Microsoft Server 2008 R2: Active Directory and Group Policies

Active Directory Review/Updates
- Now called Active Directory Domain Services in the 2008/R2 world
- Big database of objects, used to centrally manage all objects of an organization
- DNS is required for ADDS: DNS SRV records are used to locate domain controllers running specific services
- 70% of AD problems are directly related to DNS

Active Directory Review/Updates
- 2008 R2 supports fine-grained password policies
- 2008 R2 functional level is required to support the Active Directory Recycle Bin

AD User Management
- New GUI called Active Directory Administrative Center
- Administrative Tools on Server 2008
- Available on Windows 7 by installing Remote Server Administration Tools
- Native PowerShell support for managing users and groups

AD with PowerShell
- Creating users
  Command: new-aduser "Joe Smith"
- Getting help
  Command: help new-aduser
  Command: get-help new-aduser -examples
  Command: get-help new-aduser -detailed

AD with PowerShell
- Creating many users: ADUC? ADAC? PowerShell, one at a time? CSVDE? (sorta)
  Command: import-csv c:\users.csv | foreach { new-aduser -Name $_.Name -SamAccountName $_.SamAccountName ... } (and so on for the other attributes)

AD with PowerShell
- Unlocking user accounts
  Command: unlock-adaccount -identity jsmith
- Resetting passwords
  Command: set-adaccountpassword -identity jsmith -reset -newpassword (read-host "Please enter the new password" -assecurestring)
- Display user attributes
  Command: get-aduser "joe smith" -properties * | more
  Command: get-aduser "joe smith" -properties homedirectory

Group Policies
- Policies are "all or nothing": only policy settings that are enabled are read. If you choose to filter permissions, none of the GPO settings will apply; it is all or nothing.
- Policies are inherited and cumulative
- Policies are refreshed every 90 minutes with a 30 minute randomization; DCs are refreshed every 5 minutes

Benefits
- Publish or assign software
- Assign startup, shutdown, logon, logoff scripts
- Define password, lockout and audit policies
- Standardize user settings
- Define and enforce Internet Explorer settings
- Define and enforce restrictions on desktops
- Redirect folders
- Configure and standardize settings such as offline folders, quotas, etc.

GPO Concepts
- Policies are applied from the bottom up. Rules that apply:
  - Listen to the last policy you heard from
  - Execute policies from the bottom up as they appear in the GUI
- Account Policies cannot be applied at OUs; they can only be applied at the domain level.

GPO Planning: OU Design
- Create separate OUs for computers and users
- Segment machines/users into roles by OU. Examples:
  - Servers: Exchange Servers, Terminal Servers, Web Servers, File and Print, etc.
  - Workstations: Desktops, Laptops, task stations, etc.
  - Domain Controllers: leave in the Domain Controllers OU (with the Default Domain Controllers Policy GPO linked)
  - Users: IT Staff, Engineers, Shop Floor, Laptop Users, etc.
- By default, all new accounts are created in cn=Users or cn=Computers (these containers cannot be linked to GPOs). However, if you have a Windows Server 2003 domain: run "RedirUsr.exe" and "RedirCmp.exe" in your domain to specify the new default OUs in which all new user / computer accounts will be created. This allows you to manage new accounts through Group Policy when you don't specify an OU at account creation.
- Limit who can create / update / link GPOs (delegation)

GPO Planning: GPO Design
- GPO naming conventions make it consistent and easy to interpret; simply use a clear name to describe the intent of the GPO
- How significant is the number of GPOs applied? 999 is the maximum number of GPOs applied

Planning: Deployment Test, Stage, and Production
- It's a "good thing" if you: Test - Stage - Test - Deploy - Validate
- Group Policy Modeling (a more elegant face on RSoP Planning)
- Backup/Copy/Import (including migration tables)
- Documentation: HTML or XML reports

Planning: Disaster Recovery
- GPMC Backup / Restore handles a GPO as a logical entity
- Automate GPO backup using GPMC scripts: BackupAllGPOs or BackupGPO
- Regularly test GPO restore in your environment: RestoreAllGPOs or RestoreGPO
- Think about building/rebuilding your staging environment

Planning: Disaster Recovery
- Be aware of what is NOT included in a backup of a GPO and plan accordingly:
  - IPSec settings, which live in CN=IP Security,CN=System,DC=xxxx (AD backup handles this); the GPO includes just the link to this data
  - WMI filters (only the filter link is backed up); the filter itself is stored in AD, so your AD backup covers this
  - GPO links from sites, domains or OUs, since they are not an attribute of the GPO (again, AD backup covers this)
- Don't rely on DCGPOFix (last resort tool!). DCGPOFix returns the default GPOs to the clean-install state (not an upgrade) and they are unlinked; use your own backup instead

Planning: Group Policy Dependencies
- DNS: many "Group Policy problems" turn out to be related to DNS misconfiguration
- Don't touch the Policies directory in Sysvol (including playing with ACLs); manage through supported tools only. If you plan to delete Sysvol... well, don't!

Planning: Group Policy Dependencies
- ICMP, at network routers or in TCP/IP configuration (clients or DCs): used to validate connectivity to a DC and for slow link detection (uses Ping)
  - Policy is not applied if the client cannot reach a DC
  - If you absolutely must disable ICMP, disable slow link detection; but then a "fast link" is assumed, so consider the impact on software installation and folder redirection
- With no connectivity to a DC at logon (i.e. a remote machine) policy will not process, unless you check the "Logon using dial-up connection" check box at the logon prompt

So Many Policy Settings: Where Do I Start?
- Know the Policy Settings Reference Spreadsheet and use its filters: /fwlink/?linkid=22031 (PolicySettings.xls)
- Consider the Group Policy Common Scenarios
- Iterative deployment: start small and build
  - Security
  - Operating System/Application Configuration
  - IE Maintenance
  - Software Installation

Group Policies: Administrative Templates
- Know the benefits of a "true policy" (as compared to preferences):
  - Security: only local administrators can edit true policy settings
  - No tattooing: if the GPO goes out of scope, its settings are removed
  - Respect for user preferences: after a policy setting is removed/unlinked, the original user preference remains

Group Policies: Machine/User Scripts
- Async logon/logoff scripts finish in a non-deterministic order; don't rely on one script completing before another
- Startup scripts run in the security context of the computer (requires access to the script and referenced resources)
  - The computer needs access to scripts and referenced resources over the network at boot time
  - If a script uses only local machine resources, you can copy scripts to the local hard disk and reference them accordingly in the GPO (consider use of environment variables such as %windir% for machine differences)

Group Policies: Folder Redirection
- Do not pre-create folders (ACL issues)
- If the server is Windows 2000, do not redirect folders to the same machine used for Roaming User Profiles (fixed in Windows Server 2003)
- Do not redirect the Application Data folder (particularly if logged on from multiple computers): exclusive locks, absolute paths, network latency
- You cannot redirect to a mapped drive (folder redirection occurs before mapping of drives)

Group Policies: RSoP
- No Group Policy Results data available for IPSec, Wireless, and Disk Quota on Windows 2000 (but you can simulate using Group Policy Modeling)
- Group Policy Modeling can only simulate the following: slow link status, loopback
- Also, Modeling doesn't know about the LGPO

Group Policies: Software Installation
- For machine assignment a reboot is necessary (to initiate the install); an application that should be installed through machine assignment is GPMC (since it's an MMC snap-in)
- When assigning apps, keep async policy processing in mind. In some cases, two logons or reboots may be necessary; consider the "Wait For Network At Computer Startup and Logon" policy setting (this extends boot and logon times)
- Limit use of security filtering with software distribution GPOs; filtered-out users may include users who need to have application admin rights

Troubleshooting
- Know your reporting options: Group Policy Modeling, Group Policy Results, Event Log (exposed through GPMC)
- Know your tools
  - With the operating system: GPUpdate
  - WS 2003 Resource Kit: GPOTool, GPMonitor
  - Download Center: GPInventory
- Know your log files: UserEnv (Core Engine), WinLogon (Security), FDeploy (Folder Redirection), Appmgmt.log (software installation), Gpmgmt (GPM
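The "AD with PowerShell" slides above show the CSV-to-New-ADUser pipeline only as a one-liner. The script below is an added example, not from the slide deck, that fills it out: the CSV columns (Name, SamAccountName, GivenName, Surname, Department), the target OU and the CSV path are assumed placeholders, the initial password is read once as a SecureString rather than stored in the CSV, and rows for accounts that already exist are skipped instead of aborting the run.

```powershell
# Added example (not from the slide deck): bulk user creation from a CSV with the
# Active Directory module that ships with Server 2008 R2 / RSAT on Windows 7.
# Assumed CSV columns (constructed): Name,SamAccountName,GivenName,Surname,Department
# Assumed target OU and CSV path: placeholders, replace with your own.
Import-Module ActiveDirectory

$csvPath  = 'C:\users.csv'
$targetOu = 'OU=Engineers,OU=Users,DC=example,DC=com'   # placeholder DN

# Prompt once for an initial password; it stays a SecureString in memory
# instead of living in the CSV or in the script.
$initialPassword = Read-Host 'Initial password for new accounts' -AsSecureString

Import-Csv -Path $csvPath | ForEach-Object {
    $row = $_   # keep the CSV row; inside catch, $_ is the error record

    # Skip rows whose sAMAccountName already exists rather than failing the whole run.
    $existing = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                           -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Skipping $($row.SamAccountName): account already exists"
        return   # in ForEach-Object this moves on to the next row
    }

    try {
        New-ADUser -Name $row.Name `
                   -SamAccountName $row.SamAccountName `
                   -GivenName $row.GivenName `
                   -Surname $row.Surname `
                   -Department $row.Department `
                   -Path $targetOu `
                   -AccountPassword $initialPassword `
                   -ChangePasswordAtLogon $true `
                   -Enabled $true `
                   -ErrorAction Stop
        Write-Output "Created $($row.SamAccountName) in $targetOu"
    } catch {
        Write-Warning "Failed to create $($row.SamAccountName): $($_.Exception.Message)"
    }
}
```

Creating the accounts directly in a role OU (rather than cn=Users) means the OU-linked GPOs from the "OU Design" slide apply to them from the first logon.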
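The "Deployment" and "Disaster Recovery" slides call for automated GPO backups, HTML/XML documentation and regular restore tests in a staging environment. The script below is an added example, not from the slide deck, using the GroupPolicy module installed with GPMC on 2008 R2 in place of the deck's BackupAllGPOs script; the backup root, the staging domain name and the migration table path are assumed placeholders.

```powershell
# Added example (not from the slide deck): nightly GPO backup with per-GPO
# HTML/XML reports, plus an import into a staging domain to exercise restores.
# Assumed placeholders: $backupRoot, $stagingDomain, $migrationTable.
Import-Module GroupPolicy

$backupRoot = 'D:\GPOBackups'                       # placeholder
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$backupDir  = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Back up every GPO as a logical entity (GPC settings + Sysvol GPT files).
# Not captured, per the deck: IPSec policies, the WMI filters themselves and the
# site/domain/OU links, so keep the AD system-state backup alongside this one.
$backups = Backup-GPO -All -Path $backupDir -Comment "Scheduled backup $stamp"

# Document each GPO next to its backup: HTML for people, XML for diffing between
# runs. The XML report also records the LinksTo data the backup itself lacks.
foreach ($gpo in Get-GPO -All) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $base     = Join-Path $backupDir $safeName
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$base.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml  -Path "$base.xml"
}

# Exercise the restore path in staging, as the deck advises. A backup from a
# different domain is imported rather than restored; the migration table (built
# in GPMC) maps production SIDs and UNC paths to their staging equivalents.
$stagingDomain  = 'staging.example.com'                                # placeholder
$migrationTable = Join-Path $backupRoot 'prod-to-staging.migtable'     # placeholder
foreach ($b in $backups) {
    Import-GPO -BackupId $b.Id -Path $backupDir -TargetName $b.DisplayName `
               -Domain $stagingDomain -MigrationTable $migrationTable `
               -CreateIfNeeded | Out-Null
}

Write-Output "Backed up $($backups.Count) GPOs to $backupDir and imported them into $stagingDomain"
```

In production itself, Restore-GPO with the same backup directory is the supported path back; DCGPOFix, as the deck notes, rebuilds only the two default GPOs and leaves them unlinked.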
