
Windows Server 2003 Best Practices for Enterprise Deployments, part 6 (potx)




Contents

11. Close the GPE when done. You can also close the PCs OU Property dialog box since no other action needs to be performed on the GPO. (For example, No Override is not required since T&T will not delegate GPO creation to other users.)

12. Repeat this process for each GPO you need to create. This includes the Global Desktop GPO, the Global Mobile GPO (for EFS mostly), the Global External GPO, and the Global Kiosk GPO (for more security and to enable Loopback).

13. Move to the PCs/External/Unmanaged OU. Right-click on this OU and select Properties. Move to the Group Policy tab and click the Block Policy inheritance checkbox. T&T has decided to leave all external unmanaged systems without any significant GPO assignment.

Two more tasks are required to complete the PCs OU setup: delegating authority and creating software category groups. Both are relatively simple. T&T has decided that the only tasks they will delegate to technicians are the ability to modify group memberships for PCs and the ability to manage PC location information. The latter is tied to the WS03 Printer Location Tracking Service, which links the nearest printer to users' PCs. More on this subject is covered in Chapter 7. The former will ensure that they will be able to modify a PC's vocation when it is reassigned to a new user. Once again, this is done in AD Users and Computers.

1. The first thing you need to do is create a group to which you can delegate authority. It doesn't matter if you don't know who will be in this group yet; all you need is the group with the proper delegation rights. You can assign members to the group later. Since Windows Server 2003 uses Domain Local Groups for rights assignments (more in Chapter 6), you will create a Domain Local group called PC Technicians (Local).
Chapter 5: Building the PC Organizational Unit Infrastructure (Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x)

To do so, right-click on the Users object in the directory and select New | Group. Click the Domain Local radio button, make sure that Security Group is selected, and type in the group name. The down-level (or pre-Windows 2000) group name is L_PC_Technicians. This is not really required since there are no down-level systems in the parallel network, but it pays to be structured anyway. Click OK to create the group.

2. Right-click on the PCs OU (top-level) and select Delegate Control from the context menu.

3. Follow the steps provided by the wizard. Add the PC Technicians (Local) group, and then click Next.

4. Delegate a Custom task and then click Next.

5. In the Active Directory Object Type window, select Only the following objects in this folder. Click the Computer Objects checkbox, and then click Next.

6. Uncheck General and check Property-specific. Then scroll down the list to check appropriate values. The technicians require the right to read most object properties and the right to write PC location information, plus the ability to change which groups a PC belongs to. Use your judgment to apply appropriate rights. For example, it will be useful for technicians to be able to write descriptions for computers that change vocation, but it will not be a good idea to let them change the computer name. Make a note of each security property you assign. One caveat: group membership is stored on the group object, in its member attribute, not on the computer object. A computer's memberOf value is a read-only back-link, so a write permission granted on computer objects does not let anyone add a PC to a group. To let technicians move PCs between software category groups, you must also delegate Write Property on member for those groups (or for the container that holds them).

7. Click Next when done. Click Finish once you have reviewed the wizard's task list.

Delegation is now complete, but you still need to create a delegation console for the technicians.
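The delegation just described, scripted as an added example that is not part of the book: it creates the Domain Local group and writes the same kind of inherit-only ACEs the Delegation of Control wizard produces, using the ActiveDirectory PowerShell module (which postdates WS03; on a 2003-era server the equivalent tool is dsacls.exe). The domain name tandt.corp, the OU path OU=PCs at the domain root, and the choice of description and location as the writable computer attributes are assumptions; the chapter only says "use your judgment". The example grants read on all computer properties as a simplification of the wizard's per-property read checkboxes, and adds the Write Property on member for group objects that the wizard step above cannot express for computer objects.

```powershell
# Added example (not from the book). Assumes domain tandt.corp, OU=PCs at the domain
# root, and the RSAT ActiveDirectory module. Run as an account allowed to change the
# security descriptor of the PCs OU (Domain Admins in the chapter's scenario).
Import-Module ActiveDirectory

$domainDN  = 'DC=tandt,DC=corp'                 # assumed
$ouDN      = "OU=PCs,$domainDN"                 # top-level PCs OU from the chapter
$groupName = 'PC Technicians (Local)'
$groupSam  = 'L_PC_Technicians'                 # down-level name from the chapter

# 1. Domain Local security group in the Users container (idempotent).
$grp = Get-ADGroup -Filter "sAMAccountName -eq '$groupSam'"
if (-not $grp) {
    $grp = New-ADGroup -Name $groupName -SamAccountName $groupSam `
        -GroupScope DomainLocal -GroupCategory Security -Path "CN=Users,$domainDN" `
        -Description 'Delegated: PC description/location and software category membership' `
        -PassThru
}
$sid = $grp.SID

# 2. Resolve schema GUIDs by lDAPDisplayName instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}
$computerClass = Get-SchemaGuid 'computer'
$groupClass    = Get-SchemaGuid 'group'

# 3. Build the ACEs. Inheritance = Descendents with an inherited-object-type GUID is
#    what "Only the following objects in this folder: Computer objects" means.
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

$aces = @()
# Read every property of descendant computer objects (empty GUID = all properties).
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::ReadProperty, $Allow, [Guid]::Empty, $Inherit, $computerClass)
# Write only description and location on descendant computers; name is deliberately
# left out, as the chapter advises.
foreach ($attr in 'description', 'location') {
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::WriteProperty, $Allow, (Get-SchemaGuid $attr), $Inherit, $computerClass)
}
# Membership is stored on the group's member attribute, so grant WriteProperty on
# member for descendant group objects (the software category groups live in this OU).
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::WriteProperty, $Allow, (Get-SchemaGuid 'member'), $Inherit, $groupClass)

# 4. Apply to the OU, then read the descriptor back and show what landed.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The final listing is the "make a note of each security property you assign" step in machine-readable form; ObjectType shows the attribute GUID and InheritedObjectType the class GUID, which is what to record in the delegation plan. Because the ACEs are inherit-only, they take effect on computers and groups created later in the OU as well, which is the point of preparing the OU before PCs are integrated.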
Use the instructions outlined earlier in "Creating Custom Microsoft Management Consoles" for console creation and be sure that you set the focus for the console on the PCs OU. Store the console in the PCs OU as well. Finally, use Terminal Services to distribute the console to technicians.

The final activity for the PCs OU strategy is the creation of Global Security groups that correspond to the software categories in your organization. You can have several of these, but most organizations try to keep them to a bare minimum. If you have designed your PC kernel properly, you should be able to satisfy a very large clientele with it: all generic or common users, in fact. Then your software categories include only the systems that require additional software. This software should be grouped by common need. One organization with more than 3,000 users, for example, uses only nine software categories over and above the kernel. Another with 12,500 users has 15 categories, mostly because they are distributed worldwide and special software products are required in different geographic regions.

The first thing you need to do is create the groups. It doesn't matter if you don't know which machines will be in a group yet; all you need is the group itself. You can assign members to the group later. If you are using SMS 2.0, you'll need to create Global Security groups. To create your software category groups, use the following procedure:

1. Right-click on the PCs OU object in the directory and select New | Group.
Make sure the Global radio button is selected, determine if you need a Security or a Distribution group, and then type in the group name. Use significant names for both the actual name and the down-level group name. Remember that down-level names are usually linked together (with underscores, for example) since down-level systems do not like names with spaces. Click OK to create the group.

2. Repeat as many times as required.

Your PCs OU structure is now in place. Machine groups have been created directly in the PCs OU so that they are managed, and delegated, alongside the machine objects they control. Note that Group Policy itself applies only to the user and computer objects in an OU, never to group objects, so where a group lives does not change which policies its member PCs receive; what matters is the OU that contains the computer object, and any security filtering applied to the GPO. You will also need to complete your software distribution strategy within SMS. Now the only thing you need to do is ensure that machines are placed within the appropriate OU and the appropriate software category group when you integrate them into the parallel network. Preparing the OU structure before integrating new machines into the network also ensures that they will be managed as soon as they join the network. Mistakes are minimized when you use this procedure because everything is ready before PCs are integrated into the network. Chapter 7 will identify how you can coordinate this OU strategy with the use of RIS to install PCs. You can also script the addition of PC names into your directory before installing the actual machines. Next, you'll begin to look at how you can use this same approach to prepare for users within your enterprise network.

Using the Group Policy Management Console

Microsoft has released the Group Policy Management Console (GPMC) as an add-on to WS03. This console can be downloaded from the Microsoft Windows Server 2003 Web site (http://www.microsoft.com/windowsserver2003/). The best feature of the GPMC is that it provides a single, integrated interface for the management of all GPO activities within the enterprise. As mentioned earlier, it is not as complete as commercial consoles, but for a free add-on, it provides a lot more functionality than the traditional GPO management approach.
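The GPO work done earlier in this chapter through the Group Policy tab and the GPE (creating the four Global GPOs, linking them without No Override, enabling Loopback for kiosks, and blocking inheritance on PCs/External/Unmanaged), redone with the GroupPolicy PowerShell module that later versions of the GPMC install. This is an added example, not the book's own procedure or code. The domain tandt.corp and the OU names Desktops, Mobile, External, Unmanaged and Kiosk under OU=PCs are assumptions; the GPO names are the ones the chapter uses.

```powershell
# Added example (not from the book). Assumes domain tandt.corp and the OU layout below;
# requires the GroupPolicy module (installed with GPMC / RSAT) and rights to create and
# link GPOs in the domain.
Import-Module GroupPolicy

$root = 'OU=PCs,DC=tandt,DC=corp'                                # assumed
$plan = @{                                                        # GPO name -> link target
    'Global Desktop GPO'  = "OU=Desktops,$root"
    'Global Mobile GPO'   = "OU=Mobile,$root"
    'Global External GPO' = "OU=External,$root"
    'Global Kiosk GPO'    = "OU=Kiosk,$root"
}

foreach ($name in $plan.Keys) {
    $target = $plan[$name]
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name -Comment 'PCs OU strategy, see delegation plan' }

    # Link only if not already linked. Enforced is the GPMC name for No Override; the
    # chapter does not need it because GPO creation is not delegated.
    $existing = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $existing) {
        New-GPLink -Name $name -Target $target -LinkEnabled Yes -Enforced No | Out-Null
    }
}

# Kiosk GPO: Loopback processing in Replace mode, so the kiosk's user settings apply no
# matter which account logs on. UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name 'Global Kiosk GPO' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 13: Block Policy inheritance on PCs/External/Unmanaged.
Set-GPInheritance -Target "OU=Unmanaged,OU=External,$root" -IsBlocked Yes | Out-Null

# Check: what actually reaches the kiosk OU and the unmanaged OU, and in what order.
# An Enforced link higher up still appears here even when inheritance is blocked, which
# is why the chapter tells you to keep both settings to a minimum.
foreach ($ou in "OU=Kiosk,$root", "OU=Unmanaged,OU=External,$root") {
    $inh = Get-GPInheritance -Target $ou
    "{0}: inheritance blocked = {1}" -f $ou, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}
```

The final loop is the check worth running after any OU or GPO change: InheritedGpoLinks is the processing order the client will use, and an unexpected Enforced entry on the unmanaged OU means someone set No Override above it, which defeats the Block Policy inheritance decision made for T&T in step 13.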
The GPMC is a Windows Installer file that can be installed either on WS03 or Windows XP. If you install it on a server, you can use it through Terminal Services (this is the recommended approach). Once installed, the traditional GPO management method will no longer be available. The GPOs created in this chapter are illustrated in Figure 5-12. As you can see, the GPMC allows you to configure everything in a much simpler and more straightforward manner.

NOTE The traditional approach to GPO management has been used throughout this chapter because it is important for you to understand how to manage GPOs without the GPMC. But from now on, all GPO-related activities will be managed through the GPMC.

Figure 5-12 Using the GPMC to manage PC GPOs

Best Practice Summary

This chapter recommends the following best practices:

• Segregate by object type at the first OU level. This makes it easier to manage objects.
• Do not move domain controllers from their default OU.
• Integrate your PCs OU strategy with your GPO, delegation, and software management strategies.
• Minimize the use of the No Override and Block Policy Inheritance settings because they complicate the use of policies.
• Always document all of the GPOs you create and make sure your entire GPO/OU solution is completely documented.
• Use a standard naming strategy for all GPOs and maintain a complete GPO registry.
• Keep to the GPO KISS (Keep It Simple, Stupid) rule. Don't complicate matters if you can help it. For example, apply general settings at the top of the GPO application hierarchy, and then refine them further at each lower level.
• Adjust the default GPOs in the forest root domain before creating any of the child domains.
• Try to avoid linking policies between domains.
• Set local GPOs once and stabilize them. Since they are distributed (on each computer system), you'll want to modify them as little as possible.
• Modify GPOs to always refresh, but do not disable Fast Logon Optimization. This ensures that security settings are always applied but that logon speed is not impacted.
• Turn to GPO filtering if you find your OU design becomes too complex because of your GPO application strategy.
• Always make sure your kiosk PCs are highly secure.
• If you use the Loopback setting, make sure you create a special GPO and link it to a special OU that will be used to store the PCs the GPO applies to.
• Be thorough when you create your Delegation Plan.
• Make sure you assign the delegation manager role in your organization.
• Support your delegation strategy with appropriate custom MMCs.
• Custom consoles are an important part of a WS03 delegation strategy. Make sure your consoles are secure and well documented.
• Custom MMCs should be deployed through Terminal Services to maintain central control of all custom consoles.
• Integrate your software management system with your Active Directory and use AD as the source of enterprise software delivery.
• Manage software lifecycles by integrating all application installs with the Windows Installer service.
• To use the self-healing capabilities of Windows Installer, you must maintain a permanent software installation depot.
• Ensure the machines are placed within the appropriate OU and the appropriate software category group when they are integrated into the parallel network.
• Assign PCs to primary users and use Remote Desktop to give them access to their software when they are away from their PC.
• Use the GPMC to manage all GPOs within the enterprise.

Chapter Roadmap

Use the illustration in Figure 5-13 to review the contents of this chapter.

Figure 5-13 Chapter Roadmap

CHAPTER 6
Preparing the User Organizational Unit Infrastructure

IN THIS CHAPTER
Managing User Objects with Active Directory 245
Managing and Administering Groups 257
Creating an OU Design for User Management Purposes 266
Completing the People OU Structure 279
Best Practice Summary 282
Chapter Roadmap 283

Chapter 5 outlined how to prepare your management environment for PC objects. This chapter continues the Parallel Network Implementation Process by helping you identify how to create a user management environment within the Active Directory. When this infrastructure is in place, you will be able to migrate users from your existing network into the new parallel environment.

Three activities are required for the creation of a user organizational unit infrastructure:

• The User and Group Management Strategy
• The User Delegation Strategy
• The User Group Policy Management Strategy

The first forms the core of traditional user management strategies. The second identifies how your organization plans to use the decentralized management features of Windows Server 2003 to provide relief to central management and administration groups, and assign administrative activities where responsibility centers are located. The third activity is very similar to the same activity in Chapter 5. This time, though, you will focus on the user portion of Group Policy objects. Once these strategies are defined and in place, they'll form the basis of the different strategies you can use to massively migrate users from your existing network to the parallel environment.

Managing User Objects with Active Directory

User objects are special objects within the directory. After all, if it wasn't for users, there wouldn't be much need for enterprise networks. In traditional networks such as Windows NT, User objects are mostly managed through the groups they belong to. Groups are also present in Active Directory.
In fact, it is essential to have a comprehensive group management strategy within your WS03 network if you want to be able to administer user-related events within it. But group management is not the only requirement anymore. Like computers, users are also affected by Group Policy. The GPO strategy you design for users will complement the group strategy you intend to use. In addition, you will need to consider how and to whom you will delegate some administrative tasks, since user management is by far the heaviest workload in the directory. Each of these strategies serves as the input for the design of your User Organizational Unit infrastructure.

As outlined in Chapter 3, a User object can only be contained within a single OU. Chapter 5 illustrated how the location of this OU could affect the User object through the hierarchical application of Group Policy objects. It also illustrated how GPOs can be filtered through the use of security groups. Though the user account can only be within a single OU, it can be included within a multitude of groups. Thus, OUs are usually seen as a means to provide vertical user management while groups provide horizontal management. This cross-management structure is illustrated in Figure 6-1. This element will have a direct impact on the way you design your User Object Management Strategy.

The Active Directory User Object

The Windows Server 2003 User object is much the same as its Windows 2000 counterpart, but quite different from its Windows NT counterpart. This is because of the nature of a directory service.
One of the basic functions of a directory service is to store information in order to make it available to users, administrators, and even applications. While the Windows NT User object basically stored the user's name, password, and account particularities, the WS03 User object can store more than 200 properties. Many of these are generated automatically. Nevertheless, there are almost 100 properties that can be set interactively for each user. This means that you must determine which properties you will manage and who will be responsible for each of these properties within your network.

Figure 6-1 The cross-management relationship of OUs and groups

[...]

[...] as they migrate from Windows NT to Windows Server 2003, they need to perform an extensive group rationalization: they need to inventory all groups, find out who is responsible for the group, find out the group's purpose, and find out if it is still necessary. If answers cannot be found for these questions, then the group is a good candidate for rationalization and elimination. The best way to avoid this type of [...]

[...] Table 6-3 details the user portion of a GPO and applicable settings for the enterprise network.

GPO Section | Comment | Applicable
Software Settings | This section deals with software installations. If you want to assign a software product to a user instead of a computer using Windows Server 2003 software delivery, you set the parameters here. | No, see Chapter 5
Windows Settings | This section deals with general Windows [...] | [...]
[...] | [...] as Windows Components, Start Menu and Taskbar, Desktop, Control Panel, Shared Folders, Network, and System | Yes
Windows Components | Controls settings such as NetMeeting (for remote assistance), Internet Explorer behavior, Help and Support Center, Windows Explorer, Microsoft Management Console, Task Scheduler, Terminal Services, Windows Installer behavior, Windows Messenger, Windows Update, and Windows [...] | Yes

[...] understand how default groups have been defined within the directory.

QUICK TIP One of the best ways to become familiar with default groups in WS03 is to use the default group information table located on the companion Web site at http://www.Reso-Net.com/WindowsServer/

Figure 6-3 Group scopes within a forest

[...] the very first versions of Windows NT and are supported in Windows Server 2003. There are some significant differences, though. To create a template account, you use the standard user account creation process, but you assign different properties to the account. For one thing, the template account must always be disabled. It is not designed for regular use; it is designed to be the basis for the creation of other [...]

[...] know who is responsible for the group at all times. Filling out these fields is essential in an enterprise network group management strategy.

QUICK TIP Microsoft provides excellent reference information on this topic at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/maintain/adusers.asp

WS03 Group Types and Group Scopes

Windows Server 2003 boasts two main [...]
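The group rationalization questions above (who is responsible, what is the purpose, is it still needed) and the "fill out the responsibility fields" advice, turned into a read-only inventory pass. This is an added example, not from the book. It uses the ActiveDirectory PowerShell module (not available on WS03 itself; the same attributes can be queried with ldifde or adfind) and assumes the domain is reachable with a reader account. Default groups in CN=Users have no manager recorded and will be listed; that is expected and ties in with the chapter's advice to understand the default groups before touching them.

```powershell
# Added example (not from the book): flag groups that fail the rationalization questions.
# Read-only. Requires the ActiveDirectory module and permission to read group attributes.
Import-Module ActiveDirectory

$report = Get-ADGroup -Filter * -Properties managedBy, description, member, whenChanged |
    Where-Object { $_.DistinguishedName -notlike '*,CN=Builtin,*' } |   # skip Builtin container
    ForEach-Object {
        $g = $_
        $owner = $null
        if ($g.managedBy) {
            # managedBy is a DN; it can point to a user, a group or a contact, or at nothing
            # if the object was deleted without updating the group.
            $owner = Get-ADObject -Identity $g.managedBy -Properties userAccountControl `
                -ErrorAction SilentlyContinue
        }
        $ownerDisabled = $owner -and $owner.ObjectClass -eq 'user' -and
                         (($owner.userAccountControl -band 2) -ne 0)   # ACCOUNTDISABLE bit

        $issues = @()
        if (-not $g.managedBy)          { $issues += 'no responsible person (managedBy empty)' }
        elseif (-not $owner)            { $issues += 'managedBy points at a missing object' }
        elseif ($ownerDisabled)         { $issues += 'manager account is disabled' }
        if (-not $g.description)        { $issues += 'no description (purpose unknown)' }
        if (@($g.member).Count -eq 0)   { $issues += 'empty' }

        [pscustomobject]@{
            Name        = $g.Name
            Scope       = $g.GroupScope
            Category    = $g.GroupCategory
            Members     = @($g.member).Count
            ManagedBy   = $(if ($owner) { $owner.Name } else { $g.managedBy })
            LastChanged = $g.whenChanged
            Issues      = ($issues -join '; ')
        }
    }

# Candidates for rationalization: any group with at least one unanswered question.
$report | Where-Object { $_.Issues } | Sort-Object Members, Name |
    Format-Table Name, Scope, Category, Members, ManagedBy, LastChanged, Issues -AutoSize

# Once an owner and purpose are known, record them where the next audit will find them.
# (Example values; 'Software-CAD' and 'jsmith' are placeholders.)
# Set-ADGroup -Identity 'Software-CAD' -ManagedBy 'jsmith' `
#     -Description 'CAD workstations software category; owner: Engineering IT'
```

Sorting by member count first puts empty groups at the top, which are the cheapest to eliminate and also the ones most often used as hiding places for later privilege grants. The disabled-manager check matters because a group whose only recorded owner has left the company is, for rationalization purposes, as ownerless as one with no managedBy at all.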
[...] account's properties. Retained properties are outlined in Table 6-1.

QUICK TIP For profile path and home folder names to be modified, the setting used to create the template account's profile path and home folder must be performed with the %username% variable (that is, using a UNC plus the variable, for example: \\server\sharename\%username%).

Best Practices for Group Management/Creation

Group management practices can become quite complex. This is why a group management strategy is essential to the operation of an enterprise network. This strategy begins with best practice rules and guidelines. It is complemented by a strategic use of Global groups or [...]

[...] maintain strict records that help you track when the user name for a SID was modified, you will not be able to know who owned that SID before the current user. Worse, you won't know when the current user became owner of the SID. This could cause problems for the user, especially if the former owner performed some less than honest actions before leaving. Once again, strict record-keeping is an important [...]

[...] capabilities of WS03 and Internet Information Server), validate that the information they enter is in the appropriate format, and automatically update the directory when completed. Such a Web page can easily be designed using the Active Directory Services Interface (ADSI) and simple content validation rules to ensure that all values are entered in a standard format. Figure 6-2 displays an example of such [...]

Figure 6-2 [...]
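The template-account procedure and the %username% quick tip above, as an added example that is not the book's own: a disabled template whose profile path and home folder carry the %username% variable, and a function that derives a working account from it with New-ADUser -Instance. The domain tandt.corp, the OU=People container, the file server FS01 with Profiles$ and Home$ shares, and the list of retained attributes are all assumptions (the chapter's Table 6-1 defines the real list, which is not reproduced on this page). One behaviour to know about: the ADUC Copy dialog expands %username% for you, but New-ADUser -Instance copies attribute values literally, so the function substitutes the variable itself.

```powershell
# Added example (not from the book). Placeholders: domain tandt.corp, OU=People,
# server FS01, shares Profiles$ and Home$. Requires the ActiveDirectory module and
# account-creation rights in the target OU.
Import-Module ActiveDirectory

$domain  = 'tandt.corp'
$ou      = 'OU=People,DC=tandt,DC=corp'
$profile = '\\FS01\Profiles$\%username%'      # %username% kept literally in the template
$home    = '\\FS01\Home$\%username%'

# Template: always disabled, never used to log on. A password is still mandatory, so
# set a random one nobody knows.
$junk = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
New-ADUser -Name '_Template Standard User' -SamAccountName 'tmpl_std' -Path $ou `
    -Enabled $false -AccountPassword $junk `
    -ProfilePath $profile -HomeDirectory $home -HomeDrive 'H:' -ScriptPath 'logon.vbs' `
    -Department 'Standard users' -Company 'T&T' -City 'Montreal' `
    -Description 'TEMPLATE - do not enable'

# Attributes carried over from the template (assumed list; align it with Table 6-1).
$retained = 'Department', 'Company', 'City', 'Office',
            'ProfilePath', 'HomeDirectory', 'HomeDrive', 'ScriptPath'

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    $tmpl = Get-ADUser -Identity $TemplateSam -Properties $retained
    if ($tmpl.Enabled) { throw "'$TemplateSam' is enabled; a template account must stay disabled" }

    # -Instance copies the literal value, so expand %username% here, per attribute.
    foreach ($p in 'ProfilePath', 'HomeDirectory') {
        if ($tmpl.$p) { $tmpl.$p = $tmpl.$p -replace '%username%', $SamAccountName }
    }

    $new = New-ADUser -Instance $tmpl -Name $Name -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$domain" -Path $ou `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true -PassThru

    # Group memberships are not attributes of the user object, so copy them explicitly.
    Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $new }

    Get-ADUser -Identity $new -Properties ProfilePath, HomeDirectory, MemberOf
}

# Usage (interactive password prompt):
# New-UserFromTemplate -TemplateSam tmpl_std -SamAccountName jsmith -Name 'Jane Smith' `
#     -Password (Read-Host -AsSecureString 'Initial password')
```

The function returns the new account with its profile path and home directory resolved, so the result of the %username% substitution can be checked before the user first logs on. The guard on the template's Enabled flag enforces the chapter's rule that a template is never a usable account; if someone enables it for a quick test, account creation from it stops until that is undone.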

Posted: 14/08/2014, 01:20
