Windows Server 2008 R2 Unleashed (116 page)

BOOK: Windows Server 2008 R2 Unleashed
3.21Mb size Format: txt, pdf, ePub

2. Expand the Roles folder.

3. Expand the Active Directory Domain Services folder.

4. Expand the Active Directory Users and Computers snap-in.

5. Expand the domain folder (in this example, the companyabc.com folder).

6. Select the Users container that was used in the previous section. In the right pane,

right-click the group that was created earlier, and select Properties.

7. Enter a description for the group on the General tab and then click the Members tab.

8. Click Add to add members to the group.

9. In the Select Users, Contacts, Computers, or Groups window, type in the name of

each group member separated by a semicolon and click OK to add these users to the

group. If you don’t know the names, clicking the Advanced button opens a window

ptg

where you can perform a search to locate the desired members.

10. When all the members are listed on the Members tab of the group’s property page,

click OK to complete the operation.

Group Management

After a group is created, it needs to be managed by an administrator, users, or a combina-

tion of both, depending on the dynamics of the group.

To delegate control of a group to a particular user, follow these steps:

18

1. Launch Server Manager on a domain controller.

2. Expand the Roles folder.

3. Expand the Active Directory Domain Services folder.

4. Select Active Directory Users and Computers and select Advanced Features from

the View menu.

5. Expand the Active Directory Users and Computers snap-in.

6. Expand the domain folder (in this example, the companyabc.com folder).

7. Select the Users container that was used in the previous section. In the right pane,

right-click the group that was created earlier, and select Properties.

8. Select the Security tab.

9. At the bottom of the page, click the Advanced button.

10. In the Advanced Security Settings for Group dialog box, select the Permissions tab.

568

CHAPTER 18

Windows Server 2008 R2 Administration

11. Click Add. In the Select User, Computer, or Group window, type in the name of the

account for which you want to grant permissions, and click OK.

12. When the Permissions Entry for Group window appears, select the Properties tab.

13. Click the Apply To drop-down list arrow, and then select This Object Only.

14. In the Permissions section, check the Allow boxes for Read Members and Write

Members, as shown in Figure 18.5. Then click OK.

ptg

FIGURE 18.5

Granting permissions to modify group membership.

15. Click OK to close the Advanced Security Settings for Group dialog box.

16. Click OK to close the group’s property pages.

Managing Users with Local Security and Group

Policies

Windows Server 2008 R2 systems provide local security policies to manage user and group

administrative access on a per-server basis. Within Active Directory, you can use group

policies to set configurations and security on a specified collection of computers, users, or

groups of users from a single policy. These policies can be used to deliver standard desktop

configurations and security settings for server access and application functionality. Also,

policies can set user configurations to deliver software on demand, redirect desktop

folders, plus affect many more settings. Many settings within each policy explain what the

setting controls and whether computer-based settings apply to only Windows XP,

Windows Vista, or Windows 7 workstations. Chapter 15, “Security Policies, Network Policy

Managing Users with Local Security and Group Policies

569

Server, and Network Access Protection,” describes security policy in more depth, but the

best way to discover and learn about all the Group Policy settings is to open an actual

Group Policy Object and start browsing each section.

Viewing Policies with the Group Policy Management Console

You can view Active Directory-based group policies or server and workstation local security

policies with very little effort by using a single console, the Group Policy Management

Console (GPMC). This tool is added to the Server Manager console when the Active

Directory Domain Services role is added to a server. The GPMC enables administrators to

view group policies, edit group policies, and model the effects of combinations of group

policies (that is, model the resulting configuration).

To open an existing policy, follow these steps:

1. Launch Server Manager on a domain controller.

2. Expand the Features folder.

3. Expand the Group Policy Management Console.

4. Expand the Forest folder.

5. Expand the Domains folder.

6. Expand the specific domain, such as companyabc.com.

ptg

7. Select a Group Policy Object, such as the Default Domain Policy. Click OK to close

the linked policy warning window.

8. Select the Settings tab to review the settings. Or right-click the Group Policy Object,

and select Edit to change the settings.

After you access the policy, you can view each setting or settings container to determine

the default value and, in some cases, learn what the setting controls. Keep in mind that,

with the correct level of permissions, any changes you make to this policy are live

changes; there is no undo other than reversing the individual setting changes or perform-

18

ing an authoritative restore of Active Directory.

Creating New Group Policies

When changes need to be made or tested using group policies, the administrator should

leave the production environment untouched and create test policies in isolated test lab

environments. When test labs are not available or cannot replicate the production envi-

ronment, the administrator can test policies in isolated organizational units within a

domain. Also, if domain- or site-based policies need to be created for testing, security

filtering could be modified to apply the policy only to a specific set of test users or groups.

