Module 6_ Implementing a Group Policy Infrastructure

07/06/13 Module 6: Implementing a Group Policy Infrastructure

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 1/135

Module6:ImplementingaGroupPolicyInfrastructure

Contents:

Lesson1: UnderstandGroupPolicy

Lesson2: ImplementGPOs

LabA: ImplementGroupPolicy

Lesson3: ManageGroupPolicyScope

LabB: ManageGroupPolicyScope

Lesson4: GroupPolicyProcessing

Lesson5: TroubleshootPolicyApplication

LabC: TroubleshootPolicyApplication

Module Overview



InModule1,youlearnedthatActiveDirectoryDomainServices(ADDS)providesthefoundationalservicesofanidentityandaccesssolutionforenterprisenetworksrunningWindows,andthatADDSalsosupportsthemanagementandconfigurationofeventhelargest,mostcomplexnetworks.InModules2through5,youlearnedhowtoadministerADDSsecurityprincipals:users,groups,andcomputers.Now,youwillexaminethemanagementandconfigurationofusersandcomputersbyusingGroupPolicy.GroupPolicyprovidesaninfrastructurewithinwhichsettingscanbedefinedcentrallyanddeployedtousersandcomputersintheenterprise.

InanenvironmentmanagedbyawellimplementedGroupPolicyinfrastructure,littleornoconfigurationneedstobemadebydirectlytouchingadesktop.Theentire



configurationisdefined,enforced,andupdatedbyusingthesettingsinGroupPolicyobjects(GPOs)thataffectaportionoftheenterpriseasbroadasanentiresiteoradomain,orasnarrowasasingleorganizationalunit(OU)oragroup.Inthismodule,youwilllearnwhatGroupPolicyis,howitworks,andhowbesttoimplementitinyourorganization.SeveralsubsequentmoduleswillapplyGroupPolicytospecificmanagementtaskssuchassecurityconfiguration,softwaredeployment,passwordpolicy,andauditing.

Objectives

Aftercompletingthismodule,youwillbeableto:

DescribethecomponentsandtechnologiesthatcomprisetheGroupPolicyframework.

ImplementGPOs.

Configureandunderstandavarietyofpolicysettingtypes.

UnderstandandconfigureGroupPolicypreferences.

ScopeGPOsbyusinglinks,securitygroups,WindowsManagementInstrumentationfilters,loopbackprocessing,andpreferencetargeting.

DescribehowGPOsareprocessed.

LocatetheeventlogscontainingGroupPolicyrelatedeventsandtroubleshootGroupPolicyapplication.



Lesson 1: Understand Group Policy

AGroupPolicyinfrastructurehasseveralmovingparts.Youneedtounderstandnotonlywhateachpartdoes,butalsohowtheyworktogetherandwhyyoumightwanttoassembletheminvariousconfigurations.Inthislesson,youwillgetacomprehensiveoverviewofGroupPolicy:itscomponents,itsfunctions,anditsinnerworkings.

Objectives



Aftercompletingthislesson,youwillbeableto:

Identifythebusinessdriversforconfigurationmanagement.

UnderstandthecorecomponentsandterminologyofGroupPolicy.

ExplainthefundamentalsofGroupPolicyprocessing.

What Is Configuration Management?

Ifyouhaveonlyonecomputerinyourenvironmentathome,forexampleandyouneedtomodifythedesktopbackground,thereareseveralwaystodothat.Most



peoplewouldprobablyopenPersonalizationfromControlPanelandmakethechangebyusingtheWindowsinterface.Thatworkswellforoneuser,butmaybecometediousifyouwanttomakethechangeacrossmultipleusers.Say,forexample,thatyouwantthesamebackgroundforyourselfandyourfamily.Youhavetomakethechangemultipletimes,andthenifyoueverchangeyourmindandwanttochangethebackgroundyetagain,youhavetoreturntoeachuser'sprofileandmakethechange.Implementingthechangeandmaintainingaconsistentenvironmentbecomesevenmoredifficultacrossmultiplecomputers.

Configurationmanagementisacentralizedapproachtoapplyingoneormorechangestooneormoreusersorcomputers.Ifyourememberthat,everythingelsewillbeeasiertounderstand.Thekeyelementsofconfigurationmanagementare:

Acentralizeddefinitionofachange,whichisknownasasetting.Thesettingbringsauseroracomputertoadesiredstateofconfiguration.

Adefinitionoftheuser(s)orcomputer(s)towhomthechangeapplies,whichisknownasthescopeofthechange.

Amechanismorprocessthatensuresthatthesettingisappliedtousersandcomputerswithinthescope,whichisknownastheapplication.

GroupPolicyisaframeworkwithinWindowswithcomponentsthatresideinActiveDirectory,ondomaincontrollers,andoneachWindowsserverandclientthat



enablesyoutomanageconfigurationinanADDSdomain.AsweturnourattentiontoGroupPolicy,whichcanbecomeverycomplex,alwaysrememberthateverythingboilsdown,intheend,tojustthesefewbasicelementsofconfigurationmanagement.

Overview of Policies

ThemostgranularcomponentoftheGroupPolicyisanindividualpolicysetting,alsoknownsimplyasapolicythatdefinesaspecificconfigurationchangetoapply.Forexample,apolicysettingexiststhatpreventsauserfromaccessingregistryeditingtools.Ifyoudefinethatpolicysettingandapplyittotheuser,theuserwillbeunabletoruntoolssuchasRegedit.exe.Anotherpolicysettingisavailablethatyoucanuse



torenamethelocalAdministratoraccount.YoucanusethispolicysettingtorenametheAdministratoraccountonalluserdesktopsandlaptops.

Thesetwoexamplesillustrateanimportantpoint:thatsomepolicysettingsaffectauser,regardlessofthecomputertowhichtheuserlogson,andotherpolicysettingsaffectacomputer,regardlessofwhichuserlogsontothatcomputer.Policysettingssuchasthesettingthatpreventsaccesstoregistryeditingtoolsareoftenreferredtoasuserconfigurationsettingsorusersettings.PolicysettingssuchastheonethatdisablestheAdministratoraccountandsimilarsettingsareoftenreferredtoascomputerconfigurationsettingsorcomputersettings.Youwillalsohearthesereferredtoasuserpoliciesandcomputerpolicies.Theterminologyusedintheindustryisnotexact.

TherearevariouspolicysettingsthatcanbemanagedbyGroupPolicy,andtheframeworkisextensible.So,intheend,youcouldmanagejustaboutanythingwithGroupPolicy.

Todefineapolicysetting,doubleclickit.

ThepolicysettingPropertiesdialogboxappears.

Apolicysettingcanhavethreestates:NotConfigured,Enabled,andDisabled.

InanewGPO,everypolicysettingissettoNotConfigured.Thismeansthatthe



GPOwillnotmodifytheexistingconfigurationofthatparticularsettingforauserorcomputer.Ifyouenableordisableapolicysetting,achangewillbemadetotheconfigurationofusersandcomputerstowhichtheGPOisapplied.

Theeffectofthechangedependsonthepolicysetting.Forexample,ifyouenablethePreventAccessToRegistryEditingToolspolicysetting,userswillbeunabletolaunchtheRegedit.exeRegistryEditor.Ifyoudisablethepolicysetting,youensurethatuserscanlaunchtheRegistryEditor.Noticethedoublenegativeinthispolicysetting:Youdisableapolicythatpreventsanaction,soyouallowtheaction.

Somepolicysettingsbundleseveralconfigurationsintoonepolicyandmightrequireadditionalparameters.Inthescreenshotabove,youcanseethatbyenablingthepolicytorestrictregistryeditingtools,youcanalsodefinewhetherregistryfilescanbemergedintothesystemsilentlybyusingregedit/s.

NoteManypolicysettingsarecomplex,andtheeffectofenablingordisablingthemmightnotbeimmediatelyclear.Also,somepolicysettingsaffectonlycertainversionsofWindows.

BesuretoreviewapolicysettingsexplanatorytextintheGroupPolicyManagementEditor(GPME)detailpaneorontheExplaintabinthepolicysettingsPropertiesdialogbox.Inaddition,alwaystesttheeffectsofapolicysettinganditsinteractionswithotherpolicy



settingsbeforedeployingachangeintheproductionenvironment.

YouwillexplorepolicysettingsandhowtomanagetheminLesson3.

Benefits of Using Group Policy

GroupPoliciesareaverypowerfuladministrativetool.Youcanusethemtoenforcevarioustypesofsettingstoalargenumberofusersandcomputers.Becausetheycanbeappliedtovariouslevelsfromlocaltodomain,youcanalsofocusthesesettingsveryprecisely.

Primarily,youcanuseGroupPoliciestoconfiguresettingsthatyoudonotwantusers



toconfigure.Also,GroupPoliciesareusuallyusedtostandardizedesktopenvironmentsonallthecomputersinanorganizationalunitorwholeorganization.YoualsocanuseGroupPoliciestoprovideadditionalsecurityandsomeadvancedsystemsettings.

MostoftenGroupPoliciesareusedforfollowingpurposes.

Apply Security Settings

InWindowsServer2008R2,GPOsincludealargenumberofsecurityrelatedsettingsthatyoucanapplytobothusersandcomputers.Forexample,youcanenforcesettingsforWindowsFirewallandconfigureAuditing,EncryptingFileSystem(EFS)policiesandothersecuritysettings.Youcanalsoconfigurefullsetofuserrightsassignments.

Manage Desktop and Application Settings

YoucanuseaGroupPolicytoprovideaconsistentdesktopandapplicationenvironmenttoallusersinyourorganizationUsingGPOs,itispossibletoconfigureeachsettingthataffectsthelookandfeelofuserenvironmentandalsotoconfiguresettingsforsomeapplicationsthatsupportGPOs.

Deploy Software

GroupPoliciescanalsobeusedtodeploysoftwareforusersorcomputers.Allsoftwarethatisprovidedinthe.msiformatcanbedeployedbyusingGroupPolicy.



Youcanenforceautomaticsoftwareinstallationoryoucanletyourusersdecideiftheywantthesoftwaretobedeployedtotheirmachinesornot.

Manage Folder Redirection

WithFolderRedirection,youcaneasilymanageandbackupdata.Byredirectingfolders,youcanensurethatusershaveaccesstotheirdataregardlessofthecomputerthattheyusetologon.Also,youcancentralizeallusersdatatooneplaceonthenetworkserver,whilestillprovidingtheuseranexperiencesimilartostoringthesefoldersontheircomputers.

Configure Network Settings.

UsingGroupPolicies,youcanconfigurevariousnetworksettingsonclientcomputers.Forexample,youcanenforcesettingsforwirelessnetworkstoallowuserstoconnectonlytospecificSSIDsandwithpredefinedauthenticationandencryptionsettings.YoucanalsodeploypoliciesthatapplytowirednetworksettingsaswellasconfigureclientsideofservicessuchasNetworkAccessProtection

Group Policy Objects



PolicysettingsaredefinedandexistwithinaGPO.AGPOisanobjectthatcontainsoneormorepolicysettingsandtherebyappliesoneormoreconfigurationsettingsforauseroracomputer.

GPOscanbemanagedinActiveDirectorybyusingtheGroupPolicyManagementconsole(GPMC),shownhere:



GPOsaredisplayedinacontainernamedGroupPolicyObjects.

TocreateanewGPOinadomain,rightclicktheGroupPolicyObjectscontainer,andthenclickNew.TomodifytheconfigurationsettingsinaGPO,rightclicktheGPO,andthenclickEdit.

TheGPOopensintheGPMEsnapin,formerlyknownastheGroupPolicyObjectEditor(GPOEditor),shownhere:



TheGPMEdisplaysthethousandsofpolicysettingsavailableinaGPOinanorganizedhierarchythatbeginswiththedivisionbetweencomputersettingsandusersettings,theComputerConfigurationnodeandtheUserConfigurationnode.ThenextlevelsofthehierarchyaretwonodescalledPoliciesandPreferences.Youwilllearnaboutthedifferencebetweenthesetwonodesasthislessonprogresses.Drillingdeeperintothehierarchy,youwillseethattheGPMEdisplaysfolders,whicharealsocallednodesorpolicysettinggroups.Withinthefoldersarethepolicysettingsthemselves.ThePreventAccessToRegistryEditingToolsoptionisselectedinthescreenshotshownhere.

TheGPOmustbeappliedtodomain,site,orOUintheADDShierarchyforthesettingswithintheobjecttotakeeffect.



YouwilllearnhowtoimplementandmanageGPOsinLesson2.

GPO Scope

ConfigurationisdefinedbypolicysettingsinGPOs.However,theconfigurationchangesinaGPOdonotaffectcomputersorusersinyourenterpriseuntilyouhavespecifiedthecomputersoruserstowhichtheGPOapplies.ThisiscalledscopingaGPO.ThescopeofaGPOisthecollectionofusersandcomputersthatwillapplythesettingsintheGPO.

YoucanuseseveralmethodstomanagethescopeofGPOs.ThefirstistheGPOlink.GPOscanbelinkedtosites,domains,andOUsinActiveDirectory.Thesite,domain,



orOUthenbecomesthemaximumscopeoftheGPO.Allcomputersanduserswithinthesite,domain,orOU,includingthoseinchildOUs,willbeaffectedbytheconfigurationsspecifiedbythepolicysettingsintheGPO.AsingleGPOcanbelinkedtomorethanonesiteorOU.

YoucanfurthernarrowthescopeoftheGPOwithoneoftwotypesoffilters:securityfiltersthatspecifyglobalsecuritygroupstowhichtheGPOshouldorshouldnotapply,andWindowsManagementInstrumentation(WMI)filtersthatspecifyascopebyusingcharacteristicsofasystem,suchasoperatingsystemversionorfreediskspace.UsesecurityfiltersandWMIfilterstonarroworspecifythescopewithintheinitialscopecreatedbytheGPOlink.

WindowsServer2008introducedanewcomponentofGroupPolicy:GroupPolicyPreferences.SettingsthatareconfiguredbyGroupPolicyPreferenceswithinaGPOcanbefilteredortargetedbasedonseveralcriteria.TargetedpreferencesallowyoutofurtherrefinethescopeofPreferenceswithinasingleGPO.

Group Policy Client and Client-Side Extensions



Howexactlyarethepolicysettingsapplied?WhenGroupPolicyrefreshbegins,aservicerunningonallWindowssystems,whichiscalledtheGroupPolicyClientinWindowsVista,Windows7,WindowsServer2008,andWindowsServer2008R2,determineswhichGPOsapplytothecomputeroruser.ThisservicedownloadsanyGPOsthatarenotalreadycached.Then,aseriesofprocessescalledclientsideextensions(CSEs)interpretthesettingsinaGPOandmakeappropriatechangestothelocalcomputerortothecurrentlyloggedonuser.ThereareCSEsforeachmajorcategoryofpolicysetting.Forexample,thereisasecurityCSEthatappliessecuritychanges,aCSEthatexecutesstartupandlogonscripts,aCSEthatinstallssoftware,andaCSEthatmakeschangestoregistrykeysandvalues.EachversionofWindowshasaddedCSEstoextendthefunctionalreachofGroupPolicy.ThereareseveraldozenCSEsnowinWindows.



OneofthemoreimportantconceptstorememberaboutGroupPolicyisthatitisreallyclientdriven.TheGroupPolicyclientpullstheGPOsfromthedomain,triggeringtheCSEstoapplysettingslocally.GroupPolicyisnotapushtechnology.

Infact,thebehaviorofCSEscanbeconfiguredbyusingGroupPolicy.MostCSEswillapplysettingsinaGPOonlyifthatGPOhaschanged.Thisbehaviorimprovesoverallpolicyprocessingbyeliminatingredundantapplicationsofthesamesettings.MostpoliciesareappliedinsuchawaythatstandarduserscannotchangethesettingontheirsystemtheywillalwaysbesubjecttotheconfigurationenforcedbyGroupPolicy.However,somesettingscanbechangedbystandardusers,andmanycanbechangedifauserisanadministratoronthatsystem.Ifusersinyourenvironmentareadministratorsontheircomputers,considerconfiguringCSEstoreapplypolicysettingseveniftheGPOhasnotchanged.Thatway,ifanadministrativeuserchangesaconfigurationsothatitisnolongercompliantwithpolicy,theconfigurationwillberesettoitscompliantstateatthenextGroupPolicyrefresh.

NoteYoucanconfigureCSEstoreapplypolicysettings,eveniftheGPOhasnotchanged,atbackgroundrefresh.Todoso,configureaGPOscopedtocomputersanddefinethesettingsintheComputerConfiguration\Policies\AdministrativeTemplates\System\GroupPolicynode.ForeachCSEyouwanttoconfigure,openitspolicyprocessingpolicysetting,suchasRegistryPolicyProcessingfortheRegistryCSE.ClickEnabledandselecttheProcesseveniftheGroupPolicyobjectshavenotchangedcheckbox.



AnimportantexceptiontothedefaultpolicyprocessingsettingsissettingsmanagedbythesecurityCSE.Securitysettingsarereappliedevery16hoursevenifaGPOhasnotchanged.

NoteEnabletheAlwaysWaitForNetworkAtStartupAndLogonpolicysettingforallWindowsclients.Withoutthissetting,bydefault,WindowsXP,WindowsVista,andWindows7clientsperformonlybackgroundrefreshesaclientmightstartup,andausermightlogonwithoutreceivingthelatestpoliciesfromthedomain.ThesettingislocatedinComputerConfiguration\Policies\AdministrativeTemplates\System\Logon.Besuretoreadthepolicysettingsexplanatorytext.Thecontoso.comdomainusedinthiscoursehasbeenpreconfiguredwiththisadditionalGroupPolicysetting.

Group Policy Refresh



Whenarepoliciesapplied?PolicysettingsintheComputerConfigurationnodeareappliedatsystemstartupandevery90120minutesthereafter.UserConfigurationpolicysettingsareappliedatlogonandevery90120minutesthereafter.TheapplicationofpoliciesiscalledGroupPolicyrefresh.

YoucanalsoforceapolicyrefreshbyusingtheGPUpdatecommand.

YouwilllearnmoreaboutGroupPolicyrefreshinLesson6.

Review the Components of Group Policy



Asdiscussedinprevioustopics,themostimportantcomponentstotakecareofwhendealingwithGroupPoliciesare:

Setting.ThisrepresentsaspecificsettingthatisconfigurableineachGroupPolicyobject.InWindowsServer2008R2,therealmost3,000differentsettings.GroupPolicysettingsprovidethemeaningandpurposeofGroupPolicy.Settingscanbeenabledordisabled,butbydefault,theyareNotConfigured.Theeffectofenablingordisablingasettingcansometimesbecomplextoevaluate,sobesuretoreadtheexplanatorytextandtestallsettingsbeforedeployingtheminproduction.

Scope.AfterGroupPolicysettingsareconfigured,youmustdecidewheretoapplytheGPO.Thisisdefinedbyscope.AGPOcanbelinkedtoasite,domain,orOU.



Withinthelinkscope,aGPOcanbefilteredwithsecuritygroupsorWMIfilters.

Application.WhenplanningGroupPolicyapplication,youmustbeawareofrefreshintervalsforvarioustypesofcomputers.Computersettingsareappliedatstartupandevery90120minutesthereafter.Usersettingsareappliedatlogonandevery90120minutesthereafter.

Tools.ThereareseveraltoolsformanagingGPOs.GPOsaremanagedthroughtheGroupPolicyManagementconsole.PolicysettingswithinaGPOareconfiguredbyusingtheGPME.GPUpdateallowsyoutomanuallytriggerGroupPolicyrefresh.RSoPtoolsallowyoutoevaluateandmodelthesettingsthatwereappliedbyGroupPolicy.

Demonstration: Exploring Group Policy Settings



GroupPolicysettings,alsoknownaspolicies,arecontainedinaGPOandareviewedandmodifiedbyusingtheGPME.Inthisdemonstration,youwilllookmorecloselyatthecategoriesofsettingsavailableinaGPO.

Computer Configuration and User Configuration

Therearetwomajordivisionsofpolicysettings:computersettings,containedintheComputerConfigurationnode,andusersettings,containedintheUserConfigurationnode.

TheComputerConfigurationnodecontainsthesettingsthatareappliedtocomputers,regardlessofwhologsontothem.Computersettingsareappliedwhen



theoperatingsystemstartsandduringbackgroundrefreshandevery90120minutesthereafter.

TheUserConfigurationnodecontainssettingsthatareappliedwhenauserlogsontothecomputerandduringbackgroundrefreshandevery90120minutesthereafter.

WithintheComputerConfigurationandUserConfigurationnodesarethePoliciesandPreferencesnodes.PoliciesaresettingsthatareconfiguredandbehavesimilarlytothepolicysettingsintheearlierversionsofWindows.PreferencesareintroducedinWindowsServer2008.Thefollowingsectionsexaminethesenodes.

WithinthePoliciesnodeswithinComputerConfigurationandUserConfigurationareahierarchyoffolderscontainingpolicysettings.Becausetherearethousandsofsettings,itisbeyondthescopeoftheexamandofthiscoursetoexamineindividualsettings.Itisworthwhile,however,todefinethebroadcategoriesofsettingsinthefolders.

Software Settings Node

TheSoftwareSettingsnodeisthefirstnode.ItcontainsonlytheSoftwareInstallationextension.Thisextensionhelpsyouspecifyhowapplicationsareinstalledandmaintainedwithinyourorganization.Itprovidesaplaceforindependentsoftwarevendorstoaddsettings.SoftwaredeploymentwithGroupPolicyisdiscussedin



Module7.

Windows Settings Node

InbothComputerConfigurationandUserConfigurationnodes,thePoliciesnodecontainsaWindowsSettingsnode,whichincludestheScripts,SecuritySettings,andPolicyBasedQoSnodes.

TheScriptsextensionenablesyoutospecifytwotypesofscripts,startup/shutdown(intheComputerConfigurationnode),andlogon/logoff(intheUserConfigurationnode).Startup/shutdownscriptsrunatcomputerstartuporshutdown.Logon/logoffscriptsrunwhenauserlogsonoroff.Whenyouassignmultiplelogon/logofforstartup/shutdownscriptstoauserorcomputer,theScriptsCSEexecutesthescriptsfromtoptobottom.YoucandeterminetheorderofexecutionformultiplescriptsinthePropertiesdialogbox.Whenacomputerisshutdown,theCSEfirstprocesseslogoffscripts,followedbyshutdownscripts.Bydefault,thetimeoutvalueforprocessingscriptsis10minutes.Ifthelogoffandshutdownscriptsrequiremorethan10minutestoprocess,youmustadjustthetimeoutvaluewithapolicysetting.YoucanuseanyActiveXscriptinglanguagetowritescripts.SomepossibilitiesincludeMicrosoftVisualBasicScriptingEdition(VBScript),MicrosoftJScript,Perl,andMicrosoftMSDOSstylebatchfiles(.batand.cmd).Logonscriptsonasharednetworkdirectoryinanotherforestaresupportedfornetworklogonacrossforests.

Security Settings Node



TheSecuritySettingsnodeallowsasecurityadministratortoconfiguresecuritybyusingGPOs.Thiscanbedoneafter,orinsteadof,usingasecuritytemplatetosetsystemsecurity.ForadetaileddiscussionofsystemsecurityandtheSecuritySettingsnode,refertoModule7.

Policy-Based QoS Node

ThePolicyBasedQoSnodedefinespoliciesthatmanagenetworktraffic.Forexample,youmightwanttoensurethatusersintheFinancedepartmenthavepriorityforrunningacriticalnetworkapplicationduringtheendofyearfinancialreportingperiod.ThePolicyBasedQoSnodeenablesyoutodothat.

IntheUserConfigurationnodeonly,theWindowsSettingsfoldercontainstheadditionalRemoteInstallationServices,FolderRedirection,andInternetExplorerMaintenancenodes.RemoteInstallationServices(RIS)policiescontrolthebehaviorofaremoteoperatingsysteminstallation.FolderRedirectionenablesyoutoredirectuserdataandsettingsfolderssuchasAppData,Desktop,Documents,Pictures,Music,andFavoritesfromtheirdefaultuserprofilelocationtoanalternatelocationonthenetwork,wheretheycanbecentrallymanaged.InternetExplorerMaintenanceenablesyoutoadministerandcustomizeMicrosoftInternetExplorer.

Administrative Templates Node

IntheComputerConfigurationandUserConfigurationnodes,theAdministrativeTemplatesnodecontainsregistrybasedGroupPolicysettings.TheAdministrative



Templatesnodeisdiscussedindetaillaterinthismodule.

Therearethousandsofsuchsettingsavailableforconfiguringtheuserandcomputerenvironment.Asanadministrator,youmightspendasignificantamountoftimemanipulatingthesesettings.Toassistyouwiththesettings,adescriptionofeachpolicysettingisavailableintwolocations:

OntheExplaintabinthePropertiesdialogboxforthesetting.Inaddition,theSettingstabinthePropertiesdialogboxforeachsettingalsoliststherequiredoperatingsystemorsoftwareforthesetting.

OntheExtendedtaboftheGPME.TheExtendedtabappearsonthelowerrightofthedetailspaneandprovidesadescriptionofeachselectedsettinginacolumnbetweentheconsoletreeandthesettingspane.Therequiredoperatingsystemorsoftwareforeachsettingisalsolisted.

Lesson 2: Implement GPOs



NowthatyouhaveabroadunderstandingofGroupPolicyanditscomponents,youcanlookcloselyateachcomponent.Inthissection,youwillexamineGPOsindetail.

Objectives


Create,edit,andlinkGPOs.

IdentifychangeandconfigurationmanagementcapabilitiesofGroupPolicy.

Configurepolicysettings.



ExplainGPOstorage,replication,andversioning.

Local GPOs

Tomanageconfigurationforusersandcomputers,youcreateGPOsthatcontainthepolicysettingsyourequire.EachcomputerhasseveralGPOsstoredlocallyonthesystem,knownasthelocalGPOs,andcanbewithinthescopeofanynumberofdomainbasedGPOs.

ComputersthatrunWindows2000Server,WindowsXP,andWindowsServer2003haveonelocalGPOeach,whichcanmanagethatsystemsconfiguration.Thelocal



GPOexistswhetherornotthecomputerispartofadomain,aworkgroup,oranonnetworkedenvironment.Itisstoredin%SystemRoot%\System3\GroupPolicy.ThepoliciesinthelocalGPOaffectonlythecomputeronwhichtheGPOisstored.Bydefault,onlytheSecuritySettingspoliciesareconfiguredonasystemslocalGPO.AllotherpoliciesaresetatNotConfigured.

WhenacomputerdoesnotbelongtoanActiveDirectorydomain,thelocalpolicyisusefultoconfigureandenforceconfigurationonthatcomputer.However,inanActiveDirectorydomain,settingsinGPOsthatarelinkedtothesite,domain,orOUswilloverridelocalGPOsettingsandareeasiertomanagethanGPOsonindividualcomputers.

WindowsVista,Windows7,WindowsServer2008,andlatersystemshavemultiplelocalGPOs.TheLocalComputerGPOisthesameastheGPOinthepreviousversionsofWindows.IntheComputerConfigurationnode,youcanconfigureallcomputerrelatedsettings.IntheUserConfigurationnode,youcanconfiguresettingsyouwanttoapplytoallusersonthecomputer.TheusersettingsintheLocalComputerGPOcanbemodifiedbytheusersettingsintwonewlocalGPOs:AdministratorsandNonAdministrators.ThesetwoGPOsapplyusersettingstologgedonusersaccordingtowhethertheyaremembersofthelocalAdministratorsgroupinwhichcasetheywouldusetheAdministratorsGPOornotmembersoftheAdministratorsgroup(andusetheNonAdministratorsGPO).YoucanfurtherrefinetheusersettingswithalocalGPOthatappliestoaspecificuseraccount.UserspecificlocalGPOsareassociatedwithlocal,notdomain,useraccounts.



RSoPiseasyforcomputersettings:TheLocalComputerGPOistheonlylocalGPOthatcanapplycomputersettings.UsersettingsinauserspecificGPOoverrideconflictingsettingsintheAdministratorsandNonAdministratorsGPOs,whichthemselvesoverridesettingsintheLocalComputerGPO.TheconceptissimplethemorespecificthelocalGPO,thehighertheprecedenceofitssettings.

TocreateandeditlocalGPOs:

1. ClicktheStartbuttonandintheStartSearchbox,typemmc.exe,andthenpressEnter.

AnemptyMicrosoftManagementconsole(MMC)opens.

2. ClickFile,andthenclickAdd/RemoveSnapin.

3. SelecttheGroupPolicyObjectEditoroption,andthenclickAdd.

Adialogboxappears,promptingyoutoselecttheGPOtoedit.

4. TheLocalComputerGPOisselectedbydefault.IfyouwanttoeditanotherlocalGPO,clicktheBrowsebutton.OntheUserstab,youwillfindtheNonAdministratorsandAdministratorsGPOsandoneGPOforeachlocaluser.SelecttheGPOandclickOK.

5. ClickFinish,andthenclickOKtocloseeachofthedialogboxes.



TheGroupPolicyObjectEditorsnapinisaddedandfocusedontheselectedGPO.

Question:IfdomainmemberscanbecentrallymanagedbyusingdomainlinkedGPOs,inwhichscenarioscanyouuselocalGPOs?

Domain-Based GPOs

DomainbasedGPOsarecreatedinActiveDirectoryandstoredondomaincontrollers.Theyareusedtomanageconfigurationcentrallyforusersandcomputersinthedomain.TheremainderofthiscoursereferstodomainbasedGPOsratherthanlocalGPOs,unlessotherwisespecified.



WhenADDSisinstalled,twodefaultGPOsarecreated:DefaultDomainControllersPolicyandDefaultDomainPolicy.

Default Domain Policy

ThisGPOislinkedtothedomainandhasnosecuritygrouporWMIfilters.Therefore,itaffectsallusersandcomputersinthedomain,includingcomputersthataredomaincontrollers.ThisGPOcontainspolicysettingsthatspecifypassword,accountlockout,andKerberospolicies.InModule10,youwilllearnhowtomodifythedefaultsettingsinthisGPOtoalignwithyourenterprisepasswordandaccountlockoutpolicies.YoushouldnotaddunrelatedpolicysettingstothisGPO.Ifyouneedtoconfigureothersettingstoapplybroadlyinyourdomain,createadditionalGPOslinkedtothedomain.

Default Domain Controllers Policy

ThisGPOislinkedtotheOUofthedomaincontrollers.BecausecomputeraccountsfordomaincontrollersarekeptexclusivelyintheDomainControllersOU,andothercomputeraccountsshouldbekeptinotherOUs,thisGPOaffectsonlydomaincontrollers.TheDefaultDomainControllersGPOshouldbemodifiedtoimplementyourauditingpolicies,asyouwillseeinModules8through10.Itshouldalsobemodifiedtoassignuserrightsrequiredondomaincontrollers.

Demonstration: Create, Link, and Edit GPOs



TocreateaGPO,rightclicktheGroupPolicyObjectscontainer,andthenclickNew.

YoumusthavepermissiontotheGroupPolicyObjectscontainertocreateaGPO.Bydefault,theDomainAdminsgroupandtheGroupPolicyCreatorOwnersgrouparedelegatedtheabilitytocreateGPOs.

TodelegatepermissiontocreateGPOstoothergroups,selecttheGroupPolicyObjectscontainerintheGPMCconsoletreeandthenclicktheDelegationtabintheconsoledetailspane.



AfteryouhavecreatedaGPO,youcancreatetheinitialscopeoftheGPObylinkingittoasite,domain,orOU.

TolinkaGPO,rightclickthesite,domain,orOU,andthenclickLinkAnExistingGPO.

YoucanalsocreateandlinkaGPOwithasinglestep:rightclickasite,domain,orOU,andthenclickCreateAGPOInThisDomainAndLinkItHere.

NotethatyouwillnotseeyoursitesintheSitesnodeoftheGPMCuntilyourightclickSites,clickShowSites,andthenselectthesitesyouwanttomanage.

YoumusthavepermissiontolinkGPOstoasite,domain,orOU.IntheGPMC,selectthecontainerintheconsoletree,andthenclicktheDelegationtabintheconsoledetailspane.FromthePermissiondropdownlist,clickLinkGPOs.TheusersandgroupsdisplayedholdthepermissionfortheselectedOU.ClicktheAddorRemovebuttonstomodifythedelegation.

ToeditaGPO,rightclicktheGPOintheGroupPolicyObjectscontainerandclickEdit.

TheGPOisopenedintheGPME.YoumusthaveatleasttheReadpermissiontoopentheGPOinthisway.



TomakechangestoaGPO,youmusthavetheWritepermissiontotheGPO.PermissionsfortheGPOcanbesetbyselectingtheGPOintheGroupPolicyObjectscontainerandthenclickingtheDelegationtabinthedetailspane.

TheGPMEwilldisplaythenameoftheGPOastherootnode.TheGPMEalsodisplaysthedomaininwhichtheGPOisdefinedandtheserverfromwhichtheGPOwasopenedandtowhichchangeswillbesaved.TherootnodeisintheGPOName[ServerName]format.InthescreenshotoftheGPMEonanearlierpageinthismodule,therootnodeisCONTOSOStandards[SERVER01.contoso.com]Policy.TheGPOnameisCONTOSOStandards,anditwasopenedfromSERVER01.contoso.com,meaningthattheGPOisdefinedinthecontoso.comdomain.

Bydefault,boththeGPMCandtheGPMEconsoleconnecttoaspecificdomaincontrollerinyourenvironmentwiththedomaincontrolleractingasthePDCEmulator.Inalatermodule,youwilllearntoidentifyandmanagewhichdomaincontrollerhasthisrole.

ThisisdonetoreducethepossibilitythatasingleGPOmightbechangedontwodifferentdomaincontrollers,atwhichpointduringreplicationtherewouldbenowaytoreconcilethechanges,andonlyoneversionoftheentireGPOwouldprevailandbereplicated.Focusingtheadministrativetoolsononedomaincontrollerhelpsensurethatchangesaremadeinoneplace.

However,inalarge,distributedenvironment,thePDCEmulatormaybeinadistant



site,resultinginslowperformancefortheGPMCs.Youcanrightclicktherootnodeofeachconsoleandconnecttoaspecificdomaincontrollerclosertoyou.Justbecognizantofthereplicationissue:IfyouaretheonlyonewhoiseditingaGPO,itisperfectlyacceptableforyoutodosoonalocal,higherperformingdomaincontroller.

Demonstration Steps

CreateaGPO.

OpenaGPOforediting.

LinkaGPO.

DelegatethemanagementofGPOs.

DeletetheGPO.

DiscussthedefaultconnectiontoPDCemulator.

GPO Storage



GroupPolicysettingsarepresentedasGPOsinActiveDirectoryuserinterfacetools,butaGPOisactuallytwocomponents:aGroupPolicyContainer(GPC)andaGroupPolicyTemplate(GPT).

TheGPCisanActiveDirectoryobjectstoredintheGroupPolicyObjectscontainerwithinthedomainnamingcontextofthedirectory.LikeallActiveDirectoryobjects,eachGPCincludesagloballyuniqueidentifier(GUID)attributethatuniquelyidentifiestheobjectwithinActiveDirectory.TheGPCdefinesbasicattributesoftheGPO,butitdoesnotcontainanyofthesettings.ThesettingsarecontainedintheGPTacollectionoffilesstoredintheSYSVOLofeachdomaincontrollerinthe%SystemRoot%\SYSVOL\Domain\Policies\GPOGUIDpath,whereGPOGUIDistheGUIDoftheGPC.WhenyoumakechangestothesettingsofaGPO,thechangesare



savedtotheGPToftheserverfromwhichtheGPOwasopened.

Bydefault,whenGroupPolicyrefreshoccurs,theCSEsapplysettingsinaGPOonlyiftheGPOhasbeenupdated.

TheGroupPolicyclientcanidentifyanupdatedGPObyitsversionnumber.EachGPOhasaversionnumberthatisincrementedeachtimeachangeismade.TheversionnumberisstoredasanattributeoftheGPCandinatextfile,GPT.ini,intheGPTfolder.TheGroupPolicyclientknowstheversionnumberofeachGPOithaspreviouslyapplied.If,duringGroupPolicyrefresh,theGroupPolicyclientdiscoversthattheversionnumberoftheGPChasbeenchanged,theCSEswillbeinformedthattheGPOisupdated.

GPO Replication

GroupPolicyContainerandGroupPolicyTemplatearebothreplicatedbetweenalldomaincontrollersinActiveDirectory.However,differentreplicationmechanismsareusedforthesetwoitems.

TheGPCinActiveDirectoryisreplicatedbytheDirectoryReplicationAgent(DRA).TheDRAusesatopologygeneratedbytheKnowledgeConsistencyChecker(KCC)thatcanbedefinedorrefinedmanually.YouwilllearnmoreaboutActiveDirectoryReplicationinModule14.TheresultisthattheGPCisreplicatedwithinsecondstoalldomaincontrollersinasiteandisreplicatedbetweensitesbasedonyourintersitereplicationconfiguration.ThisprocesswillalsobediscussedinModule14.



TheGPTintheSYSVOLisreplicatedbyusingoneofthefollowingtwotechnologies.TheFileReplicationService(FRS)isusedtoreplicateSYSVOLindomainsrunningWindowsServer2008,WindowsServer2008R2,WindowsServer2003,andWindows2000.IfalldomaincontrollersarerunningWindowsServer2008orearlier,youcanconfigureSYSVOLreplicationbyusingDistributedFileSystemReplication(DFSR),whichisamuchmoreefficientandrobustmechanism.

BecausetheGPCandGPTarereplicatedseparately,itispossibleforthemtobecomeoutofsyncforashorttime.

Typically,whenthishappens,theGPCwillreplicatetoadomaincontrollerfirst.SystemsthatobtainedtheirorderedlistofGPOsfromthatdomaincontrollerwillidentifythenewGPC,willattempttodownloadtheGPT,andwillnoticethattheversionnumbersarenotthesame.Apolicyprocessingerrorwillberecordedintheeventlogs.Ifthereversehappens,andtheGPOreplicatestoadomaincontrollerbeforetheGPC,clientsobtainingtheirorderedlistofGPOsfromthatdomaincontrollerwillnotbenotifiedofthenewGPOuntiltheGPChasreplicated.

Manage GPOs and Their Settings



WhenyourightclickaGPOintheGPMC,alistofusefulmanagementcommandsappears.

Copy.YoucancopyaGPOandthenrightclicktheGroupPolicyObjectscontainerandselectPastetocreateacopyoftheGPO.ThisisusefulwhenyouwanttocreateanewGPOinthesamedomainandtostartwiththesamesettingsasanexistingGPO.ItisalsousefultocopyaGPOintoanotherdomain,forexample,betweenatestdomainandaproductiondomain.TocopyaGPObetweendomains,addthetargettrusteddomaintotheGPMC.YoumusthavepermissiontocreateGPOsinthetargetdomain.WhenyoupasteaGPO,youaregiventheoptiontocopytheaccesscontrollist(ACL)fromtheoriginalGPO,whichpreservesthesecurityfiltering,ortousethedefaultACLfornewGPOsinthetargetdomain.



BackUp.Aswithanycriticaldata,itisimportanttobackupGPOs.BecauseaGPOconsistsofseveralfiles,objects,permissions,andlinks,managingthebackupandrestoreofGPOsisquitedifficult.Luckily,theBackUpcommandpullsallofthosepiecesintoasingleplaceandmakesrestoreasimpletask.

RestorefromBackup.RestoreanentireGPO,includingitsfiles,objects,permissions,andlinksintothesamedomaininwhichtheGPOoriginallyexisted.

ImportSettings.ImportonlythesettingsfromabackedupGPO.Althoughthisoptiondoesnotimportpermissionsorlinks,itcanbeusefulfortransferringGPOsbetweennontrusteddomainsthatcannotusecopyandpaste.IfaGPOincludespotentiallydomainspecificsettings,includingtheUNCpathsornamesofsecuritygroups,youwillbepromptedastowhetheryouwanttoimportthosesettingsexactlyastheywerebackeduportouseamigrationtablethatmapssourcetodestinationnames.

SaveReport.UsethistosaveanHTMLreportoftheGPOsettings.

Delete.UsethistodeleteaGPO.

Rename.UsethistorenameaGPO.

Lab A: Implement Group Policy



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.



4. Logonbyusingthefollowingcredentials:

Username:Pat.Coleman

Password:Pa$$w0rd

Domain:Contoso

5. Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodoso.

Lab Scenario

YouareresponsibleformanagingchangeandconfigurationatContoso,Ltd.ContosocorporateITsecuritypoliciesspecifythatcomputerscannotbeleftunattendedandloggedontoformorethan10minutes.Youwillthereforeconfigurethescreensavertimeoutandpasswordprotectedscreensaverpolicysettings.Additionally,youwilllockdownaccesstoregistryeditingtools.

Exercise 1: Create, Edit, and Link Group Policy Objects

Inthisexercise,youwillcreateaGPOthatimplementsasettingmandatedbythecorporatesecuritypolicyofContoso,Ltdandscopethesettingtoallusersandcomputersinthedomain.YouwillthenexaminetheeffectoftheGPO.Youcanalsoexploreothersettingsthataremadeavailablewithina



GPO.

Themaintasksforthisexerciseareasfollows:

1. CreateaGPO.

2. EditthesettingsofaGPO.

3. ScopeaGPOwithaGPOlink.

4. ViewtheeffectsofGroupPolicyapplication.

5. ExploreGPOsettings.

Task 1: Create a GPO.

1. OnNYCDC1,runGroupPolicyManagementasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. CreateaGroupPolicyObjectnamedCONTOSOStandardsintheGroupPolicyObjectscontainer.

Task 2: Edit the settings of a GPO.

1. EdittheCONTOSOStandardsGPO.



2. NavigatetotheUserConfiguration,Policies,AdministrativeTemplates,Systemfolder.

3. PreventusersfromrunningRegistryEditorandregedit/s.

4. NavigatetotheUserConfiguration,Policies,AdministrativeTemplates,ControlPanel,Personalizationfolder.

5. ExaminetheexplanatorytextfortheScreensavertimeoutpolicysetting.

6. ConfiguretheScreensavertimeoutpolicyto600seconds.

7. EnablethePasswordprotectthescreensaverpolicysetting.

Task 3: Scope a GPO with a GPO link.

LinktheCONTOSOStandardsGPOtothecontoso.comdomain.

Task 4: View the effects of Group Policy application.

1. LogontoNYCCL1asPat.Coleman.

2. Attempttochangethescreensaverwaittimeandresumesettings.YouarepreventedfromdoingsobyGroupPolicy.



3. AttempttorunRegistryEditor.YouarepreventedfromdoingsobyGroupPolicy.

Task 5: Explore GPO settings.

OnNYCDC1,edittheCONTOSOStandardsGPOandspendtimeexploringthesettingsthatareavailableinaGPO.Donotmakeanychanges.

Results:Inthisexercise,youcreatedaGPOnamedContosoStandardsthatconfigurespasswordprotectedscreensaver,screensavertimeout,andregistryeditingtoolrestrictions

NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecausethesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.

Exercise 2: Use Filtering and Commenting

Inthisexercise,youwillusethenewcommentingandfilteringfeaturesofGroupPolicytolocateanddocumentpolicysettings.




1. Searchandfilterpolicysettings.

2. DocumentGPOsandsettingswithcomments.

Task 1: Search and filter policy settings.

1. Ifnecessary,opentheGPMCandthenedittheCONTOSOStandardsGPO.

2. IntheUserConfiguration\Policies\AdministrativeTemplatesfolder,filtertheviewtoshowonlypolicysettingsthatcontainthephrasescreensaver.Spendafewmomentsexaminingthosesettings.

3. Filtertheviewtoshowonlyconfiguredpolicysettings.Spendafewmomentsexaminingthosesettings.

4. TurnoffthefilterfromAdministrativeTemplates.

Task 2: Document GPOs and settings with comments.

1. EditthecommenttotheCONTOSOStandardsGPOandaddthefollowingcommenttotheGPO:Contosocorporatestandardpolicies.Settingsarescopedtoallusersandcomputersinthedomain.Personresponsible



forthisGPO:yourname.

ThiscommentappearsontheDetailstaboftheGPOintheGPMC.

2. AddthefollowingcommenttotheScreensavertimeoutpolicysetting:CorporateITSecurityPolicyimplementedwiththispolicyincombinationwithPasswordProtecttheScreenSaver.

3. AddthefollowingcommenttothePasswordprotectthescreensaverpolicysetting:CorporateITSecurityPolicyimplementedwiththispolicyincombinationwithScreenSaverTimeout.

Results:Inthisexercise,youaddedcommentstoyourGroupPolicyobjectandsettings.

Lab Review Questions

Question:WhichpolicysettingsarealreadybeingdeployedbyusingGroupPolicyinyourorganization?

Question:Whichpolicysettingsdidyoudiscoverthatyoumightwanttoimplementinyourorganization?

Lesson 3: Manage Group Policy Scope



AGPOis,byitself,acollectionofconfigurationinstructionsthatwillbeprocessedbytheCSEsofcomputers.UntiltheGPOisscoped,itdoesnotapplytoanyusersorcomputers.TheGPOsscopedeterminestheCSEsofwhichcomputerswillreceiveandprocesstheGPOandonlythecomputersoruserswithinthescopeofaGPOwillapplythesettingsinthatGPO.Inthislesson,youwilllearntomanagethescopeofaGPO.ThefollowingmechanismsareusedtoscopeaGPO:

TheGPOlinktoasite,domain,orOUandwhetherthatlinkisenabled

TheEnforceoptionofaGPO

TheBlockInheritanceoptiononanOU



Securitygroupfiltering

WMIfiltering

Policynodeenablingordisabling

Preferencestargeting

Loopbackpolicyprocessing

Youmustbeabletodefinetheusersorcomputerstowhichconfigurationisdeployed,andtherefore,youmustmastertheartofscopingGPOs.Inthislesson,youwilllearneachofthemechanismswithwhichyoucanscopeaGPOand,intheprocess,youwillmastertheconceptsofGroupPolicyapplication,inheritance,andprecedence.

Objectives


ManageGPOlinks.

IdentifytherelationshipbetweenOUstructureandGPOapplication.

EvaluateGPOinheritanceandprecedence.

UnderstandtheBlockInheritanceandEnforcedlinkoptions.



ApplysecurityfilteringtonarrowthescopeofaGPO.

ApplyaWMIfiltertoaGPO.

TargetGroupPolicypreferences.

IdentifybestpracticesforscopingGroupPolicy.

GPO Links

AGPOcanbelinkedtooneormoreActiveDirectorysites,domains,orOUs.Afterapolicyislinkedtoasite,domain,orOU,theusersorcomputersandusersinthat



containerarewithinthescopeoftheGPO,includingcomputersandusersinchildOUs.

AsyoulearnedinLesson1,youcanlinkaGPOtothedomain,siteortoanOU.

TolinkaGPO,rightclickthedomainorOUintheGPMCconsoletree,andthenclickLinkasexistingGPO.IfyouhavenotyetcreatedaGPO,clickCreateAGPOInThis{Domain|OU|Site}AndLinkItHere.

YoucanchoosethesamecommandstolinkaGPOtoasite,butbydefault,yourActiveDirectorysitesarenotvisibleintheGPMC.

ToshowsitesintheGPMC,rightclickSitesintheGPMCconsoletreeandchooseShowSites.

NoteAGPOlinkedtoasiteaffectsallcomputersinthesitewithoutregardtothedomaintowhichthecomputersbelong(aslongasallcomputersbelongtothesameActiveDirectoryforest).Therefore,whenyoulinkaGPOtoasite,thatGPOcanbeappliedtomultipledomainswithinaforest.SitelinkedGPOsarestoredondomaincontrollersinthedomaininwhichtheGPOwascreated.Therefore,domaincontrollersforthatdomainmustbeaccessibleforsitelinkedGPOstobeappliedcorrectly.Ifyouimplementsitelinkedpolicies,youmustconsiderpolicyapplicationwhenplanningyournetworkinfrastructure.EitherplaceadomaincontrollerfromtheGPOsdomaininthesitetowhichthepolicyislinked,orensurethatawideareanetwork(WAN)connectivityprovidesaccessibilitytoadomaincontrollerintheGPOsdomain.



WhenyoulinkaGPOtoasite,domain,orOU,youdefinetheinitialscopeoftheGPO.SelectaGPOandclicktheScopetabtoidentifythecontainerstowhichtheGPOislinked.InthedetailspaneoftheGPMC,theGPOlinksaredisplayedinthefirstsectionoftheScopetab,asseenhere:

TheimpactoftheGPOslinksisthattheGroupPolicyClientdownloadstheGPOifeitherthecomputerortheuserobjectsfallwithinthescopeofthelink.TheGPOwillbedownloadedonlyifitisneworupdated.TheGroupPolicyClientcachestheGPOtomakepolicyrefreshmoreefficient.

Link a GPO to Multiple OUs

YoucanlinkaGPOtomorethanonesiteorOU.Itiscommon,forexample,toapplyconfigurationtocomputersinseveralOUs.YoucandefinetheconfigurationinasingleGPOandlinkthatGPOtoeachOU.IfyoulaterchangesettingsintheGPO,yourchangeswillapplytoallOUstowhichtheGPOislinked.



Delete or Disable a GPO Link

AfteryouhavelinkedaGPO,theGPOlinkappearsintheGPMCunderneaththesite,domain,orOU.TheiconfortheGPOlinkhasasmallshortcutarrow.WhenyourightclicktheGPOlink,acontextmenuappears,asshownhere:

TodeleteaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthenclickDelete.

DeletingaGPOlinkdoesnotdeletetheGPOitself,whichremainsinthatGPOcontainer.DeletingthelinkdoeschangethescopeoftheGPOsothatitnolongerappliestocomputersanduserswithinasite,domain,orOUtowhichitwaspreviouslylinked.

YoucanalsomodifyaGPOlinkbydisablingit.

TodisableaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthendeselecttheLinkEnabledoption.



DisablingthelinkalsochangestheGPOscopesothatitnolongerappliestocomputersanduserswithinthatcontainer.However,thelinkremainssothatitcanbeeasilyreenabled.

