Sander Berkouwer, CTO at SCCT, 10-fold Microsoft MVP, Active Directory aficionado
Daniel Goater, Systems Engineer, Netwrix
Create and Manage Group Policy
Active Directory 101
Active Directory 101 vs. Exam 70-742
o Implement and manage a certificate authority (CA) hierarchy with AD CS
o Deploy and manage certificates
o Implement and administer Active Directory Federation Services (AD FS)
o Implement and administer Active Directory Rights Management Services (AD RMS)
o Monitor, troubleshoot, and establish business continuity for AD DS services
o Secure AD DS and user accounts
o Manage user settings by using GPOs
o Implement and manage Group Policy
o Configure and manage replication
o Implement AD DS sites
o Implement AD DS in complex environments
o Manage objects in AD DS
o Install and configure Domain Controllers
o Implement synchronization between AD DS and Azure AD
(Side labels on the slide: Active Directory 101; Microsoft exam 70-742, Identity with Windows Server 2016)
Agenda
Implementing Group Policy
Managing User settings with Group Policy
Group Policy Best Practices
How to deliver complete visibility into all security and configuration changes in Group Policy
Implementing Group Policy
Introduction to Group Policy
Centralized approach to applying one or more changes to more than one user or computer
Very powerful tool, in the right hands, to
• Apply security settings
• Manage the Windows (Server) experience
• Deploy software
• Configure networking
Group Policy Objects, Settings and Links
• Apply settings to Domains, OUs, Sites and/or local computers
• Despite its name, you can’t apply Group Policies to individual users or groups
Tools for managing Group Policy
Graphical Tools
• Group Policy Management Console (gpmc)
• Group Policy Editor (gpedit)
Command-line Tools
• GPUpdate.exe
• GPResult.exe
PowerShell
• Invoke-GPUpdate
Advanced Group Policy Management (AGPM) tool
• Part of Software Assurance
• Allows versioning, etc.
How Group Policy settings are applied
Group Policy Objects are linked
Enabled vs. Disabled GPOs
Group Policy Processing Order and Precedence
• Local Group Policies, Site, Domain, OUs
• Last setting to be applied wins
• Precedence when multiple links on Site, Domain or OU: lowest number last
Block Inheritance vs. Enforced
Loopback processing
• Replace mode vs. Merge mode
• Ideal for Remote Desktop Session Hosts, public-use computers
Security Filtering and WMI Filtering
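The processing order on this slide, worked through as an added example (not part of the original webinar). The GPO names, levels and link orders are constructed sample data; the function models link order, disabled links, Block Inheritance and Enforced only, not security or WMI filtering.

```powershell
# Constructed sample: GPO links in scope for a computer in OU=Kiosks,OU=Workstations.
# Level 1 = Site, 2 = Domain, 3 = OU=Workstations, 4 = OU=Kiosks (local policy omitted).
function New-Link($Gpo, $Level, $Order, [switch]$Enforced, [switch]$Disabled) {
    [pscustomobject]@{ Gpo = $Gpo; Level = $Level; Order = $Order
                       Enforced = [bool]$Enforced; Enabled = -not $Disabled }
}
$links = @(
    New-Link 'Site-Proxy'      1 1
    New-Link 'Domain-Baseline' 2 1 -Enforced
    New-Link 'Domain-Desktop'  2 2
    New-Link 'WS-Settings'     3 1
    New-Link 'Kiosk-Lockdown'  4 1
    New-Link 'Kiosk-Shell'     4 2
    New-Link 'Kiosk-Old'       4 3 -Disabled
)

function Get-GpoProcessingOrder {
    param([object[]]$Links, [int[]]$BlockInheritanceAt = @())
    $active = $Links | Where-Object Enabled
    # Block Inheritance hides non-enforced links from every level above the deepest blocking OU.
    $cutoff = (@($BlockInheritanceAt) + 0 | Measure-Object -Maximum).Maximum
    # Normal links: Site, Domain, then OUs parent to child; within a container, link order 1 goes last.
    $normal = @($active | Where-Object { -not $_.Enforced -and $_.Level -ge $cutoff } |
        Sort-Object @{ Expression = 'Level' }, @{ Expression = 'Order'; Descending = $true })
    # Enforced links are applied after all normal links, deepest container first,
    # so an enforced link high in the hierarchy is applied last and wins.
    $enforced = @($active | Where-Object Enforced |
        Sort-Object @{ Expression = 'Level'; Descending = $true }, @{ Expression = 'Order'; Descending = $true })
    $normal + $enforced
}

# Print the order of application; the last line has the highest precedence.
$step = 0
Get-GpoProcessingOrder -Links $links -BlockInheritanceAt 4 | ForEach-Object {
    $step++
    '{0}. {1} (level {2}, link order {3}{4})' -f $step, $_.Gpo, $_.Level, $_.Order,
        $(if ($_.Enforced) { ', enforced' })
}
```

With Block Inheritance set on level 4, the non-enforced site, domain and parent-OU links drop out, while the enforced domain link still applies and is applied last.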
Group Policy Refresh
Policy settings apply every 90-120 minutes, when clients retrieve the group policy settings to update their cached settings
• By default, only when Group Policy settings have changed
Group Policy refresh can be
• Changed through Group Policies
• Initiated using gpupdate.exe on each domain-joined device
• Initiated in the GPMC from a Domain Controller, too
Administrative Templates
Control the environment of the OS and UI
• OS features like Control Panel, network and printers
• UI features like Desktop, network, Start Menu and taskbar
Two file types:
• *.adm
– Copied into every GPO in the System Volume (SYSVOL)
• *.admx and *.adml
– Not stored in the GPO
– Language Neutral
Administrative Templates make Group Policy expandable
The Group Policy Central Store
Central repository for *.admx and *.adml in SYSVOL
Must be created manually and files must be copied manually
• From C:\Windows\PolicyDefinitions, and downloads
• To \\domain.tld\SYSVOL\domain.tld\policies\PolicyDefinitions
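One way to script the manual copy described on this slide, as an added example that is not from the original webinar. The function name `Sync-CentralStore` is hypothetical, and the default destination assumes the domain's DNS name matches `$env:USERDNSDOMAIN`; files that already exist in the store with different content are reported rather than overwritten, so newer templates are not replaced by older ones.

```powershell
function Sync-CentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Source = "$env:SystemRoot\PolicyDefinitions",
        # Assumption: the AD domain's DNS name is the logged-on user's DNS domain.
        [string]$Destination = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
    )
    $root = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    if (-not (Test-Path -LiteralPath $Destination)) {
        # The Central Store does not exist until someone creates this folder.
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    }
    # *.admx files sit in the root, *.adml files in per-language subfolders.
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object Extension -in '.admx', '.adml' |
        ForEach-Object {
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $target   = Join-Path $Destination $relative
            $state    = 'Missing'
            if (Test-Path -LiteralPath $target) {
                $same  = (Get-FileHash -LiteralPath $_.FullName).Hash -eq
                         (Get-FileHash -LiteralPath $target).Hash
                $state = if ($same) { 'Same' } else { 'Different' }
            }
            # Copy only what the store lacks; 'Different' files need a manual version check.
            if ($state -eq 'Missing' -and $PSCmdlet.ShouldProcess($target, 'Copy template')) {
                New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target
            }
            [pscustomobject]@{ File = $relative; State = $state }
        }
}

# Dry run first: shows what would be copied without touching SYSVOL.
Sync-CentralStore -WhatIf | Where-Object State -ne 'Same'
```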
Group Policy Preferences
Extensions to Group Policy Settings
• Manage settings previously unavailable
– Map drives
– Create shortcuts
– Configure power options
– Schedule tasks
– Configure Internet Explorer
Do not cause the UI for these settings to grey out
Use Group Policy Refresh by default, but can be configured to only run once
Troubleshooting Group Policy
When do Group Policy settings apply?
• Computer settings in a GPO apply at startup of device
• User settings in a GPO apply at logon of user
• Group Policy Refresh interval (Security Settings at least every 16 hours)
• Manual Group Policy Refresh
How do I know what GPO applies certain settings?
Why is a device taking long ‘Applying Group Policy settings’?
• Use the Group Policy Results Wizard in GPMC
• Use GPResult.exe
• Use Get-GPResultantSetOfPolicy
Delegating Group Policy Management
You can delegate Group Policy Management to non-Domain Admins:
• Create
• Edit
• Manage links
• Perform Modeling
• Reading Group Policy results data
• Creating WMI Filters
But not:
• Backup and Restore
• Copy and Import
• Manage Starter GPOs
Managing user settings with Group Policy
Folder Redirection
Folder Redirection allows folders to be located on a network server, but appear as if they are located on a local drive
• Basic Folder Redirection: All users save to the same location
• Advanced Folder Redirection: Group membership-based locations
By default, Administrators have no permissions on user folders
Distributing software and running scripts
Yes, you can install software using Group Policy
– Assign software: install at next startup/logon
– Publish software
• Manual install from Control Panel
• Automatically install based on file extensions
Yes, you can run scripts with Group Policy automatically
– Four available triggers for scripts:
• Computer: startup scripts and shutdown scripts
• User: logon scripts and logoff scripts
– Asynchronous (default) and synchronous script processing
Group Policy best practices
Group Policy Best Practices
Implement the Group Policy Central Store
Do not use the Group Policy functionality to set passwords
Avoid using Enforce and Block Inheritance
Avoid linking GPOs to Sites
Avoid elaborate WMI Filters
Replace scripts with Group Policy Preferences
Do not place Group Policy Settings and Group Policy Preferences in the same GPO
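A read-only audit for several of these practices, as an added example that is not from the original webinar. It assumes the RSAT GroupPolicy and ActiveDirectory modules and an account that can read GPOs and the configuration partition; the helper `Add-Finding` is a hypothetical name.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
$domain   = Get-ADDomain
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Practice, $Object, $Detail) {
    $findings.Add([pscustomobject]@{ Practice = $Practice; Object = $Object; Detail = $Detail })
}

# Central Store present?
$store = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $store)) {
    Add-Finding 'Implement the Central Store' $store 'Folder not found'
}

# Enforced links and Block Inheritance on the domain root and every OU.
$targets = @($domain.DistinguishedName) + @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
foreach ($dn in $targets) {
    $inheritance = Get-GPInheritance -Target $dn
    if ($inheritance.GpoInheritanceBlocked) {
        Add-Finding 'Avoid Block Inheritance' $dn 'Inheritance is blocked'
    }
    $inheritance.GpoLinks | Where-Object Enforced | ForEach-Object {
        Add-Finding 'Avoid Enforce' $dn "Enforced link: $($_.DisplayName)"
    }
}

# GPOs linked to sites: gPLink is set on site objects in the configuration partition.
$sitesBase = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesBase -LDAPFilter '(&(objectClass=site)(gPLink=*))' -Properties gPLink |
    Where-Object { $_.gPLink.Trim() } |
    ForEach-Object { Add-Finding 'Avoid linking GPOs to Sites' $_.Name $_.gPLink }

# GPOs that depend on a WMI filter; review each filter's query by hand for complexity.
Get-GPO -All | Where-Object WmiFilter | ForEach-Object {
    Add-Finding 'Avoid elaborate WMI Filters' $_.DisplayName "WMI filter: $($_.WmiFilter.Name)"
}

$findings | Sort-Object Practice, Object | Format-Table -AutoSize -Wrap
```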
Netwrix Auditor for Active Directory
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global customer base: over 9,000
Recognition: Among the fastest growing software companies in the US with 140 industry awards from Redmond Magazine, SC Magazine, Windows IT Pro and others
Customer support: global 24/5 support with 97% customer satisfaction
Netwrix Auditor Unified Platform
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Oracle Database
Netwrix Auditor for Azure AD
Netwrix Auditor for EMC
Netwrix Auditor for SQL Server
Netwrix Auditor for Exchange
Netwrix Auditor for NetApp
Netwrix Auditor for Windows Server
Netwrix Auditor for Office 365
Netwrix Auditor for SharePoint
Netwrix Auditor for VMware
Linux
Unix
Free Add-Ons
Demonstration
Netwrix Auditor
Next Steps
Experiment with Group Policy in your test lab
Contact Sales to obtain more information
netwrix.com/contactsales
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch previously recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured
Visit: dirteam.com for more Active Directory information
Thank you!
Questions?