Windows Server 2008 R2 Unleashed (119 page)

filters by printer manufacturer such as HP, Xerox, and Sharp or by printer type such as

laser, color laser, and plotter to be able to view assets by make, model, or configuration.

Printer filters can even be created based on queue length and to run an automatic script to

take action in addition to notifying the administrator.

Summary

Managing Active Directory sites, groups, users, and printers in Windows Server 2008 R2

can be daunting if some of these tasks cannot be automated or simplified. This chapter

outlined ways and tools to create these objects and included the information necessary to

manage these objects from a standalone and enterprise level.

This chapter addressed options for administration that included centralized, decentralized,

and mixed administration, which provides a model that fits pretty much all organizations.

Some of the key criteria in administration are addressed when sites and groups are created

Best Practices

583

that identify administration boundaries and define the role of administration within and

across the boundaries.

In addition, policies better clarify how management and administration will be handled,

which ultimately trickle down to profiles and configuration settings to create a managed

and administered Windows Server 2008 R2 environment.

Best Practices

The following are best practices from this chapter:

. Clearly understand your roles and responsibilities in the enterprise network and

understand how the different components that make up the network communicate

and rely on one another.

. Choose the appropriate administrative model (central, distributed, or mixed) for the

organization based on required services and skill sets in each location.

. Always define the site for physical locations to accurately model the WAN and LAN

architecture, even if those locations don’t contain domain controllers.

. Always define all subnets in the Active Directory Sites and Services to ensure that all

ptg

domain computers can be located to their closest Active Directory resources.

. Use site links to accurately reflect the WAN and LAN topology.

. Use site policies to define custom network security settings for sites with higher

requirements or to delegate administrative rights when administration is performed

on a mostly geographic basis.

. Ensure that sites contain local network services, such as domain controllers, global

catalog servers, DNS servers, DHCP servers, and, if necessary, WINS servers.

. Use security groups to create distribution lists.

18

. Create a universal group to span domains, but have only a global group from each

domain as a member.

. Use local and group policies to manage users and desktops.

. Modify Group Policy security entries to limit Group Policy application to specific

users or computers.

. Reduce the OU levels and the number of GPOs by consolidating multiple GPOs into

a single GPO where possible to improve logon and startup performance.

. Use Group Policy Modeling to view and troubleshoot the way group policies are

applied.

. Use the Print Management console added in to Windows Server 2008 R2 to centrally

view, manage, and administer printers in the network environment.

This page intentionally left blank

ptg

CHAPTER 19

IN THIS CHAPTER

Windows Server 2008 R2
. Group Policy Overview

. Group Policy Processing—

Group Policies and

How Does It Work?

. Local Group Policies

Policy Management
. Security Templates

. Elements of Group Policy

. Group Policy Administrative

Since the inception of computer networks, there has been

Templates Explained

a need and a desire to centrally administer and configure

devices on the network. As small campus and corporate

. Policy Management Tools

networks evolved and became connected with other institu-

. Designing a Group Policy

tions, security concerns prompted the requirement to

Infrastructure

secure access to resources and to limit administration of

connected devices.

. GPO Administrative Tasks

With Microsoft networks, the solution to the security

ptg

concern was first addressed with the Windows NT file

system (NTFS) and with Windows domains, system policies

addressed the centralized security and configuration

requirements. Starting with Windows 2000 Server and the

introduction of Active Directory, system policies have now

evolved into what we now know as group policies, which

are discussed in this chapter.

This chapter presents an overview of the concepts and

application of the newly revised Windows Server 2008 R2

Group Policy infrastructure used to manage Windows

Active Directory networks.

Group Policy Overview

The Microsoft Group Policy infrastructure is a complex

system that utilizes several features and services included in

the Windows server and client operating systems and the IP

networks that these systems reside on.

In its simplest concept, Group Policy is a mechanism used

to centrally secure, configure, and deploy a common set of

computer and user configurations, security settings, and, in

586

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

some cases, software, to Windows servers, Windows workstations, and users in an Active

Directory forest.

The Group Policy infrastructure enables organizations to enforce configurations, simplify

desktop administration, secure access to network resources, and, in some cases, meet regu-

latory compliance requirements. As an example of this, group policies can be configured

to apply and enforce an end-user password policy that requires complex passwords that

must exceed seven characters and that must also be changed every 30 days. Another

sample policy can be configured to enable the Windows Firewall on client workstations,

remove an end user’s ability to disable it, including local administrators, and allow the

corporate desktop support team to remotely administer these workstations while they are

connected to the corporate network or virtual private network (VPN).

