6425A_05 Config Group Policy

8/14/2019 6425A_05 Config Group Policy

1/40

Module 5: Creating

and ConfiguringGroup Policy


2/40

Module Overview

Overview of Group Policy

Configuring the Scope of Group Policy Objects

Evaluating the Application of Group Policy Objects

Managing Group Policy Objects

Delegating Administrative Control of Group Policy


3/40

Lesson 1: Overview of Group Policy

What Is Group Policy?

Group Policy Settings

How Group Policy Are Applied

Exceptions to Group Policy Processing

Group Policy Components What Are ADM and ADMX files?

What Is the Central Store?

Demonstration: Configuring Group Policy Objects


4/40

What Is Group Policy?

Use Group Policy to: Apply standard configurations: (e.g.security, windows components)

Deploy software: ( Local user), (user>computer)


5/40


6/40

How Group Policy Is Applied

Computer starts

Computer settingsapplied (apply new setting every 90min)

Startup scripts run

Refresh Interval

Refresh Interval

User logs on

User settings applied

Logon scripts run

Refresh Interval

Refresh Interval

Every 90 minutesEvery 90 minutes

Every 90 minutesEvery 90 minutes


7/40

Exceptions to Group Policy Processing

Additional exceptions (GP cannot be applied):

Windows XP and Windows Vista use cachedcredential for faster logons

Many GPO settings take two logons to takeeffect

Cachedcredentials

=500 kilobits per second (kbps) by default Certain client side extensions are not

processed

Prior to Windows Vista, ICMP is used todetect a slow link

Windows Vista uses Network Location

Awareness

Slow links

Remote access connections: similar to slow link

Moving a user or computer object in AD DS, need to re-start the computer


8/40

Group Policy Components

Group Policy Object

Stored in AD DS Provides version information

Group Policy Container

Stored in shared SYSVOL folder Provides Group Policy settings Supports both ADM and

ADMX templates

Group Policy Template

Contains Group Policy settings

Stores content in two locations


9/40


10/40

What Is the Central Store?

The Central Store:

Is a central repository for ADMX(syntax) and ADML(loading) files

Is stored in SYSVOL

Must be created manually

Is detected automatically by Windows Vista or Windows

Server 2008

Windows Vistaor Windows Server 2008

workstation

Windows Vistaor Windows Server 2008

workstation

ADMX filesADMX files

Domain controllerwith SYSVOL





11/40

Demonstration: Configuring Group Policy Objects

In this demonstration, you will see how to:

Create a GPO

Configure settings


12/40

Lesson 2: Configuring the Scope of GroupPolicy Objects

Group Policy Processing Order

What Are Multiple Local Group Policy Objects?

Options for Modifying Group Policy Processing

Demonstration: Configuring Group Policy Object Links

Demonstration: Configuring Group Policy Inheritance Demonstration: Filtering Group Policy Objects UsingSecurity Groups

Demonstration: Filtering Group Policy Objects UsingWMI Filters

How Does Loopback Processing Work?

Discussion: Configuring the Scope of Group PolicyProcessing


13/40


14/40

What Are Multiple Local Group Policy Objects?

One layer of computer configurations that applies to

all users

Layers apply only to individual users, not to groups

There are three layers of user configurations:

Administrator

Non-Administrator

User-specific


15/40

Options to Modify Group Policy Processing

Five methods to modify GPO default processing: Block inheritance

Enforcement inheritance

Filtering using:

1. Security groups filters or 2. WMI (Windows Mgmt Instrumentation) filters

Write the (Query: namespace: API

Disabling GPOs

Loopback processing:

merge/ replace (computer/ user setting)

D t ti C fi i G P li


16/40

Demonstration: Configuring Group PolicyObject Links


Create and link GPOs to different locations within AD DS

Disable a GPO link

D t ti C fi i G


17/40

Demonstration: Configuring GroupPolicy Inheritance


Block GPO inheritance

Enforce GPO inheritance

D t ti Filt i G P li Obj t


18/40

Demonstration: Filtering Group Policy ObjectsUsing Security Groups

In this demonstration, you will see how to filter theapplication of GPOs using security groups

D t ti Filt i G P li Obj t


19/40

Demonstration: Filtering Group Policy ObjectsUsing WMI Filters

In this demonstration, you will see how to create and assigna WMI filter


20/40

How Does Loopback Processing Work?

