20411B-ENU-TrainerHandbook
.pdfAdministering Windows Server® 2012 5-7
should consider configuring CSEs to reapply policy settings even if the GPO has not changed. That way, |
MCT |
||
if an administrative user changes a configuration so that it is no longer compliant with policy, the |
|||
configuration will be reset to its compliant state at the next Group Policy refresh. |
|||
USE |
|||
|
Note: You can configure CSEs to reapply policy settings at the next background refresh, |
||
|
|||
even if the GPO has not changed. You can do this by configuring a GPO scoped to computers, |
|||
and then defining the settings in the Computer Configuration\Policies\Administrative Templates |
|||
\System\ Group Policy node. For each CSE that you want to configure, open its policy- |
|||
.ONLY |
|||
processing policy setting, such as Registry Policy Processing for the Registry CSE. Click Enabled, |
|||
and select the Process even if the Group Policy objects have not changed check box. |
|||
The security CSE manages an important exception to the default policy-processing settings. Security |
|||
settings are reapplied every 16 hours, even if a GPO has not changed. |
|||
|
Note: Enable the Always Wait For Network At Startup And Logon policy setting for all |
||
|
|||
|
|||
Windows clients. Without this setting, by default, Windows XP, Windows Vista, Windows 7, and |
|
||
Windows 8 clients perform only background refreshes. This means that a client may start up, and |
|
||
then a user might sign in without receiving the latest policies from the domain. The setting is |
|
||
located in Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to |
|
||
read the policy setting’s explanatory text. |
|
Group Policy Refresh
Policy settings in the Computer Configuration node are applied at system startup, and then every 90 to 120 minutes thereafter. User Configuration policy settings are applied at logon, and then every 90 to 120 minutes thereafter. The application of policies is called Group Policy refresh.
|
Note: You also can force a policy refresh by using the GPUpdate command. |
STUDENT |
|
||
|
||
Demonstration: How to Create a GPO and Configure GPO Settings |
USE |
|
|
|
Group Policy settings, also known as policies, are contained in a GPO, and you can view and modify them by using the Group Policy Management Editor. This demonstration delves more closely into the categories
•The Computer Configuration node contains the settings that are applied to computers, regardlessPROHIBITED of who logs on to them. Computer settings are applied when the operating system starts, during background refreshes, and every 90 to 120 minutes thereafter.
•The User Configuration node contains settings that are applied when a user logs on to the
computer, during background refreshes, and every 90 to 120 minutes thereafter.of
5-8 Implementing a Group Policy Infrastructure
Within the Policies nodes of Computer Configuration and User Configuration are a hierarchy of folders that contain policy settings. Because there are thousands of settings, it is beyond the scope of this course to examine individual settings. However, it is worthwhile to define the broad categories of settings in the folders.
Software Settings Node
The Software Settings node is the first node. It contains only the Software Installation extension, which helps you specify how applications are installed and maintained within your organization.
Windows Settings Node
In both Computer Configuration and User Configuration nodes, the Policies node contains a Windows Settings node, which includes the Scripts, Security Settings, and Policy-Based QoS nodes.
Note: It also contains the Name Resolution Policy folder that contains settings for configuring Windows 8 DirectAccess, which is discussed in a later module.
Scripts Node
The Scripts extension enables you to specify two types of scripts, startup/shutdown (in the Computer Configuration node), and logon/logoff (in the User Configuration node). Startup/shutdown scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off. When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE executes the scripts from top to bottom. You can determine the order of execution for multiple scripts in the Properties dialog box. When a computer is shut down, the CSE first processes logoff scripts, followed by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a policy setting. You can use any ActiveX® scripting language to write scripts. Some possibilities include Microsoft® Visual Basic® Scripting Edition (VBScript), Microsoft JScript®, Perl, and Microsoft MS-DOS®– style batch files (.bat and .cmd). Logon scripts on a shared network directory in another forest are supported for network logon across forests. Windows 7 and Windows 8 both support Windows PowerShell® scripts, too.
Security Settings Node
The Security Settings node allows a security administrator to configure security by using GPOs. This can be done after, or instead of, using a security template to set system security.
Policy-Based QoS Node
This quality of service (QoS) node, known as Policy-Based QoS node, defines policies that manage network traffic. For example, you might want to ensure that users in the Finance department have priority for running a critical network application during the end-of-year financial reporting period. The PolicyBased QoS node enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the additional Remote Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote Installation Services (RIS) policies control the behavior of a remote operating-system installation. Folder Redirection enables you to redirect user data and settings folders such as AppData, Desktop, Documents, Pictures, Music, and Favorites from their default user profile location to an alternate location on the network, where they can be centrally managed. Internet Explorer Maintenance enables you to administer and customize Windows Internet Explorer®.
