Section 2: Using Group Policy Management Tools Local vs. Domain Policies Editing Local Policies Managing Domain Policies Understanding Group Policy Refresh Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved. Section Objectives After completing this section, you will be able to: Use Group Policy Management tools Describe the advantages of using domain policies instead of local policies List the capabilities of the Group Policy Management Console Describe the requirements for installing the Group Policy Management Console Explain how to use the different GPMC features to create and manage policies Describe the elements of the gpupdate command 2-2

© 2013 Global Knowledge Training LLC. All rights reserved. Local vs. Domain Policies Pre-image setup Workgroup only computers Kiosk computers Roving laptops Domain Affect a large number of systems Centrally managed More secure Local PoliciesDomain Policies 2-3

© 2013 Global Knowledge Training LLC. All rights reserved. Editing Local Policies ToolsFeatures Gpedit.msc Simple to run Edits local policies only MMC.exe with the GPOE snap-in Edit local or remote policies Edit policies for computer or multiple local users or groups Save as for future use 2-4

© 2013 Global Knowledge Training LLC. All rights reserved. Using Gpedit.msc 2-5 Run GPEdit.msc on a local machine to edit the local policies only. Useful for stand-alone or workgroup based machines.

© 2013 Global Knowledge Training LLC. All rights reserved. Using MMC.exe with the GPOE Snap-in 2-6 Add the GPOE Snap-in to the MMC in order to modify the local policy for a specific user or group.

© 2013 Global Knowledge Training LLC. All rights reserved. Managing Domain Policies 2-7 Using the GPMC Other Group Policy Tools Creating Policies Editing Policies Configuring Values

© 2013 Global Knowledge Training LLC. All rights reserved. Using the GPMC 2-8 Understanding the Group Policy Management Console Installing the GPMC Opening the GPMC Using the GPMC from the Server Manager Configuring the GPMC Searching and Filtering

© 2013 Global Knowledge Training LLC. All rights reserved. Understanding the Group Policy Management Console Centralized policy management tool Provides the capabilities of many separate tools and adds new functionality: OU hierarchy view Policy editing RSoP Backup and restore of policies 2-9

© 2013 Global Knowledge Training LLC. All rights reserved. Installing the GPMC Windows Vista and later: Install the free RSAT download from Microsoft Open Control Panel, Programs and Features, Turn Windows Features On or Off Within the RSAT section enable the Group Policy Management Tools Windows Server 2008 and Later: Open the Server Manager Click Add roles and features Add the Group Policy Management feature 2-11

© 2013 Global Knowledge Training LLC. All rights reserved. Opening the GPMC Windows 7 or Windows Server 2008: Click Start, Administrative Tools, and Group Policy Management. Click Start, and type gpmc.msc in the Search box. Windows 8 or Windows Server 2012: On the Start screen, type gpmc.msc. On Windows Server 2012 or Windows 8 Client, in the Server Manager click Tools, Group Policy Management. 2-13

© 2013 Global Knowledge Training LLC. All rights reserved. Using the GPMC from the Server Manager 2-14 The Tools menu within the Server Manager contains a link to the GPMC.

© 2013 Global Knowledge Training LLC. All rights reserved. Configuring the GPMC 2-15 The domain that your are logged on to will already be selected by default. In a multi-domain environment Right-click the Domains node, then select Show Domains.

© 2013 Global Knowledge Training LLC. All rights reserved. Searching and Filtering Searching for GPOs Can be useful when dealing with a very large policy infrastructure. Filtering in the GPO Editor Thousands of Administrative Templates items are available. Filter to display only policies that are configured. Filter by keyword. Narrow the policy listing to make it more manageable. 2-16

© 2013 Global Knowledge Training LLC. All rights reserved. Searching for GPOs Use the Search feature to find specific GPOs. 2-17

© 2013 Global Knowledge Training LLC. All rights reserved. Filtering in the GPO Editor 2-19 Use the Filter option to limit the number of Administrative Templates that are displayed.

