Entendendo Diretivas de Grupo Parte 3

Entendendo Diretivas de Grupo Parte 3
Apresentador: Paulo Sant’anna MVP, MCT, MCP, MCSA e MCSE Moderador: Josué Vidal MCT, MCP e MCSA

Tópicos Gerenciamento de Diretivas de Grupo
Segurança Avançada de Diretiva de Grupo Scripts de Diretiva de Grupo Planejamento de Diretiva de Grupo

Pré Requisitos Nível 300 Experiência no suporte Windows Server
Familiaridade com Diretiva de Grupo Familiaridade com Active Directory Conceito básico de scripts Nível 300

Agenda Gerenciando arquivos .ADM Scripts de Diretiva de Grupo
Implementando Segurança Avançada Usando Filtros WMI Migrando GPOs através de Domínios Planejamento de Diretiva de Grupo

Extensão do Modelo Administrativo
Modo simples de configurar a diretiva Maior extensão da Diretiva de Grupo Arquivos .ADM habilitam a interface do usuário [BUILD 1] The Administrative Template Extension is an add-in for the Group Policy Object Editor, and it helps administrators by providing a simple way to configure policy settings and apply those changes to many users and computers throughout the network. You need to be able to modify policy settings quickly and be able to delete policy settings and remove them from all target computers without the risk of old policy settings remaining in the registry. In addition, developers need a way to integrate policy management into new applications. Administrative Templates provides dynamic management capabilities to administrators and an infrastructure for developers to policy-enable their applications. Through the Administrative Template Extension, you can configure settings that lockdown users’ desktops and Start menus, configure logon to computers, and configure Windows components, such as Internet Explorer, Task Scheduler, Windows Messenger, Windows Update, and many more. [BUILD 2] The Administrative Templates Extension is the largest of all available Group Policy extensions and includes more than 700 policy settings for applications and operating system components. These policy settings are applied by modifying the registry on target clients. The Administrative Template Extension consists of a server-side snap-in that is loaded by default in Group Policy Object Editor and a client-side extension that writes policy settings that manipulate registry keys on target client computers. The server-side snap-in loads a predefined set of Administrative Template files, which are text files with an .adm extension that define the registry settings that can be configured in a Group Policy object. [BUILD 3] The .ADM files are Unicode files that consist of a hierarchy of categories and subcategories that define how the options are displayed through the Group Policy Object Editor and GPMC. They also indicate the registry locations where changes should be made if a particular selection is made, specify any options or restrictions that are associated with the selection, and, in some cases, indicate a default value to use if a selection is activated. The only purpose of .adm files is to enable a user interface to configure policy settings. These .adm files do not contain actual policy settings; these are contained in registry.pol files located in the Sysvol directory on the domain controllers. Administrative Template files are stored in two locations by default: inside GPOs in the Sysvol folder and in the Windows\inf directory on the target computer. These files contain all the settings initially displayed in the Administrative Templates node. It’s possible to create custom administrative templates or edit the previous templates to configure settings that are not available in the current templates. Additional Information:

Usando Modelo ADM 2 3 1 Stored on domain controller
Policy applied to client 3 Modify Group Policy 1 SYSVOL Domain Controller Administrative Templates are the primary means of configuring the client computer’s registry settings through Group Policy. Let’s examine how they are modified and applied to the client computer. The first step is for an administrator to create or modify a Group Policy using the Administrative Templates snap-in Extension in the Group Policy Object Editor. [BUILD 1] The policy is stored on the domain controller in the Active Directory database and SYSVOL folder. This makes the policy available for any computers in the domain. [BUILD 2] When a client computer logs on to the domain, it reads the policy, and the settings are applied. Active Directory Database

Modelos ADM Customizados
Uso Não usar para Custom ADM files can be created to extend the use of registry-based policy settings to new programs and components. Fundamentally, the application or service that you’re trying to configure must store settings or other information in the registry. If it does, you can write a custom ADM template that exposes policy settings that can be configured. An administrator should consider creating a policy setting for the following purposes: To help administrators manage and increase security of their desktop computers. To hide or disable a user interface that can lead users into a situation in which they must call the Help Desk for support—in other words, to reduce support overhead. To hide or disable new behavior that might confuse users. This allows administrators to manage the introduction of new features until after user training has taken place. To hide settings and options that might take up too much of users’ time. To control data. You can create policy settings to populate data for your application. Such data usually exists in small sets in the form of numbers, text strings, and so on. For example, a phone dialer could use policy settings to enable administrators to mandate that certain items exist in the phone directory. There are also some circumstances where its use is not recommended to create custom ADM files. For example: Do not create a policy for all of your application settings. Large applications can contain hundreds or even thousands of settings. Be selective about the features you want to enable or disable. Only use Group Policy to manage those features that need to be managed. Do not create a policy if you do not intend to provide support for the policy setting. Treat each policy as a feature that needs to be tested, validated, and supported. Additional Information: Aumentar segurança Desabilitar opções da interface Desabilitar ítens confusos Controlar dados Configurar todos parâmetros Criar diretiva não suportada

