70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy

Guide to MCSE , Enhanced 2 Objectives Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection Manage and troubleshoot Group Policy inheritance Deploy and manage software using Group Policy

Guide to MCSE , Enhanced 3 Introduction to Group Policy Group policy centralizes management of user and computer configuration settings throughout a network A group policy object is an Active Directory object used to configure policy settings for user and computer objects There are two default Group Policy Objects: Default Domain Policy (linked to domain container) Default Domain Controllers Policy (linked to domain controller OU)

Guide to MCSE , Enhanced 4 Introduction to Group Policy (continued) You can modify default GPOs You can create new GPOs and link them to particular sites, domains, and OUs Policy settings will be propagated to all users and computers in container including child OUs Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP

Guide to MCSE , Enhanced 5 Creating a Group Policy Object Two ways to create a GPO: Group Policy standalone Microsoft Management Console (MMC) snap-in Group Policy extension in Active Directory Users and Computers

Guide to MCSE , Enhanced 6 Editing a GPO

Guide to MCSE , Enhanced 7 Editing a GPO (continued) Table 9-1 shows configuration categories for both computer and user configurations Two tabs in Properties of each setting: Setting allows you to enable or disable the setting Explain provides information about the setting GPO content is stored in 2 locations: Group Policy container (GPC) Group Policy template (GPT) A GPO is identified by a 128-bit globally unique identifier (GUID)

Guide to MCSE , Enhanced 8 Application of Group Policy Two main categories to a Group Policy Computer configuration (settings apply to computers in the container) User configuration (settings apply to users in the container) Upon computer startup (or user logon) Computer queries domain controller for GPOs. Domain controller finds applicable GPOs. Domain controller presents list of GPOs. The client gets Group Policy templates, applies the settings and runs the scripts. Same basic process happens for user logons

Guide to MCSE , Enhanced 9 Controlling User Desktop Settings Administrative templates Used to limit user manipulation of user desktop and computer configurations Aim is to reduce administrative costs Seven main categories of configuration settings can be applied to either computer or user section of a GPO

Guide to MCSE , Enhanced 10 Controlling User Desktop Settings (continued)

Guide to MCSE , Enhanced 11 Managing Security Settings with Group Policy Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects Other nodes in Security Settings category can be applied at both domain and OU levels Local Policies Audit Policy User Rights Assignment Security Options

Guide to MCSE , Enhanced 12 Managing Security Settings with Group Policy (continued) Event Log Restricted Groups System Services Registry File System Wireless Network Policies Public Key Policies Software Restriction Policies IP Security Policies on Active Directory

Guide to MCSE , Enhanced 13 Assigning Scripts Windows Server 2003 can run scripts during: User logon or logoff User section of GPO Computer startup and shutdown Computer section of GPO Default is for scripts to run synchronously from top to bottom Can specify script time-outs, asynchronous execution, and hiding of scripts

Guide to MCSE , Enhanced 14 Redirecting Folders Allows you to redirect the contents of a user’s profile to a network location Profile contents that can be redirected are application data, desktop, My Documents, Start menu Redirection is useful because it: Aids in backup Reduces logon time Allows creation of a standard desktop for multiple users

Guide to MCSE , Enhanced 15 Redirecting Folders (continued)

Guide to MCSE , Enhanced 16 Managing Group Policy Inheritance Specific order for GPO application: Local computer  Site  Domain  Parent OU  Child OU By default, all GPO settings are inherited At each level, there can be multiple GPOs Policies are applied in the order that they appear on the Group Policy tab for each container, bottom GPO first Applying a large number of GPOs can affect startup and logon performance

Guide to MCSE , Enhanced 17 Managing Group Policy Inheritance (continued) Conflicts are resolved according to a set formula Policies are updated automatically at intervals and can be updated manually Policies can be linked to a site, domain, or specific OU containers Multiple Group Policies can be assigned to a single container A single Group Policy can be linked to multiple containers

Guide to MCSE , Enhanced 18 Configuring Block Policy Inheritance, No Override, and Filtering These options allow default behavior to be changed for specific containers Can change default inheritance policy Can change default conflict resolution Can change permissions for a specific member within a group to deny GPO application for that member

