Microsoft Certified Trainer, Abu Z, and Microsoft Learning Solutions Partner of the Year, Unitek Education, deliver a presentation on key Group Policy enhancements in Microsoft Windows Server 2008. Group Policy is essential to enforcing centralized user and computer management in your Active Directory Domain Services environment, and mastering the five mission-critical group policy actions covered in this webinar will increase your organization's versatility, security, computing speed and cost savings.
See the full video & audio version here - http://www.unitek.com/training/certification-webinars/webinar/
2. Subject Matter Expert
Abu Z
Microsoft Certified Trainer
Unitek Education
B.Sc (Hons) in Computer Science, M. Sc
MCT, MCLC, MCSE, MCSEM, MCSA,
MCITP, MCTS, MCP...
3. Group Policy Discussion Topics
Understand Group Policy
Manage Group Policy Scope
Implement GPOs
GPO policy processing and effects
A Deeper Look at Settings and GPOs
4. Group Policy Objects
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers.
A GPO is the container for one or more policy settings
GPOs are managed with the Group Policy Management Console (GPMC), in its Group Policy Objects container
GPOs are edited with the Group Policy Management Editor (GPME)
5. GPO Scope
Scope: the definition of the objects (users or computers) to which a GPO applies
GPO link: a GPO can be linked to a site, domain, or organizational unit (OU) (SDOU)
A GPO can be linked to multiple sites or OUs
The GPO link(s) define the maximum scope of the GPO
Security group filtering
Apply or deny application of the GPO to members of a global security group
Filters the application of the GPO within its link scope
6. Group Policy Refresh
When GPOs and their settings are applied
Computer Configuration
Startup
Every 90-120 minutes
Triggered: GPUpdate command
User Configuration
Logon
Every 90-120 minutes
Triggered: GPUpdate command
7. Local GPOs
Apply before domain-based GPOs
Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.
Local GPO
One local GPO in Windows 2000, Windows XP, Windows Server® 2003
Multiple local GPOs in Windows Vista® and later
Local GPO: Computer settings and settings for all users
Administrators GPO: Settings for users in Administrators
Non-administrators GPO: Settings for users not in Administrators
Per-user GPO: Settings for a specific user
If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
8. Domain-Based GPOs
Created in Active Directory, stored on domain controllers
Two default GPOs
Default Domain Policy
Define account policies for the domain: Password, account lockout, and Kerberos policies
Default Domain Controllers Policy
Define auditing policies for domain controllers and Active Directory
9. GPO Storage
What we call a GPO is actually two things, stored in two places, with separate replication mechanisms
Group Policy Container (GPC)
• Stored in AD DS
• Friendly name, globally unique identifier (GUID)
• Version
Group Policy Template (GPT)
• Stored in SYSVOL on domain controllers (DCs)
• Contains all files required to define and apply settings
• .ini file contains Version
GPOTool (Microsoft® Downloads Center)
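Added example, not code from the webinar: the consistency check GPOTool is mentioned for, done with the GroupPolicy module. It reads each GPO's GPC version from AD DS and the GPT version from SYSVOL's gpt.ini and reports any GPO where the two halves disagree (replication lag or a failed edit). It assumes RSAT's GroupPolicy module on a domain-joined machine with read access to SYSVOL.

```powershell
# Added example (not from the webinar). Assumes the GroupPolicy module (RSAT) and SYSVOL read access.
Import-Module GroupPolicy

# gpt.ini packs both node versions into one integer:
# low 16 bits = Computer Configuration version, high 16 bits = User Configuration version.
function Split-GptVersion {
    param([Parameter(Mandatory)][uint32]$Packed)
    [pscustomobject]@{
        Computer = $Packed -band 0xFFFF
        User     = ($Packed -shr 16) -band 0xFFFF
    }
}

# Parse the Version= line of a gpt.ini file in SYSVOL.
function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptIniPath)
    $line = Get-Content -Path $GptIniPath -ErrorAction Stop |
        Where-Object { $_ -like 'Version=*' } |
        Select-Object -First 1
    if (-not ($line -match '^Version=(\d+)\s*$')) {
        throw "No Version= line found in $GptIniPath"
    }
    Split-GptVersion -Packed ([uint32]$Matches[1])
}

# Compare GPC (AD DS) and GPT (SYSVOL) versions for every GPO in the domain.
function Test-GpoVersionConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # SYSVOL folder names are the braced GUID of the GPO.
        $ini = "\\$Domain\SYSVOL\$Domain\Policies\$($gpo.Id.ToString('B'))\gpt.ini"
        $gpt = $null
        try { $gpt = Get-GptIniVersion -GptIniPath $ini }
        catch { Write-Warning "$($gpo.DisplayName): $($_.Exception.Message)" }

        [pscustomobject]@{
            Name              = $gpo.DisplayName
            Id                = $gpo.Id
            ComputerDSVersion = $gpo.Computer.DSVersion      # from the GPC
            ComputerGptIni    = if ($gpt) { $gpt.Computer } else { $null }
            UserDSVersion     = $gpo.User.DSVersion          # from the GPC
            UserGptIni        = if ($gpt) { $gpt.User } else { $null }
            Consistent        = ($null -ne $gpt) -and
                                ($gpo.Computer.DSVersion -eq $gpt.Computer) -and
                                ($gpo.User.DSVersion -eq $gpt.User)
        }
    }
}

# Show only the GPOs whose GPC and GPT disagree; an empty table means all are in sync.
Test-GpoVersionConsistency | Where-Object { -not $_.Consistent } | Format-Table -AutoSize
```

Run it against the domain controller a client actually uses (add -Server to Get-GPO and point the SYSVOL path at that DC) to see what that client will process, since the GPC and GPT replicate separately.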
10. Manage GPOs and Their Settings
Copy (and Paste into a Group Policy Objects container)
Create a new "copy" GPO and modify it
Transfer a GPO to a trusted domain, such as test-to-production
Back Up all settings, objects, links, permissions (access control lists [ACLs])
Restore into same domain as backup
Import Settings into a new GPO in same or any domain
Migration table for source-to-destination mapping of UNC paths and security group names
Replaces all settings in the GPO – not a "merge"
Save Report
Delete
Rename
11. GPO Links
GPO link
Causes policy settings in the GPO to apply to users or computers within that container
Links GPO to site, domain, or OU (SDOU)
Must enable sites in the GPM console
GPO can be linked to multiple sites or OUs
Link can exist but be disabled
Link can be deleted, but GPO remains
12. GPO Inheritance and Precedence
The application of GPOs linked to each container results in a cumulative effect called inheritance
Default precedence: Local → Site → Domain → OU → OU… (LSDOU)
Seen on the Group Policy Inheritance tab
Link order (attribute of GPO link)
Lower link order number = higher on the list = higher precedence
Block Inheritance (attribute of OU)
Blocks the processing of GPOs from above
Enforced (attribute of GPO link)
Enforced GPOs "blast through" Block Inheritance
Enforced GPO settings win over conflicting settings in lower GPOs
13. Use Security Filtering to Modify GPO Scope
Apply Group Policy permission
GPO has an ACL (Delegation tab, Advanced)
Default: Authenticated Users have Allow Apply Group Policy
Scope only to users in selected global group(s)
Remove Authenticated Users
Add appropriate global groups
Must be global groups (GPOs don't scope to domain local)
Scope to users except for those in selected group(s)
On Delegation tab, click Advanced
Add appropriate global groups
Deny Apply Group Policy permission
Does not appear on Delegation tab or in filtering section
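Added example, not code from the webinar: the pilot-scoping practice from the editor's notes (filter a GPO to a test group at its production link instead of a test OU) with the Advanced Tip applied, so Authenticated Users loses Apply Group Policy but keeps Read. It assumes the GroupPolicy module (RSAT), the 'CONTOSO Standards' GPO named in the notes, and a pilot global group 'GPO-Pilot-Users' (a constructed name).

```powershell
# Added example (not from the webinar). Assumes the GroupPolicy module (RSAT),
# an existing GPO and an existing global group used as the pilot scope.
Import-Module GroupPolicy

# Strip any DOMAIN\ prefix so well-known and domain trustees compare the same way.
function Get-TrusteeShortName {
    param([Parameter(Mandatory)][string]$Name)
    ($Name -split '\\')[-1]
}

function Set-GpoPilotScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$PilotGroup   # a global group, per the slide
    )
    # 1. Authenticated Users: replace Read + Apply with Read only. The GPO no longer
    #    applies to everyone, but support staff can still open it in GPMC and RSoP tools.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # 2. Pilot group: Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # 3. Return the resulting ACL so the change can be reviewed or logged immediately.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

# Verification: $true only when no trustee outside the allowed list holds Apply Group Policy.
function Test-GpoAppliesOnlyTo {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$AllowedTrustees
    )
    $appliers = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { Get-TrusteeShortName -Name $_.Trustee.Name }
    $unexpected = @($appliers | Where-Object { $AllowedTrustees -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Unexpected Apply Group Policy trustees: $($unexpected -join ', ')"
    }
    $unexpected.Count -eq 0
}

Set-GpoPilotScope -GpoName 'CONTOSO Standards' -PilotGroup 'GPO-Pilot-Users'
Test-GpoAppliesOnlyTo -GpoName 'CONTOSO Standards' -AllowedTrustees 'GPO-Pilot-Users'
```

Deny Apply Group Policy entries (the second technique on the slide) are not set by Set-GPPermission; they remain an Advanced-tab operation and would not show up in this check.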
14. What Is Security Policy Management?
(Figure: Enterprise IT Security Policy → security configuration settings)
Manage security configuration
Create the security policy
Apply the security policy to one or more systems
Analyze security settings against the policy
Update the policy, or correct the discrepancies on the system
Tools
Local Group Policy and Domain Group Policy
Security Templates snap-in
Security Configuration and Analysis snap-in
Security Configuration Wizard
15. Configure the Local Security Policy
(Figure: spectrum from Local Security Policy to Domain Group Policy)
16. Understand Group Policy Software Installation (GPSI)
Installs supported packages
Windows Installer packages (.msi)
Optionally modified by Transform (.mst) or patches (.msp)
GPSI automatically installs with elevated privileges
Downlevel application package (.zap)
Supported by “publish” option only
Requires user has admin privileges
SCCM and other deployment tools can support a wider variety of installation and configuration packages
No “feedback”
No centralized indication of success or failure
No license management
17. Understand Group Policy Software Installation (GPSI) (continued)
Software deployment options
Assign application to users
Start menu shortcuts appear
– Install-on-demand
File associations made (optional “Auto Install”)
– Install-on-document invocation
Optionally, configure to install at logon
Publish application to users
Advertised in Programs And Features (Control Panel)
– Install-on-request
Assign to computers
Install at startup
18. Enable or Disable GPOs and GPO Nodes
GPO Details tab, GPO Status drop-down list
Enabled: Both Computer Configuration and User Configuration settings will be applied by CSEs
All settings disabled: CSEs will not process the GPO
Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
User Configuration settings disabled: CSEs will not process settings in User Configuration
19. Loopback Policy Processing
At user logon, user settings from GPOs scoped to the computer object are applied
Create a consistent user experience on a computer
Conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
Computer Configuration\Policies\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode
Replace mode
The user gets none of the User settings that are scoped to the user… only the User settings that are scoped to the computer.
Merge mode
The user gets the User settings scoped to the user, but those settings are overlaid with the User settings scoped to the computer. The computer wins.
20. A Detailed Review of Group Policy Processing
Computer starts; Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started
Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer
Local → Site → Domain → OU → Enforced GPOs
The Group Policy Client processes each GPO in order
Should it be applied? (enabled/disabled/permission/WMI filter)
CSEs are triggered to process settings in the GPO
Settings configured as Enabled or Disabled are processed
User logs on
Process repeats for user settings
Every 90-120 minutes after startup, computer refresh
Every 90-120 minutes after logon, user refresh
21. Slow Links and Disconnected Systems
Group Policy Client determines whether the link to the domain should be considered a slow link
By default, less than 500 kilobits per second (kbps)
Each CSE can use the slow-link determination to decide whether it should process or not
Software CSE, for example, does not process
Disconnected
Settings previously applied will continue to take effect
Exceptions include startup, logon, logoff, and shutdown scripts
Connected
Windows Vista and later operating systems detect the new connection and perform a Group Policy refresh if the refresh window was missed while disconnected
22. Understand When Settings Take Effect
GPO replication must happen
GPC and GPT must replicate
Group changes must be incorporated
Logoff/logon for user; restart for computer
Group Policy refresh must occur
Windows XP, Windows Vista, and Windows 7 clients
Always wait for network at startup and logon
Settings may require logoff/logon (user) or restart (computer) to take effect
Manually refresh: GPUpdate [/force] [/logoff] [/boot]
Most CSEs do not re-apply settings if the GPO has not changed
Configure in Computer Configuration\Administrative Templates\System\Group Policy
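Added example, not code from the webinar, serving slide 19 (loopback processing) and the Always Wait For Network recommendation on slide 22: it sets both computer-side policies in a GPO through their underlying registry policy values and reads them back for verification. It assumes the GroupPolicy module (RSAT) and a GPO named 'Kiosk Loopback' (a constructed name) linked to the OU that holds the kiosk computer objects.

```powershell
# Added example (not from the webinar). Assumes the GroupPolicy module (RSAT) and an
# existing GPO linked to the kiosk computers' OU.
Import-Module GroupPolicy

# Registry values behind the two Administrative Template policies on the slides:
#   System\Group Policy -> "User Group Policy loopback processing mode"
#       UserPolicyMode: 1 = Merge, 2 = Replace
#   System\Logon -> "Always wait for the network at computer startup and logon"
#       SyncForegroundPolicy: 1 = enabled
$LoopbackKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$WinlogonKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-KioskLoopbackGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Merge', 'Replace')][string]$Mode = 'Replace'
    )
    $modeValue = if ($Mode -eq 'Replace') { 2 } else { 1 }
    # Loopback: in Replace mode only User settings scoped to the computer apply.
    Set-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $modeValue | Out-Null
    # Always wait for network, so a changed setting applies on the next start/logon
    # rather than after an unpredictable number of cycles.
    Set-GPRegistryValue -Name $Name -Key $WinlogonKey -ValueName 'SyncForegroundPolicy' `
        -Type DWord -Value 1 | Out-Null
}

# Read the GPO back and report what it will do, including whether its User node is
# still enabled (slide 18): the kiosk's user lockdown lives there, so disabling it
# would silently remove those settings in Replace mode.
function Get-KioskLoopbackState {
    param([Parameter(Mandatory)][string]$Name)
    $lb = Get-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -ErrorAction SilentlyContinue
    $sw = Get-GPRegistryValue -Name $Name -Key $WinlogonKey -ValueName 'SyncForegroundPolicy' `
        -ErrorAction SilentlyContinue
    $mode = switch ($lb.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
    $status = (Get-GPO -Name $Name).GpoStatus
    [pscustomobject]@{
        Gpo             = $Name
        LoopbackMode    = $mode
        AlwaysWaitNet   = ($sw.Value -eq 1)
        UserNodeEnabled = (@('AllSettingsEnabled', 'ComputerSettingsDisabled') -contains "$status")
    }
}

Set-KioskLoopbackGpo -Name 'Kiosk Loopback' -Mode Replace
Get-KioskLoopbackState -Name 'Kiosk Loopback'
```

After the GPC and GPT have replicated, gpupdate /force followed by a restart of a kiosk computer is the quickest way to confirm the result with the Group Policy Results Wizard or GPResult.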
23. Resultant Set of Policy
The "cumulative" effect of Group Policy
A user or computer is usually within the scope of many GPOs
Potentially conflicting settings: precedence
Tools to report the settings that were applied and which GPO "won" in the case of conflicting settings
Tools to model the effects of changes to the Group Policy infrastructure or to the location of objects in Active Directory
24. Resultant Set of Policy
Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
RSoP
The "end result" of policy application
Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
RSoP analysis
The Group Policy Results Wizard
The Group Policy Modeling Wizard
GPResult.exe
25. Generate RSoP Reports
Group Policy Results Wizard
Queries WMI to report actual Group Policy application
Requirements
Administrative credentials on the target computer
Access to WMI (firewall)
User must have logged on at least once
RSoP report
Can be saved
View in Advanced mode
Shows some settings that do not show in the HTML report
View Group Policy processing events
GPResult.exe /s ComputerName /h filename
26. Unitek Education
(888) 825-6273
Abu Z. Unitek.com
Instructor
Unitek Education webinars@unitek.com
Editor's Notes
If you choose to demonstrate the slide: Close the GPME that you used to edit the GPO in the previous slide. Point out that the setting you just configured is contained in the CONTOSO Standards GPO. Remind students that a GPO can contain multiple settings, but by default all settings are set to Not Configured. Point out that the tool you use to manage GPOs is the Group Policy Management console. Mention that you have opened the CONTOSO Standards GPO for editing by right-clicking the GPO and choosing Edit, which opens the Group Policy Management Editor. The management of GPOs is discussed in detail in Lesson 2.
Mention that a GPO, and all of the settings that it contains, does not take effect until you have defined the scope of that GPO. The first step to scoping a GPO is linking it to a site, domain, or OU. Introduce students to the mnemonic acronym SDOU. Point out that GPOs apply to users and computers, not to groups, despite the term "Group Policy." If you choose to demonstrate the slide, link the CONTOSO Standards GPO to the domain. Enforce the idea that the link or links define the maximum scope of the GPO. Pose a question: What if we don't want the GPO settings to apply to all objects within the scope? Use the question to transition to the concept of security group filtering, emphasizing that such filtering creates a subset of objects within the broader scope of the GPO link. Important Note: The reason this is important to mention, and will be reiterated throughout this module, is that many experienced students rely too heavily on GPO links to manage the scope of GPOs, which often leads them to less-than-ideal Active Directory organizational unit design, at the expense of efficiently applied and managed security (access control lists [ACLs]/delegation). Continue with a very brief discussion of WMI filtering, keeping the discussion very high level. Use the example of a policy setting that you want to apply to only a certain operating system. Define WMI filtering as a way of querying the system and then determining whether to apply a GPO. Wrap up with a mention of Preferences targeting. The goal is simply to introduce the term, and to prepare students for the idea that it is possible, now, to apply only part of a GPO to clients as long as that "part" is part of Preferences. It can't be emphasized enough: Keep it a "big picture" discussion! Scoping GPOs is discussed in Lesson 5.
You have now presented the setting and scope elements of configuration management with Group Policy. Remind students of that fact, to bring them back to the original three elements of configuration management. Then continue with this slide, which is the first half of application. All you need to do is answer this basic question: When do these policies get applied? More detail about Group Policy refresh is provided in Lesson 5.
Discuss local GPOs. Start with the understanding that local GPOs contain settings that affect only the local machine, and that any settings specified by a domain GPO scoped to that computer will override conflicting settings in local GPOs. Therefore, local GPOs have limited usage scenarios. Mention to students that while, in the real world, local GPOs have limited usage, they do tend to appear on certification exams, so it is worth understanding local GPOs. However, this will be the only point in the course in which local GPOs are addressed, and after this only domain-based GPOs will be used. Things to mention: You cannot apply local Group Policy objects to groups (except Administrators versus non-administrators). User settings exist in all local GPOs. Computer settings exist only in the main local GPO. After discussing the details of local GPOs, return to the original understanding that, in a domain environment, local GPOs have limited usage scenarios. Ask students to think about what scenarios those might be. Question: If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used? Answer: Keep in mind that local GPOs are designed for non-domain environments. Configure them for your computer at home, for example, to manage the settings for your spouse or children. In a domain environment, settings in domain-based GPOs override conflicting settings in local GPOs, and it is a best practice to manage configuration by using domain-based GPOs. However, if you want to apply policies to local accounts, rather than domain accounts, the local GPOs can be used. Also, you might use local GPOs to configure baseline security settings in your deployment image: settings that will take effect while a new computer is still in a workgroup, prior to joining the domain.
Describe the function and location of the GPC. Optionally, show a GPC using ADSI Edit. Optionally, show a GPT in SYSVOL. Show students how to identify the GUID of a GPO in the GPM console. Also give them a tip: sort the GPOs in SYSVOL by date, so you can quickly identify the GPO that you have just been working with. Exam Tip: GPOTool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs, leading to inconsistent versions of a GPC and GPT.
Discussion Questions: What options might you use to transfer into production a GPO that was used in a test environment? What variables constrained which option you chose? Answers should include copy-and-paste, backing up settings and importing them into a new GPO, and simply manually re-creating a GPO. The most important variable is whether the test environment is in a trusted domain (in which case you can use copy-and-paste) or in a separate environment (in which case you must use the Import Settings command).
As you discuss Group Policy inheritance and precedence, ensure that students understand that what is called "inheritance" is really just the effect of repeated, layered application of settings in GPOs in a specific order. You can approach this important discussion of GPO inheritance and precedence in one of three ways: Talk to the points on this slide only. Talk to the first bullet on this slide, then use the visuals on the following three slides to discuss link order, blocked inheritance, and enforced links. Create a demonstration in the composer.com domain and, after setting up the first bullet on the slide, demonstrate the remainder in the sample domain, returning to the Group Policy Inheritance tab to show resultant precedence and processing.
Many organizations struggle with how to maintain governance over Group Policy, and specifically how to effectively test a GPO before rolling it into production. Talk through a simple but completely effective best practice: Use security group filtering to manage the scope of a Group Policy object during testing. Instead of creating a sub-OU to manage the scope of a GPO for testing, link the GPO to the location it belongs in production. But instead of allowing the GPO to apply to Authenticated Users, or to the production security group, configure a security group specifically designed to limit the scope of the GPO to appropriate users and computers. The benefit of this practice is that it gives a much more realistic picture of how the GPO will perform in production, because you are not artificially limiting its scope or precedence by linking it to a separate "test" OU. In other words, you get a better picture of how the GPO interacts with other GPOs that are already in production. And yet, you still maintain full control over the specific users and computers that are within the scope of the test. Advanced Tip: If you remove Authenticated Users and scope a GPO to a specific group, support personnel will not be able to read the policy in order to perform Group Policy management tasks. Be sure to assign appropriate support personnel Read permission to the GPO.
Use this slide to "set up" the broad concept of this lesson: The goal of an IT pro is to ensure that systems are secure, and in the end that means configuring a security policy that is made up of a number of security settings. Help students understand that security for security's sake provides no value. All security configuration should arise out of a set of business-level security requirements, defined in an IT security policy and information management policy. Just implementing someone else's "security checklist" does not produce security that's right for your enterprise. In fact, the defaults on Windows Server 2008 are quite secure! You must understand where you're going and why you're going there before you start driving. Inform students that the goal of this lesson is to understand the mechanisms with which you can manage security settings more effectively. We're not going to worry too much in this lesson about specific settings, their functionality, or their value. Later lessons and modules will address how to secure various aspects of a Windows environment, including administration, authentication, and file system access. This lesson is about the variety of tools you can use to define and deploy security settings, whatever those settings are to you and your enterprise.
Don't spend too much time on this slide. You're simply pointing out that local Group Policy is an option for configuring security policy, but it's not manageable. The visual on this slide, and the text in the Student Manual, starts with the Local Security Policy. Discuss the fact that the local security policy allows you to configure many, but not all, security settings. Local Security Policy does not, for example, do anything to file system or registry ACLs. You need to "lock down" ACLs using the Security Settings dialog box (the "Security tab" of a file, folder, or registry key properties dialog box). Module 6 discussed local group policy, and posed the question, "Why would you use it?" If you are working with workgroup (not domain) computers, or if you want to ensure that a computer meets a certain level of compliance before it joins the domain, then local security policy is valuable. But as soon as a system is a member of a domain, local security policy is as far from "manageable" as possible: there's no central configuration capability for local security policy. On the other end of the spectrum is domain Group Policy, which of course is centralized and, as seen in the figure, exposes a number of additional settings including file system and registry ACLs. The rest of this lesson fills in the "middle" of this spectrum. You will be showing students how to create Group Policies that are based on the configuration of a server, and how to analyze a server to see whether it remains in compliance with domain policy. It's very important that students understand that this is where they will be "working" in this lesson. That way, they have some perspective as they dive into security templates and the Security Configuration Wizard, each of which produces ways of managing security settings that fall between local and domain policy, and each of which allows you to promote a collection of settings to a domain-level configuration policy managed with Group Policy.
Ensure that students understand that GPSI can install only Windows Installer packages. However, since many applications are available as Windows Installer packages, and since there are tools that allow one to create Windows Installer packages, this is enough to allow GPSI to serve as a valuable software deployment mechanism for many organizations. Touch on the point that GPSI can, technically, deploy any application that supports an unattended installation command using a downlevel application package (".zap file"). This file is basically an .ini file that specifies the unattended installation command. However, .zap files can only be deployed using the "publish" option (assign versus publish will be discussed on the next slide). So applications deployed with .zap files can only appear in the Programs And Features applet in Control Panel. Furthermore, installing applications from .zap files requires that users are local administrators on their computers. Therefore .zap files are very rarely used in the real world. Point out that SCCM and other deployment tools can deploy applications and configuration using a much wider variety of package types. Commercial software deployment tools also provide reporting and feedback mechanisms that support software metering, auditing, and license management. However, even organizations with tools like SCCM might use GPSI for certain scenarios; they can each serve a role in a software deployment infrastructure.
Talk through the differences between assigning an application to users, publishing an application to users, and assigning an application to computers. After presenting the "facts", ask students to discuss different scenarios that would be best supported by each option. Be sure in the discussion that the following points are raised: Assigning applications to users can be a bit dangerous, because the applications will follow users to every computer to which they log on. For example, if you were to assign Microsoft Visio® to users, and users were to log on to conference room computers, Visio would end up installed on the conference room computers, which may not be desirable. Most software is licensed per computer, not per user. For this, and the previous reason, it is generally a best practice to deploy software using the assigned-to-computer option. Organizations often want to limit the applications that users install. And often, it is challenging to help users find an application that meets a need that they have. One great feature of the "publish" option is the fact that applications can be categorized. When you go to install applications from Programs And Features in Control Panel, those categories are used to group the available applications. So, for example, if you needed a photo editor, you could go to Programs And Features and, when you choose to install an application from the network, the published applications in the Photo Editor category would display each of the applications that the enterprise has approved for you to install to meet that need. Exam Tip: Know the difference between assigning applications and publishing applications.
In addition to explaining the settings in the GPO Status drop-down list, mention the performance benefits gained by specifically disabling nodes of GPOs that have no settings anyway.Ask students to consider what scenarios might lend themselves to disabling a GPO that has settings. Answers might include GPOs that configure strict lockdown in the case of a security incident or that configure disaster recovery settings; in other words, those that are disabled until needed.
Exam Tip: The 70-640 exam is likely to include several questions that test your knowledge of Group Policy scope. Sometimes, questions that seem to be addressing the technical details of a policy setting are, in fact, testing your ability to scope the setting to appropriate systems. When you encounter Group Policy questions, ask yourself, "Is this really about a specific policy setting, or is it about the scope of that setting?"
Use this slide to reinforce the fundamentals of Group Policy processing, and to ensure that all students are on the same page.
Discuss the issues associated with slow links and disconnected systems. Make sure that students understand that, when a computer is disconnected, the settings that were previously applied will continue to take effect. There are several exceptions to this rule, most notably that startup, logon, logoff, and shutdown scripts do not run when the system is disconnected.
Use this slide to wrap up all of the detail regarding when Windows settings actually take effect. This should answer the question, "When I change a policy setting, when will that setting actually be applied to a user or computer?" The Student Manual contains a lot of good information that will allow you to step through the slide and to answer questions from students. Replication technologies, including the Directory Replication Agent, FRS, and DFS-R, are discussed in a later module. Don't go into detail about the replication technologies themselves, but rather point out that both the GPC and GPT must replicate to the domain controller from which a client is obtaining its policies, and that the GPC and GPT use different replication technologies that are not always in sync. Other points to make: It is highly recommended that organizations implement the Always Wait For Network At Startup And Logon policy setting. Without that, a change to a policy setting may take several logoff/logon or restart cycles before it takes effect, and there's no good way to predict the exact timing. In order to truly manage the application of new policy settings, enable Always Wait For Network At Startup And Logon. Make sure that students understand that this does not significantly slow down either the startup or logon process. It's not as if users will complain that it is noticeably slower. Also make sure that students understand that when a system is not connected to the network, it ignores this setting, so this setting is not a problem for disconnected laptop users. Most policy settings, particularly managed policy settings, cannot be changed by the user. However, if users are administrators of their machines, it is possible for them to change some settings. Those changes will never be reverted to match the settings specified by the GPOs, because most CSEs will only reapply policy settings when a GPO has changed.
The exceptions to this rule are security settings, which are reapplied every 16 hours whether or not the GPO has changed. If an enterprise is concerned about enforcing its policy settings, and if it is possible for users to change those settings, then you should configure the CSEs to reapply policy settings even if the GPO has not changed. The policy processing behavior of each CSE can be configured with Group Policy in the path shown at the bottom of the slide.
Transition by asking students if the following seems complicated: A GPO can contain multiple settings. Multiple GPOs may apply to a user or computer, scoped using a variety of mechanisms. Those GPOs may contain conflicting settings. Ask: How can you figure out who wins and what policies were applied? Provide a very brief introduction to the concept and term Resultant Set of Policy (RSoP). This is mainly presented in the introductory module because newer students tend to begin to wonder how they will possibly be able to manage and evaluate group policy settings, so we proactively answer that question here. RSoP is discussed in Lesson 6.
Use this slide to introduce the term and the concepts and tools of RSoP.Remind students how complex it can become to evaluate a resultant set of policy, with factors including inheritance, filters, loopback, the interaction between GPOs in CSEs, and the mind-boggling number of policy settings.Help students understand that resultant set of policy is both a descriptor, meaning "the end result" of policy application, and the name of a collection of tools and processes.
Talk in detail about RSoP reports, preferably supporting with demonstrations. Ensure that students understand how to generate, interpret, and save RSoP reports created by the Group Policy Results Wizard in the GPME console or by the GPResult command.Emphasize the critical importance of RSoP reports in analyzing and troubleshooting Group Policy application in an enterprise.