Active Directory


Transcripts
Slide 1

Active Directory Group Policy

Slide 2

Group Policy Overview
- Successor to NT policies
- Much more flexible
- Only applies to 2000 workstations
- Use old-style policies for NT
- Used to manage desktop environment
- Integrated into Active Directory

Slide 3

What Can Group Policy Manage?
- Administrative Templates: registry-based settings
- Security settings
- Software installation
- Scripts: login, logout, startup, shutdown
- Folder redirection
- Remote Installation Services
- Internet Explorer maintenance

Slide 4

Registry-based Settings
- Control over desktop, Control Panel access, Start Menu and Taskbar, some Windows components, and more…
- Generally three settings: Not configured, Enabled, Disabled
- Implemented through Administrative Templates
  - Text file with .adm extension
  - Extensible
  - Can create your own
  - Some programs ship with their own (Office)

Slide 5

Security Policy Settings
- Account Policies: password, account, Kerberos
- Local Policies: auditing, user rights, security options
- Event Log: e.g. maximum size
- Restricted Groups: group membership
- System Services: security and startup settings
- Registry: registry key security
- File System: file system security
- Public Key Policies: encrypted data, certificate authorities
- IP Security Policies: IP security

Slide 6

Software Installation
- Use to install software
- Use to upgrade software
- Three methods
  - Assign applications to users
  - Assign applications to computers
  - Publish applications to users: available to users, but not installed unless requested

Slide 7

Script Settings
- Assign scripts (login, logout etc.)
- Set processing order

Slide 8

Folder Redirection
- Redirect special folders: Start Menu, Desktop, My Pictures, My Documents, Application Data
- Options
  - No redirection
  - Redirect to same location
  - Different locations based on security groups

Slide 9

Parts of Group Policy Objects
- Each GPO has two sections: Computer Configuration and User Configuration
- Each section may be disabled (Properties of GPO/General)
- Recommended: if a section is unused, disable it
- E.g. on a GPO to configure user desktop, disable the Computer Configuration section

Slide 10

Creating Group Policy Objects
- AD Users and Computers
  - Properties of Domain/OU
  - Creates new GPO linked to that domain/OU
- AD Sites and Services
  - To create site GPO
- Also through MMC Group Policy snap-in, to create a GPO not linked to a site, domain or OU

Slide 11

How are Group Policy Objects Applied
- GPOs may be linked to AD containers: Sites, Domains and Organizational Units (OUs)
- Apply to users and computers within container
- Objects in child OUs inherit GPO settings from parent OUs, domain and site unless explicitly blocked
- No inheritance across domain boundaries
- One GPO may be linked to multiple containers
- Multiple GPOs may be linked to a container
- GPOs are not linked to groups

Slide 12

Modifying GPO Inheritance
- Block Inheritance: if enabled on a container, objects in the container do not get any GPO settings from parent containers
- No Override: if enabled on a GPO link, inheritance of GPO settings cannot be stopped via Block Inheritance
- NB Applied to the link, not the GPO itself

Slide 13

Filtering Group Policy Settings
- GPO settings applied to all objects in container
- Filter using security groups
- Change default GPO permissions
- Need Read and Apply GP ACEs to be able to apply a GPO
- Need Read and Write GP ACEs to be able to read and modify a GPO

Slide 14

Deleting and Disabling Group Policy Objects
- Disabling a GPO
  - Disable Computer or User sections
  - Disable both to disable GPO entirely
  - Also disable using Options button in AD Users and Computers/Container Properties
- Deleting a GPO
  - AD Users and Computers
  - Will be offered two options
    - Remove the link from the list: deletes link but not GPO
    - Remove the link and delete the GPO permanently: deletes GPO

Slide 15

Disabling and Inheriting: What do the Properties Belong to?
- Properties of a given GPO
  - Disable Computer Configuration Settings
  - Disable User Configuration Settings
- Properties of a given container
  - Block policy inheritance
- Properties of a given link
  - No override
  - Disabled: the GPO is not applied to this container

Slide 16

Storage of Group Policy Objects
- Group Policy Container (GPC)
  - Active Directory object storing version, status etc.
  - View by enabling Advanced Features in AD Users and Computers, then System/Policies
  - Named by GUID
- Group Policy Template (GPT)
  - Sysvol\Policies folder
  - Contains all GPO settings
  - Named by GUID
- GPC and GPT replicated separately
- Policies only apply if both GPC and GPT are in sync
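
The sync condition above can be checked by comparing the two version numbers, as in this added example (not part of the original slides). It assumes the GPC version is read from the object's versionNumber attribute and the GPT version from the Version entry in GPT.INI, names the slides do not give; all GUIDs and values are constructed.

```python
import configparser

# Constructed sample data: GPC version per GPO GUID (as read from the directory)
# and the text of the matching GPT.INI under Sysvol\Policies\{GUID}.
SAMPLE_GPC_VERSION = {
    "{11111111-1111-1111-1111-111111111111}": 196613,
    "{22222222-2222-2222-2222-222222222222}": 131074,
    "{33333333-3333-3333-3333-333333333333}": 1,
}
SAMPLE_GPT_INI = {
    "{11111111-1111-1111-1111-111111111111}": "[General]\nVersion=196613\n",
    "{22222222-2222-2222-2222-222222222222}": "[General]\nVersion=65538\n",
}

def split_version(version):
    """High 16 bits count User Configuration edits, low 16 bits Computer edits."""
    return version >> 16, version & 0xFFFF

def gpt_version(gpt_ini_text):
    """Read Version from the [General] section of a GPT.INI file."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")

def sync_report(gpc_versions, gpt_ini_files):
    """Classify every GPO GUID seen on either side of the GPC/GPT pair."""
    report = {}
    for guid in sorted(set(gpc_versions) | set(gpt_ini_files)):
        if guid not in gpt_ini_files:
            report[guid] = "GPT missing"
        elif guid not in gpc_versions:
            report[guid] = "GPC missing"
        else:
            gpc = gpc_versions[guid]
            gpt = gpt_version(gpt_ini_files[guid])
            if gpc == gpt:
                report[guid] = "in sync"
            else:
                report[guid] = "out of sync: GPC (user, computer)=%s, GPT=%s" % (
                    split_version(gpc), split_version(gpt))
    return report
```

A GPO that stays out of sync on one domain controller long after the others agree points at a replication problem or at a change made directly in Sysvol, and is worth investigating either way.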

Slide 17

Storage of Group Policy Settings
- Stored in client registry
  - HKEY_LOCAL_MACHINE (Computer settings)
  - HKEY_CURRENT_USER (User settings)
- Special registry keys used
  - \Software\Policies (preferred)
  - \Software\Microsoft\Windows\CurrentVersion\Policies
- Removed when GPO no longer applies

Slide 18

Order of GPO Application
- Order of application is Site, Domain, OU (SDOU)
- Multiple OUs: order of application is according to domain hierarchy (start at top of tree and work down)
- Multiple GPOs for same OU: processed in reverse order of list of GPOs shown for that OU
  - I.e. GPO at top of list comes first
- Order can be changed

Slide 19

When are GP Settings Applied?
- Computer settings
  - On boot
  - According to periodic refresh cycle
- User settings
  - On user logon
  - According to periodic refresh cycle
- If computer and user settings conflict, computer settings take precedence

Slide 20

Refreshing Group Policy
- Default refresh intervals
  - 2000 Professional and member servers: every hour and a half, with randomized 30 minute offset
  - Domain controllers: at regular intervals
- Changed by modifying administrative template settings for user or computers
- Exception: software installation and folder redirection policies only applied on boot or user logon, not periodically

Slide 21

Conflicts
- Where settings for GPO of parent container conflict with those for GPO of child, child container settings win
- Where settings from multiple GPOs linked to same container conflict, settings of GPO highest in list win
  - Use Up/Down to change position
- Exception: where computer and user settings conflict, computer settings win
  - Except IP Security and User Rights settings
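
The inheritance, ordering and conflict rules from the preceding slides can be modelled in a few lines. This is an added example, not part of the original slides: the class and function names, the GPO names and the setting values are all hypothetical, and it treats No Override links as applied last so that they also win conflicts with lower containers.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = top of the displayed list
    block_inheritance: bool = False

def processing_order(chain):
    """chain = [site, domain, OU, ..., object's own OU]; later GPOs win conflicts."""
    # Block Inheritance on a container hides plain links from everything above it.
    first_visible = max([i for i, c in enumerate(chain) if c.block_inheritance], default=0)
    normal, enforced = [], []
    for i, container in enumerate(chain):
        level_enforced = []
        for link in reversed(container.links):  # bottom of list first, top last
            if link.no_override:
                level_enforced.append(link.gpo)
            elif i >= first_visible:
                normal.append(link.gpo)
        # No Override links survive blocking; the highest container's go last of all.
        enforced = level_enforced + enforced
    return normal + enforced

def effective_settings(order, gpo_settings):
    """Replay GPOs in order; each setting maps to (value, GPO that supplied it)."""
    result = {}
    for gpo in order:
        for name, value in gpo_settings[gpo].items():
            result[name] = (value, gpo)
    return result

def sample_chain(block_lab):
    # Constructed sample hierarchy; every name here is hypothetical.
    return [
        Container("Site", [Link("SiteBaseline")]),
        Container("Domain", [Link("DomainSecurity", no_override=True), Link("DomainDesktop")]),
        Container("OU=Lab", [Link("LabTop"), Link("LabBottom")], block_inheritance=block_lab),
    ]

SAMPLE_SETTINGS = {  # constructed values
    "SiteBaseline": {"Wallpaper": "site.bmp"}, "DomainDesktop": {"Wallpaper": "domain.bmp"},
    "DomainSecurity": {"HideControlPanel": "Enabled"}, "LabTop": {"Wallpaper": "lab-a.bmp"},
    "LabBottom": {"Wallpaper": "lab-b.bmp", "HideControlPanel": "Disabled"},
}
```

Recording which GPO supplied each value makes it easy to see that Block Inheritance on the Lab OU removes the site and domain desktop settings but not the domain's No Override security setting.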

Slide 22

Managing Group Policy Objects
- Creating or editing GPOs controlled by PDC emulator by default
  - Minimizes conflicts
- To change
  - Group Policy MMC snap-in/View/DC Options
  - Or use Group Policy
- Recommended this is left unchanged
- NB By default, only Domain Admins, Enterprise Admins, Group Policy Creator Owners and the System account can create and edit GPOs

Slide 23

Loopback Processing
- Computer settings part of GPO linked to OU apply only to computers within OU
- Similarly, user settings apply only to users within OU
- Therefore, normally, user in OU A logging on to computer in OU B gets combination of user settings from OU A GPOs and computer settings from OU B GPOs (and any inherited etc.)

Slide 24

Loopback Processing cont.
- May want to apply same user settings to any user logging on to a given workstation, regardless of user OU
  - E.g. classroom, public area workstations
- Loopback processing does this
  - Merge mode applies normal GPOs for user as well (but those from computer come first)
  - Replace mode does not apply normal GPOs for user

Slide 25

Local Group Policy
- Computers also have a single Local Group Policy Object (LGPO)
- Only supports Security Settings, Administrative Templates and Scripts
- Processed before AD GPOs
- Block inheritance does not stop its application
- Generally unused in an AD setup
- Most useful for configuring standalone computers

Slide 26

Delegation
- It is possible to delegate responsibility for the following tasks
  - Managing links
  - Creating GPOs
  - Editing GPOs

Slide 27

Exceptions for Domain Controllers
- Some settings only from GPOs linked to domain
  - Domain controllers share same account database so some settings must be the same
  - Not linked to Domain Controllers OU because DCs may be moved out of this OU
- NB Can change these settings in other GPOs but will have no effect on domain policy
  - Will affect local logons (i.e. non-domain) if they apply to workstations or member servers

Slide 28

Exceptions for Domain Controllers cont.
- Domain-wide settings
  - All account policies (Computer Configuration/Windows Settings/Security Settings), i.e. Password, Account lockout and Kerberos policies
  - Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options
    - Automatically log off users when logon time expires
    - Rename administrator account
    - Rename guest account

Slide 29

Common Desktop Management Scenarios
- Package containing GPOs developed for six different scenarios that can be loaded into AD
- Includes white paper describing scenarios
- Excel spreadsheet documenting all GPO settings
- Scenarios are for the following
  - Lightly Managed Desktop (e.g. power user)
  - Mobile User
  - Multi-User Desktop
  - AppStation (Highly Managed Desktop) (e.g. administrator user)
  - TaskStation (e.g. single task)
  - Kiosk (e.g. public workstation)

Slide 30

Common Desktop Management Scenarios
- NB Loading GPOs into AD does not mean they take immediate effect
  - Not linked to any container
- Use as starting points
- Use Excel spreadsheet to record GPO changes

Slide 31

Common Desktop Management Scenarios
- White paper: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/send/grppolsc.asp
- All documents: http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe

Slide 32

OU Design Issues
- Deep OU structure
  - Easier to apply GPOs without filtering
  - More likely to require inheritance modifications
- Flat OU structure
  - More likely to require filtering
  - Easier to troubleshoot (fewer inheritance issues)

Slide 33

Number of GPOs Required
- Few comprehensive GPOs
  - Less to manage
  - Shorter logon times
- Many narrowly focussed GPOs
  - More to manage
  - Likely to need more filtering
  - Increased logon times in theory, up to 20 GPOs applying to a user should no
