9-1
Guide to MCSE 70-290, Enhanced
Chapter 9: Implementing and Using Group Policy
Objectives
After reading the chapter and completing the exercises, students should be able to:
- Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection
- Manage and troubleshoot Group Policy inheritance
- Deploy and manage software using Group Policy
Teaching Tips
Introduction to Group Policy
- Introduce the concept of Group Policy and Group Policy objects. Describe the types of tasks that are performed using Group Policy objects.
- Note the two default GPOs (Default Domain Policy and Default Domain Controllers Policy).
- Briefly explain how to implement Group Policy by either creating or editing GPOs and linking them to desired container objects. Note that the policies will apply to all objects in the containers including those in child containers.
Creating a Group Policy Object
- Discuss the two methods of creating a GPO, the Group Policy standalone Microsoft Management Console (MMC) snap-in and the Group Policy extension in Active Directory Users and Computers. Both of these methods are explored in upcoming activities.
Activity 9-1: Creating a Group Policy Object Using the MMC
- The purpose of this activity is to explore using the Group Policy standalone Microsoft Management Console snap-in to create a new Group Policy Object. Students are instructed to open the MMC console and add the snap-in. They then use the Group Policy Object Editor to create a new GPO.
Activity 9-2: Creating OUs and Moving User Accounts
- In this activity, students will create new OU objects and move existing user accounts into these OUs. These new configurations will be used in future activities to test Group Policy settings.
- Students create the new OU objects and move the user accounts using Active Directory Users and Computers.
Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers
- In this activity, students use the Active Directory Users and Computers Group Policy extension to add a GPO to an OU and to create a new GPO. They continue the exercise by browsing through the User and Computer Configurations to see what types of features can be configured.
Editing a GPO
- There are two configuration types available in a GPO: Computer Configuration and User Configuration. Discuss the categories of configuration settings described in Table 9-1.
- Briefly describe how to enable specific configuration settings in the MMC snap-in and walk through an example. Specific settings will be described in more detail later in the chapter.
- Go over the storage of GPO content in Group Policy containers and Group Policy templates and their identification with a globally unique identifier.
Activity 9-4: Deleting Group Policy Objects
- The purpose of this activity is to have students permanently delete a GPO using Active Directory Users and Computers.
Application of Group Policy
- Describe the two main types of Group Policy configuration settings, the Computer Configurations and the User Configurations and be sure that students understand what a Group Policy will apply to given its location.
- Go over the process of how specific Group Policies are applied when a computer is started or a user logs on.
Controlling User Desktop Settings
- Discuss with students why an organization might choose to set up standard desktop settings. Note that Group Policies are one of the tools that can be used to control these settings.
- Go over the categories of configuration settings for administrative templates described in Table 9-2.
Activity 9-5: Configuring Group Policy Object User Desktop Settings
- The purpose of this activity is to introduce students to the types of user desktop settings that can be configured from a GPO. Students will access the Administrative Templates section of an existing GPO and reconfigure some of the settings. They then verify the results of the new configurations.
Managing Security Settings with Group Policy
- In this section, students will move from desktop settings to exploring GPO security settings. Some security settings were discussed in an earlier chapter, namely Password Policy, Account Policy, and Kerberos Policy settings. Note that these are only applied to domain objects and that the other nodes in this category can be applied to both domain and OU objects.
- Go over the nodes in the Security Settings category listed in this section and give summaries of the functions of each node.
Activity 9-6: Configuring Group Policy Object Security Settings
- In this activity, students configure a logon banner for users in a domain. This setting is found in the Default Domain GPO. Students will provide a message and verify that users logging on to the domain receive it.
Activity 9-7: Configuring File System Security Using Group Policy Settings
- The purpose of this activity is to use Group Policy settings to configure security permissions on a folder. Students first create a new folder. Using Active Directory Users and Computers, they then configure permissions for the folder for a specific user and update the Group Policy settings. Finally, they will verify that the permissions are configured as expected.
Assigning Scripts
- Introduce the concept of using scripts to automate routine operations. Discuss how Group Policy can be used to configure scripts that will run on computer startup and shutdown or user logon or logoff.
- Explain the order in which scripts are run when multiple scripts are affected by a logon/logoff or startup/shutdown.
Teaching Tip / Note that the order in which scripts run can be modified using the Up and Down buttons in the Properties dialog box.
