
442b55e663b3538f008e4178988ef55a.ppt
- Number of slides: 54
ADM 222: Configuring Windows Using Group Policy
BJ Whalen, Program Manager, Group Policy, Microsoft Corporation
Mike Jorden, Technology Specialist, BPSG, Microsoft Ltd

The Long and the Short of Group Policy!
BJ Whalen, Program Manager, Group Policy, Microsoft Corporation
Mike Jorden, Technology Specialist, BPSG, Microsoft Ltd

Oooppps… Sorry about the slide deck

Agenda
- Background
- Windows functionality configurable using Group Policy
- How do clients apply Group Policy
- Group Policy in action
- Common Group Policy Questions

Group Policy Sessions at TechEd
- ADM 222 Using Group Policy to Configure Windows (this one!!!!)
- ADM 320 Managing Group Policy: Thursday 10:00, room 10
- ADM 421 Scripting Group Policy: Thursday 18:15, room 9
Group Policy Overview: Do More with Less Effort
- One administrator action ("New Policy" in Active Directory) produces many end-user results and many computer results
- Group Policy enables admins to set and maintain a desired computing state
- The new Group Policy Management Console (GPMC) makes administration much easier

Policy-based Management: What can you do with Group Policy?
- Centralized storage and management of user data
  - Users have access to data and settings from any computer
  - Consistency of user experience across computers
  - Data safety and availability
  - Rapid PC replacement
- Configuration of the operating system: networking settings, Control Panel access, Remote Assistance, disk quotas, IE
- Securing the operating system
- Ongoing and dynamic configuration management

Group Policy Controls What?
Enables configuration on Windows 2000 and later of:
- Administrative Templates: registry-based policy settings
- Security: user rights, restricted groups, account policies, IPSec, public key, wireless, system services, Software Restriction Policies, etc.
- IE Maintenance: administer Internet Explorer
- Software Distribution: centralized management of application installation
- Scripts: startup, shutdown, logoff
- Folder Redirection: store users' folders on the network
- Remote Installation Service: configure client options for RIS
- 3rd-party extensions: the Group Policy framework allows for extensibility

Group Policy: Not Just for Desktops
- Server management: manage OS components, especially security management
- Terminal servers, web servers, etc.

What We Do at TechEd Europe
- 1,000 PCs: CommsNet (400 PCs), Session Feedback Pods (60 PCs), Session Room PCs, Hands-on Labs, Speaker Lounge, BackOffice
- How many images? 2, thanks to Group Policy

TechEd Infrastructure (diagram): London and Event; servers msevdad1, msevdad2, msevsad11, msevsad12; CommsNet, Session Feedback Pods, Speakers Lounge, Session Rooms, Back-office

TechEd AD Structure (diagram): London: Servers, You (& BJ!), Me. Event: Servers; Computers: Travel Desk, Kiosks, CommsNet, Session Rooms, FeedBack Pods
Windows Functionality Configurable through Group Policy
Administrative Templates
Managing the OS and apps by manipulating the registry
- Windows ships with .ADM files for managing OS components
  - All settings in these files are true policy settings
  - No tattooing: the original user preference is restored upon removal
  - Secure for non-admins
- Custom .ADMs are possible, but generally not true policy settings
- Note the difference between .POL and .ADM files
  - .ADM file: available settings and UI description; used by GPEdit only to expose settings for editing; exists both in Sysvol and locally in %windir%\inf
  - Registry.pol file: the actual settings delivered; this is what is delivered to the client to modify the registry during GP processing; exists in Sysvol

.ADM and .POL Files (diagram)
- Client computer: .ADM file in %windir%\inf (e.g. "POLICY !!NoRun …")
- Domain Controller: .ADM and .POL files in Sysvol\Policies\{GUID}
- Settings (the binary .POL data) are transferred during policy processing
- Default behavior: when using GPEdit, the client's .ADM is uploaded to Sysvol if its timestamp is newer
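As an added illustration of the Registry.pol file described on the two slides above (example code written for this page, not the presentation's own), the following Python builds a small Registry.pol blob in its on-disk PReg format and parses it back. The key and value names are constructed samples; the "**del." entry is the control directive Group Policy writes to remove a value, which is how the "no tattooing" removal is carried to the client.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # registry value types used below
_u16 = lambda s: s.encode("utf-16-le")  # strings and delimiters are UTF-16LE

def build_pol(entries):  # entries: (key, value_name, reg_type, raw_data) tuples
    out = bytearray(b"PReg" + struct.pack("<I", 1))  # signature + version 1
    for key, name, rtype, data in entries:
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(name + "\0") + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)

def parse_pol(blob):  # returns one dict per [key;value;type;size;data] entry
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")
    def expect(p, ch):  # consume one UTF-16LE delimiter character
        if blob[p:p + 2] != _u16(ch):
            raise ValueError("malformed entry at offset %d" % p)
        return p + 2
    def read_sz(p):  # NUL-terminated UTF-16LE string, scanned on 2-byte boundaries
        end = p
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\0\0":
            end += 2
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % p)
        return blob[p:end].decode("utf-16-le"), end + 2
    pos, entries = 8, []
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_sz(pos); pos = expect(pos, ";")
        name, pos = read_sz(pos); pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos = expect(pos + 4, ";")
        data, pos = blob[pos:pos + size], pos + size
        pos = expect(pos, "]")
        if rtype == REG_DWORD and size == 4:
            value = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            value = data.decode("utf-16-le").rstrip("\0")
        else:
            value = data  # other types left as raw bytes
        # Names beginning with "**" (e.g. "**del.Name") are control directives, not settings
        entries.append({"key": key, "name": name, "type": rtype, "value": value,
                        "control": name.startswith("**")})
    return entries

# Constructed sample: enforce the NoRun setting shown on the slide, plus a delete directive
# (Group Policy writes deletions as REG_SZ with a single space as data)
SAMPLE_POL = build_pol([
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "**del.NoDrives", REG_SZ, _u16(" \0")),
])
```

Running `parse_pol` over a GPO's Machine\Registry.pol and User\Registry.pol from Sysvol gives a defender an offline inventory of exactly which registry values a GPO will set or delete on clients.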
ADM Files: Managing Mixed Environments
- ADM files provided in Windows are cumulative
  - E.g., settings in Windows Server 2003 .ADM files are a superset of the settings in XP and 2000 ADMs
- OS applicability of a setting is indicated by the "Supported on" field in the UI
  - Note: the "Supported on" field is not yet supported on Windows 2000
- Up-level settings are ignored on down-level clients
  - E.g., Windows 2000 ignores XP+ only settings
- General recommendation: use ADM files from the latest OS
  - If possible, perform administration on XP or later
  - Consider use of policy settings to control ADM behavior (see next slide)

ADM File Management
- Group Policy Object Editor
  - ADM files are used to display the UI in the "Administrative Templates" node
  - ADM files are loaded from Sysvol by default; if the local copy is newer, it is uploaded to Sysvol
    - Note: issues with Windows 2000 SP3 and SP4 (fix planned for SP5)
  - This behavior is configurable via two policy settings:
    - Never upload to Sysvol ("Turn off Automatic Update of ADM Files")
    - Use local ADMs only (new for Windows Server 2003)
- GPMC
  - ADM files are used to generate HTML reports
  - ADM files are loaded from the local computer by default; if not found, loaded from Sysvol
  - User can specify a custom location from which to load ADMs
  - NEVER copied to Sysvol
Security Policy Settings
- Account Policies: configure password, account, and Kerberos policies (domain only)
- Local Policies: configure auditing, user rights, and security options
- Event Log: configure settings for application, system, and security logs
- Restricted Groups: configure group memberships for security-sensitive groups
- System Services: configure security and startup settings for services running on a computer
- Registry: configure security on registry keys
- File System: configure security on specific file paths
- Public Key: configure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
- IP Security: configure IP security on a network
- Wireless: configure wireless settings
- Software Restriction: configure which apps can be run or are disallowed

Security Tips
- Account Policies must be configured at the domain level
- Security settings always re-apply every 16 hours
- Don't apply full security templates through Group Policy; those are intended for one-time use
- File and Registry ACLs are time-consuming to apply and also tattoo
- Restricted groups don't merge: see KB 810076

Internet Explorer Maintenance
Set policy settings to control:
- Browser user interface (title, logo)
- Connection (proxy, autodetect, etc.)
- URLs: home page, favorites
- IE security: zones, privacy, content ratings, Authenticode
- Programs
Enhanced Security Configuration (ESC) on Windows 2003
- New secure configuration for IE impacts Zones and Privacy
- ESC-enabled and ESC-disabled computers must be managed independently
  - GPOs with ESC-enabled settings only apply to ESC-enabled machines, and vice versa
  - The ESC state of the admin machine determines whether a GPO is ESC-enabled or not
CommsNet example: Set Home Page & Trusted Zones

Folder Redirection
Supports server-based storage of common folders: My Documents, Application Data, Desktop, Start Menu
Benefits:
- Availability of user data on any computer
- Reduced network usage when users move between machines
- Increased ease of backup of redirected folders
- Used in conjunction with Offline Files to provide access when disconnected from the network
  - On XP and above, all redirected folders are automatically admin-pinned for offline use
For each folder, you can choose:
- No policy: does not redirect
- Basic: redirects all users to the same place
- Advanced: redirects users to different locations based on security group membership

Folder Redirection Tips
General recommendations:
- Consider redirection of My Documents; if using Roaming Profiles, this is a must
- Optionally consider redirecting Desktop, if users store documents on the desktop
- Start Menu and AppData are generally not recommended for redirection
- Let the system create the folders for each user, to avoid improper ACLs
- To remove Folder Redirection, use the "Redirect to the local user profile" setting
- When using EFS, encrypt the local cache, not the folder on the server

CommsNet (diagram): London: msevdad1, msevdad2; Event (Event Profile): msevsad11, msevsad12

CommsNet example: Redirect Desktop & My Documents
Software Installation
Three deployment options:
- Assign to computer: app is installed at boot
- Assign to user: app is installed either on demand or (with XP and above) at user logon
- Publish to user: user chooses to install from Add/Remove Programs
Requires MSI apps
- Except ZAP apps, which are limited (no elevated install)
Tips:
- Make sure machine accounts have access to software distribution points for machine-assigned apps
- On Windows 2000, turn off "Include OLE and Class product information" in Advanced Deployment Options
- There is no supported way to control install order within a GPO

CommsNet example: Install the Citrix client

Scripts
- Computer-based scripts: startup and shutdown; run in the Local System context
- User-based scripts: logon and logoff; run in the user's context
- Configurable options:
  - Processing order if there are multiple scripts
  - Script timeout (default is 10 minutes): Computer Configuration\Administrative Templates\System\Logon\Maximum wait time for Group Policy scripts
Tips:
- Scripts *only* execute if connected to the network during boot and logon (requires foreground refresh)

CommsNet example: Deploy new wallpaper, set local group membership, etc.

Remote OS Installation
- Most RIS infrastructure is on the RIS server
- Group Policy allows configuration of client install wizard options
How do clients apply Group Policy
When Does Group Policy Get Applied?
- Computer starts: Group Policy applies computer settings, then startup scripts run
- User logs on: Group Policy applies user settings, then logon scripts run
- …and at periodic intervals

Foreground vs Background Refresh
Foreground refresh:
- At boot and logon
- Processing is synchronous: the logon prompt is not displayed until computer processing is complete; the desktop is not displayed until user processing is complete
- Requires connectivity to the domain
- All extensions processed
Background refresh:
- Approximately every 90 minutes (except for DCs: 5 minutes)
- Interval and random offset configurable through policy setting
- Processing is asynchronous
- Software Installation and Folder Redirection settings are not processed

Processing Optimizations
- During refresh, GP is re-applied only if there are changes in the GPOs or in the list of GPOs
  - Can override this to ALWAYS process via policy setting, for each extension
- Windows XP Fast Logon Optimization
  - The OS does not wait for network start before displaying the logon screen
  - Configurable via policy setting
  - Computer policy is processed as a background refresh at logon
  - Changes to Folder Redirection and Software Installation may require multiple reboots to apply

CommsNet example: Disable fast logon to ensure kiosk mode

Group Policy Over Slow Links
- Slow link = connection < 500 kbps, by default; configurable via policy setting
- When a slow link is detected:
  - Security Settings and Administrative Templates are always applied
  - By default, Software Installation, Scripts, and Folder Redirection are not applied; configurable via policy setting for each extension
- RAS does not necessarily imply a slow link
Common Group Policy Questions
Question 1
Q: Where can I get a list of the available ADM settings?
A: http://go.microsoft.com/fwlink/?LinkId=15165
- Allows filtering by: supported OS, component area
- Includes: registry setting, explain text

Question 2
Q: Are there pre-configured example GPOs available to get me started?
A: Yes: http://go.microsoft.com/fwlink/?LinkId=14951
- Provides GPO "templates" for several common scenarios
- Will be updated in the next few weeks to be based on GPMC backups

Question 3
Q: Where can I learn more about managing ADM files?
A: KB 816662 discusses and provides recommendations for: mixed platforms, mixed languages, Sysvol size issues

Question 4
Q: What are the new Group Policy features since Windows 2000?
A: Introduced in Windows XP:
- Group Policy Results (RSoP logging)
- WMI filter client support
- Software Restriction Policy: client support
- Fast logon optimization
- New policy settings
- New GPResult.exe based on RSoP
Introduced in Windows Server 2003:
- GPMC: new admin tool for managing Group Policy; web download for both XP and 2003
- Group Policy Modeling (RSoP planning)
- WMI Filters: admin support
- Software Restriction Policies: admin support
- New policy settings

Question 5
Part 1
Q: What are the requirements to use Group Policy Results?
A: Clients must be running XP or later
Part 2
Q: Is there any dependency on whether I have a 2000- or 2003-based AD?
A: Group Policy Results is a function of the client. However, the ability to delegate remote access to read Group Policy Results data requires the Windows Server 2003 AD schema (ADPrep /ForestPrep)

Question 6
Q: What are the requirements for using Group Policy Modeling?
A: Group Policy Modeling is performed by a service that is only available on DCs running Windows 2003. There is no dependency on the client OS.

Question 7
Q: What are the requirements to use WMI filters?
A: Client dependencies:
- Clients must be running XP or later
- Windows 2000 clients ignore the filter and always apply the WMI-filtered GPO
Server dependencies:
- Forest: must have the Windows 2003 AD schema (ADPrep /ForestPrep)
- Domain: must run ADPrep /DomainPrep to use WMI filters for clients in that domain
- DCs don't actually need to be running Windows 2003

Question 8
Q: Are there any dependencies in Group Policy on native mode vs mixed mode?
A: No. However, various features do have dependencies on the following:
- Schema level of the forest (ADPrep /ForestPrep)
- Domain configuration (has ADPrep /DomainPrep been run?)
- Presence of at least one DC

Question 9
Qa: Can I use GPMC to manage my environment if all my DCs are running Windows 2000?
Qb: Can I use GPMC if my clients are running Windows 2000?
A: Yes. However, GPMC itself must run on a computer running Windows XP SP1 or Windows Server 2003.
Group Policy On The Web
- Group Policy Product Page: http://www.microsoft.com/grouppolicy
- Group Policy Technology Center: http://www.microsoft.com/technet/grouppolicy
- Windows Server 2003 Deployment Kit, "Designing a Managed Environment" book: http://go.microsoft.com/fwlink/?LinkId=15311

Group Policy Whitepapers
All linked from the Group Policy Technology Center (TechNet):
- Introduction to Group Policy
- Windows Server 2003 Group Policy Infrastructure
- Group Policy Administration using GPMC
- Troubleshooting Group Policy with Windows Server 2003
- Migrating GPOs Across Domains with GPMC

Group Policy Community
Newsgroups
- Using a newsreader: microsoft.public.windows.group_policy
- Using a web browser: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp
TechNet Chats
- Generally scheduled monthly
- Previous transcripts available at: http://go.microsoft.com/fwlink/?LinkId=16504

Ask The Experts: Get Your Questions Answered
BJ will be at the ATE on Thursday morning at 11:30 (after the Managing GP talk). Mike has to fly back (and miss the party).

Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading And Resources
The tools you need to put technology to work!
- Active Directory® for Microsoft® Windows® Server 2003 Technical Reference, ISBN 0-7356-1577-2 (available today)
- Microsoft® Windows® Server 2003 Administrator's Companion, ISBN 0-7356-1367-2 (available today)
Microsoft Press books are 20% off at the TechEd Bookstore. Also, buy any TWO Microsoft Press books and get a FREE T-shirt.
evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.