Chapter 7

CN1276 Server
Kemtis Kunanuraksapong
MSIS with Distinction
MCTS, MCDST, MCP, A+
Agenda
• Chapter 7: Introduction to Group Policy
• Quiz
• Exercise
Group Policy
• Group Policy is a method of controlling settings
across your network
▫ Consists of user and computer settings on all
versions from Windows 2000
• Linking is the process of applying a GPO's
settings to containers (sites, domains and
OUs) within Active Directory
▫ Link multiple GPOs to a single container
▫ Link one GPO to multiple containers
Group Policy (Cont.)
• The following managed settings can be defined
or changed through Group Policies:
▫ Registry-based policies
▪ Modify the Windows Registry: desktop settings,
environment variables
▫ Software installation policies
▪ To ensure that users always have the latest versions
of applications.
▫ Folder redirection
▫ Offline file storage
Group Policy (Cont.)
• The following managed settings can be defined
or changed through Group Policies:
▫ Scripts
▪ Including logon, logoff, startup, and shutdown
scripts
▫ Windows Deployment Services (WDS)
▫ Microsoft Internet Explorer settings
▪ Provide quick links and bookmarks for user
accessibility, browser options such as proxy use,
acceptance of cookies, and caching options
▫ Security settings
▪ Protect resources on computers in the enterprise
Security group filtering
• Allows you to apply GPO settings to only one or
more users or groups within a container by
selectively granting permission to one or more
users or security groups
Group Policy Objects (GPOs)
• Local GPOs
▫ Stored on the local computer in the
%systemroot%\System32\GroupPolicy folder.
▫ Local GPOs contain fewer options.
▫ Do not support folder redirection or Group Policy
software installation.
▫ The local GPO is overwritten by the nonlocal GPO
(AD-based), when in conflict
• Domain GPOs
• Starter GPOs
▫ GPO templates within AD
Group Policy Objects (Cont.)
• Nonlocal GPOs are linked to sites, domains, or
OUs.
• GPOs are stored in two places:
▫ Group Policy container (GPC) — An Active
Directory object that stores the properties of the
GPO.
▫ Group Policy template (GPT) — Located in the
Policies subfolder of the SYSVOL share, the GPT is
a folder that stores policy settings, such as security
settings and script files.
Default Group Policies
• When Active Directory is installed, two domain
GPOs are created by default.
▫ Default Domain Policy
▪ It is linked to the domain, and its settings affect all
users and computers in the domain.
▫ Default Domain Controller Policy
▪ It is linked to the Domain Controllers OU and its
settings affect all domain controllers in the domain.
Group Policy Management Console
• Microsoft Management Console (MMC) snap-in
▫ The GPMC was not pre-installed in Windows
Server 2003; it needed to be downloaded
manually from the Microsoft Web site.
▫ The GPMC is included in Windows Server 2008
by default.
• When you configure a GPO, you will use the
Group Policy Management Editor, which can be
accessed through the GPMC or through Active
Directory Users and Computers.
Group Policy Settings
• Configuring Group Policy settings enables you to
customize the configuration of a user’s desktop,
environment, and security settings.
• The actual settings are divided into two
subcategories:
▫ Computer Configuration
▫ User Configuration
Group Policy Settings (Cont.)
• The Computer Configuration and the User
Configuration nodes contain three subnodes:
▫ Software Settings
▪ Used to apply all the software settings regardless of
the computer
▫ Windows Settings
▪ Used to define security settings and scripts.
▫ Administrative Templates
GPO Inheritance
• You link a GPO to a domain, site, or OU or
create and link a GPO to one of these containers
in a single step. The settings within that GPO
apply to all child objects within the object.
Group Policy Processing (LSDOU)
• Local policies
• Site policies
• Domain policies
• OU Policies
• Any conflicting GPO settings are overwritten by
the later running GPO
Understanding Group Policy Processing
• The computer will obtain a list of GPOs during
startup
• Computer configuration settings are applied
synchronously during computer startup before
the Logon dialog box is presented to the user
• Any startup scripts set to run during computer
startup are processed.
• Then the user is prompted to press Ctrl+Alt+Del to
log on
Understanding Group Policy Processing (Cont.)
• The user profile is loaded based on the Group
Policy settings
• A list of GPOs specific for the user is obtained
from the domain controller.
▫ User Configuration settings also are processed in
the LSDOU sequence.
• After the user policies run, any logon scripts run
• The user's desktop appears after all policies and
scripts have been processed.
Configuring Exceptions to GPO Processing
• Enforce
▫ Forces a particular GPO’s settings to flow down through the
Active Directory without being blocked by any child OUs.
• Block Policy Inheritance
▫ Configuring this setting on a container object such as a site,
domain, or OU will block all policies from parent containers
• Loopback Processing
▫ Alternative method of obtaining the ordered list of GPOs to
be processed for the user.
▫ When set to Enabled, this setting has two options: Merge
and Replace.
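The ordering rules from the processing and exception slides (LSDOU, Enforce, Block Policy Inheritance), as a small Python model added here for illustration; it is not part of the original slides and is not Microsoft's implementation. All GPO names, container names and settings are constructed, and loopback processing and security group filtering are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                # GPO name (constructed for this example)
    settings: dict          # setting name -> value
    enforced: bool = False  # the link's Enforce option

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # in processing order
    block_inheritance: bool = False

def processing_order(local, chain):
    """chain = site, domain, then OUs from parent to child (the SDOU part)."""
    # The lowest container with Block Policy Inheritance hides every
    # non-enforced link from the containers above it.
    first_visible = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, container in enumerate(chain):
        for link in container.links:
            if link.enforced:
                enforced.append(link)
            elif i >= first_visible:
                normal.append(link)
    # Enforced links run after everything else, highest container last,
    # so a child container can neither block nor overwrite them.
    # Assumption of this model: the local GPO is not affected by blocking.
    return [local] + normal + enforced[::-1]

def effective_settings(local, chain):
    result = {}
    for link in processing_order(local, chain):
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)  # later GPO overwrites earlier
    return result

# Constructed sample hierarchy.
LOCAL = Link("Local GPO", {"Wallpaper": "local.bmp", "ScreenSaverTimeout": 900})
CHAIN = [
    Container("Site HQ", [Link("Site Proxy", {"Proxy": "proxy.example.test:8080"})]),
    Container("Domain example.test", [
        Link("Default Domain Policy", {"Wallpaper": "corp.bmp"}),
        Link("Security Baseline", {"ScreenSaverTimeout": 600}, enforced=True)]),
    Container("OU Staff", [Link("Staff Desktop", {"Wallpaper": "staff.bmp"})]),
    Container("OU Lab", [Link("Lab Policy", {"ScreenSaverTimeout": 3600})],
              block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, gpo) in effective_settings(LOCAL, CHAIN).items():
        print(f"{name} = {value!r}  (from {gpo})")
```

With blocking set on the Lab OU, only the enforced Security Baseline survives from above; clearing `block_inheritance` brings the site, domain and parent OU links back in LSDOU order.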
GPUpdate Command
• If you make changes to a group policy, users may
not see changes take effect until:
▫ They log off or log back in.
▫ They reboot the computer.
▫ They wait 90 minutes (+/- 30 minutes) for standalone
servers/workstations and 2 minutes for
domain controllers.
• To manually push group policies, you need to
use the gpupdate command:
gpupdate /force
Assignment
• Matching
▫ 1-10
• Multiple Choice
▫ 1-10
• Online Lab 7