The preceding section described how to locate a group policy. Using the Group Policy

Management Console, you can also create, configure, and open site, domain, and organi-

zational unit (OU) group policies for editing.

In some cases, it will be necessary to prevent a GPO from being applied to a user or

computer. That is, there might be a GPO that applies to all members of a department, but

it is necessary to make a single exception to the rule. Rather than create a specific OU to

570

CHAPTER 18

Windows Server 2008 R2 Administration

apply the GPO, security filtering can be used to allow or deny the application of the

Group Policy Object.

The following steps outline how to create a new domain-based policy and configure its

security filtering to apply to a single user:

1. Launch Server Manager on a domain controller.

2. Expand the Features folder.

3. Expand the Group Policy Management Console.

4. Expand the Forest folder.

5. Expand the Domains folder.

6. Select the specific domain, such as companyabc.com.

7. Right-click on the domain and select Create a GPO in This Domain, and Link It Here.

8. Type in a descriptive policy name, leave the source starter GPO set to None, and

click OK to create the policy.

NOTE

Source starter GPOs are GPO templates that can be used to prepopulate settings in

GPOs. If there are common settings that will go into GPOs, they can be created in

ptg

starter GPOs and then seeded into new GPOs as they are created.

The starter GPOs are stored in a common folder named StarterGPOs. Any GPOs creat-

ed in this folder are available for seeding GPOs. There are no starter GPOs in a domain

by default.

9. The new policy will be displayed in the right pane. Right-click the new policy and

select Edit to launch the Group Policy Management Editor snap-in.

10. Right-click the GPO name in the Group Policy Management Editor, and select

Properties.

11. Select the Security tab and highlight the Authenticated Users entry.

12. In the Permissions section, scroll down and uncheck the Allow check box for Apply

Group Policy. This means that the GPO will not take effect on any user or computer.

13. Select each entry in the Group Policy access control list and verify that no existing

groups are allowed to apply Group Policy.

14. Click Add and type in the name of a user or group. To find a list of users and groups

within the current domain, click the Advanced button, and in the search window,

click Find Now to return the complete list. Scroll down and select the users or

groups you want, and click OK.

15. Click OK to add the entries to the policy.

16. Back in the security window, select the respective entry and check the Allow check

box for Apply Group Policy, as shown in Figure 18.6. This means that the GPO will

Managing Users with Local Security and Group Policies

571

take effect on the members of this group, which could include both users and

computers. Click OK when you’re finished.

ptg

FIGURE 18.6

Modifying a group policy’s application scope.

17. Close the Group Policy Management Editor snap-in.

Now the group policies set in the GPO will affect only the users or computers that were

specified—in this case, members of the Oakland Help Desk. This allows for fine-grained

application of group policies to targeted groups.

18

Configuring and Optimizing Group Policy

After a Group Policy Object is created, a few steps should be taken to configure how the

policy will be applied and to optimize the time to apply the policy. Group policies can be

limited to computer- or user-specific settings. To determine whether either type of setting

can be disabled, the administrator should determine which settings are necessary to

provide the desired policy settings. In many cases, a policy uses settings for both types. To

disable either user or computer policy settings, open the properties as described in the

section “Viewing Policies with the Group Policy Management Console” earlier in this

chapter. When the policy is listed, select the Details tab. Adjust the GPO status field to

disable computer or user settings as required.

When multiple group policies exist, they are applied in a predefined order. For a particu-

lar user or computer, the order can be derived using the Resultant Set of Policies snap-in.

The results of standard policies are that if setting X is enabled on a top-level policy and

572

CHAPTER 18

Windows Server 2008 R2 Administration

disabled on the last policy to apply to an object, the resulting setting will disable setting

X. Many policy settings have three states: enabled, disabled, and the default of not

configured.

You can limit group policies to apply to specific users or computers by modifying the secu-

rity entries. In addition to disabling portions of each GPO, policy inheritance can be

blocked at the domain or OU container level using a setting called Block Policy

Inheritance. When blocking or precedence rules need to be ignored for the settings of a

particular group policy, the group policy can be configured as Enforced.

Group Policy Objects and Logon Performance

It is important that policies be effectively placed to avoid slow logon performance. For

each level in the OU structure where a group policy is linked, the download and applica-

Other books

Genesis of a Hero by Chris Smith
Forbidden by Fate by Kristin Miller
Covenant (Paris Mob Book 1) by Michelle St. James
Murder Comes Calling by C. S. Challinor
Money Boy by Paul Yee
Ventajas de viajar en tren by Antonio Orejudo
Lunamae by April Sadowski
Skippy Dies by Paul Murray
The Gift by Jess C Scott
The Eden Express by Mark Vonnegut