module 3_lecture 7 - implementing group policy

Upload: zeeshan-bhatti

Post on 12-Apr-2016

TRANSCRIPT

Page 1: Module 3_Lecture 7 - Implementing Group Policy

IDENTIFYING THE ROLE OF A GROUP POLICY

Lesson 7:

1

Page 2: Module 3_Lecture 7 - Implementing Group Policy

• The role of a Group Policy begins when a computer starts up or when a user logs on

• During startup and logon, both Computer Configuration and User Configuration settings are applied in a specific sequence

Identifying the Role of a Group Policy at Startup and Logon

(Skill 3)

Page 3: Module 3_Lecture 7 - Implementing Group Policy

Figure The sequence in which Computer Configuration and User Configuration settings are applied

(Skill 3)

Page 4: Module 3_Lecture 7 - Implementing Group Policy

• Every computer has one GPO that is stored locally

• This Local Group Policy Object (LGPO) is applied first

• The processing sequence becomes very important when dealing with multiple policies

• If there are no conflicts between the policies, all settings from all of the policies apply

• However, if a conflict occurs, the policy applied last wins

Identifying the Role of a Group Policy at Startup and Logon (2)

(Skill 3)

Page 5: Module 3_Lecture 7 - Implementing Group Policy

• Sequence in which Group Policy settings are processed

• Local GPO

• Site GPOs

• Domain GPOs

• OU GPOs (LSDOU)

Identifying the Role of a Group Policy at Startup and Logon (3)

(Skill 3)

Page 6: Module 3_Lecture 7 - Implementing Group Policy

• If more than one GPO is linked

• The policies are processed in reverse order for each individual container

• This is done so that the policy that is considered to be the most important is displayed at the top of the list of all GPOs applied to a particular container

Identifying the Role of a Group Policy at Startup and Logon (4)

(Skill 3)

Page 7: Module 3_Lecture 7 - Implementing Group Policy

• Like files and folders, Group Policies are also inherited from parent containers to child containers

• You can specifically set a separate Group Policy setting for a child container to override the settings it inherits from its parent container

• It is extremely important to note that like OU structures, Group Policies do not flow between domains

Identifying the Role of a Group Policy at Startup and Logon (5)

(Skill 3)

Page 8: Module 3_Lecture 7 - Implementing Group Policy

• Group Policy applied to a parent domain

• Does not apply to its child domain or domains

• The only container that can apply Group Policies to multiple domains is the site container

• Group Policy applied to a site

• Affects all users and computers in the site, regardless of domain

• For this reason, you must be an Enterprise Admin in order to apply a Group Policy to a site

Identifying the Role of a Group Policy at Startup and Logon (6)

(Skill 3)

Page 9: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• If a computer belongs to a workgroup, it processes only local GPOs

• You can modify the default behavior using the Block Inheritance option, but this can make GPO administration more complicated and it should be used sparingly

• You can block inheritance for GPO links for an entire domain, for all domain controllers, or for an OU

Identifying the Role of a Group Policy at Startup and Logon (7)

(Skill 3)

Page 10: Module 3_Lecture 7 - Implementing Group Policy

(Skill 3)

Figure Blocking Inheritance for the GPO links for all domain controllers

Page 11: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• The default order for processing Group Policy settings is also affected when you set the GPO link to Enforced

• Policy settings in the GPO link take precedence over child object settings

• Gives the parent GPO link precedence so that the default behavior does not apply (formerly called the No Override option)

• GPO administration is more complex

• Enforced GPO links cannot have their inheritance blocked

Identifying the Role of a Group Policy at Startup and Logon (8)

(Skill 3)

Page 12: Module 3_Lecture 7 - Implementing Group Policy

Figure The Enforced setting

(Skill 3)

Page 13: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• If the Block Inheritance option is set for a domain or OU

• The GPOs above that point in the structure do not affect users or computers in that structure; they are blocked

• If there is a conflict between Enforced and Block Inheritance, Enforced always wins

Identifying the Role of a Group Policy at Startup and Logon (9)

(Skill 3)

Page 14: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• You can disable a GPO link to block that GPO from being applied for the selected site, domain, or OU

• Disables the GPO only for the selected container object; it does not disable the GPO itself

• If the GPO is linked to other sites, domains, or OUs, they continue to process the GPO as long as their links are enabled

• Processing is enabled for all GPO links by default

• To disable a GPO link, right-click it and select the Link Enabled command (a check mark indicates it is enabled)

Identifying the Role of a Group Policy at Startup and Logon (10)

(Skill 3)

Page 15: Module 3_Lecture 7 - Implementing Group Policy

Figure The Link Enabled command

(Skill 3)

Page 16: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• When GPOs are linked to the same container, policies are evaluated based on the link order set on the Linked Group Policy Objects tab for the container object

• The policy settings in the GPO with the lowest link order (Link Order 1) are processed last

• Link Order 1 has the highest precedence and is used to settle a conflict

• Use the arrow buttons to change the link order

Identifying the Role of a Group Policy at Startup and Logon (11)

(Skill 3)
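
Added example, not part of the original slides: a small Python model of the processing rules on the preceding slides (LSDOU order, link order, Link Enabled, Block Inheritance, Enforced), used here to check whether a domain security baseline survives an OU that blocks inheritance. All site, domain, OU and GPO names and settings are constructed; the rule that the topmost container wins among several Enforced links goes beyond what the slides state.

```python
from dataclasses import dataclass, field
@dataclass
class Link:                      # one GPO link on a container
    gpo: str
    settings: dict
    order: int = 1               # Link Order 1 = highest precedence in its container
    enabled: bool = True         # the "Link Enabled" check mark
    enforced: bool = False

@dataclass
class Container:                 # a site, domain or OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(local_gpo, chain):
    """chain runs site -> domain -> OU -> child OU; the last link returned wins."""
    # Block Inheritance hides the non-enforced links of every container above it.
    floor = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        # Disabled links are skipped; highest Link Order number first, Link Order 1 last.
        for link in sorted((l for l in c.links if l.enabled), key=lambda l: -l.order):
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= floor:
                normal.append(link)
    # Enforced links apply after all others; the topmost container applies last.
    tail = [l for _, l in sorted(enforced, key=lambda p: -p[0])]
    return [local_gpo] + normal + tail

def resultant_settings(local_gpo, chain):
    result = {}
    for link in processing_order(local_gpo, chain):   # later links overwrite earlier ones
        result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

# Constructed sample data, not taken from a real domain.
LOCAL = Link("Local GPO", {"Wallpaper": "default", "ScreenLockMinutes": 30})
CHAIN = [
    Container("HQ-Site", [Link("Site-Proxy", {"Proxy": "proxy.hq.example"})]),
    Container("corp.example", [
        Link("Default Domain Policy", {"MinPasswordLength": 8}, order=2),
        Link("Baseline-Security", {"MinPasswordLength": 14}, order=1, enforced=True)]),
    Container("Workstations", block_inheritance=True, links=[
        Link("WS-Relaxed", {"MinPasswordLength": 6, "ScreenLockMinutes": 60}, order=1),
        Link("WS-Old", {"ScreenLockMinutes": 45, "Wallpaper": "ws"}, order=2),
        Link("WS-Disabled", {"Proxy": "none"}, order=3, enabled=False)]),
]
```

Calling `resultant_settings(LOCAL, CHAIN)` returns each setting with the GPO that won it: the enforced baseline keeps the password length despite the OU's Block Inheritance, while the non-enforced site and domain links no longer reach the OU.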

Page 17: Module 3_Lecture 7 - Implementing Group Policy

• Exceptions to the order in which GPOs are processed

• Group Policies are never applied to Windows NT, 95, 98, or Windows Me computers

Identifying the Role of a Group Policy at Startup and Logon (12)

(Skill 3)

Page 18: Module 3_Lecture 7 - Implementing Group Policy

• User Group Policy loopback processing mode

• This policy is referred to as the loopback feature

• Enforced when both the user account and the computer account are members of a Windows 2000 or later domain

• You can configure loopback so that the User Configuration settings in GPOs are applied to every user logging on to that computer

Identifying the Role of a Group Policy at Startup and Logon (13)

(Skill 3)

Page 19: Module 3_Lecture 7 - Implementing Group Policy

Figure The User Group Policy loopback processing mode policy

(Skill 3)

Page 20: Module 3_Lecture 7 - Implementing Group Policy

• User Group Policy loopback processing mode

• In Merge mode, the Computer Configuration GPO settings are appended to the default list of GPOs

• In Replace mode, the User Configuration GPO settings are completely replaced by the Computer Configuration GPO settings

Identifying the Role of a Group Policy at Startup and Logon (14)

(Skill 3)

Page 21: Module 3_Lecture 7 - Implementing Group Policy

Figure Merge or Replace mode

(Skill 3)

Page 22: Module 3_Lecture 7 - Implementing Group Policy

• After you decide on a Group Policy setting design, you devise a Group Policy implementation strategy

• Factors to consider

• Location of GPOs

• Delegation of authority

• Organization structure

Planning a Group Policy Implementation

(Skill 4)

Page 23: Module 3_Lecture 7 - Implementing Group Policy

• Types of Group Policy implementation strategies

• Centralized GPO design

• An organization’s network is maintained by a small number of large GPOs

• Decentralized GPO design

• Uses separate GPOs for specific policy settings

Planning a Group Policy Implementation (2)

(Skill 4)

Page 24: Module 3_Lecture 7 - Implementing Group Policy

• Types of Group Policy implementation strategies

• Functional Role (or Team Design)

• Functional roles of users are considered to apply Group Policies

• Steps to implement this strategy

• Create an OU structure that corresponds to the actual team structure of your organization

• Create a customized GPO for each OU that is tailored to the needs of the OU

Planning a Group Policy Implementation (3)

(Skill 4)

Page 25: Module 3_Lecture 7 - Implementing Group Policy

• Types of Group Policy implementation strategies

• Delegation with Central Control Design or Distributed Control Design

• Based on delegating administrative control over OUs to various administrators in an organization

• When you implement this strategy, you maintain centralized control while distributing managerial control to a number of OU administrators

Planning a Group Policy Implementation (4)

(Skill 4)

Page 26: Module 3_Lecture 7 - Implementing Group Policy

• Regardless of which approach (or combination) you choose, it is important to try to avoid using certain tools and options

• Enforced and Block Inheritance options

• Filtering

• Troubleshooting GPOs can be very difficult when these tools are used

Planning a Group Policy Implementation (5)

(Skill 4)

Page 27: Module 3_Lecture 7 - Implementing Group Policy

• When you install Active Directory on your network, two GPOs are created automatically

• Default Domain Policy, which is linked to the domain

• Default Domain Controllers Policy, which is linked to the Domain Controllers OU

• You can use these policies to assign standard settings to the domain and the domain controllers in a domain, respectively

Creating a Group Policy Object

(Skill 5)

Page 28: Module 3_Lecture 7 - Implementing Group Policy

• GPOs can be linked to sites, domains, and OUs

• To link a GPO to a site, use the Active Directory Sites and Services console or the GPMC

• To link GPOs to domains and OUs, use either the Active Directory Users and Computers console or the GPMC

Creating a Group Policy Object (2)

(Skill 5)

Page 29: Module 3_Lecture 7 - Implementing Group Policy

• You can create a stand-alone GPO console for a GPO and access it directly from the All Programs/Administrative Tools menu

• Steps to create a GPO console

1. Open the Add Standalone Snap-in dialog box from an MMC console

2. Select Group Policy Object Editor from the list of available snap-ins

Creating a Group Policy Object (3)

(Skill 5)

Page 30: Module 3_Lecture 7 - Implementing Group Policy

• Steps to create a GPO console

3. Click the Browse button in the Group Policy Wizard

4. In the Browse for a Group Policy Object dialog box, select the GPO for which you want to create a console

The selected GPO name is added to the Group Policy Object text box on the Select Group Policy Object screen in the wizard

5. From the File menu, save the console for the GPO to make it available on the All Programs/Administrative Tools menu

Creating a Group Policy Object (4)

(Skill 5)

Page 31: Module 3_Lecture 7 - Implementing Group Policy

Figure Creating a GPO

(Skill 5)

Page 32: Module 3_Lecture 7 - Implementing Group Policy

Figure The New GPO dialog box

(Skill 5)

Page 33: Module 3_Lecture 7 - Implementing Group Policy

Figure New Group Policy Object in a domain

(Skill 5)

Page 34: Module 3_Lecture 7 - Implementing Group Policy

• Assign permissions to delegate administrative control over a GPO on the Delegation tab in the GPMC

• There are three standard permissions you can assign to a GPO

• However, five permission levels display on the Delegation tab

• Each of these permission levels represents a combination of Active Directory permissions

Delegating Control for a Group Policy Object

(Skill 6)

Page 35: Module 3_Lecture 7 - Implementing Group Policy

• To delegate permissions for a GPO, you must have the Edit settings, delete, and modify security permission for the GPO

• To view the permissions for groups with custom permissions or to set custom permissions, click the Advanced button to open the ACL Editor for the GPO (<GPO_name> Security Settings dialog box)

Delegating Control for a Group Policy Object (2)

(Skill 6)

Page 36: Module 3_Lecture 7 - Implementing Group Policy

• You must assign the Edit settings, delete, and modify security permission to at least one group or user for each GPO

• If there is only one user or group with this permission level, you cannot remove this user or group

• Permissions inherited from parent containers cannot be removed

Delegating Control for a Group Policy Object (3)

(Skill 6)

Page 37: Module 3_Lecture 7 - Implementing Group Policy

• To change the permissions assigned to a user or group

• Right-click the user or group in the Groups and users box

• Select from the three standard permissions on the context menu

• You can also use the Remove command to remove a user or group from the Groups and users box

Delegating Control for a Group Policy Object (4)

(Skill 6)

Page 38: Module 3_Lecture 7 - Implementing Group Policy

Figure Setting GPO permissions

(Skill 6)

Page 39: Module 3_Lecture 7 - Implementing Group Policy

Figure The Delegation tab in the GPMC

(Skill 6)

Page 40: Module 3_Lecture 7 - Implementing Group Policy

Thank you

• Q & A

For My Slides and Handouts

http://zeeshanacademy.blogspot.com/

https://www.facebook.com/drzeeshanacademy

https://sites.google.com/site/drzeeshanacademy/