Managing Group Policies Lecture 9
Group Policies
• Group Policies are used to manage user/computer environments.
• Allow for central administration and management of multiple computers/users.
• The goal of policy-based administration is for the administrator to state a wish about the state of the user/computer environment once, then rely on the system to enforce that wish.
Group Policies
• SOM (Scope of Management): policies apply to users and computers depending on where they reside in Active Directory (AD): sites, domains, Organizational Units (OUs) and computers.
• Each collection of settings is called a GPO (Group Policy Object).
• Default policies: local policy, Default Domain Policy, Default Domain Controllers Policy.
• Editing tools: Group Policy Object Editor and the Group Policy Management Console (GPMC).
GPO settings
• Computer Configuration and User Configuration settings.
• Both contain Software Settings, Windows Settings and Administrative Templates.
• Each setting is Not Configured by default and must be set to Enabled or Disabled before it takes effect.
Managing Security
• Security settings:
  - Account Policies
  - Password Policies
  - Account Lockout Policies
• Software Restriction Policies (new)
How GPOs are applied
• Group Policies are applied based on a user's or computer's location in the AD container hierarchy: sites, domains, and organizational units (OUs).
• By default, settings applied by a GPO to a container are inherited by the users, computers and containers inside it.
• GPOs are processed in the order Local -> Site -> Domain -> OU (L->S->D->OU).
Local Computer Policies
• Every Win2K, XP or 2003 computer has a local GPO that cannot be managed centrally.
• With a local GPO, you can modify local policy to provide security and desktop restrictions without the use of AD-based GPOs.
• Local GPOs support all the default extensions except software installation and folder redirection.
AD GPOs
• Within AD, you can define GPOs at three different levels: domain, OU, or site. (A site is a collection of subnets on your network connected by high-speed links.)
• Only users and computers are subject to GPOs.
• Multiple GPOs linked to a single SOM are processed in the order they are listed; the GPO highest in the list has the highest precedence because it is processed last.
• GPOs are inherited, and default inheritance can be blocked.
The order of policy inheritance
[Diagram: Local Computer Policy, then Site (Site Policy GPO), then Domain A (Domain Policy GPO), then the OUs: Sales OU, Payroll OU and Product X OU, with Sales Policy GPO and Public Docs Policy GPO shown at the OU level.]
How GPOs are applied
• By default, if conflicting settings exist in GPOs at these different containers, the last one processed is the setting that applies.
• You can change this inheritance by configuring either Block Inheritance or No Override (called Enforced in the Group Policy Management Console).
• If both settings are applied at different container levels within AD, No Override takes precedence over Block Inheritance.
• The RSoP (Resultant Set of Policy) tool reports the final effective policy result.
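Added example, not part of the lecture: a small PowerShell function that simulates the precedence rules covered in these slides (L->S->D->OU processing, link order, Block Inheritance, No Override/Enforced) and reports the winning GPO the way RSoP would. It goes slightly beyond the slides in also applying the rule that, between two enforced GPOs, the one linked higher in the hierarchy wins. The container names, GPO names and ScreenSaverTimeout values are constructed for illustration.

```powershell
function Get-EffectiveSetting {
    param(
        # $Chain: containers from the Site down to the object's own OU (S -> D -> OU).
        # Each is @{ Name; BlockInheritance; Links }; Links is in GPMC link order
        # (first element = link order 1 = highest precedence in that container).
        [Parameter(Mandatory)] [hashtable[]] $Chain,
        [hashtable] $LocalPolicy,      # Local GPO: processed first, never blocked
        [Parameter(Mandatory)] [string] $Setting
    )
    $normal   = [System.Collections.Generic.List[hashtable]]::new()
    $enforced = [System.Collections.Generic.List[hashtable]]::new()
    foreach ($container in $Chain) {
        # Block Inheritance discards non-enforced GPOs linked at parent containers.
        if ($container.BlockInheritance) { $normal.Clear() }
        $links = @($container.Links)
        # Link order 1 is processed last within its container, so it wins there.
        for ($i = $links.Count - 1; $i -ge 0; $i--) {
            if ($links[$i].Enforced) { $enforced.Add($links[$i]) } else { $normal.Add($links[$i]) }
        }
    }
    # Enforced GPOs run after all others; the highest-level enforced link runs last and wins.
    $enforced.Reverse()
    $order = [System.Collections.Generic.List[hashtable]]::new()
    if ($LocalPolicy) { $order.Add($LocalPolicy) }
    $order.AddRange($normal); $order.AddRange($enforced)
    # Last GPO that configures the setting wins: this is what RSoP reports.
    $winner = $null
    foreach ($gpo in $order) { if ($gpo.Settings.ContainsKey($Setting)) { $winner = $gpo } }
    $value = if ($null -ne $winner) { $winner.Settings[$Setting] } else { $null }
    $name  = if ($null -ne $winner) { $winner.Name } else { '(not configured)' }
    [pscustomobject]@{ Setting = $Setting; Value = $value; WinningGPO = $name
                       Order = ($order | ForEach-Object { $_.Name }) -join ' -> ' }
}

# Constructed scenario mirroring the inheritance diagram: the Sales OU blocks
# inheritance, but the Domain Policy GPO is set to No Override (Enforced).
$local  = @{ Name = 'Local Computer Policy'; Settings = @{ ScreenSaverTimeout = 900 } }
$domain = @{ Name = 'Domain Policy GPO'; Enforced = $true; Settings = @{ ScreenSaverTimeout = 600 } }
$chain  = @(
    @{ Name = 'Site';     Links = @(@{ Name = 'Site Policy GPO'; Settings = @{ ScreenSaverTimeout = 1200 } }) }
    @{ Name = 'Domain A'; Links = @($domain) }
    @{ Name = 'Sales OU'; BlockInheritance = $true
       Links = @(@{ Name = 'Sales Policy GPO'; Settings = @{ ScreenSaverTimeout = 300 } }) }
)
Get-EffectiveSetting -Chain $chain -LocalPolicy $local -Setting ScreenSaverTimeout   # No Override beats the block
$domain.Enforced = $false   # without No Override, Block Inheritance removes the Site and Domain GPOs
Get-EffectiveSetting -Chain $chain -LocalPolicy $local -Setting ScreenSaverTimeout   # the Sales OU's own GPO wins
```

Compare the two Order columns: the enforced domain GPO is moved to the end of the processing list and survives the block, while without enforcement only the Local and Sales OU GPOs remain.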