Disc ssion Config ing the Scope of G o p Polic


21/40

Discussion: Configuring the Scope of Group PolicyProcessing

Woodgrove Bank Domain TreeWoodgrove Bank Domain Tree

Woodgrove Bank

Head Office

Branches

Servers

Toronto

Winnipeg

SQL Server

ExchangeServer

Toronto site

Winnipeg Head Office

Head Office site

High-speed link

Slow link


22/40

Lesson 3: Evaluating the Application of Group


23/40

Lesson 3: Evaluating the Application of GroupPolicy Objects

What Is Group Policy Reporting?

What Is Group Policy Modeling?

Demonstration: How to Evaluate the Application of GroupPolicy


24/40

What Is Group Policy Reporting?

Group Policy results are provided by the GPMC :

(Group policy manqgement console)

GPResult is a command line utility

Group Policy reporting is a method of planning andtroubleshooting Group Policy


25/40

What Is Group Policy Modeling?

The Group Policy Modeling Wizard simulates:

Site membership

Security group membership WMI filters

Slow links

Loopback processing

The effects of moving user or computer objects to adifferent Active Directory container

The Group Policy Modeling Wizard calculates the simulated net

effect of GPOs

Demonstration: How to Evaluate the Application


26/40

Demonstration: How to Evaluate the Applicationof Group Policy

In this demonstration, you will see how to run each of thetools for reviewing Group Policy application


27/40


28/40

GPO Management Tasks

GPO management tasks:

Back up GPOs

Restore GPOs

Copy GPOs

Import GPOs


29/40

What Is a Starter GPO?

Stores administrative template settings on which the newGPOs will be based

Can be exported to .cab files

Can be imported into other areas of the enterprise

Exported to cab fileExported to cab file

starterGPOstarterGPO.cab file.cab file

Imported to GPMCImported to GPMC

Loadcabinet file

Loadcabinet file


30/40


31/40

Demonstration: Backing up and Restoring GPOs

In this demonstration, you will see how to back up andrestore a GPO


32/40

Demonstration: Importing a GPO


Import a GPO Use a migration table


33/40

Migrating Group Policy Objects

Can be used to convert custom ADM files to ADMX

Is GUI-based, and can be downloaded fromthe Microsoft download site utility

The ADMX Migrator utility:

Lesson 5: Delegating Administrative Control of


34/40

Lesson 5: Delegating Administrative Control ofGroup Policy

Options for Delegating Control of GPOs

Demonstration: How to Delegate Administrative Controlof GPOs


35/40

Options for Delegating Control of GPOs

Methods to delegatecontrol of GPOs

Create GPOsin the

domain

Edit ordelete GPOs

Link GPOs tocontainers

Use reportingtools

Membership in GroupPolicy Creator Ownersgroup or explicitpermission to createGPOs

Assign Edit rights toindividual policies

Delegate the right tolink GPOs to containers

Delegate the right touse Group Policyreporting tools


36/40


37/40

Lab: Creating and Configuring GPOs

Exercise 1: Creating Group Policy Objects

Exercise 2: Managing the Scope of GPO Application

Exercise 3: Verifying GPO Application

Exercise 4: Managing GPOs

Exercise 5: Delegating Administrative Control of GPOs

Estimated time: 75 minutes

Logon information

Virtual machine NYC-DC1, NYC-CL1

User name AdministratorPassword Pa$$w0rd


38/40


39/40

Lab Review

What other method could be used to grant a user the rightto create GPOs in the domain?

If you need to apply a GPO to computers that have certainservices installed, what is the best approach?


40/40

Module Review and Takeaways

Considerations

Review questions

6425A_05 Config Group Policy

Documents

Transcript of 6425A_05 Config Group Policy