Chapter 4 GROUP POLICY STRATEGY

OVERVIEW
• Describe how you might configure the user environment using Group Policy
• Understand how the computer environment can be configured by using Group Policy
• Use the Resultant Set of Policy (RSoP) tool planning mode to develop Group Policy strategy
• Troubleshoot the application of Group Policy security settings

OVERVIEW (CONTINUED)
• Use Group Policy to redirect special folders to alternative locations on the network
• Describe IntelliMirror and its benefits
• Describe Offline Files and Synchronization Manager
• Describe roaming profiles

REVIEWING GROUP POLICY COMPONENTS
• Group Policy enables you to manage user and computer configuration from a single, central point of administration.
• A Group Policy Object (GPO) is a collection of Group Policy settings.
• GPOs can be applied, or linked, to a computer, site, domain, or organizational unit (OU).

UNDERSTANDING GPOs
• Local GPOs
• Active Directory–based GPOs
• GPO storage
• Creating, linking, and editing GPOs

LOCAL GPOs
• Exist on every computer running Microsoft Windows 2000, Windows XP, or Windows Server 2003
• Stored in %Systemroot%\System32\GroupPolicy
• Can be applied only to that computer

ACTIVE DIRECTORY–BASED GPOs
• GPOs are stored in the Active Directory directory service.
• Two Active Directory GPOs are created by default:
  • Default Domain Policy
  • Default Domain Controllers Policy

GPO STORAGE
• GPOs have a corresponding object in Active Directory.
• Each policy is physically stored in %Systemroot%\Sysvol\Domain Name\Policies\GPO GUID\Adm.

CREATING GPOs

LINKING GPOs
• After creation, a GPO can be linked with one or more Active Directory objects.
• GPOs created for one type of object can be linked with objects of another type.
• More than one GPO can be linked to a single Active Directory object.

EDITING GPOs

EXPLORING GROUP POLICY SETTINGS
• Computer and User Configuration nodes
• Software Settings node
• Windows Settings node
• Administrative Templates node

COMPUTER CONFIGURATION AND USER CONFIGURATION NODES
Computer Configuration and User Configuration nodes:
• Define settings for installing software, configuring and securing the Windows operating system, and registry settings
• Are applied when the operating system starts up
• Are supported by Microsoft Windows XP Professional, Windows 2000, and Windows Server 2003

SOFTWARE SETTINGS NODE

WINDOWS SETTINGS NODE

ADMINISTRATIVE TEMPLATES NODE

UNDERSTANDING GPO APPLICATION

GROUP POLICY INHERITANCE
• If a Group Policy setting is configured for a parent OU, and the same policy setting is set to Not Configured for child OUs, the users and computers in the child OUs inherit the parent’s policy setting.
• If a Group Policy setting is configured for a parent OU, and the same policy setting is configured for a child OU, the child OU Group Policy setting overrides the setting from the parent OU.
• If a policy setting of a parent OU is set to Not Configured, the child OU does not inherit that setting.

EXCEPTIONS TO THE APPLICATION PROCESS
Block Policy Inheritance
• Prevents settings from all the GPOs higher in the hierarchy from being inherited
No Override
• Prevents a setting in a GPO from being overridden by a setting in a later GPO
Loopback
• Causes configuration of a user to be determined by the Computer Configuration node policies of GPOs that apply to the computer object
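
The inheritance rules and the Block Policy Inheritance and No Override exceptions above, worked through as an added example (not part of the original slides): a small Python model that computes which GPO supplies a setting for an object in a child OU. It relies on one fact the slides do not state, that No Override takes precedence over Block Policy Inheritance, which is why a security baseline linked with No Override survives a delegated OU that blocks inheritance. Loopback is not modelled, and the GPO, OU and setting names are constructed.

```python
# Added example: simplified model of GPO precedence, not a Windows API; all names are constructed.
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict            # a setting missing from the dict is "Not Configured"
    no_override: bool = False

@dataclass
class Container:              # a site, domain or OU
    name: str
    links: list = field(default_factory=list)   # in processing order, last one wins
    block_inheritance: bool = False

def resultant(path, setting):
    """path: containers from the top of the hierarchy down to the object's OU."""
    # No Override: the enforced GPO highest in the hierarchy wins, and
    # Block Policy Inheritance lower down does not stop it.
    for c in path:
        hits = [g for g in c.links if g.no_override and setting in g.settings]
        if hits:
            return hits[-1].settings[setting], hits[-1].name
    # Block Policy Inheritance: ignore everything above the lowest blocking container.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    value, winner = None, None
    for c in path[start:]:
        for g in c.links:
            if setting in g.settings:     # later GPOs override earlier ones
                value, winner = g.settings[setting], g.name
    return value, winner

def scenarios():
    base = Gpo("Baseline", {"ScreenLockMinutes": 10})
    enforced = Gpo("Baseline", {"ScreenLockMinutes": 10}, no_override=True)
    kiosk = Gpo("Kiosk", {"ScreenLockMinutes": 60})
    empty = Gpo("Printers", {})
    def run(parent, child, block):
        path = [Container("example.local", [parent]), Container("OU=Kiosks", [child], block)]
        return resultant(path, "ScreenLockMinutes")
    return {
        "inherited": run(base, empty, False),
        "child_overrides": run(base, kiosk, False),
        "blocked": run(base, empty, True),
        "enforced_beats_block": run(enforced, kiosk, True),
    }

if __name__ == "__main__":
    print(scenarios())
```

The `blocked` case returns `(None, None)`: once the child OU blocks inheritance and configures nothing itself, the domain baseline no longer reaches it, which is the gap an RSoP check on that OU would show.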

USING SECURITY GROUPS TO FILTER GPO SCOPE

USING WMI QUERIES TO FILTER GPO SCOPE
• Windows Management Instrumentation (WMI) provides unified access to the management functions of local and remote systems.
• WMI allows GPO scope to be filtered by criteria such as hardware specifications.
• WMI provides versatility in distribution of applications or operating system updates.

PLANNING WITH THE RSoP TOOL
• Analysis mode allows you to determine what the result of Group Policy application will be for a given user or computer object.
• Planning mode allows you to create what-if scenarios that can simulate changes in Group Policy and their resultant effect on a user or computer object.
• You must be a member of the Domain Admins or Enterprise Admins group or must have been delegated the Generate Resultant Set Of Policy (planning) right to run RSoP.

TROUBLESHOOTING GROUP POLICY APPLICATION
• Resultant Set Of Policy Wizard
• Gpresult command-line tool
• Gpupdate command-line tool
• Event Viewer
• Log files
• Advanced System Information Policy tool
• Group Policy Management Console

TROUBLESHOOTING GROUP POLICY WITH THE RESULTANT SET OF POLICY WIZARD

TROUBLESHOOTING GROUP POLICY WITH GPRESULT
• Command-line utility that allows the RSoP to be calculated and the results to be displayed as text
• Allows results to be written to a text file for logging or analysis

TROUBLESHOOTING GROUP POLICY WITH GPUPDATE
• Gpupdate allows Group Policy to be immediately refreshed.
• Group Policy is automatically refreshed on member servers and workstations every 90 minutes.
• Group Policy is automatically refreshed on domain controllers every 5 minutes.

TROUBLESHOOTING GROUP POLICY WITH EVENT VIEWER

TROUBLESHOOTING GROUP POLICY WITH LOG FILES

TROUBLESHOOTING WITH THE GROUP POLICY MANAGEMENT CONSOLE

GROUP POLICY TROUBLESHOOTING SCENARIOS
Group Policy troubleshooting scenarios are summarized in the textbook in two tables:
• Table 4-2, “Group Policy Object Editor Console Troubleshooting Scenarios”
• Table 4-3, “Group Policy Settings Troubleshooting Scenarios”

MANAGING SPECIAL FOLDERS USING GROUP POLICY
Folder redirection:
• Allows key user data and configuration folders to be redirected to a central location
• Enables centralized backup and administration of user data
• Provides resiliency in the event of workstation failure

FOLDER REDIRECTION
Windows Server 2003 allows the following special folders to be redirected:
• Application Data
• Desktop
• My Documents
• My Pictures
• Start Menu

ADVANTAGES OF REDIRECTING FOLDERS
• Even if a user logs on to various computers on the network, his or her documents are always available.
• Data stored on a shared network server can be backed up as part of routine system administration.
• Group Policy can be used to set disk quotas, limiting the amount of space taken up by users’ special folders.
• Data specific to a user can be redirected to a hard disk on the user’s local computer different from the hard disk holding the operating system files.

OFFLINE FILES
• Offline Files lets users disconnect from the network and work as if they were still connected.
• When the computer is offline, the files and folders appear in the same directory as they do when the system is online.
• Offline Files works best in conjunction with folder redirection.

SYNCHRONIZATION MANAGER
• When using Offline Files and folders, users can synchronize all network resources by using the Synchronization Manager.
• Only resources that have changed are updated.

REDIRECTING MY DOCUMENTS TO HOME FOLDERS
• With Windows Server 2003, you can redirect My Documents to a user’s home folder.
• Such redirection only works with client systems running Windows XP Professional.
• Redirecting My Documents to a user’s home folder is recommended only for organizations that have already deployed home folders and want to provide backward compatibility.

SETTING UP FOLDER REDIRECTION
You can set up folder redirection to operate in one of two ways:
• Redirect special folders to one location
• Redirect special folders to a location according to security group membership

POLICY REMOVAL CONSIDERATIONS
• When a folder redirection policy no longer applies to a user, that user’s folders are copied, moved, or left intact depending on the configuration.
• When moving user accounts or reconfiguring GPOs, special consideration should be given to the potential effect on redirected folders.

FOLDER REDIRECTION BEST PRACTICES
• Allow the system to create the folders and accept default settings.
• Use fully qualified Universal Naming Convention (UNC) paths for destination folders.
• Place the My Pictures folder in the My Documents folder.
• Consider what will happen if the policy is removed.
• Enable Offline Files.

SUMMARY
• Group Policy enables administrators to manage change and configuration for users and computers centrally.
• Configuration is specified by enabling or disabling Group Policy settings within one or more GPOs.
• GPOs are applied by linking them to sites, domains, or OUs. The user and computer objects beneath the link are said to be within the scope of the GPO.
• The Group Policy settings in a GPO are said to be inherited by users and computers below the linked site, domain, or OU.

SUMMARY (CONTINUED)
• RSoP analyses provide insight into the net effect of GPOs on a user or computer and can be used to plan, report, and troubleshoot Group Policy.
• Folder redirection is a feature of IntelliMirror that enables users and administrators to redirect the path of any special folder.
• Offline Files and Synchronization Manager are used to allow users of portable computers to work on network files when their computers are disconnected from the local area network (LAN).
• Roaming profiles are used to allow users to access their data quickly and easily, regardless of which computer they log on to.
• Windows Server 2003 provides a range of tools to assist you in verifying your configuration and in diagnosing and solving problems with Group Policy.