Microsoft Server 2008 R2 Group Policies & AD

Post on 14-Jan-2016


Microsoft Server 2008 R2: Group Policies & AD

Group Policies - Refresher
• A GPO is applied "all or nothing": you cannot apply only some of its settings to a target. If you need that, split the settings across GPOs and filter with security groups or WMI filters.
• Only settings that are Enabled or Disabled are processed; Not Configured settings are ignored, so they leave in place whatever an earlier GPO (or the local policy) set.
• Policies are inherited and cumulative, processed in LSDOU order: Local, Site, Domain, then OU (parent OU before child OU).
• Clients refresh policy every 90 minutes plus a random offset of up to 30 minutes; domain controllers refresh every 5 minutes.

GPO Concepts
• Policies are applied from the bottom up: the later a GPO is processed, the higher its precedence. Rule of thumb: "listen to the last policy you heard from".
• Within one container, GPMC lists linked GPOs in precedence order. The link at the bottom of the list is processed first; the link at the top (link order 1) is processed last and wins any conflict.

GPO Planning: OU Design
• Create separate OUs for computers and users.
• Segment machines and users into roles by OU. Examples:
– Servers: Exchange servers, Terminal Servers, web servers, file and print, etc.
– Workstations: desktops, laptops, task stations, etc.
– Pre-stage computers and servers.
– Users: IT staff, engineers, shop floor, laptop users, etc.

GPO Planning: OU Design
• Pre-staging PCs and servers
• Create the computer object in the intended OU before joining the machine to the domain.
• The system then lands in the right OU on its first policy refresh, so the GPOs for its role apply immediately instead of after someone moves it out of the default Computers container.

GPO Planning
• GPO naming conventions: make them consistent and easy to interpret. Use a clear name that describes the intent of the GPO.
• How significant is the number of GPOs applied? 999 is the maximum number of GPOs that can be applied to a single user or computer; the practical limit is how long processing takes and how hard the result is to troubleshoot.

Planning: Deployment
• Test, stage and production. It's a "good thing" if you: Test -> Stage -> Test -> Deploy -> Validate.
• Move GPOs between environments with Backup / Copy / Import, including migration tables for domain-specific SIDs and UNC paths.
• Documentation: HTML or XML reports (GPMC "Save Report...").

Planning: Disaster Recovery
• GPMC Backup / Restore handles a GPO as one logical entity (the AD container and the Sysvol folder together).
• Automate GPO backup using the GPMC sample scripts BackupAllGPOs.wsf or BackupGPO.wsf (on 2008 R2 the GroupPolicy PowerShell module's Backup-GPO does the same job).
• Regularly test GPO restore in your environment with RestoreAllGPOs.wsf or RestoreGPO.wsf (or Restore-GPO).
• Think about how you would build or rebuild your staging environment.

Planning: Disaster Recovery
• Be aware of what is NOT included in a backup of a GPO and plan accordingly:
– IPsec settings, which live in CN=IP Security,CN=System,DC=xxxx. The GPO holds only a link to this data; an AD backup covers the data itself.
– WMI filters: only the filter link is backed up. The filter itself is stored in AD, so your AD backup covers it.
– GPO links from sites, domains or OUs. A link is an attribute of the site/domain/OU object, not of the GPO, so again the AD backup covers it; record link order, enforcement and inheritance blocking separately if you want to rebuild a structure by hand.
– Don't rely on DCGPOFix; it is a last-resort tool. It returns the Default Domain Policy and Default Domain Controllers Policy to their clean-install state (not an upgraded state), discarding everything added since, and you must check their links afterwards. Use your own backup instead.
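The following script is an added example, not part of the original slides, that implements the backup, reporting and "what is not in the backup" advice of the two Disaster Recovery slides on Windows Server 2008 R2 with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT). The backup root, the GPO name used in the restore and import lines, and the migration-table path are hypothetical values to replace.

```powershell
# Added example (not from the original slides): back up every GPO, save an HTML
# report per GPO, and record the things a GPO backup does NOT carry (links per
# container, WMI filter assignments). Assumes Windows Server 2008 R2 with the
# GroupPolicy and ActiveDirectory modules and rights to read every GPO.
# $BackupRoot and the GPO / migration-table names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupRoot = "D:\GPOBackups\$(Get-Date -Format 'yyyy-MM-dd_HHmm')"
New-Item -ItemType Directory -Path $BackupRoot | Out-Null

# 1. Backup-GPO -All is the cmdlet equivalent of BackupAllGPOs.wsf.
#    Keep a manifest so you can map a backup directory back to a GPO.
Backup-GPO -All -Path $BackupRoot -Comment "Scheduled backup $(Get-Date)" |
    Select-Object DisplayName, Id, BackupDirectory |
    Export-Csv -Path (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation

# 2. Documentation: one HTML report per GPO (the GPMC "Save Report..." action).
$ReportDir = Join-Path $BackupRoot 'reports'
New-Item -ItemType Directory -Path $ReportDir | Out-Null
foreach ($gpo in Get-GPO -All) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ReportDir "$safeName`_$($gpo.Id).html")
}

# 3. Links are attributes of the site/domain/OU, not of the GPO, so they are not
#    in the backup. Walk the domain root and every OU and record link order,
#    enabled/enforced state and inheritance blocking.
$domain     = Get-ADDomain
$containers = @($domain.DistinguishedName) +
              (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$links = foreach ($dn in $containers) {
    $inh = Get-GPInheritance -Target $dn
    foreach ($l in $inh.GpoLinks) {
        [pscustomobject]@{
            Target       = $dn
            BlockInherit = $inh.GpoInheritanceBlocked
            Order        = $l.Order
            GpoName      = $l.DisplayName
            GpoId        = $l.GpoId
            Enabled      = $l.Enabled
            Enforced     = $l.Enforced
        }
    }
}
$links | Sort-Object Target, Order |
    Export-Csv -Path (Join-Path $BackupRoot 'gpo-links.csv') -NoTypeInformation

# 4. WMI filters: the backup keeps only the link from GPO to filter. Record the
#    assignment; the filter bodies live in AD and are covered by the AD backup.
Get-GPO -All | Where-Object { $_.WmiFilter } |
    Select-Object DisplayName, Id, @{ n = 'WmiFilter'; e = { $_.WmiFilter.Name } } |
    Export-Csv -Path (Join-Path $BackupRoot 'wmi-filters.csv') -NoTypeInformation

# 5. Restore drill (test this regularly): restore one GPO by name from this set.
#    Links are not restored by this step; recreate them from gpo-links.csv.
# Restore-GPO -Name 'Workstation Baseline' -Path $BackupRoot

# 6. Staging -> production: import a staging backup into a production GPO,
#    rewriting domain-specific SIDs and UNC paths through a migration table.
# Import-GPO -BackupGpoName 'Workstation Baseline' -TargetName 'Workstation Baseline' `
#     -Path '\\staging\GPOBackups' -MigrationTable 'D:\GPOBackups\staging-to-prod.migtable' `
#     -CreateIfNeeded
```

Run it as a scheduled task under an account that can read every GPO; the three CSV files next to the backup are what you will need, together with the AD backup, to rebuild links and filter assignments after a restore.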

Planning: Group Policy Dependencies
• DNS: many "Group Policy problems" turn out to be DNS misconfiguration. If the client cannot locate a domain controller or resolve the Sysvol share, no policy is processed.
• Don't touch the Policies directory in Sysvol directly (including playing with its ACLs); manage it through supported tools only.
• If you plan to delete Sysvol - well, don't!

GPO and 2008 R2 & Windows 7: Group Policy Preferences (GPP)
• Extensions, or "new settings", that add more than 3000 settings.
• Example use: set the local Administrator password on every desktop through the Local Users and Groups preference. Caveat: the password is stored in Sysvol (the cpassword attribute in Groups.xml) encrypted with an AES key that Microsoft published, so any domain user who can read Sysvol can recover it. Microsoft removed the ability to set passwords this way in MS14-025 (2014); use LAPS or another per-machine secret store instead.
• Different from normal GPO settings: preference items are duplicated under both the user and the computer configuration.
• Multiple Local Group Policies.
• Improvements to existing policies, for example cleaner Folder Redirection.
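As an added example (not from the original slides), the check below finds GPP items that still carry a stored password, the exact situation the "modify the local administrator password" bullet describes. It assumes a domain-joined machine with read access to Sysvol and the GroupPolicy module installed; the file list is the set of preference XML files that can contain a cpassword attribute.

```powershell
# Added example (not from the original slides): locate Group Policy Preference
# XML files in SYSVOL that embed a cpassword and map each hit to its GPO.
# Assumes a domain-joined host with read access to SYSVOL and RSAT's GroupPolicy
# module; $domain is taken from the environment.
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
# Preference files that can hold credentials.
$files    = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$hits = Get-ChildItem -Path $policies -Recurse -Include $files -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |      # empty cpassword="" means no stored password
    ForEach-Object {
        # Path looks like ...\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
        $gpoGuid = ($_.Path -split '\\' | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' })[0]
        [pscustomobject]@{
            GpoGuid = $gpoGuid
            GpoName = (Get-GPO -Guid $gpoGuid -ErrorAction SilentlyContinue).DisplayName
            File    = $_.Path
            Line    = $_.LineNumber
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No cpassword attributes found in SYSVOL.'
}
```

Every hit is a credential readable by all authenticated users; remove the preference item (or the whole GPO), rotate the password it contained, and move to LAPS.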

GPO and 2008 R2 & Windows 7
• Multiple Local Group Policy Objects (MLGPO)
• Different local Group Policies for different folks: a machine-wide local GPO, plus separate local GPOs for Administrators, Non-Administrators and individual local users.

GPO and 2008 R2 & Windows 7
• Folder Redirection: cleaner view, and handles most profile folders.

Troubleshooting
• Know where your GPOs live:
– Local GPO: %windir%\system32\grouppolicy
– MLGPOs: %windir%\system32\grouppolicyusers
– Domain GPOs: on each DC, %windir%\sysvol\sysvol\<domain>\Policies (the AD part of each GPO is under CN=Policies,CN=System)
• Know your reporting options:
– Group Policy Modeling
– Group Policy Results
– Event Log (exposed through GPMC)
• Know your tools:
– With the operating system: GPUpdate.exe, GPResult.exe
– Windows Server 2003 Resource Kit: GPOTool, GPMonitor
– Download Center: GPInventory
• Know your log files: UserEnv (core engine), WinLogon (security), FDeploy (Folder Redirection), Appmgmt.log (software installation), Gpmgmt (GPMC), GPedit (GPEdit), GPText (CSE-specific). On Vista / Server 2008 and later the core engine no longer writes userenv.log; look in the Group Policy operational event log (Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational) instead.

Troubleshooting
• Using the Local GPO (LGPO)
– A good option if you don't have access to change GPOs in the domain (not all settings are available locally; software installation and folder redirection, for example, are domain-only).
– Updating the LGPO on a domain-joined PC has no impact when using cached credentials.
• Read the Explain text for Administrative Templates and the Help for Security Settings.
• Use the "force": gpupdate.exe /force re-applies every setting, not only the GPOs whose version changed since the last refresh.
• If you move a user or computer to a new OU, the change does not take effect immediately: reboot, log on again, or force a refresh.
• Consider using virtualization for testing. It is especially helpful for security settings, which "tattoo" (they stay in effect after the GPO that set them is removed); snapshot first and undo when done!
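The script below is an added example, not part of the original slides, that walks the troubleshooting steps from the two Troubleshooting slides on one Windows 7 / Server 2008 R2 client: force a refresh, collect Resultant Set of Policy, read the Group Policy operational log, and check the DNS and Sysvol dependencies named earlier. It assumes RSAT's GroupPolicy module is present on the machine running it; the output directory is a hypothetical value, and the element names used when reading the RSoP XML follow the gpresult /x report format.

```powershell
# Added example (not from the original slides): one troubleshooting pass on a
# client. Assumes Windows 7 / Server 2008 R2 with RSAT's GroupPolicy module.
# $Out is a hypothetical output directory.
Import-Module GroupPolicy

$Computer = $env:COMPUTERNAME
$User     = "$env:USERDOMAIN\$env:USERNAME"
$Domain   = $env:USERDNSDOMAIN
$Out      = "$env:TEMP\gp-troubleshoot"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 0. Dependencies first: can we resolve the domain and reach the Policies share?
#    Most "Group Policy problems" stop here.
$dnsOk    = [bool]([System.Net.Dns]::GetHostEntry($Domain).AddressList)
$sysvolOk = Test-Path "\\$Domain\SYSVOL\$Domain\Policies"
"DNS resolves domain: $dnsOk; Sysvol Policies reachable: $sysvolOk"

# 1. "Use the force": re-apply every setting, including GPOs whose version did
#    not change (needed after moving the object to a new OU). Wait up to 120 s.
gpupdate /force /wait:120

# 2. Resultant Set of Policy: the classic tool (HTML) and the cmdlet (XML).
gpresult /h "$Out\gpresult.html" /f
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path "$Out\rsop.xml"

# 3. List the GPOs the computer actually applied, from the RSoP XML
#    (element names as in the gpresult /x report format).
[xml]$rsop = Get-Content "$Out\rsop.xml"
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, @{ n = 'LinkedAt'; e = { $_.Link.SOMPath } } |
    Format-Table -AutoSize

# 4. userenv.log is gone on Vista/2008 and later; the core engine logs to the
#    Group Policy operational log. Pull critical/error/warning events from the
#    last refresh cycles (Level 1 = Critical, 2 = Error, 3 = Warning).
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Read the output top down: a failed DNS or Sysvol check explains everything after it, the RSoP listing shows whether the expected GPO was even considered for the OU the object now sits in, and the operational log names the client-side extension that failed when a GPO was applied but a setting did not land.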
