section 2: using group policy management tools local vs. domain policies editing local policies...

Section 2: Using Group Policy Management Tools

Local vs. Domain PoliciesEditing Local PoliciesManaging Domain PoliciesUnderstanding Group Policy

Refresh

Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:Use Group Policy Management toolsDescribe the advantages of using domain policies

instead of local policiesList the capabilities of the Group Policy Management

ConsoleDescribe the requirements for installing the Group

Policy Management ConsoleExplain how to use the different GPMC features to

create and manage policiesDescribe the elements of the gpupdate command

2-2


Local vs. Domain Policies

Pre-image setup Workgroup only computers Kiosk computers Roving laptops

Domain

Affect a large number of systems

Centrally managed More secure

Local Policies Domain Policies

2-3


Editing Local Policies

Tools Features

Gpedit.msc Simple to run Edits local policies only

MMC.exe with the GPOE snap-in

Edit local or remote policies Edit policies for computer or

multiple local users or groups Save as for future use

2-4


Using Gpedit.msc

2-5

Run GPEdit.msc on a local machine to edit

the local policies only. Useful for stand-alone or workgroup based

machines.


Using MMC.exe with the GPOE Snap-in

2-6

Add the GPOE Snap-in to the MMC in order to modify the local policy for a specific user or

group.


Managing Domain Policies

2-7

Using the GPMC

Other Group Policy Tools Creating Policies Editing Policies Configuring Values


Using the GPMC

2-8

Understanding the Group Policy Management Console Installing the GPMCOpening the GPMCUsing the GPMC from the Server ManagerConfiguring the GPMCSearching and Filtering


Understanding the Group Policy Management Console

Centralized policy management tool

Provides the capabilities of many separate tools and adds new functionality:

OU hierarchy view Policy editing RSoP Backup and restore of policies

2-9


Installing the GPMC

Windows Vista and later: Install the free RSAT download from Microsoft Open Control Panel, Programs and Features, Turn Windows

Features On or Off Within the RSAT section enable the Group Policy Management

Tools

Windows Server 2008 and Later: Open the Server Manager Click Add roles and features Add the Group Policy Management feature

2-11


Opening the GPMC

Windows 7 or Windows Server 2008: Click Start, Administrative Tools, and Group Policy Management. Click Start, and type gpmc.msc in the Search box.

Windows 8 or Windows Server 2012: On the Start screen, type gpmc.msc. On Windows Server 2012 or Windows 8 Client, in the Server

Manager click Tools, Group Policy Management.

2-13


Using the GPMC from the Server Manager

2-14

The Tools menu within the Server Manager contains a link to the GPMC.


Configuring the GPMC

2-15

The domain that your are logged on to will already be selected by default.

In a multi-domain environment Right-click the Domains node, then select Show Domains.


Searching and Filtering

Searching for GPOs Can be useful when dealing with a very large policy

infrastructure.Filtering in the GPO Editor

Thousands of Administrative Templates items are available.

Filter to display only policies that are configured.

Filter by keyword. Narrow the policy listing

to make it more manageable.

2-16


Searching for GPOs

Use the Search feature to find specific GPOs.

2-17


Filtering in the GPO Editor

2-19

Use the Filter option to limit the number of Administrative Templates that are displayed.


Other Group Policy Tools

Group Policy Management Editor Use to edit the policy values

Gpupdate.exe and Invoke-GPUpdate Use to update policies ahead of the default refresh

Gpresult.exe and Get-GPResultantSetOfPolicy Command-line tools for RSOP processing

2-20


Creating Policies

2-21

All policies are stored in the Group Policy Objects container.

They become active when they are linked to a Site, Domain or OU.


Editing Policies

2-22

Computer and user configuration items

Policies Administrative

Templates Preferences


Configuring Values

2-23

Most policies have three states:• Not Configured• Enabled• Disabled


Understanding Group Policy Refresh

The default refresh interval for policy update is 90 to 120 minutes

Several methods are available to update ahead of this scheduled interval

Invoke-GPUpdate GPUpdate.exe Remote GPUpdate in the GPMC

2-24

90 – 120 MINUTES


Invoke-GPUpdate

Invoke-GPUpdate is used from PowerShellCan update the local or remote systemsUpdates can be scheduled up to 31 days in the future

2-25


GPUpdate.exe

GPUpdate without any options will update only the policies that have been modified

Using the /force switch will cause GPUpdate to download ALL policies

Use the /force switch only if necessary

2-26


Remote GPUpdate in the GPMC

Update all machines in a specific OU from within the GPMC

The update is scheduled with a random delay

2-27


Summary

The advantages of using domain policies instead of local policies are:You can apply policies on a broad basis to large

number of computers and users. This provides a central management capability that is not available when you configure policies locally.

Policies that are configured through the domain cannot be overridden by local policy settings, so they are more secure.

2-29


Summary (cont.)

Group Policy Tools

2-29

Group Policy Tool Use it to…Group Policy Management Console

• View and manage all the policies that exist in a given Active Directory forest

Group Policy Management Editor

• View and modify all of the policy settings within

a GPO

Gpupdate.exe • Remotely update GPOs

Gpresult.exe • Display all the policy settings that are active for a computer or user

RSoP snap-in • Troubleshoot the policies that are applied to computers or users


Summary (cont.)

