Module 6 - Implementing A Group Policy Infrastructure

07/06/13
Module 6: Implementing a Group Policy Infrastructure
Module6:ImplementingaGroupPolicyInfrastructure
Contents: Lesson1: Lesson2: LabA: Lesson3: LabB: Lesson4: Lesson5: LabC: UnderstandGroupPolicy ImplementGPOs ImplementGroupPolicy ManageGroupPolicyScope ManageGroupPolicyScope GroupPolicyProcessing TroubleshootPolicyApplication TroubleshootPolicyApplication
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe
1/135
07/06/13
InModule1,youlearnedthatActiveDirectoryDomainServices(ADDS)provides thefoundationalservicesofanidentityandaccesssolutionforenterprisenetworks runningWindows,andthatADDSalsosupportsthemanagementand configurationofeventhelargest,mostcomplexnetworks.InModules2through5, youlearnedhowtoadministerADDSsecurityprincipals:users,groups,and computers.Now,youwillexaminethemanagementandconfigurationofusersand computersbyusingGroupPolicy.GroupPolicyprovidesaninfrastructurewithinwhich settingscanbedefinedcentrallyanddeployedtousersandcomputersinthe enterprise. InanenvironmentmanagedbyawellimplementedGroupPolicyinfrastructure,little ornoconfigurationneedstobemadebydirectlytouchingadesktop.Theentire
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 2/135
07/06/13
configurationisdefined,enforced,andupdatedbyusingthesettingsinGroupPolicy objects(GPOs)thataffectaportionoftheenterpriseasbroadasanentiresiteora domain,orasnarrowasasingleorganizationalunit(OU)oragroup.Inthismodule, youwilllearnwhatGroupPolicyis,howitworks,andhowbesttoimplementitin yourorganization.SeveralsubsequentmoduleswillapplyGroupPolicytospecific managementtaskssuchassecurityconfiguration,softwaredeployment,password policy,andauditing.
Objectives
Aftercompletingthismodule,youwillbeableto: DescribethecomponentsandtechnologiesthatcomprisetheGroupPolicy framework. ImplementGPOs. Configureandunderstandavarietyofpolicysettingtypes. UnderstandandconfigureGroupPolicypreferences. ScopeGPOsbyusinglinks,securitygroups,WindowsManagement Instrumentationfilters,loopbackprocessing,andpreferencetargeting. DescribehowGPOsareprocessed. LocatetheeventlogscontainingGroupPolicyrelatedeventsandtroubleshoot GroupPolicyapplication.
07/06/13
Lesson 1: Understand Group Policy
AGroupPolicyinfrastructurehasseveralmovingparts.Youneedtounderstandnot onlywhateachpartdoes,butalsohowtheyworktogetherandwhyyoumightwant toassembletheminvariousconfigurations.Inthislesson,youwillgeta comprehensiveoverviewofGroupPolicy:itscomponents,itsfunctions,anditsinner workings.
Objectives
07/06/13
Aftercompletingthislesson,youwillbeableto: Identifythebusinessdriversforconfigurationmanagement. UnderstandthecorecomponentsandterminologyofGroupPolicy. ExplainthefundamentalsofGroupPolicyprocessing.
What Is Configuration Management?
Ifyouhaveonlyonecomputerinyourenvironmentathome,forexampleandyou needtomodifythedesktopbackground,thereareseveralwaystodothat.Most
07/06/13
peoplewouldprobablyopenPersonalizationfromControlPanelandmakethechange byusingtheWindowsinterface.Thatworkswellforoneuser,butmaybecome tediousifyouwanttomakethechangeacrossmultipleusers.Say,forexample,that youwantthesamebackgroundforyourselfandyourfamily.Youhavetomakethe changemultipletimes,andthenifyoueverchangeyourmindandwanttochange thebackgroundyetagain,youhavetoreturntoeachuser'sprofileandmakethe change.Implementingthechangeandmaintainingaconsistentenvironmentbecomes evenmoredifficultacrossmultiplecomputers. Configurationmanagementisacentralizedapproachtoapplyingoneormorechanges tooneormoreusersorcomputers.Ifyourememberthat,everythingelsewillbe easiertounderstand.Thekeyelementsofconfigurationmanagementare: Acentralizeddefinitionofachange,whichisknownasasetting.Thesettingbrings auseroracomputertoadesiredstateofconfiguration. Adefinitionoftheuser(s)orcomputer(s)towhomthechangeapplies,whichis knownasthescopeofthechange. Amechanismorprocessthatensuresthatthesettingisappliedtousersand computerswithinthescope,whichisknownastheapplication.
GroupPolicyisaframeworkwithinWindowswithcomponentsthatresideinActive Directory,ondomaincontrollers,andoneachWindowsserverandclientthat
07/06/13
enablesyoutomanageconfigurationinanADDSdomain.Asweturnourattention toGroupPolicy,whichcanbecomeverycomplex,alwaysrememberthateverything boilsdown,intheend,tojustthesefewbasicelementsofconfiguration management.
Overview of Policies
ThemostgranularcomponentoftheGroupPolicyisanindividualpolicysetting,also knownsimplyasapolicythatdefinesaspecificconfigurationchangetoapply.For example,apolicysettingexiststhatpreventsauserfromaccessingregistryediting tools.Ifyoudefinethatpolicysettingandapplyittotheuser,theuserwillbeunable toruntoolssuchasRegedit.exe.Anotherpolicysettingisavailablethatyoucanuse

07/06/13
torenamethelocalAdministratoraccount.Youcanusethispolicysettingtorename theAdministratoraccountonalluserdesktopsandlaptops. Thesetwoexamplesillustrateanimportantpoint:thatsomepolicysettingsaffecta user,regardlessofthecomputertowhichtheuserlogson,andotherpolicysettings affectacomputer,regardlessofwhichuserlogsontothatcomputer.Policysettings suchasthesettingthatpreventsaccesstoregistryeditingtoolsareoftenreferredto asuserconfigurationsettingsorusersettings.Policysettingssuchastheonethat disablestheAdministratoraccountandsimilarsettingsareoftenreferredtoas computerconfigurationsettingsorcomputersettings.Youwillalsohearthese referredtoasuserpoliciesandcomputerpolicies.Theterminologyusedinthe industryisnotexact. TherearevariouspolicysettingsthatcanbemanagedbyGroupPolicy,andthe frameworkisextensible.So,intheend,youcouldmanagejustaboutanythingwith GroupPolicy. Todefineapolicysetting,doubleclickit. ThepolicysettingPropertiesdialogboxappears. Apolicysettingcanhavethreestates:NotConfigured,Enabled,andDisabled. InanewGPO,everypolicysettingissettoNotConfigured.Thismeansthatthe
07/06/13
GPOwillnotmodifytheexistingconfigurationofthatparticularsettingforauseror computer.Ifyouenableordisableapolicysetting,achangewillbemadetothe configurationofusersandcomputerstowhichtheGPOisapplied. Theeffectofthechangedependsonthepolicysetting.Forexample,ifyouenable thePreventAccessToRegistryEditingToolspolicysetting,userswillbeunable tolaunchtheRegedit.exeRegistryEditor.Ifyoudisablethepolicysetting,youensure thatuserscanlaunchtheRegistryEditor.Noticethedoublenegativeinthispolicy setting:Youdisableapolicythatpreventsanaction,soyouallowtheaction. Somepolicysettingsbundleseveralconfigurationsintoonepolicyandmightrequire additionalparameters.Inthescreenshotabove,youcanseethatbyenablingthe policytorestrictregistryeditingtools,youcanalsodefinewhetherregistryfilescan bemergedintothesystemsilentlybyusingregedit/s. NoteManypolicysettingsarecomplex,andtheeffectofenablingordisabling themmightnotbeimmediatelyclear.Also,somepolicysettingsaffectonly certainversionsofWindows.
BesuretoreviewapolicysettingsexplanatorytextintheGroupPolicyManagement Editor(GPME)detailpaneorontheExplaintabinthepolicysettingsProperties dialogbox.Inaddition,alwaystesttheeffectsofapolicysettinganditsinteractions withotherpolicy

07/06/13
settingsbeforedeployingachangeintheproductionenvironment. YouwillexplorepolicysettingsandhowtomanagetheminLesson3.
Benefits of Using Group Policy
GroupPoliciesareaverypowerfuladministrativetool.Youcanusethemtoenforce varioustypesofsettingstoalargenumberofusersandcomputers.Becausetheycan beappliedtovariouslevelsfromlocaltodomain,youcanalsofocusthesesettings veryprecisely. Primarily,youcanuseGroupPoliciestoconfiguresettingsthatyoudonotwantusers

07/06/13
toconfigure.Also,GroupPoliciesareusuallyusedtostandardizedesktop environmentsonallthecomputersinanorganizationalunitorwholeorganization. YoualsocanuseGroupPoliciestoprovideadditionalsecurityandsomeadvanced systemsettings. MostoftenGroupPoliciesareusedforfollowingpurposes.
Apply Security Settings

InWindowsServer2008R2,GPOsincludealargenumberofsecurityrelatedsettings thatyoucanapplytobothusersandcomputers.Forexample,youcanenforce settingsforWindowsFirewallandconfigureAuditing,EncryptingFileSystem(EFS) policiesandothersecuritysettings.Youcanalsoconfigurefullsetofuserrights assignments.
Manage Desktop and Application Settings

YoucanuseaGroupPolicytoprovideaconsistentdesktopandapplication environmenttoallusersinyourorganizationUsingGPOs,itispossibletoconfigure eachsettingthataffectsthelookandfeelofuserenvironmentandalsotoconfigure settingsforsomeapplicationsthatsupportGPOs.
Deploy Software
GroupPoliciescanalsobeusedtodeploysoftwareforusersorcomputers.All softwarethatisprovidedinthe.msiformatcanbedeployedbyusingGroupPolicy.
07/06/13
Youcanenforceautomaticsoftwareinstallationoryoucanletyourusersdecideif theywantthesoftwaretobedeployedtotheirmachinesornot.
Manage Folder Redirection

WithFolderRedirection,youcaneasilymanageandbackupdata.Byredirecting folders,youcanensurethatusershaveaccesstotheirdataregardlessofthe computerthattheyusetologon.Also,youcancentralizeallusersdatatooneplace onthenetworkserver,whilestillprovidingtheuseranexperiencesimilartostoring thesefoldersontheircomputers.
Configure Network Settings.

UsingGroupPolicies,youcanconfigurevariousnetworksettingsonclientcomputers. Forexample,youcanenforcesettingsforwirelessnetworkstoallowuserstoconnect onlytospecificSSIDsandwithpredefinedauthenticationandencryptionsettings. Youcanalsodeploypoliciesthatapplytowirednetworksettingsaswellasconfigure clientsideofservicessuchasNetworkAccessProtection
Group Policy Objects
12/135
07/06/13
PolicysettingsaredefinedandexistwithinaGPO.AGPOisanobjectthatcontains oneormorepolicysettingsandtherebyappliesoneormoreconfigurationsettings forauseroracomputer. GPOscanbemanagedinActiveDirectorybyusingtheGroupPolicyManagement console(GPMC),shownhere:
13/135
07/06/13
GPOsaredisplayedinacontainernamedGroupPolicyObjects. TocreateanewGPOinadomain,rightclicktheGroupPolicyObjectscontainer, andthenclickNew.TomodifytheconfigurationsettingsinaGPO,rightclickthe GPO,andthenclickEdit. TheGPOopensintheGPMEsnapin,formerlyknownastheGroupPolicyObject Editor(GPOEditor),shownhere:
14/135
07/06/13
TheGPMEdisplaysthethousandsofpolicysettingsavailableinaGPOinan organizedhierarchythatbeginswiththedivisionbetweencomputersettingsanduser settings,theComputerConfigurationnodeandtheUserConfigurationnode.The nextlevelsofthehierarchyaretwonodescalledPoliciesandPreferences.Youwill learnaboutthedifferencebetweenthesetwonodesasthislessonprogresses.Drilling deeperintothehierarchy,youwillseethattheGPMEdisplaysfolders,whicharealso callednodesorpolicysettinggroups.Withinthefoldersarethepolicysettings themselves.ThePreventAccessToRegistryEditingToolsoptionisselectedinthe screenshotshownhere. TheGPOmustbeappliedtodomain,site,orOUintheADDShierarchyforthe settingswithintheobjecttotakeeffect.
07/06/13
YouwilllearnhowtoimplementandmanageGPOsinLesson2.
GPO Scope
ConfigurationisdefinedbypolicysettingsinGPOs.However,theconfiguration changesinaGPOdonotaffectcomputersorusersinyourenterpriseuntilyouhave specifiedthecomputersoruserstowhichtheGPOapplies.Thisiscalledscopinga GPO.ThescopeofaGPOisthecollectionofusersandcomputersthatwillapplythe settingsintheGPO. YoucanuseseveralmethodstomanagethescopeofGPOs.ThefirstistheGPOlink. GPOscanbelinkedtosites,domains,andOUsinActiveDirectory.Thesite,domain,

07/06/13
orOUthenbecomesthemaximumscopeoftheGPO.Allcomputersanduserswithin thesite,domain,orOU,includingthoseinchildOUs,willbeaffectedbythe configurationsspecifiedbythepolicysettingsintheGPO.AsingleGPOcanbelinked tomorethanonesiteorOU. YoucanfurthernarrowthescopeoftheGPOwithoneoftwotypesoffilters:security filtersthatspecifyglobalsecuritygroupstowhichtheGPOshouldorshouldnot apply,andWindowsManagementInstrumentation(WMI)filtersthatspecifyascope byusingcharacteristicsofasystem,suchasoperatingsystemversionorfreedisk space.UsesecurityfiltersandWMIfilterstonarroworspecifythescopewithinthe initialscopecreatedbytheGPOlink. WindowsServer2008introducedanewcomponentofGroupPolicy:GroupPolicy Preferences.SettingsthatareconfiguredbyGroupPolicyPreferenceswithinaGPO canbefilteredortargetedbasedonseveralcriteria.Targetedpreferencesallowyouto furtherrefinethescopeofPreferenceswithinasingleGPO.
Group Policy Client and Client-Side Extensions
17/135
07/06/13
Howexactlyarethepolicysettingsapplied?WhenGroupPolicyrefreshbegins,a servicerunningonallWindowssystems,whichiscalledtheGroupPolicyClientin WindowsVista,Windows7,WindowsServer2008,andWindowsServer2008R2, determineswhichGPOsapplytothecomputeroruser.Thisservicedownloadsany GPOsthatarenotalreadycached.Then,aseriesofprocessescalledclientside extensions(CSEs)interpretthesettingsinaGPOandmakeappropriatechangesto thelocalcomputerortothecurrentlyloggedonuser.ThereareCSEsforeachmajor categoryofpolicysetting.Forexample,thereisasecurityCSEthatappliessecurity changes,aCSEthatexecutesstartupandlogonscripts,aCSEthatinstallssoftware, andaCSEthatmakeschangestoregistrykeysandvalues.EachversionofWindows hasaddedCSEstoextendthefunctionalreachofGroupPolicy.Thereareseveral dozenCSEsnowinWindows.
07/06/13
OneofthemoreimportantconceptstorememberaboutGroupPolicyisthatitis reallyclientdriven.TheGroupPolicyclientpullstheGPOsfromthedomain, triggeringtheCSEstoapplysettingslocally.GroupPolicyisnotapushtechnology. Infact,thebehaviorofCSEscanbeconfiguredbyusingGroupPolicy.MostCSEswill applysettingsinaGPOonlyifthatGPOhaschanged.Thisbehaviorimprovesoverall policyprocessingbyeliminatingredundantapplicationsofthesamesettings.Most policiesareappliedinsuchawaythatstandarduserscannotchangethesettingon theirsystemtheywillalwaysbesubjecttotheconfigurationenforcedbyGroup Policy.However,somesettingscanbechangedbystandardusers,andmanycanbe changedifauserisanadministratoronthatsystem.Ifusersinyourenvironmentare administratorsontheircomputers,considerconfiguringCSEstoreapplypolicy settingseveniftheGPOhasnotchanged.Thatway,ifanadministrativeuser changesaconfigurationsothatitisnolongercompliantwithpolicy,theconfiguration willberesettoitscompliantstateatthenextGroupPolicyrefresh. NoteYoucanconfigureCSEstoreapplypolicysettings,eveniftheGPOhas notchanged,atbackgroundrefresh.Todoso,configureaGPOscopedto computersanddefinethesettingsintheComputer Configuration\Policies\AdministrativeTemplates\System\GroupPolicynode. ForeachCSEyouwanttoconfigure,openitspolicyprocessingpolicysetting, suchasRegistryPolicyProcessingfortheRegistryCSE.ClickEnabledand selecttheProcesseveniftheGroupPolicyobjectshavenotchangedcheck box.
19/135
07/06/13
Animportantexceptiontothedefaultpolicyprocessingsettingsissettingsmanaged bythesecurityCSE.Securitysettingsarereappliedevery16hoursevenifaGPOhas notchanged. NoteEnabletheAlwaysWaitForNetworkAtStartupAndLogonpolicysetting forallWindowsclients.Withoutthissetting,bydefault,WindowsXP,Windows Vista,andWindows7clientsperformonlybackgroundrefreshesaclient mightstartup,andausermightlogonwithoutreceivingthelatestpolicies fromthedomain.ThesettingislocatedinComputer Configuration\Policies\AdministrativeTemplates\System\Logon.Besureto readthepolicysettingsexplanatorytext.Thecontoso.comdomainusedin thiscoursehasbeenpreconfiguredwiththisadditionalGroupPolicysetting.
Group Policy Refresh
20/135
07/06/13
Whenarepoliciesapplied?PolicysettingsintheComputerConfigurationnodeare appliedatsystemstartupandevery90120minutesthereafter.UserConfiguration policysettingsareappliedatlogonandevery90120minutesthereafter.The applicationofpoliciesiscalledGroupPolicyrefresh. YoucanalsoforceapolicyrefreshbyusingtheGPUpdatecommand. YouwilllearnmoreaboutGroupPolicyrefreshinLesson6.
Review the Components of Group Policy