Activity 9-8: Assigning Logon Scripts to Users Using Group Policy
- The object of this exercise is to assign login scripts to domain users using a GPO. Students will create a script file and assign it to a GPO to be run at logon time for users affected by the GPO. They then verify that the script runs for appropriate users and not for users who are not affected by the GPO.
Redirecting Folders
- Introduce the concept of folder redirection.
- Explain the reasons that you might wish to redirect folders out of a user’s profile.
- Go over the settings for folder redirection that are listed in Table 9-3.
Quick Quiz
- What are four categories of administrative tasks that can be configured and applied using Group Policy Objects?
Answer: user desktops, security, scripts, and folder redirection
- True or False: One tool that can be used to create and edit GPOs is the MMC Group Policy Editor snap-in.
Answer: True
- The ______contains the data that makes up a Group Policy including settings, administrative templates, security settings, software installation settings and scripts.
Answer: Group Policy template
- When can the scripts assigned by a Group Policy Object to a user account run?
Answer: When the user logs on or logs off
Managing Group Policy Inheritance
- List the order in which GPOs are applied from the local computer level to Child OU level.
- Discuss the default inheritance policy for GPOs and make sure that students realize that one computer or user can process multiple policies.
- Note the order in which GPOs are applied if there is more than one GPO per container. Go over the determination of policies to apply if there are conflicts in the settings among multiple policies.
- Discuss the timing of refreshes for policies to ensure that changes are picked up. Also note how to refresh settings manually.
- Reiterate that GPOs can be linked to site, domain, or OU containers in Active Directory. Note the effect of setting policies at each level.
- Explain how to create multiple group policies that are assigned to a single container. Conversely, explain how to create a single group policy that applies to multiple containers. Give examples for both of these situations.
Activity 9-9: Linking a Group Policy Object to Multiple Containers
- In this activity, students will link a single GPO to multiple containers. First, they will create a new GPO in one container. They then add the GPO to another container, leaving it linked to both.
Configuring Block Policy Inheritance, No Override, and Filtering
- Reiterate the default behavior for inheriting policy settings from parent containers. In this section, different methods for changing this behavior are discussed.
Blocking Group Policy Inheritance
- Note that this form of changing default behavior allows you to stop higher-level settings being applied to a particular child container. Describe how to enable this option.
Configuring No Override
- Explain that this option ensures that a higher-level GPO’s settings will always be enforced at lower levels, even if there are conflicts or if a lower container has Block Policy inheritance set.
Filtering Using Permissions
- Explain that this option prevents policy settings from applying to particular users, groups, or computers within a container. Give an example of using this option.
Activity 9-10: Configuring Group Policy Object Inheritance Settings
- In this exercise, students will configure various Group Policy inheritance settings. They first access the Default Domain Policy GPO and disable a feature from there. The same feature is then enabled at a lower level and students observe the results. They then go back to the Default Domain Policy and set it to No Override and again observe results.
Activity 9-11: Filtering Group Policy Objects Using Security Permissions
- In this activity, students will use security permissions to filter and control the application of Group Policy settings. The Apply Group Policy feature of a user account is denied and the results of this are observed and compared to a user account that does not have this feature denied.
Troubleshooting Group Policy Settings
- Ask students to think about why it might be difficult to keep track of Group Policy settings for a particular account. How could you manually determine what policies are actually in effect for that account? What are some general things to check when policies are not being applied as expected?
- Describe the GPRESULT and Resultant Set of Policy (RsoP) utilities that can be used to determine effective Group Policy settings.
- Note that you can disable either the user or computer configuration part of a GPO to improve performance problems.
Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool
- In this activity, students will explore the use of RsoP to determine effective Group Policy settings. They first configure the Default Domain Policy GPO and then run the MMC utility and add the RsoP snap-in. From the snap-in, they will generate RsoP data, select a specific user, and analyze the data that was generated.
Deploying Software Using Group Policy
- Explain that Group Policy can be used to deploy and maintain software applications such as Microsoft Office, anti-virus software, and service packs. Mention the four phases of software rollout.
Software Preparation
- Discuss the first phase of software rollout: software preparation. Explain what an MSI file is and how to create one if necessary. Explain that if it is not possible to use or create an MSI file, you can still use a ZAP file. Note the restrictions on ZAP files however.
Deployment
- Introduce the two types of deployment: assigning applications and publishing applications.
