Chapter 9

advertisement
Guide to MCSE 70-290, Enhanced
9-1
Chapter 9: Implementing and Using Group Policy
Objectives
After reading the chapter and completing the exercises, students should be able to:



Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder
redirection
Manage and troubleshoot Group Policy inheritance
Deploy and manage software using Group Policy
Teaching Tips
Introduction to Group Policy
1.
2.
3.
Introduce the concept of Group Policy and Group Policy objects. Describe the types of tasks that are
performed using Group Policy objects.
Note the two default GPOs (Default Domain Policy and Default Domain Controllers Policy).
Briefly explain how to implement Group Policy by either creating or editing GPOs and linking them to
desired container objects. Note that the policies will apply to all objects in the containers including those in
child containers.
Creating a Group Policy Object
1.
Discuss the two methods of creating a GPO, the Group Policy standalone Microsoft Management Console
(MMC) snap-in and the Group Policy extension in Active Directory Users and Computers. Both of these
methods are explored in upcoming activities.
Activity 9-1: Creating a Group Policy Object Using the MMC
1.
The purpose of this activity is to explore using the Group Policy standalone Microsoft Management
Console snap-in to create a new Group Policy Object. Students are instructed to open the MMC console
and add the snap-in. They then use the Group Policy Object Editor to create a new GPO.
Activity 9-2: Creating OUs and Moving User Accounts
1.
2.
In this activity, students will create new OU objects and move existing user accounts into these OUs.
These new configurations will be used in future activities to test Group Policy settings.
Students create the new OU objects and move the user accounts using Active Directory Users and
Computers.
Guide to MCSE 70-290, Enhanced
9-2
Activity 9-3: Creating a Group Policy Object and Browsing
Settings Using Active Directory Users and Computers
1.
In this activity, students use the Active Directory Users and Computers Group Policy extension to add a
GPO to an OU and to create a new GPO. They continue the exercise by browsing through the User and
Computer Configurations to see what types of features can be configured.
Editing a GPO
1.
2.
3.
There are two configuration types available in a GPO: Computer Configuration and User Configuration.
Discuss the categories of configuration settings described in Table 9-1.
Briefly describe how to enable specific configuration settings in the MMC snap-in and walk through an
example. Specific settings will be described in more detail later in the chapter.
Go over the storage of GPO content in Group Policy containers and Group Policy templates and their
identification with a globally unique identifier.
Activity 9-4: Deleting Group Policy Objects
1.
The purpose of this activity is to have students permanently delete a GPO using Active Directory Users and
Computers.
Application of Group Policy
1.
2.
Describe the two main types of Group Policy configuration settings, the Computer Configurations and the
User Configurations and be sure that students understand what a Group Policy will apply to given its
location.
Go over the process of how specific Group Policies are applied when a computer is started or a user logs
on.
Controlling User Desktop Settings
1.
2.
Discuss with students why an organization might choose to set up standard desktop settings. Note that
Group Policies are one of the tools that can be used to control these settings.
Go over the categories of configuration settings for administrative templates described in Table 9-2.
Activity 9-5: Configuring Group Policy Object User Desktop
Settings
1.
The purpose of this activity is to introduce students to the types of user desktop settings that can be
configured from a GPO. Students will access the Administrative Templates section of an existing GPO and
reconfigure some of the settings. They then verify the results of the new configurations.
Guide to MCSE 70-290, Enhanced
9-3
Managing Security Settings with Group Policy
1.
2.
In this section, students will move from desktop settings to exploring GPO security settings. Some security
settings were discussed in an earlier chapter, namely Password Policy, Account Policy, and Kerberos
Policy settings. Note that these are only applied to domain objects and that the other nodes in this category
can be applied to both domain and OU objects.
Go over the nodes in the Security Settings category listed in this section and give summaries of the
functions of each node.
Activity 9-6: Configuring Group Policy Object Security Settings
1.
In this activity, students configure a logon banner for users in a domain. This setting is found in the
Default Domain GPO. Students will provide a message and verify that users logging on to the domain
receive it.
Activity 9-7: Configuring File System Security Using Group
Policy Settings
1.
The purpose of this activity is to use Group Policy settings to configure security permissions on a folder.
Students first create a new folder. Using Active Directory Users and Computers, they then configure
permissions for the folder for a specific user and update the Group Policy settings. Finally, they will verify
that the permissions are configured as expected.
Assigning Scripts
1.
2.
Introduce the concept of using scripts to automate routine operations. Discuss how Group Policy can be
used to configure scripts that will run on computer startup and shutdown or user logon or logoff.
Explain the order in which scripts are run when multiple scripts are affected by a logon/logoff or
startup/shutdown.
Teaching
Tip
Note that the order in which scripts run can be modified using the Up and Down buttons in the
Properties dialog box.
