Planning a Group Policy Management and Implementation Strategy Lesson 10.
Module 4 Planning for Group Policy. Module Overview Planning Group Policy Application Planning Group...
-
Upload
debra-cook -
Category
Documents
-
view
255 -
download
2
Transcript of Module 4 Planning for Group Policy. Module Overview Planning Group Policy Application Planning Group...
Module Overview
• Planning Group Policy Application
• Planning Group Policy Processing
• Planning the Management of Group Policy Objects
• Planning the Management of Client Computers
Lesson 1: Planning Group Policy Application
• Demonstration: Reviewing and Modifying Group Policy Settings
• Considerations for Group Policy Application
• Group Policy Application Exceptions
• New Group Policy Features in Windows Server 2008
Demonstration: Reviewing and Modifying Group Policy Settings
In this demonstration, you see how to:
• Review and modify Group Policy settings
Considerations for Group Policy Application
Considerations
• Computer settings are processed when the computer starts
• User settings are processed when a user logs on
• Speed up processing by disabling unnecessary parts of a GPO
• GPOs are cached and updated at timed intervals
Group Policy Application Exceptions
The Group Policy application exceptions are:
• Slow link processing
• Cached credentials
• Remote Access connections
• Moved computer or user objects
New Group Policy Features in Windows Server 2008
The Group Policy features are:
• New policies
• Power management settings
• Blocking device installation
• Firewall and IPSec settings
• Internet Explorer settings
• Location-based printing
• Delegation of printer driver installation
• ADMX templates
• Network Location Awareness
Lesson 2: Planning Group Policy Processing
• Considerations for Active Directory Structure
• Considerations for Using Filtering
• Considerations for Modifying Inheritance
• Considerations for Using Loopback Processing
• Demonstration: Modifying Group Policy Processing
Considerations for Active Directory Structure
Site
Domain
OUOUOUOU
OU
GPO2GPO2
GPO3GPO3
GPO4GPO4
GPO5GPO5
GPO1GPO1
Local policyLocal policy
Considerations for Using Filtering
Filtering is applied to a GPO and not links
Security Filtering:
WMI Filtering
• Controls the application of GPOs based on security groups
• Can simplify OU planning
• Controls the application of GPOs based on computer characteristics
• Can be used to control software distribution
Considerations for Modifying Inheritance
Considerations
• Blocking inheritance is not selective, all GPOs are blocked
• Use enforcement to enforce organization-wide standards
• You cannot enforce a filtered GPO
Considerations for Using Loopback Processing
Considerations
• Loopback processing is for special use computers
• Use merge mode to apply additional restrictions
• Use replace mode to apply the same settings to all users
• To provide less restrictive settings, use replace mode
• Use loopback processing to secure Terminal Servers
Demonstration: Modifying Group Policy Processing
In this demonstration, you will see how to:
• Modify Group Policy processing
Lesson 3: Planning the Management of Group Policy Objects
• Considerations for Administering Group Policy Objects
• What Are Starter GPOs?
• Considerations for Reusing or Copying GPOs
• Considerations for Backing Up and Restoring GPOs
• Considerations for Delegating Management of GPOs
• Discussion: Managing Group Policy
Considerations for Administering Group Policy Objects
Considerations
• GPMC can be installed on Windows Vista SP1
• A GPO is stored in Active Directory and SYSVOL
• New GPOs must be replicated to all domain controllers
• ADMX templates reduce GPO size
• Create a central store for ADMX templates
• ADMX templates are easier to extend than ADM templates
• ADMX templates can be used only by Windows Server 2008 and Windows Vista
• Migrate customized ADM templates to ADMX templates by using the ADMX migrator
• Use Group Policy tools for troubleshooting and planning
What Are Starter GPOs?
