Group Policy
• Group Policy is a method of controlling settings
across your network.
– Group Policy consists of user and computer settings
on all versions of Windows since Windows 2000
that can be implemented during computer startup
and shutdown and user logon and logoff.
– You can configure one or more GPOs within a
domain and then use a process called linking, which
applies these settings to various containers
(domain, sites and OUs) within Active Directory.
– You can link multiple GPOs to a single container or
link one GPO to multiple containers throughout the
Active Directory structure.
• The following managed settings can be defined or
changed through Group Policies:
– Registry-based policies - As the name implies, these
settings modify the Windows Registry.
– Software installation policies can be used to ensure
that users always have the latest versions of
– Folder redirection allows files to be redirected to a
network drive for backup and makes them
accessible from anywhere on the network.
– Offline file storage works with folder redirection to
provide the ability to cache files locally. This allows
files to be available even when the network is
– Scripts – Including logon, logoff, startup, and
shutdown scripts, these can assist in configuring the
user environment.
– Windows Deployment Services (WDS) – Assists in
rebuilding or deploying workstations quickly and
efficiently in an enterprise environment.
– Microsoft Internet Explorer settings – Provide quick
links and bookmarks for user accessibility, in
addition to browser options such as proxy use,
acceptance of cookies, and caching options.
– Security settings – Protect resources on computers
in the enterprise.
• Group Policies can be linked to sites,
domains, or OUs (not groups) to apply those
settings to all users and computers within
these Active Directory containers.
• You can use security group filtering to apply a
GPO to only some of the users or computers within
a container: grant the “Apply Group Policy”
permission (which also requires Read) only to the
chosen users or security groups.
– By default, Authenticated Users holds both Read
and Apply Group Policy on every new GPO, so
filtering usually means removing Apply from that
entry and granting it to a more specific group.
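The create, link and filter steps above, as an added PowerShell example using the GroupPolicy module (this is not code from the original slides). The domain corp.example, the OU Workstations, the group GPO-Workstation-Hardening and the GPO name are assumptions; the registry value written is the real setting behind “Turn off multicast name resolution” (LLMNR).

```powershell
# Added example, not from the original slides. Assumed names: domain corp.example,
# OU "Workstations", security group "GPO-Workstation-Hardening".
Import-Module GroupPolicy

$gpoName = 'Workstation Hardening'
$ouDn    = 'OU=Workstations,DC=corp,DC=example'
$group   = 'GPO-Workstation-Hardening'

# 1. Create the GPO if it does not exist. This creates both halves at once:
#    the GPC object in Active Directory and the GPT folder in SYSVOL.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline hardening for workstations'
}

# 2. Put a registry-based (Administrative Template) setting into it:
#    EnableMulticast = 0 turns off LLMNR, a common credential-theft vector.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'EnableMulticast' -Type DWord -Value 0 | Out-Null

# 3. Link the GPO to the OU. Link order 1 is the highest precedence in that OU.
$existing = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Order 1 | Out-Null
}

# 4. Security group filtering. New GPOs give "Authenticated Users" Read + Apply.
#    Downgrade that entry to Read only (-Replace removes the old level first) and
#    grant Apply to the chosen group. Keep Read for Authenticated Users: since
#    MS16-072 the computer account reads user GPOs, and computers are members of
#    Authenticated Users.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify who can actually apply the GPO before trusting the filter.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Run this from a machine with the Group Policy Management feature (RSAT) installed, as a member of Group Policy Creator Owners or Domain Admins; the final Get-GPPermission call should list only the filtering group under GpoApply.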
Group Policy Objects (GPOs)
• Contain all of the Group Policy settings that
you want to apply to user and computer
objects within a site, domain, or OU.
• Must be linked to the container to which
they apply.
• There are three types of GPOs:
– Local GPOs.
– Domain GPOs.
– Starter GPOs.
Local GPO
• The local GPO settings are stored on the local
computer in the
%SystemRoot%\System32\GroupPolicy folder.
• Local GPOs contain fewer options.
– They do not support folder redirection or Group
Policy software installation.
– Fewer security settings are available.
• When a local and a nonlocal (Active Directory–
based) GPO have conflicting settings, the local GPO
is overwritten by the nonlocal GPO.
Nonlocal GPOs
• Nonlocal GPOs are created in Active Directory.
• They are linked to sites, domains, or OUs.
– Once linked to a container, the GPO is applied to all
users and computers within that container by
• GPOs are stored in two places:
– Group Policy container (GPC) — An Active Directory
object that stores the properties of the GPO.
– Group Policy template (GPT) — Located in the
Policies subfolder of the SYSVOL share, the GPT is a
folder that stores policy settings, such as security
settings and script files.
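Locating the two halves of a GPO described above, the GPC in Active Directory and the GPT in SYSVOL, as an added PowerShell example that is not part of the original slides. The GPO name and domain are assumptions; the attribute names (gPCFileSysPath, versionNumber) and the GPT.INI file are real.

```powershell
# Added example, not from the original slides. Assumed: a GPO named
# 'Workstation Hardening' exists in the domain corp.example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name 'Workstation Hardening'

# The GPC: an AD object under CN=Policies,CN=System,<domain>, named by the GPO GUID.
# Get-GPO's Path property is that object's distinguished name.
$gpc = Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath, versionNumber
"GPC DN   : $($gpc.DistinguishedName)"
"GPT path : $($gpc.gPCFileSysPath)"

# versionNumber packs both halves: low 16 bits = computer, high 16 bits = user.
$v = [int]$gpc.versionNumber
"Computer version: $($v -band 0xFFFF)   User version: $(($v -shr 16) -band 0xFFFF)"

# The GPT: the GUID-named folder in SYSVOL\<domain>\Policies. GPT.INI carries the
# same version number; a mismatch with the GPC usually means SYSVOL replication lag.
$gpt = $gpc.gPCFileSysPath
Get-Content (Join-Path $gpt 'GPT.INI')
Get-ChildItem $gpt -Recurse -File | Select-Object FullName, Length

# Security check: anyone who can write to the GPT can change the scripts and
# security settings every linked computer will execute. On a default install only
# SYSTEM, Domain Admins, Enterprise Admins and CREATOR OWNER hold write access;
# any other principal listed here deserves an explanation.
(Get-Acl $gpt).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The ACL check is worth running across all of Policies, not just one GPO: a writable GPT is a direct path from a low-privileged account to code execution on every computer the GPO is linked to.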
Starter GPOs
• A new feature in Windows Server 2008.
• Used as GPO templates within Active
• Allow you to configure a standard set of
items that will be configured by default in
any GPO that is derived from a starter GPO.
Default Group Policies
• When Active Directory is installed, two
domain GPOs are created by default.
– Default Domain Policy — It is linked to the
domain, and its settings affect all users and
computers in the domain.
– Default Domain Controller Policy — It is
linked to the Domain Controllers OU and its
settings affect all domain controllers in the
Creating and Managing Group Policies
• The Group Policy Management Console (GPMC) is
the Microsoft Management Console (MMC) snap-in
that is used to create and modify Group Policies
and their settings.
– The GPMC was not pre-installed in Windows Server
2003; it needed to be downloaded manually from
the Microsoft Web site.
– The GPMC is included in Windows Server 2008 by
• When you configure a GPO, you will use the Group
Policy Management Editor, which can be accessed
through the GPMC or through Active Directory
Users and Computers.
Group Policy Management Console (GPMC)
Group Policy Object Editor
Group Policy Settings
• Configuring Group Policy settings enables
you to customize the configuration of a
user’s desktop, environment, and security
• The actual settings are divided into two
– Computer Configuration
– User Configuration
• The Computer Configuration and the User
Configuration nodes contain three subnodes:
– Software Settings
•Used to install software.
– Windows Settings
•Used to define security settings and scripts.
– Administrative Templates
•Windows Server 2008 includes thousands of
Administrative Template policies, which contain
all registry-based policy settings.
•They are used to generate the user interface for
the Group Policy settings.
GPO Inheritance
• You link an existing GPO to a site, domain, or
OU, or create and link a new GPO to one of these
containers in a single step. The settings within
that GPO apply to all users and computers in
that container and in its child containers.
Group Policy Processing ORDER (LSDOU)
Local policies.
Site policies.
Domain policies.
OU policies.
Where settings conflict, the GPO processed later
wins: an OU-linked GPO overrides domain, site and
local settings, and among GPOs linked to the same
container the link order decides.
Understanding Group Policy Processing
• When a computer is initialized during
startup, it establishes a secure link between
the computer and a domain controller.
– Then the computer obtains a list of GPOs to
be applied.
• Computer configuration settings are applied
synchronously during computer startup
before the Logon dialog box is presented to
the user.
• Any startup scripts set to run during
computer startup are processed. These
scripts also run synchronously and have a
default timeout of 600 seconds (10
minutes) to complete.
• When the Computer Configuration scripts
and startup scripts are complete, the user is
prompted to press Ctrl+Alt+Del to log on.
• Upon successful authentication, the user
profile is loaded based on the Group Policy
settings in effect.
• A list of GPOs specific for the user is
obtained from the domain controller.
– User Configuration settings also are
processed in the LSDOU sequence.
• After the user policies run, any logon scripts
run. Unlike the startup scripts, these scripts
run asynchronously by default.
• The user's desktop appears after all policies
and scripts have been processed.
Configuring Exceptions to GPO Processing
• Enforce — Set on an individual GPO link, this forces the
GPO’s settings to flow down through Active Directory even
where a child OU blocks inheritance; an enforced GPO also
wins any conflict with GPOs linked lower in the hierarchy.
• Block Policy Inheritance — Configuring this setting on a
container object such as a site, domain, or OU will block all
policies from parent containers from flowing to this
• Loopback Processing — This is a Group Policy option that
provides an alternative method of obtaining the ordered list
of GPOs to be processed for the user.
– When set to Enabled, this setting has two options: Merge and
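The three exceptions above, together with the LSDOU precedence they alter, as an added PowerShell example (not code from the original slides). The OUs Workstations and Kiosks, the GPOs 'Workstation Hardening' (assumed already linked to the parent OU) and 'Kiosk Lockdown' are assumptions; the UserPolicyMode registry value is the real setting behind the loopback processing policy.

```powershell
# Added example, not from the original slides. Assumed: domain corp.example,
# OU Kiosks nested under OU Workstations, GPO 'Workstation Hardening' linked to
# Workstations and GPO 'Kiosk Lockdown' linked to Kiosks.
Import-Module GroupPolicy

$parentOu = 'OU=Workstations,DC=corp,DC=example'
$kioskOu  = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example'

# Effective precedence for a container, the same list the GPMC "Group Policy
# Inheritance" tab shows: the first entry is applied last and wins conflicts,
# so this is LSDOU plus enforce/block already taken into account.
function Show-GpoPrecedence([string]$Target) {
    $inh = Get-GPInheritance -Target $Target
    "Target: $Target  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
    $i = 1
    foreach ($l in $inh.InheritedGpoLinks) {
        '{0,2}. {1,-28} enforced={2,-5} enabled={3,-5} linked at {4}' -f `
            $i, $l.DisplayName, $l.Enforced, $l.Enabled, $l.Target
        $i++
    }
}

'--- before ---'
Show-GpoPrecedence $kioskOu

# Block Policy Inheritance on the kiosk OU: links from the site, domain and parent
# OUs stop flowing down to it...
Set-GPInheritance -Target $kioskOu -IsBlocked Yes | Out-Null

# ...except links marked Enforced, which still apply and take precedence over any
# GPO linked below them, so the baseline cannot be silently undone by a child OU.
Set-GPLink -Name 'Workstation Hardening' -Target $parentOu -Enforced Yes | Out-Null

# Loopback processing in the kiosk GPO (Computer Configuration). With Replace mode
# the user settings of the GPOs that apply to the COMPUTER are used instead of the
# GPOs that apply to whoever logs on. UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name 'Kiosk Lockdown' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

'--- after ---'
Show-GpoPrecedence $kioskOu
```

Compare the two listings: after the block, the kiosk OU inherits only the enforced 'Workstation Hardening' link, and it now sits above 'Kiosk Lockdown' even though the latter is linked closer to the computers.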
GPUpdate Command
• If you make changes to a group policy, users
may not see changes take effect until:
– They log off or log back in.
– They Reboot the computer.
– They wait for the background refresh: every
90 minutes plus a random offset of up to 30
minutes on domain member workstations and
servers, and every 5 minutes on domain
controllers.
• To apply changes immediately, run gpupdate on the
client; /force reapplies all settings rather than
only the ones that changed since the last refresh:
gpupdate /force
– Software installation and folder redirection still
take effect only at the next startup or logon, and
gpupdate offers to restart or log off for them.
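Refreshing policy locally and remotely, and then verifying what actually applied, as an added PowerShell example (not code from the original slides). The OU, domain and workstation name WS01 are assumptions; Invoke-GPUpdate requires the GPMC from Windows Server 2012 or later, and the event IDs come from the Group Policy operational log.

```powershell
# Added example, not from the original slides. Assumed names: OU Workstations in
# corp.example and a workstation WS01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Locally: refresh each half separately so a failure is easy to attribute.
# /force reapplies every setting, not only those changed since the last refresh.
gpupdate /target:computer /force
gpupdate /target:user /force

# Remotely: Invoke-GPUpdate schedules a gpupdate run on each computer in the OU
# through a scheduled task. The random delay spreads the load on the DCs and
# SYSVOL instead of hitting them from every host at once.
Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example' -Filter * |
    ForEach-Object {
        Invoke-GPUpdate -Computer $_.DNSHostName -Target Computer -Force -RandomDelayInMinutes 5
    }

# Verify rather than assume. gpresult shows applied GPOs and, importantly, GPOs
# that were filtered out and why (security filtering, disabled link, WMI filter).
gpresult /scope:computer /r
gpresult /s WS01 /scope:computer /h "$env:TEMP\rsop-WS01.html"

# The same data as XML, usable from scripts (for example to diff baselines).
Get-GPResultantSetOfPolicy -Computer WS01 -ReportType Xml -Path "$env:TEMP\rsop-WS01.xml"

# Evidence of the refresh on the target: 1502 = computer policy processed with new
# settings, 1503 = user policy processed with new settings. 1500/1501 mean no change.
Get-WinEvent -ComputerName WS01 -MaxEvents 5 -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Id      = 1502, 1503
} | Select-Object TimeCreated, Id, Message
```

The gpresult report is the check a practitioner wants after any filtering or inheritance change: a GPO that is linked but listed under "Denied GPOs" with reason "Security" is the usual symptom of removing Authenticated Users without granting Read back.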
• Group Policy consists of user and computer
settings that can be implemented during computer
startup and user logon.
– These settings can be used to customize the user
environment, to implement security guidelines, and
to assist in simplifying user and desktop
– Group Policies can be beneficial to users and
– They can be used to increase a company's return on
investment and to decrease the overall total cost of
ownership for the network.
• In Active Directory, Group Policies can be
assigned to sites, domains, and OUs.
• By default, there is one local policy per
computer. Local policy settings are
overwritten by Active Directory policy
• Group Policy content is stored in an Active
Directory GPC and in a GPT.
– The GPC can be seen using the Advanced
Features view in Active Directory Users and
– The GPT is a GUID-named folder located in
Policies folder.
• The Default Domain Policy and the Default
Domain Controller Policy are created by
default when Active Directory is installed.
• The Group Policy Management Console is
the tool used to create and modify Group
Policies and their settings.
• GPO nodes contain three subnodes
including Software Settings, Windows
Settings, and Administrative Templates.
Administrative templates are XML files with
the .admx file extension.
– Over 100 ADMX files are included with
Windows Server 2008.
• The order of Group Policy processing can be
remembered using the acronym LSDOU:
– Local
– Site
– Domain
– OU
• This order is an important part of
understanding how to implement Group
Policies for an object.
• Group Policies applied to parent containers
are inherited by all child containers and
– Inheritance can be altered by using the
Enforce, Block Policy Inheritance, or
Loopback settings.