
Managing Users with Local Security and Group Policies 573

Disable user or computer settings in GPOs: Each GPO consists of a user and a computer section. If there are no settings in either of those sections, that section can be disabled and will be ignored. For example, if a GPO only has computer settings and the user settings are disabled, that GPO will be skipped at logon (which only deals with user settings).

These guidelines can dramatically improve logon and startup performance. The last guideline suggested disabling the user settings or computer settings, as processing a GPO takes a certain amount of time for a computer at startup and for a user at logon.

To enable or disable the entire GPO or the user/computer portion of the GPO, run the following steps:

1. Open the Group Policy Management console.
2. Expand the Forest folder, expand the Domains folder, select the specific domain, and select the Group Policy Objects.
3. Select the GPO to enable or disable it.
4. Right-click the GPO and select GPO Status.
5. Select the appropriate option: Enabled, User Configuration Settings Disabled, Computer Configuration Settings Disabled, or All Settings Disabled.

This will take effect immediately. The All Settings Disabled option is useful for troubleshooting when you want to completely disable a GPO without changing the ACLs or the settings.

Block Policy Inheritance

The Block Policy Inheritance option enables an administrator to prevent higher-level policies from applying to users and computers within a certain domain or OU. This capability can be useful to optimize Group Policy applications and protect sensitive user and/or computer accounts from organization-wide policy settings.

To block policy inheritance, follow these steps:

5. Expand the Domains folder.
6. Select the specific domain, such as companyabc.com.
7. Locate and right-click the OU for which you want to block inheritance, and select Block Inheritance, as shown in Figure.7.

574 CHAPTER Windows Server 2008 R2 Administration

FIGURE.7 Blocking policy inheritance for an OU.

In this example, policy inheritance was blocked on the Servers OU. Group policies created above the OU will not affect objects within the OU (unless the group policy is enforced; see the next section). Note the blue exclamation mark icon on the OU to alert the administrator that policy inheritance is blocked.

The Enforce Option

Configuring the Enforce option prevents lower-level policies from blocking policy inheritance and from changing the parameters or configured settings in a policy. This option should be used only if a policy needs to be enforced on AD objects in every container and subcontainer with a link or inheritance to this policy object.

To configure the Enforce option for a policy, follow these steps:

5. Expand the Domains folder.
6. Select the specific domain, such as companyabc.com.
7. Right-click the group policy to enforce, and select Enforce.
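A read-only audit of the three controls described above (GPO Status, Block Inheritance and Enforce), added here as an example and not taken from the book. It reports OUs where blocking keeps higher-level policy out and which enforced links still get through. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from the Remote Server Administration Tools; the function names are hypothetical.

```powershell
# Added example: audits GPO Status, Block Inheritance and Enforce. Read-only.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) and domain read access.
Import-Module GroupPolicy, ActiveDirectory

function Get-BlockedInheritanceReport {
    # One row per OU that has Block Inheritance set (hypothetical helper name).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
        Where-Object { $_.GpoInheritanceBlocked } |
        ForEach-Object {
            $som = $_
            # InheritedGpoLinks is the effective list after blocking and also
            # includes the OU's own links; drop those to leave only the links
            # that still arrive from above, i.e. the enforced ones.
            $fromAbove = @($som.InheritedGpoLinks |
                Where-Object { $_.Target -ne $som.Path })
            New-Object PSObject -Property @{
                OU             = $som.Path
                DirectLinks    = (@($som.GpoLinks) |
                    ForEach-Object { $_.DisplayName }) -join '; '
                StillInherited = ($fromAbove |
                    ForEach-Object { $_.DisplayName }) -join '; '
            } | Select-Object OU, DirectLinks, StillInherited
        }
}

function Get-PartlyDisabledGpo {
    # GPOs whose GPO Status is anything other than fully enabled, so a
    # baseline left on "All Settings Disabled" after troubleshooting shows up.
    Get-GPO -All |
        Where-Object { $_.GpoStatus -ne 'AllSettingsEnabled' } |
        Select-Object DisplayName, GpoStatus, ModificationTime
}

# An OU with an empty StillInherited column receives no policy from the
# site or domain level at all.
Get-BlockedInheritanceReport | Format-List
Get-PartlyDisabledGpo | Sort-Object ModificationTime -Descending |
    Format-Table -AutoSize
```

Review any blocked OU whose StillInherited column lacks the organization's security baseline GPO; either the block is unintended or the baseline link needs the Enforce option.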

Now the group policy will be enforced even if the Block Policy Inheritance option is set on down-level OUs. Note that the group policy will now have a small lock icon associated with it to show that it is enforced.

Troubleshooting Group Policy Applications

When policies are used throughout an organization, sometimes the policy settings do not apply to a user or computer as originally intended. To begin basic troubleshooting of Group Policy application issues, you need to understand the policy application hierarchy. First, any local server or workstation policies are applied to the user or computer, followed by site group policies, domain group policies, and, finally, the organizational unit group policies. If nested OUs have group policies, the parent OU policies are processed first, followed by the child OUs, and, finally, the OU containing the Active Directory object (user or computer). You might find it easier to remember LSD-OU, the acronym for local, site, domain, and then OU.

Now that you know the order in which policies are applied, you can proceed to use the Group Policy testing and troubleshooting tools provided with Windows Server 2008 R2, namely the Group Policy Modeling tool in the Group Policy Management Console and the command-line utility GPResult.exe, which is the command-line version of the RSoP snap-in.

The Group Policy Modeling Tool

The Group Policy Modeling snap-in can be used to show the effective policy settings for a user who logs on to a server or workstation after all the respective policies have been applied. This tool is good for identifying which policies are being applied and what the effective setting is.

To simulate the policies for a user, use the Group Policy Modeling snap-in as follows:

5. Select the Group Policy Modeling snap-in.
6. Select Action, Group Policy Modeling Wizard to launch the wizard.
7. Click Next.
8. Leave the default domain controller selection, which chooses any available domain controller. The domain controller must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Click Next.
9. Select the User option button in the User Information box, and click Browse.
10. Enter the name of a user to check, and click OK. Click Next to accept the user and computer selection.

NOTE: In the Group Policy Modeling Wizard, the net effect of the group policies can be modeled for specific users, computers, or entire containers for either object. This enables an administrator to see the effects for individual objects or for objects placed within the containers, making the tool very flexible.

11. Click Next on the Advanced Simulation Options page. The advanced simulation options enable you to model slow network connections or specific sites.
12. Click Next to skip the Alternate AD Paths.
13. The User Security Groups page shows the groups that the user is a member of. You can add additional groups to see the effects of changes. Leave as is and click Next.
14. Click Next to skip the WMI Filters for Users page.
15. Click Next to run the simulation.
16. Click Finish to view the results.
17. Click the Show link next to Group Policy Objects.
18. Click the Show link next to Denied GPOs.

Within the console, you can review each particular setting to see whether a setting was applied or the desired setting was overwritten by a higher-level policy. The report shows why specific GPOs were denied. Figure.8 shows that one GPO was denied to the user object michellea. The Desktop Lockdown Group Policy Object was denied due to security filtering. This is the GPO created earlier in the chapter, which was applied only to members of the Oakland Help Desk group. The user michellea is not a member of this group and, hence, does not have the GPO applied.

FIGURE.8 The Group Policy Modeling report.

Managing Printers with the Print Management Console

The Print Management console in Windows Server 2008 R2 helps organizations better manage and administer printers on an enterprise basis. Prior to the Print Management console, a network administrator would have to point to each network printer or printer server individually to manage and administer the device. For a large enterprise with hundreds of printers and dozens of printer servers, this was a very tedious task to select print servers each and every time a printer needed to be managed. Furthermore, if the administrator didn't remember which printer was attached to which print server, it could take a while to eventually find the printer and print server that needed management.

The Print Management console provides a single interface where an administrator can open the Print Management console, and view all printers and print servers in the enterprise. Furthermore, it could be configured to group printers together so that certain administrators could manage and administer only certain printers. As an example, if an organization has an administrator for a particular building, the Print Management interface could be filtered to only list printers within the building. This would allow the administrator to only see certain printers they are responsible for, as well as consolidate multiple print server groups of printers into a single interface for management and administration.

The Print Management component only needs to be installed on the system that the administrator is managing from; it does not need to be installed on all print servers or systems in the enterprise. Functionally, Print Management could be installed on just one system. However, it is automatically installed on Windows Server 2008 R2 servers with the Print Service role installed.

Installing the Print Management Console

The Print Management console is installed as one of the Remote Server Administration Tools in the features or as part of the Print Server role of Windows Server 2008 R2. To install the Print Management console on a management server that is not a print server, complete the following steps:

1. Launch Server Manager.
2. Select the Features folder and click the Add Features link.
3. Expand the Remote Server Administration Tools.
4. Expand the Role Administration Tools.
5. Select the Print and Document Services Tools check box.
6. Click Next.