
Chapter 6

Group Policy and Software Deployment

Tran Thanh Dien, PhD


August, 2022
Content

• Understanding Group Policy
• Creating and editing GPOs
• Examples of GPO settings
• Software Deployment

Group Policy

• Group Policy (GP): a Windows feature (covered here on Windows Server 2019) that applies configuration settings and restrictions at the user and computer level
• Group Policy Objects (GPOs) and Administrative Templates enable system administrators to configure what users can and cannot do on computers, peripheral devices, and network applications across the organization's network
Group Policy
• A collection of configuration settings applied to objects in AD DS, including:
o Software Settings
o Scripts
o Security Settings
o Administrative Templates
o Folder Redirection
• The goal of GP is to allow AD DS administrators to define a set of policies targeted at users and computers in sites, domains, and OUs (and, through security filtering, at groups), and then rely on the system to enforce those policies
• Policies can execute scripts at user logon or logoff and at computer startup and shutdown
Group Policy

• Contains settings and configurations applied to either computers or users in AD
Group Policy
Group Policy Objects (GPOs)

• A collection of security and configuration settings that are managed by Group Policy
• Applied systematically to a group of users or computers
• Control the behavior of workstations and the end-user experience across the entire organization
• Settings in a GPO are applied automatically to computers joining the domain (once the GPO is linked to a container that holds them)
Group Policy
GPO configuration values

• Not Configured: the default state for a setting; the GPO does not touch the value on the client
• Enabled: the setting is enforced; for a registry-backed Administrative Template setting the value is typically written as 0x1
• Disabled: the setting is explicitly turned off; the value is written as 0x0
Group Policy
Creating GPOs

• Group Policy Management Console (GPMC): the utility used to create, manage, delegate, and link GPOs
• Group Policy Management Editor (GPME): the utility used to edit the settings inside a GPO
Group Policy
Creating GPOs
Group Policy
Creating GPOs

• The new GPO now shows up in the list of available GPOs, but it is not yet applying to any users or computers
• The policy settings in the GPO are not applied until the GPO is linked to a container
Group Policy
Configuring GPO Links

• To use a GPO you must link it to a site, domain, or OU
• Inside the GPMC, find the container (OU) to which you want to link the GPO, e.g., the CTU OU
• Right-click the OU, and then choose Link an Existing GPO…
Group Policy
Configuring GPO Links

Select GPO dialog: choose the domain to search for policies, then select a policy from the list
Group Policy
Configuring GPO Links

Linked Group Policy Objects tab: all GPOs linked to the currently selected node
• Link Enabled: a disabled link does not apply the GPO's settings to objects in the directory
• Enforced: the link overrides any conflicting settings from GPOs linked to child objects
Group Policy
Managing Starter GPOs

• GPOs have the potential to be large, complex configurations (thousands of possible settings)
• A starter GPO is a template of preconfigured policy settings that reduces the time and burden of creating new policies
• Starter GPOs serve as templates only: they are never linked, and they can hold Administrative Templates settings only
• New GPOs created from a starter GPO include all the settings, values, comments, and delegations defined in the starter GPO
• Starter GPOs can be exported and imported (as .cab files) for use across domains, forests, or entirely separate AD DS deployments
Group Policy
Managing Starter GPOs

Creating a Starter GPO


Group Policy
Managing Starter GPOs

Creating new GPO from Starter GPO


Group Policy
Managing Starter GPOs

Export starter GPOs to use in another forest


Group Policy
Configuring Group Policy Processing

• Ways that a GPO can be applied to a security principal:
o linked to a site, domain, or OU;
o inherited from a parent OU;
o set by local Group Policy on the computer.
• More than one GPO is often applied to an AD object.
• How does GP resolve conflicts when two or more GPOs configure the same policy setting?
o Group Policy walks through a specific order when processing GPOs
o As GPOs are processed, Group Policy keeps the most recently applied value for a setting, so the last GPO to configure it wins
o A setting configured in an earlier GPO and left Not Configured in later GPOs is still applied
Group Policy
GPO Application order

• GPOs are processed on a client computer in the following order (LSDOU):
1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. OU GPOs, from the top-level OU down through any nested OUs
• The last GPO applied takes precedence
Group Policy
GPO Application order
Figure: GPO application order. GPO1 (local) → GPO2 (site) → GPO3 and GPO4 (domain) → GPO5 (OU) → child OUs
Group Policy
GPO Application order

• Within each processing step there are additional rules as well
o When multiple GPOs are linked to a node, GPMC shows a Link Order value for each
o Group Policy processes the links from the highest link order number down to the lowest, so the GPO with Link Order 1 is applied last and takes precedence over GPOs with a higher link order
o Administrators can adjust the Link Order for the GPOs at a node
Group Policy
GPO inheritance and precedence

• The application of GPOs linked to each container results in a cumulative effect called policy inheritance:
o Default precedence: Local → Site → Domain → OU → Child OU…
o Visible on the Group Policy Inheritance tab of the container
• The lower the precedence number, the higher the precedence of the GPO
Group Policy
GPO inheritance and precedence

• Block Inheritance (attribute of a domain or OU):
o Inheritance can be blocked for an entire domain or for individual OUs
o When inheritance is blocked, the container does not inherit any of the GPOs linked to its parent containers unless the parent link is flagged as Enforced
• Enforced (attribute of a GPO link, not of the GPO itself):
o Enforced links override Block Inheritance
o Enforced GPO settings win over conflicting settings in GPOs linked lower in the hierarchy, regardless of the normal last-applied-wins order
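The create / link / link order / Block Inheritance / Enforced workflow of the preceding slides, written out as an added PowerShell example (this script is not part of the original lecture). It assumes the domain corp.example.com, an OU named CTU, a Domain Admin session on a machine with RSAT (the GroupPolicy and ActiveDirectory modules), and the GPO and starter GPO names used below; all of those names are placeholders.

```powershell
# Added example: GPO lifecycle with the GroupPolicy module.
# Assumed names: domain corp.example.com, OU "CTU", GPOs "CTU-Workstation-Lockdown"
# and "Domain-Security-Baseline", starter GPO "Baseline-Starter".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com
$ouDn     = "OU=CTU,$domainDn"

# 1. A starter GPO is a template (Administrative Templates settings only); it is never linked.
$starter = Get-GPStarterGPO -Name "Baseline-Starter" -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name "Baseline-Starter" -Comment "Common admin-template settings"
}

# 2. Create the real GPO from the starter. Until it is linked it applies to nobody.
$gpo = New-GPO -Name "CTU-Workstation-Lockdown" -StarterGpoName $starter.DisplayName `
               -Comment "Created from Baseline-Starter"

# 3. Link it to the OU. -Order 1 = highest precedence among the GPOs linked at this node
#    (it is processed last, so its values win over the other links here).
New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes -Order 1 | Out-Null

# 4. Block inheritance on the OU: site/domain GPOs stop flowing in, except links
#    flagged Enforced. Use sparingly, because it also detaches the OU from any
#    domain-wide security baseline that is not enforced.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 5. A separate domain-level baseline GPO (leave the Default Domain Policy alone)
#    whose LINK is enforced, so it still wins inside the blocked OU.
$baseline = Get-GPO -Name "Domain-Security-Baseline" -ErrorAction SilentlyContinue
if (-not $baseline) { $baseline = New-GPO -Name "Domain-Security-Baseline" }
if (-not (Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName -contains $baseline.DisplayName) {
    New-GPLink -Name $baseline.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $baseline.DisplayName -Target $domainDn -Enforced Yes | Out-Null

# 6. Read back what the OU actually receives, in precedence order (Order 1 wins).
$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize
```

Get-GPInheritance is the scripted equivalent of the Group Policy Inheritance tab: after step 4 only the enforced baseline and the OU's own links should appear in InheritedGpoLinks, which is the quickest way to confirm that blocking did not silently drop a security baseline.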
Group Policy
Security Filtering

• Linking a GPO to an OU applies its settings to every machine in that OU
• Suppose a new GPO is linked to an OU that contains all of your desktop computers, but only some of those machines should receive the policy
• Splitting those machines into two separate OUs just for the purpose of this one policy is awkward and clutters the OU design
• This is where GPO Security Filtering comes into play
Group Policy
Security Filtering

• Security Filtering: the ability to filter a GPO down to particular Active Directory objects
• Set filters so that the GPO only applies to particular users, particular computers, or particular groups of users or computers
• Create a new security group inside Active Directory and add only the target computers to the group
• Once the GPO lists that group in its Security Filtering section (and the default Authenticated Users entry is removed), the policy applies only to machines that are members of that group
Group Policy
Security Filtering

Security Filtering: an additional security filter so that only machines belonging to the specified security group actually receive the settings from the GPO
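Security filtering as an added PowerShell example (not from the original lecture). It assumes a GPO named CTU-USB-Deny already linked to the OU that holds all desktops, two target computers PC01 and PC02, and a Domain Admin session with RSAT; the group name is a placeholder.

```powershell
# Added example: restrict a linked GPO to one security group of computers.
# Assumed names: GPO "CTU-USB-Deny", group "GPO-Apply-CTU-USB-Deny", computers PC01/PC02.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = "CTU-USB-Deny"
$groupName = "GPO-Apply-CTU-USB-Deny"    # naming the group after the GPO keeps audits simple
$members   = "PC01", "PC02"

# 1. A global security group holding only the target computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Description "Computers that receive GPO $gpoName"
}
Add-ADGroupMember -Identity $groupName -Members ($members | ForEach-Object { Get-ADComputer $_ })

# 2. Remove the default "Authenticated Users: Apply Group Policy" entry; otherwise every
#    computer under the link still applies the GPO and the filter does nothing.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null

# 3. Grant Read + Apply Group Policy to the new group.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 4. Since MS16-072 (KB3163622) the user half of a GPO is retrieved with the COMPUTER
#    account. With Authenticated Users gone, give Domain Computers Read back, or the
#    GPO's user settings silently stop applying.
Set-GPPermission -Name $gpoName -TargetName "Domain Computers" -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# 5. Verify the resulting ACL: only the group should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

A computer picks up new group memberships only at its next reboot (its Kerberos ticket still carries the old group list), so reboot PC01 and PC02 before testing with gpupdate /force; otherwise the filter appears not to work.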
Group Policy
Configuring Group Policy Settings

• The primary goal of Group Policy is to apply configuration settings on client machines. The settings are used to:
o create a consistent and seamless experience for users across the domain;
o ensure that users do not have access to features and functions that could compromise enterprise security efforts;
o control what software is installed, where folders are located on the network, access and rights to various Windows features, …
Group Policy
Configuring Group Policy Settings

To manage GPOs, in Server Manager, Click Tools, and choose Group Policy
Management.
Group Policy
Configuring Group Policy Settings

Two distinct sets of policies:
o Computer policies: settings that apply to computers, processed when a computer starts
o User policies: settings that apply to users, processed when a user logs on to a computer
Group Policy
Configuring Group Policy Settings

Nodes under Computer Configuration and User Configuration in the GPME:
o Software Settings: for automated deployment of new software and software upgrades
o Windows Settings: for managing key Windows settings: scripts, security, Remote Installation, …
o Administrative Templates: for managing registry-based settings
Group Policy
Default Domain Policy

• Created during installation, linked at the domain root, and applies to every computer and user that is part of the domain
• A common place to enforce global password policies or security rules that need to apply to everyone (domain account policies in particular must be set at the domain level to take effect for domain accounts)
Group Policy
Default Domain Policy

• Default Domain Policy: a very quick and easy way to get settings configured and pushed out to everyone
• Any setting changed in this policy affects everyone in your domain, including yourself
• It is highly recommended that you leave the Default Domain Policy alone, apart from the account policies it is meant for
• Instead, create a brand new GPO whenever you need to apply some settings
Group Policy
Examples of GPOs: Rename the administrator account

• Create a GPO and link it to an OU
• Edit the new GPO
• Navigate to the following path to reach the setting: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
• Double-click Accounts: Rename administrator account
• In the Properties dialog box, check Define this policy setting, and enter the new name that you want to use for the administrator account
• Click OK to close the Properties dialog box
Group Policy
Examples of GPOs: Rename the guest account

• Edit the GPO
• Navigate to the following path to reach the setting: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
• Double-click Accounts: Rename guest account
• In the Properties dialog box, check Define this policy setting, and enter the new name that you want to use for the guest account
• Click OK to close the Properties dialog box
Group Policy
Examples of GPOs: Blocking Microsoft accounts

• Edit the GPO
• Navigate to the following path to reach the setting: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
• Double-click Accounts: Block Microsoft accounts
• In the Properties dialog box, check Define this policy setting, and then select Users can't add or log on with Microsoft accounts from the drop-down list
• Click OK to close the Properties dialog box
Group Policy
Examples of GPOs: Prohibiting access to the Control Panel and PC settings

• Edit the GPO
• Navigate to the following path to reach the setting: User Configuration\Policies\Administrative Templates\Control Panel
• Double-click Prohibit access to Control Panel and PC settings
• In the dialog box, select Enabled, and then click OK to close the dialog box
Group Policy
Examples of GPOs: Denying access to all removable storage classes

• Edit the GPO
• Navigate to the following path to reach the setting: User Configuration\Policies\Administrative Templates\System\Removable Storage Access
• Double-click All Removable Storage classes: Deny all access
• In the dialog box, select Enabled, and then click OK to close the dialog box
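The example settings above, as an added PowerShell example that is not part of the original lecture: the two Administrative Templates settings are written into a GPO with Set-GPRegistryValue (the registry values behind them are the documented ones), and a client-side function checks all five settings after they have applied. It assumes a GPO named CTU-Workstation-Lockdown that is already linked; the first part runs as a Domain Admin with RSAT, the second on a domain-joined client as the test user.

```powershell
# Added example: set the two Administrative Templates settings via the GPO's
# registry.pol and verify all five example settings on the client.
# Assumed GPO name: "CTU-Workstation-Lockdown".
Import-Module GroupPolicy
$gpoName = "CTU-Workstation-Lockdown"

# --- Server side ---------------------------------------------------------------
# "Prohibit access to Control Panel and PC settings" (User Configuration)
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# "All Removable Storage classes: Deny all access" (User Configuration)
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices" `
    -ValueName "Deny_All" -Type DWord -Value 1 | Out-Null

# The three "Accounts:" settings are Security Options stored in the GPO's security
# template (GptTmpl.inf), not in registry.pol, so set them in the GPME as shown on
# the slides. Set-GPRegistryValue would only produce an "Extra Registry Settings"
# entry, not the Security Option itself.

# --- Client side (after gpupdate /force and a logoff/logon of the test user) ----
function Test-ExampleSettings {
    $result = [ordered]@{}

    $explorer = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue
    $result.ControlPanelBlocked = ($explorer.NoControlPanel -eq 1)

    $usb = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices" -ErrorAction SilentlyContinue
    $result.RemovableStorageDenied = ($usb.Deny_All -eq 1)

    # Accounts: Block Microsoft accounts -> NoConnectedUser (3 = can't add or log on)
    $sys = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    $result.MicrosoftAccountsBlocked = ($sys.NoConnectedUser -eq 3)

    # Renaming does not change the well-known RIDs: the built-in Administrator is
    # always RID 500 and Guest RID 501. Anyone who can enumerate local accounts or
    # resolve SIDs still finds them, so treat the rename as cosmetic and rely on
    # disabling the account / LAPS for the real control.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like "*-500" }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like "*-501" }
    $result.AdministratorRenamed = ($admin.Name -ne "Administrator")
    $result.GuestRenamed         = ($guest.Name -ne "Guest")

    [pscustomobject]$result
}

Test-ExampleSettings
# To see which GPO won each setting (useful when several GPOs conflict): gpresult /h gp.html
```

The function reads the same registry locations the Group Policy client writes, so a False result with the GPO in place points at a scoping problem (link, filtering, or inheritance) rather than at the setting itself.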
Software Deployment
Software Deployment
Assigning Software

• Group Policy software installation automatically distributes programs to client computers or users
• Programs (Windows Installer .msi packages) are distributed using the following methods:
1) Assigning Software: assign a program to users or computers
⁃ If the program is assigned to a user, it is advertised when the user logs on (shortcuts appear) and installed on first use, or at logon if the package's Install this application at logon option is selected.
⁃ If the program is assigned to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer.
Software Deployment
Publishing Software

2) Publishing Software:
o Publish a program to users only (programs cannot be published to computers).
o When the user logs on to the computer, the published program is listed in Add or Remove Programs (Get Programs under Control Panel on current Windows versions), and the user can install it from there.
Software Deployment
Using Group Policy

1. Create a folder on the server and share it. Domain users and computers need only Read (share and NTFS) to fetch the MSI; computer-assigned packages are installed by the computer account, so make sure Domain Computers (or Authenticated Users) can read the share. Grant Write to administrators only: whoever can replace the MSI gets code execution as SYSTEM on every targeted machine at its next startup.
Software Deployment
Using Group Policy

2. Create a new Group Policy

• In Server Manager, click Tools and open Group Policy Management
• In the Group Policy Management console, right-click the domain name (or, preferably, an OU containing only the target workstations, so the package is not also pushed to servers and domain controllers) and click Create a GPO in this domain, and Link it here…
Software Deployment
Using Group Policy

 In the New GPO box, in the Name box, type GPO’s name (e.g., Software
Deployment), and then click OK.
Software Deployment
Using Group Policy

3. Edit the new GPO

In the Group Policy Management console, right-click the Software Deployment GPO and click Edit.
Software Deployment
Using Group Policy

• In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Software Settings
• Right-click Software installation. From the context menu, click New, and then click Package.
Software Deployment
Using Group Policy

• In the Open dialog, select the MSI file you want to deploy (e.g., the 7-Zip package) using its UNC path (\\server\share\file.msi). Browse through the share, not the local disk: the path is stored in the GPO and resolved by the clients, which cannot reach C:\… on the server.
Software Deployment
Using Group Policy

• In the Deploy Software window, ensure that Assigned is selected, and then click OK.
• Wait a few seconds and verify that 7-Zip is listed under Software installation in the GPME
Software Deployment
Testing Software Deployment

• Now switch to the Windows 10 client PC, run gpupdate /force on the client, and then restart it (computer-assigned packages install at startup, before the logon screen).
• After restarting the client PC and logging in as a domain user, verify that 7-Zip is installed.
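The server-side share and the client-side check from this procedure, as an added PowerShell example that is not part of the original lecture. It assumes the file server is the domain controller (as on the slides), folder C:\Software shared as Software$, a package C:\Downloads\7z.msi, and a SHA-256 hash recorded from the vendor's download page ($expectedHash, a placeholder here). The GPME package step itself has no cmdlet and stays in the GUI.

```powershell
# Added example: least-privilege distribution share, package gate, client verification.
# Assumed: C:\Software shared as Software$, package C:\Downloads\7z.msi, placeholder hash.

# --- Server side ---------------------------------------------------------------
$path  = "C:\Software"
$share = "Software$"
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Computer-assigned packages are fetched by the COMPUTER account at startup, so
# Authenticated Users (which includes domain computers) gets Read. Nobody but admins
# gets Write: whoever can replace the MSI runs as SYSTEM on every targeted machine.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path `
                 -ReadAccess "Authenticated Users" -FullAccess "Domain Admins" | Out-Null
}
icacls $path /inheritance:r `
       /grant:r "Authenticated Users:(OI)(CI)RX" "Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null

# Gate the package on Authenticode status and a pinned hash before it lands in the share.
function Test-PackageIntegrity {
    param([string]$MsiPath, [string]$ExpectedSha256)
    $sig  = Get-AuthenticodeSignature -FilePath $MsiPath
    $hash = (Get-FileHash -Algorithm SHA256 -Path $MsiPath).Hash
    [pscustomobject]@{
        File            = $MsiPath
        SignatureStatus = $sig.Status                # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject
        HashMatches     = ($hash -eq $ExpectedSha256.ToUpperInvariant())
    }
}
$expectedHash = "0000000000000000000000000000000000000000000000000000000000000000"   # placeholder
$check = Test-PackageIntegrity -MsiPath "C:\Downloads\7z.msi" -ExpectedSha256 $expectedHash
if (-not $check.HashMatches) { throw "Hash mismatch, refusing to publish $($check.File)" }
if ($check.SignatureStatus -ne 'Valid') { Write-Warning "Package is not Authenticode-signed; the hash pin is the only integrity control" }
Copy-Item "C:\Downloads\7z.msi" -Destination $path

# This is the path to type into the GPME package dialog (UNC, resolvable by clients):
"\\{0}\{1}\7z.msi" -f $env:COMPUTERNAME, $share

# --- Client side (after gpupdate /force and a reboot) ---------------------------
function Get-DeployedPackage {
    param([string]$DisplayNamePattern = "7-Zip*")
    $keys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
            "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}
Get-DeployedPackage

# MsiInstaller logs event 1033 to the Application log for each completed install;
# the same query is what you would alert on for installs nobody deployed.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

If the package never appears on the client, check the computer's view first: gpresult /scope computer /r shows whether the GPO was applied at all, and the share ACL is the usual culprit when it was applied but the install failed.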
Windows Deployment Services (WDS)
Windows Deployment Services (WDS)

 Allows to perform network-based operating system installations

 Uses existing technologies, such as Windows PE, Windows image file (.wim) and
virtual hard disk (.vhd and .vhdx) image files, and image-based deployment.
Windows Deployment Services (WDS)
Infrastructure Requirement

• 1 domain controller running AD DS, DNS, DHCP, and WDS
• 1 PC or VM with no operating system
Windows Deployment Services (WDS)
Install WDS

1) In Server Manager, on the Dashboard, click Add Roles and Features
2) In the Add Roles and Features Wizard, click Next
3) On the Select installation type page, verify that Role-based or feature-based installation is selected, then click Next
4) Select the server on which to install Windows Deployment Services, then click Next
Windows Deployment Services (WDS)
Install WDS

5) On the Select server roles page, select Windows Deployment Services, click Add Features in the pop-up window, then click Next
6) On the Select features page, click Next
Windows Deployment Services (WDS)
Install WDS

7) On the WDS page, review the information presented, and then click Next
8) On the Select role services page, click Next
9) On the Confirm installation selections page, click Install
10) Once the installation of WDS has completed, click Close
Windows Deployment Services (WDS)
Configure Windows Deployment Services

1) In Server Manager, click Tools, and then click Windows Deployment Services
2) In the Windows Deployment Services console, double-click Servers, right-click the server name, and then click Configure Server
Windows Deployment Services (WDS)
Configure Windows Deployment Services

3) On the Before You Begin page, click Next to proceed
4) On the Install Options page, verify that Integrated with Active Directory is selected, and then click Next
Windows Deployment Services (WDS)
Configure Windows Deployment Services

5) On the Remote Installation Folder Location page, you can accept the default location, C:\RemoteInstall, and then click Next
6) On the System Volume Warning dialog box, click Yes (the warning exists because images on the system volume can fill it; in production, place the RemoteInstall folder on a separate data volume)
Windows Deployment Services (WDS)
Configure Windows Deployment Services

7) On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown), and then click Next; wait a few seconds for the process to complete
8) On the Operation Complete page, clear the Add images to the server now check box, and then click Finish (the images are added manually in the next step)
Windows Deployment Services (WDS)
Images addition

1) Make sure the Windows Server 2016 installation media is available: a DVD, or a mounted ISO if the server is a VM
2) In the Windows Deployment Services console, double-click the server name, right-click Boot Images, and then click Add Boot Image
Windows Deployment Services(WDS)
Images addition

3) In the Add Image Wizard, on the Image File page, click Browse, then in the Select Windows Image File box browse to the Sources folder of the installation media and select the boot image file (boot.wim)
4) On the Image Metadata page, click Next
5) On the Summary page, click Next
6) On the Task Progress page, click Finish
Windows Deployment Services(WDS)
Add Install Image

The next step is to add an install image into WDS:


1) In the WDS console, right-click Install Images, and then click Add Image
Group.
2) In the Add Image Group box, type Windows Server 2016, and then click OK.
3) Next, on the WDS console, right-click Windows Server 2016, and then
click Add Install Image.
Windows Deployment Services(WDS)
Add Install Image

4) In the Add Image Wizard, browse to the folder containing the install.wim file, then click Next
5) On the Available Images page, select only Windows Server 2016 SERVERDATACENTER, and then click Next
Windows Deployment Services(WDS)
Add Install Image

6) On the Summary page, click Next and wait a few minutes for the process to complete
7) On the Task Progress page, click Finish
8) In WDS, right-click the server name, and then click Properties
9) Click the PXE Response tab and select the Require administrator approval for unknown computers check box. Set the PXE Response Delay to 3 seconds, and then click OK
Windows Deployment Services(WDS)
Add Install Image

10) Next, open Windows PowerShell (or a Command Prompt) and run:

WDSUTIL /Set-Server /AutoAddPolicy /Message:"CLC Server Admin is authorizing this request. Please wait."

Next, configure the WDS server for multicast transmission:
11) In WDS, right-click Multicast Transmissions, and then click Create Multicast Transmission
12) Type NewHelptech Blog Server 2016 in the Type a name for the transmission box, and then click Next
Windows Deployment Services(WDS)
Add Install Image

13) On the Image Selection page, click Windows Server 2016, then in the Name list, click Windows Server 2016 SERVERDATACENTER, and then click Next
14) On the Multicast Type page, verify that Auto-Cast is selected, click Next, and then click Finish
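The WDS installation, configuration, image import and multicast steps above, scripted as an added PowerShell example that is not part of the original lecture. It assumes it runs on the domain controller that will host WDS, that the Windows Server 2016 media is mounted at D:\, and that E:\RemoteInstall is on a data volume (avoiding the System Volume warning); the image and group names are the ones used on the slides. wdsutil.exe is the legacy command-line tool; the WDS PowerShell module (installed with the role) covers images and clients.

```powershell
# Added example: WDS role, server initialization, PXE policy, images, multicast.
# Assumed: media at D:\, RemoteInstall folder E:\RemoteInstall, run as Domain Admin.

# 1. Role installation (the Add Roles and Features wizard, scripted)
Install-WindowsFeature -Name WDS -IncludeManagementTools | Out-Null

# 2. Initialize the server; on a domain-joined host this is the AD-integrated mode
wdsutil /Initialize-Server /RemInst:"E:\RemoteInstall"

# 3. PXE answer policy. "All" answers unknown machines too, so pair it with admin
#    approval (as the slides do); otherwise anyone who can PXE-boot on that network
#    segment can pull the boot image and start an install against your server.
wdsutil /Set-Server /AnswerClients:All
wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval
wdsutil /Set-Server /AutoAddPolicy /Message:"CLC Server Admin is authorizing this request. Please wait."
wdsutil /Set-Server /ResponseDelay:3

# 4. Images via the WDS PowerShell module
Import-Module WDS
Import-WdsBootImage -Path "D:\sources\boot.wim" -NewImageName "WinPE (Server 2016)" | Out-Null

$group = "Windows Server 2016"
if (-not (Get-WdsInstallImageGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-WdsInstallImageGroup -Name $group | Out-Null
}
# install.wim carries several editions; import only the one you deploy.
Import-WdsInstallImage -Path "D:\sources\install.wim" `
                       -ImageName "Windows Server 2016 SERVERDATACENTER" `
                       -ImageGroup $group | Out-Null

# 5. Auto-Cast multicast transmission for that install image
wdsutil /New-MulticastTransmission /FriendlyName:"NewHelptech Blog Server 2016" `
        /Image:"Windows Server 2016 SERVERDATACENTER" /ImageType:Install `
        /ImageGroup:"Windows Server 2016" /TransmissionType:AutoCast

# 6. Review what was configured
wdsutil /Get-Server /Show:Config
Get-WdsBootImage    | Select-Object ImageName, Architecture, Enabled
Get-WdsInstallImage | Select-Object ImageName, ImageGroup, Enabled
```

Keeping the whole configuration in a script makes the PXE answer policy reviewable: a server that answers all clients without the AdminApproval line is the setting to look for when auditing an existing WDS deployment.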
Windows Deployment Services (WDS)
Testing

1) Configure the VM for Preboot eXecution Environment (PXE) booting. For VMware Workstation: connect the network adapter to the same network as the WDS server
2) Next, power on the new server to install Windows Server 2016 via WDS. When prompted, press F12 for Network Service Boot
Windows Deployment Services(WDS)
Testing

3) Now you should see the admin approval message.


Windows Deployment Services (WDS)
Testing

4) Now, return to WDS Server, In WDS, click Pending Devices, right-click the
pending request, and then click Approve.
Windows Deployment Services (WDS)
Testing

5) Next, go to the NewHelpTech Server 2016 and you should see now our New
Server 2016 is loading files from the WDS server.
Windows Deployment Services (WDS)
Testing

6) If the files load successfully, the WDS Windows Setup window appears and you can proceed by clicking Next
Windows Deployment Services (WDS)
Testing

7) Type a user name and password (domain credentials permitted to install from WDS) when prompted


Windows Deployment Services (WDS)
Testing

8) Next, on the Select the operating system you want to install, you should notice
that Windows Server 2016 SERVERDATACENTER is listed, then click Next to
proceed with installation.
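The approval step of this test, as an added PowerShell example that is not part of the original lecture: instead of approving whatever shows up under Pending Devices, pending PXE requests are approved only when their MAC address is on a list of machines you actually built, and denied otherwise. It assumes the WDS PowerShell module on the WDS server; the MAC addresses and device names in $allowed are constructed sample values.

```powershell
# Added example: allow-list based approval of pending WDS clients.
# $allowed holds constructed sample MACs (no separators, upper case) -> device name.
Import-Module WDS

$allowed = @{
    "00155D010203" = "SRV2016-01"
    "00155D010204" = "SRV2016-02"
}

function Approve-ExpectedClients {
    param([hashtable]$AllowList)
    $pending = Get-WdsClient -PendingClientStatus Pending
    foreach ($c in $pending) {
        # Normalize whatever separator format WDS reports the MAC in.
        $mac = ($c.MacAddress -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($AllowList.ContainsKey($mac)) {
            # Approving with a device name pre-creates the computer object, so the
            # machine joins with a predictable name instead of a generated one.
            Approve-WdsClient -RequestId $c.RequestId -DeviceName $AllowList[$mac]
            "Approved {0} -> {1}" -f $mac, $AllowList[$mac]
        } else {
            Deny-WdsClient -RequestId $c.RequestId
            Write-Warning ("Denied unexpected PXE request {0} from {1}" -f $c.RequestId, $mac)
        }
    }
}

Approve-ExpectedClients -AllowList $allowed

# Periodic check: denied requests are worth a look; they are stray VMs at best
# and someone probing your PXE server at worst.
Get-WdsClient -PendingClientStatus Denied | Select-Object RequestId, MacAddress, DeviceName
```

Run the function after the F12 boot from step 2; the client's console then moves past the approval message to loading files from the WDS server, as in step 5.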
Summary

 Group policy: configuration settings applied to objects in the AD


 Software Deployment: Automatically distribute programs to client computers or
users
 Windows Deployment Services: perform network-based operating system
installations
