GPResult command: diagnostics of resulting group policies

Lecture 4

Topic: Network Policy Server: RADIUS Server, RADIUS Proxy, and Network Access Protection Policy Server

Introduction

Windows Server 2008 and Windows Server 2008 R2 are advanced Windows Server operating systems designed to enable a new generation of networks, applications, and Web services. With these operating systems, you can develop, deliver, and manage flexible and comprehensive experiences for users and applications, create highly secure network infrastructures, and increase technological efficiency within your organization.

Network Policy Server

Network Policy Server allows you to create and enforce organization-wide network access policies to ensure client health and authentication and authorization of connection requests. Additionally, NPS can be used as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers configured in remote RADIUS server groups.

Network Policy Server allows you to centrally configure and manage client authentication, authorization, and health policies when granting network access, using the following three capabilities:

RADIUS server. Network Policy Server centrally handles authentication, authorization, and accounting for wireless connections, authenticated switch connections, dial-up connections, and virtual private network (VPN) connections. When using NPS as a RADIUS server, network access servers, such as wireless access points and VPN servers, are configured as RADIUS clients on NPS. You also configure the network policies that NPS uses to authorize connection requests. In addition, you can configure RADIUS accounting so that NPS records the data in log files stored on the local hard drive or in a Microsoft SQL Server database.

RADIUS proxy. If NPS is used as a RADIUS proxy, you configure connection request policies that determine which connection requests NPS forwards to other RADIUS servers, and which specific RADIUS servers those requests are forwarded to. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

Network Access Protection (NAP) policy server. When NPS is configured as a NAP policy server, NPS evaluates the statements of health sent by NAP-capable client computers that attempt to connect to the network. NPS configured with Network Access Protection acts as a RADIUS server to authenticate and authorize connection requests. On NPS you can configure NAP policies and settings, including system health validators, health policies, and remediation server groups, which ensure that the configuration of client computers is updated to comply with your organization's network policy.

Network Policy Server can be configured with any combination of the above options. For example, a Network Policy Server can act as a Network Access Protection policy server using one or more enforcement methods, while simultaneously serving as a RADIUS server for remote access connections and as a RADIUS proxy that forwards some connection requests to a group of remote RADIUS servers, which allows authentication and authorization to be performed in a different domain.

RADIUS server and RADIUS proxy

The Network Policy Server can be used as a RADIUS server, a RADIUS proxy, or both at the same time.

RADIUS server

Microsoft Network Policy Server is implemented in accordance with the RADIUS standard, as described in IETF RFC 2865 and RFC 2866. As a RADIUS server, Network Policy Server centrally performs authentication, authorization, and accounting of connections for various types of network access, including wireless access, authenticated switch access, dial-up and VPN remote access, and router-to-router connections.

Network Policy Server supports a diverse set of wireless, dial-up, VPN, and switch equipment. Network Policy Server can be used with the Routing and Remote Access service that is available in Microsoft Windows 2000, Windows Server 2003, Standard Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

If the computer running NPS is a member of an Active Directory® domain, NPS uses this directory service as a user account database and is part of the single sign-on solution. The same set of credentials is used to control network access (authentication and authorization of network access) and to log into the Active Directory domain.

Internet service providers and organizations that provide network access face the increased challenge of managing all types of network access from a single point of administration, regardless of the network access equipment used. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. The RADIUS protocol is a client-server protocol that allows network access equipment (acting as RADIUS clients) to send authentication and accounting requests to a RADIUS server.

The RADIUS server has access to the user's account information and can validate credentials during authentication to grant network access. If the user's credentials are valid and the connection attempt is authorized, the RADIUS server authorizes the user's access based on the specified conditions and logs the connection information in the log. Using the RADIUS protocol allows you to collect and maintain authentication, authorization, and accounting information in a single location instead of having to perform this operation on each access server.
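The client-server exchange described above, as an added example in Python that is not part of the original lecture: it encodes RFC 2865 attributes, hides the User-Password with the shared secret as the standard requires, and verifies the Response Authenticator so that a RADIUS client (NAS) only trusts replies computed with the same shared secret. The user name, NAS address and shared secret are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865 (only the ones used here)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: type, total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value is limited to 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute area of a packet, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length points outside the packet")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident, secret, username, password, nas_ip):
    """What the NAS (RADIUS client) sends to NPS; the Request Authenticator must be random."""
    request_auth = secrets.token_bytes(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request_packet, secret, attrs=()):
    """What the RADIUS server answers; the authenticator binds the reply to the request and secret."""
    ident, request_auth = request_packet[1], request_packet[4:HEADER_LEN]
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_response(response, request_packet, secret):
    """Client-side check: accept a reply only if its authenticator matches our request and secret."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request_packet[1]:
        return False
    expected = response_authenticator(code, ident, response[HEADER_LEN:], request_packet[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo():
    """Exchange with a constructed shared secret; a reply built with another secret must fail."""
    secret = b"constructed-shared-secret"
    request = build_access_request(7, secret, "alice", "P@ssw0rd!", "10.0.0.5")
    accept = build_response(ACCESS_ACCEPT, request, secret, [(ATTR_USER_NAME, b"alice")])
    forged = build_response(ACCESS_ACCEPT, request, b"some-other-secret")
    return verify_response(accept, request, secret), verify_response(forged, request, secret)
```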

RADIUS proxy

As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers.

With Network Policy Server, organizations can outsource their remote access infrastructure to a service provider while maintaining control over user authentication, authorization, and accounting.

Network Policy Server configurations can be created for the following scenarios:

  • wireless access;
  • remote access or virtual private network connections within an organization;
  • remote access or wireless access provided by an external organization;
  • Internet access;
  • authenticated access to external network resources for business partners.

Examples of RADIUS server and RADIUS proxy configurations

The following configuration examples demonstrate how to configure NPS as a RADIUS server and RADIUS proxy.

NPS as a RADIUS server. In this example, the NPS server is configured as a RADIUS server, the only policy configured is the default connection request policy, and all connection requests are processed by the local NPS server. Network Policy Server can authenticate and authorize users whose accounts are in the server's domain or in trusted domains.

NPS as a RADIUS proxy. In this example, NPS is configured as a RADIUS proxy that forwards connection requests to groups of remote RADIUS servers in two different untrusted domains. The default connection request policy is removed and replaced by two new connection request policies that forward requests to each of the two untrusted domains. In this example, NPS does not process connection requests on the local server.

NPS as both RADIUS server and RADIUS proxy. In addition to the default connection request policy that processes requests locally, a new connection request policy is created that forwards them to NPS or another RADIUS server in an untrusted domain. The second policy is named Proxy. In this example, the Proxy policy appears first in the ordered list of policies. If a connection request matches the Proxy policy, the connection request is forwarded to a RADIUS server in the remote RADIUS server group. If a connection request does not match the Proxy policy, but does match the default connection request policy, Network Policy Server processes the connection request on the local server. If a connection request does not meet any of these policies, it is rejected.

NPS as a RADIUS server with remote accounting servers. In this example, the local NPS is not configured for accounting, and the default connection request policy is modified so that RADIUS accounting messages are forwarded to the NPS or another RADIUS server in the group of remote RADIUS servers. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and related functions for the local domain and all trusted domains are performed by the local NPS server.

NPS with remote RADIUS to Windows user mapping. In this example, NPS acts as both a RADIUS server and a RADIUS proxy for each individual connection request, forwarding the authentication request to a remote RADIUS server while performing authorization using the local Windows user account. This configuration is implemented by setting the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. (In addition, you must create a local user account on the RADIUS server with the same name as the remote user account that will be authenticated by the remote RADIUS server.)

Network Access Protection Policy Server

Network Access Protection is included in Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. It helps secure access to private networks by ensuring that client computers comply with the health policies in effect on the organization's network before those clients are allowed to access network resources. In addition, the client computer's compliance with the administrator-defined health policy is monitored by Network Access Protection while the client computer is connected to the network. With the Network Access Protection automatic remediation feature, non-compliant computers can be automatically brought into compliance with the health policy, after which they can be granted network access.

System administrators define network health policies and create those policies using Network Access Protection components that are available from Network Policy Server or are provided by other companies (depending on the Network Access Protection implementation).

Health policies can include characteristics such as software requirements, security update requirements, and configuration parameter requirements. Network Access Protection enforces health policies by checking and assessing the health of client computers, restricting network access for computers that do not meet these requirements, and remediating the non-compliance so that unrestricted network access can be granted.

The GPResult.exe utility is a console application designed to analyze settings and diagnose the group policies that apply to a computer and/or user in an Active Directory domain. In particular, GPResult allows you to obtain data about the Resultant Set of Policy (RSoP), a list of applied domain policies (GPOs), their settings, and detailed information about errors in their processing. The utility has been part of Windows since Windows XP. GPResult lets you answer questions such as: whether a specific policy applies to the computer, which GPO changed a particular Windows setting, and why.

In this article, we will look at the features of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

Initially, the RSOP.msc graphical console was used to diagnose the application of group policies in Windows; it showed the settings of the resulting (domain + local) policies applied to the computer and the user in a graphical form similar to the GPO editor console (in the example view of the RSOP.msc console you could see that the update settings are set).

However, it is not advisable to use the RSOP.msc console in modern versions of Windows, because it does not reflect settings applied by various client-side extensions (CSEs), such as Group Policy Preferences (GPP), does not allow searching, and provides little diagnostic information. Therefore, at the moment, the GPResult command is the main tool for diagnosing GPO application in Windows (in Windows 10 a warning even appears that RSOP does not provide a complete report, unlike GPResult).

Using the GPResult.exe utility

The GPResult command is run on the computer on which you want to check the application of group policies. The GPResult command has the following syntax:

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (that is, the resulting GPO policy settings, RSoP), run the command:

gpresult /r

The results of the command are divided into 2 sections:

  • COMPUTER SETTINGS (Computer Configuration) – the section contains information about the GPOs applied to the computer (as an Active Directory object);
  • USER SETTINGS – the user policies section (policies that apply to the user account in AD).

Let's briefly go over the main parameters/sections of the GPResult output that may interest us:

  • Site Name – name of the AD site in which the computer is located;
  • CN – the full canonical name of the user/computer for which the RSoP data was generated;
  • Last time Group Policy was applied – time when group policies were last applied;
  • Group Policy was applied from – the domain controller from which the latest version of the GPOs was loaded;
  • Domain Name and Domain Type – name and version of the Active Directory domain schema;
  • Applied Group Policy Objects – list of the GPOs that were applied;
  • The following GPOs were not applied because they were filtered out – GPOs that were not applied (filtered out);
  • The user/computer is a part of the following security groups – domain groups of which the user/computer is a member.

In our example, you can see that the user object is subject to 4 group policies.

  • Default Domain Policy;
  • Enable Windows Firewall;
  • DNS Suffix Search List;
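To turn the sections listed above into something that can be checked automatically, here is an added example in Python that is not from the original article: it parses constructed gpresult /r text output and answers, for a given GPO, whether it was applied to the object or why it was filtered out. The sample report, host name and GPO names are constructed for illustration; only the heading texts follow the real output.

```python
import re

# Constructed sample of `gpresult /r` output (names and host are made up);
# the headings follow the sections described in the text above.
SAMPLE_REPORT = """\
RSOP data for TN\\edward on WKS01 : Logging Mode
------------------------------------------------

USER SETTINGS
--------------
    CN=Edward,OU=Users,DC=tn,DC=local
    Last time Group Policy was applied: 3/12/2024 at 9:14:02 AM
    Group Policy was applied from:      dc01.tn.local
    Domain Name:                        TN

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Enable Windows Firewall
        DNS Suffix Search List

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Restrict USB Storage
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Authenticated Users
"""

SECTION_HEADINGS = ("COMPUTER SETTINGS", "USER SETTINGS")
LIST_HEADINGS = {  # distinctive part of the heading -> key in the parsed section
    "Applied Group Policy Objects": "applied",
    "were not applied because they were filtered out": "filtered",
    "is a part of the following security groups": "groups",
}
FIELD_RE = re.compile(r"^(Last time Group Policy was applied|Group Policy was applied from|Domain Name|Domain Type):\s*(.*)$")


def parse_gpresult(text):
    """Return {section: {"fields", "applied", "filtered", "groups"}} from gpresult /r text."""
    report, section, current_list, last_gpo = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:  # skip blank lines and dashed underlines
            continue
        if line in SECTION_HEADINGS:
            section = report.setdefault(line, {"fields": {}, "applied": [], "filtered": {}, "groups": []})
            current_list = None
            continue
        if section is None:  # preamble before the first section
            continue
        list_key = next((k for h, k in LIST_HEADINGS.items() if h in line), None)
        if list_key:
            current_list, last_gpo = list_key, None
            continue
        if line.startswith("CN="):
            section["fields"]["CN"] = line
            continue
        field = FIELD_RE.match(line)
        if field:
            section["fields"][field.group(1)] = field.group(2).strip()
            continue
        if current_list == "applied":
            section["applied"].append(line)
        elif current_list == "filtered":
            if line.startswith("Filtering:"):  # reason line belongs to the preceding GPO name
                if last_gpo is not None:
                    section["filtered"][last_gpo] = line.split(":", 1)[1].strip()
            else:
                last_gpo = line
                section["filtered"].setdefault(line, "reason not reported")
        elif current_list == "groups":
            section["groups"].append(line)
    return report


def gpo_status(report, section_name, gpo_name):
    """Answer the question the text poses: is this GPO applied, and if not, why not?"""
    section = report.get(section_name)
    if section is None:
        return "section not present"
    if gpo_name in section["applied"]:
        return "applied"
    if gpo_name in section["filtered"]:
        return "filtered: " + section["filtered"][gpo_name]
    return "not linked to this object"


def missing_baseline_gpos(report, section_name, required):
    """Baseline GPOs (e.g. a firewall policy) that are not actually in effect for the object."""
    return [g for g in required if gpo_status(report, section_name, g) != "applied"]
```

The same parser works on the output of `gpresult /r /scope:computer` or a remote `gpresult /s <host> /r` saved to a file, since only the COMPUTER SETTINGS section changes.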

If you do not want information about both user and computer policies to be displayed in the console at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

gpresult /r /scope:user

or only applied computer policies:

gpresult /r /scope:computer

Because the GPResult utility outputs its data directly to the command-line console, which is not always convenient for subsequent analysis, its output can be redirected to the clipboard:

gpresult /r | clip

or text file:

Gpresult /r > c:\gpresult.txt

To display super-detailed RSOP information, you need to add the /z switch.

HTML RSOP report using GPResult

In addition, the GPResult utility can generate an HTML report of the resulting applied policies (available on Windows 7 and higher). This report contains detailed information about all system settings that are set by group policies and the names of the specific GPOs that set them (the structure of the report resembles the Settings tab in the Group Policy Management Console, GPMC). You can generate an HTML GPResult report using the command:

GPResult /h c:\gp-report\report.html /f

To generate a report and automatically open it in a browser, run the command:

GPResult /h GPResult.html & GPResult.html

The GPResult HTML report contains quite a lot of useful information: errors in GPO application are shown, as are the processing time (in ms) and the application of specific policies and CSEs (in the Computer Details -> Component Status section). For example, in the screenshot above you can see that the policy with the 24 passwords remembered setting is applied by the Default Domain Policy (Winning GPO column). As you can see, this HTML report is much more convenient for analyzing applied policies than the rsop.msc console.

Receiving GPResult data from a remote computer

GPResult can also collect data from a remote computer, eliminating the need for the administrator to log in locally or RDP to the remote computer. The command format for collecting RSOP data from a remote computer is as follows:

GPResult /s server-ts1 /r

Similarly, you can remotely collect data from both user policies and computer policies.

User username does not have RSOP data

When UAC is enabled, running GPResult without elevated privileges displays only the user section of the group policy settings. If you need to display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run from an elevated command prompt. If the elevated command prompt is running under a different account than the currently logged-on user, the utility issues the warning INFO: The user "domain\user" does not have RSOP data. This happens because GPResult tries to collect information for the user who launched it, but that user has not logged on, so there is no RSoP data for them. To collect RSoP information for a user with an active session, specify that account:

gpresult /r /user:tn\edward

If you do not know the name of the account that is logged in on the remote computer, you can get the account like this:

qwinsta /SERVER:remotePC1

Also check the time on the client: it must match the time on the PDC (Primary Domain Controller).

The following GPO policies were not applied because they were filtered out

When troubleshooting group policies, you should also pay attention to the section The following GPOs were not applied because they were filtered out. It lists the GPOs that, for one reason or another, were not applied to this object; the reason is reported in the Filtering line next to each GPO.


You can also understand whether the policy should be applied to a specific AD object on the effective permissions tab (Advanced -> Effective Access).

So, in this article we looked at the features of diagnosing the application of group policies using the GPResult utility and looked at typical scenarios for its use.

When installing Windows, most of the minor subsystems are not activated or installed. This is done for security reasons. Because the system is secure by default, system administrators can focus on designing a system that will perform exactly its intended functions and nothing else. To help you enable the features you need, Windows prompts you to select a Server Role.

Roles

A server role is a set of programs that, when properly installed and configured, allow a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

  • They define the primary function, purpose, or use of a computer. You can designate a computer to perform a single role that is used heavily in your enterprise, or to perform multiple roles if each is used only occasionally.
  • Roles give users throughout your organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
  • They typically have their own databases that queue user or computer requests or record information about network users and computers that are relevant to the role. For example, Active Directory Domain Services contains a database to store the names and hierarchical relationships of all computers on a network.
  • Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

Role Services

Role services are programs that provide the functionality of roles. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as DNS Server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have multiple services that can be installed depending on your business's remote access needs. A role can be viewed as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

Components

Components (features) are programs that are not directly part of roles, but support or extend the functionality of one or more roles or of the entire server, regardless of which roles are installed. For example, the Failover Clustering feature extends the functionality of other roles, such as File Services and DHCP Server, by allowing them to join server clusters, providing increased redundancy and performance. Another component, Telnet Client, provides remote communication with a Telnet server over a network connection. This feature enhances the communication capabilities of the server.

When Windows Server is running in Server Core mode, the following server roles are supported:

  • Active Directory Certificate Services;
  • Active Directory Domain Services;
  • DHCP Server;
  • DNS Server;
  • File Services (including File Server Resource Manager);
  • Active Directory Lightweight Directory Services;
  • Hyper-V;
  • Print and Document Services;
  • Streaming Media Services;
  • Web Server (including a subset of ASP.NET);
  • Windows Server Update Services;
  • Active Directory Rights Management Services;
  • Routing and Remote Access Server;
  • Remote Desktop Services, with the following sub-roles:
    • Remote Desktop Connection Broker;
    • Licensing;
    • Virtualization.

When Windows Server is running in Server Core mode, the following server components are supported:

  • Microsoft .NET Framework 3.5;
  • Microsoft .NET Framework 4.5;
  • Windows PowerShell;
  • Background Intelligent Transfer Service (BITS);
  • BitLocker Drive Encryption;
  • BitLocker Network Unlock;
  • BranchCache;
  • Data Center Bridging;
  • Enhanced Storage;
  • Failover Clustering;
  • Multipath I/O;
  • Network Load Balancing;
  • Peer Name Resolution Protocol (PNRP);
  • qWave;
  • Remote Differential Compression;
  • Simple TCP/IP Services;
  • RPC over HTTP Proxy;
  • SMTP Server;
  • SNMP Service;
  • Telnet Client;
  • Telnet Server;
  • TFTP Client;
  • Windows Internal Database;
  • Windows PowerShell Web Access;
  • Windows Process Activation Service;
  • Windows Standards-Based Storage Management;
  • WinRM IIS Extension;
  • WINS Server;
  • WoW64 Support.

Installing server roles using Server Manager

To add a role, open Server Manager and in the Manage menu click Add Roles and Features. The Add Roles and Features Wizard opens; go through its pages:

  • on the first page, click Next;
  • Installation Type – select Role-based or feature-based installation and click Next;
  • Server Selection – select our server and click Next;
  • Server Roles – select the roles and, if necessary, their role services, then click Next to select features.

During this procedure, the Add Roles and Features Wizard automatically informs you if there are any conflicts on the destination server that might prevent the selected roles or features from installing or functioning properly. You are also prompted to add the roles, role services, and features that are required by the selected roles or features.

Installing roles using PowerShell

Open Windows PowerShell and enter the Get-WindowsFeature command to view a list of the available and installed roles and features on the local server. The results of this cmdlet contain the command names for the roles and features that are installed and available for installation.

Type Get-Help Install-WindowsFeature to view the syntax and valid parameters of the Install-WindowsFeature cmdlet.

Enter the following command, where <feature_name> is the command name shown by Get-WindowsFeature (-Restart restarts the server if a reboot is required to install the role):

Install-WindowsFeature -Name <feature_name> -Restart

Description of roles and role services

All roles and role services are described below. Let's look at advanced configuration for the ones most common in our practice: the Web Server role and Remote Desktop Services.

Detailed description of IIS

  • Common HTTP Features - Basic HTTP components
    • Default Document - allows you to set an index page for the site.
    • Directory Browsing - allows users to see the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files present in a directory when users do not specify a file in the URL and the index page is disabled or not configured.
    • HTTP Errors - allows you to configure error messages returned to clients in the browser.
    • Static Content - allows you to post static content, for example, pictures or html files.
    • HTTP Redirection - provides support for redirecting user requests.
    • WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
  • Health and Diagnostics Features - Diagnostic components
    • HTTP Logging provides logging of website activity for a given server.
    • Custom Logging provides support for creating custom logs that are different from “traditional” logs.
    • Logging Tools provides an infrastructure for managing web server logs and automating common logging tasks.
    • ODBC Logging provides an infrastructure that supports logging of web server activity in an ODBC-compliant database.
    • Request Monitor provides an infrastructure for monitoring the health of web applications by collecting information about HTTP requests in the IIS worker process.
    • Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-capture events such as poor performance or authentication failures.
  • Performance components increase web server performance.
    • Static Content Compression provides the infrastructure for setting up HTTP compression of static content.
    • Dynamic Content Compression provides the infrastructure for setting up HTTP compression of dynamic content.
  • Security - security components
    • Request Filtering screens all incoming requests to the server and filters them based on rules set by the administrator.
    • Basic Authentication enables the basic HTTP authentication scheme.
    • Centralized SSL Certificate Support is a feature that allows you to store certificates in a centralized location, such as a file share.
    • Client Certificate Mapping Authentication uses client certificates to authenticate users.
    • Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need a higher level of security than basic authentication, consider using Digest authentication.
    • IIS Client Certificate Mapping Authentication uses client certificates to authenticate users. A client certificate is a digital ID obtained from a trusted source.
    • IP and Domain Restrictions allows you to allow or deny access based on the requesting IP address or domain name.
    • URL Authorization allows you to create rules that restrict access to web content.
    • Windows Authentication allows Windows domain administrators to take advantage of the domain infrastructure to authenticate users.
  • Application Development Features - application development components
  • FTP Server
    • FTP Service enables FTP publishing on the web server.
    • FTP Extensibility includes support for FTP features that extend the capabilities of
  • Management Tools
    • IIS Management Console installs IIS Manager, which allows you to manage the web server through a graphical interface.
    • IIS 6.0 Management Compatibility provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and Active Directory Service Interfaces (ADSI) APIs. This allows existing IIS 6.0 scripts to be used with an IIS 8.0 web server.
    • IIS Management Scripts and Tools provide the infrastructure for managing the IIS web server programmatically, using commands in a Command Prompt window, or by running scripts.
    • Management Service provides the infrastructure for configuring the IIS Manager user interface.

Detailed description of RDS

  • Remote Desktop Connection Broker - Provides reconnection of the client device to programs based on desktop computer sessions and virtual desktops.
  • Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
  • Remote Desktop Licensing - RDP license management tool.
  • Remote Desktop Session Host - enables a server to host RemoteApp programs or session-based desktops.
  • Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines.
  • Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or a web browser.

Let's look at installing and configuring a terminal license server. The above describes how to install roles, installing RDS is no different from installing other roles; in Role Services we will need to select Remote Desktop Licensing and Remote Desktop Session Host. After installation, the Terminal Services item will appear in Server Manager-Tools. Terminal Services has two items: RD Licensing Diagnoser, which is a diagnostic tool for remote desktop licensing, and Remote Desktop Licensing Manager, which is a license management tool.

Let's launch RD Licensing Diagnoser.

Here we see that there are no licenses available yet because the licensing mode for the Remote Desktop Session Host server is not set. The licensing server is specified in local group policies. To launch the editor, run the gpedit.msc command. The Local Group Policy Editor will open. In the tree on the left, let's open the tabs:

  • Computer Configuration
  • Administrative Templates
  • Windows Components
  • "Remote Desktop Services"
  • "Remote Desktop Session Host"
  • "Licensing"

Open the Use the specified Remote Desktop license servers policy setting.

In the policy settings editing window, enable the licensing server (Enabled). Next, you need to determine the licensing server for Remote Desktop Services. In my example, the licensing server is located on the same physical server. Specify the network name or IP address of the license server and click OK. If you change the server name in the future, the license server will need to be changed in the same section.

After this, in RD Licensing Diagnoser you can see that the terminal license server is configured, but not activated. To activate it, launch Remote Desktop Licensing Manager.

Select a licensing server with the status Not Activated. To activate, right-click on it and select Activate Server. The Server Activation Wizard will launch. On the Connection Method tab, select Automatic Connection. Next, fill in information about the organization, after which the license server is activated.

Active Directory Certificate Services

AD CS provides customizable digital certificate services that are used in software security systems that rely on public key technology, and the management of these certificates. Digital certificates issued by AD CS can be used for encryption and for digitally signing electronic documents and messages. These digital certificates can be used to verify the identity of computer, user, and device accounts on the network. Digital certificates are used to ensure:

  • privacy through encryption;
  • integrity using digital signatures;
  • authentication by associating certificate keys with computer, user, and device accounts on the network.

AD CS can be used to improve security by binding the identity of a user, device, or service to the corresponding private key. Applications supported by AD CS include Secure Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), IPsec, Encrypting File System (EFS), smart card logon, Secure Sockets Layer and Transport Layer Security (SSL/TLS), and digital signatures.

Active Directory Domain Services

Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for managing users and resources; you can also support directory-aware applications such as Microsoft Exchange Server. Active Directory Domain Services provides a distributed database that stores and manages information about network resources and directory-enabled application data. A server that runs AD DS is called a domain controller. Administrators can use AD DS to organize network elements such as users, computers, and other devices into a hierarchical, nested structure. This structure includes the Active Directory forest, the domains within the forest, and the organizational units within each domain. Security features are integrated into AD DS in the form of authentication and access control for resources in the directory. With network single sign-on, administrators can manage directory data and organization across the network, and authorized users can access resources located anywhere on the network. Active Directory Domain Services provides the following additional features.

  • A set of rules, the schema, which defines the object classes and attributes contained in the directory, the constraints and limits on instances of those objects, and the format of their names.
  • A global catalog that contains information about each object in the catalog. Users and administrators can use the global catalog to search for directory data, regardless of which domain in the directory actually contains the data they are looking for.
  • A query and indexing engine through which objects and their properties can be published and located by network users and applications.
  • A replication service that distributes directory data across a network. All writable domain controllers in the domain participate in replication and maintain a complete copy of all directory data for their domain. Any changes to directory data are replicated across the domain to all domain controllers.
  • Operations master roles (also known as flexible single-master operations, or FSMO). Domain controllers, which act as operations masters, are designed to perform specific tasks to ensure data consistency and eliminate conflicting directory entries.

Active Directory Federation Services

AD FS provides simplified and secure identity federation and web-based single sign-on (SSO) capabilities to end users who need to access applications in an AD FS-protected enterprise, at a federation partner, or in the cloud. On Windows Server, AD FS includes the Federation Service role service, which acts either as an identity provider (authenticates users and issues security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then issues security tokens to applications that trust AD FS).

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service that provides flexible support for directory-enabled applications without the dependencies and domain restrictions of Active Directory Domain Services. AD LDS can run on member or standalone servers, and multiple instances of AD LDS with independently managed schemas can run on a single server. By using the AD LDS role, you can provide directory services to directory-aware applications without the overhead of domains and forests and without requiring a single forest-wide schema.

Active Directory Rights Management Services

AD RMS can be used to enhance an organization's security strategy by protecting documents using information rights management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This helps protect confidential information from being printed, forwarded, or copied by unauthorized users. Once file permissions are restricted using IRM, access and use restrictions are enforced regardless of the location of the information because the file permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own personal preferences regarding the sharing of personal and sensitive information. They will also help the organization apply corporate policies to govern the use and dissemination of confidential and personal information. IRM solutions supported by AD RMS services are used to provide the following capabilities.

  • Persistent usage policies that remain with information regardless of whether it is moved, sent, or forwarded.
  • An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information and email messages - from falling into the wrong hands, either intentionally or accidentally.
  • Prevent authorized recipients from unauthorized forwarding, copying, modification, printing, faxing, or pasting of restricted content.
  • Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
  • Support for file expiration, which prevents the contents of documents from being viewed after a specified period of time.
  • Implement enterprise policies that govern the use and distribution of content within the organization

Application Server

Application Server provides an integrated environment for deploying and running custom server-based business applications.

DHCP Server

DHCP is a client-server technology in which DHCP servers assign or lease IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides IPv4- and IPv6-based client computers and other network devices with valid IP addresses and the additional configuration parameters those clients and devices require. The DHCP Server service in Windows Server includes support for policy-based assignment and DHCP failover.

DNS Server

The DNS service is a hierarchical, distributed database containing mappings of DNS domain names to various types of data, such as IP addresses. DNS allows you to use friendly names, such as www.microsoft.com, to make it easier to locate computers and other resources on TCP/IP-based networks. Windows Server DNS provides additional, enhanced support for DNS Security Extensions (DNSSEC), including online registration and automated settings management.

FAX Server

The fax server sends and receives faxes, and also gives you the ability to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

File and Storage Services

Administrators can use the File and Storage Services role to configure multiple file servers and their storage, and to manage those servers using Server Manager or Windows PowerShell. Specific features include the following.

  • Work folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere. Organizations control corporate data by storing files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
  • Data deduplication. Use to reduce disk space requirements for storing files, saving on storage costs.
  • iSCSI target server. Use to create centralized, software and hardware-independent iSCSI disk subsystems in storage area networks (SAN).
  • Storage Spaces. Use to deploy highly available storage that is resilient and scalable using cost-effective, industry-standard disks.
  • Server Manager. Use to remotely manage multiple file servers from a single window.
  • Windows PowerShell. Use to automate the management of most file server administration tasks.

Hyper-V

The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs its prerequisites as well as optional management tools. Required components include the Windows hypervisor, the Hyper-V Virtual Machine Management service, the WMI virtualization provider, and virtualization components such as VMbus, the virtualization service provider (VSP), and the virtual infrastructure driver (VID).

Network Policy and Access Services

Network Policy and Access Services provides the following solutions for network connections:

  • Network Access Protection is a technology for creating, enforcing, and repairing client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include software requirements, security updates, and other settings. Client computers that do not meet the health policy requirements can be restricted from accessing the network until their configuration is updated to meet the health policy requirements.
  • If you have deployed 802.1X-enabled wireless access points, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods, which are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
  • Instead of configuring a network access policy on each network access server, you can centrally create all policies that define every aspect of network connection requests (who can connect, when the connection is allowed, and the level of security that must be used to connect to the network).

Print and Document Services

Print and Document Services allows you to centralize print server and network printer tasks. This role also allows you to receive scanned documents from network scanners and upload documents to network shares such as a Windows SharePoint Services site or e-mail.

Remote Access

The Remote Access server role is a logical grouping of the following network access technologies.

  • DirectAccess
  • Routing and remote access
  • Web Application Proxy

These technologies are role services of the Remote Access server role. When you install the Remote Access server role, you can install one or more of these role services using the Add Roles and Features Wizard.

In Windows Server, the Remote Access server role provides the ability to centrally administer, configure, and monitor DirectAccess and VPN remote access services together with the Routing and Remote Access Service (RRAS). DirectAccess and RRAS can be deployed on the same edge server and managed using Windows PowerShell commands and the Remote Access Management Console (MMC).

Remote Desktop Services

Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, increasing remote worker productivity while securing critical intellectual property and simplifying regulatory compliance. Remote Desktop Services includes virtual desktop infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

Volume Activation Services

Volume Activation Services is a server role, available since Windows Server 2012, that automates and simplifies the issuance of volume licenses for Microsoft software and the management of those licenses in various scenarios and environments. Along with Volume Activation Services, you can install and configure Key Management Service (KMS) and Active Directory-based activation.

Web Server (IIS)

The Web Server (IIS) role in Windows Server provides a platform for hosting websites, services, and applications. Using a web server makes information available to users on the Internet, an intranet, or an extranet. Administrators can use the Web Server (IIS) role to configure and manage multiple websites, web applications, and FTP sites. Available features include the following.

  • Use Internet Information Services Manager to configure IIS components and administer websites.
  • Use FTP to allow website owners to upload and download files.
  • Use website isolation to prevent one website on a server from affecting others.
  • Host web applications developed using various technologies such as Classic ASP, ASP.NET, and PHP.
  • Use Windows PowerShell to automatically manage most web server administration tasks.
  • Combine multiple web servers into a server farm that can be managed using IIS.

Windows Deployment Services

Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

Windows Server Essentials Experience

This role allows you to solve the following tasks:

  • protect server and client data by creating backups of the server and of all client computers on the network;
  • manage users and user groups through a simplified server dashboard. Additionally, integration with Windows Azure Active Directory gives users easy access to Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
  • store company data in a centralized location;
  • integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune);
  • use the server's anywhere-access features (for example, Remote Web Access and virtual private networks) to reach the server, network computers, and data from remote locations with a high degree of security;
  • access data from anywhere and from any device using the organization's own web portal (via Remote Web Access);
  • manage mobile devices that access your organization's email through Office 365 via the ActiveSync protocol from the dashboard;
  • monitor network health and receive custom health reports; reports can be generated on demand, customized, and emailed to specific recipients.

Windows Server Update Services

The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When you implement WSUS, at least one WSUS server on your network must be connected to Microsoft Update to receive information about available updates. Depending on your network security and configuration, your administrator can determine how many other servers are directly connected to Microsoft Update.

The functionality of the Windows Server operating system grows and improves from version to version; there are more and more roles and features, so in today's material I will briefly describe the purpose of each role in Windows Server 2016.

Before we move on to describing Windows Server roles, let's find out what a "Server role" is in the Windows Server operating system.

What is a "Server Role" in Windows Server?

A server role is a software package that lets the server perform a certain function, and that function is its main one. In other words, a "server role" is the purpose of the server, i.e. what it is for. So that the server can perform its main function, i.e. a certain role, the "server role" includes all the software necessary for it (programs, services).

A server can have one role if that role is used intensively, or several roles if each of them does not heavily load the server and is used rarely.

A server role can include multiple role services that provide the functionality of the role. For example, the "Web Server (IIS)" role includes a fairly large number of role services, while the "DNS Server" role has no role services because it performs only one function.

Role services can be installed together or individually depending on your needs. At its core, installing a role means installing one or more of its role services.

Windows Server also has server "features".

Server features are software that is not a server role but extends the capabilities of one or more roles, or manages one or more roles.

Some roles cannot be installed if the role services or features they depend on are not installed on the server. Therefore, when you install such a role, the "Add Roles and Features Wizard" itself automatically prompts you to install the required additional role services or features.

Description of Windows Server 2016 server roles

You are probably already familiar with many of the roles in Windows Server 2016, since they have existed for quite a long time, but, as I already said, each new version of Windows Server adds new roles that you may not have worked with yet but would like to understand, so let's start looking at them.

Note! You can read about the new features of the Windows Server 2016 operating system in the material "Installing Windows Server 2016 and an overview of new features".

Since roles, role services and features are very often installed and administered using Windows PowerShell, for each role and each of its role services I will give the name that can be used in PowerShell to install or manage it.

DHCP server

This role allows you to centrally configure dynamic IP addresses and associated settings for computers and devices on your network. The DHCP Server role does not have role services.

The name for Windows PowerShell is DHCP.

DNS server

This role is intended for name resolution on TCP/IP networks. The DNS Server role provides and maintains DNS. To make DNS server management easier, it is typically installed on the same server as Active Directory Domain Services. The DNS Server role does not have role services.

The role name for PowerShell is DNS.

Hyper-V

Using the Hyper-V role, you can create and manage a virtualized environment. In other words, it is a tool for creating and managing virtual machines.

The role name for Windows PowerShell is Hyper-V.

Device Health Attestation

The Device Health Attestation role allows you to evaluate device health based on measured security parameters, such as the Secure Boot and BitLocker status on the client.

For this role to function, quite a few role services and features are required, for example: several role services from the "Web Server (IIS)" role, the " " feature, and the ".NET Framework 4.6 Features" feature.

During installation, all required role services and features are selected automatically. The "Device Health Attestation" role has no role services of its own.

The name for PowerShell is DeviceHealthAttestationService.

Web server (IIS)

Provides a reliable, manageable and scalable web application infrastructure. Consists of a fairly large number of services (43).

The name for Windows PowerShell is Web-Server.

Includes the following role services ( in brackets I will indicate the name for Windows PowerShell):

Web Server (Web-WebServer) – a group of role services that provides support for HTML websites and for ASP.NET, ASP, and web server extensions. Consists of the following services:

  • Security (Web-Security) – a set of services to ensure web server security:
    • Request filtering (Web-Filtering) - using these tools you can process all requests arriving on the server and filter these requests based on special rules set by the web server administrator;
    • IP address and domain restrictions (Web-IP-Security) - these tools allow you to allow or deny access to content on the web server based on the IP address or domain name of the source in the request;
    • URL Authorization (Web-Url-Auth) - Tools allow you to develop rules to restrict access to web content and associate them with users, groups, or HTTP header commands;
    • Digest Authentication (Web-Digest-Auth) – this authentication method provides a higher level of security than Basic authentication. Digest authentication works by passing a password hash to a Windows domain controller to authenticate users;
    • Basic Authentication (Web-Basic-Auth) – this authentication method provides strong web browser compatibility and is recommended for small internal networks. Its main disadvantage is that passwords transmitted over the network can be intercepted and decoded quite easily, so use this method only in combination with SSL;
    • Windows Authentication (Web-Windows-Auth) – authentication based on Windows domain authentication. In other words, you can use Active Directory accounts to authenticate users of your websites;
    • Authentication with client certificate matching (Web-Client-Auth) – This authentication method involves the use of a client certificate. This type uses Active Directory to provide certificate mapping;
    • IIS Client Certificate Mapping Authentication (Web-Cert-Auth) – This method also uses client certificates for authentication, but uses IIS to provide certificate mapping. This type provides higher performance;
    • Centralized SSL certificate support (Web-CertProvider) – these tools allow you to centrally manage SSL server certificates, which greatly simplifies the process of managing these certificates;
  • Health and Diagnostics (Web-Health)– a set of services to provide control, management and troubleshooting of web servers, sites and applications:
    • HTTP Logging (Web-Http-Logging) – tools that log website activity on this server, i.e. keep a log;
    • ODBC Logging (Web-ODBC-Logging) – these tools also log website activity, but they support writing that activity to an ODBC-compliant database;
    • Request Monitor (Web-Request-Monitor) – a tool that allows you to monitor the health of a web application by capturing information about HTTP requests in the IIS worker process;
    • Custom Logging (Web-Custom-Logging) – these tools allow you to log web server activity in a format that differs significantly from the standard IIS format. In other words, you can create your own logging module;
    • Logging tools (Web-Log-Libraries) are tools for managing web server logs and automating logging tasks;
    • Tracing (Web-Http-Tracing) is a tool for diagnosing and eliminating problems in the operation of web applications.
  • Common HTTP Features (Web-Common-Http) – a set of services that provide basic HTTP functionality:
    • Default Document (Web-Default-Doc) – this feature allows you to configure the web server to return a default document when users do not specify a specific document in the request URL, making it easier for users to reach a website, for example, by domain name alone, without specifying a file;
    • Directory Browsing (Web-Dir-Browsing) – this tool can be used to configure the web server so that users can view a list of all directories and files on a website, for example when users do not specify a file in the request URL and default documents are disabled or not configured;
    • HTTP Errors (Web-Http-Errors) – this feature allows you to configure the error messages returned to users' web browsers when the web server detects an error, so that errors are presented to users more clearly;
    • Static Content (Web-Static-Content) – this feature allows content in static file formats, such as HTML files or image files, to be served by the web server;
    • HTTP Redirection (Web-Http-Redirect) – using this feature, you can redirect a user request to a specific destination, i.e. a Redirect;
    • WebDAV Publishing (Web-DAV-Publishing) – allows you to use WebDAV technology on the IIS web server. WebDAV (Web Distributed Authoring and Versioning) is a technology that allows users to work together (read, edit, read properties, copy, move) on files on remote web servers over the HTTP protocol.
  • Performance (Web-Performance) – a set of services for achieving higher web server performance through output caching and common compression mechanisms such as Gzip and Deflate:
    • Static Content Compression (Web-Stat-Compression) – a tool for configuring compression of static HTTP content; it allows more efficient use of bandwidth without unnecessary CPU load;
    • Dynamic Content Compression (Web-Dyn-Compression) is a tool for configuring HTTP dynamic content compression. This feature allows for more efficient use of bandwidth, but the server CPU load associated with dynamic compression may cause the site to slow down if the CPU load is high without compression.
  • Application Development (Web-App-Dev)– a set of services and tools for developing and hosting web applications, in other words, website development technologies:
    • ASP (Web-ASP) – an environment for supporting and developing websites and web applications using ASP technology. There is now a newer and more advanced website development technology, ASP.NET;
    • ASP.NET 3.5 (Web-Asp-Net) – an object-oriented environment for developing websites and web applications using ASP.NET technology;
    • ASP.NET 4.6 (Web-Asp-Net45) – also an object-oriented environment for developing websites and web applications, using the newer version of ASP.NET;
    • CGI (Web-CGI) – the ability to use CGI to pass information from the web server to an external program. CGI is an interface standard for connecting an external program to a web server. The downside is that using CGI affects performance;
    • Server Side Includes (SSI) (Web-Includes) – support for the SSI scripting language, which is used to dynamically generate HTML pages;
    • Application Initialization (Web-AppInit) – this tool performs initialization tasks for web applications before the first web page is served;
    • WebSocket Protocol (Web-WebSockets) – adds the ability to create server applications that communicate using the WebSocket protocol. WebSocket is a protocol that can send and receive data simultaneously between a browser and a web server over a TCP connection, a kind of extension of the HTTP protocol;
    • ISAPI Extensions (Web-ISAPI-Ext) – support for dynamic development of web content using the ISAPI application programming interface. ISAPI is an API for the IIS web server. ISAPI applications are much faster than ASP files or files that call COM+ components;
    • .NET 3.5 Extensibility (Web-Net-Ext) is a .NET 3.5 extensibility feature that allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
    • .NET 4.6 Extensibility (Web-Net-Ext45) is the .NET 4.6 extensibility feature that also allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
    • ISAPI filters (Web-ISAPI-Filter) – adding support for ISAPI filters. ISAPI filters are programs that are called when the web server receives a specific HTTP request that needs to be processed by the filter.

FTP Server (Web-Ftp-Server) – services that provide support for the FTP protocol. We discussed the FTP server in more detail in the material "Installing and configuring an FTP server on Windows Server 2016". Contains the following services:

  • FTP Service (Web-Ftp-Service) – adds support for the FTP protocol on the web server;
  • FTP Extensibility (Web-Ftp-Ext) – Extends standard FTP capabilities, such as adding support for features such as custom providers, ASP.NET users, or IIS Manager users.

Management Tools (Web-Mgmt-Tools)- These are tools for managing the IIS 10 web server. These include: the IIS user interface, command line tools and scripts.

  • The IIS Management Console (Web-Mgmt-Console) is the user interface for managing IIS;
  • IIS Management Scripts and Tools (Web-Scripting-Tools) – tools and scripts for managing IIS from the command line or from scripts. They can be used, for example, to automate administration;
  • Management service (Web-Mgmt-Service) – this service adds the ability to manage the web server remotely from another computer using the IIS manager;
  • IIS 6 Management Compatibility (Web-Mgmt-Compat) – provides compatibility for applications and scripts that use the two IIS 6 APIs. Existing IIS 6 scripts can be used to manage the IIS 10 web server:
    • IIS 6 Metabase Compatibility (Web-Metabase) – a compatibility tool that allows you to run applications and scripts ported from earlier versions of IIS;
    • IIS 6 Scripting Tools (Web-Lgcy-Scripting) – these tools allow you to use in IIS 10 the same IIS 6 scripting services that were created to manage IIS 6;
    • IIS 6 Management Console (Web-Lgcy-Mgmt-Console) – a tool for administering remote IIS 6.0 servers;
    • IIS 6 WMI Compatibility (Web-WMI) – Windows Management Instrumentation (WMI) scripting interfaces for programmatically managing and automating IIS 10.0 web server tasks using scripts written against the WMI provider.
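The PowerShell names listed for the Web Server role and its role services are what Install-WindowsFeature and Get-WindowsFeature accept. The following script is an added example, not code from the lecture or from Microsoft: it installs a deliberately small set of IIS role services for an intranet site (request filtering, IP restrictions and Windows authentication instead of Basic authentication), and then audits which authentication role services are present, warning if Basic authentication is installed on a server with no HTTPS binding, which is the combination the text above warns against. The choice of role services and the HTTPS check are the example's own assumptions; the cmdlets and feature names are standard.

```powershell
# Added example: minimal, security-oriented IIS install plus an audit of
# authentication role services. Run in an elevated PowerShell on Windows Server.
Import-Module ServerManager

# Role services assumed for a typical intranet site (example's own choice).
$wanted = @(
    'Web-Server',          # the Web Server (IIS) role itself
    'Web-Static-Content',  # serve HTML and image files
    'Web-Default-Doc',
    'Web-Http-Errors',
    'Web-Filtering',       # request filtering
    'Web-IP-Security',     # IP address and domain restrictions
    'Web-Windows-Auth',    # Active Directory account authentication
    'Web-Http-Logging',    # keep W3C logs for later investigation
    'Web-Mgmt-Console'
)

$result = Install-WindowsFeature -Name $wanted
if (-not $result.Success) {
    throw "Role installation failed, exit code: $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to complete the installation.'
}

# Audit: list the authentication role services and whether each is installed.
$authServices = 'Web-Basic-Auth', 'Web-Digest-Auth', 'Web-Windows-Auth',
                'Web-Client-Auth', 'Web-Cert-Auth'
Get-WindowsFeature -Name $authServices |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize

# Basic authentication sends credentials in an easily decoded form, so it is
# only acceptable behind SSL/TLS. Flag the case where it is installed but the
# server has no HTTPS binding at all.
if ((Get-WindowsFeature -Name 'Web-Basic-Auth').Installed) {
    Import-Module WebAdministration
    $httpsBindings = Get-WebBinding -Protocol https
    if (-not $httpsBindings) {
        Write-Warning 'Web-Basic-Auth is installed but no HTTPS binding exists: credentials would cross the network unprotected.'
    }
}
```

Get-WindowsFeature can also be run on its own against an existing server to compare what is installed with the list in the lecture; unexpected role services such as WebDAV publishing or Directory Browsing are worth reviewing the same way.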

Active Directory Domain Services

The "Active Directory Domain Services" (AD DS) role provides a distributed database that stores and processes information about network resources. This role is used to organize network elements, such as users, computers, and other devices, into a hierarchical, protected structure. The hierarchical structure includes forests, domains within a forest, and organizational units (OUs) within each domain. A server running AD DS is called a domain controller.

The role name for Windows PowerShell is AD-Domain-Services.

Windows Server Essentials Mode

This role provides the computing infrastructure for a small organization along with convenient and efficient functions, for example: storing client data in a centralized location and protecting it by backing up the server and client computers, and Remote Web Access, which lets you reach that data from almost any device. This role requires several role services and features, such as: BranchCache features, Windows Server Backup, Group Policy Management, and the "DFS Namespaces" role service.

The name for PowerShell is ServerEssentialsRole.

Network Controller

This role was introduced in Windows Server 2016 and provides a single point of automation for managing, monitoring and diagnosing the physical and virtual network infrastructure in the data center. Using this role, you can configure IP subnets, VLANs and the physical network adapters of Hyper-V hosts, and manage virtual switches, physical routers, firewall settings and VPN gateways.

The name for Windows PowerShell is NetworkController.

Host Guardian Service

The Host Guardian Service (HGS) server role provides attestation and key protection services that enable guarded hosts to run shielded virtual machines. For this role to function, several additional roles and features are required, for example: Active Directory Domain Services, Web Server (IIS), the "Failover Clustering" feature, and others.

The name for PowerShell is HostGuardianServiceRole.

Active Directory Lightweight Directory Services

The "Active Directory Lightweight Directory Services" (AD LDS) role is a lightweight version of AD DS with less functionality; it does not require the deployment of domains or domain controllers and does not have the dependencies and domain restrictions that AD DS requires. AD LDS works over the LDAP protocol (Lightweight Directory Access Protocol). You can deploy multiple AD LDS instances with independently managed schemas on a single server.

The name for PowerShell is ADLDS.

MultiPoint Services

This is also a new role that was introduced in Windows Server 2016. MultiPoint Services (MPS) provides basic remote desktop functionality that allows multiple users to work simultaneously and independently on the same computer. To install and operate this role, you need to install several additional services and components, for example: Print Server, Windows Search service, XPS Viewer and others, all of which will be selected automatically when MPS is installed.

The role name for PowerShell is MultiPointServerRole.

Windows Server Update Services

With this role (WSUS), system administrators can manage Microsoft updates: for example, create separate groups of computers for different sets of updates, and receive reports on computer compliance and on updates that still need to be installed. "Windows Server Update Services" requires the following role services and components: Web Server (IIS), Windows Internal Database and the Windows Process Activation Service.

The name for Windows PowerShell is UpdateServices.

  • WID Connectivity (UpdateServices-WidDB) – configures WSUS to use WID (Windows Internal Database); in other words, WSUS stores its data in WID;
  • WSUS Services (UpdateServices-Services) are the WSUS role services, such as Update Service, Reporting Web Service, API Remoting Web Service, Client Web Service, Simple Internet Authentication Web Service, Server Synchronization Service and DSS Web Authentication Service;
  • SQL Server Connectivity (UpdateServices-DB) is the installation of a component that allows the WSUS service to connect to a Microsoft SQL Server database. This option involves storing service data in a Microsoft SQL Server database. In this case, you must already have at least one instance of SQL Server installed.

Volume Activation Services

This server role automates and simplifies the issuance of volume licenses for Microsoft software and allows you to manage those licenses.

The name for PowerShell is VolumeActivation.

Print and Document Services

This server role is designed to share printers and scanners on a network, centrally configure and manage print and scan servers, and manage network printers and scanners. Print and Document Services also allows you to send scanned documents via email, network shares, or Windows SharePoint Services sites.

The name for PowerShell is Print-Services.

  • Print Server (Print-Server) – this role service includes the "Print Management" snap-in, which is used to manage printers and print servers and to migrate printers between print servers;
  • Internet Printing (Print-Internet) – to implement printing over the Internet, a web site is created through which users can manage print jobs on the server. This service requires "Web Server (IIS)"; all required components are selected automatically when you check this role service during installation;
  • Distributed Scan Server (Print-Scan-Server) – a service that receives scanned documents from network scanners and sends them to their destination. It also contains the "Scan Management" snap-in, which is used to manage network scanners and configure scanning;
  • LPD Service (Print-LPD-Service) – the LPD (Line Printer Daemon) service allows UNIX-based computers and other computers that use the Line Printer Remote (LPR) service to print to the server's shared printers.

Network Policy and Access Services

The "Network Policy and Access Services" (NPAS) role allows you to use Network Policy Server (NPS) to define and enforce policies for network access, authentication, authorization and client health; in other words, it is the role that enforces network access security.

The name for Windows PowerShell is NPAS.

Windows Deployment Services

Using this role, you can install the Windows operating system remotely over a network.

The role name for PowerShell is WDS.

  • Deployment Server (WDS-Deployment) – this role service is designed for remote deployment and configuration of Windows operating systems. It also allows you to create and customize images for reuse;
  • Transport Server (WDS-Transport) - this service contains the main network components with which you can transfer data by multicast on a standalone server.

Active Directory Certificate Services

This role is designed to create certificate authorities and associated role services that allow you to issue certificates for various applications and manage such certificates.

The name for Windows PowerShell is AD-Certificate.

Includes the following role services:

  • Certification Authority (ADCS-Cert-Authority) – this role service issues certificates to users, computers and services and manages certificate validity (including revocation);
  • Certificate Enrollment Policy Web Service (ADCS-Enroll-Web-Pol) – allows users and computers to obtain certificate enrollment policy information through a web browser, even if the computer is not a domain member. Requires "Web Server (IIS)";
  • Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) – allows users and computers to enroll and renew certificates through a web browser over HTTPS, even if the computer is not a domain member. Also requires "Web Server (IIS)";
  • Online Responder (ADCS-Online-Cert) – a service that answers certificate revocation checks from clients: it accepts a request for the revocation status of specific certificates, evaluates their status and returns a signed response with that status. Requires "Web Server (IIS)";
  • Certification Authority Web Enrollment (ADCS-Web-Enrollment) – provides a web interface through which users can request and renew certificates, obtain certificate revocation lists and enroll smart card certificates. Requires "Web Server (IIS)";
  • Network Device Enrollment Service (ADCS-Device-Enrollment) – issues and manages certificates for routers and other network devices that do not have network accounts. Requires "Web Server (IIS)".

Remote Desktop Services

A server role that provides access to virtual desktops, session-based desktops and RemoteApp programs.

The role name for Windows PowerShell is Remote-Desktop-Services.

Consists of the following services:

  • Remote Desktop Web Access (RDS-Web-Access) – this role service lets users reach remote desktops and RemoteApp programs through the Start menu or a web browser;
  • Remote Desktop Licensing (RDS-Licensing) – manages the licenses that are required to connect to a Remote Desktop Session Host server or a virtual desktop. It is used to install and issue licenses and to track their availability. This service requires "Web Server (IIS)";
  • Remote Desktop Connection Broker (RDS-Connection-Broker) – a role service that reconnects a user to an existing virtual desktop, RemoteApp program or session-based desktop, and load-balances between Remote Desktop Session Host servers or between virtual desktops in a pool;
  • Remote Desktop Virtualization Host (RDS-Virtualization) – lets users connect to virtual desktops using RemoteApp and Desktop Connection. This service works together with Hyper-V, so the Hyper-V role must be installed;
  • Remote Desktop Session Host (RDS-RD-Server) – lets a server host RemoteApp programs and session-based desktops. Users connect with the Remote Desktop Connection client or through RemoteApp;
  • Remote Desktop Gateway (RDS-Gateway) – lets authorized remote users connect to virtual desktops, RemoteApp programs and session-based desktops on the corporate network from the Internet. The following additional services and components are required: "Web Server (IIS)", "Network Policy and Access Services" and "RPC over HTTP Proxy".

Active Directory Rights Management Services

This server role protects information from unauthorized use. It verifies user identities and issues licenses to authorized users for access to protected content. The role requires additional services and components: "Web Server (IIS)", "Windows Process Activation Service" and ".NET Framework 4.6 Features".

The name for Windows PowerShell is ADRMS.

  • Active Directory Rights Management Server (ADRMS-Server) is the main role service and is required for installation;
  • Identity Federation Support (ADRMS-Identity) is an optional role service that allows federated identities to consume protected content using Active Directory Federation Services.

Active Directory Federation Services

This role provides simplified and secure identity federation capabilities, as well as browser-based single sign-on (SSO) to websites.

The name for PowerShell is ADFS-Federation.

Remote access

This role provides connectivity through DirectAccess, VPN and Web Application Proxy. The "Remote Access" role also provides traditional routing capabilities, including Network Address Translation (NAT) and other connection options. It requires the additional services and components "Web Server (IIS)" and "Windows Internal Database".

The role name for Windows PowerShell is RemoteAccess.

  • DirectAccess and VPN (RAS) (DirectAccess-VPN) – lets users reach the corporate network at any time through DirectAccess whenever they have Internet access, and also provides VPN connections combined with tunneling and data encryption technologies;
  • Routing (Routing) – provides NAT, LAN routing with BGP and RIP, and multicast routing (IGMP proxy);
  • Web Application Proxy (Web-Application-Proxy) – publishes HTTP- and HTTPS-based applications from the corporate network to client devices located outside the corporate network.

File and Storage Services

This server role provides shared access to files and folders, manages and controls shares, replicates files, provides fast file search and gives UNIX client computers access to files. File services, and the file server in particular, were covered in more detail in the article "Installing a File Server on Windows Server 2016".

The name for Windows PowerShell is FileAndStorage-Services.

Storage Services (Storage-Services) – this service provides storage management functionality; it is always installed and cannot be removed.

File and iSCSI Services (File-Services) – technologies that simplify the management of file servers and storage, save disk space, provide replication and caching of files in branch offices, and provide file sharing over the NFS protocol. Includes the following role services:

  • File Server (FS-FileServer) is a role service that manages shared folders and provides users with access to files on this computer over the network;
  • Data deduplication (FS-Data-Deduplication) – this service saves disk space by storing only one copy of identical data on a volume;
  • File Server Resource Manager (FS-Resource-Manager) – Using this service, you can manage files and folders on a file server, create storage reports, categorize files and folders, configure folder quotas, and define file blocking policies;
  • iSCSI Target Storage Provider (VDS and VSS hardware providers) (iSCSITarget-VSS-VDS) – lets applications on a server that is connected to an iSCSI target create volume shadow copies of the iSCSI virtual disks;
  • DFS namespaces (FS-DFS-Namespace) - using this service, you can group shared folders located on different servers into one or more logically structured namespaces;
  • Work Folders (FS-SyncShareService) – lets users keep their work files on several computers, including work and personal ones. Files stored in Work Folders are synchronized and can be accessed from the local network or from the Internet. This service requires the "IIS Hostable Web Core" component;
  • DFS Replication (FS-DFS-Replication) is a data replication module between multiple servers that allows you to synchronize folders over a local or global network connection. This technology uses the Remote Differential Compression (RDC) protocol to update only those portions of files that have changed since the last replication. DFS Replication can be used in conjunction with DFS namespaces or separately;
  • Server for NFS (FS-NFS-Service) – lets this computer share files with UNIX-based computers and other computers that use the Network File System (NFS) protocol;
  • iSCSI Target Server (FS-iSCSITarget-Server) – Provides services and management tools for iSCSI targets;
  • BranchCache Service for Network Files (FS-BranchCache) - The service provides BranchCache support on this file server;
  • File Server VSS Agent Service (FS-VSS-Agent) - The service enables volume shadow copying for applications that store data files on this file server.

Fax server

This role sends and receives faxes and lets you manage fax resources such as jobs, settings, reports and fax devices on this computer or on the network. It requires the "Print Server" role service.

The role name for Windows PowerShell is Fax.

This concludes the review of Windows Server 2016 server roles. I hope the material was useful to you!

Before developing a socket server, you need to create a policy server that tells Silverlight which clients are allowed to connect to the socket server.

As shown above, Silverlight does not allow content to be loaded or a web service to be called unless the domain has a clientaccesspolicy.xml or crossdomain.xml file that explicitly allows these operations. A similar restriction applies to socket servers. If the client is not given a way to retrieve a clientaccesspolicy.xml file that permits remote access, Silverlight refuses to establish the connection.

Unfortunately, serving clientaccesspolicy.xml for a socket application is harder than serving it from a web site. With a web site, the web server software delivers the clientaccesspolicy.xml file; you only need to remember to add it. With a socket application, you must open a socket on which clients can make policy requests, and you must write the code that serves that socket yourself. A policy server solves these problems.

As we'll see next, the policy server works in the same way as the message server, it just handles slightly simpler interactions. Message and policy servers can be created separately or combined in one application. In the second case, they must listen for requests in different threads. In this example, we will create a policy server and then combine it with a message server.

To create a policy server, you must first create a .NET application. Any type of .NET application can serve as a policy server. The easiest way is to use a console application. Once you've debugged your console application, you can move the code to a Windows service so that it runs continuously in the background.

Policy file

Below is the policy file provided by the policy server.
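The policy file is not reproduced on this page; the following is an added reconstruction that matches the three rules the text describes next. The element and attribute names are those of Silverlight's clientaccesspolicy.xml format, and the values (the full 4502-4532 range, tcp, any domain) are the ones the text states.

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Rule 3: any domain may connect. Narrow this to the site that hosts the Silverlight app. -->
      <allow-from>
        <domain uri="*" />
      </allow-from>
      <!-- Rules 1 and 2: TCP on the whole range Silverlight supports. -->
      <grant-to>
        <socket-resource port="4502-4532" protocol="tcp" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```

Note that uri="*" means a Silverlight application hosted on any web site may open sockets to this server, so the message server must authenticate the connection itself rather than trust the plug-in's policy check.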

The policy file defines three rules.

Allows access to all ports from 4502 to 4532 (this is the full range of ports supported by the Silverlight add-on). To change the range of available ports, you need to change the value of the element's port attribute.

Allows TCP access (the permission is defined in the protocol attribute of the element).

Allows calling from any domain. Therefore, the Silverlight application that makes the connection can be hosted by any website. To change this rule, you need to edit the element's uri attribute.

To keep things simple, the policy rules are placed in a clientaccesspolicy.xml file that is added to the project. In Visual Studio, set the policy file's Copy to Output Directory property to Copy Always. The policy server then only has to find the file on disk, open it and return its contents to the client.

PolicyServer class

The policy server is built on two key classes: PolicyServer and PolicyConnection. The PolicyServer class waits for connections. Once it receives one, it hands control to a new instance of the PolicyConnection class, which sends the policy file to the client. This two-part structure is common in network programming, and you will see it again when working with message servers.

The PolicyServer class loads the policy file from disk and keeps it in a field as a byte array.

    using System;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;

    public class PolicyServer
    {
        private byte[] policy;

        public PolicyServer(string policyFile)
        {
            // Load the policy file from disk and keep it as a byte array.
            policy = File.ReadAllBytes(policyFile);
        }

To start listening, the server application calls PolicyServer.Start(). It creates a TcpListener object that listens for requests on port 943. In Silverlight this port is reserved for policy servers: when the plug-in needs a socket policy file, it automatically sends the request to port 943.

        private TcpListener listener;

        public void Start()
        {
            // Create the listener on port 943, the port Silverlight uses for policy requests.
            listener = new TcpListener(IPAddress.Any, 943);

            // Start listening; listener.Start() returns immediately.
            listener.Start();

            // Wait for a connection; this method also returns immediately,
            // the wait is performed on a separate thread.
            listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);
        }

To accept an incoming connection, the policy server calls BeginAcceptTcpClient(). Like all BeginXxx() methods in the .NET Framework, it returns immediately and performs its work on a separate thread. For a network application this matters because it lets many policy requests be processed at the same time.

Note. Novice network programmers often wonder how it is possible to handle more than one request at a time, and think that this requires multiple servers. However, it is not. With this approach, client applications would quickly exhaust the available ports. In practice, server applications process many requests through a single port. This process is invisible to applications because Windows' built-in TCP subsystem automatically identifies messages and routes them to the appropriate objects in application code. Each connection is uniquely identified based on four parameters: client IP address, client port number, server IP address, and server port number.

Each time a request arrives, the OnAcceptTcpClient() callback runs. It first calls BeginAcceptTcpClient() again, so that the next request is awaited on another thread, and then processes the current request.

        public void OnAcceptTcpClient(IAsyncResult ar)
        {
            if (isStopped) return;

            Console.WriteLine("Policy request received.");

            // Wait for the next connection.
            listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);

            // Process the current connection.
            try
            {
                TcpClient client = listener.EndAcceptTcpClient(ar);
                PolicyConnection policyConnection = new PolicyConnection(client, policy);
                policyConnection.HandleRequest();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }

Each time a new connection is received, a new PolicyConnection object is created to handle it. Additionally, the PolicyConnection object maintains the policy file.

The last component of the PolicyServer class is the Stop() method, which stops waiting for requests. The application calls it when it exits.

        private bool isStopped;

        public void Stop()
        {
            isStopped = true;
            try
            {
                listener.Stop();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }
    }

To start the policy server, the following code is used in the Main() method of the server application.

    static void Main(string[] args)
    {
        PolicyServer policyServer = new PolicyServer("clientaccesspolicy.xml");
        policyServer.Start();

        Console.WriteLine("The policy server is running.");
        Console.WriteLine("Press Enter to exit.");

        // Wait for Enter. With Console.ReadKey() you could instead wait for
        // any key, or with ReadLine() for a specific command such as "quit".
        Console.ReadLine();

        policyServer.Stop();
        Console.WriteLine("Policy server stopped.");
    }

PolicyConnection class

The PolicyConnection class has a simpler job. It stores a reference to the policy data, and when HandleRequest() is called it gets the network stream of the new connection and reads from it. The client is expected to send a string containing the text <policy-file-request/>. After reading this text, the server writes the policy data to the stream and closes the connection. Below is the code for the PolicyConnection class.

    public class PolicyConnection
    {
        private TcpClient client;
        private byte[] policy;

        public PolicyConnection(TcpClient client, byte[] policy)
        {
            this.client = client;
            this.policy = policy;
        }

        // The request string that a Silverlight client sends.
        private static string policyRequestString = "<policy-file-request/>";

        public void HandleRequest()
        {
            Stream s = client.GetStream();

            // Read the policy request string.
            byte[] buffer = new byte[policyRequestString.Length];

            // Wait only 5 seconds for the request.
            client.ReceiveTimeout = 5000;
            s.Read(buffer, 0, buffer.Length);

            // Send the policy (you could also check here that the request
            // actually contains the expected text before answering).
            s.Write(policy, 0, policy.Length);

            // Close the connection.
            client.Close();

            Console.WriteLine("Policy file served.");
        }
    }

So we have a fully functional policy server. Unfortunately, it can't be tested yet because the Silverlight add-on doesn't allow you to explicitly request policy files. Instead, it automatically requests them when you try to use a socket application. Before you can create a client application for a given socket application, you must create a server.
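Although the Silverlight plug-in will not request a policy on demand, the exchange itself is plain TCP and can be exercised by hand. The following PowerShell script is an added example, not code from the original page: one function performs the handshake the way the plug-in does (connect to port 943, send <policy-file-request/>, read until the server closes), and a second audits what the returned policy grants, since the permissive file shown earlier lets any site open sockets on every port. The host name, the function names and the two sample policies are assumptions.

```powershell
# Added example (not from the original page): talk to a Silverlight socket
# policy server the way the plug-in does, then audit what the returned policy
# grants. Host name, function names and the sample policies are assumptions.

function Get-SilverlightSocketPolicy {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 943,       # Silverlight always asks port 943 for socket policies
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        # The plug-in sends exactly this string and expects the raw XML back
        $request = [System.Text.Encoding]::ASCII.GetBytes('<policy-file-request/>')
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 4096
        $reply = New-Object System.Text.StringBuilder
        do {
            $read = $stream.Read($buffer, 0, $buffer.Length)   # 0 once the server closes
            if ($read -gt 0) { [void]$reply.Append([System.Text.Encoding]::UTF8.GetString($buffer, 0, $read)) }
        } while ($read -gt 0)
        return $reply.ToString()
    }
    finally { $client.Close() }
}

function Test-SilverlightSocketPolicy {
    param([Parameter(Mandatory)] [string] $PolicyXml)
    [xml] $doc = $PolicyXml
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($policy in @($doc.'access-policy'.'cross-domain-access'.policy)) {
        foreach ($domain in @($policy.'allow-from'.domain)) {
            # uri="*" lets a Silverlight app on any web site open sockets to this server
            if ($domain.uri -eq '*') { $findings.Add('allow-from uri="*": any site may connect') }
        }
        foreach ($res in @($policy.'grant-to'.'socket-resource')) {
            if ($res.protocol -ne 'tcp') { $findings.Add("unexpected protocol '$($res.protocol)'") }
            $parts = $res.port -split '-'
            $lo = [int] $parts[0]
            $hi = if ($parts.Count -gt 1) { [int] $parts[1] } else { $lo }
            if ($lo -lt 4502 -or $hi -gt 4532) { $findings.Add("port $($res.port) is outside the 4502-4532 range Silverlight allows") }
            if (($hi - $lo) -ge 30) { $findings.Add("port $($res.port) opens the whole range; grant only the message server's port") }
        }
    }
    return $findings
}

# Constructed sample 1: the permissive file described in the text (any site, all ports)
$Permissive = @'
<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="*" /></allow-from>
  <grant-to><socket-resource port="4502-4532" protocol="tcp" /></grant-to>
</policy></cross-domain-access></access-policy>
'@
# Constructed sample 2: one origin, one port (assumed host name and port)
$Narrow = @'
<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="https://app.example.com" /></allow-from>
  <grant-to><socket-resource port="4530" protocol="tcp" /></grant-to>
</policy></cross-domain-access></access-policy>
'@

Test-SilverlightSocketPolicy -PolicyXml $Permissive
Test-SilverlightSocketPolicy -PolicyXml $Narrow
# Against a running policy server (assumed host name):
# Test-SilverlightSocketPolicy -PolicyXml (Get-SilverlightSocketPolicy -ComputerName 'localhost')
```

The client reads until the server closes the connection because the protocol has no length prefix; that is also why the policy server above must close the socket after writing, otherwise a plug-in waiting for end-of-stream would hang until its own timeout.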

In the previous articles in this series you learned how to use local security policies to protect your organization's infrastructure from outside attackers and from most actions of careless employees. You already know how to configure account policies that control the complexity of your users' passwords, and audit policies that record user authentication in the security log for later analysis. You also learned how to assign user rights so that users cannot damage the system or other computers on the intranet, and how to configure event logs, restricted groups, system services, the registry and the file system. In this article we continue with local security policies, and you will learn about the wired network security settings for your organization.

Microsoft server operating systems, starting with Windows Server 2008, include a Wired Network (IEEE 802.3) Policies component that provides automatic configuration for deploying IEEE 802.1X-authenticated wired access for 802.3 Ethernet clients. To apply wired network security settings through Group Policy, the operating system uses the Wired AutoConfig service (dot3svc). This service performs IEEE 802.1X authentication when the computer connects to an Ethernet network through an 802.1X-capable switch, and manages the profile that configures the client for authenticated access. If you use these policies, it is advisable to prevent domain users from changing the startup type of this service.

Configuring Wired Network Policy

Wired network policy settings are configured in the Group Policy Management Editor snap-in. To configure them, follow these steps:

  1. Open the snap-in, select the "Wired Network (IEEE 802.3) Policies" node in the console tree, right-click it and choose "Create A New Wired Network Policy for Windows Vista and Later Releases" from the context menu, as shown in the following illustration:

    Fig. 1. Creating a wired network policy

  2. In the "New Wired Network Policy Properties" dialog box that opens, the "General" tab lets you specify that the Wired AutoConfig service is used to configure LAN adapters that connect to a wired network. Besides the settings that apply to Windows Vista and later, some options apply only to Windows 7 and Windows Server 2008 R2. On this tab you can configure the following:
    • Policy name. The name of your wired network policy. It is shown in the details pane of the "Wired Network (IEEE 802.3) Policies" node of the Group Policy Management Editor;
    • Description. A detailed description of the purpose of the wired network policy;
    • Use Windows wired Auto Config service for clients. This option does the actual configuration and connects clients to the wired 802.3 network. If you clear it, Windows does not manage the wired connection and the policy settings do not take effect;
    • Don't allow shared user credentials for network authentication. Determines whether users are prevented from storing shared user credentials for network authentication. Locally, the same setting is changed with the command netsh lan set allowexplicitcreds;
    • Enable block period. Determines whether the computer is prevented from automatically connecting to a wired network for the number of minutes you specify. The default is 20 minutes; the block period can be set from 1 to 60 minutes.

    The "General" tab of the wired network policy is shown in the following illustration:

    Fig. 2. General tab of the wired network policy properties dialog box

  3. The "Security" tab provides configuration options for the authentication method and the authentication mode of the wired connection. You can configure the following security settings:
    • Enable use of IEEE 802.1X authentication for network access. Enables or disables 802.1X authentication for network access. Enabled by default;
    • Select a network authentication method. From this drop-down list you choose the client authentication method that the wired network policy applies. Two options are available:
      • Microsoft: Protected EAP (PEAP). For this method, the "Properties" dialog box contains the configuration settings of the authentication method to use inside PEAP;
      • Microsoft: Smart Card or other certificate. For this method, the "Properties" dialog box lets you specify the smart card or certificate used for the connection and the list of trusted root certification authorities.

      The default method is Microsoft: Protected EAP (PEAP);
    • Authentication mode. This drop-down list selects how network authentication is performed. Four options are available:
      • User or computer authentication. Credentials are chosen according to the current state of the computer. When no user is logged on, the computer's credentials are used; when a user logs on, that user's credentials are used. Microsoft recommends this mode in most cases;
      • Computer only. Authentication is performed with the computer's credentials only;
      • User authentication. User credentials are used only when connecting to a new 802.1X device; in all other cases the computer's credentials are used;
      • Guest authentication. Allows connecting to the network with a guest account;
    • Maximum authentication failures. The maximum number of authentication failures before authentication stops. The default value is 1;
    • Cache user information for subsequent connections to this network. When enabled, user credentials are stored in the registry, and the user is not prompted for them again after logging off and logging on.

The following illustration shows the "Security" tab of this dialog box:

Fig. 3. Security tab of the wired network policy properties dialog box

Authentication Mode Properties

As discussed in the previous section, both authentication methods have additional settings that are opened with the "Properties" button. This section looks at all the available settings of the two methods.

Microsoft: Protected EAP (PEAP) authentication method settings

EAP (Extensible Authentication Protocol) is an extensible authentication framework that defines the format of authentication messages; PEAP protects the EAP exchange inside a TLS tunnel to the RADIUS server. The following options are available for this authentication method:

  • Enable fast reconnect. Lets a client that moves between access points re-establish its PEAP session (TLS session resumption) without a full re-authentication. This only works across access points that are RADIUS clients of the same server. Enabled by default;
  • Enforce Network Access Protection. When selected, the client's health is checked against the NAP health requirements before the EAP supplicant is allowed onto the network;
  • Disconnect if server does not present cryptobinding TLV. Makes the client abort authentication if the RADIUS server does not supply a cryptographic binding TLV. The cryptobinding TLV ties the inner (EAP) and outer (TLS) authentications together, so a man-in-the-middle cannot relay the inner authentication through a TLS tunnel of its own;
  • Enable identity privacy. Prevents the client from sending its real identity in the clear before it has authenticated the RADIUS server; an anonymous identity value can optionally be entered for the outer EAP identity response.

The Protected EAP Properties dialog box is shown in the following illustration:

    Fig. 5. Protected EAP Properties dialog box

Authentication method settings "Smart Card or other certificate" (EAP-TLS)

The following options are available for this authentication method:

  • Use my smart card. Clients present the certificate on their smart card for network authentication;
  • Use a certificate on this computer. The certificate in the current user or local computer certificate store is used for the connection;
  • Use simple certificate selection. Windows filters out certificates that do not meet the authentication requirements;
  • Validate server certificate. The client verifies the certificate the server presents: a valid signature, that the certificate has not expired, and that it was issued by a trusted root certification authority. Without this check a rogue authenticator can impersonate the RADIUS server;
  • Connect to these servers. Identical to the option of the same name in the Protected EAP properties;
  • Trusted Root Certification Authorities. As in the Protected EAP properties, this list shows all trusted root certification authorities installed in the user and computer certificate stores;
  • Do not prompt user to authorize new servers or trusted certification authorities. When checked and the server presents a certificate that is not covered by the configured settings, the user is not shown a dialog asking to accept it. Disabled by default;
  • Use a different user name for the connection. Determines whether a user name other than the one in the certificate is used for authentication. If you enable this option, you must select at least one certification authority in the Trusted Root Certification Authorities list.

The Smart Card or other Certificate properties dialog box is shown in the following illustration:

    Fig. 6. Smart Card or other Certificate properties dialog box

If you are unsure which certificate to choose, click "View Certificate" to see all details of the selected certificate, as shown below:

    Fig. 7. Viewing a certificate from the list of trusted root certification authorities

    Wired Network Policy Advanced Security Settings

    You probably noticed that on the Security tab of the Wired Network Policy properties dialog box there are additional security settings that change the behaviour of network clients requesting access with 802.1X authentication. These advanced wired network policy settings fall into two groups: IEEE 802.1X settings and single sign-on settings. Let's look at each of these groups.

    In the IEEE 802.1X settings group, you can specify the characteristics of wired network requests with 802.1X authentication. The following parameters are available for change:

    • Enforce advanced 802.1X settings. This option enables the following four settings;
    • Max. EAPOL-Start messages. EAPOL (EAP over LAN) carries the EAP exchange between the client and the switch before the computer has authenticated; only after a successful authentication does the switch port to which this computer is connected pass all other traffic. This parameter sets the maximum number of EAPOL-Start messages that will be sent;
    • Held period (sec). This setting controls the delay, in seconds, before the next 802.1X authentication attempt after an authentication failure notification is received;
    • Start period (sec). This parameter controls the time to wait before resending successive EAPOL-Start messages;
    • Auth period (sec). This parameter specifies the number of seconds between retransmissions of successive EAPOL-Start messages after end-to-end 802.1X authentication has been initiated;
    • EAPOL-Start message. This parameter specifies how EAPOL-Start messages are transmitted:
      • Do not transmit. When this option is selected, EAPOL-Start messages are not transmitted;
      • Transmit. If you select this option, the client must send the EAPOL-Start messages itself (a manual start);
      • Transmit per IEEE 802.1X. When this option is selected (it is the default), EAPOL-Start messages are sent automatically while waiting for 802.1X authentication to start.

    When single sign-on is used, 802.1X authentication is performed according to the network security configuration at the moment the user logs on to the operating system. The following options are available to fully customize single sign-on profiles:

    • Enable single sign-on for this network. When this option is enabled, the single sign-on settings become active;
    • Perform immediately before user logon. If you check this option, 802.1X authentication is performed before the user completes logon;
    • Perform immediately after user logon. If you check this option, 802.1X authentication is performed after the user completes logon;
    • Max. delay for connectivity (sec). This setting specifies the maximum time within which authentication must complete and therefore how long the user waits before the logon window appears;
    • Allow additional dialogs to be displayed during single sign-on. This option determines whether additional dialog boxes may be shown to the user during single sign-on;
    • This network uses separate virtual LANs for machine and user authentication. When you enable this setting, at startup all computers are placed in one virtual network and, after the user logs on successfully, they are moved to different virtual networks depending on their permissions. It makes sense to enable this option only if your enterprise uses several VLANs.
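    As an added example that is not part of the original article, the following PowerShell script exports the wired profiles present on this computer with netsh and reports the 802.1X supplicant, single sign-on and smart card/certificate server-validation settings discussed in this and the previous section. It assumes the Wired AutoConfig service (dot3svc) is available, that the exported XML uses Microsoft's OneX v1 schema, and that the EAP-TLS element names it looks up (DisableUserPromptForServerValidation, SimpleCertSelection, DifferentUsername, TrustedRootCA) are present in the EAP configuration; run it in an elevated PowerShell.

```powershell
# Added example, not from the original article. Exports this computer's wired
# (IEEE 802.3) profiles and summarises their 802.1X settings for review.
# Assumptions: dot3svc can be started; profiles follow the OneX v1 schema;
# EAP-TLS element names listed in the lead-in exist in the EAPConfig block.

$exportDir = Join-Path $env:TEMP 'wired-profiles'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# netsh lan refuses to work unless the Wired AutoConfig service is running
if ((Get-Service -Name dot3svc).Status -ne 'Running') { Start-Service -Name dot3svc }

# One XML file per wired profile is written to the folder
netsh lan export profile folder="$exportDir" | Out-Null

function Get-WiredProfileSummary {
    param([string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
    $onex = $xml.SelectSingleNode('//onex:OneX', $ns)

    # Read an OneX element, falling back to the Windows default when it is absent
    function Get-OneX([string]$XPath, $Default) {
        $node = $onex.SelectSingleNode($XPath, $ns)
        if ($node) { $node.InnerText } else { $Default }
    }
    # EAP method settings live in EAPConfig under method-specific namespaces,
    # so look them up by local name (assumed element names, see lead-in)
    function Get-EapSetting([string]$Name) {
        $node = $xml.SelectSingleNode("//*[local-name()='$Name']")
        if ($node) { $node.InnerText } else { 'n/a' }
    }

    if (-not $onex) {
        # No OneX block: the port is used without any 802.1X authentication
        return [pscustomobject]@{ Profile = (Split-Path $Path -Leaf); Dot1X = $false }
    }
    [pscustomobject]@{
        Profile        = Split-Path $Path -Leaf
        Dot1X          = $true
        # IEEE 802.1X settings group (defaults in the second argument)
        MaxEapolStart  = Get-OneX 'onex:maxStart'    3    # Max. EAPOL-Start messages
        HeldPeriodSec  = Get-OneX 'onex:heldPeriod'  60   # delay after a failed attempt
        StartPeriodSec = Get-OneX 'onex:startPeriod' 5    # between EAPOL-Starts
        AuthPeriodSec  = Get-OneX 'onex:authPeriod'  18   # wait for the switch to answer
        EapolStartMode = Get-OneX 'onex:supplicantMode' 'compliant'   # inhibitTransmission | includeLearning | compliant
        AuthMode       = Get-OneX 'onex:authMode' 'machineOrUser'
        # single sign-on group
        SsoType        = Get-OneX 'onex:singleSignOn/onex:type' 'disabled'   # preLogon | postLogon
        SsoMaxDelaySec = Get-OneX 'onex:singleSignOn/onex:maxDelay' 'n/a'
        SsoUserVlan    = Get-OneX 'onex:singleSignOn/onex:userBasedVirtualLan' 'n/a'
        # smart card / other certificate (EAP-TLS) server validation
        NoServerPrompt = Get-EapSetting 'DisableUserPromptForServerValidation'
        SimpleCertSel  = Get-EapSetting 'SimpleCertSelection'
        DifferentUser  = Get-EapSetting 'DifferentUsername'
        PinnedRootCAs  = @($xml.SelectNodes("//*[local-name()='TrustedRootCA']")).Count
    }
}

$report = Get-ChildItem -Path $exportDir -Filter '*.xml' |
    ForEach-Object { Get-WiredProfileSummary -Path $_.FullName }
$report | Format-List

# Review points: a profile without an OneX block authenticates nothing, and a
# profile that pins no root CA relies on the user to judge the server certificate.
$report | Where-Object { -not $_.Dot1X -or $_.PinnedRootCAs -eq 0 } |
    ForEach-Object { Write-Warning "$($_.Profile): review 802.1X and server validation settings" }
```

    For a profile pushed by the Wired Network (IEEE 802.3) Policy, compare the report with the values on the policy's Security tab.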

    The Wired Network Policy Advanced Security Settings dialog box is shown in the following illustration:

    Fig. 8. Wired Network Policy Advanced Security Settings dialog box

    Conclusion

    This article introduced you to all the IEEE 802.1X wired network policy settings. You learned how to create such a policy, and also learned about the EAP authentication methods and about authentication with smart cards or other certificates. In the following article, you will learn about the Network List Manager local security policies.

    Policies in Exchange Server 2003 are designed to increase administrative flexibility while reducing the burden on administrators. A policy is a set of configuration settings that apply to one or more objects of the same class in Exchange. For example, you can create a policy that affects specific settings on some or all Exchange servers. If you need to change these settings, you simply modify the policy and it is applied to the appropriate servers in the organization.

    There are two types of policies: system policies and recipient policies. Recipient policies apply to mail-enabled objects and specify how e-mail addresses are generated; they are discussed in "Creating and managing recipients". System policies are applied to servers, mailbox stores and public folder stores. These policies appear in the System Policies container of the administrative group responsible for administering the policy (Figure 12.10).

    Fig. 12.10. System policy object

    Note. When you install Exchange Server 2003, a default container for system policies is not created. It must be created before building system policies. Right-click the administration group in which you want to create the policy folder, point to New, and select System Policy Container.

    Creating a system policy

    To create a system policy, you need to go to the appropriate System Policies container, right-click on the container, and then select the type of policy to create: server policy, mailbox store policy, or public folder store policy.

    When working with system policies, be sure to create the policy object in the administrative group that is responsible for administering the policy. Otherwise, the wrong people may end up with administrative control over critical policies. Let's look at how each of the three types of policy is created, starting with server policies.

    Create a server policy

    A server policy defines settings for message tracking and log file maintenance. It does not apply to security settings or other settings of the servers in this administrative group. To create a server policy, right-click the System Policies container, point to New, and then select Server Policy. The New Policy dialog box appears, shown in Figure 12.11, in which you specify the tabs that will appear on the properties page of this policy. There is only one option for a server policy: the General tab. Check the option for this tab and then click OK. A configuration window appears in which the policy is created.


    Fig. 12.11.

    After this, you need to enter the name of the policy in the General tab window of the properties page for this policy. As shown in Figure 12.12, there are actually two General tabs. The first tab is used to enter the policy name. Select a name to describe the task the policy is intended to perform, such as Message Tracking Policy or Enable Subject Logging Policy. An appropriate name chosen at this stage will save time by not having to open the properties page of the policy to determine its purpose.

    The General (Policy) tab, shown in Fig. 12.13, contains the actual policy settings that apply to the organization's Exchange servers. The tab is called General (Policy) because it potentially configures the General tab of the property pages of all existing servers. (We'll look at how to apply this policy to all servers in your organization later in this lecture.) If you compare this tab to the General tab on a server's properties page, you'll see that the tabs are the same, except for the identifying information at the top of the tab.

    The General (Policy) tab enables subject logging and display for all existing Exchange 2003 servers. This setting works in conjunction with the Enable Message Tracking option, which allows you to track messages sent within the organization. These options are useful for finding and troubleshooting the source of problems that occur when some users are not receiving messages from other users: a message can be tracked through the organization to determine where the communication problem lies. For more information about message tracking and message subject logging, see Lecture 6, Exchange Server 2003 Functionality, Security, and Support.


    Fig. 12.12.


    Fig. 12.13.

    Once a policy is in effect, it cannot be changed at the local servers. The message tracking policy we used as an example was created on the EX-SRV1 server in the Arizona administration group. On

    The functionality of the Windows Server operating system is extended and improved from version to version; there are more and more roles and components, so in today's material I will briefly describe the purpose of each role in Windows Server 2016.

    Before we move on to describing the Windows Server roles, let's find out what a "Server role" is in the Windows Server operating system.

    What is a "Server Role" in Windows Server?

    A server role is a software package that lets the server perform a certain function, and that function is its main one. In other words, a "Server role" is the purpose of the server, i.e. what it is for. So that the server can perform its main function, i.e. a certain role, the "Server role" includes all the software necessary for it (programs and services).

    The server can have one role if it is actively used, or several if each of them does not heavily load the server and is rarely used.

    A server role can include multiple role services that provide the functionality of the role. For example, the "Web server (IIS)" role includes a fairly large number of role services, while the "DNS server" role has no role services because it performs only one function.

    Role services can be installed together or individually depending on your needs. At its core, installing a role means installing one or more of its services.

    Windows Server also has server "Features".

    Server features (Feature) are software tools that are not a server role in themselves but extend the capabilities of one or more roles, or manage one or more roles.

    Some roles cannot be installed unless the role services or features they depend on are installed on the server. Therefore, when you install such a role, the "Add Roles and Features Wizard" automatically prompts you to install the additional role services or features it requires.

    Description of Windows Server 2016 server roles

    You are probably already familiar with many of the roles in Windows Server 2016, since they have been around for quite a long time, but, as I said, each new version of Windows Server adds new roles that you may not have worked with yet and whose purpose you would like to know, so let's start looking at them.

    Note! You can read about the new features of the Windows Server 2016 operating system in the material "Installing Windows Server 2016 and an overview of new features".

    Since roles, role services and features are very often installed and administered with Windows PowerShell, for each role and its services I will give the name that can be used in PowerShell to install or manage it.

    DHCP server

    This role allows you to centrally configure dynamic IP addresses and associated settings for computers and devices on your network. The DHCP Server role does not have role services.

    The name for Windows PowerShell is DHCP.

    DNS server

    This role is intended for name resolution on TCP/IP networks. The DNS Server role provides and maintains DNS. To make DNS server management easier, it is typically installed on the same server as Active Directory Domain Services. The DNS Server role does not have role services.

    The role name for PowerShell is DNS.

    Hyper-V

    Using the Hyper-V role, you can create and manage a virtualized environment. In other words, it is a tool for creating and managing virtual machines.

    The role name for Windows PowerShell is Hyper-V.

    Device Health Attestation

    The "Device Health Attestation" role allows you to evaluate device health based on measured security parameters, such as Secure Boot status and BitLocker state on the client.

    For this role to function, quite a lot of role services and features are required, for example several services from the "Web server (IIS)" role and features such as ".NET Framework 4.6 features".

    During installation, all required role services and features are selected automatically. The "Device Health Attestation" role has no role services of its own.

    The name for PowerShell is DeviceHealthAttestationService.

    Web server (IIS)

    Provides a reliable, manageable and scalable web application infrastructure. Consists of a fairly large number of services (43).

    The name for Windows PowerShell is Web-Server.

    It includes the following role services (in brackets I give the name for Windows PowerShell):

    Web server (Web-WebServer) - a group of role services that provides support for HTML websites, ASP.NET, ASP and web server extensions. It consists of the following services:

    • Security (Web-Security) - a set of services that provide web server security:
      • Request filtering (Web-Filtering) - using these tools you can process all requests arriving on the server and filter these requests based on special rules set by the web server administrator;
      • IP address and domain restrictions (Web-IP-Security) - these tools allow you to allow or deny access to content on the web server based on the IP address or domain name of the source in the request;
      • URL Authorization (Web-Url-Auth) - Tools allow you to develop rules to restrict access to web content and associate them with users, groups, or HTTP header commands;
      • Digest Authentication (Web-Digest-Auth) - this authentication method provides a higher level of security than basic authentication. Digest authentication works by passing a password hash to a Windows domain controller to authenticate users;
      • Basic Authentication (Web-Basic-Auth) - this authentication method provides strong web browser compatibility and is recommended only for small internal networks. Its main disadvantage is that passwords transmitted over the network can be intercepted and decoded quite easily, so use this method only in combination with SSL;
      • Windows Authentication (Web-Windows-Auth) is an authentication based on Windows domain authentication. In other words, you can use Active Directory accounts to authenticate users of your Web sites;
      • Authentication with client certificate matching (Web-Client-Auth) – This authentication method involves the use of a client certificate. This type uses Active Directory to provide certificate mapping;
      • IIS Client Certificate Mapping Authentication (Web-Cert-Auth) – This method also uses client certificates for authentication, but uses IIS to provide certificate mapping. This type provides higher performance;
      • Centralized SSL certificate support (Web-CertProvider) – these tools allow you to centrally manage SSL server certificates, which greatly simplifies the process of managing these certificates;
    • Health and Diagnostics (Web-Health) - a set of services for monitoring, managing and troubleshooting web servers, sites and applications:
      • HTTP Logging (Web-Http-Logging) - tools that log website activity on the server, i.e. write the log entries;
      • ODBC Logging (Web-ODBC-Logging) – These tools also provide logging of website activity, but they support logging that activity to an ODBC-compliant database;
      • Request Monitor (Web-Request-Monitor) is a tool that allows you to monitor the health of a web application by intercepting information about HTTP requests in the IIS worker process;
      • Custom Logging (Web-Custom-Logging) - these tools allow web server activity to be logged in a format that differs significantly from the standard IIS format; in other words, you can create your own logging module;
      • Logging tools (Web-Log-Libraries) are tools for managing web server logs and automating logging tasks;
      • Tracing (Web-Http-Tracing) is a tool for diagnosing and eliminating problems in the operation of web applications.
    • Common HTTP Features (Web-Common-Http) - a set of services that provide basic HTTP functionality:
      • Default Document (Web-Default-Doc) – This feature allows you to configure the web server to return a default document when users do not specify a specific document in the request URL, making it easier for users to access website, for example, by domain, without specifying the file;
      • Directory Browsing (Web-Dir-Browsing) - this tool can be used to configure the web server so that users can view a list of all directories and files on a website, for example when the user does not specify a file in the request URL and a default document is either disabled or not configured;
      • http errors (Web-Http-Errors) – this feature allows you to configure error messages that will be returned to users' web browsers when the web server detects an error. This feature is used to better present error messages to users;
      • Static content (Web-Static-Content) - this tool allows you to use content in the form of static file formats, for example, HTML files or image files, on a web server;
      • HTTP Redirection (Web-Http-Redirect) - using this feature you can redirect a user request to a specific destination, i.e. a redirect;
      • WebDAV Publishing (Web-DAV-Publishing) - allows you to use WebDAV on the IIS web server. WebDAV (Web Distributed Authoring and Versioning) is a technology that allows users to work together (read, edit, read properties, copy, move) on files on remote web servers over the HTTP protocol.
    • Performance (Web-Performance) - a set of services for higher web server performance through output caching and common compression mechanisms such as Gzip and Deflate:
      • Static Content Compression (Web-Stat-Compression) - a tool for configuring the compression of static HTTP content; it allows more efficient use of bandwidth without unnecessary CPU load;
      • Dynamic Content Compression (Web-Dyn-Compression) is a tool for configuring HTTP dynamic content compression. This feature allows for more efficient use of bandwidth, but the server CPU load associated with dynamic compression may cause the site to slow down if the CPU load is high without compression.
    • Application Development (Web-App-Dev) - a set of services and tools for developing and hosting web applications, in other words website development technologies:
      • ASP (Web-ASP) is an environment for supporting and developing web sites and web applications using ASP technology. Currently, there is a newer and more advanced website development technology - ASP.NET;
      • ASP.NET 3.5 (Web-Asp-Net) is an object-oriented development environment for web sites and web applications using ASP.NET technology;
      • ASP.NET 4.6 (Web-Asp-Net45) is also an object-oriented development environment for web sites and web applications using the new version of ASP.NET;
      • CGI (Web-CGI) is the ability to use CGI to transmit information from a web server to an external program. CGI is a certain interface standard for connecting an external program with a web server. The downside is that using CGI affects performance;
      • Server Side Includes (SSI) (Web-Includes) - support for the SSI scripting language, which is used to dynamically generate HTML pages;
      • Application Initialization (Web-AppInit) - this tool initializes web applications before a web page is served;
      • WebSocket Protocol (Web-WebSockets) - adds the ability to create server applications that communicate using the WebSocket protocol. WebSocket is a protocol that allows a browser and a web server to send and receive data simultaneously over a single TCP connection, a kind of extension of the HTTP protocol;
      • ISAPI Extensions (Web-ISAPI-Ext) – support for dynamic development of web content using the ISAPI application programming interface. ISAPI is an API for the IIS web server. ISAPI applications are much faster than ASP files or files that call COM+ components;
      • .NET 3.5 Extensibility (Web-Net-Ext) is a .NET 3.5 extensibility feature that allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
      • .NET 4.6 Extensibility (Web-Net-Ext45) is the .NET 4.6 extensibility feature that also allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
      • ISAPI filters (Web-ISAPI-Filter) – adding support for ISAPI filters. ISAPI filters are programs that are called when the web server receives a specific HTTP request that needs to be processed by the filter.

    FTP server (Web-Ftp-Server) - services that provide support for the FTP protocol. We talked about the FTP server in more detail in the material "Installing and configuring an FTP server on Windows Server 2016". It contains the following services:

    • FTP Service (Web-Ftp-Service) – adds support for the FTP protocol on the web server;
    • FTP Extensibility (Web-Ftp-Ext) – Extends standard FTP capabilities, such as adding support for features such as custom providers, ASP.NET users, or IIS Manager users.

    Management Tools (Web-Mgmt-Tools) - tools for managing the IIS 10 web server: the IIS user interface, command-line tools and scripts.

    • The IIS Management Console (Web-Mgmt-Console) is the user interface for managing IIS;
    • IIS Management Scripts and Tools (Web-Scripting-Tools) - tools and scripts for managing IIS from the command line or from scripts; they can be used, for example, to automate management tasks;
    • Management service (Web-Mgmt-Service) – this service adds the ability to manage the web server remotely from another computer using the IIS manager;
    • IIS 6 Management Compatibility (Web-Mgmt-Compat) - provides compatibility for applications and scripts that use the two IIS 6 APIs, so that existing IIS 6 scripts can be used to manage the IIS 10 web server:
      • IIS 6 Metabase Compatibility (Web-Metabase) - a compatibility tool that allows you to run applications and scripts ported from earlier versions of IIS;
      • IIS 6 Scripting Tools (Web-Lgcy-Scripting) - these tools allow you to use in IIS 10 the same IIS 6 scripting services that were created to manage IIS 6;
      • IIS 6 Management Console (Web-Lgcy-Mgmt-Console) - a tool for administering remote IIS 6.0 servers;
      • IIS 6 WMI Compatibility (Web-WMI) - Windows Management Instrumentation (WMI) scripting interfaces for programmatically controlling and automating IIS 10.0 web server tasks using scripts written against the WMI provider.
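    As an added example that is not from the original article, the following PowerShell script uses the feature names listed above with Get-WindowsFeature to compare an IIS server against a baseline and to preview remediation with -WhatIf. The baseline itself is a constructed assumption for a static-content web front end (it is not a recommendation from the article); adjust it to the purpose of your own server.

```powershell
# Added example, not from the original article: audit the installed IIS role
# services against a constructed baseline built from the feature names above.
Import-Module ServerManager

# Constructed baseline: feature name -> 'required' | 'forbidden' | 'review'
$baseline = @{
    'Web-Server'         = 'required'
    'Web-Static-Content' = 'required'
    'Web-Http-Logging'   = 'required'   # keep activity logs for monitoring
    'Web-Filtering'      = 'required'   # request filtering in front of everything
    'Web-IP-Security'    = 'review'
    'Web-Basic-Auth'     = 'forbidden'  # credentials are only base64-encoded on the wire
    'Web-Digest-Auth'    = 'review'
    'Web-DAV-Publishing' = 'forbidden'  # allows writing content over HTTP
    'Web-Ftp-Server'     = 'forbidden'  # legacy cleartext protocol
    'Web-CGI'            = 'forbidden'  # external programs launched per request
    'Web-Mgmt-Compat'    = 'forbidden'  # IIS 6 metabase/WMI compatibility layer
    'Web-Mgmt-Service'   = 'review'     # remote IIS Manager endpoint
}

function Get-FeatureDrift {
    param([hashtable]$Baseline)
    # One call returns an object per feature with .Name, .DisplayName, .Installed
    $features = Get-WindowsFeature -Name @($Baseline.Keys)
    foreach ($f in $features) {
        $expected = $Baseline[$f.Name]
        $status = switch ($expected) {
            'required'  { if ($f.Installed) { 'ok' } else { 'MISSING' } }
            'forbidden' { if ($f.Installed) { 'UNEXPECTED' } else { 'ok' } }
            'review'    { if ($f.Installed) { 'REVIEW' } else { 'ok' } }
        }
        [pscustomobject]@{
            Feature     = $f.Name
            DisplayName = $f.DisplayName
            Installed   = $f.Installed
            Expected    = $expected
            Status      = $status
        }
    }
}

$drift = Get-FeatureDrift -Baseline $baseline
$drift | Sort-Object Status | Format-Table -AutoSize

# Remediation preview only: -WhatIf reports what would change without touching the server.
$drift | Where-Object Status -eq 'MISSING' |
    ForEach-Object { Install-WindowsFeature -Name $_.Feature -WhatIf }
$drift | Where-Object Status -eq 'UNEXPECTED' |
    ForEach-Object { Uninstall-WindowsFeature -Name $_.Feature -WhatIf }
```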

    Active Directory Domain Services

    The "Active Directory Domain Services" (AD DS) role provides a distributed database that stores and processes information about network resources. This role is used to organize network elements, such as users, computers and other devices, into a hierarchical, secure structure. The hierarchical structure includes forests, domains within the forest, and organizational units (OUs) within each domain. A server running AD DS is called a domain controller.

    The role name for Windows PowerShell is AD-Domain-Services.

    Windows Server Essentials Mode

    This role provides the computer infrastructure of a small business and convenient, efficient functions, for example storing client data in a centralized location and protecting it by backing up the server and client computers, and remote web access that lets you reach data from almost any device. This role requires several role services and features to function, for example the BranchCache features, Windows Server Backup, Group Policy Management and the "DFS Namespaces" role service.

    The name for PowerShell is ServerEssentialsRole.

    Network Controller

    This role was introduced in Windows Server 2016 and provides a single point of automation for managing, monitoring and diagnosing the physical and virtual network infrastructure in the data center. Using this role, you can configure IP subnets, VLANs, physical network adapters of Hyper-V hosts, manage virtual switches, physical routers, firewall settings and VPN gateways from one point.

    The name for Windows PowerShell is NetworkController.

    Host Guardian Service

    This is the Host Guardian Service (HGS) server role. It provides attestation and key protection services that enable guarded hosts to run shielded virtual machines. For this role to function, several additional roles and features are required, for example Active Directory Domain Services, Web Server (IIS), the "Failover Clustering" feature and others.

    The name for PowerShell is HostGuardianServiceRole.

    Active Directory Lightweight Directory Services

    The "Active Directory Lightweight Directory Services" (AD LDS) role is a lightweight version of AD DS with less functionality, but it does not require the deployment of domains or domain controllers and does not have the dependencies and domain restrictions that AD DS requires. AD LDS works over the LDAP protocol (Lightweight Directory Access Protocol). You can deploy multiple AD LDS instances with independently managed schemas on a single server.

    The name for PowerShell is ADLDS.

    MultiPoint Services

    This is also a new role that was introduced in Windows Server 2016. MultiPoint Services (MPS) provides basic remote desktop functionality that allows multiple users to work simultaneously and independently on the same computer. To install and operate this role, you need to install several additional services and components, for example: Print Server, Windows Search service, XPS Viewer and others, all of which will be selected automatically when MPS is installed.

    The role name for PowerShell is MultiPointServerRole.

    Windows Server Update Services

    With this role (WSUS), system administrators can manage Microsoft updates: for example, create separate groups of computers for different sets of updates, and receive reports about computer compliance and the updates that need to be installed. For "Windows Server Update Services" to function, the following role services and features are required: Web Server (IIS), Windows Internal Database and Windows Process Activation Service.

    The name for Windows PowerShell is UpdateServices.

    • WID Connectivity (UpdateServices-WidDB) - configures WSUS to use the Windows Internal Database (WID); in other words, WSUS stores its service data in WID;
    • WSUS Services (UpdateServices-Services) are the WSUS role services, such as Update Service, Reporting Web Service, API Remoting Web Service, Client Web Service, Simple Internet Authentication Web Service, Server Synchronization Service and DSS Web Authentication Service;
    • SQL Server Connectivity (UpdateServices-DB) is the installation of a component that allows the WSUS service to connect to a Microsoft SQL Server database. This option involves storing service data in a Microsoft SQL Server database. In this case, you must already have at least one instance of SQL Server installed.

    Volume Activation Services

    This server role automates and simplifies the issuance of volume licenses for Microsoft software and allows you to manage those licenses.

    The name for PowerShell is VolumeActivation.

    Print and Document Services

    This server role is designed to share printers and scanners on a network, centrally configure and manage print and scan servers, and manage network printers and scanners. Print and Document Services also allows you to send scanned documents via email, network shares, or Windows SharePoint Services sites.

    The name for PowerShell is Print-Services.

    • Print Server (Print-Server) - this role service includes the "Print Management" console, which is used to manage printers and print servers, as well as to migrate printers and other print servers;
    • Internet Printing (Print-Internet) - to implement printing over the Internet, a website is created through which users can manage print jobs on the server. For this service to work, as you understand, "Web server (IIS)" must be installed; all required components are selected automatically when you check the "Internet Printing" role service during installation;
    • Distributed Scan Server (Print-Scan-Server) - a service that receives scanned documents from network scanners and sends them to their destination. This service also contains the "Scan Management" console, which is used to manage network scanners and to configure scanning;
    • LPD Service (Print-LPD-Service) - the LPD (Line Printer Daemon) service allows UNIX-based computers and other computers that use the Line Printer Remote (LPR) service to print to shared server printers.

    Network Policy and Access Services

    The "Network Policy and Access Services" (NPAS) role allows you to use Network Policy Server (NPS) to define and enforce policies for network access, authentication and authorization, and client health, in other words to ensure network security.

    The name for Windows PowerShell is NPAS.

    Windows Deployment Services

    Using this role, you can install the Windows operating system remotely over a network.

    The role name for PowerShell is WDS.

    • Deployment Server (WDS-Deployment) – this role service is designed for remote deployment and configuration of Windows operating systems. It also allows you to create and customize images for reuse;
    • Transport Server (WDS-Transport) - this service contains the main network components with which you can transfer data by multicast on a standalone server.

    Active Directory Certificate Services

    This role is designed to create certificate authorities and associated role services that enable you to issue and manage certificates for various applications.

    The name for Windows PowerShell is AD-Certificate.

    Includes the following role services:

    • Certificate Authority (ADCS-Cert-Authority) – using this role service, you can issue certificates to users, computers and services, and also manage the validity of the certificate;
    • Certificate Enrollment Policy Web Service (ADCS-Enroll-Web-Pol) - this service allows users and computers to obtain certificate enrollment policy information using a web browser, even if the computer is not a domain member. It requires "Web server (IIS)";
    • Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) - this service allows users and computers to enroll and renew certificates using a web browser over HTTPS, even if the computer is not a domain member. It also requires "Web server (IIS)";
    • Online Responder (ADCS-Online-Cert) - a service that checks certificate revocation for clients. In other words, it accepts a request for the revocation status of specific certificates, evaluates the status of those certificates, and sends back a signed response with the status information. It requires "Web server (IIS)";
    • Certification Authority Web Enrollment (ADCS-Web-Enrollment) - this service provides a web interface for users to perform tasks such as requesting and renewing certificates, obtaining certificate revocation lists, and enrolling smart card certificates. It requires "Web server (IIS)";
    • Network Device Enrollment Service (ADCS-Device-Enrollment) - using this service, you can issue and manage certificates for routers and other network devices that do not have network accounts. It requires "Web server (IIS)".

    Remote Desktop Services

    A server role that allows you to provide access to virtual desktops, session-based desktops, and RemoteApps.

    The role name for Windows PowerShell is Remote-Desktop-Services.

    Consists of the following services:

    • Remote Desktop Web Access (RDS-Web-Access) – this role service lets users reach remote desktops and RemoteApp programs through the Start menu or a web browser;
    • Remote Desktop Licensing (RDS-Licensing) – manages the licenses required to connect to a Remote Desktop Session Host server or a virtual desktop. It is used to install licenses, issue them, and track their availability. Requires "Web Server (IIS)";
    • Remote Desktop Connection Broker (RDS-Connection-Broker) – a role service that reconnects a user to an existing virtual desktop, RemoteApp program or session-based desktop, and load-balances connections across Remote Desktop Session Host servers or across virtual desktops in a pool. This service requires the " ";
    • Remote Desktop Virtualization Host (RDS-Virtualization) – lets users connect to virtual desktops through RemoteApp and Desktop Connection. It works together with Hyper-V, so that role must be installed as well;
    • Remote Desktop Session Host (RDS-RD-Server) – hosts RemoteApp programs and session-based desktops on a server. Users connect with the Remote Desktop Connection client or through RemoteApp;
    • Remote Desktop Gateway (RDS-Gateway) – lets authorized remote users connect to virtual desktops, RemoteApp programs, and session-based desktops on the corporate network from the Internet. The following additional services and components are required: "Web Server (IIS)", "Network Policy and Access Services", "RPC over HTTP Proxy".

    Active Directory Rights Management Services

    This server role protects information from unauthorized use. It verifies user identities and issues authorized users licenses for access to protected data. Additional services and components are required for this role to function: "Web Server (IIS)", "Windows Process Activation Service", ".NET Framework 4.6 Features".

    The name for Windows PowerShell is ADRMS.

    • Active Directory Rights Management Server (ADRMS-Server) is the main role service and is required for installation;
    • Identity Federation Support (ADRMS-Identity) is an optional role service that allows federated identities to consume protected content using Active Directory Federation Services.

    Active Directory Federation Services

    This role provides simplified and secure identity federation capabilities, as well as browser-based single sign-on (SSO) to websites.

    The name for PowerShell is ADFS-Federation.

    Remote access

    This role provides connectivity through DirectAccess, VPN, and Web Application Proxy. The "Remote Access" role also provides traditional routing features, including Network Address Translation (NAT) and other connection options. This role requires additional services and components: "Web Server (IIS)", "Windows Internal Database".

    The role name for Windows PowerShell is RemoteAccess.

    • DirectAccess and VPN (RAS) (DirectAccess-VPN) – lets users reach the corporate network whenever they have Internet access, via DirectAccess, and also provides VPN connections built on tunneling and data-encryption technologies;
    • Routing – provides support for NAT routers, LAN routers using the BGP and RIP protocols, and routers with multicast support (IGMP proxy);
    • Web Application Proxy (Web-Application-Proxy) – publishes HTTP- and HTTPS-based applications from the corporate network to client devices located outside the corporate network.

    File and Storage Services

    This is a server role that can be used to share files and folders, manage and control shares, replicate files, provide fast file searches, and provide access to UNIX client computers. We looked at file services and in particular the file server in more detail in the material “Installing a File Server on Windows Server 2016”.

    The name for Windows PowerShell is FileAndStorage-Services.

    Storage Services – this service provides storage management functionality; it is always installed and cannot be removed.

    File Services and iSCSI Services (File-Services) – these technologies simplify the management of file servers and storage, save disk space, provide replication and caching of files in branch offices, and provide file sharing over the NFS protocol. Includes the following role services:

    • File Server (FS-FileServer) is a role service that manages shared folders and provides users with access to files on this computer over the network;
    • Data deduplication (FS-Data-Deduplication) – this service saves disk space by storing only one copy of identical data on a volume;
    • File Server Resource Manager (FS-Resource-Manager) – Using this service, you can manage files and folders on a file server, create storage reports, categorize files and folders, configure folder quotas, and define file blocking policies;
    • iSCSI Target Storage Provider (Hardware VDS and VSS Providers) (iSCSITarget-VSS-VDS) – The service allows applications on a server connected to an iSCSI target to shadow copy volumes on iSCSI virtual disks;
    • DFS namespaces (FS-DFS-Namespace) - using this service, you can group shared folders located on different servers into one or more logically structured namespaces;
    • Work Folders (FS-SyncShareService) – lets users work with their files on several computers, both work and personal. Files stored in Work Folders are synchronized and can be accessed from the local network or the Internet. Requires the "IIS In-Process Web Engine" component;
    • DFS Replication (FS-DFS-Replication) is a data replication module between multiple servers that allows you to synchronize folders over a local or global network connection. This technology uses the Remote Differential Compression (RDC) protocol to update only those portions of files that have changed since the last replication. DFS Replication can be used in conjunction with DFS namespaces or separately;
    • Server for NFS (FS-NFS-Service) - a service that allows this computer to share files with UNIX-based computers and other computers that use the Network File System (NFS) protocol;
    • iSCSI Target Server (FS-iSCSITarget-Server) – Provides services and management tools for iSCSI targets;
    • BranchCache for Network Files (FS-BranchCache) – provides BranchCache support on this file server;
    • File Server VSS Agent Service (FS-VSS-Agent) - The service allows you to perform volume shadow copies for applications that store data files on this file server.

    Fax server

    The role sends and receives faxes and lets you manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network. It requires "Print Server".

    The role name for Windows PowerShell is Fax.
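    The PowerShell names listed above are what Get-WindowsFeature and Install-WindowsFeature expect. The following is an added example (not code from the original article) that inventories some of those role services on the local server, shows which features each one depends on, and previews an installation with -WhatIf so the pulled-in dependencies such as Web Server (IIS) become visible without changing anything. The list of names is constructed from the roles described above; it assumes the ServerManager module, which ships with Windows Server 2016.

```powershell
# Added example: inventory role services by their PowerShell names and
# preview an install. Requires the ServerManager module on Windows Server.
Import-Module ServerManager

# Role service names taken from the article; the selection is constructed here.
$roleServices = @(
    'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc',
    'RDS-Gateway', 'RDS-Web-Access', 'Web-Application-Proxy',
    'FS-FileServer', 'FS-NFS-Service', 'FS-iSCSITarget-Server', 'Fax'
)

# Install state of each listed role service, plus the features it depends on.
# Roles that expose an IIS endpoint (web enrollment, RD Gateway, Web
# Application Proxy) show Web-Server among their dependencies.
Get-WindowsFeature -Name $roleServices |
    Select-Object Name, DisplayName, InstallState,
        @{ Name = 'DependsOn'; Expression = { $_.DependsOn -join ', ' } } |
    Format-Table -AutoSize

# Preview an install without changing anything: -WhatIf lists every feature
# that would be added, including dependencies such as Web Server (IIS),
# Network Policy and Access Services and RPC over HTTP Proxy.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools -WhatIf
```

    Running the inventory on each server is a quick way to find roles that were installed as dependencies and then forgotten, which matters most for the IIS-hosted ones.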

    This concludes the review of Windows Server 2016 server roles. I hope the material was useful to you, bye!

    Applying Group Policies (Part 3)

    Typically, GPOs are assigned to a container (domain, site, or OU) and apply to all objects in that container. With a well-organized domain structure, this is quite enough, but sometimes it is necessary to further limit the application of policies to a certain group of objects. To do this, you can use two types of filters.

    Security filters

    Security filters allow you to limit the application of policies to a specific security group. For example, let's take GPO2, which is used to centrally configure the Start menu on workstations with Windows 8.1\Windows 10. GPO2 is assigned to the Employees OU and applies to all users without exception.

    Now let's go to the "Scope" tab, where the "Security Filtering" section lists the groups to which this GPO can be applied. By default the Authenticated Users group is listed here, which means the policy can be applied to any user or computer that has successfully authenticated to the domain.

    In fact, each GPO has its own access list, which can be seen on the Delegation tab.

    To apply a policy, an object must have the rights to read it (Read) and apply it (Apply group policy), which the Authenticated Users group has. Accordingly, in order for the policy to apply not to everyone, but only to a specific group, you need to remove Authenticated Users from the list, then add the desired group and give it the appropriate rights.

    So in our example, the policy can only be applied to the Accounting group.
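    The same change can be made from PowerShell with the GroupPolicy module. The block below is an added example, not code from the original article; GPO2 and Accounting are the names used above, and your domain will differ. It deviates from the GUI steps in one respect: rather than removing Authenticated Users entirely, it reduces that group to Read only and removes the Apply right, for the reason given after the code.

```powershell
# Added example: scope GPO2 to the Accounting group with the GroupPolicy
# module instead of the GPMC Delegation tab.
Import-Module GroupPolicy

$gpoName = 'GPO2'        # the article's GPO name
$group   = 'Accounting'  # the article's target security group

# Reduce Authenticated Users to Read only. -Replace overwrites the current
# Read + Apply level; without it the cmdlet keeps the higher existing level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Grant Read + Apply group policy to the target group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# Verify the resulting ACL: only the Accounting group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } },
        TrusteeType, Permission, Denied |
    Format-Table -AutoSize
```

    Since the June 2016 Group Policy security update (MS16-072), the user part of a GPO is read using the computer's security context, so a GPO that no longer grants Read to Authenticated Users (or to Domain Computers) silently stops applying its user settings. Keeping Read and removing only Apply, as the example does, achieves the filtering without that side effect; the Get-GPPermission output is the place to confirm the final state.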

    WMI filters

    Windows Management Instrumentation (WMI) is one of the most powerful tools for managing the Windows operating system. WMI contains a large number of classes that describe almost any parameter of a user or computer. You can list all available WMI classes in PowerShell by running the command:

    Get-WmiObject -List

    For example, let's take the Win32_OperatingSystem class, which describes the properties of the operating system. Suppose we want to filter out every operating system except Windows 10. Go to a computer with Windows 10 installed, open the PowerShell console, and display the name, version, and type of the operating system with the command:

    Get-WmiObject -Class Win32_OperatingSystem | fl Name, Version, ProductType

    For the filter we use the OS version and type. The version is the same for client and server operating systems and is defined as follows:

    Windows Server 2016\Windows 10 - 10.0
    Windows Server 2012 R2\Windows 8.1 - 6.3
    Windows Server 2012\Windows 8 - 6.2
    Windows Server 2008 R2\Windows 7 - 6.1
    Windows Server 2008\Windows Vista - 6.0

    The product type is responsible for the purpose of the computer and can have 3 values:

    1 - workstation;
    2 - domain controller;
    3 - server.

    Now let's move on to creating the filter. To do this, open the “Group Policy Management” snap-in and go to the “WMI Filters” section. Right-click on it and select “New” from the context menu.

    In the window that opens, give the filter a name and description. Then click the “Add” button and enter the WQL query in the “Query” field, which is the basis of the WMI filter. We need to select OS version 10.0 with type 1, so the request will look like this:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = "1"

    Note. Windows Query Language (WQL) is the WMI query language. You can find out more about it on MSDN.

    Save the resulting filter.

    Now all that remains is to assign the WMI filter to a group policy object, for example to GPO3. Go to the GPO properties, open the “Scope” tab and in the “WMI Filtering” field, select the desired filter from the list.
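    A WMI filter passes on a given computer exactly when its WQL query returns at least one instance there, so the query can be tried against real machines before the filter is linked to GPO3. The following is an added example, not code from the original article: it wraps the article's query in a small test function and shows, for the local machine and for wks2, the version and product type values alongside the pass/fail result. Get-CimInstance is used in place of the Get-WmiObject cmdlet shown above; the remote call assumes WinRM is enabled on the target.

```powershell
# Added example: evaluate the article's WMI filter query against a computer
# and show why it passes or fails. Remote queries assume WinRM is reachable.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = "1"'

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Same rule the Group Policy client applies: the filter passes when the
    # query returns at least one instance. @() forces an array so .Count works
    # for zero, one or many results.
    $hits = @(Get-CimInstance -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    [pscustomobject]@{
        Computer    = $ComputerName
        OSName      = $os.Caption
        Version     = $os.Version       # 10.0 for both Windows 10 and Server 2016
        ProductType = $os.ProductType   # 1 workstation, 2 domain controller, 3 server
        FilterPass  = ($hits.Count -gt 0)
    }
}

# Local machine (Windows 10 in the article's scenario): expected FilterPass True.
Test-WmiFilterQuery -Query $wql
# wks2 runs Windows 7 (version 6.1), so FilterPass is False there, which is
# what gpresult later confirms. A Server 2016 box would also fail, on
# ProductType alone, which is why the query checks both fields.
Test-WmiFilterQuery -Query $wql -ComputerName 'wks2'
```

    One point worth keeping in mind when reading the results: a WMI filter is always evaluated on the computer that processes the GPO, even for the user half of a policy, so a user-settings GPO filtered this way follows the machine the user logs on to, not the user.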

    Analysis of Group Policy Applications

    With so many ways to filter GPOs, you need to be able to diagnose and analyze how they are applied. The easiest way to check the effect of group policies on a computer is the gpresult command-line utility.

    For example, let's go to the wks2 computer on which Windows 7 is installed and check whether the WMI filter has worked. To do this, open the cmd console with administrator rights and run the command gpresult /r, which displays summary information about group policies applied to the user and computer.

    Note. The gpresult utility has many settings, which you can view with the command gpresult /?.

    As you can see from the data obtained, the GPO3 policy was not applied to the computer because it was filtered using the WMI filter.

    You can also check the effect of GPO from the “Group Policy Management” snap-in, using a special wizard. To launch the wizard, right-click on the “Group Policy Results” section and select “Group Policy Results Wizard” from the menu that opens.

    Specify the name of the computer for which the report will be generated. If you only want to view user Group Policy settings, you don't have to collect settings for your computer. To do this, you need to check the box below (display user policy settings only).

    Then we select the user name for which data will be collected, or you can specify not to include group policy settings for the user in the report (display computer policy settings only).

    We check the selected settings, click “Next” and wait while the data is collected and the report is generated.

    The report contains comprehensive information about the GPOs applied (or not applied) to the user and computer, as well as the filters used.

    For example, let's create reports for two different users and compare them. Let's first open the report for the user Kirill and go to the user settings section. As you can see, the GPO2 policy was not applied to this user because he does not have rights to apply it (Reason Denied - Inaccessible).

    Now let’s open the report for the user Oleg. This user is a member of the Accounting group, so the policy was successfully applied to him. This means that the security filter has worked successfully.
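    Both the gpresult check and the Group Policy Results wizard above read the same Resultant Set of Policy data, and that data can be fetched as XML and processed for many computers at once. The block below is an added example, not code from the original article: it generates the report for wks2 and the user Kirill with Get-GPResultantSetOfPolicy, then lists every GPO with the reason it was or was not applied, distinguishing the security-filter denial the report shows as "Inaccessible" from a WMI-filter miss. The report path and the element names used for the decision (AccessDenied, FilterAllowed, Enabled) are those of the RSoP XML schema produced by gpresult /x; the computer and user names are the article's.

```powershell
# Added example: collect RSoP data as XML and summarize, per GPO, whether it
# applied and which filter blocked it. Requires admin rights on the target
# computer and the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

function Get-GpoApplicationSummary {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [string] $User                       # omit to collect computer settings only
    )
    $path   = Join-Path $env:TEMP "rsop-$Computer.xml"   # assumed output location
    $params = @{ Computer = $Computer; ReportType = 'Xml'; Path = $path }
    if ($User) { $params['User'] = $User }
    Get-GPResultantSetOfPolicy @params | Out-Null

    [xml]$rsop = Get-Content -Path $path
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $results = $rsop.Rsop.$scope
        if (-not $results) { continue }
        foreach ($gpo in $results.GPO) {
            # The RSoP schema records each filtering decision separately:
            #   AccessDenied  = true  -> security filtering (no Read/Apply); the
            #                            wizard report shows this as "Inaccessible"
            #   FilterAllowed = false -> the linked WMI filter returned nothing
            #   Enabled       = false -> the GPO or its link is disabled
            $status = if ($gpo.AccessDenied -eq 'true')   { 'Denied (security filter)' }
                      elseif ($gpo.FilterAllowed -eq 'false') { "Denied (WMI filter $($gpo.FilterName))" }
                      elseif ($gpo.Enabled -eq 'false')      { 'Disabled' }
                      else                                   { 'Applied' }
            [pscustomobject]@{
                Scope  = $scope -replace 'Results$'
                GPO    = $gpo.Name
                Status = $status
            }
        }
    }
}

# wks2 runs Windows 7, so GPO3 should show "Denied (WMI filter ...)"; Kirill is
# outside the Accounting group, so GPO2 should show "Denied (security filter)".
Get-GpoApplicationSummary -Computer 'wks2' -User 'Kirill' | Format-Table -AutoSize
```

    The user must have logged on to that computer at least once for user results to exist, and the user name may need the DOMAIN\user form. Running the function over a list of computers and keeping the output turns the one-off wizard check into a repeatable record of which policies actually reach which machines.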

    This is where I’ll probably end the “fascinating” story about using group policies. I hope this information will be useful and help you in the difficult task of system administration :)
