07/06/13

Module 6: Implementing a Group Policy Infrastructure

Module6:ImplementingaGroupPolicyInfrastructure
Contents: Lesson1: Lesson2: LabA: Lesson3: LabB: Lesson4: Lesson5: LabC: UnderstandGroupPolicy ImplementGPOs ImplementGroupPolicy ManageGroupPolicyScope ManageGroupPolicyScope GroupPolicyProcessing TroubleshootPolicyApplication TroubleshootPolicyApplication

Module Overview

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

1/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

InModule1,youlearnedthatActiveDirectoryDomainServices(ADDS)provides thefoundationalservicesofanidentityandaccesssolutionforenterprisenetworks runningWindows,andthatADDSalsosupportsthemanagementand configurationofeventhelargest,mostcomplexnetworks.InModules2through5, youlearnedhowtoadministerADDSsecurityprincipals:users,groups,and computers.Now,youwillexaminethemanagementandconfigurationofusersand computersbyusingGroupPolicy.GroupPolicyprovidesaninfrastructurewithinwhich settingscanbedefinedcentrallyanddeployedtousersandcomputersinthe enterprise. InanenvironmentmanagedbyawellimplementedGroupPolicyinfrastructure,little ornoconfigurationneedstobemadebydirectlytouchingadesktop.Theentire
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 2/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

configurationisdefined,enforced,andupdatedbyusingthesettingsinGroupPolicy objects(GPOs)thataffectaportionoftheenterpriseasbroadasanentiresiteora domain,orasnarrowasasingleorganizationalunit(OU)oragroup.Inthismodule, youwilllearnwhatGroupPolicyis,howitworks,andhowbesttoimplementitin yourorganization.SeveralsubsequentmoduleswillapplyGroupPolicytospecific managementtaskssuchassecurityconfiguration,softwaredeployment,password policy,andauditing.

Objectives
Aftercompletingthismodule,youwillbeableto: DescribethecomponentsandtechnologiesthatcomprisetheGroupPolicy framework. ImplementGPOs. Configureandunderstandavarietyofpolicysettingtypes. UnderstandandconfigureGroupPolicypreferences. ScopeGPOsbyusinglinks,securitygroups,WindowsManagement Instrumentationfilters,loopbackprocessing,andpreferencetargeting. DescribehowGPOsareprocessed. LocatetheeventlogscontainingGroupPolicyrelatedeventsandtroubleshoot GroupPolicyapplication.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 3/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Lesson 1: Understand Group Policy

AGroupPolicyinfrastructurehasseveralmovingparts.Youneedtounderstandnot onlywhateachpartdoes,butalsohowtheyworktogetherandwhyyoumightwant toassembletheminvariousconfigurations.Inthislesson,youwillgeta comprehensiveoverviewofGroupPolicy:itscomponents,itsfunctions,anditsinner workings.

Objectives
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 4/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Aftercompletingthislesson,youwillbeableto: Identifythebusinessdriversforconfigurationmanagement. UnderstandthecorecomponentsandterminologyofGroupPolicy. ExplainthefundamentalsofGroupPolicyprocessing.

What Is Configuration Management?

Ifyouhaveonlyonecomputerinyourenvironmentathome,forexampleandyou needtomodifythedesktopbackground,thereareseveralwaystodothat.Most
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 5/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

peoplewouldprobablyopenPersonalizationfromControlPanelandmakethechange byusingtheWindowsinterface.Thatworkswellforoneuser,butmaybecome tediousifyouwanttomakethechangeacrossmultipleusers.Say,forexample,that youwantthesamebackgroundforyourselfandyourfamily.Youhavetomakethe changemultipletimes,andthenifyoueverchangeyourmindandwanttochange thebackgroundyetagain,youhavetoreturntoeachuser'sprofileandmakethe change.Implementingthechangeandmaintainingaconsistentenvironmentbecomes evenmoredifficultacrossmultiplecomputers. Configurationmanagementisacentralizedapproachtoapplyingoneormorechanges tooneormoreusersorcomputers.Ifyourememberthat,everythingelsewillbe easiertounderstand.Thekeyelementsofconfigurationmanagementare: Acentralizeddefinitionofachange,whichisknownasasetting.Thesettingbrings auseroracomputertoadesiredstateofconfiguration. Adefinitionoftheuser(s)orcomputer(s)towhomthechangeapplies,whichis knownasthescopeofthechange. Amechanismorprocessthatensuresthatthesettingisappliedtousersand computerswithinthescope,whichisknownastheapplication.

GroupPolicyisaframeworkwithinWindowswithcomponentsthatresideinActive Directory,ondomaincontrollers,andoneachWindowsserverandclientthat
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 6/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

enablesyoutomanageconfigurationinanADDSdomain.Asweturnourattention toGroupPolicy,whichcanbecomeverycomplex,alwaysrememberthateverything boilsdown,intheend,tojustthesefewbasicelementsofconfiguration management.

Overview of Policies

ThemostgranularcomponentoftheGroupPolicyisanindividualpolicysetting,also knownsimplyasapolicythatdefinesaspecificconfigurationchangetoapply.For example,apolicysettingexiststhatpreventsauserfromaccessingregistryediting tools.Ifyoudefinethatpolicysettingandapplyittotheuser,theuserwillbeunable toruntoolssuchasRegedit.exe.Anotherpolicysettingisavailablethatyoucanuse

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 7/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

torenamethelocalAdministratoraccount.Youcanusethispolicysettingtorename theAdministratoraccountonalluserdesktopsandlaptops. Thesetwoexamplesillustrateanimportantpoint:thatsomepolicysettingsaffecta user,regardlessofthecomputertowhichtheuserlogson,andotherpolicysettings affectacomputer,regardlessofwhichuserlogsontothatcomputer.Policysettings suchasthesettingthatpreventsaccesstoregistryeditingtoolsareoftenreferredto asuserconfigurationsettingsorusersettings.Policysettingssuchastheonethat disablestheAdministratoraccountandsimilarsettingsareoftenreferredtoas computerconfigurationsettingsorcomputersettings.Youwillalsohearthese referredtoasuserpoliciesandcomputerpolicies.Theterminologyusedinthe industryisnotexact. TherearevariouspolicysettingsthatcanbemanagedbyGroupPolicy,andthe frameworkisextensible.So,intheend,youcouldmanagejustaboutanythingwith GroupPolicy. Todefineapolicysetting,doubleclickit. ThepolicysettingPropertiesdialogboxappears. Apolicysettingcanhavethreestates:NotConfigured,Enabled,andDisabled. InanewGPO,everypolicysettingissettoNotConfigured.Thismeansthatthe
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 8/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GPOwillnotmodifytheexistingconfigurationofthatparticularsettingforauseror computer.Ifyouenableordisableapolicysetting,achangewillbemadetothe configurationofusersandcomputerstowhichtheGPOisapplied. Theeffectofthechangedependsonthepolicysetting.Forexample,ifyouenable thePreventAccessToRegistryEditingToolspolicysetting,userswillbeunable tolaunchtheRegedit.exeRegistryEditor.Ifyoudisablethepolicysetting,youensure thatuserscanlaunchtheRegistryEditor.Noticethedoublenegativeinthispolicy setting:Youdisableapolicythatpreventsanaction,soyouallowtheaction. Somepolicysettingsbundleseveralconfigurationsintoonepolicyandmightrequire additionalparameters.Inthescreenshotabove,youcanseethatbyenablingthe policytorestrictregistryeditingtools,youcanalsodefinewhetherregistryfilescan bemergedintothesystemsilentlybyusingregedit/s. NoteManypolicysettingsarecomplex,andtheeffectofenablingordisabling themmightnotbeimmediatelyclear.Also,somepolicysettingsaffectonly certainversionsofWindows.

BesuretoreviewapolicysettingsexplanatorytextintheGroupPolicyManagement Editor(GPME)detailpaneorontheExplaintabinthepolicysettingsProperties dialogbox.Inaddition,alwaystesttheeffectsofapolicysettinganditsinteractions withotherpolicy

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 9/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

settingsbeforedeployingachangeintheproductionenvironment. YouwillexplorepolicysettingsandhowtomanagetheminLesson3.

Benefits of Using Group Policy

GroupPoliciesareaverypowerfuladministrativetool.Youcanusethemtoenforce varioustypesofsettingstoalargenumberofusersandcomputers.Becausetheycan beappliedtovariouslevelsfromlocaltodomain,youcanalsofocusthesesettings veryprecisely. Primarily,youcanuseGroupPoliciestoconfiguresettingsthatyoudonotwantusers

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 10/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

toconfigure.Also,GroupPoliciesareusuallyusedtostandardizedesktop environmentsonallthecomputersinanorganizationalunitorwholeorganization. YoualsocanuseGroupPoliciestoprovideadditionalsecurityandsomeadvanced systemsettings. MostoftenGroupPoliciesareusedforfollowingpurposes.

Apply Security Settings

InWindowsServer2008R2,GPOsincludealargenumberofsecurityrelatedsettings thatyoucanapplytobothusersandcomputers.Forexample,youcanenforce settingsforWindowsFirewallandconfigureAuditing,EncryptingFileSystem(EFS) policiesandothersecuritysettings.Youcanalsoconfigurefullsetofuserrights assignments.

Manage Desktop and Application Settings

YoucanuseaGroupPolicytoprovideaconsistentdesktopandapplication environmenttoallusersinyourorganizationUsingGPOs,itispossibletoconfigure eachsettingthataffectsthelookandfeelofuserenvironmentandalsotoconfigure settingsforsomeapplicationsthatsupportGPOs.

Deploy Software
GroupPoliciescanalsobeusedtodeploysoftwareforusersorcomputers.All softwarethatisprovidedinthe.msiformatcanbedeployedbyusingGroupPolicy.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 11/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Youcanenforceautomaticsoftwareinstallationoryoucanletyourusersdecideif theywantthesoftwaretobedeployedtotheirmachinesornot.

Manage Folder Redirection

WithFolderRedirection,youcaneasilymanageandbackupdata.Byredirecting folders,youcanensurethatusershaveaccesstotheirdataregardlessofthe computerthattheyusetologon.Also,youcancentralizeallusersdatatooneplace onthenetworkserver,whilestillprovidingtheuseranexperiencesimilartostoring thesefoldersontheircomputers.

Configure Network Settings.

UsingGroupPolicies,youcanconfigurevariousnetworksettingsonclientcomputers. Forexample,youcanenforcesettingsforwirelessnetworkstoallowuserstoconnect onlytospecificSSIDsandwithpredefinedauthenticationandencryptionsettings. Youcanalsodeploypoliciesthatapplytowirednetworksettingsaswellasconfigure clientsideofservicessuchasNetworkAccessProtection

Group Policy Objects

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

12/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

PolicysettingsaredefinedandexistwithinaGPO.AGPOisanobjectthatcontains oneormorepolicysettingsandtherebyappliesoneormoreconfigurationsettings forauseroracomputer. GPOscanbemanagedinActiveDirectorybyusingtheGroupPolicyManagement console(GPMC),shownhere:

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

13/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GPOsaredisplayedinacontainernamedGroupPolicyObjects. TocreateanewGPOinadomain,rightclicktheGroupPolicyObjectscontainer, andthenclickNew.TomodifytheconfigurationsettingsinaGPO,rightclickthe GPO,andthenclickEdit. TheGPOopensintheGPMEsnapin,formerlyknownastheGroupPolicyObject Editor(GPOEditor),shownhere:

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

14/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TheGPMEdisplaysthethousandsofpolicysettingsavailableinaGPOinan organizedhierarchythatbeginswiththedivisionbetweencomputersettingsanduser settings,theComputerConfigurationnodeandtheUserConfigurationnode.The nextlevelsofthehierarchyaretwonodescalledPoliciesandPreferences.Youwill learnaboutthedifferencebetweenthesetwonodesasthislessonprogresses.Drilling deeperintothehierarchy,youwillseethattheGPMEdisplaysfolders,whicharealso callednodesorpolicysettinggroups.Withinthefoldersarethepolicysettings themselves.ThePreventAccessToRegistryEditingToolsoptionisselectedinthe screenshotshownhere. TheGPOmustbeappliedtodomain,site,orOUintheADDShierarchyforthe settingswithintheobjecttotakeeffect.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 15/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

YouwilllearnhowtoimplementandmanageGPOsinLesson2.

GPO Scope

ConfigurationisdefinedbypolicysettingsinGPOs.However,theconfiguration changesinaGPOdonotaffectcomputersorusersinyourenterpriseuntilyouhave specifiedthecomputersoruserstowhichtheGPOapplies.Thisiscalledscopinga GPO.ThescopeofaGPOisthecollectionofusersandcomputersthatwillapplythe settingsintheGPO. YoucanuseseveralmethodstomanagethescopeofGPOs.ThefirstistheGPOlink. GPOscanbelinkedtosites,domains,andOUsinActiveDirectory.Thesite,domain,

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 16/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

orOUthenbecomesthemaximumscopeoftheGPO.Allcomputersanduserswithin thesite,domain,orOU,includingthoseinchildOUs,willbeaffectedbythe configurationsspecifiedbythepolicysettingsintheGPO.AsingleGPOcanbelinked tomorethanonesiteorOU. YoucanfurthernarrowthescopeoftheGPOwithoneoftwotypesoffilters:security filtersthatspecifyglobalsecuritygroupstowhichtheGPOshouldorshouldnot apply,andWindowsManagementInstrumentation(WMI)filtersthatspecifyascope byusingcharacteristicsofasystem,suchasoperatingsystemversionorfreedisk space.UsesecurityfiltersandWMIfilterstonarroworspecifythescopewithinthe initialscopecreatedbytheGPOlink. WindowsServer2008introducedanewcomponentofGroupPolicy:GroupPolicy Preferences.SettingsthatareconfiguredbyGroupPolicyPreferenceswithinaGPO canbefilteredortargetedbasedonseveralcriteria.Targetedpreferencesallowyouto furtherrefinethescopeofPreferenceswithinasingleGPO.

