10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

10.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 10: Configuring Group Policy Settings

Configure Group Policy settings for a GPO

Modify the order of Group Policy Objects

Filter the scope of a Group Policy Object

Link Group Policy Objects

Delete GPO links and Group Policy Objects

Examine the application of Group Policy using RSoP

Use the Group Policy Management Wizard

Goals




Group Policy

Used to set a consistent desktop environment

Used to configure both user and computer security settings

Other security options

Allowing automatic administrative logon to the Recovery Console

Shutting down the system immediately if the system is unable to log security audits

Configuring Group Policy Settings for a GPO

(Skill 1)




User Configuration settings node

You can use Administrative Templates to control access to the Control Panel or to specific Control Panel applets

You can control what Desktop items will appear or will be hidden, among many other policy settings

You set policies for a GPO using the Group Policy Object Editor for that GPO

Configuring Group Policy Settings for a GPO (2)

(Skill 1)




Figure 10-1 Setting Group Policy Object Properties

(Skill 1)




Figure 10-2 The Enabled Hide Add New Programs page policy

(Skill 1)




Figure 10-3 The Interactive logon: Do not display last user name Properties dialog box

(Skill 1)




Figure 10-4 The Shutdown: Allow system to be shutdown without having to log on dialog box

(Skill 1)




Figure 10-5 The Enabled policies in the Group Policy Object Editor

(Skill 1)




The order in which Group Policy settings apply to a user or computer depends on the priority order of the GPOs

GPOs, by default, are processed in accordance with the Active Directory hierarchy (LSDOU)

Local policy

Site policy

Domain policy

OU policy

Modifying the Order of Group Policy Objects

(Skill 2)




Using the Enforced option

Allows you to give preference to the policies at each level (except local)

When you set a GPO link to Enforced, the GPO link takes precedence over the settings for any child object

You can also disable a GPO link to completely block that GPO from being applied; this disables the GPO only for the selected container object

Modifying the Order of Group Policy Objects (2)

(Skill 2)




Using the Block Inheritance option

Allows you to block the application of all policies applied at higher levels for a specific container

Using filtering

Allows you to specify that a particular GPO only applies to one or more specific groups of users within a container

Involves modifying the Apply Group Policy permission for the GPO


(Skill 2)




Using the Link Order column on the Linked Group Policy Objects list in the GPMC

Allows you to change the priority order for the GPOs for a domain or an OU

Local policies have no prioritization options because they are always overwritten when a conflict occurs


(Skill 2)




Creating and linking a GPO

You must have the Link GPOs permission for the domain or organizational unit for which you are creating the GPO

You also must have permission to create GPOs in that domain

The Domain Admins, Enterprise Admins and Group Policy Creator Owner groups have permission to create GPOs in a domain by default


(Skill 2)




Using the Resultant Set of Policy (RSoP)

Allows you to see policy prioritization in action

RSoP is a new console in Windows Server 2003

Provides the ability to analyze and display the result of Group Policy application for any object in the directory


(Skill 2)




Applying a GPO to a site

You cannot create and link a GPO to a site because the operating system would not know in which domain to create the GPO

To apply a GPO to a site

Create a GPO in any domain in the forest

Use the Link an Existing GPO command to link the GPO to the site


(Skill 2)




Figure 10-6 Changing the link order for a GPO

(Skill 2)




Figure 10-7 The Group Policy Inheritance tab

(Skill 2)




Filtering the scope

You might need to restrain the scope of a GPO by applying permissions to specific users and/or computers

This is called filtering the GPO scope

To filter the scope of a GPO, you use security groups

Filtering the Scope of a Group Policy Object

(Skill 3)




Security groups

Used to specify the users subject to the policies in a particular GPO

Used to define the rights and permissions users will have to access resources

You set different permissions for different security groups on the Security tab in the Properties dialog box for a GPO

Filtering the Scope of a Group Policy Object (2)

(Skill 3)




Setting security groups permissions

Read and Apply Group Policy permissions

Are assigned for a particular GPOBy default, the Authenticated Users group is granted both

permissions for all GPOsTo block a policy from applying to a specific group, set its

Apply Group Policy permission to Deny

To allow the GPO to apply to a single group of users

Remove the Apply Group Policy permission from the Authenticated Users group

Allow the Apply Group Policy permission only for that group


(Skill 3)




