Chapter 9, Using Group Policies

|1|Chapter Overview

A.Understanding Group Policies

B.Implementing Group Policies

C.Using Security Policies

D.Troubleshooting Group Policy Problems

Chapter 9, Lesson 1

Understanding Group Policies

|2|1.Introduction

A.Before attempting to implement group policies, you need to be familiar with concepts that affect group policy operations:

1.Definition of group policies

2.How to use the Group Policy snap-in to administer group policy

3.Group policy settings

4.How group policy affects startup and logon

5.How group policy settings are processed

6.How security groups can be used to filter group policy

|3|2.What Are Group Policies?

A.Group policies are collections of user and computer configuration settings that you can link to computers, sites, domains, and organizational units (OUs) to specify the behavior of users’ desktops

1.For example, you can use group policies to specify which programs and shortcuts appear on the user’s desktop and on the Start menu.

B.To create a specific desktop configuration for a group of users, you create GPOs, which are collections of group policy settings.

C.GPOs can be local or nonlocal.

1.Each computer running Windows 2000 has one local GPO.

2.Nonlocal GPOs are GPOs that are Active Directory service–based.

D.One local GPO is always stored on every computer running Windows 2000, whether the computer is part of a network or an Active Directory domain.

1.If the computer is a member of an Active Directory domain, the local GPO settings can be overridden by the nonlocal GPOs.

a.In this case, the local GPO is the least influential GPO.

2.In a nonnetworked environment (or on a network that does not use a domain controller), the settings of the local GPO are used because they are not overwritten by nonlocal GPOs.

E.Nonlocal GPOs

1.Are linked to Active Directory objects, such as sites, domains, or OUs

2.Can be applied to either users or computers

3.Require a Windows 2000 domain controller on the network

4.The policies in nonlocal GPOs are applied hierarchically from the least restrictive group (the site) to the most restrictive group (the OU), and are cumulative.

5.This lesson refers to nonlocal GPOs, unless otherwise specified.

F.You can specify which administrative groups can administer (create, modify, and delete) GPOs by defining access permissions for each GPO.

1.By assigning to an administrative group the Read and Write permissions for a GPO, the group can delegate control of the GPO.

3.Using the Group Policy Snap-In

|4|A.Use the Group Policy snap-in to create, modify, and manage GPOs.

B.Group Policy can function as either a stand-alone snap-in or an extension snap-in.

1.The way you access the Group Policy snap-in depends on the action you want to perform and the type of object you want to apply the group policies to.

C.Two primary methods for opening the Group Policy snap-in:

1.Create a new Microsoft Management Console (MMC) and select Group Policy as a stand-alone snap-in

2.Select an object in an Active Directory management console, and access Group Policy as an extension snap-in

|5|

D.The individual items of the Group Policy snap-in (such as Administrative Templates and Security Settings) are also MMC snap-in extensions.

E.By default, all of the available Group Policy snap-in extensions are loaded when you start the Group Policy snap-in.

F.The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain it belongs to, in the following format: GPO Name [DomainName] Policy

|6|G.Opening the Local Group Policy snap-in

1.The local group policies are those stored on each computer running Windows 2000.

2.To open the Group Policy snap-in with a focus on local group policies:

a.Start a new MMC console.
b.Add the Group Policy stand-alone snap-in.
c.In the Select Group Policy Object dialog box, select Local Computer.

|7, 8|

|9|H.Opening the Group Policy snap-in for another computer

1.You can open the local GPO for another computer on the network if you have administrative rights to that computer.

a.Start a new MMC console.
b.Add the Group Policy stand-alone snap-in.
c.Browse and select another computer in the Select Group Policy Object dialog box.

|10|I.Opening the Group Policy snap-in from Active Directory Users And Computers

1.You can also create group policies for Active Directory objects, such as domains and OUs.

a.Open Active Directory Users And Computers. (Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.)
b.In the console tree, right-click the domain or OU you want to set group policy for, and then select Properties.
c.Click the Group Policy tab, select an entry in the Group Policy Object Links list to select an existing GPO, and then click Edit to launch the Group Policy snap-in for the selected domain or OU.
(1)To create a new GPO, click New and then click Edit.

|11|J.To open the Group Policy snap-in from Active Directory Sites And Services:

1.Open Active Directory Sites And Services. (Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites And Services.)

2.In the console tree, right-click the site you want to set group policy for, and then select Properties.

3.Click the Group Policy tab, select an entry in the Group Policy Object Links list to select an existing GPO, and then click Edit.

a.To create a new GPO, click New, and then click Edit.

|12|4.Group Policy Settings

A.Group policy settings define the desktop environments for network users.

B.Group policy settings are contained in a GPO.

C.Two types of group policy settings: computer configuration settings and user configuration settings

D.The Computer Configuration and User Configuration folders are beneath the root of the GPO.

1.Use computer configuration settings to set group policies you want to apply to computers, regardless of who logs on to them.

a.Windows 2000 applies computer configuration settings when the operating system initializes.

2.Use user configuration settings to set group policies that apply to specific users, regardless of which computer the user logs on to.

a.User configuration settings are applied when the user logs on to the computer.

E.Both computer configuration settings and user configuration settings include the following folders, which appear as items beneath the Computer Configuration and User Configuration folders:

1.The Software Settings folder

2.The Windows Settings folder

3.The Administrative Templates folder

|13|F.Software Settings folder

1.In both the Computer Configuration and User Configuration folders, the Software Settings folder contains only Software Installation settings, by default.

2.Use Software Installation settings to specify how applications are installed and maintained and to provide a place for third-party software vendors to add their own settings.

3.There are two modes for managing applications: Assigned and Published.

a.You assign an application to a computer when you want computers or people managed by the GPO to have the application.
b.You publish an application when you want the application to be available to people managed by the GPO, should a person want the application.
(1)You cannot publish an application to computers.

|14|

|15|G.Windows Settings folder

1.In both the Computer Configuration and User Configuration folders, the Windows Settings folder contains two items: Scripts and Security Settings.

2.You can use Scripts to specify startup/shutdown scripts (for computers) and logon/logoff scripts (for users).

a.Startup/shutdown scripts run at computer startup or shutdown.

b.Logon/logoff scripts run when a user logs on or off the computer.

c.When you assign multiple startup/shutdown scripts or logon/logoff scripts, Windows 2000 executes scripts in order from top to bottom.

(1)You can set the order that scripts are executed in the Properties dialog box.

d.Administrators can use any ActiveX scripting language they are comfortable with to create scripts, including VBScript, JScript, Perl, and MS-DOS–style batch files.

3.You can use Security Settings to manually configure the security levels assigned to a GPO.

|16|

|17|4.For only the User Configuration folder, Windows Settings contains the following additional group policy settings:

a.Internet Explorer Maintenance: lets you administer and customize Microsoft Internet Explorer

b.Remote Installation Services: controls the behavior of remote operating system installations

c.Folder Redirection: lets you redirect Windows 2000 special folders (My Documents, Application Data, Desktop, and the Start menu) to an alternate location

|18|H.Administrative Templates folder

1.In both the Computer Configuration and User Configuration folders, the Administrative Templates folder contains all registry-based group policy settings, including the following:

a.Windows Components: lets you administer Windows 2000 components, including Microsoft NetMeeting, Internet Explorer, Windows Explorer, Microsoft Management Console (MMC), Task Scheduler, and Windows Installer

b.System: lets you control logon and logoff functions and group policies

c.Network: lets you control settings for Offline Files and Network And Dial-Up Connections

|19|

2.For Computer Configuration only, Administrative Templates contains additional settings.

a.Printers contains additional group policy settings.

b.System Settings contains Disk Quotas as well as Domain Name System (DNS) Client and Windows File Protection.

3.For User Configuration only, Administrative Templates contains additional registry-based group policy settings, including settings for Start Menu & Taskbar, Desktop, and Control Panel.

|20|4.In Administrative Templates, more than 450 policy settings are available for configuring the user environment.

5.In the registry, computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM).

6.In the registry, user configurations are saved in HKEY_CURRENT_USER (HKCU).

|21|5.How Group Policy Affects Startup and Logon

A.The Computer Configuration and User Configuration settings are applied in the following sequence:

1.The network starts.

2.The computer obtains an ordered list of GPOs.

3.The system processes the Computer Configuration settings in the following order:

a.Local GPO

b.Site GPOs

c.Domain GPOs

d.OU GPOs

4.Startup scripts run.

5.The user presses Ctrl+Alt+Del to log on.

|22|6.After the user is authenticated, the computer loads the user profile, governed by the group policy settings in effect.

7.The computer obtains an ordered list of GPOs for the user. The contents of the list depend on these factors:

a.Whether the user is a part of a Windows 2000 domain and is therefore subject to group policy through Active Directory

b.Whether loopback is enabled

c.The location of the user in Active Directory

8.The system processes the User Configuration settings in this order:

a.Local GPO

b.Site GPOs

c.Domain GPOs

d.OU GPOs

9.The computer runs the logon scripts.

10.The operating system user interface prescribed by the group policies appears.

|23|6.How Group Policy Is Processed

A.Group policy settings are processed in the following order:

1.Local GPO: each computer running Windows 2000 has exactly one GPO stored locally

2.Site GPOs: any GPOs that have been linked to the site the computer is located in are processed next

3.Domain GPOs: if multiple GPOs are linked to a domain, the computer processes them synchronously; the administrator specifies the order of GPOs linked to a domain

4.OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to the next highest level OU, and so on. Finally, the computer processes the GPOs linked to the OU that contains the user or computer object.

B.The GPO that is processed last overrides conflicting settings in all other GPOs that were processed earlier.

|24|

|25|7.Exceptions to the Processing Order

A.The following are exceptions to the default order of processing group policy settings:

1.Workgroup Membership: a computer that is a member of a workgroup processes only the local GPO

2.No Override: any GPO linked to a site, domain, or OU can be set so that none of its policy settings can be overridden

3.Block Policy Inheritance: at any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, No Override settings are always applied and cannot be blocked.

|26|4.Loopback: used to circumvent the normal order in which GPOs are applied. In the Enabled state, Loopback can be set to Merge or Replace mode.

a.Replace: the GPO list for the user is replaced by the GPO list obtained for the computer at startup

b.Merge: the GPO list obtained for the computer at startup is appended to the GPO list obtained for the user at logon. Because the GPO list obtained for the computer is applied later, it has precedence if it conflicts with settings in the user’s list.

|27|8.Group Policy Inheritance

A.Group policies are typically passed down from parent to child containers in Active Directory.

B.However, if you specify a group policy for a child container, the child container’s group policy settings override any conflicting settings inherited from the parent container.

C.If a parent OU has policy settings that are not configured, the child OU does not inherit them.

D.Policy settings that are disabled are inherited as disabled.

E.If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child’s setting is also applied.

F.If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU, the child does not inherit the policy setting from the parent—instead, the setting for the child is applied.

|28|9.Using Security Groups to Filter Group Policy

A.Because you can link more than one GPO to a site, domain, or OU, you might need to link GPOs associated with other directory objects.

B.By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.
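The processing order, No Override, Block Policy Inheritance, loopback and security-group filtering described in sections 6 through 9 above can be modelled in a few lines. The following is an added example, not part of the course material; GPO names, settings and group names are invented, and the resolver assumes the Windows 2000 rule that a No Override GPO from a parent container takes precedence over one from a child.

```python
# Added example (not course material): a model of Windows 2000 GPO processing
# order, No Override, Block Policy Inheritance, loopback and group filtering.
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict                       # policy -> value; Not Configured = absent
    no_override: bool = False            # "No Override" set on the GPO link
    apply_groups: frozenset = frozenset({"Authenticated Users"})  # Apply permission

@dataclass
class Container:                         # a site, domain or OU
    name: str
    gpos: list                           # admin link order, lowest priority first
    block_inheritance: bool = False      # "Block Policy Inheritance" on this container

def ordered_gpos(local, containers, groups):  # local, site, domain, OUs; last wins
    normal, enforced = [], []
    for c in containers:                 # outermost container first
        if c.block_inheritance:
            normal = []                  # inherited links dropped; No Override kept
        for g in c.gpos:
            if g.apply_groups & groups:  # else filtered out by security group
                (enforced if g.no_override else normal).append(g)
    # No Override GPOs go after all others, highest container last, so a
    # parent's No Override beats a child's.  The local GPO is least influential.
    return [local] + normal + enforced[::-1]

def effective_user_gpos(user_gpos, computer_gpos, loopback=None):
    if loopback == "Replace":            # computer's list replaces the user's
        return list(computer_gpos)
    if loopback == "Merge":              # computer's list appended, so it wins
        return list(user_gpos) + list(computer_gpos)
    return list(user_gpos)

def resolve(gpos):                       # later GPOs override earlier conflicts
    effective = {}
    for g in gpos:
        effective.update(g.settings)     # a False (disabled) value is inherited
    return effective

# Constructed sample: the domain GPO is No Override and the OU blocks inheritance.
LOCAL = GPO("Local", {"wallpaper": "local.bmp", "run_cmd": True})
SITE = GPO("SiteGPO", {"wallpaper": "site.bmp"})
DOMAIN = GPO("DomainGPO", {"run_cmd": False}, no_override=True)
OU = GPO("OuGPO", {"wallpaper": "ou.bmp", "run_cmd": True})
HR = GPO("HrOnly", {"wallpaper": "hr.bmp"}, apply_groups=frozenset({"HR"}))
TREE = [Container("Site", [SITE]), Container("Domain", [DOMAIN]),
        Container("Sales OU", [OU, HR], block_inheritance=True)]
```

Running `resolve(ordered_gpos(LOCAL, TREE, {"Authenticated Users"}))` shows the site wallpaper blocked by the OU, the OU's `run_cmd` losing to the domain's No Override, and `HrOnly` applying only to a member of the HR group.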

10.Lesson Review

A.The lesson review questions are located on page 305 of the textbook.

|29|11.Lesson Summary

A.Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops.

B.Use the Group Policy snap-in to manage group policies.

C.Windows 2000 applies GPOs in this order:

1.Local GPO

2.Site GPOs

3.Domain GPOs

4.OU GPOs

D.By default, Active Directory objects inherit group policy settings from parent containers.

Chapter 9, Lesson 2

|30|Implementing Group Policies

1.Introduction

A.You may have to modify the group policies in place on a network, or sometimes even create new GPOs.

|31|2.Tasks for Implementing Group Policies

A.Creating a GPO

B.Creating a GPO console

C.Delegating administrative control of a GPO

D.Specifying group policy settings for a GPO

E.Disabling unused group policy settings

F.Indicating GPO processing exceptions

G.Filtering GPO scope

H.Linking a GPO to a site, domain, or OU

|32|3.Creating a GPO

A.The first step in implementing a group policy is creating a GPO.

1.You need to know the type of Active Directory object the GPO will be used for.

|33|B.To create a GPO:

1.Determine the type of Active Directory object you want to create a GPO for.

a.To create a GPO linked to a domain or an OU, open Active Directory Users And Computers.

b.To create a GPO linked to a site, open Active Directory Sites And Services.

2.Right-click the site, domain, or OU object that you want to create a GPO for, and then select Properties.

|34|3.Click the Group Policy tab.

4.Click New, and then type the name you want to assign to the GPO.

a.By default, the new GPO is linked to the site, domain, or OU that you selected in Active Directory Users And Computers or Active Directory Sites And Services, and its settings apply to that site, domain, or OU.

5.Click Close.

|35|4.Creating a GPO Console

A.After you create a GPO, you can create a custom MMC console containing the Group Policy snap-in and focused on that particular GPO.

1.After saving the console, you can open it from the Administrative Tools program group in the Start Menu.

B.To create a GPO console:

1.Start a new MMC console, and then add the Group Policy stand-alone snap-in to it.

2.In the Select Group Policy Object dialog box, browse and select the GPO that you want to focus on.

3.Save the GPO console.

5.Delegating Administrative Control of a GPO

A.After you create a GPO, you must determine who should have permission to access and modify the GPO.

|36|B.The following default GPO permissions are assigned to the built-in security groups: