View
217
Download
1
Tags:
Embed Size (px)
Citation preview
9.1 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Goals Introduce Group Policy
Introduce the types of Group Policy settings and the GPMC
Identify the role of a Group Policy at startup and logon
Plan a Group Policy implementation
Create a Group Policy Object
Delegate control for a Group Policy Object
9.2 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
An administrator must monitor user and computer settings regularly to make sure that they conform to the corporate standards
Group Policy is the primary Active Directory tool used by administrators to set the standard behavior for users’ desktops and to enforce those requirements
(Skill 1)
Introducing Group Policy
9.3 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Using Group Policies
Administrators define the work environment settings once
The settings are applicable regardless of the user’s location
Administrators can apply GPOs to various Active Directory containers to implement rules at various levels
To do this, you simply link the GPO to one of these containers
Introducing Group Policy (2)
(Skill 1)
9.4 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy is also referred to as a Group Policy Object (GPO)
A GPO is a storage place for a collection of Group Policy settings that enable an administrator to control various aspects of the computing environment
All Group Policy settings are stored in a GPO along with the properties associated with the objects in the Active Directory store
Introducing Group Policy (3)
(Skill 1)
9.5 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Policy settings for sites, domains, and organizational units are stored in GPOs
To create a GPO for a domain or an OU
Use the Active Directory Users and Computers console
Use the Group Policy Management Console (GPMC)
Introducing Group Policy (4)
(Skill 1)
9.6 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
To create a GPO for a site
Use the Active Directory Sites and Services console
Use the Group Policy Management Console (GPMC), which combines the functionality of various consoles
Active Directory Users and Computers
Active Directory Sites and Services
ACL Editor
Delegation Wizard
Resultant Set of Policy tool
Introducing Group Policy (5)
(Skill 1)
9.7 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-1 Download the GPMC
(Skill 1)
9.8 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Two types of GPOs
Local GPOs are stored on each Windows Server 2003 computer
Active Directory-based GPOs
Are stored on a domain controller in the Active Directory environment
Are replicated to all domain controllers in the domain
Introducing Group Policy (6)
(Skill 1)
9.9 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
GPO is made up of two parts
Group Policy Container (GPC)
GPO attributes
Extensions
Version information
Group Policy Template (GPT)
Collection of folders
Stored on each Windows Server 2003 domain controller
Introducing Group Policy (7)
(Skill 1)
9.10 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy Container (GPC)
An Active Directory component that contains GPO attributes, extensions, and version information
Domain controllers use this information to make sure they are using the most recent version of the GPO and to apply permissions to the GPO
For each GPO, there is a GPC container stored in the System\Policies folder in the Active Directory Users and Computers console
Each GPC container is identified by the Globally Unique Identifier (GUID) for the GPO
Introducing Group Policy (8)
(Skill 1)
9.11 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-2 GPC containers in the Active Directory Users and Computers console
(Skill 1)
9.12 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy Template (GPT)
A collection of folders stored on each Windows Server 2003 domain controller in the folder %Systemroot%\SYSVOL\sysvol\<domain_name>\Policies
For each GPO, a folder hierarchy composed of the physical files and settings required by the GPO is automatically created
These settings are applied to the Windows 2000, Windows Server 2003, and Windows XP clients on a network
Introducing Group Policy (9)
(Skill 1)
9.13 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy Template (GPT)
Contains all of the Registry entries, as well as the associated files and folder required to implement the various GPO functions
Like the GPC container, the GPT folder is identified by the GUID for the GPO
Introducing Group Policy (10)
(Skill 1)
9.14 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-3 The Add Standalone Snap-in dialog box
(Skill 1)
9.15 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-4 The Group Policy Wizard
(Skill 1)
9.16 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-5 The Add/Remove Snap-in dialog box
(Skill 1)
9.17 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-6 Configuring Local Computer Policy
(Skill 1)
9.18 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy settings are divided into two categories
Computer Configuration settingsThese settings refer to Group Policies that apply to
computers, regardless of what user logs on
These settings apply to a computer during the initialization of the operating system
User Configuration settingsThese settings refer to Group Policies for users,
regardless of what computer the users log on to
These settings apply at user logon
Introducing the Types of Group Policy Settings and the GPMC
(Skill 2)
9.19 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Both Computer Configuration settings and User Configuration settings contain three main containers that include a number of related policies
Software Settings
Windows Settings
Administrative Templates
Introducing the Types of Group Policy Settings and the GPMC (2)
(Skill 2)
9.20 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-7 The three main categories of User Configurationand Computer Configuration Group Policy
(Skill 2)
9.21 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Software Settings
This configuration setting node is used to determine the applications distributed to computers or users via a GPO
You use Software Settings to assign applications to computers or to assign or publish applications to users
