Windows Server 2008 R2 Unleashed (119 page)
Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
filters by printer manufacturer such as HP, Xerox, and Sharp or by printer type such as
laser, color laser, and plotter to be able to view assets by make, model, or configuration.
Printer filters can even be created based on queue length and to run an automatic script to
take action in addition to notifying the administrator.
Managing Active Directory sites, groups, users, and printers in Windows Server 2008 R2
can be daunting if some of these tasks cannot be automated or simplified. This chapter
outlined ways and tools to create these objects and included the information necessary to
manage these objects from a standalone and enterprise level.
This chapter addressed options for administration that included centralized, decentralized,
and mixed administration, which provides a model that fits pretty much all organizations.
Some of the key criteria in administration are addressed when sites and groups are created
Best Practices
583
that identify administration boundaries and define the role of administration within and
across the boundaries.
In addition, policies better clarify how management and administration will be handled,
which ultimately trickle down to profiles and configuration settings to create a managed
and administered Windows Server 2008 R2 environment.
The following are best practices from this chapter:
. Clearly understand your roles and responsibilities in the enterprise network and
understand how the different components that make up the network communicate
and rely on one another.
. Choose the appropriate administrative model (central, distributed, or mixed) for the
organization based on required services and skill sets in each location.
. Always define the site for physical locations to accurately model the WAN and LAN
architecture, even if those locations don’t contain domain controllers.
. Always define all subnets in the Active Directory Sites and Services to ensure that all
ptg
domain computers can be located to their closest Active Directory resources.
. Use site links to accurately reflect the WAN and LAN topology.
. Use site policies to define custom network security settings for sites with higher
requirements or to delegate administrative rights when administration is performed
on a mostly geographic basis.
. Ensure that sites contain local network services, such as domain controllers, global
catalog servers, DNS servers, DHCP servers, and, if necessary, WINS servers.
. Use security groups to create distribution lists.
18
. Create a universal group to span domains, but have only a global group from each
domain as a member.
. Use local and group policies to manage users and desktops.
. Modify Group Policy security entries to limit Group Policy application to specific
users or computers.
. Reduce the OU levels and the number of GPOs by consolidating multiple GPOs into
a single GPO where possible to improve logon and startup performance.
. Use Group Policy Modeling to view and troubleshoot the way group policies are
applied.
. Use the Print Management console added in to Windows Server 2008 R2 to centrally
view, manage, and administer printers in the network environment.
This page intentionally left blank
ptg
IN THIS CHAPTER
Windows Server 2008 R2
. Group Policy Overview
. Group Policy Processing—
How Does It Work?
. Local Group Policies
Policy Management
. Security Templates
. Elements of Group Policy
. Group Policy Administrative
Since the inception of computer networks, there has been
Templates Explained
a need and a desire to centrally administer and configure
devices on the network. As small campus and corporate
. Policy Management Tools
networks evolved and became connected with other institu-
. Designing a Group Policy
tions, security concerns prompted the requirement to
Infrastructure
secure access to resources and to limit administration of
connected devices.
. GPO Administrative Tasks
With Microsoft networks, the solution to the security
ptg
concern was first addressed with the Windows NT file
system (NTFS) and with Windows domains, system policies
addressed the centralized security and configuration
requirements. Starting with Windows 2000 Server and the
introduction of Active Directory, system policies have now
evolved into what we now know as group policies, which
are discussed in this chapter.
This chapter presents an overview of the concepts and
application of the newly revised Windows Server 2008 R2
Group Policy infrastructure used to manage Windows
Active Directory networks.
The Microsoft Group Policy infrastructure is a complex
system that utilizes several features and services included in
the Windows server and client operating systems and the IP
networks that these systems reside on.
In its simplest concept, Group Policy is a mechanism used
to centrally secure, configure, and deploy a common set of
computer and user configurations, security settings, and, in
586
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
some cases, software, to Windows servers, Windows workstations, and users in an Active
Directory forest.
The Group Policy infrastructure enables organizations to enforce configurations, simplify
desktop administration, secure access to network resources, and, in some cases, meet regu-
latory compliance requirements. As an example of this, group policies can be configured
to apply and enforce an end-user password policy that requires complex passwords that
must exceed seven characters and that must also be changed every 30 days. Another
sample policy can be configured to enable the Windows Firewall on client workstations,
remove an end user’s ability to disable it, including local administrators, and allow the
corporate desktop support team to remotely administer these workstations while they are
connected to the corporate network or virtual private network (VPN).
