70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy


Understanding Group Policy Concepts

  • Group Policy Objects (GPOs)

    • Local GPOs are stored on each Windows 2000+ client and server

    • Non-local GPOs are stored at the domain level within AD


Introduction to Group Policy

  • Group policy centralizes management of user and computer configuration settings throughout a network

  • A group policy object is an Active Directory object used to configure policy settings for user and computer objects

  • There are two default Group Policy Objects:

    • Default Domain Policy (linked to domain container)

    • Default Domain Controllers Policy (linked to domain controller OU)


Introduction to Group Policy (continued)

  • You can modify default GPOs

  • You can create new GPOs and link them to particular sites, domains, and OUs

    • Policy settings will be propagated to all users and computers in container including child OUs

  • Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP


Creating a Group Policy Object

  • Two ways to create a GPO:

    • Group Policy standalone Microsoft Management Console (MMC) snap-in

    • Group Policy extension in Active Directory Users and Computers


Group Policy

  • Desktop settings

  • Security

  • Scripts

    • Computer

    • User

  • Folder redirection

  • Software deployment


Editing a GPO

  • Computer or User Configuration


Editing a GPO (continued)

  • Two tabs in Properties of each setting:

    • Setting allows you to enable or disable the setting

    • Explain provides information about the setting

  • GPO content is stored in 2 locations:

    • Group Policy container (GPC)

      • An AD container

      • Stores info such as GUID and Version

      • System\Policies

    • Group Policy template (GPT)

      • Stores GPO settings

      • Registry changes stored in Registry.pol

      • %systemroot%\sysvol\<domain name>\Policies

  • A GPO is identified by a 128-bit globally unique identifier (GUID)


Understanding Group Policy Concepts

  • Group Policy template information


Understanding Group Policy Concepts

  • Group Policy template subfolders


Understanding Group Policy Concepts

  • Group Policy template subfolders

  • GPT.INI

    • In root folder of each template

    • Enabled/Disabled

    • Version
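The Version stored in GPT.INI can be checked against the version held in the Group Policy container; a mismatch means the two halves of the GPO are out of step. This is an added example, not part of the presentation: the sample file, GUID and function names are constructed, and it relies on the version number packing the user revision in the upper 16 bits and the computer revision in the lower 16 bits.

```python
import configparser
import re

# Constructed sample: a GPT.INI as found in the root folder of a template.
SAMPLE_GPT_INI = """[General]
Version=196613
displayName=New Group Policy Object
"""

# GPT folders under ...\Policies are named after the GPO's GUID in braces.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_gpt_version(ini_text):
    """Return (user_version, computer_version) from GPT.INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text.lstrip("\ufeff"))  # tolerate a leading BOM
    for name in cp.sections():  # section names are matched case-insensitively
        if name.lower() == "general" and cp.has_option(name, "version"):
            raw = cp.getint(name, "version")
            if not 0 <= raw <= 0xFFFFFFFF:
                raise ValueError("Version out of 32-bit range")
            return raw >> 16, raw & 0xFFFF
    raise ValueError("no [General] Version entry")


def check_gpo(folder_name, ini_text, gpc_version_number):
    """Compare the GPT version with the GPC version; return a list of findings."""
    findings = []
    if not GUID_DIR.match(folder_name):
        findings.append("folder name is not a braced GUID")
    try:
        gpt = parse_gpt_version(ini_text)
    except (ValueError, configparser.Error) as exc:
        return findings + [f"GPT.INI unreadable: {exc.__class__.__name__}"]
    gpc = (gpc_version_number >> 16, gpc_version_number & 0xFFFF)
    for label, t, c in (("user", gpt[0], gpc[0]), ("computer", gpt[1], gpc[1])):
        if t != c:
            findings.append(f"{label} version mismatch: GPT={t} GPC={c}")
    return findings


if __name__ == "__main__":
    # Constructed GUID and GPC version for the demonstration run.
    print(check_gpo("{11111111-2222-3333-4444-555555555555}", SAMPLE_GPT_INI, 196614))
```
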


Application of Group Policy

  • Two main categories to a Group Policy

    • Computer configuration (settings apply to computers in the container)

    • User configuration (settings apply to users in the container)

  • Upon computer startup (or user logon)

    • Computer queries domain controller for GPOs. Domain controller finds applicable GPOs.

    • Domain controller presents list of GPOs. The client gets Group Policy templates, applies the settings and runs the scripts.

    • Same basic process happens for user logons


Group Policies

  • Computer settings take precedence over user settings

  • Computer settings take effect

    • After refresh interval 90+ minutes

    • When OS restarted

  • User settings take effect

    • After refresh interval 90+ minutes

    • When new logon


Group Policies

  • Policy settings

    • Not Configured

      • Processed

    • Enabled

      • Processed

    • Disabled

      • Not Processed

  • Local Computer policy settings

    • Applied as soon as they are saved


Controlling User Desktop Settings

  • Administrative templates

    • Used to limit user manipulation of user desktop and computer configurations

    • Aim is to reduce administrative costs

    • Seven main categories of configuration settings can be applied to either computer or user section of a GPO


Controlling User Desktop Settings (continued)


Managing Security Settings with Group Policy

  • Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects

  • Other nodes in Security Settings category can be applied at both domain and OU levels

    • Local Policies – applies to local account database

      • May be overwritten by domain or OU policies

      • Audit Policy

      • User Rights Assignment

      • Security Options


Understanding Group Policy Concepts

  • Password Policy settings, under Windows settings

    • Password History

    • Password age

    • Min Length

    • Complexity

    • Encryption


Understanding Group Policy Concepts

  • Account Lockout Policy under Windows settings

    • Duration

    • Threshold

    • Reset

      • Zero must manually reset
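The Password Policy and Account Lockout Policy settings listed above are saved in the GPO's security template, where they can be reviewed offline. This is an added example, not part of the presentation: the sample template is constructed, and the baseline values are assumptions chosen for illustration, not figures from the course.

```python
import configparser

# Constructed sample of a security template (GptTmpl.inf, kept under the
# GPT's Machine\Microsoft\Windows NT\SecEdit folder). Real files are usually
# UTF-16; decode them before passing the text in.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
ClearTextPassword = 1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template key -> (name used on the slides, check against an ASSUMED baseline).
BASELINE = {
    "minimumpasswordlength": ("Min Length", lambda v: v >= 8),
    "passwordcomplexity": ("Complexity", lambda v: v == 1),
    "passwordhistorysize": ("Password History", lambda v: v >= 12),
    "cleartextpassword": ("Encryption", lambda v: v == 0),  # 1 = reversible
    "lockoutbadcount": ("Threshold", lambda v: 1 <= v <= 10),  # 0 = no lockout
}


def audit_system_access(inf_text):
    """Return {setting name: 'ok' | 'weak (value)' | 'not defined in this GPO'}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text.lstrip("\ufeff"))
    section = next((s for s in cp.sections() if s.lower() == "system access"), None)
    results = {}
    for key, (label, is_ok) in BASELINE.items():
        if section is None or not cp.has_option(section, key):
            # A key absent from the template is simply not set by this GPO.
            results[label] = "not defined in this GPO"
            continue
        value = cp.getint(section, key)
        results[label] = "ok" if is_ok(value) else f"weak ({value})"
    return results


if __name__ == "__main__":
    for name, verdict in audit_system_access(SAMPLE_INF).items():
        print(f"{name}: {verdict}")
```
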


Managing Security Settings with Group Policy (continued)

  • Event Log

  • Restricted Groups – controls group membership

  • System Services

  • Registry

  • File System

  • Wireless Network Policies

  • Public Key Policies

  • Software Restriction Policies

  • IP Security Policies on Active Directory


Assigning Scripts

  • Windows Server 2003 can run scripts during:

    • User logon or logoff

      • User section of GPO

    • Computer startup and shutdown

      • Computer section of GPO

  • Default is for scripts to run synchronously from top to bottom

  • Can specify script time-outs, asynchronous execution, and hiding of scripts


Try it! Activity 9.1 – 9.7

