11 PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY Chapter 10

11

PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY

Chapter 10

Chapter 10: PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY 2

FILTERING GROUP POLICY’S SCOPE

By default, settings flow from site to domain to OU.

Three ways to control Group Policy settings inheritance Block Policy Inheritance:

Security filtering

WMI filters


SECURITY FILTERING


WMI FILTERS

Windows Management Instrumentation (WMI)

Used for queries and filters concerning Hardware

Software

Operating system type

Can be linked to multiple GPOs


WMI FILTER EXAMPLES

Table 10-1 WMI Filter Examples

TTaarrggeett CCoommppuutteerr SSaammppllee WWMMII All computers that arerunning Windows XPProfessional

Select * from Win32_OperatingSystemwhere Caption = "Microsoft WindowsXP Professional"

All computers that havemore than 10 MB ofavailable drive space

on a C: NTFS partition

Select * from Win32_LogicalDiskWHERE Name= "C:" AND DriveType = 3AND FreeSpace > 10485760 ANDFileSystem = "NTFS"

All computers with amodem installed

Select * from Win32_POTSModemWhere Name = " MyModem"

FFiilltteerr SSttrriinngg


CREATING WMI FILTERS


GROUP POLICY MANAGEMENT CONSOLE (GPMC)

Free add-on tool that can be used to manage Group Policy. Installs on: Windows XP with Service Pack 1

Any edition of Windows Server 2003

Can be used for: Importing and copying GPO settings

Backing up and restoring of GPOs

Executing the Resultant Set of Policy (RSoP) snap-in

Generating HTML reports


INSTALLING GPMC

GPMC is not on the Windows Server 2003 CD-ROM.

Can be downloaded for free from the Microsoft Web site.

In this course, gpmc.msi is on your supplemental CD-ROM. Double-click the gpmc.msi file and run

through the wizard.

Distribute through Group Policy.


GPMC CHANGES ACTIVE DIRECTORY USERS AND COMPUTERS


CREATING WMI FILTERS IN GPMC


LINKING WMI FILTERS


NAVIGATING WITH GROUP POLICY MANAGEMENT


INFORMATION DISPLAYED IN THE GPMC INTERFACE


DETERMINING AND TROUBLESHOOTING EFFECTIVE POLICY SETTINGS

Resultant Set Of Policy (RSoP) Wizard

Group Policy Results

Group Policy Modeling

Gpresult.exe command line tool


RSOP LOGGING MODE


RSOP PLANNING MODE


GROUP POLICY MODELING IN GPMC


GROUP POLICY RESULTS


Gpresult.exe


DELEGATING GROUP POLICY ADMINISTRATIVE CONTROL

Creation of GPOs

Permissions on GPOs

Linking of GPOs

Use of Group Policy Modeling and Group Policy Results

Creation of WMI filters

WMI permissions


DELEGATING GPO CREATION


DELEGATING PERMISSIONS TO AN INDIVIDUAL GPOGPMC Individual GPO Permissions

AAlllloowweedd PPeerrmmiissssiioonnssCCaatteeggoorryy UUnnddeerrllyyiinngg PPeerrmmiissssiioonnss aanndd EEffffeeccttss

Read Allows Read Access on the GPO.

Edit settings Includes Read, Write, Create Child Objects, andDelete Child Objects.

Edit, delete, andmodify security

Includes Read, Write, Create Child Objects, DeleteChild Objects, Delete, Modify Permissions, and Modify

Owner. Implies Full Control without the Apply GroupPolicy permission being set.

Read (fromSecurity Filtering)

An automatic setting that appears when a user hasRead and Apply Group Policy permissions to the GPO.

Custom These permissions include those set individuallyusing the ACL editor for the GPO. The ACL editor isinvoked by using the Advanced button and shows the

Security tab contents for the GPO.


DELEGATING LINKING, MODELING, AND RESULTS


DELEGATING WMI FILTERING


PLANNING GROUP POLICY INTEGRATION

Create policies at the highest level possible.

Limit the number of GPOs created.

Create specialized GPOs for policies.

Disable unnecessary portions (user or computer).

Only apply GPOs to sites when settings are required on a site basis.


RECOMMENDATIONS ON GROUP POLICY INHERITANCE

Limit use of the following: No Override

Block Policy Inheritance

Security filtering


PLANNING ADMINISTRATION AND IMPLEMENTATION OF GPOS

Determine which administrators will have policy delegation roles

Test policy settings

Document the plan


RESTORING DEFAULT SECURITY SETTINGS


CHAPTER SUMMARY

Name two methods you can use to filter GPOs.

How many WMI filters can be applied to each GPO?

What can you do with GPMC?

What two modes are available in RSoP?

List ways in which you can delegate Group Policy control.

Documents

11 PLANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY Chapter 10