Welcome to ASO taster lab in English.
Configuring group policy with Windows Server 2008. Part one.
In this video I want to show you how to configure a group policy
with Windows Server 2008 and give you a few tips along the way.
Group policy enables network administrators to specify
a whole bunch of configuration settings from a central location,
and apply them to a Windows Operating System on our client workstations and servers.
We can control the user's desktop experience.
For example, we might wish to remove access to the "Control Panel"
to prevent users from making accidental changes.
Or, we might want to configure Internet Explorer
to give users the same homepage, to create a more uniform environment.
We can specify security settings such as the minimum length of passwords
and even use it to deploy software.
Let's close the group policy management editor for a second
and take a look at Active Directory users and computers.
Now, before we begin working with group policy,
you need to be aware that the group policies that we create
will normally be applied to organisational units.
Organisational units have a book icon within the yellow folder,
and that's how we can tell the difference between an organisational unit,
such as domain controllers,
and an ordinary Active Directory container like users.
I have created two organisational units,
one for ASOTaster Computers and one for ASOTaster Users.
Inside the Computers OU, I have placed a computer,
and within the ASOTaster Users OU, I've created a user.
This is important because group policies are linked to organisational units
and the configuration settings are applied to the user or computer objects
that we put in the OU.
To open our group policy management we need to click start,
administrative tools,
click group policy management,
and bring down our forest to our domain.
Notice the default domain policy.
It's not a good idea to go messing around in there
until you get really familiar with how group policy works
because it takes the highest precedence over all the other group policies.
Settings in there are applied to the whole domain;
that means all objects, users, including the administrator;
computers, servers and your domain controller.
So you need to be careful.
Also notice we've got a default domain controllers policy.
Now again, with the default domain controllers policy
you need to take a little bit more care with this.
It is there to ensure domain controllers have the same security policies.
I'll expand this a little bit and I will get on with creating a new policy.
To create a new group policy object and link it to an organisational unit
we need to right click the organisational unit,
choose create a GPO in this domain and link it here.
Give your new GPO a meaningful name.
I'm going to call it: ASOTaster Users GPO, and click okay.
If we expand our group policy objects container,
there we can see our newly created ASOTaster Users group policy object.
If we expand the ASOTaster Users organisational unit,
we can also see that the ASOTaster Users group policy object is linked to it.
To configure our group policy object we need to right click it, and choose edit.
Now, you'll notice the policy has two main sections
and it's important to understand the difference.
Computer configuration settings are applied to computers when the computer first starts up.
User configuration settings are applied to the users when the user logs on.
And, we've also got policies and preferences.
And the difference between these is that
Policies are strictly enforced, and the users cannot change the settings you specify.
Preferences aren't strictly enforced and users can change the settings you specify.
These offer more flexibility to the end user.
Let's specify some user configuration policies first
by expanding our policies folder in the user configuration.
Now, there are loads of things we can set in here.
I'm just going to make a few changes, so that you get the general idea
and then leave it in order for you to explore things further yourself.
I'll just make the screen a little bigger.
One of the things I'm going to do is restrict access to the "Control Panel"
on a user's workstation to prevent them from going in there
and messing around with things.
So, to do that, we need to click on "Control Panel",
and we need to go across to "prohibit access to the control panel".
To work on it, you can either double-click on it, or right click on it and choose Properties.
It's important to look at the screen carefully because it tells us
the minimum operating system this setting will work with.
We are fairly safe though, because this goes back as far as Windows 2000.
Over here we've got three settings:
Not configured, means exactly that. It's a neutral type setting.
Enabled will set a policy, and disabled will disable a policy.
Read through the "Explain" section carefully because this tells us what the policy actually does.
This one is pretty clear, but sometimes they're a bit ambiguous,
so it's best to think of it this way.
Enabling "prohibit access to the control panel" turns the policy on,
and prevents access to the control panel.
Disabling "prohibit access to the control panel" turns the policy off,
and allows access to the control panel.
I don't think of it as enabling or disabling the control panel,
you are enabling or disabling what the policy says it will do.
I want to prohibit access to the control panel,
so I'm going to click enabled and click okay,
and we can see our policy is now enabled.
Next, let's configure some proxy server settings in Internet Explorer for our users,
and we'll prevent them from changing the settings.
So, I'm going to go across to Windows settings,
Internet Explorer maintenance, I'm going to double-click connection, and proxy settings.
I'm going to put a tick next to "enable proxy settings",
specify a proxy server, and a port, and click okay.
I want to turn off the option to automatically detect proxy settings.
So, I'm going to untick "Automatically detect configuration settings" and click okay.
I also want to specify the users' homepage.
So, click on URLs, and go to "important URLs".
Tick "Customise Home page URL", specify the homepage URL and click okay.
And finally we want to prevent our users from changing those proxy settings.
So, we need to click on "Windows components",
we need to click on "Internet Explorer".
And we need to choose "Disable changing proxy settings".
Read through the policy "Explain" carefully:
"if you enable this policy the user will not be able to configure proxy settings",
so we click enabled, and click okay.
As we can see our policy is now enabled.
So far we've configured a Windows application "Internet Explorer".
We've prevented our users from accessing the "Control Panel" and changing things in there,
which should hopefully help reduce the number of support calls to the IT helpdesk.
Let's now configure a computer group policy.
I could configure computer settings here,
but I want to create a new group policy to hold my computer policy settings.
You don't have to do it this way.
You can create everything in one policy and link the same group policy object
to the OU containing all of the users and computers,
but I like to keep them separate to make management much easier.
Let's close group policy management editor.
We need to right click our ASOTaster Computers OU,
click create a GPO in this domain and link it here,
give our new GPO a meaningful name,
I'm going to call it: ASOTaster Computers GPO, and click okay.
Our new ASOTaster Computers GPO appears in the group policy objects,
and if we expand our ASOTaster Computers organisational unit
we can see that our ASOTaster Computers GPO is linked to it.
To configure the GPO, I need to right click it, and choose edit.
I'm going to configure just one computer-based setting, so you get the general idea.
I'm going to turn off the ability to do a system restore.
So I'm going to expand policies, go to administrative templates, expand system,
click on system restore, and double-click on "turn off system restore" to edit it.
Read through the policy "Explain":
"if you enable this setting system restore is turned off",
click enabled, and click okay.
Our policy is enabled.
So let's log onto the client computer so you can see things from a user's perspective.
We are now on our client workstation.
I'm going to select log-on as Pedrosa.
If we click start, notice we've not got "Control Panel".
If we try to search for it,
and click "Control Panel",
we're prohibited from accessing the "Control Panel".
If we go to "Internet Explorer"
there is the default homepage that we configured.
If we go to tools, Internet options,
connections, and LAN settings,
there are the proxy server settings we specified,
and as you can see, the fields are grey, so we can't change them.
And now I'm going to log-on as the domain administrator.
Now, if we click start
you notice we've got "Control Panel" back, and we can access it.
But, if we click start
and go to all programs, accessories, system tools,
and click on system restore,
the computer policy we set prevents us from doing a system restore.
Even though we logged on as a domain administrator,
we are still prevented from doing a system restore,
and this is why you have to be careful
particularly if you make any changes to things like the default domain policy,
because you could engineer yourself out of the system.
The reason why we are able to access our "Control Panel" again
is because the "Control Panel" was a user-based policy setting
that we linked to the ASOTaster Users OU.
The administrator account doesn't reside within the ASOTaster Users OU.
So that policy simply isn't applied.
Remember that group policies are linked to OUs and the configuration settings
are applied to the user and computer objects that you place within that OU.