Group Policy Explained - RM

Group Policy Explained
Paul Semple
[email protected]
• “[Group Policy is] … the ability for the Administrator to state a wish about the state of their users' environment once, and then rely on the system to enforce that wish.”
Technical Seminars Spring 2010
©2010 RM
1
Group Policy Explained
• What is Group Policy?
• What is a Group Policy Object (GPO)?
• How do we (RM) manipulate GPOs?
• Inside a GPO
• Management and configuration of a GPO
• How GPOs are applied
• Caveat…
What is Group Policy?
• Rules that are applied to a machine every time the operating system starts up and a user logs in
• Group Policies can:
– Configure users' desktops
– Configure local security on computers
– Install applications
– Configure Internet Explorer settings
– Redirect special folders
What is a Group Policy Object (GPO)?
• Group Policy Objects (GPOs) are collections of Computer and/or User specific settings
• GPOs are designed as a way to globally modify user and computer settings through a controllable and manageable central interface
How do we (RM) manipulate GPOs?
• User and computer configuration in Community Connect is based on Group Policy
• Community Connect ships with ready-made GPOs
• Community Connect applies Group Policies to the Establishments OU
• This allows non-Community Connect machines to be integrated into your domain
Group Policy Administrative Tools
Group Policy Objects in more detail
• Use the Microsoft Group Policy Management Console (GPMC.MSC) to view GPO configuration and settings
Managing Group Policy Prior to the GPMC
Group Policy Management Console
• Think of the GPMC as a one-stop resource for managing your Group Policy needs
• http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
• (Only install on Windows® Server® 2003)
• The GPMC provides an overview of the content of a GPO
GPOs Under the Microscope
Inside a GPO
• Divisions of a GPO (GPEDIT):
– Computer Configuration
– User Configuration
– Administrative Templates – registry-based settings
– User Configuration settings modify HKEY_CURRENT_USER
– Computer Configuration settings modify HKEY_LOCAL_MACHINE
Policies are applied in a specific order
(Diagram: Community Connect GPOs linked at the Establishments OU)
• Remember the acronym LSDOU:
– Local
– Site
– Domain
– Organisational Unit
• GPOs are applied from the bottom up
• Last writer wins!
When is Group Policy Applied?
• Start-up and shutdown
• Logon and logoff
• Defined intervals
• Forced with GPUPDATE.exe
How Group Policy Affects Startup and Log On
• Computer Policies:
– The network starts.
– A list of GPOs is obtained for the computer.
– If no changes have been made to the list of GPOs, or to the GPOs themselves, then no processing will be done.
– Computer configuration settings are processed. No user interface is displayed while computer configuration settings are being processed.
– Start-up scripts run.
– The user presses Ctrl+Alt+Del to log on.
• User Policies:
– After the user is validated, their profile is loaded.
– A list of GPOs is obtained for the user.
– Again, if no changes have been made to the list of GPOs or to the GPOs themselves, then no processing will be done.
– User configuration settings are processed in the following order: local GPO, site GPOs, domain GPOs, and OU GPOs. No user interface is displayed while user policies are being processed.
– Logon scripts run.
– The operating system user interface set by Group Policy appears.
User Policies
• 4 standard CC4 User Types, each correlating to an AD GPO
Using Security Groups to Filter GPO Scope
• By default “Authenticated Users” have Read and Apply Group Policy rights.
• We (RM) refine this so that the appropriate GPOs are assigned to the appropriate users and computers
GPOs can be disabled
• Entirely (for troubleshooting)
• Partially (for performance): the Computer or User half of the GPO is disabled
GPO Components
Group Policy Containers
• GPOs consist of two objects: a Group Policy Container (GPC) and a Group Policy Template (GPT)
– GPCs are stored in Active Directory
– View them by enabling Advanced Features in AD Users and Computers, then browsing to System/Policies
GPO Components
Group Policy Templates
• Group Policy Templates hold the policy settings that are applied to stations and users
• GPTs are stored in the file system of your domain controllers in:
– the %SystemRoot%\SYSVOL\sysvol\<DomainName>\Policies directory
• Standard UserType:
– 8978D66E-EA13-4D17-A389-A93785F5DBC2
• Which folders get populated depends on the GPO they relate to:
– The ADM folder will be populated if the GPO is configured to specify custom registry settings
– The Machine folder contains settings for the Computer part of the GPO – Registry.pol (can also contain GptTmpl.inf – security settings)
– The User folder contains settings for the User part of the GPO – Registry.pol
• GPT.ini – records the GPO's version number
How can I look at the registry.pol file contents?
• The registry.pol file contains the current set of registry policy settings defined in the computer or user portion of a GPO
• You can use the regview.exe tool provided in the Windows 2003 Resource Kit Tools to view the contents of any registry.pol file
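Since regview.exe is a Resource Kit tool that may not be to hand, here is an added Python example (not RM's or Microsoft's code) that decodes a Registry.pol directly from a SYSVOL copy. It follows the documented layout (a "PReg" signature, version 1, then one [key;value;type;size;data] record per setting) and also flags which records sit under the policy keys defined later in this deck; anything else is a preference that will tattoo. The sample records are constructed.

```python
import struct
REG_SZ, REG_DWORD = 1, 4          # the two registry value types used by the constructed sample
POLICY_PREFIXES = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")
U16 = lambda s: s.encode("utf-16-le")   # brackets, separators and strings in the file are UTF-16LE

def is_policy_path(key: str) -> bool:
    """True if the key lives in a 'policy' area; anything else is a preference and will tattoo."""
    return key.lower().startswith(POLICY_PREFIXES)

def build_pol(entries) -> bytes:
    """Encode (key, value, type, data) tuples as a Registry.pol: 'PReg', version 1, then [key;value;type;size;data] records."""
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, vtype, data in entries:
        out += (U16("[") + U16(key) + b"\0\0" + U16(";") + U16(value) + b"\0\0" + U16(";")
                + struct.pack("<I", vtype) + U16(";") + struct.pack("<I", len(data)) + U16(";")
                + data + U16("]"))
    return out

def _wstr(buf: bytes, pos: int):
    """Read a null-terminated UTF-16LE string at pos; return (text, offset just past the null)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf: bytes):
    """Decode a Registry.pol into (key, value, type, decoded data, is_policy) tuples."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != U16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _wstr(buf, pos + 2)
        value, pos = _wstr(buf, pos + 2)                   # +2 skips the ';' after the key
        vtype = struct.unpack_from("<I", buf, pos + 2)[0]  # ';' then 4-byte type
        size = struct.unpack_from("<I", buf, pos + 8)[0]   # ';' then 4-byte size
        data = buf[pos + 14:pos + 14 + size]               # ';' then the data bytes
        pos += 16 + size                                   # ... and the closing ']'
        decoded = (struct.unpack("<I", data)[0] if vtype == REG_DWORD else
                   data.decode("utf-16-le").rstrip("\0") if vtype == REG_SZ else data)
        out.append((key, value, vtype, decoded, is_policy_path(key)))
    return out

SAMPLE_POL = build_pol([  # constructed sample records, not taken from any real GPO
    ("Software\\Policies\\Example\\Desktop", "LockScreenTimeout", REG_DWORD, struct.pack("<I", 600)),
    ("Software\\Policies\\Example\\Desktop", "Wallpaper", REG_SZ, U16("\\\\fs1\\share\\corp.bmp\0")),
    ("Software\\Example\\Tool", "HomePage", REG_SZ, U16("https://intranet.example\0")),  # a preference
])
```

Point parse_pol at the bytes of a real Machine\Registry.pol or User\Registry.pol to list exactly what a GPO pushes, without touching a station.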
What happens on the station?
• Client Side Extensions (CSEs) interpret GPOs and make the changes to the environment
• They are called by Winlogon at computer startup, user logon and at the Group Policy refresh interval
• CSEs are DLLs, each responsible for a specific policy area
What happens on the station?
Extension              DLL
Registry               Userenv.dll
Disk Quota             Dskquota.dll
Folder Redirection     Fdeploy.dll
Scripts                Gptext.dll
Software Installation  Appmgmts.dll
Security               Scecli.dll
IP Security            Gptext.dll
EFS Recovery           Scecli.dll
IE Maintenance         Iedkcs32.dll
• Slow link detection uses Internet Control Message Protocol (ICMP)
• Some policies are not applied if the link is considered slow (Folder Redirection / IE Maintenance)
• On boot:
– The client (Winlogon) uses LDAP to search for and build the list of GPOs to be evaluated for processing, using the GPLINK attribute of each container
– Each GPO is then searched for in AD to check whether the user or computer has permissions to process it
– The path to the GPT and the version are also evaluated
– The GPT.ini version number is checked
(Diagram: Container and GPC)
What happens on the station if a GPO changes?
• Stations keep a record of the version numbers of the GPOs they have processed:
– HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History (Computer Policies)
– HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\<SID of User> (User Policies)
• The GP version in the registry doesn't have to be smaller, it just has to be different
• The version reflects the number of changes in the GPT and GPC; the client checks they are in sync and, if not, initiates a policy refresh
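An added Python example, not from the seminar, of the version check described above. It assumes the documented packing of the GPO version number: a single DWORD whose low 16 bits count Computer-side changes and whose high 16 bits count User-side changes; the GPT.ini text and the History values are constructed.

```python
def parse_gpt_ini(text: str) -> int:
    """Return the Version value from the [General] section of a GPT.ini."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "general" and "=" in line:
            name, val = line.split("=", 1)
            if name.strip().lower() == "version":
                return int(val.strip())
    raise ValueError("GPT.ini has no Version entry")

def split_version(version: int):
    """One DWORD holds two counters: low 16 bits = Computer configuration, high 16 bits = User configuration."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF

def check_gpo_version(gpt_ini_text: str, gpc_version: int, history_computer: int, history_user: int):
    """Mirror the station's decision: each half is reprocessed when its counter differs (in either
    direction) from the value recorded under ...\\Group Policy\\History; a GPT/GPC mismatch means
    SYSVOL and AD have not yet replicated the same change."""
    gpt_version = parse_gpt_ini(gpt_ini_text)
    gpt_computer, gpt_user = split_version(gpt_version)
    return {
        "gpt_gpc_in_sync": gpt_version == gpc_version,
        "refresh_computer": gpt_computer != history_computer,
        "refresh_user": gpt_user != history_user,
    }

SAMPLE_GPT_INI = "[General]\r\nVersion=196610\r\n"   # constructed: User side 3, Computer side 2
```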
Which Policies have been applied?
• Watermarks
– HKLM\Software\Policies\Research Machines\Network Management\Computer Policies
– HKCU\Software\Policies\Research Machines\Network Management\User Policies
Speaking of SYSVOL… Group Policy Replication
• In a domain that contains more than one domain controller, Group Policy information propagates, or replicates, from one domain controller to another
ADM Templates
• Used to populate the Administrative Templates folder in Group Policy Editor
• D:\RMNetwork\RMManage\Type Manager\ADM
• Removal will not affect policies already defined
Policies and Preferences
• A “policy” is a registry setting that lives either under \Software\Policies or \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies in the registry (in HKLM for machine policy settings and HKCU for user policy settings).
• All other registry values are called preferences.
• Policies do not “tattoo”: they are removed when the GPO no longer applies, whereas preferences persist.
• 3rd-party apps are often not coded to take advantage of the “volatile” registry areas
• To use GPOs to control these apps, create a custom ADM file:
– http://support.microsoft.com/kb/225087
• To view ADM files which set “preferences”, remove the tick from “Only show policies which can be fully managed”
• Red for Preferences, Blue for Policies
What can't GPOs do… and what else can they do?
• GPOs cannot control applications that do not store their settings in the system registry
• GPOs can give us control over the desktop, Control Panel access, Start Menu and Taskbar, Windows components, and more…
• GPOs can enforce security
• GPOs can redirect My Documents
– Aids in backup
– Allows creation of a standard desktop for multiple users
Software Restrictions
• Allows you to control what programs can run on the computer
• File rules (also known as “hash” rules) – a cryptographic fingerprint of the file
• Path rules – allow or disallow all programs within a folder
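An added Python illustration (not from the seminar) of how the two rule types differ: a hash rule follows the file's content wherever it is copied, while a path rule follows the folder. A matching hash rule taking precedence over path rules, and the most specific path rule winning among path rules, reflects Software Restriction Policies' documented precedence; the file names, contents and rule sets are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample programs: path -> file bytes (stands in for reading the executable from disk).
FILES = {
    r"C:\Program Files\Corp\report.exe":    b"MZ..report build 1",
    r"C:\Users\alice\Downloads\report.exe": b"MZ..report build 1",      # same bytes, different folder
    r"C:\Users\alice\Downloads\game.exe":   b"MZ..unapproved program",
}

def file_hash(content: bytes) -> str:
    """The 'cryptographic fingerprint' a hash rule is keyed on (SHA-256 here)."""
    return hashlib.sha256(content).hexdigest()

# Rule sets: hash rules follow the content, path rules follow the location.
HASH_RULES = {file_hash(FILES[r"C:\Program Files\Corp\report.exe"]): "allow"}
PATH_RULES = {r"C:\Program Files": "allow", r"C:\Users": "disallow"}

def decide(path: str, content: bytes, default="disallow"):
    """Return (level, reason). A matching hash rule beats any path rule; among path rules the
    most specific folder (longest path) wins; otherwise the default level applies."""
    level = HASH_RULES.get(file_hash(content))
    if level:
        return level, "hash rule"
    target = PureWindowsPath(path)                  # PureWindowsPath compares case-insensitively
    best = None
    for folder, lvl in PATH_RULES.items():
        f = PureWindowsPath(folder)
        if f in target.parents and (best is None or len(f.parts) > len(best[0].parts)):
            best = (f, lvl)
    return (best[1], f"path rule {best[0]}") if best else (default, "default level")
```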
Summary
• A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects
• Two default GPOs are created when Active Directory is installed:
– Default Domain Policy
– Default Domain Controllers Policy
• Mechanisms for managing GPOs:
– GPMC
– GPEDIT
– RMMC
• GPOs can be used:
– to control user desktop settings and security settings
– to apply scripts on user logon and logoff and computer startup and shutdown
– for folder redirection
• GPOs are applied in a specific order
• GPOs are inherited by default
– This can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using user permissions
• A GPO is a combination of the GPT and GPC.
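To make the precedence rules concrete (LSDOU order, last writer wins, security filtering by group, disabled GPOs, blocked inheritance and No Override), here is an added Python model that is not part of the seminar material. The containers, GPO names, groups and settings are constructed; the Local GPO is modelled as always processed first because it is not an AD link and so is not affected by blocking.

```python
# Constructed model of GPO processing. A GPO record carries: name, link_order (1 = highest
# precedence), enforced (No Override), disabled, apply_groups (groups holding Read + Apply), settings.
def applies_to(gpo, principal_groups):
    """Security filtering: process the GPO only if the user/computer is in a group with Read + Apply."""
    if gpo.get("disabled"):                      # GPO disabled entirely (troubleshooting)
        return False
    return bool(set(gpo["apply_groups"]) & set(principal_groups))

def resultant_policy(local_gpo, chain, principal_groups):
    """chain: AD containers from Site down to the deepest OU. Returns (effective settings, apply order)."""
    inherited, enforced_by_container = [], []
    for container in chain:
        if container.get("block_inheritance"):
            inherited = []                       # blocking drops non-enforced GPOs linked above this point
        linked = [g for g in container["gpos"] if applies_to(g, principal_groups)]
        linked.sort(key=lambda g: g["link_order"], reverse=True)   # link order 1 is processed last
        inherited += [g for g in linked if not g.get("enforced")]
        enforced_by_container.append([g for g in linked if g.get("enforced")])
    # Enforced links bypass blocking and are processed after everything else; an enforced link
    # nearer the domain root wins over one on a child OU, hence the reversed container order.
    enforced = [g for per_container in reversed(enforced_by_container) for g in per_container]
    order = [local_gpo] + inherited + enforced   # the Local GPO is not an AD link: always first
    settings = {}
    for g in order:
        settings.update(g["settings"])           # last writer wins
    return settings, [g["name"] for g in order]

EVERYONE = ["Authenticated Users"]               # the default Read + Apply grant
LOCAL_GPO = {"name": "Local GPO", "settings": {"Wallpaper": "local.bmp", "LockCmd": 0}}

def build_chain(enforce_domain=True):
    """Site / Domain / Establishments OU with per-UserType GPOs (names and settings are constructed)."""
    return [
        {"name": "Site", "gpos": []},
        {"name": "Domain", "gpos": [{"name": "Default Domain Policy", "link_order": 1,
            "enforced": enforce_domain, "apply_groups": EVERYONE, "settings": {"LockCmd": 1}}]},
        {"name": "Establishments OU", "block_inheritance": True, "gpos": [
            {"name": "Standard UserType", "link_order": 2, "apply_groups": ["Standard Users"],
             "settings": {"Wallpaper": "corp.bmp", "LockCmd": 0}},
            {"name": "Admin UserType", "link_order": 1, "apply_groups": ["Admin Users"],
             "settings": {"Wallpaper": "admin.bmp", "LockCmd": 0}},
        ]},
    ]
```

With the domain link enforced, the OU's Block Inheritance cannot stop LockCmd=1 from winning; drop the enforcement and the blocked domain GPO never reaches the station.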
Need to know more?
• http://www.microsoft.com/grouppolicy
• http://www.microsoft.com/windowsserver2003/gpmc
• GPOs Hardcore seminar session!