Group Policy Client and Client-Side Extensions

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

17/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Howexactlyarethepolicysettingsapplied?WhenGroupPolicyrefreshbegins,a servicerunningonallWindowssystems,whichiscalledtheGroupPolicyClientin WindowsVista,Windows7,WindowsServer2008,andWindowsServer2008R2, determineswhichGPOsapplytothecomputeroruser.Thisservicedownloadsany GPOsthatarenotalreadycached.Then,aseriesofprocessescalledclientside extensions(CSEs)interpretthesettingsinaGPOandmakeappropriatechangesto thelocalcomputerortothecurrentlyloggedonuser.ThereareCSEsforeachmajor categoryofpolicysetting.Forexample,thereisasecurityCSEthatappliessecurity changes,aCSEthatexecutesstartupandlogonscripts,aCSEthatinstallssoftware, andaCSEthatmakeschangestoregistrykeysandvalues.EachversionofWindows hasaddedCSEstoextendthefunctionalreachofGroupPolicy.Thereareseveral dozenCSEsnowinWindows.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 18/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

OneofthemoreimportantconceptstorememberaboutGroupPolicyisthatitis reallyclientdriven.TheGroupPolicyclientpullstheGPOsfromthedomain, triggeringtheCSEstoapplysettingslocally.GroupPolicyisnotapushtechnology. Infact,thebehaviorofCSEscanbeconfiguredbyusingGroupPolicy.MostCSEswill applysettingsinaGPOonlyifthatGPOhaschanged.Thisbehaviorimprovesoverall policyprocessingbyeliminatingredundantapplicationsofthesamesettings.Most policiesareappliedinsuchawaythatstandarduserscannotchangethesettingon theirsystemtheywillalwaysbesubjecttotheconfigurationenforcedbyGroup Policy.However,somesettingscanbechangedbystandardusers,andmanycanbe changedifauserisanadministratoronthatsystem.Ifusersinyourenvironmentare administratorsontheircomputers,considerconfiguringCSEstoreapplypolicy settingseveniftheGPOhasnotchanged.Thatway,ifanadministrativeuser changesaconfigurationsothatitisnolongercompliantwithpolicy,theconfiguration willberesettoitscompliantstateatthenextGroupPolicyrefresh. NoteYoucanconfigureCSEstoreapplypolicysettings,eveniftheGPOhas notchanged,atbackgroundrefresh.Todoso,configureaGPOscopedto computersanddefinethesettingsintheComputer Configuration\Policies\AdministrativeTemplates\System\GroupPolicynode. ForeachCSEyouwanttoconfigure,openitspolicyprocessingpolicysetting, suchasRegistryPolicyProcessingfortheRegistryCSE.ClickEnabledand selecttheProcesseveniftheGroupPolicyobjectshavenotchangedcheck box.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

19/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Animportantexceptiontothedefaultpolicyprocessingsettingsissettingsmanaged bythesecurityCSE.Securitysettingsarereappliedevery16hoursevenifaGPOhas notchanged. NoteEnabletheAlwaysWaitForNetworkAtStartupAndLogonpolicysetting forallWindowsclients.Withoutthissetting,bydefault,WindowsXP,Windows Vista,andWindows7clientsperformonlybackgroundrefreshesaclient mightstartup,andausermightlogonwithoutreceivingthelatestpolicies fromthedomain.ThesettingislocatedinComputer Configuration\Policies\AdministrativeTemplates\System\Logon.Besureto readthepolicysettingsexplanatorytext.Thecontoso.comdomainusedin thiscoursehasbeenpreconfiguredwiththisadditionalGroupPolicysetting.

Group Policy Refresh

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

20/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Whenarepoliciesapplied?PolicysettingsintheComputerConfigurationnodeare appliedatsystemstartupandevery90120minutesthereafter.UserConfiguration policysettingsareappliedatlogonandevery90120minutesthereafter.The applicationofpoliciesiscalledGroupPolicyrefresh. YoucanalsoforceapolicyrefreshbyusingtheGPUpdatecommand. YouwilllearnmoreaboutGroupPolicyrefreshinLesson6.

Review the Components of Group Policy

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 21/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Asdiscussedinprevioustopics,themostimportantcomponentstotakecareofwhen dealingwithGroupPoliciesare: Setting.ThisrepresentsaspecificsettingthatisconfigurableineachGroupPolicy object.InWindowsServer2008R2,therealmost3,000differentsettings.Group PolicysettingsprovidethemeaningandpurposeofGroupPolicy.Settingscanbe enabledordisabled,butbydefault,theyareNotConfigured.Theeffectofenabling ordisablingasettingcansometimesbecomplextoevaluate,sobesuretoread theexplanatorytextandtestallsettingsbeforedeployingtheminproduction. Scope.AfterGroupPolicysettingsareconfigured,youmustdecidewheretoapply theGPO.Thisisdefinedbyscope.AGPOcanbelinkedtoasite,domain,orOU.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 22/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Withinthelinkscope,aGPOcanbefilteredwithsecuritygroupsorWMIfilters. Application.WhenplanningGroupPolicyapplication,youmustbeawareofrefresh intervalsforvarioustypesofcomputers.Computersettingsareappliedatstartup andevery90120minutesthereafter.Usersettingsareappliedatlogonandevery 90120minutesthereafter. Tools.ThereareseveraltoolsformanagingGPOs.GPOsaremanagedthroughthe GroupPolicyManagementconsole.PolicysettingswithinaGPOareconfiguredby usingtheGPME.GPUpdateallowsyoutomanuallytriggerGroupPolicyrefresh. RSoPtoolsallowyoutoevaluateandmodelthesettingsthatwereappliedby GroupPolicy.

Demonstration: Exploring Group Policy Settings

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

23/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GroupPolicysettings,alsoknownaspolicies,arecontainedinaGPOandareviewed andmodifiedbyusingtheGPME.Inthisdemonstration,youwilllookmorecloselyat thecategoriesofsettingsavailableinaGPO.

Computer Configuration and User Configuration

Therearetwomajordivisionsofpolicysettings:computersettings,containedinthe ComputerConfigurationnode,andusersettings,containedintheUserConfiguration node. TheComputerConfigurationnodecontainsthesettingsthatareappliedto computers,regardlessofwhologsontothem.Computersettingsareappliedwhen
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 24/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

theoperatingsystemstartsandduringbackgroundrefreshandevery90120 minutesthereafter. TheUserConfigurationnodecontainssettingsthatareappliedwhenauserlogson tothecomputerandduringbackgroundrefreshandevery90120minutes thereafter.

WithintheComputerConfigurationandUserConfigurationnodesarethePoliciesand Preferencesnodes.Policiesaresettingsthatareconfiguredandbehavesimilarlyto thepolicysettingsintheearlierversionsofWindows.Preferencesareintroducedin WindowsServer2008.Thefollowingsectionsexaminethesenodes. WithinthePoliciesnodeswithinComputerConfigurationandUserConfigurationarea hierarchyoffolderscontainingpolicysettings.Becausetherearethousandsof settings,itisbeyondthescopeoftheexamandofthiscoursetoexamineindividual settings.Itisworthwhile,however,todefinethebroadcategoriesofsettingsinthe folders.

Software Settings Node

TheSoftwareSettingsnodeisthefirstnode.ItcontainsonlytheSoftware Installationextension.Thisextensionhelpsyouspecifyhowapplicationsareinstalled andmaintainedwithinyourorganization.Itprovidesaplaceforindependentsoftware vendorstoaddsettings.SoftwaredeploymentwithGroupPolicyisdiscussedin
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 25/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Module7.

Windows Settings Node

InbothComputerConfigurationandUserConfigurationnodes,thePoliciesnode containsaWindowsSettingsnode,whichincludestheScripts,SecuritySettings,and PolicyBasedQoSnodes. TheScriptsextensionenablesyoutospecifytwotypesofscripts,startup/shutdown (intheComputerConfigurationnode),andlogon/logoff(intheUserConfiguration node).Startup/shutdownscriptsrunatcomputerstartuporshutdown.Logon/logoff scriptsrunwhenauserlogsonoroff.Whenyouassignmultiplelogon/logoffor startup/shutdownscriptstoauserorcomputer,theScriptsCSEexecutesthescripts fromtoptobottom.Youcandeterminetheorderofexecutionformultiplescriptsin thePropertiesdialogbox.Whenacomputerisshutdown,theCSEfirstprocesses logoffscripts,followedbyshutdownscripts.Bydefault,thetimeoutvaluefor processingscriptsis10minutes.Ifthelogoffandshutdownscriptsrequiremorethan 10minutestoprocess,youmustadjustthetimeoutvaluewithapolicysetting.You canuseanyActiveXscriptinglanguagetowritescripts.Somepossibilitiesinclude MicrosoftVisualBasicScriptingEdition(VBScript),MicrosoftJScript,Perl,and MicrosoftMSDOSstylebatchfiles(.batand.cmd).Logonscriptsonashared networkdirectoryinanotherforestaresupportedfornetworklogonacrossforests.

Security Settings Node

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 26/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TheSecuritySettingsnodeallowsasecurityadministratortoconfiguresecurityby usingGPOs.Thiscanbedoneafter,orinsteadof,usingasecuritytemplatetoset systemsecurity.ForadetaileddiscussionofsystemsecurityandtheSecuritySettings node,refertoModule7.

Policy-Based QoS Node

ThePolicyBasedQoSnodedefinespoliciesthatmanagenetworktraffic.Forexample, youmightwanttoensurethatusersintheFinancedepartmenthavepriorityfor runningacriticalnetworkapplicationduringtheendofyearfinancialreportingperiod. ThePolicyBasedQoSnodeenablesyoutodothat. IntheUserConfigurationnodeonly,theWindowsSettingsfoldercontainsthe additionalRemoteInstallationServices,FolderRedirection,andInternetExplorer Maintenancenodes.RemoteInstallationServices(RIS)policiescontrolthebehaviorof aremoteoperatingsysteminstallation.FolderRedirectionenablesyoutoredirectuser dataandsettingsfolderssuchasAppData,Desktop,Documents,Pictures,Music,and Favoritesfromtheirdefaultuserprofilelocationtoanalternatelocationonthe network,wheretheycanbecentrallymanaged.InternetExplorerMaintenanceenables youtoadministerandcustomizeMicrosoftInternetExplorer.

Administrative Templates Node

IntheComputerConfigurationandUserConfigurationnodes,theAdministrative TemplatesnodecontainsregistrybasedGroupPolicysettings.TheAdministrative
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 27/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Templatesnodeisdiscussedindetaillaterinthismodule. Therearethousandsofsuchsettingsavailableforconfiguringtheuserandcomputer environment.Asanadministrator,youmightspendasignificantamountoftime manipulatingthesesettings.Toassistyouwiththesettings,adescriptionofeach policysettingisavailableintwolocations: OntheExplaintabinthePropertiesdialogboxforthesetting.Inaddition,the SettingstabinthePropertiesdialogboxforeachsettingalsoliststherequired operatingsystemorsoftwareforthesetting. OntheExtendedtaboftheGPME.TheExtendedtabappearsonthelowerright ofthedetailspaneandprovidesadescriptionofeachselectedsettinginacolumn betweentheconsoletreeandthesettingspane.Therequiredoperatingsystemor softwareforeachsettingisalsolisted.

Lesson 2: Implement GPOs

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

28/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

NowthatyouhaveabroadunderstandingofGroupPolicyanditscomponents,you canlookcloselyateachcomponent.Inthissection,youwillexamineGPOsindetail.

Objectives
Aftercompletingthislesson,youwillbeableto: Create,edit,andlinkGPOs. IdentifychangeandconfigurationmanagementcapabilitiesofGroupPolicy. Configurepolicysettings.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

29/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ExplainGPOstorage,replication,andversioning.

Local GPOs

Tomanageconfigurationforusersandcomputers,youcreateGPOsthatcontainthe policysettingsyourequire.EachcomputerhasseveralGPOsstoredlocallyonthe system,knownasthelocalGPOs,andcanbewithinthescopeofanynumberof domainbasedGPOs. ComputersthatrunWindows2000Server,WindowsXP,andWindowsServer2003 haveonelocalGPOeach,whichcanmanagethatsystemsconfiguration.Thelocal

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 30/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GPOexistswhetherornotthecomputerispartofadomain,aworkgroup,oranon networkedenvironment.Itisstoredin%SystemRoot%\System3\GroupPolicy.The policiesinthelocalGPOaffectonlythecomputeronwhichtheGPOisstored.By default,onlytheSecuritySettingspoliciesareconfiguredonasystemslocalGPO.All otherpoliciesaresetatNotConfigured. WhenacomputerdoesnotbelongtoanActiveDirectorydomain,thelocalpolicyis usefultoconfigureandenforceconfigurationonthatcomputer.However,inanActive Directorydomain,settingsinGPOsthatarelinkedtothesite,domain,orOUswill overridelocalGPOsettingsandareeasiertomanagethanGPOsonindividual computers. WindowsVista,Windows7,WindowsServer2008,andlatersystemshavemultiple localGPOs.TheLocalComputerGPOisthesameastheGPOinthepreviousversions ofWindows.IntheComputerConfigurationnode,youcanconfigureallcomputer relatedsettings.IntheUserConfigurationnode,youcanconfiguresettingsyouwant toapplytoallusersonthecomputer.TheusersettingsintheLocalComputerGPO canbemodifiedbytheusersettingsintwonewlocalGPOs:AdministratorsandNon Administrators.ThesetwoGPOsapplyusersettingstologgedonusersaccordingto whethertheyaremembersofthelocalAdministratorsgroupinwhichcasetheywould usetheAdministratorsGPOornotmembersoftheAdministratorsgroup(andusethe NonAdministratorsGPO).YoucanfurtherrefinetheusersettingswithalocalGPO thatappliestoaspecificuseraccount.UserspecificlocalGPOsareassociatedwith local,notdomain,useraccounts.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 31/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

RSoPiseasyforcomputersettings:TheLocalComputerGPOistheonlylocalGPO thatcanapplycomputersettings.UsersettingsinauserspecificGPOoverride conflictingsettingsintheAdministratorsandNonAdministratorsGPOs,which themselvesoverridesettingsintheLocalComputerGPO.Theconceptissimplethe morespecificthelocalGPO,thehighertheprecedenceofitssettings. TocreateandeditlocalGPOs: 1. ClicktheStartbuttonandintheStartSearchbox,typemmc.exe,andthen pressEnter. AnemptyMicrosoftManagementconsole(MMC)opens. 2. 3. ClickFile,andthenclickAdd/RemoveSnapin. SelecttheGroupPolicyObjectEditoroption,andthenclickAdd. Adialogboxappears,promptingyoutoselecttheGPOtoedit. 4. TheLocalComputerGPOisselectedbydefault.Ifyouwanttoeditanother localGPO,clicktheBrowsebutton.OntheUserstab,youwillfindtheNon AdministratorsandAdministratorsGPOsandoneGPOforeachlocaluser. SelecttheGPOandclickOK. 5. ClickFinish,andthenclickOKtocloseeachofthedialogboxes.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

32/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TheGroupPolicyObjectEditorsnapinisaddedandfocusedontheselectedGPO. Question:Ifdomainmemberscanbecentrallymanagedbyusingdomain linkedGPOs,inwhichscenarioscanyouuselocalGPOs?

Domain-Based GPOs

DomainbasedGPOsarecreatedinActiveDirectoryandstoredondomaincontrollers. Theyareusedtomanageconfigurationcentrallyforusersandcomputersinthe domain.TheremainderofthiscoursereferstodomainbasedGPOsratherthanlocal GPOs,unlessotherwisespecified.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

33/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

WhenADDSisinstalled,twodefaultGPOsarecreated:DefaultDomainControllers PolicyandDefaultDomainPolicy.

Default Domain Policy

ThisGPOislinkedtothedomainandhasnosecuritygrouporWMIfilters.Therefore, itaffectsallusersandcomputersinthedomain,includingcomputersthataredomain controllers.ThisGPOcontainspolicysettingsthatspecifypassword,accountlockout, andKerberospolicies.InModule10,youwilllearnhowtomodifythedefaultsettings inthisGPOtoalignwithyourenterprisepasswordandaccountlockoutpolicies.You shouldnotaddunrelatedpolicysettingstothisGPO.Ifyouneedtoconfigureother settingstoapplybroadlyinyourdomain,createadditionalGPOslinkedtothe domain.

Default Domain Controllers Policy

ThisGPOislinkedtotheOUofthedomaincontrollers.Becausecomputeraccounts fordomaincontrollersarekeptexclusivelyintheDomainControllersOU,andother computeraccountsshouldbekeptinotherOUs,thisGPOaffectsonlydomain controllers.TheDefaultDomainControllersGPOshouldbemodifiedtoimplement yourauditingpolicies,asyouwillseeinModules8through10.Itshouldalsobe modifiedtoassignuserrightsrequiredondomaincontrollers.

Demonstration: Create, Link, and Edit GPOs

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 34/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TocreateaGPO,rightclicktheGroupPolicyObjectscontainer,andthenclick New. YoumusthavepermissiontotheGroupPolicyObjectscontainertocreateaGPO.By default,theDomainAdminsgroupandtheGroupPolicyCreatorOwnersgroupare delegatedtheabilitytocreateGPOs. TodelegatepermissiontocreateGPOstoothergroups,selecttheGroupPolicy ObjectscontainerintheGPMCconsoletreeandthenclicktheDelegationtabinthe consoledetailspane.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

35/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

AfteryouhavecreatedaGPO,youcancreatetheinitialscopeoftheGPObylinking ittoasite,domain,orOU. TolinkaGPO,rightclickthesite,domain,orOU,andthenclickLinkAnExisting GPO. YoucanalsocreateandlinkaGPOwithasinglestep:rightclickasite,domain,or OU,andthenclickCreateAGPOInThisDomainAndLinkItHere. NotethatyouwillnotseeyoursitesintheSitesnodeoftheGPMCuntilyouright clickSites,clickShowSites,andthenselectthesitesyouwanttomanage. YoumusthavepermissiontolinkGPOstoasite,domain,orOU.IntheGPMC,select thecontainerintheconsoletree,andthenclicktheDelegationtabintheconsole detailspane.FromthePermissiondropdownlist,clickLinkGPOs.Theusersand groupsdisplayedholdthepermissionfortheselectedOU.ClicktheAddorRemove buttonstomodifythedelegation. ToeditaGPO,rightclicktheGPOintheGroupPolicyObjectscontainerandclick Edit. TheGPOisopenedintheGPME.YoumusthaveatleasttheReadpermissiontoopen theGPOinthisway.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

36/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TomakechangestoaGPO,youmusthavetheWritepermissiontotheGPO. PermissionsfortheGPOcanbesetbyselectingtheGPOintheGroupPolicyObjects containerandthenclickingtheDelegationtabinthedetailspane. TheGPMEwilldisplaythenameoftheGPOastherootnode.TheGPMEalso displaysthedomaininwhichtheGPOisdefinedandtheserverfromwhichtheGPO wasopenedandtowhichchangeswillbesaved.TherootnodeisintheGPOName [ServerName]format.InthescreenshotoftheGPMEonanearlierpageinthis module,therootnodeisCONTOSOStandards[SERVER01.contoso.com]Policy.The GPOnameisCONTOSOStandards,anditwasopenedfromSERVER01.contoso.com, meaningthattheGPOisdefinedinthecontoso.comdomain. Bydefault,boththeGPMCandtheGPMEconsoleconnecttoaspecificdomain controllerinyourenvironmentwiththedomaincontrolleractingasthePDCEmulator. Inalatermodule,youwilllearntoidentifyandmanagewhichdomaincontrollerhas thisrole. ThisisdonetoreducethepossibilitythatasingleGPOmightbechangedontwo differentdomaincontrollers,atwhichpointduringreplicationtherewouldbenoway toreconcilethechanges,andonlyoneversionoftheentireGPOwouldprevailandbe replicated.Focusingtheadministrativetoolsononedomaincontrollerhelpsensure thatchangesaremadeinoneplace. However,inalarge,distributedenvironment,thePDCEmulatormaybeinadistant
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 37/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

site,resultinginslowperformancefortheGPMCs.Youcanrightclicktherootnode ofeachconsoleandconnecttoaspecificdomaincontrollerclosertoyou.Justbe cognizantofthereplicationissue:IfyouaretheonlyonewhoiseditingaGPO,itis perfectlyacceptableforyoutodosoonalocal,higherperformingdomaincontroller.

Demonstration Steps
CreateaGPO. OpenaGPOforediting. LinkaGPO. DelegatethemanagementofGPOs. DeletetheGPO. DiscussthedefaultconnectiontoPDCemulator.

GPO Storage

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

38/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GroupPolicysettingsarepresentedasGPOsinActiveDirectoryuserinterfacetools, butaGPOisactuallytwocomponents:aGroupPolicyContainer(GPC)andaGroup PolicyTemplate(GPT). TheGPCisanActiveDirectoryobjectstoredintheGroupPolicyObjectscontainer withinthedomainnamingcontextofthedirectory.LikeallActiveDirectoryobjects, eachGPCincludesagloballyuniqueidentifier(GUID)attributethatuniquelyidentifies theobjectwithinActiveDirectory.TheGPCdefinesbasicattributesoftheGPO,butit doesnotcontainanyofthesettings.ThesettingsarecontainedintheGPTa collectionoffilesstoredintheSYSVOLofeachdomaincontrollerinthe %SystemRoot%\SYSVOL\Domain\Policies\GPOGUIDpath,whereGPOGUIDisthe GUIDoftheGPC.WhenyoumakechangestothesettingsofaGPO,thechangesare
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 39/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

savedtotheGPToftheserverfromwhichtheGPOwasopened. Bydefault,whenGroupPolicyrefreshoccurs,theCSEsapplysettingsinaGPOonlyif theGPOhasbeenupdated. TheGroupPolicyclientcanidentifyanupdatedGPObyitsversionnumber.EachGPO hasaversionnumberthatisincrementedeachtimeachangeismade.Theversion numberisstoredasanattributeoftheGPCandinatextfile,GPT.ini,intheGPT folder.TheGroupPolicyclientknowstheversionnumberofeachGPOithas previouslyapplied.If,duringGroupPolicyrefresh,theGroupPolicyclientdiscovers thattheversionnumberoftheGPChasbeenchanged,theCSEswillbeinformedthat theGPOisupdated.

GPO Replication
GroupPolicyContainerandGroupPolicyTemplatearebothreplicatedbetweenall domaincontrollersinActiveDirectory.However,differentreplicationmechanismsare usedforthesetwoitems. TheGPCinActiveDirectoryisreplicatedbytheDirectoryReplicationAgent(DRA). TheDRAusesatopologygeneratedbytheKnowledgeConsistencyChecker(KCC) thatcanbedefinedorrefinedmanually.YouwilllearnmoreaboutActiveDirectory ReplicationinModule14.TheresultisthattheGPCisreplicatedwithinsecondstoall domaincontrollersinasiteandisreplicatedbetweensitesbasedonyourintersite replicationconfiguration.ThisprocesswillalsobediscussedinModule14.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 40/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TheGPTintheSYSVOLisreplicatedbyusingoneofthefollowingtwotechnologies. TheFileReplicationService(FRS)isusedtoreplicateSYSVOLindomainsrunning WindowsServer2008,WindowsServer2008R2,WindowsServer2003,and Windows2000.IfalldomaincontrollersarerunningWindowsServer2008orearlier, youcanconfigureSYSVOLreplicationbyusingDistributedFileSystemReplication (DFSR),whichisamuchmoreefficientandrobustmechanism. BecausetheGPCandGPTarereplicatedseparately,itispossibleforthemtobecome outofsyncforashorttime. Typically,whenthishappens,theGPCwillreplicatetoadomaincontrollerfirst. SystemsthatobtainedtheirorderedlistofGPOsfromthatdomaincontrollerwill identifythenewGPC,willattempttodownloadtheGPT,andwillnoticethatthe versionnumbersarenotthesame.Apolicyprocessingerrorwillberecordedinthe eventlogs.Ifthereversehappens,andtheGPOreplicatestoadomaincontroller beforetheGPC,clientsobtainingtheirorderedlistofGPOsfromthatdomain controllerwillnotbenotifiedofthenewGPOuntiltheGPChasreplicated.

Manage GPOs and Their Settings

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

41/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

WhenyourightclickaGPOintheGPMC,alistofusefulmanagementcommands appears. Copy.YoucancopyaGPOandthenrightclicktheGroupPolicyObjectscontainer andselectPastetocreateacopyoftheGPO.Thisisusefulwhenyouwantto createanewGPOinthesamedomainandtostartwiththesamesettingsasan existingGPO.ItisalsousefultocopyaGPOintoanotherdomain,forexample, betweenatestdomainandaproductiondomain.TocopyaGPObetween domains,addthetargettrusteddomaintotheGPMC.Youmusthavepermissionto createGPOsinthetargetdomain.WhenyoupasteaGPO,youaregiventhe optiontocopytheaccesscontrollist(ACL)fromtheoriginalGPO,whichpreserves thesecurityfiltering,ortousethedefaultACLfornewGPOsinthetargetdomain.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 42/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

BackUp.Aswithanycriticaldata,itisimportanttobackupGPOs.BecauseaGPO consistsofseveralfiles,objects,permissions,andlinks,managingthebackupand restoreofGPOsisquitedifficult.Luckily,theBackUpcommandpullsallofthose piecesintoasingleplaceandmakesrestoreasimpletask. RestorefromBackup.RestoreanentireGPO,includingitsfiles,objects, permissions,andlinksintothesamedomaininwhichtheGPOoriginallyexisted. ImportSettings.ImportonlythesettingsfromabackedupGPO.Althoughthis optiondoesnotimportpermissionsorlinks,itcanbeusefulfortransferringGPOs betweennontrusteddomainsthatcannotusecopyandpaste.IfaGPOincludes potentiallydomainspecificsettings,includingtheUNCpathsornamesofsecurity groups,youwillbepromptedastowhetheryouwanttoimportthosesettings exactlyastheywerebackeduportouseamigrationtablethatmapssourceto destinationnames. SaveReport.UsethistosaveanHTMLreportoftheGPOsettings. Delete.UsethistodeleteaGPO. Rename.UsethistorenameaGPO.

Lab A: Implement Group Policy

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

43/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

44/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

4.

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

5.

Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodo so.

Lab Scenario
YouareresponsibleformanagingchangeandconfigurationatContoso,Ltd.Contoso corporateITsecuritypoliciesspecifythatcomputerscannotbeleftunattendedand loggedontoformorethan10minutes.Youwillthereforeconfigurethescreensaver timeoutandpasswordprotectedscreensaverpolicysettings.Additionally,youwill lockdownaccesstoregistryeditingtools.

Exercise 1: Create, Edit, and Link Group Policy Objects

Inthisexercise,youwillcreateaGPOthatimplementsasettingmandated bythecorporatesecuritypolicyofContoso,Ltdandscopethesettingtoall usersandcomputersinthedomain.Youwillthenexaminetheeffectofthe GPO.Youcanalsoexploreothersettingsthataremadeavailablewithina
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 45/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GPO. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. 5. CreateaGPO. EditthesettingsofaGPO. ScopeaGPOwithaGPOlink. ViewtheeffectsofGroupPolicyapplication. ExploreGPOsettings.

Task 1: Create a GPO.

1.

OnNYCDC1,runGroupPolicyManagementasanadministrator,withthe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2.

CreateaGroupPolicyObjectnamedCONTOSOStandardsintheGroup PolicyObjectscontainer.

Task 2: Edit the settings of a GPO.

1.

EdittheCONTOSOStandardsGPO.
46/135

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

07/06/13

Module 6: Implementing a Group Policy Infrastructure

2.

NavigatetotheUserConfiguration,Policies,AdministrativeTemplates, Systemfolder.

3. 4.

PreventusersfromrunningRegistryEditorandregedit/s. NavigatetotheUserConfiguration,Policies,AdministrativeTemplates, ControlPanel,Personalizationfolder.

5. 6. 7.

ExaminetheexplanatorytextfortheScreensavertimeoutpolicysetting. ConfiguretheScreensavertimeoutpolicyto600seconds. EnablethePasswordprotectthescreensaverpolicysetting.

Task 3: Scope a GPO with a GPO link.

LinktheCONTOSOStandardsGPOtothecontoso.comdomain.

Task 4: View the effects of Group Policy application.

1. 2.

LogontoNYCCL1asPat.Coleman. Attempttochangethescreensaverwaittimeandresumesettings.Youare preventedfromdoingsobyGroupPolicy.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

47/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

3.

AttempttorunRegistryEditor.YouarepreventedfromdoingsobyGroup Policy.

Task 5: Explore GPO settings.

OnNYCDC1,edittheCONTOSOStandardsGPOandspendtimeexploringthe settingsthatareavailableinaGPO.Donotmakeanychanges.

Results:Inthisexercise,youcreatedaGPOnamedContosoStandardsthat configurespasswordprotectedscreensaver,screensavertimeout,andregistry editingtoolrestrictions

NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.

Exercise 2: Use Filtering and Commenting

Inthisexercise,youwillusethenewcommentingandfilteringfeaturesof GroupPolicytolocateanddocumentpolicysettings.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

48/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Themaintasksforthisexerciseareasfollows: 1. 2. Searchandfilterpolicysettings. DocumentGPOsandsettingswithcomments.

Task 1: Search and filter policy settings.

1. 2.

Ifnecessary,opentheGPMCandthenedittheCONTOSOStandardsGPO. IntheUserConfiguration\Policies\AdministrativeTemplatesfolder,filter theviewtoshowonlypolicysettingsthatcontainthephrasescreensaver. Spendafewmomentsexaminingthosesettings.

3.

Filtertheviewtoshowonlyconfiguredpolicysettings.Spendafewmoments examiningthosesettings.

4.

TurnoffthefilterfromAdministrativeTemplates.

Task 2: Document GPOs and settings with comments.

1.

EditthecommenttotheCONTOSOStandardsGPOandaddthefollowing commenttotheGPO:Contosocorporatestandardpolicies.Settingsare scopedtoallusersandcomputersinthedomain.Personresponsible

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

49/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

forthisGPO:yourname. ThiscommentappearsontheDetailstaboftheGPOintheGPMC. 2. AddthefollowingcommenttotheScreensavertimeoutpolicysetting: CorporateITSecurityPolicyimplementedwiththispolicyin combinationwithPasswordProtecttheScreenSaver. 3. AddthefollowingcommenttothePasswordprotectthescreensaverpolicy setting:CorporateITSecurityPolicyimplementedwiththispolicyin combinationwithScreenSaverTimeout.

Results:Inthisexercise,youaddedcommentstoyourGroupPolicyobjectand settings.

Lab Review Questions Question:WhichpolicysettingsarealreadybeingdeployedbyusingGroup Policyinyourorganization? Question:Whichpolicysettingsdidyoudiscoverthatyoumightwantto implementinyourorganization?

Lesson 3: Manage Group Policy Scope

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 50/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

AGPOis,byitself,acollectionofconfigurationinstructionsthatwillbeprocessedby theCSEsofcomputers.UntiltheGPOisscoped,itdoesnotapplytoanyusersor computers.TheGPOsscopedeterminestheCSEsofwhichcomputerswillreceive andprocesstheGPOandonlythecomputersoruserswithinthescopeofaGPOwill applythesettingsinthatGPO.Inthislesson,youwilllearntomanagethescopeofa GPO.ThefollowingmechanismsareusedtoscopeaGPO: TheGPOlinktoasite,domain,orOUandwhetherthatlinkisenabled TheEnforceoptionofaGPO TheBlockInheritanceoptiononanOU

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 51/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Securitygroupfiltering WMIfiltering Policynodeenablingordisabling Preferencestargeting Loopbackpolicyprocessing

Youmustbeabletodefinetheusersorcomputerstowhichconfigurationis deployed,andtherefore,youmustmastertheartofscopingGPOs.Inthislesson, youwilllearneachofthemechanismswithwhichyoucanscopeaGPOand,inthe process,youwillmastertheconceptsofGroupPolicyapplication,inheritance,and precedence.

