Overview
Introduction to Group Policy
Group Policy Enables You to:
Set centralized and decentralized policies
Ensure users have their required environments
Lower total cost of ownership by controlling user and computer environments
Enforce corporate policies
Group Policy Structure
Types of Group Policy Settings
Administrative Templates | Registry-based Group Policy settings
Security | Settings for local, domain, and network security
Software Installation | Settings for central management of software installation
Scripts | Startup, shutdown, logon, and logoff scripts
Remote Installation Services | Settings that control the options available to users when running the Client Installation wizard used by RIS
Internet Explorer Maintenance | Settings to administer and customize Microsoft Internet Explorer on Windows 2012–based computers
Folder Redirection | Settings for storing of users’ folders on a network server
Group Policy Objects
Group Policy Settings for Computers and Users
Group Policy Settings for Computers:
Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings
Apply when the operating system initializes and during the periodic refresh cycle
Group Policy Settings for Users:
Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts
Apply when users log on to the computer and during the periodic refresh cycle
Group Policy Objects and Active Directory Containers
GPO Settings Affect User and Computer Objects Within Sites, Domains, and OUs to Which a GPO Is Linked
You can link one GPO to multiple sites, domains, or OUs
You can link multiple GPOs to one site, domain, or OU
Working with Group Policy Objects
Creating Linked Group Policy Objects
To Apply Group Policy to a Container, Create a GPO Linked to the Container:
Create GPOs linked to domains and OUs by using Active Directory Users and Computers
Create GPOs linked to sites by using Active Directory Sites and Services
Creating Unlinked Group Policy Objects
Linking an Existing Group Policy Object
Specifying a Domain Controller for Managing Group Policy Objects
When You Create a New GPO or Edit an Existing GPO, by Default, the Domain Controller That Holds the PDC Emulator Role Performs the Operation
The Options Available to Specify a Domain Controller for Managing GPOs Include:
The one with the Operations Master token for the PDC emulator
The one used by the Active Directory snap-ins
Use any available domain controller
To Specify a Domain Controller for Managing Group Policy Objects:
Use the DC Options command on the View menu in the Group Policy snap-in
Enable a Group Policy setting that specifies which domain controller should be used
How Group Policy Settings Are Applied in Active Directory
Group Policy Inheritance
Windows 2012 Applies GPO Settings in a Specific Order
Child Containers Inherit GPO Settings from Parent Containers
How Group Policy Settings Are Processed
The GetGPOList Function Executes on the Client Computer During:
Computer startup to determine which GPOs contain computer configuration settings to be applied
User logon to determine which GPOs contain user configuration settings to be applied
Controlling the Processing of Group Policy
Synchronous and Asynchronous Processing
By default, the processing of Group Policy is synchronous
You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users
Refreshing Group Policy at Established Intervals of:
90 minutes for computers configured as domain controllers and running Windows 2012 Professional and for member servers running Windows 2012 Server
5 minutes for domain controllers
Processing Unchanged Group Policy Settings
You can configure each client-side extension to process all applicable Group Policy settings
Group Policy and Slow Network Connections (Links)
Group Policy Can Detect a Slow Link
Group Policy Uses an Algorithm to Determine Whether a Link Should Be Considered Slow
Group Policy Sets a Flag to Indicate a Slow Link to the Client-side Extensions
Resolving Conflicts Between Group Policy Settings
All Group Policy Settings Apply Unless There Are Conflicts
The Last Setting Processed Applies
When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
A Computer Setting Applies When It Conflicts with a User Setting
Class Discussion: How Group Policy Is Applied
GPO1 ensures that Favorites appears on the Start menu
GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon
GPO4 removes Favorites from the Start menu and adds the Windows Update icon
What are the resultant Group Policy settings for the OU?
Class Discussion: How Group Policy Is Applied 2
What are the resultant Group Policy settings for the OU?
A password must be at least 11 characters long
The Windows Update icon appears on the Start menu
Favorites does not appear on the Start menu
Enabling Block Inheritance
=> Stops inheritance of all GPOs from all parent containers
=> Cannot selectively choose which GPOs are blocked
=> Cannot stop No Override
Enabling No Override
=> Overrides Block Inheritance and GPO conflicts
=> Should be set high in the Active Directory tree
=> Is applicable to links and not to GPOs
=> Enforces corporate-wide rules
Filtering Group Policy Settings
=> Explicitly denying the Apply Group Policy permission
=> Omitting an explicit Apply Group Policy permission
Class Discussion: Changing Group Policy Inheritance
=> An anti-virus application must be installed on all computers in the domain
=> The Office suite must be installed on all computers in the domain, except for those in the Payroll department
=> An accounting application must be installed on all client computers in the Payroll department, except for the computers used by the Payroll OU administrators
=> How do you set up your GPOs?
=> A GPO linked to the domain with the anti-virus application settings configured and the link configured with No Override
=> A GPO linked to the domain that installs the Office suite
=> Enable Block Inheritance for the Payroll OU
=> A GPO linked to the Payroll OU to install the accounting application
=> Modify the DACL of the GPO linked to the Payroll OU to deny the Apply Group Policy permission for the computer accounts used by the Payroll OU administrators
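The class discussion above, worked through as an added example (not part of the original course material). It is a simplified model of how Block Inheritance, No Override and Apply Group Policy filtering decide which GPOs reach a computer; it ignores site links, and the class, function and account names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    deny_apply: frozenset = frozenset()  # accounts denied Apply Group Policy in the DACL

@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False            # a property of the link, not of the GPO

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # in GPO-list order, highest first
    block_inheritance: bool = False

def applied_gpos(path, computer):
    """path: containers from the domain down to the computer's OU.
    Returns GPO names in processing order; the last one processed wins conflicts."""
    # Block Inheritance hides normal links from every container above the blocker.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        for link in reversed(container.links):  # top of the GPO list goes last
            if computer in link.gpo.deny_apply:
                continue                         # filtered out by the GPO's DACL
            if link.no_override:
                enforced.append((-depth, link.gpo.name))
            elif depth >= start:
                normal.append(link.gpo.name)
    # No Override links ignore Block Inheritance and are processed last,
    # with the highest container's link last of all.
    enforced.sort(key=lambda e: e[0])
    return normal + [name for _, name in enforced]

# Constructed scenario mirroring the class discussion (account names are made up).
antivirus, office = Gpo("AntiVirus"), Gpo("Office")
accounting = Gpo("Accounting", frozenset({"PAYADMIN01$"}))
domain = Container("domain", [Link(antivirus, no_override=True), Link(office)])
payroll = Container("Payroll", [Link(accounting)], block_inheritance=True)
sales = Container("Sales")

if __name__ == "__main__":
    for path, pc in (([domain, payroll], "PAYPC01$"),
                     ([domain, payroll], "PAYADMIN01$"),
                     ([domain, sales], "SALESPC01$")):
        print(pc, applied_gpos(path, pc))
```

The Payroll admin computer still receives the anti-virus GPO: the deny entry sits on the accounting GPO only, and the No Override link passes through Block Inheritance.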
Delegating Administrative Control of Group Policy
Enable a User to Manage Group Policy Links for a Site, Domain, or OU by:
Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
Using the Delegation of Control wizard
Enable a User or Group to Create GPOs by:
Adding the user or group to the Group Policy Creator Owners group
Enable a User to Edit GPOs by:
Assigning the user read and write permissions to the GPO
Making the user a member of either Domain Admins, Enterprise Admins, or GPO Creator Owners groups
Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box
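Write access to gPLink and gPOptions lets the delegate unlink or disable a GPO, clear No Override, or turn on Block Inheritance, so these two attributes are worth comparing against a known-good baseline. The following added example (not from the original course material) parses the gPLink string format and reports such changes; the function names and the sample distinguished names are constructed, and the attribute values are assumed to have been read from the directory beforehand.

```python
import re

# gPLink is a run of "[LDAP://<GPO DN>;<options>]" entries.
# Option bit 0 = link disabled, bit 1 = No Override (enforced).
LINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)

def parse_gplink(value):
    """Return {gpo_dn (lower-cased): {"disabled": bool, "enforced": bool}}."""
    links = {}
    for m in LINK_RE.finditer(value or ""):
        opts = int(m.group("opts"))
        links[m.group("dn").lower()] = {"disabled": bool(opts & 1),
                                        "enforced": bool(opts & 2)}
    return links

def link_changes(baseline, current, gpoptions_before=0, gpoptions_after=0):
    """Compare two gPLink values (and gPOptions) for one container."""
    old, new = parse_gplink(baseline), parse_gplink(current)
    findings = []
    for dn, was in old.items():
        now = new.get(dn)
        if now is None:
            findings.append(("unlinked", dn))
            continue
        if now["disabled"] and not was["disabled"]:
            findings.append(("link-disabled", dn))
        if was["enforced"] and not now["enforced"]:
            findings.append(("no-override-removed", dn))
    findings += [("linked", dn) for dn in new if dn not in old]
    # gPOptions bit 0 set means Block Inheritance is enabled on the container.
    if gpoptions_after & 1 and not gpoptions_before & 1:
        findings.append(("block-inheritance-enabled", None))
    return findings

# Constructed sample values (GUIDs and domain are placeholders).
AV = "cn={AAAAAAAA-0000-0000-0000-000000000001},cn=policies,cn=system,DC=example,DC=com"
OFFICE = "cn={AAAAAAAA-0000-0000-0000-000000000002},cn=policies,cn=system,DC=example,DC=com"
BASELINE = f"[LDAP://{AV};2][LDAP://{OFFICE};0]"
CURRENT = f"[LDAP://{AV};0][LDAP://{OFFICE};1]"

if __name__ == "__main__":
    for finding in link_changes(BASELINE, CURRENT, 0, 1):
        print(finding)
```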
Monitoring and Troubleshooting Group Policy
Monitoring Group Policy
Enabling Diagnostic Logging to the Event Log
Causes Group Policy to generate detailed events in the Event Log
Enabling Verbose Logging
Tracks all changes and settings applied to the local computer and the users who log on to the computer
Involves the addition of the registry keys for verbose logging
Group Policy Troubleshooting Tools
Windows 2012 Support Tools for Group Policy Troubleshooting:
Netdiag.exe
Replmon.exe
Windows 2012 Resource Kit Tools for Group Policy Troubleshooting:
Gpotool.exe
Gpresult.exe
Troubleshooting Group Policy
Cannot Access or Open the Group Policy Object
Group Policy Settings Not Taking Effect as Expected
Best Practices
Limit the Use of Blocking, No Override, and Filtering of GPOs