If you use the Computer Configuration node to assign an application to a computer, the application appears on the Start menu for all computers in the domain, site, or OU
Introducing the Types of Group Policy Settings and the GPMC (3)
(Skill 2)
9.22 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Software Settings
If you publish an application to users, it appears in the Add/Remove Programs Wizard for all users in the domain, site, or OU
If you assign an application to users using the User Configuration nodeIt displays on the Start menu for all users in the site,
domain, or OU
It does not install until the user invokes it
This functionality is called “advertising”
Introducing the Types of Group Policy Settings and the GPMC (4)
(Skill 2)
9.23 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-8 Software installation
(Skill 2)
9.24 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Windows Settings
In the Computer Configuration node, the Windows Settings node contains the Scripts and Security Settings extensions
Scripts extension: Used to specify startup and shutdown scripts for computers, as well as logon and logoff scripts for users on a network
Security Settings extension: Used by administrators to configure security settings for the local computer or for a GPO
Introducing the Types of Group Policy Settings and the GPMC (5)
(Skill 2)
9.25 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-9 Scripts
(Skill 2)
9.26 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Windows Settings
In the User Configuration node, the Windows Settings node has five folders
Remote Installation Services
Scripts
Security Settings
Internet Explorer Maintenance
Folder Redirection
Introducing the Types of Group Policy Settings and the GPMC (6)
(Skill 2)
9.27 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Windows Settings
Remote Installation Services Group Policies control the RIS installation options available to the user when the Client Installation Wizard is initiated
Folder Redirection Group Policies relocate special folders, such as My Documents, Start Menu, or Desktop
You can redirect these folders from their default locations in a user profile to alternate locations
Introducing the Types of Group Policy Settings and the GPMC (7)
(Skill 2)
9.28 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-10 Types of Folder Redirection policies
(Skill 2)
9.29 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Administrative Templates
Contains all Registry-based Group Policy settings, including settings for Windows Components, System, and Network
Group Policy settings for Printers are available only in the Computer Configuration container
Other settings, including Start Menu and Taskbar, Desktop, Control Panel, and Shared Folders are available only in the User Configuration container
Introducing the Types of Group Policy Settings and the GPMC (8)
(Skill 2)
9.30 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-11 Types of Administrative Templates policies
(Skill 2)
9.31 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy Management Console (GPMC)
Comprehensive tool for Group Policy administration for Windows 2000 and Windows Server 2003 domains
Provides administrators with the ability to backup, restore, import, and copy/paste GPOs, as well as to create, delete, and rename them
Use it to link GPOs and search for GPOs
Use it to delegate Group Policy-related features and for policy-related permission for sites, domains, and OUs
Introducing the Types of Group Policy Settings and the GPMC (9)
(Skill 2)
9.32 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-12 Group Policy Objects in the GPMC
(Skill 2)
9.33 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
GPMC installation requirements
Requires Windows Server 2003 or Windows XP Service Pack 1 or above computers
To run the tool on Windows XP Service pack 1 or above computers, you must also install the QFE update Q326469 and the Microsoft .NET Framework
The domain controllers must all be running Windows 2000 Service Pack 2 or later
Introducing the Types of Group Policy Settings and the GPMC (10)
(Skill 2)
9.34 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
GPMC requirements for domain controllers
GPMC requires that all LDAP communications be signed and encrypted
To access domain controllers in an external forest, they must be running Windows 2000 Service Pack 3 or later
If you want to access domain controllers in an external forest that are not yet running Service Pack 3 or later, edit the Registry on the computer running GPMC to relax LDAP signing and encryption requirements
Introducing the Types of Group Policy Settings and the GPMC (11)
(Skill 2)
9.35 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
System Policies
Used in Windows 9.x and Windows NT to change Registry settings and to control the user environment
Still useful for managing Windows 9x and NT computers
Windows 9.x: you can run the Poledit.exe version on the Windows 98 installation CD to create config.pol files
Windows NT 4.0 Workstation or Server: use the Windows NT System Policy Editor or the Poledit.exe included with Windows Server 2003 to create config.pol files
Introducing the Types of Group Policy Settings and the GPMC (12)
(Skill 2)
9.36 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
System Policies
System Policy Editor (Poledit.exe) has been mostly replaced by Group Policy in Windows 2000 and Windows Server 2003
If you create policy settings with Windows Server 2003 version, you cannot edit them using the Windows NT 4.0 version
Introducing the Types of Group Policy Settings and the GPMC (13)
(Skill 2)
9.37 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-13 The System Policy Editor
(Skill 2)
9.38 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Each of the Group Policy Object Editor extensions is a MMC snap-in extension itself
All Group Policy setting folders are loaded by default when Group Policy Object Editor is started
You can create custom consoles for each of these extensions
Use the Microsoft Management Console folder in the User Configuration\Administrative Templates container in the Group Policy Object Editor to apply these policies
Introducing the Types of Group Policy Settings and the GPMC (14)
(Skill 2)