07/06/13
Asdiscussedinprevioustopics,themostimportantcomponentstotakecareofwhen dealingwithGroupPoliciesare: Setting.ThisrepresentsaspecificsettingthatisconfigurableineachGroupPolicy object.InWindowsServer2008R2,therealmost3,000differentsettings.Group PolicysettingsprovidethemeaningandpurposeofGroupPolicy.Settingscanbe enabledordisabled,butbydefault,theyareNotConfigured.Theeffectofenabling ordisablingasettingcansometimesbecomplextoevaluate,sobesuretoread theexplanatorytextandtestallsettingsbeforedeployingtheminproduction. Scope.AfterGroupPolicysettingsareconfigured,youmustdecidewheretoapply theGPO.Thisisdefinedbyscope.AGPOcanbelinkedtoasite,domain,orOU.
07/06/13
Withinthelinkscope,aGPOcanbefilteredwithsecuritygroupsorWMIfilters. Application.WhenplanningGroupPolicyapplication,youmustbeawareofrefresh intervalsforvarioustypesofcomputers.Computersettingsareappliedatstartup andevery90120minutesthereafter.Usersettingsareappliedatlogonandevery 90120minutesthereafter. Tools.ThereareseveraltoolsformanagingGPOs.GPOsaremanagedthroughthe GroupPolicyManagementconsole.PolicysettingswithinaGPOareconfiguredby usingtheGPME.GPUpdateallowsyoutomanuallytriggerGroupPolicyrefresh. RSoPtoolsallowyoutoevaluateandmodelthesettingsthatwereappliedby GroupPolicy.
Demonstration: Exploring Group Policy Settings
23/135
07/06/13
GroupPolicysettings,alsoknownaspolicies,arecontainedinaGPOandareviewed andmodifiedbyusingtheGPME.Inthisdemonstration,youwilllookmorecloselyat thecategoriesofsettingsavailableinaGPO.
Computer Configuration and User Configuration

Therearetwomajordivisionsofpolicysettings:computersettings,containedinthe ComputerConfigurationnode,andusersettings,containedintheUserConfiguration node. TheComputerConfigurationnodecontainsthesettingsthatareappliedto computers,regardlessofwhologsontothem.Computersettingsareappliedwhen
07/06/13
theoperatingsystemstartsandduringbackgroundrefreshandevery90120 minutesthereafter. TheUserConfigurationnodecontainssettingsthatareappliedwhenauserlogson tothecomputerandduringbackgroundrefreshandevery90120minutes thereafter.
WithintheComputerConfigurationandUserConfigurationnodesarethePoliciesand Preferencesnodes.Policiesaresettingsthatareconfiguredandbehavesimilarlyto thepolicysettingsintheearlierversionsofWindows.Preferencesareintroducedin WindowsServer2008.Thefollowingsectionsexaminethesenodes. WithinthePoliciesnodeswithinComputerConfigurationandUserConfigurationarea hierarchyoffolderscontainingpolicysettings.Becausetherearethousandsof settings,itisbeyondthescopeoftheexamandofthiscoursetoexamineindividual settings.Itisworthwhile,however,todefinethebroadcategoriesofsettingsinthe folders.
Software Settings Node

TheSoftwareSettingsnodeisthefirstnode.ItcontainsonlytheSoftware Installationextension.Thisextensionhelpsyouspecifyhowapplicationsareinstalled andmaintainedwithinyourorganization.Itprovidesaplaceforindependentsoftware vendorstoaddsettings.SoftwaredeploymentwithGroupPolicyisdiscussedin
07/06/13
Module7.
Windows Settings Node

InbothComputerConfigurationandUserConfigurationnodes,thePoliciesnode containsaWindowsSettingsnode,whichincludestheScripts,SecuritySettings,and PolicyBasedQoSnodes. TheScriptsextensionenablesyoutospecifytwotypesofscripts,startup/shutdown (intheComputerConfigurationnode),andlogon/logoff(intheUserConfiguration node).Startup/shutdownscriptsrunatcomputerstartuporshutdown.Logon/logoff scriptsrunwhenauserlogsonoroff.Whenyouassignmultiplelogon/logoffor startup/shutdownscriptstoauserorcomputer,theScriptsCSEexecutesthescripts fromtoptobottom.Youcandeterminetheorderofexecutionformultiplescriptsin thePropertiesdialogbox.Whenacomputerisshutdown,theCSEfirstprocesses logoffscripts,followedbyshutdownscripts.Bydefault,thetimeoutvaluefor processingscriptsis10minutes.Ifthelogoffandshutdownscriptsrequiremorethan 10minutestoprocess,youmustadjustthetimeoutvaluewithapolicysetting.You canuseanyActiveXscriptinglanguagetowritescripts.Somepossibilitiesinclude MicrosoftVisualBasicScriptingEdition(VBScript),MicrosoftJScript,Perl,and MicrosoftMSDOSstylebatchfiles(.batand.cmd).Logonscriptsonashared networkdirectoryinanotherforestaresupportedfornetworklogonacrossforests.
Security Settings Node

07/06/13
TheSecuritySettingsnodeallowsasecurityadministratortoconfiguresecurityby usingGPOs.Thiscanbedoneafter,orinsteadof,usingasecuritytemplatetoset systemsecurity.ForadetaileddiscussionofsystemsecurityandtheSecuritySettings node,refertoModule7.
Policy-Based QoS Node

ThePolicyBasedQoSnodedefinespoliciesthatmanagenetworktraffic.Forexample, youmightwanttoensurethatusersintheFinancedepartmenthavepriorityfor runningacriticalnetworkapplicationduringtheendofyearfinancialreportingperiod. ThePolicyBasedQoSnodeenablesyoutodothat. IntheUserConfigurationnodeonly,theWindowsSettingsfoldercontainsthe additionalRemoteInstallationServices,FolderRedirection,andInternetExplorer Maintenancenodes.RemoteInstallationServices(RIS)policiescontrolthebehaviorof aremoteoperatingsysteminstallation.FolderRedirectionenablesyoutoredirectuser dataandsettingsfolderssuchasAppData,Desktop,Documents,Pictures,Music,and Favoritesfromtheirdefaultuserprofilelocationtoanalternatelocationonthe network,wheretheycanbecentrallymanaged.InternetExplorerMaintenanceenables youtoadministerandcustomizeMicrosoftInternetExplorer.
Administrative Templates Node

IntheComputerConfigurationandUserConfigurationnodes,theAdministrative TemplatesnodecontainsregistrybasedGroupPolicysettings.TheAdministrative
07/06/13
Templatesnodeisdiscussedindetaillaterinthismodule. Therearethousandsofsuchsettingsavailableforconfiguringtheuserandcomputer environment.Asanadministrator,youmightspendasignificantamountoftime manipulatingthesesettings.Toassistyouwiththesettings,adescriptionofeach policysettingisavailableintwolocations: OntheExplaintabinthePropertiesdialogboxforthesetting.Inaddition,the SettingstabinthePropertiesdialogboxforeachsettingalsoliststherequired operatingsystemorsoftwareforthesetting. OntheExtendedtaboftheGPME.TheExtendedtabappearsonthelowerright ofthedetailspaneandprovidesadescriptionofeachselectedsettinginacolumn betweentheconsoletreeandthesettingspane.Therequiredoperatingsystemor softwareforeachsettingisalsolisted.
Lesson 2: Implement GPOs
28/135
07/06/13
NowthatyouhaveabroadunderstandingofGroupPolicyanditscomponents,you canlookcloselyateachcomponent.Inthissection,youwillexamineGPOsindetail.
Objectives
Aftercompletingthislesson,youwillbeableto: Create,edit,andlinkGPOs. IdentifychangeandconfigurationmanagementcapabilitiesofGroupPolicy. Configurepolicysettings.
29/135
07/06/13
ExplainGPOstorage,replication,andversioning.
Local GPOs
Tomanageconfigurationforusersandcomputers,youcreateGPOsthatcontainthe policysettingsyourequire.EachcomputerhasseveralGPOsstoredlocallyonthe system,knownasthelocalGPOs,andcanbewithinthescopeofanynumberof domainbasedGPOs. ComputersthatrunWindows2000Server,WindowsXP,andWindowsServer2003 haveonelocalGPOeach,whichcanmanagethatsystemsconfiguration.Thelocal

07/06/13
GPOexistswhetherornotthecomputerispartofadomain,aworkgroup,oranon networkedenvironment.Itisstoredin%SystemRoot%\System3\GroupPolicy.The policiesinthelocalGPOaffectonlythecomputeronwhichtheGPOisstored.By default,onlytheSecuritySettingspoliciesareconfiguredonasystemslocalGPO.All otherpoliciesaresetatNotConfigured. WhenacomputerdoesnotbelongtoanActiveDirectorydomain,thelocalpolicyis usefultoconfigureandenforceconfigurationonthatcomputer.However,inanActive Directorydomain,settingsinGPOsthatarelinkedtothesite,domain,orOUswill overridelocalGPOsettingsandareeasiertomanagethanGPOsonindividual computers. WindowsVista,Windows7,WindowsServer2008,andlatersystemshavemultiple localGPOs.TheLocalComputerGPOisthesameastheGPOinthepreviousversions ofWindows.IntheComputerConfigurationnode,youcanconfigureallcomputer relatedsettings.IntheUserConfigurationnode,youcanconfiguresettingsyouwant toapplytoallusersonthecomputer.TheusersettingsintheLocalComputerGPO canbemodifiedbytheusersettingsintwonewlocalGPOs:AdministratorsandNon Administrators.ThesetwoGPOsapplyusersettingstologgedonusersaccordingto whethertheyaremembersofthelocalAdministratorsgroupinwhichcasetheywould usetheAdministratorsGPOornotmembersoftheAdministratorsgroup(andusethe NonAdministratorsGPO).YoucanfurtherrefinetheusersettingswithalocalGPO thatappliestoaspecificuseraccount.UserspecificlocalGPOsareassociatedwith local,notdomain,useraccounts.
07/06/13
RSoPiseasyforcomputersettings:TheLocalComputerGPOistheonlylocalGPO thatcanapplycomputersettings.UsersettingsinauserspecificGPOoverride conflictingsettingsintheAdministratorsandNonAdministratorsGPOs,which themselvesoverridesettingsintheLocalComputerGPO.Theconceptissimplethe morespecificthelocalGPO,thehighertheprecedenceofitssettings. TocreateandeditlocalGPOs: 1. ClicktheStartbuttonandintheStartSearchbox,typemmc.exe,andthen pressEnter. AnemptyMicrosoftManagementconsole(MMC)opens. 2. 3. ClickFile,andthenclickAdd/RemoveSnapin. SelecttheGroupPolicyObjectEditoroption,andthenclickAdd. Adialogboxappears,promptingyoutoselecttheGPOtoedit. 4. TheLocalComputerGPOisselectedbydefault.Ifyouwanttoeditanother localGPO,clicktheBrowsebutton.OntheUserstab,youwillfindtheNon AdministratorsandAdministratorsGPOsandoneGPOforeachlocaluser. SelecttheGPOandclickOK. 5. ClickFinish,andthenclickOKtocloseeachofthedialogboxes.
32/135
07/06/13
TheGroupPolicyObjectEditorsnapinisaddedandfocusedontheselectedGPO. Question:Ifdomainmemberscanbecentrallymanagedbyusingdomain linkedGPOs,inwhichscenarioscanyouuselocalGPOs?
Domain-Based GPOs
DomainbasedGPOsarecreatedinActiveDirectoryandstoredondomaincontrollers. Theyareusedtomanageconfigurationcentrallyforusersandcomputersinthe domain.TheremainderofthiscoursereferstodomainbasedGPOsratherthanlocal GPOs,unlessotherwisespecified.
33/135
07/06/13
WhenADDSisinstalled,twodefaultGPOsarecreated:DefaultDomainControllers PolicyandDefaultDomainPolicy.
Default Domain Policy

ThisGPOislinkedtothedomainandhasnosecuritygrouporWMIfilters.Therefore, itaffectsallusersandcomputersinthedomain,includingcomputersthataredomain controllers.ThisGPOcontainspolicysettingsthatspecifypassword,accountlockout, andKerberospolicies.InModule10,youwilllearnhowtomodifythedefaultsettings inthisGPOtoalignwithyourenterprisepasswordandaccountlockoutpolicies.You shouldnotaddunrelatedpolicysettingstothisGPO.Ifyouneedtoconfigureother settingstoapplybroadlyinyourdomain,createadditionalGPOslinkedtothe domain.
Default Domain Controllers Policy

ThisGPOislinkedtotheOUofthedomaincontrollers.Becausecomputeraccounts fordomaincontrollersarekeptexclusivelyintheDomainControllersOU,andother computeraccountsshouldbekeptinotherOUs,thisGPOaffectsonlydomain controllers.TheDefaultDomainControllersGPOshouldbemodifiedtoimplement yourauditingpolicies,asyouwillseeinModules8through10.Itshouldalsobe modifiedtoassignuserrightsrequiredondomaincontrollers.
Demonstration: Create, Link, and Edit GPOs

