9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure Lesson 9: Implementing Group Policy Goals Introduce Group Policy Introduce the types of Group Policy settings and the GPMC Identify the role of a Group Policy at startup and logon Plan a Group Policy implementation Create a Group Policy Object Delegate control for a Group Policy Object


9.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 9: Implementing Group Policy

Goals Introduce Group Policy

Introduce the types of Group Policy settings and the GPMC

Identify the role of a Group Policy at startup and logon

Plan a Group Policy implementation

Create a Group Policy Object

Delegate control for a Group Policy Object


An administrator must monitor user and computer settings regularly to make sure that they conform to the corporate standards

Group Policy is the primary Active Directory tool used by administrators to set the standard behavior for users’ desktops and to enforce those requirements

(Skill 1)

Introducing Group Policy


Using Group Policies

Administrators define the work environment settings once

The settings are applicable regardless of the user’s location

Administrators can apply GPOs to various Active Directory containers to implement rules at various levels

To do this, you simply link the GPO to one of these containers

Introducing Group Policy (2)

(Skill 1)


Group Policy is also referred to as a Group Policy Object (GPO)

A GPO is a storage place for a collection of Group Policy settings that enable an administrator to control various aspects of the computing environment

All Group Policy settings are stored in a GPO along with the properties associated with the objects in the Active Directory store

Introducing Group Policy (3)

(Skill 1)


Policy settings for sites, domains, and organizational units are stored in GPOs

To create a GPO for a domain or an OU

Use the Active Directory Users and Computers console

Use the Group Policy Management Console (GPMC)

Introducing Group Policy (4)

(Skill 1)


To create a GPO for a site

Use the Active Directory Sites and Services console

Use the Group Policy Management Console (GPMC), which combines the functionality of various consoles

Active Directory Users and Computers

Active Directory Sites and Services

ACL Editor

Delegation Wizard

Resultant Set of Policy tool

Introducing Group Policy (5)

(Skill 1)


Figure 9-1 Download the GPMC

(Skill 1)


Two types of GPOs

Local GPOs are stored on each Windows Server 2003 computer

Active Directory-based GPOs

Are stored on a domain controller in the Active Directory environment

Are replicated to all domain controllers in the domain

Introducing Group Policy (6)

(Skill 1)


GPO is made up of two parts

Group Policy Container (GPC)

GPO attributes

Extensions

Version information

Group Policy Template (GPT)

Collection of folders

Stored on each Windows Server 2003 domain controller

Introducing Group Policy (7)

(Skill 1)


Group Policy Container (GPC)

An Active Directory component that contains GPO attributes, extensions, and version information

Domain controllers use this information to make sure they are using the most recent version of the GPO and to apply permissions to the GPO

For each GPO, there is a GPC container stored in the System\Policies folder in the Active Directory Users and Computers console

Each GPC container is identified by the Globally Unique Identifier (GUID) for the GPO

Introducing Group Policy (8)

(Skill 1)


Figure 9-2 GPC containers in the Active Directory Users and Computers console

(Skill 1)


Group Policy Template (GPT)

A collection of folders stored on each Windows Server 2003 domain controller in the folder %Systemroot%\SYSVOL\sysvol\<domain_name>\Policies

For each GPO, a folder hierarchy composed of the physical files and settings required by the GPO is automatically created

These settings are applied to the Windows 2000, Windows Server 2003, and Windows XP clients on a network

Introducing Group Policy (9)

(Skill 1)


Group Policy Template (GPT)

Contains all of the Registry entries, as well as the associated files and folders required to implement the various GPO functions

Like the GPC container, the GPT folder is identified by the GUID for the GPO

Introducing Group Policy (10)

(Skill 1)


Figure 9-3 The Add Standalone Snap-in dialog box

(Skill 1)


Figure 9-4 The Group Policy Wizard

(Skill 1)


Figure 9-5 The Add/Remove Snap-in dialog box

(Skill 1)


Figure 9-6 Configuring Local Computer Policy

(Skill 1)


Group Policy settings are divided into two categories

Computer Configuration settings

These settings refer to Group Policies that apply to computers, regardless of what user logs on

These settings apply to a computer during the initialization of the operating system

User Configuration settings

These settings refer to Group Policies for users, regardless of what computer the users log on to

These settings apply at user logon

Introducing the Types of Group Policy Settings and the GPMC

(Skill 2)


Both Computer Configuration settings and User Configuration settings contain three main containers that include a number of related policies

Software Settings

Windows Settings

Administrative Templates

Introducing the Types of Group Policy Settings and the GPMC (2)

(Skill 2)


Figure 9-7 The three main categories of User Configuration and Computer Configuration Group Policy

(Skill 2)


Software Settings

This configuration setting node is used to determine the applications distributed to computers or users via a GPO

You use Software Settings to assign applications to computers or to assign or publish applications to users

If you use the Computer Configuration node to assign an application to a computer, the application appears on the Start menu for all computers in the domain, site, or OU

Introducing the Types of Group Policy Settings and the GPMC (3)

(Skill 2)


Software Settings

If you publish an application to users, it appears in the Add/Remove Programs Wizard for all users in the domain, site, or OU

If you assign an application to users using the User Configuration node

It displays on the Start menu for all users in the site, domain, or OU

It does not install until the user invokes it

This functionality is called “advertising”

Introducing the Types of Group Policy Settings and the GPMC (4)

(Skill 2)


Figure 9-8 Software installation

(Skill 2)


Windows Settings

In the Computer Configuration node, the Windows Settings node contains the Scripts and Security Settings extensions

Scripts extension: Used to specify startup and shutdown scripts for computers, as well as logon and logoff scripts for users on a network

Security Settings extension: Used by administrators to configure security settings for the local computer or for a GPO

Introducing the Types of Group Policy Settings and the GPMC (5)

(Skill 2)


Figure 9-9 Scripts

(Skill 2)


Windows Settings

In the User Configuration node, the Windows Settings node has five folders

Remote Installation Services

Scripts

Security Settings

Internet Explorer Maintenance

Folder Redirection

Introducing the Types of Group Policy Settings and the GPMC (6)

(Skill 2)


Windows Settings

Remote Installation Services Group Policies control the RIS installation options available to the user when the Client Installation Wizard is initiated

Folder Redirection Group Policies relocate special folders, such as My Documents, Start Menu, or Desktop

You can redirect these folders from their default locations in a user profile to alternate locations

Introducing the Types of Group Policy Settings and the GPMC (7)

(Skill 2)


Figure 9-10 Types of Folder Redirection policies

(Skill 2)


Administrative Templates

Contains all Registry-based Group Policy settings, including settings for Windows Components, System, and Network

Group Policy settings for Printers are available only in the Computer Configuration container

Other settings, including Start Menu and Taskbar, Desktop, Control Panel, and Shared Folders are available only in the User Configuration container

Introducing the Types of Group Policy Settings and the GPMC (8)

(Skill 2)


Figure 9-11 Types of Administrative Templates policies

(Skill 2)


Group Policy Management Console (GPMC)

Comprehensive tool for Group Policy administration for Windows 2000 and Windows Server 2003 domains

Provides administrators with the ability to back up, restore, import, and copy/paste GPOs, as well as to create, delete, and rename them

Use it to link GPOs and search for GPOs

Use it to delegate Group Policy-related features and for policy-related permissions for sites, domains, and OUs

Introducing the Types of Group Policy Settings and the GPMC (9)

(Skill 2)


Figure 9-12 Group Policy Objects in the GPMC

(Skill 2)


GPMC installation requirements

Requires Windows Server 2003 or Windows XP Service Pack 1 or above computers

To run the tool on Windows XP Service Pack 1 or above computers, you must also install the QFE update Q326469 and the Microsoft .NET Framework

The domain controllers must all be running Windows 2000 Service Pack 2 or later

Introducing the Types of Group Policy Settings and the GPMC (10)

(Skill 2)


GPMC requirements for domain controllers

GPMC requires that all LDAP communications be signed and encrypted

To access domain controllers in an external forest, they must be running Windows 2000 Service Pack 3 or later

If you want to access domain controllers in an external forest that are not yet running Service Pack 3 or later, edit the Registry on the computer running GPMC to relax LDAP signing and encryption requirements

Introducing the Types of Group Policy Settings and the GPMC (11)

(Skill 2)


System Policies

Used in Windows 9.x and Windows NT to change Registry settings and to control the user environment

Still useful for managing Windows 9x and NT computers

Windows 9.x: you can run the Poledit.exe version on the Windows 98 installation CD to create config.pol files

Windows NT 4.0 Workstation or Server: use the Windows NT System Policy Editor or the Poledit.exe included with Windows Server 2003 to create config.pol files

Introducing the Types of Group Policy Settings and the GPMC (12)

(Skill 2)


System Policies

System Policy Editor (Poledit.exe) has been mostly replaced by Group Policy in Windows 2000 and Windows Server 2003

If you create policy settings with the Windows Server 2003 version, you cannot edit them using the Windows NT 4.0 version

Introducing the Types of Group Policy Settings and the GPMC (13)

(Skill 2)


Figure 9-13 The System Policy Editor

(Skill 2)


Each of the Group Policy Object Editor extensions is an MMC snap-in extension itself

All Group Policy setting folders are loaded by default when Group Policy Object Editor is started

You can create custom consoles for each of these extensions

Use the Microsoft Management Console folder in the User Configuration\Administrative Templates container in the Group Policy Object Editor to apply these policies

Introducing the Types of Group Policy Settings and the GPMC (14)

(Skill 2)


Figure 9-14 The Microsoft Management Console folder

(Skill 2)


The role of a Group Policy begins when a computer starts up or when a user logs on

During startup and logon, both Computer Configuration and User Configuration settings are applied in a specific sequence

Identifying the Role of a Group Policy at Startup and Logon

(Skill 3)


Figure 9-15 The sequence in which Computer Configuration and User Configuration settings are applied

(Skill 3)


Every computer has one GPO that is stored locally

This local Group Policy Object (LGPO) is applied first

The processing sequence becomes very important when dealing with multiple policies

If there are no conflicts between the policies, all settings from all of the policies apply

However, if a conflict occurs, the policy applied last wins

Identifying the Role of a Group Policy at Startup and Logon (2)

(Skill 3)


Sequence in which Group Policy settings are processed

Local GPO

Site GPOs

Domain GPOs

OU GPOs (LSDOU)

Identifying the Role of a Group Policy at Startup and Logon (3)

(Skill 3)


If more than one GPO is linked

The policies are processed in reverse order for each individual container

This is done so that the policy that is considered to be the most important is displayed at the top of the list of all GPOs applied to a particular container

Identifying the Role of a Group Policy at Startup and Logon (4)

(Skill 3)


Like files and folders, Group Policies are also inherited from parent containers to child containers

You can specifically set a separate Group Policy setting for a child container to override the settings it inherits from its parent container

It is extremely important to note that like OU structures, Group Policies do not flow between domains

Identifying the Role of a Group Policy at Startup and Logon (5)

(Skill 3)


Group Policy applied to a parent domain

Does not apply to its child domain or domains

The only container that can apply Group Policies to multiple domains is the site container

Group Policy applied to a site

Affects all users and computers in the site, regardless of domain

For this reason, you must be an Enterprise Admin in order to apply a Group Policy to a site

Identifying the Role of a Group Policy at Startup and Logon (6)

(Skill 3)


Exceptions to the order in which GPOs are processed

If a computer belongs to a workgroup, it processes only local GPOs

You can modify the default behavior using the Block Inheritance option, but this can make GPO administration more complicated and it should be used sparingly

You can block inheritance for GPO links for an entire domain, for all domain controllers, or for an OU

Identifying the Role of a Group Policy at Startup and Logon (7)

(Skill 3)


(Skill 3)

Figure 9-16 Blocking Inheritance for the GPO links for all domain controllers


Exceptions to the order in which GPOs are processed

The default order for processing Group Policy settings is also affected when you set the GPO link to Enforced

Policy settings in the GPO link take precedence over child object settings

Gives the parent GPO link precedence so that the default behavior does not apply (formerly called the No Override option)

GPO administration is more complex

GPOs cannot have their inheritance blocked

Identifying the Role of a Group Policy at Startup and Logon (8)

(Skill 3)


Figure 9-17 The Enforced setting

(Skill 3)

Exceptions to the order in which GPOs are processed

If the Block Inheritance option is set for a domain or OU

The GPOs above that point in the structure do not affect users or computers in that structure; they are blocked

If there is a conflict between Enforced and Block Inheritance, Enforced always wins

Identifying the Role of a Group Policy at Startup and Logon (9)

(Skill 3)

Exceptions to the order in which GPOs are processed

You can disable a GPO link to block that GPO from being applied for the selected site, domain, or OU

Disables the GPO only for the selected container object; it does not disable the GPO itself

If the GPO is linked to other sites, domains, or OUs, they continue to process the GPO as long as their links are enabled

Processing is enabled for all GPO links by default

To disable a GPO link, right-click it and select the Link Enabled command (a check mark indicates it is enabled)

Identifying the Role of a Group Policy at Startup and Logon (10)

(Skill 3)

Figure 9-18 The Link Enabled command

(Skill 3)

Exceptions to the order in which GPOs are processed

When GPOs are linked to the same container, policies are evaluated based on the link order set on the Linked Group Policy Objects tab for the container object

The policy settings in the GPO with the lowest link order (Link Order 1) are processed last

Link Order 1 has the highest precedence and is used to settle a conflict

Use the arrow buttons to change the link order

Identifying the Role of a Group Policy at Startup and Logon (11)

(Skill 3)
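
The precedence rules from the preceding slides (link order, disabled links, Block Inheritance, Enforced), modeled as an added Python example that is not part of the original slides. The container and GPO names are constructed, and the relative order of several Enforced links (the one highest in the hierarchy is applied last) is Windows behavior the slides do not spell out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int               # link order on the container; 1 = highest precedence
    enabled: bool = True     # the "Link Enabled" check mark
    enforced: bool = False   # "Enforced" (formerly No Override)

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(path):
    """Return GPO names in the order they are applied; the last one wins a conflict.

    `path` lists containers from the site down to the object's own OU.
    """
    # Non-enforced links above the lowest container with Block Inheritance are dropped.
    blocked_above = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        # Highest link-order number first, so Link Order 1 is processed last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled:
                continue  # disabled link: skipped for this container only
            if link.enforced:
                enforced.append((depth, link.gpo))  # Enforced beats Block Inheritance
            elif depth >= blocked_above:
                normal.append(link.gpo)
    # Enforced links are applied after all others, deepest container first, so the
    # enforced link nearest the top of the hierarchy is applied last (assumption
    # noted in the lead-in). The sort is stable, keeping link order within a container.
    enforced.sort(key=lambda item: -item[0])
    return normal + [gpo for _, gpo in enforced]

# Constructed sample hierarchy; every name below is hypothetical.
SAMPLE_PATH = [
    Container("Site: HQ", [Link("Site Proxy", 1)]),
    Container("Domain: example.local", [
        Link("Default Domain Policy", 2),
        Link("Security Baseline", 1, enforced=True),
    ]),
    Container("OU: Kiosks", [
        Link("Kiosk Desktop", 1),
        Link("Kiosk Legacy", 2),
        Link("Old Pilot", 3, enabled=False),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for step, gpo in enumerate(processing_order(SAMPLE_PATH), 1):
        print(step, gpo)
```

With Block Inheritance set on the OU, the site and domain links drop out but the enforced Security Baseline link still applies last, which is the property to check when auditing whether a delegated OU administrator can opt out of a domain-wide security policy.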

Exceptions to the order in which GPOs are processed

Group Policies are never applied to Windows NT, 95, 98, or Windows Me computers

Identifying the Role of a Group Policy at Startup and Logon (12)

(Skill 3)

User Group Policy loopback processing mode

This policy is referred to as the loopback feature

Takes effect when both the user account and the computer account are members of a Windows 2000 or later domain

You can configure loopback so that the User Configuration settings in GPOs are applied to every user logging on to that computer

Identifying the Role of a Group Policy at Startup and Logon (13)

(Skill 3)

Figure 9-19 The User Group Policy loopback processing mode policy

(Skill 3)

User Group Policy loopback processing mode

In Merge mode, the Computer Configuration GPO settings are appended to the default list of GPOs

In Replace mode, the User Configuration GPO settings are completely replaced by the Computer Configuration GPO settings

Identifying the Role of a Group Policy at Startup and Logon (14)

(Skill 3)

Figure 9-20 Merge or Replace mode

(Skill 3)

After you decide on a Group Policy setting design, you devise a Group Policy implementation strategy

Factors to consider

Location of GPOs

Delegation of authority

Organization structure

Planning a Group Policy Implementation

(Skill 4)

Types of Group Policy implementation strategies

Centralized GPO design

An organization’s network is maintained by a small number of large GPOs

Decentralized GPO design

Uses separate GPOs for specific policy settings

Planning a Group Policy Implementation (2)

(Skill 4)

Types of Group Policy implementation strategies

Functional Role (or Team Design)

Group Policies are applied according to the functional roles of users

Steps to implement this strategy

Create an OU structure that corresponds to the actual team structure of your organization

Create a customized GPO for each OU that is tailored to the needs of the OU

Planning a Group Policy Implementation (3)

(Skill 4)

Types of Group Policy implementation strategies

Delegation with Central Control Design or Distributed Control Design

Based on delegating administrative control over OUs to various administrators in an organization

When you implement this strategy, you maintain centralized control while distributing managerial control to a number of OU administrators

Planning a Group Policy Implementation (4)

(Skill 4)

Regardless of which approach (or combination) you choose, it is important to try to avoid using certain tools and options

Enforced and Block Inheritance options

Filtering

Troubleshooting GPOs can be very difficult when these tools are used

Planning a Group Policy Implementation (5)

(Skill 4)

When you install Active Directory on your network, two GPOs are created automatically

Default Domain Policy, which is linked to the domain

Default Domain Controllers Policy, which is linked to the Domain Controllers OU

You can use these policies to assign standard settings to the domain and the domain controllers in a domain, respectively

Creating a Group Policy Object

(Skill 5)

GPOs can be linked to sites, domains, and OUs

To link a GPO to a site, use the Active Directory Sites and Services console or the GPMC

To link GPOs to domains and OUs, use either the Active Directory Users and Computers console or the GPMC

Creating a Group Policy Object (2)

(Skill 5)

You can create a stand-alone GPO console for a GPO and access it directly from the All Programs/Administrative Tools menu

Steps to create a GPO console

1. Open the Add Standalone Snap-in dialog box from an MMC console

2. Select Group Policy Object Editor from the list of available snap-ins

Creating a Group Policy Object (3)

(Skill 5)

Steps to create a GPO console

3. Click the Browse button in the Group Policy Wizard

4. In the Browse for a Group Policy Object dialog box, select the GPO for which you want to create a console

The selected GPO name is added to the Group Policy Object text box on the Select Group Policy Object screen in the wizard

5. From the File menu, save the console for the GPO to make it available on the All Programs/Administrative Tools menu

Creating a Group Policy Object (4)

(Skill 5)

Figure 9-21 Creating a GPO

(Skill 5)

Figure 9-22 The New GPO dialog box

(Skill 5)

Figure 9-23 New Group Policy Object in a domain

(Skill 5)

Assign permissions to delegate administrative control over a GPO on the Delegation tab in the GPMC

There are three standard permissions you can assign to a GPO

However, five permission levels display on the Delegation tab

Each of these permission levels represents a combination of Active Directory permissions

Delegating Control for a Group Policy Object

(Skill 6)

To delegate permissions for a GPO, you must have the Edit settings, delete, and modify security permission for the GPO

To view the permissions for groups with custom permissions or to set custom permissions, click the Advanced button to open the ACL Editor for the GPO (<GPO_name> Security Settings dialog box)

Delegating Control for a Group Policy Object (2)

(Skill 6)

You must assign the Edit settings, delete, and modify security permission to at least one group or user for each GPO

If there is only one user or group with this permission level, you cannot remove this user or group

Permissions inherited from parent containers cannot be removed

Delegating Control for a Group Policy Object (3)

(Skill 6)

To change the permissions assigned to a user or group

Right-click the user or group in the Groups and users box

Select from the three standard permissions on the context menu

You can also use the Remove command to remove a user or group from the Groups and users box

Delegating Control for a Group Policy Object (4)

(Skill 6)

Figure 9-24 Setting GPO permissions

(Skill 6)

Figure 9-25 The Delegation tab in the GPMC

(Skill 6)