When you are using filtering, only two group policy permissions are applicable

Read

Apply Group Policy


(Skill 3)




Figure 10-8 Setting the Apply Group Policy permission for a security group

(Skill 3)




Two ways to filter the scope of a GPO directly in the GPMC

Select the GPO in its container object

Expand the Group Policy Objects node in the GPMC and select the GPO you want to filter


(Skill 3)




To add objects to the security filter

On the Scope tab, in the Security Filtering section, click the Add button to open the Select User, Computer, or Group dialog box

Click OK to add the object to the security filter

To apply the GPO only to the group or groups that have been added

In the Security Filtering section on the Scope tab, select Authenticated Users

Click the Remove button


(Skill 3)




Figure 10-9 Security Filtering

(Skill 3)




A GPO, by default, is linked to the container in which it is created

You can link GPOs to additional sites, domains, or OUs in order to increase the scope of the GPOTo link a GPO to an additional container, you use the

Link an Existing GPO command and the Select GPO dialog box for that container

Linking Group Policy Objects

(Skill 4)




To link an existing GPO to a site, domain, or organizational unit, you must have the Link GPOs permission for that container object

The Domain Admins and Enterprise Admins groups are granted this permission by default for domains and organizational units

For sites, only the Domain Admins and Enterprise Admins groups for the forest root domain are granted this permission by default

Linking Group Policy Objects (2)

(Skill 4)




Figure 10-10 Linking an existing GPO

(Skill 4)




Figure 10-11 The Select GPO dialog box

(Skill 4)




Figure 10-12 The GPO linked to the domain

(Skill 4)




You might need to link a GPO to additional containers for only a certain period of time, or policies that were once applicable may no longer be needed

In these situations, you can remove the GPO link from a container object or even delete the GPO

If there is more than one GPO link associated with the object, you should remove the GPO link and not delete the GPO

If the GPO is associated with a single object, you can delete the GPO, which also deletes all links to the GPO in the domain

Deleting GPO Links and Group Policy Objects

(Skill 5)




To delete a link to a GPO

You must have permission to link Group Policy Objects for the OU or the domain

If you do not have this level of permission

The links are not deleted

Links to other domains and sites (called orphan links) remain and appear in the GPMC as Not Found

To delete Not Found links, you must have permission to link Group Policy Objects in the site, domain, or OU where the links are located

Deleting GPO Links and Group Policy Objects (2)

(Skill 5)




After deleting a GPO

You cannot create a GPO with the same name in the GPMC

A unique GUID is created for each GPO, and the GUID can never be repeated, but if you create GPOs with older tools, the same common name could be repeated

Replication latency and the use of scripts to execute tasks on GPOs can also cause a common name to be repeated


(Skill 5)




If you are considering deleting a GPO, check for cross-domain links on the Scope tab for the GPO

In the Display links in this location list box, select [Entire Forest]

All links for the GPO are displayed in the The following sites, domain, and OUs are linked to this GPO box

Select all of the links, right-click the selection, and click Delete link to delete all cross-domain links before you delete the GPO


(Skill 5)




Figure 10-13 Deleting a GPO link

(Skill 5)




Figure 10-14 Confirming the GPO link deletion

(Skill 5)




Figure 10-15 Deleting a GPO

(Skill 5)




Figure 10-16 Confirming the GPO deletion

(Skill 5)




Figure 10-17 The Delete dialog box

(Skill 5)




RSoP is a useful new tool that allows you to visually examine the application of Group Policy

To use RSoP (if you have not installed the GPMC)

Open MMC and create a new console

Query Active Directory for the Group Policies applying to a specific level of the hierarchy or for a specific object

RSoP returns a list of all Group Policy settings

Shows the configuration for that setting

Identifies Group Policy that configured that particular setting

Examining the Application of Group Policy Using RSoP

(Skill 6)




Using RSoP in troubleshooting Group Policy application

It allows you to quickly and easily determine the source of GPO conflicts on your network

RSoP identifies

The final group of policies that are applied, for which GPO set the final value for each policy

The details for the policies that were not applied, including all other GPOs that attempted to set the policy and the setting they tried to impose

Examining the Application of Group Policy Using RSoP (2)

(Skill 6)