07/06/13
TocreateaGPO,rightclicktheGroupPolicyObjectscontainer,andthenclick New. YoumusthavepermissiontotheGroupPolicyObjectscontainertocreateaGPO.By default,theDomainAdminsgroupandtheGroupPolicyCreatorOwnersgroupare delegatedtheabilitytocreateGPOs. TodelegatepermissiontocreateGPOstoothergroups,selecttheGroupPolicy ObjectscontainerintheGPMCconsoletreeandthenclicktheDelegationtabinthe consoledetailspane.
35/135
07/06/13
AfteryouhavecreatedaGPO,youcancreatetheinitialscopeoftheGPObylinking ittoasite,domain,orOU. TolinkaGPO,rightclickthesite,domain,orOU,andthenclickLinkAnExisting GPO. YoucanalsocreateandlinkaGPOwithasinglestep:rightclickasite,domain,or OU,andthenclickCreateAGPOInThisDomainAndLinkItHere. NotethatyouwillnotseeyoursitesintheSitesnodeoftheGPMCuntilyouright clickSites,clickShowSites,andthenselectthesitesyouwanttomanage. YoumusthavepermissiontolinkGPOstoasite,domain,orOU.IntheGPMC,select thecontainerintheconsoletree,andthenclicktheDelegationtabintheconsole detailspane.FromthePermissiondropdownlist,clickLinkGPOs.Theusersand groupsdisplayedholdthepermissionfortheselectedOU.ClicktheAddorRemove buttonstomodifythedelegation. ToeditaGPO,rightclicktheGPOintheGroupPolicyObjectscontainerandclick Edit. TheGPOisopenedintheGPME.YoumusthaveatleasttheReadpermissiontoopen theGPOinthisway.
36/135
07/06/13
TomakechangestoaGPO,youmusthavetheWritepermissiontotheGPO. PermissionsfortheGPOcanbesetbyselectingtheGPOintheGroupPolicyObjects containerandthenclickingtheDelegationtabinthedetailspane. TheGPMEwilldisplaythenameoftheGPOastherootnode.TheGPMEalso displaysthedomaininwhichtheGPOisdefinedandtheserverfromwhichtheGPO wasopenedandtowhichchangeswillbesaved.TherootnodeisintheGPOName [ServerName]format.InthescreenshotoftheGPMEonanearlierpageinthis module,therootnodeisCONTOSOStandards[SERVER01.contoso.com]Policy.The GPOnameisCONTOSOStandards,anditwasopenedfromSERVER01.contoso.com, meaningthattheGPOisdefinedinthecontoso.comdomain. Bydefault,boththeGPMCandtheGPMEconsoleconnecttoaspecificdomain controllerinyourenvironmentwiththedomaincontrolleractingasthePDCEmulator. Inalatermodule,youwilllearntoidentifyandmanagewhichdomaincontrollerhas thisrole. ThisisdonetoreducethepossibilitythatasingleGPOmightbechangedontwo differentdomaincontrollers,atwhichpointduringreplicationtherewouldbenoway toreconcilethechanges,andonlyoneversionoftheentireGPOwouldprevailandbe replicated.Focusingtheadministrativetoolsononedomaincontrollerhelpsensure thatchangesaremadeinoneplace. However,inalarge,distributedenvironment,thePDCEmulatormaybeinadistant
07/06/13
site,resultinginslowperformancefortheGPMCs.Youcanrightclicktherootnode ofeachconsoleandconnecttoaspecificdomaincontrollerclosertoyou.Justbe cognizantofthereplicationissue:IfyouaretheonlyonewhoiseditingaGPO,itis perfectlyacceptableforyoutodosoonalocal,higherperformingdomaincontroller.
Demonstration Steps
CreateaGPO. OpenaGPOforediting. LinkaGPO. DelegatethemanagementofGPOs. DeletetheGPO. DiscussthedefaultconnectiontoPDCemulator.
GPO Storage
38/135
07/06/13
GroupPolicysettingsarepresentedasGPOsinActiveDirectoryuserinterfacetools, butaGPOisactuallytwocomponents:aGroupPolicyContainer(GPC)andaGroup PolicyTemplate(GPT). TheGPCisanActiveDirectoryobjectstoredintheGroupPolicyObjectscontainer withinthedomainnamingcontextofthedirectory.LikeallActiveDirectoryobjects, eachGPCincludesagloballyuniqueidentifier(GUID)attributethatuniquelyidentifies theobjectwithinActiveDirectory.TheGPCdefinesbasicattributesoftheGPO,butit doesnotcontainanyofthesettings.ThesettingsarecontainedintheGPTa collectionoffilesstoredintheSYSVOLofeachdomaincontrollerinthe %SystemRoot%\SYSVOL\Domain\Policies\GPOGUIDpath,whereGPOGUIDisthe GUIDoftheGPC.WhenyoumakechangestothesettingsofaGPO,thechangesare
07/06/13
savedtotheGPToftheserverfromwhichtheGPOwasopened. Bydefault,whenGroupPolicyrefreshoccurs,theCSEsapplysettingsinaGPOonlyif theGPOhasbeenupdated. TheGroupPolicyclientcanidentifyanupdatedGPObyitsversionnumber.EachGPO hasaversionnumberthatisincrementedeachtimeachangeismade.Theversion numberisstoredasanattributeoftheGPCandinatextfile,GPT.ini,intheGPT folder.TheGroupPolicyclientknowstheversionnumberofeachGPOithas previouslyapplied.If,duringGroupPolicyrefresh,theGroupPolicyclientdiscovers thattheversionnumberoftheGPChasbeenchanged,theCSEswillbeinformedthat theGPOisupdated.
GPO Replication
GroupPolicyContainerandGroupPolicyTemplatearebothreplicatedbetweenall domaincontrollersinActiveDirectory.However,differentreplicationmechanismsare usedforthesetwoitems. TheGPCinActiveDirectoryisreplicatedbytheDirectoryReplicationAgent(DRA). TheDRAusesatopologygeneratedbytheKnowledgeConsistencyChecker(KCC) thatcanbedefinedorrefinedmanually.YouwilllearnmoreaboutActiveDirectory ReplicationinModule14.TheresultisthattheGPCisreplicatedwithinsecondstoall domaincontrollersinasiteandisreplicatedbetweensitesbasedonyourintersite replicationconfiguration.ThisprocesswillalsobediscussedinModule14.
07/06/13
TheGPTintheSYSVOLisreplicatedbyusingoneofthefollowingtwotechnologies. TheFileReplicationService(FRS)isusedtoreplicateSYSVOLindomainsrunning WindowsServer2008,WindowsServer2008R2,WindowsServer2003,and Windows2000.IfalldomaincontrollersarerunningWindowsServer2008orearlier, youcanconfigureSYSVOLreplicationbyusingDistributedFileSystemReplication (DFSR),whichisamuchmoreefficientandrobustmechanism. BecausetheGPCandGPTarereplicatedseparately,itispossibleforthemtobecome outofsyncforashorttime. Typically,whenthishappens,theGPCwillreplicatetoadomaincontrollerfirst. SystemsthatobtainedtheirorderedlistofGPOsfromthatdomaincontrollerwill identifythenewGPC,willattempttodownloadtheGPT,andwillnoticethatthe versionnumbersarenotthesame.Apolicyprocessingerrorwillberecordedinthe eventlogs.Ifthereversehappens,andtheGPOreplicatestoadomaincontroller beforetheGPC,clientsobtainingtheirorderedlistofGPOsfromthatdomain controllerwillnotbenotifiedofthenewGPOuntiltheGPChasreplicated.
Manage GPOs and Their Settings
41/135
07/06/13
WhenyourightclickaGPOintheGPMC,alistofusefulmanagementcommands appears. Copy.YoucancopyaGPOandthenrightclicktheGroupPolicyObjectscontainer andselectPastetocreateacopyoftheGPO.Thisisusefulwhenyouwantto createanewGPOinthesamedomainandtostartwiththesamesettingsasan existingGPO.ItisalsousefultocopyaGPOintoanotherdomain,forexample, betweenatestdomainandaproductiondomain.TocopyaGPObetween domains,addthetargettrusteddomaintotheGPMC.Youmusthavepermissionto createGPOsinthetargetdomain.WhenyoupasteaGPO,youaregiventhe optiontocopytheaccesscontrollist(ACL)fromtheoriginalGPO,whichpreserves thesecurityfiltering,ortousethedefaultACLfornewGPOsinthetargetdomain.
07/06/13
BackUp.Aswithanycriticaldata,itisimportanttobackupGPOs.BecauseaGPO consistsofseveralfiles,objects,permissions,andlinks,managingthebackupand restoreofGPOsisquitedifficult.Luckily,theBackUpcommandpullsallofthose piecesintoasingleplaceandmakesrestoreasimpletask. RestorefromBackup.RestoreanentireGPO,includingitsfiles,objects, permissions,andlinksintothesamedomaininwhichtheGPOoriginallyexisted. ImportSettings.ImportonlythesettingsfromabackedupGPO.Althoughthis optiondoesnotimportpermissionsorlinks,itcanbeusefulfortransferringGPOs betweennontrusteddomainsthatcannotusecopyandpaste.IfaGPOincludes potentiallydomainspecificsettings,includingtheUNCpathsornamesofsecurity groups,youwillbepromptedastowhetheryouwanttoimportthosesettings exactlyastheywerebackeduportouseamigrationtablethatmapssourceto destinationnames. SaveReport.UsethistosaveanHTMLreportoftheGPOsettings. Delete.UsethistodeleteaGPO. Rename.UsethistorenameaGPO.
Lab A: Implement Group Policy
43/135
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
44/135
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5.
Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodo so.
Lab Scenario
YouareresponsibleformanagingchangeandconfigurationatContoso,Ltd.Contoso corporateITsecuritypoliciesspecifythatcomputerscannotbeleftunattendedand loggedontoformorethan10minutes.Youwillthereforeconfigurethescreensaver timeoutandpasswordprotectedscreensaverpolicysettings.Additionally,youwill lockdownaccesstoregistryeditingtools.
Exercise 1: Create, Edit, and Link Group Policy Objects

Inthisexercise,youwillcreateaGPOthatimplementsasettingmandated bythecorporatesecuritypolicyofContoso,Ltdandscopethesettingtoall usersandcomputersinthedomain.Youwillthenexaminetheeffectofthe GPO.Youcanalsoexploreothersettingsthataremadeavailablewithina
07/06/13
GPO. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. 5. CreateaGPO. EditthesettingsofaGPO. ScopeaGPOwithaGPOlink. ViewtheeffectsofGroupPolicyapplication. ExploreGPOsettings.
Task 1: Create a GPO.
1.
OnNYCDC1,runGroupPolicyManagementasanadministrator,withthe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
CreateaGroupPolicyObjectnamedCONTOSOStandardsintheGroup PolicyObjectscontainer.
Task 2: Edit the settings of a GPO.
1.
EdittheCONTOSOStandardsGPO.
46/135
07/06/13
2.
NavigatetotheUserConfiguration,Policies,AdministrativeTemplates, Systemfolder.
3. 4.
PreventusersfromrunningRegistryEditorandregedit/s. NavigatetotheUserConfiguration,Policies,AdministrativeTemplates, ControlPanel,Personalizationfolder.
5. 6. 7.
ExaminetheexplanatorytextfortheScreensavertimeoutpolicysetting. ConfiguretheScreensavertimeoutpolicyto600seconds. EnablethePasswordprotectthescreensaverpolicysetting.
Task 3: Scope a GPO with a GPO link.
LinktheCONTOSOStandardsGPOtothecontoso.comdomain.
Task 4: View the effects of Group Policy application.
1. 2.
LogontoNYCCL1asPat.Coleman. Attempttochangethescreensaverwaittimeandresumesettings.Youare preventedfromdoingsobyGroupPolicy.
47/135
07/06/13
3.
AttempttorunRegistryEditor.YouarepreventedfromdoingsobyGroup Policy.
Task 5: Explore GPO settings.
OnNYCDC1,edittheCONTOSOStandardsGPOandspendtimeexploringthe settingsthatareavailableinaGPO.Donotmakeanychanges.
Results:Inthisexercise,youcreatedaGPOnamedContosoStandardsthat configurespasswordprotectedscreensaver,screensavertimeout,andregistry editingtoolrestrictions
NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.
Exercise 2: Use Filtering and Commenting

Inthisexercise,youwillusethenewcommentingandfilteringfeaturesof GroupPolicytolocateanddocumentpolicysettings.
48/135
07/06/13
Themaintasksforthisexerciseareasfollows: 1. 2. Searchandfilterpolicysettings. DocumentGPOsandsettingswithcomments.
Task 1: Search and filter policy settings.
1. 2.
Ifnecessary,opentheGPMCandthenedittheCONTOSOStandardsGPO. IntheUserConfiguration\Policies\AdministrativeTemplatesfolder,filter theviewtoshowonlypolicysettingsthatcontainthephrasescreensaver. Spendafewmomentsexaminingthosesettings.
3.
Filtertheviewtoshowonlyconfiguredpolicysettings.Spendafewmoments examiningthosesettings.
4.
TurnoffthefilterfromAdministrativeTemplates.
Task 2: Document GPOs and settings with comments.
1.
EditthecommenttotheCONTOSOStandardsGPOandaddthefollowing commenttotheGPO:Contosocorporatestandardpolicies.Settingsare scopedtoallusersandcomputersinthedomain.Personresponsible
49/135
07/06/13
forthisGPO:yourname. ThiscommentappearsontheDetailstaboftheGPOintheGPMC. 2. AddthefollowingcommenttotheScreensavertimeoutpolicysetting: CorporateITSecurityPolicyimplementedwiththispolicyin combinationwithPasswordProtecttheScreenSaver. 3. AddthefollowingcommenttothePasswordprotectthescreensaverpolicy setting:CorporateITSecurityPolicyimplementedwiththispolicyin combinationwithScreenSaverTimeout.
Results:Inthisexercise,youaddedcommentstoyourGroupPolicyobjectand settings.
Lab Review Questions Question:WhichpolicysettingsarealreadybeingdeployedbyusingGroup Policyinyourorganization? Question:Whichpolicysettingsdidyoudiscoverthatyoumightwantto implementinyourorganization?
Lesson 3: Manage Group Policy Scope

07/06/13
AGPOis,byitself,acollectionofconfigurationinstructionsthatwillbeprocessedby theCSEsofcomputers.UntiltheGPOisscoped,itdoesnotapplytoanyusersor computers.TheGPOsscopedeterminestheCSEsofwhichcomputerswillreceive andprocesstheGPOandonlythecomputersoruserswithinthescopeofaGPOwill applythesettingsinthatGPO.Inthislesson,youwilllearntomanagethescopeofa GPO.ThefollowingmechanismsareusedtoscopeaGPO: TheGPOlinktoasite,domain,orOUandwhetherthatlinkisenabled TheEnforceoptionofaGPO TheBlockInheritanceoptiononanOU

07/06/13
Securitygroupfiltering WMIfiltering Policynodeenablingordisabling Preferencestargeting Loopbackpolicyprocessing
Youmustbeabletodefinetheusersorcomputerstowhichconfigurationis deployed,andtherefore,youmustmastertheartofscopingGPOs.Inthislesson, youwilllearneachofthemechanismswithwhichyoucanscopeaGPOand,inthe process,youwillmastertheconceptsofGroupPolicyapplication,inheritance,and precedence.
Objectives
Aftercompletingthislesson,youwillbeableto: ManageGPOlinks. IdentifytherelationshipbetweenOUstructureandGPOapplication. EvaluateGPOinheritanceandprecedence. UnderstandtheBlockInheritanceandEnforcedlinkoptions.
07/06/13
ApplysecurityfilteringtonarrowthescopeofaGPO. ApplyaWMIfiltertoaGPO. TargetGroupPolicypreferences. IdentifybestpracticesforscopingGroupPolicy.
GPO Links
AGPOcanbelinkedtooneormoreActiveDirectorysites,domains,orOUs.Aftera policyislinkedtoasite,domain,orOU,theusersorcomputersandusersinthat
07/06/13
containerarewithinthescopeoftheGPO,includingcomputersandusersinchild OUs. AsyoulearnedinLesson1,youcanlinkaGPOtothedomain,siteortoanOU. TolinkaGPO,rightclickthedomainorOUintheGPMCconsoletree,andthenclick LinkasexistingGPO.IfyouhavenotyetcreatedaGPO,clickCreateAGPOIn This{Domain|OU|Site}AndLinkItHere. YoucanchoosethesamecommandstolinkaGPOtoasite,butbydefault,your ActiveDirectorysitesarenotvisibleintheGPMC. ToshowsitesintheGPMC,rightclickSitesintheGPMCconsoletreeandchoose ShowSites. NoteAGPOlinkedtoasiteaffectsallcomputersinthesitewithoutregardto thedomaintowhichthecomputersbelong(aslongasallcomputersbelong tothesameActiveDirectoryforest).Therefore,whenyoulinkaGPOtoasite, thatGPOcanbeappliedtomultipledomainswithinaforest.SitelinkedGPOs arestoredondomaincontrollersinthedomaininwhichtheGPOwascreated. Therefore,domaincontrollersforthatdomainmustbeaccessibleforsite linkedGPOstobeappliedcorrectly.Ifyouimplementsitelinkedpolicies,you mustconsiderpolicyapplicationwhenplanningyournetworkinfrastructure. EitherplaceadomaincontrollerfromtheGPOsdomaininthesitetowhich thepolicyislinked,orensurethatawideareanetwork(WAN)connectivity providesaccessibilitytoadomaincontrollerintheGPOsdomain.
07/06/13
WhenyoulinkaGPOtoasite,domain,orOU,youdefinetheinitialscopeofthe GPO.SelectaGPOandclicktheScopetabtoidentifythecontainerstowhichthe GPOislinked.InthedetailspaneoftheGPMC,theGPOlinksaredisplayedinthe firstsectionoftheScopetab,asseenhere:
TheimpactoftheGPOslinksisthattheGroupPolicyClientdownloadstheGPOif eitherthecomputerortheuserobjectsfallwithinthescopeofthelink.TheGPOwill bedownloadedonlyifitisneworupdated.TheGroupPolicyClientcachestheGPO tomakepolicyrefreshmoreefficient.
Link a GPO to Multiple OUs