Guide to MCSE , Enhanced 19 Blocking Group Policy Inheritance To change default inheritance, use the Block Policy inheritance check box on the Group Policy tab for a child container Child will not inherit parent’s policies Useful if one OU needs to be managed separately

Guide to MCSE , Enhanced 20 Configuring No Override If a policy is configured with No Override It will be enforced despite conflicts in lower-level policies It will be enforced on lower-level containers with Block Policy inheritance set

Guide to MCSE , Enhanced 21 Filtering Using Permissions Prevents policy settings from applying to a particular user, group, or computer within a container To filter a GPO from a particular container member, deny Read and Apply Group Policy permissions for the member account only

Guide to MCSE , Enhanced 22 Troubleshooting Group Policy Settings Potential trouble areas: Order of Group Policy processing Improper use of No Override or Block Policy inheritance settings Read and Apply Group Policy permissions Utilities that show effective Group Policy settings GPRESULT Command-line utility Resultant Set of Policy (RSoP) Graphical utility

Guide to MCSE , Enhanced 23 Deploying Software Using Group Policy Applications that can be deployed using Group Policy include: Business applications (e.g., Microsoft Office) Anti-virus software Software updates (e.g., service packs) Four phases of software rollout Software preparation Deployment Software maintenance Software removal

Guide to MCSE , Enhanced 24 Software Preparation Microsoft Windows installer package (MSI) MSI file contains all of the information needed to install an application in a variety of configurations Software vendors include preconfigured MSI packages For older applications, can create MSI packages using 3 rd party utilities (e.g., VERITAS) To install, place MSI file in a shared folder and configure Group Policy to access for installation

Guide to MCSE , Enhanced 25 Software Preparation (continued) If application doesn’t have an MSI package can use ZAP file Text file used by Group Policy to deploy an application Can only be published and not assigned Is not resilient Requires user intervention and proper permissions

Guide to MCSE , Enhanced 26 Deployment Two ways to deploy an application Assigning applications Publishing applications

Guide to MCSE , Enhanced 27 Assigning Applications When a policy is created to assign an application Any user who the policy applies to has a shortcut on the Start menu Application is installed when user clicks shortcut the first time or opens it with an associated document If policy configured in computer section, application is installed next time the computer is started Applications are resilient (if files are corrupted, will reinstall itself)

Guide to MCSE , Enhanced 28 Publishing Applications When a policy is created to publish an application Not advertised in Start menu Installed using the Add/Remove Programs applet or by opening an associated document Only published to users and not computers

Guide to MCSE , Enhanced 29 Configuring the Deployment Create or edit a GPO and specify deployment options Assign or publish application to computers or users to install at the appropriate time

Guide to MCSE , Enhanced 30 Software Maintenance Software must be maintained with patches and updates Deployment of patches and updates can be: Mandatory upgrade Optional upgrade Redeployment of an application

Guide to MCSE , Enhanced 31 Software Removal Application must have been originally installed using a Windows installer package Removal can be: Forced removal Optional removal Forced removal uninstalls application and prevents it from being reinstalled Optional removal does not uninstall application but does prevent it from being reinstalled once removed

Guide to MCSE , Enhanced 32 Summary A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects Two default GPOs created when Active Directory is installed: Default Domain Policy Default Domain Controllers Policy Two mechanisms for creating GPOs Microsoft Management Console Group Policy snap-in Group Policy extension in Active Directory Users and Computers

Guide to MCSE , Enhanced 33 Summary GPOs can be used: to control user desktop settings and security settings to apply scripts on user logon and logoff and computer startup and shutdown for folder redirection GPOs are applied in a specific order GPOs are inherited by default Can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using user permissions Use GPRESULT or Resultant Set of Policy tool to view effective Group Policy settings

Guide to MCSE , Enhanced 34 Summary GPOs are useful in deploying and maintaining software applications GPOs are used for four main phases of software rollout: preparation, deployment, maintenance, removal For deployment, Group Policy uses an MSI file containing information needed to install in a variety of configurations Deployed applications can be either assigned or published