
Windows Group Policy Troubleshooting PDF

225 Pages·2016·14.681 MB·English

Preview Windows Group Policy Troubleshooting

CHAPTER 1 ■ GETTING STARTED WITH GROUP POLICY

Figure 1-4. Running the gpedit.msc command to open GPO using the command prompt

■ Note The Local Group Policy Editor is available on Windows desktop editions, but on Windows Server editions you can manage Group Policy through the Group Policy Management Console. To open it, run the gpmc.msc command via the Run menu item or a command prompt.

How to Configure a GPO

You should now be able to launch the Group Policy Editor. Let’s learn how to configure a Group Policy Object in the snap-in. On a modern operating system, such as Windows 10, there are over 3,500 available GPOs. In order to modify the status of a Group Policy setting, you need to locate it in the editor.

The editor policies are split between settings that are applied to the computer and settings that affect the user that logs on to the device. The two corresponding sections of the policy are Computer Configuration and User Configuration, as was shown in Figure 1-1. If a setting is configured within the Computer Configuration tree, it will affect system-wide operations and is applied to all users that use the system. In other words, you can think of it as deploying a global setting for your system. Alternatively, if the policy setting is located within the User Configuration tree, then it will only affect operations for the logged-in user. You can configure settings in both areas. Many settings can be found in both areas; this allows you to control how the settings are applied.

The majority of GPO settings are used to modify the behavior of Windows. Administrative templates are used to provide logical groupings of settings such as Windows components, Internet Explorer, printers, networking, and the like. Administrative templates are basically registry-based policy settings, and each GPO setting can be configured with the help of them. These files have an .admx extension and utilize XML markup. There are two types of admx files used in GPOs. First, the language-neutral file, .admx, determines the policy settings, the location, and the category. The .adml file is the language resource file. It provides language-specific information to the language-neutral .admx file.

By default, there are three status options that a Group Policy setting can exhibit: Enabled, Not Configured, and Disabled. The default status for all Group Policy settings is Not Configured. This is the state when you view a GPO for the first time, such as just after installing Windows.

To understand how and why you should configure a policy setting, let’s use an example. Suppose you want to block third-party cookies in the Microsoft Edge browser. You want to achieve this by configuring a Group Policy setting. Luckily, there is a Group Policy setting available for this, and the setting is available for both the computer and user area separately. Follow these steps to configure this policy:

1. Launch GPO by typing gpedit.msc into the Search box and pressing Enter. If you want to configure the policy for the computer, navigate to Computer Configuration ➤ Administrative Templates ➤ Windows Components ➤ Microsoft Edge. If you want to configure the policy for the user, navigate to User Configuration ➤ Administrative Templates ➤ Windows Components ➤ Edge UI.

2. Within the Microsoft Edge folder on either configuration, you will notice several settings listed on the right pane. On a newly installed device, all of the settings will exhibit the Not Configured status by default, as shown in Figure 1-5.

Figure 1-5. Locating the Configure how Microsoft Edge treats cookies policy in Local Group Policy Editor

3. Locate the Configure how Microsoft Edge treats cookies policy and double-click the setting to modify its status.

4. The window shown in Figure 1-6 allows you to configure the status for the Configure how Microsoft Edge treats cookies policy. The text mentioned under the Help section is useful when determining the effect of each configuration option. To illustrate how to set the GPO, select the Enabled option to turn on the policy and then, under the Configure Cookies setting section, select the Block only 3rd-party cookies option.

Figure 1-6. GPO configuration setting options. To save the GPO, click the OK button.

In this way you have successfully configured a policy for your Windows system, under which third-party cookies are blocked for the Microsoft Edge browser.

■ Tip You can download the Group Policy Settings reference available for your operating system from the Microsoft Download Center at www.microsoft.com/en-in/download/details.aspx?id=25250. The Windows 10 reference contains details about more than 3,500 Group Policies you can configure.

How Group Policy Works in Detail

The Group Policy engine starts acting when your computer boots up. However, the user-side configuration is effective only after the user has logged in. Unlike the registry, the Group Policy Management Console cannot be started from the command prompt at boot time. Group Policy cannot be accessed during Advanced Recovery Options scenarios, using the command prompt in the Windows Recovery Environment, or during the boot phase of Windows. If you try to launch gpedit.msc from a command prompt during the Windows boot phase, the command prompt will return an unrecognized command message, as shown in Figure 1-7.

Figure 1-7. Running gpedit.msc produces an error during the boot process

Within a domain environment, Active Directory Domain Services (AD DS) controls how Group Policy settings are applied. The engine that processes Group Policy settings is also referred to as the core of Group Policy. The subsets of this engine are client-side extensions (CSEs) and server-side snap-in extensions (SSEs). The Group Policy engine on the client evaluates Active Directory to understand and prioritize the policies it should apply.

■ Note For user-dedicated Windows operating systems, Group Policy is only provided on Professional and Enterprise editions. This means if you’ve got a Windows 10 Home or Basic version, you won’t be able to access Group Policy.

Let’s look “under the hood” to see how the Group Policy engine works. After reading this section, you will have a better understanding about how GPOs work.

Connecting Windows to a Server

Before delving deeper into how GPOs are applied to your system, let’s review the steps required to connect a Windows 10 machine to a domain.

1. On a Windows 10 machine, go to Settings app ➤ System ➤ About. In the right pane of the window (see Figure 1-8), click the Join a domain button.

Figure 1-8. Joining a domain

2. In the Join a domain prompt, type the domain name and click Next (see Figure 1-9).

Figure 1-9. Entering a domain name

3. Next, you’ll be asked to enter your domain credentials in order to verify your identity. Enter your details and hit OK (see Figure 1-10).

Figure 1-10. Adding your domain credentials

4. You can then add an account for the person who is using the machine. The Account type can be chosen on the screen, depending upon the situation (see Figure 1-11). Click Next.

Figure 1-11. Adding the account you want to use

5. Then you will be asked to restart your machine, as shown in Figure 1-12, so that your connection to the domain can be completed.

Figure 1-12. Restart prompt

6. After rebooting the system, the login screen will ask you to input your domain credentials (see Figure 1-13). After entering valid details, you can finally log in as a domain user.

Figure 1-13. Windows 10 logon screen for domain accounts

Now that you have joined your workstation to AD DS, let’s explore how GPOs work within a domain environment.

During the computer boot-up process: When your domain-joined workstation boots up, it will obtain an Internet Protocol (IP) address automatically from the Dynamic Host Configuration Protocol (DHCP). If the IP address is statically configured, the IP address for the Domain Name System (DNS) must be the DNS server that relates to your Domain Controller (DC) server itself, for example dc.apress.com. At this point, your workstation will be configured with the correct IP address information, which will include:

• IP address and subnet mask
• DNS Server IP address for the AD

Once the desktop has the IP address for the DNS server, it will look up the necessary records in DNS and will try to establish a connection to the NETLOGON service running on a DC. The DCs are listed in the DNS database under the Service Resource Locator (SRV) records. When the domain controller is upgraded from a server to a domain controller for that domain, the entries are entered dynamically.

■ Note You can locate the NETLOGON service under the Services snap-in, which can be found by running the services.msc command. If this service is not running, you will not be able to connect to a DC.

Communication between the desktop and DC: After obtaining the list of DCs and identifying a DC, the desktop will then communicate with it to authenticate. This communication occurs via a secure channel between the desktop and the DC. The communication occurs through the shared folders available on the DC. These folders are generally found at the following locations:

Share      Location
SYSVOL     %SYSTEMROOT%\SYSVOL\sysvol
NETLOGON   %SYSTEMROOT%\SYSVOL\sysvol\<domain name>\SCRIPTS

The GPOs are stored under the SYSVOL share and the logon scripts are stored under the NETLOGON share. Once the computer and user have been authenticated and a connection to these shares has been established, the appropriate GPO settings are made available for download.

Identifying Group Policy Objects for devices: This section focuses on the policies that will affect the computer. Only GPOs found in the Computer Configuration portion of the Group Policy tree will affect the computer object. The DC which the computer is connected to will determine which GPOs should apply to the device based on the computer account status and location within Active Directory. An administrator is able to create three distinct logical boundary areas within Active Directory, and the computer account object can exist at one of the following levels:

• Domain: A logical group of network objects such as computers, users, and devices sharing the same Active Directory database.
• Site: A logical grouping of a set of well-connected subnets.
• Organizational Unit (OU): This is the smallest logical unit within Active Directory that can contain users, groups, computers, and other organizational units.

The DC will also determine which site the computer belongs to, so the GPOs linked to this site are also applied to the device. All of the GPOs that are linked to the domain, site, and organizational unit where the computer account resides will be delivered to the device.

For more advanced control of objects within Active Directory, there are several other factors that can come into play, including security filtering, nested OUs, network topology considerations, and more. These topics will be explored later in this book.

■ Info When talking about Active Directory, you should be familiar with the concepts of domain, tree, and forest. All of these components are the levels in AD that hold objects. The domain is the smallest entity and a collection of domains makes up a tree. A forest is a collection of many trees sharing the same directory information, directory schema, global catalog, etc. This can be easily understood with the help of Figure 1-14.

Figure 1-14. Relationship between domain, tree, and forest
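The relationship between the language-neutral .admx file, the .adml language resource file and the registry value a setting writes, shown as an added example that is not taken from the book. The template pair is constructed for illustration, and its key path, value name and data values are placeholders rather than the contents of the real Microsoft Edge template.

```powershell
# Constructed, minimal .admx/.adml pair for illustration only. The key path,
# value name and data values are placeholders, not taken from a real template.
$admxText = @'
<policyDefinitions><policies>
  <policy name="Cookies" class="Both" displayName="$(string.Cookies)"
          key="Software\Policies\ExampleVendor\ExampleBrowser">
    <elements><enum id="CookiesListBox" valueName="Cookies">
      <item displayName="$(string.BlockThirdParty)"><value><decimal value="1"/></value></item>
      <item displayName="$(string.AllowAll)"><value><decimal value="2"/></value></item>
    </enum></elements>
  </policy>
</policies></policyDefinitions>
'@
$admlText = @'
<policyDefinitionResources><resources><stringTable>
  <string id="Cookies">Configure how the browser treats cookies</string>
  <string id="BlockThirdParty">Block only 3rd-party cookies</string>
  <string id="AllowAll">Allow all cookies</string>
</stringTable></resources></policyDefinitionResources>
'@

function Get-AdmxRegistryMap([xml]$Admx, [xml]$Adml) {
    # .adml: string id -> localized text. local-name() ignores the XML namespace real files declare.
    $text = @{}
    foreach ($s in $Adml.SelectNodes("//*[local-name()='string']")) {
        $text[$s.GetAttribute('id')] = $s.InnerText
    }
    # Turn a "$(string.Id)" reference from the .admx into its localized text.
    $resolve = { param($ref) $text[($ref -replace '^\$\(string\.(.+)\)$', '$1')] }
    foreach ($p in $Admx.SelectNodes("//*[local-name()='policy']")) {
        # class: Machine = Computer Configuration, User = User Configuration
        $hive = switch ($p.GetAttribute('class')) {
            'Machine' { 'HKLM' } 'User' { 'HKCU' } default { 'HKLM,HKCU' }
        }
        foreach ($e in $p.SelectNodes(".//*[local-name()='enum']")) {
            foreach ($i in $e.SelectNodes("./*[local-name()='item']")) {
                [pscustomobject]@{
                    Policy    = & $resolve ($p.GetAttribute('displayName'))
                    Option    = & $resolve ($i.GetAttribute('displayName'))
                    Hive      = $hive
                    Key       = $p.GetAttribute('key')
                    ValueName = $e.GetAttribute('valueName')
                    Data      = [int]$i.SelectSingleNode(".//*[local-name()='decimal']").GetAttribute('value')
                }
            }
        }
    }
}
Get-AdmxRegistryMap $admxText $admlText | Format-Table -AutoSize
```

Each output row is one selectable option of the setting, with the registry hive, key, value name and data that the option corresponds to, which is the information needed to audit a policy from the registry side.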
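The boot-time sequence described above (DNS server, SRV lookup for DCs, NETLOGON service, secure channel, SYSVOL and NETLOGON shares) as a set of client-side checks, added here as an example that is not from the book. It assumes Windows PowerShell 5.1 on a domain-joined machine; `corp.example` is a placeholder domain, and the `_ldap._tcp.dc._msdcs` record name and the `Policies` folder under SYSVOL are standard Active Directory details that the text does not spell out.

```powershell
# Added example: each check mirrors one stage of the sequence in the text.
function Test-GpoDeliveryPath {
    param([Parameter(Mandatory)][string]$Domain)

    # 1. DNS servers the client uses; they must be able to resolve the AD zone.
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
        Sort-Object -Unique

    # 2. Domain controllers are published in DNS as SRV records.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object NameTarget | ForEach-Object NameTarget

    # 3. The local NETLOGON service must be running to reach a DC.
    $netlogon = (Get-Service -Name Netlogon -ErrorAction SilentlyContinue).Status -eq 'Running'

    # 4. Secure channel between the computer account and the domain.
    #    Run elevated; any error is reported as False.
    $channel = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }

    # 5. Shares that carry GPOs (SYSVOL) and logon scripts (NETLOGON).
    $sysvol  = Test-Path -Path "\\$Domain\SYSVOL"
    $scripts = Test-Path -Path "\\$Domain\NETLOGON"

    # 6. GPO folders this client can see (one GUID-named folder per GPO).
    $gpoCount = 0
    if ($sysvol) {
        $gpoCount = @(Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Directory -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        DnsServers        = @($dns)
        DomainControllers = @($dcs)
        NetlogonRunning   = $netlogon
        SecureChannelOk   = $channel
        SysvolReachable   = $sysvol
        NetlogonShare     = $scripts
        VisibleGpoFolders = $gpoCount
    }
}

Test-GpoDeliveryPath -Domain 'corp.example' | Format-List
```

The properties are listed in the order the client depends on them, so the first empty or False value marks the stage at which GPO delivery breaks down.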