Starter GPOs are GPO templates that contain administrative templates settings
You can use starter GPOs:
• To standardize GPO creation
• To move GPOs easily between domains
• To distribute customized settings to partners
Considerations for Reusing or Copying GPOs
• A single GPO linked to multiple locations allows for centralized management
• You should carefully control the permission on a GPO that is linked to multiple locations
• It is difficult to synchronize settings between multiple GPOs
• For common settings, use a single GPO linked to multiple locations
• For unique settings, use an individual GPO for an OU
Considerations for Backing Up and Restoring GPOs
• System state backups of a domain controller are difficult to recover GPOs from
• Backup of GPO with GPMC before making changes
• GPO backups can be scheduled with scripts
• Only Read permissions are required to back up a GPO
• Restoring from backup includes filtering information
• Importing settings from backup does not include filtering information
• GPO backups can contain multiple versions
Considerations for Delegating Management of GPOs
• You can use GPMC to delegate permissions for managing GPOs
• Members of Domain Admins and Group Policy Creator Owners group can create GPOs
• Members of Domain Admins, Enterprise Admins, and domain local Administrators can link GPOs in a domain
• Members of Domain Admins and Enterprise Admins can edit GPOs
Discussion: Managing Group Policy
• Who is responsible for managing Group Policy in your organization?
• Does your organization back up GPOs?
• Does your organization have a need to standardize GPOs by using starter policies?
Lesson 4: Planning the Management of Client Computers
• Why Manage Client Computers?
• Methods for Managing Client Computers
• Considerations for Using Group Policy Preferences
• Demonstration: Using Group Policy Preferences
• Considerations for Deploying Software by Using Group Policy
• Considerations for Using Scripts
• Considerations for Using Folder Redirection
Why Manage Client Computers?
Managing client computers saves time and money for the organization by:
• Distributing applications
• Enforcing security settings
• Enforcing application settings
• Standardizing the user environment
Methods for Managing Client Computers
The methods for managing client computers are:
• Group Policy settings
• Group Policy preferences
• Scripts
• Windows Server Update Services
• System Center Configuration Manager
Considerations for Using Group Policy Preferences
• You can use both Group Policy settings and Group Policy preferences
• Preference settings are not enforced and can be modified by the user
• Application of Group Policy preferences is supported for Windows XP with SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server 2008
• Use the Data Sources node to easily add or modify ODBC data sources for applications
• Use the Drive Maps node as an alternative to mapping drive letters by using a logon script
• Use the Start Menu and Shortcuts node to standardize the ways of starting applications
• Use the Internet Settings node to standardize the configuration of Internet Explorer
• Use targeting to determine which users and computers a preference item will apply to
Demonstration: Using Group Policy Preferences
In this demonstration, you see how to:
• Use Group Policy preferences
Considerations for Deploying Software by Using Group Policy
• Assign an application to create a Start Menu shortcut
• Assign an application to a computer to install before use
• Assign an application to a user or publish it to limit disk utilization
• Enable document activation to automatically install the application required to open a document
• Use categories to organize published applications
• Use transform files to customize installation
• Use mandatory upgrades to keep application versions consistent
• Use forced removal to remove applications from computers
Considerations for Using Scripts
Scripts can be written in any scripting language supported by the client computer
Considerations:
• Logon scripts are commonly used for mapping drive letters
• Use Group Policy to implement logon scripts
• Startup and shutdown scripts can be used for computer-specific tasks
• Group Policy scripts should be stored on SYSVOL
Considerations for Using Folder Redirection
• My Documents is not the only folder that can be redirected
• Folder redirection simplifies backup of user data
• Folder redirection reduces the size of user profiles
• Redirect My Documents to a home folder for private storage
• Redirect My Documents to a departmental share for shared storage
• Allow folder permissions to be configured automatically
• Use offline files with folder redirection
Lab: Planning for Group Policy
• Exercise 1: Creating a Group Policy Plan
• Exercise 2: Implementing Group Policy
Estimated time: 60 minutes
Logon information
Virtual machine 6430B-SEA-DC1
User name Adatum\Administrator
Password Pa$$w0rd
Lab Scenario
• Adatum has never implemented Group Policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use Group Policy more effectively for the organization.
• You have been tasked with creating a plan for implementing Group Policy.