Module 4

Planning for Group Policy

Module Overview

• Planning Group Policy Application

• Planning Group Policy Processing

• Planning the Management of Group Policy Objects

• Planning the Management of Client Computers

Lesson 1: Planning Group Policy Application

• Demonstration: Reviewing and Modifying Group Policy Settings

• Considerations for Group Policy Application

• Group Policy Application Exceptions

• New Group Policy Features in Windows Server 2008

Demonstration: Reviewing and Modifying Group Policy Settings

In this demonstration, you see how to:

• Review and modify Group Policy settings

Considerations for Group Policy Application

Considerations

• Computer settings are processed when the computer starts

• User settings are processed when a user logs on

• Speed up processing by disabling unnecessary parts of a GPO

• GPOs are cached and updated at timed intervals

Group Policy Application Exceptions

The Group Policy application exceptions are:

• Slow link processing

• Cached credentials

• Remote Access connections

• Moved computer or user objects

New Group Policy Features in Windows Server 2008

The Group Policy features are:

• New policies

• Power management settings

• Blocking device installation

• Firewall and IPSec settings

• Internet Explorer settings

• Location-based printing

• Delegation of printer driver installation

• ADMX templates

• Network Location Awareness

Lesson 2: Planning Group Policy Processing

• Considerations for Active Directory Structure

• Considerations for Using Filtering

• Considerations for Modifying Inheritance

• Considerations for Using Loopback Processing

• Demonstration: Modifying Group Policy Processing

Considerations for Active Directory Structure

Site

Domain

OUOUOUOU

OU

GPO2GPO2

GPO3GPO3

GPO4GPO4

GPO5GPO5

GPO1GPO1

Local policyLocal policy

Considerations for Using Filtering

Filtering is applied to a GPO and not links

Security Filtering:

WMI Filtering

• Controls the application of GPOs based on security groups

• Can simplify OU planning

• Controls the application of GPOs based on computer characteristics

• Can be used to control software distribution

Considerations for Modifying Inheritance

Considerations

• Blocking inheritance is not selective, all GPOs are blocked

• Use enforcement to enforce organization-wide standards

• You cannot enforce a filtered GPO

Considerations for Using Loopback Processing

Considerations

• Loopback processing is for special use computers

• Use merge mode to apply additional restrictions

• Use replace mode to apply the same settings to all users

• To provide less restrictive settings, use replace mode

• Use loopback processing to secure Terminal Servers

Demonstration: Modifying Group Policy Processing

In this demonstration, you will see how to:

• Modify Group Policy processing

Lesson 3: Planning the Management of Group Policy Objects

• Considerations for Administering Group Policy Objects

• What Are Starter GPOs?

• Considerations for Reusing or Copying GPOs

• Considerations for Backing Up and Restoring GPOs

• Considerations for Delegating Management of GPOs

• Discussion: Managing Group Policy

Considerations for Administering Group Policy Objects

Considerations

• GPMC can be installed on Windows Vista SP1

• A GPO is stored in Active Directory and SYSVOL

• New GPOs must be replicated to all domain controllers

• ADMX templates reduce GPO size

• Create a central store for ADMX templates

• ADMX templates are easier to extend than ADM templates

• ADMX templates can be used only by Windows Server 2008 and Windows Vista

• Migrate customized ADM templates to ADMX templates by using the ADMX migrator

• Use Group Policy tools for troubleshooting and planning

What Are Starter GPOs?

Starter GPOs are GPO templates that contain administrative templates settings

You can use starter GPOs:

• To standardize GPO creation

• To move GPOs easily between domains

• To distribute customized settings to partners

Considerations for Reusing or Copying GPOs

• A single GPO linked to multiple locations allows for centralized management

• You should carefully control the permission on a GPO that is linked to multiple locations

• It is difficult to synchronize settings between multiple GPOs

• For common settings, use a single GPO linked to multiple locations

• For unique settings, use an individual GPO for an OU

Considerations for Backing Up and Restoring GPOs

• System state backups of a domain controller are difficult to recover GPOs from

• Backup of GPO with GPMC before making changes

• GPO backups can be scheduled with scripts

• Only Read permissions are required to back up a GPO

• Restoring from backup includes filtering information

• Importing settings from backup does not include filtering information

• GPO backups can contain multiple versions

Considerations for Delegating Management of GPOs

• You can use GPMC to delegate permissions for managing GPOs

• Members of Domain Admins and Group Policy Creator Owners group can create GPOs

• Members of Domain Admins, Enterprise Admins, and domain local Administrators can link GPOs in a domain

• Members of Domain Admins and Enterprise Admins can edit GPOs

Discussion: Managing Group Policy

• Who is responsible for managing Group Policy in your organization?

• Does your organization back up GPOs?

• Does your organization have a need to standardize GPOs by using starter policies?

Lesson 4: Planning the Management of Client Computers

• Why Manage Client Computers?

• Methods for Managing Client Computers

• Considerations for Using Group Policy Preferences

• Demonstration: Using Group Policy Preferences

• Considerations for Deploying Software by Using Group Policy

• Considerations for Using Scripts

• Considerations for Using Folder Redirection

Why Manage Client Computers?

Managing client computers saves time and money for the organization by:

• Distributing applications

• Enforcing security settings

• Enforcing application settings

• Standardizing the user environment

Methods for Managing Client Computers

The methods for managing client computers are:

• Group Policy settings

• Group Policy preferences

• Scripts

• Windows Server Update Services

• System Center Configuration Manager

Considerations for Using Group Policy Preferences

• You can use both Group Policy settings and Group Policy preferences

• Preference settings are not enforced and can be modified by the user

• Application of Group Policy preferences is supported for Windows XP with SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server 2008

• Use the Data Sources node to easily add or modify ODBC data sources for applications

• Use the Drive Maps node as an alternative to mapping drive letters by using a logon script

• Use the Start Menu and Shortcuts node to standardize the ways of starting applications

• Use the Internet Settings node to standardize the configuration of Internet Explorer

• Use targeting to determine which users and computers a preference item will apply to

Demonstration: Using Group Policy Preferences

In this demonstration, you see how to:

• Use Group Policy preferences

Considerations for Deploying Software by Using Group Policy

• Assign an application to create a Start Menu shortcut

• Assign an application to a computer to install before use

• Assign an application to a user or publish it to limit disk utilization

• Enable document activation to automatically install the application required to open a document

• Use categories to organize published applications

• Use transform files to customize installation

• Use mandatory upgrades to keep application versions consistent

• Use forced removal to remove applications from computers

Considerations for Using Scripts

Scripts can be written in any scripting language supported by the client computer

Considerations:

• Logon scripts are commonly used for mapping drive letters

• Use Group Policy to implement logon scripts

• Startup and shutdown scripts can be used for computer-specific tasks

• Group Policy scripts should be stored on SYSVOL

Considerations for Using Folder Redirection

• My Documents is not the only folder that can be redirected

• Folder redirection simplifies backup of user data

• Folder redirection reduces the size of user profiles

• Redirect My Documents to a home folder for private storage

• Redirect My Documents to a departmental share for shared storage

• Allow folder permissions to be configured automatically

• Use offline files with folder redirection

Lab: Planning for Group Policy

• Exercise 1: Creating a Group Policy Plan

• Exercise 2: Implementing Group Policy

Estimated time: 60 minutes

Logon information

Virtual machine 6430B-SEA-DC1

User name Adatum\Administrator

Password Pa$$w0rd

Lab Scenario

• Adatum has never implemented Group Policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use Group Policy more effectively for the organization.

• You have been tasked with creating a plan for implementing Group Policy.

Module Review and Takeaways

• Review Questions