9.39 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-14 The Microsoft Management Console folder
(Skill 2)
9.40 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
The role of a Group Policy begins when a computer starts up or when a user logs on
During startup and logon, both Computer Configuration and User Configuration settings are applied in a specific sequence
Identifying the Role of a Group Policy at Startup and Logon
(Skill 3)
9.41 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-15 The sequence in which Computer Configuration and User Configuration settings
are applied
(Skill 3)
9.42 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Every computer has one GPO that is stored locally
This local Group Policy Object (LPGO) is applied first
The processing sequence becomes very important when dealing with multiple policies
If there are no conflicts between the policies, all settings from all of the policies apply
However, if a conflict occurs the policy to apply last wins
Identifying the Role of a Group Policy at Startup and Logon (2)
(Skill 3)
9.43 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Sequence in which Group Policy settings are processed Local GPO
Site GPOs
Domain GPOs
OU GPOs (LSDOU)
Identifying the Role of a Group Policy at Startup and Logon (3)
(Skill 3)
9.44 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
If more than one GPO is linked
The policies are processed in reverse order for each individual container
This is done so that the policy that is considered to be the most important is displayed at the top of the list of all GPOs applied to a particular container
Identifying the Role of a Group Policy at Startup and Logon (4)
(Skill 3)
9.45 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Like files and folders, Group Policies are also inherited from parent containers to child containers
You can specifically set a separate Group Policy setting for a child container to override the settings it inherits from its parent container
It is extremely important to note that like OU structures, Group Policies do not flow between domains
Identifying the Role of a Group Policy at Startup and Logon (5)
(Skill 3)
9.46 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Group Policy applied to a parent domain
Does not apply to its child domain or domains
The only container that can apply Group Policies to multiple domains is the site container
Group Policy applied to a site
Affects all users and computers in the site, regardless of domain
For this reason, you must be an Enterprise Admin in order to apply a Group Policy to a site
Identifying the Role of a Group Policy at Startup and Logon (6)
(Skill 3)
9.47 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
If a computer belongs to a workgroup, it processes only local GPOs
You can modify the default behavior using the Block Inheritance option, but this can make GPO administration more complicated and it should be used sparingly
You can block inheritance for GPO links for an entire domain, for all domain controllers, or for an OU
Identifying the Role of a Group Policy at Startup and Logon (7)
(Skill 3)
9.48 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy (Skill 3)
Figure 9-16 Blocking Inheritance for the GPO links for all domain controllers
9.49 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
The default order for processing Group policy settings is also affected when you set the GPO link to Enforced
Policy settings in the GPO link take precedence over child object settings
Gives the parent GPO link precedence so that the default behavior does not apply (formerly called the No Override option)
GPO administration is more complex
GPOs cannot have their inheritance blocked
Identifying the Role of a Group Policy at Startup and Logon (8)
(Skill 3)
9.50 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-17 The Enforced setting
(Skill 3)
9.51 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
If Block Inheritance option is set for a domain or OU
The GPOs above that point in the structure do not affect users or computers in that structure; they are blocked
If there is a conflict between Enforced and Block Inheritance, Enforced always wins
Identifying the Role of a Group Policy at Startup and Logon (9)
(Skill 3)
9.52 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
You can disable a GPO link to block that GPO from being applied for the selected site, domain, or OU
Disables the GPO only for the selected container object; it does not disable the GPO itself
If the GPO is linked to other sites, domains, or OUs, they continue to process the GPO as long as their links are enabled
Processing is enabled for all GPO links by default
To disable a GPO link, right-click it and select the Link Enabled command (a check mark indicates it is enabled)
Identifying the Role of a Group Policy at Startup and Logon (10)
(Skill 3)
9.53 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-18 The Link Enabled command
(Skill 3)
9.54 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
When GPOs are linked to the same container, policies are evaluated based on the link order set on the Linked Group Policy Objects tab for the container object
The policy settings in the GPO with the lowest link order (Link Order 1) are processed last
Link Order 1 has the highest precedence and is used to settle a conflict
Use the arrow buttons to change the link order
Identifying the Role of a Group Policy at Startup and Logon (11)
(Skill 3)
9.55 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Exceptions to the order in which GPOs are processed
Group Policies are never applied to Windows NT, 95, 98, or Windows Me computers
Identifying the Role of a Group Policy at Startup and Logon (12)
(Skill 3)
9.56 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
User Group Policy loopback processing mode
This policy is referred to as the loopback feature
Enforced when both the user account and the computer account are members of a Windows 2000 or later domain
You can configure loopback so that the User Configuration settings in GPOs are applied to every user logging on to that computer
Identifying the Role of a Group Policy at Startup and Logon (13)
(Skill 3)
9.57 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-19 The User Group Policy loopback processing mode policy
