Chapter 29. Group Policy Management for Network Clients

workstation experience appropriate to the varying functional needs in your company.

This chapter concentrates on ways you can apply Group Policy tools to users and groups based on their specific needs and goals. In addition to providing general best practices, this chapter provides recommendations on how to handle particular types of network users through Group Policy.



Leveraging the Power of Group Policy

Group Policy is used to deliver a standard set of security settings, controls, rules, and options to a user and workstation when the computer starts and the user logs on to the domain. It can be used to configure everything from logon scripts and folder redirection to enabling desktop features and preventing users from installing software on network workstations. With Windows Server 2003 and applications such as Microsoft Office, Group Policy can also control the preferences and options that are available when configuring and customizing the application.

This section helps network administrators understand Group Policy, its functionality, and its characteristics when they manage the enforcement of policies.



Managing Group Policy

To manage Group Policy, administrators must understand that Group Policy applies only to Windows 2000 client systems, Windows XP client systems, Windows 2000 server systems, and Windows Server 2003 server systems. Older clients such as Windows NT 4.0 and Windows 9x process the legacy system policies instead and ignore GPOs.

To access and manage Group Policy, administrators can use the Group Policy Object Editor snap-in, which is reached from the Group Policy tab of a site, domain, or organizational unit in Active Directory Users and Computers or Active Directory Sites and Services, both in the Administrative Tools program group of a domain controller. A more powerful option for managing Group Policy with Windows Server 2003 is the Group Policy Management Console (GPMC), described in detail in Chapter 21, "Windows Server 2003 Group Policies."

With the basic Group Policy snap-in, administrators get a standard management console through the built-in administrative tools of Windows Server: a single interface to access, manage, and configure policies with the standard options and functionality available in the built-in Windows tools.

Using the Group Policy Management Console, administrators get easier access to Group Policy and management capabilities that extend beyond the standard options of the built-in snap-in. GPMC also provides enhanced functionality and options for planning and testing Group Policy implementations before deploying and enforcing them on the Windows domain.



Note

To manage Group Policy in a Windows 2000 domain with GPMC, the GPMC must be installed on a Windows XP desktop (or a Windows Server 2003 member server) that is joined to the domain being managed; it cannot be installed on a Windows 2000 domain controller.

The GPMC must be installed on Windows Server 2003 or Windows XP (on Windows XP, Service Pack 1 and the .NET Framework are prerequisites). The GPMC.msi package can be downloaded from
http://www.microsoft.com/Windowsserver2003/downloads/featurepacks
After it is installed, it can be found in the Start menu in the Administrative Tools program group by selecting the Group Policy Management option (gpmc.msc).



Caution

Because Group Policy can have a tremendous impact on users, any Group Policy implementation should be tested with the Resultant Set of Policy (RSoP) tool in planning mode before it is deployed. See the "Working with Resultant Set of Policies" section to learn more about testing Group Policy with the Group Policy Modeling feature of the Group Policy Management Console.



Understanding Policies and Preferences

When working with Group Policy, you have two methods for making changes on the local workstations: using preferences and using policies. With both preferences and policies, changes are applied and enforced through the local Registry of the machine where they are being applied.

With preferences, changes to options such as wallpaper, screen savers, and application settings are written to the ordinary Registry locations where the application itself stores them. With policies, changes are written to the dedicated policy keys (HKLM\Software\Policies, HKCU\Software\Policies, and the Policies subkeys under Software\Microsoft\Windows\CurrentVersion), which are protected by access control lists (ACLs) so that ordinary users cannot change them. Note that "preferences" here means Registry settings written outside the policy keys; it is not the separate Group Policy Preferences feature that arrived with later Windows versions.

Although a policy overrides the matching preference setting while the policy is in force, the policy does not overwrite the preference keys that were set on the local system by the workstation user. This means that if a policy is created, configured, and applied and the policy is later removed, the preferences the local user had set before the policy was applied return. The reverse is not true: a preference-style setting written by a GPO stays in the Registry after the GPO is removed (this is often called tattooing), which is one more reason to prefer true policies.

This makes policies a powerful tool when a network administrator wants to control certain aspects of a client application or wants something the user accesses to remain static. Policies can be used to prevent end users from changing the appearance, configuration, or functionality of the item to which the policy was applied.



Group Policy and Security Templates

One of the most important features for minimizing administration when working with Group Policy is leveraging security templates. Security templates are predefined sets of security settings, supplied by Microsoft, for applying a consistent configuration to a specific area or software component available to users on the network. Based on the type of users and environment needed, these templates are a handy tool for creating and enforcing configuration settings on the components already defined in the template.

Installed with Windows 2000 Server and Windows Server 2003 as .inf files in the %SystemRoot%\security\templates folder, these templates can be imported into Group Policy Objects (GPOs) under Computer Configuration, Windows Settings, Security Settings, where they can be implemented as is or modified to meet the specific needs of the area in which the template applies. Even when they are modified, templates are a great starting point for network administrators to obtain a base-level configuration of a client workstation's software components or security settings.

Templates can be used to configure settings such as account policies, event log settings, local policies, Registry permissions, file and folder permissions, restricted groups, and system services. Application settings, such as those for the Exchange Server 2003 (Outlook) client, are not carried in security templates; they are delivered through administrative templates (.adm files) loaded under the Administrative Templates node of a GPO.



Defining the Order of Application

When applying Group Policy, each policy object is applied in a specific order. Computers and users whose accounts are lower in the Active Directory tree may inherit policies applied at different levels within Active Directory. Policies are applied to objects in Active Directory in the following order:

1. Local security policy (the local GPO)
2. Site GPOs
3. Domain GPOs
4. OU GPOs
5. Nested OU GPOs, and on down until the OU that contains the computer or user is reached

Because each level is written on top of the previous one, a setting in an OU GPO wins over a conflicting setting in a domain, site, or local GPO, and a GPO linked to the OU that directly contains the object wins over GPOs linked to its parent OUs. If multiple GPOs are linked to the same site, domain, or OU, they are applied in the reverse of their link order as shown in GPMC: the GPO with the highest link order number (at the bottom of the list) is applied first, and the GPO with link order 1 (at the top of the list) is applied last, so its settings win any conflict. The exception is a link marked Enforced (No Override in the older snap-in): an enforced GPO wins over conflicting settings from lower levels, and when several enforced links conflict, the one nearest the top of the tree takes final precedence.



Group Policy Refresh Intervals

When Group Policy is applied, the policy is refreshed and enforced at regularly scheduled intervals after a computer has been booted and a user has logged on to the domain. By default, Group Policy is refreshed every 90 minutes, with a random offset of up to 30 minutes, on workstations and member servers within the domain; domain controllers refresh every 5 minutes.

When you need better control over the refresh interval, it can be configured through the policy settings themselves. Using the GPMC, open the domain policy and go to the following:

Computer Configuration, Administrative Templates, System, Group Policy (to change the interval for computer policies and for domain controllers)
User Configuration, Administrative Templates, System, Group Policy (to change the interval for user policies)

Changes made to existing GPOs, or new GPOs being created, are enforced when the refresh cycle runs. However, the following settings are applied only at logon or when a workstation boots to the domain, never during a background refresh:

Software installation configured in the Computer Configuration
Software installation configured in the User Configuration
Folder redirection configured in the User Configuration

To apply a change without waiting for the next cycle, run gpupdate on a Windows XP or Windows Server 2003 client (gpupdate /force reapplies all settings, and the /logoff and /boot switches trigger the logoff or restart that the settings above require); on Windows 2000 the equivalent is secedit /refreshpolicy.

Note

When working with application settings, refresh intervals can be configured and customized to fit the environment's needs. You should leave the refresh interval at the default, however, unless requirements call for it to be modified; a shorter interval increases the load on domain controllers and the network for every client in scope.



Baseline Administration for Group Policy Deployment

Now that you have a base understanding of the functionality and terminology of Group Policy, you can look at usage and at how the configuration of Group Policy can vary greatly with each individual implementation.

Administrators can use this information to understand the more common methods of applying permissions to Group Policy for management purposes and the tools for testing Group Policy implementations before deployment in the production environment.

Note

In this section, some best practices for managing Group Policy are covered. For more information and details regarding Group Policy management, view the help information for managing Group Policy with Windows 2000 Server and Windows Server 2003.



Delegating Group Policy Management Rights

It is important to delegate the proper rights for administrators to manage and manipulate Group Policy. For example, in larger organizations, a very small group of users normally has permission to edit policies at the domain level. However, when specific requirements exist for administering applications such as the Exchange client, permissions can be granted for specific areas with the Group Policy Management Console.

When creating specific permissions with the GPMC, administrators can delegate control for other administrators to manage the following areas within Group Policy:

Creating GPOs (membership in the Group Policy Creator Owners group, or the same right granted on the Delegation tab of the Group Policy Objects container)
Creating WMI filters
Permissions on individual WMI filters
Permissions to read and edit an individual GPO
Permissions on the individual locations to which the GPO is linked, called the scope of management (SOM): linking GPOs, running Group Policy Modeling analyses, and reading Group Policy Results data

To assign these permissions, administrators use the Delegation tab that GPMC shows for each GPO, WMI filter, site, domain, and OU; the Delegation of Control Wizard in Active Directory Users and Computers can grant the SOM rights as well. Keep in mind that edit rights on a GPO amount to control of every computer and user the GPO applies to, so grant them as narrowly as the OU structure allows and review them periodically.



Working with Resultant Set of Policies

The GPMC tool provides administrators with a function called Resultant Set of Policy (RSoP) for planning and testing Group Policy implementations before enforcing them on domain workstations and users. GPMC exposes RSoP in two forms: Group Policy Modeling (RSoP planning mode) simulates what a user or computer would receive, and Group Policy Results (RSoP logging mode) reports what an actual computer and user did receive. Using RSoP in planning mode, administrators can simulate the deployment of a specified group policy, evaluate the results of the test, make changes as needed, and then test the deployment again. After RSoP shows that the GPO is correct, the administrator can back up the GPO configuration and import it into production.

To run RSoP in simulation mode, right-click Group Policy Modeling in the forest that will be simulated and choose Group Policy Modeling Wizard. The wizard lets you specify slow links, loopback processing, WMI filters, security group membership, and other configuration choices. Each modeling run is presented in its own report as a subnode under the Group Policy Modeling node. The simulation is performed by a Windows Server 2003 domain controller, so it reflects what the directory says should apply, not what a particular machine has actually processed; after deployment, confirm the real result with Group Policy Results or with gpresult on the client.

Tip

Because errors in Group Policy settings can affect users and client/server connectivity, any Group Policy implementation should be tested using the RSoP tool in planning mode before applying the policy.



Managing Group Policy Inheritance

To get the most from the inheritance feature of Group Policy, keep the following in mind:

Isolate the servers in their own OU. Create descriptive server OUs and place all the non-domain-controller servers in those OUs under a common Server OU. If software pushes are applied through Group Policy at the domain level or at a level above the Server OU and do not have the Enforced option checked, the Server OU can be configured with Block Inheritance checked. As a result, the servers won't receive software pushes applied at levels above their OU. Enforced links are not affected by Block Inheritance, which is exactly why domain-wide security baselines should be enforced and software pushes should not be.

Use Block Inheritance and Enforced sparingly to make troubleshooting Group Policy less complex.
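To make the precedence rules concrete, here is an added example (not code from the book or from Microsoft) that models the processing order from "Defining the Order of Application" together with the Block Inheritance and Enforced behavior described in this section. It is written in Python so the rules can be checked without a domain; the site, domain, OU and GPO names and the setting values are constructed for the illustration, the local GPO is assumed never to be blocked, and each GPO's settings are flat name/value pairs standing in for Registry-based policy settings.

```python
"""Model of Group Policy processing order for one user or computer object.

Added illustration, not code from the book or from Microsoft. It simulates
the ordering rules in the text (local, site, domain, OU, nested OU; link order
within a container; Block Inheritance; Enforced) on constructed sample GPOs.
Assumptions: a GPO is a flat name/value dict standing in for its settings,
the local GPO is never blocked, and all names below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False  # "Enforced" in GPMC, "No Override" in the old snap-in


@dataclass
class Container:
    """A site, domain, or OU. links are in GPMC link order: index 0 = link order 1."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local: GPO, chain: List[Container]) -> List[Tuple[str, Link]]:
    """Return (container name, link) pairs in the order Windows applies them.

    chain lists containers from the top down: [site, domain, ou, nested ou, ...].
    Later in the returned list means applied later, and a later setting wins.
      - Within one container, link order N is applied first and link order 1 last.
      - Block Inheritance on a container discards every non-enforced link
        inherited from the containers above it; the local GPO is not inherited
        from any container, so it is never blocked.
      - Enforced links are never blocked and are applied after all non-enforced
        links, ordered so that the enforced link nearest the top of the tree
        is applied last and therefore wins.
    """
    normal: List[Tuple[str, Link]] = []
    enforced_by_level: List[List[Tuple[str, Link]]] = []
    for container in chain:
        if container.block_inheritance:
            normal = []  # drop the non-enforced links inherited so far
        own = [(container.name, link) for link in reversed(container.links)]
        normal.extend(pair for pair in own if not pair[1].enforced)
        enforced_by_level.append([pair for pair in own if pair[1].enforced])
    order = [("Local Computer", Link(local))] + normal
    for level in reversed(enforced_by_level):  # deepest OU first, site last
        order.extend(level)
    return order


def resultant_settings(local: GPO, chain: List[Container]) -> Dict[str, Tuple[object, str]]:
    """Apply GPOs in processing order; map each setting to (value, winning GPO@container)."""
    result: Dict[str, Tuple[object, str]] = {}
    for where, link in processing_order(local, chain):
        for name, value in link.gpo.settings.items():
            result[name] = (value, f"{link.gpo.name}@{where}")
    return result


def names(local: GPO, chain: List[Container]) -> List[str]:
    """GPO names in application order, for display and for checks."""
    return [link.gpo.name for _, link in processing_order(local, chain)]


# --- constructed sample environment (every name and value here is made up) ---
LOCAL = GPO("Local Computer Policy", {"ScreenSaverTimeout": 600, "Wallpaper": "local.bmp"})
SITE = Container("Default-First-Site-Name", [
    Link(GPO("Site-Baseline", {"Wallpaper": "site.bmp"})),
])
DOMAIN = Container("corp.example", [
    Link(GPO("Domain-Security", {"MinPasswordLength": 12, "ScreenSaverTimeout": 900}), enforced=True),
    Link(GPO("Domain-Desktop", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 300})),
])
SERVERS = Container("Servers", [
    Link(GPO("Server-Hardening", {"ScreenSaverTimeout": 1200, "Wallpaper": "none"})),
], block_inheritance=True)
WORKSTATIONS = Container("Workstations", [
    Link(GPO("Workstation-Desktop", {"Wallpaper": "ws.bmp"})),
])


if __name__ == "__main__":
    for ou in (WORKSTATIONS, SERVERS):
        chain = [SITE, DOMAIN, ou]
        print(f"{ou.name}: applied in order {names(LOCAL, chain)}")
        for setting, (value, winner) in sorted(resultant_settings(LOCAL, chain).items()):
            print(f"  {setting} = {value!r}  (from {winner})")
```

Running the block prints, for each sample OU, the GPOs in application order and the winning source of each setting. The Servers OU blocks the domain's non-enforced Domain-Desktop GPO but still receives the enforced Domain-Security GPO, which also overrides the OU's own screen-saver timeout; that is the behavior the server-OU bullet above relies on, and it is why Enforced belongs on security baselines and not on software pushes.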



Group Policy Backup, Restore, Copy, and Import

One major improvement to Group Policy management is the capability to back up (or export) the Group Policy data to a file. Using the backup functionality of the GPMC, any policy can be tested in a lab environment and then exported to a file for deployment in the production domain.

When backing up a group policy, you back up only data specific to that policy itself: its settings, its security descriptor (the ACL on the GPO), and the name of the WMI filter linked to it. Other Active Directory objects that can be linked to GPOs, such as the WMI filters themselves and IP Security (IPSec) policies, are not backed up because of complications with restoring them, and neither are the links from sites, domains, and OUs to the GPO, which are attributes of those containers rather than of the GPO. When the backup is completed, administrators can restore the Group Policy data in the same location, restoring proper functionality to misconfigured and accidentally deleted group policies. Because a restored backup becomes live policy, protect the backup folder with the same care as the GPOs themselves.

The import functionality of the GPMC also enables administrators to take an exported Group Policy file and import the Group Policy data into a location other than its original one. This works even in scenarios in which no trust exists between domains, because the import reads only the backup files and never contacts the source domain.

Imports of Group Policy files can be completed using files from different domains, across forests, or within the same domain. This functionality is most powerful when you move a GPO from a test lab into production without having to manually re-create the policy settings tested in the lab. When the GPO references security principals (for example, in User Rights Assignment or Restricted Groups) or UNC paths that differ between the lab and production, use a migration table during the import so that those references are mapped to their production equivalents instead of arriving as unresolved SIDs and dead paths.

Another helpful function of Group Policy Management is copying GPOs. If the administrator has configured a complex group policy and applied it to a specific organizational unit (OU) in the domain, the group policy can be copied and duplicated for application to another OU. The copy function creates a new GPO, which can then be linked to the new location; the links of the source GPO are not copied. Unlike import, a copy to another domain requires a trust relationship, because GPMC reads the source GPO directly from Active Directory.


