Chapter 7 PowerPoint

Designing Group Policy


Planning Deployment of Group Policy
Troubleshooting Group Policy
Planning Deployment of Group Policy



Group Policy overview
Planning Group Policy inheritance
Filtering Group Policy by using security groups
Group Policy Overview



Group Policy allows centralized control of user and
computer configuration settings.
Group Policy uses Active Directory to centralize
management and standardize security settings.
Use the Block Policy Inheritance attribute or the No
Override attribute to modify the default inheritance
model.
Planning Group Policy Inheritance





Inheritance simplifies Group Policy administration by
allowing widespread policy settings to be applied only at
higher-level organizational units (OUs).
Group Policy can be applied at different levels within
Active Directory by defining Group Policy objects
(GPOs) that are linked to sites, domains, or OUs.
The Group Policy is applied to all computer or user
objects within the container where the Group Policy
object is defined.
Effective permissions are based on the inheritance
model.
The settings applied to an OU typically take
precedence.
Group Policy Application Order
Assessing Group Policy Application


Security requirements must be met without
significantly affecting logon performance.
Use the following design strategies:



Disable unused portions of Group Policy.
Minimize the levels at which Group Policy is applied.
Avoid cross-domain Group Policy object assignments.
No Override and Block Policy Inheritance
Making the Decision: Designing Group
Policy






Simplify the troubleshooting of Group Policy.
Minimize the time spent processing Group Policy
during logon.
Prevent blocking of key Group Policy settings.
Prevent users from changing configuration by
applying Local Group Policies.
Apply central Group Policy that will affect all users.
Apply specific Group Policy to a limited number of
computers or users.
OU Structure for the Engineering Domain
OU Structure for the Wide World
Importers Domain
Filtering Group Policy by Using Security
Groups





Group Policy is not applied to security groups.
Group Policy is based on the location of objects
within the Active Directory hierarchy.
By default, Group Policies apply to all users and
computers within a site, domain, or OU.
Use security groups to filter Group Policy application
so that it applies only to specific users and groups
within a given object.
When defining a Group Policy object, define which
security groups will be able to Read and Apply Group
Policy in the Group Policy object’s Security tab.
Making the Decision: Designing Group
Policy Filtering Strategies



Ensure that a Group Policy is applied to a security
group.
Prevent an OU administrator from blocking
inheritance.
Prevent application of a Group Policy object to a
specific group of users or computers.
Applying the Decision: Group Policy
Filtering at Wide World Importers




Create two custom domain local groups named
FullTimeGP and ContingentGP.
Create two custom global groups named
FullTimeEmployees and ContingentStaff that contain
all full-time staff and all contingent staff.
Configure the security for the Office Group Policy so
that only the FullTimeGP domain local group has
Read and Apply Group Policy permissions.
The network administrators could also configure the
Office Group Policy to have the No Override attribute.
Troubleshooting Group Policy

Assessing Group Policy Troubleshooting


Inspect the Active Directory hierarchy.
Inspect applied Group Policies by using the Gpresult
utility.
Gpresult Utility

Gpresult [/V] [/S] [/C | /U] [/?]




/V runs Gpresult in verbose mode.
/S runs Gpresult in super verbose mode.
/C only displays the Group Policy objects applied to the
computer.
/U only displays the Group Policy objects applied to the user.
Making the Decision: Troubleshooting
Group Policy Application





Determine all possible locations where Group Policy
objects might be defined.
Determine whether the Group Policy that was applied
is a user or computer configuration setting.
Determine why a higher-level Group Policy is not
applied.
Determine why a lower-level Group Policy is not
applied.
Determine why a Group Policy does not apply to all
computers or users within a site, domain, or OU.
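
The inheritance, No Override, Block Policy Inheritance and security-group filtering rules covered above, combined into a small model for answering these questions (an added example, not part of the original slides or of any Microsoft tool). Local Group Policy and site links are left out; the GPO names "Domain Baseline" and "OU Desktop" and the OU name "Staff" are hypothetical, while FullTimeGP, ContingentGP and the Office Group Policy follow the Wide World Importers filtering decision.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False  # "No Override" attribute on this link
    # Groups holding Read and Apply Group Policy on the GPO's Security tab
    apply_groups: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False  # "Block Policy Inheritance" attribute

def effective_gpos(path, member_of):
    """path: containers from the top (site or domain) down to the object's OU.
    Returns (applied, skipped); applied is in processing order, last one wins."""
    groups = set(member_of) | {"Authenticated Users"}
    # Inheritance is cut at the lowest container that blocks it.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced, skipped = [], [], {}
    for depth, c in enumerate(path):
        forced_here = []
        for link in c.links:
            if not groups & link.apply_groups:
                skipped[link.gpo] = "filtered: no Read and Apply Group Policy"
            elif link.no_override:
                forced_here.append(link.gpo)  # survives Block Policy Inheritance
            elif depth < start:
                skipped[link.gpo] = f"blocked at {path[start].name}"
            else:
                normal.append(link.gpo)
        # No Override links from higher containers are processed later, so they win.
        enforced = forced_here + enforced
    return normal + enforced, skipped

# Constructed sample data. "Domain Baseline", "OU Desktop" and the OU name
# "Staff" are hypothetical; the group names and Office Group Policy are the page's.
DOMAIN = Container("Domain", [
    Link("Domain Baseline"),
    Link("Office Group Policy", no_override=True, apply_groups=frozenset({"FullTimeGP"})),
])
STAFF = Container("Staff", [Link("OU Desktop")], block_inheritance=True)

if __name__ == "__main__":
    for label, groups in [("full-time", {"FullTimeEmployees", "FullTimeGP"}),
                          ("contingent", {"ContingentStaff", "ContingentGP"})]:
        applied, skipped = effective_gpos([DOMAIN, STAFF], groups)
        print(label, "applied:", applied, "skipped:", skipped)
```

The skipped dictionary gives the reason a GPO is missing from a Gpresult listing: a higher-level GPO stopped by Block Policy Inheritance, or a GPO filtered out because the account is in no group with Read and Apply Group Policy.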
Applying the Decision: Troubleshooting
Group Policy Application at Wide World
Importers




Verify the location of Don’s user account in Active
Directory.
Determine where Group Policies might exist that
could affect Don's user account for application of
Group Policy.
Run Gpresult to determine all user Group Policies that
were applied to Don's user account at logon.
Determine if filtering is affecting the Group Policy
application.
Chapter Summary
Designing Group Policy




Group Policy overview
Planning Group Policy inheritance
Filtering Group Policy by using security groups
Assessing Group Policy troubleshooting