Group Policy Processing Order

TheGPOsthatapplytoauser,computer,orbothdonotallapplyatonce.GPOsareappliedinaparticularorder.Thisordermeansthatsettingsthatareprocessedfirstmaybeoverwrittenbyconflictingsettingsthatareprocessedlater.

GroupPolicyfollowsthefollowinghierarchicalprocessingorder:



1. Localgrouppolicies.EachcomputerrunningWindows2000orlaterhasatleastonelocalgrouppolicy.Thelocalpoliciesareappliedfirst.

2. Sitegrouppolicies.Policieslinkedtositesareprocessedsecond.Iftherearemultiplesitepolicies,theyareprocessedsynchronouslyinthelistedpreferenceorder.

3. Domaingrouppolicies.Policieslinkedtodomainsareprocessedthird.Iftherearemultipledomainpolicies,theyareprocessedsynchronouslyinthelistedpreferenceorder.

4. OUgrouppolicies.PolicieslinkedtotoplevelOUsareprocessedfourth.IftherearemultipletoplevelOUpolicies,theyareprocessedsynchronouslyinthelistedpreferenceorder.

5. ChildOUgrouppolicies.PolicieslinkedtochildOUsareprocessedfifth.IftherearemultiplechildOUpolicies,theyareprocessedsynchronouslyinthelistedpreferenceorder.WhentherearemultiplelevelsofchildOUs,policiesforhigherlevelOUsareappliedfirstandpoliciesforthelowerlevelOUsareappliednext.

InGroupPolicyapplication,thegeneralruleisthatthelastpolicyappliedwins.Forexample,apolicythatrestrictsaccesstoControlPanelappliedatthedomainlevelcouldbereversedbyapolicyappliedattheOUlevelfortheobjectscontainedinthatparticularOU.



IfyoulinkseveralGPOstoanorganizationalunit,theirprocessingoccursintheorderthattheadministratorspecifiesontheLinkedGroupPolicyObjectstabfortheorganizationalunitintheGroupPolicyManagementConsole(GPMC).

Bydefault,processingisenabledforallGPOlinks.YoucancompletelyblocktheapplicationofaGPOforagivensite,domain,ororganizationalunitbydisablingthatcontainersGPOlink.NotethatiftheGPOislinkedtoothercontainers,theywillcontinuetoprocesstheGPOiftheirlinksareenabled.

YoucanalsodisabletheuserorcomputerconfigurationofaparticularGPOindependentofeithertheuserorcomputer.Ifonesectionofapolicyisknowntobeempty,disablingtheothersidespeedsuppolicyprocessing.Forexample,ifyouhaveapolicythatonlydeliversuserdesktopconfiguration,youcoulddisablethecomputersideofthepolicy.

GPO Inheritance and Precedence



ApolicysettingcanbeconfiguredinmorethanoneGPO,andGPOscanbeinconflictwithoneanother.Forexample,apolicysettingcanbeenabledinoneGPO,disabledinanotherGPO,andnotconfiguredinathirdGPO.Inthiscase,theprecedenceoftheGPOsdetermineswhichpolicysettingtheclientapplies.AGPOwithhigherprecedenceprevailsoveraGPOwithlowerprecedence.PrecedenceisshownasanumberintheGPMC.Thesmallerthenumberthatis,thecloserto1thehighertheprecedence,soaGPOwithaprecedenceof1willprevailoverotherGPOs.SelectthedomainorOUandthenclicktheGroupPolicyInheritancetabtoviewtheprecedenceofeachGPO.

WhenapolicysettingisenabledordisabledinaGPOwithhigherprecedence,theconfiguredsettingtakeseffect.However,rememberthatpolicysettingsaresettoNot



Configuredbydefault.IfapolicysettingisnotconfiguredinaGPOwithhigherprecedence,thepolicysetting(eitherenabledordisabled)inaGPOwithlowerprecedencewilltakeeffect.

Asite,domain,orOUcanhavemorethanoneGPOlinkedtoit.ThelinkorderofGPOsdeterminestheprecedenceofGPOsinsuchascenario.GPOswithahigherlinkordertakeprecedenceoverGPOswithalowerlinkorder.WhenyouselectanOUintheGPMC,theLinkedGroupPolicyObjectstabshowsthelinkorderofGPOslinkedtothatOU.

ThedefaultbehaviorofGroupPolicyisthatGPOslinkedtoahigherlevelcontainerareinheritedbylowerlevelcontainers.Whenacomputerstartsuporauserlogson,theGroupPolicyClientexaminesthelocationofthecomputeroruserobjectinActiveDirectoryandevaluatestheGPOswithscopesthatincludethecomputeroruser.Then,theclientsideextensionsapplypolicysettingsfromtheseGPOs.Policiesareappliedsequentially,beginningwiththepolicieslinkedtothesite,followedbythoselinkedtothedomain,followedbythoselinkedtoOUsfromthetoplevelOUdowntotheOUinwhichtheuserorcomputerobjectexists.Itisalayeredapplicationofsettings,soaGPOthatisappliedlaterintheprocess,becauseithashigherprecedence,overridessettingsappliedearlierintheprocess.

ThesequentialapplicationofGPOscreatesaneffectcalledpolicyinheritance.Policiesareinherited,sotheresultantsetofgrouppoliciesforauserorcomputerwillbethecumulativeeffectofsite,domain,andOUpolicies.



Bydefault,inheritedGPOshavelowerprecedencethanGPOslinkeddirectlytothecontainer.Forexample,youmightconfigureapolicysettingtodisabletheuseofregistryeditingtoolsforallusersinthedomainbyconfiguringthepolicysettinginaGPOlinkedtothedomain.ThatGPO,anditspolicysetting,isinheritedbyalluserswithinthedomain.However,youprobablywantadministratorstobeabletouseregistryeditingtools,soyouwilllinkaGPOtotheOUthatcontainsadministratorsaccountsandconfigurethepolicysettingtoallowtheuseofregistryeditingtools.BecausetheGPOlinkedtotheadministratorsOUtakeshigherprecedencethantheinheritedGPO,administratorswillbeabletouseregistryeditingtools.ThefollowingfigureillustratesGroupPolicyInheritance:

Precedence of Multiple Linked GPOs

AnOU,domain,orsitecanhavemorethanoneGPOlinkedtoit.IftherearemultipleGPOs,theobjectslinkorderdeterminestheirprecedence.Inthefollowingfigure,twoGPOsarelinkedtothePeopleOU:



Theobjecthigheronthelist,withalinkorderof1,hasthehighestprecedence.Therefore,settingsthatareenabledordisabledinthePowerUserConfiguration

POhasprecedenceoverthesamesettingsintheStandardUserConfigurationGPO.

TochangetheprecedenceofaGPOlink:

1. SelecttheOU,site,ordomainintheGPMCconsoletree.

2. ClicktheLinkedGroupPolicyObjectstabinthedetailspane.

3. SelecttheGPO.

4. UsetheUp,Down,MoveToTop,andMoveToBottomarrowstochangethelinkorderoftheselectedGPO.

Block Inheritance

AdomainorOUcanbeconfiguredtopreventtheinheritanceofpolicysettings.

Toblockinheritance,rightclickthedomainorOUintheGPMCconsoletreeandselectBlockInheritance.

TheBlockInheritanceoptionisapropertyofadomainorOU,soitblocksallGroupPolicysettingsfromGPOslinkedtoparentsintheGroupPolicyhierarchy.Whenyou



blockinheritanceonanOU,forexample,GPOapplicationbeginswithanyGPOslinkeddirectlytothatOUGPOslinkedtohigherlevelOUs,thedomain,orthesitewillnotapply.

TheBlockInheritanceoptionshouldbeusedsparingly.BlockinginheritancemakesitmoredifficulttoevaluateGroupPolicyprecedenceandinheritance.Inalatertopic,youwilllearnhowtoscopeaGPOsothatitappliestoonlyasubsetofobjectsorsothatitispreventedfromapplyingtoasubsetofobjects.Withsecuritygroupfiltering,youcancarefullyscopeaGPOsothatitappliestoonlythecorrectusersandcomputersinthefirstplace,makingitunnecessarytousetheBlockInheritanceoption.

Enforce a GPO Link

Inaddition,aGPOlinkcanbesettoEnforced.

ToenforceaGPOlink,rightclicktheGPOlinkintheconsoletreeandchooseEnforcedfromthecontextmenu.

WhenaGPOlinkissettoEnforced,theGPOtakesthehighestlevelofprecedencepolicysettingsinthatGPOwillprevailoveranyconflictingpolicysettingsinotherGPOs.Inaddition,alinkthatisenforcedwillapplytochildcontainersevenwhenthosecontainersaresettoBlockInheritance.TheEnforcedoptioncausesthepolicytoapplytoallobjectswithinitsscope.EnforcedwillcausepoliciestooverrideanyconflictingpoliciesandwillapplyregardlessofwhetheraBlockInheritanceoptionis



set.

Inthefigureonthefollowingpage,BlockInheritancehasbeenappliedtotheBusinessOU.Asaresult,GPOD,whichisappliedtothedomain,isblockedanddoesnotapplywhenauserfromtheEmployeesOUlogsontoacomputerintheClientsOU.However,intheSecurityGPO,GPOslinkedtothedomainwiththeEnforcedoptiondoesapply.Infact,itisappliedlastintheprocessingorder,meaningitssettingswilloverridethoseofGPOsB,C,andE.

WhenyouconfigureaGPOthatdefinesconfigurationmandatedbyyourcorporateITsecurityandusagepolicies,youwanttoensurethatthosesettingsarenotoverriddenbyotherGPOs.YoucandothisbyenforcingthelinkoftheGPO.Thefigurehereshowsjustthisscenario:

ConfigurationmandatedbycorporatepoliciesisdeployedintheCONTOSOCorporateITSecurity&UsageGPO,whichislinkedwithanenforcedlinktotheContoso.comdomain.TheiconfortheGPOlinkhasapadlockonitthevisualindicatorofanenforcedlink.OnthePeopleOU,theGroupPolicyInheritancetabshowsthattheGPOtakesprecedenceevenovertheGPOslinkedtothePeopleOUitself.



