Section 4: Understanding the Architecture of Group Policy Processing
Group Policy Components in AD DS
Understanding the Group Policy Processing Sequence
Modifying Group Policy Processing
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
Describe the Active Directory components that you can use to deploy Group Policy
Explain the order in which Group Policy is deployed in Active Directory
Describe the methods that are available to modify Group Policy processing
Group Policy Components in AD DS
The following AD DS components are an important part of Group Policy:
Sysvol Folder
PDC Emulator
Group Policy Container
Group Policy Template
GPO Versioning
File Replication Services
DFS-R
Sysvol Folder
The Sysvol folder is where GPOs and their corresponding support files are stored.
PDC Emulator
The PDC emulator is the domain controller that GPOs are created on before they are replicated to other domain controllers.
Group Policy Container
Using ADSI Edit, we can see the Group Policy Container inside the AD database.
Group Policy Template
The GPT is the folder inside Sysvol that actually stores the policy settings.
GPO Versioning
Following are some guidelines about GPO versioning:
Every time a change is made to a GPO, the version number in an INI file called Gpt.ini is incremented.
For computer changes to a GPO, the version number increments by 1.
A user change to a GPO increments by 65536.
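As an added example (not part of the course material), this Python snippet reads the Version value from a constructed Gpt.ini and splits it into the user and computer change counters described above; the comparison against the GPC version number is a Sysvol replication health check that the slides only imply, and the sample values are invented.

```python
import configparser

# Constructed Gpt.ini content (not from the course material): a GPO that has
# seen three user-side and three computer-side changes (3 * 65536 + 3).
GPT_INI_SAMPLE = """[General]
Version=196611
displayName=New Group Policy Object
"""

def gpt_version(ini_text: str) -> int:
    """Read the Version value from the [General] section of a Gpt.ini file."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getint("General", "Version")

def split_version(version: int) -> dict:
    """Split a GPO version into its two 16-bit halves: each user-side change
    adds 65536 (high half), each computer-side change adds 1 (low half)."""
    user, computer = divmod(version, 65536)
    return {"user": user, "computer": computer}

def versions_in_sync(gpc_version: int, gpt_version_value: int) -> bool:
    """The GPC (in AD) and the GPT (Gpt.ini in Sysvol) carry the same version
    once replication has converged; a lasting mismatch points at a Sysvol
    replication problem between domain controllers."""
    return gpc_version == gpt_version_value

if __name__ == "__main__":
    v = gpt_version(GPT_INI_SAMPLE)
    print(v, split_version(v), versions_in_sync(v, v))
```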
FRS Replication
The File Replication Service replicates the Sysvol directory structure separately from Active Directory replication.
Note: FRS is not utilized in a new Windows Server 2012 Domain installation. DFS-R is now the default.
DFS-R
DFS-R can be used to replicate the Sysvol structure instead of FRS
DFS-R is a Delta-based replication model that only replicates changes inside the files being replicated
To convert from FRS to DFS-R for Sysvol replication, follow the steps in the TechNet reference below:
http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx
New installations of a Windows Server 2012 Domain will already have DFS-R replication enabled
Understanding the Group Policy Processing Sequence
Group Policy is processed from the top down:
Local
Site
Domain
OU
The last policy applied wins.
Modifying Group Policy Processing
Using Group Policy Inheritance
Using Block Inheritance and Enforce options
Using Security Filtering
Implementing WMI Filters
Changing the GPO Link Order
Using Loopback Processing
Using Group Policy Inheritance
Group Policy inheritance allows you to apply corporate standards and customized settings for different groups of users. Guidelines for Group Policy inheritance include:
Define a corporate standard GPO containing settings that apply to a top-level OU.
Typically, GPOs are assigned to the OU structure instead of the domain or site, so child OUs can be used to control which settings are applied.
Using the Block Inheritance and Enforce Options
Most policies are set per OU.
A good OU structure makes policies easier to apply.
The Group Policy Enforce option prevents policies from being reversed at a lower level.
The Group Policy Block Inheritance option prevents higher level policies from being inherited.
The Enforce option always wins.
Using Security Filtering
By default, a GPO affects all users and computers contained in the linked site, domain, or OU. However, you can use security filtering on a GPO to modify its effects.
You can modify the permissions on the GPO to apply only to a specific user or to the members of a security group.
Using a security group filter on a GPO applied to an OU, you can control who should not have the settings applied.
You can use security filtering to exempt administrators from GPO processing.
Implementing WMI Filters
Using the WBEMTest Tool
The WBEMTest Query Result Dialog Box
Using PowerShell to Explore WMI
Creating a WMI Filter
Using the WBEMTest Tool
Use the WBEMTest tool to become familiar with the WMI structure.
WBEMTest Query Result Dialog Box
Viewing the instances exposes the properties within WMI.
Using PowerShell to Explore WMI (1)
PowerShell can also be used to explore the WMI repository.
Using PowerShell to Explore WMI (2)
Use PowerShell to enumerate the items in a WMI class.
Using PowerShell to Explore WMI (3)
Use PowerShell to test a WQL query for Group Policy.
This query returns results for Version 6.2.9200 and ProductType “2”, which is Windows Server 2012.
Creating a WMI Filter
This WMI filter returns only Windows 8 computers.
Changing the GPO Link Order
The link order in a policy at a specific level determines the order in which policies are processed.
The policy with the lowest link order number will be processed last.
Settings in the policy with the lowest link order number take precedence.
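The processing sequence (Local, Site, Domain, OU), the Block Inheritance and Enforce options, and the link order described above combine into a single precedence model. As an added example (not part of the course material), this Python simulation applies those rules to a constructed set of GPO links; the container names, GPO names and settings are invented.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict           # setting name -> value this GPO configures
    link_order: int = 1      # lowest number = highest precedence at its level
    enforced: bool = False

@dataclass
class Container:             # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_settings(local: dict, chain: list) -> tuple:
    """chain runs from the site down to the OU holding the computer or user.
    Returns (effective settings, GPO names in the order they were applied)."""
    # The deepest Block Inheritance cuts off non-enforced links above it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    order = [("Local GPO", local)]   # local policy is processed first
    for i, c in enumerate(chain):
        if i < cut:                  # blocked level: only Enforced links survive
            continue
        # Highest link-order number first, so the lowest number is applied last.
        for lk in sorted(c.links, key=lambda x: -x.link_order):
            if not lk.enforced:
                order.append((lk.gpo, lk.settings))
    # Enforced links are applied after everything else; an enforced link at a
    # higher level is applied last, so it wins over an enforced one below it.
    for c in reversed(chain):
        for lk in sorted(c.links, key=lambda x: -x.link_order):
            if lk.enforced:
                order.append((lk.gpo, lk.settings))
    result = {}
    for _, settings in order:
        result.update(settings)      # last applied wins
    return result, [name for name, _ in order]

# Constructed scenario (not from the course material): a kiosk OU that blocks
# inheritance, and a domain-level baseline that is Enforced.
DEMO_LOCAL = {"screensaver_timeout": 600}
DEMO_CHAIN = [
    Container("HQ-Site", [Link("Site-Standard", {"wallpaper": "site.jpg"})]),
    Container("corp.example (domain)", [
        Link("Corporate-Baseline", {"password_min_length": 14, "wallpaper": "corp.jpg"}, enforced=True),
        Link("Domain-Defaults", {"screensaver_timeout": 1200}),
    ]),
    Container("OU=Kiosks", [
        Link("Kiosk-Lockdown", {"screensaver_timeout": 60, "password_min_length": 8}, 1),
        Link("Kiosk-Apps", {"wallpaper": "apps.jpg", "screensaver_timeout": 300}, 2),
    ], block_inheritance=True),
]
```

Calling `resultant_settings(DEMO_LOCAL, DEMO_CHAIN)` shows the site and domain defaults dropped by Block Inheritance, Kiosk-Lockdown (link order 1) overriding Kiosk-Apps (link order 2), and the Enforced Corporate-Baseline winning the conflicting wallpaper and password settings.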
Using Loopback Processing
The User Group Policy loopback processing mode retains the User Configuration settings based upon the OU that the Computer is in and not the User.
This option can be very useful in environments such as classrooms, public kiosks, and reception areas.
Summary
Group Policy is based on the following components:
Sysvol folder: A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.
PDC emulator: A single domain controller per domain is assigned the role of a PDC emulator. This role is automatically assigned to the first domain controller in an Active Directory domain.
Summary (cont.)
Group Policy Container: Stores the policy setting information for a GPO. It stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.
Group Policy template: Stores the files that are created by the GPO in the Sysvol folder on the PDC emulator for each domain. It stores computer and user scripts, the GPO template files, and the Registry.pol files.
Summary (cont.)
Group Policy is deployed in the following order:
1. Local Group Policy settings
2. Site policies
3. Domain policies
4. OU policies
Summary (cont.)
The methods to modify Group Policy processing are:
Block Inheritance and Enforce Options: The Block Inheritance attribute prevents higher-level policies from being applied to lower levels.
Applied at higher levels of the policy architecture, the Enforce option ensures that certain policies cannot be overridden or blocked. This option is applied to an individual GPO.
Security Filtering: Sets the ACLs to prevent or allow policies from applying to specific users or groups.
Summary (cont.)
WMI Filters: Consist of a collection of one or more queries (conditions) written in WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.
GPO Link Order: Controls the order in which GPOs are applied within each domain, site, and OU.
Loopback Processing: Configures the user policy settings based on the computer location that the users log on to.
Knowledge Check
1. Which Active Directory component does the following text describe?
A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.
Sysvol folder
Knowledge Check (cont.)
2. What is the Group Policy deployment order?
Local
Site
Domain
OU
Knowledge Check (cont.)
3. Match each method used to modify Group Policy processing with its correct description.
Method                     Description
GPO Link Order             A. It prevents higher-level policies from being applied to lower levels.
Security Filtering         B. Controls the order in which GPOs are applied within each domain, site, or OU.
WMI Filters                C. Configures the user policy settings based on the computer location that the users log on to.
Block Inheritance Option   D. Consist of a collection of one or more queries (conditions) written in WQL.
Loopback Processing        E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.
Answers: GPO Link Order - B; Security Filtering - E; WMI Filters - D; Block Inheritance Option - A; Loopback Processing - C