70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 9: Implementing and Using Group Policy


Objectives

  • Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection

  • Manage and troubleshoot Group Policy inheritance

  • Deploy and manage software using Group Policy

Guide to MCSE 70-290, Enhanced


Introduction to Group Policy

  • Group policy centralizes management of user and computer configuration settings throughout a network

  • A group policy object is an Active Directory object used to configure policy settings for user and computer objects

  • There are two default Group Policy Objects:

    • Default Domain Policy (linked to domain container)

    • Default Domain Controllers Policy (linked to domain controller OU)


Introduction to Group Policy (continued)

  • You can modify default GPOs

  • You can create new GPOs and link them to particular sites, domains, and OUs

    • Policy settings will be propagated to all users and computers in container including child OUs

  • Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP


Creating a Group Policy Object

  • Two ways to create a GPO:

    • Group Policy standalone Microsoft Management Console (MMC) snap-in

    • Group Policy extension in Active Directory Users and Computers


Activity 9-1: Creating a Group Policy Object Using the MMC

  • Objective: To create a GPO using the Group Policy Object Editor MMC snap-in

    • Locate the MMC Group Policy Object Editor snap-in

    • Create a new GPO


Activity 9-2: Creating OUs and Moving User Accounts

  • Objective: To create new Organizational Units and move existing user accounts into them.

    • Must be familiar with using OUs for controlling the application of Group Policy settings

  • Create new OUs using Active Directory Users and Computers

  • Move users into the new OUs


Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers

  • Objective: Create a GPO using Active Directory Users and Computers as an alternative to MMC snap-in

    • From Active Directory Users and Computers, use the Group Policy tab of the Properties of an existing OU to add and create GPOs

    • Browse configuration settings of a Group Policy Object


Editing a GPO

  • Table 9-1 shows configuration categories for both computer and user configurations

  • Two tabs in Properties of each setting:

    • Setting allows you to enable or disable the setting

    • Explain provides information about the setting

  • GPO content is stored in 2 locations:

    • Group Policy container (GPC)

    • Group Policy template (GPT)

  • A GPO is identified by a 128-bit globally unique identifier (GUID)


Activity 9-4: Deleting Group Policy Objects

  • Objective: To delete a GPO using Active Directory Users and Computers

  • A previously created GPO is deleted from an OU


Application of Group Policy

  • Two main categories to a Group Policy

    • Computer configuration (settings apply to computers in the container)

    • User configuration (settings apply to users in the container)

  • Upon computer startup (or user logon)

    • Computer queries domain controller for GPOs. Domain controller finds applicable GPOs.

    • Domain controller presents list of GPOs. The client gets Group Policy templates, applies the settings and runs the scripts.

    • Same basic process happens for user logons


Controlling User Desktop Settings

  • Administrative templates

    • Used to limit user manipulation of user desktop and computer configurations

    • Aim is to reduce administrative costs

    • Seven main categories of configuration settings can be applied to either computer or user section of a GPO


Activity 9-5: Configuring Group Policy Object User Desktop Settings

  • Objective: To configure and test the application of Group Policy settings

  • Use Active Directory Users and Computers to access the desired configuration settings

  • Configure settings using the Group Policy Object Editor

  • Verify that the configured settings have the expected results


Managing Security Settings with Group Policy

  • Password Policy, Account Policy, and Kerberos Policy settings are only applicable to domain objects

  • Other nodes in Security Settings category can be applied at both domain and OU levels

    • Local Policies

      • Audit Policy

      • User Rights Assignment

      • Security Options


Managing Security Settings with Group Policy (continued)

  • Event Log

  • Restricted Groups

  • System Services

  • Registry

  • File System

  • Wireless Network Policies

  • Public Key Policies

  • Software Restriction Policies

  • IP Security Policies on Active Directory


Activity 9-6: Configuring Group Policy Object Security Settings

  • Objective: Use Group Policy settings to configure a logon banner for domain users

  • Use Active Directory Users and Computers to access the Default Domain Policy GPO

  • Create a logon banner

  • Verify that the banner appears


Activity 9-7: Configuring File System Security Using Group Policy Settings

  • Objective: Use Group Policy settings to configure security permissions

  • Create a folder

  • Use Active Directory Users and Computers to configure the permissions on the folders

  • Update Group Policy settings on the server

  • Verify that the permissions are explicitly defined


Assigning Scripts

  • Windows Server 2003 can run scripts during:

    • User logon or logoff

      • User section of GPO

    • Computer startup and shutdown

      • Computer section of GPO

  • Default is for scripts to run synchronously from top to bottom

  • Can specify script time-outs, asynchronous execution, and hiding of scripts


Activity 9-8: Assigning Logon Scripts to Users Using Group Policy

  • Objective: Use GPOs to assign logon scripts to domain users

  • Create a script file

  • Add the script to the logon policies of a particular group using Active Directory Users and Computers

  • Verify that the script runs for members of the group and not for other users


Redirecting Folders

  • Allows you to redirect the contents of a user’s profile to a network location

  • Profile contents that can be redirected are application data, desktop, My Documents, Start menu

  • Redirection is useful because it:

    • Aids in backup

    • Reduces logon time

    • Allows creation of a standard desktop for multiple users


Managing Group Policy Inheritance

  • Specific order for GPO application:

    • Local computer → Site → Domain → Parent OU → Child OU

  • By default, all GPO settings are inherited

  • At each level, there can be multiple GPOs

    • Policies are applied in the order that they appear on the Group Policy tab for each container, bottom GPO first

  • Applying a large number of GPOs can affect startup and logon performance


Managing Group Policy Inheritance (continued)

  • Conflicts are resolved according to a set formula

  • Policies are updated automatically at intervals and can be updated manually

  • Policies can be linked to a site, domain, or specific OU containers

  • Multiple Group Policies can be assigned to a single container

  • A single Group Policy can be linked to multiple containers


Activity 9-9: Linking a Group Policy Object to Multiple Containers

  • Objective: Link a single GPO to multiple containers

  • Using Active Directory Users and Computers, create and configure a new GPO in one OU

  • Add the GPO to another OU


Configuring Block Policy Inheritance, No Override, and Filtering

  • These options allow default behavior to be changed for specific containers

    • Can change default inheritance policy

    • Can change default conflict resolution

    • Can change permissions for a specific member within a group to deny GPO application for that member


Blocking Group Policy Inheritance

  • To change default inheritance, use the Block Policy inheritance check box on the Group Policy tab for a child container

    • Child will not inherit parent’s policies

    • Useful if one OU needs to be managed separately


Configuring No Override

  • If a policy is configured with No Override

    • It will be enforced despite conflicts in lower-level policies

    • It will be enforced on lower-level containers with Block Policy inheritance set


Filtering Using Permissions

  • Prevents policy settings from applying to a particular user, group, or computer within a container

  • To filter a GPO from a particular container member, deny Read and Apply Group Policy permissions for the member account only
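
The processing order, Block Policy inheritance, No Override and permission filtering described on the preceding slides can be modelled in a few lines. This is an added example, not part of the original presentation: it covers only the Active Directory containers (the local computer policy is left out), every GPO name except Default Domain Policy is constructed, and the rule that a higher-level No Override link wins over a lower-level one is an assumption the slides do not state.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    denied: set = field(default_factory=set)  # accounts/groups denied Read + Apply Group Policy

@dataclass
class Link:
    gpo: GPO
    no_override: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # Group Policy tab order, top first
    block_inheritance: bool = False

def resultant_set(chain, principals):
    """chain: containers ordered Site, Domain, Parent OU, Child OU.
    principals: the account plus the groups it belongs to.
    Returns {setting: (value, name of the winning GPO)}."""
    # The lowest container with Block Policy inheritance cuts off everything above it.
    first = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        forced_here = []
        for link in reversed(container.links):   # bottom GPO first
            if link.gpo.denied & principals:     # filtered out by permissions
                continue
            if link.no_override:
                forced_here.append(link.gpo)     # survives blocking
            elif level >= first:
                normal.append(link.gpo)
        enforced.insert(0, forced_here)          # higher containers end up last (assumption)
    result = {}
    ordered = normal + [g for level in enforced for g in level]
    for gpo in ordered:                          # later GPOs overwrite earlier ones
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample hierarchy (setting names and values are illustrative only).
BANNER = GPO("Default Domain Policy", {"logon_banner": "Authorized use only"})
DESKTOP = GPO("Desktop Baseline", {"remove_run_menu": True, "wallpaper": "corp.bmp"})
SALES = GPO("Sales Desktop", {"wallpaper": "sales.bmp", "logon_banner": "Sales"})
KIOSK_LOCK = GPO("Kiosk Lock", {"screensaver_timeout": 300})
KIOSK_BASE = GPO("Kiosk Base", {"screensaver_timeout": 900, "wallpaper": "kiosk.bmp"},
                 denied={"Kiosk Admins"})

SITE = Container("Site")
DOMAIN = Container("Domain", [Link(BANNER, no_override=True), Link(DESKTOP)])
SALES_OU = Container("Sales OU", [Link(SALES)])
KIOSK_OU = Container("Kiosk OU", [Link(KIOSK_LOCK), Link(KIOSK_BASE)],
                     block_inheritance=True)

if __name__ == "__main__":
    for who in ({"alice"}, {"bob", "Kiosk Admins"}):
        print(sorted(who), resultant_set([SITE, DOMAIN, SALES_OU, KIOSK_OU], who))
```

For a real account, compare the model's answer with what GPRESULT or the Resultant Set of Policy snap-in reports.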


Activity 9-10: Configuring Group Policy Object Inheritance Settings

  • Objective: Explore and configure Group Policy inheritance settings

  • Configure the Default Domain Policy GPO using Active Directory Users and Computers

  • Override the Default Domain Policy configuration at the OU level and verify the override

  • Configure No Override option at the domain level

  • Verify No Override option


Activity 9-11: Filtering Group Policy Objects Using Security Permissions

  • Objective: Use security permissions to filter and control the application of Group Policy settings

  • Using Active Directory Users and Computers, add a user account to a group but deny the group’s GPO permissions

  • Verify that the added user account is not configured with the group’s GPO


Troubleshooting Group Policy Settings

  • Potential trouble areas:

    • Order of Group Policy processing

    • Improper use of No Override or Block Policy inheritance settings

    • Read and Apply Group Policy permissions

  • Utilities that show effective Group Policy settings

    • GPRESULT

      • Command-line utility

    • Resultant Set of Policy (RSoP)

      • Graphical utility


Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool

  • Objective: Use RSoP to determine effective Group Policy settings

  • Use Active Directory Users and Computers to configure the Default Domain Policy

  • Open a new MMC with the Resultant Set of Policy snap-in

  • Use RSoP to Generate RSoP Data


Deploying Software Using Group Policy

  • Applications that can be deployed using Group Policy include:

    • Business applications (e.g., Microsoft Office)

    • Anti-virus software

    • Software updates (e.g., service packs)

  • Four phases of software rollout

    • Software preparation

    • Deployment

    • Software maintenance

    • Software removal


Software Preparation

  • Microsoft Windows installer package (MSI)

    • MSI file contains all of the information needed to install an application in a variety of configurations

    • Software vendors include preconfigured MSI packages

    • For older applications, can create MSI packages using 3rd party utilities (e.g., VERITAS)

  • To install, place MSI file in a shared folder and configure Group Policy to access for installation


Software Preparation (continued)

  • If an application doesn’t have an MSI package, a ZAP file can be used

    • Text file used by Group Policy to deploy an application

    • Can only be published and not assigned

    • Is not resilient

    • Requires user intervention and proper permissions


Deployment

  • Two ways to deploy an application

    • Assigning applications

    • Publishing applications


Assigning Applications

  • When a policy is created to assign an application

    • Any user who the policy applies to has a shortcut on the Start menu

      • Application is installed when user clicks shortcut the first time or opens it with an associated document

    • If policy configured in computer section, application is installed next time the computer is started

    • Applications are resilient (if files are corrupted, the application will reinstall itself)


Publishing Applications

  • When a policy is created to publish an application

    • Not advertised in Start menu

    • Installed using the Add/Remove Programs applet or by opening an associated document

    • Only published to users and not computers


Configuring the Deployment

  • Create or edit a GPO and specify deployment options

  • Assign or publish application to computers or users to install at the appropriate time


Activity 9-13: Publishing an Application to Users Using Group Policy

  • Objective: Publish an application using Group Policy settings

  • Create a shared folder and copy files into it

  • Create a GPO to publish the MSI software files in the folder

  • Log in as a member of the group using the GPO and install the software


Activity 9-14: Assigning an Application to Users Using Group Policy

  • Objective: To assign an application using Group Policy settings

  • Create and configure a new GPO to assign software installation to the users in an OU

  • Log on as a user in the OU

  • Verify that the software installs and executes as expected


Software Maintenance

  • Software must be maintained with patches and updates

  • Deployment of patches and updates can be:

    • Mandatory upgrade

    • Optional upgrade

    • Redeployment of an application


Software Removal

  • Application must have been originally installed using a Windows installer package

  • Removal can be:

    • Forced removal

    • Optional removal

  • Forced removal uninstalls application and prevents it from being reinstalled

  • Optional removal does not uninstall application but does prevent it from being reinstalled once removed


Summary

  • A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects

  • Two default GPOs created when Active Directory is installed:

    • Default Domain Policy

    • Default Domain Controllers Policy

  • Two mechanisms for creating GPOs

    • Microsoft Management Console Group Policy snap-in

    • Group Policy extension in Active Directory Users and Computers


Summary (continued)

  • GPOs can be used:

    • to control user desktop settings and security settings

    • to apply scripts on user logon and logoff and computer startup and shutdown

    • for folder redirection

  • GPOs are applied in a specific order

  • GPOs are inherited by default

    • Can be changed by blocking Group Policy inheritance, configuring No Override, or filtering using user permissions

    • Use GPRESULT or Resultant Set of Policy tool to view effective Group Policy settings


Summary (continued)

  • GPOs are useful in deploying and maintaining software applications

  • GPOs are used for four main phases of software rollout: preparation, deployment, maintenance, removal

  • For deployment, Group Policy uses an MSI file containing information needed to install in a variety of configurations

  • Deployed applications can be either assigned or published