Assigning Applications
- Explain how an assigned application appears to the user and how it is installed and advertised. Discuss the advantages of assigning applications through a GPO, noting resiliency.
Publishing Applications
- Note the differences in publishing and assigning applications using a GPO. Explain how published applications are installed and note that applications can only be published to users.
Configuring the Deployment
- Explain how to configure a deployment by creating or editing a GPO and specifying the options. Give examples.
Activity 9-13: Publishing an Application to Users Using Group Policy
- The purpose of this activity is to explore how to publish an application using Group Policy settings. Students will create a new folder and place an MSI and supporting file into the folder. They then create a GPO that will publish the software application. Next, students will log on to a user account and verify that that the software is available for installation using the Add or Remove Programs utility.
Activity 9-14: Assigning an Application to Users Using Group Policy
- In this activity, students will explore how to assign an application using Group Policy settings. They create a new GPO that assigns the software application from the last exercise. They then log on to a user account and verify that the software is advertised and installs as expected.
Software Maintenance
- Describe what types of tasks fall into the realm of software maintenance.
- List the three deployment options available: mandatory upgrades, optional upgrades, and redeployment of an application. Discuss what each of the options does and how to configure them.
Software Removal
- Explain how to use Group Policy to remove an application. Discuss what the differences are between forced and optional removal.
Teaching Tip / Caution students that in order to use Group Policy to remove an application, the application must have been originally installed using a Windows installer package.
Quick Quiz
- If a domain-level Group Policy and an OU-level Group Policy are both assigned to an account and there is a conflict between the configuration settings in the policies, how is the conflict resolved?
Answer: Later settings overwrite earlier settings, so the OU-level policy will apply.
- If you want a particular GPO’s configuration settings to always be enforced despite any lower-level conflicts, what GPO option can you use?
Answer: The No Override option
- The ______graphical utility enables you to view the effective Group Policy settings that have been applied to a particular user or computer.
Answer: Resultant Set of Policy (RsoP)
- What are two methods of deploying applications using a GPO?
Answer: Assigning applications and publishing applications
Class Discussion Topics
- In the many activities in this chapter, students have had opportunities to explore some of the options available in Group Policy Objects. How comfortable are they with the diversity of tasks and features that can be accessed through Group Policy? Is more exploration time needed? Are there types of tasks that have not been discussed?
- What are some tasks that could be accomplished with logon/logoff or startup/shutdown scripts? Is this a useful feature?
- Do you find it easier to use the MMC Group Policy snap-in or Active Directory Users and Computers for creating and editing GPOs? What are the advantages and disadvantages of each?
Additional Projects
- Explore security settings in a Group Policy Object. Using the HelpCenter or other Internet resources, research a particular feature that you’re not familiar with already. For example, you could present Wireless Network Policiesthat control security (e.g. authentication and encryption methods) used in wireless networks. Give a brief presentation of what the feature controls and how to use it.
- Write or find a script to accomplish a logon task and assign it to a GPO. Microsoft maintains a list of scripts that can be downloaded in the Microsoft Download Center.
- Research the use of ZAP files and describe what these files contain and do.
Solutions to Additional Projects
- Students should select one feature to explore in depth. There are numerous features to choose from.
- The following script was downloaded from Microsoft Download Center and is used to determine the difference between the local time zone and Greenwich Mean Time. This and other scripts can be downloaded or written, saved, and assigned as in Activity 9-8.
Set objWMIService = GetObject(“winmgmts:” _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colTimeZone = objWMIService.ExecQuery("Select * from Win32_TimeZone")
For Each objTimeZone in colTimeZone
Wscript.Echo "Offset: "& objTimeZone.Bias
Next
- A .zap file is a text file that contains the setup instructions for installing an application. In most cases, the .zap file will contain only the following lines:
[Application]
FriendlyName="applicationname"
SetupCommand=""\\servername\sharename\installapplication.exe""
The FriendlyName value is the name that will be displayed in the Add Or Remove Programs control panel on the client computer. The SetupCommand value is the path to the installation file for the application. You can use a Universal Naming Convention (UNC) path or a mapped drive for the SetupCommand value.
After you have created the .zap file and copied the application installation files to a network share, you can publish the application to users. The application is added to the list of available applications in the Add Or Remove Programs control panel. Users can then select the application to install. Applications that are distributed through .zap files cannot be assigned to either computers or users, and they will not install using extension activation.