1 / 77

Goals

Goals Introduce Group Policy Introduce the types of Group Policy settings and the GPMC Identify the role of a Group Policy at startup and logon Plan a Group Policy implementation Create a Group Policy Object Delegate control for a Group Policy Object (Skill 1) Introducing Group Policy

niveditha
Download Presentation

Goals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Goals • Introduce Group Policy • Introduce the types of Group Policy settings and the GPMC • Identify the role of a Group Policy at startup and logon • Plan a Group Policy implementation • Create a Group Policy Object • Delegate control for a Group Policy Object

  2. (Skill 1) Introducing Group Policy • An administrator must monitor user and computer settings regularly to make sure that they conform to the corporate standards • Group Policy is the primary Active Directory tool used by administrators to set the standard behavior for users’ desktops and to enforce those requirements

  3. (Skill 1) Introducing Group Policy (2) • Using Group Policies • Administrators define the work environment settings once • The settings are applicable regardless of the user’s location • Administrators can apply GPOs to various Active Directory containers to implement rules at various levels • To do this, you simply link the GPO to one of these containers

  4. (Skill 1) Introducing Group Policy (3) • Group Policy is also referred to as a Group Policy Object (GPO) • A GPO is a storage place for a collection of Group Policy settings that enable an administrator to control various aspects of the computing environment • All Group Policy settings are stored in a GPO along with the properties associated with the objects in the Active Directory store

  5. (Skill 1) Introducing Group Policy (4) • Policy settings for sites, domains, and organizational units are stored in GPOs • To create a GPO for a domain or an OU • Use the Active Directory Users and Computers console • Use the Group Policy Management Console (GPMC)

  6. (Skill 1) Introducing Group Policy (5) • To create a GPO for a site • Use the Active Directory Sites and Services console • Use the Group Policy Management Console (GPMC), which combines the functionality of various consoles • Active Directory Users and Computers • Active Directory Sites and Services • ACL Editor • Delegation Wizard • Resultant Set of Policy tool

  7. (Skill 1) Figure 9-1 Download the GPMC

  8. (Skill 1) Introducing Group Policy (6) • Two types of GPOs • Local GPOs are stored on each Windows Server 2003 computer • Active Directory-based GPOs • Are stored on a domain controller in the Active Directory environment • Are replicated to all domain controllers in the domain

  9. (Skill 1) Introducing Group Policy (7) • GPO is made up of two parts • Group Policy Container (GPC) • GPO attributes • Extensions • Version information • Group Policy Template (GPT) • Collection of folders • Stored on each Windows Server 2003 domain controller

  10. (Skill 1) Introducing Group Policy (8) • Group Policy Container (GPC) • An Active Directory component that contains GPO attributes, extensions, and version information • Domain controllers use this information to make sure they are using the most recent version of the GPO and to apply permissions to the GPO • For each GPO, there is a GPC container stored in the System\Policies folder in the Active Directory Users and Computers console • Each GPC container is identified by the Globally Unique Identifier (GUID) for the GPO

  11. (Skill 1) Figure 9-2 GPC containers in the Active Directory Users and Computers console

  12. (Skill 1) Introducing Group Policy (9) • Group Policy Template (GPT) • A collection of folders stored on each Windows Server 2003 domain controller in the folder %Systemroot%\SYSVOL\sysvol\<domain_name>\Policies • For each GPO, a folder hierarchy composed of the physical files and settings required by the GPO is automatically created • These settings are applied to the Windows 2000, Windows Server 2003, and Windows XP clients on a network

  13. (Skill 1) Introducing Group Policy (10) • Group Policy Template (GPT) • Contains all of the Registry entries, as well as the associated files and folder required to implement the various GPO functions • Like the GPC container, the GPT folder is identified by the GUID for the GPO

  14. (Skill 1) Figure 9-3 The Add Standalone Snap-in dialog box

  15. (Skill 1) Figure 9-4 The Group Policy Wizard

  16. (Skill 1) Figure 9-5 The Add/Remove Snap-in dialog box

  17. (Skill 1) Figure 9-6 Configuring Local Computer Policy

  18. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC • Group Policy settings are divided into two categories • Computer Configuration settings • These settings refer to Group Policies that apply to computers, regardless of what user logs on • These settings apply to a computer during the initialization of the operating system • User Configuration settings • These settings refer to Group Policies for users, regardless of what computer the users log on to • These settings apply at user logon

  19. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (2) • Both Computer Configuration settings and User Configuration settings contain three main containers that include a number of related policies • Software Settings • Windows Settings • Administrative Templates

  20. (Skill 2) Figure 9-7 The three main categories of User Configuration and Computer Configuration Group Policy

  21. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (3) • Software Settings • This configuration setting node is used to determine the applications distributed to computers or users via a GPO • You use Software Settings to assign applications to computers or to assign or publish applications to users • If you use the Computer Configuration node to assign an application to a computer, the application appears on the Start menu for all computers in the domain, site, or OU

  22. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (4) • Software Settings • If you publish an application to users, it appears in the Add/Remove Programs Wizard for all users in the domain, site, or OU • If you assign an application to users using the User Configuration node • It displays on the Start menu for all users in the site, domain, or OU • It does not install until the user invokes it • This functionality is called “advertising”

  23. (Skill 2) Figure 9-8 Software installation

  24. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (5) • Windows Settings • In the Computer Configuration node, the Windows Settings node contains the Scripts and Security Settings extensions • Scripts extension: Used to specify startup and shutdown scripts for computers, as well as logon and logoff scripts for users on a network • Security Settings extension: Used by administrators to configure security settings for the local computer or for a GPO

