Administering Group PolicyChapter Eleven

Exam Objectives in this Chapter Plan a Group Policy strategy using Resultant

Set of Policy Planning mode Troubleshoot Group Policy application

deployment issues Troubleshoot the application of Group Policy

security settings Redirect folders using Group Policy

In this Chapter: Managing Group Policy with RSoP Managing Special Folders with Group Policy Troubleshooting Group Policy

To Complete this Chapter: As outlined on pate 11-2

Understanding RSoP Resultant Set of Policy (RSoP) RSoP is the sum of the group policies applied

to a user or computer. RSoP is the sum of the policies applied to a

user or computer, including the application of filters, such as through security groups and Windows Management Instrumentation (WMI), and exceptions, such as No Override and Block Policy Inheritance.

Generating RSoP Queries The Resultant Set Of Policy Wizard uses

existing GPO settings to report the effects of GPOs on users and computers.

Resultant Set Of Policy Wizard uses two modes : Logging mode Planning mode

Logging Mode RSoP Logging mode enables you to review

existing GPO settings, software installation applications, and security for a computer account or a user account Use Logging mode to

Find failed or overwritten policy settings See how security groups affect policy settings Find out how local policy is affecting group policies

Planning Mode Using RSoP Planning mode, you can poll

existing GPOs for policy settings, software installation applications, and security, and you can use WMI filter queries to read hardware and software properties.

Planning mode Use Planning mode in the following

situations: You want to test policy precedence in cases

where… The user and the computer are in different security

groups The user and the computer are in different OUs The user or the computer is moving to a new location.

You want to simulate a slow link You want to simulate loopback.

RSoP Planning Mode Options Slow-network connection

This option simulates a slow connection. Loopback processing

This option simulates enabling of the GPO setting User Group Policy Loopback Processing Mode, located in Computer Configuration, Administrative Templates, System, Group Policy. can be set to Merge or Replace

RSoP Planning Mode Options Site name

This option simulates the application of alternate subnets for startup or logging on, enabling you to predict the RSoP if the subnet is changed.

Alternate user and computer locations This option simulates the application of alternate

locations for both users and computers, enabling you to predict the RSoP if the user and/or computer is moved.

RSoP Planning Mode Options Alternate user and computer security

groups This option simulates the application of alternate

security groups to both computer and user configurations, enabling you to predict the RSoP using security groups to filter GPO scope.

RSoP Planning Mode Options WMI filters for users and computers

This option simulates the use of WMI filters to help define the policy settings that are applied, enabling you to predict the RSoP using WMI queries to filter GPO scope.

Exam Tip Make sure you understand the differences

between using RSoP in Logging mode and in Planning mode.

Creating RSoP Queries Mode Selection:

Logging mode Planning mode

Creating RSoP Queries Computer Selection:

This computer Another computer

Creating RSoP Queries User Selection:

Current user Select a specific user

Creating RSoP Queries Summary of Selections

RSoP Wizard User and Computer

Selection:

RSoP Wizard Advanced Simulations

Options:

RSoP Wizard Alternate Active

Directory Paths:

RSoP Wizard User Security Groups: Computer Security:

RSoP Wizard WMI Filters for Users:

All linked filters Only these filters

RSoP Wizard Summary of Selections

Saving and Viewing RSoP Queries Steps on pages 14 – 15.

Administrative Templates Results Computer

Configuration Properties

Displaying filtering filtering statusstatus

Administrative Templates Results Computer

Configuration Properties

Displaying Scope Scope managementmanagement

Administrative Templates Results Computer

Configuration Properties

Displaying Revision Revision informationinformation

Gpresult Command-Line Tool Gpresult provides

general information about the operating system, user, and computer.

Gpresult Command-Line Tool Gpresult provides the following information about Group Policy:

The last time Group Policy was applied and the domain controller that applied policy—for the user and for the computer

The complete list of applied GPOs and their details, including a summary of the extensions that each GPO contains Registry settings that are applied and their details

Folders that are redirected and their details Software management information, including details about

assigned and published applications Disk quota information Internet Protocol (IP) security settings Scripts

Gpresult Command Parameters Gpresult has the following syntax:

gpresult [/s computer [/u domain\user /p password]]

[/user username] [/scope {user|computer}] [/v] [/z] Note table 11-4 Examples on page 11-21

Advanced System Information–Policy Tool The Advanced System Information–Policy

tool enables you to create an RSoP query and view the results in an HTML report that appears in the Help And Support Center window.

