Windows 2003 Server Group Policy (AD)
What is Group Policy in Active Directory? What are Group Policy objects (GPOs)?

Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.

The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO.

The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the Policies subfolder for its domain.

What is the order in which GPOs are applied?

Group Policy settings are processed in the following order:

1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

How do you back up/restore Group Policy objects?

Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more. The Group Policy Objects container stores all of the group policy objects for the domain.

Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.

As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.

You must provide the path to which you want to store your backup of the group policy objects.

To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you're all done.

When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.

Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore. Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

1. Go to Start->Programs->Administrative Tools->Active Directory Users and Computers
2. Right-click on the domain and click Properties
3. In the new window, click on the Group Policy tab
4. Select the Default Policy and click Edit
5. In the Group Policy console, go to User Configuration->Administrative Templates->Start Menu and Taskbar
6. Select each property you want to modify and do the same

What's the difference between software publishing and assigning?

Assign to users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.

Assign to computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users: The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

What are administrative templates?

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.

An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

Can I deploy non-MSI software with GPO?

Create the file with a .zap extension.

Name some GPO settings in the computer and user parts?

Group Policy Object (GPO): computer = Computer Configuration, user = User Configuration.

A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

Make sure the user is not subject to a loopback policy, because under loopback processing the user settings do not take effect; only the computer policy is applicable. Also check whether he is a member of a GPO filter group.

You may also want to check the computer's event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.

How can I override blocking of inheritance?

What can I do to prevent inheritance from above?

Name a few benefits of using GPMC.

How frequently is the client policy refreshed?

90 minutes, give or take.

Where is secedit?

It's now gpupdate.
What can be restricted on Windows Server 2003 that wasn't there in previous products?

Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

You want to create a new group policy but do not wish to inherit.

Make sure you check Block Inheritance among the options when creating the policy.

How do the Group Policy 'No Override' and 'Block Inheritance' options work?

Group Policies can be applied at multiple levels (sites, domains, organizational units), with multiple GPOs at each level. Obviously some policy settings may conflict, hence the application order of Site – Domain – Organizational Unit, and within each layer you set the order for all defined policies. You may want to force some policies to never be overridden (No Override), and you may want some containers not to inherit settings from a parent container (Block Inheritance).

A good definition of each is as follows:

No Override – This prevents child containers from overriding policies set at higher levels.
Block Inheritance – Stops containers inheriting policies from parent containers.

No Override takes precedence over Block Inheritance, so if a child container has Block Inheritance set but a group policy on the parent has No Override set, then that policy will still be applied. Also, the highest No Override takes precedence over lower No Overrides.

To block inheritance perform the following:

1. Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
2. Right-click on the container you wish to stop inheriting settings from its parent and select Properties
3. Select the 'Group Policy' tab
4. Check the 'Block Policy inheritance' option
5. Click Apply then OK

To set a policy to never be overridden perform the following:

1. Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
2. Right-click on the container you wish to set a Group Policy to not be overridden and select Properties
3. Select the 'Group Policy' tab
4. Click Options
5. Check the 'No Override' option
6. Click OK
7. Click Apply then OK
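The processing order (Local, Site, Domain, OU chain), link order, Block Inheritance and No Override rules described in the GPO application order question and in the No Override/Block Inheritance question above can be worked through with this added Python model, which is not part of the original document. The domain, OU and GPO names and their settings are constructed for the example; it reports which GPO wins each setting.

```python
# Added example (not part of the original document): a small model of the
# Group Policy processing order described above. It applies Local, then the
# site/domain/OU chain, honours link order (lowest link order applied last),
# Block Inheritance and No Override, and reports which GPO won each setting.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # "No Override" (later called Enforced)

@dataclass
class Container:                   # a site, domain or OU with linked GPOs
    name: str
    links: list = field(default_factory=list)   # in link order, 1 first
    block_inheritance: bool = False

def processing_order(local, chain):
    """GPOs in the order they are applied; later entries win conflicts.
    `chain` runs from the site down to the OU holding the user/computer."""
    normal, enforced = [local], []
    for container in chain:
        if container.block_inheritance:
            normal = [local]       # drops inherited GPOs, but never the local one
        # No Override GPOs are collected top-down and applied after everything
        # else in reverse, so the highest container's No Override wins.
        enforced += [g for g in container.links if g.no_override]
        normal += [g for g in reversed(container.links) if not g.no_override]
    return normal + enforced[::-1]

def resultant(local, chain):
    """Resultant settings and, for each setting, the GPO that supplied it."""
    result, winner = {}, {}
    for gpo in processing_order(local, chain):
        for key, value in gpo.settings.items():
            result[key], winner[key] = value, gpo.name
    return result, winner

# Constructed sample hierarchy (hypothetical names and settings)
LOCAL = GPO("Local", {"wallpaper": "local", "homepage": "about:blank"})
DOMAIN = Container("corp.example", links=[
    GPO("Default Domain Policy", {"wallpaper": "corp", "min_pwd_len": 8}),
    GPO("Domain Branding", {"wallpaper": "branding", "homepage": "intranet"}),
    GPO("Domain Security", {"screensaver_timeout": 600}, no_override=True)])
SALES = Container("OU=Sales", block_inheritance=True,
                  links=[GPO("Sales Desktop", {"wallpaper": "sales", "screensaver_timeout": 300})])
ENG = Container("OU=Engineering", links=[GPO("Eng Desktop", {"wallpaper": "eng"})])

if __name__ == "__main__":
    for ou in (SALES, ENG):
        print(ou.name, resultant(LOCAL, [DOMAIN, ou]))
```

For the Sales OU the Block Inheritance drops the domain's normal GPOs but the No Override one still lands last, which is exactly the precedence rule stated above.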