Activity 9-8: Assigning Logon Scripts to Users Using Group
Policy
1.
The object of this exercise is to assign login scripts to domain users using a GPO. Students will create a
script file and assign it to a GPO to be run at logon time for users affected by the GPO. They then verify
that the script runs for appropriate users and not for users who are not affected by the GPO.
Guide to MCSE 70-290, Enhanced
9-4
Redirecting Folders
1.
2.
3.
Introduce the concept of folder redirection.
Explain the reasons that you might wish to redirect folders out of a user’s profile.
Go over the settings for folder redirection that are listed in Table 9-3.
Quick Quiz
1.
What are four categories of administrative tasks that can be configured and applied using Group Policy
Objects?
Answer: user desktops, security, scripts, and folder redirection
2.
True or False: One tool that can be used to create and edit GPOs is the MMC Group Policy Editor snap-in.
Answer: True
3.
The _____________________ contains the data that makes up a Group Policy including settings,
administrative templates, security settings, software installation settings and scripts.
Answer: Group Policy template
4.
When can the scripts assigned by a Group Policy Object to a user account run?
Answer: When the user logs on or logs off
Managing Group Policy Inheritance
1.
2.
3.
4.
5.
6.
List the order in which GPOs are applied from the local computer level to Child OU level.
Discuss the default inheritance policy for GPOs and make sure that students realize that one computer or
user can process multiple policies.
Note the order in which GPOs are applied if there is more than one GPO per container. Go over the
determination of policies to apply if there are conflicts in the settings among multiple policies.
Discuss the timing of refreshes for policies to ensure that changes are picked up. Also note how to refresh
settings manually.
Reiterate that GPOs can be linked to site, domain, or OU containers in Active Directory. Note the effect of
setting policies at each level.
Explain how to create multiple group policies that are assigned to a single container. Conversely, explain
how to create a single group policy that applies to multiple containers. Give examples for both of these
situations.
Activity 9-9: Linking a Group Policy Object to Multiple
Containers
1.
In this activity, students will link a single GPO to multiple containers. First, they will create a new GPO in
one container. They then add the GPO to another container, leaving it linked to both.
Configuring Block Policy Inheritance, No Override, and Filtering
1.
Reiterate the default behavior for inheriting policy settings from parent containers. In this section, different
methods for changing this behavior are discussed.
Guide to MCSE 70-290, Enhanced
9-5
Blocking Group Policy Inheritance
1.
Note that this form of changing default behavior allows you to stop higher-level settings being applied to a
particular child container. Describe how to enable this option.
Configuring No Override
1.
Explain that this option ensures that a higher-level GPO’s settings will always be enforced at lower levels,
even if there are conflicts or if a lower container has Block Policy inheritance set.
Filtering Using Permissions
1.
Explain that this option prevents policy settings from applying to particular users, groups, or computers
within a container. Give an example of using this option.
Activity 9-10: Configuring Group Policy Object Inheritance
Settings
1.
In this exercise, students will configure various Group Policy inheritance settings. They first access the
Default Domain Policy GPO and disable a feature from there. The same feature is then enabled at a lower
level and students observe the results. They then go back to the Default Domain Policy and set it to No
Override and again observe results.
Activity 9-11: Filtering Group Policy Objects Using Security
Permissions
1.
In this activity, students will use security permissions to filter and control the application of Group Policy
settings. The Apply Group Policy feature of a user account is denied and the results of this are observed
and compared to a user account that does not have this feature denied.
Troubleshooting Group Policy Settings
1.
2.
3.
Ask students to think about why it might be difficult to keep track of Group Policy settings for a particular
account. How could you manually determine what policies are actually in effect for that account? What
are some general things to check when policies are not being applied as expected?
Describe the GPRESULT and Resultant Set of Policy (RsoP) utilities that can be used to determine
effective Group Policy settings.
Note that you can disable either the user or computer configuration part of a GPO to improve performance
problems.
Guide to MCSE 70-290, Enhanced
9-6
Activity 9-12: Determining Group Policy Settings Using the
Resultant Set of Policy Tool
1.
In this activity, students will explore the use of RsoP to determine effective Group Policy settings. They
first configure the Default Domain Policy GPO and then run the MMC utility and add the RsoP snap-in.
From the snap-in, they will generate RsoP data, select a specific user, and analyze the data that was
generated.
Deploying Software Using Group Policy
1.
Explain that Group Policy can be used to deploy and maintain software applications such as Microsoft
Office, anti-virus software, and service packs. Mention the four phases of software rollout.
Software Preparation
1.
Discuss the first phase of software rollout: software preparation. Explain what an MSI file is and how to
create one if necessary. Explain that if it is not possible to use or create an MSI file, you can still use a
ZAP file. Note the restrictions on ZAP files however.
Deployment
1.
