Module 5: Creating and Configuring Group Policies

Upload: delilah-webb

Post on 14-Dec-2015


Page 1: Module 5: Creating and Configuring Group Policies

Module 5: Creating and Configuring Group Policies

Page 2: Module 5: Creating and Configuring Group Policies

Module Overview

• Overview of Group Policies

• Configuring the Scope of Group Policy Objects

• Evaluating the Application of Group Policy Objects

• Managing Group Policy Objects

• Delegating Administrative Control of Group Policies

Page 3: Module 5: Creating and Configuring Group Policies

Lesson 1: Overview of Group Policies

• What Are Group Policies?

• Group Policy Settings

• How Group Policies Are Applied

• Exceptions to Normal Group Policy Processing

• Group Policy Components

• What Are ADM and ADMX files?

• What Is the Central Store?

• Demonstration: Configuring Group Policy Objects

Page 4: Module 5: Creating and Configuring Group Policies

What Are Group Policies?

Use Group Policies to:

• Apply standard configurations

• Deploy software

• Enforce security settings

• Enforce a consistent desktop environment

Group Policies enable IT administrators to automate one-to-many management of users and computers

Local group policies are always in effect for local and domain users and local computer settings

Page 5: Module 5: Creating and Configuring Group Policies

Group Policy Settings

Group Policy settings for computers control these settings:

• Software

• Windows

• Security

• Operating systems

Group Policy settings for users control these settings:

• Software

• Windows

• Security

• Desktop

Page 6: Module 5: Creating and Configuring Group Policies

How Group Policies are Applied

Computer starts

• Computer settings applied

• Startup scripts run

• Refresh interval: every 90 minutes

User logs on

• User settings applied

• Logon scripts run

• Refresh interval: every 90 minutes

Page 7: Module 5: Creating and Configuring Group Policies

Exceptions to Group Policy Processing

Cached credentials

• Windows XP and Vista use cached credentials for faster logons

• Many GPO settings take two logons to take effect

Slow links

• 500 KPS by default

• Certain client side extensions are not processed

• Prior to Vista, ICMP is used to detect a slow link

• Vista uses Network Location Awareness

Additional exceptions:

• Remote access connections

• Moving a user or computer object in Active Directory

Page 8: Module 5: Creating and Configuring Group Policies

Group Policy Components

Group Policy Object

• Contains Group Policy settings

• Stores content in two locations

Group Policy Container

• Stored in Active Directory

• Provides version information

Group Policy Template

• Stored in shared SYSVOL folder

• Provides Group Policy settings

• Supports both ADM and ADMX templates

Page 9: Module 5: Creating and Configuring Group Policies

What Are ADM and ADMX Files?

ADM files are:

• Copied into every GPO in SYSVOL

• Difficult to customize

ADMX files are:

• Language neutral

• Not stored in the GPO

• Extensible through XML

Page 10: Module 5: Creating and Configuring Group Policies

What Is the Central Store?

The Central Store:

• Is a central repository for ADMX and ADML files

• Is stored in SYSVOL

• Must be created manually

• Is detected automatically by Windows Vista or Server 2008

[Diagram: Windows Vista or Windows Server 2008 workstation; ADMX files; domain controller with SYSVOL]

Page 11: Module 5: Creating and Configuring Group Policies

Demonstration: Configuring Group Policy Objects

In this demonstration, you will see how to:

• Create a GPO

• Configure settings

Page 12: Module 5: Creating and Configuring Group Policies

Lesson 2: Configuring the Scope of Group Policy Objects

• Group Policy Processing Order

• What Are Multiple Local Group Policies?

• Options for Modifying Group Policy Processing

• Demonstration: Configuring Group Policy Object Links

• Demonstration: Configuring Group Policy Inheritance

• Demonstration: Filtering Group Policy Objects Using Security Groups

• Demonstration: Filtering Group Policy Objects Using WMI Filters

• How Does Loopback Processing Work?

• Discussion: Configuring the Scope of Group Policy Processing

Page 13: Module 5: Creating and Configuring Group Policies

Group Policy Processing Order

[Diagram: Group Policy processing order across Local group policy, Site, Domain and OUs, with GPO1 to GPO5 linked at the various levels]

Page 14: Module 5: Creating and Configuring Group Policies

What Are Multiple Local Group Policies?

• One layer of computer configurations that applies to all users

• Layers apply only to individual users, not to groups

• There are three layers of user configurations:

• Administrator

• Non-Administrator

• User-specific

Page 15: Module 5: Creating and Configuring Group Policies

Options for Modifying Group Policy Processing

Five methods to modify GPO default processing:

• Block inheritance

• Enforcement

• Filtering using security groups or WMI filters

• Disabling GPOs

• Loopback processing
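
The first four methods above leave traces that can be read back from the directory. This added example (not part of the course material) lists every container with Block Inheritance set and every GPO link that is enforced, disabled, WMI-filtered or security-filtered. It assumes the GroupPolicy and ActiveDirectory RSAT modules, which ship with Windows Server 2008 R2 and later; loopback is a setting inside a GPO and is not covered.

```powershell
# Added example: review where default GPO processing has been modified.
# Assumes the GroupPolicy and ActiveDirectory modules and domain read access.
Import-Module GroupPolicy, ActiveDirectory

# Containers to inspect: the domain root plus every OU.
$targets = @((Get-ADDomain).DistinguishedName) +
    @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
$soms = foreach ($dn in $targets) { Get-GPInheritance -Target $dn }

# Block inheritance: containers that refuse GPOs linked higher up.
$blocked = $soms | Where-Object { $_.GpoInheritanceBlocked } | Select-Object Name, Path

# Enforcement, disabled links or GPOs, and filtering, evaluated per link.
$links = foreach ($som in $soms) {
    foreach ($link in $som.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        # Security filtering: trustees that hold the Apply permission.
        $apply = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            Container   = $som.Path
            Order       = $link.Order
            Gpo         = $link.DisplayName
            Enforced    = $link.Enforced
            LinkEnabled = $link.Enabled
            GpoStatus   = $gpo.GpoStatus
            WmiFilter   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name }
            AppliesTo   = $apply -join '; '
        }
    }
}

'Containers with Block Inheritance set:'
$blocked | Format-Table -AutoSize

'Links that deviate from default processing:'
# 'Authenticated Users' is the default security filter (English name assumed).
$links | Where-Object {
    $_.Enforced -or -not $_.LinkEnabled -or $_.WmiFilter -or
    $_.GpoStatus -ne 'AllSettingsEnabled' -or $_.AppliesTo -ne 'Authenticated Users'
} | Sort-Object Container, Order | Format-Table -AutoSize
```

A blocked OU still receives enforced GPOs, so a security baseline linked at the domain only reaches every blocked container if its link shows `Enforced = True`.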

Page 16: Module 5: Creating and Configuring Group Policies

Demonstration: Configuring Group Policy Object Links

In this demonstration, you will see how to:

• Create and link GPOs to different locations within AD DS

• Disable a GPO link

Page 17: Module 5: Creating and Configuring Group Policies

Demonstration: Configuring Group Policy Inheritance

In this demonstration, you will see how to:

• Block GPO inheritance

• Enforce GPO inheritance

Page 18: Module 5: Creating and Configuring Group Policies

Demonstration: Filtering Group Policy Objects By Using Security Groups

In this demonstration, you will see how to filter the application of GPOs using security groups

Page 19: Module 5: Creating and Configuring Group Policies

Demonstration: Filtering Group Policy Objects Using WMI Filters

In this demonstration, you will see how to create and assign a WMI filter

Page 20: Module 5: Creating and Configuring Group Policies

How Does Loopback Processing Work?

Page 21: Module 5: Creating and Configuring Group Policies

Discussion: Configuring the Scope of Group Policy Processing

[Diagram: Woodgrove Bank Domain Tree. Labels: Woodgrove Bank, Head Office, Branches, Servers, Toronto, Winnipeg, SQL Server, Exchange Server, Toronto site, Winnipeg Head Office, Head Office site, High-speed link, Slow link]

Page 22: Module 5: Creating and Configuring Group Policies

Lesson 3: Evaluating the Application of Group Policy Objects

• What Is Group Policy Reporting?

• What Is Group Policy Modeling?

• Demonstration: How to Evaluate the Application of Group Policies

Page 23: Module 5: Creating and Configuring Group Policies

What Is Group Policy Reporting?

• Group Policy results are provided by the GPMC

• GPResult is a command line utility

Group policy reporting is a method of planning and troubleshooting group policy

Page 24: Module 5: Creating and Configuring Group Policies

What Is Group Policy Modeling?

The Group Policy Modeling Wizard simulates:

• Site membership

• Security group membership

• WMI filters

• Slow links

• Loopback processing

• The effects of moving user or computer objects to a different Active Directory container

The Group Policy Modeling Wizard calculates the simulated net effect of GPOs

Page 25: Module 5: Creating and Configuring Group Policies

Demonstration: How to Evaluate the Application of Group Policies

In this demonstration, you will see how to run each of the tools for reviewing the application of group policies

Page 26: Module 5: Creating and Configuring Group Policies

Lesson 4: Managing Group Policy Objects

• GPO Management Tasks

• What Is a Starter GPO?

• Demonstration: How to Copy a GPO

• Demonstration: Backing up and Restoring GPOs

• Demonstration: Importing a GPO

• Migrating Group Policy Objects

Page 27: Module 5: Creating and Configuring Group Policies

GPO Management Tasks

GPO management tasks:

• Back up GPOs

• Restore GPOs

• Copy GPOs

• Import GPOs

Page 28: Module 5: Creating and Configuring Group Policies

What Is a Starter GPO?

• Stores administrative template settings on which the new GPOs will be based

• Can be exported to .cab files

• Can be imported into other areas of the enterprise

[Diagram: a Starter GPO is exported to a cab file; the cabinet file is loaded and imported to GPMC]

Page 29: Module 5: Creating and Configuring Group Policies

Demonstration: How to Copy a GPO

In this demonstration, you will see how to copy a GPO

Page 30: Module 5: Creating and Configuring Group Policies

Demonstration: Backing up and Restoring GPOs

In this demonstration, you will see how to back up and restore a GPO

Page 31: Module 5: Creating and Configuring Group Policies

Demonstration: Importing a GPO

In this demonstration, you will see how to:

• Import a GPO

• Use a migration table

Page 32: Module 5: Creating and Configuring Group Policies

Migrating Group Policy Objects

The ADMX Migrator utility:

• Can be used to convert custom ADM files to ADMX

• Is a GUI-based utility that can be downloaded from the Microsoft download site

Page 33: Module 5: Creating and Configuring Group Policies

Lesson 5: Delegating Administrative Control of Group Policies

• Options for Delegating Control of GPOs

• Demonstration: How to Delegate Administrative Control of GPOs

Page 34: Module 5: Creating and Configuring Group Policies

Options for Delegating Control of GPOs

Methods to delegate control of GPOs:

• Create GPOs in the domain: Membership in Group Policy Creator Owners group or explicit permission to create GPOs

• Edit or delete GPOs: Assign Edit rights to individual policies

• Link GPOs to containers: Delegate the right to link GPOs to containers

• Use reporting tools: Delegate the right to use group policy reporting tools
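
Delegated create and edit rights are worth reviewing periodically, because anyone who can edit a linked GPO controls the machines and users it applies to. This added example (not part of the course material) lists who can create GPOs and which non-baseline trustees can edit each GPO; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the `$expected` baseline is an assumption to adjust per domain.

```powershell
# Added example: audit delegated GPO create and edit rights.
# Assumes the GroupPolicy and ActiveDirectory modules and domain read access.
Import-Module GroupPolicy, ActiveDirectory

# Trustees expected to hold edit rights (assumed baseline, English names).
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

# Create GPOs: members of Group Policy Creator Owners, nested groups expanded.
$creators = Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# Edit or delete GPOs: per-GPO trustees holding edit-level or custom rights.
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
$editors = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $editRights -contains "$($_.Permission)" -and
            $expected -notcontains $_.Trustee.Name
        } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Owner      = $gpo.Owner
                Trustee    = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
                Type       = $_.Trustee.SidType
                Permission = $_.Permission
                Modified   = $gpo.ModificationTime
            }
        }
}

'Accounts that can create GPOs:'
$creators | Format-Table -AutoSize

'Non-baseline trustees with edit rights on a GPO:'
$editors | Sort-Object Trustee, Gpo | Format-Table -AutoSize

# Link and reporting rights are delegated on the site, domain or OU
# container rather than on the GPO, so Get-GPPermission does not show them.
```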

Page 35: Module 5: Creating and Configuring Group Policies

Demonstration: How to Delegate Administrative Control of GPOs

In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for group policies

Page 36: Module 5: Creating and Configuring Group Policies

Lab: Creating and Configuring GPOs

• Exercise 1: Creating Group Policy Objects

• Exercise 2: Managing the Scope of GPO Application

• Exercise 3: Verifying GPO Application

• Exercise 4: Managing GPOs

• Exercise 5: Delegating Administrative Control of GPOs

Estimated time: 75 minutes

Logon information

Virtual machine: NYC-DC1, NYC-CL1

User name: Administrator

Password: Pa$$w0rd

Page 37: Module 5: Creating and Configuring Group Policies

Lab Review

• What other method could be used to grant a user the right to create GPOs in the domain?

• If you need to apply a GPO to computers that have certain services installed, what is the best approach?

Page 38: Module 5: Creating and Configuring Group Policies

Module Review and Takeaways

• Considerations

• Review questions

Page 39: Module 5: Creating and Configuring Group Policies

Beta Feedback Tool

• Beta feedback tool helps:

Collect student roster information, module feedback, and course evaluations.

Identify and sort the changes that students request, thereby facilitating a quick team triage.

Save data to a database in SQL Server that you can later query.

• Walkthrough of the tool

Page 40: Module 5: Creating and Configuring Group Policies

Beta Feedback

• Overall flow of module:

Which topics did you think flowed smoothly, from topic to topic?

Was something taught out of order?

• Pacing:

Were you able to keep up? Are there any places where the pace felt too slow?

Were you able to process what the instructor said before moving on to next topic?

Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

• Learner activities:

Which demos helped you learn the most? Why do you think that is?

Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?

Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?