YoucanlinkaGPOtomorethanonesiteorOU.Itiscommon,forexample,toapply configurationtocomputersinseveralOUs.Youcandefinetheconfigurationina singleGPOandlinkthatGPOtoeachOU.IfyoulaterchangesettingsintheGPO, yourchangeswillapplytoallOUstowhichtheGPOislinked.
07/06/13
Delete or Disable a GPO Link

AfteryouhavelinkedaGPO,theGPOlinkappearsintheGPMCunderneaththesite, domain,orOU.TheiconfortheGPOlinkhasasmallshortcutarrow.Whenyou rightclicktheGPOlink,acontextmenuappears,asshownhere:
TodeleteaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthenclick Delete. DeletingaGPOlinkdoesnotdeletetheGPOitself,whichremainsinthatGPO container.DeletingthelinkdoeschangethescopeoftheGPOsothatitnolonger appliestocomputersanduserswithinasite,domain,orOUtowhichitwas previouslylinked. YoucanalsomodifyaGPOlinkbydisablingit. TodisableaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthen deselecttheLinkEnabledoption.

07/06/13
DisablingthelinkalsochangestheGPOscopesothatitnolongerappliesto computersanduserswithinthatcontainer.However,thelinkremainssothatitcan beeasilyreenabled.
Group Policy Processing Order
TheGPOsthatapplytoauser,computer,orbothdonotallapplyatonce.GPOsare appliedinaparticularorder.Thisordermeansthatsettingsthatareprocessedfirst maybeoverwrittenbyconflictingsettingsthatareprocessedlater. GroupPolicyfollowsthefollowinghierarchicalprocessingorder:
57/135
07/06/13
1.
Localgrouppolicies.EachcomputerrunningWindows2000orlaterhasat leastonelocalgrouppolicy.Thelocalpoliciesareappliedfirst.
2.
Sitegrouppolicies.Policieslinkedtositesareprocessedsecond.Ifthereare multiplesitepolicies,theyareprocessedsynchronouslyinthelistedpreference order.
3.
Domaingrouppolicies.Policieslinkedtodomainsareprocessedthird.Ifthere aremultipledomainpolicies,theyareprocessedsynchronouslyinthelisted preferenceorder.
4.
OUgrouppolicies.PolicieslinkedtotoplevelOUsareprocessedfourth.If therearemultipletoplevelOUpolicies,theyareprocessedsynchronouslyinthe listedpreferenceorder.
5.
ChildOUgrouppolicies.PolicieslinkedtochildOUsareprocessedfifth.If therearemultiplechildOUpolicies,theyareprocessedsynchronouslyinthe listedpreferenceorder.WhentherearemultiplelevelsofchildOUs,policiesfor higherlevelOUsareappliedfirstandpoliciesforthelowerlevelOUsareapplied next.
InGroupPolicyapplication,thegeneralruleisthatthelastpolicyappliedwins.For example,apolicythatrestrictsaccesstoControlPanelappliedatthedomainlevel couldbereversedbyapolicyappliedattheOUlevelfortheobjectscontainedinthat particularOU.

07/06/13
IfyoulinkseveralGPOstoanorganizationalunit,theirprocessingoccursintheorder thattheadministratorspecifiesontheLinkedGroupPolicyObjectstabforthe organizationalunitintheGroupPolicyManagementConsole(GPMC). Bydefault,processingisenabledforallGPOlinks.Youcancompletelyblockthe applicationofaGPOforagivensite,domain,ororganizationalunitbydisablingthat containersGPOlink.NotethatiftheGPOislinkedtoothercontainers,theywill continuetoprocesstheGPOiftheirlinksareenabled. YoucanalsodisabletheuserorcomputerconfigurationofaparticularGPO independentofeithertheuserorcomputer.Ifonesectionofapolicyisknowntobe empty,disablingtheothersidespeedsuppolicyprocessing.Forexample,ifyouhave apolicythatonlydeliversuserdesktopconfiguration,youcoulddisablethecomputer sideofthepolicy.
GPO Inheritance and Precedence
59/135
07/06/13
ApolicysettingcanbeconfiguredinmorethanoneGPO,andGPOscanbeinconflict withoneanother.Forexample,apolicysettingcanbeenabledinoneGPO,disabled inanotherGPO,andnotconfiguredinathirdGPO.Inthiscase,theprecedenceof theGPOsdetermineswhichpolicysettingtheclientapplies.AGPOwithhigher precedenceprevailsoveraGPOwithlowerprecedence.Precedenceisshownasa numberintheGPMC.Thesmallerthenumberthatis,thecloserto1thehigherthe precedence,soaGPOwithaprecedenceof1willprevailoverotherGPOs.Selectthe domainorOUandthenclicktheGroupPolicyInheritancetabtoviewthe precedenceofeachGPO. WhenapolicysettingisenabledordisabledinaGPOwithhigherprecedence,the configuredsettingtakeseffect.However,rememberthatpolicysettingsaresettoNot
07/06/13
Configuredbydefault.IfapolicysettingisnotconfiguredinaGPOwithhigher precedence,thepolicysetting(eitherenabledordisabled)inaGPOwithlower precedencewilltakeeffect. Asite,domain,orOUcanhavemorethanoneGPOlinkedtoit.Thelinkorderof GPOsdeterminestheprecedenceofGPOsinsuchascenario.GPOswithahigherlink ordertakeprecedenceoverGPOswithalowerlinkorder.WhenyouselectanOUin theGPMC,theLinkedGroupPolicyObjectstabshowsthelinkorderofGPOslinked tothatOU. ThedefaultbehaviorofGroupPolicyisthatGPOslinkedtoahigherlevelcontainer areinheritedbylowerlevelcontainers.Whenacomputerstartsuporauserlogson, theGroupPolicyClientexaminesthelocationofthecomputeroruserobjectinActive DirectoryandevaluatestheGPOswithscopesthatincludethecomputeroruser. Then,theclientsideextensionsapplypolicysettingsfromtheseGPOs.Policiesare appliedsequentially,beginningwiththepolicieslinkedtothesite,followedbythose linkedtothedomain,followedbythoselinkedtoOUsfromthetoplevelOUdown totheOUinwhichtheuserorcomputerobjectexists.Itisalayeredapplicationof settings,soaGPOthatisappliedlaterintheprocess,becauseithashigher precedence,overridessettingsappliedearlierintheprocess. ThesequentialapplicationofGPOscreatesaneffectcalledpolicyinheritance.Policies areinherited,sotheresultantsetofgrouppoliciesforauserorcomputerwillbethe cumulativeeffectofsite,domain,andOUpolicies.
07/06/13
Bydefault,inheritedGPOshavelowerprecedencethanGPOslinkeddirectlytothe container.Forexample,youmightconfigureapolicysettingtodisabletheuseof registryeditingtoolsforallusersinthedomainbyconfiguringthepolicysettingina GPOlinkedtothedomain.ThatGPO,anditspolicysetting,isinheritedbyallusers withinthedomain.However,youprobablywantadministratorstobeabletouse registryeditingtools,soyouwilllinkaGPOtotheOUthatcontainsadministrators accountsandconfigurethepolicysettingtoallowtheuseofregistryeditingtools. BecausetheGPOlinkedtotheadministratorsOUtakeshigherprecedencethanthe inheritedGPO,administratorswillbeabletouseregistryeditingtools.Thefollowing figureillustratesGroupPolicyInheritance:
Precedence of Multiple Linked GPOs

AnOU,domain,orsitecanhavemorethanoneGPOlinkedtoit.Iftherearemultiple GPOs,theobjectslinkorderdeterminestheirprecedence.Inthefollowingfigure,two GPOsarelinkedtothePeopleOU:
62/135
07/06/13
Theobjecthigheronthelist,withalinkorderof1,hasthehighestprecedence. Therefore,settingsthatareenabledordisabledinthePowerUserConfiguration POhasprecedenceoverthesamesettingsintheStandardUserConfigurationGPO. TochangetheprecedenceofaGPOlink: 1. 2. 3. 4. SelecttheOU,site,ordomainintheGPMCconsoletree. ClicktheLinkedGroupPolicyObjectstabinthedetailspane. SelecttheGPO. UsetheUp,Down,MoveToTop,andMoveToBottomarrowstochangethe linkorderoftheselectedGPO.
Block Inheritance
AdomainorOUcanbeconfiguredtopreventtheinheritanceofpolicysettings. Toblockinheritance,rightclickthedomainorOUintheGPMCconsoletreeand selectBlockInheritance. TheBlockInheritanceoptionisapropertyofadomainorOU,soitblocksallGroup PolicysettingsfromGPOslinkedtoparentsintheGroupPolicyhierarchy.Whenyou
07/06/13
blockinheritanceonanOU,forexample,GPOapplicationbeginswithanyGPOs linkeddirectlytothatOUGPOslinkedtohigherlevelOUs,thedomain,orthesite willnotapply. TheBlockInheritanceoptionshouldbeusedsparingly.Blockinginheritancemakesit moredifficulttoevaluateGroupPolicyprecedenceandinheritance.Inalatertopic, youwilllearnhowtoscopeaGPOsothatitappliestoonlyasubsetofobjectsorso thatitispreventedfromapplyingtoasubsetofobjects.Withsecuritygroupfiltering, youcancarefullyscopeaGPOsothatitappliestoonlythecorrectusersand computersinthefirstplace,makingitunnecessarytousetheBlockInheritance option.
Enforce a GPO Link

Inaddition,aGPOlinkcanbesettoEnforced. ToenforceaGPOlink,rightclicktheGPOlinkintheconsoletreeandchoose Enforcedfromthecontextmenu. WhenaGPOlinkissettoEnforced,theGPOtakesthehighestlevelofprecedence policysettingsinthatGPOwillprevailoveranyconflictingpolicysettingsinother GPOs.Inaddition,alinkthatisenforcedwillapplytochildcontainersevenwhen thosecontainersaresettoBlockInheritance.TheEnforcedoptioncausesthepolicy toapplytoallobjectswithinitsscope.Enforcedwillcausepoliciestooverrideany conflictingpoliciesandwillapplyregardlessofwhetheraBlockInheritanceoptionis
07/06/13
set. Inthefigureonthefollowingpage,BlockInheritancehasbeenappliedtothe BusinessOU.Asaresult,GPOD,whichisappliedtothedomain,isblockedanddoes notapplywhenauserfromtheEmployeesOUlogsontoacomputerintheClients OU.However,intheSecurityGPO,GPOslinkedtothedomainwiththeEnforced optiondoesapply.Infact,itisappliedlastintheprocessingorder,meaningits settingswilloverridethoseofGPOsB,C,andE. WhenyouconfigureaGPOthatdefinesconfigurationmandatedbyyourcorporateIT securityandusagepolicies,youwanttoensurethatthosesettingsarenotoverridden byotherGPOs.YoucandothisbyenforcingthelinkoftheGPO.Thefigurehere showsjustthisscenario:
ConfigurationmandatedbycorporatepoliciesisdeployedintheCONTOSOCorporate ITSecurity&UsageGPO,whichislinkedwithanenforcedlinktotheContoso.com domain.TheiconfortheGPOlinkhasapadlockonitthevisualindicatorofan enforcedlink.OnthePeopleOU,theGroupPolicyInheritancetabshowsthatthe GPOtakesprecedenceevenovertheGPOslinkedtothePeopleOUitself.
65/135
07/06/13
Evaluating Precedence
TofacilitateevaluationofGPOprecedence,youcansimplyselectanOU(ordomain) andclicktheGroupPolicyInheritancetab.Thistabwilldisplaytheresulting precedenceofGPOs,accountingforGPOlink,linkorder,inheritanceblocking,and linkenforcement.Thistabdoesnotaccountforpoliciesthatarelinkedtoasite,nor doesitaccountforGPOsecurityorWMIfiltering.
Use Security Filtering to Modify GPO Scope
Bynow,youvelearnedthatyoucanlinkaGPOtoasite,domain,orOU.However, youmightneedtoapplyGPOsonlytocertaingroupsofusersorcomputersrather
07/06/13
thantoallusersorcomputerswithinthescopeoftheGPO.Althoughyoucannot directlylinkaGPOtoasecuritygroup,thereisawaytoapplyGPOstospecific securitygroups.ThepoliciesinaGPOapplyonlytouserswhohaveAllowReadand AllowApplyGroupPolicypermissionstotheGPO. EachGPOhasanACLthatdefinespermissionstotheGPO.Twopermissions,Allow ReadandAllowApplyGroupPolicy,arerequiredforaGPOtoapplytoauseror computer.Forexample,ifaGPOisscopedtoacomputerbyitslinktothecomputers OU,butthecomputerdoesnothaveReadandApplyGroupPolicypermissions,itwill notdownloadandapplytheGPO.Therefore,bysettingtheappropriatepermissions forsecuritygroups,youcanfilteraGPOsothatitssettingsapplyonlytothe computersandusersyouspecify. Bydefault,AuthenticatedUsersaregiventheAllowApplyGroupPolicypermissionon eachnewGPO.Thismeansthatbydefault,allusersandcomputersareaffectedby theGPOssetfortheirdomain,site,orOU,regardlessoftheothergroupsinwhich theymightbemembers.Therefore,therearetwowaysoffilteringGPOscope: RemovetheApplyGroupPolicypermission(currentlysettoAllow)forthe AuthenticatedUsersgroupbutdonotsetthispermissiontoDeny.Then,determine thegroupstowhichtheGPOshouldbeappliedandsettheReadandApplyGroup PolicypermissionsforthesegroupstoAllow. DeterminethegroupstowhichtheGPOshouldnotbeappliedandsettheApply GroupPolicypermissionforthesegroupstoDeny.IfyoudenytheApplyGroup
07/06/13
PolicypermissiontoaGPO,theuserorcomputerwillnotapplysettingsinthe GPO,eveniftheuserorcomputerisamemberofanothergroupthatisallowed theApplyGroupPolicyPermission.
Filtering a GPO to Apply to Specific Groups

ToapplyaGPOtoaspecificsecuritygroup: 1. 2. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree. IntheSecurityFilteringsection,selecttheAuthenticatedUsersgroupand clickRemove.
NoteGPOscanbefilteredonlywithglobalsecuritygroupsnotwith domainlocalsecuritygroups.
3. 4. 5.
ClickOKtoconfirmthechange. ClickAdd. SelectthegrouptowhichyouwantthepolicytoapplyandclickOK.
TheresultwilllooksimilartothefigureshownheretheAuthenticatedUsersgroupis
07/06/13
notlisted,andthespecificgrouptowhichthepolicyshouldapplyislisted.
Filtering a GPO to Exclude Specific Groups

