Configuring the Active Directory Domain Infrastructure
Contents of this module
This module introduces the Group Policy concepts required to secure Windows XP Professional clients in Windows Server 2003 and Windows 2000 Server domains. Group Policy is a feature of the Microsoft Active Directory directory service that lets administrators change user and computer settings and manage configurations. However, before applying Group Policy to the Windows XP Professional clients in your environment, some basic steps must be performed in the domain.
Group Policy is an important tool for securing Windows XP. This module provides detailed information on how to use Group Policy to apply and maintain a consistent security policy across the network from a central location.
This guide provides guidance for the enterprise client environment and the high security environment. The settings recommended in this module are the same for desktop and portable computer clients.
Objectives
This module enables you to:
Describe how Group Policy objects are applied in Active Directory
Design an organizational unit structure to support security management
Design Group Policy objects to support security management
Manage security templates
Manage administrative templates
Use Group Policy to implement an effective password policy
Use Group Policy to implement an effective account lockout policy
Determine which users can add workstations to the domain
Ensure that users are logged off when their permitted logon hours expire
Use the Group Policy management tools to refresh policy and view the results of Group Policy application
Applicability
This module applies to the following products and technologies:
Windows XP Professional clients in a Windows Server 2003 domain
Windows XP Professional clients in a Windows 2000 domain
How to use this module
This module provides a method and describes the steps required to secure Windows XP Professional clients in a Windows Server 2003 or Windows 2000 Active Directory domain by using Group Policy.
To fully understand the content of this module, read the Windows XP Security Guide, which defines the enterprise client environment and the high security environment referenced in this module.
Use the checklist. The checklist "Configure Active Directory Domain Infrastructure" in the Checklists section of this guide provides a printable job aid for quick reference. You can use this task-based checklist to quickly evaluate the required steps and to work through them step by step.
Use the Windows XP Security Guide Settings workbook provided with this guide. It helps you document the settings in your environment.
Use the included solutions. This guide references the following articles (in English):
"How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003"
"How To: Prevent Users from Changing a Password Except When Required in Windows 2000"
Group Policy
Group Policy is a feature of the Microsoft Active Directory service that lets you change user and computer settings and manage configurations in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server domains. However, before applying Group Policy to the Microsoft Windows XP Professional clients in your environment, some basic steps must be performed in the domain.
Group Policy settings are stored in Group Policy objects (GPOs) on the domain controllers in your environment. GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs). Because Group Policy is closely integrated with Active Directory, you need a basic understanding of the Active Directory structure, and of the security implications of the different Group Policy design options, before you implement Group Policy. For more information about Active Directory design, see Module 2, "Locking the Domain Infrastructure", in the Windows Server 2003 Security Guide.
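Because settings only take effect through the links between a GPO and a site, domain or OU, the practical check is always "what actually applies to this container, and in what order?". The following script, an added example that is not part of the Windows XP Security Guide, creates a GPO, links it to an OU and then prints the OU's own links, the inherited links and whether inheritance is blocked above it. It assumes the GroupPolicy PowerShell module (RSAT on Windows 7 / Windows Server 2008 R2 or later, which postdates the Windows Server 2003 tooling the guide describes); the domain corp.example.com, the OU path and the GPO name are constructed for the example.

```powershell
# Added example (not from the Windows XP Security Guide). Assumes the
# GroupPolicy PowerShell module and a domain "corp.example.com" with an
# existing "OU=Desktop Computers,OU=Windows XP,DC=corp,DC=example,DC=com".
# All names are constructed for this example.
Import-Module GroupPolicy

$domain  = 'corp.example.com'
$ouDn    = 'OU=Desktop Computers,OU=Windows XP,DC=corp,DC=example,DC=com'
$gpoName = 'Enterprise Client - Desktop'   # constructed GPO name

# 1. Create the GPO if it does not exist. The settings live in the GPO on the
#    domain controllers; nothing is applied until the GPO is linked.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Baseline desktop security'
}

# 2. Link it to the OU. -LinkEnabled Yes makes it apply; -Enforced No keeps the
#    normal precedence, so a GPO linked to a child OU could still override it.
$alreadyLinked = (Get-GPInheritance -Target $ouDn -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -Domain $domain -LinkEnabled Yes -Enforced No | Out-Null
}

# 3. Review what really applies to this container. Order 1 is the highest
#    precedence (applied last, so it wins conflicts). InheritedGpoLinks also
#    includes GPOs linked at the domain and site, and GpoInheritanceBlocked
#    shows whether "Block Inheritance" has been set on this OU.
$inh = Get-GPInheritance -Target $ouDn -Domain $domain
"Container: $($inh.Path)  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
"Links on this OU:"
$inh.GpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
"All GPOs applying here, in precedence order:"
$inh.InheritedGpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```

The third step is the one worth keeping in a change checklist: a GPO that is linked but disabled, outranked by a later link, or cut off by a blocked-inheritance flag on an intermediate OU will silently leave the workstation without the intended security settings.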
Table 2.1: Baseline Security Template
OU Design to Support Security Management
An OU is a container within an Active Directory domain. An OU can contain users, groups, computers, and other organizational units. You can link a GPO to an OU, which is the lowest-level container in the Active Directory hierarchy to which a GPO can be linked. You can also delegate administrative permissions on an OU. OUs provide a simple way to group users, computers, and other security principals, and an effective way to partition administrative boundaries. Assign users and computers to separate OUs, because some settings apply only to users while others apply only to computers.
You can delegate control of a group or of an individual OU by using the Delegation of Control Wizard, which is available as part of the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. For links to documentation on delegating permissions, see "More Information" at the end of this module.
One of the primary goals of designing an OU structure for any environment is to provide a foundation for a seamless Group Policy implementation that covers all workstations in Active Directory while ensuring that they meet your organization's security standards. Another goal of the OU design is to provide appropriate security settings for specific types of users in the organization. For example, developers may be allowed to perform operations on their workstations that ordinary users are not permitted to perform, and portable computer users have different security requirements from desktop computer users. The simple OU structure that follows is sufficient for the Group Policy discussion in this module; it may differ from the organizational requirements of your environment.
Figure 2.1: OU structure for Windows XP
Department OU
Because security requirements within an organization change frequently, it is useful to create a department OU in the environment. Department-specific security settings can then be applied through GPOs to the computers and users in each department's OU.
Secured XP Users OU
This OU contains the user accounts for both the enterprise client environment and the high security environment. The settings applied to this OU are discussed in the "User Configuration" section of Module 4, "Windows XP Administrative Templates".
Windows XP OU
This OU contains a child OU for each type of Windows XP client in the environment. Guidance is included here for desktop and portable computer clients; for that reason, a Desktop Computers OU and a Portable Computers OU have been created.
Desktop Computers OU: This OU contains desktop computers that are always connected to the corporate network. Module 3, "Windows XP Client Security Settings", and Module 4, "Windows XP Administrative Templates", describe in detail the settings applied to this OU.
Portable Computers OU: This OU contains portable computers for mobile users who are not always connected to the corporate network. Module 3, "Windows XP Client Security Settings", and Module 4, "Windows XP Administrative Templates", describe in detail the settings applied to this OU.
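The OU layout described above (a Department OU, a Secured XP Users OU, and a Windows XP OU with Desktop Computers and Portable Computers child OUs) can be built and then audited for delegated permissions with the following script. It is an added example, not part of the Windows XP Security Guide, and assumes the ActiveDirectory PowerShell module (RSAT on Windows 7 / Windows Server 2008 R2 or later) and the constructed domain corp.example.com; the helper name New-OuIfMissing is the example's own. The final step lists the explicit, non-inherited permissions on every OU so that anything granted through the Delegation of Control Wizard can be compared with what the organization intended.

```powershell
# Added example (not from the Windows XP Security Guide). Builds the OU
# structure of Figure 2.1 and lists delegated permissions on each OU.
# Assumes the ActiveDirectory module; "corp.example.com" is constructed.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example,DC=com'

# Parent container -> child OUs to create beneath it (users and computers
# deliberately land in separate OUs, as the text recommends).
$structure = [ordered]@{}
$structure[$domainDn]                 = @('Department', 'Secured XP Users', 'Windows XP')
$structure["OU=Windows XP,$domainDn"] = @('Desktop Computers', 'Portable Computers')

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    # A -Filter lookup returns nothing (instead of throwing) when the OU is absent.
    $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'"
    if (-not $existing) {
        # Protect the container that GPOs will be linked to from accidental deletion.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
        "Created $dn"
    } else {
        "Exists  $dn"
    }
}

foreach ($parent in $structure.Keys) {
    foreach ($child in $structure[$parent]) {
        New-OuIfMissing -Name $child -ParentDn $parent
    }
}

# Delegation review: show explicit (non-inherited) ACEs on every OU that were
# granted to principals other than the default administrative identities.
# Each line is a delegation someone made deliberately; it should be documented.
$defaultIdentities = 'BUILTIN\\|NT AUTHORITY\\|Domain Admins|Enterprise Admins|Domain Controllers|CREATOR OWNER'
Get-ADOrganizationalUnit -SearchBase $domainDn -Filter * |
    ForEach-Object {
        $ou = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference -notmatch $defaultIdentities } |
            Select-Object @{ n = 'OU'; e = { $ou } }, IdentityReference, ActiveDirectoryRights, AccessControlType
    } | Format-Table -AutoSize
```

Run the script from an account that can create OUs; the audit section is read-only and can be re-run periodically to catch delegations that were added outside the documented design.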