Objectives
Aftercompletingthislesson,youwillbeableto: ManageGPOlinks. IdentifytherelationshipbetweenOUstructureandGPOapplication. EvaluateGPOinheritanceandprecedence. UnderstandtheBlockInheritanceandEnforcedlinkoptions.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 52/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ApplysecurityfilteringtonarrowthescopeofaGPO. ApplyaWMIfiltertoaGPO. TargetGroupPolicypreferences. IdentifybestpracticesforscopingGroupPolicy.

GPO Links

AGPOcanbelinkedtooneormoreActiveDirectorysites,domains,orOUs.Aftera policyislinkedtoasite,domain,orOU,theusersorcomputersandusersinthat
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 53/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

containerarewithinthescopeoftheGPO,includingcomputersandusersinchild OUs. AsyoulearnedinLesson1,youcanlinkaGPOtothedomain,siteortoanOU. TolinkaGPO,rightclickthedomainorOUintheGPMCconsoletree,andthenclick LinkasexistingGPO.IfyouhavenotyetcreatedaGPO,clickCreateAGPOIn This{Domain|OU|Site}AndLinkItHere. YoucanchoosethesamecommandstolinkaGPOtoasite,butbydefault,your ActiveDirectorysitesarenotvisibleintheGPMC. ToshowsitesintheGPMC,rightclickSitesintheGPMCconsoletreeandchoose ShowSites. NoteAGPOlinkedtoasiteaffectsallcomputersinthesitewithoutregardto thedomaintowhichthecomputersbelong(aslongasallcomputersbelong tothesameActiveDirectoryforest).Therefore,whenyoulinkaGPOtoasite, thatGPOcanbeappliedtomultipledomainswithinaforest.SitelinkedGPOs arestoredondomaincontrollersinthedomaininwhichtheGPOwascreated. Therefore,domaincontrollersforthatdomainmustbeaccessibleforsite linkedGPOstobeappliedcorrectly.Ifyouimplementsitelinkedpolicies,you mustconsiderpolicyapplicationwhenplanningyournetworkinfrastructure. EitherplaceadomaincontrollerfromtheGPOsdomaininthesitetowhich thepolicyislinked,orensurethatawideareanetwork(WAN)connectivity providesaccessibilitytoadomaincontrollerintheGPOsdomain.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 54/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

WhenyoulinkaGPOtoasite,domain,orOU,youdefinetheinitialscopeofthe GPO.SelectaGPOandclicktheScopetabtoidentifythecontainerstowhichthe GPOislinked.InthedetailspaneoftheGPMC,theGPOlinksaredisplayedinthe firstsectionoftheScopetab,asseenhere:

TheimpactoftheGPOslinksisthattheGroupPolicyClientdownloadstheGPOif eitherthecomputerortheuserobjectsfallwithinthescopeofthelink.TheGPOwill bedownloadedonlyifitisneworupdated.TheGroupPolicyClientcachestheGPO tomakepolicyrefreshmoreefficient.

Link a GPO to Multiple OUs

YoucanlinkaGPOtomorethanonesiteorOU.Itiscommon,forexample,toapply configurationtocomputersinseveralOUs.Youcandefinetheconfigurationina singleGPOandlinkthatGPOtoeachOU.IfyoulaterchangesettingsintheGPO, yourchangeswillapplytoallOUstowhichtheGPOislinked.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 55/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Delete or Disable a GPO Link

AfteryouhavelinkedaGPO,theGPOlinkappearsintheGPMCunderneaththesite, domain,orOU.TheiconfortheGPOlinkhasasmallshortcutarrow.Whenyou rightclicktheGPOlink,acontextmenuappears,asshownhere:

TodeleteaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthenclick Delete. DeletingaGPOlinkdoesnotdeletetheGPOitself,whichremainsinthatGPO container.DeletingthelinkdoeschangethescopeoftheGPOsothatitnolonger appliestocomputersanduserswithinasite,domain,orOUtowhichitwas previouslylinked. YoucanalsomodifyaGPOlinkbydisablingit. TodisableaGPOlink,rightclicktheGPOlinkintheGPMCconsoletreeandthen deselecttheLinkEnabledoption.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 56/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

DisablingthelinkalsochangestheGPOscopesothatitnolongerappliesto computersanduserswithinthatcontainer.However,thelinkremainssothatitcan beeasilyreenabled.

Group Policy Processing Order

TheGPOsthatapplytoauser,computer,orbothdonotallapplyatonce.GPOsare appliedinaparticularorder.Thisordermeansthatsettingsthatareprocessedfirst maybeoverwrittenbyconflictingsettingsthatareprocessedlater. GroupPolicyfollowsthefollowinghierarchicalprocessingorder:

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

57/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

1.

Localgrouppolicies.EachcomputerrunningWindows2000orlaterhasat leastonelocalgrouppolicy.Thelocalpoliciesareappliedfirst.

2.

Sitegrouppolicies.Policieslinkedtositesareprocessedsecond.Ifthereare multiplesitepolicies,theyareprocessedsynchronouslyinthelistedpreference order.

3.

Domaingrouppolicies.Policieslinkedtodomainsareprocessedthird.Ifthere aremultipledomainpolicies,theyareprocessedsynchronouslyinthelisted preferenceorder.

4.

OUgrouppolicies.PolicieslinkedtotoplevelOUsareprocessedfourth.If therearemultipletoplevelOUpolicies,theyareprocessedsynchronouslyinthe listedpreferenceorder.

5.

ChildOUgrouppolicies.PolicieslinkedtochildOUsareprocessedfifth.If therearemultiplechildOUpolicies,theyareprocessedsynchronouslyinthe listedpreferenceorder.WhentherearemultiplelevelsofchildOUs,policiesfor higherlevelOUsareappliedfirstandpoliciesforthelowerlevelOUsareapplied next.

InGroupPolicyapplication,thegeneralruleisthatthelastpolicyappliedwins.For example,apolicythatrestrictsaccesstoControlPanelappliedatthedomainlevel couldbereversedbyapolicyappliedattheOUlevelfortheobjectscontainedinthat particularOU.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 58/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

IfyoulinkseveralGPOstoanorganizationalunit,theirprocessingoccursintheorder thattheadministratorspecifiesontheLinkedGroupPolicyObjectstabforthe organizationalunitintheGroupPolicyManagementConsole(GPMC). Bydefault,processingisenabledforallGPOlinks.Youcancompletelyblockthe applicationofaGPOforagivensite,domain,ororganizationalunitbydisablingthat containersGPOlink.NotethatiftheGPOislinkedtoothercontainers,theywill continuetoprocesstheGPOiftheirlinksareenabled. YoucanalsodisabletheuserorcomputerconfigurationofaparticularGPO independentofeithertheuserorcomputer.Ifonesectionofapolicyisknowntobe empty,disablingtheothersidespeedsuppolicyprocessing.Forexample,ifyouhave apolicythatonlydeliversuserdesktopconfiguration,youcoulddisablethecomputer sideofthepolicy.

GPO Inheritance and Precedence

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

59/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ApolicysettingcanbeconfiguredinmorethanoneGPO,andGPOscanbeinconflict withoneanother.Forexample,apolicysettingcanbeenabledinoneGPO,disabled inanotherGPO,andnotconfiguredinathirdGPO.Inthiscase,theprecedenceof theGPOsdetermineswhichpolicysettingtheclientapplies.AGPOwithhigher precedenceprevailsoveraGPOwithlowerprecedence.Precedenceisshownasa numberintheGPMC.Thesmallerthenumberthatis,thecloserto1thehigherthe precedence,soaGPOwithaprecedenceof1willprevailoverotherGPOs.Selectthe domainorOUandthenclicktheGroupPolicyInheritancetabtoviewthe precedenceofeachGPO. WhenapolicysettingisenabledordisabledinaGPOwithhigherprecedence,the configuredsettingtakeseffect.However,rememberthatpolicysettingsaresettoNot
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 60/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Configuredbydefault.IfapolicysettingisnotconfiguredinaGPOwithhigher precedence,thepolicysetting(eitherenabledordisabled)inaGPOwithlower precedencewilltakeeffect. Asite,domain,orOUcanhavemorethanoneGPOlinkedtoit.Thelinkorderof GPOsdeterminestheprecedenceofGPOsinsuchascenario.GPOswithahigherlink ordertakeprecedenceoverGPOswithalowerlinkorder.WhenyouselectanOUin theGPMC,theLinkedGroupPolicyObjectstabshowsthelinkorderofGPOslinked tothatOU. ThedefaultbehaviorofGroupPolicyisthatGPOslinkedtoahigherlevelcontainer areinheritedbylowerlevelcontainers.Whenacomputerstartsuporauserlogson, theGroupPolicyClientexaminesthelocationofthecomputeroruserobjectinActive DirectoryandevaluatestheGPOswithscopesthatincludethecomputeroruser. Then,theclientsideextensionsapplypolicysettingsfromtheseGPOs.Policiesare appliedsequentially,beginningwiththepolicieslinkedtothesite,followedbythose linkedtothedomain,followedbythoselinkedtoOUsfromthetoplevelOUdown totheOUinwhichtheuserorcomputerobjectexists.Itisalayeredapplicationof settings,soaGPOthatisappliedlaterintheprocess,becauseithashigher precedence,overridessettingsappliedearlierintheprocess. ThesequentialapplicationofGPOscreatesaneffectcalledpolicyinheritance.Policies areinherited,sotheresultantsetofgrouppoliciesforauserorcomputerwillbethe cumulativeeffectofsite,domain,andOUpolicies.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 61/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Bydefault,inheritedGPOshavelowerprecedencethanGPOslinkeddirectlytothe container.Forexample,youmightconfigureapolicysettingtodisabletheuseof registryeditingtoolsforallusersinthedomainbyconfiguringthepolicysettingina GPOlinkedtothedomain.ThatGPO,anditspolicysetting,isinheritedbyallusers withinthedomain.However,youprobablywantadministratorstobeabletouse registryeditingtools,soyouwilllinkaGPOtotheOUthatcontainsadministrators accountsandconfigurethepolicysettingtoallowtheuseofregistryeditingtools. BecausetheGPOlinkedtotheadministratorsOUtakeshigherprecedencethanthe inheritedGPO,administratorswillbeabletouseregistryeditingtools.Thefollowing figureillustratesGroupPolicyInheritance:

Precedence of Multiple Linked GPOs

AnOU,domain,orsitecanhavemorethanoneGPOlinkedtoit.Iftherearemultiple GPOs,theobjectslinkorderdeterminestheirprecedence.Inthefollowingfigure,two GPOsarelinkedtothePeopleOU:

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

62/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Theobjecthigheronthelist,withalinkorderof1,hasthehighestprecedence. Therefore,settingsthatareenabledordisabledinthePowerUserConfiguration POhasprecedenceoverthesamesettingsintheStandardUserConfigurationGPO. TochangetheprecedenceofaGPOlink: 1. 2. 3. 4. SelecttheOU,site,ordomainintheGPMCconsoletree. ClicktheLinkedGroupPolicyObjectstabinthedetailspane. SelecttheGPO. UsetheUp,Down,MoveToTop,andMoveToBottomarrowstochangethe linkorderoftheselectedGPO.

Block Inheritance
AdomainorOUcanbeconfiguredtopreventtheinheritanceofpolicysettings. Toblockinheritance,rightclickthedomainorOUintheGPMCconsoletreeand selectBlockInheritance. TheBlockInheritanceoptionisapropertyofadomainorOU,soitblocksallGroup PolicysettingsfromGPOslinkedtoparentsintheGroupPolicyhierarchy.Whenyou
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 63/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

blockinheritanceonanOU,forexample,GPOapplicationbeginswithanyGPOs linkeddirectlytothatOUGPOslinkedtohigherlevelOUs,thedomain,orthesite willnotapply. TheBlockInheritanceoptionshouldbeusedsparingly.Blockinginheritancemakesit moredifficulttoevaluateGroupPolicyprecedenceandinheritance.Inalatertopic, youwilllearnhowtoscopeaGPOsothatitappliestoonlyasubsetofobjectsorso thatitispreventedfromapplyingtoasubsetofobjects.Withsecuritygroupfiltering, youcancarefullyscopeaGPOsothatitappliestoonlythecorrectusersand computersinthefirstplace,makingitunnecessarytousetheBlockInheritance option.

Enforce a GPO Link

Inaddition,aGPOlinkcanbesettoEnforced. ToenforceaGPOlink,rightclicktheGPOlinkintheconsoletreeandchoose Enforcedfromthecontextmenu. WhenaGPOlinkissettoEnforced,theGPOtakesthehighestlevelofprecedence policysettingsinthatGPOwillprevailoveranyconflictingpolicysettingsinother GPOs.Inaddition,alinkthatisenforcedwillapplytochildcontainersevenwhen thosecontainersaresettoBlockInheritance.TheEnforcedoptioncausesthepolicy toapplytoallobjectswithinitsscope.Enforcedwillcausepoliciestooverrideany conflictingpoliciesandwillapplyregardlessofwhetheraBlockInheritanceoptionis
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 64/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

set. Inthefigureonthefollowingpage,BlockInheritancehasbeenappliedtothe BusinessOU.Asaresult,GPOD,whichisappliedtothedomain,isblockedanddoes notapplywhenauserfromtheEmployeesOUlogsontoacomputerintheClients OU.However,intheSecurityGPO,GPOslinkedtothedomainwiththeEnforced optiondoesapply.Infact,itisappliedlastintheprocessingorder,meaningits settingswilloverridethoseofGPOsB,C,andE. WhenyouconfigureaGPOthatdefinesconfigurationmandatedbyyourcorporateIT securityandusagepolicies,youwanttoensurethatthosesettingsarenotoverridden byotherGPOs.YoucandothisbyenforcingthelinkoftheGPO.Thefigurehere showsjustthisscenario:

ConfigurationmandatedbycorporatepoliciesisdeployedintheCONTOSOCorporate ITSecurity&UsageGPO,whichislinkedwithanenforcedlinktotheContoso.com domain.TheiconfortheGPOlinkhasapadlockonitthevisualindicatorofan enforcedlink.OnthePeopleOU,theGroupPolicyInheritancetabshowsthatthe GPOtakesprecedenceevenovertheGPOslinkedtothePeopleOUitself.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

65/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Evaluating Precedence
TofacilitateevaluationofGPOprecedence,youcansimplyselectanOU(ordomain) andclicktheGroupPolicyInheritancetab.Thistabwilldisplaytheresulting precedenceofGPOs,accountingforGPOlink,linkorder,inheritanceblocking,and linkenforcement.Thistabdoesnotaccountforpoliciesthatarelinkedtoasite,nor doesitaccountforGPOsecurityorWMIfiltering.

