Windows Server 2008 R2 Unleashed (204 page)

27

but on a domain controller (or any server for that matter), this might be risky. For a

small business, allowing for autoinstall and autoreboot might present more of a risk

than having a tech regularly perform a manual update task.

Delegated Administration

Delegating administration to perform Active Directory functions is becoming a very

common task in medium- and large-size organizations. Delegation tasks, such as allowing

the telecom group to update telephone numbers for all Active Directory user accounts or

allowing help desk staff to unlock user accounts and reset user passwords, are simple to

implement using the Active Directory Users and Computers snap-in. To configure delega-

tion of Active Directory objects such as user accounts, security and distribution groups,

and computer objects, this task is not best handled with domain policies. Instead, these

delegation tasks are handled by configuring security permissions at the domain level,

organizational unit level, or on the particular object itself. One way to simplify or clarify

this concept is to remember that if the task will be performed using the Active Directory

Users and Computers snap-in, this is delegated by configuring security permissions on a

container or object. If the task would normally be performed by logging on to a computer

and configuring settings or configuring the profile of a user or group of users, most func-

tions related to this type of task can be performed using domain policies.

1044

CHAPTER 27

Group Policy Management for Network Clients

Group Policy Objects are, in fact, Active Directory objects and delegating Group Policy

administration rights is also performed by configuring security access on Active Directory

containers, such as domains and organizational units. Group Policy management includes

several tasks, which can be delegated in the following configurations:

.
New domain group policy creation—
This is performed by adding the user

account or security group to the domain Group Policy Creator Owners security

group or delegating this right using the Group Policy Management Console (GPMC)

at the Group Policy Objects container. Although delegating this right allows the user

to create new policies, this user or group is not granted the right to edit settings or

modify security on existing GPOs.

.
Edit settings on an existing GPO—
After a GPO is created, the right to edit that

particular GPO can be delegated using the GPMC.

.
Edit settings, modify security, and delete a GPO—
These tasks are delegated

using the GPMC on a single GPO at a time. The Modify security right allows the

designated user to change the security filtering, basically defining which users and

computer objects will apply the policy if these objects are in containers linked to

that particular GPO.

.
Link existing GPOs—
The ability to link GPOs to Active Directory containers is

ptg

performed by editing the security settings on the particular Active Directory site,

domain, or OU. This is known as the Manage Group Policy Links security right.

.
Create and edit WMI filters—
The right to create new WMI filters or have full

control over all WMI filters in a domain can be delegated at the WMI Filters

container using the GPMC. Also, the right to edit or grant full control over an exist-

ing WMI filter can be delegated to a user or group. Delegating the right to edit or to

grant full control does not enable linking WMI filters to GPOs as that requires edit

rights permissions on a particular GPO.

.
Perform GPO modeling using GPMC—
GPO modeling delegation is performed by

editing the security settings on the particular Active Directory site, domain, or OU.

This task allows a designated user the ability to perform dry runs or simulated tests

to determine the results of linking a policy to a particular container or moving a user

or computer object to a different container in Active Directory. This is also known as

the Generate Resultant Set of Policy (Planning) security right. If the user running

GPMC is not running GPMC on the domain controller, the user needs to be added

to the domain’s Distributed COM Users security group to run Group Policy Modeling

from another system.

.
Perform GPO results using GPMC—
This task can be performed on local machines

if the user is a local administrator and the GPMC is installed. It can also be run by

using the GPresult.exe from the command line or by loading the rsop.msc Microsoft

Management Console snap-in. By default, local administrators can run this tool

against all users on a machine. To delegate this right in Active Directory, edit the

security settings on the particular Active Directory domain or OU that contains the

computer and user accounts. This task allows the user to remotely connect to the

Managing Computers with Domain Policies

1045

computer to query the Group Policy logs to generate a historical report of previously

logged Group Policy processing events. This is also known as the Generate Resultant

Set of Policy (Logging) security right. To run this task against a remote computer,

aside from having this right in Active Directory, the user also needs to be a member

of the computer’s local Distributed COM Users security group, or the domain group

if running modeling or results against a domain controller. Additional configuration

might also include possible firewall policy changes on the required computers to

enable the remote administration firewall exception.

Managing Computers with Domain Policies

Managing the configuration and settings of domain servers and workstations can be stan-

dardized using domain group policies. Domain group policies offer the advantage of

taking user error and mistakes out of the loop by pushing out the configuration and secu-

rity of computers from a single or a set of group policies. Of course, with this much

control it is essential that group policies are tested and tested again to verify that the

correct configuration and desired results are achieved with the policies. In the early days

of Active Directory domain based group policies, a few organizations, which will go

unnamed in this book, found themselves locked out of their own computers and Active

Directory domain controllers because of overrestrictive Group Policy security settings and

ptg

application of these settings to all computers and users, including the domain administra-

tors. When this situation occurs, a domain controller can be rebooted into Directory

Services Restore mode and an authoritative restore of Active Directory might be required.

