GPOs– 4. OU-linked GPOs

• The last policy applied takes precedence over policies applied earlier



Understanding Site-Linked GPOs

• GPOs linked to a site object affect all users and computers physically located at the site

• Can be used to set up different policies for mobile users

• In a singular site and domain environment, it is better to use domain GPOs

• Site GPOs can be confusing for users if policy changes are drastic enough between sites



Understanding Domain-Linked GPO

• GPOs at the domain level should contain settings that apply to all objects in the domain

• Account policies can be defined only at the domain level

• Active Directory folders, such as Computers and Users, are not OUs and can’t have a GPO linked to them

• Best practices suggest setting account policies and a few critical security policies at the domain level



Understanding OU-Linked GPOs

• Fine-tuning of group policies should be done at the OU level

• OU-linked policies are applied last– They take precedence over site and domain policies

• Users and computers with similar policy requirements should be located in the same OU

• Since OUs can be nested, so can GPOs• GPOs applied to nested OUs should be used for

exceptions to policies set at a higher level



Changing Default GPO Inheritance Behavior

• GPO inheritance is enabled by default• To see where policies are inherited from, select a

container in the left pane of GPMC and click the group policy inheritance tab in the right pane

• There are several ways to affect GPO inheritance:– Blocking inheritance– Enforcing inheritance– GPO filtering



Blocking GPO Inheritance

• Prevents GPOs linked to parent containers from affecting child containers

• To block GPO inheritance, in GPMC, right click the child domain or OU and click Block Inheritance

• If blocking is enabled, the OU or domain object is displayed with a blue exclamation point

• Inheritance blocking should be used sparingly– Frequent blocking implies a possible flawed OU

design



Enforcing GPO Inheritance

• Forcing GPO Inheritance overrides any conflicting configurations at a deeper level– A GPO that’s enforced has the strongest

precedence of all GPOs in its scope• If multiple GPOs are enforced, the GPO at the

highest level is enforced in a conflict• Example: If a GPO linked to an OU and a GPO

linked to a domain are both set to be enforced, the GPO linked to the domain has stronger precedence




Figure 8-11 The Active Directory Structure for GPO inheritance examples


GPO Filtering• GPO filtering - a method to alter the normal scope

of a GPO and exclude certain objects from being affected by its settings

• Two types of GPO filtering:– Security filtering– Windows Management Instrumentation (WMI)

filtering• Security filtering uses permissions to restrict

objects from accessing a GPO• Use the Security Filtering dialog box in the GPMC

to add or remove security principals from the GPO access list




Figure 8-12 Viewing security filtering settings


GPO Filtering

• Another way to use security filtering is to edit the GPO’s DACL directly– In the GPMC, click the GPO in the Group Policy

Objects folder, and click the Delegation tab in the right pane to see a complete list of ACEs for the GPO

• WMI filtering uses queries to select a group of computers based on certain attributes, and then applies or doesn’t apply policies based on the query’s results



Group Policy Settings• Settings in Computer Configuration take

precedence over settings in User Configuration, should there be a conflict

• Three folders under the Policies folder:– Software Settings– Windows Settings– Administrative Templates

• Policy settings can be managed or unmanaged– Managed policies reset to ‘Not configured’ when

the object falls outside of the policy’s scope– Unmanaged policies are persistent



Policies in the Computer Configuration Node

• The Computer Configuration node applies policies to computers regardless of who logs on to the computer

• Contains most of the security related settings in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes

• Computer configuration policies are uploaded to a computer when the OS starts and are updated every 90 minutes thereafter

• Some policy changes may require a restart



Computer Configuration: Software Settings

• Contains the Software Installation extension, which can be configured to install software packages remotely

• Applications are deployed with the Windows Installer service, which uses MSI files– An MSI file is a collection of files packaged into a

single file with an .msi extension– Contains the instructions Windows Installer needs to

install the application correctly



Computer Configuration: Windows Settings

• The Windows Settings folder contains four subnodes:– Name Resolution Policy - used to deploy DNS

security (DNSSEC) policies to clients– Scripts (Startup/Shutdown) - allows the creation of

scripts to be run during startup or shutdown– Security Settings - contains subnodes for setting

security policies– Policy-based QoS - enables administrators to

manage the use of network bandwidth and prioritize network packets based on type of data in the packet



Security Settings

• There are over 100 policies under Security Settings– Some of the most important are under Account

Policies and Local Policies• Many of the important policies are covered in the

following sections



Local Policies: Audit Policy

• Applies to what users can and can’t do on the local computer to which they log on

