Module 11: Implementing Group Policy
Contents:
Module Overview
Lesson 1: Overview of Group Policy
Lesson 2: Group Policy Processing
Lesson 3: Implementing a Central Store for Administrative Templates
Lab: Implementing Group Policy
Module Review and Takeaways

Module Overview
Maintaining a consistent computing environment across an organization is challenging. Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling administrators to centrally manage and apply configuration settings.
This module provides an overview of Group Policy and provides details about how to implement Group Policy.

Objectives
After completing this module, you will be able to:
Create and manage Group Policy Objects.
Describe Group Policy processing.
Implement a Central Store for administrative templates.

Lesson 1: Overview of Group Policy

You can use Group Policy to control the settings of the computing environment. It is important to understand how Group Policy functions, so you can apply Group Policy correctly. This lesson provides an overview of Group Policy structure, and defines local and domain-based Group Policy Objects (GPOs). It also describes the types of settings available for users and groups.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the components of Group Policy.
Describe multiple local GPOs.
Describe storage options for domain GPOs.
Describe GPO policies and preferences.
Describe starter GPOs.
Describe the process of delegating GPO management.
Describe the process of creating and managing GPOs.

Components of Group Policy

Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group together Group Policy settings to make GPOs, which you can then apply to users or computers.

GPOs

A Group Policy Object (GPO) is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPO templates are stored in SYSVOL, and GPO container objects are stored in Active Directory Domain Services (AD DS). You can manage GPOs by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor window. GPOs are linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration setting to apply to an object (a computer or a user, or both) within AD DS. Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment.
Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, the setting is simply ignored.
Most policy settings have the following three states:
Not Configured. The GPO does not modify the existing configuration of th
Enabled. The policy setting is applied.
Disabled. The policy setting is specifically reversed.
By default, most settings are set to Not Configured.
Note: Some settings are multi-valued or have text string values. These are typically used to provide specific configuration details to apps or operating system components. For example, a setting might provide the URL of the home page used in Windows Internet Explorer or the path to blocked apps.
The effect of a configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users cannot open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: You disable a policy that prevents an action, thereby allowing the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:
User settings. These are settings that modify the HKEY_CURRENT_USER hive
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE

User and computer settings each have three areas of configuration, as described in the following table.

Section: Software settings
Description: Contain software settings that can be deployed to either the user or the compu
t is deployed to the computer is available to all users of that computer.

Section: Windows operating system settings
Description: Contain script settings and security settings for both user and computer, and I

Section: Administrative templates
Description: Contain hundreds of settings that modify the registry to control various aspect
ht be created by Microsoft or other vendors. You can add these new templates
n add to the GPME. You can download these templates from the Microsoft webs

Group Policy Management Editor Window

The Group Policy Management Editor window displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor window is where you configure all Group Policy settings and preferences.

Group Policy Preferences

In addition to the Group Policy sections shown in the previous table, a Preferences node is present under both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor window. Preferences provide even more capabilities with which to configure the environment, and are discussed later in this module.

Local Group Policy

All systems that are running Microsoft Windows client or server operating systems also have available local GPOs. Local policy settings only apply to the local machine, but you can export and import them to other computers.

New in Windows Server 2012 R2

Windows Server 2012 R2 offers several new or updated Group Policy settings and features for computers that run Windows Server 2012 R2 or Windows 8.1. These settings and features include the following:
Faster processing by using a Group Policy Caching setting. This new setting
unning in synchronous mode (which is the default mode for Group Policy p
Increased support for IPv6. New IPv6 settings include the ability to push IP
ion, item-level targeting is available for IPv6.
Extended logging for Group Policy operations. The Group Policy Operationa
uding the length of processing time and the amount of time for downloadin
e: Event Viewer\Applications and Services\Microsoft\Windows\GroupPolicy\
There are many new settings for Windows 8.1 and Windows Server 2012 R
onfiguring charms, and customizing background colors.

What Are Multiple Local GPOs?

In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs. Since Windows 8 and Windows Server 2012, you also can have different user settings for different local users, but this is only available for user configurations that are in Group Policy. In fact, there is only one set of computer configurations available that affects all users of the computer.
Since Windows 8 and Windows Server 2012, computers that run Windows provide this ability with the following three layers of local GPOs:
Local Group Policy (contains the computer configuration settings)
Administrators and Non-Administrators Local Group Policy
User-specific Local Group Policy
Note: The exception to this feature is domain controllers. Due to the nat

How the Layers Are Processed

The layers of local GPOs are processed in the following order:
1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy
With the exception of the Administrator or Non-Administrator categories, it is not possible to apply local GPOs to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or to the Administrator or Non-Administrator settings, as appropriate.
Note: Domain administrators can disable processing local GPOs on clients that are running Windows client operating systems and Windows Server operating systems by enabling the Turn Off Local Group Policy Objects Processing policy setting.

Storage of Domain GPOs

Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template

Group Policy templates are the actual collection of settings that you can change. The Group Policy template is a collection of files stored in the SYSVOL of each domain controller. SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the globally unique identifier (GUID) of the Group Policy container. When you create a GPO, a new Group Policy template is created in the SYSVOL folder, and a new Group Policy container is created in AD DS.

Group Policy Container

The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a GUID attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and version numbers, but it does not contain any of the settings.
By default, when a Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) only apply settings in a GPO if the GPO has been updated.
The Group Policy client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has been changed, the CSEs are informed that the GPO is updated.
When editing a Group Policy Object, the version you are editing is the version on the domain controller that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role. It does not matter what computer you are using to perform the editing, the GPMC is focused on the PDC emulator by default. You can, however, change the focus of the GPMC to edit a version on a different domain controller.
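The version number described above lives in two places, the gPCVersionNumber attribute of the Group Policy container and the Version line of GPT.ini in the template folder, and the two must agree or clients will not see an update consistently. The following added example (not part of the course material) reads both sources for every GPO on the PDC emulator and reports any mismatch. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the caller can read SYSVOL; the split of the 32-bit version into a computer part (low 16 bits) and a user part (high 16 bits) is the documented encoding of that attribute.

```powershell
# Added example: compare the AD DS (container) and SYSVOL (template) version
# numbers of each GPO. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # editing always happens against the PDC emulator

function Split-GpoVersion {
    # A GPO version is one 32-bit number: low 16 bits = computer side,
    # high 16 bits = user side. AD returns it as a signed Int32, so normalize.
    param([int64]$Version)
    if ($Version -lt 0) { $Version += 4294967296 }
    [pscustomobject]@{
        Computer = [int]($Version -band 0xFFFF)
        User     = [int][math]::Floor($Version / 65536)
    }
}

function Get-GptIniVersion {
    # GPT.ini in the template folder carries "Version=<number>" under [General].
    param([string]$TemplatePath)
    $line = Get-Content -Path (Join-Path $TemplatePath 'GPT.ini') |
            Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if (-not $line) { return $null }
    [int64]($line.Substring('Version='.Length).Trim())
}

function Test-GpoVersionSync {
    param([string]$DomainName, [string]$Server)
    foreach ($gpo in Get-GPO -All -Domain $DomainName -Server $Server) {
        # $gpo.Path is the distinguished name of the Group Policy container.
        $container = Get-ADObject -Identity $gpo.Path -Server $Server `
                     -Properties gPCVersionNumber, gPCFileSysPath
        $ds  = Split-GpoVersion $container.gPCVersionNumber
        $raw = Get-GptIniVersion -TemplatePath $container.gPCFileSysPath
        $svl = $null
        if ($null -ne $raw) { $svl = Split-GpoVersion $raw }
        $svlComputer = 'missing'; $svlUser = 'missing'; $inSync = $false
        if ($svl) {
            $svlComputer = $svl.Computer
            $svlUser     = $svl.User
            $inSync      = ($ds.Computer -eq $svl.Computer) -and ($ds.User -eq $svl.User)
        }
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            DS_Computer     = $ds.Computer
            Sysvol_Computer = $svlComputer
            DS_User         = $ds.User
            Sysvol_User     = $svlUser
            InSync          = $inSync
        }
    }
}

Test-GpoVersionSync -DomainName $domain.DNSRoot -Server $pdc | Format-Table -AutoSize
```

Get-GPO already exposes the same numbers as Computer.DSVersion, Computer.SysvolVersion, User.DSVersion and User.SysvolVersion; the script reads the raw sources so that the two storage locations the text describes are visible. A persistent mismatch on one domain controller usually points at SYSVOL replication rather than at the GPO itself, so run the check against the PDC emulator first and then against the other domain controllers.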

What Are Group Policy Preferences?

Group Policy preferences are a Group Policy feature, which includes more than 20 Group Policy extensions that expand the range of configurable settings within a GPO. Configuring preferences helps reduce the need for logon scripts.

Characteristics of Preferences

Preferences have the following characteristics:
Preferences exist for both computers and users.
Unlike Group Policy settings, preferences are not enforced, and users can
es.
Preferences can be managed through the Remote Server Administration To
Preferences can be applied only once at startup or sign in, and can be refr
Unlike Group Policy settings, preferences are not removed when the GPO i
You can target preferences easily to certain users or computers by using a
ership or by the operating system version.
Preferences are not available for local GPOs.
Unlike a Group Policy setting, the user interface of a Group Policy preferen

Common Uses for Group Policy Preferences

Although you can configure many settings through Group Policy preferences, the following are some of the more common uses:
Map network drives for users
Configure desktop shortcuts for users or computers
Set environment variables
Map printers
Set power options
Configure Start menus
Configure data sources
Configure Internet options
Schedule tasks

What Are Starter GPOs?

Starter GPOs are templates that assist in the creation of GPOs. When creating new GPOs, you can choose to use a starter GPO as the source. This makes it easier and faster to create multiple GPOs with the same baseline configuration.

Available Settings

Starter GPOs contain settings from only the Administrative Templates node of either the User Configuration section or the Computer Configuration section. The Software Settings and Windows Settings nodes of Group Policy are not available, because these nodes involve interaction of services and are more complex and domain-dependent.

Exporting Starter GPOs

You can export starter GPOs to a Cabinet file (.cab) and then load that .cab file into another environment that is completely independent of the source domain or forest. By exporting a starter GPO, you can send the .cab file to other administrators, who can then use it in other areas. For example, you might create a GPO that defines Internet Explorer security settings. If you want all sites and domains to employ the same settings, then you could export the starter GPO to a .cab file, and then distribute it.

When to Use Starter GPOs

The most common situation in which you would use a starter GPO is when you want a group of settings for a type of computer role. For example, you might want all corporate laptops to have the same desktop restrictions, or all file servers to have the same baseline Group Policy settings, but enable variations for different departments.

Included Starter GPOs

The GPMC includes a link to create a Starter GPO folder, which contains a number of predefined starter GPOs. These policies provide preconfigured, security-oriented settings for Enterprise Clients (EC), in addition to Specialized Security Limited Functionality (SSLF) clients for both user and computer settings on Windows Vista and Windows XP with Service Pack 2 (SP2) operating systems. You can use these policies as starting points when you design security policies.

Delegating Management of GPOs

Administrators can delegate some of the Group Policy administrative tasks to other users. These users do not have to be domain administrators; they can be users that are granted certain rights to GPOs.
For example, a user who manages a particular Organizational Unit (OU) could be tasked with performing reporting and analysis duties, while the help desk group is allowed to edit GPOs for that OU. A third group made up of developers might be put in charge of creating Windows Management Instrumentation (WMI) filters.
The following Group Policy administrative tasks can be delegated independently:
Creating GPOs, including creating Starter GPOs
Editing GPOs
Managing Group Policy links for a site, domain, or OU
Performing Group Policy modeling analysis
Reading Group Policy results data
Creating WMI filters
Members of the Group Policy Creator Owners group can create new GPOs and edit or delete GPOs that they have created.

Group Policy Default Permissions

By default, the following users and groups have full access to manage Group Policy:
Domain Admins
Enterprise Admins
Creator Owner
Local System
The Authenticated Users group has Read and Apply Group Policy permissions only.

Permissions for Creating GPOs

By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:
Add the user to the Group Policy Creator Owners group
Explicitly grant the group or user permission to create GPOs by using the

Permissions for Editing GPOs

To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.

Managing GPO Links

The ability to link GPOs to a container is a permission that is specific to that container. In the GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results

You can delegate the ability to use the reporting tools either through the GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.

Creating WMI Filters

You can delegate the ability to create and manage WMI filters either through the GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.
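Delegation of GPO editing and GPO creation, as described in the sections above, can be done and, more importantly, audited from Windows PowerShell as well as from the GPMC. The following added example (not part of the course material) first lists every trustee holding edit-level rights on any GPO and flags the ones outside the default set the text lists, then delegates edit rights on one GPO to a help desk group and adds that group to Group Policy Creator Owners. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the domain name Adatum.com and the GPO name Desktop Lockdown come from the course lab, and the group name Helpdesk is constructed for the example.

```powershell
# Added example: audit and delegate GPO edit rights with the GroupPolicy cmdlets.
# Assumes RSAT GroupPolicy + ActiveDirectory modules; "Helpdesk" is a constructed group name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = 'Adatum.com'
# Principals the text names as holding full access by default (as the GPMC shows them).
$defaultFullAccess = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')

function Get-GpoEditors {
    # One row per (GPO, trustee) where the trustee can edit the GPO.
    param([string]$Domain)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                    IsDefault  = ($_.Trustee.Name -in $defaultFullAccess)
                }
            }
    }
}

# 1. Audit: anything not in the default set is a delegation someone added.
#    Review these rows; an unexpected editor on a domain-linked GPO means that
#    principal can push settings to every object the GPO applies to.
Get-GpoEditors -Domain $domain |
    Where-Object { -not $_.IsDefault } |
    Sort-Object Gpo, Trustee | Format-Table -AutoSize

# 2. Delegate editing of a single GPO: GpoEdit grants Read + Write on the GPO
#    but not Delete or Modify Security, which stays with the default owners.
Set-GPPermission -Name 'Desktop Lockdown' -Domain $domain `
    -TargetName 'Helpdesk' -TargetType Group -PermissionLevel GpoEdit | Out-Null

# 3. Delegate creation of new GPOs by group membership (the first of the two
#    methods the text lists under "Permissions for Creating GPOs").
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'Helpdesk'

# Show the resulting ACL for the delegated GPO.
Get-GPPermission -Name 'Desktop Lockdown' -Domain $domain -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited | Format-Table -AutoSize
```

Run the audit part on a schedule and diff its output against the previous run; a new editor appearing on a GPO is a change a security team will want to know about, since editing a GPO is equivalent to running code on every computer or for every user it applies to.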

Demonstration: Creating and Managing GPOs

In this demonstration, you will see how to:
Create a GPO by using the GPMC.
Edit a GPO in the Group Policy Management Editor window.
Use Windows PowerShell to create a GPO.

Demonstration Steps

Create a GPO by using the GPMC
Sign in to LON-DC1 as Administrator with a password of Pa$$w0rd, a

Edit a GPO in the Group Policy Management Editor window
1. Edit the policy to prohibit the use of Windows Messenger.
2. Link the Prohibit Windows Messenger GPO to the domain.

Use Windows PowerShell to create a GPO named Desktop Lockdown
In Windows PowerShell, import the grouppolicy module, and then use th
New-GPO -Name "Desktop Lockdown"
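The demonstration creates the GPOs interactively and only scripts the last step. The following added example (it is not the course's own demonstration script) performs the whole sequence with the GroupPolicy module: it creates both GPOs, configures one registry-backed policy setting in each, links the first to the domain, and reports what was written. It assumes the RSAT GroupPolicy module and the Adatum.com lab domain. The registry values used are, to my knowledge, the ones behind the "Do not allow Windows Messenger to be run" and "Prohibit access to Control Panel" administrative template settings; confirm them in the Group Policy Management Editor before relying on them.

```powershell
# Added example: the demonstration's three tasks done end to end in PowerShell.
# Assumes RSAT GroupPolicy module and the Adatum.com lab domain.
Import-Module GroupPolicy
$domain   = 'Adatum.com'
$domainDn = 'DC=Adatum,DC=com'

# Task 1 + 2: "Prohibit Windows Messenger" (computer side) linked to the domain.
# Registry value behind "Do not allow Windows Messenger to be run" (assumed mapping).
$msg = New-GPO -Name 'Prohibit Windows Messenger' -Domain $domain `
               -Comment 'Blocks Windows Messenger domain-wide'
Set-GPRegistryValue -Guid $msg.Id -Domain $domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client' `
    -ValueName 'PreventRun' -Type DWord -Value 1 | Out-Null
New-GPLink -Guid $msg.Id -Target $domainDn -Domain $domain -LinkEnabled Yes | Out-Null

# Task 3: "Desktop Lockdown" (user side) with the "Prohibit access to Control
# Panel" setting from Lesson 1 (assumed mapping to NoControlPanel).
$lock = New-GPO -Name 'Desktop Lockdown' -Domain $domain
Set-GPRegistryValue -Guid $lock.Id -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# The GPO carries only user settings, so switch off its computer side, as
# Lesson 2 recommends for empty sections. Assigning GpoStatus writes it back.
$lock.GpoStatus = 'ComputerSettingsDisabled'

# Verify, reading back from the GPOs rather than trusting the calls above.
function Get-DemoGpoSummary {
    param([string]$Domain)
    foreach ($g in (Get-GPO -Name 'Prohibit Windows Messenger' -Domain $Domain),
                   (Get-GPO -Name 'Desktop Lockdown' -Domain $Domain)) {
        [pscustomobject]@{
            Name          = $g.DisplayName
            Id            = $g.Id
            Status        = $g.GpoStatus
            ComputerVer   = $g.Computer.DSVersion
            UserVer       = $g.User.DSVersion
        }
    }
}
Get-DemoGpoSummary -Domain $domain | Format-Table -AutoSize
Get-GPRegistryValue -Guid $msg.Id  -Domain $domain -Key 'HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client'
Get-GPRegistryValue -Guid $lock.Id -Domain $domain -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# An HTML report, the same view the GPMC's Settings tab gives.
Get-GPOReport -Guid $lock.Id -Domain $domain -ReportType Html -Path (Join-Path $env:TEMP 'DesktopLockdown.html')
```

The Desktop Lockdown GPO is deliberately left unlinked, matching the demonstration; link it with New-GPLink to an OU once you have decided which users it should reach.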

Lesson 2: Group Policy Processing

Understanding how Group Policy is applied is the key to being able to develop a Group Policy strategy. This lesson shows you how Group Policy is associated with Active Directory objects, how it is processed, and how to control the application of Group Policy. After creating the GPOs and configuring the settings you want to apply, they must be linked to containers. GPOs are applied in a specific order. This order might determine what settings are applied to objects. There are two default policies that are automatically created. You can use these policies to deliver password and security settings for the domain and for domain controllers. The application of policies can also be controlled through security filtering.

Lesson Objectives
After completing this lesson, you will be able to:
Describe a GPO link.
Explain how to apply GPOs to containers and objects.
Describe the Group Policy processing order.
Describe the default GPOs.
Describe GPO security filtering.

GPO Links

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container.
A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:
Sites
Domains
Organizational units (OUs)
Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.
You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container.
GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs that are linked to the domain level only.

Applying GPOs

Computer configuration settings are applied at startup, and then are refreshed at regular intervals. Any startup scripts are run at computer startup. The default interval is every 90 minutes, but this is configurable. The exceptions to this default interval are domain controllers, which have their settings refreshed every five minutes.
User settings are applied at logon and are refreshed at regular, configurable intervals. The default for this is also 90 minutes. Any logon scripts are run at sign in.
Note: A number of user settings require two sign ins before the user sees the effect of the GPO. This is because multiple users signing in to the same computer use cached credentials to speed up sign ins. This means that, although the policy settings are being delivered to the computer, the user is already signed in and thus the settings do not take effect until the next sign in. The Folder Redirection setting is an example of this.
You can change the refresh interval by configuring a Group Policy setting. For computer settings, the refresh interval setting is found in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. For user settings, the refresh interval is found at the corresponding settings under User Configuration. An exception to the refresh interval is the security settings. The security settings section of the Group Policy is refreshed at least every 16 hours, regardless of the interval that you set for the refresh interval.
You can also refresh Group Policy manually. The command-line utility Gpupdate refreshes and delivers any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy settings. There is also a new Windows PowerShell Invoke-GPUpdate cmdlet, which performs the same function.
A new feature in Windows Server 2012 and in Windows 8 is Remote Policy Refresh. This feature allows administrators to use the GPMC to target an OU and force Group Policy refresh on all of its computers and their currently signed-in users. To force a Group Policy refresh, right-click any OU, and then click Group Policy Update. The update occurs within 10 minutes.

Group Policy Processing Order

GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier.
GPOs are applied in the following order:
1. Local GPOs. Local GPOs are processed first.
Computers running Windows operating systems already have a configured
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. T
olicies are processed in order of preference.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain
mple, the Sales users might have special required settings. You can link a
5. Child OU policies. Any policies that are linked to child OUs are processed l
Objects in the containers receive the cumulative effect of all policies in their processing order. In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.
Note: Other methods such as Enforcement and Inheritance Blocking can change the effect of policies on containers.
If multiple policies are applied at the same level, the administrator can assign a preference value to control the order of processing. The default preference order is the order in which the policies were linked.
The administrator can also disable the user or computer configuration of a particular GPO. If one section of a policy is known to be empty, it should be disabled to speed up policy processing. For example, if there is a policy that only delivers user desktop configuration, the administrator could disable the computer side of the policy.
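The GPO Links section and the processing order above can be checked for a given OU without reasoning through the hierarchy by hand. The following added example (not part of the course material) lists every link that reaches an OU, from the domain down, in the order the client applies them, warns when inheritance is blocked at that OU, and then shows the two link-level controls the text mentions: changing the preference order among links on one container and enforcing a link. It assumes the RSAT GroupPolicy module and the Adatum.com lab domain; the OU path uses the Sales and Sales Users OUs from the course scenario, and the GPO names Desktop Lockdown (from the demonstration) and Security Baseline (constructed) are examples. It also assumes, as the GPMC's Group Policy Inheritance tab does, that InheritedGpoLinks lists the highest-precedence link first.

```powershell
# Added example: show and adjust the effective GPO application order for an OU.
# Assumes RSAT GroupPolicy module; OU path and GPO names are lab/constructed values.
Import-Module GroupPolicy
$domain = 'Adatum.com'
$ou     = 'OU=Sales Users,OU=Sales,DC=Adatum,DC=com'

function Get-EffectiveGpoOrder {
    # Returns the links that reach $Target in application order: position 1 is
    # applied first, the last position is applied last and therefore wins conflicts.
    param([string]$Target, [string]$Domain)
    $inh = Get-GPInheritance -Target $Target -Domain $Domain
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $Target; only enforced links from above still apply."
    }
    # InheritedGpoLinks is in precedence order (highest precedence first), which is
    # the reverse of application order, so reverse it for display.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)
    $i = 0
    foreach ($l in $links) {
        $i++
        [pscustomobject]@{
            ApplyOrder = $i
            Gpo        = $l.DisplayName
            LinkedAt   = $l.Target
            Enforced   = $l.Enforced
            Enabled    = $l.Enabled
        }
    }
}

Get-EffectiveGpoOrder -Target $ou -Domain $domain | Format-Table -AutoSize

# Preference among links on the same container: link order 1 is the highest
# precedence on that container, i.e. applied last among them.
Set-GPLink -Name 'Desktop Lockdown' -Target $ou -Domain $domain -Order 1 | Out-Null

# Enforcement: an enforced link at the domain level cannot be overridden by
# lower-level links or by blocked inheritance, which is what you want for a
# security baseline that departments must not opt out of.
Set-GPLink -Name 'Security Baseline' -Target 'DC=Adatum,DC=com' -Domain $domain -Enforced Yes | Out-Null

Get-EffectiveGpoOrder -Target $ou -Domain $domain | Format-Table -AutoSize
```

Comparing the two listings shows the effect of each change; a link whose Enforced column is True and whose LinkedAt is the domain will sit at the end of the order regardless of what is linked below it.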

What Are the Default GPOs?

During the installation of the AD DS role, two default GPOs are created: Default Domain Policy, and Default Domain Controllers Policy.

Default Domain Policy

The Default Domain Policy is linked to the domain and affects all security principals in the domain. It contains the default password policy settings, the account lockout settings, and the Kerberos protocol. As a best practice, this policy should not have other settings configured. If you need to configure other settings to apply to the entire domain, then you should create new policies to deliver the settings, and then link those policies to the domain.
Note: Currently, fine-grained password policies are the typical enterprise method, although they are beyond the scope of this module.

Default Domain Controllers Policy

The Default Domain Controllers Policy is linked to the Domain Controllers OU, and should only affect domain controllers. This policy is designed to provide auditing settings and user rights, and should not be used for other purposes.

GPO Security Filtering

By nature, a GPO applies to all the security principals in the container, and all child containers below the parent. However, you might want to change that behavior and have certain GPOs apply only to particular security principals. For example, you might want to exempt certain users in an OU from a restrictive desktop policy. You can accomplish this through security filtering.
Each GPO has an Access Control List (ACL) that defines permissions to that GPO. The default permission is for Authenticated Users to have the Read and Apply Group Policy permissions applied.
By adjusting the permissions in the ACL, you can control which security principals receive permission to have the GPO settings applied. There are two approaches you might take to do this:
Deny access to the Group Policy
Limit permissions to Group Policy
Note: The Authenticated Users group includes all user and computer acc

Deny Access to Group Policy

If most security principals in the container should receive the policy settings but some should not, then you can exempt particular security principals by denying them access to the Group Policy. For example, you might have a Group Policy that all the users in the Sales OU should receive except the Sales Managers group. You can exempt that group (or user) by adding that group (or user) to the ACL of the GPO, and then setting the permission to Deny.

Limit Permissions to Group Policy

Alternatively, if you have created a GPO that should only be applied to a few security principals in a container, you can remove the Authenticated Users group from the ACL, add the security principals that should receive the GPO settings, and then grant the security principals the Read and Apply Group Policy permissions. For example, you might have a GPO with computer configuration settings that should only apply to laptop computers. You could remove the Authenticated Users group from the ACL, add the computer accounts of the laptops, and then grant the security principals the Read and Apply Group Policy permission.
The ACL of a GPO is accessed in the GPMC by selecting the GPO in the Group Policy Object folder, and then clicking the Delegation > Advanced tab.
Note: As a best practice, you should never deny access to the Authenticated Users group. If you do, then security principals would never receive the GPO settings.
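The "limit permissions" approach above can be scripted, and one detail matters more today than when this module was written. The following added example (not part of the course material) restricts a GPO so that only one group of computers applies it, then audits who can read and apply it. It assumes the RSAT GroupPolicy module and the Adatum.com lab domain; the GPO name Laptop Power Options and the group name Sales Laptops are constructed for the example. Since security update MS16-072 (June 2016), the Group Policy client retrieves user GPOs in the computer's security context, so Authenticated Users (or Domain Computers) must keep Read on every GPO; the script therefore downgrades Authenticated Users from Apply to Read instead of removing the group as the text describes.

```powershell
# Added example: security filtering with the GroupPolicy cmdlets.
# Assumes RSAT GroupPolicy module; GPO and group names are constructed.
Import-Module GroupPolicy
$domain = 'Adatum.com'
$gpo    = 'Laptop Power Options'

# Step 1: Authenticated Users keeps Read but loses Apply Group Policy.
# -Replace sets the level rather than adding to it. Do not drop to None:
# after MS16-072 the computer must be able to read the GPO for it to apply.
Set-GPPermission -Name $gpo -Domain $domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: only members of the laptop group get Read + Apply Group Policy.
Set-GPPermission -Name $gpo -Domain $domain -TargetName 'Sales Laptops' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# The "deny access" approach needs a Deny ACE; Set-GPPermission only writes
# Allow entries, so that one is done in the GPMC (Delegation > Advanced).
# The audit below reports Deny entries too, via the Denied property.

function Get-GpoApplyScope {
    # Who can apply a GPO, and who is explicitly denied, as the GPO ACL says.
    param([string]$Name, [string]$Domain)
    Get-GPPermission -Name $Name -Domain $Domain -All |
        ForEach-Object {
            [pscustomobject]@{
                Trustee    = $_.Trustee.Name
                Type       = $_.Trustee.TrusteeType
                Permission = $_.Permission
                Denied     = $_.Denied
                CanApply   = (-not $_.Denied) -and ($_.Permission -in 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
            }
        }
}

Get-GpoApplyScope -Name $gpo -Domain $domain | Format-Table -AutoSize

# Guard for the note in the text: flag any GPO where Authenticated Users is denied.
Get-GPO -All -Domain $domain | ForEach-Object {
    $auth = Get-GPPermission -Guid $_.Id -Domain $domain -All |
            Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Denied }
    if ($auth) { Write-Warning "$($_.DisplayName): Authenticated Users has a Deny entry" }
}
```

The CanApply column lists the edit levels as well because they include Read and Apply; it shows what the ACL permits, not whether the object is in a linked container, so combine it with the link listing when you need the full picture.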

Discussion: Identifying Group Policy Application

For this discussion, review the AD DS structure in the graphic, read the scenario, and then answer the questions on the slide.

Scenario

The following illustration represents a portion of the A. Datum Corporation's AD DS structure, which contains the Sales OU with its child OUs and the Servers OU.

FIGURE 11.1: AD DS STRUCTURE

GPO1 is linked to the Adatum domain container. The GPO configures powe
es of inactivity, and restricts access to registry editing tools.
GPO2 has settings to lock down the desktops of the Sales Users OU, and c
GPO3 configures power options for laptops in the Sales Laptops OU.
GPO4 configures a different set of power options to ensure that the server
Some users in the Sales OU have administrative rights on their computers, and have created local policies to specifically grant access to Control Panel.

Discussion Questions
Based on this scenario, answer the following questions:
Question: What power options will the servers in the Servers OU receive?
Question: What power options will the laptops in the Sales Laptops OU receive?
Question: What power options will all other computers in the domain receive?
Question: Will users in the Sales Users OU who have created local policies to grant access to Control Panel be able to access Control Panel?
Question: If you needed to grant access to Control Panel to some users, how would you do it?
Question: Can GPO2 be applied to other department OUs?

Demonstration: Using Group Policy Diagnostic Tools

In this demonstration, you will see how to:
Use Gpupdate to refresh Group Policy.
Use the Gpresult cmdlet to output the results to an HTML file.
Use the Group Policy Modeling Wizard to test the policy.

Demonstration Steps

Use Gpupdate to refresh Group Policy
On LON-DC1, use Gpupdate to refresh the GPOs.

Use the Gpresult cmdlet to output the results to an HTML file
1. Use Gpresult /H to create an HTML file that displays the current GPO s
2. Open the HTML report and review the results.

Use the Group Policy Modeling Wizard to test the policy
Use the Group Policy Modeling Wizard to simulate a policy application for
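The refresh and reporting steps of this demonstration, together with the Remote Policy Refresh and Gpupdate discussion under Applying GPOs, can be driven from one script. The following added example (not the course's own demonstration script) refreshes policy on a computer, writes the HTML report from the demonstration, produces an XML resultant-set-of-policy report that scripts can read, summarises which GPOs were applied or filtered from it, and pulls the matching entries from the Group Policy operational log. It assumes the RSAT GroupPolicy module, the lab computer LON-DC1 and permission to query it remotely. The RSoP report element names (Rsop, ComputerResults, GPO, Enabled, IsValid, AccessDenied, FilteringStatus, Link/SOMPath) follow the report schema as I know it; check them against a report from your own environment. Event IDs 5312 and 5313 are the standard operational-log events listing applied and not-applied GPOs.

```powershell
# Added example: refresh, report and read back Group Policy results.
# Assumes RSAT GroupPolicy module and remote access to LON-DC1.
Import-Module GroupPolicy
$computer = 'LON-DC1'
$out      = Join-Path $env:TEMP 'gp-diag'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Refresh (same mechanism as the GPMC's "Group Policy Update" action).
#    -Force reapplies settings even when no GPO version has changed.
Invoke-GPUpdate -Computer $computer -Force -RandomDelayInMinutes 0

# 2. The HTML report the demonstration asks for (gpresult /H), for humans.
gpresult /S $computer /H (Join-Path $out 'gpresult.html') /F

# 3. An XML report for scripts.
$xmlPath = Join-Path $out 'rsop.xml'
Get-GPResultantSetOfPolicy -Computer $computer -ReportType Xml -Path $xmlPath | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath -Raw

function Get-RsopGpoSummary {
    # One row per GPO the client considered, with whether it actually applied
    # and why not (security filtering, WMI filter, disabled link...).
    param([xml]$Report, [ValidateSet('ComputerResults', 'UserResults')][string]$Side)
    foreach ($g in @($Report.Rsop.$Side.GPO)) {
        $applied = ($g.Enabled -eq 'true') -and ($g.IsValid -eq 'true') -and
                   ($g.AccessDenied -eq 'false') -and ($g.FilteringStatus -eq 'None')
        [pscustomobject]@{
            Side      = $Side
            Gpo       = $g.Name
            Applied   = $applied
            Filtering = $g.FilteringStatus
            LinkedAt  = $g.Link.SOMPath
        }
    }
}

Get-RsopGpoSummary -Report $rsop -Side ComputerResults | Format-Table -AutoSize

# 4. The operational log: 5312 = list of applied GPOs, 5313 = list of GPOs
#    that were not applied, from the most recent processing cycle.
Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5312, 5313
} -MaxEvents 4 | Select-Object TimeCreated, Id, Message | Format-List
```

When a GPO you expected is missing from the applied list, the Filtering column of the summary and the 5313 event text name the reason; that is usually faster than stepping through the Group Policy Modeling Wizard, which remains the right tool for "what if" questions about objects that have not been moved yet.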

Lesson 3: Implementing a Central Store for Administrative Templates

Larger organizations might have many GPOs with multiple administrators managing them. When an administrator edits a GPO, the template files are pulled from the local workstation. The Central Store provides a single folder in SYSVOL that contains all of the templates required to create and edit GPOs. This lesson discusses the files that make up the templates, and covers how to create a Central Store location to provide consistency in the templates that administrators use.

Lesson Objectives

After completing this lesson, you will be able to:


Describe the Central Store.
Describe administrative templates.
Describe how administrative templates work.
Describe managed and unmanaged policy settings.

What Is the Central Store?

If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store that contains the template files, then the workstation from which you are editing will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder.
If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a workstation running Windows 7 with no service pack installed might not be the same as the files that are stored on a domain controller running Windows Server 2012. This could lead to administrators not seeing the same settings in a GPO.
The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows operating systems (Windows Vista or newer or Windows Server 2008 or newer). Because of this automatic behavior, the local workstation that the administrator uses to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Management Editor window. When the local workstation detects a Central Store, it then downloads the template files from there. In this way, there is a consistent administration experience among multiple workstations.

Creating and Provisioning the Central Store

You must create and provision the Central Store manually. First, create a folder on a domain controller, name the folder PolicyDefinitions, and store it at C:\Windows\SYSVOL\sysvol\{Domain Name}\Policies\. This folder is now your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are in language-specific subfolders (such as en-US), and each ADMX file needs a matching ADML file in the language folder that the editor uses, or the template fails to load. Copy the files from the newest operating system or service pack that your administrators manage, and update the Central Store when you deploy a newer one: once a Central Store exists, the editor uses it exclusively and ignores any newer templates on the local workstation.

What Are Administrative Templates?

An administrative template is made up of two XML file types:
- ADMX files that specify the registry setting to change. ADMX files are language-neutral.
- ADML files that generate the user interface to configure the Administrative
  Editor window. ADML files are language-specific.

ADMX and ADML files are stored in the %SystemRoot%\PolicyDefinitions folder or in the Central Store. You can also create your own custom administrative templates in XML format. Administrative templates that control Microsoft Office products (such as Office Word, Office Excel and Office PowerPoint) are also available from the Microsoft website.
Administrative templates have the following characteristics:
- They are organized into subfolders that house configuration options for sp
  nd Windows components.
- The settings in the Computer section edit the HKEY_LOCAL_MACHINE registry hive, and the settings in the User section edit the HKEY_CURRENT_USER registry hive.
- Some settings exist for both User and Computer. For example, there is a se
  he User and the Computer templates. In case of conflicting settings, the C
- Some settings are available only to certain versions of Windows operating
  d versions for that setting. Any setting that cannot be processed by an old
  em.

ADM Files

Prior to Windows Vista, administrative templates had an .adm file extension (ADM). ADM files were language-specific and difficult to customize. ADM files are stored in SYSVOL as part of the Group Policy template, so if an ADM file is used in multiple GPOs, the file is stored multiple times. This increases the size of SYSVOL, and therefore increases the SYSVOL replication traffic between domain controllers.

How Administrative Templates Work

Administrative Templates have settings for almost every aspect of the computing environment. Each setting in the template corresponds to a registry setting that controls an aspect of the computing environment. For example, when you enable the setting that prevents access to Control Panel, the value in the registry key that controls that aspect also changes.
The Administrative Templates node is organized as shown in the following table.

Section            | Nodes
Computer settings  | Control Panel, Network, Printers, System, Windows Components, All Settings
User settings      | Control Panel, Desktop, Network, Shared Folders, Start Menu and Taskbar, System, Windows Components, All Settings

Most of the nodes contain multiple subfolders to further organize settings into logical groupings. Even with this organization, finding the setting that you need might be a daunting task.
To help you locate settings in the All Settings folder, you can filter the entire list of settings in either the Computer or the User section. The following filter options are available:
- Managed or unmanaged
- Configured or not configured
- Commented
- By keyword
- By platform
You can also combine multiple criteria. For example, you could filter to find all the configured settings that apply to Internet Explorer 10 by using the keyword ActiveX.

Managed and Unmanaged Policy Settings

There are two types of policy settings: managed and unmanaged. By default, the policy settings that the editor shows under a GPO's Administrative Templates node are managed policies.
The Group Policy service controls the managed policy settings and removes a policy setting when it is no longer within scope of the user or computer. The Group Policy service does not control unmanaged policy settings; these policy settings are persistent, and the Group Policy service does not remove them.

Managed Policy Settings

A managed policy setting has the following characteristics:
- The UI is locked so that a user cannot change the setting. Managed policy
  mple, if you configure the desktop wallpaper through a Group Policy settin
- Changes are made in the restricted areas of the registry to which only adm
  o HKLM\Software\Policies (computer settings)
  o HKCU\Software\Policies (user settings)
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)
- Changes made by a Group Policy setting and the UI lockout are released if
  mple, if you delete a GPO, managed policy settings that had been applied
  s previous state. Also, the UI for the setting is enabled again.

Unmanaged Policy Settings

In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the GPO no longer applies, the setting remains. This is often called tattooing the registry, in other words, making a permanent change. To reverse the effect of the policy setting, you must deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged policy setting does not lock the UI for that setting.
The editor classifies an Administrative Templates setting by the registry key in its ADMX definition: a key outside the four policy paths listed above makes the setting unmanaged. By default, the Group Policy Management Editor hides unmanaged policy settings to discourage administrators from implementing a configuration that is difficult to revert; change the Managed filter to show them. Many of the settings that are available in Group Policy preferences are unmanaged settings.
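The following PowerShell is an added example, not part of the course text or of any vendor's template. It ties the sections How Administrative Templates Work and Managed and Unmanaged Policy Settings together: it parses a constructed ADMX/ADML pair for a fictitious Contoso SampleApp (every policy name, registry key and display string in it is invented) and reports, for each policy, which file contributes what, the registry value the policy writes, and whether the editor treats it as managed, using the four policy key paths listed under Managed Policy Settings.

```powershell
# Added example, not from the course text. Parses a small ADMX/ADML pair and reports, for
# each policy, the registry value it writes and whether the editor treats it as managed.
# Template content is constructed for illustration (fictitious vendor "Contoso"); the XML
# declaration that real template files carry is omitted for the embedded sample.

$admxText = @'
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.SampleApp" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="SampleApp" displayName="$(string.SampleApp)" />
  </categories>
  <policies>
    <!-- key under Software\Policies: a managed setting, removed when out of scope -->
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
            key="Software\Policies\Contoso\SampleApp" valueName="DisableTelemetry">
      <parentCategory ref="SampleApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <!-- key outside the policy paths: an unmanaged setting that tattoos the registry -->
    <policy name="UpdateServer" class="User" displayName="$(string.UpdateServer)"
            key="Software\Contoso\SampleApp" valueName="UpdateServer">
      <parentCategory ref="SampleApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><string>https://updates.contoso.example</string></enabledValue>
      <disabledValue><delete /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# The ADML supplies only display text; it names no registry key.
$admlText = @'
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso SampleApp</displayName>
  <description>Constructed sample strings</description>
  <resources>
    <stringTable>
      <string id="SampleApp">Contoso SampleApp</string>
      <string id="DisableTelemetry">Turn off telemetry upload</string>
      <string id="UpdateServer">Update server URL</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Get-AdmxPolicyMap {
    param([xml]$Admx, [xml]$Adml)

    # ADML: string IDs -> display text in the editor's language.
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }

    # Registry paths the editor treats as policy areas (managed settings). A key that is
    # not under one of these (in HKLM or HKCU) makes the setting unmanaged.
    $policyRoots = @('Software\Policies', 'Software\Microsoft\Windows\CurrentVersion\Policies')

    foreach ($p in $Admx.policyDefinitions.policies.policy) {
        $hive  = switch ($p.class) { 'Machine' { 'HKLM' } 'User' { 'HKCU' } default { 'HKLM and HKCU' } }
        $id    = $p.displayName -replace '^\$\(string\.(.+)\)$', '$1'
        $label = if ($strings.ContainsKey($id)) { $strings[$id] } else { $p.GetAttribute('name') }
        $managed = [bool]($policyRoots | Where-Object { $p.key -like "$_\*" })
        [pscustomobject]@{
            Policy   = $label
            Class    = $p.class
            Registry = "$hive\$($p.key)\$($p.valueName)"
            Managed  = $managed
        }
    }
}

Get-AdmxPolicyMap -Admx ([xml]$admxText) -Adml ([xml]$admlText) | Format-Table -AutoSize
```

For a real template pair, replace the here-strings with Get-Content -Raw on the .admx file and on the matching .adml file in the language subfolder (en-US). The Managed column is the same classification that the Managed/Unmanaged filter in the editor applies, so running this over a vendor template before you import it tells you which of its settings will tattoo the registry.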

Lab: Implementing Group Policy

Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
In your role as a member of the server support team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.
Your manager has asked you to create a Central Store for ADMX files to ensure that everyone can edit GPOs that have been created with customized ADMX files. You also need to create a starter GPO that includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing department and the IT department.

Objectives

After completing this lab, you will be able to:


Configure a Central Store.
Create GPOs.

Lab Setup

Estimated Time: 40 minutes
Virtual machines: 20410C-LON-DC1, 20410C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Lab Setup Instructions

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and
2. In Hyper-V Manager, click 20410C-LON-DC1. In the Actions pane, click
3. In the Actions pane, click Connect. Wait until the virtual machine start
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20410C-LON-CL1. Do not sign in until directed

Exercise 1: Configuring a Central Store

Scenario
A. Datum recently implemented a customized ADMX template to configure an app. A colleague obtained the ADMX files from the vendor before creating the GPO with the configuration settings. The settings were applied to the app as expected.
After implementation, you noticed that you are unable to modify the app settings in the GPO from any location other than the workstation that was originally used by your colleague. To resolve this issue, your manager has asked you to create a Central Store for administrative templates. After you create the Central Store, your colleague will copy the vendor ADMX template from the workstation into the Central Store.
The main tasks for this exercise are as follows:
1. View the location of administrative templates in a Group Policy Object (GPO).
2. Create a Central Store.
3. Copy administrative templates to the Central Store.
4. Verify the administrative template location in GPMC.

Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Sign in to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Start the Group Policy Management Console (GPMC).
3. In the Group Policy Object folder, open the Default Domain Policy an
Task 2: Create a Central Store
1. Open File Explorer and browse to C:\Windows\SYSVOL\sysvol\Ada
2. Create a folder to use for the Central Store and name it PolicyDefinitions.
Task 3: Copy administrative templates to the Central Store
Copy the contents of the default PolicyDefinitions folder located at C:\Win
located at C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.
Task 4: Verify the administrative template location in GPMC
1. Verify that the Group Policy Management Editor is using the ADMX files fro
e location information text of the Administrative Templates folder.
2. Close the Group Policy Management Editor window.
Results: After completing this exercise, you should have configured a Central Store.
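The following PowerShell script is an added example, not part of the course text. It performs Tasks 2 to 4 of this exercise (the same procedure described under Creating and Provisioning the Central Store) from the domain controller and adds the checks a practitioner would want before trusting the store: a hash comparison against the source folder, an ADMX-to-ADML pairing check, and a list of who can write to the Central Store. It assumes an elevated session on a domain controller with the ActiveDirectory module available, the default SYSVOL location under %SystemRoot%, and en-US as the editor's language; in the lab, Get-ADDomain returns Adatum.com.

```powershell
# Added example, not from the course text. Creates and provisions the Central Store on a
# domain controller and verifies the copy. Assumptions: elevated session on a DC, the
# ActiveDirectory module is present (it is on every DC), default SYSVOL path, en-US ADML.

$domain  = (Get-ADDomain).DNSRoot                      # Adatum.com in the lab
$central = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'

# Task 2: create the folder. The name must be exactly PolicyDefinitions for the editor
# to detect it.
if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# Task 3: copy the ADMX files and every language subfolder (en-US and so on) that holds
# the ADML files.
Copy-Item -Path (Join-Path $local '*') -Destination $central -Recurse -Force

# Task 4, file-level check: every source file must exist in the Central Store with the
# same hash. GPMC confirms the switch itself by labelling the Administrative Templates
# node "Policy definitions (ADMX files) retrieved from the central store."
$mismatch = Get-ChildItem $local -Recurse -File | ForEach-Object {
    $rel  = $_.FullName.Substring($local.Length)
    $copy = Join-Path $central $rel
    if (-not (Test-Path $copy) -or
        (Get-FileHash $_.FullName).Hash -ne (Get-FileHash $copy).Hash) { $rel }
}
if ($mismatch) {
    Write-Warning "Files missing or different in the Central Store:`n$($mismatch -join "`n")"
} else {
    "Central Store matches $local ($((Get-ChildItem $central -Filter *.admx).Count) ADMX files)"
}

# Every ADMX needs a matching ADML in the language folder the editor uses; without it
# the template fails to load in GPMC. Vendor templates copied in later need the same check.
$admx = (Get-ChildItem $central -Filter *.admx).BaseName
$adml = (Get-ChildItem (Join-Path $central 'en-US') -Filter *.adml).BaseName
$admx | Where-Object { $_ -notin $adml } |
    ForEach-Object { Write-Warning "No en-US ADML for $($_).admx" }

# Security check: the Central Store is replicated to every DC, and whoever can write here
# decides which settings every administrator sees in the editor. List write-capable trustees
# and confirm only Group Policy administrators appear.
(Get-Acl $central).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights
```

Run it again after your colleague copies the vendor ADMX and ADML files in: the pairing check catches a vendor template that ships without its en-US ADML, which is the usual reason a custom template shows up in GPMC on one workstation and not another.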

Exercise 2: Creating GPOs

Scenario
After a recent meeting of the IT Policy committee, management has decided that A. Datum will use Group Policy to restrict user access to the General page of Internet Explorer.
Your manager has asked you to create a starter GPO that can be used for all departments with default restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for members of all departments except for the IT department.
The main tasks for this exercise are as follows:
1. Create a Windows Internet Explorer Restriction default starter GPO.
2. Configure the Internet Explorer Restriction starter GPO.
3. Create an Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO.
4. Test the GPO for Domain Users.
5. Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy.
6. Test application of the GPO for IT department users.
7. Test application of the GPO for other domain users.

Task 1: Create a Windows Internet Explorer Restriction default starter GPO
1. Open the GPMC and create a starter GPO named Internet Explorer Restrictions.
2. Type a comment that states This GPO disables the General page in
Task 2: Configure the Internet Explorer Restriction starter GPO
1. Configure the starter GPO to disable the General page of Internet Options.
Hint: Select All Settings in Administrative Templates and filter for an
2. Close the Group Policy Management Editor window.
Task 3: Create an Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO
Create a new GPO named IE Restrictions that is based on the Internet E
tum.com domain.
Task 4: Test the GPO for Domain Users
1. Sign in to LON-CL1 as Adatum\Brad, with a password of Pa$$w0rd.
2. Open Control Panel.
3. Attempt to change your home page.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out from LON-CL1.
Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
1. On LON-DC1, open the GPMC.
2. Configure security filtering on the Internet Explorer Restrictions po
Task 6: Test application of the GPO for IT department users
1. Sign in to LON-CL1 as Brad, with a password of Pa$$w0rd.
2. Open Control Panel.
3. Attempt to change your home page. Verify that the Internet Properti
available.
4. Sign out from LON-CL1.
Task 7: Test application of the GPO for other domain users
1. Sign in to LON-CL1 as Boris, with a password of Pa$$w0rd.
2. Open Control Panel.
3. Attempt to change your home page.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out from LON-CL1.
Results: After completing this lab, you should have created a GPO.
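The following PowerShell is an added example, not part of the course text. It builds the same result as Tasks 1 to 5 above with the GroupPolicy module and shows the security-filtering mechanism that exempts a group: a Deny entry on Apply Group Policy. It assumes an elevated session on LON-DC1 in Adatum.com, a security group named IT that holds the IT department users (the lab does not name the group, so this is an assumption), a GPO link at the domain root, and its own wording for the starter GPO comment. The registry value is written to the real GPO rather than to the starter GPO because the GroupPolicy cmdlets cannot edit starter GPO settings.

```powershell
# Added example, not from the course text. Builds the IE Restrictions GPO and exempts the
# IT department with a Deny entry. Assumptions: elevated session on LON-DC1 in Adatum.com;
# a security group with sAMAccountName "IT" holds the IT department users; the GPO is linked
# at the domain root; the comment text is this example's own wording.

Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # DC=Adatum,DC=com in the lab
$starter  = 'Internet Explorer Restrictions'
$gpoName  = 'IE Restrictions'
$itGroup  = 'IT'                                  # assumed group name

# Task 1: starter GPO with a comment that explains what it does.
if (-not (Get-GPStarterGPO -Name $starter -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name $starter -Comment 'Disables the General page of Internet Options' | Out-Null
}

# Task 3: the deployable GPO, derived from the starter and linked at the domain.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -StarterGpoName $starter }
if ((Get-GPInheritance -Target $domainDN).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $domainDN | Out-Null
}

# Task 2: "Disable the General page" (User Configuration > Administrative Templates >
# Windows Components > Internet Explorer > Internet Control Panel). The key is under
# HKCU\Software\Policies, so this is a managed setting: it is removed as soon as the GPO
# stops applying to the user.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'GeneralTab' -Type DWord -Value 1 | Out-Null

# Task 5: security filtering. Authenticated Users keeps Read and Apply; a denied GpoApply
# entry for the IT group overrides that Apply right for its members. Set-GPPermission has no
# Deny option, so this goes through the GPMC .NET API (GPPermission's third constructor
# argument is the Denied flag).
$apply = [Microsoft.GroupPolicy.GPPermissionType]::GpoApply
$deny  = New-Object -TypeName Microsoft.GroupPolicy.GPPermission -ArgumentList $itGroup, $apply, $true
$sec   = $gpo.GetSecurityInfo()
$sec.Add($deny)
$gpo.SetSecurityInfo($sec)

# Show the effective filter: expect Authenticated Users = GpoApply (Denied False)
# and IT = GpoApply (Denied True).
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied

# Tasks 4, 6 and 7 on LON-CL1, after gpupdate /force as the test user:
#   gpresult /r /scope:user
# Brad (IT) lists IE Restrictions under the GPOs filtered out with the reason
# "Access Denied (Security Filtering)"; Boris still lists it under applied GPOs.
```

A Deny entry does not appear in the Security Filtering list on the GPO's Scope tab in GPMC, only on the Delegation tab under Advanced, which is exactly the diagnosis problem the Best Practices section warns about when it says to limit security filtering; record the exemption in the GPO comment. If you exempt a department instead by removing Authenticated Users from the filter, keep Read for Authenticated Users or Domain Computers, because since the MS16-072 change the computer account must be able to read a GPO for its user settings to apply.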
Prepare for the next module
After you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410C-LON-DC1, and then c
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410C-LON-CL1.
Lab Review Questions
Question: What is the difference between ADMX and ADML files?
Question: The Sales Managers group should be exempted from the desktop lockdown policy that is being applied to the entire Sales OU. All sales user accounts and sales groups reside in the Sales OU. How would you exempt the Sales Managers group?
Question: What Windows command can you use to force the immediate refresh of all GPOs on a client computer?

Module Review and Takeaways

Module Review Questions
Question: What are some of the advantages and disadvantages of using site-level GPOs?
Question: You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the desired users receive the mappings. You want to move away from using scripts. What is the best way to map network drives for selected users without using scripts?

Best Practices

The following are recommended best practices:
- Do not use the Default Domain and Default Domain Controllers policies f
  licies.
- Limit the use of security filtering and other mechanisms that make diagn
- If they have no settings configured, disable the User or Computer section
- If you have multiple administration workstations, create a Central Store.
- Add comments to your GPOs to explain what the policies are doing.
- Design your OU structure to support Group Policy application.

Common Issues and Troubleshooting Tips

Common Issue
- A user is experiencing abnormal behavior on their workstation.
- All users in a particular OU are having issues, and the OU has multiple GPOs applied.

Tools

Tool                                    | Use
Group Policy Management Console (GPMC)  | Controls all aspects of Group Policy
Group Policy Management Editor snap-in  | Configure settings in GPOs
Resultant Set of Policy (RSoP)          | Determine what settings are applying to a user or computer
Group Policy Modeling Wizard            | Test what would occur if settings were applied to users or computers, without actually applying the settings
Local Group Policy Editor               | Configure Group Policy settings that apply only to the local computer