Chapter 11
Change Control and Policy and Workspace Management
This chapter discusses workspace management and change control services.
What Is Change Control?
During the writing of this chapter, one of our clients almost lost a small fortune in business due to the lack of change control. Our client is a small (only five people) insurance broker. One of the brokers, Dave, writes marine insurance, and on a fine, cool January day in Florida he got the break the company was waiting for: an order for a policy to insure a $10 million yacht. The premium would be a killer.
He returned from the marina shaking and shivering, realizing that he was about to write the policy of his career. The commission would be staggering, and from this many more deals would flow. You get a name for writing big policies like this.
Nothing would stand in his way, nothing but his faithful workstation.
Dave likes to fiddle with his computer. When he is not looking for insurance business, he likes playing around with his desktop settings, fonts, resolution, and more. Dave lives in Control Panel more than in his apartment. We had maintained a "loose" change management policy in this company. In other words, we maintained minimal desktop control because Dave was the only wild card and was considered an advanced user. The company had been our client for several years, and we had never had an issue with users changing anything that could cause a problem.
In This Chapter
✦ Group Policy Overview
✦ Creating Policy and Change Management Plans
✦ Applying Group Policy
On the day that Dave needed to write up his policy, his desktop went berserk. He logged into his workstation as usual, but when he opened the insurance application, the application began to tremble and then the session froze. If you know insurance, you know that if you cannot write the policy, the client will make another call. Dave was getting ready to jump off the jetty with an anchor around his neck.
We jumped in and disabled Dave's account. And because we were deploying the Windows desktop and the agency software applications through Terminal Services, we were able to get Dave back to his policy writing in record time. He admitted that he had changed his font again, and some other "things" that he could not remember. The client learned a lesson and advised that no employee (all four of them) was allowed to tamper with the applications or desktop sessions. But we learned a bigger lesson: change control is as important for our small clients as it is for the big ones. It cannot be ignored anywhere.
Change control on Windows NT and other server environments has been lacking since the invention of client/server. Policy and profile maintenance is possible on Windows NT and Windows 9x desktops, but it is not secure, and users can override settings with little effort. A Windows NT workstation/server environment is more secure, but the means to enforce change control are still lacking.
Windows 2000 and Active Directory change all this with the introduction of Group Policy. Group Policy governs change control policy on many facets of the operating system. These include the following:
✦ Hardware configuration and administration
✦ Client administration and configuration (desktop settings, logon, connection, and more)
✦ Operating system options and policy, such as IntelliMirror and remote OS installation
✦ Application options and policy (such as regional settings, language and accessibility, deployment, and more)
✦ Security options and policy
✦ Network access
We are not going to take you through every detail of creating and managing Group Policy objects, because the Windows 2000 Help system adequately handles that. But we will show you how to take control of the change control issue, apply security policy, and more. Before we get to that, let's discuss the science and philosophy of change control and management.
Understanding Change Management
In our highly complex worlds of information technology and information systems, the only constant is change. The more complex and integrated our IS systems become, the more important it is to have change control. Managing change has thus become one of the most important MIS functions in many organizations. If you do not manage change, the unexpected results of an unmanaged change could render you extinct.
Processes, routines, functions, algorithms, and the like do not exist in vacuums or in some form of digital isolation from the rest of the universe. Just as in life, all processes depend on, or are depended on by, other routines or processes. When you change the way a process behaves, you alter its "event course." In other words, you alter its destiny. Altering the event course of a process is in itself not the problem. Problems arise when processes dependent on a particular course of events are no longer afforded the opportunities they were expecting.

Think about how you feel, and how you are inconvenienced, when a person you were going to meet does not turn up or cancels the engagement unexpectedly. In software and computer systems, such events can have catastrophic results. Dependent processes in turn fail, and their event courses are also altered. When processes begin to crash, an unstoppable domino effect takes place, leading to systems failure and disaster from one end of the system to the other.
Besides the first example, when Dave's job was almost toasted, here are other examples:
✦ The FTP service on a server is turned off. AS/400 connections expecting to find the connection up are not able to transfer route information to a network share. A process that was expecting the information to be in the FTP folder cannot calculate the daily routes for orders that need to go out. The trucks do not arrive, and the orders do not get established. The orders are not shipped. Clients place more than $10 million in business elsewhere.
✦ A software engineer makes a change in source code that reintroduces the Millennium bug into the process pool. Programs begin to collapse because the function receiving the data does not know how to deal with data that appears to be more than a hundred years old.
✦ A user downloads new software from the Internet onto his company's notebook computer. The new software contains a backdoor virus that silently attacks the notebook's anti-virus suite. It inserts a replacement file into the anti-virus software and causes the software to reload the old inoculation data file, which is akin to taking an antibiotic that has expired. When the user connects back to the corporate network, the hostile code moves to the network servers and does the same thing. Once on the servers, the virus shuts down the company systems, and the company almost goes insolvent as a result.
These examples sound far-fetched, but they are not. We have seen all three of them on our networks. Such is the need for change control. In fact, the unit of time in which no change takes place is too small to be studied by humans.
So, we have to control change; we have to manage it in such a way that the effects of change are planned for and that all dependencies are informed and allowed to compensate when change comes. In a nutshell, no change can be allowed to take place without (a) the proposed change being put to a change management board for consideration, and (b) the consequences of the change being fully investigated and the change being deemed necessary. Because change is always inevitable, another factor comes into change control: contingency planning, of which disaster recovery is a part.
In the past, problems caused by unmanaged change affected standalone systems. Because computers were once islands and isolated, the effects of the change were local and confined. When we started to network, change control problems began to affect the global corporate or organizational environment. But the effect was, and still is to a large extent, confined to the corporate or enterprise information network.
However, in the world of e-commerce, change control has become critical, because any change that causes an unplanned-for new course of events will affect the external environment, where system crashes can have catastrophic results and cause untold damages and liability. In the world of Internet banking, for example, a change control disaster can affect many people who have no relationship with the bank besides being its innocent account holders.
In various parts of this book, we have also discussed service level and quality of support. As you know, more and more people are signing service level agreements that guarantee availability of systems all the time. These agreements have to be backed by effective change control management.
The change control or change management board reviews all changes and, based on the board's research, consultation, and findings, a change request is either approved or denied. (In the companies we consult for, all change management approvals have to be signed off by the officer in charge.) But problems arise when you have a fully functional board and compliant team leaders, but no means of enforcing change control policy at all levels of the enterprise.
To figure out how this all comes together, let's look at change control conceptually. The respective parts of change control or change management systems resemble the justice system, or at least the enforcement parts of it. They include the items listed in Table 11-1.
Table 11-1
Change Control

Item: Description/Purpose

Change Control Board: A group of people in an organization responsible for reviewing change requests, determining validity, deciding change of course or procedure, and so forth. This board also determines regulation and enforcement protocol and deploys change management resources.

Change Management: Functions to manage signed-off or approved change or contingency. Change management may include lab tests, sandpit projects, pilot projects, phased implementation, incremental change, performance monitoring, disaster recovery, backup/restore, and so on.

Change Control Policy: Rules, and the formulation thereof, governing change control and management.

Change Control Rules: The enforcement of policy and the methods or techniques by which it is enforced.

Change Control Tools: On Windows 2000 networks, this includes local security policy to protect machines, Group Policy to enforce change policy throughout the forest, security policy throughout, auditing, and so on.

Change Control Stack: The change control "stack," which comprises the various layers that are covered by change control.
To better understand where in the information systems environment change control needs to be enforced, consider the change control stack in Figure 11-1.

At the bottom of the change control stack (CCS) is the hardware (physical) layer. Objects in this layer that you place under change control enforcement are all hardware, computer components, and hardware requirements. The following list provides an idea of what is covered by change control at the hardware or physical layer:
✦ Hardware compliance with the existing infrastructure
✦ Hardware acquisition and determination of hardware needs
✦ Technology deemed necessary or not
✦ Protection and security of storage, and access to media (such as FDDs and CD-ROMs)
✦ Protection of network interface cards
✦ Access to memory and system components
✦ Availability and stability of hardware device drivers
✦ Hardware problem abandonment point (when do you give up trying to fix a part or computer and buy a new one)
✦ Parts replacement (such as the procedure for replacing media, and so on)
✦ Hardware availability (such as RAID, clustering, load balancing, and so on)

Figure 11-1: The change control stack (layers, bottom to top: Hardware Layer, Network, OS and Applications)

Next up is the network layer, which encompasses change control on the data link, network, transport, and session layers of the OSI model.
Note: According to Newton's Telecom Dictionary, the Open Systems Interconnect (OSI) model of the International Standards Organization (www.iso.ch) is the only accepted framework of standards for interconnection for communication between different systems made by different vendors. The OSI model organizes the communications process into a system of layers. OSI has become the foundation model for many frameworks in both software and computer hardware engineering. The OSI model is also referred to as the OSI stack.
The following list includes areas that are targets of change control at the network layer of the CCS:
✦ Security needs (encryption, IPSec, access to routers, circuits, hubs, and so on)
✦ Quality of service
✦ Network bandwidth
✦ Topology
✦ Transport technology (Ethernet, SNA, Token Ring)
✦ Routing, bridging, switching
As we get higher up the CCS, the number of variables begins to increase (there are more opportunities for change, and thus for change control, because we are getting into the area where the user lives). The following list includes areas that are targets of change control at the operating systems and applications layer of the CCS:
✦ Desktop configuration (menus, shortcuts, icons, access to folders, and so on)
✦ Access to information (such as access to the Internet)
✦ Cultural and regional options
✦ Accessibility
✦ Access to software/applications
✦ Access to data

Not only are there more factors or "opportunities" for change control in this top layer, but it is also the most vulnerable of the layers. While certain parts of the operating system and the lower layers provide a barrier to entry due to their complexity, this does not mean that change control there should be any more lax or less important. The more obscure the service, regardless of the layer it resides in, the higher the risk of a skilled attacker doing undetectable and lasting damage. However, it goes without saying that the biggest threat to the stability or health of IT/IS systems comes from users. Most of the time, it is just a case of "curiosity killed his computer" (remember Dave). But users also generate security threats, introduce viruses, download hostile applications (most of the time unwittingly), and so on.
The User
First, the term user rarely refers to a single biological unit. This is why we have security groups, as discussed in Chapter 10. As soon as you define or categorize the levels of user groups that you need to support in your organization, you will be able to apply change management procedures that can be enforced on those groups.
If you are involved in client management, you should make an effort to become a member of the change control team. You should also get to know your users, the type of software and applications they need, and how they work with their computers, treat their computers, and interact with their computers.
There are two main types of user or worker, as discussed in the following list:
✦ Knowledge workers: Your knowledge workers are usually the workers who are applying a particular skill set or knowledge base in their job. These people are your engineers, technical support people, accountants, lawyers, designers, and so on. Knowledge workers usually have a permanent office. These people use their computers for most of the day. Their machines are constantly in use, and losing them would be costly for the company. They can be considered advanced users.
✦ Task-oriented workers: These workers are data entry personnel, receptionists, office assistants (to varying degrees), order takers, and so on. Most of these users would not need more than a terminal and a terminal service account to perform their duties. These users can be considered your basic users.
The two main types of user are further broken down into the following categories (by computer resource used):
✦ Stationary (office) workstation user: This user (usually a knowledge worker) does not need a notebook computer because he or she only needs the machine at work. This machine is usually a small-footprint workstation running Windows 9x, Windows NT Workstation, or Windows 2000 Professional.
✦ Remote workstation user: This worker connects to the network from home or a remote office, over a WAN connection or modem. The user still uses a fixed desktop computer because he or she does not move around.
✦ Notebook/docking station user: This user uses his or her computer at work and at home. The user is usually accommodated with a docking station at home and at the office, which makes it easier to connect to and disconnect from the network.
✦ Multi-user workstation: This computer does not belong to any specific user. Users making use of this resource are usually guests, users that move around from location to location, temp staff, shift staff (such as call center or customer service representatives), and so on.
✦ Mobile computer: This is usually a notebook or laptop computer, sans docking station, that spends most of its life in a carrying case stuffed inside the cubby of a jetliner. Mobile users can either connect to the office from the road (such as from a hotel or conference center) or from branch locations where they will be able to connect to the corporate network.
In each of these cases, you will need to establish workstation and user management policy with respect to each user and computer. Also note that it often makes more sense to further tag your user as being advanced or basic in the literacy level of computer usage. We have had knowledge workers who cause endless problems for the administrators, and basic workers who should be writing software instead of using it.
Create a list or database of these categories, and in each category list a computer name and a user name (pay close attention to these lists, because we will return to them later). For example:
✦ Mobile Computer Users
A second list, next to the first one, will be an advanced user choice list. The user (if policy allows) will be able to choose from a specialized list of software for which he or she must justify deployment. This justification, by the way, is presented to change control or change management for review. A good example is a software engineer who is hired to create a certain application. He or she will then request that a development tool or component be installed or made available to complete the task.
Managing software is a daunting task for anyone. In a small organization, one person can typically be saddled with the job of managing anywhere in the region of 10 to 20 applications. In large companies, the number of software components can run into the thousands. Defining and enforcing policy regarding installation and configuration of applications is thus critical. Why do you have to do this? Consider the following if you allow users to install their own applications:
✦ The application may be unstable and could damage existing systems. For example: During the early beta testing of Windows 2000 Professional, a technical support engineer at one of our clients installed the Release Candidate 3 code on his workstation to check it out. The code corrupted the databases belonging to the help desk and shut down the call center for three days.
✦ Applications may not be legally obtained. If you do not enforce change control policy, your enterprise may be risking lawsuits and criminal charges. You cannot claim ignorance of users using illegal or pirated software. Your boss may face a long prison sentence if your users steal software.
✦ The act of installing the software can introduce viruses and security risks to the network. If the user installs from a source on the Internet, there is the risk that the download may bring with it hostile applications. We have seen backdoor viruses pop out of downloaded zip files and kill a machine in under a minute.
✦ Increased cost of support. Users are likely to run into problems and will come to you for help with an application you likely know nothing about. It is amazing how the network or server administrator is expected to know everything about every application that has ever been invented.
Application Management
Another category, in addition to applications, is application management and configuration. This involves determining and managing the deployment process, local and remote installation, configuring the software, user education, user support, and so on. Windows 2000 provides nifty services to manage deployment and configuration.
Information for Workstation Lockdown
You now have a lot of information with which to determine how best to lock down workstations. Let's recap what you know, or should know, before you learn about Group Policy:
1. You should know what type of user you support.
2. You should know the category of workstation the user uses.
3. You should also know what applications are required and how they are used (usage level). For example: Is the user advanced or basic?
4. You should know the list of applications your classes of users need.
In addition to this list, it is imperative to understand the following information before you can begin to determine how best to lock down a workstation.
1. Have users logged onto their computers as the local administrator? This is common practice on NT workstations because it is not possible to log on as a domain user in an offline state, or if a domain controller cannot be found. If users have access to the local administrator account and the registry, they may circumvent change management policy. Decide which users fall into this category and which may be candidates to obtain a Windows 2000 desktop or session.
2. Do your users install their own unauthorized software on their computers? If you do not have policy to control this malady in an enterprise, you need to formulate this policy as soon as possible.
3. Do your users store data on their own workstations? If they do, you need to plan or devise a strategy to have them move the data to network share points or folder resources published in Active Directory. Understand that the data is at risk in such a practice, because workstations do not typically get backed up, which means data can be lost when a computer crashes or is stolen. In Windows 2000, we talk about folder redirection, which is a way of making sure that a user's documents or data folders reside on the server, where the data is backed up. More about this later.
4. How often do users call with "broken" workstations or desktop configurations? A broken configuration is usually the outcome of a user trying to install his or her own software or hardware on the machine. Another form of broken configuration results from users tampering with the operating system, fiddling with registry settings, Control Panel applets, and so on. The problem stems from users who have a false sense of security because they have a home computer they have mastered. They then eschew policy that strips them of that power at work. However, only your administrators, and only a few at that, or power users who are testing software as part of change management board activity, should have such rights over the enterprise or corporate computer property. The risk of a change causing damage to the workstation or network services is just too high to be up for discussion with users who consider themselves kings of computers.
Windows 2000 Group Policy
The change control tool on Windows 2000 is the Group Policy Editor (GPE). As illustrated in Figure 11-2, this application is an MMC snap-in from which policy can be applied to the security principals of a Windows 2000 network: computers and users, with security groups used to filter which of them a policy reaches. And as discussed earlier, Group Policy can be applied to items such as security management and hardware configuration as well.
Figure 11-2: The Group Policy Editor snap-in
Group Policy is applied by creating an object that contains the properties that extend control over the computer and over the user's access to network and machine resources. This object is known as the Group Policy Object, or GPO. When a security principal is a member of a container that is associated with (linked to) the GPO, that security principal falls under the influence of that GPO. When a container is linked to multiple GPOs, the effects of all GPOs on the linked container are merged; where two GPOs configure the same setting, the one applied later wins. This is illustrated in Figure 11-3.
Figure 11-3: Multiple Group Policy Object policies merge to affect the container.
Sophisticated object-oriented engineering is at work in the GPO application process. The Group Policy architecture is complex, spans hundreds of pages, and is beyond the scope of this book. It is, however, well worth studying if you are an engineer at heart, because such advanced knowledge can only make you a better server or network administrator. You can search for the Group Policy architecture papers on the Microsoft Web site.
Group Policy is not applied directly to an individual security principal (although you can attain such granular control by creating specific OUs), but rather it is applied to collections of security principals. As you are aware, there are three places where security principals gather under one roof on a Windows 2000 network: the site, the domain, and the organizational unit. Because GP applies to all three types of containers, you can refer to this as a GP hierarchy.
Note: Windows 2000 Group Policy is vast and extremely powerful. It will take some getting used to, and you will need to spend a lot of time trying different things, as you will see later. In large companies, the role of managing GP should be assigned to individuals, possibly members of the Change Management Board. Managing GP can easily become a full-time occupation for an administrator. GP will become your main technology with which to manage change, user configuration and desktop settings, workstation lockdown security, software installation, and so on.
GPOs have more than 100 security-related settings and more than 450 registry-based settings, and the GP technology can also be extended or enhanced with certain APIs. Specifically, GP technology provides you with the following functionality:
✦ The GPO is configured and stored in Active Directory, or it can be defined as a local policy object. Standalone computers are secured or locked down with local GPOs. Group Policy beyond the local object, however, depends on Active Directory.
✦ You apply GPOs to users and computers in AD containers (domains, sites, and OUs).
✦ The GPO is secure. You can lock down a GPO just like any other object in Windows 2000 (by now, you should be familiar with the Security tab on the property page of any object).
✦ The GPO can be filtered, or controlled, by membership in security groups. Because a principal outside the filtering groups skips the GPO entirely, this also reduces the policy that member has to process.
✦ The GPO is where the concentration of security power is located on Windows 2000 networks.
✦ The GPO is used to maintain Microsoft Internet Explorer.
✦ The GPO is used to apply logon, logoff, startup, and shutdown scripts.
✦ The GPO is used to maintain software and software installation.
✦ The GPO is used to redirect folders (such as My Documents).
✦ The GPO does not expose the user profile to tampering when policy is changed, as was the case with Windows NT 4.0.
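The two rules just described, that every GPO linked to a principal's site, domain, and OUs is merged with later GPOs overriding earlier ones, and that a GPO can be filtered by security group, can be worked through in a small model. The following is an added example written for this chapter; it is not code from the book or from Microsoft. It assumes the standard Windows 2000 processing order (Local, then Site, then Domain, then OUs from the top of the tree down, with the GPO at the top of a container's link list applied last and therefore winning), and it leaves out the Block Policy Inheritance and No Override options, which alter that order. All GPO, container, group, and setting names are constructed sample data.

```python
"""Resultant-policy model for Windows 2000 Group Policy (added example).

Models two rules: a principal receives every GPO linked to the containers
it sits in, later GPOs overriding earlier ones for any setting they
configure, and a GPO can be filtered by security group. Block Policy
Inheritance and No Override are deliberately not modeled.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    # setting -> value. A setting absent here is "Not Configured" and leaves
    # whatever an earlier GPO decided untouched.
    settings: Dict[str, Any]
    # Security-group filter: None means the default (Authenticated Users),
    # i.e. the GPO applies to everyone in the linked container.
    apply_to: Optional[FrozenSet[str]] = None

    def applies_to(self, groups: FrozenSet[str]) -> bool:
        return self.apply_to is None or bool(self.apply_to & groups)


@dataclass
class Container:
    """A site, domain, or OU. `links` is the GPO list as shown on the
    container's Group Policy tab; index 0 has the highest priority."""
    name: str
    links: List[GPO] = field(default_factory=list)


def resolve(local_gpo: Optional[GPO], scope: List[Container],
            groups: FrozenSet[str]) -> Dict[str, Tuple[Any, str]]:
    """Return {setting: (value, name of the GPO that set it)} for one principal.

    `scope` lists the containers from the outside in: [site, domain,
    parent OU, ..., the OU that directly holds the object]. Processing
    order is Local, Site, Domain, OU (LSDOU); the last writer wins.
    """
    order: List[GPO] = [local_gpo] if local_gpo is not None else []
    for container in scope:
        # Bottom of the link list first, so the top entry is written last.
        order.extend(reversed(container.links))
    result: Dict[str, Tuple[Any, str]] = {}
    for gpo in order:
        if not gpo.applies_to(groups):
            continue  # filtered out by security group
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


# Constructed sample hierarchy: site -> domain -> Agency OU -> Brokers OU.
LOCAL = GPO("Local Computer Policy", {"NoControlPanel": "Disabled"})
SITE = Container("Default-First-Site-Name",
                 [GPO("Site Baseline", {"DisableRegistryTools": "Enabled"})])
DOMAIN = Container("agency.local",
                   [GPO("Default Domain Policy",
                        {"NoControlPanel": "Disabled", "NoRun": "Disabled"})])
AGENCY = Container("OU=Agency",
                   [GPO("Agency Lockdown", {"NoControlPanel": "Enabled"})])
BROKERS = Container("OU=Brokers,OU=Agency", [
    # Top link wins within the OU; it is also filtered to one group.
    GPO("Brokers Override", {"NoControlPanel": "Disabled"},
        apply_to=frozenset({"Advanced Users"})),
    GPO("Brokers Baseline", {"NoControlPanel": "Enabled", "NoRun": "Enabled"}),
])


def advanced_broker_policy() -> Dict[str, Tuple[Any, str]]:
    """An advanced user in the Brokers OU: the filtered override reaches him."""
    return resolve(LOCAL, [SITE, DOMAIN, AGENCY, BROKERS],
                   frozenset({"Domain Users", "Advanced Users"}))


def basic_broker_policy() -> Dict[str, Tuple[Any, str]]:
    """A basic user in the same OU: the override is filtered out."""
    return resolve(LOCAL, [SITE, DOMAIN, AGENCY, BROKERS],
                   frozenset({"Domain Users"}))


if __name__ == "__main__":
    for who, policy in (("advanced user", advanced_broker_policy()),
                        ("basic user", basic_broker_policy())):
        print(who)
        for setting, (value, source) in sorted(policy.items()):
            print(f"  {setting:<22} {value:<9} from {source}")
```

Run it and compare the two users: both sit in the same OU, but only the member of the Advanced Users group gets Control Panel back, because the override GPO is filtered to that group, while the registry-tools lockdown from the site survives all the way down because nothing closer to the user configures that setting. On a real domain, the equivalent check is to read the links on each container in the object's path and the Apply Group Policy permission on each GPO.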
Types of Group Policy
Group Policy has influence over just about every process, application, or service on a Windows 2000 network. Both servers and workstations are influenced by GP; therefore, unless you deploy Windows 2000 Professional, GP will not be pervasive throughout the enterprise. Windows 9x and Windows NT 4.0 workstations do not process Group Policy at all, because the client-side extensions are not present in these legacy desktop operating systems; they remain limited to the older System Policy mechanism.
This means that a network consisting of many different versions of Windows (in some cases, as many as five versions) is also going to be less secure, or at least not as manageable. Obviously, a hard-to-manage or hard-to-control network is going to be a lot more expensive to maintain in the long run. The initial cost of upgrading to Windows 2000 throughout the enterprise will pay off in the long run. In terms of security, such as being able to stave off a hacker thanks to encryption, or being able to save critical data thanks to folder redirection (and there are many more examples), you can not only save a bundle going "native," you may even save the company. The more versions you eliminate, the more secure and more manageable life is going to be for you.
There are many different types of Group Policy "collections." The following list describes the "intent" of these collections (the term "policy collection" is not a Microsoft term as far as we know, but it is useful for describing the policy types).
✦ Application deployment: These policies are used to govern user access to applications. Application deployment or installation is controlled or managed in the following ways:
  • Assignment: GP installs or upgrades applications and software on the client computers. Assignment can also be used to publish an icon or shortcut to an application and to ensure that the shortcut comes back if the user deletes it.
  • Application publication: Applications can be published in Active Directory. These applications are then "advertised" in the list of components that appears when a user clicks the Add/Remove Programs icon in Control Panel.
✦ File deployment: These policies let you place files in certain folders on your users' computers. You can, for example, take aim at the user's My Documents folder and provide him or her with files that he or she needs to complete a project.
✦ Scripting: These policies allow you to select scripts to run at predetermined times. They are especially useful for ensuring that scripts get processed during startup and shutdown, or when a user logs off a machine and a new user logs onto the same machine (refer to the earlier discussion in this chapter on the different types of users). Windows 2000 is able to process VBScript, JScript, and any other script written for the Windows Script Host.
✦ Software: These policies allow you to configure software on user workstations on a global or targeted scale. This is achieved by configuring settings in user profiles, such as the desktop settings, Start menu structure, and the other application menus.
✦ Security: Perhaps no other collection in Windows 2000 is as important as the security policies, given that in current times the next hacker who wipes out the assets could be the kid next door.
Besides being able to eventually reduce the total cost of ownership (through lowering the cost of administration), there is a piece of advice you should consider with respect to Group Policy. It exists not to create problems for users and administrators, but to secure the environment and to enhance the work and user environment. You thus need to be sure that you have the wherewithal to balance the two needs, or you could end up with cold pizza instead of rare sirloin for dinner.

In your endeavors to secure the environment, you will no doubt come across conflicts that violate the tenet to maintain a "user friendly" environment. Going wild on password length is a good example. If you set the password length too long to increase security, users will not only get peeved, they will also start sticking the passwords on their monitors because they are hard to remember. That is not security. If you must have tight security, your choice in such a matter might be to take the security need to management and suggest smart cards or biometrics. Remember that locking down an environment should not lock out the user at the same time.
The environment can be enhanced in many different ways. When users need access to new software, which of the following three methods of delivery is more pleasing or enhancing to the user, from the user's perspective?

1. Waiting hours or days for the administrator to show up at your desk with the new software.
2. Being asked to log on to a network distribution point and install the software yourself.
3. Taking a break while the software mysteriously installs itself onto your machine with seemingly no human intervention.
Enhancing the users' environment also means helping them easily locate applications, intelligently redirecting folders or mapping their folders to resources, and automating processes during the twilight times of the workstation, logoff and logon.
Before you study how Group Policy works, you should at least take some time to get familiar with the technology.
The Elements of Group Policy
A programmatic discussion of the elements is beyond the scope of this book. However, it helps to understand the various elements with which you interact. Several components make up GP from the administrator’s perspective. These components include the following:
✦ The Group Policy Object
✦ Active Directory containers
✦ Group Policy links
✦ The Policy or Group Policy
✦ Explain text
✦ The Group Policy Editor
✦ Computer Configuration and User Configuration nodes
✦ GP Containers and GP Templates
✦ The gpt.ini file
The Group Policy Object
The Group Policy Object, or GPO, is the object that contains Group Policy properties. The GPO is really a container, at the highest level, into which properties or attributes are stored. Policy is conveyed by association with a GPO; that is, its properties “rub off” on a user or computer object contained inside a GP target. GPOs have to be created and named for a particular container before their policies can be used.
Active Directory containers
Active Directory containers are the targets of the GPO. By establishing a link with a GPO, a container falls under the influence of the GPO and its policies. The containers that can be linked to GPOs are sites, domains, and organizational units. But GP can also be associated with a standalone computer, and all computers can be linked to their local GPO.
Group Policy links
GP links are the means by which containers are associated with GPOs. You can research links for a particular domain, as discussed later in this chapter. By “discovering” the links, you can establish which GPO is influencing a particular container and therefore its members (see the section “How Group Policy Works,” later in this chapter).
The Policy
The Policy or Group Policy (GP) is the property of the GPO. The policy is the actual setting that is applied through the association discussed earlier. All GPOs have the same policies; you do not add or remove a policy from a GPO. But policy is activated in several ways. The policy first has to be defined and then possibly enabled or disabled or otherwise activated in the particular GPO. Once it has been enabled or defined, you can then manipulate the settings that comprise the policy.
Figure 11-4 illustrates a policy that needs to be defined before it can be made useful. In the figure, we have chosen to define a policy for the DNS Server. Once the policy has been defined, you can set its startup criteria. In this case, we have defined the DNS Server and set its startup parameter to Automatic. Other policies require you to simply enable or disable the policy, while others require definition, enabling, and then further configuration or setup.
Figure 11-4: Defining a policy
Explain text
The explain text is accessed on the Explain tab of a policy. Not all policies have an Explain tab. Explain text essentially describes what the policy achieves and any instructions as to how to apply the policy, and even circumstances where you shouldn’t apply the policy.
The Group Policy Editor
The Group Policy Editor (GPE) is the MMC snap-in that provides access to the configuration of a GPO. To edit or create a GPO for a container, you first have to load an existing or new GPO into the GPE. The GPE is illustrated in Figure 11-5.
Figure 11-5: The Group Policy Editor
Computer Configuration and User Configuration
A GPO is divided into two nodes. These nodes are known as the Computer Configuration and User Configuration. Each node contains the policies for the respective security principal. You can apply policy to either of the nodes for any GPO.
Where GPOs Live
All GPOs store their information in two locations: the GP Container (GPC) and a GP Template (GPT). These objects are identified by a globally unique identifier (GUID), which keeps the objects in the two locations synchronized. When a GPO is born, information associated with it is transferred to the two locations.
For the GPT, the OS creates a folder for its use in the Sysvol structure in the systemroot. The actual folder name of the GPT is its GUID. A typical GPT folder looks like this:
systemroot\SYSVOL\sysvol\genesis.mcity.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
The GPC lives in the Active Directory. It builds itself a hierarchy of containers in the space it is given in the directory in which to store computer and user configuration information.
The GPC deals with the version (used for synchronization), status (enabled/disabled), and the settings of extensions, along with any policy settings defined by extensions. The SYSVOL side of the GPO holds a list of client-side extensions, User Configuration state, Computer Configuration state (registry.pol), and registry settings that derive from administrative templates.
As a general rule, policy data that is small and seldom changes is stored in the GPC, while data that is large and changes often is stored in the GPT.
GPT structure
The default contents of the GPT structure are security related, but as you configure the user and machine environment, the GPT structure will begin to fill up with folders and information related to a broad range of GP and change management information.
Table 11-2 lists some of the folders and information that find their way into the GPT structure.
Table 11-2
Folder                                   Purpose
[folder name not recovered]              ...that relates to machine registry settings.
[folder name not recovered]              ...the Microsoft Windows Installer.
\MACHINE\DOCUMENTS & SETTINGS            This holds files that are used to configure a user’s desktop when he/she logs on to this computer.
\MACHINE\MICROSOFT\WINDOWSNT\SECEDIT     This holds the GPTTMPL.INI Security Editor file.
[folder name not recovered]              ...shutdown folders.
[folder name not recovered]              ...related to startup scripting.
[folder name not recovered]              ...related to shutdown scripting.
[folder name not recovered]              ...that relates to user registry settings.
[folder name not recovered]              ...the Microsoft Windows Installer.
\USER\DOCUMENTS & SETTINGS               This holds files that are used to configure a user’s desktop.
[folder name not recovered]              ...scripts.
[folder name not recovered]              ...related to logon scripting.
[folder name not recovered]              ...related to logoff scripting.
The GPT.INI file
In the root folder of each GPT, you will also find a file called gpt.ini. There are two important entries in this file that are related to local GPOs:
1. Version=x. This entry is the version number of the GPO, and x is the placeholder for a number placed by a version counter function. Typically, the version number is zero-based, and each time that you modify the GPO this counter is incremented by 1.
2. Disabled=y. This entry refers to the local GPO and tells the dependent functions if the local GPO is disabled or not. If you disable the GPO, the value placed here is 0, and when you enable it, the value is changed to 1.
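As an added example that is not from the book, the following Python script ties together the GPT path layout shown under “Where GPOs Live” and the gpt.ini Version entry described above: it builds a GPO’s GPT path from its GUID, parses gpt.ini, and flags a GPO whose GPC version and GPT version disagree, which is how you spot replication lag or direct edits to the SYSVOL side. The gpt.ini text, domain and GPC version number are constructed sample data, and the split of Version into a computer half and a user half is standard GPO behaviour that the chapter does not spell out.

```python
"""Added example (not from the book): check that a GPO's two halves agree.

A GPO lives in the GPC (Active Directory) and in the GPT folder under SYSVOL
named by its GUID. Both carry a version counter; if the GPC's versionNumber
and the GPT's gpt.ini Version differ, the halves are out of sync (replication
lag, or someone editing the SYSVOL side directly). Inputs are constructed."""
import configparser
import re

# A GPO GUID in the form the chapter shows: {8-4-4-4-12 hex digits}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def gpt_path(systemroot: str, domain: str, guid: str) -> str:
    r"""GPT folder per the chapter: systemroot\SYSVOL\sysvol\<domain>\Policies\{GUID}."""
    if not GUID_RE.match(guid):
        raise ValueError(f"not a GPO GUID: {guid!r}")
    return "\\".join([systemroot, "SYSVOL", "sysvol", domain, "Policies", guid])

def parse_gpt_ini(text: str) -> dict[str, str]:
    """Parse gpt.ini, a plain INI file whose entries sit in a [General] section."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case (Version, displayName)
    cp.read_string(text)
    return dict(cp["General"])

def split_version(version: int) -> dict[str, int]:
    """Version packs two 16-bit counters: low word = Computer Configuration,
    high word = User Configuration (standard GPO behaviour, not in the chapter)."""
    return {"computer": version & 0xFFFF, "user": (version >> 16) & 0xFFFF}

def check_sync(gpt_ini_text: str, gpc_version: int) -> dict[str, object]:
    """Compare the GPT's Version entry with the GPC's versionNumber attribute."""
    gpt_version = int(parse_gpt_ini(gpt_ini_text)["Version"])
    return {"gpt": split_version(gpt_version),
            "gpc": split_version(gpc_version),
            "in_sync": gpt_version == gpc_version}

# Constructed gpt.ini: computer side edited three times, user side once.
SAMPLE_GPT_INI = "[General]\nVersion=65539\ndisplayName=Sample Policy\n"

if __name__ == "__main__":
    print(gpt_path(r"C:\Windows", "genesis.mcity.org",
                   "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
    print(check_sync(SAMPLE_GPT_INI, 65539))  # in_sync True
    print(check_sync(SAMPLE_GPT_INI, 65538))  # GPC one computer edit behind
```

In a real domain the GPC version comes from the GPO object’s versionNumber attribute in Active Directory and the gpt.ini text from the SYSVOL folder the path function names.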