Sander Berkouwer, CTO at SCCT, 10-fold Microsoft MVP, Active Directory aficionado
Daniel Goater, Systems Engineer, Netwrix
Create and Manage Group Policy
Active Directory 101
Active Directory 101 vs. Exam 70-742
o Implement and manage a certificate authority (CA) hierarchy with AD CS
o Deploy and manage certificates
o Implement and administer Active Directory Federation Services (AD FS)
o Implement and administer Active Directory Rights Management Services (AD RMS)
o Monitor, troubleshoot, and establish business continuity for AD DS services
o Secure AD DS and user accounts
o Manage user settings by using GPOs
o Implement and manage Group Policy
o Configure and manage replication
o Implement AD DS sites
o Implement AD DS in complex environments
o Manage objects in AD DS
o Install and configure Domain Controllers
o Implement synchronization between AD DS and Azure AD
[Diagram labels: Active Directory 101; Microsoft exam 70-742: Identity with Windows Server 2016]
Agenda
Implementing Group Policy
Managing User settings with Group Policy
Group Policy Best Practices
How to deliver complete visibility into all security and configuration changes in Group Policy
Implementing Group Policy
Introduction to Group Policy
Centralized approach to applying one or more changes to more than one user or computer
Very powerful tool, in the right hands, to
• Apply security settings
• Manage the Windows (Server) experience
• Deploy software
• Configure networking
Group Policy Objects, Settings and Links
• Apply settings to Domains, OUs, Sites and/or local computers
• Despite its name, you can’t apply Group Policies to individual users or groups
Tools for managing Group Policy
Graphical Tools
• Group Policy Management Console (gpmc)
• Group Policy Editor (gpedit)
Command-line Tools
• GPUpdate.exe
• GPResult.exe
PowerShell
• Invoke-GPUpdate
Advanced Group Policy Management (AGPM) tool
• Part of Software Assurance
• Allows versioning, etc.
How Group Policy settings are applied
Group Policy Objects are linked
Enabled vs. Disabled GPOs
Group Policy Processing Order and Precedence
• Local Group Policies, Site, Domain, OUs
• Last setting to be applied wins
• Precedence when multiple links on Site, Domain or OU: lowest number last
Block Inheritance vs. Enforced
Loopback processing
• Replace mode vs. Merge mode
• Ideal for Remote Desktop Session Hosts, public-use computers
Security Filtering and WMI Filtering
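The processing order on this slide, worked through as an added example (not part of the original slides). It is a simplified model over constructed link data: the GPO names, depths and the LockMinutes setting are hypothetical, and security filtering, WMI filtering and loopback processing are not modelled.

```powershell
# Simplified model of GPO precedence for one computer; all data below is constructed.
# Not modelled: security filtering, WMI filtering, loopback processing.
# Depth: 0 = Local, 1 = Site, 2 = Domain, 3 and up = OUs from parent to child.
# Order is the link order within one container (1 = highest precedence there).
$links = @(
    [pscustomobject]@{ Depth = 0; Order = 1; Gpo = 'Local Policy';     Enabled = $true;  Enforced = $false; LockMinutes = 30 }
    [pscustomobject]@{ Depth = 2; Order = 1; Gpo = 'Domain Baseline';  Enabled = $true;  Enforced = $true;  LockMinutes = 10 }
    [pscustomobject]@{ Depth = 2; Order = 2; Gpo = 'Domain Defaults';  Enabled = $true;  Enforced = $false; LockMinutes = 15 }
    [pscustomobject]@{ Depth = 3; Order = 1; Gpo = 'Server Hardening'; Enabled = $true;  Enforced = $false; LockMinutes = 5 }
    [pscustomobject]@{ Depth = 4; Order = 1; Gpo = 'RDS Kiosk';        Enabled = $true;  Enforced = $false; LockMinutes = 60 }
    [pscustomobject]@{ Depth = 4; Order = 2; Gpo = 'RDS Legacy';       Enabled = $false; Enforced = $false; LockMinutes = 120 }
)

function Get-GpoApplicationOrder {
    param([object[]]$Links, [int[]]$BlockedDepths = @())
    # Block Inheritance hides non-enforced links from every container above the blocking OU.
    $barrier = 0
    foreach ($d in $BlockedDepths) { if ($d -gt $barrier) { $barrier = $d } }
    # Disabled links are never processed.
    $active = @($Links | Where-Object { $_.Enabled })
    # Normal links: Local, Site, Domain, OU; inside a container the lowest link order goes last.
    $normal = @($active |
        Where-Object { -not $_.Enforced -and ($_.Depth -eq 0 -or $_.Depth -ge $barrier) } |
        Sort-Object -Property Depth, @{ Expression = 'Order'; Descending = $true })
    # Enforced links ignore the block and go after everything else, highest container last.
    $enforced = @($active | Where-Object { $_.Enforced } |
        Sort-Object -Property @{ Expression = 'Depth'; Descending = $true },
                              @{ Expression = 'Order'; Descending = $true })
    $normal + $enforced
}

# Block Inheritance is set on the depth-4 OU that holds the computer.
$applied = @(Get-GpoApplicationOrder -Links $links -BlockedDepths 4)
$applied | Format-Table Gpo, Depth, Order, Enforced, LockMinutes

# Last setting applied wins.
$winner = $applied[-1]
"Effective LockMinutes: $($winner.LockMinutes) (from '$($winner.Gpo)')"
```

With this data the block on the OU removes the two non-enforced parent links, but the enforced domain link is still applied last and decides the setting.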
Group Policy Refresh
Policy settings apply every 90-120 minutes, when clients retrieve the group policy settings to update their cached settings
• By default, only when Group Policy settings have changed
Group Policy refresh can be
• Changed through Group Policies
• Initiated using gpupdate.exe, per domain-joined device
• Initiated in the GPMC from a Domain Controller, too
Administrative Templates
Control the environment of the OS and UI
• OS features like Control Panel, network and printers
• UI features like Desktop, network, Start Menu and taskbar
Two file types:
• *.adm
– Copied into every GPO in the System Volume (SYSVOL)
• *.admx and *.adml
– Not stored in the GPO
– Language Neutral
Administrative Templates make Group Policy expandable
The Group Policy Central Store
Central repository for *.admx and *.adml in SYSVOL
Must be created manually and files must be copied manually
• From C:\Windows\PolicyDefinitions, and downloads
• To \\domain.tld\SYSVOL\domain.tld\policies\PolicyDefinitions
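The manual steps above as a script, added here as an example and not taken from the original slides. It assumes it is run from a domain-joined session with write access to SYSVOL, takes the domain name from that session, and uses en-US as the language folder to verify.

```powershell
# Build the Central Store from the local template folder.
# Assumptions: the session is logged on to the domain, the account can write to
# SYSVOL, and this machine carries the templates you want to publish.
$domain = $env:USERDNSDOMAIN
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path -LiteralPath $source)) {
    throw "Local template folder not found: $source"
}

# The folder does not exist by default; create it once.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# Copy the *.admx files and the language subfolders that hold the *.adml files.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Verify: every template in the store needs a matching language file,
# otherwise the editor cannot display that template's settings in this language.
$culture = 'en-US'   # assumption: the language your administrators edit in
$missing = @(Get-ChildItem -Path $store -Filter '*.admx' | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $store "$culture\$($_.BaseName).adml"))
})

if ($missing.Count -gt 0) {
    Write-Warning "Templates without a $culture language file:"
    $missing | ForEach-Object { "  $($_.Name)" }
} else {
    "Central Store at $store is complete for $culture."
}
```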
Group Policy Preferences
Extensions to Group Policy Settings
• Manage settings previously unavailable
– Map drives
– Create shortcuts
– Configure power options
– Schedule tasks
– Configure Internet Explorer
Do not cause the UI for these settings to grey out
Use Group Policy Refresh by default, but can be configured to only run once
Troubleshooting Group Policy
When do Group Policy settings apply?
• Computer settings in a GPO apply at startup of device
• User settings in a GPO apply at logon of user
• Group Policy Refresh interval (Security Settings at least every 16 hours)
• Manual Group Policy Refresh
How do I know what GPO applies certain settings?
Why is a device taking long ‘Applying Group Policy settings’?
• Use the Group Policy Results Wizard in GPMC
• Use GPResult.exe
• Use Get-GPResultantSetOfPolicy
Delegating Group Policy Management
You can delegate Group Policy Management to non-Domain Admins:
• Create
• Edit
• Manage links
• Perform Modeling
• Reading Group Policy results data
• Creating WMI Filters
But not:
• Backup and Restore
• Copy and Import
• Manage Starter GPOs
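Delegated edit rights are worth reviewing regularly, because anyone who can edit a GPO controls the computers and users it applies to. The following added example (not from the original slides) lists every trustee with edit rights on any GPO outside an expected set; the expected list is an assumption to adjust, and link and creation delegation are set elsewhere and are not covered.

```powershell
# Review who can edit GPOs. Requires the GroupPolicy module (installed with GPMC)
# and read access to the domain's GPOs.
Import-Module GroupPolicy

# Trustees expected to hold edit rights (assumption; adjust to your environment).
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels that allow changing the settings inside a GPO.
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $ace.Permission.ToString()
        if (($level -in $editLevels) -and ($ace.Trustee.Name -notin $expected)) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                TrusteeType = $ace.Trustee.SidType
                Permission  = $level
                Inherited   = $ace.Inherited
            }
        }
    }
}

if ($findings) {
    # Group per trustee so one over-delegated account stands out.
    $findings | Sort-Object Trustee, Gpo | Format-Table -AutoSize
} else {
    'No edit rights found outside the expected trustees.'
}
```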
Managing user settings with Group Policy
Folder Redirection
Folder Redirection allows folders to be located on a network server, but appear as if they are located on a local drive
• Basic Folder Redirection: All users save to the same location
• Advanced Folder Redirection: Group membership-based locations
By default, Administrators have no permissions on user folders
Distributing software and running scripts
Yes, you can install software using Group Policy
– Assign software: install at next startup/logon
– Publish software
• Manual install from Control Panel
• Automatically install based on file extensions
Yes, you can run scripts with Group Policy automatically
– Four available triggers for scripts:
• Computer: startup scripts and shutdown scripts
• User: logon scripts and logoff scripts
– Asynchronous (default) and synchronous script processing
Group Policy best practices
Group Policy Best Practices
Implement the Group Policy Central Store
Do not use the Group Policy functionality to set passwords
Avoid using Enforce and Block Inheritance
Avoid linking GPOs to Sites
Avoid elaborate WMI Filters
Replace scripts with Group Policy Preferences
Do not place Group Policy Settings and Group Policy Preferences in the same GPO
Netwrix Auditor for Active Directory
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global customer base: over 9,000
Recognition: Among the fastest growing software companies in the US with 140 industry awards from Redmond Magazine, SC Magazine, Windows IT Pro and others
Customer support: global 24/5 support with 97% customer satisfaction
Netwrix Auditor Unified Platform
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Oracle Database
Netwrix Auditor for Azure AD
Netwrix Auditor for EMC
Netwrix Auditor for SQL Server
Netwrix Auditor for Exchange
Netwrix Auditor for NetApp
Netwrix Auditor for Windows Server
Netwrix Auditor for Office 365
Netwrix Auditor for SharePoint
Netwrix Auditor for VMware
Linux / Unix
Free Add-Ons
Demonstration
Netwrix Auditor
Next Steps
Experiment with Group Policy in your testlab
Contact Sales to obtain more information
netwrix.com/contactsales
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch previously recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured
Visit: dirteam.com for more Active Directory information
Thank you!
Questions?