Use Security Filtering to Modify GPO Scope

Bynow,youvelearnedthatyoucanlinkaGPOtoasite,domain,orOU.However, youmightneedtoapplyGPOsonlytocertaingroupsofusersorcomputersrather
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 66/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

thantoallusersorcomputerswithinthescopeoftheGPO.Althoughyoucannot directlylinkaGPOtoasecuritygroup,thereisawaytoapplyGPOstospecific securitygroups.ThepoliciesinaGPOapplyonlytouserswhohaveAllowReadand AllowApplyGroupPolicypermissionstotheGPO. EachGPOhasanACLthatdefinespermissionstotheGPO.Twopermissions,Allow ReadandAllowApplyGroupPolicy,arerequiredforaGPOtoapplytoauseror computer.Forexample,ifaGPOisscopedtoacomputerbyitslinktothecomputers OU,butthecomputerdoesnothaveReadandApplyGroupPolicypermissions,itwill notdownloadandapplytheGPO.Therefore,bysettingtheappropriatepermissions forsecuritygroups,youcanfilteraGPOsothatitssettingsapplyonlytothe computersandusersyouspecify. Bydefault,AuthenticatedUsersaregiventheAllowApplyGroupPolicypermissionon eachnewGPO.Thismeansthatbydefault,allusersandcomputersareaffectedby theGPOssetfortheirdomain,site,orOU,regardlessoftheothergroupsinwhich theymightbemembers.Therefore,therearetwowaysoffilteringGPOscope: RemovetheApplyGroupPolicypermission(currentlysettoAllow)forthe AuthenticatedUsersgroupbutdonotsetthispermissiontoDeny.Then,determine thegroupstowhichtheGPOshouldbeappliedandsettheReadandApplyGroup PolicypermissionsforthesegroupstoAllow. DeterminethegroupstowhichtheGPOshouldnotbeappliedandsettheApply GroupPolicypermissionforthesegroupstoDeny.IfyoudenytheApplyGroup
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 67/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

PolicypermissiontoaGPO,theuserorcomputerwillnotapplysettingsinthe GPO,eveniftheuserorcomputerisamemberofanothergroupthatisallowed theApplyGroupPolicyPermission.

Filtering a GPO to Apply to Specific Groups

ToapplyaGPOtoaspecificsecuritygroup: 1. 2. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree. IntheSecurityFilteringsection,selecttheAuthenticatedUsersgroupand clickRemove.

NoteGPOscanbefilteredonlywithglobalsecuritygroupsnotwith domainlocalsecuritygroups.

3. 4. 5.

ClickOKtoconfirmthechange. ClickAdd. SelectthegrouptowhichyouwantthepolicytoapplyandclickOK.

TheresultwilllooksimilartothefigureshownheretheAuthenticatedUsersgroupis
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 68/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

notlisted,andthespecificgrouptowhichthepolicyshouldapplyislisted.

Filtering a GPO to Exclude Specific Groups

TheScopetabofaGPOdoesnotallowyoutoexcludespecificgroups.Toexcludea groupthatis,todenytheApplyGroupPolicypermissionyoumustusethe Delegationtab. TodenyagrouptheApplyGroupPolicypermission: 1. 2. SelecttheGPOintheGroupPolicyObjectscontainerintheconsoletree. ClicktheDelegationtab.
69/135

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

07/06/13

Module 6: Implementing a Group Policy Infrastructure

3.

ClicktheAdvancedbutton. TheSecuritySettingsdialogboxappears.

4. 5.

ClicktheAddbutton. SelectthegroupyouwanttoexcludefromtheGPO.Remember,itmustbea globalgroup.GPOscopecannotbefilteredbydomainlocalgroups.

6.

ClickOK. ThegroupyouselectedisgiventheAllowReadpermissionbydefault.

7. 8.

CleartheAllowReadpermissioncheckbox. SelecttheDenyApplyGroupPolicycheckbox.

ThefigurehereshowsanexamplethatdeniestheHelpDeskgrouptheApplygroup policypermissionand,therefore,excludesthegroupfromthescopeoftheGPO.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

70/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

9.ClickOK. YouarewarnedthatDenypermissionsoverrideotherpermissions. BecauseDenypermissionsoverrideAllowpermissions,itisrecommendedthatyou usethemsparingly.MicrosoftWindowsremindsyouofthisbestpracticewiththe warningmessage.TheprocesstoexcludegroupswiththeDenyApplyGroupPolicy permissionisfarmorelaboriousthantheprocesstoincludegroupsintheSecurity FilteringsectionoftheScopetab. 10. Confirmthatyouwanttocontinue.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

71/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ImportantDenypermissionsarenotexposedontheScopetab. Unfortunately,whenyouexcludeagroup,theexclusionisnotshownin theSecurityFilteringsectionoftheScopetab.

ThisisyetonemorereasontouseDenypermissionssparingly.

WMI Filters

WMIisamanagementinfrastructuretechnologythatenablesadministratorsto monitorandcontrolmanagedobjectsinthenetwork.AWMIqueryiscapableof
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 72/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

filteringsystemsbasedoncharacteristics,includingRAM,processorspeed,disk capacity,IPaddress,operatingsystemversionandservicepacklevel,installed applications,andprinterproperties.BecauseWMIexposesalmosteverypropertyof everyobjectwithinacomputer,thelistofattributesthatcanbeusedinaWMIquery isvirtuallyunlimited.WMIqueriesarewrittenbyusingWMIQueryLanguage(WQL). YoucanuseaWMIquerytocreateaWMIfilter,withwhichaGPOcanbefiltered.A goodwaytounderstandthepurposeofaWMIfilter,bothforthecertificationexams andforrealworldimplementation,isthroughexamples.GroupPolicycanbeusedto deploysoftwareapplicationsandservicepacksacapabilitythatisdiscussedin Module7.YoumightcreateaGPOtodeployanapplicationandthenuseaWMIfilter tospecifythatthepolicyshouldapplyonlytocomputerswithacertainoperating systemandservicepackWindowsXPSP3,forexample.TheWMIquerytoidentify suchsystemsis:

S e l e c t*F R O MW i n 3 2 _ O p e r a t i n g S y s t e mW H E R E C a p t i o n = " M i c r o s o f tW i n d o w sX PP r o f e s s i o n a l "A N D C S D V e r s i o n = " S e r v i c eP a c k3 "

WhentheGroupPolicyClientevaluatesGPOsithasdownloadedtodeterminewhich shouldbehandedofftotheCSEsforprocessing,itperformsthequeryagainstthe localsystem.Ifthesystemmeetsthecriteriaofthequery,thequeryresultisalogical True,andtheCSEsprocesstheGPO.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 73/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

WMIexposesnamespaces,withinwhichareclassesthatcanbequeried.Manyuseful classes,includingWin32_OperatingSystem,arefoundinaclasscalledroot\CIMv2. TocreateaWMIfilter: 1. RightclicktheWMIFiltersnodeintheGPMCconsoletree,andthenclick New. Typeanameanddescriptionforthefilter,andthenclicktheAddbutton. 2. 3. 4. IntheNamespacebox,typethenamespaceforyourquery. IntheQuerybox,enterthequery. ClickOK. TofilteraGPOwithaWMIfilter: 1. 2. 3. SelecttheGPOorGPOlinkintheconsoletree. ClicktheScopetab. ClicktheWMIdropdownlist,andselecttheWMIfilter.

AGPOcanbefilteredbyonlyoneWMIfilter,butthatWMIfiltercanbeacomplex querythatusesmultiplecriteria.AsingleWMIfiltercanbelinkedto,andthereby usedtofilter,oneormoreGPOs.TheGeneraltabofaWMIfilter,showninthe

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 74/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

figurehere,displaystheGPOsthatusetheWMIfilter:

TherearethreesignificantcaveatsregardingWMIfilters. First,theWQLsyntaxofWMIqueriescanbechallengingtomaster.Youcanoften findexamplesontheInternetwhenyousearchbyusingthekeywordsWMIfilter andWMIquery,alongwithadescriptionofthequeryyouwanttocreate. Second,WMIfiltersareexpensiveintermsofGroupPolicyprocessingperformance. BecausetheGroupPolicyClientmustperformtheWMIqueryateachpolicy processinginterval,thereisaslightimpactonsystemperformanceevery90120 minutes.Withtheperformanceoftodayscomputers,theimpactmightnotbe noticeable,butyoushouldcertainlytesttheeffectsofaWMIfilterpriorto

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 75/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

deployingitwidelyinyourproductionenvironment. NotethattheWMIqueryisprocessedonlyonetime,evenifitisusedtofilterthe scopeofmultipleGPOs. Third,WMIfiltersarenotprocessedbycomputersrunningWindows2000Server. IfaGPOisfilteredwithaWMIfilter,aWindows2000Serversystemignoresthe filterandprocessestheGPOasiftheresultsofthefilterweretrue.

Enable or Disable GPOs and GPO Nodes

YoucanpreventthesettingsintheComputerConfigurationorUserConfiguration
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 76/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

nodesfrombeingprocessedduringpolicyrefreshbychangingtheGPOStatus.

ToenableordisableaGPO'snodes,selecttheGPOorGPOlinkintheconsoletree, clicktheDetailstab,showninthefigure,andthenselectoneofthefollowingfrom theGPOStatusdropdownlist: Enabled.Bothcomputerconfigurationsettingsanduserconfigurationsettingswill beprocessedbyCSEsduringpolicyrefresh. AllSettingsDisabled.CSEswillnotprocesstheGPOduringpolicyrefresh. ComputerConfigurationSettingsDisabled.Duringcomputerpolicyrefresh, computerconfigurationsettingsintheGPOwillnotbeapplied.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 77/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

UserConfigurationSettingsDisabled.Duringuserpolicyrefresh,user configurationsettingsintheGPOwillnotbeapplied.

YoucanconfigureGPOstatustooptimizepolicyprocessing.IfaGPOcontainsonly usersettings,forexample,settingtheGPOStatusoptiontodisablecomputersettings preventstheGroupPolicyclientfromattemptingtoprocesstheGPOduringcomputer policyrefresh.BecausetheGPOcontainsnocomputersettings,thereisnoneedto processtheGPO,andyoucansaveafewcyclesoftheprocessor. NoteYoucandefineaconfigurationthatshouldtakeeffectincaseofan emergency,securityincident,orotherdisastersinaGPOandlinktheGPOso thatitisscopedtoappropriateusersandcomputers.Then,disabletheGPO. Ifyourequiretheconfigurationtobedeployed,enabletheGPO.

Target Preferences

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

78/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Preferences,whicharenewtoWindowsServer2008,haveabuiltinscoping mechanismcalleditemleveltargeting.Youcanhavemultiplepreferenceitemsina singleGPO,andeachpreferenceitemcanbetargetedorfiltered.So,forexample, youcouldhaveasingleGPOwithapreferencethatspecifiesfolderoptionsfor engineersandanotheritemthatspecifiesfolderoptionsforsalespeople.Youcan targettheitemsbyusingasecuritygrouporOU.Thereareoveradozenother criteriathatcanbeused,includinghardwareandnetworkcharacteristics,dateand time,LightweightDirectoryAccessProtocol(LDAP)queries,andmore.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

79/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

NoteWhatsnewaboutpreferencesisthatyoucantargetmultiplepreference itemswithinasingleGPOinsteadofrequiringmultipleGPOs.Withtraditional policies,youoftenneedmultipleGPOsfilteredtoindividualgroupstoapply variationsofsettings.

LikeWMIfilters,itemleveltargetingofpreferencesrequirestheCSEtoperforma querytodeterminewhethertoapplythesettingsinapreferencesitem.Youmustbe awareofthepotentialperformanceimpactofitemleveltargeting,particularlyifyou useoptionssuchasLDAPqueries,whichrequireprocessingtimeandaresponsefrom adomaincontrollertoprocess.AsyoudesignyourGroupPolicyinfrastructure,

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 80/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

balancetheconfigurationmanagementbenefitsofitemleveltargetingagainstthe performanceimpactyoudiscoverduringtestinginalab.

Loopback Policy Processing

Bydefault,auserssettingscomefromGPOsscopedtotheuserobjectinActive Directory.Regardlessofwhichcomputertheuserlogsonto,theresultantsetof policiesthatdeterminetheusersenvironmentisthesame.Therearesituations, however,inwhichyoumightwanttoconfigureauserdifferently,dependingonthe computerinuse.Forexample,youmightwanttolockdownandstandardizeuser desktopswhenuserslogontocomputersincloselymanagedenvironmentssuchas conferencerooms,receptionareas,laboratories,classrooms,andkiosks.Itisalso

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 81/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

importantforvirtualdesktopinfrastructure(VDI)scenarios,includingremotevirtual machinesandRemoteDesktopServices(RDS),knownasTerminalServicesin previousversions. Imagineascenarioinwhichyouwanttoenforceastandardcorporateappearancefor theWindowsdesktoponallcomputersinconferenceroomsandotherpublicareasof youroffice.HowwillyoucentrallymanagethisconfigurationbyusingGroupPolicy? PolicysettingsthatconfiguredesktopappearancearelocatedintheUser ConfigurationnodeofaGPO.Therefore,bydefault,thesettingsapplytousers, regardlessofwhichcomputertheylogonto.Thedefaultpolicyprocessingdoesnot giveyouawaytoscopeusersettingstoapplytocomputers,regardlessofwhichuser logson.Thatswhereloopbackpolicyprocessingcomesin. LoopbackpolicyprocessingaltersthedefaultalgorithmusedbytheGroupPolicy clienttoobtaintheorderedlistofGPOsthatshouldbeappliedtoausers configuration.InsteadofuserconfigurationbeingdeterminedbytheUser ConfigurationnodeofGPOsthatarescopedtotheuserobject,userconfiguration canbedeterminedbytheUserConfigurationnodepoliciesofGPOsthatarescoped tothecomputerobject. TheUserGroupPolicyloopbackprocessingmodepolicy,locatedintheComputer Configuration\Policies\AdministrativeTemplates\System\GroupPolicyfolderinGPME, canbe,likeallpolicysettings,settoNotConfigured,Enabled,orDisabled.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

82/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Whenenabled,thepolicycanspecifytheReplaceorMergemode. Replace.Inthiscase,theGPOlistfortheuser(obtainedinstep5intheGroup PolicyProcessing,thenextsection)isreplacedentirelybytheGPOlistalready obtainedforthecomputeratcomputerstartup(instep2).ThesettingsinUser ConfigurationpoliciesofthecomputersGPOsareappliedtotheuser.TheReplace modeisusefulinasituationsuchasaclassroomwhereusersshouldreceivea standardconfigurationratherthantheconfigurationappliedtothoseusersinaless managedenvironment. Merge.Inthiscase,theGPOlistobtainedforthecomputeratcomputerstartup (step2intheGroupPolicyProcessingsection)isappendedtotheGPOlist obtainedfortheuserwhenloggingon(step5).BecausetheGPOlistobtainedfor thecomputerisappliedlater,settingsinGPOsonthecomputerslisthave
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 83/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

precedenceiftheyconflictwithsettingsintheuserslist.Thismodewouldbe usefultoapplyadditionalsettingstouserstypicalconfigurations.Forexample,you mightallowausertoreceivetheuserstypicalconfigurationwhenloggingontoa computerinaconferenceroomorreceptionarea,butreplacethewallpaperwitha standardbitmapanddisabletheuseofcertainapplicationsordevices.

NoteItisalessdocumentedfactthatwhenyoucombinetheloopback processingwithsecuritygroupfiltering,theapplicationofusersettings duringpolicyrefreshusesthecredentialsofthecomputertodetermine whichGPOstoapplyaspartoftheloopbackprocessing.However,the loggedonusermustalsohavetheApplyGroupPolicypermissionforthe GPOtobesuccessfullyapplied.

Lab B: Manage Group Policy Scope

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

84/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

85/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

4.

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

5.

Start6425CNYCCL1.Donotlogontotheclientcomputeruntildirectedtodo so.

Lab Scenario
Youareanadministratorofthecontoso.comdomain.TheContosoStandardsGPO, linkedtothedomain,configuresapolicysettingthatrequiresatenminutescreen savertimeout.Anengineerreportsthatacriticalapplicationthatperformslengthy calculationscrasheswhenthescreenssaverstarts,andtheengineerhasaskedyouto preventthesettingfromapplyingtotheteamofengineersthatusestheapplication everyday.Youhavealsobeenaskedtoconfigureconferenceroomcomputerstouse a45minutetimeoutsothatthescreensaverdoesnotlaunchduringameeting.