Before domain group policies can be created and managed, the Group Policy Management

Console needs to be installed. Also, if printers will be installed using the Deploy Printer

27

function of Group Policy, the Print Services Tools should also be installed. To install the

GPMC and Print Services Tools, perform the following steps:

1. Log on to a designated administrative system running Windows Server 2008 R2.

2. Open Server Manager from the Administrative Tools menu.

3. After Server Manager loads, click on the Features node in the tree pane.

4. Select Add Features in the right pane.

5. Scroll down and check the box next to Group Policy Management.

6. Expand Remote Server Administration Tools and expand Role Administration Tools.

7. Check the box next to Print and Document Services Tools and click Next.

8. Confirm the selection and click Install to begin the process.

9. After the process completes, click Close to complete the installation.

Creating a New Domain Group Policy Object

To create a new domain Group Policy Object, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy

Management.

1046

CHAPTER 27

Group Policy Management for Network Clients

3. If necessary, expand the forest node, the domains node, and the correct domain.

4. Right-click the Group Policy Objects container, and select New.

5. Type in a name for the new GPO.

6. If the starter GPO functionality in the domain is enabled and if a suitable starter

GPO exists, click the Source Starter GPO drop-down list arrow, and select either

(None) or the desired starter GPO.

7. Click OK to create the GPO. In the tree pane of the Group Policy Management

Console window, expand the Group Policy Objects container to reveal the newly

created GPO.

8. After the GPO is created, it can be edited by right-clicking on the GPO and selecting

Edit.

9. Close the Group Policy Management Console and log off of the server.

Creating and Configuring GPO Links

After a GPO is created and configured, the next step is to link the GPOs to the desired

Active Directory containers. To link an existing GPO to an Active Directory container,

perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.

ptg

2. Click Start, click All Programs, click Administrative Tools, and click on Group Policy

Management.

3. Add the necessary domains or sites to the GPMC as required.

4. Expand the Domains or Sites node to expose the container to which the GPO will be

linked.

5. Right-click the desired site, domain, or organizational unit, and select Link an

Existing GPO.

6. In the Select GPO window, select the desired domain and GPO, and click OK to link it.

Managing User Account Control Settings

Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 contain

a security feature called User Account Control (UAC). UAC was created primarily to reduce

or prevent unauthorized changes to the operating system configuration or file system.

UAC interacts with both nonadministrators and administrators in their desktop environ-

ment and runs almost all applications in Standard User mode. When an administrator,

regular user, or application attempts to perform an action that can result in a system

configuration change or require access to sensitive areas of the operating system or file

system, UAC interrupts the change and prompts for authorization or credentials to vali-

date the change or requested access or elevation desired by the end user.

UAC settings are pretty flexible in allowing applications to run as desired but can require

some tuning on the part of the desktop administrator. Many independent software

vendors have been able to produce applications that can interact with UAC but in some

cases where functionality or usability of a PC is impacted by UAC, some administrators or

Managing Computers with Domain Policies

1047

organizations may decide to disable UAC completely or just certain UAC settings to opti-

mize the user experience. For situations when UAC is causing undesired issues with appli-

cations, if adjusting file security, user rights assignments, or running applications in legacy

XP mode do not work, it might be necessary to adjust or disable User Account Control

settings. The likely candidates are applications that formerly required the end user to be a

member of the local Power Users or Administrators group. UAC settings should not

adversely affect the functionality and operation of standard users. On the contrary, UAC

actually allows standard users to be prompted for credentials to allow elevation of rights

to install software or components that would have failed with previous operating systems

with an Access Denied message. If, for some reason, the end user requires local administra-

tor rights to run a legacy application and all other options have failed, then changing

UAC security settings in a local computer policy or domain group policy object is

required. When UAC security setting changes are required, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. Open the Group Policy Management Console from the Administrative Tools menu.

3. Add the necessary domains to the GPMC as required.

4. Expand the Domains node to reveal the Group Policy Objects container.

5. Either create a new GPO or edit an existing GPO.

ptg

6. After the GPO is opened for editing in the Group Policy Management Editor, expand

the Computer Configuration node, expand the Policies node, select the Windows

Settings node, and expand it.

7. Expand the Security Settings node, expand Local Policies, and select Security Options.

8. In the Settings pane, scroll to the bottom of the pane to locate the UAC settings. The

27

following list displays the default UAC settings in the Local Computer Policy for

Windows Server 2008 R2:

.
Admin Approval Mode for the Built-In Administrator Account—
Disabled

.
Allow UIAccess Applications to Prompt for Elevation Without Using

the Secure Desktop—
Disabled

.
Behavior of the Elevation Prompt for Administrators in Admin

Approval Mode—
Prompt for consent for non-Windows binaries