Designing Group Policy

- Planning Deployment of Group Policy
- Troubleshooting Group Policy

Planning Deployment of Group Policy

- Group Policy overview
- Planning Group Policy inheritance
- Filtering Group Policy by using security groups

Group Policy Overview

- Group Policy allows centralized control of user and computer configuration settings.
- Group Policy uses Active Directory to centralize management and standardize security settings.
- Use the Block Policy Inheritance attribute or the No Override attribute to modify the default inheritance model.

Planning Group Policy Inheritance

- Inheritance simplifies Group Policy administration by allowing widespread policy settings to be applied only at higher-level organizational units (OUs).
- Group Policy can be applied at different levels within Active Directory by defining Group Policy objects (GPOs) that are linked to sites, domains, or OUs.
- The Group Policy is applied to all computer or user objects within the container where the Group Policy object is defined.
- Effective permissions are based on the inheritance model.
- The settings applied to an OU typically take precedence.

Group Policy Application Order

Assessing Group Policy Application

Security requirements must be met without significantly affecting logon performance. Use the following design strategies:

- Disable unused portions of Group Policy.
- Minimize the levels at which Group Policy is applied.
- Avoid cross-domain Group Policy object assignments.

No Override and Block Policy Inheritance

Making the Decision: Designing Group Policy

- Simplify the troubleshooting of Group Policy.
- Minimize the time spent processing Group Policy during logon.
- Prevent blocking of key Group Policy settings.
- Prevent users from changing configuration by applying Local Group Policies.
- Apply central Group Policy that will affect all users.
- Apply specific Group Policy to a limited number of computers or users.

OU Structure for the Engineering Domain

OU Structure for the Wide World Importers Domain

Filtering Group Policy by Using Security Groups

- Group Policy is not applied to security groups.
- Group Policy is based on the location of objects within the Active Directory hierarchy.
- By default, Group Policies apply to all users and computers within a site, domain, or OU.
- Use security groups to filter Group Policy application so that it applies only to specific users and groups within a given object.
- When defining a Group Policy object, define which security groups will be able to Read and Apply Group Policy in the Group Policy object's Security tab.

Making the Decision: Designing Group Policy Filtering Strategies

- Ensure that a Group Policy is applied to a security group.
- Prevent an OU administrator from blocking inheritance.
- Prevent application of a Group Policy object to a specific group of users or computers.

Applying the Decision: Group Policy Filtering at Wide World Importers

- Create two custom domain local groups named FullTimeGP and ContingentGP.
- Create two custom global groups named FullTimeEmployees and ContingentStaff that contain all full-time staff and all contingent staff.
- Configure the security for the Office Group Policy so that only the FullTimeGP domain local group has Read and Apply Group Policy permissions.
- The network administrators could also configure the Office Group Policy to have the No Override attribute.

Troubleshooting Group Policy

Assessing Group Policy Troubleshooting

- Inspect the Active Directory hierarchy.
- Inspect applied Group Policies by using the Gpresult utility.

Gpresult Utility

    Gpresult [/V] [/S] [/C | /U] [/?]

- /V runs Gpresult in verbose mode.
- /S runs Gpresult in super verbose mode.
- /C only displays the Group Policy objects applied to the computer.
- /U only displays the Group Policy objects applied to the user.

Making the Decision: Troubleshooting Group Policy Application

- Determine all possible locations where Group Policy objects might be defined.
- Determine whether the Group Policy that was applied is a user or computer configuration setting.
- Determine why a higher-level Group Policy is not applied.
- Determine why a lower-level Group Policy is not applied.
- Determine why a Group Policy does not apply to all computers or users within a site, domain, or OU.

Applying the Decision: Troubleshooting Group Policy Application at Wide World Importers

- Verify the location of Don's user account in Active Directory.
- Determine where Group Policies might exist that could affect Don's user account for application of Group Policy.
- Run Gpresult to determine all user Group Policies that were applied to Don's user account at logon.
- Determine if filtering is affecting the Group Policy application.

Chapter Summary

- Designing Group Policy
  - Group Policy overview
  - Planning Group Policy inheritance
  - Filtering Group Policy by using security groups
- Assessing Group Policy troubleshooting
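
The troubleshooting questions above (why a higher-level or lower-level Group Policy is not applied, and whether filtering is the cause) can be answered on paper with a small model of the inheritance rules. The following Python sketch is an added example, not part of the original material: it is a simplified model that ignores local and site policy, and the container names, GPO names other than Office, and setting keys are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Gpo:
    name: str
    settings: dict
    apply_groups: set          # groups granted Read + Apply Group Policy
    no_override: bool = False  # No Override attribute set

@dataclass
class Container:
    name: str
    gpos: list
    block_inheritance: bool = False  # Block Policy Inheritance attribute set

def resolve(path, groups):
    """path: containers ordered from highest level down to the account's OU."""
    blocker = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    report, normal, enforced = [], [], []
    for depth, container in enumerate(path):
        for gpo in container.gpos:
            if not gpo.apply_groups & groups:
                report.append((gpo.name, "filtered by security group"))
            elif depth < blocker and not gpo.no_override:
                report.append((gpo.name, "blocked at " + path[blocker].name))
            else:
                report.append((gpo.name, "applied"))
                (enforced if gpo.no_override else normal).append(gpo)
    effective = {}
    for gpo in normal:              # lower-level GPOs are processed later and win
        effective.update(gpo.settings)
    for gpo in reversed(enforced):  # No Override: the highest-level GPO wins
        effective.update(gpo.settings)
    return report, effective

# Constructed sample hierarchy (hypothetical names except Office and the *GP groups)
EVERYONE = "Authenticated Users"
PATH = [
    Container("Domain", [
        Gpo("Domain Security", {"min_password_length": 8}, {EVERYONE}, no_override=True),
        Gpo("Domain Desktop", {"wallpaper": "corporate"}, {EVERYONE}),
    ]),
    Container("Staff OU", [
        Gpo("Office", {"office_deployed": True}, {"FullTimeGP"}),
        Gpo("OU Baseline", {"min_password_length": 4, "wallpaper": "staff"}, {EVERYONE}),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for name, status in resolve(PATH, {EVERYONE, "ContingentGP"})[0]:
        print(f"{name:16} {status}")
```

Pass the account's fully expanded group membership as `groups`; comparing the per-GPO status list with Gpresult output shows whether a missing policy was blocked, filtered, or overridden.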