Planning and deploy GPO in Windows Server 2008

03/27/2008

Hi all, Microsoft have published a new guide that provides the information needed to successfully plan and deploy Group Policy using Windows Server 2008 and the Group Policy Management Console.

 

Read this document from source…

 

gpo planning
1 Comment
scritto da Alex

Enable Remote Desktop in Windows 2003 with ADM template

07/13/2007

Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes.  This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop".  This can also be enabled on each server individually, using the registry setting below, or by creating a custom ADM template and deploying the setting via Group Policy.

Registry Settings Involved:
Using regedit, navigate to
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server

If the value "fDenyTSConnections" does not exist, create it as a DWORD.

Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.

Below are before and after screenshots of Remote Desktop being enabled. 

NOTE: The setting does not become grayed out.

Before the policy setting is applied

 

After the policy setting is applied
 


Custom .adm Template

This can be deployed via Group Policy by creating an ADM file using the following code. 

**IMPORTANT**  This will be created as a preference, not a policy.  To revoke the settings this template performs, you must specifically "Disable" the setting and allow your clients to embrace the settings. This is the only way for clients to purge this registry key. It will not automatically be removed when they fall out of the Scope of Management of the policy. (See our FAQ on SOM: Scope of Management)

CLASS MACHINE

CATEGORY StartMenu

 POLICY "Enable Remote Desktop"

  KEYNAME "SYSTEMCurrentControlSetControlTerminal Server"

   EXPLAIN "Enabling this setting will allow Remote Desktop Connections to be made to the Server. Disabling this setting will prohibit Remote Desktop Connections from being made to the Server. Setting this to 'Not Configured' will keep the previous registry setting."

   VALUENAME "fDenyTSConnections"
   VALUEON NUMERIC 0
   VALUEOFF NUMERIC 1

 END POLICY

END CATEGORY

 

gpo remote
Comment
scritto da Alex

Can I copy the settings from a GPO to another GPO?

07/13/2007

The easiest way to do this is to make a copy of the original GPO, and then rename it.  Then you will have a new GPO with all of the settings of the original.  To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named “Copy of oldname”. Simply rename it whatever you wish, and you’re in business!

 

gpo
Comment
scritto da Alex

Controlling Block (GPO) Inheritance via Delegation

04/18/2007

If you are like most companies, you have moved from your old Windows NT domains into Active Directory. When you made the switch, you made most of the Windows NT domains Active Directory Organizational Units (OUs). From there, the NT domain admins were delegated full control over their appropriate new OU. Did you know that you might be giving away too much control to these admins?

Establishing the Base Delegation

With a migration from Windows NT domains to Active Directory OUs, it only makes sense to allow the former NT domain admins to control their own OU. This is easily accomplished by creating OUs within Active Directory that matched the old NT domain infrastructure. This might mean that you have OUs named after physical cities or locations, departments, or some other form of logical delineation.

To establish this delegation allowing the NT domain admins control over their new OU is to use Delegation of Administration. This Delegation of Administration is established by using the Delegation Wizard. For example, say you have the following AD structure shown in Figure 1.


Figure 1: Active Directory OU structure example

You have a group for each of these departments. So, you have the HRIT staff group that is responsible for the HR Department OU. To delegate to the HRIT group, you will use the Delegation of Control Wizard. Right click on the HR Department OU and select the Delegate Control menu option, as shown in Figure 2.


Figure 2: Delegate Control menu option will allow configuration for delegation of administration

This will open the Delegation of Control Wizard, which will allow you to configure Full Control to the HRIT group. This is a bit tricky, as you don’t have Full Control as an option when you come to the initial delegation list. You will need to configure a custom task of delegation, as shown in Figure 3.


Figure 3: Full Control of an OU requires custom delegation options

Since you want the delegation to be over all objects in the OU, you will then select the option for all files, folders, etc within the OU. The next screen will then ask you what level of delegation. You of course want Full Control, as shown in Figure 4.


Figure 4: Full Control delegation will grant the user all access to all objects in the OU

From a user within the HRIT group standpoint, they will see the following options when they right click on the HR Department OU, as seen in Figure 5.


Figure 5: Delegation over an OU grants all functionality to the objects in the OU

What Else Does Full Control Delegation Provide

After the delegation is established over an OU and therefore the contents of that OU, the OU administrator only needs to have access to the Active Directory Users and Computers snap-in to perform the administration of the included objects. Figure 5 illustrates what that would look like.

The problem is that the administrator does not only have control over the objects in the OU, the administrator has control over tangential objects and features related to the OU. These additional controls include those related to Group Policy. This would include the following:

  • Linking a GPO to the OU
  • Establishing Block Inheritance at the OU

The first of these, Linking a GPO to the OU, is typically a desired task of an OU administrator. This would mean that the administrator could dictate which GPOs would affect both the user and computer accounts in their OU. This might include security, desktop management, software deployment, etc. controls.

The second task is typically not desired by an OU administrator. Blocking Inheritance, as seen in Figure 6, will block higher level GPOs from applying to objects in the OU.


Figure 6: Block Inheritance is set at Active Directory nodes

With too much delegated power, the administrator could block all of the GPOs that were configured at a site, the domain, and all higher level OUs. This could leave the user or computer in the OU with weakened security, too much control of their desktop, and/or missing software installs. With no mechanism for the administrator higher in the Active Directory structure to know that this Block Inheritance was set.

Removing the Block Inheritance Delegated Privilege

Once Full Control is granted to an OU, it is not all that easy to “remove” certain capabilities. The reason for this is that there are over 1000, possibly 1500, individual permissions that can be set on the OU. For you to find the magic set of permissions that will remove a specific task is not easy to do. The Delegation of Control Wizard is not robust enough to include all tasks, so some tasks must be customized.

In the instance of the Block Inheritance task, a complex array of permissions must be manually removed so the OU administrator can perform all desired tasks within the OU, sans the Block Inheritance for the OU. In order to successfully deny the Block Inheritance capability, you must configure the following granular permissions for the user/group on the OU.

On the “HR” OU, right-click and select the Properties menu option. Then select the Security tab, then the Advanced button on that tab. From there, you will need to edit the security to ensure the permissions are set as shown in Table 1.

Security Tab

Apply to:

Allow/Deny

Specific Permission

Properties

Organizational Unit objects

Deny

Write gPLink

Properties

Organizational Unit objects

Deny

Write gPOptions

Properties

This Object Only

Deny

Write gPLink

Properties

This Object Only

Deny

Write gPOptions

Objects

Organizational Unit objects

Deny

Modify Permissions

Objects

Organizational Unit objects

Deny

Modify Owner

Objects

This Object Only

Deny

Modify Permissions

Objects

This Object Only

Deny

Modify Owner

Objects

This Object and all child objects

Allow

Full Control
Table 1: Permissions for each Security Group controlling the OU

Summary

Delegation of Administration is a very important aspect of Active Directory. It provides an excellent method for narrowing down what tasks administrators can perform in the Active Directory structure. However, if too much delegation is provided, too many tasks can be performed. There are some cases where these tasks are outside of the Active Directory interface, such as with Block Inheritance. With some due diligence, the delegation can be narrowed, but it will require some work to determine which permissions need to be restricted. Here, you can deny Block Inheritance, while maintaining the other Active Directory tasks for OU administrators.

controlling delegation gpo inheritance
Comment
scritto da Alex