Demo demonstração Customizando modelos .ADM

Scripts de Diretiva de Grupo
GPMC Backup de GPOs Criação nova GPO Windows Server 2003 offers some great new scripting opportunities, not the least of which is automation support in the GPMC. As a result, you can now script GPOs to perform common policy-based tasks. The GPMC provides a comprehensive set of COM interfaces for scripting many Group Policy-related operations. You can use standard scripting languages such as VBScrpt and Jscript. A set of sample scripts illustrating the use of these interfaces is also installed with the GPMC. The sample scripts address real-world administrative problems and scenarios, such as deleting a GPO or listing GPOs that are orphaned in SYSVOL. They also illustrate the use of the key scripting objects and methods, providing an overview of the wide variety of tasks that administrators can accomplish with the GPMC. [BUILD 1] The sample scripts include examples written in scripting languages such as VBScript and JScript. They all have the .wsf extension and are executed through Windows Script Host (WSH), which is included with Windows Server 2003 and other recent versions of Windows. The sample scripts include common administrative tasks, such as: Backing up the GPOs in a domain Creating a new GPO Creating a policy environment using an XML file Importing a GPO Setting GPO permissions Listing disabled GPOs in a domain Listing GPO information And more… Criação ambiente usando XML Importação da GPO Interfaces COM Scripts Exemplo Lista GPOs desabilitadas Lista informações GPO

demonstração Demo Scripts da Diretiva de Grupo
Usando Scripts GPMC Mudando o Script Host Engine Usando Scripts para Backup de GPOs

Excluir Contas da Diretiva de Grupo
Domain Controller Typically, if you want Group Policy to apply only to specific accounts, you can put the accounts in an Organizational Unit, and then apply Group Policy at that Organizational Unit level. However, there may be situations where you configure a domain-level policy but you may not want those policy settings to also apply to administrator accounts or to other specific users or groups. [BUILD 1] If you set domain-wide policies to control the computers and users in your enterprise, it is possible that you can restrict, or even lock out, the administrator account or other members of your IT staff to whom you've given administrative permissions. [BUILD 2] To resolve this, you can edit the Access Control List for the policy and exclude any user or group from that policy. This allows you to create domain-wide policies to restrict all users and groups except for your administrators. Additional Information: Administrator

demonstração Demo Configurando ACLs da Diretiva de Grupo
Protegendo o Administrador da Diretiva de Grupo

Delegando Controle da GPOs
Domain Controller In a small or medium-sized organization, administration is typically handled by a few people. As the organization grows, there is an increased need to spread the authority to local administrators. Usually, granting those local administrators access to everything violates corporate rules. You need to be able to delegate permission for specific GPOs, domains, or OUs without giving away everything. The Group Policy Management Console enables you to do just that. At the domain and OU level, you can delegate permissions to users allowing them to link GPOs, run Group Policy Modeling, and view data from Group Policy Results. At the GPO level, you can grant permissions to modify that GPO only. If you are familiar with Windows 2000 GPO administration and miss that way of assigning rights, you can still get to that kind of tool by clicking the Advanced button in the Delegation windows. This gives you very specific permission sets. Additional Information: Help topic: Delegate policy-related permissions on a domain, Organizational Unit, or site Delegate Administrator Delegate

demonstração Demo Delegando a Administração Delegando GPO de Usuário
Delegando “criação GPOs” para ITGroup Delegando GPO de Usuário

Análise e Configuração de Segurança
Funcionamento com Segurança Alta Habilita uma Revisão Rápida [BUILD 1] You can control security on your local computer or on multiple computers by controlling password policies, account lockout policies, Kerberos policies, auditing policies, user rights, and other policies. To create a system-wide policy, you can use predefined security templates that are provided as a starting point for creating security policies that can be customized to meet different organizational requirements. Once you customize the predefined security templates, you can use them to configure security on an individual computer or on thousands of computers. There are several predefined templates that can help you to secure your system based on your needs. These templates are for: Reapplying default settings Implementing a highly secure environment Implementing a less secure but more compatible environment Securing the systemroot [BUILD 2] There are a lot of variables to consider when locking down a system, and if you do it manually there’s a possibility you might miss something. Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. [BUILD 3] The state of the operating system and applications on a computer is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk-management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. [BUILD 4] Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. Additional Information: Garanta que a Diretiva seja Forçada Permite a configuração de segurança local

