Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
but on a domain controller (or any server for that matter), this might be risky. For a
small business, allowing for autoinstall and autoreboot might present more of a risk
than having a tech regularly perform a manual update task.
Delegated Administration
Delegating administration of Active Directory functions is becoming a very common task in medium- and large-size organizations. Delegation tasks, such as allowing the telecom group to update telephone numbers for all Active Directory user accounts or allowing help desk staff to unlock user accounts and reset user passwords, are simple to implement using the Active Directory Users and Computers snap-in. Delegation of Active Directory objects such as user accounts, security and distribution groups, and computer objects is not best handled with domain policies. Instead, these delegation tasks are handled by configuring security permissions at the domain level, at the organizational unit level, or on the particular object itself. One way to simplify or clarify this concept is to remember that if the task will be performed using the Active Directory Users and Computers snap-in, it is delegated by configuring security permissions on a container or object. If the task would normally be performed by logging on to a computer and configuring settings or configuring the profile of a user or group of users, most functions related to this type of task can be performed using domain policies.
CHAPTER 27
Group Policy Management for Network Clients
Group Policy Objects are, in fact, Active Directory objects and delegating Group Policy
administration rights is also performed by configuring security access on Active Directory
containers, such as domains and organizational units. Group Policy management includes
several tasks, which can be delegated in the following configurations:
• New domain group policy creation—This is performed by adding the user account or security group to the domain Group Policy Creator Owners security group or delegating this right using the Group Policy Management Console (GPMC) at the Group Policy Objects container. Although delegating this right allows the user to create new policies, this user or group is not granted the right to edit settings or modify security on existing GPOs.
• Edit settings on an existing GPO—After a GPO is created, the right to edit that particular GPO can be delegated using the GPMC.
• Edit settings, modify security, and delete a GPO—These tasks are delegated using the GPMC on a single GPO at a time. The Modify security right allows the designated user to change the security filtering, basically defining which users and computer objects will apply the policy if these objects are in containers linked to that particular GPO.
• Link existing GPOs—The ability to link GPOs to Active Directory containers is performed by editing the security settings on the particular Active Directory site, domain, or OU. This is known as the Manage Group Policy Links security right.
• Create and edit WMI filters—The right to create new WMI filters or have full control over all WMI filters in a domain can be delegated at the WMI Filters container using the GPMC. Also, the right to edit or grant full control over an existing WMI filter can be delegated to a user or group. Delegating the right to edit or to grant full control does not enable linking WMI filters to GPOs, as that requires edit rights permissions on a particular GPO.
• Perform GPO modeling using GPMC—GPO modeling delegation is performed by editing the security settings on the particular Active Directory site, domain, or OU. This task allows a designated user the ability to perform dry runs or simulated tests to determine the results of linking a policy to a particular container or moving a user or computer object to a different container in Active Directory. This is also known as the Generate Resultant Set of Policy (Planning) security right. If the user running GPMC is not running GPMC on the domain controller, the user needs to be added to the domain's Distributed COM Users security group to run Group Policy Modeling from another system.
• Perform GPO results using GPMC—This task can be performed on local machines if the user is a local administrator and the GPMC is installed. It can also be run by using GPresult.exe from the command line or by loading the rsop.msc Microsoft Management Console snap-in. By default, local administrators can run this tool against all users on a machine. To delegate this right in Active Directory, edit the security settings on the particular Active Directory domain or OU that contains the computer and user accounts. This task allows the user to remotely connect to the computer to query the Group Policy logs to generate a historical report of previously logged Group Policy processing events. This is also known as the Generate Resultant Set of Policy (Logging) security right. To run this task against a remote computer, aside from having this right in Active Directory, the user also needs to be a member of the computer's local Distributed COM Users security group, or the domain group if running modeling or results against a domain controller. Additional configuration might also include possible firewall policy changes on the required computers to enable the remote administration firewall exception.
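The per-GPO delegations just described (edit settings, and edit/modify security/delete) can be audited and granted with the GroupPolicy PowerShell module that installs with the GPMC. This is an added example, not code from the book; it assumes the module is present, and the GPO and group names at the bottom are placeholders.

```powershell
# Added example (not from the book): list every trustee that can change a GPO, and
# delegate edit-only rights on one GPO. On Windows Server 2008 R2 the cmdlets are the
# plural Get-GPPermissions/Set-GPPermissions; later versions keep these names as aliases.
Import-Module GroupPolicy

function Get-GpoDelegationReport {
    param(
        # Permission levels that let a trustee change what a GPO does or who it applies to
        [string[]]$Levels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
    )
    foreach ($gpo in Get-GPO -All) {
        # -All returns every trustee on the GPO rather than one named target
        foreach ($p in (Get-GPPermissions -Guid $gpo.Id -All)) {
            if ($Levels -contains $p.Permission.ToString()) {
                New-Object PSObject -Property @{
                    GpoName     = $gpo.DisplayName
                    Trustee     = $p.Trustee.Name
                    TrusteeType = $p.TrusteeType
                    Permission  = $p.Permission
                    Inherited   = $p.Inherited
                }
            }
        }
    }
}

function Grant-GpoEditRight {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    # GpoEdit only: the group can change settings but cannot modify security or delete the GPO
    Set-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group `
                      -PermissionLevel GpoEdit | Out-Null
    # Read the permission back so the caller sees what was actually granted
    Get-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group
}

# Usage (placeholder names): review all change-capable delegations, then delegate one GPO
Get-GpoDelegationReport | Sort-Object GpoName | Format-Table GpoName, Trustee, Permission -AutoSize
Grant-GpoEditRight -GpoName 'Workstation Security' -GroupName 'HelpDesk'
```

Linking rights and the two Resultant Set of Policy rights are not GPO permissions, so they do not appear in this report; they live on the site, domain, or OU ACL as the text describes.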
Managing Computers with Domain Policies
Managing the configuration and settings of domain servers and workstations can be standardized using domain group policies. Domain group policies offer the advantage of taking user error and mistakes out of the loop by pushing out the configuration and security of computers from a single group policy or a set of group policies. Of course, with this much control it is essential that group policies are tested and tested again to verify that the correct configuration and desired results are achieved with the policies. In the early days of Active Directory domain-based group policies, a few organizations, which will go unnamed in this book, found themselves locked out of their own computers and Active Directory domain controllers because of overrestrictive Group Policy security settings and application of these settings to all computers and users, including the domain administrators. When this situation occurs, a domain controller can be rebooted into Directory Services Restore mode and an authoritative restore of Active Directory might be required.
Before domain group policies can be created and managed, the Group Policy Management Console needs to be installed. Also, if printers will be installed using the Deploy Printer function of Group Policy, the Print Services Tools should also be installed. To install the GPMC and Print Services Tools, perform the following steps:
1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open Server Manager from the Administrative Tools menu.
3. After Server Manager loads, click on the Features node in the tree pane.
4. Select Add Features in the right pane.
5. Scroll down and check the box next to Group Policy Management.
6. Expand Remote Server Administration Tools and expand Role Administration Tools.
7. Check the box next to Print and Document Services Tools and click Next.
8. Confirm the selection and click Install to begin the process.
9. After the process completes, click Close to complete the installation.
Creating a New Domain Group Policy Object
To create a new domain Group Policy Object, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy
Management.
3. If necessary, expand the forest node, the domains node, and the correct domain.
4. Right-click the Group Policy Objects container, and select New.
5. Type in a name for the new GPO.
6. If the starter GPO functionality in the domain is enabled and if a suitable starter
GPO exists, click the Source Starter GPO drop-down list arrow, and select either
(None) or the desired starter GPO.
7. Click OK to create the GPO. In the tree pane of the Group Policy Management
Console window, expand the Group Policy Objects container to reveal the newly
created GPO.
8. After the GPO is created, it can be edited by right-clicking on the GPO and selecting
Edit.
9. Close the Group Policy Management Console and log off of the server.
Creating and Configuring GPO Links
After a GPO is created and configured, the next step is to link the GPOs to the desired
Active Directory containers. To link an existing GPO to an Active Directory container,
perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy
Management.
3. Add the necessary domains or sites to the GPMC as required.
4. Expand the Domains or Sites node to expose the container to which the GPO will be
linked.
5. Right-click the desired site, domain, or organizational unit, and select Link an
Existing GPO.
6. In the Select GPO window, select the desired domain and GPO, and click OK to link it.
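The three procedures above (installing the GPMC and Print Services Tools, creating a GPO, and linking it to a container) can be scripted on the same Windows Server 2008 R2 administrative server. This is an added example, not code from the book; the GPO name, starter GPO name, and OU distinguished name are assumed placeholders.

```powershell
# Added example (not from the book): scripted equivalent of the GUI steps above.
Import-Module ServerManager
Import-Module GroupPolicy

function Install-GpoTools {
    # Feature names behind "Group Policy Management" and "Print and Document Services Tools"
    $needed  = 'GPMC', 'RSAT-Print-Services'
    $missing = Get-WindowsFeature $needed | Where-Object { -not $_.Installed }
    if ($missing) { Add-WindowsFeature $missing }
}

function New-LinkedGpo {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$TargetDn,   # e.g. "OU=Workstations,DC=example,DC=com"
        [string]$StarterGpoName                         # optional, mirrors the Source Starter GPO list
    )
    # Reuse an existing GPO of the same name instead of creating a duplicate
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        if ($StarterGpoName) { $gpo = New-GPO -Name $Name -StarterGpoName $StarterGpoName }
        else                 { $gpo = New-GPO -Name $Name }
    }
    # Link it enabled but not enforced, unless the container already carries this link
    $links = (Get-GPInheritance -Target $TargetDn).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $TargetDn -LinkEnabled Yes -Enforced No | Out-Null
    }
    # Return the link as the container now sees it, so the caller can verify order and state
    (Get-GPInheritance -Target $TargetDn).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
}

# Usage with placeholder names
Install-GpoTools
New-LinkedGpo -Name 'Workstation Security' -TargetDn 'OU=Workstations,DC=example,DC=com' `
              -StarterGpoName 'Windows 7 EC Computer'
```

A newly created GPO contains no settings until it is edited, so linking it before it is configured has no effect on the targeted computers and users.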
Managing User Account Control Settings
Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 contain a security feature called User Account Control (UAC). UAC was created primarily to reduce or prevent unauthorized changes to the operating system configuration or file system. UAC interacts with both nonadministrators and administrators in their desktop environment and runs almost all applications in Standard User mode. When an administrator, regular user, or application attempts to perform an action that can result in a system configuration change or require access to sensitive areas of the operating system or file system, UAC interrupts the change and prompts for authorization or credentials to validate the change or the requested access or elevation desired by the end user.
UAC settings are pretty flexible in allowing applications to run as desired but can require some tuning on the part of the desktop administrator. Many independent software vendors have been able to produce applications that can interact with UAC, but in some cases where functionality or usability of a PC is impacted by UAC, some administrators or organizations may decide to disable UAC completely or just certain UAC settings to optimize the user experience. For situations when UAC is causing undesired issues with applications, if adjusting file security, user rights assignments, or running applications in legacy XP mode does not work, it might be necessary to adjust or disable User Account Control settings. The likely candidates are applications that formerly required the end user to be a member of the local Power Users or Administrators group. UAC settings should not adversely affect the functionality and operation of standard users. On the contrary, UAC actually allows standard users to be prompted for credentials to allow elevation of rights to install software or components that would have failed with previous operating systems with an Access Denied message. If, for some reason, the end user requires local administrator rights to run a legacy application and all other options have failed, then changing UAC security settings in a local computer policy or domain group policy object is required. When UAC security setting changes are required, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Open the Group Policy Management Console from the Administrative Tools menu.
3. Add the necessary domains to the GPMC as required.
4. Expand the Domains node to reveal the Group Policy Objects container.
5. Either create a new GPO or edit an existing GPO.
6. After the GPO is opened for editing in the Group Policy Management Editor, expand
the Computer Configuration node, expand the Policies node, select the Windows
Settings node, and expand it.
7. Expand the Security Settings node, expand Local Policies, and select Security Options.
8. In the Settings pane, scroll to the bottom of the pane to locate the UAC settings. The following list displays the default UAC settings in the Local Computer Policy for Windows Server 2008 R2:
• Admin Approval Mode for the Built-In Administrator Account—Disabled
• Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop—Disabled
• Behavior of the Elevation Prompt for Administrators in Admin Approval Mode—Prompt for consent for non-Windows binaries
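Before loosening any of these settings in a GPO, it helps to know what a machine is actually running. The following added example (not code from the book) reads the registry values that the three Security Options entries above map to and reports whether each still matches the documented Windows Server 2008 R2 default; the computer name is an assumed placeholder, and the remote read requires the Remote Registry service on the target.

```powershell
# Added example (not from the book): compare a computer's effective UAC values with the
# Local Computer Policy defaults listed above.
function Test-UacDefaults {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Security Options policy name, the registry value behind it, and the 2008 R2 default
    $checks = @(
        @{ Policy  = 'Admin Approval Mode for the Built-In Administrator Account'
           Value   = 'FilterAdministratorToken'; Default = 0 },
        @{ Policy  = 'Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop'
           Value   = 'EnableUIADesktopToggle'; Default = 0 },
        @{ Policy  = 'Behavior of the Elevation Prompt for Administrators in Admin Approval Mode'
           Value   = 'ConsentPromptBehaviorAdmin'; Default = 5 }
    )
    # Meaning of the ConsentPromptBehaviorAdmin codes, so the report reads like the policy UI
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey($keyPath)
    foreach ($c in $checks) {
        # A missing value means no policy has overridden the built-in default
        $actual = [int]$key.GetValue($c.Value, $c.Default)
        $shown = 'Enabled'
        if ($actual -eq 0) { $shown = 'Disabled' }
        if ($c.Value -eq 'ConsentPromptBehaviorAdmin') { $shown = $adminPrompt[$actual] }
        New-Object PSObject -Property @{
            Policy    = $c.Policy
            Setting   = $shown
            IsDefault = ($actual -eq $c.Default)
        }
    }
    $key.Close(); $hklm.Close()
}

# Usage with a placeholder computer name: show which UAC settings differ from the defaults
Test-UacDefaults -ComputerName 'WS01' | Format-Table Policy, Setting, IsDefault -AutoSize
```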