In the GPMC, the functionality of RSoP is broken down into two distinct capabilities, which are controlled by two Wizards

Group Policy Results Wizard

Group Policy Modeling Wizard


(Skill 6)




Group Policy Results Wizard

Queries the target computer for the RSoP data that was applied to that computer

Displays the policies that are applied to that computer or to a particular user on that computer

The client being queried must be running Windows XP Professional or Windows Server 2003 or later

In the RSoP snap-in, this functionality is called logging mode


(Skill 6)




Figure 10-18 The Group Policy Results Wizard

(Skill 6)





Provides a simulation tool

Allows administrators to test to see what would happen to policy application for a particular user or computer under certain conditions

The security group memberships are changed

The location of the object in Active Directory is changed


(Skill 6)





The modeling functionality is controlled by a service that is only installed on a Windows Server 2003 domain controller

There must be at least one Windows Server 2003 domain controller in the domain

In the RSoP snap-in, this functionality is called planning mode


(Skill 6)




Figure 10-19 The Group Policy Modeling Wizard

(Skill 6)




After you have run one of the wizards, the RSoP data is generated as an HTML report

HTML report

Displays the policy settings that are applied

Identifies the GPO that sets the policy value

The report is added to either the Group Policy Results or Group Policy Modeling node in the GPMC


(Skill 6)




Viewing the HTML report

Right-click a report

Click Advanced View to open the RSoP console

You can view each policy setting and the source GPO

You can open the Properties dialog box for each policy on the Precedence tab

Allows you to verify the GPO that “won”

Allows you to view all GPOs that attempted to set the policy and the value they attempted to set


(Skill 6)




Figure 10-20 The RSoP console

(Skill 6)




Gpresult.exe command-line tool

An additional tool for troubleshooting Group Policy application in Windows Server 2003

It is stored in %Systemroot%\System32

Performs nearly the same functions as RSoP


(Skill 6)




Gpresult.exe

When you run Gpresult with no parameters, the results are for the user currently logged on the local computer

Gpresult-Logging mode displays details about the user

Operating system type

Version and configuration

Site

Roaming and local user profile locations


(Skill 6)




Gpresult-Logging mode also displays Computer Configuration and User Configuration settings Computer/user DN

Last time Group Policy was applied and the location from which it was applied to the user/computer

Domain name and type

GPOs

That were applied to the computer/user

That were filtered out

Security groups to which the computer/user belongs


(Skill 6)




Figure 10-21 The Summary of Selections screen in the Group Policy Results Wizard

(Skill 6)




Figure 10-22 The Applied and Denied GPOs

(Skill 6)




Figure 10-23 The Interactive Logon and Shutdown policies

(Skill 6)




Figure 10-24 The Control Panel/Add or Remove Programs policy

(Skill 6)




Figure 10-25 The Policy Events tab

(Skill 6)




The Group Policy Modeling Wizard (GPMW) analyzes the effects of a hypothetical GPO structure

You can perform “what-if” scenarios

To examine the potential effects of inherited Group Policies on users or computers if you redesign your OU structure

To determine the effects if you change security group memberships or move user or computer objects to different Active Directory containers

Using the Group Policy Management Wizard

(Skill 7)




Using the GPMW to evaluate Windows Management Instrumentation (WMI) filters

A WMI filter is built from query strings

Query strings filter the application of Group Policy based on customizable metrics

Using the Group Policy Management Wizard (2)

(Skill 7)




Requirements for using the GPMW

You must have at least one Windows Server 2003 server on your network

You must also have the Perform Group Policy Modeling analyses permission for the domain or OU that contains the objects you want to query

Using the Group Policy Management Wizard (3)

(Skill 7)




Figure 10-26 2-level OU structure

(Skill 7)




Figure 10-27 Domain Controller Selection

(Skill 7)




Figure 10-28 User and Computer Selection

(Skill 7)




Figure 10-29 Advanced Simulation Options

(Skill 7)




Figure 10-30 User Security Groups

(Skill 7)




Figure 10-31 Computer Security Groups

(Skill 7)




Figure 10-32 WMI Filters for Users

(Skill 7)




Figure 10-33 Summary of Selections

(Skill 7)




Figure 10-34 User and Computer Selection

(Skill 7)

Documents

10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure