1 / 18

Managing Group Policy Conflicts in Windows Server 2003

Learn about resolving conflicts, applying GPO settings, inheritance options, enforcing rules, loopback processing, WMI filters, slow link detection, and managing GPOs efficiently in an Active Directory environment.

annahoffman
Download Presentation

Managing Group Policy Conflicts in Windows Server 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Server 2003群組原則設定與管理 林寶森 jeffl@ms11.hinet.net

  2. What Happens When GPOs Conflict • How conflicts are resolved • All Group Policy Settings Apply Unless There Are Conflicts • The Last Setting Processed Applies • When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply • When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply • A Computer Setting Applies When It Conflicts with a User Setting • Options for modifying inheritance • No Override (Enforce) • Block Policy inheritance

  3. Domain Production GPOs Sales No GPO settings apply Blocking the Deployment of a GPO • Stops inheritance of all GPOs from all parent containers • Cannot selectively choose which GPOs are blocked • Cannot stop No Override

  4. Domain Production Conflicting GPO Settings No Override GPO Settings Sales Domain GPO settings apply Enabling No Override No Override: • Overrides Block Inheritance and GPO conflicts • Should be set high in the Active Directory tree • Is applicable to links and not to GPOs • Enforces corporate-wide rules

  5. How to Configure Group Policy Enforcement

  6. Enforced Conflicting Links Attributes of a GPO Link

  7. Domain Production GPO Sales Mengph Read and Apply Group Policy Allow Kimyo Apply Group Policy Deny Group Filtering the Deployment of a GPO

  8. What Is Loopback Processing?

  9. What Are WMI Filters? InstallOffice? 500 MB free disk space? WMI Filter Administrator GPO 10 GB 35 GB 400 MB 750 MB

  10. Example of WMI Query • Select * FROM Win32LogicalDisk WHERE (Name = “C:” OR Name = “D:” OR Name = “E:”) AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = “NTFS” • Note: • DriveType Value = 3 is a Hard Disk • 10MB = 10,485,760 bytes

  11. Controlling the Processing of Group Policy • Synchronous and Asynchronous Processing • By default, the processing of Group Policy is synchronous • You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users • Refreshing Group Policy at Established Intervals of: • 5 minutes for domain controllers • 90 minutes for member servers running Windows Server 2003 and for computers running Windows 2000 & XP Professional • Processing Unchanged Group Policy Settings • You can configure each client-side extension to process all applicable Group Policy settings

  12. Group Policy and Slow Network Connections • Group Policy Can Detect a Slow Link • Group Policy Uses an Algorithm to Determine Whether a Link Should Be Considered Slow • Default is 500 kbps • Group Policy Sets a Flag to Indicate a Slow Link to the Client-side Extensions • userenv.dll, dskquota.dll, fdeploy.dll, gptext.dll, appmgmts.dll, scecli.dll, iedkcs32.dll, etc.

  13. Default Settings for Slow Link Processing

  14. Why Specify a Domain Controller for Managing GPOs? • When You Create a New GPO or Edit an Existing GPO, by Default, the Domain Controller That Holds the PDC Emulator Role Performs the Operation • The Options Available to Specify a Domain Controller for Managing GPOs Include: • The one with the Operations Master token for the PDC emulator • The one used by the Active Directory snap-ins • Use any available domain controller • To Specify a Domain Controller for Managing Group Policy Objects: • Use the DC Options command on the View menu in the Group Policy snap-in • Enable a Group Policy setting that specifies which domain controller should be used

  15. Options Specifying a Domain Controller for Managing Group Policy Objects Choose a domain controller to avoid replication conflicts

  16. What Is Group Policy Modeling?

  17. What Is Group Policy Results?

  18. What Is Gpupdate and Gpresult? Syntax of gpupdate gpupdate [/Target:{Computer | User}] [/Force] [/Wait:Value] [/Logoff] [/Boot] [/Sync] Syntax of gpresult gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

More Related