Active Directory Group Policies - PowerPoint PPT Presentation

Slides: 37
Provided by: NetworkAdm50

1
Active Directory Group Policies
  • A more in-depth Look

2
Presented by
  • Clay Walker
  • Bridgeport ISD
  • clay_at_bridgeportisd.net
  • Notes and other information can be found at
  • http://www.ntatd.org/clay

3
BISD Active Directory Overview
  • All students grade 3-12 have an active directory
    account
  • All users have a personal h drive
  • All Data (student and faculty) is stored on a
    server (no local data)
  • My Documents is redirected to h drive
  • Favorites is redirected to the h drive

4
BISD A/D overview (cont)
  • Each campus has an application folder for
    networked (and not so networked) applications.
  • Campus Shortcuts folder
  • Faculty Application Shortcuts
  • Student Application Shortcuts
  • Printer Shortcuts

5
Computer OUs
  • Fac/Staff Computers
      • Organized by Campus
  • Admin
      • Organized by Campus
  • Laptops separate
  • Servers Separate
  • Student Computers
      • Organized by campus
      • Each lab has its own OU
  • Student Computers
      • HS
          • Lab1
          • Lab2
      • MS
          • Lab1
          • Lab2

6
Computer OUs
  • Allows ability to apply GPOs at many different
    levels

7
User OUs
  • Faculty
      • Organized by campus
      • Super users in separate OU
  • Students
      • Organized by Graduation Year

8
BISD LAN Overview
  • Windows 2003 Servers
  • Windows XP Pro Clients (100)
  • Fiber connectivity between all campuses (1Gbps)

9
Access Based Enumeration
  • With ABE installed, users only see what they have
    permission to read and/or write.
  • Windows 2003 Server only
  • Installed on server that shares the files
  • Quick and easy to install and configure
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

10
Access Based Enumeration
Administrator Logged In Sees
Student Logged in Sees
11
Group Policies Fundamentals
  • GPOs can ONLY be applied to OUs
  • Use GPMC.msc to manage GPOs (download from
    Microsoft)
  • If the user is an administrator on the local
    computer, most (if any) of the restrictions will
    not work
  • GPOs can be used to open the PC enough so that
    users DO NOT NEED to be local administrators

12
Group Policy Fundamentals
  • 2 sections in each group policy
      • Computer Configuration
          • Workstation settings such as security,
            services, etc.
      • User Configuration
          • User environment settings such as login
            scripts, desktop environment, restrictions, etc.
  • Normally, if you apply a User Configuration
    policy to a Computer OU, nothing happens.

13
Group Policy Best Practices
  • Create Test OUs under production OU
  • Apply policies to that Test OU
  • Move a test computer into that OU
  • Allow for replication
  • gpupdate /force on the client and reboot
  • When finished testing, move computer back to
    production OU, gpupdate and reboot

14
GPO Example Redirect My Docs
  • Redirect My Documents
  • User Configuration -> Windows Settings -> Folder
    Redirection -> My Documents
  • Basic: Redirect everyone's folder to the same
    location
  • Target folder location: Create a folder for each
    user under the root path \\student1\08
  • Settings tab
  • IMPORTANT: Uncheck "Grant the user exclusive
    rights to My Documents"

15
GPO Example Redirect My Docs
16
GPO Example Permissions
  • AutoCAD 2005
  • Give users modify rights to
  • c:\program files\AutoCAD 2005
  • Computer Configuration -> Windows Settings ->
    Security Settings -> File System -> Add File,
    browse for folder, and set permissions
  • CLASSES_ROOT\AutoCAD.Drawing.15\protocol\StdFileEditor\Server
  • Computer Configuration -> Windows Settings ->
    Security Settings -> Registry -> Add Key, browse
    for key, and set permissions.
  • CLASSES_ROOT\CLSID\8E75E913-3D21-11D2-85C4-0800009A0C626

17
GPO Example - Permissions
  • How did we know what Reg keys and files to open
    up?
  • Documentation ? (if it exists)
  • regmon, filemon, and now processmon
  • http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  • Log in as regular user
  • Make sure processmon is in a location the regular
    user can access
  • Use Runas to start the processmon program as
    Administrator and monitor what is being accessed

18
GPO Example - Permissions
19
GPO Example Software Push
  • Adobe Acrobat Reader 8
  • Must be an MSI file
  • If you can't download an MSI (Adobe has MSIs
    available), you may be able to extract one from a
    setup package (.exe file)
  • You can use an MST transform file to customize
    the install
  • use documentation or ORCA to create your MST

20
GPO Example Software Push
  • Computer Configuration -> Software Settings ->
    Software Installation: New -> Package.
  • Find MSI file
  • make sure MSI is located in a share that EVERYONE
    has at least read only access to
  • Select Assigned (if no MST file)
  • Select Advanced (if MST file)
  • Select Modifications tab
  • Add MST file (should be in same share as MSI file)

21
GPO Example Printer
  • In a lab scenario, you want all users to get
    connected to the lab printer and set as default
  • Must have Loop Back Processing enabled
  • Computer Configuration -> Administrative
    Templates -> System -> Group Policy: User Group
    Policy loopback processing mode: Enabled, Mode:
    Merge
  • This is done at the highest level (all
    computers have this policy enabled)

22
GPO Example Printer
  • Write the script first
  • Example

      On Error Resume Next
      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set oPrinters = WshNetwork.EnumPrinterConnections
      ' The collection holds (port, printer path) pairs, so step by 2
      For i = 0 To oPrinters.Count - 1 Step 2
          ' Leave the local LPT1 printer alone, remove everything else
          If oPrinters.Item(i) <> "LPT1:" Then
              PrinterPath = oPrinters.Item(i + 1)
              WshNetwork.RemovePrinterConnection PrinterPath, True, True
          End If
      Next
      ' Connect the lab printer and make it the default
      Set WshNetwork = WScript.CreateObject("WScript.Network")
      PrinterPath = "\\apps1\hs-BusEdLas"
      WshNetwork.AddWindowsPrinterConnection PrinterPath
      WshNetwork.SetDefaultPrinter PrinterPath

23
GPO Example Printer
  • Save the script anywhere (temporary location)
  • Create the policy
  • User Configuration -> Windows Settings -> Scripts
    (Logon/Logoff): Logon
  • Click Add and then Browse
  • Copy script into this folder (automatically opens
    where you need to have the script)
  • Apply the policy to the Lab OU (COMPUTER OU not
    USER)
  • The loopback processing feature allows this USER
    policy to run even though it is applied to the
    COMPUTER OU

24
GPO Example Drive Mapping
  • Create your script
  • Example

      On Error Resume Next
      Dim WshNetwork
      Set WshNetwork = WScript.CreateObject("WScript.Network")
      ' Map q: to the campus application share (False = do not persist)
      WshNetwork.MapNetworkDrive "q:", "\\apps2\hsapps", False
      WScript.Quit

25
GPO Example Drive Mapping
  • Save the script anywhere (temporary location)
  • Create the policy
  • User Configuration -> Windows Settings -> Scripts
    (Logon/Logoff): Logon
  • Click Add and then Browse
  • Copy script into this folder (automatically opens
    where you need to have the script)
  • Apply the policy to the Users OU

26
GPO Example Software Hash
  • Used to block .exes from running (i.e. games,
    unwanted applications, etc.)
  • Computer Configuration -> Windows Settings ->
    Security Settings -> Software Restriction
    Policies
  • Right-click: New Software Restriction Policy
  • -> Additional Rules, right-click: New Hash Rule,
    Browse, OK

27
GPO Example Wireless Profile
  • Used to push out Wireless settings to clients
  • Clients must use Windows to manage Wireless Card
  • GPO must be created from a 2003 DC (settings are
    not available on an XP workstation)
  • Once the GPO is created, you need to wait for
    replication before you edit the Wireless Policies

28
GPO Example Wireless Profile
  • Computer Configuration -> Windows Settings ->
    Security Settings -> Wireless Network (IEEE
    802.11) Policies
  • Right-click: Create Wireless network policy
  • Edit Policies: create SSID profiles with
    security
  • Requires testing, but once it is set, it works
    well

29
Group Policy Example - Firewall
  • Windows Firewall has 2 states
  • Domain Profile: if the computer can see a
    Domain Controller. This indicates it is on its
    home network
  • Standard Profile: if the computer cannot see a
    Domain Controller, indicating it is on a foreign
    network
  • Set the standard profile very restrictive:
    firewall on, no or very limited exceptions (for
    inbound traffic)
  • Set the domain profile very unrestrictive:
    firewall off or allow all traffic incoming from
    local network

30
Group Policy Example - Firewall
  • Computer Configuration -> Administrative
    Templates -> Network -> Network Connections ->
    Windows Firewall

31
Group Policy Example WSUS
  • Use GPO to define WSUS groups and Settings
  • Computer Configuration -> Administrative
    Templates -> Windows Components -> Windows
    Updates
  • Configure Automatic Updates: Enabled
  • 4 - Auto d/l and schedule install
  • Install day: 0 - Everyday
  • Install time: 20:00
  • Specify intranet Microsoft update service
    location: Enabled
  • Enable client-side targeting: Enabled
  • Reschedule Automatic Updates scheduled
    installations: Enabled
  • Allow Automatic Updates immediate installation:
    Enabled

32
Group Policy Example TestNav
  • Online TAKS Testing
  • Set IE to use proctor cache as proxy, disable any
    A/V services (optional), open firewall ports (if
    needed)
  • User Configuration -> Windows Settings ->
    Internet Explorer Maintenance -> Connection:
    Proxy Settings

33
Custom Group Policy Templates
  • ADM Files
  • Use notepad to edit/create
  • Use examples or web to help create
  • www.ntatd.org/clay
  • Bottom of page: Group Policy Template for
    Favorites Folder and Group Policy Template for
    several hacks

34
Custom Group Policy Templates
  • Right Click Administrative Templates to import
    ADM files
  • Highlight Administrative Templates, View ->
    Filtering -> Clear "Only show policy settings
    that can be fully managed"
  • Tattooed policies
  • Repeat for each GPO (where ADM needed) and for
    both User and Computer Configurations
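
A minimal ADM file illustrating the filtering and tattooing points above. It is an added example, not one of the presenter's templates: the category name, the policy names and the second policy's key and value are hypothetical. The first policy writes outside the Policies branch of the registry, so it is a tattooed preference; the second writes under Software\Policies and is fully managed.

```adm
; Added example, not one of the presenter's templates.
; Category name, policy names and the ExampleVendor key are hypothetical.
CLASS USER

CATEGORY "Example Custom Settings"

  ; Preference: the key is outside Software\Policies, so the value stays
  ; in the user's registry after the GPO no longer applies (tattooed).
  ; The editor hides this entry until "Only show policy settings that
  ; can be fully managed" is cleared.
  POLICY "Set IE Start Page (preference)"
    KEYNAME "Software\Microsoft\Internet Explorer\Main"
    EXPLAIN "Sets the Internet Explorer home page for the user."
    PART "Start page URL" EDITTEXT
      VALUENAME "Start Page"
      DEFAULT "http://intranet.example/"
      MAXLEN 255
    END PART
  END POLICY

  ; Fully managed policy: the key is under Software\Policies, so the
  ; value is removed again when the GPO falls out of scope and the
  ; entry is visible without changing the filter.
  POLICY "Disable example feature (managed)"
    KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
    EXPLAIN "Turns off a feature in a hypothetical application."
    VALUENAME "DisableFeature"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY

END CATEGORY
```

To undo a tattooed setting, the value has to be set back explicitly, for example by a policy that writes the original value; removing the GPO link alone leaves it in place.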

35
Custom Group Policy Templates
  • Turn off Remove Wallpaper setting in UltraVNC
  • Disable MSN Messenger
  • Disable pop-up balloons on start bar (such as
    Clean up your desktop)
  • Set IE Start Page
  • Set Default Mail Icon and Default Browser on XP
    Start Menu
  • Redirect Favorites Folder

36
Presented by
  • Clay Walker
  • Bridgeport ISD
  • clay_at_bridgeportisd.net
  • Notes and other information can be found at
  • http://www.ntatd.org/clay