WEBINAR
Become a Group Policy Master in Microsoft Windows Server 2008

Presented by Subject Matter Expert
Abu Z
Microsoft Certified Trainer
Unitek Education
B.Sc (Hons) in Computer Science, M. Sc
MCT, MCLC, MCSE, MCSEM, MCSA, MCITP, MCTS, MCP...
Group Policy Discussion Topics
 Understand Group Policy
 Manage Group Policy Scope
 Implement GPOs
 GPO policy processing and effects
 A Deeper Look at Settings and GPOs
Group Policy Objects
 Group Policy is an infrastructure that allows you to implement specific
  configurations for users and computers.
 GPO is the container for one or more policy settings
 Managed with the Group Policy Management Console (GPMC)
    Group Policy Objects container
 Edited with the Group Policy Management Editor (GPME)
GPO Scope
 Scope. Definition of objects (users or computers) to which
  GPO applies
 GPO link. GPO can be linked to site, domain, or
  organizational unit (OU) (SDOU)
    GPO can be linked to multiple site(s) or OU(s)
    GPO link(s) define maximum scope of GPO
 Security group filtering
    Apply or deny application of GPO to members of global security
     group
    Filter application of scope of GPO within its link scope
Group Policy Refresh
 When GPOs and their settings are applied
 Computer Configuration
    Startup
    Every 90-120 minutes
    Triggered: GPUpdate command
 User Configuration
    Logon
    Every 90-120 minutes
    Triggered: GPUpdate command
Local GPOs
 Apply before domain-based GPOs
    Any setting specified by a domain-based GPO will override the
     setting specified by the local GPOs.
 Local GPO
    One local GPO in Windows 2000, Windows XP, Windows Server®
     2003
    Multiple local GPOs in Windows Vista® and later
          Local GPO: Computer settings and settings for all users
          Administrators GPO: Settings for users in Administrators
          Non-administrators GPO: Settings for users not in Admins
          Per-user GPO: Settings for a specific user
 If domain members can be centrally managed using domain-
  linked GPOs, in what scenarios might local GPOs be used?
Domain-Based GPOs
 Created in Active Directory, stored on domain controllers
 Two default GPOs
    Default Domain Policy
        Define account policies for the domain: Password, account lockout, and
         Kerberos policies
    Default Domain Controllers Policy
        Define auditing policies for domain controllers and Active Directory
GPO Storage
 What we call a GPO is actually two things, stored in two places
 Group Policy Container (GPC)
    Stored in AD DS
    Friendly name, globally unique identifier (GUID)
    Version
 Group Policy Template (GPT)
    Stored in SYSVOL on domain controllers (DCs)
    Contains all files required to define and apply settings
    .ini file contains Version
 Separate replication mechanisms
 GPOTool
    Microsoft® Downloads Center
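Because the GPC and the GPT replicate separately, their version numbers can drift apart. The following is an added example, not part of the original slides and not GPOTool itself: it compares the GPC's versionNumber attribute with the Version line of GPT.INI, using the 32-bit layout in which the high 16 bits count user-side edits and the low 16 bits count computer-side edits. The GPO names and version values are constructed sample data.

```python
"""Compare GPC and GPT versions of GPOs (added example; sample data is constructed)."""
import configparser


def split_version(version_number):
    """High 16 bits: user-side version. Low 16 bits: computer-side version."""
    return {"user": (version_number >> 16) & 0xFFFF,
            "computer": version_number & 0xFFFF}


def gpt_version(gpt_ini_text):
    """Read Version from the [General] section of a GPT.INI file's text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])


def check_gpo(gpc_version, gpt_ini_text):
    """Return 'in sync' or a description of how the SYSVOL copy differs from AD DS."""
    if gpt_ini_text is None:
        return "GPT missing"
    try:
        gpt = split_version(gpt_version(gpt_ini_text))
    except (configparser.Error, KeyError, ValueError):
        return "GPT.INI unreadable"
    gpc = split_version(gpc_version)
    diffs = [f"{side} GPC={gpc[side]} GPT={gpt[side]}"
             for side in ("user", "computer") if gpc[side] != gpt[side]]
    return "mismatch: " + ", ".join(diffs) if diffs else "in sync"


# Constructed inventory: (name, versionNumber read from the GPC, GPT.INI text from SYSVOL)
SAMPLE_GPOS = [
    ("Security Baseline", 65539, "[General]\nVersion=65539\n"),
    ("Kiosk Lockdown", 131075, "[General]\nVersion=65539\n"),   # user side is stale in SYSVOL
    ("Kiosk Branding", 4, None),                                # GPT not replicated yet
    ("Legacy Logon Script", 1, "Version=1\n"),                  # no [General] section
]


def audit(gpos):
    """Map each GPO name to its replication status."""
    return {name: check_gpo(gpc, ini) for name, gpc, ini in gpos}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_GPOS).items():
        print(f"{name}: {status}")
```

A GPO reported as a mismatch is one whose settings a client may read in an older form from SYSVOL than the one recorded in AD DS.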
Manage GPOs and Their Settings
 Copy (and Paste into a Group Policy Objects container)
     Create a new "copy" GPO and modify it
     Transfer a GPO to a trusted domain, such as test-to-production
 Back Up all settings, objects, links, permissions (access control
  lists [ACLs])
 Restore into same domain as backup
 Import Settings into a new GPO in same or any domain
     Migration table for source-to-destination mapping of UNC paths
      and security group names
     Replaces all settings in the GPO – not a "merge"
 Save Report
 Delete
 Rename
GPO Links
 GPO link
    Causes policy settings in GPO to apply to users or computers
     within that container
    Links GPO to site, domain, or OU (SDOU)
       Must enable sites in the GPM console
    GPO can be linked to multiple sites or OUs
    Link can exist but be disabled
    Link can be deleted, but GPO remains
GPO Inheritance and Precedence
 The application of GPOs linked to each container results in a
  cumulative effect called inheritance
    Default Precedence: Local → Site → Domain → OU → OU… (LSDOU)
    Seen on the Group Policy Inheritance tab
 Link order (attribute of GPO Link)
    Lower number → Higher on list → Takes precedence
 Block Inheritance (attribute of OU)
    Blocks the processing of GPOs from above
 Enforced (attribute of GPO Link)
    Enforced GPOs “blast through” Block Inheritance
    Enforced GPO settings win over conflicting settings in lower GPOs
Use Security Filtering to Modify GPO Scope
 Apply Group Policy permission
    GPO has an ACL (Delegation tab → Advanced)
    Default: Authenticated Users have Allow Apply Group Policy
 Scope only to users in selected global group(s)
    Remove Authenticated Users
    Add appropriate global groups
        Must be global groups (GPOs don’t scope to domain local)
 Scope to users except for those in selected group(s)
    On Delegation tab, click Advanced
    Add appropriate global groups
    Deny Apply Group Policy permission
    Does not appear on Delegation tab or in filtering section 
What Is Security Policy Management?
 Enterprise IT Security Policy → security configuration settings
 Manage security configuration
      Create the security policy
      Apply the security policy to one or more systems
      Analyze security settings against the policy
      Update the policy, or correct the discrepancies on the system
 Tools
      Local Group Policy and Domain Group Policy
      Security Templates snap-in
      Security Configuration and Analysis snap-in
      Security Configuration Wizard
Configure the Local Security Policy
(Screenshots: Local Security Policy, Domain Group Policy)
Understand Group Policy Software Installation (GPSI)
 Installs supported packages
    Windows Installer packages (.msi)
        Optionally modified by Transform (.mst) or patches (.msp)
        GPSI automatically installs with elevated privileges
    Downlevel application package (.zap)
        Supported by “publish” option only
        Requires user has admin privileges
    SCCM and other deployment tools can support a wider variety
     of installation and configuration packages
 No “feedback”
    No centralized indication of success or failure
    No license management
Understand Group Policy Software Installation (GPSI) (continued)
 Software deployment options
    Assign application to users
        Start menu shortcuts appear
            – Install-on-demand
        File associations made (optional “Auto Install”)
            – Install-on-document invocation
        Optionally, configure to install at logon
    Publish application to users
        Advertised in Programs And Features (Control Panel)
           – Install-on-request
    Assign to computers
        Install at startup
Enable or Disable GPOs and GPO Nodes
 GPO Details tab → GPO Status drop-down list
 Enabled: Both Computer Configuration and User
  Configuration settings will be applied by CSEs
 All settings disabled: CSEs will not process the GPO
 Computer Configuration settings disabled: CSEs will not
  process settings in Computer Configuration
 User Configuration settings disabled: CSEs will not process
  settings in User Configuration
Loopback Policy Processing
 At user logon, user settings from GPOs scoped to computer object
  are applied
    Create a consistent user experience on a computer
    Conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
 Computer Configuration\Policies\Administrative Templates\System\Group Policy
    User Group Policy loopback processing mode
 Replace mode
    The user gets none of the User settings that are scoped to the user…
     only the User settings that are scoped to computer.
 Merge mode
    The user gets the User settings scoped to the user, but those settings
     are overlaid with User settings scoped to the computer. The
     computer wins.
A Detailed Review of Group Policy Processing
 Computer starts; Remote Procedure Call System Service
  (RPCSS) and Multiple Universal Naming Convention Provider
  (MUP) are started
 Group Policy Client starts and obtains an ordered list of GPOs
  that are scoped to the computer
    Local → Site → Domain → OU → Enforced GPOs
 GPC processes each GPO in order
    Should it be applied? (enabled/disabled/permission/WMI filter)
    CSEs are triggered to process settings in GPO
        Settings configured as Enabled or Disabled are processed
 User logs on
 Process repeats for user settings
 Every 90-120 minutes after startup, computer refresh
 Every 90-120 minutes after logon, user refresh
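The ordering rules from the inheritance, security filtering and processing slides above can be checked with a small model. This is an added example, not part of the original slides and not Microsoft's implementation: it covers site, domain and OU links only (no local GPOs, WMI filters or loopback), treats security filtering as the Apply Group Policy permission alone, and uses constructed container, GPO, group and setting names.

```python
"""Simplified model of GPO precedence (added example, not Microsoft's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict
    # Groups allowed / denied the Apply Group Policy permission.
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)


@dataclass
class Link:
    gpo: Gpo
    order: int               # link order inside one container; 1 is highest precedence
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    name: str                # a site, the domain, or an OU
    links: list
    block_inheritance: bool = False


def passes_security_filter(gpo, groups):
    """Allow Apply Group Policy for at least one group, Deny for none (Deny wins)."""
    return bool(gpo.allow_apply & groups) and not (gpo.deny_apply & groups)


def processing_order(chain, groups):
    """Return the GPOs in the order they are applied; the last one applied wins.

    chain runs from the site through the domain down to the object's own OU.
    """
    # Non-enforced links above the lowest container with Block Inheritance are dropped.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Apply high link-order numbers first so that link order 1 is applied last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled or not passes_security_filter(link.gpo, groups):
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= block_at:
                normal.append(link.gpo)
    # Enforced GPOs go last, deepest container first, so one enforced higher up wins.
    enforced.sort(key=lambda pair: pair[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def resultant_settings(chain, groups):
    """Map each setting to (value, winning GPO name), in the style of an RSoP report."""
    result = {}
    for gpo in processing_order(chain, groups):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def sample_chain(block=True):
    """Constructed sample: one site, one domain, one OU (all names are made up)."""
    default = Gpo("Default Domain Policy", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900})
    baseline = Gpo("Security Baseline", {"ScreenSaverTimeout": 600})
    lockdown = Gpo("Kiosk Lockdown", {"ScreenSaverTimeout": 60, "HideControlPanel": True})
    branding = Gpo("Kiosk Branding", {"Wallpaper": "kiosk.bmp"}, deny_apply={"Kiosk Admins"})
    return [
        Container("Site: HQ", []),
        Container("Domain: example.test", [Link(default, 1), Link(baseline, 2, enforced=True)]),
        Container("OU: Kiosks", [Link(lockdown, 1), Link(branding, 2)], block_inheritance=block),
    ]


if __name__ == "__main__":
    user = {"Authenticated Users", "Domain Users"}
    for setting, (value, winner) in sorted(resultant_settings(sample_chain(), user).items()):
        print(f"{setting} = {value!r}  (from {winner})")
```

In the sample, Block Inheritance on the OU drops the Default Domain Policy, yet the enforced Security Baseline still overrides the OU's own screen saver timeout.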
Slow Links and Disconnected Systems
 Group Policy Client determines whether link to domain should be
  considered slow link
    By default, less than 500 kilobits per second (kbps)
    Each CSE can use determination of slow link to decide whether it
     should process or not
        Software CSE, for example, does not process
 Disconnected
    Settings previously applied will continue to take effect
    Exceptions include startup, logon, logoff, and shutdown scripts
 Connected
    Windows Vista and later operating systems detect new connection
     and perform Group Policy refresh if refresh window was missed while
     disconnected
Understand When Settings Take Effect
 GPO replication must happen
    GPC and GPT must replicate
 Group changes must be incorporated
    Logoff/logon for user; restart for computer
 Group Policy refresh must occur
    Windows XP, Windows Vista, and Windows 7 clients
    Always wait for network at startup and logon
 Settings may require logoff/logon (user) or restart (computer) to
  take effect
 Manually refresh: GPUpdate [/force] [/logoff] [/boot]
 Most CSEs do not re-apply settings if GPO has not changed
    Configure in Computer\Admin Templates\System\Group Policy
Resultant Set of Policy
 The "cumulative" effect of Group Policy
    A user or computer is usually within the scope of many GPOs
    Potentially conflicting settings: precedence
 Tools to report the settings that were applied and
  which GPO "won" in the case of conflicting settings
 Tools to model the effects of changes to the Group Policy
  infrastructure or to the location of objects in Active Directory
Resultant Set of Policy
 Inheritance, filters, loopback, and other policy scope and
  precedence factors are complex!
 RSoP
    The "end result" of policy application
    Tools to help evaluate, model, and troubleshoot the application
     of Group Policy settings
 RSoP analysis
    The Group Policy Results Wizard
    The Group Policy Modeling Wizard
    GPResult.exe
Generate RSoP Reports
 Group Policy Results Wizard
     Queries WMI to report actual Group Policy application
 Requirements
     Administrative credentials on the target computer
     Access to WMI (firewall)
     User must have logged on at least once
 RSoP report
     Can be saved
     View in Advanced mode
       Shows some settings that do not show in the HTML report
       View Group Policy processing events
 GPResult.exe /s ComputerName /h filename
Abu Z.
Instructor
Unitek Education
(888) 825-6273
Unitek.com
webinars@unitek.com

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 

Recently uploaded (20)

Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 

Group Policy Windows Server 2008

  • 1. WEBINAR Become a Group Policy Master in Microsoft Windows Server 2008 Presented by
  • 2. Subject Matter Expert Abu Z Microsoft Certified Trainer Unitek Education B.Sc (Hons) in Computer Science, M. Sc MCT, MCLC, MCSE, MCSEM, MCSA, MCITP, MCTS, MCP...
  • 3. Group Policy Discussion Topics
      - Understand Group Policy
      - Manage Group Policy Scope
      - Implement GPOs
      - GPO policy processing and effects
      - A Deeper Look at Settings and GPOs
  • 4. Group Policy Objects
      - Group Policy is an infrastructure that allows you to implement specific configurations for users and computers.
      - GPO is the container for one or more policy settings
      - Managed with the Group Policy Management Console (GPMC)
          - Group Policy Objects container
      - Edited with the Group Policy Management Editor (GPME)
  • 5. GPO Scope
      - Scope. Definition of objects (users or computers) to which GPO applies
      - GPO link. GPO can be linked to site, domain, or organizational unit (OU) (SDOU)
          - GPO can be linked to multiple site(s) or OU(s)
          - GPO link(s) define maximum scope of GPO
      - Security group filtering
          - Apply or deny application of GPO to members of global security group
          - Filter application of scope of GPO within its link scope
  • 6. Group Policy Refresh
      - When GPOs and their settings are applied
      - Computer Configuration
          - Startup
          - Every 90-120 minutes
          - Triggered: GPUpdate command
      - User Configuration
          - Logon
          - Every 90-120 minutes
          - Triggered: GPUpdate command
  • 7. Local GPOs
      - Apply before domain-based GPOs
          - Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.
      - Local GPO
          - One local GPO in Windows 2000, Windows XP, Windows Server® 2003
          - Multiple local GPOs in Windows Vista® and later
              - Local GPO: Computer settings and settings for all users
              - Administrators GPO: Settings for users in Administrators
              - Non-administrators GPO: Settings for users not in Admins
              - Per-user GPO: Settings for a specific user
      - If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
  • 8. Domain-Based GPOs
      - Created in Active Directory, stored on domain controllers
      - Two default GPOs
          - Default Domain Policy
              - Define account policies for the domain: Password, account lockout, and Kerberos policies
          - Default Domain Controllers Policy
              - Define auditing policies for domain controllers and Active Directory
  • 9. GPO Storage
      - Group Policy Object (GPO)
          - What we call a GPO is actually two things, stored in two places
      - Group Policy Container (GPC)
          - Stored in AD DS
          - Friendly name, globally unique identifier (GUID)
          - Version
      - Group Policy Template (GPT)
          - Stored in SYSVOL on domain controllers (DCs)
          - Contains all files required to define and apply settings
          - .ini file contains Version
      - Separate replication mechanisms
      - GPOTool
          - Microsoft® Downloads Center
  • 10. Manage GPOs and Their Settings
      - Copy (and Paste into a Group Policy Objects container)
          - Create a new "copy" GPO and modify it
          - Transfer a GPO to a trusted domain, such as test-to-production
      - Back Up all settings, objects, links, permissions (access control lists [ACLs])
      - Restore into same domain as backup
      - Import Settings into a new GPO in same or any domain
          - Migration table for source-to-destination mapping of UNC paths and security group names
          - Replaces all settings in the GPO – not a "merge"
      - Save Report
      - Delete
      - Rename
  • 11. GPO Links
      - GPO link
          - Causes policy settings in GPO to apply to users or computers within that container
          - Links GPO to site, domain, or OU (SDOU)
              - Must enable sites in the GPM console
          - GPO can be linked to multiple sites or OUs
          - Link can exist but be disabled
          - Link can be deleted, but GPO remains
  • 12. GPO Inheritance and Precedence
      - The application of GPOs linked to each container results in a cumulative effect called inheritance
          - Default Precedence: Local → Site → Domain → OU → OU… (LSDOU)
          - Seen on the Group Policy Inheritance tab
      - Link order (attribute of GPO Link)
          - Lower number → Higher on list → Precedent
      - Block Inheritance (attribute of OU)
          - Blocks the processing of GPOs from above
      - Enforced (attribute of GPO Link)
          - Enforced GPOs “blast through” Block Inheritance
          - Enforced GPO settings win over conflicting settings in lower GPOs
  • 13. Use Security Filtering to Modify GPO Scope
      - Apply Group Policy permission
          - GPO has an ACL (Delegation tab → Advanced)
          - Default: Authenticated Users have Allow Apply Group Policy
      - Scope only to users in selected global group(s)
          - Remove Authenticated Users
          - Add appropriate global groups
              - Must be global groups (GPOs don’t scope to domain local)
      - Scope to users except for those in selected group(s)
          - On Delegation tab, click Advanced
          - Add appropriate global groups
          - Deny Apply Group Policy permission
          - Does not appear on Delegation tab or in filtering section
  • 14. What Is Security Policy Management?
      - Enterprise IT Security Policy → security configuration → settings
      - Manage security configuration
          - Create the security policy
          - Apply the security policy to one or more systems
          - Analyze security settings against the policy
          - Update the policy, or correct the discrepancies on the system
      - Tools
          - Local Group Policy and Domain Group Policy
          - Security Templates snap-in
          - Security Configuration and Analysis snap-in
          - Security Configuration Wizard
  • 15. Configure the Local Security Policy Local Security Policy Domain Group Policy
  • 16. Understand Group Policy Software Installation (GPSI)
      - Installs supported packages
          - Windows Installer packages (.msi)
              - Optionally modified by Transform (.mst) or patches (.msp)
              - GPSI automatically installs with elevated privileges
          - Downlevel application package (.zap)
              - Supported by “publish” option only
              - Requires user has admin privileges
          - SCCM and other deployment tools can support a wider variety of installation and configuration packages
      - No “feedback”
          - No centralized indication of success or failure
          - No license management
  • 17. Understand Group Policy Software Installation (GPSI) (continued)
      - Software deployment options
          - Assign application to users
              - Start menu shortcuts appear – Install-on-demand
              - File associations made (optional “Auto Install”) – Install-on-document invocation
              - Optionally, configure to install at logon
          - Publish application to users
              - Advertised in Programs And Features (Control Panel) – Install-on-request
          - Assign to computers
              - Install at startup
  • 18. Enable or Disable GPOs and GPO Nodes
      - GPO Details tab
          - GPO Status drop-down list
              - Enabled: Both Computer Configuration and User Configuration settings will be applied by CSEs
              - All settings disabled: CSEs will not process the GPO
              - Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
              - User Configuration settings disabled: CSEs will not process settings in User Configuration
  • 19. Loopback Policy Processing
      - At user logon, user settings from GPOs scoped to computer object are applied
          - Create a consistent user experience on a computer
          - Conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
      - Computer Configuration\Policies\Administrative Templates\System\Group Policy
          - User Group Policy loopback processing mode
      - Replace mode
          - The user gets none of the User settings that are scoped to the user… only the User settings that are scoped to computer.
      - Merge mode
          - The user gets the User settings scoped to the user, but those settings are overlaid with User settings scoped to the computer. The computer wins.
  • 20. A Detailed Review of Group Policy Processing
      - Computer starts; Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started
      - Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer
          - Local → Site → Domain → OU → Enforced GPOs
      - GPC processes each GPO in order
          - Should it be applied? (enabled/disabled/permission/WMI filter)
          - CSEs are triggered to process settings in GPO
              - Settings configured as Enabled or Disabled are processed
      - User logs on
          - Process repeats for user settings
      - Every 90-120 minutes after startup, computer refresh
      - Every 90-120 minutes after logon, user refresh
  • 21. Slow Links and Disconnected Systems
      - Group Policy Client determines whether link to domain should be considered slow link
          - By default, less than 500 kilobits per second (kbps)
          - Each CSE can use determination of slow link to decide whether it should process or not
              - Software CSE, for example, does not process
      - Disconnected
          - Settings previously applied will continue to take effect
          - Exceptions include startup, logon, logoff, and shutdown scripts
      - Connected
          - Windows Vista and later operating systems detect new connection and perform Group Policy refresh if refresh window was missed while disconnected
  • 22. Understand When Settings Take Effect
      - GPO replication must happen
          - GPC and GPT must replicate
      - Group changes must be incorporated
          - Logoff/logon for user; restart for computer
      - Group Policy refresh must occur
          - Windows XP, Windows Vista, and Windows 7 clients
              - Always wait for network at startup and logon
      - Settings may require logoff/logon (user) or restart (computer) to take effect
      - Manually refresh: GPUpdate [/force] [/logoff] [/boot]
      - Most CSEs do not re-apply settings if GPO has not changed
          - Configure in Computer\Admin Templates\System\Group Policy
  • 23. Resultant Set of Policy
      - The "cumulative" effect of Group Policy
          - A user or computer is usually within the scope of many GPOs
          - Potentially conflicting settings: precedence
      - Tools to report the settings that were applied and which GPO "won" in the case of conflicting settings
      - Tools to model the effects of changes to the Group Policy infrastructure or to the location of objects in Active Directory
  • 24. Resultant Set of Policy
      - Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
      - RSoP
          - The "end result" of policy application
          - Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
      - RSoP analysis
          - The Group Policy Results Wizard
          - The Group Policy Modeling Wizard
          - GPResult.exe
  • 25. Generate RSoP Reports
      - Group Policy Results Wizard
          - Queries WMI to report actual Group Policy application
      - Requirements
          - Administrative credentials on the target computer
          - Access to WMI (firewall)
          - User must have logged on at least once
      - RSoP report
          - Can be saved
          - View in Advanced mode
              - Shows some settings that do not show in the HTML report
          - View Group Policy processing events
      - GPResult.exe /s ComputerName /h filename
  • 26. Unitek Education (888) 825-6273 Abu Z. Unitek.com Instructor Unitek Education webinars@unitek.com
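
The precedence rules on slides 11 to 13 (link order, Block Inheritance, Enforced, disabled links and security filtering) can be checked with a small model. The Python sketch below is an added example, not part of the original deck: the GPO names, settings, groups and container names are constructed, the local GPO is left out, and only the Apply Group Policy permission is modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    settings: dict
    # Default ACL from slide 13: Authenticated Users have Allow Apply Group Policy.
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)


@dataclass
class Link:
    gpo: str
    order: int              # link order inside its container; 1 has the highest precedence
    enforced: bool = False
    enabled: bool = True    # a link can exist but be disabled (slide 11)


@dataclass
class Container:
    name: str               # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def in_scope(gpo, groups):
    """Security filtering: a Deny on Apply Group Policy beats any Allow."""
    if gpo.deny_apply & groups:
        return False
    return bool(gpo.allow_apply & groups)


def application_order(path, gpos, groups):
    """Return GPO names in the order they are applied; the last one applied wins.

    path lists the containers from the top (site, domain) down to the OU that
    holds the user or computer.
    """
    # The lowest container with Block Inheritance drops every non-enforced link above it.
    lowest_block = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    order, enforced_by_depth = [], []
    for depth, container in enumerate(path):
        enforced_here = []
        # Highest link-order number first, so link order 1 is applied last and wins.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled or not in_scope(gpos[link.gpo], groups):
                continue
            if link.enforced:
                enforced_here.append(link.gpo)
            elif depth >= lowest_block:
                order.append(link.gpo)
        enforced_by_depth.append(enforced_here)
    # Enforced links are applied after everything else, from the bottom up,
    # so an enforced link higher in the hierarchy wins over any lower GPO.
    for enforced_here in reversed(enforced_by_depth):
        order.extend(enforced_here)
    return order


def resultant_set(path, gpos, groups):
    """Map each setting to (value, winning GPO), like a minimal RSoP report."""
    result = {}
    for name in application_order(path, gpos, groups):
        for setting, value in gpos[name].settings.items():
            result[setting] = (value, name)
    return result


# Constructed sample environment (all names and settings are illustrative).
GPOS = {
    "Domain Baseline": Gpo({"ScreenSaverTimeout": 600}),
    "Standards": Gpo({"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900}),
    "Kiosk Lockdown": Gpo({"Wallpaper": "kiosk.bmp", "ScreenSaverTimeout": 60},
                          deny_apply={"Kiosk-Exempt"}),
    "Pilot": Gpo({"Wallpaper": "pilot.bmp"}, allow_apply={"GPO-Pilot"}),
    "Legacy": Gpo({"Wallpaper": "old.bmp"}),
}
PATH = [
    Container("Site: HQ"),
    Container("Domain: example.test", links=[
        Link("Domain Baseline", order=1, enforced=True),
        Link("Standards", order=2),
    ]),
    Container("OU: Workstations", block_inheritance=True, links=[
        Link("Pilot", order=1),
        Link("Kiosk Lockdown", order=2),
        Link("Legacy", order=3, enabled=False),
    ]),
]

if __name__ == "__main__":
    for groups in ({"Authenticated Users"},
                   {"Authenticated Users", "GPO-Pilot"},
                   {"Authenticated Users", "Kiosk-Exempt"}):
        print(sorted(groups), "->", resultant_set(PATH, GPOS, groups))
```

On a live domain, compare what the model predicts with the Group Policy Inheritance tab or a GPResult.exe report.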

Editor's Notes

  1. If you choose to demonstrate the slide: Close the GPME that you use to edit the GPO in the previous slide. Point out that the setting you just configured is contained in the CONTOSO Standards GPO. Remind students that a GPO can contain multiple settings, but by default all settings are set to Not Configured. Point out that the tool you use to manage GPOs is the Group Policy Management console. Mention that you have opened the CONTOSO Standards GPO for editing by right-clicking the GPO and choosing Edit, which opens the Group Policy Management Editor. The management of GPOs is discussed in detail in Lesson 2.
  2. Mention that a GPO, and all of the settings that it contains, does not take effect until you have defined the scope of that GPO. The first step to scoping a GPO is linking it to a site, domain, or OU. Introduce students to the mnemonic acronym, SDOU. Point out that GPOs apply to users and computers, not to groups, despite the term, “Group Policy.” If you choose to demonstrate the slide, link the CONTOSO Standards GPO to the domain. Enforce the idea that the link or links define the maximum scope of the GPO. Pose a question: What if we don't want the GPO settings to apply to all objects within the scope? Use the question to transition to the concept of security group filtering, emphasizing that such filtering creates a subset of objects within the broader scope of the GPO link. Important Note: The reason this is important to mention, and will be reiterated throughout this module, is that many experienced students rely too heavily on GPO links to manage the scope of GPOs, which often leads them to less-than-ideal Active Directory organizational unit design, at the expense of efficiently applied and managed security (access control lists [ACLs]/delegation). Continue with a very brief discussion of WMI filtering, keeping the discussion very high level. Use the example of a policy setting that you want to apply to only a certain operating system. Define WMI filtering as a way of querying the system and then determining whether to apply a GPO. Wrap up with a mention of Preferences targeting. The goal is simply to introduce the term, and to prepare students for the idea that it is possible, now, to apply only part of a GPO to clients as long as that "part" is part of Preferences. It can't be emphasized enough: Keep it a "big picture" discussion! Scoping GPOs is discussed in Lesson 5.
  3. You have now presented the setting and scope elements of configuration management with Group Policy. Remind students of that fact, to bring them back to the original three elements of configuration management. Then continue with this slide, which is the first half of application. All you need to do is answer this basic question: When do these policies get applied? More detail about Group Policy refresh is provided in Lesson 5.
  4. Discuss local GPOs. Start with the understanding that local GPOs contain settings that affect only the local machine, and that any settings specified by a domain GPO scoped to that computer will override conflicting settings in local GPOs. Therefore, local GPOs have limited usage scenarios. Mention to students that while, in the real world, local GPOs have limited usage, they do tend to appear on certification exams so it is worth understanding local GPOs. However, this will be the only point in the course in which local GPOs are addressed, and after this only domain-based GPOs will be used. Things to mention: You cannot apply local Group Policy objects to groups (except Administrators versus non-administrators). User settings exist in all local GPOs. Computer settings exist only in the main local GPO. After discussing the details of local GPOs, return to the original understanding that, in a domain environment, local GPOs have limited usage scenarios. Ask students to think about what scenarios those might be. Question: If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used? Answer: Keep in mind that local GPOs are designed for non-domain environments. Configure them for your computer at home, for example, to manage the settings for your spouse or children. In a domain environment, settings in domain-based GPOs override conflicting settings in local GPOs, and it is a best practice to manage configuration by using domain-based GPOs. However, if you want to apply policies to local accounts, rather than domain accounts, the local GPOs can be used. Also, you might use local GPOs to configure baseline security settings in your deployment image—settings that will take effect while a new computer is still in a workgroup, prior to joining the domain.
  5. Describe the function and location of the GPC. Optionally, show a GPC using ADSI Edit. Optionally, show a GPT in SYSVOL. Show students how to identify the GUID of a GPO in the GPM console. Also give them a tip: sort the GPOs in SYSVOL by date, so you can quickly identify the GPO that you have just been working with. Exam Tip: GPOTool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs, leading to inconsistent versions of a GPC and GPT.
  6. Discussion Questions: What options might you use to transfer into production a GPO that was used in a test environment? What variables constrained which option you chose? Answers should include copy-and-paste, backing up settings and importing them into a new GPO, and simply manually re-creating a GPO. The most important variable is whether the test environment is in a trusted domain (in which case you can use copy-and-paste) or in a separate environment (in which case you must use the Import Settings command).
  7. As you discuss Group Policy inheritance and precedence, ensure that students understand that what is called "inheritance" is really just the effect of repeated, layered application of settings in GPOs in a specific order. You can approach this important discussion of GPO inheritance and precedence one of three ways: Talk to the points on this slide only. Talk to the first bullet on this slide, then use the visuals on the following three slides to discuss link order, blocked inheritance, and enforced links. Create a demonstration in the composer.com domain and, after setting up the first bullet on the slide, demonstrate the remainder in the sample domain, returning to the Group Policy Inheritance tab to show resultant precedence and processing.
  8. Many organizations struggle with how to maintain governance over Group Policy, and specifically how to effectively test a GPO before rolling it into production. Talk through a simple but completely effective best practice: Use security group filtering to manage the scope of a Group Policy object during testing. Instead of creating a sub-OU to manage the scope of a GPO for testing, link the GPO to the location it belongs in production. But instead of allowing the GPO to apply to Authenticated Users, or to the production security group, configure a security group specifically designed to limit the scope of the GPO to appropriate users and computers. The benefit of this practice is that it gives a much more realistic picture of how the GPO will perform in production, because you are not artificially limiting its scope or precedence by linking it to a separate "test" OU. In other words, you get a better picture for how the GPO interacts with other GPOs that are already in production. And yet, you still maintain full control over the specific users and computers that are within the scope of the test. Advanced Tip: If you remove Authenticated Users and scope a GPO to a specific group, support personnel will not be able to read the policy in order to perform Group Policy management tasks. Be sure to assign appropriate support personnel Read permission to the GPO.
  9. Use this slide to "set up" the broad concept of this lesson: The goal of an IT pro is to ensure that systems are secure, and in the end that means configuring a security policy that is made up of a number of security settings. Help students understand that security for security's sake provides no value. All security configuration should arise out of a set of business-level security requirements, defined in an IT security policy and information management policy. Just implementing someone else's "security checklist" does not produce security that's right for your enterprise. In fact, the defaults on Windows Server 2008 are quite secure! You must understand where you're going and why you're going there before you start driving. Inform students that the goal of this lesson is to understand the mechanisms with which you can manage security settings more effectively. We're not going to worry too much in this lesson about specific settings, their functionality, or their value. Later lessons and modules will address how to secure various aspects of a Windows environment, including administration, authentication, and file system access. This lesson is about the variety of tools you can use to define and deploy security settings—whatever those settings are to you and your enterprise.
  10. Don't spend too much time on this slide. You're simply pointing out that local Group Policy is an option for configuring security policy, but it's not manageable. The visual on this slide, and the text in the Student Manual, starts with the Local Security Policy. Discuss the fact that the local security policy allows you to configure many, but not all security settings. Local Security Policy does not, for example, do anything to file system or registry ACLs. You need to "lock down" ACLs using the Security Settings dialog box (the "Security tab" of a file, folder, or registry key properties dialog box).Module 6 discussed local group policy, and posed the question, "Why would you use it?" If you are working with workgroup (not domain) computers, or if you want to ensure that a computer meets a certain level of compliance before it joins the domain, then local security policy is valuable. But as soon as a system is member of a domain, local security policy is as far from "manageable" as possible—there's no central configuration capability for local security policy.On the other end of the spectrum is domain Group Policy, which of course is centralized and, as seen in the figure, exposes a number of additional settings including file system & registry ACLs.The rest of this lesson fills in the "middle" of this spectrum. You will be showing students how to create Group Policies that are based on the configuration of a server; and how to analyze a server to see whether it remains in compliance with domain policy. It's very important that students understand that this is where they will be "working" in this lesson. That way, they have some perspective as they dive into security templates and the security configuration wizard, each of which produces ways of managing security settings that fall between local and domain policy, and each of which allows you to promote a collection of settings to a domain-level configuration policy managed with Group Policy.
  11. Ensure that students understand that GPSI can install only Windows Installer packages. However, since many applications are available as Windows Installer packages, and since there are tools that allow one to create Windows Installer packages, this is enough to allow GPSI to serve as a valuable software deployment mechanism for many organizations.Touch on the point that GPSI can, technically, deploy any application that supports an unattended installation command using a down level application package (“.zap file”). This file is basically a .ini file that specifies the unattended installation command. However, .zap files can only be deployed using the “publish” option (assign versus publish will be discussed on the next slide). So applications deployed with the .zap files can only appear in the Programs And Features applet in Control Panel. Furthermore, installing applications from .zap files requires that users are local administrators on their computers. Therefore .zap files are very rarely used in the real world.Point out that SCCM and other deployment tools can deploy applications and configuration using a much wider variety of package types. Commercial software deployment tools also provide reporting and feedback mechanisms that support software metering, auditing, and license management.However, even organizations with tools like SCCM might use GPSI for certain scenarios—they can each serve a role in a software deployment infrastructure.
  12. Talk through the differences between assigning an application to users, publishing an application to users, or assigning an application to computers. After presenting the “facts”, ask students to discuss different scenarios that would be best supported by each option. Be sure in the discussion that the following points are raised:Assigning applications to users can be a bit dangerous, because the applications will follow users to every computer to which they log on. For example, if you were to assign Microsoft Visio® to users, and users were to log on to conference room computers, Visio would end up installed on the conference room computers, which may not be desirable.Most software is licensed per computer, not per user. For this, and the previous reason, it is generally a best practice to deploy software using the assigned-to-computer option.Organizations often want to limit the applications that users install. And often, it is challenging to help users find an application that meets a need that they have. One great feature of the “publish” option is the fact that applications can be categorized. When you go to install applications from Programs And Features in Control Panel, those categories are used to group the available applications. So, for example, if you needed a photo editor, you could go to Programs And Features and when you choose to install an application from the network, the published applications in the Photo Editor category would display each of the applications that the enterprise has approved for you to install to meet that need.Exam TipKnow the difference between assigning applications and publishing applications.
  13. In addition to explaining the settings in the GPO Status drop-down list, mention the performance benefits gained by specifically disabling nodes of GPOs that have no settings anyway. Ask students to consider what scenarios might lend themselves to disabling a GPO that has settings. Answers might include GPOs that configure strict lockdown in the case of a security incident or that configure disaster recovery settings; in other words, those that are disabled until needed.
  14. Exam Tip: The 70-640 exam is likely to include several questions that test your knowledge of Group Policy scope. Sometimes, questions that seem to be addressing the technical details of a policy setting are, in fact, testing your ability to scope the setting to appropriate systems. When you encounter Group Policy questions, ask yourself, “Is this really about a specific policy setting, or is it about the scope of that setting?”
  15. Use this slide to reinforce the fundamentals of Group Policy processing, and to ensure that all students are on the same page.
  16. Discuss the issues associated with slow links and disconnected systems. Make sure that students understand that, when a computer is disconnected, the settings that were previously applied will continue to take effect. There are several exceptions to this rule, most notably that startup, logon, logoff, and shutdown scripts do not run when the system is disconnected.
  17. Use this slide to wrap up all of the detail regarding when Windows settings actually take effect. This should answer the question, “When I change a policy setting, when will that setting actually be applied to a user or computer?” The Student Manual contains a lot of good information that will allow you to step through the slide and to answer questions from students. Replication technologies, including the Directory Replication Agent, FRS, and DFS-R, are discussed in a later module. Don't go into detail about the replication technologies themselves, but rather point out that both the GPC and GPT must replicate to the domain controller from which a client is obtaining its policies, and that the GPC and GPT use two different replication technologies that are not always in sync. Other points to make: It is highly recommended that organizations implement the Always Wait For Network At Startup And Logon policy setting. Without that, a change to a policy setting may take several logoff/logon or restart cycles before it takes effect, and there's no good way to predict the exact timing. In order to truly manage the application of new policy settings, enable Always Wait For Network At Startup And Logon. Make sure that students understand that this does not significantly slow down either the startup or logon process. It's not as if users will complain that it is noticeably slower. Also make sure that students understand that when a system is not connected to the network, it ignores this setting, so this setting is not a problem for disconnected laptop users. Most policy settings, particularly managed policy settings, cannot be changed by the user. However, if users are administrators of their machines, it is possible for them to change some settings. Those changes will never be reverted to match the settings specified by the GPOs, because most CSEs will only reapply policy settings when a GPO has changed. The exceptions to this rule are security settings, which are reapplied every 16 hours whether or not the GPO has changed. If an enterprise is concerned about enforcing its policy settings, and if it is possible for users to change those settings, then you should configure the CSEs to reapply policy settings even if the GPO has not changed. The policy processing behavior of each CSE can be configured with Group Policy in the path shown at the bottom of the slide.
  18. Transition by asking students if the following seems complicated: A GPO can contain multiple settings. Multiple GPOs may apply to a user or computer, scoped using a variety of mechanisms. Those GPOs may contain conflicting settings. Ask: How can you figure out who wins and what policies were applied? Provide a very brief introduction to the concept and term Resultant Set of Policy (RSoP). This is mainly presented in the introductory module because newer students tend to begin to wonder how they will possibly be able to manage and evaluate Group Policy settings, so we proactively answer that question here. RSoP is discussed in Lesson 6.
  19. Use this slide to introduce the term and the concepts and tools of RSoP. Remind students how complex it can become to evaluate a resultant set of policy, with factors including inheritance, filters, loopback, the interaction between GPOs in CSEs, and the mind-boggling number of policy settings. Help students understand that resultant set of policy is both a descriptor, meaning "the end result" of policy application, and the name of a collection of tools and processes.
  20. Talk in detail about RSoP reports, preferably supporting with demonstrations. Ensure that students understand how to generate, interpret, and save RSoP reports created by the Group Policy Results Wizard in the GPME console or by the GPResult command. Emphasize the critical importance of RSoP reports in analyzing and troubleshooting Group Policy application in an enterprise.
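
The enforcement settings recommended in note 17 can be checked on a client with a short PowerShell audit. This is an added example, not part of the original deck; the registry paths, value names and client-side extension GUIDs do not appear on the slides and are assumptions based on where these policy settings are commonly documented to be stored.

```powershell
# Added example: audit the note 17 settings on the local computer.
# Assumption: registry paths, value names and CSE GUIDs are the commonly
# documented ones for these policies; they do not appear in the deck.
$gpRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Client-side extensions (CSEs) to check: GUID -> friendly name.
$cses = @{
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry policy processing'
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security policy processing'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [bool]$Enforced)
    $shown = if ($null -eq $Value) { 'not configured' } else { $Value }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $shown; Enforced = $Enforced }
}

$findings = @()

# "Always wait for the network at computer startup and logon" is stored
# as SyncForegroundPolicy = 1 when the policy is enabled.
$sync = Get-PolicyValue -Path $winlogon -Name 'SyncForegroundPolicy'
$findings += New-Finding 'Always Wait For Network At Startup And Logon' $sync ($sync -eq 1)

# "Process even if the Group Policy objects have not changed" writes
# NoGPOListChanges = 0 under the key named after the CSE's GUID.
foreach ($guid in $cses.Keys) {
    $value = Get-PolicyValue -Path "$gpRoot\$guid" -Name 'NoGPOListChanges'
    $findings += New-Finding "$($cses[$guid]): reapply when GPO unchanged" $value ($value -eq 0)
}

$findings | Select-Object Setting, Value, Enforced | Format-Table -AutoSize
```

Run it after a GPUpdate on a client that is in scope of the GPO; a row showing "not configured" means the setting has not reached that computer.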