TheScopetabofaGPOdoesnotallowyoutoexcludespecificgroups.Toexcludea groupthatis,todenytheApplyGroupPolicypermissionyoumustusethe Delegationtab. TodenyagrouptheApplyGroupPolicypermission: 1. 2. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree. ClicktheDelegationtab.
69/135
07/06/13
3.
ClicktheAdvancedbutton. TheSecuritySettingsdialogboxappears.
4. 5.
ClicktheAddbutton. SelectthegroupyouwanttoexcludefromtheGPO.Remember,itmustbea globalgroup.GPOscopecannotbefilteredbydomainlocalgroups.
6.
ClickOK. ThegroupyouselectedisgiventheAllowReadpermissionbydefault.
7. 8.
CleartheAllowReadpermissioncheckbox. SelecttheDenyApplyGroupPolicycheckbox.
ThefigurehereshowsanexamplethatdeniestheHelpDeskgrouptheApplygroup policypermissionand,therefore,excludesthegroupfromthescopeoftheGPO.
70/135
07/06/13
9.ClickOK. YouarewarnedthatDenypermissionsoverrideotherpermissions. BecauseDenypermissionsoverrideAllowpermissions,itisrecommendedthatyou usethemsparingly.MicrosoftWindowsremindsyouofthisbestpracticewiththe warningmessage.TheprocesstoexcludegroupswiththeDenyApplyGroupPolicy permissionisfarmorelaboriousthantheprocesstoincludegroupsintheSecurity FilteringsectionoftheScopetab. 10. Confirmthatyouwanttocontinue.
71/135
07/06/13
ImportantDenypermissionsarenotexposedontheScopetab. Unfortunately,whenyouexcludeagroup,theexclusionisnotshownin theSecurityFilteringsectionoftheScopetab.
ThisisyetonemorereasontouseDenypermissionssparingly.
WMI Filters
WMIisamanagementinfrastructuretechnologythatenablesadministratorsto monitorandcontrolmanagedobjectsinthenetwork.AWMIqueryiscapableof
07/06/13
filteringsystemsbasedoncharacteristics,includingRAM,processorspeed,disk capacity,IPaddress,operatingsystemversionandservicepacklevel,installed applications,andprinterproperties.BecauseWMIexposesalmosteverypropertyof everyobjectwithinacomputer,thelistofattributesthatcanbeusedinaWMIquery isvirtuallyunlimited.WMIqueriesarewrittenbyusingWMIQueryLanguage(WQL). YoucanuseaWMIquerytocreateaWMIfilter,withwhichaGPOcanbefiltered.A goodwaytounderstandthepurposeofaWMIfilter,bothforthecertificationexams andforrealworldimplementation,isthroughexamples.GroupPolicycanbeusedto deploysoftwareapplicationsandservicepacksacapabilitythatisdiscussedin Module7.YoumightcreateaGPOtodeployanapplicationandthenuseaWMIfilter tospecifythatthepolicyshouldapplyonlytocomputerswithacertainoperating systemandservicepackWindowsXPSP3,forexample.TheWMIquerytoidentify suchsystemsis:
S e l e c t*F R O MW i n 3 2 _ O p e r a t i n g S y s t e mW H E R E C a p t i o n = " M i c r o s o f tW i n d o w sX PP r o f e s s i o n a l "A N D C S D V e r s i o n = " S e r v i c eP a c k3 "
WhentheGroupPolicyClientevaluatesGPOsithasdownloadedtodeterminewhich shouldbehandedofftotheCSEsforprocessing,itperformsthequeryagainstthe localsystem.Ifthesystemmeetsthecriteriaofthequery,thequeryresultisalogical True,andtheCSEsprocesstheGPO.

07/06/13
WMIexposesnamespaces,withinwhichareclassesthatcanbequeried.Manyuseful classes,includingWin32_OperatingSystem,arefoundinaclasscalledroot\CIMv2. TocreateaWMIfilter: 1. RightclicktheWMIFiltersnodeintheGPMCconsoletree,andthenclick New. Typeanameanddescriptionforthefilter,andthenclicktheAddbutton. 2. 3. 4. IntheNamespacebox,typethenamespaceforyourquery. IntheQuerybox,enterthequery. ClickOK. TofilteraGPOwithaWMIfilter: 1. 2. 3. SelecttheGPOorGPOlinkintheconsoletree. ClicktheScopetab. ClicktheWMIdropdownlist,andselecttheWMIfilter.
AGPOcanbefilteredbyonlyoneWMIfilter,butthatWMIfiltercanbeacomplex querythatusesmultiplecriteria.AsingleWMIfiltercanbelinkedto,andthereby usedtofilter,oneormoreGPOs.TheGeneraltabofaWMIfilter,showninthe

07/06/13
figurehere,displaystheGPOsthatusetheWMIfilter:
TherearethreesignificantcaveatsregardingWMIfilters. First,theWQLsyntaxofWMIqueriescanbechallengingtomaster.Youcanoften findexamplesontheInternetwhenyousearchbyusingthekeywordsWMIfilter andWMIquery,alongwithadescriptionofthequeryyouwanttocreate. Second,WMIfiltersareexpensiveintermsofGroupPolicyprocessingperformance. BecausetheGroupPolicyClientmustperformtheWMIqueryateachpolicy processinginterval,thereisaslightimpactonsystemperformanceevery90120 minutes.Withtheperformanceoftodayscomputers,theimpactmightnotbe noticeable,butyoushouldcertainlytesttheeffectsofaWMIfilterpriorto

07/06/13
deployingitwidelyinyourproductionenvironment. NotethattheWMIqueryisprocessedonlyonetime,evenifitisusedtofilterthe scopeofmultipleGPOs. Third,WMIfiltersarenotprocessedbycomputersrunningWindows2000Server. IfaGPOisfilteredwithaWMIfilter,aWindows2000Serversystemignoresthe filterandprocessestheGPOasiftheresultsofthefilterweretrue.
Enable or Disable GPOs and GPO Nodes
YoucanpreventthesettingsintheComputerConfigurationorUserConfiguration
07/06/13
nodesfrombeingprocessedduringpolicyrefreshbychangingtheGPOStatus.
ToenableordisableaGPO'snodes,selecttheGPOorGPOlinkintheconsoletree, clicktheDetailstab,showninthefigure,andthenselectoneofthefollowingfrom theGPOStatusdropdownlist: Enabled.Bothcomputerconfigurationsettingsanduserconfigurationsettingswill beprocessedbyCSEsduringpolicyrefresh. AllSettingsDisabled.CSEswillnotprocesstheGPOduringpolicyrefresh. ComputerConfigurationSettingsDisabled.Duringcomputerpolicyrefresh, computerconfigurationsettingsintheGPOwillnotbeapplied.

07/06/13
UserConfigurationSettingsDisabled.Duringuserpolicyrefresh,user configurationsettingsintheGPOwillnotbeapplied.
YoucanconfigureGPOstatustooptimizepolicyprocessing.IfaGPOcontainsonly usersettings,forexample,settingtheGPOStatusoptiontodisablecomputersettings preventstheGroupPolicyclientfromattemptingtoprocesstheGPOduringcomputer policyrefresh.BecausetheGPOcontainsnocomputersettings,thereisnoneedto processtheGPO,andyoucansaveafewcyclesoftheprocessor. NoteYoucandefineaconfigurationthatshouldtakeeffectincaseofan emergency,securityincident,orotherdisastersinaGPOandlinktheGPOso thatitisscopedtoappropriateusersandcomputers.Then,disabletheGPO. Ifyourequiretheconfigurationtobedeployed,enabletheGPO.
Target Preferences
78/135
07/06/13
Preferences,whicharenewtoWindowsServer2008,haveabuiltinscoping mechanismcalleditemleveltargeting.Youcanhavemultiplepreferenceitemsina singleGPO,andeachpreferenceitemcanbetargetedorfiltered.So,forexample, youcouldhaveasingleGPOwithapreferencethatspecifiesfolderoptionsfor engineersandanotheritemthatspecifiesfolderoptionsforsalespeople.Youcan targettheitemsbyusingasecuritygrouporOU.Thereareoveradozenother criteriathatcanbeused,includinghardwareandnetworkcharacteristics,dateand time,LightweightDirectoryAccessProtocol(LDAP)queries,andmore.
79/135
07/06/13
NoteWhatsnewaboutpreferencesisthatyoucantargetmultiplepreference itemswithinasingleGPOinsteadofrequiringmultipleGPOs.Withtraditional policies,youoftenneedmultipleGPOsfilteredtoindividualgroupstoapply variationsofsettings.
LikeWMIfilters,itemleveltargetingofpreferencesrequirestheCSEtoperforma querytodeterminewhethertoapplythesettingsinapreferencesitem.Youmustbe awareofthepotentialperformanceimpactofitemleveltargeting,particularlyifyou useoptionssuchasLDAPqueries,whichrequireprocessingtimeandaresponsefrom adomaincontrollertoprocess.AsyoudesignyourGroupPolicyinfrastructure,

07/06/13
balancetheconfigurationmanagementbenefitsofitemleveltargetingagainstthe performanceimpactyoudiscoverduringtestinginalab.
Loopback Policy Processing
Bydefault,auserssettingscomefromGPOsscopedtotheuserobjectinActive Directory.Regardlessofwhichcomputertheuserlogsonto,theresultantsetof policiesthatdeterminetheusersenvironmentisthesame.Therearesituations, however,inwhichyoumightwanttoconfigureauserdifferently,dependingonthe computerinuse.Forexample,youmightwanttolockdownandstandardizeuser desktopswhenuserslogontocomputersincloselymanagedenvironmentssuchas conferencerooms,receptionareas,laboratories,classrooms,andkiosks.Itisalso

07/06/13
importantforvirtualdesktopinfrastructure(VDI)scenarios,includingremotevirtual machinesandRemoteDesktopServices(RDS),knownasTerminalServicesin previousversions. Imagineascenarioinwhichyouwanttoenforceastandardcorporateappearancefor theWindowsdesktoponallcomputersinconferenceroomsandotherpublicareasof youroffice.HowwillyoucentrallymanagethisconfigurationbyusingGroupPolicy? PolicysettingsthatconfiguredesktopappearancearelocatedintheUser ConfigurationnodeofaGPO.Therefore,bydefault,thesettingsapplytousers, regardlessofwhichcomputertheylogonto.Thedefaultpolicyprocessingdoesnot giveyouawaytoscopeusersettingstoapplytocomputers,regardlessofwhichuser logson.Thatswhereloopbackpolicyprocessingcomesin. LoopbackpolicyprocessingaltersthedefaultalgorithmusedbytheGroupPolicy clienttoobtaintheorderedlistofGPOsthatshouldbeappliedtoausers configuration.InsteadofuserconfigurationbeingdeterminedbytheUser ConfigurationnodeofGPOsthatarescopedtotheuserobject,userconfiguration canbedeterminedbytheUserConfigurationnodepoliciesofGPOsthatarescoped tothecomputerobject. TheUserGroupPolicyloopbackprocessingmodepolicy,locatedintheComputer Configuration\Policies\AdministrativeTemplates\System\GroupPolicyfolderinGPME, canbe,likeallpolicysettings,settoNotConfigured,Enabled,orDisabled.
82/135
07/06/13
Whenenabled,thepolicycanspecifytheReplaceorMergemode. Replace.Inthiscase,theGPOlistfortheuser(obtainedinstep5intheGroup PolicyProcessing,thenextsection)isreplacedentirelybytheGPOlistalready obtainedforthecomputeratcomputerstartup(instep2).ThesettingsinUser ConfigurationpoliciesofthecomputersGPOsareappliedtotheuser.TheReplace modeisusefulinasituationsuchasaclassroomwhereusersshouldreceivea standardconfigurationratherthantheconfigurationappliedtothoseusersinaless managedenvironment. Merge.Inthiscase,theGPOlistobtainedforthecomputeratcomputerstartup (step2intheGroupPolicyProcessingsection)isappendedtotheGPOlist obtainedfortheuserwhenloggingon(step5).BecausetheGPOlistobtainedfor thecomputerisappliedlater,settingsinGPOsonthecomputerslisthave
07/06/13
precedenceiftheyconflictwithsettingsintheuserslist.Thismodewouldbe usefultoapplyadditionalsettingstouserstypicalconfigurations.Forexample,you mightallowausertoreceivetheuserstypicalconfigurationwhenloggingontoa computerinaconferenceroomorreceptionarea,butreplacethewallpaperwitha standardbitmapanddisabletheuseofcertainapplicationsordevices.
NoteItisalessdocumentedfactthatwhenyoucombinetheloopback processingwithsecuritygroupfiltering,theapplicationofusersettings duringpolicyrefreshusesthecredentialsofthecomputertodetermine whichGPOstoapplyaspartoftheloopbackprocessing.However,the loggedonusermustalsohavetheApplyGroupPolicypermissionforthe GPOtobesuccessfullyapplied.
Lab B: Manage Group Policy Scope
84/135
07/06/13
Lab Setup
85/135
07/06/13
4.
5.
Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodo so.
Lab Scenario
Youareanadministratorofthecontoso.comdomain.TheContosoStandardsGPO, linkedtothedomain,configuresapolicysettingthatrequiresatenminutescreen savertimeout.Anengineerreportsthatacriticalapplicationthatperformslengthy calculationscrasheswhenthescreenssaverstarts,andtheengineerhasaskedyouto preventthesettingfromapplyingtotheteamofengineersthatusestheapplication everyday.Youhavealsobeenaskedtoconfigureconferenceroomcomputerstouse a45minutetimeoutsothatthescreensaverdoesnotlaunchduringameeting.
Exercise 1: Configure GPO Scope with Links

Inthisexercise,youwillmodifythescopeofGPOsbyusingGPOlinks,and youwillexploreinheritance,precedence,andtheeffectsofEnforcedlinks
07/06/13
andBlockInheritance. Themaintasksforthisexerciseareasfollows: 1. CreateaGPOwithapolicysettingthattakesprecedenceoveraconflicting setting. 2. 3. ViewtheeffectofanenforcedGPOlink. ApplyBlockInheritance.
Task 1: Create a GPO with a policy setting that takes precedence over a conflicting setting. 1. OnNYCDC1,runActiveDirectoryUsersandComputersasan administrator,withtheusernamePat.Coleman_Adminandthepassword Pa$$w0rd. 2. IntheUserAccounts\EmployeesOU,createasubOUcalledEngineers,and thencloseActiveDirectoryUsersandComputers. 3. RuntheGroupPolicyManagementConsoleasanadministrator,withtheuser namePat.Coleman_AdminandthepasswordPa$$w0rd. 4. CreateanewGPOlinkedtotheEngineersOUcalledEngineering ApplicationOverride.
07/06/13
5.
ConfiguretheScreensavertimeoutpolicysettingtobedisabled,andthen closetheGPME.
6.
SelecttheEngineersOU,andthenclicktheGroupPolicyInheritancetab. NoticethattheEngineeringApplicationOverrideGPOhasprecedenceover theCONTOSOStandardsGPO.Thescreensavertimeoutpolicysettingyou justconfiguredintheEngineeringApplicationOverrideGPOwillbeapplied afterthesettingintheCONTOSOStandardsGPO.Therefore,thenewsetting willoverwritethestandardssetting,andwill"win."Screensavertimeoutwillbe disabledforuserswithinthescopeoftheEngineeringApplicationOverride GPO.
Task 2: View the effect of an enforced GPO link.
1.
IntheGPMCconsoletree,selecttheDomainControllersOU,andthenclick theGroupPolicyInheritancetab.
2.
NoticethattheGPOnamed6425Chasthehighestprecedence.Settingsinthis GPOwilloverrideanyconflictingsettingsinanyoftheotherGPOs. TheDefaultDomainControllersGPOspecifies,amongotherthings,which groupsaregiventherighttologonlocallytodomaincontrollers.Toenhance thesecurityofdomaincontrollers,standardusersarenotgiventherighttolog onlocally.toallowanonprivilegeduseraccountsuchasPat.Colemantologon
88/135
07/06/13
todomaincontrollers.Inthiscourse,the6425CGPOgivesDomainUsersthe righttologonlocallytoacomputer.The6425CGPOislinkedtothedomain,so itssettingswouldnormallybeoverriddenbysettingsintheDefaultDomain ControllersGPO.Therefore,the6425CGPOlinktothedomainisconfiguredas Enforced.Inthisway,theconflictinuserrightsassignmentbetweenthetwo GPOsis"won"bythe6425CGPO.
Task 3: Apply Block Inheritance.
1.
IntheGPMCconsole,selecttheEngineersOUandexaminetheprecedence andinheritanceofGPOsontheGroupPolicyInheritancetab.
2.
BlocktheinheritanceofGPOstotheEngineersOU. Question:WhichGPOscontinuetoapplytousersintheEngineersOU? WherearethoseGPOslinked?Whydidtheycontinuetoapply?
3.
TurnoffBlockInheritancefromtheEngineersOU.
Results:Inthisexercise,youcreatedaGPOcalledEngineeringApplication OverrideandlinkedittotheEngineersOU.Youalsohaveanunderstandingof inheritance,precedence,andtheeffectsofanEnforcedlinkandBlockInheritance.
89/135
07/06/13
Exercise 2: Configure GPO Scope with Filtering

