Module 5: Creating and Configuring Group Policy

Module Overview
Overview of Group Policy Configuring the Scope of Group Policy Objects

Evaluating the Application of Group Policy Objects

Managing Group Policy Objects Delegating Administrative Control of Group Policy

Lesson 1: Overview of Group Policy

What Is Group Policy? Group Policy Settings

How Group Policy Are Applied

Exceptions to Group Policy Processing Group Policy Components

What Are ADM and ADMX files?

What Is the Central Store? Demonstration: Configuring Group Policy Objects

What Is Group Policy?

Group Policy enables IT administrators to automate one-to-many management of users and computers Use Group Policy to: Apply standard configurations Deploy software Enforce security settings Enforce a consistent desktop environment

Local Group Policy is always in effect for local and domain users and local computer settings

Group Policy Settings

Group Policy settings for users control these settings:

Software Windows Security Desktop Software Windows Security Operating systems

Group Policy settings for computers control these settings:

How Group Policy Is Applied

Computer starts
Refresh Interval

Every 90 minutes

Computer settings applied Startup scripts run

User logs on
Refresh Interval Every 90 minutes

User settings applied Logon scripts run

Exceptions to Group Policy Processing

500 kilobits per second (kbps) by default Certain client side extensions are not

Slow links

processed Prior to Windows Vista, ICMP is used to detect a slow link Windows Vista uses Network Location Awareness

Windows XP and Windows Vista use cached

Cached credentials

credential for faster logons Many GPO settings take two logons to take effect

Additional exceptions:
Remote access connections
Moving a user or computer object in AD DS

Group Policy Components

Group Policy Container

Stored in AD DS Provides version information

Group Policy Object

Group Policy Template

Contains Group Policy settings Stores content in two locations Stored in shared SYSVOL folder Provides Group Policy settings Supports both ADM and ADMX templates

What Are ADM and ADMX Files?

ADM files are: Copied into every GPO in SYSVOL Difficult to customize ADMX files are: Language neutral

Not stored in the GPO

Extensible through XML

What Is the Central Store?

The Central Store: Is a central repository for ADMX and ADML files Is stored in SYSVOL Must be created manually Is detected automatically by Windows Vista or Windows Server 2008

ADMX files

Windows Vista or Windows Server 2008 workstation

Domain controller with SYSVOL

Domain controller with SYSVOL

Demonstration: Configuring Group Policy Objects

In this demonstration, you will see how to:
Create a GPO

Configure settings

Lesson 2: Configuring the Scope of Group Policy Objects

Group Policy Processing Order What Are Multiple Local Group Policy Objects?

Options for Modifying Group Policy Processing

Demonstration: Configuring Group Policy Object Links Demonstration: Configuring Group Policy Inheritance

Demonstration: Filtering Group Policy Objects Using

Security Groups WMI Filters

Demonstration: Filtering Group Policy Objects Using How Does Loopback Processing Work? Discussion: Configuring the Scope of Group Policy

Processing

Group Policy Processing Order

GPO1
Local group

GPO2 Site GPO3 GPO4 Domain GPO5 OU

OU

OU

What Are Multiple Local Group Policy Objects?

One layer of computer configurations that applies to all users Layers apply only to individual users, not to groups There are three layers of user configurations: Administrator Non-Administrator User-specific

Options for Modifying Group Policy Processing

Five methods to modify GPO default processing:
Block inheritance
Enforcement Filtering using security groups or WMI filters Disabling GPOs Loopback processing

Demonstration: Configuring Group Policy Object Links

In this demonstration, you will see how to:

Create and link GPOs to different locations within AD DS

Disable a GPO link

Demonstration: Configuring Group Policy Inheritance

In this demonstration, you will see how to:

Block GPO inheritance

Enforce GPO inheritance

Demonstration: Filtering Group Policy Objects Using Security Groups

In this demonstration, you will see how to filter the application of GPOs using security groups

Demonstration: Filtering Group Policy Objects Using WMI Filters

In this demonstration, you will see how to create and assign a WMI filter

How Does Loopback Processing Work?

Discussion: Configuring the Scope of Group Policy Processing

Woodgrove Bank Domain Tree Woodgrove Bank

Head Office site

Head Office

Winnipeg

Slow link

Head Office

Branches
Toronto

High-speed link

Winnipeg

Toronto site

Servers
SQL Server

Exchange Server

Lesson 3: Evaluating the Application of Group Policy Objects

What Is Group Policy Reporting? What Is Group Policy Modeling?

Demonstration: How to Evaluate the Application of Group

Policy

What Is Group Policy Reporting?

Group Policy reporting is a method of planning and troubleshooting Group Policy

Group Policy results are provided by the GPMC

GPResult is a command line utility

What Is Group Policy Modeling?

The Group Policy Modeling Wizard calculates the simulated net effect of GPOs

The Group Policy Modeling Wizard simulates:

Site membership Security group membership WMI filters Slow links

Loopback processing
The effects of moving user or computer objects to a different Active Directory container

Demonstration: How to Evaluate the Application of Group Policy

In this demonstration, you will see how to run each of the tools for reviewing Group Policy application

Lesson 4: Managing Group Policy Objects

GPO Management Tasks What Is a Starter GPO?

Demonstration: How to Copy a GPO

Demonstration: Backing up and Restoring GPOs Demonstration: Importing a GPO

Migrating Group Policy Objects

GPO Management Tasks

GPO management tasks:
Back up GPOs Restore GPOs

Copy GPOs
Import GPOs

What Is a Starter GPO?

Stores administrative template settings on which the new

GPOs will be based

Can be exported to .cab files Can be imported into other areas of the enterprise

Exported to cab file

Imported to GPMC

starterGPO

.cab file

Load cabinet file

Demonstration: How to Copy a GPO

In this demonstration, you will see how to copy a GPO

Demonstration: Backing up and Restoring GPOs

In this demonstration, you will see how to back up and restore a GPO

Demonstration: Importing a GPO

In this demonstration, you will see how to:

Import a GPO

Use a migration table

Migrating Group Policy Objects

The ADMX Migrator utility: Can be used to convert custom ADM files to ADMX Is GUI-based, and can be downloaded from the Microsoft download site utility

Lesson 5: Delegating Administrative Control of Group Policy

Options for Delegating Control of GPOs Demonstration: How to Delegate Administrative Control

of GPOs

Options for Delegating Control of GPOs

Create Methods to delegate GPOs in control of GPOs the domain Membership in Group Policy Creator Owners group or explicit permission to create GPOs Assign Edit rights to individual policies Delegate the right to link GPOs to containers Delegate the right to use Group Policy reporting tools Edit or delete GPOs Link GPOs to containers Use reporting tools

Demonstration: How to Delegate Administrative Control of GPOs

In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for Group Policy

Lab: Creating and Configuring GPOs

Exercise 1: Creating Group Policy Objects Exercise 2: Managing the Scope of GPO Application

Exercise 3: Verifying GPO Application

Exercise 4: Managing GPOs Exercise 5: Delegating Administrative Control of GPOs

Logon information

Virtual machine User name Password

NYC-DC1, NYC-CL1

Administrator Pa$$w0rd

Estimated time: 75 minutes

Lab Review
What other method could be used to grant a user the right

to create GPOs in the domain?

If you need to apply a GPO to computers that have certain

services installed, what is the best approach?

Module Review and Takeaways

Considerations Review questions