Evaluating Precedence

TofacilitateevaluationofGPOprecedence,youcansimplyselectanOU(ordomain)andclicktheGroupPolicyInheritancetab.ThistabwilldisplaytheresultingprecedenceofGPOs,accountingforGPOlink,linkorder,inheritanceblocking,andlinkenforcement.Thistabdoesnotaccountforpoliciesthatarelinkedtoasite,nordoesitaccountforGPOsecurityorWMIfiltering.

Use Security Filtering to Modify GPO Scope

Bynow,youvelearnedthatyoucanlinkaGPOtoasite,domain,orOU.However,youmightneedtoapplyGPOsonlytocertaingroupsofusersorcomputersrather



thantoallusersorcomputerswithinthescopeoftheGPO.AlthoughyoucannotdirectlylinkaGPOtoasecuritygroup,thereisawaytoapplyGPOstospecificsecuritygroups.ThepoliciesinaGPOapplyonlytouserswhohaveAllowReadandAllowApplyGroupPolicypermissionstotheGPO.

EachGPOhasanACLthatdefinespermissionstotheGPO.Twopermissions,AllowReadandAllowApplyGroupPolicy,arerequiredforaGPOtoapplytoauserorcomputer.Forexample,ifaGPOisscopedtoacomputerbyitslinktothecomputersOU,butthecomputerdoesnothaveReadandApplyGroupPolicypermissions,itwillnotdownloadandapplytheGPO.Therefore,bysettingtheappropriatepermissionsforsecuritygroups,youcanfilteraGPOsothatitssettingsapplyonlytothecomputersandusersyouspecify.

Bydefault,AuthenticatedUsersaregiventheAllowApplyGroupPolicypermissiononeachnewGPO.Thismeansthatbydefault,allusersandcomputersareaffectedbytheGPOssetfortheirdomain,site,orOU,regardlessoftheothergroupsinwhichtheymightbemembers.Therefore,therearetwowaysoffilteringGPOscope:

RemovetheApplyGroupPolicypermission(currentlysettoAllow)fortheAuthenticatedUsersgroupbutdonotsetthispermissiontoDeny.Then,determinethegroupstowhichtheGPOshouldbeappliedandsettheReadandApplyGroupPolicypermissionsforthesegroupstoAllow.

DeterminethegroupstowhichtheGPOshouldnotbeappliedandsettheApplyGroupPolicypermissionforthesegroupstoDeny.IfyoudenytheApplyGroup



PolicypermissiontoaGPO,theuserorcomputerwillnotapplysettingsintheGPO,eveniftheuserorcomputerisamemberofanothergroupthatisallowedtheApplyGroupPolicyPermission.

Filtering a GPO to Apply to Specific Groups

ToapplyaGPOtoaspecificsecuritygroup:

1. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree.

2. IntheSecurityFilteringsection,selecttheAuthenticatedUsersgroupandclickRemove.

NoteGPOscanbefilteredonlywithglobalsecuritygroupsnotwithdomainlocalsecuritygroups.

3. ClickOKtoconfirmthechange.

4. ClickAdd.

5. SelectthegrouptowhichyouwantthepolicytoapplyandclickOK.

TheresultwilllooksimilartothefigureshownheretheAuthenticatedUsersgroupis



notlisted,andthespecificgrouptowhichthepolicyshouldapplyislisted.

Filtering a GPO to Exclude Specific Groups

TheScopetabofaGPOdoesnotallowyoutoexcludespecificgroups.Toexcludeagroupthatis,todenytheApplyGroupPolicypermissionyoumustusetheDelegationtab.

TodenyagrouptheApplyGroupPolicypermission:

1. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree.

2. ClicktheDelegationtab.



3. ClicktheAdvancedbutton.

TheSecuritySettingsdialogboxappears.

4. ClicktheAddbutton.

5. SelectthegroupyouwanttoexcludefromtheGPO.Remember,itmustbeaglobalgroup.GPOscopecannotbefilteredbydomainlocalgroups.

6. ClickOK.

ThegroupyouselectedisgiventheAllowReadpermissionbydefault.

7. CleartheAllowReadpermissioncheckbox.

8. SelecttheDenyApplyGroupPolicycheckbox.

ThefigurehereshowsanexamplethatdeniestheHelpDeskgrouptheApplygrouppolicypermissionand,therefore,excludesthegroupfromthescopeoftheGPO.



9.ClickOK.

YouarewarnedthatDenypermissionsoverrideotherpermissions.

BecauseDenypermissionsoverrideAllowpermissions,itisrecommendedthatyouusethemsparingly.MicrosoftWindowsremindsyouofthisbestpracticewiththewarningmessage.TheprocesstoexcludegroupswiththeDenyApplyGroupPolicypermissionisfarmorelaboriousthantheprocesstoincludegroupsintheSecurityFilteringsectionoftheScopetab.

10. Confirmthatyouwanttocontinue.



ImportantDenypermissionsarenotexposedontheScopetab.Unfortunately,whenyouexcludeagroup,theexclusionisnotshownintheSecurityFilteringsectionoftheScopetab.

ThisisyetonemorereasontouseDenypermissionssparingly.

WMI Filters

WMIisamanagementinfrastructuretechnologythatenablesadministratorstomonitorandcontrolmanagedobjectsinthenetwork.AWMIqueryiscapableof



filteringsystemsbasedoncharacteristics,includingRAM,processorspeed,diskcapacity,IPaddress,operatingsystemversionandservicepacklevel,installedapplications,andprinterproperties.BecauseWMIexposesalmosteverypropertyofeveryobjectwithinacomputer,thelistofattributesthatcanbeusedinaWMIqueryisvirtuallyunlimited.WMIqueriesarewrittenbyusingWMIQueryLanguage(WQL).

YoucanuseaWMIquerytocreateaWMIfilter,withwhichaGPOcanbefiltered.AgoodwaytounderstandthepurposeofaWMIfilter,bothforthecertificationexamsandforrealworldimplementation,isthroughexamples.GroupPolicycanbeusedtodeploysoftwareapplicationsandservicepacksacapabilitythatisdiscussedinModule7.YoumightcreateaGPOtodeployanapplicationandthenuseaWMIfiltertospecifythatthepolicyshouldapplyonlytocomputerswithacertainoperatingsystemandservicepackWindowsXPSP3,forexample.TheWMIquerytoidentifysuchsystemsis:

Select * FROM Win32_OperatingSystem WHERECaption="Microsoft Windows XP Professional" ANDCSDVersion="Service Pack 3"

WhentheGroupPolicyClientevaluatesGPOsithasdownloadedtodeterminewhichshouldbehandedofftotheCSEsforprocessing,itperformsthequeryagainstthelocalsystem.Ifthesystemmeetsthecriteriaofthequery,thequeryresultisalogicalTrue,andtheCSEsprocesstheGPO.



WMIexposesnamespaces,withinwhichareclassesthatcanbequeried.Manyusefulclasses,includingWin32_OperatingSystem,arefoundinaclasscalledroot\CIMv2.

TocreateaWMIfilter:

1. RightclicktheWMIFiltersnodeintheGPMCconsoletree,andthenclickNew.

Typeanameanddescriptionforthefilter,andthenclicktheAddbutton.

2. IntheNamespacebox,typethenamespaceforyourquery.

3. IntheQuerybox,enterthequery.

4. ClickOK.

TofilteraGPOwithaWMIfilter:

1. SelecttheGPOorGPOlinkintheconsoletree.

2. ClicktheScopetab.

3. ClicktheWMIdropdownlist,andselecttheWMIfilter.

AGPOcanbefilteredbyonlyoneWMIfilter,butthatWMIfiltercanbeacomplexquerythatusesmultiplecriteria.AsingleWMIfiltercanbelinkedto,andtherebyusedtofilter,oneormoreGPOs.TheGeneraltabofaWMIfilter,showninthe



figurehere,displaystheGPOsthatusetheWMIfilter:

TherearethreesignificantcaveatsregardingWMIfilters.

First,theWQLsyntaxofWMIqueriescanbechallengingtomaster.YoucanoftenfindexamplesontheInternetwhenyousearchbyusingthekeywordsWMIfilterandWMIquery,alongwithadescriptionofthequeryyouwanttocreate.

Second,WMIfiltersareexpensiveintermsofGroupPolicyprocessingperformance.BecausetheGroupPolicyClientmustperformtheWMIqueryateachpolicyprocessinginterval,thereisaslightimpactonsystemperformanceevery90120minutes.Withtheperformanceoftodayscomputers,theimpactmightnotbenoticeable,butyoushouldcertainlytesttheeffectsofaWMIfilterpriorto



deployingitwidelyinyourproductionenvironment.

NotethattheWMIqueryisprocessedonlyonetime,evenifitisusedtofilterthescopeofmultipleGPOs.

Third,WMIfiltersarenotprocessedbycomputersrunningWindows2000Server.IfaGPOisfilteredwithaWMIfilter,aWindows2000ServersystemignoresthefilterandprocessestheGPOasiftheresultsofthefilterweretrue.

Enable or Disable GPOs and GPO Nodes

YoucanpreventthesettingsintheComputerConfigurationorUserConfiguration



nodesfrombeingprocessedduringpolicyrefreshbychangingtheGPOStatus.

ToenableordisableaGPO'snodes,selecttheGPOorGPOlinkintheconsoletree,clicktheDetailstab,showninthefigure,andthenselectoneofthefollowingfromtheGPOStatusdropdownlist:

Enabled.BothcomputerconfigurationsettingsanduserconfigurationsettingswillbeprocessedbyCSEsduringpolicyrefresh.

AllSettingsDisabled.CSEswillnotprocesstheGPOduringpolicyrefresh.

ComputerConfigurationSettingsDisabled.Duringcomputerpolicyrefresh,computerconfigurationsettingsintheGPOwillnotbeapplied.



UserConfigurationSettingsDisabled.Duringuserpolicyrefresh,userconfigurationsettingsintheGPOwillnotbeapplied.

YoucanconfigureGPOstatustooptimizepolicyprocessing.IfaGPOcontainsonlyusersettings,forexample,settingtheGPOStatusoptiontodisablecomputersettingspreventstheGroupPolicyclientfromattemptingtoprocesstheGPOduringcomputerpolicyrefresh.BecausetheGPOcontainsnocomputersettings,thereisnoneedtoprocesstheGPO,andyoucansaveafewcyclesoftheprocessor.