Astimepasses,youdiscoverthatonlyasmallnumberofengineersrequire thescreensavertimeoutoverridethatiscurrentlyappliedtoallusersin theEngineersOU.Inaddition,youdiscoverthatafewusersmustbe exemptedfromthescreensavertimeoutpolicyandothersettings configuredbytheCONTOSOStandardsGPO.Youdecidetousesecurity filteringtomanagethescopeoftheGPOs. Inthisexercise,youwillmodifythescopeofGPOsbyusingfiltering. Themaintasksforthisexerciseareasfollows: 1. 2. Configurepolicyapplicationwithsecurityfiltering. Configureanexemptionwithsecurityfiltering.
Task 1: Configure policy application with security filtering.
1.
RunActiveDirectoryUsersandComputersasanadministrator,withthe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
IntheGroups\ConfigurationOU,createaglobalsecuritygroupnamed
90/135
07/06/13
GPO_EngineeringApplicationOverride_Apply. 3. IntheGPMCconsole,selecttheEngineeringApplicationOverrideGPO. NoticethatintheSecurityFilteringsection,theGPOappliesbydefaulttoall authenticatedusers. 4. ConfiguretheGPOtoapplyonlytotheGPO_EngineeringApplication Override_Applygroup.
Task 2: Configure an exemption with security filtering.
1.
RunActiveDirectoryUsersandComputersasanadministratorwiththeuser namePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
IntheGroups\ConfigurationOU,createaglobalsecuritygroupnamed GPO_CONTOSOStandards_Exempt.
3.
IntheGPMCconsole,selecttheCONTOSOStandardsGPO.Noticethatinthe SecurityFilteringsection,theGPOappliesbydefaulttoallauthenticated users.
4.
ConfiguretheGPOtodenyApplyGroupPolicypermissiontothe GPO_CONTOSOStandards_Exemptgroup.
91/135
07/06/13
Results:Inthisexercise,youconfiguredtheEngineeringApplicationOverride GPOtoapplyonlytothemembersofGPO_EngineeringApplication Override_Apply.YoualsoconfiguredagroupwiththeDenyApplyGroupPolicy permission,whichoverridestheAllowpermission.Ifanyuserrequiresexemption fromthepoliciesintheCONTOSOStandardsGPO,youcansimplyaddthe computertothegroupGPO_CONTOSOStandards_Exempt.
Exercise 3: Configure Loopback Processing

Youneedtoconfigurethescreensavertimeoutinconferenceroomsto45 minutessothatascreensaverdoesnotappearinthemiddleofameeting. Inthisexercise,youwillconfigureloopbackGPOprocessing. Themaintaskforthisexerciseisasfollows: Configureloopbackprocessing.
Task 1: Configure loopback processing.
1.
CreateanewGPOnamedConferenceRoomPoliciesandlinkittothe Kiosks\ConferenceRoomsOU.
92/135
07/06/13
2.
ConfirmthattheConferenceRoomPoliciesGPOisscopedto AuthenticatedUsers.
3.
ModifytheScreenSavertimeoutpolicytolaunchthescreensaverafter45 minutes.ModifytheUserGroupPolicyloopbackprocessingmodepolicy settingtouseMergemode.
Results:Inthisexercise,youcreatedaConferenceRoomPoliciesGPOthat appliesa45minutescreensavertimeouttouserswhentheylogontoconference roomcomputers.
NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.
Lab Review Questions Question:Manyorganizationsrelyheavilyonsecuritygroupfilteringtoscope GPOs,ratherthanlinkingGPOstospecificOUs.Intheseorganizations,GPOsare typicallylinkedveryhighintheActiveDirectorylogicalstructuretothedomain itselfortoafirstlevelOU.Whatadvantagesaregainedbyusingsecuritygroup filteringratherthanGPOlinkstomanagethescopeoftheGPO? Question:Whymightitbeusefultocreateanexemptiongroupagroupthat isdeniedtheApplyGroupPolicypermissionforeveryGPOyoucreate?
07/06/13
Question:Doyouuseloopbackpolicyprocessinginyourorganization?In whichscenariosandforwhichpolicysettingscanloopbackpolicyprocessingadd value?
Lesson 4: Group Policy Processing
Nowthatyouhavelearnedmoreabouttheconcepts,components,andscopingof GroupPolicy,youarereadytoexamineGroupPolicyprocessingclosely.
Objectives
07/06/13
Aftercompletingthislesson,youwillbeableto: Understand,improve,andmanuallytriggerpolicyrefresh. Implementloopbackpolicyprocessing.
Detailed Review of Group Policy Processing
ThistopicdetailsGroupPolicyprocessing.Asyoureadit,rememberthatGroupPolicy isallaboutapplyingconfigurationsdefinedbyGPOs,thatGPOsareappliedinan order(site,domain,andOU),andthatGPOsappliedlaterintheorderhavehigher

07/06/13
precedencetheirsettings,whenapplied,willoverridesettingsappliedearlier.The followingsequencedetailstheprocessthroughwhichsettingsinadomainbasedGPO areappliedtoaffectacomputeroruser. 1. Thecomputerstarts,andthenetworkstarts.RemoteProcedureCallSystem Service(RPCSS)andMultipleUniversalNamingConventionProvider(MUP)are started.TheGroupPolicyClientisstarted. 2. TheGroupPolicyClientobtainsanorderedlistofGPOsscopedtothecomputer. TheorderofthelistdeterminestheorderofGPOprocessing,whichis,by default,local,site,domain,andOU. LocalGPOs.EachcomputerrunningWindowsServer2003,WindowsXP,and Windows2000hasexactlyoneGPOstoredlocally.WindowsVista,Windows Server2008,andWindows7havemultiplelocalGPOs.Theprecedenceof localGPOsisdiscussedintheLocalGPOssectioninLesson2. SiteGPOs.AnyGPOsthathavebeenlinkedtothesiteareaddedtothe orderedlistnext.WhenmultipleGPOsarelinkedtoasite,adomain,oran OU,thelinkorder,configuredontheScopetab,determinestheorderin whichtheyareaddedtothelist.TheGPOthatishighestonthelist,withthe numberclosestto1,hasthehighestprecedence,andisaddedtothelistlast. Itwill,therefore,beappliedlast,anditssettingswilloverridethoseofthe GPOsappliedearlier. DomainGPOs.MultipledomainlinkedGPOsareaddedasspecifiedbythelink
07/06/13
order. NoteDomainlinkedpoliciesarenotinheritedbychilddomains.Policies fromaparentdomainarenotinheritedbyachilddomain.Eachdomain maintainsdistinctpolicylinks.However,computersinseveraldomains mightbewithinthescopeofaGPOlinkedtoasite.
OUGPOs.GPOslinkedtotheOUhighestintheActiveDirectoryhierarchyare addedtotheorderedlist,followedbyGPOslinkedtoitschildOU,andsoon. Finally,theGPOslinkedtotheOUthatcontainsthecomputerareadded.If severalgrouppoliciesarelinkedtoanOU,theyareaddedintheorder specifiedbythelinkorder. EnforcedGPOsareaddedattheendoftheorderedlist,sotheirsettingswill beappliedattheendoftheprocessandwill,therefore,overridesettingsof GPOsearlierinthelistandintheprocess.Asapointoftrivia,enforcedGPOs areaddedtothelistinthereverseorder:OU,domain,andsite.Thisis relevantwhenyouapplycorporatesecuritypoliciesinadomainlinked enforcedGPO.ThatGPOwillbeattheendoftheorderedlistandwillbe appliedlast,soitssettingswilltakeprecedence. 3. TheGPOsareprocessedsynchronouslyintheorderspecifiedbytheorderedlist. ThismeansthatsettingsinthelocalGPOsareprocessedfirst,followedbyGPOs linkedtothesite,thedomain,andtheOUscontainingtheuserorcomputer. GPOslinkedtotheOUofwhichthecomputeroruserisadirectmemberare
07/06/13
processedlast,followedbyenforcedGPOs. AseachGPOisprocessed,thesystemdetermineswhetheritssettingsshould beappliedbasedontheGPOstatusforthecomputernode(enabledor disabled)andwhetherthecomputerhastheAllowGroupPolicypermission.If aWMIfilterisappliedtotheGPO,andifthecomputerisrunningWindowsXP orlater,itperformstheWQLqueryspecifiedinthefilter. 4. IftheGPOshouldbeappliedtothesystem,CSEstriggertoprocesstheGPO settings.PolicysettingsinGPOsoverwritepoliciesofpreviouslyappliedGPOsin thefollowingways: Ifapolicysettingisconfigured(settoEnabledorDisabled)inaGPOlinkedto aparentcontainer(OU,domain,orsite),andthesamepolicysettingisNot ConfiguredinGPOslinkedtoitschildcontainer,theresultantsetofpolicies forusersandcomputersinthechildcontainerwillincludetheparentspolicy setting.IfthechildcontainerisconfiguredwiththeBlockInheritanceoption, theparentsettingisnotinheritedunlesstheGPOlinkisconfiguredwiththe Enforcedoption. Ifapolicysettingisconfigured(settoEnabledorDisabled)foraparent container,andthesamepolicysettingisconfiguredforachild,thechild containerssettingoverridesthesettinginheritedfromtheparent.Ifthe parentGPOlinkisconfiguredwiththeEnforcedoption,theparentsettinghas precedence. IfapolicysettingofGPOslinkedtoparentcontainersisNotConfigured,and
07/06/13
thechildOUsettingisalsoNotConfigured,theresultantpolicysettingisthe settingthatresultsfromtheprocessingoflocalGPOs.Iftheresultantsetting oflocalGPOsisalsoNotConfigured,theresultantconfigurationisthe Windowsdefaultsetting. 5. Whentheuserlogson,theprocessisrepeatedforusersettings.Theclient obtainsanorderedlistofGPOsscopedtotheuser,examineseachGPO synchronously,andhandsoverGPOsthatshouldbeappliedtotheappropriate CSEsforprocessing.ThisstepismodifiedifUserLoopbackGroupPolicy Processingisenabled.Loopbackpolicyprocessingisdiscussedinthenexttopic.
NoteSomePolicysettingsareinbothComputerConfigurationandUser Configurationnodes.MostpolicysettingsarespecifictoeithertheUser ConfigurationorComputerConfigurationnode.Afewsettingsappearin bothnodes.Althoughinmostsituations,thesettingintheComputer ConfigurationnodeoverridesthesettingintheUserConfigurationnode, itisimportanttoreadtheexplanatorytextaccompanyingthepolicy settingtounderstandthesettingseffectanditsapplication.
6.
Every90120minutesaftercomputerstartup,computerpolicyrefreshoccurs, andtheprocessisrepeatedforcomputersettings.
7.
Every90120minutesafteruserlogon,userpolicyrefreshoccurs,andthe processisrepeatedforusersettings.
99/135
07/06/13
Slow Links and Disconnected Systems
OneofthetasksthatcanbeautomatedandmanagedwithGroupPolicyissoftware installation.InModule7,you'lllearnaboutGroupPolicySoftwareInstallation(GPSI), whichisprovidedbythesoftwareinstallationCSE.YoucanconfigureaGPOtoinstall oneormoresoftwarepackages. Imagine,however,thatauserconnectstoyournetworkoveraslowconnection.You wouldnotwantlargesoftwarepackagestobetransferredovertheslowlinkbecause performancewouldbeproblematic. TheGroupPolicyClientaddressesthisconcernbydetectingthespeedofthe

07/06/13
connectiontothedomainanddeterminingwhethertheconnectionshouldbe consideredaslowlink.ThatdeterminationisthenusedbyeachCSEtodecide whethertoapplysettings.Thesoftwareextension,forexample,isconfiguredtoforgo policyprocessingsothatsoftwareisnotinstalledifaslowlinkisdetected.Bydefault, alinkisconsideredtobeslowifitislessthan500kilobitspersecond(kbps). IfGroupPolicydetectsaslowlink,itsetsaflagtoindicatetheslowlinktotheCSEs. TheCSEscanthendeterminewhethertoprocesstheapplicableGroupPolicysettings. Thedefaultslowlinkspeedis500kilobitspersecond(Kbps),butyoucanconfigure this.Thefollowingtabledescribesthedefaultbehavioroftheclientsideextensions:
ClientSide Extension
Registrypolicyprocessing InternetExplorermaintenance SoftwareInstallationpolicy FolderRedirectionpolicy Scriptspolicy Securitypolicy InternetProtocolSecurity (IPSec)policy
Slowlinkprocessing
Canitbechanged?
On Off Off Off Off On Off
No Yes Yes Yes Yes No Yes
101/135
07/06/13
Wirelesspolicy EFSRecoverypolicy DiskQuotapolicy
Off On Off
Yes Yes Yes
Ifauserisworkingwhiledisconnectedfromthenetwork,thesettingspreviously appliedbyGroupPolicycontinuetotakeeffect,soausersexperienceisidentical, irrespectiveofwhetherheorsheisonthenetworkoraway.Thereareexceptionsto thisrule,mostnotablythatstartup,logon,logoff,andshutdownscriptswillnotrunif theuserisdisconnected. Ifaremoteuserconnectstothenetwork,theGroupPolicyclientwakesupand determineswhetheraGroupPolicyrefreshwindowhasbeenmissed.Ifso,it performsaGroupPolicyrefreshtoobtainthelatestGPOsfromthedomain.Again, theCSEsdetermine,basedontheirpolicyprocessingsettings,whethersettingsin thoseGPOsareapplied.ThisprocessdoesnotapplytoWindowsXPorWindows Server2003systems.ItappliesonlytoWindowsVista,WindowsServer2008, Windows7,andneweroperatingsystems.
Identify When Settings Take Effect
102/135
07/06/13
ThereareseveralprocessesthatmustbecompletedbeforeGroupPolicysettingsare actuallyappliedtoauseroracomputer.Wewilldiscusstheseprocessesinthistopic
GPO Replication Must Happen

BeforeaGPOcantakeeffect,theGroupPolicycontainer(GPC)inActiveDirectory mustbereplicatedtothedomaincontrollerfromwhichtheGroupPolicyClient obtainsitsorderedlistofGPOs.Additionally,theGroupPolicytemplate(GPT)in SYSVOLmustreplicatetothesamedomaincontroller.
Group Changes Must Be Incorporated

07/06/13
Finally,ifyouhaveaddedanewgrouporchangedthemembershipofagroupthatis usedtofiltertheGPO,thatchangemustalsobereplicated,andthechangemustbe inthesecuritytokenofthecomputerandtheuser,whichrequiresarestart(forthe computertoupdateitsgroupmembership)oralogoffandlogon(fortheuserto updateitsgroupmembership).
User or Computer Group Policy Refresh Must Occur