Desktop Policies

2-29

Policy DescriptionComputer Configuration

User Configuration

• Settings that apply only to the computer objects that are within the scope of the policy

• Settings that apply to the user objects that are within the scope of the policy

Desktop Settings and Restrictions

• Include a wide range of desktop settings, from changing the aesthetic background logo to a complete lockdown of system

Logon Scripts • Perform actions at logon; settings are now incorporated into Group Policy as individual configurable items

Folder Redirection • Process that stores the user’s personal My Documents files on a server instead of locally


Summary (cont.)

Software Policies

2-29

Policy DescriptionDistributing Software Packages

• Software Installation section within Group Policy is used to distribute software packages

• User Configuration and Computer Configuration sections of Group Policy are used to distribute software to user or computer, respectively

• Add/Remove Programs on Windows XP and Windows Server 2003 or from Programs and Features within Windows Vista and later are used by the end user to install published packages

Restricting Access to Software

• Four types of SRPs (Path Rule, Network Zone Rule, Hash Rule, Certificate Rule) are used to prevent suspect software from running


Summary (cont.)

Using the GPMC, you can perform most of the common Group Policy operations without having to switch between separate windows in separate Active Directory utilities. The GPMC also offers the following capabilities:

OU hierarchy view Policy editing RSoP Backup and restore of policies Back up policy objects (and restore them if necessary) Import settings from one policy object as the basis for

creating a new object View all the links for a specific policy object

2-29


Summary (cont.)

The GPMC is included in the RSAT pack for Windows Vista and later. It is also included in Windows Server 2008 and later, but you must enable it. The GPMC requires Windows XP or later to run. It also requires the following:

The computer on which you run GPMC must be a member of either a domain in the forest that you wish to administer, or a domain that has a trust with that forest.

Windows 2000 Server domain controllers must run SP2 or higher.

Windows 2000 Server domain controllers in a separate forest to which you connect must run SP3 or higher.

2-29


Summary (cont.)

For Windows XP, GPMC also requires the following: Upgrade Windows XP to SP1 Microsoft.NET Framework Hotfix Q326469 (updates gpedit.dll to version

5.1.2600.1186)For Windows Vista and later, the GPMC also requires

the following: Download and install the RSAT Pack for Windows Vista Enable the GPMC in the Control Panel

2-29


Summary (cont.)

Four subnodes (Domains, Sites, Group Policy Modeling, and Group Policy Results) appear under the forest node. You can use the GPMC to:Show multiple domains in the console pane at the

same time (right-click the Domains subnode)Connect to a different forest (right-click the top node

[Group Policy Management] and select Add Forest)Show the context menu for each node (Actions menu)

2-29


Summary (cont.)

GPMC has two features for searching and filtering: Search: Allows you to search on a per-domain or per-

forest basis; specify a condition to search by or create a list of conditions

Filter: Allows you to limit the number of Administrative Templates that are displayed; limit the display by managed items, configured items, commented items, keyword filtering, and requirements filtering

2-30


Summary (cont.)

The Group Policy Update tool is a command-line tool that is used to remotely update GPOs. The elements of the gpupdate command are:

/Target: {Computer | User}: Used to specify that only the user or computer policy settings that are updated will use this switch

/Force: Reapplies the policy settings /Wait:value: Specifies how long the system should wait (in

seconds) for the policy processing to complete /Logoff: Indicates that the user is logged off after the policy

settings have been applied /Boot: Causes the system to reboot after the policy settings

are applied2-30


Knowledge Check

1. What are the advantages of using domain policies instead of local policies? (Choose all that apply.)a. They are more secure.b. They provide a central management capability.c. They affect a large number of computers and users.d. They are helpful in a workgroup scenario when you

cannot use local-based policies.

2-30


Knowledge Check (cont.)

2. List the capabilities of the GPMC. Provides a view of the OU hierarchy Contains built-in policy editing Contains inherent RSoP views Provides backup and restore of policies

3. How is the GPMC installed on Windows 8?It is installed as part of the RSAT package that must be downloaded from Microsoft.

2-30



4. Briefly describe the following elements of the gpupdate command:/force:

This switch reapplies the policy settings. By default, only the policy settings that have changed are applied.

/logoff:

This switch indicates that the user is logged off after the policy settings have been applied.

2-31



5. In which ways can you limit the display of Administrative Templates? (Choose all that apply.)a. Managed itemsb. Deleted itemsc. Commented itemsd. Keyword filtering

2-31



6. Describe each tool, feature, or policy used to manage group policies in the space provided. Group Policy Management Editor: Is used to view

and modify all of the policy settings within a GPO. Gpupdate.exe: Is used to remotely update GPOs. Folder Redirection: A process that stores the user’s

personal My Documents files on a server instead of locally.

User Configuration and Computer Configuration sections of Group Policy:

User configuration settings apply only to the computer objects that are within the scope of the policy.

Computer configuration settings apply only to the user objects that are within the scope of the policy.

2-31

section 2: using group policy management tools local vs. domain policies editing local policies...

Documents

local policy

global knowledge training

local policieslist

local machine

runedits local policies

windows features

gpoe snapinedit local

multiple local users