NoteYoucandefineaconfigurationthatshouldtakeeffectincaseofanemergency,securityincident,orotherdisastersinaGPOandlinktheGPOsothatitisscopedtoappropriateusersandcomputers.Then,disabletheGPO.Ifyourequiretheconfigurationtobedeployed,enabletheGPO.

Target Preferences



Preferences,whicharenewtoWindowsServer2008,haveabuiltinscopingmechanismcalleditemleveltargeting.YoucanhavemultiplepreferenceitemsinasingleGPO,andeachpreferenceitemcanbetargetedorfiltered.So,forexample,youcouldhaveasingleGPOwithapreferencethatspecifiesfolderoptionsforengineersandanotheritemthatspecifiesfolderoptionsforsalespeople.YoucantargettheitemsbyusingasecuritygrouporOU.Thereareoveradozenothercriteriathatcanbeused,includinghardwareandnetworkcharacteristics,dateandtime,LightweightDirectoryAccessProtocol(LDAP)queries,andmore.



NoteWhatsnewaboutpreferencesisthatyoucantargetmultiplepreferenceitemswithinasingleGPOinsteadofrequiringmultipleGPOs.Withtraditionalpolicies,youoftenneedmultipleGPOsfilteredtoindividualgroupstoapplyvariationsofsettings.

LikeWMIfilters,itemleveltargetingofpreferencesrequirestheCSEtoperformaquerytodeterminewhethertoapplythesettingsinapreferencesitem.Youmustbeawareofthepotentialperformanceimpactofitemleveltargeting,particularlyifyouuseoptionssuchasLDAPqueries,whichrequireprocessingtimeandaresponsefromadomaincontrollertoprocess.AsyoudesignyourGroupPolicyinfrastructure,



balancetheconfigurationmanagementbenefitsofitemleveltargetingagainsttheperformanceimpactyoudiscoverduringtestinginalab.

Loopback Policy Processing

Bydefault,auserssettingscomefromGPOsscopedtotheuserobjectinActiveDirectory.Regardlessofwhichcomputertheuserlogsonto,theresultantsetofpoliciesthatdeterminetheusersenvironmentisthesame.Therearesituations,however,inwhichyoumightwanttoconfigureauserdifferently,dependingonthecomputerinuse.Forexample,youmightwanttolockdownandstandardizeuserdesktopswhenuserslogontocomputersincloselymanagedenvironmentssuchasconferencerooms,receptionareas,laboratories,classrooms,andkiosks.Itisalso



importantforvirtualdesktopinfrastructure(VDI)scenarios,includingremotevirtualmachinesandRemoteDesktopServices(RDS),knownasTerminalServicesinpreviousversions.

ImagineascenarioinwhichyouwanttoenforceastandardcorporateappearancefortheWindowsdesktoponallcomputersinconferenceroomsandotherpublicareasofyouroffice.HowwillyoucentrallymanagethisconfigurationbyusingGroupPolicy?PolicysettingsthatconfiguredesktopappearancearelocatedintheUserConfigurationnodeofaGPO.Therefore,bydefault,thesettingsapplytousers,regardlessofwhichcomputertheylogonto.Thedefaultpolicyprocessingdoesnotgiveyouawaytoscopeusersettingstoapplytocomputers,regardlessofwhichuserlogson.Thatswhereloopbackpolicyprocessingcomesin.

LoopbackpolicyprocessingaltersthedefaultalgorithmusedbytheGroupPolicyclienttoobtaintheorderedlistofGPOsthatshouldbeappliedtoausersconfiguration.InsteadofuserconfigurationbeingdeterminedbytheUserConfigurationnodeofGPOsthatarescopedtotheuserobject,userconfigurationcanbedeterminedbytheUserConfigurationnodepoliciesofGPOsthatarescopedtothecomputerobject.

TheUserGroupPolicyloopbackprocessingmodepolicy,locatedintheComputerConfiguration\Policies\AdministrativeTemplates\System\GroupPolicyfolderinGPME,canbe,likeallpolicysettings,settoNotConfigured,Enabled,orDisabled.



Whenenabled,thepolicycanspecifytheReplaceorMergemode.

Replace.Inthiscase,theGPOlistfortheuser(obtainedinstep5intheGroupPolicyProcessing,thenextsection)isreplacedentirelybytheGPOlistalreadyobtainedforthecomputeratcomputerstartup(instep2).ThesettingsinUserConfigurationpoliciesofthecomputersGPOsareappliedtotheuser.TheReplacemodeisusefulinasituationsuchasaclassroomwhereusersshouldreceiveastandardconfigurationratherthantheconfigurationappliedtothoseusersinalessmanagedenvironment.

Merge.Inthiscase,theGPOlistobtainedforthecomputeratcomputerstartup(step2intheGroupPolicyProcessingsection)isappendedtotheGPOlistobtainedfortheuserwhenloggingon(step5).BecausetheGPOlistobtainedforthecomputerisappliedlater,settingsinGPOsonthecomputerslisthave



precedenceiftheyconflictwithsettingsintheuserslist.Thismodewouldbeusefultoapplyadditionalsettingstouserstypicalconfigurations.Forexample,youmightallowausertoreceivetheuserstypicalconfigurationwhenloggingontoacomputerinaconferenceroomorreceptionarea,butreplacethewallpaperwithastandardbitmapanddisabletheuseofcertainapplicationsordevices.

NoteItisalessdocumentedfactthatwhenyoucombinetheloopbackprocessingwithsecuritygroupfiltering,theapplicationofusersettingsduringpolicyrefreshusesthecredentialsofthecomputertodeterminewhichGPOstoapplyaspartoftheloopbackprocessing.However,theloggedonusermustalsohavetheApplyGroupPolicypermissionfortheGPOtobesuccessfullyapplied.

Lab B: Manage Group Policy Scope



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.



4. Logonbyusingthefollowingcredentials:

Username:Pat.Coleman

Password:Pa$$w0rd

Domain:Contoso

5. Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodoso.

Lab Scenario

Youareanadministratorofthecontoso.comdomain.TheContosoStandardsGPO,linkedtothedomain,configuresapolicysettingthatrequiresatenminutescreensavertimeout.Anengineerreportsthatacriticalapplicationthatperformslengthycalculationscrasheswhenthescreenssaverstarts,andtheengineerhasaskedyoutopreventthesettingfromapplyingtotheteamofengineersthatusestheapplicationeveryday.Youhavealsobeenaskedtoconfigureconferenceroomcomputerstousea45minutetimeoutsothatthescreensaverdoesnotlaunchduringameeting.

Exercise 1: Configure GPO Scope with Links

Inthisexercise,youwillmodifythescopeofGPOsbyusingGPOlinks,andyouwillexploreinheritance,precedence,andtheeffectsofEnforcedlinks



andBlockInheritance.


1. CreateaGPOwithapolicysettingthattakesprecedenceoveraconflictingsetting.

2. ViewtheeffectofanenforcedGPOlink.

3. ApplyBlockInheritance.

Task 1: Create a GPO with a policy setting that takes precedence over aconflicting setting.

1. OnNYCDC1,runActiveDirectoryUsersandComputersasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. IntheUserAccounts\EmployeesOU,createasubOUcalledEngineers,andthencloseActiveDirectoryUsersandComputers.

3. RuntheGroupPolicyManagementConsoleasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

4. CreateanewGPOlinkedtotheEngineersOUcalledEngineeringApplicationOverride.



5. ConfiguretheScreensavertimeoutpolicysettingtobedisabled,andthenclosetheGPME.

6. SelecttheEngineersOU,andthenclicktheGroupPolicyInheritancetab.NoticethattheEngineeringApplicationOverrideGPOhasprecedenceovertheCONTOSOStandardsGPO.ThescreensavertimeoutpolicysettingyoujustconfiguredintheEngineeringApplicationOverrideGPOwillbeappliedafterthesettingintheCONTOSOStandardsGPO.Therefore,thenewsettingwilloverwritethestandardssetting,andwill"win."ScreensavertimeoutwillbedisabledforuserswithinthescopeoftheEngineeringApplicationOverrideGPO.

Task 2: View the effect of an enforced GPO link.

1. IntheGPMCconsoletree,selecttheDomainControllersOU,andthenclicktheGroupPolicyInheritancetab.

2. NoticethattheGPOnamed6425Chasthehighestprecedence.SettingsinthisGPOwilloverrideanyconflictingsettingsinanyoftheotherGPOs.

TheDefaultDomainControllersGPOspecifies,amongotherthings,whichgroupsaregiventherighttologonlocallytodomaincontrollers.Toenhancethesecurityofdomaincontrollers,standardusersarenotgiventherighttologonlocally.toallowanonprivilegeduseraccountsuchasPat.Colemantologon



todomaincontrollers.Inthiscourse,the6425CGPOgivesDomainUserstherighttologonlocallytoacomputer.The6425CGPOislinkedtothedomain,soitssettingswouldnormallybeoverriddenbysettingsintheDefaultDomainControllersGPO.Therefore,the6425CGPOlinktothedomainisconfiguredasEnforced.Inthisway,theconflictinuserrightsassignmentbetweenthetwoGPOsis"won"bythe6425CGPO.

Task 3: Apply Block Inheritance.

1. IntheGPMCconsole,selecttheEngineersOUandexaminetheprecedenceandinheritanceofGPOsontheGroupPolicyInheritancetab.

2. BlocktheinheritanceofGPOstotheEngineersOU.

Question:WhichGPOscontinuetoapplytousersintheEngineersOU?WherearethoseGPOslinked?Whydidtheycontinuetoapply?

3. TurnoffBlockInheritancefromtheEngineersOU.

Results:Inthisexercise,youcreatedaGPOcalledEngineeringApplicationOverrideandlinkedittotheEngineersOU.Youalsohaveanunderstandingofinheritance,precedence,andtheeffectsofanEnforcedlinkandBlockInheritance.



Exercise 2: Configure GPO Scope with Filtering

Astimepasses,youdiscoverthatonlyasmallnumberofengineersrequirethescreensavertimeoutoverridethatiscurrentlyapp