Asyouknow,refreshhappensatstartup(forcomputersettings)andlogon(foruser settings)andevery90120minutesthereafter,bydefault. NoteRememberthatthepracticalimpactoftheGroupPolicyrefreshinterval isthatwhenyoumakeachangeinyourenvironment,itwillbeonaverage onehalfthattime,or45to60minutes,beforethechangestartstotake effect.
Bydefault,WindowsXP,WindowsVista,andWindows7clientsperformonly backgroundrefreshesatstartupandlogon,whichmeansthataclientmightstartup andausermightlogonwithoutreceivingthelatestpoliciesfromthedomain.We highlyrecommendthatyouchangethisdefaultbehaviorsothatpolicychangesare implementedinamanaged,predictableway.EnablethepolicysettingAlwaysWait ForNetworkAtStartupAndLogonforallWindowsclients.Thesettingislocated inComputerConfiguration\Policies\AdministrativeTemplates\System\Logon.Besure

07/06/13
toreadthepolicysettingsexplanatorytext.Notethatthisdoesnotaffectthestartup orlogontimeforcomputersthatarenotconnectedtoanetwork.Ifthecomputer detectsthatitisdisconnected,itdoesnot"wait"foranetwork.Thecontoso.com domainusedinthiscoursehasbeenpreconfiguredwiththisadditionalGroupPolicy setting.
Settings Might Not Take Effect Immediately

Althoughmostsettingsareappliedduringabackgroundpolicyrefresh,someCSEsdo notapplythesettinguntilthenextstartuporlogonevent.Forexample,newlyadded startupandlogonscriptpoliciesdonotrununtilthenextcomputerstartuporlogon. Softwareinstallation,whichisdiscussedinModule7,willoccuratthenextstartupif thesoftwareisassignedincomputersettings.Changestofolderredirectionpolicies willnottakeeffectuntilthenextlogon.
Manually Refresh Group Policy with GPUpdate

WhenyouareexperimentingwithGroupPolicyortryingtotroubleshootGroupPolicy processing,youmightneedtoinitiateaGroupPolicyrefreshmanuallysothatyoudo nothavetowaitforthenextbackgroundrefresh.TheGPUpdatecommandcanbe usedtoinitiateaGroupPolicyrefresh.Usedonitsown,thiscommandtriggers processingidenticaltoabackgroundGroupPolicyrefresh.Bothcomputerpolicyand userpolicyarerefreshed.Usethe/target:computeror/target:userparametertolimit therefreshtocomputerorusersettings,respectively.Duringbackgroundrefresh,by default,settingsareappliedonlyiftheGPOhasbeenupdated.The/forceswitch
07/06/13
causesthesystemtoreapplyallsettingsinallGPOsscopedtotheuserorcomputer. Somepolicysettingsrequirealogofforrebootbeforetheyactuallytakeeffect.The /logoffand/bootswitchesofGPUpdatecausealogofforreboot,respectively.You canusetheseswitcheswhenyouapplysettingsthatrequirealogofforreboot. So,thecommandthatwillcauseatotalrefreshapplication,and(ifnecessary)reboot andlogontoapplyupdatedpolicysettingsis:
g p u p d a t e/ f o r c e/ l o g o f f/ b o o t
InWindows2000Server,theSecedit.execommandwasusedtorefreshpolicy,so youmightencounteramentionoftheSecedit.execommandontheexam.
Most CSEs Do Not Reapply Settings if the GPO Has Not Changed
RememberthatmostCSEsapplysettingsinaGPOonlyiftheGPOversionhas changed.Thismeansifausercanchangeasettingthatwasoriginallyspecifiedby GroupPolicy,thesettingwillnotbebroughtbackintocompliancewiththesettings specifiedbytheGPOuntiltheGPOchanges.Luckily,mostpolicysettingscannotbe changedbyanonprivilegeduser.However,ifauserisanadministratoroftheir computer,orifthepolicysettingaffectsapartoftheregistryorofthesystemthat theuserhaspermissionstochange,thiscouldbearealproblem.
106/135
07/06/13
YouhavetheoptionofinstructingeachCSEtoreapplythesettingsofGPOsevenif theGPOshavenotbeenchanged.ProcessingbehaviorofeachCSEcanbeconfigured inthepolicysettingsfoundinComputerConfiguration\Administrative Templates\System\GroupPolicy.
Lesson 5: Troubleshoot Policy Application
WiththeinteractionofmultiplesettingsinmultipleGPOsscopedbyusingavarietyof methods,GroupPolicyapplicationcanbecomplextoanalyzeandunderstand. Therefore,youmustbeequippedtoeffectivelyevaluateandtroubleshootyourGroup Policyimplementation,identifypotentialproblemsbeforetheyarise,andsolve

07/06/13
unforeseenchallenges.MicrosoftWindowsprovidestwotoolsthatareindispensible forsupportingGroupPolicy,ResultantSetofPolicy(RSoP)andtheGroupPolicy OperationalLogs.Inthislesson,youwillexploretheuseofthesetoolsinboth proactiveandreactivetroubleshootingandsupportscenarios.
Objectives
Aftercompletingthislesson,youwillbeableto: AnalyzethesetofGPOsandpolicysettingsthathavebeenappliedtoauseror computer. ProactivelymodeltheimpactofGroupPolicyorActiveDirectorychangesonthe ResultantSetofPolicy(RSOP). LocatetheeventlogscontainingGroupPolicyrelatedevents.
Resultant Set of Policy
108/135
07/06/13
InLesson4,youlearnedthatauserorcomputercanbewithinthescopeofmultiple GPOs.GroupPolicyinheritance,filters,andexceptionsarecomplex,anditsoften difficulttodeterminewhichpolicysettingswillapply. RSoPistheneteffectofGPOsappliedtoauserorcomputertakingintoaccountGPO links,exceptions,suchasEnforcedandBlockInheritance,andapplicationofsecurity andWMIfilters. RSoPisalsoacollectionoftoolsthathelpyouevaluate,model,andtroubleshootthe applicationofGroupPolicysettings.RSoPcanqueryalocalorremotecomputerand reportbacktheexactsettingsthatwereappliedtothecomputerandtoanyuserwho

07/06/13
hasloggedontothecomputer.RSoPcanalsomodelthepolicysettingsthatare anticipatedtobeappliedtoauserorcomputerunderavarietyofscenarios,including movingtheobjectbetweenOUsorsitesorchangingtheobjectsgroupmembership. Withthesecapabilities,RSoPcanhelpyoumanageandtroubleshootconflicting policies. WindowsServer2008providesthefollowingtoolsforperformingRSoPanalysis: TheGroupPolicyResultsWizard TheGroupPolicyModelingWizard GPResult.exe
Generate RSoP Reports
110/135
07/06/13
TohelpyouanalyzethecumulativeeffectofGPOsandpolicysettingsonauseror computerinyourorganization,theGPMCincludestheGroupPolicyResultsWizard.If youwanttounderstandexactlywhichpolicysettingshaveappliedtoauserora computer,andwhy,theGroupPolicyResultsWizardisthetooltouse. TheGroupPolicyResultsWizardcanreachintotheWMIprovideronalocalor remotecomputerrunningWindowVista,WindowsXP,WindowsServer2003, WindowsServer2008,orWindows7.TheWMIprovidercanreporteverythingthere istoknowaboutthewayGroupPolicywasappliedtothesystem.Itknowswhen processingoccurred,whichGPOswereapplied,whichGPOswerenotappliedand why,errorsthatwereencountered,andtheexactpolicysettingsthattookprecedence andtheirsourceGPO.
07/06/13
ThereareseveralrequirementsforrunningtheGroupPolicyResultsWizard,as follows: Youmusthaveadministrativecredentialsonthetargetcomputer. ThetargetcomputermustberunningWindowsXPornewer.TheGroupPolicy ResultsWizardcannotaccessWindows2000systems. YoumustbeabletoaccessWMIonthetargetcomputer.Thismeansitmustbe poweredon,connectedtothenetwork,andaccessiblethroughports135and445.
NotePerformingRSoPanalysisbyusingGroupPolicyResultsWizardisjust oneexampleofremoteadministration.Toperformremoteadministration, youmayneedtoconfigureinboundrulesforthefirewallusedbyyour clientsandservers.
TheWMIservicemustbestartedonthetargetcomputer. IfyouwanttoanalyzeRSoPforauser,thatusermusthaveloggedonatleast oncetothecomputer.Itisnotnecessaryfortheusertobecurrentlyloggedon.
Afteryouhaveensuredthattherequirementsaremet,youarereadytorunanRSoP analysis.
112/135
07/06/13
TorunanRSoPreport,rightclickGroupPolicyResultsintheGPMCconsoletree andthenclickGroupPolicyResultsWizard. Thewizardpromptsyoutoselectacomputer.ItthenconnectstotheWMIprovider onthatcomputerandprovidesalistofusersthathaveloggedontoit.Youcanthen selectoneoftheusersoropttoskipRSoPanalysisforuserconfigurationpolicies. ThewizardproducesadetailedRSoPreportinadynamicHTMLformat.IfInternet ExplorerEnhancedSecurityConfigurationisset,youwillbepromptedtoallowthe consoletodisplaythedynamiccontent.Youcanexpandorcollapseeachsectionof thereportbyclickingtheShoworHidelink,orbydoubleclickingtheheadingofthe section. Thereportisdisplayedonthreetabs: Summary.TheSummarytabdisplaysthestatusofGroupPolicyprocessingat thelastrefresh.Youcanidentifyinformationthatwascollectedaboutthesystem, theGPOsthatwereappliedanddenied,securitygroupmembershipthatmight haveaffectedGPOsfilteredwithsecuritygroups,WMIfiltersthatwereanalyzed, andthestatusofCSEs. Settings.TheSettingstabdisplaystheresultantsetofpolicysettingsappliedto thecomputeroruser.Thistabshowsyouexactlywhathashappenedtotheuser throughtheeffectsofyourGroupPolicyimplementation.Atremendousamountof informationcanbegleanedfromtheSettingstab,butsomedataisntreported,
07/06/13
suchasIPSec,wireless,anddiskquotapolicysettings. PolicyEvents.ThePolicyEventstabdisplaysGroupPolicyeventsfromthe eventlogsofthetargetcomputer.
AfteryouhavegeneratedanRSoPreportwiththeGroupPolicyResultsWizard,you canrightclickthereporttorerunthequery,printthereport,orsavethereportas eitheranXMLfileoranHTMLfilethatmaintainsthedynamicexpandingand collapsingsections.BothfiletypescanbeopenedwithInternetExplorer,sotheRSoP reportisportableoutsidetheGPMC. Ifyourightclickthenodeofthereportitself,undertheGroupPolicyResultsfolderin theconsoletree,youcanswitchtoAdvancedView.InAdvancedView,RSoPis displayedbyusingtheRSoPsnapin,whichexposesallappliedsettings,including IPSec,wireless,anddiskquotapolicies.
Generate RSoP Reports with GPResult.exe

TheGPResult.execommandisthecommandlineversionoftheGroupPolicyResults Wizard.GPResulttapsintothesameWMIproviderasthewizard,producesthesame informationand,infact,enablesyoutocreatethesamegraphicalreports.GPResult runsonWindowsVista,WindowsXP,WindowsServer2003,WindowsServer2008, andWindows7.Windows2000includesaGPResult.execommand,whichproducesa limitedreportofGroupPolicyprocessing,butisnotassophisticatedasthecommand
07/06/13
includedinlaterversionsofWindows. WhenyouruntheGPResultcommand,youarelikelytousethefollowingoptions.
/ s c o m p u t e r n a m e
ThisoptionspecifiesthenameorIPaddressofaremotesystem.Ifyouuseadot(.) asthecomputername,ordonotincludethe/soption,theRSoPanalysisis performedonthelocalcomputer.
/ s c o p e[ u s e r|c o m p u t e r ]
ThisdisplaysRSoPanalysisforuserorcomputersettings.Ifyouomitthe/scope option,RSoPanalysisincludesbothuserandcomputersettings.
/ u s e r u s e r n a m e
ThisspecifiesthenameoftheuserforwhichRSoPdataistobedisplayed.
115/135
07/06/13
/ r
ThisoptiondisplaysasummaryofRSoPdata.
/ v
ThisoptiondisplaysverboseRSoPdata,whichpresentsthemostmeaningful information.
/ z
Thisdisplayssuperverbosedata,includingthedetailsofallpolicysettingsappliedto thesystem.Often,thisismoreinformationthanyouwillrequirefortypicalGroup Policytroubleshooting.
/ u d o m a i n \ u s e r / p p a s s w o r d
ThisprovidescredentialsthatareintheAdministratorsgroupofaremotesystem.
07/06/13
Withoutthesecredentials,GPResultrunsbyusingthecredentialswithwhichyouare loggedon.
[ / x|/ h ]f i l e n a m e
ThisoptionsavesthereportsintheXMLorHTMLformat.Theseoptionsareavailable inWindowsVistaSP1andlater,WindowsServer2008andlater,andWindows7.
Troubleshoot Group Policy with the Group Policy Results Wizard and GPResult.exe
Asanadministrator,youwilllikelyencounterscenariosthatrequireGroupPolicy troubleshooting.Youmightneedtodiagnoseandsolveproblems,includingthe following: GPOsarenotbeingappliedatall. Theresultantsetofpoliciesforacomputeroruserisnotwhatwasexpected.
TheGroupPolicyResultsWizardandGPResult.exewilloftenprovidethemost valuableinsightintoGroupPolicyprocessingandapplicationproblems.Remember thatthesetoolsexaminetheWMIRSoPprovidertoreportexactlywhathappenedon asystem.ExaminingtheRSoPreportwilloftenpointyoutoGPOsthatarescoped

07/06/13
incorrectlyorpolicyprocessingerrorsthatpreventedtheapplicationofGPOsettings.
Perform What-If Analyses with the Group Policy Modeling Wizard
Ifyoumoveacomputeroruserbetweensites,domains,orOUs,orchangeits securitygroupmembership,theGPOsscopedtothatuserorcomputerwillchange. Therefore,theRSoPforthecomputeroruserwillbedifferent.TheRSoPwillalso changeifslowlinkorloopbackprocessingoccurs,orifthereisachangetoasystem characteristicthatistargetedbyaWMIfilter. Beforeyoumakeanyofthesechanges,youshouldevaluatethepotentialimpactto