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012 5-9
Administrative Templates Node
In the Computer Configuration and User Configuration nodes, the Administrative Templates |
MCT |
|
node contains registry-based Group Policy settings. There are thousands of such settings available for |
||
|
||
configuring the user and computer environment. As an administrator, you might spend a significant |
|
|
amount of time manipulating these settings. To assist you with the settings, a description of each policy |
|
|
setting is available in two locations: |
|
|
• On the Explain tab in the Properties dialog box for the setting. Additionally, the Settings tab in the |
||
Properties dialog box for each setting also lists the required operating system or software for the |
USE |
|
.ONLY |
||
setting. |
||
• On the Extended tab of the Group Policy Management Editor. The Extended tab appears on the |
||
lower right of the details pane, and provides a description of each selected setting in a column |
||
|
between the console tree and the settings pane. The required operating system or software for each setting is also listed.
Demonstration
This demonstration shows how to:
1.Open the Group Policy Management Console.
2.Create a new GPO named Desktop in the Group Policy container.
3.In the computer configuration, prevent the last logon name from displaying, and then prevent Windows Installer from running.
4.In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.
Demonstration Steps
Use the GPMC to create a new GPO
1.Sign in to LON-DC1 as administrator.
2.Open the Group Policy Management console.
3.Create a new GPO called Desktop.
Configure Group Policy settings
1.Open the new Desktop policy for editing.
2.In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.
3.In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.
4.Close all open windows.
PROHIBITED USE STUDENT
Implementing a Group Policy Infrastructure
Lesson 2 |
MCT |
|||
Implementing and Administering GPOs |
||||
USE |
||||
In this lesson, you will examine GPOs in more detail, learning how to create, link, edit, manage, and |
||||
administer GPOs and their settings. |
||||
Lesson Objectives |
||||
After completing this lesson, you will be able to: |
||||
.ONLY |
||||
• Describe domain-based GPOs. |
||||
• Explain how to create, link, and edit GPOs. |
||||
• |
Explain GPO storage. |
|||
• |
Describe starter GPOs. |
|||
• Perform common GPO management tasks. |
||||
• |
|
|
||
Explain how to delegate administration of GPOs. |
|
|||
• Describe how to use Windows PowerShell to manage GPOs. |
STUDENT |
|||
Domain-Based GPOs |
||||
Domain-based GPOs are created in AD DS and |
|
|||
|
||||
stored on domain controllers. You can use them |
|
|||
to manage configuration centrally for the |
|
|||
domain’s users and computers. The remainder of |
|
|||
this course refers to domain-based GPOs rather |
|
|||
than local GPOs, unless otherwise specified. |
|
|||
|
|
|
||
When you install AD DS, two default GPOs are |
|
USE |
||
created: Default Domain Controllers Policy and |
|
|||
Default Domain Policy. |
|
|||
Default Domain Policy |
|
|||
This GPO is linked to the domain, and has no |
|
|||
|
||||
security group or WMI filters. Therefore, it affects all users and computers in the domain, including |
PROHIBITED |
|||
computers that are domain controllers. This GPO contains policy settings that specify password, account |
||||
|
|
|
lockout, and Kerberos version 5 protocol policies. You should not add unrelated policy settings to this GPO. If you need to configure other settings to apply broadly in your domain, create additional GPOs that link to the domain.
Administering Windows Server® 2012 5-11
|
Note: Windows computers also have local GPOs, which are used when computers are not |
MCT |
||||
connected to domain environments. Windows Vista, Windows 7, Windows 8, Windows Server |
||||||
2008, Windows Server 2008 R2, and Windows Server 2012 support the notion of multiple local |
||||||
USE |
||||||
GPOs. The Local Computer GPO is the same as the GPO in the previous Windows versions. In |
||||||
the Computer Configuration node, you can configure all computer-related settings. In the |
||||||
User Configuration node, you can configure settings that you want to apply to all users on the |
||||||
computer. The user settings in the Local Computer GPO can be modified by the user settings in |
||||||
two new local GPOs: Administrators and Non-Administrators. These two GPOs apply user settings |
||||||
to logged-on users according to whether they are members of the local Administrators group, in |
.ONLY |
|||||
which case they would use the Administrators GPO, or not members of the Administrators group, |
||||||
and therefore use the Non-Administrators GPO. You can further refine the user settings with a |
||||||
local GPO that applies to a specific user account. User-specific local GPOs are associated with |
||||||
local, not domain, user accounts. |
||||||
It is important to understand that domain-based GPO setting combined with those applied using |
||||||
local GPOs, but as domain-based GPOs apply last, they take precedence over local GPO settings. |
||||||
|
|
|
||||
GPO Storage |
|
|
|
|||
Group Policy settings are presented as GPOs in |
|
|
|
|
||
|
|
STUDENT |
||||
AD DS user interface tools, but a GPO is actually |
|
|
||||
two components: a Group Policy container and a |
|
|
||||
Group Policy template. |
|
|
||||
The Group Policy container is an AD DS object |
|
|
||||
stored in the Group Policy Objects container |
|
|
||||
within the domain-naming context of the |
|
|
||||
directory. Like all AD DS objects, each Group |
|
|
||||
Policy container includes a globally unique |
|
|
||||
identifier (GUID) attribute that uniquely identifies |
|
|
||||
|
|
|
|
|||
the object within AD DS. The Group Policy |
|
|
|
|
||
container defines basic attributes of the GPO, but |
|
|
|
|
||
|
USE |
|||||
|
|
|
it does not contain any of the settings. The settings are contained in the Group Policy template, a collection of files stored in the System Volume (SYSVOL) of each domain controller in the
%SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group
Policy template of the server from which the GPO was opened. |
PROHIBITED |
|
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated.