Exercise 1: Configure GPO Scope with Links

Inthisexercise,youwillmodifythescopeofGPOsbyusingGPOlinks,and youwillexploreinheritance,precedence,andtheeffectsofEnforcedlinks
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 86/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

andBlockInheritance. Themaintasksforthisexerciseareasfollows: 1. CreateaGPOwithapolicysettingthattakesprecedenceoveraconflicting setting. 2. 3. ViewtheeffectofanenforcedGPOlink. ApplyBlockInheritance.

Task 1: Create a GPO with a policy setting that takes precedence over a conflicting setting. 1. OnNYCDC1,runActiveDirectoryUsersandComputersasan administrator,withtheusernamePat.Coleman_Adminandthepassword Pa$$w0rd. 2. IntheUserAccounts\EmployeesOU,createasubOUcalledEngineers,and thencloseActiveDirectoryUsersandComputers. 3. RuntheGroupPolicyManagementConsoleasanadministrator,withtheuser namePat.Coleman_AdminandthepasswordPa$$w0rd. 4. CreateanewGPOlinkedtotheEngineersOUcalledEngineering ApplicationOverride.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 87/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

5.

ConfiguretheScreensavertimeoutpolicysettingtobedisabled,andthen closetheGPME.

6.

SelecttheEngineersOU,andthenclicktheGroupPolicyInheritancetab. NoticethattheEngineeringApplicationOverrideGPOhasprecedenceover theCONTOSOStandardsGPO.Thescreensavertimeoutpolicysettingyou justconfiguredintheEngineeringApplicationOverrideGPOwillbeapplied afterthesettingintheCONTOSOStandardsGPO.Therefore,thenewsetting willoverwritethestandardssetting,andwill"win."Screensavertimeoutwillbe disabledforuserswithinthescopeoftheEngineeringApplicationOverride GPO.

Task 2: View the effect of an enforced GPO link.

1.

IntheGPMCconsoletree,selecttheDomainControllersOU,andthenclick theGroupPolicyInheritancetab.

2.

NoticethattheGPOnamed6425Chasthehighestprecedence.Settingsinthis GPOwilloverrideanyconflictingsettingsinanyoftheotherGPOs. TheDefaultDomainControllersGPOspecifies,amongotherthings,which groupsaregiventherighttologonlocallytodomaincontrollers.Toenhance thesecurityofdomaincontrollers,standardusersarenotgiventherighttolog onlocally.toallowanonprivilegeduseraccountsuchasPat.Colemantologon

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

88/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

todomaincontrollers.Inthiscourse,the6425CGPOgivesDomainUsersthe righttologonlocallytoacomputer.The6425CGPOislinkedtothedomain,so itssettingswouldnormallybeoverriddenbysettingsintheDefaultDomain ControllersGPO.Therefore,the6425CGPOlinktothedomainisconfiguredas Enforced.Inthisway,theconflictinuserrightsassignmentbetweenthetwo GPOsis"won"bythe6425CGPO.

Task 3: Apply Block Inheritance.

1.

IntheGPMCconsole,selecttheEngineersOUandexaminetheprecedence andinheritanceofGPOsontheGroupPolicyInheritancetab.

2.

BlocktheinheritanceofGPOstotheEngineersOU. Question:WhichGPOscontinuetoapplytousersintheEngineersOU? WherearethoseGPOslinked?Whydidtheycontinuetoapply?

3.

TurnoffBlockInheritancefromtheEngineersOU.

Results:Inthisexercise,youcreatedaGPOcalledEngineeringApplication OverrideandlinkedittotheEngineersOU.Youalsohaveanunderstandingof inheritance,precedence,andtheeffectsofanEnforcedlinkandBlockInheritance.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

89/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Exercise 2: Configure GPO Scope with Filtering

Astimepasses,youdiscoverthatonlyasmallnumberofengineersrequire thescreensavertimeoutoverridethatiscurrentlyappliedtoallusersin theEngineersOU.Inaddition,youdiscoverthatafewusersmustbe exemptedfromthescreensavertimeoutpolicyandothersettings configuredbytheCONTOSOStandardsGPO.Youdecidetousesecurity filteringtomanagethescopeoftheGPOs. Inthisexercise,youwillmodifythescopeofGPOsbyusingfiltering. Themaintasksforthisexerciseareasfollows: 1. 2. Configurepolicyapplicationwithsecurityfiltering. Configureanexemptionwithsecurityfiltering.

Task 1: Configure policy application with security filtering.

1.

RunActiveDirectoryUsersandComputersasanadministrator,withthe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2.

IntheGroups\ConfigurationOU,createaglobalsecuritygroupnamed
90/135

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

07/06/13

Module 6: Implementing a Group Policy Infrastructure

GPO_EngineeringApplicationOverride_Apply. 3. IntheGPMCconsole,selecttheEngineeringApplicationOverrideGPO. NoticethatintheSecurityFilteringsection,theGPOappliesbydefaulttoall authenticatedusers. 4. ConfiguretheGPOtoapplyonlytotheGPO_EngineeringApplication Override_Applygroup.

Task 2: Configure an exemption with security filtering.

1.

RunActiveDirectoryUsersandComputersasanadministratorwiththeuser namePat.Coleman_AdminandthepasswordPa$$w0rd.

2.

IntheGroups\ConfigurationOU,createaglobalsecuritygroupnamed GPO_CONTOSOStandards_Exempt.

3.

IntheGPMCconsole,selecttheCONTOSOStandardsGPO.Noticethatinthe SecurityFilteringsection,theGPOappliesbydefaulttoallauthenticated users.

4.

ConfiguretheGPOtodenyApplyGroupPolicypermissiontothe GPO_CONTOSOStandards_Exemptgroup.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

91/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Results:Inthisexercise,youconfiguredtheEngineeringApplicationOverride GPOtoapplyonlytothemembersofGPO_EngineeringApplication Override_Apply.YoualsoconfiguredagroupwiththeDenyApplyGroupPolicy permission,whichoverridestheAllowpermission.Ifanyuserrequiresexemption fromthepoliciesintheCONTOSOStandardsGPO,youcansimplyaddthe computertothegroupGPO_CONTOSOStandards_Exempt.

Exercise 3: Configure Loopback Processing

Youneedtoconfigurethescreensavertimeoutinconferenceroomsto45 minutessothatascreensaverdoesnotappearinthemiddleofameeting. Inthisexercise,youwillconfigureloopbackGPOprocessing. Themaintaskforthisexerciseisasfollows: Configureloopbackprocessing.

Task 1: Configure loopback processing.

1.

CreateanewGPOnamedConferenceRoomPoliciesandlinkittothe Kiosks\ConferenceRoomsOU.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

92/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

2.

ConfirmthattheConferenceRoomPoliciesGPOisscopedto AuthenticatedUsers.

3.

ModifytheScreenSavertimeoutpolicytolaunchthescreensaverafter45 minutes.ModifytheUserGroupPolicyloopbackprocessingmodepolicy settingtouseMergemode.

Results:Inthisexercise,youcreatedaConferenceRoomPoliciesGPOthat appliesa45minutescreensavertimeouttouserswhentheylogontoconference roomcomputers.

NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.

Lab Review Questions Question:Manyorganizationsrelyheavilyonsecuritygroupfilteringtoscope GPOs,ratherthanlinkingGPOstospecificOUs.Intheseorganizations,GPOsare typicallylinkedveryhighintheActiveDirectorylogicalstructuretothedomain itselfortoafirstlevelOU.Whatadvantagesaregainedbyusingsecuritygroup filteringratherthanGPOlinkstomanagethescopeoftheGPO? Question:Whymightitbeusefultocreateanexemptiongroupagroupthat isdeniedtheApplyGroupPolicypermissionforeveryGPOyoucreate?
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 93/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Question:Doyouuseloopbackpolicyprocessinginyourorganization?In whichscenariosandforwhichpolicysettingscanloopbackpolicyprocessingadd value?

Lesson 4: Group Policy Processing

Nowthatyouhavelearnedmoreabouttheconcepts,components,andscopingof GroupPolicy,youarereadytoexamineGroupPolicyprocessingclosely.

Objectives
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 94/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Aftercompletingthislesson,youwillbeableto: Understand,improve,andmanuallytriggerpolicyrefresh. Implementloopbackpolicyprocessing.

Detailed Review of Group Policy Processing

ThistopicdetailsGroupPolicyprocessing.Asyoureadit,rememberthatGroupPolicy isallaboutapplyingconfigurationsdefinedbyGPOs,thatGPOsareappliedinan order(site,domain,andOU),andthatGPOsappliedlaterintheorderhavehigher

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 95/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

precedencetheirsettings,whenapplied,willoverridesettingsappliedearlier.The followingsequencedetailstheprocessthroughwhichsettingsinadomainbasedGPO areappliedtoaffectacomputeroruser. 1. Thecomputerstarts,andthenetworkstarts.RemoteProcedureCallSystem Service(RPCSS)andMultipleUniversalNamingConventionProvider(MUP)are started.TheGroupPolicyClientisstarted. 2. TheGroupPolicyClientobtainsanorderedlistofGPOsscopedtothecomputer. TheorderofthelistdeterminestheorderofGPOprocessing,whichis,by default,local,site,domain,andOU. LocalGPOs.EachcomputerrunningWindowsServer2003,WindowsXP,and Windows2000hasexactlyoneGPOstoredlocally.WindowsVista,Windows Server2008,andWindows7havemultiplelocalGPOs.Theprecedenceof localGPOsisdiscussedintheLocalGPOssectioninLesson2. SiteGPOs.AnyGPOsthathavebeenlinkedtothesiteareaddedtothe orderedlistnext.WhenmultipleGPOsarelinkedtoasite,adomain,oran OU,thelinkorder,configuredontheScopetab,determinestheorderin whichtheyareaddedtothelist.TheGPOthatishighestonthelist,withthe numberclosestto1,hasthehighestprecedence,andisaddedtothelistlast. Itwill,therefore,beappliedlast,anditssettingswilloverridethoseofthe GPOsappliedearlier. DomainGPOs.MultipledomainlinkedGPOsareaddedasspecifiedbythelink
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 96/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

order. NoteDomainlinkedpoliciesarenotinheritedbychilddomains.Policies fromaparentdomainarenotinheritedbyachilddomain.Eachdomain maintainsdistinctpolicylinks.However,computersinseveraldomains mightbewithinthescopeofaGPOlinkedtoasite.

OUGPOs.GPOslinkedtotheOUhighestintheActiveDirectoryhierarchyare addedtotheorderedlist,followedbyGPOslinkedtoitschildOU,andsoon. Finally,theGPOslinkedtotheOUthatcontainsthecomputerareadded.If severalgrouppoliciesarelinkedtoanOU,theyareaddedintheorder specifiedbythelinkorder. EnforcedGPOsareaddedattheendoftheorderedlist,sotheirsettingswill beappliedattheendoftheprocessandwill,therefore,overridesettingsof GPOsearlierinthelistandintheprocess.Asapointoftrivia,enforcedGPOs areaddedtothelistinthereverseorder:OU,domain,andsite.Thisis relevantwhenyouapplycorporatesecuritypoliciesinadomainlinked enforcedGPO.ThatGPOwillbeattheendoftheorderedlistandwillbe appliedlast,soitssettingswilltakeprecedence. 3. TheGPOsareprocessedsynchronouslyintheorderspecifiedbytheorderedlist. ThismeansthatsettingsinthelocalGPOsareprocessedfirst,followedbyGPOs linkedtothesite,thedomain,andtheOUscontainingtheuserorcomputer. GPOslinkedtotheOUofwhichthecomputeroruserisadirectmemberare
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 97/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

processedlast,followedbyenforcedGPOs. AseachGPOisprocessed,thesystemdetermineswhetheritssettingsshould beappliedbasedontheGPOstatusforthecomputernode(enabledor disabled)andwhetherthecomputerhastheAllowGroupPolicypermission.If aWMIfilterisappliedtotheGPO,andifthecomputerisrunningWindowsXP orlater,itperformstheWQLqueryspecifiedinthefilter. 4. IftheGPOshouldbeappliedtothesystem,CSEstriggertoprocesstheGPO settings.PolicysettingsinGPOsoverwritepoliciesofpreviouslyappliedGPOsin thefollowingways: Ifapolicysettingisconfigured(settoEnabledorDisabled)inaGPOlinkedto aparentcontainer(OU,domain,orsite),andthesamepolicysettingisNot ConfiguredinGPOslinkedtoitschildcontainer,theresultantsetofpolicies forusersandcomputersinthechildcontainerwillincludetheparentspolicy setting.IfthechildcontainerisconfiguredwiththeBlockInheritanceoption, theparentsettingisnotinheritedunlesstheGPOlinkisconfiguredwiththe Enforcedoption. Ifapolicysettingisconfigured(settoEnabledorDisabled)foraparent container,andthesamepolicysettingisconfiguredforachild,thechild containerssettingoverridesthesettinginheritedfromtheparent.Ifthe parentGPOlinkisconfiguredwiththeEnforcedoption,theparentsettinghas precedence. IfapolicysettingofGPOslinkedtoparentcontainersisNotConfigured,and
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 98/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

thechildOUsettingisalsoNotConfigured,theresultantpolicysettingisthe settingthatresultsfromtheprocessingoflocalGPOs.Iftheresultantsetting oflocalGPOsisalsoNotConfigured,theresultantconfigurationisthe Windowsdefaultsetting. 5. Whentheuserlogson,theprocessisrepeatedforusersettings.Theclient obtainsanorderedlistofGPOsscopedtotheuser,examineseachGPO synchronously,andhandsoverGPOsthatshouldbeappliedtotheappropriate CSEsforprocessing.ThisstepismodifiedifUserLoopbackGroupPolicy Processingisenabled.Loopbackpolicyprocessingisdiscussedinthenexttopic.

NoteSomePolicysettingsareinbothComputerConfigurationandUser Configurationnodes.MostpolicysettingsarespecifictoeithertheUser ConfigurationorComputerConfigurationnode.Afewsettingsappearin bothnodes.Althoughinmostsituations,thesettingintheComputer ConfigurationnodeoverridesthesettingintheUserConfigurationnode, itisimportanttoreadtheexplanatorytextaccompanyingthepolicy settingtounderstandthesettingseffectanditsapplication.

6.

Every90120minutesaftercomputerstartup,computerpolicyrefreshoccurs, andtheprocessisrepeatedforcomputersettings.

7.

Every90120minutesafteruserlogon,userpolicyrefreshoccurs,andthe processisrepeatedforusersettings.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

99/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Slow Links and Disconnected Systems

OneofthetasksthatcanbeautomatedandmanagedwithGroupPolicyissoftware installation.InModule7,you'lllearnaboutGroupPolicySoftwareInstallation(GPSI), whichisprovidedbythesoftwareinstallationCSE.YoucanconfigureaGPOtoinstall oneormoresoftwarepackages. Imagine,however,thatauserconnectstoyournetworkoveraslowconnection.You wouldnotwantlargesoftwarepackagestobetransferredovertheslowlinkbecause performancewouldbeproblematic. TheGroupPolicyClientaddressesthisconcernbydetectingthespeedofthe

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 100/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

connectiontothedomainanddeterminingwhethertheconnectionshouldbe consideredaslowlink.ThatdeterminationisthenusedbyeachCSEtodecide whethertoapplysettings.Thesoftwareextension,forexample,isconfiguredtoforgo policyprocessingsothatsoftwareisnotinstalledifaslowlinkisdetected.Bydefault, alinkisconsideredtobeslowifitislessthan500kilobitspersecond(kbps). IfGroupPolicydetectsaslowlink,itsetsaflagtoindicatetheslowlinktotheCSEs. TheCSEscanthendeterminewhethertoprocesstheapplicableGroupPolicysettings. Thedefaultslowlinkspeedis500kilobitspersecond(Kbps),butyoucanconfigure this.Thefollowingtabledescribesthedefaultbehavioroftheclientsideextensions:

ClientSide Extension
Registrypolicyprocessing InternetExplorermaintenance SoftwareInstallationpolicy FolderRedirectionpolicy Scriptspolicy Securitypolicy InternetProtocolSecurity (IPSec)policy

Slowlinkprocessing

Canitbechanged?

