Group Policy

Group Policy Objects in Active Directory allow administrators to centrally manage user and computer configuration settings across an organization. They can be used to control desktop settings, security policies, script deployment, and software installation. Group Policies inherit settings by default but inheritance and specific policies can be modified. Group Policies provide a standardized method for deploying and maintaining software applications on users' computers.

Uploaded by

Nawaz Rehan
Copyright
© Attribution Non-Commercial (BY-NC)

Implementing and Using Group Policy
Objectives
• Create and manage Group Policy objects to
control user desktop settings, security, scripts, and
folder redirection
• Manage and troubleshoot Group Policy
inheritance
• Deploy and manage software using Group Policy

University of Education 2
Introduction to Group Policy
• Group policy centralizes management of user and
computer configuration settings throughout a
network
• A group policy object is an Active Directory
object used to configure policy settings for user
and computer objects
• There are two default Group Policy Objects:
• Default Domain Policy (linked to domain container)
• Default Domain Controllers Policy (linked to domain
controller OU)
Introduction to Group Policy
(continued)
• You can modify default GPOs
• You can create new GPOs and link them to
particular sites, domains, and OUs
• Policy settings will be propagated to all users and
computers in container including child OUs
• Group policy can only be applied to computers
running Windows Server 2003, Windows 2000,
and Windows XP

Creating a Group Policy
Object
• Two ways to create a GPO:
• Group Policy standalone Microsoft Management
Console (MMC) snap-in
• Group Policy extension in Active Directory Users and
Computers

Activity 9-1: Creating a Group
Policy Object Using the MMC

• Objective: To create a GPO using the Group
Policy Object Editor MMC snap-in
• Locate the MMC Group Policy Object Editor snap-in
• Create a new GPO

Activity 9-2: Creating OUs and
Moving User Accounts
• Objective: To create new Organizational Units
and move existing user accounts into them.
• Must be familiar with using OUs for controlling the
application of Group Policy settings
• Create new OUs using Active Directory Users and
Computers
• Move users into the new OUs

Activity 9-3: Creating a Group
Policy Object and Browsing
Settings Using Active Directory
Users and Computers
• Objective: Create a GPO using Active Directory
Users and Computers as an alternative to MMC
snap-in
• From Active Directory Users and Computers, use the
Group Policy tab of the Properties of an existing OU to
add and create GPOs
• Browse configuration settings of a Group Policy Object

Editing a GPO
• Table 9-1 shows configuration categories for both
computer and user configurations
• Two tabs in Properties of each setting:
• Setting allows you to enable or disable the setting
• Explain provides information about the setting
• GPO content is stored in 2 locations:
• Group Policy container (GPC)
• Group Policy template (GPT)
• A GPO is identified by a 128-bit globally unique
identifier (GUID)
Application of Group Policy
• Two main categories to a Group Policy
• Computer configuration (settings apply to computers in
the container)
• User configuration (settings apply to users in the
container)
• Upon computer startup (or user logon)
• Computer queries domain controller for GPOs. Domain
controller finds applicable GPOs.
• Domain controller presents list of GPOs. The client
gets Group Policy templates, applies the settings and
runs the scripts.
• Same basic process happens for user logons

Controlling User Desktop
Settings
• Administrative templates
• Used to limit user manipulation of user desktop and
computer configurations
• Aim is to reduce administrative costs
• Seven main categories of configuration settings can be
applied to either computer or user section of a GPO

Activity 9-5: Configuring
Group Policy Object User
Desktop Settings
• Objective: To configure and test the application of
Group Policy settings
• Use Active Directory Users and Computers to
access the desired configuration settings
• Configure settings using the Group Policy Object
Editor
• Verify that the configured settings have the
expected results

Managing Security Settings
with Group Policy
• Password Policy, Account Policy, and Kerberos
Policy settings are only applicable to domain
objects
• Other nodes in Security Settings category can be
applied at both domain and OU levels
• Local Policies
• Audit Policy
• User Rights Assignment
• Security Options

Managing Security Settings
with Group Policy (continued)
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wireless Network Policies
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Active Directory
Activity 9-6: Configuring
Group Policy Object Security
Settings
• Objective: Use Group Policy settings to configure
a logon banner for domain users
• Use Active Directory Users and Computers to
access the Default Domain Policy GPO
• Create a logon banner
• Verify that the banner appears

Assigning Scripts
• Windows Server 2003 can run scripts during:
• User logon or logoff
• User section of GPO
• Computer startup and shutdown
• Computer section of GPO
• Default is for scripts to run synchronously from
top to bottom
• Can specify script time-outs, asynchronous
execution, and hiding of scripts

Activity 9-8: Assigning Logon
Scripts to Users Using Group
Policy
• Objective: Use GPOs to assign logon scripts to
domain users
• Create a script file
• Add the script to the logon policies of a particular
group using Active Directory Users and
Computers
• Verify that the script runs for members of the
group and not for other users
Managing Group Policy
Inheritance
• Specific order for GPO application:
• Local computer → Site → Domain → Parent OU →
Child OU
• By default, all GPO settings are inherited
• At each level, there can be multiple GPOs
• Policies are applied in the order that they appear on the
Group Policy tab for each container, bottom GPO first
• Applying a large number of GPOs can affect
startup and logon performance
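
The application order above, together with the Block inheritance and No Override options this deck names in its summary, worked through as an added Python example (not part of the original slides). The GPO names, setting names and values are constructed for illustration; the model treats a No Override link as surviving Block inheritance, with the highest container's No Override link winning.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False          # "No Override" set on this link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # top-to-bottom, as on the Group Policy tab
    block_inheritance: bool = False

def application_order(chain):
    """chain[0] is the local computer, then site, domain, parent OU, child OU."""
    # Lowest container that blocks inheritance; links above it are dropped
    # unless they carry No Override. Local policy (index 0) is not an AD link.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal = [l for i, c in enumerate(chain) for l in reversed(c.links)  # bottom GPO first
              if not l.no_override and (i == 0 or i >= cut)]
    # No Override links are applied last, highest container last, so they win.
    forced = [l for c in reversed(chain) for l in reversed(c.links) if l.no_override]
    return normal + forced

def resultant(chain):
    """Return {setting: (value, winning GPO)}; a later GPO overwrites an earlier one."""
    result = {}
    for link in application_order(chain):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def sample_chain(block_child=False):
    # Constructed sample data: GPO links and setting names are hypothetical.
    return [
        Container("Local computer", [Link("Local Policy", {"ScreenSaverTimeout": 1800})]),
        Container("Site", [Link("Site-Proxy", {"ProxyServer": "proxy.example.test"})]),
        Container("Domain", [
            Link("Domain-Baseline", {"LogonBanner": "Authorized use only"}, no_override=True),
            Link("Default Domain Policy", {"ScreenSaverTimeout": 900})]),
        Container("Parent OU", [Link("Staff-Desktop", {"HideControlPanel": True})]),
        Container("Child OU", [
            Link("Lab-A", {"ScreenSaverTimeout": 300}),
            Link("Lab-B", {"ScreenSaverTimeout": 120, "LogonBanner": "Lab machines"})],
            block_inheritance=block_child),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print(blocked, [l.gpo for l in application_order(sample_chain(blocked))])
        print(resultant(sample_chain(blocked)))
```

With Block inheritance on the child OU, the site, domain and parent OU links drop out, but the No Override logon banner from the domain still wins over the child OU's own banner.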
Deploying Software Using
Group Policy
• Applications that can be deployed using Group
Policy include:
• Business applications (e.g., Microsoft Office)
• Anti-virus software
• Software updates (e.g., service packs)
• Four phases of software rollout
• Software preparation
• Deployment
• Software maintenance
• Software removal
Software Preparation
• Microsoft Windows installer package (MSI)
• MSI file contains all of the information needed to
install an application in a variety of configurations
• Software vendors include preconfigured MSI packages
• For older applications, can create MSI packages using
3rd party utilities (e.g., VERITAS)
• To install, place MSI file in a shared folder and
configure Group Policy to access for installation

Software Preparation
(continued)
• If application doesn’t have an MSI package can
use ZAP file
• Text file used by Group Policy to deploy an application
• Can only be published and not assigned
• Is not resilient
• Requires user intervention and proper permissions

Summary
• A Group Policy Object is an object in Active
Directory used to configure and apply settings for
user and computer objects
• Two default GPOs created when Active Directory
is installed:
• Default Domain Policy
• Default Domain Controllers Policy
• Two mechanisms for creating GPOs
• Microsoft Management Console Group Policy snap-in
• Group Policy extension in Active Directory Users and
Computers

Summary
• GPOs can be used:
• to control user desktop settings and security settings
• to apply scripts on user logon and logoff and computer
startup and shutdown
• for folder redirection
• GPOs are applied in a specific order
• GPOs are inherited by default
• Can be changed by blocking Group Policy inheritance,
configuring No Override, or filtering using user
permissions
• Use GPRESULT or Resultant Set of Policy tool to view
effective Group Policy settings
Summary
• GPOs are useful in deploying and maintaining
software applications
• GPOs are used for four main phases of software
rollout: preparation, deployment, maintenance,
removal
• For deployment, Group Policy uses an MSI file
containing information needed to install in a variety
of configurations
• Deployed applications can be either assigned or
published