This report can be printed, and it can be saved to an .htm file.

Advanced System Information–Policy Tool The report generated displays policy-related information for

the following categories: Computer name, associated domain, and current site User name and associated domain Applied GPOs for the computer and user Security group memberships for the computer and user Microsoft Internet Explorer settings Scripts: logon, logoff, startup, shutdown Security settings Programs installed Folder redirection Registry settings

Advance System Information

Delegating Control of RSoP Permission for generating an RSoP query is

set for the domain or OU by selecting one of the Generate Resultant Set Of Policy Planning options in the Delegation Of Authority Wizard.

You must be a member of the Enterprise Administrators group to delegate RSoP control at the domain and site level

Practice: Generating RSoP Queries

Exercise 1: Creating an RSoP Query with the Resultant Set Of Policy Wizard Logging Mode Page 11-24

Exercise 2: Creating an RSoP Query with the Gpresult Command-Line Tool

Exercise 3: Creating an RSoP Query with the Advanced System Information– Policy Tool Page 11-25

Managing Special Folders with Group Policy Two ways to set up folder redirection:

1. One location for everyone in the site, domain, or OU

2. A location according to security group membership Folder Redirection Offline Folder

Folder Redirection You redirect users’ folders to provide a

centralized location for key Microsoft Windows XP Professional folders on a server or servers.

Special Folders To Be Redirected: Application Data Desktop My Documents My Pictures Start Menu

Advantages of Redirecting Folders Documents are always available When roaming user profiles are used, only the

network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself.

Offline File technology provides users with access to My Documents even when they are not connected to the network

Advantages of Redirecting Folders Data stored on a shared network server can be

backed up as part of routine system administration The system administrator can use Group Policy to

set disk quotas, limiting the amount of space taken up by users’ special folders

Data specific to a user can be redirected to a different hard disk on the user’s local computer from the hard disk holding the operating system files.

Redirecting My Documents to Home Folders When you redirect My Documents to a user’s

home folder, the system assumes that the administrator has set the following items correctly: Security Ownership Home directory property on the user object

Default Special Folder Locations Note table 11-5

Setting Up Folder Redirection Two ways to set up folder redirection:

Redirect special folders to one location for everyone in the site, domain, or OU.

Redirect special folders to a location according to security group membership.

Follow the steps on pages 30 – 37

Exam Tip Be sure you know the two ways to set up

folder redirection.

Policy Removal Considerations Note table 11-6 page 11-38

Folder Redirection and Offline Files The Offline Files feature provides users with access

to redirected folders even when they are not connected to the network.

Offline Files caches files accessed through folder redirection onto the hard drive of the local computer.

When a user accesses a file in a redirected folder, the file is accessed and modified locally.

When a user has finished working with the file and has logged off, only then does the file traverse the network for storage on the server.

Folder Redirection Best Practices Allow the system to create the folders Use fully qualified UNC paths, for example: \\

servername\sharename Accept defaults Place the My Pictures folder in the My Documents folder Consider what will happen if the policy is removed Do not redirect My Documents to the home folder unless

you have already deployed home directories in your organization

Enable Offline Files

Practice: Managing Special Folders

Exercise 1: Setting Up Folder Redirection Exercise 2: Setting Up Offline Files

Page 11-47

Troubleshooting Group Policy Troubleshooting Group Policy involves using

the Resultant Set Of Policy Wizard, the Gpresult and Gpupdate command-line tools, the Event Viewer, and log files to solve policy-related problems.

Tools include: Resultant Set Of Policy Wizard and Gpresult Gpupdate Event Viewer

To enable verbose logging for the event log, complete the steps on page 11-52

Log Files

Group Policy Troubleshooting Scenarios Pages 54 - 57

Summary Case Scenario Exercise

Pages 59 – 60. Troubleshooting Lab

Pages 60 - 64 Exam Highlights

Key points Key terms

Page 65