Configuring the User and Computer Environment Using Group Policy

Lesson 8

Skills Matrix

Technology Skill | Objective Domain | Objective #
Configuring Account Policies | Configure account policies | 4.6
Planning and Configuring an Audit Policy | Configure Audit Policy by using GPOs | 4.7

Defining a Domain-Wide Account Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then click Group Policy Objects.

Right-click the Default Domain Policy, and click Edit.

Defining a Domain-Wide Account Policy (cont.)

In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Account Policies, and select Password Policy.

Defining a Domain-Wide Account Policy (cont.)

To modify a setting, double-click the setting in the right window pane to open the Properties dialog box for the setting. Then, make the desired value changes.

Click OK to close the setting's Properties dialog box.

Close the Group Policy Management Editor window for this policy.

Configuring a Domain-Wide Account Lockout Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then click Group Policy Objects.

Right-click the Default Domain Policy, and click Edit. A Group Policy Management Editor window for this policy is displayed.

Configuring a Domain-Wide Account Lockout Policy (cont.)

In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Account Policies, and select Account Lockout Policy.

Configuring a Domain-Wide Account Lockout Policy (cont.)

In the right window pane, double-click the Account lockout duration policy setting to view the Properties dialog box.

Select the Define This Policy Setting checkbox. If you want to change the account lockout duration, you may do so here.

Configuring a Domain-Wide Account Lockout Policy (cont.)

Click OK to accept the specified lockout duration.

Click OK to automatically enable these other settings, or click Cancel to go back to the Account Lockout Duration Properties dialog box.

Click OK to accept the additional setting defaults.

Configuring a Domain-Wide Account Lockout Policy (cont.)

Make any additional changes, as necessary, to the other individual Account Lockout Policy settings.

Close the Group Policy Management Editor window for this policy.
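A read-back check for the password and lockout settings configured in the two procedures above, added here as an example and not part of the original slides. It assumes the ActiveDirectory RSAT module is installed; the baseline numbers are illustrative assumptions, not values from the lesson.

```powershell
# Added example: read back the domain account policy and flag weak values.
# Requires the ActiveDirectory module (RSAT). Read-only; changes nothing.
Import-Module ActiveDirectory

# Illustrative baseline: these numbers are assumptions, not from the lesson.
$Baseline = @{
    MinPasswordLength    = 12
    PasswordHistoryCount = 12
    LockoutThreshold     = 10
    LockoutDurationMin   = 15
}

function Test-DomainAccountPolicy {
    param(
        [Parameter(Mandatory)] $Policy,              # from Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum password length $($Policy.MinPasswordLength) is below $($Baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "Password history $($Policy.PasswordHistoryCount) is below $($Baseline.PasswordHistoryCount)"
    }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'Password complexity is disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled' }

    # A threshold of 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout is disabled (threshold 0)'
    } elseif ($Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) is above $($Baseline.LockoutThreshold)"
    }
    # A duration of 0 means "locked until an administrator unlocks", so only
    # a non-zero duration shorter than the baseline is flagged.
    $minutes = $Policy.LockoutDuration.TotalMinutes
    if ($Policy.LockoutThreshold -gt 0 -and $minutes -gt 0 -and $minutes -lt $Baseline.LockoutDurationMin) {
        $findings += "Lockout duration $minutes min is below $($Baseline.LockoutDurationMin) min"
    }
    $findings
}

$policy = Get-ADDefaultDomainPasswordPolicy
Test-DomainAccountPolicy -Policy $policy -Baseline $Baseline | ForEach-Object { Write-Warning $_ }

# Fine-grained password policies take precedence for the users and groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```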

Configuring the Kerberos Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then click Group Policy Objects.

Right-click the Default Domain Policy, and click Edit. A Group Policy Management Editor window for this policy is displayed.

Configuring the Kerberos Policy (cont.)

In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Account Policies, and select Kerberos Policy.

Configuring the Kerberos Policy (cont.)

To modify a setting, double-click the setting in the right window pane to open the Properties dialog box for the setting. Make the desired value changes.

Click OK to close the setting's Properties dialog box.

Close the Group Policy Management Editor window for this policy.

Configuring an Audit Policy

Open the GPMC. Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then click Group Policy Objects.

Right-click the Default Domain Policy, and click Edit.

Configuring an Audit Policy (cont.)

In the left window pane, expand the Computer Configuration node, and then expand the Windows Settings folder.

Expand the Security Settings node.

In the Security Settings node, expand Local Policies, and select Audit Policy.

Configuring an Audit Policy (cont.)

In the right window pane, double-click the Audit Policy setting you want to modify. The Properties dialog box for the chosen setting is displayed.

Select the Define This Policy Setting checkbox.

Configuring an Audit Policy (cont.)

Select the appropriate checkboxes to audit Success, Failure, or both under the Audit These Attempts heading.

Click OK to close the setting's Properties dialog box.

Close the Group Policy Management Editor window for this policy.

Configuring Files and Folders for Auditing

In Windows Explorer, right-click the file or folder you want to audit.

Select Properties.

On the Security tab in the Properties dialog box for the selected file or folder, click Advanced.

Configuring Files and Folders for Auditing (cont.)

In the Advanced Security Settings dialog box for the file or folder, select the Auditing tab, and then click Add.

Select the users and groups to be audited for file or folder access, and then click OK.

Configuring Files and Folders for Auditing (cont.)

Select Successful, Failed, or both checkboxes for the events you wish to audit.

In the Apply Onto list, specify which objects are to be audited.

Click OK to return to the Advanced Security Settings dialog box for the object.

Configuring Files and Folders for Auditing (cont.)

Choose whether auditing entries from parent objects are inherited by this object by selecting or deselecting the Allow Inheritable Auditing Entries From Parent To Propagate To This Object And All Child Objects checkbox.

Click OK to complete this process.

Close the Group Policy Management Editor window for this policy.
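The same auditing entry created from PowerShell instead of the Advanced Security Settings dialog, as an added example that is not part of the original slides. The folder path, the audited group and the chosen rights are placeholders; the script must run elevated, and the entry only produces Security log events when object access auditing is enabled in the Audit Policy configured earlier.

```powershell
# Added example: add an auditing (SACL) entry to a folder and read it back.
# Run elevated: reading or writing a SACL requires the "Manage auditing and
# security log" privilege.
$Path     = 'D:\Shares\Finance'       # placeholder folder
$Identity = 'CONTOSO\Domain Users'    # placeholder group to audit

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        # Rights and outcomes to audit; these defaults are assumptions.
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Write, Delete, ChangePermissions',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    # -Audit loads the SACL; without it Get-Acl returns only owner and DACL.
    $acl = Get-Acl -Path $Path -Audit

    # Equivalent of "Apply onto: This folder, subfolders and files".
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, $inherit, $propagate, $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRule {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path -Audit
    # AreAuditRulesProtected is $true when inheritance from the parent is blocked.
    Write-Verbose "Inherited auditing entries blocked: $($acl.AreAuditRulesProtected)"
    # Return explicit and inherited entries, with identities as account names.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Add-FolderAuditRule -Path $Path -Identity $Identity
Get-FolderAuditRule -Path $Path -Verbose | Format-Table -AutoSize

# Confirm the policy side: object access auditing for the file system
# (subcategory name as shown on an English-language system).
auditpol /get /subcategory:"File System"
```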

Customizing Event Log Policies

From the Administrative Tools menu, open Event Viewer.

Right-click the log for which you want to view or modify the settings, and select Properties.

Modify the desired settings, and click OK.

Configuring Folder Redirection

Create a GPO or modify an existing GPO with the necessary Folder Redirection Policy setting.

Using the Group Policy Management Editor for the desired GPO, locate the Folder Redirection policy extension in the User Configuration/Windows Settings node.

Right-click the Documents folder in the left window pane, and select Properties.

Configuring Folder Redirection (cont.)

Use the Setting drop-down box of the Target tab to select one of the options in the My Documents Properties dialog box.

Configuring Folder Redirection (cont.)

If you choose Basic–Redirect Everyone's Folder To The Same Location, you must specify the Target folder location in the Settings dialog box.

If you choose Advanced–Specify Locations For Various User Groups, you must specify the target folder location for each group that you add in the Settings dialog box.

Configuring Folder Redirection (cont.)

The Settings tab of the Documents Properties dialog box provides several additional selections.

Select from the options in the Policy Removal box of the Settings tab.

Click OK.

Optimizing Group Policy Processing

Open the Group Policy Management Console (GPMC). Click Forest: <Forest Name>.

Click Domains, click <Domain Name>, and then click Group Policy Objects.

Select the Default Domain Policy, and click Edit.

Optimizing Group Policy Processing (cont.)

Right-click the Default Domain Policy node at the top of the left window pane.

Click GPO Status, and place a checkmark next to User Configuration Settings Disabled, Computer Configuration Settings Disabled, or All Settings Disabled.
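To decide which GPOs are worth changing GPO Status on, the following added example (not part of the original slides) goes beyond the single Default Domain Policy and reports every GPO whose User or Computer half has never been edited but is still enabled. It assumes the GroupPolicy module that ships with the GPMC; it only reports and changes nothing.

```powershell
# Added example: list GPOs with an enabled but never-edited User or Computer half.
# Requires the GroupPolicy module (installed with the GPMC). Read-only.
Import-Module GroupPolicy

function Get-UnusedGpoHalf {
    param([Parameter(Mandatory, ValueFromPipeline)] $Gpo)   # object from Get-GPO
    process {
        # DSVersion is the Active Directory revision counter for that half;
        # 0 means no setting was ever saved there. A half that was edited and
        # later emptied has a non-zero version and is not detected here.
        $userUnused     = $Gpo.User.DSVersion -eq 0 -and $Gpo.User.Enabled
        $computerUnused = $Gpo.Computer.DSVersion -eq 0 -and $Gpo.Computer.Enabled

        if ($userUnused -or $computerUnused) {
            $candidate = if ($userUnused -and $computerUnused) { 'All Settings Disabled' }
                         elseif ($userUnused)                  { 'User Configuration Settings Disabled' }
                         else                                  { 'Computer Configuration Settings Disabled' }
            [pscustomobject]@{
                Name            = $Gpo.DisplayName
                CurrentStatus   = $Gpo.GpoStatus
                UserVersion     = $Gpo.User.DSVersion
                ComputerVersion = $Gpo.Computer.DSVersion
                CandidateStatus = $candidate
            }
        }
    }
}

Get-GPO -All | Get-UnusedGpoHalf | Sort-Object Name | Format-Table -AutoSize
```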

You Learned

Most security-related settings are found within the Windows Settings node of the Computer Configuration node of a GPO.

Policy settings that you wish to apply to all computers or users within a domain should be made within the Default Domain Policy GPO. Generally, domain-wide account policies, such as Password Policies, Account Lockout, and Kerberos settings, are modified here.

You Learned (cont.)

Windows Server 2008 provides the ability to configure Fine-Grained Password Policies, which allow multiple password and account lockout policies within a single domain.

Local Policy settings govern the actions users can perform on a specific computer and determine whether the actions are recorded in an event log. Create Audit Policies here.

You Learned (cont.)

Auditing can be configured to audit successes, failures, or both. Plan auditing carefully before implementation. Events that are not important to your documentation and information needs can cause unnecessary overhead when audited. Auditing can be a very important security tool when used prudently.

You Learned (cont.)

Because audited events are recorded in the appropriate event log, it is necessary to understand the Event Log Policy setting area. This area allows control over maximum log sizes, log retention, and access rights to each log.

You Learned (cont.)

Restrictions on group memberships can be accomplished using the Group Restriction Policy setting. Implementing this policy removes group members who are not part of the configured group membership list or adds group members according to a preconfigured list.

You Learned (cont.)

Folder Redirection can be configured for folders located on a local computer within the Documents And Settings folder. The Offline Files settings allow redirected folders to be available when a network connection is not present. These two setting areas complement each other.

You Learned (cont.)

Disk quotas can be used to control storage space on a network drive. Implementing disk quotas allows administrators to have tighter control over drive usage, which can affect tape backup and restore functionality.

You Learned (cont.)

Computer configuration group policies are refreshed every 90 minutes by default. Domain controller group policies are refreshed every 2 minutes. These settings can be altered based on how frequently policy changes occur.

Disabling unused portions of a GPO decreases the time it takes to complete policy processing.