
Upload: clinton-hopkins

Post on 14-Jan-2016


Section 4: Understanding the Architecture of Group Policy Processing

Group Policy Components in AD DS

Understanding the Group Policy Processing Sequence

Modifying Group Policy Processing

Managing Windows Environments with Group Policy


© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:

Describe the Active Directory components that you can use to deploy Group Policy

Explain the order in which Group Policy is deployed in Active Directory

Describe the methods that are available to modify Group Policy processing


Group Policy Components in AD DS

The following AD DS components are an important part of Group Policy:

Sysvol Folder

PDC Emulator

Group Policy Container

Group Policy Template

GPO Versioning

File Replication Services

DFS-R


Sysvol Folder


The Sysvol folder is where GPOs and their corresponding support files are stored.


PDC Emulator

The PDC emulator is the domain controller that GPOs are created on before they are replicated to other domain controllers.


Group Policy Container


Using ADSI Edit, we can see the Group Policy Container inside the AD database.


Group Policy Template


The GPT is the folder inside Sysvol that actually stores the policy settings.


GPO Versioning

Following are some guidelines about GPO versioning:

Every time a change is made to a GPO, the version number in an INI file called Gpt.ini is incremented.

For computer changes to a GPO, the version number increments by 1.

For user changes to a GPO, the version number increments by 65536.
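Because of these two increments, the single Version value packs two counters: the user count in multiples of 65536 and the computer count in the remainder. The PowerShell below is an added example, not part of the original slides; its function names and the sample Gpt.ini text are constructed, and it compares the decoded Gpt.ini value with the version number held by the Group Policy Container.

```powershell
# Added example: decode a GPO version counter and compare GPC with GPT.
# All sample values are constructed; none come from a real domain.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    $computer = $Version % 65536               # each computer change adds 1
    $user     = ($Version - $computer) / 65536 # each user change adds 65536
    [pscustomobject]@{ Raw = $Version; User = [int]$user; Computer = [int]$computer }
}

function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptIniText)
    # Gpt.ini is a small INI file; the counter is on the Version= line.
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    throw 'No Version= line found in the Gpt.ini text'
}

function Compare-GpoVersion {
    param([long]$GpcVersion, [string]$GptIniText)
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersion
    $gpt = ConvertFrom-GpoVersion -Version (Get-GptIniVersion -GptIniText $GptIniText)
    [pscustomobject]@{
        GpcUser     = $gpc.User;     GptUser     = $gpt.User
        GpcComputer = $gpc.Computer; GptComputer = $gpt.Computer
        InSync      = ($gpc.Raw -eq $gpt.Raw)
    }
}

# Constructed sample: the directory object records 3 user / 5 computer changes,
# while the Sysvol copy of Gpt.ini still records 3 user / 4 computer changes.
$sampleGptIni = @"
[General]
Version=196612
displayName=New Group Policy Object
"@

Compare-GpoVersion -GpcVersion 196613 -GptIniText $sampleGptIni
```

A result with InSync set to False means the directory copy and the Sysvol copy of the GPO disagree, which is worth investigating as either lagging Sysvol replication or an edit made to one side only.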


FRS Replication

The File Replication Service replicates the Sysvol directory structure separately from Active Directory replication.

Note: FRS is not utilized in a new Windows Server 2012 Domain installation. DFS-R is now the default.


DFS-R

DFS-R can be used to replicate the Sysvol structure instead of FRS.

DFS-R is a delta-based replication model that replicates only the changes inside the files being replicated.

To convert from FRS to DFS-R for Sysvol replication, follow the steps in the TechNet reference below:

http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx

New installations of a Windows Server 2012 Domain will already have DFS-R replication enabled


Understanding the Group Policy Processing Sequence

Group Policy is processed from the top down:

Local

Site

Domain

OU

The last policy applied wins.


Modifying Group Policy Processing

Using Group Policy Inheritance

Using Block Inheritance and Enforce options

Using Security Filtering

Implementing WMI Filters

Changing the GPO Link Order

Using Loopback Processing


Using Group Policy Inheritance

Group Policy inheritance allows you to apply corporate standards and customized settings for different groups of users. Guidelines for Group Policy inheritance include:

Define a corporate standard GPO containing settings that apply to a top-level OU.

Typically, GPOs are assigned to the OU structure instead of the domain or site, so child OUs can be used to control which settings are applied.


Using the Block Inheritance and Enforce Options

Most policies are set per OU.

A good OU structure makes policies easier to apply.

The Group Policy Enforce option prevents policies from being reversed at a lower level.

The Group Policy Block Inheritance option prevents higher level policies from being inherited.

The Enforce option always wins.


Using Security Filtering

By default, a GPO affects all users and computers contained in the linked site, domain, or OU. However, you can use security filtering on a GPO to modify its effects.

You can modify the permissions on the GPO to apply only to a specific user or to the members of a security group.

Using a security group filter on a GPO applied to an OU, you can control who should not have the settings applied.

You can use security filtering to exempt administrators from GPO processing.


Implementing WMI Filters

Using the WBEMTest Tool

The WBEMTest Query Result Dialog Box

Using PowerShell to Explore WMI

Creating a WMI Filter


Using the WBEMTest Tool

Use the WBEMTest tool to become familiar with the WMI structure.


WBEMTest Query Result Dialog Box

Viewing the instances exposes the properties within WMI.


Using PowerShell to Explore WMI (1)

PowerShell can also be used to explore the WMI repository


Using PowerShell to Explore WMI (2)

Use PowerShell to enumerate the items in a WMI class


Using PowerShell to Explore WMI (3)

Use PowerShell to test a WQL query for Group Policy


This query returns results for Version 6.2.9200 and ProductType “2”, which is Windows Server 2012.


Creating a WMI Filter

This WMI filter returns only Windows 8 computers.


Changing the GPO Link Order

The link order in a policy at a specific level determines the order in which policies are processed.

The policy with the lowest link order number will be processed last.

Settings in the policy with the lowest link order number take precedence.
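The processing sequence, the Block Inheritance and Enforce options, and the link order rule interact, so it helps to see them resolved together. The PowerShell below is an added example, not part of the original slides: a simplified model in which every container, GPO and setting name is constructed and New-Link is a hypothetical helper.

```powershell
# Added example: simplified model of GPO precedence. All names and settings are constructed.
function Get-GpoProcessingOrder {
    param([object[]]$Containers, [object[]]$Links)
    $local = @($Links | Where-Object { $_.Container -eq 'Local' })  # processed first, never blocked
    $normal = @(); $enforced = @()
    foreach ($c in $Containers) {                    # top down: Site, Domain, OU, child OU
        if ($c.BlockInheritance) { $normal = @() }   # drop non-enforced links from above
        # The lowest link order number is processed last within a container.
        $here = @($Links | Where-Object { $_.Container -eq $c.Name } |
                  Sort-Object -Property LinkOrder -Descending)
        $normal  += @($here | Where-Object { -not $_.Enforced })
        # Enforced links are processed after all others; the higher container goes last.
        $enforced = @($here | Where-Object { $_.Enforced }) + $enforced
    }
    @($local + $normal + $enforced)
}

function Resolve-GpoSetting {
    param([object[]]$Order)
    $effective = [ordered]@{}
    foreach ($link in $Order) {                      # the last policy applied wins
        foreach ($name in $link.Settings.Keys) { $effective[$name] = '{0} (from {1})' -f $link.Settings[$name], $link.Gpo }
    }
    $effective
}

function New-Link {   # hypothetical helper that builds one constructed GPO link
    param($Container, $Gpo, $LinkOrder, [hashtable]$Settings, [switch]$Enforced)
    [pscustomobject]@{ Container = $Container; Gpo = $Gpo; LinkOrder = $LinkOrder
                       Settings = $Settings; Enforced = [bool]$Enforced }
}

$containers = @(
    [pscustomobject]@{ Name = 'Domain';   BlockInheritance = $false }
    [pscustomobject]@{ Name = 'ParentOU'; BlockInheritance = $false }
    [pscustomobject]@{ Name = 'KioskOU';  BlockInheritance = $true }
)
$links = @(
    New-Link Local    'LocalPolicy'  1 @{ ScreenLockMinutes = 30 }
    New-Link Domain   'Baseline'     2 @{ ScreenLockMinutes = 15; UsbStorage = 'Allowed' }
    New-Link Domain   'SecurityBase' 1 @{ UsbStorage = 'Blocked' } -Enforced
    New-Link ParentOU 'Workstations' 1 @{ ScreenLockMinutes = 10 }
    New-Link KioskOU  'KioskA'       2 @{ ScreenLockMinutes = 5; UsbStorage = 'Allowed' }
    New-Link KioskOU  'KioskB'       1 @{ ScreenLockMinutes = 2 }
)
$order = Get-GpoProcessingOrder -Containers $containers -Links $links
$order.Gpo -join ' -> '
Resolve-GpoSetting -Order $order
```

With these constructed links, Baseline and Workstations drop out at the blocked KioskOU, KioskB (link order 1) overrides KioskA, and the enforced SecurityBase is processed last, so its UsbStorage value is the effective one.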


Using Loopback Processing

The User Group Policy loopback processing mode applies the User Configuration settings based on the OU that the computer is in, not the OU that the user is in.

This option can be very useful in environments such as classrooms, public kiosks, and reception areas.


Summary

Group Policy is based on the following components:

Sysvol folder: A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.

PDC emulator: A single domain controller per domain is assigned the role of a PDC emulator. This role is automatically assigned to the first domain controller in an Active Directory domain.


Group Policy Container: Stores the policy setting information for a GPO. It stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.

Group Policy template: Stores the files that are created by the GPO in the Sysvol folder on the PDC emulator for each domain. It stores computer and user scripts, the GPO template files, and the Registry.pol files.


Group Policy is deployed in the following order:

1. Local Group Policy settings

2. Site policies

3. Domain policies

4. OU policies


The methods to modify Group Policy processing are:

Block Inheritance and Enforce Options: The Block Inheritance attribute prevents higher-level policies from being applied to lower levels.

Applied at higher levels of the policy architecture, the Enforce option ensures that certain policies cannot be overridden or blocked. This option is applied to an individual GPO.

Security Filtering: Sets the ACLs to prevent or allow policies from applying to specific users or groups.


WMI Filters: Consist of a collection of one or more queries (conditions) written in WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.

GPO Link Order: Controls the order in which GPOs are applied within each domain, site, and OU.

Loopback Processing: Configures the user policy settings based on the computer location that the users log on to.


Knowledge Check

1. Which Active Directory component does the following text describe?

A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.

Sysvol folder


2. What is the Group Policy deployment order?

Local

Site

Domain

OU


3. Match each method used to modify Group Policy processing with its correct description.

Method:

GPO Link Order

Security Filtering

WMI Filters

Block Inheritance Option

Loopback Processing

Description:

A. It prevents higher-level policies from being applied to lower levels.

B. Controls the order in which GPOs are applied within each domain, site, or OU.

C. Configures the user policy settings based on the computer location that the users log on to.

D. Consist of a collection of one or more queries (conditions) written in WQL.

E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.

Answers:

GPO Link Order: B

Security Filtering: E

WMI Filters: D

Block Inheritance Option: A

Loopback Processing: C