Section 3: Designing a Group Policy Infrastructure Overview of Active Directory Introducing the Design Stages for Implementing Group Policy Planning Your Group Policy Design Designing Your Group Policy Solution Deploying Your Group Policy Solution Managing Your Group Policy Solution Managing Windows Environments with Group Policy

Upload: sophie-ross

Post on 28-Dec-2015


Section 3: Designing a Group Policy Infrastructure

Overview of Active Directory

Introducing the Design Stages for Implementing Group Policy

Planning Your Group Policy Design

Designing Your Group Policy Solution

Deploying Your Group Policy Solution

Managing Your Group Policy Solution

Managing Windows Environments with Group Policy


© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:

Describe the basic structure of Active Directory

Describe the four stages of implementing Group Policy

Explain how to plan your Group Policy in accordance with company requirements

Describe the guidelines that you should follow when you create new GPOs

Explain how to deploy Group Policy based on the Active Directory structure

Explain how to manage Group Policy by delegating administration and setting permissions

Overview of Active Directory

Active Directory is used to store objects, authenticate users, and implement policies. Active Directory concepts include:

Active Directory Objects

Active Directory Architecture

Naming Standards

Users and Groups

Organizational Units

Active Directory Objects

Users, Groups, Computers, Contacts, Printers, Shared folders

Active Directory Architecture

Site, Global Catalog, Forest, Tree, Domain, Domain controller, OU

[Diagram: a forest of two trees and four domains (hq.local, atl.hq.local, widget.com, na.widget.com), with domain controllers (one of them a Global Catalog) in the Southeast and Northeast sites; the example object is cn=JaneD in ou=Sales.]

Naming Standards

DNS

LDAP

X.500

Active Directory naming architecture

cn=JaneD

cn=janed,ou=sales,dc=atl,dc=hq,dc=local

Users and Groups

Local User Accounts: Exist on the local computer only

Domain User Accounts: Can be used by any domain member; support a single sign-on environment

Group Types: Security, Distribution

Group Scopes: Domain local, Global, Universal

Organizational Units

OUs and Groups

Creating an OU Structure

OUs and Groups

OUs

OUs are used to store collections of accounts.

Accounts can be stored in only one OU at a time.

OUs can be used to apply Group Policy.

Groups

Groups are used for permissions and delegation.

Users in a group receive the permissions of the group.

A user can be in multiple groups.

Users are members of groups for access control purposes.

Creating an OU Structure

Geographic: North America, South America, Europe, Asia

Functional: Admins, Help Desk, Managers, Users

Departmental: Sales, Marketing, Engineering, Accounting

Introducing the Design Stages for Implementing Group Policy

The four major stages in a successful Group Policy implementation

Planning, Designing, Deploying, Managing

Planning Your Group Policy Design

Policy Survey

Policy Objectives

Policy Components

Policy Survey

Analyze user requirements

Inventory the IT roles in the company

Examine existing security policies

What level of security is required for servers?

What level of security is desired for: Network clients

Public computers

How is software distributed?

How are updates distributed?

Where is the essential data stored?

Who currently has management authority?

Policy Objectives

Evaluate corporate practices

Can Group Policy mirror existing user practices?

Discuss security concerns

Some policy objectives may not work for every company

Users that resist policy acceptance will try to circumvent restrictions

Policy Components

Computer security

Software deployment

Logon scripts

Folder redirection

Administrative Template settings

Preference settings

Designing Your Group Policy Solution

Group Policy Solution Components

Designing Your Group Policy Model

Delegating GPO Responsibilities

Creating new GPOs

Sites and GPOs

Group Policy Solution Components

Networking

DNS Services

Time Synchronization

Administration

Client Interoperability


Designing Your Group Policy Model

GPO links

Security filtering

Number of Group Policy objects

Scope of Group Policy

Applicability of Group Policy settings

Non-applicability of Group Policy settings

Roles and locations of users and computers

Desktop configurations

User requirements for various types of users

Delegating GPO Responsibilities

Assign subordinate administrators the ability to create and link policies for select OUs

Avoid having too many administrators with responsibility for the same GPOs

Creating New GPOs

Gradually implement restrictive policies

Avoid configuring restrictive policies at the domain root

Configure more granular GPOs on a per-OU basis

Sites and GPOs

Geographical location of your Active Directory sites

Physical location of each domain controller determines its site location

Speed of the FRS

Intersite and intrasite replication

[Diagram: a DC in the Northeast site]

Deploying Your Group Policy Solution

Applying Group Policy Changes

Linking GPOs to the Domain

Designing an OU Structure for Group Policy

Applying Group Policy to New Users and Computers

Applying Group Policy Changes

The primary mechanisms for refreshing Group Policy are startup and logon.

Group Policy is also refreshed on a regular basis.

The policy refresh interval in force affects how quickly changes to Group Policy objects are applied.

Folder redirection and the assignment of software applications require the user to log off and log on again before they take effect.

Software applications assigned to computers are installed only when the computer is restarted.

Linking GPOs to the Domain

Linking GPOs to the domain applies equally to all users and computers in the domain.

All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO.

The term “linked” defines where the GPO was created or where the GPO settings are to apply.


Designing an OU Structure that Supports Group Policy

You can move users and computers into and out of OUs within a single domain.

If necessary, you can rearrange OUs within the single domain.

Groups of users with common requirements can be easily moved and contained.

Users and computers can be organized based on which administrators manage them.


Applying Group Policy to New User and Computer Accounts

In Active Directory, the Users and Computers containers cannot have policies assigned to them.

redircmp.exe and redirusr.exe change the default location for new account objects.

Redirect new users and computers to OUs that policies can affect.
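The redirection described on this slide, as an added example that is not part of the course material. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and two hypothetical staging OUs named "New Computers" and "New Users" directly under the domain root.

```powershell
# Added example, not from the course material. Requires the ActiveDirectory
# (RSAT) module and Domain Admin rights on a host where redircmp.exe and
# redirusr.exe are installed.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Hypothetical staging OUs; replace the names with OUs from your own design.
$targets = @(
    @{ Name = 'New Computers'; Tool = 'redircmp.exe' },
    @{ Name = 'New Users';     Tool = 'redirusr.exe' }
)

# 1. Record where new accounts land today. A value that starts with "CN="
#    is a built-in container, which cannot have a GPO linked to it.
"Before: computers -> $($domain.ComputersContainer)"
"Before: users     -> $($domain.UsersContainer)"

foreach ($t in $targets) {
    $ouDN = "OU=$($t.Name),$domainDN"

    # 2. Create the target OU if it does not exist yet.
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $t.Name -Path $domainDN
    }

    # 3. Point the domain's default location at the OU.
    & $t.Tool $ouDN
}

# 4. Verify by re-reading the domain object rather than trusting tool output.
$after = Get-ADDomain
"After:  computers -> $($after.ComputersContainer)"
"After:  users     -> $($after.UsersContainer)"

# 5. Redirection only affects accounts created from now on. List computer
#    accounts still sitting in the built-in container so they can be moved
#    to an OU that your GPOs are linked to.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```

Link a baseline GPO to the staging OUs before redirecting, so that a newly joined machine receives policy from its first refresh.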


Managing Your Group Policy Solution

Delegating the Administration of Group Policy

Specifying a Domain Controller for Editing GPOs

Rolling Back Domain GPOs

Starter GPOs

Adding Comments to a GPO

Using the AGPM

Delegating the Administration of Group Policy

Default Rights for Group Policy Management

Group Policy Creator Owners Group

GPO Delegation

Manually Assigning Permissions

Default Rights for Group Policy Management

When a Windows Domain is installed, default permissions are assigned to specific administrative groups for creating, deleting, and linking GPOs.

Enterprise Administrators can create, delete, link, or unlink GPOs anywhere in the forest.

Delegate limited control to other administrators to assist in GPO management.

Groups Assigned GPO Rights

Windows Group: Rights Granted

Enterprise Admin: Create, delete, edit, and link GPOs in all forest containers (sites, domains, and OUs).

Domain Admins: Create, delete, edit, and link GPOs in the domain and all OUs hosted by the domain, but not in sites.

Groups Assigned GPO Rights (cont.)

Windows Group: Rights Granted

Group Policy Creator Owners: Create GPOs in the domain to which the group belongs. Users who are members of this group can edit any GPOs that they create; however, other members of the group cannot. Deleting GPOs is not allowed. Linking to a site, domain, or OU is also not allowed.

Local Admins: Create GPOs in the domain to which the group belongs. A user that is a member of this group can edit and delete all GPOs that any other group member has created. Linking the GPO to the domain and any OUs hosted by the domain is also allowed.

Group Policy Creator Owners Group

Members of the GPCO group can link only to containers they have link rights to.

Being a member of the GPCO group gives the non-administrator full control of only those GPOs that the user creates.

GPCO members do not have permissions for GPOs that they do not create.

GPO Delegation

The right to link GPOs can be delegated separately from the right to create and edit GPOs.

Be sure to delegate these rights only to the groups you want to be able to create and link GPOs.

Creation of GPOs can be delegated to any group or user.


Manually Assigning Permissions

Permissions guidelines for creating and editing GPOs are:

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis.

By default, only domain administrators, enterprise administrators, Group Policy creator owners, and System can create new GPOs.

By default, domain administrators can edit all GPOs in the domain.

Rights for GPO Control

Rights: Control

Full control: Create, edit, view, and delete the GPO

Read: View the GPO in the Group Policy Console (Opening the GPO to edit is not allowed.)

Write: View and edit the GPO (Note: The read permissions must also be granted to even be able to view the GPO.)

Create all child objects: Create and edit GPOs (Deleting is not allowed.)

Delete all child objects: Delete a GPO
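One way to review the delegation covered on the preceding slides, as an added example that is not part of the course material. It assumes the GroupPolicy and ActiveDirectory RSAT modules and treats Domain Admins, Enterprise Admins and SYSTEM as the expected holders of edit rights; adjust that list to your own delegation model.

```powershell
# Added example, not from the course material: report every trustee that can
# change a GPO but is not one of the default administrative principals.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumption: these are the only principals expected to hold edit rights.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels reported by Get-GPPermission that allow changing a GPO.
# GpoCustom is included because a custom ACE may hide write access.
$writeLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $ace.Permission.ToString()

        # An empty name means the SID no longer resolves (deleted account);
        # show the raw SID so the stale entry can be cleaned up.
        $name = if ($ace.Trustee.Name) { $ace.Trustee.Name }
                else { $ace.Trustee.Sid.Value }

        if (($writeLevels -contains $level) -and ($expected -notcontains $name)) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Owner      = $gpo.Owner
                Trustee    = $name
                Type       = $ace.Trustee.SidType
                Permission = $level
            }
        }
    }
}

# Non-default editors, grouped per trustee: the "too many administrators
# responsible for the same GPOs" problem shows up here.
$findings | Sort-Object Trustee, GPO | Format-Table -AutoSize

# Who can create new GPOs through the Group Policy Creator Owners group.
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

The report covers rights on the GPOs themselves; the right to link a GPO is delegated on the site, domain or OU and has to be reviewed there.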


Specifying a Domain Controller for Editing GPOs

The choice of domain controllers is important for administrators to consider to avoid replication conflicts.

In each domain, the domain controller with the FSMO role of PDC emulator is used for all GPO operations in that domain. This includes all operations on the GPOs that are located in that domain.

Rolling Back Domain GPOs

The default Domain GPOs can be rolled back to their standard configuration using dcgpofix.exe if needed.

Starter GPOs

Quickly create a new GPO from the Starter GPO.

Several Starter GPOs are included by default.


Adding Comments to a GPO

When you enter a comment in the properties of the GPO, it is displayed in the GPMC on the Details tab.


Using the AGPM

Granular Administration

Robust delegation model

Role-based administration

Change request approval

Reduced Failure Risk

Offline editing of GPOs

Difference reporting and audit logging

Recovery of a deleted GPO

Repair of live GPOs

Change Management

Creation of GPO template libraries

Subscription to policy change e-mail notifications

Version tracking, history capture, and quick rollback of deployed changes

Note: Microsoft has not yet released an updated AGPM for Windows 8 and Windows Server 2012

Summary

The heart of Active Directory is a database with object types such as Users, Groups, Computers, Contacts, Printers, and Shared folders. Active Directory is made up of a collection of components (Site, Global Catalog, Forest, Tree, Domain, Domain Controller, and OU) that work at different levels of a hierarchy.


Summary (cont.)

The four stages of implementing Group Policy are:

Planning: During this stage, you will decide which components of Group Policy to deploy in your organization; start gathering information about your company and how it carries out its day-to-day business with an Active Directory network; design a Group Policy that manages entities such as: Computer security, Software deployment, etc.

Designing: During this stage, you will configure the physical components of the environment, lay out the Group Policy model, delegate management authority, create new GPOs, and design the interaction of GPOs with Active Directory sites.

Summary (cont.)

Deploying: During this stage, you will make the policy available to the users and computers that you want to affect with the settings.

Managing: During this stage, you will put mechanisms in place to manage group policies on an ongoing basis; delegate authority to subordinate administrators to manage certain aspects of Group Policy; specify a default domain controller for GPO editing; use tools such as Starter GPOs and the GPO to track and control Group Policy objects.


Summary (cont.)

To plan your Group Policy in accordance with your company requirements, do the following:

Ask your help desk, end users, management, and support staff the planning stage questions.

Determine which components of Group Policy to deploy.

Find out about the design and implementation of your Active Directory infrastructure.

Start gathering information about your company; how it carries out its day-to-day business with an Active Directory network.

If your company has several divisions, find out how the network infrastructure is managed.

Summary (cont.)

Base your Group Policy design on your physical and logical Active Directory deployment.

Ensure the plan manages the Group Policy entities such as computer security, folder redirection, roaming user profiles, etc.

Follow these guidelines when you create new GPOs:

Use the settings in your GPOs that you are already familiar with and use a domain GPO to deploy a company-wide GPO with minimal settings that are acceptable to everyone.

Summary (cont.)

Create more granular GPOs on a per-OU basis to affect smaller numbers of users and computers with their specific needs.

Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO; the name should include the settings applied and the date of creation and change.

You can link policies to the domain, site, or at the various levels of a nested OU structure.


Summary (cont.)

Decide the degree to which you should centralize or distribute administrative control of Group Policy. In a centralized administration model, the IT group provides services and sets standards for the entire company. In a distributed administration model, each business unit manages its own IT group. Based on the administrative model, determine which configuration management components should be handled at the site, domain, and OU levels.

You can manually assign permissions to a GPO from the Group Policy MMC.

Knowledge Check

1. What types of objects can you store in Active Directory?

Users, Groups, Computers, Contacts, Printers, and Shared Folders

Knowledge Check (cont.)

2. Briefly describe the Planning and Design stages of implementing Group Policy.

During the Planning stage:

Decide which components of Group Policy to deploy

Start gathering information about your company and how it carries out its day-to-day business with an Active Directory network

Design a Group Policy that manages entities (computer security, software deployment, etc.)

Knowledge Check (cont.)

2. Briefly describe the Planning and Design stages of implementing Group Policy.

During the Design stage:

Configure the physical components of the environment

Lay out the Group Policy model

Delegate management authority

Create new GPOs

Design the interaction of GPOs with Active Directory sites

Knowledge Check (cont.)

3. What should you do when you plan your Group Policy in accordance with your company requirements? (Choose all that apply.)

a. Ask the planning stage questions.

b. Find out about the design and implementation of your Active Directory infrastructure.

c. Base your Group Policy design on your physical and logical domain controller deployment.

d. Determine how your company carries out its day-to-day business with an Active Directory network.

Knowledge Check (cont.)

4. What should you include when you name a GPO?

The settings applied and the date of creation and change.

5. What can you link the policies to when you deploy your Group Policy solution?

You can link the policies to the domain, site, or at the various levels of a nested OU structure.

6. Name the two models you can use to delegate the administration of Group Policy.

Centralized administration model and distributed administration model