Planning a Group Policy Management and Implementation Strategy Lesson 10

Skills Matrix Technology SkillObjective DomainObjective # Introducing the Group Policy Management MMC Snap-In Configure GPO templates4.4

Group Policy Management Console The Group Policy Management MMC snap-in is a tool for managing Windows Server 2008, Windows Server 2003, and Windows 2000 Active Directory domains. The Group Policy Management MMC provides a single access point to all aspects of Group Policy that were previously spread across other tools, such as Active Directory Users and Computers, Active Directory Sites and Services, Resultant Set of Policy (RSoP), and the Group Policy Management Editor. GPMC is natively installed with Windows Server 2008.

Group Policy Management Console Import and copy GPO settings to and from the file system. Backup and restoration of GPOs is available in Group Policy Management. Resultant Set of Policy (RSoP) functionality integration includes Group Policy Modeling and Group Policy Results. Hypertext Markup Language (HTML) reports allow read-only views of GPO settings and RSoP information.

Group Policy Management Console Search for GPOs based on name, permissions, WMI filter, GUID, or policy extensions set in the GPOs. Search for individual settings within a GPO by keyword, and search for only those settings that have been configured.

Group Policy Management Console

Managing an Individual GPO The following features are available when a GPO is selected in the Group Policy Management interface: –Scope –Details –Settings –Delegation

Scope Allows administrators to view the locations to which the policy is linked. In addition, security filtering using permissions and WMI are available for viewing, editing, or creating. When a WMI filter is applied to the policy, it appears in the list with an Open button that allows filter modification. If a WMI filter is not applied to the policy, the button will allow a new filter to be created or linked to the GPO.

Scope

Detail Allows the GPO to be enabled or disabled. It also displays read-only information that includes the owner, GUID, creation date, and last modification date.

Detail

Settings When this tab is activated, an HTML report is generated that allows administrators to view GPO settings that do not have the original default values. Links on the right side of the report allow detailed information to be displayed or hidden. Right-clicking within this view allows administrators to print or save the report.

Settings

Delegation Like the previously discussed Delegation tab for a container object, this tab lists the users and groups that have access to this GPO and the permissions that apply to them. The Advanced button allows access to the Security tab to directly view the GPO’s ACL.

Filtering Group Policy Scope By default, Group Policy settings will apply to all child objects within the domain, site, or OU to which they are linked. In addition, the settings will be inherited down through the Active Directory structure unless policy inheritance has been blocked. Using the Block Policy Inheritance policy setting, you can prevent policy settings from applying to all child objects at the current level and all subordinate levels. Although the Block Policy Inheritance setting is useful in some circumstances, it may be necessary to have a policy apply only when certain conditions exist or only to a certain group of people.

Filtering Group Policy Scope To meet the need for refined control over the application of group policies, two additional filtering methods, discussed in the following sections, can be used. They include the following: –Security Group Filtering. This method uses the GPO’s Security tab to determine user and group account access to the policy. –WMI Filtering. This method uses filters written in the WMI Query Language (WQL), which is similar to structured query language (SQL), to control GPO application.

Filtering Group Policy Scope

Windows Management Instrumentation (WMI) A component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. It allows administrators to create queries based on hardware, software, operating systems, and services. These queries can be used to gather data or to determine where items, such as GPOs, will be applied. WMI filters can be used to control which users or computers will be affected by a GPO based on defined criteria.

Windows Management Instrumentation (WMI)

Resultant Set of Policy (RSoP) The sum of the policies applied to a user or computer after all filters, security group permissions, and inheritance settings, such as Block Policy Inheritance and Enforce, have finished processing. As the application of group policies becomes more complex within your Active Directory structure, it can become difficult to predict what the final policy settings will be when all processing is complete. In addition, it may be difficult to trace the origin of a particular outcome due to policy inheritance, policy links, and permission settings.

Resultant Set of Policy (RSoP) Two modes within RSoP: –Planning mode –Logging mode

Resultant Set of Policy (RSoP) Planning mode –This mode allows administrators to simulate the effect of policy settings prior to implementing them on a computer or user. This mode is beneficial when planning due to growth or changes to your organization. –You can use planning mode to test the effects of changes to group policies on your organization prior to deployment. –You can use planning mode to simulate the results of a slow link on a GPO in addition to simulating the loopback process.

Resultant Set of Policy (RSoP) Logging mode –This mode queries existing policies in the hierarchy that are linked to sites, domains, domain controllers, and OUs. –This mode is useful for documenting and understanding how combined policies are affecting users and computers. The results are returned in an MMC window that can be saved for later reference.

Resultant Set of Policy (RSoP)

Using GPResult Command Although not as easy to read as the Group Policy Results information that can be obtained using GPMC, GPResult is a command-line tool that allows you to create and display an RSoP query from the command line. It provides comprehensive information about the operating system, the user, and the computer.

Summary Application of group policies can be filtered by using Block Policy Inheritance, No Override, permissions, and WMI filters. WMI filters allow administrative control over group policy implementation based on criteria defined in the filter. –After evaluation, all filter criteria must return a value of true for the policy to be applied. –Any criteria that return a value of false after evaluation will prevent the policy from being applied.

Summary Only one WMI filter can be applied to each GPO. GPMC can be used to manage all aspects of Group Policy, including the following: creation, linking, editing, reporting, modeling, backup, restore, copying, importing, and scripting. Determining effective group policies can be accomplished using RSoP, GPMC, or GPResult.

Summary RSoP is an MMC snap-in that has two modes: Planning and Logging. –Planning mode allows administrators to simulate policy settings prior to their deployment. –Logging mode reports on the results of existing policies.

Summary Delegating administrative control of Group Policy management tasks is an important feature when planning a decentralized administrative approach. GPMC is a comprehensive tool that simplifies delegation of all aspects of Group Policy management.