Goals
• Configure Group Policy settings for a GPO
• Modify the order of Group Policy Objects
• Filter the scope of a Group Policy Object
• Link Group Policy Objects
• Delete GPO links and Group Policy Objects
• Examine the application of Group Policy using RSoP
• Use the Group Policy Management Wizard
(Skill 1) Configuring Group Policy Settings for a GPO
• Group Policy
    • Used to set a consistent desktop environment
    • Used to configure both user and computer security settings
• Other security options
    • Allowing automatic administrative logon to the Recovery Console
    • Shutting down the system immediately if the system is unable to log security audits
(Skill 1) Configuring Group Policy Settings for a GPO (2)
• User Configuration settings node
    • You can use Administrative Templates to control access to the Control Panel or to specific Control Panel applets
    • You can control which Desktop items appear or are hidden, among many other policy settings
• You set policies for a GPO using the Group Policy Object Editor for that GPO
(Skill 1) Figure 10-1 Setting Group Policy Object Properties
(Skill 1) Figure 10-2 The Enabled Hide Add New Programs page policy
(Skill 1) Figure 10-3 The Interactive logon: Do not display last user name Properties dialog box
(Skill 1) Figure 10-4 The Shutdown: Allow system to be shut down without having to log on dialog box
(Skill 1) Figure 10-5 The Enabled policies in the Group Policy Object Editor
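The same three policies the figures above show being set in the Group Policy Object Editor, set from PowerShell instead. This is an added example, not code from the original slides; it assumes the GroupPolicy module (RSAT or a current domain controller, not the Server 2003 GPMC pictured) and an existing GPO with the hypothetical name "Desktop-Lockdown".

```powershell
# Added example, not from the original slides: sets the policies shown in Figures 10-2 to 10-4
# on a GPO from PowerShell instead of the Group Policy Object Editor.
# Assumes the GroupPolicy module and an existing GPO with the hypothetical name "Desktop-Lockdown".
Import-Module GroupPolicy

$gpoName = 'Desktop-Lockdown'

# Figure 10-2: User Configuration > Administrative Templates > Control Panel >
# Add or Remove Programs > "Hide Add New Programs page". Administrative Template policies
# are registry values in registry.pol, which is exactly what Set-GPRegistryValue writes.
$arpKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
Set-GPRegistryValue -Name $gpoName -Key $arpKey -ValueName 'NoAddPage' -Type DWord -Value 1 | Out-Null

# Figures 10-3 and 10-4 are Security Options. The editor stores those through the Security
# Settings extension (GptTmpl.inf); here the registry values those two options control are
# written as registry policy instead, so the Registry CSE applies them on the client.
$sysKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'DontDisplayLastUserName' `
    -Type DWord -Value 1 | Out-Null   # 1 = Enabled: last user name is not shown at logon
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'ShutdownWithoutLogon' `
    -Type DWord -Value 0 | Out-Null   # 0 = Disabled: logon required before shutdown (server default)

# Read the values back from the GPO to confirm what the policy now carries
function Get-LockdownPolicyValues {
    param([string]$Name = $gpoName)
    foreach ($key in $arpKey, $sysKey) {
        Get-GPRegistryValue -Name $Name -Key $key |
            Select-Object @{n='Key';e={$key}}, ValueName, Value, Type
    }
}
Get-LockdownPolicyValues | Format-Table -AutoSize
```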
(Skill 2) Modifying the Order of Group Policy Objects
• The order in which Group Policy settings apply to a user or computer depends on the priority order of the GPOs
• GPOs, by default, are processed in accordance with the Active Directory hierarchy (LSDOU)
    • Local policy
    • Site policy
    • Domain policy
    • OU policy
• Each level is processed in turn, so when settings conflict the GPO processed later (closer to the object) takes precedence
(Skill 2) Modifying the Order of Group Policy Objects (2)
• Using the Enforced option
    • Allows you to give preference to the policies at each level (except local)
    • When you set a GPO link to Enforced, the GPO link takes precedence over the settings for any child object
• You can also disable a GPO link to completely block that GPO from being applied; this disables the GPO only for the selected container object
(Skill 2) Modifying the Order of Group Policy Objects (3)
• Using the Block Inheritance option
    • Allows you to block the application of all policies applied at higher levels for a specific container
• Using filtering
    • Allows you to specify that a particular GPO applies only to one or more specific groups of users within a container
    • Involves modifying the Apply Group Policy permission for the GPO
(Skill 2) Modifying the Order of Group Policy Objects (4)
• Using the Link Order column in the Linked Group Policy Objects list in the GPMC
    • Allows you to change the priority order of the GPOs for a domain or an OU
• Local policies have no prioritization options because they are always overwritten when a conflict occurs
(Skill 2) Modifying the Order of Group Policy Objects (5)
• Creating and linking a GPO
    • You must have the Link GPOs permission for the domain or organizational unit for which you are creating the GPO
    • You also must have permission to create GPOs in that domain
    • The Domain Admins, Enterprise Admins and Group Policy Creator Owners groups have permission to create GPOs in a domain by default
(Skill 2) Modifying the Order of Group Policy Objects (6)
• Using the Resultant Set of Policy (RSoP)
    • Allows you to see policy prioritization in action
    • RSoP is a new console in Windows Server 2003
    • Provides the ability to analyze and display the result of Group Policy application for any object in the directory
(Skill 2) Modifying the Order of Group Policy Objects (7)
• Applying a GPO to a site
    • You cannot create and link a GPO to a site in one step, because the operating system would not know in which domain to create the GPO
    • To apply a GPO to a site
        • Create a GPO in any domain in the forest
        • Use the Link an Existing GPO command to link the GPO to the site
(Skill 2) Figure 10-6 Changing the link order for a GPO
(Skill 2) Figure 10-7 The Group Policy Inheritance tab
(Skill 3) Filtering the Scope of a Group Policy Object
• Filtering the scope
    • You might need to restrict the scope of a GPO by applying permissions to specific users and/or computers
    • This is called filtering the GPO scope
    • To filter the scope of a GPO, you use security groups
(Skill 3) Filtering the Scope of a Group Policy Object (2)
• Security groups
    • Used to specify the users subject to the policies in a particular GPO
    • Used to define the rights and permissions users have to access resources
• You set different permissions for different security groups on the Security tab of the Properties dialog box for a GPO
(Skill 3) Filtering the Scope of a Group Policy Object (3)
• Setting security group permissions
    • Read and Apply Group Policy permissions
        • Are assigned for a particular GPO
        • By default, the Authenticated Users group is granted both permissions for all GPOs
    • To block a policy from applying to a specific group, set its Apply Group Policy permission to Deny
    • To allow the GPO to apply to a single group of users
        • Remove the Apply Group Policy permission from the Authenticated Users group
        • Allow the Apply Group Policy permission only for that group
(Skill 3) Filtering the Scope of a Group Policy Object (4)
• When you are using filtering, only two Group Policy permissions are applicable
    • Read
    • Apply Group Policy
(Skill 3) Figure 10-8 Setting the Apply Group Policy permission for a security group
(Skill 3) Filtering the Scope of a Group Policy Object (5)
• Two ways to filter the scope of a GPO directly in the GPMC
    • Select the GPO in its container object
    • Expand the Group Policy Objects node in the GPMC and select the GPO you want to filter
(Skill 3) Filtering the Scope of a Group Policy Object (6)
• To add objects to the security filter
    • On the Scope tab, in the Security Filtering section, click the Add button to open the Select User, Computer, or Group dialog box
    • Click OK to add the object to the security filter
• To apply the GPO only to the group or groups that have been added
    • In the Security Filtering section on the Scope tab, select Authenticated Users
    • Click the Remove button
(Skill 3) Figure 10-9 Security Filtering
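The Security Filtering change from the slides above, made with the GroupPolicy module: Authenticated Users is removed from the filter and Read plus Apply Group Policy is granted to one group only. This is an added example, not code from the original slides; the GPO "Desktop-Lockdown", the group "GG-Kiosk-Users" and the domain corp.example are hypothetical names. Step 3 adds a caveat the slides predate: since MS16-072 (June 2016) the computer account must keep Read on the GPO or its user settings stop applying.

```powershell
# Added example, not from the original slides: scopes a GPO to one security group by changing
# the Read / Apply Group Policy permissions, the same change GPMC's Security Filtering section
# makes. Assumes the GroupPolicy module and hypothetical names for the GPO, group and domain.
Import-Module GroupPolicy

$gpo    = 'Desktop-Lockdown'
$domain = 'corp.example'
$group  = 'GG-Kiosk-Users'

# 1. Remove Authenticated Users from the security filter (this drops both Read and Apply,
#    exactly what the Remove button on the Scope tab does)
Set-GPPermission -Name $gpo -Domain $domain -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 2. Grant Read + Apply Group Policy only to the intended group
Set-GPPermission -Name $gpo -Domain $domain -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Caveat not on the slides: since MS16-072 the computer account must be able to READ the
#    GPO for its user settings to apply. Re-add Read (not Apply) for Domain Computers,
#    otherwise the User Configuration half of this GPO silently stops applying.
Set-GPPermission -Name $gpo -Domain $domain -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Verify: only Read and Apply Group Policy matter for filtering (Skill 3, slide 4)
function Get-GpoFilterPermissions {
    param([string]$Name = $gpo, [string]$GpoDomain = $domain)
    Get-GPPermission -Name $Name -Domain $GpoDomain -All |
        Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
}
Get-GpoFilterPermissions | Format-Table -AutoSize
```

The cmdlet cannot set a Deny entry; the "set Apply Group Policy to Deny" variant from slide 3 is still done on the GPO's Delegation tab (Advanced) in GPMC.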
(Skill 4) Linking Group Policy Objects
• A GPO, by default, is linked to the container in which it is created
• You can link GPOs to additional sites, domains, or OUs in order to increase the scope of the GPO
• To link a GPO to an additional container, you use the Link an Existing GPO command and the Select GPO dialog box for that container
(Skill 4) Linking Group Policy Objects (2)
• To link an existing GPO to a site, domain, or organizational unit, you must have the Link GPOs permission for that container object
• The Domain Admins and Enterprise Admins groups are granted this permission by default for domains and organizational units
• For sites, only the Domain Admins and Enterprise Admins groups of the forest root domain are granted this permission by default
(Skill 4) Figure 10-10 Linking an existing GPO
(Skill 4) Figure 10-11 The Select GPO dialog box
(Skill 4) Figure 10-12 The GPO linked to the domain
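Linking an existing GPO to additional containers (Skill 4) together with the Link Order, Enforced and Block Inheritance controls from Skill 2, followed by a read-back of the resulting precedence, the same list the Group Policy Inheritance tab in Figure 10-7 shows. This is an added example, not code from the original slides; it assumes the GroupPolicy module and hypothetical names: domain corp.example, existing GPOs "Baseline-Security" and "Desktop-Lockdown", and an OU "Workstations" with a child OU "Kiosks".

```powershell
# Added example, not from the original slides: links a GPO to two OUs (Skill 4), sets link
# order, Enforced and Block Inheritance (Skill 2), then reads back the effective precedence.
# Assumes the GroupPolicy module; domain, GPO and OU names below are hypothetical.
Import-Module GroupPolicy

$domain = 'corp.example'
$parent = 'OU=Workstations,DC=corp,DC=example'
$child  = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example'

# Skill 4: linking needs the Link GPOs permission on each target container
New-GPLink -Name 'Desktop-Lockdown' -Target $parent -Domain $domain -LinkEnabled Yes | Out-Null
New-GPLink -Name 'Desktop-Lockdown' -Target $child  -Domain $domain -LinkEnabled Yes | Out-Null

# Skill 2: link order 1 is the highest precedence on a container (applied last, so it wins a
# conflict there); Enforced means no child container, even one with Block Inheritance, overrides it
New-GPLink -Name 'Baseline-Security' -Target $parent -Domain $domain -Order 1 -Enforced Yes | Out-Null

# Block Inheritance on the child OU: non-enforced links from site, domain and parent OUs stop here
Set-GPInheritance -Target $child -Domain $domain -IsBlocked Yes | Out-Null

function Show-EffectiveLinks {
    param([Parameter(Mandatory)][string]$Target, [string]$Domain = $domain)
    $inh = Get-GPInheritance -Target $Target -Domain $Domain
    "Container: {0}   Block Inheritance: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {   # reported highest precedence first
        $i++
        "{0,2}. {1,-20} enforced={2,-5} enabled={3,-5} linked at {4}" -f `
            $i, $link.DisplayName, $link.Enforced, $link.Enabled, $link.Target
    }
}

# Expected for the Kiosks OU: Baseline-Security (enforced from the parent, highest precedence)
# and the Kiosks link of Desktop-Lockdown; the parent's non-enforced Desktop-Lockdown link is blocked
Show-EffectiveLinks -Target $child
```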
(Skill 5) Deleting GPO Links and Group Policy Objects
• You might need to link a GPO to additional containers for only a certain period of time, or policies that were once applicable may no longer be needed
• In these situations, you can remove the GPO link from a container object or even delete the GPO
    • If there is more than one GPO link associated with the object, you should remove the GPO link and not delete the GPO
    • If the GPO is associated with a single object, you can delete the GPO, which also deletes all links to the GPO in the domain
(Skill 5) Deleting GPO Links and Group Policy Objects (2)
• To delete a link to a GPO
    • You must have permission to link Group Policy Objects for the OU or the domain
    • If you do not have this level of permission
        • The links are not deleted
        • Links to other domains and sites (called orphan links) remain and appear in the GPMC as Not Found
    • To delete Not Found links, you must have permission to link Group Policy Objects in the site, domain, or OU where the links are located
(Skill 5) Deleting GPO Links and Group Policy Objects (3)
• After deleting a GPO
    • You cannot create a GPO with the same name in the GPMC
    • A unique GUID is created for each GPO, and the GUID can never be repeated, but if you create GPOs with older tools, the same common name could be repeated
    • Replication latency and the use of scripts to execute tasks on GPOs can also cause a common name to be repeated
(Skill 5) Deleting GPO Links and Group Policy Objects (4)
• If you are considering deleting a GPO, check for cross-domain links on the Scope tab for the GPO
    • In the Display links in this location list box, select [Entire Forest]
    • All links for the GPO are displayed in the "The following sites, domains, and OUs are linked to this GPO" box
    • Select all of the links, right-click the selection, and click Delete link to delete all cross-domain links before you delete the GPO
(Skill 5) Figure 10-13 Deleting a GPO link
(Skill 5) Figure 10-14 Confirming the GPO link deletion
(Skill 5) Figure 10-15 Deleting a GPO
(Skill 5) Figure 10-16 Confirming the GPO deletion
(Skill 5) Figure 10-17 The Delete dialog box
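The forest-wide check and clean-up from the slides above, scripted: every site, domain and OU whose gPLink attribute references the GPO is found first (the [Entire Forest] view of the Scope tab), those links are removed, and only then is the GPO deleted, so no orphan "Not Found" links are left in other domains. This is an added example, not code from the original slides; it assumes the GroupPolicy and ActiveDirectory modules, Link GPOs permission in each location, and a hypothetical GPO "Old-Printer-Policy" in domain corp.example.

```powershell
# Added example, not from the original slides: finds every container in the forest linked to a
# GPO, removes those links, then deletes the GPO. Assumes the GroupPolicy and ActiveDirectory
# modules and a hypothetical GPO name and domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkLocation {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Domain)
    $gpo    = Get-GPO -Name $Name -Domain $Domain
    $guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'   # gPLink stores the GPO GUID in braces
    $forest = Get-ADForest
    # Domain roots and OUs: one search per domain, rooted at that domain's naming context
    foreach ($d in $forest.Domains) {
        $dn = (Get-ADDomain -Identity $d).DistinguishedName
        Get-ADObject -Server $d -SearchBase $dn -LDAPFilter "(gPLink=*$guid*)" |
            ForEach-Object { [pscustomobject]@{ Domain = $d; Target = $_.DistinguishedName } }
    }
    # Sites live in the Configuration partition; one search via the forest root
    $cfg = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
    Get-ADObject -Server $forest.RootDomain -SearchBase "CN=Sites,$cfg" -LDAPFilter "(gPLink=*$guid*)" |
        ForEach-Object { [pscustomobject]@{ Domain = '(site)'; Target = $_.DistinguishedName } }
}

$gpoName   = 'Old-Printer-Policy'
$gpoDomain = 'corp.example'

$links = @(Get-GpoLinkLocation -Name $gpoName -Domain $gpoDomain)
"{0} link(s) found for {1}" -f $links.Count, $gpoName
$links | Format-Table -AutoSize

# Remove every link first: deleting the GPO alone only removes links in its own domain and
# leaves links in other domains and sites behind as orphan "Not Found" entries (slide 2)
foreach ($l in $links) {
    Remove-GPLink -Name $gpoName -Domain $gpoDomain -Target $l.Target | Out-Null
}

# With no links left anywhere, the GPO itself can go
Remove-GPO -Name $gpoName -Domain $gpoDomain
```

If Remove-GPLink rejects a link that sits in another domain, rerun it with -Server pointing at a domain controller of that domain, or delete that link in the GPMC as slide 4 describes.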
(Skill 6) Examining the Application of Group Policy Using RSoP
• RSoP is a useful new tool that allows you to visually examine the application of Group Policy
• To use RSoP (if you have not installed the GPMC)
    • Open MMC and create a new console
    • Query Active Directory for the Group Policies applying to a specific level of the hierarchy or for a specific object
• RSoP returns a list of all Group Policy settings
    • Shows the configuration for each setting
    • Identifies the Group Policy Object that configured that particular setting
(Skill 6) Examining the Application of Group Policy Using RSoP (2)
• Using RSoP in troubleshooting Group Policy application
    • It allows you to quickly and easily determine the source of GPO conflicts on your network
    • RSoP identifies
        • The final group of policies that are applied, and which GPO set the final value for each policy
        • The details for the policies that were not applied, including all other GPOs that attempted to set the policy and the setting they tried to impose
(Skill 6) Examining the Application of Group Policy Using RSoP (3)
• In the GPMC, the functionality of RSoP is broken down into two distinct capabilities, which are controlled by two wizards
    • Group Policy Results Wizard
    • Group Policy Modeling Wizard
(Skill 6) Examining the Application of Group Policy Using RSoP (4)
• Group Policy Results Wizard
    • Queries the target computer for the RSoP data that was applied to that computer
    • Displays the policies that are applied to that computer or to a particular user on that computer
    • The client being queried must be running Windows XP Professional or Windows Server 2003 or later
    • In the RSoP snap-in, this functionality is called logging mode
(Skill 6) Figure 10-18 The Group Policy Results Wizard
(Skill 6) Examining the Application of Group Policy Using RSoP (5)
• Group Policy Modeling Wizard
    • Provides a simulation tool
    • Allows administrators to test what would happen to policy application for a particular user or computer under certain conditions, for example when
        • The security group memberships are changed
        • The location of the object in Active Directory is changed
(Skill 6) Examining the Application of Group Policy Using RSoP (6)
• Group Policy Modeling Wizard
    • The modeling functionality is controlled by a service that is only installed on a Windows Server 2003 domain controller
    • There must be at least one Windows Server 2003 domain controller in the domain
    • In the RSoP snap-in, this functionality is called planning mode
(Skill 6) Figure 10-19 The Group Policy Modeling Wizard
(Skill 6) Examining the Application of Group Policy Using RSoP (7)
• After you have run one of the wizards, the RSoP data is generated as an HTML report
• HTML report
    • Displays the policy settings that are applied
    • Identifies the GPO that sets the policy value
    • The report is added to either the Group Policy Results or Group Policy Modeling node in the GPMC
(Skill 6) Examining the Application of Group Policy Using RSoP (8)
• Viewing the HTML report
    • Right-click a report
    • Click Advanced View to open the RSoP console
    • You can view each policy setting and the source GPO
    • You can open the Properties dialog box for each policy; its Precedence tab
        • Allows you to verify the GPO that "won"
        • Allows you to view all GPOs that attempted to set the policy and the value they attempted to set
(Skill 6) Figure 10-20 The RSoP console
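The Group Policy Results query (RSoP logging mode) from Skill 6, run from PowerShell against a remote computer and user, with the XML report parsed to list each GPO, where it was linked, and whether it applied or was denied and why. This is an added example, not code from the original slides; it assumes the GroupPolicy module, a reachable target running Windows XP Professional or Server 2003 or later, the hypothetical names WS-KIOSK01 and corp\jdoe, and the RSoP report element names used below (Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath, Link/LinkOrder), which should be checked against a report from your own environment.

```powershell
# Added example, not from the original slides: runs a Group Policy Results (RSoP logging mode)
# query and summarises per GPO whether it applied. Assumes the GroupPolicy module, hypothetical
# computer and user names, and the RSoP XML element names referenced below.
Import-Module GroupPolicy

function Get-RsopGpoSummary {
    param([Parameter(Mandatory)][string]$Computer, [Parameter(Mandatory)][string]$User)
    $path = Join-Path $env:TEMP ("rsop-{0}.xml" -f $Computer)
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $path | Out-Null
    [xml]$rsop = Get-Content -Path $path -Raw

    foreach ($scope in 'ComputerResults', 'UserResults') {
        # PowerShell's XML adapter walks the tree without namespace prefixes
        foreach ($g in @($rsop.Rsop.$scope.GPO)) {
            if (-not $g) { continue }
            # Same flags the HTML report's "Denied GPOs" section is built from
            $reason = if     ($g.AccessDenied  -eq 'true')  { 'security filtering' }
                      elseif ($g.FilterAllowed -eq 'false') { 'WMI filter' }
                      elseif ($g.Enabled       -eq 'false') { 'GPO disabled' }
                      elseif ($g.IsValid       -eq 'false') { 'GPO inaccessible or invalid' }
                      else                                  { '' }
            $link  = @($g.Link)[0]                 # first link reported for this GPO
            $order = 0
            [void][int]::TryParse([string]$link.LinkOrder, [ref]$order)
            [pscustomobject]@{
                Scope     = $scope
                GPO       = $g['Name'].InnerText   # child <Name>, not the element's tag name
                LinkedAt  = [string]$link.SOMPath
                LinkOrder = $order
                Applied   = [string]::IsNullOrEmpty($reason)
                Reason    = $reason
            }
        }
    }
}

# Applied GPOs first, then the denied ones with the flag that excluded them
Get-RsopGpoSummary -Computer 'WS-KIOSK01' -User 'corp\jdoe' |
    Sort-Object Scope, @{Expression='Applied'; Descending=$true}, LinkOrder |
    Format-Table -AutoSize
```

Which GPO "won" a particular setting is still read from the Precedence tab in the RSoP console (Figure 10-20); this summary only shows which GPOs were in the running.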