70 640 Lesson07 Ppt 041009


Published in: Education
  • Emphasize the power of group policies and all of the wonderful things you can do with them. Also explain how group policies are essential to security.
  • The GPMC is not explained in the book until a later chapter. But you need to use it for the students to see group policies in this chapter.
  • Show group policies and how to set them.
  • This is introduced in the next chapter but should be emphasized often.

    1. 1. Introduction to Group Policy <ul><li>Lesson 7 </li></ul>
    2. 2. Skills Matrix <ul><li>Technology Skill: Using the Group Policy Management Console. Objective Domain: Create and apply Group Policy Objects (GPOs). Objective #: 4.3 </li></ul><ul><li>Technology Skill: Configuring Group Policy Settings. Objective Domain: Configure GPO templates. Objective #: 4.4 </li></ul>
    3. 3. Group Policy <ul><li>Group Policy is a method of controlling settings across your network. </li></ul><ul><ul><li>Group Policy consists of user and computer settings on all versions of Windows since Windows 2000 that can be implemented during computer startup and shutdown and user logon and logoff. </li></ul></ul><ul><ul><li>You can configure one or more GPOs within a domain and then use a process called linking, which applies these settings to various containers (domain, sites and OUs) within Active Directory. </li></ul></ul><ul><ul><li>You can link multiple GPOs to a single container or link one GPO to multiple containers throughout the Active Directory structure. </li></ul></ul>
    4. 4. Group Policy <ul><li>The following managed settings can be defined or changed through Group Policies: </li></ul><ul><ul><li>Registry-based policies - As the name implies, these settings modify the Windows Registry. </li></ul></ul><ul><ul><li>Software installation policies can be used to ensure that users always have the latest versions of applications. </li></ul></ul><ul><ul><li>Folder redirection allows files to be redirected to a network drive for backup and makes them accessible from anywhere on the network. </li></ul></ul><ul><ul><li>Offline file storage works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible. </li></ul></ul>
    5. 5. Group Policy <ul><ul><li>Scripts – Including logon, logoff, startup, and shutdown scripts, these can assist in configuring the user environment. </li></ul></ul><ul><ul><li>Windows Deployment Services (WDS) – Assists in rebuilding or deploying workstations quickly and efficiently in an enterprise environment. </li></ul></ul><ul><ul><li>Microsoft Internet Explorer settings – Provide quick links and bookmarks for user accessibility, in addition to browser options such as proxy use, acceptance of cookies, and caching options. </li></ul></ul><ul><ul><li>Security settings – Protect resources on computers in the enterprise. </li></ul></ul>
    6. 6. Group Policy <ul><li>Group Policies can be linked to sites, domains, or OUs (not groups) to apply those settings to all users and computers within these Active Directory containers. </li></ul><ul><li>You can use security group filtering, which allows you to apply GPO settings to only one or more users or groups within a container by selectively granting the “Apply Group Policy” permission to one or more users or security groups. </li></ul>
    7. 7. Group Policy Objects (GPOs) <ul><li>Contain all of the Group Policy settings that you wish to implement to user and computer objects within a site, domain, or OU. </li></ul><ul><li>Must be associated with (linked to) the container to which they are applied. </li></ul><ul><li>There are three types of GPOs: </li></ul><ul><ul><li>Local GPOs. </li></ul></ul><ul><ul><li>Domain GPOs. </li></ul></ul><ul><ul><li>Starter GPOs. </li></ul></ul>
    8. 8. Local GPO <ul><li>The local GPO settings are stored on the local computer in the %systemroot%/System32/GroupPolicy folder. </li></ul><ul><li>Local GPOs contain fewer options. </li></ul><ul><ul><li>They do not support folder redirection or Group Policy software installation. </li></ul></ul><ul><ul><li>Fewer security settings are available. </li></ul></ul><ul><li>When a local and a nonlocal (Active Directory–based) GPO have conflicting settings, the local GPO is overwritten by the nonlocal GPO. </li></ul>
    9. 9. Nonlocal GPOs <ul><li>Nonlocal GPOs are created in Active Directory. </li></ul><ul><li>They are linked to sites, domains, or OUs. </li></ul><ul><ul><li>Once linked to a container, the GPO is applied to all users and computers within that container by default. </li></ul></ul><ul><li>GPOs are stored in two places: </li></ul><ul><ul><li>Group Policy container (GPC) — An Active Directory object that stores the properties of the GPO. </li></ul></ul><ul><ul><li>Group Policy template (GPT) — Located in the Policies subfolder of the SYSVOL share, the GPT is a folder that stores policy settings, such as security settings and script files. </li></ul></ul>
    10. 10. Starter GPOs <ul><li>A new feature in Windows Server 2008. </li></ul><ul><li>Used as GPO templates within Active Directory. </li></ul><ul><li>Allow you to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO. </li></ul>
    11. 11. Default Group Policies <ul><li>When Active Directory is installed, two domain GPOs are created by default. </li></ul><ul><ul><li>Default Domain Policy — It is linked to the domain, and its settings affect all users and computers in the domain. </li></ul></ul><ul><ul><li>Default Domain Controller Policy — It is linked to the Domain Controllers OU and its settings affect all domain controllers in the domain. </li></ul></ul>
    12. 12. Creating and Managing Group Policies <ul><li>The Group Policy Management Console (GPMC) is the Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings. </li></ul><ul><ul><li>The GPMC was not pre-installed in Windows Server 2003; it needed to be downloaded manually from the Microsoft Web site. </li></ul></ul><ul><ul><li>The GPMC is included in Windows Server 2008 by default. </li></ul></ul><ul><li>When you configure a GPO, you will use the Group Policy Management Editor, which can be accessed through the GPMC or through Active Directory Users and Computers. </li></ul>
    13. 13. Group Policy Management Console (GPMC)
    14. 14. Group Policy Management Console (GPMC)
    15. 15. Group Policy Management Console (GPMC)
    16. 16. Group Policy Object Editor
    17. 17. Group Policy Settings <ul><li>Configuring Group Policy settings enables you to customize the configuration of a user’s desktop, environment, and security settings. </li></ul><ul><li>The actual settings are divided into two subcategories: </li></ul><ul><ul><li>Computer Configuration </li></ul></ul><ul><ul><li>User Configuration </li></ul></ul>
    18. 18. Group Policy Settings <ul><li>The Computer Configuration and the User Configuration nodes contain three subnodes: </li></ul><ul><ul><li>Software Settings </li></ul></ul><ul><ul><ul><li>Used to install software. </li></ul></ul></ul><ul><ul><li>Windows Settings </li></ul></ul><ul><ul><ul><li>Used to define security settings and scripts. </li></ul></ul></ul><ul><ul><li>Administrative Templates </li></ul></ul><ul><ul><ul><li>Windows Server 2008 includes thousands of Administrative Template policies, which contain all registry-based policy settings. </li></ul></ul></ul><ul><ul><ul><li>They are used to generate the user interface for the Group Policy settings. </li></ul></ul></ul>
    19. 19. GPO Inheritance <ul><li>You link a GPO to a domain, site, or OU or create and link a GPO to one of these containers in a single step. The settings within that GPO apply to all child objects within the object. </li></ul>
    20. 20. Group Policy Processing (LSDOU) <ul><li>Local policies. </li></ul><ul><li>Site policies. </li></ul><ul><li>Domain policies. </li></ul><ul><li>OU policies. </li></ul>Any conflicting GPO settings are overwritten by the later running GPO.
    21. 21. Understanding Group Policy Processing <ul><li>When a computer is initialized during startup, it establishes a secure link between the computer and a domain controller. </li></ul><ul><ul><li>Then the computer obtains a list of GPOs to be applied. </li></ul></ul><ul><li>Computer configuration settings are applied synchronously during computer startup before the Logon dialog box is presented to the user. </li></ul>
    22. 22. Understanding Group Policy Processing <ul><li>Any startup scripts set to run during computer startup are processed. These scripts also run synchronously and have a default timeout of 600 seconds (10 minutes) to complete. </li></ul><ul><li>When the Computer Configuration scripts and startup scripts are complete, the user is prompted to press Ctrl+Alt+Del to log on. </li></ul>
    23. 23. Understanding Group Policy Processing <ul><li>Upon successful authentication, the user profile is loaded based on the Group Policy settings in effect. </li></ul><ul><li>A list of GPOs specific for the user is obtained from the domain controller. </li></ul><ul><ul><li>User Configuration settings also are processed in the LSDOU sequence. </li></ul></ul>
    24. 24. Understanding Group Policy Processing <ul><li>After the user policies run, any logon scripts run. Unlike the startup scripts, these scripts run asynchronously by default. </li></ul><ul><li>The user's desktop appears after all policies and scripts have been processed. </li></ul>
    25. 25. Configuring Exceptions to GPO Processing <ul><li>Enforce — Configuring this setting on an individual GPO link forces a particular GPO’s settings to flow down through the Active Directory without being blocked by any child OUs. </li></ul><ul><li>Block Policy Inheritance — Configuring this setting on a container object such as a site, domain, or OU will block all policies from parent containers from flowing to this container. </li></ul><ul><li>Loopback Processing — This is a Group Policy option that provides an alternative method of obtaining the ordered list of GPOs to be processed for the user. </li></ul><ul><ul><li>When set to Enabled, this setting has two options: Merge and Replace. </li></ul></ul>
    26. 26. GPUpdate Command <ul><li>If you make changes to a group policy, users may not see changes take effect until: </li></ul><ul><ul><li>They log off and log back in. </li></ul></ul><ul><ul><li>They reboot the computer. </li></ul></ul><ul><ul><li>They wait 90 minutes (+/- 30 minutes) for stand-alone servers/workstations and 2 minutes for domain controllers. </li></ul></ul><ul><li>To manually push group policies, you need to use the gpupdate command: </li></ul><ul><ul><li>Gpupdate /force </li></ul></ul>
    27. 27. Summary <ul><li>Group Policy consists of user and computer settings that can be implemented during computer startup and user logon. </li></ul><ul><ul><li>These settings can be used to customize the user environment, to implement security guidelines, and to assist in simplifying user and desktop administration. </li></ul></ul><ul><ul><li>Group Policies can be beneficial to users and administrators. </li></ul></ul><ul><ul><li>They can be used to increase a company's return on investment and to decrease the overall total cost of ownership for the network. </li></ul></ul>
    28. 28. Summary <ul><li>In Active Directory, Group Policies can be assigned to sites, domains, and OUs. </li></ul><ul><li>By default, there is one local policy per computer. Local policy settings are overwritten by Active Directory policy settings. </li></ul>
    29. 29. Summary <ul><li>Group Policy content is stored in an Active Directory GPC and in a GPT. </li></ul><ul><ul><li>The GPC can be seen using the Advanced Features view in Active Directory Users and Computers. </li></ul></ul><ul><ul><li>The GPT is a GUID-named folder located in the systemroot\sysvol\SYSVOL\domain_name\Policies folder. </li></ul></ul>
    30. 30. Summary <ul><li>The Default Domain Policy and the Default Domain Controller Policy are created by default when Active Directory is installed. </li></ul><ul><li>The Group Policy Management Console is the tool used to create and modify Group Policies and their settings. </li></ul>
    31. 31. Summary <ul><li>GPO nodes contain three subnodes including Software Settings, Windows Settings, and Administrative Templates. Administrative templates are XML files with the .admx file extension. </li></ul><ul><ul><li>Over 100 ADMX files are included with Windows Server 2008. </li></ul></ul>
    32. 32. Summary <ul><li>The order of Group Policy processing can be remembered using the acronym LSDOU: </li></ul><ul><ul><li>Local </li></ul></ul><ul><ul><li>Site </li></ul></ul><ul><ul><li>Domain </li></ul></ul><ul><ul><li>OU </li></ul></ul><ul><li>This order is an important part of understanding how to implement Group Policies for an object. </li></ul>
    33. 33. Summary <ul><li>Group Policies applied to parent containers are inherited by all child containers and objects. </li></ul><ul><ul><li>Inheritance can be altered by using the Enforce, Block Policy Inheritance, or Loopback settings. </li></ul></ul>
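
The LSDOU order from slide 20 and the Enforce and Block Policy Inheritance exceptions from slide 25 can be modelled in a few lines to see which GPO wins a conflicting setting. This is an added example, not part of the original slides: the GPO names, the OU name and the settings are constructed, the rule that an enforced link also overrides conflicting child settings is standard Group Policy behaviour the slides do not spell out, and Loopback Processing is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False           # "Enforce" is set on the individual GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False  # set on the site, domain or OU itself

def resultant_policy(local_settings, path):
    """path lists the containers above the object in S, D, OU order (parent OUs first)."""
    # Deepest container that blocks inheritance; non-enforced links above it are dropped.
    cut = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        for link in container.links:
            if link.enforced:
                enforced.append(link)    # an enforced link is never blocked
            elif depth >= cut:
                normal.append(link)
    # Local first, then S-D-OU; enforced links go last, highest container last of all,
    # so an enforced setting overwrites any conflicting value from a child OU.
    order = [Link("Local GPO", local_settings)] + normal + enforced[::-1]
    result = {}
    for link in order:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)   # the later running GPO overwrites
    return result

# Constructed sample: every name and value below is invented for illustration.
LOCAL = {"Wallpaper": "local.bmp", "ScreenSaverTimeout": 60}

def sample_path(block_labs):
    domain = [Link("Baseline", {"RemovableStorage": "Deny"}, enforced=True),
              Link("Desktop Defaults", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900})]
    labs = [Link("Lab Policy", {"RemovableStorage": "Allow", "ScreenSaverTimeout": 300})]
    return [Container("Site"), Container("Domain", domain),
            Container("OU=Labs", labs, block_inheritance=block_labs)]

if __name__ == "__main__":
    for blocked in (False, True):
        print("Block inheritance on OU=Labs:", blocked)
        for name, (value, gpo) in resultant_policy(LOCAL, sample_path(blocked)).items():
            print(f"  {name} = {value!r} (from {gpo})")
```

With inheritance blocked on the OU, the non-enforced domain defaults disappear and the local wallpaper value resurfaces, while the enforced domain baseline still overrides the OU's conflicting setting.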