Design a Group Policy strategy

MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)


Learning Objectives • Design Organizational Units to support an administrative model • Understand Group Policy basics • Design a Group Policy strategy • Configure different Group Policy settings • Configure advanced GPO settings • Implement fine-grained policies using a password settings object


Designing Organizational Units • Forest and domains design – Different for different goals

• Two important reasons to use OUs – Managing with Group Policy – Delegation of control

• Active Directory Domain Services (AD DS) structure – Supports autonomy and isolation goals


Using OUs for Group Policy • Group Policy Objects (GPOs) – Linked to sites, domains, OUs – Used to manage users and computers – Set different security policies, configure standards, restrict usage, deploy applications, etc.

• Organizing users and computers in OUs – Allows management with a single OU

• GPOs cannot be linked to: – The Users container – The Computers container

Figure 4-1 An example of how OUs can be created within a domain Courtesy Course Technology/Cengage Learning


Using OUs to Delegate Control • Administrative tasks often delegated to administrators – Perform tasks specific to their area of responsibility • Need appropriate permissions and privileges • Consider basic security principle of least privilege

• Delegation of Control Wizard – Available within Active Directory Users and Computers

• For specific users or groups: – Create OUs and move AD objects to the OU

Figure 4-2 Starting the Delegation of Control Wizard Courtesy Course Technology/Cengage Learning


Using OUs to Delegate Control (cont’d.) • Activity 4-1: Delegating Control with the Delegation of Control Wizard

Figure 4-3 Delegating permissions to change passwords Courtesy Course Technology/Cengage Learning


Using OUs to Delegate Control (cont’d.) • Activity 4-2: Delegating Full Control with the Delegation of Control Wizard

Figure 4-4 Delegating Full Control permissions to a group Courtesy Course Technology/Cengage Learning


Designing Organizational Units • Understand the two benefits and purposes of OUs – Makes design easier

• Technical reasons to design OUs – Delegate control or manage objects using Group Policy

• Another reason to create OUs – Logically organize users and computers


Designing Organizational Units (cont’d.) • OU design characteristics – OUs created for administrators’ use – OUs completely separate from DNS – OUs easy to modify

• OU design options – Organizational structure – Geography – Hybrid

• May further refine the OU structure – Objects separated in different OUs

Figure 4-5 A hybrid OU design based on geography and the organizational hierarchy Courtesy Course Technology/Cengage Learning


Designing Group Strategies • Assign permissions to groups - not users • Groups identified by their group scope – Universal – Global – Domain local

• Groups can be added together – Added to other global groups (nesting) – Added to universal groups – Added to domain local groups

Figure 4-6 Understanding groups Courtesy Course Technology/Cengage Learning

Figure 4-7 Group policy strategy using universal groups Courtesy Course Technology/Cengage Learning


Redirecting Placement of New Accounts • All new computers joined to the domain – Automatically added to the Computers container

• User accounts created without specifying the OU – Placed in the Users container by default

• Redircmp and redirusr commands – Redirect new account placement

• Distinguished name (DN) – Uniquely identify objects in any Lightweight Directory Access Protocol (LDAP)-based directory – Three most common elements: CN, OU, DC

Redirecting Placement of New Accounts (cont’d.) • Example: full DN of the AR OU (a child of the Accounting OU) within the Cengage.com domain – OU=AR,OU=Accounting,DC=Cengage,DC=com

• Ensure all new computers joined to the Cengage.com domain – Added to the NewComputers OU • redircmp OU=NewComputers,DC=Cengage,DC=com

• Ensure users created without specifying a target OU – Created in the NewUsers OU • redirusr OU=NewUsers,DC=Cengage,DC=com

Reviewing Group Policy Basics • Group Policy tool – Automates user and computer management

• Topics covered: – Group Policy scope – Group Policy inheritance and order of precedence – Group Policy setting categories – Default Group policies – Group Policy Management console – Starter GPOs

Group Policy Scope • GPO applied to a site, a domain, OU – Applies to all user and computer objects at that level

• GPO applied to a site can affect: – One or more domains – Part of a domain – Entire domain


Figure 4-8 Comparing sites and groups with Group Policy Courtesy Course Technology/Cengage Learning

Group Policy Scope (cont’d.) • Can have a single domain in a single site – No difference between linking a GPO to the site or linking the GPO to the domain

• GPOs linked to the domain – Apply to all objects in the domain • Including objects in the Users and Computers container

• Common to link GPOs to OUs – Applies to: • All objects in that OU • All objects in children OUs (by default)

Figure 4-9 Identifying the scope of GPOs assigned to OUs Courtesy Course Technology/Cengage Learning


GPO Inheritance and Order of Precedence • GPOs applied at domain level – Inherited by all OUs in the domain – Applied to Users and Computers containers in the domain

• GPOs applied to parent OU – Apply to all child OUs

• Occurs because of GPO inheritance – Unless Block Inheritance option used

• GPO inheritance – GPO settings applied at higher levels • Inherited and applied at lower levels

GPO Inheritance and Order of Precedence (cont’d.) • GPO order of precedence – How Group Policy applied – What settings take precedence • If problems with two conflicting settings

• Order of precedence: – Site – Domain – Parent OUs – Children OUs

Figure 4-10 Group Policy and order of precedence Courtesy Course Technology/Cengage Learning

GPO Inheritance and Order of Precedence (cont’d.) • Figure 4-10 summary – IT OU: Telnet service disabled (GPO1 wins) – Computers container: Telnet service disabled (GPO1 wins) – Sales OU: Telnet service enabled (GPO2 wins) – Direct OU: Telnet service disabled (GPO3 wins)


Group Policy Setting Categories • Commonly used categories of GPO settings – Software settings – Windows settings – Security settings – Administrative templates – Preferences

Default Group Policies • Promotion of first server in the domain to a domain controller – Two default Group Policy objects created • Default Domain policy • Default Domain Controllers policy

• Policies have several different settings – Mostly related to security

• Policies provide a starting point • Policies can be modified • Additional group policies can be added

Figure 4-11 Group Policy Management console showing Default Domain policy Courtesy Course Technology/Cengage Learning

Default Group Policies (cont’d.) • Default Domain policy – Linked at the domain level – Applies to all users and computers in the domain

• Default Domain Controllers policy – Linked to the Domain Controllers OU – Has more stringent security applied • Adds a stronger layer of security for domain controllers


Group Policy Management Console • Group Policy Management Console (GPMC) – Primary tool used to create and manipulate Group Policy

• GPMC tasks – Create and modify GPOs – Link and unlink GPOs – Modify advanced options • Enforced and Block Inheritance


Group Policy Management Console (cont’d.) • GPMC tasks (cont’d.) – Modify permissions on GPOs – View the settings of GPOs – Backup and restore GPOs – Plan and document GPOs

Starter GPOs • Templates of GPOs – Can accelerate the use of GPOs in an organization

• Collections of preconfigured Administrative templates – Only include settings within the Administrative Templates node of a Group Policy

• Can create Starter GPOs • Can download preconfigured Starter GPOs – Add them to the GPMC

• Activity 4-3: Applying a Starter GPO

Figure 4-12 Adding a Starter GPO cabinet file to the GPMC Courtesy Course Technology/Cengage Learning

Figure 4-13 Viewing the Starter GPO settings Courtesy Course Technology/Cengage Learning

Group Policy Settings • Group Policy settings covered: – Device installation restrictions – Restricting group membership – Deploying applications – Internet Explorer proxy settings – Implementing printer location policies – Configuring IPSec settings

Device Installation Restrictions • Most risky device in an organization – USB flash drive

• Organizations seek ways to control device installation • Group Policy – Provides several settings to • Restrict installation of devices and/or device drivers


Device Installation Restrictions (cont’d.) • Settings – Allow administrators to override Device Installation Restriction policies – Allow installation of devices using drivers matching these device setup classes – Prevent installation of devices using drivers that match these device setup classes – Display a custom message when installation prevented by policy (balloon text) – Display a custom message when installation prevented by policy (balloon title)

Figure 4-14 Identifying a Device Class GUID using Device Manager Courtesy Course Technology/Cengage Learning

Device Installation Restrictions (cont’d.) • Settings (cont’d.) – Allow installation of devices that match any of these device IDs – Prevent installation of devices that match any of these device IDs – Prevent installation of removable devices – Prevent installation of devices not described by other policy settings

• Settings policy can prevent new device installation – Settings won’t stop devices already installed

Figure 4-15 Controlling the use of removable storage devices Courtesy Course Technology/Cengage Learning

Restrict Group Membership • Restrict Group Membership setting – Useful to control group membership in AD

• Group Policy checks group membership – If extra member added • Group Policy removes member

– If member removed that should be in group • Group Policy adds member

• Group Policy applied every 90 to 120 minutes – Use GPUpdate /force command for immediate refresh

Restrict Group Membership (cont’d.) • Activity 4-4: Implementing Restricted Groups

Figure 4-16 Restricting the membership of the Domain Admins group Courtesy Course Technology/Cengage Learning


Deploying Applications • Must be packaged as: – Windows Installer file (.msi) – Transform file (.mst) – Patch file (.msp)

• Large organizations will use more sophisticated enterprise applications – System Center Configuration Manager (SCCM)

• Any organization can use Group Policy to deploy applications

Deploying Applications (cont’d.) • Two methods – Assigned – Published

• Applications assigned or published to users – Can also be installed through file extension activation


Figure 4-17 Deploying the same application to different sites Courtesy Course Technology/Cengage Learning


Deploying Applications (cont’d.) • Activity 4-5: Deploying an Application

Figure 4-18 Deploying the same application to different sites Courtesy Course Technology/Cengage Learning


Internet Explorer Proxy Settings • Proxy server – Middleman to retrieve the data from the Internet

• Proxy server benefits – Network Address Translation (NAT) – Caching • Conserves bandwidth usage

– Site access restrictions

• Often used in corporate networks – Clients need to be configured to use them

Figure 4-19 Configuring a proxy server on IE Courtesy Course Technology/Cengage Learning

Internet Explorer Proxy Settings (cont’d.) • Activity 4-6: Implementing Internet Explorer Proxy Server Settings

Figure 4-20 Configuring proxy server settings via a GPO Courtesy Course Technology/Cengage Learning


Printer Location Policies • Implemented to provide users with a list of printers – Close to them in an office

• User can see the location of the printer in the search results • Primary Group Policy setting to enable printer locations – Called “Pre-populate printer search location text”


Figure 4-21 Configuring printer location settings Courtesy Course Technology/Cengage Learning


Printer Location Policies (cont’d.) • Configuring setting to Enabled – Enables the Location Tracking feature

• Additional required steps – Ensure network IP Addressing corresponds to the physical layout – Site and subnet objects created in Active Directory Sites and Services • Must match actual sites in the organization

– Naming convention follows a format of location\location • Entered in the sites, subnets, printer properties

IPSec • Internet Protocol Security (IPSec) protocol – Provides both confidentiality and authentication • When data transmitted on a network

• Provides confidentiality by encrypting the data – Uses Encapsulating Security Payload (ESP)

• Provides authentication with an Authentication Header (AH) • Used with Network Access Protection (NAP)


Figure 4-22 Default IPSec policies Courtesy Course Technology/Cengage Learning

IPSec (cont’d.) • Three default policies – Client (Respond Only) – Server (Request Security) – Secure Server (Require Security)

• When IPSec needed – Not uncommon to configure a GPO at the domain level with the Client (Respond Only) GPO • All clients can communicate using IPSec

– Specific systems will have a GPO applied with the Server (Require Security) IPSec policy

Manipulating GPO Deployments with Advanced Options • Advanced options covered – Enforcing GPOs – Blocking Inheritance – Filtering GPOs – Loopback processing

Blocking Inheritance • Might not want inherited Group Policies to apply to an OU – Achieved by setting the Block Inheritance option

• Group Policy design using Block Inheritance – Can only block inheritance at the OU level – All inherited GPOs blocked – GPOs applied directly to the OU still apply


Figure 4-23 Configuring Block Inheritance Courtesy Course Technology/Cengage Learning


Enforcing GPOs • May have policies that should not be: – Overwritten due to conflicts – Blocked by the Block Inheritance setting

• Use the Enforced option • Two points about the Enforced option – Enforced can only be set on a per-GPO basis – Settings in the enforced GPO • Cannot be overwritten or blocked
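
The order of precedence, Block Inheritance and Enforced rules from the preceding slides, combined in one resolver. This is an added example, not code from the book. The container layout is an assumed reading of the Figure 4-10 summary (GPO1 linked at the domain, GPO2 at the Sales OU, GPO3 at the Direct OU as a child of Sales), the Lab OU is hypothetical, and the rule that a higher-level enforced GPO beats a lower-level enforced GPO is standard Group Policy behaviour that the slides do not state.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    enforced: bool = False            # "Enforced" is set per GPO link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # GPO links, in processing order
    block_inheritance: bool = False              # "Block Inheritance" on an OU


def effective_settings(path, gpos):
    """Resolve the settings an object receives.

    path: containers from the site down to the object's own container.
    gpos: {gpo_name: {setting: value}}.
    Returns {setting: (value, winning_gpo)}.
    """
    normal = []            # non-enforced GPOs; later entries overwrite earlier
    enforced_levels = []   # enforced GPOs grouped per level, top-down
    for container in path:
        if container.block_inheritance:
            normal = []    # every inherited, non-enforced GPO is dropped
        enforced_levels.append([l.gpo for l in container.links if l.enforced])
        normal += [l.gpo for l in container.links if not l.enforced]
    # Enforced GPOs are applied after everything else, highest level last,
    # so they can be neither overwritten nor blocked.
    order = normal + [g for level in reversed(enforced_levels) for g in level]
    result = {}
    for name in order:
        for setting, value in gpos[name].items():
            result[setting] = (value, name)
    return result


# Constructed sample data (assumed layout, see the lead-in).
GPOS = {
    "GPO1": {"Telnet": "Disabled"},
    "GPO2": {"Telnet": "Enabled"},
    "GPO3": {"Telnet": "Disabled"},
}


def resolve_all(domain_enforced=False, lab_blocked=False):
    """Return {container: (Telnet value, winning GPO) or None}."""
    site = Container("Site")
    domain = Container("Domain", [Link("GPO1", enforced=domain_enforced)])
    sales = Container("Sales", [Link("GPO2")])
    direct = Container("Direct", [Link("GPO3")])
    lab = Container("Lab", block_inheritance=lab_blocked)   # hypothetical OU
    paths = {
        "IT": [site, domain, Container("IT")],
        "Computers": [site, domain, Container("Computers")],
        "Sales": [site, domain, sales],
        "Direct": [site, domain, sales, direct],
        "Lab": [site, domain, lab],
    }
    return {name: effective_settings(path, GPOS).get("Telnet")
            for name, path in paths.items()}


if __name__ == "__main__":
    for label, kwargs in [
        ("default inheritance", {}),
        ("Lab blocks inheritance", {"lab_blocked": True}),
        ("GPO1 enforced, Lab still blocking",
         {"domain_enforced": True, "lab_blocked": True}),
    ]:
        print(label)
        for container, winner in resolve_all(**kwargs).items():
            print(f"  {container:10} {winner}")
```

With Block Inheritance on the Lab OU and nothing linked to it directly, no GPO configures the Telnet setting there at all; enforcing GPO1 at the domain restores it and also overrides GPO2 on Sales.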


Figure 4-24 Configuring the Enforced option Courtesy Course Technology/Cengage Learning

Filtering GPOs • Filter a GPO to apply it to a select group of users based on group membership • Two most important permissions to understand – Read – Apply Group Policy

• GPO can be filtered in two ways – Select Deny for Apply Group Policy – Remove the Authenticated Users group and add another group


Figure 4-25 Viewing the underlying permissions for a Group Policy Courtesy Course Technology/Cengage Learning


Filtering GPOs (cont’d.) • Advanced permissions page – Can use to manually assign permissions – Not needed to remove the Authenticated Users group and add another group


Figure 4-26 Viewing the underlying permissions for a Group Policy Courtesy Course Technology/Cengage Learning


Filtering GPOs (cont’d.) • Activity 4-7: Filtering a GPO

Figure 4-27 Filtering the Domain Admins group for a GPO Courtesy Course Technology/Cengage Learning

WMI Filtering • Windows Management Instrumentation (WMI) filtering – Used to control how GPOs applied – Allows the inspection of systems • Look for specific conditions on a computer

– Widely used with scripting

• WMI filter used with a GPO – GPO only applied if WMI filter condition met


WMI Filtering (cont’d.) • Work on any computer running Windows XP or later – Not Windows 2000

• Can create a WMI filter to identify the operating system • Most common use of WMI filters – Exception management


Loopback Processing • Allows GPO settings for a computer to override the settings applied to a user • Any computer – Can have multiple GPOs applied • Based on the site, domain, or OU of a computer object

– Conflict resolution • Last GPO applied wins

• Any user – Can have multiple GPOs applied – Conflict resolution • Last GPO applied wins

Loopback Processing (cont’d.) • Conflicts between GPOs applying to the computer and GPOs applying to the user – Resolved by user settings

• This conflict resolution may not be desirable – Example: computer placed in a public place for company employees


Loopback Processing (cont’d.) • GPOs could be applied for a public computer and a user in the IT Admins group – Public Computer: • GPO1 applied to ensure tight security for this computer

– User in the IT Admins group • GPO2 applied to unlock most of the settings locked down on the public computer

• Use loopback processing to: – Ensure public computer stays locked down • No matter who accesses it

Loopback Processing (cont’d.) • Loopback Process mode – Two possible settings when enabled • Replace • Merge
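
The public-computer scenario from the previous slide under both loopback modes, as an added example that is not from the book. It relies on standard loopback behaviour the slides do not spell out: Replace applies only the user settings from the GPOs scoped to the computer, while Merge applies the user's GPOs first and then the computer's, so the computer's GPOs win conflicts. The setting names and values are constructed.

```python
def apply_in_order(gpo_names, gpos):
    """Apply GPOs in sequence; the last GPO applied wins a conflict."""
    result = {}
    for name in gpo_names:
        for setting, value in gpos[name].items():
            result[setting] = (value, name)
    return result


def user_settings(user_gpos, computer_gpos, gpos, loopback=None):
    """User-side settings in effect when a user logs on to a computer.

    user_gpos / computer_gpos: GPO names already in order of precedence for
    the user object and the computer object. loopback: None, "replace" or
    "merge".
    """
    if loopback is None:
        order = list(user_gpos)                  # normal processing
    elif loopback == "replace":
        order = list(computer_gpos)              # user's own GPOs ignored
    elif loopback == "merge":
        order = list(user_gpos) + list(computer_gpos)   # computer's applied last
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    return apply_in_order(order, gpos)


def still_from_user_gpos(resolved, user_gpos):
    """Settings whose winning GPO is one of the user's own GPOs.

    Under Merge, these are settings the computer's lockdown GPO does not
    configure, so the user's GPO still decides them.
    """
    return sorted(s for s, (_, gpo) in resolved.items() if gpo in user_gpos)


# Constructed sample: GPO1 locks down the public computer, GPO2 unlocks
# settings for members of the IT Admins group.
GPOS = {
    "GPO1": {"ControlPanel": "Blocked", "RunMenu": "Hidden"},
    "GPO2": {"ControlPanel": "Allowed", "RegistryTools": "Allowed"},
}
USER_GPOS = ["GPO2"]
COMPUTER_GPOS = ["GPO1"]


def compare_modes():
    """Return the resolved settings for each loopback mode."""
    return {mode: user_settings(USER_GPOS, COMPUTER_GPOS, GPOS, mode)
            for mode in (None, "replace", "merge")}


if __name__ == "__main__":
    for mode, resolved in compare_modes().items():
        print(mode, resolved)
        print("  decided by the user's GPOs:",
              still_from_user_gpos(resolved, USER_GPOS))
```

In Merge mode the RegistryTools setting still comes from GPO2, because GPO1 never configures it; a lockdown GPO used with Merge has to set every value it cares about explicitly.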


Figure 4-28 Using loopback processing Courtesy Course Technology/Cengage Learning

Fine-Grained Account Policies • Significant addition to Windows Server 2008 – Allow more than one account policy within a single domain

• Prior to Windows Server 2008 – Need for group of users to have a more stringent account policy • Handled with a separate domain

• Three groups of Account policies settings – Password Policy – Account Lockout Policy – Kerberos Policy

Figure 4-29 Account policies configured in the Default Domain policy Courtesy Course Technology/Cengage Learning


Requirements for Fine-Grained Policies • Can support fine-grained policies – When domain functional level raised to Windows Server 2008

• Allows some organizations to consolidate multiple domain forests – To single-domain forests

• Requirement – All domain controllers in the domain • Must be running at least Windows Server 2008


Requirements for Fine-Grained Policies (cont’d.) • For extra domains specifically designed to support extra account policies: – Upgrade all DCs in the target domain • To Windows Server 2008

– Raise domain functional level to Windows Server 2008 – Create a fine-grained policy – Migrate accounts to the target domain – Delete older domain


Requirements for Fine-Grained Policies (cont’d.) • Password settings object (PSO) – Created to implement a fine-grained policy

• To create a PSO – Must be a member of the Domain Admins group


Creating Fine-Grained Policies • Two-step process – Create a PSO – Link the PSO to a group

• Not recommended – Linking the PSO to individual users – Assigning permissions to individual users • Use groups instead of users

• Active Directory Service Interfaces Editor (ADSI Edit) tool – Used to create PSOs

Creating Fine-Grained Policies (cont’d.) • Several attributes must be entered

Table 4-1 PSO “mustHave” attributes

Creating Fine-Grained Policies (cont’d.) • Activity 4-8: Creating and Applying a PSO

Figure 4-30 Accessing the Password Settings Container in ADSI Edit Courtesy Course Technology/Cengage Learning

Figure 4-31 Linking the PSO to the G_Researchers group Courtesy Course Technology/Cengage Learning

Summary • Technical reasons to create an OU – Delegate control to a group of users and apply GPOs

• Delegation of Control Wizard – Used to delegate control of OUs to groups

• Group Policy Management console – Used to manage GPOs

• GPOs cannot be linked to the Users and Computers containers in Active Directory • Redircmp and redirusr command-line commands – Used to redirect default location of accounts

Summary (cont’d.) • Group Policy objects (GPOs) – Can be linked to sites, domains, OUs – Settings of GPOs linked to OUs take precedence over settings of site or domain GPOs

• Two GPOs created by default in a domain – Default Domain policy – Default Domain Controllers policy

• Block Inheritance setting – Established on an OU to block all inherited GPOs

• Enforced setting configured on a GPO – Ensures its settings applied within GPO scope

Summary (cont’d.) • Filter GPOs by modifying the permissions • Fine-grained policies – Implemented when the domain is at the Windows Server 2008 functional level

• Password settings object (PSO) – Created with ADSI Edit and applied to groups


Windows Group Policy