Group Policy settings and reliability have changed tremendously since they were first

introduced in Windows 2000 Server. In the Windows 2000 Server version, Group Policy

Objects (GPOs) lacked many features and basically were not as resilient to network

changes and many of the advanced functions just did not work. With Windows XP and

Windows Server 2003, many features were fixed and new settings were introduced. With

Windows Server 2008 and Windows Vista, many of the pain points realized in the previ-

ous versions were resolved and the infrastructure was in many ways rebuilt from the

ground up to improve network performance and add functionality. Now with the release

ptg

of Windows Server 2008 R2 and Windows 7, many of the new Group Policy features of

the Windows Vista and Windows Server 2008 infrastructure have been further improved

and extended to provide more out-of-the-box functionality.

This chapter addresses the administration and management of GPOs for Windows XP,

Windows Vista, and Windows 7 client operating systems as well as Windows Server 2003,

Windows Server 2008, and Windows Server 2008 R2 server operating systems.

Group Policy Processing—How Does It Work?

The way a group policy is processed is determined by a number of different settings and

criteria. Computers and users process policies differently; furthermore, each policy also

can contain specific settings to define how and when a policy will be processed.

GPOs contain a revision number for both the computer and user configuration section of

the policy. By default, if the revision number has not changed since the last application of

the GPO, most of the GPO processing is skipped. Certain portions, however, such as the

computer startup and shutdown scripts and the user logon and logoff scripts, are

processed each time a GPO is processed during that cycle.

Computer GPO Processing

Computers process policies in a predetermined order and during certain events. Group

policies are applied to computer objects during startup, shutdown, and periodically during

the background refresh interval. By default, the refresh interval is every 90 minutes on

member servers and workstations with an offset of 0 to 30 minutes. On domain

controllers, group policies are refreshed every 5 minutes. The offset ensures that not all

Group Policy Processing—How Does It Work?

587

domain computers refresh or process group policies simultaneously. When a computer

starts up, if the computer can successfully locate and communicate with an authenticating

domain controller, GPO processing will occur. During GPO processing, the system checks

each linked or inherited GPO to verify if the policy has changed since the last processing

cycle, to run any startup scripts and check for any other requirement to reapply policy.

During the shutdown and refresh interval, the GPOs are processed again to check for any

updates or changes since the last application cycle.

Computer GPO processing is determined by GPO links, security filtering, and Windows

Management Instrumentation (WMI) filters.

User GPO Processing

GPO processing for users is very similar to GPO processing for computers. The main differ-

ences are that GPO processing for users occurs at user logon, logoff, and periodically. The

default refresh interval for user GPO processing is 90 minutes plus a 0- to 30-minute offset.

User GPO processing is determined by GPO links and security filtering.

Network Location Awareness

ptg

Network Location Awareness (NLA) is a service built in to Windows that is used to deter-

mine when the computer has connectivity to the Active Directory infrastructure. The

Group Policy infrastructure utilizes NLA to determine whether to attempt to download

and apply GPOs. This Group Policy function is called slow link detection.

In previous versions, Group Policy processing used slow link detection to determine if the

network was reliable enough to process and apply policies. Slow link detection relied on

the Internet Control Message Protocol (ICMP) or Ping to test for network connectivity and

was not very reliable. Due to this specification, Group Policy processing on mobile and

remote client workstations was very unreliable. When a mobile client workstation

connected to the corporate network through a VPN connection or after waking from

hibernation or sleep mode, the change in network connectivity usually passed by unno-

ticed and GPOs were not applied or refreshed. In these cases, the only way to get these

clients to apply their GPOs was to have them manually run a Group Policy update from

the command line or have these machines reboot while connected to the corporate

19

network via wired Ethernet connections.

Group Policy processing on Windows Vista, Windows 7, Windows Server 2008, and

Windows Server 2008 R2 now utilize the rebuilt Network Location Awareness (NLA)

service to detect network changes. The new NLA service is much better at detecting

changes to network connections, and when a connection is established, NLA checks for

domain controller connectivity. If a domain controller can be contacted, the NLA service

notifies the computer Group Policy service, which, in turn, triggers Group Policy process-

ing for both computer- and user-based Group Policy settings. The NLA service is not

dependent on ICMP or Ping, which on its own makes it more reliable. The NLA service

should run on most networks without any special configuration on the network devices or

network firewalls, even if ICMP communication is disabled or blocked by the firewall.

588

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

Managing Group Policy Processing with GPO Settings

Within the Policies\Administrative Templates\System\GroupPolicy section of both the

Computer Configuration and User Configuration nodes of a GPO, as shown in Figure

19.1, an administrator can review and control how group policies will be processed. These

Other books

Monster Hunter Nemesis by Larry Correia
Earth to Emily by Pamela Fagan Hutchins
Date With the Devil by Don Lasseter
Shaken (Colorado Bold Book 1) by McCullough, Maggie
Deadly Call by Martha Bourke
Begin Again by Christy Newton