The Group Policy client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as a Group Policy container attribute and in a text file, Group Policy template.ini, in the Group Policy template folder. The Group Policy client knows the version number of each GPO it has previously applied. If, during Group Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.
Group Policy container and Group Policy template are both replicated between all domain controllers in AD DS. However, different replication mechanisms are used for these two items.
5-12 Implementing a Group Policy Infrastructure
The Group Policy container in AD DS is replicated by the Directory Replication Agent (DRA). The DRA |
MCT |
||
uses a topology generated by the Knowledge Consistency Checker (KCC), which you can define or |
|||
refine manually. The result is that the Group Policy container is replicated within seconds to all domain |
|||
|
|||
controllers in a site and is replicated between sites based on your intersite replication configuration. |
|
||
The Group Policy template in the SYSVOL is replicated by using one of the following two technologies. |
|
||
The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008, |
|
||
Windows Server 2008 R2, Windows Server 2003, and Windows 2000. If all domain controllers are running |
|||
Windows Server 2008 or newer, you can configure SYSVOL replication by using Distributed File System |
USE |
||
|
|||
(DFS) Replication, which is a much more efficient and robust mechanism. |
|
||
Because the Group Policy container and Group Policy template are replicated separately, it is possible for |
|
||
them to become out of sync for a short time. |
|
||
Typically, when this happens, the Group Policy container will replicate to a domain controller first. Systems |
|||
that obtained their ordered list of GPOs from that domain controller will identify the new Group Policy |
|
||
container, will attempt to download the Group Policy template, and will notice that the version numbers |
|
||
are not the same. A policy processing error will be recorded in the event logs. If the reverse happens, and |
|||
|
|
.ONLY |
|
the GPO replicates to a domain controller before the Group Policy container, clients obtaining their |
STUDENT |
||
ordered list of GPOs from that domain controller will not be notified of the new GPO until the Group |
|||
Policy container has replicated. |
|||
Starter GPOs |
|||
A Starter GPO is used as a template from which to |
|
||
|
|||
create other GPOs within GPMC. Starter GPOs |
|
||
only contain Administrative Template settings. |
|
||
You may use a Starter GPO to provide a starting |
|
||
point for new GPOs created in your domain. The |
|
||
Starter GPO already may contain specific settings |
|
||
that are recommended best practices for your |
|
USE |
|
environment. Starter GPOs can be exported to, |
|
||
and imported from, cabinet (.cab) files to make |
|
||
distribution to other environments simple and |
|
||
efficient. |
|
||
|
|
||
GPMC stores Starter GPOs in a folder named, |
|||
PROHIBITED |
|||
StarterGPOs, which is located in SYSVOL. |
|||
|
|
Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These Starter GPOs contain Administrative Template settings that reflect Microsoft-recommended best practices for the configuration of the client environment.
5-MCT13 USEONLY
stored in the backed-up version before restoring it.
You can restore any version of a GPO. If one becomes corrupt or you delete it, you can restore any of the.STUDENT historical versions of that GPO. The restore interface provides the ability for you to view the settings
You can import policy settings from one GPO into another. Importing a GPO allows you to transfer settings from a backed up GPO to an existing GPO. Importing a GPO transfers only the GPO settings. The import process does not import GPO links. Security principals defined in the source may need to be migrated to target.
PROHIBITED USE
5-14 Implementing a Group Policy Infrastructure
Delegating Administration of Group Policies
Delegation of GPO-related tasks allows you to distribute the administrative workload across the enterprise. You can task one group with creating and editing GPOs, while another group performs reporting and analysis duties. A third group might be in charge of creating WMI filters.
You can delegate the following Group Policy tasks independently:
•Creating GPOs
•Editing GPOs
•Managing Group Policy links for a site, domain, or OU
•Performing Group Policy Modeling analyses on a given domain or OU
•Reading Group Policy Results data for objects in a given domain or OU
•Creating WMI filters in a domain
The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.
