9.1 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Goals Understand group policy
Understand group policy settings
Identify the role of a group policy at startup and logon
Plan a group policy implementation
Create a group policy object
Assign control over a group policy object
9.2 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Introducing Group Policy Group Policy is an Active Directory feature
Helps administrators specify the standard behavior of users’ desktops
Enforces the specified requirements
You can applied group policies to various Active Directory containers SitesDomainsOrganizational Units (OUs)
(Skill 1)
9.3 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Introducing Group Policy (2) Group Policy is also called a Group Policy Object
(GPO) since it is an object of Active Directory GPO partsGPO parts
A Group Policy Container (GPC) is an Active Directory component and contains GPO attributes, extensions, and version information
A Group Policy Template (GPT) is a collection of folders stored under the SYSVOL\sysvol\domainname\Policies folder on each Windows 2000 domain controller
(Skill 1)
9.4 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
(Skill 1)
Figure 9-1 GPC containers in the Active Directory Users and Computers console
9.5 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
(Skill 1)
Figure 9-2 Adding the Group Policy snap-in to the console
9.6 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
(Skill 1)
Figure 9-3 Accessing the Group Policy snap-in
9.7 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Introducing the Types of Group Policy Settings You can apply group policies to both users and
computers Computer configuration settings
Refer to the group policies for computers, irrespective of the users logging on to them
Apply to a computer during the initialization of the operating system
User configuration settings Refer to the group policies for users, irrespective of the
computer the users log on toApply at the time of user logon
(Skill 2)
9.8 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Introducing the Types of Group Policy Settings (2)
Computer configuration settings and User configuration settings both contain three containers, each of which include several related policies Software Settings container contains the Software
Installation extensionWindows Settings container contains Scripts and
Security Settings extensionsAdministrative Templates container contains all
registry-based Group Policy settings
(Skill 2)
9.9 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
(Skill 2)
Figure 9-4 Group Policy settings in the Group Policy snap-in
9.10 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Identifying the Role of a Group Policy at Startup and Logon
The role of a Group Policy begins when a computer starts up and a user logs onDuring startup and logon, both the Computer
Configuration and the User Configuration settings are applied in a specific sequence
If computer settings and user settings conflict with each other, computer settings take precedence
(Skill 3)
9.11 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Identifying the Role of a Group Policy at Startup and Logon (2)
Processing sequence Is very important when dealing with multiple policies If a conflict occurs in case of multiple policies, the
policy to apply last wins If a computer belongs to a workgroup, it only
processes the local GPO
(Skill 3)
9.12 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Identifying the Role of a Group Policy at Startup and Logon (3)
Exceptions to processing order If the Block Policy Inheritance option is set for a
domain or OU, the GPOs above that point in the structure do not affect users or computers in that structure
If there is a conflict between No Override and Block Inheritance, No Override always wins
If Loopback settings are applied to a GPO list, the default GPO processing order is not maintained
If the No Override option is set for a GPO, no configured policy setting in the GPO can be overridden
(Skill 3)
9.13 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Figure 9-5 The sequence in which computer configuration
and user configuration settings are applied
(Skill 3)
9.14 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Planning a Group Policy Implementation Factors to consider before implementing a Group Policy
include location of GPOs, delegation of authority, and organization structure
Major implementation strategies Centralized design approach suggests that the organization
network should be maintained by a small number of large GPOs
Decentralized design approach uses separate GPOs for specific policy settings
Functional role design approach suggests that the functional roles of users in an organization be used to apply group policies
Central control design approach suggests that you maintain a central control while delegating administration to various OU administrators
(Skill 4)
9.15 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Creating a Group Policy Object After identifying the GPO implementation
strategy for your organization, you need to create a GPO that best suits your requirements
When you install Active Directory, two GPOs are created automaticallyDefault Domain Policy (linked to the domain)Default Domain Controller Policy (linked to the
Domain Controllers OU)
You can link GPOs to sites, domains and OUs
(Skill 5)
9.16 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Creating a Group Policy Object (2) Use the Active Directory Sites and Services
console to link a GPO to a site Use the Active Directory Users and Computers
console to link GPOs to domains and OUs You can create a stand-alone GPO console for
a GPO and access it directly from the Administrative Tools menu
(Skill 5)
9.17 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Figure 9-6 Creating a new GPO
(Skill 5)
9.18 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Figure 9-7 Creating a GPO console
(Skill 5)
9.19 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Assigning Control of a Group Policy Object to Administrators
Once a GPO is created, you should delegate administrative control of the GPO to various administrators in your organization
Delegation relieves the administrative burden that might fall on a single individual
(Skill 6)
9.20 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Assigning Control of a Group Policy Object to Administrators (2)
Use the Properties dialog box for the GPO to assign permissions that delegate the administrative control of a GPOTo provide administrative control of the GPO,
set both the Read and Write permissions to Allow
A user having only Read permissions cannot open the various extensions of the Group Policy snap-in
(Skill 6)
9.21 © 2004 Pearson Education, Inc.
Lesson 9: Implementing Group Policy in Windows 2000 Server
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Figure 9-8 Selecting the Group Policy object for which you want to assign control
(Skill 6)