200 likes | 297 Views
More GPO’s & GPP. Chapter 7. Agenda. Group Policies (the day after) Group Policy Preferences. Group Policies (the day after). How can we keep track of what we have done or changed? We can name the policy appropriately based on function or grouping of settings Interactive_Logon_Policy
E N D
More GPO’s & GPP Chapter 7
Agenda • Group Policies (the day after) • Group Policy Preferences
Group Policies (the day after) • How can we keep track of what we have done or changed? • We can name the policy appropriately based on function or grouping of settings • Interactive_Logon_Policy • Internet_Explorer_Policy • The GPMC allows us to make comments regarding a particular policy. • What should we comment on? • Who’s in charge of the GPO • Who to call if there is a problem? • Who is supposed to be affected by this GPO? • Detailed information about what this GPO should do • Who will get fired if this doesn’t work
Group Policies (the day after) • Comments… • GPMCSelect PolicyEditRight click on Policy name (see below)Properties
Group Policies (the day after) • Comments…
Group Policies (the day after) • Controlling how GPO’s run • Disable local GPOs from applying • CCPoliciesAdmin TemplatesSystemGroup Policy
Group Policies (the day after) • Controlling how GPO’s run • Disable Link Enabled Status • Disable “half” of a Group Policy • Will speed up processing (not very noticeable)
Group Policies (the day after) • Controlling how GPO’s run • The Enforced Function • Guarantees that policy settings within a GPO from a higher level are always inherited by lower levels • Right click on Policy and choose Enforce
Group Policy Preferences • Group Policy Preferences (GPP) • Extensions or “new settings” • Adds more than 3000 policy settings! • Modify the local administrator password on every desktop • Create a shortcut on the desktop • Different than normal GPO settings as they are “sorta” duplicate under user and computer settings
Group Policy Preferences • What’s the difference between Group Policies and Preferences? • *Group Policy settings will: • not tattoo. In other words, when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used. • supersede an application's configuration setting. In other words, when a GP policy is configured to a value, the application is aware of that value and always uses it over the configurable value. • be recognized by an application. In other words, the display of the configuration item under control of a GP policy setting will be unavailable through the user interface. This is where graying out a configuration item on a menu, not displaying a dialog box, or providing a pop-up message explaining the current feature is under administrator control is used to inform the user they can't configure an option. • *http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
Group Policy Preferences • Group Policy Preference settings will: • tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value. • overwrite an application's configuration setting. This is accomplished by overwriting the original user configured-value for the application. No effort is made to retain the original value before overwriting the value with the preference setting. And, as was noted in 1, the overwritten value will not be removed when the GPO goes out of scope. • not be recognized by an application. In other words, the application's user interface will allow a user to change the configuration item. Most importantly, the Group Policy engine only recognizes when a GPO changes, not when the preference value has been changed. This means the preference setting will be applied once and not automatically reapplied if the user changes the value of the configuration item.
Group Policy Preferences • Group Policy PreferencesSettings are the similar for both user and computer configurations
Group Policy Preferences • Group Policy Preferences (GPP) are essentially an extension DLL (dynamic link library) that does a bunch of stuff. • Can be “undone” by the user
Group Policy Preferences • Computer Configuration PreferencesWindows Settings • Environment: • Set user and system environment variables • Change the Windows system path variable • Files • Copy files from point A to point B • Server share to %Documents% on the local system • Folders • Create, delete or empty folders • Network Shares • Create shares on workstations or servers • Shorcuts • Place program or URL on desktops, startup folder, Programs folders, etc etc.
Group Policy Preferences • Computer/User ConfigurationPreferencesControl Panel
Group Policy Preferences Common Control Panel Settings • Local users and groups • Create/change local users • Modify local user passwords • Change local user group membership • Power Options • Create power options for XP • Create power plans for Vista and later
Group Policy Preferences • Printers • ComputerLocal/IP • UserLocal/IP/Shared
Summary • You can add comments to help document GPOs • Enforced Function overrules blocking of inheritance • You can disable “half” of a GPO • Group Policy settings are “undone” when the system or user falls out of scope (Group Policy is changed/link removed or User/Computer is moved to another container) • GPP’s are extensions and stay with the system (tattoo’d) regardless of the Group Policy falling out of scope (Group Policy removed/unlinked from OU) • GPP’s can be undone by the users