Group Policy Default Permissions
By default, the following user and groups have Full Control over GPO management:
•Domain Admins
•Enterprise Admins
•Creator Owner
•Local System
The Authenticated User group has Read and Apply Group Policy permissions.
Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:
•Add the user or group to the Group Policy Creator Owners group.
•Explicitly grant the group or user permission to create GPOs by using GPMC.
Editing GPOs
To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.
Managing GPO Links
The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You also can delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012 5-15
Group Policy Modeling and Group Policy Results |
MCT |
||||
You can delegate the ability to use the reporting tools in the same fashion, through GPMC or the |
|||||
Delegation of Control Wizard in Active Directory Users and Computers. |
USE |
||||
Create WMI Filters |
|
|
|||
|
|
|
|
|
|
You can delegate the ability to create and manage WMI filters in the same fashion, through GPMC or the |
|||||
Delegation of Control Wizard in Active Directory Users and Computers. |
|
|
|
||
Managing GPOs with Windows PowerShell |
|
|
|
||
In addition to using the Group Policy |
|
|
|
|
|
|
|
ONLY. |
|||
Management console and the Group Policy |
|
|
|||
Management Editor, you can also perform |
|
|
|||
common GPO administrative tasks by using |
|
|
|||
Windows PowerShell. |
|
|
|
||
The following table lists some of the more |
|
|
STUDENT |
||
|
|
|
|
||
common administrative tasks possible with |
|
|
|
|
|
Windows PowerShell. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Cmdlet name |
Description |
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
New-GPO |
Creates a new GPO |
|
|
|
|
|
|
|
|
|
|
New-GPLink |
Creates a new GPO link for the specified GPO |
|
|
|
|
|
|
|
|
|
|
Backup-GPO |
Backs up the specified GPOs |
|
|
|
|
|
|
|
|
|
|
Restore-GPO |
Restores the specified GPOs |
USE |
|||
|
|
|
|||
|
|
|
|
|
|
Copy-GPO |
Copies a GPO |
|
|
|
|
|
|
|
|
|
|
Get-GPO |
Gets the specified GPOs |
|
|
|
|
|
|
|
|
|
|
Import-GPO |
Imports the backed up settings into a specified GPO |
PROHIBITED |
|||
|
|
|
|||
|
|
|
|
|
|
Set-GPInheritance |
Grants specified permissions to a user or security group for the |
|
|
|
|
|
specified GPOs |
|
|
|
|
|
|
|
|
|
|
For example, the following command creates a new GPO called Sales:
New-GPO -Name Sales -comment "This the sales GPO"
The following code imports the settings from the backed up Sales GPO stored in the C:\Backups folder into the NewSales GPO.
import-gpo -BackupGpoName Sales -TargetName NewSales -path c:\backups
5-16 Implementing a Group Policy Infrastructure
Lesson 3 |
MCT |
|
Group Policy Scope and Group Policy Processing |
||
USE |
||
A GPO is, by itself, a collection of configuration instructions that will be processed by the CSEs of |
||
computers. Until the GPO is scoped, it does not apply to any users or computers. The GPO’s scope |
||
|
determines the CSEs of which computers will receive and process the GPO, and only the computers or users within the scope of a GPO will apply the settings in that GPO. In this lesson, you will learn to manage
the scope of a GPO. The following mechanisms are used to scope a GPO:
• The GPO link to a site, domain, or OU, and whether that link is enabled |
.ONLY |
||
• The Enforce option of a GPO |
|||
• The Block Inheritance option on an OU |
|||
• |
Security group filtering |
||
• |
WMI filtering |
||
|
|
||
• Policy node enabling or disabling |
STUDENT |
||
• |
Preferences targeting |
||
• |
Loopback policy processing |
||
You must be able to define the users or computers to which you plan to deploy these configurations. |
|||
Consequently, you must master the art of scoping GPOs. In this lesson, you will learn each of the |
|||
mechanisms with which you can scope a GPO and, in the process, you will master the concepts of Group |
|||
Policy application, inheritance, and precedence. |
|||
Lesson Objectives |
|||
After completing this lesson, you will be able to: |
|||
|
|
||
• |
Describe GPO links. |
|
|
• |
Explain GPO processing. |
USE |
|
• Describe GPO inheritance and precedence. |
|||
• Use security filters to filter GPO scope. |
|||
• Explain how to use WMI filters to filter GPO scope. |
|||
|
|
||
• Describe how to enable and disable GPOs. |
PROHIBITED |
||
• Explain how and when to use loopback processing. |
|||
• |
Explain considerations for computers that are disconnected, or which are connected by slow links. |
||
|
• Explain when Group Policy settings take effect.