(Skill 3)
9.58 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
User Group Policy loopback processing mode
In Merge mode, the Computer Configuration GPO settings are appended to the default list of GPOs
In Replace mode, the User Configuration GPO settings are completely replaced by the Computer Configuration GPO settings
Identifying the Role of a Group Policy at Startup and Logon (14)
(Skill 3)
9.59 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-20 Merge or Replace mode
(Skill 3)
9.60 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
After you decide on a Group Policy setting design, you devise a Group Policy implementation strategy
Factors to consider
Location of GPOs
Delegation of authority
Organization structure
Planning a Group Policy Implementation
(Skill 4)
9.61 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Types of Group Policy implementation strategies
Centralized GPO design
An organization’s network is maintained by a small number of large GPOs
Decentralized GPO design
Uses separate GPOs for specific policy settings
Planning a Group Policy Implementation (2)
(Skill 4)
9.62 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Types of Group Policy implementation strategies
Functional Role (or Team Design)
Functional roles of users are considered to apply Group Policies
Steps to implement this strategy
Create an OU structure that corresponds to the actual team structure of your organization
Create a customized GPO for each OU that is tailored to the needs of the OU
Planning a Group Policy Implementation (3)
(Skill 4)
9.63 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Types of Group Policy implementation strategies
Delegation with Central Control Design or Distributed Control Design
Based on delegating administrative control over OUs to various administrators in an organization
When you implement this strategy, you maintain centralized control while distributing managerial control to a number of OU administrators
Planning a Group Policy Implementation (4)
(Skill 4)
9.64 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Regardless of which approach (or combination) you choose, it is important to try to avoid using certain tools and options
Enforced and Block Inheritance options
Filtering
Troubleshooting GPOs can be very difficult when these tools are used
Planning a Group Policy Implementation (5)
(Skill 4)
9.65 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
When you install Active Directory on your network, two GPOs are created automatically
Default Domain Policy, which is linked to the domain
Default Domain Controllers Policy, which is linked to the Domain Controllers OU
You can use these policies to assign standard settings to the domain and the domain controllers in a domain, respectively
Creating a Group Policy Object
(Skill 5)
9.66 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
GPOs can be linked to sites, domains, and OUs
To link a GPO to a site, use the Active Directory Sites and Services console or the GPMC
To link GPOs to domains and OUs, use either the Active Directory Users and Computers console or the GPMC
Creating a Group Policy Object (2)
(Skill 5)
9.67 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
You can create a stand-alone GPO console for a GPO and access it directly from the All Programs/Administrative Tools menu
Steps to create a GPO console
1. Open Add Standalone Snap-in dialog box from an MMC console
2. Select Group Policy Object Editor from the list of available snap-ins
Creating a Group Policy Object (3)
(Skill 5)
9.68 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Steps to create a GPO console
3. Click the Browse button in the Group Policy Wizard
4. In the Browse for a Group Policy Object dialog box, select the GPO for which you want to create a console
The selected GPO name is added to the Group Policy Object text box on the Select Group Policy Object screen in the wizard
3. From the File menu, save the console for the GPO to make it available on the All Programs/Administrative Tools menu
Creating a Group Policy Object (4)
(Skill 5)
9.69 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-21 Creating a GPO
(Skill 5)
9.70 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-22 The New GPO dialog box
(Skill 5)
9.71 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-23 New Group Policy Object in a domain
(Skill 5)
9.72 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Assign permissions to delegate administrative control over a GPO on the Delegation tab in the GPMC
There are three standard permissions you can assign to a GPO
However, five permission levels display on the Delegation tab
Each of these permission levels represents a combination of Active Directory permissions
Delegating Control for a Group Policy Object
(Skill 6)
9.73 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
To delegate permissions for a GPO, you must have the Edit settings, delete, and modify security permission for the GPO
To view the permissions for groups with custom permissions or to set custom permissions, click the Advanced button to open the ACL Editor for the GPO (<GPO_name> Security Settings dialog box)
Delegating Control for a Group Policy Object (2)
(Skill 6)
9.74 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
You must assign the Edit settings, delete, and modify security permission to at least one group or user for each GPO
If there is only one user or group with this permission level, you cannot remove this user or group
Permissions inherited from parent containers cannot be removed
Delegating Control for a Group Policy Object (3)
(Skill 6)
9.75 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
To change the permissions assigned to a user or group
Right-click the user or group in the Groups and users box
Select from the three standard permissions on the context menu
You can also use the Remove command to remove a user or group from the Groups and users box
Delegating Control for a Group Policy Object (4)
(Skill 6)
9.76 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-24 Setting GPO permissions
(Skill 6)
9.77 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Figure 9-25 The Delegation tab in the GPMC
(Skill 6)