Introduction to Group Policy BAI516
Group Policy • Group Policy is a method of controlling settings across your network. • Group Policy consists of user and computer settings on all versions of Windows since Windows 2000 that can be implemented during computer startup and shutdown and user logon and logoff.
Group Policy • You can configure one or more GPOs within a domain and then use a process called linking, which applies these settings to various containers (domain, sites and OUs) within Active Directory.
Group Policy • You can link multiple GPOs to a single container or link one GPO to multiple containers throughout the Active Directory structure.
Group Policy • The following managed settings can be defined or changed through Group Policies: • Registry-based policies - As the name implies, these settings modify the Windows Registry. • Software installation policies can be used to ensure that users always have the latest versions of applications. • Folder redirection allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network.
Group Policy • Scripts – Including logon, logoff, startup, and shutdown scripts, these can assist in configuring the user environment. • Microsoft Internet Explorer settings – Provide quick links and bookmarks for user accessibility, in addition to browser options such as proxy use, acceptance of cookies, and caching options. • Security settings – Protect resources on computers in the enterprise.
Group Policy • Group Policies can be linked to sites, domains, or OUs (not groups) to apply those settings to all users and computers within these Active Directory containers.
Group Policy Objects (GPOs) • Contain all of the Group Policy settings that you wish to apply to user and computer objects within a site, domain, or OU. • Must be associated with (linked to) the container to which they are applied. • There are three types of GPOs: • Local GPOs. • Domain GPOs. • Starter GPOs.
Default Group Policies • When Active Directory is installed, two domain GPOs are created by default. • Default Domain Policy: It is linked to the domain, and its settings affect all users and computers in the domain. • Default Domain Controllers Policy: It is linked to the Domain Controllers OU, and its settings affect all domain controllers in the domain.
Creating and Managing Group Policies • The Group Policy Management Console (GPMC) is the Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. • The GPMC was not pre-installed in Windows Server 2003. • The GPMC is included in Windows Server 2008 by default. • When you configure a GPO, you will use the Group Policy Management Editor, which can be accessed through the GPMC or through Active Directory Users and Computers.
Group Policy Settings • Configuring Group Policy settings enables you to customize the configuration of a user’s desktop, environment, and security settings. • The actual settings are divided into two subcategories: • Computer Configuration • User Configuration
Group Policy Settings • The Computer Configuration and the User Configuration nodes contain three subnodes: • Software Settings • Used to install software. • Windows Settings • Used to define security settings and scripts. • Administrative Templates • Windows Server 2008 includes thousands of Administrative Template policies, which contain all registry-based policy settings. • They are used to generate the user interface for the Group Policy settings.
GPO Inheritance • You link a GPO to a domain, site, or OU or create and link a GPO to one of these containers in a single step. The settings within that GPO apply to all child objects within the object.
Group Policy Processing (LSDOU) • Local policies. • Site policies. • Domain policies. • OU policies. Any conflicting GPO settings are overwritten by the later running GPO. Good To Know!
Understanding Group Policy Processing • When a computer is initialized during startup, it establishes a secure link between the computer and a domain controller. • Then the computer obtains a list of GPOs to be applied. • Computer configuration settings are applied synchronously during computer startup before the Logon dialog box is presented to the user.
Understanding Group Policy Processing • Any startup scripts set to run during computer startup are processed. These scripts also run synchronously and have a default timeout of 600 seconds (10 minutes) to complete. • When the Computer Configuration scripts and startup scripts are complete, the user is prompted to press Ctrl+Alt+Del to log on.
Understanding Group Policy Processing • Upon successful authentication, the user profile is loaded based on the Group Policy settings in effect. • A list of GPOs specific for the user is obtained from the domain controller. • User Configuration settings also are processed in the LSDOU sequence.
Understanding Group Policy Processing • After the user policies run, any logon scripts run. • The user's desktop appears after all policies and scripts have been processed.
Configuring Exceptions to GPO Processing • Enforce — Configuring this setting on an individual GPO link forces a particular GPO’s settings to flow down through the Active Directory without being blocked by any child OUs. • Block Policy Inheritance — Configuring this setting on a container object such as a site, domain, or OU will block all policies from parent containers from flowing to this container.
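The LSDOU order and the Enforce and Block Policy Inheritance exceptions described above can be modelled in a few lines. This is an added example, not part of the original slides: a simplified Python model in which every GPO name, setting name and value is hypothetical. It goes slightly beyond the slides by assuming that an enforced link in a higher container wins over one in a lower container and that the local policy is not affected by Block Policy Inheritance.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str                       # "Local", "Site", "Domain", or an OU name
    links: list = field(default_factory=list)   # in processing order
    block_inheritance: bool = False

def resolve(chain):
    """chain: containers in LSDOU order, parent OUs before child OUs.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    normal, enforced = [], []       # enforced holds one list per container
    for c in chain:
        if c.block_inheritance:
            # Drops non-enforced links inherited from parent containers.
            # Assumption: the local policy is not an AD link, so it is kept.
            normal = [(src, l) for src, l in normal if src == "Local"]
        normal += [(c.name, l) for l in c.links if not l.enforced]
        enforced.append([l for l in c.links if l.enforced])
    result = {}
    ordered = [l for _, l in normal]
    # Enforced links are written last, and the outermost container last of
    # all, so neither a child OU nor Block Policy Inheritance overrides them.
    for level in reversed(enforced):
        ordered += level
    for l in ordered:
        for key, value in l.settings.items():
            result[key] = (value, l.gpo)   # later writer wins
    return result

# Constructed sample hierarchy; every GPO and setting name is hypothetical.
CHAIN = [
    Container("Local", [Link("Local Policy", {"Wallpaper": "default.bmp"})]),
    Container("Site", [Link("Site Proxy", {"Proxy": "proxy.example.test:8080"})]),
    Container("Domain", [
        Link("Security Baseline", {"ScreenLockSeconds": 600}, enforced=True),
        Link("Domain Desktop", {"Wallpaper": "corp.bmp"})]),
    Container("OU=Staff", [Link("Staff Prefs",
              {"ScreenLockSeconds": 3600, "Wallpaper": "staff.bmp"})]),
    Container("OU=Lab", [Link("Lab Policy", {"Proxy": "direct"})],
              block_inheritance=True),
]

if __name__ == "__main__":
    for depth in (4, 5):            # an object in OU=Staff, then one in OU=Lab
        print(CHAIN[depth - 1].name, resolve(CHAIN[:depth]))
```

In the sample, the enforced domain baseline keeps the 600-second lock even though OU=Staff sets 3600, and OU=Lab with Block Policy Inheritance loses the site and domain desktop settings but still receives the enforced baseline.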
GPUpdate Command • If you make changes to a group policy, users may not see changes take effect until: • They log off and log back in. • They reboot the computer. • They wait 90 minutes (+/- 30 minutes) for stand-alone servers/workstations and 2 minutes for domain controllers. • To manually push group policies, you need to use the gpupdate command: gpupdate /force
Summary • Group Policy consists of user and computer settings that can be implemented during computer startup and user logon.
Summary • In Active Directory, Group Policies can be assigned to sites, domains, and OUs. • By default, there is one local policy per computer. Local policy settings are overwritten by Active Directory policy settings.
Summary • The Default Domain Policy and the Default Domain Controllers Policy are created by default when Active Directory is installed. • The Group Policy Management Console is the tool used to create and modify Group Policies and their settings.
Summary • The order of Group Policy processing can be remembered using the acronym LSDOU: • Local • Site • Domain • OU • This order is an important part of understanding how to implement Group Policies for an object.
Summary • Group Policies applied to parent containers are inherited by all child containers and objects. • Inheritance can be altered by using the Enforce, Block Policy Inheritance, or Loopback settings.