Chapter09 Implementing And Using Group Policy


  1. Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy
  2. Objectives
      • Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
      • Manage and troubleshoot Group Policy inheritance
      • Deploy and manage software using Group Policy
  3. Introduction to Group Policy
      • Group policy centralizes management of user and computer configuration settings throughout a network
      • A group policy object is an Active Directory object used to configure policy settings for user and computer objects
      • There are two default Group Policy Objects:
          • Default Domain Policy (linked to domain container)
          • Default Domain Controllers Policy (linked to domain controller OU)
  4. Introduction to Group Policy (continued)
      • You can modify default GPOs
      • You can create new GPOs and link them to particular sites, domains, and OUs
          • Policy settings will be propagated to all users and computers in container including child OUs
      • Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP
  5. Creating a Group Policy Object
      • Two ways to create a GPO:
          • Group Policy standalone Microsoft Management Console (MMC) snap-in
          • Group Policy extension in Active Directory Users and Computers
  6. Activity 9-1: Creating a Group Policy Object Using the MMC
      • Objective: To create a GPO using the Group Policy Object Editor MMC snap-in
          • Locate the MMC Group Policy Object Editor snap-in
          • Create a new GPO
  7. Activity 9-1 (continued)
  8. Activity 9-2: Creating OUs and Moving User Accounts
      • Objective: To create new Organizational Units and move existing user accounts into them.
          • Must be familiar with using OUs for controlling the application of Group Policy settings
      • Create new OUs using Active Directory Users and Computers
      • Move users into the new OUs
  9. Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers
      • Objective: Create a GPO using Active Directory Users and Computers as an alternative to MMC snap-in
          • From Active Directory Users and Computers, use the Group Policy tab of the Properties of an existing OU to add and create GPOs
          • Browse configuration settings of a Group Policy Object
  10. Editing a GPO
  11. Editing a GPO (continued)
      • Table 9-1 shows configuration categories for both computer and user configurations
      • Two tabs in Properties of each setting:
          • Setting allows you to enable or disable the setting
          • Explain provides information about the setting
      • GPO content is stored in 2 locations:
          • Group Policy container (GPC)
          • Group Policy template (GPT)
      • A GPO is identified by a 128-bit globally unique identifier (GUID)
  12. Activity 9-4: Deleting Group Policy Objects
      • Objective: To delete a GPO using Active Directory Users and Computers
      • A previously created GPO is deleted from an OU
  13. Application of Group Policy
      • Two main categories to a Group Policy
          • Computer configuration (settings apply to computers in the container)
          • User configuration (settings apply to users in the container)
      • Upon computer startup (or user logon)
          • Computer queries domain controller for GPOs. Domain controller finds applicable GPOs.
          • Domain controller presents list of GPOs. The client gets Group Policy templates, applies the settings and runs the scripts.
          • Same basic process happens for user logons
  14. Controlling User Desktop Settings
      • Administrative templates
          • Used to limit user manipulation of user desktop and computer configurations
          • Aim is to reduce administrative costs
          • Seven main categories of configuration settings can be applied to either computer or user section of a GPO
  15. Controlling User Desktop Settings (continued)
  16. Activity 9-5: Configuring Group Policy Object User Desktop Settings
      • Objective: To configure and test the application of Group Policy settings
      • Use Active Directory Users and Computers to access the desired configuration settings
      • Configure settings using the Group Policy Object Editor
      • Verify that the configured settings have the expected results
  17. Managing Security Settings with Group Policy
      • Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects
      • Other nodes in Security Settings category can be applied at both domain and OU levels
          • Local Policies
              • Audit Policy
              • User Rights Assignment
              • Security Options
  18. Managing Security Settings with Group Policy (continued)
          • Event Log
          • Restricted Groups
          • System Services
          • Registry
          • File System
          • Wireless Network Policies
          • Public Key Policies
          • Software Restriction Policies
          • IP Security Policies on Active Directory
  19. Activity 9-6: Configuring Group Policy Object Security Settings
      • Objective: Use Group Policy settings to configure a logon banner for domain users
      • Use Active Directory Users and Computers to access the Default Domain Policy GPO
      • Create a logon banner
      • Verify that the banner appears
  20. Activity 9-7: Configuring File System Security Using Group Policy Settings
      • Objective: Use Group Policy settings to configure security permissions
      • Create a folder
      • Use Active Directory Users and Computers to configure the permissions on the folders
      • Update Group Policy settings on the server
      • Verify that the permissions are explicitly defined
  21. Assigning Scripts
      • Windows Server 2003 can run scripts during:
          • User logon or logoff
              • User section of GPO
          • Computer startup and shutdown
              • Computer section of GPO
      • Default is for scripts to run synchronously from top to bottom
      • Can specify script time-outs, asynchronous execution, and hiding of scripts
  22. Activity 9-8: Assigning Logon Scripts to Users Using Group Policy
      • Objective: Use GPOs to assign logon scripts to domain users
      • Create a script file
      • Add the script to the logon policies of a particular group using Active Directory Users and Computers
      • Verify that the script runs for members of the group and not for other users
  23. Redirecting Folders
      • Allows you to redirect the contents of a user’s profile to a network location
      • Profile contents that can be redirected are application data, desktop, My Documents, Start menu
      • Redirection is useful because it:
          • Aids in backup
          • Reduces logon time
          • Allows creation of a standard desktop for multiple users
  24. Redirecting Folders (continued)
  25. Managing Group Policy Inheritance
      • Specific order for GPO application:
          • Local computer → Site → Domain → Parent OU → Child OU
      • By default, all GPO settings are inherited
      • At each level, there can be multiple GPOs
          • Policies are applied in the order that they appear on the Group Policy tab for each container, bottom GPO first
      • Applying a large number of GPOs can affect startup and logon performance
  26. Managing Group Policy Inheritance (continued)
      • Conflicts are resolved according to a set formula
      • Policies are updated automatically at intervals and can be updated manually
      • Policies can be linked to a site, domain, or specific OU containers
      • Multiple Group Policies can be assigned to a single container
      • A single Group Policy can be linked to multiple containers
  27. Activity 9-9: Linking a Group Policy Object to Multiple Containers
      • Objective: Link a single GPO to multiple containers
      • Using Active Directory Users and Computers, create and configure a new GPO in one OU
      • Add the GPO to another OU
  28. Configuring Block Policy Inheritance, No Override, and Filtering
      • These options allow default behavior to be changed for specific containers
          • Can change default inheritance policy
          • Can change default conflict resolution
          • Can change permissions for a specific member within a group to deny GPO application for that member
  29. Blocking Group Policy Inheritance
      • To change default inheritance, use the Block Policy inheritance check box on the Group Policy tab for a child container
          • Child will not inherit parent’s policies
          • Useful if one OU needs to be managed separately
  30. Configuring No Override
      • If a policy is configured with No Override
          • It will be enforced despite conflicts in lower-level policies
          • It will be enforced on lower-level containers with Block Policy inheritance set
  31. Filtering Using Permissions
      • Prevents policy settings from applying to a particular user, group, or computer within a container
      • To filter a GPO from a particular container member, deny Read and Apply Group Policy permissions for the member account only
  32. Activity 9-10: Configuring Group Policy Object Inheritance Settings
      • Objective: Explore and configure Group Policy inheritance settings
      • Configure the Default Domain Policy GPO using Active Directory Users and Computers
      • Override the Default Domain Policy configuration at the OU level and verify the override
      • Configure No Override option at the domain level
      • Verify No Override option
  33. Activity 9-11: Filtering Group Policy Objects Using Security Permissions
      • Objective: Use security permissions to filter and control the application of Group Policy settings
      • Using Active Directory Users and Computers, add a user account to a group but deny the group’s GPO permissions
      • Verify that the added user account is not configured with the group’s GPO
  34. Troubleshooting Group Policy Settings
      • Potential trouble areas:
          • Order of Group Policy processing
          • Improper use of No Override or Block Policy inheritance settings
          • Read and Apply Group Policy permissions
      • Utilities that show effective Group Policy settings
          • GPRESULT
              • Command-line utility
          • Resultant Set of Policy (RSoP)
              • Graphical utility
  35. Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool
      • Objective: Use RSoP to determine effective Group Policy settings
      • Use Active Directory Users and Computers to configure the Default Domain Policy
      • Open a new MMC with the Resultant Set of Policy snap-in
      • Use RSoP to Generate RSoP Data
  36. Activity 9-12 (continued)
  37. Deploying Software Using Group Policy
      • Applications that can be deployed using Group Policy include:
          • Business applications (e.g., Microsoft Office)
          • Anti-virus software
          • Software updates (e.g., service packs)
      • Four phases of software rollout
          • Software preparation
          • Deployment
          • Software maintenance
          • Software removal
  38. Software Preparation
      • Microsoft Windows installer package (MSI)
          • MSI file contains all of the information needed to install an application in a variety of configurations
          • Software vendors include preconfigured MSI packages
          • For older applications, can create MSI packages using 3rd party utilities (e.g., VERITAS)
      • To install, place MSI file in a shared folder and configure Group Policy to access for installation
  39. Software Preparation (continued)
      • If application doesn’t have an MSI package can use ZAP file
          • Text file used by Group Policy to deploy an application
          • Can only be published and not assigned
          • Is not resilient
          • Requires user intervention and proper permissions
  40. Deployment
      • Two ways to deploy an application
          • Assigning applications
          • Publishing applications
  41. Assigning Applications
      • When a policy is created to assign an application
          • Any user who the policy applies to has a shortcut on the Start menu
              • Application is installed when user clicks shortcut the first time or opens it with an associated document
          • If policy configured in computer section, application is installed next time the computer is started
          • Applications are resilient (if files are corrupted, will reinstall itself)
  42. Publishing Applications
      • When a policy is created to publish an application
          • Not advertised in Start menu
          • Installed using the Add/Remove Programs applet or by opening an associated document
          • Only published to users and not computers
  43. Configuring the Deployment
      • Create or edit a GPO and specify deployment options
      • Assign or publish application to computers or users to install at the appropriate time
  44. Activity 9-13: Publishing an Application to Users Using Group Policy
      • Objective: Publish an application using Group Policy settings
      • Create a shared folder and copy files into it
      • Create a GPO to publish the msi software files in the folder
      • Login as a member of the group using the GPO and install the software
  45. Activity 9-14: Assigning an Application to Users Using Group Policy
      • Objective: To assign an application using Group Policy settings
      • Create and configure a new GPO to assign software installation to the users in an OU
      • Log on as a user in the OU
      • Verify that the software installs and executes as expected
  46. Software Maintenance
      • Software must be maintained with patches and updates
      • Deployment of patches and updates can be:
          • Mandatory upgrade
          • Optional upgrade
          • Redeployment of an application
  47. Software Removal
      • Application must have been originally installed using a Windows installer package
      • Removal can be:
          • Forced removal
          • Optional removal
      • Forced removal uninstalls application and prevents it from being reinstalled
      • Optional removal does not uninstall application but does prevent it from being reinstalled once removed
  48. Summary
      • A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects
      • Two default GPOs created when Active Directory is installed:
          • Default Domain Policy
          • Default Domain Controllers Policy
      • Two mechanisms for creating GPOs
          • Microsoft Management Console Group Policy snap-in
          • Group Policy extension in Active Directory Users and Computers
  49. Summary
      • GPOs can be used:
          • to control user desktop settings and security settings
          • to apply scripts on user logon and logoff and computer startup and shutdown
          • for folder redirection
      • GPOs are applied in a specific order
      • GPOs are inherited by default
          • Can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using user permissions
          • Use GPRESULT or Resultant Set of Policy tool to view effective Group Policy settings
  50. Summary
      • GPOs are useful in deploying and maintaining software applications
      • GPOs are used for four main phases of software rollout: preparation, deployment, maintenance, removal
      • For deployment, Group Policy uses an MSI file containing information needed to install in a variety of configurations
      • Deployed applications can be either assigned or published
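
The inheritance rules from slides 25 to 31 (application order, bottom GPO first, Block Policy inheritance, No Override, and filtering by permissions) can be modelled in a few lines. This is an added example, not part of the original slides and not Microsoft code. The class names, the sample hierarchy and its settings are constructed, the local computer policy is left out, and the tie-break between several No Override GPOs (the highest-level link wins) goes beyond what the slides state.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False                  # "No Override" set for this GPO
    denied: set = field(default_factory=set)   # denied Read + Apply Group Policy

@dataclass
class Container:
    name: str
    gpos: list                                 # order on the Group Policy tab, top first
    block_inheritance: bool = False            # "Block Policy inheritance" check box

def effective_policy(chain, principals):
    """Resolve the settings an account ends up with.

    chain      -- containers from the highest level (site) down to the account's OU
    principals -- the account name plus the groups it belongs to
    Returns {setting: (value, name of the GPO that supplied it)}.
    """
    # Ordinary GPOs linked above the lowest blocking container are not inherited.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced_layers = [], []
    for depth, container in enumerate(chain):
        layer = []
        for gpo in reversed(container.gpos):   # bottom GPO is applied first
            if gpo.denied & principals:
                continue                       # filtered out by permissions
            if gpo.no_override:
                layer.append(gpo)              # not stopped by Block Policy inheritance
            elif depth >= first_kept:
                normal.append(gpo)
        enforced_layers.append(layer)
    # Later writes win. No Override GPOs are written last; when several exist,
    # the one linked highest in the hierarchy is written last of all.
    ordered = normal + [g for layer in reversed(enforced_layers) for g in layer]
    result = {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample hierarchy (all names and settings are made up).
CHAIN = [
    Container("Site", [GPO("Site Proxy", {"proxy": "proxy.example.test"})]),
    Container("Domain", [
        GPO("Default Domain Policy", {"logon_banner": "Authorized use only"},
            no_override=True),
        GPO("Domain Desktop", {"wallpaper": "corp.bmp", "hide_run": False}),
    ]),
    Container("Sales OU", [
        GPO("Sales Lockdown", {"hide_run": True, "logon_banner": "Sales only"},
            denied={"SalesAdmins"}),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for who in ({"alice", "Sales Users"}, {"bob", "SalesAdmins"}):
        print(sorted(who), effective_policy(CHAIN, who))
```

In the sample, the blocked OU still receives the domain logon banner because that GPO is set to No Override, while the member of the denied group receives none of the OU lockdown settings, which is the kind of exemption worth reviewing when auditing GPO permissions.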
