Published by Clinton Hopkins. Modified over 9 years ago.
1
Section 4: Understanding the Architecture of Group Policy Processing
- Group Policy Components in AD DS
- Understanding the Group Policy Processing Sequence
- Modifying Group Policy Processing
Managing Windows Environments with Group Policy
2
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
- Describe the Active Directory components that you can use to deploy Group Policy
- Explain the order in which Group Policy is deployed in Active Directory
- Describe the methods that are available to modify Group Policy processing
3
Group Policy Components in AD DS
The following AD DS components are an important part of Group Policy:
- Sysvol Folder
- PDC Emulator
- Group Policy Container
- Group Policy Template
- GPO Versioning
- File Replication Services
- DFS-R
4
Sysvol Folder
The Sysvol folder is where GPOs and their corresponding support files are stored.
5
PDC Emulator
The PDC emulator is the domain controller that GPOs are created on before they are replicated to other domain controllers.
6
Group Policy Container
Using ADSI Edit, we can see the Group Policy Container inside the AD database.
7
Group Policy Template
The GPT is the folder inside Sysvol that actually stores the policy settings.
8
GPO Versioning
Following are some guidelines about GPO versioning:
- Every time a change is made to a GPO, the version number in an INI file called Gpt.ini is incremented.
- For computer changes to a GPO, the version number increments by 1.
- A user change to a GPO increments by 65536.
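The increments above mean the single version number packs two counters: user changes in the high 16 bits and computer changes in the low 16 bits. The following PowerShell is an added example, not part of the original presentation; it decodes the number and compares the Gpt.ini copy in Sysvol with the version number held on the Group Policy Container. The function names, the Gpt.ini text and both version values are constructed for illustration.

```powershell
# Added example. The Gpt.ini text and the GPC number below are constructed sample values.
function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    # User changes add 65536 each, so they occupy the high 16 bits;
    # computer changes add 1 each, so they occupy the low 16 bits.
    [pscustomobject]@{
        Raw      = $Version
        User     = [int]($Version -shr 16)
        Computer = [int]($Version -band 0xFFFF)
    }
}

function Compare-GpoVersion {
    param(
        [Parameter(Mandatory)][string]$GptIniText,  # contents of Gpt.ini from the GPT in Sysvol
        [Parameter(Mandatory)][uint32]$GpcVersion   # version number stored on the GPC in AD
    )
    if (-not ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$')) {
        throw 'No Version= line found in the Gpt.ini text.'
    }
    $gpt = ConvertFrom-GpoVersion -Version ([uint32]$Matches[1])
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersion
    [pscustomobject]@{
        GptUser     = $gpt.User
        GptComputer = $gpt.Computer
        GpcUser     = $gpc.User
        GpcComputer = $gpc.Computer
        # Sysvol and AD replicate separately, so the two copies can disagree for a while.
        InSync      = ($gpt.Raw -eq $gpc.Raw)
    }
}

# Constructed sample: Sysvol copy at 3 user / 5 computer changes, AD copy one computer change ahead.
$sampleGptIni = @'
[General]
Version=196613
'@
Compare-GpoVersion -GptIniText $sampleGptIni -GpcVersion 196614
```

A mismatch that persists on a domain controller is worth investigating as a Sysvol replication problem or an out-of-band edit to the GPT files.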
9
FRS Replication
The File Replication Service replicates the Sysvol directory structure separately from Active Directory replication.
Note: FRS is not utilized in a new Windows Server 2012 Domain installation. DFS-R is now the default.
10
DFS-R
- DFS-R can be used to replicate the Sysvol structure instead of FRS.
- DFS-R is a delta-based replication model that only replicates changes inside the files being replicated.
- To convert from FRS to DFS-R for Sysvol replication, follow the steps in the TechNet reference below:
  http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx
- New installations of a Windows Server 2012 Domain will already have DFS-R replication enabled.
11
Understanding the Group Policy Processing Sequence
Group Policy is processed from the top down: Local, Site, Domain, OU.
The last policy applied wins.
12
Modifying Group Policy Processing
- Using Group Policy Inheritance
- Using Block Inheritance and Enforce options
- Using Security Filtering
- Implementing WMI Filters
- Changing the GPO Link Order
- Using Loopback Processing
13
Using Group Policy Inheritance
Group Policy inheritance allows you to apply corporate standards and customized settings for different groups of users. Guidelines for Group Policy inheritance include:
- Define a corporate standard GPO containing settings that apply to a top-level OU.
- Typically, GPOs are assigned to the OU structure instead of the domain or site, so child OUs can be used to control which settings are applied.
14
Using the Block Inheritance and Enforce Options
- Most policies are set per OU.
- A good OU structure makes policies easier to apply.
- The Group Policy Enforce option prevents policies from being reversed at a lower level.
- The Group Policy Block Inheritance option prevents higher-level policies from being inherited.
- The Enforce option always wins.
15
Using Security Filtering
By default, a GPO affects all users and computers contained in the linked site, domain, or OU. However, you can use security filtering on a GPO to modify its effects.
- You can modify the permissions on the GPO to apply only to a specific user or to the members of a security group.
- Using a security group filter on a GPO applied to an OU, you can control who should not have the settings applied.
- You can use security filtering to exempt administrators from GPO processing.
16
Implementing WMI Filters
- Using the WBEMTest Tool
- The WBEMTest Query Result Dialog Box
- Using PowerShell to Explore WMI
- Creating a WMI Filter
17
Using the WBEMTest Tool
Use the WBEMTest tool to become familiar with the WMI structure.
18
WBEMTest Query Result Dialog Box
Viewing the instances exposes the properties within WMI.
19
Using PowerShell to Explore WMI (1)
PowerShell can also be used to explore the WMI repository.
20
Using PowerShell to Explore WMI (2)
Use PowerShell to enumerate the items in a WMI class.
21
Using PowerShell to Explore WMI (3)
Use PowerShell to test a WQL query for Group Policy.
This query returns results for Version 6.2.9200 and ProductType “2”, which is Windows Server 2012.
22
Creating a WMI Filter
This WMI filter returns only Windows 8 computers.
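The queries shown on the WMI slides did not survive in this transcript, so the following PowerShell is an added example, not the presenter's own code. It tests candidate WQL queries on the local machine before they go into a WMI filter, treating a filter as satisfied only when every query returns at least one instance. The function names are hypothetical, the first query is built from the Version and ProductType values quoted on the slide, and the Windows 8 query is an assumption.

```powershell
# Added example: run candidate WMI-filter queries against the local machine.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Query = $Query; Satisfied = ($hits.Count -gt 0); Error = $null }
    } catch {
        # A malformed query or an unknown class is reported here instead of passing silently.
        [pscustomobject]@{ Query = $Query; Satisfied = $false; Error = $_.Exception.Message }
    }
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string[]]$Queries)
    $results = @($Queries | ForEach-Object { Test-WmiFilterQuery -Query $_ })
    [pscustomobject]@{
        # The filter passes only if no query came back empty or failed.
        Applies = (@($results | Where-Object { -not $_.Satisfied }).Count -eq 0)
        Details = $results
    }
}

# Win32_OperatingSystem.ProductType values: 1 = workstation, 2 = domain controller, 3 = server.
# Query built from the values quoted on the slide (Version 6.2.9200, ProductType "2").
$serverQuery = 'SELECT * FROM Win32_OperatingSystem WHERE Version = "6.2.9200" AND ProductType = "2"'
# Assumed query for a Windows 8 filter: same 6.2 version family, workstation product type.
$win8Query   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = "1"'

(Test-WmiFilter -Queries $serverQuery).Details
(Test-WmiFilter -Queries $win8Query).Applies
```

Checking the Error column before deploying a filter catches typos in class or property names that would otherwise leave a security GPO unapplied on the machines it was meant for.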
23
Changing the GPO Link Order
- The link order in a policy at a specific level determines the order in which policies are processed.
- The policy with the lowest link order number will be processed last.
- Settings in the policy with the lowest link order number take precedence.
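The processing sequence, Block Inheritance, Enforce and link order rules from the preceding slides combine into one application order. The following PowerShell is an added example, not part of the original presentation, that computes that order for a single computer from constructed sample data. The function name, container names and GPO names are hypothetical; security filtering, WMI filters and loopback are not modelled, and the local policy is assumed to be unaffected by Block Inheritance.

```powershell
# Added example. Container names, GPO names and flags are constructed sample data.
# Index 0 of the chain is the local policy; the rest run from site down to the OU.
$chain = @(
    @{ Name = 'Local';  Block = $false; Links = @(@{ Gpo = 'Local Policy'; Order = 1; Enforced = $false }) }
    @{ Name = 'Site';   Block = $false; Links = @(@{ Gpo = 'Site Proxy'; Order = 1; Enforced = $false }) }
    @{ Name = 'Domain'; Block = $false; Links = @(
        @{ Gpo = 'Corp Baseline'; Order = 1; Enforced = $true }
        @{ Gpo = 'Default Domain Policy'; Order = 2; Enforced = $false }) }
    @{ Name = 'OU';     Block = $true;  Links = @(
        @{ Gpo = 'Workstation Lockdown'; Order = 1; Enforced = $false }
        @{ Gpo = 'Kiosk Prefs'; Order = 2; Enforced = $false }) }
)

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][object[]]$Chain)
    # Flatten every link and remember how deep its container sits in the chain.
    $links = for ($d = 0; $d -lt $Chain.Count; $d++) {
        foreach ($l in $Chain[$d].Links) {
            [pscustomobject]@{ Gpo = $l.Gpo; Level = $Chain[$d].Name; Depth = $d
                               Order = $l.Order; Enforced = [bool]$l.Enforced }
        }
    }
    # Deepest container with Block Inheritance: non-enforced links above it are dropped.
    $blockDepth = -1
    for ($d = 0; $d -lt $Chain.Count; $d++) { if ($Chain[$d].Block) { $blockDepth = $d } }
    # Normal links: top down; within a container the lowest link order number goes last.
    $normal = $links |
        Where-Object { -not $_.Enforced -and ($_.Depth -ge $blockDepth -or $_.Depth -eq 0) } |
        Sort-Object @{ Expression = 'Depth' }, @{ Expression = 'Order'; Descending = $true }
    # Enforced links: applied after everything else, highest container last so it wins.
    $enforced = $links | Where-Object Enforced |
        Sort-Object @{ Expression = 'Depth'; Descending = $true }, @{ Expression = 'Order'; Descending = $true }
    @($normal) + @($enforced)
}

$order = Get-GpoApplyOrder -Chain $chain
$order | Select-Object Gpo, Level, Enforced
"Last applied (wins on conflict): $($order[-1].Gpo)"
```

With the sample data the enforced domain GPO is applied last even though the OU blocks inheritance, which is why security baselines are usually the links that get Enforce.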
24
Using Loopback Processing
The User Group Policy loopback processing mode retains the User Configuration settings based upon the OU that the computer is in and not the user. This option can be very useful in environments such as classrooms, public kiosks, and reception areas.
25
Summary
Group Policy is based on the following components:
- Sysvol folder: A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.
- PDC emulator: A single domain controller per domain is assigned the role of a PDC emulator. This role is automatically assigned to the first domain controller in an Active Directory domain.
26
Summary (cont.)
- Group Policy Container: Stores the policy setting information for a GPO. It stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.
- Group Policy template: Stores the files that are created by the GPO in the Sysvol folder on the PDC emulator for each domain. It stores computer and user scripts, the GPO template files, and the Registry.pol files.
27
Summary (cont.)
Group Policy is deployed in the following order:
1. Local Group Policy settings
2. Site policies
3. Domain policies
4. OU policies
28
Summary (cont.)
The methods to modify Group Policy processing are:
- Block Inheritance and Enforce Options: The Block Inheritance attribute prevents higher-level policies from being applied to lower levels. Applied at higher levels of the policy architecture, the Enforce option ensures that certain policies cannot be overridden or blocked. This option is applied to an individual GPO.
- Security Filtering: Sets the ACLs to prevent or allow policies from applying to specific users or groups.
29
Summary (cont.)
- WMI Filters: Consist of a collection of one or more queries (conditions) written in WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.
- GPO Link Order: Controls the order in which GPOs are applied within each domain, site, and OU.
- Loopback Processing: Configures the user policy settings based on the computer location that the users log on to.
30
Knowledge Check
1. Which Active Directory component does the following text describe?
   A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.
   Answer: Sysvol folder
31
Knowledge Check (cont.)
2. What is the Group Policy deployment order?
   Answer: Local, Site, Domain, OU
32
Knowledge Check (cont.)
3. Match each method used to modify Group Policy processing with its correct description.
   Methods:
   - GPO Link Order
   - Security Filtering
   - WMI Filters
   - Block Inheritance Option
   - Loopback Processing
   Descriptions:
   A. It prevents higher-level policies from being applied to lower levels.
   B. Controls the order in which GPOs are applied within each domain, site, or OU.
   C. Configures the user policy settings based on the computer location that the users log on to.
   D. Consist of a collection of one or more queries (conditions) written in WQL.
   E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.
   Answers (in the order the methods are listed): B, E, D, A, C