Presentation transcript: "Module 5: Creating and Configuring Group Policy"
1 Module 5: Creating and Configuring Group Policy

Course 6425A
Presentation: 85 minutes
Lab: 75 minutes

This module helps students to create and configure Group Policy. After completing this module, students will be able to:
- Describe Group Policy.
- Configure the scope of Group Policy objects.
- Evaluate the application of Group Policy objects.
- Manage Group Policy objects.
- Delegate administrative control of Group Policy.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_05.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information. Make sure that students are aware that there is additional information and there are additional resources for the module on the Course Companion CD.
2 Module Overview

- Overview of Group Policy
- Configuring the Scope of Group Policy Objects
- Evaluating the Application of Group Policy Objects
- Managing Group Policy Objects
- Delegating Administrative Control of Group Policy
3 Lesson 1: Overview of Group Policy

- What Is Group Policy?
- Group Policy Settings
- How Group Policy Is Applied
- Exceptions to Group Policy Processing
- Group Policy Components
- What Are ADM and ADMX Files?
- What Is the Central Store?
- Demonstration: Configuring Group Policy Objects
4 What Is Group Policy?

- Group Policy enables IT administrators to automate one-to-many management of users and computers
- Use Group Policy to:
  - Apply standard configurations
  - Deploy software
  - Enforce security settings
  - Enforce a consistent desktop environment
- Local Group Policy is always in effect for local and domain users and local computer settings

Explain how Group Policy enables Information Technology (IT) administrators to automate the management of users and computers, which simplifies administrative tasks and reduces IT costs. Administrators can implement security settings, enforce IT policies, and distribute software consistently for the local computer or across a given site, domain, or range of organizational units.

Mention that two domain policies exist by default. Explain how one policy may be associated with multiple containers through linking. Explain how multiple policies may link to one container.

Discussion Question and Answer
Question: When would local Group Policy be useful in a domain environment?
Answer: Companies that use imaging technologies to deploy operating systems could use local Group Policies to help secure and standardize images. In this way, computers that are not connected to the local area network (LAN) would still be subject to certain restrictions for all users.

Reference
- Windows Server Group Policy
5 Group Policy Settings

- Group Policy settings for users control these settings:
  - Software
  - Windows
  - Security
  - Desktop
- Group Policy settings for computers control these settings:
  - Software
  - Windows
  - Security
  - Operating systems

Describe the types of settings that are available in each area. Open the Default Domain Policy, and briefly show the location of settings. Point out that many of the same settings exist for both user and computer configuration. For example, you could disable Windows® Messenger for the computer or for a user. Mention some of the new settings for Windows Server® 2008.

Discussion Question and Answer
Question: Which of the new features will you find most useful in your environment?
Answer: Answers will vary.

References
- Summary of New or Expanded Group Policy Settings
- What's New in Group Policy in Windows Vista
6 How Group Policy Is Applied

Figure: processing flow. Computer starts -> Computer settings applied -> Startup scripts run -> User logs on -> User settings applied -> Logon scripts run. Both computer settings and user settings are then refreshed on a refresh interval of every 90 minutes.

Explain that computer settings are applied at startup, while user settings are applied at logon. Explain that client-side extensions on the client computer handle the actual processing of settings.

Explain that in case of a conflict between user and computer settings, the computer setting takes precedence. For example, if a user has Windows Messenger specifically set to Allow, but the computer has Windows Messenger specifically set to Disallow, the computer setting takes precedence.

Explain that you can configure the refresh interval and random offset separately for users, computers, and domain controllers. Mention that security settings are refreshed every 16 hours even if they have not changed.

Discussion Question and Answer
Question: What would be some advantages and disadvantages to lowering the refresh interval?
Answer:
Advantages:
- Provides faster updates for new settings.
- Ensures that mobile users are more likely to get settings refreshed.
Disadvantages:
- Increases network traffic.
- Consumes more local computer resources to check for updates.

References
- Group Policy Processing
- Group Policy application rules for domain controllers
- How a slow link is detected for processing user profiles and Group Policy
- Group Policy is not applied due to cached credentials
7 Exceptions to Group Policy Processing

- Slow links
  - 500 kilobits per second (kbps) by default
  - Certain client-side extensions are not processed
  - Prior to Windows Vista, ICMP is used to detect a slow link
  - Windows Vista uses Network Location Awareness
- Additional exceptions:
  - Cached credentials
    - Windows XP and Windows Vista use cached credentials for faster logons
    - Many GPO settings take two logons to take effect
  - Remote access connections
  - Moving a user or computer object in AD DS

Describe what a slow link is. Mention which policies will and will not be processed across a slow link, and how you can change that. Describe how a slow link is detected. Briefly describe the benefits of Network Location Awareness (NLA).

Explain how Windows Vista® and Windows® XP use cached credentials, how this affects Group Policy processing for users, and how to change the default behavior.

Explain that the method by which the user initiates a Remote Access Service (RAS) connection determines whether Group Policy will be applied immediately, or as a background refresh.

Explain that when an object is moved in Active Directory Domain Services (AD DS), the system is not immediately aware of the move, and that the new Group Policy may take time to apply.

Discussion Question and Answer
Question: How is NLA better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?
Answer: Mobile users that move in and out of wireless networks, docking stations, hibernation, etc., will know immediately about the availability of domain controllers.

Reference
- Controlling Client-Side Extensions by Using Group Policy
8 Group Policy Components

- Group Policy Object
  - Contains Group Policy settings
  - Stores content in two locations
- Group Policy Container
  - Stored in AD DS
  - Provides version information
- Group Policy Template
  - Stored in shared SYSVOL folder
  - Provides Group Policy settings
  - Supports both ADM and ADMX templates

Describe the Group Policy object (GPO) as a collection of settings that will be applied. Describe the function and location of the Group Policy container for local or domain-based policies.

Show the location of the ADMX files. Spend time discussing the benefits of the new ADMX format, for example: language independence, XML-based, not stored in the GPO, extensible, etc. Mention how the ADML files supply the language text. Explain what a central store for ADMX files is. Describe the benefits of using a central store. Mention that superseded ADM files will be ignored, but any custom ADM files will be recognized.

References
- How Core Group Policy Works
- Deploying Group Policy Using Windows Vista
9 What Are ADM and ADMX Files?

- ADM files are:
  - Copied into every GPO in SYSVOL
  - Difficult to customize
- ADMX files are:
  - Language neutral
  - Not stored in the GPO
  - Extensible through XML

Explain that operating systems prior to Windows Vista and Windows Server 2008 use ADM files. The main disadvantage of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space. This can lead to "SYSVOL bloat", a term that describes the fact that SYSVOL can grow very large because the GPOs keep repetitive copies of the same ADM files.

Explain that the ADM files stored on the computer that you use to create or edit a GPO dictate which policy templates will be available in the GPO editor.

Discussion Question and Answer
Question: How could you tell if a GPO was created or edited using ADM or ADMX files?
Answer: When you open the GPO in SYSVOL, if there is an ADM folder, then the GPO was created or opened from a computer with ADM files. If there is no ADM folder, then it must have been created from a Windows Vista or Windows Server 2008 computer.

Reference
- Managing Group Policy ADMX Files Step-by-Step Guide
10 What Is the Central Store?

The Central Store:
- Is a central repository for ADMX and ADML files
- Is stored in SYSVOL
- Must be created manually
- Is detected automatically by Windows Vista or Windows Server 2008

Figure: ADMX files are copied from a Windows Vista or Windows Server 2008 workstation to a domain controller with SYSVOL, and SYSVOL replication copies them to the other domain controllers.

Explain that a central store provides a central repository for ADMX files. A central store is stored in SYSVOL, and you must create and update a central store manually. Normal AD DS replication will ensure that it is copied to all domain controllers.

Explain that it provides consistency for administrators who edit GPOs from multiple Windows Vista or Windows Server 2008 workstations.

Consider doing a short demonstration to show how to create a central store.

Discussion Question and Answer
Question: What would be the advantage of creating the central store on the PDC emulator?
Answer: The PDC emulator is the natural focus of Group Policy. Therefore, replication will not have to occur before you can use the central store.

Reference
- How to create a Central Store for Group Policy Administrative Templates in Windows Vista
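The short demonstration suggested above, written out as an added PowerShell example (this is not course material and not Microsoft's own script): it creates the central store in SYSVOL on the PDC emulator, copies the ADMX files and the language folders from the local PolicyDefinitions folder, and checks that every ADMX file has an ADML file to go with it. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later; the PDC emulator, domain name and local source folder are discovered at run time.

```powershell
# Added example (not from the course): create and verify the Central Store.
# Requires the ActiveDirectory module; run as a user who can write to SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'   # local ADMX/ADML set

# Write to the PDC emulator's SYSVOL share explicitly, as the discussion answer
# suggests: the store is usable at once and replication carries it to the other DCs.
$store = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# ADMX files at the top level; ADML files live in language subfolders (e.g. en-US).
# /XO ("exclude older") only overwrites store copies that are older than the source,
# so an older local template never downgrades a newer one already in the store.
robocopy $source $store *.admx /XO /NP /NFL /NDL | Out-Null
Get-ChildItem -Path $source -Directory | ForEach-Object {
    robocopy $_.FullName (Join-Path $store $_.Name) *.adml /E /XO /NP /NFL /NDL | Out-Null
}

# Verification: an ADMX without a matching ADML in any language folder shows up in the
# editor as a setting with no display text, so report those.
$admx = @(Get-ChildItem $store -Filter *.admx | Select-Object -ExpandProperty BaseName)
$adml = @(Get-ChildItem $store -Directory | Get-ChildItem -Filter *.adml |
          Select-Object -ExpandProperty BaseName -Unique)
$missing = @($admx | Where-Object { $_ -notin $adml })

"{0} ADMX files in {1}; {2} without an ADML file" -f $admx.Count, $store, $missing.Count
$missing
```

Once the store exists, the GPMC on a Windows Vista or Windows Server 2008 machine uses it instead of the local PolicyDefinitions folder, which is why the check at the end matters: a missing ADML file in the store affects every administrator in the domain, not just one workstation.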
11 Demonstration: Configuring Group Policy Objects

In this demonstration, you will see how to:
- Create a GPO
- Configure settings

To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.

Demonstration steps:
1. Open the Group Policy Management Console (GPMC) and spend a few moments discussing the interface. Show how to add other domains, and discuss the tabs in the details pane in regard to the container and the Group Policy itself.
2. Create a new Group Policy named Desktop in the Group Policy container.
3. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Messenger from running.
4. In the user configuration, remove the Search menu from the Start menu, and hide the Screen Saver tab.

Discussion Question and Answer
Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?
Answer: The Windows XP operating system cannot interpret the ADMX files, and will not display those templates.

Reference
- Managing Windows Server 2008 Beta 3 and Windows Vista using Group Policy
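The demonstration above, plus the refresh-interval and slow-link settings from slides 6 and 7, as an added PowerShell example (this is not course material; the Windows Server 2008 GPMC taught here has no cmdlets, so in the course these settings are made in the editor). It uses the GroupPolicy module that ships with Windows Server 2008 R2 / RSAT and later. The registry paths are the values behind the named Administrative Template settings; the second GPO, its name and the chosen interval values are assumptions for illustration.

```powershell
# Added example (not from the course): build the "Desktop" GPO of the demonstration and
# a separate GPO for Group Policy processing tuning, then read the results back.
Import-Module GroupPolicy

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

New-GPO -Name 'Desktop' -Comment 'Module 5 demonstration' | Out-Null

# Computer Configuration > Administrative Templates > Windows Components > Windows Messenger
#   "Do not allow Windows Messenger to be run"
Set-GPRegistryValue -Name 'Desktop' -Key 'HKLM\Software\Policies\Microsoft\Messenger\Client' `
    -ValueName 'PreventRun' -Type DWord -Value 1 | Out-Null

# "Interactive logon: Do not display last user name" is a Security Options setting
# (Security Settings, not registry.pol), so Set-GPRegistryValue cannot write it; set it
# in the editor under Computer Configuration > Windows Settings > Security Settings.

# User Configuration > Administrative Templates > Start Menu and Taskbar
#   "Remove Search menu from Start Menu"
Set-GPRegistryValue -Name 'Desktop' -Key $explorer -ValueName 'NoFind' -Type DWord -Value 1 | Out-Null
# User Configuration > Administrative Templates > Control Panel > Display
#   "Hide Screen Saver tab"
Set-GPRegistryValue -Name 'Desktop' -Key $system -ValueName 'NoDispScrSavPage' -Type DWord -Value 1 | Out-Null

# Slides 6 and 7: refresh interval, random offset and slow-link threshold for computers
# (Computer Configuration > Administrative Templates > System > Group Policy). Kept in
# a separate GPO so lockdown and processing tuning can be linked independently.
New-GPO -Name 'Client Processing' -Comment 'GP refresh and slow-link tuning (example)' | Out-Null
$gpSystem = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "Group Policy refresh interval for computers": 60 minutes (default 90) with a random
# offset of up to 20 minutes (default 30) so a whole site does not poll the DC at once.
# Lowering it is the trade-off from the slide 6 discussion: faster updates, more traffic.
Set-GPRegistryValue -Name 'Client Processing' -Key $gpSystem -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value 60  | Out-Null
Set-GPRegistryValue -Name 'Client Processing' -Key $gpSystem -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 20  | Out-Null
# "Group Policy slow link detection": links below this rate in kbps count as slow.
# 500 is the default; setting it explicitly makes the threshold visible in reports.
Set-GPRegistryValue -Name 'Client Processing' -Key $gpSystem -ValueName 'GroupPolicyMinTransferRate'   -Type DWord -Value 500 | Out-Null

# Read back what was written to registry.pol, and produce the settings report
Get-GPRegistryValue -Name 'Client Processing' -Key $gpSystem | Select-Object ValueName, Type, Value
Get-GPOReport -Name 'Desktop' -ReportType Html -Path (Join-Path $env:TEMP 'Desktop-GPO.html')
```

Neither GPO is linked yet, so nothing changes on any client; linking is the subject of Lesson 2. The HTML report is the same output the GPMC's Settings tab shows, and is a convenient change record before a GPO is linked.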
12 Lesson 2: Configuring the Scope of Group Policy Objects

- Group Policy Processing Order
- What Are Multiple Local Group Policy Objects?
- Options for Modifying Group Policy Processing
- Demonstration: Configuring Group Policy Object Links
- Demonstration: Configuring Group Policy Inheritance
- Demonstration: Filtering Group Policy Objects Using Security Groups
- Demonstration: Filtering Group Policy Objects Using WMI Filters
- How Does Loopback Processing Work?
- Discussion: Configuring the Scope of Group Policy Processing
13 Group Policy Processing Order

Figure: processing order. GPO1 (Local) -> GPO2 (Site) -> GPO3 and GPO4 (Domain) -> GPO5 (OU) -> nested OU -> nested OU.

Explain that GPOs can link only to Active Directory Domain Services (AD DS) containers such as sites, domains, and organizational units (OUs), not to individual security principals. Security principals receive GPO settings by virtue of being in a container.

Describe the order of application, and the policies for local GPOs, site level, domain level, OU, and nested OU levels. Explain that GPO settings are cumulative, and what happens in the case of conflicts between policies. Explain how precedence works if you assign multiple policies at the same level. Mention that any local Group Policy will be applied unless a domain-level policy overrides it.

Discussion Question and Answer
Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?
Answer: The GPO must be applied separately to each domain. If the settings are changed for one domain, then you must change them manually for the other domain to remain in sync. The GPMC simplifies the task of copying the GPO to another domain.

References
- Group Policy processing and precedence
- How Core Group Policy Works
14 What Are Multiple Local Group Policy Objects?

- One layer of computer configuration that applies to all users
- There are three layers of user configuration:
  - Administrator
  - Non-Administrator
  - User-specific
- Layers apply only to individual users, not to groups

Explain that all computers running Windows 2000 or later have a local Group Policy. Stress that in a domain environment, domain policies will override local settings. Describe how you can use local Group Policy to control the local machine. Explain that this is useful in workgroup and standalone environments. Stress that local Group Policy will apply to all users who log on to the local computer.

Describe the new feature in Windows Server 2008 and Windows Vista that allows multiple local Group Policy objects. Explain how you can apply multiple local Group Policy objects to Administrators, Non-Administrators, or individual local users. Mention that you cannot apply local Group Policy objects to groups. Mention also that only user settings can be applied through multiple local Group Policy objects; there is always only one computer configuration policy.

Discussion Question and Answer
Question: When would multiple local Group Policy objects be useful in a domain environment?
Answer: Companies may use multiple local Group Policy objects to exempt domain and local administrative accounts from local restrictions.

References
- Multiple Local Group Policy objects
- Step-by-Step Guide to Managing Multiple Local Group Policy Objects
15 Options for Modifying Group Policy Processing

Five methods to modify GPO default processing:
- Block inheritance
- Enforcement
- Filtering using security groups or WMI filters
- Disabling GPOs
- Loopback processing

Explain that, by default, all Group Policy objects apply to all security principals (the Authenticated Users group) in a given container, but that you can modify this behavior through various methods. Provide a brief description of the methods. The following topics will explain them in detail.

Discussion Question and Answer
Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?
Answer: Enforce the GPO link at the Finance OU level.

References
- Controlling the Scope of Group Policy Objects using GPMC
- Loopback processing with merge or replace
16 Demonstration: Configuring Group Policy Object Links

In this demonstration, you will see how to:
- Create and link GPOs to different locations within AD DS
- Disable a GPO link

To complete this demonstration, you must have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Demonstration steps:
1. Link the policy you created in the previous demonstration to the Toronto OU. Log on as one of the Toronto users to test the results.
2. Show how to disable the computer or user side of the policy. Explain that this would be done to gain some performance advantage by not processing parts of the policy that are known to be empty.
3. Show how to disable the entire policy. Explain that this normally would be done to assist in troubleshooting policies.

Discussion Question and Answer
Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will affect only that container.
Answer: False. Changing the settings of a GPO will affect all the containers to which the GPO is linked.

References
- Create or delete a Group Policy object
- Link a Group Policy object using GPMC
- Disable a Group Policy object link using GPMC
17 Demonstration: Configuring Group Policy Inheritance

In this demonstration, you will see how to:
- Block GPO inheritance
- Enforce GPO inheritance

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Explain that blocking inheritance will prevent all higher-level GPOs from being applied. Also mention that you cannot block GPOs selectively. This might be done to exempt a particular OU from restrictive policies that have been applied at a higher level. Show how the blue exclamation mark indicates that inheritance has been blocked at that level. Mention that policies that are being enforced cannot be blocked through this method.

Demonstration steps:
1. Create a new OU and create a new user (User1) in the OU. (Ensure that Domain Users have the right to log on to the domain controller.)
2. In the Default Domain Policy, enable the setting to remove the Help menu from the Start menu.
3. Log on as the new user and test that the Help menu no longer appears.
4. As Administrator, block inheritance for the new OU.
5. Log on as the new user and test that the Help menu now appears.
6. As Administrator, enforce the Default Domain Policy.
7. Log on as the new user and test that the Help menu no longer appears, because the enforcement overrides the blocking of inheritance.
8. As Administrator, turn off enforcement and inheritance blocking.

Discussion Question and Answer
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?
Answer: Block inheritance for the OUs that should not receive GPO2, and set the link on GPO1 to be enforced to ensure that all OUs receive GPO1.

Reference
- Group Policy Inheritance
18 Demonstration: Filtering Group Policy Objects Using Security Groups

In this demonstration, you will see how to filter the application of GPOs using security groups.

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Show how to use the Scope tab of the GPO to assign the GPO settings to particular users or computers. Show the security sheet and discuss the Apply Group Policy permission. Describe how to exempt certain users or computers from GPO settings by denying the Apply Group Policy permission. This could be done to exempt department managers or administrators from restrictive settings that apply to the entire department, or to apply a policy only to certain users or computers.

Demonstration steps:
1. Create a second user (User2) in the OU that you created for the last demonstration.
2. Create a link between a GPO and the OU that removes the Run menu from the Start menu.
3. Use security filtering to exempt User2 from the GPO setting.
4. Log on as User1 and test that there is no Run menu.
5. Log on as User2 and test that the Run menu appears because security filtering is in place.

Discussion Question and Answer
Question: You want to ensure that a specific policy linked to an OU will affect only the members of the Managers global group. How would you accomplish this?
Answer: Use the security page of the GPO to remove the Authenticated Users group, then add the Managers global group and grant it Read and Apply Group Policy permissions.

References
- Filter using security groups
- Using Security Filtering to Apply GPOs to Selected Groups
- Security filtering using GPMC
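The link, inheritance and security-filtering operations of the three demonstrations above (slides 16, 17 and 18), together with the precedence order from slide 13, as one added PowerShell example using the GroupPolicy module (not course material; Windows Server 2008 R2 / RSAT or later). The domain contoso.com, the Toronto and Sales OUs, the "Run Menu Lockdown" GPO and the Managers group are assumptions; "Desktop" and "Default Domain Policy" are the GPO names used in the course. One deliberate difference from the discussion answer: Authenticated Users is reduced to Read rather than removed, because later Windows security updates (MS16-072) make user policy retrieval run in the computer's security context, and a GPO the computer account cannot read is never applied.

```powershell
# Added example (not from the course): links, inheritance, enforcement, security
# filtering, and the resulting precedence order at an OU.
Import-Module GroupPolicy

$domainDN  = 'DC=contoso,DC=com'          # assumed domain
$torontoOU = "OU=Toronto,$domainDN"       # assumed OU from the link demonstration
$salesOU   = "OU=Sales,$domainDN"         # assumed OU for the inheritance demonstration

# Slide 16: link the Desktop GPO to the Toronto OU, then disable the link (the GPO and
# its settings stay; only this link stops applying), as you would while troubleshooting.
New-GPLink -Name 'Desktop' -Target $torontoOU -LinkEnabled Yes | Out-Null
Set-GPLink -Name 'Desktop' -Target $torontoOU -LinkEnabled No  | Out-Null

# Disable only the user side of the GPO: it carries no user settings, so skipping that
# half saves processing at logon. GpoStatus is a writable property of the GPO object.
(Get-GPO -Name 'Desktop').GpoStatus = 'UserSettingsDisabled'

# Slide 17: block inheritance at the Sales OU, then enforce the Default Domain Policy
# link. Blocking stops every higher-level GPO at once (no selective blocking);
# enforcement wins over the block, and an enforced GPO cannot be overridden below it.
Set-GPInheritance -Target $salesOU -IsBlocked Yes | Out-Null
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes | Out-Null

# Slide 18: security filtering so "Run Menu Lockdown" applies only to Managers.
# Authenticated Users keeps Read but loses Apply Group Policy (-Replace is needed,
# otherwise the cmdlet will not lower an existing permission level).
Set-GPPermission -Name 'Run Menu Lockdown' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
# GpoApply grants Read + Apply Group Policy, the pair the discussion answer names.
Set-GPPermission -Name 'Run Menu Lockdown' -TargetName 'Managers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Exempting one account (User2 in the demonstration) needs a Deny on Apply Group Policy.
# Set-GPPermission cannot write Deny entries; that step stays in the GPMC Delegation
# tab (Advanced), exactly as the demonstration shows it.

# Slide 13: what actually applies at the Sales OU, highest precedence first.
$inh = Get-GPInheritance -Target $salesOU
"Inheritance blocked at {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

With the block in place, the table at the end lists only the enforced Default Domain Policy and the links on the Sales OU itself; remove the block (Set-GPInheritance with -IsBlocked No) and the site and domain links reappear below it in the order the slide describes. Get-GPInheritance reports link order and enforcement but not security or WMI filtering, so a GPO shown here can still be filtered out for a given user or computer; Lesson 3's reporting tools show that final result.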
19 Demonstration: Filtering Group Policy Objects Using WMI Filters

In this demonstration, you will see how to create and assign a WMI filter.

To complete this demonstration, you will need to have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Explain that Windows Management Instrumentation (WMI) filters allow you to determine whether GPO settings will be applied based on the target computer's attributes. For example, a WMI filter can test for required disk space, memory, service-pack level, etc., to determine if a certain GPO will be applied. Mention that WMI filter support is available only on Windows XP and later. Windows 2000 and earlier cannot process WMI filters.

Demonstration steps:
1. Use the GPMC to create a new WMI filter that targets only Windows XP Professional clients, using the following namespace and query:
   Root\CimV2
   Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
2. Use the GPMC to create a new GPO named software.
3. Assign the WMI filter to the software GPO.

Discussion Question and Answer
Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
Answer: Create a WMI filter to test for the amount of RAM, and link that filter to the GPO that delivers the software package.
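A WMI filter is just a WQL query that the Group Policy engine runs on the target computer: the GPO applies when the query returns at least one instance and is skipped when it returns none. The added PowerShell example below (not course material) runs a candidate query the same way against a computer before the filter is created in the GPMC, using the demonstration's Windows XP Professional query and a query for the discussion question's "more than 1 GB of RAM" case. Test-WmiFilterQuery is a helper written for this example; the computer name is an assumption, and Get-CimInstance needs PowerShell 3.0 or later (older systems use Get-WmiObject with the same -Namespace and -Query parameters).

```powershell
# Added example (not from the course): dry-run a WMI filter query on a computer and
# report whether a GPO carrying that filter would apply there.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace    = 'root\CimV2',          # the namespace from the demonstration
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Same evaluation rule as the Group Policy engine: any instance returned => filter is true
    $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ComputerName $ComputerName)
    [pscustomobject]@{
        Computer = $ComputerName
        Query    = $Query
        Matches  = $instances.Count
        Applies  = ($instances.Count -gt 0)
    }
}

# 1) The demonstration's filter: only Windows XP Professional clients
$xpQuery  = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'

# 2) The discussion question: computers with more than 1 GB of RAM.
#    TotalPhysicalMemory is reported in bytes, so 1 GB is 1073741824.
$ramQuery = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 1073741824'

$client = 'NYC-CL1'   # assumed client name
Test-WmiFilterQuery -Query $xpQuery  -ComputerName $client
Test-WmiFilterQuery -Query $ramQuery -ComputerName $client

# Show the raw values the two queries compare against, to explain a surprising result
Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $client |
    Select-Object Caption, Version, CSDVersion
Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $client |
    Select-Object Name, @{ n = 'RAM_GB'; e = { [math]::Round($_.TotalPhysicalMemory / 1GB, 2) } }
```

Two practical points follow from this: an exact string match on Caption breaks as soon as an edition name differs, so check the real Caption value first (the last two commands do that); and the RAM query is the safer form of the filter because a numeric comparison does not depend on how a vendor names the machine. Once the query behaves as expected, create the filter in the GPMC with the same namespace and query text and attach it to the GPO, as in steps 1 to 3 above.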
20 How Does Loopback Processing Work?

Explain that loopback processing is a computer-side setting that provides alternate user settings for computers configured to use loopback. Explain the difference between Merge and Replace. Scenarios where this would be useful include kiosks, classroom computers, secure computers, or any place where it is desirable that all users who log on get the same user settings. For example, a public-access computer in the lobby may have the desktop locked down completely, and only allow access to certain software. Loopback would ensure that whoever logged on to the computer would be subject to those restrictions.

References
- Loopback processing with merge or replace
- Loopback processing of Group Policy
21 Discussion: Configuring the Scope of Group Policy Processing

Figure: Woodgrove Bank domain tree. Head Office site containing Head Office, Branches (Winnipeg, connected across a slow link, and Toronto), and Servers (SQL Server, Exchange Server); Toronto site, connected across a high-speed link.

Scenario:

Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and Toronto. The Toronto site is connected to the Head Office site across a high-speed link. Within the Head Office site, there is a branch office in Winnipeg. This office is connected to Head Office across a slow link. There are five users in the Winnipeg office. There is no domain controller in the Winnipeg office, but there is a SQL server.

This organization has deployed both Windows XP Professional and Windows Vista computers.

Requirements
- All domain computers that have Windows XP Professional installed will have a small software application distributed through Group Policy.
- Domain users should not have access to the desktop display properties. The Administrators group will be exempt from this restriction.
- Both the Winnipeg and Toronto branch users will have further desktop restrictions applied.
- Both branches will have a kiosk computer available in the lobby for public Internet access. This computer needs to be locked down so that the user cannot change any settings. Their computer accounts are located in their respective branches' OU.
- The computer accounts for all servers other than domain controllers will be located in the Servers OU or in a nested OU inside the Servers OU. All servers must have baseline security settings applied.
- SQL servers must have additional security settings applied.

How would you construct a Group Policy scheme to satisfy the requirements?

A suggested solution
- A domain policy that delivers the software application, and that uses a WMI filter to detect computers running Windows XP. You must configure this policy to apply across a slow link.
- A domain policy that restricts access to the desktop display properties, and that has security group filtering enabled to exempt the Administrators group. Administrative templates are always applied across slow links.
- A policy applied to the branch OU to impose further desktop restrictions.
- A policy applied to the branch OU to enforce loopback that is security filtered to apply only to kiosk computer accounts.
- A policy applied to the Servers OU to increase security.
- A policy applied to the SQL OU to apply extra security. Security settings are always applied across slow links.
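The kiosk item of the suggested solution is the one that combines the loopback topic from slide 20 with security filtering, so it is written out here as an added PowerShell example (not course material; GroupPolicy module, Windows Server 2008 R2 / RSAT or later). The domain woodgrovebank.com, the Branches OU path, the GPO name and a "Kiosk Computers" group holding both kiosk computer accounts are assumptions; the registry values are the ones behind the named Administrative Template settings.

```powershell
# Added example (not from the course): a branch-OU GPO that turns on loopback (Replace),
# carries locked-down user settings, and is filtered to the kiosk computer accounts.
Import-Module GroupPolicy

$branchOU = 'OU=Branches,DC=woodgrovebank,DC=com'    # assumed path
$gpoName  = 'Kiosk Lockdown'                          # assumed name
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

New-GPO -Name $gpoName -Comment 'Lobby kiosks: loopback Replace + locked user settings' | Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
# Replace: a logged-on user gets only the user settings of the GPOs that apply to the
# computer, so every visitor sees the same session regardless of which account logs on.
# Merge would apply the user's own GPOs first and then these on top.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# The user settings that loopback hands to whoever logs on (User Configuration >
# Administrative Templates): no Run command, no Control Panel.
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Security filtering by computer: with loopback it is the *computer* account that must
# be able to apply the GPO. Authenticated Users keeps Read (so the computer can still
# read it) but loses Apply; the kiosk group gets Read + Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Kiosk Computers' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link at the branch OU; the filter, not the link, keeps it off the other branch computers
New-GPLink -Name $gpoName -Target $branchOU -LinkEnabled Yes | Out-Null

# Review: the user-side values loopback Replace will deliver on the kiosks
Get-GPRegistryValue -Name $gpoName -Key $explorer | Select-Object ValueName, Type, Value
```

Because the computer side is what selects this GPO, a kiosk user who also logs on to a normal branch workstation is unaffected there, which is the behaviour the requirement asks for. The loopback mode itself is a computer setting, so a reboot or a computer-side refresh on the kiosk must happen before the next logon shows the effect.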
22 Discussion Questions and Answers

Question: What are the advantages to using security group filtering over blocking inheritance, to prevent Group Policy from being applied?
Answer: Security group filtering allows you to block or apply specific policies, while blocking inheritance affects all higher-level policies.

Question: When would blocking inheritance be more appropriate?
Answer: When you need to prevent all the objects in an OU from receiving Group Policy, and there are too many objects to make filtering a practical solution.
23 Lesson 3: Evaluating the Application of Group Policy Objects

- What Is Group Policy Reporting?
- What Is Group Policy Modeling?
- Demonstration: How to Evaluate the Application of Group Policy
24 What Is Group Policy Reporting?

- Group Policy reporting is a method of planning and troubleshooting Group Policy
- Group Policy results are provided by the GPMC
- GPResult is a command-line utility

Explain that Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. Explain that Group Policy Reporting is a feature of the GPMC. Describe how to use the GPResult command-line utility, and the switches available for GPResult. Emphasize that a user must log on to the computer on which you are testing, and that the firewall on the client computer must allow the RPC port so that the query can run. Describe the differences in the information returned from GPResult and the Group Policy Results Wizard, and how you can print the results or save them as HTML files.

Discussion Question and Answer
Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use?
Answer: GPResult.exe will provide that information.

References
- Group Policy Results (Administering Group Policy with Group Policy Management Console)
- Determine Resultant Set of Policy with GPResult.exe
25 What Is Group Policy Modeling?

- The Group Policy Modeling Wizard calculates the simulated net effect of GPOs
- The Group Policy Modeling Wizard simulates:
  - Site membership
  - Security group membership
  - WMI filters
  - Slow links
  - Loopback processing
  - The effects of moving user or computer objects to a different Active Directory container

Describe how you can use the Group Policy Modeling Wizard to test the effects of GPOs before they are released in the live environment. Emphasize that local Group Policy is not taken into consideration when using the wizard. Describe how you can print the results or save them as HTML files.

Discussion Question and Answer
Question: What simulations can you perform with the Group Policy Modeling Wizard? Choose all that apply:
A. Loopback processing
B. Moving a user to a different domain in the same forest
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above
Answer: A, D and E are correct. You cannot simulate migrating users across domains. You can simulate security group membership, but not security group filtering.

References
- Determine Resultant Set of Policy with GPResult.exe
- Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings
26 Demonstration: How to Evaluate the Application of Group Policy

In this demonstration, you will see how to run each of the tools for reviewing Group Policy application.

To complete this demonstration, you must have the 6425A-NYC-DC1 and the 6425A-NYC-CL1 virtual machines running.

Demonstration steps:
1. From the command prompt, run GPResult and explain the resulting output.
2. Use the GPMC to run the Group Policy Reporting Wizard for a user. Examine the output, and save the report as an HTML file.
3. Use the GPMC to run the Group Policy Modeling Wizard to simulate what would happen if the user moved to a different OU, and then compare the differences.

Discussion Question and Answer
Question: A user reports that they are unable to access Control Panel, yet other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?
Answer: The Group Policy Results Wizard can tell you if the problem is Group Policy related, and if so, which policy is providing the setting.
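Steps 1 and 2 above, and the reporting discussion on slides 24 and 25, as an added PowerShell example (not course material). It runs the real gpresult.exe switches against a remote client, produces the same resultant-set report the Group Policy Results Wizard produces through the GroupPolicy module (Windows Server 2008 R2 / RSAT or later), and then reads the XML report to answer the Control Panel question: which GPOs reached the user, in what order, and which were filtered out. The client name NYC-CL1 is the course's virtual machine; the user contoso\User1, the output folder and the element names used to read the XML (taken from gpresult /x output) are assumptions. As the slide says, the user must have logged on to that client at least once and the client firewall must allow the RPC connection.

```powershell
# Added example (not from the course): three views of what Group Policy delivered.
$client = 'NYC-CL1'
$user   = 'contoso\User1'       # assumed account
$out    = 'C:\GPReports'        # assumed output folder
New-Item -Path $out -ItemType Directory -Force | Out-Null

# 1) gpresult summary for one user on a remote computer (/r = summary, /v = verbose,
#    /z = super-verbose, /scope = user or computer only). Modeling has no CLI equivalent.
gpresult /s $client /user $user /scope user /r

# 2) The full report as HTML (Vista and later). Its header names the domain controller
#    that served the policy, which is the slide 24 discussion answer. /f overwrites.
gpresult /s $client /user $user /h "$out\$client-User1.html" /f

# 3) The same data through the GroupPolicy module, as XML so it can be queried
Import-Module GroupPolicy
$xmlPath = "$out\$client-User1.xml"
Get-GPResultantSetOfPolicy -Computer $client -User $user -ReportType Xml -Path $xmlPath | Out-Null

# Which GPOs reached the user side, highest precedence first, and which were denied.
# AccessDenied = security filtering kept it out; FilterAllowed = false = WMI filter
# evaluated false. Anything that applied and writes NoControlPanel is the culprit.
[xml]$rsop = Get-Content $xmlPath
$rsop.Rsop.UserResults.GPO |
    Sort-Object { [int]$_.Link.SOMOrder }, { [int]$_.Link.LinkOrder } |
    Select-Object Name,
                  @{ n = 'LinkedAt';      e = { $_.Link.SOMPath } },
                  @{ n = 'Enforced';      e = { $_.Link.NoOverride } },
                  @{ n = 'Enabled';       e = { $_.Enabled } },
                  @{ n = 'FilterAllowed'; e = { $_.FilterAllowed } },
                  @{ n = 'AccessDenied';  e = { $_.AccessDenied } } |
    Format-Table -AutoSize
```

For the discussion question this is the whole diagnosis: compare the table for the affected user with the same table for a colleague in the same OU. A GPO that shows AccessDenied true for one and false for the other points at security filtering; a GPO present for one user and absent for the other points at a link or an inheritance block on a different OU. If the Control Panel setting is not in any applied GPO, the cause is outside Group Policy (for example a local policy, which, as slide 25 notes, the modeling wizard does not simulate either).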
27 Lesson 4: Managing Group Policy Objects

- GPO Management Tasks
- What Is a Starter GPO?
- Demonstration: How to Copy a GPO
- Demonstration: Backing up and Restoring GPOs
- Demonstration: Importing a GPO
- Migrating Group Policy Objects
28 GPO Management Tasks

GPO management tasks:
- Back up GPOs
- Restore GPOs
- Copy GPOs
- Import GPOs

Emphasize the importance of backing up GPOs. Explain that you can back up all GPOs at once, or back them up individually. The location of the backed-up GPOs can be any valid location on either the local computer or the network.

Explain how you can restore older versions of GPOs, if necessary. Explain that a copied GPO will be named "Copy of OldGPOName", but that it can be renamed afterwards.

Explain that GPO settings can only be imported from backup versions of GPOs, and that imported settings will overwrite all current settings in a GPO. Explain the difference between copying and importing. Explain the purpose of a migration table. Explain that a copy or import operation always creates a new GPO. It is not possible to copy settings from multiple GPOs into a single GPO.

Discussion Question and Answer
Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?
Answer: Restoring a previously backed-up version will restore the original settings.

References
- Backing up, Restoring, Migrating, and Copying GPOs
- Import using GPMC
29 What Is a Starter GPO?
Stores Administrative Template settings on which new GPOs will be based
Can be exported to .cab files
Can be imported into other areas of the enterprise
The Starter GPOs folder is new in the Windows Server 2008 GPMC. Explain that starter GPOs store preconfigured Administrative Template settings and act as templates for creating new GPOs. Only Administrative Template (registry-based) settings can be held in a starter GPO, so security settings, scripts and preferences must still be configured in the GPO itself. You can export starter GPOs to .cab files that can easily be imported into other areas of your enterprise. This can help provide consistency in large enterprises. You can store comments about the starter GPO in the template itself.
Reference:
Help Topics: Working with Starter GPOs
[Slide graphic: a starter GPO is exported to a .cab file (starterGPO.cab), and the cabinet file is loaded into another GPMC.]
30 Demonstration: How to Copy a GPO
In this demonstration, you will see how to copy a GPO.
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Copy an existing GPO, and then describe the effect on GPO permissions: by default the copy receives the default GPO permissions, and only if you choose to preserve the existing permissions does it inherit the ACL of the original.
Demonstration steps:
1. Use the GPMC to copy the Desktop policy that you created in the previous demonstration.
2. Rename the resulting GPO with the name of your choice.
Discussion Question and Answer
Question: What is the advantage of copying a GPO and linking it to an OU, versus linking the original GPO to multiple OUs?
Answer: If the original GPO is modified, the change affects every OU to which it is linked. A copied GPO is a new instance, with its own GUID, that has no connection to the original, so it can be changed for one OU without affecting the others (at the cost of having two GPOs to maintain).
References:
Copy a Group Policy object using GPMC
Copy using GPMC
31 Demonstration: Backing up and Restoring GPOs
In this demonstration, you will see how to back up and restore a GPO.
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Create a folder named GPO_Back to hold the backed-up GPOs.
2. Back up an individual GPO.
3. Back up all GPOs.
4. Delete one of the GPOs from the Group Policy Objects folder.
5. Restore the GPO from the backup version.
Discussion Question and Answer
Question: What permissions are required to back up a GPO?
Answer: Read permission on the GPO, plus write access to the backup folder in the file system. Restoring an existing GPO requires Edit settings, delete, modify security on that GPO; restoring a deleted GPO requires the right to create GPOs in the domain.
References:
Back up a Group Policy object using GPMC
Restore using GPMC
Restore a backed-up Group Policy object using GPMC
32 Demonstration: Importing a GPO
In this demonstration, you will see how to:
Import a GPO
Use a migration table
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Create a new GPO named Redirect.
2. Configure the Redirect policy to redirect the My Documents folder to a UNC path of \\server\share.
3. Back up the Redirect policy.
4. Create a new GPO named Imported.
5. Import the policy settings from the Redirect policy backup into the Imported policy.
6. When the scan discovers the settings that may need to be modified, create a new migration table that changes the UNC path from \\server\share to \\Srv1\docs.
7. Finish the Import Settings Wizard, and show that the UNC path for My Documents has changed from \\server\share to \\Srv1\docs.
Discussion Question and Answer
Question: What is the purpose of a migration table?
Answer: Migration tables let you change specific references (security principals such as users and groups, and UNC paths) in copied or imported GPOs so that they are valid in the new location where the GPO will be applied. Without one, a GPO copied to another domain carries references that resolve to nothing, or to the wrong principal, in the destination.
Reference:
Import a Group Policy object using GPMC
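The management tasks of slides 28 to 32 (starter GPO, copy, back up, restore, import with a migration table) carried out from PowerShell, as one added example that is not part of the course materials. It assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later), a caller with Edit rights on the GPOs named and write access to C:\GPO_Back, and that the Redirect GPO already exists with the folder redirection configured as in step 2 above. The starter GPO name and the Toronto copy are placeholders; the migration-table XML layout is the one GPMC writes and is an assumption about its schema.

```powershell
# Added example (not part of course 6425A). Assumes the GroupPolicy module,
# Edit rights on the GPOs below, and that "Redirect" already exists with My
# Documents redirected to \\server\share (configured in the GPMC as on slide 32).
Import-Module GroupPolicy
$backupDir = 'C:\GPO_Back'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Starter GPO (slide 29): Administrative Template settings that new GPOs are
# seeded from. -StarterGpoName copies those settings into the new GPO.
New-GPStarterGPO -Name 'Corp Desktop Baseline' -Comment 'Shared admin-template baseline' | Out-Null
if (-not (Get-GPO -Name 'Desktop' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'Desktop' -StarterGpoName 'Corp Desktop Baseline' | Out-Null
}

# Copy (slide 30): a new GPO with a new GUID and no connection to the original.
# Without -CopyAcl the copy gets default permissions; with it the source ACL is
# carried over, so review that ACL before linking the copy anywhere.
Copy-GPO -SourceName 'Desktop' -TargetName 'Desktop - Toronto' -CopyAcl | Out-Null

# Back up (slide 31): one GPO, then every GPO in the domain. Each backup is a
# GUID-named folder holding the settings and the security descriptor, so the
# backup location needs the same protection as the GPOs themselves.
Backup-GPO -Name 'Desktop' -Path $backupDir -Comment 'Before desktop lockdown change' | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null

# Restore (slide 31): after a deletion or a bad edit, put the most recent backup
# of that GPO back. Restore keeps the original GUID, ACL and WMI-filter link
# but does not recreate links from sites, domains or OUs.
Restore-GPO -Name 'Desktop' -Path $backupDir | Out-Null

# Import (slide 32): copy settings from a backup into an existing target GPO,
# replacing everything the target held. The migration table rewrites the UNC
# path so the folder redirection points at the destination environment.
$migTable = Join-Path $backupDir 'redirect.migtable'
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\server\share</Source>
    <Destination>\\Srv1\docs</Destination>
  </Mapping>
</MigrationTable>
'@ | Out-File -FilePath $migTable -Encoding Unicode   # UTF-16 to match the declaration

Backup-GPO -Name 'Redirect' -Path $backupDir | Out-Null
New-GPO -Name 'Imported' | Out-Null
Import-GPO -BackupGpoName 'Redirect' -TargetName 'Imported' -Path $backupDir `
    -MigrationTable $migTable | Out-Null

# Check the result the way the demonstration does: the settings report of the
# imported GPO should now reference \\Srv1\docs and no longer \\server\share.
$report = Get-GPOReport -Name 'Imported' -ReportType Xml
if ($report -match [regex]::Escape('\\Srv1\docs') -and
    $report -notmatch [regex]::Escape('\\server\share')) {
    'Migration table applied: redirection target is \\Srv1\docs'
} else {
    'Check the migration table: \\server\share is still referenced'
}
```

Import-GPO also accepts -CreateIfNeeded, which creates the target GPO when it does not exist; the script creates Imported explicitly to keep the copy/import distinction of slide 28 visible.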
33 Migrating Group Policy Objects
The ADMX Migrator utility:
Can be used to convert custom ADM files to ADMX
Is GUI-based, and can be downloaded from the Microsoft Download Center
Explain that the ADMX Migrator enables you to convert custom ADM files to the ADMX format (an ADMX file plus a language-specific ADML file) so that they can be placed in the central store and edited with the Windows Vista and Windows Server 2008 Group Policy tools. Review the converted files before deploying them; a hand-written ADM file may need manual adjustment after conversion.
References:
ADMX Migrator
ADMX Migrator download (Blog)
34 Lesson 5: Delegating Administrative Control of Group Policy
Options for Delegating Control of GPOs
Demonstration: How to Delegate Administrative Control of GPOs
35 Options for Delegating Control of GPOs
Methods to delegate control of GPOs:
Create GPOs in the domain: membership in the Group Policy Creator Owners group, or explicit permission to create GPOs
Edit or delete GPOs: assign Edit rights on individual policies
Link GPOs to containers: delegate the right to link GPOs to containers
Use reporting tools: delegate the right to use the Group Policy reporting tools
Explain that you can delegate different aspects of GPO management. Emphasize that the ability to create, link, and edit GPOs are separate rights, and that having one of them does not give you any of the others: creating is a permission on the Policies container in the domain (or Group Policy Creator Owners membership), editing is a permission on each individual GPO, and linking is write permission on the gPLink and gPOptions attributes of the site, domain, or OU. By default, only members of Domain Admins and Enterprise Admins hold all of these rights.
The Delegation of Control Wizard or the GPMC can be used to delegate linking GPOs, as well as to enable use of the reporting tools (the Generate Resultant Set of Policy (Logging) and (Planning) rights). Explain that you can use membership in the Group Policy Creator Owners group or delegation through the GPMC to delegate the right to create new GPOs. You can configure each individual policy to allow users or groups to edit that policy. Point out that edit rights on a GPO linked at the domain level, or link rights on the Domain Controllers OU, amount to administrative control of every computer in that scope, so delegate them as carefully as membership in Domain Admins.
Reference:
Delegating Group Policy
36 Demonstration: How to Delegate Administrative Control of GPOs
In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for Group Policy.
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Use the Delegation of Control Wizard to delegate to a user the right to link an existing GPO, and to use the Group Policy reporting tools.
2. Use the GPMC to delegate to a different user the right to create Group Policy objects.
3. Use the GPMC to delegate to the user the right to edit the Desktop policy.
Discussion Question and Answer
Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?
Answer: Use the GPMC (the Delegation tab of the Group Policy Objects container) to delegate permission to create GPOs to the user. You cannot add the user to the Group Policy Creator Owners group, because it is a global group and therefore cannot contain a user from a different domain.
References:
Delegation and policy-related permissions
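The four delegations of slides 35 and 36, set and then reviewed from the command line, as an added example that is not part of the course materials. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later), a caller in Domain Admins, and dsacls.exe from the AD DS tools; the groups GPO-Authors, NYC-GPO-Linkers, NYC-Helpdesk and NYC-GPO-Editors, the NYC OU and the GPO name Desktop are placeholders. The dsacls right strings (RPWP on an attribute, CA on an extended right) follow the tool's documented syntax.

```powershell
# Added example (not part of course 6425A). Assumes the GroupPolicy and
# ActiveDirectory modules, a Domain Admins caller, and dsacls.exe. Group names,
# the NYC OU and the GPO "Desktop" are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=NYC,$domainDN"

# Create GPOs: membership in Group Policy Creator Owners. It is a global group,
# so this works only for principals of this domain; for a user from another
# domain in the forest use the GPMC Delegation tab, as the discussion answer says.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'GPO-Authors'

# What the GPMC delegation sets on the directory side: a Create Child right on
# the Policies container. Read it back so the two delegation paths can be compared.
(Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Link GPOs: write access to the gPLink and gPOptions attributes of the
# container. /I:T applies the entry to the OU and everything beneath it; leave
# it out to allow linking at this one OU only.
dsacls $ou /I:T /G "WOODGROVEBANK\NYC-GPO-Linkers:RPWP;gPLink" `
               /G "WOODGROVEBANK\NYC-GPO-Linkers:RPWP;gPOptions"

# Reporting tools: the two RSoP extended rights (CA = control access) that the
# Delegation of Control Wizard grants with its "Generate Resultant Set of
# Policy" tasks.
dsacls $ou /I:T /G "WOODGROVEBANK\NYC-Helpdesk:CA;Generate Resultant Set of Policy (Logging)" `
               /G "WOODGROVEBANK\NYC-Helpdesk:CA;Generate Resultant Set of Policy (Planning)"

# Edit a GPO: a per-GPO ACL entry, not a domain-wide right. GpoEdit allows
# editing settings; GpoEditDeleteModifySecurity also allows deleting the GPO
# and changing its ACL, so reserve that level for the GPO's owners.
Set-GPPermission -Name 'Desktop' -TargetName 'NYC-GPO-Editors' -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Review: who can change this GPO, and where is it linked? Edit rights on a
# GPO linked at the domain root or the Domain Controllers OU are equivalent to
# control of every machine in that scope, so treat them as privileged access.
Get-GPPermission -Name 'Desktop' -All |
    Where-Object { $_.Permission -like 'GpoEdit*' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
foreach ($target in $domainDN, "OU=Domain Controllers,$domainDN", $ou) {
    (Get-GPInheritance -Target $target).GpoLinks |
        Where-Object { $_.DisplayName -eq 'Desktop' } |
        Select-Object Target, DisplayName, Enabled, Enforced
}
```

Run the review section on its own, on a schedule, against every GPO linked at the domain or at the Domain Controllers OU: a new GpoEdit trustee on one of those is a change in who administers the domain, not just a Group Policy housekeeping event.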
37 Lab: Creating and Configuring GPOs
Exercise 1: Creating Group Policy Objects
Exercise 2: Managing the Scope of GPO Application
Exercise 3: Verifying GPO Application
Exercise 4: Managing GPOs
Exercise 5: Delegating Administrative Control of GPOs
Lab objectives:
Create and link Group Policy objects
Manage the scope of GPO application
Verify the application of Group Policy settings
Manage GPOs
Delegate administrative control of GPOs
Scenario:
Woodgrove Bank has decided to implement Group Policy to manage user desktops and to configure computer security. The organization has already implemented an OU configuration that includes top-level OUs grouped by location, with additional OUs within each location OU for users, groups, workstations, servers, and service accounts. The enterprise administrator has created a GPO deployment plan. You have been asked to create Group Policy objects so that certain policies can be applied to all objects in the domain. Some policies are considered optional, while some are mandatory. You also want to create policy settings that will apply only to subsets of domain objects, and to have separate policies for computer and user settings. GPO administration also must be delegated to administrators within each company location.
This lab consists of five exercises. (See the next page for more information about the lab.)
Logon information:
Virtual machines: NYC-DC1, NYC-CL1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
38 Lab Exercises
Exercise 1: Creating Group Policy Objects
The student will create and link the GPOs specified by the enterprise administrator's design. Tasks include modifying the Default Domain Policy, and creating policies linked to specific OUs and sites.
Exercise 2: Managing the Scope of GPO Application
The student will configure the inheritance of GPO settings based on the enterprise administrator's design. Tasks include disabling links, blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters.
Exercise 3: Verifying GPO Application
The student will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log on as specific users, and then use Group Policy Modeling and RSoP to verify that GPOs are being applied correctly.
Exercise 4: Managing GPOs
The student will use the GPMC to back up, restore, and import GPOs.
Exercise 5: Delegating Administrative Control of GPOs
The student will delegate administrative control of GPOs based on the enterprise administrator's design. Tasks include configuring permissions to create and link GPOs, and configuring permissions to use Group Policy Modeling and RSoP. The student then will test the permissions configuration.
Inputs: GPO design documentation that the enterprise administrator provides.
Outputs: GPOs configured as the design specifies.
39 Lab Review
Lab Review Questions and Answers
Question: What other method could be used to grant a user the right to create GPOs in the domain?
Answer: Add the user to the Group Policy Creator Owners group (for a user from this domain; for a user from another domain in the forest, delegate the right through the GPMC instead).
Question: If you need to apply a GPO to computers that have certain services installed, what is the best approach?
Answer: Create a WMI filter that queries for the services (for example, a WQL query against the Win32_Service class) and link it to the GPO. The GPO then applies only to computers on which the query returns at least one result.
40 Module Review and Takeaways
Considerations
Review questions
Key points of this module are:
Multiple Local Group Policy objects
ADMX and ADML files replace ADM files
Methods to control Group Policy: inheritance, filtering, and enforcement
Group Policy tools and reporting
Review Questions and Answers
Question: You want to force the application of certain Group Policy settings across a slow link. What can you do?
Answer: Use Group Policy itself. The per-extension policy processing settings under Computer Configuration\Administrative Templates\System\Group Policy each have an "Allow processing across a slow network connection" option that forces that client-side extension to apply across a slow link, or the "Configure Group Policy slow link detection" setting changes the threshold (500 Kbps by default) so that the link is no longer treated as slow.
Question: You need to ensure that a domain-level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
Answer: Enforce the link at the domain level, and use security group filtering on the GPO to deny the Apply Group Policy permission to the Managers global group. A Deny entry is needed because Authenticated Users, which includes the managers, holds Apply Group Policy by default. Enforcement prevents a child OU from blocking the GPO, but the GPO still applies only to principals that pass its security filter.
Question: You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach?
Answer: Configure a starter GPO with the required basic settings, and then export it to a .cab file. Other administrators can then import that file into their GPMC and base new GPOs on it.
Question: You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this?
Answer: You can only control access to removable storage devices on Windows Vista and Windows Server