Understanding Group policy

1
Understanding Group policy

• Felix Sedney
• Trainer/consultant
• InfoSupport bv
• FelixS_at_InfoSupport.com

Toni Bataraga Consultant InfoSupport
bv ToniB_at_InfoSupport.com
2
Prerequisites

• Experience Administering Windows 2000 / Windows
  server 2003.
• Familiarity with the Windows server user
  interface
• Understanding of Active Directory and Group
  Policy concepts

3
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

4
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

5
Staging Environment
Production Environment
Staging Environment
6
Staging Environment

• CreateXMLFromEnvironment.wsf
• Run against source (production) environment
• Stores policy settings in XML file
• Backs up GPOs
• CreateEnvironmentFromXML.wsf
• Create objects in target (staging) environment

7
Staging EnvironmentScript example

• cscript CreateXMLFromEnvironment.wsf
• C\Production.xml /domainnwtraders.msft
  /startingOU"ousales,dcnwtraders,dcmsft"
• /includeusers
• /templatepathC\staging\GPOBackup
• cscript CreateEnvironmentFromXML.wsf
• /XMLC\Production.xml
• /CreateUsersEnabled
• /PasswordForUsers"Sesam0pen"
• /ImportDefaultGPOs

8
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

9
Creating Policies

• Software Restriction Policies
• Software Deployment
• Folder Redirection
• LoopBack processing

10
Creating PoliciesSoftware Restriction Policies

• Avoid execution of undesired programs
• Increase productivity
• Avoid virusses
• Reduce support calls
• Rules
• Hash
• Path
• Certificate
• Internet Zone

11
Creating PoliciesSoftware Deployment

• Assign / Publish
• MSI and MST files
• Software Categories
• Upgrades

12
Creating PoliciesFolder redirection

• Application Data
• Desktop
• My Documents
• Start Menu

13
Creating PoliciesLoopBack Processing

• Why use LoopBack Processing ?
• LoopBack Processing Modes
• Replace mode
• Merge Mode

14
Creating PoliciesBest Practices

• Use GPMC
• Do not link to Sites
• Limit Inheritance Modifiers
• Limit Scoping Options
• Avoid Cross Domain Linking
• Choose a Manageable Hierarchy
• Disable Unused Nodes

15
Demonstration
Demo Environment
NWTraders.msft
TestNWTraders.msft
WS03
WS01
WS02
London
TestSrvr
Production
Staging
16
Demonstration

• Creating Staging environment
• Creating Policies

17
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

18
Filtering

• Scope Of Management
• Security Filtering
• WMI Filtering

19
FilteringWMI Filtering

• Uses WQL (Windows Management Instrumentation
  Query Language)
• Dynamic determination of scope
• Mainly focussed on System Properties
• One WMI Filter per GPO
• WMI Filter can be applied to Multiple GPOs
• Apply GPO if query returns true.
• W2000 ignores query and always applies GPO

20
Demonstration

• Security Filtering
• WMI Filtering

21
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

22
Testing And Troubleshooting

• GP influenced by
• Inheritance
• Asynchronous
• LoopBack
• Replication
• GP Refresh

• WMI Filter
• OS
• Security Filtering
• Disabled GPO
• Slow Links

23
Testing And Troubleshooting

• Group Policy Modelling (RSOP Planning Mode)
• Group Policy Results (RSOP Logging Mode)
• GPOTool
• GPResult
• GPInventory

24
Testing And Troubleshooting Group Policy
Modelling

• Requirements
• Windows Server 2003 DC
• GPMC
• Simulate Container or Object
• Specific user
• Specific computer
• Specific container

25
Testing And Troubleshooting Group Policy Results

• GP settings actually in effect on user / computer
• Local Policies are taken into account

26
Testing And Troubleshooting GPOTool

• Group Policy Verification Tool
• Test Consistency GPC/GPT on all DCs
• Cross Domain Support
• Search GPO

27
Testing And Troubleshooting GPResult

• GP Settings and RSOP
• View users / computers
• Profiles
• GPO
• OS
• groups

28
Testing and TroubleshootingBest Practices

• Do not use administrators as testing audience
• Be careful with DCGPOFix
• ICMP ping is used to detect slow networks

29
Demonstration

• GP Modelling
• GP Results

30
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

31
From Staging To Production Env.

• Copy
• Backup
• Import
• Restore

32
Testing And Troubleshooting GPInventory

• Overview users / computers in Domain / OU
• Installed applications
• systems where GPO has applied
• Hardware inventory
• Predefined queries
• Output in txt or xml format

33
From Staging To Production Env.Copy

• Copy GPO to desired destination domain
• Always creates a new GPO
• Migration Table
• Rights in Target Domain
• Copy DACL (optional)

34
From Staging To Production Env.Backup

• Backup to File System
• Multiple backups of same GPO at same location

35
From Staging To Production Env.Import

• Import in Existing GPO
• Migration Table
• DACL never Modified

36
Demonstration

• Backup and Restore
• From Staging to Production

37
Agenda

• Staging Environment
• Creating Policies
• Filtering
• Testing and Troubleshooting
• From Staging to Production Environment
• Useful Tools

38
Useful Tools

• PolicySettings.XLS
• ADMX.EXE
• SONAR.EXE

39
(No Transcript)