70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 9: Implementing and Using Group Policy

Objectives
• Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
• Manage and troubleshoot Group Policy inheritance
• Deploy and manage software using Group Policy

Guide to MCSE 70-290, Enhanced

Introduction to Group Policy
• Group Policy centralizes management of user and computer configuration settings throughout a network
• A Group Policy object (GPO) is an Active Directory object used to configure policy settings for user and computer objects
• There are two default Group Policy objects:
  • Default Domain Policy (linked to the domain container)
  • Default Domain Controllers Policy (linked to the Domain Controllers OU)

Introduction to Group Policy (continued)
• You can modify the default GPOs
• You can create new GPOs and link them to particular sites, domains, and OUs
• Policy settings are propagated to all users and computers in the container, including child OUs
• Group Policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP

Creating a Group Policy Object
• Two ways to create a GPO:
  • Group Policy stand-alone Microsoft Management Console (MMC) snap-in
  • Group Policy extension in Active Directory Users and Computers

Activity 9-1: Creating a Group Policy Object Using the MMC
• Objective: To create a GPO using the Group Policy Object Editor MMC snap-in
• Locate the MMC Group Policy Object Editor snap-in
• Create a new GPO

Activity 9-2: Creating OUs and Moving User Accounts
• Objective: To create new organizational units and move existing user accounts into them
• Must be familiar with using OUs to control the application of Group Policy settings
• Create new OUs using Active Directory Users and Computers
• Move users into the new OUs

Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers
• Objective: Create a GPO using Active Directory Users and Computers as an alternative to the MMC snap-in
• From Active Directory Users and Computers, use the Group Policy tab of the Properties of an existing OU to add and create GPOs
• Browse the configuration settings of a Group Policy object

Editing a GPO

Editing a GPO (continued)
• Table 9-1 shows the configuration categories for both computer and user configurations
• Two tabs in the Properties of each setting:
  • Setting allows you to enable or disable the setting
  • Explain provides information about the setting
• GPO content is stored in two locations:
  • Group Policy container (GPC)
  • Group Policy template (GPT)
• A GPO is identified by a 128-bit globally unique identifier (GUID)

Activity 9-4: Deleting Group Policy Objects
• Objective: To delete a GPO using Active Directory Users and Computers
• A previously created GPO is deleted from an OU

Application of Group Policy
• Two main categories in a Group Policy object:
  • Computer configuration (settings apply to computers in the container)
  • User configuration (settings apply to users in the container)
• Upon computer startup (or user logon):
  • The computer queries a domain controller for GPOs; the domain controller finds the applicable GPOs
  • The domain controller presents the list of GPOs; the client retrieves the Group Policy templates, applies the settings, and runs the scripts
• The same basic process happens for user logons

Controlling User Desktop Settings
• Administrative templates
  • Used to limit user manipulation of user desktop and computer configurations
  • Aim is to reduce administrative costs
• Seven main categories of configuration settings can be applied to either the computer or the user section of a GPO

Controlling User Desktop Settings (continued)

Activity 9-5: Configuring Group Policy Object User Desktop Settings
• Objective: To configure and test the application of Group Policy settings
• Use Active Directory Users and Computers to access the desired configuration settings
• Configure settings using the Group Policy Object Editor
• Verify that the configured settings have the expected results

Managing Security Settings with Group Policy
• Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects
• Other nodes in the Security Settings category can be applied at both domain and OU levels
• Local Policies:
  • Audit Policy
  • User Rights Assignment
  • Security Options

Managing Security Settings with Group Policy (continued)
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wireless Network Policies
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Active Directory

Activity 9-6: Configuring Group Policy Object Security Settings
• Objective: Use Group Policy settings to configure a logon banner for domain users
• Use Active Directory Users and Computers to access the Default Domain Policy GPO
• Create a logon banner
• Verify that the banner appears

Activity 9-7: Configuring File System Security Using Group Policy Settings
• Objective: Use Group Policy settings to configure security permissions
• Create a folder
• Use Active Directory Users and Computers to configure the permissions on the folder
• Update Group Policy settings on the server
• Verify that the permissions are explicitly defined

Assigning Scripts
• Windows Server 2003 can run scripts during:
  • User logon or logoff (user section of the GPO)
  • Computer startup and shutdown (computer section of the GPO)
• Default is for scripts to run synchronously from top to bottom
• Can specify script time-outs, asynchronous execution, and hiding of scripts

Activity 9-8: Assigning Logon Scripts to Users Using Group Policy
• Objective: Use GPOs to assign logon scripts to domain users
• Create a script file
• Add the script to the logon policies of a particular group using Active Directory Users and Computers
• Verify that the script runs for members of the group and not for other users

Redirecting Folders
• Allows you to redirect the following contents of a user's profile to a network location:
  • Application Data
  • Desktop
  • My Documents
  • Start Menu
• Redirection is useful because it:
  • Aids in backup
  • Reduces logon time
  • Allows creation of a standard desktop for multiple users

Redirecting Folders (continued)

Managing Group Policy Inheritance
• Specific order for GPO application:
  • Local computer → Site → Domain → Parent OU → Child OU
• By default, all GPO settings are inherited
• At each level, there can be multiple GPOs
• Policies are applied in the order that they appear on the Group Policy tab for each container, bottom GPO first
• Applying a large number of GPOs can affect startup and logon performance

Managing Group Policy Inheritance (continued)
• When multiple policies apply to a user or computer:
  • If there is no conflict, both policies are applied
  • If there is a conflict, the last policy applied overwrites previously applied policies
  • If a computer policy and a user policy conflict, computer policies usually override user policies
• Computer policies are updated automatically at set intervals
• Policies can be updated manually (GPUPDATE)
• Policies can be linked to a site, domain, or specific OU container
• Multiple Group Policies can be assigned to a single container
• A single Group Policy can be linked to multiple containers

Activity 9-9: Linking a Group Policy Object to Multiple Containers
• Objective: Link a single GPO to multiple containers
• Using Active Directory Users and Computers, create and configure a new GPO in one OU
• Add the GPO to another OU

Configuring Block Policy Inheritance, No Override, and Filtering
• These options allow the default behavior to be changed for specific containers:
  • Can change the default inheritance policy
  • Can change the default conflict resolution
  • Can change permissions for a specific member within a group to deny GPO application for that member

Blocking Group Policy Inheritance
• To change default inheritance, use the Block Policy inheritance check box on the Group Policy tab for a child container
• The child will not inherit the parent's policies
• Useful if one OU needs to be managed separately

Configuring No Override
• If a policy is configured with No Override:
  • It will be enforced despite conflicts in lower-level policies
  • It will be enforced on lower-level containers that have Block Policy inheritance set

Filtering Using Permissions
• Prevents policy settings from applying to a particular user, group, or computer within a container
• To filter a GPO from a particular container member, deny the Read and Apply Group Policy permissions for the member account only

Activity 9-10: Configuring Group Policy Object Inheritance Settings
• Objective: Explore and configure Group Policy inheritance settings
• Configure the Default Domain Policy GPO using Active Directory Users and Computers
• Override the Default Domain Policy configuration at the OU level and verify the override
• Configure the No Override option at the domain level
• Verify the No Override option

Activity 9-11: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of Group Policy settings
• Using Active Directory Users and Computers, add a user account to a group but deny the group's GPO permissions
• Verify that the added user account is not configured with the group's GPO

Troubleshooting Group Policy Settings
• Potential trouble areas:
  • Order of Group Policy processing
  • Improper use of No Override or Block Policy inheritance settings
  • Read and Apply Group Policy permissions
• Utilities that show effective Group Policy settings:
  • GPRESULT (command-line utility)
  • Resultant Set of Policy (RSoP) (graphical utility)

Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool
• Objective: Use RSoP to determine effective Group Policy settings
• Use Active Directory Users and Computers to configure the Default Domain Policy
• Open a new MMC with the Resultant Set of Policy snap-in
• Use RSoP to Generate RSoP Data

Deploying Software Using Group Policy
• Applications that can be deployed using Group Policy include:
  • Business applications (e.g., Microsoft Office)
  • Anti-virus software
  • Software updates (e.g., service packs)
• Four phases of software rollout:
  • Software preparation
  • Deployment
  • Software maintenance
  • Software removal

Software Preparation
• Microsoft Windows Installer package (MSI)
  • An MSI file contains all of the information needed to install an application in a variety of configurations
  • Software vendors include preconfigured MSI packages
  • For older applications, MSI packages can be created using third-party utilities (e.g., VERITAS)
• To install, place the MSI file in a shared folder and configure Group Policy to access it for installation

Software Preparation (continued)
• If an application does not have an MSI package, a ZAP file can be used:
  • Text file used by Group Policy to deploy an application
  • Can only be published, not assigned
  • Is not resilient
  • Requires user intervention and proper permissions

Deployment
• Two ways to deploy an application:
  • Assigning applications
  • Publishing applications

Assigning Applications
• When a policy is created to assign an application:
  • Any user to whom the policy applies has a shortcut on the Start menu
  • The application is installed when the user clicks the shortcut for the first time or opens an associated document
  • If the policy is configured in the computer section, the application is installed the next time the computer is started
  • Applications are resilient (if files are corrupted, the application reinstalls itself)

Publishing Applications
• When a policy is created to publish an application:
  • It is not advertised on the Start menu
  • It is installed using the Add/Remove Programs applet or by opening an associated document
  • Applications are only published to users, not computers

Configuring the Deployment
• Create or edit a GPO and specify deployment options
• Assign or publish the application to computers or users to install at the appropriate time

Activity 9-13: Publishing an Application to Users Using Group Policy
• Objective: Publish an application using Group Policy settings
• Create a shared folder and copy files into it
• Create a GPO to publish the MSI software files in the folder
• Log on as a member of the group that uses the GPO and install the software

Activity 9-14: Assigning an Application to Users Using Group Policy
• Objective: To assign an application using Group Policy settings
• Create and configure a new GPO to assign software installation to the users in an OU
• Log on as a user in the OU
• Verify that the software installs and executes as expected

Software Maintenance
• Software must be maintained with patches and updates
• Deployment of patches and updates can be:
  • Mandatory upgrade
  • Optional upgrade
  • Redeployment of an application

Software Removal
• The application must have been originally installed using a Windows Installer package
• Removal can be:
  • Forced removal
  • Optional removal
• Forced removal uninstalls the application and prevents it from being reinstalled
• Optional removal does not uninstall the application but does prevent it from being reinstalled once removed

Summary
• A Group Policy object is an object in Active Directory used to configure and apply settings for user and computer objects
• Two default GPOs are created when Active Directory is installed:
  • Default Domain Policy
  • Default Domain Controllers Policy
• Two mechanisms for creating GPOs:
  • Microsoft Management Console Group Policy snap-in
  • Group Policy extension in Active Directory Users and Computers

Summary (continued)
• GPOs can be used:
  • To control user desktop settings and security settings
  • To apply scripts on user logon and logoff and computer startup and shutdown
  • For folder redirection
• GPOs are applied in a specific order
• GPOs are inherited by default
  • This can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using user permissions
• Use GPRESULT or the Resultant Set of Policy tool to view effective Group Policy settings

Summary (continued)
• GPOs are useful in deploying and maintaining software applications
• GPOs are used for the four main phases of software rollout: preparation, deployment, maintenance, removal
• For deployment, Group Policy uses an MSI file containing the information needed to install in a variety of configurations
• Deployed applications can be either assigned or published
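Worked example for the "Editing a GPO (continued)" slide: the two storage locations of a GPO, the Group Policy container (GPC) in Active Directory and the Group Policy template (GPT) in SYSVOL, and the GUID that ties them together. This is an added example, not code from the textbook, written in PowerShell with the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so not something a Windows Server 2003-era lab would have). It assumes a domain-joined host with read access to CN=Policies and to the SYSVOL share; the cmdlet and attribute names are real, the function name Get-GpoStorageStatus is mine.

```powershell
# Added example, not from the textbook: list each GPO's two storage locations,
# the Group Policy container (GPC) in Active Directory and the Group Policy
# template (GPT) in SYSVOL, and check that their version counters agree.
# Assumes a domain-joined host with the ActiveDirectory module (RSAT, Windows
# Server 2008 R2 or later) and read access to CN=Policies and the SYSVOL share.
Import-Module ActiveDirectory

function Get-GpoStorageStatus {
    param(
        # DNS name of the domain to inspect; defaults to this host's domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    $policyBase = "CN=Policies,CN=System,$domainDn"

    # GPC: one groupPolicyContainer object per GPO, whose CN is the GPO's GUID.
    $containers = Get-ADObject -Server $Domain -SearchBase $policyBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, gPCFileSysPath, versionNumber

    foreach ($gpc in $containers) {
        # GPT: the SYSVOL folder that gPCFileSysPath points at; GPT.INI carries
        # a "Version=" line with the same packed counter the GPC stores.
        $gptIni     = Join-Path $gpc.gPCFileSysPath 'GPT.INI'
        $gptVersion = $null
        if (Test-Path -LiteralPath $gptIni) {
            $versionLine = Get-Content -LiteralPath $gptIni |
                Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
            if ($versionLine -match '^Version=(\d+)') { $gptVersion = [int]$Matches[1] }
        }
        $gpcVersion = [int]$gpc.versionNumber

        [pscustomobject]@{
            Name            = $gpc.displayName
            Guid            = $gpc.Name   # e.g. {31B2F340-016D-11D2-945F-00C04FB984F9} for Default Domain Policy
            GpcVersion      = $gpcVersion
            GptVersion      = $gptVersion
            # The packed counter holds the user version in the high 16 bits and
            # the computer version in the low 16 bits.
            UserVersion     = [math]::Floor($gpcVersion / 65536)
            ComputerVersion = $gpcVersion % 65536
            GptPath         = $gpc.gPCFileSysPath
            InSync          = ($null -ne $gptVersion -and $gptVersion -eq $gpcVersion)
        }
    }
}

# GPOs whose AD and SYSVOL copies disagree are the ones clients may apply
# inconsistently until replication catches up (or the template is damaged).
Get-GpoStorageStatus | Sort-Object InSync, Name |
    Format-Table Name, Guid, GpcVersion, GptVersion, UserVersion, ComputerVersion, InSync -AutoSize
```

A GPO whose GPC and GPT versions differ is a useful first check when the "Troubleshooting Group Policy Settings" symptoms appear on some clients but not others: the AD object and the SYSVOL folder replicate separately, so clients can see one updated and the other not.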
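Worked example for the "Managing Group Policy Inheritance", "Configuring No Override", "Blocking Group Policy Inheritance", and "Filtering Using Permissions" slides: an offline model of the processing order (Local, Site, Domain, Parent OU, Child OU; bottom of each Group Policy tab first), the "last applied wins" conflict rule, and the three ways the slides describe of changing that outcome. This is an added example and not part of the textbook; every container, GPO name, setting, and principal in it is constructed, and the functions New-GpoLink, Get-ModelRsop, and Show-ModelRsop are mine. It runs on any PowerShell without a domain.

```powershell
# Added example, not from the textbook: an offline model of how GPO links are
# ordered, how conflicts are resolved, and how Block Policy inheritance,
# No Override, and Apply Group Policy permissions change the outcome.
# Every container, GPO, setting, and principal below is constructed.
# Modelling assumptions: the local GPO is processed first and is not an
# inherited link, so Block Policy inheritance does not remove it; No Override
# links are applied after all other links, with a parent's No Override link
# applied after (and so winning over) a child's.

function New-GpoLink {
    param(
        [string]$Name,
        [hashtable]$Settings,                              # setting name -> value carried by this GPO
        [switch]$NoOverride,
        [string[]]$ApplyTo   = @('Authenticated Users'),   # principals with Read + Apply Group Policy
        [string[]]$DenyApply = @()                         # principals explicitly denied
    )
    [pscustomobject]@{
        Name = $Name; Settings = $Settings; NoOverride = [bool]$NoOverride
        ApplyTo = $ApplyTo; DenyApply = $DenyApply
    }
}

function Get-ModelRsop {
    param(
        # Containers from least to most specific: Local, Site, Domain, Parent OU, Child OU.
        # Each has Name, BlockInheritance, and Links listed as on the Group Policy tab (top first).
        [object[]]$Containers,
        # Security principals the user or computer belongs to (its own name plus groups)
        [string[]]$Principals
    )
    # The most specific container with Block Policy inheritance set, if any
    $blockIndex = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockIndex = $i }
    }

    $order = New-Object System.Collections.Generic.List[object]
    # Pass 1: ordinary links, Local -> Site -> Domain -> Parent OU -> Child OU,
    # bottom of each container's Group Policy tab first so the top link wins.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        $c = $Containers[$i]
        $blocked = ($blockIndex -ge 0) -and ($i -lt $blockIndex) -and ($c.Name -ne 'Local')
        for ($j = $c.Links.Count - 1; $j -ge 0; $j--) {
            $link = $c.Links[$j]
            if ($link.NoOverride -or $blocked) { continue }
            $order.Add(@{ Container = $c.Name; Link = $link })
        }
    }
    # Pass 2: No Override links, child first, so the parent's is applied last
    # and cannot be overwritten; blocking does not remove them.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $c = $Containers[$i]
        for ($j = $c.Links.Count - 1; $j -ge 0; $j--) {
            $link = $c.Links[$j]
            if ($link.NoOverride) { $order.Add(@{ Container = $c.Name; Link = $link }) }
        }
    }

    $effective = @{}
    foreach ($entry in $order) {
        $link    = $entry.Link
        $allowed = @($Principals | Where-Object { $link.ApplyTo   -contains $_ }).Count -gt 0
        $denied  = @($Principals | Where-Object { $link.DenyApply -contains $_ }).Count -gt 0
        if (-not $allowed -or $denied) { continue }      # filtered out by permissions
        foreach ($setting in $link.Settings.Keys) {
            # No conflict: the setting is simply added. Conflict: the later
            # link overwrites the earlier value, so the last one applied wins.
            $effective[$setting] = [pscustomobject]@{
                Value = $link.Settings[$setting]; WinningGpo = $link.Name; Container = $entry.Container
            }
        }
    }
    $effective
}

# Constructed containers (Group Policy tab order: first listed = top = highest precedence).
$containers = @(
    @{ Name = 'Local';     BlockInheritance = $false; Links = @(
        (New-GpoLink 'Local Computer Policy' @{ ScreenSaverTimeout = 600 })) },
    @{ Name = 'Site';      BlockInheritance = $false; Links = @(
        (New-GpoLink 'Site Policy' @{ Wallpaper = 'site.bmp' })) },
    @{ Name = 'Domain';    BlockInheritance = $false; Links = @(
        (New-GpoLink 'Default Domain Policy' @{ LogonBanner = 'Authorized use only'; Wallpaper = 'corp.bmp' } -NoOverride)) },
    @{ Name = 'Parent OU'; BlockInheritance = $false; Links = @(
        (New-GpoLink 'Parent OU Policy' @{ ScreenSaverTimeout = 900; RemoveRunMenu = $true })) },
    @{ Name = 'Child OU';  BlockInheritance = $true;  Links = @(
        (New-GpoLink 'Child Top Link'    @{ ScreenSaverTimeout = 300 } -DenyApply 'Exempt Users'),
        (New-GpoLink 'Child Bottom Link' @{ ScreenSaverTimeout = 1200; Wallpaper = 'child.bmp' })) }
)

function Show-ModelRsop([string[]]$Principals) {
    $rsop = Get-ModelRsop -Containers $containers -Principals $Principals
    "--- effective settings for: $($Principals -join ', ')"
    foreach ($name in ($rsop.Keys | Sort-Object)) {
        '{0,-20} = {1,-22} from "{2}" ({3})' -f $name, $rsop[$name].Value, $rsop[$name].WinningGpo, $rsop[$name].Container
    }
}

Show-ModelRsop @('Authenticated Users', 'Domain Users', 'alice')
Show-ModelRsop @('Authenticated Users', 'Domain Users', 'Exempt Users', 'bob')
```

With the constructed data, the child OU's Block Policy inheritance drops the Site and Parent OU links (so RemoveRunMenu never applies) but not the domain's No Override link, which is why the wallpaper comes from the Default Domain Policy rather than from the child OU; the child's top link beats its bottom link for the screen-saver timeout. The second user is a member of Exempt Users, is filtered out of the top link by the deny, and therefore keeps the bottom link's timeout. Reading the "from" column is the same exercise as reading the winning GPO in the RSoP tool.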
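Worked example for Activities 9-5 and 9-9 through 9-12: the same steps the textbook performs in Active Directory Users and Computers, done with the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 or later RSAT), which did not exist for Windows Server 2003. This is an added example, not the textbook's own lab. The domain example.com, the OUs Sales and Marketing, the group "Exempt Users", the GPO "Desktop Lockdown", the workstation WS01, and the user alice are all assumed names; "Enforced" is the Group Policy Management Console name for the option the textbook calls No Override.

```powershell
# Added example, not from the textbook: Activities 9-5 and 9-9 to 9-12 with
# the GroupPolicy and ActiveDirectory modules. All names below are assumed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$salesOu  = "OU=Sales,$domainDn"
$mktOu    = "OU=Marketing,$domainDn"
$gpoName  = 'Desktop Lockdown'

# 1. Create the GPO and give it one user-desktop setting (Activity 9-5):
#    "Prevent access to the command prompt" is an Administrative Template
#    policy backed by the DisableCMD registry value.
$gpo = New-GPO -Name $gpoName -Comment 'Constructed example GPO'
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 1 | Out-Null

# 2. Link the single GPO to two containers (Activity 9-9).
New-GPLink -Name $gpoName -Target $salesOu -LinkEnabled Yes | Out-Null
New-GPLink -Name $gpoName -Target $mktOu   -LinkEnabled Yes | Out-Null

# 3. Inheritance controls (Activity 9-10): block inheritance on Marketing, then
#    set No Override (Enforced) on the domain link so it still applies there.
Set-GPInheritance -Target $mktOu -IsBlocked Yes | Out-Null
Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes | Out-Null

# 4. Filter by permissions (Activity 9-11): deny Apply Group Policy and Read to
#    one group. Set-GPPermission only grants allow levels, so the deny entries
#    are written to the GPO's container object (the GPC) through the AD: drive.
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
$gpcPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$sid = (Get-ADGroup 'Exempt Users').SID
$acl = Get-Acl -Path $gpcPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGroupPolicyRight)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)))
Set-Acl -Path $gpcPath -AclObject $acl

# 5. Verify (Activity 9-12 and the troubleshooting slide): which links the OU
#    sees and whether inheritance is blocked, then the effective settings for
#    one user on one workstation as an RSoP report.
Get-GPInheritance -Target $mktOu | Select-Object Path, GpoInheritanceBlocked, GpoLinks
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop-marketing.html" `
    -Computer 'WS01.example.com' -User 'EXAMPLE\alice'

# Command-line equivalents the textbook names, run on the client:
#   gpupdate /force     refresh policy now instead of waiting for the interval
#   gpresult /r         list applied GPOs, filtered GPOs, and group memberships
```

Step 4 is the part most often done wrong: the deny must be placed on the member account or group only, exactly as the "Filtering Using Permissions" slide says, because a deny on a broader group such as Authenticated Users removes the GPO from everyone. Step 5 then confirms the result the same way Activity 9-11 does, by checking that the filtered account does not receive the GPO while other members of the OU still do.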