Introduce the two types of deployment: assigning applications and publishing applications.
Assigning Applications
1.
Explain how an assigned application appears to the user and how it is installed and advertised. Discuss the
advantages of assigning applications through a GPO, noting resiliency.
Publishing Applications
1.
Note the differences in publishing and assigning applications using a GPO. Explain how published
applications are installed and note that applications can only be published to users.
Configuring the Deployment
1.
Explain how to configure a deployment by creating or editing a GPO and specifying the options. Give
examples.
Guide to MCSE 70-290, Enhanced
9-7
Activity 9-13: Publishing an Application to Users Using Group
Policy
1.
The purpose of this activity is to explore how to publish an application using Group Policy settings.
Students will create a new folder and place an MSI and supporting file into the folder. They then create a
GPO that will publish the software application. Next, students will log on to a user account and verify that
that the software is available for installation using the Add or Remove Programs utility.
Activity 9-14: Assigning an Application to Users Using Group
Policy
1.
In this activity, students will explore how to assign an application using Group Policy settings. They create
a new GPO that assigns the software application from the last exercise. They then log on to a user account
and verify that the software is advertised and installs as expected.
Software Maintenance
1.
2.
Describe what types of tasks fall into the realm of software maintenance.
List the three deployment options available: mandatory upgrades, optional upgrades, and redeployment of
an application. Discuss what each of the options does and how to configure them.
Software Removal
1.
Explain how to use Group Policy to remove an application. Discuss what the differences are between
forced and optional removal.
Teaching
Tip
Caution students that in order to use Group Policy to remove an application, the application
must have been originally installed using a Windows installer package.
Quick Quiz
1.
If a domain-level Group Policy and an OU-level Group Policy are both assigned to an account and there is
a conflict between the configuration settings in the policies, how is the conflict resolved?
Answer: Later settings overwrite earlier settings, so the OU-level policy will apply.
2.
If you want a particular GPO’s configuration settings to always be enforced despite any lower-level
conflicts, what GPO option can you use?
Answer: The No Override option
3.
The ____________________ graphical utility enables you to view the effective Group Policy settings that
have been applied to a particular user or computer.
Answer: Resultant Set of Policy (RsoP)
Guide to MCSE 70-290, Enhanced
4.
9-8
What are two methods of deploying applications using a GPO?
Answer: Assigning applications and publishing applications
Class Discussion Topics
1.
2.
3.
In the many activities in this chapter, students have had opportunities to explore some of the options available in
Group Policy Objects. How comfortable are they with the diversity of tasks and features that can be accessed
through Group Policy? Is more exploration time needed? Are there types of tasks that have not been
discussed?
What are some tasks that could be accomplished with logon/logoff or startup/shutdown scripts? Is this a useful
feature?
Do you find it easier to use the MMC Group Policy snap-in or Active Directory Users and Computers for
creating and editing GPOs? What are the advantages and disadvantages of each?
Additional Projects
1.
Explore security settings in a Group Policy Object. Using the Help Center or other Internet resources, research
a particular feature that you’re not familiar with already. For example, you could present Wireless Network
Policies that control security (e.g. authentication and encryption methods) used in wireless networks. Give a
brief presentation of what the feature controls and how to use it.
2.
Write or find a script to accomplish a logon task and assign it to a GPO. Microsoft maintains a list of scripts
that can be downloaded in the Microsoft Download Center.
3.
Research the use of ZAP files and describe what these files contain and do.
Solutions to Additional Projects
1.
Students should select one feature to explore in depth. There are numerous features to choose from.
2.
The following script was downloaded from Microsoft Download Center and is used to determine the difference
between the local time zone and Greenwich Mean Time. This and other scripts can be downloaded or written,
saved, and assigned as in Activity 9-8.
Set objWMIService = GetObject(“winmgmts:” _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colTimeZone = objWMIService.ExecQuery("Select * from Win32_TimeZone")
For Each objTimeZone in colTimeZone
Wscript.Echo "Offset: "& objTimeZone.Bias
Next
Guide to MCSE 70-290, Enhanced
3.
9-9
A .zap file is a text file that contains the setup instructions for installing an application. In most cases, the .zap
file will contain only the following lines:
[Application]
FriendlyName = "applicationname"
SetupCommand = ""\\servername\sharename\installapplication.exe""
The FriendlyName value is the name that will be displayed in the Add Or Remove Programs control panel on
the client computer. The SetupCommand value is the path to the installation file for the application. You can use
a Universal Naming Convention (UNC) path or a mapped drive for the SetupCommand value.
After you have created the .zap file and copied the application installation files to a network share, you can
publish the application to users. The application is added to the list of available applications in the Add Or
Remove Programs control panel. Users can then select the application to install. Applications that are
distributed through .zap files cannot be assigned to either computers or users, and they will not install using
extension activation.
Download