On Off Off Off Off On Off

No Yes Yes Yes Yes No Yes

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

101/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Wirelesspolicy EFSRecoverypolicy DiskQuotapolicy

Off On Off

Yes Yes Yes

Ifauserisworkingwhiledisconnectedfromthenetwork,thesettingspreviously appliedbyGroupPolicycontinuetotakeeffect,soausersexperienceisidentical, irrespectiveofwhetherheorsheisonthenetworkoraway.Thereareexceptionsto thisrule,mostnotablythatstartup,logon,logoff,andshutdownscriptswillnotrunif theuserisdisconnected. Ifaremoteuserconnectstothenetwork,theGroupPolicyclientwakesupand determineswhetheraGroupPolicyrefreshwindowhasbeenmissed.Ifso,it performsaGroupPolicyrefreshtoobtainthelatestGPOsfromthedomain.Again, theCSEsdetermine,basedontheirpolicyprocessingsettings,whethersettingsin thoseGPOsareapplied.ThisprocessdoesnotapplytoWindowsXPorWindows Server2003systems.ItappliesonlytoWindowsVista,WindowsServer2008, Windows7,andneweroperatingsystems.

Identify When Settings Take Effect

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

102/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ThereareseveralprocessesthatmustbecompletedbeforeGroupPolicysettingsare actuallyappliedtoauseroracomputer.Wewilldiscusstheseprocessesinthistopic

GPO Replication Must Happen

BeforeaGPOcantakeeffect,theGroupPolicycontainer(GPC)inActiveDirectory mustbereplicatedtothedomaincontrollerfromwhichtheGroupPolicyClient obtainsitsorderedlistofGPOs.Additionally,theGroupPolicytemplate(GPT)in SYSVOLmustreplicatetothesamedomaincontroller.

Group Changes Must Be Incorporated

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 103/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Finally,ifyouhaveaddedanewgrouporchangedthemembershipofagroupthatis usedtofiltertheGPO,thatchangemustalsobereplicated,andthechangemustbe inthesecuritytokenofthecomputerandtheuser,whichrequiresarestart(forthe computertoupdateitsgroupmembership)oralogoffandlogon(fortheuserto updateitsgroupmembership).

User or Computer Group Policy Refresh Must Occur

Asyouknow,refreshhappensatstartup(forcomputersettings)andlogon(foruser settings)andevery90120minutesthereafter,bydefault. NoteRememberthatthepracticalimpactoftheGroupPolicyrefreshinterval isthatwhenyoumakeachangeinyourenvironment,itwillbeonaverage onehalfthattime,or45to60minutes,beforethechangestartstotake effect.

Bydefault,WindowsXP,WindowsVista,andWindows7clientsperformonly backgroundrefreshesatstartupandlogon,whichmeansthataclientmightstartup andausermightlogonwithoutreceivingthelatestpoliciesfromthedomain.We highlyrecommendthatyouchangethisdefaultbehaviorsothatpolicychangesare implementedinamanaged,predictableway.EnablethepolicysettingAlwaysWait ForNetworkAtStartupAndLogonforallWindowsclients.Thesettingislocated inComputerConfiguration\Policies\AdministrativeTemplates\System\Logon.Besure

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 104/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

toreadthepolicysettingsexplanatorytext.Notethatthisdoesnotaffectthestartup orlogontimeforcomputersthatarenotconnectedtoanetwork.Ifthecomputer detectsthatitisdisconnected,itdoesnot"wait"foranetwork.Thecontoso.com domainusedinthiscoursehasbeenpreconfiguredwiththisadditionalGroupPolicy setting.

Settings Might Not Take Effect Immediately

Althoughmostsettingsareappliedduringabackgroundpolicyrefresh,someCSEsdo notapplythesettinguntilthenextstartuporlogonevent.Forexample,newlyadded startupandlogonscriptpoliciesdonotrununtilthenextcomputerstartuporlogon. Softwareinstallation,whichisdiscussedinModule7,willoccuratthenextstartupif thesoftwareisassignedincomputersettings.Changestofolderredirectionpolicies willnottakeeffectuntilthenextlogon.

Manually Refresh Group Policy with GPUpdate

WhenyouareexperimentingwithGroupPolicyortryingtotroubleshootGroupPolicy processing,youmightneedtoinitiateaGroupPolicyrefreshmanuallysothatyoudo nothavetowaitforthenextbackgroundrefresh.TheGPUpdatecommandcanbe usedtoinitiateaGroupPolicyrefresh.Usedonitsown,thiscommandtriggers processingidenticaltoabackgroundGroupPolicyrefresh.Bothcomputerpolicyand userpolicyarerefreshed.Usethe/target:computeror/target:userparametertolimit therefreshtocomputerorusersettings,respectively.Duringbackgroundrefresh,by default,settingsareappliedonlyiftheGPOhasbeenupdated.The/forceswitch
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 105/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

causesthesystemtoreapplyallsettingsinallGPOsscopedtotheuserorcomputer. Somepolicysettingsrequirealogofforrebootbeforetheyactuallytakeeffect.The /logoffand/bootswitchesofGPUpdatecausealogofforreboot,respectively.You canusetheseswitcheswhenyouapplysettingsthatrequirealogofforreboot. So,thecommandthatwillcauseatotalrefreshapplication,and(ifnecessary)reboot andlogontoapplyupdatedpolicysettingsis:

g p u p d a t e/ f o r c e/ l o g o f f/ b o o t

InWindows2000Server,theSecedit.execommandwasusedtorefreshpolicy,so youmightencounteramentionoftheSecedit.execommandontheexam.

Most CSEs Do Not Reapply Settings if the GPO Has Not Changed
RememberthatmostCSEsapplysettingsinaGPOonlyiftheGPOversionhas changed.Thismeansifausercanchangeasettingthatwasoriginallyspecifiedby GroupPolicy,thesettingwillnotbebroughtbackintocompliancewiththesettings specifiedbytheGPOuntiltheGPOchanges.Luckily,mostpolicysettingscannotbe changedbyanonprivilegeduser.However,ifauserisanadministratoroftheir computer,orifthepolicysettingaffectsapartoftheregistryorofthesystemthat theuserhaspermissionstochange,thiscouldbearealproblem.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

106/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

YouhavetheoptionofinstructingeachCSEtoreapplythesettingsofGPOsevenif theGPOshavenotbeenchanged.ProcessingbehaviorofeachCSEcanbeconfigured inthepolicysettingsfoundinComputerConfiguration\Administrative Templates\System\GroupPolicy.

Lesson 5: Troubleshoot Policy Application

WiththeinteractionofmultiplesettingsinmultipleGPOsscopedbyusingavarietyof methods,GroupPolicyapplicationcanbecomplextoanalyzeandunderstand. Therefore,youmustbeequippedtoeffectivelyevaluateandtroubleshootyourGroup Policyimplementation,identifypotentialproblemsbeforetheyarise,andsolve

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 107/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

unforeseenchallenges.MicrosoftWindowsprovidestwotoolsthatareindispensible forsupportingGroupPolicy,ResultantSetofPolicy(RSoP)andtheGroupPolicy OperationalLogs.Inthislesson,youwillexploretheuseofthesetoolsinboth proactiveandreactivetroubleshootingandsupportscenarios.

Objectives
Aftercompletingthislesson,youwillbeableto: AnalyzethesetofGPOsandpolicysettingsthathavebeenappliedtoauseror computer. ProactivelymodeltheimpactofGroupPolicyorActiveDirectorychangesonthe ResultantSetofPolicy(RSOP). LocatetheeventlogscontainingGroupPolicyrelatedevents.

Resultant Set of Policy

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

108/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

InLesson4,youlearnedthatauserorcomputercanbewithinthescopeofmultiple GPOs.GroupPolicyinheritance,filters,andexceptionsarecomplex,anditsoften difficulttodeterminewhichpolicysettingswillapply. RSoPistheneteffectofGPOsappliedtoauserorcomputertakingintoaccountGPO links,exceptions,suchasEnforcedandBlockInheritance,andapplicationofsecurity andWMIfilters. RSoPisalsoacollectionoftoolsthathelpyouevaluate,model,andtroubleshootthe applicationofGroupPolicysettings.RSoPcanqueryalocalorremotecomputerand reportbacktheexactsettingsthatwereappliedtothecomputerandtoanyuserwho

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 109/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

hasloggedontothecomputer.RSoPcanalsomodelthepolicysettingsthatare anticipatedtobeappliedtoauserorcomputerunderavarietyofscenarios,including movingtheobjectbetweenOUsorsitesorchangingtheobjectsgroupmembership. Withthesecapabilities,RSoPcanhelpyoumanageandtroubleshootconflicting policies. WindowsServer2008providesthefollowingtoolsforperformingRSoPanalysis: TheGroupPolicyResultsWizard TheGroupPolicyModelingWizard GPResult.exe

Generate RSoP Reports

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

110/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TohelpyouanalyzethecumulativeeffectofGPOsandpolicysettingsonauseror computerinyourorganization,theGPMCincludestheGroupPolicyResultsWizard.If youwanttounderstandexactlywhichpolicysettingshaveappliedtoauserora computer,andwhy,theGroupPolicyResultsWizardisthetooltouse. TheGroupPolicyResultsWizardcanreachintotheWMIprovideronalocalor remotecomputerrunningWindowVista,WindowsXP,WindowsServer2003, WindowsServer2008,orWindows7.TheWMIprovidercanreporteverythingthere istoknowaboutthewayGroupPolicywasappliedtothesystem.Itknowswhen processingoccurred,whichGPOswereapplied,whichGPOswerenotappliedand why,errorsthatwereencountered,andtheexactpolicysettingsthattookprecedence andtheirsourceGPO.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 111/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

ThereareseveralrequirementsforrunningtheGroupPolicyResultsWizard,as follows: Youmusthaveadministrativecredentialsonthetargetcomputer. ThetargetcomputermustberunningWindowsXPornewer.TheGroupPolicy ResultsWizardcannotaccessWindows2000systems. YoumustbeabletoaccessWMIonthetargetcomputer.Thismeansitmustbe poweredon,connectedtothenetwork,andaccessiblethroughports135and445.

NotePerformingRSoPanalysisbyusingGroupPolicyResultsWizardisjust oneexampleofremoteadministration.Toperformremoteadministration, youmayneedtoconfigureinboundrulesforthefirewallusedbyyour clientsandservers.

TheWMIservicemustbestartedonthetargetcomputer. IfyouwanttoanalyzeRSoPforauser,thatusermusthaveloggedonatleast oncetothecomputer.Itisnotnecessaryfortheusertobecurrentlyloggedon.

Afteryouhaveensuredthattherequirementsaremet,youarereadytorunanRSoP analysis.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

112/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TorunanRSoPreport,rightclickGroupPolicyResultsintheGPMCconsoletree andthenclickGroupPolicyResultsWizard. Thewizardpromptsyoutoselectacomputer.ItthenconnectstotheWMIprovider onthatcomputerandprovidesalistofusersthathaveloggedontoit.Youcanthen selectoneoftheusersoropttoskipRSoPanalysisforuserconfigurationpolicies. ThewizardproducesadetailedRSoPreportinadynamicHTMLformat.IfInternet ExplorerEnhancedSecurityConfigurationisset,youwillbepromptedtoallowthe consoletodisplaythedynamiccontent.Youcanexpandorcollapseeachsectionof thereportbyclickingtheShoworHidelink,orbydoubleclickingtheheadingofthe section. Thereportisdisplayedonthreetabs: Summary.TheSummarytabdisplaysthestatusofGroupPolicyprocessingat thelastrefresh.Youcanidentifyinformationthatwascollectedaboutthesystem, theGPOsthatwereappliedanddenied,securitygroupmembershipthatmight haveaffectedGPOsfilteredwithsecuritygroups,WMIfiltersthatwereanalyzed, andthestatusofCSEs. Settings.TheSettingstabdisplaystheresultantsetofpolicysettingsappliedto thecomputeroruser.Thistabshowsyouexactlywhathashappenedtotheuser throughtheeffectsofyourGroupPolicyimplementation.Atremendousamountof informationcanbegleanedfromtheSettingstab,butsomedataisntreported,
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 113/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

suchasIPSec,wireless,anddiskquotapolicysettings. PolicyEvents.ThePolicyEventstabdisplaysGroupPolicyeventsfromthe eventlogsofthetargetcomputer.

AfteryouhavegeneratedanRSoPreportwiththeGroupPolicyResultsWizard,you canrightclickthereporttorerunthequery,printthereport,orsavethereportas eitheranXMLfileoranHTMLfilethatmaintainsthedynamicexpandingand collapsingsections.BothfiletypescanbeopenedwithInternetExplorer,sotheRSoP reportisportableoutsidetheGPMC. Ifyourightclickthenodeofthereportitself,undertheGroupPolicyResultsfolderin theconsoletree,youcanswitchtoAdvancedView.InAdvancedView,RSoPis displayedbyusingtheRSoPsnapin,whichexposesallappliedsettings,including IPSec,wireless,anddiskquotapolicies.

Generate RSoP Reports with GPResult.exe

TheGPResult.execommandisthecommandlineversionoftheGroupPolicyResults Wizard.GPResulttapsintothesameWMIproviderasthewizard,producesthesame informationand,infact,enablesyoutocreatethesamegraphicalreports.GPResult runsonWindowsVista,WindowsXP,WindowsServer2003,WindowsServer2008, andWindows7.Windows2000includesaGPResult.execommand,whichproducesa limitedreportofGroupPolicyprocessing,butisnotassophisticatedasthecommand
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 114/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

includedinlaterversionsofWindows. WhenyouruntheGPResultcommand,youarelikelytousethefollowingoptions.

/ s c o m p u t e r n a m e

ThisoptionspecifiesthenameorIPaddressofaremotesystem.Ifyouuseadot(.) asthecomputername,ordonotincludethe/soption,theRSoPanalysisis performedonthelocalcomputer.

/ s c o p e[ u s e r|c o m p u t e r ]

ThisdisplaysRSoPanalysisforuserorcomputersettings.Ifyouomitthe/scope option,RSoPanalysisincludesbothuserandcomputersettings.

/ u s e r u s e r n a m e

ThisspecifiesthenameoftheuserforwhichRSoPdataistobedisplayed.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

115/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

/ r

ThisoptiondisplaysasummaryofRSoPdata.

/ v

ThisoptiondisplaysverboseRSoPdata,whichpresentsthemostmeaningful information.

/ z

Thisdisplayssuperverbosedata,includingthedetailsofallpolicysettingsappliedto thesystem.Often,thisismoreinformationthanyouwillrequirefortypicalGroup Policytroubleshooting.

