Administering Group Policy: Chapter Eleven

Exam Objectives in this Chapter
- Plan a Group Policy strategy using Resultant Set of Policy Planning mode
- Troubleshoot Group Policy application deployment issues
- Troubleshoot the application of Group Policy security settings
- Redirect folders using Group Policy

In this Chapter:
- Managing Group Policy with RSoP
- Managing Special Folders with Group Policy
- Troubleshooting Group Policy

To Complete this Chapter: As outlined on page 11-2

Understanding RSoP
- Resultant Set of Policy (RSoP): RSoP is the sum of the group policies applied to a user or computer.
- RSoP is the sum of the policies applied to a user or computer, including the application of filters, such as through security groups and Windows Management Instrumentation (WMI), and exceptions, such as No Override and Block Policy Inheritance.

Generating RSoP Queries
- The Resultant Set Of Policy Wizard uses existing GPO settings to report the effects of GPOs on users and computers.
- The Resultant Set Of Policy Wizard uses two modes:
  - Logging mode
  - Planning mode

Logging Mode
- RSoP Logging mode enables you to review existing GPO settings, software installation applications, and security for a computer account or a user account.
- Use Logging mode to:
  - Find failed or overwritten policy settings
  - See how security groups affect policy settings
  - Find out how local policy is affecting group policies

Planning Mode
- Using RSoP Planning mode, you can poll existing GPOs for policy settings, software installation applications, and security, and you can use WMI filter queries to read hardware and software properties.

Planning Mode
Use Planning mode in the following situations:
- You want to test policy precedence in cases where…
  - The user and the computer are in different security groups
  - The user and the computer are in different OUs
  - The user or the computer is moving to a new location
- You want to simulate a slow link
- You want to simulate loopback
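The precedence test that Planning mode is used for, as an added example (not part of the original slides): a small model that computes which GPO wins each setting when an account moves between OUs or security groups, with No Override and Block Policy Inheritance applied. All GPO, OU, group and setting names are constructed; the model assumes links are listed in processing order and leaves out the local GPO, WMI filters, loopback and slow-link handling.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False      # "No Override" set on the link
    apply_groups: frozenset = frozenset({"Authenticated Users"})  # security filter

@dataclass
class Container:                   # a site, domain or OU on the path to the account
    name: str
    links: list = field(default_factory=list)   # assumed to be in processing order
    block_inheritance: bool = False              # "Block Policy Inheritance"

def rsop(path, member_of):
    """path: containers ordered site, domain, parent OU ... child OU."""
    groups = set(member_of) | {"Authenticated Users"}
    # GPOs linked above the lowest blocking container are dropped
    # unless their link is marked No Override.
    cut = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(path):
        for gpo in c.links:
            if not (gpo.apply_groups & groups):
                continue           # filtered out by security group membership
            if gpo.no_override:
                enforced.append(gpo)
            elif i >= cut:
                normal.append(gpo)
    result = {}
    # Closer GPOs overwrite earlier ones; No Override GPOs are written last,
    # reversed so the one highest in the hierarchy wins a conflict.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample data: an enforced domain baseline and a blocking kiosk OU.
baseline = GPO("Domain Baseline", {"ScreenLock": "10 min", "Wallpaper": "corp"}, no_override=True)
drives = GPO("Domain Drives", {"HomeDrive": "H:"})
helpdesk = GPO("Helpdesk Tools", {"RemoteAssist": "on"}, apply_groups=frozenset({"Helpdesk"}))
kiosk = GPO("Kiosk Lockdown", {"ScreenLock": "never", "StartMenu": "hidden"})
domain = Container("example.test", [baseline, drives])
staff = Container("OU=Staff", [helpdesk])
kiosks = Container("OU=Kiosks", [kiosk], block_inheritance=True)

def simulate():
    return (rsop([domain, staff], ["Helpdesk"]), rsop([domain, staff], ["Sales"]),
            rsop([domain, kiosks], ["Helpdesk"]))
```

In the third result the kiosk OU's block drops the non-enforced domain GPO, but the enforced baseline still overrides the OU's own ScreenLock value.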

RSoP Planning Mode Options
- Slow-network connection: This option simulates a slow connection.
- Loopback processing: This option simulates enabling of the GPO setting User Group Policy Loopback Processing Mode, located in Computer Configuration, Administrative Templates, System, Group Policy. It can be set to Merge or Replace.
- Site name: This option simulates the application of alternate subnets for startup or logging on, enabling you to predict the RSoP if the subnet is changed.
- Alternate user and computer locations: This option simulates the application of alternate locations for both users and computers, enabling you to predict the RSoP if the user and/or computer is moved.
- Alternate user and computer security groups: This option simulates the application of alternate security groups to both computer and user configurations, enabling you to predict the RSoP using security groups to filter GPO scope.
- WMI filters for users and computers: This option simulates the use of WMI filters to help define the policy settings that are applied, enabling you to predict the RSoP using WMI queries to filter GPO scope.

Exam Tip
Make sure you understand the differences between using RSoP in Logging mode and in Planning mode.

Creating RSoP Queries (wizard pages)
- Mode Selection: Logging mode, Planning mode
- Computer Selection: This computer, Another computer
- User Selection: Current user, Select a specific user
- Summary of Selections

RSoP Wizard (wizard pages)
- User and Computer Selection
- Advanced Simulations Options
- Alternate Active Directory Paths
- User Security Groups, Computer Security
- WMI Filters for Users: All linked filters, Only these filters
- Summary of Selections

Saving and Viewing RSoP Queries
Steps on pages 14 – 15.

Administrative Templates Results: Computer Configuration Properties
- Displaying filtering status
- Displaying scope management
- Displaying revision information

Gpresult Command-Line Tool
Gpresult provides general information about the operating system, user, and computer.

Gpresult provides the following information about Group Policy:
- The last time Group Policy was applied and the domain controller that applied policy—for the user and for the computer
- The complete list of applied GPOs and their details, including a summary of the extensions that each GPO contains
- Registry settings that are applied and their details
- Folders that are redirected and their details
- Software management information, including details about assigned and published applications
- Disk quota information
- Internet Protocol (IP) security settings
- Scripts

Gpresult Command Parameters
Gpresult has the following syntax:

gpresult [/s computer [/u domain\user /p password]] [/user username] [/scope {user|computer}] [/v] [/z]

Note table 11-4. Examples on page 11-21.

Advanced System Information–Policy Tool
- The Advanced System Information–Policy tool enables you to create an RSoP query and view the results in an HTML report that appears in the Help And Support Center window.
- This report can be printed, and it can be saved to an .htm file.

The report generated displays policy-related information for the following categories:
- Computer name, associated domain, and current site
- User name and associated domain
- Applied GPOs for the computer and user
- Security group memberships for the computer and user
- Microsoft Internet Explorer settings
- Scripts: logon, logoff, startup, shutdown
- Security settings
- Programs installed
- Folder redirection
- Registry settings

Advanced System Information

Delegating Control of RSoP
- Permission for generating an RSoP query is set for the domain or OU by selecting one of the Generate Resultant Set Of Policy Planning options in the Delegation Of Authority Wizard.
- You must be a member of the Enterprise Administrators group to delegate RSoP control at the domain and site level.

Practice: Generating RSoP Queries
- Exercise 1: Creating an RSoP Query with the Resultant Set Of Policy Wizard Logging Mode (Page 11-24)
- Exercise 2: Creating an RSoP Query with the Gpresult Command-Line Tool
- Exercise 3: Creating an RSoP Query with the Advanced System Information–Policy Tool (Page 11-25)

Managing Special Folders with Group Policy
Two ways to set up folder redirection:
1. One location for everyone in the site, domain, or OU
2. A location according to security group membership
- Folder Redirection
- Offline Folder

Folder Redirection
You redirect users’ folders to provide a centralized location for key Microsoft Windows XP Professional folders on a server or servers.

Special Folders To Be Redirected:
- Application Data
- Desktop
- My Documents
- My Pictures
- Start Menu

Advantages of Redirecting Folders
- Documents are always available.
- When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself.
- Offline File technology provides users with access to My Documents even when they are not connected to the network.
- Data stored on a shared network server can be backed up as part of routine system administration.
- The system administrator can use Group Policy to set disk quotas, limiting the amount of space taken up by users’ special folders.
- Data specific to a user can be redirected to a different hard disk on the user’s local computer from the hard disk holding the operating system files.

Redirecting My Documents to Home Folders
When you redirect My Documents to a user’s home folder, the system assumes that the administrator has set the following items correctly:
- Security
- Ownership
- Home directory property on the user object

Default Special Folder Locations
Note table 11-5

Setting Up Folder Redirection
Two ways to set up folder redirection:
- Redirect special folders to one location for everyone in the site, domain, or OU.
- Redirect special folders to a location according to security group membership.
Follow the steps on pages 30 – 37

Exam Tip
Be sure you know the two ways to set up folder redirection.

Policy Removal Considerations
Note table 11-6 page 11-38

Folder Redirection and Offline Files
- The Offline Files feature provides users with access to redirected folders even when they are not connected to the network.
- Offline Files caches files accessed through folder redirection onto the hard drive of the local computer.
- When a user accesses a file in a redirected folder, the file is accessed and modified locally.
- When a user has finished working with the file and has logged off, only then does the file traverse the network for storage on the server.

Folder Redirection Best Practices
- Allow the system to create the folders
- Use fully qualified UNC paths, for example: \\servername\sharename
- Accept defaults
- Place the My Pictures folder in the My Documents folder
- Consider what will happen if the policy is removed
- Do not redirect My Documents to the home folder unless you have already deployed home directories in your organization
- Enable Offline Files

Practice: Managing Special Folders
- Exercise 1: Setting Up Folder Redirection
- Exercise 2: Setting Up Offline Files
Page 11-47

Troubleshooting Group Policy
Troubleshooting Group Policy involves using the Resultant Set Of Policy Wizard, the Gpresult and Gpupdate command-line tools, the Event Viewer, and log files to solve policy-related problems.

Tools include:
- Resultant Set Of Policy Wizard and Gpresult
- Gpupdate
- Event Viewer
  - To enable verbose logging for the event log, complete the steps on page 11-52
- Log Files

Group Policy Troubleshooting Scenarios
Pages 54 - 57

Summary
- Case Scenario Exercise: Pages 59 – 60.
- Troubleshooting Lab: Pages 60 - 64
- Exam Highlights: Key points, Key terms. Page 65