© 2013 Global Knowledge Training LLC. All rights reserved. Other Group Policy Tools Group Policy Management Editor Use to edit the policy values Gpupdate.exe and Invoke-GPUpdate Use to update policies ahead of the default refresh Gpresult.exe and Get-GPResultantSetOfPolicy Command-line tools for RSOP processing 2-20

© 2013 Global Knowledge Training LLC. All rights reserved. Creating Policies 2-21 All policies are stored in the Group Policy Objects container. They become active when they are linked to a Site, Domain or OU.

© 2013 Global Knowledge Training LLC. All rights reserved. Editing Policies 2-22 Computer and user configuration items Policies Administrative Templates Preferences

© 2013 Global Knowledge Training LLC. All rights reserved. Configuring Values 2-23 Most policies have three states: Not Configured Enabled Disabled

© 2013 Global Knowledge Training LLC. All rights reserved. Understanding Group Policy Refresh The default refresh interval for policy update is 90 to 120 minutes Several methods are available to update ahead of this scheduled interval Invoke-GPUpdate GPUpdate.exe Remote GPUpdate in the GPMC 2-24

© 2013 Global Knowledge Training LLC. All rights reserved. Invoke-GPUpdate Invoke-GPUpdate is used from PowerShell Can update the local or remote systems Updates can be scheduled up to 31 days in the future 2-25

© 2013 Global Knowledge Training LLC. All rights reserved. GPUpdate.exe GPUpdate without any options will update only the policies that have been modified Using the /force switch will cause GPUpdate to download ALL policies Use the /force switch only if necessary 2-26

© 2013 Global Knowledge Training LLC. All rights reserved. Remote GPUpdate in the GPMC Update all machines in a specific OU from within the GPMC The update is scheduled with a random delay 2-27

© 2013 Global Knowledge Training LLC. All rights reserved. Summary The advantages of using domain policies instead of local policies are: You can apply policies on a broad basis to large number of computers and users. This provides a central management capability that is not available when you configure policies locally. Policies that are configured through the domain cannot be overridden by local policy settings, so they are more secure. 2-29

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) Group Policy Tools 2-29 Group Policy ToolUse it to… Group Policy Management Console View and manage all the policies that exist in a given Active Directory forest Group Policy Management Editor View and modify all of the policy settings within a GPO Gpupdate.exeRemotely update GPOs Gpresult.exeDisplay all the policy settings that are active for a computer or user RSoP snap-inTroubleshoot the policies that are applied to computers or users

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) Desktop Policies 2-29 PolicyDescription Computer Configuration User Configuration Settings that apply only to the computer objects that are within the scope of the policy Settings that apply to the user objects that are within the scope of the policy Desktop Settings and Restrictions Include a wide range of desktop settings, from changing the aesthetic background logo to a complete lockdown of system Logon ScriptsPerform actions at logon; settings are now incorporated into Group Policy as individual configurable items Folder RedirectionProcess that stores the user’s personal My Documents files on a server instead of locally

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) Software Policies 2-29 PolicyDescription Distributing Software Packages Software Installation section within Group Policy is used to distribute software packages User Configuration and Computer Configuration sections of Group Policy are used to distribute software to user or computer, respectively Add/Remove Programs on Windows XP and Windows Server 2003 or from Programs and Features within Windows Vista and later are used by the end user to install published packages Restricting Access to Software Four types of SRPs (Path Rule, Network Zone Rule, Hash Rule, Certificate Rule) are used to prevent suspect software from running

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) Using the GPMC, you can perform most of the common Group Policy operations without having to switch between separate windows in separate Active Directory utilities. The GPMC also offers the following capabilities: OU hierarchy view Policy editing RSoP Backup and restore of policies Back up policy objects (and restore them if necessary) Import settings from one policy object as the basis for creating a new object View all the links for a specific policy object 2-29

