Chapter 21. Windows Server 2003 Group Policies

Working Within the Group Policy Snap-in Namespace

Policies, historically known as "system policies," have existed in Windows products for many server versions. However, with Windows Server 2000 and now Windows Server 2003, group policies have become an integral part of the operating system. Group policies are used to deliver a standard set of security controls, rules, and options to a user. In addition, they can be used to configure everything from login scripts and folder redirection to disabling Active Desktop and preventing users from installing software on their workstations.

Leveraging Group Policies

Group policies only apply to Windows 2000 Professional, Windows XP, Windows 2000 Server, and Windows Server 2003 server machines. Any machines running earlier versions of Windows, Unix, or other operating systems will not receive a group policy from Windows Server 2003. Machines receiving group policy settings also must be members of the domain.

There are two areas to which group policies can be applied. One is applied to computers and the other is applied to users.

Using Computer Policies

Computer policies are applied upon boot of the machine, are in place before logon, and are independent of the user login credentials. They apply to the computer only, regardless of who will be logging in. Types of group policies that are best applied in the computer policies include things like:

Startup scripts
Security settings
Permission configuration on local files, Registry hives, or services on a workstation

Software installation can be pushed if the packages are in MSI format, using either the user or computer policies. However, it is suggested that it be pushed via computer policies.

Using User Policies

User policies are applied when the user logs in and occur after boot and during login. They apply to the user regardless of what computer or server the user is logging in to. They follow the user wherever the user goes in the domain.

Types of group policies that are best applied in the user policies are as follows (also not a complete list):

Login scripts
Restrictions on user rights
Folder redirection

Understanding Group Policy Refresh Intervals

Group policies are refreshed at regularly scheduled intervals after a computer has been booted and a user has logged in. By default, group policies are refreshed every 90 minutes on nondomain controllers (with a stagger interval of 30 minutes) and every five minutes on domain controllers.

Refresh intervals are configurable via Group Policy by going to the following areas in Group Policy and changing the refresh interval times:

To change the interval for computer policies and DCs, choose Computer Configuration, Administrative Templates, System, Group Policy.
To change the interval for user policies, choose User Configuration, Administrative Templates, System, Group Policy.

Most changes made to existing Group Policy Objects (or GPOs) or new GPOs will be enforced when the refresh cycle runs. However, the following settings will be enforced only at login or upon boot, depending on the GPO configuration settings:

Software installation configured in the computer policies
Software installation configured in the user policies
Folder Redirection setting configured in the user policies

Note

Computer Configuration security settings are refreshed every 16 hours whether or not the settings have been changed.
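The refresh-interval settings under Administrative Templates, System, Group Policy are written to the Policies hive of the registry, so an administrator can confirm from a client what interval it is actually using without opening the GPMC. The following PowerShell function is an added example, not code from the book: it reads those values for the computer and for the current user and falls back to the defaults the chapter states (90 minutes plus a 30-minute offset on members, 5 minutes on domain controllers). The key path HKLM/HKCU\SOFTWARE\Policies\Microsoft\Windows\System and the value names GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, GroupPolicyRefreshTimeDC and GroupPolicyRefreshTimeOffsetDC are assumed from the documented policy; verify them against your own template version.

```powershell
# Added example (not from the book): report the Group Policy refresh interval
# in effect for this machine and the current user.
# Assumed registry locations written by the "Group Policy refresh interval"
# Administrative Template settings:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\System  (computer policy)
#   HKCU\SOFTWARE\Policies\Microsoft\Windows\System  (user policy)
# Values: GroupPolicyRefreshTime / GroupPolicyRefreshTimeOffset (members, users)
#         GroupPolicyRefreshTimeDC / GroupPolicyRefreshTimeOffsetDC (domain controllers)
function Get-GPRefreshInterval {
    [CmdletBinding()]
    param()

    $policyKey = 'SOFTWARE\Policies\Microsoft\Windows\System'

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # Pick the value names and defaults for the computer side by machine role
    if ($isDC) {
        $cIntervalName = 'GroupPolicyRefreshTimeDC'
        $cOffsetName   = 'GroupPolicyRefreshTimeOffsetDC'
        $cDefInterval  = 5    # chapter default for domain controllers
        $cDefOffset    = 0
    } else {
        $cIntervalName = 'GroupPolicyRefreshTime'
        $cOffsetName   = 'GroupPolicyRefreshTimeOffset'
        $cDefInterval  = 90   # chapter default for member machines
        $cDefOffset    = 30   # stagger interval
    }

    $scopes = @(
        @{ Scope = 'Computer'; Hive = 'HKLM:'; IntervalName = $cIntervalName; OffsetName = $cOffsetName
           DefaultInterval = $cDefInterval; DefaultOffset = $cDefOffset }
        # User policy refresh uses the member value names regardless of machine role
        @{ Scope = 'User'; Hive = 'HKCU:'; IntervalName = 'GroupPolicyRefreshTime'; OffsetName = 'GroupPolicyRefreshTimeOffset'
           DefaultInterval = 90; DefaultOffset = 30 }
    )

    foreach ($s in $scopes) {
        $path  = Join-Path $s.Hive $policyKey
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }

        $interval = $s.DefaultInterval
        $offset   = $s.DefaultOffset
        $source   = 'default'

        # A value present in the Policies key means a GPO has overridden the default
        if ($props -and $null -ne $props.($s.IntervalName)) {
            $interval = [int]$props.($s.IntervalName)
            $source   = 'policy'
        }
        if ($props -and $null -ne $props.($s.OffsetName)) {
            $offset = [int]$props.($s.OffsetName)
        }

        [pscustomobject]@{
            Scope              = $s.Scope
            IsDomainController = $isDC
            RefreshMinutes     = $interval
            StaggerMinutes     = $offset
            Source             = $source
        }
    }
}

Get-GPRefreshInterval | Format-Table -AutoSize
```

Run it in a PowerShell session on the member or DC you are checking; a Source of "policy" on a workstation tells you that someone has changed the interval through one of the two template locations named above, which is worth knowing before you start troubleshooting why a setting seems slow to arrive.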



General Best Practices for Group Policy Deployment

Group Policy usage and configuration can vary greatly with each individual implementation. How GP is implemented can depend on the organization's users, sites, corporate culture, and a myriad of other factors. However, there are basic best practices that apply no matter what the Group Policy implementation. The following sections describe the basic best practices and lessons that have been learned through multiple GP implementations in many different organizations.

The Fewer Policies, the Better: The "Less Is More" Approach

The primary thing to remember with Group Policy is that less is more. Group Policy is very useful, and administrators new to it frequently apply a great many group policies, using Group Policy as the elixir for all administrative issues. However, it's important to remember that with each Group Policy Object that is implemented and with each new layer of Group Policy, a fraction of a second is added onto computer boot time and user login time. Additionally, the GPOs take up space in SYSVOL on domain controllers, causing replication traffic as well as adding complexity that can make troubleshooting more difficult.

Knowing Resultant Set of Policies (RSoP)

The new Group Policy Management Console (GPMC) provides you with a handy tool for planning and testing Group Policy implementations prior to implementing them. Because Group Policy can cause tremendous impact on users, any Group Policy implementation should be tested using the RSoP tool in planning mode. See the sections titled "Using Resultant Set of Policies in GPMC" and "Group Policy Modeling Using Resultant Set of Policy" for more information.

Group Policy Order of Inheritance

Group Policy can be configured on many different levels and, by default, is implemented in a particular order. However, by using the Block Policy Inheritance, Enforcement, and Link Enabled conditions, the default order of application can be changed. It's a good idea to use these conditions sparingly because they can add a great deal of complexity to troubleshooting problems with the Group Policy application. See the sections titled "Understanding GP Inheritance and Application Order" and "Modifying Group Policy Inheritance" later in this chapter for more information.

Knowing the Impact of Slow Link Detection

Slow link detection can change the group policy that a user receives, which can be a difficult thing to troubleshoot as an administrator. Understanding the importance of slow links can make troubleshooting a great deal easier for you if you have WAN links that may go up and down or work in an environment with bandwidth issues. See the section in this chapter titled "Understanding the Effects of Slow Links on Group Policy" for more information.

Delegating GP Management Rights

It is important to delegate the proper rights for administrators to manipulate Group Policy. For example, a very small group of users should be able to edit policies on the domain level, but it might be necessary to allow diverse groups of administrators to configure group policies lower down the AD tree in areas in which they administer. An administrator can delegate the following rights to other administrators:

Create GPO
Create WMI filters
Permissions on WMI filters
Permissions to read and edit an individual GPO
Permissions on individual locations to which the GPO is linked (called the scope of management or SOM)

Using the Group Policy Delegation Wizard makes it easy to give the right groups of administrators the rights they need to do their job, and continue to administer Windows Server 2003 in the most secure ways possible.

Avoiding Cross-Domain Policy Assignments

Avoiding cross-domain policy assignments is a recommended best practice. The more local the policies are, the more quickly the computers boot up and the users can log on, as the users or machines don't have to go across domain lines to receive group policies from other domains. This is especially pertinent for remote users.

Using Group Policy Naming Conventions

The impact of using Group Policy naming conventions cannot be overstated. Naming conventions allow for easier troubleshooting and identification of policies and simplify managing group policies, especially in a large environment.

Using a Proper Naming Convention

Use common naming conventions for similar policies ("Site Name Software Policy," or "OU Name Default Policy") rather than a different naming convention for similar policies. For example, begin Group Policy names with the name of the OU or site to which it applies.

Use descriptive naming for Group Policy Objects. Don't use the default "New Group Policy" for any policy. If it's a software push policy, label it as such.

Use unique names. It is not recommended to name two group policies the same name, especially in different domains or forests.

Understanding the Default Domain Policy

The default domain policy is the domain-level policy that is installed (but not configured) when Windows 2003 is installed. It should not be renamed, removed, deleted, or moved up or down in the list of group policies that exist on the top level of the domain. Certain security settings will only function properly when implemented in the Default Domain Policy (see the following Warning). It's also a good idea to lock down the capability to edit the Default Domain Policy to a small number of administrators because security settings and other domainwide policies are set at that level.

Warning

Account Policy settings applied at the OU level affect the local SAM database, not Active Directory accounts. The Account Policy settings must be applied on the Default Domain Policy to affect Active Directory accounts.

By understanding and using these generic best practices, you can provide users with a more secure, faster running, and uniform application of group policies.
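The naming rules from "Using a Proper Naming Convention" and the "do not rename the Default Domain Policy" rule above are both things that drift over time in a large domain, and both can be checked mechanically. The PowerShell function below is an added example, not code from the book: it takes a list of GPO objects (anything with DisplayName and Id properties), flags default names, duplicate names, names that carry no OU or site prefix, and a renamed Default Domain Policy. It is written so it can be fed constructed sample data offline; against a live domain you would pass the output of Get-GPO -All, which needs the GroupPolicy PowerShell module that ships with the GPMC on Windows Server 2008 R2 and later rather than the Server 2003 GPMC. The prefix list is an assumed example, and the well-known GUIDs of the Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9}) and Default Domain Controllers Policy ({6AC1786C-016F-11D2-945F-00C04FB984F9}) are assumed from Microsoft's documentation.

```powershell
# Added example (not from the book): audit GPO names against the chapter's
# naming best practices and confirm the Default Domain Policy keeps its name.
function Test-GPONamingConvention {
    [CmdletBinding()]
    param(
        # Objects with DisplayName and Id properties, e.g. from Get-GPO -All
        [Parameter(Mandatory = $true)] [object[]] $GPOs,
        # OU / site prefixes the organization uses (assumed example values)
        [string[]] $AllowedPrefixes = @('HQ-', 'Branch-', 'Servers-', 'Contacts-')
    )

    # Assumed well-known GUIDs of the two built-in policies
    $defaultDomainPolicyId = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'
    $defaultDCPolicyId     = [guid]'6AC1786C-016F-11D2-945F-00C04FB984F9'
    $builtIn = @($defaultDomainPolicyId, $defaultDCPolicyId)

    # Count names so duplicates are found across everything passed in
    $nameCount = @{}
    foreach ($g in $GPOs) { $nameCount[$g.DisplayName] = 1 + [int]$nameCount[$g.DisplayName] }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($gpo in $GPOs) {
        $name = $gpo.DisplayName
        $id   = [guid]$gpo.Id
        $issues = @()

        if ($name -match '^New Group Policy') {
            $issues += 'Still has the default name; use a descriptive name'
        }
        if ($nameCount[$name] -gt 1) {
            $issues += 'Name is not unique'
        }
        if ($id -eq $defaultDomainPolicyId -and $name -ne 'Default Domain Policy') {
            $issues += 'Default Domain Policy has been renamed'
        }
        if ($builtIn -notcontains $id) {
            $hasPrefix = $false
            foreach ($p in $AllowedPrefixes) { if ($name.StartsWith($p)) { $hasPrefix = $true } }
            if (-not $hasPrefix) { $issues += 'Name does not start with an OU or site prefix' }
        }

        foreach ($i in $issues) {
            $findings.Add([pscustomobject]@{ Name = $name; Id = $id; Issue = $i })
        }
    }
    return $findings
}

# Constructed sample data standing in for Get-GPO -All
$sample = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy';      Id = '31B2F340-016D-11D2-945F-00C04FB984F9' }
    [pscustomobject]@{ DisplayName = 'HQ-Software Policy';         Id = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'New Group Policy Object';    Id = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'Contacts-Default Policy';    Id = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'Contacts-Default Policy';    Id = [guid]::NewGuid() }
    [pscustomobject]@{ DisplayName = 'Laptop Lockdown';            Id = [guid]::NewGuid() }
)

Test-GPONamingConvention -GPOs $sample | Format-Table -AutoSize
# Live domain (GroupPolicy module present):
# Test-GPONamingConvention -GPOs (Get-GPO -All) | Format-Table -AutoSize
```

On the sample data the report flags the default-named object, both copies of "Contacts-Default Policy" as non-unique, and "Laptop Lockdown" for lacking a prefix; the Default Domain Policy passes because it is matched by GUID rather than by name, which is exactly why a rename of it is detectable at all.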







Understanding GP Inheritance and Application Order

Understanding the order in which Group Policy is applied is essential to administering it successfully. Without a clear understanding, Group Policy implementation and troubleshooting can be very difficult, even with the tools provided by Microsoft to help out with those very things.

Best Practices for Group Policy Inheritance

To maximize the inheritance feature of Group Policy, keep the following in mind:

Isolate the servers in their own OU. Create descriptive Server OUs and place all the nondomain-controller servers in those OUs under a common Server OU. If software pushes are applied through Group Policy on the domain level or on a level above the server's OU and do not have the Enforcement option checked, the server's OU can be configured with Block Policy Inheritance checked. As a result, the servers won't receive software pushes applied at levels above their OU.

Use Block Policy Inheritance and Enforcement sparingly to make troubleshooting Group Policy less complex.

Understanding the Order in Which Group Policy Objects Are Applied

As stated previously, Group Policy Objects are applied in a specific order. Computers and users whose accounts are lower in the Directory tree can inherit policies applied at different levels within the Active Directory tree. Group Policy Objects are applied in the following order throughout the AD tree:

Local Security Policy
Site GPOs
Domain GPOs
OU GPOs
Nested OU GPOs

Nested OU GPOs and on down are applied until the OU of which the computer or user is a member is reached.

If a setting in a Group Policy Object is set to Not Configured in a policy higher up, the existing setting remains. However, if there are conflicts in configuration, the last Group Policy Object to be applied prevails. For example, if a conflict exists in a Site GPO and in an OU GPO, the settings configured in the OU GPO will "win."

If multiple GPOs are applied to a specific AD Object such as a site or OU, they are applied in reverse of the order they are listed. The last GPO is applied first, and therefore if conflicts exist, settings in higher GPOs override those in lower ones. For example, if a Contacts OU has the following three group policies applied to it and they appear in this order (as shown in Figure 21.1), the policies will be applied from the bottom up:

Figure 21.1. Group Policy Object order.
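The rules in this section and in "Best Practices for Group Policy Inheritance" combine in a way that is easy to get wrong by hand: levels apply top-down, links within one container apply bottom-up so that link order 1 lands last, Block Policy Inheritance discards non-enforced GPOs from above, and enforced links apply after everything else with the highest container's enforced link applied last. The PowerShell function below is an added example, not code from the book or from Microsoft's own processing engine: it models those rules over constructed sample data (a Contacts OU with Block Policy Inheritance set beneath a domain whose Default Domain Policy is enforced) and prints both the order the client would apply the GPOs and the winning value of each conflicting setting. GPO names, settings and values are all made up for the illustration; use RSoP in planning mode, as the chapter recommends, for the authoritative answer on a real domain.

```powershell
# Added example (not from the book): model Group Policy precedence with link
# order, Enforced links and Block Policy Inheritance, then resolve conflicts
# by "last applied wins". Sample data is constructed.

# Helper building one GPO link; Settings maps a setting name to its value,
# with 'Not Configured' meaning the GPO leaves the setting alone.
function New-GPOLink {
    param([string]$Name, [int]$LinkOrder, [hashtable]$Settings,
          [switch]$Enforced, [switch]$Local)
    [pscustomobject]@{ Name = $Name; LinkOrder = $LinkOrder; Settings = $Settings
                       Enforced = [bool]$Enforced; Local = [bool]$Local }
}

function Resolve-GPOPrecedence {
    # $Levels runs from the top of the tree down: Local, Site, Domain, OU, nested OU
    param([Parameter(Mandatory = $true)] [hashtable[]] $Levels)

    $normal   = @()   # non-enforced GPOs in the order the client applies them
    $enforced = @()   # enforced GPOs; applied last, with higher containers later
    foreach ($level in $Levels) {
        if ($level.BlockInheritance) {
            # Block Policy Inheritance drops non-enforced GPOs from containers above.
            # The local GPO is not linked anywhere, so it is not blocked.
            $normal = @($normal | Where-Object { $_.Local })
        }
        # Within a container, link order 1 has highest precedence and is applied last
        $ordered = @($level.Links | Sort-Object LinkOrder -Descending)
        $normal += @($ordered | Where-Object { -not $_.Enforced })
        # Prepend so that enforced links from higher containers end up applied last
        $enforced = @($ordered | Where-Object { $_.Enforced }) + $enforced
    }
    $applied = $normal + $enforced

    # Last writer wins; Not Configured leaves the earlier value in place
    $effective = @{}
    foreach ($gpo in $applied) {
        foreach ($setting in $gpo.Settings.Keys) {
            $value = $gpo.Settings[$setting]
            if ($value -ne 'Not Configured') {
                $effective[$setting] = "$value (from $($gpo.Name))"
            }
        }
    }
    [pscustomobject]@{
        ApplyOrder = @($applied | ForEach-Object { $_.Name })
        Effective  = $effective
    }
}

# Constructed sample tree for a user in the Contacts OU
$levels = @(
    @{ Name = 'Local';  Links = @(New-GPOLink -Name 'Local Security Policy' -LinkOrder 1 -Local `
                                       -Settings @{ ScreenSaverTimeout = '600' }) }
    @{ Name = 'Site';   Links = @(New-GPOLink -Name 'HQ-Site Policy' -LinkOrder 1 `
                                       -Settings @{ ScreenSaverTimeout = '900' }) }
    @{ Name = 'Domain'; Links = @(
        (New-GPOLink -Name 'Default Domain Policy' -LinkOrder 1 -Enforced `
                     -Settings @{ MinPasswordLength = '12' }),
        (New-GPOLink -Name 'Corp-Banner Policy' -LinkOrder 2 `
                     -Settings @{ LogonBanner = 'Corp'; ScreenSaverTimeout = 'Not Configured' })) }
    @{ Name = 'Contacts OU'; BlockInheritance = $true; Links = @(
        (New-GPOLink -Name 'Contacts-Default Policy' -LinkOrder 1 `
                     -Settings @{ ScreenSaverTimeout = '300' }),
        (New-GPOLink -Name 'Contacts-Software Policy' -LinkOrder 2 `
                     -Settings @{ ScreenSaverTimeout = '1200'; LogonBanner = 'Contacts' })) }
)

$result = Resolve-GPOPrecedence -Levels $levels
'Apply order: ' + ($result.ApplyOrder -join ' -> ')
$result.Effective.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

With this data the apply order comes out as Local Security Policy, Contacts-Software Policy, Contacts-Default Policy, Default Domain Policy: the site and Corp-Banner GPOs are blocked at the OU, the two OU links apply bottom-up so link order 1 wins the ScreenSaverTimeout conflict with 300, and the enforced Default Domain Policy still reaches the OU despite Block Policy Inheritance, which is the behaviour the chapter's advice about enforcing domain-level security settings relies on.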