Module 6
Creating and Configuring Group Policy

Module Overview
• Overview of Group Policy
• Configuring the Scope of Group Policy Objects
• Evaluating the Application of Group Policy Objects
• Managing Group Policy Objects
• Delegating Administrative Control of Group Policy

How Group Policy Is Applied
Computer starts (Refresh Interval: Every 90 minutes)
• Computer settings applied
• Startup scripts run
User logs on (Refresh Interval: Every 90 minutes)
• User settings applied
• Logon scripts run

Exceptions to Group Policy Processing
Slow links:
• 500 kilobits per second (kbps) by default
• Certain client-side extensions are not processed
• Prior to Windows Vista, ICMP is used to detect a slow link
• Windows Vista uses Network Location Awareness
Cached credentials:
• Windows XP and Windows Vista use cached credentials for faster logons
• Many GPO settings take two logons to take effect
Additional exceptions:
• Remote access connections
• Moving a user or computer object in AD DS

Group Policy Components
Group Policy Object:
• Contains Group Policy settings
• Stores content in two locations
Group Policy Container:
• Stored in AD DS
• Provides version information
Group Policy Template:
• Stored in shared SYSVOL folder
• Provides Group Policy settings
• Supports both ADM and ADMX templates

What Are ADM and ADMX Files?
ADM files are:
• Copied into every GPO in SYSVOL
• Difficult to customize
ADMX files are:
• Language neutral
• Not stored in the GPO
• Extensible through XML

What Is the Central Store?
The Central Store:
• Is a central repository for ADMX and ADML files
• Is stored in SYSVOL
• Must be created manually
• Is detected automatically by Windows Vista or Windows Server 2008
[Diagram: ADMX files, a Windows Vista or Windows Server 2008 workstation, and domain controllers with SYSVOL]

Group Policy Processing Order
[Diagram: GPO1 through GPO5 applied in the order Local group, Site, Domain, OU]

What Are Multiple Local Group Policy Objects?
• One layer of computer configurations that applies to all users
• Layers apply only to individual users, not to groups
• There are three layers of user configurations:
  • Administrator
  • Non-Administrator
  • User-specific

Options for Modifying Group Policy Processing
Five methods to modify GPO default processing:
• Block inheritance
• Enforcement
• Filtering using security groups or WMI filters
• Disabling GPOs
• Loopback processing

How Does Loopback Processing Work?

What Is Group Policy Reporting?
Group Policy reporting is a method of planning and troubleshooting Group Policy
• Group Policy results are provided by the GPMC
• GPResult is a command line utility

What Is Group Policy Modeling?
The Group Policy Modeling Wizard calculates the simulated net effect of GPOs
The Group Policy Modeling Wizard simulates:
• Site membership
• Security group membership
• WMI filters
• Slow links
• Loopback processing
• The effects of moving user or computer objects to a different Active Directory container

GPO Management Tasks
GPO management tasks:
• Back up GPOs
• Restore GPOs
• Copy GPOs
• Import GPOs

What Is a Starter GPO?
• Stores administrative template settings on which the new GPOs will be based
• Can be exported to .cab files
• Can be imported into other areas of the enterprise
[Diagram: Starter GPO exported to a .cab file; the .cab file imported to GPMC with Load cabinet file]

Migrating Group Policy Objects
The ADMX Migrator utility:
• Can be used to convert custom ADM files to ADMX
• Is GUI-based, and can be downloaded from the Microsoft download site

Options for Delegating Control of GPOs
Methods to delegate control of GPOs:
• Create GPOs in the domain: Membership in Group Policy Creator Owners group or explicit permission to create GPOs
• Edit or delete GPOs: Membership in Group Policy Creator Owners group or assign Edit rights to individual policies
• Link GPOs to containers: Membership in Group Policy Creator Owners group or delegate the right to link GPOs to containers
• Use reporting tools: Membership in Group Policy Creator Owners group or delegate the right to use Group Policy reporting tools
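
An audit of the first three delegation options listed above (create, edit or delete, link), added here as an example that is not part of the course material. It assumes the GroupPolicy and ActiveDirectory RSAT modules with their Windows Server 2012 or later cmdlet names; the $expectedEditors list is a constructed baseline to adjust per domain, and the link check covers only explicit gPLink write entries on OUs, not sites, the domain root, or broader rights such as full control.

```powershell
# Added example: report who holds delegated control over GPOs in the current domain.
Import-Module GroupPolicy, ActiveDirectory

# Assumption: trustees expected to hold edit rights; adjust to local policy.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$editRights      = 'GpoEdit', 'GpoEditDeleteModifySecurity'

# 1. Create: members of Group Policy Creator Owners, nested members included.
$creators = Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# 2. Edit or delete: unexpected trustees with edit rights on individual GPOs.
#    Trustees whose SID no longer resolves have an empty name and are reported too.
$editors = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { [string]$_.Permission -in $editRights -and
                       $_.Trustee.Name -notin $expectedEditors } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Sid        = $_.Trustee.Sid.Value
                Permission = [string]$_.Permission
            }
        }
}

# 3. Link: explicit (non-inherited) write access to the gPLink attribute on OUs.
$gpLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schemaIDGUID of gPLink
$linkers = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                       $_.ObjectType -eq $gpLinkGuid -and
                       ($_.ActiveDirectoryRights -band
                        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) } |
        ForEach-Object {
            [pscustomobject]@{
                OU      = $ou.DistinguishedName
                Trustee = $_.IdentityReference.Value
            }
        }
}

$creators | Format-Table -AutoSize
$editors  | Sort-Object Trustee, Gpo | Format-Table -AutoSize
$linkers  | Sort-Object Trustee, OU  | Format-Table -AutoSize
```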