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) The GPMC is included in the RSAT pack for Windows Vista and later. It is also included in Windows Server 2008 and later, but you must enable it. The GPMC requires Windows XP or later to run. It also requires the following: The computer on which you run GPMC must be a member of either a domain in the forest that you wish to administer, or a domain that has a trust with that forest. Windows 2000 Server domain controllers must run SP2 or higher. Windows 2000 Server domain controllers in a separate forest to which you connect must run SP3 or higher. 2-29

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) For Windows XP, GPMC also requires the following: Upgrade Windows XP to SP1 Microsoft.NET Framework Hotfix Q (updates gpedit.dll to version ) For Windows Vista and later, the GPMC also requires the following: Download and install the RSAT Pack for Windows Vista Enable the GPMC in the Control Panel 2-29

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) Four subnodes (Domains, Sites, Group Policy Modeling, and Group Policy Results) appear under the forest node. You can use the GPMC to: Show multiple domains in the console pane at the same time (right-click the Domains subnode) Connect to a different forest (right-click the top node [Group Policy Management] and select Add Forest) Show the context menu for each node (Actions menu) 2-29

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) GPMC has two features for searching and filtering: Search: Allows you to search on a per-domain or per- forest basis; specify a condition to search by or create a list of conditions Filter: Allows you to limit the number of Administrative Templates that are displayed; limit the display by managed items, configured items, commented items, keyword filtering, and requirements filtering 2-30

© 2013 Global Knowledge Training LLC. All rights reserved. Summary (cont.) The Group Policy Update tool is a command-line tool that is used to remotely update GPOs. The elements of the gpupdate command are: /Target: {Computer | User}: Used to specify that only the user or computer policy settings that are updated will use this switch /Force: Reapplies the policy settings /Wait:value: Specifies how long the system should wait (in seconds) for the policy processing to complete /Logoff: Indicates that the user is logged off after the policy settings have been applied /Boot: Causes the system to reboot after the policy settings are applied 2-30

© 2013 Global Knowledge Training LLC. All rights reserved. Knowledge Check 1.What are the advantages of using domain policies instead of local policies? (Choose all that apply.) a.They are more secure. b.They provide a central management capability. c.They affect a large number of computers and users. d.They are helpful in a workgroup scenario when you cannot use local-based policies. 2-30

© 2013 Global Knowledge Training LLC. All rights reserved. Knowledge Check (cont.) 2.List the capabilities of the GPMC. Provides a view of the OU hierarchy Contains built-in policy editing Contains inherent RSoP views Provides backup and restore of policies 3.How is the GPMC installed on Windows 8? It is installed as part of the RSAT package that must be downloaded from Microsoft. 2-30

© 2013 Global Knowledge Training LLC. All rights reserved. Knowledge Check (cont.) 4.Briefly describe the following elements of the gpupdate command: /force: This switch reapplies the policy settings. By default, only the policy settings that have changed are applied. /logoff: This switch indicates that the user is logged off after the policy settings have been applied. 2-31

© 2013 Global Knowledge Training LLC. All rights reserved. Knowledge Check (cont.) 5.In which ways can you limit the display of Administrative Templates? (Choose all that apply.) a.Managed items b.Deleted items c.Commented items d.Keyword filtering 2-31

© 2013 Global Knowledge Training LLC. All rights reserved. Knowledge Check (cont.) 6.Describe each tool, feature, or policy used to manage group policies in the space provided. Group Policy Management Editor: Is used to view and modify all of the policy settings within a GPO. Gpupdate.exe: Is used to remotely update GPOs. Folder Redirection: A process that stores the user’s personal My Documents files on a server instead of locally. User Configuration and Computer Configuration sections of Group Policy: User configuration settings apply only to the computer objects that are within the scope of the policy. Computer configuration settings apply only to the user objects that are within the scope of the policy. 2-31