Create and Manage Group Policy - netwrix.com

Sander Berkouwer CTO at SCCT 10-fold Microsoft MVP Active Directory aficionado Daniel Goater Systems Engineer Netwrix Create and Manage Group Policy Active Directory 101


Post on 16-Sep-2019


Page 1: Create and Manage Group Policy - netwrix.com · –Asynchronous (default) and synchronous script processing. Group Policy best practices. Group Policy Best Practices Implement the

Sander Berkouwer, CTO at SCCT, 10-fold Microsoft MVP, Active Directory aficionado

Daniel Goater, Systems Engineer, Netwrix

Create and Manage Group Policy

Active Directory 101

Page 2:

Active Directory 101 vs. Exam 70-742

o Implement and manage a certificate authority (CA) hierarchy with AD CS

o Deploy and manage certificates

o Implement and administer Active Directory Federation Services (AD FS)

o Implement and administer Active Directory Rights Management Services (AD RMS)

o Monitor, troubleshoot, and establish business continuity for AD DS services

o Secure AD DS and user accounts

o Manage user settings by using GPOs

o Implement and manage Group Policy

o Configure and manage replication

o Implement AD DS sites

o Implement AD DS in complex environments

o Manage objects in AD DS

o Install and configure Domain Controllers

o Implement synchronization between AD DS and Azure AD

Side labels: Active Directory 101; Microsoft exam 70-742 (Identity with Windows Server 2016)

Page 3:

Agenda

Implementing Group Policy

Managing User settings with Group Policy

Group Policy Best Practices

How to deliver complete visibility into all security and configuration changes in Group Policy

Page 4:

Implementing Group Policy

Page 5:

Introduction to Group Policy

Centralized approach to applying one or more changes to more than one user or computer

Very powerful tool, in the right hands, to

• Apply security settings

• Manage the Windows (Server) experience

• Deploy software

• Configure networking

Group Policy Objects, Settings and Links

• Apply settings to Domains, OUs, Sites and/or local computers

• Despite its name, you can’t apply Group Policies to individual users or groups

Page 6:

Tools for managing Group Policy

Graphical Tools

• Group Policy Management Console (gpmc)

• Group Policy Editor (gpedit)

Command-line Tools

• GPUpdate.exe

• GPResult.exe

PowerShell

• Invoke-GPUpdate

Advanced Group Policy Management (AGPM) tool

• Part of Software Assurance

• Allows versioning, etc.

Page 7:

How Group Policy settings are applied

Group Policy Objects are linked

Enabled vs. Disabled GPOs

Group Policy Processing Order and Precedence

• Local Group Policies, Site, Domain, OUs

• Last setting to be applied wins

• Precedence when multiple links on Site, Domain or OU: lowest number last

Block Inheritance vs. Enforced

Loopback processing

• Replace mode vs. Merge mode

• Ideal for Remote Desktop Session Hosts, public-use computers

Security Filtering and WMI Filtering
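
The processing order, Block Inheritance and Enforced flags on this slide can be read back from a live domain. The following PowerShell is an added example, not part of the original slides; it assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to the domain.

```powershell
# Added example; needs the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

# Get-GPInheritance accepts the domain root and OUs as targets.
$targets = @((Get-ADDomain).DistinguishedName) +
           @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)

$report = foreach ($dn in $targets) {
    $inh  = Get-GPInheritance -Target $dn
    $rank = 0
    # InheritedGpoLinks lists the links that reach this container,
    # highest precedence first (rank 1 is applied last and wins).
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Container        = $dn
            BlockInheritance = $inh.GpoInheritanceBlocked
            Rank             = $rank
            GPO              = $link.DisplayName
            LinkedAt         = $link.Target
            LinkEnabled      = $link.Enabled
            Enforced         = $link.Enforced
        }
    }
}

# Effective order for every container.
$report | Sort-Object Container, Rank | Format-Table -AutoSize

# Containers that block inheritance, and Enforced links that pass through a block.
$report | Where-Object { $_.BlockInheritance -or $_.Enforced } |
    Select-Object Container, BlockInheritance, GPO, LinkedAt, Enforced -Unique |
    Format-Table -AutoSize

# Sites are not valid Get-GPInheritance targets; read their gPLink attribute directly.
Get-ADReplicationSite -Filter * -Properties gPLink |
    Where-Object { $_.gPLink -match 'LDAP://' } |
    Select-Object Name, gPLink
```

The second and third outputs list the Enforced links, blocked containers and site links that the best-practices slide advises keeping to a minimum.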

Page 8:

Group Policy Refresh

Policy settings apply every 90-120 minutes, when clients retrieve the group policy settings to update their cached settings

• By default, only when Group Policy settings have changed

Group Policy refresh can be

• Changed through Group Policies

• Initiated using gpupdate.exe on each domain-joined device

• Initiated in the GPMC from a Domain Controller, too

Page 9:

Administrative Templates

Control the environment of the OS and UI

• OS features like Control Panel, network and printers

• UI features like Desktop, network, Start Menu and taskbar

Two file types:

• *.adm

– Copied into every GPO in the System Volume (SYSVOL)

• *.admx and *.adml

– Not stored in the GPO

– Language Neutral

Administrative Templates make Group Policy expandable

Page 10:

The Group Policy Central Store

Central repository for *.admx and *.adml in SYSVOL

Must be created manually and files must be copied manually

• From C:\Windows\PolicyDefinitions, and downloads

• To \\domain.tld\SYSVOL\domain.tld\policies\PolicyDefinitions
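
The manual creation and copy steps above can be scripted. This PowerShell is an added example, not part of the original slides; it assumes the ActiveDirectory module, write access to SYSVOL, and that the local PolicyDefinitions folder on the machine running it holds the templates you want in the store.

```powershell
# Added example: create the Central Store if needed and fill it from local templates.
Import-Module ActiveDirectory

$dnsRoot = (Get-ADDomain).DNSRoot
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store   = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Report which local .admx templates the store does not have yet.
$inStore = @(Get-ChildItem -Path $store -Filter *.admx).Name
$missing = Get-ChildItem -Path $source -Filter *.admx |
    Where-Object { $inStore -notcontains $_.Name }
"{0} template(s) missing from {1}" -f @($missing).Count, $store

# Copy .admx files and the language subfolders holding .adml files.
# /E keeps the folder structure; /XO skips source files older than the copy in the store.
robocopy $source $store *.admx *.adml /E /XO /R:1 /W:1 /NP | Out-Null

# Robocopy exit codes of 8 or higher mean at least one copy failed.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE)"
}
```

Once the folder exists, the Group Policy editing tools read templates from the Central Store instead of the local PolicyDefinitions folder.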

Page 11:

Group Policy Preferences

Extensions to Group Policy Settings

• Manage settings previously unavailable

– Map drives

– Create shortcuts

– Configure power options

– Schedule tasks

– Configure Internet Explorer

Do not cause the UI for these settings to grey out

Use Group Policy Refresh by default, but can be configured to only run once

Page 12:

Troubleshooting Group Policy

When do Group Policy settings apply?

• Computer settings in a GPO apply at startup of device

• User settings in a GPO apply at logon of user

• Group Policy Refresh interval (Security Settings at least every 16 hours)

• Manual Group Policy Refresh

How do I know what GPO applies certain settings?

Why is a device taking long ‘Applying Group Policy settings’?

• Use the Group Policy Results Wizard in GPMC

• Use GPResult.exe

• Use Get-GPResultantSetOfPolicy

Page 13:

Delegating Group Policy Management

You can delegate Group Policy Management to non-Domain Admins:

• Create

• Edit

• Manage links

• Perform Modeling

• Reading Group Policy results data

• Creating WMI Filters

But not:

• Backup and Restore

• Copy and Import

• Manage Starter GPOs

Page 14:

Managing user settings with Group Policy

Page 15:

Folder Redirection

Folder Redirection allows folders to be located on a network server, but appear as if they are located on a local drive

• Basic Folder Redirection: All users save to the same location

• Advanced Folder Redirection: Group membership-based locations

By default, Administrators have no permissions on user folders

Page 16:

Distributing software and running scripts

Yes, you can install software using Group Policy

– Assign software: install at next startup/logon

– Publish software

• Manual install from Control Panel

• Automatically install based on file extensions

Yes, you can run scripts with Group Policy automatically

– Four available triggers for scripts:

• Computer: startup scripts and shutdown scripts

• User: logon scripts and logoff scripts

– Asynchronous (default) and synchronous script processing

Page 17:

Group Policy best practices

Page 18:

Group Policy Best Practices

Implement the Group Policy Central Store

Do not use the Group Policy functionality to set passwords

Avoid using Enforce and Block Inheritance

Avoid linking GPOs to Sites

Avoid elaborate WMI Filters

Replace scripts with Group Policy Preferences

Do not place Group Policy Settings and Group Policy Preferences in the same GPO
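
For the advice not to set passwords through Group Policy: Group Policy Preferences items could store a password in a `cpassword` attribute inside XML files in SYSVOL, so existing GPOs are worth checking for leftovers. The following PowerShell is an added example, not part of the original slides; it assumes the GroupPolicy and ActiveDirectory modules and read access to SYSVOL, and it reports locations only, never the stored value.

```powershell
# Added example: find Group Policy Preferences files that still carry a stored password.
Import-Module GroupPolicy, ActiveDirectory

$dnsRoot  = (Get-ADDomain).DNSRoot
$policies = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"

# Preference files that can hold an embedded credential.
$names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
         'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $policies -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    ForEach-Object {
        # The GPO GUID is the folder name directly under Policies.
        $guid = if ($_.Path -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
        $gpo  = if ($guid) { Get-GPO -Guid $guid.Trim('{}') -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            GPO  = $gpo.DisplayName
            Guid = $guid
            File = $_.Path
            Line = $_.LineNumber
        }
    }

if ($findings) {
    $findings | Sort-Object GPO, File | Format-Table -AutoSize
} else {
    'No stored preference passwords found under {0}' -f $policies
}
```

Any hit means the preference item should be removed from the GPO and the account's password changed, since the file remains readable in SYSVOL until then.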

Page 19:

Netwrix Auditor for Active Directory

Page 20:

About Netwrix Corporation

Year of foundation: 2006

Headquarters location: Irvine, California

Global customer base: over 9,000

Recognition: Among the fastest growing software companies in the US with 140 industry awards from Redmond Magazine, SC Magazine, Windows IT Pro and others

Customer support: global 24/5 support with 97% customer satisfaction

Page 21:

Netwrix Auditor Unified Platform

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Oracle Database

Netwrix Auditor for Azure AD

Netwrix Auditor for EMC

Netwrix Auditor for SQL Server

Netwrix Auditor for Exchange

Netwrix Auditor for NetApp

Netwrix Auditor for Windows Server

Netwrix Auditor for Office 365

Netwrix Auditor for SharePoint

Netwrix Auditor for VMware

LinuxUnix

Free Add-Ons

Page 22:

Demonstration

Netwrix Auditor

Page 23:

Next Steps

Experiment with Group Policy in your testlab

Contact Sales to obtain more information

netwrix.com/contactsales

Live One-to-One Demo: product tour with Netwrix expert

netwrix.com/livedemo

Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch previously recorded sessions

netwrix.com/webinars

netwrix.com/webinars#featured

Visit: dirteam.com for more Active Directory information

Page 24:

Sander Berkouwer, CTO at SCCT, 10-fold Microsoft MVP, Active Directory aficionado

Daniel Goater, Systems Engineer, Netwrix

Thank you!

Questions?