GPO - WINDOWS SERVER 2012

GPO - WINDOWS SERVER 2012. AGENDA: Introduction Group Policy Overview Types of Group Policies/Objects Associated Technologies How to implement.

Jan 03, 2016


Jack Newman

GPO - WINDOWS SERVER 2012


AGENDA:

• Introduction
• Group Policy Overview
• Types of Group Policies/Objects
• Associated Technologies
• How to implement


CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY.

GROUP POLICY OVERVIEW

• Group Policy Definition
• Preferences
• Define Scope of Policy (Site, Domain, Etc.)
• Inheritance/Enforce/Block
• Administration/GPMC
• Naming Conventions
• Security Filtering/WMI Filters
• RSOP/Modeling
• Login Scripts/Startup Scripts
• Fine-grained Password Policies
• Security Templates (More detail later)
• Machine vs. User Policies
• Group Policy Loop-back
• Change Control


USER AND COMPUTER CONFIGURATION SETTINGS

Group Policy settings for users:

• Desktop settings
• Software settings
• Windows settings
• Security settings

Group Policy settings for computers:

• Desktop behavior
• Software settings
• Windows settings
• Security settings


GPO COMPONENTS

Group Policy Object:

• Contains Group Policy settings
• Stores content in two locations

Group Policy Template:

• Stored in shared SYSVOL folder
• Provides Group Policy settings

Group Policy Container:

• Stored in Active Directory
• Provides version information
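
Because a GPO lives in two places, the version held in the Group Policy Container (Active Directory) and the version held in the Group Policy Template (SYSVOL) can drift apart when replication lags or when SYSVOL files are changed outside the normal tools. The following is an added example, not part of the original slides, that lists GPOs whose two halves disagree. It assumes the GroupPolicy PowerShell module (installed with GPMC) and a domain-joined session; the function name `Get-GpoVersionMismatch` is hypothetical.

```powershell
# Added example (not from the slides): find GPOs whose Group Policy Container
# (Active Directory) and Group Policy Template (SYSVOL) versions disagree.
# Requires the GroupPolicy module (GPMC / RSAT) and a domain-joined session.
Import-Module GroupPolicy

function Get-GpoVersionMismatch {
    [CmdletBinding()]
    param(
        # Assumption: defaults to the DNS domain of the current user.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    Get-GPO -All -Domain $Domain | ForEach-Object {
        # Each GPO tracks a user half and a computer half separately.
        $userOk     = $_.User.DSVersion     -eq $_.User.SysvolVersion
        $computerOk = $_.Computer.DSVersion -eq $_.Computer.SysvolVersion

        if (-not ($userOk -and $computerOk)) {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                Id             = $_.Id
                UserAD         = $_.User.DSVersion
                UserSysvol     = $_.User.SysvolVersion
                ComputerAD     = $_.Computer.DSVersion
                ComputerSysvol = $_.Computer.SysvolVersion
                # The template folder in SYSVOL is named after the GPO GUID.
                TemplatePath   = "\\$Domain\SYSVOL\$Domain\Policies\{$($_.Id)}"
                Modified       = $_.ModificationTime
            }
        }
    }
}

# An empty result means every GPO has matching AD and SYSVOL versions.
Get-GpoVersionMismatch | Format-Table -AutoSize
```

A mismatch that persists after replication has settled is worth investigating by comparing the files under `TemplatePath` with a known-good GPO backup.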


WHEN IS A GPO APPLIED?

Computer starts:

• Computer settings applied
• Startup scripts run
• Refresh Interval

User logs on:

• User settings applied
• Logon scripts run
• Refresh Interval


GPMC (GROUP POLICY MANAGEMENT CONSOLE)


WHAT IS A GPO LINK?

[Diagram: Site GPO, Domain GPO and Organizational Unit GPOs linked to the Site, the Domain and the OUs]

Applied in order: Local, Site, Domain, OU


GP ENFORCEMENT


POLICY FILTERING


SITE POLICIES

• Second only to local policies
• Conditional policies depending on network location (VPN, DMZ, etc.)
• Time Zones
• Printer location related policies


DOMAIN POLICIES

• Password and Account Policies
• Security and Auditing Policies
• Control Restricted Domain Groups
• Do not use the Default Domain Policy


DEFAULT DOMAIN POLICIES

• Password Settings
• Account Lockout Settings
• Allow system to be shut down without having to log on
• Change Administrator account name to:
• Change Guest account name to:
• Clear pagefile on shutdown
• Digitally sign server side communication
• Digitally sign client communication


FINE GRAINED PASSWORD POLICIES

• New in AD DS 2008
• Allows companies to define different password policies for groups within their organization, without creating separate domains
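
As an added example (not part of the original slides), the following creates a stricter password policy for one group inside a single domain and then verifies who receives it. It assumes the ActiveDirectory PowerShell module; the policy name `PSO-PrivilegedAdmins`, the group `Tier0-Admins`, the account `jdoe` and all numeric values are hypothetical placeholders.

```powershell
# Added example (not from the slides). 'PSO-PrivilegedAdmins', 'Tier0-Admins'
# and 'jdoe' are hypothetical names; the values are illustrative only.
Import-Module ActiveDirectory

$pso = @{
    Name                        = 'PSO-PrivilegedAdmins'
    Precedence                  = 10             # lower number wins if several PSOs apply
    MinPasswordLength           = 16
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordAge              = '1.00:00:00'   # format is d.hh:mm:ss
    MaxPasswordAge              = '60.00:00:00'
    LockoutThreshold            = 5
    LockoutObservationWindow    = '00:30:00'
    LockoutDuration             = '00:30:00'
}
New-ADFineGrainedPasswordPolicy @pso

# Password Settings Objects attach to users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# Review every PSO in the domain, ordered by precedence, with its subjects.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Confirm which PSO a given member actually receives. No output means the
# account falls back to the domain-wide password policy.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```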


USER POLICIES

• Desktop lockdown discussion
  » Removal of My Documents folder from computer/Redirection
  » Removal of context menus
  » Remove Add/Remove programs
  » Password protect screen saver
  » Standard desktop? – same screen saver, desktop background, fonts, etc for certain users?
  » Allow/disallow shared folders
  » Login/Logout Scripts - SW installation
  » Loopback processing mode (Kiosks)


MACHINE POLICIES

• Roaming profiles – on or off, should they propagate to server
• Startup scripts and shutdown scripts – async or sync
• Run this at user logon – no matter which user
• Disk quotas
• Dynamic DNS
• Group policy refresh interval
• Security policy
• EFS policy
• (desktops) Remote assistance on/off
• (desktops) System restore on/off/settings
• (desktops) NTP – time settings


GUIDELINES FOR PLANNING GPOS

• Apply GPO settings at the highest level
• Reduce the number of GPOs
• Create specialized GPOs
• Use the Enforced option only when required
• Use Block Inheritance sparingly
• Use security filtering only when necessary
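
To check a domain against the Enforced and Block Inheritance guidelines, the following added example (not part of the original slides) lists every container that blocks inheritance and every GPO link that is enforced or disabled, then shows the effective link order at one OU. It assumes the ActiveDirectory and GroupPolicy PowerShell modules; the OU name `Workstations` is a hypothetical placeholder.

```powershell
# Added example (not from the slides): report OUs that block inheritance and
# GPO links that are Enforced or disabled, so each exception can be reviewed.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn

    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{ Container = $dn; Finding = 'Block Inheritance'; Gpo = $null }
    }

    # GpoLinks holds only the links made directly on this container.
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            [pscustomobject]@{ Container = $dn; Finding = 'Enforced link'; Gpo = $link.DisplayName }
        }
        if (-not $link.Enabled) {
            [pscustomobject]@{ Container = $dn; Finding = 'Disabled link'; Gpo = $link.DisplayName }
        }
    }
}

$report | Sort-Object Finding, Container | Format-Table -AutoSize

# Effective links at one container ('Workstations' is a hypothetical OU).
# Order mirrors the Precedence column of GPMC's Group Policy Inheritance tab.
(Get-GPInheritance -Target "OU=Workstations,$domainDn").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target
```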


Questions?