/ u d o m a i n \ u s e r / p p a s s w o r d

ThisprovidescredentialsthatareintheAdministratorsgroupofaremotesystem.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 116/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Withoutthesecredentials,GPResultrunsbyusingthecredentialswithwhichyouare loggedon.

[ / x|/ h ]f i l e n a m e

ThisoptionsavesthereportsintheXMLorHTMLformat.Theseoptionsareavailable inWindowsVistaSP1andlater,WindowsServer2008andlater,andWindows7.

Troubleshoot Group Policy with the Group Policy Results Wizard and GPResult.exe
Asanadministrator,youwilllikelyencounterscenariosthatrequireGroupPolicy troubleshooting.Youmightneedtodiagnoseandsolveproblems,includingthe following: GPOsarenotbeingappliedatall. Theresultantsetofpoliciesforacomputeroruserisnotwhatwasexpected.

TheGroupPolicyResultsWizardandGPResult.exewilloftenprovidethemost valuableinsightintoGroupPolicyprocessingandapplicationproblems.Remember thatthesetoolsexaminetheWMIRSoPprovidertoreportexactlywhathappenedon asystem.ExaminingtheRSoPreportwilloftenpointyoutoGPOsthatarescoped

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 117/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

incorrectlyorpolicyprocessingerrorsthatpreventedtheapplicationofGPOsettings.

Perform What-If Analyses with the Group Policy Modeling Wizard

Ifyoumoveacomputeroruserbetweensites,domains,orOUs,orchangeits securitygroupmembership,theGPOsscopedtothatuserorcomputerwillchange. Therefore,theRSoPforthecomputeroruserwillbedifferent.TheRSoPwillalso changeifslowlinkorloopbackprocessingoccurs,orifthereisachangetoasystem characteristicthatistargetedbyaWMIfilter. Beforeyoumakeanyofthesechanges,youshouldevaluatethepotentialimpactto

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 118/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

theRSoPoftheuserorcomputer.TheGroupPolicyResultsWizardcanperformRSoP analysisonlyonwhathasactuallyhappened.Topredictthefutureandtoperform whatifanalyses,youcanusetheGroupPolicyModelingWizard. ToperformGroupPolicyModeling,rightclicktheGroupPolicyModelingnodeinthe GPMCconsoletree,clickGroupPolicyModelingWizard,andthenperformthestepsin thewizard. Modelingisperformedbyconductingasimulationonadomaincontroller,soyouare firstaskedtoselectadomaincontrollerthatisrunningWindowsServer2003orlater. Youdonotneedtobeloggedonlocallytothedomaincontroller,butthemodeling requestwillbeperformedonthedomaincontroller.Youarethenaskedtospecifythe settingsforthesimulation. Selectauserorcomputerobjecttoevaluate,orspecifytheOU,site,ordomainto evaluate. Choosewhetherslowlinkprocessingshouldbesimulated. Specifytosimulateloopbackprocessingand,ifso,chooseReplaceorMergemode. Selectasitetosimulate. Selectsecuritygroupsfortheuserandforthecomputer. ChoosewhichWMIfilterstoapplyinthesimulationofuserandcomputerpolicy
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 119/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

processing.

Whenyouhavespecifiedthesettingsforthesimulation,areportisproducedthatis verysimilartotheGroupPolicyResultsreportdiscussedearlier.TheSummarytab showsanoverviewofwhichGPOswillbeprocessed,andtheSettingstabdetailsthe policysettingsthatwillbeappliedtotheuserorcomputer.Thisreport,too,canbe savedbyrightclickingitandchoosingSaveReport.

Examine Policy Event Logs

WindowsVista,WindowsServer2008,andWindows7improveyourabilityto
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 120/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

troubleshootGroupPolicynotonlywithRSoPtools,butalsowithimprovedlogging ofGroupPolicyevents. IntheSystemlog,youwillfindhighlevelinformationaboutGroupPolicy, includingerrorscreatedbytheGroupPolicyclientwhenitcannotconnecttoa domaincontrollerorlocateGPOs. TheApplicationlogcaptureseventsrecordedbyCSEs. Anewlog,calledtheGroupPolicyOperationalLog,providesdetailedinformation aboutGroupPolicyprocessing.

TofindGroupPolicylogs,opentheEventViewersnapinorconsole.TheSystemand ApplicationlogsareintheWindowsLogsnode.TheGroupPolicyOperationalLogis foundin ApplicationsAndServicesLogs\Microsoft\Windows\GroupPolicy\Operational.

Lab C: Troubleshoot Policy Application

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

121/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

122/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

4.

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

5.

Start6425CNYCCL1.LogontoNYCCL1asPat.Colemanwiththepasswordof Pa$$w0rd.

Lab Scenario
YouareresponsibleforadministeringandtroubleshootingtheGroupPolicy infrastructureatContoso,Ltd.Youwanttoevaluatetheresultantsetofpoliciesfor usersinyourenvironmenttoensurethattheGroupPolicyinfrastructureishealthy, andthatallpoliciesareappliedastheywereintended.

Exercise 1: Perform RSoP Analysis

Inthisexercise,youwillevaluatetheresultantsetofpolicybyusingboth theGroupPolicyResultsWizardandtheGPResultscommand. Themaintasksforthisexerciseareasfollows:

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

123/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

1. 2. 3.

RefreshGroupPolicy. CreateaGroupPolicyresultsRSoPreport. AnalyzeRSoPwithGPResults.

Task 1: Refresh Group Policy.

1.

OnNYCCL1,runthecommandpromptasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.

2.

Runthegpupdate/forcecommand.Afterthecommandhascompleted,make anoteofthecurrentsystemtime,whichyouwillneedtoknowforatasklaterin thislab.

3.

RestartNYCCL1andwaitforittorestartbeforeproceedingwiththenexttask.

Task 2: Create a Group Policy results RSoP report.

1.

OnNYCDC1,runtheGroupPolicyManagementconsoleasanadministrator, withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2.

UsetheGroupPolicyResultsWizardtorunanRSoPreportfor Pat.ColemanonNYCCL1.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

124/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

3.

ReviewGroupPolicySummaryresults.Forbothuserandcomputer configuration,identifythetimeofthelastpolicyrefreshandthelistofallowed anddeniedGPOs.Identifythecomponentsthatwereusedtoprocesspolicy settings.

4.

ClicktheSettingstab.Reviewthesettingsthatwereappliedduringuserand computerpolicyapplication,andidentifytheGPOfromwhichthesettingswere obtained.

5.

ClickthePolicyEventstab,andlocatetheeventthatlogsthepolicyrefresh youtriggeredwiththeGPUpdatecommandinTask1.

6.

ClicktheSummarytab,rightclickthepage,andchooseSaveReport.Save thereportasanHTMLfiletodriveDwithanameofyourchoice.Thenopenthe RSoPreportfromdriveD.

Task 3: Analyze RSoP with GPResults.

1. 2. 3.

LogontoNYCCL1asPat.Coleman_AdminwiththepasswordPa$$w0rd. Runthecommandpromptwithadministrativecredentials. Typegpresult/randpressEnter. RSoPsummaryresultsaredisplayed.Theinformationisverysimilartothe SummarytaboftheRSoPreportproducedbytheGroupPolicyResultsWizard.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

125/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

4.

Typegpresult/vandpressEnter. AmoredetailedRSoPreportisproduced.NoticethatmanyoftheGroupPolicy settingsappliedbytheclientarelistedinthisreport.

5.

Typegpresult/zandpressEnter. ThemostdetailedRSoPreportisproduced.

6.

Typegpresult/h:"%userprofile%\Desktop\RSOP.html"andpressEnter. AnRSoPreportissavedasanHTMLfiletoyourdesktop.

7. 8.

OpenthesavedRSoPreportfromyourdesktop. Comparethereport,itsinformation,anditsformattingwiththeRSoPreportyou savedintheprevioustask.

Results:Inthisexercise,youlearnedhowtodoaresultantsetofpolicyintwo ways,usingawizardandfromthecommandline.

Exercise 2: Use the Group Policy Modeling Wizard

BeforeyourollouttheConferenceRoomPoliciesGPOforproduction,you wanttoevaluatetheeffectitwillhaveonuserswhologontoconference
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 126/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

roomcomputers.Inthisexercise,youwillusetheGroupPolicyModeling Wizardtomodeltheresultantsetofpoliciesappliedtoauser,Mike Danseglio,ifheweretologontoaconferenceroomcomputer,NYCCL1. Themaintaskforthisexerciseisasfollows: PerformGroupPolicyresultsmodeling.

NoteThistaskrequiresgreaterlevelofdetailinthehighlevelsteps comparetoothertasksinthemodule..

Task 1: Perform Group Policy results modeling.

1. 2.

SwitchtoNYCDC1. IntheGroupPolicyManagementconsoletree,expandForest:Contoso.com, andthenclickGroupPolicyModeling.

3.

RightclickGroupPolicyModeling,andthenclickGroupPolicyModeling Wizard. TheGroupPolicyModelingWizardappears.

4.

ClickNext.
127/135

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

07/06/13

Module 6: Implementing a Group Policy Infrastructure

5. 6.

OntheDomainControllerSelectionpage,clickNext. OntheUserAndComputerSelectionpage,intheUserInformation section,clickUser,andthenclickBrowse. TheSelectUserdialogboxappears.

7. 8.

TypeMike.DanseglioandthenpressEnter. IntheComputerInformationsection,clicktheComputeroptionbutton, andthenclickBrowse. TheSelectComputerdialogboxappears.

9.

TypeNYCCL1andthenpressEnter.

10. ClickNext. 11. OntheAdvancedSimulationOptionspage,selecttheLoopback Processingcheckbox,andthenclickMerge. EventhoughtheConferenceRoomPolicesGPOspecifiesloopback processing,youmustinstructtheGroupPolicyModelingWizardtoconsider loopbackprocessinginitssimulation. 12. ClickNext. 13. OntheAlternateActiveDirectoryPathspage,clicktheBrowsebuttonnext toComputerlocation.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 128/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

TheChooseComputerContainerdialogboxappears. 14. Expandcontoso.comandKiosks,andthenclickConferenceRooms. YouaresimulatingtheeffectofNYCCL1asaconferenceroomcomputer. 15. ClickOK. 16. ClickNext. 17. OntheUserSecurityGroupspage,clickNext. 18. OntheComputerSecurityGroupspage,clickNext. 19. OntheWMIFiltersforUserspage,clickNext. 20. OntheWMIFiltersforComputerspage,click.Next. 21. ReviewyoursettingsontheSummaryofSelectionspage,andthenclick Next. 22. ClickFinish. 23. OntheSummarytab,scrolltoandexpand,ifnecessary,UserConfiguration, GroupPolicyObjects,andAppliedGPOs. 24. CheckwhethertheConferenceRoomPoliciesGPOapplytoMikeDanseglio asaUserpolicywhenhelogsontoNYCCL1ifNYCCL1isintheConference RoomsOU.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

129/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Ifnot,checkthescopeoftheConferenceRoomPoliciesGPO.Itshouldbe linkedtotheConferenceRoomsOUwithsecuritygroupfilteringthatapplies theGPOtotheAuthenticatedUsersspecialidentity.Youcanrightclickthe modelingquerytorerunthequery.IftheGPOisstillnotapplying,trydeleting andrebuildingtheGroupPolicyModelingreport,andbeverycarefulto followeachstepprecisely. 25. ClicktheSettingstab. 26. Scrollto,andexpandifnecessary,UserConfiguration,Policies, AdministrativeTemplatesandControlPanel/Personalization. 27. Confirmthatthescreensavertimeoutis2,700seconds(45minutes),thesetting configuredbytheConferenceRoomPoliciesGPOthatoverridesthe10 minutestandardconfiguredbytheCONTOSOStandardsGPO.

Results:Inthisexercise,youusedtheGroupPolicyModelingWizardtoconfirm thattheConferenceRoomPoliciesGPOinfactappliesitssettingstouserslogging ontoconferenceroomcomputers.

Exercise 3: View Policy Events

Asaclientperformsapolicyrefresh,GroupPolicycomponentslogentries
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 130/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

totheWindowseventlogs.Inthisexercise,youwilllocateandexamine GroupPolicyrelatedevents. Themaintaskforthisexerciseisasfollows: Viewpolicyevents.

Task 1: View policy events.

1.

OnNYCCL1,whereyouareloggedonasPat.Coleman_Admin,runEvent Viewerasanadministrator.

2. 3.

LocateandreviewGroupPolicyeventsintheSystemlog. LocateandreviewGroupPolicyeventsintheApplicationlog.

NoteDependingonhowlongthevirtualmachinehasbeenrunning,you maynothaveanyGroupPolicyEventsintheapplicationlog.

IntheGroupPolicyOperationallog,locatethefirsteventrelatedintheGroup PolicyrefreshyouinitiatedinExercise1,withtheGPUpdatecommand.Reviewthat eventandtheeventsthatfollowedit.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 131/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Results:Inthisexercise,youidentifiedGroupPolicyeventsintheeventlogs.

To prepare for the next module

Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:

1. 2.

Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.

3. 4.

IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCCL1.

Lab Review Questions Question:InwhichsituationshaveyouusedRSoPreportstotroubleshoot GroupPolicyapplicationinyourorganization? Question:Inwhichsituationshaveyouused,orcouldyouanticipateusing, GroupPolicymodeling?

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

132/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Question:HaveyoueverdiagnosedaGroupPolicyapplicationproblembased oneventsinoneoftheeventlogs?

Module Review and Takeaways

Review Questions
1. YouhaveassignedalogonscripttoanOUviaGroupPolicy.Thescriptislocated inasharednetworkfoldernamedScripts.SomeusersintheOUreceivethe script,whereasothersdonot.Whatmightbethepossiblecauses?
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe 133/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

2. 3.

WhatGPOsettingsareappliedacrossslowlinksbydefault? Youneedtoensurethatadomainlevelpolicyisenforced,buttheManagers globalgroupneedstobeexemptfromthepolicy.Howwouldyouaccomplish this?

Common Issues Related to Group Policy Management

Issue
GroupPolicysettingsarenotappliedtoallusersor computersinOUwhereGPOisapplied Grouppolicysettingssometimesneedtworestarts toapply

Troubleshootingtip

Best Practices Related to Group Policy Management

NameGroupPolicyobjects,soyoucaneasilyidentifythembyname ApplyGroupPolicyObjectashighaspossibleinADDShierarchy UseBlockInheritanceandEnforcedoptionsonlywhenreallynecessary MakecommentsonGPOsettings

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

134/135

07/06/13

Module 6: Implementing a Group Policy Infrastructure

Tools
Tool
Grouppolicyreporting RSoP

Usefor
Reportinginformationabout thecurrentpoliciesbeing deliveredtoclients.

Wheretofindit
GroupPolicyManagementConsole

GPResult

Acommandlineutilitythat displaysRSoPinformation.

Commandlineutility

GPUpdate

RefreshinglocalandADDS basedGroupPolicysettings.

Commandlineutility

Dcgpofix

RestoringthedefaultGroup Policyobjectstotheiroriginal stateafterinitialinstallation.

Commandlineutility

GPOLogView

ExportingGroupPolicyrelated eventsfromthesystemand operationallogsintotext, HTML,orXMLfiles.Foruse withWindowsVista,Windows 7,andlaterversions.

Commandlineutility

GroupPolicy Managementscripts

Samplescriptsthatperforma numberofdifferent troubleshootingand maintenancetasks.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=8&FontSize=3&FontType=segoe

135/135