
Windows Server 2008 R2 : Managing Computers with Domain Policies (part 1)

3/26/2011 3:38:06 PM
Managing the configuration and settings of domain servers and workstations can be standardized using domain group policies. Domain group policies offer the advantage of taking user error and mistakes out of the loop by pushing out the configuration and security of computers from a single group policy or a set of group policies. Of course, with this much control it is essential that group policies are tested and tested again to verify that the correct configuration and desired results are achieved with the policies. In the early days of Active Directory domain-based group policies, a few organizations, which will go unnamed in this book, found themselves locked out of their own computers and Active Directory domain controllers because of overrestrictive Group Policy security settings and the application of these settings to all computers and users, including the domain administrators. When this situation occurs, a domain controller can be rebooted into Directory Services Restore Mode and an authoritative restore of Active Directory might be required.

Before domain group policies can be created and managed, the Group Policy Management Console (GPMC) needs to be installed. If printers will be installed using the Deploy Printer function of Group Policy, the Print Services Tools should also be installed. To install the GPMC and Print Services Tools, perform the following steps:

1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open Server Manager from the Administrative Tools menu.
3. After Server Manager loads, click on the Features node in the tree pane.
4. Select Add Features in the right pane.
5. Scroll down and check the box next to Group Policy Management.
6. Expand Remote Server Administration Tools and expand Role Administration Tools.
7. Check the box next to Print and Document Services Tools and click Next.
8. Confirm the selection and click Install to begin the process.
9. After the process completes, click Close to complete the installation.

Creating a New Domain Group Policy Object

To create a new domain Group Policy Object, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy Management.
3. If necessary, expand the forest node, the domains node, and the correct domain.
4. Right-click the Group Policy Objects container, and select New.
5. Type in a name for the new GPO.
6. If the starter GPO functionality in the domain is enabled and if a suitable starter GPO exists, click the Source Starter GPO drop-down list arrow, and select either (None) or the desired starter GPO.
7. Click OK to create the GPO. In the tree pane of the Group Policy Management Console window, expand the Group Policy Objects container to reveal the newly created GPO.
8. After the GPO is created, it can be edited by right-clicking on the GPO and selecting Edit.
9. Close the Group Policy Management Console and log off of the server.

Creating and Configuring GPO Links

After a GPO is created and configured, the next step is to link the GPO to the desired Active Directory containers. To link an existing GPO to an Active Directory container, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy Management.
3. Add the necessary domains or sites to the GPMC as required.
4. Expand the Domains or Sites node to expose the container to which the GPO will be linked.
5. Right-click the desired site, domain, or organizational unit, and select Link an Existing GPO.
6. In the Select GPO window, select the desired domain and GPO, and click OK to link it.
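
The three procedures above (installing the tools, creating a GPO, and linking it) can also be scripted with the ServerManager and GroupPolicy PowerShell modules that ship with Windows Server 2008 R2. The following is an added example, not part of the original text; the GPO name and the test OU distinguished name are placeholders, and the link goes to a test OU first, in line with the advice to test policies before wider use.

```powershell
# Added example: scripted equivalent of the GUI steps above (PowerShell 2.0 compatible).
$GpoName = 'UAC - Test Policy'                  # hypothetical GPO name
$TestOu  = 'OU=GPO-Test,DC=example,DC=com'      # hypothetical test OU

# Install Group Policy Management and the Print and Document Services Tools
# only where they are not already present.
Import-Module ServerManager
$features = 'GPMC', 'RSAT-Print-Services'
$missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name }) | Out-Null
}

Import-Module GroupPolicy

# Create the GPO only if one with this name does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Created by script; pending test'
}

# Link the GPO to the test OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $TestOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TestOu -LinkEnabled Yes | Out-Null
}

# Keep a record of what the GPO contains and show the links on the test OU.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$GpoName.html"
(Get-GPInheritance -Target $TestOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```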

Managing User Account Control Settings

Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 contain a security feature called User Account Control (UAC). UAC was created primarily to reduce or prevent unauthorized changes to the operating system configuration or file system. UAC interacts with both nonadministrators and administrators in their desktop environment and runs almost all applications in Standard User mode. When an administrator, regular user, or application attempts to perform an action that can result in a system configuration change or require access to sensitive areas of the operating system or file system, UAC interrupts the change and prompts for authorization or credentials to validate the change or requested access or elevation desired by the end user.

UAC settings are pretty flexible in allowing applications to run as desired but can require some tuning on the part of the desktop administrator. Many independent software vendors have been able to produce applications that can interact with UAC, but in some cases where functionality or usability of a PC is impacted by UAC, some administrators or organizations may decide to disable UAC completely or just certain UAC settings to optimize the user experience. For situations when UAC is causing undesired issues with applications, if adjusting file security, adjusting user rights assignments, or running applications in legacy XP mode does not work, it might be necessary to adjust or disable User Account Control settings. The likely candidates are applications that formerly required the end user to be a member of the local Power Users or Administrators group. UAC settings should not adversely affect the functionality and operation of standard users. On the contrary, UAC actually allows standard users to be prompted for credentials to allow elevation of rights to install software or components that would have failed with previous operating systems with an Access Denied message. If, for some reason, the end user requires local administrator rights to run a legacy application and all other options have failed, then changing UAC security settings in a local computer policy or domain group policy object is required. When UAC security setting changes are required, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Open the Group Policy Management Console from the Administrative Tools menu.
3. Add the necessary domains to the GPMC as required.
4. Expand the Domains node to reveal the Group Policy Objects container.
5. Either create a new GPO or edit an existing GPO.
6. After the GPO is opened for editing in the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node, select the Windows Settings node, and expand it.
7. Expand the Security Settings node, expand Local Policies, and select Security Options.
8. In the Settings pane, scroll to the bottom of the pane to locate the UAC settings. The following list displays the default UAC settings in the Local Computer Policy for Windows Server 2008 R2:

  • Admin Approval Mode for the Built-In Administrator Account: Disabled
  • Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop: Disabled
  • Behavior of the Elevation Prompt for Administrators in Admin Approval Mode: Prompt for consent for non-Windows binaries
  • Behavior of the Elevation Prompt for Standard Users: Prompt for credentials
  • Detect Application Installations and Prompt for Elevation: Enabled
  • Only Elevate Executables That Are Signed and Validated: Disabled
  • Only Elevate UIAccess Applications That Are Installed in Secure Locations: Enabled
  • Run All Administrators in Admin Approval Mode: Enabled
  • Switch to the Secure Desktop When Prompting for Elevation: Enabled
  • Virtualize File and Registry Write Failures to Per-User Locations: Enabled

9. To disable all UAC functionality using domain policies, create and link a new GPO for UAC and edit the setting named Run All Administrators in Admin Approval Mode, and configure the setting value to Disabled. If this setting is configured as Disabled, all other UAC settings are ignored. Also, this setting change will be applied during startup, shutdown, and background refresh, but a reboot will be required to complete the setting change.
10. To disable UAC prompts when logged on with an account with Local Administrator rights and leave all other settings functional, using domain policies, create and link a new GPO for UAC and edit the setting named Behavior of the Elevation Prompt for Administrators in Admin Approval Mode, and configure the setting value to Elevate Without Prompting, as shown in Figure 1. Click OK to save the setting and close the Group Policy Management Editor window.

Figure 1. Configuring User Account Control to allow administrators to elevate privileges without prompting.

11. After the GPO is configured as desired, save the GPO and link it to an organizational unit that has a test Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 system to verify that the desired functionality has been achieved.
12. After the testing is completed, configure security filtering and possibly also WMI filtering to limit the application scope of this policy and link it to the desired organizational unit(s).
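
To verify on a test system which UAC settings a policy actually changed, the effective values can be compared with the defaults listed in step 8. The following is an added example, not part of the original text: it assumes the standard registry value names behind each Security Options entry, and the sample hashtable is constructed to represent the configuration from step 10.

```powershell
# Added example. Defaults are the Windows Server 2008 R2 values listed in step 8;
# the registry value names are the ones that back each Security Options entry.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$baseline = @'
Value,Default,Policy
FilterAdministratorToken,0,Admin Approval Mode for the Built-In Administrator Account
EnableUIADesktopToggle,0,Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop
ConsentPromptBehaviorAdmin,5,Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
ConsentPromptBehaviorUser,3,Behavior of the Elevation Prompt for Standard Users
EnableInstallerDetection,1,Detect Application Installations and Prompt for Elevation
ValidateAdminCodeSignatures,0,Only Elevate Executables That Are Signed and Validated
EnableSecureUIAPaths,1,Only Elevate UIAccess Applications That Are Installed in Secure Locations
EnableLUA,1,Run All Administrators in Admin Approval Mode
PromptOnSecureDesktop,1,Switch to the Secure Desktop When Prompting for Elevation
EnableVirtualization,1,Virtualize File and Registry Write Failures to Per-User Locations
'@ | ConvertFrom-Csv

function Compare-UacBaseline {
    param([hashtable]$Current)            # registry value name -> DWORD data
    foreach ($row in $baseline) {
        $actual = $Current[$row.Value]    # $null when the value is not set
        $state  = 'Default'
        if ($null -eq $actual) { $state = 'NotSet' } elseif ([int]$actual -ne [int]$row.Default) { $state = 'Changed' }
        $note = ''
        if ($row.Value -eq 'EnableLUA' -and $actual -eq 0) { $note = 'UAC disabled; all other UAC settings are ignored' }
        if ($row.Value -eq 'ConsentPromptBehaviorAdmin' -and $actual -eq 0) { $note = 'Administrators elevate without prompting' }
        New-Object PSObject -Property @{ Value = $row.Value; Policy = $row.Policy; Default = $row.Default
                                         Actual = $actual; State = $state; Note = $note }
    }
}

# Constructed sample: the values step 10 produces (not read from a real host).
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1 }
Compare-UacBaseline $sample | Where-Object { $_.State -eq 'Changed' } |
    Format-Table Value, Default, Actual, Note -AutoSize

# Live check of the local computer after the GPO has been applied.
$live  = @{}
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($props) {
    foreach ($row in $baseline) {
        $v = $props.($row.Value)
        if ($null -ne $v) { $live[$row.Value] = $v }
    }
    Compare-UacBaseline $live | Where-Object { $_.State -ne 'Default' } |
        Format-Table Value, Default, Actual, State, Note -AutoSize
}
```

A value reported as NotSet is absent from the registry key, so the operating system's built-in behavior applies for that setting.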