70-411: Administering Windows Server 2012 Chapter 6 Configure and Manage Group Policies

Upload: kelley-reed

Post on 30-Dec-2015


70-411: Administering Windows Server 2012

Chapter 6 Configure and Manage Group Policies


Objective 6.1: Configuring Group Policy Processing


© 2013 John Wiley & Sons, Inc. 3

Group Policies and GPOs

• Group policies are defined using group policy objects (GPOs).

• GPOs are the collection of configuration instructions that the computer processes.

• To assign a group policy, it is linked to an Active Directory container (site, domain, or organizational unit).


Scoping a GPO

Mechanisms for scoping a GPO:

• A GPO link to a site, domain, or organizational unit (OU)

• The GPO link enabled or disabled

• Enforced option of the GPO

• The Block Inheritance option of an OU

• Security group filtering

• WMI filtering

• Loopback policy processing

• Preferences targeting (discussed in Lesson 22)


Understanding Group Policy Inheritance

A computer and user can be affected by multiple GPOs. GPOs are processed in the following order:

1. Local group policy

2. Site

3. Domain

4. OU

Group Policy uses inheritance, in which settings are inherited from the container above.


Understanding Group Policy Inheritance

When Active Directory is installed, two domain GPOs are created by default:

• Default Domain Policy: Linked to the domain. It affects all users and computers in the domain, including domain controllers. It specifies the password, account lockout, and Kerberos policies.

• Default Domain Controllers Policy: Linked to the Domain Controllers organizational unit, which then affects the domain controllers. It contains the default user rights assignments.


Using Filtering with Group Policies

Exceptions to the default processing of group policies can be made with these options:

• Block inheritance

• Enforced
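To see where Block Inheritance and Enforced change the default processing order, the following added example (not part of the original slides) reports the effective GPO list for the domain root and every OU. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the function name Get-GpoScopeReport is hypothetical, and site-linked GPOs are not covered.

```powershell
# Added example: requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoScopeReport {
    param(
        # Distinguished name of the domain to audit; defaults to the current domain.
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )

    # The domain root plus every OU beneath it.
    $targets = @($DomainDn) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDn |
            Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn

        # InheritedGpoLinks is the effective list after Block Inheritance and
        # Enforced have been evaluated; the first entry has the highest precedence.
        $precedence = 0
        foreach ($link in $som.InheritedGpoLinks) {
            $precedence++
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $som.GpoInheritanceBlocked
                Precedence         = $precedence
                Gpo                = $link.DisplayName
                LinkedAt           = $link.Target
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
            }
        }
    }
}

$report = Get-GpoScopeReport

# Containers that block inheritance: only enforced links from above still reach them.
$report | Where-Object InheritanceBlocked |
    Sort-Object Container, Precedence |
    Format-Table Container, Precedence, Gpo, LinkedAt, Enforced -AutoSize

# Enforced links anywhere in the domain (these win over lower-level settings).
$report | Where-Object Enforced |
    Select-Object Gpo, LinkedAt -Unique
```

An OU that blocks inheritance and shows no enforced baseline GPO in this report is not receiving the domain-level settings, which is worth reviewing when that baseline carries security configuration.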


Configuring Security Filtering/WMI Filtering

For granular control over who or what receives a group policy, use these filters:

• Security group filtering: Uses an access control list (ACL) to determine who can modify or read a policy and who or what a GPO is applied to.

• WMI filtering: Uses the WMI Query Language (WQL) to control who or what a GPO is applied to.


Using Security Filtering

Security group filtering uses the GPO's ACL to specify which users, computers, or groups receive the GPO.


WMI Filtering

• Windows Management Instrumentation (WMI): A component that extends the Windows Driver Model through an operating system interface that provides information and notification on hardware, software, operating systems, and services.

• WMI filtering: Configures a GPO to be applied to certain users or computers based on specific hardware, software, operating systems, and services.
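A WMI filter lets the GPO apply when its WQL query returns at least one instance on the client. The added example below (not part of the original slides) runs candidate queries against one or more computers before the filter is attached to a GPO and records how long each query takes. The function name Test-WmiFilterQuery and the two sample queries are constructed for illustration.

```powershell
# Added example (not from the course material). A WMI filter passes when its
# WQL query returns at least one instance on the client being evaluated.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $cimArgs = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
        # Query the local machine directly; remote machines are reached over WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $computer }

        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $matched = @(Get-CimInstance @cimArgs).Count -gt 0
            $failure = $null
        } catch {
            # Reported here as "would not apply": a malformed query or a missing
            # namespace cannot produce a match on that client.
            $matched = $false
            $failure = $_.Exception.Message
        }
        $timer.Stop()

        [pscustomobject]@{
            Computer   = $computer
            GpoApplies = $matched
            Millisec   = $timer.ElapsedMilliseconds
            Error      = $failure
        }
    }
}

# Constructed sample filters: Windows Server 2012 member servers (version 6.2,
# ProductType 3 = server that is not a domain controller) and battery-equipped machines.
$filters = [ordered]@{
    'Server 2012 member servers' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = 3'
    'Portable computers'         = 'SELECT * FROM Win32_Battery'
}
foreach ($name in $filters.Keys) {
    Test-WmiFilterQuery -Query $filters[$name] |
        Select-Object @{ n = 'Filter'; e = { $name } }, Computer, GpoApplies, Millisec, Error
}
```

A filter that silently never matches leaves the GPO unapplied, so checking both the result and the error column on a representative set of machines is useful before relying on the filter to scope a security setting.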


Configuring Loopback Processing

• Group Policy loopback processing is used to assign user policies to computer objects.

• No matter who logs on to a computer, the user policies are applied to the computer.


Configuring Client-Side Extension Behavior

• Client-side extensions (CSEs) are processes that interpret the settings in a GPO and make the changes to the local computer or the currently logged-on user.

• CSEs are triggered when a Group Policy client pulls the GPOs from the domain.

• Each major category of policy setting has CSEs.


Configuring/Managing Slow-Link Processing

• Group policies processed over slow network links can affect the performance of the client computer, of the link between a site and the corporate office, or of the computer being configured via a GPO.

• A link is considered slow if its speed is less than 500 kilobits per second (kbps).

• The Configure Group Policy slow-link detection setting is used to define what is considered a slow-link connection.


Troubleshooting GPOs

Windows Server 2012 provides the following tools for performing Resultant Set of Policy (RSoP) analysis:

• The Group Policy Results Wizard

• The GPResult.exe command

• The Group Policy Modeling Wizard


Objective 6.2: Configuring Group Policy Settings


Group Policy Settings

• Group policy settings are refreshed every 90 minutes with a random delay of up to 30 minutes (giving a random range between 90 minutes and 120 minutes).

• On domain controllers, group policies get refreshed every 5 minutes.


Computer Configuration\Policies Nodes

Software Settings

Windows Settings

Administrative Templates


Software Configuration\Policies Nodes

Software Settings

Windows Settings

Administrative Templates


Software Installation Using Group Policies

• Windows Installer: A software component used for the installation, maintenance, and removal of software on Windows.

• Microsoft Software Installation (MSI) file: Contains installation information for software.

• MSI Transform files: Used to deploy customized MSI files.

• MSI Patch files: Used to apply service packs and hot fixes to installed software.


Assigning or Publishing a Package

When you deploy software to a user or computer, you can assign or publish it using these options:

• Assign software to a user

• Assign software to a computer

• Publish software to a user


Using Folder Redirection

Use Folder Redirection to:

• Redirect the content of a certain folder to a network location or to another location on the user's local computer.

• Redirect the Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Downloads, and other related folders.

It is found under \User Configuration\Policies\Windows Settings.


Using Scripts with Group Policies

• A script is a list of commands that can be executed within a single file, which can perform repetitive tasks.

• The Microsoft Windows Script Host (WSH) is the component that provides scripting capabilities to Windows.


Types of Scripts

Computer Scripts

• Startup

• Shutdown

User Scripts

• Logon

• Logoff


Managing Administrative Templates

When configuring Administrative Templates, there are three states:

• Not Configured: The registry key is not modified or overwritten.

• Enabled: The registry key is modified by this setting.

• Disabled: The Disabled settings undo a change made by a prior Enabled setting.


Objective 6.3: Managing Group Policy Objects


Backing Up and Restoring GPOs

• Back up all GPOs or individual GPOs using the Group Policy Management Console.

• Every time a backup is performed, a new backup version of the GPO is created.


Resetting the Default GPOs

• The DCGPOFix.exe command can restore either or both of the Default Domain Policy and the Default Domain Controllers Policy to their default settings.

• You must be a domain administrator to perform this task.


Delegating Group Policy Management

• Delegation enables you to give non-domain administrators permissions to manage group policies.

• When you grant a person or group permissions to create GPOs, they also are granted permissions to manage the GPOs they created.

• To delegate GPO permissions, use the Group Policy Management Console.
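Security group filtering and delegation both live in each GPO's ACL, so one review covers both. The added example below (not part of the original slides) lists GPOs whose apply scope has been narrowed by security filtering and trustees outside an expected set who can edit a GPO. It assumes the GroupPolicy RSAT module; the $expectedEditors list is an assumption to adjust for your own delegation model.

```powershell
# Added example: requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Assumption: trustees that are expected to hold edit rights in this domain.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

# Permission levels that allow changes; GpoCustom entries need manual review.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

# Flatten every GPO's ACL into one list of entries.
$aces = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Trustee    = $ace.Trustee.Name        # empty when the SID no longer resolves
            Sid        = $ace.Trustee.Sid.Value
            Type       = [string]$ace.Trustee.SidType
            Permission = [string]$ace.Permission
            Denied     = $ace.Denied
        }
    }
}

# Security filtering: GPOs applied to something other than Authenticated Users.
$aces |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee -ne 'Authenticated Users' } |
    Sort-Object Gpo |
    Format-Table Gpo, Trustee, Type -AutoSize

# Delegation: trustees outside the expected set that can change a GPO.
$aces |
    Where-Object { $_.Permission -in $editLevels -and $_.Trustee -notin $expectedEditors } |
    Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, Sid, Permission, Denied -AutoSize
```

Anyone who can edit a GPO linked to a container can change the configuration of every user and computer in that container, so the second table is effectively a list of accounts with administrative reach over those objects.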


Objective 6.4: Configuring Group Policy Preferences


Group Policy Preferences

• Group Policy Preferences (GPP) are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy object (GPO).

• Examples of the new GPP extensions include Folder Options, Drive Maps, Printers, Scheduled Tasks, Services, and Start Menu.


Preferences that Support Editing States

• Start Menu settings

• Regional and Language settings

• Internet options

• Folder options

• Power options (to include Power Schemes)


Actions for Preferences Settings

Most preferences settings include the following actions:

• Create: Create a new preferences setting for the user or computer.

• Replace: Delete and re-create a preferences setting for the user or computer. The result is that GPP replaces all existing settings and files associated with the preference item.

• Update: Modify an existing preferences setting for the user or computer.

• Delete: Remove an existing preferences setting for the user or computer.


Configuring Windows Settings

Preference extensions under Windows Settings include:

• Applications extension: Configure settings for applications.

• Drive Maps extension: Create, modify, or delete mapped drives, and configure the visibility of all drives.

• Environment extension: Create, modify, or delete environment variables.

• Files extension: Copy, modify, or delete files or change the attributes of the files.

• Folders extension: Create, modify, or delete folders.


Configuring Windows Settings

Preference extensions under Windows Settings include (continued):

• Ini Files extension: Add, replace, or delete sections or properties in configuration settings (.ini) or setup information (.inf) files.

• Network Shares extension: Create, modify, or unshare shared folders.

• Registry extension: Copy registry settings and apply them to other computers. Create, replace, or delete registry settings.

• Shortcuts extension: Create, modify, or delete shortcuts.


Configuring Printer Settings

• Similar to adding a printer to Windows, you can add a shared printer, a TCP/IP printer, or a local printer.

• The Printers preference extension allows you to create, configure, and delete Local Printer, TCP/IP Printer, and Shared Printer preference items.


Configuring Custom Registry Settings

The Registry preference extension allows you to:

• Copy registry settings from one computer to another, and to create, replace, or delete an individual registry value.

• Create an empty key, delete a key, or delete all values and subkeys in a key.

• Create collections or folders to organize the Registry preference items.


Configuring Power Options

• The Power Options extension allows you to create and configure Power Plan, Power Options, and Power Scheme preference items.

• Power Options and Power Schemes are used with Windows XP and Windows Vista, and Power Plan is used with Windows Vista and later.


Configuring Internet Explorer Settings

The Internet Settings preference extension allows you to:

• Configure a specific configuration of Internet settings, or

• Configure an initial configuration of Internet settings, but allow end users to make changes.


Item-Level Targeting

Item-level targeting is used to change the scope of individual preference items so that the preference items apply to only selected users or computers.


Targeting Items

• Computer name

• CPU speed

• Date match

• Disk space

• Domain

• IP address range

• Network connection

• Operating system

• Portable computer

• RAM

• User

• Terminal session

• LDAP query

• Time range

• WMI query