1 / 20

More GPO’s & GPP

More GPO’s & GPP. Chapter 7. Agenda. Group Policies (the day after) Group Policy Preferences. Group Policies (the day after). How can we keep track of what we have done or changed? We can name the policy appropriately based on function or grouping of settings Interactive_Logon_Policy

halona
Download Presentation

More GPO’s & GPP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. More GPO’s & GPP Chapter 7

  2. Agenda • Group Policies (the day after) • Group Policy Preferences

  3. Group Policies (the day after) • How can we keep track of what we have done or changed? • We can name the policy appropriately based on function or grouping of settings • Interactive_Logon_Policy • Internet_Explorer_Policy • The GPMC allows us to make comments regarding a particular policy. • What should we comment on? • Who’s in charge of the GPO • Who to call if there is a problem? • Who is supposed to be affected by this GPO? • Detailed information about what this GPO should do • Who will get fired if this doesn’t work 

  4. Group Policies (the day after) • Comments… • GPMCSelect PolicyEditRight click on Policy name (see below)Properties

  5. Group Policies (the day after) • Comments…

  6. Group Policies (the day after) • Controlling how GPO’s run • Disable local GPOs from applying • CCPoliciesAdmin TemplatesSystemGroup Policy

  7. Group Policies (the day after) • Controlling how GPO’s run • Disable Link Enabled Status • Disable “half” of a Group Policy • Will speed up processing (not very noticeable)

  8. Group Policies (the day after) • Controlling how GPO’s run • The Enforced Function • Guarantees that policy settings within a GPO from a higher level are always inherited by lower levels • Right click on Policy and choose Enforce

  9. Group Policy Preferences

  10. Group Policy Preferences • Group Policy Preferences (GPP) • Extensions or “new settings” • Adds more than 3000 policy settings! • Modify the local administrator password on every desktop • Create a shortcut on the desktop • Different than normal GPO settings as they are “sorta” duplicate under user and computer settings

  11. Group Policy Preferences • What’s the difference between Group Policies and Preferences? • *Group Policy settings will: • not tattoo. In other words, when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used. • supersede an application's configuration setting. In other words, when a GP policy is configured to a value, the application is aware of that value and always uses it over the configurable value. • be recognized by an application. In other words, the display of the configuration item under control of a GP policy setting will be unavailable through the user interface. This is where graying out a configuration item on a menu, not displaying a dialog box, or providing a pop-up message explaining the current feature is under administrator control is used to inform the user they can't configure an option. • *http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx

  12. Group Policy Preferences • Group Policy Preference settings will: • tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value. • overwrite an application's configuration setting. This is accomplished by overwriting the original user configured-value for the application. No effort is made to retain the original value before overwriting the value with the preference setting. And, as was noted in 1, the overwritten value will not be removed when the GPO goes out of scope. • not be recognized by an application. In other words, the application's user interface will allow a user to change the configuration item. Most importantly, the Group Policy engine only recognizes when a GPO changes, not when the preference value has been changed. This means the preference setting will be applied once and not automatically reapplied if the user changes the value of the configuration item.

  13. Group Policy Preferences • Group Policy PreferencesSettings are the similar for both user and computer configurations

  14. Group Policy Preferences • Group Policy Preferences (GPP) are essentially an extension DLL (dynamic link library) that does a bunch of stuff. • Can be “undone” by the user

  15. Group Policy Preferences • Computer Configuration PreferencesWindows Settings • Environment: • Set user and system environment variables • Change the Windows system path variable • Files • Copy files from point A to point B • Server share to %Documents% on the local system • Folders • Create, delete or empty folders • Network Shares • Create shares on workstations or servers • Shorcuts • Place program or URL on desktops, startup folder, Programs folders, etc etc.

  16. Group Policy Preferences • Computer/User ConfigurationPreferencesControl Panel

  17. Group Policy Preferences Common Control Panel Settings • Local users and groups • Create/change local users • Modify local user passwords • Change local user group membership • Power Options • Create power options for XP • Create power plans for Vista and later

  18. Group Policy Preferences

  19. Group Policy Preferences • Printers • ComputerLocal/IP • UserLocal/IP/Shared

  20. Summary • You can add comments to help document GPOs • Enforced Function overrules blocking of inheritance • You can disable “half” of a GPO • Group Policy settings are “undone” when the system or user falls out of scope (Group Policy is changed/link removed or User/Computer is moved to another container) • GPP’s are extensions and stay with the system (tattoo’d) regardless of the Group Policy falling out of scope (Group Policy removed/unlinked from OU) • GPP’s can be undone by the users

More Related