07/06/13 Module 6: Implementing a Group Policy Infrastructure
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 1/135
Module 6: Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy
Lesson 2: Implement GPOs
Lab A: Implement Group Policy
Lesson 3: Manage Group Policy Scope
Lab B: Manage Group Policy Scope
Lesson 4: Group Policy Processing
Lesson 5: Troubleshoot Policy Application
Lab C: Troubleshoot Policy Application
Module Overview
In Module 1, you learned that Active Directory Domain Services (AD DS) provides the foundational services of an identity and access solution for enterprise networks running Windows, and that AD DS also supports the management and configuration of even the largest, most complex networks. In Modules 2 through 5, you learned how to administer AD DS security principals: users, groups, and computers. Now, you will examine the management and configuration of users and computers by using Group Policy. Group Policy provides an infrastructure within which settings can be defined centrally and deployed to users and computers in the enterprise.
In an environment managed by a well-implemented Group Policy infrastructure, little or no configuration needs to be made by directly touching a desktop. The entire configuration is defined, enforced, and updated by using the settings in Group Policy objects (GPOs) that affect a portion of the enterprise as broad as an entire site or a domain, or as narrow as a single organizational unit (OU) or a group. In this module, you will learn what Group Policy is, how it works, and how best to implement it in your organization. Several subsequent modules will apply Group Policy to specific management tasks such as security configuration, software deployment, password policy, and auditing.
Objectives
After completing this module, you will be able to:
Describe the components and technologies that comprise the Group Policy framework.
Implement GPOs.
Configure and understand a variety of policy setting types.
Understand and configure Group Policy preferences.
Scope GPOs by using links, security groups, Windows Management Instrumentation filters, loopback processing, and preference targeting.
Describe how GPOs are processed.
Locate the event logs containing Group Policy-related events and troubleshoot Group Policy application.
Lesson 1: Understand Group Policy
A Group Policy infrastructure has several moving parts. You need to understand not only what each part does, but also how they work together and why you might want to assemble them in various configurations. In this lesson, you will get a comprehensive overview of Group Policy: its components, its functions, and its inner workings.
Objectives
After completing this lesson, you will be able to:
Identify the business drivers for configuration management.
Understand the core components and terminology of Group Policy.
Explain the fundamentals of Group Policy processing.
What Is Configuration Management?
If you have only one computer in your environment (at home, for example) and you need to modify the desktop background, there are several ways to do that. Most people would probably open Personalization from Control Panel and make the change by using the Windows interface. That works well for one user, but may become tedious if you want to make the change across multiple users. Say, for example, that you want the same background for yourself and your family. You have to make the change multiple times, and then if you ever change your mind and want to change the background yet again, you have to return to each user's profile and make the change. Implementing the change and maintaining a consistent environment becomes even more difficult across multiple computers.
Configuration management is a centralized approach to applying one or more changes to one or more users or computers. If you remember that, everything else will be easier to understand. The key elements of configuration management are:
A centralized definition of a change, which is known as a setting. The setting brings a user or a computer to a desired state of configuration.
A definition of the user(s) or computer(s) to whom the change applies, which is known as the scope of the change.
A mechanism or process that ensures that the setting is applied to users and computers within the scope, which is known as the application.
Group Policy is a framework within Windows, with components that reside in Active Directory, on domain controllers, and on each Windows server and client, that enables you to manage configuration in an AD DS domain. As we turn our attention to Group Policy, which can become very complex, always remember that everything boils down, in the end, to just these few basic elements of configuration management.
Overview of Policies
The most granular component of the Group Policy is an individual policy setting, also known simply as a policy, that defines a specific configuration change to apply. For example, a policy setting exists that prevents a user from accessing registry editing tools. If you define that policy setting and apply it to the user, the user will be unable to run tools such as Regedit.exe. Another policy setting is available that you can use to rename the local Administrator account. You can use this policy setting to rename the Administrator account on all user desktops and laptops.
These two examples illustrate an important point: that some policy settings affect a user, regardless of the computer to which the user logs on, and other policy settings affect a computer, regardless of which user logs on to that computer. Policy settings such as the setting that prevents access to registry editing tools are often referred to as user configuration settings or user settings. Policy settings such as the one that disables the Administrator account and similar settings are often referred to as computer configuration settings or computer settings. You will also hear these referred to as user policies and computer policies. The terminology used in the industry is not exact.
There are various policy settings that can be managed by Group Policy, and the framework is extensible. So, in the end, you could manage just about anything with Group Policy.
To define a policy setting, double-click it.
The policy setting Properties dialog box appears.
A policy setting can have three states: Not Configured, Enabled, and Disabled.
In a new GPO, every policy setting is set to Not Configured. This means that the GPO will not modify the existing configuration of that particular setting for a user or computer. If you enable or disable a policy setting, a change will be made to the configuration of users and computers to which the GPO is applied.
The effect of the change depends on the policy setting. For example, if you enable the Prevent Access To Registry Editing Tools policy setting, users will be unable to launch the Regedit.exe Registry Editor. If you disable the policy setting, you ensure that users can launch the Registry Editor. Notice the double negative in this policy setting: You disable a policy that prevents an action, so you allow the action.
Some policy settings bundle several configurations into one policy and might require additional parameters. In the screenshot above, you can see that by enabling the policy to restrict registry editing tools, you can also define whether registry files can be merged into the system silently by using regedit /s.
Note: Many policy settings are complex, and the effect of enabling or disabling them might not be immediately clear. Also, some policy settings affect only certain versions of Windows.
Be sure to review a policy setting's explanatory text in the Group Policy Management Editor (GPME) detail pane or on the Explain tab in the policy setting's Properties dialog box. In addition, always test the effects of a policy setting and its interactions with other policy settings before deploying a change in the production environment.
You will explore policy settings and how to manage them in Lesson 3.
Benefits of Using Group Policy
Group Policies are a very powerful administrative tool. You can use them to enforce various types of settings to a large number of users and computers. Because they can be applied to various levels from local to domain, you can also focus these settings very precisely.
Primarily, you can use Group Policies to configure settings that you do not want users to configure. Also, Group Policies are usually used to standardize desktop environments on all the computers in an organizational unit or whole organization. You also can use Group Policies to provide additional security and some advanced system settings.
Most often, Group Policies are used for the following purposes.
Apply Security Settings
In Windows Server 2008 R2, GPOs include a large number of security-related settings that you can apply to both users and computers. For example, you can enforce settings for Windows Firewall and configure Auditing, Encrypting File System (EFS) policies and other security settings. You can also configure a full set of user rights assignments.
Manage Desktop and Application Settings
You can use a Group Policy to provide a consistent desktop and application environment to all users in your organization. Using GPOs, it is possible to configure each setting that affects the look and feel of the user environment and also to configure settings for some applications that support GPOs.
Deploy Software
Group Policies can also be used to deploy software for users or computers. All software that is provided in the .msi format can be deployed by using Group Policy. You can enforce automatic software installation or you can let your users decide if they want the software to be deployed to their machines or not.
Manage Folder Redirection
With Folder Redirection, you can easily manage and back up data. By redirecting folders, you can ensure that users have access to their data regardless of the computer that they use to log on. Also, you can centralize all users' data to one place on the network server, while still providing the user an experience similar to storing these folders on their computers.
Configure Network Settings
Using Group Policies, you can configure various network settings on client computers. For example, you can enforce settings for wireless networks to allow users to connect only to specific SSIDs and with predefined authentication and encryption settings. You can also deploy policies that apply to wired network settings as well as configure the client side of services such as Network Access Protection.
Group Policy Objects
Policy settings are defined and exist within a GPO. A GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings for a user or a computer.
GPOs can be managed in Active Directory by using the Group Policy Management console (GPMC), shown here:
GPOs are displayed in a container named Group Policy Objects.
To create a new GPO in a domain, right-click the Group Policy Objects container, and then click New. To modify the configuration settings in a GPO, right-click the GPO, and then click Edit.
The GPO opens in the GPME snap-in, formerly known as the Group Policy Object Editor (GPO Editor), shown here:
The GPME displays the thousands of policy settings available in a GPO in an organized hierarchy that begins with the division between computer settings and user settings, the Computer Configuration node and the User Configuration node. The next levels of the hierarchy are two nodes called Policies and Preferences. You will learn about the difference between these two nodes as this lesson progresses. Drilling deeper into the hierarchy, you will see that the GPME displays folders, which are also called nodes or policy setting groups. Within the folders are the policy settings themselves. The Prevent Access To Registry Editing Tools option is selected in the screenshot shown here.
The GPO must be applied to a domain, site, or OU in the AD DS hierarchy for the settings within the object to take effect.
You will learn how to implement and manage GPOs in Lesson 2.
GPO Scope
Configuration is defined by policy settings in GPOs. However, the configuration changes in a GPO do not affect computers or users in your enterprise until you have specified the computers or users to which the GPO applies. This is called scoping a GPO. The scope of a GPO is the collection of users and computers that will apply the settings in the GPO.
You can use several methods to manage the scope of GPOs. The first is the GPO link. GPOs can be linked to sites, domains, and OUs in Active Directory. The site, domain, or OU then becomes the maximum scope of the GPO. All computers and users within the site, domain, or OU, including those in child OUs, will be affected by the configurations specified by the policy settings in the GPO. A single GPO can be linked to more than one site or OU.
You can further narrow the scope of the GPO with one of two types of filters: security filters that specify global security groups to which the GPO should or should not apply, and Windows Management Instrumentation (WMI) filters that specify a scope by using characteristics of a system, such as operating system version or free disk space. Use security filters and WMI filters to narrow or specify the scope within the initial scope created by the GPO link.
Windows Server 2008 introduced a new component of Group Policy: Group Policy Preferences. Settings that are configured by Group Policy Preferences within a GPO can be filtered or targeted based on several criteria. Targeted preferences allow you to further refine the scope of Preferences within a single GPO.
Group Policy Client and Client-Side Extensions
How exactly are the policy settings applied? When Group Policy refresh begins, a service running on all Windows systems, which is called the Group Policy Client in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, determines which GPOs apply to the computer or user. This service downloads any GPOs that are not already cached. Then, a series of processes called client-side extensions (CSEs) interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are CSEs for each major category of policy setting. For example, there is a security CSE that applies security changes, a CSE that executes startup and logon scripts, a CSE that installs software, and a CSE that makes changes to registry keys and values. Each version of Windows has added CSEs to extend the functional reach of Group Policy. There are several dozen CSEs now in Windows.
One of the more important concepts to remember about Group Policy is that it is really client-driven. The Group Policy client pulls the GPOs from the domain, triggering the CSEs to apply settings locally. Group Policy is not a push technology.
In fact, the behavior of CSEs can be configured by using Group Policy. Most CSEs will apply settings in a GPO only if that GPO has changed. This behavior improves overall policy processing by eliminating redundant applications of the same settings. Most policies are applied in such a way that standard users cannot change the setting on their system; they will always be subject to the configuration enforced by Group Policy. However, some settings can be changed by standard users, and many can be changed if a user is an administrator on that system. If users in your environment are administrators on their computers, consider configuring CSEs to reapply policy settings even if the GPO has not changed. That way, if an administrative user changes a configuration so that it is no longer compliant with policy, the configuration will be reset to its compliant state at the next Group Policy refresh.
Note: You can configure CSEs to reapply policy settings, even if the GPO has not changed, at background refresh. To do so, configure a GPO scoped to computers and define the settings in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. For each CSE you want to configure, open its policy processing policy setting, such as Registry Policy Processing for the Registry CSE. Click Enabled and select the Process even if the Group Policy objects have not changed check box.
An important exception to the default policy processing settings is settings managed by the security CSE. Security settings are reapplied every 16 hours even if a GPO has not changed.
Note: Enable the Always Wait For Network At Startup And Logon policy setting for all Windows clients. Without this setting, by default, Windows XP, Windows Vista, and Windows 7 clients perform only background refreshes; a client might start up, and a user might log on, without receiving the latest policies from the domain. The setting is located in Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to read the policy setting's explanatory text. The contoso.com domain used in this course has been preconfigured with this additional Group Policy setting.
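A read-only client-side check of the two recommendations in the notes above, added here as a PowerShell example (it is not part of the course material). It assumes the registry locations under HKLM:\SOFTWARE\Policies that these Administrative Templates settings write to, and uses the well-known identifiers of the Registry, Security and Scripts CSEs; the function names are this example's own.

```powershell
# Added example: audit a client for the CSE reprocessing and
# "Always Wait For Network At Startup And Logon" settings. Nothing is modified.
# Assumption: the settings were delivered through Administrative Templates,
# which store them under HKLM:\SOFTWARE\Policies on the client.

# Well-known client-side extension identifiers.
$cses = @{
    'Registry' = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    'Security' = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    'Scripts'  = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'
}
$cseRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting is Not Configured).
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CseProcessingState {
    foreach ($name in ($cses.Keys | Sort-Object)) {
        $path         = Join-Path $cseRoot $cses[$name]
        $noChanges    = Get-PolicyValue $path 'NoGPOListChanges'
        $noBackground = Get-PolicyValue $path 'NoBackgroundPolicy'

        # NoGPOListChanges = 0 corresponds to the check box
        # "Process even if the Group Policy objects have not changed".
        $reapply = if ($null -eq $noChanges) { 'Not Configured (default: only when GPO changes)' }
                   elseif ($noChanges -eq 0) { 'Reapplies even if GPO is unchanged' }
                   else                      { 'Only when GPO changes' }

        # NoBackgroundPolicy = 1 means the CSE is skipped at background refresh.
        $background = if ($noBackground -eq 1) { 'Skipped' } else { 'Processed' }

        New-Object psobject -Property @{
            CSE               = $name
            Reapply           = $reapply
            BackgroundRefresh = $background
        } | Select-Object CSE, Reapply, BackgroundRefresh
    }
}

function Test-AlwaysWaitForNetwork {
    # SyncForegroundPolicy = 1 is written when the setting is Enabled.
    (Get-PolicyValue $winlogon 'SyncForegroundPolicy') -eq 1
}

Get-CseProcessingState | Format-Table -AutoSize

# The security CSE reapplies every 16 hours regardless of the value above.
if (Test-AlwaysWaitForNetwork) {
    'Always Wait For Network At Startup And Logon: Enabled'
} else {
    'Always Wait For Network At Startup And Logon: not enabled; client may log on with cached policy'
}
```

A row that reports "Not Configured" on a machine where users are local administrators is the case the text recommends changing.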
Group Policy Refresh
When are policies applied? Policy settings in the Computer Configuration node are applied at system startup and every 90-120 minutes thereafter. User Configuration policy settings are applied at logon and every 90-120 minutes thereafter. The application of policies is called Group Policy refresh.
You can also force a policy refresh by using the GPUpdate command.
You will learn more about Group Policy refresh in Lesson 6.
Review the Components of Group Policy
As discussed in previous topics, the most important components to take care of when dealing with Group Policies are:
Setting. This represents a specific setting that is configurable in each Group Policy object. In Windows Server 2008 R2, there are almost 3,000 different settings. Group Policy settings provide the meaning and purpose of Group Policy. Settings can be enabled or disabled, but by default, they are Not Configured. The effect of enabling or disabling a setting can sometimes be complex to evaluate, so be sure to read the explanatory text and test all settings before deploying them in production.
Scope. After Group Policy settings are configured, you must decide where to apply the GPO. This is defined by scope. A GPO can be linked to a site, domain, or OU. Within the link scope, a GPO can be filtered with security groups or WMI filters.
Application. When planning Group Policy application, you must be aware of refresh intervals for various types of computers. Computer settings are applied at startup and every 90-120 minutes thereafter. User settings are applied at logon and every 90-120 minutes thereafter.
Tools. There are several tools for managing GPOs. GPOs are managed through the Group Policy Management console. Policy settings within a GPO are configured by using the GPME. GPUpdate allows you to manually trigger Group Policy refresh. RSoP tools allow you to evaluate and model the settings that were applied by Group Policy.
Demonstration: Exploring Group Policy Settings
Group Policy settings, also known as policies, are contained in a GPO and are viewed and modified by using the GPME. In this demonstration, you will look more closely at the categories of settings available in a GPO.
Computer Configuration and User Configuration
There are two major divisions of policy settings: computer settings, contained in the Computer Configuration node, and user settings, contained in the User Configuration node.
The Computer Configuration node contains the settings that are applied to computers, regardless of who logs on to them. Computer settings are applied when the operating system starts and during background refresh and every 90-120 minutes thereafter.
The User Configuration node contains settings that are applied when a user logs on to the computer and during background refresh and every 90-120 minutes thereafter.
Within the Computer Configuration and User Configuration nodes are the Policies and Preferences nodes. Policies are settings that are configured and behave similarly to the policy settings in the earlier versions of Windows. Preferences are introduced in Windows Server 2008. The following sections examine these nodes.
Within the Policies nodes within Computer Configuration and User Configuration are a hierarchy of folders containing policy settings. Because there are thousands of settings, it is beyond the scope of the exam and of this course to examine individual settings. It is worthwhile, however, to define the broad categories of settings in the folders.
Software Settings Node
The Software Settings node is the first node. It contains only the Software Installation extension. This extension helps you specify how applications are installed and maintained within your organization. It provides a place for independent software vendors to add settings. Software deployment with Group Policy is discussed in Module 7.
Windows Settings Node
In both Computer Configuration and User Configuration nodes, the Policies node contains a Windows Settings node, which includes the Scripts, Security Settings, and Policy-Based QoS nodes.
The Scripts extension enables you to specify two types of scripts, startup/shutdown (in the Computer Configuration node), and logon/logoff (in the User Configuration node). Startup/shutdown scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off. When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE executes the scripts from top to bottom. You can determine the order of execution for multiple scripts in the Properties dialog box. When a computer is shut down, the CSE first processes logoff scripts, followed by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a policy setting. You can use any ActiveX scripting language to write scripts. Some possibilities include Microsoft Visual Basic Scripting Edition (VBScript), Microsoft JScript, Perl, and Microsoft MS-DOS-style batch files (.bat and .cmd). Logon scripts on a shared network directory in another forest are supported for network logon across forests.
Security Settings Node
The Security Settings node allows a security administrator to configure security by using GPOs. This can be done after, or instead of, using a security template to set system security. For a detailed discussion of system security and the Security Settings node, refer to Module 7.
Policy-Based QoS Node
The Policy-Based QoS node defines policies that manage network traffic. For example, you might want to ensure that users in the Finance department have priority for running a critical network application during the end-of-year financial reporting period. The Policy-Based QoS node enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the additional Remote Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote Installation Services (RIS) policies control the behavior of a remote operating system installation. Folder Redirection enables you to redirect user data and settings folders such as AppData, Desktop, Documents, Pictures, Music, and Favorites from their default user profile location to an alternate location on the network, where they can be centrally managed. Internet Explorer Maintenance enables you to administer and customize Microsoft Internet Explorer.
Administrative Templates Node
In the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. The Administrative Templates node is discussed in detail later in this module.
There are thousands of such settings available for configuring the user and computer environment. As an administrator, you might spend a significant amount of time manipulating these settings. To assist you with the settings, a description of each policy setting is available in two locations:
On the Explain tab in the Properties dialog box for the setting. In addition, the Settings tab in the Properties dialog box for each setting also lists the required operating system or software for the setting.
On the Extended tab of the GPME. The Extended tab appears on the lower right of the details pane and provides a description of each selected setting in a column between the console tree and the settings pane. The required operating system or software for each setting is also listed.
Lesson 2: Implement GPOs
Now that you have a broad understanding of Group Policy and its components, you can look closely at each component. In this section, you will examine GPOs in detail.
Objectives
After completing this lesson, you will be able to:
Create, edit, and link GPOs.
Identify change and configuration management capabilities of Group Policy.
Configure policy settings.
Explain GPO storage, replication, and versioning.
Local GPOs
To manage configuration for users and computers, you create GPOs that contain the policy settings you require. Each computer has several GPOs stored locally on the system, known as the local GPOs, and can be within the scope of any number of domain-based GPOs.
Computers that run Windows 2000 Server, Windows XP, and Windows Server 2003 have one local GPO each, which can manage that system's configuration. The local GPO exists whether or not the computer is part of a domain, a workgroup, or a non-networked environment. It is stored in %SystemRoot%\System32\GroupPolicy. The policies in the local GPO affect only the computer on which the GPO is stored. By default, only the Security Settings policies are configured on a system's local GPO. All other policies are set at Not Configured.
When a computer does not belong to an Active Directory domain, the local policy is useful to configure and enforce configuration on that computer. However, in an Active Directory domain, settings in GPOs that are linked to the site, domain, or OUs will override local GPO settings and are easier to manage than GPOs on individual computers.
Windows Vista, Windows 7, Windows Server 2008, and later systems have multiple local GPOs. The Local Computer GPO is the same as the GPO in the previous versions of Windows. In the Computer Configuration node, you can configure all computer-related settings. In the User Configuration node, you can configure settings you want to apply to all users on the computer. The user settings in the Local Computer GPO can be modified by the user settings in two new local GPOs: Administrators and Non-Administrators. These two GPOs apply user settings to logged-on users according to whether they are members of the local Administrators group (in which case they would use the Administrators GPO) or not members of the Administrators group (and use the Non-Administrators GPO). You can further refine the user settings with a local GPO that applies to a specific user account. User-specific local GPOs are associated with local, not domain, user accounts.
RSoP is easy for computer settings: The Local Computer GPO is the only local GPO that can apply computer settings. User settings in a user-specific GPO override conflicting settings in the Administrators and Non-Administrators GPOs, which themselves override settings in the Local Computer GPO. The concept is simple: the more specific the local GPO, the higher the precedence of its settings.
To create and edit local GPOs:
1. Click the Start button and in the Start Search box, type mmc.exe, and then press Enter.
An empty Microsoft Management console (MMC) opens.
2. Click File, and then click Add/Remove Snap-in.
3. Select the Group Policy Object Editor option, and then click Add.
A dialog box appears, prompting you to select the GPO to edit.
4. The Local Computer GPO is selected by default. If you want to edit another local GPO, click the Browse button. On the Users tab, you will find the Non-Administrators and Administrators GPOs and one GPO for each local user. Select the GPO and click OK.
5. Click Finish, and then click OK to close each of the dialog boxes.
The Group Policy Object Editor snap-in is added and focused on the selected GPO.
Question: If domain members can be centrally managed by using domain-linked GPOs, in which scenarios can you use local GPOs?
Domain-Based GPOs
Domain-based GPOs are created in Active Directory and stored on domain controllers. They are used to manage configuration centrally for users and computers in the domain. The remainder of this course refers to domain-based GPOs rather than local GPOs, unless otherwise specified.
When AD DS is installed, two default GPOs are created: Default Domain Controllers Policy and Default Domain Policy.
Default Domain Policy
This GPO is linked to the domain and has no security group or WMI filters. Therefore, it affects all users and computers in the domain, including computers that are domain controllers. This GPO contains policy settings that specify password, account lockout, and Kerberos policies. In Module 10, you will learn how to modify the default settings in this GPO to align with your enterprise password and account lockout policies. You should not add unrelated policy settings to this GPO. If you need to configure other settings to apply broadly in your domain, create additional GPOs linked to the domain.
Default Domain Controllers Policy
This GPO is linked to the OU of the domain controllers. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers. The Default Domain Controllers GPO should be modified to implement your auditing policies, as you will see in Modules 8 through 10. It should also be modified to assign user rights required on domain controllers.
Demonstration: Create, Link, and Edit GPOs
To create a GPO, right-click the Group Policy Objects container, and then click New.
You must have permission to the Group Policy Objects container to create a GPO. By default, the Domain Admins group and the Group Policy Creator Owners group are delegated the ability to create GPOs.
To delegate permission to create GPOs to other groups, select the Group Policy Objects container in the GPMC console tree and then click the Delegation tab in the console details pane.
After you have created a GPO, you can create the initial scope of the GPO by linking it to a site, domain, or OU.
To link a GPO, right-click the site, domain, or OU, and then click Link An Existing GPO.
You can also create and link a GPO with a single step: right-click a site, domain, or OU, and then click Create A GPO In This Domain And Link It Here.
Note that you will not see your sites in the Sites node of the GPMC until you right-click Sites, click Show Sites, and then select the sites you want to manage.
You must have permission to link GPOs to a site, domain, or OU. In the GPMC, select the container in the console tree, and then click the Delegation tab in the console details pane. From the Permission drop-down list, click Link GPOs. The users and groups displayed hold the permission for the selected OU. Click the Add or Remove buttons to modify the delegation.
To edit a GPO, right-click the GPO in the Group Policy Objects container and click Edit.
The GPO is opened in the GPME. You must have at least the Read permission to open the GPO in this way.
To make changes to a GPO, you must have the Write permission to the GPO. Permissions for the GPO can be set by selecting the GPO in the Group Policy Objects container and then clicking the Delegation tab in the details pane.
The GPME will display the name of the GPO as the root node. The GPME also displays the domain in which the GPO is defined and the server from which the GPO was opened and to which changes will be saved. The root node is in the GPOName [ServerName] format. In the screenshot of the GPME on an earlier page in this module, the root node is CONTOSO Standards [SERVER01.contoso.com] Policy. The GPO name is CONTOSO Standards, and it was opened from SERVER01.contoso.com, meaning that the GPO is defined in the contoso.com domain.
By default, both the GPMC and the GPME console connect to a specific domain controller in your environment, the domain controller acting as the PDC Emulator. In a later module, you will learn to identify and manage which domain controller has this role.
This is done to reduce the possibility that a single GPO might be changed on two different domain controllers, at which point during replication there would be no way to reconcile the changes, and only one version of the entire GPO would prevail and be replicated. Focusing the administrative tools on one domain controller helps ensure that changes are made in one place.
However, in a large, distributed environment, the PDC Emulator may be in a distant site, resulting in slow performance for the GPMC. You can right-click the root node of each console and connect to a specific domain controller closer to you. Just be cognizant of the replication issue: if you are the only one who is editing a GPO, it is perfectly acceptable for you to do so on a local, higher-performing domain controller.
Demonstration Steps
Create a GPO.
Open a GPO for editing.
Link a GPO.
Delegate the management of GPOs.
Delete the GPO.
Discuss the default connection to PDC emulator.
GPO Storage
Group Policy settings are presented as GPOs in Active Directory user interface tools, but a GPO is actually two components: a Group Policy Container (GPC) and a Group Policy Template (GPT).
The GPC is an Active Directory object stored in the Group Policy Objects container within the domain naming context of the directory. Like all Active Directory objects, each GPC includes a globally unique identifier (GUID) attribute that uniquely identifies the object within Active Directory. The GPC defines basic attributes of the GPO, but it does not contain any of the settings. The settings are contained in the GPT, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the GPC. When you make changes to the settings of a GPO, the changes are saved to the GPT of the server from which the GPO was opened.
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated.
The Group Policy client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the GPC and in a text file, GPT.ini, in the GPT folder. The Group Policy client knows the version number of each GPO it has previously applied. If, during Group Policy refresh, the Group Policy client discovers that the version number of the GPC has been changed, the CSEs will be informed that the GPO is updated.
GPO Replication
Group Policy Container and Group Policy Template are both replicated between all domain controllers in Active Directory. However, different replication mechanisms are used for these two items.
The GPC in Active Directory is replicated by the Directory Replication Agent (DRA). The DRA uses a topology generated by the Knowledge Consistency Checker (KCC) that can be defined or refined manually. You will learn more about Active Directory Replication in Module 14. The result is that the GPC is replicated within seconds to all domain controllers in a site and is replicated between sites based on your intersite replication configuration. This process will also be discussed in Module 14.
The GPT in the SYSVOL is replicated by using one of the following two technologies. The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows 2000. If all domain controllers are running Windows Server 2008 or earlier, you can configure SYSVOL replication by using Distributed File System Replication (DFSR), which is a much more efficient and robust mechanism.
Because the GPC and GPT are replicated separately, it is possible for them to become out of sync for a short time.
Typically, when this happens, the GPC will replicate to a domain controller first. Systems that obtained their ordered list of GPOs from that domain controller will identify the new GPC, will attempt to download the GPT, and will notice that the version numbers are not the same. A policy processing error will be recorded in the event logs. If the reverse happens, and the GPO replicates to a domain controller before the GPC, clients obtaining their ordered list of GPOs from that domain controller will not be notified of the new GPO until the GPC has replicated.
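The version bookkeeping and the two out-of-sync cases described above can be checked offline. The following Python sketch is an added example, not part of the courseware: it parses GPT.ini content, compares it with the GPC versionNumber, and classifies each domain controller's copy. The DC names, version values and function names are constructed, and it relies on the layout of the version number (user revision in the upper 16 bits, computer revision in the lower 16), which the text above does not spell out.

```python
import configparser

def split_version(version):
    """Split a GPO version number into (user, computer) revision counters."""
    return version >> 16, version & 0xFFFF

def gpt_version(gpt_ini_text):
    """Read Version from the [General] section of GPT.ini content."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])

def sync_state(gpc_version, gpt_ini_text):
    """Classify one domain controller's copy of a GPO."""
    gpc = split_version(gpc_version)
    gpt = split_version(gpt_version(gpt_ini_text))
    if gpc == gpt:
        return "in-sync"
    if all(c >= t for c, t in zip(gpc, gpt)):
        return "gpc-ahead"   # clients see mismatched versions and log a processing error
    if all(t >= c for c, t in zip(gpc, gpt)):
        return "gpt-ahead"   # clients are not told about the change until the GPC replicates
    return "diverged"        # each side is newer in one half; needs manual review

def needs_processing(last_applied, gpc_version):
    """Default refresh behaviour: CSEs reprocess a GPO only when its version changed."""
    return last_applied != gpc_version

def audit(replicas):
    """replicas maps DC name -> (GPC versionNumber, GPT.ini text); returns DCs not in sync."""
    report = {}
    for dc, (gpc_version, ini_text) in replicas.items():
        state = sync_state(gpc_version, ini_text)
        if state != "in-sync":
            report[dc] = state
    return report

# Constructed sample: one GPO as seen on three domain controllers.
GPT_V3 = "[General]\nVersion=196611\n"   # 0x00030003: user 3, computer 3
GPT_V4 = "[General]\nVersion=262147\n"   # 0x00040003: user 4, computer 3
SAMPLE = {
    "SERVER01": (262147, GPT_V4),   # both parts replicated
    "SERVER02": (262147, GPT_V3),   # GPC arrived first
    "SERVER03": (196611, GPT_V4),   # GPT arrived first
}

if __name__ == "__main__":
    for dc, state in audit(SAMPLE).items():
        print(dc, state)
```

A copy that stays out of sync long after replication should have converged is worth investigating, since it can also mean the SYSVOL files were changed outside the Group Policy tools.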
Manage GPOs and Their Settings
When you right-click a GPO in the GPMC, a list of useful management commands appears.
Copy. You can copy a GPO and then right-click the Group Policy Objects container and select Paste to create a copy of the GPO. This is useful when you want to create a new GPO in the same domain and to start with the same settings as an existing GPO. It is also useful to copy a GPO into another domain, for example, between a test domain and a production domain. To copy a GPO between domains, add the target trusted domain to the GPMC. You must have permission to create GPOs in the target domain. When you paste a GPO, you are given the option to copy the access control list (ACL) from the original GPO, which preserves the security filtering, or to use the default ACL for new GPOs in the target domain.
Back Up. As with any critical data, it is important to back up GPOs. Because a GPO consists of several files, objects, permissions, and links, managing the backup and restore of GPOs is quite difficult. Luckily, the Back Up command pulls all of those pieces into a single place and makes restore a simple task.
Restore from Backup. Restore an entire GPO, including its files, objects, permissions, and links into the same domain in which the GPO originally existed.
Import Settings. Import only the settings from a backed-up GPO. Although this option does not import permissions or links, it can be useful for transferring GPOs between nontrusted domains that cannot use copy and paste. If a GPO includes potentially domain-specific settings, including the UNC paths or names of security groups, you will be prompted as to whether you want to import those settings exactly as they were backed up or to use a migration table that maps source to destination names.
Save Report. Use this to save an HTML report of the GPO settings.
Delete. Use this to delete a GPO.
Rename. Use this to rename a GPO.
Lab A: Implement Group Policy
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425CNYCDC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Start 6425CNYCCL1. Do not log on to the client computer until directed to do so.
Lab Scenario
You are responsible for managing change and configuration at Contoso, Ltd. Contoso corporate IT security policies specify that computers cannot be left unattended and logged on to for more than 10 minutes. You will therefore configure the screen saver timeout and password-protected screen saver policy settings. Additionally, you will lock down access to registry editing tools.
Exercise 1: Create, Edit, and Link Group Policy Objects
In this exercise, you will create a GPO that implements a setting mandated by the corporate security policy of Contoso, Ltd and scope the setting to all users and computers in the domain. You will then examine the effect of the GPO. You can also explore other settings that are made available within a GPO.
The main tasks for this exercise are as follows:
1. Create a GPO.
2. Edit the settings of a GPO.
3. Scope a GPO with a GPO link.
4. View the effects of Group Policy application.
5. Explore GPO settings.
Task 1: Create a GPO.
1. On NYCDC1, run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a Group Policy Object named CONTOSO Standards in the Group Policy Objects container.
Task 2: Edit the settings of a GPO.
1. Edit the CONTOSO Standards GPO.
2. Navigate to the User Configuration, Policies, Administrative Templates, System folder.
3. Prevent users from running Registry Editor and regedit /s.
4. Navigate to the User Configuration, Policies, Administrative Templates, Control Panel, Personalization folder.
5. Examine the explanatory text for the Screen saver timeout policy setting.
6. Configure the Screen saver timeout policy to 600 seconds.
7. Enable the Password protect the screen saver policy setting.
Task 3: Scope a GPO with a GPO link.
Link the CONTOSO Standards GPO to the contoso.com domain.
Task 4: View the effects of Group Policy application.
1. Log on to NYCCL1 as Pat.Coleman.
2. Attempt to change the screen saver wait time and resume settings. You are prevented from doing so by Group Policy.
3. Attempt to run Registry Editor. You are prevented from doing so by Group Policy.
Task 5: Explore GPO settings.
On NYCDC1, edit the CONTOSO Standards GPO and spend time exploring the settings that are available in a GPO. Do not make any changes.
Results: In this exercise, you created a GPO named CONTOSO Standards that configures password-protected screen saver, screen saver timeout, and registry editing tool restrictions.
Note: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs.
Exercise 2: Use Filtering and Commenting
In this exercise, you will use the new commenting and filtering features of Group Policy to locate and document policy settings.
The main tasks for this exercise are as follows:
1. Search and filter policy settings.
2. Document GPOs and settings with comments.
Task 1: Search and filter policy settings.
1. If necessary, open the GPMC and then edit the CONTOSO Standards GPO.
2. In the User Configuration\Policies\Administrative Templates folder, filter the view to show only policy settings that contain the phrase screen saver. Spend a few moments examining those settings.
3. Filter the view to show only configured policy settings. Spend a few moments examining those settings.
4. Turn off the filter from Administrative Templates.
Task 2: Document GPOs and settings with comments.
1. Edit the comment to the CONTOSO Standards GPO and add the following comment to the GPO: Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name.
This comment appears on the Details tab of the GPO in the GPMC.
2. Add the following comment to the Screen saver timeout policy setting: Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver.
3. Add the following comment to the Password protect the screen saver policy setting: Corporate IT Security Policy implemented with this policy in combination with Screen Saver Timeout.
Results: In this exercise, you added comments to your Group Policy object and settings.
Lab Review Questions
Question: Which policy settings are already being deployed by using Group Policy in your organization?
Question: Which policy settings did you discover that you might want to implement in your organization?
Lesson 3: Manage Group Policy Scope
A GPO is, by itself, a collection of configuration instructions that will be processed by the CSEs of computers. Until the GPO is scoped, it does not apply to any users or computers. The GPO's scope determines the CSEs of which computers will receive and process the GPO, and only the computers or users within the scope of a GPO will apply the settings in that GPO. In this lesson, you will learn to manage the scope of a GPO. The following mechanisms are used to scope a GPO:
The GPO link to a site, domain, or OU and whether that link is enabled
The Enforce option of a GPO
The Block Inheritance option on an OU
Security group filtering
WMI filtering
Policy node enabling or disabling
Preferences targeting
Loopback policy processing
You must be able to define the users or computers to which configuration is deployed, and therefore, you must master the art of scoping GPOs. In this lesson, you will learn each of the mechanisms with which you can scope a GPO and, in the process, you will master the concepts of Group Policy application, inheritance, and precedence.
Objectives
After completing this lesson, you will be able to:
Manage GPO links.
Identify the relationship between OU structure and GPO application.
Evaluate GPO inheritance and precedence.
Understand the Block Inheritance and Enforced link options.
Apply security filtering to narrow the scope of a GPO.
Apply a WMI filter to a GPO.
Target Group Policy preferences.
Identify best practices for scoping Group Policy.
GPO Links
A GPO can be linked to one or more Active Directory sites, domains, or OUs. After a policy is linked to a site, domain, or OU, the computers and users in that container are within the scope of the GPO, including computers and users in child OUs.
As you learned in Lesson 1, you can link a GPO to the domain, to a site, or to an OU.
To link a GPO, right-click the domain or OU in the GPMC console tree, and then click Link An Existing GPO. If you have not yet created a GPO, click Create A GPO In This {Domain | OU | Site} And Link It Here.
You can choose the same commands to link a GPO to a site, but by default, your Active Directory sites are not visible in the GPMC.
To show sites in the GPMC, right-click Sites in the GPMC console tree and choose Show Sites.
Note: A GPO linked to a site affects all computers in the site without regard to the domain to which the computers belong (as long as all computers belong to the same Active Directory forest). Therefore, when you link a GPO to a site, that GPO can be applied to multiple domains within a forest. Site-linked GPOs are stored on domain controllers in the domain in which the GPO was created. Therefore, domain controllers for that domain must be accessible for site-linked GPOs to be applied correctly. If you implement site-linked policies, you must consider policy application when planning your network infrastructure. Either place a domain controller from the GPO's domain in the site to which the policy is linked, or ensure that wide area network (WAN) connectivity provides accessibility to a domain controller in the GPO's domain.
When you link a GPO to a site, domain, or OU, you define the initial scope of the GPO. Select a GPO and click the Scope tab to identify the containers to which the GPO is linked. In the details pane of the GPMC, the GPO links are displayed in the first section of the Scope tab, as seen here:
The impact of the GPO's links is that the Group Policy Client downloads the GPO if either the computer or the user objects fall within the scope of the link. The GPO will be downloaded only if it is new or updated. The Group Policy Client caches the GPO to make policy refresh more efficient.
Link a GPO to Multiple OUs
You can link a GPO to more than one site or OU. It is common, for example, to apply configuration to computers in several OUs. You can define the configuration in a single GPO and link that GPO to each OU. If you later change settings in the GPO, your changes will apply to all OUs to which the GPO is linked.
Delete or Disable a GPO Link
After you have linked a GPO, the GPO link appears in the GPMC underneath the site, domain, or OU. The icon for the GPO link has a small shortcut arrow. When you right-click the GPO link, a context menu appears, as shown here:
To delete a GPO link, right-click the GPO link in the GPMC console tree and then click Delete.
Deleting a GPO link does not delete the GPO itself, which remains in that GPO container. Deleting the link does change the scope of the GPO so that it no longer applies to computers and users within a site, domain, or OU to which it was previously linked.
You can also modify a GPO link by disabling it.
To disable a GPO link, right-click the GPO link in the GPMC console tree and then deselect the Link Enabled option.
Disabling the link also changes the GPO scope so that it no longer applies to computers and users within that container. However, the link remains so that it can be easily re-enabled.
Group Policy Processing Order
The GPOs that apply to a user, computer, or both do not all apply at once. GPOs are applied in a particular order. This order means that settings that are processed first may be overwritten by conflicting settings that are processed later.
Group Policy follows the following hierarchical processing order:
1. Local group policies. Each computer running Windows 2000 or later has at least one local group policy. The local policies are applied first.
2. Site group policies. Policies linked to sites are processed second. If there are multiple site policies, they are processed synchronously in the listed preference order.
3. Domain group policies. Policies linked to domains are processed third. If there are multiple domain policies, they are processed synchronously in the listed preference order.
4. OU group policies. Policies linked to top-level OUs are processed fourth. If there are multiple top-level OU policies, they are processed synchronously in the listed preference order.
5. Child OU group policies. Policies linked to child OUs are processed fifth. If there are multiple child OU policies, they are processed synchronously in the listed preference order. When there are multiple levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs are applied next.
In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for the objects contained in that particular OU.
If you link several GPOs to an organizational unit, their processing occurs in the order that the administrator specifies on the Linked Group Policy Objects tab for the organizational unit in the Group Policy Management Console (GPMC).
By default, processing is enabled for all GPO links. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling that container's GPO link. Note that if the GPO is linked to other containers, they will continue to process the GPO if their links are enabled.
You can also disable the user or computer configuration of a particular GPO independent of either the user or computer. If one section of a policy is known to be empty, disabling the other side speeds up policy processing. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer side of the policy.
GPO Inheritance and Precedence
A policy setting can be configured in more than one GPO, and GPOs can be in conflict with one another. For example, a policy setting can be enabled in one GPO, disabled in another GPO, and not configured in a third GPO. In this case, the precedence of the GPOs determines which policy setting the client applies. A GPO with higher precedence prevails over a GPO with lower precedence. Precedence is shown as a number in the GPMC. The smaller the number (that is, the closer to 1), the higher the precedence, so a GPO with a precedence of 1 will prevail over other GPOs. Select the domain or OU and then click the Group Policy Inheritance tab to view the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with higher precedence, the configured setting takes effect. However, remember that policy settings are set to Not Configured by default. If a policy setting is not configured in a GPO with higher precedence, the policy setting (either enabled or disabled) in a GPO with lower precedence will take effect.
A site, domain, or OU can have more than one GPO linked to it. The link order of GPOs determines the precedence of GPOs in such a scenario. GPOs with a higher link order take precedence over GPOs with a lower link order. When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link order of GPOs linked to that OU.
The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by lower-level containers. When a computer starts up or a user logs on, the Group Policy Client examines the location of the computer or user object in Active Directory and evaluates the GPOs with scopes that include the computer or user. Then, the client-side extensions apply policy settings from these GPOs. Policies are applied sequentially, beginning with the policies linked to the site, followed by those linked to the domain, followed by those linked to OUs from the top-level OU down to the OU in which the user or computer object exists. It is a layered application of settings, so a GPO that is applied later in the process, because it has higher precedence, overrides settings applied earlier in the process.
The sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, so the resultant set of group policies for a user or computer will be the cumulative effect of site, domain, and OU policies.
By default, inherited GPOs have lower precedence than GPOs linked directly to the container. For example, you might configure a policy setting to disable the use of registry editing tools for all users in the domain by configuring the policy setting in a GPO linked to the domain. That GPO, and its policy setting, is inherited by all users within the domain. However, you probably want administrators to be able to use registry editing tools, so you will link a GPO to the OU that contains administrators' accounts and configure the policy setting to allow the use of registry editing tools. Because the GPO linked to the administrators' OU takes higher precedence than the inherited GPO, administrators will be able to use registry editing tools. The following figure illustrates Group Policy Inheritance:
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. If there are multiple GPOs, the objects' link order determines their precedence. In the following figure, two GPOs are linked to the People OU:
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over the same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrows to change the link order of the selected GPO.
Block Inheritance
A domain or OU can be configured to prevent the inheritance of policy settings.
To block inheritance, right-click the domain or OU in the GPMC console tree and select Block Inheritance.
The Block Inheritance option is a property of a domain or OU, so it blocks all Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. When you block inheritance on an OU, for example, GPO application begins with any GPOs linked directly to that OU; GPOs linked to higher-level OUs, the domain, or the site will not apply.
The Block Inheritance option should be used sparingly. Blocking inheritance makes it more difficult to evaluate Group Policy precedence and inheritance. In a later topic, you will learn how to scope a GPO so that it applies to only a subset of objects or so that it is prevented from applying to a subset of objects. With security group filtering, you can carefully scope a GPO so that it applies to only the correct users and computers in the first place, making it unnecessary to use the Block Inheritance option.
Enforce a GPO Link
In addition, a GPO link can be set to Enforced.
To enforce a GPO link, right-click the GPO link in the console tree and choose Enforced from the context menu.
When a GPO link is set to Enforced, the GPO takes the highest level of precedence; policy settings in that GPO will prevail over any conflicting policy settings in other GPOs. In addition, a link that is enforced will apply to child containers even when those containers are set to Block Inheritance. The Enforced option causes the policy to apply to all objects within its scope. Enforced will cause policies to override any conflicting policies and will apply regardless of whether a Block Inheritance option is set.
In the figure on the following page, Block Inheritance has been applied to the Business OU. As a result, GPO D, which is applied to the domain, is blocked and does not apply when a user from the Employees OU logs on to a computer in the Clients OU. However, the Security GPO, which is linked to the domain with the Enforced option, does apply. In fact, it is applied last in the processing order, meaning its settings will override those of GPOs B, C, and E.
When you configure a GPO that defines configuration mandated by your corporate IT security and usage policies, you want to ensure that those settings are not overridden by other GPOs. You can do this by enforcing the link of the GPO. The figure here shows just this scenario:
Configuration mandated by corporate policies is deployed in the CONTOSO Corporate IT Security & Usage GPO, which is linked with an enforced link to the Contoso.com domain. The icon for the GPO link has a padlock on it, the visual indicator of an enforced link. On the People OU, the Group Policy Inheritance tab shows that the GPO takes precedence even over the GPOs linked to the People OU itself.
Evaluating Precedence
To facilitate evaluation of GPO precedence, you can simply select an OU (or domain) and click the Group Policy Inheritance tab. This tab will display the resulting precedence of GPOs, accounting for GPO link, link order, inheritance blocking, and link enforcement. This tab does not account for policies that are linked to a site, nor does it account for GPO security or WMI filtering.
Use Security Filtering to Modify GPO Scope
Bynow,youvelearnedthatyoucanlinkaGPOtoasite,domain,orOU.However,youmightneedtoapplyGPOsonlytocertaingroupsofusersorcomputersrather
07/06/13 Module 6: Implementing a Group Policy Infrastructure
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 67/135
thantoallusersorcomputerswithinthescopeoftheGPO.AlthoughyoucannotdirectlylinkaGPOtoasecuritygroup,thereisawaytoapplyGPOstospecificsecuritygroups.ThepoliciesinaGPOapplyonlytouserswhohaveAllowReadandAllowApplyGroupPolicypermissionstotheGPO.
Each GPO has an ACL that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. For example, if a GPO is scoped to a computer by its link to the computer's OU, but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.
By default, Authenticated Users are given the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPOs set for their domain, site, or OU, regardless of the other groups in which they might be members. Therefore, there are two ways of filtering GPO scope:
Remove the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group but do not set this permission to Deny. Then, determine the groups to which the GPO should be applied and set the Read and Apply Group Policy permissions for these groups to Allow.
Determine the groups to which the GPO should not be applied and set the Apply Group Policy permission for these groups to Deny. If you deny the Apply Group Policy permission to a GPO, the user or computer will not apply settings in the GPO, even if the user or computer is a member of another group that is allowed the Apply Group Policy permission.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. In the Security Filtering section, select the Authenticated Users group and click Remove.
Note: GPOs can be filtered only with global security groups, not with domain local security groups.
3. Click OK to confirm the change.
4. Click Add.
5. Select the group to which you want the policy to apply and click OK.
The result will look similar to the figure shown here: the Authenticated Users group is not listed, and the specific group to which the policy should apply is listed.
Filtering a GPO to Exclude Specific Groups
The Scope tab of a GPO does not allow you to exclude specific groups. To exclude a group (that is, to deny the Apply Group Policy permission), you must use the Delegation tab.
To deny a group the Apply Group Policy permission:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. Click the Delegation tab.
3. Click the Advanced button.
The Security Settings dialog box appears.
4. Click the Add button.
5. Select the group you want to exclude from the GPO. Remember, it must be a global group. GPO scope cannot be filtered by domain local groups.
6. Click OK.
The group you selected is given the Allow Read permission by default.
7. Clear the Allow Read permission check box.
8. Select the Deny Apply Group Policy check box.
The figure here shows an example that denies the Help Desk group the Apply Group Policy permission and, therefore, excludes the group from the scope of the GPO.
9. Click OK.
You are warned that Deny permissions override other permissions.
Because Deny permissions override Allow permissions, it is recommended that you use them sparingly. Microsoft Windows reminds you of this best practice with the warning message. The process to exclude groups with the Deny Apply Group Policy permission is far more laborious than the process to include groups in the Security Filtering section of the Scope tab.
10. Confirm that you want to continue.
Important: Deny permissions are not exposed on the Scope tab. Unfortunately, when you exclude a group, the exclusion is not shown in the Security Filtering section of the Scope tab.
This is yet one more reason to use Deny permissions sparingly.
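Because the Scope tab does not show exclusions, the only way to inventory them is to read each GPO's ACL. The following PowerShell is an added example, not part of the original course material; it assumes the GroupPolicy and ActiveDirectory RSAT modules are available, and the function name Get-GpoDenyApplyAce is hypothetical.

```powershell
# Added example: report every Deny ACE that blocks "Apply Group Policy" on any GPO
# in the current domain. Requires the GroupPolicy and ActiveDirectory modules and
# read access to the GPO objects.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoDenyApplyAce {
    [CmdletBinding()]
    param()

    # rightsGuid of the Apply-Group-Policy extended right. An all-zero ObjectType on an
    # ExtendedRight ACE means "all extended rights", which also covers Apply Group Policy.
    $applyRights = @(
        [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939',
        [guid]::Empty
    )
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($gpo in Get-GPO -All) {
        # GPO permissions are stored on the groupPolicyContainer object in AD;
        # $gpo.Path is that object's distinguished name.
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"

        foreach ($ace in $acl.Access) {
            $isDenyApply = ($ace.AccessControlType -eq 'Deny') -and
                           $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and
                           ($applyRights -contains $ace.ObjectType)

            if ($isDenyApply) {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    GpoId     = $gpo.Id
                    Trustee   = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# One row per excluded trustee; an empty result means no GPO uses Deny filtering.
Get-GpoDenyApplyAce | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Running this on a schedule and comparing the output with the previous run surfaces exclusions that were added outside the documented change process.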
WMI Filters
WMI is a management infrastructure technology that enables administrators to monitor and control managed objects in the network. A WMI query is capable of filtering systems based on characteristics, including RAM, processor speed, disk capacity, IP address, operating system version and service pack level, installed applications, and printer properties. Because WMI exposes almost every property of every object within a computer, the list of attributes that can be used in a WMI query is virtually unlimited. WMI queries are written by using WMI Query Language (WQL).
You can use a WMI query to create a WMI filter, with which a GPO can be filtered. A good way to understand the purpose of a WMI filter, both for the certification exams and for real-world implementation, is through examples. Group Policy can be used to deploy software applications and service packs, a capability that is discussed in Module 7. You might create a GPO to deploy an application and then use a WMI filter to specify that the policy should apply only to computers with a certain operating system and service pack: Windows XP SP3, for example. The WMI query to identify such systems is:
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
When the Group Policy Client evaluates GPOs it has downloaded to determine which should be handed off to the CSEs for processing, it performs the query against the local system. If the system meets the criteria of the query, the query result is a logical True, and the CSEs process the GPO.
WMI exposes namespaces, within which are classes that can be queried. Many useful classes, including Win32_OperatingSystem, are found in a namespace called root\CIMv2.
To create a WMI filter:
1. Right-click the WMI Filters node in the GPMC console tree, and then click New.
Type a name and description for the filter, and then click the Add button.
2. In the Namespace box, type the namespace for your query.
3. In the Query box, enter the query.
4. Click OK.
To filter a GPO with a WMI filter:
1. Select the GPO or GPO link in the console tree.
2. Click the Scope tab.
3. Click the WMI drop-down list, and select the WMI filter.
A GPO can be filtered by only one WMI filter, but that WMI filter can be a complex query that uses multiple criteria. A single WMI filter can be linked to, and thereby used to filter, one or more GPOs. The General tab of a WMI filter, shown in the figure here, displays the GPOs that use the WMI filter:
There are three significant caveats regarding WMI filters.
First, the WQL syntax of WMI queries can be challenging to master. You can often find examples on the Internet when you search by using the keywords WMI filter and WMI query, along with a description of the query you want to create.
Second, WMI filters are expensive in terms of Group Policy processing performance. Because the Group Policy Client must perform the WMI query at each policy processing interval, there is a slight impact on system performance every 90 to 120 minutes. With the performance of today's computers, the impact might not be noticeable, but you should certainly test the effects of a WMI filter prior to deploying it widely in your production environment.
Note that the WMI query is processed only one time, even if it is used to filter the scope of multiple GPOs.
Third, WMI filters are not processed by computers running Windows 2000 Server. If a GPO is filtered with a WMI filter, a Windows 2000 Server system ignores the filter and processes the GPO as if the results of the filter were true.
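The first two caveats (syntax and cost) can be checked on a representative client before a filter is linked to any GPO. The following PowerShell is an added example, not part of the original course material; Test-WmiFilterQuery is a hypothetical helper, and because it runs under your account rather than as the Group Policy Client, the timing is indicative only.

```powershell
# Added example: validate a WQL filter query locally and measure how long it takes.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2',
        [ValidateRange(1, 50)] [int] $Runs = 5    # repeat to smooth out timing noise
    )

    $rows    = @()
    $failure = $null
    $timer   = [System.Diagnostics.Stopwatch]::StartNew()

    try {
        for ($i = 0; $i -lt $Runs; $i++) {
            # -ErrorAction Stop turns a WQL syntax error or bad namespace into a catchable exception
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        }
    }
    catch {
        $failure = $_.Exception.Message
    }
    $timer.Stop()

    [pscustomobject]@{
        Namespace    = $Namespace
        Query        = $Query
        # The filter evaluates to True when the query returns at least one instance.
        FilterResult = ($null -eq $failure) -and ($rows.Count -gt 0)
        AverageMs    = [math]::Round($timer.Elapsed.TotalMilliseconds / $Runs, 1)
        Error        = $failure
    }
}

# The Windows XP SP3 query from the text above; FilterResult is False on any other OS.
$xpSp3 = 'Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"'
Test-WmiFilterQuery -Query $xpSp3

# A deliberately malformed query (constructed) shows how a syntax error is reported.
Test-WmiFilterQuery -Query 'Select * FORM Win32_OperatingSystem'
```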
Enable or Disable GPOs and GPO Nodes
You can prevent the settings in the Computer Configuration or User Configuration nodes from being processed during policy refresh by changing the GPO Status.
To enable or disable a GPO's nodes, select the GPO or GPO link in the console tree, click the Details tab, shown in the figure, and then select one of the following from the GPO Status drop-down list:
Enabled. Both computer configuration settings and user configuration settings will be processed by CSEs during policy refresh.
All Settings Disabled. CSEs will not process the GPO during policy refresh.
Computer Configuration Settings Disabled. During computer policy refresh, computer configuration settings in the GPO will not be applied.
User Configuration Settings Disabled. During user policy refresh, user configuration settings in the GPO will not be applied.
You can configure GPO status to optimize policy processing. If a GPO contains only user settings, for example, setting the GPO Status option to disable computer settings prevents the Group Policy client from attempting to process the GPO during computer policy refresh. Because the GPO contains no computer settings, there is no need to process the GPO, and you can save a few cycles of the processor.
Note: You can define a configuration that should take effect in case of an emergency, security incident, or other disasters in a GPO and link the GPO so that it is scoped to appropriate users and computers. Then, disable the GPO. If you require the configuration to be deployed, enable the GPO.
Target Preferences
Preferences, which are new to Windows Server 2008, have a built-in scoping mechanism called item-level targeting. You can have multiple preference items in a single GPO, and each preference item can be targeted or filtered. So, for example, you could have a single GPO with a preference that specifies folder options for engineers and another item that specifies folder options for sales people. You can target the items by using a security group or OU. There are over a dozen other criteria that can be used, including hardware and network characteristics, date and time, Lightweight Directory Access Protocol (LDAP) queries, and more.
Note: What's new about preferences is that you can target multiple preference items within a single GPO instead of requiring multiple GPOs. With traditional policies, you often need multiple GPOs filtered to individual groups to apply variations of settings.
Like WMI filters, item-level targeting of preferences requires the CSE to perform a query to determine whether to apply the settings in a preferences item. You must be aware of the potential performance impact of item-level targeting, particularly if you use options such as LDAP queries, which require processing time and a response from a domain controller to process. As you design your Group Policy infrastructure, balance the configuration management benefits of item-level targeting against the performance impact you discover during testing in a lab.
Loopback Policy Processing
By default, a user's settings come from GPOs scoped to the user object in Active Directory. Regardless of which computer the user logs on to, the resultant set of policies that determine the user's environment is the same. There are situations, however, in which you might want to configure a user differently, depending on the computer in use. For example, you might want to lock down and standardize user desktops when users log on to computers in closely managed environments such as conference rooms, reception areas, laboratories, classrooms, and kiosks. It is also important for virtual desktop infrastructure (VDI) scenarios, including remote virtual machines and Remote Desktop Services (RDS), known as Terminal Services in previous versions.
Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows desktop on all computers in conference rooms and other public areas of your office. How will you centrally manage this configuration by using Group Policy? Policy settings that configure desktop appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply to users, regardless of which computer they log on to. The default policy processing does not give you a way to scope user settings to apply to computers, regardless of which user logs on. That's where loopback policy processing comes in.
Loopback policy processing alters the default algorithm used by the Group Policy client to obtain the ordered list of GPOs that should be applied to a user's configuration. Instead of user configuration being determined by the User Configuration node of GPOs that are scoped to the user object, user configuration can be determined by the User Configuration node policies of GPOs that are scoped to the computer object.
The User Group Policy loopback processing mode policy, located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in GPME, can be, like all policy settings, set to Not Configured, Enabled, or Disabled.
When enabled, the policy can specify the Replace or Merge mode.
Replace. In this case, the GPO list for the user (obtained in step 5 in Group Policy Processing, the next section) is replaced entirely by the GPO list already obtained for the computer at computer startup (in step 2). The settings in User Configuration policies of the computer's GPOs are applied to the user. The Replace mode is useful in a situation such as a classroom where users should receive a standard configuration rather than the configuration applied to those users in a less managed environment.
Merge. In this case, the GPO list obtained for the computer at computer startup (step 2 in the Group Policy Processing section) is appended to the GPO list obtained for the user when logging on (step 5). Because the GPO list obtained for the computer is applied later, settings in GPOs on the computer's list have precedence if they conflict with settings in the user's list. This mode would be useful to apply additional settings to users' typical configurations. For example, you might allow a user to receive the user's typical configuration when logging on to a computer in a conference room or reception area, but replace the wallpaper with a standard bitmap and disable the use of certain applications or devices.
Note: It is a less documented fact that when you combine the loopback processing with security group filtering, the application of user settings during policy refresh uses the credentials of the computer to determine which GPOs to apply as part of the loopback processing. However, the logged-on user must also have the Apply Group Policy permission for the GPO to be successfully applied.
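Because loopback changes which GPOs supply a user's settings, it helps to know exactly which GPOs turn it on, in which mode, and where they are linked. The following PowerShell is an added example, not part of the original course material; it assumes the GroupPolicy RSAT module, the function name Get-LoopbackGpo is hypothetical, and it reads the UserPolicyMode registry value that this policy setting writes (1 = Merge, 2 = Replace).

```powershell
# Added example: list every GPO in the current domain that configures
# "User Group Policy loopback processing mode", with its mode and links.
Import-Module GroupPolicy

function Get-LoopbackGpo {
    [CmdletBinding()]
    param()

    # Registry location written by the loopback policy setting
    $key       = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $valueName = 'UserPolicyMode'
    $modes     = @{ 1 = 'Merge'; 2 = 'Replace' }

    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $valueName -ErrorAction Stop
        }
        catch {
            continue    # the policy is Not Configured in this GPO
        }

        # A setting stored as a delete instruction means the policy is set to Disabled.
        if ([string]$setting.PolicyState -eq 'Delete') {
            $mode = 'Disabled'
        }
        elseif ($modes.ContainsKey([int]$setting.Value)) {
            $mode = $modes[[int]$setting.Value]
        }
        else {
            $mode = "Unknown ($($setting.Value))"
        }

        # Loopback is a computer setting, so it is ignored if that node is disabled.
        $computerNodeActive = @('AllSettingsDisabled', 'ComputerSettingsDisabled') -notcontains [string]$gpo.GpoStatus

        # The XML report lists the sites, domains, and OUs the GPO is linked to.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links  = foreach ($link in $report.GPO.LinksTo) {
            "{0} (enabled={1}, enforced={2})" -f $link.SOMPath, $link.Enabled, $link.NoOverride
        }

        [pscustomobject]@{
            Gpo                = $gpo.DisplayName
            Mode               = $mode
            ComputerNodeActive = $computerNodeActive
            LinkedTo           = ($links -join '; ')
        }
    }
}

Get-LoopbackGpo | Sort-Object Gpo | Format-List
```

Computers under any container in LinkedTo, and within the GPO's security and WMI filtering, apply user settings in the reported mode regardless of where the user account lives.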
Lab B: Manage Group Policy Scope
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425CNYCDC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Start 6425CNYCCL1. Do not log on to the client computer until directed to do so.
Lab Scenario
You are an administrator of the contoso.com domain. The Contoso Standards GPO, linked to the domain, configures a policy setting that requires a ten-minute screen saver timeout. An engineer reports that a critical application that performs lengthy calculations crashes when the screen saver starts, and the engineer has asked you to prevent the setting from applying to the team of engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout so that the screen saver does not launch during a meeting.
Exercise 1: Configure GPO Scope with Links
In this exercise, you will modify the scope of GPOs by using GPO links, and you will explore inheritance, precedence, and the effects of Enforced links and Block Inheritance.
The main tasks for this exercise are as follows:
1. Create a GPO with a policy setting that takes precedence over a conflicting setting.
2. View the effect of an enforced GPO link.
3. Apply Block Inheritance.
Task 1: Create a GPO with a policy setting that takes precedence over a conflicting setting.
1. On NYCDC1, run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the User Accounts\Employees OU, create a sub-OU called Engineers, and then close Active Directory Users and Computers.
3. Run the Group Policy Management Console as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
4. Create a new GPO linked to the Engineers OU called Engineering Application Override.
5. Configure the Screen saver timeout policy setting to be disabled, and then close the GPME.
6. Select the Engineers OU, and then click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has precedence over the CONTOSO Standards GPO. The screen saver timeout policy setting you just configured in the Engineering Application Override GPO will be applied after the setting in the CONTOSO Standards GPO. Therefore, the new setting will overwrite the standards setting, and will "win." Screen saver timeout will be disabled for users within the scope of the Engineering Application Override GPO.
Task 2: View the effect of an enforced GPO link.
1. In the GPMC console tree, select the Domain Controllers OU, and then click the Group Policy Inheritance tab.
2. Notice that the GPO named 6425C has the highest precedence. Settings in this GPO will override any conflicting settings in any of the other GPOs.
The Default Domain Controllers GPO specifies, among other things, which groups are given the right to log on locally to domain controllers. To enhance the security of domain controllers, standard users are not given the right to log on locally. To allow a nonprivileged user account such as Pat.Coleman to log on to domain controllers in this course, the 6425C GPO gives Domain Users the right to log on locally to a computer. The 6425C GPO is linked to the domain, so its settings would normally be overridden by settings in the Default Domain Controllers GPO. Therefore, the 6425C GPO link to the domain is configured as Enforced. In this way, the conflict in user rights assignment between the two GPOs is "won" by the 6425C GPO.
Task 3: Apply Block Inheritance.
1. In the GPMC console, select the Engineers OU and examine the precedence and inheritance of GPOs on the Group Policy Inheritance tab.
2. Block the inheritance of GPOs to the Engineers OU.
Question: Which GPOs continue to apply to users in the Engineers OU? Where are those GPOs linked? Why did they continue to apply?
3. Turn off Block Inheritance from the Engineers OU.
Results: In this exercise, you created a GPO called Engineering Application Override and linked it to the Engineers OU. You also have an understanding of inheritance, precedence, and the effects of an Enforced link and Block Inheritance.
Exercise 2: Configure GPO Scope with Filtering
As time passes, you discover that only a small number of engineers require the screen saver timeout override that is currently app