Active Directory Overview Training
Transcript of Active Directory Overview Training
Welcome!
Introduction
Presenter: Jon Zelle [email protected]
HTTP://WWW.Trainingchannel.com
Certifications and experiences
Today’s Agenda
Morning Session breakdown
Resource Review
Active Directory Overview
Active Directory Replication Process
Securing and Delegating Control to AD Objects
Questions and Answer time
Today’s Agenda cont.
Afternoon Session breakdown
Managing Network Resources
Managing Resource Access using security groups
Group Policy Implementation
Desktop Management using Policy Based Administration
Questions and Answers
Breaks and Questions
Session Breaks One in the morning and one in the afternoon
Lunch schedule – Lunch time around 12pm, lunch will also be provided to attendees
Questions and Answers – time for this will occur before each break and at the end of the day
Overview of your new Book!
Managing a Windows 2000 Network Environment
CD Resources
Online Resources
Managing a Windows 2000 Network Environment
Your book contains TONS of good information.
Chapter 1, "Networking with Windows 2000," describes the Windows 2000 networking architecture and introduces the primary Windows 2000 network administration tool, Microsoft Management Console.
Chapter 2, "Managing Client and Server Computers," examines the procedures for installing new hardware on a Windows 2000 computer, updating the operating system, obtaining and managing client access licenses, and troubleshooting problems that prevent the system from booting.
Chapter 3, "Managing Storage Resources," describes how to use the Windows 2000 storage subsystem, including basic and dynamic disks, and the various types of data storage techniques the operating system provides. You also learn how to manage your server disk space by imposing storage quotas on your network users and managing the compression and encryption of files and folders.
Chapter 4, "Managing NTFS Permissions," examines how to protect the files stored on your server drives using the permissions provided by the NTFS file system.
Chapter 5, "Sharing Drives and Printers," contains procedures for sharing drives and printers with network users and describes how to use permissions to control access to those shared resources.
Chapter 6, "Monitoring Server Health and Security," describes how to use Windows 2000 tools such as the Performance console and Event Viewer to monitor the continued operation of your servers and your users' activities.
Chapter 7, "Managing Active Directory User and Computer Objects," contains procedures describing how to create and maintain user objects in Active Directory, as well as create the various types of user profiles.
Chapter 8, "Managing Active Directory Group Objects," examines the theory and practice behind the use of group objects to organize your users and simplify the process of assigning access permissions.
Chapter 9, "Using Group Policies," describes how to use group policies to control the users and computers on your network.
Chapter 10, "Managing Resources with Active Directory Service," examines the process of publishing shared folders and printers in Active Directory, redirecting special folders, and using group policies to deploy software on your network.
Chapter 11, "Replicating Active Directory," contains information about the Active Directory replication process and how to create and configure site objects and their replication policies.
Chapter 12, "Active Directory Service Administration," teaches how to work with Active Directory objects by searching for them, moving them around the directory tree, and delegating control of specific objects to other administrators.
Chapter 13, "TCP/IP Administration," introduces the basics of TCP/IP communications and describes how to configure a Microsoft TCP/IP client and use the utilities included with it.
Chapter 14, "Dynamic Host Configuration Protocol," explores the theory and practice of using DHCP to automatically assign TCP/IP configuration parameters to the computers on your network.
Chapter 15, "Windows Name Resolution," describes the various mechanisms that Windows systems use to resolve computer names into IP addresses, including the Windows Internet Naming System (WINS).
Chapter 16, "Domain Name System," introduces the underlying principles of the Domain Name System (DNS) and describes the procedures for deploying Microsoft DNS Server on your network.
Chapter 17, "Managing Internet Information Services," describes how to create Web and FTP sites for your intranet or the Internet using Internet Information Services.
Chapter 18, "Remote Client Access," examines various alternative methods for connecting users to your network from long distances and with additional security.
Chapter 19, "Disaster Recovery and Prevention," describes backing up your network to prevent data loss due to natural disasters, drive failures, viruses, and so on.
Appendix, "Questions and Answers," lists all of the exercise questions and review questions from the book, showing the page number where the question appears and the suggested answer.
The Glossary provides definitions for many of the terms and concepts presented in this training kit.
CD Resources
Your book contains 2 CD’s:
Windows 2000 Server 120-Day Evaluation
E-Book version of the book (the E-Book is searchable)
Online Glossary
Additional Resources
Some of My Favorite Internet spots
Technet.microsoft.com
Msdn.microsoft.com
www.labmice.com
www.ntfaq.com
www.sysinternals.com
More resources
Here are two great papers around designing and implementing sound group policy within an organization:
http://www.microsoft.com/technet/ittasks/maintain/s1impgp.asp http://www.microsoft.com/technet/ittasks/maintain/s2impgp.asp
The Group Policy Management Console is available for download! GPMC is the tool we’ve all been asking and waiting for, bringing all the information and tools for creating, deploying, and managing group policy into one management console. Remember, it works in both Windows 2000 AD and Windows Server 2003 AD environments. Get it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=f39e9d60-7e41-4947-82f5-3330f37adfeb&DisplayLang=en
More Resources
Group Policy “Portals” (Microsoft.com and TechNet)
http://www.microsoft.com/technet/grouppolicy http://www.microsoft.com/grouppolicy
Group Policy Settings Spreadsheet
http://go.microsoft.com/fwlink/?LinkId=15165
Active Directory Overview
Using Active Directory for Centralized Management
[Diagram: a domain containing OU1 (Computers: Computer1; Users: User1) and OU2 (Users: User2; Printers: Printer1); an administrator searches the directory to locate these objects]
Active Directory:
Enables a single administrator to manage resources centrally
Allows administrators to locate information easily
Allows administrators to group objects into organizational units
Uses Group Policy to specify policy-based settings
Delegating Administrative Control
Assign permissions:
For specific organizational units to other administrators
To modify specific attributes of an object in a single organizational unit
To perform the same task in all organizational units
Customize administrative tools to:
Map to delegated administrative tasks
Simplify interface design
[Diagram: Admin1, Admin2 and Admin3 each delegated control over OU1, OU2 and OU3 within the domain]
Overview
Overview of Active Directory
Active Directory Logical Structure
Active Directory Physical Structure
Overview of Active Directory
What Is Active Directory?
Active Directory Objects
Active Directory Schema
Lightweight Directory Access Protocol (LDAP)
Groups in Active Directory
Active Directory Support for Client Computers
What Is Active Directory?
Directory Service Functionality: Organize, Manage, Control resources
Centralized Management:
Single point of administration
Full user access to directory resources by logging on once
Active Directory Objects
Objects represent network resources
Attributes define information about an object
[Diagram: Active Directory objects (Users: Suzan Fine, Don Hall; Printers: Printer1, Printer2, Printer3) and their attributes with values (users: First Name, Last Name, Logon Name; printers: Printer Name, Printer Location)]
Active Directory Schema
Object class examples: Computers, Users, Printers
Object classes and attributes: defined in the Schema Naming Context of Active Directory
Objects: stored in the Domain Naming Context of Active Directory
Example properties: 10/02/03, Sales, CN=Wendy Kahn, OU=Beth
Example attributes of Users: accountExpires, department, distinguishedName, middleName
Lightweight Directory Access Protocol
LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
LDAP naming paths include:
Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
Relative distinguished names, for example Suzan Fine (the object's own name, the first component of its distinguished name)
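The naming paths above are what an LDAP client has to take apart when it walks the directory. The following parser is an added example, not code from the training deck: it splits a distinguished name into its relative distinguished names on unescaped commas (honouring the backslash escape LDAP uses for a comma inside a value), and derives the object's RDN, its parent container and its DNS domain. The DNs it is run on are constructed from the deck's example.

```python
"""LDAP distinguished name parsing.

Added example, not code from the training deck: a small parser for the
distinguished names LDAP uses as naming paths. It splits a DN into its
relative distinguished names (RDNs) on unescaped commas, honouring the
backslash escape for commas inside a value, and derives the object's RDN,
its parent container and its DNS domain. Sample DNs are constructed.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft' into (type, value)
    pairs, most specific first. A backslash escapes the next character, so
    'CN=Fine\\, Suzan' is one RDN whose value contains a comma."""
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])     # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def escape_value(value: str) -> str:
    """Re-escape a value so that joining RDNs back into a DN round-trips."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def rdn_of(dn: str) -> str:
    """The relative distinguished name: the value of the first RDN, which is
    what the deck shows as 'Suzan Fine' for the full DN above."""
    return split_dn(dn)[0][1]


def parent_dn(dn: str) -> str:
    """The container holding the object: the DN with its first RDN removed."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in split_dn(dn)[1:])


def domain_of(dn: str) -> str:
    """DNS domain name rebuilt from the DC components, in order."""
    return ".".join(v for t, v in split_dn(dn) if t.upper() == "DC")


if __name__ == "__main__":
    sample = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"   # DN from the deck
    print(rdn_of(sample), "|", parent_dn(sample), "|", domain_of(sample))
```

Splitting on every comma is the usual mistake here; a user named "Fine, Suzan" has a DN of CN=Fine\, Suzan,OU=Sales,... and a naive split produces a bogus RDN, which is why the parser tracks the escape character.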
Groups in Active Directory
Global Group: members from own domain only; use for access to resources in any domain
Domain Local Group: members from any domain in the forest; use for access to resources in own domain
Universal Group: members from any domain in the forest; use for access to resources in any domain
Active Directory Logical Structure
Domains
Organizational Units
Trees and Forests
Global Catalog
Domains
A domain is a security boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A domain is a unit of replication: domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Diagram: a Windows 2000 domain in which domain controllers replicate User1 and User2 to each other]
Organizational Units
[Diagram: organizational units modelled on the organizational structure (Sales, Vancouver, Repair) beside organizational units modelled on the network administrative model (Users, Sales, Computers)]
Use organizational units to group objects into a logical hierarchy that best suits the needs of your organization
Delegate administrative control over the objects within an organizational unit by assigning specific permissions to users and groups
Trees, Forests, and Two-Way Transitive Trusts
[Diagram: a forest of two trees. Tree 1: contoso.msft (root) with child domains au.contoso.msft and asia.contoso.msft. Tree 2: nwtraders.msft with child domains au.nwtraders.msft and asia.nwtraders.msft. Two-way, transitive trusts link each child domain to its tree root, and a two-way, transitive trust between the two tree roots joins the trees into one forest.]
Global Catalog
[Diagram: a Global Catalog Server serving queries from several domains]
Global Catalog:
Holds a subset of the attributes of all objects
Answers queries
Provides group membership when a user logs on
Active Directory Physical Structure
The Active Directory physical structure is made up of:
Domain Controllers
Sites
Domain Controllers
[Diagram: two domain controllers in a domain replicating User1 and User2 to each other; each holds a writeable copy of the Active Directory database]
Domain Controllers:
Host the SYSVOL folder
Participate in Active Directory replication
Perform single master operations roles in a domain
Sites
Sites:
Optimize replication traffic
Enable users to log on to a domain controller by using a reliable, well-connected network connection
[Diagram: sites (Los Angeles, Seattle, Chicago, New York), each made up of one or more IP subnets]
Active Directory Replication
Overview
Introduction to Active Directory Replication
Replication Components and Processes
Introduction to Active Directory Replication
[Diagram: Domain Controller A, Domain Controller B and Domain Controller C replicating with one another]
Multi-master replication with loose convergence
Replication Components and Processes
How Replication Works
Replication Latency
Resolving Replication Conflicts
Single Master Operations
How Replication Works
[Diagram: an originating update on Domain Controller A is sent as a replicated update to Domain Controller B and Domain Controller C]
Active Directory updates: Add, Modify, Move, Delete
Replication Latency
[Diagram: an originating update on Domain Controller A triggers change notifications to Domain Controller B and Domain Controller C, which then receive the replicated update]
Default replication latency (change notification) = five minutes
When no changes, scheduled replication = one hour
Urgent replication = immediate change notification
Resolving Replication Conflicts
[Diagram: originating updates to the same object on Domain Controller A and Domain Controller B conflict; each update carries a stamp made up of a version number, a timestamp and the originating server GUID]
Conflicts may arise because of:
Attribute value
Adding/moving under a deleted container object, or the deletion of a container object
Sibling name
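The stamp on the slide (version number, timestamp, server GUID) is what lets every domain controller pick the same winner for an attribute-value conflict without talking to the others. The code below is an added example, not part of the deck: it models the comparison in the order the stamp components are listed, higher version first, then later timestamp, then higher originating server GUID as the final tie-break, and shows that the outcome does not depend on which update a controller received first. The updates and GUIDs are constructed sample data.

```python
"""Replication conflict resolution by attribute stamp.

Added example, not code from the training deck: models how conflicting
originating updates to the same attribute are resolved. Each update carries a
stamp of (version number, timestamp, originating server GUID); the comparison
runs in that order, so the result is the same on every domain controller
regardless of the order in which the updates arrive. Sample data is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid


@dataclass(frozen=True)
class Stamp:
    version: int                 # incremented on every originating write
    timestamp: datetime          # time of the originating write (UTC)
    server_guid: uuid.UUID       # GUID of the domain controller that wrote it

    def key(self) -> tuple[int, datetime, int]:
        """Comparison order: version, then timestamp, then server GUID."""
        return (self.version, self.timestamp, self.server_guid.int)


@dataclass(frozen=True)
class Update:
    attribute: str
    value: str
    stamp: Stamp


def resolve(a: Update, b: Update) -> Update:
    """Return the update that wins: higher version, then later timestamp,
    then higher server GUID. Both controllers run the same rule, so the
    controller that lost discards its own value and converges."""
    if a.attribute != b.attribute:
        raise ValueError("updates do not conflict: different attributes")
    return a if a.stamp.key() >= b.stamp.key() else b


def converge(updates: list[Update]) -> Update:
    """Apply resolve() over any number of conflicting updates, in any order."""
    winner = updates[0]
    for u in updates[1:]:
        winner = resolve(winner, u)
    return winner


# Constructed sample: two administrators change the same user's department
DC_A = uuid.UUID("11111111-1111-1111-1111-111111111111")   # constructed GUIDs
DC_B = uuid.UUID("22222222-2222-2222-2222-222222222222")
T0 = datetime(2003, 10, 2, 9, 0, tzinfo=timezone.utc)


def sample_conflict() -> tuple[Update, Update]:
    """On A the attribute had already been written twice before (version 3);
    on B the later write carries only version 2, so A's value must win even
    though B's timestamp is later."""
    on_a = Update("department", "Sales", Stamp(3, T0.replace(minute=5), DC_A))
    on_b = Update("department", "Repair", Stamp(2, T0.replace(minute=30), DC_B))
    return on_a, on_b


if __name__ == "__main__":
    a, b = sample_conflict()
    print("winner:", resolve(a, b).value)
```

The point worth remembering when troubleshooting is that "last writer wins" is only the second criterion: an administrator whose change was replicated from a controller that had seen fewer writes to that attribute can lose to an earlier change with a higher version number.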
Single Master Operations
Only a domain controller that holds a specific operations master role can perform associated Active Directory changes
Changes made by an operations master are replicated to other domain controllers
Any domain controller can hold an operations master role
Operations master roles can be transferred to other domain controllers
[Diagram: changes made on the operations master replicate to the other domain controllers]
Using Sites to Optimize Active Directory Replication
What Are Sites?
Replication Within Sites
Replication Between Sites
What Are Sites?
The first site is set up automatically, and is called Default-First-Site-Name
Sites can consist of zero, one, or more subnets
Sites are used to control replication traffic, logon traffic, and application traffic
[Screenshot: Active Directory Sites and Services console. The Sites container holds Default-First-Site-Name (with a Servers container, for example DENVER and its NTDS Settings), Redmond-Site, the Inter-Site Transports container and the Subnets container]
Replication Within Sites
Replication within sites:
Assumes fast and highly reliable network links
Does not compress replication traffic
Uses a change notification mechanism
[Diagram: Domain Controller A and Domain Controller B on IP subnets within one site, replicating directly]
Replication Between Sites
Replication between sites:
Occurs on a manually defined schedule
Is designed to optimize bandwidth
Contains one or more replicas in each site that act as bridgeheads
[Diagram: two sites, each with its IP subnets and a bridgehead server; replication between the sites passes through the bridgehead servers]
Question Time!
?
Break Time
Securing and Delegating to AD Objects
Overview
Introduction to Delegating Administrative Control
Controlling Access to Active Directory Objects
Delegating Administrative Control of Active Directory Objects
Examining Computer Accounts
Customizing MMC Consoles
Setting Up Taskpads
Best Practices
Introduction to Delegating Administrative Control
Decentralize administration
Assign permissions to organizational unit
Delegate the following types of control:
Assign all permissions for an organizational unit
Assign permissions to modify specific attributes
[Diagram: Admin1, Admin2 and Admin3 each delegated control over OU1, OU2 and OU3 within the domain]
Controlling Access to Active Directory Objects
Active Directory Permissions
Controlling Inheritance of Permissions
Setting Active Directory Permissions
Active Directory Permissions
[Screenshot: Access Control Settings for Domain Controllers, Permissions tab. Permission entries (Type, Name, Permission, Apply to) for Authenticated Users, Domain Admins, SYSTEM, Administrators and Enterprise Admins, each Allow, with Special or Full Control, applying to this object only or to this object and all child objects. Note: "This permission is defined directly on this object. This permission is not inherited by child objects." Option: Allow inheritable permissions from parent to propagate to this object. Buttons: Add..., Remove, View/Edit...; Auditing and Owner tabs]
Permissions:
Can be allowed or denied
Can be implicitly or explicitly denied
Can be set as standard or special permission
Controlling Inheritance of Permissions
Objects inherit permissions that exist at the time of creation
Inheritance of permissions can be blocked; when blocking, either:
Copy previously inherited permissions to the object
Remove previously inherited permissions from the object
[Diagram: two trees of nested OUs illustrating inherited Full Control and Read permissions]
Setting Active Directory Permissions
[Screenshot: Users Properties, Security tab. Names: Everyone, Authenticated Users, Administrators (domain_name\Acct...). Standard permissions (Full Control, Read, Write, Create all child objects, Delete all child objects) with Allow and Deny check boxes; the Advanced... button leads to special permissions; option "Allow inheritable permissions from parent to propagate to this object"]
Delegating Administrative Control of Active Directory Objects
Overview of Delegating Administrative Control
Using the Delegation of Control Wizard
Guidelines for Delegating Administrative Control
Overview of Delegating Administrative Control
Delegation of administration means:
Changing properties on a particular container
Creating and deleting objects of a specific type under an organizational unit
Updating specific properties on objects of a specific type under an organizational unit
[Diagram: Admin1, Admin2 and Admin3 delegated control over OU1, OU2 and OU3 in the domain]
Using the Delegation of Control Wizard
Tasks for delegating control to users or groups
Start the Delegation of Control Wizard
Select groups to which to delegate control
Assign tasks to delegate
Select Active Directory object type
Assign permissions to users or groups
Guidelines for Delegating Administrative Control
Assign control at the organizational unit level
Use the Delegation of Control Wizard
Track the delegation of permission assignments
Delegate control to groups
Examining Computer Accounts
Overview of Computer Accounts
Managing Computer Accounts
Overview of Computer Accounts
Functions of Computer Accounts
Computer Account Passwords
[Diagram: a computer object in the contoso.msft domain (containers: Accounting, Builtin, Computers, Domain Controllers, Sales, Human Resources), providing information and security]
Managing Computer Accounts
Resetting Computer Accounts
Pre-Creating Computer Accounts
User Ability/Rights for Creating Computer Accounts
Customizing MMC Consoles
Creating Customized MMC Consoles
Distributing Customized MMC Consoles
Installing Windows 2000 Snap-ins
Creating Customized MMC Consoles
Tasks for customizing MMC consoles
Open MMC
Add and configure the required snap-ins in the MMC console
Configure the MMC console mode
Configure the MMC console view
Save the MMC console
To prevent a console from being changed, do not assign the NTFS Write permission to the file
Distributing Customized MMC Consoles
[Diagram: a customized console is distributed through Group Policy or from a shared folder]
To use a distributed MMC console:
The administrator must have the Read permission for the console
Snap-ins must be installed on all computers where the administrator uses the console
Installing Windows 2000 Snap-ins
[Diagram: Windows 2000 Administration Tools (Adminpak.msi) installed on Windows 2000 Professional, used to administer servers remotely]
Snap-ins:
Are contained in Windows 2000 Administrative Tools
Are required for remote administration from a client computer running Windows 2000 Professional
Setting Up Taskpads
What Is a Taskpad?
Creating and Configuring a Taskpad
Adding Tasks in a Taskpad
What Is a Taskpad?
A Taskpad:
Is a customized administrative tool
Contains tasks that are shortcuts to specific commands in an MMC console
Provides advantages:
Makes it easier for novice users to perform their jobs
Makes complex tasks easier
Creating and Configuring a Taskpad
To create a taskpad:
Create a customized MMC console
Create a taskpad
Configure a task in the taskpad
Customize the taskpad view
Adding Tasks in a Taskpad
[Screenshot: Active Directory Users and Computers for contoso.msft (Accounting, Builtin, Computers, Domain Controllers, Sales, Human Resources, Manila) with users Kim Yoshida and Luis Bonifaz, and taskpad tasks such as New user and Disable account]
A task can be associated with an item in the console tree, associated with an item in the details pane, or start a shortcut menu command
Each task is a shortcut to a command in the MMC console
Best Practices
Delegate administration at the container level
Delegate control as high in the hierarchy as practical
Delegate control to a group
Provide training for users
Question Time!
?
Lunch Time!
Break Time
Managing Shared Network Resources
Overview
Introduction to Publishing Resources
Setting Up and Managing Published Printers
Implementing Printer Locations
Maintaining Printer Resources
Setting Up and Managing Published Shared Folders
Monitoring Access to Shared Folders
Troubleshooting User Access to Network File Resources
Troubleshooting Published Resources
Best Practices
Introduction to Publishing Resources
What Are Published Resources?
Comparing Published Objects with Shared Resources
Using Groups for Object and Resource Access
What Are Published Resources?
[Diagram: a resource on Server1 is published to Active Directory]
Publish resources:
That do not already exist in Active Directory
That are relatively static and change infrequently
To enable administrators and users to locate resources even if the physical location of resources changes
Comparing Published Objects with Shared Resources
[Screenshots: the Security tab of the Accounting object published in Active Directory (permissions Full Control, Read, Write for Administrators, Authenticated Users, Domain Admins, Enterprise Admins and Pre-Windows 2000 Compatible Access) beside the Security tab of the Accounting shared folder itself (permissions Full Control, Modify, Read & Execute, List Folder Contents, Read, Write for Administrators, CREATOR OWNER and Everyone)]
[Diagram: published objects (Printer1, Accounting, Sales) placed in organizational units OU1 and OU2]
Using Groups for Object and Resource Access
Group Planning Strategy (A G DL P)
Assign users (A) to global groups (G)
Assign global groups to domain local groups (DL)
and then grant permissions (P)
Expanding the Group Planning Strategy (A G U DL P)
Assign users (A) to global groups (G)
Assign global groups to universal groups (U)
Assign universal groups to domain local groups (DL)
and then grant permissions (P)
Setting Up and Managing Published Printers
Introduction to Printer Publishing
Managing Printer Publishing
Publishing Printers on Computers Not Running Windows 2000
Managing Published Printers
Introduction to Printer Publishing
[Diagram: a shared printer published to Active Directory]
Default behavior of printers:
Any printer shared by a Windows 2000-based print server is automatically published in Active Directory
A printer is automatically removed from Active Directory when a Windows 2000 print server is removed from the network
Each print server is responsible for its printers being published in Active Directory
Windows 2000 automatically updates the printer object’s attributes in Active Directory
Managing Printer Publishing
Viewing Printer Objects in Active Directory
On the View menu, click Users, Groups, and Computers as containers
Controlling Printer Publishing
Select or clear the List in the Directory check box
Configure the Automatically publish new printers in Active Directory Group Policy setting
Managing Orphaned Printers
Active Directory removes orphaned printer objects through the orphan pruner process
Orphan pruner deletes printer objects for nonexistent printers at frequent intervals
Publishing Printers on Computers Not Running Windows 2000
To publish a printer on a computer that is not running Windows 2000:
Install and share a printer
Publish the printer in Active Directory, by using Active Directory Users and Computers
[Diagram: the printer is installed and shared on the computer, then published to Active Directory]
Managing Published Printers
Move related printers that are installed on multiple computers into a single organizational unit
Perform other administrative tasks on the published printers
[Screenshot: Active Directory Users and Computers for nwtraders.msft, with a printer object under the LONDON container selected and its shortcut menu open (Move, Connect, Open, All Tasks, Delete, Rename, Refresh, Help, Properties); Move "moves the current selection to another container"]
Administrative tasks on published printers:
Open and manage the print queue
Move printers within a domain
Change print queue properties
Install the printer on a computer
Implementing Printer Locations
What Are Printer Locations?
Requirements for Printer Locations
Defining Location Names
Configuring Printer Locations
What Are Printer Locations?
When a user searches for printers:
1. Active Directory finds the subnet object that corresponds to the IP subnet in which the user’s computer is located
[Screenshot: subnet properties for 192.168.30.0/20, Location: USA/Seattle/Building 1]
2. Active Directory uses the value in the Location attribute of the subnet object to search for printers with the same value
[Screenshot: printer properties for PRIV0118, Location: USA/Seattle/Building 1/Near 1134]
3. Active Directory displays a list of printers whose Location value matches the Location value of the subnet object
[Screenshot: search results listing Name, Location and Model: PRIV0080, USA/Seattle/Building 1/Near 1119, HP Color; PRIV0039, USA/Seattle/Building 1/Near 2005, HP Laser; PRIV0118, USA/Seattle/Building 1/Near 1134, HP Laser; CORP0071, USA/Seattle/Building 1/Near COPY ROOM, HP Laser; CORP0032, USA/Seattle/Building 1/Near 1280, HP Laser; CORP0099, USA/Seattle/Building 1/Near 1218, HP Color; CORP0026, USA/Seattle/Building 1/Near 1218, HP Laser; CORP0051, USA/Seattle/Building 1/Near 1182, HP Laser]
Requirements for Printer Locations
An Active Directory network with IP subnets
An IP addressing scheme that corresponds to the physical topology of the network
A subnet object for each site, which:
Represents an IP subnet in Active Directory
Contains a Location attribute that Active Directory uses to find printers in the same physical location as a client computer
Client computers that can search Active Directory
Defining Location Names
Each location name corresponds to an IP subnet
The values for the Location attribute for subnet objects and printers must use the same naming convention
[Diagram: location hierarchy USA > Seattle (Building 1 = 192.168.30.*, Building 2 = 192.168.32.*) and USA > Denver (Floor 2 = 192.168.10.*, Floor 3 = 192.168.11.*), giving the location names USA/Seattle/Building 1, USA/Seattle/Building 2, USA/Denver/Floor 2 and USA/Denver/Floor 3; the printer search browse tree shows Entire Directory > USA > Denver and Seattle > Building 1, Building 2]
Add more levels to the Location attribute for the printer to better define the physical location
Configuring Printer Locations
Tasks
Enable location tracking by using Group Policy
Create a subnet object in Active Directory
Set the Location attribute for the subnet object
Set the Location attribute for printers
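The search the deck describes in three steps (find the client's subnet object, read its Location attribute, list printers whose Location matches) is shown below in working form. This is an added example, not code from the deck: it uses the subnet and printer Location values from the slides as constructed sample data, picks the most specific subnet containing the client's address, and matches locations component by component so that a printer with a more detailed location such as "USA/Seattle/Building 1/Near 1134" still matches the subnet's "USA/Seattle/Building 1" but "Building 12" does not.

```python
"""Printer location tracking: find the printers near a client's subnet.

Added example, not code from the training deck: reproduces the search the
deck describes. Given a client IP address it (1) finds the subnet object
whose prefix contains the address, (2) reads that subnet's Location attribute
and (3) returns printers whose Location begins with it. Subnet prefixes,
location names and printers are constructed from the deck's examples.
"""
from __future__ import annotations
import ipaddress

# Subnet object -> Location attribute, following the deck's naming convention
SUBNETS: dict[str, str] = {
    "192.168.30.0/24": "USA/Seattle/Building 1",
    "192.168.32.0/24": "USA/Seattle/Building 2",
    "192.168.10.0/24": "USA/Denver/Floor 2",
    "192.168.11.0/24": "USA/Denver/Floor 3",
}

# (printer name, Location attribute, model); constructed sample objects
PRINTERS: list[tuple[str, str, str]] = [
    ("PRIV0118", "USA/Seattle/Building 1/Near 1134", "HP Laser"),
    ("CORP0071", "USA/Seattle/Building 1/Near COPY ROOM", "HP Laser"),
    ("PRIV0039", "USA/Seattle/Building 2/Near 2005", "HP Laser"),
    ("DEN0002", "USA/Denver/Floor 2/Near 210", "HP Color"),
    ("DEN0007", "usa/denver/floor 3/near 305", "HP Laser"),   # differs only in case
]


def subnet_for(ip: str) -> str | None:
    """Step 1: the most specific subnet object whose prefix contains the address."""
    addr = ipaddress.ip_address(ip)
    best: ipaddress.IPv4Network | ipaddress.IPv6Network | None = None
    for cidr in SUBNETS:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def location_matches(printer_loc: str, subnet_loc: str) -> bool:
    """Step 3's comparison: the subnet location must equal the leading path
    components of the printer location, compared case-insensitively."""
    printer_parts = [p.strip().lower() for p in printer_loc.split("/")]
    subnet_parts = [p.strip().lower() for p in subnet_loc.split("/")]
    return printer_parts[:len(subnet_parts)] == subnet_parts


def nearby_printers(ip: str) -> list[str]:
    """Names of the printers location tracking would show to a client at ip."""
    cidr = subnet_for(ip)
    if cidr is None:
        return []                      # no subnet object: location tracking cannot help
    subnet_loc = SUBNETS[cidr]         # step 2: the subnet's Location attribute
    return [name for name, loc, _ in PRINTERS if location_matches(loc, subnet_loc)]


if __name__ == "__main__":
    for client in ("192.168.30.77", "192.168.11.5", "10.0.0.1"):
        print(client, "->", subnet_for(client), nearby_printers(client))
```

The empty result for an address outside every subnet object is the case to check first when users report that "Find Printers" shows nothing: the client's subnet has no subnet object, or its Location attribute is unset.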
Maintaining Printer Resources
Installing Printer Drivers
Troubleshooting Printers
Installing Printer Drivers
Client computers running the following operating systems automatically download the printer driver: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP
Other operating systems will require the printer driver to be updated manually
Troubleshooting Printers
How to fix a print job that is stuck in the queue
How to relocate a print queue to a new print device
Setting Up and Managing Published Shared Folders
[Diagram: a shared folder on Server1 is published to Active Directory]
Publish a shared folder
1. Share the folder
2. Publish the shared folder in Active Directory
Add description and keywords to the shared folder object to facilitate search operations
Move the published shared folder object to another container or organizational unit whenever required
Monitoring Access to Shared Folders
Introduction to Monitoring User Access to Shared Folders
Monitoring Shared Folders
Monitoring User Sessions
Monitoring Open Files
Introduction to Monitoring User Access to Shared Folders
Monitor access to shared folders for:
Maintenance
Security
Group membership required to monitor shared folders:
Administrators or System Operators for a domain
Administrators or Power Users for a member server, stand-alone server, or computer running Windows 2000 Professional
Monitoring Shared Folders
Monitoring User Sessions
[Screenshot: Console1 - Console Root\Computer Management (Local)\System Tools\File Service Management, Sessions view. Columns: User, Computer, Type, Open Files, Connected Time, Idle Time, Guest. Rows: Admin1 from ADMIN (Windows, 2 open files, connected 00h07m42s, idle 00h00m37s, Guest: No); User1 from Client50 (Windows, 0 open files, connected 00h00m12s, idle 00h00m11s, Guest: No)]
Monitoring Open Files
Troubleshooting User Access to Network File Resources
Troubleshooting Combined NTFS and Shared Folder Permissions
Troubleshooting User Access to File Resources by Tracing Group Membership
Troubleshooting Combined NTFS and Shared Folder Permissions
[Diagram: an Engineer and an Accountant are both members of the Users group. The Applications share on NTFS partition C:\ contains the ACCTPKG folder (NTFS: Accounting Full Control, Engineering No Access) and the ENGPKG folder (NTFS: Engineering Full Control, Accounting No Access). Share permissions: the department groups Full Control (FC), Users Read Only (RO).]
Troubleshooting User Access to File Resources by Tracing Group Membership
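Tracing an access problem means answering three questions in order: which groups does the user end up in through the A G DL P nesting, which NTFS and share entries therefore apply, and which of the two results is the more restrictive one for a network connection. The code below is an added example, not part of the deck, that works through those questions on constructed groups and ACLs modelled on the Applications share diagram above ("No Access" is modelled as an explicit Deny, and share permissions are ignored for local logon since they only apply over the network).

```python
"""Effective access through nested groups, share and NTFS permissions.

Added example, not code from the training deck: resolves what a user can do
with a shared folder by (1) expanding nested group membership in the deck's
A G DL P model, (2) combining the NTFS entries that apply to the user or any
of those groups (most permissive Allow, unless a Deny applies) and (3) taking
the more restrictive of that result and the share permission when the folder
is reached over the network. Groups, users and ACLs are constructed to mirror
the deck's Applications share diagram.
"""
from __future__ import annotations

# Permission levels in increasing order of access
PERMISSION_RANK = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}

# Constructed directory: group -> direct members (users or other groups)
GROUP_MEMBERS: dict[str, set[str]] = {
    "G_Engineers":   {"engineer1"},              # global groups hold users (A -> G)
    "G_Accountants": {"accountant1"},
    "DL_ENGPKG_FC":  {"G_Engineers"},            # domain local groups hold global groups (G -> DL)
    "DL_ACCTPKG_FC": {"G_Accountants"},
    "Users":         {"G_Engineers", "G_Accountants"},
}

# An ACL entry is (principal, "Allow" | "Deny", permission)
Entry = tuple[str, str, str]


def expand_membership(principal: str) -> set[str]:
    """The principal plus every group containing it, directly or via nesting."""
    found = {principal}
    changed = True
    while changed:                       # iterate until no new group is reached
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def matching_entries(principal: str, acl: list[Entry]) -> list[Entry]:
    """Trace which ACL entries apply to the user through group membership;
    this is the list to inspect when troubleshooting an access problem."""
    groups = expand_membership(principal)
    return [entry for entry in acl if entry[0] in groups]


def resolve_acl(principal: str, acl: list[Entry]) -> str:
    """Any applicable Deny wins; otherwise the most permissive Allow applies."""
    entries = matching_entries(principal, acl)
    if any(kind == "Deny" for _, kind, _ in entries):
        return "None"
    best = "None"
    for _, kind, perm in entries:
        if kind == "Allow" and PERMISSION_RANK[perm] > PERMISSION_RANK[best]:
            best = perm
    return best


def effective_access(user: str, ntfs_acl: list[Entry], share_acl: list[Entry],
                     over_network: bool = True) -> str:
    """NTFS permissions always apply; share permissions only over the network,
    and then the more restrictive of the two is what the user actually gets."""
    ntfs = resolve_acl(user, ntfs_acl)
    if not over_network:
        return ntfs
    share = resolve_acl(user, share_acl)
    return min(ntfs, share, key=PERMISSION_RANK.__getitem__)


# Constructed ACLs modelled on the deck's diagram ("No Access" = explicit Deny)
ENGPKG_NTFS: list[Entry] = [("DL_ENGPKG_FC", "Allow", "Full Control"),
                            ("G_Accountants", "Deny", "Full Control")]
ACCTPKG_NTFS: list[Entry] = [("DL_ACCTPKG_FC", "Allow", "Full Control"),
                             ("G_Engineers", "Deny", "Full Control")]
APPLICATIONS_SHARE: list[Entry] = [("Users", "Allow", "Read"),
                                   ("DL_ENGPKG_FC", "Allow", "Full Control"),
                                   ("DL_ACCTPKG_FC", "Allow", "Full Control")]
# A second folder where the share, not NTFS, is the limiting factor
DOCS_NTFS: list[Entry] = [("Users", "Allow", "Full Control")]
DOCS_SHARE: list[Entry] = [("Users", "Allow", "Read")]

if __name__ == "__main__":
    for user in ("engineer1", "accountant1"):
        print(user, "on ENGPKG:", effective_access(user, ENGPKG_NTFS, APPLICATIONS_SHARE),
              "| via", [e[0] for e in matching_entries(user, ENGPKG_NTFS)])
```

The matching_entries output is the part to look at first when a user reports being locked out: it names the group through which a Deny reaches them, which is usually the answer to "but I never gave that user No Access".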
Best Practices
Publish frequently used shared folders and printers
Define simple and easily recognizable printer location names
Use easily recognizable descriptions and keywords
Place published printers and folders in the organizational units that contain the user accounts
Use DACLs on published resources to limit access
Assign Read permissions on published objects to limited Groups
Questions
Implementing Group Policy
Overview
Group Policy Structure
Working with Group Policy Objects
How Group Policy Settings Are Applied in Active Directory
Modifying Group Policy Inheritance
Troubleshooting Group Policy
Best Practices
Group Policy Structure
Introduction to Group Policy
Group Policy Objects
Types of Group Policy Settings
Group Policy Settings for Computers and Users
How Group Policy Is Applied
Examining Group Policy Object Links
Introduction to Group Policy
You can use Group Policy to:
Set centralized and decentralized policies
Ensure that users have their required environments
Control user and computer environments
Enforce corporate policies
[Diagram: Group Policy linked to a site, domain or organizational unit; the administrator sets Group Policy initially and Windows 2000 applies it continually to users and computers]
Group Policy Objects
A Group Policy Object:
Contains Group Policy settings
Has its content stored in two locations:
Group Policy Template: stored in the domain controller's shared SYSVOL folder; provides the Group Policy settings
Group Policy Container: stored in Active Directory; provides version information
Types of Group Policy Settings
Types of Group Policy Settings
Administrative Templates: registry-based Group Policy settings
Security: settings for local, domain, and network security
Software Installation: settings for central management of software installation
Scripts: startup, shutdown, logon, and logoff scripts
Remote Installation Services: settings that control the options available to users when running the Client Installation Wizard used by RIS
Internet Explorer Maintenance: settings to administer and customize Microsoft Internet Explorer on Windows-based computers
Folder Redirection: settings for storing users’ folders on a network server
Group Policy Settings for Computers and Users
Group Policy Settings for Computers:
Processed when the operating system initializes and during the periodic refresh cycle
Use the Computer Configuration node
Group Policy Settings for Users:
Processed when users log on to the computer and during the periodic refresh cycle
Use the User Configuration node
How Group Policy Is Applied
1. The client computer starts (computer settings) or a user logs on (user settings), and the computer retrieves from Active Directory the list of GPOs that apply, in the order in which they will be processed.
2. For registry-based settings, the client connects to SYSVOL and reads the Registry.pol files from each GPO's Group Policy Template (the Machine and User subfolders); the other client-side extensions read their own files from the same GPT folder.
3. The client writes the settings into the registry: computer settings under HKEY_LOCAL_MACHINE, user settings under HKEY_CURRENT_USER.
4. The logon dialog box (after computer settings) or the desktop (after user settings) appears.
Diagram: (1) GPO list, (2) Registry.pol in the GPT on SYSVOL, (3) the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER registry subtrees.
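The Registry.pol file in step 2 has a simple binary layout, and reading it straight from SYSVOL is the quickest way to see exactly which registry values a GPO will push, without trusting the editor's display. The PowerShell below is an added example written for this page, not part of the original course material: it builds a Registry.pol in memory from constructed sample entries and parses it back. The two Explorer values used as samples are the real registry values behind "Remove Run menu from Start menu" and "Hide My Network Places icon on desktop"; the SYSVOL path in the closing comment is illustrative.

```powershell
# Added example (not from the course deck): write and parse Registry.pol, the file in the Group
# Policy Template that carries Administrative Templates settings. Layout (little-endian):
#   'PReg' signature, DWORD version (1), then entries of the form  [key;value;type;size;data]
# where the brackets and semicolons are UTF-16LE characters, key and value are null-terminated
# UTF-16LE strings, type and size are DWORDs, and data is exactly 'size' raw bytes.
$Unicode = [System.Text.Encoding]::Unicode

function New-RegistryPol {
    param([Parameter(Mandatory)][hashtable[]]$Entries)   # Key, ValueName, Type ('REG_SZ'|'REG_DWORD'), Data
    $ms = New-Object System.IO.MemoryStream
    $bw = New-Object System.IO.BinaryWriter($ms)
    $bw.Write([byte[]](0x50, 0x52, 0x65, 0x67))           # 'PReg'
    $bw.Write([uint32]1)                                  # version
    foreach ($e in $Entries) {
        switch ($e.Type) {
            'REG_DWORD' { $type = 4; $data = [System.BitConverter]::GetBytes([uint32]$e.Data) }
            'REG_SZ'    { $type = 1; $data = $Unicode.GetBytes([string]$e.Data + "`0") }
            default     { throw "unsupported type $($e.Type)" }
        }
        $bw.Write($Unicode.GetBytes('['))
        $bw.Write($Unicode.GetBytes($e.Key + "`0"));       $bw.Write($Unicode.GetBytes(';'))
        $bw.Write($Unicode.GetBytes($e.ValueName + "`0")); $bw.Write($Unicode.GetBytes(';'))
        $bw.Write([uint32]$type);                          $bw.Write($Unicode.GetBytes(';'))
        $bw.Write([uint32]$data.Length);                   $bw.Write($Unicode.GetBytes(';'))
        $bw.Write([byte[]]$data)
        $bw.Write($Unicode.GetBytes(']'))
    }
    $bw.Flush()
    return $ms.ToArray()
}

function Read-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') { throw 'missing PReg signature' }
    if ([System.BitConverter]::ToUInt32($Bytes, 4) -ne 1) { throw 'unsupported Registry.pol version' }
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = 8
    while ($pos -lt $Bytes.Length) {
        if ($Unicode.GetString($Bytes, $pos, 2) -ne '[') { throw "expected '[' at offset $pos" }
        $pos += 2
        $strings = @()
        for ($i = 0; $i -lt 2; $i++) {                    # key, then value name
            $start = $pos
            while (-not ($Bytes[$pos] -eq 0 -and $Bytes[$pos + 1] -eq 0)) { $pos += 2 }
            $strings += $Unicode.GetString($Bytes, $start, $pos - $start)
            $pos += 4                                     # skip the null terminator and the ';'
        }
        $type = [System.BitConverter]::ToUInt32($Bytes, $pos);      $pos += 6   # DWORD + ';'
        $size = [int][System.BitConverter]::ToUInt32($Bytes, $pos); $pos += 6
        $data = New-Object byte[] $size
        if ($size -gt 0) { [System.Array]::Copy($Bytes, $pos, $data, 0, $size) }
        $pos += $size
        if ($Unicode.GetString($Bytes, $pos, 2) -ne ']') { throw "expected ']' at offset $pos" }
        $pos += 2
        $value = switch ($type) {
            1       { $Unicode.GetString($data).TrimEnd("`0") }              # REG_SZ
            4       { [System.BitConverter]::ToUInt32($data, 0) }            # REG_DWORD
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        $entries.Add([pscustomobject]@{ Key = $strings[0]; ValueName = $strings[1]; Type = $type; Value = $value })
    }
    return $entries
}

# Constructed sample: "Remove Run menu from Start menu" set to Enabled writes NoRun = 1;
# "Hide My Network Places icon on desktop" set to Disabled writes a '**del.NoNetHood' marker that
# deletes the value on the client. Not Configured writes no entry at all.
$sample = New-RegistryPol -Entries @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoRun';           Type = 'REG_DWORD'; Data = 1 },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = '**del.NoNetHood'; Type = 'REG_SZ';    Data = ' ' }
)
Read-RegistryPol -Bytes $sample | Format-Table Key, ValueName, Type, Value -AutoSize

# To inspect a real GPO, read the User or Machine half of its template (path is illustrative):
# Read-RegistryPol -Bytes ([System.IO.File]::ReadAllBytes('\\contoso.msft\SYSVOL\contoso.msft\Policies\{GPO GUID}\User\Registry.pol'))
```

The '**del.' entry is what choosing Disabled writes for a setting whose policy value is a single registry value, as opposed to Not Configured, which writes nothing; parsing the Machine and User files of a GPO whose settings "do not take effect" tells you at once whether the setting ever made it into the template or the problem lies in how the GPO is applied.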
Examining Group Policy Object Links
Link one GPO to multiple sites, domains, or organizational units
Link multiple GPOs to one site, domain, or organizational unit
Diagram: a site GPO linked to the site, a domain GPO linked to the domain, and organizational unit GPOs linked to organizational units.
Working with Group Policy Objects
Creating Linked and Unlinked Group Policy Objects
Linking an Existing Group Policy Object
Specifying a Domain Controller for Managing Group Policy Objects
Creating Linked and Unlinked Group Policy Objects
Creating linked Group Policy Objects: for sites, use Active Directory Sites and Services; for domains and organizational units, use Active Directory Users and Computers (the Group Policy tab of the container's Properties). A GPO created this way is linked to that container immediately.
Creating unlinked Group Policy Objects: add a Group Policy snap-in to an MMC console and create the GPO there; it takes effect only once it is linked to a container. (On Windows Server 2003 and later, the Group Policy Management Console, and later the GroupPolicy PowerShell module, replace these tabs for both tasks.)
Linking an Existing Group Policy Object
Screenshot: contoso.msft Properties, Group Policy tab (tabs: General, Managed By, Object, Security, Group Policy). "Current Group Policy Object Links for contoso.msft" lists Default Domain Policy, Account Lockout Policy, and Passwords Policy, each with No Override and Disabled check boxes. "Group Policy Objects higher in the list have the highest priority. This list obtained from: London.contoso.msft." Buttons: New, Add..., Edit, Options... (sets No Override and Disabled for the selected link), Delete..., Properties, Up, Down.
Screenshot: Add a Group Policy Object Link dialog, with Domains/OUs, Sites, and All tabs; "Look in: contoso.msft"; "Group Policy Objects linked to this container" lists containers (Domain Controllers, Accounting, Human Resources) and GPOs (Default Domain Policy, Redirect My Document Policy, Logon Attempts Policy, Passwords Policy, Start Menu Policy). Buttons: OK, Cancel.
To link an existing GPO: on the container's Group Policy tab click Add, select the appropriate tab (Domains/OUs, Sites, or All), select the container in which the GPO resides, then select the GPO to link. The new link is added at the bottom of the list, that is, with the lowest priority; use Up and Down to change its position.
Specifying a Domain Controller for Managing Group Policy Objects
Options for selecting a domain controller:
The one holding the PDC emulator operations master role (the default and the recommended choice: all administrators then edit the same copy, so concurrent edits on different domain controllers cannot produce replication conflicts)
The one used by the Active Directory snap-ins
Any available domain controller
Methods for specifying a domain controller:
Use the DC Options command on the View menu in the Group Policy snap-in
Enable the Group Policy setting "Group Policy domain controller selection" (User Configuration, Administrative Templates, System, Group Policy), which fixes the choice for the administrators it applies to
How Group Policy Settings Are Applied in Active Directory
Group Policy Inheritance
Controlling the Processing of Group Policy
Group Policy and Slow Network Connections
Resolving Conflicts Between Group Policy Settings
Discussion: How Group Policy Is Applied
Group Policy Inheritance
Windows 2000 applies GPO settings in a specific order: the local GPO first, then GPOs linked to the site, then the domain, then organizational units from the top of the tree down to the one containing the user or computer. A child container inherits the settings of its parents, and a setting applied later overrides a conflicting setting applied earlier, so by default the GPOs closest to the object win.
Diagram: Site, then Domain, then the organizational unit Sales, then its child organizational units Inside Sales and Outside Sales.
Controlling the Processing of Group Policy
Refreshing Group Policy at established intervals:
Five minutes for domain controllers
90 minutes, plus a random offset of up to 30 minutes, for computers running Windows 2000 Professional or Windows XP Professional and for member servers running Windows 2000 Server
Processing unchanged Group Policy settings: by default a client-side extension reprocesses a GPO only when its version number has changed. You can configure each client-side extension to process unchanged Group Policy settings (the "Process even if the Group Policy objects have not changed" option), which repairs settings that a user or program has altered locally; security settings are reapplied this way every 16 hours regardless.
Group Policy and Slow Network Connections
Group Policy can detect a slow network connection:
It uses an algorithm (a timed exchange with the domain controller) to determine whether a link should be considered slow; the default threshold is 500 Kbps and can be changed with the "Group Policy slow link detection" setting
It sets a flag to indicate a slow link to the client-side extensions
Over a slow link, registry-based (Administrative Templates) and security settings are always processed; software installation, scripts, and folder redirection are skipped by default, and each has its own policy setting to change that behaviour
Resolving Conflicts Between Group Policy Settings
All Group Policy settings take effect unless there are conflicts; settings that do not conflict are merged.
The last setting processed applies: when settings from GPOs in different containers of the Active Directory hierarchy conflict, the GPO on the child container (processed last) wins.
When settings from GPOs linked to the same container conflict, the GPO highest in the container's GPO list wins, because the list is processed from the bottom up.
The No Override option and Block Inheritance, covered in the next section, change these defaults.
Discussion: How Group Policy Is Applied
What are the resultant Group Policy settings for the organizational unit?
Diagram: GPO1 through GPO4 linked at the site, domain, and organizational unit levels.
GPO1: ensures that Favorites appears on the Start menu
GPO2: requires a password of 11 characters
GPO4: removes Favorites from the Start menu and adds the Windows Update icon
GPO3: removes the Windows Update icon
Modifying Group Policy Inheritance
Enabling Block Inheritance
Enabling the No Override Option
Filtering Group Policy Settings
Discussion: Changing Group Policy Inheritance
Enabling Block Inheritance
Block Inheritance, set on a domain or organizational unit, stops inheritance of all GPOs linked to all parent containers (site and domain included)
You cannot selectively choose which GPOs are blocked; the only exception is a link marked No Override, which still applies
Diagram: domain GPOs apply to the Sales organizational unit, but the Production organizational unit has Block Inheritance set, so no domain GPO settings apply there.
Enabling the No Override Option
No Override is set on a GPO link (it is a property of the link, not of the GPO), so the same GPO can be enforced on one container and not on another
It overrides Block Policy Inheritance on child containers, and conflicting settings in GPOs processed later cannot override its settings
A child container cannot stop a No Override link set above it; when two No Override links conflict, the one higher in the hierarchy wins (Windows Server 2003 and later call this option Enforced)
Diagram: the domain GPO link is marked No Override, so its settings apply to both the Sales and the Production organizational units even though Production has conflicting GPO settings of its own.
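Putting the inheritance rules together: the PowerShell below is an added example for this page (not course material) that models the processing order Windows derives from the site/domain/OU chain, link order, No Override and Block Inheritance, and then resolves the discussion slide's GPO1 to GPO4. The slide does not say which container each GPO is linked to, so the placement used here (GPO1 on the site, GPO2 and GPO3 on the domain with GPO2 first in the list, GPO4 on the organizational unit) is an assumption, as are the setting names.

```powershell
# Added example (not from the course deck): a model of the order in which Windows applies the
# GPOs that reach a container. Later-applied settings win, so the last GPO returned has the
# highest precedence. The local GPO (processed before everything else) is left out of the model.
function New-GpoLink {
    param([string]$Name, [int]$Order, [hashtable]$Settings, [switch]$NoOverride, [bool]$Enabled = $true)
    [pscustomobject]@{ Name = $Name; Order = $Order; Settings = $Settings; NoOverride = [bool]$NoOverride; Enabled = $Enabled }
}

function New-Container {
    param([string]$Name, [object[]]$Links, [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

function Get-GpoProcessingOrder {
    # $Chain lists the containers from the site down to the target: site, domain, OU, child OU, ...
    param([Parameter(Mandatory)][object[]]$Chain)
    $normal = @()
    $enforcedByContainer = @()
    foreach ($container in $Chain) {
        # Block Inheritance discards every non-No-Override link inherited from the containers above.
        if ($container.BlockInheritance) { $normal = @() }
        # Within one container the list is processed bottom-up, so link order 1 is applied last and wins.
        $links = @($container.Links | Where-Object { $_.Enabled } | Sort-Object -Property Order -Descending)
        $normal += @($links | Where-Object { -not $_.NoOverride })
        $enforcedByContainer += ,@($links | Where-Object { $_.NoOverride })
    }
    # No Override links are applied after everything else, child container first, so a No Override
    # link on the domain beats one on an OU, and nothing below it can block or override it.
    $order = @($normal)
    for ($i = $enforcedByContainer.Count - 1; $i -ge 0; $i--) { $order += $enforcedByContainer[$i] }
    return $order
}

function Resolve-GpoSettings {
    # Apply the settings of each GPO in processing order; a later GPO overwrites a conflicting key.
    param([Parameter(Mandatory)][object[]]$Chain)
    $result = [ordered]@{}
    foreach ($gpo in Get-GpoProcessingOrder -Chain $Chain) {
        foreach ($key in $gpo.Settings.Keys) { $result[$key] = "$($gpo.Settings[$key]) (from $($gpo.Name))" }
    }
    return $result
}

# The discussion slide's four GPOs. Where each is linked is not shown on the slide, so this
# placement is an assumption: GPO1 on the site, GPO2 (first in list) and GPO3 on the domain, GPO4 on the OU.
$site   = New-Container -Name 'Site'   -Links @(New-GpoLink -Name 'GPO1' -Order 1 -Settings @{ 'Favorites on Start menu' = 'Shown' })
$domain = New-Container -Name 'Domain' -Links @(
    (New-GpoLink -Name 'GPO2' -Order 1 -Settings @{ 'Minimum password length' = 11 }),
    (New-GpoLink -Name 'GPO3' -Order 2 -Settings @{ 'Windows Update icon' = 'Removed' }))
$ou     = New-Container -Name 'OU'     -Links @(New-GpoLink -Name 'GPO4' -Order 1 -Settings @{ 'Favorites on Start menu' = 'Removed'; 'Windows Update icon' = 'Added' })

Resolve-GpoSettings -Chain @($site, $domain, $ou)
# Favorites removed and Windows Update icon added (GPO4, processed last); password length 11 (GPO2).

# Mark GPO3's domain link No Override: it is now processed after GPO4, so the icon is removed again.
$domain.Links[1].NoOverride = $true
Resolve-GpoSettings -Chain @($site, $domain, $ou)

# Block Inheritance on the OU: GPO1 and GPO2 no longer reach it, but the No Override GPO3 still does.
$ou.BlockInheritance = $true
Resolve-GpoSettings -Chain @($site, $domain, $ou)
```

With that placement the organizational unit ends up with Favorites removed and the Windows Update icon added (both from GPO4, processed last) and an 11-character minimum password length from GPO2. One caveat the model does not capture: account policies such as minimum password length govern domain accounts only when they come from a GPO linked to the domain; the same setting in a GPO linked to an organizational unit affects only the local accounts of the computers in that unit.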
Filtering Group Policy Settings
Filter which users and computers a GPO applies to by setting permissions on the GPO itself: a security principal receives the GPO only if it has both Read and Apply Group Policy, and a Deny always wins over an Allow. By default, Authenticated Users is granted Allow Read and Apply Group Policy.
Diagram: a GPO linked to the domain applies to the Sales and Production organizational units. The security group is granted Allow Read and Apply Group Policy, while the users Mengph and Kimyo are given Deny Apply Group Policy and therefore do not receive the GPO's settings even though they are in the container.
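When a user or computer does not receive a GPO, the cause is almost always one of the mechanisms on the preceding slides: link order, Block Inheritance, No Override, or a Deny on Apply Group Policy. This added example (written for this page, not part of the course; it needs the GroupPolicy module that ships with the Group Policy Management Console on Windows Server 2008 R2 and later, which did not exist for Windows 2000) lists the links that actually reach a container in precedence order, then shows for each GPO who is denied Apply Group Policy and, more important from a security standpoint, who can edit it. The organizational unit distinguished name is an assumption.

```powershell
# Added example (not from the course deck): what actually reaches a container, who is filtered out,
# and who can change it. Uses the GroupPolicy module (GPMC, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function Get-EffectiveGpoLinks {
    # Links that apply to $TargetDn once inheritance, Block Inheritance and No Override (Enforced) are
    # taken into account; the module returns them in precedence order, highest precedence first.
    param([Parameter(Mandatory)][string]$TargetDn)
    $inh = Get-GPInheritance -Target $TargetDn
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDn blocks inheritance: only Enforced links from parent containers still reach it"
    }
    $precedence = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $precedence++
        [pscustomobject]@{
            Precedence = $precedence              # 1 wins every conflict
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

function Get-GpoSecurityFiltering {
    # A trustee receives the GPO only with both Read and Apply Group Policy, and a Deny on Apply beats
    # any Allow. Anyone with edit rights controls every computer and user the GPO applies to.
    param([Parameter(Mandatory)][string]$GpoName)
    foreach ($p in Get-GPPermission -Name $GpoName -All) {
        [pscustomobject]@{
            Gpo        = $GpoName
            Trustee    = $p.Trustee.Name
            Type       = $p.Trustee.SidType
            Permission = $p.Permission
            Denied     = $p.Denied
            CanEdit    = (-not $p.Denied) -and ($p.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity')
        }
    }
}

$targetOu = 'OU=Production,DC=contoso,DC=msft'     # assumption: the Production OU from the slides
$links = Get-EffectiveGpoLinks -TargetDn $targetOu
$links | Format-Table -AutoSize

foreach ($name in ($links | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Gpo -Unique)) {
    Get-GpoSecurityFiltering -GpoName $name |
        Where-Object { $_.Denied -or $_.CanEdit } |
        Format-Table Gpo, Trustee, Type, Permission, Denied, CanEdit -AutoSize
}
# On the client, compare with its own record of what applied:  gpresult /r   (or gpresult /h rsop.html)
```

Anyone with GpoEdit or GpoEditDeleteModifySecurity on a GPO can push settings, scripts or software to everything the GPO applies to, so the CanEdit column should contain only Domain Admins, Enterprise Admins, SYSTEM and the specific groups you deliberately delegated to. The server-side view and gpresult on the client should agree; where they do not, slow-link detection or a failed SYSVOL read is the usual explanation.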
Discussion: Changing Group Policy Inheritance
Required settings:
Anti-virus application on all computers
Office XP on all computers except for Payroll
Accounting application on all computers in Payroll, except for those used by Payroll administrators
Diagram: domain Contoso.com with the Payroll and Sales organizational units. How do you set up your GPOs?
Troubleshooting Group Policy
Cannot access or open the Group Policy Object (typically a permissions problem on the GPC or the GPT, or the GPT has not yet replicated to the domain controller you are connected to)
Group Policy settings not taking effect as expected (check the GPO list and its order, Block Inheritance, No Override, security filtering, and slow-link detection)
Tools for troubleshooting: Event Viewer (Userenv events in the Application log), Gpresult.exe and Gpotool.exe from the Windows 2000 Resource Kit, and verbose Userenv logging
Best Practices
Disable unused portions of a Group Policy object
Use the Block Inheritance and No Override features sparingly
Use common sense naming conventions
Minimize the number of Group Policy objects
Filter policies based on security group membership
Avoid cross-domain Group Policy assignments
Question Time!
?
Take a Break
Using Group Policy to Manage the Desktop Environment
Overview
Introduction to Managing User Environments
Using Administrative Templates in Group Policy
Assigning Scripts by Using Group Policy
Using Group Policy to Redirect Folders
Troubleshooting User Environment Management
Introduction to Managing Software Deployment
Deploying Software
Managing Software
Identifying Solutions to Software Deployment Problems
Best Practices
Introduction to Managing User Environments
Control user desktops, user interfaces, and network access by using Group Policy settings
Apply Group Policy to a site, domain, or organizational unit; the user environment settings automatically apply to a new user or computer placed in that container
Diagram: manage user environments with Administrative Templates settings (written to the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER registry subtrees), script settings, redirected user folders (My Documents), and security settings.
Using Administrative Templates in Group Policy
Types of Administrative Template Settings
Settings for Securing the Desktop
Settings for Securing User Access to Network Resources
Settings for Securing User Access to Administrative Tools and Applications
Implementing Administrative Templates
Types of Administrative Template Settings
Setting type: what it controls
Windows Components: the parts of Windows 2000 and its tools and components to which users can gain access, including MMC
System: logon and logoff, Group Policy, refresh intervals, disk quotas, and loopback policy
Network: the properties of network connections and dial-in connections
Printers: printer settings that can force printers to be published in Active Directory and disable Web-based printing
Start Menu & Taskbar: settings that control the appearance of, and access to, the Start menu and the taskbar
Desktop: the Active Desktop, including what appears on desktops and what users can do with the My Documents folder
Control Panel: the use of Add/Remove Programs, Display, and Printers
Settings for Securing the Desktop
Common Group Policy settings for securing the desktop:
Hide all icons on desktop
Don't save settings at exit
Hide these specified drives in My Computer
Remove Run menu from Start menu
Prohibit access to Display in Control Panel
Disable and remove links to Windows Update
Settings for Securing User Access to Network Resources
Common Group Policy settings for securing user access to network resources:
Disable changes to Taskbar and Start Menu settings
Disable/Remove the Shut Down command
Hide My Network Places icon on desktop
Remove the Map Network Drive and Disconnect Network Drive options
Tools menu: Disable Internet Options... menu option
Settings for Securing User Access to Administrative Tools and Applications
Common Group Policy settings for securing user access to administrative tools and applications:
Remove Search menu from Start menu
Remove Run command from Start menu
Disable Task Manager
Run only allowed Windows applications
Remove the Documents menu from the Start menu
Disable changes to Taskbar and Start Menu settings
Hide common program groups in Start menu
These Administrative Templates settings restrict the Explorer shell, not the underlying access rights: "Run only allowed Windows applications" is enforced by Explorer by file name and does not apply to programs started from a command prompt or from Task Manager, and hidden drives remain reachable by typing their path. Use them to reduce accidents and support calls; rely on NTFS permissions and user rights for actual access control.
Implementing Administrative Templates
Selecting the state to configure a setting
Accessing an Administrative Template setting
Each Administrative Templates setting has three states:
Not Configured: the default; the GPO says nothing about the setting, so whatever an earlier GPO or the local configuration set remains in force
Enabled: applies the setting (writes the policy value to Registry.pol)
Disabled: prevents the setting (writes an explicit opposite value or a deletion entry), so it also overrides an Enabled setting from a GPO processed earlier
Screenshot: "Hide My Network Places icon on desktop" Properties, with a Policy tab offering Not Configured, Enabled, and Disabled, and an Explain tab that contains information about what the policy can do.
Assigning Scripts by Using Group Policy
Introduction to Group Policy Script Settings
Applying Script Settings in Group Policy
Assigning Group Policy Script Settings
Introduction to Group Policy Script Settings
You can use Group Policy script settings to:
Run pre-existing scripts
Run scripts that perform tasks you cannot configure by using other Group Policy settings
Use scripts to clean up desktops when users log off and shut down computers
Diagram: Computer Configuration holds startup and shutdown scripts, which run in the Local System context before any user logs on; User Configuration holds logon and logoff scripts, which run with the logged-on user's own credentials.
Applying Script Settings in Group Policy
Windows processes multiple scripts of the same type in the order listed, from top to bottom.
Processing order:
When a user starts a computer and logs on: a. startup scripts run (synchronously and hidden, before the logon dialog box appears), then b. logon scripts run (asynchronously by default, so the desktop may appear before they finish; the "Run logon scripts synchronously" setting changes this)
When a user logs off and shuts down a computer: a. logoff scripts run, then b. shutdown scripts run
Assigning Group Policy script settings
Screenshot: Logon Properties, Scripts tab. "Logon Scripts for Log On Script [AUCKLAND.contoso.msft]" lists Development.vbs and Information Services.vbs with their parameters; buttons Up, Down, Add..., Edit..., Remove, Show Files..., OK, Cancel, Apply. "To view the script files stored in this Group Policy Object, press the button below."
Procedure: copy the script to the appropriate folder of the GPO's Group Policy Template in SYSVOL (Show Files opens it, for example \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}\User\Scripts\Logon), then add the script to the GPO on the Scripts tab. Because the scripts live in SYSVOL, anyone who can write to that folder controls what runs for every user or computer the GPO applies to; keep the GPT permissions as restrictive as the GPO's own.
Using Group Policy to Redirect Folders
Folder Redirection Overview
Selecting the Folders to Redirect
Redirecting Folders to a Server Location
Folder Redirection Overview
Advantages of folder redirection:
Data is always available to the user, from any computer
Data is centrally stored, so it can be backed up and managed
Files are not saved on the client computer (unless Offline Files caching is enabled, in which case a local copy is kept as well)
Diagram: redirected personal folders. My Documents on the client points at the user's folder on the server; documents are stored on the server but appear to be stored locally.
Selecting the Folders to Redirect
Folder | Contains | Reason to redirect
My Documents | Users' personal work data | Users can access their data from any computer, and this data can be backed up and managed centrally
Start Menu | Folders and shortcuts on the Start menu | Users' Start menus are standardized
Desktop | All files and folders that users place on the desktop | Users have the same desktop regardless of the computer to which they log on
Application Data | User-specific data stored by applications | Applications use the same user-specific data for users regardless of the computer to which the user logs on
Redirecting Folders to a Server Location
Screenshots: Desktop Properties, Target tab ("You can specify the location of the Desktop folder"), showing the three choices in the Setting list:
No administrative policy specified: the Group Policy Object will have no effect on the location of this folder.
Basic - Redirect everyone's folder to the same location: this folder will be redirected to the specified location. Target folder location, for example \\london\desktops\%username%.
Advanced - Specify locations for various user groups: this folder will be redirected to different locations based on the security group membership of the users, for example NWTRADERS\acct to \\london\acct\%username% and NWTRADERS\sales to \\london\sales\%username% (Add, Edit, Remove).
Use the %username% variable in the target path so that each user gets a private folder rather than sharing one. The Settings tab controls whether the user is granted exclusive rights to the folder, whether existing contents are moved to the new location, and what happens to the folder when the policy is removed.
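The target \\london\desktops\%username% is only safe if the share root is prepared so that each user can create exactly one folder there and cannot browse anyone else's. The PowerShell below is an added example for this page (not course material) that creates such a root with the NTFS and share permissions Folder Redirection expects, then checks it for the usual mistake. The local path and share name are assumptions; New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example (not from the course deck): prepare the share root that a redirection target such
# as \\london\desktops\%username% points at. Users may only create their own folder in the root;
# CREATOR OWNER then gives each user full control of what they created, and nothing else.
function New-RedirectionRoot {
    param(
        [Parameter(Mandatory)][string]$Path,        # local folder to share, e.g. D:\Shares\Desktops (assumption)
        [Parameter(Mandatory)][string]$ShareName    # share name, e.g. Desktops (assumption)
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting from the parent and drop inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # "This folder only" rights for users: list it, create a subfolder, read attributes and permissions.
    $createOwn   = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
    $subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate   = [System.Security.AccessControl.PropagationFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    $full, $subtree, $propagate,   $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $full, $subtree, $propagate,   $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',          $full, $subtree, $inheritOnly, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', $createOwn, $thisOnly, $propagate, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions stay wide and NTFS does the real work; access-based enumeration hides the
    # other users' folders from anyone listing the share.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' `
                 -FolderEnumerationMode AccessBased | Out-Null
}

function Get-RedirectionRootProblems {
    # The misconfiguration to look for: a broad group whose ACE inherits into the users' subfolders.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -match 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users' -and
        $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
    }
}

New-RedirectionRoot -Path 'D:\Shares\Desktops' -ShareName 'Desktops'
Get-RedirectionRootProblems -Path 'D:\Shares\Desktops'    # nothing returned means the root is clean
```

Folder Redirection creates the user's subfolder under the root and, with "Grant the user exclusive rights" enabled, makes the user its owner; because CREATOR OWNER carries Full Control for subfolders and files only, that is all the user gets, while administrators and SYSTEM keep access for backup. If an existing root shows an Authenticated Users or Domain Users entry with inheritance on subfolders, every user can read every other user's redirected data.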
Troubleshooting User Environment Management
Registry Settings Are Not Applied
Scripts Do Not Execute
Folders Are Not Being Redirected
Introduction to Managing Software Deployment
Software Management Technologies
The Software Life Cycle
Software Management Technologies
The Windows Installer service allows for:
Custom installations
Resilient applications (missing or corrupted files are repaired when the application starts)
Clean removal
Users to need only read access to installation folders
Software Installation and Maintenance: Group Policy objects can:
Install applications on user computers
Upgrade the application or automatically apply software patches or service packs
Remove applications
The Software Life Cycle
Preparation: packages are acquired
Deployment: packages are installed
Maintenance: packages are upgraded
Removal: packages are removed
Deploying Software
Deploying a New Application
Assigning Software Packages
Publishing Software Packages
Deploying a New Application
Steps:
1. Create or modify a GPO
2. Acquire a Windows Installer package file (.msi)
3. Place the package on a software distribution point (a network share that the target users or computers can read)
4. Select a deployment option (assign or publish)
Assigning Software Packages
Assigning to a user: the application is advertised (Start menu shortcuts and file associations appear) and is installed the first time the user starts it
Assigning to a computer: the application is installed the next time the computer is started, before any user logs on
Publishing Software Packages (available for users only)
Add/Remove Programs: the application is installed when the user selects it from Add/Remove Programs in Control Panel
Document invocation: the application is installed when the user double-clicks a file whose type is unknown on the computer but registered to the published application
Managing Software
Deploying a Mandatory Upgrade
Deploying an Optional Upgrade
Redeploying Software
Removing Software
Deploying a Mandatory Upgrade
Example: users are running version 1.0 of a program. Version 2.0 is deployed as a mandatory upgrade; once it applies, users are able to use only version 2.0.
Deploying an Optional Upgrade
Example: users are running version 1.0 of a program. Version 2.0 is deployed as an optional upgrade; users may now use either version of the program.
Redeploying Software
Example: the software patch is applied to the package on the distribution point (an updated .msi, or an .msp applied to the administrative installation), the package is redeployed from the Group Policy object, the user logs on and invokes the application, and the patch is applied.
Removing Software
Removal process: only software that was installed from a Windows Installer package file through Group Policy can be removed through Group Policy
Forced removal: the software is automatically deleted from the computer (at the next startup or logon) and cannot be reinstalled
Optional removal: the software is not deleted from the computer, but can no longer be installed; users who already have it may keep using it
Identifying Solutions to Software Deployment Problems
Verify that the application appears in Add/Remove Programs
Verify user access to the network distribution point
Look for Group Policy conflicts
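Two slides in this module point at files that Group Policy executes or installs on clients: the startup and logon scripts stored in the Group Policy Template, and the Windows Installer packages on a software distribution point. If anyone other than administrators can modify those files, they can run code as Local System on every computer (or as every user) the GPO applies to, so checking their permissions belongs next to "verify user access to the network distribution point". The PowerShell below is an added example for this page, not course material: it enumerates both kinds of file from Active Directory and SYSVOL and reports any that a broad group can write. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later) and uses the default names of the broad groups.

```powershell
# Added example (not from the course deck): find every file that Group Policy runs or installs
# (startup/logon scripts in the GPT, Windows Installer packages on distribution points) and flag any
# that a broad group can modify. A writable script or package is code execution as SYSTEM on every
# computer, or as every user, that the GPO applies to.
Import-Module GroupPolicy, ActiveDirectory

$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users', 'Domain Computers'   # defaults; extend as needed
$WriteRights     = 'Write|Modify|FullControl|CreateFiles|AppendData|WriteData|ChangePermissions|TakeOwnership'

function Test-IsBroadPrincipal([string]$Identity) {
    foreach ($p in $BroadPrincipals) { if ($Identity -like "*$p") { return $true } }
    return $false
}

function Get-BroadWriteAces {
    # Allow ACEs on $Path that give a broad principal any right sufficient to change the file or folder.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (Test-IsBroadPrincipal $_.IdentityReference.Value) -and
        ($_.FileSystemRights.ToString() -match $WriteRights)
    }
}

function Get-GpoScriptFiles {
    # scripts.ini / psscripts.ini inside the GPT list each script as '<n>CmdLine=<file name or path>'.
    foreach ($gpo in Get-GPO -All) {
        $gpt  = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
        $inis = Get-ChildItem -Path "$gpt\*\Scripts" -Recurse -Include scripts.ini, psscripts.ini -ErrorAction SilentlyContinue
        foreach ($ini in $inis) {
            foreach ($line in Get-Content -LiteralPath $ini.FullName) {
                if ($line -match '^\d+CmdLine=(.+)$') {
                    $cmd = $Matches[1].Trim()
                    # A bare file name lives in the same GPT folder as the .ini; a UNC or drive path is used as given.
                    $path = if ($cmd -match '^(\\\\|[A-Za-z]:\\)') { $cmd } else { Join-Path $ini.DirectoryName $cmd }
                    [pscustomobject]@{ Gpo = $gpo.DisplayName; Kind = 'script'; Path = $path }
                }
            }
        }
    }
}

function Get-GpoPackageFiles {
    # Each deployed package is a packageRegistration object in the GPO's Class Store in AD; its
    # msiFileList holds '<n>:<path>' values, where 0 is the .msi and higher numbers are transforms.
    $policies = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    foreach ($pkg in Get-ADObject -LDAPFilter '(objectClass=packageRegistration)' -SearchBase $policies -Properties msiFileList, displayName) {
        $gpoId = if ($pkg.DistinguishedName -match ',CN=(\{[0-9A-Fa-f-]+\}),CN=Policies,') { $Matches[1] } else { '?' }
        foreach ($entry in $pkg.msiFileList) {
            [pscustomobject]@{ Gpo = "$gpoId ($($pkg.displayName))"; Kind = 'package'; Path = ($entry -replace '^\d+:', '') }
        }
    }
}

$findings = foreach ($t in @(Get-GpoScriptFiles) + @(Get-GpoPackageFiles)) {
    # Check the file and the folder that holds it: replacing a file in a writable folder is as good as editing it.
    foreach ($p in @($t.Path, (Split-Path -Path $t.Path -Parent))) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Gpo = $t.Gpo; Kind = $t.Kind; Path = $p; Problem = 'missing' }
            continue
        }
        foreach ($ace in Get-BroadWriteAces -Path $p) {
            [pscustomobject]@{ Gpo = $t.Gpo; Kind = $t.Kind; Path = $p; Problem = "$($ace.IdentityReference) has $($ace.FileSystemRights)" }
        }
    }
}
$findings | Sort-Object Gpo, Path | Format-Table -AutoSize
```

SYSVOL's default ACL grants Authenticated Users read and execute only, so a finding there usually means someone widened a GPO's permissions; distribution points are ordinary file shares and are where this goes wrong most often. A "missing" result matters too: a script or package path that no longer exists can be re-created by whoever controls its parent folder, and every client will run or install what appears there.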
Best Practices
Best Practices for Managing Group Policy
Best Practices for Folder Redirection
Best Practices for Software Installation and Management
Best Practices for Managing Group Policy
Use Windows XP .adm Files to Manage a Mixed Environment
Apply the Same Policies to Windows XP and Windows 2000
Test Settings Before Deployment
Use Group Policy, rather than Windows NT 4.0 System Policy or scripts, to edit the registry: true policy settings are written under the Policies keys and are removed when the GPO no longer applies, whereas System Policy and script changes persist in the registry ("tattooing") after the policy is gone
Best Practices for Folder Redirection
Enable Client-Side Caching
Incorporate %Username% Variable
My Pictures Follow My Documents
Policy Removal Considerations
Best Practices for Software Installation and Management
Use Application Categories
Use Transform Files for Packages
Use Only One Deployment Option per Group Policy
Repackage Existing Software
Deploy Software as High in the Hierarchy as Possible
Question Time!
?
Time to go home!