  25. (Skill 2) Figure 9-9 Scripts

  26. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (6) • Windows Settings • In the User Configuration node, the Windows Settings node has five folders • Remote Installation Services • Scripts • Security Settings • Internet Explorer Maintenance • Folder Redirection

  27. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (7) • Windows Settings • Remote Installation Services Group Policies control the RIS installation options available to the user when the Client Installation Wizard is initiated • Folder Redirection Group Policies relocate special folders, such as My Documents, Start Menu, or Desktop • You can redirect these folders from their default locations in a user profile to alternate locations

  28. (Skill 2) Figure 9-10 Types of Folder Redirection policies

  29. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (8) • Administrative Templates • Contains all Registry-based Group Policy settings, including settings for Windows Components, System, and Network • Group Policy settings for Printers are available only in the Computer Configuration container • Other settings, including Start Menu and Taskbar, Desktop, Control Panel, and Shared Folders are available only in the User Configuration container

  30. (Skill 2) Figure 9-11 Types of Administrative Templates policies

  31. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (9) • Group Policy Management Console (GPMC) • Comprehensive tool for Group Policy administration for Windows 2000 and Windows Server 2003 domains • Provides administrators with the ability to backup, restore, import, and copy/paste GPOs, as well as to create, delete, and rename them • Use it to link GPOs and search for GPOs • Use it to delegate Group Policy-related features and for policy-related permission for sites, domains, and OUs

  32. (Skill 2) Figure 9-12 Group Policy Objects in the GPMC

  33. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (10) • GPMC installation requirements • Requires Windows Server 2003 or Windows XP Service Pack 1 or above computers • To run the tool on Windows XP Service pack 1 or above computers, you must also install the QFE update Q326469 and the Microsoft .NET Framework • The domain controllers must all be running Windows 2000 Service Pack 2 or later

  34. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (11) • GPMC requirements for domain controllers • GPMC requires that all LDAP communications be signed and encrypted • To access domain controllers in an external forest, they must be running Windows 2000 Service Pack 3 or later • If you want to access domain controllers in an external forest that are not yet running Service Pack 3 or later, edit the Registry on the computer running GPMC to relax LDAP signing and encryption requirements

  35. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (12) • System Policies • Used in Windows 9.x and Windows NT to change Registry settings and to control the user environment • Still useful for managing Windows 9x and NT computers • Windows 9.x: you can run the Poledit.exe version on the Windows 98 installation CD to create config.pol files • Windows NT 4.0 Workstation or Server: use the Windows NT System Policy Editor or the Poledit.exe included with Windows Server 2003 to create config.pol files

  36. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (13) • System Policies • System Policy Editor (Poledit.exe) has been mostly replaced by Group Policy in Windows 2000 and Windows Server 2003 • If you create policy settings with Windows Server 2003 version, you cannot edit them using the Windows NT 4.0 version

  37. (Skill 2) Figure 9-13 The System Policy Editor

  38. (Skill 2) Introducing the Types of Group Policy Settings and the GPMC (14) • Each of the Group Policy Object Editor extensions is a MMC snap-in extension itself • All Group Policy setting folders are loaded by default when Group Policy Object Editor is started • You can create custom consoles for each of these extensions • Use the Microsoft Management Consolefolder in the User Configuration\Administrative Templates container in the Group Policy Object Editor to apply these policies

  39. (Skill 2) Figure 9-14 The Microsoft Management Console folder

  40. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon • The role of a Group Policy begins when a computer starts up or when a user logs on • During startup and logon, both Computer Configuration and User Configuration settings are applied in a specific sequence

  41. (Skill 3) Figure 9-15 The sequence in which Computer Configuration and User Configuration settings are applied

  42. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (2) • Every computer has one GPO that is stored locally • This local Group Policy Object (LPGO) is applied first • The processing sequence becomes very important when dealing with multiple policies • If there are no conflicts between the policies, all settings from all of the policies apply • However, if a conflict occurs the policy to apply last wins

  43. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (3) • Sequence in which Group Policy settings are processed • Local GPO • Site GPOs • Domain GPOs • OU GPOs (LSDOU)

  44. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (4) • If more than one GPO is linked • The policies are processed in reverse order for each individual container • This is done so that the policy that is considered to be the most important is displayed at the top of the list of all GPOs applied to a particular container

  45. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (5) • Like files and folders, Group Policies are also inherited from parent containers to child containers • You can specifically set a separate Group Policy setting for a child container to override the settings it inherits from its parent container • It is extremely importantto note that like OU structures, Group Policies do notflow between domains

  46. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (6) • Group Policy applied to a parent domain • Does notapply to its child domain or domains • The only container that can apply Group Policies to multiple domains is the site container • Group Policy applied to a site • Affects allusers and computers in the site, regardless of domain • For this reason, you must be an Enterprise Admin in order to apply a Group Policy to a site

  47. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (7) • Exceptions to the order in which GPOs are processed • If a computer belongs to a workgroup, it processes only local GPOs • You can modify the default behavior using the Block Inheritance option, but this can make GPO administration more complicated and it should be used sparingly • You can block inheritance for GPO links for an entire domain, for all domain controllers, or for an OU

  48. (Skill 3) Figure 9-16 Blocking Inheritance for the GPO links for all domain controllers

  49. (Skill 3) Identifying the Role of a Group Policy at Startup and Logon (8) • Exceptions to the order in which GPOs are processed • The default order for processing Group policy settings is also affected when you set the GPO link to Enforced • Policy settings in the GPO link take precedence over child object settings • Gives the parent GPO link precedence so that the default behavior does not apply (formerly called the No Override option) • GPO administration is more complex • GPOs cannot have their inheritance blocked

  50. (Skill 3) Figure 9-17 The Enforced setting

More Related