Group Policy Windows Server 2008


Microsoft Certified Trainer, Abu Z, and Microsoft Learning Solutions Partner of the Year, Unitek Education, deliver a presentation on key Group Policy enhancements in Microsoft Windows Server 2008. Group Policy is essential to enforcing centralized user and computer management in your Active Directory Domain Services environment, and mastering the five mission-critical group policy actions covered in this webinar will increase your organization's versatility, security, computing speed and cost savings.

See the full video & audio version here -

  • If you choose to demonstrate the slide: Close the GPME that you used to edit the GPO in the previous slide. Point out that the setting you just configured is contained in the CONTOSO Standards GPO. Remind students that a GPO can contain multiple settings, but by default all settings are set to Not Configured. Point out that the tool you use to manage GPOs is the Group Policy Management console. Mention that you opened the CONTOSO Standards GPO for editing by right-clicking the GPO and choosing Edit, which opens the Group Policy Management Editor. The management of GPOs is discussed in detail in Lesson 2.
  • Mention that a GPO, and all of the settings that it contains, does not take effect until you have defined the scope of that GPO. The first step to scoping a GPO is linking it to a site, domain, or OU. Introduce students to the mnemonic acronym, SDOU. Point out that GPOs apply to users and computers, not to groups, despite the term “Group Policy.” If you choose to demonstrate the slide, link the CONTOSO Standards GPO to the domain.
    Enforce the idea that the link or links define the maximum scope of the GPO. Pose a question: What if we don't want the GPO settings to apply to all objects within the scope? Use the question to transition to the concept of security group filtering, emphasizing that such filtering creates a subset of objects within the broader scope of the GPO link.
    Important Note: The reason this is important to mention, and will be reiterated throughout this module, is that many experienced students rely too heavily on GPO links to manage the scope of GPOs, which often leads them to less-than-ideal Active Directory organizational unit design, at the expense of efficiently applied and managed security (access control lists [ACLs]/delegation).
    Continue with a very brief discussion of WMI filtering, keeping the discussion very high level. Use the example of a policy setting that you want to apply to only a certain operating system. Define WMI filtering as a way of querying the system and then determining whether to apply a GPO.
    Wrap up with a mention of Preferences targeting. The goal is simply to introduce the term, and to prepare students for the idea that it is now possible to apply only part of a GPO to clients, as long as that "part" is part of Preferences.
    It can't be emphasized enough: Keep it a "big picture" discussion! Scoping GPOs is discussed in Lesson 5.
  • You have now presented the setting and scope elements of configuration management with Group Policy. Remind students of that fact, to bring them back to the original three elements of configuration management. Then continue with this slide, which is the first half of application. All you need to do is answer this basic question: When do these policies get applied? More detail about Group Policy refresh is provided in Lesson 5.
  • Discuss local GPOs. Start with the understanding that local GPOs contain settings that affect only the local machine, and that any settings specified by a domain GPO scoped to that computer will override conflicting settings in local GPOs. Therefore, local GPOs have limited usage scenarios. Mention to students that while, in the real world, local GPOs have limited usage, they do tend to appear on certification exams, so it is worth understanding local GPOs. However, this will be the only point in the course at which local GPOs are addressed; after this, only domain-based GPOs will be used.
    Things to mention:
    You cannot apply local Group Policy objects to groups (except Administrators versus non-administrators).
    User settings exist in all local GPOs. Computer settings exist only in the main local GPO.
    After discussing the details of local GPOs, return to the original understanding that, in a domain environment, local GPOs have limited usage scenarios. Ask students to think about what scenarios those might be.
    Question: If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
    Answer: Keep in mind that local GPOs are designed for non-domain environments. Configure them for your computer at home, for example, to manage the settings for your spouse or children. In a domain environment, settings in domain-based GPOs override conflicting settings in local GPOs, and it is a best practice to manage configuration by using domain-based GPOs. However, if you want to apply policies to local accounts, rather than domain accounts, the local GPOs can be used. Also, you might use local GPOs to configure baseline security settings in your deployment image—settings that will take effect while a new computer is still in a workgroup, prior to joining the domain.
  • Describe the function and location of the GPC. Optionally, show a GPC using ADSI Edit. Optionally, show a GPT in SYSVOL. Show students how to identify the GUID of a GPO in the GPM console. Also give them a tip: sort the GPOs in SYSVOL by date, so you can quickly identify the GPO that you have just been working with.
    Exam Tip: GPOTool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs, leading to inconsistent versions of a GPC and GPT.
  • Discussion Questions: What options might you use to transfer into production a GPO that was used in a test environment? What variables constrained which option you chose?
    Answers should include copy-and-paste, backing up settings and importing them into a new GPO, and simply manually re-creating a GPO. The most important variable is whether the test environment is in a trusted domain (in which case you can use copy-and-paste) or in a separate environment (in which case you must use the Import Settings command).
  • As you discuss Group Policy inheritance and precedence, ensure that students understand that what is called "inheritance" is really just the effect of repeated, layered application of settings in GPOs in a specific order. You can approach this important discussion of GPO inheritance and precedence in one of three ways:
    Talk to the points on this slide only.
    Talk to the first bullet on this slide, then use the visuals on the following three slides to discuss link order, blocked inheritance, and enforced links.
    Create a demonstration in the domain and, after setting up the first bullet on the slide, demonstrate the remainder in the sample domain, returning to the Group Policy Inheritance tab to show resultant precedence and processing.
  • Many organizations struggle with how to maintain governance over Group Policy, and specifically how to effectively test a GPO before rolling it into production. Talk through a simple but completely effective best practice: Use security group filtering to manage the scope of a Group Policy object during testing. Instead of creating a sub-OU to manage the scope of a GPO for testing, link the GPO to the location it belongs in production. But instead of allowing the GPO to apply to Authenticated Users, or to the production security group, configure a security group specifically designed to limit the scope of the GPO to appropriate users and computers. The benefit of this practice is that it gives a much more realistic picture of how the GPO will perform in production, because you are not artificially limiting its scope or precedence by linking it to a separate "test" OU. In other words, you get a better picture of how the GPO interacts with other GPOs that are already in production. And yet, you still maintain full control over the specific users and computers that are within the scope of the test.
    Advanced Tip: If you remove Authenticated Users and scope a GPO to a specific group, support personnel will not be able to read the policy in order to perform Group Policy management tasks. Be sure to assign appropriate support personnel Read permission to the GPO.
  • Use this slide to "set up" the broad concept of this lesson: The goal of an IT pro is to ensure that systems are secure, and in the end that means configuring a security policy that is made up of a number of security settings. Help students understand that security for security's sake provides no value. All security configuration should arise out of a set of business-level security requirements, defined in an IT security policy and information management policy. Just implementing someone else's "security checklist" does not produce security that's right for your enterprise. In fact, the defaults on Windows Server 2008 are quite secure! You must understand where you're going and why you're going there before you start driving.
    Inform students that the goal of this lesson is to understand the mechanisms with which you can manage security settings more effectively. We're not going to worry too much in this lesson about specific settings, their functionality, or their value. Later lessons and modules will address how to secure various aspects of a Windows environment, including administration, authentication, and file system access. This lesson is about the variety of tools you can use to define and deploy security settings—whatever those settings are to you and your enterprise.
  • Don't spend too much time on this slide. You're simply pointing out that local Group Policy is an option for configuring security policy, but it's not manageable. The visual on this slide, and the text in the Student Manual, start with the Local Security Policy. Discuss the fact that the local security policy allows you to configure many, but not all, security settings. Local Security Policy does not, for example, do anything to file system or registry ACLs. You need to "lock down" ACLs using the Security Settings dialog box (the "Security tab" of a file, folder, or registry key properties dialog box).
    Module 6 discussed local group policy, and posed the question, "Why would you use it?" If you are working with workgroup (not domain) computers, or if you want to ensure that a computer meets a certain level of compliance before it joins the domain, then local security policy is valuable. But as soon as a system is a member of a domain, local security policy is as far from "manageable" as possible—there's no central configuration capability for local security policy.
    On the other end of the spectrum is domain Group Policy, which of course is centralized and, as seen in the figure, exposes a number of additional settings, including file system and registry ACLs.
    The rest of this lesson fills in the "middle" of this spectrum. You will be showing students how to create Group Policies that are based on the configuration of a server, and how to analyze a server to see whether it remains in compliance with domain policy. It's very important that students understand that this is where they will be "working" in this lesson. That way, they have some perspective as they dive into security templates and the Security Configuration Wizard, each of which produces ways of managing security settings that fall between local and domain policy, and each of which allows you to promote a collection of settings to a domain-level configuration policy managed with Group Policy.
  • Ensure that students understand that GPSI can install only Windows Installer packages. However, since many applications are available as Windows Installer packages, and since there are tools that allow one to create Windows Installer packages, this is enough to allow GPSI to serve as a valuable software deployment mechanism for many organizations.
    Touch on the point that GPSI can, technically, deploy any application that supports an unattended installation command using a down-level application package (“.zap file”). This file is basically a .ini file that specifies the unattended installation command. However, .zap files can only be deployed using the “publish” option (assign versus publish will be discussed on the next slide), so applications deployed with .zap files can only appear in the Programs And Features applet in Control Panel. Furthermore, installing applications from .zap files requires that users are local administrators on their computers. Therefore .zap files are very rarely used in the real world.
    Point out that SCCM and other deployment tools can deploy applications and configuration using a much wider variety of package types. Commercial software deployment tools also provide reporting and feedback mechanisms that support software metering, auditing, and license management. However, even organizations with tools like SCCM might use GPSI for certain scenarios—they can each serve a role in a software deployment infrastructure.
  • Talk through the differences between assigning an application to users, publishing an application to users, or assigning an application to computers. After presenting the “facts”, ask students to discuss different scenarios that would be best supported by each option. Be sure in the discussion that the following points are raised:
    Assigning applications to users can be a bit dangerous, because the applications will follow users to every computer to which they log on. For example, if you were to assign Microsoft Visio® to users, and users were to log on to conference room computers, Visio would end up installed on the conference room computers, which may not be desirable.
    Most software is licensed per computer, not per user. For this, and the previous reason, it is generally a best practice to deploy software using the assigned-to-computer option.
    Organizations often want to limit the applications that users install. And often, it is challenging to help users find an application that meets a need that they have. One great feature of the “publish” option is the fact that applications can be categorized. When you go to install applications from Programs And Features in Control Panel, those categories are used to group the available applications. So, for example, if you needed a photo editor, you could go to Programs And Features and, when you choose to install an application from the network, the published applications in the Photo Editor category would display each of the applications that the enterprise has approved for you to install to meet that need.
    Exam Tip: Know the difference between assigning applications and publishing applications.
  • In addition to explaining the settings in the GPO Status drop-down list, mention the performance benefits gained by specifically disabling nodes of GPOs that have no settings anyway.
    Ask students to consider what scenarios might lend themselves to disabling a GPO that has settings. Answers might include GPOs that configure strict lockdown in the case of a security incident, or that configure disaster recovery settings; in other words, those that are disabled until needed.
  • Exam Tip: The 70-640 exam is likely to include several questions that test your knowledge of Group Policy scope. Sometimes, questions that seem to be addressing the technical details of a policy setting are, in fact, testing your ability to scope the setting to appropriate systems. When you encounter Group Policy questions, ask yourself, “Is this really about a specific policy setting, or is it about the scope of that setting?”
  • Use this slide to reinforce the fundamentals of Group Policy processing, and to ensure that all students are on the same page.
  • Discuss the issues associated with slow links and disconnected systems. Make sure that students understand that, when a computer is disconnected, the settings that were previously applied will continue to take effect. There are several exceptions to this rule, most notably that startup, logon, logoff, and shutdown scripts do not run when the system is disconnected.
  • Use this slide to wrap up all of the detail regarding when Windows settings actually take effect. This should answer the question, “When I change a policy setting, when will that setting actually be applied to a user or computer?” The Student Manual contains a lot of good information that will allow you to step through the slide and to answer questions from students.
    Replication technologies, including the Directory Replication Agent, FRS, and DFS-R, are discussed in a later module. Don't go into detail about the replication technologies themselves, but rather point out that both the GPC and GPT must replicate to the domain controller from which a client is obtaining its policies, and that the GPC and GPT use different replication technologies that are not always in sync.
    Other points to make:
    It is highly recommended that organizations implement the Always Wait For Network At Startup And Logon policy setting. Without that, a change to a policy setting may take several logoff/logon or restart cycles before it takes effect, and there's no good way to predict the exact timing. In order to truly manage the application of new policy settings, enable Always Wait For Network At Startup And Logon. Make sure that students understand that this does not significantly slow down either the startup or logon process. It's not as if users will complain that it is noticeably slower. Also make sure that students understand that when a system is not connected to the network, it ignores this setting, so this setting is not a problem for disconnected laptop users.
    Most policy settings, particularly managed policy settings, cannot be changed by the user. However, if users are administrators of their machines, it is possible for them to change some settings. Those changes will never be reverted to match the settings specified by the GPOs, because most CSEs will only reapply policy settings when a GPO has changed. The exceptions to this rule are security settings, which are reapplied every 16 hours whether or not the GPO has changed. If an enterprise is concerned about enforcing its policy settings, and if it is possible for users to change those settings, then you should configure the CSEs to reapply policy settings even if the GPO has not changed. The policy processing behavior of each CSE can be configured with Group Policy in the path shown at the bottom of the slide.
  • Transition by asking students if the following seems complicated:
    A GPO can contain multiple settings.
    Multiple GPOs may apply to a user or computer, scoped using a variety of mechanisms.
    Those GPOs may contain conflicting settings.
    Ask: How can you figure out who wins and what policies were applied?
    Provide a very brief introduction to the concept and term Resultant Set of Policy (RSoP). This is mainly presented in the introductory module because newer students tend to begin to wonder how they will possibly be able to manage and evaluate Group Policy settings, so we proactively answer that question here. RSoP is discussed in Lesson 6.
  • Use this slide to introduce the term and the concepts and tools of RSoP. Remind students how complex it can become to evaluate a resultant set of policy, with factors including inheritance, filters, loopback, the interaction between GPOs in CSEs, and the mind-boggling number of policy settings. Help students understand that resultant set of policy is both a descriptor, meaning "the end result" of policy application, and the name of a collection of tools and processes.
  • Talk in detail about RSoP reports, preferably supporting with demonstrations. Ensure that students understand how to generate, interpret, and save RSoP reports created by the Group Policy Results Wizard in the GPME console or by the GPResult command. Emphasize the critical importance of RSoP reports in analyzing and troubleshooting Group Policy application in an enterprise.

    1. WEBINAR: Become a Group Policy Master in Microsoft Windows Server 2008. Presented by
    2. Subject Matter Expert: Abu Z, Microsoft Certified Trainer, Unitek Education. B.Sc (Hons) in Computer Science, M.Sc; MCT, MCLC, MCSE, MCSEM, MCSA, MCITP, MCTS, MCP...
    3. Group Policy Discussion Topics
       • Understand Group Policy
       • Manage Group Policy Scope
       • Implement GPOs
       • GPO policy processing and effects
       • A Deeper Look at Settings and GPOs
    4. Group Policy Objects
       • Group Policy is an infrastructure that allows you to implement specific configurations for users and computers.
       • A GPO is the container for one or more policy settings
       • Managed with the Group Policy Management Console (GPMC)
         ◦ Group Policy Objects container
       • Edited with the Group Policy Management Editor (GPME)
    5. GPO Scope
       • Scope. Definition of objects (users or computers) to which the GPO applies
       • GPO link. A GPO can be linked to a site, domain, or organizational unit (OU) (SDOU)
         ◦ GPO can be linked to multiple site(s) or OU(s)
         ◦ GPO link(s) define the maximum scope of the GPO
       • Security group filtering
         ◦ Apply or deny application of the GPO to members of a global security group
         ◦ Filters the scope of the GPO within its link scope
    6. Group Policy Refresh: When GPOs and their settings are applied
       • Computer Configuration
         ◦ Startup
         ◦ Every 90-120 minutes
         ◦ Triggered: GPUpdate command
       • User Configuration
         ◦ Logon
         ◦ Every 90-120 minutes
         ◦ Triggered: GPUpdate command
    7. Local GPOs
       • Apply before domain-based GPOs
         ◦ Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.
       • Local GPO
         ◦ One local GPO in Windows 2000, Windows XP, Windows Server® 2003
         ◦ Multiple local GPOs in Windows Vista® and later
         ◦ Local GPO: Computer settings and settings for all users
         ◦ Administrators GPO: Settings for users in Administrators
         ◦ Non-administrators GPO: Settings for users not in Administrators
         ◦ Per-user GPO: Settings for a specific user
       • If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
    8. Domain-Based GPOs
       • Created in Active Directory, stored on domain controllers
       • Two default GPOs
         ◦ Default Domain Policy: defines account policies for the domain (password, account lockout, and Kerberos policies)
         ◦ Default Domain Controllers Policy: defines auditing policies for domain controllers and Active Directory
    9. GPO Storage: What we call a GPO is actually two things, stored in two places, with separate replication mechanisms
       • Group Policy Container (GPC)
         ◦ Stored in AD DS
         ◦ Friendly name, globally unique identifier (GUID), version
       • Group Policy Template (GPT)
         ◦ Stored in SYSVOL on domain controllers (DCs)
         ◦ Contains all files required to define and apply settings
         ◦ .ini file contains Version
       • GPOTool
         ◦ Microsoft® Downloads Center
    10. Manage GPOs and Their Settings
       • Copy (and Paste into a Group Policy Objects container)
         ◦ Create a new "copy" GPO and modify it
         ◦ Transfer a GPO to a trusted domain, such as test-to-production
       • Back Up all settings, objects, links, permissions (access control lists [ACLs])
       • Restore into the same domain as the backup
       • Import Settings into a new GPO in the same or any domain
         ◦ Migration table for source-to-destination mapping of UNC paths and security group names
         ◦ Replaces all settings in the GPO – not a "merge"
       • Save Report
       • Delete
       • Rename
    11. GPO Links
       • GPO link
         ◦ Causes policy settings in the GPO to apply to users or computers within that container
         ◦ Links the GPO to a site, domain, or OU (SDOU)
         ◦ Must enable sites in the GPM console
         ◦ A GPO can be linked to multiple sites or OUs
         ◦ A link can exist but be disabled
         ◦ A link can be deleted, but the GPO remains
    12. GPO Inheritance and Precedence
       • The application of GPOs linked to each container results in a cumulative effect called inheritance
         ◦ Default precedence: Local → Site → Domain → OU → OU… (LSDOU)
         ◦ Seen on the Group Policy Inheritance tab
       • Link order (attribute of GPO link)
         ◦ Lower number → higher on list → higher precedence
       • Block Inheritance (attribute of OU)
         ◦ Blocks the processing of GPOs from above
       • Enforced (attribute of GPO link)
         ◦ Enforced GPOs “blast through” Block Inheritance
         ◦ Enforced GPO settings win over conflicting settings in lower GPOs
    13. Use Security Filtering to Modify GPO Scope
       • Apply Group Policy permission
         ◦ GPO has an ACL (Delegation tab → Advanced)
         ◦ Default: Authenticated Users have Allow Apply Group Policy
       • Scope only to users in selected global group(s)
         ◦ Remove Authenticated Users
         ◦ Add appropriate global groups
         ◦ Must be global groups (GPOs don’t scope to domain local groups)
       • Scope to users except for those in selected group(s)
         ◦ On the Delegation tab, click Advanced
         ◦ Add appropriate global groups
         ◦ Deny the Apply Group Policy permission
         ◦ Does not appear on the Delegation tab or in the filtering section
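The staged-rollout practice from the speaker notes (link the GPO at its production location, narrow the scope with a security group, and hand Read back to support staff) and the permission changes on this slide, as an added PowerShell example. This is not code from the webinar, Unitek, or Microsoft; it assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and later / RSAT), and every GPO, OU, and group name is a constructed placeholder.

```powershell
# Added example (not from the webinar): stage a GPO at its production link but
# scope it to a pilot group via security filtering, keeping support staff able
# to read it. Assumes the GroupPolicy module (Windows Server 2008 R2+ / RSAT).
# GPO, OU and group names are constructed placeholders.
Import-Module GroupPolicy

$GpoName      = 'CONTOSO Standards (Pilot)'            # constructed
$ProductionOu = 'OU=Workstations,DC=contoso,DC=com'    # constructed
$PilotGroup   = 'GPO-Pilot-Standards'                  # global group, constructed
$SupportGroup = 'GPO-Support-ReadOnly'                 # global group, constructed

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Pilot GPO: scope limited by security group, not by a test OU'
}

# 2. Link it where it will live in production. The link is the maximum scope;
#    the ACL edited below narrows it to the pilot group, so precedence and
#    interaction with other production GPOs are the same as after rollout.
$existingLink = (Get-GPInheritance -Target $ProductionOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $ProductionOu -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: Authenticated Users keep Read but lose Apply Group Policy
#    (-Replace swaps the default Read+Apply for Read only); the pilot group gets Apply.
#    Keeping Read here is a deliberate choice: the computer account still has to be
#    able to read the GPO, and support staff keep visibility of it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. If Authenticated Users were removed outright instead, support staff would
#    lose Read; granting it explicitly to their group covers that case too.
Set-GPPermission -Name $GpoName -TargetName $SupportGroup -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 5. Show the resulting delegation so it can be reviewed before the pilot starts.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize
```

Step 3 departs from the slide's literal "Remove Authenticated Users" on purpose: since the June 2016 Group Policy security update (MS16-072), a computer applies user settings only if its own account can read the GPO, so on current domain controllers leaving Authenticated Users (or Domain Computers) with Read and removing only Apply Group Policy is the safer form of the same filtering.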
    14. What Is Security Policy Management?
       • Enterprise IT security policy → security configuration → settings
       • Manage security configuration
         ◦ Create the security policy
         ◦ Apply the security policy to one or more systems
         ◦ Analyze security settings against the policy
         ◦ Update the policy, or correct the discrepancies on the system
       • Tools
         ◦ Local Group Policy and Domain Group Policy
         ◦ Security Templates snap-in
         ◦ Security Configuration and Analysis snap-in
         ◦ Security Configuration Wizard
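The "analyze security settings against the policy" step of the cycle on this slide, as an added PowerShell example that is not part of the webinar. It reads the INF format that the Security Templates snap-in and `secedit.exe /export` both produce, compares the [System Access] section with a baseline, and reports each discrepancy; the baseline numbers and the sample export are constructed for illustration, not a recommendation.

```powershell
# Added example (not from the webinar): compare the [System Access] section of a
# security template / secedit export against a baseline. Baseline values and the
# sample export below are constructed for illustration.
$Baseline = @{
    MinimumPasswordLength = 12   # at least
    PasswordComplexity    = 1    # at least (1 = enabled)
    PasswordHistorySize   = 24   # at least
    MaximumPasswordAge    = 90   # at most; -1 means "never expires" and fails
    LockoutBadCount       = 5    # between 1 and 5 (0 = lockout disabled)
}

function Read-SystemAccessSection {
    # Parse the [System Access] section of an INF into a hashtable of numeric
    # settings; string-valued keys such as NewAdministratorName are skipped.
    param([string[]]$Lines)
    $section  = ''
    $settings = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Compare-SystemAccess {
    # One result object per baseline key; a missing key is reported as non-compliant.
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $have = $Actual[$key]
        $want = $Expected[$key]
        $ok = switch ($key) {
            'MaximumPasswordAge' { ($null -ne $have) -and ($have -ge 1) -and ($have -le $want) }
            'LockoutBadCount'    { ($null -ne $have) -and ($have -ge 1) -and ($have -le $want) }
            default              { ($null -ne $have) -and ($have -ge $want) }
        }
        New-Object PSObject -Property @{
            Setting = $key; Expected = $want; Actual = $have; Compliant = $ok
        }
    }
}

# Constructed sample of what "secedit /export /cfg" writes on a machine that
# still has the workgroup defaults (not captured from a real system).
$SampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-SystemAccess -Actual (Read-SystemAccessSection $SampleExport) -Expected $Baseline |
    Select-Object Setting, Expected, Actual, Compliant | Format-Table -AutoSize

# Against the live machine (run elevated): export the local security policy,
# then analyze the file the same way.
#   $inf = Join-Path $env:TEMP 'local-security-policy.inf'
#   secedit.exe /export /cfg $inf /quiet
#   Compare-SystemAccess -Actual (Read-SystemAccessSection (Get-Content $inf)) -Expected $Baseline
```

With the sample export every row comes back non-compliant except none, which is the point of the slide: the defaults are not the policy, and the analysis step is what tells you where the two differ before you correct the system or update the policy. The same `Compare-SystemAccess` call can be pointed at a template exported from a reference server to check whether a fleet member has drifted from it.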
    15. Configure the Local Security Policy (figure: spectrum from Local Security Policy to Domain Group Policy)
    16. Understand Group Policy Software Installation (GPSI)
       • Installs supported packages
         ◦ Windows Installer packages (.msi)
         ◦ Optionally modified by Transform (.mst) or patches (.msp)
         ◦ GPSI automatically installs with elevated privileges
         ◦ Down-level application package (.zap)
         ◦ Supported by the “publish” option only
         ◦ Requires that the user has admin privileges
         ◦ SCCM and other deployment tools can support a wider variety of installation and configuration packages
       • No “feedback”
         ◦ No centralized indication of success or failure
         ◦ No license management
    17. Understand Group Policy Software Installation (GPSI) (continued)
       • Software deployment options
         ◦ Assign application to users
           – Start menu shortcuts appear – install-on-demand
           – File associations made (optional “Auto Install”) – install-on-document invocation
           – Optionally, configure to install at logon
         ◦ Publish application to users
           – Advertised in Programs And Features (Control Panel) – install-on-request
         ◦ Assign to computers
           – Install at startup
    18. Enable or Disable GPOs and GPO Nodes
       • GPO Details tab → GPO Status drop-down list
         ◦ Enabled: Both Computer Configuration and User Configuration settings will be applied by CSEs
         ◦ All settings disabled: CSEs will not process the GPO
         ◦ Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
         ◦ User Configuration settings disabled: CSEs will not process settings in User Configuration
    19. Loopback Policy Processing
       • At user logon, user settings from GPOs scoped to the computer object are applied
         ◦ Create a consistent user experience on a computer
         ◦ Conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
       • Computer Configuration\Policies\Administrative Templates\System\Group Policy → User Group Policy loopback processing mode
         ◦ Replace mode: The user gets none of the User settings that are scoped to the user, only the User settings that are scoped to the computer.
         ◦ Merge mode: The user gets the User settings scoped to the user, but those settings are overlaid with User settings scoped to the computer. The computer wins.
    20. A Detailed Review of Group Policy Processing
       • Computer starts; Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started
       • Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer
         ◦ Local → Site → Domain → OU → Enforced GPOs
       • Group Policy Client processes each GPO in order
         ◦ Should it be applied? (enabled/disabled/permission/WMI filter)
         ◦ CSEs are triggered to process settings in the GPO
         ◦ Settings configured as Enabled or Disabled are processed
       • User logs on
       • Process repeats for user settings
       • Every 90-120 minutes after startup, computer refresh
       • Every 90-120 minutes after logon, user refresh
    21. Slow Links and Disconnected Systems
       • Group Policy Client determines whether the link to the domain should be considered a slow link
         ◦ By default, less than 500 kilobits per second (kbps)
         ◦ Each CSE can use the slow-link determination to decide whether it should process or not
         ◦ The Software CSE, for example, does not process
       • Disconnected
         ◦ Settings previously applied will continue to take effect
         ◦ Exceptions include startup, logon, logoff, and shutdown scripts
       • Connected
         ◦ Windows Vista and later operating systems detect a new connection and perform a Group Policy refresh if the refresh window was missed while disconnected
    22. Understand When Settings Take Effect
       • GPO replication must happen
         ◦ GPC and GPT must replicate
       • Group changes must be incorporated
         ◦ Logoff/logon for user; restart for computer
       • Group Policy refresh must occur
         ◦ Windows XP, Windows Vista, and Windows 7 clients
         ◦ Always wait for network at startup and logon
       • Settings may require logoff/logon (user) or restart (computer) to take effect
       • Manually refresh: GPUpdate [/force] [/logoff] [/boot]
       • Most CSEs do not re-apply settings if the GPO has not changed
         ◦ Configure in Computer\Admin Templates\System\Group Policy
    23. Resultant Set of Policy
       • The "cumulative" effect of Group Policy
         ◦ A user or computer is usually within the scope of many GPOs
         ◦ Potentially conflicting settings: precedence
       • Tools to report the settings that were applied and which GPO "won" in the case of conflicting settings
       • Tools to model the effects of changes to the Group Policy infrastructure or to the location of objects in Active Directory
    24. Resultant Set of Policy
       • Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
       • RSoP
         ◦ The "end result" of policy application
         ◦ Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
       • RSoP analysis
         ◦ The Group Policy Results Wizard
         ◦ The Group Policy Modeling Wizard
         ◦ GPResult.exe
    25. Generate RSoP Reports
       • Group Policy Results Wizard
         ◦ Queries WMI to report actual Group Policy application
       • Requirements
         ◦ Administrative credentials on the target computer
         ◦ Access to WMI (firewall)
         ◦ User must have logged on at least once
       • RSoP report
         ◦ Can be saved
         ◦ View in Advanced mode
           – Shows some settings that do not show in the HTML report
         ◦ View Group Policy processing events
       • GPResult.exe /s ComputerName /h filename
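An added PowerShell example, not part of the webinar, that answers the "who won and why" question from the RSoP notes with the XML form of the report (`GPResult.exe /x` instead of the `/h` HTML on this slide). For every GPO in the report it states whether the GPO applied, why it was skipped if not (security filtering, WMI filter, disabled), and whether the GPC and GPT version numbers agree, which is the replication mismatch the GPO storage slide and GPOTool are concerned with. Element names follow the gpresult XML output; the sample report is constructed with placeholder names and GUIDs, and the function assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the webinar): summarize a gpresult /x report. The XML
# below is constructed (placeholder names, GUIDs and versions); the element names
# are those of gpresult's XML output. Assumes PowerShell 3.0+.
$SampleRsop = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <Name>CONTOSO\WS01$</Name>
    <GPO>
      <Name>CONTOSO Standards</Name>
      <Path><Identifier>{00000000-0000-0000-0000-00000000000a}</Identifier><Domain>contoso.com</Domain></Path>
      <VersionDirectory>12</VersionDirectory><VersionSysvol>12</VersionSysvol>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Workstations</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>1</LinkOrder><NoOverride>true</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Pilot Lockdown</Name>
      <Path><Identifier>{00000000-0000-0000-0000-00000000000b}</Identifier><Domain>contoso.com</Domain></Path>
      <VersionDirectory>7</VersionDirectory><VersionSysvol>6</VersionSysvol>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>contoso.com/Workstations</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>2</LinkOrder><NoOverride>false</NoOverride></Link>
    </GPO>
  </ComputerResults>
</Rsop>
'@

function Get-RsopGpoSummary {
    # One object per GPO in the computer and user sections of an RSoP XML document.
    param([xml]$Rsop)
    foreach ($kind in 'Computer', 'User') {
        $results = $Rsop.Rsop."${kind}Results"      # ComputerResults / UserResults
        if ($null -eq $results) { continue }
        foreach ($gpo in @($results.GPO)) {
            if ($null -eq $gpo) { continue }
            $link = @($gpo.Link)[0]                  # first link if the GPO is linked more than once
            # The indexer is used for <Name> because the element's own .Name property
            # (the tag name "GPO") would otherwise shadow the child element.
            $name = $gpo['Name'].InnerText
            $status = if     ($gpo.AccessDenied -eq 'true')  { 'Denied: Apply Group Policy not granted (security filtering)' }
                      elseif ($gpo.FilterAllowed -eq 'false') { 'Skipped: WMI filter evaluated false' }
                      elseif ($gpo.Enabled -ne 'true')        { 'Skipped: GPO or link disabled' }
                      elseif ($gpo.IsValid -ne 'true')        { 'Skipped: GPO invalid (check GPC/GPT with GPOTool)' }
                      else                                    { 'Applied' }
            [pscustomobject]@{
                Scope          = $kind
                Name           = $name
                LinkedTo       = $link.SOMPath
                LinkOrder      = [int]$link.LinkOrder
                Enforced       = ($link.NoOverride -eq 'true')
                GpcVersion     = [int]$gpo.VersionDirectory   # version stored in AD DS
                GptVersion     = [int]$gpo.VersionSysvol      # version stored in SYSVOL
                VersionsInSync = ($gpo.VersionDirectory -eq $gpo.VersionSysvol)
                Status         = $status
            }
        }
    }
}

Get-RsopGpoSummary -Rsop $SampleRsop | Format-Table -AutoSize

# Live use, mirroring the slide's GPResult syntax with XML output (needs
# administrative rights on the target and WMI reachable through its firewall):
#   GPResult.exe /s WS01 /x "$env:TEMP\rsop.xml"
#   Get-RsopGpoSummary -Rsop ([xml](Get-Content "$env:TEMP\rsop.xml")) | Format-Table -AutoSize
```

In the constructed sample the first GPO is applied and enforced; the second is reported as denied by security filtering and also shows GpcVersion 7 against GptVersion 6, so even after the permission is fixed the client would be reading a template that has not finished replicating to its domain controller. Sorting the output by Scope and LinkOrder reproduces the processing order the "Detailed Review of Group Policy Processing" slide describes.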
    26. Unitek Education, (888) 825-6273, Unitek.com. Abu Z., Instructor, Unitek Education