Saturday, June 28, 2008

Windows Server 2008 Domain Group Policy

Domain-based GPs offer a much more flexible and configurable set of standards and settings for your organization than local GPs. In this section, I'll discuss the four most common methods of managing your IT assets centrally using domain GP: configuring a security standard, installing software using the IntelliMirror technology found in Windows Server 2008, redirecting folders present in the user interface to network locations, and writing and launching scripts triggered by events such as logons and logoffs.


Security Settings

As discussed earlier, one of the most useful aspects of GP is its ability to control security settings and configuration from a central location within the organization. Security policy comprises three key components: restricted groups, Registry settings, and filesystem settings. In this section, I'll take a look at each of them.


Restricted groups

The restricted groups option allows you to modify the current group configuration and membership on your client computers. When this policy is applied to workstations and servers, their individual group configurations are modified to match the configuration inside the policy. The policy contains a Members list and a Member Of list; the Members list overwrites whatever membership the target computers currently have. For example, if you were to add the Administrators group to the policy but not add any users to its Members list, and then you applied the policy, Windows would remove every user currently in that group on the client computers. The other facet of the policy, the Member Of list (the groups of which the added group is a member), is only additive: if the list is empty, no modifications are made to the client computers. Only additions are processed and changed.

Only the groups listed inside the Details window of the Restricted Groups policy branch can be modified using the policy, but it's a great way to keep individual users from modifying powerful groups on their own systems.

To modify the restricted groups policy, do the following:

1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.

2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, and Security Settings.

3. Right-click the Restricted Groups branch and select Add Group from the context menu.

4. Click the Browse button, and select any group currently inside your directory. Click OK.

5. Now, right-click the newly added group, and select Properties from the context menu.

6. Add the users that belong to this group to the "Members of this group" list, and add the groups within which this group is nested to the "This group is a member of" list. Use the Add button in both cases.

7. When you're finished, click OK to close out the boxes.
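As an added illustration that is not from the book or this post, the Python below simulates the Members/Member Of semantics described above: it parses a constructed [Group Membership] fragment of the kind a security template (GptTmpl.inf) carries for Restricted Groups, applies it to a constructed local group state, and reports which local members the policy would strip, which is the check worth running before linking such a GPO. Group names stand in for the SIDs a real template uses.

```python
from copy import deepcopy

# Constructed [Group Membership] fragment in the form a security template
# (GptTmpl.inf) uses for Restricted Groups; group names instead of SIDs for readability.
POLICY = r"""[Group Membership]
Administrators__Members = CORP\Domain Admins,CORP\Workstation Admins
Administrators__Memberof =
CORP\Helpdesk__Memberof = Remote Desktop Users
"""

# Constructed local group state of a workstation before the policy applies.
LOCAL_GROUPS = {
    "Administrators": {r"CORP\Domain Admins", r"WS01\localadmin"},
    "Remote Desktop Users": {r"WS01\bob"},
}

def parse_group_membership(text):
    """Return {group: {"members": [...] or None, "memberof": [...]}}.
    A missing Members line means 'not configured'; an empty one means 'empty list'."""
    policy = {}
    for line in text.splitlines():
        if "__" not in line or "=" not in line:
            continue  # section header and blank lines
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        names = [n.strip() for n in value.split(",") if n.strip()]
        entry = policy.setdefault(group, {"members": None, "memberof": []})
        entry[kind.lower()] = names
    return policy

def apply_restricted_groups(local_groups, policy):
    """Apply the policy to a copy of local_groups and return the resulting state."""
    state = deepcopy(local_groups)
    for group, lists in policy.items():
        if lists["members"] is not None:
            # Members is authoritative: the client's list is replaced outright,
            # so an empty list strips every current member.
            state[group] = set(lists["members"])
        for parent in lists["memberof"]:
            # Member Of only adds; an empty list changes nothing.
            state.setdefault(parent, set()).add(group)
    return state

def removed_members(before, after):
    """Who the policy would strip: review this before linking the GPO."""
    return {g: sorted(m - after.get(g, set())) for g, m in before.items()
            if m - after.get(g, set())}
```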


Filesystem and Registry policy

You also can use GPs to configure permissions on filesystem objects and Registry keys. You can set entries on the ACLs of individual files, folders, and Registry keys from a central location. If you make this change at the domain-wide level—one of the few changes I recommend and endorse at that level—registries are protected against meddling users all over the enterprise, which is definitely a benefit.

To add a Registry key to be protected to a GPO, follow these steps:

1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.

2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, Security Settings, and Registry. Right-click Registry and select Add Key from the context menu.

3. You can add one Registry key at a time, and you can selectively apply permissions to each key.

To add a file or folder to be protected to a GPO, follow these steps:

1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.

2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, Security Settings, and File System. Right-click File System and select Add File from the context menu.

3. You can explore the entire directory structure, select a file, and then selectively assign permissions to files and folders.

If you select the option to configure the file or folder, you also need to choose how the permissions are applied. If you choose to apply inheritable security to this file or folder and to its subfolders, the new permissions are applied to all child objects that do not have a permission or ACL entry explicitly set. This preserves your custom permissions on a tree but also automatically overwrites permissions that were simply inherited by default. If you choose to replace existing security for this file or folder and its subfolders, you overwrite all permissions on any child folders, including those permissions explicitly set.

If you'd rather not have any of these methods used to apply permissions, simply choose the following option: "Prevent the application of security policies to this file or folder and its subfolders." Doing so will make child files and folders immune to the permissions assigned by this new policy.


Source: O'Reilly, Windows Server 2008: The Definitive Guide
