Section 2: Using Group Policy Management Tools
• Local vs. Domain Policies
• Editing Local Policies
• Managing Domain Policies
• Understanding Group Policy Refresh
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
• Use Group Policy Management tools
• Describe the advantages of using domain policies instead of local policies
• List the capabilities of the Group Policy Management Console
• Describe the requirements for installing the Group Policy Management Console
• Explain how to use the different GPMC features to create and manage policies
• Describe the elements of the gpupdate command
Local vs. Domain Policies
Local Policies
• Pre-image setup
• Workgroup-only computers
• Kiosk computers
• Roving laptops
Domain Policies
• Affect a large number of systems
• Centrally managed
• More secure
Editing Local Policies
Tools and their features:
Gpedit.msc
• Simple to run
• Edits local policies only
MMC.exe with the GPOE snap-in
• Edit local or remote policies
• Edit policies for computer or multiple local users or groups
• Save as for future use
Using Gpedit.msc
Run GPEdit.msc on a local machine to edit the local policies only. Useful for stand-alone or workgroup-based machines.
Using MMC.exe with the GPOE Snap-in
Add the GPOE Snap-in to the MMC in order to modify the local policy for a specific user or group.
Managing Domain Policies
• Using the GPMC
• Other Group Policy Tools
• Creating Policies
• Editing Policies
• Configuring Values
Using the GPMC
• Understanding the Group Policy Management Console
• Installing the GPMC
• Opening the GPMC
• Using the GPMC from the Server Manager
• Configuring the GPMC
• Searching and Filtering
Understanding the Group Policy Management Console
Centralized policy management tool
Provides the capabilities of many separate tools and adds new functionality:
• OU hierarchy view
• Policy editing
• RSoP
• Backup and restore of policies
Installing the GPMC
Windows Vista and later:
• Install the free RSAT download from Microsoft
• Open Control Panel, Programs and Features, Turn Windows Features On or Off
• Within the RSAT section enable the Group Policy Management Tools
Windows Server 2008 and later:
• Open the Server Manager
• Click Add roles and features
• Add the Group Policy Management feature
Opening the GPMC
Windows 7 or Windows Server 2008:
• Click Start, Administrative Tools, and Group Policy Management.
• Click Start, and type gpmc.msc in the Search box.
Windows 8 or Windows Server 2012:
• On the Start screen, type gpmc.msc.
• On Windows Server 2012 or Windows 8 Client, in the Server Manager click Tools, Group Policy Management.
Using the GPMC from the Server Manager
The Tools menu within the Server Manager contains a link to the GPMC.
Configuring the GPMC
The domain that you are logged on to will already be selected by default.
In a multi-domain environment, right-click the Domains node, then select Show Domains.
Searching and Filtering
Searching for GPOs
• Can be useful when dealing with a very large policy infrastructure.
Filtering in the GPO Editor
• Thousands of Administrative Templates items are available.
• Filter to display only policies that are configured.
• Filter by keyword.
• Narrow the policy listing to make it more manageable.
Searching for GPOs
Use the Search feature to find specific GPOs.
Filtering in the GPO Editor
Use the Filter option to limit the number of Administrative Templates that are displayed.
Other Group Policy Tools
Group Policy Management Editor
• Use to edit the policy values
Gpupdate.exe and Invoke-GPUpdate
• Use to update policies ahead of the default refresh
Gpresult.exe and Get-GPResultantSetOfPolicy
• Command-line tools for RSoP processing
Creating Policies
All policies are stored in the Group Policy Objects container.
They become active when they are linked to a Site, Domain or OU.
Editing Policies
Computer and user configuration items:
• Policies
• Administrative Templates
• Preferences
Configuring Values
Most policies have three states:
• Not Configured
• Enabled
• Disabled
Understanding Group Policy Refresh
The default refresh interval for policy update is 90 to 120 minutes.
Several methods are available to update ahead of this scheduled interval:
• Invoke-GPUpdate
• GPUpdate.exe
• Remote GPUpdate in the GPMC
Invoke-GPUpdate
• Invoke-GPUpdate is used from PowerShell
• Can update the local or remote systems
• Updates can be scheduled up to 31 days in the future
GPUpdate.exe
GPUpdate without any options will update only the policies that have been modified
Using the /force switch will cause GPUpdate to download ALL policies
Use the /force switch only if necessary
Remote GPUpdate in the GPMC
Update all machines in a specific OU from within the GPMC
The update is scheduled with a random delay
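As an added example (not part of the course material): refreshing policy for every computer in one OU with Invoke-GPUpdate and a random delay, then saving an RSoP report to confirm what was applied. The OU path, delay value, function names and report folder are assumptions; the GroupPolicy and ActiveDirectory modules from RSAT are required.

```powershell
# Added example: the OU path, function names and report folder are constructed placeholders.
Import-Module GroupPolicy, ActiveDirectory

function Invoke-OuPolicyRefresh {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        # Invoke-GPUpdate accepts a delay of up to 31 days (44640 minutes).
        [ValidateRange(0, 44640)] [int] $DelayMinutes = 10,
        [switch] $Force
    )
    foreach ($c in Get-ADComputer -SearchBase $OuDn -Filter *) {
        try {
            # Without -Force only changed settings are reapplied, like plain gpupdate.
            Invoke-GPUpdate -Computer $c.DNSHostName -RandomDelayInMinutes $DelayMinutes `
                -Force:$Force -ErrorAction Stop
            $status = 'Scheduled'
        } catch {
            # Offline hosts or blocked remote task scheduling end up here.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $c.DNSHostName; Status = $status }
    }
}

function Save-RsopReport {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] [string] $User,
        [string] $Folder = (Join-Path $env:TEMP 'rsop')
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $path = Join-Path $Folder "$Computer.html"
    # Writes the resultant set of policy for this computer/user pair as HTML.
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $path |
        Out-Null
    $path
}

# Usage (constructed names): refresh an OU, then list the hosts that were not reached.
$results = Invoke-OuPolicyRefresh -OuDn 'OU=Kiosks,DC=example,DC=test' -DelayMinutes 10
$results | Where-Object Status -ne 'Scheduled' | Format-Table -AutoSize
```

Run Save-RsopReport only after the delay has elapsed, since the refresh on each host is scheduled rather than immediate.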
Summary
The advantages of using domain policies instead of local policies are:
• You can apply policies on a broad basis to a large number of computers and users. This provides a central management capability that is not available when you configure policies locally.
• Policies that are configured through the domain cannot be overridden by local policy settings, so they are more secure.
Summary (cont.)
Group Policy Tools
Group Policy Tool / Use it to…
Group Policy Management Console
• View and manage all the policies that exist in a given Active Directory forest
Group Policy Management Editor
• View and modify all of the policy settings within a GPO
Gpupdate.exe
• Remotely update GPOs
Gpresult.exe
• Display all the policy settings that are active for a computer or user
RSoP snap-in
• Troubleshoot the policies that are applied to computers or users
Summary (cont.)
Desktop Policies
Policy / Description
Computer Configuration
• Settings that apply only to the computer objects that are within the scope of the policy
User Configuration
• Settings that apply to the user objects that are within the scope of the policy
Desktop Settings and Restrictions
• Include a wide range of desktop settings, from changing the aesthetic background logo to a complete lockdown of the system
Logon Scripts
• Perform actions at logon; settings are now incorporated into Group Policy as individual configurable items
Folder Redirection
• Process that stores the user’s personal My Documents files on a server instead of locally
Summary (cont.)
Software Policies
Policy / Description
Distributing Software Packages
• Software Installation section within Group Policy is used to distribute software packages
• User Configuration and Computer Configuration sections of Group Policy are used to distribute software to user or computer, respectively
• Add/Remove Programs on Windows XP and Windows Server 2003 or from Programs and Features within Windows Vista and later are used by the end user to install published packages
Restricting Access to Software
• Four types of SRPs (Path Rule, Network Zone Rule, Hash Rule, Certificate Rule) are used to prevent suspect software from running
Summary (cont.)
Using the GPMC, you can perform most of the common Group Policy operations without having to switch between separate windows in separate Active Directory utilities. The GPMC also offers the following capabilities:
• OU hierarchy view
• Policy editing
• RSoP
• Backup and restore of policies
• Back up policy objects (and restore them if necessary)
• Import settings from one policy object as the basis for creating a new object
• View all the links for a specific policy object
Summary (cont.)
The GPMC is included in the RSAT pack for Windows Vista and later. It is also included in Windows Server 2008 and later, but you must enable it. The GPMC requires Windows XP or later to run. It also requires the following:
• The computer on which you run GPMC must be a member of either a domain in the forest that you wish to administer, or a domain that has a trust with that forest.
• Windows 2000 Server domain controllers must run SP2 or higher.
• Windows 2000 Server domain controllers in a separate forest to which you connect must run SP3 or higher.
Summary (cont.)
For Windows XP, GPMC also requires the following:
• Upgrade Windows XP to SP1
• Microsoft .NET Framework
• Hotfix Q326469 (updates gpedit.dll to version 5.1.2600.1186)
For Windows Vista and later, the GPMC also requires the following:
• Download and install the RSAT Pack for Windows Vista
• Enable the GPMC in the Control Panel
Summary (cont.)
Four subnodes (Domains, Sites, Group Policy Modeling, and Group Policy Results) appear under the forest node. You can use the GPMC to:
• Show multiple domains in the console pane at the same time (right-click the Domains subnode)
• Connect to a different forest (right-click the top node [Group Policy Management] and select Add Forest)
• Show the context menu for each node (Actions menu)
Summary (cont.)
GPMC has two features for searching and filtering:
• Search: Allows you to search on a per-domain or per-forest basis; specify a condition to search by or create a list of conditions
• Filter: Allows you to limit the number of Administrative Templates that are displayed; limit the display by managed items, configured items, commented items, keyword filtering, and requirements filtering
Summary (cont.)
The Group Policy Update tool is a command-line tool that is used to remotely update GPOs. The elements of the gpupdate command are:
• /Target:{Computer | User}: Specifies that only the user or only the computer policy settings are updated
• /Force: Reapplies the policy settings
• /Wait:value: Specifies how long the system should wait (in seconds) for the policy processing to complete
• /Logoff: Indicates that the user is logged off after the policy settings have been applied
• /Boot: Causes the system to reboot after the policy settings are applied
Knowledge Check
1. What are the advantages of using domain policies instead of local policies? (Choose all that apply.)
a. They are more secure.
b. They provide a central management capability.
c. They affect a large number of computers and users.
d. They are helpful in a workgroup scenario when you cannot use local-based policies.
Knowledge Check (cont.)
2. List the capabilities of the GPMC.
• Provides a view of the OU hierarchy
• Contains built-in policy editing
• Contains inherent RSoP views
• Provides backup and restore of policies
3. How is the GPMC installed on Windows 8?
It is installed as part of the RSAT package that must be downloaded from Microsoft.
Knowledge Check (cont.)
4. Briefly describe the following elements of the gpupdate command:
/force: This switch reapplies the policy settings. By default, only the policy settings that have changed are applied.
/logoff: This switch indicates that the user is logged off after the policy settings have been applied.
Knowledge Check (cont.)
5. In which ways can you limit the display of Administrative Templates? (Choose all that apply.)
a. Managed items
b. Deleted items
c. Commented items
d. Keyword filtering
Knowledge Check (cont.)
6. Describe each tool, feature, or policy used to manage group policies in the space provided.
• Group Policy Management Editor: Is used to view and modify all of the policy settings within a GPO.
• Gpupdate.exe: Is used to remotely update GPOs.
• Folder Redirection: A process that stores the user’s personal My Documents files on a server instead of locally.
• User Configuration and Computer Configuration sections of Group Policy:
  User configuration settings apply only to the computer objects that are within the scope of the policy.
  Computer configuration settings apply only to the user objects that are within the scope of the policy.