8/10/2019 4 Understanding the Architecture of Group Policy Processing
1/32
16/11/2014 4 Understanding the Architecture of Group Policy Processing
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=5&FontSize= 1/32
4 Understanding the Architecture of Group Policy Processing
Section Topics
Group Policy Components in AD DS
Understanding the Group Policy Processing Sequence
Modifying Group Policy Processing
Section Objectives
After completing this section, you will be able to:
Describe the Active Directory components that you can use to deploy Group Policy
Explain the order in which Group Policy is deployed in Active Directory
Describe the methods that are available to modify Group Policy processing
Section Overview
Troubleshooting Group Policy involves more than knowing when to use which tool. You also need to understand the Group Policy infrastructure, the GPO structure, and the Group Policy deployment order. This section describes the concepts that you must grasp in order to troubleshoot Group Policy. This section also describes the options that are available to change the standard Group Policy processing sequence.
Group Policy Components in AD DS
Figure 80: Group Policy Components in AD DS
All domain controllers and computers that are members of the domain use certain Active Directory components to deploy Group Policy settings. Figure 80 lists these components.
You must have access to the physical and logical network diagrams of your Active Directory infrastructure to troubleshoot Group Policy.
Sysvol Folder
Figure 81: Sysvol Folder
The Sysvol folder is a system folder located in the NTFS file system of every Active Directory domain controller in %SystemRoot%\Sysvol. This folder contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.
Sysvol Details
The domain where the user account is located also contains the Group Policy settings of the authenticating user. These settings are stored in the Sysvol folder on each domain controller and replicated throughout the domain using the FRS.
The FRS monitors and updates the changes to Group Policy, startup and shutdown scripts, and logon and logoff scripts. If your Active Directory is made up of multiple sites (subnets), the location of your Sysvol folders will be separated by WAN links.
If you have multiple sites, and each site contains multiple domain controllers, your network map can get very complicated and much more dependent on the replication process.
PDC Emulator
Figure 82: PDC Emulator
One domain controller per domain is assigned the role of a PDC (primary domain controller) emulator. Only one domain controller can have this role per domain. The PDC emulator role is automatically assigned to the first domain controller in an Active Directory domain.
When Group Policy settings are first created or modified using the Active Directory Users and Computers console, the current live Group Policy settings are pulled from the domain controller in the domain that is the PDC emulator.
You can use a variety of tools and utilities to find out which domain controller is currently the PDC emulator. One of the most helpful methods is using the Netdom support tool with the following syntax at the command prompt:
netdom query fsmo
Another support tool is Addiag, which can tell you if all the domain controllers in the domain know who the current PDC emulator is.
Note
You can use the Dcgpofix command-line tool to restore the Default Domain Policy and Default Domain Controllers OU policy to their original state. This tool works only in Windows 2003 or later domains.
Client-Side Extensions
Although the components of each GPO are stored in Active Directory, the client itself processes each linked GPO using client-side extensions. Client-side extensions are a collection of local DLLs that have one specific job: to process all enabled GPOs found on the server at logon or at a specific processing time.
The available policy settings are grouped into specific categories including administrative templates, security, folder redirection, wireless, IPSec, EFS, and software installation. After the client determines which GPOs to apply, each GPO is passed to the client-side extensions.
The following topic describes registry client-side extensions, which apply the settings from within the Administrative Templates section to a client computer.
Registry Client-Side Extensions
Registry client-side extensions deal with the Group Policy settings contained in the Administrative Templates section. Note that some settings are hidden by default; these hidden settings are defined as true policies. The settings that are available and loaded by default are called preferences. Figure 83 lists the client-side extensions and the GUID that identifies each one.
GUID                                    Group Policy Component
25537BA6-77A8-11D2-9B6C-0000F8080861    Folder redirection
3610EDA5-77EF-11D2-8DC5-00C04FA31A66    Disk quota
42B5FAAE-6536-11D2-AE5A-0000F87571E3    Scripts
827D319E-6EAC-11D2-A4EA-00C04F79F83A    Security
B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A    EFS recovery
C6DC5466-785A-11D2-84D0-00C04FB169F7    Application management
A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B    Internet Explorer settings
35378EAC-683F-11D2-A89A-00C04FBBCFA2    Registry settings
e437bc1c-aa7d-11d2-a382-00c04f991e27    IP Security
Figure 83: Registry Client-Side Extensions
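The GUIDs in Figure 83 are what a GPO's Group Policy container records in its gPCMachineExtensionNames and gPCUserExtensionNames attributes, and the client uses them to decide which CSE DLLs to call. The PowerShell below is an added example, not code from the course, that reads those attributes from every GPC and maps each CSE GUID to its name. It consults the GPExtensions registry key of the machine it runs on first (every CSE registered on a Windows computer has a subkey there whose default value is the extension name) and falls back to the names in Figure 83. It needs the ActiveDirectory module; the output names for unknown GUIDs are a placeholder chosen for this example. Seeing a CSE such as Scripts or Application management appear on a GPO that never carried it is a useful troubleshooting and audit signal.

```powershell
# Added example (not from the course text): map the CSE GUIDs recorded on each
# GPO's Group Policy container to the extension names, so you can see which
# client-side extensions a GPO will invoke. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Fallback names taken from Figure 83; the local GPExtensions registry key is
# consulted first because it lists every CSE registered on this machine.
$CseNamesFromFigure = @{
    '{25537BA6-77A8-11D2-9B6C-0000F8080861}' = 'Folder redirection'
    '{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}' = 'Disk quota'
    '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}' = 'Scripts'
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security'
    '{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}' = 'EFS recovery'
    '{C6DC5466-785A-11D2-84D0-00C04FB169F7}' = 'Application management'
    '{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}' = 'Internet Explorer settings'
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry settings'
    '{E437BC1C-AA7D-11D2-A382-00C04F991E27}' = 'IP Security'
}

function Get-CseName {
    param([string]$Guid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$Guid"
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key).'(default)'
        if ($name) { return $name }
    }
    $fallback = $CseNamesFromFigure[$Guid.ToUpperInvariant()]
    if ($fallback) { return $fallback }
    return 'Unknown CSE'   # placeholder label used by this example
}

# gPCMachineExtensionNames / gPCUserExtensionNames have the form
# [{CSE GUID}{snap-in GUID}...][{CSE GUID}{snap-in GUID}...]
# The first GUID in each bracketed group is the CSE; the remaining GUIDs
# identify the editor snap-ins that wrote the settings.
function ConvertFrom-GpcExtensionNames {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return @() }
    foreach ($group in [regex]::Matches($Value, '\[([^\]]+)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
            ForEach-Object { $_.Value.ToUpperInvariant() })
        if ($guids.Count -eq 0) { continue }
        [pscustomobject]@{
            CseGuid = $guids[0]
            CseName = Get-CseName $guids[0]
            SnapIns = @($guids | Select-Object -Skip 1)
        }
    }
}

function Get-GpoClientSideExtensions {
    $gpcs = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber, gPCMachineExtensionNames, gPCUserExtensionNames
    foreach ($gpc in $gpcs) {
        foreach ($side in 'Machine', 'User') {
            $attr = "gPC${side}ExtensionNames"
            foreach ($ext in (ConvertFrom-GpcExtensionNames $gpc.$attr)) {
                [pscustomobject]@{
                    GPO     = $gpc.displayName
                    GpoGuid = $gpc.Name
                    Side    = $side
                    CseGuid = $ext.CseGuid
                    CseName = $ext.CseName
                }
            }
        }
    }
}

Get-GpoClientSideExtensions | Sort-Object GPO, Side | Format-Table -AutoSize
```

Run it from a domain-joined machine with the RSAT Active Directory module; the registry lookup resolves GUIDs that post-date Figure 83 (Group Policy Preferences extensions, for instance), while the figure's table covers the classic extensions when the script runs on a machine that lacks the key.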
Group Policy Container
Figure 84: Group Policy Container
The policy setting information for a GPO is stored in the GPC (Group Policy container) and the GPT. The GPC stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.
A portion of the GPO is stored in Active Directory and you can view it by using the Active Directory Users and Computers console. The GPC Active Directory object is created from an Active Directory class called the groupPolicyContainer.
Each created GPO creates a separate GPC and corresponding component in Active Directory. You can link each GPO to other OUs in the same or remote domains. You can also create links to sites or other domain roots.
The GPC is used by user and computer accounts within the Active Directory database to process the GPO policies that will be applied.
Each GPO is assigned a unique 128-bit GUID. The GUID can be helpful in locating a policy object when the friendly name of the policy is not displayed, such as when browsing for the policy files in the Sysvol directory structure.
Group Policy Template
Figure 85: Group Policy Template
The GPT (Group Policy template) is also used to store policy settings. The GPT stores the files that are created by the GPO in the Sysvol folder. It stores these files on the PDC emulator for each domain. The GPT stores the computer and user scripts, the GPO template files, and the Registry.pol files. The GPT is assigned a version number that tracks changes that are made to the policy.
The GPT and GPC are linked through the same GUID that is assigned to the GPO.
In order for Group Policy processing to properly process a computer and user, the contents of both the GPC and the GPT must be synchronized. Figure 86 lists the details of the essential Group Policy components and their location in Active Directory.
Active Directory Location                                          Contents                                Active Directory Container
Active Directory                                                   Binary and string information           GPC
Sysvol\Policies\GUID\User or Machine\registry.pol                  Policy settings for user and computer   GPT
Sysvol\Policies\GUID\User or Machine\CustomFolder\Custom File(s)   Policy related files and data           GPT
Figure 86: Group Policy Components
GPO Versioning
Figure 87: GPO Versioning
The number displayed on the properties of a GPO is not a version number; it is instead a revision number listing the number of changes to the User or Computer sections.
The version number of the GPO is calculated based on the total user and computer changes, and it is applied to both the GPC and the GPT.
If the version numbers of the GPT and GPC for a particular GPO are not the same, the GPO will not be processed until the version numbers match or are in sync. For the GPO to sync, the version numbers of both the GPT and the GPC must be identical on each domain controller in the domain.
Note
You can use the Replication Monitor to display the sync status of all GPOs using the Show Group Policy Object Status context menu option.
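The GPC/GPT version rule above, together with the PDC emulator's role as the copy that edits are written to, can be checked directly rather than through Replication Monitor. The PowerShell below is an added example, not code from the course: it locates the PDC emulator, reads each GPO's versionNumber from its GPC, reads the Version= line from GPT.ini in every domain controller's Sysvol copy, and reports the GPOs whose AD and Sysvol versions disagree on some DC (the state in which the client refuses to process the GPO until replication catches up). The split of the single 32-bit version into a computer half (low 16 bits) and a user half (high 16 bits) is the reason the properties page shows two revision numbers. It needs the ActiveDirectory and GroupPolicy modules and read access to each DC's SYSVOL share.

```powershell
# Added example (not from the course text): compare the GPC version stored in
# Active Directory with the GPT version in each domain controller's Sysvol,
# using the PDC emulator as the reference copy. Requires the ActiveDirectory
# and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# The version number is one 32-bit value: low 16 bits = computer revision,
# high 16 bits = user revision, which is why the GPO properties page shows
# two numbers.
function Split-GpoVersion {
    param([int64]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

# Read Version= from GPT.ini in a specific DC's Sysvol copy.
function Get-GptVersion {
    param([string]$DomainController, [string]$DnsDomain, [string]$GpoGuid)
    $ini = "\\$DomainController\SYSVOL\$DnsDomain\Policies\$GpoGuid\GPT.ini"
    if (-not (Test-Path $ini)) { return $null }
    foreach ($line in Get-Content $ini) {
        if ($line -match '^Version=(\d+)') { return [int64]$Matches[1] }
    }
    return $null
}

function Test-GpoVersionSync {
    $domain = Get-ADDomain
    $pdc = $domain.PDCEmulator          # where GPO edits are written
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($gpo in Get-GPO -All -Server $pdc) {
        $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $gpc = Get-ADObject -Identity $gpo.Path -Properties versionNumber -Server $pdc
        $adVersion = [int64]$gpc.versionNumber
        $ad = Split-GpoVersion $adVersion
        foreach ($dc in $dcs) {
            $sysvolVersion = Get-GptVersion -DomainController $dc -DnsDomain $domain.DNSRoot -GpoGuid $guid
            $sv = if ($null -ne $sysvolVersion) { Split-GpoVersion $sysvolVersion } else { $null }
            $svComputer = if ($sv) { $sv.Computer } else { 'missing' }
            $svUser     = if ($sv) { $sv.User }     else { 'missing' }
            [pscustomobject]@{
                GPO            = $gpo.DisplayName
                DC             = $dc
                AdComputer     = $ad.Computer
                AdUser         = $ad.User
                SysvolComputer = $svComputer
                SysvolUser     = $svUser
                InSync         = ($null -ne $sysvolVersion) -and ($sysvolVersion -eq $adVersion)
            }
        }
    }
}

# Only the mismatches are interesting during troubleshooting.
Test-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

For a single GPO on the DC you are connected to, the same comparison is available without the file read: Get-GPO exposes Computer.DSVersion, Computer.SysvolVersion, User.DSVersion and User.SysvolVersion. The script above is for the cross-DC view the text calls for, where a mismatch on one DC but not the PDC emulator points at FRS or DFS-R replication rather than at the GPO itself.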
The following topic describes how the GPO version information is used once the GPO has been created.
How Version Information Is Used
After the GPOs have been created, the respective site, domain, or OUs link to the created GPOs using the Active Directory attribute found on each container object that references the GUID of each site, domain, or OU.
After a policy is linked to a site, domain, or OU, the DN of the policy is entered into the gPLink property on the selected site, domain, or OU.
A Windows client then uses the GetGPOList API to discover which GPOs it should process on the client. It also uses the computer name and IP address to identify the site that the user is in, determining which GPOs to associate with the computer system. In addition, the Windows client also uses the domain and OU location of the computer system to build the master list of which GPOs to apply.
Next, the version information and other GPO options (disabled, no override, and block policy inheritance) are read to determine what, if any, processing will take place. By default, if the current GPO settings have already been deployed, no reprocessing will be done unless mandated.
The needed client-side extension DLLs then swing into processing mode and apply their associated GPO settings.
FRS Replication
Figure 88: FRS Replication
The process of replication is usually thought to dictate the movement of all changes in Active Directory.
However, the changes to Group Policy are replicated to the other domain controllers within the domain using the FRS (File Replication Service). The process is:
1. When changes are made to Group Policy, the PDC emulator is located and the settings are read from its Sysvol folder into cache.
2. After changes have been made, the Group Policy settings are saved back to the Sysvol folder on the PDC emulator. These changes signal the FRS to replicate the changes.
3. At the allotted replication time (up to 15 minutes), the FRS replicates the settings to the other domain controllers throughout the domain.
DFS-R
Figure 89: DFS-R
DFS-R was introduced with Windows Server 2008 as a more efficient alternative to FRS. DFS-R only replicates the changes inside a file, instead of replicating an entire file each time a change occurs.
In order to use DFS-R for Sysvol replication, you must go through a step-by-step migration process to convert from FRS to DFS-R.
This process is thoroughly detailed in the following TechNet article:
http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx
If you have installed a new Windows Server 2012 domain, the DFS-R replication process will be enabled automatically.
Understanding the Group Policy Processing Sequence
Figure 90: Understanding the Group Policy Deployment Order
Group Policy is deployed in the following order:
1. Local Group Policy settings are deployed first: Local administrators or administrators can configure local policies from the domain. Local policies can always be overridden by conflicting options from other levels and, therefore, have the least amount of precedence.
2. Site policies are applied next: Enterprise administrators can configure site policies. These policies apply to the subnet IDs that match the site that the computer or user is located within. This allows for location-based GPO deployment.
3. Domain policies are applied after the site policies: Enterprise administrators and domain administrators can configure domain policies. These policies apply to all users and computers in the same domain. A Default Domain Policy already exists at this level. Additional policies can be applied to the domain; however, they should be limited because they can impact such a large portion of the environment.
4. OU policies are applied last: All administrators and any users that have been delegated permissions to the OU can configure OU policies. OU policies apply to all users and computers in the OU that the policy is linked to. Assigning policies to OUs provides more granularity and flexibility when it comes to determining the users and computers for which the policies should be effective.
Local Computer System
Remember that any local Group Policy settings deployed using the Gpedit.msc local policy editor or through the Local Security Policy console in the Administrative Tools menu will be deployed first, before any other network-based policy settings. The local Group Policy choices are pulled from the local Windows\System32\GroupPolicy folder.
It may be helpful to remember that the local registry hives, the logged in user profile (NTUSER.DAT), and the Secedit.sdb security database are where all Group Policy settings are eventually deployed to, even if the settings are deployed from the site, domain, or OU. In the Local Security Policy console, the Effective Settings and Local Settings columns in the details pane indicate where the setting was applied.
If you, as a client, have read access to the local GPO, the settings apply to you even if you are the local administrator. Setting the read access to no access results in the local GPO not being applied to the local administrator.
Site GPOs
A GPO created within a site applies to all users and computers in the site. A site is one or multiple subnets joined together under an Active Directory site name.
Any Group Policy settings deployed at the Active Directory site level that are different from any previously applied local Group Policy overwrite the previously applied local settings. For example, if you enable a local setting to remove the Settings tab from the properties of the Display icon in Control Panel, it is deployed first.
If the exact same setting at the site level GPO is set to Not Configured, the end result at this point of the deployment cycle is that the Settings tab is now available.
Domain GPOs
A GPO created at the domain properties is applied to all users and computers in the domain,
and to all users and computers in all child OUs and user containers.
If a conflict occurs with a previously applied local or site setting, the domain settings overwrite the local and site settings.
Organizational Unit
The OU settings are deployed next, potentially overwriting the local, site, and domain settings if a conflict occurs with a previously applied setting.
Child OU
If you use multiple OUs in your Active Directory design, any Group Policy settings deployed at the top of an OU tree flow down through the child OUs, similar to the enforcement of permissions on an NTFS partition.
If you have multiple Group Policy settings applied from multiple sources, you have an effective Group Policy built from the multiple GPOs applied to your network.
Note
For Group Policy to operate properly, the three key components that must be working are: Active Directory, DNS, and the FRS. Each Active Directory client uses the FQDN to attach to the domain controller and read the GPO.
Modifying Group Policy Processing
Figure 91: Modifying Group Policy Processing
The standard Group Policy processing behavior is based upon inheritance. Policies implemented at higher levels of the OU structure are inherited down the OU tree structure.
Using Group Policy Inheritance
Figure 92: Using Group Policy Inheritance
To manage group policies most effectively, you must have a good foundation to apply them to.
This foundation normally exists as a hierarchy of OUs within the domain environment. Group policies certainly can be applied to the site and the domain levels, but the real power of Group Policy is in being able to apply it in a granular fashion.
When you apply a GPO to an OU structure, remember that a policy applied at a parent OU will automatically be inherited by all child and grandchild OUs. Leverage this default behavior so that settings that really should apply to a broad range of users and computers are applied at a higher parent level, while settings that should affect only a subset of accounts are applied at a child OU.
Structuring the OUs appropriately can make this process much easier.
An example of a useful corporate standard GPO is: Only authorized users can access the command prompt or the registry editor. One way to define this GPO is to set the Prevent access to the command prompt and Prevent access to registry editing tools policy settings and link these settings to an OU, for example the Domain_User_Accounts OU. This action will result in these settings being applied to all users in the Domain_User_Accounts OU.
Then create a GPO, such as an Administrator_Policy GPO, which explicitly allows administrators access to the command prompt and registry editing through a security group filter applied to the Administrator_Policy GPO. The Administrator_Policy GPO will then override the settings configured in the Standard User Policy GPO.
If another group of users requires access to the command prompt, but not the registry, you can create another child GPO that allows access. Access to the registry editing tools is still denied because the new GPO does not override the registry tools setting made in the Domain_User_Accounts GPO.
When you set the default values for security-related settings, such as restricted group membership and file system access and registry access permissions, remember that these settings work on a last-write-wins principle; the settings in this case are not merged.
Changes to a GPO are saved immediately and, therefore, could be applied prematurely if a client computer refreshes its policies. It is a good idea to keep the GPO unlinked from its production location (site, domain, or OU) until you have fully tested the policy. While you are developing the GPO, keep it either unlinked or linked to a test OU.
Sometimes, the default processing is not desired, and can therefore be disrupted using several mechanisms. The following topics discuss ways to modify Group Policy processing.
Using the Block Inheritance and Enforce Options
Figure 93: Using Block Inheritance and Enforce Options
Sometimes this normal inheritance process can be limiting. For that reason, you can disrupt the inheritance of higher-level policies in three different ways:
Contradictory settings: If a child OU has the need to opt out of a particular Group Policy setting, you can create a new GPO at that level that has the opposite setting. The last policy applied in the processing sequence wins.
Block inheritance: When a large number of settings are configured at a higher level and many of them should not apply to a child OU, you can enable the Block Inheritance attribute on the OU so that no policies from above will apply.
Enforce: You can apply the Enforce option at higher levels of the policy architecture to ensure that certain policies cannot be overridden or blocked. The Enforce option is applied to an individual GPO. Some GPOs can be overridden or blocked while others can be mandatory, so to speak. The Enforce option always wins.
Using Security Filtering
Figure 94: Using Security Filtering
In order for a GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO. By default, Authenticated Users have both Read and Apply Group Policy permissions set to Allow. If you want only a subset of users within an OU to receive a GPO, remove Authenticated Users from the ACL on the desired GPO.
Next, add a new group with the security filtering permissions that contains the subset of users who are to receive the GPO. Only members of this group that are within the site, domain, or OU where the GPO is linked receive the GPO; members of the group in other sites, domains, or OUs will not receive the GPO.
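The Domain_User_Accounts / Administrator_Policy scenario from the inheritance topic and the security filtering steps just described can be built end to end with the GroupPolicy module. The PowerShell below is an added example, not code from the course. The Domain_User_Accounts OU name comes from the text; the GPO_Admins group, the Standard_User_Policy GPO name and the use of link order 1 at the same OU to make the administrator GPO win are assumptions made for this example. The registry values behind the two Administrative Templates policies are DisableCMD (HKCU\Software\Policies\Microsoft\Windows\System) and DisableRegistryTools (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System); writing 0 to them for the "allow" GPO is assumed to match those policies' Disabled state. One caveat to the "remove Authenticated Users" step: since security update MS16-072 (June 2016) the computer account must be able to read a GPO for its user settings to apply, so the example lowers Authenticated Users to Read instead of removing it, which is Microsoft's recommended form of the same filter.

```powershell
# Added example (not from the course text): baseline restrictions for an OU,
# an administrator exception enforced through security filtering, and link
# order so the exception wins. Requires the GroupPolicy and ActiveDirectory
# modules (RSAT) in an elevated session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$userOu   = "OU=Domain_User_Accounts,$domainDn"   # assumed to exist (name from the text)
$adminGrp = 'GPO_Admins'                          # assumed security group

# 1. Standard user policy: deny cmd.exe and registry editors for everyone in the OU.
#    DisableCMD = 2 blocks the prompt but still lets batch scripts run;
#    DisableRegistryTools = 1 blocks regedit.
$std = New-GPO -Name 'Standard_User_Policy' -Comment 'Baseline restrictions (example)'
Set-GPRegistryValue -Name $std.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null
Set-GPRegistryValue -Name $std.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $std.DisplayName -Target $userOu -LinkEnabled Yes | Out-Null

# 2. Administrator policy: the same two values set to 0 (assumed to equal the
#    policies' Disabled state), so it explicitly allows what the baseline denies.
$adm = New-GPO -Name 'Administrator_Policy' -Comment 'Exception for admins (example)'
Set-GPRegistryValue -Name $adm.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $adm.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 0 | Out-Null

# 3. Security filtering: only GPO_Admins gets Apply Group Policy. Authenticated
#    Users is lowered to Read rather than removed, because since MS16-072 the
#    computer account must still read the GPO for user settings to apply.
Set-GPPermission -Name $adm.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $adm.DisplayName -TargetName $adminGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link it at the same OU with link order 1: processed after the baseline,
#    so its settings win on conflict.
New-GPLink -Name $adm.DisplayName -Target $userOu -LinkEnabled Yes -Order 1 | Out-Null

# Verify the resulting ACL and the link order at the OU.
Get-GPPermission -Name $adm.DisplayName -All |
    Format-Table @{n='Trustee';e={$_.Trustee.Name}}, Permission -AutoSize
(Get-GPInheritance -Target $userOu).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

A member of GPO_Admins logging on in that OU receives both GPOs; the Administrator_Policy link, at order 1, is applied last and clears the two restrictions. Everyone else receives only Standard_User_Policy, because Apply Group Policy on the exception GPO is granted to the group alone.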
Isolating Administrators
You might want to prevent certain Group Policy settings from applying to the Administrator group. To accomplish this, you can do one of the following:
Create a separate OU for administrators and keep this OU out of the user infrastructure. In this case, administrators will not receive most of the settings that you provide for managed users. If this separate OU is a direct child of the domain, the only settings that administrators possibly receive are settings from GPOs linked either to the domain or the site.
Because only broadly applicable settings should be linked here, it might be acceptable to let the administrators receive these settings; otherwise, you can set the Block Inheritance option on the Administrators OU.
Have administrators use separate administrative accounts only when administrative tasks are being carried out. Therefore, when not performing administrative tasks, they would still be managed by the applied Group Policy settings.
Implementing WMI Filters
Figure 95: Implementing WMI Filters
Although you can filter the applied settings of GPOs by modifying the ACLs for the policy links (security group filtering), there might be times that you want to apply a policy based on specific attributes of an individual client computer. In such situations, you would use WMI (Windows Management Instrumentation) filtering.
WMI provides a mechanism to collect various details of a computer's configuration through a programmatic interface. In many respects, WMI is similar to SNMP. WMI runs on Windows 2000 and later platforms.
A WMI filter is a collection of one or more queries (really conditions) written in WQL. A query might specify, for example, that a computer be running at least a Pentium III processor, or have a minimum OS version number. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.
So, for example, you could create a GPO that would apply only to computers with at least a Pentium III CPU. That sort of capability could come in handy, for example, when you are thinking of deploying a processor-intensive application.
WMI is powerful, but is not appropriate in every situation. To help you create WMI filters, you can obtain the free WBEMTest tool from Microsoft. Once you have created the WMI filter, you must link it to a GPO.
Restrictions
WMI filtering has many conditions associated with it, making it unsuitable at present for deployment in mixed-mode networks. Here is what you should know:
Windows 2000 Professional clients (and earlier) ignore WMI filters and always apply policies just as if the WMI filter did not exist.
Only Windows Server 2003 and later domains that have been prepped via the adprep /domainprep command support WMI filters.
WMI filters are domain-local in scope; that is, you cannot link a WMI filter to a GPO in a different domain.
Any given GPO can have only one associated WMI filter. (That is not too much of a restriction when you consider that a filter might have a long list of queries contained within it.)
Using the WBEMTest Tool
Figure 96: Using the WBEMTest Tool
You can use the WBEMTest tool to become familiar with the structure of WMI. The GPMC does not provide any method to browse the WMI repository. The WBEMTest tool can be used to display the WMI structure as a reference to build a filter from.
Viewing WMI Classes
A good way to become familiar with the WMI classes is to use the graphical WBEMTest tool, which you can run from a command prompt.
You will need to specify the namespace via the Open Namespace button, if it is anything other than root\cimv2.
To view all of the classes beneath a root namespace, click the Enum Classes button, select Recursive, and then click OK. You will see a dialog box like the one shown in Figure 97.
The WBEMTest Query Result Dialog Box
Figure 97: WBEMTest Query Result Dialog Box
Then, if you double-click the item and click the Instances button, you can see the instances of objects of that class on the computer. For example, you would see that the Name property of the Win32_BIOS class on this computer is PhoenixBIOS 4.0 Release 6.0.3. Another way to express this is:
Figure 98: Using PowerShell to Explore WMI (1)
Use PowerShell to output a listing of all WMI classes within the root\CIMv2 namespace by using the following command:
Get-WMIObject -list | Out-GridView
This will output the list of objects to the GridView application which allows for convenient navigation of the hundreds of items returned.
Using PowerShell to Explore WMI (2)
Figure 99: Using PowerShell to Explore WMI (2)
Use PowerShell to output a listing of the items within a class by using the following command:
Get-WMIObject Win32_OperatingSystem
This will display the properties of the object to the screen. This information can then be used to design the query you would like to use as a WMI Filter in a GPO.
Using PowerShell to Explore WMI (3)
Figure 100: Using PowerShell to Explore WMI (3)
Use PowerShell to test a WQL query before attempting to use it in a GPO. Write the command as follows:
Get-WMIObject -query {Select * from Win32_OperatingSystem WHERE Version = '6.2.9200' AND ProductType = '2'}
This command returns results only if the computer it is run against is version 6.2.9200 and the product type is 2. These are the attributes of a Windows Server 2012 machine.
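A WMI filter with several queries applies only when every query returns at least one instance, so testing one query at a time, as above, does not tell you whether the whole filter will match. The PowerShell below is an added example, not code from the course, that evaluates a list of WQL queries the way the filter does and reports the verdict per query and overall, locally or against a named computer. It uses Get-CimInstance instead of the older Get-WMIObject shown in the text; the two queries in it are constructed for this example. Because Win32_OperatingSystem.Version is a string, an exact match such as the course's '6.2.9200' pins one build, while LIKE with a wildcard covers an OS family.

```powershell
# Added example (not from the course text): evaluate a set of WQL queries the
# way a WMI filter does. The filter is satisfied only when every query returns
# at least one instance.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string[]]$Queries,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName            # optional remote target
    )
    $params = @{ Namespace = $Namespace }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    $results = foreach ($q in $Queries) {
        # A malformed query yields no instances, which counts as "not satisfied".
        $matched = @(Get-CimInstance @params -Query $q -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Query     = $q
            Instances = $matched.Count
            Satisfied = $matched.Count -gt 0
        }
    }
    [pscustomobject]@{
        Applies = -not ($results | Where-Object { -not $_.Satisfied })
        Detail  = $results
    }
}

# Constructed filter: a server OS in the 10.0 family that is domain-joined
# as a member server or domain controller (DomainRole 3, 4 or 5).
$filter = @(
    "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0%' AND ProductType = '2'",
    "SELECT * FROM Win32_ComputerSystem WHERE DomainRole >= 3"
)
$r = Test-WmiFilter -Queries $filter
$r.Detail | Format-Table -AutoSize
"Filter applies to this computer: $($r.Applies)"
```

Run the same call with -ComputerName against a representative member of each OU before linking the filter to a GPO; the per-query detail shows which condition excludes a machine that you expected to receive the policy.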
Creating a WMI Filter
Figure 101: Creating a WMI Filter
To create a new WMI filter:
1. In the GPMC, right-click the WMI Filters node and select New.
2. Name the filter, provide a description, and create your queries using WQL.
3. Select the WMI filter on the Scope tab of the GPO it should apply to.
The filter is evaluated by the Group Policy client on every refresh, not on the domain controller.
The GPO applies only when every query in the filter returns at least one instance; a query that
fails (for example because WMI is broken on the client) counts as not matched, so the GPO is
silently skipped.
Note
WQL is similar to SQL, so if you are familiar with SQL, all you need are the
specifics for the WMI data classes.
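The following PowerShell script is an added example and is not part of the original course material. It inventories every WMI filter in the domain, extracts the WQL text that the GPMC stores in Active Directory, and reports which GPOs use each filter, so filters can be reviewed (and tested with a script like the one above) without opening every GPO in the GPMC. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the domain's System container; the helper name ConvertFrom-WmiParm2 is a placeholder, and the msWMI-Parm2 layout parsed here is the one the GPMC writes.

```powershell
# Added example; not from the original course material.
# Requires the GroupPolicy and ActiveDirectory RSAT modules and read access to
# the domain's System container. ConvertFrom-WmiParm2 is a helper defined here.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# The GPMC stores each WMI filter as an msWMI-Som object. msWMI-Parm1 is the
# description; msWMI-Parm2 packs the queries as
#   "<count>;3;<namespaceLength>;<queryLength>;WQL;<namespace>;<query>;"  (repeated per query)
$somBase = "CN=SOM,CN=WMIPolicy,CN=System,$domainDn"
$filters = Get-ADObject -SearchBase $somBase -LDAPFilter '(objectClass=msWMI-Som)' `
    -Properties 'msWMI-Name', 'msWMI-Parm1', 'msWMI-Parm2'

function ConvertFrom-WmiParm2 {
    param([string] $Parm2)
    $f = $Parm2 -split ';'
    # Each query is introduced by a literal 'WQL' field, followed by namespace and query text.
    for ($i = 0; $i -lt $f.Count - 2; $i++) {
        if ($f[$i] -eq 'WQL') {
            [pscustomobject]@{ Namespace = $f[$i + 1]; Query = $f[$i + 2] }
        }
    }
}

# Which GPOs use which filter? Get-GPO exposes the assignment as .WmiFilter (null if none).
$usage = @{}
foreach ($g in Get-GPO -All) {
    if ($g.WmiFilter) { $usage[$g.WmiFilter.Name] += @($g.DisplayName) }
}

foreach ($f in $filters) {
    $name = $f.'msWMI-Name'
    "== $name  ($($f.'msWMI-Parm1'))"
    foreach ($q in ConvertFrom-WmiParm2 $f.'msWMI-Parm2') {
        "   [$($q.Namespace)] $($q.Query)"
    }
    $gpos = if ($usage.ContainsKey($name)) { $usage[$name] -join ', ' } else { '(not used by any GPO)' }
    "   Linked GPOs: $gpos"
}
```

Because a WMI filter can stop a security GPO from applying without any change to the GPO itself, the filter text and the msWMI-Som objects under CN=WMIPolicy deserve the same change control and auditing as the GPOs they gate.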
Changing the GPO Link Order
Figure 102: Changing the GPO Link Order
The GPO link order controls the order in which GPOs are applied within each domain, site,
and OU.
To change the GPO link order, select a link in the Linked Group Policy Objects tab of the
container and move it up or down to the appropriate position by using the Up and Down buttons.
Links with the lowest number have the highest precedence for a given site, domain, or OU. For
example, if you link three GPOs, the GPO highest in the list has a link order of 1. This GPO
is applied last, after the other two GPOs have been applied. Because it is applied last, the
settings contained in that GPO have the highest priority and override any identical settings
defined in the other two GPOs. Link order only ranks links on the same container; an enforced
link from a parent container still wins over every link on the child.
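The following PowerShell script is an added example and is not part of the original course material. It lists the effective precedence of all GPO links that reach one container (including inherited and enforced links) with the GroupPolicy module's Get-GPInheritance cmdlet, then moves a link to the top of its container and enforces it with Set-GPLink. The function name Get-GpoPrecedence, the OU distinguished name and the GPO name "Server Hardening" are placeholders.

```powershell
# Added example; not from the original course material.
# Requires the GroupPolicy RSAT module. Get-GpoPrecedence, the OU DN and the GPO
# name are placeholders.
Import-Module GroupPolicy

function Get-GpoPrecedence {
    param([Parameter(Mandatory)][string] $Target)   # DN of a site, domain or OU

    $inh = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is ordered by precedence: the first entry is applied
    # last and therefore wins. Enforced parent links sit above the container's
    # own links; Block Inheritance hides non-enforced parent links only.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence      = $rank
            GPO             = $link.DisplayName
            LinkedAt        = $link.Target
            LinkOrder       = $link.Order     # position within its own container
            Enforced        = $link.Enforced
            Enabled         = $link.Enabled
            BlockedHere     = $inh.GpoInheritanceBlocked
        }
    }
}

$ou = 'OU=Servers,DC=contoso,DC=com'       # placeholder
"Before:"
Get-GpoPrecedence -Target $ou | Format-Table -AutoSize

# Give 'Server Hardening' link order 1 on this OU so it is applied after (and
# overrides) every other GPO linked here ...
Set-GPLink -Name 'Server Hardening' -Target $ou -Order 1
# ... and enforce it so that child OUs can neither outrank it nor block it.
Set-GPLink -Name 'Server Hardening' -Target $ou -Enforced Yes

"After:"
Get-GpoPrecedence -Target $ou | Format-Table -AutoSize
```

Run the "Before" part alone when troubleshooting: if two GPOs define the same setting, the one with the lower Precedence number in this listing is the one whose value the computer or user ends up with.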
Using Loopback Processing
Figure 103: Using Loopback Processing
The User Group Policy loopback processing mode policy setting applies the same user
settings to all users who log on to a computer, based on the computer they log on to.
When you apply GPOs to users, normally the same set of user policy settings applies to those
users when they log on to any computer. By enabling the loopback processing policy setting in
a GPO, you can configure user policy settings based on the location of the computer that they log on
to. Those settings are applied regardless of which user logs on.
You set the loopback policy inside each GPO by using the User Group Policy loopback
processing mode policy setting under Computer Configuration\Policies\Administrative
Templates\System\Group Policy. Two options are available:
Merge: In this mode, the list of GPOs for the user is gathered during the logon process as
usual. The list of GPOs that apply to the computer is then appended to the end of the user's list,
and the user settings from those computer GPOs are applied last. As a result, the GPOs of the
computer have higher precedence than the GPOs of the user.
Replace: In this mode, the list of GPOs for the user is not gathered. Instead, only the list of
GPOs that apply to the computer object is used. The user configuration settings from this list
are applied to the user.
When you use the Replace option, you must ensure that both the Computer Configuration
portion of the GPO (which carries the loopback setting) and the User Configuration portion
(which carries the settings to apply) are enabled; a GPO whose user settings are disabled
contributes nothing to the user.
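The following PowerShell script is an added example and is not part of the original course material. It reads the loopback mode that a GPO sets, checks for the Replace-mode pitfall described above (user settings disabled in the GPO), reads the mode actually in force on the local computer, and finally sets Replace mode on the GPO. It uses the registry value the policy setting writes, UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace). The helper name Get-LoopbackMode and the GPO name "Kiosk Lockdown" are placeholders; the GroupPolicy RSAT module is assumed.

```powershell
# Added example; not from the original course material.
# Requires the GroupPolicy RSAT module. Get-LoopbackMode and the GPO name are placeholders.
Import-Module GroupPolicy

# The loopback policy setting is stored in this registry key, value UserPolicyMode.
$key  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$gpo  = 'Kiosk Lockdown'   # placeholder

function Get-LoopbackMode {
    param([int] $Value)
    switch ($Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}

# 1. What does the GPO set? Get-GPRegistryValue throws if the value is not defined.
try {
    $mode = (Get-GPRegistryValue -Name $gpo -Key $key -ValueName UserPolicyMode -ErrorAction Stop).Value
} catch { $mode = $null }
"GPO '$gpo' loopback mode: $(Get-LoopbackMode $mode)"

# 2. Replace-mode pitfall: the GPO must still have its User Configuration half enabled,
#    otherwise the computer's GPO list carries no user settings to apply.
$status = (Get-GPO -Name $gpo).GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
if ($mode -eq 2 -and $status -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
    Write-Warning "'$gpo' uses Replace mode but its user settings are disabled ($status)"
}

# 3. What mode is this computer actually running under after its last policy refresh?
$live = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
    -Name UserPolicyMode -ErrorAction SilentlyContinue
"This computer: $(Get-LoopbackMode $live.UserPolicyMode)"

# 4. Enable Replace mode on the GPO (same effect as enabling the setting in the editor).
Set-GPRegistryValue -Name $gpo -Key $key -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null
"GPO '$gpo' loopback mode now: Replace"
```

Step 3 is the one to use on a kiosk or terminal server that "ignores" a user GPO: if the computer reports Replace, only user settings from GPOs linked to the computer's own location can ever reach that logon session, whatever is linked to the user's OU.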
Acronyms
The following acronyms are used in this section:
ACL   Access Control List
ADSI  Active Directory Service Interfaces
API   application programming interface
BIOS  basic input/output system
CD    compact disc
CPU   central processing unit
DLL   dynamic-link library
DN    distinguished name
DNS   Domain Name System
EFS   Encrypting File System
FQDN  fully qualified domain name
FRS   File Replication Service
GPC   Group Policy container
GPMC  Group Policy Management Console
GPO   Group Policy object
GPT   Group Policy template
GUID  globally unique identifier
IP    Internet Protocol
IPSec IP Security
MSI   Microsoft Windows Installer
NTFS  New Technology File System
OS    operating system
OU    organizational unit
PDC   primary domain controller
SNMP  Simple Network Management Protocol
SQL   Structured Query Language
WAN   wide area network
WMI   Windows Management Instrumentation
WQL   WMI Query Language
Section Review
Summary
Group Policy is based on the following components:
Sysvol folder: A system folder that is located in the NTFS file system of every Active
Directory domain controller. It contains administrative templates, security settings,
applied scripts, and details about MSI packages that will be installed.
PDC emulator: A single domain controller per domain is assigned the role of a PDC
emulator. This role is automatically assigned to the first domain controller in an Active
Directory domain, and the GPMC edits GPOs on it by default.
Group Policy Container: Stores the policy setting information for a GPO in Active Directory.
It stores the details of every GPO that is created in Active Directory. The GPC contains the
version number of each GPO, its current status, and the installed components.
Group Policy template: Stores the files that are created by the GPO in the Sysvol
folder; they are written on the PDC emulator by default and replicated to every domain
controller in the domain. It stores computer and user scripts, the GPO template files, and the
Registry.pol files.
Group Policy is deployed in the following order:
1. Local Group Policy settings
2. Site policies
3. Domain policies
4. OU policies
The methods used to modify Group Policy processing are:
Block Inheritance and Enforce Options: The Block Inheritance attribute prevents
higher-level policies from being applied to lower levels.
Applied at higher levels of the policy architecture, the Enforce option ensures that certain
policies cannot be overridden or blocked. This option is applied to an individual GPO link.
Security Filtering: Sets the ACLs on a GPO to prevent or allow it from applying to specific
users, groups, or computers; a principal needs both Read and Apply Group Policy to receive the
GPO. Since the MS16-072 security update (June 2016), user settings are retrieved using the
computer account, so Authenticated Users or Domain Computers must keep Read permission on
the GPO even when Apply Group Policy is restricted to a smaller group.
WMI Filters: Consist of a collection of one or more queries (conditions) written in
WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the
queries in the filter are all satisfied on the client.
GPO Link Order: Controls the order in which GPOs are applied within each domain,
site, and OU.
Loopback Processing: Configures the user policy settings based on the computer
location that the users log on to.
Knowledge Check
1. Which Active Directory component does the following text describe?
A system folder that is located in the NTFS file system of every Active Directory domain
controller. It contains administrative templates, security settings, applied scripts, and
details about MSI packages that will be installed.
2. What is the Group Policy deployment order?
3. Match each method used to modify Group Policy processing with its correct description.
Write the letter of the description in the Answer column.
Answer       Method                    Description
1. ________  GPO Link Order            A. It prevents higher-level policies from being applied to lower levels.
2. ________  Security Filtering        B. Controls the order in which GPOs are applied within each domain, site, or OU.
3. ________  WMI Filters               C. Configures the user policy settings based on the computer location that the users log on to.
4. ________  Block Inheritance Option  D. Consist of a collection of one or more queries (conditions) written in WQL.
5. ________  Loopback Processing       E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.
Knowledge Check Answer Key
The correct answers to the Knowledge Check questions are bolded.
1. Which Active Directory component does the following text describe?
A system folder that is located in the NTFS file system of every Active Directory domain
controller. It contains administrative templates, security settings, applied scripts, and
details about MSI packages that will be installed.
Sysvol folder
2. What is the Group Policy deployment order?
Local
Site
Domain
OU
3. Match each method used to modify Group Policy processing with its correct description.
Write the letter of the description in the Answer column.
Answer Method Description