
Windows Server: Group Policy Administration and Troubleshooting

Module 1: Fundamentals of Management

Microsoft Confidential
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software
is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content
and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind,
whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-
infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should
be inferred.

Copyright and Trademarks


© 2013 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Module Agenda
Lesson 1: Group Policy Management Console
Lesson 2: Security Compliance Manager
Lesson 3: Advanced Group Policy Management (AGPM)

Lesson 1: Group Policy Management Console

Group Policy Management Console Objectives
Understand how to work with the console
Understand the features of the GPMC
Introduce PowerShell for group policy
Understand the installation process
Explain the creation of policies
Understand delegation processes
Explain best practices for planning

Group Policy Management Overview
Group Policy Management Console
Group Policy Management Console Installation
Group Policy Management
Delegation
Group Policy Planning

Group Policy Management Console
GPMC Essentials
Key Features
Architecture
Scriptable APIs
Performance Improvements

GPMC Essentials
Primary tool for GPO management
Built into the server OS
Included in the Remote Server Administration Tools (RSAT) for clients
Version of GPMC to use: the newest one available for your management workstation, because an older GPMC cannot display or edit settings introduced by newer Windows versions

Common Key Features
GUI for managing Group Policy
Reporting
Search and filtering
Resultant Set of Policy (RSOP) Integration
Backup/Restore
Import/Export
Copy/Paste
Default Target

Architecture

Scriptable APIs
PowerShell, scripting (the GPMC COM interfaces) or .NET
Many PowerShell cmdlets for GPOs in the GroupPolicy module
Get-Help *-GP*
Backup-GPO
Get-GPOReport
Invoke-GPUpdate [-RandomDelayInMinutes]
Remove-GPLink
Set-GPPermission
Many others
Help files are updated from the web (Update-Help)
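The cmdlets listed above combined into one routine, as an added example that is not part of the course material: a dated backup of every GPO in the domain, an HTML settings report per GPO (the same rendering the GPMC Settings tab shows), a quick list of GPOs changed since the last day, and a forced refresh of one test computer. The backup root C:\GPOBackup and the computer name CLIENT01 are assumptions.

```powershell
# Added example (not from the course material). Requires the GroupPolicy module
# (RSAT or a server with GPMC) and a session with rights to read and back up GPOs.
# Assumed placeholders: C:\GPOBackup and CLIENT01.
Import-Module GroupPolicy

$BackupRoot = "C:\GPOBackup\$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO -All writes one folder per GPO (named by a backup GUID) plus manifest.xml,
# and returns a GpoBackup object per GPO
$backups = Backup-GPO -All -Path $BackupRoot -Comment "Scheduled baseline backup"

foreach ($b in $backups) {
    # A human-readable report next to the backup makes later diffing and review easy
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $BackupRoot "$safeName.html")
}

# What was captured: GPO name, GPO GUID, backup GUID (needed for Restore-GPO), time
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Sort-Object DisplayName | Format-Table -AutoSize

# GPOs modified in the last 24 hours: a cheap tamper check between scheduled backups
Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-1) } |
    Select-Object DisplayName, Id, ModificationTime, GpoStatus

# Force a refresh on a single test computer. -RandomDelayInMinutes spreads the load
# when you target many machines; 0 means refresh immediately on this one.
Invoke-GPUpdate -Computer "CLIENT01" -RandomDelayInMinutes 0 -Force
```

Keep the backup GUID from the output: Restore-GPO and Import-GPO select a backup by that GUID, not by the GPO name, so it is the value you need in an incident.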

Performance Improvements
Legacy GPMC versions wrote item by item changes
Small data changes
Many individual changes
Very slow
Current GPMC uses write buffering
Condenses change transmission frequency
99.4% performance improvement

Group Policy Management Console Installation
Installing on Clients
Installing on Servers

Installing On Clients

Installing On Servers

Group Policy Management
Group Policy Objects Properties
Group Policy Properties
Organizational Unit Properties
Organizational Unit Attributes
Group Policy Link Properties
Containers and Links

Group Policy Objects Properties
New
Back Up all
Manage Backups
Open Migration Table Editor

Group Policy Properties
Edit
GPO Status
Backup
Restore from Backup
Import Settings
Save Report

Organizational Unit Properties
Create a GPO in this domain and Link it here
Link an Existing GPO
Block Inheritance
Group Policy Update
Group Policy Modeling Wizard

Search
Domain Level
Search Item
Display Name
GPO Link
Security Group
WMI Filter
User Configuration
Computer Configuration
GUID

Group Policy Link Properties

Containers and Links
Container objects (CN=Computers, CN=Users and the other default containers) cannot have Group Policies linked; only sites, domains and OUs can
They carry no gPLink or gPOptions attribute
Default location for newly joined computers is the Computers container (and for new users the Users container), so those objects receive only domain-linked GPOs until someone moves them
Use redircmp.exe or redirusr.exe to redirect new objects to an OU of your choice
These tools rewrite the wellKnownObjects attribute on the domain naming context head
e.g.: DC=<Domain>,DC=<Domain>
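A check for the situation described above, as an added example that is not part of the course material: it shows where new computers currently land, reads the raw wellKnownObjects entries that redircmp/redirusr rewrite, confirms the container has no gPLink, lists computers still sitting in the default container (which only get domain-linked GPOs), and redirects future joins. The target OU name OU=Workstations is an assumption; redircmp.exe must be run on a domain controller by a Domain Admin.

```powershell
# Added example (not from the course material). Needs the ActiveDirectory module.
# Assumed placeholder: the OU named OU=Workstations.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Get-ADDomain already resolves the relevant wellKnownObjects entries for you
"Default computer container: $($domain.ComputersContainer)"
"Default user container:     $($domain.UsersContainer)"

# The raw attribute on the domain NC head, to see exactly what redircmp/redirusr change.
# Each value has the form B:32:<well-known GUID>:<DN>
$nc = Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects
$nc.wellKnownObjects | Where-Object {
    $_ -like "*$($domain.ComputersContainer)" -or $_ -like "*$($domain.UsersContainer)"
}

# The container has no gPLink/gPOptions at all, which is why nothing can be linked to it
Get-ADObject -Identity $domain.ComputersContainer -Properties gPLink, gPOptions |
    Select-Object DistinguishedName, gPLink, gPOptions

# Computers that joined and were never moved: no OU-linked baseline reaches them
$strays = Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
    -Filter * -Properties whenCreated, OperatingSystem
$strays | Select-Object Name, OperatingSystem, whenCreated | Sort-Object whenCreated

# Redirect future joins. Requires Domain Admin and at least Windows Server 2003 domain functional level.
$targetOU = "OU=Workstations,$($domain.DistinguishedName)"
if (Get-ADOrganizationalUnit -Identity $targetOU -ErrorAction SilentlyContinue) {
    redircmp.exe $targetOU
    # redirusr.exe "OU=Staff,$($domain.DistinguishedName)" does the same for new user accounts
}

# Move the existing stragglers so OU-linked policy applies at the next refresh.
# Remove -WhatIf once the list above has been reviewed.
$strays | Move-ADObject -TargetPath $targetOU -WhatIf
```

Redirecting only affects objects joined from now on; the Move-ADObject step is what fixes the machines already sitting outside the OU structure.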

Delegation
Delegate Control
Delegate Policies
Delegating Creation of Policy
Advanced Security

Delegate Control

Delegate Policies
Delegation Tab
Permission
Link GPOs
Perform Group Policy Modeling Analyses
Read Group Policy Results data

Delegating Creation of Policy
Three methods
Setting the delegation within GPMC (Group Policy Objects node, Delegation tab), which grants the underlying AD rights
Membership of the Group Policy Creator Owners group
Advanced Group Policy Management roles (the Editor role)

Advanced Security
A GPO applies to a security principal only if that principal holds both Read and Apply Group Policy on the GPO
Domain Admins (DA) and Enterprise Admins (EA) are granted edit rights on new GPOs but not Apply Group Policy in their own right; their members still receive policy through Authenticated Users
Authenticated Users holds Read and Apply Group Policy by default, which is why a new GPO applies to everything in its link scope until you change the security filtering
Group Policy Planning
Planning Considerations
Planning Best Practice Guidelines

Planning Considerations
Administrative Model
Security Requirements
Delegation type
Policy Volume
Simplicity

Planning Best Practice Guidelines
Choose stable upper-level OU names
Implement standard-setting policies (a baseline GPO that every object in scope receives)
Leverage inheritance
Minimize unique circumstances
Use security filtering, enforced links, Block Inheritance and WMI filters sparingly: each one makes the resultant set of policy harder to predict and troubleshoot
Separate object classes (users and computers in different OUs)
Avoid changing the default policies (Default Domain Policy, Default Domain Controllers Policy)
Disable non-required policy components (the User or Computer configuration half of a GPO) so they are not processed
Avoid assigning cross-domain policies

Group Policy Management Review
Group Policy Management Console
Group Policy Management Console Installation
Group Policy Management
Delegation
Group Policy Planning

Lesson 2: Security Compliance Manager

Security Compliance Manager Objectives
Understand the Security Compliance Manager
Installation of Security Compliance Manager
Using Security Compliance Manager

Security Compliance Manager Overview
What is the Security Compliance Manager
Installing the Security Compliance Manager
Using the Security Compliance Manager
What is the Security Compliance Manager
Integration with System Center 2012 Configuration Manager (baselines can be exported for compliance checking)
Gold master support (import settings from a reference build)
Configure stand-alone machines
Updated security guides
Compare your settings against industry best practices

Installing the Security Compliance Manager
Installation of Security Compliance Manager
Prerequisites
Installing SCM
Installing SQL Express
Finish the Install
Installation of Security Compliance Manager
Installation procedure
Microsoft_Security_Compliance_Manager_Setup.exe
LocalGPO.msi: this tool is designed to manage the local Group Policy of a computer

Prerequisites
Supported operating systems
Windows 7, Windows 8
Microsoft Visual C++ 2010 Redistributable package
Microsoft Word or Microsoft Word Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats

Installing SCM

Installing SQL Express

Finish the Install

Using the Security Compliance Manager
Security Compliance Manager
Security Guides
Demonstration
Using Security Compliance Manager

Security Guides
Available for multiple versions of:
Office
Windows Client
Windows Server
Exchange
Internet Explorer
Demonstration
Using the Security Compliance Manager
A look around the tool
Examine the existing templates
Security Compliance Manager Review
What is the Security Compliance Manager
Installing the Security Compliance Manager
Using the Security Compliance Manager
Lesson 3: Advanced Group Policy Management (AGPM)

AGPM Objectives
Understand MDOP components
Understand the features of Advanced Group Policy Management
Understand the extended features of Advanced Group Policy Management
Explain how Advanced Group Policy Management works

Advanced Group Policy Management Overview
Microsoft Desktop Optimization Pack (MDOP)
AGPM Features
AGPM principles
Installing the Advanced Group Policy Manager
Troubleshooting

Microsoft Desktop Optimization Pack (MDOP)
Application Virtualization (App-V)
User Experience Virtualization (UE-V)
Microsoft Enterprise Desktop Virtualization (MED-V)
Microsoft BitLocker Administration and Monitoring (MBAM)
Advanced Group Policy Management (AGPM)
Diagnostics and Recovery Toolset (DaRT)

AGPM Features
Core AGPM Features
Extended Features

Core AGPM Features
Extension of the GPMC
Role based delegation
Check-out/Check-in
Offline editing
Change control
Historical track of changes
Deployment process
Roll-back and Roll-forward
Recycle bin
Advanced GPO Link Restore
SMTP notifications

Extended Features
The listening port of the AGPM Service can be changed
The number of GPO versions kept in the archive can be limited
SMTP over SSL can be used for notifications
Available in 11 languages
Import/Export of controlled GPOs between AGPM servers
Enhanced reporting for changes in the archive
Compatibility

AGPM Principles
How does it work?
Least Privilege Service Account
AGPM Architecture
Checkout Process

How does it work?
(Diagram: AGPM Client -> AGPM Service -> Domain Controller)
Offline GPOs are held in the AGPM archive on the AGPM server
Production GPOs live in Active Directory and SYSVOL on the domain controllers
The service account performs the write to AD when a controlled GPO is deployed
Least Privilege Service Account
Does not require Domain Admin membership
Needs full access to the AGPM archive folder
Needs full access to the local computer's temp folder (%systemroot%\temp)
Needs full access to GPOs created prior to using AGPM, so that they can be brought under control
Must be a member of the Group Policy Creator Owners and Backup Operators groups
Remove every other right the account does not need. Note that Backup Operators is itself a privileged group (its members can back up and restore any file, including on domain controllers), so protect this account's credentials as you would an administrator's
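Provisioning the account with exactly the rights listed above, as an added example that is not part of the course material (it also covers the "Create the Service Account" step of the installation procedure later in this lesson). The account name svc-agpm, the archive path D:\AGPM\Archive and the intention to run it on the AGPM server itself are assumptions; the group memberships and folder permissions are the ones the slide names.

```powershell
# Added example (not from the course material). Run on the future AGPM server with
# rights to create users and GPO permissions. Assumed placeholders: svc-agpm, D:\AGPM\Archive.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$svc      = 'svc-agpm'
$archive  = 'D:\AGPM\Archive'
$password = Read-Host -AsSecureString "Password for $svc"

# A plain user account: deliberately NOT Domain Admins, NOT Enterprise Admins
New-ADUser -Name $svc -SamAccountName $svc -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AGPM service account (least privilege)'

# The two memberships the slide requires
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $svc
Add-ADGroupMember -Identity 'Backup Operators' -Members $svc

# Full control on the archive folder and on the local temp folder.
# (OI)(CI) = inherit to files and subfolders, F = full control
$acct = "$((Get-ADDomain).NetBIOSName)\$svc"
New-Item -ItemType Directory -Path $archive -Force | Out-Null
icacls.exe $archive /grant "${acct}:(OI)(CI)F" /T
icacls.exe "$env:SystemRoot\temp" /grant "${acct}:(OI)(CI)F"

# Pre-existing GPOs: the service account needs edit/delete/modify-security on each so
# AGPM can take control of them. GPOs created later are created by the account itself.
Get-GPO -All | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName $svc -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Verify: expect Domain Users, Group Policy Creator Owners and Backup Operators, nothing else
(Get-ADPrincipalGroupMembership -Identity $svc).Name
```

Treat the verification line as part of your periodic review: a Domain Admins entry appearing in that list later is the shortcut someone took while troubleshooting, and it turns every AGPM editor into a domain-admin-equivalent.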

AGPM Architecture

Checkout Process
When checking out a Group Policy object the following occurs:
The AGPM Server service generates a new GUID
It copies the GPO from the archive to the temp folder
It connects to Active Directory
It creates an unlinked GPO called [AGPM]<Policy Name>
It connects to SYSVOL
It creates a new folder using the new GUID as the name
All edits are made against this offline copy
When the GPO is checked in, the changes are written to the AGPM archive
Changes are only written to the production GPO once approved and deployed
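A check on the process just described, as an added example that is not part of the course material: it lists the temporary "[AGPM]<name>" GPOs that exist in production AD while a check-out is in progress and verifies that each one is genuinely unlinked, by searching every gPLink attribute in the domain and in the Sites container for the GPO's GUID. A checked-out copy that somebody linked by hand would apply settings that never went through approval. Domain and forest names are taken from the current session; nothing else is assumed.

```powershell
# Added example (not from the course material). Needs the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$sitesDN  = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Use StartsWith rather than -like: the square brackets would otherwise be a wildcard class
$checkedOut = Get-GPO -All | Where-Object { $_.DisplayName.StartsWith('[AGPM]') }

foreach ($gpo in $checkedOut) {
    # gPLink values look like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0], so a
    # substring search for the GUID finds every OU, domain or site that links this GPO
    $filter = "(gPLink=*{$($gpo.Id)}*)"
    $links  = @(Get-ADObject -LDAPFilter $filter -SearchBase $domain.DistinguishedName -SearchScope Subtree) +
              @(Get-ADObject -LDAPFilter $filter -SearchBase $sitesDN -SearchScope Subtree)

    # The SYSVOL folder the service created under the new GUID
    $sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"

    [pscustomobject]@{
        DisplayName   = $gpo.DisplayName
        Id            = $gpo.Id
        Created       = $gpo.CreationTime
        Modified      = $gpo.ModificationTime
        LinkedAt      = ($links.DistinguishedName -join '; ')   # should be empty
        SysvolPresent = Test-Path $sysvol
    }
}
```

An empty LinkedAt column is the expected result. Old entries in the Created column are also worth chasing: a check-out nobody checked back in is both a stale copy and a sign that the change-control step is being bypassed.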

Installing the Advanced Group Policy Manager
Installation Procedure
Managing AGPM server
Using AGPM server

Installation Procedure
Create the service account
Separate client and server components; they can be installed on the same machine
Install the server component first, then the client
Install the server in the same site as the PDC emulator (PDCe)
AGPM version 4 Service Pack 1 is needed for Windows Server 2012

Managing AGPM Server
Uncontrolled GPOs are in Production environment only
Use Controlled tab to add GPO into vault
Makes a copy of GPO
All edits to controlled GPO are made offline
Once controlled, they are managed by AGPM
Only the account that installed the tool and the AGPM service
account retain permissions

Demonstration
Using AGPM Server
A walkthrough of the management console
Check out, edit and check in policies
Deploying policies
Generation of reports and reviewing historical changes
View difference reports
Deleting policies from the archive

Troubleshooting
Troubleshooting AGPM
Modifying AGPM Configuration

Troubleshooting AGPM
Event logging
AGPMServ.log / AGPM.log tracing can be enabled
To enable via the registry:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\AGPM
TraceLevel, type REG_DWORD, with the following data values:
0 = No tracing (same effect as if this registry entry does not exist)
1 = Trace errors
2 = Trace errors and warnings
3 = Trace errors, warnings, and general information
4 = Trace all information
Log location for servers: %ProgramData%\Microsoft\AGPM\agpmserv.log
Log location for clients: %LocalAppData%\Microsoft\AGPM\agpm.log
To enable via the AGPM.ADMX file:
Computer Configuration\Administrative Templates\Windows Components\AGPM Logging
Set to Enabled

Modifying AGPM Configuration
Many settings not exposed in the UI are stored in XML
%CommonAppData%\Microsoft\AGPM\gpostate.xml
Modify the listening port for AGPM
Use the UI (or the AGPM Server policy setting) where possible
Only change the XML files directly when no UI exists, with the AGPM Service stopped and a backup of the archive taken first
agpm:port="4600"

Advanced Group Policy Management Review
Microsoft Desktop Optimization Pack (MDOP)
AGPM Features
AGPM principles
Installing the Advanced Group Policy Manager
Troubleshooting

Lab
Review
In the module, we looked at:
Group Policy Management Console
Security Compliance Manager
Advanced Group Policy Management (AGPM)
