70-411: Administering Windows Server 2012
Chapter 6: Configure and Manage Group Policies
Objective 6.1: Configuring Group Policy Processing
Group Policies and GPOs
Group policies are defined using group policy objects (GPOs). A GPO is the collection of configuration instructions that the computer processes. To assign a group policy, link the GPO to an Active Directory container (site, domain, or organizational unit).
© 2013 John Wiley & Sons, Inc.

Scoping a GPO
Mechanisms for scoping a GPO:
- A GPO link to a site, domain, or organizational unit (OU)
- The GPO link enabled or disabled
- The Enforced option of the GPO link
- The Block Inheritance option of an OU
- Security group filtering
- WMI filtering
- Loopback policy processing
- Preferences targeting (discussed in Lesson 22)

Understanding Group Policy Inheritance
A computer and a user can be affected by multiple GPOs. GPOs are processed in the following order:
1. Local group policy
2. Site
3. Domain
4. OU
Group Policy uses inheritance: settings are inherited from the container above, and where settings conflict, the GPO processed last (the one closest to the user or computer object) wins.

Understanding Group Policy Inheritance
When Active Directory is installed, two domain GPOs are created by default:
- Default Domain Policy: Linked to the domain. It affects all users and computers in the domain, including domain controllers. It specifies the password, account lockout, and Kerberos policies.
- Default Domain Controllers Policy: Linked to the Domain Controllers organizational unit, which then affects the domain controllers. It contains the default user rights assignments.
Managing Group Policy Links
To disable a group policy for a container, right-click the GPO link under the container and click Link Enabled to clear it.

Managing Group Policy Links
After a GPO is created, you can:
- View the containers that a GPO is linked to by clicking the GPO in Group Policy Management and viewing the Scope tab.
- Delete a link to a container without deleting the GPO by right-clicking the GPO link under the container and clicking Delete. When asked whether to delete the link, click OK.
- Disable or delete a link for a container by right-clicking the container in the Scope tab and clicking the Link Enabled option or the Delete Link(s) option.
Using Filtering with Group Policies
The exceptions to the processing of group policies can be modified with these options:
- Block Inheritance
- Enforced

Configuring Blocking of Inheritance
By default, group policies flow down to the lower containers and objects. To prevent the inheritance of policy settings, set Block Inheritance on a container: this blocks all Group Policy settings from the GPOs linked to parent containers in the Group Policy hierarchy. GPOs linked directly to the container and GPOs linked to lower containers are unaffected.

Configuring Enforced Policies
By enforcing a GPO link, the GPO takes the highest precedence, so its settings prevail over any conflicting policy settings in other GPOs. An enforced link applies to child containers even when those containers are set to Block Inheritance.
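The link, enforcement and inheritance operations described on the preceding slides, as an added example using the GroupPolicy and ActiveDirectory PowerShell modules that ship with Windows Server 2012. This is not courseware code; the domain contoso.com, the OUs "Workstations" and "Kiosks" and the GPO "Workstation Baseline" are assumed names, and the Get-GpoLinkTargets function is written here to reproduce what the Scope tab shows.

```powershell
# Added example (not courseware code): manage GPO links, enforcement and inheritance.
# Assumed names: domain contoso.com, OUs "Workstations" and "Kiosks", GPO "Workstation Baseline".
Import-Module GroupPolicy, ActiveDirectory

$domainDN = "DC=contoso,DC=com"
$ou       = "OU=Workstations,$domainDN"
$childOu  = "OU=Kiosks,$ou"
$gpoName  = "Workstation Baseline"

# Create the GPO if needed and link it to the OU (link enabled, first in link order).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "Baseline settings for workstations" | Out-Null
}
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# Disable the link without deleting the GPO (the Link Enabled toggle in GPMC).
Set-GPLink -Name $gpoName -Target $ou -LinkEnabled No | Out-Null

# Re-enable it and enforce it: an enforced link wins over conflicting settings
# further down the hierarchy and still reaches child OUs that block inheritance.
Set-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null

# Block inheritance on the child OU. Enforced parent links keep applying.
Set-GPInheritance -Target $childOu -IsBlocked Yes | Out-Null

# Check 1: what the child OU actually inherits, in precedence order. With
# inheritance blocked, only enforced links from above remain in this list.
(Get-GPInheritance -Target $childOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize

# Check 2: every container a GPO is linked to (what the Scope tab shows). Each link
# is stored in the container's gPLink attribute as "[LDAP://cn={GUID},...;options]",
# so a substring search for the GPO's GUID finds domain, OU and site links.
function Get-GpoLinkTargets {
    param([string]$Name)
    $id = (Get-GPO -Name $Name).Id.ToString().ToUpper()
    $bases = @($domainDN, (Get-ADRootDSE).configurationNamingContext)   # domain + sites
    foreach ($base in $bases) {
        Get-ADObject -LDAPFilter "(gPLink=*$id*)" -SearchBase $base -Properties gPLink |
            Select-Object DistinguishedName, ObjectClass
    }
}
Get-GpoLinkTargets -Name $gpoName | Format-Table -AutoSize

# Remove the link from the OU while keeping the GPO object itself.
Remove-GPLink -Name $gpoName -Target $ou | Out-Null
```

The two checks are the useful part when troubleshooting scope: Check 1 answers "why does this enforced GPO still land on an OU that blocks inheritance", and Check 2 answers "where else is this GPO linked" before you delete or edit it.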
Configuring Security Filtering/WMI Filtering
For granular control over who or what receives a group policy, use these filters:
- Security group filtering: Uses the GPO's access control list (ACL) to determine who can modify or read a policy and who or what a GPO is applied to.
- WMI filtering: Uses the WMI Query Language (WQL) to control who or what a GPO is applied to.

Using Security Filtering
Security group filtering specifies, based on the GPO's ACL, which users, computers, or groups receive a GPO.

Filtering GPO Scopes
Here are the ways to filter GPO scopes:
- Remove the Allow Apply group policy permission from a group such as Authenticated Users.
- Remove the Authenticated Users group access control entry (ACE), add other groups or users, and assign them the Allow Apply group policy permission.
- Add an ACE for another group, user, or computer and assign the Deny Apply group policy permission. As with NTFS permissions, a Deny setting always supersedes any Allow setting granted to a user directly or through membership in another group.
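The security filtering steps above, as an added example using Set-GPPermission and Get-GPPermission from the GroupPolicy module. This is not courseware code; the GPO "Finance Drive Maps" and the group "Finance" are assumed names, and the Get-GpoApplyTrustees function is written here as a check.

```powershell
# Added example (not courseware code): scope a GPO with security filtering.
# Assumed names: GPO "Finance Drive Maps", domain group "Finance".
Import-Module GroupPolicy
$gpoName = "Finance Drive Maps"

# Replace the default Authenticated Users ACE (Read + Apply group policy) with Read only.
# Keeping Read matters: since the MS16-072 security update the computer account retrieves
# user GPOs, so if Authenticated Users loses Read the user settings silently stop applying.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Grant Read + Apply group policy only to the group that should receive the GPO.
Set-GPPermission -Name $gpoName -TargetName "Finance" -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Deny ACEs cannot be written with Set-GPPermission; add them in GPMC
# (Delegation tab > Advanced). They show up in Get-GPPermission with Denied = True.

# Check: who will actually receive this GPO. A trustee needs Apply group policy
# (which includes Read) and must not have a Deny on it.
function Get-GpoApplyTrustees {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.TrusteeType } },
                      Denied
}
Get-GpoApplyTrustees -Name $gpoName | Format-Table -AutoSize
```

Run the check after every filtering change: a GPO whose only Apply ACE was removed, or whose Authenticated Users entry was deleted outright instead of reduced to Read, is a common reason a policy "does nothing" with no error in the event log.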
WMI Filtering
- Windows Management Instrumentation (WMI): A component that extends the Windows Driver Model through an operating system interface that provides information and notification on hardware, software, operating systems, and services.
- WMI filtering: Configures a GPO to be applied to certain users or computers based on specific hardware, software, operating systems, and services.

Using WMI Filtering
To use WMI filters:
- You need to have at least one domain controller running Windows Server 2003 or higher.
- WMI filters are applied only to computers running Windows XP Professional or newer, or Windows Server 2003 or newer.
- All filter criteria must evaluate to true for the GPO to be applied.
- Only one WMI filter can be configured per GPO.
- After a WMI filter has been created, it can be linked to multiple GPOs.
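An added example, not courseware code, showing how to test WQL criteria on a computer before putting them in a WMI filter, and how to list which GPOs carry a filter. The two queries are constructed for illustration (a filter that matches laptop workstations only); the Test-WmiFilterCriteria function is written here and mirrors the rule that every query must return at least one instance.

```powershell
# Added example (not courseware code): test WMI filter criteria locally, then
# inventory the filters in use across the domain's GPOs.
Import-Module GroupPolicy

# A WMI filter is true only when every one of its queries returns at least one
# instance (queries are ANDed). This reproduces that evaluation on the local computer
# in the default namespace root\CIMv2.
function Test-WmiFilterCriteria {
    param([string[]]$Queries)
    foreach ($q in $Queries) {
        $hits = @(Get-CimInstance -Query $q -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Query = $q; Instances = $hits.Count; Passes = ($hits.Count -gt 0) }
    }
}

# Constructed criteria: workstation OS (ProductType 1 = workstation, 2 = domain
# controller, 3 = member server) that is a mobile system (PCSystemType 2 = laptop).
$criteria = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"',
    'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
)
$results = Test-WmiFilterCriteria -Queries $criteria
$results | Format-Table -AutoSize
$filterIsTrue = -not ($results | Where-Object { -not $_.Passes })
"WMI filter would evaluate to $filterIsTrue on $env:COMPUTERNAME"

# Check: which GPOs carry a WMI filter. A GPO has at most one filter, but the same
# filter can be attached to several GPOs, which this listing makes visible.
Get-GPO -All | Where-Object { $_.WmiFilter } |
    Select-Object DisplayName, @{ n = 'WmiFilter'; e = { $_.WmiFilter.Name } } |
    Sort-Object WmiFilter | Format-Table -AutoSize
```

Testing the queries on a representative client first avoids the classic mistake of a typo in a class or property name, which makes the filter evaluate to false everywhere and the GPO stop applying without any error.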
Configuring Loopback Processing
Group Policy loopback processing is used to apply user policies based on the computer object. No matter who logs on to the computer, the user settings of the GPOs that apply to the computer are applied.

Configuring Loopback Processing
Loopback is enabled in the Group Policy Management Editor under Computer Configuration\Administrative Templates\System\Group Policy\Configure user Group Policy loopback processing mode. After you enable the setting, choose one of two loopback processing modes:
- Replace mode: the user settings from the computer's GPOs replace the user settings that would normally apply to the user.
- Merge mode: both sets of user settings are applied, and the computer's GPOs win where they conflict.
Configuring Client-Side Extension Behavior
Client-side extensions (CSEs) are processes that interpret the settings in a GPO and make the changes to the local computer or the currently logged-on user. CSEs are triggered when a Group Policy client pulls the GPOs from the domain. Each major category of policy setting has its own CSE.

Configuring Client-Side Extension Behavior
You can configure the behavior of CSEs by using Group Policy, specifically the settings under Computer Configuration\Policies\Administrative Templates\System\Group Policy\.

Configuring/Managing Slow-Link Processing
Processing group policies over a slow network link (for example, between a branch site and the corporate office) can affect the performance of the client computer being configured via a GPO. A link is considered slow if its bandwidth is less than 500 kilobits per second (kbps). The Configure Group Policy slow link detection setting is used to define what is considered a slow-link connection.
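The loopback processing mode and the slow-link threshold from the two preceding slides, as an added example that sets them in a GPO through the registry values those two Administrative Template settings write, then reads them back on a client. This is not courseware code; the GPO name "Kiosk Computers" and the 256 kbps threshold are assumed, and Get-GpProcessingSettings is a function written here as the client-side check.

```powershell
# Added example (not courseware code): configure loopback processing and slow-link
# detection in a GPO, then verify the values on a client.
Import-Module GroupPolicy
$gpoName = "Kiosk Computers"                                   # assumed GPO
$sysKey  = "HKLM\Software\Policies\Microsoft\Windows\System"   # key both settings write to

# "Configure user Group Policy loopback processing mode" writes UserPolicyMode:
#   1 = Merge   (the user's own GPOs first, then the computer's user settings on top)
#   2 = Replace (only the user settings from the computer's GPOs)
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName UserPolicyMode `
    -Type DWord -Value 2 | Out-Null

# "Configure Group Policy slow link detection" writes GroupPolicyMinTransferRate in kbps
# (500 by default; 0 makes every connection count as fast). 256 is an assumed value.
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName GroupPolicyMinTransferRate `
    -Type DWord -Value 256 | Out-Null

# Check the GPO side.
Get-GPRegistryValue -Name $gpoName -Key $sysKey | Select-Object ValueName, Type, Value

# Check the client side (run on the kiosk after gpupdate /force): the policy CSE
# writes the same values under HKLM on the computer.
function Get-GpProcessingSettings {
    $p = Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\System" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LoopbackMode = switch ($p.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
        SlowLinkKbps = if ($null -ne $p.GroupPolicyMinTransferRate) { $p.GroupPolicyMinTransferRate } else { 500 }
    }
}
Get-GpProcessingSettings
```

Replace mode on a shared or kiosk machine is the usual hardening choice, because it guarantees that a user's own (possibly looser) user settings never reach that computer; Merge keeps them but lets the computer's GPOs override on conflict.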
Troubleshooting GPOs
Windows Server 2012 provides the following tools for performing Resultant Set of Policy (RSoP) analysis:
- The Group Policy Results Wizard
- The GPResult.exe command
- The Group Policy Modeling Wizard

Troubleshooting GPOs
The Group Policy Results Wizard helps you analyze the cumulative effect of GPOs and policy settings on a user or computer. To run the Group Policy Results Wizard, the following must be true:
- The target computer must be online.
- You must have administrative credentials on the target computer.
- The target computer must run Windows XP or newer.
- WMI must be running on the target computer, and ports 135 and 445 must be open to access WMI on the target computer.
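An added example, not courseware code, of collecting RSoP data for a remote computer and user with the same prerequisites the wizard has (WMI reachable with administrative credentials), using Get-GPResultantSetOfPolicy, GPResult.exe and Invoke-GPUpdate from Windows Server 2012. The computer WS42, the user CONTOSO\jdoe and the output folder C:\RSoP are assumed; Get-RsopReport is a function written here.

```powershell
# Added example (not courseware code): force a refresh, then collect RSoP reports
# for a remote computer and user. Assumed: WS42, CONTOSO\jdoe, output in C:\RSoP.
Import-Module GroupPolicy

function Get-RsopReport {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$User,       # DOMAIN\user form
        [string]$OutDir = "C:\RSoP"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Prerequisite check: RSoP collection talks to WMI over DCOM (TCP 135 plus the
    # dynamic range) with admin rights. Get-WmiObject uses the same path, so a failure
    # here means the wizard would fail too.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    } catch {
        throw "Cannot reach WMI on $Computer (online? ports 135/445 open? admin rights?): $_"
    }
    Write-Verbose "$Computer runs $($os.Caption)"

    # Refresh policy first so the report reflects the current GPOs rather than the last
    # 90-120 minute cycle. Invoke-GPUpdate needs the Remote Scheduled Tasks Management
    # firewall rules enabled on the target.
    Invoke-GPUpdate -Computer $Computer -Force -RandomDelayInMinutes 0

    $safeUser = $User -replace '\\', '_'
    $html = Join-Path $OutDir "$Computer-$safeUser.html"
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $html

    # Same data in summary form from GPResult.exe (applied GPOs, filtered-out GPOs and why).
    $txt = Join-Path $OutDir "$Computer-$safeUser.txt"
    gpresult /s $Computer /user $User /r | Out-File -FilePath $txt
    [pscustomobject]@{ HtmlReport = $html; TextReport = $txt }
}

Get-RsopReport -Computer "WS42" -User "CONTOSO\jdoe" -Verbose
```

The HTML report's "Denied GPOs" section is where filtering problems show up: a GPO listed there with reason "Security" or "WMI Filter" tells you which of the scoping mechanisms from Objective 6.1 excluded it.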
Objective 6.2: Configuring Group Policy Settings
Group Policy Settings
The Computer Configuration node contains settings that are applied to the computer regardless of who logs on to the computer. By default, computer settings are applied when the computer is started. The User Configuration node contains settings that are applied when the user logs on.

Group Policy Settings
Group policy settings are refreshed every 90 minutes, plus a random offset of up to 30 minutes (so a refresh happens between 90 and 120 minutes after the previous one). On domain controllers, group policies are refreshed every 5 minutes.
Computer Configuration\Policies and User Configuration\Policies Nodes
Both the Computer Configuration\Policies and the User Configuration\Policies nodes contain:
- Software Settings
- Windows Settings
- Administrative Templates
Software Installation Using Group Policies
- Windows Installer: A software component used for the installation, maintenance, and removal of software on Windows.
- Microsoft Software Installation (MSI) file: Contains installation information for software.
- MSI Transform files: Used to deploy customized MSI files.
- MSI Patch files: Used to apply service packs and hot fixes to installed software.

Assigning or Publishing a Package
When you install software to a user or computer, you can assign or publish it with these options:
- Assign software to a user
- Assign software to a computer
- Publish software to a user

Using Folder Redirection
Use Folder Redirection to:
- Redirect the content of a certain folder to a network location or to another location on the user's local computer.
- Redirect the Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Downloads, and other related folders.
It is found under \User Configuration\Policies\Windows Settings.

Using Scripts with Group Policies
A script is a list of commands stored in a single file that can be executed to perform repetitive tasks. The Microsoft Windows Script Host (WSH) is the component that provides scripting capabilities to Windows.

Types of Scripts
- Computer scripts: Startup, Shutdown
- User scripts: Logon, Logoff
Managing Administrative Templates
When configuring Administrative Templates, each setting has three states:
- Not Configured: The registry key is not modified or overwritten.
- Enabled: The registry key is modified by this setting.
- Disabled: The Disabled setting undoes a change made by a prior Enabled setting.
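An added example, not courseware code, of what the three states mean at the registry level, shown with the "Turn on Script Execution" policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell), whose template writes to HKLM\Software\Policies\Microsoft\Windows\PowerShell. The GPO name "Workstation Baseline" is assumed; Set-GPRegistryValue and Remove-GPRegistryValue are the GroupPolicy module cmdlets that write the same values the editor would.

```powershell
# Added example (not courseware code): the three Administrative Template states,
# expressed as the registry values the "Turn on Script Execution" template defines.
# Assumed GPO name: "Workstation Baseline".
Import-Module GroupPolicy
$gpoName = "Workstation Baseline"
$key     = "HKLM\Software\Policies\Microsoft\Windows\PowerShell"

# Enabled: the CSE writes the template's enabled values, here EnableScripts = 1 and the
# chosen execution policy string (AllSigned / RemoteSigned / Unrestricted).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName EnableScripts   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ExecutionPolicy -Type String -Value "AllSigned" | Out-Null
"Enabled state:";        Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value

# Disabled: the template's disabled value is written explicitly (EnableScripts = 0) and
# the option element is dropped. This actively reverts an earlier Enabled, which is why
# Disabled is not the same as Not Configured.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName EnableScripts -Type DWord -Value 0 | Out-Null
Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName ExecutionPolicy | Out-Null
"Disabled state:";       Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value

# Not Configured: the GPO says nothing about the key at all, so the value is removed
# from the GPO. Whatever another GPO (or nothing) sets then takes effect.
Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName EnableScripts | Out-Null
"Not Configured state:"; Get-GPRegistryValue -Name $gpoName -Key $key -ErrorAction SilentlyContinue |
    Select-Object ValueName, Type, Value
```

The practical consequence for security baselines: to guarantee a setting is off, set it to Disabled rather than leaving it Not Configured, because Not Configured lets a lower-precedence GPO or a local setting win.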
The Central Store
The Central Store:
- Is a folder structure created in the SYSVOL directory on the domain controllers in each domain in your organization.
- Needs to be created only on a single domain controller for each domain. The content of SYSVOL is replicated to the other domain controllers.
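An added example, not courseware code, of creating the Central Store from the ADMX/ADML files on one domain controller and then checking that SYSVOL replication delivered it to every domain controller. The display language en-US is assumed; Get-CentralStoreStatus is a function written here as the replication check.

```powershell
# Added example (not courseware code): build the Central Store on one DC and verify
# it has replicated to the others.
Import-Module ActiveDirectory
$domain  = (Get-ADDomain).DNSRoot
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = "$env:SystemRoot\PolicyDefinitions"
$lang    = "en-US"   # assumed; copy one language subfolder per language you edit GPOs in

if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }

# /XO skips files that are older than the copy already in the store, so re-running
# this from an older server never downgrades a template.
robocopy $local $central *.admx /XO /NP /NJH /NJS
robocopy (Join-Path $local $lang) (Join-Path $central $lang) *.adml /XO /NP /NJH /NJS

# Once the folder exists, the Group Policy Management Editor reports that policy
# definitions were retrieved from the central store instead of the local folder.

# Check: the store is created on one DC; SYSVOL replication carries it to the rest.
function Get-CentralStoreStatus {
    param([string]$DomainName = $domain)
    foreach ($dc in (Get-ADDomainController -Filter * -Server $DomainName).HostName) {
        $path = "\\$dc\SYSVOL\$DomainName\Policies\PolicyDefinitions"
        [pscustomobject]@{
            DomainController = $dc
            Present          = Test-Path $path
            AdmxFiles        = @(Get-ChildItem $path -Filter *.admx -ErrorAction SilentlyContinue).Count
        }
    }
}
Get-CentralStoreStatus | Format-Table -AutoSize
```

A domain controller reporting Present = False or a lower file count than the others points to a SYSVOL replication problem, which will also affect the GPOs themselves, not just the templates.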
Security Templates
A security template is a collection of configuration settings stored in a text file with the .inf extension. Security templates can be used to:
- Save the security configuration to a file.
- Deploy the security settings to a computer or group policy.
- Analyze compliance of a computer's current configuration against the desired configuration.
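The three uses of a security template above, as an added example driven with secedit.exe: export the current configuration, analyze the computer against a template, and apply it. This is not courseware code; the working folder C:\SecTemplates is assumed, the .inf content is constructed for the example, and Get-TemplateMismatches is a function written here to read the analysis log.

```powershell
# Added example (not courseware code): save, analyze and apply a security template.
# Assumed working folder; the template content is constructed for the example.
$workDir  = "C:\SecTemplates"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$template = Join-Path $workDir "Workstation.inf"
$database = Join-Path $workDir "Workstation.sdb"
$log      = Join-Path $workDir "analyze.log"
$current  = Join-Path $workDir "current.inf"

# Minimal constructed template: password and lockout settings only.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Save the computer's current security configuration to a file (also the rollback copy).
secedit /export /cfg $current /quiet

# 2. Analyze: load the template into a fresh database and compare it with the live settings.
if (Test-Path $database) { Remove-Item $database }
secedit /analyze /db $database /cfg $template /log $log /quiet

# Each setting that differs is logged as "Mismatch - <SettingName>."
function Get-TemplateMismatches {
    param([string]$LogPath)
    Select-String -Path $LogPath -Pattern '^\s*Mismatch\s*-\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') }
}
$mismatches = @(Get-TemplateMismatches -LogPath $log)
if ($mismatches.Count) { "Out of compliance: $($mismatches -join ', ')" } else { "Compliant with $template" }

# 3. Deploy: apply the template to this computer. To deploy through Group Policy instead,
#    import the .inf under Computer Configuration > Policies > Windows Settings >
#    Security Settings in the Group Policy Management Editor.
# secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /log $log /quiet
```

The analyze step is safe to run repeatedly as a compliance check; the configure step is left commented because it changes the local policy.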
Custom Administrative Template Files
To make the settings in ADMX files available to a GPO, add the Administrative Templates file to the GPO. If you have older ADM files, either add them to the GPO or convert the ADM file to an ADMX file.

Using ADMX Migrator
ADMX Migrator:
- Is a snap-in for the MMC that simplifies the process of converting existing Group Policy ADM templates to the new ADMX format.
- Provides a graphical user interface for creating and editing Administrative Templates.

Property Filters for Administrative Templates
By default, all policy settings are displayed. To narrow down the displayed list of settings, use Administrative Templates Property Filters.

Property Filters for Administrative Templates
To filter the settings displayed, select or deselect the following filter options:
- Managed or Unmanaged
- Configured or Not Configured
- Keyword Filters
- Requirements Filters
Objective 6.3: Managing Group Policy Objects
Backing Up and Restoring GPOs
Back up all GPOs or individual GPOs using the Group Policy Management Console. Every time a backup is performed, a new backup version of the GPO is created.

Resetting the Default GPOs
The DCGPOFix.exe command can restore either or both of the Default Domain Policy and the Default Domain Controllers Policy to their default settings. You must be a domain administrator to perform this task.
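An added example, not courseware code, covering the two preceding slides: versioned backups of all GPOs, restoring one, importing a backup into a differently named GPO, and backing up the two default GPOs before resetting one with DCGPOFix.exe. The backup folder C:\GPOBackups and the GPO name "Workstation Baseline" are assumed.

```powershell
# Added example (not courseware code): back up, restore, import and reset GPOs.
# Assumed backup root and GPO names.
Import-Module GroupPolicy
$backupRoot = "C:\GPOBackups"
$runDir     = Join-Path $backupRoot (Get-Date -Format "yyyyMMdd-HHmm")
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

# Every run creates a new backup version of each GPO; write a manifest next to them
# so the backup IDs can be matched to GPO names later.
Backup-GPO -All -Path $runDir -Comment "Scheduled backup" |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $runDir "manifest.csv") -NoTypeInformation

# Restore one GPO from the most recent backup of it in that folder.
Restore-GPO -Name "Workstation Baseline" -Path $runDir | Out-Null

# Import a backup into a different GPO (for example a test copy), creating it if needed.
Import-GPO -BackupGpoName "Workstation Baseline" -TargetName "Workstation Baseline (test)" `
    -Path $runDir -CreateIfNeeded | Out-Null

# Resetting a default GPO discards every customization in it, so back both up first.
Backup-GPO -Name "Default Domain Policy"             -Path $runDir | Out-Null
Backup-GPO -Name "Default Domain Controllers Policy" -Path $runDir | Out-Null

# DCGPOFix needs Domain Admins membership and prompts for confirmation.
# /target:Domain resets the Default Domain Policy, /target:DC the Default Domain
# Controllers Policy, /target:Both resets both.
dcgpofix /target:Domain
```

Because a reset recreates the default password, lockout and Kerberos settings, any hardening that was applied to the Default Domain Policy must be re-imported from the backup or moved into a separate GPO afterwards.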
Delegating Group Policy Management
Delegation enables you to give non-domain administrators permissions to manage group policies. When you grant a person or group permission to create GPOs, they are also granted permission to manage the GPOs they created. To delegate GPO permissions, use the Group Policy Management Console.
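An added example, not courseware code, of the same delegation done with the GroupPolicy and ActiveDirectory modules: GPO creation rights via the Group Policy Creator Owners group, edit rights on one GPO, and an audit of who can edit any GPO in the domain. The groups GPO-Authors and GPO-FinanceEditors and the GPO "Finance Drive Maps" are assumed names; Get-GpoEditors is a function written here.

```powershell
# Added example (not courseware code): delegate GPO creation and editing, then audit
# edit rights across all GPOs. Assumed group and GPO names.
Import-Module GroupPolicy, ActiveDirectory

# Creation rights come from membership in Group Policy Creator Owners; members can
# then manage the GPOs they themselves create.
Add-ADGroupMember -Identity "Group Policy Creator Owners" -Members "GPO-Authors"

# Edit rights on one existing GPO. GpoEdit allows changing settings;
# GpoEditDeleteModifySecurity also allows deleting the GPO and changing its ACL,
# so it should be handed out sparingly.
Set-GPPermission -Name "Finance Drive Maps" -TargetName "GPO-FinanceEditors" -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Note: the right to link GPOs to an OU lives on the OU (GPMC Delegation tab of the
# container), not on the GPO, so it is not covered by Set-GPPermission.

# Audit: every trustee outside the built-in administrative principals that can edit a GPO.
function Get-GpoEditors {
    $builtin = 'Domain Admins', 'Enterprise Admins', 'SYSTEM',
               'ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER'
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' -and
                $builtin -notcontains $_.Trustee.Name -and -not $_.Denied
            } |
            ForEach-Object {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $_.Trustee.Name; Permission = $_.Permission }
            }
    }
}
Get-GpoEditors | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Whoever can edit a GPO linked to the domain or to the Domain Controllers OU can change settings on every machine in that scope, so the audit output deserves the same review as membership in the administrative groups themselves.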
Objective 6.4: Configuring Group Policy Preferences
Group Policy Preferences
Group Policy Preferences (GPP) are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy object (GPO). Examples of the new GPP extensions include Folder Options, Drive Maps, Printers, Scheduled Tasks, Services, and Start Menu.

Configuring Preferences Settings
When you create a GPO with preferences, the preference options are configured much like the Control Panel and Windows Explorer options. When you configure Internet Options, for example, the options look exactly like the Internet Options found in the Windows Control Panel.

Preferences that Support Editing States
- Start Menu settings
- Regional and Language settings
- Internet options
- Folder options
- Power options (including Power Schemes)

Actions for Preferences Settings
Most preference settings include the following actions:
- Create: Create a new preference setting for the user or computer.
- Replace: Delete and re-create a preference setting for the user or computer. The result is that GPP replaces all existing settings and files associated with the preference item.
- Update: Modify an existing preference setting for the user or computer.
- Delete: Remove an existing preference setting for the user or computer.
Configuring Windows Settings
Preference extensions under Windows Settings include:
- Applications extension: Configure settings for applications.
- Drive Maps extension: Create, modify, or delete mapped drives, and configure the visibility of all drives.
- Environment extension: Create, modify, or delete environment variables.
- Files extension: Copy, modify, or delete files, or change the attributes of files.
- Folders extension: Create, modify, or delete folders.

Configuring Windows Settings
Preference extensions under Windows Settings include (continued):
- Ini Files extension: Add, replace, or delete sections or properties in configuration settings (.ini) or setup information (.inf) files.
- Network Shares extension: Create, modify, or unshare shared folders.
- Registry extension: Copy registry settings and apply them to other computers; create, replace, or delete registry settings.
- Shortcuts extension: Create, modify, or delete shortcuts.
Configuring Printer Settings
Just as when adding a printer to Windows, you can add a shared printer, a TCP/IP printer, or a local printer. The Printers preference extension allows you to create, configure, and delete Local Printer, TCP/IP Printer, and Shared Printer preference items.
Configuring Custom Registry Settings
The Registry preference extension allows you to:
- Copy registry settings from one computer to another, and create, replace, or delete an individual registry value.
- Create an empty key, delete a key, or delete all values and subkeys in a key.
- Create collections or folders to organize the Registry preference items.

Configuring Power Options
The Power Options extension allows you to create and configure Power Plan, Power Options, and Power Scheme preference items. Power Options and Power Schemes are used with Windows XP and Windows Vista, and Power Plan is used with Windows Vista and later.
Configuring Internet Explorer Settings
The Internet Settings preference extension allows you to either:
- Configure a specific configuration of Internet settings, or
- Configure an initial configuration of Internet settings but allow end users to make changes.
Item-Level Targeting
Item-level targeting is used to change the scope of individual preference items so that the preference items apply only to selected users or computers.

Targeting Items
- Computer name
- Portable computer
- CPU speed
- RAM
- Date match
- User
- Disk space
- Terminal session
- Domain
- LDAP query
- IP address range
- Time range
- Network connection
- WMI query
- Operating system

Targeting Items
Each targeting item evaluates to either true or false. You can apply multiple targeting items to a preference item and select the logical operation (AND or OR) by which to combine each targeting item with the preceding one. If the combined value is false, the settings in the preference item are not applied to the user or computer.
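An added example, not courseware code, of how targeting items combine. It parses a constructed <Filters> fragment in the shape GPP stores under SYSVOL for a Drive Maps item, evaluates three of the item types (security group, computer name, IP address range) against a made-up user/computer context, and chains the results left to right with each item's AND/OR operator and "not" flag. The clsid is a placeholder, the group, SID, computer names and IP range are constructed, and Test-TargetingItem and Resolve-Targeting are functions written here.

```powershell
# Added example (not courseware code): evaluate item-level targeting the way the
# slide describes it, each item combined with the running result by AND or OR.
# The XML is constructed; the clsid is a placeholder, names/SID/IP range are made up.
[xml]$driveItem = @'
<Drive clsid="{PLACEHOLDER-GUID}" name="S:" status="S:">
  <Properties action="U" path="\\fs01\finance" letter="S" persistent="1" useLetter="1"/>
  <Filters>
    <FilterGroup    bool="AND" not="0" name="CONTOSO\Finance" sid="S-1-5-21-1-2-3-1105" userContext="1"/>
    <FilterComputer bool="AND" not="1" type="NETBIOS" name="KIOSK*"/>
    <FilterIpRange  bool="OR"  not="0" min="10.20.0.1" max="10.20.255.254"/>
  </Filters>
</Drive>
'@

function ConvertTo-IpNumber {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> little-endian uint32
    [BitConverter]::ToUInt32($bytes, 0)
}

# Evaluate one targeting item against a context describing the user and computer.
# Only three item types are handled in this example.
function Test-TargetingItem {
    param([System.Xml.XmlElement]$Item, [hashtable]$Ctx)
    switch ($Item.LocalName) {
        'FilterGroup'    { $Ctx.UserGroups -contains $Item.GetAttribute('name') }
        'FilterComputer' { $Ctx.ComputerName -like $Item.GetAttribute('name') }
        'FilterIpRange'  {
            $ip = ConvertTo-IpNumber $Ctx.IpAddress
            ($ip -ge (ConvertTo-IpNumber $Item.GetAttribute('min'))) -and
            ($ip -le (ConvertTo-IpNumber $Item.GetAttribute('max')))
        }
        default { throw "Targeting item '$($Item.LocalName)' is not handled in this example" }
    }
}

# Combine items left to right: an item's bool (AND/OR) joins it with the result so far,
# its "not" flag inverts the item, and the first item's operator is ignored.
function Resolve-Targeting {
    param([System.Xml.XmlElement]$Filters, [hashtable]$Ctx)
    $result = $null
    foreach ($item in ($Filters.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })) {
        $value = [bool](Test-TargetingItem -Item $item -Ctx $Ctx)
        if ($item.GetAttribute('not') -eq '1') { $value = -not $value }
        if ($null -eq $result) { $result = $value; continue }
        switch ($item.GetAttribute('bool')) {
            'AND'   { $result = $result -and $value }
            'OR'    { $result = $result -or  $value }
            default { throw "Unknown operator '$($item.GetAttribute('bool'))'" }
        }
    }
    [bool]$result
}

$filters = $driveItem.Drive.Filters
# Finance user, ordinary workstation, outside the range: (True AND NOT False) OR False -> True
Resolve-Targeting $filters @{ UserGroups = @('CONTOSO\Finance'); ComputerName = 'WS42';    IpAddress = '10.30.1.5' }
# Non-Finance user on a kiosk inside the range: (False AND NOT True) OR True -> True,
# because the OR joins the item to the running result, not to the group item alone.
Resolve-Targeting $filters @{ UserGroups = @();                 ComputerName = 'KIOSK01'; IpAddress = '10.20.5.5' }
# Non-Finance user, ordinary workstation, outside the range: (False AND True) OR False -> False
Resolve-Targeting $filters @{ UserGroups = @();                 ComputerName = 'WS42';    IpAddress = '10.30.1.5' }
```

The second case is the one that surprises people: an OR item at the end of the list widens the scope to anything matching that item regardless of the earlier conditions. When the intent is "Finance users who are not on kiosks, and additionally only from this subnet", the items need to be grouped in a collection in the targeting editor rather than chained flat.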