Demo demonstração Aplicando Modelos de Segurança

Filtros WMI Apenas XP Professional Windows XP Filtro WMI
Domain Controller Filtro WMI Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of GPOs based on attributes of the target computer. This was covered briefly in Part two of this series. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. [BUILD 1] Filtering can be applied so that it restricts policy applications based on user settings, computer settings, or both. WMI filtering can be used to prevent application of a GPO based on the hardware and software configuration of the desktop client. [BUILD 2] For example, you can create filters that apply a policy on computers that have a specific hotfix, apply a policy on all servers located in a specific time zone, assign software only on computers already having either of two software packages, or only target computers running Windows XP Professional. You can also filter on more than one setting, for example, target all computers in the domain running Windows XP Professional that have 512 MB RAM or more and have at least 250 MB free space on their hard drives. A GPO can only be linked to one WMI filter; however, the same WMI filter can be linked to multiple GPOs. WMI filtering uses Windows Management Instrumentation Query Language (WQL), which is based on ANSI SQL. The queries are similar to SQL queries. Additional Information: Windows 2000 Windows XP

demonstração Demo Usando Filtros WMI Aplicando Filtros WMI
Criando Filtros WMI Aplicando Filtros WMI Planejando Filtros WMI

Copiando GPOs entre Domínios
us.contoso.com us.fabrikam.com GPO Backup us.contoso.com uk.contoso.com Many companies have restrictions on testing in the production environment. Separate domains, and sometimes separate forests, can be used to safely test GPO settings without impacting existing users and computers. [BUILD 1] The GPO Copy function allows GPOs to be copied between domains in the same forest. First, a new GPO is created in the target domain with a new GUID, and then the settings of the source GPO are copied to the new GPO. Links and other external objects are not copied. [BUILD 2] Between forests, a two-stage process must be performed. First, back up the source GPO. Then, create a new, empty GPO in the target forest or domain. You then import the backed up GPO to the new GPO. The primary difference between a copy and an import is that a GPO must already exist to perform an import. [BUILD 3] In either a copy or import operation, a migration table may need to be configured to ensure correct settings in the destination domain. This maps hard-coded values in the source GPO to the appropriate values for the production environment. For example, if you were testing a software-deployment GPO that used testing servers as a source path for deploying the software, you would need to create a migration table that searched for all occurrences of the testing deployment server and replaced them with production-deployment server path names. Additional Information: GPMC help for information on GP Results, modeling, backup and restore. GPMC Whitepaper GPMC_Administering.doc in Essential Reading. GPO Import GPO Copy

Demo demonstração Migrando GPOs através de Domínios

Processamento Loopback
Altera ordem de processamento da GPO Processa apenas configurações do computador Combina as configurações do usuário e do computador Group Policy applies to the user or computer in a manner that depends on where the user and the computer objects are located in Active Directory. However, in some cases, users may need policies applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to. [Build 1] Normal user Group Policy-processing specifies that computers located in their OU have the GPOs applied in order during computer startup. Users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate; for example, when you do not want applications that have been assigned to the users in their OU to be installed while they are logged on to the computers in a specific OU. Depending on the settings for the loopback policy, either the computer object’s policies will be applied last or the user object’s policies will be ignored. Either way, the user configuration associated with the computer object will have the higher precedence. [BUILD2] With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific OU. The replace mode tells the system not to query Active Directory for GPOs associated with the user object. It only processes the results of the GPOs that would apply to the computer object. For example, if a user normally has his or her My Documents redirected, it would not be using the replace mode. The only settings that will be applied in this scenario is the one set for the computer object. [BUILD 3] The merge setting takes the results of the GPOs that would be applied to the user object and the results that would apply to the computer object and merges them together. It does this by appending the computer’s list to the end of the user’s list. For example, if a user object has My Documents folder redirected and the Remove Run menu from Start menu disabled, while the computer object only has Remove Run menu from Start menu enabled, the user will have My Documents folder redirected but will not have the Run menu displayed on the Start menu.

Demo demonstração Planejamento do Loopback da GPO

Resumo Gerenciamento e Controle da rede de modo simplificado
Aprimorando a Segurança da rede Planejamento da Diretiva de Grupo simula o comportamento das GPOs antes da implementação [BUILD1] Use Group Policy to deliver managed computing environments through the centralized, one-to-many management it enables. Group Policy saves administration time because you don't have to visit every workstation or write complex scripts to configure these settings. [BUILD 2] Group Policy can be used to enhance the security of your environment. Implementing security is also made easier by using Group Policy. [BUILD 3] The Group Policy Modeling Wizard is a powerful tool for analyzing the impact of making changes to your environment and how those changes will affect your users.

Onde posso obter ajuda? TechNet Brasil
Fóruns TechNet Brasil Grupos de Usuários apoiados pelo TechNet Brasil Colunas TechNet

Contatos Paulo Sant´anna – prscardoso@yahoo.com.br
Josué Vidal –

Entendendo Diretivas de Grupo Parte 3

Apresentações semelhantes

Apresentação em tema: "Entendendo Diretivas de Grupo Parte 3"— Transcrição da apresentação:

Apresentações semelhantes

Sobre projeto

Feedback

Login

Autorizar-se através da rede social:

Entendendo Diretivas de Grupo Parte 3

Apresentações semelhantes

Apresentação em tema: "Entendendo Diretivas de Grupo Parte 3"— Transcrição da apresentação:

Apresentações semelhantes

Sobre projeto

Feedback