Group Policy settings and reliability have changed tremendously since they were first
introduced in Windows 2000 Server. In the Windows 2000 Server version, Group Policy
Objects (GPOs) lacked many features and basically were not as resilient to network
changes and many of the advanced functions just did not work. With Windows XP and
Windows Server 2003, many features were fixed and new settings were introduced. With
Windows Server 2008 and Windows Vista, many of the pain points realized in the previ-
ous versions were resolved and the infrastructure was in many ways rebuilt from the
ground up to improve network performance and add functionality. Now with the release
ptg
of Windows Server 2008 R2 and Windows 7, many of the new Group Policy features of
the Windows Vista and Windows Server 2008 infrastructure have been further improved
and extended to provide more out-of-the-box functionality.
This chapter addresses the administration and management of GPOs for Windows XP,
Windows Vista, and Windows 7 client operating systems as well as Windows Server 2003,
Windows Server 2008, and Windows Server 2008 R2 server operating systems.
Group Policy Processing—How Does It Work?
The way a group policy is processed is determined by a number of different settings and
criteria. Computers and users process policies differently; furthermore, each policy also
can contain specific settings to define how and when a policy will be processed.
GPOs contain a revision number for both the computer and user configuration section of
the policy. By default, if the revision number has not changed since the last application of
the GPO, most of the GPO processing is skipped. Certain portions, however, such as the
computer startup and shutdown scripts and the user logon and logoff scripts, are
processed each time a GPO is processed during that cycle.
Computer GPO Processing
Computers process policies in a predetermined order and during certain events. Group
policies are applied to computer objects during startup, shutdown, and periodically during
the background refresh interval. By default, the refresh interval is every 90 minutes on
member servers and workstations with an offset of 0 to 30 minutes. On domain
controllers, group policies are refreshed every 5 minutes. The offset ensures that not all
Group Policy Processing—How Does It Work?
587
domain computers refresh or process group policies simultaneously. When a computer
starts up, if the computer can successfully locate and communicate with an authenticating
domain controller, GPO processing will occur. During GPO processing, the system checks
each linked or inherited GPO to verify if the policy has changed since the last processing
cycle, to run any startup scripts and check for any other requirement to reapply policy.
During the shutdown and refresh interval, the GPOs are processed again to check for any
updates or changes since the last application cycle.
Computer GPO processing is determined by GPO links, security filtering, and Windows
Management Instrumentation (WMI) filters.
User GPO Processing
GPO processing for users is very similar to GPO processing for computers. The main differ-
ences are that GPO processing for users occurs at user logon, logoff, and periodically. The
default refresh interval for user GPO processing is 90 minutes plus a 0- to 30-minute offset.
User GPO processing is determined by GPO links and security filtering.
Network Location Awareness
ptg
Network Location Awareness (NLA) is a service built in to Windows that is used to deter-
mine when the computer has connectivity to the Active Directory infrastructure. The
Group Policy infrastructure utilizes NLA to determine whether to attempt to download
and apply GPOs. This Group Policy function is called slow link detection.
In previous versions, Group Policy processing used slow link detection to determine if the
network was reliable enough to process and apply policies. Slow link detection relied on
the Internet Control Message Protocol (ICMP) or Ping to test for network connectivity and
was not very reliable. Due to this specification, Group Policy processing on mobile and
remote client workstations was very unreliable. When a mobile client workstation
connected to the corporate network through a VPN connection or after waking from
hibernation or sleep mode, the change in network connectivity usually passed by unno-
ticed and GPOs were not applied or refreshed. In these cases, the only way to get these
clients to apply their GPOs was to have them manually run a Group Policy update from
the command line or have these machines reboot while connected to the corporate
19
network via wired Ethernet connections.
Group Policy processing on Windows Vista, Windows 7, Windows Server 2008, and
Windows Server 2008 R2 now utilize the rebuilt Network Location Awareness (NLA)
service to detect network changes. The new NLA service is much better at detecting
changes to network connections, and when a connection is established, NLA checks for
domain controller connectivity. If a domain controller can be contacted, the NLA service
notifies the computer Group Policy service, which, in turn, triggers Group Policy process-
ing for both computer- and user-based Group Policy settings. The NLA service is not
dependent on ICMP or Ping, which on its own makes it more reliable. The NLA service
should run on most networks without any special configuration on the network devices or
network firewalls, even if ICMP communication is disabled or blocked by the firewall.
588
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
Managing Group Policy Processing with GPO Settings
Within the Policies\Administrative Templates\System\GroupPolicy section of both the
Computer Configuration and User Configuration nodes of a GPO, as shown in Figure
19.1, an administrator can review and control how group policies will be processed. These
