CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Agenda
Chapter 7: Introduction to Group Policy
Quiz
Exercise

Group Policy
Group Policy is a method of controlling settings across your network
▫Consists of user and computer settings on all versions from Windows 2000
Linking is the process that applies GPO settings to various containers (domains, sites and OUs) within Active Directory
▫Link multiple GPOs to a single container
▫Link one GPO to multiple containers

Group Policy (Cont.)
The following managed settings can be defined or changed through Group Policies:
▫Registry-based policies
  Modify the Windows Registry (desktop settings, environment variables)
▫Software installation policies
  Ensure that users always have the latest versions of applications
▫Folder redirection
▫Offline file storage

Group Policy (Cont.)
The following managed settings can be defined or changed through Group Policies:
▫Scripts
  Including logon, logoff, startup, and shutdown scripts
▫Windows Deployment Services (WDS)
▫Microsoft Internet Explorer (IE) settings
  Provide quick links and bookmarks for user accessibility, and browser options such as proxy use, acceptance of cookies, and caching options
▫Security settings
  Protect resources on computers in the enterprise

Security group filtering
Allows you to apply GPO settings to only one or more users or groups within a container by selectively granting permission to one or more users or security groups

Group Policy Objects (GPOs)
Local GPOs
▫Stored on the local computer in the %systemroot%\System32\GroupPolicy folder.
▫Local GPOs contain fewer options.
▫Do not support folder redirection or Group Policy software installation.
▫The local GPO is overwritten by the nonlocal (AD-based) GPO when the two conflict.
Domain GPOs
Starter GPOs
▫GPO templates within AD

Group Policy Objects (Cont.)
Nonlocal GPOs are linked to sites, domains, or OUs.
GPOs are stored in two places:
▫Group Policy container (GPC): an Active Directory object that stores the properties of the GPO.
▫Group Policy template (GPT): a folder, located in the Policies subfolder of the SYSVOL share, that stores policy settings such as security settings and script files.

Default Group Policies
When Active Directory is installed, two domain GPOs are created by default.
▫Default Domain Policy
  It is linked to the domain, and its settings affect all users and computers in the domain.
▫Default Domain Controllers Policy
  It is linked to the Domain Controllers OU, and its settings affect all domain controllers in the domain.

Group Policy Management Console
Microsoft Management Console (MMC) snap-in
▫The GPMC was not pre-installed in Windows Server 2003; it needed to be downloaded manually from the Microsoft Web site.
▫The GPMC is included in Windows Server 2008 by default.
When you configure a GPO, you use the Group Policy Management Editor, which can be accessed through the GPMC or through Active Directory Users and Computers.

Group Policy Settings
Configuring Group Policy settings enables you to customize the configuration of a user's desktop, environment, and security settings.
The actual settings are divided into two subcategories:
▫Computer Configuration
▫User Configuration

Group Policy Settings (Cont.)
The Computer Configuration and the User Configuration nodes contain three subnodes:
▫Software Settings
  Used to apply all the software settings regardless of the computer
▫Windows Settings
  Used to define security settings and scripts
▫Administrative Templates

GPO Inheritance
You link a GPO to a domain, site, or OU, or create and link a GPO to one of these containers in a single step.
The settings within that GPO apply to all child objects within the container.

Group Policy Processing (LSDOU)
Local policies
Site policies
Domain policies
OU policies
Any conflicting GPO settings are overwritten by the later running GPO

Understanding Group Policy Processing
The computer obtains a list of GPOs during startup.
Computer configuration settings are applied synchronously during computer startup, before the Logon dialog box is presented to the user.
Any startup scripts set to run during computer startup are processed.
Then the user is prompted to press Ctrl+Alt+Del to log on.

Understanding Group Policy Processing (Cont.)
The user profile is loaded based on the Group Policy settings.
A list of GPOs specific to the user is obtained from the domain controller.
▫User Configuration settings also are processed in the LSDOU sequence.
After the user policies run, any logon scripts run.
The user's desktop appears after all policies and scripts have been processed.

Configuring Exceptions to GPO Processing
Enforce
▫Forces a particular GPO's settings to flow down through Active Directory without being blocked by any child OUs.
Block Policy Inheritance
▫Configuring this setting on a container object such as a site, domain, or OU will block all policies from parent containers.
Loopback Processing
▫Alternative method of obtaining the ordered list of GPOs to be processed for the user.
▫When set to Enabled, this setting has two options: Merge and Replace.

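The rules from the LSDOU, security group filtering and exceptions slides, modelled together as an added example (not part of the original slides and not Windows' own implementation). All GPO names, groups and settings are constructed; loopback processing is not modelled, and links within one container are simply taken in list order.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    apply_to: frozenset = frozenset()   # empty = no security group filter

@dataclass
class Container:                        # a site, domain or OU
    name: str
    links: list = field(default_factory=list)   # (GPO, enforced) in processing order
    block_inheritance: bool = False

def processing_order(chain):
    """chain runs site -> domain -> parent OU -> child OU (the S-D-OU of LSDOU)."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # A block set on any container further down hides this container's links.
        blocked = any(c.block_inheritance for c in chain[depth + 1:])
        for gpo, is_enforced in container.links:
            if is_enforced:
                enforced.append(gpo)    # Enforce ignores Block Policy Inheritance
            elif not blocked:
                normal.append(gpo)
    # Enforced GPOs run last so nothing below can overwrite them;
    # reversing makes the highest-level enforced GPO the final winner.
    return normal + enforced[::-1]

def resultant_settings(local_gpo, chain, member_of):
    result, winner = {}, {}
    for gpo in [local_gpo] + processing_order(chain):   # the local GPO always runs first
        if gpo.apply_to and not (gpo.apply_to & member_of):
            continue                    # security group filtering: no permission, no apply
        for key, value in gpo.settings.items():
            result[key], winner[key] = value, gpo.name  # later GPO overwrites earlier
    return result, winner

# Constructed sample data; every name and setting below is hypothetical.
LOCAL = GPO("Local", {"screensaver_timeout": 900})
SITE = Container("Site: HQ", [(GPO("Site-Proxy", {"proxy": "proxy.hq.example"}), False)])
DOMAIN = Container("Domain: corp.example", [
    (GPO("Baseline-Security", {"usb_storage": "deny"}), True),      # enforced link
    (GPO("Domain-Desktop", {"wallpaper": "corp.bmp"}), False)])
LABS = Container("OU: Labs", [
    (GPO("Labs-Desktop", {"wallpaper": "lab.bmp", "screensaver_timeout": 300}), False),
    (GPO("Labs-Admins", {"usb_storage": "allow"}, frozenset({"LabAdmins"})), False)],
    block_inheritance=True)
CHAIN = [SITE, DOMAIN, LABS]

if __name__ == "__main__":
    settings, source = resultant_settings(LOCAL, CHAIN, frozenset({"LabAdmins"}))
    for key in sorted(settings):
        print(f"{key:20} = {settings[key]!s:10} (from {source[key]})")
```

Even for a member of the filtered LabAdmins group, the enforced domain GPO decides `usb_storage`, while the non-enforced site and domain GPOs never reach the Labs OU because inheritance is blocked there.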
GPUpdate Command
If you make changes to a group policy, users may not see the changes take effect until:
▫They log off and log back in.
▫They reboot the computer.
▫They wait 90 minutes (+/- 30 minutes) for stand-alone servers/workstations and 2 minutes for domain controllers.
To manually push group policies, use the gpupdate command:
  gpupdate /force

Assignment
Matching
▫1-10
Multiple Choice
▫1-10
Online Lab 7