
6 Integrating Windows 7 with Active Directory
Section Topics
DNS Overview
Windows Server 2008 R2 Active Directory
Joining an Active Directory Domain
Using Active Directory Tools Remotely
Implementing Group Policy

Administering and Maintaining Windows 7    6-1    Global Knowledge Training LLC


Section Objectives

After completing this section, you will be able to:

Describe at a high level the DNS service for Windows Server


Define Windows Server 2008 R2 Active Directory
Explain how to join an Active Directory domain
Identify the tool used to configure the Windows 7 local security policy
List the Windows 7 Active Directory tools used to remotely administer Active
Directory
Explain the purpose of Windows 7 ADMX templates
List the Windows 7 Group Policy settings
Explain how to configure the Windows 7 Group Policy settings

Section Overview
The business environment is constantly changing. The operating systems that run smoothly are the
ones that can efficiently and securely operate under some of the most hostile and volatile
conditions. The client operating systems installed within large enterprise networks must be
manageable, both remotely and centrally. Windows Server products and Windows 7 client
operating systems can do this for you. This section introduces the server-side technologies
available with Windows Server 2008 R2 and the enterprise abilities of Windows 7. This
information helps you understand what you can do in your own network to make your job easier
and your data more available and secure.


DNS Overview

Figure 158: DNS Overview

DNS is one of the most important services in an Active Directory environment. The Domain Name
System (DNS) translates user-friendly names into the numerical IP addresses associated with them,
so nobody has to remember the address of every system in the environment. This matters even more
on the Internet, where there are billions of addresses and name resolution relies entirely on DNS;
DNS is therefore also required for any communication with the outside world.
The tight integration of DNS into Active Directory as its naming standard has enormous advantages.
Needing only one name resolution service for both internal and external names greatly simplifies
administration. It also means that whoever controls the DNS answers a client receives controls where
that client sends its logon and directory traffic, which is why the DNS infrastructure must be
protected as carefully as the domain controllers themselves.
Figure 158 lists the subjects that are described in this topic.
Figure 158 lists the subjects that are described in this topic.


DNS and Active Directory

Figure 159: DNS and Active Directory

DNS is a critical service for Active Directory; without DNS the directory service cannot function.
Clients use DNS to find the addresses of domain controllers and the services they offer. Domain
controllers register service location (SRV) records for these services in the DNS database
dynamically, through the Netlogon service, so the records follow the domain controllers without
manual editing.
DNS also holds site information for Active Directory. The domain controllers of each site register
additional site-specific SRV records, which is how a client in a widely dispersed environment finds a
domain controller at its own physical location instead of across a WAN link.


Types of Name Resolution

Figure 160: Types of Name Resolution

DNS is not the only method available to resolve names to IP addresses. Over the years, various
systems utilized several other types of name resolution. Windows Server 2008 R2 still supports
these alternative name resolution mechanisms for backward compatibility.

Hosts file
Since the early days of UNIX, Hosts files have been used to resolve names to IP addresses. The Hosts
file is a plain text file of host names and addresses that is created by hand. It resides locally on
every host and does not update when names or IP addresses on the network change. On Windows 7 the
file is %SystemRoot%\System32\drivers\etc\hosts. Its entries are preloaded into the DNS resolver
cache ahead of anything learned from a DNS server, so an entry placed there overrides DNS for that
name. That makes the file a favourite target for malware and the first place to look when a name
resolves to an unexpected address; it is writable only by administrators by default, and it should
stay that way.
Hosts files have a format like the following: an address, then one or more names separated by spaces
or tabs, with # starting a comment.
10.0.0.101 skunk
10.0.0.102 panda
10.0.0.125 tiger
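The following PowerShell script is added here as an example and is not part of the course material. It reads the Hosts file in the format just shown the way the resolver does (comments stripped, one address followed by one or more names) and reports what the resolver will honour before DNS is asked. The file path is the standard Windows 7 location; the watch list of names is an invented illustration.

```powershell
# Added example (not course material): parse the Windows 7 Hosts file and report
# the name-to-address mappings the resolver will honour before asking DNS.
# Assumptions: the file is at the standard location; $WatchList is illustrative.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry {
    param([string]$Path = $HostsPath)
    $entries = @()
    $lineNumber = 0
    foreach ($raw in (Get-Content -Path $Path)) {
        $lineNumber++
        # Everything after '#' is a comment; a blank or comment-only line is skipped
        $line = ($raw -replace '#.*$', '').Trim()
        if ($line -eq '') { continue }
        # Fields are separated by spaces or tabs: an address, then one or more names
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $entries += New-Object PSObject -Property @{
                Line    = $lineNumber
                Name    = $name.ToLower()
                Address = $address
            }
        }
    }
    return $entries
}

function Test-HostsEntry {
    param($Entries, [string[]]$WatchList)
    if (-not $Entries) { return }
    $seen = @{}
    foreach ($e in $Entries) {
        $notes = @()
        # Loopback mappings are the only kind a default Windows installation ever needs
        $loopback = ($e.Address -eq '127.0.0.1' -or $e.Address -eq '::1')
        if (-not $loopback) { $notes += 'non-loopback' }
        # A well-known name pointed somewhere other than loopback is the classic hijack
        if (($WatchList -contains $e.Name) -and -not $loopback) { $notes += 'WATCHED NAME REDIRECTED' }
        # The resolver uses the first mapping it finds; later duplicates are dead entries
        if ($seen.ContainsKey($e.Name)) { $notes += "duplicate of line $($seen[$e.Name])" }
        else { $seen[$e.Name] = $e.Line }
        $e | Add-Member -MemberType NoteProperty -Name Notes -Value ($notes -join '; ') -PassThru
    }
}

# Illustrative watch list: names whose redirection would defeat updates or antivirus
$WatchList = @('update.microsoft.com', 'windowsupdate.microsoft.com', 'www.bank.example')

Test-HostsEntry -Entries (Get-HostsEntry) -WatchList $WatchList |
    Format-Table Line, Name, Address, Notes -AutoSize
```

A default Windows 7 Hosts file has every line commented out, so any active entry the script lists deserves an explanation; the duplicate check matters because only the first mapping for a name is used.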

NetBIOS
NetBIOS was introduced by IBM in 1983 for its PC Network local area network product. Microsoft later
adopted it for the LAN Manager family of operating systems, of which Windows Server 2008 is a
descendant. NetBIOS was never meant for use in environments as large as those where it is still
deployed. With a flat namespace and a 15-character maximum for computer names (the 16th byte is a
service suffix), NetBIOS quickly runs into capacity problems.
Initially, NetBIOS name resolution was entirely broadcast-based, so every computer that wanted to
communicate using those names had to be on the same network segment. Microsoft introduced the
LMHosts file as a first way to carry NetBIOS over TCP/IP and let NetBIOS resolution reach computers on
distant networks. Like the Hosts file, LMHosts is a static file that must be updated by hand.


Microsoft later introduced WINS as a centralized name resolution service that updates dynamically
with the latest names and IP addresses of the computers throughout the environment. However, WINS
still relies on the flat, 15-character NetBIOS namespace, and it has no way to authenticate the
registrations it accepts.

DNS
DNS was standardized through RFCs in the mid-1980s to address the problems facing the burgeoning
Internet (still known as the ARPANET at that time). The network grew so rapidly that the simple Hosts
file could not keep up. DNS was developed as a hierarchical, distributed database of names. Although
distributed from the start, DNS zones were initially maintained by hand; dynamic update (RFC 2136)
came later, and Active Directory-integrated zones add secure dynamic update, so that only the
computer that registered a record can change it. DNS addresses the capacity and overhead problems
that have plagued the other name resolution services.

Anatomy of a DNS Name

Figure 161: Anatomy of a DNS Name

A DNS name is made up of several components (shown in Figure 161) that represent the
hierarchical namespace of DNS. Analyzing these components is helpful in understanding the
structure of DNS and helps when troubleshooting DNS problems.

FQDN
The FQDN (fully qualified domain name) refers to the combination of all of the naming
components together. A domain name is fully qualified when the host, second-level, top-level, and
root portions of the name are combined.

Host
The host portion of the DNS name is the identity of the computer or computers that the name
relates to. This may not be the only identity for that computer. Other aliases or host names could
also point to the IP address of the computer.


Second Level
The second level (sometimes called a sub-domain) is a subdivision of the DNS namespace. This
further compartmentalizes the DNS architecture into identifiers that represent the organizations
and entities that make up the namespace.

Top Level
The top-level domains divide the DNS namespace into collections of different kinds of organizations
and different parts of the world. Roughly 250 two-letter country-code top-level domains, such as .us,
.fr, .jp, and .tw, represent the countries and territories of the world. The most recognized top-level
domains are the generic ones originally used for businesses and organizations, such as .com, .net,
and .org. Several restricted top-level domains also exist, such as .gov (United States government),
.mil (United States military), and .edu (accredited United States post-secondary institutions).

Root
The root of the DNS namespace is simply the dot (.) at the end of every FQDN. It is often not written
or typed, but it is always there in the DNS hierarchy and is always used in name resolution. Thirteen
root server names (a.root-servers.net through m.root-servers.net), each served by many anycast
instances around the world, answer queries for the root; every other query starts from the referrals
they give.


Internet Name Resolution

Figure 162: Internet Name Resolution

DNS is also the name resolution mechanism of the Internet. If DNS had not been developed, the
Internet would not exist as it does today. Imagine remembering 72.21.210.250 instead of
http://www.amazon.com, or the IP addresses of the hundreds of Web sites you visit. Internet DNS is
the same protocol and the same hierarchy as the DNS you use in your network environment; it is
simply scaled to serve hundreds of millions of users and billions of queries.
Internet name resolution is also what gives the outside world access to your resources: a company
of any size can make its services reachable worldwide, not just locally. Together with the arrival of
the personal computer, DNS is the single mechanism most responsible for the explosion of the Internet.
DNS also locates other kinds of resources, not just Web sites or server names, through its resource
record types. The types you are most likely to meet include:
A: IPv4 host record
AAAA: IPv6 host record
CNAME: Alias record
DNAME: Delegation name record (redirects an entire subtree of the namespace to another name, as
CNAME does for a single name)
LOC: Location record
MX: Mail exchange record
NS: Name server record (delegates a zone to the servers authoritative for it)
PTR: Pointer record (reverse lookup, address to name)
SOA: Start of authority record
SRV: Service location record
TA: Trust authority record, a non-standard type used by some DNSSEC deployments; standard DNSSEC
validation relies on the DNSKEY, DS, and RRSIG records instead


Private Name Resolution

Figure 163: Private Name Resolution

DNS can both help and hurt a network. If you are not careful with its implementation and design, you
can inadvertently expose all of your internal host names, and with them a map of your internal
resources, to the outside world. Businesses operate safely because of private name resolution: you
keep separate private and public DNS namespaces (often called split DNS), so that internal resources
are invisible from outside while internal users can still resolve the Internet namespace.
Private name resolution traditionally starts with a private top-level domain name. Instead of the
typical .com, .edu, .org, and so forth, you use a name such as .local, .internal, or .private that is not
a delegated top-level domain. When this course was written there were about 20 generic TLDs plus the
country-code TLDs; the namespace has since expanded to more than a thousand. Two cautions apply.
First, .local is reserved for multicast DNS (RFC 6762), and Apple and many Linux hosts treat it
specially, so a .local Active Directory domain causes resolution problems on those systems. Second, a
made-up TLD can later be delegated on the public Internet, after which queries that leak out of your
network reach someone else's servers. Current Microsoft guidance is therefore to use a subdomain of a
registered name that you own, such as corp.example.com, for the Active Directory namespace. Whichever
name you choose, you must still configure forwarders or root hints on the Windows Server 2008 R2 DNS
server so that internal clients can reach the Internet address space.


Service Location Records

Figure 164: Service Location Records

In the Active Directory environment, SRV (service location) records let clients find the critical
services the directory depends on. Domain controllers automatically register, through the Netlogon
service, SRV records for the following:
Kerberos (for example _kerberos._tcp.dc._msdcs.<domain>)
LDAP (for example _ldap._tcp.dc._msdcs.<domain>)
Global catalog (for example _gc._tcp.<forest root domain>)
Clients and servers also use DNS to determine which site they are in and which of the servers running
these services they should talk to: site-specific copies of the records live under names such as
_ldap._tcp.<site>._sites.dc._msdcs.<domain>. Because a client trusts whatever these lookups return,
the zone holding them should accept only secure dynamic updates, so that only a domain controller's
own computer account can add or change its records.
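The following PowerShell function is added here as an example and is not part of the course material. It enumerates the SRV records described above for a domain and reports which hosts answer for each service, using nslookup because Windows 7 has no Resolve-DnsName cmdlet. The domain and site names are the course's illustrative values; the real site name comes from nltest /dsgetsite.

```powershell
# Added example (not course material): enumerate the SRV records that domain
# controllers register, and see which hosts answer for each service.
# Assumptions: hq.local and Default-First-Site-Name are illustrative; replace as needed.

function Get-AdSrvRecord {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,        # DNS name of the domain to examine
        [string]$Site   = 'Default-First-Site-Name', # site whose local DCs to check
        [string]$Server                              # optional DNS server to ask directly
    )
    # The Netlogon service registers these names; _msdcs records are DC-specific,
    # and the global catalog is registered in the forest root domain
    $services = @{
        'LDAP (all DCs)'    = "_ldap._tcp.dc._msdcs.$Domain"
        'LDAP (this site)'  = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        'Kerberos KDC'      = "_kerberos._tcp.dc._msdcs.$Domain"
        'Kerberos password' = "_kpasswd._tcp.$Domain"
        'PDC emulator'      = "_ldap._tcp.pdc._msdcs.$Domain"
        'Global catalog'    = "_gc._tcp.$Domain"
    }
    foreach ($label in $services.Keys) {
        $query  = $services[$label]
        $nsArgs = @('-type=SRV', $query)
        if ($Server) { $nsArgs += $Server }
        $output = & nslookup @nsArgs 2>&1
        # nslookup prints one block per answer; the target host is on the
        # "svr hostname = ..." line and the port on the "port = ..." line
        $targets = @()
        $port = ''
        foreach ($line in $output) {
            $text = [string]$line
            if ($text -match 'port\s*=\s*(\d+)')         { $port = $matches[1] }
            if ($text -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
        }
        New-Object PSObject -Property @{
            Service = $label
            Query   = $query
            Port    = $port
            Targets = ($targets -join ', ')
            Found   = ($targets.Count -gt 0)
        }
    }
}

# Usage: compare the configured DNS server's view with a specific server's view
Get-AdSrvRecord -Domain 'hq.local' | Format-Table Service, Port, Targets, Found -AutoSize
Get-AdSrvRecord -Domain 'hq.local' -Server '10.0.0.10' | Format-Table Service, Targets, Found -AutoSize
```

A service that shows Found = False, or whose Targets list names a host that is not one of your domain controllers, is worth investigating before anything else: clients will send authentication to whatever host the record names.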


Troubleshooting Tools

Figure 165: Troubleshooting Tools

Many tools are available for troubleshooting the Windows 7 operating system in general. A few of
these tools are more focused on resolving issues with DNS. The following topics describe these
tools.

Adapter Status
The Adapter Status dialog and its Network Connection Details button display basic information about
the network card and its IP address settings. This tool is sometimes the easiest one to walk another
person through over the phone.

The ipconfig /all Command
ipconfig /all is the command-line counterpart of the graphical Network Connection Details dialog. For
experienced administrators, the ipconfig commands are more useful, especially alongside other
command-line tools. Check here first that the DNS server addresses and the connection-specific DNS
suffix are the ones you expect; a wrong DNS server explains most domain-related failures.

The ipconfig /displaydns Command
The /displaydns switch shows every entry in the DNS client resolver cache, including entries preloaded
from the Hosts file and negative (name not found) answers. Cached entries cause problems when an
address changes on the DNS server before the cached copy expires. An entry stays in the cache for the
TTL that the authoritative server put on the record (the default TTL of a zone on Windows Server 2008
DNS is one hour), subject to the resolver's own maximum cache time.

The ipconfig /flushdns Command
The /flushdns switch clears the cached entries on the client resolver. Keep in mind that it does
nothing for entries cached on upstream DNS servers; clear those on the server itself, in the DNS
console or with dnscmd /clearcache.


The ipconfig /registerdns Command
The /registerdns switch forces the DNS client to register its name and IP address with a DNS server
that accepts dynamic updates (it also renews the computer's DHCP leases). When a computer's name and
address do not appear in DNS promptly, this command skips the normal waiting period and registers
straight away. In an Active Directory-integrated zone with secure dynamic update, the registration is
authenticated with the computer's domain account, so a computer that is not yet a domain member, or
whose account is broken, cannot register.

The nbtstat -c Command
While not a DNS command, nbtstat matters because names are sometimes resolved through NetBIOS and
cached there, and those entries give confusing results when you are chasing a DNS problem. nbtstat -c
(lowercase c) displays the cached NetBIOS names.

The nbtstat -R Command
The -R switch (uppercase R) purges the NetBIOS name cache on the local computer and reloads the #PRE
entries from the LMHosts file.

The NSLookup Tool
NSLookup is the definitive DNS troubleshooting utility. It talks directly to the DNS server, bypassing
the client's caching resolver, the Hosts file, and NetBIOS fallback, which removes most of the
confusion that caches cause and allows much more powerful troubleshooting. That also means a name
that nslookup resolves correctly but that applications still get wrong points at the cache, the Hosts
file, or a different server from the one nslookup used.
The best way to use NSLookup is to type nslookup and press ENTER to open its interactive console,
which accepts subsequent commands such as set type=SRV and server <address>. For help inside the
tool, type ? and press ENTER.

Ping
Ping is the ubiquitous connectivity testing utility found on almost any TCP/IP-based operating
system. It is not strictly a name resolution tool, but when you ping a name, expect to see the
corresponding IP address echoed back; if it is not, name resolution may be failing. Note that ping
uses the normal resolver (Hosts file, cache, DNS, then NetBIOS), so it can succeed where DNS alone
would fail.
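The following PowerShell functions are added here as an example and are not part of the course material. They combine the tools above into one check: a name is resolved through the Windows caching resolver (via .NET, which follows the Hosts file, cache, DNS, and NetBIOS path that applications use) and separately through nslookup against a DNS server, and the two answers are compared. The name and server address in the usage line are illustrative.

```powershell
# Added example (not course material): resolve a name through the caching resolver
# and directly against a DNS server, then compare. Disagreement points at a stale
# cache, a Hosts entry, or a different DNS server than the one you assumed.
# Assumptions: the name and server in the usage line are illustrative.

function Get-CachedDnsEntry {
    param([string]$Name)
    # ipconfig /displaydns lists "Record Name . . . . : <name>" for each cached record
    $pattern = 'Record Name[ .]*:\s*' + [regex]::Escape($Name) + '\s*$'
    @(& ipconfig /displaydns | Where-Object { $_ -match $pattern }).Count -gt 0
}

function Resolve-ViaServer {
    param([string]$Name, [string]$Server)
    $nsArgs = @($Name)
    if ($Server) { $nsArgs += $Server }
    $output = & nslookup @nsArgs 2>&1
    # nslookup prints the server it used first; the answer follows the "Name:" line as
    # "Address:" or "Addresses:" plus indented continuation lines, until "Aliases:"
    $addresses = @()
    $inAnswer = $false
    foreach ($line in $output) {
        $text = [string]$line
        if ($text -match '^Name:')    { $inAnswer = $true; continue }
        if (-not $inAnswer)           { continue }
        if ($text -match '^Aliases:') { break }
        if ($text -match '^Address(es)?:\s*(\S+)') { $addresses += $matches[2] }
        elseif ($text -match '^\s+(\S+)\s*$')      { $addresses += $matches[1] }
    }
    return $addresses
}

function Compare-NameResolution {
    param([string]$Name, [string]$Server)
    try {
        # The resolver path applications take: Hosts file, cache, DNS, NetBIOS fallback
        $viaResolver = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $viaResolver = @()   # resolver failed: unknown locally and via the configured DNS
    }
    $viaServer = @(Resolve-ViaServer -Name $Name -Server $Server)
    # Compare as sets; Compare-Object rejects empty arrays, so do it by hand
    $missing = @($viaResolver | Where-Object { $viaServer -notcontains $_ })
    $extra   = @($viaServer   | Where-Object { $viaResolver -notcontains $_ })
    New-Object PSObject -Property @{
        Name        = $Name
        ViaResolver = ($viaResolver -join ', ')
        ViaServer   = ($viaServer -join ', ')
        Cached      = (Get-CachedDnsEntry -Name $Name)
        Agree       = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage (illustrative): compare what applications get with what the DC's DNS server says
Compare-NameResolution -Name 'fileserver.hq.local' -Server '10.0.0.10' | Format-List
```

When Agree is False and Cached is True, ipconfig /flushdns and a re-run usually settles it; when Agree is False and Cached is False, the resolver answer came from the Hosts file or NetBIOS, not from DNS.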


Windows Server 2008 R2 Active Directory

Figure 166: Windows Server 2008 R2 Active Directory

Active Directory is a distributed database that stores information about objects such as user
accounts. It also provides information about network resources and application data for directory-
enabled applications and services. You can organize Active Directory into a hierarchical structure
that reflects the layout of your organization and possibly matches the DNS architecture as well.
Active Directory provides single sign-on to the environment, for ease of use and a more top-down
administrative model. Within an Active Directory forest, you can grant a user access to resources on
any computer in any domain.
The following topics describe the goals, objects, and architecture of Active Directory as well as the
naming standards it uses.


Active Directory Goals

Figure 167: Active Directory Goals

Active Directory is very flexible and extensible. The Active Directory platform has many potential
uses. Following is a description of the most important goals for Active Directory.

Store Object Information
Active Directory stores information for dozens of different object types. The most important are
User, Group, and Computer objects.

Authenticate Users
Before gaining access to any part of the Active Directory infrastructure, users must prove their
identity. It is the responsibility of the DC (domain controller) to provide this authentication. The
DC checks the user's credentials against the Active Directory database; if they are correct, the user
receives a Kerberos TGT (ticket-granting ticket), which the client then presents to obtain a service
ticket (ST) for each resource before accessing it. Resources therefore never see the user's password,
only tickets issued by the DC.

Implement Group Policies and Security Policies


Active Directory can be used to deploy both group policies and security policies to enforce the
standards of the organization. Group policies can be used to incorporate standardization for the
desktop look and feel, operating system settings, and many other user and computer specific items.
For security policies, settings such as password strength, account lockout settings, restricted
software, auditing guidelines, event log settings, and much more can be configured. These policies
are passed down to any users and computers within the scope of the policies.


Active Directory Objects

Figure 168: Active Directory Objects

The heart of Active Directory is a database that stores meaningful object information. Active
Directory contains many different object types, but administrators create and interact with only a
handful of them, including the following:

Users: User accounts are the most prominent object within Active Directory. They establish the list of
known individuals allowed to log on to the domain.
Groups: Groups are very important in the reduction of administrative overhead. Collecting users
together into groups allows the administrator to assign privileges to the group instead of to each
individual.
Computers: Administrators either create computer objects ahead of time or when a computer joins the
domain. Computers use computer objects to participate in the domain's security context.
Contacts: Contacts do not have a user name and cannot log on to the domain environment. Administrators
use contacts to establish e-mail aliases for individuals outside the organization.
Printers: Printer objects exist within the directory as a convenient method to locate a shared printer
within the network.
Shared folders: Shared folders are for convenience. A shared folder in Active Directory points to a
physical shared folder on a server or workstation. Creating a shared folder in Active Directory does
not create the shared folder on the target computer; the destination shared folder must already exist.


Active Directory Architecture

Figure 169: Active Directory Architecture

Active Directory is made of a collection of components that work at different hierarchical levels.
You should understand the designations of these levels even when you are implementing an
Active Directory structure of a smaller size:

Forest: A forest could be a single domain. However, the word forest generally depicts something larger.
A forest can be made up of two or more trees with different namespaces, for example hq.local and
widget.com. Trees and domains in the forest are bound together by links known as trusts, and the
forest, not the domain, is the true security boundary: an administrator of any domain in the forest
can affect the others.
Tree: A tree is a collection of one or more domains in the same namespace, for example hq.local.
Domains in the tree are linked together by trust relationships.
Domain: The domain is the basic building block and the administrative and replication boundary of the
Active Directory environment. The domain also establishes a storage area for Active Directory objects
within the DCs in that domain.
Global catalog: The GC for an Active Directory forest holds a read-only partial copy (a selected set of
attributes) of every object in every domain in the forest. Since each domain contains its own database
separate from other domains, the GC binds multiple domain directories into one larger searchable
directory.
Organizational unit: OUs are containers in which other objects, such as users and groups, are stored.
OUs are a very important organizational technique for dealing with very large numbers of objects. It is
difficult to manage thousands of user accounts in one flat list; instead, gather objects into
meaningful subdivisions called OUs that you can manage more efficiently, delegate administration of,
and link Group Policy to.
Domain controller: A DC is a computer that runs the Active Directory service and is able to answer
logon requests and queries about objects. The DC replicates any changes to the Active Directory
database to and from other DCs for redundancy.
Site: Sites describe the physical architecture of the environment. Usually administrators establish a
site for each physical location, and then place a GC on a DC within each site. Sites provide the
foundation for replication scheduling and for logging on to a local DC.


Naming Standards

Figure 170: Naming Standards

Active Directory uses a combination of different naming technologies to provide access to the
directory database:

DNS: DNS is one of the most important pieces of the Active Directory puzzle. Not
only does DNS provide the host name to TCP/IP address resolution necessary to
communicate with all of the Active Directory Services, it also provides the naming
structure for Active Directory itself.
DNS is critical in locating the LDAP, Kerberos, and global catalog resources necessary
for domain functionality through the use of SRV records.
LDAP: LDAP is used to query and access the directory database. LDAP is an open
standard used by other vendors for their own directory services and follows a common
access scheme. Using LDAP, other network computers and services can leverage
Active Directory for their own purposes.
X.500: The X.500 standard is a naming specification that defines the hierarchical
structure of a directory database. Active Directory loosely conforms to the X.500
specifications making it easier to convert objects from other directory services to
Active Directory and vice versa.
The X.500 specification lays out the use of containment qualifiers for the different
levels of the hierarchy. The following is an example of an X.500 DN.
cn=Jane Doe, ou=Sales, o=hq, l=atl, st=ga, c=us
cn: common name
ou: organizational unit
o: organization
l: locality
st: state
c: country
Active Directory naming architecture: When Microsoft first designed Active
Directory, it did not adopt the entire X.500 naming scheme for the Active Directory
database. Instead, the developers took part of the X.500 architecture (the cn= and ou=)
and appended the naming scheme used on the Internet today: DNS. The DNS domain
name information, for example gk.com, is turned into a series of dc= qualifiers.
The following is an example of an Active Directory DN:
cn=JaneD, ou=Sales, dc=atl, dc=hq, dc=local
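The following PowerShell functions are added here as an example and are not part of the course material. They carry out the conversion described above (DNS labels to dc= qualifiers), take a DN apart into its qualifiers while respecting escaped commas, and use the resulting DN to locate an object with the directory searcher built into Windows 7 (no RSAT needed). The domain and account names are the course's illustrative values; the filter-escaping function is added so that a user-supplied name cannot inject its own LDAP filter clauses.

```powershell
# Added example (not course material): convert between the DNS and LDAP forms of
# Active Directory names, and use the result to locate an object.
# Assumptions: hq.local and the account names are illustrative values.

function ConvertTo-DomainDN {
    param([string]$DnsDomain)
    # Each DNS label becomes one dc= qualifier, left to right: atl.hq.local -> DC=atl,DC=hq,DC=local
    ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function ConvertFrom-DistinguishedName {
    param([string]$DN)
    # Qualifiers are comma-separated, but a comma inside a value is escaped as "\," (RFC 4514),
    # so split only on commas that are not preceded by a backslash
    foreach ($rdn in [regex]::Split($DN, '(?<!\\),')) {
        $type, $value = $rdn.Trim().Split('=', 2)
        New-Object PSObject -Property @{ Type = $type.ToUpper(); Value = $value }
    }
}

function Get-ParentDN {
    param([string]$DN)
    # Everything after the first unescaped comma is the container the object lives in
    $parts = [regex]::Split($DN, '(?<!\\),')
    if ($parts.Count -lt 2) { return '' }
    $parts[1..($parts.Count - 1)] -join ','
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters that would change a filter's meaning (RFC 4515); backslash first
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-AdObject {
    param([string]$SamAccountName, [string]$DnsDomain = $env:USERDNSDOMAIN)
    # Bind to the domain head by its DN and search the whole domain for the account
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DnsDomain/" + (ConvertTo-DomainDN $DnsDomain))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(sAMAccountName=' + (ConvertTo-LdapFilterValue $SamAccountName) + ')'
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($result) { [string]$result.Properties['distinguishedname'][0] }
}

# Usage
ConvertTo-DomainDN 'atl.hq.local'
ConvertFrom-DistinguishedName 'CN=Doe\, Jane,OU=Sales,DC=atl,DC=hq,DC=local' | Format-Table Type, Value -AutoSize
# Where does this computer's own object live? (computer accounts end in $)
Get-ParentDN (Find-AdObject -SamAccountName ($env:COMPUTERNAME + '$') -DnsDomain 'hq.local')
```

The escaping step is the security-relevant detail: building an LDAP filter by string concatenation from untrusted input is the directory equivalent of SQL injection, and a name containing ")(objectClass=*" would otherwise widen the search.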

Joining an Active Directory Domain

Figure 171: Joining an Active Directory Domain

To take advantage of single sign-on, Group Policy, security, resource access, and the many other
features of Active Directory, the user's computer must join the Active Directory domain.
The following describes how to join a Windows 7 client computer to the Active Directory domain, how
to change the computer identity, where the computer object is placed, and how to log on to the domain.

Requirements to Join

Figure 172: Requirements to Join

To join an Active Directory domain, the computer must be configured with a DNS server address through
which it can locate a domain controller (the DC locator looks up the _ldap._tcp.dc._msdcs.<domain>
SRV record). The user must be logged on to the local computer as a member of the local Administrators
group.
It is not necessary, however, to use a domain administrator account for the join. By default, any
authenticated domain user can join up to 10 computers to the domain; the limit is the
ms-DS-MachineAccountQuota attribute on the domain object. Domain administrators, enterprise
administrators, and anyone granted the Create Computer Objects permission on the target container can
join an unlimited number. Because a computer account created under the quota is owned by the ordinary
user who created it, many organizations set the quota to 0 and pre-create or delegate computer objects
instead.


Changing the Computer Identity

Figure 173: Changing the Computer Identity

To change the computer's identity, follow these steps:

1. Click the Start button, right-click Computer, and then select Properties.
2. Click the Change Settings link, and then click the Change button.
3. Choose the Domain option and type the name of the domain you want to join.
4. Type the credentials of an Active Directory user account that is allowed to join computers to the
domain.
Unlike Windows XP, Windows 7 lets you change the computer name and the domain membership at the same
time, with a single reboot. Previously, this took two separate steps with two reboots.
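The following PowerShell script is added here as an example and is not part of the course material. It checks the join requirements from the previous topic (local administrator, a configured DNS server, a domain controller that the DC locator can find, and the machine account quota) and then performs the join that the four steps above do in the GUI, from PowerShell 2.0 on Windows 7, placing the computer object in a chosen OU rather than the default Computers container. The domain, OU path, and join account are illustrative.

```powershell
# Added example (not course material): verify the join prerequisites and then join
# the domain from PowerShell 2.0 on Windows 7, placing the computer object in a
# chosen OU. Assumptions: the domain, OU path, and join account are illustrative.

$Domain   = 'hq.local'
$OUPath   = 'OU=Workstations,DC=hq,DC=local'
$JoinUser = "$Domain\joinsvc"

function Test-JoinPrerequisite {
    param([string]$Domain)
    $ok = $true
    # 1. The logged-on user must be a local administrator (with UAC, use an elevated prompt)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not running as a local administrator'; $ok = $false
    }
    # 2. At least one enabled adapter must point at a DNS server
    $dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
    if (-not $dnsServers) { Write-Warning 'No DNS server configured'; $ok = $false }
    # 3. That DNS server must let the DC locator find a domain controller (SRV lookup)
    $locator = & nltest /dsgetdc:$Domain 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "DC locator failed: $locator"; $ok = $false }
    return $ok
}

function Get-MachineAccountQuota {
    param([string]$Domain, [System.Management.Automation.PSCredential]$Credential)
    # Read ms-DS-MachineAccountQuota from the domain head; a computer that is not yet
    # a member can still bind when it supplies explicit credentials
    $dn   = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $head = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain/$dn", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    [int]$head.Properties['ms-DS-MachineAccountQuota'].Value
}

if (Test-JoinPrerequisite -Domain $Domain) {
    $cred  = Get-Credential $JoinUser
    $quota = Get-MachineAccountQuota -Domain $Domain -Credential $cred
    Write-Host "ms-DS-MachineAccountQuota is $quota (0 means only delegated accounts can create computer objects)"
    # Join and place the object in $OUPath. The join account needs Create Computer Objects
    # on that OU, or the object must already exist there (pre-created), or the account
    # must have quota left. One reboot finishes the join.
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred
    Restart-Computer -Confirm
}
```

Add-Computer in PowerShell 2.0 cannot rename the computer in the same call; rename first with the GUI or Rename-Computer is not available until PowerShell 3.0, so on Windows 7 do the rename before running this script if the name must change.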


Computer Object Placement

Figure 174: Computer Object Placement

When you join the domain, the computer object is placed by default in the Computers container of the
domain. A domain administrator can move it later, or can change the default location for new computer
objects with the redircmp command. It is also possible to create the computer object ahead of time in
an appropriate OU; when the computer joins later, it binds to that existing object and receives the
Group Policy linked to that OU on its first policy refresh. The Computers container itself cannot have
Group Policy linked to it, which is one reason not to leave computers there.


Logging On to the Domain

Figure 175: Logging On to the Domain

In Windows 7, the account name of the last logged-on user is displayed by default on the logon screen.
To log on as a different user, or to force a domain rather than a local logon, click the Switch User
button, and then select Other User. You can then type any valid user name for the local computer or
for the domain.
If you type a user account name that does not exist on the local computer, the context automatically
changes to the domain that the computer belongs to. You can also specify the context explicitly:

HQ\Joe (NetBIOS domain name and user name)
Joe@hq.local (user principal name)
.\Joe (the leading dot forces a local account on this computer, which matters when a local account and
a domain account share a name)


Using Active Directory Tools Remotely

Figure 176: Using Active Directory Tools Remotely

It is not always convenient or desirable to use domain management tools on the server console.
Instead, it is possible to install the tools on a Windows 7 console that you can use for
administration.
However, when these tools are unavailable, or the computer you are using is not a domain
member, other methods of remote administration are available.
Figure 176 lists the subjects that are described in this topic.

Active Directory Remote Management

Figure 177: Active Directory Remote Management

An Active Directory environment has several possible options for remote management:

Remote command-line tools: Many command-line tools are available to use against
either the local computer or remote computers. To find out if a tool has remote
management capabilities, run the command with a /? switch, and look for a server or
computer name switch that allows you to change the focus of the command.
Remote Desktop: Any computer with a Remote Desktop client can connect to the
server and run tools and utilities as if sitting at the server console. This is a great option
for non-domain member computers, and for non-Windows computers.
Windows 7 MMC tools: Most of the built-in MMC tools have the ability to focus on
remote computers. The Computer Management Console is one example.
RSAT: Dozens of additional MMC tools are available in the Remote Server
Administration Tools package. This is a free download from Microsoft.


Installing the RSAT Package

Figure 178: Installing the RSAT Package

To install the RSAT, go to the Microsoft Web site and search for RSAT. Choose the version that
matches your version of Windows (32 bit or 64 bit), and download it. To install the package, run
the MSU file and follow the prompts.


Enabling the RSAT Tools

Figure 179: Enabling the RSAT Tools

After installing the RSAT MSU file, the tools do not appear in the Administrative Tools list by
default. You must add the individual RSAT tools that you need, or add them all.
To add the RSAT tools, follow these steps:
1. Click Start, Control Panel, and Programs and Features.
2. Click the Turn Windows Features on or off link.
3. Scroll down to the Remote Server Administration Tools section.
4. Expand it and select the check box for each individual item you need.

Note
Selecting an item higher in the RSAT list does not automatically select the check boxes beneath it.
You must select each individual item to install it.
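The following PowerShell script is added here as an example and is not part of the course material. It does the same job as the four steps above from an elevated prompt using DISM, which is useful when many workstations need the same tools. The feature names are read from DISM rather than hard-coded; the assumption that every RSAT component name begins with RemoteServerAdministrationTools and that a parent's name is a prefix of its children's names holds for the Windows 7 RSAT package but should be confirmed against the listing the script prints first. The note above applies here too: Windows 7 DISM has no /all switch, so every component, parents included, is enabled individually.

```powershell
# Added example (not course material): enable RSAT components with DISM from an
# elevated PowerShell prompt. Assumption: RSAT feature names start with
# "RemoteServerAdministrationTools" and parent names are prefixes of child names.

function Get-RsatFeature {
    # "dism /get-features /format:table" prints "Feature Name | State" rows
    & dism /online /get-features /format:table 2>&1 | ForEach-Object {
        if ([string]$_ -match '^(RemoteServerAdministrationTools\S*)\s*\|\s*(\w+)') {
            New-Object PSObject -Property @{ Name = $matches[1]; State = $matches[2] }
        }
    }
}

function Enable-RsatFeature {
    param([string[]]$Pattern)   # substrings to match, e.g. 'AD-DS-SnapIns', 'Features-GP'
    $all    = @(Get-RsatFeature | ForEach-Object { $_.Name })
    $wanted = @($all | Where-Object { $n = $_; @($Pattern | Where-Object { $n -like "*$_*" }).Count -gt 0 })
    # Collect every ancestor of each wanted feature (name prefixes that are real features),
    # because a child cannot be enabled before its parent
    $names = @{}
    foreach ($name in $wanted) {
        $parts = $name.Split('-')
        for ($i = 1; $i -le $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join '-'
            if ($all -contains $prefix) { $names[$prefix] = $true }
        }
    }
    # Shortest name first puts each parent ahead of its children
    foreach ($name in ($names.Keys | Sort-Object Length)) {
        & dism /online /enable-feature /featurename:$name /norestart | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to enable $name (exit code $LASTEXITCODE)" }
        else { Write-Host "Enabled $name" }
    }
}

# Usage: list what the package offers, then enable the AD DS snap-ins and the GPMC
Get-RsatFeature | Sort-Object Name | Format-Table Name, State -AutoSize
Enable-RsatFeature -Pattern 'AD-DS-SnapIns', 'Features-GP'
```

Run the listing alone first on a new build; if the names differ from the pattern assumed here, adjust the substrings passed to Enable-RsatFeature rather than guessing.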


Implementing Group Policy

Figure 180: Implementing Group Policy

Microsoft introduced Group Policy with Windows 2000 as a replacement for the system policies
of older Windows environments. The system policies used in the past were very inflexible and
difficult to reverse once put in place.
The new Group Policy in Windows Server 2008 builds upon the foundation established with
Windows 2000. Group Policy enhancements made in Windows Server 2003 were minor compared
to the new features and hundreds of new settings in Group Policy for Windows Server 2008.
Group Policy may be enhanced with new features but the basic architecture remains the same. To
properly deploy and troubleshoot Group Policy, you must understand its capabilities and
components.
This topic describes the Group Policy features of Windows 7 in the Active Directory environment.


What Is Group Policy?

Figure 181: What Is Group Policy?

Policies are very important to the network administrator. Policies allow you to pass down many
security or configuration settings to your Windows 7 workstations in a centralized manner, which
makes it easy for you to administer the network. Without policies, you would literally have to visit
thousands of computers either through remote access technologies or by traveling to the location
of the computer, which is not efficient and very costly.
Windows 7 provides you access to several types of policies and utilities for creating and managing
them. Windows 7 provides the local security policy and the Group Policy settings that are passed
down from your Windows Server 2008 R2 computers.

Helpful Hint
You can find many important configuration items in the Windows 7 local security policy, such as the
UAC settings (under Local Policies, Security Options) and Windows Firewall with Advanced Security.

Figure 181 lists the subjects that are described in this topic.


Computer and User Configuration Items

Figure 182: Computer and User Configuration Items

Each Group Policy object is broken down into two primary sections:

Computer Configuration: These configuration types apply only to computer objects that are
within the scope of the policy.
User Configuration: These configuration types apply only to user objects that are within the
scope of the policy.


Desktop Settings and Restrictions

Figure 183: Desktop Settings and Restrictions

In the previous Group Policy Management Editor, the Administrative Templates section for both
the user and computer configurations contained most of the desktop settings and restrictions. Now,
there are two new layers:

Policies: This layer contains Software Settings, Windows Settings, and Administrative Templates.
Preferences: This layer contains Windows Settings and Control Panel Settings.

The Policies, Administrative Templates container, together with the Preferences, Windows
Settings and Preferences, Control Panel Settings containers, includes most of the desktop-related
settings and restrictions, as shown in Figure 183.
The settings can range from the benign background logo to a complete lockdown of the system.


Local Policies

Figure 184: Local Policies

Local policies are those settings configured only on the local computer. These are usually
implemented on a stand-alone or workgroup computer.
Use the Group Policy Management Editor or gpedit.msc tool to edit local policies.


Security Policies

Figure 185: Security Policies

One section within Group Policy deals specifically with security settings. The security policies
section contains settings that can be used to secure or lock down computers in the environment
through Group Policy instead of having to implement those settings on each individual system.
The main headings of the security policy are:

Security Settings, Password Policy and Account Lockout Policy: Contains the password
history, password age, password length, complexity requirements, and encryption options
Local Policies, Audit Policy, User Rights Assignments and Security Options: Contains the
auditing settings, user rights to the system, and UAC settings
Windows Firewall with Advanced Security: Contains the inbound and outbound rule creation,
IPSec security rules, and NAP rules
Network List Manager Policies: Contains the policy settings that control the listing of
identified, unidentified, all networks, and identifying networks
Public Key Policies: Contains EFS policies, BitLocker Drive Encryption policies, and
certificate settings
Software Restriction Policies: Allows and blocks software from the network
Application Control Policies: Contains AppLocker policies
IP Security Policies on Local Computer: Contains the wizard for creating IP security policies
Advanced Audit Policy Configuration: Contains 40 or more advanced audit policies for many
categories and subcategories such as auditing file shares, registry, and the file system


Folder Redirection

Figure 186: Folder Redirection

The process of folder redirection makes it possible to store a user's personal My Documents files
on a server instead of locally. The user is unaware of this change, and the documents are also
cached on the user's local hard drive using offline synchronization.
You can also set up many other folders for folder redirection:

AppData (Roaming): Contains files used to store some application configuration data.
Desktop: Contains all files and shortcuts stored on the Windows desktop.
Start Menu: Refers to the Personal section of the Start Menu with all of the program
groups and shortcuts. (You cannot redirect the All Users section.)
Documents: Contains the bulk of any user-created files. (Formerly known as My
Documents)
Pictures: Stores photos by default. You can reduce replication traffic by disabling
some of these less work-related folders.
Music: Stores music by default. You can reduce replication traffic by disabling some
of these less work-related folders.
Videos: Stores videos by default. You can reduce replication traffic by disabling some
of these less work-related folders.
Favorites: Stores Internet favorites to Web sites.
Contacts: Refers to the built-in contacts database for Windows Vista.
Downloads: Stores files downloaded through Windows Messenger and other programs
by default.
Links: Stores quick shortcuts to other folders in the personal and public folders of
the user.
Searches: Stores predefined search criteria for new files, recently viewed files,
recently changed documents, and so forth.
Saved Games: Stores the user's games. Some games are now designed to save the
user's games here by default.


Software Deployment

Figure 187: Software Deployment

A powerful feature of Group Policy is the ability to distribute software packages and to restrict
access to unauthorized software. Other more powerful tools also provide these features, such as
Microsoft Systems Management Server, but for the small to mid-sized environment, the built-in
software management tools in Group Policy may be all that are needed.

Distributing Software Packages
The Software Installation section within a Group Policy Object allows the distribution of
software packages. This capability relies on the Windows Installer service that is present on all
Windows operating systems from Windows 2000 to the present.
In order to distribute software using Group Policy, the package must be in MSI format. This
means that an application that is not currently packaged as an MSI file cannot be distributed unless
it is repackaged or a new package is built for it. Many commercially available tools can do this
packaging.
It is possible (but not desirable) to distribute legacy installer packages using a special file called a
ZAP. A ZAP file is a simple text file that contains the name of the executable command that runs
at installation. Unfortunately, it does not have any of the powerful features of the MSI format,
such as self-healing, reporting, and clean uninstall.
Software can be distributed to either the User Configuration section of a Group Policy, or to the
Computer Configuration section. If software is distributed to the user, the package follows the
user from one computer to another. If the package is configured in the Computer Configuration
section, it is available to anyone that logs on to the computer.
When you distribute software to the User Configuration section of Group Policy, you can
distribute it as either an assigned package or a published package. Software packages created in
the Computer Configuration section can only be assigned.
Assigned packages are mandatory and are installed at computer boot time in the case of software
assigned to the Computer Configuration. When packages are assigned to the User
Configuration, they are either installed at first logon or the first time the user attempts to use the
application in the package.


Published packages are optional. The end user must install published packages using
Add/Remove Programs on Windows XP and Windows Server 2003, or using Programs and
Features on Windows Vista, Windows 7, and Windows Server 2008.

Software Restrictions

Figure 188: Software Restrictions

Because of the growing threat of viruses and rogue software, tight control over the software that
users run is greatly needed. Antivirus software is certainly a necessity, but it only catches known
software threats. Any new viruses or Trojan horses that slip under the radar can still be a huge
problem. You can use the Software Restriction feature of Group Policy to prevent users from
running prohibited or malicious programs, or prevent certain programs from starting.
The following topics describe the software restriction and AppLocker policies.

Software Restriction Policies
The software restriction policies available in Group Policy can prevent suspect software from
running before it ever becomes an issue. Software restrictions can also enforce corporate standards
regarding the type of software that end users can install and run. This could lead to greater
productivity or, at the very least, reduce downtime due to software that causes stability problems.
The four different types of software restriction policies are: path rule, network zone rule, hash rule,
and certificate rule.
Path Rule
The path rule is the easiest type to set up. You can use this type in a broad fashion. All you need to
define is the name of the restricted file or a wildcard that matches certain characters in the file
name, or all extensions that match a certain type. The downside to the path rule is that users can
circumvent the policy by renaming the file.
Network Zone Rule
Using the network zone rule, you can define the Internet zones (Internet, Intranet, or Trusted) from
which to allow or prevent software, ActiveX controls, or Java applets from being downloaded.
You cannot prevent users from running the application if they obtain it from a different source,
such as a CD/DVD-ROM, USB drive, or floppy disk.


Hash Rule
A hash rule is a more secure mechanism used to permit or deny access to specific files. An MD5
hash is a unique value generated from the bits and bytes of the file. This value is unique among
files. You can use this value to identify whether or not the file is allowed to run. Unfortunately, a
very knowledgeable individual can circumvent the hash rule by hex-editing the file in question and
changing it by a tiny amount.
Certificate Rule
The certificate rule is by far the most secure, but also the most cumbersome to implement. To
properly implement certificate rules, a PKI must be in place to generate and verify certificates.
To use a certificate rule, a special code-signing certificate must be issued by a Certification
Authority. The private key portion of the certificate is then used to sign the files that are allowed
to run. The public key portion of the certificate is then made available to all who need to use the
signed files.
The certificate rules are normally used in a situation where no software is allowed to run except
those files signed by a trusted code-signing certificate. This exclusive model requires constant
oversight as new software or revisions to existing software come along. It is, however, the most
secure computing model available.

AppLocker Policies
Microsoft provided software restriction policies in Windows XP to control the software allowed to
run on computers in the environment. A new, more advanced version of software restriction
policies, AppLocker, is now available for Windows Server 2008 R2 and Windows 7.
The following are AppLocker features:

More powerful publisher rules: AppLocker has the ability to create a rule for a
product name. This eliminates the need to regenerate the hash rule for every update of
an application. Rules can be based on publisher, product name, file name, or version;
this information is taken from the digital signature of the application.
Simplified rule processing structure: AppLocker removes the complex precedence
rules for different rule types. Now, all deny rules take precedence over allow rules.
User rules for non-interactive logons: With AppLocker, a help desk administrator
who is remotely administering a user's desktop has the rules enforced whether they are
interactively logged on or not.
Separate policies for .exe files, .msi files, scripts, and DLLs: In AppLocker,
executable rules apply to executable code; path rules created for executable programs
do not apply to DLLs. To control DLL behavior, simply create a DLL rule.
Auditing mode: In AppLocker, enable an audit-only mode to watch or track the
AppLocker process without actually blocking access to files.
Wizard for rule creation: In AppLocker, use a rule creation wizard to generate rules
that allow all applications in a specified folder to run.
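As an added example (not the course's own code), the following PowerShell uses the AppLocker cmdlets shipped with Windows 7 and Windows Server 2008 R2 to build publisher and hash rules for the executables in a folder, run them in audit-only mode, dry-run a file against the policy, and read the audit events. The folder path, file name, and rule prefix are assumptions.

```powershell
# Added example, not from the course text: audit-only AppLocker workflow.
# Requires Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 (AppLocker module).
# The folder and file names below are assumptions; replace them with your own.
Import-Module AppLocker

$appFolder = 'C:\Program Files\Contoso'               # assumed line-of-business application
$policyXml = Join-Path $env:TEMP 'contoso-applocker.xml'

# 1. Gather rule information for every .exe under the folder. Signed files yield publisher
#    data; unsigned files can only be matched by hash.
$files = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe

# 2. Generate allow rules for Everyone. Publisher rules are preferred and -Optimize merges
#    rules that share a publisher, so a signed update keeps matching without a new hash.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash `
    -User Everyone -RuleNamePrefix Contoso -Optimize -Xml

# 3. Switch every rule collection to AuditOnly: nothing is blocked, but each decision that
#    would have been a block is written to the AppLocker event log as event ID 8003.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyXml)

# 4. Dry-run the policy against a file before it is applied anywhere.
$testFile = Join-Path $appFolder 'ContosoApp.exe'     # assumed file name
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $testFile -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge the policy into the local computer policy (use -Ldap with a GPO's distinguished
#    name to target a domain GPO instead). AppLocker only evaluates rules while the
#    Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
Start-Service AppIDSvc

# 6. Review what audit mode would have blocked. After switching the collections to
#    Enabled (enforce), real blocks are logged as event ID 8004 instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Run the audit phase for a full business cycle and review the 8003 events before changing EnforcementMode to Enabled, since the policy allows only what was present in the folder when the rules were generated.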


Logon Scripts

Figure 189: Logon Scripts

In the past, actions that could not be configured as Group Policy settings were performed by logon
scripts. More and more of these settings are now incorporated into Group Policy as individual
configurable items.
For instance, historically, logon scripts were used to create a mapped network drive for users at
logon. With Windows 7 and Windows Server 2008 R2, Group Policy now contains a User
Configuration, Preferences, Windows Settings, Drive Maps option that allows you to configure
the mapped drives.
In addition to logon scripts, Group Policy can also provide computer startup and shutdown scripts
that execute when the computer starts, or is shut down. These can be cleanup or maintenance
related activities.
You can still write scripts using familiar batch file programming or VBScript. However, it is now
possible to design the scripts using Windows PowerShell. Since Windows PowerShell is now
automatically installed on Windows 7 and Windows Server 2008 R2, Windows PowerShell scripts
will be more common in the future.


ADMX Templates

Figure 190: ADMX Templates

ADMX files contain the settings that are represented in the Administrative Templates section of
a Group Policy. These templates, as their name implies, are based on standard XML and have an
.admx file extension. This file type replaced the .adm standard for administrative templates.
Windows 7 stores these .admx files in the %Windir%\PolicyDefinitions folder. If you need to,
you can also download additional policy definitions directly from Microsoft.
These policies are passed down to the Windows 7 workstations from a Windows Server 2008 R2
central store. A central store is a location that lives within the SYSVOL folder. You need to create
the central store only once. The store is then replicated to all of the other domain controllers via
the replication process.
The central store contains a root-level folder that houses all of the non-language-specific policy
definitions and lower level folders that contain any language-specific policy definitions. You can
copy the .admx files into the appropriate location using any copy method, such as Xcopy or copy
and paste.
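The copy described above, as an added PowerShell example rather than the course's own procedure: it creates the central store in SYSVOL, copies the language-neutral .admx files to its root and the .adml files into their language subfolders, and checks that every template has display strings for the editing computer's language. It assumes an account that can write to SYSVOL and that $env:USERDNSDOMAIN holds the domain name.

```powershell
# Added example, not from the course text: populate the ADMX central store from a
# Windows 7 workstation's local policy definitions.
# Assumptions: logged on with an account that can write to SYSVOL; $env:USERDNSDOMAIN
# holds the domain name (e.g. contoso.local, constructed).
$domain = $env:USERDNSDOMAIN
$source = Join-Path $env:WINDIR 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# The root of the store holds the language-neutral .admx files; each language subfolder
# (for example en-US) holds the matching .adml display strings.
if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
# -Force overwrites existing copies; compare versions first if several OS releases share the store.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $store -Force

foreach ($langDir in (Get-ChildItem $source | Where-Object { $_.PSIsContainer })) {
    $target = Join-Path $store $langDir.Name
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    Copy-Item -Path (Join-Path $langDir.FullName '*.adml') -Destination $target -Force
}

# Check: once a central store exists, the Group Policy Management Editor reads templates only
# from there, and an .admx without an .adml for the editing computer's language produces an
# error when the Administrative Templates node is opened.
$lang    = (Get-Culture).Name
$admx    = @(Get-ChildItem (Join-Path $store '*.admx'))
$missing = @($admx | Where-Object {
    -not (Test-Path (Join-Path $store "$lang\$($_.BaseName).adml"))
})
if ($missing.Count -gt 0) {
    "Templates without a $lang .adml in the central store:"
    $missing | ForEach-Object { $_.Name }
} else {
    "Central store populated: {0} .admx files in {1}" -f $admx.Count, $store
}
```

The store is created once; Active Directory replication then copies it to the other domain controllers, as the text notes.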


Figure 191: ADMX Templates (cont.)

You can open .admx or .adm files with any text editor, including Notepad. However, you must
ensure that your text editor does in fact understand XML syntax. You can also use Visual
Studio or the easy-to-use and navigate XML Notepad 2007. This is a simple and free download
from the Microsoft software download site.


Group Policy Processing (LSDOU)

Figure 192: Group Policy Processing (LSDOU)

Group Policy, as you learned, affects many different computer and user settings. It is important to
realize that Group Policy also affects many different locations. Administrators can apply policies
to many locations, such as the Active Directory site, domain, and the OU. Remember,
administrators can also configure local policy on the workstations as well.
Administrators need to figure out how all of these policies may or may not affect each other.
Microsoft has provided a simple Group Policy application procedure.
The acronym is: LSDOU (Local, Site, Domain, Organizational Unit). This simply states that
policies are applied to the Windows 7 workstations in that order.
1. Local: Local policies are applied first. Local policies apply only to the local computer
or workstation.
2. Site: ADDS site policies are applied second. Site policies apply to the subnet IDs that
match the site that the computer or user is located within.
3. Domain: ADDS domain policies are applied third. Domain policies apply to all users
and computers in the same domain.
4. OU: ADDS OU policies are applied last. OU policies apply to all users and computers
in the OU that the policy is linked to. Sometimes OUs are nested within other OUs
because they are easy to manage this way. Any policies within the nested OUs are
applied one at a time after the initial OU policy.
The Group Policy application model is a simple one to master, until policies start to conflict. For
example, a domain administrator applies a policy to the domain that prevents access to Windows 7
Control Panel. However, a branch office administrator has a policy that allows access to Windows 7
Control Panel of the OU that he or she is responsible for. What happens? Again, Microsoft has an
easy-to-understand rule of Group Policy precedence. The rule simply states that the policy that is
applied last wins. So in the previous example, where the OU lives within the domain, the users
within the OU would not be affected by the domain policy and they would have access to Control Panel.


Group Policy and OUs

Figure 193: Group Policy and OUs

To manage group policies most effectively, there should be a good foundation to apply them to.
This foundation normally exists as a hierarchy of OUs within the domain environment. Group
policies certainly can be applied to the site and the domain levels, but the real power of Group
Policy is in being able to apply it in a granular fashion.
When applying a GPO to an OU structure, it is important to remember that a policy applied at a
parent OU is automatically inherited by all child and grandchild OUs. This default behavior
should be leveraged so that settings that really should apply to a broad range of users and
computers are applied at a higher parent level, while settings that should affect only a subset of
accounts are applied at a child OU. Structuring the OUs appropriately can make this process
much easier.
Sometimes this normal inheritance process can be limiting. For that reason, there are three ways to
disrupt the inheritance of higher-level policies:

Contradictory Settings
If a child OU has the need to opt out of a particular Group Policy setting, a new GPO can be
created at that level that has the opposite setting. The last policy applied in the processing
sequence wins.

Block Inheritance
When a very large number of settings are configured at a higher level and many of them should
not apply to a child OU, enable the Block Inheritance attribute on the OU so that no policies from
above apply.

Enforce
The Enforce option is applied at higher levels of the policy architecture to ensure that certain
policies cannot be overridden or be blocked. The Enforce option is applied to an individual GPO.
Depending on the options you enable, some GPOs can be overridden or blocked while others can
be made mandatory. The Enforce option always wins.
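The following PowerShell models the LSDOU processing order from the previous topic together with the Block Inheritance and Enforce options described here, and works through the Control Panel example. It is an added illustration, not Microsoft code; the GPO names and the ProhibitControlPanel setting are constructed.

```powershell
# Added illustration of Group Policy processing; not Microsoft code.
# GPO names and the ProhibitControlPanel setting are constructed for this example.

function New-Gpo {
    param([string]$Name, [hashtable]$Settings, [switch]$Enforced)
    return @{ Name = $Name; Settings = $Settings; Enforced = [bool]$Enforced }
}

function Get-GpoApplicationOrder {
    # $Levels lists containers in LSDOU order: Local, Site, Domain, OU, nested OU ...
    # Each container is @{ Name; BlockInheritance; Gpos } with its GPOs in link order.
    param([array]$Levels)
    $normal   = @()   # non-enforced GPOs, applied in LSDOU order
    $enforced = @()   # enforced GPOs, collected separately and applied last
    foreach ($level in $Levels) {
        if ($level.BlockInheritance) {
            # Block Inheritance discards non-enforced GPOs linked above this container.
            # The local GPO is still processed, and enforced GPOs cannot be blocked.
            $normal = @($normal | Where-Object { $_.Level -eq 'Local' })
        }
        foreach ($gpo in $level.Gpos) {
            $entry = @{ Level = $level.Name; Gpo = $gpo }
            if ($gpo.Enforced) { $enforced += $entry } else { $normal += $entry }
        }
    }
    # Enforced GPOs go last. Among them the one linked highest (closest to the site)
    # must win, so they are appended in reverse order of collection.
    $ordered = $normal
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $ordered += $enforced[$i] }
    return $ordered
}

function Get-ResultantSetting {
    param([array]$Levels, [string]$SettingName)
    $value = 'Not Configured'; $winner = $null; $trace = @()
    foreach ($entry in @(Get-GpoApplicationOrder -Levels $Levels)) {
        $gpo = $entry.Gpo
        $trace += ('{0}: {1}' -f $entry.Level, $gpo.Name)
        if ($gpo.Settings.ContainsKey($SettingName)) {
            $value  = $gpo.Settings[$SettingName]   # the policy applied last wins
            $winner = $gpo.Name
        }
    }
    return New-Object PSObject -Property @{
        Setting = $SettingName; Value = $value; WinningGpo = $winner; Order = ($trace -join ', ')
    }
}

# Scenario from the text: the domain GPO prohibits Control Panel, the branch OU GPO allows it.
$lockdown = New-Gpo -Name 'Corp Lockdown'  -Settings @{ ProhibitControlPanel = $true }
$branch   = New-Gpo -Name 'Branch Desktop' -Settings @{ ProhibitControlPanel = $false }
$levels = @(
    @{ Name = 'Local';     BlockInheritance = $false; Gpos = @() },
    @{ Name = 'Site';      BlockInheritance = $false; Gpos = @() },
    @{ Name = 'Domain';    BlockInheritance = $false; Gpos = @($lockdown) },
    @{ Name = 'OU:Branch'; BlockInheritance = $false; Gpos = @($branch) }
)
# The OU-linked GPO is applied last, so its setting wins.
Get-ResultantSetting -Levels $levels -SettingName 'ProhibitControlPanel' | Format-List

# The domain administrator enforces the lockdown: it is now processed after the OU GPO.
$levels[2].Gpos = @( (New-Gpo -Name 'Corp Lockdown' -Settings @{ ProhibitControlPanel = $true } -Enforced) )
Get-ResultantSetting -Levels $levels -SettingName 'ProhibitControlPanel' | Format-List

# Block Inheritance on the OU, with the domain GPO not enforced, drops the lockdown entirely;
# the Order property shows that Corp Lockdown is no longer processed at all.
$levels[2].Gpos = @($lockdown); $levels[3].BlockInheritance = $true
Get-ResultantSetting -Levels $levels -SettingName 'ProhibitControlPanel' | Format-List
```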


Group Policy Tools

Figure 194: Group Policy Tools

There are several tools, some graphical and some command-line based, that are used in managing
and troubleshooting the Group Policy process. The following topics describe these tools.

GPMC.msc
The Group Policy Management Console is the primary tool for viewing and managing all of the
policies that exist in a given Active Directory forest. All of the sites, domains and OUs can be
viewed from one console interface. The tool also displays a listing of all GPOs defined in each
domain, even if they are not currently applied to anything.
In addition to displaying the structure of the group policies, the GPMC tool allows the
administrator to quickly see which policy settings are being applied at each level of the OU
structure without opening each policy in the Group Policy Management Editor.
There are also built-in tools for viewing Group Policy modeling and Group Policy results. These
tools are invaluable in testing and troubleshooting policy application.

Gpedit.msc
The Group Policy Management Editor is a tool that can be launched from within the Group Policy
Management console, or stand-alone. When launched by itself, the local policies of a computer
can be viewed.
Using the editor, you can view and modify all of the policy settings within a GPO. Many settings
within the editor are simply On, Off or Not Configured. Other settings may require selections
from drop-down lists, while others may require text entry.

Gpupdate.exe
The Group Policy Update tool is a command-line tool used to force policy application. When
troubleshooting policies, it may sometimes be necessary to apply policies ahead of the normal
refresh interval of 30 to 90 minutes.


Gpresult.exe
The Group Policy Results tool is a command-line tool that can display all of the policy settings
that are active for a computer or user. The output from the tool can be redirected to a file for later
viewing.

RSoP Snap-in
Another tool that can be used to troubleshoot policy application is the Resultant Set of Policy
Snap-in. This tool displays policies in a graphical fashion much like that of the Group Policy
Management Editor. The RSoP snap-in has largely been replaced by similar functionality built
into the Group Policy Management Console.

Figure 195: Group Policy Tools (cont.)

In the past, the GPMC was a feature pack download for Windows Server 2003. Now, the GPMC
is the standard tool for managing group policies.


Acronyms
The following acronyms are used in this section:

A address (IPv4 host record)
AAAA address (IPv6 host record)
ADDS Active Directory Directory Services
ADMX Administrative Templates
ARPANET Advanced Research Projects Agency Network
CD compact disc
CNAME Canonical name record, alias record
DC domain controller
DLL dynamic-link library
DNAME Delegation name record
DNS Domain Name System
DVD-ROM digital versatile disc read-only memory
EFS Encrypting File System
FQDN fully qualified domain name
GC global catalog
GPMC Group Policy Management Console
GPO Group Policy object
IP Internet Protocol
IPSec IP Security
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
LAN local area network
LDAP Lightweight Directory Access Protocol
LOC Location record
LSDOU Local, Site, Domain, Organizational Unit
MD5 Message Digest 5
MMC Microsoft Management Console
MSI Microsoft Software Installer
MSU Microsoft Update Standalone Package
MX Mail exchange record
NAP Network Access Policy
NetBIOS Network Basic Input/Output System
NS name server record
OU organizational unit
PKI public key infrastructure

PTR Pointer record
RFC Request for Comments
RSAT Remote Server Administration Tools
RSoP Resultant Set of Policy
SOA Start of authority record
SRV Service location record
ST service ticket
TA Trust authority record
TCP Transmission Control Protocol
TGT ticket-granting ticket
TLD top-level domain
UAC User Account Control
USB Universal Serial Bus
WINS Windows Internet Naming Service
XML Extensible Markup Language
ZAP ZAW Down-level applications package


Section Review

Summary
The DNS Service is used to resolve DNS domain names into their corresponding IP
addresses. This is the naming standard used for the Internet at large and also for the
internal Active Directory environment.
Windows Server 2008 R2 Active Directory stores object information, authenticates
user identification, and implements group and security policies. The heart of Active
Directory is a distributed database that stores meaningful object information for the
Users, Groups, Computers, Contacts, Printers, and Shared folders objects. Active
Directory is made up of the following hierarchical collection of components: Forest,
Tree, Domain, Global catalog, Organizational Unit, Domain controller, and Site.
Before joining an Active Directory domain, the following requirements must be met:
The computer must be configured with a proper DNS server address.
The server address must allow the client to contact a domain controller.
The user must log on as a local administrator or equivalent.
To join an Active Directory domain, follow these steps:
1. Click Start, right-click Computer, and then select Properties.
2. Click the Change Settings link, and then click the Change button.
3. Select the Domain option, type the name of the domain you want to join, and then
click OK.
4. Type user name and password and then click OK.
5. Restart the computer.
To configure and edit Windows 7 local security policies, open the gpedit.msc console
and expand Computer Configuration, Windows Settings, and Security Settings.
To remotely administer Active Directory, use the following Windows 7 Active
Directory tools:

Tool                        Description
Remote command-line tools   Remotely manages either the local computer or the remote computers; many command-line tools are available
Remote Desktop              Connects to the server and runs tools and utilities as if sitting at server console
Windows 7 MMC tools         Focuses on remote computer management; the Computer Management Console is one example of the many tools available
RSAT                        Downloads and installs dozens of remote server MMC tools for free; each tool must be enabled in the administrative tools listing.
Figure 196: Windows 7 Active Directory Tools

ADMX templates house policy definitions for the Administrative Templates section
of a Group Policy. Using ADMX templates, you can configure thousands of possible
desktop and user settings.


To configure the Windows 7 Group Policy objects, open the gpmc.msc and either edit
an existing Group Policy object, or create a new one.
The four levels at which Group Policy objects can be applied are:
Local: These policies apply to the local computer or workstation.
Site: These policies apply to the subnet IDs that match the site that the computer
or user is located within.
Domain: These policies apply to all users and computers in the same domain.
Organizational Unit: These policies apply to all users and computers in the OU
that the policy is linked to.

Knowledge Check
1. Which of the following examples are fully qualified DNS names? (Choose all that apply.)
a. www.mycompany.westernstates.local
b. http://joe.com
c. Http://joe.com
d. Server1.managementdept.newyorkcity.manhattan.us
e. Server21
2. How are ADMX templates used to configure Administrative Templates settings?

3. Susan Winters has been tasked to configure the network settings on 34 Windows 7 computers. She
logs on to her Windows 7 management workstation named wks1.ziffcom.local. She clicks the
Start button and then types LOC in the Search box. She opens the local security policy as an
administrator. Has she begun to handle this task correctly?

4. Which criteria must be met before you can join an Active Directory domain?


5. What is the correct Group Policy processing order?
a. Domain, Site, OU, Group, OU, and OU.
b. Site, OU, OU, Domain, and Local.
c. They are processed in the order that they are written.
d. Local, Site, Domain, OU, and OU.
6. Which tool is used to configure and edit Windows 7 local security policies?
a. Remote Desktop
b. RSoP snap-in
c. gpedit.msc
d. Windows 7 MMC tools
7. Match each Windows 7 Active Directory tool with its correct description. Write the letter of the
description in the Answer column.

Answer        Active Directory Tool        Description
1._________   Remote command-line tools    A. Connects to the server and runs tools and utilities as if sitting at server console.
2._________   Remote Desktop               B. Remotely manages either the local computer or the remote computers; many command-line tools are available.
3._________   Windows 7 MMC tools          C. Downloads and installs dozens of remote server MMC tools for free; each tool must be enabled in the administrative tools listing.
4._________   RSAT                         D. Focuses on remote computer management; the Computer Management Console is one example of the many tools available.

8. What are the main goals of Windows Server 2008 R2 Active Directory? (Choose all that apply).
a. Stores object information
b. Authenticates user identification
c. Distributes software packages
d. Implements group and security policies
9. Briefly describe the process used to configure the Windows 7 local policy.


Knowledge Check Answer Key

The correct answers to the Knowledge Check questions are bolded.
1. Which of the following examples are fully qualified DNS names? (Choose all that apply.)
a. www.mycompany.westernstates.local
b. http://joe.com
c. Http://joe.com
d. Server1.managementdept.newyorkcity.manhattan.us
e. Server21
2. How are ADMX templates used to configure Administrative Templates Settings?
The security or configuration settings stored in ADMX templates are housed in the Windows
Server 2008 R2 central store and passed down to your Windows 7 workstations.
3. Susan Winters has been tasked to configure the network settings on 34 Windows 7 computers. She
logs on to her Windows 7 management workstation named wks1.ziffcom.local. She clicks the
Start button and then types LOC in the Search box. She opens the local security policy as an
administrator. Has she begun to handle this task correctly?
No, she would need to open up the Group Policy Management Console and configure a
Group Policy. The local security policy affects only the local machine that she is working on.
4. Which criteria must be met before you can join an Active Directory domain?
The computer must be configured with a proper DNS server address.
The server address must allow the client to contact a domain controller.
The user must log on as a local administrator or equivalent.
5. What is the correct Group Policy processing order?
a. Domain, Site, OU, Group, OU, and OU.
b. Site, OU, OU, Domain, and Local.
c. They are processed in the order that they are written.
d. Local, Site, Domain, OU, and OU.
6. Which tool is used to configure and edit Windows 7 local security policies?
a. Remote Desktop
b. RSoP snap-in
c. gpedit.msc
d. Windows 7 MMC tools


7. Match each Windows 7 Active Directory tool with its correct description. Write the letter of the
description in the Answer column.

Answer   Active Directory Tool        Description
1. B     Remote command-line tools    A. Connects to the server and runs tools and utilities as if sitting at server console.
2. A     Remote Desktop               B. Remotely manages either the local computer or the remote computers; many command-line tools are available.
3. D     Windows 7 MMC tools          C. Downloads and installs dozens of remote server MMC tools for free; each tool must be enabled in the administrative tools listing.
4. C     RSAT                         D. Focuses on remote computer management; the Computer Management Console is one example of the many tools available.

8. What are the main goals of Windows Server 2008 R2 Active Directory? (Choose all that apply).
a. Stores object information
b. Authenticates user identification
c. Distributes software packages
d. Implements group and security policies
9. Briefly describe the process used to configure the Windows 7 local policy.
Open the gpedit.msc console and expand Computer Configuration, Windows Settings, and
Security Settings to configure and edit Windows 7 local security policies.
