CN1276 ServerKemtis KunanuraksapongMSIS with DistinctionMCTS, MCDST, MCP, A+
Agenda•Chapter 8: Configuring the User and
Computer Environment Using Group Policy
•Quiz•Exercise
Security Settings•Most of the settings are found in the
Windows Settings folder with in the Policies node in the Computer Configuration node of a GPO▫See Table 8-1 on Page 156-157 for more
information
Account Policies•Account policies influence how a user
interacts with a computer or a domain. ▫By default, they are linked to the Default
Domain Policy.•You create one or more Fine-Grained
Password Policies (FGPP) that override the domain-wide policy. ▫A new feature in Windows Server 2008
Account Policies (Cont.)•Prior to Windows Server 2008, you can
configure a single Password Policy and Account Lockout Policy for any Active Directory domain.
Fine-Grained Password Policy•To enable FGPP, you have to create
Password Settings Object (PSO), which also called msds-PasswordSettings
•Each PSO has mandatory attributes:▫Cn▫msDS-PasswordSettingsPrecedence
A tie breaker to determine which PSO should apply
▫msDS-PasswordReversibleEncryptionEnabled To allows passwords to be stored in AD using
reversible encryption▫See full list on Page 160
Kerberos Policy•Default mechanism for authenticating domain
users in Windows Server 2008, 2003, and 2000
•Ticket-based system that allows domain access by using a Key Distribution Center (KDC), which is used to issue Kerberos tickets to users, computers, or network services▫These tickets have a finite lifetime and are
based in part on system time clocks▫Kerberos has a 5-minute clock skew tolerance
between the client and the domain controller. The client will not be able to log on, if time are off by more than 5 minutes
Kerberos Policy (Cont.)•Enforce User Logon Restrictions tells
Windows Server 2008 to validate each request for a session ticket against the rights associated with the user account.
•Enforce User Logon Restrictions is enabled by default.
•See Figure 8-3 on Page 161
Local Policies•Allow administrators to set user privileges
on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log (auditing):▫User Rights Assignment.▫Security Options.▫Audit Policy.
Audit Policy•Allows administrator to log successful and
failed security events•Planning requires that you determine the
computers to be audited and the type of events you wish to track
Audit Policy (Cont.)• System events — Events that trigger a log entry in
this category include:▫System startups and shutdowns▫System time changes▫System event resources exhaustion, such as when an
event log is filled and can no longer append entries▫Security log cleaning▫Any event that affects system security or the security
log. • In the Default Domain Controllers GPO, this setting
is set to log successes by default
Audit Policy (Cont.)•Policy change events
▫By default, this policy is set to audit successes in the Default Domain Controllers GPO.
▫Triggered by events such as: User rights assignment changes Establishment or removal of trust
relationships IPSec policy agent changes Grants or removals of system access
privileges.
Audit Policy (Cont.)•Account management events
▫Triggers an event that is written based on changes to account properties and group properties.
▫Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.
Audit Policy (Cont.)•Logon events
▫This setting logs events related to successful user log-ons on a computer
▫The event is logged to the Event Viewer Security Log on the computer that processes the request
Audit Policy (Cont.)•Account logon events
▫This setting logs events related to successful user logons to a domain.
▫The event is logged to the domain controller that processes the request. The default setting is to log successes in the Default Domain Controllers GPO.
Audit Policy (Cont.)•Audit Directory Service Access
▫logs user access to Active Directory objects, such as other user objects or OUs.
•Audit Object Access▫logs user access to files, folders, registry
keys, and printers.▫After you enable Audit Object Access, you
need to then specify what you are going to audit
Audit Policy (Cont.)•Events produced by auditing can be
viewed by looking at the Security logs in the Event Viewer.
Restricted Groups Policy•Allows an administrator to specify group
membership lists. ▫You can control membership in important
groups, such as the local Administrators and Backup Operators groups
▫removes group members who are not part of the configured group membership list or adds group members according to a preconfigured list
Folder Redirection Policy•To redirect the contents of certain folders
to a network location or to another location on the user’s local computer ▫Contents of folders on a local computer
located in the Documents and Settings folder, including the Documents, Application Data, Desktop, and Start Menu folders, can be redirected
▫Such as Home drive
Configuring Folder Redirection•If you choose Basic–Redirect Everyone's
Folder To The Same Location▫You must specify the Target folder location
in the Settings dialog box•If you choose Advanced–Specify Locations
For Various User Groups▫You must specify the target folder location
for each group that you add in the Settings dialog box
Offline Files Policy• Allow files to be available to users, even when
the users are disconnected from the network. ▫When the network connection is restored,
changes made to any documents are updated to the server.
▫Folders can be configured so that either all files or only selected files within the folder are available for offline use. When it is combined with Folder Redirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present.
Disk Quotas•Limit the amount of space available on
the server for user data•Required that disk or storage is NTFS•See Figure 8-16 on Page 175
▫Enforce Disk Quota Limit▫Default Quota Limit and Warning Level▫Log Event When Quota Limit Exceeded▫Log Event When Quota Warning Level
Exceeded
Group Policy Refresh•Computer configuration group policies
are refreshed every 90 minutes (+/- 30 minutes) by default.
•Domain controller group policies are refreshed every 2 minutes.
•You can force group policies by using the gpupdate command:
gpupdate /force
Assignment•Fill in the blank
▫1-10•Multiple Choice
▫1-10•Online Lab 8