• Administrators can audit events such as logon and logoff, file and folder access, Active Directory access, and system and process events– Can be enabled for successful events, failed events,

or both• Creates a lot of system overhead so it should be

used sparingly • Events created by auditing are listed in the Security

log



Auditing Object Access

• There are two steps for auditing objects:– Enable the “Audit object access” policy for success,

failure, or both– Enable auditing on target objects for success, failure,

or both• After object access is enabled in Group Policy, you

need to enable auditing on the target object– Do this by changing the system access control list

(SACL) for the object in the Auditing tab of the Advanced Security Settings dialog box for the object




Figure 8-15 The Auditing tab for a folder


Changing Default Auditing

• Windows Server 2012/R2 logs successful logon events and certain other events by default

• You must use the auditpol.exe command-line tool to have more control over the types of events that are audited

• To clear all audit policy subcategories so that auditing is controlled only by Group Policy, type:– auditpol /clear



Local Policies: User Rights Assignment

• User rights define the actions users can take on a computer

• More than 40 user rights polices can be assigned• The Default Domain Controllers Policy specifies

User Rights Assignment policies that define actions users can take on domain controllers



Local Policies: Security Options

• This subnode includes almost 100 settings• One category of security policies to configure right

away is User Account Control– Determine what happens on a computer when a

user attempts to perform an action that requires elevation

– Elevation - a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials



Local Policies: Security Options• Additional settings that are commonly configured:

– Accounts: Administrator account status– Accounts: Guest account status– Accounts: Limit local account use of blank

passwords to console logon only– Accounts: Rename administrator account– Accounts: Rename guest account– Interactive logon: Do not display last user name– Interactive logon: Do not require CTRL+ALT+DEL– Microsoft network server: Disconnect clients when

logon hours expire



Computer Configuration: Administrative Templates

• Administrative Templates folder has the following subnodes:– Control Panel– Network– Printers– Server– Start Menu and Taskbar– System– Windows Components



Policies in the User Configuration Node

• Policies set under the User Configuration node follow a user wherever he or she logs on

• User Configuration node lacks most of the security settings and account policies than Computer Configuration node

• Policies under User Configuration node are more focused on the user’s environment, such as Windows features that can and can’t be accessed



User Configuration: Software Settings

• Performs the same function as in Computer Configuration

• Because it’s defined in the User Configuration node of a GPO, it affects users in the scope of the GPO no matter where they log on



User Configuration: Windows Settings

• Windows Settings contains four subnodes:– Scripts (Logon/Logoff) - identical to Scripts policy,

except scripts specified here are run only by users in the GPO’s scope

– Security Settings - contains two folders: Public Key Policies and Software Restriction Policies

– Folder Redirection - controls which folders in a user’s profile are redirected to a location outside the user’s profile folder

– Policy-based QoS - the same function as in the Computer Configuration node but applied to users



User Configuration: Administrative Templates

• Affects the HKEY_CURRENT_USER section of the computer’s Registry

• Very similar to the Administrative Templates in the Computer Configuration node

• Contain the Control Panel, Network, Start Menu and Taskbar, System, and Windows Components subnodes as well as the following subnodes:– Desktop– Shared Folders



Managing GPO Status and Link Status

• After a GPO is created, it can be in one of the following states:– Link status: unlinked– Link status: enabled– Link status: disabled– GPO status: Enabled– GPO status: User Configuration Settings Disabled– GPO status: Computer Configuration Settings

Disabled– GPO status: All Settings Disabled




Summary• Group policy architecture and function involves three

components: GPOs, replication, scope and inheritance, and creating and linking GPOs

• GPO replication is handled by Active Directory replication for GPCs and by FRS or DFSR for GPTs

• You use the Group Policy Management console to create, link, and manage GPOs and the Group Policy Management Editor to edit GPOs

• Starter GPOs are like template files for GPOs• GPOs can be linked to sites, domains, and OUs• Default GPO inheritance can be changed by using

inheritance blocking, enforcement, and GPO filtering



Summary• The Computer Configuration and User Configuration

nodes contain three subnodes: Software Settings, Windows Settings, and Administrative Templates

• The Security Settings node in Computer Configuration contains the Account Policies subnode with settings that affect all domain users

• The Local Policies subnode in the Security Settings node contains Audit Policy, User Rights Assignment, and Security Options

• Administrative Templates can control hundreds of settings on computers and for users



Summary• Security templates are used to transfer security settings

easily from one GPO or computer to another and can be used to analyze a computer’s current settings against a security database created from one or more security templates

• The ADMX central store can be created to ensure that ADMX files are synchronized among all computers where group policies are managed

mcsa guide to installing and configuring windows server 2012/r2, exam 70-410 chapter 8 configuring...

Documents

group policy settings

processing of group

windows server 2012r2

resolution policy node

group policy object

cengage learning

order policies

monitor group policies