07/06/13
theRSoPoftheuserorcomputer.TheGroupPolicyResultsWizardcanperformRSoP analysisonlyonwhathasactuallyhappened.Topredictthefutureandtoperform whatifanalyses,youcanusetheGroupPolicyModelingWizard. ToperformGroupPolicyModeling,rightclicktheGroupPolicyModelingnodeinthe GPMCconsoletree,clickGroupPolicyModelingWizard,andthenperformthestepsin thewizard. Modelingisperformedbyconductingasimulationonadomaincontroller,soyouare firstaskedtoselectadomaincontrollerthatisrunningWindowsServer2003orlater. Youdonotneedtobeloggedonlocallytothedomaincontroller,butthemodeling requestwillbeperformedonthedomaincontroller.Youarethenaskedtospecifythe settingsforthesimulation. Selectauserorcomputerobjecttoevaluate,orspecifytheOU,site,ordomainto evaluate. Choosewhetherslowlinkprocessingshouldbesimulated. Specifytosimulateloopbackprocessingand,ifso,chooseReplaceorMergemode. Selectasitetosimulate. Selectsecuritygroupsfortheuserandforthecomputer. ChoosewhichWMIfilterstoapplyinthesimulationofuserandcomputerpolicy
07/06/13
processing.
Whenyouhavespecifiedthesettingsforthesimulation,areportisproducedthatis verysimilartotheGroupPolicyResultsreportdiscussedearlier.TheSummarytab showsanoverviewofwhichGPOswillbeprocessed,andtheSettingstabdetailsthe policysettingsthatwillbeappliedtotheuserorcomputer.Thisreport,too,canbe savedbyrightclickingitandchoosingSaveReport.
Examine Policy Event Logs
WindowsVista,WindowsServer2008,andWindows7improveyourabilityto
07/06/13
troubleshootGroupPolicynotonlywithRSoPtools,butalsowithimprovedlogging ofGroupPolicyevents. IntheSystemlog,youwillfindhighlevelinformationaboutGroupPolicy, includingerrorscreatedbytheGroupPolicyclientwhenitcannotconnecttoa domaincontrollerorlocateGPOs. TheApplicationlogcaptureseventsrecordedbyCSEs. Anewlog,calledtheGroupPolicyOperationalLog,providesdetailedinformation aboutGroupPolicyprocessing.
TofindGroupPolicylogs,opentheEventViewersnapinorconsole.TheSystemand ApplicationlogsareintheWindowsLogsnode.TheGroupPolicyOperationalLogis foundin ApplicationsAndServicesLogs\Microsoft\Windows\GroupPolicy\Operational.
Lab C: Troubleshoot Policy Application
121/135
07/06/13
Lab Setup
122/135
07/06/13
4.
5.
Start6425CNYCCL1.LogontoNYCCL1asPat.Colemanwiththepasswordof Pa$$w0rd.
Lab Scenario
YouareresponsibleforadministeringandtroubleshootingtheGroupPolicy infrastructureatContoso,Ltd.Youwanttoevaluatetheresultantsetofpoliciesfor usersinyourenvironmenttoensurethattheGroupPolicyinfrastructureishealthy, andthatallpoliciesareappliedastheywereintended.
Exercise 1: Perform RSoP Analysis

Inthisexercise,youwillevaluatetheresultantsetofpolicybyusingboth theGroupPolicyResultsWizardandtheGPResultscommand. Themaintasksforthisexerciseareasfollows:
123/135
07/06/13
1. 2. 3.
RefreshGroupPolicy. CreateaGroupPolicyresultsRSoPreport. AnalyzeRSoPwithGPResults.
Task 1: Refresh Group Policy.
1.
OnNYCCL1,runthecommandpromptasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
Runthegpupdate/forcecommand.Afterthecommandhascompleted,make anoteofthecurrentsystemtime,whichyouwillneedtoknowforatasklaterin thislab.
3.
RestartNYCCL1andwaitforittorestartbeforeproceedingwiththenexttask.
Task 2: Create a Group Policy results RSoP report.
1.
OnNYCDC1,runtheGroupPolicyManagementconsoleasanadministrator, withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
UsetheGroupPolicyResultsWizardtorunanRSoPreportfor Pat.ColemanonNYCCL1.
124/135
07/06/13
3.
ReviewGroupPolicySummaryresults.Forbothuserandcomputer configuration,identifythetimeofthelastpolicyrefreshandthelistofallowed anddeniedGPOs.Identifythecomponentsthatwereusedtoprocesspolicy settings.
4.
ClicktheSettingstab.Reviewthesettingsthatwereappliedduringuserand computerpolicyapplication,andidentifytheGPOfromwhichthesettingswere obtained.
5.
ClickthePolicyEventstab,andlocatetheeventthatlogsthepolicyrefresh youtriggeredwiththeGPUpdatecommandinTask1.
6.
ClicktheSummarytab,rightclickthepage,andchooseSaveReport.Save thereportasanHTMLfiletodriveDwithanameofyourchoice.Thenopenthe RSoPreportfromdriveD.
Task 3: Analyze RSoP with GPResults.
1. 2. 3.
LogontoNYCCL1asPat.Coleman_AdminwiththepasswordPa$$w0rd. Runthecommandpromptwithadministrativecredentials. Typegpresult/randpressEnter. RSoPsummaryresultsaredisplayed.Theinformationisverysimilartothe SummarytaboftheRSoPreportproducedbytheGroupPolicyResultsWizard.
125/135
07/06/13
4.
Typegpresult/vandpressEnter. AmoredetailedRSoPreportisproduced.NoticethatmanyoftheGroupPolicy settingsappliedbytheclientarelistedinthisreport.
5.
Typegpresult/zandpressEnter. ThemostdetailedRSoPreportisproduced.
6.
Typegpresult/h:"%userprofile%\Desktop\RSOP.html"andpressEnter. AnRSoPreportissavedasanHTMLfiletoyourdesktop.
7. 8.
OpenthesavedRSoPreportfromyourdesktop. Comparethereport,itsinformation,anditsformattingwiththeRSoPreportyou savedintheprevioustask.
Results:Inthisexercise,youlearnedhowtodoaresultantsetofpolicyintwo ways,usingawizardandfromthecommandline.
Exercise 2: Use the Group Policy Modeling Wizard

BeforeyourollouttheConferenceRoomPoliciesGPOforproduction,you wanttoevaluatetheeffectitwillhaveonuserswhologontoconference
07/06/13
roomcomputers.Inthisexercise,youwillusetheGroupPolicyModeling Wizardtomodeltheresultantsetofpoliciesappliedtoauser,Mike Danseglio,ifheweretologontoaconferenceroomcomputer,NYCCL1. Themaintaskforthisexerciseisasfollows: PerformGroupPolicyresultsmodeling.
NoteThistaskrequiresgreaterlevelofdetailinthehighlevelsteps comparetoothertasksinthemodule..
Task 1: Perform Group Policy results modeling.
1. 2.
SwitchtoNYCDC1. IntheGroupPolicyManagementconsoletree,expandForest:Contoso.com, andthenclickGroupPolicyModeling.
3.
RightclickGroupPolicyModeling,andthenclickGroupPolicyModeling Wizard. TheGroupPolicyModelingWizardappears.
4.
ClickNext.
127/135
07/06/13
5. 6.
OntheDomainControllerSelectionpage,clickNext. OntheUserAndComputerSelectionpage,intheUserInformation section,clickUser,andthenclickBrowse. TheSelectUserdialogboxappears.
7. 8.
TypeMike.DanseglioandthenpressEnter. IntheComputerInformationsection,clicktheComputeroptionbutton, andthenclickBrowse. TheSelectComputerdialogboxappears.
9.
TypeNYCCL1andthenpressEnter.
10. ClickNext. 11. OntheAdvancedSimulationOptionspage,selecttheLoopback Processingcheckbox,andthenclickMerge. EventhoughtheConferenceRoomPolicesGPOspecifiesloopback processing,youmustinstructtheGroupPolicyModelingWizardtoconsider loopbackprocessinginitssimulation. 12. ClickNext. 13. OntheAlternateActiveDirectoryPathspage,clicktheBrowsebuttonnext toComputerlocation.
07/06/13
TheChooseComputerContainerdialogboxappears. 14. Expandcontoso.comandKiosks,andthenclickConferenceRooms. YouaresimulatingtheeffectofNYCCL1asaconferenceroomcomputer. 15. ClickOK. 16. ClickNext. 17. OntheUserSecurityGroupspage,clickNext. 18. OntheComputerSecurityGroupspage,clickNext. 19. OntheWMIFiltersforUserspage,clickNext. 20. OntheWMIFiltersforComputerspage,click.Next. 21. ReviewyoursettingsontheSummaryofSelectionspage,andthenclick Next. 22. ClickFinish. 23. OntheSummarytab,scrolltoandexpand,ifnecessary,UserConfiguration, GroupPolicyObjects,andAppliedGPOs. 24. CheckwhethertheConferenceRoomPoliciesGPOapplytoMikeDanseglio asaUserpolicywhenhelogsontoNYCCL1ifNYCCL1isintheConference RoomsOU.
129/135
07/06/13
Ifnot,checkthescopeoftheConferenceRoomPoliciesGPO.Itshouldbe linkedtotheConferenceRoomsOUwithsecuritygroupfilteringthatapplies theGPOtotheAuthenticatedUsersspecialidentity.Youcanrightclickthe modelingquerytorerunthequery.IftheGPOisstillnotapplying,trydeleting andrebuildingtheGroupPolicyModelingreport,andbeverycarefulto followeachstepprecisely. 25. ClicktheSettingstab. 26. Scrollto,andexpandifnecessary,UserConfiguration,Policies, AdministrativeTemplatesandControlPanel/Personalization. 27. Confirmthatthescreensavertimeoutis2,700seconds(45minutes),thesetting configuredbytheConferenceRoomPoliciesGPOthatoverridesthe10 minutestandardconfiguredbytheCONTOSOStandardsGPO.
Results:Inthisexercise,youusedtheGroupPolicyModelingWizardtoconfirm thattheConferenceRoomPoliciesGPOinfactappliesitssettingstouserslogging ontoconferenceroomcomputers.
Exercise 3: View Policy Events

Asaclientperformsapolicyrefresh,GroupPolicycomponentslogentries
07/06/13
totheWindowseventlogs.Inthisexercise,youwilllocateandexamine GroupPolicyrelatedevents. Themaintaskforthisexerciseisasfollows: Viewpolicyevents.
Task 1: View policy events.
1.
OnNYCCL1,whereyouareloggedonasPat.Coleman_Admin,runEvent Viewerasanadministrator.
2. 3.
LocateandreviewGroupPolicyeventsintheSystemlog. LocateandreviewGroupPolicyeventsintheApplicationlog.
NoteDependingonhowlongthevirtualmachinehasbeenrunning,you maynothaveanyGroupPolicyEventsintheapplicationlog.
IntheGroupPolicyOperationallog,locatethefirsteventrelatedintheGroup PolicyrefreshyouinitiatedinExercise1,withtheGPUpdatecommand.Reviewthat eventandtheeventsthatfollowedit.

07/06/13
Results:Inthisexercise,youidentifiedGroupPolicyeventsintheeventlogs.
To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.
3. 4.
IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCCL1.
Lab Review Questions Question:InwhichsituationshaveyouusedRSoPreportstotroubleshoot GroupPolicyapplicationinyourorganization? Question:Inwhichsituationshaveyouused,orcouldyouanticipateusing, GroupPolicymodeling?
132/135
07/06/13
Question:HaveyoueverdiagnosedaGroupPolicyapplicationproblembased oneventsinoneoftheeventlogs?
Module Review and Takeaways
Review Questions
1. YouhaveassignedalogonscripttoanOUviaGroupPolicy.Thescriptislocated inasharednetworkfoldernamedScripts.SomeusersintheOUreceivethe script,whereasothersdonot.Whatmightbethepossiblecauses?
07/06/13
2. 3.
WhatGPOsettingsareappliedacrossslowlinksbydefault? Youneedtoensurethatadomainlevelpolicyisenforced,buttheManagers globalgroupneedstobeexemptfromthepolicy.Howwouldyouaccomplish this?
Common Issues Related to Group Policy Management

Issue
GroupPolicysettingsarenotappliedtoallusersor computersinOUwhereGPOisapplied Grouppolicysettingssometimesneedtworestarts toapply
Troubleshootingtip
Best Practices Related to Group Policy Management

NameGroupPolicyobjects,soyoucaneasilyidentifythembyname ApplyGroupPolicyObjectashighaspossibleinADDShierarchy UseBlockInheritanceandEnforcedoptionsonlywhenreallynecessary MakecommentsonGPOsettings
134/135
07/06/13
Tools
Tool
Grouppolicyreporting RSoP
Usefor
Reportinginformationabout thecurrentpoliciesbeing deliveredtoclients.
Wheretofindit
GroupPolicyManagementConsole
GPResult
Acommandlineutilitythat displaysRSoPinformation.
Commandlineutility
GPUpdate
RefreshinglocalandADDS basedGroupPolicysettings.
Commandlineutility
Dcgpofix
RestoringthedefaultGroup Policyobjectstotheiroriginal stateafterinitialinstallation.
Commandlineutility
GPOLogView
ExportingGroupPolicyrelated eventsfromthesystemand operationallogsintotext, HTML,orXMLfiles.Foruse withWindowsVista,Windows 7,andlaterversions.
Commandlineutility
GroupPolicy Managementscripts
Samplescriptsthatperforma numberofdifferent troubleshootingand maintenancetasks.
135/135

Module 6 - Implementing A Group Policy Infrastructure

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Module 6 - Implementing A Group Policy Infrastructure

Diunggah oleh

Hak Cipta:

Format Tersedia

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Lesson 1: Understand Group Policy

AGroupPolicyinfrastructurehasseveralmovingparts.Youneedtounderstandnot onlywhateachpartdoes,butalsohowtheyworktogetherandwhyyoumightwant toassembletheminvariousconfigurations.Inthislesson,youwillgeta comprehensiveoverviewofGroupPolicy:itscomponents,itsfunctions,anditsinner workings.

Module 6: Implementing a Group Policy Infrastructure

Aftercompletingthislesson,youwillbeableto: Identifythebusinessdriversforconfigurationmanagement. UnderstandthecorecomponentsandterminologyofGroupPolicy. ExplainthefundamentalsofGroupPolicyprocessing.

What Is Configuration Management?

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

enablesyoutomanageconfigurationinanADDSdomain.Asweturnourattention toGroupPolicy,whichcanbecomeverycomplex,alwaysrememberthateverything boilsdown,intheend,tojustthesefewbasicelementsofconfiguration management.

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

BesuretoreviewapolicysettingsexplanatorytextintheGroupPolicyManagement Editor(GPME)detailpaneorontheExplaintabinthepolicysettingsProperties dialogbox.Inaddition,alwaystesttheeffectsofapolicysettinganditsinteractions withotherpolicy

Module 6: Implementing a Group Policy Infrastructure

Benefits of Using Group Policy

Module 6: Implementing a Group Policy Infrastructure

toconfigure.Also,GroupPoliciesareusuallyusedtostandardizedesktop environmentsonallthecomputersinanorganizationalunitorwholeorganization. YoualsocanuseGroupPoliciestoprovideadditionalsecurityandsomeadvanced systemsettings. MostoftenGroupPoliciesareusedforfollowingpurposes.

Apply Security Settings

Manage Desktop and Application Settings

Module 6: Implementing a Group Policy Infrastructure

Manage Folder Redirection

Configure Network Settings.

Group Policy Objects

Module 6: Implementing a Group Policy Infrastructure

PolicysettingsaredefinedandexistwithinaGPO.AGPOisanobjectthatcontains oneormorepolicysettingsandtherebyappliesoneormoreconfigurationsettings forauseroracomputer. GPOscanbemanagedinActiveDirectorybyusingtheGroupPolicyManagement console(GPMC),shownhere:

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Group Policy Client and Client-Side Extensions

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Group Policy Refresh

Module 6: Implementing a Group Policy Infrastructure

Review the Components of Group Policy

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Demonstration: Exploring Group Policy Settings

Module 6: Implementing a Group Policy Infrastructure

GroupPolicysettings,alsoknownaspolicies,arecontainedinaGPOandareviewed andmodifiedbyusingtheGPME.Inthisdemonstration,youwilllookmorecloselyat thecategoriesofsettingsavailableinaGPO.

Computer Configuration and User Configuration

Module 6: Implementing a Group Policy Infrastructure

theoperatingsystemstartsandduringbackgroundrefreshandevery90120 minutesthereafter. TheUserConfigurationnodecontainssettingsthatareappliedwhenauserlogson tothecomputerandduringbackgroundrefreshandevery90120minutes thereafter.

Software Settings Node

Module 6: Implementing a Group Policy Infrastructure

Windows Settings Node

Security Settings Node

Module 6: Implementing a Group Policy Infrastructure

TheSecuritySettingsnodeallowsasecurityadministratortoconfiguresecurityby usingGPOs.Thiscanbedoneafter,orinsteadof,usingasecuritytemplatetoset systemsecurity.ForadetaileddiscussionofsystemsecurityandtheSecuritySettings node,refertoModule7.

Policy-Based QoS Node

Administrative Templates Node

Module 6: Implementing a Group Policy Infrastructure

Lesson 2: Implement GPOs

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure

Module 6: Implementing a Group Policy Infrastructure