11 PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY Chapter 10

Chapter 10: PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY 2

FILTERING GROUP POLICY’S SCOPE

By default, settings flow from site to domain to OU.

Three ways to control Group Policy settings inheritance:

Block Policy Inheritance

Security filtering

WMI filters

SECURITY FILTERING

WMI FILTERS

Windows Management Instrumentation (WMI)

Used for queries and filters concerning:

Hardware

Software

Operating system type

Can be linked to multiple GPOs

WMI FILTER EXAMPLES

Table 10-1 WMI Filter Examples

| Target Computer | Sample WMI Filter String |
| --- | --- |
| All computers that are running Windows XP Professional | Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" |
| All computers that have more than 10 MB of available drive space on a C: NTFS partition | Select * from Win32_LogicalDisk WHERE Name = "C:" AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS" |
| All computers with a modem installed | Select * from Win32_POTSModem Where Name = " MyModem" |

CREATING WMI FILTERS

GROUP POLICY MANAGEMENT CONSOLE (GPMC)

Free add-on tool that can be used to manage Group Policy.

Installs on:

Windows XP with Service Pack 1

Any edition of Windows Server 2003

Can be used for:

Importing and copying GPO settings

Backing up and restoring of GPOs

Executing the Resultant Set of Policy (RSoP) snap-in

Generating HTML reports

INSTALLING GPMC

GPMC is not on the Windows Server 2003 CD-ROM.

Can be downloaded for free from the Microsoft Web site.

In this course, gpmc.msi is on your supplemental CD-ROM.

Double-click the gpmc.msi file and run through the wizard.

Distribute through Group Policy.

GPMC CHANGES ACTIVE DIRECTORY USERS AND COMPUTERS

CREATING WMI FILTERS IN GPMC

LINKING WMI FILTERS

NAVIGATING WITH GROUP POLICY MANAGEMENT

INFORMATION DISPLAYED IN THE GPMC INTERFACE

DETERMINING AND TROUBLESHOOTING EFFECTIVE POLICY SETTINGS

Resultant Set Of Policy (RSoP) Wizard

Group Policy Results

Group Policy Modeling

Gpresult.exe command line tool

RSOP LOGGING MODE

RSOP PLANNING MODE

GROUP POLICY MODELING IN GPMC

GROUP POLICY RESULTS

Gpresult.exe

DELEGATING GROUP POLICY ADMINISTRATIVE CONTROL

Creation of GPOs

Permissions on GPOs

Linking of GPOs

Use of Group Policy Modeling and Group Policy Results

Creation of WMI filters

WMI permissions

DELEGATING GPO CREATION

DELEGATING PERMISSIONS TO AN INDIVIDUAL GPO

GPMC Individual GPO Permissions

| Allowed Permissions Category | Underlying Permissions and Effects |
| --- | --- |
| Read | Allows Read Access on the GPO. |
| Edit settings | Includes Read, Write, Create Child Objects, and Delete Child Objects. |
| Edit, delete, and modify security | Includes Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. Implies Full Control without the Apply Group Policy permission being set. |
| Read (from Security Filtering) | An automatic setting that appears when a user has Read and Apply Group Policy permissions to the GPO. |
| Custom | These permissions include those set individually using the ACL editor for the GPO. The ACL editor is invoked by using the Advanced button and shows the Security tab contents for the GPO. |

DELEGATING LINKING, MODELING, AND RESULTS

DELEGATING WMI FILTERING

PLANNING GROUP POLICY INTEGRATION

Create policies at the highest level possible.

Limit the number of GPOs created.

Create specialized GPOs for policies.

Disable unnecessary portions (user or computer).

Only apply GPOs to sites when settings are required on a site basis.

RECOMMENDATIONS ON GROUP POLICY INHERITANCE

Limit use of the following:

No Override

Block Policy Inheritance

Security filtering

PLANNING ADMINISTRATION AND IMPLEMENTATION OF GPOS

Determine which administrators will have policy delegation roles

Test policy settings

Document the plan

RESTORING DEFAULT SECURITY SETTINGS

CHAPTER SUMMARY

Name two methods you can use to filter GPOs.

How many WMI filters can be applied to each GPO?

What can you do with GPMC?

What two modes are available in RSoP?

List ways in which you can delegate Group Policy control.
