Module 5: Creating and Configuring Group Policy
Course 6425A

Presentation: 85 minutes
Lab: 75 minutes

This module helps students to create and configure Group Policy. After completing this module, students will be able to:
- Describe Group Policy.
- Configure the scope of Group Policy objects.
- Evaluate the application of Group Policy objects.
- Manage Group Policy objects.
- Delegate administrative control of Group Policy.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_05.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information. Make sure that students are aware that there is additional information and there are resources for the module on the Course Companion CD.
Module Overview
- Overview of Group Policy
- Configuring the Scope of Group Policy Objects
- Evaluating the Application of Group Policy Objects
- Managing Group Policy Objects
- Delegating Administrative Control of Group Policy
Lesson 1: Overview of Group Policy
- What Is Group Policy?
- Group Policy Settings
- How Group Policy Is Applied
- Exceptions to Group Policy Processing
- Group Policy Components
- What Are ADM and ADMX Files?
- What Is the Central Store?
- Demonstration: Configuring Group Policy Objects
What Is Group Policy?

Slide text:
Group Policy enables IT administrators to automate one-to-many management of users and computers.
Use Group Policy to:
- Apply standard configurations
- Deploy software
- Enforce security settings
- Enforce a consistent desktop environment
Local Group Policy is always in effect for local and domain users and for local computer settings.

Instructor notes:
Explain how Group Policy enables Information Technology (IT) administrators to automate the management of users and computers, which simplifies administrative tasks and reduces IT costs. Administrators can implement security settings, enforce IT policies, and distribute software consistently for the local computer or across a given site, domain, or range of organizational units. Mention that the two domain policies (the Default Domain Policy and the Default Domain Controllers Policy) exist by default. Explain how one policy may be associated with multiple containers through linking. Explain how multiple policies may link to one container.

Discussion Question and Answer
Question: When would local Group Policy be useful in a domain environment?
Answer: Companies that use imaging technologies to deploy operating systems could use local Group Policy to help secure and standardize images. In this way, computers that are not connected to the local area network (LAN) would still be subject to certain restrictions for all users.

Reference
Windows Server Group Policy
http://go.microsoft.com/fwlink/?LinkId=99449
Group Policy Settings

Slide text:
Group Policy settings for users control these settings:
- Software
- Windows
- Security
- Desktop
Group Policy settings for computers control these settings:
- Software
- Windows
- Security
- Operating system

Instructor notes:
Describe the types of settings that are available in each area. Open the Default Domain Policy, and briefly show the location of settings. Point out that many of the same settings exist for both user and computer configuration. For example, you could disable Windows® Messenger for the computer or for a user. Mention some of the new settings for Windows Server® 2008.

Discussion Question and Answer
Question: Which of the new features will you find most useful in your environment?
Answer: Answers will vary.

References
Summary of New or Expanded Group Policy Settings
http://go.microsoft.com/fwlink/?LinkId=99450
What's New in Group Policy in Windows Vista
http://go.microsoft.com/fwlink/?LinkId=99451
How Group Policy Is Applied

Slide diagram:
Computer starts -> Computer settings applied -> Startup scripts run -> User logs on -> User settings applied -> Logon scripts run
Refresh interval: every 90 minutes (shown for both the computer and the user side)

Instructor notes:
Explain that computer settings are applied at startup, while user settings are applied at logon. Explain that client-side extensions on the client computer handle the actual processing of settings. Explain that in case of a conflict between a user setting and the same computer setting, the computer setting takes precedence. For example, if a user has Windows Messenger specifically set to Allow, but the computer has Windows Messenger specifically set to Disallow, the computer setting takes precedence. Explain that you can configure the refresh interval and random offset separately for users, computers, and domain controllers. The default background refresh for users and member computers is every 90 minutes plus a random offset of up to 30 minutes, so that clients do not all contact the domain controller at once; domain controllers refresh every 5 minutes. Mention that security settings are refreshed every 16 hours even if they have not changed.

Discussion Question and Answer
Question: What would be some advantages and disadvantages to lowering the refresh interval?
Answer:
Advantages
- Provides faster updates for new settings.
- Ensures that mobile users are more likely to get settings refreshed.
Disadvantages
- Increases network traffic.
- Consumes more local computer resources to check for updates.

References
Group Policy Processing
http://go.microsoft.com/fwlink/?LinkId=112457
Group Policy application rules for domain controllers
http://go.microsoft.com/fwlink/?LinkId=112458
How a slow link is detected for processing user profiles and Group Policy
http://go.microsoft.com/fwlink/?LinkId=112459
Group Policy is not applied due to cached credentials
http://go.microsoft.com/fwlink/?LinkId=112460
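The following script is an added example, not part of the course material, that reports the refresh schedule a computer will actually use by reading the policy values behind the settings described above and falling back to the documented defaults (90 minutes plus up to 30 minutes of offset, 5 minutes on a domain controller, 16 hours for the unconditional security refresh). Get-GPRefreshSchedule and Read-PolicyDword are names chosen for this example; the registry paths and the Security client-side extension GUID are the real ones.

```powershell
# Added example: report the effective Group Policy background refresh schedule
# of the local computer. Run it after "gpupdate /force" to confirm that a
# refresh-interval policy has actually reached the client.

function Get-GPRefreshSchedule {
    $sysKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $userKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
    # Security client-side extension. MaxNoGPOListChangesInterval (minutes) is its
    # "apply even if the GPOs have not changed" interval: 960 minutes = 16 hours by default.
    $secKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

    # Helper (example name): read a DWORD policy value or return the built-in default.
    function Read-PolicyDword([string]$Path, [string]$Name, [int]$Default) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$Name -ne $null) { [int]$item.$Name } else { $Default }
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDC = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC) {
        $role      = 'DomainController'
        $cInterval = Read-PolicyDword $sysKey 'GroupPolicyRefreshTimeDC' 5
        $cOffset   = Read-PolicyDword $sysKey 'GroupPolicyRefreshTimeOffsetDC' 0
    } else {
        $role      = 'Member'
        $cInterval = Read-PolicyDword $sysKey 'GroupPolicyRefreshTime' 90
        $cOffset   = Read-PolicyDword $sysKey 'GroupPolicyRefreshTimeOffset' 30
    }
    $uInterval = Read-PolicyDword $userKey 'GroupPolicyRefreshTime' 90
    $uOffset   = Read-PolicyDword $userKey 'GroupPolicyRefreshTimeOffset' 30
    # DisableBkGndGroupPolicy = 1 turns background refresh off; settings then change only at startup and logon.
    $bgDisabled = (Read-PolicyDword $sysKey 'DisableBkGndGroupPolicy' 0) -eq 1

    New-Object PSObject -Property @{
        Role                         = $role
        BackgroundRefreshEnabled     = -not $bgDisabled
        ComputerRefreshWindowMinutes = '{0} to {1}' -f $cInterval, ($cInterval + $cOffset)
        UserRefreshWindowMinutes     = '{0} to {1}' -f $uInterval, ($uInterval + $uOffset)
        SecurityForcedRefreshMinutes = Read-PolicyDword $secKey 'MaxNoGPOListChangesInterval' 960
    }
}

Get-GPRefreshSchedule | Format-List
```

The user-side window is read from the current user's hive, so run the script as the user whose schedule you want to see. A refresh interval policy of 0 does not mean "never": it makes the client refresh every 7 seconds, which is the kind of misconfiguration this report makes visible.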
Exceptions to Group Policy Processing

Slide text:
Slow links
- 500 kilobits per second (kbps) by default
- Certain client-side extensions are not processed
- Prior to Windows Vista, ICMP is used to detect a slow link
- Windows Vista uses Network Location Awareness
Additional exceptions:
Cached credentials
- Windows XP and Windows Vista use cached credentials for faster logons
- Many GPO settings take two logons to take effect
Remote access connections
Moving a user or computer object in AD DS

Instructor notes:
Describe what a slow link is. Mention which policies will, and will not, be processed across a slow link, and how you can change that: the Registry (Administrative Templates) and Security client-side extensions always process, while Software Installation and Folder Redirection do not process across a slow link unless their policy processing setting is changed. Describe how to detect a slow link. Briefly describe the benefits of Network Location Awareness (NLA). Explain how Windows Vista® and Windows® XP use cached credentials for a fast logon (the user is logged on without waiting for the network, so settings that need a foreground refresh with the network available, such as Folder Redirection and Software Installation, take a second logon to take effect), how this affects Group Policy processing for users, and how to change the default behavior (the "Always wait for the network at computer startup and logon" policy). Explain that the method by which the user initiates a Remote Access Service (RAS) connection determines whether Group Policy will be applied immediately, or as a background refresh. Explain that when an object is moved in Active Directory Domain Services (AD DS), the system is not immediately aware of the move, and that new Group Policy may take time to apply.

Discussion Question and Answer
Question: How is NLA better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?
Answer: Mobile users that move in and out of wireless networks, docking stations, hibernation, and so on, will know immediately about the availability of domain controllers.

Reference
Controlling Client-Side Extensions by Using Group Policy
http://go.microsoft.com/fwlink/?LinkId=99452
Group Policy Components

Slide text:
Group Policy Object
- Contains Group Policy settings
- Stores content in two locations
Group Policy Container
- Stored in AD DS
- Provides version information
Group Policy Template
- Stored in shared SYSVOL folder
- Provides Group Policy settings
- Supports both ADM and ADMX templates

Instructor notes:
Describe the Group Policy object (GPO) as a collection of settings that will be applied. Describe the function and location of the Group Policy container for local or domain-based policies. Show the location of the ADMX files. Spend time discussing the benefits of the new ADMX format, for example: language independence, XML-based, not stored in the GPO, extensible, and so on. Mention how the ADML files supply the language-specific text. Explain what a central store for ADMX files is. Describe the benefits of using a central store. Mention that superseded ADM files will be ignored, but any custom ADM files will be recognized.

References
How Core Group Policy Works
http://go.microsoft.com/fwlink/?LinkId=99468
Deploying Group Policy Using Windows Vista
http://go.microsoft.com/fwlink/?LinkId=112461
What Are ADM and ADMX Files?

Slide text:
ADM files are:
- Copied into every GPO in SYSVOL
- Difficult to customize
ADMX files are:
- Language neutral
- Not stored in the GPO
- Extensible through XML

Instructor notes:
Explain that operating systems prior to Windows Vista and Windows Server 2008 use ADM files. The main disadvantage of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space per GPO. This can lead to "SYSVOL bloat", a term that describes the fact that SYSVOL can grow very large because every GPO keeps its own repetitive copy of the same ADM files. Explain that the ADM files stored on the computer that you use to create or edit a GPO dictate which policy templates will be available in the GPO editor.

Discussion Question and Answer
Question: How could you tell if a GPO was created or edited using ADM or ADMX files?
Answer: When you open the GPO folder in SYSVOL, if there is an Adm folder, then the GPO was created or opened from a computer with ADM files. If there is no Adm folder, then it must have been created from a Windows Vista or Windows Server 2008 computer.

Reference
Managing Group Policy ADMX Files Step-by-Step Guide
http://go.microsoft.com/fwlink/?LinkId=99453
What Is the Central Store?

Slide text:
The Central Store:
- Is a central repository for ADMX and ADML files
- Is stored in SYSVOL
- Must be created manually
- Is detected automatically by Windows Vista or Windows Server 2008
(Slide diagram: ADMX files are copied from a Windows Vista or Windows Server 2008 workstation to the SYSVOL share of one domain controller and replicated to the other domain controllers.)

Instructor notes:
Explain that a central store provides a central repository for ADMX files. A central store is stored in SYSVOL (Policies\PolicyDefinitions), and you must create and update a central store manually. Normal AD DS replication will ensure that it is copied to all domain controllers. Explain that it provides consistency for administrators that edit GPOs from multiple Windows Vista or Windows Server 2008 workstations: once the store exists, the editor reads the templates from SYSVOL instead of the local %SystemRoot%\PolicyDefinitions folder. Consider doing a short demonstration to show how to create a central store.

Discussion Question and Answer
Question: What would be the advantage of creating the central store on the PDC emulator?
Answer: The PDC emulator is the natural focus of Group Policy, because the GPMC connects to it by default when editing GPOs. Therefore, replication will not have to occur before you can use the central store.

Reference
How to create a Central Store for Group Policy Administrative Templates in Windows Vista
http://go.microsoft.com/fwlink/?LinkId=99455
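The following script is an added example, not part of the course material, that serves both the ADM question from the previous topic and the central store demonstration suggested here: part 1 walks the GPO folders in SYSVOL and reports which ones still carry an Adm folder and how much space those copies take; part 2 creates (or refreshes) the central store by copying the local PolicyDefinitions folder, including the language subfolders, into SYSVOL. The domain name and the robocopy options are assumptions for the example; Get-AdmBloat and New-GPCentralStore are names chosen for it.

```powershell
# Added example: audit SYSVOL for per-GPO ADM copies, then create the central store.
# Run on a domain controller, or anywhere the SYSVOL share is reachable with
# write access to the Policies folder (Domain Admins by default).

$domain   = 'woodgrovebank.com'                       # assumption: replace with your domain
$policies = "\\$domain\SYSVOL\$domain\Policies"

function Get-AdmBloat {
    param([string]$PoliciesPath)
    # Each GPO's template is a folder named after the GPO GUID, e.g. {31B2F340-...}
    $gpoFolders = Get-ChildItem -Path $PoliciesPath -ErrorAction Stop |
        Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' }
    foreach ($gpo in $gpoFolders) {
        $admDir = Join-Path $gpo.FullName 'Adm'
        if (Test-Path $admDir) {
            $files = Get-ChildItem -Path $admDir -Force | Where-Object { $_.Extension -eq '.adm' }
            $size  = ($files | Measure-Object -Property Length -Sum).Sum
            New-Object PSObject -Property @{
                GpoId     = $gpo.Name
                AdmSizeMB = [math]::Round($size / 1MB, 2)
                AdmFiles  = ($files | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
}

function New-GPCentralStore {
    param([string]$PoliciesPath, [string]$Source = "$env:SystemRoot\PolicyDefinitions")
    $store = Join-Path $PoliciesPath 'PolicyDefinitions'
    if (-not (Test-Path $store)) { New-Item -Path $store -ItemType Directory | Out-Null }
    # /E copies the language subfolders (en-US etc.) with their ADML files;
    # /XO never replaces a file in the store with an older local one.
    robocopy $Source $store *.admx *.adml /E /XO /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    # Return how many template files the store now holds
    (Get-ChildItem -Path $store -Recurse -Include *.admx, *.adml | Measure-Object).Count
}

# 1. Which GPOs still carry ADM copies, and how much SYSVOL do they consume?
Get-AdmBloat -PoliciesPath $policies | Sort-Object AdmSizeMB -Descending |
    Format-Table GpoId, AdmSizeMB, AdmFiles -AutoSize

# 2. Create or refresh the central store and count what it contains.
'Central store holds {0} ADMX/ADML files' -f (New-GPCentralStore -PoliciesPath $policies)
```

Point the Source parameter at the newest client operating system you manage (the templates are backward compatible), and run part 2 on the PDC emulator for the reason given in the answer above. Part 1 is also a useful before-and-after check: once GPOs are only edited from Windows Vista or Windows Server 2008 computers, no new Adm folders should appear.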
Demonstration: Configuring Group Policy Objects

Slide text:
In this demonstration, you will see how to:
- Create a GPO
- Configure settings

To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.

Demonstration steps:
1. Open the Group Policy Management Console (GPMC) and spend a few moments discussing the interface. Show how to add other domains, and discuss the tabs in the details pane in regard to the container and the Group Policy object itself.
2. Create a new GPO named Desktop in the Group Policy Objects container.
3. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Messenger from running.
4. In the user configuration, remove the Search menu from the Start menu, and hide the Screen Saver tab.

Discussion Question and Answer
Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?
Answer: The Windows XP operating system cannot interpret the ADMX files, and will not display those templates.

Reference
Managing Windows Server 2008 Beta 3 and Windows Vista using Group Policy
http://go.microsoft.com/fwlink/?LinkId=112462
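The following script is an added example, not part of the course material, that performs the demonstration above with the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and the matching RSAT) instead of the GPMC interface. The GPO name "Desktop" and the four settings come from the demo; the registry keys and value names are the ones those Administrative Template and Security Options settings write. The comment for the GPO is an assumption.

```powershell
# Added example: create the "Desktop" GPO and configure the four demo settings.
Import-Module GroupPolicy

$gpoName = 'Desktop'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Module 5 demo: desktop restrictions'   # comment is an assumption
}

# --- Computer Configuration ---------------------------------------------------
# "Interactive logon: Do not display last user name". In the GPMC this is a
# Security Options setting; Set-GPRegistryValue writes the same value as a
# registry policy, so it shows under "Extra Registry Settings" in reports
# but is applied identically by the client.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null

# "Do not allow Windows Messenger to be run" (Windows Components > Windows Messenger)
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client' `
    -ValueName 'PreventRun' -Type DWord -Value 1 | Out-Null

# --- User Configuration -------------------------------------------------------
# "Remove Search link from Start Menu" (Start Menu and Taskbar)
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoFind' -Type DWord -Value 1 | Out-Null

# "Hide Screen Saver tab" (Control Panel > Display)
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispScrSavPage' -Type DWord -Value 1 | Out-Null

# --- Verify -------------------------------------------------------------------
# Read back what the GPO now contains on the user side, then write the same
# HTML report the GPMC Settings tab shows.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Select-Object FullKeyPath, ValueName, Type, Value
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$gpoName.html")
```

The GPO exists but is not linked anywhere yet, exactly as after the GPMC demo; the next lesson links it. Writing settings as registry values is fine for Administrative Template settings because the Registry client-side extension applies whatever registry.pol contains, but settings that belong to other extensions (security templates, software installation, scripts) must be set through their own editors.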
Lesson 2: Configuring the Scope of Group Policy Objects
- Group Policy Processing Order
- What Are Multiple Local Group Policy Objects?
- Options for Modifying Group Policy Processing
- Demonstration: Configuring Group Policy Object Links
- Demonstration: Configuring Group Policy Inheritance
- Demonstration: Filtering Group Policy Objects Using Security Groups
- Demonstration: Filtering Group Policy Objects Using WMI Filters
- How Does Loopback Processing Work?
- Discussion: Configuring the Scope of Group Policy Processing
Group Policy Processing Order

(Slide diagram: GPO1 through GPO5 linked at the local, site, domain, and OU levels, with nested OUs below.)

Instructor notes:
Explain that GPOs can link only to Active Directory Domain Services (AD DS) containers such as sites, domains, and organizational units (OUs), not to individual security principals. Security principals receive GPO settings by virtue of being in a container. Describe the order of application: local GPOs first, then GPOs linked to the site, the domain, the OU, and finally nested OUs. Because a setting applied later overwrites the same setting applied earlier, the GPO linked closest to the user or computer wins a conflict. Explain that GPO settings are cumulative, and what happens in the case of conflicts between policies. Explain how precedence works if you assign multiple policies at the same level: the link order on the container decides, and the link with link order 1 is processed last and therefore has the highest precedence. Mention that any local Group Policy will be applied unless a domain-level policy overrides it.

Discussion Question and Answer
Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?
Answer: The GPO must be applied separately to each domain. If the settings are changed for one domain, then you must change them manually for the other domain to remain in sync. The GPMC simplifies the task of copying the GPO to another domain.

References
Group Policy processing and precedence
http://go.microsoft.com/fwlink/?LinkId=99456
How Core Group Policy Works
http://go.microsoft.com/fwlink/?LinkId=99468
What Are Multiple Local Group Policy Objects?

Slide text:
- One layer of computer configuration that applies to all users
- Three layers of user configuration: Administrator, Non-Administrator, User-specific
- Layers apply only to individual users, not to groups

Instructor notes:
Explain that all computers running Windows 2000 or later have a local Group Policy. Stress that in a domain environment, domain policies will override local settings. Describe how you can use local Group Policy to control the local machine. Explain that this is useful in workgroup and standalone environments. Stress that local Group Policy will apply to all users who log on to the local computer. Describe the new feature in Windows Server 2008 and Windows Vista that allows multiple local Group Policy objects. Explain how you can apply separate local Group Policy objects to Administrators, to non-Administrators, or to individual local users, and that they are processed in that order (local, then Administrators or Non-Administrators, then user-specific), so the user-specific layer wins a conflict. Mention that you cannot apply local Group Policy objects to groups. Mention also that only user settings can differ across the layers: there is always only one computer configuration policy.

Discussion Question and Answer
Question: When would multiple local Group Policy objects be useful in a domain environment?
Answer: Companies may use multiple local Group Policy objects to exempt domain and local administrative accounts from local restrictions.

References
Multiple Local Group Policy objects
http://go.microsoft.com/fwlink/?LinkId=112463
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
http://go.microsoft.com/fwlink/?LinkId=99457
Options for Modifying Group Policy Processing

Slide text:
Five methods to modify GPO default processing:
- Block inheritance
- Enforcement
- Filtering using security groups or WMI filters
- Disabling GPOs
- Loopback processing

Instructor notes:
Explain that, by default, all Group Policy objects apply to all security principals (the Authenticated Users group) in a given container, but that you can modify that behavior through various methods. Provide a brief description of the methods. The following topics will explain them in detail.

Discussion Question and Answer
Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?
Answer: Enforce the GPO link at the Finance OU level. An enforced link is processed after the child OUs' own GPOs and cannot be blocked by them.

References
Controlling the Scope of Group Policy Objects using GPMC
http://go.microsoft.com/fwlink/?LinkId=99458
Loopback processing with merge or replace
http://go.microsoft.com/fwlink/?LinkId=99459
Demonstration: Configuring Group Policy Object Links

Slide text:
In this demonstration, you will see how to:
- Create and link GPOs to different locations within AD DS
- Disable a GPO link

To complete this demonstration, you must have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Demonstration steps:
1. Link the policy you created in the previous demonstration to the Toronto OU. Log on as one of the Toronto users to test the results.
2. Show how to disable the computer or user side of the policy. Explain that this would be done to gain some performance advantage by not processing parts of the policy that are known to be empty.
3. Show how to disable the entire policy. Explain that this normally would be done to assist in troubleshooting policies.

Discussion Question and Answer
Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will affect only that container.
Answer: False. Changing the settings of a GPO will affect all the containers to which the GPO is linked, because the link only points at the single GPO.

References
Create or delete a Group Policy object
http://go.microsoft.com/fwlink/?LinkId=112464
Link a Group Policy object using GPMC
http://go.microsoft.com/fwlink/?LinkId=112465
Disable a Group Policy object link using GPMC
http://go.microsoft.com/fwlink/?LinkId=112466
Demonstration: Configuring Group Policy Inheritance

Slide text:
In this demonstration, you will see how to:
- Block GPO inheritance
- Enforce a GPO link

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Instructor notes:
Explain that blocking inheritance will prevent all higher-level GPOs from being applied. Also mention that you cannot block GPOs selectively. This might be done to exempt a particular OU from restrictive policies that have been applied at a higher level. Show how the blue exclamation mark indicates that inheritance has been blocked at that level. Mention that policies that are being enforced cannot be blocked through this method.

Demonstration steps:
1. Create a new OU and create a new user (User1) in the OU. (Ensure that Domain Users have the right to log on to the domain controller.)
2. In the Default Domain Policy, enable the setting to remove the Help menu from the Start menu. Log on as the new user and test that the Help menu no longer appears.
3. As Administrator, block inheritance for the new OU. Log on as the new user and test that the Help menu now appears.
4. As Administrator, enforce the Default Domain Policy link. Log on as the new user and test that the Help menu no longer appears, because the enforcement overrides the blocking of inheritance.
5. As Administrator, turn off enforcement and inheritance blocking.

Discussion Question and Answer
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?
Answer: Block inheritance for the OUs that should not receive GPO2, and set the link on GPO1 to be enforced to ensure that all OUs receive GPO1.

Reference
Group Policy Inheritance
http://go.microsoft.com/fwlink/?LinkId=101110
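The following script is an added example, not part of the course material. It performs the inheritance demonstration above with the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT) and, after each step, prints the precedence list for the OU, which is the processing order described in the Group Policy Processing Order topic and the effect of the block and enforcement methods listed under Options for Modifying Group Policy Processing. The OU name and domain DN are assumptions; NoSMHelp is the registry value behind "Remove Help menu from Start Menu"; Show-GPPrecedence is a name chosen for this example.

```powershell
# Added example: block inheritance, enforce a link, and watch the precedence change.
Import-Module GroupPolicy

$domainDN = 'DC=woodgrovebank,DC=com'          # assumption
$ou       = "OU=InheritanceDemo,$domainDN"     # assumption: create this OU (and User1) first
$helpKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Example helper: InheritedGpoLinks is already in precedence order, the same
# order the GPMC "Group Policy Inheritance" tab shows. Order 1 is processed
# last and therefore wins any conflict.
function Show-GPPrecedence([string]$Target) {
    $inh = Get-GPInheritance -Target $Target
    '{0}  (inheritance blocked: {1})' -f $Target, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.InheritedGpoLinks) {
        '  {0,2}. {1,-28} enforced={2,-5} enabled={3,-5} linked at {4}' -f `
            $link.Order, $link.DisplayName, $link.Enforced, $link.Enabled, $link.Target
    }
    ''
}

# Step 2: remove the Help menu through the Default Domain Policy (user side)
Set-GPRegistryValue -Name 'Default Domain Policy' -Key $helpKey -ValueName 'NoSMHelp' -Type DWord -Value 1 | Out-Null
Show-GPPrecedence $ou      # the Default Domain Policy is inherited by the OU

# Step 3: block inheritance on the OU; the domain link drops out of the list
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null
Show-GPPrecedence $ou

# Step 4: enforce the domain link; it reappears, and enforced links take the top positions
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes | Out-Null
Show-GPPrecedence $ou

# Step 5: undo everything, as the demo does
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced No | Out-Null
Set-GPInheritance -Target $ou -IsBlocked No | Out-Null
Remove-GPRegistryValue -Name 'Default Domain Policy' -Key $helpKey -ValueName 'NoSMHelp' | Out-Null
Show-GPPrecedence $ou
```

The demo edits the Default Domain Policy because the classroom domain is disposable; in production keep test settings in a separate GPO linked at the domain, since the Default Domain Policy carries the domain's password and Kerberos policy and is the one GPO you least want to restore from backup.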
Demonstration: Filtering Group Policy Objects Using Security Groups

Slide text:
In this demonstration, you will see how to filter the application of GPOs using security groups.

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Instructor notes:
Show how to use the Security Filtering section of the GPO's Scope tab to assign the GPO settings to particular users or computers. Show the Delegation tab and its Advanced security dialog, and discuss the Apply Group Policy permission: a principal receives a GPO only if it has both Read and Apply Group Policy. Describe how to exempt certain users or computers from GPO settings by denying the Apply Group Policy permission. This could be done to exempt department managers or administrators from restrictive settings that apply to the entire department, or to apply a policy only to certain users or computers.

Demonstration steps:
1. Create a second user (User2) in the OU that you created for the last demonstration.
2. Create a GPO that removes the Run menu from the Start menu, and link it to the OU.
3. Use security filtering to exempt User2 from the GPO setting.
4. Log on as User1 and test that there is no Run menu.
5. Log on as User2 and test that the Run menu appears, because security filtering is in place.

Discussion Question and Answer
Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this?
Answer: In the Security Filtering section of the GPO's Scope tab, remove the Authenticated Users group, and then add the Managers global group; this grants the group the Read and Apply Group Policy permissions.

References
Filter using security groups
http://go.microsoft.com/fwlink/?LinkId=112467
Using Security Filtering to Apply GPOs to Selected Groups
http://go.microsoft.com/fwlink/?LinkId=112468
Security filtering using GPMC
http://go.microsoft.com/fwlink/?LinkId=112469
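The following script is an added example, not part of the course material, that scopes a GPO to the Managers group as the discussion answer describes, using Set-GPPermission from the GroupPolicy module (Windows Server 2008 R2 / RSAT), and then lists who can actually apply the GPO. The GPO and group names are assumptions; Get-GPApplyTrustees is a name chosen for this example. It also carries the one caveat a practitioner needs today: after the MS16-072 update (June 2016) the computer account must be able to read a GPO before its user settings are processed, so Authenticated Users should keep Read rather than be removed entirely.

```powershell
# Added example: apply a GPO to one global group only, the safe way.
Import-Module GroupPolicy

$gpoName = 'Managers Desktop'    # assumption
$group   = 'Managers'            # assumption: a global security group

# GpoApply grants both Read and Apply Group Policy to the trustee.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Authenticated Users: keep Read, drop Apply Group Policy. -Replace is required
# because Set-GPPermission will not lower an existing higher permission level
# (GpoApply -> GpoRead) without it. PermissionLevel None would remove the entry
# altogether, which since MS16-072 stops the GPO from applying to anyone,
# because the computer account can no longer read it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Example helper: who is now able to apply the GPO? (Denied entries are excluded.)
function Get-GPApplyTrustees([string]$Name) {
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
}

Get-GPApplyTrustees $gpoName     # expected: Managers only
```

The per-user exemption in the demonstration (User2) is the opposite case, an explicit Deny on Apply Group Policy; Set-GPPermission cannot write Deny entries, so that is done in the GPMC on the Delegation tab under Advanced. A Deny also makes the GPO disappear from that user's gpresult output rather than showing it as filtered, which is worth pointing out when troubleshooting.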
Demonstration: Filtering Group Policy Objects Using WMI Filters

Slide text:
In this demonstration, you will see how to create and assign a WMI filter.

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Instructor notes:
Explain that Windows Management Instrumentation (WMI) filters allow you to determine whether GPO settings will be applied based on the target computer's attributes. For example, a WMI filter can test for required disk space, memory, service-pack level, and so on, to determine whether a certain GPO will be applied. The filter is evaluated by the client at every refresh, and the GPO applies only if the query returns at least one object. Mention that WMI filter support is available only on Windows XP and later. Windows 2000 cannot process WMI filters: it ignores the filter and applies the GPO as if no filter were attached.

Demonstration steps:
1. Use the GPMC to create a new WMI filter that targets only Windows XP Professional clients, using the following namespace and query:
   Namespace: root\CIMv2
   Query: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
2. Use the GPMC to create a new GPO named Software.
3. Assign the WMI filter to the Software GPO.

Discussion Question and Answer
Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
Answer: Create a WMI filter to test for the amount of RAM, and link that filter to the GPO that delivers the software package.
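The following script is an added example, not part of the course material, for evaluating a candidate WMI filter on a computer before you attach it to a GPO. A WMI filter applies the GPO when its query returns at least one instance, which is what Test-WmiFilterQuery (a name chosen for this example) reproduces with Get-WmiObject. The queries are the two from this topic, the XP Professional caption check and the "more than 1 GB of RAM" check from the discussion question, plus a workstation-only query for comparison; the thresholds and names are assumptions.

```powershell
# Added example: evaluate WQL filter queries locally (or remotely) the way the
# Group Policy client does: "applies" means the query returned at least one object.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace    = 'root\CIMv2',
        [string]$ComputerName = '.'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
        $hits.Count -gt 0
    } catch {
        # A query that fails on the client (bad class, bad syntax) evaluates to "does not apply"
        Write-Warning ('{0}: {1}' -f $Query, $_.Exception.Message)
        $false
    }
}

# Candidate filters (constructed for this example)
$filters = @{
    # Exact caption match, as on the slide. Newer operating systems may append a
    # trailing space to Caption, so LIKE "Microsoft Windows XP Professional%" is safer
    # when you write the production filter.
    'XP Professional only' = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'
    # TotalPhysicalMemory is in bytes and reports slightly less than the installed RAM
    # (the BIOS reserves some), so a machine with exactly 1 GB fails a strict > 1073741824.
    # Testing for more than 900 MB catches "at least 1 GB installed".
    'More than 1 GB RAM'   = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 943718400'
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server
    'Workstation OS'       = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
}

foreach ($name in $filters.Keys) {
    '{0,-22} -> applies: {1}' -f $name, (Test-WmiFilterQuery -Query $filters[$name])
}
```

Run it on the oldest client the filter has to target, because the filter is evaluated there, not on the domain controller. Keep queries cheap: they run at every foreground and background refresh, and a query against Win32_Product, for example, makes the client enumerate and validate every installed MSI package on each refresh.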
How Does Loopback Processing Work?

Instructor notes:
Explain that loopback processing is a computer-side setting that provides alternate user settings for computers configured to use loopback: the user settings are taken from the GPOs that apply to the computer, not from the GPOs that apply to the user. Explain the difference between Merge and Replace. With Merge, the user's own GPOs are applied first and the user settings of the computer's GPOs are applied afterwards, so the computer's GPOs win a conflict. With Replace, the user's own GPOs are ignored and only the user settings of the computer's GPOs are applied. Scenarios where this would be useful include kiosks, classroom computers, secure computers, or any place where it is desirable that all users who log on get the same user settings. For example, a public-access computer in the lobby may have the desktop locked down completely, and only allow access to certain software. Loopback would ensure that whoever logged on to the computer would be subject to those restrictions.

References
Loopback processing with merge or replace
http://go.microsoft.com/fwlink/?LinkId=99459
Loopback processing of Group Policy
http://go.microsoft.com/fwlink/?LinkId=99460
Discussion: Configuring the Scope of Group Policy Processing

(Slide diagrams: the Woodgrove Bank domain tree, with OUs for Head Office, Branches (Toronto and Winnipeg), and Servers (SQL Server and Exchange Server); and the physical structure, with the Head Office site containing the Head Office and, across a slow link, Winnipeg, and the Toronto site connected across a high-speed link.)

Scenario: Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and Toronto. The Toronto site is connected to the Head Office site across a high-speed link. Within the Head Office site, there is a branch office in Winnipeg. This office is connected to Head Office across a slow link. There are five users in the Winnipeg office. There is no domain controller in the Winnipeg office, but there is a SQL server. This organization has deployed both Windows XP Professional and Windows Vista computers.

Requirements
- All domain computers that have Windows XP Professional installed will have a small software application distributed through Group Policy.
- Domain users should not have access to the desktop display properties. The Administrators group will be exempt from this restriction.
- Both the Winnipeg and Toronto branch users will have further desktop restrictions applied.
- Both branches will have a kiosk computer available in the lobby for public Internet access. This computer needs to be locked down so that the user cannot change any settings. The kiosk computer accounts are located in their respective branches' OU.
- The computer accounts for all servers other than domain controllers will be located in the Servers OU or in a nested OU inside the Servers OU. All servers must have baseline security settings applied. SQL servers must have additional security settings applied.

How would you construct a Group Policy scheme to satisfy the requirements?

A suggested solution
- A domain policy that delivers the software application, and that uses a WMI filter to detect computers running Windows XP Professional. You must configure the Software Installation client-side extension to process across a slow link, because Winnipeg computers would otherwise never receive the package.
- A domain policy that restricts access to the desktop display properties, and that has security group filtering enabled to exempt the Administrators group. Administrative templates are always applied across slow links, so Winnipeg users receive this restriction.
- A policy linked to the Branches OU to impose further desktop restrictions; the Toronto and Winnipeg OUs inherit it.
- A policy linked to the Branches OU that enables loopback processing, security filtered to apply only to the kiosk computer accounts.
- A policy linked to the Servers OU to increase security.
- A policy linked to the SQL Server OU to apply extra security. Security settings are always applied across slow links, so the Winnipeg SQL server receives both.
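The following script is an added example, not part of the course material, that builds the suggested solution above with the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT), so that each requirement maps to one GPO, one link and one scoping mechanism, including the loopback Replace mode described in the previous topic. The domain DN, OU and group names and GPO names are assumptions for the example. Two steps stay in the GPMC: the module has no cmdlet for creating or attaching WMI filters, and the Administrators exemption is an explicit Deny on Apply Group Policy, which Set-GPPermission cannot write (Delegation tab, Advanced).

```powershell
# Added example: the Woodgrove Bank Group Policy scheme as a script.
Import-Module GroupPolicy

$dn  = 'DC=woodgrovebank,DC=com'                      # assumption
$ous = @{
    Branches = "OU=Branches,$dn"
    Winnipeg = "OU=Winnipeg,OU=Branches,$dn"
    Servers  = "OU=Servers,$dn"
    SQL      = "OU=SQL Server,OU=Servers,$dn"
}
# Software Installation client-side extension. NoSlowLink = 0 is the registry form of
# "Software Installation policy processing: Allow processing across a slow network connection".
$swInstallCse = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7}'

# Example helper: create the GPO if missing and link it (optionally enforced) to a container.
function New-LinkedGPO([string]$Name, [string]$Target, [switch]$Enforced) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    if ($Enforced) { Set-GPLink -Name $Name -Target $Target -Enforced Yes | Out-Null }
    $gpo
}

# 1. Software for XP Professional, linked at the domain. Attach the WMI filter in the GPMC.
#    Winnipeg sits behind a slow link, so the Software Installation CSE must be allowed to run.
New-LinkedGPO 'Deploy App (XP)' $dn | Out-Null
Set-GPRegistryValue -Name 'Deploy App (XP)' -Key $swInstallCse -ValueName 'NoSlowLink' -Type DWord -Value 0 | Out-Null

# 2. Domain-wide: no access to display properties (NoDispCPL = "Remove Display in Control Panel").
#    Administrators are exempted with a Deny on Apply Group Policy, set in the GPMC.
New-LinkedGPO 'Desktop Restrictions' $dn | Out-Null
Set-GPRegistryValue -Name 'Desktop Restrictions' -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispCPL' -Type DWord -Value 1 | Out-Null

# 3. Further restrictions for both branches: linked once at Branches, inherited by Toronto and Winnipeg.
New-LinkedGPO 'Branch Desktop Restrictions' $ous.Branches | Out-Null

# 4. Kiosks: loopback Replace (UserPolicyMode 1 = Merge, 2 = Replace) so every visitor gets the
#    kiosk user settings, scoped with security filtering to the kiosk computer accounts only.
#    The computer account needs Apply, so the kiosks are members of a "Kiosk Computers" group.
$kiosk = New-LinkedGPO 'Kiosk Lockdown' $ous.Branches
Set-GPRegistryValue -Name $kiosk.DisplayName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
Set-GPPermission -Name $kiosk.DisplayName -TargetName 'Kiosk Computers' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $kiosk.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null     # keep Read; drop Apply

# 5. Servers: baseline enforced at Servers so a nested OU cannot block it; SQL hardening on the nested OU.
New-LinkedGPO 'Server Baseline' $ous.Servers -Enforced | Out-Null
New-LinkedGPO 'SQL Server Hardening' $ous.SQL | Out-Null

# Review what a Winnipeg computer will process, in precedence order.
(Get-GPInheritance -Target $ous.Winnipeg).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize
```

The kiosk GPO is linked at Branches rather than at each branch OU so that a third branch only needs its kiosk added to the group. Because loopback is a computer-side setting, the user settings in the kiosk GPO are found through the computer's scope, which is why the computer accounts, not the visitors, are what the security filter has to match.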
Discussion Questions and Answers
Question: What are the advantages of using security group filtering over blocking inheritance to prevent Group Policy from being applied?
Answer: Security group filtering allows you to block or apply specific policies, while blocking inheritance affects all higher-level policies.
Question: When would blocking inheritance be more appropriate?
Answer: When you need to prevent all the objects in an OU from receiving Group Policy, and there are too many objects to make filtering a practical solution.
Lesson 3: Evaluating the Application of Group Policy Objects
- What Is Group Policy Reporting?
- What Is Group Policy Modeling?
- Demonstration: How to Evaluate the Application of Group Policy
What Is Group Policy Reporting?

Slide text:
- Group Policy reporting is a method of planning and troubleshooting Group Policy
- Group Policy Results are provided by the GPMC
- GPResult is a command-line utility

Instructor notes:
Explain that Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. Explain that Group Policy Results is a feature of the GPMC. Describe how to use the GPResult command-line utility and the switches available for it: /r for a summary, /v and /z for verbose and super-verbose output, /scope:user or /scope:computer, /s and /user to query a remote computer or another user's results, and on Windows Vista and later /h to write an HTML report. Emphasize that the user must have logged on at least once to the computer on which you are testing, and that the firewall on the client computer must allow the inbound RPC traffic the remote query uses. Describe the differences in the information returned from GPResult and the Group Policy Results Wizard, and how you can print the results or save them as HTML files.

Discussion Question and Answer
Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use?
Answer: GPResult.exe will provide that information (the "Group Policy was applied from" line in its output).

References
Group Policy Results (Administering Group Policy with Group Policy Management Console)
http://go.microsoft.com/fwlink/?LinkId=99462
Determine Resultant Set of Policy with GPResult.exe
http://go.microsoft.com/fwlink/?LinkId=113117
What Is Group Policy Modeling?

Slide text:
The Group Policy Modeling Wizard calculates the simulated net effect of GPOs.
The Group Policy Modeling Wizard simulates:
- Site membership
- Security group membership
- WMI filters
- Slow links
- Loopback processing
- The effects of moving user or computer objects to a different Active Directory container

Instructor notes:
Describe how you can use the Group Policy Modeling Wizard to test the effects of GPOs before they are released in the live environment. Emphasize that local Group Policy objects are not taken into consideration when using the wizard, because the simulation runs on a domain controller rather than on the client. Describe how you can print the results or save them as HTML files.

Discussion Question and Answer
Question: What simulations can you perform with the Group Policy Modeling Wizard? Choose all that apply:
A. Loopback processing
B. Moving a user to a different domain in the same forest
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above
Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering.

References
Determine Resultant Set of Policy with GPResult.exe
http://go.microsoft.com/fwlink/?LinkId=113117
Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings
http://go.microsoft.com/fwlink/?LinkId=99463
Demonstration: How to Evaluate the Application of Group Policy Course 6425A Demonstration: How to Evaluate the Application of Group Policy Module 5: Creating and Configuring Group Policy In this demonstration, you will see how to run each of the tools for reviewing Group Policy application. To complete this demonstration, you must have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running. Demonstration steps From the command prompt, run GPResult and explain the resulting output. Use the GPMC to run the Group Policy Results Wizard for a user. Examine the output, and save the report as an HTML file. Use the GPMC to run the Group Policy Modeling Wizard to simulate what would happen if the user moved to a different OU, and then compare the differences. Discussion Question and Answer Question: A user reports that they are unable to access Control Panel, yet other users in the department can access Control Panel. What tools might you use to troubleshoot the problem? Answer: Run the Group Policy Results Wizard (or gpresult /scope user /v) for the affected user on that computer. The report shows whether a Group Policy setting is restricting Control Panel and, if so, which GPO won for that setting. The list of GPOs that were not applied, with the reason each was filtered out, explains why this user differs from colleagues: a different OU, security group filtering, or a WMI filter.
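The following PowerShell script is an added example for the reporting topic and this demonstration; it is not part of course 6425A. It wraps gpresult.exe to pull out the domain controller that delivered policy and the lists of applied and filtered GPOs, and writes the HTML report the GPMC wizard would produce. It assumes gpresult.exe from Windows Vista or Windows Server 2008 or later (the /r, /h and /f switches), that you run it from an elevated prompt when you ask for computer-scope data, and that the computer and user names are placeholders for your own.

```powershell
# Added example (not course 6425A material). Assumes gpresult.exe from Windows Vista /
# Windows Server 2008 or later; NYC-CL1 and WOODGROVEBANK\Adam are placeholders.
function Get-GPAppliedSummary {
    param(
        [ValidateSet('Computer','User')] [string]$Scope = 'Computer',
        [string]$ComputerName,     # omit for the local machine (remote needs the firewall exception)
        [string]$User              # DOMAIN\user; omit for the currently logged-on user
    )
    # $args is an automatic variable in PowerShell, so build the argument list under another name.
    $gpArgs = @('/r', '/scope', $Scope)
    if ($ComputerName) { $gpArgs += @('/s', $ComputerName) }
    if ($User)         { $gpArgs += @('/user', $User) }

    $lines = & gpresult.exe @gpArgs 2>&1 | ForEach-Object { "$_" }

    $dc = $null; $applied = @(); $filtered = @(); $section = ''
    foreach ($line in $lines) {
        # This line answers "which domain controller delivered policy to this client?"
        if ($line -match 'Group Policy was applied from:\s*(\S+)') { $dc = $Matches[1]; continue }
        if ($line -match '^\s*Applied Group Policy Objects')        { $section = 'applied';  continue }
        if ($line -match 'were not applied because')                { $section = 'filtered'; continue }
        if ($line -match '^\s*-{5,}\s*$')                            { continue }           # underline rows
        if ($line -match '^\s*$')                                    { $section = ''; continue }
        if ($section -eq 'applied')  { $applied += $line.Trim() }
        if ($section -eq 'filtered') {
            # Each filtered GPO is followed by an indented "Filtering: <reason>" line; keep both.
            $filtered += $line.Trim()
        }
    }
    New-Object PSObject -Property @{
        Scope        = $Scope
        AppliedFrom  = $dc          # $null when there is no logged RSoP data for this scope/user
        AppliedGpos  = $applied
        FilteredGpos = $filtered
    }
}

# Full report, the same content the GPMC Group Policy Results Wizard saves as HTML.
function Export-GPResultHtml {
    param([string]$Path = (Join-Path $env:TEMP "rsop-$env:COMPUTERNAME.html"))
    & gpresult.exe /h $Path /f | Out-Null      # /f overwrites an existing file
    return $Path
}

Get-GPAppliedSummary -Scope Computer
Get-GPAppliedSummary -Scope User -User 'WOODGROVEBANK\Adam'
Export-GPResultHtml
```

If AppliedFrom comes back empty for a user scope, the user has not logged on to that computer since policy was last processed, which is the same condition that makes the GPMC wizard fail; log the user on (or pick a computer they use) rather than looking for a tool problem.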
Lesson 4: Managing Group Policy Objects Course 6425A Lesson 4: Managing Group Policy Objects Module 5: Creating and Configuring Group Policy GPO Management Tasks What Is a Starter GPO? Demonstration: How to Copy a GPO Demonstration: Backing up and Restoring GPOs Demonstration: Importing a GPO Migrating Group Policy Objects
Module 5: Creating and Configuring Group Policy Course 6425A GPO Management Tasks Module 5: Creating and Configuring Group Policy GPO management tasks: Back up GPOs; Restore GPOs; Copy GPOs; Import GPOs. Emphasize the importance of backing up GPOs. Explain that you can back up all GPOs at once, or back them up individually. The location of the backed-up GPOs can be any valid location on either the local computer or the network; because a backup contains every setting in the GPO (including scripts and registry data), protect that location with the same care as the GPOs themselves. Explain how you can restore older versions of GPOs, if necessary, and that a restore puts back the GPO's settings and its own permissions but not its links to sites, domains or OUs. Explain that a copied GPO is named "Copy of OldGPOName", but that it can be renamed afterwards. Explain that GPO settings can only be imported from backed-up versions of GPOs, and that imported settings overwrite all current settings in the destination GPO. Explain the difference between copying and importing: a copy operation always creates a new GPO, whereas an import replaces the settings of an existing GPO. Neither operation merges, so it is not possible to combine settings from multiple GPOs into a single GPO. Explain the purpose of a migration table. Discussion Question and Answer Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem? Answer: Restoring the most recent backed-up version of that GPO will put the original settings back. References Backing up, Restoring, Migrating, and Copying GPOs http://go.microsoft.com/fwlink/?LinkId=99464 Import using GPMC http://go.microsoft.com/fwlink/?LinkId=99465
Module 5: Creating and Configuring Group Policy Course 6425A What Is a Starter GPO? Module 5: Creating and Configuring Group Policy Stores Administrative Template settings on which new GPOs will be based. Can be exported to .cab files. Can be imported into other areas of the enterprise. The Starter GPOs folder is a new feature. Explain that starter GPOs allow you to store preconfigured Administrative Template settings that act as templates for creating new GPOs. You can export these starter GPOs to .cab files that you can easily import into other areas of your enterprise. This can help provide consistency in large enterprises. Note that a starter GPO holds only Administrative Template settings; security settings, scripts and other extensions are not part of it. You can store comments about the starter GPO in the template itself. Reference Help Topics: Working with Starter GPOs [Slide diagram: a starter GPO is exported to a .cab file, and the .cab file is loaded into the GPMC of another domain or forest.]
Demonstration: How to Copy a GPO Course 6425A Demonstration: How to Copy a GPO Module 5: Creating and Configuring Group Policy In this demonstration, you will see how to copy a GPO. To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Copy an existing GPO, and then describe the effect on GPO permissions: by default the copy receives the default permissions of a new GPO, and the wizard offers to preserve the source GPO's existing permissions instead. Demonstration steps Use the GPMC to copy the Desktop policy that you created in the previous demonstration. Rename the resulting GPO with the name of your choice. Discussion Question and Answer Question: What is the advantage of copying a GPO and linking it to an OU, versus linking the original GPO to multiple OUs? Answer: If the original GPO is modified, the change affects all the OUs to which it is linked. A copied GPO is a new, independent GPO that has no connection to the original, so it can be edited (and delegated) for one OU without touching the others. References Copy a Group Policy object using GPMC http://go.microsoft.com/fwlink/?LinkId=113118 Copy using GPMC http://go.microsoft.com/fwlink/?LinkId=113119
Demonstration: Backing up and Restoring GPOs Course 6425A Demonstration: Backing up and Restoring GPOs Module 5: Creating and Configuring Group Policy In this demonstration, you will see how to back up and restore a GPO. To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Demonstration steps: Create a folder named GPO_Back to hold the backed-up GPOs. Back up an individual GPO. Back up all GPOs. Delete one of the GPOs from the Group Policy Objects container. Restore the GPO from the backup version, and point out that its links must be re-created. Discussion Question and Answer Question: What permissions are required to back up a GPO? Answer: Read permission on the GPO (plus write access to the backup folder). References Back up a Group Policy object using GPMC http://go.microsoft.com/fwlink/?LinkId=113120 Restore using GPMC http://go.microsoft.com/fwlink/?LinkId=113121 Restore a backed-up Group Policy object using GPMC http://go.microsoft.com/fwlink/?LinkId=113122
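The following PowerShell script is an added example covering the GPO management tasks topic and the copy and backup/restore demonstrations; it is not course 6425A material. It assumes the GroupPolicy PowerShell module that ships with Windows Server 2008 R2 and its RSAT (Backup-GPO, Restore-GPO, Copy-GPO, New-GPLink, Remove-GPO); the Windows Server 2008 GPMC used in the course has no cmdlets, so there the same steps are done in the GPMC console. The GPO names, the OU distinguished name and the backup folder are placeholders.

```powershell
# Added example (not course 6425A material). Requires the GroupPolicy module
# (Windows Server 2008 R2 / RSAT). GPO names, OU DN and folder are placeholders.
Import-Module GroupPolicy

# Back up all GPOs into a time-stamped sub-folder. Read permission on a GPO is all a
# backup needs. Keep the folder on a volume only Group Policy administrators can read:
# a backup contains every setting, script and registry value of the GPO.
function Backup-AllGpos {
    param([string]$Root = 'C:\GPO_Back')
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $backups = Backup-GPO -All -Path $dest -Comment "Full backup $(Get-Date -Format s)"
    Write-Host ("Backed up {0} GPOs to {1}" -f @($backups).Count, $dest)
    return $dest
}

# Restore one GPO from the newest backup of that name in the folder. This also works for
# a GPO that was deleted (it is re-created with its original GUID). Restore puts back the
# settings and the GPO's own ACL, but NOT the links from sites/domains/OUs to the GPO.
function Restore-GpoFromLatest {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$BackupPath)
    $gpo = Restore-GPO -Name $Name -Path $BackupPath
    Write-Host ("Restored '{0}' (GUID {1}), computer version {2}" -f $gpo.DisplayName, $gpo.Id, $gpo.Computer.DSVersion)
    return $gpo
}

# Copy a GPO and link the copy to an OU. The copy is an independent GPO; later edits to the
# source do not reach it. Without -CopyAcl the copy gets the default permissions of a new
# GPO, which is usually what you want when the source ACL was tailored to its own OU.
function Copy-GpoToOu {
    param([Parameter(Mandatory=$true)][string]$SourceName,
          [Parameter(Mandatory=$true)][string]$TargetName,
          [Parameter(Mandatory=$true)][string]$OuDN,
          [switch]$CopyAcl)
    $copy = Copy-GPO -SourceName $SourceName -TargetName $TargetName -CopyAcl:$CopyAcl
    New-GPLink -Name $copy.DisplayName -Target $OuDN -LinkEnabled Yes | Out-Null
    return $copy
}

# The demonstration, scripted: back up everything, "accidentally" delete Desktop,
# restore it, then re-link it (the restore does not bring the link back).
$path = Backup-AllGpos
Remove-GPO -Name 'Desktop'
Restore-GpoFromLatest -Name 'Desktop' -BackupPath $path | Out-Null
New-GPLink -Name 'Desktop' -Target 'OU=NYC,DC=woodgrovebank,DC=com' -LinkEnabled Yes | Out-Null
Copy-GpoToOu -SourceName 'Desktop' -TargetName 'Desktop (Miami)' -OuDN 'OU=Miami,DC=woodgrovebank,DC=com'
```

Run Get-GPInheritance -Target <OU DN> after a restore to confirm the expected links are present; the GPMC shows the same information on the container's Linked Group Policy Objects tab.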
Demonstration: Importing a GPO Course 6425A Demonstration: Importing a GPO Module 5: Creating and Configuring Group Policy In this demonstration, you will see how to: Import a GPO. Use a migration table. To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Demonstration steps: Create a new GPO named Redirect. Configure the Redirect policy to redirect the My Documents folder to a UNC path of \\server\share. Back up the Redirect policy. Create a new GPO named Imported. Import the policy settings from the Redirect backup into the Imported policy. When the scan discovers settings that may need to be modified (the UNC path, and any security principals), create a new migration table that changes the UNC path from \\server\share to \\Srv1\docs. Finish the Import Wizard, and show that the UNC path for My Documents has changed from \\server\share to \\Srv1\docs. Discussion Question and Answer Question: What is the purpose of a migration table? Answer: Migration tables allow you, if required, to change specific references (UNC paths and security principals such as users and groups) in copied or imported GPOs so that they are valid in the new domain or location where the GPO will be applied. Reference Import a Group Policy object using GPMC http://go.microsoft.com/fwlink/?LinkId=113123
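The following PowerShell script is an added example of this demonstration, not course 6425A material. It assumes the GroupPolicy module from Windows Server 2008 R2 / RSAT (Backup-GPO, Import-GPO, Get-GPOReport); the GPO names and paths are those used in the demonstration steps. The migration table is written by hand in the XML format that the GPMC Migration Table Editor produces; if your environment's editor writes a different header, copy the header from a table it generated and keep only the Mapping element shown here.

```powershell
# Added example (not course 6425A material). Requires the GroupPolicy module
# (Windows Server 2008 R2 / RSAT). Names and paths follow the demonstration.
Import-Module GroupPolicy

$backupPath = 'C:\GPO_Back\import-demo'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# 1. Import works only from a backup, so back up the source GPO first.
Backup-GPO -Name 'Redirect' -Path $backupPath | Out-Null

# 2. Migration table: rewrite the Folder Redirection target during the import.
#    Type is one of UNCPath, User, Computer, LocalGroup, GlobalGroup, UniversalGroup, Unknown.
$migTable = Join-Path $backupPath 'redirect.migtable'
@'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\server\share</Source>
    <Destination>\\Srv1\docs</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding UTF8

# 3. Import into the target GPO, creating it if needed. Import REPLACES the target's
#    existing settings; it never merges them with what is already there.
Import-GPO -BackupGpoName 'Redirect' -Path $backupPath -TargetName 'Imported' `
           -CreateIfNeeded -MigrationTable $migTable | Out-Null

# 4. Verify from the settings report rather than trusting the wizard's summary:
#    the new path must be present and the old path must be gone.
function Test-ImportedPath {
    param([string]$GpoName, [string]$OldPath, [string]$NewPath)
    $xml = Get-GPOReport -Name $GpoName -ReportType Xml
    $hasNew = $xml -match [regex]::Escape($NewPath)
    $hasOld = $xml -match [regex]::Escape($OldPath)
    if (-not $hasNew -or $hasOld) {
        Write-Warning ("'{0}': new path present={1}, old path present={2}" -f $GpoName, $hasNew, $hasOld)
    }
    return ($hasNew -and -not $hasOld)
}

Test-ImportedPath -GpoName 'Imported' -OldPath '\\server\share' -NewPath '\\Srv1\docs'
```

When a backup references security principals (for example in Restricted Groups or user rights assignments) the import scan lists them as well; map each one to the principal that exists in the destination domain, because an unmapped SID from another domain is silently carried over as an unresolvable SID.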
Migrating Group Policy Objects Course 6425A Migrating Group Policy Objects Module 5: Creating and Configuring Group Policy The ADMX Migrator utility: Can be used to convert custom ADM files to ADMX. Is GUI-based, and can be downloaded from the Microsoft download site. Explain that the ADMX Migrator enables you to convert custom ADM files to the ADMX format (an ADMX file plus a language-specific ADML file), so that custom templates can be placed in the central store alongside the built-in ones instead of being copied into each GPO. References ADMX Migrator http://go.microsoft.com/fwlink/?LinkId=99466 ADMX Migrator download (Blog) http://go.microsoft.com/fwlink/?LinkId=113124
Lesson 5: Delegating Administrative Control of Group Policy Course 6425A Lesson 5: Delegating Administrative Control of Group Policy Module 5: Creating and Configuring Group Policy Options for Delegating Control of GPOs Demonstration: How to Delegate Administrative Control of GPOs
Options for Delegating Control of GPOs Course 6425A Options for Delegating Control of GPOs Module 5: Creating and Configuring Group Policy Methods to delegate control of GPOs: Create GPOs in the domain (membership in the Group Policy Creator Owners group, or explicit permission to create GPOs). Edit or delete GPOs (assign Edit rights on individual GPOs). Link GPOs to containers (delegate the right to link GPOs to sites, domains and OUs). Use reporting tools (delegate the right to run Group Policy Results and Group Policy Modeling). Explain that you can delegate different aspects of GPO management. Emphasize that the abilities to create, link, and edit GPOs are separate permissions, and that having the right to perform one of those operations does not give you any right to perform the others. By default only members of Domain Admins and Enterprise Admins (and therefore the domain Administrator account) hold all of these rights. The Delegation of Control Wizard or the GPMC can be used to delegate linking GPOs, as well as to enable use of the reporting tools. Explain that you can use membership in the Group Policy Creator Owners group or delegation through the GPMC to delegate the right to create new GPOs; note that the creator of a GPO becomes its owner and can edit it, but still cannot link it anywhere without link rights on a container. You can configure each individual GPO to allow users or groups to edit that GPO. Caution students that edit rights are only as safe as the GPO's links: a user who can edit a GPO linked at the domain level, or to the Domain Controllers OU, can push scripts and security settings to every computer in that scope, which is equivalent to administrative control of those computers. Reference Delegating Group Policy http://go.microsoft.com/fwlink/?LinkId=99467
Demonstration: How to Delegate Administrative Control of GPOs Course 6425A Demonstration: How to Delegate Administrative Control of GPOs Module 5: Creating and Configuring Group Policy In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for Group Policy. To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Demonstration steps: Use the Delegation of Control Wizard to delegate to a user the right to link existing GPOs to an OU, and to use the Group Policy reporting tools. Use the GPMC to delegate to a different user the right to create GPOs. Use the GPMC to delegate to the user the right to edit the Desktop policy. Discussion Question and Answer Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this? Answer: You must use the GPMC (Group Policy Objects node, Delegation tab) to delegate permission to create GPOs to the user. You cannot add the user to the Group Policy Creator Owners group, because it is a global group and therefore cannot contain a user from a different domain. References Delegation and policy-related permissions http://go.microsoft.com/fwlink/?LinkId=113125
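The following PowerShell script is an added example of the delegation options and this demonstration; it is not course 6425A material. It assumes the GroupPolicy and ActiveDirectory modules from Windows Server 2008 R2 / RSAT (Set-GPPermission, Get-GPPermission, Get-GPInheritance, Add-ADGroupMember) and dsacls.exe for the container-level rights, which the GPMC Delegation tabs set through the GUI on the Windows Server 2008 build used in the course. The group names, OU and domain are placeholders. The dsacls lines grant attribute writes and control-access rights by their display names; check the result with dsacls <OU DN> before relying on it.

```powershell
# Added example (not course 6425A material). Requires the GroupPolicy and ActiveDirectory
# modules (Windows Server 2008 R2 / RSAT) and dsacls.exe. Names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = 'DC=woodgrovebank,DC=com'
$ou       = "OU=NYC,$domainDN"
$dom      = 'WOODGROVEBANK'

# 1. Create GPOs: Group Policy Creator Owners is a global group, so only principals from this
#    domain can be added. For a principal from another domain use the GPMC Delegation tab of
#    the Group Policy Objects node, which sets the ACLs in both AD and SYSVOL for you.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'NYC GPO Authors'

# 2. Edit one specific GPO. GpoEdit = read + write settings; GpoEditDeleteModifySecurity also
#    allows deleting the GPO and changing its ACL. Neither level grants Apply Group Policy,
#    and neither grants the right to link the GPO to any container.
Set-GPPermission -Name 'Desktop' -TargetName "$dom\NYC GPO Editors" -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# 3. Link GPOs to an OU = write access to the gPLink and gPOptions attributes of that OU.
#    /I:T makes the grant inherit to child OUs; omit it to limit linking to this OU only.
dsacls $ou /I:T /G "$dom\NYC GPO Linkers:RPWP;gPLink"
dsacls $ou /I:T /G "$dom\NYC GPO Linkers:RPWP;gPOptions"

# 4. Use the reporting tools against objects under the OU: the two "Generate Resultant Set of
#    Policy" control-access rights (Logging = Group Policy Results, Planning = Group Policy Modeling).
dsacls $ou /I:T /G "$dom\NYC Helpdesk:CA;Generate Resultant Set of Policy (Logging)"
dsacls $ou /I:T /G "$dom\NYC Helpdesk:CA;Generate Resultant Set of Policy (Planning)"

# 5. Verify the GPO-level grant, then audit the dangerous case: anyone with edit rights on a GPO
#    linked to the Domain Controllers OU (or the domain) can push settings to those machines.
function Get-GpoEditorsForContainer {
    param([Parameter(Mandatory=$true)][string]$ContainerDN)
    $links = (Get-GPInheritance -Target $ContainerDN).GpoLinks
    foreach ($link in $links) {
        $gpoName = $link.DisplayName
        Get-GPPermission -Name $gpoName -All |
            Where-Object { "$($_.Permission)" -like 'GpoEdit*' } |
            Select-Object @{n='GPO';e={$gpoName}},
                          @{n='Trustee';e={$_.Trustee.Name}},
                          Permission
    }
}

Get-GPPermission -Name 'Desktop' -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission | Format-Table -AutoSize
Get-GpoEditorsForContainer -ContainerDN "OU=Domain Controllers,$domainDN" | Format-Table -AutoSize
```

Re-run Get-GpoEditorsForContainer for the domain itself (the DC=... distinguished name) as part of a periodic review: any trustee listed there who is not a Domain Admin is an unintended path to control of every domain member.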
Lab: Creating and Configuring GPOs Course 6425A Lab: Creating and Configuring GPOs Module 5: Creating and Configuring Group Policy Exercise 1: Creating Group Policy Objects Exercise 2: Managing the Scope of GPO Application Exercise 3: Verifying GPO Application Exercise 4: Managing GPOs Exercise 5: Delegating Administrative Control of GPOs Lab Objectives: Create and link Group Policy objects Manage the scope of GPO application Verify the application of Group Policy settings Manage GPOs Delegate administrative control of GPOs Scenario: Woodgrove Bank has decided to implement Group Policy to manage user desktops and to configure computer security. The organization already implemented an OU configuration that includes top-level OUs grouped by location, with additional OUs within each location OU for users, groups, workstations, servers, and service accounts. The enterprise administrator has created a GPO deployment plan. You have been asked to create Group Policy objects so that certain policies can be applied to all objects in the domain. Some policies are considered optional, while some are mandatory. You also want to create policy settings that will apply only to subsets of domain objects. You also want to have separate policies for computer and user settings. GPO administration also must be delegated to administrators within each company location. This lab consists of five exercises. (see the next page for more information about the lab) Logon information Virtual machine NYC-DC1, NYC-CL1 User name Administrator Password Pa$$w0rd Estimated time: 75 minutes
Module 5: Creating and Configuring Group Policy Course 6425A Module 5: Creating and Configuring Group Policy Exercise 1: Creating Group Policy Objects The student will create and link the GPOs specified by the enterprise administrator’s design. Tasks include modifying the default domain policy, and creating policies linked to specific OUs and sites. Exercise 2: Managing the Scope of GPO Application The student will configure the inheritance of GPO settings based on the enterprise administrator’s design. Tasks include disabling links, blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters. Exercise 3: Verifying GPO Application The student will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log in as specific users, and then use Group Policy Modeling and RSOP to verify that GPOs are being applied correctly. Exercise 4: Managing GPOs The student will use the GPMC to back up, restore, and import GPOs. Exercise 5: Delegating Administrative Control of GPOs The student will delegate administrative control of GPOs based on the enterprise administrator design. Tasks include configuring permissions to create and link GPOs, and configuring permissions to use Group Policy modeling and RSOP. The student then will test the permissions configuration. Inputs: GPO design documentation that the enterprise administrator provides. Outputs: GPOs configured as the design specifies.
Module 5: Creating and Configuring Group Policy Course 6425A Lab Review Module 5: Creating and Configuring Group Policy What other method could be used to grant a user the right to create GPOs in the domain? If you need to apply a GPO to computers that have certain services installed, what is the best approach? Lab Review Questions and Answers Question: What other method could be used to grant a user the right to create GPOs in the domain? Answer: Add the user to the Group Policy Creator Owners group (possible only for users from the same domain, because it is a global group). Question: If you need to apply a GPO to computers that have certain services installed, what is the best approach? Answer: Create a WMI filter that queries the Win32_Service class for the service, and link the filter to the GPO. The GPO applies only to computers on which the query returns at least one instance.
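The following PowerShell function is an added example for the second lab review question, not course 6425A material. Before attaching a WMI filter to a GPO, it runs the filter's WQL query against the computers you name and reports whether the GPO would apply there, using the same rule the Group Policy client applies: the filter is true only when every query in it returns at least one instance. It uses Get-WmiObject, which is available in the PowerShell 2.0 that ships with Windows Server 2008; the computer names and the service name (W3SVC) are placeholders.

```powershell
# Added example (not course 6425A material). Tests a WMI filter's queries against target
# computers before the filter is linked to a GPO. Computer and service names are placeholders.
function Test-GPWmiFilterQuery {
    param(
        [Parameter(Mandatory=$true)] [string[]]$Query,       # every query in the filter must match
        [string]$Namespace = 'root\CIMv2',                    # the namespace set on the filter
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $wouldApply = $true
        $detail = @()
        foreach ($q in $Query) {
            try {
                $hits = @(Get-WmiObject -ComputerName $computer -Namespace $Namespace `
                                        -Query $q -ErrorAction Stop)
                $detail += ('{0} instance(s) for "{1}"' -f $hits.Count, $q)
                if ($hits.Count -eq 0) { $wouldApply = $false }
            } catch {
                # A query that fails (missing namespace or class, no remote WMI access) evaluates
                # false on the client too, so the GPO would not apply there either.
                $detail += ('ERROR for "{0}": {1}' -f $q, $_.Exception.Message)
                $wouldApply = $false
            }
        }
        New-Object PSObject -Property @{
            Computer      = $computer
            GpoWouldApply = $wouldApply
            Detail        = ($detail -join '; ')
        }
    }
}

# Filter for "computers on which the Web server service (W3SVC) is installed".
$serviceFilter = "SELECT * FROM Win32_Service WHERE Name = 'W3SVC'"
Test-GPWmiFilterQuery -Query $serviceFilter -ComputerName 'NYC-DC1', 'NYC-CL1' |
    Format-Table Computer, GpoWouldApply, Detail -AutoSize
```

Two caveats worth stating in class: a WMI query runs on every client at each policy refresh, so keep the query cheap (a single class with a WHERE clause, not a join across classes); and Windows 2000 clients ignore WMI filters and apply the GPO regardless, so a filter is not a security boundary.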
Module Review and Takeaways Course 6425A Module Review and Takeaways Module 5: Creating and Configuring Group Policy Considerations Review questions Key points of this module are: Multiple local Group Policy objects. ADMX and ADML files replace ADM files. Methods to control Group Policy: inheritance, filtering, and enforcement. Group Policy tools and reporting. Review Questions and Answers Question: You want to force the application of certain Group Policy settings across a slow link. What can you do? Answer: Enable "Allow processing across a slow network connection" in the policy processing setting for the relevant client-side extension (for example, Folder Redirection policy processing, under Computer Configuration\Administrative Templates\System\Group Policy), or raise the threshold in the Group Policy slow link detection setting so that the link is no longer classified as slow. Note that registry (Administrative Templates) and security settings are always processed regardless of link speed. Question: You need to ensure that a domain-level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this? Answer: Set the link to be enforced at the domain level, and use security group filtering to deny the Apply Group Policy permission to the Managers group. Enforcement prevents child OUs from blocking the GPO; security filtering still decides which users and computers actually apply it, so the Deny entry takes effect. Question: You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach? Answer: Configure a starter GPO with the required basic settings, and then export the starter GPO to a .cab file. Other administrators can then load that file into their GPMC and create new GPOs from it. Question: You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this? Answer: Only partly. The removable storage access settings are applied only by Windows Vista, Windows Server 2008 and later; earlier clients such as Windows XP ignore them.