Chapter 7

CN1276 Server
Kemtis Kunanuraksapong
MSIS with Distinction
• Chapter 7: Introduction to Group Policy
• Quiz
• Exercise
Group Policy
• Group Policy is a method of controlling settings
across your network
▫ Consists of user and computer settings on all
versions from Windows 2000
• Linking is the process that applies GPO
settings to various containers (domains, sites, and
OUs) within Active Directory
▫ Link multiple GPOs to a single container
▫ Link one GPO to multiple containers
Group Policy (Cont.)
• The following managed settings can be defined
or changed through Group Policies:
▫ Registry-based policies
▪ Modify the Windows Registry – desktop settings,
environment variables
▫ Software installation policies
▪ To ensure that users always have the latest versions
of applications.
▫ Folder redirection
▫ Offline file storage
Group Policy (Cont.)
• The following managed settings can be defined
or changed through Group Policies:
▫ Scripts
▪ Including logon, logoff, startup, and shutdown
▫ Windows Deployment Services (WDS)
▫ Microsoft Internet Explorer (IE) settings
▪ Provide quick links and bookmarks for user
accessibility, browser options such as proxy use,
acceptance of cookies, and caching options
▫ Security settings
▪ Protect resources on computers in the enterprise
Security group filtering
• Allows you to apply GPO settings to only one or
more users or groups within a container by
selectively granting permission to one or more
users or security groups
Group Policy Objects (GPOs)
• Local GPOs
▫ Stored on the local computer in the
%systemroot%\System32\GroupPolicy folder.
▫ Local GPOs contain fewer options.
▫ Do not support folder redirection or Group Policy
software installation.
▫ The local GPO is overwritten by the nonlocal GPO
(AD-based), when in conflict
• Domain GPOs
• Starter GPOs
▫ GPO templates within AD
Group Policy Objects (Cont.)
• Nonlocal GPOs are linked to sites, domains, or
• GPOs are stored in two places:
▫ Group Policy container (GPC) — An Active
Directory object that stores the properties of the
▫ Group Policy template (GPT) — Located in the
Policies subfolder of the SYSVOL share, the GPT is
a folder that stores policy settings, such as security
settings and script files.
Default Group Policies
• When Active Directory is installed, two domain
GPOs are created by default.
▫ Default Domain Policy
▪ It is linked to the domain, and its settings affect all
users and computers in the domain.
▫ Default Domain Controller Policy
▪ It is linked to the Domain Controllers OU and its
settings affect all domain controllers in the domain.
Group Policy Management Console
• Microsoft Management Console (MMC) snap-in
▫ The GPMC was not pre-installed in Windows
Server 2003; it needed to be downloaded
manually from the Microsoft Web site.
▫ The GPMC is included in Windows Server 2008
by default.
• When you configure a GPO, you will use the
Group Policy Management Editor, which can be
accessed through the GPMC or through Active
Directory Users and Computers.
Group Policy Settings
• Configuring Group Policy settings enables you to
customize the configuration of a user’s desktop,
environment, and security settings.
• The actual settings are divided into two
▫ Computer Configuration
▫ User Configuration
Group Policy Settings (Cont.)
• The Computer Configuration and the User
Configuration nodes contain three subnodes:
▫ Software Settings
▪ Used to apply all the software settings regardless of
the computer
▫ Windows Settings
▪ Used to define security settings and scripts.
▫ Administrative Templates
GPO Inheritance
• You link a GPO to a domain, site, or OU or
create and link a GPO to one of these containers
in a single step. The settings within that GPO
apply to all child objects within the object.
Group Policy Processing (LSDOU)
Local policies
Site policies
Domain policies
OU Policies
Any conflicting GPO settings are overwritten by
the later running GPO
Understanding Group Policy Processing
• The computer will obtain a list of GPOs during
• Computer configuration settings are applied
synchronously during computer startup before
the Logon dialog box is presented to the user
• Any startup scripts set to run during computer
startup are processed.
• Then the user is prompted to press Ctrl+Alt+Del to
log on
Understanding Group Policy Processing (Cont.)
• The user profile is loaded based on the Group
Policy settings
• A list of GPOs specific for the user is obtained
from the domain controller.
▫ User Configuration settings also are processed in
the LSDOU sequence.
• After the user policies run, any logon scripts run
• The user's desktop appears after all policies and
scripts have been processed.
Configuring Exceptions to GPO
• Enforce
▫ Forces a particular GPO’s settings to flow down through the
Active Directory without being blocked by any child OUs.
• Block Policy Inheritance
▫ Configuring this setting on a container object such as a site,
domain, or OU will block all policies from parent containers
• Loopback Processing
▫ Alternative method of obtaining the ordered list of GPOs to
be processed for the user.
▫ When set to Enabled, this setting has two options: Merge
and Replace.
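Added example (not part of the original slides): a small Python model of how the LSDOU order, Enforce and Block Policy Inheritance combine into one effective set of settings, useful for reasoning about which GPO actually wins. The container, GPO and setting names are constructed; the rule that the highest container wins among enforced links follows documented Group Policy behaviour and goes beyond the slide text, and loopback processing is not modeled.

```python
from dataclasses import dataclass

@dataclass
class Link:                       # one GPO link on a container
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:                  # a site, domain or OU
    name: str
    links: list
    block_inheritance: bool = False

def effective_policy(local_settings, chain):
    """chain: site, domain, then OUs parent -> child (the S-D-OU part of LSDOU).
    Returns {setting: (value, source)} after conflict resolution."""
    # Block Inheritance on a container discards non-enforced links from every
    # container above it, so find the lowest container that sets the flag.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance),
                     default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.enforced:
                enforced.append((i, c, link))   # Enforce is never blocked
            elif i >= first_kept:
                normal.append((i, c, link))
    # Enforced links run last, lowest container first, so the highest one wins.
    enforced.sort(key=lambda t: -t[0])
    result = {k: (v, "Local GPO") for k, v in local_settings.items()}
    for _, c, link in normal + enforced:
        for k, v in link.settings.items():      # later writer overwrites earlier
            result[k] = (v, f"{link.gpo} @ {c.name}")
    return result

# Constructed sample hierarchy (hypothetical names and values).
LOCAL = {"ScreenSaverTimeout": 900}
CHAIN = [
    Container("Site:HQ", [Link("Site-Proxy", {"ProxyServer": "proxy.hq.example:8080"})]),
    Container("Domain:corp.example", [
        Link("Default Domain Policy",
             {"MinPasswordLength": 12, "ScreenSaverTimeout": 600}, enforced=True),
        Link("Domain-Desktop", {"Wallpaper": "corp.bmp"})]),
    Container("OU:Labs", [Link("Labs-Relaxed",
             {"MinPasswordLength": 6, "Wallpaper": "labs.bmp"})], block_inheritance=True),
]

if __name__ == "__main__":
    for k, (v, src) in sorted(effective_policy(LOCAL, CHAIN).items()):
        print(f"{k:20} = {v!s:24} <- {src}")
```

With Block Policy Inheritance set on the Labs OU, the site proxy and domain wallpaper settings are dropped, but the enforced domain password and screen-saver settings still override the OU's weaker values.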
GPUpdate Command
• If you make changes to a group policy, users may
not see changes take effect until:
▫ They log off or log back in.
▫ They reboot the computer.
▫ They wait 90 minutes (+/- 30 minutes) for standalone servers/workstations and 2 minutes for
domain controllers.
• To manually push group policies, you need to
use the gpupdate command:
Gpupdate /force
• Matching
▫ 1-10
• Multiple Choice
▫ 1-10
• Online Lab 7